Diffstat (limited to 'nixpkgs/pkgs/os-specific')
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch18
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch22
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch101
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh5
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/default.nix999
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh4
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/getent.patch455
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/install-setup-hook.sh8
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc11
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/locale.patch85
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch16
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/setup-hook.sh15
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/bsd/setup-hook.sh109
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/CoreSymbolication/default.nix19
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/DarwinTools/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/DarwinTools/sw_vers-CFPriv.patch19
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/apple_sdk.nix181
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/cf-setup-hook.sh6
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix89
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/frameworks.nix195
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libSystem.nix78
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libcharset.nix16
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libnetwork.nix20
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libobjc.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libunwind.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/private-frameworks.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk/cf-setup-hook.sh9
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk/default.nix339
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk/framework-setup-hook.sh42
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk/frameworks.nix129
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix256
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk/private-frameworks-setup-hook.sh8
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-sdk/security-setup-hook.sh10
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix20
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix86
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix190
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/0001-Define-TARGET_OS_EMBEDDED-in-std-lib-io-if-not-defin.patch47
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/825_40_1.nix13
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/CrashReporterClient.h51
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/headers.txt138
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libinfo/default.nix50
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/default.nix11
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libnotify/default.nix9
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix22
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix146
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/headers.txt1729
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols1320
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols1172
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_symbols1
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/PowerManagement/default.nix10
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/boot.nix117
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/default.nix19
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/boot.nix92
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/basic_cmds/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bootstrap_cmds/default.nix43
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix216
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/copyfile/default.nix9
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/default.nix319
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer-tools-11.3.1.nix8
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/rpcgen-support-hyper-and-quad-types.patch66
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dtrace/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix16
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/eap8021x/default.nix10
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/file_cmds/default.nix42
-rwxr-xr-xnixpkgs/pkgs/os-specific/darwin/apple-source-releases/generate-sdk-packages.sh29
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/hfs/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/launchd/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h129
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix86
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libclosure/default.nix13
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix54
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libresolv/default.nix52
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix17
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix43
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/mDNSResponder/default.nix10
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix46
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/network_cmds/default.nix56
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/objc-probes.h65
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix118
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/spinlocks.patch107
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ppp/default.nix15
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/removefile/default.nix13
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/shell_cmds/default.nix50
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix109
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/text_cmds/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/top/default.nix19
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix160
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-arm64.txt1486
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-x86_64.txt1318
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/python3.patch41
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/binutils/default.nix74
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/cctools/ld-ignore-rpath-link.patch16
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/cctools/ld-rpath-nonfinal.patch29
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/cctools/port.nix106
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/darling/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/darwin-stubs/default.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/discrete-scroll/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/dockutil/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/duti/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/ghc-standalone-archive/default.nix13
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/goku/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/impure-cmds/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/insert_dylib/default.nix22
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/ios-deploy/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/iproute2mac/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/khd/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/khd/org.nixos.khd.plist33
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/kwm/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/kwm/org.nixos.kwm.plist26
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/libtapi/default.nix74
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/libtapi/disable-rpath.patch14
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/libtapi/native-clang-tblgen.patch21
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/lsusb/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/m-cli/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/macfuse/default.nix65
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/maloader/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/mas/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVK.xcodeproj.patch88
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVKShaderConverter.xcodeproj.patch84
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/moltenvk/default.nix189
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/mysides/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/native-x11-and-opengl/default.nix14
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/noah/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/opencflite/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/osx-cpu-temp/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/osxsnarf/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/pngpaste/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/print-reexports/default.nix17
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/print-reexports/main.c213
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/print-reexports/setup-hook.sh19
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/qes/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/rewrite-tbd/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh31
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/signing-utils/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/signing-utils/utils.sh43
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/sigtool/default.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/sketchybar/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/skhd/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist23
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/smimesign/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/spacebar/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/stubs/default.nix15
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0001-Add-missing-TARGET_OS_-defines.patch30
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/swift-corelibs/corefoundation.nix107
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/swift-corelibs/libdispatch.nix13
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/trash/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/trash/trash.diff13
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/wifi-password/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/xattr/default.nix73
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/xcode/default.nix71
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/xcode/sdk-pkgs.nix61
-rw-r--r--nixpkgs/pkgs/os-specific/darwin/yabai/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/915resolution/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/acpi-call/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/acpi/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/acpid/default.nix20
-rw-r--r--nixpkgs/pkgs/os-specific/linux/acpitool/default.nix52
-rw-r--r--nixpkgs/pkgs/os-specific/linux/adcli/default.nix68
-rw-r--r--nixpkgs/pkgs/os-specific/linux/afuse/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/akvcam/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch232
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix10
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix54
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/amdgpu-pro/default.nix222
-rw-r--r--nixpkgs/pkgs/os-specific/linux/anbox/default.nix159
-rw-r--r--nixpkgs/pkgs/os-specific/linux/android-udev-rules/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/apfs/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/apparmor/default.nix347
-rw-r--r--nixpkgs/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/aseq2json/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/asus-ec-sensors/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/asus-wmi-sensors/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/atop/atop.service.patch10
-rw-r--r--nixpkgs/pkgs/os-specific/linux/atop/atopacct.service.patch7
-rw-r--r--nixpkgs/pkgs/os-specific/linux/atop/default.nix95
-rw-r--r--nixpkgs/pkgs/os-specific/linux/atop/fix-paths.patch48
-rw-r--r--nixpkgs/pkgs/os-specific/linux/audit/default.nix103
-rw-r--r--nixpkgs/pkgs/os-specific/linux/audit/patches/weak-symbols.patch147
-rw-r--r--nixpkgs/pkgs/os-specific/linux/autofs/default.nix60
-rw-r--r--nixpkgs/pkgs/os-specific/linux/autosuspend/default.nix60
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ax99100/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/batman-adv/alfred.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/batman-adv/batctl.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/batman-adv/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/batman-adv/version.nix9
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bbswitch/default.nix65
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch43
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bcc/default.nix92
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch14
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bcc/libbcc-path.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/beefi/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/default.nix148
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/blktrace/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bluez/default.nix152
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bolt/0001-skip-mkdir.patch12
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bolt/default.nix96
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bpfmon/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bpftools/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bpftrace/default.nix86
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bridge-utils/autoconf-ar.patch21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/bridge-utils/default.nix22
-rw-r--r--nixpkgs/pkgs/os-specific/linux/brillo/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/brillo/udev-rule.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/default.nix74
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/gcc.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/i686-build-failure.patch18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/license.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.11.patch52
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.12.patch68
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.15.patch47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.7.patch109
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.8.patch64
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.1.patch32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.17.patch80
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.18.patch71
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.6.patch87
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch184
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/null-pointer-fix.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/broadcom-sta/pedantic-fix.patch94
-rw-r--r--nixpkgs/pkgs/os-specific/linux/btfs/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/busybox/busybox-in-store.patch23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/busybox/clang-cross.patch37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/busybox/default.nix175
-rw-r--r--nixpkgs/pkgs/os-specific/linux/busybox/sandbox-shell.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cachefilesd/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/can-isotp/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/can-utils/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/catfs/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cfs-zen-tweaks/default.nix43
-rw-r--r--nixpkgs/pkgs/os-specific/linux/checkpolicy/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/checksec/default.nix59
-rw-r--r--nixpkgs/pkgs/os-specific/linux/chromium-xorg-conf/default.nix8
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cifs-utils/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/compsize/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/conky/default.nix147
-rw-r--r--nixpkgs/pkgs/os-specific/linux/conntrack-tools/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/consoletools/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/conspy/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cpufrequtils/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cpufrequtils/remove-pot-creation-date.patch24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cpuid/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cpupower-gui/default.nix103
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cpupower/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cpuset/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cpustat/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cramfsprogs/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cramfsprogs/include-sysmacros.patch12
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cramfsswap/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cramfsswap/parallel-make.patch14
-rw-r--r--nixpkgs/pkgs/os-specific/linux/crda/default.nix78
-rw-r--r--nixpkgs/pkgs/os-specific/linux/criu/default.nix64
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cryptodev/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cryptsetup/default.nix54
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cryptsetup/disable-failing-tests.patch19
-rw-r--r--nixpkgs/pkgs/os-specific/linux/cshatag/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dbus-broker/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ddcci/default.nix43
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dddvb/default.nix48
-rw-r--r--nixpkgs/pkgs/os-specific/linux/device-tree/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/device-tree/raspberrypi.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/devmem2/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/digimend/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/directvnc/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/disk-indicator/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/displaylink/99-displaylink.rules1
-rw-r--r--nixpkgs/pkgs/os-specific/linux/displaylink/default.nix78
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dlm/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dmidecode/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dmraid/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dmraid/hardening-format.patch18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dmtcp/default.nix48
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dpdk-kmods/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dpdk/default.nix96
-rw-r--r--nixpkgs/pkgs/os-specific/linux/drbd/default.nix128
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dropwatch/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dstat/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/dstat/fix_pluginpath.patch15
-rw-r--r--nixpkgs/pkgs/os-specific/linux/e1000e/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/earlyoom/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ebtables/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/edac-utils/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ell/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ena/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/erofs-utils/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/error-inject/default.nix68
-rw-r--r--nixpkgs/pkgs/os-specific/linux/eudev/default.nix68
-rw-r--r--nixpkgs/pkgs/os-specific/linux/evdi/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/eventstat/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/exfat/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/extrace/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/facetimehd/default.nix43
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fatrace/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fbterm/default.nix53
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fbterm/select.patch12
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ffado/default.nix108
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ffado/fix-build.patch26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firejail/default.nix97
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/no-root-install.patch18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix43
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-calibration/default.nix62
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix66
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix56
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch183
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/fwupd/default.nix393
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/fwupd/efi-app-path.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/fwupd/install-fwupdplugin-to-out.patch37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch59
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/intel2200BGFirmware/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/libreelec-dvb-firmware/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix53
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/rt5677/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/sof-firmware/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/xow_dongle-firmware/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firmware/zd1211/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/flashbench/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fnotifystat/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/forkstat/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/forktty/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/freefall/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fscrypt/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fscryptctl/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fsverity-utils/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fsverity-utils/remove-dynamic-libs.patch27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fswebcam/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ftop/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_buffer_overflow.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_printf_format.patch20
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fuse/common.nix107
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fuse/default.nix17
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fuse/fuse2-Do-not-set-FUSERMOUNT_DIR.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fuse/fuse3-Do-not-set-FUSERMOUNT_DIR.patch12
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fuse/fuse3-install.patch25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fwts/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fwts/module.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/fxload/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/g15daemon/default.nix93
-rw-r--r--nixpkgs/pkgs/os-specific/linux/g15daemon/pid_location.patch25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/gfxtablet/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/gobi_loader/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/google-authenticator/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/gpu-switch/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/gradm/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/greetd/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/gt/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/gtkgreet/default.nix50
-rw-r--r--nixpkgs/pkgs/os-specific/linux/guvcview/default.nix78
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hd-idle/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hdapsd/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hdapsd/postInstall.sh7
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hdparm/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/health-check/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hibernate/default.nix46
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hibernate/gen-manpages.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hibernate/hibernate.patch37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hibernate/install.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hid-ite8291r3/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hid-nintendo/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hostapd/default.nix81
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hwdata/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/hyperv-daemons/default.nix111
-rw-r--r--nixpkgs/pkgs/os-specific/linux/i2c-tools/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/i7z/default.nix57
-rw-r--r--nixpkgs/pkgs/os-specific/linux/i7z/qt5.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/i810switch/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ifenslave/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ifmetric/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iio-sensor-proxy/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ima-evm-utils/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/input-utils/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/intel-cmt-cat/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/intel-compute-runtime/default.nix54
-rw-r--r--nixpkgs/pkgs/os-specific/linux/intel-ocl/default.nix78
-rw-r--r--nixpkgs/pkgs/os-specific/linux/intel-speed-select/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iomelt/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ioport/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iotop-c/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iotop/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iproute/default.nix66
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iproute/mptcp.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ipset/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iptables/default.nix70
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iptstate/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iputils/default.nix87
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ipvsadm/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/irqbalance/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/isgx/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/it87/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ithc/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iw/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/iwd/default.nix97
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ixgbevf/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/jfbview/default.nix73
-rw-r--r--nixpkgs/pkgs/os-specific/linux/jool/cli.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/jool/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/jool/source.nix11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/joycond/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/jujuutils/default.nix20
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kbd/default.nix81
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kbd/search-paths.patch85
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kbdlight/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel-headers/default.nix98
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel-headers/no-relocs.patch7
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/bridge-stp-helper.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/common-config.nix986
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/4.11.patch784
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/4.9.patch784
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/README.md21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/default.nix11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/gen-kheaders-metadata.patch86
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/generate-config.pl154
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/generic.nix221
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/genksyms-fix-segfault.patch19
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/gpio-utils.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc325
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix100
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json62
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py305
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/htmldocs.nix85
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-4.14.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-4.19.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-4.9.nix12
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-5.10.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-5.15.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-5.18.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-5.19.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-5.4.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-rpi.nix85
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/linux-testing.nix20
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/mac-nvme-t2.patch283
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/manual-config.nix343
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/modinst-arg-list-too-long.patch14
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/mptcp-config.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/p9-fixes.patch85
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/patches.nix106
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/perf/5.19-binutils-2.39-support.patch352
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/perf/default.nix85
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed-5.19.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch12
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper-updated.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/rtl8761b-support.patch33
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/kernel/update-libre.sh33
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/kernel/update-rt.sh80
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/kernel/update-zen.py97
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/kernel/update.sh68
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/xanmod-kernels.nix84
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kernel/zen-kernels.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kexec-tools/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/keyutils/0001-Remove-unused-function-after_eq.patch28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/keyutils/conf-symlink.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/keyutils/default.nix56
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/default.nix91
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch15
-rw-r--r--nixpkgs/pkgs/os-specific/linux/klibc/default.nix53
-rw-r--r--nixpkgs/pkgs/os-specific/linux/klibc/no-reinstall-kernel-headers.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/klibc/shrunk.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kmod-debian-aliases/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kmod/aggregator.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kmod/default.nix82
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kmod/enable-static.patch12
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kmod/module-dir.patch157
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kmscon/default.nix60
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kmscube/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kvdo/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/kvmfr/default.nix46
-rw-r--r--nixpkgs/pkgs/os-specific/linux/latencytop/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ldm/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ledger-udev-rules/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libaio/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libatasmart/default.nix22
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libbpf/default.nix49
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libcap-ng/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libcap/default.nix66
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libcgroup/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libevdevc/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libgestures/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libgestures/include-fix.patch12
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libnl/default.nix43
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libnss-mysql/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libpsm2/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libratbag/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libselinux/default.nix85
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libsemanage/default.nix54
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libsepol/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libsmbios/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libtraceevent/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libtracefs/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libudev0-shim/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libvolume_id/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libwebcam/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/libwebcam/uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch65
-rw-r--r--nixpkgs/pkgs/os-specific/linux/light/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lightum/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/linux-wifi-hotspot/default.nix101
-rw-r--r--nixpkgs/pkgs/os-specific/linux/linuxptp/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/liquidtux/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lksctp-tools/default.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lm-sensors/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lockdep/default.nix67
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lsb-release/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lsb-release/lsb_release.sh190
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lsirec/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lsiutil/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lsscsi/default.nix20
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lttng-modules/default.nix61
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lvm2/2_02.nix4
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lvm2/2_03.nix4
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lvm2/common.nix172
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lvm2/fix-blkdeactivate.patch51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lvm2/fix-stdio-usage.patch53
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lvm2/no-shared.diff25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lxc/default.nix99
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lxc/support-db2x.patch16
-rw-r--r--nixpkgs/pkgs/os-specific/linux/lxcfs/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/macchanger/default.nix48
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mba6x_bl/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mbpfan/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mceinject/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mcelog/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mdadm/default.nix54
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mdadm/no-self-references.patch124
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mdevd/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/metastore/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/microcode/amd.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/microcode/intel.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/microcode/iucode-tool.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mingetty/default.nix22
-rw-r--r--nixpkgs/pkgs/os-specific/linux/miraclecast/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mmc-utils/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/molly-guard/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/msr-tools/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/msr/000-include-sysmacros.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/msr/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mstpd/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/multipath-tools/default.nix64
-rw-r--r--nixpkgs/pkgs/os-specific/linux/multipath-tools/json-c-0.14.patch21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/musl-fts/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/musl-obstack/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/musl/default.nix153
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mwprocapture/default.nix65
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mxu11x0/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/mxu11x0/srcs.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ndiswrapper/default.nix46
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/net-tools/config.h79
-rw-r--r--nixpkgs/pkgs/os-specific/linux/net-tools/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/net-tools/mptcp.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/netatop/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/linux/netatop/fix-paths.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/netatop/netatop.service.patch7
-rw-r--r--nixpkgs/pkgs/os-specific/linux/new-lg4ff/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nfs-utils/default.nix131
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nftables/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nix-ld/default.nix56
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nixos-rebuild/default.nix36
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh580
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nmon/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nss_ldap/crashes.patch104
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nss_ldap/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nss_ldap/nss_ldap-265-glibc-2.16.patch139
-rw-r--r--nixpkgs/pkgs/os-specific/linux/numactl/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/numad/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/numad/numad-linker-flags.patch33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/numatop/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules2
-rw-r--r--nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/default.nix21
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/numworks-udev-rules/update.sh3
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/nvidia-x11/builder.sh208
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nvidia-x11/default.nix111
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nvidia-x11/generic.nix131
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nvidia-x11/open.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nvidia-x11/persistenced.nix48
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nvidia-x11/settings.nix116
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nvidia-x11/vm_operations_struct-fault.patch31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nvidiabl/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nvme-cli/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/nvmet-cli/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ocf-resource-agents/default.nix63
-rw-r--r--nixpkgs/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix60
-rw-r--r--nixpkgs/pkgs/os-specific/linux/odp-dpdk/default.nix53
-rw-r--r--nixpkgs/pkgs/os-specific/linux/open-iscsi/default.nix62
-rw-r--r--nixpkgs/pkgs/os-specific/linux/open-isns/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh16
-rw-r--r--nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/openrazer/driver.nix50
-rw-r--r--nixpkgs/pkgs/os-specific/linux/openvswitch/default.nix65
-rw-r--r--nixpkgs/pkgs/os-specific/linux/openvswitch/lts.nix81
-rw-r--r--nixpkgs/pkgs/os-specific/linux/openvswitch/patches/lts-ssl.patch274
-rw-r--r--nixpkgs/pkgs/os-specific/linux/otpw/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pagemon/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam/default.nix58
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam/suid-wrapper-path.patch6
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_ccreds/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_gnupg/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_krb5/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_ldap/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_mount/default.nix46
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_mount/insert_utillinux_path_hooks.patch30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_mysql/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_p11/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_pgsql/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch53
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch371
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_tmpdir/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_u2f/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_usb/default.nix81
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_ussh/default.nix67
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pam_ussh/go.mod15
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pax-utils/default.nix50
-rw-r--r--nixpkgs/pkgs/os-specific/linux/paxctl/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/paxctl/setup-hook.sh8
-rw-r--r--nixpkgs/pkgs/os-specific/linux/paxtest/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pcimem/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pcm/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pcmciautils/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/linux/perf-tools/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pflask/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/phc-intel/default.nix52
-rw-r--r--nixpkgs/pkgs/os-specific/linux/piper/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pipework/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pktgen/default.nix48
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ply/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/plymouth/default.nix102
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pm-utils/default.nix56
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pmount/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/policycoreutils/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pommed-light/default.nix75
-rw-r--r--nixpkgs/pkgs/os-specific/linux/power-calibrate/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/power-profiles-daemon/default.nix142
-rw-r--r--nixpkgs/pkgs/os-specific/linux/powercap/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/powerstat/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/powertop/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pps-tools/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/prl-tools/autostart.desktop8
-rw-r--r--nixpkgs/pkgs/os-specific/linux/prl-tools/default.nix159
-rw-r--r--nixpkgs/pkgs/os-specific/linux/procdump/default.nix61
-rw-r--r--nixpkgs/pkgs/os-specific/linux/procps-ng/default.nix68
-rw-r--r--nixpkgs/pkgs/os-specific/linux/projecteur/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/pscircle/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/psftools/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/psmisc/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/qc71_laptop/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/qmk-udev-rules/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/r8125/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/r8168/default.nix59
-rw-r--r--nixpkgs/pkgs/os-specific/linux/radeontools/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/radeontop/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rasdaemon/default.nix111
-rw-r--r--nixpkgs/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix58
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rdma-core/default.nix52
-rw-r--r--nixpkgs/pkgs/os-specific/linux/read-edid/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/read-edid/fno-common.patch22
-rw-r--r--nixpkgs/pkgs/os-specific/linux/reap/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/regionset/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/reptyr/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/restool/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rewritefs/default.nix32
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/rfkill/rfkill-hook.sh19
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rfkill/udev.nix56
-rw-r--r--nixpkgs/pkgs/os-specific/linux/roccat-tools/default.nix49
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rt-tests/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtkit/default.nix48
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix48
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8189es/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8189fs/default.nix22
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8192eu/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8723bs/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8812au/default.nix55
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8814au/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8821au/default.nix46
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8821ce/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl8821cu/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl88x2bu/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix45
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtw88/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/rtw89/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ryzenadj/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/s6-linux-init/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/s6-linux-utils/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sasutils/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sch_cake/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/schedtool/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sd-switch/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sdnotify-wrapper/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c174
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sdparm/default.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/selinux-python/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/selinux-sandbox/default.nix60
-rw-r--r--nixpkgs/pkgs/os-specific/linux/semodule-utils/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/service-wrapper/default.nix28
-rwxr-xr-xnixpkgs/pkgs/os-specific/linux/service-wrapper/service-wrapper.sh224
-rw-r--r--nixpkgs/pkgs/os-specific/linux/setools/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/seturgent/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix169
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sgx/samples/default.nix109
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sgx/sdk/default.nix285
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix95
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch99
-rw-r--r--nixpkgs/pkgs/os-specific/linux/shadow/default.nix96
-rw-r--r--nixpkgs/pkgs/os-specific/linux/shadow/keep-path.patch19
-rw-r--r--nixpkgs/pkgs/os-specific/linux/shadow/respect-xml-catalog-files-var.patch30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/shadow/runtime-shell.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sinit/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/smem/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/smemstat/default.nix28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sssd/default.nix106
-rw-r--r--nixpkgs/pkgs/os-specific/linux/statifier/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/swapview/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/switcheroo-control/default.nix58
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sydbox/default.nix77
-rw-r--r--nixpkgs/pkgs/os-specific/linux/syscall_limiter/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sysdig/default.nix115
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sysfsutils/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sysklogd/default.nix41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch120
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sysklogd/systemd.patch845
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sysklogd/union-wait.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/syslinux/default.nix135
-rw-r--r--nixpkgs/pkgs/os-specific/linux/syslinux/gcc10.patch33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sysstat/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sysstat/install.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/system76-acpi/default.nix43
-rw-r--r--nixpkgs/pkgs/os-specific/linux/system76-io/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/system76-power/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/system76/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd-wait/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch29
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch22
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch123
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch28
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch105
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch138
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch22
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/systemd/default.nix697
-rw-r--r--nixpkgs/pkgs/os-specific/linux/sysvinit/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/target-isns/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/target-isns/install_prefix_path.patch17
-rw-r--r--nixpkgs/pkgs/os-specific/linux/targetcli/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tbs/default.nix64
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tcp-wrappers/cdecls.patch31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tcp-wrappers/default.nix75
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tcp-wrappers/tcp-wrappers-7.6-headers.patch295
-rw-r--r--nixpkgs/pkgs/os-specific/linux/teck-udev-rules/default.nix22
-rw-r--r--nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/teensy.rules39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/thunderbolt/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tinyalsa/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tiptop/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tiscamera/0001-cmake-find-aravis-fix-pkg-cfg-include-dirs.patch25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tiscamera/0001-tcamconvert-tcamsrc-add-missing-include-lib-dirs.patch70
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tiscamera/0001-udev-rules-fix-install-location.patch25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tiscamera/default.nix138
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tmon/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tomb/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tp_smapi/default.nix48
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tp_smapi/update.nix11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tpacpi-bat/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/trace-cmd/default.nix63
-rw-r--r--nixpkgs/pkgs/os-specific/linux/trace-cmd/kernelshark.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/trezor-udev-rules/default.nix33
-rw-r--r--nixpkgs/pkgs/os-specific/linux/trinity/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tuigreet/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tuna/default.nix62
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tunctl/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/turbostat/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/linux/tuxedo-keyboard/default.nix40
-rw-r--r--nixpkgs/pkgs/os-specific/linux/uclibc-ng/default.nix141
-rw-r--r--nixpkgs/pkgs/os-specific/linux/udisks/2-default.nix96
-rw-r--r--nixpkgs/pkgs/os-specific/linux/udisks/fix-paths.patch158
-rw-r--r--nixpkgs/pkgs/os-specific/linux/udisks/force-path.patch17
-rw-r--r--nixpkgs/pkgs/os-specific/linux/uhk-agent/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/uhk-udev-rules/default.nix20
-rw-r--r--nixpkgs/pkgs/os-specific/linux/undervolt/default.nix27
-rw-r--r--nixpkgs/pkgs/os-specific/linux/unscd/0001-adjust-socket-paths-for-nixos.patch41
-rw-r--r--nixpkgs/pkgs/os-specific/linux/unscd/default.nix76
-rw-r--r--nixpkgs/pkgs/os-specific/linux/unstick/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/untie/default.nix25
-rw-r--r--nixpkgs/pkgs/os-specific/linux/upower/default.nix155
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/usb-blaster.rules8
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbguard/default.nix91
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbip/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbip/fix-snprintf-truncation.patch13
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbip/fix-strncpy-truncation.patch37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbrelay/daemon.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbrelay/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbrelay/python.nix12
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbrelay/test.nix63
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbtop/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbutils/default.nix34
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usbutils/fix-paths.patch11
-rw-r--r--nixpkgs/pkgs/os-specific/linux/usermount/default.nix30
-rw-r--r--nixpkgs/pkgs/os-specific/linux/util-linux/default.nix90
-rw-r--r--nixpkgs/pkgs/os-specific/linux/util-linux/rtcwake-search-PATH-for-shutdown.patch69
-rw-r--r--nixpkgs/pkgs/os-specific/linux/uvcdynctrl/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/v4l-utils/default.nix58
-rw-r--r--nixpkgs/pkgs/os-specific/linux/v4l2loopback/default.nix42
-rw-r--r--nixpkgs/pkgs/os-specific/linux/v86d/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/vdo/default.nix64
-rw-r--r--nixpkgs/pkgs/os-specific/linux/veikk-linux-driver/default.nix35
-rw-r--r--nixpkgs/pkgs/os-specific/linux/vendor-reset/default.nix46
-rw-r--r--nixpkgs/pkgs/os-specific/linux/virtio_vmmci/default.nix37
-rw-r--r--nixpkgs/pkgs/os-specific/linux/virtualbox/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/vm-tools/default.nix16
-rw-r--r--nixpkgs/pkgs/os-specific/linux/vmm_clock/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/vmware/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/linux/waydroid/default.nix78
-rw-r--r--nixpkgs/pkgs/os-specific/linux/wireguard/default.nix44
-rw-r--r--nixpkgs/pkgs/os-specific/linux/wireless-tools/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/linux/wlgreet/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/wooting.rules14
-rw-r--r--nixpkgs/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch130
-rw-r--r--nixpkgs/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/wpa_supplicant/default.nix130
-rw-r--r--nixpkgs/pkgs/os-specific/linux/wpa_supplicant/gui.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/x86info/default.nix53
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xf86-input-cmt/default.nix36
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xf86-input-wacom/default.nix61
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xf86-video-nested/default.nix31
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xone/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/deco-01-v2/default.nix81
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/g430/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xpadneo/default.nix39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xsensors/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xsensors/remove-unused-variables.patch39
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xsensors/replace-deprecated-gtk.patch168
-rw-r--r--nixpkgs/pkgs/os-specific/linux/xsos/default.nix52
-rw-r--r--nixpkgs/pkgs/os-specific/linux/zenmonitor/default.nix26
-rw-r--r--nixpkgs/pkgs/os-specific/linux/zenpower/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/linux/zenstates/default.nix52
-rw-r--r--nixpkgs/pkgs/os-specific/linux/zfs/default.nix244
-rw-r--r--nixpkgs/pkgs/os-specific/linux/zsa-udev-rules/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/solo5/default.nix77
-rw-r--r--nixpkgs/pkgs/os-specific/solo5/fix_paths.patch29
-rw-r--r--nixpkgs/pkgs/os-specific/solo5/test_sleep.patch22
-rw-r--r--nixpkgs/pkgs/os-specific/windows/cygwin-setup/default.nix46
-rw-r--r--nixpkgs/pkgs/os-specific/windows/default.nix47
-rw-r--r--nixpkgs/pkgs/os-specific/windows/jom/default.nix32
-rw-r--r--nixpkgs/pkgs/os-specific/windows/libgnurx/default.nix21
-rw-r--r--nixpkgs/pkgs/os-specific/windows/mcfgthreads/default.nix24
-rw-r--r--nixpkgs/pkgs/os-specific/windows/mingw-w64/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/windows/mingw-w64/headers.nix11
-rw-r--r--nixpkgs/pkgs/os-specific/windows/mingw-w64/pthreads.nix16
-rw-r--r--nixpkgs/pkgs/os-specific/windows/mingwrt/default.nix18
-rw-r--r--nixpkgs/pkgs/os-specific/windows/npiperelay/default.nix23
-rw-r--r--nixpkgs/pkgs/os-specific/windows/pthread-w32/default.nix29
-rw-r--r--nixpkgs/pkgs/os-specific/windows/w32api/default.nix17
-rw-r--r--nixpkgs/pkgs/os-specific/windows/wxMSW-2.8/default.nix38
916 files changed, 58706 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch
new file mode 100644
index 000000000000..f67ca2e50791
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-cxx-safe-header.patch
@@ -0,0 +1,18 @@
+diff -u -r1.35.2.1 nbtool_config.h.in
+--- a/nbtool_config.h.in	22 Apr 2015 07:18:58 -0000	1.35.2.1
++++ b/nbtool_config.h.in	31 May 2018 01:46:53 -0000
+@@ -680,5 +680,14 @@
+ /* Define if you have u_int8_t, but not uint8_t. */
+ #undef uint8_t
+ 
++#ifdef __cplusplus
++extern "C" {
++#endif
++
+ #include "compat_defs.h"
++
++#ifdef __cplusplus
++}
++#endif
++
+ #endif /* !__NETBSD_NBTOOL_CONFIG_H__ */
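Review bot: The `extern "C" {` block added around `#include "compat_defs.h"` gives C linkage to everything that header pulls in, not only to the compat prototypes. compat_defs.h is not visible here, but if it includes system headers, a C++ consumer would process them inside the linkage block, and headers that declare templates or overloads may then fail to compile. The narrower form is to put the `#ifdef __cplusplus` guards inside compat_defs.h around its own declarations. At minimum, the patch should start with a short description naming the C++ consumer that needs this, since it has no description at all, unlike the two sibling patches.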
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch
new file mode 100644
index 000000000000..1a69e73e255f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-dont-configure-twice.patch
@@ -0,0 +1,22 @@
+commit f2d0ff85e05b49e9d11735ce4810b242c1dbf5af
+Author: John Ericson <John.Ericson@Obsidian.Systems>
+Date:   Wed Sep 1 15:38:56 2021 +0000
+
+    Make should not hit configure
+
+diff --git a/Makefile b/Makefile
+index b5adb8a5f2e9..1a914ef16739 100644
+--- a/Makefile
++++ b/Makefile
+@@ -76,11 +76,6 @@ _CURDIR:=	${.CURDIR}
+ 
+ SRCS:=		${SRCS:M*.c}
+ 
+-config.cache: include/.stamp configure nbtool_config.h.in defs.mk.in
+-	rm -f ${.TARGET}
+-	CC=${HOST_CC:Q} CFLAGS=${HOST_CFLAGS:Q} LDFLAGS=${HOST_LDFLAGS:Q} \
+-		${HOST_SH} ${.CURDIR}/configure --cache-file=config.cache
+-
+ defs.mk: config.cache
+ 	@touch ${.TARGET}
+ 
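Review bot: With the `config.cache:` rule removed, the context line `defs.mk: config.cache` still names it as a prerequisite, and nothing in the patched Makefile creates it. The build therefore only works when the configure step has already been run with `--cache-file=config.cache`, which the netbsd `compat` derivation in this commit does through `configureFlags`. Any other caller would presumably stop on a missing target. The patch description says only "Make should not hit configure"; I would add a sentence such as `config.cache must be produced beforehand by running configure with --cache-file=config.cache; the Makefile now only consumes it.` The rest of the Makefile is outside the patch context.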
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch
new file mode 100644
index 000000000000..cd442d95f412
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-no-force-native.patch
@@ -0,0 +1,101 @@
+commit 5acf3bdea5140e90135d15d6479f29fbf624f75e
+Author: John Ericson <John.Ericson@Obsidian.Systems>
+Date:   Wed Sep 1 15:38:56 2021 +0000
+
+    Don't force building and installing for the build platform
+    
+    Also remove `compat/` subdir from install directories.
+
+diff --git a/Makefile b/Makefile
+index 4bcf227f0e75..9ed1d6eea6ff 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ #	$NetBSD: Makefile,v 1.87 2019/05/08 02:25:50 thorpej Exp $
+ 
+-HOSTLIB=	nbcompat
++LIB=	nbcompat
+ 
+-.include <bsd.hostinit.mk>
++.include <bsd.own.mk>
+ 
+@@ -94,63 +94,37 @@ include/.stamp:
+ 
+ # Install rules
+ 
+-HOST_LIBDIR=	${TOOLDIR}/lib
+-HOST_INCSDIR=	${TOOLDIR}/include
+-HOST_SHAREDIR= ${TOOLDIR}/share
+-
+-install:	.PHONY install.lib includes install.defs.mk
+-
+-# Install lib${HOSTLIB}.a in ${TOOLDIR}/lib
+-install.lib: .PHONY ${HOST_LIBDIR}/lib${HOSTLIB}.a
+-${HOST_LIBDIR}/lib${HOSTLIB}.a: lib${HOSTLIB}.a
+-	${_MKTARGET_INSTALL}
+-	${HOST_INSTALL_DIR} ${HOST_LIBDIR}
+-	${HOST_INSTALL_FILE} -m ${LIBMODE} ${.ALLSRC} ${.TARGET}
++install:	.PHONY includes install.defs.mk
+ 
+ .for _f in ${INCFILES}
+-HOST_INCINSTFILES+= ${HOST_INCSDIR}/compat/${_f}
+-${HOST_INCSDIR}/compat/${_f}: ${_f}
++INCINSTFILES+= ${INCSDIR}/${_f}
++${INCSDIR}/${_f}: ${_f}
+ 	${_MKTARGET_INSTALL}
+-	${HOST_INSTALL_FILE} ${.ALLSRC} ${.TARGET}
++	${INSTALL_FILE} ${.ALLSRC} ${.TARGET}
+ .endfor
+ 
+ .for _d in ${INCSUBDIRS}
+-HOST_INCINSTDIRS+= ${HOST_INCSDIR}/compat/${_d}
+-${HOST_INCSDIR}/compat/${_d}:
++INCINSTDIRS+= ${INCSDIR}/${_d}
++${INCSDIR}/${_d}:
+ 	${_MKTARGET_INSTALL}
+-	${HOST_INSTALL_DIR} ${.TARGET}
++	${INSTALL_DIR} ${.TARGET}
+ .endfor
+ 
+-# Install include files in ${TOOLDIR}/include/compat
+-includes: .PHONY ${HOST_INCINSTDIRS} .WAIT ${HOST_INCINSTFILES}
++# Install include files in ${INCSDIR}
++includes: .PHONY ${INCINSTDIRS} .WAIT ${INCINSTFILES}
+ 	@(cd include && find . -name '*.h' -print | while read f ; do \
+-	    ${HOST_INSTALL_FILE} $$f ${HOST_INCSDIR}/compat/$$f ; \
++	    ${INSTALL_FILE} $$f ${INCSDIR}/$$f ; \
+ 	done)
+ 
+ 
+-# Install defs.mk in ${TOOLDIR}/share/compat
+-install.defs.mk: .PHONY ${HOST_SHAREDIR}/compat/defs.mk
+-${HOST_SHAREDIR}/compat/defs.mk: defs.mk
++# Install defs.mk in ${DATADIR}
++install.defs.mk: .PHONY ${DATADIR}/defs.mk
++${DATADIR}/defs.mk: defs.mk
+ 	${_MKTARGET_INSTALL}
+-	${HOST_INSTALL_DIR} ${HOST_SHAREDIR}
+-	${HOST_INSTALL_DIR} ${HOST_SHAREDIR}/compat
+-	${HOST_INSTALL_FILE} ${.ALLSRC} ${.TARGET}
+-
+-# bsd.hostlib.mk wants HOST_CPPFLAGS, not CPPFLAGS
+-
+-HOST_CPPFLAGS:=	${CPPFLAGS}
+-CPPFLAGS:=	# empty
+-
+-.include <bsd.hostlib.mk>
+-
+-# Use uninstalled copy of host-mkdep
+-HOST_MKDEP_OBJ!= cd ${.CURDIR}/../host-mkdep && ${PRINTOBJDIR}
+-HOST_MKDEP=	${HOST_MKDEP_OBJ}/host-mkdep
+-MKDEP=		${HOST_MKDEP}
++	${INSTALL_DIR} ${DATADIR}
++	${INSTALL_FILE} ${.ALLSRC} ${.TARGET}
+ 
+-# Use uninstalled copy of the install program
+-INSTALL_OBJ!=	cd ${NETBSDSRCDIR}/tools/binstall && ${PRINTOBJDIR}
+-INSTALL=	${INSTALL_OBJ}/xinstall
++.include <bsd.lib.mk>
+ 
+ # Run "${TOOLDIR}/bin/nbmake-${MACHINE} regen" by hand after editing
+ # configure.ac.  See more detailed instructions in configure.ac.
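Review bot: In the `includes` recipe, the loop `while read f ; do ${INSTALL_FILE} $$f ${INCSDIR}/$$f ; done` discards the exit status of every install except the last. A header that fails to copy therefore leaves an incomplete include tree while the target still reports success. The path is also unquoted and read without `-r`. I would write the loop as `while read -r f ; do \` with the body `${INSTALL_FILE} "$$f" "${INCSDIR}/$$f" || exit 1 ; \`. This patch also removes the in-tree `INSTALL=${INSTALL_OBJ}/xinstall` override, so the recipe now runs whatever `INSTALL` the caller supplies, which makes an explicit failure check more useful.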
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh
new file mode 100644
index 000000000000..acd90b7aa2f0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh
@@ -0,0 +1,5 @@
+# See pkgs/build-support/setup-hooks/role.bash
+getHostRole
+
+export NIX_LDFLAGS${role_post}+=" -lnbcompat"
+export NIX_CFLAGS_COMPILE${role_post}+=" -DHAVE_NBTOOL_CONFIG_H"
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/default.nix b/nixpkgs/pkgs/os-specific/bsd/netbsd/default.nix
new file mode 100644
index 000000000000..25ac9ce451cc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/default.nix
@@ -0,0 +1,999 @@
+{ stdenv, lib, stdenvNoCC
+, pkgsBuildBuild, pkgsBuildHost, pkgsBuildTarget, pkgsHostHost, pkgsTargetTarget
+, buildPackages, splicePackages, newScope
+, bsdSetupHook, makeSetupHook, fetchcvs, groff, mandoc, byacc, flex
+, zlib
+, writeText, symlinkJoin
+}:
+
+let
+  inherit (buildPackages.buildPackages) rsync;
+
+  fetchNetBSD = path: version: sha256: fetchcvs {
+    cvsRoot = ":pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot";
+    module = "src/${path}";
+    inherit sha256;
+    tag = "netbsd-${lib.replaceStrings ["."] ["-"] version}-RELEASE";
+  };
+
+  netbsdSetupHook = makeSetupHook {
+    name = "netbsd-setup-hook";
+  } ./setup-hook.sh;
+
+  otherSplices = {
+    selfBuildBuild = pkgsBuildBuild.netbsd;
+    selfBuildHost = pkgsBuildHost.netbsd;
+    selfBuildTarget = pkgsBuildTarget.netbsd;
+    selfHostHost = pkgsHostHost.netbsd;
+    selfTargetTarget = pkgsTargetTarget.netbsd or {}; # might be missing
+  };
+
+  defaultMakeFlags = [
+    "MKSOFTFLOAT=${if stdenv.hostPlatform.gcc.float or (stdenv.hostPlatform.parsed.abi.float or "hard") == "soft"
+      then "yes"
+      else "no"}"
+  ];
+
+in lib.makeScopeWithSplicing
+  splicePackages
+  newScope
+  otherSplices
+  (_: {})
+  (_: {})
+  (self: let
+    inherit (self) mkDerivation;
+  in {
+
+  # Why do we have splicing and yet do `nativeBuildInputs = with self; ...`?
+  #
+  # We use `lib.makeScopeWithSplicing` because this should be used for all
+  # nested package sets which support cross, so the inner `callPackage` works
+  # correctly. But for the inline packages we don't bother to use
+  # `callPackage`.
+  #
+  # We still could have tried to `with` a big spliced packages set, but
+  # splicing is jank and causes a number of bootstrapping infinite recursions
+  # if one is not careful. Pulling deps out of the right package set directly
+  # side-steps splicing entirely and avoids those footguns.
+  #
+  # For non-bootstrap-critical packages, we might as well use `callPackage` for
+  # consistency with everything else, and maybe put in separate files too.
+
+  compatIfNeeded = lib.optional (!stdenvNoCC.hostPlatform.isNetBSD) self.compat;
+
+  mkDerivation = lib.makeOverridable (attrs: let
+    stdenv' = if attrs.noCC or false then stdenvNoCC else stdenv;
+  in stdenv'.mkDerivation ({
+    name = "${attrs.pname or (baseNameOf attrs.path)}-netbsd-${attrs.version}";
+    src = fetchNetBSD attrs.path attrs.version attrs.sha256;
+
+    extraPaths = [ ];
+
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install tsort lorder buildPackages.mandoc groff statHook rsync
+    ];
+    buildInputs = with self; compatIfNeeded;
+
+    HOST_SH = stdenv'.shell;
+
+    MACHINE_ARCH = {
+      i486 = "i386";
+      i586 = "i386";
+      i686 = "i386";
+    }.${stdenv'.hostPlatform.parsed.cpu.name}
+      or stdenv'.hostPlatform.parsed.cpu.name;
+
+    MACHINE = {
+      x86_64 = "amd64";
+      aarch64 = "evbarm64";
+      i486 = "i386";
+      i586 = "i386";
+      i686 = "i386";
+    }.${stdenv'.hostPlatform.parsed.cpu.name}
+      or stdenv'.hostPlatform.parsed.cpu.name;
+
+    BSD_PATH = attrs.path;
+
+    makeFlags = defaultMakeFlags;
+
+    strictDeps = true;
+
+    meta = with lib; {
+      maintainers = with maintainers; [ matthewbauer qyliss ];
+      platforms = platforms.unix;
+      license = licenses.bsd2;
+    };
+
+  } // lib.optionalAttrs stdenv'.hasCC {
+    # TODO should CC wrapper set this?
+    CPP = "${stdenv'.cc.targetPrefix}cpp";
+  } // lib.optionalAttrs stdenv'.isDarwin {
+    MKRELRO = "no";
+  } // lib.optionalAttrs (stdenv'.cc.isClang or false) {
+    HAVE_LLVM = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+  } // lib.optionalAttrs (stdenv'.cc.isGNU or false) {
+    HAVE_GCC = lib.versions.major (lib.getVersion stdenv'.cc.cc);
+  } // lib.optionalAttrs (stdenv'.isx86_32) {
+    USE_SSP = "no";
+  } // lib.optionalAttrs (attrs.headersOnly or false) {
+    installPhase = "includesPhase";
+    dontBuild = true;
+  } // attrs // {
+    postPatch = lib.optionalString (!stdenv'.hostPlatform.isNetBSD) ''
+      # Files that use NetBSD-specific macros need to have nbtool_config.h
+      # included ahead of them on non-NetBSD platforms.
+      set +e
+      grep -Zlr "^__RCSID
+      ^__BEGIN_DECLS" | xargs -0r grep -FLZ nbtool_config.h |
+          xargs -0tr sed -i '0,/^#/s//#include <nbtool_config.h>\n\0/'
+      set -e
+    '' + attrs.postPatch or "";
+  }));
+
+  ##
+  ## START BOOTSTRAPPING
+  ##
+  makeMinimal = mkDerivation {
+    path = "tools/make";
+    sha256 = "0fh0nrnk18m613m5blrliq2aydciv51qhc0ihsj4k63incwbk90n";
+    version = "9.2";
+
+    buildInputs = with self; [];
+    nativeBuildInputs = with buildPackages.netbsd; [ bsdSetupHook netbsdSetupHook rsync ];
+
+    skipIncludesPhase = true;
+
+    postPatch = ''
+      patchShebangs configure
+      ${self.make.postPatch}
+    '';
+
+    buildPhase = ''
+      runHook preBuild
+
+      sh ./buildmake.sh
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      install -D nbmake $out/bin/nbmake
+      ln -s $out/bin/nbmake $out/bin/make
+      mkdir -p $out/share
+      cp -r $BSDSRCDIR/share/mk $out/share/mk
+
+      runHook postInstall
+    '';
+
+    extraPaths = with self; [ make.src ] ++ make.extraPaths;
+  };
+
+  compat = mkDerivation (let
+    version = "9.2";
+    commonDeps = [ zlib ];
+  in {
+    path = "tools/compat";
+    sha256 = "1vsxg7136nlhc72vpa664vs22874xh7ila95nkmsd8crn3z3cyn0";
+    inherit version;
+
+    setupHooks = [
+      ../../../build-support/setup-hooks/role.bash
+      ./compat-setup-hook.sh
+    ];
+
+    preConfigure = ''
+      make include/.stamp configure nbtool_config.h.in defs.mk.in
+    '';
+
+    configurePlatforms = [ "build" "host" ];
+    configureFlags = [
+      "--cache-file=config.cache"
+    ] ++ lib.optionals stdenv.hostPlatform.isMusl [
+      # We include this header in our musl package only for legacy
+      # compatibility, and compat works fine without it (and having it
+      # know about sys/cdefs.h breaks packages like glib when built
+      # statically).
+      "ac_cv_header_sys_cdefs_h=no"
+    ];
+
+    nativeBuildInputs = with buildPackages.netbsd; commonDeps ++ [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      rsync
+    ];
+
+    buildInputs = with self; commonDeps;
+
+    # temporarily use gnuinstall for bootstrapping
+    # bsdinstall will be built later
+    makeFlags = defaultMakeFlags ++ [
+      "INSTALL=${buildPackages.coreutils}/bin/install"
+      "DATADIR=$(out)/share"
+      # Can't sort object files yet
+      "LORDER=echo"
+      "TSORT=cat"
+      # Can't process man pages yet
+      "MKSHARE=no"
+    ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
+      # GNU objcopy produces broken .a libs which won't link into dependers.
+      # Makefiles only invoke `$OBJCOPY -x/-X`, so cctools strip works here.
+      "OBJCOPY=${buildPackages.darwin.cctools}/bin/strip"
+    ];
+    RENAME = "-D";
+
+    passthru.tests = { netbsd-install = self.install; };
+
+    patches = [
+      ./compat-cxx-safe-header.patch
+      ./compat-dont-configure-twice.patch
+      ./compat-no-force-native.patch
+    ];
+
+    preInstall = ''
+      makeFlagsArray+=('INSTALL_FILE=''${INSTALL} ''${COPY} ''${PRESERVE} ''${RENAME}')
+      makeFlagsArray+=('INSTALL_DIR=''${INSTALL} -d')
+      makeFlagsArray+=('INSTALL_SYMLINK=''${INSTALL} ''${SYMLINK} ''${RENAME}')
+    '';
+
+    postInstall = ''
+      # why aren't these installed by netbsd?
+      install -D compat_defs.h $out/include/compat_defs.h
+      install -D $BSDSRCDIR/include/cdbw.h $out/include/cdbw.h
+      install -D $BSDSRCDIR/sys/sys/cdbr.h $out/include/cdbr.h
+      install -D $BSDSRCDIR/sys/sys/featuretest.h \
+                 $out/include/sys/featuretest.h
+      install -D $BSDSRCDIR/sys/sys/md5.h $out/include/md5.h
+      install -D $BSDSRCDIR/sys/sys/rmd160.h $out/include/rmd160.h
+      install -D $BSDSRCDIR/sys/sys/sha1.h $out/include/sha1.h
+      install -D $BSDSRCDIR/sys/sys/sha2.h $out/include/sha2.h
+      install -D $BSDSRCDIR/sys/sys/queue.h $out/include/sys/queue.h
+      install -D $BSDSRCDIR/include/vis.h $out/include/vis.h
+      install -D $BSDSRCDIR/include/db.h $out/include/db.h
+      install -D $BSDSRCDIR/include/netconfig.h $out/include/netconfig.h
+      install -D $BSDSRCDIR/include/utmpx.h $out/include/utmpx.h
+      install -D $BSDSRCDIR/include/tzfile.h $out/include/tzfile.h
+      install -D $BSDSRCDIR/sys/sys/tree.h $out/include/sys/tree.h
+      install -D $BSDSRCDIR/include/nl_types.h $out/include/nl_types.h
+      install -D $BSDSRCDIR/include/stringlist.h $out/include/stringlist.h
+
+      # Collapse includes slightly to fix dangling reference
+      install -D $BSDSRCDIR/common/include/rpc/types.h $out/include/rpc/types.h
+      sed -i '1s;^;#include "nbtool_config.h"\n;' $out/include/rpc/types.h
+   '' + lib.optionalString stdenv.isDarwin ''
+      mkdir -p $out/include/ssp
+      touch $out/include/ssp/ssp.h
+   '' + ''
+      mkdir -p $out/lib/pkgconfig
+      substitute ${./libbsd-overlay.pc} $out/lib/pkgconfig/libbsd-overlay.pc \
+        --subst-var-by out $out \
+        --subst-var-by version ${version}
+    '';
+    extraPaths = with self; [ include.src libc.src libutil.src
+      (fetchNetBSD "external/bsd/flex" "9.2" "0h98jpfj7vx5zh7vd7bk6b1hmzgkcb757a8j6d9zgygxxv13v43m")
+      (fetchNetBSD "sys/sys" "9.2" "0zawhw51klaigqqwkx0lzrx3mim2jywrc24cm7c66qsf1im9awgd")
+      (fetchNetBSD "common/include/rpc/types.h" "9.2" "0n2df12mlc3cbc48jxq35yzl1y7ghgpykvy7jnfh898rdhac7m9a")
+    ] ++ libutil.extraPaths ++ _mainLibcExtraPaths;
+  });
+
+  # HACK: to ensure parent directories exist. This emulates GNU
+  # install’s -D option. No alternative seems to exist in BSD install.
+  install = let binstall = writeText "binstall" ''
+    #!${stdenv.shell}
+    for last in $@; do true; done
+    mkdir -p $(dirname $last)
+    xinstall "$@"
+  ''; in mkDerivation {
+    path = "usr.bin/xinstall";
+    version = "9.2";
+    sha256 = "1f6pbz3qv1qcrchdxif8p5lbmnwl8b9nq615hsd3cyl4avd5bfqj";
+    extraPaths = with self; [ mtree.src make.src ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      mandoc groff rsync
+    ];
+    skipIncludesPhase = true;
+    buildInputs = with self; compatIfNeeded ++ [ fts ];
+    installPhase = ''
+      runHook preInstall
+
+      install -D install.1 $out/share/man/man1/install.1
+      install -D xinstall $out/bin/xinstall
+      install -D -m 0550 ${binstall} $out/bin/binstall
+      ln -s $out/bin/binstall $out/bin/install
+
+      runHook postInstall
+    '';
+    setupHook = ./install-setup-hook.sh;
+  };
+
+  fts = mkDerivation {
+    pname = "fts";
+    path = "include/fts.h";
+    sha256 = "01d4fpxvz1pgzfk5xznz5dcm0x0gdzwcsfm1h3d0xc9kc6hj2q77";
+    version = "9.2";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook rsync
+    ];
+    propagatedBuildInputs = with self; compatIfNeeded;
+    extraPaths = with self; [
+      (fetchNetBSD "lib/libc/gen/fts.c" "9.2" "1a8hmf26242nmv05ipn3ircxb0jqmmi66rh78kkyi9vjwkfl3qn7")
+      (fetchNetBSD "lib/libc/include/namespace.h" "9.2" "0kksr3pdwdc1cplqf5z12ih4cml6l11lqrz91f7hjjm64y7785kc")
+      (fetchNetBSD "lib/libc/gen/fts.3" "9.2" "1asxw0n3fhjdadwkkq3xplfgqgl3q32w1lyrvbakfa3gs0wz5zc1")
+    ];
+    skipIncludesPhase = true;
+    buildPhase = ''
+      "$CC" -c -Iinclude -Ilib/libc/include lib/libc/gen/fts.c \
+          -o lib/libc/gen/fts.o
+      "$AR" -rsc libfts.a lib/libc/gen/fts.o
+    '';
+    installPhase = ''
+      runHook preInstall
+
+      install -D lib/libc/gen/fts.3 $out/share/man/man3/fts.3
+      install -D include/fts.h $out/include/fts.h
+      install -D lib/libc/include/namespace.h $out/include/namespace.h
+      install -D libfts.a $out/lib/libfts.a
+
+      runHook postInstall
+    '';
+    setupHooks = [
+      ../../../build-support/setup-hooks/role.bash
+      ./fts-setup-hook.sh
+    ];
+  };
+
+  # Don't add this to nativeBuildInputs directly.  Use statHook instead.
+  stat = mkDerivation {
+    path = "usr.bin/stat";
+    version = "9.2";
+    sha256 = "18nqwlndfc34qbbgqx5nffil37jfq9aw663ippasfxd2hlyc106x";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff rsync
+    ];
+  };
+
+  # stat isn't in POSIX, and NetBSD stat supports a completely
+  # different range of flags than GNU stat, so including it in PATH
+  # breaks stdenv.  Work around that with a hook that will point
+  # NetBSD's build system and NetBSD stat without including it in
+  # PATH.
+  statHook = makeSetupHook {
+    name = "netbsd-stat-hook";
+  } (writeText "netbsd-stat-hook-impl" ''
+    makeFlagsArray+=(TOOL_STAT=${self.stat}/bin/stat)
+  '');
+
+  tsort = mkDerivation {
+    path = "usr.bin/tsort";
+    version = "9.2";
+    sha256 = "1dqvf9gin29nnq3c4byxc7lfd062pg7m84843zdy6n0z63hnnwiq";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff rsync
+    ];
+  };
+
+  lorder = mkDerivation {
+    path = "usr.bin/lorder";
+    version = "9.2";
+    sha256 = "0rjf9blihhm0n699vr2bg88m4yjhkbxh6fxliaay3wxkgnydjwn2";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff rsync
+    ];
+  };
+  ##
+  ## END BOOTSTRAPPING
+  ##
+
+  ##
+  ## START COMMAND LINE TOOLS
+  ##
+  make = mkDerivation {
+    path = "usr.bin/make";
+    sha256 = "0vi73yicbmbp522qzqvd979cx6zm5jakhy77xh73c1kygf8klccs";
+    version = "9.2";
+
+   postPatch = ''
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.doc.mk \
+       --replace '-o ''${DOCOWN}' "" \
+       --replace '-g ''${DOCGRP}' ""
+     for mk in $BSDSRCDIR/share/mk/bsd.inc.mk $BSDSRCDIR/share/mk/bsd.kinc.mk; do
+       substituteInPlace $mk \
+         --replace '-o ''${BINOWN}' "" \
+         --replace '-g ''${BINGRP}' ""
+     done
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.kmodule.mk \
+       --replace '-o ''${KMODULEOWN}' "" \
+       --replace '-g ''${KMODULEGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.lib.mk \
+       --replace '-o ''${LIBOWN}' "" \
+       --replace '-g ''${LIBGRP}' "" \
+       --replace '-o ''${DEBUGOWN}' "" \
+       --replace '-g ''${DEBUGGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.lua.mk \
+       --replace '-o ''${LIBOWN}' "" \
+       --replace '-g ''${LIBGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.man.mk \
+       --replace '-o ''${MANOWN}' "" \
+       --replace '-g ''${MANGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.nls.mk \
+       --replace '-o ''${NLSOWN}' "" \
+       --replace '-g ''${NLSGRP}' ""
+     substituteInPlace $BSDSRCDIR/share/mk/bsd.prog.mk \
+       --replace '-o ''${BINOWN}' "" \
+       --replace '-g ''${BINGRP}' "" \
+       --replace '-o ''${RUMPBINOWN}' "" \
+       --replace '-g ''${RUMPBINGRP}' "" \
+       --replace '-o ''${DEBUGOWN}' "" \
+       --replace '-g ''${DEBUGGRP}' ""
+
+      # make needs this to pick up our sys make files
+      export NIX_CFLAGS_COMPILE+=" -D_PATH_DEFSYSPATH=\"$out/share/mk\""
+
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.lib.mk \
+        --replace '_INSTRANLIB=''${empty(PRESERVE):?-a "''${RANLIB} -t":}' '_INSTRANLIB='
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.kinc.mk \
+        --replace /bin/rm rm
+    '' + lib.optionalString stdenv.isDarwin ''
+      substituteInPlace $BSDSRCDIR/share/mk/bsd.sys.mk \
+        --replace '-Wl,--fatal-warnings' "" \
+        --replace '-Wl,--warn-shared-textrel' ""
+    '';
+    postInstall = ''
+      make -C $BSDSRCDIR/share/mk FILESDIR=$out/share/mk install
+    '';
+    extraPaths = [
+      (fetchNetBSD "share/mk" "9.2" "0w9x77cfnm6zwy40slradzi0ip9gz80x6lk7pvnlxzsr2m5ra5sy")
+    ];
+  };
+
+  mtree = mkDerivation {
+    path = "usr.sbin/mtree";
+    version = "9.2";
+    sha256 = "04p7w540vz9npvyb8g8hcf2xa05phn1y88hsyrcz3vwanvpc0yv9";
+    extraPaths = with self; [ mknod.src ];
+  };
+
+  mknod = mkDerivation {
+    path = "sbin/mknod";
+    version = "9.2";
+    sha256 = "1d9369shzwgixz3nph991i8q5vk7hr04py3n9avbfbhzy4gndqs2";
+  };
+
+  getent = mkDerivation {
+    path = "usr.bin/getent";
+    sha256 = "1qngywcmm0y7nl8h3n8brvkxq4jw63szbci3kc1q6a6ndhycbbvr";
+    version = "9.2";
+    patches = [ ./getent.patch ];
+  };
+
+  getconf = mkDerivation {
+    path = "usr.bin/getconf";
+    sha256 = "122vslz4j3h2mfs921nr2s6m078zcj697yrb75rwp2hnw3qz4s8q";
+    version = "9.2";
+  };
+
+  locale = mkDerivation {
+    path = "usr.bin/locale";
+    version = "9.2";
+    sha256 = "0kk6v9k2bygq0wf9gbinliqzqpzs9bgxn0ndyl2wcv3hh2bmsr9p";
+    patches = [ ./locale.patch ];
+    NIX_CFLAGS_COMPILE = "-DYESSTR=__YESSTR -DNOSTR=__NOSTR";
+  };
+
+  rpcgen = mkDerivation {
+    path = "usr.bin/rpcgen";
+    version = "9.2";
+    sha256 = "1kfgfx54jg98wbg0d95p0rvf4w0302v8fz724b0bdackdsrd4988";
+  };
+
+  genassym = mkDerivation {
+    path = "usr.bin/genassym";
+    version = "9.2";
+    sha256 = "1acl1dz5kvh9h5806vkz2ap95rdsz7phmynh5i3x5y7agbki030c";
+  };
+
+  gencat = mkDerivation {
+    path = "usr.bin/gencat";
+    version = "9.2";
+    sha256 = "0gd463x1hg36bhr7y0xryb5jyxk0z0g7xvy8rgk82nlbnlnsbbwb";
+  };
+
+  nbperf = mkDerivation {
+    path = "usr.bin/nbperf";
+    version = "9.2";
+    sha256 = "1nxc302vgmjhm3yqdivqyfzslrg0vjpbss44s74rcryrl19mma9r";
+  };
+
+  tic = mkDerivation {
+    path = "tools/tic";
+    version = "9.2";
+    sha256 = "092y7db7k4kh2jq8qc55126r5qqvlb8lq8mhmy5ipbi36hwb4zrz";
+    HOSTPROG = "tic";
+    buildInputs = with self; compatIfNeeded;
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff nbperf rsync
+    ];
+    makeFlags = defaultMakeFlags ++ [ "TOOLDIR=$(out)" ];
+    extraPaths = with self; [
+      libterminfo.src
+      (fetchNetBSD "usr.bin/tic" "9.2" "1mwdfg7yx1g43ss378qsgl5rqhsxskqvsd2mqvrn38qw54i8v5i1")
+      (fetchNetBSD "tools/Makefile.host" "9.2" "15b4ab0n36lqj00j5lz2xs83g7l8isk3wx1wcapbrn66qmzz2sxy")
+    ];
+  };
+
+  uudecode = mkDerivation {
+    path = "usr.bin/uudecode";
+    version = "9.2";
+    sha256 = "00a3zmh15pg4vx6hz0kaa5mi8d2b1sj4h512d7p6wbvxq6mznwcn";
+    NIX_CFLAGS_COMPILE = lib.optional stdenv.isLinux "-DNO_BASE64";
+  };
+
+  cksum = mkDerivation {
+    path = "usr.bin/cksum";
+    version = "9.2";
+    sha256 = "0msfhgyvh5c2jmc6qjnf12c378dhw32ffsl864qz4rdb2b98rfcq";
+    meta.platforms = lib.platforms.netbsd;
+  };
+
+  config = mkDerivation {
+    path = "usr.bin/config";
+    version = "9.2";
+    sha256 = "1yz3n4hncdkk6kp595fh2q5lg150vpqg8iw2dccydkyw4y3hgsjj";
+    NIX_CFLAGS_COMPILE = [ "-DMAKE_BOOTSTRAP" ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal install mandoc byacc flex rsync
+    ];
+    buildInputs = with self; compatIfNeeded;
+    extraPaths = with self; [ cksum.src ];
+  };
+  ##
+  ## END COMMAND LINE TOOLS
+  ##
+
+  ##
+  ## START HEADERS
+  ##
+  include = mkDerivation {
+    path = "include";
+    version = "9.2";
+    sha256 = "0nxnmj4c8s3hb9n3fpcmd0zl3l1nmhivqgi9a35sis943qvpgl9h";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff rsync nbperf rpcgen
+    ];
+
+    # The makefiles define INCSDIR per subdirectory, so we have to set
+    # something else on the command line so those definitions aren't
+    # overridden.
+    postPatch = ''
+      find "$BSDSRCDIR" -name Makefile -exec \
+        sed -i -E \
+          -e 's_/usr/include_''${INCSDIR0}_' \
+          {} \;
+    '';
+
+    # multiple header dirs, see above
+    postConfigure = ''
+      makeFlags=''${makeFlags/INCSDIR/INCSDIR0}
+    '';
+
+    extraPaths = with self; [ common ];
+    headersOnly = true;
+    noCC = true;
+    meta.platforms = lib.platforms.netbsd;
+    makeFlags = defaultMakeFlags ++ [ "RPCGEN_CPP=${buildPackages.stdenv.cc.cc}/bin/cpp" ];
+  };
+
+  common = fetchNetBSD "common" "9.2" "1pfylz9r3ap5wnwwbwczbfjb1m5qdyspzbnmxmcdkpzz2zgj64b9";
+
+  sys-headers = mkDerivation {
+    pname = "sys-headers";
+    path = "sys";
+    version = "9.2";
+    sha256 = "03s18q8d9giipf05bx199fajc2qwikji0djz7hw63d2lya6bfnpj";
+
+    patches = [
+      # Fix this error when building bootia32.efi and bootx64.efi:
+      # error: PHDR segment not covered by LOAD segment
+      ./no-dynamic-linker.patch
+
+      # multiple header dirs, see above
+      ./sys-headers-incsdir.patch
+    ];
+
+    # multiple header dirs, see above
+    inherit (self.include) postPatch;
+
+    CONFIG = "GENERIC";
+
+    propagatedBuildInputs = with self; [ include ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal install tsort lorder statHook rsync uudecode config genassym
+    ];
+
+    postConfigure = ''
+      pushd arch/$MACHINE/conf
+      config $CONFIG
+      popd
+    ''
+      # multiple header dirs, see above
+      + self.include.postConfigure;
+
+    makeFlags = defaultMakeFlags ++ [ "FIRMWAREDIR=$(out)/libdata/firmware" ];
+    hardeningDisable = [ "pic" ];
+    MKKMOD = "no";
+    NIX_CFLAGS_COMPILE = [ "-Wa,--no-warn" ];
+
+    postBuild = ''
+      make -C arch/$MACHINE/compile/$CONFIG $makeFlags
+    '';
+
+    postInstall = ''
+      cp arch/$MACHINE/compile/$CONFIG/netbsd $out
+    '';
+
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ common ];
+
+    installPhase = "includesPhase";
+    dontBuild = true;
+    noCC = true;
+  };
+
+  # The full kernel. We do the funny thing of overridding the headers to the
+  # full kernal and not vice versa to avoid infinite recursion -- the headers
+  # come earlier in the bootstrap.
+  sys = self.sys-headers.override {
+    pname = "sys";
+    installPhase = null;
+    noCC = false;
+    dontBuild = false;
+  };
+
+  headers = symlinkJoin {
+    name = "netbsd-headers-9.2";
+    paths = with self; [
+      include
+      sys-headers
+      libpthread-headers
+    ];
+    meta.platforms = lib.platforms.netbsd;
+  };
+  ##
+  ## END HEADERS
+  ##
+
+  ##
+  ## START LIBRARIES
+  ##
+  libutil = mkDerivation {
+    path = "lib/libutil";
+    version = "9.2";
+    sha256 = "02gm5a5zhh8qp5r5q5r7x8x6x50ir1i0ncgsnfwh1vnrz6mxbq7z";
+    extraPaths = with self; [ common libc.src sys.src ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      byacc install tsort lorder mandoc statHook rsync
+    ];
+    buildInputs = with self; [ headers ];
+    SHLIBINSTALLDIR = "$(out)/lib";
+  };
+
+  libedit = mkDerivation {
+    path = "lib/libedit";
+    version = "9.2";
+    sha256 = "1wqhngraxwqk4jgrf5f18jy195yrp7c06n1gf31pbplq79mg1bcj";
+    buildInputs = with self; [ libterminfo libcurses ];
+    propagatedBuildInputs = with self; compatIfNeeded;
+    SHLIBINSTALLDIR = "$(out)/lib";
+    makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${self.libterminfo}/lib" ];
+    postPatch = ''
+      sed -i '1i #undef bool_t' el.h
+      substituteInPlace config.h \
+        --replace "#define HAVE_STRUCT_DIRENT_D_NAMLEN 1" ""
+      substituteInPlace readline/Makefile --replace /usr/include "$out/include"
+    '';
+    NIX_CFLAGS_COMPILE = [
+      "-D__noinline="
+      "-D__scanflike(a,b)="
+      "-D__va_list=va_list"
+    ];
+  };
+
+  libterminfo = mkDerivation {
+    path = "lib/libterminfo";
+    version = "9.2";
+    sha256 = "0pq05k3dj0dfsczv07frnnji92mazmy2qqngqbx2zgqc1x251414";
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal install tsort lorder mandoc statHook nbperf tic rsync
+    ];
+    buildInputs = with self; compatIfNeeded;
+    SHLIBINSTALLDIR = "$(out)/lib";
+    postPatch = ''
+      substituteInPlace term.c --replace /usr/share $out/share
+      substituteInPlace setupterm.c \
+        --replace '#include <curses.h>' 'void use_env(bool);'
+    '';
+    postBuild = ''
+      make -C $BSDSRCDIR/share/terminfo $makeFlags BINDIR=$out/share
+    '';
+    postInstall = ''
+      make -C $BSDSRCDIR/share/terminfo $makeFlags BINDIR=$out/share install
+    '';
+    extraPaths = with self; [
+      (fetchNetBSD "share/terminfo" "9.2" "1vh9rl4w8118a9qdpblfxmv1wkpm83rm9gb4rzz5bpm56i6d7kk7")
+    ];
+  };
+
+  libcurses = mkDerivation {
+    path = "lib/libcurses";
+    version = "9.2";
+    sha256 = "0pd0dggl3w4bv5i5h0s1wrc8hr66n4hkv3zlklarwfdhc692fqal";
+    buildInputs = with self; [ libterminfo ];
+    NIX_CFLAGS_COMPILE = [
+      "-D__scanflike(a,b)="
+      "-D__va_list=va_list"
+      "-D__warn_references(a,b)="
+    ] ++ lib.optional stdenv.isDarwin "-D__strong_alias(a,b)=";
+    propagatedBuildInputs = with self; compatIfNeeded;
+    MKDOC = "no"; # missing vfontedpr
+    makeFlags = defaultMakeFlags ++ [ "LIBDO.terminfo=${self.libterminfo}/lib" ];
+    postPatch = lib.optionalString (!stdenv.isDarwin) ''
+      substituteInPlace printw.c \
+        --replace "funopen(win, NULL, __winwrite, NULL, NULL)" NULL \
+        --replace "__strong_alias(vwprintw, vw_printw)" 'extern int vwprintw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_printw")));'
+      substituteInPlace scanw.c \
+        --replace "__strong_alias(vwscanw, vw_scanw)" 'extern int vwscanw(WINDOW*, const char*, va_list) __attribute__ ((alias ("vw_scanw")));'
+    '';
+  };
+
+  column = mkDerivation {
+    path = "usr.bin/column";
+    version = "9.2";
+    sha256 = "0r6b0hjn5ls3j3sv6chibs44fs32yyk2cg8kh70kb4cwajs4ifyl";
+  };
+
+  libossaudio = mkDerivation {
+    path = "lib/libossaudio";
+    version = "9.2";
+    sha256 = "16l3bfy6dcwqnklvh3x0ps8ld1y504vf57v9rx8f9adzhb797jh0";
+    meta.platforms = lib.platforms.netbsd;
+  };
+
+  librpcsvc = mkDerivation {
+    path = "lib/librpcsvc";
+    version = "9.2";
+    sha256 = "1q34pfiyjbrgrdqm46jwrsqms49ly6z3b0xh1wg331zga900vq5n";
+    makeFlags = defaultMakeFlags ++ [ "INCSDIR=$(out)/include/rpcsvc" ];
+    meta.platforms = lib.platforms.netbsd;
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install tsort lorder rpcgen statHook
+    ];
+  };
+
+  librt = mkDerivation {
+    path = "lib/librt";
+    version = "9.2";
+    sha256 = "07f8mpjcqh5kig5z5sp97fg55mc4dz6aa1x5g01nv2pvbmqczxc6";
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ libc.src ] ++ libc.extraPaths;
+    postPatch = ''
+      sed -i 's,/usr\(/include/sys/syscall.h\),${self.headers}\1,g' \
+        $BSDSRCDIR/lib/{libc,librt}/sys/Makefile.inc
+    '';
+  };
+
+  libcrypt = mkDerivation {
+    path = "lib/libcrypt";
+    version = "9.2";
+    sha256 = "0siqan1wdqmmhchh2n8w6a8x1abbff8n4yb6jrqxap3hqn8ay54g";
+    SHLIBINSTALLDIR = "$(out)/lib";
+    meta.platforms = lib.platforms.netbsd;
+  };
+
+  libpthread-headers = mkDerivation {
+    pname = "libpthread-headers";
+    path = "lib/libpthread";
+    version = "9.2";
+    sha256 = "0mlmc31k509dwfmx5s2x010wxjc44mr6y0cbmk30cfipqh8c962h";
+    installPhase = "includesPhase";
+    dontBuild = true;
+    noCC = true;
+    meta.platforms = lib.platforms.netbsd;
+  };
+
+  libpthread = self.libpthread-headers.override {
+    pname = "libpthread";
+    installPhase = null;
+    noCC = false;
+    dontBuild = false;
+    buildInputs = with self; [ headers ];
+    SHLIBINSTALLDIR = "$(out)/lib";
+    extraPaths = with self; [ common libc.src librt.src sys.src ];
+  };
+
+  libresolv = mkDerivation {
+    path = "lib/libresolv";
+    version = "9.2";
+    sha256 = "1am74s74mf1ynwz3p4ncjkg63f78a1zjm983q166x4sgzps15626";
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ libc.src ];
+  };
+
+  libm = mkDerivation {
+    path = "lib/libm";
+    version = "9.2";
+    sha256 = "1apwfr26shdmbqqnmg7hxf7bkfxw44ynqnnnghrww9bnhqdnsy92";
+    SHLIBINSTALLDIR = "$(out)/lib";
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ sys.src ];
+  };
+
+  i18n_module = mkDerivation {
+    path = "lib/i18n_module";
+    version = "9.2";
+    sha256 = "0w6y5v3binm7gf2kn7y9jja8k18rhnyl55cvvfnfipjqdxvxd9jd";
+    meta.platforms = lib.platforms.netbsd;
+    extraPaths = with self; [ libc.src ];
+  };
+
+  csu = mkDerivation {
+    path = "lib/csu";
+    version = "9.2";
+    sha256 = "0al5jfazvhlzn9hvmnrbchx4d0gm282hq5gp4xs2zmj9ycmf6d03";
+    meta.platforms = lib.platforms.netbsd;
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff flex
+      byacc genassym gencat lorder tsort statHook rsync
+    ];
+    buildInputs = with self; [ headers ];
+    extraPaths = with self; [ sys.src ld_elf_so.src ];
+  };
+
+  ld_elf_so = mkDerivation {
+    path  = "libexec/ld.elf_so";
+    version = "9.2";
+    sha256 = "0ia9mqzdljly0vqfwflm5mzz55k7qsr4rw2bzhivky6k30vgirqa";
+    meta.platforms = lib.platforms.netbsd;
+    LIBC_PIC = "${self.libc}/lib/libc_pic.a";
+    # Hack to prevent a symlink being installed here for compatibility.
+    SHLINKINSTALLDIR = "/usr/libexec";
+    USE_FORT = "yes";
+    makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/libexec" "CLIBOBJ=${self.libc}/lib" ];
+    extraPaths = with self; [ libc.src ] ++ libc.extraPaths;
+  };
+
+  _mainLibcExtraPaths = with self; [
+      common i18n_module.src sys.src
+      ld_elf_so.src libpthread.src libm.src libresolv.src
+      librpcsvc.src libutil.src librt.src libcrypt.src
+  ];
+
+  libc = mkDerivation {
+    path = "lib/libc";
+    version = "9.2";
+    sha256 = "1y9c13igg0kai07sqvf9cm6yqmd8lhfd8hq3q7biilbgs1l99as3";
+    USE_FORT = "yes";
+    MKPROFILE = "no";
+    extraPaths = with self; _mainLibcExtraPaths ++ [
+      (fetchNetBSD "external/bsd/jemalloc" "9.2" "0cq704swa0h2yxv4gc79z2lwxibk9k7pxh3q5qfs7axx3jx3n8kb")
+    ];
+    nativeBuildInputs = with buildPackages.netbsd; [
+      bsdSetupHook netbsdSetupHook
+      makeMinimal
+      install mandoc groff flex
+      byacc genassym gencat lorder tsort statHook rsync rpcgen
+    ];
+    buildInputs = with self; [ headers csu ];
+    NIX_CFLAGS_COMPILE = "-B${self.csu}/lib";
+    meta.platforms = lib.platforms.netbsd;
+    SHLIBINSTALLDIR = "$(out)/lib";
+    MKPICINSTALL = "yes";
+    NLSDIR = "$(out)/share/nls";
+    makeFlags = defaultMakeFlags ++ [ "FILESDIR=$(out)/var/db"];
+    postInstall = ''
+      pushd ${self.headers}
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+      popd
+
+      pushd ${self.csu}
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec cp -pr \{} $out/\{} \;
+      popd
+
+      NIX_CFLAGS_COMPILE+=" -B$out/lib"
+      NIX_CFLAGS_COMPILE+=" -I$out/include"
+      NIX_LDFLAGS+=" -L$out/lib"
+
+      make -C $BSDSRCDIR/lib/libpthread $makeFlags
+      make -C $BSDSRCDIR/lib/libpthread $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libm $makeFlags
+      make -C $BSDSRCDIR/lib/libm $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libresolv $makeFlags
+      make -C $BSDSRCDIR/lib/libresolv $makeFlags install
+
+      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags
+      make -C $BSDSRCDIR/lib/librpcsvc $makeFlags install
+
+      make -C $BSDSRCDIR/lib/i18n_module $makeFlags
+      make -C $BSDSRCDIR/lib/i18n_module $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libutil $makeFlags
+      make -C $BSDSRCDIR/lib/libutil $makeFlags install
+
+      make -C $BSDSRCDIR/lib/librt $makeFlags
+      make -C $BSDSRCDIR/lib/librt $makeFlags install
+
+      make -C $BSDSRCDIR/lib/libcrypt $makeFlags
+      make -C $BSDSRCDIR/lib/libcrypt $makeFlags install
+    '';
+    inherit (self.librt) postPatch;
+  };
+  #
+  # END LIBRARIES
+  #
+
+  #
+  # START MISCELLANEOUS
+  #
+  dict = mkDerivation {
+    path = "share/dict";
+    noCC = true;
+    version = "9.2";
+    sha256 = "0svfc0byk59ri37pyjslv4c4rc7zw396r73mr593i78d39q5g3ad";
+    makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/share" ];
+  };
+
+  misc = mkDerivation {
+    path = "share/misc";
+    noCC = true;
+    version = "9.2";
+    sha256 = "1j2cdssdx6nncv8ffj7f7ybl7m9hadjj8vm8611skqdvxnjg6nbc";
+    makeFlags = defaultMakeFlags ++ [ "BINDIR=$(out)/share" ];
+  };
+
+  man = mkDerivation {
+    path = "share/man";
+    noCC = true;
+    version = "9.2";
+    sha256 = "1l4lmj4kmg8dl86x94sr45w0xdnkz8dn4zjx0ipgr9bnq98663zl";
+    # man0 generates a man.pdf using ps2pdf, but doesn't install it later,
+    # so we can avoid the dependency on ghostscript
+    postPatch = ''
+      substituteInPlace man0/Makefile --replace "ps2pdf" "echo noop "
+    '';
+    makeFlags = defaultMakeFlags ++ [
+      "FILESDIR=$(out)/share"
+      "MKRUMP=no" # would require to have additional path sys/rump/share/man
+    ];
+  };
+  #
+  # END MISCELLANEOUS
+  #
+
+})
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh
new file mode 100644
index 000000000000..b6cb5aaca05b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/fts-setup-hook.sh
@@ -0,0 +1,4 @@
+# See pkgs/build-support/setup-hooks/role.bash
+getHostRole
+
+export NIX_LDFLAGS${role_post}+=" -lfts"
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/getent.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/getent.patch
new file mode 100644
index 000000000000..e9e34d19a315
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/getent.patch
@@ -0,0 +1,455 @@
+Author: Matthew Bauer
+Description: Remove unavailable getent databases
+Version: 7.1.2
+--- a/getent.c	2018-04-16 13:33:49.000000000 -0500
++++ b/getent.c	2018-04-16 13:29:30.000000000 -0500
+@@ -42,7 +42,6 @@
+ #include <grp.h>
+ #include <limits.h>
+ #include <netdb.h>
+-#include <netgroup.h>
+ #include <pwd.h>
+ #include <stdio.h>
+ #include <stdarg.h>
+@@ -57,27 +56,16 @@
+ #include <arpa/nameser.h>
+ 
+ #include <net/if.h>
+-#include <net/if_ether.h>
+ 
+ #include <netinet/in.h>		/* for INET6_ADDRSTRLEN */
+ 
+-#include <rpc/rpcent.h>
+-
+-#include <disktab.h>
+-
+ static int	usage(void) __attribute__((__noreturn__));
+ static int	parsenum(const char *, unsigned long *);
+-static int	disktab(int, char *[]);
+-static int	gettytab(int, char *[]);
+-static int	ethers(int, char *[]);
+ static int	group(int, char *[]);
+ static int	hosts(int, char *[]);
+-static int	netgroup(int, char *[]);
+ static int	networks(int, char *[]);
+ static int	passwd(int, char *[]);
+-static int	printcap(int, char *[]);
+ static int	protocols(int, char *[]);
+-static int	rpc(int, char *[]);
+ static int	services(int, char *[]);
+ static int	shells(int, char *[]);
+ 
+@@ -92,17 +80,11 @@
+ 	const char	*name;
+ 	int		(*callback)(int, char *[]);
+ } databases[] = {
+-	{	"disktab",	disktab,	},
+-	{	"ethers",	ethers,		},
+-	{	"gettytab",	gettytab,	},
+ 	{	"group",	group,		},
+ 	{	"hosts",	hosts,		},
+-	{	"netgroup",	netgroup,	},
+ 	{	"networks",	networks,	},
+ 	{	"passwd",	passwd,		},
+-	{	"printcap",	printcap,	},
+ 	{	"protocols",	protocols,	},
+-	{	"rpc",		rpc,		},
+ 	{	"services",	services,	},
+ 	{	"shells",	shells,		},
+ 
+@@ -195,49 +177,6 @@
+ 	(void)printf("\n");
+ }
+ 
+-
+-		/*
+-		 * ethers
+-		 */
+-
+-static int
+-ethers(int argc, char *argv[])
+-{
+-	char		hostname[MAXHOSTNAMELEN + 1], *hp;
+-	struct ether_addr ea, *eap;
+-	int		i, rv;
+-
+-	assert(argc > 1);
+-	assert(argv != NULL);
+-
+-#define ETHERSPRINT	(void)printf("%-17s  %s\n", ether_ntoa(eap), hp)
+-
+-	rv = RV_OK;
+-	if (argc == 2) {
+-		warnx("Enumeration not supported on ethers");
+-		rv = RV_NOENUM;
+-	} else {
+-		for (i = 2; i < argc; i++) {
+-			if ((eap = ether_aton(argv[i])) == NULL) {
+-				eap = &ea;
+-				hp = argv[i];
+-				if (ether_hostton(hp, eap) != 0) {
+-					rv = RV_NOTFOUND;
+-					break;
+-				}
+-			} else {
+-				hp = hostname;
+-				if (ether_ntohost(hp, eap) != 0) {
+-					rv = RV_NOTFOUND;
+-					break;
+-				}
+-			}
+-			ETHERSPRINT;
+-		}
+-	}
+-	return rv;
+-}
+-
+ 		/*
+ 		 * group
+ 		 */
+@@ -298,7 +237,7 @@
+ hosts(int argc, char *argv[])
+ {
+ 	struct hostent	*he;
+-	char		addr[IN6ADDRSZ];
++	char		addr[NS_IN6ADDRSZ];
+ 	int		i, rv;
+ 
+ 	assert(argc > 1);
+@@ -312,9 +251,9 @@
+ 	} else {
+ 		for (i = 2; i < argc; i++) {
+ 			if (inet_pton(AF_INET6, argv[i], (void *)addr) > 0)
+-				he = gethostbyaddr(addr, IN6ADDRSZ, AF_INET6);
++				he = gethostbyaddr(addr, NS_IN6ADDRSZ, AF_INET6);
+ 			else if (inet_pton(AF_INET, argv[i], (void *)addr) > 0)
+-				he = gethostbyaddr(addr, INADDRSZ, AF_INET);
++				he = gethostbyaddr(addr, NS_INADDRSZ, AF_INET);
+ 			else
+ 				he = gethostbyname(argv[i]);
+ 			if (he != NULL)
+@@ -330,48 +269,6 @@
+ }
+ 
+ 		/*
+-		 * netgroup
+-		 */
+-static int
+-netgroup(int argc, char *argv[])
+-{
+-	int		rv, i;
+-	bool		first;
+-	const char	*host, *user, *domain;
+-
+-	assert(argc > 1);
+-	assert(argv != NULL);
+-
+-#define NETGROUPPRINT(s)	(((s) != NULL) ? (s) : "")
+-
+-	rv = RV_OK;
+-	if (argc == 2) {
+-		warnx("Enumeration not supported on netgroup");
+-		rv = RV_NOENUM;
+-	} else {
+-		for (i = 2; i < argc; i++) {
+-			setnetgrent(argv[i]);
+-			first = true;
+-			while (getnetgrent(&host, &user, &domain) != 0) {
+-				if (first) {
+-					first = false;
+-					(void)fputs(argv[i], stdout);
+-				}
+-				(void)printf(" (%s,%s,%s)",
+-				    NETGROUPPRINT(host),
+-				    NETGROUPPRINT(user),
+-				    NETGROUPPRINT(domain));
+-			}
+-			if (!first)
+-				(void)putchar('\n');
+-			endnetgrent();
+-		}
+-	}
+-
+-	return rv;
+-}
+-
+-		/*
+ 		 * networks
+ 		 */
+ 
+@@ -464,227 +361,6 @@
+ 	return rv;
+ }
+ 
+-static char *
+-mygetent(const char * const * db_array, const char *name)
+-{
+-	char *buf = NULL;
+-	int error;
+-
+-	switch (error = cgetent(&buf, db_array, name)) {
+-	case -3:
+-		warnx("tc= loop in record `%s' in `%s'", name, db_array[0]);
+-		break;
+-	case -2:
+-		warn("system error fetching record `%s' in `%s'", name,
+-		    db_array[0]);
+-		break;
+-	case -1:
+-	case 0:
+-		break;
+-	case 1:
+-		warnx("tc= reference not found in record for `%s' in `%s'",
+-		    name, db_array[0]);
+-		break;
+-	default:
+-		warnx("unknown error %d in record `%s' in `%s'", error, name,
+-		    db_array[0]);
+-		break;
+-	}
+-	return buf;
+-}
+-
+-static char *
+-mygetone(const char * const * db_array, int first)
+-{
+-	char *buf = NULL;
+-	int error;
+-
+-	switch (error = (first ? cgetfirst : cgetnext)(&buf, db_array)) {
+-	case -2:
+-		warnx("tc= loop in `%s'", db_array[0]);
+-		break;
+-	case -1:
+-		warn("system error fetching record in `%s'", db_array[0]);
+-		break;
+-	case 0:
+-	case 1:
+-		break;
+-	case 2:
+-		warnx("tc= reference not found in `%s'", db_array[0]);
+-		break;
+-	default:
+-		warnx("unknown error %d in `%s'", error, db_array[0]);
+-		break;
+-	}
+-	return buf;
+-}
+-
+-static void
+-capprint(const char *cap)
+-{
+-	char *c = strchr(cap, ':');
+-	if (c)
+-		if (c == cap)
+-			(void)printf("true\n");
+-		else {
+-			int l = (int)(c - cap);
+-			(void)printf("%*.*s\n", l, l, cap);
+-		}
+-	else
+-		(void)printf("%s\n", cap);
+-}
+-
+-static void
+-prettyprint(char *b)
+-{
+-#define TERMWIDTH 65
+-	int did = 0;
+-	size_t len;
+-	char *s, c;
+-
+-	for (;;) {
+-		len = strlen(b);
+-		if (len <= TERMWIDTH) {
+-done:
+-			if (did)
+-				printf("\t:");
+-			printf("%s\n", b);
+-			return;
+-		}
+-		for (s = b + TERMWIDTH; s > b && *s != ':'; s--)
+-			continue;
+-		if (*s++ != ':')
+-			goto done;
+-		c = *s;
+-		*s = '\0';
+-		if (did)
+-			printf("\t:");
+-		did++;
+-		printf("%s\\\n", b);
+-		*s = c;
+-		b = s;
+-	}
+-}
+-
+-static void
+-handleone(const char * const *db_array, char *b, int recurse, int pretty,
+-    int level)
+-{
+-	char *tc;
+-
+-	if (level && pretty)
+-		printf("\n");
+-	if (pretty)
+-		prettyprint(b);
+-	else
+-		printf("%s\n", b);
+-	if (!recurse || cgetstr(b, "tc", &tc) <= 0)
+-		return;
+-
+-	b = mygetent(db_array, tc);
+-	free(tc);
+-
+-	if (b == NULL)
+-		return;
+-
+-	handleone(db_array, b, recurse, pretty, ++level);
+-	free(b);
+-}
+-
+-static int
+-handlecap(const char *db, int argc, char *argv[])
+-{
+-	static const char sfx[] = "=#:";
+-	const char *db_array[] = { db, NULL };
+-	char	*b, *cap;
+-	int	i, rv, c;
+-	size_t	j;
+-	int	expand = 1, recurse = 0, pretty = 0;
+-
+-	assert(argc > 1);
+-	assert(argv != NULL);
+-
+-	argc--;
+-	argv++;
+-	while ((c = getopt(argc, argv, "pnr")) != -1)
+-		switch (c) {
+-		case 'n':
+-			expand = 0;
+-			break;
+-		case 'r':
+-			expand = 0;
+-			recurse = 1;
+-			break;
+-		case 'p':
+-			pretty = 1;
+-			break;
+-		default:
+-			usage();
+-			break;
+-		}
+-
+-	argc -= optind;
+-	argv += optind;
+-	csetexpandtc(expand);
+-	rv = RV_OK;
+-	if (argc == 0) {
+-		for (b = mygetone(db_array, 1); b; b = mygetone(db_array, 0)) {
+-			handleone(db_array, b, recurse, pretty, 0);
+-			free(b);
+-		}
+-	} else {
+-		if ((b = mygetent(db_array, argv[0])) == NULL)
+-			return RV_NOTFOUND;
+-		if (argc == 1)
+-			handleone(db_array, b, recurse, pretty, 0);
+-		else {
+-			for (i = 2; i < argc; i++) {
+-				for (j = 0; j < sizeof(sfx) - 1; j++) {
+-					cap = cgetcap(b, argv[i], sfx[j]);
+-					if (cap) {
+-						capprint(cap);
+-						break;
+-					} 
+-				}
+-				if (j == sizeof(sfx) - 1)
+-					printf("false\n");
+-			}
+-		}
+-		free(b);
+-	}
+-	return rv;
+-}
+-
+-		/*
+-		 * gettytab
+-		 */
+-
+-static int
+-gettytab(int argc, char *argv[])
+-{
+-	return handlecap(_PATH_GETTYTAB, argc, argv);
+-}
+-
+-		/*
+-		 * printcap
+-		 */
+-
+-static int
+-printcap(int argc, char *argv[])
+-{
+-	return handlecap(_PATH_PRINTCAP, argc, argv);
+-}
+-
+-		/*
+-		 * disktab
+-		 */
+-
+-static int
+-disktab(int argc, char *argv[])
+-{
+-	return handlecap(_PATH_DISKTAB, argc, argv);
+-}
+-
+ 		/*
+ 		 * protocols
+ 		 */
+@@ -726,47 +402,6 @@
+ }
+ 
+ 		/*
+-		 * rpc
+-		 */
+-
+-static int
+-rpc(int argc, char *argv[])
+-{
+-	struct rpcent	*re;
+-	unsigned long	id;
+-	int		i, rv;
+-	
+-	assert(argc > 1);
+-	assert(argv != NULL);
+-
+-#define RPCPRINT	printfmtstrings(re->r_aliases, "  ", " ", \
+-				"%-16s  %6d", \
+-				re->r_name, re->r_number)
+-
+-	setrpcent(1);
+-	rv = RV_OK;
+-	if (argc == 2) {
+-		while ((re = getrpcent()) != NULL)
+-			RPCPRINT;
+-	} else {
+-		for (i = 2; i < argc; i++) {
+-			if (parsenum(argv[i], &id))
+-				re = getrpcbynumber((int)id);
+-			else
+-				re = getrpcbyname(argv[i]);
+-			if (re != NULL)
+-				RPCPRINT;
+-			else {
+-				rv = RV_NOTFOUND;
+-				break;
+-			}
+-		}
+-	}
+-	endrpcent();
+-	return rv;
+-}
+-
+-		/*
+ 		 * services
+ 		 */
+ 
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/install-setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/netbsd/install-setup-hook.sh
new file mode 100644
index 000000000000..4bfd4d785fac
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/install-setup-hook.sh
@@ -0,0 +1,8 @@
+addNetBSDInstallMakeFlags() {
+  export INSTALL_FILE="install -U -c"
+  export INSTALL_DIR="install -U -d"
+  export INSTALL_LINK="install -U -l h"
+  export INSTALL_SYMLINK="install -U -l s"
+}
+
+preConfigureHooks+=(addNetBSDInstallMakeFlags)
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc b/nixpkgs/pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc
new file mode 100644
index 000000000000..3aadabe50882
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/libbsd-overlay.pc
@@ -0,0 +1,11 @@
+prefix=@out@
+exec_prefix=${prefix}
+libdir=${exec_prefix}/lib
+includedir=${prefix}/include
+
+Name: nbcompat
+Description: NetBSD compatibility framework
+Version: @version@
+URL: https://www.netbsd.org/
+Libs: -L${libdir} -lnbcompat
+Cflags: -I${includedir} -DHAVE_NBTOOL_CONFIG_H -include nbtool_config.h
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/locale.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/locale.patch
new file mode 100644
index 000000000000..1df9eb385625
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/locale.patch
@@ -0,0 +1,85 @@
+--- a/locale.c	2018-06-11 14:39:06.449762000 -0400
++++ b/locale.c	2018-06-11 14:42:28.461122899 -0400
+@@ -56,14 +56,8 @@
+ #include <stringlist.h>
+ #include <unistd.h>
+ 
+-#include "citrus_namespace.h"
+-#include "citrus_region.h"
+-#include "citrus_lookup.h"
+-#include "setlocale_local.h"
+-
+ /* Local prototypes */
+ void	init_locales_list(void);
+-void	init_locales_list_alias(void);
+ void	list_charmaps(void);
+ void	list_locales(void);
+ const char *lookup_localecat(int);
+@@ -221,6 +215,8 @@
+ };
+ #define NKWINFO (sizeof(kwinfo)/sizeof(kwinfo[0]))
+ 
++const char *_PathLocale = NULL;
++
+ int
+ main(int argc, char *argv[])
+ {
+@@ -411,8 +407,7 @@
+ 	while ((dp = readdir(dirp)) != NULL) {
+ 		/* exclude "." and "..", _LOCALE_ALIAS_NAME */
+ 		if ((dp->d_name[0] != '.' || (dp->d_name[1] != '\0' &&
+-		    (dp->d_name[1] != '.' ||  dp->d_name[2] != '\0'))) &&
+-		    strcmp(_LOCALE_ALIAS_NAME, dp->d_name) != 0) {
++		    (dp->d_name[1] != '.' ||  dp->d_name[2] != '\0')))) {
+ 			s = strdup(dp->d_name);
+ 			if (s == NULL)
+ 				err(1, "could not allocate memory");
+@@ -431,48 +426,10 @@
+ 	if (sl_find(locales, "C") == NULL)
+ 		sl_add(locales, "C");
+ 
+-	init_locales_list_alias();
+-
+ 	/* make output nicer, sort the list */
+ 	qsort(locales->sl_str, locales->sl_cur, sizeof(char *), scmp);
+ }
+ 
+-void
+-init_locales_list_alias(void)
+-{
+-	char aliaspath[PATH_MAX];
+-	struct _lookup *hlookup;
+-	struct _region key, dat;
+-	size_t n;
+-	char *s, *t;
+-
+-	_DIAGASSERT(locales != NULL);
+-	_DIAGASSERT(_PathLocale != NULL);
+-
+-	(void)snprintf(aliaspath, sizeof(aliaspath),
+-		"%s/" _LOCALE_ALIAS_NAME, _PathLocale);
+-
+-	if (_lookup_seq_open(&hlookup, aliaspath,
+-	    _LOOKUP_CASE_SENSITIVE) == 0) {
+-		while (_lookup_seq_next(hlookup, &key, &dat) == 0) {
+-			n = _region_size((const struct _region *)&key);
+-			s = _region_head((const struct _region *)&key);
+-			for (t = s; n > 0 && *s!= '/'; --n, ++s);
+-			n = (size_t)(s - t);
+-			s = malloc(n + 1);
+-			if (s == NULL)
+-				err(1, "could not allocate memory");
+-			memcpy(s, t, n);
+-			s[n] = '\0';
+-			if (sl_find(locales, s) == NULL)
+-				sl_add(locales, s);
+-			else
+-				free(s);
+-		}
+-		_lookup_seq_close(hlookup);
+-	}
+-}
+-
+ /*
+  * Show current locale status, depending on environment variables
+  */
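Review bot: The added `const char *_PathLocale = NULL;` before `main` is never assigned in the lines shown, so every remaining reader of it gets NULL. The removed `init_locales_list_alias` asserted `_PathLocale != NULL`, which suggests the rest of `init_locales_list` (outside these hunks) still depends on it, presumably to locate the locale directory; if so, locale listing fails or misbehaves on every run. Either initialise it to the directory the package actually installs locales into, or guard the use with an explicit error such as `if (_PathLocale == NULL) errx(1, "locale directory not configured");`. A one-line comment on the definition, for example `/* stand-in for the libc symbol; stays NULL in this build */`, would make the limitation visible to the next reader.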
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch
new file mode 100644
index 000000000000..5a2b9092a5c5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/no-dynamic-linker.patch
@@ -0,0 +1,16 @@
+===================================================================
+RCS file: /ftp/cvs/cvsroot/src/sys/arch/i386/stand/efiboot/Makefile.efiboot,v
+rcsdiff: /ftp/cvs/cvsroot/src/sys/arch/i386/stand/efiboot/Makefile.efiboot,v: warning: Unknown phrases like `commitid ...;' are present.
+retrieving revision 1.16
+retrieving revision 1.17
+diff -u -p -r1.16 -r1.17
+--- sys/arch/i386/stand/efiboot/Makefile.efiboot	2019/09/13 02:19:45	1.16
++++ sys/arch/i386/stand/efiboot/Makefile.efiboot	2020/04/04 15:30:46	1.17
+@@ -41,6 +41,7 @@ BINMODE=444
+ .PATH:	${.CURDIR}/../../libsa
+ 
+ LDSCRIPT?= ${.CURDIR}/ldscript
++LDFLAGS+= --no-dynamic-linker --noinhibit-exec
+ LDFLAGS+= -nostdlib -T${LDSCRIPT} -Bsymbolic -shared -nocombreloc
+ CPPFLAGS+= -I$S -I${.CURDIR} -I${.CURDIR}/.. -I$S/lib/libsa
+ CPPFLAGS+= -I${.OBJDIR}
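Review bot: `--noinhibit-exec` on the added `LDFLAGS` line tells the linker to keep the output file even when it reports errors, so an efiboot image with, for example, unresolved symbols could still be produced without the build stopping. The patch's file name and RCS header describe only the `--no-dynamic-linker` half of the change. Add a description line at the top of the patch saying which link error this toolchain hits and why it is safe to ignore for a boot loader, or reduce the line to `LDFLAGS+= --no-dynamic-linker` if the link succeeds without the second flag. The Makefile continues outside the hunk.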
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/netbsd/setup-hook.sh
new file mode 100644
index 000000000000..fa8b19e7d8ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/setup-hook.sh
@@ -0,0 +1,15 @@
+mergeNetBSDSourceDir() {
+  # merge together all extra paths
+  # there should be a better way to do this
+  chmod -R u+w $BSDSRCDIR
+  for path in $extraPaths; do
+    rsync -Er --chmod u+w $path/ $BSDSRCDIR/
+  done
+}
+
+addNetBSDMakeFlags() {
+  makeFlags="INCSDIR=${!outputDev}/include $makeFlags"
+}
+
+postUnpackHooks+=(mergeNetBSDSourceDir)
+preConfigureHooks+=(addNetBSDMakeFlags)
diff --git a/nixpkgs/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch b/nixpkgs/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch
new file mode 100644
index 000000000000..ed85f8ea5b0c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/netbsd/sys-headers-incsdir.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 3f1e18dc659d..163362b82f94 100644
+--- a/Makefile
++++ b/Makefile
+@@ -2,6 +2,8 @@
+ 
+ .include <bsd.own.mk>
+ 
++INCSDIR= ${INCSDIR0}
++
+ SUBDIR=	altq arch compat dev fs miscfs \
+ 	net net80211 netatalk netbt netcan netipsec netinet netinet6 \
+         netmpls netsmb \
diff --git a/nixpkgs/pkgs/os-specific/bsd/setup-hook.sh b/nixpkgs/pkgs/os-specific/bsd/setup-hook.sh
new file mode 100644
index 000000000000..4bdfde68b62e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/bsd/setup-hook.sh
@@ -0,0 +1,109 @@
+# BSD makefiles should be able to detect this
+# but without they end up using gcc on Darwin stdenv
+addMakeFlags() {
+  export setOutputFlags=
+
+  export LIBCRT0=
+  export LIBCRTI=
+  export LIBCRTEND=
+  export LIBCRTBEGIN=
+  export LIBC=
+  export LIBUTIL=
+  export LIBSSL=
+  export LIBCRYPTO=
+  export LIBCRYPT=
+  export LIBCURSES=
+  export LIBTERMINFO=
+  export LIBM=
+  export LIBL=
+
+  export _GCC_CRTBEGIN=
+  export _GCC_CRTBEGINS=
+  export _GCC_CRTEND=
+  export _GCC_CRTENDS=
+  export _GCC_LIBGCCDIR=
+  export _GCC_CRTI=
+  export _GCC_CRTN=
+  export _GCC_CRTDIR=
+
+  # Definitions passed to share/mk/*.mk. Should be pretty simple -
+  # eventually maybe move it to a configure script.
+  export DESTDIR=
+  export USETOOLS=never
+  export NOCLANGERROR=yes
+  export NOGCCERROR=yes
+  export LEX=flex
+  export MKUNPRIVED=yes
+  export EXTERNAL_TOOLCHAIN=yes
+
+  makeFlags="MACHINE=$MACHINE $makeFlags"
+  makeFlags="MACHINE_ARCH=$MACHINE_ARCH $makeFlags"
+  makeFlags="AR=$AR $makeFlags"
+  makeFlags="CC=$CC $makeFlags"
+  makeFlags="CPP=$CPP $makeFlags"
+  makeFlags="CXX=$CXX $makeFlags"
+  makeFlags="LD=$LD $makeFlags"
+  makeFlags="STRIP=$STRIP $makeFlags"
+
+  makeFlags="BINDIR=${!outputBin}/bin $makeFlags"
+  makeFlags="LIBDIR=${!outputLib}/lib $makeFlags"
+  makeFlags="SHLIBDIR=${!outputLib}/lib $makeFlags"
+  makeFlags="MANDIR=${!outputMan}/share/man $makeFlags"
+  makeFlags="INFODIR=${!outputInfo}/share/info $makeFlags"
+  makeFlags="DOCDIR=${!outputDoc}/share/doc $makeFlags"
+  makeFlags="LOCALEDIR=${!outputLib}/share/locale $makeFlags"
+
+  # Parallel building. Needs the space.
+  makeFlags="-j $NIX_BUILD_CORES $makeFlags"
+}
+
+setBSDSourceDir() {
+  sourceRoot=$PWD/$sourceRoot
+  export BSDSRCDIR=$sourceRoot
+  export _SRC_TOP_=$BSDSRCDIR
+
+  cd $sourceRoot
+  if [ -d "$BSD_PATH" ]
+    then sourceRoot=$sourceRoot/$BSD_PATH
+  fi
+}
+
+includesPhase() {
+  if [ -z "${skipIncludesPhase:-}" ]; then
+    runHook preIncludes
+
+    local flagsArray=(
+         $makeFlags ${makeFlagsArray+"${makeFlagsArray[@]}"}
+         includes
+    )
+
+    echoCmd 'includes flags' "${flagsArray[@]}"
+    make ${makefile:+-f $makefile} "${flagsArray[@]}"
+
+    moveUsrDir
+
+    runHook postIncludes
+  fi
+}
+
+moveUsrDir() {
+  if [ -d $prefix ]; then
+    # Remove lingering /usr references
+    if [ -d $prefix/usr ]; then
+      # Didn't try using rsync yet because per
+      # https://unix.stackexchange.com/questions/127712/merging-folders-with-mv,
+      # it's not neessarily better.
+      pushd $prefix/usr
+      find . -type d -exec mkdir -p $out/\{} \;
+      find . \( -type f -o -type l \) -exec mv \{} $out/\{} \;
+      popd
+    fi
+
+    find $prefix -type d -empty -delete
+  fi
+}
+
+postUnpackHooks+=(setBSDSourceDir)
+preConfigureHooks+=(addMakeFlags)
+preInstallHooks+=(includesPhase)
+fixupOutputHooks+=(moveUsrDir)
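Review bot: `moveUsrDir` reads from `$prefix/usr` but writes to `$out`, and it is registered in `fixupOutputHooks`, which stdenv runs once per output with `prefix` set to that output. For a derivation with more than one output, files under another output's `usr/` would be moved into `$out` and can silently replace files already there. Using the same root on both sides keeps each output self-contained: `find . -type d -exec mkdir -p "$prefix"/\{} \;` and `find . \( -type f -o -type l \) -exec mv \{} "$prefix"/\{} \;`. Quoting the variable in the two tests, `[ -d "$prefix" ]` and `[ -d "$prefix/usr" ]`, also stops an empty `prefix` from turning the first test into a bare `[ -d ]`, which is true, and the second into a check of the host's `/usr`.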
diff --git a/nixpkgs/pkgs/os-specific/darwin/CoreSymbolication/default.nix b/nixpkgs/pkgs/os-specific/darwin/CoreSymbolication/default.nix
new file mode 100644
index 000000000000..aa73c7f86c40
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/CoreSymbolication/default.nix
@@ -0,0 +1,19 @@
+{ fetchFromGitHub, stdenv }:
+
+# Reverse engineered CoreSymbolication to make dtrace buildable
+
+stdenv.mkDerivation rec {
+  name = "CoreSymbolication";
+
+  src = fetchFromGitHub {
+    repo = name;
+    owner = "matthewbauer";
+    rev = "671fcb66c82eac1827f3f53dc4cc4e9b1b94da0a";
+    sha256 = "0qpw46gwgjxiwqqjxksb8yghp2q8dwad6hzaf4zl82xpvk9n5ahj";
+  };
+
+  installPhase = ''
+    mkdir -p $out/include
+    cp -r CoreSymbolication $out/include
+  '';
+}
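Review bot: The derivation has no `meta`, so nothing records the licence or origin of these reverse-engineered headers, and nothing restricts the package to Darwin. The source is pinned by full `rev` and `sha256`, which is good for reproducibility, but a reviewer auditing the dependency closure gets no description or platform information. Add `lib` to the argument set and a block such as `meta = { description = "Reverse engineered CoreSymbolication headers"; platforms = lib.platforms.darwin; };`, with a `license` entry once the repository's licence is confirmed. Splitting `name` into `pname` and a `version` derived from the pinned commit would also make later updates to the pin visible in the store path.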
diff --git a/nixpkgs/pkgs/os-specific/darwin/DarwinTools/default.nix b/nixpkgs/pkgs/os-specific/darwin/DarwinTools/default.nix
new file mode 100644
index 000000000000..f648435eed27
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/DarwinTools/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "DarwinTools";
+  version = "1";
+
+  src = fetchurl {
+    url = "https://opensource.apple.com/tarballs/DarwinTools/DarwinTools-${version}.tar.gz";
+    sha256 = "0hh4jl590jv3v830p77r3jcrnpndy7p2b8ajai3ldpnx2913jfhp";
+  };
+
+  patches = [
+    ./sw_vers-CFPriv.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace gcc cc
+  '';
+
+  configurePhase = ''
+    export SRCROOT=.
+    export SYMROOT=.
+    export DSTROOT=$out
+  '';
+
+  postInstall = ''
+    mv $out/usr/* $out
+    rmdir $out/usr
+  '';
+
+  meta = {
+    maintainers = [ lib.maintainers.matthewbauer ];
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/DarwinTools/sw_vers-CFPriv.patch b/nixpkgs/pkgs/os-specific/darwin/DarwinTools/sw_vers-CFPriv.patch
new file mode 100644
index 000000000000..6faeaa75025e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/DarwinTools/sw_vers-CFPriv.patch
@@ -0,0 +1,19 @@
+--- a/sw_vers.c	2021-04-19 13:06:50.131346864 +0900
++++ b/sw_vers.c	2021-04-19 13:07:32.481967474 +0900
+@@ -28,7 +28,15 @@
+  */
+ 
+ #include <CoreFoundation/CoreFoundation.h>
+-#include <CoreFoundation/CFPriv.h>
++
++// Avoid dependency on CoreFoundation/CFPriv, which no longer appears to be
++// part of the upstream sdk.
++
++CFDictionaryRef _CFCopyServerVersionDictionary(void);
++CFDictionaryRef _CFCopySystemVersionDictionary(void);
++extern CFStringRef _kCFSystemVersionProductNameKey;
++extern CFStringRef _kCFSystemVersionProductVersionKey;
++extern CFStringRef _kCFSystemVersionBuildVersionKey;
+ 
+ void usage(char *progname) {
+ 	fprintf(stderr, "Usage: %s [-productName|-productVersion|-buildVersion]\n", progname);
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/apple_sdk.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/apple_sdk.nix
new file mode 100644
index 000000000000..05340642f8d0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/apple_sdk.nix
@@ -0,0 +1,181 @@
+{ lib, stdenvNoCC, buildPackages, fetchurl, xar, cpio, pkgs, python3, pbzx, MacOSX-SDK }:
+
+# TODO: reorganize to make this just frameworks, and move libs to default.nix
+
+let
+  stdenv = stdenvNoCC;
+
+  standardFrameworkPath = name: private:
+    "/System/Library/${lib.optionalString private "Private"}Frameworks/${name}.framework";
+
+  mkDepsRewrites = deps:
+  let
+    mergeRewrites = x: y: {
+      prefix = lib.mergeAttrs (x.prefix or {}) (y.prefix or {});
+      const = lib.mergeAttrs (x.const or {}) (y.const or {});
+    };
+
+    rewriteArgs = { prefix ? {}, const ? {} }: lib.concatLists (
+      (lib.mapAttrsToList (from: to: [ "-p" "${from}:${to}" ]) prefix) ++
+      (lib.mapAttrsToList (from: to: [ "-c" "${from}:${to}" ]) const)
+    );
+
+    rewrites = depList: lib.fold mergeRewrites {}
+      (map (dep: dep.tbdRewrites)
+        (lib.filter (dep: dep ? tbdRewrites) depList));
+  in
+    lib.escapeShellArgs (rewriteArgs (rewrites (builtins.attrValues deps)));
+
+  mkFramework = { name, deps, private ? false }:
+    let self = stdenv.mkDerivation {
+      pname = "apple-${lib.optionalString private "private-"}framework-${name}";
+      version = MacOSX-SDK.version;
+
+      dontUnpack = true;
+
+      # because we copy files from the system
+      preferLocalBuild = true;
+
+      disallowedRequisites = [ MacOSX-SDK ];
+
+      nativeBuildInputs = [ buildPackages.darwin.rewrite-tbd ];
+
+      installPhase = ''
+        mkdir -p $out/Library/Frameworks
+
+        cp -r ${MacOSX-SDK}${standardFrameworkPath name private} $out/Library/Frameworks
+
+        # Fix and check tbd re-export references
+        chmod u+w -R $out
+        find $out -name '*.tbd' -type f | while read tbd; do
+          echo "Fixing re-exports in $tbd"
+          rewrite-tbd \
+            -p ${standardFrameworkPath name private}/:$out/Library/Frameworks/${name}.framework/ \
+            ${mkDepsRewrites deps} \
+            -r ${builtins.storeDir} \
+            "$tbd"
+        done
+      '';
+
+      propagatedBuildInputs = builtins.attrValues deps;
+
+      passthru = {
+        tbdRewrites = {
+          prefix."${standardFrameworkPath name private}/" = "${self}/Library/Frameworks/${name}.framework/";
+        };
+      };
+
+      meta = with lib; {
+        description = "Apple SDK framework ${name}";
+        maintainers = with maintainers; [ copumpkin ];
+        platforms   = platforms.darwin;
+      };
+    };
+  in self;
+
+  framework = name: deps: mkFramework { inherit name deps; private = false; };
+  privateFramework = name: deps: mkFramework { inherit name deps; private = true; };
+in rec {
+  libs = {
+    xpc = stdenv.mkDerivation {
+      name   = "apple-lib-xpc";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include
+        pushd $out/include >/dev/null
+        cp -r "${MacOSX-SDK}/usr/include/xpc" $out/include/xpc
+        cp "${MacOSX-SDK}/usr/include/launch.h" $out/include/launch.h
+        popd >/dev/null
+      '';
+    };
+
+    Xplugin = stdenv.mkDerivation {
+      name   = "apple-lib-Xplugin";
+      dontUnpack = true;
+
+      propagatedBuildInputs = with frameworks; [
+        OpenGL ApplicationServices Carbon IOKit CoreGraphics CoreServices CoreText
+      ];
+
+      installPhase = ''
+        mkdir -p $out/include $out/lib
+        ln -s "${MacOSX-SDK}/include/Xplugin.h" $out/include/Xplugin.h
+        cp ${MacOSX-SDK}/usr/lib/libXplugin.1.tbd $out/lib
+        ln -s libXplugin.1.tbd $out/lib/libXplugin.tbd
+      '';
+    };
+
+    utmp = stdenv.mkDerivation {
+      name   = "apple-lib-utmp";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include
+        pushd $out/include >/dev/null
+        ln -s "${MacOSX-SDK}/include/utmp.h"
+        ln -s "${MacOSX-SDK}/include/utmpx.h"
+        popd >/dev/null
+      '';
+    };
+
+    sandbox = stdenv.mkDerivation {
+      name = "apple-lib-sandbox";
+
+      dontUnpack = true;
+      dontBuild = true;
+
+      installPhase = ''
+        mkdir -p $out/include $out/lib
+        ln -s "${MacOSX-SDK}/usr/include/sandbox.h" $out/include/sandbox.h
+        cp "${MacOSX-SDK}/usr/lib/libsandbox.1.tbd" $out/lib
+        ln -s libsandbox.1.tbd $out/lib/libsandbox.tbd
+      '';
+    };
+
+    libDER = stdenv.mkDerivation {
+      name = "apple-lib-libDER";
+      dontUnpack = true;
+      installPhase = ''
+        mkdir -p $out/include
+        cp -r ${MacOSX-SDK}/usr/include/libDER $out/include
+      '';
+    };
+
+    simd = stdenv.mkDerivation {
+      name = "apple-lib-simd";
+      dontUnpack = true;
+      installPhase = ''
+        mkdir -p $out/include
+        cp -r ${MacOSX-SDK}/usr/include/simd $out/include
+      '';
+    };
+  };
+
+  overrides = super: {
+    CoreFoundation = lib.overrideDerivation super.CoreFoundation (drv: {
+      setupHook = ./cf-setup-hook.sh;
+    });
+
+    # This framework doesn't exist in newer SDKs (somewhere around 10.13), but
+    # there are references to it in nixpkgs.
+    QuickTime = throw "QuickTime framework not available";
+
+    # Seems to be appropriate given https://developer.apple.com/forums/thread/666686
+    JavaVM = super.JavaNativeFoundation;
+  };
+
+  bareFrameworks = (
+    lib.mapAttrs framework (import ./frameworks.nix {
+      inherit frameworks libs;
+      inherit (pkgs.darwin.apple_sdk_11_0) libnetwork Libsystem;
+      libobjc = pkgs.darwin.apple_sdk_11_0.objc4;
+    })
+  ) // (
+    lib.mapAttrs privateFramework (import ./private-frameworks.nix {
+      inherit frameworks;
+    })
+  );
+
+  frameworks = bareFrameworks // overrides bareFrameworks;
+}
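Review bot: `libs.Xplugin` and `libs.utmp` link to `${MacOSX-SDK}/include/...`, but the SDK derivation added in `apple-sdk-11.0/default.nix` in this commit installs only `System` and `usr` (`cp -r System usr $out/`), and the neighbouring `xpc`, `sandbox`, `libDER` and `simd` entries all read from `${MacOSX-SDK}/usr/include`. `ln -s` does not check its target, so the build would succeed and leave dangling symlinks for `Xplugin.h`, `utmp.h` and `utmpx.h`. The targets should be `"${MacOSX-SDK}/usr/include/Xplugin.h"`, `"${MacOSX-SDK}/usr/include/utmp.h"` and `"${MacOSX-SDK}/usr/include/utmpx.h"`. A `test -e` on each link at the end of the two `installPhase` scripts would catch a missing header at build time instead of in a dependent package.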
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/cf-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/cf-setup-hook.sh
new file mode 100644
index 000000000000..3b08c51d196e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/cf-setup-hook.sh
@@ -0,0 +1,6 @@
+forceLinkCoreFoundationFramework() {
+  NIX_CFLAGS_COMPILE="-F@out@/Library/Frameworks${NIX_CFLAGS_COMPILE:+ }${NIX_CFLAGS_COMPILE-}"
+  NIX_LDFLAGS+=" @out@/Library/Frameworks/CoreFoundation.framework/CoreFoundation"
+}
+
+preConfigureHooks+=(forceLinkCoreFoundationFramework)
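Review bot: `forceLinkCoreFoundationFramework` has no comment saying why every consumer of this CoreFoundation gets the framework binary path appended to `NIX_LDFLAGS`, in addition to the `-F` search path. The near-identical hook added in `apple-sdk/cf-setup-hook.sh` later in this commit explains its reason (symbols present in the system CF but missing from the open-source release). Whether the same reason applies to the 11.0 SDK is not visible in this hunk. I would add a one-line comment above the `NIX_LDFLAGS+=` assignment stating the actual rationale, so a later cleanup does not drop the forced link by mistake.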
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix
new file mode 100644
index 000000000000..b29a36177a82
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/default.nix
@@ -0,0 +1,89 @@
+{ stdenvNoCC, fetchurl, newScope, lib, pkgs
+, stdenv, overrideCC
+, xar, cpio, python3, pbzx }:
+
+let
+  MacOSX-SDK = stdenvNoCC.mkDerivation rec {
+    pname = "MacOSX-SDK";
+    version = "11.0.0";
+
+    # https://swscan.apple.com/content/catalogs/others/index-11-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
+    src = fetchurl {
+      url = "http://swcdn.apple.com/content/downloads/46/21/001-89745-A_56FM390IW5/v1um2qppgfdnam2e9cdqcqu2r6k8aa3lis/CLTools_macOSNMOS_SDK.pkg";
+      sha256 = "0n425smj4q1vxbza8fzwnk323fyzbbq866q32w288c44hl5yhwsf";
+    };
+
+    dontBuild = true;
+    darwinDontCodeSign = true;
+
+    nativeBuildInputs = [ cpio pbzx ];
+
+    outputs = [ "out" ];
+
+    unpackPhase = ''
+      pbzx $src | cpio -idm
+    '';
+
+    installPhase = ''
+      cd Library/Developer/CommandLineTools/SDKs/MacOSX11.1.sdk
+
+      mkdir $out
+      cp -r System usr $out/
+    '';
+
+    passthru = {
+      inherit version;
+    };
+  };
+
+  callPackage = newScope (packages // pkgs.darwin // { inherit MacOSX-SDK; });
+
+  packages = {
+    inherit (callPackage ./apple_sdk.nix {}) frameworks libs;
+
+    # TODO: this is nice to be private. is it worth the callPackage above?
+    # Probably, I don't think that callPackage costs much at all.
+    inherit MacOSX-SDK;
+
+    Libsystem = callPackage ./libSystem.nix {};
+    LibsystemCross = pkgs.darwin.Libsystem;
+    libcharset = callPackage ./libcharset.nix {};
+    libunwind = callPackage ./libunwind.nix {};
+    libnetwork = callPackage ./libnetwork.nix {};
+    objc4 = callPackage ./libobjc.nix {};
+
+    # questionable aliases
+    configd = pkgs.darwin.apple_sdk.frameworks.SystemConfiguration;
+    IOKit = pkgs.darwin.apple_sdk.frameworks.IOKit;
+
+    callPackage = newScope (lib.optionalAttrs stdenv.isDarwin rec {
+      inherit (pkgs.darwin.apple_sdk_11_0) stdenv;
+      darwin = pkgs.darwin.overrideScope (_: prev: {
+        inherit (prev.darwin.apple_sdk_11_0) Libsystem LibsystemCross libcharset libunwind objc4 configd IOKit Security;
+        apple_sdk = prev.darwin.apple_sdk_11_0;
+        CF = prev.darwin.apple_sdk_11_0.CoreFoundation;
+      });
+      xcodebuild = pkgs.xcbuild.override {
+        inherit (pkgs.darwin.apple_sdk_11_0.frameworks) CoreServices CoreGraphics ImageIO;
+        inherit stdenv;
+      };
+      xcbuild = xcodebuild;
+    });
+
+    stdenv =
+      let
+        clang = stdenv.cc.override {
+          bintools = stdenv.cc.bintools.override { libc = packages.Libsystem; };
+          libc = packages.Libsystem;
+        };
+      in
+      if stdenv.isAarch64 then stdenv
+      else
+        (overrideCC stdenv clang).override {
+          targetPlatform = stdenv.targetPlatform // {
+            darwinMinVersion = "10.12";
+            darwinSdkVersion = "11.0";
+          };
+        };
+  };
+in packages
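Review bot: `MacOSX-SDK.src` is fetched over plain `http://`, so the `sha256` below it is the only control tying this build to the package Apple published. A tampered or substituted download fails the fixed-output hash check, but nothing here records how the hash was obtained. I would add a comment above `sha256` such as `# integrity relies on this hash alone (URL is http); re-verify against the catalog entry above when bumping`, and switch the URL to `https://` if the CDN serves this path over TLS (not verifiable from the diff). The same applies to `sdk.src` in `apple-sdk/default.nix` further down. Separately, `version = "11.0.0"` while `installPhase` enters `MacOSX11.1.sdk`; a short comment explaining the mismatch would help the next person who bumps it.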
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/frameworks.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/frameworks.nix
new file mode 100644
index 000000000000..e9121b021164
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/frameworks.nix
@@ -0,0 +1,195 @@
+{ frameworks, libs, libobjc, Libsystem, libnetwork }: with frameworks; with libs;
+{
+  AGL                              = { inherit Carbon OpenGL; };
+  AVFoundation                     = { inherit ApplicationServices AVFCapture AVFCore CoreGraphics simd UniformTypeIdentifiers; };
+  AVKit                            = {};
+  Accelerate                       = { inherit CoreWLAN IOBluetooth; };
+  Accessibility                    = {};
+  Accounts                         = {};
+  AdSupport                        = {};
+  AddressBook                      = { inherit AddressBookCore Carbon ContactsPersistence libobjc; };
+  AppKit                           = { inherit ApplicationServices AudioToolbox AudioUnit Foundation QuartzCore UIFoundation; };
+  AppTrackingTransparency          = {};
+  AppleScriptKit                   = {};
+  AppleScriptObjC                  = {};
+  ApplicationServices              = { inherit ColorSync CoreGraphics CoreServices CoreText ImageIO; };
+  AudioToolbox                     = { inherit AudioToolboxCore CoreAudio CoreMIDI; };
+  AudioUnit                        = { inherit AudioToolbox Carbon CoreAudio; };
+  AudioVideoBridging               = { inherit Foundation; };
+  AuthenticationServices           = {};
+  AutomaticAssessmentConfiguration = {};
+  Automator                        = {};
+  BackgroundTasks                  = {};
+  BusinessChat                     = {};
+  CFNetwork                        = {};
+  CalendarStore                    = {};
+  CallKit                          = {};
+  Carbon                           = { inherit ApplicationServices CoreServices Foundation IOKit QuartzCore Security libobjc; };
+  ClassKit                         = {};
+  CloudKit                         = { inherit CoreLocation; };
+  Cocoa                            = { inherit AppKit CoreData; };
+  Collaboration                    = {};
+  ColorSync                        = {};
+  Combine                          = {};
+  Contacts                         = {};
+  ContactsUI                       = {};
+  CoreAudio                        = { inherit IOKit CoreAudioTypes; };
+  CoreAudioKit                     = { inherit AudioUnit; };
+  CoreAudioTypes                   = {};
+  CoreBluetooth                    = {};
+  CoreData                         = { inherit CloudKit; };
+  CoreDisplay                      = {};
+  CoreFoundation                   = { inherit libobjc; };
+  CoreGraphics                     = { inherit Accelerate IOKit IOSurface SystemConfiguration; };
+  CoreHaptics                      = {};
+  CoreImage                        = {};
+  CoreLocation                     = {};
+  CoreMIDI                         = {};
+  CoreMIDIServer                   = { inherit CoreMIDI; };
+  CoreML                           = {};
+  CoreMedia                        = { inherit ApplicationServices AudioToolbox AudioUnit CoreAudio CoreGraphics CoreVideo; };
+  CoreMediaIO                      = { inherit CoreMedia; };
+  CoreMotion                       = {};
+  CoreServices                     = { inherit CFNetwork CoreAudio CoreData CoreFoundation DiskArbitration NetFS OpenDirectory Security ServiceManagement; };
+  CoreSpotlight                    = {};
+  CoreTelephony                    = {};
+  CoreText                         = { inherit CoreGraphics; };
+  CoreVideo                        = { inherit ApplicationServices CoreGraphics IOSurface OpenGL; };
+  CoreWLAN                         = { inherit SecurityFoundation; };
+  CryptoKit                        = {};
+  CryptoTokenKit                   = {};
+  DVDPlayback                      = {};
+  DeveloperToolsSupport            = {};
+  DeviceCheck                      = {};
+  DirectoryService                 = {};
+  DiscRecording                    = { inherit CoreServices IOKit libobjc; };
+  DiscRecordingUI                  = {};
+  DiskArbitration                  = { inherit IOKit; };
+  DriverKit                        = {};
+  EventKit                         = {};
+  ExceptionHandling                = {};
+  ExecutionPolicy                  = {};
+  ExternalAccessory                = {};
+  FWAUserLib                       = {};
+  FileProvider                     = {};
+  FileProviderUI                   = {};
+  FinderSync                       = {};
+  ForceFeedback                    = { inherit IOKit; };
+  Foundation                       = { inherit ApplicationServices CoreFoundation Security SystemConfiguration libobjc; };
+  GLKit                            = {};
+  GLUT                             = { inherit OpenGL; };
+  GSS                              = {};
+  GameController                   = {};
+  GameKit                          = { inherit Cocoa Foundation GameCenterFoundation GameCenterUI GameCenterUICore GameController GameplayKit Metal MetalKit ModelIO ReplayKit SceneKit SpriteKit; };
+  GameplayKit                      = {};
+  HIDDriverKit                     = {};
+  Hypervisor                       = {};
+  ICADevices                       = { inherit Carbon IOBluetooth libobjc; };
+  IMServicePlugIn                  = {};
+  IOBluetooth                      = { inherit CoreBluetooth IOKit; };
+  IOBluetoothUI                    = { inherit IOBluetooth; };
+  IOKit                            = {};
+  # `IOSurface` should depend on `Libsystem` (in place of `xpc`) but this currently causes build
+  # issues due to incompatibility issues between `Libsystem` and `libcxx`.
+  IOSurface                        = { inherit IOKit xpc; };
+  IOUSBHost                        = {};
+  IdentityLookup                   = {};
+  ImageCaptureCore                 = {};
+  ImageIO                          = { inherit CoreGraphics; };
+  InputMethodKit                   = { inherit Carbon; };
+  InstallerPlugins                 = {};
+  InstantMessage                   = {};
+  Intents                          = {};
+  JavaNativeFoundation             = {};
+  JavaRuntimeSupport               = {};
+  JavaScriptCore                   = { inherit libobjc; };
+  Kerberos                         = {};
+  Kernel                           = { inherit IOKit; };
+  KernelManagement                 = {};
+  LDAP                             = {};
+  LatentSemanticMapping            = { inherit Carbon; };
+  LinkPresentation                 = { inherit URLFormatting; };
+  LocalAuthentication              = {};
+  MLCompute                        = {};
+  MapKit                           = {};
+  MediaAccessibility               = { inherit CoreGraphics CoreText QuartzCore; };
+  MediaLibrary                     = {};
+  MediaPlayer                      = {};
+  MediaToolbox                     = { inherit AudioToolbox AudioUnit CoreMedia; };
+  Message                          = {};
+  Metal                            = {};
+  MetalKit                         = { inherit Metal ModelIO; };
+  MetalPerformanceShaders          = {};
+  MetalPerformanceShadersGraph     = {};
+  MetricKit                        = { inherit SignpostMetrics; };
+  ModelIO                          = {};
+  MultipeerConnectivity            = {};
+  NaturalLanguage                  = {};
+  NearbyInteraction                = {};
+  NetFS                            = {};
+  Network                          = { inherit libnetwork; };
+  NetworkExtension                 = { inherit Network; };
+  NetworkingDriverKit              = {};
+  NotificationCenter               = {};
+  OSAKit                           = { inherit Carbon; };
+  OSLog                            = {};
+  OpenAL                           = {};
+  OpenCL                           = { inherit IOSurface OpenGL; };
+  OpenDirectory                    = {};
+  OpenGL                           = {};
+  PCIDriverKit                     = {};
+  PCSC                             = { inherit CoreData; };
+  PDFKit                           = {};
+  ParavirtualizedGraphics          = {};
+  PassKit                          = { inherit PassKitCore; };
+  PencilKit                        = {};
+  Photos                           = {};
+  PhotosUI                         = {};
+  PreferencePanes                  = {};
+  PushKit                          = {};
+  Python                           = {};
+  QTKit                            = { inherit CoreMedia CoreMediaIO MediaToolbox VideoToolbox; };
+  Quartz                           = { inherit QTKit QuartzCore QuickLook PDFKit; };
+  QuartzCore                       = { inherit ApplicationServices CoreImage CoreVideo Metal OpenCL libobjc; };
+  QuickLook                        = { inherit ApplicationServices; };
+  QuickLookThumbnailing            = {};
+  RealityKit                       = {};
+  ReplayKit                        = {};
+  Ruby                             = {};
+  SafariServices                   = {};
+  SceneKit                         = {};
+  ScreenSaver                      = {};
+  ScreenTime                       = {};
+  ScriptingBridge                  = {};
+  Security                         = { inherit IOKit libDER; };
+  SecurityFoundation               = { inherit Security; };
+  SecurityInterface                = { inherit Security SecurityFoundation; };
+  SensorKit                        = {};
+  ServiceManagement                = { inherit Security; };
+  Social                           = {};
+  SoundAnalysis                    = {};
+  Speech                           = {};
+  SpriteKit                        = {};
+  StoreKit                         = {};
+  SwiftUI                          = {};
+  SyncServices                     = {};
+  System                           = {};
+  SystemConfiguration              = { inherit Security; };
+  SystemExtensions                 = {};
+  TWAIN                            = { inherit Carbon; };
+  Tcl                              = {};
+  Tk                               = {};
+  USBDriverKit                     = {};
+  UniformTypeIdentifiers           = {};
+  UserNotifications                = {};
+  UserNotificationsUI              = {};
+  VideoDecodeAcceleration          = { inherit CoreVideo; };
+  VideoSubscriberAccount           = {};
+  VideoToolbox                     = { inherit CoreMedia CoreVideo; };
+  Virtualization                   = {};
+  Vision                           = {};
+  WebKit                           = { inherit ApplicationServices Carbon JavaScriptCore OpenGL libobjc; };
+  WidgetKit                        = {};
+  iTunesLibrary                    = {};
+  vmnet                            = {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libSystem.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libSystem.nix
new file mode 100644
index 000000000000..f04b964f755f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libSystem.nix
@@ -0,0 +1,78 @@
+{ stdenvNoCC, buildPackages, MacOSX-SDK }:
+
+stdenvNoCC.mkDerivation {
+  pname = "libSystem";
+  version = MacOSX-SDK.version;
+
+  dontBuild = true;
+  dontUnpack = true;
+
+  nativeBuildInputs = [ buildPackages.darwin.rewrite-tbd ];
+
+  includeDirs = [
+    "CommonCrypto" "_types" "architecture" "arpa" "atm" "bank" "bsd" "bsm"
+    "corecrypto" "corpses" "default_pager" "device" "dispatch" "hfs" "i386"
+    "iokit" "kern" "libkern" "mach" "mach-o" "mach_debug" "machine" "malloc"
+    "miscfs" "net" "netinet" "netinet6" "netkey" "nfs" "os" "osfmk" "pexpert"
+    "platform" "protocols" "pthread" "rpc" "rpcsvc" "secure" "security"
+    "servers" "sys" "uuid" "vfs" "voucher" "xlocale"
+  ] ++ [
+    "arm" "xpc" "arm64"
+  ];
+
+  csu = [
+    "bundle1.o" "crt0.o" "crt1.10.5.o" "crt1.10.6.o" "crt1.o" "dylib1.10.5.o"
+    "dylib1.o" "gcrt1.o" "lazydylib1.o"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/{include,lib}
+
+    for dir in $includeDirs; do
+      from=${MacOSX-SDK}/usr/include/$dir
+      if [ -e "$from" ]; then
+        cp -dr $from $out/include
+      else
+        echo "Header directory '$from' doesn't exist: skipping"
+      fi
+    done
+
+    cp -d \
+      ${MacOSX-SDK}/usr/include/*.h \
+      $out/include
+
+    rm $out/include/tk*.h $out/include/tcl*.h
+
+    cp -dr \
+      ${MacOSX-SDK}/usr/lib/libSystem.* \
+      ${MacOSX-SDK}/usr/lib/system \
+      $out/lib
+
+    # Extra libraries
+    for name in c dbm dl info m mx poll proc pthread rpcsvc util gcc_s.1 resolv; do
+      cp -d \
+        ${MacOSX-SDK}/usr/lib/lib$name.tbd \
+        ${MacOSX-SDK}/usr/lib/lib$name.*.tbd \
+        $out/lib
+    done
+
+    for f in $csu; do
+      from=${MacOSX-SDK}/usr/lib/$f
+      if [ -e "$from" ]; then
+        cp -d $from $out/lib
+      else
+        echo "Csu file '$from' doesn't exist: skipping"
+      fi
+    done
+
+    chmod u+w -R $out/lib
+    find $out -name '*.tbd' -type f | while read tbd; do
+      rewrite-tbd \
+        -c /usr/lib/libsystem.dylib:$out/lib/libsystem.dylib \
+        -p /usr/lib/system/:$out/lib/system/ \
+        -r ${builtins.storeDir} \
+        "$tbd"
+    done
+  '';
+}
+
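Review bot: The `includeDirs` and `csu` loops in `installPhase` only echo "doesn't exist: skipping" when an SDK path is missing. An SDK bump that drops or renames an entry such as `CommonCrypto` or `corecrypto` therefore still yields a Libsystem output, just without those headers. If the leniency is intentional for entries absent from some SDKs, a comment naming which ones are expected to be optional would let a reviewer tell a harmless skip from a regression; otherwise `exit 1` in the `else` branches is the safer default. The `find $out -name '*.tbd' -type f | while read tbd` loop would also be more robust as `while IFS= read -r tbd`.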
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libcharset.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libcharset.nix
new file mode 100644
index 000000000000..bf55037ab605
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libcharset.nix
@@ -0,0 +1,16 @@
+{ stdenvNoCC, buildPackages, MacOSX-SDK }:
+
+stdenvNoCC.mkDerivation {
+  pname = "libcharset";
+  version = MacOSX-SDK.version;
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  nativeBuildInputs = [ buildPackages.darwin.checkReexportsHook ];
+
+  installPhase = ''
+    mkdir -p $out/{include,lib}
+    cp ${MacOSX-SDK}/usr/lib/libcharset* $out/lib
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libnetwork.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libnetwork.nix
new file mode 100644
index 000000000000..2e5c0593bf40
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libnetwork.nix
@@ -0,0 +1,20 @@
+{ stdenvNoCC, buildPackages, MacOSX-SDK }:
+
+let self = stdenvNoCC.mkDerivation {
+  pname = "libnetwork";
+  version = MacOSX-SDK.version;
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/lib
+    cp ${MacOSX-SDK}/usr/lib/libnetwork* $out/lib
+  '';
+
+  passthru = {
+    tbdRewrites = {
+      const."/usr/lib/libnetwork.dylib" = "${self}/lib/libnetwork.dylib";
+    };
+  };
+}; in self
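Review bot: `buildPackages` is taken as an argument on the first line but never used in this file, and `libobjc.nix` in the next section likewise takes `libcharset` without referencing it. `libcharset.nix` and `libunwind.nix` use `buildPackages` to put `checkReexportsHook` in `nativeBuildInputs`. If these two derivations, which copy `lib*` files out of the SDK, were meant to get the same check, add `nativeBuildInputs = [ buildPackages.darwin.checkReexportsHook ];`; otherwise drop the unused arguments so the function signature reflects the real dependencies.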
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libobjc.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libobjc.nix
new file mode 100644
index 000000000000..63ef2a1c263e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libobjc.nix
@@ -0,0 +1,21 @@
+{ stdenvNoCC, MacOSX-SDK, libcharset }:
+
+let self = stdenvNoCC.mkDerivation {
+  pname = "libobjc";
+  version = MacOSX-SDK.version;
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/{include,lib}
+    cp -r ${MacOSX-SDK}/usr/include/objc $out/include
+    cp ${MacOSX-SDK}/usr/lib/libobjc* $out/lib
+  '';
+
+  passthru = {
+    tbdRewrites = {
+      const."/usr/lib/libobjc.A.dylib" = "${self}/lib/libobjc.A.dylib";
+    };
+  };
+}; in self
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libunwind.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libunwind.nix
new file mode 100644
index 000000000000..885780eba75c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/libunwind.nix
@@ -0,0 +1,24 @@
+{ stdenvNoCC, buildPackages, MacOSX-SDK }:
+
+stdenvNoCC.mkDerivation {
+  pname = "libunwind";
+  version = MacOSX-SDK.version;
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  nativeBuildInputs = [ buildPackages.darwin.checkReexportsHook ];
+
+  installPhase = ''
+    mkdir -p $out/include/mach-o
+
+    cp \
+      ${MacOSX-SDK}/usr/include/libunwind.h \
+      ${MacOSX-SDK}/usr/include/unwind.h \
+      $out/include
+
+    cp \
+      ${MacOSX-SDK}/usr/include/mach-o/compact_unwind_encoding.h \
+      $out/include/mach-o
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/private-frameworks.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/private-frameworks.nix
new file mode 100644
index 000000000000..b8786ec92f6d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk-11.0/private-frameworks.nix
@@ -0,0 +1,21 @@
+{ frameworks }: with frameworks;
+# generated by hand to avoid exposing all private frameworks
+# frameworks here are only the necessary ones used by public frameworks.
+{
+  AVFCapture = {};
+  AVFCore = {};
+  AddressBookCore = { inherit ContactsPersistence; };
+  AudioToolboxCore = {};
+  ContactsPersistence = {};
+  UIFoundation = {};
+  GameCenterFoundation = {};
+  GameCenterUI = {};
+  GameCenterUICore = {};
+  URLFormatting = {};
+  SignpostMetrics = {};
+  PassKitCore = {};
+  SkyLight = {};
+
+  # Also expose CoreSymbolication; used by `root` package.
+  CoreSymbolication = {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/cf-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/cf-setup-hook.sh
new file mode 100644
index 000000000000..bbf9625e6557
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/cf-setup-hook.sh
@@ -0,0 +1,9 @@
+linkSystemCoreFoundationFramework() {
+  NIX_CFLAGS_COMPILE="-F@out@/Library/Frameworks${NIX_CFLAGS_COMPILE:+ }${NIX_CFLAGS_COMPILE-}"
+  # gross! many symbols (such as _OBJC_CLASS_$_NSArray) are defined in system CF, but not
+  # in the opensource release
+  # if the package needs private headers, we assume they also want to link with system CF
+  NIX_LDFLAGS+=" @out@/Library/Frameworks/CoreFoundation.framework/CoreFoundation"
+}
+
+preConfigureHooks+=(linkSystemCoreFoundationFramework)
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/default.nix
new file mode 100644
index 000000000000..0cf95cbe9c56
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/default.nix
@@ -0,0 +1,339 @@
+{ stdenv, fetchurl, xar, cpio, pkgs, python3, pbzx, lib, darwin-stubs, print-reexports }:
+
+let
+  # sadly needs to be exported because security_tool needs it
+  sdk = stdenv.mkDerivation rec {
+    pname = "MacOS_SDK";
+    version = "10.12";
+
+    # This URL comes from https://swscan.apple.com/content/catalogs/others/index-10.12.merged-1.sucatalog, which we found by:
+    #  1. Google: site:swscan.apple.com and look for a name that seems appropriate for your version
+    #  2. In the resulting file, search for a file called DevSDK ending in .pkg
+    #  3. ???
+    #  4. Profit
+    src = fetchurl {
+      url    = "http://swcdn.apple.com/content/downloads/33/36/041-90419-A_7JJ4H9ZHO2/xs88ob5wjz6riz7g6764twblnvksusg4ps/DevSDK_OSX1012.pkg";
+      sha256 = "13xq34sb7383b37hwy076gnhf96prpk1b4087p87xnwswxbrisih";
+    };
+
+    nativeBuildInputs = [ xar cpio python3 pbzx ];
+
+    outputs = [ "out" "dev" "man" ];
+
+    unpackPhase = ''
+      xar -x -f $src
+    '';
+
+    installPhase = ''
+      start="$(pwd)"
+      mkdir -p $out
+      cd $out
+      pbzx -n $start/Payload | cpio -idm
+
+      mv usr/* .
+      rmdir usr
+
+      mv System/* .
+      rmdir System
+
+      pushd lib
+      cp ${darwin-stubs}/usr/lib/libcups*.tbd .
+      ln -s libcups.2.tbd      libcups.tbd
+      ln -s libcupscgi.1.tbd   libcupscgi.tbd
+      ln -s libcupsimage.2.tbd libcupsimage.tbd
+      ln -s libcupsmime.1.tbd  libcupsmime.tbd
+      ln -s libcupsppdc.1.tbd  libcupsppdc.tbd
+      popd
+    '';
+
+    meta = with lib; {
+      description = "Apple SDK ${version}";
+      maintainers = with maintainers; [ copumpkin ];
+      platforms   = platforms.darwin;
+    };
+  };
+
+  mkFrameworkSubs = name: deps:
+  let
+    deps' = deps // { "${name}" = placeholder "out"; };
+    substArgs = lib.concatMap (x: [ "--subst-var-by" x deps'."${x}" ]) (lib.attrNames deps');
+  in lib.escapeShellArgs substArgs;
+
+  framework = name: deps: stdenv.mkDerivation {
+    name = "apple-framework-${name}";
+
+    dontUnpack = true;
+
+    # because we copy files from the system
+    preferLocalBuild = true;
+
+    disallowedRequisites = [ sdk ];
+
+    nativeBuildInputs = [ print-reexports ];
+
+    extraTBDFiles = [];
+
+    installPhase = ''
+      linkFramework() {
+        local path="$1"
+        local nested_path="$1"
+        if [ "$path" == "JavaNativeFoundation.framework" ]; then
+          local nested_path="JavaVM.framework/Versions/A/Frameworks/JavaNativeFoundation.framework"
+        fi
+        if [ "$path" == "JavaRuntimeSupport.framework" ]; then
+          local nested_path="JavaVM.framework/Versions/A/Frameworks/JavaRuntimeSupport.framework"
+        fi
+        local name="$(basename "$path" .framework)"
+        local current="$(readlink "/System/Library/Frameworks/$nested_path/Versions/Current")"
+        if [ -z "$current" ]; then
+          current=A
+        fi
+
+        local dest="$out/Library/Frameworks/$path"
+
+        mkdir -p "$dest/Versions/$current"
+        pushd "$dest/Versions/$current" >/dev/null
+
+        if [ -d "${sdk.out}/Library/Frameworks/$nested_path/Versions/$current/Headers" ]; then
+          cp -R "${sdk.out}/Library/Frameworks/$nested_path/Versions/$current/Headers" .
+        elif [ -d "${sdk.out}/Library/Frameworks/$name.framework/Versions/$current/Headers" ]; then
+          current="$(readlink "/System/Library/Frameworks/$name.framework/Versions/Current")"
+          cp -R "${sdk.out}/Library/Frameworks/$name.framework/Versions/$current/Headers" .
+        fi
+
+        local tbd_source=${darwin-stubs}/System/Library/Frameworks/$nested_path/Versions/$current
+        if [ "${name}" != "Kernel" ]; then
+          # The Kernel.framework has headers but no actual library component.
+          cp -v $tbd_source/*.tbd .
+        fi
+
+        if [ -d "$tbd_source/Libraries" ]; then
+          mkdir Libraries
+          cp -v $tbd_source/Libraries/*.tbd Libraries/
+        fi
+
+        ln -s -L "/System/Library/Frameworks/$nested_path/Versions/$current/Resources"
+
+        if [ -f "/System/Library/Frameworks/$nested_path/module.map" ]; then
+          ln -s "/System/Library/Frameworks/$nested_path/module.map"
+        fi
+
+        pushd "${sdk.out}/Library/Frameworks/$nested_path/Versions/$current" >/dev/null
+        local children=$(echo Frameworks/*.framework)
+        popd >/dev/null
+
+        for child in $children; do
+          childpath="$path/Versions/$current/$child"
+          linkFramework "$childpath"
+        done
+
+        pushd ../.. >/dev/null
+        ln -s "$current" Versions/Current
+        ln -s Versions/Current/* .
+        popd >/dev/null
+
+        popd >/dev/null
+      }
+
+      linkFramework "${name}.framework"
+
+      # linkFramework is recursive, the rest of the processing is not.
+
+      local tbd_source=${darwin-stubs}/System/Library/Frameworks/${name}.framework
+      for tbd in $extraTBDFiles; do
+        local tbd_dest_dir=$out/Library/Frameworks/${name}.framework/$(dirname "$tbd")
+        mkdir -p "$tbd_dest_dir"
+        cp -v "$tbd_source/$tbd" "$tbd_dest_dir"
+      done
+
+      # Fix and check tbd re-export references
+      find $out -name '*.tbd' | while read tbd; do
+        echo "Fixing re-exports in $tbd"
+        substituteInPlace "$tbd" ${mkFrameworkSubs name deps}
+
+        echo "Checking re-exports in $tbd"
+        print-reexports "$tbd" | while read target; do
+          local expected="''${target%.dylib}.tbd"
+          if ! [ -e "$expected" ]; then
+            echo -e "Re-export missing:\n\t$target\n\t(expected $expected)"
+            echo -e "While processing\n\t$tbd"
+            exit 1
+          else
+            echo "Re-exported target $target ok"
+          fi
+        done
+      done
+    '';
+
+    propagatedBuildInputs = builtins.attrValues deps;
+
+    # don't use pure CF for dylibs that depend on frameworks
+    setupHook = ./framework-setup-hook.sh;
+
+    # Not going to be more specific than this for now
+    __propagatedImpureHostDeps = lib.optionals (name != "Kernel") [
+      # The setup-hook ensures that everyone uses the impure CoreFoundation who uses these SDK frameworks, so let's expose it
+      "/System/Library/Frameworks/CoreFoundation.framework"
+      "/System/Library/Frameworks/${name}.framework"
+      "/System/Library/Frameworks/${name}.framework/${name}"
+    ];
+
+    meta = with lib; {
+      description = "Apple SDK framework ${name}";
+      maintainers = with maintainers; [ copumpkin ];
+      platforms   = platforms.darwin;
+    };
+  };
+
+  tbdOnlyFramework = name: { private ? true }: stdenv.mkDerivation {
+    name = "apple-framework-${name}";
+    dontUnpack = true;
+    installPhase = ''
+      mkdir -p $out/Library/Frameworks/
+      cp -r ${darwin-stubs}/System/Library/${lib.optionalString private "Private"}Frameworks/${name}.framework \
+        $out/Library/Frameworks
+
+      cd $out/Library/Frameworks/${name}.framework
+
+      versions=(./Versions/*)
+      if [ "''${#versions[@]}" != 1 ]; then
+        echo "Unable to determine current version of framework ${name}"
+        exit 1
+      fi
+      current=$(basename ''${versions[0]})
+
+      chmod u+w -R .
+      ln -s "$current" Versions/Current
+      ln -s Versions/Current/* .
+
+      # NOTE there's no re-export checking here, this is probably wrong
+    '';
+  };
+in rec {
+  libs = {
+    xpc = stdenv.mkDerivation {
+      name   = "apple-lib-xpc";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include
+        pushd $out/include >/dev/null
+        cp -r "${lib.getDev sdk}/include/xpc" $out/include/xpc
+        cp "${lib.getDev sdk}/include/launch.h" $out/include/launch.h
+        popd >/dev/null
+      '';
+    };
+
+    Xplugin = stdenv.mkDerivation {
+      name   = "apple-lib-Xplugin";
+      dontUnpack = true;
+
+      # Not enough
+      __propagatedImpureHostDeps = [ "/usr/lib/libXplugin.1.dylib" ];
+
+      propagatedBuildInputs = with frameworks; [
+        OpenGL ApplicationServices Carbon IOKit CoreGraphics CoreServices CoreText
+      ];
+
+      installPhase = ''
+        mkdir -p $out/include $out/lib
+        ln -s "${lib.getDev sdk}/include/Xplugin.h" $out/include/Xplugin.h
+        cp ${darwin-stubs}/usr/lib/libXplugin.1.tbd $out/lib
+        ln -s libXplugin.1.tbd $out/lib/libXplugin.tbd
+      '';
+    };
+
+    utmp = stdenv.mkDerivation {
+      name   = "apple-lib-utmp";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include
+        pushd $out/include >/dev/null
+        ln -s "${lib.getDev sdk}/include/utmp.h"
+        ln -s "${lib.getDev sdk}/include/utmpx.h"
+        popd >/dev/null
+      '';
+    };
+
+    sandbox = stdenv.mkDerivation {
+      name = "apple-lib-sandbox";
+      dontUnpack = true;
+
+      installPhase = ''
+        mkdir -p $out/include $out/lib
+        ln -s "${lib.getDev sdk}/include/sandbox.h" $out/include/sandbox.h
+        cp "${darwin-stubs}/usr/lib/libsandbox.1.tbd" $out/lib
+        ln -s libsandbox.1.tbd $out/lib/libsandbox.tbd
+      '';
+    };
+  };
+
+  overrides = super: {
+    AppKit = lib.overrideDerivation super.AppKit (drv: {
+      __propagatedImpureHostDeps = drv.__propagatedImpureHostDeps or [] ++ [
+        "/System/Library/PrivateFrameworks/"
+      ];
+    });
+
+    Carbon = lib.overrideDerivation super.Carbon (drv: {
+      extraTBDFiles = [ "Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering.tbd" ];
+    });
+
+    CoreFoundation = lib.overrideDerivation super.CoreFoundation (drv: {
+      setupHook = ./cf-setup-hook.sh;
+    });
+
+    CoreMedia = lib.overrideDerivation super.CoreMedia (drv: {
+      __propagatedImpureHostDeps = drv.__propagatedImpureHostDeps or [] ++ [
+        "/System/Library/Frameworks/CoreImage.framework"
+      ];
+    });
+
+    CoreMIDI = lib.overrideDerivation super.CoreMIDI (drv: {
+      __propagatedImpureHostDeps = drv.__propagatedImpureHostDeps or [] ++ [
+        "/System/Library/PrivateFrameworks/"
+      ];
+      setupHook = ./private-frameworks-setup-hook.sh;
+    });
+
+    IMServicePlugIn = lib.overrideDerivation super.IMServicePlugIn (drv: {
+      extraTBDFiles = [ "Versions/A/Frameworks/IMServicePlugInSupport.framework/Versions/A/IMServicePlugInSupport.tbd" ];
+    });
+
+    Security = lib.overrideDerivation super.Security (drv: {
+      setupHook = ./security-setup-hook.sh;
+    });
+
+    QuartzCore = lib.overrideDerivation super.QuartzCore (drv: {
+      installPhase = drv.installPhase + ''
+        f="$out/Library/Frameworks/QuartzCore.framework/Headers/CoreImage.h"
+        substituteInPlace "$f" \
+          --replace "QuartzCore/../Frameworks/CoreImage.framework/Headers" "CoreImage"
+      '';
+    });
+
+    MetalKit = lib.overrideDerivation super.MetalKit (drv: {
+      installPhase = drv.installPhase + ''
+        mkdir -p $out/include/simd
+        cp ${lib.getDev sdk}/include/simd/*.h $out/include/simd/
+      '';
+    });
+
+    WebKit = lib.overrideDerivation super.WebKit (drv: {
+      extraTBDFiles = [
+        "Versions/A/Frameworks/WebCore.framework/Versions/A/WebCore.tbd"
+        "Versions/A/Frameworks/WebKitLegacy.framework/Versions/A/WebKitLegacy.tbd"
+      ];
+    });
+  } // lib.genAttrs [ "ContactsPersistence" "CoreSymbolication" "GameCenter" "SkyLight" "UIFoundation" ] (x: tbdOnlyFramework x {});
+
+  bareFrameworks = lib.mapAttrs framework (import ./frameworks.nix {
+    inherit frameworks libs;
+    inherit (pkgs.darwin) libobjc;
+  });
+
+  frameworks = bareFrameworks // overrides bareFrameworks;
+
+  inherit sdk;
+}
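Review bot: In `linkFramework`, the `elif` branch overwrites `current` with a fresh `readlink` of the host's `/System/Library/Frameworks/$name.framework/Versions/Current`, without the empty-result fallback to `A` applied earlier. By then `$dest/Versions/$current` has been created and entered using the old value. If the two values differ, or the host lookup returns nothing, the later `tbd_source`, the `Resources` link and `ln -s "$current" Versions/Current` refer to a version directory that was never populated. I would keep the lookup in its own variable, `local hdr_current="$(readlink "/System/Library/Frameworks/$name.framework/Versions/Current")"`, and copy from `Versions/''${hdr_current:-$current}/Headers`, leaving `current` untouched. Since these `readlink` calls read the builder's own macOS install, a comment next to `preferLocalBuild` saying that the output depends on host state would also be useful.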
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/framework-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/framework-setup-hook.sh
new file mode 100644
index 000000000000..b0d5915fc1fc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/framework-setup-hook.sh
@@ -0,0 +1,42 @@
+# On macOS, frameworks are linked to the system CoreFoundation but
+# dynamic libraries built with nix use a pure version of CF this
+# causes segfaults for binaries that depend on it at runtime.  This
+# can be solved in two ways.
+# 1. Rewrite references to the pure CF using this setup hook, this
+# works for the simple case but this can still cause problems if other
+# dependencies (eg. python) use the pure CF.
+# 2. Create a wrapper for the binary that sets DYLD_FRAMEWORK_PATH to
+# /System/Library/Frameworks.  This will make everything load the
+# system's CoreFoundation framework while still keeping the
+# dependencies pure for other packages.
+
+fixupOutputHooks+=('fixDarwinFrameworksIn $prefix')
+
+fixDarwinFrameworks() {
+    local systemPrefix='/System/Library/Frameworks'
+
+    for fn in "$@"; do
+        if [ -L "$fn" ]; then continue; fi
+        echo "$fn: fixing dylib"
+
+        for framework in $(otool -L "$fn" | awk '/CoreFoundation\.framework/ {print $1}'); do
+          install_name_tool -change "$framework" "$systemPrefix/CoreFoundation.framework/Versions/A/CoreFoundation" "$fn" >&2
+        done
+    done
+}
+
+fixDarwinFrameworksIn() {
+    local dir="$1"
+    fixDarwinFrameworks $(find "$dir" -name "*.dylib")
+}
+
+
+# This configures the stdenv to use /System/Library/Frameworks/CoreFoundation.framework
+# instead of the nix version by including the system frameworks path
+# as an rpath entry when creating binaries.
+
+useSystemCoreFoundationFramework () {
+  export NIX_COREFOUNDATION_RPATH=/System/Library/Frameworks
+}
+
+addEnvHooks "$hostOffset" useSystemCoreFoundationFramework
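Review bot: `fixDarwinFrameworksIn` passes `$(find "$dir" -name "*.dylib")` unquoted, so a dylib path containing whitespace is split into several arguments and `install_name_tool` is then run on names that do not exist. Reading the paths NUL-delimited into an array avoids the splitting. `fn` and `framework` in `fixDarwinFrameworks` should also be declared `local` so they do not leak into the build environment that sources this hook. Since symlinks are skipped anyway, restricting `find` to `-type f` makes that intent explicit. The hook deliberately repoints libraries at the host's CoreFoundation, so a line in the header comment saying that the result depends on the CF shipped by the running macOS would help anyone reasoning about reproducibility.

```shell
fixDarwinFrameworks() {
    local systemPrefix='/System/Library/Frameworks'
    local fn framework
    # … unchanged: loop over "$@" rewriting CoreFoundation references …
}

fixDarwinFrameworksIn() {
    local dir="$1"
    local -a dylibs=()
    local f
    while IFS= read -r -d '' f; do
        dylibs+=("$f")
    done < <(find "$dir" -type f -name "*.dylib" -print0)
    if (( ${#dylibs[@]} > 0 )); then
        fixDarwinFrameworks "${dylibs[@]}"
    fi
}
```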
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/frameworks.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/frameworks.nix
new file mode 100644
index 000000000000..0c70d9bc258f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/frameworks.nix
@@ -0,0 +1,129 @@
+# Current as of 10.12
+# Epic weird knot-tying happening here.
+# TODO: clean up the process for generating this and include it
+
+{ frameworks, libs, libobjc, }:
+
+with frameworks; with libs; {
+  AGL                     = { inherit Carbon OpenGL; };
+  AVFoundation            = { inherit ApplicationServices CoreGraphics CoreMedia MediaToolbox; };
+  AVKit                   = {};
+  Accounts                = {};
+  AddressBook             = { inherit libobjc Carbon ContactsPersistence; };
+  AppKit                  = { inherit ApplicationServices AudioToolbox AudioUnit Foundation QuartzCore UIFoundation; };
+  AppKitScripting         = {};
+  AppleScriptKit          = {};
+  AppleScriptObjC         = {};
+  AudioToolbox            = { inherit CoreAudio CoreMIDI; };
+  AudioUnit               = { inherit AudioToolbox Carbon CoreAudio; };
+  AudioVideoBridging      = { inherit Foundation; };
+  Automator               = {};
+  CFNetwork               = {};
+  CalendarStore           = {};
+  Cocoa                   = { inherit AppKit CoreData; };
+  Collaboration           = {};
+  # Impure version of CoreFoundation, this should not be used unless another
+  # framework includes headers that are not available in the pure version.
+  CoreFoundation          = {};
+  CoreAudio               = { inherit IOKit; };
+  CoreAudioKit            = { inherit AudioUnit; };
+  CoreData                = {};
+  CoreGraphics            = { inherit Accelerate IOKit IOSurface SystemConfiguration; };
+  CoreImage               = {};
+  CoreLocation            = {};
+  CoreMIDI                = {};
+  CoreMIDIServer          = { inherit CoreMIDI; };
+  CoreMedia               = { inherit ApplicationServices AudioToolbox AudioUnit CoreAudio CoreGraphics CoreVideo; };
+  CoreMediaIO             = { inherit CoreMedia; };
+  CoreText                = { inherit CoreGraphics; };
+  CoreVideo               = { inherit ApplicationServices CoreGraphics IOSurface OpenGL; };
+  CoreWLAN                = { inherit SecurityFoundation; };
+  DVDPlayback             = {};
+  DirectoryService        = {};
+  DiscRecording           = { inherit libobjc CoreServices IOKit; };
+  DiscRecordingUI         = {};
+  DiskArbitration         = { inherit IOKit; };
+  EventKit                = {};
+  ExceptionHandling       = {};
+  FWAUserLib              = {};
+  ForceFeedback           = { inherit IOKit; };
+  Foundation              = { inherit libobjc CoreFoundation Security ApplicationServices SystemConfiguration; };
+  GLKit                   = {};
+  GLUT                    = { inherit OpenGL; };
+  GSS                     = {};
+  GameCenter              = {};
+  GameController          = {};
+  GameKit                 = { inherit Cocoa Foundation GameCenter GameController GameplayKit Metal MetalKit ModelIO SceneKit SpriteKit; };
+  GameplayKit             = {};
+  Hypervisor              = {};
+  ICADevices              = { inherit libobjc Carbon IOBluetooth; };
+  IMServicePlugIn         = {};
+  IOBluetoothUI           = { inherit IOBluetooth; };
+  IOKit                   = {};
+  IOSurface               = { inherit IOKit xpc; };
+  ImageCaptureCore        = {};
+  ImageIO                 = { inherit CoreGraphics; };
+  InputMethodKit          = { inherit Carbon; };
+  InstallerPlugins        = {};
+  InstantMessage          = {};
+  JavaFrameEmbedding      = {};
+  JavaNativeFoundation    = {};
+  JavaRuntimeSupport      = {};
+  JavaScriptCore          = { inherit libobjc; };
+  Kerberos                = {};
+  Kernel                  = { inherit IOKit; };
+  LDAP                    = {};
+  LatentSemanticMapping   = { inherit Carbon; };
+  LocalAuthentication     = {};
+  MapKit                  = {};
+  MediaAccessibility      = { inherit CoreGraphics CoreText QuartzCore; };
+  MediaPlayer             = {};
+  MediaToolbox            = { inherit AudioToolbox AudioUnit CoreMedia; };
+  Metal                   = {};
+  MetalKit                = { inherit ModelIO Metal; };
+  ModelIO                 = {};
+  NetFS                   = {};
+  OSAKit                  = { inherit Carbon; };
+  OpenAL                  = {};
+  OpenCL                  = { inherit IOSurface OpenGL; };
+  OpenGL                  = {};
+  PCSC                    = { inherit CoreData; };
+  PreferencePanes         = {};
+  PubSub                  = {};
+  QTKit                   = { inherit CoreMediaIO CoreMedia MediaToolbox QuickTime VideoToolbox; };
+  QuickLook               = { inherit ApplicationServices; };
+  SceneKit                = {};
+  ScreenSaver             = {};
+  Scripting               = {};
+  ScriptingBridge         = {};
+  Security                = { inherit IOKit; };
+  SecurityFoundation      = {};
+  SecurityInterface       = { inherit Security SecurityFoundation; };
+  ServiceManagement       = { inherit Security; };
+  Social                  = {};
+  SpriteKit               = {};
+  StoreKit                = {};
+  SyncServices            = {};
+  SystemConfiguration     = { inherit Security; };
+  TWAIN                   = { inherit Carbon; };
+  Tcl                     = {};
+  VideoDecodeAcceleration = { inherit CoreVideo; };
+  VideoToolbox            = { inherit CoreMedia CoreVideo; };
+  WebKit                  = { inherit libobjc ApplicationServices Carbon JavaScriptCore OpenGL; };
+
+  # Umbrellas
+  Accelerate          = { inherit CoreWLAN IOBluetooth; };
+  ApplicationServices = { inherit CoreGraphics CoreServices CoreText ImageIO; };
+  Carbon              = { inherit libobjc ApplicationServices CoreServices Foundation IOKit Security QuartzCore; };
+  CoreBluetooth       = {};
+  # TODO: figure out which part of the umbrella depends on CoreFoundation and move it there.
+  CoreServices        = { inherit CFNetwork CoreFoundation CoreAudio CoreData DiskArbitration Security NetFS OpenDirectory ServiceManagement; };
+  IOBluetooth         = { inherit CoreBluetooth IOKit; };
+  JavaVM              = {};
+  OpenDirectory       = {};
+  Quartz              = { inherit QuartzCore QuickLook QTKit; };
+  QuartzCore          = { inherit libobjc ApplicationServices CoreVideo OpenCL CoreImage Metal; };
+  QuickTime           = { inherit ApplicationServices AudioUnit Carbon CoreAudio CoreServices OpenGL QuartzCore; };
+
+  vmnet = {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix
new file mode 100644
index 000000000000..c111492f2b3d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/impure-deps.nix
@@ -0,0 +1,256 @@
+rec {
+  CFNetwork = [
+    "/System/Library/Frameworks/CFNetwork.framework"
+    "/usr/lib/libsqlite3.dylib"
+    "/usr/lib/libxml2.2.dylib"
+  ];
+  ForceFeedback = [
+    "/System/Library/Frameworks/ForceFeedback.framework"
+  ];
+  AGL = [
+    "/System/Library/Frameworks/AGL.framework"
+  ];
+  IOKit = [
+    "/System/Library/Frameworks/IOKit.framework"
+  ];
+  JavaScriptCore = [
+    "/System/Library/Frameworks/JavaScriptCore.framework"
+  ];
+  QuickLook = [
+    "/System/Library/Frameworks/QuickLook.framework"
+  ];
+  Quartz = [
+    "/System/Library/Frameworks/Quartz.framework"
+    "/System/Library/PrivateFrameworks/AppleSystemInfo.framework/Versions/A/AppleSystemInfo"
+    "/System/Library/PrivateFrameworks/CorePDF.framework/Versions/A/CorePDF"
+    "/usr/lib/libspindump.dylib"
+  ];
+  ImageCaptureCore = [
+    "/System/Library/Frameworks/ImageCaptureCore.framework"
+  ];
+  VideoToolbox = [
+    "/System/Library/Frameworks/VideoToolbox.framework"
+    "/System/Library/PrivateFrameworks/AppleVA.framework/Versions/A/AppleVA"
+  ];
+  QuickTime = [
+    "/System/Library/Frameworks/QuickTime.framework"
+  ];
+  CoreMedia = [
+    "/System/Library/Frameworks/CoreMedia.framework"
+  ];
+  CoreMediaIO = [
+    "/System/Library/Frameworks/CoreMediaIO.framework"
+    "/System/Library/PrivateFrameworks/AppSandbox.framework/Versions/A/AppSandbox"
+    "/System/Library/PrivateFrameworks/AppContainer.framework/Versions/A/AppContainer"
+    "/System/Library/PrivateFrameworks/SecCodeWrapper.framework/Versions/A/SecCodeWrapper"
+    "/System/Library/PrivateFrameworks/XPCService.framework/Versions/A/XPCService"
+    "/usr/lib/libsandbox.1.dylib"
+    "/usr/lib/libMatch.1.dylib"
+  ];
+  MediaToolbox = [
+    "/System/Library/Frameworks/MediaToolbox.framework"
+    "/System/Library/PrivateFrameworks/CoreAUC.framework/Versions/A/CoreAUC"
+    "/System/Library/PrivateFrameworks/NetworkStatistics.framework/Versions/A/NetworkStatistics"
+  ];
+  QTKit = [
+    "/System/Library/Frameworks/QTKit.framework"
+    "/System/Library/PrivateFrameworks/CoreMediaAuthoring.framework/Versions/A/CoreMediaAuthoring"
+  ];
+  OSAKit = [
+    "/System/Library/Frameworks/OSAKit.framework"
+    "/usr/lib/libexslt.0.dylib"
+  ];
+  WebKit = [
+    "/System/Library/Frameworks/WebKit.framework"
+  ];
+  DiskArbitration = [
+    "/System/Library/Frameworks/DiskArbitration.framework"
+  ];
+  Security = [
+    "/System/Library/Frameworks/Security.framework"
+    "/usr/lib/libbsm.0.dylib"
+    "/usr/lib/libbz2.1.0.dylib"
+    "/usr/lib/libpam.2.dylib"
+    "/usr/lib/libxar.1.dylib"
+    "/usr/lib/libxml2.2.dylib"
+    "/usr/lib/libsqlite3.dylib"
+  ];
+  GSS = [
+    "/System/Library/Frameworks/GSS.framework"
+  ];
+  Kerberos = [
+    "/System/Library/Frameworks/Kerberos.framework"
+  ];
+  CoreServices = [
+    "/System/Library/Frameworks/CoreServices.framework"
+    "/System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/DataDetectorsCore"
+    "/System/Library/PrivateFrameworks/TCC.framework/Versions/A/TCC"
+    "/System/Library/PrivateFrameworks/LanguageModeling.framework/Versions/A/LanguageModeling"
+    "/usr/lib/libmecabra.dylib"
+    "/usr/lib/libcmph.dylib"
+    "/usr/lib/libiconv.2.dylib"
+    "/usr/lib/libxslt.1.dylib"
+  ] ++ Foundation;
+  IOSurface = [
+    "/System/Library/Frameworks/IOSurface.framework"
+  ];
+  CoreGraphics = [
+    "/System/Library/Frameworks/CoreGraphics.framework"
+    "/System/Library/PrivateFrameworks/MultitouchSupport.framework/Versions/A/MultitouchSupport"
+    "/usr/lib/libbsm.0.dylib"
+    "/usr/lib/libz.1.dylib"
+  ];
+  CoreText = [
+    "/System/Library/Frameworks/CoreText.framework"
+  ];
+  ImageIO = [
+    "/System/Library/Frameworks/ImageIO.framework"
+  ];
+  ApplicationServices = [
+    "/System/Library/Frameworks/ApplicationServices.framework"
+    "/usr/lib/libcups.2.dylib"
+    "/usr/lib/libresolv.9.dylib"
+  ] ++ AudioToolbox;
+  OpenGL = [
+    "/System/Library/Frameworks/OpenGL.framework"
+  ];
+  CoreVideo = [
+    "/System/Library/Frameworks/CoreVideo.framework"
+  ];
+  QuartzCore = [
+    "/System/Library/Frameworks/QuartzCore.framework"
+    "/System/Library/PrivateFrameworks/CrashReporterSupport.framework/Versions/A/CrashReporterSupport"
+  ];
+  PCSC = [
+    "/System/Library/Frameworks/PCSC.framework"
+  ];
+  AppKit = [
+    "/System/Library/Frameworks/AppKit.framework"
+    "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Apple80211"
+    "/System/Library/PrivateFrameworks/AppleJPEG.framework/Versions/A/AppleJPEG"
+    "/System/Library/PrivateFrameworks/AppleVPA.framework/Versions/A/AppleVPA"
+    "/System/Library/PrivateFrameworks/Backup.framework/Versions/A/Backup"
+    "/System/Library/PrivateFrameworks/ChunkingLibrary.framework/Versions/A/ChunkingLibrary"
+    "/System/Library/PrivateFrameworks/CommonAuth.framework/Versions/A/CommonAuth"
+    "/System/Library/PrivateFrameworks/CoreSymbolication.framework/Versions/A/CoreSymbolication"
+    "/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI"
+    "/System/Library/PrivateFrameworks/CoreWiFi.framework/Versions/A/CoreWiFi"
+    "/System/Library/PrivateFrameworks/CrashReporterSupport.framework/Versions/A/CrashReporterSupport"
+    "/System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/DataDetectorsCore"
+    "/System/Library/PrivateFrameworks/DebugSymbols.framework/Versions/A/DebugSymbols"
+    "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv"
+    "/System/Library/PrivateFrameworks/FaceCore.framework/Versions/A/FaceCore"
+    "/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/GenerationalStorage"
+    "/System/Library/PrivateFrameworks/Heimdal.framework/Heimdal"
+    "/System/Library/PrivateFrameworks/Heimdal.framework/Versions/Current"
+    "/System/Library/PrivateFrameworks/Heimdal.framework/Versions/A/Heimdal"
+    "/System/Library/PrivateFrameworks/IconServices.framework/Versions/A/IconServices"
+    "/System/Library/PrivateFrameworks/LanguageModeling.framework/Versions/A/LanguageModeling"
+    "/System/Library/PrivateFrameworks/MultitouchSupport.framework/Versions/A/MultitouchSupport"
+    "/System/Library/PrivateFrameworks/NetAuth.framework/Versions/A/NetAuth"
+    "/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/PerformanceAnalysis"
+    "/System/Library/PrivateFrameworks/RemoteViewServices.framework/Versions/A/RemoteViewServices"
+    "/System/Library/PrivateFrameworks/Sharing.framework/Versions/A/Sharing"
+    "/System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/SpeechRecognitionCore"
+    "/System/Library/PrivateFrameworks/Symbolication.framework/Versions/A/Symbolication"
+    "/System/Library/PrivateFrameworks/TCC.framework/Versions/A/TCC"
+    "/System/Library/PrivateFrameworks/UIFoundation.framework/Versions/A/UIFoundation"
+    "/System/Library/PrivateFrameworks/login.framework/Versions/A/Frameworks/loginsupport.framework/Versions/A/loginsupport"
+    "/usr/lib/libCRFSuite.dylib"
+    "/usr/lib/libOpenScriptingUtil.dylib"
+    "/usr/lib/libarchive.2.dylib"
+    "/usr/lib/libbsm.0.dylib"
+    "/usr/lib/libbz2.1.0.dylib"
+    "/usr/lib/libc++.1.dylib"
+    "/usr/lib/libc++abi.dylib"
+    "/usr/lib/libcmph.dylib"
+    "/usr/lib/libcups.2.dylib"
+    "/usr/lib/libextension.dylib"
+    "/usr/lib/libheimdal-asn1.dylib"
+    "/usr/lib/libiconv.2.dylib"
+    "/usr/lib/libicucore.A.dylib"
+    "/usr/lib/liblangid.dylib"
+    "/usr/lib/liblzma.5.dylib"
+    "/usr/lib/libmecabra.dylib"
+    "/usr/lib/libpam.2.dylib"
+    "/usr/lib/libresolv.9.dylib"
+    "/usr/lib/libsqlite3.dylib"
+    "/usr/lib/libxar.1.dylib"
+    "/usr/lib/libxml2.2.dylib"
+    "/usr/lib/libxslt.1.dylib"
+    "/usr/lib/libz.1.dylib"
+  ];
+  Foundation = [
+    "/System/Library/Frameworks/Foundation.framework"
+    "/usr/lib/libextension.dylib"
+    "/usr/lib/libarchive.2.dylib"
+    "/usr/lib/liblzma.5.dylib"
+    "/usr/lib/liblangid.dylib"
+    "/usr/lib/libCRFSuite.dylib"
+  ];
+  CoreData = [
+    "/System/Library/Frameworks/CoreData.framework"
+  ];
+  Cocoa = [
+    "/System/Library/Frameworks/Cocoa.framework"
+    "/System/Library/PrivateFrameworks/UIFoundation.framework/Versions/A/UIFoundation"
+    "/System/Library/PrivateFrameworks/UIFoundation.framework/Versions/A"
+  ];
+  Carbon = [
+    "/System/Library/Frameworks/Carbon.framework"
+    "/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI"
+    "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv"
+    "/System/Library/PrivateFrameworks/IconServices.framework/Versions/A/IconServices"
+    "/System/Library/PrivateFrameworks/ChunkingLibrary.framework/Versions/A/ChunkingLibrary"
+    "/System/Library/PrivateFrameworks/Sharing.framework/Versions/A/Sharing"
+    "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Apple80211"
+    "/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/GenerationalStorage"
+  ];
+  CoreAudio = [
+    "/System/Library/Frameworks/CoreAudio.framework"
+  ];
+  AudioUnit = [
+    "/System/Library/Frameworks/AudioUnit.framework"
+  ];
+  CoreMIDI = [
+    "/System/Library/Frameworks/CoreMIDI.framework"
+  ];
+  AudioToolbox = [
+    "/System/Library/Frameworks/AudioToolbox.framework"
+  ];
+  SystemConfiguration = [
+    "/System/Library/Frameworks/SystemConfiguration.framework"
+  ];
+  NetFS = [
+    "/System/Library/Frameworks/NetFS.framework"
+    "/System/Library/PrivateFrameworks/NetAuth.framework/Versions/A/NetAuth"
+    "/System/Library/PrivateFrameworks/login.framework/Versions/A/Frameworks/loginsupport.framework/Versions/A/loginsupport"
+  ];
+  Accelerate = [
+    "/System/Library/Frameworks/Accelerate.framework"
+  ];
+  OpenDirectory = [
+    "/System/Library/Frameworks/OpenDirectory.framework"
+  ];
+  ServiceManagement = [
+    "/System/Library/Frameworks/ServiceManagement.framework"
+  ];
+  OpenCL = [
+    "/System/Library/Frameworks/OpenCL.framework"
+  ];
+  CoreWLAN = [
+    "/System/Library/Frameworks/CoreWLAN.framework"
+  ];
+  IOBluetooth = [
+    "/System/Library/Frameworks/IOBluetooth.framework"
+  ] ++ AudioUnit ++ CoreBluetooth;
+  CoreBluetooth = [
+    "/System/Library/Frameworks/CoreBluetooth.framework"
+  ];
+  SecurityFoundation = [
+    "/System/Library/Frameworks/SecurityFoundation.framework"
+  ];
+  Kernel = [
+    "/System/Library/Frameworks/Kernel.framework"
+  ];
+}
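Review bot: This file has no header comment saying what the lists are for or how they were produced, which matters because every entry is a host path outside the Nix store. I would add something like `# Host paths each framework needs; presumably fed to __propagatedImpureHostDeps. Keep entries as narrow as possible.` at the top; the consumer is not visible in this hunk, so confirm the wording against it. The granularity is also uneven: `Cocoa` lists both `.../UIFoundation.framework/Versions/A/UIFoundation` and its parent directory `.../UIFoundation.framework/Versions/A`, which makes the first entry redundant, while most other entries name a single binary. Stating whether individual files or directories are the intended unit would let a reviewer tell a deliberate widening from an accident.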
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/private-frameworks-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/private-frameworks-setup-hook.sh
new file mode 100644
index 000000000000..a351c39de130
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/private-frameworks-setup-hook.sh
@@ -0,0 +1,8 @@
+addPrivateFrameworks() {
+    flag="-F/System/Library/PrivateFrameworks"
+    if [[ "${NIX_CFLAGS_COMPILE-}" != *$flag* ]]; then
+        NIX_CFLAGS_COMPILE+=" $flag"
+    fi
+}
+
+addEnvHooks "$hostOffset" addPrivateFrameworks
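Review bot: `flag` is assigned without `local` in `addPrivateFrameworks`, so it becomes a global in every build that sources this hook; `noDeprecatedDeclarations` in security-setup-hook.sh does the same with the same variable name. Declaring it as `local flag="-F/System/Library/PrivateFrameworks"` and quoting the pattern as `*"$flag"*` keeps the variable contained and the match literal. Separately, the flag puts the whole private-frameworks directory on the framework search path of every dependent of the package carrying this hook. A comment stating that this breadth is intended, and which framework needs it, would make the trade-off visible.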
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-sdk/security-setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/security-setup-hook.sh
new file mode 100644
index 000000000000..35cea773f98b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-sdk/security-setup-hook.sh
@@ -0,0 +1,10 @@
+noDeprecatedDeclarations() {
+  # Security.framework has about 2000 deprecated constants, all of which the user will be
+  # warned about at compilation time
+  flag="-Wno-deprecated-declarations"
+  if [[ "${NIX_CFLAGS_COMPILE-}" != *$flag* ]]; then
+    NIX_CFLAGS_COMPILE+=" $flag"
+  fi
+}
+
+addEnvHooks "$hostOffset" noDeprecatedDeclarations
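Review bot: `-Wno-deprecated-declarations` is appended to `NIX_CFLAGS_COMPILE`, so it silences deprecation warnings across a dependent's whole compilation, not only those from Security.framework's headers. A package that depends on Security therefore also loses warnings about deprecated APIs in unrelated libraries, including ones its maintainers might want to see. The existing comment explains the motivation but not this scope; I would extend it with `# NOTE: this applies to every compilation in packages that depend on Security, not just to Security's own headers.`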
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix
new file mode 100644
index 000000000000..25e1df3773db
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CarbonHeaders/default.nix
@@ -0,0 +1,20 @@
+{ lib, appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/include
+    cp MacTypes.h          $out/include
+    cp ConditionalMacros.h $out/include
+
+    substituteInPlace $out/include/MacTypes.h \
+      --replace "CarbonCore/" ""
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix
new file mode 100644
index 000000000000..36013fe307ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/CommonCrypto/default.nix
@@ -0,0 +1,42 @@
+{ lib, appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include/CommonCrypto
+    cp include/* $out/include/CommonCrypto
+  '';
+
+  appleHeaders = ''
+    CommonCrypto/CommonBaseXX.h
+    CommonCrypto/CommonBigNum.h
+    CommonCrypto/CommonCMACSPI.h
+    CommonCrypto/CommonCRC.h
+    CommonCrypto/CommonCrypto.h
+    CommonCrypto/CommonCryptoError.h
+    CommonCrypto/CommonCryptoPriv.h
+    CommonCrypto/CommonCryptor.h
+    CommonCrypto/CommonCryptorSPI.h
+    CommonCrypto/CommonDH.h
+    CommonCrypto/CommonDigest.h
+    CommonCrypto/CommonDigestSPI.h
+    CommonCrypto/CommonECCryptor.h
+    CommonCrypto/CommonHMAC.h
+    CommonCrypto/CommonHMacSPI.h
+    CommonCrypto/CommonKeyDerivation.h
+    CommonCrypto/CommonKeyDerivationSPI.h
+    CommonCrypto/CommonNumerics.h
+    CommonCrypto/CommonRSACryptor.h
+    CommonCrypto/CommonRandom.h
+    CommonCrypto/CommonRandomSPI.h
+    CommonCrypto/CommonSymmetricKeywrap.h
+    CommonCrypto/aes.h
+    CommonCrypto/lionCompat.h
+    CommonCrypto/module.modulemap
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
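Review bot: `cp include/* $out/include/CommonCrypto` installs the private and SPI headers along with the public API, and nothing in the file says this is intended. Judging by the `appleHeaders` list, that includes `CommonCryptoPriv.h`, `CommonCryptorSPI.h` and `CommonRandomSPI.h`. A comment above `installPhase` such as `# Also installs Apple's private/SPI headers; these are not a stable interface.` would make the choice explicit; add the actual reason dependents need them, which this hunk does not show. It would also help to say in one line what `appleHeaders` is used for, since `appleDerivation'` is defined elsewhere.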
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix
new file mode 100644
index 000000000000..ac09a282f512
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Csu/default.nix
@@ -0,0 +1,28 @@
+{ lib, appleDerivation', stdenv }:
+
+appleDerivation' stdenv {
+
+  prePatch = ''
+    substituteInPlace Makefile \
+      --replace /usr/lib /lib \
+      --replace /usr/local/lib /lib \
+      --replace /usr/bin "" \
+      --replace /bin/ "" \
+      --replace "CC = " "#" \
+      --replace "SDK_DIR = " "SDK_DIR = . #" \
+
+    # Mac OS didn't support rpaths back before 10.5, but we don't care about it.
+    substituteInPlace Makefile \
+      --replace -mmacosx-version-min=10.4 -mmacosx-version-min=10.6 \
+      --replace -mmacosx-version-min=10.5 -mmacosx-version-min=10.6
+  '';
+
+  installFlags = [ "DSTROOT=$(out)" ];
+
+  meta = with lib; {
+    description = "Apple's common startup stubs for darwin";
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
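Review bot: In `prePatch`, `--replace /usr/bin ""` removes the directory but not the slash that follows it, so a Makefile reference of the form `/usr/bin/tool` would become `/tool` rather than a bare `tool` resolved through PATH, and the later `--replace /bin/ ""` would not catch it. If the intent matches the `/bin/` rule, the pattern should be `--replace /usr/bin/ ""`; the Makefile is not visible here, so check which form it actually contains. The first `substituteInPlace` also ends with a stray trailing `\` after the `SDK_DIR` rule. It is harmless only because the next line is blank, and a command added directly below it would be swallowed as arguments, so I would drop that backslash.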
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix
new file mode 100644
index 000000000000..cdebfe6d2f72
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ICU/default.nix
@@ -0,0 +1,86 @@
+{ appleDerivation, lib, stdenv, buildPackages, python3 }:
+
+let
+  formatVersionNumeric = version:
+    let
+      versionParts = lib.versions.splitVersion version;
+      major = lib.toInt (lib.elemAt versionParts 0);
+      minor = lib.toInt (lib.elemAt versionParts 1);
+      patch = if lib.length versionParts > 2 then lib.toInt (lib.elemAt versionParts 2) else 0;
+    in toString (major * 10000 + minor * 100 + patch);
+in
+
+appleDerivation {
+  nativeBuildInputs = [ python3 ];
+
+  depsBuildBuild = lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [ buildPackages.stdenv.cc ];
+
+  postPatch = ''
+    substituteInPlace makefile \
+      --replace "/usr/bin/" "" \
+      --replace "xcrun --sdk macosx --find" "echo -n" \
+      --replace "xcrun --sdk macosx.internal --show-sdk-path" "echo -n /dev/null" \
+      --replace "-install_name " "-install_name $out"
+
+    substituteInPlace icuSources/config/mh-darwin \
+      --replace "-install_name " "-install_name $out/"
+
+    # drop using impure /var/db/timezone/icutz
+    substituteInPlace makefile \
+      --replace '-DU_TIMEZONE_FILES_DIR=\"\\\"$(TZDATA_LOOKUP_DIR)\\\"\" -DU_TIMEZONE_PACKAGE=\"\\\"$(TZDATA_PACKAGE)\\\"\"' ""
+
+    # FIXME: This will cause `ld: warning: OS version (12.0) too small, changing to 13.0.0`, APPLE should fix it.
+    substituteInPlace makefile \
+      --replace "ZIPPERING_LDFLAGS=-Wl,-iosmac_version_min,12.0" "ZIPPERING_LDFLAGS="
+
+    # skip test for missing encodingSamples data
+    substituteInPlace icuSources/test/cintltst/ucsdetst.c \
+      --replace "&TestMailFilterCSS" "NULL"
+
+    patchShebangs icuSources
+  '' + lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
+
+    # This looks like a bug in the makefile. It defines ENV_BUILDHOST to
+    # propagate the correct value of CC, CXX, etc, but has the following double
+    # expansion that results in the empty string.
+    substituteInPlace makefile \
+      --replace '$($(ENV_BUILDHOST))' '$(ENV_BUILDHOST)'
+  '';
+
+  # APPLE is using makefile to save its default configuration and call ./configure, so we hack makeFlags
+  # instead of configuring ourself, trying to stay abreast of APPLE.
+  dontConfigure = true;
+  makeFlags = [
+    "DSTROOT=$(out)"
+
+    # remove /usr prefix on include and lib
+    "PRIVATE_HDR_PREFIX="
+    "libdir=/lib/"
+
+    "DATA_INSTALL_DIR=/share/icu/"
+    "DATA_LOOKUP_DIR=$(DSTROOT)$(DATA_INSTALL_DIR)"
+  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ # darwin* platform properties are only defined on darwin
+    # hack to use our lower macos version
+    "MAC_OS_X_VERSION_MIN_REQUIRED=${formatVersionNumeric stdenv.hostPlatform.darwinMinVersion}"
+    "ICU_TARGET_VERSION=-m${stdenv.hostPlatform.darwinPlatform}-version-min=${stdenv.hostPlatform.darwinMinVersion}"
+  ]
+  ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
+    "CROSS_BUILD=YES"
+    "BUILD_TYPE="
+    "RC_ARCHS=${stdenv.hostPlatform.darwinArch}"
+    "HOSTCC=cc"
+    "HOSTCXX=c++"
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "CXX=${stdenv.cc.targetPrefix}c++"
+    "HOSTISYSROOT="
+    "OSX_HOST_VERSION_MIN_STRING=${stdenv.buildPlatform.darwinMinVersion}"
+  ];
+
+  doCheck = true;
+  checkTarget = "check";
+
+  postInstall = ''
+    # we don't need all those in usr/local
+    rm -rf $out/usr
+  '';
+}
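Review bot: `depsBuildBuild` wraps a list with `lib.optional`, which produces a nested list `[ [ cc ] ]` when cross-compiling. `lib.optionals` is the list form and is what the `makeFlags` lines in this same file use: `depsBuildBuild = lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ buildPackages.stdenv.cc ];`. In `postPatch` the two `-install_name` rewrites also differ, with `$out` in `makefile` and `$out/` in `icuSources/config/mh-darwin`. If that is deliberate because the makefile's install names already begin with `/`, a short comment saying so would prevent a later "fix" that breaks the install names.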
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix
new file mode 100644
index 000000000000..b413744677d2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/IOKit/default.nix
@@ -0,0 +1,190 @@
+{ lib, appleDerivation', stdenv, IOKitSrcs, xnu, darwin-stubs }:
+
+# Someday it'll make sense to split these out into their own packages, but today is not that day.
+appleDerivation' stdenv {
+  srcs = lib.attrValues IOKitSrcs;
+  sourceRoot = ".";
+
+  phases = [ "unpackPhase" "installPhase" ];
+
+  __propagatedImpureHostDeps = [
+    "/System/Library/Frameworks/IOKit.framework/IOKit"
+    "/System/Library/Frameworks/IOKit.framework/Resources"
+    "/System/Library/Frameworks/IOKit.framework/Versions"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/Library/Frameworks/IOKit.framework
+
+    ###### IMPURITIES
+    ln -s /System/Library/Frameworks/IOKit.framework/Resources \
+      $out/Library/Frameworks/IOKit.framework
+
+    ###### STUBS
+    cp ${darwin-stubs}/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit.tbd \
+      $out/Library/Frameworks/IOKit.framework
+
+    ###### HEADERS
+
+    export dest=$out/Library/Frameworks/IOKit.framework/Headers
+    mkdir -p $dest
+
+    pushd $dest
+    mkdir audio avc DV firewire graphics hid hidsystem i2c kext ndrvsupport
+    mkdir network ps pwr_mgt sbp2 scsi serial storage stream usb video
+    popd
+
+    # root: complete
+    cp IOKitUser-*/IOCFBundle.h                                       $dest
+    cp IOKitUser-*/IOCFPlugIn.h                                       $dest
+    cp IOKitUser-*/IOCFSerialize.h                                    $dest
+    cp IOKitUser-*/IOCFUnserialize.h                                  $dest
+    cp IOKitUser-*/IOCFURLAccess.h                                    $dest
+    cp IOKitUser-*/IODataQueueClient.h                                $dest
+    cp IOKitUser-*/IOKitLib.h                                         $dest
+    cp IOKitUser-*/iokitmig.h                                         $dest
+    cp ${xnu}/Library/PrivateFrameworks/IOKit.framework/Versions/A/Headers/*.h $dest
+
+    # audio: complete
+    cp IOAudioFamily-*/IOAudioDefines.h          $dest/audio
+    cp IOKitUser-*/audio.subproj/IOAudioLib.h    $dest/audio
+    cp IOAudioFamily-*/IOAudioTypes.h            $dest/audio
+
+    # avc: complete
+    cp IOFireWireAVC-*/IOFireWireAVC/IOFireWireAVCConsts.h $dest/avc
+    cp IOFireWireAVC-*/IOFireWireAVCLib/IOFireWireAVCLib.h $dest/avc
+
+    # DV: complete
+    cp IOFWDVComponents-*/DVFamily.h $dest/DV
+
+    # firewire: complete
+    cp IOFireWireFamily-*/IOFireWireFamily.kmodproj/IOFireWireFamilyCommon.h $dest/firewire
+    cp IOFireWireFamily-*/IOFireWireLib.CFPlugInProj/IOFireWireLib.h         $dest/firewire
+    cp IOFireWireFamily-*/IOFireWireLib.CFPlugInProj/IOFireWireLibIsoch.h    $dest/firewire
+    cp IOFireWireFamily-*/IOFireWireFamily.kmodproj/IOFWIsoch.h              $dest/firewire
+
+    # graphics: missing AppleGraphicsDeviceControlUserCommand.h
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOAccelClientConnect.h     $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOAccelSurfaceConnect.h    $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOAccelTypes.h             $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOFramebufferShared.h      $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOGraphicsEngine.h         $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOGraphicsInterface.h      $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOGraphicsInterfaceTypes.h $dest/graphics
+    cp IOKitUser-*/graphics.subproj/IOGraphicsLib.h                            $dest/graphics
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/graphics/IOGraphicsTypes.h          $dest/graphics
+
+    # hid: complete
+    cp IOKitUser-*/hid.subproj/IOHIDBase.h          $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDDevice.h        $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDDevicePlugIn.h  $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDElement.h       $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDLib.h           $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDManager.h       $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDQueue.h         $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDTransaction.h   $dest/hid
+    cp IOKitUser-*/hid.subproj/IOHIDValue.h         $dest/hid
+    cp IOHIDFamily-*/IOHIDFamily/IOHIDKeys.h        $dest/hid
+    cp IOHIDFamily-*/IOHIDFamily/IOHIDUsageTables.h $dest/hid
+    cp IOHIDFamily-*/IOHIDLib/IOHIDLibObsolete.h    $dest/hid
+
+    # hidsystem: complete
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/ev_keymap.h      $dest/hidsystem
+    cp IOKitUser-*/hidsystem.subproj/event_status_driver.h        $dest/hidsystem
+    cp IOKitUser-*/hidsystem.subproj/IOHIDLib.h                   $dest/hidsystem
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/IOHIDParameter.h $dest/hidsystem
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/IOHIDShared.h    $dest/hidsystem
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/IOHIDTypes.h     $dest/hidsystem
+    cp IOHIDFamily-*/IOHIDSystem/IOKit/hidsystem/IOLLEvent.h      $dest/hidsystem
+
+
+    # i2c: complete
+    cp IOGraphics-*/IOGraphicsFamily/IOKit/i2c/IOI2CInterface.h $dest/i2c
+
+    # kext: complete
+    cp IOKitUser-*/kext.subproj/KextManager.h $dest/kext
+
+    # ndrvsupport: complete
+    cp IOGraphics-*/IONDRVSupport/IOKit/ndrvsupport/IOMacOSTypes.h $dest/ndrvsupport
+    cp IOGraphics-*/IONDRVSupport/IOKit/ndrvsupport/IOMacOSVideo.h $dest/ndrvsupport
+
+    # network: complete
+    cp IONetworkingFamily-*/IOEthernetController.h       $dest/network
+    cp IONetworkingFamily-*/IOEthernetInterface.h        $dest/network
+    cp IONetworkingFamily-*/IOEthernetStats.h            $dest/network
+    cp IONetworkingFamily-*/IONetworkController.h        $dest/network
+    cp IONetworkingFamily-*/IONetworkData.h              $dest/network
+    cp IONetworkingFamily-*/IONetworkInterface.h         $dest/network
+    cp IOKitUser-*/network.subproj/IONetworkLib.h        $dest/network
+    cp IONetworkingFamily-*/IONetworkMedium.h            $dest/network
+    cp IONetworkingFamily-*/IONetworkStack.h             $dest/network
+    cp IONetworkingFamily-*/IONetworkStats.h             $dest/network
+    cp IONetworkingFamily-*/IONetworkUserClient.h        $dest/network
+
+    # ps: missing IOUPSPlugIn.h
+    cp IOKitUser-*/ps.subproj/IOPowerSources.h $dest/ps
+    cp IOKitUser-*/ps.subproj/IOPSKeys.h       $dest/ps
+
+    # pwr_mgt: complete
+    cp IOKitUser-*/pwr_mgt.subproj/IOPMKeys.h                                          $dest/pwr_mgt
+    cp IOKitUser-*/pwr_mgt.subproj/IOPMLib.h                                           $dest/pwr_mgt
+    cp ${xnu}/Library/PrivateFrameworks/IOKit.framework/Versions/A/Headers/pwr_mgt/*.h $dest/pwr_mgt
+    cp IOKitUser-*/pwr_mgt.subproj/IOPMLibPrivate.h                                    $dest/pwr_mgt # Private
+
+    # sbp2: complete
+    cp IOFireWireSBP2-*/IOFireWireSBP2Lib/IOFireWireSBP2Lib.h $dest/sbp2
+
+    # scsi: omitted for now
+
+    # serial: complete
+    cp IOSerialFamily-*/IOSerialFamily.kmodproj/IOSerialKeys.h $dest/serial
+    cp IOSerialFamily-*/IOSerialFamily.kmodproj/ioss.h         $dest/serial
+
+    # storage: complete
+    # Needs ata subdirectory
+    cp IOStorageFamily-*/IOAppleLabelScheme.h                                    $dest/storage
+    cp IOStorageFamily-*/IOApplePartitionScheme.h                                $dest/storage
+    cp IOBDStorageFamily-*/IOBDBlockStorageDevice.h                              $dest/storage
+    cp IOBDStorageFamily-*/IOBDMedia.h                                           $dest/storage
+    cp IOBDStorageFamily-*/IOBDMediaBSDClient.h                                  $dest/storage
+    cp IOBDStorageFamily-*/IOBDTypes.h                                           $dest/storage
+    cp IOStorageFamily-*/IOBlockStorageDevice.h                                  $dest/storage
+    cp IOStorageFamily-*/IOBlockStorageDriver.h                                  $dest/storage
+    cp IOCDStorageFamily-*/IOCDBlockStorageDevice.h                              $dest/storage
+    cp IOCDStorageFamily-*/IOCDMedia.h                                           $dest/storage
+    cp IOCDStorageFamily-*/IOCDMediaBSDClient.h                                  $dest/storage
+    cp IOCDStorageFamily-*/IOCDPartitionScheme.h                                 $dest/storage
+    cp IOCDStorageFamily-*/IOCDTypes.h                                           $dest/storage
+    cp IODVDStorageFamily-*/IODVDBlockStorageDevice.h                            $dest/storage
+    cp IODVDStorageFamily-*/IODVDMedia.h                                         $dest/storage
+    cp IODVDStorageFamily-*/IODVDMediaBSDClient.h                                $dest/storage
+    cp IODVDStorageFamily-*/IODVDTypes.h                                         $dest/storage
+    cp IOStorageFamily-*/IOFDiskPartitionScheme.h                                $dest/storage
+    cp IOStorageFamily-*/IOFilterScheme.h                                        $dest/storage
+    cp IOFireWireSerialBusProtocolTransport-*/IOFireWireStorageCharacteristics.h $dest/storage
+    cp IOStorageFamily-*/IOGUIDPartitionScheme.h                                 $dest/storage
+    cp IOStorageFamily-*/IOMedia.h                                               $dest/storage
+    cp IOStorageFamily-*/IOMediaBSDClient.h                                      $dest/storage
+    cp IOStorageFamily-*/IOPartitionScheme.h                                     $dest/storage
+    cp IOStorageFamily-*/IOStorage.h                                             $dest/storage
+    cp IOStorageFamily-*/IOStorageCardCharacteristics.h                          $dest/storage
+    cp IOStorageFamily-*/IOStorageDeviceCharacteristics.h                        $dest/storage
+    cp IOStorageFamily-*/IOStorageProtocolCharacteristics.h                      $dest/storage
+
+    # stream: missing altogether
+
+    # usb: complete
+    cp IOUSBFamily-630.4.5/IOUSBFamily/Headers/IOUSBLib.h            $dest/usb
+    cp IOUSBFamily-630.4.5/IOUSBUserClient/Headers/IOUSBUserClient.h $dest/usb
+    cp IOUSBFamily-560.4.2/IOUSBFamily/Headers/USB.h                 $dest/usb # This file is empty in 630.4.5!
+    cp IOUSBFamily-630.4.5/IOUSBFamily/Headers/USBSpec.h             $dest/usb
+
+    # video: missing altogether
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
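Review bot: `phases = [ "unpackPhase" "installPhase" ];` replaces the whole stdenv phase list, so a `patches` attribute or a `postFixup` hook added to this derivation later would be ignored without any message. The Libsystem expression in this same commit gets the same effect with `dontBuild = true;` and `dontFixup = true;`, which leaves the remaining phases and their hooks in place. Unless `appleDerivation'` depends on the explicit list (it is not visible here), `dontConfigure = true; dontBuild = true; dontFixup = true;` would be the more consistent form. The usb block also mixes `USB.h` from 560.4.2 with headers from 630.4.5; the inline comment says why, and it is worth keeping if the versions are bumped.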
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/0001-Define-TARGET_OS_EMBEDDED-in-std-lib-io-if-not-defin.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/0001-Define-TARGET_OS_EMBEDDED-in-std-lib-io-if-not-defin.patch
new file mode 100644
index 000000000000..2ba67734c544
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/0001-Define-TARGET_OS_EMBEDDED-in-std-lib-io-if-not-defin.patch
@@ -0,0 +1,47 @@
+From 187d0e8847d080790b22724352e51de50d214dd8 Mon Sep 17 00:00:00 2001
+From: toonn <toonn@toonn.io>
+Date: Tue, 27 Jul 2021 15:12:14 +0200
+Subject: [PATCH] Define TARGET_OS_EMBEDDED in std{lib,io} if not defined
+
+Originally attempted including `TargetConditionals.h` but this had
+knock-on effects, for example, breaking the zlib build because of
+`TARGET_OS_MAC` getting defined.
+
+This should be the lowest impact solution and corresponds to the default
+behavior IIUC.
+---
+ include/stdio.h  | 3 +++
+ include/stdlib.h | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/include/stdio.h b/include/stdio.h
+index d0cf7a5..487496e 100644
+--- a/include/stdio.h
++++ b/include/stdio.h
+@@ -351,6 +351,9 @@ __END_DECLS
+ /* Additional functionality provided by:
+  * POSIX.2-1992 C Language Binding Option
+  */
++#ifndef TARGET_OS_EMBEDDED
++#  define TARGET_OS_EMBEDDED 0
++#endif
+ #if TARGET_OS_EMBEDDED
+ #define __swift_unavailable_on(osx_msg, ios_msg) __swift_unavailable(ios_msg)
+ #else
+diff --git a/include/stdlib.h b/include/stdlib.h
+index c04d3a7..0b454ba 100644
+--- a/include/stdlib.h
++++ b/include/stdlib.h
+@@ -183,6 +183,9 @@ unsigned long long
+ #ifndef LIBC_ALIAS_SYSTEM
+ //End-Libc
+ 
++#ifndef TARGET_OS_EMBEDDED
++#  define TARGET_OS_EMBEDDED 0
++#endif
+ #if TARGET_OS_EMBEDDED
+ #define __swift_unavailable_on(osx_msg, ios_msg) __swift_unavailable(ios_msg)
+ #else
+-- 
+2.17.2 (Apple Git-113)
+
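Review bot: After these `#ifndef` blocks, `TARGET_OS_EMBEDDED` stays defined as 0 for the rest of any translation unit that includes `stdio.h` or `stdlib.h`, so code that tests it with `#ifdef TARGET_OS_EMBEDDED` or `defined(TARGET_OS_EMBEDDED)` rather than `#if` will now take the embedded branch. The commit message explains why `TargetConditionals.h` is not included, but neither header carries that reasoning. A comment above each block, for example `/* nixpkgs: default to 0 instead of including TargetConditionals.h, which defines TARGET_OS_MAC and broke the zlib build */`, would keep the rationale next to the code. The same block is added in both `include/stdio.h` and `include/stdlib.h`, so the comment applies to both.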
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/825_40_1.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/825_40_1.nix
new file mode 100644
index 000000000000..c9202b536583
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/825_40_1.nix
@@ -0,0 +1,13 @@
+{ appleDerivation', stdenvNoCC, ed, unifdef }:
+
+appleDerivation' stdenvNoCC {
+  nativeBuildInputs = [ ed unifdef ];
+
+  installPhase = ''
+    export SRCROOT=$PWD
+    export DSTROOT=$out
+    export PUBLIC_HEADERS_FOLDER_PATH=include
+    export PRIVATE_HEADERS_FOLDER_PATH=include
+    bash xcodescripts/headers.sh
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/CrashReporterClient.h b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/CrashReporterClient.h
new file mode 100644
index 000000000000..a1cbb72b9176
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/CrashReporterClient.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2010 Apple Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/***********************************************************************
+ * Not to be installed in /usr/local/include
+ ***********************************************************************/
+
+#ifndef _LIBC_CRASHREPORTERCLIENT_H
+#define _LIBC_CRASHREPORTERCLIENT_H
+
+#include "stdint.h"
+
+/* Fake the CrashReporterClient API */
+#define CRGetCrashLogMessage() 0
+#define CRSetCrashLogMessage(m) true
+
+#define CRASH_REPORTER_CLIENT_HIDDEN __attribute__((visibility("hidden")))
+#define CRASHREPORTER_ANNOTATIONS_VERSION 4
+#define CRASHREPORTER_ANNOTATIONS_SECTION "__crash_info"
+
+struct crashreporter_annotations_t {
+	uint64_t version;		// unsigned long
+	uint64_t message;		// char *
+	uint64_t signature_string;	// char *
+	uint64_t backtrace;		// char *
+	uint64_t message2;		// char *
+	uint64_t thread;		// uint64_t
+	uint64_t dialog_mode;		// unsigned int
+};
+
+#endif
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix
new file mode 100644
index 000000000000..915d3a61f816
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix
@@ -0,0 +1,38 @@
+{ appleDerivation', stdenvNoCC, ed, unifdef, Libc_old, Libc_10-9 }:
+
+appleDerivation' stdenvNoCC {
+  nativeBuildInputs = [ ed unifdef ];
+
+  patches = [
+    ./0001-Define-TARGET_OS_EMBEDDED-in-std-lib-io-if-not-defin.patch
+  ];
+
+  # TODO: asl.h actually comes from syslog project now
+  installPhase = ''
+    export SRCROOT=$PWD
+    export DSTROOT=$out
+    export PUBLIC_HEADERS_FOLDER_PATH=include
+    export PRIVATE_HEADERS_FOLDER_PATH=include
+    bash xcodescripts/headers.sh
+
+    cp ${./CrashReporterClient.h} $out/include/CrashReporterClient.h
+
+    cp ${Libc_10-9}/include/NSSystemDirectories.h $out/include
+
+    # Ugh Apple stopped releasing this stuff so we need an older one...
+    cp    ${Libc_old}/include/spawn.h    $out/include
+    cp    ${Libc_old}/include/setjmp.h   $out/include
+    cp    ${Libc_old}/include/ucontext.h $out/include
+    cp    ${Libc_old}/include/pthread*.h $out/include
+    cp    ${Libc_old}/include/sched.h    $out/include
+    cp -R ${Libc_old}/include/malloc     $out/include
+
+    mkdir -p $out/include/libkern
+    cp ${Libc_old}/include/asl.h                    $out/include
+    cp ${Libc_old}/include/libproc.h                $out/include
+    cp ${Libc_old}/include/libkern/OSAtomic.h       $out/include/libkern
+    cp ${Libc_old}/include/libkern/OSCacheControl.h $out/include/libkern
+  '';
+
+  appleHeaders = builtins.readFile ./headers.txt;
+}
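Review bot: The `cp ${Libc_old}/include/...` and `cp ${Libc_10-9}/include/NSSystemDirectories.h` lines write into the same `$out/include` that `bash xcodescripts/headers.sh` has just populated, and nothing records that these names must be absent from the current release. If a later source bump starts shipping, say, `sched.h` or `asl.h` again, the copy from the older release would either replace the newer header or fail on a read-only target, depending on the modes `headers.sh` sets (not visible here). A comment such as `# none of the files below are produced by headers.sh for this release; re-check on every bump` would state the assumption. A stricter option is to test `[ ! -e $out/include/spawn.h ]` and the like before copying.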
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/headers.txt b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/headers.txt
new file mode 100644
index 000000000000..ea62e31dc781
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libc/headers.txt
@@ -0,0 +1,138 @@
+CrashReporterClient.h
+NSSystemDirectories.h
+_locale.h
+_types.h
+_types/_intmax_t.h
+_types/_nl_item.h
+_types/_uint16_t.h
+_types/_uint32_t.h
+_types/_uint64_t.h
+_types/_uint8_t.h
+_types/_uintmax_t.h
+_types/_wctrans_t.h
+_types/_wctype_t.h
+_wctype.h
+_xlocale.h
+aio.h
+alloca.h
+ar.h
+arpa/ftp.h
+arpa/inet.h
+arpa/nameser_compat.h
+arpa/telnet.h
+arpa/tftp.h
+asl.h
+assert.h
+bitstring.h
+cpio.h
+crt_externs.h
+ctype.h
+db.h
+dirent.h
+disktab.h
+err.h
+errno.h
+execinfo.h
+fcntl.h
+fmtmsg.h
+fnmatch.h
+fsproperties.h
+fstab.h
+fts.h
+ftw.h
+get_compat.h
+getopt.h
+glob.h
+inttypes.h
+iso646.h
+langinfo.h
+libc.h
+libc_private.h
+libgen.h
+libkern/OSAtomic.h
+libkern/OSCacheControl.h
+libproc.h
+limits.h
+locale.h
+malloc/malloc.h
+memory.h
+monetary.h
+monitor.h
+mpool.h
+msgcat.h
+ndbm.h
+nl_types.h
+nlist.h
+os/assumes.h
+os/debug_private.h
+paths.h
+poll.h
+printf.h
+protocols/routed.h
+protocols/rwhod.h
+protocols/talkd.h
+protocols/timed.h
+pthread.h
+pthread_impl.h
+pthread_spis.h
+pthread_workqueue.h
+ranlib.h
+readpassphrase.h
+regex.h
+runetype.h
+sched.h
+search.h
+secure/_common.h
+secure/_stdio.h
+secure/_string.h
+semaphore.h
+setjmp.h
+sgtty.h
+signal.h
+spawn.h
+stab.h
+standards.h
+stddef.h
+stdint.h
+stdio.h
+stdlib.h
+strhash.h
+string.h
+stringlist.h
+strings.h
+struct.h
+sys/acl.h
+sys/rbtree.h
+sys/statvfs.h
+sysexits.h
+syslog.h
+tar.h
+termios.h
+time.h
+timeconv.h
+ttyent.h
+tzfile.h
+ucontext.h
+ulimit.h
+unistd.h
+util.h
+utime.h
+utmpx.h
+utmpx_thread.h
+vis.h
+wchar.h
+wctype.h
+wordexp.h
+xlocale.h
+xlocale/__wctype.h
+xlocale/_ctype.h
+xlocale/_inttypes.h
+xlocale/_langinfo.h
+xlocale/_monetary.h
+xlocale/_regex.h
+xlocale/_stdio.h
+xlocale/_stdlib.h
+xlocale/_string.h
+xlocale/_time.h
+xlocale/_wchar.h
+xlocale/_wctype.h
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libinfo/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libinfo/default.nix
new file mode 100644
index 000000000000..789e536b8a7f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libinfo/default.nix
@@ -0,0 +1,50 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    substituteInPlace xcodescripts/install_files.sh \
+      --replace "/usr/local/" "/" \
+      --replace "/usr/" "/" \
+      --replace '-o "$INSTALL_OWNER" -g "$INSTALL_GROUP"' "" \
+      --replace "ln -h" "ln -n"
+
+    export DSTROOT=$out
+    sh xcodescripts/install_files.sh
+  '';
+
+  appleHeaders = ''
+    aliasdb.h
+    bootparams.h
+    configuration_profile.h
+    grp.h
+    ifaddrs.h
+    ils.h
+    kvbuf.h
+    libinfo.h
+    libinfo_muser.h
+    membership.h
+    membershipPriv.h
+    netdb.h
+    netdb_async.h
+    ntsid.h
+    printerdb.h
+    pwd.h
+    rpc/auth.h
+    rpc/auth_unix.h
+    rpc/clnt.h
+    rpc/pmap_clnt.h
+    rpc/pmap_prot.h
+    rpc/pmap_rmt.h
+    rpc/rpc.h
+    rpc/rpc_msg.h
+    rpc/svc.h
+    rpc/svc_auth.h
+    rpc/types.h
+    rpc/xdr.h
+    rpcsvc/yp_prot.h
+    rpcsvc/ypclnt.h
+    si_data.h
+    si_module.h
+    thread_data.h
+  '';
+}
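Review bot: The `--replace "/usr/" "/"` rule in `installPhase` rewrites every occurrence of `/usr/` in `xcodescripts/install_files.sh`, not only install destinations, so any absolute tool path under `/usr/` in that script (its contents are not visible here) would be rewritten too. All four rules also depend on the exact upstream text, and a pattern that stops matching after a source bump does not fail the build. If the `substituteInPlace` of this nixpkgs revision supports it, `--replace-fail` in place of `--replace` turns a non-matching pattern into a build failure. Otherwise a `grep -q` on the expected text before the substitution gives the same guarantee.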
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/default.nix
new file mode 100644
index 000000000000..6e6712f375e6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libm/default.nix
@@ -0,0 +1,11 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include
+
+    cp Source/Intel/math.h $out/include
+    cp Source/Intel/fenv.h $out/include
+    cp Source/complex.h    $out/include
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libnotify/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libnotify/default.nix
new file mode 100644
index 000000000000..969e64427c9b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libnotify/default.nix
@@ -0,0 +1,9 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include
+    cp notify.h      $out/include
+    cp notify_keys.h $out/include
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix
new file mode 100644
index 000000000000..1bf6396d47fd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Librpcsvc/default.nix
@@ -0,0 +1,22 @@
+{ lib, appleDerivation, developer_cmds }:
+
+appleDerivation {
+  buildInputs = [ developer_cmds ];
+
+  installPhase = ''
+    export DSTROOT=$out
+    export SRCROOT=$PWD
+    export OBJROOT=$PWD
+
+    . ./xcodescripts/install_rpcsvc.sh
+
+    mv $out/usr/* $out
+    rmdir $out/usr/
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ matthewbauer ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
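Review bot: `installPhase` sources the upstream script with `. ./xcodescripts/install_rpcsvc.sh`, so it runs inside the builder's own shell and any `exit`, `set` or `cd` in it affects the rest of the phase, including the `mv $out/usr/* $out` that follows. The other Apple packages in this commit run their scripts in a child shell (`bash xcodescripts/headers.sh` in Libc, `sh xcodescripts/install_files.sh` in Libinfo). `DSTROOT`, `SRCROOT` and `OBJROOT` are already exported, so `bash xcodescripts/install_rpcsvc.sh` looks sufficient unless the script needs functions or unexported variables from the builder. If sourcing is intentional, a one-line comment saying why would help the next reader.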
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix
new file mode 100644
index 000000000000..6f8124dbac4c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix
@@ -0,0 +1,146 @@
+{ lib, stdenv, buildPackages
+, appleDerivation', xnu, Libc, Libm, libdispatch, Libinfo
+, dyld, Csu, architecture, libclosure, CarbonHeaders, ncurses, CommonCrypto
+, copyfile, removefile, libresolvHeaders, libresolv, Libnotify, libplatform, libpthread
+, mDNSResponder, launchd, libutilHeaders, hfsHeaders, darling, darwin-stubs
+, headersOnly ? false
+, withLibresolv ? !headersOnly
+}:
+
+appleDerivation' stdenv {
+  dontBuild = true;
+  dontFixup = true;
+
+  installPhase = ''
+    export NIX_ENFORCE_PURITY=
+
+    mkdir -p $out/lib $out/include
+
+    function copyHierarchy () {
+      mkdir -p $1
+      while read f; do
+        mkdir -p $1/$(dirname $f)
+        cp --parents -pn $f $1
+      done
+    }
+
+    # Set up our include directories
+    (cd ${xnu}/include && find . -name '*.h' -or -name '*.defs' | copyHierarchy $out/include)
+    cp ${xnu}/Library/Frameworks/Kernel.framework/Versions/A/Headers/Availability*.h $out/include
+    cp ${xnu}/Library/Frameworks/Kernel.framework/Versions/A/Headers/stdarg.h        $out/include
+
+    for dep in ${Libc} ${Libm} ${Libinfo} ${dyld} ${architecture} \
+               ${libclosure} ${CarbonHeaders} ${libdispatch} ${ncurses.dev} \
+               ${CommonCrypto} ${copyfile} ${removefile} ${libresolvHeaders} \
+               ${Libnotify} ${libplatform} ${mDNSResponder} ${launchd} \
+               ${libutilHeaders} ${libpthread} ${hfsHeaders}; do
+      (cd $dep/include && find . -name '*.h' | copyHierarchy $out/include)
+    done
+
+    (cd ${buildPackages.darwin.cctools.dev}/include/mach-o && find . -name '*.h' | copyHierarchy $out/include/mach-o)
+
+    mkdir -p $out/include/os
+
+    cp ${darling.src}/src/libc/os/activity.h $out/include/os
+    cp ${darling.src}/src/libc/os/log.h $out/include/os
+    cp ${darling.src}/src/duct/include/os/trace.h $out/include/os
+
+    cat <<EOF > $out/include/os/availability.h
+    #ifndef __OS_AVAILABILITY__
+    #define __OS_AVAILABILITY__
+    #include <AvailabilityInternal.h>
+
+    #if defined(__has_feature) && defined(__has_attribute) && __has_attribute(availability)
+      #define API_AVAILABLE(...) __API_AVAILABLE_GET_MACRO(__VA_ARGS__, __API_AVAILABLE4, __API_AVAILABLE3, __API_AVAILABLE2, __API_AVAILABLE1)(__VA_ARGS__)
+      #define API_DEPRECATED(...) __API_DEPRECATED_MSG_GET_MACRO(__VA_ARGS__, __API_DEPRECATED_MSG5, __API_DEPRECATED_MSG4, __API_DEPRECATED_MSG3, __API_DEPRECATED_MSG2, __API_DEPRECATED_MSG1)(__VA_ARGS__)
+      #define API_DEPRECATED_WITH_REPLACEMENT(...) __API_DEPRECATED_REP_GET_MACRO(__VA_ARGS__, __API_DEPRECATED_REP5, __API_DEPRECATED_REP4, __API_DEPRECATED_REP3, __API_DEPRECATED_REP2, __API_DEPRECATED_REP1)(__VA_ARGS__)
+      #define API_UNAVAILABLE(...) __API_UNAVAILABLE_GET_MACRO(__VA_ARGS__, __API_UNAVAILABLE3, __API_UNAVAILABLE2, __API_UNAVAILABLE1)(__VA_ARGS__)
+    #else
+
+      #define API_AVAILABLE(...)
+      #define API_DEPRECATED(...)
+      #define API_DEPRECATED_WITH_REPLACEMENT(...)
+      #define API_UNAVAILABLE(...)
+
+    #endif
+    #endif
+    EOF
+
+    cat <<EOF > $out/include/TargetConditionals.h
+    #ifndef __TARGETCONDITIONALS__
+    #define __TARGETCONDITIONALS__
+    #define TARGET_OS_MAC               1
+    #define TARGET_OS_WIN32             0
+    #define TARGET_OS_UNIX              0
+    #define TARGET_OS_OSX               1
+    #define TARGET_OS_IPHONE            0
+    #define TARGET_OS_IOS               0
+    #define TARGET_OS_WATCH             0
+    #define TARGET_OS_BRIDGE            0
+    #define TARGET_OS_TV                0
+    #define TARGET_OS_SIMULATOR         0
+    #define TARGET_OS_EMBEDDED          0
+    #define TARGET_OS_EMBEDDED_OTHER    0 /* Used in configd */
+    #define TARGET_IPHONE_SIMULATOR     TARGET_OS_SIMULATOR /* deprecated */
+    #define TARGET_OS_NANO              TARGET_OS_WATCH /* deprecated */
+    #define TARGET_OS_LINUX             0
+
+    #define TARGET_CPU_PPC          0
+    #define TARGET_CPU_PPC64        0
+    #define TARGET_CPU_68K          0
+    #define TARGET_CPU_X86          0
+    #define TARGET_CPU_X86_64       1
+    #define TARGET_CPU_ARM          0
+    #define TARGET_CPU_ARM64        0
+    #define TARGET_CPU_MIPS         0
+    #define TARGET_CPU_SPARC        0
+    #define TARGET_CPU_ALPHA        0
+    #define TARGET_RT_MAC_CFM       0
+    #define TARGET_RT_MAC_MACHO     1
+    #define TARGET_RT_LITTLE_ENDIAN 1
+    #define TARGET_RT_BIG_ENDIAN    0
+    #define TARGET_RT_64_BIT        1
+    #endif  /* __TARGETCONDITIONALS__ */
+    EOF
+  '' + lib.optionalString (!headersOnly) ''
+
+    # The startup object files
+    cp ${Csu}/lib/* $out/lib
+
+    cp -vr \
+      ${darwin-stubs}/usr/lib/libSystem.B.tbd \
+      ${darwin-stubs}/usr/lib/system \
+      $out/lib
+
+    substituteInPlace $out/lib/libSystem.B.tbd \
+      --replace "/usr/lib/system/" "$out/lib/system/"
+    ln -s libSystem.B.tbd $out/lib/libSystem.tbd
+
+    # Set up links to pretend we work like a conventional unix (Apple's design, not mine!)
+    for name in c dbm dl info m mx poll proc pthread rpcsvc util gcc_s.10.4 gcc_s.10.5; do
+      ln -s libSystem.tbd $out/lib/lib$name.tbd
+    done
+  '' + lib.optionalString withLibresolv ''
+
+    # This probably doesn't belong here, but we want to stay similar to glibc, which includes resolv internally...
+    cp ${libresolv}/lib/libresolv.9.dylib $out/lib/libresolv.9.dylib
+    resolv_libSystem=$(${stdenv.cc.bintools.targetPrefix}otool -L "$out/lib/libresolv.9.dylib" | tail -n +3 | grep -o "$NIX_STORE.*-\S*") || true
+    echo $libs
+
+    chmod +w $out/lib/libresolv.9.dylib
+    ${stdenv.cc.bintools.targetPrefix}install_name_tool \
+      -id $out/lib/libresolv.9.dylib \
+      -change "$resolv_libSystem" /usr/lib/libSystem.dylib \
+      $out/lib/libresolv.9.dylib
+    ln -s libresolv.9.dylib $out/lib/libresolv.dylib
+  '';
+
+  appleHeaders = builtins.readFile ./headers.txt;
+
+  meta = with lib; {
+    description = "The Mac OS libc/libSystem (tapi library with pure headers)";
+    maintainers = with maintainers; [ copumpkin gridaphobe ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
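Review bot: In the `withLibresolv` block, `echo $libs` prints a variable that is never set in this phase; the value just computed is `resolv_libSystem`, so the line was probably meant to be `echo "$resolv_libSystem"`. Because the `otool | grep` pipeline ends in `|| true`, an empty match is accepted and `install_name_tool -change "$resolv_libSystem" /usr/lib/libSystem.dylib` then runs with an empty old name. The outcome then depends on how the tool treats that, and the dylib may keep its original libSystem reference without the build noticing. Either wrap the rewrite in `if [ -n "$resolv_libSystem" ]; then … fi`, or fail with a message when nothing matched, depending on which case is expected. Separately, `export NIX_ENFORCE_PURITY=` at the top of `installPhase` has no comment explaining why purity enforcement is switched off for this phase.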
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/headers.txt b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/headers.txt
new file mode 100644
index 000000000000..cdca44c7292c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/headers.txt
@@ -0,0 +1,1729 @@
+AssertMacros.h
+Availability.h
+AvailabilityInternal.h
+AvailabilityMacros.h
+Block.h
+Block_private.h
+CommonCrypto/CommonBaseXX.h
+CommonCrypto/CommonBigNum.h
+CommonCrypto/CommonCMACSPI.h
+CommonCrypto/CommonCRC.h
+CommonCrypto/CommonCrypto.h
+CommonCrypto/CommonCryptoError.h
+CommonCrypto/CommonCryptoPriv.h
+CommonCrypto/CommonCryptor.h
+CommonCrypto/CommonCryptorSPI.h
+CommonCrypto/CommonDH.h
+CommonCrypto/CommonDigest.h
+CommonCrypto/CommonDigestSPI.h
+CommonCrypto/CommonECCryptor.h
+CommonCrypto/CommonHMAC.h
+CommonCrypto/CommonHMacSPI.h
+CommonCrypto/CommonKeyDerivation.h
+CommonCrypto/CommonKeyDerivationSPI.h
+CommonCrypto/CommonNumerics.h
+CommonCrypto/CommonRSACryptor.h
+CommonCrypto/CommonRandom.h
+CommonCrypto/CommonRandomSPI.h
+CommonCrypto/CommonSymmetricKeywrap.h
+CommonCrypto/aes.h
+CommonCrypto/lionCompat.h
+ConditionalMacros.h
+CrashReporterClient.h
+ExtentManager.h
+MacTypes.h
+NSSystemDirectories.h
+TargetConditionals.h
+_errno.h
+_libkernel_init.h
+_locale.h
+_simple.h
+_types.h
+_types/_intmax_t.h
+_types/_nl_item.h
+_types/_uint16_t.h
+_types/_uint32_t.h
+_types/_uint64_t.h
+_types/_uint8_t.h
+_types/_uintmax_t.h
+_types/_wctrans_t.h
+_types/_wctype_t.h
+_wctype.h
+_xlocale.h
+aio.h
+aliasdb.h
+alloca.h
+ar.h
+architecture/alignment.h
+architecture/byte_order.h
+architecture/i386/alignment.h
+architecture/i386/asm_help.h
+architecture/i386/byte_order.h
+architecture/i386/cpu.h
+architecture/i386/desc.h
+architecture/i386/fpu.h
+architecture/i386/frame.h
+architecture/i386/io.h
+architecture/i386/pio.h
+architecture/i386/reg_help.h
+architecture/i386/sel.h
+architecture/i386/table.h
+architecture/i386/tss.h
+arpa/ftp.h
+arpa/inet.h
+arpa/nameser.h
+arpa/nameser_compat.h
+arpa/telnet.h
+arpa/tftp.h
+asl.h
+assert.h
+atm/atm_notification.defs
+atm/atm_types.defs
+atm/atm_types.h
+bank/bank_types.h
+bitstring.h
+bootparams.h
+bootstrap.h
+bootstrap_priv.h
+bsd/bsm/audit.h
+bsd/dev/random/randomdev.h
+bsd/i386/_limits.h
+bsd/i386/_mcontext.h
+bsd/i386/_param.h
+bsd/i386/_types.h
+bsd/i386/endian.h
+bsd/i386/limits.h
+bsd/i386/param.h
+bsd/i386/profile.h
+bsd/i386/signal.h
+bsd/i386/types.h
+bsd/i386/vmparam.h
+bsd/libkern/libkern.h
+bsd/machine/_limits.h
+bsd/machine/_mcontext.h
+bsd/machine/_param.h
+bsd/machine/_types.h
+bsd/machine/byte_order.h
+bsd/machine/disklabel.h
+bsd/machine/endian.h
+bsd/machine/limits.h
+bsd/machine/param.h
+bsd/machine/profile.h
+bsd/machine/signal.h
+bsd/machine/spl.h
+bsd/machine/types.h
+bsd/machine/vmparam.h
+bsd/miscfs/devfs/devfs.h
+bsd/miscfs/devfs/devfs_proto.h
+bsd/miscfs/devfs/devfsdefs.h
+bsd/miscfs/devfs/fdesc.h
+bsd/miscfs/fifofs/fifo.h
+bsd/miscfs/specfs/specdev.h
+bsd/miscfs/union/union.h
+bsd/net/bpf.h
+bsd/net/dlil.h
+bsd/net/ethernet.h
+bsd/net/if.h
+bsd/net/if_arp.h
+bsd/net/if_dl.h
+bsd/net/if_ether.h
+bsd/net/if_llc.h
+bsd/net/if_media.h
+bsd/net/if_mib.h
+bsd/net/if_types.h
+bsd/net/if_utun.h
+bsd/net/if_var.h
+bsd/net/init.h
+bsd/net/kext_net.h
+bsd/net/kpi_interface.h
+bsd/net/kpi_interfacefilter.h
+bsd/net/kpi_protocol.h
+bsd/net/ndrv.h
+bsd/net/net_kev.h
+bsd/net/pfkeyv2.h
+bsd/net/radix.h
+bsd/net/route.h
+bsd/netinet/bootp.h
+bsd/netinet/icmp6.h
+bsd/netinet/icmp_var.h
+bsd/netinet/if_ether.h
+bsd/netinet/igmp.h
+bsd/netinet/igmp_var.h
+bsd/netinet/in.h
+bsd/netinet/in_arp.h
+bsd/netinet/in_pcb.h
+bsd/netinet/in_systm.h
+bsd/netinet/in_var.h
+bsd/netinet/ip.h
+bsd/netinet/ip6.h
+bsd/netinet/ip_icmp.h
+bsd/netinet/ip_var.h
+bsd/netinet/kpi_ipfilter.h
+bsd/netinet/tcp.h
+bsd/netinet/tcp_fsm.h
+bsd/netinet/tcp_seq.h
+bsd/netinet/tcp_timer.h
+bsd/netinet/tcp_var.h
+bsd/netinet/tcpip.h
+bsd/netinet/udp.h
+bsd/netinet/udp_var.h
+bsd/netinet6/ah.h
+bsd/netinet6/esp.h
+bsd/netinet6/in6.h
+bsd/netinet6/in6_var.h
+bsd/netinet6/ipcomp.h
+bsd/netinet6/ipsec.h
+bsd/netinet6/nd6.h
+bsd/netinet6/raw_ip6.h
+bsd/netinet6/scope6_var.h
+bsd/netkey/keysock.h
+bsd/security/audit/audit.h
+bsd/security/audit/audit_bsd.h
+bsd/security/audit/audit_ioctl.h
+bsd/security/audit/audit_private.h
+bsd/sys/_endian.h
+bsd/sys/_select.h
+bsd/sys/_structs.h
+bsd/sys/_types.h
+bsd/sys/_types/_blkcnt_t.h
+bsd/sys/_types/_blksize_t.h
+bsd/sys/_types/_clock_t.h
+bsd/sys/_types/_ct_rune_t.h
+bsd/sys/_types/_dev_t.h
+bsd/sys/_types/_errno_t.h
+bsd/sys/_types/_fd_clr.h
+bsd/sys/_types/_fd_copy.h
+bsd/sys/_types/_fd_def.h
+bsd/sys/_types/_fd_isset.h
+bsd/sys/_types/_fd_set.h
+bsd/sys/_types/_fd_setsize.h
+bsd/sys/_types/_fd_zero.h
+bsd/sys/_types/_filesec_t.h
+bsd/sys/_types/_fsblkcnt_t.h
+bsd/sys/_types/_fsfilcnt_t.h
+bsd/sys/_types/_fsid_t.h
+bsd/sys/_types/_fsobj_id_t.h
+bsd/sys/_types/_gid_t.h
+bsd/sys/_types/_guid_t.h
+bsd/sys/_types/_id_t.h
+bsd/sys/_types/_in_addr_t.h
+bsd/sys/_types/_in_port_t.h
+bsd/sys/_types/_ino64_t.h
+bsd/sys/_types/_ino_t.h
+bsd/sys/_types/_int16_t.h
+bsd/sys/_types/_int32_t.h
+bsd/sys/_types/_int64_t.h
+bsd/sys/_types/_int8_t.h
+bsd/sys/_types/_intptr_t.h
+bsd/sys/_types/_iovec_t.h
+bsd/sys/_types/_key_t.h
+bsd/sys/_types/_mach_port_t.h
+bsd/sys/_types/_mbstate_t.h
+bsd/sys/_types/_mode_t.h
+bsd/sys/_types/_nlink_t.h
+bsd/sys/_types/_null.h
+bsd/sys/_types/_o_dsync.h
+bsd/sys/_types/_o_sync.h
+bsd/sys/_types/_off_t.h
+bsd/sys/_types/_offsetof.h
+bsd/sys/_types/_os_inline.h
+bsd/sys/_types/_pid_t.h
+bsd/sys/_types/_posix_vdisable.h
+bsd/sys/_types/_ptrdiff_t.h
+bsd/sys/_types/_rsize_t.h
+bsd/sys/_types/_rune_t.h
+bsd/sys/_types/_s_ifmt.h
+bsd/sys/_types/_sa_family_t.h
+bsd/sys/_types/_seek_set.h
+bsd/sys/_types/_sigaltstack.h
+bsd/sys/_types/_sigset_t.h
+bsd/sys/_types/_size_t.h
+bsd/sys/_types/_socklen_t.h
+bsd/sys/_types/_ssize_t.h
+bsd/sys/_types/_suseconds_t.h
+bsd/sys/_types/_time_t.h
+bsd/sys/_types/_timespec.h
+bsd/sys/_types/_timeval.h
+bsd/sys/_types/_timeval32.h
+bsd/sys/_types/_timeval64.h
+bsd/sys/_types/_u_int16_t.h
+bsd/sys/_types/_u_int32_t.h
+bsd/sys/_types/_u_int64_t.h
+bsd/sys/_types/_u_int8_t.h
+bsd/sys/_types/_ucontext.h
+bsd/sys/_types/_ucontext64.h
+bsd/sys/_types/_uid_t.h
+bsd/sys/_types/_uintptr_t.h
+bsd/sys/_types/_useconds_t.h
+bsd/sys/_types/_user32_itimerval.h
+bsd/sys/_types/_user32_timespec.h
+bsd/sys/_types/_user32_timeval.h
+bsd/sys/_types/_user64_itimerval.h
+bsd/sys/_types/_user64_timespec.h
+bsd/sys/_types/_user64_timeval.h
+bsd/sys/_types/_user_timespec.h
+bsd/sys/_types/_user_timeval.h
+bsd/sys/_types/_uuid_t.h
+bsd/sys/_types/_va_list.h
+bsd/sys/_types/_wchar_t.h
+bsd/sys/_types/_wint_t.h
+bsd/sys/appleapiopts.h
+bsd/sys/attr.h
+bsd/sys/bsdtask_info.h
+bsd/sys/buf.h
+bsd/sys/cdefs.h
+bsd/sys/codesign.h
+bsd/sys/conf.h
+bsd/sys/content_protection.h
+bsd/sys/cprotect.h
+bsd/sys/csr.h
+bsd/sys/decmpfs.h
+bsd/sys/dir.h
+bsd/sys/dirent.h
+bsd/sys/disk.h
+bsd/sys/disklabel.h
+bsd/sys/disktab.h
+bsd/sys/dkstat.h
+bsd/sys/doc_tombstone.h
+bsd/sys/domain.h
+bsd/sys/errno.h
+bsd/sys/ev.h
+bsd/sys/event.h
+bsd/sys/eventvar.h
+bsd/sys/fbt.h
+bsd/sys/fcntl.h
+bsd/sys/file.h
+bsd/sys/file_internal.h
+bsd/sys/filedesc.h
+bsd/sys/fileport.h
+bsd/sys/filio.h
+bsd/sys/fsctl.h
+bsd/sys/fsevents.h
+bsd/sys/fslog.h
+bsd/sys/guarded.h
+bsd/sys/imgact.h
+bsd/sys/ioccom.h
+bsd/sys/ioctl.h
+bsd/sys/ioctl_compat.h
+bsd/sys/ipc.h
+bsd/sys/kasl.h
+bsd/sys/kauth.h
+bsd/sys/kdebug.h
+bsd/sys/kdebugevents.h
+bsd/sys/kern_control.h
+bsd/sys/kern_event.h
+bsd/sys/kern_memorystatus.h
+bsd/sys/kernel.h
+bsd/sys/kernel_types.h
+bsd/sys/kpi_mbuf.h
+bsd/sys/kpi_private.h
+bsd/sys/kpi_socket.h
+bsd/sys/kpi_socketfilter.h
+bsd/sys/ktrace.h
+bsd/sys/linker_set.h
+bsd/sys/lock.h
+bsd/sys/lockf.h
+bsd/sys/mach_swapon.h
+bsd/sys/malloc.h
+bsd/sys/mbuf.h
+bsd/sys/md5.h
+bsd/sys/memory_maintenance.h
+bsd/sys/mman.h
+bsd/sys/mount.h
+bsd/sys/mount_internal.h
+bsd/sys/msg.h
+bsd/sys/msgbuf.h
+bsd/sys/munge.h
+bsd/sys/namei.h
+bsd/sys/netport.h
+bsd/sys/param.h
+bsd/sys/paths.h
+bsd/sys/persona.h
+bsd/sys/pgo.h
+bsd/sys/pipe.h
+bsd/sys/posix_sem.h
+bsd/sys/posix_shm.h
+bsd/sys/priv.h
+bsd/sys/proc.h
+bsd/sys/proc_info.h
+bsd/sys/proc_internal.h
+bsd/sys/protosw.h
+bsd/sys/pthread_internal.h
+bsd/sys/pthread_shims.h
+bsd/sys/queue.h
+bsd/sys/quota.h
+bsd/sys/random.h
+bsd/sys/reason.h
+bsd/sys/resource.h
+bsd/sys/resourcevar.h
+bsd/sys/sbuf.h
+bsd/sys/select.h
+bsd/sys/sem.h
+bsd/sys/sem_internal.h
+bsd/sys/semaphore.h
+bsd/sys/shm.h
+bsd/sys/shm_internal.h
+bsd/sys/signal.h
+bsd/sys/signalvar.h
+bsd/sys/socket.h
+bsd/sys/socketvar.h
+bsd/sys/sockio.h
+bsd/sys/spawn.h
+bsd/sys/spawn_internal.h
+bsd/sys/stackshot.h
+bsd/sys/stat.h
+bsd/sys/stdio.h
+bsd/sys/sys_domain.h
+bsd/sys/syscall.h
+bsd/sys/sysctl.h
+bsd/sys/syslimits.h
+bsd/sys/syslog.h
+bsd/sys/sysproto.h
+bsd/sys/systm.h
+bsd/sys/termios.h
+bsd/sys/time.h
+bsd/sys/tree.h
+bsd/sys/tty.h
+bsd/sys/ttychars.h
+bsd/sys/ttycom.h
+bsd/sys/ttydefaults.h
+bsd/sys/ttydev.h
+bsd/sys/types.h
+bsd/sys/ubc.h
+bsd/sys/ucontext.h
+bsd/sys/ucred.h
+bsd/sys/uio.h
+bsd/sys/uio_internal.h
+bsd/sys/ulock.h
+bsd/sys/un.h
+bsd/sys/unistd.h
+bsd/sys/unpcb.h
+bsd/sys/user.h
+bsd/sys/utfconv.h
+bsd/sys/vfs_context.h
+bsd/sys/vm.h
+bsd/sys/vmmeter.h
+bsd/sys/vmparam.h
+bsd/sys/vnode.h
+bsd/sys/vnode_if.h
+bsd/sys/vnode_internal.h
+bsd/sys/wait.h
+bsd/sys/xattr.h
+bsd/uuid/uuid.h
+bsd/vfs/vfs_support.h
+bsd/vm/vnode_pager.h
+bsm/audit.h
+bsm/audit_domain.h
+bsm/audit_errno.h
+bsm/audit_fcntl.h
+bsm/audit_internal.h
+bsm/audit_kevents.h
+bsm/audit_record.h
+bsm/audit_socket_type.h
+checkint.h
+complex.h
+configuration_profile.h
+copyfile.h
+corecrypto/cc.h
+corecrypto/cc_config.h
+corecrypto/cc_debug.h
+corecrypto/cc_macros.h
+corecrypto/cc_priv.h
+corecrypto/ccaes.h
+corecrypto/ccasn1.h
+corecrypto/cccmac.h
+corecrypto/ccder.h
+corecrypto/ccdes.h
+corecrypto/ccdigest.h
+corecrypto/ccdigest_priv.h
+corecrypto/ccdrbg.h
+corecrypto/ccdrbg_impl.h
+corecrypto/cchmac.h
+corecrypto/ccmd5.h
+corecrypto/ccmode.h
+corecrypto/ccmode_factory.h
+corecrypto/ccmode_impl.h
+corecrypto/ccmode_siv.h
+corecrypto/ccn.h
+corecrypto/ccpad.h
+corecrypto/ccpbkdf2.h
+corecrypto/ccrc4.h
+corecrypto/ccrng.h
+corecrypto/ccrng_system.h
+corecrypto/ccrsa.h
+corecrypto/ccsha1.h
+corecrypto/ccsha2.h
+corecrypto/cczp.h
+corpses/task_corpse.h
+cpio.h
+crt_externs.h
+ctype.h
+curses.h
+cursesapp.h
+cursesf.h
+cursesm.h
+cursesp.h
+cursesw.h
+cursslk.h
+db.h
+default_pager/default_pager_types.h
+device/device.defs
+device/device_port.h
+device/device_types.defs
+device/device_types.h
+dirent.h
+disktab.h
+dispatch/base.h
+dispatch/benchmark.h
+dispatch/block.h
+dispatch/data.h
+dispatch/data_private.h
+dispatch/dispatch.h
+dispatch/group.h
+dispatch/introspection.h
+dispatch/introspection_private.h
+dispatch/io.h
+dispatch/io_private.h
+dispatch/layout_private.h
+dispatch/mach_private.h
+dispatch/object.h
+dispatch/once.h
+dispatch/private.h
+dispatch/queue.h
+dispatch/queue_private.h
+dispatch/semaphore.h
+dispatch/source.h
+dispatch/source_private.h
+dispatch/time.h
+dlfcn.h
+dns.h
+dns_sd.h
+dns_util.h
+err.h
+errno.h
+eti.h
+etip.h
+execinfo.h
+fcntl.h
+fenv.h
+fmtmsg.h
+fnmatch.h
+form.h
+fsproperties.h
+fstab.h
+fts.h
+ftw.h
+get_compat.h
+gethostuuid.h
+gethostuuid_private.h
+getopt.h
+glob.h
+grp.h
+hfs/BTreeScanner.h
+hfs/BTreesInternal.h
+hfs/BTreesPrivate.h
+hfs/CatalogPrivate.h
+hfs/FileMgrInternal.h
+hfs/HFSUnicodeWrappers.h
+hfs/UCStringCompareData.h
+hfs/hfs.h
+hfs/hfs_alloc_trace.h
+hfs/hfs_attrlist.h
+hfs/hfs_btreeio.h
+hfs/hfs_catalog.h
+hfs/hfs_cnode.h
+hfs/hfs_cprotect.h
+hfs/hfs_dbg.h
+hfs/hfs_endian.h
+hfs/hfs_extents.h
+hfs/hfs_format.h
+hfs/hfs_fsctl.h
+hfs/hfs_hotfiles.h
+hfs/hfs_iokit.h
+hfs/hfs_journal.h
+hfs/hfs_kdebug.h
+hfs/hfs_key_roll.h
+hfs/hfs_macos_defs.h
+hfs/hfs_mount.h
+hfs/hfs_quota.h
+hfs/hfs_unistr.h
+hfs/kext-config.h
+hfs/rangelist.h
+i386/_limits.h
+i386/_mcontext.h
+i386/_param.h
+i386/_types.h
+i386/eflags.h
+i386/endian.h
+i386/fasttrap_isa.h
+i386/limits.h
+i386/param.h
+i386/profile.h
+i386/signal.h
+i386/types.h
+i386/user_ldt.h
+i386/vmparam.h
+ifaddrs.h
+ils.h
+inttypes.h
+iokit/IOKit/AppleKeyStoreInterface.h
+iokit/IOKit/IOBSD.h
+iokit/IOKit/IOBufferMemoryDescriptor.h
+iokit/IOKit/IOCPU.h
+iokit/IOKit/IOCatalogue.h
+iokit/IOKit/IOCommand.h
+iokit/IOKit/IOCommandGate.h
+iokit/IOKit/IOCommandPool.h
+iokit/IOKit/IOCommandQueue.h
+iokit/IOKit/IOConditionLock.h
+iokit/IOKit/IODMACommand.h
+iokit/IOKit/IODMAController.h
+iokit/IOKit/IODMAEventSource.h
+iokit/IOKit/IODataQueue.h
+iokit/IOKit/IODataQueueShared.h
+iokit/IOKit/IODeviceMemory.h
+iokit/IOKit/IODeviceTreeSupport.h
+iokit/IOKit/IOEventSource.h
+iokit/IOKit/IOFilterInterruptEventSource.h
+iokit/IOKit/IOHibernatePrivate.h
+iokit/IOKit/IOInterleavedMemoryDescriptor.h
+iokit/IOKit/IOInterruptAccounting.h
+iokit/IOKit/IOInterruptController.h
+iokit/IOKit/IOInterruptEventSource.h
+iokit/IOKit/IOInterrupts.h
+iokit/IOKit/IOKernelReportStructs.h
+iokit/IOKit/IOKernelReporters.h
+iokit/IOKit/IOKitDebug.h
+iokit/IOKit/IOKitDiagnosticsUserClient.h
+iokit/IOKit/IOKitKeys.h
+iokit/IOKit/IOKitKeysPrivate.h
+iokit/IOKit/IOKitServer.h
+iokit/IOKit/IOLib.h
+iokit/IOKit/IOLocks.h
+iokit/IOKit/IOLocksPrivate.h
+iokit/IOKit/IOMapper.h
+iokit/IOKit/IOMemoryCursor.h
+iokit/IOKit/IOMemoryDescriptor.h
+iokit/IOKit/IOMessage.h
+iokit/IOKit/IOMultiMemoryDescriptor.h
+iokit/IOKit/IONVRAM.h
+iokit/IOKit/IONotifier.h
+iokit/IOKit/IOPlatformExpert.h
+iokit/IOKit/IOPolledInterface.h
+iokit/IOKit/IORangeAllocator.h
+iokit/IOKit/IORegistryEntry.h
+iokit/IOKit/IOReportMacros.h
+iokit/IOKit/IOReportTypes.h
+iokit/IOKit/IOReturn.h
+iokit/IOKit/IOService.h
+iokit/IOKit/IOServicePM.h
+iokit/IOKit/IOSharedDataQueue.h
+iokit/IOKit/IOSharedLock.h
+iokit/IOKit/IOStatistics.h
+iokit/IOKit/IOStatisticsPrivate.h
+iokit/IOKit/IOSubMemoryDescriptor.h
+iokit/IOKit/IOSyncer.h
+iokit/IOKit/IOTimeStamp.h
+iokit/IOKit/IOTimerEventSource.h
+iokit/IOKit/IOTypes.h
+iokit/IOKit/IOUserClient.h
+iokit/IOKit/IOWorkLoop.h
+iokit/IOKit/OSMessageNotification.h
+iokit/IOKit/assert.h
+iokit/IOKit/nvram/IONVRAMController.h
+iokit/IOKit/platform/AppleMacIO.h
+iokit/IOKit/platform/AppleMacIODevice.h
+iokit/IOKit/platform/AppleNMI.h
+iokit/IOKit/platform/ApplePlatformExpert.h
+iokit/IOKit/power/IOPwrController.h
+iokit/IOKit/pwr_mgt/IOPM.h
+iokit/IOKit/pwr_mgt/IOPMLibDefs.h
+iokit/IOKit/pwr_mgt/IOPMPowerSource.h
+iokit/IOKit/pwr_mgt/IOPMPowerSourceList.h
+iokit/IOKit/pwr_mgt/IOPMpowerState.h
+iokit/IOKit/pwr_mgt/IOPowerConnection.h
+iokit/IOKit/pwr_mgt/RootDomain.h
+iokit/IOKit/rtc/IORTCController.h
+iokit/IOKit/system.h
+iokit/IOKit/system_management/IOWatchDogTimer.h
+iso646.h
+kern/exc_resource.h
+kern/kcdata.h
+kern/kern_cdata.h
+kvbuf.h
+langinfo.h
+launch.h
+launch_internal.h
+launch_priv.h
+libc.h
+libc_private.h
+libgen.h
+libinfo.h
+libinfo_muser.h
+libkern/OSAtomic.h
+libkern/OSAtomicDeprecated.h
+libkern/OSAtomicQueue.h
+libkern/OSByteOrder.h
+libkern/OSCacheControl.h
+libkern/OSDebug.h
+libkern/OSKextLib.h
+libkern/OSReturn.h
+libkern/OSSpinLockDeprecated.h
+libkern/OSTypes.h
+libkern/_OSByteOrder.h
+libkern/firehose/chunk_private.h
+libkern/firehose/firehose_types_private.h
+libkern/firehose/ioctl_private.h
+libkern/firehose/tracepoint_private.h
+libkern/i386/OSByteOrder.h
+libkern/i386/_OSByteOrder.h
+libkern/libkern/OSAtomic.h
+libkern/libkern/OSBase.h
+libkern/libkern/OSByteOrder.h
+libkern/libkern/OSDebug.h
+libkern/libkern/OSKextLib.h
+libkern/libkern/OSKextLibPrivate.h
+libkern/libkern/OSMalloc.h
+libkern/libkern/OSReturn.h
+libkern/libkern/OSSerializeBinary.h
+libkern/libkern/OSTypes.h
+libkern/libkern/_OSByteOrder.h
+libkern/libkern/c++/OSArray.h
+libkern/libkern/c++/OSBoolean.h
+libkern/libkern/c++/OSCPPDebug.h
+libkern/libkern/c++/OSCollection.h
+libkern/libkern/c++/OSCollectionIterator.h
+libkern/libkern/c++/OSContainers.h
+libkern/libkern/c++/OSData.h
+libkern/libkern/c++/OSDictionary.h
+libkern/libkern/c++/OSEndianTypes.h
+libkern/libkern/c++/OSIterator.h
+libkern/libkern/c++/OSKext.h
+libkern/libkern/c++/OSLib.h
+libkern/libkern/c++/OSMetaClass.h
+libkern/libkern/c++/OSNumber.h
+libkern/libkern/c++/OSObject.h
+libkern/libkern/c++/OSOrderedSet.h
+libkern/libkern/c++/OSSerialize.h
+libkern/libkern/c++/OSSet.h
+libkern/libkern/c++/OSString.h
+libkern/libkern/c++/OSSymbol.h
+libkern/libkern/c++/OSUnserialize.h
+libkern/libkern/crypto/aes.h
+libkern/libkern/crypto/aesxts.h
+libkern/libkern/crypto/crypto_internal.h
+libkern/libkern/crypto/des.h
+libkern/libkern/crypto/md5.h
+libkern/libkern/crypto/rand.h
+libkern/libkern/crypto/register_crypto.h
+libkern/libkern/crypto/rsa.h
+libkern/libkern/crypto/sha1.h
+libkern/libkern/crypto/sha2.h
+libkern/libkern/i386/OSByteOrder.h
+libkern/libkern/i386/_OSByteOrder.h
+libkern/libkern/kernel_mach_header.h
+libkern/libkern/kext_request_keys.h
+libkern/libkern/kxld.h
+libkern/libkern/kxld_types.h
+libkern/libkern/locks.h
+libkern/libkern/machine/OSByteOrder.h
+libkern/libkern/mkext.h
+libkern/libkern/prelink.h
+libkern/libkern/section_keywords.h
+libkern/libkern/stack_protector.h
+libkern/libkern/sysctl.h
+libkern/libkern/tree.h
+libkern/libkern/version.h
+libkern/libkern/zconf.h
+libkern/libkern/zlib.h
+libkern/machine/OSByteOrder.h
+libkern/os/base.h
+libkern/os/log.h
+libkern/os/log_private.h
+libkern/os/object.h
+libkern/os/object_private.h
+libkern/os/overflow.h
+libkern/os/trace.h
+libproc.h
+libutil.h
+limits.h
+locale.h
+mach-o/arch.h
+mach-o/arm/reloc.h
+mach-o/arm64/reloc.h
+mach-o/dyld-interposing.h
+mach-o/dyld.h
+mach-o/dyld_gdb.h
+mach-o/dyld_images.h
+mach-o/dyld_priv.h
+mach-o/dyld_process_info.h
+mach-o/fat.h
+mach-o/getsect.h
+mach-o/hppa/reloc.h
+mach-o/hppa/swap.h
+mach-o/i386/swap.h
+mach-o/i860/reloc.h
+mach-o/i860/swap.h
+mach-o/ldsyms.h
+mach-o/loader.h
+mach-o/m68k/swap.h
+mach-o/m88k/reloc.h
+mach-o/m88k/swap.h
+mach-o/nlist.h
+mach-o/ppc/reloc.h
+mach-o/ppc/swap.h
+mach-o/ranlib.h
+mach-o/reloc.h
+mach-o/sparc/reloc.h
+mach-o/sparc/swap.h
+mach-o/stab.h
+mach-o/swap.h
+mach-o/x86_64/reloc.h
+mach/audit_triggers.defs
+mach/boolean.h
+mach/bootstrap.h
+mach/clock.defs
+mach/clock.h
+mach/clock_priv.defs
+mach/clock_priv.h
+mach/clock_reply.defs
+mach/clock_reply.h
+mach/clock_types.defs
+mach/clock_types.h
+mach/dyld_kernel.h
+mach/error.h
+mach/exc.defs
+mach/exc.h
+mach/exception.h
+mach/exception_types.h
+mach/host_info.h
+mach/host_notify.h
+mach/host_notify_reply.defs
+mach/host_priv.defs
+mach/host_priv.h
+mach/host_reboot.h
+mach/host_security.defs
+mach/host_security.h
+mach/host_special_ports.h
+mach/i386/_structs.h
+mach/i386/asm.h
+mach/i386/boolean.h
+mach/i386/exception.h
+mach/i386/fp_reg.h
+mach/i386/kern_return.h
+mach/i386/ndr_def.h
+mach/i386/processor_info.h
+mach/i386/rpc.h
+mach/i386/sdt_isa.h
+mach/i386/thread_state.h
+mach/i386/thread_status.h
+mach/i386/vm_param.h
+mach/i386/vm_types.h
+mach/kern_return.h
+mach/kmod.h
+mach/lock_set.defs
+mach/lock_set.h
+mach/mach.h
+mach/mach_error.h
+mach/mach_exc.defs
+mach/mach_host.defs
+mach/mach_host.h
+mach/mach_init.h
+mach/mach_interface.h
+mach/mach_param.h
+mach/mach_port.defs
+mach/mach_port.h
+mach/mach_port_internal.h
+mach/mach_syscalls.h
+mach/mach_time.h
+mach/mach_traps.h
+mach/mach_types.defs
+mach/mach_types.h
+mach/mach_vm.defs
+mach/mach_vm.h
+mach/mach_vm_internal.h
+mach/mach_voucher.defs
+mach/mach_voucher.h
+mach/mach_voucher_attr_control.defs
+mach/mach_voucher_types.h
+mach/machine.h
+mach/machine/asm.h
+mach/machine/boolean.h
+mach/machine/exception.h
+mach/machine/kern_return.h
+mach/machine/machine_types.defs
+mach/machine/ndr_def.h
+mach/machine/processor_info.h
+mach/machine/rpc.h
+mach/machine/sdt.h
+mach/machine/sdt_isa.h
+mach/machine/thread_state.h
+mach/machine/thread_status.h
+mach/machine/vm_param.h
+mach/machine/vm_types.h
+mach/memory_object_types.h
+mach/message.h
+mach/mig.h
+mach/mig_errors.h
+mach/mig_strncpy_zerofill_support.h
+mach/mig_voucher_support.h
+mach/ndr.h
+mach/notify.defs
+mach/notify.h
+mach/policy.h
+mach/port.h
+mach/port_obj.h
+mach/processor.defs
+mach/processor.h
+mach/processor_info.h
+mach/processor_set.defs
+mach/processor_set.h
+mach/rpc.h
+mach/sdt.h
+mach/semaphore.h
+mach/shared_memory_server.h
+mach/shared_region.h
+mach/std_types.defs
+mach/std_types.h
+mach/sync.h
+mach/sync_policy.h
+mach/task.defs
+mach/task.h
+mach/task_access.defs
+mach/task_info.h
+mach/task_policy.h
+mach/task_special_ports.h
+mach/telemetry_notification.defs
+mach/thread_act.defs
+mach/thread_act.h
+mach/thread_act_internal.h
+mach/thread_info.h
+mach/thread_policy.h
+mach/thread_special_ports.h
+mach/thread_state.h
+mach/thread_status.h
+mach/thread_switch.h
+mach/time_value.h
+mach/vm_attributes.h
+mach/vm_behavior.h
+mach/vm_inherit.h
+mach/vm_map.defs
+mach/vm_map.h
+mach/vm_map_internal.h
+mach/vm_page_size.h
+mach/vm_param.h
+mach/vm_prot.h
+mach/vm_purgable.h
+mach/vm_region.h
+mach/vm_statistics.h
+mach/vm_sync.h
+mach/vm_task.h
+mach/vm_types.h
+mach_debug/hash_info.h
+mach_debug/ipc_info.h
+mach_debug/lockgroup_info.h
+mach_debug/mach_debug.h
+mach_debug/mach_debug_types.defs
+mach_debug/mach_debug_types.h
+mach_debug/page_info.h
+mach_debug/vm_info.h
+mach_debug/zone_info.h
+machine/_limits.h
+machine/_mcontext.h
+machine/_param.h
+machine/_types.h
+machine/byte_order.h
+machine/endian.h
+machine/fasttrap_isa.h
+machine/limits.h
+machine/param.h
+machine/profile.h
+machine/signal.h
+machine/types.h
+machine/vmparam.h
+malloc/malloc.h
+math.h
+membership.h
+membershipPriv.h
+memory.h
+menu.h
+miscfs/devfs/devfs.h
+miscfs/specfs/specdev.h
+miscfs/union/union.h
+mntopts.h
+monetary.h
+monitor.h
+mpool.h
+msgcat.h
+nameser.h
+nc_tparm.h
+ncurses.h
+ncurses_dll.h
+ndbm.h
+net/bpf.h
+net/dlil.h
+net/ethernet.h
+net/if.h
+net/if_arp.h
+net/if_dl.h
+net/if_llc.h
+net/if_media.h
+net/if_mib.h
+net/if_types.h
+net/if_utun.h
+net/if_var.h
+net/kext_net.h
+net/ndrv.h
+net/net_kev.h
+net/pfkeyv2.h
+net/route.h
+netdb.h
+netdb_async.h
+netinet/bootp.h
+netinet/icmp6.h
+netinet/icmp_var.h
+netinet/if_ether.h
+netinet/igmp.h
+netinet/igmp_var.h
+netinet/in.h
+netinet/in_pcb.h
+netinet/in_systm.h
+netinet/in_var.h
+netinet/ip.h
+netinet/ip6.h
+netinet/ip_icmp.h
+netinet/ip_var.h
+netinet/tcp.h
+netinet/tcp_fsm.h
+netinet/tcp_seq.h
+netinet/tcp_timer.h
+netinet/tcp_var.h
+netinet/tcpip.h
+netinet/udp.h
+netinet/udp_var.h
+netinet6/ah.h
+netinet6/esp.h
+netinet6/in6.h
+netinet6/in6_var.h
+netinet6/ipcomp.h
+netinet6/ipsec.h
+netinet6/nd6.h
+netinet6/raw_ip6.h
+netinet6/scope6_var.h
+netkey/keysock.h
+nfs/krpc.h
+nfs/nfs.h
+nfs/nfs_gss.h
+nfs/nfs_ioctl.h
+nfs/nfs_lock.h
+nfs/nfsdiskless.h
+nfs/nfsm_subs.h
+nfs/nfsmount.h
+nfs/nfsnode.h
+nfs/nfsproto.h
+nfs/nfsrvcache.h
+nfs/rpcv2.h
+nfs/xdr_subs.h
+nl_types.h
+nlist.h
+notify.h
+notify_keys.h
+ntsid.h
+objc-shared-cache.h
+os/activity.h
+os/alloc_once_impl.h
+os/assumes.h
+os/availability.h
+os/base.h
+os/base_private.h
+os/debug_private.h
+os/internal/atomic.h
+os/internal/crashlog.h
+os/internal/internal_shared.h
+os/lock.h
+os/lock_private.h
+os/log.h
+os/object.h
+os/object_private.h
+os/once_private.h
+os/overflow.h
+os/semaphore_private.h
+os/trace.h
+os/tsd.h
+os/voucher_activity_private.h
+os/voucher_private.h
+osfmk/UserNotification/KUNCUserNotifications.h
+osfmk/UserNotification/UNDReply.defs
+osfmk/UserNotification/UNDRequest.defs
+osfmk/UserNotification/UNDTypes.defs
+osfmk/UserNotification/UNDTypes.h
+osfmk/atm/atm_internal.h
+osfmk/atm/atm_notification.defs
+osfmk/atm/atm_types.defs
+osfmk/atm/atm_types.h
+osfmk/bank/bank_types.h
+osfmk/console/video_console.h
+osfmk/corpses/task_corpse.h
+osfmk/default_pager/default_pager_types.h
+osfmk/device/device.defs
+osfmk/device/device_port.h
+osfmk/device/device_types.defs
+osfmk/device/device_types.h
+osfmk/gssd/gssd_mach.defs
+osfmk/gssd/gssd_mach.h
+osfmk/gssd/gssd_mach_types.h
+osfmk/i386/apic.h
+osfmk/i386/asm.h
+osfmk/i386/atomic.h
+osfmk/i386/bit_routines.h
+osfmk/i386/cpu_capabilities.h
+osfmk/i386/cpu_data.h
+osfmk/i386/cpu_number.h
+osfmk/i386/cpu_topology.h
+osfmk/i386/cpuid.h
+osfmk/i386/eflags.h
+osfmk/i386/io_map_entries.h
+osfmk/i386/lapic.h
+osfmk/i386/lock.h
+osfmk/i386/locks.h
+osfmk/i386/machine_cpu.h
+osfmk/i386/machine_routines.h
+osfmk/i386/mp.h
+osfmk/i386/mp_desc.h
+osfmk/i386/mp_events.h
+osfmk/i386/mtrr.h
+osfmk/i386/pal_hibernate.h
+osfmk/i386/pal_native.h
+osfmk/i386/pal_routines.h
+osfmk/i386/panic_hooks.h
+osfmk/i386/pmCPU.h
+osfmk/i386/pmap.h
+osfmk/i386/proc_reg.h
+osfmk/i386/rtclock_protos.h
+osfmk/i386/seg.h
+osfmk/i386/simple_lock.h
+osfmk/i386/smp.h
+osfmk/i386/tsc.h
+osfmk/i386/tss.h
+osfmk/i386/ucode.h
+osfmk/i386/vmx.h
+osfmk/ipc/ipc_types.h
+osfmk/kdp/kdp_callout.h
+osfmk/kdp/kdp_dyld.h
+osfmk/kdp/kdp_en_debugger.h
+osfmk/kern/affinity.h
+osfmk/kern/assert.h
+osfmk/kern/audit_sessionport.h
+osfmk/kern/backtrace.h
+osfmk/kern/bits.h
+osfmk/kern/block_hint.h
+osfmk/kern/call_entry.h
+osfmk/kern/clock.h
+osfmk/kern/coalition.h
+osfmk/kern/cpu_data.h
+osfmk/kern/cpu_number.h
+osfmk/kern/debug.h
+osfmk/kern/ecc.h
+osfmk/kern/energy_perf.h
+osfmk/kern/exc_resource.h
+osfmk/kern/extmod_statistics.h
+osfmk/kern/host.h
+osfmk/kern/hv_support.h
+osfmk/kern/ipc_mig.h
+osfmk/kern/ipc_misc.h
+osfmk/kern/kalloc.h
+osfmk/kern/kcdata.h
+osfmk/kern/kern_cdata.h
+osfmk/kern/kern_types.h
+osfmk/kern/kext_alloc.h
+osfmk/kern/kpc.h
+osfmk/kern/ledger.h
+osfmk/kern/lock.h
+osfmk/kern/locks.h
+osfmk/kern/mach_param.h
+osfmk/kern/macro_help.h
+osfmk/kern/page_decrypt.h
+osfmk/kern/pms.h
+osfmk/kern/policy_internal.h
+osfmk/kern/processor.h
+osfmk/kern/queue.h
+osfmk/kern/sched_prim.h
+osfmk/kern/sfi.h
+osfmk/kern/simple_lock.h
+osfmk/kern/startup.h
+osfmk/kern/task.h
+osfmk/kern/telemetry.h
+osfmk/kern/thread.h
+osfmk/kern/thread_call.h
+osfmk/kern/timer_call.h
+osfmk/kern/waitq.h
+osfmk/kern/zalloc.h
+osfmk/kextd/kextd_mach.defs
+osfmk/kextd/kextd_mach.h
+osfmk/kperf/action.h
+osfmk/kperf/context.h
+osfmk/kperf/kdebug_trigger.h
+osfmk/kperf/kperf.h
+osfmk/kperf/kperf_timer.h
+osfmk/kperf/kperfbsd.h
+osfmk/kperf/pet.h
+osfmk/lockd/lockd_mach.defs
+osfmk/lockd/lockd_mach.h
+osfmk/lockd/lockd_mach_types.h
+osfmk/mach/audit_triggers.defs
+osfmk/mach/audit_triggers_server.h
+osfmk/mach/boolean.h
+osfmk/mach/branch_predicates.h
+osfmk/mach/clock.defs
+osfmk/mach/clock.h
+osfmk/mach/clock_priv.defs
+osfmk/mach/clock_priv.h
+osfmk/mach/clock_reply.defs
+osfmk/mach/clock_reply_server.h
+osfmk/mach/clock_types.defs
+osfmk/mach/clock_types.h
+osfmk/mach/coalition.h
+osfmk/mach/coalition_notification_server.h
+osfmk/mach/dyld_kernel.h
+osfmk/mach/error.h
+osfmk/mach/exc.defs
+osfmk/mach/exc_server.h
+osfmk/mach/exception.h
+osfmk/mach/exception_types.h
+osfmk/mach/host_info.h
+osfmk/mach/host_notify.h
+osfmk/mach/host_notify_reply.defs
+osfmk/mach/host_priv.defs
+osfmk/mach/host_priv.h
+osfmk/mach/host_reboot.h
+osfmk/mach/host_security.defs
+osfmk/mach/host_security.h
+osfmk/mach/host_special_ports.h
+osfmk/mach/i386/_structs.h
+osfmk/mach/i386/asm.h
+osfmk/mach/i386/boolean.h
+osfmk/mach/i386/exception.h
+osfmk/mach/i386/fp_reg.h
+osfmk/mach/i386/kern_return.h
+osfmk/mach/i386/ndr_def.h
+osfmk/mach/i386/processor_info.h
+osfmk/mach/i386/rpc.h
+osfmk/mach/i386/sdt_isa.h
+osfmk/mach/i386/syscall_sw.h
+osfmk/mach/i386/thread_state.h
+osfmk/mach/i386/thread_status.h
+osfmk/mach/i386/vm_param.h
+osfmk/mach/i386/vm_types.h
+osfmk/mach/kern_return.h
+osfmk/mach/kmod.h
+osfmk/mach/ktrace_background.h
+osfmk/mach/lock_set.defs
+osfmk/mach/lock_set.h
+osfmk/mach/mach_exc.defs
+osfmk/mach/mach_exc_server.h
+osfmk/mach/mach_host.defs
+osfmk/mach/mach_host.h
+osfmk/mach/mach_interface.h
+osfmk/mach/mach_param.h
+osfmk/mach/mach_port.defs
+osfmk/mach/mach_port.h
+osfmk/mach/mach_syscalls.h
+osfmk/mach/mach_time.h
+osfmk/mach/mach_traps.h
+osfmk/mach/mach_types.defs
+osfmk/mach/mach_types.h
+osfmk/mach/mach_vm.defs
+osfmk/mach/mach_vm.h
+osfmk/mach/mach_voucher.defs
+osfmk/mach/mach_voucher.h
+osfmk/mach/mach_voucher_attr_control.defs
+osfmk/mach/mach_voucher_attr_control.h
+osfmk/mach/mach_voucher_types.h
+osfmk/mach/machine.h
+osfmk/mach/machine/asm.h
+osfmk/mach/machine/boolean.h
+osfmk/mach/machine/exception.h
+osfmk/mach/machine/kern_return.h
+osfmk/mach/machine/machine_types.defs
+osfmk/mach/machine/ndr_def.h
+osfmk/mach/machine/processor_info.h
+osfmk/mach/machine/rpc.h
+osfmk/mach/machine/sdt.h
+osfmk/mach/machine/sdt_isa.h
+osfmk/mach/machine/syscall_sw.h
+osfmk/mach/machine/thread_state.h
+osfmk/mach/machine/thread_status.h
+osfmk/mach/machine/vm_param.h
+osfmk/mach/machine/vm_types.h
+osfmk/mach/memory_object_control.h
+osfmk/mach/memory_object_default_server.h
+osfmk/mach/memory_object_types.h
+osfmk/mach/message.h
+osfmk/mach/mig.h
+osfmk/mach/mig_errors.h
+osfmk/mach/mig_strncpy_zerofill_support.h
+osfmk/mach/mig_voucher_support.h
+osfmk/mach/ndr.h
+osfmk/mach/notify.defs
+osfmk/mach/notify.h
+osfmk/mach/notify_server.h
+osfmk/mach/policy.h
+osfmk/mach/port.h
+osfmk/mach/processor.defs
+osfmk/mach/processor.h
+osfmk/mach/processor_info.h
+osfmk/mach/processor_set.defs
+osfmk/mach/processor_set.h
+osfmk/mach/resource_monitors.h
+osfmk/mach/rpc.h
+osfmk/mach/sdt.h
+osfmk/mach/semaphore.h
+osfmk/mach/sfi_class.h
+osfmk/mach/shared_memory_server.h
+osfmk/mach/shared_region.h
+osfmk/mach/std_types.defs
+osfmk/mach/std_types.h
+osfmk/mach/sync_policy.h
+osfmk/mach/syscall_sw.h
+osfmk/mach/sysdiagnose_notification_server.h
+osfmk/mach/task.defs
+osfmk/mach/task.h
+osfmk/mach/task_access.defs
+osfmk/mach/task_access.h
+osfmk/mach/task_access_server.h
+osfmk/mach/task_info.h
+osfmk/mach/task_policy.h
+osfmk/mach/task_special_ports.h
+osfmk/mach/telemetry_notification.defs
+osfmk/mach/telemetry_notification_server.h
+osfmk/mach/thread_act.defs
+osfmk/mach/thread_act.h
+osfmk/mach/thread_info.h
+osfmk/mach/thread_policy.h
+osfmk/mach/thread_special_ports.h
+osfmk/mach/thread_status.h
+osfmk/mach/thread_switch.h
+osfmk/mach/time_value.h
+osfmk/mach/upl.h
+osfmk/mach/vm_attributes.h
+osfmk/mach/vm_behavior.h
+osfmk/mach/vm_inherit.h
+osfmk/mach/vm_map.defs
+osfmk/mach/vm_map.h
+osfmk/mach/vm_param.h
+osfmk/mach/vm_prot.h
+osfmk/mach/vm_purgable.h
+osfmk/mach/vm_region.h
+osfmk/mach/vm_statistics.h
+osfmk/mach/vm_sync.h
+osfmk/mach/vm_types.h
+osfmk/mach_debug/hash_info.h
+osfmk/mach_debug/ipc_info.h
+osfmk/mach_debug/lockgroup_info.h
+osfmk/mach_debug/mach_debug.h
+osfmk/mach_debug/mach_debug_types.defs
+osfmk/mach_debug/mach_debug_types.h
+osfmk/mach_debug/page_info.h
+osfmk/mach_debug/vm_info.h
+osfmk/mach_debug/zone_info.h
+osfmk/machine/atomic.h
+osfmk/machine/cpu_capabilities.h
+osfmk/machine/cpu_number.h
+osfmk/machine/io_map_entries.h
+osfmk/machine/lock.h
+osfmk/machine/locks.h
+osfmk/machine/machine_cpuid.h
+osfmk/machine/machine_kpc.h
+osfmk/machine/machine_routines.h
+osfmk/machine/pal_hibernate.h
+osfmk/machine/pal_routines.h
+osfmk/machine/simple_lock.h
+osfmk/prng/random.h
+osfmk/string.h
+osfmk/vm/WKdm_new.h
+osfmk/vm/pmap.h
+osfmk/vm/vm_compressor_algorithms.h
+osfmk/vm/vm_fault.h
+osfmk/vm/vm_kern.h
+osfmk/vm/vm_map.h
+osfmk/vm/vm_options.h
+osfmk/vm/vm_pageout.h
+osfmk/vm/vm_protos.h
+osfmk/vm/vm_shared_region.h
+osfmk/voucher/ipc_pthread_priority_types.h
+osfmk/x86_64/machine_kpc.h
+panel.h
+paths.h
+pexpert/boot.h
+pexpert/i386/boot.h
+pexpert/i386/efi.h
+pexpert/i386/protos.h
+pexpert/machine/boot.h
+pexpert/machine/protos.h
+pexpert/pexpert.h
+pexpert/pexpert/boot.h
+pexpert/pexpert/device_tree.h
+pexpert/pexpert/i386/boot.h
+pexpert/pexpert/i386/efi.h
+pexpert/pexpert/i386/protos.h
+pexpert/pexpert/machine/boot.h
+pexpert/pexpert/machine/protos.h
+pexpert/pexpert/pexpert.h
+pexpert/pexpert/protos.h
+pexpert/protos.h
+platform/compat.h
+platform/introspection_private.h
+platform/string.h
+poll.h
+printerdb.h
+printf.h
+protocols/routed.h
+protocols/rwhod.h
+protocols/talkd.h
+protocols/timed.h
+pthread.h
+pthread/introspection.h
+pthread/pthread.h
+pthread/pthread_impl.h
+pthread/pthread_spis.h
+pthread/qos.h
+pthread/sched.h
+pthread/spawn.h
+pthread_impl.h
+pthread_spis.h
+pthread_workqueue.h
+pwd.h
+ranlib.h
+readpassphrase.h
+reboot2.h
+regex.h
+removefile.h
+resolv.h
+rpc/auth.h
+rpc/auth_unix.h
+rpc/clnt.h
+rpc/pmap_clnt.h
+rpc/pmap_prot.h
+rpc/pmap_rmt.h
+rpc/rpc.h
+rpc/rpc_msg.h
+rpc/svc.h
+rpc/svc_auth.h
+rpc/types.h
+rpc/xdr.h
+rpcsvc/yp_prot.h
+rpcsvc/ypclnt.h
+runetype.h
+sched.h
+search.h
+secure/_common.h
+secure/_stdio.h
+secure/_string.h
+security/audit/audit_ioctl.h
+security/mac.h
+security/mac_policy.h
+security/security/_label.h
+security/security/mac.h
+security/security/mac_alloc.h
+security/security/mac_data.h
+security/security/mac_framework.h
+security/security/mac_internal.h
+security/security/mac_mach_internal.h
+security/security/mac_policy.h
+semaphore.h
+servers/bootstrap.h
+servers/bootstrap_defs.h
+servers/key_defs.h
+servers/ls_defs.h
+servers/netname.h
+servers/netname_defs.h
+servers/nm_defs.h
+setjmp.h
+sgtty.h
+si_data.h
+si_module.h
+signal.h
+spawn.h
+stab.h
+standards.h
+stdarg.h
+stddef.h
+stdint.h
+stdio.h
+stdlib.h
+strhash.h
+string.h
+stringlist.h
+strings.h
+struct.h
+sys/_endian.h
+sys/_posix_availability.h
+sys/_pthread/_pthread_attr_t.h
+sys/_pthread/_pthread_cond_t.h
+sys/_pthread/_pthread_condattr_t.h
+sys/_pthread/_pthread_key_t.h
+sys/_pthread/_pthread_mutex_t.h
+sys/_pthread/_pthread_mutexattr_t.h
+sys/_pthread/_pthread_once_t.h
+sys/_pthread/_pthread_rwlock_t.h
+sys/_pthread/_pthread_rwlockattr_t.h
+sys/_pthread/_pthread_t.h
+sys/_pthread/_pthread_types.h
+sys/_select.h
+sys/_structs.h
+sys/_symbol_aliasing.h
+sys/_types.h
+sys/_types/_blkcnt_t.h
+sys/_types/_blksize_t.h
+sys/_types/_clock_t.h
+sys/_types/_ct_rune_t.h
+sys/_types/_dev_t.h
+sys/_types/_errno_t.h
+sys/_types/_fd_clr.h
+sys/_types/_fd_copy.h
+sys/_types/_fd_def.h
+sys/_types/_fd_isset.h
+sys/_types/_fd_set.h
+sys/_types/_fd_setsize.h
+sys/_types/_fd_zero.h
+sys/_types/_filesec_t.h
+sys/_types/_fsblkcnt_t.h
+sys/_types/_fsfilcnt_t.h
+sys/_types/_fsid_t.h
+sys/_types/_fsobj_id_t.h
+sys/_types/_gid_t.h
+sys/_types/_guid_t.h
+sys/_types/_id_t.h
+sys/_types/_in_addr_t.h
+sys/_types/_in_port_t.h
+sys/_types/_ino64_t.h
+sys/_types/_ino_t.h
+sys/_types/_int16_t.h
+sys/_types/_int32_t.h
+sys/_types/_int64_t.h
+sys/_types/_int8_t.h
+sys/_types/_intptr_t.h
+sys/_types/_iovec_t.h
+sys/_types/_key_t.h
+sys/_types/_mach_port_t.h
+sys/_types/_mbstate_t.h
+sys/_types/_mode_t.h
+sys/_types/_nlink_t.h
+sys/_types/_null.h
+sys/_types/_o_dsync.h
+sys/_types/_o_sync.h
+sys/_types/_off_t.h
+sys/_types/_offsetof.h
+sys/_types/_os_inline.h
+sys/_types/_pid_t.h
+sys/_types/_posix_vdisable.h
+sys/_types/_pthread_attr_t.h
+sys/_types/_pthread_cond_t.h
+sys/_types/_pthread_condattr_t.h
+sys/_types/_pthread_key_t.h
+sys/_types/_pthread_mutex_t.h
+sys/_types/_pthread_mutexattr_t.h
+sys/_types/_pthread_once_t.h
+sys/_types/_pthread_rwlock_t.h
+sys/_types/_pthread_rwlockattr_t.h
+sys/_types/_pthread_t.h
+sys/_types/_pthread_types.h
+sys/_types/_ptrdiff_t.h
+sys/_types/_rsize_t.h
+sys/_types/_rune_t.h
+sys/_types/_s_ifmt.h
+sys/_types/_sa_family_t.h
+sys/_types/_seek_set.h
+sys/_types/_sigaltstack.h
+sys/_types/_sigset_t.h
+sys/_types/_size_t.h
+sys/_types/_socklen_t.h
+sys/_types/_ssize_t.h
+sys/_types/_suseconds_t.h
+sys/_types/_time_t.h
+sys/_types/_timespec.h
+sys/_types/_timeval.h
+sys/_types/_timeval32.h
+sys/_types/_timeval64.h
+sys/_types/_u_int16_t.h
+sys/_types/_u_int32_t.h
+sys/_types/_u_int64_t.h
+sys/_types/_u_int8_t.h
+sys/_types/_ucontext.h
+sys/_types/_ucontext64.h
+sys/_types/_uid_t.h
+sys/_types/_uintptr_t.h
+sys/_types/_useconds_t.h
+sys/_types/_uuid_t.h
+sys/_types/_va_list.h
+sys/_types/_wchar_t.h
+sys/_types/_wint_t.h
+sys/acct.h
+sys/acl.h
+sys/aio.h
+sys/appleapiopts.h
+sys/attr.h
+sys/buf.h
+sys/cdefs.h
+sys/clonefile.h
+sys/conf.h
+sys/dir.h
+sys/dirent.h
+sys/disk.h
+sys/dkstat.h
+sys/domain.h
+sys/dtrace.h
+sys/dtrace_glue.h
+sys/dtrace_impl.h
+sys/errno.h
+sys/ev.h
+sys/event.h
+sys/fasttrap.h
+sys/fasttrap_isa.h
+sys/fcntl.h
+sys/file.h
+sys/filedesc.h
+sys/filio.h
+sys/gmon.h
+sys/ioccom.h
+sys/ioctl.h
+sys/ioctl_compat.h
+sys/ipc.h
+sys/kauth.h
+sys/kdebug.h
+sys/kdebug_signpost.h
+sys/kern_control.h
+sys/kern_event.h
+sys/kernel.h
+sys/kernel_types.h
+sys/lctx.h
+sys/loadable_fs.h
+sys/lock.h
+sys/lockf.h
+sys/lockstat.h
+sys/malloc.h
+sys/mbuf.h
+sys/mman.h
+sys/mount.h
+sys/msg.h
+sys/msgbuf.h
+sys/netport.h
+sys/param.h
+sys/paths.h
+sys/pipe.h
+sys/poll.h
+sys/posix_sem.h
+sys/posix_shm.h
+sys/proc.h
+sys/proc_info.h
+sys/protosw.h
+sys/ptrace.h
+sys/qos.h
+sys/qos_private.h
+sys/queue.h
+sys/quota.h
+sys/random.h
+sys/rbtree.h
+sys/reboot.h
+sys/resource.h
+sys/resourcevar.h
+sys/sbuf.h
+sys/sdt.h
+sys/select.h
+sys/sem.h
+sys/semaphore.h
+sys/shm.h
+sys/signal.h
+sys/signalvar.h
+sys/socket.h
+sys/socketvar.h
+sys/sockio.h
+sys/spawn.h
+sys/stat.h
+sys/statvfs.h
+sys/stdio.h
+sys/sys_domain.h
+sys/syscall.h
+sys/sysctl.h
+sys/syslimits.h
+sys/syslog.h
+sys/termios.h
+sys/time.h
+sys/timeb.h
+sys/times.h
+sys/tprintf.h
+sys/trace.h
+sys/tty.h
+sys/ttychars.h
+sys/ttycom.h
+sys/ttydefaults.h
+sys/ttydev.h
+sys/types.h
+sys/ubc.h
+sys/ucontext.h
+sys/ucred.h
+sys/uio.h
+sys/un.h
+sys/unistd.h
+sys/unpcb.h
+sys/user.h
+sys/utfconv.h
+sys/utsname.h
+sys/vadvise.h
+sys/vcmd.h
+sys/vm.h
+sys/vmmeter.h
+sys/vmparam.h
+sys/vnioctl.h
+sys/vnode.h
+sys/vnode_if.h
+sys/vstat.h
+sys/wait.h
+sys/xattr.h
+sysexits.h
+syslog.h
+tar.h
+term.h
+term_entry.h
+termcap.h
+termios.h
+thread_data.h
+tic.h
+time.h
+timeconv.h
+ttyent.h
+tzfile.h
+tzlink.h
+tzlink_internal.h
+ucontext.h
+ulimit.h
+unctrl.h
+unistd.h
+util.h
+utime.h
+utmpx.h
+utmpx_thread.h
+uuid/uuid.h
+vfs/vfs_support.h
+vis.h
+voucher/ipc_pthread_priority_types.h
+vproc.h
+vproc_internal.h
+vproc_priv.h
+wchar.h
+wctype.h
+wipefs.h
+wordexp.h
+xlocale.h
+xlocale/__wctype.h
+xlocale/_ctype.h
+xlocale/_inttypes.h
+xlocale/_langinfo.h
+xlocale/_monetary.h
+xlocale/_regex.h
+xlocale/_stdio.h
+xlocale/_stdlib.h
+xlocale/_string.h
+xlocale/_time.h
+xlocale/_wchar.h
+xlocale/_wctype.h
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols
new file mode 100644
index 000000000000..1ec6c6332cf4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols
@@ -0,0 +1,1320 @@
+__CurrentRuneLocale
+__DefaultRuneLocale
+__Exit
+__NSGetArgc
+__NSGetArgv
+__NSGetEnviron
+__NSGetMachExecuteHeader
+__NSGetProgname
+__PathLocale
+__Read_RuneMagi
+___Balloc_D2A
+___Bfree_D2A
+___ULtod_D2A
+____mb_cur_max
+____mb_cur_max_l
+____runetype
+____runetype_l
+____tolower
+____tolower_l
+____toupper
+____toupper_l
+___add_ovflpage
+___addel
+___any_on_D2A
+___assert_rtn
+___b2d_D2A
+___big_delete
+___big_insert
+___big_keydata
+___big_return
+___big_split
+___bigtens_D2A
+___bt_close
+___bt_cmp
+___bt_defcmp
+___bt_defpfx
+___bt_delete
+___bt_dleaf
+___bt_fd
+___bt_free
+___bt_get
+___bt_new
+___bt_open
+___bt_pgin
+___bt_pgout
+___bt_put
+___bt_ret
+___bt_search
+___bt_seq
+___bt_setcur
+___bt_split
+___bt_sync
+___buf_free
+___call_hash
+___cleanup
+___cmp_D2A
+___collate_equiv_match
+___collate_load_error
+___collate_lookup
+___copybits_D2A
+___cxa_atexit
+___cxa_finalize
+___cxa_finalize_ranges
+___cxa_thread_atexit
+___d2b_D2A
+___dbpanic
+___decrement_D2A
+___default_hash
+___default_utx
+___delpair
+___diff_D2A
+___dtoa
+___expand_table
+___fflush
+___fgetwc
+___find_bigpair
+___find_last_page
+___fix_locale_grouping_str
+___fread
+___free_ovflpage
+___freedtoa
+___gdtoa
+___gdtoa_locks
+___get_buf
+___get_page
+___gethex_D2A
+___getonlyClocaleconv
+___hash_open
+___hdtoa
+___hexdig_D2A
+___hexdig_init_D2A
+___hexnan_D2A
+___hi0bits_D2A
+___hldtoa
+___i2b_D2A
+___ibitmap
+___increment_D2A
+___isctype
+___istype
+___istype_l
+___ldtoa
+___libc_init
+___lo0bits_D2A
+___log2
+___lshift_D2A
+___maskrune
+___maskrune_l
+___match_D2A
+___mb_cur_max
+___mb_sb_limit
+___memccpy_chk
+___memcpy_chk
+___memmove_chk
+___memset_chk
+___mult_D2A
+___multadd_D2A
+___nrv_alloc_D2A
+___opendir2
+___opendir2$INODE64
+___ovfl_delete
+___ovfl_get
+___ovfl_put
+___pow5mult_D2A
+___put_page
+___quorem_D2A
+___ratio_D2A
+___rec_close
+___rec_delete
+___rec_dleaf
+___rec_fd
+___rec_fmap
+___rec_fpipe
+___rec_get
+___rec_iput
+___rec_open
+___rec_put
+___rec_ret
+___rec_search
+___rec_seq
+___rec_sync
+___rec_vmap
+___rec_vpipe
+___reclaim_buf
+___rshift_D2A
+___rv_alloc_D2A
+___s2b_D2A
+___sF
+___sclose
+___sdidinit
+___set_ones_D2A
+___setonlyClocaleconv
+___sflags
+___sflush
+___sfp
+___sfvwrite
+___sglue
+___sinit
+___slbexpand
+___smakebuf
+___snprintf_chk
+___split_page
+___sprintf_chk
+___sread
+___srefill
+___srget
+___sseek
+___stack_chk_fail
+___stack_chk_guard
+___stderrp
+___stdinp
+___stdoutp
+___stpcpy_chk
+___stpncpy_chk
+___strcat_chk
+___strcp_D2A
+___strcpy_chk
+___strlcat_chk
+___strlcpy_chk
+___strncat_chk
+___strncpy_chk
+___strtodg
+___strtopdd
+___strtopx
+___sum_D2A
+___svfscanf
+___swbuf
+___swhatbuf
+___swrite
+___swsetup
+___tens_D2A
+___tinytens_D2A
+___tolower
+___tolower_l
+___toupper
+___toupper_l
+___trailz_D2A
+___ulp_D2A
+___ungetc
+___ungetwc
+___vsnprintf_chk
+___vsprintf_chk
+___wcwidth
+___wcwidth_l
+__allocenvstate
+__atexit_receipt
+__c_locale
+__cleanup
+__closeutx
+__copyenv
+__cthread_init_routine
+__deallocenvstate
+__endutxent
+__flockfile_debug_stub
+__fseeko
+__ftello
+__fwalk
+__getenvp
+__getutxent
+__getutxid
+__getutxline
+__inet_aton_check
+__init_clock_port
+__int_to_time
+__libc_fork_child
+__libc_initializer
+__long_to_time
+__mkpath_np
+__mktemp
+__openutx
+__os_assert_log
+__os_assert_log_ctx
+__os_assumes_log
+__os_assumes_log_ctx
+__os_avoid_tail_call
+__os_crash
+__os_crash_callback
+__os_debug_log
+__os_debug_log_error_str
+__putenvp
+__pututxline
+__rand48_add
+__rand48_mult
+__rand48_seed
+__readdir_unlocked
+__readdir_unlocked$INODE64
+__reclaim_telldir
+__seekdir
+__seekdir$INODE64
+__setenvp
+__setutxent
+__sigaction_nobind
+__sigintr
+__signal_nobind
+__sigvec_nobind
+__sread
+__sseek
+__swrite
+__time32_to_time
+__time64_to_time
+__time_to_int
+__time_to_long
+__time_to_time32
+__time_to_time64
+__unsetenvp
+__utmpxname
+_a64l
+_abort
+_abort_report_np
+_abs
+_acl_add_flag_np
+_acl_add_perm
+_acl_calc_mask
+_acl_clear_flags_np
+_acl_clear_perms
+_acl_copy_entry
+_acl_copy_ext
+_acl_copy_ext_native
+_acl_copy_int
+_acl_copy_int_native
+_acl_create_entry
+_acl_create_entry_np
+_acl_delete_def_file
+_acl_delete_entry
+_acl_delete_fd_np
+_acl_delete_file_np
+_acl_delete_flag_np
+_acl_delete_link_np
+_acl_delete_perm
+_acl_dup
+_acl_free
+_acl_from_text
+_acl_get_entry
+_acl_get_fd
+_acl_get_fd_np
+_acl_get_file
+_acl_get_flag_np
+_acl_get_flagset_np
+_acl_get_link_np
+_acl_get_perm_np
+_acl_get_permset
+_acl_get_permset_mask_np
+_acl_get_qualifier
+_acl_get_tag_type
+_acl_init
+_acl_maximal_permset_mask_np
+_acl_set_fd
+_acl_set_fd_np
+_acl_set_file
+_acl_set_flagset_np
+_acl_set_link_np
+_acl_set_permset
+_acl_set_permset_mask_np
+_acl_set_qualifier
+_acl_set_tag_type
+_acl_size
+_acl_to_text
+_acl_valid
+_acl_valid_fd_np
+_acl_valid_file_np
+_acl_valid_link
+_addr2ascii
+_alarm
+_alphasort
+_alphasort$INODE64
+_arc4random
+_arc4random_addrandom
+_arc4random_buf
+_arc4random_stir
+_arc4random_uniform
+_ascii2addr
+_asctime
+_asctime_r
+_asprintf
+_asprintf_l
+_asxprintf
+_asxprintf_exec
+_atexit
+_atexit_b
+_atof
+_atof_l
+_atoi
+_atoi_l
+_atol
+_atol_l
+_atoll
+_atoll_l
+_backtrace
+_backtrace_symbols
+_backtrace_symbols_fd
+_basename
+_basename_r
+_bcmp
+_bcopy
+_brk
+_bsd_signal
+_bsearch
+_bsearch_b
+_btowc
+_btowc_l
+_bzero
+_catclose
+_catgets
+_catopen
+_cfgetispeed
+_cfgetospeed
+_cfmakeraw
+_cfsetispeed
+_cfsetospeed
+_cfsetspeed
+_cgetcap
+_cgetclose
+_cgetent
+_cgetfirst
+_cgetmatch
+_cgetnext
+_cgetnum
+_cgetset
+_cgetstr
+_cgetustr
+_chmodx_np
+_clearerr
+_clearerr_unlocked
+_clock
+_clock_getres
+_clock_gettime
+_clock_gettime_nsec_np
+_clock_port
+_clock_sem
+_clock_settime
+_closedir
+_compat_mode
+_confstr
+_copy_printf_domain
+_creat
+_creat$NOCANCEL
+_crypt
+_ctermid
+_ctermid_r
+_ctime
+_ctime_r
+_daemon
+_daemon$1050
+_daylight
+_dbm_clearerr
+_dbm_close
+_dbm_delete
+_dbm_dirfno
+_dbm_error
+_dbm_fetch
+_dbm_firstkey
+_dbm_nextkey
+_dbm_open
+_dbm_store
+_dbopen
+_devname
+_devname_r
+_difftime
+_digittoint
+_digittoint_l
+_dirfd
+_dirname
+_dirname_r
+_div
+_dprintf
+_dprintf_l
+_drand48
+_duplocale
+_dxprintf
+_dxprintf_exec
+_ecvt
+_encrypt
+_endttyent
+_endusershell
+_endutxent
+_endutxent_wtmp
+_erand48
+_err
+_err_set_exit
+_err_set_exit_b
+_err_set_file
+_errc
+_errx
+_execl
+_execle
+_execlp
+_execv
+_execvP
+_execvp
+_exit
+_f_prealloc
+_fchmodx_np
+_fclose
+_fcvt
+_fdopen
+_fdopen$DARWIN_EXTSN
+_fdopendir
+_fdopendir$INODE64
+_feof
+_feof_unlocked
+_ferror
+_ferror_unlocked
+_fflagstostr
+_fflush
+_fgetc
+_fgetln
+_fgetpos
+_fgetrune
+_fgets
+_fgetwc
+_fgetwc_l
+_fgetwln
+_fgetwln_l
+_fgetws
+_fgetws_l
+_fileno
+_fileno_unlocked
+_filesec_dup
+_filesec_free
+_filesec_get_property
+_filesec_init
+_filesec_query_property
+_filesec_set_property
+_filesec_unset_property
+_flockfile
+_fmtcheck
+_fmtmsg
+_fnmatch
+_fopen
+_fopen$DARWIN_EXTSN
+_fork
+_forkpty
+_fparseln
+_fprintf
+_fprintf_l
+_fpurge
+_fputc
+_fputrune
+_fputs
+_fputwc
+_fputwc_l
+_fputws
+_fputws_l
+_fread
+_free_printf_comp
+_free_printf_domain
+_freelocale
+_freopen
+_fscanf
+_fscanf_l
+_fseek
+_fseeko
+_fsetpos
+_fstatvfs
+_fstatx64_np
+_fstatx_np
+_fstatx_np$INODE64
+_fsync_volume_np
+_ftell
+_ftello
+_ftime
+_ftok
+_ftrylockfile
+_fts_children
+_fts_children$INODE64
+_fts_close
+_fts_close$INODE64
+_fts_open
+_fts_open$INODE64
+_fts_open_b
+_fts_open_b$INODE64
+_fts_read
+_fts_read$INODE64
+_fts_set
+_fts_set$INODE64
+_ftw
+_ftw$INODE64
+_fungetrune
+_funlockfile
+_funopen
+_fwide
+_fwprintf
+_fwprintf_l
+_fwrite
+_fwscanf
+_fwscanf_l
+_fxprintf
+_fxprintf_exec
+_gcvt
+_getbsize
+_getc
+_getc_unlocked
+_getchar
+_getchar_unlocked
+_getcwd
+_getdate
+_getdate_err
+_getdelim
+_getdiskbyname
+_getenv
+_getgroups$DARWIN_EXTSN
+_gethostid
+_gethostname
+_getipv4sourcefilter
+_getlastlogx
+_getlastlogxbyname
+_getline
+_getloadavg
+_getlogin
+_getlogin_r
+_getmntinfo
+_getmntinfo$INODE64
+_getmntinfo64
+_getmode
+_getopt
+_getopt_long
+_getopt_long_only
+_getpagesize
+_getpass
+_getpeereid
+_getprogname
+_gets
+_getsourcefilter
+_getsubopt
+_gettimeofday
+_getttyent
+_getttynam
+_getusershell
+_getutmp
+_getutmpx
+_getutxent
+_getutxent_wtmp
+_getutxid
+_getutxline
+_getvfsbyname
+_getw
+_getwc
+_getwc_l
+_getwchar
+_getwchar_l
+_getwd
+_glob
+_glob$INODE64
+_glob_b
+_glob_b$INODE64
+_globfree
+_gmtime
+_gmtime_r
+_grantpt
+_hash_create
+_hash_destroy
+_hash_purge
+_hash_search
+_hash_stats
+_hash_traverse
+_hcreate
+_hdestroy
+_heapsort
+_heapsort_b
+_hsearch
+_imaxabs
+_imaxdiv
+_index
+_inet_addr
+_inet_aton
+_inet_lnaof
+_inet_makeaddr
+_inet_net_ntop
+_inet_net_pton
+_inet_neta
+_inet_netof
+_inet_network
+_inet_nsap_addr
+_inet_nsap_ntoa
+_inet_ntoa
+_inet_ntop
+_inet_ntop4
+_inet_ntop6
+_inet_pton
+_initstate
+_insque
+_isalnum
+_isalnum_l
+_isalpha
+_isalpha_l
+_isascii
+_isatty
+_isblank
+_isblank_l
+_iscntrl
+_iscntrl_l
+_isdigit
+_isdigit_l
+_isgraph
+_isgraph_l
+_ishexnumber
+_ishexnumber_l
+_isideogram
+_isideogram_l
+_islower
+_islower_l
+_isnumber
+_isnumber_l
+_isphonogram
+_isphonogram_l
+_isprint
+_isprint_l
+_ispunct
+_ispunct_l
+_isrune
+_isrune_l
+_isspace
+_isspace_l
+_isspecial
+_isspecial_l
+_isupper
+_isupper_l
+_iswalnum
+_iswalnum_l
+_iswalpha
+_iswalpha_l
+_iswascii
+_iswblank
+_iswblank_l
+_iswcntrl
+_iswcntrl_l
+_iswctype
+_iswctype_l
+_iswdigit
+_iswdigit_l
+_iswgraph
+_iswgraph_l
+_iswhexnumber
+_iswhexnumber_l
+_iswideogram
+_iswideogram_l
+_iswlower
+_iswlower_l
+_iswnumber
+_iswnumber_l
+_iswphonogram
+_iswphonogram_l
+_iswprint
+_iswprint_l
+_iswpunct
+_iswpunct_l
+_iswrune
+_iswrune_l
+_iswspace
+_iswspace_l
+_iswspecial
+_iswspecial_l
+_iswupper
+_iswupper_l
+_iswxdigit
+_iswxdigit_l
+_isxdigit
+_isxdigit_l
+_jrand48
+_kOSThermalNotificationPressureLevelName
+_killpg
+_l64a
+_labs
+_lchflags
+_lchmod
+_lcong48
+_ldiv
+_lfind
+_link_addr
+_link_ntoa
+_llabs
+_lldiv
+_localeconv
+_localeconv_l
+_localtime
+_localtime_r
+_lockf
+_lockf$NOCANCEL
+_login
+_login_tty
+_logout
+_logwtmp
+_lrand48
+_lsearch
+_lstatx64_np
+_lstatx_np
+_lstatx_np$INODE64
+_lutimes
+_mblen
+_mblen_l
+_mbmb
+_mbrlen
+_mbrlen_l
+_mbrrune
+_mbrtowc
+_mbrtowc_l
+_mbrune
+_mbsinit
+_mbsinit_l
+_mbsnrtowcs
+_mbsnrtowcs_l
+_mbsrtowcs
+_mbsrtowcs_l
+_mbstowcs
+_mbstowcs_l
+_mbtowc
+_mbtowc_l
+_memccpy
+_memchr
+_memcmp
+_memcpy
+_memmem
+_memmove
+_memset
+_memset_pattern16
+_memset_pattern4
+_memset_pattern8
+_memset_s
+_mergesort
+_mergesort_b
+_mkdirx_np
+_mkdtemp
+_mkfifox_np
+_mkostemp
+_mkostemps
+_mkpath_np
+_mkpathat_np
+_mkstemp
+_mkstemp_dprotected_np
+_mkstemps
+_mktemp
+_mktime
+_monaddition
+_moncontrol
+_moncount
+_moninit
+_monitor
+_monoutput
+_monreset
+_monstartup
+_mpool_close
+_mpool_filter
+_mpool_get
+_mpool_new
+_mpool_open
+_mpool_put
+_mpool_sync
+_mrand48
+_nanosleep
+_nanosleep$NOCANCEL
+_new_printf_comp
+_new_printf_domain
+_newlocale
+_nextwctype
+_nextwctype_l
+_nftw
+_nftw$INODE64
+_nice
+_nl_langinfo
+_nl_langinfo_l
+_nrand48
+_nvis
+_off32
+_off64
+_offtime
+_opendev
+_opendir
+_opendir$INODE64
+_openpty
+_openx_np
+_optarg
+_opterr
+_optind
+_optopt
+_optreset
+_pause
+_pause$NOCANCEL
+_pclose
+_perror
+_popen
+_popen$DARWIN_EXTSN
+_posix2time
+_posix_openpt
+_posix_spawnp
+_printf
+_printf_l
+_psignal
+_psort
+_psort_b
+_psort_r
+_ptsname
+_putc
+_putc_unlocked
+_putchar
+_putchar_unlocked
+_putenv
+_puts
+_pututxline
+_putw
+_putwc
+_putwc_l
+_putwchar
+_putwchar_l
+_qsort
+_qsort_b
+_qsort_r
+_querylocale
+_radixsort
+_raise
+_rand
+_rand_r
+_random
+_rb_tree_count
+_rb_tree_find_node
+_rb_tree_find_node_geq
+_rb_tree_find_node_leq
+_rb_tree_init
+_rb_tree_insert_node
+_rb_tree_iterate
+_rb_tree_remove_node
+_readdir
+_readdir$INODE64
+_readdir_r
+_readdir_r$INODE64
+_readpassphrase
+_reallocf
+_realpath
+_realpath$DARWIN_EXTSN
+_recv
+_recv$NOCANCEL
+_regcomp
+_regcomp_l
+_regerror
+_regexec
+_regfree
+_register_printf_domain_function
+_register_printf_domain_render_std
+_regncomp
+_regncomp_l
+_regnexec
+_regwcomp
+_regwcomp_l
+_regwexec
+_regwncomp
+_regwncomp_l
+_regwnexec
+_remove
+_remque
+_rewind
+_rewinddir
+_rewinddir$INODE64
+_rindex
+_sbrk
+_scandir
+_scandir$INODE64
+_scandir_b
+_scandir_b$INODE64
+_scanf
+_scanf_l
+_seed48
+_seekdir
+_seekdir$INODE64
+_send
+_send$NOCANCEL
+_setbuf
+_setbuffer
+_setenv
+_sethostid
+_sethostname
+_setinvalidrune
+_setipv4sourcefilter
+_setkey
+_setlinebuf
+_setlocale
+_setlogin
+_setmode
+_setpgrp
+_setprogname
+_setrgid
+_setruid
+_setrunelocale
+_setsourcefilter
+_setstate
+_settimeofday
+_setttyent
+_setusershell
+_setutxent
+_setutxent_wtmp
+_setvbuf
+_sigaction
+_sigaddset
+_sigaltstack
+_sigblock
+_sigdelset
+_sigemptyset
+_sigfillset
+_sighold
+_sigignore
+_siginterrupt
+_sigismember
+_signal
+_sigpause
+_sigpause$NOCANCEL
+_sigrelse
+_sigset
+_sigsetmask
+_sigvec
+_skip
+_sl_add
+_sl_find
+_sl_free
+_sl_init
+_sleep
+_sleep$NOCANCEL
+_snprintf
+_snprintf_l
+_snvis
+_sockatmark
+_sprintf
+_sprintf_l
+_sradixsort
+_srand
+_srand48
+_sranddev
+_srandom
+_srandomdev
+_sscanf
+_sscanf_l
+_statvfs
+_statx64_np
+_statx_np
+_statx_np$INODE64
+_stpcpy
+_stpncpy
+_strcasecmp
+_strcasecmp_l
+_strcasestr
+_strcasestr_l
+_strcat
+_strchr
+_strcmp
+_strcoll
+_strcoll_l
+_strcpy
+_strcspn
+_strdup
+_strenvisx
+_strerror
+_strerror_r
+_strfmon
+_strfmon_l
+_strftime
+_strftime_l
+_strlcat
+_strlcpy
+_strlen
+_strmode
+_strncasecmp
+_strncasecmp_l
+_strncat
+_strncmp
+_strncpy
+_strndup
+_strnlen
+_strnstr
+_strnunvis
+_strnunvisx
+_strnvis
+_strnvisx
+_strpbrk
+_strptime
+_strptime_l
+_strrchr
+_strsenvisx
+_strsep
+_strsignal
+_strsnvis
+_strsnvisx
+_strspn
+_strstr
+_strsvis
+_strsvisx
+_strtod
+_strtod_l
+_strtof
+_strtof_l
+_strtofflags
+_strtoimax
+_strtoimax_l
+_strtok
+_strtok_r
+_strtol
+_strtol_l
+_strtold
+_strtold_l
+_strtoll
+_strtoll_l
+_strtoq
+_strtoq_l
+_strtoul
+_strtoul_l
+_strtoull
+_strtoull_l
+_strtoumax
+_strtoumax_l
+_strtouq
+_strtouq_l
+_strunvis
+_strunvisx
+_strvis
+_strvisx
+_strxfrm
+_strxfrm_l
+_suboptarg
+_svis
+_swab
+_swprintf
+_swprintf_l
+_swscanf
+_swscanf_l
+_sxprintf
+_sxprintf_exec
+_sync_volume_np
+_sys_errlist
+_sys_nerr
+_sys_siglist
+_sys_signame
+_sysconf
+_sysctl
+_sysctlbyname
+_sysctlnametomib
+_system
+_system$NOCANCEL
+_tcdrain
+_tcdrain$NOCANCEL
+_tcflow
+_tcflush
+_tcgetattr
+_tcgetpgrp
+_tcgetsid
+_tcsendbreak
+_tcsetattr
+_tcsetpgrp
+_tdelete
+_telldir
+_telldir$INODE64
+_tempnam
+_tfind
+_thread_stack_pcs
+_time
+_time2posix
+_timegm
+_timelocal
+_timeoff
+_times
+_timezone
+_timingsafe_bcmp
+_tmpfile
+_tmpnam
+_toascii
+_tolower
+_tolower_l
+_toupper
+_toupper_l
+_towctrans
+_towctrans_l
+_towlower
+_towlower_l
+_towupper
+_towupper_l
+_tre_ast_new_catenation
+_tre_ast_new_iter
+_tre_ast_new_literal
+_tre_ast_new_node
+_tre_ast_new_union
+_tre_compile
+_tre_fill_pmatch
+_tre_free
+_tre_mem_alloc_impl
+_tre_mem_destroy
+_tre_mem_new_impl
+_tre_parse
+_tre_stack_destroy
+_tre_stack_new
+_tre_stack_num_objects
+_tre_tnfa_run_backtrack
+_tre_tnfa_run_parallel
+_tsearch
+_ttyname
+_ttyname_r
+_ttyslot
+_twalk
+_tzname
+_tzset
+_tzsetwall
+_ualarm
+_ulimit
+_umaskx_np
+_uname
+_ungetc
+_ungetwc
+_ungetwc_l
+_unlockpt
+_unsetenv
+_unvis
+_uselocale
+_usleep
+_usleep$NOCANCEL
+_utime
+_utmpxname
+_uuid_clear
+_uuid_compare
+_uuid_copy
+_uuid_generate
+_uuid_generate_random
+_uuid_generate_time
+_uuid_is_null
+_uuid_pack
+_uuid_parse
+_uuid_unpack
+_uuid_unparse
+_uuid_unparse_lower
+_uuid_unparse_upper
+_vasprintf
+_vasprintf_l
+_vasxprintf
+_vasxprintf_exec
+_vdprintf
+_vdprintf_l
+_vdxprintf
+_vdxprintf_exec
+_verr
+_verrc
+_verrx
+_vfprintf
+_vfprintf_l
+_vfscanf
+_vfscanf_l
+_vfwprintf
+_vfwprintf_l
+_vfwscanf
+_vfwscanf_l
+_vfxprintf
+_vfxprintf_exec
+_vis
+_vprintf
+_vprintf_l
+_vscanf
+_vscanf_l
+_vsnprintf
+_vsnprintf_l
+_vsprintf
+_vsprintf_l
+_vsscanf
+_vsscanf_l
+_vswprintf
+_vswprintf_l
+_vswscanf
+_vswscanf_l
+_vsxprintf
+_vsxprintf_exec
+_vwarn
+_vwarnc
+_vwarnx
+_vwprintf
+_vwprintf_l
+_vwscanf
+_vwscanf_l
+_vxprintf
+_vxprintf_exec
+_wait
+_wait$NOCANCEL
+_wait3
+_waitpid
+_waitpid$NOCANCEL
+_warn
+_warnc
+_warnx
+_wcpcpy
+_wcpncpy
+_wcrtomb
+_wcrtomb_l
+_wcscasecmp
+_wcscasecmp_l
+_wcscat
+_wcschr
+_wcscmp
+_wcscoll
+_wcscoll_l
+_wcscpy
+_wcscspn
+_wcsdup
+_wcsftime
+_wcsftime_l
+_wcslcat
+_wcslcpy
+_wcslen
+_wcsncasecmp
+_wcsncasecmp_l
+_wcsncat
+_wcsncmp
+_wcsncpy
+_wcsnlen
+_wcsnrtombs
+_wcsnrtombs_l
+_wcspbrk
+_wcsrchr
+_wcsrtombs
+_wcsrtombs_l
+_wcsspn
+_wcsstr
+_wcstod
+_wcstod_l
+_wcstof
+_wcstof_l
+_wcstoimax
+_wcstoimax_l
+_wcstok
+_wcstol
+_wcstol_l
+_wcstold
+_wcstold_l
+_wcstoll
+_wcstoll_l
+_wcstombs
+_wcstombs_l
+_wcstoul
+_wcstoul_l
+_wcstoull
+_wcstoull_l
+_wcstoumax
+_wcstoumax_l
+_wcswidth
+_wcswidth_l
+_wcsxfrm
+_wcsxfrm_l
+_wctob
+_wctob_l
+_wctomb
+_wctomb_l
+_wctrans
+_wctrans_l
+_wctype
+_wctype_l
+_wcwidth
+_wcwidth_l
+_wmemchr
+_wmemcmp
+_wmemcpy
+_wmemmove
+_wmemset
+_wordexp
+_wordfree
+_wprintf
+_wprintf_l
+_wscanf
+_wscanf_l
+_wtmpxname
+_xprintf
+_xprintf_exec
+mcount
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols
new file mode 100644
index 000000000000..7c5b90f95ed7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols
@@ -0,0 +1,1172 @@
+_NDR_record
+_____old_semwait_signal_nocancel
+_____sigwait_nocancel
+____kernelVersionNumber
+____kernelVersionString
+___abort_with_payload
+___accept
+___accept_nocancel
+___access_extended
+___aio_suspend_nocancel
+___bind
+___bsdthread_create
+___bsdthread_ctl
+___bsdthread_register
+___bsdthread_terminate
+___carbon_delete
+___channel_get_info
+___channel_get_opt
+___channel_open
+___channel_set_opt
+___channel_sync
+___chmod
+___chmod_extended
+___close_nocancel
+___coalition
+___coalition_info
+___commpage_gettimeofday
+___connect
+___connect_nocancel
+___copyfile
+___csrctl
+___delete
+___disable_threadsignal
+___error
+___exit
+___fchmod
+___fchmod_extended
+___fcntl
+___fcntl_nocancel
+___fork
+___fs_snapshot
+___fstat64_extended
+___fstat_extended
+___fsync_nocancel
+___get_remove_counter
+___getattrlist
+___getdirentries64
+___gethostuuid
+___getlogin
+___getpeername
+___getpid
+___getrlimit
+___getsgroups
+___getsockname
+___gettid
+___gettimeofday
+___getwgroups
+___guarded_open_dprotected_np
+___guarded_open_np
+___identitysvc
+___inc_remove_counter
+___initgroups
+___ioctl
+___iopolicysys
+___kdebug_trace
+___kdebug_trace64
+___kdebug_trace_string
+___kdebug_typefilter
+___kill
+___lchown
+___libkernel_init
+___libkernel_voucher_init
+___listen
+___lseek
+___lstat64_extended
+___lstat_extended
+___mac_execve
+___mac_get_fd
+___mac_get_file
+___mac_get_link
+___mac_get_mount
+___mac_get_pid
+___mac_get_proc
+___mac_getfsstat
+___mac_mount
+___mac_set_fd
+___mac_set_file
+___mac_set_link
+___mac_set_proc
+___mac_syscall
+___microstackshot
+___mkdir_extended
+___mkfifo_extended
+___mmap
+___mprotect
+___msgctl
+___msgrcv_nocancel
+___msgsnd_nocancel
+___msgsys
+___msync
+___msync_nocancel
+___munmap
+___nexus_create
+___nexus_deregister
+___nexus_destroy
+___nexus_get_opt
+___nexus_open
+___nexus_register
+___nexus_set_opt
+___old_semwait_signal
+___open
+___open_dprotected_np
+___open_extended
+___open_nocancel
+___openat
+___openat_nocancel
+___os_nexus_ifattach
+___os_nexus_ifdetach
+___persona
+___pipe
+___poll_nocancel
+___posix_spawn
+___pread_nocancel
+___proc_info
+___process_policy
+___pselect
+___pselect_nocancel
+___psynch_cvbroad
+___psynch_cvclrprepost
+___psynch_cvsignal
+___psynch_cvwait
+___psynch_mutexdrop
+___psynch_mutexwait
+___psynch_rw_downgrade
+___psynch_rw_longrdlock
+___psynch_rw_rdlock
+___psynch_rw_unlock
+___psynch_rw_unlock2
+___psynch_rw_upgrade
+___psynch_rw_wrlock
+___psynch_rw_yieldwrlock
+___pthread_canceled
+___pthread_chdir
+___pthread_fchdir
+___pthread_kill
+___pthread_markcancel
+___pthread_sigmask
+___ptrace
+___pwrite_nocancel
+___read_nocancel
+___readv_nocancel
+___recvfrom
+___recvfrom_nocancel
+___recvmsg
+___recvmsg_nocancel
+___rename
+___renameat
+___renameatx_np
+___rmdir
+___sandbox_me
+___sandbox_mm
+___sandbox_ms
+___sandbox_msp
+___select
+___select_nocancel
+___sem_open
+___sem_wait_nocancel
+___semctl
+___semsys
+___semwait_signal
+___semwait_signal_nocancel
+___sendmsg
+___sendmsg_nocancel
+___sendto
+___sendto_nocancel
+___setattrlist
+___setlogin
+___setpriority
+___setregid
+___setreuid
+___setrlimit
+___setsgroups
+___settid
+___settid_with_pid
+___settimeofday
+___setwgroups
+___sfi_ctl
+___sfi_pidctl
+___shared_region_check_np
+___shared_region_map_and_slide_np
+___shm_open
+___shmctl
+___shmsys
+___sigaction
+___sigaltstack
+___sigreturn
+___sigsuspend
+___sigsuspend_nocancel
+___sigwait
+___socketpair
+___stack_snapshot_with_config
+___stat64_extended
+___stat_extended
+___syscall
+___syscall_logger
+___sysctl
+___sysctlbyname
+___telemetry
+___terminate_with_payload
+___thread_selfid
+___thread_selfusage
+___ulock_wait
+___ulock_wake
+___umask_extended
+___unlink
+___unlinkat
+___vfork
+___wait4
+___wait4_nocancel
+___waitid_nocancel
+___work_interval_ctl
+___workq_kernreturn
+___workq_open
+___write_nocancel
+___writev_nocancel
+__cpu_capabilities
+__cpu_has_altivec
+__exit
+__get_cpu_capabilities
+__getprivatesystemidentifier
+__host_page_size
+__init_cpu_capabilities
+__kernelrpc_host_create_mach_voucher
+__kernelrpc_mach_port_allocate
+__kernelrpc_mach_port_allocate_full
+__kernelrpc_mach_port_allocate_name
+__kernelrpc_mach_port_allocate_qos
+__kernelrpc_mach_port_allocate_trap
+__kernelrpc_mach_port_construct
+__kernelrpc_mach_port_construct_trap
+__kernelrpc_mach_port_deallocate
+__kernelrpc_mach_port_deallocate_trap
+__kernelrpc_mach_port_destroy
+__kernelrpc_mach_port_destroy_trap
+__kernelrpc_mach_port_destruct
+__kernelrpc_mach_port_destruct_trap
+__kernelrpc_mach_port_dnrequest_info
+__kernelrpc_mach_port_extract_member
+__kernelrpc_mach_port_extract_member_trap
+__kernelrpc_mach_port_extract_right
+__kernelrpc_mach_port_get_attributes
+__kernelrpc_mach_port_get_context
+__kernelrpc_mach_port_get_refs
+__kernelrpc_mach_port_get_set_status
+__kernelrpc_mach_port_get_srights
+__kernelrpc_mach_port_guard
+__kernelrpc_mach_port_guard_trap
+__kernelrpc_mach_port_insert_member
+__kernelrpc_mach_port_insert_member_trap
+__kernelrpc_mach_port_insert_right
+__kernelrpc_mach_port_insert_right_trap
+__kernelrpc_mach_port_kernel_object
+__kernelrpc_mach_port_kobject
+__kernelrpc_mach_port_mod_refs
+__kernelrpc_mach_port_mod_refs_trap
+__kernelrpc_mach_port_move_member
+__kernelrpc_mach_port_move_member_trap
+__kernelrpc_mach_port_names
+__kernelrpc_mach_port_peek
+__kernelrpc_mach_port_rename
+__kernelrpc_mach_port_request_notification
+__kernelrpc_mach_port_set_attributes
+__kernelrpc_mach_port_set_context
+__kernelrpc_mach_port_set_mscount
+__kernelrpc_mach_port_set_seqno
+__kernelrpc_mach_port_space_basic_info
+__kernelrpc_mach_port_space_info
+__kernelrpc_mach_port_type
+__kernelrpc_mach_port_unguard
+__kernelrpc_mach_port_unguard_trap
+__kernelrpc_mach_vm_allocate
+__kernelrpc_mach_vm_allocate_trap
+__kernelrpc_mach_vm_deallocate
+__kernelrpc_mach_vm_deallocate_trap
+__kernelrpc_mach_vm_map
+__kernelrpc_mach_vm_map_trap
+__kernelrpc_mach_vm_protect
+__kernelrpc_mach_vm_protect_trap
+__kernelrpc_mach_vm_purgable_control
+__kernelrpc_mach_vm_purgable_control_trap
+__kernelrpc_mach_vm_read
+__kernelrpc_mach_vm_remap
+__kernelrpc_mach_voucher_extract_attr_recipe
+__kernelrpc_task_set_port_space
+__kernelrpc_thread_policy
+__kernelrpc_thread_policy_set
+__kernelrpc_thread_set_policy
+__kernelrpc_vm_map
+__kernelrpc_vm_purgable_control
+__kernelrpc_vm_read
+__kernelrpc_vm_remap
+__mach_errors
+__mach_fork_child
+__mach_snprintf
+__mach_vsnprintf
+__os_alloc_once_table
+__register_gethostuuid_callback
+__thread_set_tsd_base
+_abort_with_payload
+_abort_with_reason
+_accept
+_accept$NOCANCEL
+_access
+_accessx_np
+_acct
+_act_get_state
+_act_set_state
+_adjtime
+_aio_cancel
+_aio_error
+_aio_fsync
+_aio_read
+_aio_return
+_aio_suspend
+_aio_suspend$NOCANCEL
+_aio_write
+_audit
+_audit_session_join
+_audit_session_port
+_audit_session_self
+_auditctl
+_auditon
+_bind
+_bootstrap_port
+_cerror
+_cerror_nocancel
+_change_fdguard_np
+_chdir
+_chflags
+_chmod
+_chown
+_chroot
+_clock_alarm
+_clock_alarm_reply
+_clock_get_attributes
+_clock_get_time
+_clock_set_attributes
+_clock_set_time
+_clock_sleep
+_clock_sleep_trap
+_clonefile
+_clonefileat
+_close
+_close$NOCANCEL
+_coalition_create
+_coalition_info_resource_usage
+_coalition_reap
+_coalition_terminate
+_connect
+_connect$NOCANCEL
+_connectx
+_csops
+_csops_audittoken
+_csr_check
+_csr_get_active_config
+_denap_boost_assertion_token
+_disconnectx
+_dup
+_dup2
+_errno
+_etap_trace_thread
+_exc_server
+_exc_server_routine
+_exception_raise
+_exception_raise_state
+_exception_raise_state_identity
+_exchangedata
+_execve
+_faccessat
+_fchdir
+_fchflags
+_fchmod
+_fchmodat
+_fchown
+_fchownat
+_fclonefileat
+_fcntl
+_fcntl$NOCANCEL
+_fdatasync
+_ffsctl
+_fgetattrlist
+_fgetxattr
+_fhopen
+_fileport_makefd
+_fileport_makeport
+_flistxattr
+_flock
+_fpathconf
+_fremovexattr
+_fs_snapshot_create
+_fs_snapshot_delete
+_fs_snapshot_list
+_fs_snapshot_mount
+_fs_snapshot_rename
+_fs_snapshot_revert
+_fsctl
+_fsetattrlist
+_fsetxattr
+_fsgetpath
+_fstat
+_fstat$INODE64
+_fstat64
+_fstatat
+_fstatat$INODE64
+_fstatat64
+_fstatfs
+_fstatfs$INODE64
+_fstatfs64
+_fsync
+_fsync$NOCANCEL
+_ftruncate
+_futimes
+_getattrlist
+_getattrlistat
+_getattrlistbulk
+_getaudit
+_getaudit_addr
+_getauid
+_getdirentries
+_getdirentriesattr
+_getdtablesize
+_getegid
+_getentropy
+_geteuid
+_getfh
+_getfsstat
+_getfsstat$INODE64
+_getfsstat64
+_getgid
+_getgroups
+_gethostuuid
+_getiopolicy_np
+_getitimer
+_getpeername
+_getpgid
+_getpgrp
+_getpid
+_getppid
+_getpriority
+_getrlimit
+_getrusage
+_getsgroups_np
+_getsid
+_getsockname
+_getsockopt
+_getuid
+_getwgroups_np
+_getxattr
+_grab_pgo_data
+_guarded_close_np
+_guarded_kqueue_np
+_guarded_open_dprotected_np
+_guarded_open_np
+_guarded_pwrite_np
+_guarded_write_np
+_guarded_writev_np
+_host_check_multiuser_mode
+_host_create_mach_voucher
+_host_create_mach_voucher_trap
+_host_default_memory_manager
+_host_get_UNDServer
+_host_get_atm_diagnostic_flag
+_host_get_boot_info
+_host_get_clock_control
+_host_get_clock_service
+_host_get_exception_ports
+_host_get_io_master
+_host_get_multiuser_config_flags
+_host_get_special_port
+_host_info
+_host_kernel_version
+_host_lockgroup_info
+_host_page_size
+_host_priv_statistics
+_host_processor_info
+_host_processor_set_priv
+_host_processor_sets
+_host_processors
+_host_reboot
+_host_register_mach_voucher_attr_manager
+_host_register_well_known_mach_voucher_attr_manager
+_host_request_notification
+_host_security_create_task_token
+_host_security_set_task_token
+_host_self
+_host_self_trap
+_host_set_UNDServer
+_host_set_atm_diagnostic_flag
+_host_set_exception_ports
+_host_set_multiuser_config_flags
+_host_set_special_port
+_host_statistics
+_host_statistics64
+_host_swap_exception_ports
+_host_virtual_physical_table_info
+_i386_get_ldt
+_i386_set_ldt
+_important_boost_assertion_token
+_internal_catch_exc_subsystem
+_ioctl
+_issetugid
+_kas_info
+_kdebug_is_enabled
+_kdebug_signpost
+_kdebug_signpost_end
+_kdebug_signpost_start
+_kdebug_trace
+_kdebug_trace_string
+_kdebug_typefilter
+_kevent
+_kevent64
+_kevent_qos
+_kext_request
+_kill
+_kmod_control
+_kmod_create
+_kmod_destroy
+_kmod_get_info
+_kpersona_alloc
+_kpersona_dealloc
+_kpersona_find
+_kpersona_get
+_kpersona_info
+_kpersona_pidinfo
+_kqueue
+_lchown
+_ledger
+_link
+_linkat
+_lio_listio
+_listen
+_listxattr
+_lock_acquire
+_lock_handoff
+_lock_handoff_accept
+_lock_make_stable
+_lock_release
+_lock_set_create
+_lock_set_destroy
+_lock_try
+_lseek
+_lstat
+_lstat$INODE64
+_lstat64
+_mach_absolute_time
+_mach_approximate_time
+_mach_boottime_usec
+_mach_continuous_approximate_time
+_mach_continuous_time
+_mach_error
+_mach_error_full_diag
+_mach_error_string
+_mach_error_type
+_mach_generate_activity_id
+_mach_get_times
+_mach_host_self
+_mach_init
+_mach_make_memory_entry
+_mach_make_memory_entry_64
+_mach_memory_info
+_mach_memory_object_memory_entry
+_mach_memory_object_memory_entry_64
+_mach_msg
+_mach_msg_destroy
+_mach_msg_overwrite
+_mach_msg_overwrite_trap
+_mach_msg_receive
+_mach_msg_send
+_mach_msg_server
+_mach_msg_server_importance
+_mach_msg_server_once
+_mach_msg_trap
+_mach_notify_dead_name
+_mach_notify_no_senders
+_mach_notify_port_deleted
+_mach_notify_port_destroyed
+_mach_notify_send_once
+_mach_port_allocate
+_mach_port_allocate_full
+_mach_port_allocate_name
+_mach_port_allocate_qos
+_mach_port_construct
+_mach_port_deallocate
+_mach_port_destroy
+_mach_port_destruct
+_mach_port_dnrequest_info
+_mach_port_extract_member
+_mach_port_extract_right
+_mach_port_get_attributes
+_mach_port_get_context
+_mach_port_get_refs
+_mach_port_get_set_status
+_mach_port_get_srights
+_mach_port_guard
+_mach_port_insert_member
+_mach_port_insert_right
+_mach_port_kernel_object
+_mach_port_kobject
+_mach_port_mod_refs
+_mach_port_move_member
+_mach_port_names
+_mach_port_peek
+_mach_port_rename
+_mach_port_request_notification
+_mach_port_set_attributes
+_mach_port_set_context
+_mach_port_set_mscount
+_mach_port_set_seqno
+_mach_port_space_basic_info
+_mach_port_space_info
+_mach_port_type
+_mach_port_unguard
+_mach_ports_lookup
+_mach_ports_register
+_mach_reply_port
+_mach_task_self
+_mach_task_self_
+_mach_thread_self
+_mach_timebase_info
+_mach_timebase_info_trap
+_mach_vm_allocate
+_mach_vm_behavior_set
+_mach_vm_copy
+_mach_vm_deallocate
+_mach_vm_inherit
+_mach_vm_machine_attribute
+_mach_vm_map
+_mach_vm_msync
+_mach_vm_page_info
+_mach_vm_page_query
+_mach_vm_protect
+_mach_vm_purgable_control
+_mach_vm_read
+_mach_vm_read_list
+_mach_vm_read_overwrite
+_mach_vm_region
+_mach_vm_region_recurse
+_mach_vm_remap
+_mach_vm_wire
+_mach_vm_write
+_mach_voucher_attr_command
+_mach_voucher_deallocate
+_mach_voucher_debug_info
+_mach_voucher_extract_all_attr_recipes
+_mach_voucher_extract_attr_content
+_mach_voucher_extract_attr_recipe
+_mach_voucher_extract_attr_recipe_trap
+_mach_wait_until
+_mach_zone_force_gc
+_mach_zone_info
+_macx_backing_store_recovery
+_macx_backing_store_suspend
+_macx_swapoff
+_macx_swapon
+_macx_triggers
+_madvise
+_memorystatus_control
+_memorystatus_get_level
+_mig_allocate
+_mig_dealloc_reply_port
+_mig_deallocate
+_mig_get_reply_port
+_mig_put_reply_port
+_mig_reply_setup
+_mig_strncpy
+_mig_strncpy_zerofill
+_mincore
+_minherit
+_mk_timer_arm
+_mk_timer_cancel
+_mk_timer_create
+_mk_timer_destroy
+_mkdir
+_mkdirat
+_mkfifo
+_mknod
+_mlock
+_mlockall
+_mmap
+_modwatch
+_mount
+_mprotect
+_mremap_encrypted
+_msg_receive
+_msg_rpc
+_msg_send
+_msgctl
+_msgget
+_msgrcv
+_msgrcv$NOCANCEL
+_msgsnd
+_msgsnd$NOCANCEL
+_msgsys
+_msync
+_msync$NOCANCEL
+_munlock
+_munlockall
+_munmap
+_necp_client_action
+_necp_match_policy
+_necp_open
+_netagent_trigger
+_netname_check_in
+_netname_check_out
+_netname_look_up
+_netname_version
+_nfsclnt
+_nfssvc
+_non_boost_assertion_token
+_normal_boost_assertion_token
+_open
+_open$NOCANCEL
+_open_dprotected_np
+_openat
+_openat$NOCANCEL
+_openbyid_np
+_os_channel_advance_slot
+_os_channel_attr_clone
+_os_channel_attr_create
+_os_channel_attr_destroy
+_os_channel_attr_get
+_os_channel_attr_get_key
+_os_channel_attr_set
+_os_channel_attr_set_key
+_os_channel_available_slot_count
+_os_channel_create
+_os_channel_create_extended
+_os_channel_destroy
+_os_channel_get_fd
+_os_channel_get_next_slot
+_os_channel_pending
+_os_channel_read_attr
+_os_channel_read_nexus_extension_info
+_os_channel_ring_id
+_os_channel_rx_ring
+_os_channel_set_slot_properties
+_os_channel_sync
+_os_channel_tx_ring
+_os_channel_write_attr
+_os_nexus_attr_clone
+_os_nexus_attr_create
+_os_nexus_attr_destroy
+_os_nexus_attr_get
+_os_nexus_attr_set
+_os_nexus_controller_alloc_provider_instance
+_os_nexus_controller_bind_provider_instance
+_os_nexus_controller_create
+_os_nexus_controller_deregister_provider
+_os_nexus_controller_destroy
+_os_nexus_controller_free_provider_instance
+_os_nexus_controller_get_fd
+_os_nexus_controller_read_provider_attr
+_os_nexus_controller_register_provider
+_os_nexus_controller_unbind_provider_instance
+_panic
+_panic_init
+_pathconf
+_peeloff
+_pid_for_task
+_pid_hibernate
+_pid_resume
+_pid_shutdown_sockets
+_pid_suspend
+_pipe
+_poll
+_poll$NOCANCEL
+_port_obj_init
+_port_obj_table
+_port_obj_table_size
+_posix_madvise
+_posix_spawn
+_posix_spawn_file_actions_addclose
+_posix_spawn_file_actions_adddup2
+_posix_spawn_file_actions_addinherit_np
+_posix_spawn_file_actions_addopen
+_posix_spawn_file_actions_destroy
+_posix_spawn_file_actions_init
+_posix_spawnattr_destroy
+_posix_spawnattr_get_darwin_role_np
+_posix_spawnattr_get_qos_clamp_np
+_posix_spawnattr_getbinpref_np
+_posix_spawnattr_getcpumonitor
+_posix_spawnattr_getflags
+_posix_spawnattr_getmacpolicyinfo_np
+_posix_spawnattr_getpcontrol_np
+_posix_spawnattr_getpgroup
+_posix_spawnattr_getprocesstype_np
+_posix_spawnattr_getsigdefault
+_posix_spawnattr_getsigmask
+_posix_spawnattr_init
+_posix_spawnattr_set_darwin_role_np
+_posix_spawnattr_set_importancewatch_port_np
+_posix_spawnattr_set_persona_gid_np
+_posix_spawnattr_set_persona_groups_np
+_posix_spawnattr_set_persona_np
+_posix_spawnattr_set_persona_uid_np
+_posix_spawnattr_set_qos_clamp_np
+_posix_spawnattr_setauditsessionport_np
+_posix_spawnattr_setbinpref_np
+_posix_spawnattr_setcoalition_np
+_posix_spawnattr_setcpumonitor
+_posix_spawnattr_setcpumonitor_default
+_posix_spawnattr_setexceptionports_np
+_posix_spawnattr_setflags
+_posix_spawnattr_setjetsam_ext
+_posix_spawnattr_setmacpolicyinfo_np
+_posix_spawnattr_setpcontrol_np
+_posix_spawnattr_setpgroup
+_posix_spawnattr_setprocesstype_np
+_posix_spawnattr_setsigdefault
+_posix_spawnattr_setsigmask
+_posix_spawnattr_setspecialport_np
+_pread
+_pread$NOCANCEL
+_proc_clear_cpulimits
+_proc_clear_delayidlesleep
+_proc_clear_dirty
+_proc_clear_vmpressure
+_proc_denap_assertion_begin_with_msg
+_proc_denap_assertion_complete
+_proc_disable_apptype
+_proc_disable_cpumon
+_proc_disable_wakemon
+_proc_donate_importance_boost
+_proc_enable_apptype
+_proc_get_cpumon_params
+_proc_get_dirty
+_proc_get_wakemon_params
+_proc_importance_assertion_begin_with_msg
+_proc_importance_assertion_complete
+_proc_kmsgbuf
+_proc_libversion
+_proc_list_uptrs
+_proc_listallpids
+_proc_listchildpids
+_proc_listcoalitions
+_proc_listpgrppids
+_proc_listpids
+_proc_listpidspath
+_proc_name
+_proc_pid_rusage
+_proc_pidfdinfo
+_proc_pidfileportinfo
+_proc_pidinfo
+_proc_pidoriginatorinfo
+_proc_pidpath
+_proc_regionfilename
+_proc_resume_cpumon
+_proc_rlimit_control
+_proc_set_cpumon_defaults
+_proc_set_cpumon_params
+_proc_set_cpumon_params_fatal
+_proc_set_delayidlesleep
+_proc_set_dirty
+_proc_set_owner_vmpressure
+_proc_set_wakemon_defaults
+_proc_set_wakemon_params
+_proc_setcpu_percentage
+_proc_setpcontrol
+_proc_setthread_cpupercent
+_proc_suppress
+_proc_terminate
+_proc_trace_log
+_proc_track_dirty
+_proc_uuid_policy
+_processor_assign
+_processor_control
+_processor_exit
+_processor_get_assignment
+_processor_info
+_processor_set_create
+_processor_set_default
+_processor_set_destroy
+_processor_set_info
+_processor_set_max_priority
+_processor_set_policy_control
+_processor_set_policy_disable
+_processor_set_policy_enable
+_processor_set_stack_usage
+_processor_set_statistics
+_processor_set_tasks
+_processor_set_threads
+_processor_start
+_pselect
+_pselect$1050
+_pselect$DARWIN_EXTSN
+_pselect$DARWIN_EXTSN$NOCANCEL
+_pselect$NOCANCEL
+_pthread_getugid_np
+_pthread_setugid_np
+_ptrace
+_pwrite
+_pwrite$NOCANCEL
+_quota
+_quotactl
+_read
+_read$NOCANCEL
+_readlink
+_readlinkat
+_readv
+_readv$NOCANCEL
+_reboot
+_recvfrom
+_recvfrom$NOCANCEL
+_recvmsg
+_recvmsg$NOCANCEL
+_recvmsg_x
+_removexattr
+_rename
+_rename_ext
+_renameat
+_renameatx_np
+_renamex_np
+_revoke
+_rmdir
+_searchfs
+_select
+_select$1050
+_select$DARWIN_EXTSN
+_select$DARWIN_EXTSN$NOCANCEL
+_select$NOCANCEL
+_sem_close
+_sem_destroy
+_sem_getvalue
+_sem_init
+_sem_open
+_sem_post
+_sem_trywait
+_sem_unlink
+_sem_wait
+_sem_wait$NOCANCEL
+_semaphore_create
+_semaphore_destroy
+_semaphore_signal
+_semaphore_signal_all
+_semaphore_signal_all_trap
+_semaphore_signal_thread
+_semaphore_signal_thread_trap
+_semaphore_signal_trap
+_semaphore_timedwait
+_semaphore_timedwait_signal
+_semaphore_timedwait_signal_trap
+_semaphore_timedwait_trap
+_semaphore_wait
+_semaphore_wait_signal
+_semaphore_wait_signal_trap
+_semaphore_wait_trap
+_semctl
+_semget
+_semop
+_semsys
+_sendfile
+_sendmsg
+_sendmsg$NOCANCEL
+_sendmsg_x
+_sendto
+_sendto$NOCANCEL
+_setattrlist
+_setaudit
+_setaudit_addr
+_setauid
+_setegid
+_seteuid
+_setgid
+_setgroups
+_setiopolicy_np
+_setitimer
+_setpgid
+_setpriority
+_setprivexec
+_setquota
+_setregid
+_setreuid
+_setrlimit
+_setsgroups_np
+_setsid
+_setsockopt
+_setuid
+_setwgroups_np
+_setxattr
+_sfi_get_class_offtime
+_sfi_process_get_flags
+_sfi_process_set_flags
+_sfi_set_class_offtime
+_shm_open
+_shm_unlink
+_shmat
+_shmctl
+_shmdt
+_shmget
+_shmsys
+_shutdown
+_sigpending
+_sigprocmask
+_sigsuspend
+_sigsuspend$NOCANCEL
+_socket
+_socket_delegate
+_socketpair
+_stackshot_capture_with_config
+_stackshot_config_create
+_stackshot_config_dealloc
+_stackshot_config_dealloc_buffer
+_stackshot_config_get_stackshot_buffer
+_stackshot_config_get_stackshot_size
+_stackshot_config_set_delta_timestamp
+_stackshot_config_set_flags
+_stackshot_config_set_pid
+_stackshot_config_set_size_hint
+_stat
+_stat$INODE64
+_stat64
+_statfs
+_statfs$INODE64
+_statfs64
+_swapon
+_swtch
+_swtch_pri
+_symlink
+_symlinkat
+_sync
+_syscall
+_syscall_thread_switch
+_system_get_sfi_window
+_system_override
+_system_set_sfi_window
+_task_assign
+_task_assign_default
+_task_create
+_task_for_pid
+_task_generate_corpse
+_task_get_assignment
+_task_get_dyld_image_infos
+_task_get_emulation_vector
+_task_get_exception_ports
+_task_get_mach_voucher
+_task_get_special_port
+_task_get_state
+_task_info
+_task_map_corpse_info
+_task_map_corpse_info_64
+_task_name_for_pid
+_task_policy
+_task_policy_get
+_task_policy_set
+_task_purgable_info
+_task_register_dyld_get_process_state
+_task_register_dyld_image_infos
+_task_register_dyld_set_dyld_state
+_task_register_dyld_shared_cache_image_info
+_task_resume
+_task_resume2
+_task_sample
+_task_self_
+_task_self_trap
+_task_set_emulation
+_task_set_emulation_vector
+_task_set_exception_ports
+_task_set_info
+_task_set_mach_voucher
+_task_set_phys_footprint_limit
+_task_set_policy
+_task_set_port_space
+_task_set_ras_pc
+_task_set_special_port
+_task_set_state
+_task_suspend
+_task_suspend2
+_task_swap_exception_ports
+_task_swap_mach_voucher
+_task_terminate
+_task_threads
+_task_unregister_dyld_image_infos
+_task_zone_info
+_terminate_with_payload
+_terminate_with_reason
+_thread_abort
+_thread_abort_safely
+_thread_assign
+_thread_assign_default
+_thread_create
+_thread_create_running
+_thread_depress_abort
+_thread_get_assignment
+_thread_get_exception_ports
+_thread_get_mach_voucher
+_thread_get_register_pointer_values
+_thread_get_special_port
+_thread_get_state
+_thread_info
+_thread_policy
+_thread_policy_get
+_thread_policy_set
+_thread_resume
+_thread_sample
+_thread_self_trap
+_thread_set_exception_ports
+_thread_set_mach_voucher
+_thread_set_policy
+_thread_set_special_port
+_thread_set_state
+_thread_suspend
+_thread_swap_exception_ports
+_thread_swap_mach_voucher
+_thread_switch
+_thread_terminate
+_thread_wire
+_truncate
+_umask
+_undelete
+_unlink
+_unlinkat
+_unmount
+_usrctl
+_utimes
+_vfork
+_vfs_purge
+_vm_allocate
+_vm_allocate_cpm
+_vm_behavior_set
+_vm_copy
+_vm_deallocate
+_vm_inherit
+_vm_kernel_page_mask
+_vm_kernel_page_shift
+_vm_kernel_page_size
+_vm_machine_attribute
+_vm_map
+_vm_map_page_query
+_vm_msync
+_vm_page_mask
+_vm_page_shift
+_vm_page_size
+_vm_pressure_monitor
+_vm_protect
+_vm_purgable_control
+_vm_read
+_vm_read_list
+_vm_read_overwrite
+_vm_region_64
+_vm_region_recurse_64
+_vm_remap
+_vm_wire
+_vm_write
+_voucher_mach_msg_adopt
+_voucher_mach_msg_clear
+_voucher_mach_msg_revert
+_voucher_mach_msg_set
+_vprintf_stderr_func
+_wait4
+_waitevent
+_waitid
+_waitid$NOCANCEL
+_watchevent
+_work_interval_create
+_work_interval_destroy
+_work_interval_notify
+_work_interval_notify_simple
+_write
+_write$NOCANCEL
+_writev
+_writev$NOCANCEL
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_symbols b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_symbols
new file mode 100644
index 000000000000..75a00acac493
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_symbols
@@ -0,0 +1 @@
+_mach_init_routine
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/PowerManagement/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/PowerManagement/default.nix
new file mode 100644
index 000000000000..5685d09e54fe
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/PowerManagement/default.nix
@@ -0,0 +1,10 @@
+{ appleDerivation, xcbuildHook, IOKit }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ IOKit ];
+  xcbuildFlags = [ "-target" "caffeinate" ];
+  installPhase = ''
+    install -D Products/Deployment/caffeinate $out/bin/caffeinate
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/boot.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/boot.nix
new file mode 100644
index 000000000000..bb09adce252e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/boot.nix
@@ -0,0 +1,117 @@
+{ appleDerivation', stdenv, darwin-stubs }:
+
+appleDerivation' stdenv {
+  phases = [ "unpackPhase" "installPhase" ];
+
+  __propagatedImpureHostDeps = [
+    "/System/Library/Frameworks/Security.framework/Security"
+    "/System/Library/Frameworks/Security.framework/Resources"
+    "/System/Library/Frameworks/Security.framework/PlugIns"
+    "/System/Library/Frameworks/Security.framework/XPCServices"
+    "/System/Library/Frameworks/Security.framework/Versions"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/Library/Frameworks/Security.framework
+
+    ###### IMPURITIES
+    ln -s /System/Library/Frameworks/Security.framework/{Resources,Plugins,XPCServices} \
+      $out/Library/Frameworks/Security.framework
+
+    ###### STUBS
+    cp ${darwin-stubs}/System/Library/Frameworks/Security.framework/Versions/A/Security.tbd \
+      $out/Library/Frameworks/Security.framework
+
+    ###### HEADERS
+
+    export dest=$out/Library/Frameworks/Security.framework/Headers
+    mkdir -p $dest
+
+    cp libsecurity_asn1/lib/SecAsn1Coder.h     $dest
+    cp libsecurity_asn1/lib/SecAsn1Templates.h $dest
+    cp libsecurity_asn1/lib/SecAsn1Types.h     $dest
+    cp libsecurity_asn1/lib/oidsalg.h          $dest
+    cp libsecurity_asn1/lib/oidsattr.h         $dest
+
+    cp libsecurity_authorization/lib/AuthSession.h         $dest
+    cp libsecurity_authorization/lib/Authorization.h       $dest
+    cp libsecurity_authorization/lib/AuthorizationDB.h     $dest
+    cp libsecurity_authorization/lib/AuthorizationPlugin.h $dest
+    cp libsecurity_authorization/lib/AuthorizationTags.h   $dest
+
+    cp libsecurity_cms/lib/CMSDecoder.h $dest
+    cp libsecurity_cms/lib/CMSEncoder.h $dest
+
+    cp libsecurity_codesigning/lib/CSCommon.h       $dest
+    cp libsecurity_codesigning/lib/CodeSigning.h    $dest
+    cp libsecurity_codesigning/lib/SecCode.h        $dest
+    cp libsecurity_codesigning/lib/SecCodeHost.h    $dest
+    cp libsecurity_codesigning/lib/SecRequirement.h $dest
+    cp libsecurity_codesigning/lib/SecStaticCode.h  $dest
+    cp libsecurity_codesigning/lib/SecTask.h        $dest
+
+    cp libsecurity_cssm/lib/certextensions.h $dest
+    cp libsecurity_cssm/lib/cssm.h           $dest
+    cp libsecurity_cssm/lib/cssmaci.h        $dest
+    cp libsecurity_cssm/lib/cssmapi.h        $dest
+    cp libsecurity_cssm/lib/cssmapple.h      $dest
+    cp libsecurity_cssm/lib/cssmcli.h        $dest
+    cp libsecurity_cssm/lib/cssmconfig.h     $dest
+    cp libsecurity_cssm/lib/cssmcspi.h       $dest
+    cp libsecurity_cssm/lib/cssmdli.h        $dest
+    cp libsecurity_cssm/lib/cssmerr.h        $dest
+    cp libsecurity_cssm/lib/cssmkrapi.h      $dest
+    cp libsecurity_cssm/lib/cssmkrspi.h      $dest
+    cp libsecurity_cssm/lib/cssmspi.h        $dest
+    cp libsecurity_cssm/lib/cssmtpi.h        $dest
+    cp libsecurity_cssm/lib/cssmtype.h       $dest
+    cp libsecurity_cssm/lib/eisl.h           $dest
+    cp libsecurity_cssm/lib/emmspi.h         $dest
+    cp libsecurity_cssm/lib/emmtype.h        $dest
+    cp libsecurity_cssm/lib/oidsbase.h       $dest
+    cp libsecurity_cssm/lib/oidscert.h       $dest
+    cp libsecurity_cssm/lib/oidscrl.h        $dest
+    cp libsecurity_cssm/lib/x509defs.h       $dest
+
+    cp libsecurity_keychain/lib/SecACL.h                $dest
+    cp libsecurity_keychain/lib/SecAccess.h             $dest
+    cp libsecurity_keychain/lib/SecBase.h               $dest
+    cp libsecurity_keychain/lib/SecCertificate.h        $dest
+    cp libsecurity_keychain/lib/SecCertificatePriv.h    $dest # Private
+    cp libsecurity_keychain/lib/SecCertificateOIDs.h    $dest
+    cp libsecurity_keychain/lib/SecIdentity.h           $dest
+    cp libsecurity_keychain/lib/SecIdentitySearch.h     $dest
+    cp libsecurity_keychain/lib/SecImportExport.h       $dest
+    cp libsecurity_keychain/lib/SecItem.h               $dest
+    cp libsecurity_keychain/lib/SecKey.h                $dest
+    cp libsecurity_keychain/lib/SecKeychain.h           $dest
+    cp libsecurity_keychain/lib/SecKeychainItem.h       $dest
+    cp libsecurity_keychain/lib/SecKeychainSearch.h     $dest
+    cp libsecurity_keychain/lib/SecPolicy.h             $dest
+    cp libsecurity_keychain/lib/SecPolicySearch.h       $dest
+    cp libsecurity_keychain/lib/SecRandom.h             $dest
+    cp libsecurity_keychain/lib/SecTrust.h              $dest
+    cp libsecurity_keychain/lib/SecTrustSettings.h      $dest
+    cp libsecurity_keychain/lib/SecTrustedApplication.h $dest
+    cp libsecurity_keychain/lib/Security.h              $dest
+
+    cp libsecurity_manifest/lib/SecureDownload.h $dest
+
+    cp libsecurity_mds/lib/mds.h        $dest
+    cp libsecurity_mds/lib/mds_schema.h $dest
+
+    cp libsecurity_ssl/lib/CipherSuite.h     $dest
+    cp libsecurity_ssl/lib/SecureTransport.h $dest
+
+    cp libsecurity_transform/lib/SecCustomTransform.h        $dest
+    cp libsecurity_transform/lib/SecDecodeTransform.h        $dest
+    cp libsecurity_transform/lib/SecDigestTransform.h        $dest
+    cp libsecurity_transform/lib/SecEncodeTransform.h        $dest
+    cp libsecurity_transform/lib/SecEncryptTransform.h       $dest
+    cp libsecurity_transform/lib/SecReadTransform.h          $dest
+    cp libsecurity_transform/lib/SecSignVerifyTransform.h    $dest
+    cp libsecurity_transform/lib/SecTransform.h              $dest
+    cp libsecurity_transform/lib/SecTransformReadTransform.h $dest
+
+  '';
+}
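Review bot: The `ln -s` under `###### IMPURITIES` spells the directory `Plugins`, while `__propagatedImpureHostDeps` lists `.../Security.framework/PlugIns`. On a case-sensitive volume the link would dangle, and the linked path would not match the declared impure dependency. Use the same spelling in both places: `ln -s /System/Library/Frameworks/Security.framework/{Resources,PlugIns,XPCServices} \`. `Versions` is declared as an impure host dependency but never linked into `$out`; a short comment saying whether that is intentional would help, since these entries define which host paths the build is allowed to reach.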
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/default.nix
new file mode 100644
index 000000000000..f1b5e19feb22
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/Security/default.nix
@@ -0,0 +1,19 @@
+{ appleDerivation, xcbuildHook, xpc, dtrace, xnu }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook dtrace ];
+  # buildInputs = [ Foundation xpc darling ];
+  buildInputs = [ xpc xnu ];
+
+  xcbuildFlags = [ "-target" "Security_frameworks_osx" ];
+
+  # NIX_CFLAGS_COMPILE = "-Wno-error -I${xnu}/include/libkern -DPRIVATE -I${xnu}/Library/Frameworks/System.framework/Headers";
+
+  preBuild = ''
+    dtrace -h -C -s OSX/libsecurity_utilities/lib/security_utilities.d -o OSX/libsecurity_utilities/lib/utilities_dtrace.h
+
+    xcodebuild SYMROOT=$PWD/Products OBJROOT=$PWD/Intermediates -target copyHeadersToSystem
+    NIX_CFLAGS_COMPILE+=" -F./Products/Release"
+    ln -s $PWD/Products/Release/Security.bundle/Contents $PWD/Products/Release/Security.framework
+  '';
+}
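Review bot: Two attributes are left as commented-out code with no explanation: `# buildInputs = [ Foundation xpc darling ];` and the `# NIX_CFLAGS_COMPILE = "-Wno-error ... -DPRIVATE ..."` line. The second one matters to a reader because it would change warning handling and expose private headers, and nothing says whether it is a pending requirement or a discarded experiment. Either delete both lines or replace them with a comment that states the intent, for example `# TODO: private xnu headers (-DPRIVATE) are needed for <target>; not enabled yet`. The derivation also has no `meta` block, unlike the adv_cmds and basic_cmds expressions in this diff.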
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/boot.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/boot.nix
new file mode 100644
index 000000000000..2ca2d061591a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/boot.nix
@@ -0,0 +1,92 @@
+{ lib, stdenv, buildPackages, appleDerivation, fetchzip, bsdmake, perl, flex, bison
+}:
+
+# this derivation sucks
+# locale data was removed after adv_cmds-118, so our base is that because it's easier than
+# replicating the bizarre bsdmake file structure
+#
+# sadly adv_cmds-118 builds a mklocale and colldef that generate files that our libc can no
+# longer understand
+#
+# the more recent adv_cmds release is used for everything else in this package
+
+let recentAdvCmds = fetchzip {
+  url = "https://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz";
+  sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn";
+};
+
+in appleDerivation {
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ bsdmake perl bison flex ];
+  buildInputs = [ flex ];
+
+  patchPhase = ''
+    substituteInPlace BSDmakefile \
+      --replace chgrp true \
+      --replace /Developer/Makefiles/bin/compress-man-pages.pl true \
+      --replace "ps.tproj" "" --replace "gencat.tproj" "" --replace "md.tproj" "" \
+      --replace "tabs.tproj" "" --replace "cap_mkdb.tproj" "" \
+      --replace "!= tconf --test TARGET_OS_EMBEDDED" "= NO"
+
+    substituteInPlace Makefile --replace perl true
+
+    for subproject in colldef mklocale monetdef msgdef numericdef timedef; do
+      substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \
+        --replace /usr/share/locale "" \
+        --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \
+        --replace "rsync -a" "cp -r"
+    done
+  '';
+
+  preBuild = ''
+    cp -r --no-preserve=all ${recentAdvCmds}/colldef .
+    pushd colldef
+    mv locale/collate.h .
+    flex -t -8 -i scan.l > scan.c
+    yacc -d parse.y
+    clang *.c -o colldef -lfl
+    popd
+    mv colldef/colldef colldef.tproj/colldef
+
+    cp -r --no-preserve=all ${recentAdvCmds}/mklocale .
+    pushd mklocale
+    flex -t -8 -i lex.l > lex.c
+    yacc -d yacc.y
+    clang *.c -o mklocale -lfl
+    popd
+    mv mklocale/mklocale mklocale.tproj/mklocale
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    bsdmake -C usr-share-locale.tproj
+
+    ${stdenv.cc.targetPrefix}clang ${recentAdvCmds}/ps/*.c -o ps
+  '';
+
+  installPhase = ''
+    bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale"
+
+    # need to get rid of runtime dependency on flex
+    # install -d 0755 $locale/bin
+    # install -m 0755 colldef.tproj/colldef $locale/bin
+    # install -m 0755 mklocale.tproj/mklocale $locale/bin
+
+    install -d 0755 $ps/bin
+    install ps $ps/bin/ps
+    touch "$out"
+  '';
+
+  outputs = [
+    "out"
+    "ps"
+    "locale"
+  ];
+  setOutputFlags = false;
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ gridaphobe ];
+  };
+}
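Review bot: In `installPhase`, `install -d 0755 $ps/bin` is missing `-m`, so `0755` is treated as a second directory name and a stray `0755` directory is created in the build directory, while `$ps/bin` gets the default mode. The line should read `install -d -m 0755 $ps/bin`. The commented-out `install -d 0755 $locale/bin` has the same slip and would reintroduce it if re-enabled. The bsdmake expression later in this diff uses `install -d 0644 $out/bin` and `install -d 0644 $out/share/mk` the same way. Separately, the overridden `buildPhase` calls `runHook preBuild` but never `runHook postBuild`, and `installPhase` runs neither install hook.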
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
new file mode 100644
index 000000000000..6e659df4d620
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
@@ -0,0 +1,51 @@
+{ lib, appleDerivation, xcbuild, ncurses, libutil }:
+
+appleDerivation {
+  # We can't just run the root build, because https://github.com/facebook/xcbuild/issues/264
+
+  patchPhase = ''
+    substituteInPlace adv_cmds.xcodeproj/project.pbxproj \
+      --replace '/usr/lib/libtermcap.dylib' 'libncurses.dylib'
+  '';
+
+  # pkill requires special private headers that are unavailable in
+  # NixPkgs. These ones are needed:
+  #  - xpc/xpxc.h
+  #  - os/base_private.h
+  #  - _simple.h
+  # We disable it here for now. TODO: build pkill inside adv_cmds
+  buildPhase = ''
+    targets=$(xcodebuild -list \
+                | awk '/Targets:/{p=1;print;next} p&&/^\s*$/{p=0};p' \
+                | tail -n +2 | sed 's/^[ \t]*//' \
+                | grep -v -e Desktop -e Embedded -e mklocale -e pkill -e pgrep -e colldef)
+
+    for i in $targets; do
+      xcodebuild SYMROOT=$PWD/Products OBJROOT=$PWD/Intermediates -target $i
+    done
+  '';
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    mkdir -p $out/System/Library/LaunchDaemons
+    install fingerd/finger.plist $out/System/Library/LaunchDaemons
+
+    # from variant_links.sh
+    # ln -s $out/bin/pkill $out/bin/pgrep
+    # ln -s $out/share/man/man1/pkill.1 $out/share/man/man1/pgrep.1
+  '';
+
+  nativeBuildInputs = [ xcbuild ];
+  buildInputs = [ ncurses libutil ];
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
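Review bot: The `installPhase` loop expands `$f` unquoted in `[ -f $f ]` and `install -D $f $out/bin/$(basename $f)`, so a product name containing whitespace or glob characters would be split or re-expanded. Quote the expansions: `if [ -f "$f" ]; then` and `install -D "$f" "$out/bin/$(basename "$f")"`. The identical loop in basic_cmds/default.nix needs the same change, and `-target $i` in `buildPhase` should be `-target "$i"`. In the comment above `buildPhase`, `xpc/xpxc.h` looks like a typo for `xpc/xpc.h`; please confirm the header name.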
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
new file mode 100644
index 000000000000..e0e27255b72f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
@@ -0,0 +1,39 @@
+{ lib, appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  dontBuild = true;
+
+  postPatch = ''
+    substituteInPlace Makefile \
+        --replace '/bin/mkdir' 'mkdir' \
+        --replace '/usr/bin/install' 'install'
+  '';
+
+  installFlags = [ "EXPORT_DSTDIR=/include/architecture" ];
+
+  DSTROOT = "$(out)";
+
+  appleHeaders = ''
+    architecture/alignment.h
+    architecture/byte_order.h
+    architecture/i386/alignment.h
+    architecture/i386/asm_help.h
+    architecture/i386/byte_order.h
+    architecture/i386/cpu.h
+    architecture/i386/desc.h
+    architecture/i386/fpu.h
+    architecture/i386/frame.h
+    architecture/i386/io.h
+    architecture/i386/pio.h
+    architecture/i386/reg_help.h
+    architecture/i386/sel.h
+    architecture/i386/table.h
+    architecture/i386/tss.h
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/basic_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/basic_cmds/default.nix
new file mode 100644
index 000000000000..7d011d2d8cc8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/basic_cmds/default.nix
@@ -0,0 +1,32 @@
+{ lib, appleDerivation, xcbuildHook }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+
+  # These PBXcp calls should be patched in xcbuild to allow them to
+  # automatically be prefixed.
+  patchPhase = ''
+    substituteInPlace basic_cmds.xcodeproj/project.pbxproj \
+      --replace "dstPath = /usr/share/man/man1;" "dstPath = $out/share/man/man1;" \
+      --replace "dstPath = /usr/share/man/man5;" "dstPath = $out/share/man/man5;"
+  '';
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    for n in 1; do
+      mkdir -p $out/share/man/man$n
+      install */*.$n $out/share/man/man$n
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bootstrap_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bootstrap_cmds/default.nix
new file mode 100644
index 000000000000..ff98ed88804c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bootstrap_cmds/default.nix
@@ -0,0 +1,43 @@
+{ lib, appleDerivation, stdenv, bison, flex }:
+
+let
+
+  # Hard to get CC to pull this off without infinite recursion
+  targetTargetPrefix = lib.optionalString
+    (with stdenv; hostPlatform != targetPlatform)
+    (stdenv.targetPlatform.config + "-");
+
+in
+
+appleDerivation {
+  nativeBuildInputs = [ bison flex ];
+
+  buildPhase = ''
+    cd migcom.tproj
+
+    # redundant file, don't know why apple not removing it.
+    rm handler.c
+
+    yacc -d parser.y
+    flex --header-file=lexxer.yy.h -o lexxer.yy.c lexxer.l
+
+    $CC -std=gnu99 -Os -dead_strip -DMIG_VERSION=\"$pname-$version\" -I. -o migcom *.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/libexec $out/share/man/man1
+
+    chmod +x mig.sh
+    cp mig.sh   $out/bin/mig
+    cp migcom   $out/libexec
+    ln -s $out/libexec/migcom $out/bin/migcom
+    cp mig.1    $out/share/man/man1
+    cp migcom.1 $out/share/man/man1
+
+    substituteInPlace $out/bin/mig \
+      --replace 'arch=`/usr/bin/arch`' 'arch=${stdenv.targetPlatform.darwinArch}' \
+      --replace '/usr/bin/' "" \
+      --replace '/bin/rmdir' "rmdir" \
+      --replace 'C=''${MIGCC}' "C=${targetTargetPrefix}cc"
+  '';
+}
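Review bot: The `substituteInPlace $out/bin/mig` step replaces every `/usr/bin/` prefix with the empty string and `/bin/rmdir` with `rmdir`, so the installed script resolves its helper tools through the caller's `PATH` at run time rather than from fixed locations. This makes the behaviour of `mig` depend on the invoking environment, and the blanket `/usr/bin/` replacement gives no record of which commands are affected. Consider substituting explicit store paths for the tools the script actually calls, or wrapping `mig` with a fixed `PATH`. At minimum, add a comment listing the commands that are now looked up by bare name. The overridden `buildPhase` and `installPhase` also skip `runHook preBuild`/`postBuild` and `runHook preInstall`/`postInstall`.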
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix
new file mode 100644
index 000000000000..214aa5dfad9e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix
@@ -0,0 +1,55 @@
+{ lib, appleDerivation, makeWrapper }:
+
+appleDerivation {
+  nativeBuildInputs = [ makeWrapper ];
+
+  patchPhase = ''
+    substituteInPlace mk/bsd.prog.mk \
+      --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \
+      --replace '-o ''${SCRIPTSOWN_''${.ALLSRC:T}}' "" \
+      --replace '-g ''${SCRIPTSGRP_''${.ALLSRC:T}}' ""
+    substituteInPlace mk/bsd.lib.mk --replace '-o ''${LIBOWN} -g ''${LIBGRP}' ""
+    substituteInPlace mk/bsd.info.mk --replace '-o ''${INFOOWN} -g ''${INFOGRP}' ""
+    substituteInPlace mk/bsd.doc.mk --replace '-o ''${BINOWN} -g ''${BINGRP}' ""
+    substituteInPlace mk/bsd.man.mk --replace '-o ''${MANOWN} -g ''${MANGRP}' ""
+    substituteInPlace mk/bsd.files.mk \
+      --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \
+      --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \
+      --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' ""
+    substituteInPlace mk/bsd.incs.mk \
+      --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \
+      --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \
+      --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' ""
+
+    # Workaround for https://github.com/NixOS/nixpkgs/issues/103172
+    # Prevents bsdmake from failing on systems that already had default limits
+    # increased.
+    substituteInPlace main.c \
+      --replace 'err(2, "setrlimit");' 'warn("setrlimit");'
+  '';
+
+  buildPhase = ''
+    objs=()
+    for file in $(find . -name '*.c'); do
+      obj="$(basename "$file" .c).o"
+      objs+=("$obj")
+      $CC -c "$file" -o "$obj" -DDEFSHELLNAME='"sh"' -D__FBSDID=__RCSID -mdynamic-no-pic -g
+    done
+    $CC "''${objs[@]}" -o bsdmake
+  '';
+
+  installPhase = ''
+    install -d 0644 $out/bin
+    install -m 0755 bsdmake $out/bin
+    install -d 0644 $out/share/mk
+    install -m 0755 mk/* $out/share/mk
+  '';
+
+  preFixup = ''
+    wrapProgram "$out/bin/bsdmake" --add-flags "-m $out/share/mk"
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+  };
+}
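Review bot: In installPhase, `install -d 0644 $out/bin` and `install -d 0644 $out/share/mk` pass `0644` as a second directory name rather than a mode, because `-d` takes no argument. Each call therefore creates a stray `0644` directory in the current working directory and never applies the intended mode. If a mode is wanted it needs `-m`, and a directory needs the execute bit to be traversable: `install -d -m 0755 $out/bin $out/share/mk`. The files under `mk/` are makefile includes rather than programs, so `install -m 0644 mk/* $out/share/mk` would avoid marking them executable.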
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
new file mode 100644
index 000000000000..37830c0665e1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
@@ -0,0 +1,216 @@
+{ lib, stdenv, appleDerivation', launchd, bootstrap_cmds, xnu, ppp, IOKit, eap8021x, Security
+, headersOnly ? false }:
+
+appleDerivation' stdenv {
+  meta.broken = stdenv.cc.nativeLibc;
+
+  nativeBuildInputs = lib.optionals (!headersOnly) [ bootstrap_cmds ];
+  buildInputs = lib.optionals (!headersOnly) [ launchd ppp IOKit eap8021x ];
+
+  propagatedBuildInputs = lib.optionals (!headersOnly) [ Security ];
+
+  patchPhase = lib.optionalString (!headersOnly) ''
+    HACK=$PWD/hack
+    mkdir $HACK
+    cp -r ${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders/net $HACK
+
+
+    substituteInPlace SystemConfiguration.fproj/SCNetworkReachabilityInternal.h \
+      --replace '#include <xpc/xpc.h>' ""
+
+    substituteInPlace SystemConfiguration.fproj/SCNetworkReachability.c \
+      --replace ''$'#define\tHAVE_VPN_STATUS' ""
+
+    substituteInPlace SystemConfiguration.fproj/reachability/SCNetworkReachabilityServer_client.c \
+      --replace '#include <xpc/xpc.h>' '#include "fake_xpc.h"' \
+      --replace '#include <xpc/private.h>' "" \
+
+    # Our neutered CoreFoundation doesn't have this function, but I think we'll live...
+    substituteInPlace SystemConfiguration.fproj/SCNetworkConnectionPrivate.c \
+      --replace 'CFPreferencesAppValueIsForced(serviceID, USER_PREFERENCES_APPLICATION_ID)' 'FALSE' \
+      --replace 'CFPreferencesAppValueIsForced(userPrivate->serviceID, USER_PREFERENCES_APPLICATION_ID)' 'FALSE'
+
+    cat >SystemConfiguration.fproj/fake_xpc.h <<EOF
+    typedef void *xpc_type_t;
+    typedef void *xpc_object_t;
+    typedef void *xpc_connection_t;
+
+    xpc_type_t xpc_get_type(xpc_object_t object);
+    xpc_object_t xpc_dictionary_create(const char * const *keys, const xpc_object_t *values, size_t count);
+    char *xpc_copy_description(xpc_object_t object);
+    int64_t  xpc_dictionary_get_int64(xpc_object_t xdict, const char *key);
+    uint64_t xpc_dictionary_get_uint64(xpc_object_t xdict, const char *key);
+    void xpc_connection_set_event_handler(xpc_connection_t connection, void *handler);
+
+    extern const struct _xpc_type_s _xpc_type_error;
+    #define XPC_TYPE_ERROR (&_xpc_type_error)
+
+    extern const struct _xpc_type_s _xpc_type_dictionary;
+    #define XPC_TYPE_DICTIONARY (&_xpc_type_dictionary)
+
+    extern const struct _xpc_type_s _xpc_type_array;
+    #define XPC_TYPE_ARRAY (&_xpc_type_array)
+
+    extern const struct _xpc_dictionary_s _xpc_error_connection_interrupted;
+    #define XPC_ERROR_CONNECTION_INTERRUPTED (&_xpc_error_connection_interrupted)
+
+    extern const struct _xpc_dictionary_s _xpc_error_connection_invalid;
+    #define XPC_ERROR_CONNECTION_INVALID (&_xpc_error_connection_invalid)
+
+    extern const char *const _xpc_error_key_description;
+    #define XPC_ERROR_KEY_DESCRIPTION _xpc_error_key_description
+
+    #define XPC_CONNECTION_MACH_SERVICE_PRIVILEGED (1 << 1)
+    EOF
+  '';
+
+  dontBuild = headersOnly;
+
+  buildPhase = ''
+    pushd SystemConfiguration.fproj >/dev/null
+
+    mkdir -p SystemConfiguration.framework/Resources
+    cp ../get-mobility-info       SystemConfiguration.framework/Resources
+    cp Info.plist                 SystemConfiguration.framework/Resources
+    cp -r English.lproj           SystemConfiguration.framework/Resources
+    cp NetworkConfiguration.plist SystemConfiguration.framework/Resources
+
+    mkdir -p SystemConfiguration.framework/Headers
+    mkdir -p SystemConfiguration.framework/PrivateHeaders
+
+    # The standard public headers
+    cp SCSchemaDefinitions.h        SystemConfiguration.framework/Headers
+    cp SystemConfiguration.h        SystemConfiguration.framework/Headers
+    cp SCDynamicStore.h             SystemConfiguration.framework/Headers
+    cp SCDynamicStoreCopySpecific.h SystemConfiguration.framework/Headers
+    cp SCPreferences.h              SystemConfiguration.framework/Headers
+    cp CaptiveNetwork.h             SystemConfiguration.framework/Headers
+    cp SCPreferencesPath.h          SystemConfiguration.framework/Headers
+    cp SCDynamicStoreKey.h          SystemConfiguration.framework/Headers
+    cp SCPreferencesSetSpecific.h   SystemConfiguration.framework/Headers
+    cp SCNetworkConfiguration.h     SystemConfiguration.framework/Headers
+    cp SCNetworkConnection.h        SystemConfiguration.framework/Headers
+    cp SCNetworkReachability.h      SystemConfiguration.framework/Headers
+    cp DHCPClientPreferences.h      SystemConfiguration.framework/Headers
+    cp SCNetwork.h                  SystemConfiguration.framework/Headers
+    cp SCDynamicStoreCopyDHCPInfo.h SystemConfiguration.framework/Headers
+
+    # TODO: Do we want to preserve private headers or just make them public?
+    cp SCDPlugin.h                         SystemConfiguration.framework/PrivateHeaders
+    cp SCPrivate.h                         SystemConfiguration.framework/PrivateHeaders
+    cp SCDynamicStorePrivate.h             SystemConfiguration.framework/PrivateHeaders
+    cp SCDynamicStoreCopySpecificPrivate.h SystemConfiguration.framework/PrivateHeaders
+    cp SCDynamicStoreSetSpecificPrivate.h  SystemConfiguration.framework/PrivateHeaders
+    cp SCValidation.h                      SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesPrivate.h              SystemConfiguration.framework/PrivateHeaders
+    cp DeviceOnHold.h                      SystemConfiguration.framework/PrivateHeaders
+    cp LinkConfiguration.h                 SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesPathKey.h              SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesSetSpecificPrivate.h   SystemConfiguration.framework/PrivateHeaders
+    cp SCNetworkConnectionPrivate.h        SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesGetSpecificPrivate.h   SystemConfiguration.framework/PrivateHeaders
+    cp SCSchemaDefinitionsPrivate.h        SystemConfiguration.framework/PrivateHeaders
+    cp SCNetworkConfigurationPrivate.h     SystemConfiguration.framework/PrivateHeaders
+    cp SCPreferencesKeychainPrivate.h      SystemConfiguration.framework/PrivateHeaders
+    cp SCNetworkSignature.h                SystemConfiguration.framework/PrivateHeaders
+    cp SCNetworkSignaturePrivate.h         SystemConfiguration.framework/PrivateHeaders
+    cp VPNPrivate.h                        SystemConfiguration.framework/PrivateHeaders
+    cp VPNConfiguration.h                  SystemConfiguration.framework/PrivateHeaders
+    cp VPNTunnelPrivate.h                  SystemConfiguration.framework/PrivateHeaders
+    cp VPNTunnel.h                         SystemConfiguration.framework/PrivateHeaders
+
+    mkdir derived
+
+    cat >derived/SystemConfiguration_vers.c <<EOF
+    const unsigned char SystemConfigurationVersionString[] __attribute__ ((used)) = "@(#)PROGRAM:SystemConfiguration  PROJECT:configd-" "\n"; const double SystemConfigurationVersionNumber __attribute__ ((used)) = (double)0.;
+    EOF
+
+    mig -arch x86_64 -header derived/shared_dns_info.h -user derived/shared_dns_infoUser.c -sheader /dev/null -server /dev/null ../dnsinfo/shared_dns_info.defs
+    mig -arch x86_64 -header derived/config.h          -user derived/configUser.c          -sheader /dev/null -server /dev/null config.defs
+    mig -arch x86_64 -header derived/helper.h          -user derived/helperUser.c          -sheader /dev/null -server /dev/null helper/helper.defs
+    mig -arch x86_64 -header derived/pppcontroller.h   -user derived/pppcontrollerUser.c   -sheader /dev/null -server /dev/null pppcontroller.defs
+
+    $CC -I. -Ihelper -Iderived -F. -c SCSchemaDefinitions.c -o SCSchemaDefinitions.o
+    $CC -I. -Ihelper -Iderived -F. -c SCD.c -o SCD.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDKeys.c -o SCDKeys.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDPrivate.c -o SCDPrivate.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDPlugin.c -o SCDPlugin.o
+    $CC -I. -Ihelper -Iderived -F. -c CaptiveNetwork.c -o CaptiveNetwork.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDOpen.c -o SCDOpen.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDList.c -o SCDList.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDAdd.c -o SCDAdd.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDGet.c -o SCDGet.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDSet.c -o SCDSet.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDRemove.c -o SCDRemove.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotify.c -o SCDNotify.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierSetKeys.c -o SCDNotifierSetKeys.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierAdd.c -o SCDNotifierAdd.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierRemove.c -o SCDNotifierRemove.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierGetChanges.c -o SCDNotifierGetChanges.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierWait.c -o SCDNotifierWait.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierInformViaCallback.c -o SCDNotifierInformViaCallback.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierInformViaFD.c -o SCDNotifierInformViaFD.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierInformViaSignal.c -o SCDNotifierInformViaSignal.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDNotifierCancel.c -o SCDNotifierCancel.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDSnapshot.c -o SCDSnapshot.o
+    $CC -I. -Ihelper -Iderived -F. -c SCP.c -o SCP.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPOpen.c -o SCPOpen.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPLock.c -o SCPLock.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPUnlock.c -o SCPUnlock.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPList.c -o SCPList.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPGet.c -o SCPGet.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPAdd.c -o SCPAdd.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPSet.c -o SCPSet.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPRemove.c -o SCPRemove.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPCommit.c -o SCPCommit.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPApply.c -o SCPApply.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPPath.c -o SCPPath.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDConsoleUser.c -o SCDConsoleUser.o
+    $CC -I. -Ihelper -Iderived -F. -c SCDHostName.c -o SCDHostName.o
+    $CC -I. -Ihelper -Iderived -F. -c SCLocation.c -o SCLocation.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetwork.c -o SCNetwork.o
+    $CC -I. -Ihelper -Iderived -F. -c derived/pppcontrollerUser.c -o pppcontrollerUser.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkConnection.c -o SCNetworkConnection.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkConnectionPrivate.c -o SCNetworkConnectionPrivate.o
+    $CC -I. -Ihelper -Iderived -I../dnsinfo -F. -c SCNetworkReachability.c -o SCNetworkReachability.o
+    $CC -I. -Ihelper -Iderived -F. -c SCProxies.c -o SCProxies.o
+    $CC -I. -Ihelper -Iderived -F. -c DHCP.c -o DHCP.o
+    $CC -I. -Ihelper -Iderived -F. -c moh.c -o moh.o
+    $CC -I. -Ihelper -Iderived -F. -c DeviceOnHold.c -o DeviceOnHold.o
+    $CC -I. -Ihelper -Iderived -I $HACK -F. -c LinkConfiguration.c -o LinkConfiguration.o
+    $CC -I. -Ihelper -Iderived -F. -c dy_framework.c -o dy_framework.o
+    $CC -I. -Ihelper -Iderived -I $HACK -F. -c VLANConfiguration.c -o VLANConfiguration.o
+    $CC -I. -Ihelper -Iderived -F. -c derived/configUser.c -o configUser.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPreferencesPathKey.c -o SCPreferencesPathKey.o
+    $CC -I. -Ihelper -Iderived -I../dnsinfo -F. -c derived/shared_dns_infoUser.c -o shared_dns_infoUser.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkConfigurationInternal.c -o SCNetworkConfigurationInternal.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkInterface.c -o SCNetworkInterface.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkProtocol.c -o SCNetworkProtocol.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkService.c -o SCNetworkService.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkSet.c -o SCNetworkSet.o
+    $CC -I. -Ihelper -Iderived -I $HACK -F. -c BondConfiguration.c -o BondConfiguration.o
+    $CC -I. -Ihelper -Iderived -I $HACK -F. -c BridgeConfiguration.c -o BridgeConfiguration.o
+    $CC -I. -Ihelper -Iderived -F. -c helper/SCHelper_client.c -o SCHelper_client.o
+    $CC -I. -Ihelper -Iderived -F. -c SCPreferencesKeychainPrivate.c -o SCPreferencesKeychainPrivate.o
+    $CC -I. -Ihelper -Iderived -F. -c SCNetworkSignature.c -o SCNetworkSignature.o
+    $CC -I. -Ihelper -Iderived -F. -c VPNPrivate.c -o VPNPrivate.o
+    $CC -I. -Ihelper -Iderived -F. -c VPNConfiguration.c -o VPNConfiguration.o
+    $CC -I. -Ihelper -Iderived -F. -c VPNTunnel.c -o VPNTunnel.o
+    $CC -I. -Ihelper -Iderived -F. -c derived/helperUser.c -o helperUser.o
+    $CC -I. -Ihelper -Iderived -F. -c reachability/SCNetworkReachabilityServer_client.c -o SCNetworkReachabilityServer_client.o
+    $CC -I. -Ihelper -Iderived -F. -c reachability/rb.c -o rb.o
+    $CC -I. -Ihelper -Iderived -F. -c derived/SystemConfiguration_vers.c -o SystemConfiguration_vers.o
+
+    $CC -dynamiclib *.o -install_name $out/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration -dead_strip -framework CoreFoundation -single_module -o SystemConfiguration.framework/SystemConfiguration
+
+    popd >/dev/null
+  '';
+
+  installPhase = ''
+    mkdir -p $out/include
+    cp dnsinfo/*.h $out/include/
+  '' + lib.optionalString (!headersOnly) ''
+    mkdir -p $out/Library/Frameworks/
+    mv SystemConfiguration.fproj/SystemConfiguration.framework $out/Library/Frameworks
+  '';
+}
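Review bot: The patchPhase replaces both `CFPreferencesAppValueIsForced(...)` calls in SCNetworkConnectionPrivate.c with a constant `FALSE`, and the comment above it ("I think we'll live...") does not say what behaviour is given up. That function reports whether a preference value is imposed by managed configuration, so this build presumably treats every such value as user-settable. The surrounding C code is not visible here, so this should be confirmed against it. I would replace the comment with `# Our CoreFoundation lacks CFPreferencesAppValueIsForced; substituting FALSE means forced (managed) preferences are treated as ordinary user preferences.`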
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/copyfile/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/copyfile/default.nix
new file mode 100644
index 000000000000..5e7f38e84d7d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/copyfile/default.nix
@@ -0,0 +1,9 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/include/
+    cp copyfile.h $out/include/
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/default.nix
new file mode 100644
index 000000000000..df47d53514ab
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/default.nix
@@ -0,0 +1,319 @@
+{ lib, stdenv, fetchurl, fetchzip, pkgs }:
+
+let
+  # This attrset can in theory be computed automatically, but for that to work nicely we need
+  # import-from-derivation to work properly. Currently it's rather ugly when we try to bootstrap
+  # a stdenv out of something like this. With some care we can probably get rid of this, but for
+  # now it's staying here.
+  versions = {
+    "osx-10.12.6" = {
+      xnu           = "3789.70.16";
+      libiconv      = "50";
+      Libnotify     = "165.20.1";
+      objc4         = "709.1";
+      dyld          = "433.5";
+      CommonCrypto  = "60092.50.5";
+      copyfile      = "138";
+      ppp           = "838.50.1";
+      libclosure    = "67";
+      Libinfo       = "503.50.4";
+      Libsystem     = "1238.60.2";
+      removefile    = "45";
+      libresolv     = "64";
+      libplatform   = "126.50.8";
+      mDNSResponder = "765.50.9";
+      libutil       = "47.30.1";
+      libunwind     = "35.3";
+      Libc          = "1158.50.2";
+      dtrace        = "209.50.12";
+      libpthread    = "218.60.3";
+      hfs           = "366.70.1";
+    };
+    "osx-10.11.6" = {
+      PowerManagement = "572.50.1";
+      dtrace        = "168";
+      xnu           = "3248.60.10";
+      libpthread    = "138.10.4";
+      libiconv      = "44";
+      Libnotify     = "150.40.1";
+      objc4         = "680";
+      eap8021x      = "222.40.1";
+      dyld          = "360.22";
+      architecture  = "268";
+      CommonCrypto  = "60075.50.1";
+      copyfile      = "127";
+      Csu           = "85";
+      ppp           = "809.50.2";
+      libclosure    = "65";
+      Libinfo       = "477.50.4";
+      Libsystem     = "1226.10.1";
+      removefile    = "41";
+      libresolv     = "60";
+
+      # Their release page is a bit of a mess here, so I'm going to lie a bit and say this version
+      # is the right one, even though it isn't. The version I have here doesn't appear to be linked
+      # to any OS releases, but Apple also doesn't mention mDNSResponder from 10.11 to 10.11.6, and
+      # neither of those versions are publicly available.
+      libplatform   = "125";
+      mDNSResponder = "625.41.2";
+
+      # IOKit contains a set of packages with different versions, so we don't have a general version
+      IOKit         = "";
+
+      libutil       = "43";
+      libunwind     = "35.3";
+      Librpcsvc     = "26";
+      developer_cmds= "62";
+      network_cmds  = "481.20.1";
+      basic_cmds    = "55";
+      adv_cmds      = "163";
+      file_cmds     = "264.1.1";
+      shell_cmds    = "187";
+      system_cmds   = "550.6";
+      diskdev_cmds   = "593";
+      top           = "108";
+      text_cmds     = "99";
+    };
+    "osx-10.11.5" = {
+      Libc          = "1082.50.1"; # 10.11.6 still unreleased :/
+    };
+    "osx-10.10.5" = {
+      adv_cmds      = "158";
+      CF            = "1153.18";
+      ICU           = "531.48";
+      libdispatch   = "442.1.4";
+      Security      = "57031.40.6";
+
+      IOAudioFamily                        = "203.3";
+      IOFireWireFamily                     = "458";
+      IOFWDVComponents                     = "207.4.1";
+      IOFireWireAVC                        = "423";
+      IOFireWireSBP2                       = "427";
+      IOFireWireSerialBusProtocolTransport = "251.0.1";
+      IOGraphics                           = "485.40.1";
+      IOHIDFamily                          = "606.40.1";
+      IONetworkingFamily                   = "101";
+      IOSerialFamily                       = "74.20.1";
+      IOStorageFamily                      = "182.1.1";
+      IOBDStorageFamily                    = "14";
+      IOCDStorageFamily                    = "51";
+      IODVDStorageFamily                   = "35";
+      IOKitUser                            = "1050.20.2";
+    };
+    "osx-10.9.5" = {
+      launchd            = "842.92.1";
+      libauto            = "185.5";
+      Libc               = "997.90.3"; # We use this, but not from here
+      Libsystem          = "1197.1.1";
+      Security           = "55471.14.18";
+      security_dotmac_tp = "55107.1";
+
+      IOStorageFamily = "172";
+    };
+    "osx-10.8.5" = {
+      configd     = "453.19";
+      Libc        = "825.40.1";
+      IOUSBFamily = "630.4.5";
+    };
+    "osx-10.8.4" = {
+      IOUSBFamily = "560.4.2";
+    };
+    "osx-10.7.4" = {
+      Libm = "2026";
+    };
+    "osx-10.6.2" = {
+      CarbonHeaders = "18.1";
+    };
+    "osx-10.5.8" = {
+      adv_cmds = "119";
+    };
+    "dev-tools-7.0" = {
+      bootstrap_cmds = "93";
+    };
+    "dev-tools-5.1" = {
+      bootstrap_cmds = "86";
+    };
+    "dev-tools-3.2.6" = {
+      bsdmake = "24";
+    };
+  };
+
+  fetchApple' = pname: version: sha256: let
+    # When cross-compiling, fetchurl depends on libiconv, resulting
+    # in an infinite recursion without this. It's not clear why this
+    # worked fine when not cross-compiling
+    fetch = if pname == "libiconv"
+      then stdenv.fetchurlBoot
+      else fetchurl;
+  in fetch {
+    url = "http://www.opensource.apple.com/tarballs/${pname}/${pname}-${version}.tar.gz";
+    inherit sha256;
+  };
+
+  fetchApple = sdkName: sha256: pname: let
+    version = versions.${sdkName}.${pname};
+  in fetchApple' pname version sha256;
+
+  appleDerivation'' = stdenv: pname: version: sdkName: sha256: attrs: stdenv.mkDerivation ({
+    inherit pname version;
+
+    src = if attrs ? srcs then null else (fetchApple' pname version sha256);
+
+    enableParallelBuilding = true;
+
+    # In rare cases, APPLE may drop some headers quietly on new release.
+    doInstallCheck = attrs ? appleHeaders;
+    passAsFile = [ "appleHeaders" ];
+    installCheckPhase = ''
+      cd $out/include
+
+      result=$(diff -u "$appleHeadersPath" <(find * -type f | sort) --label "Listed in appleHeaders" --label "Found in \$out/include" || true)
+
+      if [ -z "$result" ]; then
+        echo "Apple header list is matched."
+      else
+        echo >&2 "\
+      Apple header list is inconsistent, please ensure no header file is unexpectedly dropped.
+      $result
+      "
+        exit 1
+      fi
+    '';
+
+  } // attrs // {
+    meta = (with lib; {
+      platforms = platforms.darwin;
+      license = licenses.apsl20;
+    }) // (attrs.meta or {});
+  });
+
+  IOKitSpecs = {
+    IOAudioFamily                        = fetchApple "osx-10.10.5" "0ggq7za3iq8g02j16rj67prqhrw828jsw3ah3bxq8a1cvr55aqnq";
+    IOFireWireFamily                     = fetchApple "osx-10.10.5" "059qa1m668kwvchl90cqcx35b31zaqdg61zi11y1imn5s389y2g1";
+    IOFWDVComponents                     = fetchApple "osx-10.10.5" "1brr0yn6mxgapw3bvlhyissfksifzj2mqsvj9vmps6zwcsxjfw7m";
+    IOFireWireAVC                        = fetchApple "osx-10.10.5" "194an37gbqs9s5s891lmw6prvd1m2362602s8lj5m89fp9h8mbal";
+    IOFireWireSBP2                       = fetchApple "osx-10.10.5" "1mym158kp46y1vfiq625b15ihh4jjbpimfm7d56wlw6l2syajqvi";
+    IOFireWireSerialBusProtocolTransport = fetchApple "osx-10.10.5" "09kiq907qpk94zbij1mrcfcnyyc5ncvlxavxjrj4v5braxm78lhi";
+    IOGraphics                           = fetchApple "osx-10.10.5" "1z0x3yrv0p8pfdqnvwf8rvrf9wip593lhm9q6yzbclz3fn53ad0p";
+    IOHIDFamily                          = fetchApple "osx-10.10.5" "0yibagwk74imp3j3skjycm703s5ybdqw0qlsmnml6zwjpbrz5894";
+    IONetworkingFamily                   = fetchApple "osx-10.10.5" "04as1hc8avncijf61mp9dmplz8vb1inhirkd1g74gah08lgrfs9j";
+    IOSerialFamily                       = fetchApple "osx-10.10.5" "0jh12aanxcigqi9w6wqzbwjdin9m48zwrhdj3n4ki0h41sg89y91";
+    IOStorageFamily                      = fetchApple "osx-10.9.5"  "0w5yr8ppl82anwph2zba0ppjji6ipf5x410zhcm1drzwn4bbkxrj";
+    IOBDStorageFamily                    = fetchApple "osx-10.10.5" "1rbvmh311n853j5qb6hfda94vym9wkws5w736w2r7dwbrjyppc1q";
+    IOCDStorageFamily                    = fetchApple "osx-10.10.5" "1905sxwmpxdcnm6yggklc5zimx1558ygm3ycj6b34f9h48xfxzgy";
+    IODVDStorageFamily                   = fetchApple "osx-10.10.5" "1fv82rn199mi998l41c0qpnlp3irhqp2rb7v53pxbx7cra4zx3i6";
+    # There should be an IOStreamFamily project here, but they haven't released it :(
+    IOUSBFamily                          = fetchApple "osx-10.8.5"  "1znqb6frxgab9mkyv7csa08c26p9p0ip6hqb4wm9c7j85kf71f4j"; # This is from 10.8 :(
+    IOUSBFamily_older                    = fetchApple "osx-10.8.4"  "113lmpz8n6sibd27p42h8bl7a6c3myc6zngwri7gnvf8qlajzyml" "IOUSBFamily"; # This is even older :(
+    IOKitUser                            = fetchApple "osx-10.10.5" "1jzndziv97bhjxmla8nib5fpcswbvsxr04447g251ls81rw313lb";
+    # There should be an IOVideo here, but they haven't released it :(
+  };
+
+  IOKitSrcs = lib.mapAttrs (name: value: if lib.isFunction value then value name else value) IOKitSpecs;
+
+in
+
+# darwin package set
+self:
+
+let
+  macosPackages_11_0_1 = import ./macos-11.0.1.nix { inherit applePackage'; };
+  developerToolsPackages_11_3_1 = import ./developer-tools-11.3.1.nix { inherit applePackage'; };
+
+  applePackage' = namePath: version: sdkName: sha256:
+    let
+      pname = builtins.head (lib.splitString "/" namePath);
+      appleDerivation' = stdenv: appleDerivation'' stdenv pname version sdkName sha256;
+      appleDerivation = appleDerivation' stdenv;
+      callPackage = self.newScope { inherit appleDerivation' appleDerivation; };
+    in callPackage (./. + "/${namePath}");
+
+  applePackage = namePath: sdkName: sha256: let
+    pname = builtins.head (lib.splitString "/" namePath);
+    version = versions.${sdkName}.${pname};
+  in applePackage' namePath version sdkName sha256;
+
+  # Only used for bootstrapping. It’s convenient because it was the last version to come with a real makefile.
+  adv_cmds-boot = applePackage "adv_cmds/boot.nix" "osx-10.5.8" "102ssayxbg9wb35mdmhswbnw0bg7js3pfd8fcbic83c5q3bqa6c6" {};
+
+in
+
+developerToolsPackages_11_3_1 // macosPackages_11_0_1 // {
+    # TODO: shorten this list, we should cut down to a minimum set of bootstrap or necessary packages here.
+
+    inherit (adv_cmds-boot) ps locale;
+    architecture    = applePackage "architecture"      "osx-10.11.6"     "1pbpjcd7is69hn8y29i98ci0byik826if8gnp824ha92h90w0fq3" {};
+    bsdmake         = applePackage "bsdmake"           "dev-tools-3.2.6" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
+    CarbonHeaders   = applePackage "CarbonHeaders"     "osx-10.6.2"      "1zam29847cxr6y9rnl76zqmkbac53nx0szmqm9w5p469a6wzjqar" {};
+    CommonCrypto    = applePackage "CommonCrypto"      "osx-10.12.6"     "0sgsqjcxbdm2g2zfpc50mzmk4b4ldyw7xvvkwiayhpczg1fga4ff" {};
+    configd         = applePackage "configd"           "osx-10.8.5"      "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {
+      Security      = applePackage "Security/boot.nix" "osx-10.9.5"      "1nv0dczf67dhk17hscx52izgdcyacgyy12ag0jh6nl5hmfzsn8yy" {};
+    };
+    copyfile        = applePackage "copyfile"          "osx-10.12.6"     "0a70bvzndkava1a946cdq42lnjhg7i7b5alpii3lap6r5fkvas0n" {};
+    Csu             = applePackage "Csu"               "osx-10.11.6"     "0yh5mslyx28xzpv8qww14infkylvc1ssi57imhi471fs91sisagj" {};
+    dtrace          = applePackage "dtrace"            "osx-10.12.6"     "0hpd6348av463yqf70n3xkygwmf1i5zza8kps4zys52sviqz3a0l" {};
+    dyld            = applePackage "dyld"              "osx-10.12.6"     "0q4jmk78b5ajn33blh4agyq6v2a63lpb3fln78az0dy12bnp1qqk" {};
+    eap8021x        = applePackage "eap8021x"          "osx-10.11.6"     "0iw0qdib59hihyx2275rwq507bq2a06gaj8db4a8z1rkaj1frskh" {};
+    IOKit           = applePackage "IOKit"             "osx-10.11.6"     "0kcbrlyxcyirvg5p95hjd9k8a01k161zg0bsfgfhkb90kh2s8x00" { inherit IOKitSrcs; };
+    launchd         = applePackage "launchd"           "osx-10.9.5"      "0w30hvwqq8j5n90s3qyp0fccxflvrmmjnicjri4i1vd2g196jdgj" {};
+    libauto         = applePackage "libauto"           "osx-10.9.5"      "17z27yq5d7zfkwr49r7f0vn9pxvj95884sd2k6lq6rfaz9gxqhy3" {};
+    Libc            = applePackage "Libc"              "osx-10.12.6"     "183wcy1nlj2wkpfsx3k3lyv917mk8r2p72qw8lb89mbjsw3yw0xx" {
+      Libc_10-9 = fetchzip {
+        url    = "http://www.opensource.apple.com/tarballs/Libc/Libc-997.90.3.tar.gz";
+        sha256 = "1xchgxkxg5288r2b9yfrqji2gsgdap92k4wx2dbjwslixws12pq7";
+      };
+      Libc_old        = applePackage "Libc/825_40_1.nix" "osx-10.8.5"      "0xsx1im52gwlmcrv4lnhhhn9dyk5ci6g27k6yvibn9vj8fzjxwcf" {};
+    };
+    libclosure      = applePackage "libclosure"        "osx-10.11.6"     "1zqy1zvra46cmqv6vsf1mcsz3a76r9bky145phfwh4ab6y15vjpq" {};
+    libdispatch     = applePackage "libdispatch"       "osx-10.10.5"     "0jsfbzp87lwk9snlby0hd4zvj7j894p5q3cw0wdx9ny1mcp3kdcj" {};
+    libiconv        = applePackage "libiconv"          "osx-10.12.6"     "1gg5h6z8sk851bhv87vyxzs54jmqz6lh57ny8j4s51j7srja0nly" {};
+    Libinfo         = applePackage "Libinfo"           "osx-10.11.6"     "0qjgkd4y8sjvwjzv5wwyzkb61pg8wwg95bkp721dgzv119dqhr8x" {};
+    Libm            = applePackage "Libm"              "osx-10.7.4"      "02sd82ig2jvvyyfschmb4gpz6psnizri8sh6i982v341x6y4ysl7" {};
+    Libnotify       = applePackage "Libnotify"         "osx-10.12.6"     "0p5qhvalf6j1w6n8xwywhn6dvbpzv74q5wqrgs8rwfpf74wg6s9z" {};
+    libplatform     = applePackage "libplatform"       "osx-10.12.6"     "0rh1f5ybvwz8s0nwfar8s0fh7jbgwqcy903cv2x8m15iq1x599yn" {};
+    libpthread      = applePackage "libpthread"        "osx-10.12.6"     "1j6541rcgjpas1fc77ip5krjgw4bvz6jq7bq7h9q7axb0jv2ns6c" {};
+    libresolv       = applePackage "libresolv"         "osx-10.12.6"     "077j6ljfh7amqpk2146rr7dsz5vasvr3als830mgv5jzl7l6vz88" {};
+    Libsystem       = applePackage "Libsystem"         "osx-10.12.6"     "1082ircc1ggaq3wha218vmfa75jqdaqidsy1bmrc4ckfkbr3bwx2" {};
+    libutil         = applePackage "libutil"           "osx-10.12.6"     "0lqdxaj82h8yjbjm856jjz9k2d96k0viimi881akfng08xk1246y" {};
+    libunwind       = applePackage "libunwind"         "osx-10.12.6"     "0miffaa41cv0lzf8az5k1j1ng8jvqvxcr4qrlkf3xyj479arbk1b" {};
+    mDNSResponder   = applePackage "mDNSResponder"     "osx-10.12.6"     "02ms1p8zlgmprzn65jzr7yaqxykh3zxjcrw0c06aayim6h0dsqfy" {};
+    objc4           = applePackage "objc4"             "osx-10.12.6"     "1cj1vhbcs9pkmag2ms8wslagicnq9bxi2qjkszmp3ys7z7ccrbwz" {};
+    ppp             = applePackage "ppp"               "osx-10.12.6"     "1kcc2nc4x1kf8sz0a23i6nfpvxg381kipi0qdisrp8x9z2gbkxb8" {};
+    removefile      = applePackage "removefile"        "osx-10.12.6"     "0jzjxbmxgjzhssqd50z7kq9dlwrv5fsdshh57c0f8mdwcs19bsyx" {};
+    xnu             = if stdenv.isx86_64 then
+    applePackage "xnu"               "osx-10.12.6"     "1sjb0i7qzz840v2h4z3s4jyjisad4r5yyi6sg8pakv3wd81i5fg5" {
+      python3 = pkgs.buildPackages.buildPackages.python3; # TODO(@Ericson2314) this shouldn't be needed.
+    }
+    else macosPackages_11_0_1.xnu;
+    hfs             = applePackage "hfs"               "osx-10.12.6"     "1mj3xvqpq1mgd80b6kl1s04knqnap7hccr0gz8rjphalq14rbl5g" {};
+    Librpcsvc       = applePackage "Librpcsvc"         "osx-10.11.6"     "1zwfwcl9irxl1dlnf2b4v30vdybp0p0r6n6g1pd14zbdci1jcg2k" {};
+    adv_cmds        = applePackage "adv_cmds"          "osx-10.11.6"    "12gbv35i09aij9g90p6b3x2f3ramw43qcb2gjrg8lzkzmwvcyw9q" {};
+    basic_cmds      = applePackage "basic_cmds"        "osx-10.11.6"     "0hvab4b1v5q2x134hdkal0rmz5gsdqyki1vb0dbw4py1bqf0yaw9" {};
+    developer_cmds  = applePackage "developer_cmds"    "osx-10.11.6"     "1r9c2b6dcl22diqf90x58psvz797d3lxh4r2wppr7lldgbgn24di" {};
+    diskdev_cmds    = applePackage "diskdev_cmds"      "osx-10.11.6"     "1ssdyiaq5m1zfy96yy38yyknp682ki6bvabdqd5z18fa0rv3m2ar" {
+      macosPackages_11_0_1 = macosPackages_11_0_1;
+    };
+    network_cmds    = if stdenv.isx86_64 then
+      applePackage "network_cmds" "osx-10.11.6" "0lhi9wz84qr1r2ab3fb4nvmdg9gxn817n5ldg7zw9gnf3wwn42kw" {}
+    else macosPackages_11_0_1.network_cmds;
+    file_cmds       = applePackage "file_cmds"         "osx-10.11.6"     "1zfxbmasps529pnfdjvc13p7ws2cfx8pidkplypkswyff0nff4wp" {};
+    shell_cmds      = applePackage "shell_cmds"        "osx-10.11.6"     "0084k271v66h4jqp7q7rmjvv7w4mvhx3aq860qs8jbd30canm86n" {};
+    system_cmds     = applePackage "system_cmds"       "osx-10.11.6"     "1h46j2c5v02pkv5d9fyv6cpgyg0lczvwicrx6r9s210cl03l77jl" {};
+    text_cmds       = applePackage "text_cmds"         "osx-10.11.6"     "1f93m7dd0ghqb2hwh905mjhzblyfr7dwffw98xhgmv1mfdnigxg0" {};
+    top             = applePackage "top"               "osx-10.11.6"     "0i9120rfwapgwdvjbfg0ya143i29s1m8zbddsxh39pdc59xnsg5l" {};
+    PowerManagement = applePackage "PowerManagement"   "osx-10.11.6"     "1llimhvp0gjffd47322lnjq7cqwinx0c5z7ikli04ad5srpa68mh" {};
+
+    # `configdHeaders` can’t use an override because `pkgs.darwin.configd` on aarch64-darwin will
+    # be replaced by SystemConfiguration.framework from the macOS SDK.
+    configdHeaders  = applePackage "configd"           "osx-10.8.5"      "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {
+      headersOnly = true;
+      Security    = null;
+    };
+    libutilHeaders  = pkgs.darwin.libutil.override { headersOnly = true; };
+    hfsHeaders      = pkgs.darwin.hfs.override { headersOnly = true; };
+    libresolvHeaders= pkgs.darwin.libresolv.override { headersOnly = true; };
+
+    # TODO(matthewbauer):
+    # To be removed, once I figure out how to build a newer Security version.
+    Security        = applePackage "Security/boot.nix" "osx-10.9.5"      "1nv0dczf67dhk17hscx52izgdcyacgyy12ag0jh6nl5hmfzsn8yy" {};
+}
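Review bot: `fetchApple'` builds its URL as `http://www.opensource.apple.com/tarballs/...`, and the `Libc_10-9` `fetchzip` further down does the same, so every source tarball in this package set is requested over plain HTTP. The pinned `sha256` values mean a modified tarball fails the build rather than being used, so integrity does not depend on the transport. An on-path party can still observe or disrupt the fetches, though, and anyone refreshing a hash from a fresh download has no transport-level assurance about what they hashed. Provided the host serves the same paths over TLS, switch the scheme: `url = "https://www.opensource.apple.com/tarballs/${pname}/${pname}-${version}.tar.gz";`, and likewise for the `Libc-997.90.3.tar.gz` URL.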
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer-tools-11.3.1.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer-tools-11.3.1.nix
new file mode 100644
index 000000000000..f57d224615f4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer-tools-11.3.1.nix
@@ -0,0 +1,8 @@
+# Generated using:  ./generate-sdk-packages.sh developer-tools 11.3.1
+
+{ applePackage' }:
+
+{
+bootstrap_cmds = applePackage' "bootstrap_cmds" "116" "developer-tools-11.3.1" "148xpqkf5xzpslqxch5l8h6vsz7sys8sdzk4ghbg9mkcivp8qa03" {};
+developer_cmds = applePackage' "developer_cmds" "66" "developer-tools-11.3.1" "0q08m4cxxwph7gxqravmx13l418p1i050bd46zwksn9j9zpw9mlr" {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/default.nix
new file mode 100644
index 000000000000..18233cfc5227
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/default.nix
@@ -0,0 +1,41 @@
+{ lib, appleDerivation, xcbuildHook, llvmPackages, makeWrapper }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook makeWrapper ];
+
+  patches = [
+    # The following copied from
+    # https://github.com/Homebrew/homebrew-core/commit/712ed3e948868e17f96b7e59972b5f45d4faf688
+    # is needed to build libvirt.
+    ./rpcgen-support-hyper-and-quad-types.patch
+  ];
+
+  postPatch = ''
+    makeWrapper ${llvmPackages.clang}/bin/clang $out/bin/clang-cpp --add-flags "--driver-mode=cpp"
+    substituteInPlace rpcgen/rpc_main.c \
+      --replace "/usr/bin/cpp" "$out/bin/clang-cpp"
+  '';
+
+  # Workaround build failure on -fno-common toolchains:
+  #   duplicate symbol '_btype_2' in:args.o pr_comment.o
+  NIX_CFLAGS_COMPILE = "-fcommon";
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    for n in 1; do
+      mkdir -p $out/share/man/man$n
+      install */*.$n $out/share/man/man$n
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
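Review bot: The `makeWrapper … $out/bin/clang-cpp` call sits in `postPatch`, so the derivation starts populating `$out` during the patch phase, before anything has been built. Only the `substituteInPlace` of `/usr/bin/cpp` needs to run at patch time, because it just writes the path into `rpcgen/rpc_main.c`; the wrapper itself could be created at the top of `installPhase`. Note that `installPhase` is replaced wholesale without `runHook preInstall`/`runHook postInstall`, so a `postInstall` hook would not run unless those calls are added. The install loop also expands `$f` unquoted; `install -D "$f" "$out/bin/$(basename "$f")"` is safer, and the same loop appears in diskdev_cmds/default.nix and file_cmds/default.nix.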
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/rpcgen-support-hyper-and-quad-types.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/rpcgen-support-hyper-and-quad-types.patch
new file mode 100644
index 000000000000..481cf0f3e055
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/developer_cmds/rpcgen-support-hyper-and-quad-types.patch
@@ -0,0 +1,66 @@
+diff --git a/rpcgen/rpc_parse.c b/rpcgen/rpc_parse.c
+index 52edc9f..db0c1f1 100644
+--- a/rpcgen/rpc_parse.c
++++ b/rpcgen/rpc_parse.c
+@@ -580,6 +580,10 @@ get_type(prefixp, typep, dkind)
+		*typep = "long";
+		(void) peekscan(TOK_INT, &tok);
+		break;
++	case TOK_HYPER:
++		*typep = "int64_t";
++		(void) peekscan(TOK_INT, &tok);
++		break;
+	case TOK_VOID:
+		if (dkind != DEF_UNION && dkind != DEF_PROGRAM) {
+			error("voids allowed only inside union and program definitions with one argument");
+@@ -592,6 +596,7 @@ get_type(prefixp, typep, dkind)
+	case TOK_INT:
+	case TOK_FLOAT:
+	case TOK_DOUBLE:
++	case TOK_QUAD:
+	case TOK_BOOL:
+		*typep = tok.str;
+		break;
+@@ -622,6 +627,11 @@ unsigned_dec(typep)
+		*typep = "u_long";
+		(void) peekscan(TOK_INT, &tok);
+		break;
++	case TOK_HYPER:
++		get_token(&tok);
++		*typep = "u_int64_t";
++		(void) peekscan(TOK_INT, &tok);
++		break;
+	case TOK_INT:
+		get_token(&tok);
+		*typep = "u_int";
+diff --git a/rpcgen/rpc_scan.c b/rpcgen/rpc_scan.c
+index a8df441..4130107 100644
+--- a/rpcgen/rpc_scan.c
++++ b/rpcgen/rpc_scan.c
+@@ -419,8 +419,10 @@ static token symbols[] = {
+	{TOK_UNSIGNED, "unsigned"},
+	{TOK_SHORT, "short"},
+	{TOK_LONG, "long"},
++	{TOK_HYPER, "hyper"},
+	{TOK_FLOAT, "float"},
+	{TOK_DOUBLE, "double"},
++	{TOK_QUAD, "quadruple"},
+	{TOK_STRING, "string"},
+	{TOK_PROGRAM, "program"},
+	{TOK_VERSION, "version"},
+diff --git a/rpcgen/rpc_scan.h b/rpcgen/rpc_scan.h
+index bac2be4..e4c57c8 100644
+--- a/rpcgen/rpc_scan.h
++++ b/rpcgen/rpc_scan.h
+@@ -66,9 +66,11 @@ enum tok_kind {
+	TOK_INT,
+	TOK_SHORT,
+	TOK_LONG,
++	TOK_HYPER,
+	TOK_UNSIGNED,
+	TOK_FLOAT,
+	TOK_DOUBLE,
++	TOK_QUAD,
+	TOK_OPAQUE,
+	TOK_CHAR,
+	TOK_STRING,
\ No newline at end of file
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix
new file mode 100644
index 000000000000..ec252dca41c2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/diskdev_cmds/default.nix
@@ -0,0 +1,41 @@
+{ lib, appleDerivation, xcbuildHook, Libc, stdenv, macosPackages_11_0_1, xnu
+, fetchurl, libutil }:
+
+let
+  xnu-src = if stdenv.isAarch64 then macosPackages_11_0_1.xnu.src else xnu.src;
+  arch = if stdenv.isAarch64 then "arm" else "i386";
+in appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ libutil ];
+
+  NIX_CFLAGS_COMPILE = "-I.";
+  NIX_LDFLAGS = "-lutil";
+  patchPhase = ''
+    # ugly hacks for missing headers
+    # most are bsd related - probably should make this a drv
+    unpackFile ${Libc.src}
+    unpackFile ${xnu-src}
+    mkdir System sys machine ${arch}
+    cp xnu-*/bsd/sys/disklabel.h sys
+    cp xnu-*/bsd/machine/disklabel.h machine
+    cp xnu-*/bsd/${arch}/disklabel.h ${arch}
+    cp -r xnu-*/bsd/sys System
+    cp -r Libc-*/uuid System
+    substituteInPlace diskdev_cmds.xcodeproj/project.pbxproj \
+      --replace 'DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";' ""
+  '';
+  installPhase = ''
+    install -D Products/Release/libdisk.a $out/lib/libdisk.a
+    rm Products/Release/libdisk.a
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
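Review bot: Assigning `patchPhase` directly replaces the standard patch phase, so a `patches` list and the `prePatch`/`postPatch` hooks would be silently skipped for this package unless `appleDerivation` compensates somewhere outside this hunk. Moving the body into `postPatch` keeps the header-copying steps and leaves the default phase intact; file_cmds/default.nix overrides `patchPhase` the same way. The `fetchurl` argument in the function header is not used anywhere in this file and can be dropped.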
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dtrace/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dtrace/default.nix
new file mode 100644
index 000000000000..1f13cbef9fc9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dtrace/default.nix
@@ -0,0 +1,55 @@
+{ appleDerivation, xcbuildHook, CoreSymbolication
+, xnu, bison, flex, darling, stdenv, fixDarwinDylibNames }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook flex bison fixDarwinDylibNames ];
+  buildInputs = [ CoreSymbolication darling xnu ];
+  # -fcommon: workaround build failure on -fno-common toolchains:
+  #   duplicate symbol '_kCSRegionMachHeaderName' in: libproc.o dt_module_apple.o
+  NIX_CFLAGS_COMPILE = "-DCTF_OLD_VERSIONS -DPRIVATE -DYYDEBUG=1 -I${xnu}/Library/Frameworks/System.framework/Headers -Wno-error=implicit-function-declaration -fcommon";
+  NIX_LDFLAGS = "-L./Products/Release";
+  xcbuildFlags = [ "-target" "dtrace_frameworks" "-target" "dtrace" ];
+
+  doCheck = false;
+  checkPhase = "xcodebuild -target dtrace_tests";
+
+  postPatch = ''
+    substituteInPlace dtrace.xcodeproj/project.pbxproj \
+      --replace "/usr/sbin" ""
+    substituteInPlace libdtrace/dt_open.c \
+      --replace /usr/bin/clang ${stdenv.cc.cc}/bin/clang \
+      --replace /usr/bin/ld ${stdenv.cc.bintools.bintools}/bin/ld \
+      --replace /usr/lib/dtrace/dt_cpp.h $out/include/dt_cpp.h \
+      --replace /usr/lib/dtrace $out/lib/dtrace
+  '';
+
+  # hack to handle xcbuild's broken lex handling
+  preBuild = ''
+    pushd libdtrace
+    yacc -d dt_grammar.y
+    flex -l -d dt_lex.l
+    popd
+
+    substituteInPlace dtrace.xcodeproj/project.pbxproj \
+      --replace '6EBC9800099BFBBF0001019C /* dt_grammar.y */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.yacc; name = dt_grammar.y; path = libdtrace/dt_grammar.y; sourceTree = "<group>"; };' '6EBC9800099BFBBF0001019C /* y.tab.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = y.tab.c; path = libdtrace/y.tab.c; sourceTree = "<group>"; };' \
+      --replace '6EBC9808099BFBBF0001019C /* dt_lex.l */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.lex; name = dt_lex.l; path = libdtrace/dt_lex.l; sourceTree = "<group>"; };' '6EBC9808099BFBBF0001019C /* lex.yy.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = lex.yy.c; path = libdtrace/lex.yy.c; sourceTree = "<group>"; };'
+  '';
+
+  # xcbuild doesn't support install
+  installPhase = ''
+    mkdir -p $out
+
+    cp -r Products/Release/usr/include $out/include
+    cp scripts/dt_cpp.h $out/include/dt_cpp.h
+
+    mkdir $out/lib
+    cp Products/Release/*.dylib $out/lib
+
+    mkdir $out/bin
+    cp Products/Release/dtrace $out/bin
+
+    mkdir -p $out/lib/dtrace
+
+    install_name_tool -change $PWD/Products/Release/libdtrace.dylib $out/lib/libdtrace.dylib $out/bin/dtrace
+  '';
+}
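Review bot: `NIX_CFLAGS_COMPILE` adds `-Wno-error=implicit-function-declaration`, which lets calls to undeclared functions compile with an assumed `int` return type; on 64-bit targets that truncates any pointer the real function returns. The flag deserves a comment naming what it works around, e.g. `# TODO: <function names> have no prototype in <header>; drop this flag once they are declared`, so it gets removed rather than inherited. This file also sets no `meta`, unlike the neighbouring packages, so at least here `platforms` is not restricted to Darwin.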
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix
new file mode 100644
index 000000000000..ca3b70cd0926
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/dyld/default.nix
@@ -0,0 +1,16 @@
+{ lib, appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/lib $out/include
+    ln -s /usr/lib/dyld $out/lib/dyld
+    cp -r include $out/
+  '';
+
+  meta = with lib; {
+    description = "Impure primitive symlinks to the Mac OS native dyld, along with headers";
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
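Review bot: `ln -s /usr/lib/dyld $out/lib/dyld` makes the output depend on whatever loader the host provides: the link target lives outside the store, so it is not covered by the derivation's hash, may differ between machines, and dangles wherever that path is absent. `meta.description` already calls the package impure, but a comment at the `ln -s` line would help anyone reading the expression, for example `# Impure: resolves to the host's dyld at run time; nothing here pins or verifies it.`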
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/eap8021x/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/eap8021x/default.nix
new file mode 100644
index 000000000000..f5c47f01d37a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/eap8021x/default.nix
@@ -0,0 +1,10 @@
+{ appleDerivation', stdenv }:
+
+appleDerivation' stdenv {
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/Library/Frameworks/EAP8021X.framework/Headers
+
+    cp EAP8021X.fproj/EAPClientProperties.h $out/Library/Frameworks/EAP8021X.framework/Headers
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/file_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/file_cmds/default.nix
new file mode 100644
index 000000000000..cfa66d2c3536
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/file_cmds/default.nix
@@ -0,0 +1,42 @@
+{ lib, appleDerivation, xcbuildHook, zlib, bzip2, xz, ncurses, libutil, Libinfo }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ zlib bzip2 xz ncurses libutil Libinfo ];
+
+  # some commands not working:
+  # mtree: _simple.h not found
+  # ipcs: sys/ipcs.h not found
+  # so remove their targets from the project
+  patchPhase = ''
+    substituteInPlace file_cmds.xcodeproj/project.pbxproj \
+      --replace "FC8A8CAA14B655FD001B97AD /* PBXTargetDependency */," "" \
+      --replace "FC8A8C9C14B655FD001B97AD /* PBXTargetDependency */," "" \
+      --replace "productName = file_cmds;" "" \
+      --replace '/usr/lib/libcurses.dylib' 'libncurses.dylib'
+    sed -i -re "s/name = ([a-zA-Z]+);/name = \1; productName = \1;/" file_cmds.xcodeproj/project.pbxproj
+  '';
+
+  # Workaround build failure on -fno-common toolchains:
+  #   duplicate symbol '_chdname' in: ar_io.o tty_subs.o
+  NIX_CFLAGS_COMPILE = "-fcommon";
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    for n in 1; do
+      mkdir -p $out/share/man/man$n
+      install */*.$n $out/share/man/man$n
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/generate-sdk-packages.sh b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/generate-sdk-packages.sh
new file mode 100755
index 000000000000..d7c3fc89c525
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/generate-sdk-packages.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl
+
+# usage:
+#   generate-sdk-packages.sh macos 11.0.1
+
+cd $(dirname "$0")
+
+sdkName="$1-$2"
+outfile="$sdkName.nix"
+
+>$outfile echo "# Generated using:  ./$(basename "$0") $1 $2
+
+{ applePackage' }:
+
+{"
+
+parse_line() {
+    readarray -t -d$'\t' package <<<$2
+    local pname=${package[0]} version=${package[1]}
+
+    if [ -d $pname ]; then
+        sha256=$(nix-prefetch-url "https://opensource.apple.com/tarballs/$pname/$pname-$version.tar.gz")
+        >>$outfile echo "$pname = applePackage' \"$pname\" \"$version\" \"$sdkName\" \"$sha256\" {};"
+    fi
+}
+readarray -s1 -c1 -C parse_line < <(curl -sS "https://opensource.apple.com/text/${sdkName//./}.txt")
+
+>>$outfile echo '}'
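Review bot: The script keeps going after failures, so a bad run can write a plausible-looking but wrong file: `curl -sS` without `--fail` hands an HTTP error body to `parse_line`, and if `nix-prefetch-url` fails, `sha256` is empty and the `applePackage'` line is still appended. Adding `set -euo pipefail` near the top and using `curl -fsS` would stop most of that, although a failure inside the `< <(curl …)` process substitution still needs an explicit check. `$version` comes straight from the remote index and is written into a Nix string literal and a download URL, so values containing anything outside a conservative set (letters, digits, `.`, `_`, `-`) should be rejected before use; `$pname` is partly constrained by the `[ -d $pname ]` test. `cd $(dirname "$0")`, `$outfile` and `$pname` in the test should be quoted as well.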
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/hfs/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/hfs/default.nix
new file mode 100644
index 000000000000..093e8525e587
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/hfs/default.nix
@@ -0,0 +1,47 @@
+{ appleDerivation', stdenv, stdenvNoCC, lib, headersOnly ? true }:
+
+appleDerivation' (if headersOnly then stdenvNoCC else stdenv) {
+  installPhase = lib.optionalString headersOnly ''
+    mkdir -p $out/include/hfs
+    cp core/*.h $out/include/hfs
+  '';
+
+  appleHeaders = ''
+    hfs/BTreeScanner.h
+    hfs/BTreesInternal.h
+    hfs/BTreesPrivate.h
+    hfs/CatalogPrivate.h
+    hfs/FileMgrInternal.h
+    hfs/HFSUnicodeWrappers.h
+    hfs/UCStringCompareData.h
+    hfs/hfs.h
+    hfs/hfs_alloc_trace.h
+    hfs/hfs_attrlist.h
+    hfs/hfs_btreeio.h
+    hfs/hfs_catalog.h
+    hfs/hfs_cnode.h
+    hfs/hfs_cprotect.h
+    hfs/hfs_dbg.h
+    hfs/hfs_endian.h
+    hfs/hfs_extents.h
+    hfs/hfs_format.h
+    hfs/hfs_fsctl.h
+    hfs/hfs_hotfiles.h
+    hfs/hfs_iokit.h
+    hfs/hfs_journal.h
+    hfs/hfs_kdebug.h
+    hfs/hfs_key_roll.h
+    hfs/hfs_macos_defs.h
+    hfs/hfs_mount.h
+    hfs/hfs_quota.h
+    hfs/hfs_unistr.h
+    hfs/kext-config.h
+    hfs/rangelist.h
+  '';
+
+  meta = {
+    # Seems nobody wants its binary, so we didn't implement building.
+    broken = !headersOnly;
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/launchd/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/launchd/default.nix
new file mode 100644
index 000000000000..67e051d56853
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/launchd/default.nix
@@ -0,0 +1,26 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  # No clue why the same file has two different names. Ask Apple!
+  installPhase = ''
+    mkdir -p $out/include/ $out/include/servers
+    cp liblaunch/*.h $out/include
+
+    cp liblaunch/bootstrap.h $out/include/servers
+    cp liblaunch/bootstrap.h $out/include/servers/bootstrap_defs.h
+  '';
+
+  appleHeaders = ''
+    bootstrap.h
+    bootstrap_priv.h
+    launch.h
+    launch_internal.h
+    launch_priv.h
+    reboot2.h
+    servers/bootstrap.h
+    servers/bootstrap_defs.h
+    vproc.h
+    vproc_internal.h
+    vproc_priv.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h
new file mode 100644
index 000000000000..bf367a3cabb3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/auto_dtrace.h
@@ -0,0 +1,129 @@
+/*
+ * Generated by dtrace(1M).
+ */
+
+#ifndef _AUTO_DTRACE_H
+#define _AUTO_DTRACE_H
+
+#include <unistd.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#define GARBAGE_COLLECTION_STABILITY "___dtrace_stability$garbage_collection$v1$1_1_0_1_1_0_1_1_0_1_1_0_1_1_0"
+
+#define GARBAGE_COLLECTION_TYPEDEFS "___dtrace_typedefs$garbage_collection$v2$6175746f5f636f6c6c656374696f6e5f70686173655f74$6175746f5f636f6c6c656374696f6e5f747970655f74$6d616c6c6f635f7a6f6e655f74"
+
+#if !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED
+
+#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY(arg0, arg1) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$auto_block_lost_thread_locality$v1$766f6964202a$75696e7436345f74(arg0, arg1); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$auto_block_lost_thread_locality$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION(arg0) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$auto_refcount_one_allocation$v1$75696e7436345f74(arg0); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$auto_refcount_one_allocation$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_COLLECTION_BEGIN(arg0, arg1) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$collection_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f747970655f74(arg0, arg1); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_COLLECTION_BEGIN_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$collection_begin$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_COLLECTION_END(arg0, arg1, arg2, arg3, arg4) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$collection_end$v1$6d616c6c6f635f7a6f6e655f74202a$75696e7436345f74$75696e7436345f74$75696e7436345f74$75696e7436345f74(arg0, arg1, arg2, arg3, arg4); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_COLLECTION_END_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$collection_end$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN(arg0, arg1) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$collection_phase_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74(arg0, arg1); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$collection_phase_begin$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_END(arg0, arg1, arg2, arg3) \
+do { \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_TYPEDEFS); \
+  __dtrace_probe$garbage_collection$collection_phase_end$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74$75696e7436345f74$75696e7436345f74(arg0, arg1, arg2, arg3); \
+  __asm__ volatile(".reference " GARBAGE_COLLECTION_STABILITY); \
+} while (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_END_ENABLED() \
+  ({ int _r = __dtrace_isenabled$garbage_collection$collection_phase_end$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+
+
+extern void __dtrace_probe$garbage_collection$auto_block_lost_thread_locality$v1$766f6964202a$75696e7436345f74(const void *, uint64_t);
+extern int __dtrace_isenabled$garbage_collection$auto_block_lost_thread_locality$v1(void);
+extern void __dtrace_probe$garbage_collection$auto_refcount_one_allocation$v1$75696e7436345f74(uint64_t);
+extern int __dtrace_isenabled$garbage_collection$auto_refcount_one_allocation$v1(void);
+extern void __dtrace_probe$garbage_collection$collection_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f747970655f74(const malloc_zone_t *, auto_collection_type_t);
+extern int __dtrace_isenabled$garbage_collection$collection_begin$v1(void);
+extern void __dtrace_probe$garbage_collection$collection_end$v1$6d616c6c6f635f7a6f6e655f74202a$75696e7436345f74$75696e7436345f74$75696e7436345f74$75696e7436345f74(const malloc_zone_t *, uint64_t, uint64_t, uint64_t, uint64_t);
+extern int __dtrace_isenabled$garbage_collection$collection_end$v1(void);
+extern void __dtrace_probe$garbage_collection$collection_phase_begin$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74(const malloc_zone_t *, auto_collection_phase_t);
+extern int __dtrace_isenabled$garbage_collection$collection_phase_begin$v1(void);
+extern void __dtrace_probe$garbage_collection$collection_phase_end$v1$6d616c6c6f635f7a6f6e655f74202a$6175746f5f636f6c6c656374696f6e5f70686173655f74$75696e7436345f74$75696e7436345f74(const malloc_zone_t *, auto_collection_phase_t, uint64_t, uint64_t);
+extern int __dtrace_isenabled$garbage_collection$collection_phase_end$v1(void);
+
+#else
+
+#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY(arg0, arg1) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_AUTO_BLOCK_LOST_THREAD_LOCALITY_ENABLED() (0)
+#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION(arg0) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_AUTO_REFCOUNT_ONE_ALLOCATION_ENABLED() (0)
+#define GARBAGE_COLLECTION_COLLECTION_BEGIN(arg0, arg1) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_COLLECTION_BEGIN_ENABLED() (0)
+#define GARBAGE_COLLECTION_COLLECTION_END(arg0, arg1, arg2, arg3, arg4) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_COLLECTION_END_ENABLED() (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN(arg0, arg1) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_BEGIN_ENABLED() (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_END(arg0, arg1, arg2, arg3) \
+do { \
+  } while (0)
+#define GARBAGE_COLLECTION_COLLECTION_PHASE_END_ENABLED() (0)
+
+#endif /* !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED */
+
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif  /* _AUTO_DTRACE_H */
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix
new file mode 100644
index 000000000000..8a551dcc892c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libauto/default.nix
@@ -0,0 +1,86 @@
+{ lib, stdenv, appleDerivation, libdispatch, Libsystem }:
+
+appleDerivation {
+  # these are included in the pure libc
+  buildInputs = lib.optionals stdenv.cc.nativeLibc [ libdispatch Libsystem ];
+
+  buildPhase = ''
+    cp ${./auto_dtrace.h} ./auto_dtrace.h
+
+    substituteInPlace ThreadLocalCollector.h --replace SubZone.h Subzone.h
+
+    substituteInPlace auto_zone.cpp \
+      --replace "#include <msgtracer_client.h>" ''$'#include <asl.h>\nstatic void msgtracer_log_with_keys(...) { };'
+
+    substituteInPlace Definitions.h \
+      --replace "#include <System/pthread_machdep.h>" "" \
+      --replace 'void * const, void * const' 'void * const, void *'
+
+    # getspecific_direct is more efficient, but this should be equivalent...
+    substituteInPlace Zone.h \
+      --replace "_pthread_getspecific_direct" "pthread_getspecific" \
+      --replace "_pthread_has_direct_tsd()" "0" \
+      --replace "__PTK_FRAMEWORK_GC_KEY0" "110" \
+      --replace "__PTK_FRAMEWORK_GC_KEY1" "111" \
+      --replace "__PTK_FRAMEWORK_GC_KEY2" "112" \
+      --replace "__PTK_FRAMEWORK_GC_KEY3" "113" \
+      --replace "__PTK_FRAMEWORK_GC_KEY4" "114" \
+      --replace "__PTK_FRAMEWORK_GC_KEY5" "115" \
+      --replace "__PTK_FRAMEWORK_GC_KEY6" "116" \
+      --replace "__PTK_FRAMEWORK_GC_KEY7" "117" \
+      --replace "__PTK_FRAMEWORK_GC_KEY8" "118" \
+      --replace "__PTK_FRAMEWORK_GC_KEY9" "119"
+
+    substituteInPlace auto_zone.cpp \
+      --replace "__PTK_FRAMEWORK_GC_KEY9" "119" \
+      --replace "__PTK_FRAMEWORK_GC_KEY0" "110" \
+
+    substituteInPlace Zone.cpp \
+      --replace "_pthread_getspecific_direct" "pthread_getspecific" \
+      --replace "__PTK_FRAMEWORK_GC_KEY9" "119" \
+      --replace "__PTK_FRAMEWORK_GC_KEY0" "110" \
+      --replace "__PTK_LIBDISPATCH_KEY0"  "20" \
+      --replace "struct auto_zone_cursor {" ''$'extern "C" int pthread_key_init_np(int, void (*)(void *));\nstruct auto_zone_cursor {'
+
+    substituteInPlace auto_impl_utilities.c \
+      --replace "#   include <CrashReporterClient.h>" "void CRSetCrashLogMessage(void *msg) { };"
+
+    c++ -I. -O3 -c -Wno-c++11-extensions auto_zone.cpp
+    cc  -I. -O3 -Iauto_tester -c auto_impl_utilities.c
+    c++ -I. -O3 -c auto_weak.cpp
+    c++ -I. -O3 -c Admin.cpp
+    c++ -I. -O3 -c Bitmap.cpp
+    c++ -I. -O3 -c Definitions.cpp
+    c++ -I. -O3 -c Environment.cpp
+    c++ -I. -O3 -c Large.cpp
+    c++ -I. -O3 -c Region.cpp
+    c++ -I. -O3 -c Subzone.cpp
+    c++ -I. -O3 -c WriteBarrier.cpp
+    c++ -I. -O3 -c Zone.cpp
+    c++ -I. -O3 -c Thread.cpp
+    c++ -I. -O3 -c InUseEnumerator.cpp
+    c++ -I. -O3 -c auto_gdb_interface.cpp
+    c++ -I. -O3 -c PointerHash.cpp
+    c++ -I. -O3 -c ThreadLocalCollector.cpp
+    c++ -I. -O3 -c ZoneDump.cpp
+    c++ -I. -O3 -c ZoneCollectors.cpp
+    c++ -I. -O3 -c SubzonePartition.cpp
+    c++ -I. -O3 -c ZoneCollectionChecking.cpp
+    c++ -I. -O3 -c ZoneCompaction.cpp
+    c++ -I. -O3 -c BlockRef.cpp
+
+    c++ -Wl,-no_dtrace_dof --stdlib=libc++ -dynamiclib -install_name $out/lib/libauto.dylib -o libauto.dylib *.o
+  '';
+
+  installPhase = ''
+    mkdir -p $out/lib $out/include
+    cp auto_zone.h auto_weak.h auto_tester/auto_tester.h auto_gdb_interface.h $out/include
+    cp libauto.dylib $out/lib
+  '';
+
+  meta = {
+    # libauto is only used by objc4/pure.nix , but objc4 is now using the impure approach, so we don't bother to fix this.
+    broken = true;
+    platforms = lib.platforms.darwin;
+  };
+}
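Review bot: The `substituteInPlace` calls replace `__PTK_FRAMEWORK_GC_KEY0` through `KEY9` with 110–119 and `__PTK_LIBDISPATCH_KEY0` with 20, but nothing records where those numbers come from; presumably they mirror the definitions in the `System/pthread_machdep.h` include that is stripped from `Definitions.h`. A comment such as `# TSD slot numbers copied from <header and release>; must match the libpthread in use` would let a reader detect a mismatch. The second `auto_zone.cpp` substitution also ends with a trailing `\` before a blank line, which should be removed.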
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libclosure/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libclosure/default.nix
new file mode 100644
index 000000000000..976658b7e5dd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libclosure/default.nix
@@ -0,0 +1,13 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include
+    cp *.h $out/include/
+  '';
+
+  appleHeaders = ''
+    Block.h
+    Block_private.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix
new file mode 100644
index 000000000000..e91ee86cde08
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libdispatch/default.nix
@@ -0,0 +1,54 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  dontConfigure = true;
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/include/dispatch $out/include/os
+
+    # Move these headers so CF can find <os/voucher_private.h>
+    mv private/voucher*.h  $out/include/os
+    cp -r private/*.h  $out/include/dispatch
+
+    cp -r dispatch/*.h $out/include/dispatch
+    cp -r os/object*.h  $out/include/os
+
+    # gcc compatability. Source: https://stackoverflow.com/a/28014302/3714556
+    substituteInPlace $out/include/dispatch/object.h \
+      --replace 'typedef void (^dispatch_block_t)(void);' \
+                '#ifdef __clang__
+                 typedef void (^dispatch_block_t)(void);
+                 #else
+                 typedef void* dispatch_block_t;
+                 #endif'
+  '';
+
+  appleHeaders = ''
+    dispatch/base.h
+    dispatch/benchmark.h
+    dispatch/block.h
+    dispatch/data.h
+    dispatch/data_private.h
+    dispatch/dispatch.h
+    dispatch/group.h
+    dispatch/introspection.h
+    dispatch/introspection_private.h
+    dispatch/io.h
+    dispatch/io_private.h
+    dispatch/layout_private.h
+    dispatch/mach_private.h
+    dispatch/object.h
+    dispatch/once.h
+    dispatch/private.h
+    dispatch/queue.h
+    dispatch/queue_private.h
+    dispatch/semaphore.h
+    dispatch/source.h
+    dispatch/source_private.h
+    dispatch/time.h
+    os/object.h
+    os/object_private.h
+    os/voucher_activity_private.h
+    os/voucher_private.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix
new file mode 100644
index 000000000000..72ef086f5990
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libiconv/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, appleDerivation, lib
+, enableStatic ? stdenv.hostPlatform.isStatic
+, enableShared ? !stdenv.hostPlatform.isStatic
+}:
+
+appleDerivation {
+  postUnpack = "sourceRoot=$sourceRoot/libiconv";
+
+  preConfigure = lib.optionalString stdenv.hostPlatform.isiOS ''
+    sed -i 's/darwin\*/ios\*/g' configure libcharset/configure
+  '';
+
+  configureFlags = [
+    (lib.enableFeature enableStatic "static")
+    (lib.enableFeature enableShared "shared")
+  ];
+
+  postInstall = lib.optionalString enableShared ''
+    mv $out/lib/libiconv.dylib $out/lib/libiconv-nocharset.dylib
+    ${stdenv.cc.bintools.targetPrefix}install_name_tool -id $out/lib/libiconv-nocharset.dylib $out/lib/libiconv-nocharset.dylib
+
+    # re-export one useless symbol; ld will reject a dylib that only reexports other dylibs
+    echo 'void dont_use_this(){}' | ${stdenv.cc.bintools.targetPrefix}clang -dynamiclib -x c - -current_version 2.4.0 \
+      -compatibility_version 7.0.0 -current_version 7.0.0 -o $out/lib/libiconv.dylib \
+      -Wl,-reexport_library -Wl,$out/lib/libiconv-nocharset.dylib \
+      -Wl,-reexport_library -Wl,$out/lib/libcharset.dylib
+  '';
+
+  setupHooks = [
+    ../../../../build-support/setup-hooks/role.bash
+    ../../../../development/libraries/libiconv/setup-hook.sh
+  ];
+
+  meta = {
+    platforms = lib.platforms.darwin;
+  };
+}
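Review bot: The `clang -dynamiclib` command in `postInstall` passes `-current_version` twice, first `2.4.0` and then `7.0.0`, so one value is dead and the version recorded in `libiconv.dylib` depends on which occurrence the driver honours. Keep a single flag with the intended value, e.g. `-compatibility_version 7.0.0 -current_version 7.0.0` if 7.0.0 is what dependents expect.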
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix
new file mode 100644
index 000000000000..39c801962692
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libplatform/default.nix
@@ -0,0 +1,32 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir $out
+    cp -r include $out/include
+  '';
+
+  appleHeaders = ''
+    _simple.h
+    libkern/OSAtomic.h
+    libkern/OSAtomicDeprecated.h
+    libkern/OSAtomicQueue.h
+    libkern/OSCacheControl.h
+    libkern/OSSpinLockDeprecated.h
+    os/alloc_once_impl.h
+    os/base.h
+    os/base_private.h
+    os/internal/atomic.h
+    os/internal/crashlog.h
+    os/internal/internal_shared.h
+    os/lock.h
+    os/lock_private.h
+    os/once_private.h
+    os/semaphore_private.h
+    platform/compat.h
+    platform/introspection_private.h
+    platform/string.h
+    setjmp.h
+    ucontext.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix
new file mode 100644
index 000000000000..3d62270d76c0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix
@@ -0,0 +1,55 @@
+{ lib, appleDerivation', stdenvNoCC, libdispatch, xnu }:
+
+appleDerivation' stdenvNoCC {
+  propagatedBuildInputs = [ libdispatch xnu ];
+
+  installPhase = ''
+    mkdir -p $out/include/pthread/
+    mkdir -p $out/include/sys/_types
+    cp pthread/*.h $out/include/pthread/
+
+    # This overwrites qos.h, and is probably not necessary, but I'll leave it here for now
+    # cp private/*.h $out/include/pthread/
+
+    cp -r sys $out/include
+    cp -r sys/_pthread/*.h $out/include/sys/_types/
+  '';
+
+  appleHeaders = ''
+    pthread/introspection.h
+    pthread/pthread.h
+    pthread/pthread_impl.h
+    pthread/pthread_spis.h
+    pthread/qos.h
+    pthread/sched.h
+    pthread/spawn.h
+    sys/_pthread/_pthread_attr_t.h
+    sys/_pthread/_pthread_cond_t.h
+    sys/_pthread/_pthread_condattr_t.h
+    sys/_pthread/_pthread_key_t.h
+    sys/_pthread/_pthread_mutex_t.h
+    sys/_pthread/_pthread_mutexattr_t.h
+    sys/_pthread/_pthread_once_t.h
+    sys/_pthread/_pthread_rwlock_t.h
+    sys/_pthread/_pthread_rwlockattr_t.h
+    sys/_pthread/_pthread_t.h
+    sys/_pthread/_pthread_types.h
+    sys/_types/_pthread_attr_t.h
+    sys/_types/_pthread_cond_t.h
+    sys/_types/_pthread_condattr_t.h
+    sys/_types/_pthread_key_t.h
+    sys/_types/_pthread_mutex_t.h
+    sys/_types/_pthread_mutexattr_t.h
+    sys/_types/_pthread_once_t.h
+    sys/_types/_pthread_rwlock_t.h
+    sys/_types/_pthread_rwlockattr_t.h
+    sys/_types/_pthread_t.h
+    sys/_types/_pthread_types.h
+    sys/qos.h
+    sys/qos_private.h
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libresolv/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libresolv/default.nix
new file mode 100644
index 000000000000..2a8a609472a2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libresolv/default.nix
@@ -0,0 +1,52 @@
+{ lib, appleDerivation', stdenv, stdenvNoCC, Libinfo, configdHeaders, mDNSResponder
+, headersOnly ? false
+}:
+
+appleDerivation' (if headersOnly then stdenvNoCC else stdenv) {
+  buildInputs = lib.optionals (!headersOnly) [ Libinfo configdHeaders mDNSResponder ];
+
+  buildPhase = lib.optionalString (!headersOnly) ''
+    $CC -I. -c dns_util.c
+    $CC -I. -c dns.c
+    $CC -I. -c dns_async.c
+    $CC -I. -c base64.c
+    $CC -I. -c dst_api.c
+    $CC -I. -c dst_hmac_link.c
+    $CC -I. -c dst_support.c
+    $CC -I. -c ns_date.c
+    $CC -I. -c ns_name.c
+    $CC -I. -c ns_netint.c
+    $CC -I. -c ns_parse.c
+    $CC -I. -c ns_print.c
+    $CC -I. -c ns_samedomain.c
+    $CC -I. -c ns_sign.c
+    $CC -I. -c ns_ttl.c
+    $CC -I. -c ns_verify.c
+    $CC -I. -c res_comp.c
+    $CC -I. -c res_data.c
+    $CC -I. -c res_debug.c
+    $CC -I. -c res_findzonecut.c
+    $CC -I. -c res_init.c
+    $CC -I. -c res_mkquery.c
+    $CC -I. -c res_mkupdate.c
+    $CC -I. -c res_query.c
+    $CC -I. -c res_send.c
+    $CC -I. -c res_sendsigned.c
+    $CC -I. -c res_update.c
+    $CC -dynamiclib -install_name $out/lib/libresolv.9.dylib -current_version 1.0.0 -compatibility_version 1.0.0 -o libresolv.9.dylib *.o
+  '';
+
+  installPhase = ''
+    mkdir -p $out/include $out/include/arpa $out/lib
+
+    cp dns.h           $out/include/
+    cp dns_util.h      $out/include
+    cp nameser.h       $out/include
+    ln -s ../nameser.h $out/include/arpa
+    cp resolv.h        $out/include
+  '' + lib.optionalString (!headersOnly) ''
+
+    cp libresolv.9.dylib $out/lib
+    ln -s libresolv.9.dylib $out/lib/libresolv.dylib
+  '';
+}
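Review bot: The link step at the end of `buildPhase` takes `*.o`, so any object file present in the source directory is linked into `libresolv.9.dylib`, not only the files compiled on the lines above. Driving both the compile and the link from one explicit list makes the library's contents reviewable and removes the 27 near-identical lines. This derivation also has no `meta`; `meta.platforms = lib.platforms.darwin;` would match libpthread/default.nix in this commit.

```nix
  buildPhase = lib.optionalString (!headersOnly) ''
    srcs="dns_util dns dns_async base64 dst_api dst_hmac_link dst_support
      ns_date ns_name ns_netint ns_parse ns_print ns_samedomain ns_sign ns_ttl ns_verify
      res_comp res_data res_debug res_findzonecut res_init res_mkquery res_mkupdate
      res_query res_send res_sendsigned res_update"
    objs=""
    for s in $srcs; do
      $CC -I. -c "$s.c"
      objs="$objs $s.o"
    done
    $CC -dynamiclib -install_name $out/lib/libresolv.9.dylib -current_version 1.0.0 -compatibility_version 1.0.0 -o libresolv.9.dylib $objs
  '';
```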
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix
new file mode 100644
index 000000000000..0d378f6089fb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libunwind/default.nix
@@ -0,0 +1,17 @@
+{ lib, appleDerivation }:
+
+appleDerivation {
+  dontBuild = true;
+
+  # install headers only
+  installPhase = ''
+    mkdir -p $out/lib
+    cp -R include $out/include
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin lnl7 ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix
new file mode 100644
index 000000000000..e7c8a6b1113b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/libutil/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenv, stdenvNoCC, appleDerivation', xcbuildHook
+
+# headersOnly is true when building for libSystem
+, headersOnly ? false }:
+
+appleDerivation' (if headersOnly then stdenvNoCC else stdenv) {
+  nativeBuildInputs = lib.optional (!headersOnly) xcbuildHook;
+
+  prePatch = ''
+    substituteInPlace tzlink.c \
+      --replace '#include <xpc/xpc.h>' ""
+  '';
+
+  xcbuildFlags = [ "-target" "util" ];
+
+  installPhase = ''
+    mkdir -p $out/include
+  '' + lib.optionalString headersOnly ''
+    cp *.h $out/include
+  '' + lib.optionalString (!headersOnly)''
+    mkdir -p $out/lib $out/include
+
+    cp Products/Release/*.dylib $out/lib
+    cp Products/Release/*.h $out/include
+
+    # TODO: figure out how to get this to be right the first time around
+    install_name_tool -id $out/lib/libutil.dylib $out/lib/libutil.dylib
+  '';
+
+  # FIXME: headers are different against headersOnly. And all the headers are NOT in macos, do we really want them?
+  # appleHeaders = ''
+  #   libutil.h
+  #   mntopts.h
+  #   tzlink.h
+  #   wipefs.h
+  # '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ copumpkin ];
+    platforms   = platforms.darwin;
+    license     = licenses.apsl20;
+  };
+}
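Review bot: The `prePatch` edit to `tzlink.c` only works while the source contains the exact string `#include <xpc/xpc.h>`, and older stdenv versions let a non-matching `--replace` pass silently, so a reworded include in a later source release would go unnoticed until the compile fails or picks up some reachable xpc header. A short comment saying why the include is dropped would help, followed by a check such as `if grep -q 'xpc/xpc.h' tzlink.c; then exit 1; fi` to make the failure explicit. The second `mkdir -p $out/include` in the non-headersOnly branch of `installPhase` repeats the one at the top and can go.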
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/mDNSResponder/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/mDNSResponder/default.nix
new file mode 100644
index 000000000000..64de728805fd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/mDNSResponder/default.nix
@@ -0,0 +1,10 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  phases = [ "unpackPhase" "installPhase" ];
+
+  installPhase = ''
+    mkdir -p $out/include
+    cp mDNSShared/dns_sd.h $out/include
+  '';
+}
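Review bot: Setting `phases` to an explicit list drops every phase not named in it, including the patch and fixup phases, so a `patches = [ ... ]` added to this derivation later would presumably be ignored without any error. `dontBuild = true;` (as libunwind/default.nix in this commit does), with `dontConfigure = true;` if needed, skips the same work while keeping the standard phase order. objc4/default.nix in this commit uses the same `phases` list and would benefit from the same change.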
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix
new file mode 100644
index 000000000000..517f53e9435d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/macos-11.0.1.nix
@@ -0,0 +1,46 @@
+# Generated using:  ./generate-sdk-packages.sh macos 11.0.1
+
+{ applePackage' }:
+
+{
+adv_cmds = applePackage' "adv_cmds" "176" "macos-11.0.1" "0x8c25rh6fnzndbc26vcb65vcxilvqyfvm2klfyci1wr4bh3ixgk" {};
+architecture = applePackage' "architecture" "279" "macos-11.0.1" "1cgp33ywa30max6cyp69kvii299hx2vgwvmy3ms8n4gaq2mkpaky" {};
+basic_cmds = applePackage' "basic_cmds" "55" "macos-11.0.1" "0hvab4b1v5q2x134hdkal0rmz5gsdqyki1vb0dbw4py1bqf0yaw9" {};
+bootstrap_cmds = applePackage' "bootstrap_cmds" "121" "macos-11.0.1" "09bwclws6adxb1ky9q35f4ikddk4mbalmgds0cmqaf7j23qxl3fv" {};
+CommonCrypto = applePackage' "CommonCrypto" "60178.40.2" "macos-11.0.1" "0r3b1mlfmbdzpwn6pbsbfaga3k63gpwcwbhkbi4r09aq82skl02v" {};
+configd = applePackage' "configd" "1109.40.9" "macos-11.0.1" "173i55wfzli9pg2x2rw437hs68h6l4ngss5jfgf18g26zjkjzv5v" {};
+copyfile = applePackage' "copyfile" "173.40.2" "macos-11.0.1" "0qyp15qj3fdb7yx033n57l7s61d70mv17f43yiwcbhx09mmlrp07" {};
+Csu = applePackage' "Csu" "88" "macos-11.0.1" "029lgcyj0i16036h2lcx6fd6r1yf1bkj5dnvz905rh6ncl8skgdr" {};
+diskdev_cmds = applePackage' "diskdev_cmds" "667.40.1" "macos-11.0.1" "1bqwkwkwd556rba5000ap77xrhaf4xnmy83mszd7a0yvl2xlma7j" {};
+dtrace = applePackage' "dtrace" "370.40.1" "macos-11.0.1" "1941yczmn94ng5zlnhf0i5mjw2f4g7znisgvhkhn5f86gxmd98wl" {};
+dyld = applePackage' "dyld" "832.7.1" "macos-11.0.1" "1s77ca6jg20z91qlph59da8j61m97y23vrw48xs4rywdzh4915n0" {};
+eap8021x = applePackage' "eap8021x" "304.40.1" "macos-11.0.1" "1ph3kcpf527s0jqsi60j2sgg3m8h128spf292d8kyc08siz9mf9c" {};
+file_cmds = applePackage' "file_cmds" "321.40.3" "macos-11.0.1" "04789vn1wghclfr3ma3ncg716xdsxfj66hrcxi5h3h1ryag2ycfz" {};
+hfs = applePackage' "hfs" "556.41.1" "macos-11.0.1" "1rhkmn2yj5p4wmi4aajy5hj2h0gxk63s8j4qz4ziy4g4bjpdgwmy" {};
+ICU = applePackage' "ICU" "66108" "macos-11.0.1" "1d76cyyqpwkzjlxfajm4nsglxmfrcafbnjwnjxc3j5w3nw67pqhx" {};
+Libc = applePackage' "Libc" "1439.40.11" "macos-11.0.1" "0d5xlnks4lc9391wg31c9126vflb40lc5ffkgxmf2kpyglac1280" {};
+libclosure = applePackage' "libclosure" "78" "macos-11.0.1" "089i2bl4agpnfplrg23xbzma1674g0w05988nxdps6ghxl4kz66f" {};
+libdispatch = applePackage' "libdispatch" "1271.40.12" "macos-11.0.1" "0z7r42zfb8y48f0nrw0qw7fanfvimycimgnrg3jig101kjvjar98" {};
+libiconv = applePackage' "libiconv" "59" "macos-11.0.1" "0hqbsqggjrr0sv6h70lcr3gabgk9inyc8aq1b30wibgjm6crjwpp" {};
+Libinfo = applePackage' "Libinfo" "542.40.3" "macos-11.0.1" "0y5x6wxd3mwn6my1jdp8qrak3y7x7sgjdmwyw9cvvbn3kg9v6z1p" {};
+Libnotify = applePackage' "Libnotify" "279.40.4" "macos-11.0.1" "0aswflxki877izp6sacv35sydn6a3639cflv3zhs3i7vkfbsvbf5" {};
+libplatform = applePackage' "libplatform" "254.40.4" "macos-11.0.1" "1mhi8n66864y98dr3n0pkqad3aqim800kn9bxzp6h5jf2jni3aql" {};
+libpthread = applePackage' "libpthread" "454.40.3" "macos-11.0.1" "18rb4dqjdf3krzi4hdj5i310gy49ipf01klbkp9g51i02a55gphq" {};
+libresolv = applePackage' "libresolv" "68" "macos-11.0.1" "1ysvg6d28xyaky9sn7giglnsflhjsbj17h3h3i6knlzxnzznpkql" {};
+Librpcsvc = applePackage' "Librpcsvc" "26" "macos-11.0.1" "1zwfwcl9irxl1dlnf2b4v30vdybp0p0r6n6g1pd14zbdci1jcg2k" {};
+Libsystem = applePackage' "Libsystem" "1292.50.1" "macos-11.0.1" "0w16zaigq18jfsnw15pfyz2mkfqdkn0cc16q617kmgw2khld8j7j" {};
+libunwind = applePackage' "libunwind" "200.10" "macos-11.0.1" "1pmymcqpfk7lfxh6zqch429vfpvmd2m1dlg898170pkx5zhxisl2" {};
+libutil = applePackage' "libutil" "58.40.2" "macos-11.0.1" "1hhgashfj9g4vjv02070c5pn818a5n0bh5l81l2pflmvb2rrqs3f" {};
+mDNSResponder = applePackage' "mDNSResponder" "1310.40.42" "macos-11.0.1" "0d0b9wwah9rg7rwrr29dxd6iy0y4rlmss3wcz2wcqmnd2qb9x8my" {};
+network_cmds = applePackage' "network_cmds" "606.40.2" "macos-11.0.1" "1dlslk67npvmxx5m50385kmn3ysxih2iv220hhzkin11f8abdjv7" {};
+objc4 = applePackage' "objc4" "818.2" "macos-11.0.1" "177gmh9m9ajy6mvcd2sf7gqydgljy44n3iih0yqsn1b13j784azx" {};
+PowerManagement = applePackage' "PowerManagement" "1132.50.3" "macos-11.0.1" "1n5yn6sc8w67g8iism6ilkyl33j46gcnlqcaq6k16zkngx6lprba" {};
+ppp = applePackage' "ppp" "877.40.2" "macos-11.0.1" "1z506z8ndvb1lfr4pypfy2bnig6qimhmq3yhjvqwfnliv91965iq" {};
+removefile = applePackage' "removefile" "49.40.3" "macos-11.0.1" "1fhp47awi15f02385r25qgw1ag5z0kr1v3kvgqm3r8i8yysfqvwp" {};
+Security = applePackage' "Security" "59754.41.1" "macos-11.0.1" "00kqgg7k80ba70ar2c02f0q9yrdgqcb56nb9z5g0bxwkvi40ryph" {};
+shell_cmds = applePackage' "shell_cmds" "216.40.4" "macos-11.0.1" "1mvp1fp34kkm4mi85fdn3i0l0gig4c0w09zg2mvkpxcf68cq2f69" {};
+system_cmds = applePackage' "system_cmds" "880.40.5" "macos-11.0.1" "1kys4vwfz4559sspdsfhmxc238nd8qgylqypza3zdzaqhfh7lx2x" {};
+text_cmds = applePackage' "text_cmds" "106" "macos-11.0.1" "0cpnfpllwpx20hbxzg5i5488gcjyi9adnbac1sd5hpv3bq6z1hs5" {};
+top = applePackage' "top" "129" "macos-11.0.1" "1nyz5mvq7js3zhsi3dwxl5fslg6m7nhlgc6p2hr889xgyl5prw8f" {};
+xnu = applePackage' "xnu" "7195.50.7.100.1" "macos-11.0.1" "14wqkqp3lcxgpm1sjnsysybrc4ppzkghwv3mb5nr5v8ml37prkib" {};
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/network_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/network_cmds/default.nix
new file mode 100644
index 000000000000..9a95eb04e6ef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/network_cmds/default.nix
@@ -0,0 +1,56 @@
+{ lib, appleDerivation, xcbuildHook, stdenv
+, libressl_3_4, Librpcsvc, xnu, libpcap, developer_cmds }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ libressl_3_4 xnu Librpcsvc libpcap developer_cmds ];
+
+  # Work around error from <stdio.h> on aarch64-darwin:
+  #     error: 'TARGET_OS_IPHONE' is not defined, evaluates to 0 [-Werror,-Wundef-prefix=TARGET_OS_]
+  NIX_CFLAGS_COMPILE = "-Wno-error=undef-prefix -I./unbound -I${xnu}/Library/Frameworks/System.framework/Headers/";
+
+  # "spray" requires some files that aren't compiling correctly in xcbuild.
+  # "rtadvd" seems to fail with some missing constants.
+  # "traceroute6" and "ping6" require ipsec which doesn't build correctly
+  patchPhase = ''
+    substituteInPlace network_cmds.xcodeproj/project.pbxproj \
+      --replace "7294F0EA0EE8BAC80052EC88 /* PBXTargetDependency */," "" \
+      --replace "7216D34D0EE89FEC00AE70E4 /* PBXTargetDependency */," "" \
+      --replace "72CD1D9C0EE8C47C005F825D /* PBXTargetDependency */," "" \
+      --replace "7216D2C20EE89ADF00AE70E4 /* PBXTargetDependency */," ""
+  '' + lib.optionalString stdenv.isAarch64 ''
+    # "unbound" does not build on aarch64
+    substituteInPlace network_cmds.xcodeproj/project.pbxproj \
+      --replace "71D958C51A9455A000C9B286 /* PBXTargetDependency */," ""
+  '';
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+
+    for n in 1 5; do
+      mkdir -p $out/share/man/man$n
+      install */*.$n $out/share/man/man$n
+    done
+
+    # TODO: patch files to load from $out/ instead of /usr/
+
+    # mkdir -p $out/etc/
+    # install rtadvd.tproj/rtadvd.conf ip6addrctl.tproj/ip6addrctl.conf $out/etc/
+
+    # mkdir -p $out/local/OpenSourceVersions/
+    # install network_cmds.plist $out/local/OpenSourceVersions/
+
+    # mkdir -p $out/System/Library/LaunchDaemons
+    # install kdumpd.tproj/com.apple.kdumpd.plist $out/System/Library/LaunchDaemons
+ '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
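Review bot: `buildInputs` pins `libressl_3_4`, one specific release branch of the TLS library, and nothing in the file says why. The network tools built here will keep linking that branch after the default `libressl` attribute moves on, including after the branch stops receiving fixes. If a newer branch fails to build, record that next to the input, e.g. `# pinned: <reason>; revisit when network_cmds builds against the default libressl`. Separately, `$f` is unquoted in the `installPhase` loop; `install -D "$f" "$out/bin/$(basename "$f")"` keeps a product name with spaces from being split.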
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/default.nix
new file mode 100644
index 000000000000..2fc4afa77d9f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/default.nix
@@ -0,0 +1,37 @@
+{ appleDerivation, darwin-stubs }:
+
+appleDerivation {
+  phases = [ "unpackPhase" "installPhase" ];
+
+  # Not strictly necessary, since libSystem depends on it, but it's nice to be explicit so we
+  # can easily find out what's impure.
+  __propagatedImpureHostDeps = [
+    "/usr/lib/libauto.dylib"
+    "/usr/lib/libc++abi.dylib"
+    "/usr/lib/libc++.1.dylib"
+    "/usr/lib/libSystem.B.dylib"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/include/objc $out/lib
+    cp ${darwin-stubs}/usr/lib/libobjc.A.tbd $out/lib/libobjc.A.tbd
+    ln -s libobjc.A.tbd $out/lib/libobjc.tbd
+    cp runtime/OldClasses.subproj/List.h $out/include/objc/List.h
+    cp runtime/NSObjCRuntime.h $out/include/objc/NSObjCRuntime.h
+    cp runtime/NSObject.h $out/include/objc/NSObject.h
+    cp runtime/Object.h $out/include/objc/Object.h
+    cp runtime/Protocol.h $out/include/objc/Protocol.h
+    cp runtime/hashtable.h $out/include/objc/hashtable.h
+    cp runtime/hashtable2.h $out/include/objc/hashtable2.h
+    cp runtime/message.h $out/include/objc/message.h
+    cp runtime/objc-api.h $out/include/objc/objc-api.h
+    cp runtime/objc-auto.h $out/include/objc/objc-auto.h
+    cp runtime/objc-class.h $out/include/objc/objc-class.h
+    cp runtime/objc-exception.h $out/include/objc/objc-exception.h
+    cp runtime/objc-load.h $out/include/objc/objc-load.h
+    cp runtime/objc-runtime.h $out/include/objc/objc-runtime.h
+    cp runtime/objc-sync.h $out/include/objc/objc-sync.h
+    cp runtime/objc.h $out/include/objc/objc.h
+    cp runtime/runtime.h $out/include/objc/runtime.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/objc-probes.h b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/objc-probes.h
new file mode 100644
index 000000000000..4ad9ba9ad104
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/objc-probes.h
@@ -0,0 +1,65 @@
+/*
+ * Generated by dtrace(1M).
+ */
+
+#ifndef _OBJC_PROBES_H
+#define _OBJC_PROBES_H
+
+#include <unistd.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#define OBJC_RUNTIME_STABILITY "___dtrace_stability$objc_runtime$v1$1_1_0_1_1_0_1_1_0_1_1_0_1_1_0"
+
+#define OBJC_RUNTIME_TYPEDEFS "___dtrace_typedefs$objc_runtime$v2"
+
+#if !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED
+
+#define OBJC_RUNTIME_OBJC_EXCEPTION_RETHROW() \
+do { \
+  __asm__ volatile(".reference " OBJC_RUNTIME_TYPEDEFS); \
+  __dtrace_probe$objc_runtime$objc_exception_rethrow$v1(); \
+  __asm__ volatile(".reference " OBJC_RUNTIME_STABILITY); \
+} while (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_RETHROW_ENABLED() \
+  ({ int _r = __dtrace_isenabled$objc_runtime$objc_exception_rethrow$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+#define OBJC_RUNTIME_OBJC_EXCEPTION_THROW(arg0) \
+do { \
+  __asm__ volatile(".reference " OBJC_RUNTIME_TYPEDEFS); \
+  __dtrace_probe$objc_runtime$objc_exception_throw$v1$766f6964202a(arg0); \
+  __asm__ volatile(".reference " OBJC_RUNTIME_STABILITY); \
+} while (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_THROW_ENABLED() \
+  ({ int _r = __dtrace_isenabled$objc_runtime$objc_exception_throw$v1(); \
+    __asm__ volatile(""); \
+    _r; })
+
+
+extern void __dtrace_probe$objc_runtime$objc_exception_rethrow$v1(void);
+extern int __dtrace_isenabled$objc_runtime$objc_exception_rethrow$v1(void);
+extern void __dtrace_probe$objc_runtime$objc_exception_throw$v1$766f6964202a(const void *);
+extern int __dtrace_isenabled$objc_runtime$objc_exception_throw$v1(void);
+
+#else
+
+#define OBJC_RUNTIME_OBJC_EXCEPTION_RETHROW() \
+do { \
+  } while (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_RETHROW_ENABLED() (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_THROW(arg0) \
+do { \
+  } while (0)
+#define OBJC_RUNTIME_OBJC_EXCEPTION_THROW_ENABLED() (0)
+
+#endif /* !defined(DTRACE_PROBES_DISABLED) || !DTRACE_PROBES_DISABLED */
+
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif  /* _OBJC_PROBES_H */
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix
new file mode 100644
index 000000000000..6a0c819a0a31
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/pure.nix
@@ -0,0 +1,118 @@
+{ stdenv, fetchapplesource, libauto, launchd, libc_old, libunwind }:
+
+stdenv.mkDerivation rec {
+  version = "551.1";
+  pname = "objc4";
+
+  src = fetchapplesource {
+    inherit version;
+    name   = "objc4";
+    sha256 = "1jrdb6yyb5jwwj27c1r0nr2y2ihqjln8ynj61mpkvp144c1cm5bg";
+  };
+
+  patches = [ ./spinlocks.patch ];
+
+  buildInputs = [ libauto launchd libc_old libunwind ];
+
+  buildPhase = ''
+    cp ${./objc-probes.h} runtime/objc-probes.h
+
+    mkdir -p build/include/objc
+
+    cp runtime/hashtable.h               build/include/objc/hashtable.h
+    cp runtime/OldClasses.subproj/List.h build/include/objc/List.h
+    cp runtime/hashtable2.h              build/include/objc/hashtable2.h
+    cp runtime/message.h                 build/include/objc/message.h
+    cp runtime/objc-api.h                build/include/objc/objc-api.h
+    cp runtime/objc-auto.h               build/include/objc/objc-auto.h
+    cp runtime/objc-class.h              build/include/objc/objc-class.h
+    cp runtime/objc-exception.h          build/include/objc/objc-exception.h
+    cp runtime/objc-load.h               build/include/objc/objc-load.h
+    cp runtime/objc-sync.h               build/include/objc/objc-sync.h
+    cp runtime/objc.h                    build/include/objc/objc.h
+    cp runtime/objc-runtime.h            build/include/objc/objc-runtime.h
+    cp runtime/Object.h                  build/include/objc/Object.h
+    cp runtime/Protocol.h                build/include/objc/Protocol.h
+    cp runtime/runtime.h                 build/include/objc/runtime.h
+    cp runtime/NSObject.h                build/include/objc/NSObject.h
+    cp runtime/NSObjCRuntime.h           build/include/objc/NSObjCRuntime.h
+
+    # These would normally be in local/include but we don't do local, so they're
+    # going in with the others
+    cp runtime/maptable.h                build/include/objc/maptable.h
+    cp runtime/objc-abi.h                build/include/objc/objc-abi.h
+    cp runtime/objc-auto-dump.h          build/include/objc/objc-auto-dump.h
+    cp runtime/objc-gdb.h                build/include/objc/objc-gdb.h
+    cp runtime/objc-internal.h           build/include/objc/objc-internal.h
+
+    cc -o markgc markgc.c
+
+    FLAGS="-Wno-deprecated-register -Wno-unknown-pragmas -Wno-deprecated-objc-isa-usage -Wno-invalid-offsetof -Wno-inline-new-delete  -Wno-cast-of-sel-type -Iruntime -Ibuild/include -Iruntime/Accessors.subproj -D_LIBCPP_VISIBLE= -DOS_OBJECT_USE_OBJC=0 -DNDEBUG=1"
+
+    cc -std=gnu++11 $FLAGS -c runtime/hashtable2.mm
+    cc -std=gnu++11 $FLAGS -c runtime/maptable.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-auto.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-cache.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-class-old.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-class.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-errors.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-exception.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-file.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-initialize.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-layout.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-load.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-loadmethod.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-lockdebug.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-runtime-new.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-runtime-old.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-runtime.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-sel-set.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-sel.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-sync.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-typeencoding.mm
+    cc -std=gnu++11 $FLAGS -c runtime/Object.mm
+    cc -std=gnu++11 $FLAGS -c runtime/Protocol.mm
+
+    cc -std=gnu++11 $FLAGS -c runtime/objc-references.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-os.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-auto-dump.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-file-old.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-block-trampolines.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-externalref.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-weak.mm
+    cc -std=gnu++11 $FLAGS -c runtime/NSObject.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-opt.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-cache-old.mm
+    cc -std=gnu++11 $FLAGS -c runtime/objc-sel-old.mm
+
+    cc -std=gnu++11 $FLAGS -c runtime/Accessors.subproj/objc-accessors.mm
+
+    cc $FLAGS -c runtime/objc-sel-table.s
+
+    cc $FLAGS -c runtime/OldClasses.subproj/List.m
+    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-arm.s
+    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-i386.s
+    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-x86_64.s
+    cc $FLAGS -c runtime/Messengers.subproj/objc-msg-simulator-i386.s
+
+    cc $FLAGS -c runtime/a1a2-blocktramps-i386.s
+    cc $FLAGS -c runtime/a2a3-blocktramps-i386.s
+
+    cc $FLAGS -c runtime/a1a2-blocktramps-x86_64.s
+    cc $FLAGS -c runtime/a2a3-blocktramps-x86_64.s
+
+    cc $FLAGS -c runtime/a1a2-blocktramps-arm.s
+    cc $FLAGS -c runtime/a2a3-blocktramps-arm.s
+
+    c++ -Wl,-no_dtrace_dof --stdlib=libc++ -dynamiclib -lauto -install_name $out/lib/libobjc.dylib -o libobjc.dylib *.o
+
+    ./markgc -p libobjc.dylib
+  '';
+
+  installPhase = ''
+    mkdir -p $out/include $out/lib
+
+    mv build/include/objc $out/include
+    mv libobjc.dylib $out/lib
+  '';
+}
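Review bot: `buildPhase` invokes bare `cc` and `c++`, whereas libresolv/default.nix in this commit uses `$CC`. Using `$CC`/`$CXX` leaves the compiler choice to stdenv instead of relying on a `cc` name on PATH, which matters most for `markgc`, a helper that is compiled and then executed during the build (`./markgc -p libobjc.dylib`). `-DNDEBUG=1` in `FLAGS` also compiles out `assert()` in the runtime, including the `assert(is_valid_direct_key(k))` lines visible as context in spinlocks.patch; a comment such as `# NDEBUG: release build, runtime asserts intentionally disabled` would confirm that is intended. The derivation also has no `meta.platforms`.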
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/spinlocks.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/spinlocks.patch
new file mode 100644
index 000000000000..50c6a983fe4d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/objc4/spinlocks.patch
@@ -0,0 +1,107 @@
+--- objc4-551.1/runtime/objc-os.h	2013-06-10 21:16:15.000000000 -0400
++++ ../objc4-551.1/runtime/objc-os.h	2015-01-19 01:01:36.000000000 -0500
+@@ -77,27 +77,72 @@
+ #   include <mach-o/getsect.h>
+ #   include <mach-o/dyld_priv.h>
+ #   include <malloc/malloc.h>
+-#   include <os/lock_private.h>
+ #   include <libkern/OSAtomic.h>
+ #   include <libkern/OSCacheControl.h>
+-#   include <System/pthread_machdep.h>
+ #   include "objc-probes.h"  // generated dtrace probe definitions.
+ 
++#define __PTK_FRAMEWORK_OBJC_KEY5 45
++#define __PTK_FRAMEWORK_OBJC_KEY6 46
++#define __PTK_FRAMEWORK_OBJC_KEY7 47
++#define __PTK_FRAMEWORK_OBJC_KEY8 48
++#define __PTK_FRAMEWORK_OBJC_KEY9 49
++
++extern "C" int pthread_key_init_np(int, void (*)(void *));
++
+ // Some libc functions call objc_msgSend() 
+ // so we can't use them without deadlocks.
+ void syslog(int, const char *, ...) UNAVAILABLE_ATTRIBUTE;
+ void vsyslog(int, const char *, va_list) UNAVAILABLE_ATTRIBUTE;
+ 
++#if defined(__i386__) || defined(__x86_64__)
++
++// Inlined spinlock.
++// Not for arm on iOS because it hurts uniprocessor performance.
++
++#define ARR_SPINLOCK_INIT 0
++// XXX -- Careful: OSSpinLock isn't volatile, but should be
++typedef volatile int ARRSpinLock;
++__attribute__((always_inline))
++static inline void ARRSpinLockLock(ARRSpinLock *l)
++{
++    unsigned y;
++again:
++    if (__builtin_expect(__sync_lock_test_and_set(l, 1), 0) == 0) {
++        return;
++    }
++    for (y = 1000; y; y--) {
++#if defined(__i386__) || defined(__x86_64__)
++        asm("pause");
++#endif
++        if (*l == 0) goto again;
++    }
++    thread_switch(THREAD_NULL, SWITCH_OPTION_DEPRESS, 1);
++    goto again;
++}
++__attribute__((always_inline))
++static inline void ARRSpinLockUnlock(ARRSpinLock *l)
++{
++    __sync_lock_release(l);
++}
++__attribute__((always_inline))
++static inline int ARRSpinLockTry(ARRSpinLock *l)
++{
++    return __sync_bool_compare_and_swap(l, 0, 1);
++}
++
++#define spinlock_t ARRSpinLock
++#define spinlock_trylock(l) ARRSpinLockTry(l)
++#define spinlock_lock(l) ARRSpinLockLock(l)
++#define spinlock_unlock(l) ARRSpinLockUnlock(l)
++#define SPINLOCK_INITIALIZER ARR_SPINLOCK_INIT 
+ 
+-#define spinlock_t os_lock_handoff_s
+-#define spinlock_trylock(l) os_lock_trylock(l)
+-#define spinlock_lock(l) os_lock_lock(l)
+-#define spinlock_unlock(l) os_lock_unlock(l)
+-#define SPINLOCK_INITIALIZER OS_LOCK_HANDOFF_INIT
++#endif
+ 
+ 
+ #if !TARGET_OS_IPHONE
+-#   include <CrashReporterClient.h>
++#define CRSetCrashLogMessage(msg)
++#define CRGetCrashLogMessage() 0
++#define CRSetCrashLogMessage2(msg)
+ #else
+     // CrashReporterClient not yet available on iOS
+     __BEGIN_DECLS
+@@ -594,21 +639,13 @@
+ { 
+     assert(is_valid_direct_key(k));
+ 
+-    if (_pthread_has_direct_tsd()) {
+-        return _pthread_getspecific_direct(k);
+-    } else {
+-        return pthread_getspecific(k);
+-    }
++    return pthread_getspecific(k);
+ }
+ static inline void tls_set_direct(tls_key_t k, void *value) 
+ { 
+     assert(is_valid_direct_key(k));
+ 
+-    if (_pthread_has_direct_tsd()) {
+-        _pthread_setspecific_direct(k, value);
+-    } else {
+-        pthread_setspecific(k, value);
+-    }
++    pthread_setspecific(k, value);
+ }
+ 
+ // not arm
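Review bot: The five `__PTK_FRAMEWORK_OBJC_KEY*` values (45–49) are hard-coded in the first inner hunk, presumably to replace definitions from the removed `<System/pthread_machdep.h>` include, and the second inner hunk passes direct keys straight to `pthread_getspecific`/`pthread_setspecific`. If these numbers differ from the slots reserved for the Objective-C runtime by the libpthread in use, the runtime would read and write thread-specific data belonging to another component. A comment such as `// copied from <System/pthread_machdep.h>; must match the libpthread this links against` would make the values checkable on each version bump. The replacement spinlock macros are also defined only under `#if defined(__i386__) || defined(__x86_64__)`, so `spinlock_t` appears to be left undefined on other architectures now that the `os_lock` definitions are removed.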
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ppp/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ppp/default.nix
new file mode 100644
index 000000000000..4ced564ffb72
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/ppp/default.nix
@@ -0,0 +1,15 @@
+{ appleDerivation', stdenv }:
+
+appleDerivation' stdenv {
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/include/ppp
+
+    cp Controller/ppp_msg.h                    $out/include/ppp
+    cp Controller/pppcontroller_types.h        $out/include/ppp
+    cp Controller/pppcontroller_types.h        $out/include
+    cp Controller/pppcontroller.defs           $out/include/ppp
+    cp Controller/pppcontroller_mach_defines.h $out/include
+    cp Controller/PPPControllerPriv.h          $out/include/ppp
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/removefile/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/removefile/default.nix
new file mode 100644
index 000000000000..611f445e1ec9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/removefile/default.nix
@@ -0,0 +1,13 @@
+{ appleDerivation', stdenvNoCC }:
+
+appleDerivation' stdenvNoCC {
+  installPhase = ''
+    mkdir -p $out/include/
+    cp removefile.h checkint.h $out/include/
+  '';
+
+  appleHeaders = ''
+    checkint.h
+    removefile.h
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/shell_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/shell_cmds/default.nix
new file mode 100644
index 000000000000..a8352285c78e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/shell_cmds/default.nix
@@ -0,0 +1,50 @@
+{ lib, appleDerivation, xcbuildHook, launchd }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook launchd ];
+
+  patchPhase = ''
+    # NOTE: these hashes must be recalculated for each version change
+
+    # disables:
+    # - su ('security/pam_appl.h' file not found)
+    # - find (Undefined symbol '_get_date')
+    # - w (Undefined symbol '_res_9_init')
+    # - expr
+    substituteInPlace shell_cmds.xcodeproj/project.pbxproj \
+      --replace "FCBA168714A146D000AA698B /* PBXTargetDependency */," "" \
+      --replace "FCBA165914A146D000AA698B /* PBXTargetDependency */," "" \
+      --replace "FCBA169514A146D000AA698B /* PBXTargetDependency */," "" \
+      --replace "FCBA165514A146D000AA698B /* PBXTargetDependency */," ""
+
+    # disable w, test install
+    # get rid of permission stuff
+    substituteInPlace xcodescripts/install-files.sh \
+      --replace 'ln -f "$BINDIR/w" "$BINDIR/uptime"' "" \
+      --replace 'ln -f "$DSTROOT/bin/test" "$DSTROOT/bin/["' "" \
+      --replace "-o root -g wheel -m 0755" "" \
+      --replace "-o root -g wheel -m 0644" ""
+  '';
+
+  # temporary install phase until xcodebuild has "install" support
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/usr/bin/$(basename $f)
+      fi
+    done
+
+    export DSTROOT=$out
+    export SRCROOT=$PWD
+    . xcodescripts/install-files.sh
+
+    mv $out/usr/* $out
+    mv $out/private/etc $out
+    rmdir $out/usr $out/private
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
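Review bot: The two `--replace` calls that strip `-o root -g wheel` from `xcodescripts/install-files.sh` also strip `-m 0755` and `-m 0644`, so every file the script installs gets `install`'s default mode instead of the mode upstream chose. Dropping only the ownership preserves the non-executable mode on data files: `--replace "-o root -g wheel -m 0644" "-m 0644"`, and likewise for 0755. The script is then sourced into the build shell with `. xcodescripts/install-files.sh`, so any variable it sets or `exit` it runs affects the rest of `installPhase`. If it does not depend on shell state beyond the exported `DSTROOT` and `SRCROOT`, running it as `sh xcodescripts/install-files.sh` would isolate it.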
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
new file mode 100644
index 000000000000..d42d142ef6ee
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
@@ -0,0 +1,109 @@
+{ stdenv, appleDerivation, lib
+, libutil, Librpcsvc, apple_sdk, pam, CF, openbsm }:
+
+appleDerivation {
+  # xcbuild fails with:
+  # /nix/store/fc0rz62dh8vr648qi7hnqyik6zi5sqx8-xcbuild-wrapper/nix-support/setup-hook: line 1:  9083 Segmentation fault: 11  xcodebuild OTHER_CFLAGS="$NIX_CFLAGS_COMPILE" OTHER_CPLUSPLUSFLAGS="$NIX_CFLAGS_COMPILE" OTHER_LDFLAGS="$NIX_LDFLAGS" build
+  # see issue facebook/xcbuild#188
+  # buildInputs = [ xcbuild ];
+
+  buildInputs = [ libutil Librpcsvc apple_sdk.frameworks.OpenDirectory pam CF
+                  apple_sdk.frameworks.IOKit openbsm ];
+  # NIX_CFLAGS_COMPILE = lib.optionalString hostPlatform.isi686 "-D__i386__"
+  #                    + lib.optionalString hostPlatform.isx86_64 "-D__x86_64__"
+  #                    + lib.optionalString hostPlatform.isAarch32 "-D__arm__";
+  NIX_CFLAGS_COMPILE = [ "-DDAEMON_UID=1"
+                         "-DDAEMON_GID=1"
+                         "-DDEFAULT_AT_QUEUE='a'"
+                         "-DDEFAULT_BATCH_QUEUE='b'"
+                         "-DPERM_PATH=\"/usr/lib/cron/\""
+                         "-DOPEN_DIRECTORY"
+                         "-DNO_DIRECT_RPC"
+                         "-DAPPLE_GETCONF_UNDERSCORE"
+                         "-DAPPLE_GETCONF_SPEC"
+                         "-DUSE_PAM"
+                         "-DUSE_BSM_AUDIT"
+                         "-D_PW_NAME_LEN=MAXLOGNAME"
+                         "-D_PW_YPTOKEN=\"__YP!\""
+                         "-DAHZV1=64 "
+                         "-DAU_SESSION_FLAG_HAS_TTY=0x4000"
+                         "-DAU_SESSION_FLAG_HAS_AUTHENTICATED=0x4000"
+                       ] ++ lib.optional (!stdenv.isLinux) " -D__FreeBSD__ ";
+
+  patchPhase = ''
+    substituteInPlace login.tproj/login.c \
+      --replace bsm/audit_session.h bsm/audit.h
+    substituteInPlace login.tproj/login_audit.c \
+      --replace bsm/audit_session.h bsm/audit.h
+  '' + lib.optionalString stdenv.isAarch64 ''
+    substituteInPlace sysctl.tproj/sysctl.c \
+      --replace "GPROF_STATE" "0"
+    substituteInPlace login.tproj/login.c \
+      --replace "defined(__arm__)" "defined(__arm__) || defined(__arm64__)"
+  '';
+
+  buildPhase = ''
+    for dir in *.tproj; do
+      name=$(basename $dir)
+      name=''${name%.tproj}
+
+      CFLAGS=""
+      case $name in
+           arch) CFLAGS="-framework CoreFoundation";;
+           atrun) CFLAGS="-Iat.tproj";;
+           chkpasswd)
+             CFLAGS="-framework OpenDirectory -framework CoreFoundation -lpam";;
+           getconf)
+               for f in getconf.tproj/*.gperf; do
+                   cfile=''${f%.gperf}.c
+                   LC_ALL=C awk -f getconf.tproj/fake-gperf.awk $f > $cfile
+               done
+           ;;
+           iostat) CFLAGS="-framework IOKit -framework CoreFoundation";;
+           login) CFLAGS="-lbsm -lpam";;
+           nvram) CFLAGS="-framework CoreFoundation -framework IOKit";;
+           sadc) CFLAGS="-framework IOKit -framework CoreFoundation";;
+           sar) CFLAGS="-Isadc.tproj";;
+      esac
+
+      echo "Building $name"
+
+      case $name in
+
+           # These are all broken currently.
+           arch) continue;;
+           chpass) continue;;
+           dirhelper) continue;;
+           dynamic_pager) continue;;
+           fs_usage) continue;;
+           latency) continue;;
+           pagesize) continue;;
+           passwd) continue;;
+           reboot) continue;;
+           sc_usage) continue;;
+           shutdown) continue;;
+           trace) continue;;
+
+           *) cc $dir/*.c -I''${dir} $CFLAGS -o $name ;;
+      esac
+    done
+  '';
+
+  installPhase = ''
+    for dir in *.tproj; do
+      name=$(basename $dir)
+      name=''${name%.tproj}
+      [ -x $name ] && install -D $name $out/bin/$name
+      for n in 1 2 3 4 5 6 7 8 9; do
+        for f in $dir/*.$n; do
+          install -D $f $out/share/man/man$n/$(basename $f)
+        done
+      done
+    done
+  '';
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ shlevy matthewbauer ];
+  };
+}
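Review bot: `-DAU_SESSION_FLAG_HAS_TTY=0x4000` and `-DAU_SESSION_FLAG_HAS_AUTHENTICATED=0x4000` in `NIX_CFLAGS_COMPILE` give two different audit-session flags the same bit. Any code in login that sets or tests one of them therefore also sets or tests the other. `patchPhase` swaps `bsm/audit_session.h` for `bsm/audit.h`, so these defines appear to be the only source of the values. In Apple's `audit_session.h` the TTY flag is a separate bit (0x0020, as far as I recall; verify against the header), which would make the line `"-DAU_SESSION_FLAG_HAS_TTY=0x0020"`.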
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/text_cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/text_cmds/default.nix
new file mode 100644
index 000000000000..672bb443242b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/text_cmds/default.nix
@@ -0,0 +1,29 @@
+{ lib, appleDerivation, xcbuildHook, ncurses, bzip2, zlib, xz }:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ ncurses bzip2 zlib xz ];
+
+  # patches to use ncursees
+  # disables md5
+  patchPhase = ''
+    substituteInPlace text_cmds.xcodeproj/project.pbxproj \
+          --replace 'FC6C98FB149A94EB00DDCC47 /* libcurses.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libcurses.dylib; path = /usr/lib/libcurses.dylib; sourceTree = "<absolute>"; };' 'FC6C98FB149A94EB00DDCC47 /* libncurses.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libncurses.dylib; path = /usr/lib/libncurses.dylib; sourceTree = "<absolute>"; };' \
+      --replace 'FC7A7EB5149875E00086576A /* PBXTargetDependency */,' ""
+  '';
+
+  installPhase = ''
+    for f in Products/Release/*; do
+      if [ -f $f ]; then
+        install -D $f $out/bin/$(basename $f)
+      fi
+    done
+  '';
+
+  NIX_CFLAGS_COMPILE=[ "-Wno-error=format-security" ]; # hardeningDisable doesn't cut it
+
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
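Review bot: `NIX_CFLAGS_COMPILE=[ "-Wno-error=format-security" ]` downgrades format-string diagnostics for every tool built from text_cmds. The comment `# hardeningDisable doesn't cut it` does not say which source file needs the exception. These tools parse arbitrary text input, so the exception should be traceable and easy to drop later. A comment along the lines of `# <FILE>.c passes a non-literal format string; remove once patched` (file name to be filled in from the build log) would record that.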
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/top/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/top/default.nix
new file mode 100644
index 000000000000..ef766f7bd7f1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/top/default.nix
@@ -0,0 +1,19 @@
+{xcbuildHook, appleDerivation, apple_sdk, ncurses, libutil, lib}:
+
+appleDerivation {
+  nativeBuildInputs = [ xcbuildHook ];
+  buildInputs = [ apple_sdk.frameworks.IOKit ncurses libutil ];
+  # Workaround build failure on -fno-common toolchains:
+  #   duplicate symbol '_tsamp' in: main.o top.o
+  NIX_CFLAGS_COMPILE = "-fcommon";
+  NIX_LDFLAGS = "-lutil";
+  installPhase = ''
+    install -D Products/Release/libtop.a $out/lib/libtop.a
+    install -D Products/Release/libtop.h $out/include/libtop.h
+    install -D Products/Release/top $out/bin/top
+  '';
+  meta = {
+    platforms = lib.platforms.darwin;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix
new file mode 100644
index 000000000000..8b0d2054d58a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix
@@ -0,0 +1,160 @@
+{ appleDerivation', lib, stdenv, stdenvNoCC, buildPackages
+, bootstrap_cmds, bison, flex
+, gnum4, unifdef, perl, python3
+, headersOnly ? true
+}:
+
+appleDerivation' (if headersOnly then stdenvNoCC else stdenv) (
+  let arch = if stdenv.isx86_64 then "x86_64" else "arm64";
+  in
+  {
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+  nativeBuildInputs = [ bootstrap_cmds bison flex gnum4 unifdef perl python3 ];
+
+  patches = lib.optional stdenv.isx86_64 [ ./python3.patch ];
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace "/bin/" "" \
+      --replace "MAKEJOBS := " '# MAKEJOBS := '
+
+    substituteInPlace makedefs/MakeInc.cmd \
+      --replace "/usr/bin/" "" \
+      --replace "/bin/" "" \
+      --replace "-Werror " ""
+
+    substituteInPlace makedefs/MakeInc.def \
+      --replace "-c -S -m" "-c -m"
+
+    substituteInPlace makedefs/MakeInc.top \
+      --replace "MEMORY_SIZE := " 'MEMORY_SIZE := 1073741824 # '
+
+    substituteInPlace libkern/kxld/Makefile \
+      --replace "-Werror " ""
+
+    substituteInPlace SETUP/kextsymboltool/Makefile \
+      --replace "-lstdc++" "-lc++"
+
+    substituteInPlace libsyscall/xcodescripts/mach_install_mig.sh \
+      --replace "/usr/include" "/include" \
+      --replace "/usr/local/include" "/include" \
+      --replace 'MIG=`' "# " \
+      --replace 'MIGCC=`' "# " \
+      --replace " -o 0" "" \
+      --replace '$SRC/$mig' '-I$DSTROOT/include $SRC/$mig' \
+      --replace '$SRC/servers/netname.defs' '-I$DSTROOT/include $SRC/servers/netname.defs' \
+      --replace '$BUILT_PRODUCTS_DIR/mig_hdr' '$BUILT_PRODUCTS_DIR' \
+      --replace 'MACHINE_ARCH=armv7' 'MACHINE_ARCH=arm64' # this might break the comments saying 32-bit is required
+
+    patchShebangs .
+  '' + lib.optionalString stdenv.isAarch64 ''
+    # iig is closed-sourced, we don't have it
+    # create an empty file to the header instead
+    # this line becomes: echo "" > $@; echo --header ...
+    substituteInPlace iokit/DriverKit/Makefile \
+      --replace '--def $<' '> $@; echo'
+  '';
+
+  PLATFORM = "MacOSX";
+  SDKVERSION = "10.11";
+  CC = "${stdenv.cc.targetPrefix or ""}cc";
+  CXX = "${stdenv.cc.targetPrefix or ""}c++";
+  MIG = "mig";
+  MIGCOM = "migcom";
+  STRIP = "${stdenv.cc.bintools.targetPrefix or ""}strip";
+  NM = "${stdenv.cc.bintools.targetPrefix or ""}nm";
+  UNIFDEF = "unifdef";
+  DSYMUTIL = "dsymutil";
+  HOST_OS_VERSION = "10.10";
+  HOST_CC = "${buildPackages.stdenv.cc.targetPrefix or ""}cc";
+  HOST_FLEX = "flex";
+  HOST_BISON = "bison";
+  HOST_GM4 = "m4";
+  MIGCC = "cc";
+  ARCHS = arch;
+  ARCH_CONFIGS = arch;
+
+  NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  preBuild = let macosVersion =
+    "10.0 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11" +
+    lib.optionalString stdenv.isAarch64 " 10.12 10.13 10.14 10.15 11.0";
+   in ''
+    # This is a bit of a hack...
+    mkdir -p sdk/usr/local/libexec
+
+    cat > sdk/usr/local/libexec/availability.pl <<EOF
+      #!$SHELL
+      if [ "\$1" == "--macosx" ]; then
+        echo ${macosVersion}
+      elif [ "\$1" == "--ios" ]; then
+        echo 2.0 2.1 2.2 3.0 3.1 3.2 4.0 4.1 4.2 4.3 5.0 5.1 6.0 6.1 7.0 8.0 9.0
+      fi
+    EOF
+    chmod +x sdk/usr/local/libexec/availability.pl
+
+    export SDKROOT_RESOLVED=$PWD/sdk
+    export HOST_SDKROOT_RESOLVED=$PWD/sdk
+
+    export BUILT_PRODUCTS_DIR=.
+    export DSTROOT=$out
+  '';
+
+  buildFlags = lib.optional headersOnly "exporthdrs";
+  installTargets = lib.optional headersOnly "installhdrs";
+
+  postInstall = lib.optionalString headersOnly ''
+    mv $out/usr/include $out
+
+    (cd BUILD/obj/EXPORT_HDRS && find -type f -exec install -D \{} $out/include/\{} \;)
+
+    # TODO: figure out why I need to do this
+    cp libsyscall/wrappers/*.h $out/include
+    install -D libsyscall/os/tsd.h $out/include/os/tsd.h
+    cp EXTERNAL_HEADERS/AssertMacros.h $out/include
+    cp EXTERNAL_HEADERS/Availability*.h $out/System/Library/Frameworks/Kernel.framework/Versions/A/Headers/
+    cp -r EXTERNAL_HEADERS/corecrypto $out/include
+
+    # Build the mach headers we crave
+    export SRCROOT=$PWD/libsyscall
+    export DERIVED_SOURCES_DIR=$out/include
+    export SDKROOT=$out
+    export OBJROOT=$PWD
+    export BUILT_PRODUCTS_DIR=$out
+    libsyscall/xcodescripts/mach_install_mig.sh
+
+    # Get rid of the System prefix
+    mv $out/System/* $out/
+    rmdir $out/System
+
+    # TODO: do I need this?
+    mv $out/internal_hdr/include/mach/*.h $out/include/mach
+
+    # Get rid of some junk lying around
+    rm -rf $out/internal_hdr $out/usr $out/local
+
+    # Add some symlinks
+    ln -s $out/Library/Frameworks/System.framework/Versions/B \
+          $out/Library/Frameworks/System.framework/Versions/Current
+    ln -s $out/Library/Frameworks/System.framework/Versions/Current/PrivateHeaders \
+          $out/Library/Frameworks/System.framework/Headers
+
+    # IOKit (and possibly the others) is incomplete,
+    # so let's not make it visible from here...
+    mkdir $out/Library/PrivateFrameworks
+    mv $out/Library/Frameworks/IOKit.framework $out/Library/PrivateFrameworks
+  '';
+
+  appleHeaders = builtins.readFile (./. + "/headers-${arch}.txt");
+} // lib.optionalAttrs headersOnly {
+  HOST_CODESIGN = "echo";
+  HOST_CODESIGN_ALLOCATE = "echo";
+  LIPO = "echo";
+  LIBTOOL = "echo";
+  CTFCONVERT = "echo";
+  CTFMERGE = "echo";
+  CTFINSERT = "echo";
+  NMEDIT = "echo";
+  IIG = "echo";
+})
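Review bot: `patches = lib.optional stdenv.isx86_64 [ ./python3.patch ];` wraps a list in another list, because `lib.optional` already returns a one-element list. It only works because derivation attributes are flattened when coerced to strings. `lib.optionals` is the list form: `patches = lib.optionals stdenv.isx86_64 [ ./python3.patch ];`. Separately, in `preBuild` the heredoc body is indented deeper than the surrounding lines, so `#!$SHELL` probably lands in `availability.pl` with leading spaces and is not treated as a shebang. The script then runs only through the caller's shell fallback, while its `[ ... == ... ]` tests are a bash extension.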
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-arm64.txt b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-arm64.txt
new file mode 100644
index 000000000000..fe17d8784e41
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-arm64.txt
@@ -0,0 +1,1486 @@
+AssertMacros.h
+_errno.h
+_libkernel_init.h
+arm/_limits.h
+arm/_mcontext.h
+arm/_param.h
+arm/_types.h
+arm/arch.h
+arm/endian.h
+arm/fasttrap_isa.h
+arm/limits.h
+arm/param.h
+arm/profile.h
+arm/signal.h
+arm/types.h
+arm/vmparam.h
+atm/atm_notification.defs
+atm/atm_types.defs
+atm/atm_types.h
+bank/bank_types.h
+bsd/arm/_limits.h
+bsd/arm/_mcontext.h
+bsd/arm/_param.h
+bsd/arm/_types.h
+bsd/arm/endian.h
+bsd/arm/limits.h
+bsd/arm/param.h
+bsd/arm/profile.h
+bsd/arm/signal.h
+bsd/arm/types.h
+bsd/arm/vmparam.h
+bsd/bsm/audit.h
+bsd/crypto/entropy/diag_entropy_sysctl.h
+bsd/dev/random/randomdev.h
+bsd/libkern/copyio.h
+bsd/libkern/libkern.h
+bsd/machine/_limits.h
+bsd/machine/_mcontext.h
+bsd/machine/_param.h
+bsd/machine/_types.h
+bsd/machine/byte_order.h
+bsd/machine/disklabel.h
+bsd/machine/endian.h
+bsd/machine/limits.h
+bsd/machine/param.h
+bsd/machine/profile.h
+bsd/machine/signal.h
+bsd/machine/types.h
+bsd/machine/vmparam.h
+bsd/miscfs/devfs/devfs.h
+bsd/miscfs/devfs/devfs_proto.h
+bsd/miscfs/devfs/devfsdefs.h
+bsd/miscfs/devfs/fdesc.h
+bsd/miscfs/fifofs/fifo.h
+bsd/miscfs/specfs/specdev.h
+bsd/miscfs/union/union.h
+bsd/net/bpf.h
+bsd/net/dlil.h
+bsd/net/ethernet.h
+bsd/net/if.h
+bsd/net/if_arp.h
+bsd/net/if_dl.h
+bsd/net/if_ether.h
+bsd/net/if_llc.h
+bsd/net/if_media.h
+bsd/net/if_mib.h
+bsd/net/if_types.h
+bsd/net/if_utun.h
+bsd/net/if_var.h
+bsd/net/init.h
+bsd/net/kext_net.h
+bsd/net/kpi_interface.h
+bsd/net/kpi_interfacefilter.h
+bsd/net/kpi_protocol.h
+bsd/net/ndrv.h
+bsd/net/net_kev.h
+bsd/net/pfkeyv2.h
+bsd/net/radix.h
+bsd/net/route.h
+bsd/netinet/bootp.h
+bsd/netinet/icmp6.h
+bsd/netinet/icmp_var.h
+bsd/netinet/if_ether.h
+bsd/netinet/igmp.h
+bsd/netinet/igmp_var.h
+bsd/netinet/in.h
+bsd/netinet/in_arp.h
+bsd/netinet/in_pcb.h
+bsd/netinet/in_systm.h
+bsd/netinet/in_var.h
+bsd/netinet/ip.h
+bsd/netinet/ip6.h
+bsd/netinet/ip_icmp.h
+bsd/netinet/ip_var.h
+bsd/netinet/kpi_ipfilter.h
+bsd/netinet/tcp.h
+bsd/netinet/tcp_fsm.h
+bsd/netinet/tcp_seq.h
+bsd/netinet/tcp_timer.h
+bsd/netinet/tcp_var.h
+bsd/netinet/tcpip.h
+bsd/netinet/udp.h
+bsd/netinet/udp_var.h
+bsd/netinet6/ah.h
+bsd/netinet6/esp.h
+bsd/netinet6/in6.h
+bsd/netinet6/in6_var.h
+bsd/netinet6/ipcomp.h
+bsd/netinet6/ipsec.h
+bsd/netinet6/nd6.h
+bsd/netinet6/raw_ip6.h
+bsd/netinet6/scope6_var.h
+bsd/netkey/keysock.h
+bsd/pthread/bsdthread_private.h
+bsd/pthread/priority_private.h
+bsd/pthread/workqueue_internal.h
+bsd/pthread/workqueue_syscalls.h
+bsd/pthread/workqueue_trace.h
+bsd/security/audit/audit.h
+bsd/security/audit/audit_bsd.h
+bsd/security/audit/audit_ioctl.h
+bsd/security/audit/audit_private.h
+bsd/sys/_endian.h
+bsd/sys/_select.h
+bsd/sys/_structs.h
+bsd/sys/_types.h
+bsd/sys/_types/_blkcnt_t.h
+bsd/sys/_types/_blksize_t.h
+bsd/sys/_types/_caddr_t.h
+bsd/sys/_types/_clock_t.h
+bsd/sys/_types/_ct_rune_t.h
+bsd/sys/_types/_dev_t.h
+bsd/sys/_types/_errno_t.h
+bsd/sys/_types/_fd_clr.h
+bsd/sys/_types/_fd_copy.h
+bsd/sys/_types/_fd_def.h
+bsd/sys/_types/_fd_isset.h
+bsd/sys/_types/_fd_set.h
+bsd/sys/_types/_fd_setsize.h
+bsd/sys/_types/_fd_zero.h
+bsd/sys/_types/_filesec_t.h
+bsd/sys/_types/_fsblkcnt_t.h
+bsd/sys/_types/_fsfilcnt_t.h
+bsd/sys/_types/_fsid_t.h
+bsd/sys/_types/_fsobj_id_t.h
+bsd/sys/_types/_gid_t.h
+bsd/sys/_types/_guid_t.h
+bsd/sys/_types/_id_t.h
+bsd/sys/_types/_in_addr_t.h
+bsd/sys/_types/_in_port_t.h
+bsd/sys/_types/_ino64_t.h
+bsd/sys/_types/_ino_t.h
+bsd/sys/_types/_int16_t.h
+bsd/sys/_types/_int32_t.h
+bsd/sys/_types/_int64_t.h
+bsd/sys/_types/_int8_t.h
+bsd/sys/_types/_intptr_t.h
+bsd/sys/_types/_iovec_t.h
+bsd/sys/_types/_key_t.h
+bsd/sys/_types/_mach_port_t.h
+bsd/sys/_types/_mbstate_t.h
+bsd/sys/_types/_mode_t.h
+bsd/sys/_types/_nlink_t.h
+bsd/sys/_types/_null.h
+bsd/sys/_types/_o_dsync.h
+bsd/sys/_types/_o_sync.h
+bsd/sys/_types/_off_t.h
+bsd/sys/_types/_offsetof.h
+bsd/sys/_types/_os_inline.h
+bsd/sys/_types/_pid_t.h
+bsd/sys/_types/_posix_vdisable.h
+bsd/sys/_types/_ptrdiff_t.h
+bsd/sys/_types/_rsize_t.h
+bsd/sys/_types/_rune_t.h
+bsd/sys/_types/_s_ifmt.h
+bsd/sys/_types/_sa_family_t.h
+bsd/sys/_types/_seek_set.h
+bsd/sys/_types/_sigaltstack.h
+bsd/sys/_types/_sigset_t.h
+bsd/sys/_types/_size_t.h
+bsd/sys/_types/_socklen_t.h
+bsd/sys/_types/_ssize_t.h
+bsd/sys/_types/_suseconds_t.h
+bsd/sys/_types/_time_t.h
+bsd/sys/_types/_timespec.h
+bsd/sys/_types/_timeval.h
+bsd/sys/_types/_timeval32.h
+bsd/sys/_types/_timeval64.h
+bsd/sys/_types/_u_char.h
+bsd/sys/_types/_u_int.h
+bsd/sys/_types/_u_int16_t.h
+bsd/sys/_types/_u_int32_t.h
+bsd/sys/_types/_u_int64_t.h
+bsd/sys/_types/_u_int8_t.h
+bsd/sys/_types/_u_short.h
+bsd/sys/_types/_ucontext.h
+bsd/sys/_types/_ucontext64.h
+bsd/sys/_types/_uid_t.h
+bsd/sys/_types/_uintptr_t.h
+bsd/sys/_types/_useconds_t.h
+bsd/sys/_types/_user32_itimerval.h
+bsd/sys/_types/_user32_ntptimeval.h
+bsd/sys/_types/_user32_timespec.h
+bsd/sys/_types/_user32_timeval.h
+bsd/sys/_types/_user32_timex.h
+bsd/sys/_types/_user64_itimerval.h
+bsd/sys/_types/_user64_ntptimeval.h
+bsd/sys/_types/_user64_timespec.h
+bsd/sys/_types/_user64_timeval.h
+bsd/sys/_types/_user64_timex.h
+bsd/sys/_types/_user_timespec.h
+bsd/sys/_types/_user_timeval.h
+bsd/sys/_types/_uuid_t.h
+bsd/sys/_types/_va_list.h
+bsd/sys/_types/_wchar_t.h
+bsd/sys/_types/_wint_t.h
+bsd/sys/appleapiopts.h
+bsd/sys/attr.h
+bsd/sys/bsdtask_info.h
+bsd/sys/buf.h
+bsd/sys/cdefs.h
+bsd/sys/codesign.h
+bsd/sys/commpage.h
+bsd/sys/conf.h
+bsd/sys/content_protection.h
+bsd/sys/cprotect.h
+bsd/sys/csr.h
+bsd/sys/decmpfs.h
+bsd/sys/dir.h
+bsd/sys/dirent.h
+bsd/sys/disk.h
+bsd/sys/disklabel.h
+bsd/sys/disktab.h
+bsd/sys/dkstat.h
+bsd/sys/doc_tombstone.h
+bsd/sys/domain.h
+bsd/sys/errno.h
+bsd/sys/ev.h
+bsd/sys/event.h
+bsd/sys/eventhandler.h
+bsd/sys/eventvar.h
+bsd/sys/fbt.h
+bsd/sys/fcntl.h
+bsd/sys/file.h
+bsd/sys/file_internal.h
+bsd/sys/filedesc.h
+bsd/sys/fileport.h
+bsd/sys/filio.h
+bsd/sys/fsctl.h
+bsd/sys/fsevents.h
+bsd/sys/fslog.h
+bsd/sys/guarded.h
+bsd/sys/imgact.h
+bsd/sys/ioccom.h
+bsd/sys/ioctl.h
+bsd/sys/ioctl_compat.h
+bsd/sys/ipc.h
+bsd/sys/kasl.h
+bsd/sys/kauth.h
+bsd/sys/kdebug.h
+bsd/sys/kdebug_kernel.h
+bsd/sys/kdebug_private.h
+bsd/sys/kern_control.h
+bsd/sys/kern_event.h
+bsd/sys/kern_memorystatus.h
+bsd/sys/kern_memorystatus_freeze.h
+bsd/sys/kern_memorystatus_notify.h
+bsd/sys/kern_sysctl.h
+bsd/sys/kernel.h
+bsd/sys/kernel_types.h
+bsd/sys/kpi_mbuf.h
+bsd/sys/kpi_private.h
+bsd/sys/kpi_socket.h
+bsd/sys/kpi_socketfilter.h
+bsd/sys/ktrace.h
+bsd/sys/linker_set.h
+bsd/sys/lock.h
+bsd/sys/lockf.h
+bsd/sys/mach_swapon.h
+bsd/sys/malloc.h
+bsd/sys/mbuf.h
+bsd/sys/md5.h
+bsd/sys/memory_maintenance.h
+bsd/sys/mman.h
+bsd/sys/monotonic.h
+bsd/sys/mount.h
+bsd/sys/mount_internal.h
+bsd/sys/msg.h
+bsd/sys/msgbuf.h
+bsd/sys/munge.h
+bsd/sys/namei.h
+bsd/sys/netport.h
+bsd/sys/param.h
+bsd/sys/paths.h
+bsd/sys/persona.h
+bsd/sys/pgo.h
+bsd/sys/pipe.h
+bsd/sys/posix_sem.h
+bsd/sys/posix_shm.h
+bsd/sys/priv.h
+bsd/sys/proc.h
+bsd/sys/proc_info.h
+bsd/sys/proc_internal.h
+bsd/sys/proc_require.h
+bsd/sys/protosw.h
+bsd/sys/pthread_internal.h
+bsd/sys/pthread_shims.h
+bsd/sys/queue.h
+bsd/sys/quota.h
+bsd/sys/random.h
+bsd/sys/reason.h
+bsd/sys/reboot.h
+bsd/sys/resource.h
+bsd/sys/resourcevar.h
+bsd/sys/sbuf.h
+bsd/sys/select.h
+bsd/sys/sem.h
+bsd/sys/sem_internal.h
+bsd/sys/semaphore.h
+bsd/sys/shm.h
+bsd/sys/shm_internal.h
+bsd/sys/signal.h
+bsd/sys/signalvar.h
+bsd/sys/socket.h
+bsd/sys/socketvar.h
+bsd/sys/sockio.h
+bsd/sys/spawn.h
+bsd/sys/spawn_internal.h
+bsd/sys/stackshot.h
+bsd/sys/stat.h
+bsd/sys/stdio.h
+bsd/sys/sys_domain.h
+bsd/sys/syscall.h
+bsd/sys/sysctl.h
+bsd/sys/syslimits.h
+bsd/sys/syslog.h
+bsd/sys/sysproto.h
+bsd/sys/systm.h
+bsd/sys/termios.h
+bsd/sys/time.h
+bsd/sys/timex.h
+bsd/sys/tree.h
+bsd/sys/tty.h
+bsd/sys/ttychars.h
+bsd/sys/ttycom.h
+bsd/sys/ttydefaults.h
+bsd/sys/ttydev.h
+bsd/sys/types.h
+bsd/sys/ubc.h
+bsd/sys/ucontext.h
+bsd/sys/ucred.h
+bsd/sys/uio.h
+bsd/sys/uio_internal.h
+bsd/sys/ulock.h
+bsd/sys/un.h
+bsd/sys/unicode.h
+bsd/sys/unistd.h
+bsd/sys/unpcb.h
+bsd/sys/user.h
+bsd/sys/utfconv.h
+bsd/sys/ux_exception.h
+bsd/sys/vfs_context.h
+bsd/sys/vm.h
+bsd/sys/vmmeter.h
+bsd/sys/vmparam.h
+bsd/sys/vnode.h
+bsd/sys/vnode_if.h
+bsd/sys/vnode_internal.h
+bsd/sys/vsock.h
+bsd/sys/vsock_domain.h
+bsd/sys/vsock_transport.h
+bsd/sys/wait.h
+bsd/sys/work_interval.h
+bsd/sys/xattr.h
+bsd/uuid/uuid.h
+bsd/vfs/vfs_disk_conditioner.h
+bsd/vfs/vfs_support.h
+bsd/vm/vnode_pager.h
+bsm/audit.h
+bsm/audit_domain.h
+bsm/audit_errno.h
+bsm/audit_fcntl.h
+bsm/audit_internal.h
+bsm/audit_kevents.h
+bsm/audit_record.h
+bsm/audit_socket_type.h
+corecrypto/cc.h
+corecrypto/cc_config.h
+corecrypto/cc_error.h
+corecrypto/cc_fault_canary.h
+corecrypto/cc_macros.h
+corecrypto/cc_priv.h
+corecrypto/cc_runtime_config.h
+corecrypto/ccaes.h
+corecrypto/ccasn1.h
+corecrypto/ccchacha20poly1305.h
+corecrypto/cccmac.h
+corecrypto/ccdes.h
+corecrypto/ccdigest.h
+corecrypto/ccdigest_priv.h
+corecrypto/ccdrbg.h
+corecrypto/ccdrbg_impl.h
+corecrypto/cchmac.h
+corecrypto/cckprng.h
+corecrypto/ccmd4.h
+corecrypto/ccmode.h
+corecrypto/ccmode_impl.h
+corecrypto/ccmode_siv.h
+corecrypto/ccmode_siv_hmac.h
+corecrypto/ccn.h
+corecrypto/ccpad.h
+corecrypto/ccrng.h
+corecrypto/ccrsa.h
+corecrypto/ccsha1.h
+corecrypto/ccsha2.h
+corecrypto/cczp.h
+corecrypto/fipspost_trace.h
+corpses/task_corpse.h
+default_pager/default_pager_types.h
+device/device.defs
+device/device_port.h
+device/device_types.defs
+device/device_types.h
+gethostuuid.h
+gethostuuid_private.h
+iokit/DriverKit/IOBufferMemoryDescriptor.h
+iokit/DriverKit/IODMACommand.h
+iokit/DriverKit/IODataQueueDispatchSource.h
+iokit/DriverKit/IODispatchQueue.h
+iokit/DriverKit/IODispatchSource.h
+iokit/DriverKit/IOInterruptDispatchSource.h
+iokit/DriverKit/IOKitKeys.h
+iokit/DriverKit/IOMemoryDescriptor.h
+iokit/DriverKit/IOMemoryMap.h
+iokit/DriverKit/IORPC.h
+iokit/DriverKit/IOReturn.h
+iokit/DriverKit/IOService.h
+iokit/DriverKit/IOServiceNotificationDispatchSource.h
+iokit/DriverKit/IOTypes.h
+iokit/DriverKit/IOUserClient.h
+iokit/DriverKit/IOUserServer.h
+iokit/DriverKit/OSAction.h
+iokit/DriverKit/OSObject.h
+iokit/IOKit/AppleKeyStoreInterface.h
+iokit/IOKit/IOBSD.h
+iokit/IOKit/IOBufferMemoryDescriptor.h
+iokit/IOKit/IOCPU.h
+iokit/IOKit/IOCatalogue.h
+iokit/IOKit/IOCommand.h
+iokit/IOKit/IOCommandGate.h
+iokit/IOKit/IOCommandPool.h
+iokit/IOKit/IOCommandQueue.h
+iokit/IOKit/IOConditionLock.h
+iokit/IOKit/IODMACommand.h
+iokit/IOKit/IODMAController.h
+iokit/IOKit/IODMAEventSource.h
+iokit/IOKit/IODataQueue.h
+iokit/IOKit/IODataQueueShared.h
+iokit/IOKit/IODeviceMemory.h
+iokit/IOKit/IODeviceTreeSupport.h
+iokit/IOKit/IOEventSource.h
+iokit/IOKit/IOFilterInterruptEventSource.h
+iokit/IOKit/IOHibernatePrivate.h
+iokit/IOKit/IOInterleavedMemoryDescriptor.h
+iokit/IOKit/IOInterruptAccounting.h
+iokit/IOKit/IOInterruptController.h
+iokit/IOKit/IOInterruptEventSource.h
+iokit/IOKit/IOInterrupts.h
+iokit/IOKit/IOKernelReportStructs.h
+iokit/IOKit/IOKernelReporters.h
+iokit/IOKit/IOKitDebug.h
+iokit/IOKit/IOKitDiagnosticsUserClient.h
+iokit/IOKit/IOKitKeys.h
+iokit/IOKit/IOKitKeysPrivate.h
+iokit/IOKit/IOKitServer.h
+iokit/IOKit/IOLib.h
+iokit/IOKit/IOLocks.h
+iokit/IOKit/IOLocksPrivate.h
+iokit/IOKit/IOMapper.h
+iokit/IOKit/IOMemoryCursor.h
+iokit/IOKit/IOMemoryDescriptor.h
+iokit/IOKit/IOMessage.h
+iokit/IOKit/IOMultiMemoryDescriptor.h
+iokit/IOKit/IONVRAM.h
+iokit/IOKit/IONotifier.h
+iokit/IOKit/IOPMGR.h
+iokit/IOKit/IOPlatformActions.h
+iokit/IOKit/IOPlatformExpert.h
+iokit/IOKit/IOPolledInterface.h
+iokit/IOKit/IORPC.h
+iokit/IOKit/IORangeAllocator.h
+iokit/IOKit/IORegistryEntry.h
+iokit/IOKit/IOReportMacros.h
+iokit/IOKit/IOReportTypes.h
+iokit/IOKit/IOReturn.h
+iokit/IOKit/IOService.h
+iokit/IOKit/IOServicePM.h
+iokit/IOKit/IOSharedDataQueue.h
+iokit/IOKit/IOSharedLock.h
+iokit/IOKit/IOStatistics.h
+iokit/IOKit/IOStatisticsPrivate.h
+iokit/IOKit/IOSubMemoryDescriptor.h
+iokit/IOKit/IOSyncer.h
+iokit/IOKit/IOTimeStamp.h
+iokit/IOKit/IOTimerEventSource.h
+iokit/IOKit/IOTypes.h
+iokit/IOKit/IOUserClient.h
+iokit/IOKit/IOUserServer.h
+iokit/IOKit/IOWorkLoop.h
+iokit/IOKit/OSMessageNotification.h
+iokit/IOKit/PassthruInterruptController.h
+iokit/IOKit/assert.h
+iokit/IOKit/nvram/IONVRAMController.h
+iokit/IOKit/platform/AppleMacIO.h
+iokit/IOKit/platform/AppleMacIODevice.h
+iokit/IOKit/platform/AppleNMI.h
+iokit/IOKit/platform/ApplePlatformExpert.h
+iokit/IOKit/platform/IOPlatformIO.h
+iokit/IOKit/power/IOPwrController.h
+iokit/IOKit/pwr_mgt/IOPM.h
+iokit/IOKit/pwr_mgt/IOPMLibDefs.h
+iokit/IOKit/pwr_mgt/IOPMPowerSource.h
+iokit/IOKit/pwr_mgt/IOPMPowerSourceList.h
+iokit/IOKit/pwr_mgt/IOPMpowerState.h
+iokit/IOKit/pwr_mgt/IOPowerConnection.h
+iokit/IOKit/pwr_mgt/RootDomain.h
+iokit/IOKit/rtc/IORTCController.h
+iokit/IOKit/system.h
+iokit/IOKit/system_management/IOWatchDogTimer.h
+kern/exc_guard.h
+kern/exc_resource.h
+kern/kcdata.h
+kern/kern_cdata.h
+libkern/OSByteOrder.h
+libkern/OSDebug.h
+libkern/OSKextLib.h
+libkern/OSReturn.h
+libkern/OSTypes.h
+libkern/_OSByteOrder.h
+libkern/arm/OSByteOrder.h
+libkern/firehose/chunk_private.h
+libkern/firehose/firehose_types_private.h
+libkern/firehose/ioctl_private.h
+libkern/firehose/tracepoint_private.h
+libkern/libkern/Block.h
+libkern/libkern/Block_private.h
+libkern/libkern/OSAtomic.h
+libkern/libkern/OSBase.h
+libkern/libkern/OSByteOrder.h
+libkern/libkern/OSDebug.h
+libkern/libkern/OSKextLib.h
+libkern/libkern/OSKextLibPrivate.h
+libkern/libkern/OSMalloc.h
+libkern/libkern/OSReturn.h
+libkern/libkern/OSSerializeBinary.h
+libkern/libkern/OSTypes.h
+libkern/libkern/_OSByteOrder.h
+libkern/libkern/arm/OSByteOrder.h
+libkern/libkern/c++/OSAllocation.h
+libkern/libkern/c++/OSArray.h
+libkern/libkern/c++/OSBoolean.h
+libkern/libkern/c++/OSBoundedArray.h
+libkern/libkern/c++/OSBoundedArrayRef.h
+libkern/libkern/c++/OSBoundedPtr.h
+libkern/libkern/c++/OSBoundedPtrFwd.h
+libkern/libkern/c++/OSCPPDebug.h
+libkern/libkern/c++/OSCollection.h
+libkern/libkern/c++/OSCollectionIterator.h
+libkern/libkern/c++/OSContainers.h
+libkern/libkern/c++/OSData.h
+libkern/libkern/c++/OSDictionary.h
+libkern/libkern/c++/OSEndianTypes.h
+libkern/libkern/c++/OSIterator.h
+libkern/libkern/c++/OSKext.h
+libkern/libkern/c++/OSLib.h
+libkern/libkern/c++/OSMetaClass.h
+libkern/libkern/c++/OSNumber.h
+libkern/libkern/c++/OSObject.h
+libkern/libkern/c++/OSOrderedSet.h
+libkern/libkern/c++/OSPtr.h
+libkern/libkern/c++/OSSerialize.h
+libkern/libkern/c++/OSSet.h
+libkern/libkern/c++/OSSharedPtr.h
+libkern/libkern/c++/OSString.h
+libkern/libkern/c++/OSSymbol.h
+libkern/libkern/c++/OSUnserialize.h
+libkern/libkern/c++/bounded_array.h
+libkern/libkern/c++/bounded_array_ref.h
+libkern/libkern/c++/bounded_ptr.h
+libkern/libkern/c++/bounded_ptr_fwd.h
+libkern/libkern/c++/intrusive_shared_ptr.h
+libkern/libkern/c++/safe_allocation.h
+libkern/libkern/crc.h
+libkern/libkern/crypto/aes.h
+libkern/libkern/crypto/aesxts.h
+libkern/libkern/crypto/chacha20poly1305.h
+libkern/libkern/crypto/crypto_internal.h
+libkern/libkern/crypto/des.h
+libkern/libkern/crypto/md5.h
+libkern/libkern/crypto/rand.h
+libkern/libkern/crypto/register_crypto.h
+libkern/libkern/crypto/rsa.h
+libkern/libkern/crypto/sha1.h
+libkern/libkern/crypto/sha2.h
+libkern/libkern/img4/interface.h
+libkern/libkern/kernel_mach_header.h
+libkern/libkern/kext_request_keys.h
+libkern/libkern/kxld.h
+libkern/libkern/kxld_types.h
+libkern/libkern/locks.h
+libkern/libkern/machine/OSByteOrder.h
+libkern/libkern/mkext.h
+libkern/libkern/prelink.h
+libkern/libkern/ptrauth_utils.h
+libkern/libkern/section_keywords.h
+libkern/libkern/stack_protector.h
+libkern/libkern/sysctl.h
+libkern/libkern/tree.h
+libkern/libkern/version.h
+libkern/libkern/zconf.h
+libkern/libkern/zlib.h
+libkern/machine/OSByteOrder.h
+libkern/os/atomic.h
+libkern/os/atomic_private.h
+libkern/os/atomic_private_arch.h
+libkern/os/atomic_private_impl.h
+libkern/os/base.h
+libkern/os/base_private.h
+libkern/os/cpp_util.h
+libkern/os/hash.h
+libkern/os/log.h
+libkern/os/log_private.h
+libkern/os/object.h
+libkern/os/overflow.h
+libkern/os/ptrtools.h
+libkern/os/reason_private.h
+libkern/os/refcnt.h
+libkern/os/refcnt_internal.h
+libkern/os/trace.h
+mach/arm/_structs.h
+mach/arm/asm.h
+mach/arm/boolean.h
+mach/arm/exception.h
+mach/arm/kern_return.h
+mach/arm/ndr_def.h
+mach/arm/processor_info.h
+mach/arm/rpc.h
+mach/arm/sdt_isa.h
+mach/arm/syscall_sw.h
+mach/arm/thread_state.h
+mach/arm/thread_status.h
+mach/arm/traps.h
+mach/arm/vm_param.h
+mach/arm/vm_types.h
+mach/arm64/asm.h
+mach/audit_triggers.defs
+mach/audit_triggers_types.h
+mach/boolean.h
+mach/bootstrap.h
+mach/clock.defs
+mach/clock.h
+mach/clock_priv.defs
+mach/clock_priv.h
+mach/clock_reply.defs
+mach/clock_reply.h
+mach/clock_types.defs
+mach/clock_types.h
+mach/dyld_kernel.h
+mach/error.h
+mach/exc.defs
+mach/exc.h
+mach/exception.h
+mach/exception_types.h
+mach/host_info.h
+mach/host_notify.h
+mach/host_notify_reply.defs
+mach/host_priv.defs
+mach/host_priv.h
+mach/host_reboot.h
+mach/host_security.defs
+mach/host_security.h
+mach/host_special_ports.h
+mach/kern_return.h
+mach/kmod.h
+mach/lock_set.defs
+mach/lock_set.h
+mach/mach.h
+mach/mach_error.h
+mach/mach_eventlink.h
+mach/mach_exc.defs
+mach/mach_host.defs
+mach/mach_host.h
+mach/mach_init.h
+mach/mach_interface.h
+mach/mach_param.h
+mach/mach_port.defs
+mach/mach_port.h
+mach/mach_port_internal.h
+mach/mach_right.h
+mach/mach_syscalls.h
+mach/mach_time.h
+mach/mach_traps.h
+mach/mach_types.defs
+mach/mach_types.h
+mach/mach_vm.defs
+mach/mach_vm.h
+mach/mach_vm_internal.h
+mach/mach_voucher.defs
+mach/mach_voucher.h
+mach/mach_voucher_attr_control.defs
+mach/mach_voucher_types.h
+mach/machine.h
+mach/machine/_structs.h
+mach/machine/asm.h
+mach/machine/boolean.h
+mach/machine/exception.h
+mach/machine/kern_return.h
+mach/machine/machine_types.defs
+mach/machine/ndr_def.h
+mach/machine/processor_info.h
+mach/machine/rpc.h
+mach/machine/sdt.h
+mach/machine/sdt_isa.h
+mach/machine/thread_state.h
+mach/machine/thread_status.h
+mach/machine/vm_param.h
+mach/machine/vm_types.h
+mach/memory_entry.defs
+mach/memory_entry.h
+mach/memory_object_types.h
+mach/message.h
+mach/mig.h
+mach/mig_errors.h
+mach/mig_strncpy_zerofill_support.h
+mach/mig_voucher_support.h
+mach/ndr.h
+mach/notify.defs
+mach/notify.h
+mach/policy.h
+mach/port.h
+mach/port_obj.h
+mach/processor.defs
+mach/processor.h
+mach/processor_info.h
+mach/processor_set.defs
+mach/processor_set.h
+mach/rpc.h
+mach/sdt.h
+mach/semaphore.h
+mach/shared_memory_server.h
+mach/shared_region.h
+mach/std_types.defs
+mach/std_types.h
+mach/sync.h
+mach/sync_policy.h
+mach/task.defs
+mach/task.h
+mach/task_access.defs
+mach/task_info.h
+mach/task_inspect.h
+mach/task_policy.h
+mach/task_special_ports.h
+mach/telemetry_notification.defs
+mach/thread_act.defs
+mach/thread_act.h
+mach/thread_act_internal.h
+mach/thread_info.h
+mach/thread_policy.h
+mach/thread_special_ports.h
+mach/thread_state.h
+mach/thread_status.h
+mach/thread_switch.h
+mach/time_value.h
+mach/vm_attributes.h
+mach/vm_behavior.h
+mach/vm_inherit.h
+mach/vm_map.defs
+mach/vm_map.h
+mach/vm_map_internal.h
+mach/vm_page_size.h
+mach/vm_param.h
+mach/vm_prot.h
+mach/vm_purgable.h
+mach/vm_region.h
+mach/vm_statistics.h
+mach/vm_sync.h
+mach/vm_task.h
+mach/vm_types.h
+mach_debug/hash_info.h
+mach_debug/ipc_info.h
+mach_debug/lockgroup_info.h
+mach_debug/mach_debug.h
+mach_debug/mach_debug_types.defs
+mach_debug/mach_debug_types.h
+mach_debug/page_info.h
+mach_debug/vm_info.h
+mach_debug/zone_info.h
+machine/_limits.h
+machine/_mcontext.h
+machine/_param.h
+machine/_types.h
+machine/byte_order.h
+machine/endian.h
+machine/fasttrap_isa.h
+machine/limits.h
+machine/param.h
+machine/profile.h
+machine/signal.h
+machine/types.h
+machine/vmparam.h
+machine_types.modulemap
+miscfs/devfs/devfs.h
+miscfs/specfs/specdev.h
+miscfs/union/union.h
+net/bpf.h
+net/dlil.h
+net/ethernet.h
+net/if.h
+net/if_arp.h
+net/if_dl.h
+net/if_llc.h
+net/if_media.h
+net/if_mib.h
+net/if_types.h
+net/if_utun.h
+net/if_var.h
+net/kext_net.h
+net/ndrv.h
+net/net_kev.h
+net/pfkeyv2.h
+net/route.h
+netinet/bootp.h
+netinet/icmp6.h
+netinet/icmp_var.h
+netinet/if_ether.h
+netinet/igmp.h
+netinet/igmp_var.h
+netinet/in.h
+netinet/in_pcb.h
+netinet/in_systm.h
+netinet/in_var.h
+netinet/ip.h
+netinet/ip6.h
+netinet/ip_icmp.h
+netinet/ip_var.h
+netinet/tcp.h
+netinet/tcp_fsm.h
+netinet/tcp_seq.h
+netinet/tcp_timer.h
+netinet/tcp_var.h
+netinet/tcpip.h
+netinet/udp.h
+netinet/udp_var.h
+netinet6/ah.h
+netinet6/esp.h
+netinet6/in6.h
+netinet6/in6_var.h
+netinet6/ipcomp.h
+netinet6/ipsec.h
+netinet6/nd6.h
+netinet6/raw_ip6.h
+netinet6/scope6_var.h
+netkey/keysock.h
+nfs/krpc.h
+nfs/nfs.h
+nfs/nfs_gss.h
+nfs/nfs_ioctl.h
+nfs/nfs_lock.h
+nfs/nfsdiskless.h
+nfs/nfsm_subs.h
+nfs/nfsmount.h
+nfs/nfsnode.h
+nfs/nfsproto.h
+nfs/nfsrvcache.h
+nfs/rpcv2.h
+nfs/xdr_subs.h
+os/atomic.h
+os/base.h
+os/overflow.h
+os/tsd.h
+osfmk/UserNotification/KUNCUserNotifications.h
+osfmk/UserNotification/UNDReply.defs
+osfmk/UserNotification/UNDRequest.defs
+osfmk/UserNotification/UNDTypes.defs
+osfmk/UserNotification/UNDTypes.h
+osfmk/arm/arch.h
+osfmk/arm/atomic.h
+osfmk/arm/caches_internal.h
+osfmk/arm/cpu_capabilities.h
+osfmk/arm/cpu_number.h
+osfmk/arm/cpu_x86_64_capabilities.h
+osfmk/arm/cpuid.h
+osfmk/arm/cpuid_internal.h
+osfmk/arm/dbgwrap.h
+osfmk/arm/io_map_entries.h
+osfmk/arm/lock.h
+osfmk/arm/locks.h
+osfmk/arm/machine_cpu.h
+osfmk/arm/machine_cpuid.h
+osfmk/arm/machine_kpc.h
+osfmk/arm/machine_routines.h
+osfmk/arm/memory_types.h
+osfmk/arm/monotonic.h
+osfmk/arm/pal_routines.h
+osfmk/arm/pmap_public.h
+osfmk/arm/proc_reg.h
+osfmk/arm/simple_lock.h
+osfmk/arm/smp.h
+osfmk/arm/thread.h
+osfmk/arm/trap.h
+osfmk/arm64/asm.h
+osfmk/arm64/lowglobals.h
+osfmk/arm64/machine_cpuid.h
+osfmk/arm64/machine_kpc.h
+osfmk/arm64/machine_remote_time.h
+osfmk/arm64/monotonic.h
+osfmk/arm64/pal_hibernate.h
+osfmk/arm64/pgtrace.h
+osfmk/arm64/proc_reg.h
+osfmk/arm64/tlb.h
+osfmk/atm/atm_internal.h
+osfmk/atm/atm_notification.defs
+osfmk/atm/atm_types.defs
+osfmk/atm/atm_types.h
+osfmk/bank/bank_types.h
+osfmk/console/serial_protos.h
+osfmk/console/video_console.h
+osfmk/corpses/task_corpse.h
+osfmk/default_pager/default_pager_types.h
+osfmk/device/device.defs
+osfmk/device/device_port.h
+osfmk/device/device_types.defs
+osfmk/device/device_types.h
+osfmk/gssd/gssd_mach.defs
+osfmk/gssd/gssd_mach.h
+osfmk/gssd/gssd_mach_types.h
+osfmk/ipc/ipc_types.h
+osfmk/kdp/kdp_callout.h
+osfmk/kdp/kdp_dyld.h
+osfmk/kdp/kdp_en_debugger.h
+osfmk/kern/affinity.h
+osfmk/kern/arcade.h
+osfmk/kern/arithmetic_128.h
+osfmk/kern/assert.h
+osfmk/kern/audit_sessionport.h
+osfmk/kern/backtrace.h
+osfmk/kern/bits.h
+osfmk/kern/block_hint.h
+osfmk/kern/btlog.h
+osfmk/kern/cambria_layout.h
+osfmk/kern/circle_queue.h
+osfmk/kern/clock.h
+osfmk/kern/coalition.h
+osfmk/kern/cpu_data.h
+osfmk/kern/cpu_number.h
+osfmk/kern/cpu_quiesce.h
+osfmk/kern/cs_blobs.h
+osfmk/kern/debug.h
+osfmk/kern/ecc.h
+osfmk/kern/energy_perf.h
+osfmk/kern/exc_guard.h
+osfmk/kern/exc_resource.h
+osfmk/kern/extmod_statistics.h
+osfmk/kern/host.h
+osfmk/kern/hv_support.h
+osfmk/kern/hv_support_kext.h
+osfmk/kern/ipc_kobject.h
+osfmk/kern/ipc_mig.h
+osfmk/kern/ipc_misc.h
+osfmk/kern/kalloc.h
+osfmk/kern/kcdata.h
+osfmk/kern/kern_cdata.h
+osfmk/kern/kern_types.h
+osfmk/kern/kext_alloc.h
+osfmk/kern/kpc.h
+osfmk/kern/ledger.h
+osfmk/kern/lock.h
+osfmk/kern/lock_group.h
+osfmk/kern/lock_stat.h
+osfmk/kern/locks.h
+osfmk/kern/mach_param.h
+osfmk/kern/macro_help.h
+osfmk/kern/monotonic.h
+osfmk/kern/mpqueue.h
+osfmk/kern/mpsc_queue.h
+osfmk/kern/page_decrypt.h
+osfmk/kern/percpu.h
+osfmk/kern/pms.h
+osfmk/kern/policy_internal.h
+osfmk/kern/priority_queue.h
+osfmk/kern/processor.h
+osfmk/kern/queue.h
+osfmk/kern/remote_time.h
+osfmk/kern/restartable.h
+osfmk/kern/sched_clutch.h
+osfmk/kern/sched_prim.h
+osfmk/kern/sfi.h
+osfmk/kern/simple_lock.h
+osfmk/kern/startup.h
+osfmk/kern/task.h
+osfmk/kern/telemetry.h
+osfmk/kern/thread.h
+osfmk/kern/thread_call.h
+osfmk/kern/thread_group.h
+osfmk/kern/timer_call.h
+osfmk/kern/trustcache.h
+osfmk/kern/turnstile.h
+osfmk/kern/ux_handler.h
+osfmk/kern/waitq.h
+osfmk/kern/work_interval.h
+osfmk/kern/zalloc.h
+osfmk/kextd/kextd_mach.defs
+osfmk/kextd/kextd_mach.h
+osfmk/kperf/action.h
+osfmk/kperf/context.h
+osfmk/kperf/kdebug_trigger.h
+osfmk/kperf/kperf.h
+osfmk/kperf/kperfbsd.h
+osfmk/kperf/kptimer.h
+osfmk/kperf/lazy.h
+osfmk/kperf/pet.h
+osfmk/lockd/lockd_mach.defs
+osfmk/lockd/lockd_mach.h
+osfmk/lockd/lockd_mach_types.h
+osfmk/mach/arcade_upcall_server.h
+osfmk/mach/arm/_structs.h
+osfmk/mach/arm/asm.h
+osfmk/mach/arm/boolean.h
+osfmk/mach/arm/exception.h
+osfmk/mach/arm/kern_return.h
+osfmk/mach/arm/ndr_def.h
+osfmk/mach/arm/processor_info.h
+osfmk/mach/arm/rpc.h
+osfmk/mach/arm/sdt_isa.h
+osfmk/mach/arm/syscall_sw.h
+osfmk/mach/arm/thread_state.h
+osfmk/mach/arm/thread_status.h
+osfmk/mach/arm/traps.h
+osfmk/mach/arm/vm_param.h
+osfmk/mach/arm/vm_types.h
+osfmk/mach/arm64/asm.h
+osfmk/mach/audit_triggers.defs
+osfmk/mach/audit_triggers_server.h
+osfmk/mach/audit_triggers_types.h
+osfmk/mach/boolean.h
+osfmk/mach/clock.defs
+osfmk/mach/clock.h
+osfmk/mach/clock_priv.defs
+osfmk/mach/clock_priv.h
+osfmk/mach/clock_reply.defs
+osfmk/mach/clock_reply_server.h
+osfmk/mach/clock_types.defs
+osfmk/mach/clock_types.h
+osfmk/mach/coalition.h
+osfmk/mach/coalition_notification_server.h
+osfmk/mach/dyld_kernel.h
+osfmk/mach/error.h
+osfmk/mach/exc.defs
+osfmk/mach/exc_server.h
+osfmk/mach/exception.h
+osfmk/mach/exception_types.h
+osfmk/mach/fairplayd_notification_server.h
+osfmk/mach/host_info.h
+osfmk/mach/host_notify.h
+osfmk/mach/host_notify_reply.defs
+osfmk/mach/host_priv.defs
+osfmk/mach/host_priv.h
+osfmk/mach/host_reboot.h
+osfmk/mach/host_security.defs
+osfmk/mach/host_security.h
+osfmk/mach/host_special_ports.h
+osfmk/mach/kern_return.h
+osfmk/mach/kmod.h
+osfmk/mach/ktrace_background.h
+osfmk/mach/lock_set.defs
+osfmk/mach/lock_set.h
+osfmk/mach/mach_eventlink_types.h
+osfmk/mach/mach_exc.defs
+osfmk/mach/mach_exc_server.h
+osfmk/mach/mach_host.defs
+osfmk/mach/mach_host.h
+osfmk/mach/mach_interface.h
+osfmk/mach/mach_param.h
+osfmk/mach/mach_port.defs
+osfmk/mach/mach_port.h
+osfmk/mach/mach_syscalls.h
+osfmk/mach/mach_time.h
+osfmk/mach/mach_traps.h
+osfmk/mach/mach_types.defs
+osfmk/mach/mach_types.h
+osfmk/mach/mach_vm.defs
+osfmk/mach/mach_vm.h
+osfmk/mach/mach_voucher.defs
+osfmk/mach/mach_voucher.h
+osfmk/mach/mach_voucher_attr_control.defs
+osfmk/mach/mach_voucher_attr_control.h
+osfmk/mach/mach_voucher_types.h
+osfmk/mach/machine.h
+osfmk/mach/machine/_structs.h
+osfmk/mach/machine/asm.h
+osfmk/mach/machine/boolean.h
+osfmk/mach/machine/exception.h
+osfmk/mach/machine/kern_return.h
+osfmk/mach/machine/machine_types.defs
+osfmk/mach/machine/ndr_def.h
+osfmk/mach/machine/processor_info.h
+osfmk/mach/machine/rpc.h
+osfmk/mach/machine/sdt.h
+osfmk/mach/machine/sdt_isa.h
+osfmk/mach/machine/syscall_sw.h
+osfmk/mach/machine/thread_state.h
+osfmk/mach/machine/thread_status.h
+osfmk/mach/machine/vm_param.h
+osfmk/mach/machine/vm_types.h
+osfmk/mach/memory_entry.defs
+osfmk/mach/memory_entry.h
+osfmk/mach/memory_object_control.h
+osfmk/mach/memory_object_default_server.h
+osfmk/mach/memory_object_types.h
+osfmk/mach/message.h
+osfmk/mach/mig.h
+osfmk/mach/mig_errors.h
+osfmk/mach/mig_strncpy_zerofill_support.h
+osfmk/mach/mig_voucher_support.h
+osfmk/mach/ndr.h
+osfmk/mach/notify.defs
+osfmk/mach/notify.h
+osfmk/mach/notify_server.h
+osfmk/mach/policy.h
+osfmk/mach/port.h
+osfmk/mach/processor.defs
+osfmk/mach/processor.h
+osfmk/mach/processor_info.h
+osfmk/mach/processor_set.defs
+osfmk/mach/processor_set.h
+osfmk/mach/resource_monitors.h
+osfmk/mach/rpc.h
+osfmk/mach/sdt.h
+osfmk/mach/semaphore.h
+osfmk/mach/sfi_class.h
+osfmk/mach/shared_memory_server.h
+osfmk/mach/shared_region.h
+osfmk/mach/std_types.defs
+osfmk/mach/std_types.h
+osfmk/mach/sync_policy.h
+osfmk/mach/syscall_sw.h
+osfmk/mach/sysdiagnose_notification_server.h
+osfmk/mach/task.defs
+osfmk/mach/task.h
+osfmk/mach/task_access.defs
+osfmk/mach/task_access.h
+osfmk/mach/task_access_server.h
+osfmk/mach/task_info.h
+osfmk/mach/task_inspect.h
+osfmk/mach/task_policy.h
+osfmk/mach/task_special_ports.h
+osfmk/mach/telemetry_notification.defs
+osfmk/mach/telemetry_notification_server.h
+osfmk/mach/thread_act.defs
+osfmk/mach/thread_act.h
+osfmk/mach/thread_info.h
+osfmk/mach/thread_policy.h
+osfmk/mach/thread_special_ports.h
+osfmk/mach/thread_status.h
+osfmk/mach/thread_switch.h
+osfmk/mach/time_value.h
+osfmk/mach/upl.h
+osfmk/mach/vfs_nspace.h
+osfmk/mach/vfs_nspace_server.h
+osfmk/mach/vm_attributes.h
+osfmk/mach/vm_behavior.h
+osfmk/mach/vm_inherit.h
+osfmk/mach/vm_map.defs
+osfmk/mach/vm_map.h
+osfmk/mach/vm_param.h
+osfmk/mach/vm_prot.h
+osfmk/mach/vm_purgable.h
+osfmk/mach/vm_region.h
+osfmk/mach/vm_statistics.h
+osfmk/mach/vm_sync.h
+osfmk/mach/vm_types.h
+osfmk/mach_debug/hash_info.h
+osfmk/mach_debug/ipc_info.h
+osfmk/mach_debug/lockgroup_info.h
+osfmk/mach_debug/mach_debug.h
+osfmk/mach_debug/mach_debug_types.defs
+osfmk/mach_debug/mach_debug_types.h
+osfmk/mach_debug/page_info.h
+osfmk/mach_debug/vm_info.h
+osfmk/mach_debug/zone_info.h
+osfmk/machine/atomic.h
+osfmk/machine/config.h
+osfmk/machine/cpu_capabilities.h
+osfmk/machine/cpu_number.h
+osfmk/machine/io_map_entries.h
+osfmk/machine/lock.h
+osfmk/machine/locks.h
+osfmk/machine/machine_cpuid.h
+osfmk/machine/machine_kpc.h
+osfmk/machine/machine_remote_time.h
+osfmk/machine/machine_routines.h
+osfmk/machine/memory_types.h
+osfmk/machine/monotonic.h
+osfmk/machine/pal_hibernate.h
+osfmk/machine/pal_routines.h
+osfmk/machine/simple_lock.h
+osfmk/machine/smp.h
+osfmk/machine/trap.h
+osfmk/prng/entropy.h
+osfmk/prng/random.h
+osfmk/string.h
+osfmk/tests/ktest.h
+osfmk/tests/xnupost.h
+osfmk/vm/WKdm_new.h
+osfmk/vm/memory_types.h
+osfmk/vm/pmap.h
+osfmk/vm/vm_compressor_algorithms.h
+osfmk/vm/vm_fault.h
+osfmk/vm/vm_kern.h
+osfmk/vm/vm_map.h
+osfmk/vm/vm_options.h
+osfmk/vm/vm_pageout.h
+osfmk/vm/vm_protos.h
+osfmk/vm/vm_shared_region.h
+osfmk/voucher/ipc_pthread_priority_types.h
+pexpert/boot.h
+pexpert/machine/boot.h
+pexpert/machine/protos.h
+pexpert/pexpert.h
+pexpert/pexpert/arm/AIC.h
+pexpert/pexpert/arm/PL192_VIC.h
+pexpert/pexpert/arm/S3cUART.h
+pexpert/pexpert/arm/T8002.h
+pexpert/pexpert/arm/board_config.h
+pexpert/pexpert/arm/boot.h
+pexpert/pexpert/arm/consistent_debug.h
+pexpert/pexpert/arm/dockchannel.h
+pexpert/pexpert/arm/protos.h
+pexpert/pexpert/arm64/AIC.h
+pexpert/pexpert/arm64/BCM2837.h
+pexpert/pexpert/arm64/H7.h
+pexpert/pexpert/arm64/H8.h
+pexpert/pexpert/arm64/H9.h
+pexpert/pexpert/arm64/S3c2410x.h
+pexpert/pexpert/arm64/apple_arm64_common.h
+pexpert/pexpert/arm64/apple_arm64_regs.h
+pexpert/pexpert/arm64/board_config.h
+pexpert/pexpert/arm64/boot.h
+pexpert/pexpert/arm64/spr_locks.h
+pexpert/pexpert/boot.h
+pexpert/pexpert/device_tree.h
+pexpert/pexpert/machine/boot.h
+pexpert/pexpert/machine/protos.h
+pexpert/pexpert/pexpert.h
+pexpert/pexpert/protos.h
+pexpert/protos.h
+san/san/kasan.h
+san/san/ksancov.h
+san/san/memintrinsics.h
+security/audit/audit_ioctl.h
+security/security/_label.h
+security/security/mac.h
+security/security/mac_data.h
+security/security/mac_framework.h
+security/security/mac_internal.h
+security/security/mac_mach_internal.h
+security/security/mac_policy.h
+servers/key_defs.h
+servers/ls_defs.h
+servers/netname.h
+servers/netname_defs.h
+servers/nm_defs.h
+sys/_endian.h
+sys/_posix_availability.h
+sys/_select.h
+sys/_structs.h
+sys/_symbol_aliasing.h
+sys/_types.h
+sys/_types/_blkcnt_t.h
+sys/_types/_blksize_t.h
+sys/_types/_caddr_t.h
+sys/_types/_clock_t.h
+sys/_types/_ct_rune_t.h
+sys/_types/_dev_t.h
+sys/_types/_errno_t.h
+sys/_types/_fd_clr.h
+sys/_types/_fd_copy.h
+sys/_types/_fd_def.h
+sys/_types/_fd_isset.h
+sys/_types/_fd_set.h
+sys/_types/_fd_setsize.h
+sys/_types/_fd_zero.h
+sys/_types/_filesec_t.h
+sys/_types/_fsblkcnt_t.h
+sys/_types/_fsfilcnt_t.h
+sys/_types/_fsid_t.h
+sys/_types/_fsobj_id_t.h
+sys/_types/_gid_t.h
+sys/_types/_guid_t.h
+sys/_types/_id_t.h
+sys/_types/_in_addr_t.h
+sys/_types/_in_port_t.h
+sys/_types/_ino64_t.h
+sys/_types/_ino_t.h
+sys/_types/_int16_t.h
+sys/_types/_int32_t.h
+sys/_types/_int64_t.h
+sys/_types/_int8_t.h
+sys/_types/_intptr_t.h
+sys/_types/_iovec_t.h
+sys/_types/_key_t.h
+sys/_types/_mach_port_t.h
+sys/_types/_mbstate_t.h
+sys/_types/_mode_t.h
+sys/_types/_nlink_t.h
+sys/_types/_null.h
+sys/_types/_o_dsync.h
+sys/_types/_o_sync.h
+sys/_types/_off_t.h
+sys/_types/_offsetof.h
+sys/_types/_os_inline.h
+sys/_types/_pid_t.h
+sys/_types/_posix_vdisable.h
+sys/_types/_ptrdiff_t.h
+sys/_types/_rsize_t.h
+sys/_types/_rune_t.h
+sys/_types/_s_ifmt.h
+sys/_types/_sa_family_t.h
+sys/_types/_seek_set.h
+sys/_types/_sigaltstack.h
+sys/_types/_sigset_t.h
+sys/_types/_size_t.h
+sys/_types/_socklen_t.h
+sys/_types/_ssize_t.h
+sys/_types/_suseconds_t.h
+sys/_types/_time_t.h
+sys/_types/_timespec.h
+sys/_types/_timeval.h
+sys/_types/_timeval32.h
+sys/_types/_timeval64.h
+sys/_types/_u_char.h
+sys/_types/_u_int.h
+sys/_types/_u_int16_t.h
+sys/_types/_u_int32_t.h
+sys/_types/_u_int64_t.h
+sys/_types/_u_int8_t.h
+sys/_types/_u_short.h
+sys/_types/_ucontext.h
+sys/_types/_ucontext64.h
+sys/_types/_uid_t.h
+sys/_types/_uintptr_t.h
+sys/_types/_useconds_t.h
+sys/_types/_uuid_t.h
+sys/_types/_va_list.h
+sys/_types/_wchar_t.h
+sys/_types/_wint_t.h
+sys/acct.h
+sys/aio.h
+sys/appleapiopts.h
+sys/attr.h
+sys/buf.h
+sys/cdefs.h
+sys/clonefile.h
+sys/commpage.h
+sys/conf.h
+sys/dir.h
+sys/dirent.h
+sys/disk.h
+sys/dkstat.h
+sys/domain.h
+sys/dtrace.h
+sys/dtrace_glue.h
+sys/dtrace_impl.h
+sys/errno.h
+sys/ev.h
+sys/event.h
+sys/fasttrap.h
+sys/fasttrap_isa.h
+sys/fcntl.h
+sys/file.h
+sys/filedesc.h
+sys/filio.h
+sys/fsgetpath.h
+sys/gmon.h
+sys/ioccom.h
+sys/ioctl.h
+sys/ioctl_compat.h
+sys/ipc.h
+sys/kauth.h
+sys/kdebug.h
+sys/kdebug_signpost.h
+sys/kern_control.h
+sys/kern_event.h
+sys/kernel.h
+sys/kernel_types.h
+sys/lctx.h
+sys/loadable_fs.h
+sys/lock.h
+sys/lockf.h
+sys/lockstat.h
+sys/log_data.h
+sys/malloc.h
+sys/mbuf.h
+sys/mman.h
+sys/mount.h
+sys/msg.h
+sys/msgbuf.h
+sys/netport.h
+sys/param.h
+sys/paths.h
+sys/pipe.h
+sys/poll.h
+sys/posix_sem.h
+sys/posix_shm.h
+sys/proc.h
+sys/proc_info.h
+sys/protosw.h
+sys/ptrace.h
+sys/queue.h
+sys/quota.h
+sys/random.h
+sys/reboot.h
+sys/resource.h
+sys/resourcevar.h
+sys/sbuf.h
+sys/sdt.h
+sys/select.h
+sys/sem.h
+sys/semaphore.h
+sys/shm.h
+sys/signal.h
+sys/signalvar.h
+sys/snapshot.h
+sys/socket.h
+sys/socketvar.h
+sys/sockio.h
+sys/spawn.h
+sys/stat.h
+sys/stdio.h
+sys/sys_domain.h
+sys/syscall.h
+sys/sysctl.h
+sys/syslimits.h
+sys/syslog.h
+sys/termios.h
+sys/time.h
+sys/timeb.h
+sys/times.h
+sys/timex.h
+sys/tprintf.h
+sys/trace.h
+sys/tty.h
+sys/ttychars.h
+sys/ttycom.h
+sys/ttydefaults.h
+sys/ttydev.h
+sys/types.h
+sys/ubc.h
+sys/ucontext.h
+sys/ucred.h
+sys/uio.h
+sys/un.h
+sys/unistd.h
+sys/unpcb.h
+sys/user.h
+sys/utfconv.h
+sys/utsname.h
+sys/vadvise.h
+sys/vcmd.h
+sys/vm.h
+sys/vmmeter.h
+sys/vmparam.h
+sys/vnioctl.h
+sys/vnode.h
+sys/vnode_if.h
+sys/vsock.h
+sys/vstat.h
+sys/wait.h
+sys/xattr.h
+sys__types.modulemap
+sys_cdefs.modulemap
+sys_types.modulemap
+system-version-compat-support.h
+uuid/uuid.h
+vfs/vfs_support.h
+voucher/ipc_pthread_priority_types.h
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-x86_64.txt b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-x86_64.txt
new file mode 100644
index 000000000000..93c0dbb18bf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/headers-x86_64.txt
@@ -0,0 +1,1318 @@
+AssertMacros.h
+_errno.h
+_libkernel_init.h
+atm/atm_notification.defs
+atm/atm_types.defs
+atm/atm_types.h
+bank/bank_types.h
+bsd/bsm/audit.h
+bsd/dev/random/randomdev.h
+bsd/i386/_limits.h
+bsd/i386/_mcontext.h
+bsd/i386/_param.h
+bsd/i386/_types.h
+bsd/i386/endian.h
+bsd/i386/limits.h
+bsd/i386/param.h
+bsd/i386/profile.h
+bsd/i386/signal.h
+bsd/i386/types.h
+bsd/i386/vmparam.h
+bsd/libkern/libkern.h
+bsd/machine/_limits.h
+bsd/machine/_mcontext.h
+bsd/machine/_param.h
+bsd/machine/_types.h
+bsd/machine/byte_order.h
+bsd/machine/disklabel.h
+bsd/machine/endian.h
+bsd/machine/limits.h
+bsd/machine/param.h
+bsd/machine/profile.h
+bsd/machine/signal.h
+bsd/machine/spl.h
+bsd/machine/types.h
+bsd/machine/vmparam.h
+bsd/miscfs/devfs/devfs.h
+bsd/miscfs/devfs/devfs_proto.h
+bsd/miscfs/devfs/devfsdefs.h
+bsd/miscfs/devfs/fdesc.h
+bsd/miscfs/fifofs/fifo.h
+bsd/miscfs/specfs/specdev.h
+bsd/miscfs/union/union.h
+bsd/net/bpf.h
+bsd/net/dlil.h
+bsd/net/ethernet.h
+bsd/net/if.h
+bsd/net/if_arp.h
+bsd/net/if_dl.h
+bsd/net/if_ether.h
+bsd/net/if_llc.h
+bsd/net/if_media.h
+bsd/net/if_mib.h
+bsd/net/if_types.h
+bsd/net/if_utun.h
+bsd/net/if_var.h
+bsd/net/init.h
+bsd/net/kext_net.h
+bsd/net/kpi_interface.h
+bsd/net/kpi_interfacefilter.h
+bsd/net/kpi_protocol.h
+bsd/net/ndrv.h
+bsd/net/net_kev.h
+bsd/net/pfkeyv2.h
+bsd/net/radix.h
+bsd/net/route.h
+bsd/netinet/bootp.h
+bsd/netinet/icmp6.h
+bsd/netinet/icmp_var.h
+bsd/netinet/if_ether.h
+bsd/netinet/igmp.h
+bsd/netinet/igmp_var.h
+bsd/netinet/in.h
+bsd/netinet/in_arp.h
+bsd/netinet/in_pcb.h
+bsd/netinet/in_systm.h
+bsd/netinet/in_var.h
+bsd/netinet/ip.h
+bsd/netinet/ip6.h
+bsd/netinet/ip_icmp.h
+bsd/netinet/ip_var.h
+bsd/netinet/kpi_ipfilter.h
+bsd/netinet/tcp.h
+bsd/netinet/tcp_fsm.h
+bsd/netinet/tcp_seq.h
+bsd/netinet/tcp_timer.h
+bsd/netinet/tcp_var.h
+bsd/netinet/tcpip.h
+bsd/netinet/udp.h
+bsd/netinet/udp_var.h
+bsd/netinet6/ah.h
+bsd/netinet6/esp.h
+bsd/netinet6/in6.h
+bsd/netinet6/in6_var.h
+bsd/netinet6/ipcomp.h
+bsd/netinet6/ipsec.h
+bsd/netinet6/nd6.h
+bsd/netinet6/raw_ip6.h
+bsd/netinet6/scope6_var.h
+bsd/netkey/keysock.h
+bsd/security/audit/audit.h
+bsd/security/audit/audit_bsd.h
+bsd/security/audit/audit_ioctl.h
+bsd/security/audit/audit_private.h
+bsd/sys/_endian.h
+bsd/sys/_select.h
+bsd/sys/_structs.h
+bsd/sys/_types.h
+bsd/sys/_types/_blkcnt_t.h
+bsd/sys/_types/_blksize_t.h
+bsd/sys/_types/_clock_t.h
+bsd/sys/_types/_ct_rune_t.h
+bsd/sys/_types/_dev_t.h
+bsd/sys/_types/_errno_t.h
+bsd/sys/_types/_fd_clr.h
+bsd/sys/_types/_fd_copy.h
+bsd/sys/_types/_fd_def.h
+bsd/sys/_types/_fd_isset.h
+bsd/sys/_types/_fd_set.h
+bsd/sys/_types/_fd_setsize.h
+bsd/sys/_types/_fd_zero.h
+bsd/sys/_types/_filesec_t.h
+bsd/sys/_types/_fsblkcnt_t.h
+bsd/sys/_types/_fsfilcnt_t.h
+bsd/sys/_types/_fsid_t.h
+bsd/sys/_types/_fsobj_id_t.h
+bsd/sys/_types/_gid_t.h
+bsd/sys/_types/_guid_t.h
+bsd/sys/_types/_id_t.h
+bsd/sys/_types/_in_addr_t.h
+bsd/sys/_types/_in_port_t.h
+bsd/sys/_types/_ino64_t.h
+bsd/sys/_types/_ino_t.h
+bsd/sys/_types/_int16_t.h
+bsd/sys/_types/_int32_t.h
+bsd/sys/_types/_int64_t.h
+bsd/sys/_types/_int8_t.h
+bsd/sys/_types/_intptr_t.h
+bsd/sys/_types/_iovec_t.h
+bsd/sys/_types/_key_t.h
+bsd/sys/_types/_mach_port_t.h
+bsd/sys/_types/_mbstate_t.h
+bsd/sys/_types/_mode_t.h
+bsd/sys/_types/_nlink_t.h
+bsd/sys/_types/_null.h
+bsd/sys/_types/_o_dsync.h
+bsd/sys/_types/_o_sync.h
+bsd/sys/_types/_off_t.h
+bsd/sys/_types/_offsetof.h
+bsd/sys/_types/_os_inline.h
+bsd/sys/_types/_pid_t.h
+bsd/sys/_types/_posix_vdisable.h
+bsd/sys/_types/_ptrdiff_t.h
+bsd/sys/_types/_rsize_t.h
+bsd/sys/_types/_rune_t.h
+bsd/sys/_types/_s_ifmt.h
+bsd/sys/_types/_sa_family_t.h
+bsd/sys/_types/_seek_set.h
+bsd/sys/_types/_sigaltstack.h
+bsd/sys/_types/_sigset_t.h
+bsd/sys/_types/_size_t.h
+bsd/sys/_types/_socklen_t.h
+bsd/sys/_types/_ssize_t.h
+bsd/sys/_types/_suseconds_t.h
+bsd/sys/_types/_time_t.h
+bsd/sys/_types/_timespec.h
+bsd/sys/_types/_timeval.h
+bsd/sys/_types/_timeval32.h
+bsd/sys/_types/_timeval64.h
+bsd/sys/_types/_u_int16_t.h
+bsd/sys/_types/_u_int32_t.h
+bsd/sys/_types/_u_int64_t.h
+bsd/sys/_types/_u_int8_t.h
+bsd/sys/_types/_ucontext.h
+bsd/sys/_types/_ucontext64.h
+bsd/sys/_types/_uid_t.h
+bsd/sys/_types/_uintptr_t.h
+bsd/sys/_types/_useconds_t.h
+bsd/sys/_types/_user32_itimerval.h
+bsd/sys/_types/_user32_timespec.h
+bsd/sys/_types/_user32_timeval.h
+bsd/sys/_types/_user64_itimerval.h
+bsd/sys/_types/_user64_timespec.h
+bsd/sys/_types/_user64_timeval.h
+bsd/sys/_types/_user_timespec.h
+bsd/sys/_types/_user_timeval.h
+bsd/sys/_types/_uuid_t.h
+bsd/sys/_types/_va_list.h
+bsd/sys/_types/_wchar_t.h
+bsd/sys/_types/_wint_t.h
+bsd/sys/appleapiopts.h
+bsd/sys/attr.h
+bsd/sys/bsdtask_info.h
+bsd/sys/buf.h
+bsd/sys/cdefs.h
+bsd/sys/codesign.h
+bsd/sys/conf.h
+bsd/sys/content_protection.h
+bsd/sys/cprotect.h
+bsd/sys/csr.h
+bsd/sys/decmpfs.h
+bsd/sys/dir.h
+bsd/sys/dirent.h
+bsd/sys/disk.h
+bsd/sys/disklabel.h
+bsd/sys/disktab.h
+bsd/sys/dkstat.h
+bsd/sys/doc_tombstone.h
+bsd/sys/domain.h
+bsd/sys/errno.h
+bsd/sys/ev.h
+bsd/sys/event.h
+bsd/sys/eventvar.h
+bsd/sys/fbt.h
+bsd/sys/fcntl.h
+bsd/sys/file.h
+bsd/sys/file_internal.h
+bsd/sys/filedesc.h
+bsd/sys/fileport.h
+bsd/sys/filio.h
+bsd/sys/fsctl.h
+bsd/sys/fsevents.h
+bsd/sys/fslog.h
+bsd/sys/guarded.h
+bsd/sys/imgact.h
+bsd/sys/ioccom.h
+bsd/sys/ioctl.h
+bsd/sys/ioctl_compat.h
+bsd/sys/ipc.h
+bsd/sys/kasl.h
+bsd/sys/kauth.h
+bsd/sys/kdebug.h
+bsd/sys/kdebugevents.h
+bsd/sys/kern_control.h
+bsd/sys/kern_event.h
+bsd/sys/kern_memorystatus.h
+bsd/sys/kernel.h
+bsd/sys/kernel_types.h
+bsd/sys/kpi_mbuf.h
+bsd/sys/kpi_private.h
+bsd/sys/kpi_socket.h
+bsd/sys/kpi_socketfilter.h
+bsd/sys/ktrace.h
+bsd/sys/linker_set.h
+bsd/sys/lock.h
+bsd/sys/lockf.h
+bsd/sys/mach_swapon.h
+bsd/sys/malloc.h
+bsd/sys/mbuf.h
+bsd/sys/md5.h
+bsd/sys/memory_maintenance.h
+bsd/sys/mman.h
+bsd/sys/mount.h
+bsd/sys/mount_internal.h
+bsd/sys/msg.h
+bsd/sys/msgbuf.h
+bsd/sys/munge.h
+bsd/sys/namei.h
+bsd/sys/netport.h
+bsd/sys/param.h
+bsd/sys/paths.h
+bsd/sys/persona.h
+bsd/sys/pgo.h
+bsd/sys/pipe.h
+bsd/sys/posix_sem.h
+bsd/sys/posix_shm.h
+bsd/sys/priv.h
+bsd/sys/proc.h
+bsd/sys/proc_info.h
+bsd/sys/proc_internal.h
+bsd/sys/protosw.h
+bsd/sys/pthread_internal.h
+bsd/sys/pthread_shims.h
+bsd/sys/queue.h
+bsd/sys/quota.h
+bsd/sys/random.h
+bsd/sys/reason.h
+bsd/sys/resource.h
+bsd/sys/resourcevar.h
+bsd/sys/sbuf.h
+bsd/sys/select.h
+bsd/sys/sem.h
+bsd/sys/sem_internal.h
+bsd/sys/semaphore.h
+bsd/sys/shm.h
+bsd/sys/shm_internal.h
+bsd/sys/signal.h
+bsd/sys/signalvar.h
+bsd/sys/socket.h
+bsd/sys/socketvar.h
+bsd/sys/sockio.h
+bsd/sys/spawn.h
+bsd/sys/spawn_internal.h
+bsd/sys/stackshot.h
+bsd/sys/stat.h
+bsd/sys/stdio.h
+bsd/sys/sys_domain.h
+bsd/sys/syscall.h
+bsd/sys/sysctl.h
+bsd/sys/syslimits.h
+bsd/sys/syslog.h
+bsd/sys/sysproto.h
+bsd/sys/systm.h
+bsd/sys/termios.h
+bsd/sys/time.h
+bsd/sys/tree.h
+bsd/sys/tty.h
+bsd/sys/ttychars.h
+bsd/sys/ttycom.h
+bsd/sys/ttydefaults.h
+bsd/sys/ttydev.h
+bsd/sys/types.h
+bsd/sys/ubc.h
+bsd/sys/ucontext.h
+bsd/sys/ucred.h
+bsd/sys/uio.h
+bsd/sys/uio_internal.h
+bsd/sys/ulock.h
+bsd/sys/un.h
+bsd/sys/unistd.h
+bsd/sys/unpcb.h
+bsd/sys/user.h
+bsd/sys/utfconv.h
+bsd/sys/vfs_context.h
+bsd/sys/vm.h
+bsd/sys/vmmeter.h
+bsd/sys/vmparam.h
+bsd/sys/vnode.h
+bsd/sys/vnode_if.h
+bsd/sys/vnode_internal.h
+bsd/sys/wait.h
+bsd/sys/xattr.h
+bsd/uuid/uuid.h
+bsd/vfs/vfs_support.h
+bsd/vm/vnode_pager.h
+bsm/audit.h
+bsm/audit_domain.h
+bsm/audit_errno.h
+bsm/audit_fcntl.h
+bsm/audit_internal.h
+bsm/audit_kevents.h
+bsm/audit_record.h
+bsm/audit_socket_type.h
+corecrypto/cc.h
+corecrypto/cc_config.h
+corecrypto/cc_debug.h
+corecrypto/cc_macros.h
+corecrypto/cc_priv.h
+corecrypto/ccaes.h
+corecrypto/ccasn1.h
+corecrypto/cccmac.h
+corecrypto/ccder.h
+corecrypto/ccdes.h
+corecrypto/ccdigest.h
+corecrypto/ccdigest_priv.h
+corecrypto/ccdrbg.h
+corecrypto/ccdrbg_impl.h
+corecrypto/cchmac.h
+corecrypto/ccmd5.h
+corecrypto/ccmode.h
+corecrypto/ccmode_factory.h
+corecrypto/ccmode_impl.h
+corecrypto/ccmode_siv.h
+corecrypto/ccn.h
+corecrypto/ccpad.h
+corecrypto/ccpbkdf2.h
+corecrypto/ccrc4.h
+corecrypto/ccrng.h
+corecrypto/ccrng_system.h
+corecrypto/ccrsa.h
+corecrypto/ccsha1.h
+corecrypto/ccsha2.h
+corecrypto/cczp.h
+corpses/task_corpse.h
+default_pager/default_pager_types.h
+device/device.defs
+device/device_port.h
+device/device_types.defs
+device/device_types.h
+gethostuuid.h
+gethostuuid_private.h
+i386/_limits.h
+i386/_mcontext.h
+i386/_param.h
+i386/_types.h
+i386/eflags.h
+i386/endian.h
+i386/fasttrap_isa.h
+i386/limits.h
+i386/param.h
+i386/profile.h
+i386/signal.h
+i386/types.h
+i386/user_ldt.h
+i386/vmparam.h
+iokit/IOKit/AppleKeyStoreInterface.h
+iokit/IOKit/IOBSD.h
+iokit/IOKit/IOBufferMemoryDescriptor.h
+iokit/IOKit/IOCPU.h
+iokit/IOKit/IOCatalogue.h
+iokit/IOKit/IOCommand.h
+iokit/IOKit/IOCommandGate.h
+iokit/IOKit/IOCommandPool.h
+iokit/IOKit/IOCommandQueue.h
+iokit/IOKit/IOConditionLock.h
+iokit/IOKit/IODMACommand.h
+iokit/IOKit/IODMAController.h
+iokit/IOKit/IODMAEventSource.h
+iokit/IOKit/IODataQueue.h
+iokit/IOKit/IODataQueueShared.h
+iokit/IOKit/IODeviceMemory.h
+iokit/IOKit/IODeviceTreeSupport.h
+iokit/IOKit/IOEventSource.h
+iokit/IOKit/IOFilterInterruptEventSource.h
+iokit/IOKit/IOHibernatePrivate.h
+iokit/IOKit/IOInterleavedMemoryDescriptor.h
+iokit/IOKit/IOInterruptAccounting.h
+iokit/IOKit/IOInterruptController.h
+iokit/IOKit/IOInterruptEventSource.h
+iokit/IOKit/IOInterrupts.h
+iokit/IOKit/IOKernelReportStructs.h
+iokit/IOKit/IOKernelReporters.h
+iokit/IOKit/IOKitDebug.h
+iokit/IOKit/IOKitDiagnosticsUserClient.h
+iokit/IOKit/IOKitKeys.h
+iokit/IOKit/IOKitKeysPrivate.h
+iokit/IOKit/IOKitServer.h
+iokit/IOKit/IOLib.h
+iokit/IOKit/IOLocks.h
+iokit/IOKit/IOLocksPrivate.h
+iokit/IOKit/IOMapper.h
+iokit/IOKit/IOMemoryCursor.h
+iokit/IOKit/IOMemoryDescriptor.h
+iokit/IOKit/IOMessage.h
+iokit/IOKit/IOMultiMemoryDescriptor.h
+iokit/IOKit/IONVRAM.h
+iokit/IOKit/IONotifier.h
+iokit/IOKit/IOPlatformExpert.h
+iokit/IOKit/IOPolledInterface.h
+iokit/IOKit/IORangeAllocator.h
+iokit/IOKit/IORegistryEntry.h
+iokit/IOKit/IOReportMacros.h
+iokit/IOKit/IOReportTypes.h
+iokit/IOKit/IOReturn.h
+iokit/IOKit/IOService.h
+iokit/IOKit/IOServicePM.h
+iokit/IOKit/IOSharedDataQueue.h
+iokit/IOKit/IOSharedLock.h
+iokit/IOKit/IOStatistics.h
+iokit/IOKit/IOStatisticsPrivate.h
+iokit/IOKit/IOSubMemoryDescriptor.h
+iokit/IOKit/IOSyncer.h
+iokit/IOKit/IOTimeStamp.h
+iokit/IOKit/IOTimerEventSource.h
+iokit/IOKit/IOTypes.h
+iokit/IOKit/IOUserClient.h
+iokit/IOKit/IOWorkLoop.h
+iokit/IOKit/OSMessageNotification.h
+iokit/IOKit/assert.h
+iokit/IOKit/nvram/IONVRAMController.h
+iokit/IOKit/platform/AppleMacIO.h
+iokit/IOKit/platform/AppleMacIODevice.h
+iokit/IOKit/platform/AppleNMI.h
+iokit/IOKit/platform/ApplePlatformExpert.h
+iokit/IOKit/power/IOPwrController.h
+iokit/IOKit/pwr_mgt/IOPM.h
+iokit/IOKit/pwr_mgt/IOPMLibDefs.h
+iokit/IOKit/pwr_mgt/IOPMPowerSource.h
+iokit/IOKit/pwr_mgt/IOPMPowerSourceList.h
+iokit/IOKit/pwr_mgt/IOPMpowerState.h
+iokit/IOKit/pwr_mgt/IOPowerConnection.h
+iokit/IOKit/pwr_mgt/RootDomain.h
+iokit/IOKit/rtc/IORTCController.h
+iokit/IOKit/system.h
+iokit/IOKit/system_management/IOWatchDogTimer.h
+kern/exc_resource.h
+kern/kcdata.h
+kern/kern_cdata.h
+libkern/OSByteOrder.h
+libkern/OSDebug.h
+libkern/OSKextLib.h
+libkern/OSReturn.h
+libkern/OSTypes.h
+libkern/_OSByteOrder.h
+libkern/firehose/chunk_private.h
+libkern/firehose/firehose_types_private.h
+libkern/firehose/ioctl_private.h
+libkern/firehose/tracepoint_private.h
+libkern/i386/OSByteOrder.h
+libkern/i386/_OSByteOrder.h
+libkern/libkern/OSAtomic.h
+libkern/libkern/OSBase.h
+libkern/libkern/OSByteOrder.h
+libkern/libkern/OSDebug.h
+libkern/libkern/OSKextLib.h
+libkern/libkern/OSKextLibPrivate.h
+libkern/libkern/OSMalloc.h
+libkern/libkern/OSReturn.h
+libkern/libkern/OSSerializeBinary.h
+libkern/libkern/OSTypes.h
+libkern/libkern/_OSByteOrder.h
+libkern/libkern/c++/OSArray.h
+libkern/libkern/c++/OSBoolean.h
+libkern/libkern/c++/OSCPPDebug.h
+libkern/libkern/c++/OSCollection.h
+libkern/libkern/c++/OSCollectionIterator.h
+libkern/libkern/c++/OSContainers.h
+libkern/libkern/c++/OSData.h
+libkern/libkern/c++/OSDictionary.h
+libkern/libkern/c++/OSEndianTypes.h
+libkern/libkern/c++/OSIterator.h
+libkern/libkern/c++/OSKext.h
+libkern/libkern/c++/OSLib.h
+libkern/libkern/c++/OSMetaClass.h
+libkern/libkern/c++/OSNumber.h
+libkern/libkern/c++/OSObject.h
+libkern/libkern/c++/OSOrderedSet.h
+libkern/libkern/c++/OSSerialize.h
+libkern/libkern/c++/OSSet.h
+libkern/libkern/c++/OSString.h
+libkern/libkern/c++/OSSymbol.h
+libkern/libkern/c++/OSUnserialize.h
+libkern/libkern/crypto/aes.h
+libkern/libkern/crypto/aesxts.h
+libkern/libkern/crypto/crypto_internal.h
+libkern/libkern/crypto/des.h
+libkern/libkern/crypto/md5.h
+libkern/libkern/crypto/rand.h
+libkern/libkern/crypto/register_crypto.h
+libkern/libkern/crypto/rsa.h
+libkern/libkern/crypto/sha1.h
+libkern/libkern/crypto/sha2.h
+libkern/libkern/i386/OSByteOrder.h
+libkern/libkern/i386/_OSByteOrder.h
+libkern/libkern/kernel_mach_header.h
+libkern/libkern/kext_request_keys.h
+libkern/libkern/kxld.h
+libkern/libkern/kxld_types.h
+libkern/libkern/locks.h
+libkern/libkern/machine/OSByteOrder.h
+libkern/libkern/mkext.h
+libkern/libkern/prelink.h
+libkern/libkern/section_keywords.h
+libkern/libkern/stack_protector.h
+libkern/libkern/sysctl.h
+libkern/libkern/tree.h
+libkern/libkern/version.h
+libkern/libkern/zconf.h
+libkern/libkern/zlib.h
+libkern/machine/OSByteOrder.h
+libkern/os/base.h
+libkern/os/log.h
+libkern/os/log_private.h
+libkern/os/object.h
+libkern/os/object_private.h
+libkern/os/overflow.h
+libkern/os/trace.h
+mach/audit_triggers.defs
+mach/boolean.h
+mach/bootstrap.h
+mach/clock.defs
+mach/clock.h
+mach/clock_priv.defs
+mach/clock_priv.h
+mach/clock_reply.defs
+mach/clock_reply.h
+mach/clock_types.defs
+mach/clock_types.h
+mach/dyld_kernel.h
+mach/error.h
+mach/exc.defs
+mach/exc.h
+mach/exception.h
+mach/exception_types.h
+mach/host_info.h
+mach/host_notify.h
+mach/host_notify_reply.defs
+mach/host_priv.defs
+mach/host_priv.h
+mach/host_reboot.h
+mach/host_security.defs
+mach/host_security.h
+mach/host_special_ports.h
+mach/i386/_structs.h
+mach/i386/asm.h
+mach/i386/boolean.h
+mach/i386/exception.h
+mach/i386/fp_reg.h
+mach/i386/kern_return.h
+mach/i386/ndr_def.h
+mach/i386/processor_info.h
+mach/i386/rpc.h
+mach/i386/sdt_isa.h
+mach/i386/thread_state.h
+mach/i386/thread_status.h
+mach/i386/vm_param.h
+mach/i386/vm_types.h
+mach/kern_return.h
+mach/kmod.h
+mach/lock_set.defs
+mach/lock_set.h
+mach/mach.h
+mach/mach_error.h
+mach/mach_exc.defs
+mach/mach_host.defs
+mach/mach_host.h
+mach/mach_init.h
+mach/mach_interface.h
+mach/mach_param.h
+mach/mach_port.defs
+mach/mach_port.h
+mach/mach_port_internal.h
+mach/mach_syscalls.h
+mach/mach_time.h
+mach/mach_traps.h
+mach/mach_types.defs
+mach/mach_types.h
+mach/mach_vm.defs
+mach/mach_vm.h
+mach/mach_vm_internal.h
+mach/mach_voucher.defs
+mach/mach_voucher.h
+mach/mach_voucher_attr_control.defs
+mach/mach_voucher_types.h
+mach/machine.h
+mach/machine/asm.h
+mach/machine/boolean.h
+mach/machine/exception.h
+mach/machine/kern_return.h
+mach/machine/machine_types.defs
+mach/machine/ndr_def.h
+mach/machine/processor_info.h
+mach/machine/rpc.h
+mach/machine/sdt.h
+mach/machine/sdt_isa.h
+mach/machine/thread_state.h
+mach/machine/thread_status.h
+mach/machine/vm_param.h
+mach/machine/vm_types.h
+mach/memory_object_types.h
+mach/message.h
+mach/mig.h
+mach/mig_errors.h
+mach/mig_strncpy_zerofill_support.h
+mach/mig_voucher_support.h
+mach/ndr.h
+mach/notify.defs
+mach/notify.h
+mach/policy.h
+mach/port.h
+mach/port_obj.h
+mach/processor.defs
+mach/processor.h
+mach/processor_info.h
+mach/processor_set.defs
+mach/processor_set.h
+mach/rpc.h
+mach/sdt.h
+mach/semaphore.h
+mach/shared_memory_server.h
+mach/shared_region.h
+mach/std_types.defs
+mach/std_types.h
+mach/sync.h
+mach/sync_policy.h
+mach/task.defs
+mach/task.h
+mach/task_access.defs
+mach/task_info.h
+mach/task_policy.h
+mach/task_special_ports.h
+mach/telemetry_notification.defs
+mach/thread_act.defs
+mach/thread_act.h
+mach/thread_act_internal.h
+mach/thread_info.h
+mach/thread_policy.h
+mach/thread_special_ports.h
+mach/thread_state.h
+mach/thread_status.h
+mach/thread_switch.h
+mach/time_value.h
+mach/vm_attributes.h
+mach/vm_behavior.h
+mach/vm_inherit.h
+mach/vm_map.defs
+mach/vm_map.h
+mach/vm_map_internal.h
+mach/vm_page_size.h
+mach/vm_param.h
+mach/vm_prot.h
+mach/vm_purgable.h
+mach/vm_region.h
+mach/vm_statistics.h
+mach/vm_sync.h
+mach/vm_task.h
+mach/vm_types.h
+mach_debug/hash_info.h
+mach_debug/ipc_info.h
+mach_debug/lockgroup_info.h
+mach_debug/mach_debug.h
+mach_debug/mach_debug_types.defs
+mach_debug/mach_debug_types.h
+mach_debug/page_info.h
+mach_debug/vm_info.h
+mach_debug/zone_info.h
+machine/_limits.h
+machine/_mcontext.h
+machine/_param.h
+machine/_types.h
+machine/byte_order.h
+machine/endian.h
+machine/fasttrap_isa.h
+machine/limits.h
+machine/param.h
+machine/profile.h
+machine/signal.h
+machine/types.h
+machine/vmparam.h
+miscfs/devfs/devfs.h
+miscfs/specfs/specdev.h
+miscfs/union/union.h
+net/bpf.h
+net/dlil.h
+net/ethernet.h
+net/if.h
+net/if_arp.h
+net/if_dl.h
+net/if_llc.h
+net/if_media.h
+net/if_mib.h
+net/if_types.h
+net/if_utun.h
+net/if_var.h
+net/kext_net.h
+net/ndrv.h
+net/net_kev.h
+net/pfkeyv2.h
+net/route.h
+netinet/bootp.h
+netinet/icmp6.h
+netinet/icmp_var.h
+netinet/if_ether.h
+netinet/igmp.h
+netinet/igmp_var.h
+netinet/in.h
+netinet/in_pcb.h
+netinet/in_systm.h
+netinet/in_var.h
+netinet/ip.h
+netinet/ip6.h
+netinet/ip_icmp.h
+netinet/ip_var.h
+netinet/tcp.h
+netinet/tcp_fsm.h
+netinet/tcp_seq.h
+netinet/tcp_timer.h
+netinet/tcp_var.h
+netinet/tcpip.h
+netinet/udp.h
+netinet/udp_var.h
+netinet6/ah.h
+netinet6/esp.h
+netinet6/in6.h
+netinet6/in6_var.h
+netinet6/ipcomp.h
+netinet6/ipsec.h
+netinet6/nd6.h
+netinet6/raw_ip6.h
+netinet6/scope6_var.h
+netkey/keysock.h
+nfs/krpc.h
+nfs/nfs.h
+nfs/nfs_gss.h
+nfs/nfs_ioctl.h
+nfs/nfs_lock.h
+nfs/nfsdiskless.h
+nfs/nfsm_subs.h
+nfs/nfsmount.h
+nfs/nfsnode.h
+nfs/nfsproto.h
+nfs/nfsrvcache.h
+nfs/rpcv2.h
+nfs/xdr_subs.h
+os/overflow.h
+os/tsd.h
+osfmk/UserNotification/KUNCUserNotifications.h
+osfmk/UserNotification/UNDReply.defs
+osfmk/UserNotification/UNDRequest.defs
+osfmk/UserNotification/UNDTypes.defs
+osfmk/UserNotification/UNDTypes.h
+osfmk/atm/atm_internal.h
+osfmk/atm/atm_notification.defs
+osfmk/atm/atm_types.defs
+osfmk/atm/atm_types.h
+osfmk/bank/bank_types.h
+osfmk/console/video_console.h
+osfmk/corpses/task_corpse.h
+osfmk/default_pager/default_pager_types.h
+osfmk/device/device.defs
+osfmk/device/device_port.h
+osfmk/device/device_types.defs
+osfmk/device/device_types.h
+osfmk/gssd/gssd_mach.defs
+osfmk/gssd/gssd_mach.h
+osfmk/gssd/gssd_mach_types.h
+osfmk/i386/apic.h
+osfmk/i386/asm.h
+osfmk/i386/atomic.h
+osfmk/i386/bit_routines.h
+osfmk/i386/cpu_capabilities.h
+osfmk/i386/cpu_data.h
+osfmk/i386/cpu_number.h
+osfmk/i386/cpu_topology.h
+osfmk/i386/cpuid.h
+osfmk/i386/eflags.h
+osfmk/i386/io_map_entries.h
+osfmk/i386/lapic.h
+osfmk/i386/lock.h
+osfmk/i386/locks.h
+osfmk/i386/machine_cpu.h
+osfmk/i386/machine_routines.h
+osfmk/i386/mp.h
+osfmk/i386/mp_desc.h
+osfmk/i386/mp_events.h
+osfmk/i386/mtrr.h
+osfmk/i386/pal_hibernate.h
+osfmk/i386/pal_native.h
+osfmk/i386/pal_routines.h
+osfmk/i386/panic_hooks.h
+osfmk/i386/pmCPU.h
+osfmk/i386/pmap.h
+osfmk/i386/proc_reg.h
+osfmk/i386/rtclock_protos.h
+osfmk/i386/seg.h
+osfmk/i386/simple_lock.h
+osfmk/i386/smp.h
+osfmk/i386/tsc.h
+osfmk/i386/tss.h
+osfmk/i386/ucode.h
+osfmk/i386/vmx.h
+osfmk/ipc/ipc_types.h
+osfmk/kdp/kdp_callout.h
+osfmk/kdp/kdp_dyld.h
+osfmk/kdp/kdp_en_debugger.h
+osfmk/kern/affinity.h
+osfmk/kern/assert.h
+osfmk/kern/audit_sessionport.h
+osfmk/kern/backtrace.h
+osfmk/kern/bits.h
+osfmk/kern/block_hint.h
+osfmk/kern/call_entry.h
+osfmk/kern/clock.h
+osfmk/kern/coalition.h
+osfmk/kern/cpu_data.h
+osfmk/kern/cpu_number.h
+osfmk/kern/debug.h
+osfmk/kern/ecc.h
+osfmk/kern/energy_perf.h
+osfmk/kern/exc_resource.h
+osfmk/kern/extmod_statistics.h
+osfmk/kern/host.h
+osfmk/kern/hv_support.h
+osfmk/kern/ipc_mig.h
+osfmk/kern/ipc_misc.h
+osfmk/kern/kalloc.h
+osfmk/kern/kcdata.h
+osfmk/kern/kern_cdata.h
+osfmk/kern/kern_types.h
+osfmk/kern/kext_alloc.h
+osfmk/kern/kpc.h
+osfmk/kern/ledger.h
+osfmk/kern/lock.h
+osfmk/kern/locks.h
+osfmk/kern/mach_param.h
+osfmk/kern/macro_help.h
+osfmk/kern/page_decrypt.h
+osfmk/kern/pms.h
+osfmk/kern/policy_internal.h
+osfmk/kern/processor.h
+osfmk/kern/queue.h
+osfmk/kern/sched_prim.h
+osfmk/kern/sfi.h
+osfmk/kern/simple_lock.h
+osfmk/kern/startup.h
+osfmk/kern/task.h
+osfmk/kern/telemetry.h
+osfmk/kern/thread.h
+osfmk/kern/thread_call.h
+osfmk/kern/timer_call.h
+osfmk/kern/waitq.h
+osfmk/kern/zalloc.h
+osfmk/kextd/kextd_mach.defs
+osfmk/kextd/kextd_mach.h
+osfmk/kperf/action.h
+osfmk/kperf/context.h
+osfmk/kperf/kdebug_trigger.h
+osfmk/kperf/kperf.h
+osfmk/kperf/kperf_timer.h
+osfmk/kperf/kperfbsd.h
+osfmk/kperf/pet.h
+osfmk/lockd/lockd_mach.defs
+osfmk/lockd/lockd_mach.h
+osfmk/lockd/lockd_mach_types.h
+osfmk/mach/audit_triggers.defs
+osfmk/mach/audit_triggers_server.h
+osfmk/mach/boolean.h
+osfmk/mach/branch_predicates.h
+osfmk/mach/clock.defs
+osfmk/mach/clock.h
+osfmk/mach/clock_priv.defs
+osfmk/mach/clock_priv.h
+osfmk/mach/clock_reply.defs
+osfmk/mach/clock_reply_server.h
+osfmk/mach/clock_types.defs
+osfmk/mach/clock_types.h
+osfmk/mach/coalition.h
+osfmk/mach/coalition_notification_server.h
+osfmk/mach/dyld_kernel.h
+osfmk/mach/error.h
+osfmk/mach/exc.defs
+osfmk/mach/exc_server.h
+osfmk/mach/exception.h
+osfmk/mach/exception_types.h
+osfmk/mach/host_info.h
+osfmk/mach/host_notify.h
+osfmk/mach/host_notify_reply.defs
+osfmk/mach/host_priv.defs
+osfmk/mach/host_priv.h
+osfmk/mach/host_reboot.h
+osfmk/mach/host_security.defs
+osfmk/mach/host_security.h
+osfmk/mach/host_special_ports.h
+osfmk/mach/i386/_structs.h
+osfmk/mach/i386/asm.h
+osfmk/mach/i386/boolean.h
+osfmk/mach/i386/exception.h
+osfmk/mach/i386/fp_reg.h
+osfmk/mach/i386/kern_return.h
+osfmk/mach/i386/ndr_def.h
+osfmk/mach/i386/processor_info.h
+osfmk/mach/i386/rpc.h
+osfmk/mach/i386/sdt_isa.h
+osfmk/mach/i386/syscall_sw.h
+osfmk/mach/i386/thread_state.h
+osfmk/mach/i386/thread_status.h
+osfmk/mach/i386/vm_param.h
+osfmk/mach/i386/vm_types.h
+osfmk/mach/kern_return.h
+osfmk/mach/kmod.h
+osfmk/mach/ktrace_background.h
+osfmk/mach/lock_set.defs
+osfmk/mach/lock_set.h
+osfmk/mach/mach_exc.defs
+osfmk/mach/mach_exc_server.h
+osfmk/mach/mach_host.defs
+osfmk/mach/mach_host.h
+osfmk/mach/mach_interface.h
+osfmk/mach/mach_param.h
+osfmk/mach/mach_port.defs
+osfmk/mach/mach_port.h
+osfmk/mach/mach_syscalls.h
+osfmk/mach/mach_time.h
+osfmk/mach/mach_traps.h
+osfmk/mach/mach_types.defs
+osfmk/mach/mach_types.h
+osfmk/mach/mach_vm.defs
+osfmk/mach/mach_vm.h
+osfmk/mach/mach_voucher.defs
+osfmk/mach/mach_voucher.h
+osfmk/mach/mach_voucher_attr_control.defs
+osfmk/mach/mach_voucher_attr_control.h
+osfmk/mach/mach_voucher_types.h
+osfmk/mach/machine.h
+osfmk/mach/machine/asm.h
+osfmk/mach/machine/boolean.h
+osfmk/mach/machine/exception.h
+osfmk/mach/machine/kern_return.h
+osfmk/mach/machine/machine_types.defs
+osfmk/mach/machine/ndr_def.h
+osfmk/mach/machine/processor_info.h
+osfmk/mach/machine/rpc.h
+osfmk/mach/machine/sdt.h
+osfmk/mach/machine/sdt_isa.h
+osfmk/mach/machine/syscall_sw.h
+osfmk/mach/machine/thread_state.h
+osfmk/mach/machine/thread_status.h
+osfmk/mach/machine/vm_param.h
+osfmk/mach/machine/vm_types.h
+osfmk/mach/memory_object_control.h
+osfmk/mach/memory_object_default_server.h
+osfmk/mach/memory_object_types.h
+osfmk/mach/message.h
+osfmk/mach/mig.h
+osfmk/mach/mig_errors.h
+osfmk/mach/mig_strncpy_zerofill_support.h
+osfmk/mach/mig_voucher_support.h
+osfmk/mach/ndr.h
+osfmk/mach/notify.defs
+osfmk/mach/notify.h
+osfmk/mach/notify_server.h
+osfmk/mach/policy.h
+osfmk/mach/port.h
+osfmk/mach/processor.defs
+osfmk/mach/processor.h
+osfmk/mach/processor_info.h
+osfmk/mach/processor_set.defs
+osfmk/mach/processor_set.h
+osfmk/mach/resource_monitors.h
+osfmk/mach/rpc.h
+osfmk/mach/sdt.h
+osfmk/mach/semaphore.h
+osfmk/mach/sfi_class.h
+osfmk/mach/shared_memory_server.h
+osfmk/mach/shared_region.h
+osfmk/mach/std_types.defs
+osfmk/mach/std_types.h
+osfmk/mach/sync_policy.h
+osfmk/mach/syscall_sw.h
+osfmk/mach/sysdiagnose_notification_server.h
+osfmk/mach/task.defs
+osfmk/mach/task.h
+osfmk/mach/task_access.defs
+osfmk/mach/task_access.h
+osfmk/mach/task_access_server.h
+osfmk/mach/task_info.h
+osfmk/mach/task_policy.h
+osfmk/mach/task_special_ports.h
+osfmk/mach/telemetry_notification.defs
+osfmk/mach/telemetry_notification_server.h
+osfmk/mach/thread_act.defs
+osfmk/mach/thread_act.h
+osfmk/mach/thread_info.h
+osfmk/mach/thread_policy.h
+osfmk/mach/thread_special_ports.h
+osfmk/mach/thread_status.h
+osfmk/mach/thread_switch.h
+osfmk/mach/time_value.h
+osfmk/mach/upl.h
+osfmk/mach/vm_attributes.h
+osfmk/mach/vm_behavior.h
+osfmk/mach/vm_inherit.h
+osfmk/mach/vm_map.defs
+osfmk/mach/vm_map.h
+osfmk/mach/vm_param.h
+osfmk/mach/vm_prot.h
+osfmk/mach/vm_purgable.h
+osfmk/mach/vm_region.h
+osfmk/mach/vm_statistics.h
+osfmk/mach/vm_sync.h
+osfmk/mach/vm_types.h
+osfmk/mach_debug/hash_info.h
+osfmk/mach_debug/ipc_info.h
+osfmk/mach_debug/lockgroup_info.h
+osfmk/mach_debug/mach_debug.h
+osfmk/mach_debug/mach_debug_types.defs
+osfmk/mach_debug/mach_debug_types.h
+osfmk/mach_debug/page_info.h
+osfmk/mach_debug/vm_info.h
+osfmk/mach_debug/zone_info.h
+osfmk/machine/atomic.h
+osfmk/machine/cpu_capabilities.h
+osfmk/machine/cpu_number.h
+osfmk/machine/io_map_entries.h
+osfmk/machine/lock.h
+osfmk/machine/locks.h
+osfmk/machine/machine_cpuid.h
+osfmk/machine/machine_kpc.h
+osfmk/machine/machine_routines.h
+osfmk/machine/pal_hibernate.h
+osfmk/machine/pal_routines.h
+osfmk/machine/simple_lock.h
+osfmk/prng/random.h
+osfmk/string.h
+osfmk/vm/WKdm_new.h
+osfmk/vm/pmap.h
+osfmk/vm/vm_compressor_algorithms.h
+osfmk/vm/vm_fault.h
+osfmk/vm/vm_kern.h
+osfmk/vm/vm_map.h
+osfmk/vm/vm_options.h
+osfmk/vm/vm_pageout.h
+osfmk/vm/vm_protos.h
+osfmk/vm/vm_shared_region.h
+osfmk/voucher/ipc_pthread_priority_types.h
+osfmk/x86_64/machine_kpc.h
+pexpert/boot.h
+pexpert/i386/boot.h
+pexpert/i386/efi.h
+pexpert/i386/protos.h
+pexpert/machine/boot.h
+pexpert/machine/protos.h
+pexpert/pexpert.h
+pexpert/pexpert/boot.h
+pexpert/pexpert/device_tree.h
+pexpert/pexpert/i386/boot.h
+pexpert/pexpert/i386/efi.h
+pexpert/pexpert/i386/protos.h
+pexpert/pexpert/machine/boot.h
+pexpert/pexpert/machine/protos.h
+pexpert/pexpert/pexpert.h
+pexpert/pexpert/protos.h
+pexpert/protos.h
+security/audit/audit_ioctl.h
+security/mac.h
+security/mac_policy.h
+security/security/_label.h
+security/security/mac.h
+security/security/mac_alloc.h
+security/security/mac_data.h
+security/security/mac_framework.h
+security/security/mac_internal.h
+security/security/mac_mach_internal.h
+security/security/mac_policy.h
+servers/key_defs.h
+servers/ls_defs.h
+servers/netname.h
+servers/netname_defs.h
+servers/nm_defs.h
+sys/_endian.h
+sys/_posix_availability.h
+sys/_select.h
+sys/_structs.h
+sys/_symbol_aliasing.h
+sys/_types.h
+sys/_types/_blkcnt_t.h
+sys/_types/_blksize_t.h
+sys/_types/_clock_t.h
+sys/_types/_ct_rune_t.h
+sys/_types/_dev_t.h
+sys/_types/_errno_t.h
+sys/_types/_fd_clr.h
+sys/_types/_fd_copy.h
+sys/_types/_fd_def.h
+sys/_types/_fd_isset.h
+sys/_types/_fd_set.h
+sys/_types/_fd_setsize.h
+sys/_types/_fd_zero.h
+sys/_types/_filesec_t.h
+sys/_types/_fsblkcnt_t.h
+sys/_types/_fsfilcnt_t.h
+sys/_types/_fsid_t.h
+sys/_types/_fsobj_id_t.h
+sys/_types/_gid_t.h
+sys/_types/_guid_t.h
+sys/_types/_id_t.h
+sys/_types/_in_addr_t.h
+sys/_types/_in_port_t.h
+sys/_types/_ino64_t.h
+sys/_types/_ino_t.h
+sys/_types/_int16_t.h
+sys/_types/_int32_t.h
+sys/_types/_int64_t.h
+sys/_types/_int8_t.h
+sys/_types/_intptr_t.h
+sys/_types/_iovec_t.h
+sys/_types/_key_t.h
+sys/_types/_mach_port_t.h
+sys/_types/_mbstate_t.h
+sys/_types/_mode_t.h
+sys/_types/_nlink_t.h
+sys/_types/_null.h
+sys/_types/_o_dsync.h
+sys/_types/_o_sync.h
+sys/_types/_off_t.h
+sys/_types/_offsetof.h
+sys/_types/_os_inline.h
+sys/_types/_pid_t.h
+sys/_types/_posix_vdisable.h
+sys/_types/_ptrdiff_t.h
+sys/_types/_rsize_t.h
+sys/_types/_rune_t.h
+sys/_types/_s_ifmt.h
+sys/_types/_sa_family_t.h
+sys/_types/_seek_set.h
+sys/_types/_sigaltstack.h
+sys/_types/_sigset_t.h
+sys/_types/_size_t.h
+sys/_types/_socklen_t.h
+sys/_types/_ssize_t.h
+sys/_types/_suseconds_t.h
+sys/_types/_time_t.h
+sys/_types/_timespec.h
+sys/_types/_timeval.h
+sys/_types/_timeval32.h
+sys/_types/_timeval64.h
+sys/_types/_u_int16_t.h
+sys/_types/_u_int32_t.h
+sys/_types/_u_int64_t.h
+sys/_types/_u_int8_t.h
+sys/_types/_ucontext.h
+sys/_types/_ucontext64.h
+sys/_types/_uid_t.h
+sys/_types/_uintptr_t.h
+sys/_types/_useconds_t.h
+sys/_types/_uuid_t.h
+sys/_types/_va_list.h
+sys/_types/_wchar_t.h
+sys/_types/_wint_t.h
+sys/acct.h
+sys/aio.h
+sys/appleapiopts.h
+sys/attr.h
+sys/buf.h
+sys/cdefs.h
+sys/clonefile.h
+sys/conf.h
+sys/dir.h
+sys/dirent.h
+sys/disk.h
+sys/dkstat.h
+sys/domain.h
+sys/dtrace.h
+sys/dtrace_glue.h
+sys/dtrace_impl.h
+sys/errno.h
+sys/ev.h
+sys/event.h
+sys/fasttrap.h
+sys/fasttrap_isa.h
+sys/fcntl.h
+sys/file.h
+sys/filedesc.h
+sys/filio.h
+sys/gmon.h
+sys/ioccom.h
+sys/ioctl.h
+sys/ioctl_compat.h
+sys/ipc.h
+sys/kauth.h
+sys/kdebug.h
+sys/kdebug_signpost.h
+sys/kern_control.h
+sys/kern_event.h
+sys/kernel.h
+sys/kernel_types.h
+sys/lctx.h
+sys/loadable_fs.h
+sys/lock.h
+sys/lockf.h
+sys/lockstat.h
+sys/malloc.h
+sys/mbuf.h
+sys/mman.h
+sys/mount.h
+sys/msg.h
+sys/msgbuf.h
+sys/netport.h
+sys/param.h
+sys/paths.h
+sys/pipe.h
+sys/poll.h
+sys/posix_sem.h
+sys/posix_shm.h
+sys/proc.h
+sys/proc_info.h
+sys/protosw.h
+sys/ptrace.h
+sys/queue.h
+sys/quota.h
+sys/random.h
+sys/reboot.h
+sys/resource.h
+sys/resourcevar.h
+sys/sbuf.h
+sys/sdt.h
+sys/select.h
+sys/sem.h
+sys/semaphore.h
+sys/shm.h
+sys/signal.h
+sys/signalvar.h
+sys/socket.h
+sys/socketvar.h
+sys/sockio.h
+sys/spawn.h
+sys/stat.h
+sys/stdio.h
+sys/sys_domain.h
+sys/syscall.h
+sys/sysctl.h
+sys/syslimits.h
+sys/syslog.h
+sys/termios.h
+sys/time.h
+sys/timeb.h
+sys/times.h
+sys/tprintf.h
+sys/trace.h
+sys/tty.h
+sys/ttychars.h
+sys/ttycom.h
+sys/ttydefaults.h
+sys/ttydev.h
+sys/types.h
+sys/ubc.h
+sys/ucontext.h
+sys/ucred.h
+sys/uio.h
+sys/un.h
+sys/unistd.h
+sys/unpcb.h
+sys/user.h
+sys/utfconv.h
+sys/utsname.h
+sys/vadvise.h
+sys/vcmd.h
+sys/vm.h
+sys/vmmeter.h
+sys/vmparam.h
+sys/vnioctl.h
+sys/vnode.h
+sys/vnode_if.h
+sys/vstat.h
+sys/wait.h
+sys/xattr.h
+uuid/uuid.h
+vfs/vfs_support.h
+voucher/ipc_pthread_priority_types.h
diff --git a/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/python3.patch b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/python3.patch
new file mode 100644
index 000000000000..9f29376187f4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/apple-source-releases/xnu/python3.patch
@@ -0,0 +1,41 @@
+diff --git a/bsd/kern/makekdebugevents.py b/bsd/kern/makekdebugevents.py
+index 73b2db4..d354ba0 100755
+--- a/bsd/kern/makekdebugevents.py
++++ b/bsd/kern/makekdebugevents.py
+@@ -5,7 +5,7 @@
+ # named kd_events[] or these mappings.
+ # Required to generate a header file used by DEVELOPMENT and DEBUG kernels.
+ #
+- 
++
+ import sys
+ import re
+ 
+@@ -21,18 +21,18 @@ code_table = []
+ # scan file to generate internal table
+ with open(trace_code_file, 'rt') as codes:
+     for line in codes:
+-	m = id_name_pattern.match(line)
+-	if m:
++        m = id_name_pattern.match(line)
++        if m:
+             code_table += [(int(m.group(1),base=16), m.group(2))]
+ 
+ # emit typedef:
+-print "typedef struct {"
+-print "        uint32_t   id;"
+-print "        const char *name;"
+-print "} kd_event_t;"
++print("typedef struct {")
++print("        uint32_t   id;")
++print("        const char *name;")
++print("} kd_event_t;")
+ # emit structure declaration and sorted initialization:
+-print "kd_event_t kd_events[] = {"
++print("kd_event_t kd_events[] = {")
+ for mapping in sorted(code_table, key=lambda x: x[0]):
+-        print "        {0x%x, \"%s\"}," % mapping
+-print "};"
++        print("        {0x%x, \"%s\"}," % mapping)
++print("};")
+ 
diff --git a/nixpkgs/pkgs/os-specific/darwin/binutils/default.nix b/nixpkgs/pkgs/os-specific/darwin/binutils/default.nix
new file mode 100644
index 000000000000..c5bc50cafd71
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/binutils/default.nix
@@ -0,0 +1,74 @@
+{ lib, stdenv, makeWrapper, binutils-unwrapped, cctools, llvm, clang-unwrapped }:
+
+# Make sure both underlying packages claim to have prepended their binaries
+# with the same targetPrefix.
+assert binutils-unwrapped.targetPrefix == cctools.targetPrefix;
+
+let
+  inherit (binutils-unwrapped) targetPrefix;
+  cmds = [
+    "ar" "ranlib" "as" "install_name_tool"
+    "ld" "strip" "otool" "lipo" "nm" "strings" "size"
+    "codesign_allocate"
+  ];
+in
+
+# TODO: loop over targetPrefixed binaries too
+stdenv.mkDerivation {
+  pname = "${targetPrefix}cctools-binutils-darwin";
+  inherit (cctools) version;
+  outputs = [ "out" "man" ];
+  buildCommand = ''
+    mkdir -p $out/bin $out/include
+
+    ln -s ${binutils-unwrapped.out}/bin/${targetPrefix}c++filt $out/bin/${targetPrefix}c++filt
+
+    # We specifically need:
+    # - ld: binutils doesn't provide it on darwin
+    # - as: as above
+    # - ar: the binutils one produces .a files that the cctools ld doesn't like
+    # - ranlib: for compatibility with ar
+    # - otool: we use it for some of our name mangling
+    # - install_name_tool: we use it to rewrite stuff in our bootstrap tools
+    # - strip: the binutils one seems to break mach-o files
+    # - lipo: gcc build assumes it exists
+    # - nm: the gnu one doesn't understand many new load commands
+    for i in ${lib.concatStringsSep " " (builtins.map (e: targetPrefix + e) cmds)}; do
+      ln -sf "${cctools}/bin/$i" "$out/bin/$i"
+    done
+
+    ln -s ${llvm}/bin/dsymutil $out/bin/dsymutil
+
+    ln -s ${binutils-unwrapped.out}/share $out/share
+
+    ln -s ${cctools}/libexec $out/libexec
+
+    mkdir -p "$man"/share/man/man{1,5}
+    for i in ${builtins.concatStringsSep " " cmds}; do
+      for path in "${cctools.man}"/share/man/man?/$i.*; do
+        dest_path="$man''${path#${cctools.man}}"
+        ln -sv "$path" "$dest_path"
+      done
+    done
+  ''
+  # On aarch64-darwin we must use clang, because "as" from cctools just doesn't
+  # handle the arch. Proxying calls to clang produces quite a bit of warnings,
+  # and using clang directly here is a better option than relying on cctools.
+  # On x86_64-darwin the Clang version is too old to support this mode.
+  + lib.optionalString stdenv.isAarch64 ''
+    rm $out/bin/${targetPrefix}as
+    makeWrapper "${clang-unwrapped}/bin/clang" "$out/bin/${targetPrefix}as" \
+      --add-flags "-x assembler -integrated-as -c"
+  '';
+
+  nativeBuildInputs = lib.optionals stdenv.isAarch64 [ makeWrapper ];
+
+  passthru = {
+    inherit targetPrefix;
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ matthewbauer ];
+    priority = 10;
+  };
+}
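Review bot: The man-page loop at the end of `buildCommand` assumes every name in `cmds` has a page under `${cctools.man}/share/man/man?/`. Without `nullglob` an unmatched pattern is iterated literally, so `dest_path` would point into a non-existent `man?` directory and `ln -sv` would fail the build. Adding `shopt -s nullglob` before the outer `for` turns a command without a page into a no-op. `meta` also sets only `maintainers` and `priority`, so nothing marks this wrapper as Darwin-only; `platforms = lib.platforms.darwin;` would.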
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/ld-ignore-rpath-link.patch b/nixpkgs/pkgs/os-specific/darwin/cctools/ld-ignore-rpath-link.patch
new file mode 100644
index 000000000000..fc87f69ac32d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/ld-ignore-rpath-link.patch
@@ -0,0 +1,16 @@
+diff --git a/cctools/ld64/src/ld/Options.cpp b/cctools/ld64/src/ld/Options.cpp
+index 2565518..9250016 100644
+--- a/cctools/ld64/src/ld/Options.cpp
++++ b/cctools/ld64/src/ld/Options.cpp
+@@ -2522,6 +2522,11 @@ void Options::parse(int argc, const char* argv[])
+ 					throw "missing argument to -rpath";
+ 				fRPaths.push_back(path);
+ 			}
++			else if ( strcmp(arg, "-rpath-link") == 0 ) {
++				const char* path = argv[++i];
++				if ( path == NULL )
++					throw "missing argument to -rpath-link";
++			}
+ 			else if ( strcmp(arg, "-read_only_stubs") == 0 ) {
+ 				fReadOnlyx86Stubs = true;
+ 			}
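Review bot: The added `-rpath-link` branch consumes the next argument and drops it, and nothing in the patch says why. A one-line comment such as `// -rpath-link: accepted for GNU ld command-line compatibility, intentionally ignored` would stop a later reader from treating the unused `path` as a bug. The reason stated there is my assumption and should be confirmed by the author. `Options::parse` starts and ends outside this hunk, so the handling of `argv[++i]` can only be compared with the neighbouring `-rpath` branch.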
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/ld-rpath-nonfinal.patch b/nixpkgs/pkgs/os-specific/darwin/cctools/ld-rpath-nonfinal.patch
new file mode 100644
index 000000000000..17ad9053f3bd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/ld-rpath-nonfinal.patch
@@ -0,0 +1,29 @@
+diff --git a/cctools/ld64/src/ld/Options.cpp b/cctools/ld64/src/ld/Options.cpp
+index e4b37ec..4189ebc 100644
+--- a/cctools/ld64/src/ld/Options.cpp
++++ b/cctools/ld64/src/ld/Options.cpp
+@@ -5800,24 +5800,6 @@ void Options::checkIllegalOptionCombinations()
+ 	if ( fDeadStrip && (fOutputKind == Options::kObjectFile) )
+ 		throw "-r and -dead_strip cannot be used together";
+ 
+-	// can't use -rpath unless targeting 10.5 or later
+-	if ( fRPaths.size() > 0 ) {
+-		if ( !platforms().minOS(ld::version2008) )
+-			throw "-rpath can only be used when targeting Mac OS X 10.5 or later";
+-		switch ( fOutputKind ) {
+-			case Options::kDynamicExecutable:
+-			case Options::kDynamicLibrary:
+-			case Options::kDynamicBundle:
+-				break;
+-			case Options::kStaticExecutable:
+-			case Options::kObjectFile:
+-			case Options::kDyld:
+-			case Options::kPreload:
+-			case Options::kKextBundle:
+-				throw "-rpath can only be used when creating a dynamic final linked image";
+-		}
+-	}
+-	
+ 	if ( fPositionIndependentExecutable ) {
+ 		switch ( fOutputKind ) {
+ 			case Options::kDynamicExecutable:
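Review bot: Deleting the whole `fRPaths` block drops two independent checks: the output-kind restriction that the file name `ld-rpath-nonfinal` refers to, and the `minOS(ld::version2008)` guard. If only non-final outputs need to accept `-rpath`, the `minOS` test could stay. If both are meant to go, a short description at the top of the patch file should say so and why. Whether `fRPaths` is then emitted for object files or static executables is decided outside this hunk and is worth checking, since the linker no longer rejects those combinations. `checkIllegalOptionCombinations` continues past the hunk.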
diff --git a/nixpkgs/pkgs/os-specific/darwin/cctools/port.nix b/nixpkgs/pkgs/os-specific/darwin/cctools/port.nix
new file mode 100644
index 000000000000..bace6f0689d9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/cctools/port.nix
@@ -0,0 +1,106 @@
+{ lib, stdenv, fetchFromGitHub, autoconf, automake, libtool, autoreconfHook
+, installShellFiles
+, libuuid
+, libobjc ? null, maloader ? null
+, enableTapiSupport ? true, libtapi
+}:
+
+let
+
+  # The targetPrefix prepended to binary names to allow multiple binuntils on the
+  # PATH to both be usable.
+  targetPrefix = lib.optionalString
+    (stdenv.targetPlatform != stdenv.hostPlatform)
+    "${stdenv.targetPlatform.config}-";
+in
+
+# Non-Darwin alternatives
+assert (!stdenv.hostPlatform.isDarwin) -> maloader != null;
+
+stdenv.mkDerivation {
+  pname = "${targetPrefix}cctools-port";
+  version = "949.0.1";
+
+  src = fetchFromGitHub {
+    owner  = "tpoechtrager";
+    repo   = "cctools-port";
+    rev    = "43f32a4c61b5ba7fde011e816136c550b1b3146f";
+    sha256 = "10yc5smiczzm62q6ijqccc58bwmfhc897f3bwa5i9j98csqsjj0k";
+  };
+
+  outputs = [ "out" "dev" "man" ];
+
+  nativeBuildInputs = [ autoconf automake libtool autoreconfHook installShellFiles ];
+  buildInputs = [ libuuid ]
+    ++ lib.optionals stdenv.isDarwin [ libobjc ]
+    ++ lib.optional enableTapiSupport libtapi;
+
+  patches = [ ./ld-ignore-rpath-link.patch ./ld-rpath-nonfinal.patch ];
+
+  __propagatedImpureHostDeps = [
+    # As far as I can tell, otool from cctools is the only thing that depends on these two, and we should fix them
+    "/usr/lib/libobjc.A.dylib"
+    "/usr/lib/libobjc.dylib"
+  ];
+
+  enableParallelBuilding = true;
+
+  # TODO(@Ericson2314): Always pass "--target" and always targetPrefix.
+  configurePlatforms = [ "build" "host" ]
+    ++ lib.optional (stdenv.targetPlatform != stdenv.hostPlatform) "target";
+  configureFlags = [ "--disable-clang-as" ]
+    ++ lib.optionals enableTapiSupport [
+      "--enable-tapi-support"
+      "--with-libtapi=${libtapi}"
+    ];
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
+    substituteInPlace cctools/Makefile.am --replace libobjc2 ""
+  '' + ''
+    sed -i -e 's/addStandardLibraryDirectories = true/addStandardLibraryDirectories = false/' cctools/ld64/src/ld/Options.cpp
+
+    # FIXME: there are far more absolute path references that I don't want to fix right now
+    substituteInPlace cctools/configure.ac \
+      --replace "-isystem /usr/local/include -isystem /usr/pkg/include" "" \
+      --replace "-L/usr/local/lib" "" \
+
+    substituteInPlace cctools/include/Makefile \
+      --replace "/bin/" ""
+
+    patchShebangs tools
+    sed -i -e 's/which/type -P/' tools/*.sh
+
+    # Workaround for https://www.sourceware.org/bugzilla/show_bug.cgi?id=11157
+    cat > cctools/include/unistd.h <<EOF
+    #ifdef __block
+    #  undef __block
+    #  include_next "unistd.h"
+    #  define __block __attribute__((__blocks__(byref)))
+    #else
+    #  include_next "unistd.h"
+    #endif
+    EOF
+
+    cd cctools
+  '';
+
+  preInstall = ''
+    pushd include
+    make DSTROOT=$out/include RC_OS=common install
+    popd
+
+    installManPage ar/ar.{1,5}
+  '';
+
+  passthru = {
+    inherit targetPrefix;
+  };
+
+  meta = {
+    broken = !stdenv.targetPlatform.isDarwin; # Only supports darwin targets
+    homepage = "http://www.opensource.apple.com/source/cctools/";
+    description = "MacOS Compiler Tools (cross-platform port)";
+    license = lib.licenses.apsl20;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
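Review bot: In `postPatch`, the `sed` that flips `addStandardLibraryDirectories` to `false` succeeds silently when its pattern stops matching. It is presumably what keeps the built ld64 from searching the host's default library directories, so an upstream rename would quietly produce an impure linker. A check directly after it, `grep -q 'addStandardLibraryDirectories = false' cctools/ld64/src/ld/Options.cpp`, would fail the build instead. The `s/which/type -P/` substitution on `tools/*.sh` is unanchored and also rewrites the word inside comments or longer identifiers. `meta.homepage` uses `http://` where an `https://` URL would be preferable.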
diff --git a/nixpkgs/pkgs/os-specific/darwin/darling/default.nix b/nixpkgs/pkgs/os-specific/darwin/darling/default.nix
new file mode 100644
index 000000000000..22fb6d3b07c6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/darling/default.nix
@@ -0,0 +1,51 @@
+{stdenv, lib, fetchzip}:
+
+stdenv.mkDerivation rec {
+  pname = "darling";
+  name = pname;
+
+  src = fetchzip {
+    url = "https://github.com/darlinghq/darling/archive/d2cc5fa748003aaa70ad4180fff0a9a85dc65e9b.tar.gz";
+    sha256 = "11b51fw47nl505h63bgx5kqiyhf3glhp1q6jkpb6nqfislnzzkrf";
+    postFetch = ''
+      # The archive contains both `src/opendirectory` and `src/OpenDirectory`,
+      # pre-create the directory to choose the canonical case on
+      # case-insensitive filesystems.
+      mkdir -p $out/src/OpenDirectory
+
+      cd $out
+      tar -xzf $downloadedFile --strip-components=1
+      rm -r $out/src/libm
+
+      # If `src/opendirectory` and `src/OpenDirectory` refer to different
+      # things, then combine them into `src/OpenDirectory` to match the result
+      # on case-insensitive filesystems.
+      if [ "$(stat -c %i src/opendirectory)" != "$(stat -c %i src/OpenDirectory)" ]; then
+        mv src/opendirectory/* src/OpenDirectory/
+        rmdir src/opendirectory
+      fi
+    '';
+  };
+
+  # only packaging sandbox for now
+  buildPhase = ''
+    cc -c src/sandbox/sandbox.c -o src/sandbox/sandbox.o
+    cc -dynamiclib -flat_namespace src/sandbox/sandbox.o -o libsystem_sandbox.dylib
+  '';
+
+  installPhase = ''
+    mkdir -p $out/lib
+    cp -rL src/sandbox/include/ $out/
+    cp libsystem_sandbox.dylib $out/lib/
+
+    mkdir -p $out/include
+    cp src/libaks/include/* $out/include
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ matthewbauer ];
+    license = licenses.gpl3;
+    description = "Darwin/macOS emulation layer for Linux";
+    platforms = platforms.darwin;
+  };
+}
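Review bot: The `cc -dynamiclib` line in `buildPhase` passes no `-install_name`, so the library's recorded install name defaults to the relative output path `libsystem_sandbox.dylib`. Anything linked against it would then ask dyld for a relative path rather than the store path, unless a fixup hook not visible here rewrites it. Adding `-install_name $out/lib/libsystem_sandbox.dylib` to that line pins it at link time. Separately, `name = pname;` leaves the derivation without a version even though `src` is pinned to a commit.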
diff --git a/nixpkgs/pkgs/os-specific/darwin/darwin-stubs/default.nix b/nixpkgs/pkgs/os-specific/darwin/darwin-stubs/default.nix
new file mode 100644
index 000000000000..6e3439455cce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/darwin-stubs/default.nix
@@ -0,0 +1,18 @@
+{ stdenvNoCC, fetchurl }:
+
+stdenvNoCC.mkDerivation {
+  pname = "darwin-stubs";
+  version = "10.12";
+
+  src = fetchurl {
+    url = "https://github.com/NixOS/darwin-stubs/releases/download/v20201216/10.12.tar.gz";
+    sha256 = "1fyd3xig7brkzlzp0ql7vyfj5sp8iy56kgp548mvicqdyw92adgm";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir $out
+    mv * $out
+  '';
+}
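Review bot: The derivation has no `meta` block, so a package that redistributes a release tarball carries no `description`, `license` or `platforms`. Adding one needs `lib` in the argument set, for example for `platforms = lib.platforms.darwin;`. The license value has to come from the upstream repository, as it is not visible here. `installPhase` also uses `mv * $out`, which leaves behind any dot-files in the unpacked archive.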
diff --git a/nixpkgs/pkgs/os-specific/darwin/discrete-scroll/default.nix b/nixpkgs/pkgs/os-specific/darwin/discrete-scroll/default.nix
new file mode 100644
index 000000000000..f38bf8d81322
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/discrete-scroll/default.nix
@@ -0,0 +1,36 @@
+{ stdenv, lib, fetchFromGitHub, Cocoa }:
+
+## after launching for the first time, grant access for parent application (e.g. Terminal.app)
+## from 'system preferences >> security & privacy >> accessibility'
+## and then launch again
+
+stdenv.mkDerivation rec {
+  pname = "discrete-scroll";
+  version = "0.1.1";
+
+  src = fetchFromGitHub {
+    owner = "emreyolcu";
+    repo = "discrete-scroll";
+    rev = "v${version}";
+    sha256 = "0aqkp4kkwjlkll91xbqwf8asjww8ylsdgqvdk8d06bwdvg2cgvhg";
+  };
+
+  buildInputs = [ Cocoa ];
+
+  buildPhase = ''
+    cc -std=c99 -O3 -Wall -framework Cocoa -o dc DiscreteScroll/main.m
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp ./dc $out/bin/discretescroll
+  '';
+
+  meta = with lib; {
+    description = "Fix for OS X's scroll wheel problem";
+    homepage = "https://github.com/emreyolcu/discrete-scroll";
+    platforms = platforms.darwin;
+    license = licenses.mit;
+    maintainers = with lib.maintainers; [ bb2020 ];
+  };
+}
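Review bot: The header comment tells the user to grant Accessibility access to the parent application but does not say how far that grant reaches. As far as I know the permission is attached to the parent application, so it covers every program started from it and not only `discretescroll`. I would add one line such as `## note: the grant applies to the parent application, so other programs launched from it can use the Accessibility API as well`. `buildPhase` and `installPhase` also omit `runHook preInstall`/`postInstall`-style hooks, unlike the dockutil expression in the same commit.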
diff --git a/nixpkgs/pkgs/os-specific/darwin/dockutil/default.nix b/nixpkgs/pkgs/os-specific/darwin/dockutil/default.nix
new file mode 100644
index 000000000000..5e4187f07280
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/dockutil/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchurl, libarchive, p7zip }:
+stdenv.mkDerivation rec {
+  pname = "dockutil";
+  version = "3.0.2";
+
+  src = fetchurl {
+    url =
+      "https://github.com/kcrawford/dockutil/releases/download/${version}/dockutil-${version}.pkg";
+    sha256 = "175137ea747e83ed221d60b18b712b256ed31531534cde84f679487d337668fd";
+  };
+
+  dontBuild = true;
+
+  nativeBuildInputs = [ libarchive p7zip ];
+
+  unpackPhase = ''
+    7z x $src
+    bsdtar -xf Payload~
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin
+    mkdir -p $out/usr/local/bin
+    install -Dm755 usr/local/bin/dockutil -t $out/usr/local/bin
+    ln -rs $out/usr/local/bin/dockutil $out/bin/dockutil
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Tool for managing dock items";
+    homepage = "https://github.com/kcrawford/dockutil";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ tboerger ];
+    platforms = platforms.darwin;
+  };
+}
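Review bot: `src` is the upstream release `.pkg`, and `installPhase` copies `usr/local/bin/dockutil` out of its payload with `dontBuild = true`. The package therefore appears to install a prebuilt binary, yet `meta` does not declare that. If this nixpkgs revision supports it, add `sourceProvenance = with sourceTypes; [ binaryNativeCode ];` to `meta` so that binary-only packages can be identified and filtered by policy. The goku expression later in this commit looks like the same case, as it installs `goku` and `gokuw` straight from `goku.zip`.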
diff --git a/nixpkgs/pkgs/os-specific/darwin/duti/default.nix b/nixpkgs/pkgs/os-specific/darwin/duti/default.nix
new file mode 100644
index 000000000000..db0b1e1dcbae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/duti/default.nix
@@ -0,0 +1,37 @@
+{stdenv, lib, fetchFromGitHub, autoreconfHook, ApplicationServices}:
+
+stdenv.mkDerivation rec {
+  pname = "duti";
+  version = "1.5.5pre";
+  src = fetchFromGitHub {
+    owner = "moretension";
+    repo = pname;
+    rev = "fe3d3dc411bcea6af7a8cbe53c0e08ed5ecacdb2";
+    sha256 = "1pg4i6ghpib2gy1sqpml7dbnhr1vbr43fs2pqkd09i4w3nmgpic9";
+  };
+
+  nativeBuildInputs = [autoreconfHook];
+  buildInputs = [ApplicationServices];
+  configureFlags = [
+    "--with-macosx-sdk=/homeless-shelter"
+
+    # needed to prevent duti from trying to guess our sdk
+    # NOTE: this is different than stdenv.hostPlatform.config!
+    "--host=x86_64-apple-darwin18"
+  ];
+
+  meta = with lib; {
+    description = "A command-line tool to select default applications for document types and URL schemes on Mac OS X";
+    longDescription = ''
+      duti is a command-line utility capable of setting default applications for
+      various document types on Mac OS X, using Apple's Uniform Type Identifiers. A
+      UTI is a unique string describing the format of a file's content. For instance,
+      a Microsoft Word document has a UTI of com.microsoft.word.doc. Using duti, the
+      user can change which application acts as the default handler for a given UTI.
+    '';
+    maintainers = with maintainers; [matthewbauer];
+    platforms = platforms.darwin;
+    license = licenses.publicDomain;
+    homepage = "https://github.com/moretension/duti/";
+  };
+}
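Review bot: `--host=x86_64-apple-darwin18` in `configureFlags` is hard-coded, so configure is told an x86_64 host on every Darwin platform, including aarch64. The comment explains why the OS suffix differs from `stdenv.hostPlatform.config`, but the CPU part can still follow the platform: `"--host=${stdenv.hostPlatform.parsed.cpu.name}-apple-darwin18"`. Whether duti's configure script accepts the resulting aarch64 triple should be checked on that platform.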
diff --git a/nixpkgs/pkgs/os-specific/darwin/ghc-standalone-archive/default.nix b/nixpkgs/pkgs/os-specific/darwin/ghc-standalone-archive/default.nix
new file mode 100644
index 000000000000..46ba68281868
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/ghc-standalone-archive/default.nix
@@ -0,0 +1,13 @@
+{ runCommand, cctools }:
+{ haskellPackages, src, deps ? p : [], name }: let
+  inherit (haskellPackages) ghc ghcWithPackages;
+  with-env = ghcWithPackages deps;
+  ghcName = "${ghc.targetPrefix}ghc";
+in runCommand name { buildInputs = [ with-env cctools ]; } ''
+  mkdir -p $out/lib
+  mkdir -p $out/include
+  ${ghcName} ${src} -staticlib -outputdir . -o $out/lib/${name}.a -stubdir $out/include
+  for file in ${ghc}/lib/${ghcName}-${ghc.version}/include/*; do
+    ln -sv $file $out/include
+  done
+''
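Review bot: The `runCommand` script interpolates `${src}`, `${name}` and `$file` unquoted, so a caller-supplied name or source path containing whitespace or glob characters would be word-split by the shell. Quote them, e.g. `-o "$out/lib/${name}.a"` and `ln -sv "$file" "$out/include"`. The function also has no header comment; something like `# Compiles src with GHC into the static archive $out/lib/<name>.a and puts stub and GHC headers in $out/include` would tell callers what they get.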
diff --git a/nixpkgs/pkgs/os-specific/darwin/goku/default.nix b/nixpkgs/pkgs/os-specific/darwin/goku/default.nix
new file mode 100644
index 000000000000..af70aaccc464
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/goku/default.nix
@@ -0,0 +1,37 @@
+{ lib
+, stdenv
+, fetchurl
+, unzip
+}:
+
+stdenv.mkDerivation rec {
+  pname = "goku";
+  version = "0.5.2";
+
+  src = fetchurl {
+    url = "https://github.com/yqrashawn/GokuRakuJoudo/releases/download/v${version}/goku.zip";
+    sha256 = "506eccdabedc68c112778b13ded65099327267c2e3fd488916e3a340bc312954";
+  };
+
+  nativeBuildInputs = [
+    unzip
+  ];
+
+  sourceRoot = ".";
+
+  installPhase = ''
+    chmod +x goku
+    chmod +x gokuw
+    mkdir -p $out/bin
+    cp goku $out/bin
+    cp gokuw $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Karabiner configurator";
+    homepage = "https://github.com/yqrashawn/GokuRakuJoudo";
+    license = licenses.gpl3;
+    maintainers = [ maintainers.nikitavoloboev ];
+    platforms = platforms.darwin;
+  };
+}
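Review bot: `src` is the upstream release `goku.zip`, and `installPhase` only marks `goku` and `gokuw` executable and copies them, so what ships appears to be a vendor-built binary that nothing but the `sha256` pins; `meta` does not say so. Add `sourceProvenance = with sourceTypes; [ binaryNativeCode ];` to `meta` so that policies restricting non-source packages can see it, and a comment on why the tagged source is not built. The same applies to the `kwm` release zip and the `mas` Homebrew bottle added later in this diff.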
diff --git a/nixpkgs/pkgs/os-specific/darwin/impure-cmds/default.nix b/nixpkgs/pkgs/os-specific/darwin/impure-cmds/default.nix
new file mode 100644
index 000000000000..51e345f048bd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/impure-cmds/default.nix
@@ -0,0 +1,34 @@
+{ lib, runCommandLocal }:
+
+# On darwin, there are some commands neither opensource nor able to build in nixpkgs.
+# We have no choice but to use those system-shipped impure ones.
+
+let
+  commands = {
+    ditto = "/usr/bin/ditto"; # ditto is not opensource
+    sudo  = "/usr/bin/sudo";  # sudo must be owned by uid 0 and have the setuid bit set
+  };
+
+  mkImpureDrv = name: path:
+    runCommandLocal "${name}-impure-darwin" {
+      __impureHostDeps = [ path ];
+
+      meta = {
+        platforms = lib.platforms.darwin;
+      };
+    } ''
+      if ! [ -x ${path} ]; then
+        echo Cannot find command ${path}
+        exit 1
+      fi
+
+      mkdir -p $out/bin
+      ln -s ${path} $out/bin
+
+      manpage="/usr/share/man/man1/${name}.1"
+      if [ -f $manpage ]; then
+        mkdir -p $out/share/man/man1
+        ln -s $manpage $out/share/man/man1
+      fi
+    '';
+in lib.mapAttrs mkImpureDrv commands
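Review bot: Each output is only a symlink to `${path}` on the host, and the `[ -x ${path} ]` test runs once at build time, so the store path gives no guarantee about which `sudo` or `ditto` binary runs later; the header comment should state that explicitly. A line such as `# NOTE: outputs are symlinks into /usr/bin; the binary is whatever the host OS ships at run time and is not covered by the store hash` above `commands` would make the trust boundary clear to anyone depending on these. Quoting `"${path}"` and `"$manpage"` in the script would also be tidier, although the current values contain no spaces.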
diff --git a/nixpkgs/pkgs/os-specific/darwin/insert_dylib/default.nix b/nixpkgs/pkgs/os-specific/darwin/insert_dylib/default.nix
new file mode 100644
index 000000000000..7ab9692f0d42
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/insert_dylib/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, fetchFromGitHub, xcbuildHook }:
+
+stdenv.mkDerivation {
+  pname = "insert_dylib";
+  version = "unstable-2016-08-28";
+
+  src = fetchFromGitHub {
+    owner = "Tyilo";
+    repo = "insert_dylib";
+    rev = "c8beef66a08688c2feeee2c9b6eaf1061c2e67a9";
+    sha256 = "0az38y06pvvy9jf2wnzdwp9mp98lj6nr0ldv0cs1df5p9x2qvbya";
+  };
+
+  nativeBuildInputs = [ xcbuildHook ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    install -m755 Products/Release/insert_dylib $out/bin
+  '';
+
+  meta.platforms = lib.platforms.darwin;
+}
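Review bot: `meta` carries only `platforms`; there is no `description`, `homepage` or `license`, so the package appears in search and in license filtering with nothing to identify it. For a tool that edits the load commands of Mach-O binaries, that context matters to whoever audits a closure containing it. Add at least a `description` and `homepage = "https://github.com/Tyilo/insert_dylib";`, and set `license` after checking the upstream repository, since the hunk does not show which one applies.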
diff --git a/nixpkgs/pkgs/os-specific/darwin/ios-deploy/default.nix b/nixpkgs/pkgs/os-specific/darwin/ios-deploy/default.nix
new file mode 100644
index 000000000000..6567093700df
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/ios-deploy/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenvNoCC, rsync, fetchFromGitHub }:
+
+# Note this is impure, using system XCode to build ios-deploy. We
+# should have a special flag for users to enable this.
+
+let version = "1.11.0";
+in stdenvNoCC.mkDerivation {
+  pname = "ios-deploy";
+  inherit version;
+  src = fetchFromGitHub {
+    owner = "ios-control";
+    repo = "ios-deploy";
+    rev = version;
+    sha256 = "0hqwikdrcnslx4kkw9b0n7n443gzn2gbrw15pp2fnkcw5s0698sc";
+  };
+  nativeBuildInputs = [ rsync ];
+  buildPhase = ''
+    LD=$CC
+    tmp=$(mktemp -d)
+    ln -s /usr/bin/xcodebuild $tmp
+    export PATH="$PATH:$tmp"
+    xcodebuild -configuration Release SYMROOT=build OBJROOT=$tmp
+  '';
+  checkPhase = ''
+    xcodebuild test -scheme ios-deploy-tests -configuration Release SYMROOT=build
+  '';
+  installPhase = ''
+    install -D build/Release/ios-deploy $out/bin/ios-deploy
+  '';
+  meta = {
+    platforms = lib.platforms.darwin;
+    description = "Install and debug iOS apps from the command line. Designed to work on un-jailbroken devices";
+    license = lib.licenses.gpl3;
+  };
+}
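Review bot: `buildPhase` links `/usr/bin/xcodebuild` from the host into `PATH`, but the derivation does not declare that path in `__impureHostDeps` the way `impure-cmds/default.nix` does in this same diff; with the sandbox enabled the build presumably cannot reach it, and without the sandbox it silently uses whatever Xcode the builder has installed. Declare the dependency, e.g. `__impureHostDeps = [ "/usr/bin/xcodebuild" ];`, or gate the package behind the opt-in flag the header comment already asks for. `LD=$CC` is also assigned under `stdenvNoCC`, where `CC` is probably unset, and it is not exported, so a comment on what it is meant to achieve would help.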
diff --git a/nixpkgs/pkgs/os-specific/darwin/iproute2mac/default.nix b/nixpkgs/pkgs/os-specific/darwin/iproute2mac/default.nix
new file mode 100644
index 000000000000..f542f2c5221b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/iproute2mac/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, darwin, python3 }:
+
+stdenv.mkDerivation rec {
+  version = "1.4.0";
+  pname = "iproute2mac";
+
+  src = fetchFromGitHub {
+    owner = "brona";
+    repo = "iproute2mac";
+    rev = "v${version}";
+    sha256 = "sha256-xakCNjmZpdVY7MMxk38EZatrakgkEeDhvljhl+aMmGg=";
+  };
+
+  buildInputs = [ python3 ];
+
+  postPatch = ''
+    substituteInPlace src/ip.py \
+      --replace /sbin/ifconfig ${darwin.network_cmds}/bin/ifconfig \
+      --replace /sbin/route ${darwin.network_cmds}/bin/route \
+      --replace /usr/sbin/netstat ${darwin.network_cmds}/bin/netstat \
+      --replace /usr/sbin/ndp ${darwin.network_cmds}/bin/ndp \
+      --replace /usr/sbin/arp ${darwin.network_cmds}/bin/arp \
+      --replace /usr/sbin/networksetup ${darwin.network_cmds}/bin/networksetup
+  '';
+  installPhase = ''
+    mkdir -p $out/bin
+    install -D -m 755 src/ip.py $out/bin/ip
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/brona/iproute2mac";
+    description = "CLI wrapper for basic network utilites on Mac OS X inspired with iproute2 on Linux systems - ip command.";
+    license = licenses.mit;
+    maintainers = with maintainers; [ jiegec ];
+    platforms = platforms.darwin;
+  };
+}
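Review bot: The last `--replace` in `postPatch` rewrites `/usr/sbin/networksetup` to `${darwin.network_cmds}/bin/networksetup`, but `networksetup` is an Apple system tool and, as far as I know, not one of the programs `network_cmds` builds, so the installed `ip` would point at a path that does not exist. Please confirm against the contents of `${darwin.network_cmds}/bin`; if it is absent, drop that substitution and leave a comment such as `# networksetup is closed source; keep /usr/sbin/networksetup`. The `description` also has a typo, "utilites".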
diff --git a/nixpkgs/pkgs/os-specific/darwin/khd/default.nix b/nixpkgs/pkgs/os-specific/darwin/khd/default.nix
new file mode 100644
index 000000000000..87e1a8bf6ae6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/khd/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, Carbon, Cocoa }:
+
+stdenv.mkDerivation rec {
+  pname = "khd";
+  version = "3.0.0";
+
+  src = fetchFromGitHub {
+    owner = "koekeishiya";
+    repo = "khd";
+    rev = "v${version}";
+    sha256 = "0nzfhknv1s71870w2dk9dy56a3g5zsbjphmfrz0vsvi438g099r4";
+  };
+
+  patches = [
+    # Fixes build issues, remove with >3.0.0
+    (fetchpatch {
+      url = "https://github.com/koekeishiya/khd/commit/4765ae0b4c7d4ca56319dc92ff54393cd9e03fbc.patch";
+      sha256 = "0kvf5hxi5bf6pf125qib7wn7hys0ag66zzpp4srj1qa87lxyf7np";
+    })
+  ];
+
+  buildInputs = [ Carbon Cocoa ];
+
+  buildPhase = ''
+    make install
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp bin/khd $out/bin/khd
+
+    mkdir -p $out/Library/LaunchDaemons
+    cp ${./org.nixos.khd.plist} $out/Library/LaunchDaemons/org.nixos.khd.plist
+    substituteInPlace $out/Library/LaunchDaemons/org.nixos.khd.plist --subst-var out
+  '';
+
+  meta = with lib; {
+    description = "A simple modal hotkey daemon for OSX";
+    homepage = "https://github.com/koekeishiya/khd";
+    downloadPage = "https://github.com/koekeishiya/khd/releases";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ lnl7 ];
+    license = licenses.mit;
+  };
+}
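Review bot: `buildPhase` runs `make install`, which reads as if the build writes outside `$out`; judging by the later `cp bin/khd`, upstream's `install` target appears only to produce a release `bin/khd` inside the source tree. A comment such as `# upstream's "install" target is the release build; it only writes ./bin/khd` above that line would save the next reader from checking the makefile. The plist is also placed under `Library/LaunchDaemons` although a hotkey daemon runs in a user session, so it is worth confirming whether consumers expect `LaunchAgents`.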
diff --git a/nixpkgs/pkgs/os-specific/darwin/khd/org.nixos.khd.plist b/nixpkgs/pkgs/os-specific/darwin/khd/org.nixos.khd.plist
new file mode 100644
index 000000000000..3c0aaa81eb61
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/khd/org.nixos.khd.plist
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>org.nixos.khd</string>
+  <key>ProgramArguments</key>
+  <array>
+  <string>@out@/bin/khd</string>
+  </array>
+  <key>KeepAlive</key>
+  <true/>
+  <key>ProcessType</key>
+  <string>Interactive</string>
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>PATH</key>
+    <string>@out@/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+  </dict>
+  <key>Sockets</key>
+  <dict>
+    <key>Listeners</key>
+    <dict>
+      <key>SockServiceName</key>
+      <string>3021</string>
+      <key>SockType</key>
+      <string>dgram</string>
+      <key>SockFamily</key>
+      <string>IPv4</string>
+    </dict>
+  </dict>
+</dict>
+</plist>
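Review bot: The `Sockets` entry declares a UDP listener on port 3021 with no `SockNodeName`, which as I understand launchd.plist leaves the socket bound to the wildcard address rather than loopback; if khd only takes commands from local clients, add `<key>SockNodeName</key>` with `<string>localhost</string>` to the `Listeners` dict. The `PATH` value also includes `/usr/local/bin` and `/usr/local/sbin`, which are often user-writable on macOS, and that matters if this job is ever loaded from `Library/LaunchDaemons` as root. `org.nixos.kwm.plist` later in this diff has the same listener on port 3020, and its closing `</dict>` tags are mis-indented.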
diff --git a/nixpkgs/pkgs/os-specific/darwin/kwm/default.nix b/nixpkgs/pkgs/os-specific/darwin/kwm/default.nix
new file mode 100644
index 000000000000..c210f9e8c65d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/kwm/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchzip }:
+
+stdenv.mkDerivation rec {
+  pname = "kwm";
+  version = "4.0.5";
+
+  src = fetchzip {
+    stripRoot = false;
+    url = "https://github.com/koekeishiya/kwm/releases/download/v${version}/Kwm-${version}.zip";
+    sha256 = "1ld1vblg3hmc6lpb8p2ljvisbkijjkijf4y87z5y1ia4k8pk7mxb";
+  };
+
+  # TODO: Build this properly once we have swiftc.
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp kwmc $out/bin/kwmc
+    cp kwm overlaylib.dylib $out
+
+    mkdir -p $out/Library/LaunchDaemons
+    cp ${./org.nixos.kwm.plist} $out/Library/LaunchDaemons/org.nixos.kwm.plist
+    substituteInPlace $out/Library/LaunchDaemons/org.nixos.kwm.plist --subst-var out
+  '';
+
+  meta = with lib; {
+    description = "Tiling window manager with focus follows mouse for OSX";
+    homepage = "https://github.com/koekeishiya/kwm";
+    downloadPage = "https://github.com/koekeishiya/kwm/releases";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ lnl7 ];
+    mainProgram = "kwmc";
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/kwm/org.nixos.kwm.plist b/nixpkgs/pkgs/os-specific/darwin/kwm/org.nixos.kwm.plist
new file mode 100644
index 000000000000..eafce2ab4a46
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/kwm/org.nixos.kwm.plist
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>org.nixos.kwm</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>@out@/kwm</string>
+  </array>
+  <key>KeepAlive</key>
+  <true/>
+  <key>Sockets</key>
+  <dict>
+    <key>Listeners</key>
+    <dict>
+      <key>SockServiceName</key>
+      <string>3020</string>
+      <key>SockType</key>
+      <string>dgram</string>
+      <key>SockFamily</key>
+      <string>IPv4</string>
+  </dict>
+</dict>
+</dict>
+</plist>
diff --git a/nixpkgs/pkgs/os-specific/darwin/libtapi/default.nix b/nixpkgs/pkgs/os-specific/darwin/libtapi/default.nix
new file mode 100644
index 000000000000..da0710740973
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/libtapi/default.nix
@@ -0,0 +1,74 @@
+{ lib, stdenv, fetchFromGitHub, pkgsBuildBuild, cmake, python3, ncurses }:
+
+stdenv.mkDerivation {
+  pname = "libtapi";
+  version = "1100.0.11"; # determined by looking at VERSION.txt
+
+  src = fetchFromGitHub {
+    owner = "tpoechtrager";
+    repo = "apple-libtapi";
+    rev = "664b8414f89612f2dfd35a9b679c345aa5389026";
+    sha256 = "1y1yl46msabfy14z0rln333a06087bk14f5h7q1cdawn8nmvbdbr";
+  };
+
+  sourceRoot = "source/src/llvm";
+
+  # Backported from newer llvm, fixes configure error when cross compiling.
+  # Also means we don't have to manually fix the result with install_name_tool.
+  patches = [
+    ./disable-rpath.patch
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
+    # TODO: make unconditional and rebuild the world
+    # TODO: send upstream
+    ./native-clang-tblgen.patch
+  ];
+
+  nativeBuildInputs = [ cmake python3 ];
+
+  # ncurses is required here to avoid a reference to bootstrap-tools, which is
+  # not allowed for the stdenv.
+  buildInputs = [ ncurses ];
+
+  cmakeFlags = [ "-DLLVM_INCLUDE_TESTS=OFF" ]
+    ++ lib.optional (stdenv.buildPlatform != stdenv.hostPlatform) [
+      "-DCMAKE_CROSSCOMPILING=True"
+      # This package could probably have a llvm_6 llvm-tblgen and clang-tblgen
+      # provided to reduce some building. This package seems intended to
+      # include all of its dependencies, including enough of LLVM to build the
+      # required tablegens.
+      (
+        let
+          nativeCC = pkgsBuildBuild.stdenv.cc;
+          nativeBintools = nativeCC.bintools.bintools;
+          nativeToolchainFlags = [
+            "-DCMAKE_C_COMPILER=${nativeCC}/bin/${nativeCC.targetPrefix}cc"
+            "-DCMAKE_CXX_COMPILER=${nativeCC}/bin/${nativeCC.targetPrefix}c++"
+            "-DCMAKE_AR=${nativeBintools}/bin/${nativeBintools.targetPrefix}ar"
+            "-DCMAKE_STRIP=${nativeBintools}/bin/${nativeBintools.targetPrefix}strip"
+            "-DCMAKE_RANLIB=${nativeBintools}/bin/${nativeBintools.targetPrefix}ranlib"
+          ];
+        in "-DCROSS_TOOLCHAIN_FLAGS_NATIVE:list=${lib.concatStringsSep ";" nativeToolchainFlags}"
+      )
+    ];
+
+  # fixes: fatal error: 'clang/Basic/Diagnostic.h' file not found
+  # adapted from upstream
+  # https://github.com/tpoechtrager/apple-libtapi/blob/3cb307764cc5f1856c8a23bbdf3eb49dfc6bea48/build.sh#L58-L60
+  preConfigure = ''
+    INCLUDE_FIX="-I $PWD/projects/clang/include"
+    INCLUDE_FIX+=" -I $PWD/build/projects/clang/include"
+
+    cmakeFlagsArray+=(-DCMAKE_CXX_FLAGS="$INCLUDE_FIX")
+  '';
+
+  buildFlags = [ "clangBasic" "libtapi" "tapi" ];
+
+  installTargets = [ "install-libtapi" "install-tapi-headers" "install-tapi" ];
+
+  meta = with lib; {
+    description = "Replaces the Mach-O Dynamic Library Stub files in Apple's SDKs to reduce the size";
+    homepage = "https://github.com/tpoechtrager/apple-libtapi";
+    license = licenses.apsl20;
+    maintainers = with maintainers; [ matthewbauer ];
+  };
+}
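Review bot: Both `patches` and `cmakeFlags` pass a list to `lib.optional`, which wraps it in another list (`[ ./disable-rpath.patch [ ./native-clang-tblgen.patch ] ]`); this presumably only works because nested lists are flattened when the attribute is turned into a string. Use `lib.optionals` in both places, e.g. `++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [`. `meta` also sets no `platforms`, unlike the other packages added in this directory.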
diff --git a/nixpkgs/pkgs/os-specific/darwin/libtapi/disable-rpath.patch b/nixpkgs/pkgs/os-specific/darwin/libtapi/disable-rpath.patch
new file mode 100644
index 000000000000..87c0cf3330de
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/libtapi/disable-rpath.patch
@@ -0,0 +1,14 @@
+diff --git a/src/llvm/cmake/modules/AddLLVM.cmake b/src/llvm/cmake/modules/AddLLVM.cmake
+index a53016eb0..b65e608a4 100644
+--- a/cmake/modules/AddLLVM.cmake
++++ b/cmake/modules/AddLLVM.cmake
+@@ -1683,8 +1683,7 @@ function(llvm_setup_rpath name)
+   endif()
+ 
+   if (APPLE)
+-    set(_install_name_dir INSTALL_NAME_DIR "@rpath")
+-    set(_install_rpath "@loader_path/../lib" ${extra_libdir})
++    set(_install_name_dir)
+   elseif(UNIX)
+     set(_install_rpath "\$ORIGIN/../lib${LLVM_LIBDIR_SUFFIX}" ${extra_libdir})
+     if(${CMAKE_SYSTEM_NAME} MATCHES "(FreeBSD|DragonFly)")
diff --git a/nixpkgs/pkgs/os-specific/darwin/libtapi/native-clang-tblgen.patch b/nixpkgs/pkgs/os-specific/darwin/libtapi/native-clang-tblgen.patch
new file mode 100644
index 000000000000..9b715766a122
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/libtapi/native-clang-tblgen.patch
@@ -0,0 +1,21 @@
+diffprojects/libtapi/CMakeLists.txt b/src/llvm/projects/libtapi/CMakeLists.txt
+index 8ee6d8138..8277be147 100644
+--- a/projects/libtapi/CMakeLists.txt
++++ b/projects/libtapi/CMakeLists.txt
+@@ -193,7 +193,15 @@ if (NOT DEFINED CLANG_VERSION)
+   set(CLANG_VERSION "${LLVM_VERSION_MAJOR}.${LLVM_VERSION_MINOR}.${LLVM_VERSION_PATCH}")
+ endif ()
+ if (NOT DEFINED CLANG_TABLEGEN_EXE)
+-  set(CLANG_TABLEGEN_EXE "${LLVM_TOOLS_BINARY_DIR}/clang-tblgen")
++  if(LLVM_USE_HOST_TOOLS)
++    if (NOT CMAKE_CONFIGURATION_TYPES)
++      set(CLANG_TABLEGEN_EXE "${LLVM_NATIVE_BUILD}/bin/clang-tblgen")
++    else()
++      set(CLANG_TABLEGEN_EXE "${LLVM_NATIVE_BUILD}/Release/bin/clang-tblgen")
++    endif()
++  else()
++    set(CLANG_TABLEGEN_EXE "${LLVM_TOOLS_BINARY_DIR}/clang-tblgen")
++  endif ()
+ endif ()
+ 
+ # Include must go first.
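Review bot: The first line of the embedded patch reads `diffprojects/libtapi/CMakeLists.txt b/src/llvm/...`, which is not a well-formed `diff --git a/… b/…` header and looks like the result of a hand edit. `patch` will most likely skip it and use the `---`/`+++` lines, but tools that parse git-style headers may not; restoring it as `diff --git a/projects/libtapi/CMakeLists.txt b/projects/libtapi/CMakeLists.txt` would match the paths below. In the added branch the multi-config case hard-codes `Release/bin`, so a one-line CMake comment stating that the native build is assumed to be configured as Release would help.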
diff --git a/nixpkgs/pkgs/os-specific/darwin/lsusb/default.nix b/nixpkgs/pkgs/os-specific/darwin/lsusb/default.nix
new file mode 100644
index 000000000000..712e32f16fe4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/lsusb/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  version = "1.0";
+  pname = "lsusb";
+
+  src = fetchFromGitHub {
+    owner = "jlhonora";
+    repo = "lsusb";
+    rev = "8a6bd7084a55a58ade6584af5075c1db16afadd1";
+    sha256 = "0p8pkcgvsx44dd56wgipa8pzi3298qk9h4rl9pwsw1939hjx6h0g";
+  };
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mkdir -p $out/share/man/man8
+    install -m 0755 lsusb $out/bin
+    install -m 0444 man/lsusb.8 $out/share/man/man8
+  '';
+
+  meta = {
+    homepage = "https://github.com/jlhonora/lsusb";
+    description = "lsusb command for Mac OS X";
+    platforms = lib.platforms.darwin;
+    license = lib.licenses.mit;
+    maintainers = [ lib.maintainers.varunpatro ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/m-cli/default.nix b/nixpkgs/pkgs/os-specific/darwin/m-cli/default.nix
new file mode 100644
index 000000000000..9134fad6012c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/m-cli/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "m-cli";
+  version = "0.3.0";
+
+  src = fetchFromGitHub {
+    owner = "rgcr";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-KzlE1DdVMLnGmcOS1a2HK4pASofD1EHpdqbzVVIxeb4=";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    local MPATH="$out/share/m"
+
+    gawk -i inplace '{
+      gsub(/^\[ -L.*|^\s+\|\| pushd.*|^popd.*/, "");
+      gsub(/MPATH=.*/, "MPATH='$MPATH'");
+      gsub(/(update|uninstall)_mcli \&\&.*/, "echo NOOP \\&\\& exit 0");
+      print
+    }' m
+
+    install -Dt "$MPATH/plugins" -m755 plugins/*
+
+    install -Dm755 m $out/bin/m
+
+    install -Dt "$out/share/bash-completion/completions/" -m444 completion/bash/m
+    install -Dt "$out/share/fish/vendor_completions.d/" -m444 completion/fish/m.fish
+    install -Dt "$out/share/zsh/site-functions/" -m444 completion/zsh/_m
+  '';
+
+  meta = with lib; {
+    description = "Swiss Army Knife for macOS";
+    inherit (src.meta) homepage;
+
+    license = licenses.mit;
+
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [];
+    mainProgram = "m";
+  };
+}
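Review bot: The `gawk` program in `installPhase` rewrites the upstream `m` script with three unexplained regexes, the third of which replaces the `update_mcli`/`uninstall_mcli` calls with `echo NOOP && exit 0`. Please add a comment per `gsub` saying what it is for; as far as the patterns show, they drop the symlink-resolution and `pushd`/`popd` lines, pin `MPATH` to `$out/share/m`, and disable self-update and uninstall. Because a pattern that no longer matches upstream is silently ignored, a check such as `grep -qF "MPATH='$MPATH'" m` after the rewrite would catch a stale regex on the next version bump.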
diff --git a/nixpkgs/pkgs/os-specific/darwin/macfuse/default.nix b/nixpkgs/pkgs/os-specific/darwin/macfuse/default.nix
new file mode 100644
index 000000000000..4fd92a15562c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/macfuse/default.nix
@@ -0,0 +1,65 @@
+{ lib, stdenv, fetchurl, cpio, xar, undmg, libtapi, DiskArbitration }:
+
+stdenv.mkDerivation rec {
+  pname = "macfuse-stubs";
+  version = "4.1.0";
+
+  src = fetchurl {
+    url = "https://github.com/osxfuse/osxfuse/releases/download/macfuse-${version}/macfuse-${version}.dmg";
+    sha256 = "118hg64w5wb95lbxw6w1hbqxrx3plcbxfjhvxx86q0zx0saa9diw";
+  };
+
+  nativeBuildInputs = [ cpio xar undmg libtapi ];
+  propagatedBuildInputs = [ DiskArbitration ];
+
+  postUnpack = ''
+    xar -xf 'Install macFUSE.pkg'
+    cd Core.pkg
+    gunzip -dc Payload | cpio -i
+  '';
+
+  sourceRoot = ".";
+
+  buildPhase = ''
+    pushd usr/local/lib
+    for f in *.dylib; do
+      tapi stubify --filetype=tbd-v2  "$f" -o "''${f%%.dylib}.tbd"
+    done
+    sed -i "s|^prefix=.*|prefix=$out|" pkgconfig/fuse.pc
+    popd
+  '';
+
+  # NOTE: Keep in mind that different parts of macFUSE are distributed under a
+  # different license
+  installPhase = ''
+    mkdir -p $out/include $out/lib/pkgconfig
+    cp usr/local/lib/*.tbd $out/lib
+    cp usr/local/lib/pkgconfig/*.pc $out/lib/pkgconfig
+    cp -R usr/local/include/* $out/include
+  '';
+
+  meta = with lib; {
+    homepage = "https://osxfuse.github.io";
+    description = "Build time stubs for FUSE on macOS";
+    longDescription = ''
+      macFUSE is required for this package to work on macOS. To install macFUSE,
+      use the installer from the <link xlink:href="https://osxfuse.github.io/">
+      project website</link>.
+    '';
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ midchildan ];
+
+    # macFUSE as a whole includes code with restrictions on commercial
+    # redistribution. However, the build artifacts that we actually touch for
+    # this derivation are distributed under a free license.
+    license = with licenses; [
+      lgpl2Plus # libfuse
+    ];
+  };
+
+  passthru.warning = ''
+    macFUSE is required for this package to work on macOS. To install macFUSE,
+    use the installer from the <link xlink:href="https://osxfuse.github.io/">
+    project website</link>.
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/maloader/default.nix b/nixpkgs/pkgs/os-specific/darwin/maloader/default.nix
new file mode 100644
index 000000000000..1313c1897043
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/maloader/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, opencflite, clang, libcxx }:
+
+stdenv.mkDerivation {
+  pname = "maloader";
+  version = "unstable-2014-02-25";
+
+  src = fetchFromGitHub {
+    owner = "shinh";
+    repo = "maloader";
+    rev = "5f220393e0b7b9ad0cf1aba0e89df2b42a1f0442";
+    sha256 = "0dd1pn07x1y8pyn5wz8qcl1c1xwghyya4d060m3y9vx5dhv9xmzw";
+  };
+
+  postPatch = ''
+    sed -i \
+      -e '/if.*loadLibMac.*mypath/s|mypath|"'"$out/lib/"'"|' \
+      -e 's|libCoreFoundation\.so|${opencflite}/lib/&|' \
+      ld-mac.cc
+  '';
+
+  NIX_CFLAGS_COMPILE = "-I${lib.getDev libcxx}/include/c++/v1";
+  buildInputs = [ clang libcxx ];
+  buildFlags = [ "USE_LIBCXX=1" "release" ];
+
+  installPhase = ''
+    install -vD libmac.so "$out/lib/libmac.so"
+
+    for bin in extract macho2elf ld-mac; do
+      install -vD "$bin" "$out/bin/$bin"
+    done
+  '';
+
+  meta = {
+    description = "Mach-O loader for Linux";
+    homepage = "https://github.com/shinh/maloader";
+    license = lib.licenses.bsd2;
+    platforms = lib.platforms.linux;
+    broken = true; # 2018-09-08, no succesful build since 2017-08-21
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/mas/default.nix b/nixpkgs/pkgs/os-specific/darwin/mas/default.nix
new file mode 100644
index 000000000000..968cb10cd5a3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/mas/default.nix
@@ -0,0 +1,41 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, installShellFiles
+, testers
+, mas
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "mas";
+  version = "1.8.6";
+
+  src = fetchurl {
+    # Use the tarball until https://github.com/mas-cli/mas/issues/452 is fixed.
+    # Even though it looks like an OS/arch specific build it is actually a universal binary.
+    url = "https://github.com/mas-cli/mas/releases/download/v${version}/mas-${version}.monterey.bottle.tar.gz";
+    sha256 = "0q4skdhymgn5xrwafyisfshx327faia682yv83mf68r61m2jl10d";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  installPhase = ''
+    install -D './${version}/bin/mas' "$out/bin/mas"
+    installShellCompletion --cmd mas --bash './${version}/etc/bash_completion.d/mas'
+  '';
+
+  passthru.tests = {
+    version = testers.testVersion {
+      package = mas;
+      command = "mas version";
+    };
+  };
+
+  meta = with lib; {
+    description = "Mac App Store command line interface";
+    homepage = "https://github.com/mas-cli/mas";
+    license = licenses.mit;
+    maintainers = with maintainers; [ steinybot zachcoyle ];
+    platforms = [ "x86_64-darwin" "aarch64-darwin" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVK.xcodeproj.patch b/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVK.xcodeproj.patch
new file mode 100644
index 000000000000..e4b03dfe0cc3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVK.xcodeproj.patch
@@ -0,0 +1,88 @@
+diff --git a/MoltenVK/MoltenVK.xcodeproj/project.pbxproj b/MoltenVK/MoltenVK.xcodeproj/project.pbxproj
+index c23afce4..12ac12f4 100644
+--- a/MoltenVK/MoltenVK.xcodeproj/project.pbxproj
++++ b/MoltenVK/MoltenVK.xcodeproj/project.pbxproj
+@@ -365,13 +365,6 @@
+ /* End PBXBuildFile section */
+ 
+ /* Begin PBXContainerItemProxy section */
+-		2F21D82E24983488009BEA5F /* PBXContainerItemProxy */ = {
+-			isa = PBXContainerItemProxy;
+-			containerPortal = A9C86CB61C55B8350096CAF2 /* MoltenVKShaderConverter.xcodeproj */;
+-			proxyType = 1;
+-			remoteGlobalIDString = 2FEA0CFF2490381A00EEF3AD;
+-			remoteInfo = "MoltenVKSPIRVToMSLConverter-tvOS";
+-		};
+ 		2FEA0D1B249040CA00EEF3AD /* PBXContainerItemProxy */ = {
+ 			isa = PBXContainerItemProxy;
+ 			containerPortal = A9C86CB61C55B8350096CAF2 /* MoltenVKShaderConverter.xcodeproj */;
+@@ -400,20 +393,6 @@
+ 			remoteGlobalIDString = A93903C71C57E9ED00FE90DC;
+ 			remoteInfo = "MVKSPIRVToMSLConverter-macOS";
+ 		};
+-		A981499A1FB6B9CF005F00B4 /* PBXContainerItemProxy */ = {
+-			isa = PBXContainerItemProxy;
+-			containerPortal = A9C86CB61C55B8350096CAF2 /* MoltenVKShaderConverter.xcodeproj */;
+-			proxyType = 1;
+-			remoteGlobalIDString = A93903B81C57E9D700FE90DC;
+-			remoteInfo = "MVKSPIRVToMSLConverter-iOS";
+-		};
+-		A9B1C7F4251AA5AF001D12CC /* PBXContainerItemProxy */ = {
+-			isa = PBXContainerItemProxy;
+-			containerPortal = A9C86CB61C55B8350096CAF2 /* MoltenVKShaderConverter.xcodeproj */;
+-			proxyType = 1;
+-			remoteGlobalIDString = A9092A8C1A81717B00051823;
+-			remoteInfo = MoltenVKShaderConverter;
+-		};
+ /* End PBXContainerItemProxy section */
+ 
+ /* Begin PBXFileReference section */
+@@ -1019,7 +998,6 @@
+ 			buildRules = (
+ 			);
+ 			dependencies = (
+-				2F21D82F24983488009BEA5F /* PBXTargetDependency */,
+ 			);
+ 			name = "MoltenVK-tvOS";
+ 			productName = MoltenVK;
+@@ -1039,7 +1017,6 @@
+ 			buildRules = (
+ 			);
+ 			dependencies = (
+-				A981499B1FB6B9CF005F00B4 /* PBXTargetDependency */,
+ 			);
+ 			name = "MoltenVK-iOS";
+ 			productName = MoltenVK;
+@@ -1059,7 +1036,6 @@
+ 			buildRules = (
+ 			);
+ 			dependencies = (
+-				A9B1C7F5251AA5AF001D12CC /* PBXTargetDependency */,
+ 			);
+ 			name = "MoltenVK-macOS";
+ 			productName = MoltenVK;
+@@ -1476,24 +1452,6 @@
+ 		};
+ /* End PBXSourcesBuildPhase section */
+ 
+-/* Begin PBXTargetDependency section */
+-		2F21D82F24983488009BEA5F /* PBXTargetDependency */ = {
+-			isa = PBXTargetDependency;
+-			name = "MoltenVKSPIRVToMSLConverter-tvOS";
+-			targetProxy = 2F21D82E24983488009BEA5F /* PBXContainerItemProxy */;
+-		};
+-		A981499B1FB6B9CF005F00B4 /* PBXTargetDependency */ = {
+-			isa = PBXTargetDependency;
+-			name = "MVKSPIRVToMSLConverter-iOS";
+-			targetProxy = A981499A1FB6B9CF005F00B4 /* PBXContainerItemProxy */;
+-		};
+-		A9B1C7F5251AA5AF001D12CC /* PBXTargetDependency */ = {
+-			isa = PBXTargetDependency;
+-			name = MoltenVKShaderConverter;
+-			targetProxy = A9B1C7F4251AA5AF001D12CC /* PBXContainerItemProxy */;
+-		};
+-/* End PBXTargetDependency section */
+-
+ /* Begin XCBuildConfiguration section */
+ 		2FEA0AB824902F9F00EEF3AD /* Debug */ = {
+ 			isa = XCBuildConfiguration;
diff --git a/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVKShaderConverter.xcodeproj.patch b/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVKShaderConverter.xcodeproj.patch
new file mode 100644
index 000000000000..ecc5242684d9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/moltenvk/MoltenVKShaderConverter.xcodeproj.patch
@@ -0,0 +1,84 @@
+diff --git a/MoltenVKShaderConverter/MoltenVKShaderConverter.xcodeproj/project.pbxproj b/MoltenVKShaderConverter/MoltenVKShaderConverter.xcodeproj/project.pbxproj
+index c7842b63..d55f73ed 100644
+--- a/MoltenVKShaderConverter/MoltenVKShaderConverter.xcodeproj/project.pbxproj
++++ b/MoltenVKShaderConverter/MoltenVKShaderConverter.xcodeproj/project.pbxproj
+@@ -3,7 +3,7 @@
+ 	archiveVersion = 1;
+ 	classes = {
+ 	};
+-	objectVersion = 52;
++	objectVersion = 48;
+ 	objects = {
+
+ /* Begin PBXBuildFile section */
+@@ -33,9 +33,6 @@
+ 		A920A8AC251B75B70076851C /* GLSLToSPIRVConverter.h in Headers */ = {isa = PBXBuildFile; fileRef = A920A8A2251B75B70076851C /* GLSLToSPIRVConverter.h */; };
+ 		A920A8AD251B75B80076851C /* GLSLToSPIRVConverter.h in Headers */ = {isa = PBXBuildFile; fileRef = A920A8A2251B75B70076851C /* GLSLToSPIRVConverter.h */; };
+ 		A920A8AE251B75B80076851C /* GLSLToSPIRVConverter.h in Headers */ = {isa = PBXBuildFile; fileRef = A920A8A2251B75B70076851C /* GLSLToSPIRVConverter.h */; };
+-		A920A8AF251B77900076851C /* glslang.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386FD24EEE93700199A05 /* glslang.xcframework */; };
+-		A920A8B0251B77910076851C /* glslang.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386FD24EEE93700199A05 /* glslang.xcframework */; };
+-		A920A8B1251B77920076851C /* glslang.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386FD24EEE93700199A05 /* glslang.xcframework */; };
+ 		A925B71B1C78DEB2006E7ECD /* libMoltenVKShaderConverter.a in Frameworks */ = {isa = PBXBuildFile; fileRef = A93903C71C57E9ED00FE90DC /* libMoltenVKShaderConverter.a */; };
+ 		A928C9191D0488DC00071B88 /* SPIRVConversion.h in Headers */ = {isa = PBXBuildFile; fileRef = A928C9171D0488DC00071B88 /* SPIRVConversion.h */; };
+ 		A928C91A1D0488DC00071B88 /* SPIRVConversion.h in Headers */ = {isa = PBXBuildFile; fileRef = A928C9171D0488DC00071B88 /* SPIRVConversion.h */; };
+@@ -55,12 +52,6 @@
+ 		A97CC7411C7527F3004A5C7E /* MoltenVKShaderConverterTool.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A97CC73E1C7527F3004A5C7E /* MoltenVKShaderConverterTool.cpp */; };
+ 		A98149681FB6A98A005F00B4 /* MVKStrings.h in Headers */ = {isa = PBXBuildFile; fileRef = A98149651FB6A98A005F00B4 /* MVKStrings.h */; };
+ 		A98149691FB6A98A005F00B4 /* MVKStrings.h in Headers */ = {isa = PBXBuildFile; fileRef = A98149651FB6A98A005F00B4 /* MVKStrings.h */; };
+-		A98386FA24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386F824EEE91A00199A05 /* SPIRVCross.xcframework */; };
+-		A98386FB24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386F824EEE91A00199A05 /* SPIRVCross.xcframework */; };
+-		A98386FC24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A98386F824EEE91A00199A05 /* SPIRVCross.xcframework */; };
+-		A983870724EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A983870224EEE94800199A05 /* SPIRVTools.xcframework */; };
+-		A983870824EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A983870224EEE94800199A05 /* SPIRVTools.xcframework */; };
+-		A983870924EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */ = {isa = PBXBuildFile; fileRef = A983870224EEE94800199A05 /* SPIRVTools.xcframework */; };
+ 		A9A14E332244388700C080F3 /* Metal.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = A9A14E322244388700C080F3 /* Metal.framework */; };
+ 		A9B51BDD225E98BB00AC74D2 /* MVKOSExtensions.mm in Sources */ = {isa = PBXBuildFile; fileRef = A9B51BDB225E98BB00AC74D2 /* MVKOSExtensions.mm */; };
+ 		A9F042B21FB4D060009FCCB8 /* MVKCommonEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = A9F042AA1FB4D060009FCCB8 /* MVKCommonEnvironment.h */; };
+@@ -115,9 +106,6 @@
+ 			isa = PBXFrameworksBuildPhase;
+ 			buildActionMask = 2147483647;
+ 			files = (
+-				A983870824EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */,
+-				A98386FB24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */,
+-				A920A8B0251B77910076851C /* glslang.xcframework in Frameworks */,
+ 			);
+ 			runOnlyForDeploymentPostprocessing = 0;
+ 		};
+@@ -134,9 +122,6 @@
+ 			isa = PBXFrameworksBuildPhase;
+ 			buildActionMask = 2147483647;
+ 			files = (
+-				A983870724EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */,
+-				A98386FA24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */,
+-				A920A8AF251B77900076851C /* glslang.xcframework in Frameworks */,
+ 			);
+ 			runOnlyForDeploymentPostprocessing = 0;
+ 		};
+@@ -144,9 +129,6 @@
+ 			isa = PBXFrameworksBuildPhase;
+ 			buildActionMask = 2147483647;
+ 			files = (
+-				A983870924EEE94800199A05 /* SPIRVTools.xcframework in Frameworks */,
+-				A98386FC24EEE91A00199A05 /* SPIRVCross.xcframework in Frameworks */,
+-				A920A8B1251B77920076851C /* glslang.xcframework in Frameworks */,
+ 			);
+ 			runOnlyForDeploymentPostprocessing = 0;
+ 		};
+@@ -313,7 +295,7 @@
+ 				A925B71D1C78DEBF006E7ECD /* PBXTargetDependency */,
+ 			);
+ 			name = MoltenVKShaderConverter;
+-			productName = MetalGLShaderConverterTool;
++			productName = MoltenVKShaderConverter;
+ 			productReference = A964BD5F1C57EFBD00D930D8 /* MoltenVKShaderConverter */;
+ 			productType = "com.apple.product-type.tool";
+ 		};
+@@ -349,7 +331,7 @@
+ 			dependencies = (
+ 			);
+ 			name = "MoltenVKShaderConverter-macOS";
+-			productName = "MetalGLShaderConverter-macOS";
++			productName = MoltenVKShaderConverter;
+ 			productReference = A93903C71C57E9ED00FE90DC /* libMoltenVKShaderConverter.a */;
+ 			productType = "com.apple.product-type.library.static";
+ 		};
diff --git a/nixpkgs/pkgs/os-specific/darwin/moltenvk/default.nix b/nixpkgs/pkgs/os-specific/darwin/moltenvk/default.nix
new file mode 100644
index 000000000000..1d8f89deff19
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/moltenvk/default.nix
@@ -0,0 +1,189 @@
+{ lib
+, overrideCC
+, stdenv
+, fetchurl
+, fetchFromGitHub
+, cctools
+, sigtool
+, cereal
+, libcxx
+, glslang
+, spirv-cross
+, spirv-headers
+, spirv-tools
+, vulkan-headers
+, xcbuild
+, AppKit
+, Foundation
+, Libsystem
+, MacOSX-SDK
+, Metal
+, QuartzCore
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "MoltenVK";
+  version = "1.1.10";
+
+  buildInputs = [ AppKit Foundation Metal QuartzCore cereal ]
+    ++ lib.attrValues finalAttrs.passthru;
+
+  nativeBuildInputs = [ cctools sigtool xcbuild ];
+
+  outputs = [ "out" "bin" "dev" ];
+
+  # MoltenVK requires specific versions of its dependencies.
+  # Pin them here except for cereal, which is four years old and has several CVEs.
+  passthru = {
+    glslang = (glslang.overrideAttrs (old: {
+      src = fetchFromGitHub {
+        owner = "KhronosGroup";
+        repo = "glslang";
+        rev = "adbf0d3106b26daa237b10b9bf72b1af7c31092d";
+        hash = "sha256-sjidkiPtRADhyOEKDb2cHCBXnFjLwk2F5Lppv5/fwNQ=";
+      };
+    })).override { inherit (finalAttrs.passthru) spirv-headers spirv-tools; };
+    spirv-cross = spirv-cross.overrideAttrs (old: {
+      cmakeFlags = (old.cmakeFlags or [ ])
+        ++ [ "-DSPIRV_CROSS_NAMESPACE_OVERRIDE=MVK_spirv_cross" ];
+      src = fetchFromGitHub {
+        owner = "KhronosGroup";
+        repo = "SPIRV-Cross";
+        rev = "50b4d5389b6a06f86fb63a2848e1a7da6d9755ca";
+        hash = "sha256-SsupPHJ3VHxJhEAUl3EeQwN4texYhdDjxTnGD+bkNAw=";
+      };
+    });
+    spirv-headers = spirv-headers.overrideAttrs (_: {
+      src = fetchFromGitHub {
+        owner = "KhronosGroup";
+        repo = "spirv-headers";
+        rev = "5a121866927a16ab9d49bed4788b532c7fcea766";
+        hash = "sha256-X4GuFesX015mrzutguhZLrIGlllCgAZ+DUBGSADt8xU=";
+      };
+    });
+    spirv-tools = (spirv-tools.overrideAttrs (old: {
+      src = fetchFromGitHub {
+        owner = "KhronosGroup";
+        repo = "spirv-tools";
+        rev = "b930e734ea198b7aabbbf04ee1562cf6f57962f0";
+        hash = "sha256-NWpFSRoxtYWi+hLUt9gpw0YScM3shcUwv9yUmbivRb0=";
+      };
+    })).override { inherit (finalAttrs.passthru) spirv-headers; };
+    vulkan-headers = vulkan-headers.overrideAttrs (old: {
+      src = fetchFromGitHub {
+        owner = "KhronosGroup";
+        repo = "Vulkan-Headers";
+        rev = "3ef4c97fd6ea001d75a8e9da408ee473c180e456";
+        hash = "sha256-jHzW3m9smuzEGbZrSyBI74K9rFozxiG3M5Xql/WOw7U=";
+      };
+    });
+  };
+
+  src = fetchFromGitHub {
+    owner = "KhronosGroup";
+    repo = "MoltenVK";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-LZvCCP2yelTaWcNt+WvG+RZnVLHRgMDTlNWwRIey7ZM=";
+  };
+
+  patches = [
+    # Fix the Xcode projects to play nicely with `xcbuild`.
+    ./MoltenVKShaderConverter.xcodeproj.patch
+    ./MoltenVK.xcodeproj.patch
+  ];
+
+  postPatch = ''
+    # Move `mvkGitRevDerived.h` to a stable location
+    substituteInPlace Scripts/gen_moltenvk_rev_hdr.sh \
+      --replace '$'''{BUILT_PRODUCTS_DIR}' "$NIX_BUILD_TOP/$sourceRoot/build/include" \
+      --replace '$(git rev-parse HEAD)' ${finalAttrs.src.rev}
+    # Adding all of `usr/include` from the SDK results in header conflicts with `libcxx.dev`.
+    # Work around it by symlinking just the SIMD stuff needed by MoltenVK.
+    mkdir -p build/include
+    ln -s "${MacOSX-SDK}/usr/include/simd" "build/include"
+  '';
+
+  dontConfigure = true;
+
+  NIX_CFLAGS_COMPILE = [
+    "-isystem ${lib.getDev libcxx}/include/c++/v1"
+    "-I${finalAttrs.passthru.spirv-cross}/include/spirv_cross"
+    "-I${finalAttrs.passthru.spirv-headers}/include/spirv/unified1/"
+  ];
+
+  buildPhase = ''
+    NIX_CFLAGS_COMPILE+=" \
+      -I$NIX_BUILD_TOP/$sourceRoot/build/include \
+      -I$NIX_BUILD_TOP/$sourceRoot/Common"
+    NIX_LDFLAGS+=" -L$NIX_BUILD_TOP/$sourceRoot/build/lib"
+
+    # Build each project on its own because `xcbuild` fails to build `MoltenVKPackaging.xcodeproj`.
+    build=$NIX_BUILD_TOP/$sourceRoot/build
+    mkdir -p "$build/bin" "$build/lib"
+
+    NIX_LDFLAGS+=" \
+      -lMachineIndependent \
+      -lGenericCodeGen \
+      -lOGLCompiler \
+      -lglslang \
+      -lOSDependent \
+      -lSPIRV \
+      -lSPIRV-Tools \
+      -lSPIRV-Tools-opt \
+      -lspirv-cross-msl \
+      -lspirv-cross-core \
+      -lspirv-cross-glsl"
+
+    pushd MoltenVKShaderConverter
+    xcodebuild build \
+      -jobs $NIX_BUILD_CORES \
+      -configuration Release \
+      -project MoltenVKShaderConverter.xcodeproj \
+      -scheme MoltenVKShaderConverter \
+      -arch ${stdenv.targetPlatform.darwinArch}
+    declare -A products=( [MoltenVKShaderConverter]=bin [libMoltenVKShaderConverter.a]=lib )
+    for product in "''${!products[@]}"; do
+      cp MoltenVKShaderConverter-*/Build/Products/Release/$product "$build/''${products[$product]}/$product"
+    done
+    popd
+
+    NIX_LDFLAGS+=" \
+      -lobjc \
+      -lMoltenVKShaderConverter \
+      -lspirv-cross-reflect"
+
+    pushd MoltenVK
+    xcodebuild build \
+      -jobs $NIX_BUILD_CORES \
+      -configuration Release \
+      -project MoltenVK.xcodeproj \
+      -scheme MoltenVK-macOS \
+      -arch ${stdenv.targetPlatform.darwinArch}
+    cp MoltenVK-*/Build/Products/Release/dynamic/libMoltenVK.dylib "$build/lib/libMoltenVK.dylib"
+    popd
+  '';
+
+  installPhase = ''
+    mkdir -p "$out/lib" "$out/share/vulkan/icd.d" "$bin/bin" "$dev/include/MoltenVK"
+    cp build/bin/MoltenVKShaderConverter "$bin/bin/"
+    cp build/lib/libMoltenVK.dylib "$out/lib/"
+    cp MoltenVK/MoltenVK/API/* "$dev/include/MoltenVK"
+    install -m644 MoltenVK/icd/MoltenVK_icd.json "$out/share/vulkan/icd.d/MoltenVK_icd.json"
+    substituteInPlace $out/share/vulkan/icd.d/MoltenVK_icd.json \
+      --replace ./libMoltenVK.dylib "$out/lib/libMoltenVK.dylib"
+  '';
+
+  postFixup = ''
+    install_name_tool -id "$out/lib/libMoltenVK.dylib" "$out/lib/libMoltenVK.dylib"
+    codesign -s - -f "$out/lib/libMoltenVK.dylib"
+  '';
+
+  meta = {
+    description = "A Vulkan Portability implementation built on top of Apple’s Metal API";
+    homepage = "https://github.com/KhronosGroup/MoltenVK";
+    changelog = "https://github.com/KhronosGroup/MoltenVK/releases";
+    maintainers = [ lib.maintainers.reckenrode ];
+    license = lib.licenses.asl20;
+    platforms = lib.platforms.darwin;
+  };
+})
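Review bot: `buildInputs` appends `lib.attrValues finalAttrs.passthru`, so any attribute later added to `passthru` (a `tests` set, an `updateScript`, something supplied through `overrideAttrs`) silently becomes a build input. Listing the pins explicitly avoids that: `++ (with finalAttrs.passthru; [ glslang spirv-cross spirv-headers spirv-tools vulkan-headers ]);`. The comment above `passthru` should also say where the five revisions come from and that they must be re-checked on every `version` bump, because the overridden glslang, SPIRV-Tools and SPIRV-Cross no longer follow nixpkgs updates, security fixes included; for example `# Revisions are the ones upstream pins for this release; re-check all of them when bumping version.` The arguments `overrideCC`, `fetchurl` and `Libsystem` are not referenced anywhere in this file and can be dropped.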
diff --git a/nixpkgs/pkgs/os-specific/darwin/mysides/default.nix b/nixpkgs/pkgs/os-specific/darwin/mysides/default.nix
new file mode 100644
index 000000000000..cdbfee5046a2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/mysides/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl, libarchive, p7zip }:
+
+stdenv.mkDerivation rec {
+  pname = "mysides";
+  version = "1.0.1";
+
+  src = fetchurl {
+    url = "https://github.com/mosen/mysides/releases/download/v${version}/mysides-${version}.pkg";
+    sha256 = "sha256-dpRrj3xb9xQSXXXxragUDgNPBaniiMc6evRF12wqVRQ=";
+  };
+
+  dontBuild = true;
+  nativeBuildInputs = [ libarchive p7zip ];
+
+  unpackPhase = ''
+    7z x $src
+    bsdtar -xf Payload~
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin
+    install -Dm755 usr/local/bin/mysides -t $out/bin
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Manage macOS Finder sidebar favorites";
+    homepage = "https://github.com/mosen/mysides";
+    license = licenses.mit;
+    maintainers = with maintainers; [ tboerger ];
+    platforms = platforms.darwin;
+  };
+}
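Review bot: `src` is the upstream release `.pkg`, so the `mysides` executable that `installPhase` copies out of `usr/local/bin` is a prebuilt binary that nixpkgs never compiles; the `sha256` fixes which artifact is used but says nothing about how it was built. `meta` should declare that with `sourceProvenance = with sourceTypes; [ binaryNativeCode ];` (assuming this nixpkgs revision already supports `sourceProvenance`), so users who restrict non-source packages can see it. `unpackPhase` also replaces the default without `runHook preUnpack` / `runHook postUnpack`, unlike `installPhase` in the same file.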
diff --git a/nixpkgs/pkgs/os-specific/darwin/native-x11-and-opengl/default.nix b/nixpkgs/pkgs/os-specific/darwin/native-x11-and-opengl/default.nix
new file mode 100644
index 000000000000..fa3d4284e597
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/native-x11-and-opengl/default.nix
@@ -0,0 +1,14 @@
+{ stdenv, writeScript }:
+
+stdenv.mkDerivation rec {
+  name = "darwin-native-x11-and-opengl";
+
+  builder = writeScript "${name}-builder.sh" ''
+    /bin/mkdir -p $out
+    /bin/mkdir $out/lib
+    /bin/ln -sv /usr/X11/lib/{*.dylib,X11,xorg} $out/lib
+    /bin/mkdir $out/lib/pkgconfig
+    /bin/ln -sv /usr/X11/lib/pkgconfig/{x*.pc,gl*.pc} $out/lib/pkgconfig
+    /bin/ln -sv /usr/X11/{bin,include,share} $out/
+  '';
+}
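Review bot: The builder only creates symlinks into `/usr/X11` on the host and calls `/bin/mkdir` and `/bin/ln` by absolute path, so what this package exposes lives outside the Nix store and is neither hashed nor pinned, and nothing in the file says this is intentional. If `/usr/X11` is absent, the unmatched glob patterns are presumably handed to `ln` literally and the build succeeds with dangling links. A header comment such as `# Impure: exposes the host's /usr/X11; nothing here is built or verified by Nix.` plus a guard at the top of the script, `[ -d /usr/X11/lib ] || { echo "/usr/X11 not found" >&2; exit 1; }`, would make both facts visible.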
diff --git a/nixpkgs/pkgs/os-specific/darwin/noah/default.nix b/nixpkgs/pkgs/os-specific/darwin/noah/default.nix
new file mode 100644
index 000000000000..f4d8a4b21a87
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/noah/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchFromGitHub, cmake, Hypervisor }:
+
+stdenv.mkDerivation rec {
+  pname = "noah";
+  version = "0.5.1";
+
+  src = fetchFromGitHub {
+    owner = "linux-noah";
+    repo = pname;
+    rev = version;
+    sha256 = "0bivfsgb56kndz61lzjgdcnqlhjikqw89ma0h6f6radyvfzy0vis";
+  };
+
+  nativeBuildInputs = [ cmake ];
+  buildInputs = [ Hypervisor ];
+
+  meta = with lib; {
+    description = "Bash on Ubuntu on macOS";
+    homepage = "https://github.com/linux-noah/noah";
+    license = [ licenses.mit licenses.gpl2 ];
+    maintainers = [ maintainers.marsam ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/opencflite/default.nix b/nixpkgs/pkgs/os-specific/darwin/opencflite/default.nix
new file mode 100644
index 000000000000..937d0763feff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/opencflite/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl, icu, libuuid, tzdata }:
+
+stdenv.mkDerivation rec {
+  pname = "opencflite";
+  version = "476.19.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/opencflite/${pname}-${version}.tar.gz";
+    sha256 = "0jgmzs0ycl930hmzcvx0ykryik56704yw62w394q1q3xw5kkjn9v";
+  };
+
+  configureFlags = [ "--with-uuid=${libuuid.dev}" ];
+  buildInputs = [ icu tzdata.dev ];
+  enableParallelBuilding = true;
+
+  meta = {
+    description = "Cross platform port of the macOS CoreFoundation";
+    homepage = "https://sourceforge.net/projects/opencflite/";
+    license = lib.licenses.apsl20;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/osx-cpu-temp/default.nix b/nixpkgs/pkgs/os-specific/darwin/osx-cpu-temp/default.nix
new file mode 100644
index 000000000000..ea9d8399667a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/osx-cpu-temp/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub
+, IOKit
+}:
+
+stdenv.mkDerivation rec {
+  pname = "osx-cpu-temp";
+  version = "unstable-2020-12-04";
+
+  src = fetchFromGitHub rec {
+    name = "osx-cpu-temp-source";
+    owner = "lavoiesl";
+    repo = pname;
+    rev = "6ec951be449badcb7fb84676bbc2c521e600e844";
+    sha256 = "1nlibgr55bpln6jbdf8vqcp0fj9zv9343vflb7s9w0yh33fsbg9d";
+  };
+
+  buildInputs = [ IOKit ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp osx-cpu-temp $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Outputs current CPU temperature for OSX.";
+    homepage = "https://github.com/lavoiesl/osx-cpu-temp";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ virusdave ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/osxsnarf/default.nix b/nixpkgs/pkgs/os-specific/darwin/osxsnarf/default.nix
new file mode 100644
index 000000000000..e31271ed2b97
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/osxsnarf/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, lib, fetchFromGitHub, plan9port, darwin, ... }:
+
+stdenv.mkDerivation rec {
+  pname = "osxsnarf";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "eraserhd";
+    repo = "osxsnarf";
+    rev = "v${version}";
+    sha256 = "1vpg39mpc5avnv1j0yfx0x2ncvv38slmm83zv6nmm7alfwfjr2ss";
+  };
+
+  buildInputs = [ plan9port darwin.apple_sdk.frameworks.Carbon ];
+  makeFlags = [ "prefix=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "A Plan 9-inspired way to share your OS X clipboard";
+    homepage = "https://github.com/eraserhd/osxsnarf";
+    license = licenses.unlicense;
+    platforms = platforms.darwin;
+    maintainers = [ maintainers.eraserhd ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/pngpaste/default.nix b/nixpkgs/pkgs/os-specific/darwin/pngpaste/default.nix
new file mode 100644
index 000000000000..99ae8048f7fd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/pngpaste/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, AppKit, Cocoa }:
+
+let
+  pname = "pngpaste";
+  version = "0.2.3";
+in stdenv.mkDerivation {
+  inherit pname version;
+  src = fetchFromGitHub {
+    owner = "jcsalterego";
+    repo = pname;
+    rev = version;
+    sha256 = "uvajxSelk1Wfd5is5kmT2fzDShlufBgC0PDCeabEOSE=";
+  };
+
+  buildInputs = [ AppKit Cocoa ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp pngpaste $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Paste image files from clipboard to file on MacOS";
+    longDescription = ''
+      Paste PNG into files on MacOS, much like pbpaste does for text.
+      Supported input formats are PNG, PDF, GIF, TIF, JPEG.
+      Supported output formats are PNG, GIF, JPEG, TIFF.  Output
+      formats are determined by the provided filename extension,
+      falling back to PNG.
+    '';
+    homepage = "https://github.com/jcsalterego/pngpaste";
+    changelog = "https://github.com/jcsalterego/pngpaste/raw/${version}/CHANGELOG.md";
+    platforms = platforms.darwin;
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ samw ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/print-reexports/default.nix b/nixpkgs/pkgs/os-specific/darwin/print-reexports/default.nix
new file mode 100644
index 000000000000..740bcb48ef59
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/print-reexports/default.nix
@@ -0,0 +1,17 @@
+{ lib, stdenv, libyaml }:
+
+stdenv.mkDerivation {
+  name = "print-reexports";
+  src = lib.sourceFilesBySuffices ./. [".c"];
+
+  buildInputs = [ libyaml ];
+
+  buildPhase = ''
+    $CC -lyaml -o print-reexports main.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mv print-reexports $out/bin
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/print-reexports/main.c b/nixpkgs/pkgs/os-specific/darwin/print-reexports/main.c
new file mode 100644
index 000000000000..e6ff527da966
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/print-reexports/main.c
@@ -0,0 +1,213 @@
+/**
+ * Display the list of re-exported libraries from a TAPI v2 .tbd file, one per
+ * line on stdout.
+ *
+ * TAPI files are the equivalent of library files for the purposes of linking.
+ * Like dylib files, they may re-export other libraries. In upstream usage
+ * these refer to the absolute paths of dylibs, and are resolved to .tbd files
+ * in combination with the syslibroot option. In nixpkgs, the .tbd files refer
+ * directly to other .tbd files without a syslibroot. Note that each .tbd file
+ * contains an install name, so the re-exported path does not affect the final
+ * result.
+ *
+ * In nixpkgs each framework is a distinct store path and some frameworks
+ * re-export other frameworks. The re-exported names are rewritten to refer to
+ * the store paths of dependencies via textual substitution. This utility is
+ * used to emit every file that is listed as a re-exported library, which
+ * allows the framework builder to verify their existence.
+ */
+
+#include <stdio.h>
+#include <sys/errno.h>
+#include <yaml.h>
+
+#define LOG(str, ...) fprintf(stderr, "%s", str)
+
+#define LOGF(...) fprintf(stderr, __VA_ARGS__)
+
+static yaml_node_t *get_mapping_entry(yaml_document_t *document, yaml_node_t *mapping, const char *name) {
+  if (!mapping) {
+    fprintf(stderr, "get_mapping_entry: mapping is null\n");
+    return NULL;
+  }
+
+  for (
+      yaml_node_pair_t *pair = mapping->data.mapping.pairs.start;
+      pair < mapping->data.mapping.pairs.top;
+      ++pair
+  ) {
+    yaml_node_t *key = yaml_document_get_node(document, pair->key);
+
+    if (!key) {
+      LOGF("key (%d) is null\n", pair->key);
+      return NULL;
+    }
+
+    if (key->type != YAML_SCALAR_NODE) {
+      LOG("get_mapping_entry: key is not a scalar\n");
+      return NULL;
+    }
+
+    if (strncmp((const char *)key->data.scalar.value, name, key->data.scalar.length) != 0) {
+      continue;
+    }
+
+    return yaml_document_get_node(document, pair->value);
+  }
+
+  return NULL;
+}
+
+static int emit_reexports_v2(yaml_document_t *document) {
+  yaml_node_t *root = yaml_document_get_root_node(document);
+
+  yaml_node_t *exports = get_mapping_entry(document, root, "exports");
+
+  if (!exports) {
+    return 1;
+  }
+
+  if (exports->type != YAML_SEQUENCE_NODE) {
+    LOG("value is not a sequence\n");
+    return 0;
+  }
+
+  for (
+      yaml_node_item_t *export = exports->data.sequence.items.start;
+      export < exports->data.sequence.items.top;
+      ++export
+  ) {
+    yaml_node_t *export_node = yaml_document_get_node(document, *export);
+
+    yaml_node_t *reexports = get_mapping_entry(document, export_node, "re-exports");
+
+    if (!reexports) {
+      continue;
+    }
+
+    if (reexports->type != YAML_SEQUENCE_NODE) {
+      LOG("re-exports is not a sequence\n");
+      return 0;
+    }
+
+    for (
+        yaml_node_item_t *reexport = reexports->data.sequence.items.start;
+        reexport < reexports->data.sequence.items.top;
+        ++reexport
+    ) {
+      yaml_node_t *val = yaml_document_get_node(document, *reexport);
+
+      if (val->type != YAML_SCALAR_NODE) {
+        LOG("item is not a scalar\n");
+        return 0;
+      }
+
+      fwrite(val->data.scalar.value, val->data.scalar.length, 1, stdout);
+      putchar('\n');
+    }
+  }
+
+  return 1;
+}
+
+static int emit_reexports_v4(yaml_document_t *document) {
+  yaml_node_t *root = yaml_document_get_root_node(document);
+  yaml_node_t *reexports = get_mapping_entry(document, root, "reexported-libraries");
+
+  if (!reexports) {
+    return 1;
+  }
+
+  if (reexports->type != YAML_SEQUENCE_NODE) {
+    LOG("value is not a sequence\n");
+    return 0;
+  }
+
+  for (
+      yaml_node_item_t *entry = reexports->data.sequence.items.start;
+      entry < reexports->data.sequence.items.top;
+      ++entry
+  ) {
+    yaml_node_t *entry_node = yaml_document_get_node(document, *entry);
+
+    yaml_node_t *libs = get_mapping_entry(document, entry_node, "libraries");
+
+    if (!libs) {
+      continue;
+    }
+
+    if (libs->type != YAML_SEQUENCE_NODE) {
+      LOG("libraries is not a sequence\n");
+      return 0;
+    }
+
+    for (
+        yaml_node_item_t *lib = libs->data.sequence.items.start;
+        lib < libs->data.sequence.items.top;
+        ++lib
+    ) {
+      yaml_node_t *val = yaml_document_get_node(document, *lib);
+
+      if (val->type != YAML_SCALAR_NODE) {
+        LOG("item is not a scalar\n");
+        return 0;
+      }
+
+      fwrite(val->data.scalar.value, val->data.scalar.length, 1, stdout);
+      putchar('\n');
+    }
+  }
+
+  return 1;
+}
+
+int main(int argc, char **argv) {
+  int result = 0;
+
+  if (argc != 2) {
+    fprintf(stderr, "Invalid usage\n");
+    result = 2;
+    goto done;
+  }
+
+  FILE *f = fopen(argv[1], "r");
+  if (!f) {
+    perror("opening input file");
+    result = errno;
+    goto done;
+  }
+
+  yaml_parser_t yaml_parser;
+  if (!yaml_parser_initialize(&yaml_parser)) {
+    fprintf(stderr, "Failed to initialize yaml parser\n");
+    result = 1;
+    goto err_file;
+  }
+
+  yaml_parser_set_input_file(&yaml_parser, f);
+
+  yaml_document_t yaml_document;
+
+  if(!yaml_parser_load(&yaml_parser, &yaml_document)) {
+    fprintf(stderr, "Failed to load yaml file\n");
+    result = 1;
+    goto err_yaml;
+  }
+
+  // Try both, only fail if one reports an error.  A lack of re-exports is not
+  // considered an error.
+  int ok = 1;
+  ok = ok && emit_reexports_v2(&yaml_document);
+  ok = ok && emit_reexports_v4(&yaml_document);
+
+  result = !ok;
+
+err_yaml:
+  yaml_parser_delete(&yaml_parser);
+
+err_file:
+  fclose(f);
+
+done:
+  return result;
+}
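Review bot: `get_mapping_entry` reads `mapping->data.mapping.pairs` without checking `mapping->type`, and `emit_reexports_v2` / `emit_reexports_v4` pass it the document root and every sequence item unchecked, so a `.tbd` whose root or `exports` entry is a scalar or a sequence makes the loop walk the wrong union member. Add `if (mapping->type != YAML_MAPPING_NODE) return NULL;` right after the null check. The key test `strncmp(..., name, key->data.scalar.length)` compares only as many bytes as the key has, so a key that is a prefix of `name` (an empty key included) matches; compare the lengths first, `if (key->data.scalar.length != strlen(name) || memcmp(key->data.scalar.value, name, key->data.scalar.length) != 0) continue;`. `strncmp` is also used without `#include <string.h>`, and `main` never calls `yaml_document_delete(&yaml_document)` before `yaml_parser_delete`.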
diff --git a/nixpkgs/pkgs/os-specific/darwin/print-reexports/setup-hook.sh b/nixpkgs/pkgs/os-specific/darwin/print-reexports/setup-hook.sh
new file mode 100644
index 000000000000..9efb00aeb4dc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/print-reexports/setup-hook.sh
@@ -0,0 +1,19 @@
+fixupOutputHooks+=('checkTbdReexports')
+
+checkTbdReexports() {
+  local dir="$1"
+
+  while IFS= read -r -d $'\0' tbd; do
+    echo "checkTbdRexports: checking re-exports in $tbd"
+    while read -r target; do
+      local expected="${target%.dylib}.tbd"
+      if ! [ -e "$expected" ]; then
+        echo -e "Re-export missing:\n\t'$target'\n\t(expected '$expected')"
+        echo -e "While processing\n\t'$tbd'"
+        exit 1
+      else
+        echo "Re-exported target '$target' ok"
+      fi
+    done < <(print-reexports "$tbd")
+  done < <(find $prefix -type f -name '*.tbd' -print0)
+}
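Review bot: A failure of `print-reexports` goes unnoticed in the inner loop, because its output is read through `< <(print-reexports "$tbd")` and the exit status of a process substitution is discarded; a `.tbd` that fails to parse therefore yields no targets and the check passes. Capturing the output first lets the hook stop on a non-zero status, as sketched below. Separately, `local dir="$1"` is never used and `find $prefix` is unquoted, where `find "$prefix"` is the safer spelling.

```shell
    local targets
    if ! targets=$(print-reexports "$tbd"); then
      echo "checkTbdReexports: print-reexports failed on '$tbd'"
      exit 1
    fi
    while read -r target; do
      # A here-string yields one empty line when there are no re-exports.
      [ -n "$target" ] || continue
      # … unchanged: existence check for "$expected" …
    done <<< "$targets"
```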
diff --git a/nixpkgs/pkgs/os-specific/darwin/qes/default.nix b/nixpkgs/pkgs/os-specific/darwin/qes/default.nix
new file mode 100644
index 000000000000..dce6e5266260
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/qes/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, Carbon }:
+
+stdenv.mkDerivation {
+  pname = "qes";
+  version = "0.0.2";
+
+  src = fetchFromGitHub {
+    owner = "koekeishiya";
+    repo = "qes";
+    rev = "ddedf008f0c38b134501ad9f328447b671423d34";  # no tag
+    sha256 = "1w9ppid7jg6f4q7pq40lhm0whg7xmnxcmf3pb9xqfkq2zj2f7dxv";
+  };
+
+  buildInputs = [ Carbon ];
+
+  makeFlags = [ "BUILD_PATH=$(out)/bin" ];
+
+  meta = with lib; {
+    description = "Quartz Event Synthesizer";
+    homepage = "https://github.com/koekeishiya/qes";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ lnl7 ];
+    license = licenses.mit;
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix b/nixpkgs/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix
new file mode 100644
index 000000000000..b4d26327bdcd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/reattach-to-user-namespace/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "reattach-to-user-namespace";
+  version = "2.9";
+
+  src = fetchFromGitHub {
+    owner = "ChrisJohnsen";
+    repo = "tmux-MacOSX-pasteboard";
+    rev = "v${version}";
+    sha256 = "1qgimh58hcx5f646gj2kpd36ayvrdkw616ad8cb3lcm11kg0ag79";
+  };
+
+  buildFlags =
+    if stdenv.hostPlatform.system == "x86_64-darwin" then [ "ARCHES=x86_64" ]
+    else if stdenv.hostPlatform.system == "aarch64-darwin" then [ "ARCHES=arm64" ]
+    else throw "reattach-to-user-namespace isn't being built for ${stdenv.hostPlatform.system} yet.";
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp reattach-to-user-namespace $out/bin/
+  '';
+
+  meta = with lib; {
+    description = "A wrapper that provides access to the Mac OS X pasteboard service";
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ lnl7 ];
+    platforms = platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/rewrite-tbd/default.nix b/nixpkgs/pkgs/os-specific/darwin/rewrite-tbd/default.nix
new file mode 100644
index 000000000000..e5ef118e514c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/rewrite-tbd/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, lib, fetchFromGitHub, cmake, pkg-config, libyaml }:
+
+stdenv.mkDerivation {
+  pname = "rewrite-tbd";
+  version = "20201114";
+
+  src = fetchFromGitHub {
+    owner = "thefloweringash";
+    repo = "rewrite-tbd";
+    rev = "988f29c6ccbca9b883966225263d8d78676da6a3";
+    sha256 = "08sk91zwj6n9x2ymwid2k7y0rwv5b7p6h1b25ipx1dv0i43p6v1a";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libyaml ];
+
+  meta = with lib; {
+    homepage = "https://github.com/thefloweringash/rewrite-tbd/";
+    description = "Rewrite filepath in .tbd to Nix applicable format";
+    platforms = platforms.darwin;
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh b/nixpkgs/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
new file mode 100644
index 000000000000..cca65661f8a9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
@@ -0,0 +1,31 @@
+postFixupHooks+=(signDarwinBinariesInAllOutputs)
+
+# Uses signingUtils, see definition of autoSignDarwinBinariesHook in
+# darwin-packages.nix
+
+signDarwinBinariesIn() {
+  local dir="$1"
+
+  if [ ! -d "$dir" ]; then
+    return 0
+  fi
+
+  if [ "${darwinDontCodeSign:-}" ]; then
+    return 0
+  fi
+
+  echo "signing $dir"
+
+  while IFS= read -r -d $'\0' f; do
+    signIfRequired "$f"
+  done < <(find "$dir" -type f -print0)
+}
+
+# Apply fixup to each output.
+signDarwinBinariesInAllOutputs() {
+  local output
+
+  for output in $outputs; do
+     signDarwinBinariesIn "${!output}"
+  done
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/signing-utils/default.nix b/nixpkgs/pkgs/os-specific/darwin/signing-utils/default.nix
new file mode 100644
index 000000000000..035ac59b725a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/signing-utils/default.nix
@@ -0,0 +1,24 @@
+{ stdenvNoCC
+, sigtool
+, cctools
+}:
+
+let
+  stdenv = stdenvNoCC;
+in
+
+stdenv.mkDerivation {
+  name = "signing-utils";
+
+  dontUnpack = true;
+  dontConfigure = true;
+  dontBuild = true;
+
+  installPhase = ''
+    substituteAll ${./utils.sh} $out
+  '';
+
+  # Substituted variables
+  inherit sigtool;
+  codesignAllocate = "${cctools}/bin/${cctools.targetPrefix}codesign_allocate";
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/signing-utils/utils.sh b/nixpkgs/pkgs/os-specific/darwin/signing-utils/utils.sh
new file mode 100644
index 000000000000..6d23a461fc99
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/signing-utils/utils.sh
@@ -0,0 +1,43 @@
+# Work around for some odd behaviour where we can't codesign a file
+# in-place if it has been called before. This happens for example if
+# you try to fix-up a binary using strip/install_name_tool, after it
+# had been used previous.  The solution is to copy the binary (with
+# the corrupted signature from strip/install_name_tool) to some
+# location, sign it there and move it back into place.
+#
+# This does not appear to happen with the codesign tool that ships
+# with recent macOS BigSur installs on M1 arm64 machines.  However it
+# had also been happening with the tools that shipped with the DTKs.
+sign() {
+    local tmpdir
+    tmpdir=$(mktemp -d)
+
+    # $1 is the file
+
+    cp "$1" "$tmpdir"
+    CODESIGN_ALLOCATE=@codesignAllocate@ \
+        @sigtool@/bin/codesign -f -s - "$tmpdir/$(basename "$1")"
+    mv "$tmpdir/$(basename "$1")" "$1"
+    rmdir "$tmpdir"
+}
+
+checkRequiresSignature() {
+    local file=$1
+    local rc=0
+
+    @sigtool@/bin/sigtool --file "$file" check-requires-signature || rc=$?
+
+    if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
+        return "$rc"
+    fi
+
+    echo "Unexpected exit status from sigtool: $rc"
+    exit 1
+}
+
+signIfRequired() {
+    local file=$1
+    if checkRequiresSignature "$file"; then
+        sign "$file"
+    fi
+}
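Review bot: `sign()` returns the status of its final `rmdir`, so a failed `cp` or `codesign` is not reported to `signIfRequired` unless the caller happens to run under errexit. In that case the function aborts before `rmdir` and leaves the temporary directory behind. Chaining the three steps and always cleaning up gives the caller a reliable status, as sketched below. The `echo "Unexpected exit status from sigtool: $rc"` in `checkRequiresSignature` would also read better on stderr (`>&2`), since it precedes `exit 1`.

```shell
sign() {
    local tmpdir rc=0
    tmpdir=$(mktemp -d) || return 1

    # $1 is the file; stop at the first failing step and keep its status
    cp "$1" "$tmpdir" &&
        CODESIGN_ALLOCATE=@codesignAllocate@ \
            @sigtool@/bin/codesign -f -s - "$tmpdir/$(basename "$1")" &&
        mv "$tmpdir/$(basename "$1")" "$1" || rc=$?

    # remove the scratch directory even when signing failed
    rm -rf "$tmpdir"
    return "$rc"
}
# … unchanged: checkRequiresSignature, signIfRequired …
```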
diff --git a/nixpkgs/pkgs/os-specific/darwin/sigtool/default.nix b/nixpkgs/pkgs/os-specific/darwin/sigtool/default.nix
new file mode 100644
index 000000000000..4c573af95be1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/sigtool/default.nix
@@ -0,0 +1,18 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, openssl }:
+
+stdenv.mkDerivation rec {
+  pname = "sigtool";
+  version = "0.1.2";
+
+  src = fetchFromGitHub {
+    owner = "thefloweringash";
+    repo = "sigtool";
+    rev = "v${version}";
+    sha256 = "sha256-v4udqW37vwcqBdqfvfwHnoyXpuLFt188ekVCPCPsTPM";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ openssl ];
+
+  installFlags = [ "PREFIX=$(out)" ];
+}
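Review bot: The derivation has no `meta` attribute, so the package that supplies `codesign` to the signing utilities carries no description, homepage, license or `platforms`, and the `lib` argument is unused. A `meta` block with those four fields (homepage `https://github.com/thefloweringash/sigtool`, from the `owner`/`repo` above) would let license and platform checks cover it. Separately, the `sha256` value is written without the trailing `=` padding that the other SRI hashes on this page carry; whether every supported Nix version accepts the unpadded form should be confirmed.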
diff --git a/nixpkgs/pkgs/os-specific/darwin/sketchybar/default.nix b/nixpkgs/pkgs/os-specific/darwin/sketchybar/default.nix
new file mode 100644
index 000000000000..4f089c7be3e1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/sketchybar/default.nix
@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchFromGitHub, memstreamHook, Carbon, Cocoa, SkyLight }:
+
+let
+  inherit (stdenv.hostPlatform) system;
+  target = {
+    "aarch64-darwin" = "arm64";
+    "x86_64-darwin" = "x86";
+  }.${system} or (throw "Unsupported system: ${system}");
+in
+
+stdenv.mkDerivation rec {
+  pname = "sketchybar";
+  version = "2.8.2";
+
+  src = fetchFromGitHub {
+    owner = "FelixKratz";
+    repo = "SketchyBar";
+    rev = "v${version}";
+    sha256 = "sha256-GmM+0h6xxUzW2kpTDZWAiqJAXoQgdsJRlNbvsuxKmZ8=";
+  };
+
+  buildInputs = [ Carbon Cocoa SkyLight ]
+    ++ lib.optionals (stdenv.system == "x86_64-darwin") [ memstreamHook ];
+
+  makeFlags = [
+    target
+  ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp ./bin/sketchybar $out/bin/sketchybar
+  '';
+
+  meta = with lib; {
+    description = "A highly customizable macOS status bar replacement";
+    homepage = "https://github.com/FelixKratz/SketchyBar";
+    platforms = platforms.darwin;
+    maintainers = [ maintainers.azuwis ];
+    license = licenses.gpl3;
+  };
+}
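Review bot: `buildInputs` tests `stdenv.system == "x86_64-darwin"` although `system` is already inherited from `stdenv.hostPlatform` in the `let` block and used to pick `target`, so the same platform decision is spelled two ways and the two can drift apart. `++ lib.optionals (system == "x86_64-darwin") [ memstreamHook ];` keeps both on the host platform.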
diff --git a/nixpkgs/pkgs/os-specific/darwin/skhd/default.nix b/nixpkgs/pkgs/os-specific/darwin/skhd/default.nix
new file mode 100644
index 000000000000..ad33cf713d0c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/skhd/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub, Carbon }:
+
+stdenv.mkDerivation rec {
+  pname = "skhd";
+  version = "0.3.5";
+
+  src = fetchFromGitHub {
+    owner = "koekeishiya";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0x099979kgpim18r0vi9vd821qnv0rl3rkj0nd1nx3wljxgf7mrg";
+  };
+
+  buildInputs = [ Carbon ];
+
+  makeFlags = [ "BUILD_PATH=$(out)/bin" ];
+
+  postInstall = ''
+    mkdir -p $out/Library/LaunchDaemons
+    cp ${./org.nixos.skhd.plist} $out/Library/LaunchDaemons/org.nixos.skhd.plist
+    substituteInPlace $out/Library/LaunchDaemons/org.nixos.skhd.plist --subst-var out
+  '';
+
+  meta = with lib; {
+    description = "Simple hotkey daemon for macOS";
+    homepage = "https://github.com/koekeishiya/skhd";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ cmacrae lnl7 periklis ];
+    license = licenses.mit;
+  };
+}
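Review bot: `postInstall` places the job definition under `$out/Library/LaunchDaemons`, and `org.nixos.skhd.plist` (the next file in this diff) sets no `UserName` key, so if that plist is ever linked into the system `LaunchDaemons` directory, launchd would start the hotkey daemon in the system context rather than in the user's session. A hotkey daemon acts on behalf of the logged-in user, so `Library/LaunchAgents` is the location that matches least privilege. The plist's `PATH` also lists `/nix/var/nix/profiles/default/bin` ahead of `/usr/bin`; that is worth a comment on who can write to that profile. If the current path is kept for compatibility, a comment above `postInstall` should say that the plist is meant to be loaded per user.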
diff --git a/nixpkgs/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist b/nixpkgs/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist
new file mode 100644
index 000000000000..e6624487740b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/skhd/org.nixos.skhd.plist
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>org.nixos.skhd</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>@out@/bin/skhd</string>
+  </array>
+  <key>ProcessType</key>
+  <string>Interactive</string>
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>PATH</key>
+    <string>@out@/bin:/nix/var/nix/profiles/default/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+  </dict>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+</dict>
+</plist>
diff --git a/nixpkgs/pkgs/os-specific/darwin/smimesign/default.nix b/nixpkgs/pkgs/os-specific/darwin/smimesign/default.nix
new file mode 100644
index 000000000000..d50e00f984e5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/smimesign/default.nix
@@ -0,0 +1,25 @@
+{ buildGoModule, fetchFromGitHub, lib }:
+
+buildGoModule rec {
+  pname = "smimesign";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "github";
+    repo = "smimesign";
+    rev = "v${version}";
+    sha256 = "12f8vprp4v78l9ifrlql0mvpyw5qa8nlrh5ajq5js8wljzpx7wsv";
+  };
+
+  vendorSha256 = "1cldxykm9qj5rvyfafam45y5xj4f19700s2f9w7ndhxgfp9vahvz";
+
+  ldflags = [ "-X main.versionString=v${version}" ];
+
+  meta = with lib; {
+    description = "An S/MIME signing utility for macOS and Windows that is compatible with Git";
+    homepage = "https://github.com/github/smimesign";
+    license = licenses.mit;
+    platforms = platforms.darwin ++ platforms.windows;
+    maintainers = [ maintainers.enorris ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/spacebar/default.nix b/nixpkgs/pkgs/os-specific/darwin/spacebar/default.nix
new file mode 100644
index 000000000000..2656c10f6dc3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/spacebar/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub, Carbon, Cocoa, ScriptingBridge, SkyLight }:
+
+stdenv.mkDerivation rec {
+  pname = "spacebar";
+  version = "1.4.0";
+
+  src = fetchFromGitHub {
+    owner = "cmacrae";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-4LiG43kPZtsm7SQ/28RaGMpYsDshCaGvc1mouPG3jFM=";
+  };
+
+  buildInputs = [ Carbon Cocoa ScriptingBridge SkyLight ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mkdir -p $out/share/man/man1/
+    cp ./bin/spacebar $out/bin/spacebar
+    cp ./doc/spacebar.1 $out/share/man/man1/spacebar.1
+  '';
+
+  meta = with lib; {
+    description = "A minimal status bar for macOS";
+    homepage = "https://github.com/cmacrae/spacebar";
+    platforms = platforms.darwin;
+    maintainers = [ maintainers.cmacrae ];
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/stubs/default.nix b/nixpkgs/pkgs/os-specific/darwin/stubs/default.nix
new file mode 100644
index 000000000000..862305a069d6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/stubs/default.nix
@@ -0,0 +1,15 @@
+{ lib, writeScriptBin, runtimeShell }:
+
+let fake = name: lib.overrideDerivation (writeScriptBin name ''
+  #!${runtimeShell}
+  echo >&2 "Faking call to ${name} with arguments:"
+  echo >&2 "$@"
+'') (drv: {
+  name = "${name}-stub";
+}); in
+
+{
+  setfile = fake "SetFile";
+  rez = fake "Rez";
+  derez = fake "DeRez";
+}
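Review bot: The `fake` helper has no comment saying that the generated `SetFile`, `Rez` and `DeRez` scripts only log their arguments to stderr and then succeed, so a build that calls them continues without the real tool having done anything. A comment above `let fake` such as `# No-op stand-ins for Apple developer tools: log the call to stderr and exit 0.` would make that explicit for anyone adding one of them as a build input.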
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0001-Add-missing-TARGET_OS_-defines.patch b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0001-Add-missing-TARGET_OS_-defines.patch
new file mode 100644
index 000000000000..db17c517c720
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/0001-Add-missing-TARGET_OS_-defines.patch
@@ -0,0 +1,30 @@
+From 549160574ee44656d50997b27ef83736e0848201 Mon Sep 17 00:00:00 2001
+From: toonn <toonn@toonn.io>
+Date: Mon, 26 Apr 2021 20:51:05 +0200
+Subject: [PATCH] Add missing TARGET_OS_* defines
+
+---
+ .../Base.subproj/SwiftRuntime/TargetConditionals.h         | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/CoreFoundation/Base.subproj/SwiftRuntime/TargetConditionals.h b/CoreFoundation/Base.subproj/SwiftRuntime/TargetConditionals.h
+index 6d42b873..abf746c9 100644
+--- a/CoreFoundation/Base.subproj/SwiftRuntime/TargetConditionals.h
++++ b/CoreFoundation/Base.subproj/SwiftRuntime/TargetConditionals.h
+@@ -118,6 +118,13 @@
+ 
+ #define TARGET_OS_WIN32        TARGET_OS_WINDOWS
+ #define TARGET_OS_MAC          TARGET_OS_DARWIN
++#define TARGET_OS_OSX          TARGET_OS_DARWIN
++
++#define TARGET_OS_IPHONE       0
++#define TARGET_OS_WATCH        0
++#define TARGET_OS_TV           0
++#define TARGET_OS_EMBEDDED     0
++
+ 
+ #if __x86_64__
+ #define TARGET_CPU_PPC          0
+-- 
+2.17.2 (Apple Git-113)
+
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/corefoundation.nix b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/corefoundation.nix
new file mode 100644
index 000000000000..7c48d695e11d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/corefoundation.nix
@@ -0,0 +1,107 @@
+{ lib, stdenv, fetchFromGitHub, fetchurl, ninja, python3, curl, libxml2, objc4, ICU }:
+
+let
+  # 10.12 adds a new sysdir.h that our version of CF in the main derivation depends on, but
+  # isn't available publicly, so instead we grab an older version of the same file that did
+  # not use sysdir.h, but provided the same functionality. Luckily it's simple :) hack hack
+  sysdir-free-system-directories = fetchurl {
+    url    = "https://raw.githubusercontent.com/apple/swift-corelibs-foundation/9a5d8420f7793e63a8d5ec1ede516c4ebec939f0/CoreFoundation/Base.subproj/CFSystemDirectories.c";
+    sha256 = "0krfyghj4f096arvvpf884ra5czqlmbrgf8yyc0b3avqmb613pcc";
+  };
+in
+
+stdenv.mkDerivation {
+  pname = "swift-corefoundation";
+  version = "unstable-2018-09-14";
+
+  src = fetchFromGitHub {
+    owner  = "apple";
+    repo   = "swift-corelibs-foundation";
+    rev    = "71aaba20e1450a82c516af1342fe23268e15de0a";
+    sha256 = "17kpql0f27xxz4jjw84vpas5f5sn4vdqwv10g151rc3rswbwln1z";
+  };
+
+  nativeBuildInputs = [ ninja python3 ];
+  buildInputs = [ curl libxml2 objc4 ICU ];
+
+  patches = [ ./0001-Add-missing-TARGET_OS_-defines.patch ];
+
+  postPatch = ''
+    cd CoreFoundation
+
+    cp ${sysdir-free-system-directories} Base.subproj/CFSystemDirectories.c
+
+    # In order, since I can't comment individual lines:
+    # 1. Disable dispatch support for now
+    # 2. For the linker too
+    # 3. Use the legit CoreFoundation.h, not the one telling you not to use it because of Swift
+    substituteInPlace build.py \
+      --replace "cf.CFLAGS += '-DDEPLOYMENT" '#' \
+      --replace "cf.LDFLAGS += '-ldispatch" '#'
+
+    # Fix sandbox impurities.
+    substituteInPlace ../lib/script.py \
+      --replace '/bin/cp' cp
+    patchShebangs --build ../configure
+
+    # Includes xpc for some initialization routine that they don't define anyway, so no harm here
+    substituteInPlace PlugIn.subproj/CFBundlePriv.h \
+      --replace '#if (TARGET_OS_MAC' '#if (0'
+
+    # Why do we define __GNU__? Is that normal?
+    substituteInPlace Base.subproj/CFAsmMacros.h \
+      --replace '#if defined(__GNU__) ||' '#if 0 &&'
+
+    # The MIN macro doesn't seem to be defined sensibly for us. Not sure if our stdenv or their bug
+    substituteInPlace Base.subproj/CoreFoundation_Prefix.h \
+      --replace '#if DEPLOYMENT_TARGET_WINDOWS || DEPLOYMENT_TARGET_LINUX' '#if 1'
+
+    # Somehow our ICU doesn't have this, probably because it's too old (we'll update it soon when we update the rest of the SDK)
+    substituteInPlace Locale.subproj/CFLocale.c \
+      --replace '#if U_ICU_VERSION_MAJOR_NUM' '#if 0 //'
+  '';
+
+  BUILD_DIR = "./Build";
+  CFLAGS = "-DINCLUDE_OBJC -I${libxml2.dev}/include/libxml2"; # They seem to assume we include objc in some places and not in others, make a PR; also not sure why but libxml2 include path isn't getting picked up from buildInputs
+
+  # I'm guessing at the version here. https://github.com/apple/swift-corelibs-foundation/commit/df3ec55fe6c162d590a7653d89ad669c2b9716b1 imported "high sierra"
+  # and this version is a version from there. No idea how accurate it is.
+  LDFLAGS = "-current_version 1454.90.0 -compatibility_version 150.0.0 -init ___CFInitialize";
+
+  configurePhase = ''
+    ../configure release --sysroot UNUSED
+  '';
+
+  enableParallelBuilding = true;
+
+  buildPhase = ''
+    runHook preBuild
+
+    ninja -j $NIX_BUILD_CORES
+
+    runHook postBuild
+  '';
+
+  # TODO: their build system sorta kinda can do this, but it doesn't seem to work right now
+  # Also, this includes a bunch of private headers in the framework, which is not what we want
+  installPhase = ''
+    base="$out/Library/Frameworks/CoreFoundation.framework"
+    mkdir -p $base/Versions/A/{Headers,PrivateHeaders,Modules}
+
+    cp ./Build/CoreFoundation/libCoreFoundation.dylib $base/Versions/A/CoreFoundation
+
+    # Note that this could easily live in the ldflags above as `-install_name @rpath/...` but
+    # https://github.com/NixOS/nixpkgs/issues/46434 thwarts that, so for now I'm hacking it up
+    # after the fact.
+    install_name_tool -id '@rpath/CoreFoundation.framework/Versions/A/CoreFoundation' $base/Versions/A/CoreFoundation
+
+    cp ./Build/CoreFoundation/usr/include/CoreFoundation/*.h $base/Versions/A/Headers
+    cp ./Build/CoreFoundation/usr/include/CoreFoundation/module.modulemap $base/Versions/A/Modules
+
+    ln -s A $base/Versions/Current
+
+    for i in CoreFoundation Headers Modules; do
+      ln -s Versions/Current/$i $base/$i
+    done
+  '';
+}
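Review bot: The comment above `substituteInPlace build.py` in `postPatch` lists three changes, but the call carries only two `--replace` pairs, so item 3 ("Use the legit CoreFoundation.h") describes nothing that is done here. Either drop item 3 from the comment or restore the replacement it refers to. In `installPhase`, `mkdir -p` also creates `Versions/A/PrivateHeaders`, which nothing in the hunk populates; if that is intentional, a short comment would say so.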
diff --git a/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/libdispatch.nix b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/libdispatch.nix
new file mode 100644
index 000000000000..a5b4b2a52df1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/swift-corelibs/libdispatch.nix
@@ -0,0 +1,13 @@
+{ stdenv, fetchFromGitHub, cmake, apple_sdk_sierra, xnu-new }:
+
+stdenv.mkDerivation rec {
+  name = "swift-corelibs-libdispatch";
+  src = fetchFromGitHub {
+    owner = "apple";
+    repo = name;
+    rev = "f83b5a498bad8e9ff8916183cf6e8ccf677c346b";
+    sha256 = "1czkyyc9llq2mnqfp19mzcfsxzas0y8zrk0gr5hg60acna6jkz2l";
+  };
+  nativeBuildInputs = [ cmake ];
+  buildInputs = [ apple_sdk_sierra.sdk xnu-new ];
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/trash/default.nix b/nixpkgs/pkgs/os-specific/darwin/trash/default.nix
new file mode 100644
index 000000000000..a239f6607b1f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/trash/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, perl, AppKit, Cocoa, ScriptingBridge }:
+
+stdenv.mkDerivation rec {
+  version = "0.9.2";
+  pname = "trash";
+
+  src = fetchFromGitHub {
+    owner = "ali-rantakari";
+    repo = "trash";
+    rev = "v${version}";
+    sha256 = "1d3rc03vgz32faj7qi18iiggxvxlqrj9lsk5jkpa9r1mcs5d89my";
+  };
+
+  buildInputs = [ perl Cocoa AppKit ScriptingBridge ];
+
+  patches = [ ./trash.diff ];
+
+  buildPhase = "make all docs";
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mkdir -p $out/share/man/man1
+    install -m 0755 trash $out/bin
+    install -m 0444 trash.1 $out/share/man/man1
+  '';
+
+  meta = {
+    homepage = "https://github.com/ali-rantakari/trash";
+    description = "Small command-line program for OS X that moves files or
+    folders to the trash.";
+    platforms = lib.platforms.darwin;
+    license = lib.licenses.mit;
+  };
+}
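Review bot: `meta.description` is a double-quoted string that continues onto a second line, so the value contains a newline plus the indentation of that line, and it ends with a period. A single-line form, `description = "Small command-line program for OS X that moves files or folders to the trash";`, avoids the embedded whitespace in package listings.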
diff --git a/nixpkgs/pkgs/os-specific/darwin/trash/trash.diff b/nixpkgs/pkgs/os-specific/darwin/trash/trash.diff
new file mode 100644
index 000000000000..d96f6c9c4fef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/trash/trash.diff
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 5e4306f..9c975fc 100644
+--- a/Makefile
++++ b/Makefile
+@@ -10,7 +10,7 @@ trash: $(SOURCE_FILES)
+ 	@echo
+ 	@echo ---- Compiling:
+ 	@echo ======================================
+-	$(CC) -O2 -Wall -Wextra -Wpartial-availability -Wno-unguarded-availability -force_cpusubtype_ALL -mmacosx-version-min=10.7 -arch i386 -arch x86_64 -framework AppKit -framework ScriptingBridge -o $@ $(SOURCE_FILES)
++	$(CC) -O2 -Wall -Wextra -Wpartial-availability -Wno-unguarded-availability -framework AppKit -framework ScriptingBridge -o $@ $(SOURCE_FILES)
+ 
+ analyze:
+ 	@echo
diff --git a/nixpkgs/pkgs/os-specific/darwin/wifi-password/default.nix b/nixpkgs/pkgs/os-specific/darwin/wifi-password/default.nix
new file mode 100644
index 000000000000..f66af1ddfb56
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/wifi-password/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  version = "0.1.0";
+  pname = "wifi-password";
+
+  src = fetchFromGitHub {
+    owner = "rauchg";
+    repo = pname;
+    rev = version;
+    sha256 = "0sfvb40h7rz9jzp4l9iji3jg80paklqsbmnk5h7ipsv2xbsplp64";
+  };
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp wifi-password.sh $out/bin/wifi-password
+  '';
+
+  meta = {
+    homepage = "https://github.com/rauchg/wifi-password";
+    description = "Get the password of the wifi you're on";
+    platforms = lib.platforms.darwin;
+    license = lib.licenses.mit;
+    maintainers = [ lib.maintainers.nikitavoloboev ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/xattr/default.nix b/nixpkgs/pkgs/os-specific/darwin/xattr/default.nix
new file mode 100644
index 000000000000..1aa8b49e88aa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/xattr/default.nix
@@ -0,0 +1,73 @@
+{ lib
+, stdenv
+, fetchzip
+, buildPythonPackage
+, python
+, ed
+, unifdef
+}:
+
+buildPythonPackage rec {
+  pname = "xattr";
+  version = "61.60.1";
+
+  src = fetchzip rec {
+    url = "https://opensource.apple.com/tarballs/python_modules/python_modules-${version}.tar.gz";
+    sha256 = "19kydl7w4vpdi7zmfd5z9vjkq24jfk2cv4j0pppw69j06czhdwwi";
+  };
+
+  sourceRoot = "${src.name}/Modules/xattr-0.6.4";
+  format = "other";
+
+  nativeBuildInputs = [
+    ed
+    unifdef
+  ];
+
+  makeFlags = [
+    "OBJROOT=$(PWD)"
+    "DSTROOT=${placeholder "out"}"
+    "OSL=${placeholder "doc"}/share/xattr/OpenSourceLicenses"
+    "OSV=${placeholder "doc"}/share/xattr/OpenSourceVersions"
+  ];
+
+  # need to use `out` instead of `bin` since buildPythonPackage ignores the latter
+  outputs = [ "out" "doc" "python" ];
+
+  # We need to patch a reference to gnutar in an included Makefile
+  postUnpack = ''
+    chmod u+w $sourceRoot/..
+  '';
+
+  postPatch = ''
+    substituteInPlace ../Makefile.inc --replace gnutar tar
+    substituteInPlace Makefile --replace "/usr" ""
+  '';
+
+  preInstall = ''
+    # prevent setup.py from trying to download setuptools
+    sed -i xattr-*/setup.py -e '/ez_setup/d'
+
+    # create our custom target dirs we patch in
+    mkdir -p "$doc/share/xattr/"OpenSource{Licenses,Versions}
+    mkdir -p "$python/lib/${python.libPrefix}"
+  '';
+
+  # move python package to its own output to reduce clutter
+  postInstall = ''
+    mv "$out/lib/python" "$python/${python.sitePackages}"
+    rmdir "$out/lib"
+  '';
+
+  makeWrapperArgs = [
+    "--prefix" "PYTHONPATH" ":" "${placeholder "python"}/${python.sitePackages}"
+  ];
+
+  meta = with lib; {
+    description = "Display and manipulate extended attributes";
+    license = [ licenses.psfl licenses.mit ]; # see $doc/share/xattr/OpenSourceLicenses
+    maintainers = [ maintainers.sternenseemann ];
+    homepage = "https://opensource.apple.com/source/python_modules/";
+    platforms = lib.platforms.darwin;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/darwin/xcode/default.nix b/nixpkgs/pkgs/os-specific/darwin/xcode/default.nix
new file mode 100644
index 000000000000..2ce607896b5e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/xcode/default.nix
@@ -0,0 +1,71 @@
+{ buildPlatform, requireFile, targetPlatform, lib }:
+
+let requireXcode = version: sha256:
+  let
+    xip = "Xcode_" + version +  ".xip";
+    # TODO(alexfmpe): Find out how to validate the .xip signature in Linux
+    unxip = if buildPlatform.isDarwin
+            then ''
+              open -W ${xip}
+              rm -rf ${xip}
+            ''
+            else ''
+              xar -xf ${xip}
+              rm -rf ${xip}
+              pbzx -n Content | cpio -i
+              rm Content Metadata
+            '';
+    app = requireFile rec {
+      name     = "Xcode.app";
+      url      = "https://developer.apple.com/services-account/download?path=/Developer_Tools/Xcode_${version}/${xip}";
+      hashMode = "recursive";
+      inherit sha256;
+      message  = ''
+        Unfortunately, we cannot download ${name} automatically.
+        Please go to ${url}
+        to download it yourself, and add it to the Nix store by running the following commands.
+        Note: download (~ 5GB), extraction and storing of Xcode will take a while
+
+        ${unxip}
+        nix-store --add-fixed --recursive sha256 Xcode.app
+        rm -rf Xcode.app
+      '';
+    };
+    meta = with lib; {
+      homepage = "https://developer.apple.com/downloads/";
+      description = "Apple's XCode SDK";
+      license = licenses.unfree;
+      platforms = platforms.darwin ++ platforms.linux;
+    };
+
+  in app.overrideAttrs ( oldAttrs: oldAttrs // { inherit meta; });
+
+in lib.makeExtensible (self: {
+  xcode_8_1 = requireXcode "8.1" "18xjvfipwzia66gm3r9p770xdd4r375vak7chw5vgqnv9yyjiq2n";
+  xcode_8_2 = requireXcode "8.2" "13nd1zsfqcp9hwp15hndr0rsbb8rgprrz7zr2ablj4697qca06m2";
+  xcode_9_1 = requireXcode "9.1" "0ab1403wy84ys3yn26fj78cazhpnslmh3nzzp1wxib3mr1afjvic";
+  xcode_9_2 = requireXcode "9.2" "1bgfgdp266cbbqf2axcflz92frzvhi0qw0jdkcw6r85kdpc8dj4c";
+  xcode_9_3 = requireXcode "9.3" "12m9kb4759s2ky42b1vf7y38qqxn2j99s99adzc6ljnmy26ii12w";
+  xcode_9_4 = requireXcode "9.4" "00az1cf9pm8zmvzs6yq04prdmxp8xi3ymxw94jjh4mh7hlbkhcb7";
+  xcode_9_4_1 = requireXcode "9.4.1" "0y9kphj86c14jl6aibv57sd7ln0w06vdhzm8ysp0s98rfgyq2lbw";
+  xcode_10_1 = requireXcode "10.1" "1ssdbg4v8r11fjf4jl38pwyry2aia1qihbxyxapz0v0n5gfnp05v";
+  xcode_10_2 = requireXcode "10.2" "1xzybl1gvb3q5qwlwchanzpws4sb70i3plf0vrzvlfdp2hsb3pg7";
+  xcode_10_2_1 = requireXcode "10.2.1" "11sdb54nr0x7kp987qq839x6k5gdx7vqdxjiy5xm5279n1n47bmg";
+  xcode_10_3 = requireXcode "10.3" "1i628vfn6zad81fsz3zpc6z15chhskvyp8qnajp2wnpzvrwl6ngb";
+  xcode_11 = requireXcode "11" "1r03j3kkp4blfp2kqpn538w3dx57ms930fj8apjkq6dk7fv3jcqh";
+  xcode_11_1 = requireXcode "11.1" "1c2gzc4jhhx5a7ncg19sh1r99izhipybaqxl1ll52x5y8689awc1";
+  xcode_11_2 = requireXcode "11.2" "1lm3q8zpvm184246h5j9mw4c1y9kk9sxnr3j98kfm0312n0l98gj";
+  xcode_11_3 = requireXcode "11.3" "04rv6xlywy8xqfx9ma8ygsdw4yhckk2mq0qnklxnfly899iw4wza";
+  xcode_11_3_1 = requireXcode "11.3.1" "1p6nicj91kr6ad3rmycahd1i7z4hj7ccjs93ixsiximjzaahx3q4";
+  xcode_11_4 = requireXcode "11.4" "065rpb3rdk19nv3rwyf9bk32ccbd0lld12gj12l89cyg65mhpyy7";
+  xcode_11_5 = requireXcode "11.5" "1dizazq9nz1vjkc5gy7dd4x760mkfjiifk1hf6d9mscchdq8rfkw";
+  xcode_11_6 = requireXcode "11.6" "1y4fhw1kiphzxdb4wpv697z5r0algvaldwq5iqv266797rnfql4x";
+  xcode_11_7 = requireXcode "11.7" "0422rdc4j5qwyk59anbybxyfv0p26x0xryszm0wd8i44g66smlmj";
+  xcode_12 = requireXcode "12" "1w3xm268pyn5m04wv22invd5kr2k4jqllgrzapv6n1sxxynxrh8z";
+  xcode_12_0_1 = requireXcode "12.0.1" "1p6vd5ai0hh3cq6aflh4h21ar0shxnz8wlkaxwq7liwsdmkwzbl0";
+  xcode_12_1 = requireXcode "12.1" "1widy74dk43wx8iqgd7arzf6q4kzdmaz8pfwymzs8chnq9dqr3wp";
+  xcode_12_2 = requireXcode "12.2" "17i0wf4pwrxwfgjw7rpw9mcd59nkmys1k5h2rqsw81snzyxy9j0v";
+  xcode_12_3 = requireXcode "12.3" "0kwf1y4llysf1p0nsbqyzccn7d77my0ldagr5fi3by4k0xy3d189";
+  xcode = self."xcode_${lib.replaceStrings ["."] ["_"] (if (targetPlatform ? xcodeVer) then targetPlatform.xcodeVer else "12.3")}";
+})
+
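Review bot: On a non-Darwin build platform the instructions printed by `message` unpack the downloaded `.xip` with `xar -xf` and `pbzx -n Content | cpio -i` before anything has checked the archive. The TODO above `unxip` confirms the signature is not validated there. As far as this hunk shows, the pinned recursive `sha256` is only compared once the resulting `Xcode.app` reaches the store, which is after `cpio` has already written files. Telling the user to run the commands in a fresh empty directory and using `cpio -i --no-absolute-filenames` would confine what a damaged or substituted download can write. A line in the message noting that a hash mismatch means the download must be discarded would also help.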
diff --git a/nixpkgs/pkgs/os-specific/darwin/xcode/sdk-pkgs.nix b/nixpkgs/pkgs/os-specific/darwin/xcode/sdk-pkgs.nix
new file mode 100644
index 000000000000..0512d9dd46a1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/xcode/sdk-pkgs.nix
@@ -0,0 +1,61 @@
+{ targetPlatform
+, clang-unwrapped
+, binutils-unwrapped
+, runCommand
+
+, wrapBintoolsWith
+, wrapCCWith
+, buildIosSdk, targetIosSdkPkgs
+, xcode
+, lib
+}:
+
+let
+
+minSdkVersion = targetPlatform.minSdkVersion or "9.0";
+
+in
+
+rec {
+  sdk = rec {
+    name = "ios-sdk";
+    type = "derivation";
+    outPath = xcode + "/Contents/Developer/Platforms/${platform}.platform/Developer/SDKs/${platform}${version}.sdk";
+
+    platform = targetPlatform.xcodePlatform;
+    version = targetPlatform.sdkVer;
+  };
+
+  binutils = wrapBintoolsWith {
+    libc = targetIosSdkPkgs.libraries;
+    bintools = binutils-unwrapped;
+  };
+
+  clang = (wrapCCWith {
+    cc = clang-unwrapped;
+    bintools = binutils;
+    libc = targetIosSdkPkgs.libraries;
+    extraPackages = [ "${sdk}/System" ];
+    extraBuildCommands = ''
+      tr '\n' ' ' < $out/nix-support/cc-cflags > cc-cflags.tmp
+      mv cc-cflags.tmp $out/nix-support/cc-cflags
+      echo "-target ${targetPlatform.config}" >> $out/nix-support/cc-cflags
+      echo "-isystem ${sdk}/usr/include${lib.optionalString (lib.versionAtLeast "10" sdk.version) " -isystem ${sdk}/usr/include/c++/4.2.1/ -stdlib=libstdc++"}" >> $out/nix-support/cc-cflags
+      ${lib.optionalString (lib.versionAtLeast sdk.version "14") "echo -isystem ${xcode}/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1 >> $out/nix-support/cc-cflags"}
+    '';
+  }) // {
+    inherit sdk;
+  };
+
+  libraries = let sdk = buildIosSdk; in runCommand "libSystem-prebuilt" {
+    passthru = {
+      inherit sdk;
+    };
+  } ''
+    if ! [ -d ${sdk} ]; then
+        echo "You must have version ${sdk.version} of the ${sdk.platform} sdk installed at ${sdk}" >&2
+        exit 1
+    fi
+    ln -s ${sdk}/usr $out
+  '';
+}
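Review bot: `minSdkVersion = targetPlatform.minSdkVersion or "9.0";` is bound in the `let` block but never referenced in this file, so the platform's minimum SDK version has no effect on the wrapped compiler flags as far as the hunk shows. The binding should either be removed or used where it was intended. In `extraBuildCommands` the two `lib.versionAtLeast` calls take their arguments in opposite order (`"10" sdk.version` and then `sdk.version "14"`). A comment such as `# SDK version <= 10: use libstdc++ headers` on the first would keep the intended direction clear.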
diff --git a/nixpkgs/pkgs/os-specific/darwin/yabai/default.nix b/nixpkgs/pkgs/os-specific/darwin/yabai/default.nix
new file mode 100644
index 000000000000..5a3daed9fff8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/darwin/yabai/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchFromGitHub, darwin, xxd }:
+
+stdenv.mkDerivation rec {
+  pname = "yabai";
+  version = "3.3.10";
+
+  src = fetchFromGitHub {
+    owner = "koekeishiya";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-8O6//T894C32Pba3F2Z84Z6VWeCXlwml3xsXoIZGqL0=";
+  };
+
+  nativeBuildInputs = [ xxd ];
+
+  buildInputs = with darwin.apple_sdk.frameworks; [
+    Carbon
+    Cocoa
+    ScriptingBridge
+    SkyLight
+  ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mkdir -p $out/share/man/man1/
+    cp ./bin/yabai $out/bin/yabai
+    cp ./doc/yabai.1 $out/share/man/man1/yabai.1
+  '';
+
+  meta = with lib; {
+    description = ''
+      A tiling window manager for macOS based on binary space partitioning
+    '';
+    homepage = "https://github.com/koekeishiya/yabai";
+    platforms = platforms.darwin;
+    maintainers = with maintainers; [ cmacrae shardy ];
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/915resolution/default.nix b/nixpkgs/pkgs/os-specific/linux/915resolution/default.nix
new file mode 100644
index 000000000000..b67d737034e4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/915resolution/default.nix
@@ -0,0 +1,21 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "915resolution";
+  version = "0.5.3";
+
+  src = fetchurl {
+    url = "http://915resolution.mango-lang.org/915resolution-${version}.tar.gz";
+    sha256 = "0hmmy4kkz3x6yigz6hk99416ybznd67dpjaxap50nhay9f1snk5n";
+  };
+
+  patchPhase = "rm *.o";
+  installPhase = "mkdir -p $out/sbin; cp 915resolution $out/sbin/";
+
+  meta = with lib; {
+    homepage = "http://915resolution.mango-lang.org/";
+    description = "A tool to modify Intel 800/900 video BIOS";
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    license = licenses.publicDomain;
+  };
+}
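Review bot: `patchPhase = "rm *.o";` replaces the whole patch phase, so any `patches` added to this derivation later would be silently skipped, along with the `prePatch`/`postPatch` hooks. Removing the shipped object files in a hook instead, `postPatch = "rm *.o";`, keeps the removal of prebuilt binaries from the tarball while leaving the standard phase intact.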
diff --git a/nixpkgs/pkgs/os-specific/linux/acpi-call/default.nix b/nixpkgs/pkgs/os-specific/linux/acpi-call/default.nix
new file mode 100644
index 000000000000..b84ecd21293a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/acpi-call/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "acpi-call";
+  version = "1.2.2";
+  name = "${pname}-${version}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "nix-community";
+    repo = "acpi_call";
+    rev = "v${version}";
+    sha256 = "1s7h9y3adyfhw7cjldlfmid79lrwz3vqlvziw9nwd6x5qdj4w9vp";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D acpi_call.ko $out/lib/modules/${kernel.modDirVersion}/misc/acpi_call.ko
+    install -D -m755 examples/turn_off_gpu.sh $out/bin/test_discrete_video_off.sh
+  '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ raskin mic92 ];
+    homepage = "https://github.com/nix-community/acpi_call";
+    platforms = platforms.linux;
+    description = "A module allowing arbitrary ACPI calls; use case: hybrid video";
+    license = licenses.gpl3Plus;
+  };
+}
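Review bot: `hardeningDisable = [ "pic" ];` turns off a hardening flag without a comment saying why, which makes it hard to tell a required exception from a leftover. A line above it such as `# out-of-tree kernel modules cannot be built with the pic hardening flag` would record the reason. The explicit `name = "${pname}-${version}-${kernel.version}";` next to `pname` and `version` would benefit from a similar note that it exists to add the kernel version to the store name.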
diff --git a/nixpkgs/pkgs/os-specific/linux/acpi/default.nix b/nixpkgs/pkgs/os-specific/linux/acpi/default.nix
new file mode 100644
index 000000000000..d257553299cf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/acpi/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "acpi";
+  version = "1.7";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/acpiclient/${version}/${pname}-${version}.tar.gz";
+    sha256 = "01ahldvf0gc29dmbd5zi4rrnrw2i1ajnf30sx2vyaski3jv099fp";
+  };
+
+  meta = with lib; {
+    description = "Show battery status and other ACPI information";
+    longDescription = ''
+      Linux ACPI client is a small command-line
+      program that attempts to replicate the functionality of
+      the "old" `apm' command on ACPI systems.  It includes
+      battery and thermal information.
+    '';
+    homepage = "https://sourceforge.net/projects/acpiclient/";
+    license = lib.licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/acpid/default.nix b/nixpkgs/pkgs/os-specific/linux/acpid/default.nix
new file mode 100644
index 000000000000..b766739aaafa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/acpid/default.nix
@@ -0,0 +1,20 @@
+{ lib, stdenv, fetchurl, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "acpid";
+  version = "2.0.33";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/acpid2/acpid-${version}.tar.xz";
+    sha256 = "sha256-CFb3Gz6zShtmPQqOY2Pfy8UZ5j2EczBJiJhljily2+g=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  meta = with lib; {
+    homepage = "https://sourceforge.net/projects/acpid2/";
+    description = "A daemon for delivering ACPI events to userspace programs";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/acpitool/default.nix b/nixpkgs/pkgs/os-specific/linux/acpitool/default.nix
new file mode 100644
index 000000000000..d494e95e3db6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/acpitool/default.nix
@@ -0,0 +1,52 @@
+{lib, stdenv, fetchurl, fetchpatch}:
+
+let
+   acpitool-patch-051-4 = params: fetchpatch rec {
+     inherit (params) name sha256;
+     url = "https://salsa.debian.org/debian/acpitool/raw/33e2ef42a663de820457b212ea2925e506df3b88/debian/patches/${name}";
+   };
+
+in stdenv.mkDerivation rec {
+  pname = "acpitool";
+  version = "0.5.1";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/acpitool/acpitool-${version}.tar.bz2";
+    sha256 = "004fb6cd43102918b6302cf537a2db7ceadda04aef2e0906ddf230f820dad34f";
+  };
+
+  patches = [
+    (acpitool-patch-051-4 {
+      name = "ac_adapter.patch";
+      sha256 = "0rn14vfv9x5gmwyvi6bha5m0n0pm4wbpg6h8kagmy3i1f8lkcfi8";
+    })
+    (acpitool-patch-051-4 {
+      name = "battery.patch";
+      sha256 = "190msm5cgqgammxp1j4dycfz206mggajm5904r7ifngkcwizh9m7";
+    })
+    (acpitool-patch-051-4 {
+      name = "kernel3.patch";
+      sha256 = "1qb47iqnv09i7kgqkyk9prr0pvlx0yaip8idz6wc03wci4y4bffg";
+    })
+    (acpitool-patch-051-4 {
+      name = "wakeup.patch";
+      sha256 = "1mmzf8n4zsvc7ngn51map2v42axm9vaf8yknbd5amq148sjf027z";
+    })
+    (acpitool-patch-051-4 {
+      name = "0001-Do-not-assume-fixed-line-lengths-for-proc-acpi-wakeu.patch";
+      sha256 = "10wwh7l3jbmlpa80fzdr18nscahrg5krl18pqwy77f7683mg937m";
+    })
+    (acpitool-patch-051-4 {
+      name = "typos.patch";
+      sha256 = "1178fqpk6sbqp1cyb1zf9qv7ahpd3pidgpid3bbpms7gyhqvvdpa";
+    })
+  ];
+
+  meta = {
+    description = "A small, convenient command-line ACPI client with a lot of features";
+    homepage = "https://sourceforge.net/projects/acpitool/";
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.guibert ];
+    platforms = lib.platforms.unix;
+  };
+}
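Review bot: `platforms = lib.platforms.unix` at the end of `meta` looks wider than what this package supports. The file lives under `os-specific/linux` and one of the fetched patches is named after `/proc/acpi/wakeu…`, which suggests a Linux-only tool (inferred from the names, not checked against the source). I would narrow it to `platforms = lib.platforms.linux;` so evaluations for other Unix platforms do not try to build it. Separately, the `rec` in `fetchpatch rec { … }` is unused, since nothing in that set refers to its own attributes.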
diff --git a/nixpkgs/pkgs/os-specific/linux/adcli/default.nix b/nixpkgs/pkgs/os-specific/linux/adcli/default.nix
new file mode 100644
index 000000000000..977c1d09dbae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/adcli/default.nix
@@ -0,0 +1,68 @@
+{ lib
+, stdenv
+, fetchFromGitLab
+, fetchpatch
+, openldap
+, libkrb5
+, libxslt
+, autoreconfHook
+, pkg-config
+, cyrus_sasl
+, util-linux
+, xmlto
+, docbook_xsl
+, docbook_xml_dtd_43
+}:
+
+stdenv.mkDerivation rec {
+  pname = "adcli";
+  version = "0.9.1";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "realmd";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-Zzt4qgLiJNuSrbtDWuxJEfGL7sWSbqN301q3qXZpn9c=";
+  };
+
+  # https://bugs.gentoo.org/820224
+  # Without this it produces some weird missing symbol error in glibc
+  patches = [
+    (fetchpatch {
+      url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/app-crypt/adcli/files/adcli-0.9.1-glibc-2.34-resolv.patch?id=01db544de893262e857685e11b33c2a74210181f";
+      sha256 = "sha256-dZ6dkzxd+0XjY/X9/2IWMan3syvCDGFHiMbxFxMHGFA=";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace tools/Makefile.am \
+      --replace 'sbin_PROGRAMS' 'bin_PROGRAMS'
+
+    substituteInPlace doc/Makefile.am \
+        --replace 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl' \
+                  '${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl'
+
+    function patch_docbook(){
+      substituteInPlace $1 \
+        --replace "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" \
+                  "${docbook_xml_dtd_43}/xml/dtd/docbook/docbookx.dtd"
+    }
+    patch_docbook doc/adcli.xml
+    patch_docbook doc/adcli-devel.xml
+    patch_docbook doc/adcli-docs.xml
+  '';
+  nativeBuildInputs = [ autoreconfHook pkg-config docbook_xsl ];
+
+  buildInputs = [ openldap libkrb5 libxslt cyrus_sasl util-linux xmlto docbook_xsl ];
+
+  configureFlags = [ "--disable-debug" ];
+
+  meta = with lib; {
+    homepage = "https://www.freedesktop.org/software/realmd/adcli/adcli.html";
+    description = "A helper library and tools for Active Directory client operations.";
+    license = licenses.lgpl21Only;
+    maintainers = with maintainers; [ SohamG ];
+    platforms = platforms.linux;
+  };
+}
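Review bot: `xmlto`, `libxslt` and `docbook_xsl` sit in `buildInputs`, but judging by the `postPatch` rewrite of `doc/Makefile.am` they are only executed at build time to generate the man pages, so they belong in `nativeBuildInputs`. As written, a cross build would be handed host-platform copies it cannot run. `docbook_xsl` is also listed in both lists. Suggested: `nativeBuildInputs = [ autoreconfHook pkg-config xmlto libxslt docbook_xsl ];` and `buildInputs = [ openldap libkrb5 cyrus_sasl util-linux ];`, after confirming `libxslt` is not also linked as a library.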
diff --git a/nixpkgs/pkgs/os-specific/linux/afuse/default.nix b/nixpkgs/pkgs/os-specific/linux/afuse/default.nix
new file mode 100644
index 000000000000..5bf32fbe6661
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/afuse/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, autoreconfHook, fuse }:
+
+stdenv.mkDerivation rec {
+  pname = "afuse";
+  version = "0.4.1";
+
+  src = fetchFromGitHub {
+    owner = "pcarrier";
+    repo = "afuse";
+    rev = "v${version}";
+    sha256 = "06i855h8a1w2jfly2gfy7vwhb2fp74yxbf3r69s28lki2kzwjar6";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ fuse ];
+
+  postPatch = lib.optionalString stdenv.isDarwin ''
+    # Fix the build on macOS with macFUSE installed
+    substituteInPlace configure.ac --replace \
+      'export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH' \
+      ""
+  '';
+
+  meta = {
+    description = "Automounter in userspace";
+    homepage = "https://github.com/pcarrier/afuse";
+    license = lib.licenses.gpl2;
+    maintainers = [ lib.maintainers.marcweber ];
+    platforms = lib.platforms.unix;
+  };
+}
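Review bot: The `postPatch` that removes `export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH` from `configure.ac` is applied only when `stdenv.isDarwin`, so on Linux the generated configure script still prepends a host path outside the store to the pkg-config search path. Inside the sandbox that directory does not exist, but with sandboxing disabled it lets host `.pc` files shadow the `fuse` input. Dropping the `lib.optionalString stdenv.isDarwin` wrapper removes the line on every platform and keeps the build pure. `license = lib.licenses.gpl2` is also the ambiguous spelling; pick `gpl2Only` or `gpl2Plus` after checking upstream.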
diff --git a/nixpkgs/pkgs/os-specific/linux/akvcam/default.nix b/nixpkgs/pkgs/os-specific/linux/akvcam/default.nix
new file mode 100644
index 000000000000..6d916e0ff7fc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/akvcam/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "akvcam";
+  version = "1.2.2";
+
+  src = fetchFromGitHub {
+    owner = "webcamoid";
+    repo = "akvcam";
+    rev = version;
+    sha256 = "1f0vjia2d7zj3y5c63lx1r537bdjx6821yxy29ilbrvsbjq2szj8";
+  };
+  sourceRoot = "source/src";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags ++ [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -m644 -b -D akvcam.ko $out/lib/modules/${kernel.modDirVersion}/akvcam.ko
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Virtual camera driver for Linux";
+    homepage = "https://github.com/webcamoid/akvcam";
+    maintainers = with maintainers; [ freezeboy ];
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    broken = kernel.kernelAtLeast "5.18";
+  };
+}
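Review bot: The overridden `installPhase` does not call `runHook preInstall` / `runHook postInstall`, so overrides that attach to those hooks are silently skipped. Other derivations in this same diff (alsa-topology-conf, alsa-ucm-conf) do call them. The `-b` flag to `install` requests a backup of an existing destination, which cannot exist in a fresh `$out`, so it can be dropped: `install -m644 -D akvcam.ko $out/lib/modules/${kernel.modDirVersion}/akvcam.ko`.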
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix
new file mode 100644
index 000000000000..8ddc97890e92
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix
@@ -0,0 +1,38 @@
+{ lib, buildPackages, stdenvNoCC, autoreconfHook, fetchurl }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "alsa-firmware";
+  version = "1.2.4";
+
+  src = fetchurl {
+    url = "mirror://alsa/firmware/alsa-firmware-${version}.tar.bz2";
+    sha256 = "sha256-tnttfQi8/CR+9v8KuIqZwYgwWjz1euLf0LzZpbNs1bs=";
+  };
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ autoreconfHook ];
+
+  configureFlags = [
+    "--with-hotplug-dir=$(out)/lib/firmware"
+  ];
+
+  dontStrip = true;
+
+  postInstall = ''
+    # These are lifted from the Arch PKGBUILD
+    # remove files which conflicts with linux-firmware
+    rm -rf $out/lib/firmware/{ct{efx,speq}.bin,ess,korg,sb16,yamaha}
+    # remove broken symlinks (broken upstream)
+    rm -rf $out/lib/firmware/turtlebeach
+    # remove empty dir
+    rm -rf $out/bin
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.alsa-project.org/";
+    description = "Soundcard firmwares from the alsa project";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ l-as ];
+  };
+}
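Review bot: `homepage = "http://www.alsa-project.org/"` uses plain HTTP, while alsa-topology-conf and alsa-ucm-conf in this same diff already use `https://www.alsa-project.org/`. The same applies to the `meta.homepage` lines of alsa-lib, alsa-oss, alsa-plugins, alsa-tools and alsa-utils below. Switching all of them to `homepage = "https://www.alsa-project.org/";` keeps the links consistent and avoids pointing users at an unauthenticated URL.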
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch
new file mode 100644
index 000000000000..b17df9a492e5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch
@@ -0,0 +1,232 @@
+diff --git a/src/control/control.c b/src/control/control.c
+index d66ed75..42cecad 100644
+--- a/src/control/control.c
++++ b/src/control/control.c
+@@ -838,6 +838,10 @@ static int snd_ctl_open_conf(snd_ctl_t **ctlp, const char *name,
+ #ifndef PIC
+ 	extern void *snd_control_open_symbols(void);
+ #endif
++
++	snd_config_t *libs = NULL;
++	const char *libs_lib = NULL;
++
+ 	if (snd_config_get_type(ctl_conf) != SND_CONFIG_TYPE_COMPOUND) {
+ 		if (name)
+ 			SNDERR("Invalid type for CTL %s definition", name);
+@@ -879,6 +883,19 @@ static int snd_ctl_open_conf(snd_ctl_t **ctlp, const char *name,
+ 					SNDERR("Invalid type for %s", id);
+ 					goto _err;
+ 				}
++
++				continue;
++			}
++			// Handle an array of extra libs.
++			if (strcmp(id, "libs") == 0) {
++				if (snd_config_get_type(n) != SND_CONFIG_TYPE_COMPOUND) {
++					SNDERR("Invalid type for libs definition in CTL %s definition",
++						str);
++					goto _err;
++				}
++
++				libs = n;
++
+ 				continue;
+ 			}
+ 			if (strcmp(id, "open") == 0) {
+@@ -903,7 +920,62 @@ static int snd_ctl_open_conf(snd_ctl_t **ctlp, const char *name,
+ 		open_name = buf;
+ 		sprintf(buf, "_snd_ctl_%s_open", str);
+ 	}
+-	if (!lib) {
++
++#ifndef PIC
++	snd_control_open_symbols();
++#endif
++
++	// Normal alsa behaviour when there is no libs array.
++	if (!libs) {
++		if (lib) {
++			open_func = snd_dlobj_cache_get(lib, open_name,
++				SND_DLSYM_VERSION(SND_CONTROL_DLSYM_VERSION), 1);
++		}
++	}
++	// Handle libs array.
++	// Suppresses error messages if any function is loaded successfully.
++	else {
++		if (lib) {
++			open_func = snd_dlobj_cache_get(lib, open_name,
++				SND_DLSYM_VERSION(SND_CONTROL_DLSYM_VERSION), 0);
++		}
++
++		if (!open_func) {
++			snd_config_for_each(i, next, libs) {
++				snd_config_t *n = snd_config_iterator_entry(i);
++
++				err = snd_config_get_string(n, &libs_lib);
++				if (err < 0) {
++					SNDERR("Invalid entry in CTL %s libs definition", str);
++					goto _err;
++				}
++
++				if (!open_func) {
++					open_func = snd_dlobj_cache_get(libs_lib, open_name,
++						SND_DLSYM_VERSION(SND_CONTROL_DLSYM_VERSION), 0);
++				}
++			}
++		}
++
++		// Print error messages.
++		if (!open_func) {
++			if (lib) {
++				SNDERR("Either %s cannot be opened or %s was not defined inside",
++					lib, open_name);
++			}
++
++			snd_config_for_each(i, next, libs) {
++				snd_config_t *n = snd_config_iterator_entry(i);
++
++				snd_config_get_string(n, &libs_lib);
++				SNDERR("Either %s cannot be opened or %s was not defined inside",
++					libs_lib, open_name);
++			}
++		}
++	}
++
++	// Look in ALSA_PLUGIN_DIR iff we found nowhere else to look.
++	if (!lib && (!libs || !libs_lib)) {
+ 		const char *const *build_in = build_in_ctls;
+ 		while (*build_in) {
+ 			if (!strcmp(*build_in, str))
+@@ -919,12 +991,11 @@ static int snd_ctl_open_conf(snd_ctl_t **ctlp, const char *name,
+ 			lib = buf1;
+ 			sprintf(buf1, "%s/libasound_module_ctl_%s.so", ALSA_PLUGIN_DIR, str);
+ 		}
+-	}
+-#ifndef PIC
+-	snd_control_open_symbols();
+-#endif
+-	open_func = snd_dlobj_cache_get(lib, open_name,
++
++		open_func = snd_dlobj_cache_get(lib, open_name,
+ 			SND_DLSYM_VERSION(SND_CONTROL_DLSYM_VERSION), 1);
++	}
++
+ 	if (open_func) {
+ 		err = open_func(ctlp, name, ctl_root, ctl_conf, mode);
+ 		if (err >= 0) {
+diff --git a/src/pcm/pcm.c b/src/pcm/pcm.c
+index 2e24338..7f489f4 100644
+--- a/src/pcm/pcm.c
++++ b/src/pcm/pcm.c
+@@ -2116,6 +2116,10 @@ static int snd_pcm_open_conf(snd_pcm_t **pcmp, const char *name,
+ #ifndef PIC
+ 	extern void *snd_pcm_open_symbols(void);
+ #endif
++
++	snd_config_t *libs = NULL;
++	const char *libs_lib = NULL;
++
+ 	if (snd_config_get_type(pcm_conf) != SND_CONFIG_TYPE_COMPOUND) {
+ 		char *val;
+ 		id = NULL;
+@@ -2160,6 +2164,19 @@ static int snd_pcm_open_conf(snd_pcm_t **pcmp, const char *name,
+ 					SNDERR("Invalid type for %s", id);
+ 					goto _err;
+ 				}
++
++				continue;
++			}
++			// Handle an array of extra libs.
++			if (strcmp(id, "libs") == 0) {
++				if (snd_config_get_type(n) != SND_CONFIG_TYPE_COMPOUND) {
++					SNDERR("Invalid type for libs definition in PCM %s definition",
++						str);
++					goto _err;
++				}
++
++				libs = n;
++
+ 				continue;
+ 			}
+ 			if (strcmp(id, "open") == 0) {
+@@ -2184,7 +2201,62 @@ static int snd_pcm_open_conf(snd_pcm_t **pcmp, const char *name,
+ 		open_name = buf;
+ 		sprintf(buf, "_snd_pcm_%s_open", str);
+ 	}
+-	if (!lib) {
++
++#ifndef PIC
++	snd_pcm_open_symbols();	/* this call is for static linking only */
++#endif
++
++	// Normal alsa behaviour when there is no libs array.
++	if (!libs) {
++		if (lib) {
++			open_func = snd_dlobj_cache_get(lib, open_name,
++				SND_DLSYM_VERSION(SND_PCM_DLSYM_VERSION), 1);
++		}
++	}
++	// Handle libs array.
++	// Suppresses error messages if any function is loaded successfully.
++	else {
++		if (lib) {
++			open_func = snd_dlobj_cache_get(lib, open_name,
++				SND_DLSYM_VERSION(SND_PCM_DLSYM_VERSION), 0);
++		}
++
++		if (!open_func) {
++			snd_config_for_each(i, next, libs) {
++				snd_config_t *n = snd_config_iterator_entry(i);
++
++				err = snd_config_get_string(n, &libs_lib);
++				if (err < 0) {
++					SNDERR("Invalid entry in PCM %s libs definition", str);
++					goto _err;
++				}
++
++				if (!open_func) {
++					open_func = snd_dlobj_cache_get(libs_lib, open_name,
++						SND_DLSYM_VERSION(SND_PCM_DLSYM_VERSION), 0);
++				}
++			}
++		}
++
++		// Print error messages.
++		if (!open_func) {
++			if (lib) {
++				SNDERR("Either %s cannot be opened or %s was not defined inside",
++					lib, open_name);
++			}
++
++			snd_config_for_each(i, next, libs) {
++				snd_config_t *n = snd_config_iterator_entry(i);
++
++				snd_config_get_string(n, &libs_lib);
++				SNDERR("Either %s cannot be opened or %s was not defined inside",
++					libs_lib, open_name);
++			}
++		}
++	}
++
++	// Look in ALSA_PLUGIN_DIR iff we found nowhere else to look.
++	if (!lib && (!libs || !libs_lib)) {
+ 		const char *const *build_in = build_in_pcms;
+ 		while (*build_in) {
+ 			if (!strcmp(*build_in, str))
+@@ -2200,12 +2272,11 @@ static int snd_pcm_open_conf(snd_pcm_t **pcmp, const char *name,
+ 			lib = buf1;
+ 			sprintf(buf1, "%s/libasound_module_pcm_%s.so", ALSA_PLUGIN_DIR, str);
+ 		}
+-	}
+-#ifndef PIC
+-	snd_pcm_open_symbols();	/* this call is for static linking only */
+-#endif
+-	open_func = snd_dlobj_cache_get(lib, open_name,
++
++		open_func = snd_dlobj_cache_get(lib, open_name,
+ 			SND_DLSYM_VERSION(SND_PCM_DLSYM_VERSION), 1);
++	}
++
+ 	if (open_func) {
+ 		err = open_func(pcmp, name, pcm_root, pcm_conf, stream, mode);
+ 		if (err >= 0) {
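Review bot: In the error-reporting loop of both `snd_ctl_open_conf` (control.c) and `snd_pcm_open_conf` (pcm.c), the return value of `snd_config_get_string(n, &libs_lib)` is ignored before `libs_lib` is passed to `SNDERR` as a `%s` argument. That is safe today only because the earlier loop has already rejected every non-string entry with `goto _err`; `if (snd_config_get_string(n, &libs_lib) < 0) continue;` would make the second loop self-contained. The new `if (!open_func)` test is also reached before any assignment when `lib` is unset, so it relies on `open_func` being initialised to NULL in a declaration that is outside the lines shown here. Both functions begin and end outside the patch hunks. The two added blocks are identical apart from the CTL/PCM names, so a shared helper would halve what has to be kept in sync.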
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix
new file mode 100644
index 000000000000..db8ede6feb81
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchurl
+, alsa-topology-conf
+, alsa-ucm-conf
+}:
+
+stdenv.mkDerivation rec {
+  pname = "alsa-lib";
+  version = "1.2.7.2";
+
+  src = fetchurl {
+    url = "mirror://alsa/lib/${pname}-${version}.tar.bz2";
+    hash = "sha256-ijW3IY5Q8qLHk0LQ3pje2BQ5zhnhKAk4Xsm+lZbefC8=";
+  };
+
+  patches = [
+    # Add a "libs" field to the syntax recognized in the /etc/asound.conf file.
+    # The nixos modules for pulseaudio, jack, and pipewire are leveraging this
+    # "libs" field to declare locations for both native and 32bit plugins, in
+    # order to support apps with 32bit sound running on x86_64 architecture.
+    ./alsa-plugin-conf-multilib.patch
+  ];
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    ln -s ${alsa-ucm-conf}/share/alsa/{ucm,ucm2} $out/share/alsa
+    ln -s ${alsa-topology-conf}/share/alsa/topology $out/share/alsa
+  '';
+
+  outputs = [ "out" "dev" ];
+
+  meta = with lib; {
+    homepage = "http://www.alsa-project.org/";
+    description = "ALSA, the Advanced Linux Sound Architecture libraries";
+
+    longDescription = ''
+      The Advanced Linux Sound Architecture (ALSA) provides audio and
+      MIDI functionality to the Linux-based operating system.
+    '';
+
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ l-as ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix
new file mode 100644
index 000000000000..f600b52c5f3a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix
@@ -0,0 +1,31 @@
+{lib, stdenv, fetchurl, alsa-lib, gettext, ncurses, libsamplerate}:
+
+stdenv.mkDerivation rec {
+  pname = "alsa-oss";
+  version = "1.1.8";
+
+  src = fetchurl {
+    url = "mirror://alsa/oss-lib/${pname}-${version}.tar.bz2";
+    sha256 = "13nn6n6wpr2sj1hyqx4r9nb9bwxnhnzw8r2f08p8v13yjbswxbb4";
+  };
+
+  buildInputs = [ alsa-lib ncurses libsamplerate ];
+  nativeBuildInputs = [ gettext ];
+
+  configureFlags = [ "--disable-xmlto" ];
+
+  installFlags = [ "ASOUND_STATE_DIR=$(TMPDIR)/dummy" ];
+
+  meta = with lib; {
+    homepage = "http://www.alsa-project.org/";
+    description = "ALSA, the Advanced Linux Sound Architecture alsa-oss emulation";
+
+    longDescription = ''
+      The Advanced Linux Sound Architecture (ALSA) provides audio and
+      MIDI functionality to the Linux-based operating system.
+    '';
+
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix
new file mode 100644
index 000000000000..ababb767955b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, fetchurl, lib, pkg-config, alsa-lib, libogg, libpulseaudio ? null, libjack2 ? null }:
+
+stdenv.mkDerivation rec {
+  pname = "alsa-plugins";
+  version = "1.2.7.1";
+
+  src = fetchurl {
+    url = "mirror://alsa/plugins/${pname}-${version}.tar.bz2";
+    hash = "sha256-jDN4FJVLt8FnRWczpgRhQqKTHxLsy6PsKkrmGKNDJRE=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+
+  # ToDo: a52, etc.?
+  buildInputs =
+    [ alsa-lib libogg ]
+    ++ lib.optional (libpulseaudio != null) libpulseaudio
+    ++ lib.optional (libjack2 != null) libjack2;
+
+  meta = with lib; {
+    description = "Various plugins for ALSA";
+    homepage = "http://alsa-project.org/";
+    license = licenses.lgpl21;
+    maintainers = [ maintainers.marcweber ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix
new file mode 100644
index 000000000000..992f4886e262
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix
@@ -0,0 +1,10 @@
+{ stdenv
+, alsa-plugins
+, writeShellScriptBin
+}:
+let
+  arch = if stdenv.hostPlatform.system == "i686-linux" then "32" else "64";
+in
+writeShellScriptBin "ap${arch}" ''
+  ALSA_PLUGIN_DIRS=${alsa-plugins}/lib/alsa-lib "$@"
+''
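Review bot: Nothing added in this diff reads `ALSA_PLUGIN_DIRS`: the alsa-lib derivation applies only `alsa-plugin-conf-multilib.patch`, and that patch relies on the compile-time `ALSA_PLUGIN_DIR` and the new `libs` config key. Unless alsa-lib consumes this variable somewhere not shown here, the `ap32`/`ap64` wrapper has no effect and should be dropped or pointed at a mechanism the library actually honours. If it stays, `exec` avoids leaving an extra shell between the caller and the program: `ALSA_PLUGIN_DIRS=${alsa-plugins}/lib/alsa-lib exec "$@"`. Note also that `arch` evaluates to `"64"` for every system other than `i686-linux`, including other 32-bit platforms.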
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix
new file mode 100644
index 000000000000..8b9abb74036b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv, fetchurl, alsa-lib, pkg-config, gtk2, gtk3, fltk13 }:
+# Comes from upstream as as bundle of several tools,
+# some use gtk2, some gtk3 (and some even fltk13).
+
+stdenv.mkDerivation rec {
+  pname = "alsa-tools";
+  version = "1.2.5";
+
+  src = fetchurl {
+    url = "mirror://alsa/tools/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-NacQJ6AfTX3kci4iNSDpQN5os8VwtsZxaRVnrij5iT4=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ alsa-lib gtk2 gtk3 fltk13 ];
+
+  patchPhase = ''
+    export tools="as10k1 hda-verb hdspmixer echomixer hdajackretask hdspconf hwmixvolume mixartloader rmedigicontrol sscape_ctl vxloader envy24control hdajacksensetest hdsploader ld10k1 pcxhrloader sb16_csp us428control"
+    # export tools="as10k1 hda-verb hdspmixer qlo10k1 seq usx2yloader echomixer hdajackretask hdspconf hwmixvolume mixartloader rmedigicontrol sscape_ctl vxloader envy24control hdajacksensetest hdsploader ld10k1 pcxhrloader sb16_csp us428control"
+  '';
+
+  configurePhase = ''
+    for tool in $tools; do
+      echo "Tool: $tool:"
+      cd "$tool"; ./configure --prefix="$out"; cd -
+    done
+  '';
+
+  buildPhase = ''
+    for tool in $tools; do
+      cd "$tool"; make; cd -
+    done
+  '';
+
+  installPhase = ''
+    for tool in $tools; do
+      cd "$tool"; make install; cd -
+    done
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.alsa-project.org/";
+    description = "ALSA, the Advanced Linux Sound Architecture tools";
+
+    longDescription = ''
+      The Advanced Linux Sound Architecture (ALSA) provides audio and
+      MIDI functionality to the Linux-based operating system.
+    '';
+
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.fps ];
+  };
+}
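Review bot: Overriding `patchPhase` only to export `tools` means the default patch phase never runs, so a `patches = [ … ]` attribute added later (a security fix, for example) would be silently ignored. Moving the `export tools=…` line into `postPatch` or `preConfigure` keeps the standard phase intact. The custom `configurePhase`, `buildPhase` and `installPhase` also omit the `runHook pre…` / `runHook post…` calls and invoke plain `make`, so `makeFlags` and parallel-build settings would have no effect on this derivation.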
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix
new file mode 100644
index 000000000000..e0dfc879fbc9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  name = "alsa-topology-conf-${version}";
+  version = "1.2.5.1";
+
+  src = fetchurl {
+    url = "mirror://alsa/lib/${name}.tar.bz2";
+    sha256 = "sha256-98W64VRavNc4JLyX9OcsNA4Rq+oYi6DxwG9eCtd2sXk=";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share/alsa
+    cp -r topology $out/share/alsa
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.alsa-project.org/";
+    description = "ALSA topology configuration files";
+
+    longDescription = ''
+      The Advanced Linux Sound Architecture (ALSA) provides audio and
+      MIDI functionality to the Linux-based operating system.
+    '';
+
+    license = licenses.bsd3;
+    maintainers = [ maintainers.roastiek ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix
new file mode 100644
index 000000000000..512fe605b6e5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "alsa-ucm-conf";
+  version = "1.2.7.1";
+
+  src = fetchurl {
+    url = "mirror://alsa/lib/${pname}-${version}.tar.bz2";
+    hash = "sha256-rFsqEnV4Pv8H4cs0w2xsWYd0JnmjQAN1B8BKncHSLKw=";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share/alsa
+    cp -r ucm ucm2 $out/share/alsa
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.alsa-project.org/";
+    description = "ALSA Use Case Manager configuration";
+
+    longDescription = ''
+      The Advanced Linux Sound Architecture (ALSA) provides audio and
+      MIDI functionality to the Linux-based operating system.
+    '';
+
+    license = licenses.bsd3;
+    maintainers = [ maintainers.roastiek ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix
new file mode 100644
index 000000000000..e8c6a2ae566f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix
@@ -0,0 +1,36 @@
+{lib, stdenv, fetchurl, alsa-lib, gettext, makeWrapper, ncurses, libsamplerate, pciutils, which, fftw}:
+
+stdenv.mkDerivation rec {
+  pname = "alsa-utils";
+  version = "1.2.7";
+
+  src = fetchurl {
+    url = "mirror://alsa/utils/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-6Qa/JAT/BMRI6qPSJtKDpiuaKD8S5P2EV/skusJ05ng=";
+  };
+
+  nativeBuildInputs = [ gettext makeWrapper ];
+  buildInputs = [ alsa-lib ncurses libsamplerate fftw ];
+
+  configureFlags = [ "--disable-xmlto" "--with-udev-rules-dir=$(out)/lib/udev/rules.d" ];
+
+  installFlags = [ "ASOUND_STATE_DIR=$(TMPDIR)/dummy" ];
+
+  postFixup = ''
+    mv $out/bin/alsa-info.sh $out/bin/alsa-info
+    wrapProgram $out/bin/alsa-info --prefix PATH : "${lib.makeBinPath [ which pciutils ]}"
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.alsa-project.org/";
+    description = "ALSA, the Advanced Linux Sound Architecture utils";
+    longDescription = ''
+      The Advanced Linux Sound Architecture (ALSA) provides audio and
+      MIDI functionality to the Linux-based operating system.
+    '';
+
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.AndersonTorres ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/amdgpu-pro/default.nix b/nixpkgs/pkgs/os-specific/linux/amdgpu-pro/default.nix
new file mode 100644
index 000000000000..241145a24843
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/amdgpu-pro/default.nix
@@ -0,0 +1,222 @@
+{ lib
+, stdenv
+, fetchurl
+, elfutils
+, xorg
+, patchelf
+, libxcb
+, libxshmfence
+, perl
+, zlib
+, expat
+, libffi
+, libselinux
+, libdrm
+, udev
+, kernel ? null
+}:
+
+with lib;
+
+let
+
+  bitness = if stdenv.is64bit then "64" else "32";
+
+  libArch =
+    if stdenv.hostPlatform.system == "i686-linux" then
+      "i386-linux-gnu"
+    else if stdenv.hostPlatform.system == "x86_64-linux" then
+      "x86_64-linux-gnu"
+    else throw "amdgpu-pro is Linux only. Sorry.";
+
+in stdenv.mkDerivation rec {
+
+  version = "21.30";
+  pname = "amdgpu-pro";
+  build = "${version}-1290604";
+
+  src = fetchurl {
+    url = "https://drivers.amd.com/drivers/linux/amdgpu-pro-${build}-ubuntu-20.04.tar.xz";
+    sha256 = "sha256-WECqxjo2WLP3kMWeVyJgYufkvHTzwGaj57yeMGXiQ4I=";
+    curlOpts = "--referer https://www.amd.com/en/support/kb/release-notes/rn-amdgpu-unified-linux-21-30";
+  };
+
+  postUnpack = ''
+    mkdir root
+    pushd $sourceRoot
+    for deb in *_all.deb *_${if stdenv.is64bit then "amd64" else "i386"}.deb
+    do
+      ar p $deb data.tar.xz | tar -C ../root -xJ
+    done
+    popd
+    # if we don't use a short sourceRoot, compilation can fail due to command
+    # line length
+    sourceRoot=root
+  '';
+
+  passthru = optionalAttrs (kernel != null) {
+    kmod = stdenv.mkDerivation rec {
+      inherit version src postUnpack;
+      name = "${pname}-${version}-kmod-${kernel.dev.version}";
+
+      postPatch = ''
+        pushd usr/src/amdgpu-*
+        patchShebangs amd/dkms/*.sh
+        substituteInPlace amd/dkms/pre-build.sh --replace "./configure" "./configure --with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source --with-linux-obj=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+        popd
+      '';
+
+      preConfigure = ''
+        pushd usr/src/amdgpu-*
+        makeFlags="$makeFlags M=$(pwd)"
+        amd/dkms/pre-build.sh ${kernel.version}
+        popd
+      '';
+
+      postBuild = ''
+        pushd usr/src/amdgpu-*
+        find -name \*.ko -exec xz {} \;
+        popd
+      '';
+
+      makeFlags = optionalString (kernel != null) "-C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build modules";
+
+      installPhase = ''
+        runHook preInstall
+
+        pushd usr/src/amdgpu-*
+        find -name \*.ko.xz -exec install -Dm444 {} $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/gpu/drm/{} \;
+        popd
+
+        runHook postInstall
+      '';
+
+      # without this we get a collision with the ttm module from linux
+      meta.priority = 4;
+    };
+
+    fw = stdenv.mkDerivation rec {
+      inherit version src postUnpack;
+      name = "${pname}-${version}-fw";
+
+      installPhase = ''
+        runHook preInstall
+
+        mkdir -p $out/lib
+        cp -r usr/src/amdgpu-*/firmware $out/lib/firmware
+
+        runHook postInstall
+      '';
+    };
+  };
+
+  outputs = [ "out" "vulkan" ];
+
+  depLibPath = makeLibraryPath [
+    stdenv.cc.cc.lib
+    zlib
+    libxcb
+    libxshmfence
+    elfutils
+    expat
+    libffi
+    libselinux
+    # libudev is not listed in any dependencies, but is loaded dynamically
+    udev
+    xorg.libXext
+    xorg.libX11
+    xorg.libXfixes
+    xorg.libXdamage
+    xorg.libXxf86vm
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+
+    cp -r usr/lib/${libArch} $out/lib
+    cp -r usr/share $out/share
+
+    mkdir -p $out/opt/amdgpu{,-pro}
+    cp -r opt/amdgpu-pro/lib/${libArch} $out/opt/amdgpu-pro/lib
+    cp -r opt/amdgpu/lib/${libArch} $out/opt/amdgpu/lib
+
+    pushd $out/lib
+    ln -s ../opt/amdgpu-pro/lib/libGL.so* .
+    ln -s ../opt/amdgpu-pro/lib/libEGL.so* .
+    popd
+
+    # short name to allow replacement below
+    ln -s lib/dri $out/dri
+
+  '' + optionalString (stdenv.is64bit) ''
+    mkdir -p $out/etc
+    pushd etc
+    cp -r modprobe.d udev amd $out/etc
+    popd
+
+    cp -r lib/udev/rules.d/* $out/etc/udev/rules.d
+    cp -r opt/amdgpu/lib/xorg $out/lib/xorg
+    cp -r opt/amdgpu-pro/lib/xorg/* $out/lib/xorg
+    cp -r opt/amdgpu/share $out/opt/amdgpu/share
+  '' + ''
+
+    mkdir -p $vulkan/share/vulkan/icd.d
+    install opt/amdgpu-pro/etc/vulkan/icd.d/amd_icd${bitness}.json $vulkan/share/vulkan/icd.d
+
+    runHook postInstall
+  '';
+
+  preFixup = (if stdenv.is64bit
+    # this could also be done with LIBGL_DRIVERS_PATH, but it would need to be
+    # set in the user session and for Xorg
+    then ''
+      expr1='s:/opt/amdgpu/lib/x86_64-linux-gnu/dri\0:/run/opengl-driver/lib/dri\0\0\0\0\0\0\0\0\0\0\0:g'
+      expr2='s:/usr/lib/x86_64-linux-gnu/dri[\0\:]:/run/opengl-driver/lib/dri\0\0\0\0:g'
+      perl -pi -e "$expr2" $out/lib/xorg/modules/extensions/libglx.so
+    ''
+    else ''
+      expr1='s:/opt/amdgpu/lib/i386-linux-gnu/dri\0:/run/opengl-driver-32/lib/dri\0\0\0\0\0\0:g'
+      # we replace a different path on 32-bit because it's the only one long
+      # enough to fit the target path :(
+      expr2='s:/usr/lib/i386-linux-gnu/dri[\0\:]:/run/opengl-driver-32/dri\0\0\0:g'
+    '') + ''
+    perl -pi -e "$expr1" \
+      $out/opt/amdgpu/lib/libEGL.so.1.0.0 \
+      $out/opt/amdgpu/lib/libgbm.so.1.0.0 \
+      $out/opt/amdgpu/lib/libGL.so.1.2.0
+
+    perl -pi -e "$expr2" \
+      $out/opt/amdgpu-pro/lib/libEGL.so.1 \
+      $out/opt/amdgpu-pro/lib/libGL.so.1.2 \
+      $out/opt/amdgpu-pro/lib/libGLX_amd.so.0
+
+    find $out -type f -exec perl -pi -e 's:/opt/amdgpu-pro/:/run/amdgpu-pro/:g' {} \;
+    find $out -type f -exec perl -pi -e 's:/opt/amdgpu/:/run/amdgpu/:g' {} \;
+
+    substituteInPlace $vulkan/share/vulkan/icd.d/*.json --replace /opt/amdgpu-pro/lib/${libArch} "$out/opt/amdgpu-pro/lib"
+  '';
+
+  # doing this in post because shrinking breaks things that dynamically load
+  postFixup = ''
+    libPath="$out/opt/amdgpu/lib:$out/opt/amdgpu-pro/lib:$depLibPath"
+    find "$out" -name '*.so*' -type f -exec patchelf --set-rpath "$libPath" {} \;
+  '';
+
+  buildInputs = [
+    libdrm
+    patchelf
+    perl
+  ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "AMDGPU-PRO drivers";
+    homepage =  "https://www.amd.com/en/support";
+    license = licenses.unfree;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ corngood ];
+  };
+}
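Review bot: The `perl -pi -e "$expr1"` and `perl -pi -e "$expr2"` rewrites in `preFixup` succeed even when the pattern matches nothing. If a vendor release changes the embedded DRI search path, the proprietary libraries would ship still pointing at `/usr/lib/…/dri` or `/opt/amdgpu/lib/…/dri`, which are host locations outside the store. A check after the substitutions would turn that into a build failure, for example (a sketch, to be tuned against the real binaries) `if grep -rqaF "/usr/lib/${libArch}/dri:" $out/opt/amdgpu-pro/lib; then echo "unpatched DRI path" >&2; exit 1; fi`. Separately, `libArch` throws "amdgpu-pro is Linux only" for any Linux system that is not i686 or x86_64 while `meta.platforms` is `platforms.linux`; `platforms = [ "i686-linux" "x86_64-linux" ];` would match what the expression supports.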
diff --git a/nixpkgs/pkgs/os-specific/linux/anbox/default.nix b/nixpkgs/pkgs/os-specific/linux/anbox/default.nix
new file mode 100644
index 000000000000..2a98aa82ebbd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/anbox/default.nix
@@ -0,0 +1,159 @@
+{ lib, stdenv, fetchFromGitHub, fetchurl
+, cmake, pkg-config, dbus, makeWrapper
+, boost
+, elfutils # for libdw
+, git
+, glib
+, glm
+, gtest
+, libbfd
+, libcap
+, libdwarf
+, libGL
+, libglvnd
+, lxc
+, mesa
+, properties-cpp
+, protobuf
+, protobufc
+, python3
+, runtimeShell
+, SDL2
+, SDL2_image
+, systemd
+, writeText
+, writeScript
+}:
+
+let
+
+  dbus-service = writeText "org.anbox.service" ''
+    [D-BUS Service]
+    Name=org.anbox
+    Exec=@out@/libexec/anbox-session-manager
+  '';
+
+  anbox-application-manager = writeScript "anbox-application-manager" ''
+    #!${runtimeShell}
+
+    ${systemd}/bin/busctl --user call \
+        org.freedesktop.DBus \
+        /org/freedesktop/DBus \
+        org.freedesktop.DBus \
+        StartServiceByName "su" org.anbox 0
+
+    @out@/bin/anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
+  '';
+
+in
+
+stdenv.mkDerivation rec {
+  pname = "anbox";
+  version = "unstable-2021-10-20";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "84f0268012cbe322ad858d76613f4182074510ac";
+    sha256 = "sha256-QXWhatewiUDQ93cH1UZsYgbjUxpgB1ajtGFYZnKmabc=";
+    fetchSubmodules = true;
+  };
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    makeWrapper
+  ];
+
+  buildInputs = [
+    boost
+    dbus
+    elfutils # libdw
+    glib
+    glm
+    gtest
+    libbfd
+    libcap
+    libdwarf
+    libGL
+    lxc
+    mesa
+    properties-cpp
+    protobuf protobufc
+    python3
+    SDL2 SDL2_image
+    systemd
+  ];
+
+  patchPhase = ''
+    patchShebangs scripts
+
+    cat >cmake/FindGMock.cmake <<'EOF'
+      add_library(gtest INTERFACE)
+      target_include_directories(gtest INTERFACE ${gtest.dev}/include)
+      target_link_libraries(gtest INTERFACE ${gtest}/lib/libgtest.so ''${CMAKE_THREAD_LIBS_INIT})
+      add_dependencies(gtest GMock)
+
+      add_library(gtest_main INTERFACE)
+      target_include_directories(gtest_main INTERFACE ${gtest.dev}/include)
+      target_link_libraries(gtest_main INTERFACE ${gtest}/lib/libgtest_main.so gtest)
+
+      add_library(gmock INTERFACE)
+      target_include_directories(gmock INTERFACE ${gtest.dev}/include)
+      target_link_libraries(gmock INTERFACE ${gtest}/lib/libgmock.so gtest)
+
+      add_library(gmock_main INTERFACE)
+      target_include_directories(gmock_main INTERFACE ${gtest.dev}/include)
+      target_link_libraries(gmock_main INTERFACE ${gtest}/lib/libgmock_main.so gmock gtest_main)
+
+      set(GTEST_LIBRARIES gtest)
+      set(GTEST_MAIN_LIBRARIES gtest_main)
+      set(GMOCK_LIBRARIES gmock gmock_main)
+      set(GTEST_BOTH_LIBRARIES ''${GTEST_LIBRARIES} ''${GTEST_MAIN_LIBRARIES})
+    EOF
+  '';
+
+  postInstall = ''
+    wrapProgram $out/bin/anbox \
+      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [libGL libglvnd]} \
+      --prefix PATH : ${git}/bin
+
+    mkdir -p $out/share/dbus-1/services
+    substitute ${dbus-service} $out/share/dbus-1/services/org.anbox.service \
+      --subst-var out
+
+    mkdir $out/libexec
+    makeWrapper $out/bin/anbox $out/libexec/anbox-session-manager \
+      --add-flags session-manager
+
+    substitute ${anbox-application-manager} $out/bin/anbox-application-manager \
+      --subst-var out
+  '';
+
+  passthru.image = let
+    imgroot = "https://build.anbox.io/android-images";
+  in
+    {
+      armv7l-linux = fetchurl {
+        url = imgroot + "/2017/06/12/android_1_armhf.img";
+        sha256 = "1za4q6vnj8wgphcqpvyq1r8jg6khz7v6b7h6ws1qkd5ljangf1w5";
+      };
+      aarch64-linux = fetchurl {
+        url = imgroot + "/2017/08/04/android_1_arm64.img";
+        sha256 = "02yvgpx7n0w0ya64y5c7bdxilaiqj9z3s682l5s54vzfnm5a2bg5";
+      };
+      x86_64-linux = fetchurl {
+        url = imgroot + "/2018/07/19/android_amd64.img";
+        sha256 = "1jlcda4q20w30cm9ikm6bjq01p547nigik1dz7m4v0aps4rws13b";
+      };
+    }.${stdenv.system} or null;
+
+  meta = with lib; {
+    homepage = "https://anbox.io";
+    description = "Android in a box";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ edwtjo ];
+    platforms = [ "armv7l-linux" "aarch64-linux" "x86_64-linux" ];
+  };
+
+}
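Review bot: The three `passthru.image` entries pin Android system images whose URL paths date them to 2017 and 2018, and nothing in the expression says so. The `sha256` on each `fetchurl` guarantees the bytes are the ones that were hashed, not that the image has received any platform fixes since, so a guest started from them should presumably be treated as unpatched. A comment above `imgroot` would make that visible, for example `# fixed upstream builds from 2017/2018; the hashes pin integrity, not patch level`.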
diff --git a/nixpkgs/pkgs/os-specific/linux/android-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/android-udev-rules/default.nix
new file mode 100644
index 000000000000..530292fe8629
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/android-udev-rules/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+## Usage
+# In NixOS, simply add this package to services.udev.packages:
+#   services.udev.packages = [ pkgs.android-udev-rules ];
+
+stdenv.mkDerivation rec {
+  pname = "android-udev-rules";
+  version = "20220102";
+
+  src = fetchFromGitHub {
+    owner = "M0Rf30";
+    repo = "android-udev-rules";
+    rev = version;
+    sha256 = "sha256-D2dPFvuFcZtosfTfsW0lmK5y8zqHdIxJBlvmP/R91CE=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+    install -D 51-android.rules $out/lib/udev/rules.d/51-android.rules
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/M0Rf30/android-udev-rules";
+    description = "Android udev rules list aimed to be the most comprehensive on the net";
+    platforms = platforms.linux;
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
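Review bot: `install -D 51-android.rules …` in `installPhase` passes no mode, so the rules file is installed with install's default of 0755 and carries an executable bit it does not need. A udev rules file is plain data; `install -Dm644 51-android.rules $out/lib/udev/rules.d/51-android.rules` states the intended mode.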
diff --git a/nixpkgs/pkgs/os-specific/linux/apfs/default.nix b/nixpkgs/pkgs/os-specific/linux/apfs/default.nix
new file mode 100644
index 000000000000..bcc53e82b9aa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/apfs/default.nix
@@ -0,0 +1,35 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+}:
+
+stdenv.mkDerivation {
+  pname = "apfs";
+  version = "unstable-2022-07-24-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "linux-apfs";
+    repo = "linux-apfs-rw";
+    rev = "925d86b7be3ccf21b17734cfececf40e43c4598e";
+    sha256 = "sha256-N5lGJu4c03cVDk3WTcegzZHBDmguPEX8dCedJS2TMSI=";
+  };
+
+  hardeningDisable = [ "pic" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  meta = with lib; {
+    description = "APFS module for linux";
+    homepage = "https://github.com/linux-apfs/linux-apfs-rw";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.9" || kernel.kernelAtLeast "5.19";
+    maintainers = with maintainers; [ Luflosi ];
+  };
+}
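Review bot: `hardeningDisable = [ "pic" ];` switches off a hardening flag without a comment giving the reason, here and in the asus-ec-sensors and asus-wmi-sensors expressions later in this diff. For an out-of-tree kernel module this is presumably because the kernel build does not accept position-independent code, not a relaxation of userspace hardening. Someone auditing disabled hardening flags cannot tell that from the line alone. I would add above it `# out-of-tree kernel module: must not be compiled with -fPIC`.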
diff --git a/nixpkgs/pkgs/os-specific/linux/apparmor/default.nix b/nixpkgs/pkgs/os-specific/linux/apparmor/default.nix
new file mode 100644
index 000000000000..f7a2c0c52a95
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/apparmor/default.nix
@@ -0,0 +1,347 @@
+{ stdenv, lib, fetchFromGitLab, fetchpatch, makeWrapper, autoreconfHook
+, pkg-config, which
+, flex, bison
+, linuxHeaders ? stdenv.cc.libc.linuxHeaders
+, gawk
+, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform perl, perl
+, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform python3, python3
+, swig
+, ncurses
+, pam
+, libnotify
+, buildPackages
+, coreutils
+, bash
+, gnugrep
+, gnused
+, kmod
+, writeShellScript
+, closureInfo
+, runCommand
+}:
+
+let
+  apparmor-version = "3.0.4";
+
+  apparmor-meta = component: with lib; {
+    homepage = "https://apparmor.net/";
+    description = "A mandatory access control system - ${component}";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ joachifm julm thoughtpolice ];
+    platforms = platforms.linux;
+  };
+
+  apparmor-sources = fetchFromGitLab {
+    owner = "apparmor";
+    repo = "apparmor";
+    rev = "v${apparmor-version}";
+    sha256 = "1a217j28rgfq4lsmpn0wv1xgmdr9ba8iysv9i6q477kj6z77zrb9";
+  };
+
+  aa-teardown = writeShellScript "aa-teardown" ''
+    PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"
+    . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
+    remove_profiles
+  '';
+
+  prePatchCommon = ''
+    chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
+    patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh
+    substituteInPlace ./common/Make.rules \
+      --replace "/usr/bin/pod2man" "${buildPackages.perl}/bin/pod2man" \
+      --replace "/usr/bin/pod2html" "${buildPackages.perl}/bin/pod2html" \
+      --replace "/usr/share/man" "share/man"
+    substituteInPlace ./utils/Makefile \
+      --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
+  '';
+
+  patches = lib.optionals stdenv.hostPlatform.isMusl [
+    (fetchpatch {
+      url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
+      name = "0003-Added-missing-typedef-definitions-on-parser.patch";
+      sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0";
+    })
+  ];
+
+  python = python3.withPackages (ps: with ps; [ setuptools ]);
+
+  # Set to `true` after the next FIXME gets fixed or this gets some
+  # common derivation infra. Too much copy-paste to fix one by one.
+  doCheck = false;
+
+  # FIXME: convert these to a single multiple-outputs package?
+
+  libapparmor = stdenv.mkDerivation {
+    pname = "libapparmor";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+   # checking whether python bindings are enabled... yes
+   # checking for python3... no
+   # configure: error: python is required when enabling python bindings
+    strictDeps = false;
+
+    nativeBuildInputs = [
+      autoreconfHook
+      bison
+      flex
+      pkg-config
+      swig
+      ncurses
+      which
+      perl
+    ] ++ lib.optional withPython python;
+
+    buildInputs = lib.optional withPerl perl
+      ++ lib.optional withPython python;
+
+    # required to build apparmor-parser
+    dontDisableStatic = true;
+
+    prePatch = prePatchCommon + ''
+      substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.am --replace install_vendor install_site
+    '';
+    inherit patches;
+
+    postPatch = ''
+      cd ./libraries/libapparmor
+    '';
+
+    # https://gitlab.com/apparmor/apparmor/issues/1
+    configureFlags = [
+      (lib.withFeature withPerl "perl")
+      (lib.withFeature withPython "python")
+    ];
+
+    outputs = [ "out" ] ++ lib.optional withPython "python";
+
+    postInstall = lib.optionalString withPython ''
+      mkdir -p $python/lib
+      mv $out/lib/python* $python/lib/
+    '';
+
+    inherit doCheck;
+
+    meta = apparmor-meta "library";
+  };
+
+  apparmor-utils = stdenv.mkDerivation {
+    pname = "apparmor-utils";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    strictDeps = true;
+
+    nativeBuildInputs = [ makeWrapper which python ];
+
+    buildInputs = [
+      bash
+      perl
+      python
+      libapparmor
+      libapparmor.python
+    ];
+
+    prePatch = prePatchCommon +
+      # Do not build vim file
+      lib.optionalString stdenv.hostPlatform.isMusl ''
+        sed -i ./utils/Makefile -e "/\<vim\>/d"
+      '' + ''
+      for file in utils/apparmor/easyprof.py utils/apparmor/aa.py utils/logprof.conf; do
+        substituteInPlace $file --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+      done
+    '';
+    inherit patches;
+    postPatch = "cd ./utils";
+    makeFlags = [ "LANGS=" ];
+    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
+
+    postInstall = ''
+      sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"
+      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do
+        wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.sitePackages}:$PYTHONPATH"
+      done
+
+      substituteInPlace $out/bin/aa-notify \
+        --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \
+        --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"
+
+      substituteInPlace $out/bin/aa-remove-unknown \
+       --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
+      wrapProgram $out/bin/aa-remove-unknown \
+       --prefix PATH : ${lib.makeBinPath [ gawk ]}
+
+      ln -s ${aa-teardown} $out/bin/aa-teardown
+    '';
+
+    inherit doCheck;
+
+    meta = apparmor-meta "user-land utilities" // {
+      broken = !(withPython && withPerl);
+    };
+  };
+
+  apparmor-bin-utils = stdenv.mkDerivation {
+    pname = "apparmor-bin-utils";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    nativeBuildInputs = [
+      pkg-config
+      libapparmor
+      which
+    ];
+
+    buildInputs = [
+      libapparmor
+    ];
+
+    prePatch = prePatchCommon;
+    postPatch = ''
+      cd ./binutils
+    '';
+    makeFlags = [ "LANGS=" "USE_SYSTEM=1" ];
+    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "SBINDIR=$(out)/bin" ];
+
+    inherit doCheck;
+
+    meta = apparmor-meta "binary user-land utilities";
+  };
+
+  apparmor-parser = stdenv.mkDerivation {
+    name = "apparmor-parser";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    nativeBuildInputs = [ bison flex which ];
+
+    buildInputs = [ libapparmor ];
+
+    prePatch = prePatchCommon + ''
+      ## techdoc.pdf still doesn't build ...
+      substituteInPlace ./parser/Makefile \
+        --replace "/usr/bin/bison" "${bison}/bin/bison" \
+        --replace "/usr/bin/flex" "${flex}/bin/flex" \
+        --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" \
+        --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+      substituteInPlace parser/rc.apparmor.functions \
+       --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"
+      sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
+    '';
+    inherit patches;
+    postPatch = ''
+      cd ./parser
+    '';
+    makeFlags = [
+      "LANGS=" "USE_SYSTEM=1" "INCLUDEDIR=${libapparmor}/include"
+      "AR=${stdenv.cc.bintools.targetPrefix}ar"
+    ];
+    installFlags = [ "DESTDIR=$(out)" "DISTRO=unknown" ];
+
+    inherit doCheck;
+
+    meta = apparmor-meta "rule parser";
+  };
+
+  apparmor-pam = stdenv.mkDerivation {
+    pname = "apparmor-pam";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    nativeBuildInputs = [ pkg-config which ];
+
+    buildInputs = [ libapparmor pam ];
+
+    postPatch = ''
+      cd ./changehat/pam_apparmor
+    '';
+    makeFlags = [ "USE_SYSTEM=1" ];
+    installFlags = [ "DESTDIR=$(out)" ];
+
+    inherit doCheck;
+
+    meta = apparmor-meta "PAM service";
+  };
+
+  apparmor-profiles = stdenv.mkDerivation {
+    pname = "apparmor-profiles";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    nativeBuildInputs = [ which ];
+
+    postPatch = ''
+      cd ./profiles
+    '';
+
+    installFlags = [ "DESTDIR=$(out)" "EXTRAS_DEST=$(out)/share/apparmor/extra-profiles" ];
+
+    inherit doCheck;
+
+    meta = apparmor-meta "profiles";
+  };
+
+  apparmor-kernel-patches = stdenv.mkDerivation {
+    pname = "apparmor-kernel-patches";
+    version = apparmor-version;
+
+    src = apparmor-sources;
+
+    dontBuild = true;
+
+    installPhase = ''
+      mkdir "$out"
+      cp -R ./kernel-patches/* "$out"
+    '';
+
+    inherit doCheck;
+
+    meta = apparmor-meta "kernel patches";
+  };
+
+  # Generate generic AppArmor rules in a file, from the closure of given
+  # rootPaths. To be included in an AppArmor profile like so:
+  #
+  #   include "${apparmorRulesFromClosure { } [ pkgs.hello ]}"
+  apparmorRulesFromClosure =
+    { # The store path of the derivation is given in $path
+      additionalRules ? []
+      # TODO: factorize here some other common paths
+      # that may emerge from use cases.
+    , baseRules ? [
+        "r $path"
+        "r $path/etc/**"
+        "r $path/share/**"
+        # Note that not all libraries are prefixed with "lib",
+        # eg. glibc-2.30/lib/ld-2.30.so
+        "mr $path/lib/**.so*"
+        # eg. glibc-2.30/lib/gconv/gconv-modules
+        "r $path/lib/**"
+      ]
+    , name ? ""
+    }: rootPaths: runCommand
+      ( "apparmor-closure-rules"
+      + lib.optionalString (name != "") "-${name}" ) {} ''
+    touch $out
+    while read -r path
+    do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}
+    done <${closureInfo { inherit rootPaths; }}/store-paths
+  '';
+in
+{
+  inherit
+    libapparmor
+    apparmor-utils
+    apparmor-bin-utils
+    apparmor-parser
+    apparmor-pam
+    apparmor-profiles
+    apparmor-kernel-patches
+    apparmorRulesFromClosure;
+}
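Review bot: `apparmorRulesFromClosure` splices every entry of `baseRules ++ additionalRules` into the builder script as a double-quoted shell word on the `printf` line. That is what makes `$path` expand, but it also means any other `$`, backtick, backslash or double quote in a caller's rule is interpreted by the shell instead of being written literally. A rule that quotes a path, for instance, would close the shell word early and produce a malformed or different rule in the generated file. The comment above the function documents only the `include` usage; I would extend it to say that rules are expanded inside shell double quotes, that `$path` is the only intended substitution, and that callers must escape other shell metacharacters themselves.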
diff --git a/nixpkgs/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh b/nixpkgs/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
new file mode 100644
index 000000000000..ebc1baaa92d4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
@@ -0,0 +1,32 @@
+aa_action() {
+  STRING=$1
+  shift
+  $*
+  rc=$?
+  if [ $rc -eq 0 ] ; then
+    aa_log_success_msg $"$STRING "
+  else
+    aa_log_failure_msg $"$STRING "
+  fi
+  return $rc
+}
+
+aa_log_success_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": done."
+}
+
+aa_log_warning_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Warning."
+}
+
+aa_log_failure_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Failed."
+}
+
+aa_log_skipped_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Skipped."
+}
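Review bot: `aa_action` runs its command with an unquoted `$*`, so the arguments are joined, split again on whitespace and glob-expanded before the command is executed. An argument containing a space reaches the command as several words, while `"$@"` passes each argument through unchanged. The four `aa_log_*_msg` helpers have a smaller version of the same issue in `echo -n $1`, where `printf '%s' "$1"` would print the message as given. How callers invoke `aa_action` is not visible in this file.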
diff --git a/nixpkgs/pkgs/os-specific/linux/aseq2json/default.nix b/nixpkgs/pkgs/os-specific/linux/aseq2json/default.nix
new file mode 100644
index 000000000000..646e9f7b7b91
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/aseq2json/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchFromGitHub, pkg-config, alsa-lib, glib, json-glib }:
+
+stdenv.mkDerivation {
+  pname = "aseq2json";
+  version = "unstable-2018-04-28";
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "midi-dump-tools";
+    rev = "8572e6313a0d7ec95492dcab04a46c5dd30ef33a";
+    sha256 = "LQ9LLVumi3GN6c9tuMSOd1Bs2pgrwrLLQbs5XF+NZeA=";
+  };
+  sourceRoot = "source/aseq2json";
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ alsa-lib glib json-glib ];
+
+  installPhase = ''
+    install -D --target-directory "$out/bin" aseq2json
+  '';
+
+  meta = with lib; {
+    description = "Listens for MIDI events on the Alsa sequencer and outputs as JSON to stdout";
+    homepage = "https://github.com/google/midi-dump-tools";
+    license = licenses.asl20;
+    maintainers = [ maintainers.queezle ];
+    platforms = platforms.linux;
+  };
+}
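Review bot: The `installPhase` override omits the `runHook preInstall` / `runHook postInstall` pair, so a `preInstall` or `postInstall` added through `overrideAttrs` would be silently ignored. android-udev-rules earlier in this diff keeps the hooks, while asus-ec-sensors further down has the same omission. Putting `runHook preInstall` before and `runHook postInstall` after the `install -D --target-directory "$out/bin" aseq2json` line keeps the phase overridable.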
diff --git a/nixpkgs/pkgs/os-specific/linux/asus-ec-sensors/default.nix b/nixpkgs/pkgs/os-specific/linux/asus-ec-sensors/default.nix
new file mode 100644
index 000000000000..f046ec206ab6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/asus-ec-sensors/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "asus-ec-sensors-${version}-${kernel.version}";
+  version = "unstable-2021-12-16";
+
+  src = fetchFromGitHub {
+    owner = "zeule";
+    repo = "asus-ec-sensors";
+    rev = "3621741c4ecb93216d546942707a9c413e971787";
+    sha256 = "0akdga2854q3w0pyi0jywa6cxr32541ifz0ka1hgn6j4czk39kyn";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+  ];
+
+  installPhase = ''
+    install asus-ec-sensors.ko -Dm444 -t ${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon
+  '';
+
+  meta = with lib; {
+    description = "Linux HWMON sensors driver for ASUS motherboards to read sensor data from the embedded controller";
+    homepage = "https://github.com/zeule/asus-ec-sensors";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" ];
+    maintainers = with maintainers; [ nickhu ];
+  };
+}
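Review bot: `makeFlags` here starts from an empty list, whereas the apfs module earlier in this diff uses `kernel.makeFlags ++ [ … ]`; asus-wmi-sensors below follows this file's pattern. Without `kernel.makeFlags` the module build presumably does not receive the compiler, architecture and cross-compilation settings the kernel itself was built with. That matters as soon as the kernel is not built with the default toolchain. I would write `makeFlags = kernel.makeFlags ++ [` and keep the two existing entries.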
diff --git a/nixpkgs/pkgs/os-specific/linux/asus-wmi-sensors/default.nix b/nixpkgs/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
new file mode 100644
index 000000000000..3098cbb72538
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "asus-wmi-sensors-${version}-${kernel.version}";
+  version = "unstable-2019-11-07";
+
+  # The original was deleted from github, but this seems to be an active fork
+  src = fetchFromGitHub {
+    owner = "electrified";
+    repo = "asus-wmi-sensors";
+    rev = "8daafd45d1b860cf5b17eee1c94d93feb04164a9";
+    sha256 = "0kc0xlrsmf783ln5bqyj6qxzmrhdxdfdd2b9ygf2lbl2153i04vc";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preConfigure = ''
+    sed -i 's|depmod|#depmod|' Makefile
+  '';
+
+  makeFlags = [
+    "TARGET=${kernel.modDirVersion}"
+    "KERNEL_MODULES=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+    "MODDESTDIR=${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon"
+  ];
+
+  meta = with lib; {
+    description = "Linux HWMON (lmsensors) sensors driver for various ASUS Ryzen and Threadripper motherboards";
+    homepage = "https://github.com/electrified/asus-wmi-sensors";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = with maintainers; [ Frostman ];
+    broken = versionOlder kernel.version "4.12";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/atop/atop.service.patch b/nixpkgs/pkgs/os-specific/linux/atop/atop.service.patch
new file mode 100644
index 000000000000..3ef59e60cbc0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/atop/atop.service.patch
@@ -0,0 +1,10 @@
+--- a/atop.service
++++ b/atop.service
+@@ -9,5 +9,6 @@
+ Environment=LOGPATH=/var/log/atop
+-EnvironmentFile=/etc/default/atop
++EnvironmentFile=-/etc/default/atop
+ ExecStartPre=/bin/sh -c 'test -n "$LOGINTERVAL" -a "$LOGINTERVAL" -eq "$LOGINTERVAL"'
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
++ExecStartPre=/bin/sh -c 'mkdir -p "${LOGPATH}"'
+ ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
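Review bot: The added `ExecStartPre=/bin/sh -c 'mkdir -p "${LOGPATH}"'` creates the log directory with whatever mode the service's umask yields, so who may read the recorded data is left implicit. Going by the package description elsewhere in this diff, atop logs per-process activity including usernames, so the mode should be a deliberate choice. `mkdir -p -m 0755 "${LOGPATH}"` would state what is presumably the current result, and a tighter mode would restrict reading. `-m` applies only to the final directory and only when it is created, so an existing directory keeps its mode.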
diff --git a/nixpkgs/pkgs/os-specific/linux/atop/atopacct.service.patch b/nixpkgs/pkgs/os-specific/linux/atop/atopacct.service.patch
new file mode 100644
index 000000000000..9f2cd8f2e9ca
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/atop/atopacct.service.patch
@@ -0,0 +1,7 @@
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -9,3 +9,3 @@
+ Type=forking
+-PIDFile=/var/run/atopacctd.pid
++PIDFile=/run/atopacctd.pid
+ ExecStart=@out@/bin/atopacctd
diff --git a/nixpkgs/pkgs/os-specific/linux/atop/default.nix b/nixpkgs/pkgs/os-specific/linux/atop/default.nix
new file mode 100644
index 000000000000..47f76649dea9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/atop/default.nix
@@ -0,0 +1,95 @@
+{ lib
+, stdenv
+, fetchurl
+, zlib
+, ncurses
+, findutils
+, systemd
+, python3
+# makes the package unfree via pynvml
+, withAtopgpu ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "atop";
+  version = "2.7.1";
+
+  src = fetchurl {
+    url = "https://www.atoptool.nl/download/atop-${version}.tar.gz";
+    sha256 = "sha256-ykjS8X4HHe6tXm6cyeOIv2oycNaV5hl2s3lNTZJ7XE4=";
+  };
+
+  nativeBuildInputs = lib.optionals withAtopgpu [
+    python3.pkgs.wrapPython
+  ];
+
+  buildInputs = [
+    zlib
+    ncurses
+  ] ++ lib.optionals withAtopgpu [
+    python3
+  ];
+
+  pythonPath = lib.optionals withAtopgpu [
+    python3.pkgs.pynvml
+  ];
+
+  makeFlags = [
+    "DESTDIR=$(out)"
+    "BINPATH=/bin"
+    "SBINPATH=/bin"
+    "MAN1PATH=/share/man/man1"
+    "MAN5PATH=/share/man/man5"
+    "MAN8PATH=/share/man/man8"
+    "SYSDPATH=/lib/systemd/system"
+    "PMPATHD=/lib/systemd/system-sleep"
+  ];
+
+  patches = [
+    # Fix paths in atop.service, atop-rotate.service, atopgpu.service, atopacct.service,
+    # and atop-pm.sh
+    ./fix-paths.patch
+    # Don't fail on missing /etc/default/atop, make sure /var/log/atop exists pre-start
+    ./atop.service.patch
+    # Specify PIDFile in /run, not /var/run to silence systemd warning
+    ./atopacct.service.patch
+  ];
+
+  preConfigure = ''
+    for f in *.{sh,service}; do
+      findutils=${findutils} systemd=${systemd} substituteAllInPlace "$f"
+    done
+
+    substituteInPlace Makefile --replace 'chown' 'true'
+    substituteInPlace Makefile --replace 'chmod 04711' 'chmod 0711'
+  '';
+
+  preInstall = ''
+    mkdir -p $out/bin
+  '';
+
+  postInstall = ''
+    # Remove extra files we don't need
+    rm -r $out/{var,etc} $out/bin/atop{sar,}-${version}
+  '' + (if withAtopgpu then ''
+    wrapPythonPrograms
+  '' else ''
+    rm $out/lib/systemd/system/atopgpu.service $out/bin/atopgpud $out/share/man/man8/atopgpud.8
+  '');
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ raskin ];
+    description = "Console system performance monitor";
+    longDescription = ''
+      Atop is an ASCII full-screen performance monitor that is capable of reporting the activity of
+      all processes (even if processes have finished during the interval), daily logging of system
+      and process activity for long-term analysis, highlighting overloaded system resources by using
+      colors, etc. At regular intervals, it shows system-level activity related to the CPU, memory,
+      swap, disks and network layers, and for every active process it shows the CPU utilization,
+      memory growth, disk utilization, priority, username, state, and exit code.
+    '';
+    license = licenses.gpl2Plus;
+    downloadPage = "http://atoptool.nl/downloadatop.php";
+  };
+}
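Review bot: `preConfigure` rewrites `chown` to `true` and `chmod 04711` to `chmod 0711` in the Makefile without a comment, so the expression never shows that an installed binary loses the setuid bit the upstream Makefile would set. Store paths cannot carry setuid bits or foreign ownership, so the edit is needed. Users should still be able to see that anything relying on that bit will not work from the store path unless privilege is granted elsewhere. I would add above the two lines `# the Nix store cannot hold setuid or root-owned files; upstream installs with mode 04711`.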
diff --git a/nixpkgs/pkgs/os-specific/linux/atop/fix-paths.patch b/nixpkgs/pkgs/os-specific/linux/atop/fix-paths.patch
new file mode 100644
index 000000000000..e6cd631d3c11
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/atop/fix-paths.patch
@@ -0,0 +1,48 @@
+--- a/atop.service
++++ b/atop.service
+@@ -12,4 +12,4 @@
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
+-ExecStart=/bin/sh -c 'exec /usr/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
+-ExecStartPost=/usr/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
++ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
++ExecStartPost=@findutils@/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
+ KillSignal=SIGUSR2
+
+--- a/atop-rotate.service
++++ b/atop-rotate.service
+@@ -4,3 +4,3 @@
+ [Service]
+ Type=oneshot
+-ExecStart=/usr/bin/systemctl try-restart atop.service
++ExecStart=@systemd@/bin/systemctl try-restart atop.service
+
+--- a/atopgpu.service
++++ b/atopgpu.service
+@@ -6,5 +6,5 @@
+
+ [Service]
+-ExecStart=/usr/sbin/atopgpud
++ExecStart=@out@/bin/atopgpud
+ Type=oneshot
+ RemainAfterExit=yes
+
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -10,3 +10,3 @@
+ PIDFile=/var/run/atopacctd.pid
+-ExecStart=/usr/sbin/atopacctd
++ExecStart=@out@/bin/atopacctd
+
+--- a/atop-pm.sh
++++ b/atop-pm.sh
+@@ -2,8 +2,8 @@
+
+ case "$1" in
+-	pre)	/usr/bin/systemctl stop atop
++	pre)	@systemd@/bin/systemctl stop atop
+ 		exit 0
+ 		;;
+-	post)	/usr/bin/systemctl start atop
++	post)	@systemd@/bin/systemctl start atop
+ 		exit 0
+ 		;;
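Review bot: In the atop.service section the new `ExecStartPost=@findutils@/bin/find …` pins `find` to a store path but still ends in `-exec rm -v {} \;`, so `rm` is resolved through the unit's PATH at run time. That leaves one command of the log cleanup dependent on the environment while the rest is pinned. Either substitute an absolute path for `rm` the same way, or let find do the removal itself with `-print -delete` in place of `-exec rm -v {} \;`. The `/bin/sh -c` prefixes in the same unit are also left unpinned, which is presumably deliberate.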
diff --git a/nixpkgs/pkgs/os-specific/linux/audit/default.nix b/nixpkgs/pkgs/os-specific/linux/audit/default.nix
new file mode 100644
index 000000000000..bda8d8ab30c5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/audit/default.nix
@@ -0,0 +1,103 @@
+{
+  lib, stdenv, buildPackages, fetchurl, fetchpatch,
+  runCommand,
+  autoreconfHook,
+  autoconf, automake, libtool, bash,
+  # Enabling python support while cross compiling would be possible, but
+  # the configure script tries executing python to gather info instead of
+  # relying on python3-config exclusively
+  enablePython ? stdenv.hostPlatform == stdenv.buildPlatform, python3, swig,
+  linuxHeaders ? stdenv.cc.libc.linuxHeaders
+}:
+
+stdenv.mkDerivation rec {
+  pname = "audit";
+  version = "2.8.5"; # at the next release, remove the patches below!
+
+  src = fetchurl {
+    url = "https://people.redhat.com/sgrubb/audit/audit-${version}.tar.gz";
+    sha256 = "1dzcwb2q78q7x41shcachn7f4aksxbxd470yk38zh03fch1l2p8f";
+  };
+
+  outputs = [ "bin" "dev" "out" "man" ];
+
+  strictDeps = true;
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ autoreconfHook ]
+    ++ lib.optionals enablePython [ python3 swig ];
+  buildInputs = [ bash ];
+
+  configureFlags = [
+    # z/OS plugin is not useful on Linux,
+    # and pulls in an extra openldap dependency otherwise
+    "--disable-zos-remote"
+    (if enablePython then "--with-python" else "--without-python")
+    "--with-arm"
+    "--with-aarch64"
+  ];
+
+  enableParallelBuilding = true;
+
+  # TODO: Remove the musl patches when
+  #         https://github.com/linux-audit/audit-userspace/pull/25
+  #       is available with the next release.
+  patches = [
+    ./patches/weak-symbols.patch
+    (fetchpatch {
+      # upstream build fix against -fno-common compilers like >=gcc-10
+      url = "https://github.com/linux-audit/audit-userspace/commit/017e6c6ab95df55f34e339d2139def83e5dada1f.patch";
+      sha256 = "100xa1rzkv0mvhjbfgpfm72f7c4p68syflvgc3xm6pxgrqqmfq8h";
+    })
+
+    (
+      let patch = fetchpatch {
+            url = "https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e.patch";
+            name = "Add-substitue-functions-for-strndupa-rawmemchr.patch";
+            sha256 = "015bvzflg1s1k5viap30nznlpjj44a66khyc8yq0waa68qwvdlsd";
+          };
+      in
+        runCommand "Add-substitue-functions-for-strndupa-rawmemchr.patch-fix-copyright-merge-conflict" {} ''
+          cp ${patch} $out
+          substituteInPlace $out --replace \
+              '-* Copyright (c) 2007-09,2011-16,2018 Red Hat Inc., Durham, North Carolina.' \
+              '-* Copyright (c) 2007-09,2011-16 Red Hat Inc., Durham, North Carolina.'
+        ''
+    )
+
+    # upstream fix for linux-headers-5.15 which removed ipx.h
+    (fetchpatch {
+      name = "no-ipx.patch";
+      url = "https://github.com/linux-audit/audit-userspace/commit/6b09724c69d91668418ddb3af00da6db6755208c.patch";
+      sha256 = "0qjq41ridyamajz9v9nyplgq7f8nn3fxw375s9sa5a0igsrx9pm0";
+      excludes = [ "ChangeLog" ];
+    })
+    # Fix pending upstream inclusion for linux-headers-5.17 support:
+    #  https://github.com/linux-audit/audit-userspace/pull/253
+    (fetchpatch {
+      name = "ignore-flexible-array.patch";
+      url = "https://github.com/linux-audit/audit-userspace/commit/beed138222421a2eb4212d83cb889404bd7efc49.patch";
+      sha256 = "1hf02zaxv6x0wmn4ca9fj48y2shks7vfna43i1zz58xw9jq7sza0";
+    })
+  ];
+
+  postPatch = ''
+    sed -i 's,#include <sys/poll.h>,#include <poll.h>\n#include <limits.h>,' audisp/audispd.c
+    substituteInPlace bindings/swig/src/auditswig.i \
+      --replace "/usr/include/linux/audit.h" \
+                "${linuxHeaders}/include/linux/audit.h"
+  ''
+  # According to https://stackoverflow.com/questions/13089166
+  # --whole-archive linker flag is required to be sure that linker
+  # correctly chooses strong version of symbol regardless of order of
+  # object files at command line.
+  + lib.optionalString stdenv.hostPlatform.isStatic ''
+    export LDFLAGS=-Wl,--whole-archive
+  '';
+  meta = {
+    description = "Audit Library";
+    homepage = "https://people.redhat.com/sgrubb/audit/";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ ];
+  };
+}
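Review bot: The static-build branch of `postPatch` sets `export LDFLAGS=-Wl,--whole-archive`, which replaces any `LDFLAGS` already present in the build environment instead of extending it. If a platform or an override supplies linker flags, they would be dropped for static builds only, which is hard to trace back to this line. `export LDFLAGS="$LDFLAGS -Wl,--whole-archive"` keeps them. Whether anything sets `LDFLAGS` earlier is not visible from this file.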
diff --git a/nixpkgs/pkgs/os-specific/linux/audit/patches/weak-symbols.patch b/nixpkgs/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
new file mode 100644
index 000000000000..301ea9a5476c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
@@ -0,0 +1,147 @@
+Executables in src/ directory are built from source files in src/
+and are linked to libauparse, with both src/auditd-config.c and
+auparse/auditd-config.c defining "free_config" function.
+
+It is known (although obscure) behaviour of shared libraries that
+symbol defined in binary itself overrides symbol in shared library;
+with static linkage it expectedly results in multiple definition
+error.
+
+This set of fixes explicitly marks libauparse versions of
+conflicting functions as weak to have behaviour coherent with
+dynamic linkage version -- definitions in src/ overriding definition
+in auparse/.
+
+Still, this architecture is very strange and confusing.
+
+diff -r -U5 audit-2.8.5-orig/auparse/auditd-config.c audit-2.8.5/auparse/auditd-config.c
+--- audit-2.8.5-orig/auparse/auditd-config.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/auparse/auditd-config.c	2021-01-13 11:36:12.716226498 +0000
+@@ -68,10 +68,11 @@
+ };
+ 
+ /*
+  * Set everything to its default value
+ */
++#pragma weak clear_config
+ void clear_config(struct daemon_conf *config)
+ {
+ 	config->local_events = 1;
+ 	config->qos = QOS_NON_BLOCKING;
+ 	config->sender_uid = 0;
+@@ -322,10 +323,11 @@
+ 	if (config->log_file == NULL)
+ 		return 1;
+ 	return 0;
+ }
+ 
++#pragma weak free_config
+ void free_config(struct daemon_conf *config)
+ {
+ 	free((void*)config->log_file);
+ }
+ 
+diff -r -U5 audit-2.8.5-orig/auparse/interpret.c audit-2.8.5/auparse/interpret.c
+--- audit-2.8.5-orig/auparse/interpret.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/auparse/interpret.c	2021-01-13 11:39:42.107217224 +0000
+@@ -545,10 +545,11 @@
+ 	else
+ 		snprintf(buf, size, "unknown(%d)", uid);
+ 	return buf;
+ }
+ 
++#pragma weak aulookup_destroy_uid_list
+ void aulookup_destroy_uid_list(void)
+ {
+ 	if (uid_cache_created == 0)
+ 		return;
+ 
+@@ -2810,10 +2811,11 @@
+ 
+ /*
+  * This is the main entry point for the auparse library. Call chain is:
+  * auparse_interpret_field -> nvlist_interp_cur_val -> interpret
+  */
++#pragma weak interpret
+ const char *interpret(const rnode *r, auparse_esc_t escape_mode)
+ {
+ 	const nvlist *nv = &r->nv;
+ 	int type;
+ 	idata id;
+diff -r -U5 audit-2.8.5-orig/auparse/nvlist.c audit-2.8.5/auparse/nvlist.c
+--- audit-2.8.5-orig/auparse/nvlist.c	2019-02-04 14:26:52.000000000 +0000
++++ audit-2.8.5/auparse/nvlist.c	2021-01-13 11:37:37.190222757 +0000
+@@ -27,10 +27,11 @@
+ #include "nvlist.h"
+ #include "interpret.h"
+ #include "auparse-idata.h"
+ 
+ 
++#pragma weak nvlist_create
+ void nvlist_create(nvlist *l)
+ {
+ 	l->head = NULL;
+ 	l->cur = NULL;
+ 	l->cnt = 0;
+@@ -47,17 +48,19 @@
+ 	while (node->next)
+ 		node = node->next;
+ 	l->cur = node;
+ }
+ 
++#pragma weak nvlist_next
+ nvnode *nvlist_next(nvlist *l)
+ {
+ 	if (l->cur)
+ 		l->cur = l->cur->next;
+ 	return l->cur;
+ }
+ 
++#pragma weak nvlist_append
+ void nvlist_append(nvlist *l, nvnode *node)
+ {
+ 	nvnode* newnode = malloc(sizeof(nvnode));
+ 
+ 	newnode->name = node->name;
+@@ -141,10 +144,11 @@
+ 	if (l->cur->interp_val)
+ 		return l->cur->interp_val;
+ 	return interpret(r, escape_mode);
+ }
+ 
++#pragma weak nvlist_clear
+ void nvlist_clear(nvlist* l)
+ {
+ 	nvnode* nextnode;
+ 	register nvnode* current;
+ 
+diff -r -U5 audit-2.8.5-orig/auparse/strsplit.c audit-2.8.5/auparse/strsplit.c
+--- audit-2.8.5-orig/auparse/strsplit.c	2019-03-01 21:15:30.000000000 +0000
++++ audit-2.8.5/auparse/strsplit.c	2021-01-13 11:38:04.306221556 +0000
+@@ -54,10 +54,11 @@
+ 			return NULL;
+ 		return s;
+ 	}
+ }
+ 
++#pragma weak audit_strsplit
+ char *audit_strsplit(char *s)
+ {
+ 	static char *str = NULL;
+ 	char *ptr;
+ 
+diff -r -U5 audit-2.8.5-orig/lib/strsplit.c audit-2.8.5/lib/strsplit.c
+--- audit-2.8.5-orig/lib/strsplit.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/lib/strsplit.c	2021-01-13 11:38:29.444220443 +0000
+@@ -23,10 +23,11 @@
+ 
+ #include <string.h>
+ #include "libaudit.h"
+ #include "private.h"
+ 
++#pragma weak audit_strsplit_r
+ char *audit_strsplit_r(char *s, char **savedpp)
+ {
+ 	char *ptr;
+ 
+ 	if (s)
diff --git a/nixpkgs/pkgs/os-specific/linux/autofs/default.nix b/nixpkgs/pkgs/os-specific/linux/autofs/default.nix
new file mode 100644
index 000000000000..5e552301fe48
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/autofs/default.nix
@@ -0,0 +1,60 @@
+{ lib, stdenv, fetchurl, flex, bison, linuxHeaders, libtirpc, mount, umount, nfs-utils, e2fsprogs
+, libxml2, libkrb5, kmod, openldap, sssd, cyrus_sasl, openssl, rpcsvc-proto
+, fetchpatch
+}:
+
+stdenv.mkDerivation rec {
+  version = "5.1.6";
+  pname = "autofs";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/daemons/autofs/v5/autofs-${version}.tar.xz";
+    sha256 = "1vya21mb4izj3khcr3flibv7xc15vvx2v0rjfk5yd31qnzcy7pnx";
+  };
+
+  patches = [
+    # glibc 2.34 compat
+    (fetchpatch {
+      url = "https://src.fedoraproject.org/rpms/autofs/raw/cc745af5e42396d540d5b3b92fae486e232bf6bd/f/autofs-5.1.7-use-default-stack-size-for-threads.patch";
+      sha256 = "sha256-6ETDFbW7EhHR03xFWF+6OJBgn9NX3WW3bGhTNGodaOc=";
+      excludes = [ "CHANGELOG" ];
+    })
+  ];
+
+  preConfigure = ''
+    configureFlags="--enable-force-shutdown --enable-ignore-busy --with-path=$PATH"
+    export sssldir="${sssd}/lib/sssd/modules"
+    export HAVE_SSS_AUTOFS=1
+
+    export MOUNT=${mount}/bin/mount
+    export MOUNT_NFS=${nfs-utils}/bin/mount.nfs
+    export UMOUNT=${umount}/bin/umount
+    export MODPROBE=${kmod}/bin/modprobe
+    export E2FSCK=${e2fsprogs}/bin/fsck.ext2
+    export E3FSCK=${e2fsprogs}/bin/fsck.ext3
+    export E4FSCK=${e2fsprogs}/bin/fsck.ext4
+
+    unset STRIP # Makefile.rules defines a usable STRIP only without the env var.
+  '';
+
+  # configure script is not finding the right path
+  NIX_CFLAGS_COMPILE = [ "-I${libtirpc.dev}/include/tirpc" ];
+
+  installPhase = ''
+    make install SUBDIRS="lib daemon modules man" # all but samples
+    #make install SUBDIRS="samples" # impure!
+  '';
+
+  buildInputs = [ linuxHeaders libtirpc libxml2 libkrb5 kmod openldap sssd
+                  openssl cyrus_sasl rpcsvc-proto ];
+
+  nativeBuildInputs = [ flex bison ];
+
+  meta = {
+    description = "Kernel-based automounter";
+    homepage = "https://www.kernel.org/pub/linux/daemons/autofs/";
+    license = lib.licenses.gpl2Plus;
+    executables = [ "automount" ];
+    platforms = lib.platforms.linux;
+  };
+}
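Review bot: `--with-path=$PATH` in `preConfigure` gives configure the entire build-time `PATH` as its search path for helper programs, so any helper not pinned explicitly is resolved from whatever happens to be in the build environment. The helpers that matter are already pinned through `MOUNT`, `MOUNT_NFS`, `UMOUNT`, `MODPROBE` and the `E*FSCK` variables. Restricting the search path to those same packages would keep the remaining lookups tied to declared inputs, for example `--with-path=${lib.makeBinPath [ mount umount nfs-utils kmod e2fsprogs ]}`. Separately, `meta` has no `maintainers`, which leaves nobody named to follow up on fixes for a root-running daemon.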
diff --git a/nixpkgs/pkgs/os-specific/linux/autosuspend/default.nix b/nixpkgs/pkgs/os-specific/linux/autosuspend/default.nix
new file mode 100644
index 000000000000..ba3460938920
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/autosuspend/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, fetchFromGitHub
+, python3
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "autosuspend";
+  version = "4.2.0";
+
+  src = fetchFromGitHub {
+    owner = "languitar";
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    sha256 = "sha256-aIWqE422xfAzAyF+4hARYOcomZHraTrtxtw2YfAxJ1M=";
+  };
+
+  postPatch = ''
+    substituteInPlace setup.cfg \
+      --replace '--cov-config=setup.cfg' ""
+  '';
+
+  propagatedBuildInputs = with python3.pkgs; [
+    portalocker
+    psutil
+    dbus-python
+  ];
+
+  checkInputs = with python3.pkgs; [
+    pytestCheckHook
+    python-dbusmock
+    pytest-httpserver
+    dateutils
+    freezegun
+    pytest-mock
+    requests
+    requests-file
+    icalendar
+    tzlocal
+    jsonpath-ng
+    mpd2
+    lxml
+    pytest-datadir
+  ];
+
+  # Disable tests that need root
+  disabledTests = [
+    "test_smoke"
+    "test_multiple_sessions"
+  ];
+
+  doCheck = true;
+
+  meta = with lib ; {
+    description = "A daemon to automatically suspend and wake up a system";
+    homepage = "https://autosuspend.readthedocs.io";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.bzizou ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ax99100/default.nix b/nixpkgs/pkgs/os-specific/linux/ax99100/default.nix
new file mode 100644
index 000000000000..9167b4e5f89d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ax99100/default.nix
@@ -0,0 +1,29 @@
+{ kernel, stdenv, kmod, lib, fetchzip }:
+stdenv.mkDerivation
+{
+  pname = "ax99100";
+  version = "1.8.0";
+  nativeBuildInputs = [ kmod ] ++ kernel.moduleBuildDependencies;
+  src = fetchzip {
+    url = "https://www.asix.com.tw/en/support/download/file/1229";
+    sha256 = "1rbp1m01qr6b3nbr72vpbw89pjh8mddc60im78z2yjd951xkbcjh";
+    extension = "tar.bz2";
+  };
+
+  makeFlags = [ "KDIR='${kernel.dev}/lib/modules/${kernel.modDirVersion}/build'" ];
+
+  installPhase = ''
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/tty/serial
+    cp ax99100.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/tty/serial
+  '';
+
+  meta = {
+    description = "ASIX AX99100 Serial and Parralel Port driver";
+    homepage = "https://www.asix.com.tw/en/product/Interface/PCIe_Bridge/AX99100";
+    # According to the source code in the tarball, the license is gpl2.
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    # currently, the build fails with kernels newer than 5.17
+    broken = lib.versionAtLeast kernel.version "5.18.0";
+  };
+}
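Review bot: `makeFlags` passes only `KDIR` and omits `kernel.makeFlags`, unlike the batman-adv and bbswitch modules added in this same diff. The module build therefore does not inherit the kernel's own make settings, which presumably matters for cross builds and non-default toolchains. I would write `makeFlags = kernel.makeFlags ++ [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];`, which also drops the inner single quotes that currently end up inside the flag value. The description has a typo, "Parralel" for "Parallel". A comment next to `url` recording which driver release the opaque download id `1229` refers to would help whoever next updates `version` and the hash.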
diff --git a/nixpkgs/pkgs/os-specific/linux/batman-adv/alfred.nix b/nixpkgs/pkgs/os-specific/linux/batman-adv/alfred.nix
new file mode 100644
index 000000000000..96040f2828cf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/batman-adv/alfred.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchurl, pkg-config, gpsd, libcap, libnl }:
+
+let cfg = import ./version.nix; in
+
+stdenv.mkDerivation rec {
+  pname = "alfred";
+  inherit (cfg) version;
+
+  src = fetchurl {
+    url = "https://downloads.open-mesh.org/batman/releases/batman-adv-${version}/${pname}-${version}.tar.gz";
+    sha256 = cfg.sha256.${pname};
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ gpsd libcap libnl ];
+
+  preBuild = ''
+    makeFlags="PREFIX=$out PKG_CONFIG=${pkg-config}/bin/${pkg-config.targetPrefix}pkg-config"
+  '';
+
+  meta = {
+    homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
+    description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2, information distribution tool";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = with lib.platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/batman-adv/batctl.nix b/nixpkgs/pkgs/os-specific/linux/batman-adv/batctl.nix
new file mode 100644
index 000000000000..079624c10ad6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/batman-adv/batctl.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchurl, pkg-config, libnl }:
+
+let cfg = import ./version.nix; in
+
+stdenv.mkDerivation rec {
+  pname = "batctl";
+  inherit (cfg) version;
+
+  src = fetchurl {
+    url = "https://downloads.open-mesh.org/batman/releases/batman-adv-${version}/${pname}-${version}.tar.gz";
+    sha256 = cfg.sha256.${pname};
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libnl ];
+
+  preBuild = ''
+    makeFlags="PREFIX=$out PKG_CONFIG=${pkg-config}/bin/${pkg-config.targetPrefix}pkg-config"
+  '';
+
+  meta = {
+    homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
+    description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2, control tool";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = with lib.platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/batman-adv/default.nix b/nixpkgs/pkgs/os-specific/linux/batman-adv/default.nix
new file mode 100644
index 000000000000..3d22720b9625
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/batman-adv/default.nix
@@ -0,0 +1,38 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, kernel
+}:
+
+let cfg = import ./version.nix; in
+
+stdenv.mkDerivation rec {
+  pname = "batman-adv";
+  version = "${cfg.version}-${kernel.version}";
+
+  src = fetchurl {
+    url = "http://downloads.open-mesh.org/batman/releases/${pname}-${cfg.version}/${pname}-${cfg.version}.tar.gz";
+    sha256 = cfg.sha256.${pname};
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  hardeningDisable = [ "pic" ];
+
+  preBuild = ''
+    sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," \
+      -e /depmod/d Makefile
+  '';
+
+  meta = {
+    homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
+    description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz hexa ];
+    platforms = with lib.platforms; linux;
+  };
+}
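Review bot: `src.url` fetches the kernel-module tarball over plain `http://`, while `alfred.nix` and `batctl.nix` in this diff use `https://` for the same host. The `sha256` from `version.nix` still pins the content, so this is not an integrity hole in a normal build. It does mean anyone refreshing the hash with a prefetch sees bytes from an unauthenticated channel. Use `url = "https://downloads.open-mesh.org/batman/releases/${pname}-${cfg.version}/${pname}-${cfg.version}.tar.gz";` to match the siblings.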
diff --git a/nixpkgs/pkgs/os-specific/linux/batman-adv/version.nix b/nixpkgs/pkgs/os-specific/linux/batman-adv/version.nix
new file mode 100644
index 000000000000..dd2227874501
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/batman-adv/version.nix
@@ -0,0 +1,9 @@
+{
+  version = "2022.1";
+
+  sha256 = {
+    batman-adv = "sha256-bQQdNTCr1LJJq/Wpb8Ki4kFDG/lEO1R/2yWi2P0ymkA=";
+    alfred = "sha256-OgrCuybgyz8nMtSHNmmgoi6YJej5qOerrJhjY/J1CX8=";
+    batctl = "sha256-h+iak4lxuGJCJoG7NBBOmytLZRLR0WXelTYw3zjWGmg=";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bbswitch/default.nix b/nixpkgs/pkgs/os-specific/linux/bbswitch/default.nix
new file mode 100644
index 000000000000..886bf3e6fee8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bbswitch/default.nix
@@ -0,0 +1,65 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel, runtimeShell }:
+
+let
+  baseName = "bbswitch";
+  version = "unstable-2021-11-29";
+  name = "${baseName}-${version}-${kernel.version}";
+
+in
+
+stdenv.mkDerivation {
+  inherit name;
+
+  src = fetchFromGitHub {
+    owner = "Bumblebee-Project";
+    repo = "bbswitch";
+    # https://github.com/Bumblebee-Project/bbswitch/tree/develop
+    rev = "23891174a80ea79c7720bcc7048a5c2bfcde5cd9";
+    hash = "sha256-50v1Jxem5kaI1dHOKmgBbPLxI82QeYxiaRHhrHpWRzU=";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-community/0bd986055ba52887b81048de5c61e618eec06eb0/trunk/0003-kernel-5.18.patch";
+      sha256 = "sha256-va62/bR1qyBBMPg0lUwCH7slGG0XijxVCsFa4FCoHEQ=";
+    })
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  preBuild = ''
+    substituteInPlace Makefile \
+      --replace "\$(shell uname -r)" "${kernel.modDirVersion}" \
+      --replace "/lib/modules" "${kernel.dev}/lib/modules"
+  '';
+
+  makeFlags = kernel.makeFlags;
+
+  installPhase = ''
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/misc
+    cp bbswitch.ko $out/lib/modules/${kernel.modDirVersion}/misc
+
+    mkdir -p $out/bin
+    tee $out/bin/discrete_vga_poweroff << EOF
+    #!${runtimeShell}
+
+    echo -n OFF > /proc/acpi/bbswitch
+    EOF
+    tee $out/bin/discrete_vga_poweron << EOF
+    #!${runtimeShell}
+
+    echo -n ON > /proc/acpi/bbswitch
+    EOF
+    chmod +x $out/bin/discrete_vga_poweroff $out/bin/discrete_vga_poweron
+  '';
+
+  meta = with lib; {
+    description = "A module for powering off hybrid GPUs";
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    homepage = "https://github.com/Bumblebee-Project/bbswitch";
+    maintainers = with maintainers; [ abbradar ];
+    license = licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch b/nixpkgs/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch
new file mode 100644
index 000000000000..7480e9c5d97b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bcc/absolute-ausyscall.patch
@@ -0,0 +1,43 @@
+From 01e793163231c5085afced37471df32b94a313f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Thu, 30 Dec 2021 06:34:41 +0100
+Subject: [PATCH] absolute ausyscall
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ libbpf-tools/syscall_helpers.c | 2 +-
+ src/python/bcc/syscall.py      | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libbpf-tools/syscall_helpers.c b/libbpf-tools/syscall_helpers.c
+index e114a08f..62adea78 100644
+--- a/libbpf-tools/syscall_helpers.c
++++ b/libbpf-tools/syscall_helpers.c
+@@ -47,7 +47,7 @@ void init_syscall_names(void)
+ 	int err;
+ 	FILE *f;
+ 
+-	f = popen("ausyscall --dump 2>/dev/null", "r");
++	f = popen("@ausyscall@ --dump 2>/dev/null", "r");
+ 	if (!f) {
+ 		warn("popen: ausyscall --dump: %s\n", strerror(errno));
+ 		return;
+diff --git a/src/python/bcc/syscall.py b/src/python/bcc/syscall.py
+index 1346b4e8..e7e29a11 100644
+--- a/src/python/bcc/syscall.py
++++ b/src/python/bcc/syscall.py
+@@ -376,7 +376,7 @@ def _parse_syscall(line):
+ try:
+     # Skip the first line, which is a header. The rest of the lines are simply
+     # SYSCALL_NUM\tSYSCALL_NAME pairs.
+-    out = subprocess.check_output(['ausyscall', '--dump'], stderr=subprocess.STDOUT)
++    out = subprocess.check_output(['@ausyscall@', '--dump'], stderr=subprocess.STDOUT)
+     # remove the first line of expected output
+     out = out.split(b'\n',1)[1]
+     syscalls = dict(map(_parse_syscall, out.strip().split(b'\n')))
+-- 
+2.34.0
+
diff --git a/nixpkgs/pkgs/os-specific/linux/bcc/default.nix b/nixpkgs/pkgs/os-specific/linux/bcc/default.nix
new file mode 100644
index 000000000000..ab3e2232852b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bcc/default.nix
@@ -0,0 +1,92 @@
+{ lib, stdenv, fetchFromGitHub
+, makeWrapper, cmake, llvmPackages
+, flex, bison, elfutils, python, luajit, netperf, iperf, libelf
+, bash, libbpf, nixosTests
+, audit
+}:
+
+python.pkgs.buildPythonApplication rec {
+  pname = "bcc";
+  version = "0.24.0";
+
+  disabled = !stdenv.isLinux;
+
+  src = fetchFromGitHub {
+    owner = "iovisor";
+    repo = "bcc";
+    rev = "v${version}";
+    sha256 = "sha256-5Nq6LmphiyiiIyru/P2rCCmA25cwJIWn08oK1+eM3cQ=";
+  };
+  format = "other";
+
+  buildInputs = with llvmPackages; [
+    llvm llvm.dev libclang
+    elfutils luajit netperf iperf
+    flex bash libbpf
+  ];
+
+  patches = [
+    # This is needed until we fix
+    # https://github.com/NixOS/nixpkgs/issues/40427
+    ./fix-deadlock-detector-import.patch
+  ];
+
+  propagatedBuildInputs = [ python.pkgs.netaddr ];
+  nativeBuildInputs = [ makeWrapper cmake flex bison llvmPackages.llvm.dev ];
+
+  cmakeFlags = [
+    "-DBCC_KERNEL_MODULES_DIR=/run/booted-system/kernel-modules/lib/modules"
+    "-DREVISION=${version}"
+    "-DENABLE_USDT=ON"
+    "-DENABLE_CPP_API=ON"
+    "-DCMAKE_USE_LIBBPF_PACKAGE=ON"
+  ];
+
+  # to replace this executable path:
+  # https://github.com/iovisor/bcc/blob/master/src/python/bcc/syscall.py#L384
+  ausyscall = "${audit}/bin/ausyscall";
+
+  postPatch = ''
+    substituteAll ${./libbcc-path.patch} ./libbcc-path.patch
+    patch -p1 < libbcc-path.patch
+
+    substituteAll ${./absolute-ausyscall.patch} ./absolute-ausyscall.patch
+    patch -p1 < absolute-ausyscall.patch
+  '';
+
+  postInstall = ''
+    mkdir -p $out/bin $out/share
+    rm -r $out/share/bcc/tools/old
+    mv $out/share/bcc/tools/doc $out/share
+    mv $out/share/bcc/man $out/share/
+
+    find $out/share/bcc/tools -type f -executable -print0 | \
+    while IFS= read -r -d ''$'\0' f; do
+      bin=$out/bin/$(basename $f)
+      if [ ! -e $bin ]; then
+        ln -s $f $bin
+      fi
+      substituteInPlace "$f" \
+        --replace '$(dirname $0)/lib' "$out/share/bcc/tools/lib"
+    done
+
+    sed -i -e "s!lib=.*!lib=$out/bin!" $out/bin/{java,ruby,node,python}gc
+  '';
+
+  postFixup = ''
+    wrapPythonProgramsIn "$out/share/bcc/tools" "$out $pythonPath"
+  '';
+
+  outputs = [ "out" "man" ];
+
+  passthru.tests = {
+    bpf = nixosTests.bpf;
+  };
+
+  meta = with lib; {
+    description = "Dynamic Tracing Tools for Linux";
+    homepage    = "https://iovisor.github.io/bcc/";
+    license     = licenses.asl20;
+    maintainers = with maintainers; [ ragge mic92 thoughtpolice martinetd ];
+  };
+}
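Review bot: In `postPatch`, `substituteAll` expands every `@name@` token in the two patch files that matches a variable in the build environment, not only the `@ausyscall@` and `@out@` placeholders they are meant to carry. A future context line containing such a token would be rewritten silently and the patch would then fail or apply differently. Naming the variable keeps the substitution exact: `substitute ${./absolute-ausyscall.patch} absolute-ausyscall.patch --subst-var ausyscall`, and likewise `--subst-var out` for `libbcc-path.patch`. The comment above `ausyscall =` mentions only `syscall.py`; it should also mention `libbpf-tools/syscall_helpers.c`, which the same patch changes.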
diff --git a/nixpkgs/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch b/nixpkgs/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch
new file mode 100644
index 000000000000..1c422635f4fe
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bcc/fix-deadlock-detector-import.patch
@@ -0,0 +1,14 @@
+--- source.org/tools/deadlock.py	1980-01-02 00:00:00.000000000 +0000
++++ source/tools/deadlock.py	2018-05-29 13:57:11.807126673 +0100
+@@ -44,9 +44,8 @@
+ #
+ # 01-Feb-2017   Kenny Yu   Created this.
+ 
+-from __future__ import (
+-    absolute_import, division, unicode_literals, print_function
+-)
++from __future__ import absolute_import, division, unicode_literals, print_function
++
+ from bcc import BPF
+ from collections import defaultdict
+ import argparse
diff --git a/nixpkgs/pkgs/os-specific/linux/bcc/libbcc-path.patch b/nixpkgs/pkgs/os-specific/linux/bcc/libbcc-path.patch
new file mode 100644
index 000000000000..187bb3aadd00
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bcc/libbcc-path.patch
@@ -0,0 +1,11 @@
+--- source.org/src/python/bcc/libbcc.py	2018-05-13 08:35:06.850522883 +0100
++++ source/src/python/bcc/libbcc.py	2018-05-13 08:36:24.602733151 +0100
+@@ -14,7 +14,7 @@
+ 
+ import ctypes as ct
+ 
+-lib = ct.CDLL("libbcc.so.0", use_errno=True)
++lib = ct.CDLL("@out@/lib/libbcc.so.0", use_errno=True)
+ 
+ # keep in sync with bpf_common.h
+ lib.bpf_module_create_b.restype = ct.c_void_p
diff --git a/nixpkgs/pkgs/os-specific/linux/beefi/default.nix b/nixpkgs/pkgs/os-specific/linux/beefi/default.nix
new file mode 100644
index 000000000000..959a43faea91
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/beefi/default.nix
@@ -0,0 +1,44 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, installShellFiles
+, binutils-unwrapped
+, systemd }:
+
+stdenv.mkDerivation rec {
+  pname = "beefi";
+  version = "0.1.1";
+
+  src = fetchFromGitHub {
+    owner = "jfeick";
+    repo = "beefi";
+    rev = version;
+    sha256 = "1180avalbw414q1gnfqdgc9zg3k9y0401kw9qvcn51qph81d04v5";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  buildInputs = [
+    binutils-unwrapped
+    systemd
+  ];
+
+  patchPhase = ''
+    substituteInPlace beefi \
+      --replace objcopy ${binutils-unwrapped}/bin/objcopy \
+      --replace /usr/lib/systemd ${systemd}/lib/systemd
+  '';
+
+  installPhase = ''
+    install -Dm755 beefi $out/bin/beefi
+    installManPage beefi.1
+  '';
+
+  meta = with lib; {
+    description = "A small script to create bootable EFISTUB kernel images";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ tu-maurice ];
+    homepage = "https://github.com/jfeick/beefi";
+  };
+}
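Review bot: The derivation overrides `patchPhase` outright, which skips the standard patch phase, so a `patches = [ ... ]` list added later would be ignored without any error. Moving the same commands to `postPatch = '' ... '';` keeps the default behaviour. Also, `--replace objcopy ...` rewrites every occurrence of that word in the script, including any in comments or messages; the script is not visible here, so matching on the invocation as it appears in the script would be safer if the word occurs more than once. `licenses.gpl3` is ambiguous between `gpl3Only` and `gpl3Plus`; confirm against the upstream licence text.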
diff --git a/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/default.nix b/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/default.nix
new file mode 100644
index 000000000000..da5011e67373
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/default.nix
@@ -0,0 +1,148 @@
+{ stdenv, stdenvNoCC, lib, fetchzip, pkgs
+, enableStatic ? stdenv.hostPlatform.isStatic
+, enableShared ? !stdenv.hostPlatform.isStatic
+}:
+let
+
+  choosePlatform =
+    let pname = stdenv.targetPlatform.parsed.cpu.name; in
+    pset: pset.${pname} or (throw "bionic-prebuilt: unsupported platform ${pname}");
+
+  prebuilt_crt = choosePlatform {
+    aarch64 = fetchzip {
+      url =  "https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/+archive/98dce673ad97a9640c5d90bbb1c718e75c21e071/lib/gcc/aarch64-linux-android/4.9.x.tar.gz";
+      sha256 = "sha256-LLD2OJi78sNN5NulOsJZl7Ei4F1EUYItGG6eUsKWULc=";
+      stripRoot = false;
+    };
+    x86_64 = fetchzip {
+      url = "https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/x86/x86_64-linux-android-4.9/+archive/7e8507d2a2d4df3bced561b894576de70f065be4/lib/gcc/x86_64-linux-android/4.9.x.tar.gz";
+      sha256 = "sha256-y7CFLF76pTlj+oYev9taBnL2nlT3+Tx8c6wmicWmKEw=";
+      stripRoot = false;
+    };
+  };
+
+  prebuilt_libs = choosePlatform {
+    aarch64 = fetchzip {
+      url = "https://android.googlesource.com/platform/prebuilts/ndk/+archive/f2c77d8ba8a7f5c2d91771e31164f29be0b8ff98/platform/platforms/android-30/arch-arm64/usr/lib.tar.gz";
+      sha256 = "sha256-TZBV7+D1QvKOCEi+VNGT5SStkgj0xRbyWoLH65zSrjw=";
+      stripRoot = false;
+    };
+    x86_64 = fetchzip {
+      url = "https://android.googlesource.com/platform/prebuilts/ndk/+archive/f2c77d8ba8a7f5c2d91771e31164f29be0b8ff98/platform/platforms/android-30/arch-x86_64/usr/lib64.tar.gz";
+      sha256 = "sha256-n2EuOKy3RGKmEYofNlm+vDDBuiQRuAJEJT6wq6NEJQs=";
+      stripRoot = false;
+    };
+  };
+
+  prebuilt_ndk_crt = choosePlatform {
+    aarch64 = fetchzip {
+      url = "https://android.googlesource.com/toolchain/prebuilts/ndk/r23/+archive/6c5fa4c0d3999b9ee932f6acbd430eb2f31f3151/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/aarch64-linux-android/30.tar.gz";
+      sha256 = "sha256-KHw+cCwAwlm+5Nwp1o8WONqdi4BBDhFaVVr+7GxQ5uE=";
+      stripRoot = false;
+    };
+    x86_64 = fetchzip {
+      url = "https://android.googlesource.com/toolchain/prebuilts/ndk/r23/+archive/6c5fa4c0d3999b9ee932f6acbd430eb2f31f3151/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/x86_64-linux-android/30.tar.gz";
+      sha256 = "sha256-XEd7L3cBzn+1pKfji40V92G/uZhHSMMuZcRZaiKkLnk=";
+      stripRoot = false;
+    };
+  };
+
+  ndk_support_headers = fetchzip {
+    url ="https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/+archive/0e7f808fa26cce046f444c9616d9167dafbfb272/clang-r416183b/include/c++/v1/support.tar.gz";
+    sha256 = "sha256-NBv7Pk1CEaz8ns9moleEERr3x/rFmVmG33LgFSeO6fY=";
+    stripRoot = false;
+  };
+
+  kernelHeaders = pkgs.makeLinuxHeaders {
+    version = "android-common-11-5.4";
+    src = fetchzip {
+      url = "https://android.googlesource.com/kernel/common/+archive/48ffcbf0b9e7f0280bfb8c32c68da0aaf0fdfef6.tar.gz";
+      sha256 = "1y7cmlmcr5vdqydd9n785s139yc4aylc3zhqa59xsylmkaf5habk";
+      stripRoot = false;
+    };
+  };
+
+in
+stdenvNoCC.mkDerivation rec {
+  pname = "bionic-prebuilt";
+  version = "ndk-release-r23";
+  name = "${stdenv.targetPlatform.parsed.cpu.name}-${pname}-${version}";
+
+  src = fetchzip {
+    url = "https://android.googlesource.com/platform/bionic/+archive/00e8ce1142d8823b0d2fc8a98b40119b0f1f02cd.tar.gz";
+    sha256 = "10z5mp4w0acvjvgxv7wlqa7m70hcyarmjdlfxbd9rwzf4mrsr8d1";
+    stripRoot = false;
+  };
+
+  NIX_DONT_SET_RPATH = true;
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  patches = [
+    ./ndk-version.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace libc/include/sys/cdefs.h --replace \
+      "__has_builtin(__builtin_umul_overflow)" "1"
+    substituteInPlace libc/include/bits/ioctl.h --replace \
+      "!defined(BIONIC_IOCTL_NO_SIGNEDNESS_OVERLOAD)" "0"
+  '';
+
+  installPhase= ''
+    # copy the bionic headers
+    mkdir -p $out/include/support $out/include/android
+    cp -vr libc/include/* $out/include
+    # copy the kernel headers
+    cp -vr ${kernelHeaders}/include/*  $out/include/
+
+    chmod -R +w $out/include/linux
+
+    # fix a bunch of kernel headers so that things can actually be found
+    sed -i 's,struct epoll_event {,#include <bits/epoll_event.h>\nstruct Xepoll_event {,' $out/include/linux/eventpoll.h
+    sed -i 's,struct in_addr {,typedef unsigned int in_addr_t;\nstruct in_addr {,' $out/include/linux/in.h
+    sed -i 's,struct udphdr {,struct Xudphdr {,' $out/include/linux/udp.h
+    sed -i 's,union semun {,union Xsemun {,' $out/include/linux/sem.h
+    sed -i 's,struct __kernel_sockaddr_storage,#define sockaddr_storage __kernel_sockaddr_storage\nstruct __kernel_sockaddr_storage,' $out/include/linux/socket.h
+    sed -i 's,#ifndef __UAPI_DEF_.*$,#if 1,' $out/include/linux/libc-compat.h
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imr_" "struct in_addr		imr_"
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imsf_" "struct in_addr		imsf_"
+    substituteInPlace $out/include/linux/sysctl.h --replace "__unused" "_unused"
+
+    # what could possibly live in <linux/compiler.h>
+    touch $out/include/linux/compiler.h
+
+    # copy the support headers
+    cp -vr ${ndk_support_headers}* $out/include/support/
+
+    mkdir $out/lib
+    cp -v ${prebuilt_crt.out}/*.o $out/lib/
+    cp -v ${prebuilt_crt.out}/libgcc.a $out/lib/
+    cp -v ${prebuilt_ndk_crt.out}/*.o $out/lib/
+  '' + lib.optionalString enableShared ''
+    for i in libc.so libm.so libdl.so liblog.so; do
+      cp -v ${prebuilt_libs.out}/$i $out/lib/
+    done
+  '' + lib.optionalString enableStatic ''
+    # no liblog.a; while it's also part of the base libraries,
+    # it's only available as shared object in the prebuilts.
+    for i in libc.a libm.a libdl.a; do
+      cp -v ${prebuilt_ndk_crt.out}/$i $out/lib/
+    done
+  '' + ''
+    mkdir -p $dev/include
+    cp -v $out/include/*.h $dev/include/
+  '';
+
+  outputs = [ "out" "dev" ];
+  passthru.linuxHeaders = kernelHeaders;
+
+  meta = with lib; {
+    description = "The Android libc implementation";
+    homepage    = "https://android.googlesource.com/platform/bionic/";
+    license     = licenses.mit;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ s1341 ];
+  };
+}
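Review bot: In `installPhase`, `cp -vr ${ndk_support_headers}* $out/include/support/` has no slash before the `*`, so the glob matches the store directory itself. That appears to place the headers one level too deep, under `$out/include/support/<store-name>/`. If the intent is to copy the directory contents, it should read `cp -vr ${ndk_support_headers}/* $out/include/support/`. Separately, everything under `$out/lib` is a prebuilt object fetched from android.googlesource.com with `dontBuild = true`. The hashes pin those archives, but `meta` does not indicate that the output is binary-derived; where this nixpkgs revision supports it, `sourceProvenance = with sourceTypes; [ binaryNativeCode ];` would expose that to policy checks.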
diff --git a/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch b/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
new file mode 100644
index 000000000000..a6842ed479ff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
@@ -0,0 +1,42 @@
+--- a/libc/include/android/ndk-version.h	2021-04-01 16:08:03.109183965 +0300
++++ b/libc/include/android/ndk-version.h	2021-04-01 16:07:19.811424641 +0300
+@@ -0,0 +1,39 @@
++#pragma once
++
++/**
++ * Set to 1 if this is an NDK, unset otherwise. See
++ * https://android.googlesource.com/platform/bionic/+/master/docs/defines.md.
++ */
++#define __ANDROID_NDK__ 1
++
++/**
++ * Major version of this NDK.
++ *
++ * For example: 16 for r16.
++ */
++#define __NDK_MAJOR__ 22
++
++/**
++ * Minor version of this NDK.
++ *
++ * For example: 0 for r16 and 1 for r16b.
++ */
++#define __NDK_MINOR__ 0
++
++/**
++ * Set to 0 if this is a release build, or 1 for beta 1,
++ * 2 for beta 2, and so on.
++ */
++#define __NDK_BETA__ 0
++
++/**
++ * Build number for this NDK.
++ *
++ * For a local development build of the NDK, this is -1.
++ */
++#define __NDK_BUILD__ 7026061
++
++/**
++ * Set to 1 if this is a canary build, 0 if not.
++ */
++#define __NDK_CANARY__ 0
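Review bot: The generated header sets `__NDK_MAJOR__` to 22, which appears to disagree with the package that applies this patch: it declares `version = "ndk-release-r23"` and fetches its CRT objects from the `ndk/r23` prebuilts. Code that branches on `__NDK_MAJOR__` would then see a different NDK than the libraries it links against. If r23 is intended, the define should be `#define __NDK_MAJOR__ 23`, with `__NDK_BUILD__` updated to the matching build number. If 22 is deliberate, a comment in the header explaining why would prevent a later "fix".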
diff --git a/nixpkgs/pkgs/os-specific/linux/blktrace/default.nix b/nixpkgs/pkgs/os-specific/linux/blktrace/default.nix
new file mode 100644
index 000000000000..e44f90a36367
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/blktrace/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchurl, libaio }:
+
+stdenv.mkDerivation rec {
+  pname = "blktrace";
+  version = "1.3.0";
+
+  # Official source
+  # "git://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git"
+  src = fetchurl {
+    url = "https://brick.kernel.dk/snaps/blktrace-${version}.tar.bz2";
+    sha256 = "sha256-1t7aA4Yt4r0bG5+6cpu7hi2bynleaqf3yoa2VoEacNY=";
+  };
+
+  buildInputs = [ libaio ];
+
+  preConfigure = ''
+    sed s,/usr/local,$out, -i Makefile
+  '';
+
+  meta = with lib; {
+    description = "Block layer IO tracing mechanism";
+    maintainers = with maintainers; [ ];
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bluez/default.nix b/nixpkgs/pkgs/os-specific/linux/bluez/default.nix
new file mode 100644
index 000000000000..d09ef77fb0d8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bluez/default.nix
@@ -0,0 +1,152 @@
+{ stdenv
+, lib
+, fetchurl
+, fetchpatch
+, alsa-lib
+, dbus
+, ell
+, glib
+, json_c
+, libical
+, docutils
+, pkg-config
+, python3
+, readline
+, systemdMinimal
+, udev
+, withExperimental ? false
+}: let
+  pythonPath = with python3.pkgs; [
+    dbus-python
+    pygobject3
+    recursivePthLoader
+  ];
+in stdenv.mkDerivation rec {
+  pname = "bluez";
+  version = "5.64";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/bluetooth/${pname}-${version}.tar.xz";
+    sha256 = "sha256-rkN+ZbazBwwZi8WwEJ/pzeueqjhzgOIHL53mX+ih3jQ=";
+  };
+
+  buildInputs = [
+    alsa-lib
+    dbus
+    ell
+    glib
+    json_c
+    libical
+    python3
+    readline
+    udev
+  ];
+
+  nativeBuildInputs = [
+    docutils
+    pkg-config
+    python3.pkgs.wrapPython
+  ];
+
+  outputs = [ "out" "dev" "test" ];
+
+  patches = [
+    # https://github.com/bluez/bluez/commit/0905a06410d4a5189f0be81e25eb3c3e8a2199c5
+    # which fixes https://github.com/bluez/bluez/issues/329
+    # and is already merged upstream and not yet in a release.
+    (fetchpatch {
+      name = "StateDirectory_and_ConfigurationDirectory.patch";
+      url = "https://github.com/bluez/bluez/commit/0905a06410d4a5189f0be81e25eb3c3e8a2199c5.patch";
+      sha256 = "sha256-MI6yPTiDLHsSTjLvNqtWnuy2xUMYpSat1WhMbeoedSM=";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace tools/hid2hci.rules \
+      --replace /sbin/udevadm ${systemdMinimal}/bin/udevadm \
+      --replace "hid2hci " "$out/lib/udev/hid2hci "
+    # Disable some tests:
+    # - test-mesh-crypto depends on the following kernel settings:
+    #   CONFIG_CRYPTO_[USER|USER_API|USER_API_AEAD|USER_API_HASH|AES|CCM|AEAD|CMAC]
+    if [[ ! -f unit/test-mesh-crypto.c ]]; then echo "unit/test-mesh-crypto.c no longer exists"; false; fi
+    echo 'int main() { return 77; }' > unit/test-mesh-crypto.c
+  '';
+
+  configureFlags = [
+    "--localstatedir=/var"
+    "--enable-library"
+    "--enable-cups"
+    "--enable-pie"
+    "--enable-external-ell"
+    "--with-dbusconfdir=${placeholder "out"}/share"
+    "--with-dbussystembusdir=${placeholder "out"}/share/dbus-1/system-services"
+    "--with-dbussessionbusdir=${placeholder "out"}/share/dbus-1/services"
+    "--with-systemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
+    "--with-systemduserunitdir=${placeholder "out"}/etc/systemd/user"
+    "--with-udevdir=${placeholder "out"}/lib/udev"
+    "--enable-health"
+    "--enable-mesh"
+    "--enable-midi"
+    "--enable-nfc"
+    "--enable-sap"
+    "--enable-sixaxis"
+    "--enable-btpclient"
+    "--enable-hid2hci"
+    "--enable-logger"
+
+    # To provide ciptool, sdptool, and rfcomm (unmaintained)
+    # superseded by new D-Bus APIs
+    "--enable-deprecated"
+  ] ++ lib.optional withExperimental "--enable-experimental";
+
+
+  # Work around `make install' trying to create /var/lib/bluetooth.
+  installFlags = [ "statedir=$(TMPDIR)/var/lib/bluetooth" ];
+
+  makeFlags = [ "rulesdir=${placeholder "out"}/lib/udev/rules.d" ];
+
+  doCheck = stdenv.hostPlatform.isx86_64;
+
+  postInstall = ''
+    mkdir -p $test/{bin,test}
+    cp -a test $test
+    pushd $test/test
+    for a in \
+            simple-agent \
+            test-adapter \
+            test-device \
+            test-thermometer \
+            list-devices \
+            monitor-bluetooth \
+            ; do
+      ln -s ../test/$a $test/bin/bluez-$a
+    done
+    popd
+    wrapPythonProgramsIn $test/test "$test/test ${toString pythonPath}"
+  '' + ''
+    # for bluez4 compatibility for NixOS
+    mkdir $out/sbin
+    ln -s ../libexec/bluetooth/bluetoothd $out/sbin/bluetoothd
+    ln -s ../libexec/bluetooth/obexd $out/sbin/obexd
+
+    # Add extra configuration
+    mkdir $out/etc/bluetooth
+    ln -s /etc/bluetooth/main.conf $out/etc/bluetooth/main.conf
+
+    # Add missing tools, ref https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/bluez
+    for files in `find tools/ -type f -perm -755`; do
+      filename=$(basename $files)
+      install -Dm755 tools/$filename $out/bin/$filename
+    done
+    install -Dm755 attrib/gatttool $out/bin/gatttool
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Bluetooth support for Linux";
+    homepage = "http://www.bluez.org/";
+    license = with licenses; [ gpl2 lgpl21 ];
+    platforms = platforms.linux;
+  };
+}
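Review bot: `configureFlags` turns on every optional profile plus `--enable-deprecated` unconditionally, while only `--enable-experimental` is gated (behind `withExperimental`). bluetoothd handles input from nearby radios, so each built-in plugin and each legacy tool installed into `$out/bin` is code shipped to every system using this package, needed or not. I would gate the deprecated tools the same way, with a `withDeprecated ? true` argument and `++ lib.optional withDeprecated "--enable-deprecated"`, which keeps the current default but lets hardened configurations opt out. The `find tools/ -type f -perm -755` loop in `postInstall` likewise installs every executable under `tools/` and deserves a comment naming what it is meant to pick up.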
diff --git a/nixpkgs/pkgs/os-specific/linux/bolt/0001-skip-mkdir.patch b/nixpkgs/pkgs/os-specific/linux/bolt/0001-skip-mkdir.patch
new file mode 100644
index 000000000000..0853bcea9167
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bolt/0001-skip-mkdir.patch
@@ -0,0 +1,12 @@
+diff --git a/scripts/meson-install.sh b/scripts/meson-install.sh
+index 859ae81..05a1c58 100644
+--- a/scripts/meson-install.sh
++++ b/scripts/meson-install.sh
+@@ -7,5 +7,5 @@ fi
+ 
+ BOLT_DBDIR=$1
+ 
+-echo "Creating database dir: ${BOLT_DBDIR}"
+-mkdir -p "${DESTDIR}/${BOLT_DBDIR}"
++# echo "Creating database dir: ${BOLT_DBDIR}"
++# mkdir -p "${DESTDIR}/${BOLT_DBDIR}"
diff --git a/nixpkgs/pkgs/os-specific/linux/bolt/default.nix b/nixpkgs/pkgs/os-specific/linux/bolt/default.nix
new file mode 100644
index 000000000000..d424f89fdfb3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bolt/default.nix
@@ -0,0 +1,96 @@
+{ stdenv
+, lib
+, meson
+, ninja
+, pkg-config
+, fetchFromGitLab
+, fetchpatch
+, python3
+, umockdev
+, gobject-introspection
+, dbus
+, asciidoc
+, libxml2
+, libxslt
+, docbook_xml_dtd_45
+, docbook-xsl-nons
+, glib
+, systemd
+, polkit
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bolt";
+  version = "0.9.2";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "bolt";
+    repo = "bolt";
+    rev = version;
+    sha256 = "eXjj7oD5HOW/AG2uxDa0tSleKmbouFd2fwlL2HHFiMA=";
+  };
+
+  patches = [
+    # meson install tries to create /var/lib/boltd
+    ./0001-skip-mkdir.patch
+
+    # Test does not work on ZFS with atime disabled.
+    # Upstream issue: https://gitlab.freedesktop.org/bolt/bolt/-/issues/167
+    (fetchpatch {
+      url = "https://gitlab.freedesktop.org/bolt/bolt/-/commit/c2f1d5c40ad71b20507e02faa11037b395fac2f8.diff";
+      revert = true;
+      sha256 = "6w7ll65W/CydrWAVi/qgzhrQeDv1PWWShulLxoglF+I=";
+    })
+  ];
+
+  nativeBuildInputs = [
+    asciidoc
+    docbook_xml_dtd_45
+    docbook-xsl-nons
+    libxml2
+    libxslt
+    meson
+    ninja
+    pkg-config
+  ] ++ lib.optional (!doCheck) python3;
+
+  buildInputs = [
+    glib
+    polkit
+    systemd
+  ];
+
+  doCheck = true;
+
+  preCheck = ''
+    export LD_LIBRARY_PATH=${umockdev.out}/lib/
+  '';
+
+  checkInputs = [
+    dbus
+    gobject-introspection
+    umockdev
+    (python3.withPackages
+      (p: [ p.pygobject3 p.dbus-python p.python-dbusmock ]))
+  ];
+
+  postPatch = ''
+    patchShebangs scripts tests
+  '';
+
+  mesonFlags = [
+    "-Dlocalstatedir=/var"
+  ];
+
+  PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
+  PKG_CONFIG_UDEV_UDEVDIR = "${placeholder "out"}/lib/udev";
+
+  meta = with lib; {
+    description = "Thunderbolt 3 device management daemon";
+    homepage = "https://gitlab.freedesktop.org/bolt/bolt";
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ callahad ];
+    platforms = platforms.linux;
+  };
+}
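Review bot: The `fetchpatch` with `revert = true` backs out upstream commit c2f1d5c40ad71b20507e02faa11037b395fac2f8 for the whole build, but the comment only says that a test fails on ZFS with atime disabled. This hunk does not show whether that commit touches only test code or also the daemon, and bolt is the component that manages Thunderbolt device authorization, so reverting daemon logic to satisfy a test would need justification. Please extend the comment, e.g. `# Reverts <one-line summary of the commit>; affects tests/ only (verify)`, or skip the failing test instead of reverting.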
diff --git a/nixpkgs/pkgs/os-specific/linux/bpfmon/default.nix b/nixpkgs/pkgs/os-specific/linux/bpfmon/default.nix
new file mode 100644
index 000000000000..32781d365491
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bpfmon/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchFromGitHub, lib, libpcap, yascreen }:
+
+stdenv.mkDerivation rec {
+  pname = "bpfmon";
+  version = "2.50";
+
+  src = fetchFromGitHub {
+    owner = "bbonev";
+    repo = "bpfmon";
+    rev = "v${version}";
+    sha256 = "sha256-x4EuGZBtg45bD9q1B/6KwjDRXXeRsdFmRllREsech+E=";
+  };
+
+  buildInputs = [ libpcap yascreen ];
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "BPF based visual packet rate monitor";
+    homepage = "https://github.com/bbonev/bpfmon";
+    maintainers = with maintainers; [ arezvov ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/bpftools/default.nix b/nixpkgs/pkgs/os-specific/linux/bpftools/default.nix
new file mode 100644
index 000000000000..b4621feeb31f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bpftools/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv
+, libopcodes, libbfd, elfutils, readline
+, linuxPackages_latest, zlib
+, python3, bison, flex
+}:
+
+stdenv.mkDerivation {
+  pname = "bpftools";
+  inherit (linuxPackages_latest.kernel) version src;
+
+  nativeBuildInputs = [ python3 bison flex ];
+  buildInputs = [ libopcodes libbfd elfutils zlib readline ];
+
+  preConfigure = ''
+    patchShebangs scripts/bpf_doc.py
+
+    cd tools/bpf
+    substituteInPlace ./bpftool/Makefile \
+      --replace '/usr/local' "$out" \
+      --replace '/usr'       "$out" \
+      --replace '/sbin'      '/bin'
+  '';
+
+  buildFlags = [ "bpftool" "bpf_asm" "bpf_dbg" ];
+
+  installPhase = ''
+    make -C bpftool install
+    install -Dm755 -t $out/bin bpf_asm
+    install -Dm755 -t $out/bin bpf_dbg
+  '';
+
+  meta = with lib; {
+    description = "Debugging/program analysis tools for the eBPF subsystem";
+    license     = [ licenses.gpl2 licenses.bsd2 ];
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice ];
+  };
+}
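Review bot: The three `--replace` rules in `preConfigure` are plain substring replacements whose result depends on their order (`/usr/local` has to be rewritten before `/usr`, and `/sbin` is rewritten wherever it occurs in the Makefile), and nothing in the derivation says so. Because `src` is inherited from `linuxPackages_latest.kernel`, the Makefile being patched changes with every kernel bump, so a silent mismatch is plausible. I would add a comment above the call such as `# order matters: rewrite /usr/local before /usr; /sbin -> /bin so bpftool lands in $out/bin`.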
diff --git a/nixpkgs/pkgs/os-specific/linux/bpftrace/default.nix b/nixpkgs/pkgs/os-specific/linux/bpftrace/default.nix
new file mode 100644
index 000000000000..6cc9e40bdbf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bpftrace/default.nix
@@ -0,0 +1,86 @@
+{ lib, stdenv, fetchFromGitHub
+, cmake, pkg-config, flex, bison
+, llvmPackages, elfutils
+, libbfd, libbpf, libopcodes, bcc
+, cereal, asciidoctor
+, nixosTests
+, util-linux
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bpftrace";
+  version = "0.15.0";
+
+  # Cherry-picked from merged PR, remove this hook on next update
+  # https://github.com/iovisor/bpftrace/pull/2242
+  # Cannot `fetchpatch` such pure renaming diff since
+  # https://github.com/iovisor/bpftrace/commit/2df807dbae4037aa8bf0afc03f52fb3f6321c62a.patch
+  # does not contain any diff in unified format but just this instead:
+  #   ...
+  #   man/man8/{bashreadline.8 => bashreadline.bt.8}     | 0
+  #   ...
+  #   35 files changed, 0 insertions(+), 0 deletions(-)
+  #   rename man/man8/{bashreadline.8 => bashreadline.bt.8} (100%)
+  #   ...
+  # on witch `fetchpatch` fails with
+  #   error: Normalized patch '/build/patch' is empty (while the fetched file was not)!
+  #   Did you maybe fetch a HTML representation of a patch instead of a raw patch?
+  postUnpack = ''
+    rename .8 .bt.8 "$sourceRoot"/man/man8/*.8
+  '';
+
+  src = fetchFromGitHub {
+    owner  = "iovisor";
+    repo   = "bpftrace";
+    rev    = "v${version}";
+    sha256 = "sha256-9adZAKSn00W2yNwVDbVB1/O5Y+10c4EkVJGCHyd4Tgg=";
+  };
+
+  buildInputs = with llvmPackages;
+    [ llvm libclang
+      elfutils bcc
+      libbpf libbfd libopcodes
+      cereal asciidoctor
+    ];
+
+  nativeBuildInputs = [ cmake pkg-config flex bison llvmPackages.llvm.dev util-linux ];
+
+  # tests aren't built, due to gtest shenanigans. see:
+  #
+  #     https://github.com/iovisor/bpftrace/issues/161#issuecomment-453606728
+  #     https://github.com/iovisor/bpftrace/pull/363
+  #
+  cmakeFlags =
+    [ "-DBUILD_TESTING=FALSE"
+      "-DLIBBCC_INCLUDE_DIRS=${bcc}/include"
+    ];
+
+  # nuke the example/reference output .txt files, for the included tools,
+  # stuffed inside $out. we don't need them at all.
+  # (see "Allow skipping examples" for a potential option
+  #  https://github.com/iovisor/bpftrace/pull/2256)
+  #
+  # Pull BPF scripts into $PATH (next to their bcc program equivalents), but do
+  # not move them to keep `${pkgs.bpftrace}/share/bpftrace/tools/...` working.
+  # (remove `chmod` once a new release "Add executable permission to tools"
+  #  https://github.com/iovisor/bpftrace/commit/77e524e6d276216ed6a6e1984cf204418db07c78)
+  postInstall = ''
+    rm -rf $out/share/bpftrace/tools/doc
+
+    ln -s $out/share/bpftrace/tools/*.bt $out/bin/
+    chmod +x $out/bin/*.bt
+  '';
+
+  outputs = [ "out" "man" ];
+
+  passthru.tests = {
+    bpf = nixosTests.bpf;
+  };
+
+  meta = with lib; {
+    description = "High-level tracing language for Linux eBPF";
+    homepage    = "https://github.com/iovisor/bpftrace";
+    license     = licenses.asl20;
+    maintainers = with maintainers; [ rvl thoughtpolice martinetd ];
+  };
+}
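Review bot: `meta` has no `platforms` attribute, unlike the bpftools and bpfmon expressions added in this same commit, although the description says the tool targets Linux eBPF. Adding `platforms = platforms.linux;` makes the restriction explicit and consistent with the sibling packages. Separately, the comment above `postUnpack` contains the typo `on witch` (should be `on which`).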
diff --git a/nixpkgs/pkgs/os-specific/linux/bridge-utils/autoconf-ar.patch b/nixpkgs/pkgs/os-specific/linux/bridge-utils/autoconf-ar.patch
new file mode 100644
index 000000000000..21b089179ce1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bridge-utils/autoconf-ar.patch
@@ -0,0 +1,21 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -9,6 +9,7 @@ dnl Checks for programs.
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AC_PROG_RANLIB
++AC_CHECK_TOOL([AR], [ar])
+ 
+ dnl Checks for header files.
+ AC_HEADER_STDC
+--- a/libbridge/Makefile.in
++++ b/libbridge/Makefile.in
+@@ -1,7 +1,7 @@
+ 
+ KERNEL_HEADERS=-I@KERNEL_HEADERS@
+ 
+-AR=ar
++AR=@AR@
+ RANLIB=@RANLIB@
+ 
+ CC=@CC@
diff --git a/nixpkgs/pkgs/os-specific/linux/bridge-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/bridge-utils/default.nix
new file mode 100644
index 000000000000..cbbf77c67c8a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/bridge-utils/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, fetchurl, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "bridge-utils";
+  version = "1.7.1";
+
+  src = fetchurl {
+    url = "https://kernel.org/pub/linux/utils/net/bridge-utils/bridge-utils-${version}.tar.xz";
+    sha256 = "sha256-ph2L5PGhQFxgyO841UTwwYwFszubB+W0sxAzU2Fl5g4=";
+  };
+
+  patches = [ ./autoconf-ar.patch ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  meta = {
+    description = "An userspace tool to configure linux bridges (deprecated in favour or iproute2).";
+    homepage = "https://wiki.linuxfoundation.org/networking/bridge";
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/brillo/default.nix b/nixpkgs/pkgs/os-specific/linux/brillo/default.nix
new file mode 100644
index 000000000000..246aa471c2a9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/brillo/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitLab , go-md2man, coreutils, substituteAll }:
+
+stdenv.mkDerivation rec {
+  pname = "brillo";
+  version = "1.4.10";
+
+  src = fetchFromGitLab {
+    owner= "cameronnemo";
+    repo= "brillo";
+    rev= "v${version}";
+    sha256 = "sha256-x8K6CMkOyR+kWRlqa/BmJogZo41LvsL1kfz6CZ5PaUI=";
+  };
+
+  patches = [
+    (substituteAll {
+      src = ./udev-rule.patch;
+      inherit coreutils;
+    })
+  ];
+
+  nativeBuildInputs = [ go-md2man ];
+
+  makeFlags = [ "PREFIX=$(out)" "AADIR=$(out)/etc/apparmor.d" ];
+
+  installTargets = [ "install-dist" ];
+
+  meta = with lib; {
+    description = "Backlight and Keyboard LED control tool";
+    homepage = "https://gitlab.com/cameronnemo/brillo";
+    license = [ licenses.gpl3 licenses.bsd0 ];
+    platforms = platforms.linux;
+    maintainers = [ maintainers.alexarice ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/brillo/udev-rule.patch b/nixpkgs/pkgs/os-specific/linux/brillo/udev-rule.patch
new file mode 100644
index 000000000000..7b1cf4840675
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/brillo/udev-rule.patch
@@ -0,0 +1,13 @@
+diff --git a/contrib/udev.in b/contrib/udev.in
+index 0625952..a6c940e 100644
+--- a/contrib/udev.in
++++ b/contrib/udev.in
+@@ -1,4 +1,4 @@
+-ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chgrp @group@ /sys/class/backlight/%k/brightness"
+-ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chmod g+w /sys/class/backlight/%k/brightness"
+-ACTION=="add", SUBSYSTEM=="leds", RUN+="/bin/chgrp @group@ /sys/class/leds/%k/brightness"
+-ACTION=="add", SUBSYSTEM=="leds", RUN+="/bin/chmod g+w /sys/class/leds/%k/brightness"
++ACTION=="add", SUBSYSTEM=="backlight", RUN+="@coreutils@/bin/chgrp @group@ /sys/class/backlight/%k/brightness"
++ACTION=="add", SUBSYSTEM=="backlight", RUN+="@coreutils@/bin/chmod g+w /sys/class/backlight/%k/brightness"
++ACTION=="add", SUBSYSTEM=="leds", RUN+="@coreutils@/bin/chgrp @group@ /sys/class/leds/%k/brightness"
++ACTION=="add", SUBSYSTEM=="leds", RUN+="@coreutils@/bin/chmod g+w /sys/class/leds/%k/brightness"
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/default.nix b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/default.nix
new file mode 100644
index 000000000000..d7acf94e39a1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/default.nix
@@ -0,0 +1,74 @@
+{ lib, stdenv, fetchurl, kernel }:
+
+let
+  version = "6.30.223.271";
+  hashes = {
+    i686-linux   = "1kaqa2dw3nb8k23ffvx46g8jj3wdhz8xa6jp1v3wb35cjfr712sg";
+    x86_64-linux = "1gj485qqr190idilacpxwgqyw21il03zph2rddizgj7fbd6pfyaz";
+  };
+
+  arch = lib.optionalString (stdenv.hostPlatform.system == "x86_64-linux") "_64";
+  tarballVersion = lib.replaceStrings ["."] ["_"] version;
+  tarball = "hybrid-v35${arch}-nodebug-pcoem-${tarballVersion}.tar.gz";
+in
+stdenv.mkDerivation {
+  name = "broadcom-sta-${version}-${kernel.version}";
+
+  src = fetchurl {
+    url = "https://docs.broadcom.com/docs-and-downloads/docs/linux_sta/${tarball}";
+    sha256 = hashes.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  patches = [
+    ./i686-build-failure.patch
+    ./license.patch
+    ./linux-4.7.patch
+    # source: https://git.archlinux.org/svntogit/community.git/tree/trunk/004-linux48.patch?h=packages/broadcom-wl-dkms
+    ./linux-4.8.patch
+    # source: https://aur.archlinux.org/cgit/aur.git/tree/linux411.patch?h=broadcom-wl
+    ./linux-4.11.patch
+    # source: https://aur.archlinux.org/cgit/aur.git/tree/linux412.patch?h=broadcom-wl
+    ./linux-4.12.patch
+    ./linux-4.15.patch
+    ./linux-5.1.patch
+    # source: https://salsa.debian.org/Herrie82-guest/broadcom-sta/-/commit/247307926e5540ad574a17c062c8da76990d056f
+    ./linux-5.6.patch
+    # source: https://gist.github.com/joanbm/5c640ac074d27fd1d82c74a5b67a1290
+    ./linux-5.9.patch
+    # source: https://github.com/archlinux/svntogit-community/blob/33b4bd2b9e30679b03f5d7aa2741911d914dcf94/trunk/012-linux517.patch
+    ./linux-5.17.patch
+    # source: https://github.com/archlinux/svntogit-community/blob/2e1fd240f9ce06f500feeaa3e4a9675e65e6b967/trunk/013-linux518.patch
+    ./linux-5.18.patch
+    ./pedantic-fix.patch
+    ./null-pointer-fix.patch
+    ./gcc.patch
+  ];
+
+  makeFlags = [ "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}" ];
+
+  unpackPhase = ''
+    sourceRoot=broadcom-sta
+    mkdir "$sourceRoot"
+    tar xvf "$src" -C "$sourceRoot"
+  '';
+
+  installPhase = ''
+    binDir="$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+    docDir="$out/share/doc/broadcom-sta/"
+    mkdir -p "$binDir" "$docDir"
+    cp wl.ko "$binDir"
+    cp lib/LICENSE.txt "$docDir"
+  '';
+
+  meta = {
+    description = "Kernel module driver for some Broadcom's wireless cards";
+    homepage = "http://www.broadcom.com/support/802.11/linux_sta.php";
+    license = lib.licenses.unfreeRedistributable;
+    maintainers = with lib.maintainers; [ ];
+    platforms = lib.platforms.linux;
+  };
+}
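Review bot: Only some entries in `patches` carry a `# source:` comment; `i686-build-failure.patch`, `license.patch`, `linux-4.7.patch`, `linux-4.15.patch`, `linux-5.1.patch`, `pedantic-fix.patch`, `null-pointer-fix.patch` and `gcc.patch` have none, and the source given for `linux-5.9.patch` is a gist URL without a revision. These patches modify an out-of-tree kernel module, so a reviewer needs to be able to trace each one to its origin. I would add a `# source: <URL, or "local to nixpkgs">` line above each undocumented entry and pin the gist reference to a specific revision. `homepage` also uses plain `http://`; `https://` is preferable if the vendor serves it.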
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/gcc.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/gcc.patch
new file mode 100644
index 000000000000..f93e3f1d3a3f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/gcc.patch
@@ -0,0 +1,11 @@
+--- a/Makefile	2014-06-26 10:42:08.000000000 +0000
++++ b/Makefile	2014-07-17 22:44:01.662297228 +0000
+@@ -126,6 +126,8 @@
+ EXTRA_CFLAGS       += -I$(src)/src/shared/bcmwifi/include
+ #EXTRA_CFLAGS       += -DBCMDBG_ASSERT -DBCMDBG_ERR
+ 
++EXTRA_CFLAGS       += -Wno-date-time
++
+ EXTRA_LDFLAGS      := $(src)/lib/wlc_hybrid.o_shipped
+ 
+ KBASE              ?= /lib/modules/`uname -r`
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/i686-build-failure.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/i686-build-failure.patch
new file mode 100644
index 000000000000..9bb093ca49c5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/i686-build-failure.patch
@@ -0,0 +1,18 @@
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=fe47ae6e1a5005b2e82f7eab57b5c3820453293a
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4ea1636b04dbd66536fa387bae2eea463efc705b
+
+diff -ru a/src/shared/linux_osl.c b/src/shared/linux_osl.c
+--- a/src/shared/linux_osl.c	2015-09-19 01:47:15.000000000 +0300
++++ b/src/shared/linux_osl.c	2015-11-21 15:20:30.585902518 +0200
+@@ -932,7 +932,11 @@
+ 	uint cycles;
+ 
+ #if defined(__i386__)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
++	cycles = (u32)rdtsc();
++#else
+ 	rdtscl(cycles);
++#endif
+ #else
+ 	cycles = 0;
+ #endif 
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/license.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/license.patch
new file mode 100644
index 000000000000..aebb46365195
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/license.patch
@@ -0,0 +1,13 @@
+diff -Naur hybrid-portsrc-x86_32-v5_10_91_9.orig/src/wl/sys/wl_linux.c hybrid-portsrc-x86_32-v5_10_91_9/src/wl/sys/wl_linux.c
+--- hybrid-portsrc-x86_32-v5_10_91_9.orig/src/wl/sys/wl_linux.c	2009-04-23 02:48:59.000000000 +0900
++++ hybrid-portsrc-x86_32-v5_10_91_9/src/wl/sys/wl_linux.c	2009-05-08 00:48:20.000000000 +0900
+@@ -171,6 +171,8 @@
+ static void wl_free_if(wl_info_t *wl, wl_if_t *wlif);
+ static void wl_get_driver_info(struct net_device *dev, struct ethtool_drvinfo *info);
+ 
++MODULE_LICENSE("MIXED/Proprietary");
++
+ #if defined(WL_CONFIG_RFKILL)
+ #include <linux/rfkill.h>
+ static int wl_init_rfkill(wl_info_t *wl);
+
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.11.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.11.patch
new file mode 100644
index 000000000000..a779f8c84cfd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.11.patch
@@ -0,0 +1,52 @@
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index a9671e2..da36405 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -30,6 +30,9 @@
+ #include <linux/kthread.h>
+ #include <linux/netdevice.h>
+ #include <linux/ieee80211.h>
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
++#include <linux/sched/signal.h>
++#endif
+ #include <net/cfg80211.h>
+ #include <linux/nl80211.h>
+ #include <net/rtnetlink.h>
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index 489c9f5..f8278ad 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -117,6 +117,9 @@ int wl_found = 0;
+ 
+ typedef struct priv_link {
+ 	wl_if_t *wlif;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
++	unsigned long last_rx;
++#endif
+ } priv_link_t;
+ 
+ #define WL_DEV_IF(dev)          ((wl_if_t*)((priv_link_t*)DEV_PRIV(dev))->wlif)
+@@ -2450,6 +2453,9 @@ wl_monitor(wl_info_t *wl, wl_rxsts_t *rxsts, void *p)
+ {
+ 	struct sk_buff *oskb = (struct sk_buff *)p;
+ 	struct sk_buff *skb;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
++	priv_link_t *priv_link;
++#endif
+ 	uchar *pdata;
+ 	uint len;
+ 
+@@ -2916,7 +2922,13 @@ wl_monitor(wl_info_t *wl, wl_rxsts_t *rxsts, void *p)
+ 	if (skb == NULL) return;
+ 
+ 	skb->dev = wl->monitor_dev;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
++	priv_link = MALLOC(wl->osh, sizeof(priv_link_t));
++	priv_link = netdev_priv(skb->dev);
++	priv_link->last_rx = jiffies;
++#else
+ 	skb->dev->last_rx = jiffies;
++#endif
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ 	skb_reset_mac_header(skb);
+ #else
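Review bot: In the last hunk of this patch (`wl_monitor`, the 4.11+ branch) the pointer returned by `MALLOC(wl->osh, sizeof(priv_link_t))` is overwritten on the very next line by `priv_link = netdev_priv(skb->dev);`, so the allocation is never used or freed. As written this leaks `sizeof(priv_link_t)` bytes of kernel memory on every call that reaches this point, which for a monitor interface presumably means once per delivered frame. Drop the `MALLOC` line and keep only `priv_link = netdev_priv(skb->dev);` followed by `priv_link->last_rx = jiffies;`. The body of `wl_monitor` starts and ends outside the quoted hunks, so whether the private area of `wl->monitor_dev` really is a `priv_link_t` should be confirmed against the full source.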
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.12.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.12.patch
new file mode 100644
index 000000000000..8abc73db4db1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.12.patch
@@ -0,0 +1,68 @@
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index da36405..d3741eb 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -53,7 +53,11 @@ u32 wl_dbg_level = WL_DBG_ERR;
+ #endif
+ 
+ static s32 wl_cfg80211_change_iface(struct wiphy *wiphy, struct net_device *ndev,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
++           enum nl80211_iftype type, struct vif_params *params);
++#else
+            enum nl80211_iftype type, u32 *flags, struct vif_params *params);
++#endif
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)
+ static s32
+ wl_cfg80211_scan(struct wiphy *wiphy,
+@@ -466,7 +470,11 @@ wl_dev_ioctl(struct net_device *dev, u32 cmd, void *arg, u32 len)
+ 
+ static s32
+ wl_cfg80211_change_iface(struct wiphy *wiphy, struct net_device *ndev,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
++                         enum nl80211_iftype type,
++#else
+                          enum nl80211_iftype type, u32 *flags,
++#endif
+    struct vif_params *params)
+ {
+ 	struct wl_cfg80211_priv *wl = wiphy_to_wl(wiphy);
+@@ -2361,6 +2369,20 @@ wl_bss_roaming_done(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+                     const wl_event_msg_t *e, void *data)
+ {
+ 	struct wl_cfg80211_connect_info *conn_info = wl_to_conn(wl);
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
++	struct cfg80211_bss *bss;
++	struct wlc_ssid *ssid;
++	ssid = &wl->profile->ssid;
++	bss = cfg80211_get_bss(wl_to_wiphy(wl), NULL, (s8 *)&wl->bssid,
++	ssid->SSID, ssid->SSID_len, WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_ESS);
++	struct cfg80211_roam_info roam_info = {
++		.bss = bss,
++		.req_ie = conn_info->req_ie,
++		.req_ie_len = conn_info->req_ie_len,
++		.resp_ie = conn_info->resp_ie,
++		.resp_ie_len = conn_info->resp_ie_len,
++	};
++#endif
+ 	s32 err = 0;
+ 
+ 	wl_get_assoc_ies(wl);
+@@ -2368,12 +2390,17 @@ wl_bss_roaming_done(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+ 	memcpy(&wl->bssid, &e->addr, ETHER_ADDR_LEN);
+ 	wl_update_bss_info(wl);
+ 	cfg80211_roamed(ndev,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
++			&roam_info,
++#else
+ #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 39)
+ 			&wl->conf->channel,	 
+ #endif
+ 			(u8 *)&wl->bssid,
+ 			conn_info->req_ie, conn_info->req_ie_len,
+-			conn_info->resp_ie, conn_info->resp_ie_len, GFP_KERNEL);
++			conn_info->resp_ie, conn_info->resp_ie_len,
++#endif
++			GFP_KERNEL);
+ 	WL_DBG(("Report roaming result\n"));
+ 
+ 	set_bit(WL_STATUS_CONNECTED, &wl->status);
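Review bot: In `wl_bss_roaming_done` the new 4.12+ block calls `cfg80211_get_bss(...)` with `wl->bssid` at the top of the function, before the `memcpy(&wl->bssid, &e->addr, ETHER_ADDR_LEN)` shown in the following hunk, so `roam_info.bss` appears to be looked up for the BSSID being roamed away from, and the result is not checked for NULL. The two trailing `WLAN_CAPABILITY_ESS` arguments also look like the older capability mask/value form of `cfg80211_get_bss`; on kernels where those parameters are the BSS-type and privacy enums they would select something different, which should be verified against the target kernel's header. A simpler form, assuming the target kernel's `struct cfg80211_roam_info` has these members, is to drop the early lookup and replace `.bss = bss,` with `.channel = &wl->conf->channel,` and `.bssid = (u8 *)&wl->bssid,`; both are pointers into `wl`, so they see the BSSID written by the later `memcpy`, and they mirror what the pre-4.12 branch passes. `struct cfg80211_roam_info roam_info` is also declared after statements, which kernel builds normally warn about. The function body continues outside the hunks.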
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.15.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.15.patch
new file mode 100644
index 000000000000..523fa291d525
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.15.patch
@@ -0,0 +1,47 @@
+See: https://lkml.org/lkml/2017/11/25/90
+
+diff -urNZ a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+--- a/src/wl/sys/wl_linux.c	2015-09-18 22:47:30.000000000 +0000
++++ b/src/wl/sys/wl_linux.c	2018-01-31 22:52:10.859856221 +0000
+@@ -93,7 +93,11 @@
+
+ #include <wlc_wowl.h>
+
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
++static void wl_timer(struct timer_list *tl);
++#else
+ static void wl_timer(ulong data);
++#endif
+ static void _wl_timer(wl_timer_t *t);
+ static struct net_device *wl_alloc_linux_if(wl_if_t *wlif);
+
+@@ -2298,9 +2302,15 @@
+ }
+
+ static void
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
++wl_timer(struct timer_list *tl)
++{
++	wl_timer_t *t = from_timer(t, tl, timer);
++#else
+ wl_timer(ulong data)
+ {
+ 	wl_timer_t *t = (wl_timer_t *)data;
++#endif
+
+ 	if (!WL_ALL_PASSIVE_ENAB(t->wl))
+ 		_wl_timer(t);
+@@ -2352,9 +2362,13 @@
+
+ 	bzero(t, sizeof(wl_timer_t));
+
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
++	timer_setup(&t->timer, wl_timer, 0);
++#else
+ 	init_timer(&t->timer);
+ 	t->timer.data = (ulong) t;
+ 	t->timer.function = wl_timer;
++#endif
+ 	t->wl = wl;
+ 	t->fn = fn;
+ 	t->arg = arg;
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.7.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.7.patch
new file mode 100644
index 000000000000..44222b3324bf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.7.patch
@@ -0,0 +1,109 @@
+Since Linux 4.7, the enum ieee80211_band is no longer used
+
+This shall cause no problem's since both enums ieee80211_band
+and nl80211_band were added in the same commit:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=13ae75b103e07304a34ab40c9136e9f53e06475c
+
+This patch refactors the references of IEEE80211_BAND_* to NL80211_BAND_*
+
+Reference:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=57fbcce37be7c1d2622b56587c10ade00e96afa3
+
+--- a/src/wl/sys/wl_cfg80211_hybrid.c	2016-06-13 11:57:36.159340297 -0500
++++ b/src/wl/sys/wl_cfg80211_hybrid.c	2016-06-13 11:58:18.442323435 -0500
+@@ -236,7 +236,7 @@
+ #endif				
+ 
+ #define CHAN2G(_channel, _freq, _flags) {			\
+-	.band			= IEEE80211_BAND_2GHZ,		\
++	.band			= NL80211_BAND_2GHZ,		\
+ 	.center_freq		= (_freq),			\
+ 	.hw_value		= (_channel),			\
+ 	.flags			= (_flags),			\
+@@ -245,7 +245,7 @@
+ }
+ 
+ #define CHAN5G(_channel, _flags) {				\
+-	.band			= IEEE80211_BAND_5GHZ,		\
++	.band			= NL80211_BAND_5GHZ,		\
+ 	.center_freq		= 5000 + (5 * (_channel)),	\
+ 	.hw_value		= (_channel),			\
+ 	.flags			= (_flags),			\
+@@ -379,7 +379,7 @@
+ };
+ 
+ static struct ieee80211_supported_band __wl_band_2ghz = {
+-	.band = IEEE80211_BAND_2GHZ,
++	.band = NL80211_BAND_2GHZ,
+ 	.channels = __wl_2ghz_channels,
+ 	.n_channels = ARRAY_SIZE(__wl_2ghz_channels),
+ 	.bitrates = wl_g_rates,
+@@ -387,7 +387,7 @@
+ };
+ 
+ static struct ieee80211_supported_band __wl_band_5ghz_a = {
+-	.band = IEEE80211_BAND_5GHZ,
++	.band = NL80211_BAND_5GHZ,
+ 	.channels = __wl_5ghz_a_channels,
+ 	.n_channels = ARRAY_SIZE(__wl_5ghz_a_channels),
+ 	.bitrates = wl_a_rates,
+@@ -395,7 +395,7 @@
+ };
+ 
+ static struct ieee80211_supported_band __wl_band_5ghz_n = {
+-	.band = IEEE80211_BAND_5GHZ,
++	.band = NL80211_BAND_5GHZ,
+ 	.channels = __wl_5ghz_n_channels,
+ 	.n_channels = ARRAY_SIZE(__wl_5ghz_n_channels),
+ 	.bitrates = wl_a_rates,
+@@ -1876,8 +1876,8 @@
+ 	wdev->wiphy->max_num_pmkids = WL_NUM_PMKIDS_MAX;
+ #endif
+ 	wdev->wiphy->interface_modes = BIT(NL80211_IFTYPE_STATION) | BIT(NL80211_IFTYPE_ADHOC);
+-	wdev->wiphy->bands[IEEE80211_BAND_2GHZ] = &__wl_band_2ghz;
+-	wdev->wiphy->bands[IEEE80211_BAND_5GHZ] = &__wl_band_5ghz_a; 
++	wdev->wiphy->bands[NL80211_BAND_2GHZ] = &__wl_band_2ghz;
++	wdev->wiphy->bands[NL80211_BAND_5GHZ] = &__wl_band_5ghz_a; 
+ 	wdev->wiphy->signal_type = CFG80211_SIGNAL_TYPE_MBM;
+ 	wdev->wiphy->cipher_suites = __wl_cipher_suites;
+ 	wdev->wiphy->n_cipher_suites = ARRAY_SIZE(__wl_cipher_suites);
+@@ -2000,7 +2000,7 @@
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 39)
+ 	freq = ieee80211_channel_to_frequency(notif_bss_info->channel,
+ 		(notif_bss_info->channel <= CH_MAX_2G_CHANNEL) ?
+-		IEEE80211_BAND_2GHZ : IEEE80211_BAND_5GHZ);
++		NL80211_BAND_2GHZ : NL80211_BAND_5GHZ);
+ #else
+ 	freq = ieee80211_channel_to_frequency(notif_bss_info->channel);
+ #endif
+@@ -2116,7 +2116,7 @@
+ 				return err;
+ 			}
+ 			chan = wf_chspec_ctlchan(chanspec);
+-			band = (chan <= CH_MAX_2G_CHANNEL) ? IEEE80211_BAND_2GHZ : IEEE80211_BAND_5GHZ;
++			band = (chan <= CH_MAX_2G_CHANNEL) ? NL80211_BAND_2GHZ : NL80211_BAND_5GHZ;
+ 			freq = ieee80211_channel_to_frequency(chan, band);
+ 			channel = ieee80211_get_channel(wiphy, freq);
+ 			cfg80211_ibss_joined(ndev, (u8 *)&wl->bssid, channel, GFP_KERNEL);
+@@ -2250,10 +2250,10 @@
+ 		join_params->params.chanspec_list[0] =
+ 		    ieee80211_frequency_to_channel(chan->center_freq);
+ 
+-		if (chan->band == IEEE80211_BAND_2GHZ) {
++		if (chan->band == NL80211_BAND_2GHZ) {
+ 			chanspec |= WL_CHANSPEC_BAND_2G;
+ 		}
+-		else if (chan->band == IEEE80211_BAND_5GHZ) {
++		else if (chan->band == NL80211_BAND_5GHZ) {
+ 			chanspec |= WL_CHANSPEC_BAND_5G;
+ 		}
+ 		else {
+@@ -2885,7 +2885,7 @@
+ 
+ 	if (phy == 'n' || phy == 'a' || phy == 'v') {
+ 		wiphy = wl_to_wiphy(wl);
+-		wiphy->bands[IEEE80211_BAND_5GHZ] = &__wl_band_5ghz_n;
++		wiphy->bands[NL80211_BAND_5GHZ] = &__wl_band_5ghz_n;
+ 	}
+ 
+ 	return err;
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.8.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.8.patch
new file mode 100644
index 000000000000..20e8a9ae49d2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-4.8.patch
@@ -0,0 +1,64 @@
+From d3f93542326a06d920c6eb89b703384290d37b8b Mon Sep 17 00:00:00 2001
+From: Alberto Milone <alberto.milone@canonical.com>
+Date: Fri, 2 Sep 2016 17:35:34 +0200
+Subject: [PATCH 1/1] Add support for Linux 4.8
+
+Orginal author: Krzysztof Kolasa
+---
+ src/wl/sys/wl_cfg80211_hybrid.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 2fc71fe..ec5e472 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -2388,8 +2388,16 @@ wl_bss_connect_done(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+ 	s32 err = 0;
+ 
+ 	if (wl->scan_request) {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
++		struct cfg80211_scan_info info = {
++			.aborted = true,
++		};
++		WL_DBG(("%s: Aborting scan\n", __FUNCTION__));
++		cfg80211_scan_done(wl->scan_request, &info);
++#else
+ 		WL_DBG(("%s: Aborting scan\n", __FUNCTION__));
+ 		cfg80211_scan_done(wl->scan_request, true);     
++#endif
+ 		wl->scan_request = NULL;
+ 	}
+ 
+@@ -2490,7 +2498,14 @@ wl_notify_scan_status(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+ 
+ scan_done_out:
+ 	if (wl->scan_request) {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
++		struct cfg80211_scan_info info = {
++			.aborted = false,
++		};
++		cfg80211_scan_done(wl->scan_request, &info);
++#else
+ 		cfg80211_scan_done(wl->scan_request, false);
++#endif
+ 		wl->scan_request = NULL;
+ 	}
+ 	rtnl_unlock();
+@@ -2909,7 +2924,14 @@ s32 wl_cfg80211_down(struct net_device *ndev)
+ 	s32 err = 0;
+ 
+ 	if (wl->scan_request) {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
++		struct cfg80211_scan_info info = {
++			.aborted = true,
++		};
++		cfg80211_scan_done(wl->scan_request, &info);
++#else
+ 		cfg80211_scan_done(wl->scan_request, true);	
++#endif
+ 		wl->scan_request = NULL;
+ 	}
+ 
+-- 
+2.7.4
+
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.1.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.1.patch
new file mode 100644
index 000000000000..8f04a737cab8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.1.patch
@@ -0,0 +1,32 @@
+commit bcb06af629a36eb84f9a35ac599ec7e51e2d39fb
+Author: georgewhewell <georgerw@gmail.com>
+Date:   Sat May 18 21:22:37 2019 +0100
+
+    find src -type f -name \'*.c\' -exec sed -i "s/get_ds()/KERNEL_DS/g" {} \;
+
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 7b606e0..51c81bc 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -450,7 +450,7 @@ wl_dev_ioctl(struct net_device *dev, u32 cmd, void *arg, u32 len)
+ 	ifr.ifr_data = (caddr_t)&ioc;
+ 
+ 	fs = get_fs();
+-	set_fs(get_ds());
++	set_fs(KERNEL_DS);
+ #if defined(WL_USE_NETDEV_OPS)
+ 	err = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+ #else
+diff --git a/src/wl/sys/wl_iw.c b/src/wl/sys/wl_iw.c
+index c4c610b..9c3c74e 100644
+--- a/src/wl/sys/wl_iw.c
++++ b/src/wl/sys/wl_iw.c
+@@ -117,7 +117,7 @@ dev_wlc_ioctl(
+ 	ifr.ifr_data = (caddr_t) &ioc;
+ 
+ 	fs = get_fs();
+-	set_fs(get_ds());
++	set_fs(KERNEL_DS);
+ #if defined(WL_USE_NETDEV_OPS)
+ 	ret = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+ #else
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.17.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.17.patch
new file mode 100644
index 000000000000..6f23316691c8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.17.patch
@@ -0,0 +1,80 @@
+From 31b7849092c43805c7fbaf7518b99874aa1b310c Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Wed, 12 Jan 2022 20:49:20 +0100
+Subject: [PATCH] Tentative fix for broadcom-wl 6.30.223.271 driver for Linux 5.17-rc1
+
+Set netdev->dev_addr through dev_addr_mod + PDE_DATA fix
+
+Since Linux 5.17 netdev->dev_addr is const and must be changed through
+dev_addr_mod, otherwise a warning is logged in dmesg and bad things may happen.
+
+NB: The #if is not wrong, dev_addr_mod is defined since Linux 5.15-rc1
+
+Plus a trivial fix for PDE_DATA.
+
+Applies on top of all the patches applied to broadcom-wl-dkms 6.30.223.271-28 on Arch Linux.
+
+See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=adeef3e32146a8d2a73c399dc6f5d76a449131b1
+          https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=359745d78351c6f5442435f81549f0207ece28aa
+---
+ src/wl/sys/wl_linux.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index e491df7..e4614fb 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -93,6 +93,10 @@ struct iw_statistics *wl_get_wireless_stats(struct net_device *dev);
+ 
+ #include <wlc_wowl.h>
+ 
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 17, 0))
++#define PDE_DATA pde_data
++#endif
++
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
+ static void wl_timer(struct timer_list *tl);
+ #else
+@@ -490,6 +494,12 @@ wl_if_setup(struct net_device *dev)
+ #endif
+ }
+ 
++#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)
++static inline void eth_hw_addr_set(struct net_device *dev, const void *addr) {
++	memcpy(dev->dev_addr, addr, ETHER_ADDR_LEN);
++}
++#endif
++
+ static wl_info_t *
+ wl_attach(uint16 vendor, uint16 device, ulong regs,
+ 	uint bustype, void *btparam, uint irq, uchar* bar1_addr, uint32 bar1_size)
+@@ -634,7 +644,7 @@ wl_attach(uint16 vendor, uint16 device, ulong regs,
+ 			WL_ERROR(("wl%d: Error setting MAC ADDRESS\n", unit));
+ 	}
+ #endif 
+-	bcopy(&wl->pub->cur_etheraddr, dev->dev_addr, ETHER_ADDR_LEN);
++	eth_hw_addr_set(dev, wl->pub->cur_etheraddr.octet);
+ 
+ 	online_cpus = 1;
+ 
+@@ -1835,7 +1845,7 @@ wl_set_mac_address(struct net_device *dev, void *addr)
+ 
+ 	WL_LOCK(wl);
+ 
+-	bcopy(sa->sa_data, dev->dev_addr, ETHER_ADDR_LEN);
++	eth_hw_addr_set(dev, sa->sa_data);
+ 	err = wlc_iovar_op(wl->wlc, "cur_etheraddr", NULL, 0, sa->sa_data, ETHER_ADDR_LEN,
+ 		IOV_SET, (WL_DEV_IF(dev))->wlcif);
+ 	WL_UNLOCK(wl);
+@@ -3010,7 +3020,7 @@ _wl_add_monitor_if(wl_task_t *task)
+ 	else
+ 		dev->type = ARPHRD_IEEE80211_RADIOTAP;
+ 
+-	bcopy(wl->dev->dev_addr, dev->dev_addr, ETHER_ADDR_LEN);
++	eth_hw_addr_set(dev, wl->dev->dev_addr);
+ 
+ #if defined(WL_USE_NETDEV_OPS)
+ 	dev->netdev_ops = &wl_netdev_monitor_ops;
+-- 
+2.35.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.18.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.18.patch
new file mode 100644
index 000000000000..d837429a6899
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.18.patch
@@ -0,0 +1,71 @@
+diff -u -r a/src/shared/linux_osl.c b/src/shared/linux_osl.c
+--- a/src/shared/linux_osl.c	2022-05-24 20:51:15.662604980 +0000
++++ b/src/shared/linux_osl.c	2022-05-24 21:13:38.264472425 +0000
+@@ -599,6 +599,8 @@
+ 	va = kmalloc(size, GFP_ATOMIC | __GFP_ZERO);
+ 	if (va)
+ 		*pap = (ulong)__virt_to_phys(va);
++#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	va = dma_alloc_coherent(&((struct pci_dev *)osh->pdev)->dev, size, (dma_addr_t*)pap, GFP_ATOMIC);
+ #else
+ 	va = pci_alloc_consistent(osh->pdev, size, (dma_addr_t*)pap);
+ #endif
+@@ -612,6 +614,8 @@
+ 
+ #ifdef __ARM_ARCH_7A__
+ 	kfree(va);
++#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	dma_free_coherent(&((struct pci_dev *)osh->pdev)->dev, size, va, (dma_addr_t)pa);
+ #else
+ 	pci_free_consistent(osh->pdev, size, va, (dma_addr_t)pa);
+ #endif
+@@ -623,7 +627,11 @@
+ 	int dir;
+ 
+ 	ASSERT((osh && (osh->magic == OS_HANDLE_MAGIC)));
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	dir = (direction == DMA_TX)? DMA_TO_DEVICE: DMA_FROM_DEVICE;
++#else
+ 	dir = (direction == DMA_TX)? PCI_DMA_TODEVICE: PCI_DMA_FROMDEVICE;
++#endif
+ 
+ #if defined(__ARM_ARCH_7A__) && defined(BCMDMASGLISTOSL)
+ 	if (dmah != NULL) {
+@@ -641,7 +649,11 @@
+ 				ASSERT(totsegs + nsegs <= MAX_DMA_SEGS);
+ 				sg->page_link = 0;
+ 				sg_set_buf(sg, PKTDATA(osh, skb), PKTLEN(osh, skb));
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++				dma_map_single(&((struct pci_dev *)osh->pdev)->dev, PKTDATA(osh, skb), PKTLEN(osh, skb), dir);
++#else
+ 				pci_map_single(osh->pdev, PKTDATA(osh, skb), PKTLEN(osh, skb), dir);
++#endif
+ 			}
+ 			totsegs += nsegs;
+ 			totlen += PKTLEN(osh, skb);
+@@ -656,7 +668,11 @@
+ 	}
+ #endif 
+ 
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	return (dma_map_single(&((struct pci_dev *)osh->pdev)->dev, va, size, dir));
++#else
+ 	return (pci_map_single(osh->pdev, va, size, dir));
++#endif
+ }
+ 
+ void BCMFASTPATH
+@@ -665,8 +681,13 @@
+ 	int dir;
+ 
+ 	ASSERT((osh && (osh->magic == OS_HANDLE_MAGIC)));
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
++	dir = (direction == DMA_TX)? DMA_TO_DEVICE: DMA_FROM_DEVICE;
++	dma_unmap_single(&((struct pci_dev *)osh->pdev)->dev, (uint32)pa, size, dir);
++#else
+ 	dir = (direction == DMA_TX)? PCI_DMA_TODEVICE: PCI_DMA_FROMDEVICE;
+ 	pci_unmap_single(osh->pdev, (uint32)pa, size, dir);
++#endif
+ }
+ 
+ #if defined(BCMDBG_ASSERT)
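Review bot: The address returned by `dma_map_single()` is handed straight back to the caller at the end of the map function, and discarded inside the scatter-gather loop, so a failed mapping is never detected. The DMA API expects the result to be tested with `dma_mapping_error()` before the device is given the address. Storing the result in a local and adding `if (dma_mapping_error(&((struct pci_dev *)osh->pdev)->dev, map)) return 0;` would cover the return path, though the failure value the callers expect is not visible here. The unmap path also keeps the `(uint32)pa` cast, which would truncate a DMA address above 4 GiB on a 64-bit system. The functions involved begin and end outside the patch's hunks.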
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.6.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.6.patch
new file mode 100644
index 000000000000..df5af79f77c6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.6.patch
@@ -0,0 +1,87 @@
+From dd057e40a167f4febb1a7c77dd32b7d36056952c Mon Sep 17 00:00:00 2001
+From: Herman van Hazendonk <github.com@herrie.org>
+Date: Tue, 31 Mar 2020 17:09:55 +0200
+Subject: [PATCH] Add fixes for 5.6 kernel
+
+Use ioremap instead of ioremap_nocache and proc_ops instead of file_operations on Linux kernel 5.6 and above.
+
+Signed-off-by: Herman van Hazendonk <github.com@herrie.org>
+---
+ src/shared/linux_osl.c |  6 +++++-
+ src/wl/sys/wl_linux.c  | 21 ++++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/linux_osl.c b/src/shared/linux_osl.c
+index 6157d18..dcfc075 100644
+--- a/src/shared/linux_osl.c
++++ b/src/shared/linux_osl.c
+@@ -942,7 +942,11 @@ osl_getcycles(void)
+ void *
+ osl_reg_map(uint32 pa, uint size)
+ {
+-	return (ioremap_nocache((unsigned long)pa, (unsigned long)size));
++	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++		return (ioremap((unsigned long)pa, (unsigned long)size));
++	#else
++		return (ioremap_nocache((unsigned long)pa, (unsigned long)size));
++	#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
+ }
+ 
+ void
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index 0d05100..6d9dd0d 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -582,10 +582,17 @@ wl_attach(uint16 vendor, uint16 device, ulong regs,
+ 	}
+ 	wl->bcm_bustype = bustype;
+ 
++	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++	if ((wl->regsva = ioremap(dev->base_addr, PCI_BAR0_WINSZ)) == NULL) {
++		WL_ERROR(("wl%d: ioremap() failed\n", unit));
++		goto fail;
++	}
++	#else 
+ 	if ((wl->regsva = ioremap_nocache(dev->base_addr, PCI_BAR0_WINSZ)) == NULL) {
+ 		WL_ERROR(("wl%d: ioremap() failed\n", unit));
+ 		goto fail;
+ 	}
++	#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
+ 
+ 	wl->bar1_addr = bar1_addr;
+ 	wl->bar1_size = bar1_size;
+@@ -772,8 +779,13 @@ wl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ 	if ((val & 0x0000ff00) != 0)
+ 		pci_write_config_dword(pdev, 0x40, val & 0xffff00ff);
+ 		bar1_size = pci_resource_len(pdev, 2);
++		#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++		bar1_addr = (uchar *)ioremap(pci_resource_start(pdev, 2),
++			bar1_size);
++		#else
+ 		bar1_addr = (uchar *)ioremap_nocache(pci_resource_start(pdev, 2),
+ 			bar1_size);
++		#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
+ 	wl = wl_attach(pdev->vendor, pdev->device, pci_resource_start(pdev, 0), PCI_BUS, pdev,
+ 		pdev->irq, bar1_addr, bar1_size);
+ 
+@@ -3335,12 +3347,19 @@ wl_proc_write(struct file *filp, const char __user *buff, size_t length, loff_t
+ }
+ 
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++static const struct proc_ops wl_fops = {
++	.proc_read	= wl_proc_read,
++	.proc_write	= wl_proc_write,
++};
++#else
+ static const struct file_operations wl_fops = {
+ 	.owner	= THIS_MODULE,
+ 	.read	= wl_proc_read,
+ 	.write	= wl_proc_write,
+ };
+-#endif
++#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
++#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0) */
+ 
+ static int
+ wl_reg_proc_entry(wl_info_t *wl)
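Review bot: In `wl_pci_probe` the BAR1 mapping returned by `ioremap()` goes to `wl_attach` without a NULL check, whereas the BAR0 mapping inside `wl_attach` fails with `goto fail`. Whether `wl_attach` tolerates a NULL `bar1_addr` is not visible in this patch. The `bar1_size`/`bar1_addr` lines are also indented as if they belonged to the preceding brace-less `if`, so the layout suggests a condition that does not exist. The three near-identical `#if` blocks could be replaced by a single compatibility define near the includes: `#define ioremap_nocache ioremap` under `#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)`.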
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch
new file mode 100644
index 000000000000..2a4e6fa89cc3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch
@@ -0,0 +1,184 @@
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 4b3298f..c45ad48 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -41,6 +41,7 @@
+ #include <wlioctl.h>
+ #include <proto/802.11.h>
+ #include <wl_cfg80211_hybrid.h>
++#include <wl_linux.h>
+ 
+ #define EVENT_TYPE(e) dtoh32((e)->event_type)
+ #define EVENT_FLAGS(e) dtoh16((e)->flags)
+@@ -442,30 +443,7 @@ static void key_endian_to_host(struct wl_wsec_key *key)
+ static s32
+ wl_dev_ioctl(struct net_device *dev, u32 cmd, void *arg, u32 len)
+ {
+-	struct ifreq ifr;
+-	struct wl_ioctl ioc;
+-	mm_segment_t fs;
+-	s32 err = 0;
+-
+-	BUG_ON(len < sizeof(int));
+-
+-	memset(&ioc, 0, sizeof(ioc));
+-	ioc.cmd = cmd;
+-	ioc.buf = arg;
+-	ioc.len = len;
+-	strcpy(ifr.ifr_name, dev->name);
+-	ifr.ifr_data = (caddr_t)&ioc;
+-
+-	fs = get_fs();
+-	set_fs(KERNEL_DS);
+-#if defined(WL_USE_NETDEV_OPS)
+-	err = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#else
+-	err = dev->do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#endif
+-	set_fs(fs);
+-
+-	return err;
++	return wlc_ioctl_internal(dev, cmd, arg, len);
+ }
+ 
+ static s32
+diff --git a/src/wl/sys/wl_iw.c b/src/wl/sys/wl_iw.c
+index 9c3c74e..e346b15 100644
+--- a/src/wl/sys/wl_iw.c
++++ b/src/wl/sys/wl_iw.c
+@@ -37,6 +37,7 @@ typedef const struct si_pub	si_t;
+ 
+ #include <wl_dbg.h>
+ #include <wl_iw.h>
++#include <wl_linux.h>
+ 
+ extern bool wl_iw_conn_status_str(uint32 event_type, uint32 status,
+ 	uint32 reason, char* stringBuf, uint buflen);
+@@ -103,29 +104,7 @@ dev_wlc_ioctl(
+ 	int len
+ )
+ {
+-	struct ifreq ifr;
+-	wl_ioctl_t ioc;
+-	mm_segment_t fs;
+-	int ret;
+-
+-	memset(&ioc, 0, sizeof(ioc));
+-	ioc.cmd = cmd;
+-	ioc.buf = arg;
+-	ioc.len = len;
+-
+-	strcpy(ifr.ifr_name, dev->name);
+-	ifr.ifr_data = (caddr_t) &ioc;
+-
+-	fs = get_fs();
+-	set_fs(KERNEL_DS);
+-#if defined(WL_USE_NETDEV_OPS)
+-	ret = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#else
+-	ret = dev->do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#endif
+-	set_fs(fs);
+-
+-	return ret;
++	return wlc_ioctl_internal(dev, cmd, arg, len);
+ }
+ 
+ static int
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index c990c70..5bb9480 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -1664,10 +1664,7 @@ wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ 		goto done2;
+ 	}
+ 
+-	if (segment_eq(get_fs(), KERNEL_DS))
+-		buf = ioc.buf;
+-
+-	else if (ioc.buf) {
++	if (ioc.buf) {
+ 		if (!(buf = (void *) MALLOC(wl->osh, MAX(ioc.len, WLC_IOCTL_MAXLEN)))) {
+ 			bcmerror = BCME_NORESOURCE;
+ 			goto done2;
+@@ -1688,7 +1685,7 @@ wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ 	WL_UNLOCK(wl);
+ 
+ done1:
+-	if (ioc.buf && (ioc.buf != buf)) {
++	if (ioc.buf) {
+ 		if (copy_to_user(ioc.buf, buf, ioc.len))
+ 			bcmerror = BCME_BADADDR;
+ 		MFREE(wl->osh, buf, MAX(ioc.len, WLC_IOCTL_MAXLEN));
+@@ -1701,6 +1698,39 @@ done2:
+ 	return (OSL_ERROR(bcmerror));
+ }
+ 
++int
++wlc_ioctl_internal(struct net_device *dev, int cmd, void *buf, int len)
++{
++	wl_info_t *wl;
++	wl_if_t *wlif;
++	int bcmerror;
++
++	if (!dev)
++		return -ENETDOWN;
++
++	wl = WL_INFO(dev);
++	wlif = WL_DEV_IF(dev);
++	if (wlif == NULL || wl == NULL || wl->dev == NULL)
++		return -ENETDOWN;
++
++	bcmerror = 0;
++
++	WL_TRACE(("wl%d: wlc_ioctl_internal: cmd 0x%x\n", wl->pub->unit, cmd));
++
++	WL_LOCK(wl);
++	if (!capable(CAP_NET_ADMIN)) {
++		bcmerror = BCME_EPERM;
++	} else {
++		bcmerror = wlc_ioctl(wl->wlc, cmd, buf, len, wlif->wlcif);
++	}
++	WL_UNLOCK(wl);
++
++	ASSERT(VALID_BCMERROR(bcmerror));
++	if (bcmerror != 0)
++		wl->pub->bcmerror = bcmerror;
++	return (OSL_ERROR(bcmerror));
++}
++
+ static struct net_device_stats*
+ wl_get_stats(struct net_device *dev)
+ {
+diff --git a/src/wl/sys/wl_linux.h b/src/wl/sys/wl_linux.h
+index 5b1048e..c8c1f41 100644
+--- a/src/wl/sys/wl_linux.h
++++ b/src/wl/sys/wl_linux.h
+@@ -22,6 +22,7 @@
+ #define _wl_linux_h_
+ 
+ #include <wlc_types.h>
++#include <wlc_pub.h>
+ 
+ typedef struct wl_timer {
+ 	struct timer_list 	timer;
+@@ -187,6 +188,7 @@ extern irqreturn_t wl_isr(int irq, void *dev_id, struct pt_regs *ptregs);
+ extern int __devinit wl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent);
+ extern void wl_free(wl_info_t *wl);
+ extern int  wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd);
++extern int wlc_ioctl_internal(struct net_device *dev, int cmd, void *buf, int len);
+ extern struct net_device * wl_netdev_get(wl_info_t *wl);
+ 
+ #endif 
+diff --git a/src/wl/sys/wlc_pub.h b/src/wl/sys/wlc_pub.h
+index 53a98b8..2b5a029 100644
+--- a/src/wl/sys/wlc_pub.h
++++ b/src/wl/sys/wlc_pub.h
+@@ -24,6 +24,7 @@
+ 
+ #include <wlc_types.h>
+ #include <wlc_utils.h>
++#include <siutils.h>
+ #include "proto/802.11.h"
+ #include "proto/bcmevent.h"
+ 
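Review bot: The rewritten `wl_dev_ioctl` drops the old `BUG_ON(len < sizeof(int))` and passes its `u32 len` to `wlc_ioctl_internal(..., int len)`, so the lower bound is gone and a large value turns negative at the call before reaching `wlc_ioctl`. A non-crashing guard in `wl_dev_ioctl` before the call, `if (len < sizeof(int) || len > INT_MAX) return -EINVAL;`, would keep the old contract for the cfg80211 path. `dev_wlc_ioctl` in `wl_iw.c` had no such check before, so it is left as is. In `wlc_ioctl_internal`, `capable(CAP_NET_ADMIN)` is evaluated against whichever task is current when cfg80211 or wext calls in, which deserves a comment such as `/* in-kernel callers: the capability checked is that of the current task */`. `WL_TRACE` also dereferences `wl->pub` although only `wl` and `wl->dev` were tested for NULL.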
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/null-pointer-fix.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/null-pointer-fix.patch
new file mode 100644
index 000000000000..763797294307
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/null-pointer-fix.patch
@@ -0,0 +1,13 @@
+diff -urN a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+--- a/src/wl/sys/wl_linux.c	2015-01-06 12:33:42.981659618 +0100
++++ b/src/wl/sys/wl_linux.c	2015-01-06 12:34:05.647395418 +0100
+@@ -2157,8 +2157,8 @@
+ 	wlif = WL_DEV_IF(dev);
+ 	wl = WL_INFO(dev);
+ 
++	skb->prev = NULL;
+ 	if (WL_ALL_PASSIVE_ENAB(wl) || (WL_RTR() && WL_CONFIG_SMP())) {
+-		skb->prev = NULL;
+ 
+ 		TXQ_LOCK(wl);
+ 
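Review bot: Nothing in the patch says which dereference it prevents. `skb->prev = NULL` is moved so that it runs on every path instead of only when `WL_ALL_PASSIVE_ENAB(wl) || (WL_RTR() && WL_CONFIG_SMP())` holds, but the code that reads `skb->prev` on the other path is outside the hunk. A comment above the moved line, e.g. `/* reset skb->prev on every path, not only under TXQ_LOCK */`, and a one-line description at the top of the patch file would make the intent reviewable. The enclosing function starts and ends outside the hunk.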
diff --git a/nixpkgs/pkgs/os-specific/linux/broadcom-sta/pedantic-fix.patch b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/pedantic-fix.patch
new file mode 100644
index 000000000000..f97709fef904
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/broadcom-sta/pedantic-fix.patch
@@ -0,0 +1,94 @@
+diff --git a/src/shared/linux_osl.c b/shared/linux_osl.c
+index 711b771..5a2636a 100644
+--- a/src/shared/linux_osl.c
++++ b/src/shared/linux_osl.c
+@@ -1105,7 +1105,7 @@ osl_os_get_image_block(char *buf, int len, void *image)
+ 	if (!image)
+ 		return 0;
+ 
+-	rdlen = kernel_read(fp, fp->f_pos, buf, len);
++	rdlen = kernel_read(fp, (void *)fp->f_pos, (size_t)len, (loff_t *)buf);
+ 	if (rdlen > 0)
+ 		fp->f_pos += rdlen;
+ 
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/wl/sys/wl_cfg80211_hybrid.c
+index 41c16d8..d39d9de 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -790,6 +790,7 @@ wl_set_auth_type(struct net_device *dev, struct cfg80211_connect_params *sme)
+ 		break;
+ 	case NL80211_AUTHTYPE_NETWORK_EAP:
+ 		WL_DBG(("network eap\n"));
++		break;
+ 	default:
+ 		val = 2;
+ 		WL_ERR(("invalid auth type (%d)\n", sme->auth_type));
+@@ -2347,21 +2348,20 @@ wl_bss_roaming_done(struct wl_cfg80211_priv *wl, struct net_device *ndev,
+                     const wl_event_msg_t *e, void *data)
+ {
+ 	struct wl_cfg80211_connect_info *conn_info = wl_to_conn(wl);
++	s32 err = 0;
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
+ 	struct cfg80211_bss *bss;
+ 	struct wlc_ssid *ssid;
++	struct cfg80211_roam_info roam_info;
+ 	ssid = &wl->profile->ssid;
+ 	bss = cfg80211_get_bss(wl_to_wiphy(wl), NULL, (s8 *)&wl->bssid,
+ 	ssid->SSID, ssid->SSID_len, WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_ESS);
+-	struct cfg80211_roam_info roam_info = {
+-		.bss = bss,
+-		.req_ie = conn_info->req_ie,
+-		.req_ie_len = conn_info->req_ie_len,
+-		.resp_ie = conn_info->resp_ie,
+-		.resp_ie_len = conn_info->resp_ie_len,
+-	};
++	roam_info.bss = bss;
++	roam_info.req_ie = conn_info->req_ie;
++	roam_info.req_ie_len = conn_info->req_ie_len;
++	roam_info.resp_ie = conn_info->resp_ie;
++	roam_info.resp_ie_len = conn_info->resp_ie_len;
+ #endif
+-	s32 err = 0;
+ 
+ 	wl_get_assoc_ies(wl);
+ 	memcpy(wl->profile->bssid, &e->addr, ETHER_ADDR_LEN);
+diff --git a/src/wl/sys/wl_iw.h b/wl/sys/wl_iw.h
+index 3ab084f..471d11f 100644
+--- a/src/wl/sys/wl_iw.h
++++ b/src/wl/sys/wl_iw.h
+@@ -70,7 +70,6 @@ struct cntry_locales_custom {
+ #define	WL_IW_RSSI_EXCELLENT	-57	
+ #define	WL_IW_RSSI_INVALID	 0	
+ #define MAX_WX_STRING 80
+-#define isprint(c) bcm_isprint(c)
+ #define WL_IW_SET_ACTIVE_SCAN	(SIOCIWFIRSTPRIV+1)
+ #define WL_IW_GET_RSSI			(SIOCIWFIRSTPRIV+3)
+ #define WL_IW_SET_PASSIVE_SCAN	(SIOCIWFIRSTPRIV+5)
+diff --git a/src/wl/sys/wl_linux.c b/wl/sys/wl_linux.c
+index d13fb98..97ae2a6 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -797,14 +797,15 @@ wl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ 	pci_read_config_dword(pdev, 0x40, &val);
+ 	if ((val & 0x0000ff00) != 0)
+ 		pci_write_config_dword(pdev, 0x40, val & 0xffff00ff);
+-		bar1_size = pci_resource_len(pdev, 2);
+-		#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
+-		bar1_addr = (uchar *)ioremap(pci_resource_start(pdev, 2),
+-			bar1_size);
+-		#else
+-		bar1_addr = (uchar *)ioremap_nocache(pci_resource_start(pdev, 2),
+-			bar1_size);
+-		#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
++
++	bar1_size = pci_resource_len(pdev, 2);
++	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
++	bar1_addr = (uchar *)ioremap(pci_resource_start(pdev, 2),
++		bar1_size);
++	#else
++	bar1_addr = (uchar *)ioremap_nocache(pci_resource_start(pdev, 2),
++		bar1_size);
++	#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0) */
+ 	wl = wl_attach(pdev->vendor, pdev->device, pci_resource_start(pdev, 0), PCI_BUS, pdev,
+ 		pdev->irq, bar1_addr, bar1_size);
+ 
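Review bot: The new `kernel_read` call in `osl_os_get_image_block` silences the type warnings with casts instead of fixing the argument order: it passes the file offset as the destination buffer and `buf` as the position pointer. On kernels with the `kernel_read(file, buf, count, pos)` prototype (4.14 and later, as far as I know) the read would therefore target an address derived from `f_pos`. The call should be `rdlen = kernel_read(fp, buf, (size_t)len, &fp->f_pos);`, and the following `fp->f_pos += rdlen` then has to go on those kernels because the position is advanced through the pointer. In `wl_bss_roaming_done`, replacing the designated initializer with field assignments leaves the other members of `roam_info` as uninitialized stack data; `memset(&roam_info, 0, sizeof(roam_info));` before the assignments restores the zeroing. The added `break;` after `network eap` also changes behaviour, since that case no longer reaches `val = 2`.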
diff --git a/nixpkgs/pkgs/os-specific/linux/btfs/default.nix b/nixpkgs/pkgs/os-specific/linux/btfs/default.nix
new file mode 100644
index 000000000000..342272f42861
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/btfs/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config
+, python3, boost, fuse, libtorrent-rasterbar, curl }:
+
+stdenv.mkDerivation rec {
+  pname = "btfs";
+  version = "2.24";
+
+  src = fetchFromGitHub {
+    owner  = "johang";
+    repo   = pname;
+    rev    = "v${version}";
+    sha256 = "sha256-fkS0U/MqFRQNi+n7NE4e1cnNICvfST2IQ9FMoJUyj6w=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [
+    boost fuse libtorrent-rasterbar curl python3
+  ];
+
+  meta = with lib; {
+    description = "A bittorrent filesystem based on FUSE";
+    homepage    = "https://github.com/johang/btfs";
+    license     = licenses.gpl3;
+    maintainers = with maintainers; [ rnhmjoj ];
+    platforms   = platforms.unix;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/busybox-in-store.patch b/nixpkgs/pkgs/os-specific/linux/busybox/busybox-in-store.patch
new file mode 100644
index 000000000000..2d356b66b3ae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/busybox-in-store.patch
@@ -0,0 +1,23 @@
+Allow BusyBox to be invoked as "<something>-busybox". This is
+necessary when it's run from the Nix store as <hash>-busybox during
+stdenv bootstrap.
+--- a/libbb/appletlib.c
++++ b/libbb/appletlib.c
+@@ -947,7 +947,7 @@ void FAST_FUNC run_applet_no_and_exit(int applet_no, const char *name, char **ar
+ static NORETURN void run_applet_and_exit(const char *name, char **argv)
+ {
+ #  if ENABLE_BUSYBOX
+-	if (is_prefixed_with(name, "busybox"))
++	if (strstr(name, "busybox") != 0)
+ 		exit(busybox_main(/*unused:*/ 0, argv));
+ #  endif
+ #  if NUM_APPLETS > 0
+@@ -1045,7 +1045,7 @@ int main(int argc UNUSED_PARAM, char **argv)
+
+ 	lbb_prepare("busybox" IF_FEATURE_INDIVIDUAL(, argv));
+ # if !ENABLE_BUSYBOX
+-	if (argv[1] && is_prefixed_with(bb_basename(argv[0]), "busybox"))
++	if (argv[1] && strstr(bb_basename(argv[0]), "busybox") != 0)
+ 		argv++;
+ # endif
+ 	applet_name = argv[0];
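Review bot: `strstr(name, "busybox") != 0` accepts "busybox" anywhere in the name, which is wider than the `<hash>-busybox` case the description gives. Any applet link or `argv[0]` that merely contains the substring is now routed to `busybox_main` instead of its applet. Matching the end of the name would cover the store-path case more tightly: take `size_t n = strlen(name);` and test `n >= 7 && strcmp(name + n - 7, "busybox") == 0`. That holds only if no suffixed names such as `busybox.static` must keep working, which this patch does not show. Both changed call sites, in `run_applet_and_exit` and in `main`, share the point.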
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/clang-cross.patch b/nixpkgs/pkgs/os-specific/linux/busybox/clang-cross.patch
new file mode 100644
index 000000000000..b2d696bfd73f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/clang-cross.patch
@@ -0,0 +1,37 @@
+diff --git a/Makefile b/Makefile
+index 6fedcffba..3385836c4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -271,8 +271,8 @@ export quiet Q KBUILD_VERBOSE
+ # Look for make include files relative to root of kernel src
+ MAKEFLAGS += --include-dir=$(srctree)
+ 
+-HOSTCC  	= gcc
+-HOSTCXX  	= g++
++HOSTCC		= cc
++HOSTCXX	= c++
+ HOSTCFLAGS	:=
+ HOSTCXXFLAGS	:=
+ # We need some generic definitions
+@@ -289,7 +289,7 @@ MAKEFLAGS += -rR
+ # Make variables (CC, etc...)
+ 
+ AS		= $(CROSS_COMPILE)as
+-CC		= $(CROSS_COMPILE)gcc
++CC		= $(CROSS_COMPILE)cc
+ LD		= $(CC) -nostdlib
+ CPP		= $(CC) -E
+ AR		= $(CROSS_COMPILE)ar
+diff --git a/scripts/Makefile.IMA b/scripts/Makefile.IMA
+index f155108d7..185257064 100644
+--- a/scripts/Makefile.IMA
++++ b/scripts/Makefile.IMA
+@@ -39,7 +39,7 @@ ifndef HOSTCC
+ HOSTCC = cc
+ endif
+ AS              = $(CROSS_COMPILE)as
+-CC              = $(CROSS_COMPILE)gcc
++CC              = $(CROSS_COMPILE)cc
+ LD              = $(CC) -nostdlib
+ CPP             = $(CC) -E
+ AR              = $(CROSS_COMPILE)ar
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/default.nix b/nixpkgs/pkgs/os-specific/linux/busybox/default.nix
new file mode 100644
index 000000000000..3feb590eb5d6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/default.nix
@@ -0,0 +1,175 @@
+{ stdenv, lib, buildPackages, fetchurl, fetchFromGitLab
+, enableStatic ? stdenv.hostPlatform.isStatic
+, enableMinimal ? false
+, enableAppletSymlinks ? true
+# Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
+# nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist
+, useMusl ? stdenv.hostPlatform.libc == "musl", musl
+, extraConfig ? ""
+}:
+
+assert stdenv.hostPlatform.libc == "musl" -> useMusl;
+
+let
+  configParser = ''
+    function parseconfig {
+        while read LINE; do
+            NAME=`echo "$LINE" | cut -d \  -f 1`
+            OPTION=`echo "$LINE" | cut -d \  -f 2`
+
+            if ! [[ "$NAME" =~ ^CONFIG_ ]]; then continue; fi
+
+            echo "parseconfig: removing $NAME"
+            sed -i /$NAME'\(=\| \)'/d .config
+
+            echo "parseconfig: setting $NAME=$OPTION"
+            echo "$NAME=$OPTION" >> .config
+        done
+    }
+  '';
+
+  libcConfig = lib.optionalString useMusl ''
+    CONFIG_FEATURE_UTMP n
+    CONFIG_FEATURE_WTMP n
+  '';
+
+  # The debian version lags behind the upstream version and also contains
+  # a debian-specific suffix. We only fetch the debian repository to get the
+  # default.script
+  debianVersion = "1.30.1-6";
+  debianSource = fetchFromGitLab {
+    domain = "salsa.debian.org";
+    owner = "installer-team";
+    repo = "busybox";
+    rev = "debian/1%${debianVersion}";
+    sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
+  };
+  debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
+  outDispatchPath = "$out/default.script";
+in
+
+stdenv.mkDerivation rec {
+  pname = "busybox";
+  version = "1.35.0";
+
+  # Note to whoever is updating busybox: please verify that:
+  # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
+  # still builds after the update.
+  src = fetchurl {
+    url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-+u6yRMNaNIozT0pZ5EYm7ocPsHtohNaMEK6LwZ+DppQ=";
+  };
+
+  hardeningDisable = [ "format" "pie" ]
+    ++ lib.optionals enableStatic [ "fortify" ];
+
+  patches = [
+    ./busybox-in-store.patch
+    (fetchurl {
+      name = "CVE-2022-28391.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
+      sha256 = "sha256-yviw1GV+t9tbHbY7YNxEqPi7xEreiXVqbeRyf8c6Awo=";
+    })
+    (fetchurl {
+      name = "CVE-2022-28391.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
+      sha256 = "sha256-vl1wPbsHtXY9naajjnTicQ7Uj3N+EQ8pRNnrdsiow+w=";
+    })
+    (fetchurl {
+      name = "CVE-2022-30065.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/busybox/CVE-2022-30065.patch?id=4ffd996b3f8298c7dd424b912c245864c816e354";
+      sha256 = "sha256-+WSYxI6eF8S0tya/S62f9Nc6jVMnHO0q1OyM69GlNTY=";
+    })
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
+
+  separateDebugInfo = true;
+
+  postPatch = "patchShebangs .";
+
+  configurePhase = ''
+    export KCONFIG_NOTIMESTAMP=1
+    make ${if enableMinimal then "allnoconfig" else "defconfig"}
+
+    ${configParser}
+
+    cat << EOF | parseconfig
+
+    CONFIG_PREFIX "$out"
+    CONFIG_INSTALL_NO_USR y
+
+    CONFIG_LFS y
+
+    # More features for modprobe.
+    ${lib.optionalString (!enableMinimal) ''
+      CONFIG_FEATURE_MODPROBE_BLACKLIST y
+      CONFIG_FEATURE_MODUTILS_ALIAS y
+      CONFIG_FEATURE_MODUTILS_SYMBOLS y
+      CONFIG_MODPROBE_SMALL n
+    ''}
+
+    ${lib.optionalString enableStatic ''
+      CONFIG_STATIC y
+    ''}
+
+    ${lib.optionalString (!enableAppletSymlinks) ''
+      CONFIG_INSTALL_APPLET_DONT y
+      CONFIG_INSTALL_APPLET_SYMLINKS n
+    ''}
+
+    # Use the external mount.cifs program.
+    CONFIG_FEATURE_MOUNT_CIFS n
+    CONFIG_FEATURE_MOUNT_HELPERS y
+
+    # Set paths for console fonts.
+    CONFIG_DEFAULT_SETFONT_DIR "/etc/kbd"
+
+    # Bump from 4KB, much faster I/O
+    CONFIG_FEATURE_COPYBUF_KB 64
+
+    # Set the path for the udhcpc script
+    CONFIG_UDHCPC_DEFAULT_SCRIPT "${outDispatchPath}"
+
+    ${extraConfig}
+    CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}"
+    ${libcConfig}
+    EOF
+
+    make oldconfig
+
+    runHook postConfigure
+  '';
+
+  postConfigure = lib.optionalString (useMusl && stdenv.hostPlatform.libc != "musl") ''
+    makeFlagsArray+=("CC=${stdenv.cc.targetPrefix}cc -isystem ${musl.dev}/include -B${musl}/lib -L${musl}/lib")
+  '';
+
+  makeFlags = [ "SKIP_STRIP=y" ];
+
+  postInstall = ''
+    sed -e '
+    1 a busybox() { '$out'/bin/busybox "$@"; }\
+    logger() { '$out'/bin/logger "$@"; }\
+    ' ${debianDispatcherScript} > ${outDispatchPath}
+    chmod 555 ${outDispatchPath}
+    HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath}
+  '';
+
+  strictDeps = true;
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+  buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [ stdenv.cc.libc stdenv.cc.libc.static ];
+
+  enableParallelBuilding = true;
+
+  doCheck = false; # tries to access the net
+
+  meta = with lib; {
+    description = "Tiny versions of common UNIX utilities in a single small executable";
+    homepage = "https://busybox.net/";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ TethysSvensson qyliss ];
+    platforms = platforms.linux;
+    priority = 10;
+  };
+}
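Review bot: `hardeningDisable = [ "format" "pie" ]`, plus `"fortify"` for static builds, turns off compiler hardening without stating a reason, in a package that ships network-facing applets (the udhcpc script is configured here and nslookup is patched). A short comment per flag, e.g. `# "pie" disabled because <reason, to be filled in by the maintainer>`, would let a later update re-check whether each is still needed. The two Alpine patches are both named `CVE-2022-28391.patch`; distinct names such as `CVE-2022-28391-1.patch` and `CVE-2022-28391-2.patch` would make build logs unambiguous. In `parseconfig`, `$NAME` is interpolated unquoted into the `sed` expression, which works for the names used here but would misbehave on a name containing `/` or regex characters.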
diff --git a/nixpkgs/pkgs/os-specific/linux/busybox/sandbox-shell.nix b/nixpkgs/pkgs/os-specific/linux/busybox/sandbox-shell.nix
new file mode 100644
index 000000000000..fa70e5f91d80
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/busybox/sandbox-shell.nix
@@ -0,0 +1,26 @@
+{ busybox}:
+
+# Minimal shell for use as basic /bin/sh in sandbox builds
+busybox.override {
+  enableStatic = true;
+  enableMinimal = true;
+  extraConfig = ''
+    CONFIG_FEATURE_FANCY_ECHO y
+    CONFIG_FEATURE_SH_MATH y
+    CONFIG_FEATURE_SH_MATH_64 y
+    CONFIG_FEATURE_TEST_64 y
+
+    CONFIG_ASH y
+    CONFIG_ASH_OPTIMIZE_FOR_SIZE y
+
+    CONFIG_ASH_ALIAS y
+    CONFIG_ASH_BASH_COMPAT y
+    CONFIG_ASH_CMDCMD y
+    CONFIG_ASH_ECHO y
+    CONFIG_ASH_GETOPTS y
+    CONFIG_ASH_INTERNAL_GLOB y
+    CONFIG_ASH_JOB_CONTROL y
+    CONFIG_ASH_PRINTF y
+    CONFIG_ASH_TEST y
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cachefilesd/default.nix b/nixpkgs/pkgs/os-specific/linux/cachefilesd/default.nix
new file mode 100644
index 000000000000..6c52eb4a7f60
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cachefilesd/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "cachefilesd";
+  version = "0.10.10";
+
+  src = fetchurl {
+    url = "https://people.redhat.com/dhowells/fscache/${pname}-${version}.tar.bz2";
+    sha256 = "00hsw4cdlm13wijlygp8f0aq6gxdp0skbxs9r2vh5ggs3s2hj0qd";
+  };
+
+  installFlags = [
+    "ETCDIR=$(out)/etc"
+    "SBINDIR=$(out)/sbin"
+    "MANDIR=$(out)/share/man"
+  ];
+
+  meta = with lib; {
+    description = "Local network file caching management daemon";
+    homepage = "https://people.redhat.com/dhowells/fscache/";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/can-isotp/default.nix b/nixpkgs/pkgs/os-specific/linux/can-isotp/default.nix
new file mode 100644
index 000000000000..7c20b74e54cb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/can-isotp/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, kernel, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "can-isotp";
+  version = "20200910";
+
+  hardeningDisable = [ "pic" ];
+
+  src = fetchFromGitHub {
+    owner = "hartkopp";
+    repo = "can-isotp";
+    rev = "21a3a59e2bfad246782896841e7af042382fcae7";
+    sha256 = "1laax93czalclg7cy9iq1r7hfh9jigh7igj06y9lski75ap2vhfq";
+  };
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  buildFlags = [ "modules" ];
+  installTargets = [ "modules_install" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  meta = with lib; {
+    broken = kernel.kernelAtLeast "5.16";
+    description = "Kernel module for ISO-TP (ISO 15765-2)";
+    homepage = "https://github.com/hartkopp/can-isotp";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.evck ];
+  };
+}
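Review bot: `hardeningDisable = [ "pic" ];` switches off a hardening flag without recording why, so a later reader cannot tell whether it is still required. This is presumably the usual out-of-tree kernel module case, where the kernel build supplies its own code-model flags and the compiler wrapper's PIC flag conflicts with them. A one-line comment above it would capture that, e.g. `# kernel modules are built with the kernel's own code model; the wrapper's PIC flag conflicts with it`. Separately, `license = licenses.gpl2;` does not say whether the module is GPL-2.0-only or -or-later, which other files in this change spell out as `gpl2Only` or `gpl2Plus`; which one applies should be checked against upstream.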
diff --git a/nixpkgs/pkgs/os-specific/linux/can-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/can-utils/default.nix
new file mode 100644
index 000000000000..90261e829048
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/can-utils/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "can-utils";
+  # There are no releases (source archives or git tags), so use the date of the
+  # latest commit in git master as version number.
+  version = "20170830";
+
+  src = fetchFromGitHub {
+    owner = "linux-can";
+    repo = "can-utils";
+    rev = "5b518a0a5fa56856f804372a6b99b518dedb5386";
+    sha256 = "1ygzp8rjr8f1gs48mb1pz7psdgbfhlvr6kjdnmzbsqcml06zvrpr";
+  };
+
+  # Fixup build with newer Linux headers.
+  postPatch = ''
+    sed '1i#include <linux/sockios.h>' -i \
+      slcanpty.c cansniffer.c canlogserver.c isotpdump.c isotpsniffer.c isotpperf.c
+  '';
+
+  preConfigure = ''makeFlagsArray+=(PREFIX="$out")'';
+
+  meta = with lib; {
+    description = "CAN userspace utilities and tools (for use with Linux SocketCAN)";
+    homepage = "https://github.com/linux-can/can-utils";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.bjornfor ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/catfs/default.nix b/nixpkgs/pkgs/os-specific/linux/catfs/default.nix
new file mode 100644
index 000000000000..dbb525e0e298
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/catfs/default.nix
@@ -0,0 +1,47 @@
+{ lib, rustPlatform, fetchFromGitHub
+, fetchpatch
+, fuse
+, pkg-config
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "catfs";
+  version = "unstable-2020-03-21";
+
+  src = fetchFromGitHub {
+    owner = "kahing";
+    repo = pname;
+    rev = "daa2b85798fa8ca38306242d51cbc39ed122e271";
+    sha256 = "0zca0c4n2p9s5kn8c9f9lyxdf3df88a63nmhprpgflj86bh8wgf5";
+  };
+
+  cargoSha256 = "1agcwq409s40kyij487wjrp8mj7942r9l2nqwks4xqlfb0bvaimf";
+
+  cargoPatches = [
+    # update cargo lock
+    (fetchpatch {
+      url = "https://github.com/kahing/catfs/commit/f838c1cf862cec3f1d862492e5be82b6dbe16ac5.patch";
+      sha256 = "1r1p0vbr3j9xyj9r1ahipg4acii3m4ni4m9mp3avbi1rfgzhblhw";
+    })
+  ];
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs = [ fuse ];
+
+  # require fuse module to be active to run tests
+  # instead, run command
+  doCheck = false;
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/catfs --help > /dev/null
+  '';
+
+  meta = with lib; {
+    description = "Caching filesystem written in Rust";
+    homepage = "https://github.com/kahing/catfs";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ jonringer ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cfs-zen-tweaks/default.nix b/nixpkgs/pkgs/os-specific/linux/cfs-zen-tweaks/default.nix
new file mode 100644
index 000000000000..a894e0bd4b69
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cfs-zen-tweaks/default.nix
@@ -0,0 +1,43 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, makeWrapper
+, gawk
+}:
+
+stdenv.mkDerivation rec {
+  pname = "cfs-zen-tweaks";
+  version = "1.2.0";
+
+  src = fetchFromGitHub {
+    owner = "igo95862";
+    repo = "cfs-zen-tweaks";
+    rev = version;
+    sha256 = "HRR2tdjNmWyrpbcMlihSdb/7g/tHma3YyXogQpRCVyo=";
+  };
+
+  postPatch = ''
+    patchShebangs set-cfs-zen-tweaks.bash
+    chmod +x set-cfs-zen-tweaks.bash
+    substituteInPlace set-cfs-zen-tweaks.bash \
+      --replace '$(gawk' '$(${gawk}/bin/gawk'
+  '';
+
+  buildInputs = [
+    gawk
+  ];
+
+  nativeBuildInputs = [
+    cmake
+    makeWrapper
+  ];
+
+  meta = with lib; {
+    description = "Tweak Linux CPU scheduler for desktop responsiveness";
+    homepage = "https://github.com/igo95862/cfs-zen-tweaks";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mkg20001 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/checkpolicy/default.nix b/nixpkgs/pkgs/os-specific/linux/checkpolicy/default.nix
new file mode 100644
index 000000000000..52cf0a3ec037
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/checkpolicy/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl, bison, flex, libsepol }:
+
+stdenv.mkDerivation rec {
+  pname = "checkpolicy";
+  version = "3.3";
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/checkpolicy-${version}.tar.gz";
+    sha256 = "118l8c2vvnnckbd269saslr7adv6rdavr5rv0z5vh2m1lgglxj15";
+  };
+
+  nativeBuildInputs = [ bison flex ];
+  buildInputs = [ libsepol ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+  ];
+
+  meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
+    description = "SELinux policy compiler";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch b/nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
new file mode 100644
index 000000000000..2aabbc4d4c80
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/checksec/0001-attempt-to-modprobe-config-before-checking-kernel.patch
@@ -0,0 +1,24 @@
+From 5cfb08effd21d9278e3eb8901c85112a331c3181 Mon Sep 17 00:00:00 2001
+From: Austin Seipp <aseipp@pobox.com>
+Date: Tue, 26 Oct 2021 09:23:07 +0000
+Subject: [PATCH] attempt to 'modprobe config' before checking kernel
+
+---
+ checksec | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/checksec b/checksec
+index 5536250..895073b 100755
+--- a/checksec
++++ b/checksec
+@@ -1059,6 +1059,7 @@ kernelcheck() {
+   echo_message "  options that harden the kernel itself against attack.\n\n" '' '' ''
+   echo_message "  Kernel config:\n" '' '' '{ "kernel": '
+
++  modprobe configs 2> /dev/null
+   if [[ ! "${1}" == "" ]]; then
+     kconfig="cat ${1}"
+     echo_message "  Warning: The config ${1} on disk may not represent running kernel config!\n\n" "${1}" "<kernel config=\"${1}\"" "{ \"KernelConfig\":\"${1}\""
+-- 
+2.33.0
+
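Review bot: The added `modprobe configs 2> /dev/null` runs on every call to kernelcheck(), including when a config file is passed as `${1}` and when the running kernel already exposes its configuration, and any error is discarded. For an audit tool this means a nominally read-only check can load a kernel module as a side effect when run as root, and silently does nothing otherwise. Guarding the call limits the side effect to the case that needs it: `[[ -n "${1}" || -e /proc/config.gz ]] || modprobe configs 2> /dev/null`. The patch subject says 'modprobe config' while the code loads `configs`. kernelcheck() continues outside the hunk, so whether /proc/config.gz is the file it reads afterwards should be confirmed.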
diff --git a/nixpkgs/pkgs/os-specific/linux/checksec/default.nix b/nixpkgs/pkgs/os-specific/linux/checksec/default.nix
new file mode 100644
index 000000000000..1bdd4cf5f677
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/checksec/default.nix
@@ -0,0 +1,59 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, makeWrapper
+, file
+, findutils
+, binutils-unwrapped
+, glibc
+, coreutils
+, sysctl
+, openssl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "checksec";
+  version = "2.6.0";
+
+  src = fetchFromGitHub {
+    owner = "slimm609";
+    repo = "checksec.sh";
+    rev = version;
+    hash = "sha256-BWtchWXukIDSLJkFX8M/NZBvfi7vUE2j4yFfS0KEZDo=";
+  };
+
+  patches = [
+    ./0001-attempt-to-modprobe-config-before-checking-kernel.patch
+  ];
+
+  nativeBuildInputs = [
+    makeWrapper
+  ];
+
+  installPhase =
+    let
+      path = lib.makeBinPath [
+        findutils
+        file
+        binutils-unwrapped
+        sysctl
+        openssl
+      ];
+    in
+    ''
+      mkdir -p $out/bin
+      install checksec $out/bin
+      substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6
+      substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
+      wrapProgram $out/bin/checksec \
+        --prefix PATH : ${path}
+    '';
+
+  meta = with lib; {
+    description = "Tool for checking security bits on executables";
+    homepage = "https://www.trapkit.de/tools/checksec/";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice globin ];
+  };
+}
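Review bot: The wrapper's `path` list contains no package that provides `modprobe`, which the patch listed in `patches` adds a call to, so that one command is looked up in whatever PATH the caller has while the others are pinned to store paths. The kernel check is the part of checksec most likely to be run as root, so the binary should come from the package closure: add `kmod` to the function arguments and to the `lib.makeBinPath [ ... ]` list. `--prefix PATH` also keeps the ambient PATH as a fallback for any tool missing from the list, which hides omissions like this one. `homepage` points at trapkit.de while `src` is fetched from the slimm609/checksec.sh repository; pointing it at the fetched repository would match what is actually packaged.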
diff --git a/nixpkgs/pkgs/os-specific/linux/chromium-xorg-conf/default.nix b/nixpkgs/pkgs/os-specific/linux/chromium-xorg-conf/default.nix
new file mode 100644
index 000000000000..d9608650ed9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/chromium-xorg-conf/default.nix
@@ -0,0 +1,8 @@
+{ fetchFromGitiles }:
+
+fetchFromGitiles {
+  name = "chromium-xorg-conf";
+  url = "https://chromium.googlesource.com/chromiumos/platform/xorg-conf";
+  rev = "26fb9d57e195c7e467616b35b17e2b5d279c1514";
+  sha256 = "0643y3l3hjk4mv4lm3h9z56h990q6k11hcr10lcqppgsii0d3zcf";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cifs-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/cifs-utils/default.nix
new file mode 100644
index 000000000000..ba790f2eaca4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cifs-utils/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, lib, fetchurl, autoreconfHook, docutils, pkg-config
+, libkrb5, keyutils, pam, talloc, python3 }:
+
+stdenv.mkDerivation rec {
+  pname = "cifs-utils";
+  version = "6.15";
+
+  src = fetchurl {
+    url = "mirror://samba/pub/linux-cifs/cifs-utils/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-p7aUDpMlDBZ2pvpmturZG3jNQ6X+6ZzEYkWci5zx5vQ=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook docutils pkg-config ];
+
+  buildInputs = [ libkrb5 keyutils pam talloc python3 ];
+
+  configureFlags = [ "ROOTSBINDIR=$(out)/sbin" ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    # AC_FUNC_MALLOC is broken on cross builds.
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ];
+
+  meta = with lib; {
+    homepage = "https://wiki.samba.org/index.php/LinuxCIFS_utils";
+    description = "Tools for managing Linux CIFS client filesystems";
+    platforms = platforms.linux;
+    license = licenses.lgpl3;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/compsize/default.nix b/nixpkgs/pkgs/os-specific/linux/compsize/default.nix
new file mode 100644
index 000000000000..9d0dbeffaee3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/compsize/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub, btrfs-progs }:
+
+stdenv.mkDerivation rec {
+  pname = "compsize";
+  version = "1.5";
+
+  src = fetchFromGitHub {
+    owner = "kilobyte";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-OX41ChtHX36lVRL7O2gH21Dfw6GPPEClD+yafR/PFm8=";
+  };
+
+  buildInputs = [ btrfs-progs ];
+
+  installFlags = [
+    "PREFIX=${placeholder "out"}"
+  ];
+
+  preInstall = ''
+    mkdir -p $out/share/man/man8
+  '';
+
+  meta = with lib; {
+    description = "btrfs: Find compression type/ratio on a file or set of files";
+    homepage = "https://github.com/kilobyte/compsize";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ CrazedProgrammer ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/conky/default.nix b/nixpkgs/pkgs/os-specific/linux/conky/default.nix
new file mode 100644
index 000000000000..87f5bb052f48
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/conky/default.nix
@@ -0,0 +1,147 @@
+{ config, lib, stdenv, fetchFromGitHub, pkg-config, cmake
+
+# dependencies
+, glib, libXinerama, catch2
+
+# optional features without extra dependencies
+, mpdSupport          ? true
+, ibmSupport          ? true # IBM/Lenovo notebooks
+
+# optional features with extra dependencies
+
+# ouch, this is ugly, but this gives the man page
+, docsSupport         ? true, docbook2x, libxslt ? null
+                            , man ? null, less ? null
+                            , docbook_xsl ? null , docbook_xml_dtd_44 ? null
+
+, ncursesSupport      ? true      , ncurses       ? null
+, x11Support          ? true      , xlibsWrapper           ? null
+, xdamageSupport      ? x11Support, libXdamage    ? null
+, doubleBufferSupport ? x11Support
+, imlib2Support       ? x11Support, imlib2        ? null
+
+, luaSupport          ? true      , lua           ? null
+, luaImlib2Support    ? luaSupport && imlib2Support
+, luaCairoSupport     ? luaSupport && x11Support, cairo ? null
+, toluapp ? null
+
+, wirelessSupport     ? true      , wirelesstools ? null
+, nvidiaSupport       ? false     , libXNVCtrl ? null
+, pulseSupport        ? config.pulseaudio or false, libpulseaudio ? null
+
+, curlSupport         ? true      , curl ? null
+, rssSupport          ? curlSupport
+, weatherMetarSupport ? curlSupport
+, weatherXoapSupport  ? curlSupport
+, journalSupport      ? true, systemd ? null
+, libxml2 ? null
+}:
+
+assert docsSupport         -> docbook2x != null && libxslt != null
+                           && man != null && less != null
+                           && docbook_xsl != null && docbook_xml_dtd_44 != null;
+
+assert ncursesSupport      -> ncurses != null;
+
+assert x11Support          -> xlibsWrapper != null;
+assert xdamageSupport      -> x11Support && libXdamage != null;
+assert imlib2Support       -> x11Support && imlib2     != null;
+assert luaSupport          -> lua != null;
+assert luaImlib2Support    -> luaSupport && imlib2Support
+                                         && toluapp != null;
+assert luaCairoSupport     -> luaSupport && toluapp != null
+                                         && cairo   != null;
+assert luaCairoSupport || luaImlib2Support
+                           -> lua.luaversion == "5.3";
+
+assert wirelessSupport     -> wirelesstools != null;
+assert nvidiaSupport       -> libXNVCtrl != null;
+assert pulseSupport        -> libpulseaudio != null;
+
+assert curlSupport         -> curl != null;
+assert rssSupport          -> curlSupport && libxml2 != null;
+assert weatherMetarSupport -> curlSupport;
+assert weatherXoapSupport  -> curlSupport && libxml2 != null;
+assert journalSupport      -> systemd != null;
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "conky";
+  version = "1.12.2";
+
+  src = fetchFromGitHub {
+    owner = "brndnmtthws";
+    repo = "conky";
+    rev = "v${version}";
+    sha256 = "sha256-x6bR5E5LIvKWiVM15IEoUgGas/hcRp3F/O4MTOhVPb8=";
+  };
+
+  postPatch = ''
+    sed -i -e '/include.*CheckIncludeFile)/i include(CheckIncludeFiles)' \
+      cmake/ConkyPlatformChecks.cmake
+  '' + optionalString docsSupport ''
+    # Drop examples, since they contain non-ASCII characters that break docbook2x :(
+    sed -i 's/ Example: .*$//' doc/config_settings.xml
+
+    substituteInPlace cmake/Conky.cmake --replace "# set(RELEASE true)" "set(RELEASE true)"
+
+    cp ${catch2}/include/catch2/catch.hpp tests/catch2/catch.hpp
+  '';
+
+  NIX_LDFLAGS = "-lgcc_s";
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ glib libXinerama ]
+    ++ optionals docsSupport        [ docbook2x docbook_xsl docbook_xml_dtd_44 libxslt man less ]
+    ++ optional  ncursesSupport     ncurses
+    ++ optional  x11Support         xlibsWrapper
+    ++ optional  xdamageSupport     libXdamage
+    ++ optional  imlib2Support      imlib2
+    ++ optional  luaSupport         lua
+    ++ optionals luaImlib2Support   [ toluapp imlib2 ]
+    ++ optionals luaCairoSupport    [ toluapp cairo ]
+    ++ optional  wirelessSupport    wirelesstools
+    ++ optional  curlSupport        curl
+    ++ optional  rssSupport         libxml2
+    ++ optional  weatherXoapSupport libxml2
+    ++ optional  nvidiaSupport      libXNVCtrl
+    ++ optional  pulseSupport       libpulseaudio
+    ++ optional  journalSupport     systemd
+    ;
+
+  cmakeFlags = []
+    ++ optional docsSupport         "-DMAINTAINER_MODE=ON"
+    ++ optional curlSupport         "-DBUILD_CURL=ON"
+    ++ optional (!ibmSupport)       "-DBUILD_IBM=OFF"
+    ++ optional imlib2Support       "-DBUILD_IMLIB2=ON"
+    ++ optional luaCairoSupport     "-DBUILD_LUA_CAIRO=ON"
+    ++ optional luaImlib2Support    "-DBUILD_LUA_IMLIB2=ON"
+    ++ optional (!mpdSupport)       "-DBUILD_MPD=OFF"
+    ++ optional (!ncursesSupport)   "-DBUILD_NCURSES=OFF"
+    ++ optional rssSupport          "-DBUILD_RSS=ON"
+    ++ optional (!x11Support)       "-DBUILD_X11=OFF"
+    ++ optional xdamageSupport      "-DBUILD_XDAMAGE=ON"
+    ++ optional doubleBufferSupport "-DBUILD_XDBE=ON"
+    ++ optional weatherMetarSupport "-DBUILD_WEATHER_METAR=ON"
+    ++ optional weatherXoapSupport  "-DBUILD_WEATHER_XOAP=ON"
+    ++ optional wirelessSupport     "-DBUILD_WLAN=ON"
+    ++ optional nvidiaSupport       "-DBUILD_NVIDIA=ON"
+    ++ optional pulseSupport        "-DBUILD_PULSEAUDIO=ON"
+    ++ optional journalSupport      "-DBUILD_JOURNAL=ON"
+    ;
+
+  # `make -f src/CMakeFiles/conky.dir/build.make src/CMakeFiles/conky.dir/conky.cc.o`:
+  # src/conky.cc:137:23: fatal error: defconfig.h: No such file or directory
+  enableParallelBuilding = false;
+
+  doCheck = true;
+
+  meta = with lib; {
+    homepage = "http://conky.sourceforge.net/";
+    description = "Advanced, highly configurable system monitor based on torsmo";
+    maintainers = [ maintainers.guibert ];
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+  };
+}
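Review bot: In `postPatch`, the `substituteInPlace cmake/Conky.cmake ...` line and the `cp ${catch2}/include/catch2/catch.hpp tests/catch2/catch.hpp` line sit inside the `optionalString docsSupport` string, so they run only when docs are enabled. With `docsSupport = false` the release flag is not set and the packaged catch2 header is not copied into tests/catch2/, while `doCheck = true` still runs the test suite. Ending the conditional string after the `doc/config_settings.xml` sed and starting an unconditional one, `'' + ''` just before `substituteInPlace`, makes both steps independent of the docs option. `homepage` is also a plain `http://` URL.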
diff --git a/nixpkgs/pkgs/os-specific/linux/conntrack-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/conntrack-tools/default.nix
new file mode 100644
index 000000000000..0b14398e58f6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/conntrack-tools/default.nix
@@ -0,0 +1,29 @@
+{ fetchurl, lib, stdenv, flex, bison, pkg-config, libmnl, libnfnetlink
+, libnetfilter_conntrack, libnetfilter_queue, libnetfilter_cttimeout
+, libnetfilter_cthelper, systemd
+, libtirpc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "conntrack-tools";
+  version = "1.4.6";
+
+  src = fetchurl {
+    url = "https://www.netfilter.org/projects/conntrack-tools/files/${pname}-${version}.tar.bz2";
+    sha256 = "0psx41bclqrh4514yzq03rvs3cq3scfpd1v4kkyxnic2hk65j22r";
+  };
+
+  buildInputs = [
+    libmnl libnfnetlink libnetfilter_conntrack libnetfilter_queue
+    libnetfilter_cttimeout libnetfilter_cthelper systemd libtirpc
+  ];
+  nativeBuildInputs = [ flex bison pkg-config ];
+
+  meta = with lib; {
+    homepage = "http://conntrack-tools.netfilter.org/";
+    description = "Connection tracking userspace tools";
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ fpletz ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/consoletools/default.nix b/nixpkgs/pkgs/os-specific/linux/consoletools/default.nix
new file mode 100644
index 000000000000..8def013b956f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/consoletools/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchurl, SDL }:
+
+stdenv.mkDerivation rec {
+  pname = "linuxconsoletools";
+  version = "1.6.1";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/linuxconsole/${pname}-${version}.tar.bz2";
+    sha256 = "0d2r3j916fl2y7pk1y82b9fvbr10dgs1gw7rqwzfpispdidb1mp9";
+  };
+
+  buildInputs = [ SDL ];
+
+  makeFlags = [ "DESTDIR=$(out)"];
+
+  installFlags = [ "PREFIX=\"\"" ];
+
+  meta = with lib; {
+    homepage = "https://sourceforge.net/projects/linuxconsole/";
+    description = "A set of tools for joysticks and serial peripherals";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ pSub ebzzry ];
+
+    longDescription = ''
+      The included tools are:
+
+      ffcfstress(1)  - force-feedback stress test
+      ffmvforce(1)   - force-feedback orientation test
+      ffset(1)       - force-feedback configuration tool
+      fftest(1)      - general force-feedback test
+      jstest(1)      - joystick test
+      jscal(1)       - joystick calibration tool
+      inputattach(1) - connects legacy serial devices to the input layer
+    '';
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/conspy/default.nix b/nixpkgs/pkgs/os-specific/linux/conspy/default.nix
new file mode 100644
index 000000000000..00e97855e261
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/conspy/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchurl, autoconf, automake, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "conspy";
+  version = "1.16";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/project/conspy/conspy-${version}-1/conspy-${version}.tar.gz";
+    sha256 = "02andak806vd04bgjlr0y0d2ddx7cazyf8nvca80vlh8x94gcppf";
+    curlOpts = " -A application/octet-stream ";
+  };
+
+  nativeBuildInputs = [ autoconf automake ];
+  buildInputs = [
+    ncurses
+  ];
+
+  preConfigure = ''
+    touch NEWS
+    echo "EPL 1.0" > COPYING
+    aclocal
+    automake --add-missing
+    autoconf
+  '';
+
+  meta = with lib; {
+    description = "Linux text console viewer";
+    license = licenses.epl10;
+    maintainers = with maintainers; [ raskin ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpufrequtils/default.nix b/nixpkgs/pkgs/os-specific/linux/cpufrequtils/default.nix
new file mode 100644
index 000000000000..d64996c4961e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpufrequtils/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchurl, libtool, gettext }:
+
+stdenv.mkDerivation rec {
+  pname = "cpufrequtils";
+  version = "008";
+
+  src = fetchurl {
+    url = "http://ftp.be.debian.org/pub/linux/utils/kernel/cpufreq/cpufrequtils-${version}.tar.gz";
+    sha256 = "127i38d4w1hv2dzdy756gmbhq25q3k34nqb2s0xlhsfhhdqs0lq0";
+  };
+
+  patches = [
+    # I am not 100% sure that this is ok, but it breaks repeatable builds.
+    ./remove-pot-creation-date.patch
+  ];
+
+  patchPhase = ''
+    sed -e "s@= /usr/bin/@= @g" \
+      -e "s@/usr/@$out/@" \
+      -i Makefile
+  '';
+
+  buildInputs = [ stdenv.cc.libc.linuxHeaders libtool gettext ];
+
+  meta = with lib; {
+    description = "Tools to display or change the CPU governor settings";
+    homepage = "http://ftp.be.debian.org/pub/linux/utils/kernel/cpufreq/cpufrequtils.html";
+    license = licenses.gpl2Only;
+    platforms = [ "x86_64-linux" ];
+  };
+}
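Review bot: Setting `patchPhase` replaces the stdenv phase that applies `patches`, so `./remove-pot-creation-date.patch` is listed but, as far as this file shows, never applied, and the reproducibility fix it carries is lost without any error. Renaming the attribute keeps both steps: `postPatch = ''` in place of `patchPhase = ''`. cpuid/default.nix later in this change overrides `patchPhase` the same way; it lists no patches today, but the same rename would keep a patch added later from being silently dropped. The source and homepage URLs are plain `http://`; the fixed `sha256` pins the tarball's content, though an `https://` location would be preferable if upstream offers one.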
diff --git a/nixpkgs/pkgs/os-specific/linux/cpufrequtils/remove-pot-creation-date.patch b/nixpkgs/pkgs/os-specific/linux/cpufrequtils/remove-pot-creation-date.patch
new file mode 100644
index 000000000000..0116ed9eab0c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpufrequtils/remove-pot-creation-date.patch
@@ -0,0 +1,24 @@
+diff -u cpufrequtils-008/Makefile cpufrequtils-008.new/Makefile
+--- cpufrequtils-008/Makefile	2012-05-06 01:17:18.000000000 +0200
++++ cpufrequtils-008.new/Makefile	2013-08-16 20:52:29.961086536 +0200
+@@ -205,7 +205,8 @@
+ 	@xgettext --default-domain=$(PACKAGE) --add-comments \
+ 		--keyword=_ --keyword=N_ $(UTIL_SRC) && \
+ 	test -f $(PACKAGE).po && \
+-	mv -f $(PACKAGE).po po/$(PACKAGE).pot
++	mv -f $(PACKAGE).po po/$(PACKAGE).pot && \
++        sed -i -e'/POT-Creation/d' po/*.pot
+ 
+ update-gmo: po/$(PACKAGE).pot
+ 	 @for HLANG in $(LANGUAGES); do \
+@@ -217,6 +218,7 @@
+ 			echo "msgmerge for $$HLANG failed!"; \
+ 			rm -f po/$$HLANG.new.po; \
+ 		fi; \
++		sed -i -e'/POT-Creation/d' po/*.po; \
+ 		msgfmt --statistics -o po/$$HLANG.gmo po/$$HLANG.po; \
+ 	done;
+ 
+Common subdirectories: cpufrequtils-008/man and cpufrequtils-008.new/man
+Common subdirectories: cpufrequtils-008/po and cpufrequtils-008.new/po
+Common subdirectories: cpufrequtils-008/utils and cpufrequtils-008.new/utils
diff --git a/nixpkgs/pkgs/os-specific/linux/cpuid/default.nix b/nixpkgs/pkgs/os-specific/linux/cpuid/default.nix
new file mode 100644
index 000000000000..abe6f44f31a9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpuid/default.nix
@@ -0,0 +1,55 @@
+{ lib
+, stdenv
+, fetchurl
+, perl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "cpuid";
+  version = "20220812";
+
+  src = fetchurl {
+    url = "http://etallen.com/cpuid/${pname}-${version}.src.tar.gz";
+    sha256 = "sha256-O/aPuX2UcU+QdjzK2BDfjcX3/pwfmjZSQ2SR/XVBWr8=";
+  };
+
+  # For pod2man during the build process.
+  nativeBuildInputs = [
+    perl
+  ];
+
+  # As runtime dependency for cpuinfo2cpuid.
+  buildInputs = [
+    perl
+  ];
+
+  # The Makefile hardcodes $(BUILDROOT)/usr as installation
+  # destination. Just nuke all mentions of /usr to get the right
+  # installation location.
+  patchPhase = ''
+    sed -i -e 's,/usr/,/,' Makefile
+  '';
+
+  installPhase = ''
+    make install BUILDROOT=$out
+
+    if [ ! -x $out/bin/cpuid ]; then
+      echo Failed to properly patch Makefile.
+      exit 1
+    fi
+  '';
+
+  meta = with lib; {
+    description = "Linux tool to dump x86 CPUID information about the CPU";
+    longDescription = ''
+      cpuid dumps detailed information about the CPU(s) gathered from the CPUID
+      instruction, and also determines the exact model of CPU(s). It supports
+      Intel, AMD, VIA, Hygon, and Zhaoxin CPUs, as well as older Transmeta,
+      Cyrix, UMC, NexGen, Rise, and SiS CPUs.
+    '';
+    homepage = "http://etallen.com/cpuid.html";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ blitz ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpupower-gui/default.nix b/nixpkgs/pkgs/os-specific/linux/cpupower-gui/default.nix
new file mode 100644
index 000000000000..1f57bc9428f0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpupower-gui/default.nix
@@ -0,0 +1,103 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, buildPythonApplication
+, appstream-glib
+, dbus-python
+, desktop-file-utils
+, gettext
+, glib
+, gobject-introspection
+, gtk3
+, hicolor-icon-theme
+, libappindicator
+, libhandy
+, meson
+, ninja
+, pkg-config
+, pygobject3
+, pyxdg
+, systemd
+, wrapGAppsHook
+}:
+
+buildPythonApplication rec {
+  pname = "cpupower-gui";
+  version = "1.0.0";
+
+  # This packages doesn't have a setup.py
+  format = "other";
+
+  src = fetchFromGitHub {
+    owner = "vagnum08";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "05lvpi3wgyi741sd8lgcslj8i7yi3wz7jwl7ca3y539y50hwrdas";
+  };
+
+  patches = [
+    # Fix build with 0.61, can be removed on next update
+    # https://hydra.nixos.org/build/171052557/nixlog/1
+    (fetchpatch {
+      url = "https://github.com/vagnum08/cpupower-gui/commit/97f8ac02fe33e412b59d3f3968c16a217753e74b.patch";
+      sha256 = "XYnpm03kq8JLMjAT73BMCJWlzz40IAuHESm715VV6G0=";
+    })
+  ];
+
+  nativeBuildInputs = [
+    appstream-glib
+    desktop-file-utils # needed for update-desktop-database
+    gettext
+    glib # needed for glib-compile-schemas
+    gobject-introspection # need for gtk namespace to be available
+    hicolor-icon-theme # needed for postinstall script
+    meson
+    ninja
+    pkg-config
+    wrapGAppsHook
+
+    # Python packages
+    dbus-python
+    libappindicator
+    pygobject3
+    pyxdg
+  ];
+
+  buildInputs = [
+    glib
+    gtk3
+    libhandy
+  ];
+
+  propagatedBuildInputs = [
+    dbus-python
+    libappindicator
+    pygobject3
+    pyxdg
+  ];
+
+  mesonFlags = [
+    "-Dsystemddir=${placeholder "out"}/lib/systemd"
+  ];
+
+  preConfigure = ''
+    patchShebangs build-aux/meson/postinstall.py
+  '';
+
+  strictDeps = false;
+  dontWrapGApps = true;
+
+  makeWrapperArgs = [ "\${gappsWrapperArgs[@]}" ];
+
+  postFixup = ''
+    wrapPythonProgramsIn $out/lib "$out $propagatedBuildInputs"
+  '';
+
+  meta = with lib; {
+    description = "Change the frequency limits of your cpu and its governor";
+    homepage = "https://github.com/vagnum08/cpupower-gui/";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ unode ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpupower/default.nix b/nixpkgs/pkgs/os-specific/linux/cpupower/default.nix
new file mode 100644
index 000000000000..cfc0ace8e0a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpupower/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, buildPackages, kernel, pciutils, gettext }:
+
+stdenv.mkDerivation {
+  pname = "cpupower";
+  inherit (kernel) version src;
+
+  nativeBuildInputs = [ gettext ];
+  buildInputs = [ pciutils ];
+
+  postPatch = ''
+    cd tools/power/cpupower
+    sed -i 's,/bin/true,${buildPackages.coreutils}/bin/true,' Makefile
+    sed -i 's,/bin/pwd,${buildPackages.coreutils}/bin/pwd,' Makefile
+    sed -i 's,/usr/bin/install,${buildPackages.coreutils}/bin/install,' Makefile
+  '';
+
+  makeFlags = [
+    "CROSS=${stdenv.cc.targetPrefix}"
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "LD=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  installFlags = lib.mapAttrsToList
+    (n: v: "${n}dir=${placeholder "out"}/${v}") {
+    bin = "bin";
+    sbin = "sbin";
+    man = "share/man";
+    include = "include";
+    lib = "lib";
+    locale = "share/locale";
+    doc = "share/doc/cpupower";
+    conf = "etc";
+    bash_completion_ = "share/bash-completion/completions";
+  };
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Tool to examine and tune power saving features";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpuset/default.nix b/nixpkgs/pkgs/os-specific/linux/cpuset/default.nix
new file mode 100644
index 000000000000..bb7a953c1195
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpuset/default.nix
@@ -0,0 +1,45 @@
+{ lib
+, fetchFromGitHub
+, fetchpatch
+, pythonPackages
+}:
+
+pythonPackages.buildPythonApplication rec {
+  pname = "cpuset";
+  version = "1.6";
+
+  propagatedBuildInputs = with pythonPackages; [
+    configparser
+    future
+  ];
+
+  # https://github.com/lpechacek/cpuset/pull/36
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/MawKKe/cpuset/commit/a4b6b275d0a43d2794ab9e82922d3431aeea9903.patch";
+      sha256 = "1mi1xrql81iczl67s4dk2rm9r1mk36qhsa19wn7zgryf95krsix2";
+    })
+  ];
+
+  makeFlags = [ "prefix=$(out)" ];
+
+  src = fetchFromGitHub {
+    owner = "lpechacek";
+    repo = "cpuset";
+    rev = "v${version}";
+    sha256 = "0ig0ml2zd5542d0989872vmy7cs3qg7nxwa93k42bdkm50amhar4";
+  };
+
+  checkPhase = ''
+    cd t
+    make
+  '';
+
+  meta = with lib; {
+    description = "Python application that forms a wrapper around the standard Linux filesystem calls to make using the cpusets facilities in the Linux kernel easier";
+    homepage    = "https://github.com/lpechacek/cpuset";
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ thiagokokada wykurz ];
+    mainProgram = "cset";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cpustat/default.nix b/nixpkgs/pkgs/os-specific/linux/cpustat/default.nix
new file mode 100644
index 000000000000..c37c191d8c5f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cpustat/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, lib, fetchFromGitHub, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "cpustat";
+  version = "0.02.17";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-4HDXRtklzQSsywCGCTKdz6AtZta9R1mx7qkT7skX6Kc=";
+  };
+
+  buildInputs = [ ncurses ];
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "CPU usage monitoring tool";
+    homepage = "https://github.com/ColinIanKing/cpustat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ dtzWill ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/cramfsprogs/default.nix b/nixpkgs/pkgs/os-specific/linux/cramfsprogs/default.nix
new file mode 100644
index 000000000000..59fbfed1b728
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cramfsprogs/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv
+, fetchurl
+, zlib
+}:
+
+stdenv.mkDerivation rec {
+  pname = "cramfsprogs";
+  version = "1.1";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/c/cramfs/cramfs_${version}.orig.tar.gz";
+    sha256 = "0s13sabykbkbp0pcw8clxddwzxckyq7ywm2ial343ip7qjiaqg0k";
+  };
+
+  # CramFs is unmaintained upstream: https://tracker.debian.org/pkg/cramfs.
+  # So patch the "missing include" bug ourselves.
+  patches = [ ./include-sysmacros.patch ];
+
+  makeFlags = [
+    "CC=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  installPhase = ''
+    install --target $out/bin -D cramfsck mkcramfs
+  '';
+
+  buildInputs = [ zlib ];
+
+  meta = with lib; {
+    description = "Tools to create, check, and extract content of CramFs images";
+    homepage = "https://packages.debian.org/jessie/cramfsprogs";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ pamplemousse ];
+    platforms = platforms.linux;
+  };
+}
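Review bot: The custom `installPhase` replaces the default one without calling the phase hooks, so a `preInstall` or `postInstall` supplied through an override is silently ignored. disk-indicator/default.nix in this same change shows the expected shape. Add `runHook preInstall` as the first line of the phase and `runHook postInstall` as the last, and quote the target as `"$out/bin"`. The same applies to `installPhase` in cramfsswap/default.nix and displaylink/default.nix, and to displaylink's `unpackPhase` (`runHook preUnpack` / `runHook postUnpack`).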
diff --git a/nixpkgs/pkgs/os-specific/linux/cramfsprogs/include-sysmacros.patch b/nixpkgs/pkgs/os-specific/linux/cramfsprogs/include-sysmacros.patch
new file mode 100644
index 000000000000..7c115a66ac90
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cramfsprogs/include-sysmacros.patch
@@ -0,0 +1,12 @@
+diff --git a/mkcramfs.c b/mkcramfs.c
+index a2ef018959d..bec83c112d1 100644
+--- a/mkcramfs.c
++++ b/mkcramfs.c
+@@ -22,6 +22,7 @@
+  * If you change the disk format of cramfs, please update fs/cramfs/README.
+  */
+ 
++#include <sys/sysmacros.h>
+ #include <sys/types.h>
+ #include <stdio.h>
+ #include <sys/stat.h>
diff --git a/nixpkgs/pkgs/os-specific/linux/cramfsswap/default.nix b/nixpkgs/pkgs/os-specific/linux/cramfsswap/default.nix
new file mode 100644
index 000000000000..f79921186388
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cramfsswap/default.nix
@@ -0,0 +1,31 @@
+{lib, stdenv, fetchurl, zlib}:
+
+stdenv.mkDerivation rec {
+  pname = "cramfsswap";
+  version = "1.4.2";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/c/cramfsswap/${pname}_${version}.tar.xz";
+    sha256 = "10mj45zx71inaa3l1d81g64f7yn1xcprvq4v4yzpdwbxqmqaikw1";
+  };
+  #  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996964
+  patches = [ ./parallel-make.patch ];
+
+  # Needed for cross-compilation
+  postPatch = ''
+    substituteInPlace Makefile --replace 'strip ' '$(STRIP) '
+  '';
+
+  buildInputs = [zlib];
+
+  installPhase = ''
+    install --target $out/bin -D cramfsswap
+  '';
+
+  meta = with lib; {
+    description = "Swap endianess of a cram filesystem (cramfs)";
+    homepage = "https://packages.debian.org/sid/utils/cramfsswap";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+  };
+}
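Review bot: `description` misspells its key word, which hurts package search: `"Swap endianess of a cram filesystem (cramfs)"` should read `"Swap endianness of a cram filesystem (cramfs)"`. The header of parallel-make.patch in the next file has a similar slip ("bya dding" for "by adding"). `meta` also has no `maintainers` attribute, so the package has no named contact for update requests.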
diff --git a/nixpkgs/pkgs/os-specific/linux/cramfsswap/parallel-make.patch b/nixpkgs/pkgs/os-specific/linux/cramfsswap/parallel-make.patch
new file mode 100644
index 000000000000..280c5286b79a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cramfsswap/parallel-make.patch
@@ -0,0 +1,14 @@
+Fix parallel build failure bya dding the dependency.
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996964
+--- a/Makefile
++++ b/Makefile
+@@ -6,7 +6,7 @@ debian: cramfsswap
+ cramfsswap: cramfsswap.c
+ 	$(CC) -Wall -g -O $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o cramfsswap cramfsswap.c -lz
+ 
+-strip:
++strip: cramfsswap
+ 	strip cramfsswap
+ 
+ install: cramfsswap
diff --git a/nixpkgs/pkgs/os-specific/linux/crda/default.nix b/nixpkgs/pkgs/os-specific/linux/crda/default.nix
new file mode 100644
index 000000000000..ffed5fc36a78
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/crda/default.nix
@@ -0,0 +1,78 @@
+{ lib, stdenv, fetchurl, fetchpatch, libgcrypt, libnl, pkg-config, python3Packages, wireless-regdb }:
+
+stdenv.mkDerivation rec {
+  pname = "crda";
+  version = "4.14";
+
+  src = fetchurl {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/snapshot/crda-${version}.tar.gz";
+    sha256 = "sha256-Wo81u4snR09Gaw511FG6kXQz2KqxiJZ4pk2cTnKouMI=";
+  };
+
+  patches = [
+    # Fix python 3 build: except ImportError, e: SyntaxError: invalid syntax
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/d234fddf451fab0f4fc412e2769f54e11f10d7d8/trunk/crda-4.14-python-3.patch";
+      sha256 = "sha256-KEezEKrfizq9k4ZiE2mf3Nl4JiBayhXeVnFl7wYh28Y=";
+    })
+
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/d48ec843222b0d74c85bce86fa6f087c7dfdf952/trunk/0001-Makefile-Link-libreg.so-against-the-crypto-library.patch";
+      sha256 = "sha256-j93oydi209f22OF8aXZ/NczuUOnlhkdSeYvy2WRRvm0=";
+    })
+  ];
+
+  strictDeps = true;
+
+  nativeBuildInputs = [
+    pkg-config
+    python3Packages.m2crypto # only used for a build time script
+  ];
+
+  buildInputs = [
+    libgcrypt
+    libnl
+  ];
+
+  postPatch = ''
+    patchShebangs utils/
+    substituteInPlace Makefile \
+      --replace 'gzip' 'gzip -n' \
+      --replace ldconfig true \
+      --replace pkg-config $PKG_CONFIG
+    sed -i crda.c \
+      -e "/\/usr\/.*\/regulatory.bin/d" \
+      -e "s|/lib/crda|${wireless-regdb}/lib/crda|g"
+  '';
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "SBINDIR=$(out)/bin/"
+    "UDEV_RULE_DIR=$(out)/lib/udev/rules.d/"
+    "REG_BIN=${wireless-regdb}/lib/crda/regulatory.bin"
+  ];
+
+  buildFlags = [ "all_noverify" ];
+  enableParallelBuilding = true;
+
+  doCheck = true;
+  checkTarget = "verify";
+
+  meta = with lib; {
+    description = "Linux wireless Central Regulatory Domain Agent";
+    longDescription = ''
+      CRDA acts as the udev helper for communication between the kernel and
+      userspace for regulatory compliance. It relies on nl80211 for communication.
+
+      CRDA is intended to be run only through udev communication from the kernel.
+      To use it under NixOS, add
+
+        services.udev.packages = [ pkgs.crda ];
+
+      to the system configuration.
+    '';
+    homepage = "https://wireless.wiki.kernel.org/en/developers/regulatory/crda";
+    license = licenses.free; # "copyleft-next 0.3.0", as yet without a web site
+    platforms = platforms.linux;
+  };
+}
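Review bot: Nothing here explains why the build is split into `buildFlags = [ "all_noverify" ]` plus `checkTarget = "verify"`, so the verification step looks optional to the next maintainer. Judging by the target names and `REG_BIN`, `verify` appears to be the step that checks the regulatory database against the keys built into crda. It now runs only while `doCheck` stays enabled, and checks are normally skipped when cross-compiling. I would add a comment above `buildFlags`, for example `# "verify" checks regulatory.bin against the built-in keys; it runs in checkPhase, so keep doCheck = true`. That way a later change that disables checks does not drop the verification unnoticed.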
diff --git a/nixpkgs/pkgs/os-specific/linux/criu/default.nix b/nixpkgs/pkgs/os-specific/linux/criu/default.nix
new file mode 100644
index 000000000000..5475a565b09b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/criu/default.nix
@@ -0,0 +1,64 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch, protobuf, protobufc, asciidoc, iptables
+, xmlto, docbook_xsl, libpaper, libnl, libcap, libnet, pkg-config, iproute2
+, which, python3, makeWrapper, docbook_xml_dtd_45, perl, nftables, libbsd }:
+
+stdenv.mkDerivation rec {
+  pname = "criu";
+  version = "3.17.1";
+
+  src = fetchFromGitHub {
+    owner = "checkpoint-restore";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-0B0cdX5bemy4glF9iWjrQIXIqilyYcCcAN9x4Jjrwzk=";
+  };
+
+  patches = [
+    # Fixes redefinition of rseq headers
+    (fetchpatch {
+      url = "https://github.com/checkpoint-restore/criu/commit/1e6e826ffb7ac05f33fa123051c2fc2ddf0f68ea.patch";
+      hash = "sha256-LJjk0jQ5v5wqeprvBMpxhjLXn7v+lSPldEGgazGUM44=";
+    })
+  ];
+
+  enableParallelBuilding = true;
+  nativeBuildInputs = [ pkg-config docbook_xsl which makeWrapper docbook_xml_dtd_45 python3 python3.pkgs.wrapPython perl ];
+  buildInputs = [ protobuf asciidoc xmlto libpaper libnl libcap libnet nftables libbsd ];
+  propagatedBuildInputs = [ protobufc ] ++ (with python3.pkgs; [ python python3.pkgs.protobuf ]);
+
+  postPatch = ''
+    substituteInPlace ./Documentation/Makefile \
+      --replace "2>/dev/null" "" \
+      --replace "-m custom.xsl" "-m custom.xsl --skip-validation -x ${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl"
+    substituteInPlace ./Makefile --replace "head-name := \$(shell git tag -l v\$(CRIU_VERSION))" "head-name = ${version}.0"
+    ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto
+  '';
+
+  makeFlags = [ "PREFIX=$(out)" "ASCIIDOC=${asciidoc}/bin/asciidoc" "XMLTO=${xmlto}/bin/xmlto" ];
+
+  outputs = [ "out" "dev" "man" ];
+
+  preBuild = ''
+    # No idea why but configure scripts break otherwise.
+    export SHELL=""
+  '';
+
+  hardeningDisable = [ "stackprotector" "fortify" ];
+  # dropping fortify here as well as package uses it by default:
+  # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
+
+  postFixup = ''
+    wrapProgram $out/bin/criu \
+      --set-default CR_IPTABLES ${iptables}/bin/iptables \
+      --set-default CR_IP_TOOL ${iproute2}/bin/ip
+    wrapPythonPrograms
+  '';
+
+  meta = with lib; {
+    description = "Userspace checkpoint/restore for Linux";
+    homepage    = "https://criu.org";
+    license     = licenses.gpl2;
+    platforms   = [ "x86_64-linux" "aarch64-linux" ];
+    maintainers = [ maintainers.thoughtpolice ];
+  };
+}
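Review bot: `hardeningDisable = [ "stackprotector" "fortify" ]` turns off two compiler hardening flags for the whole package, but the comment below it only explains `fortify` (the `_FORTIFY_SOURCE` redefinition error). The reason for dropping `stackprotector` is not recorded, so nobody can tell later whether it is still needed or could be narrowed. Move the comment above the attribute and add one line per flag, e.g. `# stackprotector: <build error or upstream requirement it works around>`. The `preBuild` comment "No idea why but configure scripts break otherwise" has the same problem and would benefit from a link to the failure.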
diff --git a/nixpkgs/pkgs/os-specific/linux/cryptodev/default.nix b/nixpkgs/pkgs/os-specific/linux/cryptodev/default.nix
new file mode 100644
index 000000000000..cc3a1d81109e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cryptodev/default.nix
@@ -0,0 +1,28 @@
+{ fetchFromGitHub, lib, stdenv, kernel ? false }:
+
+stdenv.mkDerivation rec {
+  pname = "cryptodev-linux-1.12";
+  name = "${pname}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "cryptodev-linux";
+    repo = "cryptodev-linux";
+    rev = pname;
+    sha256 = "sha256-vJQ10rG5FGbeEOqCUmH/pZ0P77kAW/MtUarywbtIyHw=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  hardeningDisable = [ "pic" ];
+
+  KERNEL_DIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+  INSTALL_MOD_PATH = "\${out}";
+  prefix = "\${out}";
+
+  meta = {
+    description = "Device that allows access to Linux kernel cryptographic drivers";
+    homepage = "http://cryptodev-linux.org/";
+    maintainers = with lib.maintainers; [ fortuneteller2k ];
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+  };
+}
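Review bot: `kernel ? false` gives the argument a default that cannot work, because `kernel.version`, `kernel.moduleBuildDependencies`, `kernel.dev` and `kernel.modDirVersion` are all dereferenced unconditionally. Calling the file without a kernel therefore fails with a type error deep in evaluation instead of a missing-argument error. Make the argument required: `{ fetchFromGitHub, lib, stdenv, kernel }:`. Separately, `pname = "cryptodev-linux-1.12"` folds the version into the name and is reused as `rev`. Splitting it into `pname = "cryptodev-linux"` and `version = "1.12"` would let version-based tooling see which release is packaged.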
diff --git a/nixpkgs/pkgs/os-specific/linux/cryptsetup/default.nix b/nixpkgs/pkgs/os-specific/linux/cryptsetup/default.nix
new file mode 100644
index 000000000000..be819802394e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv, fetchurl, lvm2, json_c
+, openssl, libuuid, pkg-config, popt }:
+
+stdenv.mkDerivation rec {
+  pname = "cryptsetup";
+  version = "2.4.3";
+
+  outputs = [ "bin" "out" "dev" "man" ];
+  separateDebugInfo = true;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/cryptsetup/v2.4/${pname}-${version}.tar.xz";
+    sha256 = "sha256-/A35RRiBciZOxb8dC9oIJk+tyKP4VtR+upHzH+NUtQc=";
+  };
+
+  # Disable 4 test cases that fail in a sandbox
+  patches = [ ./disable-failing-tests.patch ];
+
+  postPatch = ''
+    patchShebangs tests
+
+    # O_DIRECT is filesystem dependent and fails in a sandbox (on tmpfs)
+    # and on several filesystem types (btrfs, zfs) without sandboxing.
+    # Remove it, see discussion in #46151
+    substituteInPlace tests/unit-utils-io.c --replace "| O_DIRECT" ""
+  '';
+
+  NIX_LDFLAGS = lib.optionalString (stdenv.cc.isGNU && !stdenv.hostPlatform.isStatic) "-lgcc_s";
+
+  configureFlags = [
+    "--enable-cryptsetup-reencrypt"
+    "--with-crypto_backend=openssl"
+    "--disable-ssh-token"
+  ] ++ lib.optionals stdenv.hostPlatform.isStatic [
+    "--disable-external-tokens"
+    # We have to override this even though we're removing token
+    # support, because the path still gets included in the binary even
+    # though it isn't used.
+    "--with-luks2-external-tokens-path=/"
+  ];
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ lvm2 json_c openssl libuuid popt ];
+
+  doCheck = true;
+
+  meta = {
+    homepage = "https://gitlab.com/cryptsetup/cryptsetup/";
+    description = "LUKS for dm-crypt";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ ];
+    platforms = with lib.platforms; linux;
+  };
+}
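Review bot: The source URL hard-codes the `v2.4` directory while the file name uses `${version}`, so a bump to another minor series updates one and not the other and the fetch fails. Deriving the directory keeps them in step: `url = "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";`. `maintainers` is also an empty list, which leaves the disk-encryption tooling without a named contact for update and security-fix requests.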
diff --git a/nixpkgs/pkgs/os-specific/linux/cryptsetup/disable-failing-tests.patch b/nixpkgs/pkgs/os-specific/linux/cryptsetup/disable-failing-tests.patch
new file mode 100644
index 000000000000..1504bf3e1511
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cryptsetup/disable-failing-tests.patch
@@ -0,0 +1,19 @@
+diff -ur a/tests/blockwise-compat b/tests/blockwise-compat
+--- a/tests/blockwise-compat	2018-09-08 12:23:11.706555098 +0200
++++ b/tests/blockwise-compat	2018-09-08 12:24:24.444393460 +0200
+@@ -148,15 +148,11 @@
+ 	# device/file fn_name length
+ 	RUN "P" $1 read_buffer $BSIZE
+ 	RUN "P" $1 read_buffer $((2*BSIZE))
+-	RUN "F" $1 read_buffer $((BSIZE-1))
+-	RUN "F" $1 read_buffer $((BSIZE+1))
+ 	RUN "P" $1 read_buffer 0
+ 
+ 	RUN "P" $1 write_buffer $BSIZE
+ 	RUN "P" $1 write_buffer $((2*BSIZE))
+ 
+-	RUN "F" $1 write_buffer $((BSIZE-1))
+-	RUN "F" $1 write_buffer $((BSIZE+1))
+ 	RUN "F" $1 write_buffer 0
+ 
+ 	# basic blockwise functions
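Review bot: This patch has no header explaining why the four cases are dropped, and all four are expected-failure (`"F"`) cases for lengths that are not a multiple of `$BSIZE` (`BSIZE-1`, `BSIZE+1`) on `read_buffer` and `write_buffer`. default.nix only says they "fail in a sandbox". Presumably they depend on the O_DIRECT behaviour that `postPatch` also strips from `tests/unit-utils-io.c`, but that is not stated anywhere. A short description at the top of the patch file, naming the cause and pointing at the discussion cited in default.nix (#46151), would let a later version bump re-check whether these negative tests can be restored. The enclosing shell function starts and ends outside the hunk.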
diff --git a/nixpkgs/pkgs/os-specific/linux/cshatag/default.nix b/nixpkgs/pkgs/os-specific/linux/cshatag/default.nix
new file mode 100644
index 000000000000..dc210b017a68
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/cshatag/default.nix
@@ -0,0 +1,29 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "cshatag";
+  version = "2.0";
+
+  src = fetchFromGitHub {
+    owner = "rfjakob";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-jSRMNLS+JnA3coZf9zkOL/buxZubhbftXnxDJx0nwuU=";
+  };
+
+  vendorSha256 = "sha256-BX7jbYhs3+yeOUvPvz08aV2p14bXNGTag4QYkCHr5DQ=";
+
+  ldflags = [ "-s" "-w" ];
+
+  postInstall = ''
+    # Install man page
+    install -D -m755 -t $out/share/man/man1/ cshatag.1
+  '';
+
+  meta = with lib; {
+    description = "A tool to detect silent data corruption";
+    homepage = "https://github.com/rfjakob/cshatag";
+    license = licenses.mit;
+    platforms = platforms.linux;
+  };
+}
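Review bot: `postInstall` installs the man page with mode 755; a manual page is data and should not be executable. Use `install -D -m644 -t $out/share/man/man1/ cshatag.1`, or `installManPage cshatag.1` with `installShellFiles` added to `nativeBuildInputs`. `meta` also lacks a `maintainers` attribute.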
diff --git a/nixpkgs/pkgs/os-specific/linux/dbus-broker/default.nix b/nixpkgs/pkgs/os-specific/linux/dbus-broker/default.nix
new file mode 100644
index 000000000000..b7e0a6b61586
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dbus-broker/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchFromGitHub, docutils, meson, ninja, pkg-config
+, dbus, linuxHeaders, systemd }:
+
+stdenv.mkDerivation rec {
+  pname = "dbus-broker";
+  version = "29";
+
+  src = fetchFromGitHub {
+    owner  = "bus1";
+    repo   = "dbus-broker";
+    rev    = "v${version}";
+    sha256 = "1abbi8c0mgdqjidlp2wnmy0a88xv173hq88sh5m966c5r1h6alkq";
+    fetchSubmodules = true;
+  };
+
+  nativeBuildInputs = [ docutils meson ninja pkg-config ];
+
+  buildInputs = [ dbus linuxHeaders systemd ];
+
+  mesonFlags = [ "-D=system-console-users=gdm,sddm,lightdm" ];
+
+  PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
+  PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "${placeholder "out"}/lib/systemd/user";
+  PKG_CONFIG_SYSTEMD_CATALOGDIR = "${placeholder "out"}/lib/systemd/catalog";
+
+  postInstall = ''
+    install -Dm644 $src/README.md $out/share/doc/dbus-broker/README
+
+    sed -i $out/lib/systemd/{system,user}/dbus-broker.service \
+      -e 's,^ExecReload.*busctl,ExecReload=${systemd}/bin/busctl,'
+  '';
+
+  doCheck = true;
+
+  meta = with lib; {
+    description = "Linux D-Bus Message Broker";
+    homepage    = "https://github.com/bus1/dbus-broker/wiki";
+    license     = licenses.asl20;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ peterhoeg ];
+  };
+}
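Review bot: `mesonFlags = [ "-D=system-console-users=gdm,sddm,lightdm" ]` puts an `=` directly after `-D`, which is not the documented `-Doption=value` form and seems to work only because the argument parser tolerates it. Write it as `mesonFlags = [ "-Dsystem-console-users=gdm,sddm,lightdm" ];`. As far as I know this option names the system users that the broker treats as console users for bus policy. If so, a comment should say so and explain why these three display-manager accounts are listed, e.g. `# accounts granted at-console policy; keep in sync with the display managers NixOS ships`.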
diff --git a/nixpkgs/pkgs/os-specific/linux/ddcci/default.nix b/nixpkgs/pkgs/os-specific/linux/ddcci/default.nix
new file mode 100644
index 000000000000..fe16d283ffc8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ddcci/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenv, fetchFromGitLab, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "ddcci-driver";
+  version = "0.4.2";
+  name = "${pname}-${kernel.version}-${version}";
+
+  src = fetchFromGitLab {
+    owner = "${pname}-linux";
+    repo = "${pname}-linux";
+    rev = "v${version}";
+    sha256 = "sSmL8PqxqHHQiume62si/Kc9El58/b4wkB93iG0dnNM=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  prePatch = ''
+    substituteInPlace ./ddcci/Makefile \
+      --replace '"$(src)"' '$(PWD)' \
+      --replace depmod \#
+    substituteInPlace ./ddcci-backlight/Makefile \
+      --replace '"$(src)"' '$(PWD)' \
+      --replace depmod \#
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "KVER=${kernel.modDirVersion}"
+    "KERNEL_MODLIB=$(out)/lib/modules/${kernel.modDirVersion}"
+    "INCLUDEDIR=$(out)/include"
+  ];
+
+  meta = with lib; {
+    description = "Kernel module driver for DDC/CI monitors";
+    homepage = "https://gitlab.com/ddcci-driver-linux/ddcci-driver-linux";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.1";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dddvb/default.nix b/nixpkgs/pkgs/os-specific/linux/dddvb/default.nix
new file mode 100644
index 000000000000..ea69ecd7513c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dddvb/default.nix
@@ -0,0 +1,48 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, kernel
+}:
+
+stdenv.mkDerivation rec {
+  pname = "dddvb";
+  version = "0.9.38-pre.6";
+
+  src = fetchFromGitHub {
+    owner = "DigitalDevices";
+    repo = "dddvb";
+    rev = "refs/tags/${version}";
+    hash = "sha256-bt/vMnqRWDDChZ6R4JbCr77cz3nlSPkx6siC9KLSEqs=";
+  };
+
+  patches = [
+    (fetchpatch {
+      # pci_*_dma_mask no longer exists in 5.18
+      url = "https://github.com/DigitalDevices/dddvb/commit/871821d6a0be147313bb52570591ce3853b3d370.patch";
+      hash = "sha256-wY05HrsduvsIdp/KpS9NWfL3hR9IvGjuNCDljFn7dd0=";
+    })
+  ];
+
+  postPatch = ''
+    sed -i '/depmod/d' Makefile
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  INSTALL_MOD_PATH = placeholder "out";
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/DigitalDevices/dddvb";
+    description = "ddbridge linux driver";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ hexa ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/device-tree/default.nix b/nixpkgs/pkgs/os-specific/linux/device-tree/default.nix
new file mode 100644
index 000000000000..88791a1fb1d4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/device-tree/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenvNoCC, dtc }:
+
+with lib; {
+  applyOverlays = (base: overlays': stdenvNoCC.mkDerivation {
+    name = "device-tree-overlays";
+    nativeBuildInputs = [ dtc ];
+    buildCommand = let
+      overlays = toList overlays';
+    in ''
+      mkdir -p $out
+      cd ${base}
+      find . -type f -name '*.dtb' -print0 \
+        | xargs -0 cp -v --no-preserve=mode --target-directory $out --parents
+
+      for dtb in $(find $out -type f -name '*.dtb'); do
+        dtbCompat="$( fdtget -t s $dtb / compatible )"
+
+        ${flip (concatMapStringsSep "\n") overlays (o: ''
+        overlayCompat="$( fdtget -t s ${o.dtboFile} / compatible )"
+        # overlayCompat in dtbCompat
+        if [[ "$dtbCompat" =~ "$overlayCompat" ]]; then
+          echo "Applying overlay ${o.name} to $( basename $dtb )"
+          mv $dtb{,.in}
+          fdtoverlay -o "$dtb" -i "$dtb.in" ${o.dtboFile};
+          rm $dtb.in
+        fi
+        '')}
+
+      done
+    '';
+  });
+}
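Review bot: The overlay loop iterates with `for dtb in $(find $out ...)` and then uses `$dtb` unquoted in `fdtget`, `basename`, `mv` and `rm`, so a DTB path containing whitespace or glob characters is split or expanded. The copy step just above is careful to use `-print0 | xargs -0`. Quote the uses (`fdtget -t s "$dtb" / compatible`, `mv "$dtb" "$dtb.in"`, `rm "$dtb.in"`) or read the list NUL-delimited. Note also that `[[ "$dtbCompat" =~ "$overlayCompat" ]]` is a plain substring test because the right-hand side is quoted, so an empty `overlayCompat` would match every DTB. A guard such as `[[ -n "$overlayCompat" ]]` before the match would make that case explicit.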
diff --git a/nixpkgs/pkgs/os-specific/linux/device-tree/raspberrypi.nix b/nixpkgs/pkgs/os-specific/linux/device-tree/raspberrypi.nix
new file mode 100644
index 000000000000..d9ccb70f1f03
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/device-tree/raspberrypi.nix
@@ -0,0 +1,38 @@
+{ lib, stdenvNoCC, raspberrypifw }:
+
+stdenvNoCC.mkDerivation {
+  pname = "raspberrypi-dtbs";
+  version = raspberrypifw.version;
+  nativeBuildInputs = [ raspberrypifw ];
+
+  # Rename DTBs so u-boot finds them, like linux-rpi.nix
+  buildCommand = ''
+    mkdir -p $out/broadcom/
+    cd $out/broadcom/
+
+    cp ${raspberrypifw}/share/raspberrypi/boot/bcm*.dtb .
+
+    cp bcm2708-rpi-zero-w.dtb bcm2835-rpi-zero-w.dtb
+    cp bcm2708-rpi-b.dtb bcm2835-rpi-a.dtb
+    cp bcm2708-rpi-b.dtb bcm2835-rpi-b.dtb
+    cp bcm2708-rpi-b.dtb bcm2835-rpi-b-rev2.dtb
+    cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-a-plus
+    cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-b-plus
+    cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-zero.dtb
+    cp bcm2708-rpi-cm.dtb bcm2835-rpi-cm.dtb
+    cp bcm2709-rpi-2-b.dtb bcm2836-rpi-2-b.dtb
+    cp bcm2710-rpi-3-b.dtb bcm2837-rpi-3-b.dtb
+    cp bcm2710-rpi-3-b-plus.dtb bcm2837-rpi-3-b-plus.dtb
+    cp bcm2710-rpi-cm3.dtb bcm2837-rpi-cm3.dtb
+    cp bcm2711-rpi-4-b.dtb bcm2838-rpi-4-b.dtb
+  '';
+
+  passthru = {
+    # Compatible overlays that may be used
+    overlays = "${raspberrypifw}/share/raspberrypi/boot/overlays";
+  };
+  meta = with lib; {
+    inherit (raspberrypifw.meta) homepage license;
+    description = "DTBs for the Raspberry Pi";
+  };
+}
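Review bot: Two copy targets in `buildCommand` are missing the `.dtb` suffix: `cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-a-plus` and `cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-b-plus`. Every other line produces a `*.dtb` name, and the comment says the renames exist so that u-boot finds the files, so these two are presumably never matched. They should read `cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-a-plus.dtb` and `cp bcm2708-rpi-b-plus.dtb bcm2835-rpi-b-plus.dtb`.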
diff --git a/nixpkgs/pkgs/os-specific/linux/devmem2/default.nix b/nixpkgs/pkgs/os-specific/linux/devmem2/default.nix
new file mode 100644
index 000000000000..fbf47204b3e6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/devmem2/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation {
+  pname = "devmem2";
+  version = "unstable-2004-08-05";
+
+  src = fetchurl {
+    urls = [
+      "http://lartmaker.nl/lartware/port/devmem2.c"
+      "https://raw.githubusercontent.com/hackndev/tools/7ed212230f8fbb1da3424a15ee88de3279bf96ec/devmem2.c"
+    ];
+    sha256 = "14f1k7v6i1yaxg4xcaaf5i4aqn0yabba857zjnbg9wiymy82qf7c";
+  };
+
+  hardeningDisable = [ "format" ];  # fix compile error
+
+  buildCommand = ''
+    $CC "$src" -o devmem2
+    install -D devmem2 "$out/bin/devmem2"
+  '';
+
+  meta = with lib; {
+    description = "Simple program to read/write from/to any location in memory";
+    homepage = "http://lartmaker.nl/lartware/port/";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ bjornfor ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/digimend/default.nix b/nixpkgs/pkgs/os-specific/linux/digimend/default.nix
new file mode 100644
index 000000000000..70fc58232ab4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/digimend/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "digimend";
+  version = "10";
+
+  src = fetchFromGitHub {
+    owner = "digimend";
+    repo = "digimend-kernel-drivers";
+    rev = "v${version}";
+    sha256 = "0lifd6cx6aa6hcms4zn4hlla3alra08r0svj5x1l8nlsv0ydnl6i";
+  };
+
+  postPatch = ''
+    sed 's/udevadm /true /' -i Makefile
+    sed 's/depmod /true /' -i Makefile
+  '';
+
+  # Fix build on Linux kernel >= 5.18
+  NIX_CFLAGS_COMPILE = [ "-Wno-error=implicit-fallthrough" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  postInstall = ''
+    # Remove module reload hack.
+    # The hid-rebind unloads and then reloads the hid-* module to ensure that
+    # the extra/ module is loaded.
+    rm -r $out/lib/udev
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "KVERSION=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "DESTDIR=${placeholder "out"}"
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  meta = with lib; {
+    description = "DIGImend graphics tablet drivers for the Linux kernel";
+    homepage = "https://digimend.github.io/";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ gebner ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/directvnc/default.nix b/nixpkgs/pkgs/os-specific/linux/directvnc/default.nix
new file mode 100644
index 000000000000..78ccb6772571
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/directvnc/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, pkg-config, directfb, zlib, libjpeg, xorgproto }:
+
+stdenv.mkDerivation {
+  pname = "directvnc";
+  version = "0.7.7.2015-04-16";
+
+  src = fetchFromGitHub {
+    owner = "drinkmilk";
+    repo = "directvnc";
+    rev = "d336f586c5865da68873960092b7b5fbc9f8617a";
+    sha256 = "16x7mr7x728qw7nbi6rqhrwsy73zsbpiz8pbgfzfl2aqhfdiz88b";
+  };
+
+  patches = [
+    # Pull fix pending upstream inclusion for -fno-common toolchain
+    # support:
+    #   https://github.com/drinkmilk/directvnc/pull/7
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/drinkmilk/directvnc/commit/e9c23d049bcf31d0097348d44391fe5fd9aad12b.patch";
+      sha256 = "1dnzr0dnx20w80r73j4a9n6mhbazjzlr5ps9xjj898924cg140zx";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  buildInputs = [ directfb zlib libjpeg xorgproto ];
+
+  meta = with lib; {
+    description = "DirectFB VNC client";
+    homepage = "http://drinkmilk.github.io/directvnc/";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.raskin ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/disk-indicator/default.nix b/nixpkgs/pkgs/os-specific/linux/disk-indicator/default.nix
new file mode 100644
index 000000000000..f5c7f3bc774e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/disk-indicator/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub, libX11 }:
+
+stdenv.mkDerivation {
+  pname = "disk-indicator";
+  version = "unstable-2018-12-18";
+
+  src = fetchFromGitHub {
+    owner = "MeanEYE";
+    repo = "Disk-Indicator";
+    rev = "ec2d2f6833f038f07a72d15e2d52625c23e10b12";
+    sha256 = "sha256-cRqgIxF6H1WyJs5hhaAXVdWAlv6t22BZLp3p/qRlCSM=";
+  };
+
+  buildInputs = [ libX11 ];
+
+  postPatch = ''
+    # avoid -Werror
+    substituteInPlace Makefile --replace "-Werror" ""
+    # avoid host-specific options
+    substituteInPlace Makefile --replace "-march=native" ""
+  '';
+
+  postConfigure = ''
+    patchShebangs ./configure.sh
+    ./configure.sh --all
+  '';
+
+  makeFlags = [
+    "COMPILER=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p "$out/bin"
+    cp ./disk_indicator "$out/bin/"
+
+    runHook postInstall
+  '';
+
+  meta = {
+    homepage = "https://github.com/MeanEYE/Disk-Indicator";
+    description = "A program that will turn a LED into a hard disk indicator";
+    longDescription = ''
+      Small program for Linux that will turn your Scroll, Caps or Num Lock LED
+      or LED on your ThinkPad laptop into a hard disk activity indicator.
+    '';
+    license = lib.licenses.gpl3;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/displaylink/99-displaylink.rules b/nixpkgs/pkgs/os-specific/linux/displaylink/99-displaylink.rules
new file mode 100644
index 000000000000..ceeb658a415a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/displaylink/99-displaylink.rules
@@ -0,0 +1 @@
+ACTION=="add", SUBSYSTEM=="usb", DRIVERS=="usb", ATTRS{idVendor}=="17e9", ATTR{bInterfaceClass}=="ff", ATTR{bInterfaceProtocol}=="03", TAG+="systemd", ENV{SYSTEMD_WANTS}="dlm.service"
diff --git a/nixpkgs/pkgs/os-specific/linux/displaylink/default.nix b/nixpkgs/pkgs/os-specific/linux/displaylink/default.nix
new file mode 100644
index 000000000000..d920e44d425a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/displaylink/default.nix
@@ -0,0 +1,78 @@
+{ stdenv
+, lib
+, unzip
+, util-linux
+, libusb1
+, evdi
+, systemd
+, makeWrapper
+, requireFile
+, substituteAll
+}:
+let
+  arch =
+    if stdenv.hostPlatform.system == "x86_64-linux" then "x64"
+    else if stdenv.hostPlatform.system == "i686-linux" then "x86"
+    else throw "Unsupported architecture";
+  bins = "${arch}-ubuntu-1604";
+  libPath = lib.makeLibraryPath [ stdenv.cc.cc util-linux libusb1 evdi ];
+
+in
+stdenv.mkDerivation rec {
+  pname = "displaylink";
+  version = "5.6.0-59.176";
+
+  src = requireFile rec {
+    name = "displaylink-56.zip";
+    sha256 = "1v9s4ksr4mnl629n24si14g762b7knr00sqacz60mxcmy4mch5fa";
+    message = ''
+      In order to install the DisplayLink drivers, you must first
+      comply with DisplayLink's EULA and download the binaries and
+      sources from here:
+
+      https://www.synaptics.com/products/displaylink-graphics/downloads/ubuntu-5.6
+
+      Once you have downloaded the file, please use the following
+      commands and re-run the installation:
+
+      mv \$PWD/"DisplayLink USB Graphics Software for Ubuntu5.6-EXE.zip" \$PWD/${name}
+      nix-prefetch-url file://\$PWD/${name}
+    '';
+  };
+
+  nativeBuildInputs = [ unzip makeWrapper ];
+
+  unpackPhase = ''
+    unzip $src
+    chmod +x displaylink-driver-${version}.run
+    ./displaylink-driver-${version}.run --target . --noexec --nodiskspace
+  '';
+
+  installPhase = ''
+    install -Dt $out/lib/displaylink *.spkg
+    install -Dm755 ${bins}/DisplayLinkManager $out/bin/DisplayLinkManager
+    mkdir -p $out/lib/udev/rules.d $out/share
+    cp ${./99-displaylink.rules} $out/lib/udev/rules.d/99-displaylink.rules
+    patchelf \
+      --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
+      --set-rpath ${libPath} \
+      $out/bin/DisplayLinkManager
+    wrapProgram $out/bin/DisplayLinkManager \
+      --chdir "$out/lib/displaylink"
+
+    # We introduce a dependency on the source file so that it need not be redownloaded everytime
+    echo $src >> "$out/share/workspace_dependencies.pin"
+  '';
+
+  dontStrip = true;
+  dontPatchELF = true;
+
+
+  meta = with lib; {
+    description = "DisplayLink DL-5xxx, DL-41xx and DL-3x00 Driver for Linux";
+    maintainers = with maintainers; [ abbradar peterhoeg eyjhb ];
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    license = licenses.unfree;
+    homepage = "https://www.displaylink.com/";
+  };
+}
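Review bot: `systemd` and `substituteAll` are taken as function arguments but never referenced in the derivation; drop them so the argument list reflects the real inputs. Separately, `unpackPhase` executes the vendor's self-extracting `.run` file from a proprietary archive. A comment such as `# --noexec: unpack only, do not run the embedded installer script` would make clear that only extraction happens during the build. The `patchelf` arguments would also be safer quoted: `--set-interpreter "$(cat ${stdenv.cc}/nix-support/dynamic-linker)"` and `--set-rpath "${libPath}"`.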
diff --git a/nixpkgs/pkgs/os-specific/linux/dlm/default.nix b/nixpkgs/pkgs/os-specific/linux/dlm/default.nix
new file mode 100644
index 000000000000..3b6f4773a29c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dlm/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromSourcehut
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "dlm";
+  version = "2020-01-07";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = "6b0e11c4f453b1a4d7a32019227539a980b7ce66";
+    sha256 = "1r3w7my0g3v2ya317qnvjx8wnagjahpj7yx72a65hf2pjbf5x42p";
+  };
+
+  cargoSha256 = "01a8k60qnx2pgxb2adgw30c2hjb60w6230khm5hyqgmp7z4rm8k8";
+
+  meta = with lib; {
+    description = "A stupid simple graphical login manager";
+    homepage = "https://git.sr.ht/~kennylevinsen/dlm";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dmidecode/default.nix b/nixpkgs/pkgs/os-specific/linux/dmidecode/default.nix
new file mode 100644
index 000000000000..a8c263144208
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmidecode/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "dmidecode";
+  version = "3.4";
+
+  src = fetchurl {
+    url = "mirror://savannah/dmidecode/dmidecode-${version}.tar.xz";
+    sha256 = "sha256-Q8uoUdhGfJl5zNvqsZLrZjjH06aX66Xdt3naiDdUIhI=";
+  };
+
+  makeFlags = [
+    "prefix=$(out)"
+    "CC=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  meta = with lib; {
+    homepage = "https://www.nongnu.org/dmidecode/";
+    description = "A tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ delroth ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dmraid/default.nix b/nixpkgs/pkgs/os-specific/linux/dmraid/default.nix
new file mode 100644
index 000000000000..fa26f38941b9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmraid/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenv, fetchurl, fetchpatch, lvm2 }:
+
+stdenv.mkDerivation rec {
+  pname = "dmraid";
+  version = "1.0.0.rc16";
+
+  src = fetchurl {
+    url = "https://people.redhat.com/~heinzm/sw/dmraid/src/old/dmraid-${version}.tar.bz2";
+    sha256 = "0m92971gyqp61darxbiri6a48jz3wq3gkp8r2k39320z0i6w8jgq";
+  };
+
+  patches = [ ./hardening-format.patch ]
+    ++ lib.optionals stdenv.hostPlatform.isMusl [
+      (fetchpatch {
+        url = "https://raw.githubusercontent.com/void-linux/void-packages/fceed4b8e96b3c1da07babf6f67b6ed1588a28b2/srcpkgs/dmraid/patches/006-musl-libc.patch";
+        sha256 = "1j8xda0fpz8lxjxnqdidy7qb866qrzwpbca56yjdg6vf4x21hx6w";
+        stripLen = 2;
+        extraPrefix = "1.0.0.rc16/";
+      })
+      (fetchpatch {
+        url = "https://raw.githubusercontent.com/void-linux/void-packages/fceed4b8e96b3c1da07babf6f67b6ed1588a28b2/srcpkgs/dmraid/patches/007-fix-loff_t-musl.patch";
+        sha256 = "0msnq39qnzg3b1pdksnz1dgqwa3ak03g41pqh0lw3h7w5rjc016k";
+        stripLen = 2;
+        extraPrefix = "1.0.0.rc16/";
+      })
+    ];
+
+  postPatch = ''
+    sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in
+  '' + lib.optionalString stdenv.hostPlatform.isMusl ''
+    NIX_CFLAGS_COMPILE+=" -D_GNU_SOURCE"
+  '';
+
+  preConfigure = "cd */";
+
+  buildInputs = [ lvm2 ];
+
+  # Hand-written Makefile does not have full dependencies to survive
+  # parallel build:
+  #   tools/dmraid.c:12:10: fatal error: dmraid/dmraid.h: No such file
+  enableParallelBuilding = false;
+
+  meta = {
+    description = "Old-style RAID configuration utility";
+    longDescription = ''
+      Old RAID configuration utility (still under development, though).
+      It is fully compatible with modern kernels and mdadm recognizes
+      its volumes. May be needed for rescuing an older system or nuking
+      the metadata when reformatting.
+    '';
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dmraid/hardening-format.patch b/nixpkgs/pkgs/os-specific/linux/dmraid/hardening-format.patch
new file mode 100644
index 000000000000..f91a7fb18aa0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmraid/hardening-format.patch
@@ -0,0 +1,18 @@
+--- a/1.0.0.rc16/lib/events/libdmraid-events-isw.c	2016-01-29 05:16:57.455425454 +0000
++++ b/1.0.0.rc16/lib/events/libdmraid-events-isw.c	2016-01-29 05:17:55.520564013 +0000
+@@ -838,13 +838,13 @@
+ 
+ 	sz = _log_all_devs(log_type, rs, NULL, 0);
+ 	if (!sz) {
+-		syslog(LOG_ERR, msg[0]);
++		syslog(LOG_ERR, "%s", msg[0]);
+ 		return;
+ 	}
+ 
+ 	str = dm_malloc(++sz);
+ 	if (!str) {
+-		syslog(LOG_ERR, msg[1]);
++		syslog(LOG_ERR, "%s", msg[1]);
+ 		return;
+ 	}
+ 
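Review bot: The patch file has no header saying why it exists or whether it was sent upstream, so a later maintainer cannot tell it is a format-string hardening fix rather than a cosmetic change. I would add a short description above the `---` line, for example `Pass msg[] to syslog() as an argument instead of as the format string (required by -Werror=format-security).` Only the two calls in this hunk are visible and the enclosing function starts and ends outside it, so it is worth confirming that no other `syslog()` call in libdmraid-events-isw.c still takes a non-literal format.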
diff --git a/nixpkgs/pkgs/os-specific/linux/dmtcp/default.nix b/nixpkgs/pkgs/os-specific/linux/dmtcp/default.nix
new file mode 100644
index 000000000000..6315d361ed68
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmtcp/default.nix
@@ -0,0 +1,48 @@
+{ lib, stdenv, fetchFromGitHub, bash, perl, python3 }:
+
+stdenv.mkDerivation rec {
+  pname = "dmtcp";
+  version = "unstable-2022-02-28";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "133687764c6742906006a1d247e3b83cd860fa1d";
+    hash = "sha256-9Vr8IhoeATCfyt7Lp7kYe/7e87mFX9KMNGTqxJgIztE=";
+  };
+
+  dontDisableStatic = true;
+
+  patches = [ ./ld-linux-so-buffer-size.patch ];
+
+  postPatch = ''
+    patchShebangs .
+
+    substituteInPlace configure \
+      --replace '#define ELF_INTERPRETER "$interp"' \
+                "#define ELF_INTERPRETER \"$(cat $NIX_CC/nix-support/dynamic-linker)\""
+    substituteInPlace src/restartscript.cpp \
+      --replace /bin/bash ${stdenv.shell}
+    substituteInPlace util/dmtcp_restart_wrapper.sh \
+      --replace /bin/bash ${stdenv.shell}
+    substituteInPlace test/autotest.py \
+      --replace /bin/bash ${bash}/bin/bash \
+      --replace /usr/bin/perl ${perl}/bin/perl \
+      --replace /usr/bin/python ${python3.interpreter} \
+      --replace "os.environ['USER']" "\"nixbld1\"" \
+      --replace "os.getenv('USER')" "\"nixbld1\""
+  '';
+
+  meta = with lib; {
+    description = "Distributed MultiThreaded Checkpointing";
+    longDescription = ''
+      DMTCP (Distributed MultiThreaded Checkpointing) is a tool to
+      transparently checkpointing the state of an arbitrary group of
+      programs spread across many machines and connected by sockets. It does
+      not modify the user's program or the operating system.
+    '';
+    homepage = "http://dmtcp.sourceforge.net/";
+    license = licenses.lgpl3Plus; # most files seem this or LGPL-2.1+
+    platforms = intersectLists platforms.linux platforms.x86; # broken on ARM and Darwin
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch b/nixpkgs/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
new file mode 100644
index 000000000000..118e52b8e626
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
@@ -0,0 +1,13 @@
+diff --git a/src/util_exec.cpp b/src/util_exec.cpp
+index 0e8a13c1..0cc99c1e 100644
+--- a/src/util_exec.cpp
++++ b/src/util_exec.cpp
+@@ -300,7 +300,7 @@ Util::elfType(const char *pathname, bool *isElf, bool *is32bitElf)
+ static string
+ ld_linux_so_path(int version, bool is32bitElf = false)
+ {
+-  char buf[80];
++  char buf[128];
+ 
+ #if (defined(__x86_64__) || defined(__aarch64__)) && !defined(CONFIG_M32)
+   if (is32bitElf) {
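Review bot: `char buf[128];` in `ld_linux_so_path` replaces one guessed size with another, and a loader path under a longer store prefix would hit the same limit again. The code that fills `buf` is outside this hunk, so I cannot tell whether the write is bounded; if it is an unbounded copy or format, an over-long path overruns a stack buffer. I would size it from the platform limit, `char buf[PATH_MAX];`, and check that the write into it is length-checked. The patch should also carry a one-line description of why the buffer was enlarged.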
diff --git a/nixpkgs/pkgs/os-specific/linux/dpdk-kmods/default.nix b/nixpkgs/pkgs/os-specific/linux/dpdk-kmods/default.nix
new file mode 100644
index 000000000000..cdd643a40b66
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dpdk-kmods/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchzip, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "dpdk-kmods";
+  version = "2021-04-21";
+
+  src = fetchzip {
+    url = "https://git.dpdk.org/dpdk-kmods/snapshot/dpdk-kmods-e13d7af77a1bf98757f85c3c4083f6ee6d0d2372.tar.xz";
+    sha256 = "sha256-8ysWT3X3rIyUAo4/QbkX7cQq5iFeU18/BPsmmWugcIc=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+  KSRC = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preBuild = "cd linux/igb_uio";
+
+  installPhase = ''
+    make -C ${KSRC} M=$(pwd) modules_install $makeFlags
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Kernel modules for DPDK";
+    homepage = "https://git.dpdk.org/dpdk-kmods/";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.mic92 ];
+    platforms = platforms.linux;
+    broken = kernel.kernelAtLeast "5.18";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dpdk/default.nix b/nixpkgs/pkgs/os-specific/linux/dpdk/default.nix
new file mode 100644
index 000000000000..d9f446f7a2dc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dpdk/default.nix
@@ -0,0 +1,96 @@
+{ stdenv, lib
+, kernel
+, fetchurl
+, pkg-config, meson, ninja, makeWrapper
+, libbsd, numactl, libbpf, zlib, libelf, jansson, openssl, libpcap, rdma-core
+, doxygen, python3, pciutils
+, withExamples ? []
+, shared ? false }:
+
+let
+  mod = kernel != null;
+  dpdkVersion = "22.03";
+in stdenv.mkDerivation rec {
+  pname = "dpdk";
+  version = "${dpdkVersion}" + lib.optionalString mod "-${kernel.version}";
+
+  src = fetchurl {
+    url = "https://fast.dpdk.org/rel/dpdk-${dpdkVersion}.tar.xz";
+    sha256 = "sha256-st5fCLzVcz+Q1NfmwDJRWQja2PyNJnrGolNELZuDp8U=";
+  };
+
+  nativeBuildInputs = [
+    makeWrapper
+    doxygen
+    meson
+    ninja
+    pkg-config
+    python3
+    python3.pkgs.sphinx
+    python3.pkgs.pyelftools
+  ];
+  buildInputs = [
+    jansson
+    libbpf
+    libelf
+    libpcap
+    numactl
+    openssl.dev
+    zlib
+    python3
+  ] ++ lib.optionals mod kernel.moduleBuildDependencies;
+
+  propagatedBuildInputs = [
+    # Propagated to support current DPDK users in nixpkgs which statically link
+    # with the framework (e.g. odp-dpdk).
+    rdma-core
+    # Requested by pkg-config.
+    libbsd
+  ];
+
+  postPatch = ''
+    patchShebangs config/arm buildtools
+  '' + lib.optionalString mod ''
+    # kernel_install_dir is hardcoded to `/lib/modules`; patch that.
+    sed -i "s,kernel_install_dir *= *['\"].*,kernel_install_dir = '$kmod/lib/modules/${kernel.modDirVersion}'," kernel/linux/meson.build
+  '';
+
+  mesonFlags = [
+    "-Dtests=false"
+    "-Denable_docs=true"
+    "-Denable_kmods=${lib.boolToString mod}"
+  ]
+  # kni kernel driver is currently not compatble with 5.11
+  ++ lib.optional (mod && kernel.kernelOlder "5.11") "-Ddisable_drivers=kni"
+  ++ lib.optional (!shared) "-Ddefault_library=static"
+  ++ lib.optional stdenv.isx86_64 "-Dmachine=nehalem"
+  ++ lib.optional stdenv.isAarch64 "-Dmachine=generic"
+  ++ lib.optional mod "-Dkernel_dir=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ++ lib.optional (withExamples != []) "-Dexamples=${builtins.concatStringsSep "," withExamples}";
+
+  postInstall = ''
+    # Remove Sphinx cache files. Not only are they not useful, but they also
+    # contain store paths causing spurious dependencies.
+    rm -rf $out/share/doc/dpdk/html/.doctrees
+
+    wrapProgram $out/bin/dpdk-devbind.py \
+      --prefix PATH : "${lib.makeBinPath [ pciutils ]}"
+  '' + lib.optionalString (withExamples != []) ''
+    mkdir -p $examples/bin
+    find examples -type f -executable -exec install {} $examples/bin \;
+  '';
+
+  outputs =
+    [ "out" "doc" ]
+    ++ lib.optional mod "kmod"
+    ++ lib.optional (withExamples != []) "examples";
+
+  meta = with lib; {
+    description = "Set of libraries and drivers for fast packet processing";
+    homepage = "http://dpdk.org/";
+    license = with licenses; [ lgpl21 gpl2 bsd2 ];
+    platforms =  platforms.linux;
+    maintainers = with maintainers; [ magenbluten orivej mic92 zhaofengli ];
+    broken = mod && kernel.kernelAtLeast "5.18";
+  };
+}
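Review bot: The comment above the `kni` flag in `mesonFlags` says the driver is not compatible with 5.11, but the condition `kernel.kernelOlder "5.11"` disables it only for kernels older than 5.11 and leaves it enabled on 5.11 and later. If the comment is right, the guard looks inverted and should presumably read `++ lib.optional (mod && kernel.kernelAtLeast "5.11") "-Ddisable_drivers=kni"`. If the condition is right, the comment should instead name the kernels that lack support. Please confirm against a module build on both sides of 5.11. The comment also has a typo (`compatble`).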
diff --git a/nixpkgs/pkgs/os-specific/linux/drbd/default.nix b/nixpkgs/pkgs/os-specific/linux/drbd/default.nix
new file mode 100644
index 000000000000..0c5acd0ac064
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/drbd/default.nix
@@ -0,0 +1,128 @@
+{ lib
+, stdenv
+, docbook_xml_dtd_44
+, docbook_xml_dtd_45
+, docbook_xsl
+, asciidoctor
+, fetchurl
+, flex
+, kmod
+, libxslt
+, nixosTests
+, perl
+, systemd
+
+# drbd-utils are compiled twice, once with forOCF = true to extract
+# its OCF definitions for use in the ocf-resource-agents derivation,
+# then again with forOCF = false, where the ocf-resource-agents is
+# provided as the OCF_ROOT.
+, forOCF ? false
+, ocf-resource-agents
+}:
+
+stdenv.mkDerivation rec {
+  pname = "drbd";
+  version = "9.19.1";
+
+  src = fetchurl {
+    url = "https://pkg.linbit.com/downloads/drbd/utils/${pname}-utils-${version}.tar.gz";
+    sha256 = "1l99kcrb0j85wxxmrdihpx9bk1a4sdi7wlp5m1x5l24k8ck1m5cf";
+  };
+
+  nativeBuildInputs = [
+    flex
+    libxslt
+    docbook_xsl
+    asciidoctor
+  ];
+
+  buildInputs = [
+    perl
+    # perlPackages.Po4a used by ja documentation
+  ];
+
+  configureFlags = [
+    "--libdir=${placeholder "out"}/lib"
+    "--sbindir=${placeholder "out"}/bin"
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "--without-distro"
+  ];
+
+  makeFlags = [
+    "SOURCE_DATE_EPOCH=1"
+    "WANT_DRBD_REPRODUCIBLE_BUILD=1"
+  ] ++ lib.optional (!forOCF) "OCF_ROOT=${ocf-resource-agents}/usr/lib/ocf}";
+
+  installFlags = [
+    "prefix="
+    "DESTDIR=${placeholder "out"}"
+    "localstatedir=/var"
+    "DRBD_LIB_DIR=/var/lib"
+    "INITDIR=/etc/init.d"
+    "udevrulesdir=/etc/udev/rules.d"
+    "sysconfdir=/etc"
+    "sbindir=/bin"
+    "datadir="
+    "LIBDIR=/lib/drbd"
+    "mandir=/share/man"
+  ];
+
+  postPatch = ''
+    patchShebangs .
+    substituteInPlace user/v84/drbdadm_usage_cnt.c \
+      --replace '"/lib/drbd");' \
+                '"${placeholder "out"}/lib/drbd");'
+    substituteInPlace user/v9/drbdsetup_linux.c \
+      --replace 'ret = system("/sbin/modprobe drbd");' \
+                'ret = system("${kmod}/bin/modprobe drbd");'
+    substituteInPlace user/v84/drbdsetup.c \
+      --replace 'system("/sbin/modprobe drbd")' \
+                'system("${kmod}/bin/modprobe drbd")'
+    substituteInPlace documentation/ra2refentry.xsl \
+      --replace "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" \
+                "${docbook_xml_dtd_44}/xml/dtd/docbook/docbookx.dtd"
+    function patch_docbook45() {
+      substituteInPlace $1 \
+        --replace "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" \
+                  "${docbook_xml_dtd_45}/xml/dtd/docbook/docbookx.dtd"
+    }
+    patch_docbook45 documentation/v9/drbd.conf.xml.in
+    patch_docbook45 documentation/v9/drbdsetup.xml.in
+    patch_docbook45 documentation/v84/drbdsetup.xml
+    patch_docbook45 documentation/v84/drbd.conf.xml
+    # The ja documentation is disabled because:
+    # make[1]: Entering directory '/build/drbd-utils-9.16.0/documentation/ja/v84'
+    # /nix/store/wyx2nn2pjcn50lc95c6qgsgm606rn0x2-perl5.32.1-po4a-0.62/bin/po4a-translate -f docbook -M utf-8 -L utf-8 -keep 0 -m ../../v84/drbdsetup.xml -p drbdsetup.xml.po -l drbdsetup.xml
+    # Use of uninitialized value $args[1] in sprintf at /nix/store/wyx2nn2pjcn50lc95c6qgsgm606rn0x2-perl5.32.1-po4a-0.62/lib/perl5/site_perl/Locale/Po4a/Common.pm line 134.
+    # Invalid po file drbdsetup.xml.po:
+    substituteInPlace Makefile.in \
+      --replace 'DOC_DIRS    := documentation/v9 documentation/ja/v9' \
+                'DOC_DIRS    := documentation/v9' \
+      --replace 'DOC_DIRS    += documentation/v84 documentation/ja/v84' \
+                'DOC_DIRS    += documentation/v84' \
+      --replace '$(MAKE) -C documentation/ja/v9 doc' \
+                "" \
+      --replace '$(MAKE) -C documentation/ja/v84 doc' \
+                ""
+    substituteInPlace user/v9/drbdtool_common.c \
+      --replace 'add_component_to_path("/lib/drbd");' \
+                'add_component_to_path("${placeholder "out"}/lib/drbd");'
+  '';
+
+  preConfigure = ''
+    export PATH=${systemd}/sbin:$PATH
+  '';
+
+  enableParallelBuilding = true;
+
+  passthru.tests.drbd = nixosTests.drbd;
+
+  meta = with lib; {
+    homepage = "https://linbit.com/drbd/";
+    description = "Distributed Replicated Block Device, a distributed storage system for Linux (userspace utilities)";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ryantm astro ];
+  };
+}
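Review bot: The `OCF_ROOT` entry in `makeFlags` ends with a stray brace inside the string, `"OCF_ROOT=${ocf-resource-agents}/usr/lib/ocf}"`, so the value passed to make is a path ending in `ocf}`, which does not exist. That means the non-OCF build is not pointed at the resource-agents tree described in the `forOCF` comment. The line should be `] ++ lib.optional (!forOCF) "OCF_ROOT=${ocf-resource-agents}/usr/lib/ocf";`.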
diff --git a/nixpkgs/pkgs/os-specific/linux/dropwatch/default.nix b/nixpkgs/pkgs/os-specific/linux/dropwatch/default.nix
new file mode 100644
index 000000000000..470b59018704
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dropwatch/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, libbfd
+, libnl
+, libpcap
+, ncurses
+, readline
+, zlib
+}:
+
+stdenv.mkDerivation rec {
+  pname = "dropwatch";
+  version = "1.5.4";
+
+  src = fetchFromGitHub {
+    owner = "nhorman";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-TbhgcX5WzuigP5/Mj5JuK7O/UKcu70D7dcOcvo4fxeQ=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+  ];
+  buildInputs = [
+    libbfd
+    libnl
+    libpcap
+    ncurses
+    readline
+    zlib
+  ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Linux kernel dropped packet monitor";
+    homepage = "https://github.com/nhorman/dropwatch";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ c0bw3b ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dstat/default.nix b/nixpkgs/pkgs/os-specific/linux/dstat/default.nix
new file mode 100644
index 000000000000..d79f9f4c61bf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dstat/default.nix
@@ -0,0 +1,42 @@
+{ lib, fetchFromGitHub, fetchpatch, python3Packages }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "dstat";
+  format = "other";
+  version = "0.7.4";
+
+  src = fetchFromGitHub {
+    owner = "dstat-real";
+    repo = "dstat";
+    rev = "v${version}";
+    sha256 = "1qnmkhqmjd1m3if05jj29dvr5hn6kayq9bkkkh881w472c0zhp8v";
+  };
+
+  propagatedBuildInputs = with python3Packages; [ six ];
+
+  patches = [
+    ./fix_pluginpath.patch
+    # this fixes another bug with python3
+    (fetchpatch {
+      url = "https://github.com/efexgee/dstat/commit/220a785321b13b6df92a536080aca6ef1cb644ad.patch";
+      sha256 = "08kcz3yxvl35m55y7g1pr73x3bjcqnv0qlswxqyq8cqxg9zd64cn";
+    })
+  ];
+
+  makeFlags = [ "prefix=$(out)" ];
+
+  # remove deprecation warnings
+  preFixup = ''
+    sed -i "s/import collections/import collections.abc/g" $out/share/dstat/dstat.py $out/bin/dstat
+    sed -i "s/collections.Sequence/collections.abc.Sequence/g" "$out"/bin/dstat
+  '';
+
+  meta = with lib; {
+    homepage = "http://dag.wieers.com/home-made/dstat/";
+    description = "Versatile resource statistics tool";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+    changelog = "https://github.com/dstat-real/dstat/blob/v${version}/ChangeLog";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/dstat/fix_pluginpath.patch b/nixpkgs/pkgs/os-specific/linux/dstat/fix_pluginpath.patch
new file mode 100644
index 000000000000..06d7793da47e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/dstat/fix_pluginpath.patch
@@ -0,0 +1,15 @@
+diff --git a/dstat b/dstat
+index 3ac7087..c5f089d 100755
+--- a/dstat
++++ b/dstat
+@@ -66,9 +66,7 @@ if sys.version_info < (2, 3):
+ 
+ pluginpath = [
+     os.path.expanduser('~/.dstat/'),                                # home + /.dstat/
+-    os.path.abspath(os.path.dirname(sys.argv[0])) + '/plugins/',    # binary path + /plugins/
+-    '/usr/share/dstat/',
+-    '/usr/local/share/dstat/',
++    os.path.abspath(os.path.dirname(sys.argv[0])) + '/../share/dstat/', # binary path + /../share/dstat/
+ ]
+ 
+ class Options:
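Review bot: The new `pluginpath` entry is still derived from `sys.argv[0]`, so the directory that plugin code is loaded from depends on how the program was invoked. `os.path.abspath` does not resolve symlinks, so a call through a profile symlink, a wrapper or a copied script will look for `../share/dstat/` next to that path instead of in the package's own output. A fixed path substituted at build time would be more predictable, for example `'@out@/share/dstat/',` filled in from the derivation's `postPatch`. The list is part of module-level code that continues outside the hunk, and the `~/.dstat/` entry ahead of it is unchanged upstream behaviour.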
diff --git a/nixpkgs/pkgs/os-specific/linux/e1000e/default.nix b/nixpkgs/pkgs/os-specific/linux/e1000e/default.nix
new file mode 100644
index 000000000000..51bc6ada07de
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/e1000e/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchurl, kernel }:
+
+assert lib.versionOlder kernel.version "4.10";
+
+stdenv.mkDerivation rec {
+  name = "e1000e-${version}-${kernel.version}";
+  version = "3.8.4";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/e1000/e1000e-${version}.tar.gz";
+    sha256 = "1q8dbqh14c7r15q6k6iv5k0d6xpi74i71d5r54py60gr099m2ha4";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  configurePhase = ''
+    cd src
+    kernel_version=${kernel.modDirVersion}
+    substituteInPlace common.mk \
+      --replace "/lib/modules" "${kernel.dev}/lib/modules"
+    export makeFlags="BUILD_KERNEL=$kernel_version"
+  '';
+
+  installPhase = ''
+    install -v -D -m 644 e1000e.ko "$out/lib/modules/$kernel_version/kernel/drivers/net/e1000e/e1000e.ko"
+  '';
+
+  dontStrip = true;
+
+  enableParallelBuilding = true;
+
+  meta = {
+    description = "Linux kernel drivers for Intel Ethernet adapters and LOMs (LAN On Motherboard)";
+    homepage = "http://e1000.sf.net/";
+    license = lib.licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/earlyoom/default.nix b/nixpkgs/pkgs/os-specific/linux/earlyoom/default.nix
new file mode 100644
index 000000000000..ad7468bac0f5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/earlyoom/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, pandoc, installShellFiles, withManpage ? false, nixosTests }:
+
+stdenv.mkDerivation rec {
+  pname = "earlyoom";
+  version = "1.7";
+
+  src = fetchFromGitHub {
+    owner = "rfjakob";
+    repo = "earlyoom";
+    rev = "v${version}";
+    sha256 = "sha256-8YcT1TTlAet7F1U9Ginda4IApNqkudegOXqm8rnRGfc=";
+  };
+
+  nativeBuildInputs = lib.optionals withManpage [ pandoc installShellFiles ];
+
+  patches = [ ./fix-dbus-path.patch ];
+
+  makeFlags = [ "VERSION=${version}" ];
+
+  installPhase = ''
+    install -D earlyoom $out/bin/earlyoom
+  '' + lib.optionalString withManpage ''
+    installManPage earlyoom.1
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) earlyoom;
+  };
+
+  meta = with lib; {
+    description = "Early OOM Daemon for Linux";
+    homepage = "https://github.com/rfjakob/earlyoom";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch b/nixpkgs/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch
new file mode 100644
index 000000000000..e1c10cf82f96
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/earlyoom/fix-dbus-path.patch
@@ -0,0 +1,11 @@
+--- a/kill.c
++++ b/kill.c
+@@ -55,7 +55,7 @@ static void notify(const char* summary, const char* body)
+     }
+     // Complete command line looks like this:
+     // dbus-send --system / net.nuetzlich.SystemNotifications.Notify 'string:summary text' 'string:and body text'
+-    execl("/usr/bin/dbus-send", "dbus-send", "--system", "/", "net.nuetzlich.SystemNotifications.Notify",
++    execlp("dbus-send", "dbus-send", "--system", "/", "net.nuetzlich.SystemNotifications.Notify",
+         summary2, body2, NULL);
+     warn("notify: exec failed: %s\n", strerror(errno));
+     exit(1);
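Review bot: Switching `notify()` to `execlp("dbus-send", ...)` makes the helper resolve through the daemon's `PATH`, so which binary runs now depends on the environment the service was started with. For a process that normally runs as a system service, I would keep an absolute path and substitute the store path at build time, for example `execl("@dbus@/bin/dbus-send", "dbus-send", "--system", "/", ...)` filled in from default.nix. If the `PATH` lookup is deliberate, to keep dbus out of the closure, the patch should say so in a header line. In that case the service definition needs to set a fixed `PATH`. The body of `notify()` starts outside this hunk.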
diff --git a/nixpkgs/pkgs/os-specific/linux/ebtables/default.nix b/nixpkgs/pkgs/os-specific/linux/ebtables/default.nix
new file mode 100644
index 000000000000..bca24d9c9050
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ebtables/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "ebtables";
+  version = "2.0.11";
+
+  src = fetchurl {
+    url = "http://ftp.netfilter.org/pub/${pname}/${pname}-${version}.tar.gz";
+    sha256 = "0apxgmkhsk3vxn9q3libxn3dgrdljrxyy4mli2gk49m7hi3na7xp";
+  };
+
+  makeFlags = [
+    "LIBDIR=$(out)/lib" "BINDIR=$(out)/sbin" "MANDIR=$(out)/share/man"
+    "ETCDIR=$(out)/etc" "INITDIR=$(TMPDIR)" "SYSCONFIGDIR=$(out)/etc/sysconfig"
+    "LOCALSTATEDIR=/var"
+  ];
+
+  NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  preInstall = "mkdir -p $out/etc/sysconfig";
+
+  postInstall = ''
+    ln -s $out/sbin/ebtables-legacy          $out/sbin/ebtables
+    ln -s $out/sbin/ebtables-legacy-restore  $out/sbin/ebtables-restore
+    ln -s $out/sbin/ebtables-legacy-save     $out/sbin/ebtables-save
+  '';
+
+  meta = with lib; {
+    description = "A filtering tool for Linux-based bridging firewalls";
+    homepage = "http://ebtables.sourceforge.net/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
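Review bot: The `src` URL is fetched over plain `http://`, so the only integrity control on the tarball is the pinned `sha256`. The hash does protect builds, but whoever bumps the version computes the new hash from an unauthenticated download. If the mirror serves the same path over TLS, prefer `url = "https://ftp.netfilter.org/pub/${pname}/${pname}-${version}.tar.gz";`. `meta` also has no `maintainers`, and `NIX_CFLAGS_COMPILE = "-Wno-error";` has no comment naming the warning it works around.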
diff --git a/nixpkgs/pkgs/os-specific/linux/edac-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/edac-utils/default.nix
new file mode 100644
index 000000000000..6171f8ed3073
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/edac-utils/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, perl, makeWrapper
+, sysfsutils, dmidecode, kmod }:
+
+stdenv.mkDerivation {
+  pname = "edac-utils";
+  version = "unstable-2015-01-07";
+
+  src = fetchFromGitHub {
+    owner = "grondo";
+    repo = "edac-utils";
+    rev = "f9aa96205f610de39a79ff43c7478b7ef02e3138";
+    sha256 = "1dmfqb15ffldl5zirbmwiqzpxbcc2ny9rpfvxcfvpmh5b69knvdg";
+  };
+
+  nativeBuildInputs = [ perl makeWrapper ];
+  buildInputs = [ sysfsutils ];
+
+  configureFlags = [
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+  ];
+
+  installFlags = [
+    "sysconfdir=\${out}/etc"
+  ];
+
+  postInstall = ''
+    wrapProgram "$out/sbin/edac-ctl" \
+      --set PATH ${lib.makeBinPath [ dmidecode kmod ]}
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/grondo/edac-utils";
+    description = "Handles the reporting of hardware-related memory errors";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ell/default.nix b/nixpkgs/pkgs/os-specific/linux/ell/default.nix
new file mode 100644
index 000000000000..67d8f107ce38
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ell/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv
+, fetchgit
+, autoreconfHook
+, pkg-config
+, dbus
+}:
+
+stdenv.mkDerivation rec {
+  pname = "ell";
+  version = "0.52";
+
+  outputs = [ "out" "dev" ];
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/libs/ell/ell.git";
+    rev = version;
+    sha256 = "sha256-JnkNWWdr0CSlwME619BBWkvelFZoZpzmAR53nm2bSqM=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    autoreconfHook
+  ];
+
+  checkInputs = [
+    dbus
+  ];
+
+  enableParallelBuilding = true;
+
+  doCheck = true;
+
+  meta = with lib; {
+    homepage = "https://git.kernel.org/pub/scm/libs/ell/ell.git";
+    description = "Embedded Linux Library";
+    longDescription = ''
+      The Embedded Linux* Library (ELL) provides core, low-level functionality for system daemons. It typically has no dependencies other than the Linux kernel, C standard library, and libdl (for dynamic linking). While ELL is designed to be efficient and compact enough for use on embedded Linux platforms, it is not limited to resource-constrained systems.
+    '';
+    changelog = "https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ChangeLog?h=${version}";
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mic92 dtzWill maxeaubrey ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ena/default.nix b/nixpkgs/pkgs/os-specific/linux/ena/default.nix
new file mode 100644
index 000000000000..b8128c83c0c6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ena/default.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  version = "2.7.1";
+  name = "ena-${version}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "amzn";
+    repo = "amzn-drivers";
+    rev = "ena_linux_${version}";
+    sha256 = "sha256-JkGzmmsAmLvL9e+bg58H79GNHgsqydK/79VoWEq5/Mc=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  # linux 3.12
+  NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
+
+  configurePhase = ''
+    runHook preConfigure
+    cd kernel/linux/ena
+    substituteInPlace Makefile --replace '/lib/modules/$(BUILD_KERNEL)' ${kernel.dev}/lib/modules/${kernel.modDirVersion}
+    runHook postConfigure
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    $STRIP -S ena.ko
+    dest=$out/lib/modules/${kernel.modDirVersion}/misc
+    mkdir -p $dest
+    cp ena.ko $dest/
+    xz $dest/ena.ko
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Amazon Elastic Network Adapter (ENA) driver for Linux";
+    homepage = "https://github.com/amzn/amzn-drivers";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.eelco ];
+    platforms = platforms.linux;
+    broken = kernel.kernelAtLeast "5.17";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/erofs-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/erofs-utils/default.nix
new file mode 100644
index 000000000000..547e6cc651ab
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/erofs-utils/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchgit, autoreconfHook, pkg-config, fuse, libuuid, lz4 }:
+
+stdenv.mkDerivation rec {
+  pname = "erofs-utils";
+  version = "1.5";
+  outputs = [ "out" "man" ];
+
+  src = fetchgit {
+    url =
+      "https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git";
+    rev = "v" + version;
+    sha256 = "sha256-vMWAmGMJp0XDuc4sbo6Y7gfCQVAo4rETea0Tkdbg82U=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ fuse libuuid lz4 ];
+
+  configureFlags = [ "--enable-fuse" ];
+
+  meta = with lib; {
+    description = "Userspace utilities for linux-erofs file system";
+    license = with licenses; [ gpl2 ];
+    maintainers = with maintainers; [ ehmry ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/error-inject/default.nix b/nixpkgs/pkgs/os-specific/linux/error-inject/default.nix
new file mode 100644
index 000000000000..87a40580deb7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/error-inject/default.nix
@@ -0,0 +1,68 @@
+{ lib, stdenv, fetchgit
+, bison, flex, rasdaemon
+}:
+
+{
+  edac-inject = rasdaemon.inject;
+
+  mce-inject = stdenv.mkDerivation rec {
+    pname = "mce-inject";
+    version = "4cbe46321b4a81365ff3aafafe63967264dbfec5";
+
+    src = fetchgit {
+      url = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git";
+      rev = version;
+      sha256 = "0gjapg2hrlxp8ssrnhvc19i3r1xpcnql7xv0zjgbv09zyha08g6z";
+    };
+
+    nativeBuildInputs = [ bison flex ];
+
+    makeFlags = [ "destdir=${placeholder "out"}" ];
+
+    postInstall = ''
+      mkdir $out/sbin
+      mv $out/usr/sbin/mce-inject $out/sbin/mce-inject
+
+      mkdir $out/test
+      cp test/* $out/test/.
+    '';
+
+    meta = with lib; {
+      description = "MCE error injection tool";
+      license = licenses.gpl2Only;
+      platforms = platforms.linux;
+      maintainers = [ maintainers.evils ];
+    };
+  };
+
+  aer-inject = stdenv.mkDerivation rec {
+    pname = "aer-inject";
+    version = "9bd5e2c7886fca72f139cd8402488a2235957d41";
+
+    src = fetchgit {
+      url = "git://git.kernel.org/pub/scm/linux/kernel/git/gong.chen/aer-inject.git";
+      rev = version;
+      sha256 = "0bh6mzpk2mr4xidkammmkfk21b4dbq793qjg25ryyxd1qv0c6cg4";
+    };
+
+    nativeBuildInputs = [ bison flex ];
+
+    # how is this necessary?
+    makeFlags = [ "DESTDIR=${placeholder "out"}" ];
+
+    postInstall = ''
+      mkdir $out/bin
+      mv $out/usr/local/aer-inject $out/bin/aer-inject
+
+      mkdir -p $out/examples
+      cp examples/* $out/examples/.
+    '';
+
+    meta = with lib; {
+      description = "PCIE AER error injection tool";
+      license = licenses.gpl2Only;
+      platforms = platforms.linux;
+      maintainers = [ maintainers.evils ];
+    };
+  };
+}
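Review bot: Both `fetchgit` calls (`mce-inject` and `aer-inject`) use `git://git.kernel.org/...`, a transport with no encryption or server authentication. The pinned `rev` and `sha256` protect later builds, but the hash itself is computed from an unauthenticated fetch whenever the revision is updated. Other kernel.org packages in this same diff (`ell`, `erofs-utils`) already use HTTPS, so for consistency I would write `url = "https://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git";` and the matching `https://` form for `aer-inject`. Setting `version` to a bare commit hash also makes version comparison meaningless; an `unstable-YYYY-MM-DD` value with the hash kept in `rev` would be clearer.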
diff --git a/nixpkgs/pkgs/os-specific/linux/eudev/default.nix b/nixpkgs/pkgs/os-specific/linux/eudev/default.nix
new file mode 100644
index 000000000000..7807f475e9b1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/eudev/default.nix
@@ -0,0 +1,68 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, glib
+, gperf
+, kmod
+, pkg-config
+, util-linux
+}:
+
+stdenv.mkDerivation rec {
+  pname = "eudev";
+  version = "3.2.11";
+
+  src = fetchFromGitHub {
+    owner = "eudev-project";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-W5nL4hicQ4fxz5rqoP+hhkE1tVn8lJZjMq4UaiXH6jc=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    gperf
+    pkg-config
+  ];
+
+  buildInputs = [
+    glib
+    kmod
+    util-linux
+  ];
+
+  configureFlags = [
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+  ];
+
+  makeFlags = [
+    "hwdb_bin=/var/lib/udev/hwdb.bin"
+    "udevrulesdir=/etc/udev/rules.d"
+    ];
+
+  preInstall = ''
+    # Disable install-exec-hook target,
+    # as it conflicts with our move-sbin setup-hook
+
+    sed -i 's;$(MAKE) $(AM_MAKEFLAGS) install-exec-hook;$(MAKE) $(AM_MAKEFLAGS);g' src/udev/Makefile
+  '';
+
+  installFlags = [
+    "localstatedir=$(TMPDIR)/var"
+    "sysconfdir=$(out)/etc"
+    "udevconfdir=$(out)/etc/udev"
+    "udevhwdbbin=$(out)/var/lib/udev/hwdb.bin"
+    "udevhwdbdir=$(out)/var/lib/udev/hwdb.d"
+    "udevrulesdir=$(out)/var/lib/udev/rules.d"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/eudev-project/eudev";
+    description = "A fork of udev with the aim of isolating it from init";
+    license = licenses.gpl2Plus ;
+    maintainers = with maintainers; [ raskin AndersonTorres ];
+    platforms = platforms.linux;
+  };
+}
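Review bot: `installFlags` sends `udevrulesdir` to `$(out)/var/lib/udev/rules.d`, while `makeFlags` compiles in `/etc/udev/rules.d`. The other install overrides (`sysconfdir`, `udevhwdbbin`) keep their build-time path and only add a prefix, so this one stands out. If the difference is deliberate it needs a comment such as `# rules are installed under var/lib on purpose: <reason>`; if not, the install path presumably should be `$(out)/etc/udev/rules.d`. The closing `];` of `makeFlags` is also indented two spaces too far.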
diff --git a/nixpkgs/pkgs/os-specific/linux/evdi/default.nix b/nixpkgs/pkgs/os-specific/linux/evdi/default.nix
new file mode 100644
index 000000000000..b94f4351ff52
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/evdi/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchFromGitHub, kernel, libdrm }:
+
+stdenv.mkDerivation rec {
+  pname = "evdi";
+  version = "1.12.0";
+
+  src = fetchFromGitHub {
+    owner = "DisplayLink";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-JZKZ7+1OMbBtUA7pAZ41TzeDDyiD0h7yTXJINJ5FjN4=";
+  };
+
+  NIX_CFLAGS_COMPILE = "-Wno-error -Wno-error=sign-compare";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildInputs = [ kernel libdrm ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  hardeningDisable = [ "format" "pic" "fortify" ];
+
+  installPhase = ''
+    install -Dm755 module/evdi.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/gpu/drm/evdi/evdi.ko
+    install -Dm755 library/libevdi.so $out/lib/libevdi.so
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Extensible Virtual Display Interface";
+    maintainers = with maintainers; [ eyjhb ];
+    platforms = platforms.linux;
+    license = with licenses; [ lgpl21Only gpl2Only ];
+    homepage = "https://www.displaylink.com/";
+    broken = kernel.kernelOlder "4.19" || stdenv.isAarch64;
+  };
+}
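Review bot: `hardeningDisable = [ "format" "pic" "fortify" ]` applies to the whole derivation, so the userspace `library/libevdi.so` installed below is built without `fortify` and `format` as well as the kernel module. Dropping `pic` is the usual requirement for out-of-tree modules, but the other two, together with the blanket `-Wno-error` in `NIX_CFLAGS_COMPILE`, should carry a comment naming the compile failure they work around so they can be removed once upstream fixes it. If only the module needs the relaxation, consider limiting it to the module build. `install -Dm755` on `evdi.ko` could be `-Dm644`, since a module file does not need the execute bit.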
diff --git a/nixpkgs/pkgs/os-specific/linux/eventstat/default.nix b/nixpkgs/pkgs/os-specific/linux/eventstat/default.nix
new file mode 100644
index 000000000000..9a2c20ca38aa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/eventstat/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchFromGitHub, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "eventstat";
+  version = "0.04.13";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-psamt9omhakiO3Kx2EzofPL2VAsva7XKQTZmn6zKefA=";
+  };
+
+  buildInputs = [ ncurses ];
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Simple monitoring of system events";
+    homepage = "https://github.com/ColinIanKing/eventstat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ cstrahan ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/exfat/default.nix b/nixpkgs/pkgs/os-specific/linux/exfat/default.nix
new file mode 100644
index 000000000000..d459d2408442
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/exfat/default.nix
@@ -0,0 +1,42 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch, kernel }:
+
+stdenv.mkDerivation rec {
+  # linux kernel above 5.7 comes with its own exfat implementation https://github.com/arter97/exfat-linux/issues/27
+  # Assertion moved here due to some tests unintenionally triggering it,
+  # e.g. nixosTests.kernel-latest; it's unclear how/why so far.
+  assertion = assert lib.versionOlder kernel.version "5.8"; null;
+
+  name = "exfat-nofuse-${version}-${kernel.version}";
+  version = "2020-04-15";
+
+  src = fetchFromGitHub {
+    owner = "barrybingo";
+    repo = "exfat-nofuse";
+    rev = "297a5739cd4a942a1d814d05a9cd9b542e7b8fc8";
+    sha256 = "14jahy7n6pr482fjfrlf9ck3f2rkr5ds0n5r85xdfsla37ria26d";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  installPhase = ''
+    install -m644 -b -D exfat.ko $out/lib/modules/${kernel.modDirVersion}/kernel/fs/exfat/exfat.ko
+  '';
+
+  meta = {
+    description = "exfat kernel module";
+    inherit (src.meta) homepage;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ makefu ];
+    platforms = lib.platforms.linux;
+    broken = true;
+  };
+}
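Review bot: `lib.optional` wraps its second argument in a list, so giving it `[ "CROSS_COMPILE=..." ]` appends a nested list to `makeFlags` in cross builds. That may happen to be flattened when the attribute is turned into a string, but the intended helper is `lib.optionals`: `] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [`. The comment above the `assertion` attribute also has a typo ("unintenionally").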
diff --git a/nixpkgs/pkgs/os-specific/linux/extrace/default.nix b/nixpkgs/pkgs/os-specific/linux/extrace/default.nix
new file mode 100644
index 000000000000..e4afe6f85039
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/extrace/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "extrace";
+  version = "0.9";
+
+  src = fetchFromGitHub {
+    owner = "leahneukirchen";
+    repo = "extrace";
+    rev = "v${version}";
+    hash = "sha256-Jy/Ac3NcqBkW0kHyypMAVUGAQ41qWM96BbLAym06ogM=";
+  };
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  postInstall = ''
+    install -dm755 "$out/share/licenses/extrace/"
+    install -m644 LICENSE "$out/share/licenses/extrace/LICENSE"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/leahneukirchen/extrace";
+    description = "Trace exec() calls system-wide";
+    license = with licenses; [ gpl2Plus bsd2 ];
+    platforms = platforms.linux;
+    maintainers = [ maintainers.leahneukirchen ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/facetimehd/default.nix b/nixpkgs/pkgs/os-specific/linux/facetimehd/default.nix
new file mode 100644
index 000000000000..3bb656e8cb09
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/facetimehd/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "facetimehd-${version}-${kernel.version}";
+  version = "0.5.18";
+
+  # Note: When updating this revision:
+  # 1. Also update pkgs/os-specific/linux/firmware/facetimehd-firmware/
+  # 2. Test the module and firmware change via:
+  #    a. Give some applications a try (Skype, Hangouts, Cheese, etc.)
+  #    b. Run: journalctl -f
+  #    c. Then close the lid
+  #    d. Then open the lid (and maybe press a key to wake it up)
+  #    e. see if the module loads back (apps using the camera won't
+  #       recover and will have to be restarted) and the camera
+  #       still works.
+  src = fetchFromGitHub {
+    owner = "patjak";
+    repo = "facetimehd";
+    rev = version;
+    sha256 = "sha256-UO8t2zrfdJlu4uzhhyWOuHIjJNVezIq3nUPGZeW/KJU=";
+  };
+
+  preConfigure = ''
+    export INSTALL_MOD_PATH="$out"
+  '';
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/patjak/bcwc_pcie";
+    description = "Linux driver for the Facetime HD (Broadcom 1570) PCIe webcam";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ womfoo grahamc kraem ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fatrace/default.nix b/nixpkgs/pkgs/os-specific/linux/fatrace/default.nix
new file mode 100644
index 000000000000..2ae8bb2dca24
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fatrace/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv
+, fetchFromGitHub
+, python3
+, which
+}:
+
+stdenv.mkDerivation rec {
+  pname = "fatrace";
+  version = "0.16.3";
+
+  src = fetchFromGitHub {
+    owner = "martinpitt";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-w7leZPdmiTc+avihP203e6GLvbRzbCtNOJdF8MM2v68=";
+  };
+
+  buildInputs = [ python3 which ];
+
+  postPatch = ''
+    substituteInPlace power-usage-report \
+      --replace "'which'" "'${which}/bin/which'"
+  '';
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "Report system-wide file access events";
+    homepage = "https://github.com/martinpitt/fatrace";
+    license = licenses.gpl3Plus;
+    longDescription = ''
+      fatrace reports file access events from all running processes.
+      Its main purpose is to find processes which keep waking up the disk
+      unnecessarily and thus prevent some power saving.
+      Requires a Linux kernel with the FANOTIFY configuration option enabled.
+      Enabling X86_MSR is also recommended for power-usage-report on x86.
+    '';
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fbterm/default.nix b/nixpkgs/pkgs/os-specific/linux/fbterm/default.nix
new file mode 100644
index 000000000000..cbea00ae184d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fbterm/default.nix
@@ -0,0 +1,53 @@
+{ stdenv, lib, fetchurl, gpm, freetype, fontconfig, pkg-config, ncurses, libx86 }:
+
+stdenv.mkDerivation rec {
+  version = "1.7.0";
+  pname = "fbterm";
+
+  src = fetchurl {
+    url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/fbterm/fbterm-${version}.tar.gz";
+    sha256 = "0pciv5by989vzvjxsv1jsv4bdp4m8j0nfbl29jm5fwi12w4603vj";
+  };
+
+  nativeBuildInputs = [ pkg-config ncurses ];
+  buildInputs = [ gpm freetype fontconfig ncurses ]
+    ++ lib.optional stdenv.hostPlatform.isx86 libx86;
+
+  preConfigure = ''
+    sed -e '/ifdef SYS_signalfd/atypedef long long loff_t;' -i src/fbterm.cpp
+    sed -e '/install-exec-hook:/,/^[^\t]/{d}; /.NOEXPORT/iinstall-exec-hook:\
+    ' -i src/Makefile.in
+    export HOME=$PWD;
+    export NIX_LDFLAGS="$NIX_LDFLAGS -lfreetype"
+  '';
+  preBuild = ''
+    mkdir -p "$out/share/terminfo"
+    tic -a -v2 -o"$out/share/terminfo" terminfo/fbterm
+    makeFlagsArray+=("AR=$AR")
+  '';
+
+  patches = [
+    # fixes from Arch Linux package
+    (fetchurl {
+      url = "https://raw.githubusercontent.com/glitsj16/fbterm-patched/d1fe03313be4654dd0a1c0bb5f51530732345134/gcc-6-build-fixes.patch";
+      sha256 = "1kl9fjnrri6pamjdl4jpkqxk5wxcf6jcchv5801xz8vxp4542m40";
+    })
+    (fetchurl {
+      url = "https://raw.githubusercontent.com/glitsj16/fbterm-patched/d1fe03313be4654dd0a1c0bb5f51530732345134/insertmode-fix.patch";
+      sha256 = "1bad9mqcfpqb94lpx23lsamlhplil73ahzin2xjva0gl3gr1038l";
+    })
+    (fetchurl {
+      url = "https://raw.githubusercontent.com/glitsj16/fbterm-patched/d1fe03313be4654dd0a1c0bb5f51530732345134/miscoloring-fix.patch";
+      sha256 = "1mjszji0jgs2jsagjp671fv0d1983wmxv009ff1jfhi9pbay6jd0";
+    })
+    ./select.patch
+  ];
+
+  meta = with lib; {
+    description = "Framebuffer terminal emulator";
+    homepage = "https://code.google.com/archive/p/fbterm/";
+    maintainers = with maintainers; [ raskin ];
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fbterm/select.patch b/nixpkgs/pkgs/os-specific/linux/fbterm/select.patch
new file mode 100644
index 000000000000..549674047a93
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fbterm/select.patch
@@ -0,0 +1,12 @@
+diff --git a/src/fbio.cpp b/src/fbio.cpp
+index e5afc44..2485227 100644
+--- a/src/fbio.cpp
++++ b/src/fbio.cpp
+@@ -18,6 +18,7 @@
+  *
+  */
+ 
++#include <sys/select.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include "config.h"
diff --git a/nixpkgs/pkgs/os-specific/linux/ffado/default.nix b/nixpkgs/pkgs/os-specific/linux/ffado/default.nix
new file mode 100644
index 000000000000..8f58f1c2d045
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ffado/default.nix
@@ -0,0 +1,108 @@
+{ lib
+, mkDerivation
+, dbus
+, dbus_cplusplus
+, desktop-file-utils
+, fetchurl
+, glibmm
+, kernel
+, libavc1394
+, libconfig
+, libiec61883
+, libraw1394
+, libxmlxx3
+, pkg-config
+, python3
+, scons
+, which
+, wrapQtAppsHook
+}:
+
+let
+  inherit (python3.pkgs) pyqt5 dbus-python;
+  python = python3.withPackages (pkgs: with pkgs; [ pyqt5 dbus-python ]);
+in
+mkDerivation rec {
+  pname = "ffado";
+  version = "2.4.3";
+
+  src = fetchurl {
+    url = "http://www.ffado.org/files/libffado-${version}.tgz";
+    sha256 = "08bygzv1k6ai0572gv66h7gfir5zxd9klfy74z2pxqp6s5hms58r";
+  };
+
+  prePatch = ''
+    substituteInPlace ./support/tools/ffado-diag.in \
+      --replace /lib/modules/ "/run/booted-system/kernel-modules/lib/modules/"
+  '';
+
+  patches = [
+    # fix installing metainfo file
+    ./fix-build.patch
+  ];
+
+  outputs = [ "out" "bin" "dev" ];
+
+  nativeBuildInputs = [
+    desktop-file-utils
+    scons
+    pkg-config
+    which
+    python
+    pyqt5
+    wrapQtAppsHook
+  ];
+
+  prefixKey = "PREFIX=";
+  sconsFlags = [
+    "DEBUG=False"
+    "ENABLE_ALL=True"
+    "BUILD_TESTS=True"
+    "WILL_DEAL_WITH_XDG_MYSELF=True"
+    "BUILD_MIXER=True"
+    "UDEVDIR=${placeholder "out"}/lib/udev/rules.d"
+    "PYPKGDIR=${placeholder "out"}/${python3.sitePackages}"
+    "BINDIR=${placeholder "bin"}/bin"
+    "INCLUDEDIR=${placeholder "dev"}/include"
+    "PYTHON_INTERPRETER=${python.interpreter}"
+  ];
+
+  buildInputs = [
+    dbus
+    dbus_cplusplus
+    glibmm
+    libavc1394
+    libconfig
+    libiec61883
+    libraw1394
+    libxmlxx3
+    python
+  ];
+
+  enableParallelBuilding = true;
+  dontWrapQtApps = true;
+
+  postInstall = ''
+    desktop="$bin/share/applications/ffado-mixer.desktop"
+    install -DT -m 444 support/xdg/ffado.org-ffadomixer.desktop $desktop
+    substituteInPlace "$desktop" \
+      --replace Exec=ffado-mixer "Exec=$bin/bin/ffado-mixer" \
+      --replace hi64-apps-ffado ffado-mixer
+    install -DT -m 444 support/xdg/hi64-apps-ffado.png "$bin/share/icons/hicolor/64x64/apps/ffado-mixer.png"
+
+    # prevent build tools from leaking into closure
+    echo 'See `nix-store --query --tree ${placeholder "out"}`.' > $out/lib/libffado/static_info.txt
+  '';
+
+  preFixup = ''
+    wrapQtApp $bin/bin/ffado-mixer
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.ffado.org";
+    description = "FireWire audio drivers";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ goibhniu michojel ];
+    platforms = platforms.linux;
+  };
+}
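Review bot: `src` is fetched over plain `http://www.ffado.org/...`. The `sha256` keeps an already-pinned build reproducible, but the hash for the next version bump will be computed from a download that anyone on the network path can alter, so prefer an `https://` URL if upstream serves one (not verifiable from this diff). The same applies to the `http://www.lwfinger.com/...` sources in both b43-firmware files and to the `http://download.windowsupdate.com/...` cab in broadcom-bt-firmware further down. Separately, `wrapQtAppsHook` is combined with `dontWrapQtApps = true` and a manual `wrapQtApp`; a one-line comment such as `# only ffado-mixer is a Qt program, wrap it by hand` would explain that.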
diff --git a/nixpkgs/pkgs/os-specific/linux/ffado/fix-build.patch b/nixpkgs/pkgs/os-specific/linux/ffado/fix-build.patch
new file mode 100644
index 000000000000..7e360932613f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ffado/fix-build.patch
@@ -0,0 +1,26 @@
+From b0f2b20b23780dd2e67a01c15462070dd86c4ac1 Mon Sep 17 00:00:00 2001
+From: Jan Tojnar <jtojnar@gmail.com>
+Date: Sun, 3 Mar 2019 11:50:27 +0100
+Subject: [PATCH] Fix build on Nix
+
+We do not have global /usr.
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 05755e4b..3fbdc1d8 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -537,7 +537,7 @@ env['mandir'] = Template( env.destdir + env['MANDIR'] ).safe_substitute( env )
+ env['pypkgdir'] = Template( env.destdir + env['PYPKGDIR'] ).safe_substitute( env )
+ env['udevdir'] = Template( env.destdir + env['UDEVDIR'] ).safe_substitute( env )
+ env['PYPKGDIR'] = Template( env['PYPKGDIR'] ).safe_substitute( env )
+-env['metainfodir'] = Template( env.destdir + "/usr/share/metainfo" ).safe_substitute( env )
++env['metainfodir'] = Template( env.destdir + env['SHAREDIR'] + "/metainfo" ).safe_substitute( env )
+ 
+ env.Command( target=env['sharedir'], source="", action=Mkdir( env['sharedir'] ) )
+ 
+-- 
+2.19.2
+
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
new file mode 100644
index 000000000000..7b7abdb8441c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
@@ -0,0 +1,97 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, pkg-config
+, libapparmor
+, which
+, xdg-dbus-proxy
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "firejail";
+  version = "0.9.70";
+
+  src = fetchFromGitHub {
+    owner = "netblue30";
+    repo = "firejail";
+    rev = version;
+    sha256 = "sha256-x1txt0uER66bZN6BD6c/31Zu6fPPwC9kl/3bxEE6Ce8=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    libapparmor
+    which
+  ];
+
+  configureFlags = [
+    "--enable-apparmor"
+  ];
+
+  patches = [
+    # Adds the /nix directory when using an overlay.
+    # Required to run any programs under this mode.
+    ./mount-nix-dir-on-overlay.patch
+
+    # By default fbuilder hardcodes the firejail binary to the install path.
+    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+    ./fbuilder-call-firejail-on-path.patch
+  ];
+
+  prePatch = ''
+    # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+    substituteInPlace src/include/common.h \
+      --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
+  '';
+
+  preConfigure = ''
+    sed -e 's@/bin/bash@${stdenv.shell}@g' -i $( grep -lr /bin/bash .)
+    sed -e "s@/bin/cp@$(which cp)@g" -i $( grep -lr /bin/cp .)
+  '';
+
+  preBuild = ''
+    sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
+  '';
+
+  # The profile files provided with the firejail distribution include `.local`
+  # profile files using relative paths. The way firejail works when it comes to
+  # handling includes is by looking target files up in `~/.config/firejail`
+  # first, and then trying `SYSCONFDIR`. The latter normally points to
+  # `/etc/filejail`, but in the case of nixos points to the nix store. This
+  # makes it effectively impossible to place any profile files in
+  # `/etc/firejail`.
+  #
+  # The workaround applied below is by creating a set of `.local` files which
+  # only contain respective includes to `/etc/firejail`. This way
+  # `~/.config/firejail` still takes precedence, but `/etc/firejail` will also
+  # be searched in second order. This replicates the behaviour from
+  # non-nixos platforms.
+  #
+  # See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83
+  # for the profile file lookup implementation.
+  postInstall = ''
+    for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*{.inc,.profile} | awk '{print $2}' | sort | uniq)
+    do
+      echo "include /etc/firejail/$local" >$out/etc/firejail/$local
+    done
+  '';
+
+  # At high parallelism, the build sometimes fails with:
+  # bash: src/fsec-optimize/fsec-optimize: No such file or directory
+  enableParallelBuilding = false;
+
+  passthru.tests = nixosTests.firejail;
+
+  meta = {
+    description = "Namespace-based sandboxing tool for Linux";
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
+    homepage = "https://firejail.wordpress.com/";
+  };
+}
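Review bot: In `preConfigure`, `/bin/cp` is replaced with `$(which cp)`, i.e. whichever `cp` is first on the build-time PATH, and that path is baked into a program that, per the comment on the fbuilder patch, runs behind a setuid wrapper on NixOS. Taking `coreutils` as an argument and writing `sed -e 's@/bin/cp@${coreutils}/bin/cp@g' -i $( grep -lr /bin/cp .)` makes that runtime dependency explicit and reviewable; `which` is then only a build-time tool and belongs in `nativeBuildInputs`. Next to `"/chmod u+s/d"` I would add `# setuid bit is dropped on purpose; the NixOS wrapper supplies it`. The comment above `postInstall` says `/etc/filejail` where `/etc/firejail` is meant.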
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch b/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
new file mode 100644
index 000000000000..548bb80e7bf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -0,0 +1,11 @@
+--- a/src/fbuilder/build_profile.c
++++ b/src/fbuilder/build_profile.c
+@@ -48,7 +48,7 @@
+ 	// build command
+ 	char *cmd[len];
+ 	unsigned curr_len = 0;
+-	cmd[curr_len++] = BINDIR "/firejail";
++	cmd[curr_len++] = "firejail";
+ 	cmd[curr_len++] = "--quiet";
+ 	cmd[curr_len++] = "--noprofile";
+ 	cmd[curr_len++] = "--caps.drop=all";
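Review bot: With `cmd[0]` changed to the bare name `"firejail"`, which binary runs depends on the caller's `PATH` and on the exec call further down being a PATH-searching variant; that call is outside this hunk, so neither can be confirmed here. If the non-wrapped store binary comes first on `PATH`, fbuilder will run it instead of the setuid wrapper and the profile build will presumably fail. I would add a comment on the changed line, e.g. `// NixOS: resolved via PATH so the setuid wrapper is used, not the store binary`, and note in default.nix that the wrapper directory must precede the package's own `bin` on `PATH`.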
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch b/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
new file mode 100644
index 000000000000..6493eb4fdf26
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -0,0 +1,27 @@
+--- a/src/firejail/fs_overlayfs.c
++++ b/src/firejail/fs_overlayfs.c
+@@ -327,6 +327,16 @@
+ 		errExit("mounting /dev");
+ 	fs_logger("whitelist /dev");
+ 
++	// mount-bind /nix
++	if (arg_debug)
++		printf("Mounting /nix\n");
++	char *nix;
++	if (asprintf(&nix, "%s/nix", oroot) == -1)
++		errExit("asprintf");
++	if (mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL) < 0)
++		errExit("mounting /nix");
++	fs_logger("whitelist /nix");
++
+ 	// mount-bind run directory
+ 	if (arg_debug)
+ 		printf("Mounting /run\n");
+@@ -384,6 +394,7 @@
+ 	free(odiff);
+ 	free(owork);
+ 	free(dev);
++	free(nix);
+ 	free(run);
+ 	free(tmp);
+ }
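Review bot: The added bind mount exposes the host `/nix` inside the overlay sandbox with `MS_BIND|MS_REC` and no follow-up read-only or `nosuid` remount in the visible lines. Unlike the overlaid parts of the filesystem, anything the user is allowed to write under `/nix` therefore lands on the host rather than in the overlay's upper layer. That is probably acceptable for the store itself, which is normally read-only, but it narrows what the overlay mode isolates and should be stated where the mount is made: `// mount-bind /nix (host view, not overlaid; needed to run store binaries)`. Whether a read-only remount is feasible depends on code outside these two hunks.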
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
new file mode 100644
index 000000000000..fe7a3e9ae406
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "b43-fwcutter";
+  version = "019";
+
+  src = fetchurl {
+    url = "https://bues.ch/b43/fwcutter/b43-fwcutter-${version}.tar.bz2";
+    sha256 = "1ki1f5fy3yrw843r697f8mqqdz0pbsbqnvg4yzkhibpn1lqqbsnn";
+  };
+
+  patches = [ ./no-root-install.patch ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "CC=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  meta = {
+    description = "Firmware extractor for cards supported by the b43 kernel module";
+    homepage = "http://wireless.kernel.org/en/users/Drivers/b43";
+    license = lib.licenses.free;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/no-root-install.patch b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/no-root-install.patch
new file mode 100644
index 000000000000..578812e0ad0b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware-cutter/no-root-install.patch
@@ -0,0 +1,18 @@
+diff -Naur b43-fwcutter-015-orig/Makefile b43-fwcutter-015/Makefile
+--- b43-fwcutter-015-orig/Makefile	2011-08-21 08:17:01.000000000 -0400
++++ b43-fwcutter-015/Makefile	2012-07-13 17:57:53.002154557 -0400
+@@ -51,10 +51,10 @@
+ 	$(QUIET_CC) $(CFLAGS) -o $(BIN) $(call OBJS,$(SRCS)) $(LDFLAGS)
+ 
+ install: all
+-	install -d -o 0 -g 0 -m 755 $(PREFIX)/bin/
+-	install -o 0 -g 0 -m 755 $(BIN) $(PREFIX)/bin/
+-	install -d -o 0 -g 0 -m 755 $(PREFIX)/man/man1/
+-	install -o 0 -g 0 -m 644 $(BIN).1 $(PREFIX)/man/man1/
++	install -d -m 755 $(PREFIX)/bin/
++	install -m 755 $(BIN) $(PREFIX)/bin/
++	install -d -m 755 $(PREFIX)/man/man1/
++	install -m 644 $(BIN).1 $(PREFIX)/man/man1/
+ 
+ clean:
+ 	-rm -Rf obj dep *.orig *.rej *~
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
new file mode 100644
index 000000000000..a5683a1ce535
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
@@ -0,0 +1,26 @@
+{ lib, stdenvNoCC, fetchurl, b43FirmwareCutter }:
+
+let version = "5.100.138"; in
+
+stdenvNoCC.mkDerivation {
+  pname = "b43-firmware";
+  inherit version;
+
+  src = fetchurl {
+    url = "http://www.lwfinger.com/b43-firmware/broadcom-wl-${version}.tar.bz2";
+    sha256 = "0vz4ka8gycf72gmnaq61k8rh8y17j1wm2k3fidxvcqjvmix0drzi";
+  };
+
+  nativeBuildInputs = [ b43FirmwareCutter ];
+
+  installPhase = ''
+    mkdir -p $out/lib/firmware
+    b43-fwcutter -w $out/lib/firmware linux/wl_apsta.o
+  '';
+
+  meta = {
+    description = "Firmware for cards supported by the b43 kernel module";
+    homepage = "https://wireless.wiki.kernel.org/en/users/drivers/b43";
+    license = lib.licenses.unfree;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
new file mode 100644
index 000000000000..e117db45b182
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
@@ -0,0 +1,27 @@
+{ lib, stdenvNoCC, fetchurl, b43FirmwareCutter }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "b43-firmware";
+  version = "6.30.163.46";
+
+  src = fetchurl {
+    url = "http://www.lwfinger.com/b43-firmware/broadcom-wl-${version}.tar.bz2";
+    sha256 = "0baw6gcnrhxbb447msv34xg6rmlcj0gm3ahxwvdwfcvq4xmknz50";
+  };
+
+  nativeBuildInputs = [ b43FirmwareCutter ];
+
+  sourceRoot = ".";
+
+  installPhase = ''
+    mkdir -p $out/lib/firmware
+    b43-fwcutter -w $out/lib/firmware *.wl_apsta.o
+  '';
+
+  meta = with lib; {
+    description = "Firmware for cards supported by the b43 kernel module";
+    homepage = "https://wireless.wiki.kernel.org/en/users/drivers/b43";
+    downloadPage = "http://www.lwfinger.com/b43-firmware";
+    license = licenses.unfree;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
new file mode 100644
index 000000000000..073d443bee41
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenvNoCC, fetchurl, cabextract, bt-fw-converter }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "broadcom-bt-firmware";
+  version = "12.0.1.1012";
+
+  src = fetchurl {
+    url = "http://download.windowsupdate.com/c/msdownload/update/driver/drvs/2017/04/852bb503-de7b-4810-a7dd-cbab62742f09_7cf83a4c194116648d17707ae37d564f9c70bec2.cab";
+    sha256 = "1b1qjwxjk4y91l3iz157kms8601n0mmiik32cs6w9b1q4sl4pxx9";
+  };
+
+  nativeBuildInputs = [ cabextract bt-fw-converter ];
+
+  unpackCmd = ''
+    mkdir -p ${pname}-${version}
+    cabextract $src --directory ${pname}-${version}
+  '';
+
+  installPhase = ''
+    mkdir -p $out/lib/firmware/brcm
+    bt-fw-converter -f bcbtums.inf -o $out/lib/firmware/brcm
+    for filename in $out/lib/firmware/brcm/*.hcd
+    do
+      linkname=$(basename $filename | awk 'match($0,/^(BCM)[0-9A-Z]+(-[0-9a-z]{4}-[0-9a-z]{4}\.hcd)$/,c) { print c[1]c[2] }')
+      if ! [ -z $linkname ]
+      then
+        ln -s --relative -T $filename $out/lib/firmware/brcm/$linkname
+      fi
+    done
+  '';
+
+  outputHashMode = "recursive";
+  outputHashAlgo = "sha256";
+  outputHash = "042frb2dmrqfj8q83h5p769q6hg2b3i8fgnyvs9r9a71z7pbsagq";
+
+  meta = with lib; {
+    description = "Firmware for Broadcom WIDCOMM® Bluetooth devices";
+    homepage = "https://www.catalog.update.microsoft.com/Search.aspx?q=Broadcom+bluetooth";
+    license = licenses.unfree;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ zraexy ];
+  };
+}
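Review bot: In `installPhase`, `if ! [ -z $linkname ]` leaves `$linkname` unquoted, so when awk prints nothing the test collapses to `[ -z ]` and only behaves as intended by accident. `if [ -n "$linkname" ]` states the condition directly, and `"$filename"` should be quoted in the `basename` and `ln` calls as well. The three-argument `match()` is a gawk extension; if the awk on the build PATH is not guaranteed to be gawk, add it to `nativeBuildInputs` explicitly.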
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
new file mode 100644
index 000000000000..a28189a9e474
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchurl, makeWrapper, perl, perlPackages, bluez }:
+
+stdenv.mkDerivation  rec {
+  pname = "bt-fw-converter";
+  version = "2017-02-19";
+  rev = "2d8b34402df01c6f7f4b8622de9e8b82fadf4153";
+
+  src = fetchurl {
+    url = "https://raw.githubusercontent.com/winterheart/broadcom-bt-firmware/${rev}/tools/bt-fw-converter.pl";
+    sha256 = "c259b414a4a273c89a0fa7159b3ef73d1ea62b6de91c3a7c2fcc832868e39f4b";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  buildInputs = [ perl perlPackages.RegexpGrammars bluez ];
+
+  unpackCmd = ''
+    mkdir -p ${pname}-${version}
+    cp $src ${pname}-${version}/bt-fw-converter.pl
+  '';
+
+  installPhase = ''
+    install -D -m755 bt-fw-converter.pl $out/bin/bt-fw-converter
+    substituteInPlace $out/bin/bt-fw-converter --replace /usr/bin/hex2hcd ${bluez}/bin/hex2hcd
+    wrapProgram $out/bin/bt-fw-converter --set PERL5LIB $PERL5LIB
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/winterheart/broadcom-bt-firmware/";
+    description = "A tool that converts hex to hcd based on inf file";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ zraexy ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-calibration/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-calibration/default.nix
new file mode 100644
index 000000000000..ca6782688728
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-calibration/default.nix
@@ -0,0 +1,62 @@
+{ lib, stdenvNoCC, fetchurl, unrar-wrapper, pkgs }:
+
+let
+
+  version = "5.1.5769";
+
+
+  # Described on https://github.com/patjak/facetimehd/wiki/Extracting-the-sensor-calibration-files
+
+  # From the wiki page, range extracted with binwalk:
+  zipUrl = "https://download.info.apple.com/Mac_OS_X/031-30890-20150812-ea191174-4130-11e5-a125-930911ba098f/bootcamp${version}.zip";
+  zipRange = "2338085-3492508"; # the whole download is 518MB, this deflate stream is 1.2MB
+
+  # CRC and length from the ZIP entry header (not strictly necessary, but makes it extract cleanly):
+  gzFooter = ''\x51\x1f\x86\x78\xcf\x5b\x12\x00'';
+
+  # Also from the wiki page:
+  calibrationFiles = [
+    { file = "1771_01XX.dat"; offset = "1644880"; size = "19040"; }
+    { file = "1871_01XX.dat"; offset = "1606800"; size = "19040"; }
+    { file = "1874_01XX.dat"; offset = "1625840"; size = "19040"; }
+    { file = "9112_01XX.dat"; offset = "1663920"; size = "33060"; }
+  ];
+
+in
+
+stdenvNoCC.mkDerivation {
+
+  pname = "facetimehd-calibration";
+  inherit version;
+  src = fetchurl {
+    url = zipUrl;
+    sha256 = "1dzyv457fp6d8ly29sivqn6llwj5ydygx7p8kzvdnsp11zvid2xi";
+    curlOpts = "-r ${zipRange}";
+  };
+
+  dontUnpack = true;
+  dontInstall = true;
+
+  buildInputs = [ unrar-wrapper ];
+
+  buildPhase = ''
+    { printf '\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x00'
+      cat $src
+      printf '${gzFooter}'
+    } | zcat > AppleCamera64.exe
+    unrar x AppleCamera64.exe AppleCamera.sys
+
+    mkdir -p $out/lib/firmware/facetimehd
+  '' + lib.concatMapStrings ({file, offset, size}: ''
+    dd bs=1 skip=${offset} count=${size} if=AppleCamera.sys of=$out/lib/firmware/facetimehd/${file}
+  '') calibrationFiles;
+
+  meta = with lib; {
+    description = "facetimehd calibration";
+    homepage = "https://support.apple.com/kb/DL1837";
+    license = licenses.unfree;
+    maintainers = with maintainers; [ alexshpilkin womfoo grahamc ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+
+}
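Review bot: The `pkgs` argument is never used in this file and can be dropped from the function header. `unrar-wrapper` is run during `buildPhase`, so it belongs in `nativeBuildInputs` rather than `buildInputs`. A comment above the `dd` loop such as `# offsets are only valid for the exact AppleCamera.sys pinned by the src hash` would warn whoever bumps `version` that `zipRange`, `gzFooter` and `calibrationFiles` must all change together.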
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
new file mode 100644
index 000000000000..6679f1f19e75
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
@@ -0,0 +1,66 @@
+{ lib, stdenvNoCC, fetchurl, cpio, xz, pkgs }:
+
+let
+
+  version = "1.43_5";
+
+
+  # Updated according to https://github.com/patjak/bcwc_pcie/pull/81/files
+  # and https://github.com/patjak/bcwc_pcie/blob/5a7083bd98b38ef3bd223f7ee531d58f4fb0fe7c/firmware/Makefile#L3-L9
+  # and https://github.com/patjak/bcwc_pcie/blob/5a7083bd98b38ef3bd223f7ee531d58f4fb0fe7c/firmware/extract-firmware.sh
+
+  # From the Makefile:
+  dmgUrl = "https://updates.cdn-apple.com/2019/cert/041-88431-20191011-e7ee7d98-2878-4cd9-bc0a-d98b3a1e24b1/OSXUpd10.11.5.dmg";
+  dmgRange = "204909802-207733123"; # the whole download is 1.3GB, this cuts it down to 2MB
+  # Notes:
+  # 1. Be sure to update the sha256 below in the fetch_url
+  # 2. Be sure to update the homepage in the meta
+
+  # Also from the Makefile (OS_DRV, OS_DRV_DIR), but seems to not change:
+  firmwareIn = "./System/Library/Extensions/AppleCameraInterface.kext/Contents/MacOS/AppleCameraInterface";
+  firmwareOut = "firmware.bin";
+
+  # The following are from the extract-firmware.sh
+  firmwareOffset = "81920"; # Variable: firmw_offsets
+  firmwareSize = "603715"; # Variable: firmw_sizes
+
+
+  # separated this here as the script will fail without the 'exit 0'
+  unpack = pkgs.writeScriptBin "unpack" ''
+    xzcat -Q $src | cpio --format odc -i -d ${firmwareIn}
+    exit 0
+  '';
+
+in
+
+stdenvNoCC.mkDerivation {
+
+  pname = "facetimehd-firmware";
+  inherit version;
+  src = fetchurl {
+    url = dmgUrl;
+    sha256 = "0s8crlh8rvpanzk1w4z3hich0a3mw0m5xhpcg07bxy02calhpdk1";
+    curlOpts = "-r ${dmgRange}";
+  };
+
+  dontUnpack = true;
+  dontInstall = true;
+
+  buildInputs = [ cpio xz ];
+
+  buildPhase = ''
+    ${unpack}/bin/unpack
+    dd bs=1 skip=${firmwareOffset} count=${firmwareSize} if=${firmwareIn} of=${firmwareOut}.gz &> /dev/null
+    mkdir -p $out/lib/firmware/facetimehd
+    gunzip -c ${firmwareOut}.gz > $out/lib/firmware/facetimehd/${firmwareOut}
+  '';
+
+  meta = with lib; {
+    description = "facetimehd firmware";
+    homepage = "https://support.apple.com/kb/DL1877";
+    license = licenses.unfree;
+    maintainers = with maintainers; [ womfoo grahamc ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+
+}
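Review bot: The `exit 0` at the end of the `unpack` script discards the exit status of `xzcat -Q $src | cpio ...`, and the `dd` that follows in `buildPhase` sends its output to `/dev/null`, so a failed extraction shows up only as a silent `dd` failure with no hint of the cause. If the non-zero exit is expected (presumably because the ranged download is a truncated stream), keep the `exit 0` but check the result explicitly by adding `test -s ${firmwareIn}` right after `${unpack}/bin/unpack`. Replacing `&> /dev/null` with `dd status=none ...` would silence the transfer statistics while still printing real errors. The `sha256` on the ranged `src` and the CRC check in `gunzip` are the only integrity checks on the carved bytes, so their diagnostics are worth keeping visible.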
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
new file mode 100644
index 000000000000..ee36ab574426
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
@@ -0,0 +1,38 @@
+{ rustPlatform, lib, fetchFromGitHub, xz, pkg-config, openssl, dbus, glib, udev, cairo, pango, atk, gdk-pixbuf, gtk3, wrapGAppsHook }:
+rustPlatform.buildRustPackage rec {
+  pname = "firmware-manager";
+  version = "0.1.2";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-aKatdjHa/k7j48upkR1O6PFxCUfJYE3KhhzZ9Ohe0Jc=";
+  };
+
+  nativeBuildInputs = [ pkg-config wrapGAppsHook ];
+
+  buildInputs = [ xz openssl dbus glib udev cairo pango atk gdk-pixbuf gtk3 ];
+
+  depsExtraArgs.postPatch = "make prefix='$(out)' toml-gen";
+
+  postPatch = ''
+    sed -i 's|etc|$(prefix)/etc|' Makefile
+  '';
+
+  buildPhase = "make prefix='$(out)'";
+
+  installPhase = "make prefix='$(out)' install";
+
+  cargoSha256 = "sha256-BUo77ERHvuc8IkDdU3Z/gZZicNHT26IbAgEBnVM3O4U=";
+
+  doCheck = false;
+
+  meta = {
+    description = "Graphical frontend for firmware management";
+    homepage = "https://github.com/pop-os/firmware-manager";
+    license = lib.licenses.gpl3;
+    maintainers = [ lib.maintainers.shlevy ];
+    platforms = lib.platforms.linux;
+  };
+}
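Review bot: The `postPatch` line `sed -i 's|etc|$(prefix)/etc|' Makefile` is unanchored: it rewrites the first `etc` substring on every line of the Makefile, whether or not that line is the configuration directory. It also succeeds silently if upstream changes the line it was meant to hit. Matching the whole assignment would fail loudly instead, e.g. `substituteInPlace Makefile --replace '<exact sysconfdir line from the Makefile>' '<same line with $(prefix)/etc>'`. Separately, `doCheck = false;` has no comment saying why the tests are skipped; a one-line reason above it would help the next update.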
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
new file mode 100644
index 000000000000..fb9d3a9a36c4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/firmware-updater/default.nix
@@ -0,0 +1,27 @@
+{ lib
+, flutter
+, fetchFromGitHub
+}:
+
+flutter.mkFlutterApp {
+  pname = "firmware-updater";
+  version = "unstable";
+
+  vendorHash = "sha256-3wVA9BLCnMijC0gOmskz+Hv7NQIGu/jhBDbWjmoq1Tc=";
+
+  src = fetchFromGitHub {
+    owner = "canonical";
+    repo = "firmware-updater";
+    rev = "a51817a2551e29895352618a91df9cf93d944af1";
+    sha256 = "6uhks6a9JcyIC5o0VssqfBlE4pqKiQ7d3KOb6feNTvU=";
+    fetchSubmodules = true;
+  };
+
+  meta = with lib; {
+    description = "Firmware Updater for Linux";
+    homepage = "https://github.com/canonical/firmware-updater";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ mkg20001 ];
+    platforms = platforms.linux;
+  };
+}
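Review bot: `version = "unstable"` carries no date, so neither the store path nor any version-based vulnerability tracking can tell this pinned `rev` apart from a later one. The nixpkgs convention is `version = "unstable-<commit date of rev, YYYY-MM-DD>";`. The `sha256` passed to `fetchFromGitHub` is also written without the `sha256-` prefix that `vendorHash` uses in the same file; `hash = "sha256-6uhks6a9JcyIC5o0VssqfBlE4pqKiQ7d3KOb6feNTvU=";` would make both SRI-style.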
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix
new file mode 100644
index 000000000000..56001cb225aa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd-efi/default.nix
@@ -0,0 +1,56 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchFromGitHub
+, substituteAll
+, pkg-config
+, meson
+, ninja
+, gnu-efi
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "fwupd-efi";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "https://people.freedesktop.org/~hughsient/releases/${pname}-${version}.tar.xz";
+    sha256 = "sha256-1Ys04TwhWYZ8ORJgr04kGO6/lI1I36sC6kcrVoP/r1k=";
+  };
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    pkg-config
+    python3
+  ];
+
+  buildInputs = [
+    gnu-efi
+  ];
+
+  postPatch = ''
+    patchShebangs \
+      efi/generate_binary.py \
+      efi/generate_sbat.py
+  '';
+
+  mesonFlags = [
+    "-Defi-includedir=${gnu-efi}/include/efi"
+    "-Defi-libdir=${gnu-efi}/lib"
+    "-Defi-ldsdir=${gnu-efi}/lib"
+    "-Defi_sbat_distro_id=nixos"
+    "-Defi_sbat_distro_summary=NixOS"
+    "-Defi_sbat_distro_pkgname=${pname}"
+    "-Defi_sbat_distro_version=${version}"
+    "-Defi_sbat_distro_url=https://search.nixos.org/packages?channel=unstable&show=fwupd-efi&from=0&size=50&sort=relevance&query=fwupd-efi"
+  ];
+
+  meta = with lib; {
+    homepage = "https://fwupd.org/";
+    maintainers = with maintainers; [ maxeaubrey ];
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+  };
+}
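Review bot: The argument list takes `fetchFromGitHub` and `substituteAll`, but nothing in the derivation uses them, and `meta` has no `description`. Dropping the two unused arguments keeps the dependency surface of a boot-path component honest. A one-line `description = "EFI application used by the uefi-capsule plugin in fwupd";` would say what the package is for. The long `efi_sbat_distro_url` value could also get a short comment, since it ends up in the SBAT metadata of the built EFI binary.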
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
new file mode 100644
index 000000000000..c136f935e03e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
@@ -0,0 +1,183 @@
+diff --git a/data/meson.build b/data/meson.build
+index d8494020d..7c896fa0d 100644
+--- a/data/meson.build
++++ b/data/meson.build
+@@ -26,7 +26,7 @@ endif
+ 
+ if build_standalone
+   install_data(['daemon.conf'],
+-    install_dir: join_paths(sysconfdir, 'fwupd')
++    install_dir: join_paths(sysconfdir_install, 'fwupd')
+   )
+   plugin_quirks += join_paths(meson.current_source_dir(), 'power.quirk')
+   plugin_quirks += join_paths(meson.current_source_dir(), 'cfi.quirk')
+diff --git a/data/pki/meson.build b/data/pki/meson.build
+index 3649fecea..c3462744b 100644
+--- a/data/pki/meson.build
++++ b/data/pki/meson.build
+@@ -12,13 +12,13 @@ install_data([
+     'GPG-KEY-Linux-Foundation-Firmware',
+     'GPG-KEY-Linux-Vendor-Firmware-Service',
+   ],
+-  install_dir: join_paths(sysconfdir, 'pki', 'fwupd')
++  install_dir: join_paths(sysconfdir_install, 'pki', 'fwupd')
+ )
+ install_data([
+     'GPG-KEY-Linux-Foundation-Metadata',
+     'GPG-KEY-Linux-Vendor-Firmware-Service',
+   ],
+-  install_dir: join_paths(sysconfdir, 'pki', 'fwupd-metadata')
++  install_dir: join_paths(sysconfdir_install, 'pki', 'fwupd-metadata')
+ )
+ endif
+ 
+@@ -26,11 +26,11 @@ if supported_pkcs7
+ install_data([
+     'LVFS-CA.pem',
+   ],
+-  install_dir: join_paths(sysconfdir, 'pki', 'fwupd')
++  install_dir: join_paths(sysconfdir_install, 'pki', 'fwupd')
+ )
+ install_data([
+     'LVFS-CA.pem',
+   ],
+-  install_dir: join_paths(sysconfdir, 'pki', 'fwupd-metadata')
++  install_dir: join_paths(sysconfdir_install, 'pki', 'fwupd-metadata')
+ )
+ endif
+diff --git a/data/remotes.d/meson.build b/data/remotes.d/meson.build
+index 1d1698a7e..5469d00a6 100644
+--- a/data/remotes.d/meson.build
++++ b/data/remotes.d/meson.build
+@@ -2,7 +2,7 @@ if build_standalone and get_option('lvfs') != 'false'
+   install_data([
+       'lvfs-testing.conf',
+     ],
+-    install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d')
++    install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d')
+   )
+   con3 = configuration_data()
+   if get_option('lvfs') == 'disabled'
+@@ -15,7 +15,7 @@ if build_standalone and get_option('lvfs') != 'false'
+     output: 'lvfs.conf',
+     configuration: con3,
+     install: true,
+-    install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++    install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
+   )
+   i18n.merge_file(
+     input: 'lvfs.metainfo.xml',
+@@ -49,12 +49,12 @@ configure_file(
+   output: 'vendor.conf',
+   configuration: con2,
+   install: true,
+-  install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
+ )
+ configure_file(
+   input: 'vendor-directory.conf',
+   output: 'vendor-directory.conf',
+   configuration: con2,
+   install: true,
+-  install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
+ )
+diff --git a/meson.build b/meson.build
+index e6b717078..f8a7a7455 100644
+--- a/meson.build
++++ b/meson.build
+@@ -195,6 +195,12 @@ endif
+ mandir = join_paths(prefix, get_option('mandir'))
+ localedir = join_paths(prefix, get_option('localedir'))
+ 
++if get_option('sysconfdir_install') != ''
++  sysconfdir_install = join_paths(prefix, get_option('sysconfdir_install'))
++else
++  sysconfdir_install = sysconfdir
++endif
++
+ diffcmd = find_program('diff')
+ gio = dependency('gio-2.0', version: '>= 2.45.8')
+ giounix = dependency('gio-unix-2.0', version: '>= 2.45.8', required: false)
+diff --git a/meson_options.txt b/meson_options.txt
+index 06d242371..d9e517fc0 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -1,3 +1,4 @@
++option('sysconfdir_install', type: 'string', value: '', description: 'sysconfdir to use during installation')
+ option('build', type : 'combo', choices : ['all', 'standalone', 'library'], value : 'all', description : 'build type')
+ option('consolekit', type : 'feature', description : 'ConsoleKit support', deprecated: {'true': 'enabled', 'false': 'disabled'})
+ option('static_analysis', type : 'boolean', value : false, description : 'enable GCC static analysis support')
+diff --git a/plugins/dell-esrt/meson.build b/plugins/dell-esrt/meson.build
+index 67bd3b9d9..ad04a91b6 100644
+--- a/plugins/dell-esrt/meson.build
++++ b/plugins/dell-esrt/meson.build
+@@ -38,6 +38,6 @@ configure_file(
+   output: 'dell-esrt.conf',
+   configuration: con2,
+   install: true,
+-  install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
+ )
+ endif
+diff --git a/plugins/msr/meson.build b/plugins/msr/meson.build
+index 13f03ccd4..9235ebe33 100644
+--- a/plugins/msr/meson.build
++++ b/plugins/msr/meson.build
+@@ -10,7 +10,7 @@ install_data(['fwupd-msr.conf'],
+ endif
+ 
+ install_data(['msr.conf'],
+-  install_dir: join_paths(sysconfdir, 'fwupd')
++  install_dir: join_paths(sysconfdir_install, 'fwupd')
+ )
+ shared_module('fu_plugin_msr',
+   fu_hash,
+diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
+index 95606e478..e5355e520 100644
+--- a/plugins/redfish/meson.build
++++ b/plugins/redfish/meson.build
+@@ -43,7 +43,7 @@ shared_module('fu_plugin_redfish',
+ )
+ 
+ install_data(['redfish.conf'],
+-  install_dir: join_paths(sysconfdir, 'fwupd'),
++  install_dir: join_paths(sysconfdir_install, 'fwupd'),
+ )
+ 
+ if get_option('tests')
+diff --git a/plugins/thunderbolt/meson.build b/plugins/thunderbolt/meson.build
+index 5f8ffbf90..9ba323e75 100644
+--- a/plugins/thunderbolt/meson.build
++++ b/plugins/thunderbolt/meson.build
+@@ -32,7 +32,7 @@ fu_plugin_thunderbolt = shared_module('fu_plugin_thunderbolt',
+ )
+ 
+ install_data(['thunderbolt.conf'],
+-  install_dir: join_paths(sysconfdir, 'fwupd')
++  install_dir: join_paths(sysconfdir_install, 'fwupd')
+ )
+ # we use functions from 2.52 in the tests
+ if get_option('tests') and run_sanitize_unsafe_tests and umockdev.found() and gio.version().version_compare('>= 2.52')
+diff --git a/plugins/uefi-capsule/meson.build b/plugins/uefi-capsule/meson.build
+index ef38dc03e..78ff65e1d 100644
+--- a/plugins/uefi-capsule/meson.build
++++ b/plugins/uefi-capsule/meson.build
+@@ -20,7 +20,7 @@ if host_machine.system() == 'linux'
+     output: '35_fwupd',
+     configuration: con2,
+     install: true,
+-    install_dir: join_paths(sysconfdir, 'grub.d')
++    install_dir: join_paths(sysconfdir_install, 'grub.d')
+   )
+ elif host_machine.system() == 'freebsd'
+   backend_srcs += 'fu-uefi-backend-freebsd.c'
+@@ -110,7 +110,7 @@ if get_option('compat_cli') and get_option('man')
+ endif
+ 
+ install_data(['uefi_capsule.conf'],
+-  install_dir: join_paths(sysconfdir, 'fwupd')
++  install_dir: join_paths(sysconfdir_install, 'fwupd')
+ )
+ 
+ # add all the .po files as inputs to watch
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/default.nix
new file mode 100644
index 000000000000..541bef93a8a3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/default.nix
@@ -0,0 +1,393 @@
+# Updating? Keep $out/etc synchronized with passthru keys
+
+{ stdenv
+, lib
+, fetchurl
+, fetchFromGitHub
+, gi-docgen
+, pkg-config
+, gobject-introspection
+, gettext
+, libgudev
+, polkit
+, libxmlb
+, glib
+, gusb
+, sqlite
+, libarchive
+, curl
+, libjcat
+, elfutils
+, libsmbios
+, efivar
+, valgrind
+, meson
+, libuuid
+, colord
+, ninja
+, gcab
+, gnutls
+, protobufc
+, python3
+, wrapGAppsNoGuiHook
+, json-glib
+, bash-completion
+, shared-mime-info
+, umockdev
+, vala
+, makeFontsConf
+, freefont_ttf
+, pango
+, tpm2-tss
+, bubblewrap
+, efibootmgr
+, flashrom
+, tpm2-tools
+, fwupd-efi
+, nixosTests
+, runCommand
+, unstableGitUpdater
+, modemmanager
+, libqmi
+, libmbim
+, libcbor
+, xz
+}:
+
+let
+  python = python3.withPackages (p: with p; [
+    pygobject3
+    setuptools
+  ]);
+
+  isx86 = stdenv.hostPlatform.isx86;
+
+  # Dell isn't supported on Aarch64
+  haveDell = isx86;
+
+  # only redfish for x86_64
+  haveRedfish = stdenv.isx86_64;
+
+  # only use msr if x86 (requires cpuid)
+  haveMSR = isx86;
+
+  # # Currently broken on Aarch64
+  # haveFlashrom = isx86;
+  # Experimental
+  haveFlashrom = false;
+
+  runPythonCommand = name: buildCommandPython: runCommand name {
+    nativeBuildInputs = [ python3 ];
+      inherit buildCommandPython;
+  } ''
+    exec python3 -c "$buildCommandPython"
+  '';
+
+  test-firmware =
+    let
+      version = "unstable-2021-11-02";
+      src = fetchFromGitHub {
+        name = "fwupd-test-firmware-${version}";
+        owner = "fwupd";
+        repo = "fwupd-test-firmware";
+        rev = "aaa2f9fd68a40684c256dd85b86093cba38ffd9d";
+        sha256 = "Slk7CNfkmvmOh3WtIBkPs3NYT96co6i8PwqcbpeVFgA=";
+        passthru = {
+          inherit src version; # For update script
+          updateScript = unstableGitUpdater {
+            url = "${test-firmware.meta.homepage}.git";
+          };
+        };
+      };
+    in
+      src // {
+        meta = src.meta // {
+          # For update script
+          position =
+            let
+              pos = builtins.unsafeGetAttrPos "updateScript" test-firmware;
+            in
+            pos.file + ":" + toString pos.line;
+        };
+      };
+
+
+  self = stdenv.mkDerivation rec {
+    pname = "fwupd";
+    version = "1.8.3";
+
+    # libfwupd goes to lib
+    # daemon, plug-ins and libfwupdplugin go to out
+    # CLI programs go to out
+    outputs = [ "out" "lib" "dev" "devdoc" "man" "installedTests" ];
+
+    src = fetchurl {
+      url = "https://people.freedesktop.org/~hughsient/releases/fwupd-${version}.tar.xz";
+      sha256 = "sha256-ciIpd86KhmJRH/o8CIFWb2xFjsjWHSUNlGYRfWEiOOw=";
+    };
+
+    patches = [
+      # Since /etc is the domain of NixOS, not Nix,
+      # we cannot install files there.
+      # Let’s install the files to $prefix/etc
+      # while still reading them from /etc.
+      # NixOS module for fwupd will take take care of copying the files appropriately.
+      ./add-option-for-installation-sysconfdir.patch
+
+      # Install plug-ins and libfwupdplugin to $out output,
+      # they are not really part of the library.
+      ./install-fwupdplugin-to-out.patch
+
+      # Installed tests are installed to different output
+      # we also cannot have fwupd-tests.conf in $out/etc since it would form a cycle.
+      ./installed-tests-path.patch
+
+      # EFI capsule is located in fwupd-efi now.
+      ./efi-app-path.patch
+    ];
+
+    nativeBuildInputs = [
+      meson
+      ninja
+      gi-docgen
+      pkg-config
+      gobject-introspection
+      gettext
+      shared-mime-info
+      valgrind
+      gcab
+      gnutls
+      protobufc # for protoc
+      python
+      wrapGAppsNoGuiHook
+      vala
+    ];
+
+    buildInputs = [
+      polkit
+      libxmlb
+      gusb
+      sqlite
+      libarchive
+      curl
+      elfutils
+      libgudev
+      colord
+      libjcat
+      libuuid
+      json-glib
+      umockdev
+      bash-completion
+      pango
+      tpm2-tss
+      efivar
+      fwupd-efi
+      protobufc
+      modemmanager
+      libmbim
+      libcbor
+      libqmi
+      xz # for liblzma.
+    ] ++ lib.optionals haveDell [
+      libsmbios
+    ] ++ lib.optionals haveFlashrom [
+      flashrom
+    ];
+
+    mesonFlags = [
+      "-Ddocs=enabled"
+      "-Dplugin_dummy=true"
+      # We are building the official releases.
+      "-Dsupported_build=enabled"
+      # Would dlopen libsoup to preserve compatibility with clients linking against older fwupd.
+      # https://github.com/fwupd/fwupd/commit/173d389fa59d8db152a5b9da7cc1171586639c97
+      "-Dsoup_session_compat=false"
+      "-Dudevdir=lib/udev"
+      "-Dsystemd_root_prefix=${placeholder "out"}"
+      "-Dinstalled_test_prefix=${placeholder "installedTests"}"
+      "--localstatedir=/var"
+      "--sysconfdir=/etc"
+      "-Dsysconfdir_install=${placeholder "out"}/etc"
+      "-Defi_os_dir=nixos"
+      "-Dplugin_modem_manager=enabled"
+      # Requires Meson 0.63
+      "-Dgresource_quirks=disabled"
+
+      # We do not want to place the daemon into lib (cyclic reference)
+      "--libexecdir=${placeholder "out"}/libexec"
+      # Our builder only adds $lib/lib to rpath but some things link
+      # against libfwupdplugin which is in $out/lib.
+      "-Dc_link_args=-Wl,-rpath,${placeholder "out"}/lib"
+    ] ++ lib.optionals (!haveDell) [
+      "-Dplugin_dell=disabled"
+      "-Dplugin_synaptics_mst=disabled"
+    ] ++ lib.optionals (!haveRedfish) [
+      "-Dplugin_redfish=disabled"
+    ] ++ lib.optionals (!haveFlashrom) [
+      "-Dplugin_flashrom=disabled"
+    ] ++ lib.optionals (!haveMSR) [
+      "-Dplugin_msr=disabled"
+    ];
+
+    # TODO: wrapGAppsHook wraps efi capsule even though it is not ELF
+    dontWrapGApps = true;
+
+    # /etc/os-release not available in sandbox
+    # doCheck = true;
+
+    # Environment variables
+
+    # Fontconfig error: Cannot load default config file
+    FONTCONFIG_FILE =
+      let
+        fontsConf = makeFontsConf {
+          fontDirectories = [ freefont_ttf ];
+        };
+      in fontsConf;
+
+    # error: “PolicyKit files are missing”
+    # https://github.com/NixOS/nixpkgs/pull/67625#issuecomment-525788428
+    PKG_CONFIG_POLKIT_GOBJECT_1_ACTIONDIR = "/run/current-system/sw/share/polkit-1/actions";
+
+    # Phase hooks
+
+    postPatch = ''
+      patchShebangs \
+        contrib/generate-version-script.py \
+        meson_post_install.sh \
+        po/test-deps
+
+      # This checks a version of a dependency of gi-docgen but gi-docgen is self-contained in Nixpkgs.
+      echo "Clearing docs/test-deps.py"
+      test -f docs/test-deps.py
+      echo > docs/test-deps.py
+
+      substituteInPlace data/installed-tests/fwupdmgr-p2p.sh \
+        --replace "gdbus" ${glib.bin}/bin/gdbus
+    '';
+
+    preBuild = ''
+      # jcat-tool at buildtime requires a home directory
+      export HOME="$(mktemp -d)"
+    '';
+
+    preCheck = ''
+      addToSearchPath XDG_DATA_DIRS "${shared-mime-info}/share"
+    '';
+
+    preInstall = ''
+      # We have pkexec on PATH so Meson will try to use it when installation fails
+      # due to being unable to write to e.g. /etc.
+      # Let’s pretend we already ran pkexec –
+      # the pkexec on PATH would complain it lacks setuid bit,
+      # obscuring the underlying error.
+      # https://github.com/mesonbuild/meson/blob/492cc9bf95d573e037155b588dc5110ded4d9a35/mesonbuild/minstall.py#L558
+      export PKEXEC_UID=-1
+    '';
+
+    postInstall = ''
+      # These files have weird licenses so they are shipped separately.
+      cp --recursive --dereference "${test-firmware}/installed-tests/tests" "$installedTests/libexec/installed-tests/fwupd"
+    '';
+
+    preFixup = let
+      binPath = [
+        efibootmgr
+        bubblewrap
+        tpm2-tools
+      ];
+    in ''
+      gappsWrapperArgs+=(
+        --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
+        # See programs reached with fu_common_find_program_in_path in source
+        --prefix PATH : "${lib.makeBinPath binPath}"
+      )
+    '';
+
+    postFixup = ''
+      # Since we had to disable wrapGAppsHook, we need to wrap the executables manually.
+      find -L "$out/bin" "$out/libexec" -type f -executable -print0 \
+        | while IFS= read -r -d ''' file; do
+        if [[ "$file" != *.efi ]]; then
+          echo "Wrapping program $file"
+          wrapGApp "$file"
+        fi
+      done
+
+      # Cannot be in postInstall, otherwise _multioutDocs hook in preFixup will move right back.
+      moveToOutput "share/doc" "$devdoc"
+    '';
+
+    separateDebugInfo = true;
+
+    passthru = {
+      filesInstalledToEtc = [
+        "fwupd/daemon.conf"
+        "fwupd/remotes.d/lvfs-testing.conf"
+        "fwupd/remotes.d/lvfs.conf"
+        "fwupd/remotes.d/vendor.conf"
+        "fwupd/remotes.d/vendor-directory.conf"
+        "fwupd/thunderbolt.conf"
+        "fwupd/uefi_capsule.conf"
+        "pki/fwupd/GPG-KEY-Linux-Foundation-Firmware"
+        "pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service"
+        "pki/fwupd/LVFS-CA.pem"
+        "pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata"
+        "pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service"
+        "pki/fwupd-metadata/LVFS-CA.pem"
+        "grub.d/35_fwupd"
+      ] ++ lib.optionals haveDell [
+        "fwupd/remotes.d/dell-esrt.conf"
+      ] ++ lib.optionals haveRedfish [
+        "fwupd/redfish.conf"
+      ] ++ lib.optionals haveMSR [
+        "fwupd/msr.conf"
+      ];
+
+      # DisabledPlugins key in fwupd/daemon.conf
+      defaultDisabledPlugins = [
+        "test"
+        "test_ble"
+        "invalid"
+      ];
+
+      # For updating.
+      inherit test-firmware;
+
+      tests = let
+        listToPy = list: "[${lib.concatMapStringsSep ", " (f: "'${f}'") list}]";
+      in {
+        installedTests = nixosTests.installed-tests.fwupd;
+
+        passthruMatches = runPythonCommand "fwupd-test-passthru-matches" ''
+          import itertools
+          import configparser
+          import os
+          import pathlib
+
+          etc = '${self}/etc'
+          package_etc = set(itertools.chain.from_iterable([[os.path.relpath(os.path.join(prefix, file), etc) for file in files] for (prefix, dirs, files) in os.walk(etc)]))
+          passthru_etc = set(${listToPy passthru.filesInstalledToEtc})
+          assert len(package_etc - passthru_etc) == 0, f'fwupd package contains the following paths in /etc that are not listed in passthru.filesInstalledToEtc: {package_etc - passthru_etc}'
+          assert len(passthru_etc - package_etc) == 0, f'fwupd package lists the following paths in passthru.filesInstalledToEtc that are not contained in /etc: {passthru_etc - package_etc}'
+
+          config = configparser.RawConfigParser()
+          config.read('${self}/etc/fwupd/daemon.conf')
+          package_disabled_plugins = config.get('fwupd', 'DisabledPlugins').rstrip(';').split(';')
+          passthru_disabled_plugins = ${listToPy passthru.defaultDisabledPlugins}
+          assert package_disabled_plugins == passthru_disabled_plugins, f'Default disabled plug-ins in the package {package_disabled_plugins} do not match those listed in passthru.defaultDisabledPlugins {passthru_disabled_plugins}'
+
+          pathlib.Path(os.getenv('out')).touch()
+        '';
+      };
+    };
+
+    meta = with lib; {
+      homepage = "https://fwupd.org/";
+      maintainers = with maintainers; [ jtojnar ];
+      license = licenses.lgpl21Plus;
+      platforms = platforms.linux;
+    };
+  };
+
+in self
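Review bot: `"-Dplugin_dummy=true"` in `mesonFlags` sits next to `"-Dsupported_build=enabled"` without a comment, so a package described as an official release build also appears to ship the test plug-ins. It would then rely on the `DisabledPlugins` entry in `daemon.conf` to keep them from loading. `passthru.defaultDisabledPlugins` and the `passthruMatches` test cover the packaged default, but the reason for building the plug-ins is not stated; presumably the installed tests need them. A comment above the flag would make that dependency explicit, e.g. `# Test plug-ins are needed by installedTests; kept off at runtime via DisabledPlugins (see passthru.defaultDisabledPlugins)`. The commented-out `# haveFlashrom = isx86;` next to `haveFlashrom = false;` could likewise be reduced to one line saying why flashrom is disabled.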
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/efi-app-path.patch b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/efi-app-path.patch
new file mode 100644
index 000000000000..afee6d9f61ea
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/efi-app-path.patch
@@ -0,0 +1,13 @@
+diff --git a/meson.build b/meson.build
+index b91dd037..01d70a61 100644
+--- a/meson.build
++++ b/meson.build
+@@ -413,7 +413,7 @@ if build_standalone and efiboot.found() and efivar.found()
+     conf.set('HAVE_EFI_TIME_T', '1')
+   endif
+ 
+-  efi_app_location = join_paths(libexecdir, 'fwupd', 'efi')
++  efi_app_location = join_paths(dependency('fwupd-efi').get_pkgconfig_variable('prefix'), 'libexec', 'fwupd', 'efi')
+   conf.set_quoted('EFI_APP_LOCATION', efi_app_location)
+ 
+   if host_cpu == 'x86'
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/install-fwupdplugin-to-out.patch b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/install-fwupdplugin-to-out.patch
new file mode 100644
index 000000000000..f3369b6e1333
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/install-fwupdplugin-to-out.patch
@@ -0,0 +1,37 @@
+diff --git a/libfwupdplugin/meson.build b/libfwupdplugin/meson.build
+index 1afa28e1..3da81d30 100644
+--- a/libfwupdplugin/meson.build
++++ b/libfwupdplugin/meson.build
+@@ -220,7 +220,8 @@ fwupdplugin = library(
+   ],
+   link_args: cc.get_supported_link_arguments([vflag]),
+   link_depends: fwupdplugin_mapfile,
+-  install: true
++  install: true,
++  install_dir: bindir / '..' / 'lib',
+ )
+ 
+ fwupdplugin_pkgg = import('pkgconfig')
+@@ -280,7 +281,8 @@ if introspection.allowed()
+       girtargets,
+       fwupd_gir[0],
+     ],
+-    install: true
++    install: true,
++    install_dir_typelib: bindir / '..' / 'lib' / 'girepository-1.0',
+   )
+ 
+   # Verify the map file is correct -- note we can't actually use the generated
+diff --git a/meson.build b/meson.build
+index b91dd037..f97b4c26 100644
+--- a/meson.build
++++ b/meson.build
+@@ -504,7 +504,7 @@ if build_standalone
+ if host_machine.system() == 'windows'
+   plugin_dir = 'fwupd-plugins-@0@'.format(libfwupdplugin_lt_current)
+ else
+-  plugin_dir = join_paths(libdir, 'fwupd-plugins-@0@'.format(libfwupdplugin_lt_current))
++  plugin_dir = join_paths(bindir, '..', 'lib', 'fwupd-plugins-@0@'.format(libfwupdplugin_lt_current))
+ endif
+ conf.set_quoted('FWUPD_PLUGINDIR', plugin_dir)
+ endif
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
new file mode 100644
index 000000000000..49bca65d9c60
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
@@ -0,0 +1,59 @@
+diff --git a/data/installed-tests/meson.build b/data/installed-tests/meson.build
+index b8ec916f..38209b36 100644
+--- a/data/installed-tests/meson.build
++++ b/data/installed-tests/meson.build
+@@ -83,5 +83,5 @@ configure_file(
+   output : 'fwupd-tests.conf',
+   configuration : con2,
+   install: true,
+-  install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
++  install_dir: join_paths(get_option('installed_test_prefix'), 'etc', 'fwupd', 'remotes.d'),
+ )
+diff --git a/meson.build b/meson.build
+index b91dd037..d7e20b18 100644
+--- a/meson.build
++++ b/meson.build
+@@ -188,8 +188,8 @@ else
+   datadir = join_paths(prefix, get_option('datadir'))
+   sysconfdir = join_paths(prefix, get_option('sysconfdir'))
+   localstatedir = join_paths(prefix, get_option('localstatedir'))
+-  installed_test_bindir = join_paths(libexecdir, 'installed-tests', meson.project_name())
+-  installed_test_datadir = join_paths(datadir, 'installed-tests', meson.project_name())
++  installed_test_bindir = join_paths(get_option('installed_test_prefix'), 'libexec', 'installed-tests', meson.project_name())
++  installed_test_datadir = join_paths(get_option('installed_test_prefix'), 'share', 'installed-tests', meson.project_name())
+   daemon_dir = join_paths(libexecdir, 'fwupd')
+ endif
+ mandir = join_paths(prefix, get_option('mandir'))
+@@ -492,6 +492,7 @@ gnome = import('gnome')
+ i18n = import('i18n')
+ 
+ conf.set_quoted('FWUPD_PREFIX', prefix)
++conf.set_quoted('FWUPD_INSTALLED_TEST_PREFIX', get_option('installed_test_prefix'))
+ conf.set_quoted('FWUPD_BINDIR', bindir)
+ conf.set_quoted('FWUPD_LIBDIR', libdir)
+ conf.set_quoted('FWUPD_LIBEXECDIR', libexecdir)
+diff --git a/meson_options.txt b/meson_options.txt
+index d00038db..be1c45b4 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -56,6 +56,7 @@ option('systemd', type : 'feature', description : 'systemd support', deprecated:
+ option('systemd_unit_user', type : 'string', description : 'User account to use for fwupd-refresh.service (empty for DynamicUser)')
+ option('systemd_root_prefix', type: 'string', value: '', description: 'Directory to base systemd’s installation directories on')
+ option('elogind', type : 'feature', description : 'elogind support', deprecated: {'true': 'enabled', 'false': 'disabled'})
++option('installed_test_prefix', type: 'string', description: 'Prefix for installed tests')
+ option('tests', type : 'boolean', value : true, description : 'enable tests')
+ option('soup_session_compat', type : 'boolean', value : true, description : 'enable SoupSession runtime compatibility support')
+ option('curl', type : 'feature', description : 'libcurl support', deprecated: {'true': 'enabled', 'false': 'disabled'})
+diff --git a/plugins/redfish/fu-self-test.c b/plugins/redfish/fu-self-test.c
+index 4d19e560..91cfaa61 100644
+--- a/plugins/redfish/fu-self-test.c
++++ b/plugins/redfish/fu-self-test.c
+@@ -27,7 +27,7 @@ fu_test_is_installed_test(void)
+ 	const gchar *builddir = g_getenv("G_TEST_BUILDDIR");
+ 	if (builddir == NULL)
+ 		return FALSE;
+-	return g_str_has_prefix(builddir, FWUPD_PREFIX);
++	return g_str_has_prefix(builddir, FWUPD_INSTALLED_TEST_PREFIX);
+ }
+ 
+ static void
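Review bot: `option('installed_test_prefix', type: 'string', description: ...)` is added without a `value:`, so it defaults to the empty string. In that case `g_str_has_prefix(builddir, FWUPD_INSTALLED_TEST_PREFIX)` in `fu_test_is_installed_test()` is true for every non-NULL `G_TEST_BUILDDIR`, and the `join_paths(get_option('installed_test_prefix'), ...)` install directories become relative. The derivation passes `-Dinstalled_test_prefix=...`, so this only matters if that flag is ever dropped, but a fallback would keep the patch safe on its own. In `meson.build`, add `installed_test_prefix = get_option('installed_test_prefix') != '' ? get_option('installed_test_prefix') : prefix` and use that variable wherever the option is read. The body of `fu_test_is_installed_test()` starts outside the hunk.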
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/intel2200BGFirmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/intel2200BGFirmware/default.nix
new file mode 100644
index 000000000000..716c5e4d8288
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/intel2200BGFirmware/default.nix
@@ -0,0 +1,32 @@
+{ stdenvNoCC
+, lib
+, fetchurl }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "intel2200BGFirmware";
+  version = "3.1";
+
+  src = fetchurl {
+    url = "https://src.fedoraproject.org/repo/pkgs/ipw2200-firmware/ipw2200-fw-${version}.tgz/eaba788643c7cc7483dd67ace70f6e99/ipw2200-fw-${version}.tgz";
+    hash = "sha256-xoGMEcGMwDDVX/g/ZLK62P7vSF53QvhPlKYdgRpiWL0=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D -m644 ipw2200-bss.fw     $out/lib/firmware/ipw2200-bss.fw
+    install -D -m644 ipw2200-ibss.fw    $out/lib/firmware/ipw2200-ibss.fw
+    install -D -m644 ipw2200-sniffer.fw $out/lib/firmware/ipw2200-sniffer.fw
+    install -D -m644 LICENSE.ipw2200-fw $out/share/doc/intel2200BGFirmware/LICENSE
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Intel 2200BG cards";
+    homepage = "http://ipw2200.sourceforge.net/firmware.php";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ sternenseemann ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/libreelec-dvb-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/libreelec-dvb-firmware/default.nix
new file mode 100644
index 000000000000..9579ff11c739
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/libreelec-dvb-firmware/default.nix
@@ -0,0 +1,31 @@
+{ stdenvNoCC, fetchFromGitHub, lib}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "libreelec-dvb-firmware";
+  version = "1.4.2";
+
+  src = fetchFromGitHub {
+    repo = "dvb-firmware";
+    owner = "LibreElec";
+    rev = version;
+    sha256 = "1xnfl4gp6d81gpdp86v5xgcqiqz2nf1i43sb3a4i5jqs8kxcap2k";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib
+    cp -rv firmware $out/lib
+    find $out/lib \( -name 'README.*' -or -name 'LICEN[SC]E.*' -or -name '*.txt' \) | xargs rm
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "DVB firmware from LibreELEC";
+    homepage = "https://github.com/LibreELEC/dvb-firmware";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ kittywitch ];
+    platforms = platforms.linux;
+  };
+}
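Review bot: The cleanup pipeline `find … | xargs rm` in `installPhase` splits file names on whitespace and, when nothing matches, still runs `rm` with no operands, which is likely to fail the phase. `find` can delete the files itself: `find $out/lib \( -name 'README.*' -or -name 'LICEN[SC]E.*' -or -name '*.txt' \) -type f -delete`. Separately, removing the licence texts from a package marked `unfreeRedistributableFirmware` deserves a comment, since redistribution terms often require shipping them; installing them under `$out/share/doc` may be the safer choice.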
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/default.nix
new file mode 100644
index 000000000000..20058e7bc821
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/linux-firmware/default.nix
@@ -0,0 +1,31 @@
+{ stdenvNoCC, fetchzip, lib }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "linux-firmware";
+  version = "20220815";
+
+  src = fetchzip {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/snapshot/linux-firmware-${version}.tar.gz";
+    sha256 = "sha256-StPlnwn4KOvOf4fRblDzJQqyI8iIz8e9fo/BsTyCKjI=";
+  };
+
+  installFlags = [ "DESTDIR=$(out)" ];
+
+  # Firmware blobs do not need fixing and should not be modified
+  dontFixup = true;
+
+  outputHashMode = "recursive";
+  outputHashAlgo = "sha256";
+  outputHash = "sha256-VTRrOOkdWepUCKAkziO/0egb3oaQEOJCtsuDEgs/W78=";
+
+  meta = with lib; {
+    description = "Binary firmware collection packaged by kernel.org";
+    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
+    license = licenses.unfreeRedistributableFirmware;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fpletz ];
+    priority = 6; # give precedence to kernel firmware
+  };
+
+  passthru = { inherit version; };
+}
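Review bot: The `outputHash*` attributes make the whole derivation fixed-output, and nothing in the file says that `outputHash` has to change together with `version` and the `src` hash. If a bump forgets it, a store that already holds the old output will keep serving the previous firmware set without any error, because fixed-output paths are looked up by hash. A comment above `outputHashMode`, such as `# fixed-output: update outputHash on every version bump, otherwise the old blobs are reused`, would prevent that. Fixed-output builds also run with network access in the sandbox, so the install step should stay limited to copying files.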
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
new file mode 100644
index 000000000000..730e839bd457
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation {
+  pname = "raspberrypi-wireless-firmware";
+  version = "2021-12-06";
+
+  srcs = [
+    (fetchFromGitHub {
+      name = "bluez-firmware";
+      owner = "RPi-Distro";
+      repo = "bluez-firmware";
+      rev = "e7fd166981ab4bb9a36c2d1500205a078a35714d";
+      hash = "sha256-6xBdXwAGA1N42k1KKYrEgtsxtFAtrwhKdIrYY39Fb7Y=";
+    })
+    (fetchFromGitHub {
+      name = "firmware-nonfree";
+      owner = "RPi-Distro";
+      repo = "firmware-nonfree";
+      rev = "99d5c588e95ec9c9b86d7e88d3cf85b4f729d2bc";
+      hash = "sha256-xg6fYQvg7t2ikyLI8/XfpiNaNTf7CNFQlAzpTldTz10=";
+    })
+  ];
+
+  sourceRoot = ".";
+
+  dontBuild = true;
+  # Firmware blobs do not need fixing and should not be modified
+  dontFixup = true;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p "$out/lib/firmware/brcm"
+
+    # Wifi firmware
+    cp -rv "$NIX_BUILD_TOP/firmware-nonfree/debian/config/brcm80211/." "$out/lib/firmware/"
+
+    # Bluetooth firmware
+    cp -rv "$NIX_BUILD_TOP/bluez-firmware/broadcom/." "$out/lib/firmware/brcm"
+
+    # CM4 symlink must be added since it's missing from upstream
+    pushd $out/lib/firmware/brcm &>/dev/null
+    ln -s "./brcmfmac43455-sdio.txt" "$out/lib/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt"
+    popd &>/dev/null
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware for builtin Wifi/Bluetooth devices in the Raspberry Pi 3+ and Zero W";
+    homepage = "https://github.com/RPi-Distro/firmware-nonfree";
+    license = licenses.unfreeRedistributableFirmware;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ lopsided98 ];
+  };
+}
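Review bot: The `pushd`/`popd` pair around the CM4 symlink does nothing, because `ln -s` is already given the full `$out/...` link path and a relative target. The three lines can be reduced to `ln -s "./brcmfmac43455-sdio.txt" "$out/lib/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt"`. `$out` is also unquoted in the `pushd` line while it is quoted everywhere else in the phase.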
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix
new file mode 100644
index 000000000000..7143d0b55a27
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix
@@ -0,0 +1,53 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+let
+  inherit (lib) optionals;
+in
+stdenv.mkDerivation {
+  pname = "raspberrypi-armstubs";
+  version = "2021-11-01";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "tools";
+    rev = "13474ee775d0c5ec8a7da4fb0a9fa84187abfc87";
+    sha256 = "s/RPMIpQSznoQfchAP9gpO7I2uuTsOV0Ep4vVz7i2o4=";
+  };
+
+  NIX_CFLAGS_COMPILE = [
+    "-march=armv8-a+crc"
+  ];
+
+  preConfigure = ''
+    cd armstubs
+  '';
+
+  makeFlags = [
+    "CC8=${stdenv.cc.targetPrefix}cc"
+    "LD8=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY8=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP8=${stdenv.cc.targetPrefix}objdump"
+    "CC7=${stdenv.cc.targetPrefix}cc"
+    "LD7=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY7=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP7=${stdenv.cc.targetPrefix}objdump"
+  ]
+  ++ optionals (stdenv.isAarch64) [ "armstub8.bin" "armstub8-gic.bin" ]
+  ++ optionals (stdenv.isAarch32) [ "armstub7.bin" "armstub8-32.bin" "armstub8-32-gic.bin" ]
+  ;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -vp $out/
+    cp -v *.bin $out/
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware related ARM stubs for the Raspberry Pi";
+    homepage = "https://github.com/raspberrypi/tools";
+    license = licenses.bsd3;
+    platforms = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
+    maintainers = with maintainers; [ samueldr ];
+  };
+}
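Review bot: `NIX_CFLAGS_COMPILE` adds `-march=armv8-a+crc` to every compiler call, yet `platforms` lists `armv6l-linux` and `armv7l-linux` and the 32-bit targets include `armstub7.bin`; the file gives no reason for the flag. A comment naming the stub that needs it would let a later maintainer judge whether it should be conditional on `stdenv.isAarch64`. The `sha256` value is bare base64 without the `sha256-` prefix that the neighbouring files use; `hash = "sha256-s/RPMIpQSznoQfchAP9gpO7I2uuTsOV0Ep4vVz7i2o4=";` would be the consistent spelling.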
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
new file mode 100644
index 000000000000..9181a94dcb66
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation rec {
+  # NOTE: this should be updated with linux_rpi
+  pname = "raspberrypi-firmware";
+  version = "1.20220331";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "firmware";
+    rev = version;
+    hash = "sha256-TxlpHPEJAtVJTtDghuJpx2mLjEPiKkcAr7S9Cd/cocE=";
+  };
+
+  installPhase = ''
+    mkdir -p $out/share/raspberrypi/
+    mv boot "$out/share/raspberrypi/"
+  '';
+
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  meta = with lib; {
+    description = "Firmware for the Raspberry Pi board";
+    homepage = "https://github.com/raspberrypi/firmware";
+    license = licenses.unfreeRedistributableFirmware; # See https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
+    maintainers = with maintainers; [ dezgeg ];
+    broken = stdenvNoCC.isDarwin; # Hash mismatch on source, mystery.
+  };
+}
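Review bot: The custom `installPhase` omits `runHook preInstall` and `runHook postInstall`, so overrides that attach work to those hooks are skipped without notice; the same applies to the `installPhase` in rt5677, rtl8192su-firmware, rtl8723bs-firmware, rtl8761b-firmware and xow_dongle-firmware later in this diff. Wrap the body as the other firmware packages do, with `runHook preInstall` as the first line and `runHook postInstall` as the last. The `broken` comment "Hash mismatch on source, mystery." would be more useful with the suspected cause; a case-insensitive filesystem changing the unpacked tree is a common reason, though that is only a guess here.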
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rt5677/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rt5677/default.nix
new file mode 100644
index 000000000000..47e0068cc348
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rt5677/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation {
+  name = "rt5677-firmware";
+
+  src = fetchFromGitHub {
+    owner = "raphael";
+    repo = "linux-samus";
+    rev = "995de6c2093797905fbcd79f1a3625dd3f50be37";
+    sha256 = "sha256-PjPFpz4qJLC+vTomV31dA3AKGjfYjKB2ZYfUpnj61Cg=";
+  };
+
+  installPhase = ''
+    mkdir -p $out/lib/firmware
+    cp ./firmware/rt5677_elf_vad $out/lib/firmware
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Realtek rt5677 device";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = [ maintainers.zohl ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
new file mode 100644
index 000000000000..53f32ac31f9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+with lib;
+stdenvNoCC.mkDerivation {
+  pname = "rtl8192su";
+  version = "unstable-2016-10-05";
+
+  src = fetchFromGitHub {
+    owner = "chunkeey";
+    repo = "rtl8192su";
+    rev = "c00112c9a14133290fe30bd3b44e45196994cb1c";
+    sha256 = "0j3c35paapq1icmxq0mg7pm2xa2m69q7bkfmwgq99d682yr2cb5l";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    for i in rtl8192sfw.bin \
+             rtl8192sufw-ap.bin \
+             rtl8192sufw-apple.bin \
+             rtl8192sufw-windows.bin \
+             rtl8712u-linux-firmware-bad.bin \
+             rtl8712u-most-recent-v2.6.6-bad.bin \
+             rtl8712u-most-recent-v2.6.6-bad.bin \
+             rtl8712u-oldest-but-good.bin;
+    do
+      install -D -pm644 firmwares/$i $out/lib/firmware/rtlwifi/$i
+    done
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Realtek RTL8188SU/RTL8191SU/RTL8192SU";
+    homepage = "https://github.com/chunkeey/rtl8192su";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ mic92 ];
+    platforms = with platforms; linux;
+  };
+}
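Review bot: The file list in `installPhase` names `rtl8712u-most-recent-v2.6.6-bad.bin` twice, which suggests a different firmware file was meant on one of the two lines and is not being installed. Check the `firmwares/` directory of the pinned revision and either replace the duplicate with the intended name or drop it. The top-level `with lib;` is also redundant, since only `meta` uses `lib` names and it has its own `with lib;`.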
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix
new file mode 100644
index 000000000000..8e486e1c4b2c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenvNoCC, linuxPackages }:
+with lib;
+stdenvNoCC.mkDerivation {
+  pname = "rtl8723bs-firmware";
+  version = linuxPackages.rtl8723bs.version;
+  inherit (linuxPackages.rtl8723bs) src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p                "$out/lib/firmware/rtlwifi"
+    cp rtl8723bs_nic.bin    "$out/lib/firmware/rtlwifi"
+    cp rtl8723bs_wowlan.bin "$out/lib/firmware/rtlwifi"
+  '';
+
+  meta = with lib; {
+    description = "Firmware for RealTek 8723bs";
+    homepage = "https://github.com/hadess/rtl8723bs";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ elitak ];
+    platforms = with platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix
new file mode 100644
index 000000000000..c3fbe79537c4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenvNoCC, fetchFromGitHub }:
+
+stdenvNoCC.mkDerivation {
+  name = "rtl8761b-firmware";
+
+  src = fetchFromGitHub {
+    owner = "Realtek-OpenSource";
+    repo = "android_hardware_realtek";
+    rev = "rtk1395";
+    sha256 = "sha256-vd9sZP7PGY+cmnqVty3sZibg01w8+UNinv8X85B+dzc=";
+  };
+
+  installPhase = ''
+    install -D -pm644 \
+      bt/rtkbt/Firmware/BT/rtl8761b_fw \
+      $out/lib/firmware/rtl_bt/rtl8761b_fw.bin
+
+    install -D -pm644 \
+      bt/rtkbt/Firmware/BT/rtl8761b_config \
+      $out/lib/firmware/rtl_bt/rtl8761b_config.bin
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Realtek RTL8761b";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ milibopp ];
+    platforms = with platforms; linux;
+  };
+}
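Review bot: `rev = "rtk1395"` looks like a branch name rather than a tag or commit, so the ref can move upstream. The `sha256` still guarantees the fetched content, but a moved ref turns into a fetch failure later and the expression does not record which commit was reviewed. Pin the commit instead, `rev = "<commit-sha>"; # branch rtk1395`, and replace the bare `name` with `pname` plus a `version` such as `unstable-<date>`.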
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
new file mode 100644
index 000000000000..b4e07624b6ef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
@@ -0,0 +1,25 @@
+{ stdenvNoCC, lib, linuxPackages }:
+
+stdenvNoCC.mkDerivation {
+  pname = "rtw88-firmware";
+  inherit (linuxPackages.rtw88) version src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/rtw88
+    cp *.bin $out/lib/firmware/rtw88
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware for the newest Realtek rtlwifi codes";
+    homepage = "https://github.com/lwfinger/rtw88";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix
new file mode 100644
index 000000000000..8e71770df9ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix
@@ -0,0 +1,25 @@
+{ stdenvNoCC, lib, linuxPackages }:
+
+stdenvNoCC.mkDerivation {
+  pname = "rtw89-firmware";
+  inherit (linuxPackages.rtw89) version src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/rtw89
+    cp *.bin $out/lib/firmware/rtw89
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Driver for Realtek 8852AE, an 802.11ax device";
+    homepage = "https://github.com/lwfinger/rtw89";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+  };
+}
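Review bot: `description` says "Driver for Realtek 8852AE, an 802.11ax device", but this derivation only copies `*.bin` into `lib/firmware/rtw89`; the text appears to have been copied from the kernel-module package. Something like `description = "Firmware for the Realtek 8852AE 802.11ax device";` matches what is installed.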
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/sof-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
new file mode 100644
index 000000000000..b15f4c4949de
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
@@ -0,0 +1,35 @@
+{ lib
+, stdenvNoCC
+, fetchFromGitHub
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "sof-firmware";
+  version = "2.2";
+
+  src = fetchFromGitHub {
+    owner = "thesofproject";
+    repo = "sof-bin";
+    rev = "v${version}";
+    sha256 = "sha256-/gjGTDOXJ0vz/MH2hlistS3X3Euqf8T6TLnD1A2SBYo=";
+  };
+
+  dontFixup = true; # binaries must not be stripped or patchelfed
+
+  installPhase = ''
+    runHook preInstall
+    cd "v${lib.versions.majorMinor version}.x"
+    mkdir -p $out/lib/firmware/intel/
+    cp -a sof-v${version} $out/lib/firmware/intel/sof
+    cp -a sof-tplg-v${version} $out/lib/firmware/intel/sof-tplg
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Sound Open Firmware";
+    homepage = "https://www.sofproject.org/";
+    license = with licenses; [ bsd3 isc ];
+    maintainers = with maintainers; [ lblasc evenbrenden hmenke ];
+    platforms = with platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
new file mode 100644
index 000000000000..a019a6f79321
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
@@ -0,0 +1,39 @@
+{ rustPlatform, lib, fetchFromGitHub, xz, pkg-config, openssl, dbus, efibootmgr, makeWrapper }:
+rustPlatform.buildRustPackage rec {
+  pname = "system76-firmware";
+  # Check Makefile when updating, make sure postInstall matches make install
+  version = "1.0.39";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-nPHBL73hmvW9z5SQjmfu+ozMXxUEajNQxNtE/V9QwZ0=";
+  };
+
+  nativeBuildInputs = [ pkg-config makeWrapper ];
+
+  buildInputs = [ xz openssl dbus ];
+
+  cargoBuildFlags = [ "--workspace" ];
+
+  cargoSha256 = "sha256-BrzicLj7FbUqRG1BgQIRqh801tRQpRZkHSiX3ekAYqc=";
+
+  # Purposefully don't install systemd unit file, that's for NixOS
+  postInstall = ''
+    install -D -m -0644 data/system76-firmware-daemon.conf $out/etc/dbus-1/system.d/system76-firmware-daemon.conf
+
+    for bin in $out/bin/system76-firmware-*
+    do
+      wrapProgram $bin --prefix PATH : "${efibootmgr}/bin"
+    done
+  '';
+
+  meta = with lib; {
+    description = "Tools for managing firmware updates for system76 devices";
+    homepage = "https://github.com/pop-os/system76-firmware";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ shlevy ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
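Review bot: `install -D -m -0644` in `postInstall` passes `-0644` as the mode; with the leading `-`, GNU install is likely to read it as a symbolic "remove these bits" expression rather than the octal mode 0644, so the D-Bus policy file is not created with the intended permissions. The store's permission canonicalisation probably hides the effect, which is why it goes unnoticed. The line should read `install -D -m 0644 data/system76-firmware-daemon.conf $out/etc/dbus-1/system.d/system76-firmware-daemon.conf`. The `wrapProgram $bin` argument would also be safer quoted as `"$bin"`.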
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/xow_dongle-firmware/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/xow_dongle-firmware/default.nix
new file mode 100644
index 000000000000..824615a4baf2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/xow_dongle-firmware/default.nix
@@ -0,0 +1,34 @@
+{ stdenvNoCC, lib, fetchurl, cabextract }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "xow_dongle-firmware";
+  version = "2017-07";
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  src = fetchurl {
+    url = "http://download.windowsupdate.com/c/msdownload/update/driver/drvs/2017/07/1cd6a87c-623f-4407-a52d-c31be49e925c_e19f60808bdcbfbd3c3df6be3e71ffc52e43261e.cab";
+    sha256 = "013g1zngxffavqrk5jy934q3bdhsv6z05ilfixdn8dj0zy26lwv5";
+  };
+
+  nativeBuildInputs = [ cabextract ];
+
+  sourceRoot = "./.";
+
+  unpackCmd = ''
+    cabextract -F FW_ACC_00U.bin ${src}
+  '';
+
+  installPhase = ''
+    install -Dm644 FW_ACC_00U.bin ${placeholder "out"}/lib/firmware/xow_dongle.bin
+  '';
+
+  meta = with lib; {
+    description = "Xbox One wireless dongle firmware";
+    homepage = "https://www.xbox.com/en-NZ/accessories/adapters/wireless-adapter-windows";
+    license = licenses.unfree;
+    maintainers = with lib.maintainers; [ rhysmdnz ];
+    platforms = platforms.linux;
+  };
+}
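Review bot: The firmware is fetched over plain `http://`, so the `sha256` on the following line is the only thing that authenticates the cabinet file, and the expression does not record how that hash was verified. That is sufficient as long as the hash came from a trusted copy; a comment such as `# no HTTPS mirror; hash checked against <source>` would document it, or the URL can be switched to `https://` if the host serves it. `${src}` in `unpackCmd` should be quoted, and `sourceRoot = "./.";` can be the plain `"."` used elsewhere in this directory.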
diff --git a/nixpkgs/pkgs/os-specific/linux/firmware/zd1211/default.nix b/nixpkgs/pkgs/os-specific/linux/firmware/zd1211/default.nix
new file mode 100644
index 000000000000..6b86277ebc6e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firmware/zd1211/default.nix
@@ -0,0 +1,30 @@
+{ stdenvNoCC
+, lib
+, fetchurl
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "zd1211-firmware";
+  version = "1.5";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/zd1211/${pname}-${version}.tar.bz2";
+    hash = "sha256-8R04ENf3KDOZf2NFhKWG3M7XGjU/llq/gQYuxDHQKxI=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/zd1211
+    cp * $out/lib/firmware/zd1211
+
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "Firmware for the ZyDAS ZD1211(b) 802.11a/b/g USB WLAN chip";
+    homepage = "https://sourceforge.net/projects/zd1211/";
+    license = "GPL";
+    platforms = lib.platforms.linux;
+  };
+}
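Review bot: `license = "GPL";` is a free-form string, so nixpkgs' licence handling (free/unfree classification, allow-lists) cannot evaluate it and the GPL version is left unstated. Use the matching attribute from `lib.licenses`, for example `license = lib.licenses.gpl2Only;` once upstream's licence file confirms the version. `cp *` also copies every file from the tarball into `lib/firmware/zd1211`, including any README or build files, and `meta` has no `maintainers`.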
diff --git a/nixpkgs/pkgs/os-specific/linux/flashbench/default.nix b/nixpkgs/pkgs/os-specific/linux/flashbench/default.nix
new file mode 100644
index 000000000000..619aea69aa64
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/flashbench/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "flashbench-unstable";
+  version = "2020-01-23";
+
+  src = fetchFromGitHub {
+    owner = "bradfa";
+    repo = "flashbench";
+    rev = "d783b1bd2443812c6deadc31b081f043e43e4c1a";
+    sha256 = "045j1kpay6x2ikz8x54ph862ymfy1nzpbmmqpf3nkapiv32fjqw5";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    install -d -m755 $out/bin $out/share/doc/flashbench
+    install -v -m755 flashbench $out/bin
+    install -v -m755 erase $out/bin/flashbench-erase
+    install -v -m644 README $out/share/doc/flashbench
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Testing tool for flash based memory devices";
+    homepage = "https://github.com/bradfa/flashbench";
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+  };
+}
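Review bot: The `-unstable` marker sits in `pname` instead of `version`, so the package is named `flashbench-unstable` and tools that compare versions treat `2020-01-23` as a release. The nixpkgs convention is `pname = "flashbench";` with `version = "unstable-2020-01-23";`. `meta` also lacks `maintainers`.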
diff --git a/nixpkgs/pkgs/os-specific/linux/fnotifystat/default.nix b/nixpkgs/pkgs/os-specific/linux/fnotifystat/default.nix
new file mode 100644
index 000000000000..e600e163ad73
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fnotifystat/default.nix
@@ -0,0 +1,26 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "fnotifystat";
+  version = "0.02.07";
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    sha256 = "sha256-5oYM1t+vmWywYRbgXI2RGQlOuNJluj2gwCMf3pTpDC0=";
+  };
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "File activity monitoring tool";
+    homepage = "https://github.com/ColinIanKing/fnotifystat";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ womfoo dtzWill ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/forkstat/default.nix b/nixpkgs/pkgs/os-specific/linux/forkstat/default.nix
new file mode 100644
index 000000000000..1c3f3342e081
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/forkstat/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "forkstat";
+  version = "0.02.17";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-Rw1Xwst0+seksTLL+v3IUEojGjwCERwF89xkk70npUU=";
+  };
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Process fork/exec/exit monitoring tool";
+    homepage = "https://github.com/ColinIanKing/forkstat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ womfoo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/forktty/default.nix b/nixpkgs/pkgs/os-specific/linux/forktty/default.nix
new file mode 100644
index 000000000000..7dc1f0c3b2e4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/forktty/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "forktty";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "mirror://ibiblioPubLinux/utils/terminal/${pname}-${version}.tgz";
+    hash = "sha256-6xc5eshCuCIOsDh0r2DizKAeypGH0TRRotZ4itsvpVk=";
+  };
+
+  preBuild = ''
+    sed -e s@/usr/bin/ginstall@install@g -i Makefile
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/bin"
+    mkdir -p "$out/share/man/man8"
+  '';
+
+  makeFlags = [ "prefix=$(out)" "manprefix=$(out)/share/" ];
+
+  meta = with lib; {
+    description = "Tool to detach from controlling TTY and attach to another";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ raskin ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/freefall/default.nix b/nixpkgs/pkgs/os-specific/linux/freefall/default.nix
new file mode 100644
index 000000000000..683b599e5beb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/freefall/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, kernel }:
+
+stdenv.mkDerivation {
+  inherit (kernel) version src;
+
+  pname = "freefall";
+
+  postPatch = ''
+    cd tools/laptop/freefall
+
+    # Default time-out is a little low, probably because the AC/lid status
+    # functions were never implemented. Because no-one still uses HDDs, right?
+    substituteInPlace freefall.c --replace "alarm(2)" "alarm(5)"
+  '';
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    inherit (kernel.meta) homepage license;
+
+    description = "Free-fall protection for spinning HP/Dell laptop hard drives";
+    longDescription = ''
+      Provides a shock protection facility in modern laptops with spinning hard
+      drives, by stopping all input/output operations on the internal hard drive
+      and parking its heads on the ramp when critical situations are anticipated.
+      Requires support for the ATA/ATAPI-7 IDLE IMMEDIATE command with unload
+      feature, which should cause the drive to switch to idle mode and unload the
+      disk heads, and an accelerometer device. It has no effect on SSD devices!
+    '';
+
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fscrypt/default.nix b/nixpkgs/pkgs/os-specific/linux/fscrypt/default.nix
new file mode 100644
index 000000000000..e967dea1c3e1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fscrypt/default.nix
@@ -0,0 +1,55 @@
+{ lib, buildGoModule, fetchFromGitHub, gnum4, pam, fscrypt-experimental }:
+
+# Don't use this for anything important yet!
+
+buildGoModule rec {
+  pname = "fscrypt";
+  version = "0.3.3";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "fscrypt";
+    rev = "v${version}";
+    hash = "sha256-kkcZuX8tB7N8l9O3X6H92EqEqdAcqSbX+pwr7GrcRFY=";
+  };
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace 'TAG_VERSION := $(shell git describe --tags)' "" \
+      --replace "/usr/local" "$out"
+  '';
+
+  vendorSha256 = "sha256-6zcHz7ePJFSxxfIlhVK2VEf6+soBoUInT9ZsZK/Ag78=";
+
+  doCheck = false;
+
+  nativeBuildInputs = [ gnum4 ];
+  buildInputs = [ pam ];
+
+  buildPhase = ''
+    runHook preBuild
+    make
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    make install
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description =
+      "A high-level tool for the management of Linux filesystem encryption";
+    longDescription = ''
+      This tool manages metadata, key generation, key wrapping, PAM integration,
+      and provides a uniform interface for creating and modifying encrypted
+      directories.
+    '';
+    inherit (src.meta) homepage;
+    changelog = "https://github.com/google/fscrypt/releases/tag/v${version}";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+  };
+}
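Review bot: `doCheck = false;` disables the test suite of a tool that does key wrapping and PAM integration, and the file gives no reason. Please add a why-comment above it (for example `# tests need root and a mounted test filesystem`, if that is the actual cause) or enable the subset that can run in the sandbox. The header comment `# Don't use this for anything important yet!` has the same gap: it warns without saying what is missing. The `fscrypt-experimental` argument is never used in the body and can be dropped.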
diff --git a/nixpkgs/pkgs/os-specific/linux/fscryptctl/default.nix b/nixpkgs/pkgs/os-specific/linux/fscryptctl/default.nix
new file mode 100644
index 000000000000..2a2a9b41c9c2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fscryptctl/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "fscryptctl";
+  version = "1.0.0";
+
+  goPackagePath = "github.com/google/fscrypt";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "fscryptctl";
+    rev = "v${version}";
+    sha256 = "1hwj726mm0yhlcf6523n07h0yq1rvkv4km64h3ydpjcrcxklhw6l";
+  };
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "Small C tool for Linux filesystem encryption";
+    longDescription = ''
+      fscryptctl is a low-level tool written in C that handles raw keys and
+      manages policies for Linux filesystem encryption, specifically the
+      "fscrypt" kernel interface which is supported by the ext4, f2fs, and
+      UBIFS filesystems.
+      fscryptctl is mainly intended for embedded systems which can't use the
+      full-featured fscrypt tool, or for testing or experimenting with the
+      kernel interface to Linux filesystem encryption. fscryptctl does not
+      handle key generation, key stretching, key wrapping, or PAM integration.
+      Most users should use the fscrypt tool instead, which supports these
+      features and generally is much easier to use.
+      As fscryptctl is intended for advanced users, you should read the kernel
+      documentation for filesystem encryption before using fscryptctl.
+    '';
+    inherit (src.meta) homepage;
+    changelog = "https://github.com/google/fscryptctl/releases/tag/v${version}";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+  };
+}
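Review bot: `goPackagePath = "github.com/google/fscrypt";` is a leftover: this is a `stdenv.mkDerivation` of a C program, nothing visible reads the attribute, and it names the fscrypt repository rather than fscryptctl. Remove the line so the expression does not suggest a Go build or the wrong upstream.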
diff --git a/nixpkgs/pkgs/os-specific/linux/fsverity-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/fsverity-utils/default.nix
new file mode 100644
index 000000000000..c5bed075338f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fsverity-utils/default.nix
@@ -0,0 +1,51 @@
+{ stdenv
+, lib
+, fetchgit
+, openssl
+, enableShared ? !stdenv.hostPlatform.isStatic
+, enableManpages ? false
+, pandoc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "fsverity-utils";
+  version = "1.5";
+
+  outputs = [ "out" "lib" "dev" ] ++ lib.optional enableManpages "man";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git";
+    rev = "v${version}";
+    sha256 = "sha256-ygBOkp2PBe8Z2ak6SXEJ6HHuT4NRKmIsbJDHcY+h8PQ=";
+  };
+
+  patches = lib.optionals (!enableShared) [
+    ./remove-dynamic-libs.patch
+  ];
+
+  enableParallelBuilding = true;
+  strictDeps = true;
+
+  nativeBuildInputs = lib.optional enableManpages pandoc;
+  buildInputs = [ openssl ];
+
+  makeFlags = [ "DESTDIR=$(out)" "PREFIX=" ] ++ lib.optional enableShared "USE_SHARED_LIB=1";
+
+  doCheck = true;
+
+  installTargets = [ "install" ] ++ lib.optional enableManpages "install-man";
+
+  postInstall = ''
+    mkdir -p $lib
+    mv $out/lib $lib/lib
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.kernel.org/doc/html/latest/filesystems/fsverity.html#userspace-utility";
+    changelog = "https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/NEWS.md";
+    description = "A set of userspace utilities for fs-verity";
+    license = licenses.mit;
+    maintainers = with maintainers; [ jk ];
+    platforms = platforms.linux;
+  };
+}
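Review bot: `makeFlags = [ "DESTDIR=$(out)" "PREFIX=" ]` installs with an empty prefix, and the upstream install rule substitutes `@PREFIX@` and `@LIBDIR@` into the pkg-config file (see the `sed` lines quoted in remove-dynamic-libs.patch), so the generated `.pc` file probably points at `/lib` and `/include` instead of store paths. `postInstall` then moves `$out/lib` to `$lib/lib` by hand, which the `.pc` contents do not follow either. Assuming the Makefile honours `LIBDIR` and `INCDIR` overrides, as its install rule suggests, the first list could become `[ "PREFIX=$(out)" "LIBDIR=$(lib)/lib" "INCDIR=$(dev)/include" ]` and the manual `mv` dropped; please inspect the resulting `.pc` file either way.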
diff --git a/nixpkgs/pkgs/os-specific/linux/fsverity-utils/remove-dynamic-libs.patch b/nixpkgs/pkgs/os-specific/linux/fsverity-utils/remove-dynamic-libs.patch
new file mode 100644
index 000000000000..95635cbccdb8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fsverity-utils/remove-dynamic-libs.patch
@@ -0,0 +1,27 @@
+diff --git a/Makefile b/Makefile
+index 2304a21..697ccd4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -149,13 +149,11 @@ libfsverity.so.$(SOVERSION):$(SHARED_LIB_OBJ)
+ 	$(QUIET_CCLD) $(CC) -o $@ -Wl,-soname=$@ -shared $+ \
+ 		$(CFLAGS) $(LDFLAGS) $(LDLIBS)
+ 
+-DEFAULT_TARGETS += libfsverity.so.$(SOVERSION)
+ 
+ # Create the symlink libfsverity.so => libfsverity.so.$(SOVERSION)
+ libfsverity.so:libfsverity.so.$(SOVERSION)
+ 	$(QUIET_LN) ln -sf $+ $@
+ 
+-DEFAULT_TARGETS += libfsverity.so
+ 
+ ##############################################################################
+ 
+@@ -263,8 +261,6 @@ install:all
+ 	install -d $(DESTDIR)$(LIBDIR)/pkgconfig $(DESTDIR)$(INCDIR) $(DESTDIR)$(BINDIR)
+ 	install -m755 $(FSVERITY) $(DESTDIR)$(BINDIR)
+ 	install -m644 libfsverity.a $(DESTDIR)$(LIBDIR)
+-	install -m755 libfsverity.so.$(SOVERSION) $(DESTDIR)$(LIBDIR)
+-	ln -sf libfsverity.so.$(SOVERSION) $(DESTDIR)$(LIBDIR)/libfsverity.so
+ 	install -m644 include/libfsverity.h $(DESTDIR)$(INCDIR)
+ 	sed -e "s|@PREFIX@|$(PREFIX)|" \
+ 		-e "s|@LIBDIR@|$(LIBDIR)|" \
diff --git a/nixpkgs/pkgs/os-specific/linux/fswebcam/default.nix b/nixpkgs/pkgs/os-specific/linux/fswebcam/default.nix
new file mode 100644
index 000000000000..678e0d428419
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fswebcam/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl, libv4l, gd }:
+
+stdenv.mkDerivation rec {
+  pname = "fswebcam";
+  version = "20200725";
+
+  src = fetchurl {
+    url = "https://www.sanslogic.co.uk/fswebcam/files/fswebcam-${version}.tar.gz";
+    sha256 = "1dazsrcaw9s30zz3jpxamk9lkff5dkmflp1s0jjjvdbwa0k6k6ii";
+  };
+
+  buildInputs =
+    [ libv4l gd ];
+
+  meta = {
+    description = "Neat and simple webcam app";
+    homepage = "http://www.sanslogic.co.uk/fswebcam";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ftop/default.nix b/nixpkgs/pkgs/os-specific/linux/ftop/default.nix
new file mode 100644
index 000000000000..abd6d7884619
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ftop/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchurl, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "ftop";
+  version = "1.0";
+
+  src = fetchurl {
+    url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/ftop/${pname}-${version}.tar.bz2";
+    sha256 = "3a705f4f291384344cd32c3dd5f5f6a7cd7cea7624c83cb7e923966dbcd47f82";
+  };
+
+  buildInputs = [ ncurses ];
+
+  patches = [
+    ./ftop-fix_buffer_overflow.patch
+    ./ftop-fix_printf_format.patch
+  ];
+  patchFlags = [ "-p0" ];
+
+  postPatch = ''
+    substituteInPlace configure --replace "curses" "ncurses"
+  '';
+
+  meta = with lib; {
+    description = "Show progress of open files and file systems";
+    homepage = "https://code.google.com/archive/p/ftop/";
+    license = licenses.gpl3Plus;
+    longDescription = ''
+      ftop is to files what top is to processes. The progress of all open files
+      and file systems can be monitored. If run as a regular user, the set of
+      open files will be limited to those in that user's processes (which is
+      generally all that is of interest to the user).
+      As with top, the items are displayed in order from most to least active.
+    '';
+    platforms = platforms.linux;
+  };
+}
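Review bot: The two entries in `patches` have no comment saying what they fix or where they came from. `src` and `homepage` both point at the Google Code archive, so these patches will probably be carried for as long as the package exists, and `ftop-fix_buffer_overflow.patch` is a memory-safety fix that a later cleanup should not drop by accident. A one-line comment above each entry would record this, for example `# clamp the snprintf size for rate_buf in src/ftop.c` and `# use %zu for the counters printed in src/ftop.c`, along with the patch origin if it is known.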
diff --git a/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_buffer_overflow.patch b/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_buffer_overflow.patch
new file mode 100644
index 000000000000..f10fa6a33b85
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_buffer_overflow.patch
@@ -0,0 +1,11 @@
+--- src/ftop.c.orig	2010-06-15 21:42:15.000000000 +0200
++++ src/ftop.c	2010-06-15 21:45:38.000000000 +0200
+@@ -935,7 +935,7 @@
+     {
+         if (bar_used > 0)
+         {
+-            snprintf(rate_buf, bar_used + 1, "%s", tmp_buf);
++            snprintf(rate_buf, bar_used >= sizeof(rate_buf) ? sizeof(rate_buf) : bar_used + 1, "%s", tmp_buf);
+             p_attron(p, A_REVERSE);
+             p_printf(p, "%s", rate_buf);
+             if (bar_used > bytes)
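Review bot: The clamp in the new `snprintf` call bounds only the size argument; `bar_used` itself keeps its original value, so the `if (bar_used > bytes)` test right after it, and anything in that branch that uses `bar_used` as a length or offset, still sees a value that may exceed `sizeof(rate_buf)`. The rest of the branch lies outside the hunk, so whether it indexes a buffer with `bar_used` cannot be confirmed from here and should be checked in src/ftop.c. Clamping once before the call, `if (bar_used >= sizeof(rate_buf)) bar_used = sizeof(rate_buf) - 1;`, would let the original `bar_used + 1` size stand and bound later uses as well, provided the display logic tolerates the reduced value. The `sizeof` form also relies on `rate_buf` being an array in this scope and not a pointer; its declaration is not visible.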
diff --git a/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_printf_format.patch b/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_printf_format.patch
new file mode 100644
index 000000000000..afb04306428a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ftop/ftop-fix_printf_format.patch
@@ -0,0 +1,20 @@
+--- src/ftop.c.orig	2010-06-15 23:14:50.000000000 +0200
++++ src/ftop.c	2010-06-15 23:15:52.000000000 +0200
+@@ -222,7 +222,7 @@
+     p_eol(p, part);
+ 
+     cols = snprintf(tmp_buf, sizeof(tmp_buf),
+-                    "Processes:  %u total, %u unreadable",
++                    "Processes:  %zu total, %zu unreadable",
+                     s->num_processes + s->num_unreadable_processes,
+                     s->num_unreadable_processes);
+ 
+@@ -244,7 +244,7 @@
+     p_eol(p, part);
+ 
+     snprintf(tmp_buf, sizeof(tmp_buf),
+-             "Open Files: %u regular, %u dir, %u chr, %u blk, %u pipe, %u sock, %u misc",
++             "Open Files: %zu regular, %zu dir, %zu chr, %zu blk, %zu pipe, %zu sock, %zu misc",
+              s->num_reg, s->num_dir, s->num_chr, s->num_blk, s->num_pipe,
+              s->num_sock, s->num_misc);
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/common.nix b/nixpkgs/pkgs/os-specific/linux/fuse/common.nix
new file mode 100644
index 000000000000..ac4deb19f51c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/common.nix
@@ -0,0 +1,107 @@
+{ version, sha256Hash }:
+
+{ lib, stdenv, fetchFromGitHub, fetchpatch
+, fusePackages, util-linux, gettext, shadow
+, meson, ninja, pkg-config
+, autoreconfHook
+, python3Packages, which
+}:
+
+let
+  isFuse3 = lib.hasPrefix "3" version;
+in stdenv.mkDerivation rec {
+  pname = "fuse";
+  inherit version;
+
+  src = fetchFromGitHub {
+    owner = "libfuse";
+    repo = "libfuse";
+    rev = "${pname}-${version}";
+    sha256 = sha256Hash;
+  };
+
+  preAutoreconf = "touch config.rpath";
+
+  patches =
+    lib.optional
+      (!isFuse3 && stdenv.isAarch64)
+      (fetchpatch {
+        url = "https://github.com/libfuse/libfuse/commit/914871b20a901e3e1e981c92bc42b1c93b7ab81b.patch";
+        sha256 = "1w4j6f1awjrycycpvmlv0x5v9gprllh4dnbjxl4dyl2jgbkaw6pa";
+      })
+    ++ (if isFuse3
+      then [ ./fuse3-install.patch ./fuse3-Do-not-set-FUSERMOUNT_DIR.patch ]
+      else [
+        ./fuse2-Do-not-set-FUSERMOUNT_DIR.patch
+        (fetchpatch {
+          url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-fs/fuse/files/fuse-2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9";
+          sha256 = "sha256-ELYBW/wxRcSMssv7ejCObrpsJHtOPJcGq33B9yHQII4=";
+        })
+      ]);
+
+  nativeBuildInputs = if isFuse3
+    then [ meson ninja pkg-config ]
+    else [ autoreconfHook gettext ];
+
+  outputs = [ "out" ] ++ lib.optional isFuse3 "common";
+
+  mesonFlags = lib.optionals isFuse3 [
+    "-Dudevrulesdir=/udev/rules.d"
+    "-Duseroot=false"
+  ];
+
+  preConfigure = ''
+    export MOUNT_FUSE_PATH=$out/sbin
+    export INIT_D_PATH=$TMPDIR/etc/init.d
+    export UDEV_RULES_PATH=$out/etc/udev/rules.d
+
+    # Ensure that FUSE calls the setuid wrapper, not
+    # $out/bin/fusermount. It falls back to calling fusermount in
+    # $PATH, so it should also work on non-NixOS systems.
+    export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\""
+
+    substituteInPlace lib/mount_util.c --replace "/bin/" "${util-linux}/bin/"
+    '' + (if isFuse3 then ''
+      # The configure phase will delete these files (temporary workaround for
+      # ./fuse3-install_man.patch)
+      install -D -m444 doc/fusermount3.1 $out/share/man/man1/fusermount3.1
+      install -D -m444 doc/mount.fuse3.8 $out/share/man/man8/mount.fuse3.8
+    '' else ''
+      substituteInPlace util/mount.fuse.c --replace '"su"' '"${shadow.su}/bin/su"'
+      sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
+      ./makeconf.sh
+    '');
+
+  checkInputs = [ which ] ++ (with python3Packages; [ python pytest ]);
+
+  checkPhase = ''
+    python3 -m pytest test/
+  '';
+
+  doCheck = false; # v2: no tests, v3: all tests get skipped in a sandbox
+
+  postFixup = "cd $out\n" + (if isFuse3 then ''
+    install -D -m444 etc/fuse.conf $common/etc/fuse.conf
+    install -D -m444 etc/udev/rules.d/99-fuse3.rules $common/etc/udev/rules.d/99-fuse.rules
+  '' else ''
+    cp ${fusePackages.fuse_3.common}/etc/fuse.conf etc/fuse.conf
+    cp ${fusePackages.fuse_3.common}/etc/udev/rules.d/99-fuse.rules etc/udev/rules.d/99-fuse.rules
+  '');
+
+  meta = with lib; {
+    description = "Library that allows filesystems to be implemented in user space";
+    longDescription = ''
+      FUSE (Filesystem in Userspace) is an interface for userspace programs to
+      export a filesystem to the Linux kernel. The FUSE project consists of two
+      components: The fuse kernel module (maintained in the regular kernel
+      repositories) and the libfuse userspace library (this package). libfuse
+      provides the reference implementation for communicating with the FUSE
+      kernel module.
+    '';
+    homepage = "https://github.com/libfuse/libfuse";
+    changelog = "https://github.com/libfuse/libfuse/releases/tag/fuse-${version}";
+    platforms = platforms.linux;
+    license = with licenses; [ gpl2Only lgpl21Only ];
+    maintainers = [ maintainers.primeos ];
+  };
+}
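Review bot: In `preConfigure`, `export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\""` assigns the variable outright, so any flags already in it at that point are discarded; appending keeps them: `export NIX_CFLAGS_COMPILE+=" -DFUSERMOUNT_DIR=\"/run/wrappers/bin\""`. No `buildInputs` are declared here, so the variable may be empty today, but the assignment would silently drop flags if that changes. Separately, the comment in the fuse3 branch refers to `./fuse3-install_man.patch`, while the `patches` list only applies `./fuse3-install.patch`; the comment should name the patch that is really applied or be removed. Since `FUSERMOUNT_DIR` points at the setuid wrapper directory outside the store, the existing comment is worth keeping next to whichever form of the export is used.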
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/default.nix b/nixpkgs/pkgs/os-specific/linux/fuse/default.nix
new file mode 100644
index 000000000000..6aa3e46d4e1a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/default.nix
@@ -0,0 +1,17 @@
+{ callPackage, util-linux }:
+
+let
+  mkFuse = args: callPackage (import ./common.nix args) {
+    inherit util-linux;
+  };
+in {
+  fuse_2 = mkFuse {
+    version = "2.9.9";
+    sha256Hash = "1yxxvm58c30pc022nl1wlg8fljqpmwnchkywic3r74zirvlcq23n";
+  };
+
+  fuse_3 = mkFuse {
+    version = "3.11.0";
+    sha256Hash = "1wx80xxlvjn0wxhmkr1g91vwrgxssyzds1hizzxc2xrd4kjh9dfb";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/fuse2-Do-not-set-FUSERMOUNT_DIR.patch b/nixpkgs/pkgs/os-specific/linux/fuse/fuse2-Do-not-set-FUSERMOUNT_DIR.patch
new file mode 100644
index 000000000000..8ff40f34f938
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/fuse2-Do-not-set-FUSERMOUNT_DIR.patch
@@ -0,0 +1,11 @@
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -1,7 +1,7 @@
+ ## Process this file with automake to produce Makefile.in
+ 
+ AUTOMAKE_OPTIONS = subdir-objects
+-AM_CPPFLAGS = -I$(top_srcdir)/include -DFUSERMOUNT_DIR=\"$(bindir)\" \
++AM_CPPFLAGS = -I$(top_srcdir)/include \
+  -D_FILE_OFFSET_BITS=64 -D_REENTRANT -DFUSE_USE_VERSION=26
+ 
+ lib_LTLIBRARIES = libfuse.la libulockmgr.la
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-Do-not-set-FUSERMOUNT_DIR.patch b/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-Do-not-set-FUSERMOUNT_DIR.patch
new file mode 100644
index 000000000000..903f30325df2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-Do-not-set-FUSERMOUNT_DIR.patch
@@ -0,0 +1,12 @@
+--- a/lib/meson.build
++++ b/lib/meson.build
+@@ -37,8 +37,7 @@ libfuse = library('fuse3', libfuse_sources, version: meson.project_version(),
+                   soversion: '3', include_directories: include_dirs,
+                   dependencies: deps, install: true,
+                   link_depends: 'fuse_versionscript',
+-                  c_args: [ '-DFUSE_USE_VERSION=35',
+-                            '-DFUSERMOUNT_DIR="@0@"'.format(fusermount_path) ],
++                  c_args: [ '-DFUSE_USE_VERSION=35' ],
+                   link_args: ['-Wl,--version-script,' + meson.current_source_dir()
+                               + '/fuse_versionscript' ])
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-install.patch b/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-install.patch
new file mode 100644
index 000000000000..147bcb439fb8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fuse/fuse3-install.patch
@@ -0,0 +1,25 @@
+--- a/util/install_helper.sh	2019-07-10 12:00:15.984840142 +0200
++++ b/util/install_helper.sh	2019-07-10 12:28:56.343011401 +0200
+@@ -37,10 +37,10 @@
+ fi
+ 
+ install -D -m 644 "${MESON_SOURCE_ROOT}/util/udev.rules" \
+-        "${DESTDIR}${udevrulesdir}/99-fuse3.rules"
++        "${sysconfdir}${udevrulesdir}/99-fuse3.rules"
+ 
+ install -D -m 755 "${MESON_SOURCE_ROOT}/util/init_script" \
+-        "${DESTDIR}/etc/init.d/fuse3"
++        "${sysconfdir}/init.d/fuse3"
+ 
+ 
+ if test -x /usr/sbin/update-rc.d && test -z "${DESTDIR}"; then
+diff --git a/util/meson.build b/util/meson.build
+index aa0e734..06d4378 100644
+--- a/util/meson.build
++++ b/util/meson.build
+@@ -1,4 +1,4 @@
+-fuseconf_path = join_paths(get_option('prefix'), get_option('sysconfdir'), 'fuse.conf')
++fuseconf_path = join_paths('/', get_option('sysconfdir'), 'fuse.conf')
+ 
+ executable('fusermount3', ['fusermount.c', '../lib/mount_util.c'],
+            include_directories: include_dirs,
diff --git a/nixpkgs/pkgs/os-specific/linux/fwts/default.nix b/nixpkgs/pkgs/os-specific/linux/fwts/default.nix
new file mode 100644
index 000000000000..585347caac0f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fwts/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchzip, autoreconfHook, pkg-config, glib, pcre
+, json_c, flex, bison, dtc, pciutils, dmidecode, acpica-tools, libbsd }:
+
+stdenv.mkDerivation rec {
+  pname = "fwts";
+  version = "21.07.00";
+
+  src = fetchzip {
+    url = "https://fwts.ubuntu.com/release/${pname}-V${version}.tar.gz";
+    sha256 = "sha256-cTm8R7sUJk5aTjXvsxfBXX0J/ehVoqo43ILZ6VqaPTI=";
+    stripRoot = false;
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ glib pcre json_c flex bison dtc pciutils dmidecode acpica-tools libbsd ];
+
+  postPatch = ''
+    substituteInPlace src/lib/include/fwts_binpaths.h \
+      --replace "/usr/bin/lspci"      "${pciutils}/bin/lspci" \
+      --replace "/usr/sbin/dmidecode" "${dmidecode}/bin/dmidecode" \
+      --replace "/usr/bin/iasl"       "${acpica-tools}/bin/iasl"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://wiki.ubuntu.com/FirmwareTestSuite";
+    description = "Firmware Test Suite";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ tadfisher ];
+  };
+}
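Review bot: `flex` and `bison` are listed in `buildInputs`, but they are code generators that run on the build machine and belong in `nativeBuildInputs` next to `autoreconfHook` and `pkg-config`; as written, a cross build would be handed host-platform binaries. If fwts also links against the flex runtime library, `flex` may need to appear in both lists, which cannot be told from this file. `license = licenses.gpl2;` leaves open whether the grant is GPL-2.0-only or or-later; once checked against upstream, `licenses.gpl2Only` or `licenses.gpl2Plus` would state it, as fuse/common.nix in this commit does.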
diff --git a/nixpkgs/pkgs/os-specific/linux/fwts/module.nix b/nixpkgs/pkgs/os-specific/linux/fwts/module.nix
new file mode 100644
index 000000000000..72f25aa800eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fwts/module.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fwts, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "fwts-efi-runtime";
+  version = "${fwts.version}-${kernel.version}";
+
+  inherit (fwts) src;
+
+  sourceRoot = "source/efi_runtime";
+
+  postPatch = ''
+    substituteInPlace Makefile --replace \
+      '/lib/modules/$(KVER)/build' \
+      '${kernel.dev}/lib/modules/${kernel.modDirVersion}/build'
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  meta = with lib; {
+    inherit (fwts.meta) homepage license;
+    description = fwts.meta.description + "(efi-runtime kernel module)";
+    maintainers = with maintainers; [ dtzWill ];
+    platforms = platforms.linux;
+  };
+}
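Review bot: The `description` concatenation has no separator, so with the description set in fwts/default.nix it evaluates to `Firmware Test Suite(efi-runtime kernel module)`; it should read `description = fwts.meta.description + " (efi-runtime kernel module)";`. `hardeningDisable = [ "pic" ];` would also benefit from a short comment such as `# kernel modules are not built as position-independent code`, so the opt-out is not mistaken for an unneeded weakening of the default hardening flags.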
diff --git a/nixpkgs/pkgs/os-specific/linux/fxload/default.nix b/nixpkgs/pkgs/os-specific/linux/fxload/default.nix
new file mode 100644
index 000000000000..8c1a778ec8bf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/fxload/default.nix
@@ -0,0 +1,37 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "fxload";
+  version = "2002.04.11";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/linux-hotplug/fxload-${lib.replaceStrings ["."] ["_"] version}.tar.gz";
+    sha256 = "1hql93bp3dxrv1p67nc63xsbqwljyynm997ysldrc3n9ifi6s48m";
+  };
+
+  patches = [
+    # Will be needed after linux-headers is updated to >= 2.6.21.
+    (fetchurl {
+      url = "http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/sys-apps/fxload/files/fxload-20020411-linux-headers-2.6.21.patch?rev=1.1";
+      sha256 = "0ij0c8nr1rbyl5wmyv1cklhkxglvsqz32h21cjw4bjm151kgmk7p";
+    })
+  ];
+
+  preBuild = ''
+    substituteInPlace Makefile --replace /usr /
+    makeFlagsArray=(INSTALL=install prefix=$out)
+  '';
+
+  preInstall = ''
+    mkdir -p $out/sbin
+    mkdir -p $out/share/man/man8
+    mkdir -p $out/share/usb
+  '';
+
+  meta = with lib; {
+    homepage = "http://linux-hotplug.sourceforge.net/?selected=usb";
+    description = "Tool to upload firmware to Cypress EZ-USB microcontrollers";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
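Review bot: The entry in `patches` is fetched over plain `http://` from a `viewcvs.py` URL on sources.gentoo.org. The `sha256` pin means a modified response fails the build instead of being applied, so integrity is covered, but the fetch still depends on an unencrypted legacy CVS endpoint staying reachable, and a rebuild from source breaks when it does not. Vendoring the patch next to default.nix, or pointing at an https location serving the same bytes, would be more robust. The comment above it also reads as stale, since the patch is applied unconditionally; `# Needed to build against linux-headers >= 2.6.21.` would match what the expression does.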
diff --git a/nixpkgs/pkgs/os-specific/linux/g15daemon/default.nix b/nixpkgs/pkgs/os-specific/linux/g15daemon/default.nix
new file mode 100644
index 000000000000..d20fb662ff55
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/g15daemon/default.nix
@@ -0,0 +1,93 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, fetchurl
+, fetchpatch
+, patchelf
+, freetype
+, libusb-compat-0_1
+}:
+let
+  license = lib.licenses.gpl2;
+  maintainers = with lib.maintainers; [ peterhoeg ];
+
+  g15src = { pname, version, sha256 }: fetchurl {
+    url = "mirror://sourceforge/g15tools/${pname}/${version}/${pname}-${version}.tar.bz2";
+    inherit sha256;
+  };
+
+  libg15 = stdenv.mkDerivation rec {
+    pname = "libg15";
+    version = "1.2.7";
+
+    src = g15src {
+      inherit pname version;
+      sha256 = "1mkrf622n0cmz57lj8w9q82a9dcr1lmyyxbnrghrxzb6gvifnbqk";
+    };
+
+    buildInputs = [ libusb-compat-0_1 ];
+
+    enableParallelBuilding = true;
+
+    meta = {
+      description = "Provides low-level access to Logitech G11/G15 keyboards and Z10 speakers";
+      inherit license maintainers;
+    };
+  };
+
+  libg15render = stdenv.mkDerivation rec {
+    pname = "libg15render";
+    version = "1.2";
+
+    src = g15src {
+      inherit pname version;
+      sha256 = "03yjb78j1fnr2fwklxy54sdljwi0imvp29m8kmwl9v0pdapka8yj";
+    };
+
+    buildInputs = [ libg15 ];
+
+    enableParallelBuilding = true;
+
+    meta = {
+      description = "A small graphics library optimised for drawing on an LCD";
+      inherit license maintainers;
+    };
+  };
+in
+stdenv.mkDerivation rec {
+  pname = "g15daemon";
+  version = "1.9.5.3";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/${pname}/G15Daemon%201.9x/${version}/${pname}-${version}.tar.bz2";
+    sha256 = "1613gsp5dgilwbshqxxhiyw73ksngnam7n1iw6yxdjkp9fyd2a3d";
+  };
+
+  patches = let
+    patch = fname: sha256: fetchurl rec {
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-community/c0b0b6d4d6d7b79eca68123b20e0c9fb82e1c6e1/g15daemon/trunk/${pname}-${version}-${fname}.patch";
+      name = "${fname}.patch";
+      inherit sha256;
+    };
+  in
+    [
+      (patch "uinput" "1misfff7a1vg0qgfk3n25y7drnm86a4gq96iflpcwr5x3lw7q0h7")
+      (patch "config-write" "0jkrbqvzqrvxr14h5qi17cb4d32caq7vw9kzlz3qwpxdgxjrjvy2")
+      (patch "recv-oob-answer" "1f67iqpj5hcgpakagi7gbw1xviwhy5vizs546l9bfjimx8r2d29g")
+      ./pid_location.patch
+    ];
+
+  buildInputs = [ libg15 libg15render ];
+
+  # Workaround build failure on -fno-common toolchains like upstream gcc-10:
+  #  ld: g15_plugins.o:/build/g15daemon-1.9.5.3/g15daemon/./g15daemon.h:218:
+  #   multiple definition of `lcdlist_mutex'; utility_funcs.o:g15daemon.h:218: first defined here
+  NIX_CFLAGS_COMPILE = "-fcommon";
+
+  enableParallelBuilding = true;
+
+  meta = {
+    description = "A daemon that makes it possible to use the Logitech keyboard G-Buttons and draw on various Logitech LCDs";
+    inherit license maintainers;
+  };
+}
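Review bot: The argument set declares `fetchFromGitHub`, `fetchpatch`, `patchelf` and `freetype`, and none of them is referenced anywhere in the expression. Unused arguments make the package look as if it depends on more than it does, so the header can shrink to `{ stdenv, lib, fetchurl, libusb-compat-0_1 }:`. In the `patch` helper, `fetchurl rec { ... }` does not need `rec`, because `url` and `name` are built from the helper's arguments and not from each other. Fetching the three Arch patches at a fixed commit with a `sha256` each is good practice and worth a one-line comment naming the source repository.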
diff --git a/nixpkgs/pkgs/os-specific/linux/g15daemon/pid_location.patch b/nixpkgs/pkgs/os-specific/linux/g15daemon/pid_location.patch
new file mode 100644
index 000000000000..f88c4a809626
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/g15daemon/pid_location.patch
@@ -0,0 +1,25 @@
+diff --git a/g15daemon/main.c b/g15daemon/main.c
+index e674475..97b8242 100644
+--- a/g15daemon/main.c
++++ b/g15daemon/main.c
+@@ -574,7 +574,7 @@ exitnow:
+     g15daemon_quit_refresh();
+     uf_conf_write(lcdlist,"/etc/g15daemon.conf");
+     uf_conf_free(lcdlist);
+-    unlink("/var/run/g15daemon.pid");
++    unlink("/run/g15daemon/g15daemon.pid");
+     }
+     return 0;
+ }
+diff --git a/g15daemon/utility_funcs.c b/g15daemon/utility_funcs.c
+index c93d164..2e9c679 100644
+--- a/g15daemon/utility_funcs.c
++++ b/g15daemon/utility_funcs.c
+@@ -48,7 +48,7 @@
+
+ extern unsigned int g15daemon_debug;
+ extern volatile int leaving;
+-#define G15DAEMON_PIDFILE "/var/run/g15daemon.pid"
++#define G15DAEMON_PIDFILE "/run/g15daemon/g15daemon.pid"
+
+ pthread_cond_t lcd_refresh = PTHREAD_COND_INITIALIZER;
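Review bot: The new pid path is now written in two places, as a string literal in the `unlink()` call in g15daemon/main.c and as `G15DAEMON_PIDFILE` in g15daemon/utility_funcs.c, so the two can drift apart on the next change; defining the macro once in a header both files include and calling `unlink(G15DAEMON_PIDFILE);` would avoid that. Both edits sit inside code that continues outside the hunks, so the place where the pid file is created is not visible here. Nothing in the patch creates `/run/g15daemon`, so the service definition has to provide it (for a systemd unit, `RuntimeDirectory=g15daemon`) with ownership restricted to the daemon's user, since a pid-file directory that other users can write to lets them control the file's contents.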
diff --git a/nixpkgs/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix b/nixpkgs/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix
new file mode 100644
index 000000000000..1f0265207dfb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv
+, fetchFromGitHub
+, kernel
+, kmod
+}:
+
+let
+  kerneldir = "lib/modules/${kernel.modDirVersion}";
+in stdenv.mkDerivation rec {
+  pname = "gcadapter-oc-kmod";
+  version = "unstable-2021-12-11";
+
+  src = fetchFromGitHub {
+    owner = "HannesMann";
+    repo = pname;
+    rev = "d4ddf15deb74c51dbdfc814d481ef127c371f444";
+    sha256 = "sha256-bHA1611rcO8/d48b1CHsiurEt3/n+5WErtHXAU7Eh1o=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNEL_SOURCE_DIR=${kernel.dev}/${kerneldir}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  installPhase = ''
+    install -D {,$out/${kerneldir}/extra/}gcadapter_oc.ko
+  '';
+
+  meta = with lib; {
+    description = "Kernel module for overclocking the Nintendo Wii U/Mayflash GameCube adapter";
+    homepage = "https://github.com/HannesMann/gcadapter-oc-kmod";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ r-burns ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/gfxtablet/default.nix b/nixpkgs/pkgs/os-specific/linux/gfxtablet/default.nix
new file mode 100644
index 000000000000..608ca8e58cc5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gfxtablet/default.nix
@@ -0,0 +1,33 @@
+{lib, stdenv, fetchFromGitHub, linuxHeaders}:
+
+stdenv.mkDerivation rec {
+  version = "1.4";
+  pname = "gfxtablet-uinput-driver";
+
+  buildInputs = [
+    linuxHeaders
+  ];
+
+  src = fetchFromGitHub {
+    owner = "rfc2822";
+    repo = "GfxTablet";
+    rev = "android-app-${version}";
+    sha256 = "1i2m98yypfa9phshlmvjlgw7axfisxmldzrvnbzm5spvv5s4kvvb";
+  };
+
+  preBuild = "cd driver-uinput";
+
+  installPhase = ''
+    mkdir -p "$out/bin"
+    cp networktablet "$out/bin"
+    mkdir -p "$out/share/doc/gfxtablet/"
+    cp ../*.md "$out/share/doc/gfxtablet/"
+  '';
+
+  meta = {
+    description = "Uinput driver for Android GfxTablet tablet-as-input-device app";
+    license = lib.licenses.mit ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/gobi_loader/default.nix b/nixpkgs/pkgs/os-specific/linux/gobi_loader/default.nix
new file mode 100644
index 000000000000..b7972007719c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gobi_loader/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv
+, fetchurl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gobi_loader";
+  version = "0.7";
+
+  src = fetchurl {
+    url = "https://www.codon.org.uk/~mjg59/gobi_loader/download/${pname}-${version}.tar.gz";
+    sha256 = "0jkmpqkiddpxrzl2s9s3kh64ha48m00nn53f82m1rphw8maw5gbq";
+  };
+
+  postPatch = ''
+    substituteInPlace 60-gobi.rules --replace "gobi_loader" "${placeholder "out"}/lib/udev/gobi_loader"
+    substituteInPlace 60-gobi.rules --replace "/lib/firmware" "/run/current-system/firmware"
+  '';
+
+  makeFlags = "prefix=${placeholder "out"}";
+
+  meta = with lib; {
+    description = "Firmware loader for Qualcomm Gobi USB chipsets";
+    homepage = "https://www.codon.org.uk/~mjg59/gobi_loader/";
+    license = with licenses; [ gpl2 ];
+    maintainers = with maintainers; [ _0x4A6F ];
+    platforms = platforms.linux;
+  };
+}
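Review bot: `makeFlags` is given as a single string where a list is expected; a string only works as long as it holds exactly one flag with no spaces, and the list form is `makeFlags = [ "prefix=${placeholder "out"}" ];`. The second `substituteInPlace` call points the udev rule at `/run/current-system/firmware`, a mutable path outside the store that a helper run by udev will read from. A comment such as `# firmware is expected to be provided by the system configuration, not by this package` would make that dependency explicit for whoever audits the rule.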
diff --git a/nixpkgs/pkgs/os-specific/linux/google-authenticator/default.nix b/nixpkgs/pkgs/os-specific/linux/google-authenticator/default.nix
new file mode 100644
index 000000000000..fcf75ac7821a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/google-authenticator/default.nix
@@ -0,0 +1,34 @@
+{ stdenv, lib, fetchFromGitHub, autoreconfHook, pam, qrencode }:
+
+stdenv.mkDerivation rec {
+  pname = "google-authenticator-libpam";
+  version = "1.09";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "google-authenticator-libpam";
+    rev = version;
+    hash = "sha256-DS0h6FWMNKnSSj039bH6iyWrERa5M7LBSkbyig6pyxY=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+  buildInputs = [ pam ];
+
+  preConfigure = ''
+    sed -i "s|libqrencode.so.4|${qrencode.out}/lib/libqrencode.so.4|" src/google-authenticator.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/lib/security
+    cp ./.libs/pam_google_authenticator.so $out/lib/security
+    cp google-authenticator $out/bin
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/google/google-authenticator-libpam";
+    description = "Two-step verification, with pam module";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ aneeshusa ];
+    platforms = platforms.linux;
+  };
+}
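Review bot: The `sed -i` in `preConfigure` succeeds even when `libqrencode.so.4` no longer occurs in src/google-authenticator.c, so a soname change upstream would silently leave a bare library name that is then presumably not found at run time (the source is not shown, so how it is loaded is an assumption). `substituteInPlace src/google-authenticator.c --replace "libqrencode.so.4" "${qrencode.out}/lib/libqrencode.so.4"` warns when the pattern does not match and treats the dots literally. The custom `installPhase` also omits `runHook preInstall` and `runHook postInstall`, which overrides and hooks rely on. For a PAM module, a comment noting that `$out/lib/security` is the directory the PAM configuration is expected to load `pam_google_authenticator.so` from would help reviewers.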
diff --git a/nixpkgs/pkgs/os-specific/linux/gpu-switch/default.nix b/nixpkgs/pkgs/os-specific/linux/gpu-switch/default.nix
new file mode 100644
index 000000000000..17452a5e2446
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gpu-switch/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "gpu-switch-unstable";
+  version = "2017-04-28";
+  src = fetchFromGitHub {
+    owner = "0xbb";
+    repo = "gpu-switch";
+    rev = "a365f56d435c8ef84c4dd2ab935ede4992359e31";
+    sha256 = "1jnh43nijkqd83h7piq7225ixziggyzaalabgissyxdyz6szcn0r";
+  };
+  installPhase = ''
+    mkdir -p $out/bin
+    cp gpu-switch $out/bin/
+  '';
+  meta = with lib; {
+    description = "Application that allows to switch between the graphic cards of dual-GPU MacBook Pro models";
+    homepage = "https://github.com/0xbb/gpu-switch";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.msiedlarek ];
+  };
+}
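Review bot: The snapshot marker is carried in `pname` (`gpu-switch-unstable`) instead of in `version`, which differs from the other snapshot packages in this commit, e.g. gcadapter-oc-kmod with `version = "unstable-2021-12-11"`. Writing `pname = "gpu-switch";` and `version = "unstable-2017-04-28";` keeps the name stable for lookups by package name and keeps version comparison meaningful. The custom `installPhase` also lacks `runHook preInstall` and `runHook postInstall`.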
diff --git a/nixpkgs/pkgs/os-specific/linux/gradm/default.nix b/nixpkgs/pkgs/os-specific/linux/gradm/default.nix
new file mode 100644
index 000000000000..cd99dfa5db8d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gradm/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchurl
+, bison, flex
+, pam
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gradm";
+  version = "3.1-202102241600";
+
+  src  = fetchurl {
+    url    = "https://grsecurity.net/stable/${pname}-${version}.tar.gz";
+    sha256 = "02ni34hpggv00140p9gvh0lqi173zdddd2qhfi96hyr1axd5pl50";
+  };
+
+  nativeBuildInputs = [ bison flex ];
+  buildInputs = [ pam ];
+
+  enableParallelBuilding = true;
+
+  makeFlags = [
+    "DESTDIR=$(out)"
+    "LEX=${flex}/bin/flex"
+    "MANDIR=/share/man"
+    "MKNOD=true"
+  ];
+
+  preBuild = ''
+    substituteInPlace Makefile \
+      --replace "/usr/bin/" "" \
+      --replace "/usr/include/security/pam_" "${pam}/include/security/pam_"
+
+    substituteInPlace gradm_defs.h \
+      --replace "/sbin/grlearn" "$out/bin/grlearn" \
+      --replace "/sbin/gradm" "$out/bin/gradm" \
+      --replace "/sbin/gradm_pam" "$out/bin/gradm_pam"
+
+    echo 'inherit-learn /nix/store' >>learn_config
+
+    mkdir -p "$out/etc/udev/rules.d"
+  '';
+
+  postInstall = "rmdir $out/dev";
+
+  meta = with lib; {
+    description = "grsecurity RBAC administration and policy analysis utility";
+    homepage    = "https://grsecurity.net";
+    license     = licenses.gpl2Only;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice joachifm ];
+  };
+}
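Review bot: In the `gradm_defs.h` substitutions, `--replace "/sbin/gradm" "$out/bin/gradm"` runs before the `/sbin/gradm_pam` rule and already rewrites the `/sbin/gradm` prefix of every `/sbin/gradm_pam` occurrence, so the third replacement never matches anything. The resulting path happens to be the intended one because the two targets share the same prefix, but the order should be swapped so the longer pattern is handled first and a stricter substitution mode would not fail on it. The line `echo 'inherit-learn /nix/store' >>learn_config` changes the RBAC learning configuration shipped with the tool and has no comment; a line such as `# let learning mode treat everything under /nix/store as one inherited subject tree` (to be confirmed against the gradm documentation) would tell an auditor why the whole store is listed.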
diff --git a/nixpkgs/pkgs/os-specific/linux/greetd/default.nix b/nixpkgs/pkgs/os-specific/linux/greetd/default.nix
new file mode 100644
index 000000000000..744b43f6f8aa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/greetd/default.nix
@@ -0,0 +1,51 @@
+{ rustPlatform
+, lib
+, fetchFromSourcehut
+, pam
+, scdoc
+, installShellFiles
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "greetd";
+  version = "0.8.0";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-20D6HanUeAc0S9czkNJFmhsrfEqodpafkHsmwKccrHQ=";
+  };
+
+  cargoHash = "sha256-8nMQ81Y0DnPs9WmxNASlcjTEVw5lh+nZtZ7vmmBCu2g=";
+
+  nativeBuildInputs = [
+    scdoc
+    installShellFiles
+  ];
+
+  buildInputs = [
+    pam
+  ];
+
+  postInstall = ''
+    for f in man/*; do
+      scdoc < "$f" > "$(sed 's/-\([0-9]\)\.scd$/.\1/' <<< "$f")"
+      rm "$f"
+    done
+    installManPage man/*
+  '';
+
+  meta = with lib; {
+    description = "Minimal and flexible login manager daemon";
+    longDescription = ''
+      greetd is a minimal and flexible login manager daemon
+      that makes no assumptions about what you want to launch.
+      Comes with agreety, a simple, text-based greeter.
+    '';
+    homepage = "https://sr.ht/~kennylevinsen/greetd/";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/gt/default.nix b/nixpkgs/pkgs/os-specific/linux/gt/default.nix
new file mode 100644
index 000000000000..e227b6b6bc91
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gt/default.nix
@@ -0,0 +1,32 @@
+{ stdenv, lib, fetchFromGitHub, cmake, bash-completion, pkg-config, libconfig
+, asciidoc
+, libusbgx
+}:
+stdenv.mkDerivation {
+  pname = "gt";
+  version = "unstable-2022-05-08";
+
+  src = fetchFromGitHub {
+    owner = "linux-usb-gadgets";
+    repo = "gt";
+    rev = "7f9c45d98425a27444e49606ce3cf375e6164e8e";
+    sha256 = "sha256-km4U+t4Id2AZx6GpH24p2WNmvV5RVjJ14sy8tWLCQsk=";
+  };
+
+  sourceRoot = "source/source";
+
+  preConfigure = ''
+    cmakeFlagsArray+=("-DBASH_COMPLETION_COMPLETIONSDIR=$out/share/bash-completions/completions")
+  '';
+
+  nativeBuildInputs = [ cmake pkg-config asciidoc ];
+
+  buildInputs = [ bash-completion libconfig libusbgx];
+
+  meta = {
+    description = "Linux command line tool for setting up USB gadgets using configfs";
+    license = with lib.licenses; [ asl20 ];
+    maintainers = with lib.maintainers; [ lheckemann ];
+    platforms = lib.platforms.linux;
+  };
+}
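Review bot: `BASH_COMPLETION_COMPLETIONSDIR` is set to `$out/share/bash-completions/completions`, but the directory bash-completion searches is `share/bash-completion/completions` (singular), so the installed completion file would not be picked up. The line should read `cmakeFlagsArray+=("-DBASH_COMPLETION_COMPLETIONSDIR=$out/share/bash-completion/completions")`. `meta` also has no `homepage`; `homepage = "https://github.com/linux-usb-gadgets/gt";` follows from the `owner` and `repo` in `src`.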
diff --git a/nixpkgs/pkgs/os-specific/linux/gtkgreet/default.nix b/nixpkgs/pkgs/os-specific/linux/gtkgreet/default.nix
new file mode 100644
index 000000000000..7ab7c01475bd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/gtkgreet/default.nix
@@ -0,0 +1,50 @@
+{ stdenv
+, lib
+, fetchFromSourcehut
+, pkg-config
+, cmake
+, meson
+, ninja
+, gtk3
+, gtk-layer-shell
+, json_c
+, scdoc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gtkgreet";
+  version = "0.7";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "ms+2FdtzzNlmlzNxFhu4cpX5H+5H+9ZOtZ0p8uVA3lo=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    cmake
+  ];
+
+  buildInputs = [
+    gtk3
+    gtk-layer-shell
+    json_c
+    scdoc
+  ];
+
+  mesonFlags = [
+    "-Dlayershell=enabled"
+  ];
+
+  meta = with lib; {
+    description = "GTK based greeter for greetd, to be run under cage or similar";
+    homepage = "https://git.sr.ht/~kennylevinsen/gtkgreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
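Review bot: `scdoc` is listed in `buildInputs`, but it is a man-page generator that runs during the build; greetd in this same commit puts it in `nativeBuildInputs`, and it should move there here as well so cross builds get a runnable binary. `cmake` appears in `nativeBuildInputs` next to `meson` and `ninja` without explanation; if it is only there so meson can discover a dependency, a comment like `# only used by meson for dependency lookup` would stop it being removed or mistaken for the build system. The `sha256` value is a bare base64 string, whereas the other new packages use the `sha256-` prefixed form; using the same form keeps the hash format unambiguous.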
diff --git a/nixpkgs/pkgs/os-specific/linux/guvcview/default.nix b/nixpkgs/pkgs/os-specific/linux/guvcview/default.nix
new file mode 100644
index 000000000000..04eccaf02435
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/guvcview/default.nix
@@ -0,0 +1,78 @@
+{ config
+, lib, stdenv
+, fetchurl
+, intltool
+, pkg-config
+, portaudio
+, SDL2
+, ffmpeg
+, udev
+, libusb1
+, libv4l
+, alsa-lib
+, gsl
+, libpng
+, sfml
+, pulseaudioSupport ? config.pulseaudio or stdenv.isLinux
+, libpulseaudio ? null
+, useQt ? false
+, qtbase ? null
+, wrapQtAppsHook ? null
+# can be turned off if used as a library
+, useGtk ? true
+, gtk3 ? null
+, wrapGAppsHook ? null
+}:
+
+assert pulseaudioSupport -> libpulseaudio != null;
+
+stdenv.mkDerivation rec {
+  version = "2.0.6";
+  pname = "guvcview";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/project/guvcview/source/guvcview-src-${version}.tar.gz";
+    sha256 = "11byyfpkcik7wvf2qic77zjamfr2rhji97dpj1gy2fg1bvpiqf4m";
+  };
+
+  nativeBuildInputs = [
+    intltool
+    pkg-config
+  ]
+    ++ lib.optionals (useGtk) [ wrapGAppsHook ]
+    ++ lib.optionals (useQt) [ wrapQtAppsHook ]
+  ;
+
+  buildInputs = [
+    SDL2
+    alsa-lib
+    ffmpeg
+    libusb1
+    libv4l
+    portaudio
+    udev
+    gsl
+    libpng
+    sfml
+  ]
+    ++ lib.optionals (pulseaudioSupport) [ libpulseaudio ]
+    ++ lib.optionals (useGtk) [ gtk3 ]
+    ++ lib.optionals (useQt) [
+      qtbase
+    ]
+  ;
+  configureFlags = [
+    "--enable-sfml"
+  ]
+    ++ lib.optionals (useGtk) [ "--enable-gtk3" ]
+    ++ lib.optionals (useQt) [ "--enable-qt5" ]
+  ;
+
+  meta = with lib; {
+    description = "A simple interface for devices supported by the linux UVC driver";
+    homepage = "http://guvcview.sourceforge.net";
+    maintainers = [ maintainers.coconnor ];
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+  };
+}
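Review bot: Only the PulseAudio option is guarded by an assert, while `useGtk` defaults to `true` with `gtk3` and `wrapGAppsHook` defaulting to `null`, and `useQt` has the same shape with `qtbase` and `wrapQtAppsHook`. A caller that leaves those at `null` gets `null` placed in the input lists together with `--enable-gtk3` or `--enable-qt5`, and the mistake surfaces later in the build, if at all, instead of at evaluation. Adding `assert useGtk -> gtk3 != null && wrapGAppsHook != null;` and `assert useQt -> qtbase != null && wrapQtAppsHook != null;` next to the existing assert makes the three options consistent. `homepage` is also given as `http://`; an https URL should be used if the site serves one.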
diff --git a/nixpkgs/pkgs/os-specific/linux/hd-idle/default.nix b/nixpkgs/pkgs/os-specific/linux/hd-idle/default.nix
new file mode 100644
index 000000000000..b9256158549a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hd-idle/default.nix
@@ -0,0 +1,29 @@
+{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+
+buildGoModule rec {
+  pname = "hd-idle";
+  version = "1.17";
+
+  src = fetchFromGitHub {
+    owner = "adelolmo";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-BHUjKvhUDeD/Xm0KKbkLH2XWn1W77E7Pm3OSPARF6Xw=";
+  };
+
+  vendorSha256 = null;
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  postInstall = ''
+    installManPage debian/hd-idle.8
+  '';
+
+  meta = with lib; {
+    description = "Spins down external disks after a period of idle time";
+    homepage = "https://github.com/adelolmo/hd-idle";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.rycee ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hdapsd/default.nix b/nixpkgs/pkgs/os-specific/linux/hdapsd/default.nix
new file mode 100644
index 000000000000..959fa9ac6e8a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hdapsd/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "hdapsd";
+  version = "20141203";
+
+  src = fetchurl {
+    url = "https://github.com/evgeni/hdapsd/releases/download/${version}/hdapsd-${version}.tar.gz";
+    sha256 = "0ppgrfabd0ivx9hyny3c3rv4rphjyxcdsd5svx5pgfai49mxnl36";
+  };
+
+  postInstall = builtins.readFile ./postInstall.sh;
+
+  meta = with lib;
+    { description = "Hard Drive Active Protection System Daemon";
+      homepage = "http://hdaps.sf.net/";
+      license = licenses.gpl2;
+      platforms = platforms.linux;
+      maintainers = [ maintainers.ehmry ];
+    };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hdapsd/postInstall.sh b/nixpkgs/pkgs/os-specific/linux/hdapsd/postInstall.sh
new file mode 100644
index 000000000000..37867817bf63
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hdapsd/postInstall.sh
@@ -0,0 +1,7 @@
+mkdir -p $out/lib/udev/rules.d $out/lib/systemd/system
+cp misc/hdapsd.rules $out/lib/udev/rules.d
+SBIN_REWRITE="s|@sbindir@|$out/bin|g"
+for i in misc/*.service.in
+do sed $SBIN_REWRITE "$i" > "$out/lib/systemd/system/$(basename ${i%.in})"
+done
+
diff --git a/nixpkgs/pkgs/os-specific/linux/hdparm/default.nix b/nixpkgs/pkgs/os-specific/linux/hdparm/default.nix
new file mode 100644
index 000000000000..1dd0fa6a2089
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hdparm/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "hdparm";
+  version = "9.64";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/hdparm/hdparm-${version}.tar.gz";
+    sha256 = "sha256-MVuVaVHD/qAnKH3iBDgVNCF8C9Dze0k1h3/i2wyrhZo=";
+  };
+
+  preBuild = ''
+    makeFlagsArray=(sbindir=$out/sbin manprefix=$out)
+    '';
+
+  meta = with lib; {
+    description = "A tool to get/set ATA/SATA drive parameters under Linux";
+    homepage = "https://sourceforge.net/projects/hdparm/";
+    platforms = platforms.linux;
+    license = licenses.bsd2;
+    maintainers = [ ];
+  };
+
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/health-check/default.nix b/nixpkgs/pkgs/os-specific/linux/health-check/default.nix
new file mode 100644
index 000000000000..e876808b461a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/health-check/default.nix
@@ -0,0 +1,31 @@
+{ stdenv, lib, fetchFromGitHub, json_c, libbsd }:
+
+stdenv.mkDerivation rec {
+  pname = "health-check";
+  version = "0.03.10";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-1dm7tl7DHv1CzuLe1/UewDSUOanO0hN+STkPrAHcZmI=";
+  };
+
+  buildInputs = [ json_c libbsd ];
+
+  makeFlags = [ "JSON_OUTPUT=y" "FNOTIFY=y" ];
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Process monitoring tool";
+    homepage = "https://github.com/ColinIanKing/health-check";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ dtzWill ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hibernate/default.nix b/nixpkgs/pkgs/os-specific/linux/hibernate/default.nix
new file mode 100644
index 000000000000..1a7dd01e9771
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hibernate/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchurl, gawk }:
+
+let version = "2.0";
+in
+  stdenv.mkDerivation {
+    pname = "hibernate";
+    inherit version;
+    src = fetchurl {
+      url = "http://tuxonice.nigelcunningham.com.au/files/hibernate-script-${version}.tar.gz";
+      sha256 = "0ib5bac3spbcwmhf8f9apjbll8x7fgqj4k1s5q3srijh793rfifh";
+    };
+
+    patches = [ ./install.patch ./gen-manpages.patch ./hibernate.patch ];
+
+    buildInputs = [ gawk ];
+
+    installPhase = ''
+      # FIXME: Storing config files under `$out/etc' is not very useful.
+
+      substituteInPlace "hibernate.sh" --replace \
+        'SWSUSP_D="/etc/hibernate"' "SWSUSP_D=\"$out/etc/hibernate\""
+
+      # Remove all references to `/bin' and `/sbin'.
+      for i in scriptlets.d/*
+      do
+        substituteInPlace "$i" --replace "/bin/" "" --replace "/sbin/" ""
+      done
+
+      PREFIX="$out" CONFIG_PREFIX="$out" ./install.sh
+
+      ln -s "$out/share/hibernate/scriptlets.d" "$out/etc/hibernate"
+    '';
+
+    meta = {
+      description = "The `hibernate' script for swsusp and Tux-on-Ice";
+      longDescription = ''
+        This package provides the `hibernate' script, a command-line utility
+        that saves the computer's state to disk and switches it off, turning
+        it into "hibernation".  It works both with Linux swsusp and Tux-on-Ice.
+      '';
+
+      license = lib.licenses.gpl2Plus;
+      homepage = "http://www.tuxonice.net/";
+      platforms = lib.platforms.linux;
+    };
+  }
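Review bot: The loop in `installPhase` that strips `/bin/` and `/sbin/` from every file under `scriptlets.d` leaves the installed scriptlets resolving their tools through whatever `PATH` the caller happens to have, and hibernate.patch in this commit does the same to `hibernate.sh`. For a script that is presumably run with root privileges, bare-name lookup is weaker than the absolute paths it replaces. I would pin the lookup instead, for example by wrapping the installed script with a fixed search path (`wrapProgram` with `--set PATH` and `lib.makeBinPath` over the packages it needs), or by substituting store paths rather than empty strings. Note also that `buildInputs = [ gawk ];` only provides gawk during the build, so the `awk` calls visible in hibernate.sh depend on the runtime `PATH` as well.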
diff --git a/nixpkgs/pkgs/os-specific/linux/hibernate/gen-manpages.patch b/nixpkgs/pkgs/os-specific/linux/hibernate/gen-manpages.patch
new file mode 100644
index 000000000000..cdbacc86bafa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hibernate/gen-manpages.patch
@@ -0,0 +1,11 @@
+--- hibernate-script-1.98.1/gen-manpages.sh	2008-03-31 09:40:29.000000000 +0200
++++ hibernate-script-1.98.1/gen-manpages.sh	2008-04-01 15:58:11.000000000 +0200
+@@ -254,7 +254,7 @@ BEGIN {
+ }
+ 
+ # Create a copy of hibernate.sh with only the help items
+-TMPF=`mktemp /tmp/tmp.hibernate.XXXXXX`
++TMPF=`mktemp "$TMPDIR/tmp.hibernate.XXXXXX"`
+ awk '{
+     if ((substr($0, 1, 1) != "#") && (match($0, "AddConfigHelp") || match($0, "AddOptionHelp")) && (match($0, "\\(\\)") == 0)) {
+         print $0;
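Review bot: The replacement line ``TMPF=`mktemp "$TMPDIR/tmp.hibernate.XXXXXX"` `` assumes `TMPDIR` is set; when it is empty the template becomes `/tmp.hibernate.XXXXXX` and mktemp tries to create the file in the root directory. That holds inside the Nix build, which is presumably the only place this script runs, but a fallback costs nothing: ``TMPF=`mktemp "${TMPDIR:-/tmp}/tmp.hibernate.XXXXXX"` ``. The awk program that follows continues past the end of this hunk.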
diff --git a/nixpkgs/pkgs/os-specific/linux/hibernate/hibernate.patch b/nixpkgs/pkgs/os-specific/linux/hibernate/hibernate.patch
new file mode 100644
index 000000000000..24de1637d3ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hibernate/hibernate.patch
@@ -0,0 +1,37 @@
+--- hibernate-script-1.98.1/hibernate.sh	2008-03-31 09:40:29.000000000 +0200
++++ hibernate-script-1.98.1/hibernate.sh	2008-04-01 18:24:23.000000000 +0200
+@@ -224,7 +224,7 @@ FindXServer() {
+ 
+ 	    xauth="`get_env_var_of_process $xpid XAUTHORITY`"
+ 	    xhome="`get_env_var_of_process $xpid HOME`"
+-	    xuser=`/bin/ls -ld /proc/$xpid/ | awk '{print $3}'`
++	    xuser=`ls -ld /proc/$xpid/ | awk '{print $3}'`
+ 	    [ -z $xauth ] && [ -n $xhome ] && [ -f $xhome/.Xauthority ] && xauth=$xhome/.Xauthority
+ 
+ 	    [ -z $xauth ] && continue
+@@ -273,14 +273,14 @@ UsingSuspendMethod() {
+ # chain.
+ SortSuspendBits() {
+     # explicit path required to be ash compatible.
+-    /bin/echo -ne "$SUSPEND_BITS" | sort -n
++    echo -ne "$SUSPEND_BITS" | sort -n
+ }
+ 
+ # SortResumeBits: Returns a list of functions registered in the correct order
+ # to call for resuming, prefixed by their position number.
+ SortResumeBits() {
+     # explicit path required to be ash compatible.
+-    /bin/echo -ne "$RESUME_BITS" | sort -rn
++    echo -ne "$RESUME_BITS" | sort -rn
+ }
+ 
+ # WrapHelpText: takes text from stdin, wraps it with an indent of 5 and width
+@@ -557,7 +557,7 @@ LoadScriptlets() {
+     CURRENT_SOURCED_SCRIPTLET=""
+     for scriptlet_dir in $SCRIPTLET_PATH ; do
+ 	[ -d "$scriptlet_dir" ] || continue
+-	[ -z "`/bin/ls -1 $scriptlet_dir`" ] && continue
++	[ -z "`ls -1 $scriptlet_dir`" ] && continue
+ 	for scriptlet in $scriptlet_dir/* ; do
+ 	    # Avoid editor backup files.
+ 	    case "$scriptlet" in *~|*.bak) continue ;; esac
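Review bot: In `SortSuspendBits` and `SortResumeBits` the change from `/bin/echo -ne` to `echo -ne` switches from the external echo to the shell's builtin, which the retained comment `# explicit path required to be ash compatible.` says the original was written to avoid. Under a shell whose builtin echo does not accept `-n`/`-e`, the option string would be emitted as data and the ordering of the suspend/resume chain could change. `printf '%b' "$SUSPEND_BITS" | sort -n` and `printf '%b' "$RESUME_BITS" | sort -rn` should keep the escape handling without depending on either echo. The stale comment should be dropped or reworded in the same patch.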
diff --git a/nixpkgs/pkgs/os-specific/linux/hibernate/install.patch b/nixpkgs/pkgs/os-specific/linux/hibernate/install.patch
new file mode 100644
index 000000000000..ae296b955ac8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hibernate/install.patch
@@ -0,0 +1,11 @@
+--- hibernate-script-1.98.1/install.sh	2008-03-31 09:40:29.000000000 +0200
++++ hibernate-script-1.98.1/install.sh	2008-04-01 15:50:46.000000000 +0200
+@@ -63,7 +63,7 @@ fi
+ cp -a blacklisted-modules $BLACKLIST
+ 
+ # Test if they have anything in there, and warn them
+-if /bin/ls $OLD_SCRIPTLET_DIR/* > /dev/null 2>&1 ; then
++if ls $OLD_SCRIPTLET_DIR/* > /dev/null 2>&1 ; then
+     echo "  **"
+     echo "  ** You have scriptlets already installed in $OLD_SCRIPTLET_DIR"
+     echo "  ** Since version 0.95, these have moved to $SCRIPTLET_DIR."
diff --git a/nixpkgs/pkgs/os-specific/linux/hid-ite8291r3/default.nix b/nixpkgs/pkgs/os-specific/linux/hid-ite8291r3/default.nix
new file mode 100644
index 000000000000..d4f69c734ac0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hid-ite8291r3/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "hid-ite8291r3";
+  version = "unstable-2022-06-01";
+
+  src = fetchFromGitHub {
+    owner = "pobrn";
+    repo = "hid-ite8291r3";
+    rev = "48e04cb96517f8574225ebabb286775feb942ef5";
+    hash = "sha256-/69vvVbAVULDW8rwDYSj5706vrqJ6t4s/T6s3vmG9wk=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "VERSION=${version}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D hid-ite8291r3.ko -t $out/lib/modules/${kernel.modDirVersion}/extra
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Linux driver for the ITE 8291 RGB keyboard backlight controller";
+    homepage = "https://github.com/pobrn/hid-ite8291r3/";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ aacebedo ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.9";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hid-nintendo/default.nix b/nixpkgs/pkgs/os-specific/linux/hid-nintendo/default.nix
new file mode 100644
index 000000000000..7d01120b2f3f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hid-nintendo/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "hid-nintendo";
+  version = "3.2";
+
+  src = fetchFromGitHub {
+    owner = "nicman23";
+    repo = "dkms-hid-nintendo";
+    rev = version;
+    sha256 = "1c262xarslicn9ildndl66sf97i5pzwzra54zh2rp11j7kkvvbyr";
+  };
+
+  setSourceRoot = ''
+    export sourceRoot=$(pwd)/source/src
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "-C"
+    "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(sourceRoot)"
+  ];
+
+  buildFlags = [ "modules" ];
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    description = "A Nintendo HID kernel module";
+    homepage = "https://github.com/nicman23/dkms-hid-nintendo";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.rencire ];
+    platforms = platforms.linux;
+    broken = versionOlder kernel.version "4.14";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/hostapd/default.nix b/nixpkgs/pkgs/os-specific/linux/hostapd/default.nix
new file mode 100644
index 000000000000..3fdbaa9149a6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hostapd/default.nix
@@ -0,0 +1,81 @@
+{ lib, stdenv, fetchurl, pkg-config, libnl, openssl, sqlite ? null }:
+
+stdenv.mkDerivation rec {
+  pname = "hostapd";
+  version = "2.10";
+
+  src = fetchurl {
+    url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
+    sha256 = "sha256-IG58eZtnhXLC49EgMCOHhLxKn4IyOwFWtMlGbxSYkV0=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libnl openssl sqlite ];
+
+  patches = [
+    (fetchurl {
+      # Note: fetchurl seems to be unhappy with openwrt git
+      # server's URLs containing semicolons. Using the github mirror instead.
+      url = "https://raw.githubusercontent.com/openwrt/openwrt/eefed841b05c3cd4c65a78b50ce0934d879e6acf/package/network/services/hostapd/patches/300-noscan.patch";
+      sha256 = "08p5frxhpq1rp2nczkscapwwl8g9nc4fazhjpxic5bcbssc3sb00";
+    })
+  ];
+
+  outputs = [ "out" "man" ];
+
+  extraConfig = ''
+    CONFIG_DRIVER_WIRED=y
+    CONFIG_LIBNL32=y
+    CONFIG_EAP_SIM=y
+    CONFIG_EAP_AKA=y
+    CONFIG_EAP_AKA_PRIME=y
+    CONFIG_EAP_PAX=y
+    CONFIG_EAP_PWD=y
+    CONFIG_EAP_SAKE=y
+    CONFIG_EAP_GPSK=y
+    CONFIG_EAP_GPSK_SHA256=y
+    CONFIG_EAP_FAST=y
+    CONFIG_EAP_IKEV2=y
+    CONFIG_EAP_TNC=y
+    CONFIG_EAP_EKE=y
+    CONFIG_RADIUS_SERVER=y
+    CONFIG_IEEE80211R=y
+    CONFIG_IEEE80211N=y
+    CONFIG_IEEE80211AC=y
+    CONFIG_FULL_DYNAMIC_VLAN=y
+    CONFIG_VLAN_NETLINK=y
+    CONFIG_TLS=openssl
+    CONFIG_TLSV11=y
+    CONFIG_TLSV12=y
+    CONFIG_INTERNETWORKING=y
+    CONFIG_HS20=y
+    CONFIG_ACS=y
+    CONFIG_GETRANDOM=y
+    CONFIG_SAE=y
+  '' + lib.optionalString (sqlite != null) ''
+    CONFIG_SQLITE=y
+  '';
+
+  configurePhase = ''
+    cd hostapd
+    cp -v defconfig .config
+    echo "$extraConfig" >> .config
+    cat -n .config
+    substituteInPlace Makefile --replace /usr/local $out
+    export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE $(pkg-config --cflags libnl-3.0)"
+  '';
+
+  preInstall = "mkdir -p $out/bin";
+  postInstall = ''
+    install -vD hostapd.8 -t $man/share/man/man8
+    install -vD hostapd_cli.1 -t $man/share/man/man1
+  '';
+
+  meta = with lib; {
+    homepage = "https://hostap.epitest.fi";
+    description = "A user space daemon for access point and authentication servers";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ ninjatrappeur hexa ];
+    platforms = platforms.linux;
+  };
+}
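Review bot: The custom `configurePhase` does not call `runHook preConfigure` / `runHook postConfigure`, so anything an override attaches to those hooks is silently skipped; iio-sensor-proxy and hid-ite8291r3 in this same commit wrap their custom phases with the hooks. I would add `runHook preConfigure` as the first line and `runHook postConfigure` as the last. Separately, `extraConfig` compiles in `CONFIG_RADIUS_SERVER=y` and a long list of EAP server methods for every user of the package; a comment above it stating that these only take effect when enabled in the daemon's configuration (if that is the case) would help anyone auditing what this network-facing daemon ships with. `license = licenses.gpl2` also looks out of date to me, since upstream distributes hostapd under a BSD license as far as I know; worth checking against the tarball's COPYING.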
diff --git a/nixpkgs/pkgs/os-specific/linux/hwdata/default.nix b/nixpkgs/pkgs/os-specific/linux/hwdata/default.nix
new file mode 100644
index 000000000000..fe789d51dbb5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hwdata/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "hwdata";
+  version = "0.360";
+
+  src = fetchFromGitHub {
+    owner = "vcrhonek";
+    repo = "hwdata";
+    rev = "v${version}";
+    sha256 = "sha256-dF1Yeb3xH4keQzcydZ3h3kyuSZ1knW/2YAJ8xvFSoMo=";
+  };
+
+  postPatch = ''
+    patchShebangs ./configure
+  '';
+
+  configureFlags = [ "--datadir=${placeholder "out"}/share" ];
+
+  doCheck = false; # this does build machine-specific checks (e.g. enumerates PCI bus)
+
+  outputHashMode = "recursive";
+  outputHash = "sha256-gkgnHy1XwP87qpQiAm31AIAkxgGm5JYxMBr60kvd+gE=";
+
+  meta = {
+    homepage = "https://github.com/vcrhonek/hwdata";
+    description = "Hardware Database, including Monitors, pci.ids, usb.ids, and video cards";
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.all;
+  };
+}
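Review bot: `outputHashMode = "recursive"` and `outputHash` turn this into a fixed-output derivation, and nothing in the file says why. Two consequences deserve a comment: the build, which runs `./configure` and `make`, is then treated like a fetcher by Nix and is normally not network-isolated, and a version bump that updates the `src` hash but not `outputHash` can keep serving the old output from a store or cache that already holds it. I would add something like `# fixed-output on purpose: <reason>; bump outputHash together with src` above `outputHashMode`, with the actual reason filled in by the author.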
diff --git a/nixpkgs/pkgs/os-specific/linux/hyperv-daemons/default.nix b/nixpkgs/pkgs/os-specific/linux/hyperv-daemons/default.nix
new file mode 100644
index 000000000000..a659908a7a09
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/hyperv-daemons/default.nix
@@ -0,0 +1,111 @@
+{ stdenv, lib, python2, python3, kernel, makeWrapper, writeText
+, gawk, iproute2 }:
+
+let
+  libexec = "libexec/hypervkvpd";
+
+  daemons = stdenv.mkDerivation rec {
+    pname = "hyperv-daemons-bin";
+    inherit (kernel) src version;
+
+    nativeBuildInputs = [ makeWrapper ];
+    buildInputs = [ (if lib.versionOlder version "4.19" then python2 else python3) ];
+
+    # as of 4.9 compilation will fail due to -Werror=format-security
+    hardeningDisable = [ "format" ];
+
+    postPatch = ''
+      cd tools/hv
+      substituteInPlace hv_kvp_daemon.c \
+        --replace /usr/libexec/hypervkvpd/ $out/${libexec}/
+    '';
+
+    # We don't actually need the hv_get_{dhcp,dns}_info scripts on NixOS in
+    # their current incarnation but with them in place, we stop the spam of
+    # errors in the log.
+    installPhase = ''
+      runHook preInstall
+
+      for f in fcopy kvp vss ; do
+        install -Dm755 hv_''${f}_daemon -t $out/bin
+      done
+
+      install -Dm755 lsvmbus             $out/bin/lsvmbus
+      install -Dm755 hv_get_dhcp_info.sh $out/${libexec}/hv_get_dhcp_info
+      install -Dm755 hv_get_dns_info.sh  $out/${libexec}/hv_get_dns_info
+
+      runHook postInstall
+    '';
+
+    postFixup = ''
+      wrapProgram $out/bin/hv_kvp_daemon \
+        --prefix PATH : $out/bin:${lib.makeBinPath [ gawk iproute2 ]}
+    '';
+  };
+
+  service = bin: title: check:
+    writeText "hv-${bin}.service" ''
+      [Unit]
+      Description=Hyper-V ${title} daemon
+      ConditionVirtualization=microsoft
+      ${lib.optionalString (check != "") ''
+        ConditionPathExists=/dev/vmbus/${check}
+      ''}
+      [Service]
+      ExecStart=@out@/hv_${bin}_daemon -n
+      Restart=on-failure
+      PrivateTmp=true
+      Slice=hyperv.slice
+
+      [Install]
+      WantedBy=hyperv-daemons.target
+    '';
+
+in stdenv.mkDerivation {
+  pname = "hyperv-daemons";
+  inherit (kernel) version;
+
+  # we just stick the bins into out as well as it requires "out"
+  outputs = [ "bin" "lib" "out" ];
+
+  buildInputs = [ daemons ];
+
+  buildCommand = ''
+    system=$lib/lib/systemd/system
+
+    install -Dm444 ${service "fcopy" "file copy (FCOPY)" "hv_fcopy" } $system/hv-fcopy.service
+    install -Dm444 ${service "kvp"   "key-value pair (KVP)"     ""  } $system/hv-kvp.service
+    install -Dm444 ${service "vss"   "volume shadow copy (VSS)" ""  } $system/hv-vss.service
+
+    cat > $system/hyperv-daemons.target <<EOF
+    [Unit]
+    Description=Hyper-V Daemons
+    Wants=hv-fcopy.service hv-kvp.service hv-vss.service
+    EOF
+
+    for f in $lib/lib/systemd/system/*.service ; do
+      substituteInPlace $f --replace @out@ ${daemons}/bin
+    done
+
+    # we need to do both $out and $bin as $out is required
+    for d in $out/bin $bin/bin ; do
+      # make user binaries available
+      mkdir -p $d
+      ln -s ${daemons}/bin/lsvmbus $d/lsvmbus
+    done
+  '';
+
+  meta = with lib; {
+    description = "Integration Services for running NixOS under HyperV";
+    longDescription = ''
+      This packages contains the daemons that are used by the Hyper-V hypervisor
+      on the host.
+
+      Microsoft calls their guest agents "Integration Services" which is why
+      we use that name here.
+    '';
+    homepage = "https://kernel.org";
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms = kernel.meta.platforms;
+  };
+}
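Review bot: `hardeningDisable = [ "format" ];` in the `daemons` derivation applies to every kernel version, while its comment only records that compilation started failing with `-Werror=format-security` "as of 4.9". These are guest agents that talk to the hypervisor, so format-string checking is a flag I would rather keep wherever the source allows it; consider gating the exception on the kernel versions that actually fail, or re-testing whether it is still needed. ifenslave/default.nix later in this commit disables the same flag with no comment at all; a one-line reason there (`# fails with -Werror=format-security`, if that is the cause) would make the exception reviewable.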
diff --git a/nixpkgs/pkgs/os-specific/linux/i2c-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/i2c-tools/default.nix
new file mode 100644
index 000000000000..556bc2d89787
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/i2c-tools/default.nix
@@ -0,0 +1,44 @@
+{ lib
+, stdenv
+, fetchgit
+, perl
+, read-edid
+}:
+
+stdenv.mkDerivation rec {
+  pname = "i2c-tools";
+  version = "4.3";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/i2c-tools/i2c-tools.git";
+    rev = "v${version}";
+    sha256 = "sha256-HlmIocum+HZEKNiS5BUwEIswRfTMUhD1vCPibAuAK0Q=";
+  };
+
+  buildInputs = [ perl ];
+
+  postPatch = ''
+    substituteInPlace eeprom/decode-edid \
+      --replace "/usr/sbin/parse-edid" "${read-edid}/bin/parse-edid"
+
+    substituteInPlace stub/i2c-stub-from-dump \
+      --replace "/sbin/" ""
+  '';
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  outputs = [ "out" "man" ];
+
+  postInstall = ''
+    rm -rf $out/include/linux/i2c-dev.h # conflics with kernel headers
+  '';
+
+  meta = with lib; {
+    description = "Set of I2C tools for Linux";
+    homepage = "https://i2c.wiki.kernel.org/index.php/I2C_Tools";
+    # library is LGPL 2.1 or later; "most tools" GPL 2 or later
+    license = with licenses; [ lgpl21Plus gpl2Plus ];
+    maintainers = [ maintainers.dezgeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/i7z/default.nix b/nixpkgs/pkgs/os-specific/linux/i7z/default.nix
new file mode 100644
index 000000000000..9af2aba3d806
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/i7z/default.nix
@@ -0,0 +1,57 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch, ncurses
+, withGui ? false, qtbase }:
+
+stdenv.mkDerivation rec {
+  pname = "i7z";
+  version = "0.27.4";
+
+  src = fetchFromGitHub {
+    owner = "DimitryAndric";
+    repo = "i7z";
+    rev = "v${version}";
+    sha256 = "00c4ng30ry88hcya4g1i9dngiqmz3cs31x7qh1a10nalxn1829xy";
+  };
+
+  buildInputs = [ ncurses ] ++ lib.optional withGui qtbase;
+
+  patches = [
+    (fetchpatch {
+      url = "https://salsa.debian.org/debian/i7z/raw/ad1359764ee7a860a02e0c972f40339058fa9369/debian/patches/fix-insecure-tempfile.patch";
+      sha256 = "0ifg06xjw14y4fnzzgkhqm4sv9mcdzgi8m2wffq9z8b1r0znya3s";
+    })
+    (fetchpatch {
+      url = "https://salsa.debian.org/debian/i7z/raw/ad1359764ee7a860a02e0c972f40339058fa9369/debian/patches/nehalem.patch";
+      sha256 = "1ys6sgm01jkqb6d4y7qc3h89dzph8jjjcfya5c5jcm7dkxlzjq8a";
+    })
+    (fetchpatch {
+      url = "https://salsa.debian.org/debian/i7z/raw/ad1359764ee7a860a02e0c972f40339058fa9369/debian/patches/hyphen-used-as-minus-sign.patch";
+      sha256 = "1ji2qvdyq0594cpqz0dlsfggvw3rm63sygh0jxvwjgxpnhykhg1p";
+    })
+    ./qt5.patch
+  ];
+
+  enableParallelBuilding = true;
+
+  postBuild = lib.optionalString withGui ''
+      cd GUI
+      qmake
+      make clean
+      make
+      cd ..
+  '';
+
+  makeFlags = [ "prefix=${placeholder "out"}" ];
+
+  postInstall = lib.optionalString withGui ''
+    install -Dm755 GUI/i7z_GUI $out/bin/i7z-gui
+  '';
+
+  meta = with lib; {
+    description = "A better i7 (and now i3, i5) reporting tool for Linux";
+    homepage = "https://github.com/DimitryAndric/i7z";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ bluescreen303 ];
+    # broken on ARM
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/i7z/qt5.patch b/nixpkgs/pkgs/os-specific/linux/i7z/qt5.patch
new file mode 100644
index 000000000000..9e9b162d9e85
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/i7z/qt5.patch
@@ -0,0 +1,13 @@
+diff -Naur a/GUI/i7z_GUI.pro b/GUI/i7z_GUI.pro
+--- a/GUI/i7z_GUI.pro	2013-10-12 21:59:19.000000000 +0100
++++ b/GUI/i7z_GUI.pro	2016-11-05 13:54:30.118655672 +0000
+@@ -3,7 +3,8 @@
+ ######################################################################
+ 
+ TEMPLATE = app
+-TARGET = 
++TARGET = i7z_GUI
++QT += widgets
+ DEPENDPATH += .
+ INCLUDEPATH += .
+ CONFIG += debug
diff --git a/nixpkgs/pkgs/os-specific/linux/i810switch/default.nix b/nixpkgs/pkgs/os-specific/linux/i810switch/default.nix
new file mode 100644
index 000000000000..3a202ca08e96
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/i810switch/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchurl, pciutils }:
+
+stdenv.mkDerivation {
+  pname = "i810switch";
+  version = "0.6.5";
+
+  installPhase = "
+    sed -i -e 's+/usr++' Makefile
+    sed -i -e 's+^\\(.*putenv(\"PATH=\\).*$+\\1${pciutils}/sbin\");+' i810switch.c
+    make clean
+    make install DESTDIR=\${out}
+  ";
+
+  src = fetchurl {
+    url = "http://www16.plala.or.jp/mano-a-mano/i810switch/i810switch-0.6.5.tar.gz";
+    sha256 = "d714840e3b14e1fa9c432c4be0044b7c008d904dece0d611554655b979cad4c3";
+  };
+
+  meta = with lib; {
+    description = "A utility for switching between the LCD and external VGA display on Intel graphics cards";
+    homepage = "http://www16.plala.or.jp/mano-a-mano/i810switch.html";
+    maintainers = with maintainers; [ ];
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ifenslave/default.nix b/nixpkgs/pkgs/os-specific/linux/ifenslave/default.nix
new file mode 100644
index 000000000000..d23fc101bcc0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ifenslave/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "ifenslave";
+  version = "1.1.0";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/i/ifenslave-2.6/ifenslave-2.6_${version}.orig.tar.gz";
+    sha256 = "0h9hrmy19zdksl7ys250r158b943ihbgkb95n8p4k8l0vqsby5vr";
+  };
+
+  buildPhase = ''
+    gcc -o ifenslave ifenslave.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -a ifenslave $out/bin
+  '';
+
+  hardeningDisable = [ "format" ];
+
+  meta = {
+    description = "Utility for enslaving networking interfaces under a bond";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ifmetric/default.nix b/nixpkgs/pkgs/os-specific/linux/ifmetric/default.nix
new file mode 100644
index 000000000000..f5d55db5e41b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ifmetric/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl, lynx }:
+
+stdenv.mkDerivation rec {
+  pname = "ifmetric";
+  version = "0.3";
+
+  src = fetchurl {
+    url = "http://0pointer.de/lennart/projects/${pname}/${pname}-${version}.tar.gz";
+    sha256 = "1v0s5x81jzwnnl7hr254d4nkyc8qcv983pzr6vqmbr9l9q553a0g";
+  };
+
+  buildInputs = [ lynx ];
+
+  patches = [
+    # Fixes an issue related to the netlink API.
+    # Upstream is largely inactive; this is a Debian patch.
+    (fetchurl {
+      url = "https://launchpadlibrarian.net/85974387/10_netlink_fix.patch";
+      sha256 = "1pnlcr0qvk0bd5243wpg14i387zp978f4xhwwkcqn1cir91x7fbc";
+    })
+  ];
+
+  meta = with lib; {
+    description = "Tool for setting IP interface metrics";
+    longDescription = ''
+      ifmetric is a Linux tool for setting the metrics of all IPv4 routes
+      attached to a given network interface at once. This may be used to change
+      the priority of routing IPv4 traffic over the interface. Lower metrics
+      correlate with higher priorities.
+    '';
+    homepage = "http://0pointer.de/lennart/projects/ifmetric";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.anna328p ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iio-sensor-proxy/default.nix b/nixpkgs/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
new file mode 100644
index 000000000000..5f44622c5122
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitLab, autoconf-archive, gettext, libtool, intltool, autoconf, automake
+, glib, gtk3, gtk-doc, libgudev, pkg-config, systemd }:
+
+stdenv.mkDerivation rec {
+  pname = "iio-sensor-proxy";
+  version = "3.0";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner  = "hadess";
+    repo   = pname;
+    rev    = version;
+    sha256 = "0ngbz1vkbjci3ml6p47jh6c6caipvbkm8mxrc8ayr6vc2p9l1g49";
+  };
+
+  configurePhase = ''
+    runHook preConfigure
+
+    ./autogen.sh --prefix=$out \
+      --with-udevrulesdir=$out/lib/udev/rules.d \
+      --with-systemdsystemunitdir=$out/lib/systemd/system
+
+    runHook postConfigure
+  '';
+
+  buildInputs = [
+    glib
+    gtk3
+    gtk-doc
+    libgudev
+    systemd
+  ];
+
+  nativeBuildInputs = [
+    autoconf
+    autoconf-archive
+    automake
+    gettext
+    intltool
+    libtool
+    pkg-config
+  ];
+
+  meta = with lib; {
+    description = "Proxy for sending IIO sensor data to D-Bus";
+    homepage = "https://github.com/hadess/iio-sensor-proxy";
+    license = licenses.gpl3 ;
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ima-evm-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/ima-evm-utils/default.nix
new file mode 100644
index 000000000000..aeafd68e7080
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ima-evm-utils/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchgit, autoreconfHook, pkg-config, openssl, attr, keyutils, asciidoc, libxslt, docbook_xsl }:
+
+stdenv.mkDerivation rec {
+  pname = "ima-evm-utils";
+  version = "1.4";
+
+  src = fetchgit {
+    url = "git://git.code.sf.net/p/linux-ima/ima-evm-utils";
+    rev = "v${version}";
+    sha256 = "1zmyv82232lzqk52m0s7fap9zb9hb1x6nsi5gznk0cbsnq2m67pc";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ openssl attr keyutils asciidoc libxslt ];
+
+  MANPAGE_DOCBOOK_XSL = "${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl";
+
+  meta = {
+    description = "evmctl utility to manage digital signatures of the Linux kernel integrity subsystem (IMA/EVM)";
+    homepage = "https://sourceforge.net/projects/linux-ima/";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ ];
+  };
+}
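Review bot: `url = "git://git.code.sf.net/p/linux-ima/ima-evm-utils";` fetches over the unauthenticated, unencrypted git protocol. The `sha256` pins what ends up in the store, but whoever bumps `version` computes the new hash from whatever that channel delivers, so the pin is only as trustworthy as the transport at update time. SourceForge serves the same repositories over HTTPS, so I would use `url = "https://git.code.sf.net/p/linux-ima/ima-evm-utils";`. The same reasoning applies to the plain `http://` `src` URLs in hibernate, i810switch and ifmetric in this commit, wherever upstream offers HTTPS.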
diff --git a/nixpkgs/pkgs/os-specific/linux/input-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/input-utils/default.nix
new file mode 100644
index 000000000000..36a203a47c76
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/input-utils/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchurl, linuxHeaders }:
+
+stdenv.mkDerivation rec {
+  pname = "input-utils";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "https://www.kraxel.org/releases/input/input-${version}.tar.gz";
+    sha256 = "11w0pp20knx6qpgzmawdbk1nj2z3fzp8yd6nag6s8bcga16w6hli";
+  };
+
+  prePatch = ''
+    # Use proper include path for kernel include files.
+    substituteInPlace ./name.sh --replace "/usr/include/linux/" "${linuxHeaders}/include/linux/"
+    substituteInPlace ./lirc.sh --replace "/usr/include/linux/" "${linuxHeaders}/include/linux/"
+  '';
+
+  makeFlags = [
+    "prefix=$(out)"
+    "STRIP="
+  ];
+
+  meta = with lib; {
+    description = "Input layer utilities, includes lsinput";
+    homepage    = "https://www.kraxel.org/blog/linux/input/";
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ samueldr ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/intel-cmt-cat/default.nix b/nixpkgs/pkgs/os-specific/linux/intel-cmt-cat/default.nix
new file mode 100644
index 000000000000..dd96e518300e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/intel-cmt-cat/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  version = "4.4.1";
+  pname = "intel-cmt-cat";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "intel-cmt-cat";
+    rev = "v${version}";
+    sha256 = "sha256-6v9MRIW9Wqojia6GZNM75AvoYJGJ9C/k+ShwQKOjiL8=";
+  };
+
+  enableParallelBuilding = true;
+
+  makeFlags = [ "PREFIX=$(out)" "NOLDCONFIG=y" ];
+
+  meta = with lib; {
+    description = "User space software for Intel(R) Resource Director Technology";
+    homepage = "https://github.com/intel/intel-cmt-cat";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ arkivm ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/intel-compute-runtime/default.nix b/nixpkgs/pkgs/os-specific/linux/intel-compute-runtime/default.nix
new file mode 100644
index 000000000000..5c38e05fbfe4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/intel-compute-runtime/default.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv
+, fetchFromGitHub
+, patchelf
+, cmake
+, pkg-config
+
+, intel-gmmlib
+, intel-graphics-compiler
+, libva
+}:
+
+stdenv.mkDerivation rec {
+  pname = "intel-compute-runtime";
+  version = "22.32.23937";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "compute-runtime";
+    rev = version;
+    sha256 = "sha256-W+0EbrbF+jPtsf9QCMmSEX7HFDlfiRtD/kjeMJVqCoY=";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+
+  buildInputs = [ intel-gmmlib intel-graphics-compiler libva ];
+
+  cmakeFlags = [
+    "-DSKIP_UNIT_TESTS=1"
+
+    "-DIGC_DIR=${intel-graphics-compiler}"
+    "-DOCL_ICD_VENDORDIR=${placeholder "out"}/etc/OpenCL/vendors"
+
+    # The install script assumes this path is relative to CMAKE_INSTALL_PREFIX
+    "-DCMAKE_INSTALL_LIBDIR=lib"
+  ];
+
+  postInstall = ''
+    # Avoid clash with intel-ocl
+    mv $out/etc/OpenCL/vendors/intel.icd $out/etc/OpenCL/vendors/intel-neo.icd
+  '';
+
+  postFixup = ''
+    patchelf --set-rpath ${lib.makeLibraryPath [ intel-gmmlib intel-graphics-compiler libva stdenv.cc.cc.lib ]} \
+      $out/lib/intel-opencl/libigdrcl.so
+  '';
+
+  meta = with lib; {
+    homepage    = "https://github.com/intel/compute-runtime";
+    description = "Intel Graphics Compute Runtime for OpenCL. Replaces Beignet for Gen8 (Broadwell) and beyond";
+    license     = licenses.mit;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ gloaming ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/intel-ocl/default.nix b/nixpkgs/pkgs/os-specific/linux/intel-ocl/default.nix
new file mode 100644
index 000000000000..b1451421d69b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/intel-ocl/default.nix
@@ -0,0 +1,78 @@
+{ lib, stdenv, fetchzip, rpmextract, ncurses5, numactl, zlib }:
+
+stdenv.mkDerivation rec {
+  pname = "intel-ocl";
+  version = "5.0-63503";
+
+  src = fetchzip {
+    # https://github.com/NixOS/nixpkgs/issues/166886
+    urls = [
+      "https://registrationcenter-download.intel.com/akdlm/irc_nas/11396/SRB5.0_linux64.zip"
+      "http://registrationcenter-download.intel.com/akdlm/irc_nas/11396/SRB5.0_linux64.zip"
+      "https://web.archive.org/web/20190526190814/http://registrationcenter-download.intel.com/akdlm/irc_nas/11396/SRB5.0_linux64.zip"
+    ];
+    sha256 = "0qbp63l74s0i80ysh9ya8x7r79xkddbbz4378nms9i7a0kprg9p2";
+    stripRoot = false;
+  };
+
+  buildInputs = [ rpmextract ];
+
+  sourceRoot = ".";
+
+  libPath = lib.makeLibraryPath [
+    stdenv.cc.cc.lib
+    ncurses5
+    numactl
+    zlib
+  ];
+
+  postUnpack = ''
+    # Extract the RPMs contained within the source ZIP.
+    rpmextract source/intel-opencl-r${version}.x86_64.rpm
+    rpmextract source/intel-opencl-cpu-r${version}.x86_64.rpm
+  '';
+
+  patchPhase = ''
+    runHook prePatch
+
+    # Remove libOpenCL.so, since we use ocl-icd's libOpenCL.so instead and this would cause a clash.
+    rm opt/intel/opencl/libOpenCL.so*
+
+    # Patch shared libraries.
+    for lib in opt/intel/opencl/*.so; do
+      patchelf --set-rpath "${libPath}:$out/lib/intel-ocl" $lib || true
+    done
+
+    runHook postPatch
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    # Create ICD file, which just contains the path of the corresponding shared library.
+    echo "$out/lib/intel-ocl/libintelocl.so" > intel.icd
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D -m 0755 opt/intel/opencl/*.so* -t $out/lib/intel-ocl
+    install -D -m 0644 opt/intel/opencl/*.{o,rtl,bin} -t $out/lib/intel-ocl
+    install -D -m 0644 opt/intel/opencl/{LICENSE,NOTICES} -t $out/share/doc/intel-ocl
+    install -D -m 0644 intel.icd -t $out/etc/OpenCL/vendors
+
+    runHook postInstall
+  '';
+
+  dontStrip = true;
+
+  meta = {
+    description = "Official OpenCL runtime for Intel CPUs";
+    homepage = "https://software.intel.com/en-us/articles/opencl-drivers";
+    license = lib.licenses.unfree;
+    platforms = [ "x86_64-linux" ];
+    maintainers = [ lib.maintainers.kierdavis ];
+  };
+}
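Review bot: In `patchPhase`, `patchelf --set-rpath ... $lib || true` discards every patchelf failure, so a vendor library whose RUNPATH could not be rewritten is still installed and the build still succeeds. These are prebuilt binaries from an unfree ZIP, and an unpatched one would resolve its dependencies through whatever search path applies at run time instead of the pinned `libPath`. Drop the `|| true` (if some `*.so` files are not ELF objects, skip those explicitly) and quote the variable: `patchelf --set-rpath "${libPath}:$out/lib/intel-ocl" "$lib"`. `rpmextract` is a build-time tool and would normally be listed in `nativeBuildInputs`.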
diff --git a/nixpkgs/pkgs/os-specific/linux/intel-speed-select/default.nix b/nixpkgs/pkgs/os-specific/linux/intel-speed-select/default.nix
new file mode 100644
index 000000000000..2caad335d57c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/intel-speed-select/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, kernel }:
+
+stdenv.mkDerivation {
+  pname = "intel-speed-select";
+  inherit (kernel) src version;
+
+  makeFlags = [ "bindir=${placeholder "out"}/bin" ];
+
+  postPatch = ''
+    cd tools/power/x86/intel-speed-select
+    sed -i 's,/usr,,g' Makefile
+  '';
+
+  meta = with lib; {
+    description = "Tool to enumerate and control the Intel Speed Select Technology features";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = [ "i686-linux" "x86_64-linux" ]; # x86-specific
+    broken = kernel.kernelAtLeast "5.18";
+  };
+}
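Review bot: `meta` has no `maintainers` entry, so there is no named owner to ping when this package needs a security update or stops building; the `ipset`, `ipvsadm` and `ixgbevf` expressions later in this diff have the same gap. For tools that manage firewall sets and IPVS tables, and for an out-of-tree network driver, that is worth closing before merge. Add a line such as `maintainers = with maintainers; [ <maintainer-handle> ];` (placeholder) to each of those `meta` blocks.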
diff --git a/nixpkgs/pkgs/os-specific/linux/iomelt/default.nix b/nixpkgs/pkgs/os-specific/linux/iomelt/default.nix
new file mode 100644
index 000000000000..860a7b446328
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iomelt/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchurl }:
+
+let version = "0.7";
+in stdenv.mkDerivation {
+  pname = "iomelt";
+  inherit version;
+  src = fetchurl {
+    url = "http://iomelt.com/s/iomelt-${version}.tar.gz";
+    sha256 = "1jhrdm5b7f1bcbrdwcc4yzg26790jxl4d2ndqiwd9brl2g5537im";
+  };
+
+  preBuild = ''
+    mkdir -p $out/bin
+    mkdir -p $out/share/man/man1
+
+    substituteInPlace Makefile \
+      --replace /usr $out
+  '';
+
+  meta = with lib; {
+    description = "A simple yet effective way to benchmark disk IO in Linux systems";
+    homepage    = "http://www.iomelt.com";
+    maintainers = with maintainers; [ cstrahan ];
+    license = licenses.artistic2;
+    platforms   = platforms.linux;
+  };
+}
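Review bot: `src` is fetched from `http://iomelt.com/...` over plain HTTP, so the pinned `sha256` is the only integrity control on the tarball; the `iotop` expression below does the same with `http://guichaz.free.fr/...`. The fixed-output hash does stop a tampered download from building, but whoever next bumps `version` will usually take the new hash from whatever the unauthenticated fetch returned. If upstream serves the file over TLS, switch `url` and `homepage` to `https://`; otherwise add a comment saying that no HTTPS source exists. In `preBuild`, `--replace /usr $out` should quote its arguments: `--replace "/usr" "$out"`.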
diff --git a/nixpkgs/pkgs/os-specific/linux/ioport/default.nix b/nixpkgs/pkgs/os-specific/linux/ioport/default.nix
new file mode 100644
index 000000000000..6da154648fc2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ioport/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, perl, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "ioport";
+  version = "1.2";
+
+  src = fetchurl {
+    url = "https://people.redhat.com/rjones/ioport/files/ioport-${version}.tar.gz";
+    sha256 = "1h4d5g78y7kla0zl25jgyrk43wy3m3bygqg0blki357bc55irb3z";
+  };
+
+  buildInputs = [ perl ];
+
+  meta = with lib; {
+    description = "Direct access to I/O ports from the command line";
+    homepage = "https://people.redhat.com/rjones/ioport/";
+    license = licenses.gpl2Plus;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = [ maintainers.cleverca22 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iotop-c/default.nix b/nixpkgs/pkgs/os-specific/linux/iotop-c/default.nix
new file mode 100644
index 000000000000..4ed45a99ce25
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iotop-c/default.nix
@@ -0,0 +1,31 @@
+{stdenv, fetchFromGitHub, lib, ncurses, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "iotop-c";
+  version = "1.21";
+
+  src = fetchFromGitHub {
+    owner = "Tomas-M";
+    repo = "iotop";
+    rev = "v${version}";
+    sha256 = "sha256-Zzm0EV6baQvKPOC762mnieYe1JM7ZfNovKqFQt20jQ8=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ ncurses ];
+  makeFlags = [ "DESTDIR=$(out)" "TARGET=iotop-c" ];
+
+  postInstall = ''
+    mv $out/usr/share/man/man8/{iotop,iotop-c}.8
+    ln -s $out/usr/sbin $out/bin
+    ln -s $out/usr/share $out/share
+  '';
+
+  meta = with lib; {
+    description = "iotop identifies processes that use high amount of input/output requests on your machine";
+    homepage = "https://github.com/Tomas-M/iotop";
+    maintainers = [ maintainers.arezvov ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iotop/default.nix b/nixpkgs/pkgs/os-specific/linux/iotop/default.nix
new file mode 100644
index 000000000000..0376ff1a55ec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iotop/default.nix
@@ -0,0 +1,28 @@
+{ lib, fetchurl, python3Packages, fetchpatch }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "iotop";
+  version = "0.6";
+
+  src = fetchurl {
+    url = "http://guichaz.free.fr/iotop/files/iotop-${version}.tar.bz2";
+    sha256 = "0nzprs6zqax0cwq8h7hnszdl3d2m4c2d4vjfxfxbnjfs9sia5pis";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://repo.or.cz/iotop.git/patch/99c8d7cedce81f17b851954d94bfa73787300599";
+      sha256 = "0rdgz6xpmbx77lkr1ixklliy1aavdsjmfdqvzwrjylbv0xh5wc8z";
+    })
+  ];
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "A tool to find out the processes doing the most IO";
+    homepage = "http://guichaz.free.fr/iotop";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.raskin ];
+    platforms = platforms.linux;
+  };
+}
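Review bot: The `fetchpatch` entry in `patches` has neither a comment nor a `name`, so a reader cannot tell what commit `99c8d7cedce81f17b851954d94bfa73787300599` changes without fetching it. The other fetched patches visible in this diff (iproute2, iproute-mptcp, iptables) each state their purpose. Add a one-line comment above the entry describing the fix and a `name = "<short-description>.patch";` attribute (placeholder). `doCheck = false;` also deserves a short reason.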
diff --git a/nixpkgs/pkgs/os-specific/linux/iproute/default.nix b/nixpkgs/pkgs/os-specific/linux/iproute/default.nix
new file mode 100644
index 000000000000..4d06e82fcaef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iproute/default.nix
@@ -0,0 +1,66 @@
+{ lib, stdenv, fetchurl, fetchpatch
+, buildPackages, bison, flex, pkg-config
+, db, iptables, libelf, libmnl
+, gitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "iproute2";
+  version = "5.18.0";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/net/${pname}/${pname}-${version}.tar.xz";
+    sha256 = "W6PUZNUcjCg1UNUH/6w9EPeuxYe3xmsMy2lQZDZGOJ4=";
+  };
+
+  patches = [
+    # To avoid ./configure failing due to invalid arguments:
+    (fetchpatch { # configure: restore backward compatibility
+      url = "https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/patch/?id=a3272b93725a406bc98b67373da67a4bdf6fcdb0";
+      sha256 = "0hyagh2lf6rrfss4z7ca8q3ydya6gg7vfhh25slhpgcn6lnk0xbv";
+    })
+  ];
+
+  preConfigure = ''
+    # Don't try to create /var/lib/arpd:
+    sed -e '/ARPDDIR/d' -i Makefile
+  '';
+
+  outputs = [ "out" "dev" ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "SBINDIR=$(out)/sbin"
+    "DOCDIR=$(TMPDIR)/share/doc/${pname}" # Don't install docs
+    "HDRDIR=$(dev)/include/iproute2"
+  ];
+
+  buildFlags = [
+    "CONFDIR=/etc/iproute2"
+  ];
+
+  installFlags = [
+    "CONFDIR=$(out)/etc/iproute2"
+  ];
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ]; # netem requires $HOSTCC
+  nativeBuildInputs = [ bison flex pkg-config ];
+  buildInputs = [ db iptables libelf libmnl ];
+
+  enableParallelBuilding = true;
+
+  passthru.updateScript = gitUpdater {
+    inherit pname version;
+    # No nicer place to find latest release.
+    url = "https://git.kernel.org/pub/scm/network/iproute2/iproute2.git";
+    rev-prefix = "v";
+  };
+
+  meta = with lib; {
+    homepage = "https://wiki.linuxfoundation.org/networking/iproute2";
+    description = "A collection of utilities for controlling TCP/IP networking and traffic control in Linux";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ primeos eelco fpletz globin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iproute/mptcp.nix b/nixpkgs/pkgs/os-specific/linux/iproute/mptcp.nix
new file mode 100644
index 000000000000..e43af52bb349
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iproute/mptcp.nix
@@ -0,0 +1,40 @@
+{ lib, iproute2, fetchFromGitHub, fetchpatch }:
+
+iproute2.overrideAttrs (oa: rec {
+  pname = "iproute_mptcp";
+  version = "0.95";
+
+  src = fetchFromGitHub {
+    owner = "multipath-tcp";
+    repo = "iproute-mptcp";
+    rev = "mptcp_v${version}";
+    sha256 = "07fihvwlaj0ng8s8sxqhd0a9h1narcnp4ibk88km9cpsd32xv4q3";
+  };
+
+  preConfigure = oa.preConfigure + ''
+    patchShebangs configure
+  '';
+
+  patches = [
+    # We override "patches" to never apply any iproute2 patches:
+  ] ++ [
+    # iproute-mptcp patches:
+
+    # Pull upstream fix for -fno-common toolchain support:
+    #   https://github.com/multipath-tcp/iproute-mptcp/pull/8
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/multipath-tcp/iproute-mptcp/commit/7aebfde8624c978f6f73b03142892f802d21cc0b.patch";
+      sha256 = "098402sjdm10r9xggz6naygnfjs74d9k3s2wc2aczx0d2zayhff8";
+    })
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/multipath-tcp/iproute-mptcp";
+    description = "IP-Route extensions for MultiPath TCP";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ teto ];
+    priority = 2;
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/ipset/default.nix b/nixpkgs/pkgs/os-specific/linux/ipset/default.nix
new file mode 100644
index 000000000000..a116aef7920a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ipset/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenv, fetchurl, pkg-config, libmnl }:
+
+stdenv.mkDerivation rec {
+  pname = "ipset";
+  version = "7.15";
+
+  src = fetchurl {
+    url = "https://ipset.netfilter.org/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-ClVFqq22QBQsH4iNNmp43fhyR5mWf6IGhqcAU71iF1E=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libmnl ];
+
+  configureFlags = [ "--with-kmod=no" ];
+
+  meta = with lib; {
+    homepage = "https://ipset.netfilter.org/";
+    description = "Administration tool for IP sets";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iptables/default.nix b/nixpkgs/pkgs/os-specific/linux/iptables/default.nix
new file mode 100644
index 000000000000..0704860c961f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iptables/default.nix
@@ -0,0 +1,70 @@
+{ lib, stdenv, fetchurl, pkg-config, pruneLibtoolFiles, flex, bison
+, libmnl, libnetfilter_conntrack, libnfnetlink, libnftnl, libpcap
+, nftablesCompat ? true
+, fetchpatch
+}:
+
+stdenv.mkDerivation rec {
+  version = "1.8.8";
+  pname = "iptables";
+
+  src = fetchurl {
+    url = "https://www.netfilter.org/projects/${pname}/files/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-ccdYidxxBnZjFVPrFRHaAXe7qvG1USZbkS0jbD9RhZ8=";
+  };
+
+  patches = [
+    # xshared: Fix build for -Werror=format-security
+    (fetchpatch {
+      url = "https://git.netfilter.org/iptables/patch/?id=b72eb12ea5a61df0655ad99d5048994e916be83a";
+      sha256 = "sha256-pnamqOagwNWoiwlxPnKCqSc2N7MP/eZlT7JiE09c8OE=";
+    })
+    # treewide: use uint* instead of u_int*
+    (fetchpatch {
+      url = "https://git.netfilter.org/iptables/patch/?id=f319389525b066b7dc6d389c88f16a0df3b8f189";
+      sha256 = "sha256-rOxCEWZoI8Ac5fQDp286YHAwvreUAoDVAbomboKrGyM=";
+    })
+    # fix Musl build
+    (fetchpatch {
+      url = "https://git.netfilter.org/iptables/patch/?id=0e7cf0ad306cdf95dc3c28d15a254532206a888e";
+      sha256 = "18mnvqfxzd7ifq3zjb4vyifcyadpxdi8iqcj8wsjgw23n49lgrbj";
+    })
+  ];
+
+  outputs = [ "out" "dev" "man" ];
+
+  nativeBuildInputs = [ pkg-config pruneLibtoolFiles flex bison ];
+
+  buildInputs = [ libmnl libnetfilter_conntrack libnfnetlink libnftnl libpcap ];
+
+  preConfigure = ''
+    export NIX_LDFLAGS="$NIX_LDFLAGS -lmnl -lnftnl"
+  '';
+
+  configureFlags = [
+    "--enable-bpf-compiler"
+    "--enable-devel"
+    "--enable-libipq"
+    "--enable-nfsynproxy"
+    "--enable-shared"
+  ] ++ lib.optional (!nftablesCompat) "--disable-nftables";
+
+  postInstall = lib.optionalString nftablesCompat ''
+    rm $out/sbin/{iptables,iptables-restore,iptables-save,ip6tables,ip6tables-restore,ip6tables-save}
+    ln -sv xtables-nft-multi $out/bin/iptables
+    ln -sv xtables-nft-multi $out/bin/iptables-restore
+    ln -sv xtables-nft-multi $out/bin/iptables-save
+    ln -sv xtables-nft-multi $out/bin/ip6tables
+    ln -sv xtables-nft-multi $out/bin/ip6tables-restore
+    ln -sv xtables-nft-multi $out/bin/ip6tables-save
+  '';
+
+  meta = with lib; {
+    description = "A program to configure the Linux IP packet filtering ruleset";
+    homepage = "https://www.netfilter.org/projects/iptables/index.html";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fpletz ];
+    license = licenses.gpl2;
+    downloadPage = "https://www.netfilter.org/projects/iptables/files/";
+  };
+}
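Review bot: In `postInstall` the legacy entries are removed from `$out/sbin`, but the replacement symlinks are created in `$out/bin` with the relative target `xtables-nft-multi`. The links only resolve if `xtables-nft-multi` ends up in the same directory, which presumably relies on the later fixup step that merges `sbin` into `bin`; nothing in the hunk says so. Add a comment such as `# sbin is merged into bin during fixup, so the links are created in bin`. It is also worth a comment next to `nftablesCompat ? true` that the default makes `iptables`/`ip6tables` drive the nf_tables backend, so rules loaded through the legacy binaries form a separate rule set.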
diff --git a/nixpkgs/pkgs/os-specific/linux/iptstate/default.nix b/nixpkgs/pkgs/os-specific/linux/iptstate/default.nix
new file mode 100644
index 000000000000..4e3693aba6f1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iptstate/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchurl, libnetfilter_conntrack, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "iptstate";
+  version = "2.2.7";
+
+  src = fetchurl {
+    url = "https://github.com/jaymzh/iptstate/releases/download/v${version}/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-iW3wYCiFRWomMfeV1jT8ITEeUF+MkQNI5jEoYPIJeVU=";
+  };
+
+  buildInputs = [ libnetfilter_conntrack ncurses ];
+
+  meta = with lib; {
+    description = "Conntrack top like tool";
+    homepage = "https://github.com/jaymzh/iptstate";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ trevorj ];
+    downloadPage = "https://github.com/jaymzh/iptstate/releases";
+    license = licenses.zlib;
+  };
+
+  installPhase = ''
+    install -m755 -D iptstate $out/bin/iptstate
+  '';
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/iputils/default.nix b/nixpkgs/pkgs/os-specific/linux/iputils/default.nix
new file mode 100644
index 000000000000..0ca6d8aa187f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iputils/default.nix
@@ -0,0 +1,87 @@
+{ lib, stdenv, fetchFromGitHub
+, meson, ninja, pkg-config, gettext, libxslt, docbook_xsl_ns
+, libcap, libidn2
+, iproute2
+, apparmorRulesFromClosure
+}:
+
+let
+  version = "20211215";
+  sunAsIsLicense = {
+    fullName = "AS-IS, SUN MICROSYSTEMS license";
+    url = "https://github.com/iputils/iputils/blob/s${version}/rdisc.c";
+  };
+in stdenv.mkDerivation rec {
+  pname = "iputils";
+  inherit version;
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = version;
+    sha256 = "1vzdch1xi2x2j8mvnsr4wwwh7kdkgf926xafw5kkb74yy1wac5qv";
+  };
+
+  outputs = ["out" "apparmor"];
+
+  # We don't have the required permissions inside the build sandbox:
+  # /build/source/build/ping/ping: socket: Operation not permitted
+  doCheck = false;
+
+  mesonFlags = [
+    "-DBUILD_RARPD=true"
+    "-DNO_SETCAP_OR_SUID=true"
+    "-Dsystemdunitdir=etc/systemd/system"
+    "-DINSTALL_SYSTEMD_UNITS=true"
+    "-DSKIP_TESTS=${lib.boolToString (!doCheck)}"
+  ]
+    # Disable idn usage w/musl (https://github.com/iputils/iputils/pull/111):
+    ++ lib.optional stdenv.hostPlatform.isMusl "-DUSE_IDN=false";
+
+  nativeBuildInputs = [ meson ninja pkg-config gettext libxslt.bin docbook_xsl_ns ];
+  buildInputs = [ libcap ]
+    ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2;
+  checkInputs = [ iproute2 ];
+
+  postInstall = ''
+    mkdir $apparmor
+    cat >$apparmor/bin.ping <<EOF
+    include <tunables/global>
+    $out/bin/ping {
+      include <abstractions/base>
+      include <abstractions/consoles>
+      include <abstractions/nameservice>
+      include "${apparmorRulesFromClosure { name = "ping"; }
+       ([libcap] ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2)}"
+      include <local/bin.ping>
+      capability net_raw,
+      network inet raw,
+      network inet6 raw,
+      mr $out/bin/ping,
+      r $out/share/locale/**,
+      r @{PROC}/@{pid}/environ,
+    }
+    EOF
+  '';
+
+  meta = with lib; {
+    description = "A set of small useful utilities for Linux networking";
+    inherit (src.meta) homepage;
+    changelog = "https://github.com/iputils/iputils/releases/tag/s${version}";
+    license = with licenses; [ gpl2Plus bsd3 sunAsIsLicense ];
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos lheckemann ];
+
+    longDescription = ''
+      A set of small useful utilities for Linux networking including:
+
+      arping
+      clockdiff
+      ninfod
+      ping
+      rarpd
+      rdisc
+      tracepath
+    '';
+  };
+}
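Review bot: `src` checks out `rev = version` (the ref `20211215`), but `sunAsIsLicense.url` and `meta.changelog` both build their links from `s${version}`. Unless upstream also publishes an `s`-prefixed tag for this release, the license and changelog links point at a ref other than the one being built; use the same ref in both, e.g. `url = "https://github.com/iputils/iputils/blob/${version}/rdisc.c";`. A short comment on `-DNO_SETCAP_OR_SUID=true` would help as well: the installed `ping` presumably carries no capability or setuid bit, so `net_raw` has to be granted by the system configuration that the AppArmor profile in `postInstall` is written for.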
diff --git a/nixpkgs/pkgs/os-specific/linux/ipvsadm/default.nix b/nixpkgs/pkgs/os-specific/linux/ipvsadm/default.nix
new file mode 100644
index 000000000000..c98816746918
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ipvsadm/default.nix
@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchurl, pkg-config, libnl, popt, gnugrep }:
+
+stdenv.mkDerivation rec {
+  pname = "ipvsadm";
+  version = "1.31";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/kernel/ipvsadm/${pname}-${version}.tar.xz";
+    sha256 = "1nyzpv1hx75k9lh0vfxfhc0p2fpqaqb38xpvs8sn88m1nljmw2hs";
+  };
+
+  postPatch = ''
+    substituteInPlace Makefile --replace "-lnl" "$(pkg-config --libs libnl-genl-3.0)"
+  '';
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libnl popt ];
+
+  # Disable parallel build, errors:
+  #  *** No rule to make target 'libipvs/libipvs.a', needed by 'ipvsadm'.  Stop.
+  enableParallelBuilding = false;
+
+  preBuild = ''
+    makeFlagsArray+=(
+      INCLUDE=$(pkg-config --cflags libnl-genl-3.0)
+      BUILD_ROOT=$out
+      MANDIR=share/man
+    )
+  '';
+
+  postInstall = ''
+    sed -i -e "s|^PATH=.*|PATH=$out/bin:${gnugrep}/bin|" $out/sbin/ipvsadm-{restore,save}
+  '';
+
+  meta = with lib; {
+    description = "Linux Virtual Server support programs";
+    homepage = "http://www.linuxvirtualserver.org/software/ipvs.html";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
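Review bot: In `preBuild`, `INCLUDE=$(pkg-config --cflags libnl-genl-3.0)` is unquoted inside the `makeFlagsArray+=( ... )` literal, so the output is word-split: only the first flag stays attached to `INCLUDE=` and any further flag becomes a separate argument to make. Quote the element: `"INCLUDE=$(pkg-config --cflags libnl-genl-3.0)"`. `homepage` is also an `http://` link and could be checked for an HTTPS equivalent.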
diff --git a/nixpkgs/pkgs/os-specific/linux/irqbalance/default.nix b/nixpkgs/pkgs/os-specific/linux/irqbalance/default.nix
new file mode 100644
index 000000000000..d09b5f38f916
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/irqbalance/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, pkg-config, glib, ncurses, libcap_ng }:
+
+stdenv.mkDerivation rec {
+  pname = "irqbalance";
+  version = "1.9.0";
+
+  src = fetchFromGitHub {
+    owner = "irqbalance";
+    repo = "irqbalance";
+    rev = "v${version}";
+    sha256 = "sha256-OifGlOUT/zFz5gussEmLL24w4AovGeyNfbg/yCfzerw=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ glib ncurses libcap_ng ];
+
+  LDFLAGS = "-lncurses";
+
+  postInstall =
+    ''
+      # Systemd service
+      mkdir -p $out/lib/systemd/system
+      grep -vi "EnvironmentFile" misc/irqbalance.service >$out/lib/systemd/system/irqbalance.service
+      substituteInPlace $out/lib/systemd/system/irqbalance.service \
+        --replace /usr/sbin/irqbalance $out/bin/irqbalance \
+        --replace ' $IRQBALANCE_ARGS' ""
+    '';
+
+  meta = with lib; {
+    homepage = "https://github.com/Irqbalance/irqbalance";
+    changelog = "https://github.com/Irqbalance/irqbalance/releases/tag/v${version}";
+    description = "A daemon to help balance the cpu load generated by interrupts across all of a systems cpus";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fortuneteller2k ];
+  };
+}
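Review bot: `fetchpatch` is listed in the function arguments but nothing in the expression uses it, so it can be dropped from the argument set. The `postInstall` step strips the `EnvironmentFile` line and ` $IRQBALANCE_ARGS` from the upstream unit without saying why. A one-line comment would tell the next reader that the daemon's options are no longer configurable through an environment file, e.g. `# no /etc environment file in the store; run with default arguments`.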
diff --git a/nixpkgs/pkgs/os-specific/linux/isgx/default.nix b/nixpkgs/pkgs/os-specific/linux/isgx/default.nix
new file mode 100644
index 000000000000..6e97532ee5dd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/isgx/default.nix
@@ -0,0 +1,45 @@
+{ stdenv, lib, fetchFromGitHub, kernel, kernelAtLeast }:
+
+stdenv.mkDerivation rec {
+  name = "isgx-${version}-${kernel.version}";
+  version = "2.14";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx-driver";
+    rev = "sgx_diver_${version}"; # Typo is upstream's.
+    sha256 = "0kbbf2inaywp44lm8ig26mkb36jq3smsln0yp6kmrirdwc3c53mi";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D isgx.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/intel/sgx
+    runHook postInstall
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Intel SGX Linux Driver";
+    longDescription = ''
+      The linux-sgx-driver project (isgx) hosts an out-of-tree driver
+      for the Linux* Intel(R) SGX software stack, which would be used
+      until the driver upstreaming process is complete (before 5.11.0).
+
+      It is used to support Enhanced Privacy Identification (EPID)
+      based attestation on the platforms without Flexible Launch Control.
+    '';
+    homepage = "https://github.com/intel/linux-sgx-driver";
+    license = with licenses; [ bsd3 /* OR */ gpl2Only ];
+    maintainers = with maintainers; [ oxalica ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
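Review bot: `kernelAtLeast` is taken as a function argument but never used, while `longDescription` says the driver is only meant for kernels before 5.11.0. If that cutoff is meant to be enforced, the natural place is `meta`, e.g. `broken = kernel.kernelAtLeast "5.11";` (the form the `intel-speed-select` expression in this diff uses); otherwise drop the unused argument. As written, the expression is not marked `broken` on any kernel version, including those where the in-tree SGX driver exists.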
diff --git a/nixpkgs/pkgs/os-specific/linux/it87/default.nix b/nixpkgs/pkgs/os-specific/linux/it87/default.nix
new file mode 100644
index 000000000000..aa51626986e7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/it87/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "it87-${version}-${kernel.version}";
+  version = "unstable-2022-02-26";
+
+  # Original is no longer maintained.
+  # This is the same upstream as the AUR uses.
+  src = fetchFromGitHub {
+    owner = "frankcrawford";
+    repo = "it87";
+    rev = "c93d61adadecb009c92f3258cd3ff14a66efb193";
+    sha256 = "sha256-wVhs//iwZUUGRTk1DpV/SnA7NZ7cFyYbsUbtazlxb6Q=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preConfigure = ''
+    sed -i 's|depmod|#depmod|' Makefile
+  '';
+
+  makeFlags = [
+    "TARGET=${kernel.modDirVersion}"
+    "KERNEL_MODULES=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+    "MODDESTDIR=$(out)/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon"
+  ];
+
+  meta = with lib; {
+    description = "Patched module for IT87xx superio chip sensors support";
+    homepage = "https://github.com/hannesha/it87";
+    license = licenses.gpl2Plus;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = teams.lumiguide.members;
+  };
+}
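Review bot: `meta.homepage` points at `https://github.com/hannesha/it87`, but `src` is fetched from the `frankcrawford/it87` repository, and the comment above `src` says the original is no longer maintained. Anyone following the homepage to audit the code or report a problem lands on a different repository from the one that is built and loaded as a kernel module. Set `homepage = "https://github.com/frankcrawford/it87";` so the metadata matches the pinned source.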
diff --git a/nixpkgs/pkgs/os-specific/linux/ithc/default.nix b/nixpkgs/pkgs/os-specific/linux/ithc/default.nix
new file mode 100644
index 000000000000..69b202e7e201
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ithc/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "ithc";
+  version = "unstable-2022-06-07";
+
+  src = fetchFromGitHub {
+    owner = "quo";
+    repo = "ithc-linux";
+    rev = "5af2a2213d2f3d944b19ec7ccdb96f16d56adddb";
+    hash = "sha256-p4TooWUOWPfNdePE18ESmRJezPDAl9nLb55LQtkJiSg=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "VERSION=${version}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  postPatch = ''
+    sed -i ./Makefile -e '/depmod/d'
+  '';
+
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "Linux driver for Intel Touch Host Controller";
+    homepage = "https://github.com/quo/ithc-linux";
+    license = licenses.publicDomain;
+    maintainers = with maintainers; [ aacebedo ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.9";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iw/default.nix b/nixpkgs/pkgs/os-specific/linux/iw/default.nix
new file mode 100644
index 000000000000..ac8efbb7969f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iw/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchurl, pkg-config, libnl }:
+
+stdenv.mkDerivation rec {
+  pname = "iw";
+  version = "5.16";
+
+  src = fetchurl {
+    url = "https://www.kernel.org/pub/software/network/${pname}/${pname}-${version}.tar.xz";
+    sha256 = "sha256-TETkJ2L5A/kJS6WlmJmMgAqXpir9b9MeweCnmeMIZZw=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libnl ];
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  meta = {
+    description = "Tool to use nl80211";
+    longDescription = ''
+      iw is a new nl80211 based CLI configuration utility for wireless devices.
+      It supports all new drivers that have been added to the kernel recently.
+      The old tool iwconfig, which uses Wireless Extensions interface, is
+      deprecated and it's strongly recommended to switch to iw and nl80211.
+    '';
+    homepage = "https://wireless.wiki.kernel.org/en/users/Documentation/iw";
+    license = lib.licenses.isc;
+    maintainers = with lib.maintainers; [ viric primeos ];
+    platforms = with lib.platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/iwd/default.nix b/nixpkgs/pkgs/os-specific/linux/iwd/default.nix
new file mode 100644
index 000000000000..dfd5f5724ef8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/iwd/default.nix
@@ -0,0 +1,97 @@
+{ lib, stdenv
+, fetchgit
+, autoreconfHook
+, pkg-config
+, ell
+, coreutils
+, docutils
+, readline
+, openssl
+, python3Packages
+}:
+
+stdenv.mkDerivation rec {
+  pname = "iwd";
+  version = "1.29";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
+    rev = version;
+    sha256 = "sha256-W2MOK6aIa1whkj13OeuibNjL/2LWt7TO8h4JeoUrZnQ=";
+  };
+
+  outputs = [ "out" "man" "doc" ]
+    ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "test";
+
+  nativeBuildInputs = [
+    autoreconfHook
+    docutils
+    pkg-config
+    python3Packages.wrapPython
+  ];
+
+  buildInputs = [
+    ell
+    python3Packages.python
+    readline
+  ];
+
+  checkInputs = [ openssl ];
+
+  # wrapPython wraps the scripts in $test. They pull in gobject-introspection,
+  # which doesn't cross-compile.
+  pythonPath = lib.optionals (stdenv.hostPlatform == stdenv.buildPlatform) [
+    python3Packages.dbus-python
+    python3Packages.pygobject3
+  ];
+
+  configureFlags = [
+    "--enable-external-ell"
+    "--enable-wired"
+    "--localstatedir=/var/"
+    "--with-dbus-busdir=${placeholder "out"}/share/dbus-1/system-services/"
+    "--with-dbus-datadir=${placeholder "out"}/share/"
+    "--with-systemd-modloaddir=${placeholder "out"}/etc/modules-load.d/" # maybe
+    "--with-systemd-unitdir=${placeholder "out"}/lib/systemd/system/"
+    "--with-systemd-networkdir=${placeholder "out"}/lib/systemd/network/"
+  ];
+
+  postUnpack = ''
+    mkdir -p iwd/ell
+    ln -s ${ell.src}/ell/useful.h iwd/ell/useful.h
+    ln -s ${ell.src}/ell/asn1-private.h iwd/ell/asn1-private.h
+    patchShebangs .
+  '';
+
+  doCheck = true;
+
+  postInstall = ''
+    mkdir -p $doc/share/doc
+    cp -a doc $doc/share/doc/iwd
+    cp -a README AUTHORS TODO $doc/share/doc/iwd
+  '' + lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform) ''
+    mkdir -p $test/bin
+    cp -a test/* $test/bin/
+  '';
+
+  preFixup = ''
+    wrapPythonPrograms
+  '';
+
+  postFixup = ''
+    substituteInPlace $out/share/dbus-1/system-services/net.connman.ead.service \
+      --replace /bin/false ${coreutils}/bin/false
+    substituteInPlace $out/share/dbus-1/system-services/net.connman.iwd.service \
+      --replace /bin/false ${coreutils}/bin/false
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
+    description = "Wireless daemon for Linux";
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ dtzWill fpletz maxeaubrey ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ixgbevf/default.nix b/nixpkgs/pkgs/os-specific/linux/ixgbevf/default.nix
new file mode 100644
index 000000000000..6a748c470190
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ixgbevf/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchurl, kernel, kmod }:
+
+stdenv.mkDerivation rec {
+  name = "ixgbevf-${version}-${kernel.version}";
+  version = "4.6.1";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/e1000/ixgbevf-${version}.tar.gz";
+    sha256 = "0h8a2g4hm38wmr13gvi2188r7nlv2c5rx6cal9gkf1nh6sla181c";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  configurePhase = ''
+    cd src
+    makeFlagsArray+=(KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build INSTALL_MOD_PATH=$out MANDIR=/share/man)
+    substituteInPlace common.mk --replace /sbin/depmod ${kmod}/bin/depmod
+    # prevent host system kernel introspection
+    substituteInPlace common.mk --replace /boot/System.map /not-exists
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Intel 82599 Virtual Function Driver";
+    homepage = "https://sourceforge.net/projects/e1000/files/ixgbevf%20stable/";
+    license = licenses.gpl2;
+    priority = 20;
+    # kernels ship ixgbevf driver for a long time already, maybe switch to a newest kernel?
+    broken = versionAtLeast kernel.version "5.2";
+  };
+}
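Review bot: The two `substituteInPlace common.mk --replace …` calls in `configurePhase` are never verified, and as far as I know `--replace` in this stdenv does not fail when the pattern is absent. If a later ixgbevf release renames the `/boot/System.map` or `/sbin/depmod` reference, the build would quietly go back to probing the host. A check after the substitutions, such as `if grep -qE '/boot/System.map|/sbin/depmod' common.mk; then exit 1; fi`, would turn that into a build failure. The same applies to the `/bin/setfacl` and `ExecStart=` rewrites in joycond's `installPhase` and to the decompressor paths in kbd's `postPatch`.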
diff --git a/nixpkgs/pkgs/os-specific/linux/jfbview/default.nix b/nixpkgs/pkgs/os-specific/linux/jfbview/default.nix
new file mode 100644
index 000000000000..eb61ff9d5130
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jfbview/default.nix
@@ -0,0 +1,73 @@
+{ lib, stdenv, fetchFromGitHub
+, freetype, harfbuzz, jbig2dec, libjpeg, libX11, mupdf_1_17, ncurses, openjpeg
+, openssl
+
+, imageSupport ? true, imlib2 ? null }:
+
+let
+  package = if imageSupport
+    then "jfbview"
+    else "jfbpdf";
+  binaries = if imageSupport
+    then [ "jfbview" "jpdfcat" "jpdfgrep" ] # all require imlib2
+    else [ "jfbpdf" ]; # does not
+in
+
+stdenv.mkDerivation rec {
+  pname = package;
+  version = "0.5.7";
+
+  src = fetchFromGitHub {
+    repo = "JFBView";
+    owner = "jichu4n";
+    rev = version;
+    sha256 = "0ppns49hnmp04zdjw6wc28v0yvz31rkzvd5ylcj7arikx20llpxf";
+  };
+
+  postPatch = ''
+    substituteInPlace main.cpp \
+      --replace "<stropts.h>" "<sys/ioctl.h>"
+  '';
+
+  hardeningDisable = [ "format" ];
+
+  buildInputs = [
+    freetype harfbuzz jbig2dec libjpeg libX11 mupdf_1_17 ncurses openjpeg
+    openssl
+  ] ++ lib.optionals imageSupport [
+    imlib2
+  ];
+
+  configurePhase = ''
+    # Hack. Probing (`ldconfig -p`) fails with ‘cannot execute binary file’.
+    # Overriding `OPENJP2 =` later works, but makes build output misleading:
+    substituteInPlace Makefile --replace "ldconfig -p" "echo libopenjp2"
+
+    make config.mk
+  '';
+
+  buildFlags = binaries;
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    mkdir -p $out/bin
+    install ${toString binaries} $out/bin
+  '';
+
+  meta = with lib; {
+    description = "PDF and image viewer for the Linux framebuffer";
+    longDescription = ''
+      A very fast PDF and image viewer for the Linux framebuffer with some
+      advanced and unique features, including:
+      - Reads PDFs (MuPDF) and common image formats (Imlib2)
+      - Supports arbitrary zoom (10% - 1000%) and rotation
+      - Table of Contents (TOC) viewer for PDF documents
+      - Multi-threaded rendering on multi-core machines
+      - Asynchronous background rendering of the next page
+      - Customizable multi-threaded caching
+    '';
+    homepage = "https://seasonofcode.com/pages/jfbview.html";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+  };
+}
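Review bot: `hardeningDisable = [ "format" ];` switches off the format-string hardening flags for the whole build, and nothing says which call needs the exemption. This program parses PDF and image files, which are often untrusted, so the exemption deserves a justification next to it, for example `# <file>: non-literal format string fails -Werror=format-security` (placeholder, fill in the actual site). Better still would be a `postPatch` fix of that call so the flag can stay on. The pin to `mupdf_1_17` is likewise uncommented; a line saying why that version is required would help whoever next audits the parser dependency.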
diff --git a/nixpkgs/pkgs/os-specific/linux/jool/cli.nix b/nixpkgs/pkgs/os-specific/linux/jool/cli.nix
new file mode 100644
index 000000000000..4c18f478798e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jool/cli.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libnl, iptables }:
+
+let
+  sourceAttrs = (import ./source.nix) { inherit fetchFromGitHub; };
+in
+
+stdenv.mkDerivation {
+  pname = "jool-cli";
+  version = sourceAttrs.version;
+
+  src = sourceAttrs.src;
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ libnl iptables ];
+
+  makeFlags = [ "-C" "src/usr" ];
+
+  prePatch = ''
+    sed -e 's%^XTABLES_SO_DIR = .*%XTABLES_SO_DIR = '"$out"'/lib/xtables%g' -i src/usr/iptables/Makefile
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.jool.mx/";
+    description = "Fairly compliant SIIT and Stateful NAT64 for Linux - CLI tools";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ fpletz ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/jool/default.nix b/nixpkgs/pkgs/os-specific/linux/jool/default.nix
new file mode 100644
index 000000000000..9246ca679a65
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jool/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+let
+  sourceAttrs = (import ./source.nix) { inherit fetchFromGitHub; };
+in
+
+stdenv.mkDerivation {
+  name = "jool-${sourceAttrs.version}-${kernel.version}";
+
+  src = sourceAttrs.src;
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  hardeningDisable = [ "pic" ];
+
+  prePatch = ''
+    sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i src/mod/*/Makefile
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "-C src/mod"
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  installTargets = "modules_install";
+
+  meta = with lib; {
+    homepage = "https://www.jool.mx/";
+    description = "Fairly compliant SIIT and Stateful NAT64 for Linux - kernel modules";
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fpletz ];
+  };
+}
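Review bot: `"-C src/mod"` in `makeFlags` is a single list element holding two arguments, whereas `jool/cli.nix` writes the same option as `"-C" "src/usr"`. It presumably works only because the flags are word-split when the build phase expands them. I would expect it to break if the derivation is ever switched to structured attributes, where each element is passed as one argument. Writing it as `"-C" "src/mod"` keeps the two files consistent and removes the dependency on splitting.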
diff --git a/nixpkgs/pkgs/os-specific/linux/jool/source.nix b/nixpkgs/pkgs/os-specific/linux/jool/source.nix
new file mode 100644
index 000000000000..87e36fe5a9eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jool/source.nix
@@ -0,0 +1,11 @@
+{ fetchFromGitHub }:
+
+rec {
+  version = "4.1.7";
+  src = fetchFromGitHub {
+    owner = "NICMx";
+    repo = "Jool";
+    rev = "v${version}";
+    sha256 = "08z23mi6xkr6zzp0hzh1cppvl2y0177s0lnpxqbpy8jiii5fxw8f";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/joycond/default.nix b/nixpkgs/pkgs/os-specific/linux/joycond/default.nix
new file mode 100644
index 000000000000..e60e661f0c44
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/joycond/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, libevdev, udev, acl }:
+
+stdenv.mkDerivation rec {
+  pname = "joycond";
+  version = "unstable-2021-07-30";
+
+  src = fetchFromGitHub {
+    owner = "DanielOgorchock";
+    repo = "joycond";
+    rev = "f9a66914622514c13997c2bf7ec20fa98e9dfc1d";
+    sha256 = "sha256-quw7yBHDDZk1+6uHthsfMCej7g5uP0nIAqzvI6436B8=";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libevdev udev ];
+
+  # CMake has hardcoded install paths
+  installPhase = ''
+    mkdir -p $out/{bin,etc/{systemd/system,udev/rules.d},lib/modules-load.d}
+
+    cp ./joycond $out/bin
+    cp $src/udev/{89,72}-joycond.rules $out/etc/udev/rules.d
+    cp $src/systemd/joycond.service $out/etc/systemd/system
+    cp $src/systemd/joycond.conf $out/lib/modules-load.d
+
+    substituteInPlace $out/etc/systemd/system/joycond.service --replace \
+      "ExecStart=/usr/bin/joycond" "ExecStart=$out/bin/joycond"
+
+    substituteInPlace $out/etc/udev/rules.d/89-joycond.rules --replace \
+      "/bin/setfacl"  "${acl}/bin/setfacl"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/DanielOgorchock/joycond";
+    description = "Userspace daemon to combine joy-cons from the hid-nintendo kernel driver";
+    license = licenses.gpl3Only;
+    maintainers = [ maintainers.ivar ];
+    platforms = platforms.linux;
+  };
+}
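Review bot: The custom `installPhase` does not call `runHook preInstall` / `runHook postInstall`, so hooks added through `overrideAttrs` are skipped without notice. Add `runHook preInstall` as the first line and `runHook postInstall` as the last line of the phase. The comment above it could also state that only the service file and `89-joycond.rules` get their paths rewritten, while `72-joycond.rules` and `joycond.conf` are installed unmodified.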
diff --git a/nixpkgs/pkgs/os-specific/linux/jujuutils/default.nix b/nixpkgs/pkgs/os-specific/linux/jujuutils/default.nix
new file mode 100644
index 000000000000..12e4c15e62c0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/jujuutils/default.nix
@@ -0,0 +1,20 @@
+{ lib, stdenv, fetchurl, linuxHeaders }:
+
+stdenv.mkDerivation rec {
+  pname = "jujuutils";
+  version = "0.2";
+
+  src = fetchurl {
+    url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/jujuutils/jujuutils-${version}.tar.gz";
+    sha256 = "1r74m7s7rs9d6y7cffi7mdap3jf96qwm1v6jcw53x5cikgmfxn4x";
+  };
+
+  buildInputs = [ linuxHeaders ];
+
+  meta = {
+    homepage = "https://github.com/cladisch/linux-firewire-utils";
+    description = "Utilities around FireWire devices connected to a Linux computer";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kbd/default.nix b/nixpkgs/pkgs/os-specific/linux/kbd/default.nix
new file mode 100644
index 000000000000..4d08a38dbe85
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kbd/default.nix
@@ -0,0 +1,81 @@
+{ lib
+, stdenv
+, fetchurl
+, nixosTests
+, autoreconfHook
+, pkg-config
+, flex
+, check
+, pam
+, coreutils
+, gzip
+, bzip2
+, xz
+, zstd
+}:
+
+stdenv.mkDerivation rec {
+  pname = "kbd";
+  version = "2.4.0";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/kbd/${pname}-${version}.tar.xz";
+    sha256 = "17wvrqz2kk0w87idinhyvd31ih1dp7ldfl2yfx7ailygb0279w2m";
+  };
+
+  configureFlags = [
+    "--enable-optional-progs"
+    "--enable-libkeymap"
+    "--disable-nls"
+  ];
+
+  patches = [
+    ./search-paths.patch
+  ];
+
+  postPatch =
+    ''
+      # Renaming keymaps with name clashes, because loadkeys just picks
+      # the first keymap it sees. The clashing names lead to e.g.
+      # "loadkeys no" defaulting to a norwegian dvorak map instead of
+      # the much more common qwerty one.
+      pushd data/keymaps/i386
+      mv qwertz/cz{,-qwertz}.map
+      mv olpc/es{,-olpc}.map
+      mv olpc/pt{,-olpc}.map
+      mv fgGIod/trf{,-fgGIod}.map
+      mv colemak/{en-latin9,colemak}.map
+      popd
+
+      # Fix paths to decompressors. Trailing space to avoid replacing `xz` in `".xz"`.
+      substituteInPlace src/libkbdfile/kbdfile.c \
+        --replace 'gzip '  '${gzip}/bin/gzip ' \
+        --replace 'bzip2 ' '${bzip2.bin}/bin/bzip2 ' \
+        --replace 'xz '    '${xz.bin}/bin/xz ' \
+        --replace 'zstd '  '${zstd.bin}/bin/zstd '
+    '';
+
+  postInstall = ''
+    for i in $out/bin/unicode_{start,stop}; do
+      substituteInPlace "$i" \
+        --replace /usr/bin/tty ${coreutils}/bin/tty
+    done
+  '';
+
+  buildInputs = [ check pam ];
+  NIX_LDFLAGS = lib.optional stdenv.hostPlatform.isStatic "-laudit";
+  nativeBuildInputs = [ autoreconfHook pkg-config flex ];
+
+  passthru.tests = {
+    inherit (nixosTests) keymap kbd-setfont-decompress kbd-update-search-paths-patch;
+  };
+  passthru.gzip = gzip;
+
+  meta = with lib; {
+    homepage = "https://kbd-project.org/";
+    description = "Linux keyboard tools and keyboard maps";
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ davidak ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kbd/search-paths.patch b/nixpkgs/pkgs/os-specific/linux/kbd/search-paths.patch
new file mode 100644
index 000000000000..3b337ca7cc2b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kbd/search-paths.patch
@@ -0,0 +1,85 @@
+Add /etc/kbd to the list of directories to search for the console
+fonts, screen mappings, Unicode maps, keytable files, etc.
+
+Without this patch, kbd will only look inside
+/nix/store/<hash>-kbd-x.x.x/share.
+
+--- a/src/libkeymap/analyze.l
++++ b/src/libkeymap/analyze.l
+@@ -109,6 +109,9 @@ static const char *const include_dirpath1[] = {
+ 	NULL
+ };
+ static const char *const include_dirpath3[] = {
++	"/etc/kbd/" KEYMAPDIR "/include/",
++	"/etc/kbd/" KEYMAPDIR "/i386/include/",
++	"/etc/kbd/" KEYMAPDIR "/mac/include/",
+ 	DATADIR "/" KEYMAPDIR "/include/",
+ 	DATADIR "/" KEYMAPDIR "/i386/include/",
+ 	DATADIR "/" KEYMAPDIR "/mac/include/",
+--- a/src/libkfont/context.c
++++ b/src/libkfont/context.c
+@@ -13,6 +13,7 @@
+ /* search for the map file in these directories (with trailing /) */
+ static const char *const mapdirpath[]  = {
+ 	"",
++	"/etc/kbd/" TRANSDIR "/",
+ 	DATADIR "/" TRANSDIR "/",
+ 	NULL
+ };
+@@ -28,6 +29,7 @@ static const char *const mapsuffixes[] = {
+ /* search for the font in these directories (with trailing /) */
+ static const char *const fontdirpath[]  = {
+ 	"",
++	"/etc/kbd/" FONTDIR "/",
+ 	DATADIR "/" FONTDIR "/",
+ 	NULL
+ };
+@@ -42,6 +44,7 @@ static char const *const fontsuffixes[] = {
+ 
+ static const char *const unidirpath[]  = {
+ 	"",
++	"/etc/kbd/" UNIMAPDIR "/",
+ 	DATADIR "/" UNIMAPDIR "/",
+ 	NULL
+ };
+@@ -55,6 +58,7 @@ static const char *const unisuffixes[] = {
+ /* hide partial fonts a bit - loading a single one is a bad idea */
+ const char *const partfontdirpath[]  = {
+ 	"",
++	"/etc/kbd/" FONTDIR "/" PARTIALDIR "/",
+ 	DATADIR "/" FONTDIR "/" PARTIALDIR "/",
+ 	NULL
+ };
+--- a/src/loadkeys.c
++++ b/src/loadkeys.c
+@@ -27,6 +27,7 @@
+ 
+ static const char *const dirpath1[] = {
+ 	"",
++	"/etc/kbd/" KEYMAPDIR "/**",
+ 	DATADIR "/" KEYMAPDIR "/**",
+ 	KERNDIR "/",
+ 	NULL
+--- a/src/resizecons.c
++++ b/src/resizecons.c
+@@ -104,6 +104,7 @@ static void vga_set_verticaldisplayend_lowbyte(int);
+ 
+ const char *const dirpath[]  = {
+ 	"",
++	"/etc/kbd/" VIDEOMODEDIR "/",
+ 	DATADIR "/" VIDEOMODEDIR "/",
+ 	NULL
+ };
+--- a/src/setfont.c
++++ b/src/setfont.c
+@@ -48,8 +48,8 @@ usage(void)
+ 	                    "    -v         Be verbose.\n"
+ 	                    "    -C <cons>  Indicate console device to be used.\n"
+ 	                    "    -V         Print version and exit.\n"
+-	                    "Files are loaded from the current directory or %s/*/.\n"),
+-	        DATADIR);
++	                    "Files are loaded from the current directory or %s/*/ or %s/*/.\n"),
++	        DATADIR, "/etc/kbd");
+ 	exit(EX_USAGE);
+ }
+ 
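Review bot: The patch header and the new `usage()` text do not describe the resulting lookup order. Each `/etc/kbd/…` entry is inserted before the matching `DATADIR` entry, so a file under `/etc/kbd` shadows the packaged one of the same name. Where an array has the `""` entry, the current directory is still searched first, which the header's "will only look inside /nix/store/<hash>-kbd-x.x.x/share" leaves out. The help string names `DATADIR` before `/etc/kbd`, the reverse of the order searched; passing `"/etc/kbd", DATADIR` to the format would make it match. A header sentence such as `Entries under /etc/kbd take precedence over the store copy.` would record the intent.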
diff --git a/nixpkgs/pkgs/os-specific/linux/kbdlight/default.nix b/nixpkgs/pkgs/os-specific/linux/kbdlight/default.nix
new file mode 100644
index 000000000000..0ed575b82546
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kbdlight/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "kbdlight";
+  version = "1.3";
+
+  src = fetchFromGitHub {
+    owner = "hobarrera";
+    repo = "kbdlight";
+    rev = "v${version}";
+    sha256 = "1f08aid1xrbl4sb5447gkip9lnvkia1c4ap0v8zih5s9w8v72bny";
+  };
+
+  preConfigure = ''
+    substituteInPlace Makefile \
+      --replace /usr/local $out \
+      --replace 4755 0755
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/hobarrera/kbdlight";
+    description = "A very simple application that changes MacBooks' keyboard backlight level";
+    license = licenses.isc;
+    maintainers = [ maintainers.womfoo ];
+    platforms = platforms.linux;
+  };
+}
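Review bot: `--replace 4755 0755` has no comment, although it changes how the program obtains its privilege. Presumably the upstream Makefile installs the binary setuid root so that unprivileged users can write the backlight control. The store cannot hold setuid files, so the bit is dropped here and the access has to be granted some other way on the target system. A comment such as `# Nix store paths cannot be setuid; install 0755 and grant access via a wrapper or udev rule instead` would make that explicit. Whether the installed binary is usable without such a wrapper cannot be told from this hunk.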
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel-headers/default.nix b/nixpkgs/pkgs/os-specific/linux/kernel-headers/default.nix
new file mode 100644
index 000000000000..daa8c1ae2019
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel-headers/default.nix
@@ -0,0 +1,98 @@
+{ stdenvNoCC, lib, buildPackages, fetchurl, perl, elf-header
+, bison ? null, flex ? null, python ? null, rsync ? null
+}:
+
+assert stdenvNoCC.hostPlatform.isAndroid ->
+  (flex != null && bison != null && python != null && rsync != null);
+
+let
+  makeLinuxHeaders = { src, version, patches ? [] }: stdenvNoCC.mkDerivation {
+    inherit src;
+
+    pname = "linux-headers";
+    inherit version;
+
+    ARCH = stdenvNoCC.hostPlatform.linuxArch;
+
+    strictDeps = true;
+    enableParallelBuilding = true;
+
+    # It may look odd that we use `stdenvNoCC`, and yet explicit depend on a cc.
+    # We do this so we have a build->build, not build->host, C compiler.
+    depsBuildBuild = [ buildPackages.stdenv.cc ];
+    # `elf-header` is null when libc provides `elf.h`.
+    nativeBuildInputs = [
+      perl elf-header
+    ] ++ lib.optionals stdenvNoCC.hostPlatform.isAndroid [
+      flex bison python rsync
+    ];
+
+    extraIncludeDirs = lib.optional (with stdenvNoCC.hostPlatform; isPower && is32bit && isBigEndian) ["ppc"];
+
+    inherit patches;
+
+    hardeningDisable = lib.optional stdenvNoCC.buildPlatform.isDarwin "format";
+
+    makeFlags = [
+      "SHELL=bash"
+      # Avoid use of runtime build->host compilers for checks. These
+      # checks only cared to work around bugs in very old compilers, so
+      # these changes should be safe.
+      "cc-version:=9999"
+      "cc-fullversion:=999999"
+      # `$(..)` expanded by make alone
+      "HOSTCC:=$(CC_FOR_BUILD)"
+      "HOSTCXX:=$(CXX_FOR_BUILD)"
+    ];
+
+    # Skip clean on darwin, case-sensitivity issues.
+    buildPhase = lib.optionalString (!stdenvNoCC.buildPlatform.isDarwin) ''
+      make mrproper $makeFlags
+    '' + (if stdenvNoCC.hostPlatform.isAndroid then ''
+      make defconfig
+      make headers_install
+    '' else ''
+      make headers $makeFlags
+    '');
+
+    checkPhase = ''
+      make headers_check $makeFlags
+    '';
+
+    # The following command requires rsync:
+    #   make headers_install INSTALL_HDR_PATH=$out $makeFlags
+    # but rsync depends on popt which does not compile on aarch64 without
+    # updateAutotoolsGnuConfigScriptsHook which is not enabled in stage2,
+    # so we replicate it with cp. This also reduces bootstrap closure size.
+    installPhase = ''
+      mkdir -p $out
+      cp -r usr/include $out
+      find $out -type f ! -name '*.h' -delete
+    ''
+    # Some builds (e.g. KVM) want a kernel.release.
+    + ''
+      mkdir -p $out/include/config
+      echo "${version}-default" > $out/include/config/kernel.release
+    '';
+
+    meta = with lib; {
+      description = "Header files and scripts for Linux kernel";
+      license = licenses.gpl2;
+      platforms = platforms.linux;
+    };
+  };
+in {
+  inherit makeLinuxHeaders;
+
+  linuxHeaders = let version = "5.19"; in
+    makeLinuxHeaders {
+      inherit version;
+      src = fetchurl {
+        url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+        sha256 = "1a05a3hw4w3k530mxhns96xw7hag743xw5w967yazqcykdbhq97z";
+      };
+      patches = [
+         ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms
+      ];
+    };
+}
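Review bot: `checkPhase` is defined, but no `doCheck = true;` appears in the `makeLinuxHeaders` attribute set, so with the stdenv default `make headers_check` is never executed. Either set `doCheck = true;` or drop the phase, so the file does not suggest a check that is not run. Separately, the Android branch of `buildPhase` runs `make defconfig` and `make headers_install` without `$makeFlags`, so the `HOSTCC:=$(CC_FOR_BUILD)` override described in the comment does not apply there. If that is intentional it deserves a comment.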
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel-headers/no-relocs.patch b/nixpkgs/pkgs/os-specific/linux/kernel-headers/no-relocs.patch
new file mode 100644
index 000000000000..32c88224b867
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel-headers/no-relocs.patch
@@ -0,0 +1,7 @@
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -231,3 +231,3 @@ endif
+ archscripts: scripts_basic
+-	$(Q)$(MAKE) $(build)=arch/x86/tools relocs
++	$(Q)$(MAKE) $(build)=arch/x86/tools
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/bridge-stp-helper.patch b/nixpkgs/pkgs/os-specific/linux/kernel/bridge-stp-helper.patch
new file mode 100644
index 000000000000..70d0f944c2a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/bridge-stp-helper.patch
@@ -0,0 +1,13 @@
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index aea3d13..8fcbf81 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -39,7 +39,7 @@
+ #define BR_GROUPFWD_8021AD	0xB801u
+ 
+ /* Path to usermode spanning tree program */
+-#define BR_STP_PROG	"/sbin/bridge-stp"
++#define BR_STP_PROG	"/run/current-system/sw/bin/bridge-stp"
+ 
+ typedef struct bridge_id bridge_id;
+ typedef struct mac_addr mac_addr;
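Review bot: The patch file carries no explanation of why `BR_STP_PROG` is moved to `/run/current-system/sw/bin/bridge-stp`. The kernel runs this path as a user-mode helper with root privileges when STP is enabled on a bridge, so the location is security-relevant: it is only safe as long as that path stays under root's control. A short header above the diff, e.g. `NixOS has no /sbin; point the STP helper at the system profile. The kernel executes this path as root.`, would record that. It would also be worth noting that a kernel built with this patch and booted on a non-NixOS system will not find a helper at this path.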
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/common-config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/common-config.nix
new file mode 100644
index 000000000000..a859d7eea4f1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/common-config.nix
@@ -0,0 +1,986 @@
+# WARNING/NOTE: whenever you want to add an option here you need to either
+# * mark it as an optional one with `option`,
+# * or make sure it works for all the versions in nixpkgs,
+# * or check for which kernel versions it will work (using kernel
+#   changelog, google or whatever) and mark it with `whenOlder` or
+#   `whenAtLeast`.
+# Then do test your change by building all the kernels (or at least
+# their configs) in Nixpkgs or else you will guarantee lots and lots
+# of pain to users trying to switch to an older kernel because of some
+# hardware problems with a new one.
+
+# Configuration
+{ lib, stdenv, version
+
+, features ? {}
+}:
+
+with lib;
+with lib.kernel;
+with (lib.kernel.whenHelpers version);
+
+let
+
+
+  # configuration items have to be part of a subattrs
+  flattenKConf =  nested: mapAttrs (_: head) (zipAttrs (attrValues nested));
+
+  whenPlatformHasEBPFJit =
+    mkIf (stdenv.hostPlatform.isAarch32 ||
+          stdenv.hostPlatform.isAarch64 ||
+          stdenv.hostPlatform.isx86_64 ||
+          (stdenv.hostPlatform.isPower && stdenv.hostPlatform.is64bit) ||
+          (stdenv.hostPlatform.isMips && stdenv.hostPlatform.is64bit));
+
+  options = {
+
+    debug = {
+      # Necessary for BTF
+      DEBUG_INFO                = mkMerge [
+        (whenOlder "5.2" (if (features.debug or false) then yes else no))
+        (whenBetween "5.2" "5.18" yes)
+      ];
+      DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT = whenAtLeast "5.18" yes;
+      # Reduced debug info conflict with BTF and have been enabled in
+      # aarch64 defconfig since 5.13
+      DEBUG_INFO_REDUCED        = whenAtLeast "5.13" (option no);
+      DEBUG_INFO_BTF            = whenAtLeast "5.2" (option yes);
+      # Allow loading modules with mismatched BTFs
+      # FIXME: figure out how to actually make BTFs reproducible instead
+      # See https://github.com/NixOS/nixpkgs/pull/181456 for details.
+      MODULE_ALLOW_BTF_MISMATCH = whenAtLeast "5.18" (option yes);
+      BPF_LSM                   = whenAtLeast "5.7" (option yes);
+      DEBUG_KERNEL              = yes;
+      DEBUG_DEVRES              = no;
+      DYNAMIC_DEBUG             = yes;
+      TIMER_STATS               = whenOlder "4.11" yes;
+      DEBUG_NX_TEST             = whenOlder "4.11" no;
+      DEBUG_STACK_USAGE         = no;
+      DEBUG_STACKOVERFLOW       = option no;
+      RCU_TORTURE_TEST          = no;
+      SCHEDSTATS                = no;
+      DETECT_HUNG_TASK          = yes;
+      CRASH_DUMP                = option no;
+      # Easier debugging of NFS issues.
+      SUNRPC_DEBUG              = yes;
+      # Provide access to tunables like sched_migration_cost_ns
+      SCHED_DEBUG               = yes;
+    };
+
+    power-management = {
+      CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes;
+      CPU_FREQ_GOV_SCHEDUTIL           = yes;
+      PM_ADVANCED_DEBUG                = yes;
+      PM_WAKELOCKS                     = yes;
+      POWERCAP                         = yes;
+    } // optionalAttrs (stdenv.hostPlatform.isx86) {
+      INTEL_IDLE                       = yes;
+      INTEL_RAPL                       = whenAtLeast "5.3" module;
+      X86_INTEL_LPSS                   = yes;
+      X86_INTEL_PSTATE                 = yes;
+    };
+
+    external-firmware = {
+      # Support drivers that need external firmware.
+      STANDALONE = no;
+    };
+
+    proc-config-gz = {
+      # Make /proc/config.gz available
+      IKCONFIG      = yes;
+      IKCONFIG_PROC = yes;
+    };
+
+    optimization = {
+      # Optimize with -O2, not -Os
+      CC_OPTIMIZE_FOR_SIZE = no;
+    };
+
+    memtest = {
+      MEMTEST = yes;
+    };
+
+    # Include the CFQ I/O scheduler in the kernel, rather than as a
+    # module, so that the initrd gets a good I/O scheduler.
+    scheduler = {
+      IOSCHED_CFQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
+      BLK_CGROUP  = yes; # required by CFQ"
+      BLK_CGROUP_IOLATENCY = whenAtLeast "4.19" yes;
+      BLK_CGROUP_IOCOST = whenAtLeast "5.4" yes;
+      IOSCHED_DEADLINE = whenOlder "5.0" yes; # Removed in 5.0-RC1
+      MQ_IOSCHED_DEADLINE = whenAtLeast "4.11" yes;
+      BFQ_GROUP_IOSCHED = whenAtLeast "4.12" yes;
+      MQ_IOSCHED_KYBER = whenAtLeast "4.12" yes;
+      IOSCHED_BFQ = whenAtLeast "4.12" module;
+    };
+
+    # Enable NUMA.
+    numa = {
+      NUMA  = option yes;
+    };
+
+    networking = {
+      NET                = yes;
+      IP_ADVANCED_ROUTER = yes;
+      IP_PNP             = no;
+      IP_VS_PROTO_TCP    = yes;
+      IP_VS_PROTO_UDP    = yes;
+      IP_VS_PROTO_ESP    = yes;
+      IP_VS_PROTO_AH     = yes;
+      IP_VS_IPV6         = yes;
+      IP_DCCP_CCID3      = no; # experimental
+      CLS_U32_PERF       = yes;
+      CLS_U32_MARK       = yes;
+      BPF_JIT            = whenPlatformHasEBPFJit yes;
+      BPF_JIT_ALWAYS_ON  = whenPlatformHasEBPFJit no; # whenPlatformHasEBPFJit yes; # see https://github.com/NixOS/nixpkgs/issues/79304
+      HAVE_EBPF_JIT      = whenPlatformHasEBPFJit yes;
+      BPF_STREAM_PARSER  = whenAtLeast "4.19" yes;
+      XDP_SOCKETS        = whenAtLeast "4.19" yes;
+      XDP_SOCKETS_DIAG   = whenAtLeast "5.1" yes;
+      WAN                = yes;
+      TCP_CONG_ADVANCED  = yes;
+      TCP_CONG_CUBIC     = yes; # This is the default congestion control algorithm since 2.6.19
+      # Required by systemd per-cgroup firewalling
+      CGROUP_BPF                  = option yes;
+      CGROUP_NET_PRIO             = yes; # Required by systemd
+      IP_ROUTE_VERBOSE            = yes;
+      IP_MROUTE_MULTIPLE_TABLES   = yes;
+      IP_MULTICAST                = yes;
+      IP_MULTIPLE_TABLES          = yes;
+      IPV6                        = yes;
+      IPV6_ROUTER_PREF            = yes;
+      IPV6_ROUTE_INFO             = yes;
+      IPV6_OPTIMISTIC_DAD         = yes;
+      IPV6_MULTIPLE_TABLES        = yes;
+      IPV6_SUBTREES               = yes;
+      IPV6_MROUTE                 = yes;
+      IPV6_MROUTE_MULTIPLE_TABLES = yes;
+      IPV6_PIMSM_V2               = yes;
+      IPV6_FOU_TUNNEL             = module;
+      IPV6_SEG6_LWTUNNEL          = whenAtLeast "4.10" yes;
+      IPV6_SEG6_HMAC              = whenAtLeast "4.10" yes;
+      IPV6_SEG6_BPF               = whenAtLeast "4.18" yes;
+      NET_CLS_BPF                 = module;
+      NET_ACT_BPF                 = module;
+      NET_SCHED                   = yes;
+      L2TP_V3                     = yes;
+      L2TP_IP                     = module;
+      L2TP_ETH                    = module;
+      BRIDGE_VLAN_FILTERING       = yes;
+      BONDING                     = module;
+      NET_L3_MASTER_DEV           = option yes;
+      NET_FOU_IP_TUNNELS          = option yes;
+      IP_NF_TARGET_REDIRECT       = module;
+
+      PPP_MULTILINK = yes; # PPP multilink support
+      PPP_FILTER    = yes;
+
+      # needed for iwd WPS support (wpa_supplicant replacement)
+      KEY_DH_OPERATIONS = yes;
+
+      # needed for nftables
+      # Networking Options
+      NETFILTER                   = yes;
+      NETFILTER_ADVANCED          = yes;
+      # Core Netfilter Configuration
+      NF_CONNTRACK_ZONES          = yes;
+      NF_CONNTRACK_EVENTS         = yes;
+      NF_CONNTRACK_TIMEOUT        = yes;
+      NF_CONNTRACK_TIMESTAMP      = yes;
+      NETFILTER_NETLINK_GLUE_CT   = yes;
+      NF_TABLES_INET              = mkMerge [ (whenOlder "4.17" module)
+                                              (whenAtLeast "4.17" yes) ];
+      NF_TABLES_NETDEV            = mkMerge [ (whenOlder "4.17" module)
+                                              (whenAtLeast "4.17" yes) ];
+      NFT_REJECT_NETDEV           = whenAtLeast "5.11" module;
+
+      # IP: Netfilter Configuration
+      NF_TABLES_IPV4              = mkMerge [ (whenOlder "4.17" module)
+                                              (whenAtLeast "4.17" yes) ];
+      NF_TABLES_ARP               = mkMerge [ (whenOlder "4.17" module)
+                                              (whenAtLeast "4.17" yes) ];
+      # IPv6: Netfilter Configuration
+      NF_TABLES_IPV6              = mkMerge [ (whenOlder "4.17" module)
+                                              (whenAtLeast "4.17" yes) ];
+      # Bridge Netfilter Configuration
+      NF_TABLES_BRIDGE            = mkMerge [ (whenBetween "4.19" "5.3" yes)
+                                              (whenAtLeast "5.3" module) ];
+
+      # needed for `dropwatch`
+      # Builtin-only since https://github.com/torvalds/linux/commit/f4b6bcc7002f0e3a3428bac33cf1945abff95450
+      NET_DROP_MONITOR = yes;
+
+      # needed for ss
+      # Use a lower priority to allow these options to be overridden in hardened/config.nix
+      INET_DIAG         = mkDefault module;
+      INET_TCP_DIAG     = mkDefault module;
+      INET_UDP_DIAG     = mkDefault module;
+      INET_RAW_DIAG     = whenAtLeast "4.14" (mkDefault module);
+      INET_DIAG_DESTROY = mkDefault yes;
+
+      # enable multipath-tcp
+      MPTCP           = whenAtLeast "5.6" yes;
+      MPTCP_IPV6      = whenAtLeast "5.6" yes;
+      INET_MPTCP_DIAG = whenAtLeast "5.9" (mkDefault module);
+
+      # Kernel TLS
+      TLS         = whenAtLeast "4.13" module;
+      TLS_DEVICE  = whenAtLeast "4.18" yes;
+
+      # infiniband
+      INFINIBAND = module;
+      INFINIBAND_IPOIB = module;
+      INFINIBAND_IPOIB_CM = yes;
+    };
+
+    wireless = {
+      CFG80211_WEXT         = option yes; # Without it, ipw2200 drivers don't build
+      IPW2100_MONITOR       = option yes; # support promiscuous mode
+      IPW2200_MONITOR       = option yes; # support promiscuous mode
+      HOSTAP_FIRMWARE       = option yes; # Support downloading firmware images with Host AP driver
+      HOSTAP_FIRMWARE_NVRAM = option yes;
+      ATH9K_PCI             = option yes; # Detect Atheros AR9xxx cards on PCI(e) bus
+      ATH9K_AHB             = option yes; # Ditto, AHB bus
+      B43_PHY_HT            = option yes;
+      BCMA_HOST_PCI         = option yes;
+      RTW88                 = whenAtLeast "5.2" module;
+      RTW88_8822BE          = mkMerge [ (whenBetween "5.2" "5.8" yes) (whenAtLeast "5.8" module) ];
+      RTW88_8822CE          = mkMerge [ (whenBetween "5.2" "5.8" yes) (whenAtLeast "5.8" module) ];
+    };
+
+    fb = {
+      FB                  = yes;
+      FB_EFI              = yes;
+      FB_NVIDIA_I2C       = yes; # Enable DDC Support
+      FB_RIVA_I2C         = yes;
+      FB_ATY_CT           = yes; # Mach64 CT/VT/GT/LT (incl. 3D RAGE) support
+      FB_ATY_GX           = yes; # Mach64 GX support
+      FB_SAVAGE_I2C       = yes;
+      FB_SAVAGE_ACCEL     = yes;
+      FB_SIS_300          = yes;
+      FB_SIS_315          = yes;
+      FB_3DFX_ACCEL       = yes;
+      FB_VESA             = yes;
+      FRAMEBUFFER_CONSOLE = yes;
+      FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = whenAtLeast "4.19" yes;
+      FRAMEBUFFER_CONSOLE_ROTATION = yes;
+      FB_GEODE            = mkIf (stdenv.hostPlatform.system == "i686-linux") yes;
+      # On 5.14 this conflicts with FB_SIMPLE.
+      DRM_SIMPLEDRM = whenAtLeast "5.14" no;
+    };
+
+    video = {
+      # Allow specifying custom EDID on the kernel command line
+      DRM_LOAD_EDID_FIRMWARE = yes;
+      VGA_SWITCHEROO         = yes; # Hybrid graphics support
+      DRM_GMA500             = whenAtLeast "5.12" module;
+      DRM_GMA600             = whenOlder "5.13" yes;
+      DRM_GMA3600            = whenOlder "5.12" yes;
+      DRM_VMWGFX_FBCON       = yes;
+      # (experimental) amdgpu support for verde and newer chipsets
+      DRM_AMDGPU_SI = yes;
+      # (stable) amdgpu support for bonaire and newer chipsets
+      DRM_AMDGPU_CIK = yes;
+      # Allow device firmware updates
+      DRM_DP_AUX_CHARDEV = yes;
+      # amdgpu display core (DC) support
+      DRM_AMD_DC_DCN1_0 = whenBetween "4.15" "5.6" yes;
+      DRM_AMD_DC_PRE_VEGA = whenBetween "4.15" "4.18" yes;
+      DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes;
+      DRM_AMD_DC_DCN2_1 = whenBetween "5.4" "5.6" yes;
+      DRM_AMD_DC_DCN3_0 = whenBetween "5.9" "5.11" yes;
+      DRM_AMD_DC_DCN = whenAtLeast "5.11" yes;
+      DRM_AMD_DC_HDCP = whenAtLeast "5.5" yes;
+      DRM_AMD_DC_SI = whenAtLeast "5.10" yes;
+    } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
+      # Intel GVT-g graphics virtualization supports 64-bit only
+      DRM_I915_GVT = whenAtLeast "4.16" yes;
+      DRM_I915_GVT_KVMGT = whenAtLeast "4.16" module;
+    } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
+      # enable HDMI-CEC on RPi boards
+      DRM_VC4_HDMI_CEC = whenAtLeast "4.14" yes;
+    };
+
+    sound = {
+      SND_DYNAMIC_MINORS  = yes;
+      SND_AC97_POWER_SAVE = yes; # AC97 Power-Saving Mode
+      SND_HDA_INPUT_BEEP  = yes; # Support digital beep via input layer
+      SND_HDA_RECONFIG    = yes; # Support reconfiguration of jack functions
+      # Support configuring jack functions via fw mechanism at boot
+      SND_HDA_PATCH_LOADER = yes;
+      SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon
+      SND_OSSEMUL         = yes;
+      SND_USB_CAIAQ_INPUT = yes;
+      # Enable PSS mixer (Beethoven ADSP-16 and other compatible)
+      PSS_MIXER           = whenOlder "4.12" yes;
+    # Enable Sound Open Firmware support
+    } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" &&
+                        versionAtLeast version "5.5") {
+      SND_SOC_INTEL_SOUNDWIRE_SOF_MACH       = whenAtLeast "5.10" module;
+      SND_SOC_INTEL_USER_FRIENDLY_LONG_NAMES = whenAtLeast "5.10" yes; # dep of SOF_MACH
+      SND_SOC_SOF_INTEL_SOUNDWIRE_LINK = whenBetween "5.10" "5.11" yes; # dep of SOF_MACH
+      SND_SOC_SOF_TOPLEVEL              = yes;
+      SND_SOC_SOF_ACPI                  = module;
+      SND_SOC_SOF_PCI                   = module;
+      SND_SOC_SOF_APOLLOLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_APOLLOLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_CANNONLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_CANNONLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COFFEELAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_COFFEELAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COMETLAKE             = whenAtLeast "5.12" module;
+      SND_SOC_SOF_COMETLAKE_H_SUPPORT   = whenOlder "5.8" yes;
+      SND_SOC_SOF_COMETLAKE_LP_SUPPORT  = whenOlder "5.12" yes;
+      SND_SOC_SOF_ELKHARTLAKE           = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ELKHARTLAKE_SUPPORT   = whenOlder "5.12" yes;
+      SND_SOC_SOF_GEMINILAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_GEMINILAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_HDA_AUDIO_CODEC       = yes;
+      SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
+      SND_SOC_SOF_HDA_LINK              = yes;
+      SND_SOC_SOF_ICELAKE               = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ICELAKE_SUPPORT       = whenOlder "5.12" yes;
+      SND_SOC_SOF_INTEL_TOPLEVEL        = yes;
+      SND_SOC_SOF_JASPERLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_JASPERLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_MERRIFIELD            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_MERRIFIELD_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_TIGERLAKE             = whenAtLeast "5.12" module;
+      SND_SOC_SOF_TIGERLAKE_SUPPORT     = whenOlder "5.12" yes;
+    };
+
+    usb-serial = {
+      USB_SERIAL_GENERIC          = yes; # USB Generic Serial Driver
+    } // optionalAttrs (versionOlder version "4.16") {
+      # Include firmware for various USB serial devices.
+      # Only applicable for kernels below 4.16, after that no firmware is shipped in the kernel tree.
+      USB_SERIAL_KEYSPAN_MPR      = yes;
+      USB_SERIAL_KEYSPAN_USA28    = yes;
+      USB_SERIAL_KEYSPAN_USA28X   = yes;
+      USB_SERIAL_KEYSPAN_USA28XA  = yes;
+      USB_SERIAL_KEYSPAN_USA28XB  = yes;
+      USB_SERIAL_KEYSPAN_USA19    = yes;
+      USB_SERIAL_KEYSPAN_USA18X   = yes;
+      USB_SERIAL_KEYSPAN_USA19W   = yes;
+      USB_SERIAL_KEYSPAN_USA19QW  = yes;
+      USB_SERIAL_KEYSPAN_USA19QI  = yes;
+      USB_SERIAL_KEYSPAN_USA49W   = yes;
+      USB_SERIAL_KEYSPAN_USA49WLC = yes;
+    };
+
+    usb = {
+      USB_DEBUG = { optional = true; tristate = whenOlder "4.18" "n";};
+      USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators
+      USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling
+      USB_HIDDEV = yes; # USB Raw HID Devices (like monitor controls and Uninterruptable Power Supplies)
+    };
+
+    # Filesystem options - in particular, enable extended attributes and
+    # ACLs for all filesystems that support them.
+    filesystem = {
+      FANOTIFY        = yes;
+      TMPFS           = yes;
+      TMPFS_POSIX_ACL = yes;
+      FS_ENCRYPTION   = if (versionAtLeast version "5.1") then yes else whenAtLeast "4.9" (option module);
+
+      EXT2_FS_XATTR     = yes;
+      EXT2_FS_POSIX_ACL = yes;
+      EXT2_FS_SECURITY  = yes;
+
+      EXT3_FS_POSIX_ACL = yes;
+      EXT3_FS_SECURITY  = yes;
+
+      EXT4_FS_POSIX_ACL = yes;
+      EXT4_FS_SECURITY  = yes;
+      EXT4_ENCRYPTION   = option yes;
+
+      REISERFS_FS_XATTR     = option yes;
+      REISERFS_FS_POSIX_ACL = option yes;
+      REISERFS_FS_SECURITY  = option yes;
+
+      JFS_POSIX_ACL = option yes;
+      JFS_SECURITY  = option yes;
+
+      XFS_QUOTA     = option yes;
+      XFS_POSIX_ACL = option yes;
+      XFS_RT        = option yes; # XFS Realtime subvolume support
+
+      OCFS2_DEBUG_MASKLOG = option no;
+
+      BTRFS_FS_POSIX_ACL = yes;
+
+      UBIFS_FS_ADVANCED_COMPR = option yes;
+
+      F2FS_FS             = module;
+      F2FS_FS_SECURITY    = option yes;
+      F2FS_FS_ENCRYPTION  = option yes;
+      F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
+      UDF_FS              = module;
+
+      NFSD_V2_ACL            = yes;
+      NFSD_V3                = whenOlder "5.18" yes;
+      NFSD_V3_ACL            = yes;
+      NFSD_V4                = yes;
+      NFSD_V4_SECURITY_LABEL = yes;
+
+      NFS_FSCACHE           = yes;
+      NFS_SWAP              = yes;
+      NFS_V3_ACL            = yes;
+      NFS_V4_1              = yes;  # NFSv4.1 client support
+      NFS_V4_2              = yes;
+      NFS_V4_SECURITY_LABEL = yes;
+
+      CIFS_XATTR        = yes;
+      CIFS_POSIX        = option yes;
+      CIFS_FSCACHE      = yes;
+      CIFS_STATS        = whenOlder "4.19" yes;
+      CIFS_WEAK_PW_HASH = whenOlder "5.15" yes;
+      CIFS_UPCALL       = yes;
+      CIFS_ACL          = whenOlder "5.3" yes;
+      CIFS_DFS_UPCALL   = yes;
+      CIFS_SMB2         = whenOlder "4.13" yes;
+
+      CEPH_FSCACHE      = yes;
+      CEPH_FS_POSIX_ACL = yes;
+
+      SQUASHFS_FILE_DIRECT         = yes;
+      SQUASHFS_DECOMP_MULTI_PERCPU = yes;
+      SQUASHFS_XATTR               = yes;
+      SQUASHFS_ZLIB                = yes;
+      SQUASHFS_LZO                 = yes;
+      SQUASHFS_XZ                  = yes;
+      SQUASHFS_LZ4                 = yes;
+      SQUASHFS_ZSTD                = whenAtLeast "4.14" yes;
+
+      # Native Language Support modules, needed by some filesystems
+      NLS              = yes;
+      NLS_DEFAULT      = freeform "utf8";
+      NLS_UTF8         = module;
+      NLS_CODEPAGE_437 = module; # VFAT default for the codepage= mount option
+      NLS_ISO8859_1    = module; # VFAT default for the iocharset= mount option
+
+      # Needed to use the installation iso image. Not included in all defconfigs (e.g. arm64)
+      ISO9660_FS = module;
+
+      DEVTMPFS = yes;
+
+      UNICODE = whenAtLeast "5.2" yes; # Casefolding support for filesystems
+    };
+
+    security = {
+      FORTIFY_SOURCE                   = whenAtLeast "4.13" (option yes);
+
+      # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
+      DEBUG_LIST                       = yes;
+      # Detect writes to read-only module pages
+      DEBUG_SET_MODULE_RONX            = whenOlder "4.11" (option yes);
+      RANDOMIZE_BASE                   = option yes;
+      STRICT_DEVMEM                    = mkDefault yes; # Filter access to /dev/mem
+      IO_STRICT_DEVMEM                 = mkDefault yes;
+      SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
+      # Prevent processes from ptracing non-children processes
+      SECURITY_YAMA                    = option yes;
+      # The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
+      # This does not have any effect if a program does not support it
+      SECURITY_LANDLOCK                = whenAtLeast "5.13" yes;
+      DEVKMEM                          = whenOlder "5.13" no; # Disable /dev/kmem
+
+      USER_NS                          = yes; # Support for user namespaces
+
+      SECURITY_APPARMOR                = yes;
+      DEFAULT_SECURITY_APPARMOR        = yes;
+
+      RANDOM_TRUST_CPU                 = whenAtLeast "4.19" yes; # allow RDRAND to seed the RNG
+      RANDOM_TRUST_BOOTLOADER          = whenAtLeast "5.4" yes; # allow the bootloader to seed the RNG
+
+      MODULE_SIG            = no; # r13y, generates a random key during build and bakes it in
+      # Depends on MODULE_SIG and only really helps when you sign your modules
+      # and enforce signatures which we don't do by default.
+      SECURITY_LOCKDOWN_LSM = option no;
+    } // optionalAttrs (!stdenv.hostPlatform.isAarch32) {
+
+      # Detect buffer overflows on the stack
+      CC_STACKPROTECTOR_REGULAR = {optional = true; tristate = whenOlder "4.18" "y";};
+    } // optionalAttrs stdenv.hostPlatform.isx86_64 {
+      # Enable Intel SGX
+      X86_SGX     = whenAtLeast "5.11" yes;
+      # Allow KVM guests to load SGX enclaves
+      X86_SGX_KVM = whenAtLeast "5.13" yes;
+    };
+
+    microcode = {
+      MICROCODE       = yes;
+      MICROCODE_INTEL = yes;
+      MICROCODE_AMD   = yes;
+    } // optionalAttrs (versionAtLeast version "4.10") {
+      # Write Back Throttling
+      # https://lwn.net/Articles/682582/
+      # https://bugzilla.kernel.org/show_bug.cgi?id=12309#c655
+      BLK_WBT    = yes;
+      BLK_WBT_SQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
+      BLK_WBT_MQ = yes;
+    };
+
+    container = {
+      NAMESPACES     = yes; #  Required by 'unshare' used by 'nixos-install'
+      RT_GROUP_SCHED = no;
+      CGROUP_DEVICE  = yes;
+      CGROUP_HUGETLB = yes;
+      CGROUP_PERF    = yes;
+      CGROUP_RDMA    = whenAtLeast "4.11" yes;
+
+      MEMCG                    = yes;
+      MEMCG_SWAP               = yes;
+
+      BLK_DEV_THROTTLING        = yes;
+      CFQ_GROUP_IOSCHED         = whenOlder "5.0" yes; # Removed in 5.0-RC1
+      CGROUP_PIDS               = yes;
+    };
+
+    staging = {
+      # Enable staging drivers.  These are somewhat experimental, but
+      # they generally don't hurt.
+      STAGING = yes;
+    };
+
+    proc-events = {
+      # PROC_EVENTS requires that the netlink connector is not built
+      # as a module.  This is required by libcgroup's cgrulesengd.
+      CONNECTOR   = yes;
+      PROC_EVENTS = yes;
+    };
+
+    tracing = {
+      FTRACE                = yes;
+      KPROBES               = yes;
+      FUNCTION_TRACER       = yes;
+      FTRACE_SYSCALLS       = yes;
+      SCHED_TRACER          = yes;
+      STACK_TRACER          = yes;
+      UPROBE_EVENT          = { optional = true; tristate = whenOlder "4.11" "y";};
+      UPROBE_EVENTS         = { optional = true; tristate = whenAtLeast "4.11" "y";};
+      BPF_SYSCALL           = yes;
+      BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.16" yes;
+      BPF_EVENTS            = yes;
+      FUNCTION_PROFILER     = yes;
+      RING_BUFFER_BENCHMARK = no;
+    };
+
+    virtualisation = {
+      PARAVIRT = option yes;
+
+      HYPERVISOR_GUEST = yes;
+      PARAVIRT_SPINLOCKS  = option yes;
+
+      KVM_ASYNC_PF                      = yes;
+      KVM_COMPAT                        = whenOlder "4.12" (option yes);
+      KVM_DEVICE_ASSIGNMENT             = whenOlder "4.12" (option yes);
+      KVM_GENERIC_DIRTYLOG_READ_PROTECT = yes;
+      KVM_GUEST                         = yes;
+      KVM_MMIO                          = yes;
+      KVM_VFIO                          = yes;
+      KSM = yes;
+      VIRT_DRIVERS = yes;
+      # We need 64 GB (PAE) support for Xen guest support
+      HIGHMEM64G = { optional = true; tristate = mkIf (!stdenv.is64bit) "y";};
+
+      VFIO_PCI_VGA = mkIf stdenv.is64bit yes;
+
+      # VirtualBox guest drivers in the kernel conflict with the ones in the
+      # official additions package and prevent the vboxsf module from loading,
+      # so disable them for now.
+      VBOXGUEST = option no;
+      DRM_VBOXVIDEO = option no;
+
+      XEN                         = option yes;
+      XEN_DOM0                    = option yes;
+      PCI_XEN                     = option yes;
+      HVC_XEN                     = option yes;
+      HVC_XEN_FRONTEND            = option yes;
+      XEN_SYS_HYPERVISOR          = option yes;
+      SWIOTLB_XEN                 = option yes;
+      XEN_BACKEND                 = option yes;
+      XEN_BALLOON                 = option yes;
+      XEN_BALLOON_MEMORY_HOTPLUG  = option yes;
+      XEN_EFI                     = option yes;
+      XEN_HAVE_PVMMU              = option yes;
+      XEN_MCE_LOG                 = option yes;
+      XEN_PVH                     = option yes;
+      XEN_PVHVM                   = option yes;
+      XEN_SAVE_RESTORE            = option yes;
+      XEN_SCRUB_PAGES             = option yes;
+      XEN_SELFBALLOONING          = option yes;
+      XEN_STUB                    = option yes;
+      XEN_TMEM                    = option yes;
+    };
+
+    media = {
+      MEDIA_DIGITAL_TV_SUPPORT = yes;
+      MEDIA_CAMERA_SUPPORT     = yes;
+      MEDIA_RC_SUPPORT         = whenOlder "4.14" yes;
+      MEDIA_CONTROLLER         = yes;
+      MEDIA_PCI_SUPPORT        = yes;
+      MEDIA_USB_SUPPORT        = yes;
+      MEDIA_ANALOG_TV_SUPPORT  = yes;
+      VIDEO_STK1160_COMMON     = module;
+      VIDEO_STK1160_AC97       = whenOlder "4.11" yes;
+    };
+
+    "9p" = {
+      # Enable the 9P cache to speed up NixOS VM tests.
+      "9P_FSCACHE"      = option yes;
+      "9P_FS_POSIX_ACL" = option yes;
+    };
+
+    huge-page = {
+      TRANSPARENT_HUGEPAGE         = option yes;
+      TRANSPARENT_HUGEPAGE_ALWAYS  = option no;
+      TRANSPARENT_HUGEPAGE_MADVISE = option yes;
+    };
+
+    zram = {
+      ZRAM     = module;
+      ZSWAP    = option yes;
+      ZBUD     = option yes;
+      ZSMALLOC = module;
+    };
+
+    brcmfmac = {
+      # Enable PCIe and USB for the brcmfmac driver
+      BRCMFMAC_USB  = option yes;
+      BRCMFMAC_PCIE = option yes;
+    };
+
+    # Support x2APIC (which requires IRQ remapping)
+    x2apic = optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
+      X86_X2APIC = yes;
+      IRQ_REMAP  = yes;
+    };
+
+    # Disable various self-test modules that have no use in a production system
+    tests = {
+      # This menu disables all/most of them on >= 4.16
+      RUNTIME_TESTING_MENU = option no;
+    } // optionalAttrs (versionOlder version "4.16") {
+      # For older kernels, painstakingly disable each symbol.
+      ARM_KPROBES_TEST    = option no;
+      ASYNC_RAID6_TEST    = option no;
+      ATOMIC64_SELFTEST   = option no;
+      BACKTRACE_SELF_TEST = option no;
+      INTERVAL_TREE_TEST  = option no;
+      PERCPU_TEST         = option no;
+      RBTREE_TEST         = option no;
+      TEST_BITMAP         = option no;
+      TEST_BPF            = option no;
+      TEST_FIRMWARE       = option no;
+      TEST_HASH           = option no;
+      TEST_HEXDUMP        = option no;
+      TEST_KMOD           = option no;
+      TEST_KSTRTOX        = option no;
+      TEST_LIST_SORT      = option no;
+      TEST_LKM            = option no;
+      TEST_PARMAN         = option no;
+      TEST_PRINTF         = option no;
+      TEST_RHASHTABLE     = option no;
+      TEST_SORT           = option no;
+      TEST_STATIC_KEYS    = option no;
+      TEST_STRING_HELPERS = option no;
+      TEST_UDELAY         = option no;
+      TEST_USER_COPY      = option no;
+      TEST_UUID           = option no;
+    } // {
+      CRC32_SELFTEST           = option no;
+      CRYPTO_TEST              = option no;
+      EFI_TEST                 = option no;
+      GLOB_SELFTEST            = option no;
+      DRM_DEBUG_MM_SELFTEST    = { optional = true; tristate = whenOlder "4.18" "n";};
+      LNET_SELFTEST            = { optional = true; tristate = whenOlder "4.18" "n";};
+      LOCK_TORTURE_TEST        = option no;
+      MTD_TESTS                = option no;
+      NOTIFIER_ERROR_INJECTION = option no;
+      RCU_PERF_TEST            = option no;
+      RCU_TORTURE_TEST         = option no;
+      TEST_ASYNC_DRIVER_PROBE  = option no;
+      WW_MUTEX_SELFTEST        = option no;
+      XZ_DEC_TEST              = option no;
+    };
+
+    criu = if (versionAtLeast version "4.19") then {
+      # Unconditionally enabled, because it is required for CRIU and
+      # it provides the kcmp() system call that Mesa depends on.
+      CHECKPOINT_RESTORE  = yes;
+    } else optionalAttrs (features.criu or false) ({
+      # For older kernels, CHECKPOINT_RESTORE is hidden behind EXPERT.
+      EXPERT              = yes;
+      CHECKPOINT_RESTORE  = yes;
+    } // optionalAttrs (features.criu_revert_expert or true) {
+      RFKILL_INPUT          = option yes;
+      HID_PICOLCD_FB        = option yes;
+      HID_PICOLCD_BACKLIGHT = option yes;
+      HID_PICOLCD_LCD       = option yes;
+      HID_PICOLCD_LEDS      = option yes;
+      HID_PICOLCD_CIR       = option yes;
+      DEBUG_MEMORY_INIT     = option yes;
+    });
+
+    misc = let
+      # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz.
+      # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
+      useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9";
+    in {
+      KERNEL_XZ            = mkIf (!useZstd) yes;
+      KERNEL_ZSTD          = mkIf useZstd yes;
+
+      HID_BATTERY_STRENGTH = yes;
+      # enabled by default in x86_64 but not arm64, so we do that here
+      HIDRAW               = yes;
+
+      HID_ACRUX_FF       = yes;
+      DRAGONRISE_FF      = yes;
+      GREENASIA_FF       = yes;
+      HOLTEK_FF          = yes;
+      JOYSTICK_PSXPAD_SPI_FF = whenAtLeast "4.14" yes;
+      LOGIG940_FF        = yes;
+      NINTENDO_FF        = whenAtLeast "5.16" yes;
+      PLAYSTATION_FF     = whenAtLeast "5.12" yes;
+      SONY_FF            = yes;
+      SMARTJOYPLUS_FF    = yes;
+      THRUSTMASTER_FF    = yes;
+      ZEROPLUS_FF        = yes;
+
+      MODULE_COMPRESS    = whenOlder "5.13" yes;
+      MODULE_COMPRESS_XZ = yes;
+
+      SYSVIPC            = yes;  # System-V IPC
+
+      AIO                = yes;  # POSIX asynchronous I/O
+
+      UNIX               = yes;  # Unix domain sockets.
+
+      MD                 = yes;     # Device mapper (RAID, LVM, etc.)
+
+      # Enable initrd support.
+      BLK_DEV_INITRD    = yes;
+
+      PM_TRACE_RTC         = no; # Disable some expensive (?) features.
+      ACCESSIBILITY        = yes; # Accessibility support
+      AUXDISPLAY           = yes; # Auxiliary Display support
+      DONGLE               = whenOlder "4.17" yes; # Serial dongle support
+      HIPPI                = yes;
+      MTD_COMPLEX_MAPPINGS = yes; # needed for many devices
+
+      SCSI_LOWLEVEL        = yes; # enable lots of SCSI devices
+      SCSI_LOWLEVEL_PCMCIA = yes;
+      SCSI_SAS_ATA         = yes; # added to enable detection of hard drive
+
+      SPI        = yes; # needed for many devices
+      SPI_MASTER = yes;
+
+      "8139TOO_8129" = yes;
+      "8139TOO_PIO"  = no; # PIO is slower
+
+      AIC79XX_DEBUG_ENABLE = no;
+      AIC7XXX_DEBUG_ENABLE = no;
+      AIC94XX_DEBUG = no;
+
+      BLK_DEV_INTEGRITY       = yes;
+
+      BLK_SED_OPAL = whenAtLeast "4.14" yes;
+
+      BSD_PROCESS_ACCT_V3 = yes;
+
+      SERIAL_DEV_BUS = whenAtLeast "4.11" yes; # enables support for serial devices
+      SERIAL_DEV_CTRL_TTYPORT = whenAtLeast "4.11" yes; # enables support for TTY serial devices
+
+      BT_HCIBTUSB_MTK = whenAtLeast "5.3" yes; # MediaTek protocol support
+      BT_HCIUART_QCA = yes; # Qualcomm Atheros protocol support
+      BT_HCIUART_SERDEV = whenAtLeast "4.12" yes; # required by BT_HCIUART_QCA
+      BT_HCIUART = module; # required for BT devices with serial port interface (QCA6390)
+      BT_HCIUART_BCSP = option yes;
+      BT_HCIUART_H4   = option yes; # UART (H4) protocol support
+      BT_HCIUART_LL   = option yes;
+      BT_RFCOMM_TTY   = option yes; # RFCOMM TTY support
+      BT_QCA = module; # enables QCA6390 bluetooth
+
+      # Removed on 5.17 as it was unused
+      # upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a4ee518185e902758191d968600399f3bc2be31
+      CLEANCACHE = whenOlder "5.17" (option yes);
+      CRASH_DUMP = option no;
+
+      DVB_DYNAMIC_MINORS = option yes; # we use udev
+
+      EFI_STUB            = yes; # EFI bootloader in the bzImage itself
+      EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER =
+          whenAtLeast "5.8" yes; # initrd kernel parameter for EFI
+      CGROUPS             = yes; # used by systemd
+      FHANDLE             = yes; # used by systemd
+      SECCOMP             = yes; # used by systemd >= 231
+      SECCOMP_FILTER      = yes; # ditto
+      POSIX_MQUEUE        = yes;
+      FRONTSWAP           = yes;
+      FUSION              = yes; # Fusion MPT device support
+      IDE                 = whenOlder "5.14" no; # deprecated IDE support, removed in 5.14
+      IDLE_PAGE_TRACKING  = yes;
+      IRDA_ULTRA          = whenOlder "4.17" yes; # Ultra (connectionless) protocol
+
+      JOYSTICK_IFORCE_232 = { optional = true; tristate = whenOlder "5.3" "y"; }; # I-Force Serial joysticks and wheels
+      JOYSTICK_IFORCE_USB = { optional = true; tristate = whenOlder "5.3" "y"; }; # I-Force USB joysticks and wheels
+      JOYSTICK_XPAD_FF    = option yes; # X-Box gamepad rumble support
+      JOYSTICK_XPAD_LEDS  = option yes; # LED Support for Xbox360 controller 'BigX' LED
+
+      KEYBOARD_APPLESPI = whenAtLeast "5.3" module;
+
+      KEXEC_FILE      = option yes;
+      KEXEC_JUMP      = option yes;
+
+      PARTITION_ADVANCED    = yes; # Needed for LDM_PARTITION
+      # Windows Logical Disk Manager (Dynamic Disk) support
+      LDM_PARTITION         = yes;
+      LOGIRUMBLEPAD2_FF     = yes; # Logitech Rumblepad 2 force feedback
+      LOGO                  = no; # not needed
+      MEDIA_ATTACH          = yes;
+      MEGARAID_NEWGEN       = yes;
+
+      MLX5_CORE_EN       = option yes;
+
+      NVME_MULTIPATH = whenAtLeast "4.15" yes;
+
+      PSI = whenAtLeast "4.20" yes;
+
+      MOUSE_ELAN_I2C_SMBUS = yes;
+      MOUSE_PS2_ELANTECH = yes; # Elantech PS/2 protocol extension
+      MOUSE_PS2_VMMOUSE  = yes;
+      MTRR_SANITIZER     = yes;
+      NET_FC             = yes; # Fibre Channel driver support
+      # Needed for touchpads to work on some AMD laptops
+      PINCTRL_AMD        = whenAtLeast "5.19" yes;
+      # GPIO on Intel Bay Trail, for some Chromebook internal eMMC disks
+      PINCTRL_BAYTRAIL   = yes;
+      # GPIO for Braswell and Cherryview devices
+      # Needs to be built-in to for integrated keyboards to function properly
+      PINCTRL_CHERRYVIEW = yes;
+      # 8 is default. Modern gpt tables on eMMC may go far beyond 8.
+      MMC_BLOCK_MINORS   = freeform "32";
+
+      REGULATOR  = yes; # Voltage and Current Regulator Support
+      RC_DEVICES = option yes; # Enable IR devices
+
+      RT2800USB_RT53XX = yes;
+      RT2800USB_RT55XX = yes;
+
+      SCHED_AUTOGROUP  = yes;
+      CFS_BANDWIDTH    = yes;
+
+      SCSI_LOGGING = yes; # SCSI logging facility
+      SERIAL_8250  = yes; # 8250/16550 and compatible serial support
+
+      SLIP_COMPRESSED = yes; # CSLIP compressed headers
+      SLIP_SMART      = yes;
+
+      HWMON         = yes;
+      THERMAL_HWMON = yes; # Hardware monitoring support
+      NVME_HWMON    = whenAtLeast "5.5" yes; # NVMe drives temperature reporting
+      UEVENT_HELPER = no;
+
+      USERFAULTFD   = yes;
+      X86_CHECK_BIOS_CORRUPTION = yes;
+      X86_MCE                   = yes;
+
+      RAS = yes; # Needed for EDAC support
+
+      # Our initrd init uses shebang scripts, so can't be modular.
+      BINFMT_SCRIPT = yes;
+      # For systemd-binfmt
+      BINFMT_MISC   = option yes;
+
+      # Disable the firmware helper fallback, udev doesn't implement it any more
+      FW_LOADER_USER_HELPER_FALLBACK = option no;
+
+      FW_LOADER_COMPRESS = option yes;
+
+      HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI
+      HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support
+
+      # Enable AMD's ROCm GPU compute stack
+      HSA_AMD =     mkIf stdenv.hostPlatform.is64bit (whenAtLeast "4.20" yes);
+      ZONE_DEVICE = mkIf stdenv.hostPlatform.is64bit (whenAtLeast "5.3" yes);
+      HMM_MIRROR = whenAtLeast "5.3" yes;
+      DRM_AMDGPU_USERPTR = whenAtLeast "5.3" yes;
+
+      PREEMPT = no;
+      PREEMPT_VOLUNTARY = yes;
+
+      X86_AMD_PLATFORM_DEVICE = yes;
+      X86_PLATFORM_DRIVERS_DELL = whenAtLeast "5.12" yes;
+
+      LIRC = mkMerge [ (whenOlder "4.16" module) (whenAtLeast "4.17" yes) ];
+
+      SCHED_CORE = whenAtLeast "5.14" yes;
+
+      FSL_MC_UAPI_SUPPORT = mkIf (stdenv.hostPlatform.system == "aarch64-linux") (whenAtLeast "5.12" yes);
+
+      ASHMEM =                 { optional = true; tristate = whenBetween "5.0" "5.18" "y";};
+      ANDROID =                { optional = true; tristate = whenAtLeast "5.0" "y";};
+      ANDROID_BINDER_IPC =     { optional = true; tristate = whenAtLeast "5.0" "y";};
+      ANDROID_BINDERFS =       { optional = true; tristate = whenAtLeast "5.0" "y";};
+      ANDROID_BINDER_DEVICES = { optional = true; freeform = whenAtLeast "5.0" "binder,hwbinder,vndbinder";};
+
+      TASKSTATS = yes;
+      TASK_DELAY_ACCT = yes;
+      TASK_XACCT = yes;
+      TASK_IO_ACCOUNTING = yes;
+
+      # Fresh toolchains frequently break -Werror build for minor issues.
+      WERROR = whenAtLeast "5.15" no;
+    } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
+      # Enable CPU/memory hotplug support
+      # Allows you to dynamically add & remove CPUs/memory to a VM client running NixOS without requiring a reboot
+      ACPI_HOTPLUG_CPU = yes;
+      ACPI_HOTPLUG_MEMORY = yes;
+      MEMORY_HOTPLUG = yes;
+      MEMORY_HOTREMOVE = yes;
+      HOTPLUG_CPU = yes;
+      MIGRATION = yes;
+      SPARSEMEM = yes;
+
+      # Bump the maximum number of CPUs to support systems like EC2 x1.*
+      # instances and Xeon Phi.
+      NR_CPUS = freeform "384";
+    } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
+      # Enables support for the Allwinner Display Engine 2.0
+      SUN8I_DE2_CCU = whenAtLeast "4.13" yes;
+
+      # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647
+      CRYPTO_AEGIS128_SIMD = whenAtLeast "5.4" no;
+
+      # Distros should configure the default as a kernel option.
+      # We previously defined it on the kernel command line as cma=
+      # The kernel command line will override a platform-specific configuration from its device tree.
+      # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
+      CMA_SIZE_MBYTES = freeform "32";
+
+      # Many ARM SBCs hand off a pre-configured framebuffer.
+      # This always can can be replaced by the actual native driver.
+      # Keeping it a built-in ensures it will be used if possible.
+      FB_SIMPLE = yes;
+
+    } // optionalAttrs (versionAtLeast version "5.4" && (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux")) {
+      # Required for various hardware features on Chrome OS devices
+      CHROME_PLATFORMS = yes;
+      CHROMEOS_TBMC = module;
+
+      CROS_EC = module;
+
+      CROS_EC_I2C = module;
+      CROS_EC_SPI = module;
+      CROS_EC_LPC = module;
+      CROS_EC_ISHTP = module;
+
+      CROS_KBD_LED_BACKLIGHT = module;
+    } // optionalAttrs (versionAtLeast version "5.4" && stdenv.hostPlatform.system == "x86_64-linux") {
+      CHROMEOS_LAPTOP = module;
+      CHROMEOS_PSTORE = module;
+    };
+  };
+in
+  flattenKConf options
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/4.11.patch b/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/4.11.patch
new file mode 100644
index 000000000000..4e247e432891
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/4.11.patch
@@ -0,0 +1,784 @@
+commit 827b86ad1dd21feed4c0b99faf6059f245f7dadb
+Author: Tejun Heo <tj@kernel.org>
+Date:   Fri Mar 11 07:31:23 2016 -0500
+
+    sched: Misc preps for cgroup unified hierarchy interface
+    
+    Make the following changes in preparation for the cpu controller
+    interface implementation for the unified hierarchy.  This patch
+    doesn't cause any functional differences.
+    
+    * s/cpu_stats_show()/cpu_cfs_stats_show()/
+    
+    * s/cpu_files/cpu_legacy_files/
+    
+    * Separate out cpuacct_stats_read() from cpuacct_stats_show().  While
+      at it, make the @val array u64 for consistency.
+    
+    Signed-off-by: Tejun Heo <tj@kernel.org>
+    Cc: Ingo Molnar <mingo@redhat.com>
+    Cc: Peter Zijlstra <peterz@infradead.org>
+    Cc: Li Zefan <lizefan@huawei.com>
+    Cc: Johannes Weiner <hannes@cmpxchg.org>
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 3b31fc05a0f1..a1b95e83fa87 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7174,7 +7174,7 @@ static int __cfs_schedulable(struct task_group *tg, u64 period, u64 quota)
+ 	return ret;
+ }
+ 
+-static int cpu_stats_show(struct seq_file *sf, void *v)
++static int cpu_cfs_stats_show(struct seq_file *sf, void *v)
+ {
+ 	struct task_group *tg = css_tg(seq_css(sf));
+ 	struct cfs_bandwidth *cfs_b = &tg->cfs_bandwidth;
+@@ -7214,7 +7214,7 @@ static u64 cpu_rt_period_read_uint(struct cgroup_subsys_state *css,
+ }
+ #endif /* CONFIG_RT_GROUP_SCHED */
+ 
+-static struct cftype cpu_files[] = {
++static struct cftype cpu_legacy_files[] = {
+ #ifdef CONFIG_FAIR_GROUP_SCHED
+ 	{
+ 		.name = "shares",
+@@ -7235,7 +7235,7 @@ static struct cftype cpu_files[] = {
+ 	},
+ 	{
+ 		.name = "stat",
+-		.seq_show = cpu_stats_show,
++		.seq_show = cpu_cfs_stats_show,
+ 	},
+ #endif
+ #ifdef CONFIG_RT_GROUP_SCHED
+@@ -7261,7 +7261,7 @@ struct cgroup_subsys cpu_cgrp_subsys = {
+ 	.fork		= cpu_cgroup_fork,
+ 	.can_attach	= cpu_cgroup_can_attach,
+ 	.attach		= cpu_cgroup_attach,
+-	.legacy_cftypes	= cpu_files,
++	.legacy_cftypes	= cpu_legacy_files,
+ 	.early_init	= true,
+ };
+ 
+diff --git a/kernel/sched/cpuacct.c b/kernel/sched/cpuacct.c
+index f95ab29a45d0..6151c23f722f 100644
+--- a/kernel/sched/cpuacct.c
++++ b/kernel/sched/cpuacct.c
+@@ -276,26 +276,33 @@ static int cpuacct_all_seq_show(struct seq_file *m, void *V)
+ 	return 0;
+ }
+ 
+-static int cpuacct_stats_show(struct seq_file *sf, void *v)
++static void cpuacct_stats_read(struct cpuacct *ca,
++			       u64 (*val)[CPUACCT_STAT_NSTATS])
+ {
+-	struct cpuacct *ca = css_ca(seq_css(sf));
+-	s64 val[CPUACCT_STAT_NSTATS];
+ 	int cpu;
+-	int stat;
+ 
+-	memset(val, 0, sizeof(val));
++	memset(val, 0, sizeof(*val));
++
+ 	for_each_possible_cpu(cpu) {
+ 		u64 *cpustat = per_cpu_ptr(ca->cpustat, cpu)->cpustat;
+ 
+-		val[CPUACCT_STAT_USER]   += cpustat[CPUTIME_USER];
+-		val[CPUACCT_STAT_USER]   += cpustat[CPUTIME_NICE];
+-		val[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_SYSTEM];
+-		val[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_IRQ];
+-		val[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_SOFTIRQ];
++		(*val)[CPUACCT_STAT_USER]   += cpustat[CPUTIME_USER];
++		(*val)[CPUACCT_STAT_USER]   += cpustat[CPUTIME_NICE];
++		(*val)[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_SYSTEM];
++		(*val)[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_IRQ];
++		(*val)[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_SOFTIRQ];
+ 	}
++}
++
++static int cpuacct_stats_show(struct seq_file *sf, void *v)
++{
++	u64 val[CPUACCT_STAT_NSTATS];
++	int stat;
++
++	cpuacct_stats_read(css_ca(seq_css(sf)), &val);
+ 
+ 	for (stat = 0; stat < CPUACCT_STAT_NSTATS; stat++) {
+-		seq_printf(sf, "%s %lld\n",
++		seq_printf(sf, "%s %llu\n",
+ 			   cpuacct_stat_desc[stat],
+ 			   (long long)nsec_to_clock_t(val[stat]));
+ 	}
+
+commit fdb64d002b3a223ce4bb11aa4448a42050470052
+Author: Tejun Heo <tj@kernel.org>
+Date:   Fri Mar 11 07:31:23 2016 -0500
+
+    sched: Implement interface for cgroup unified hierarchy
+    
+    While the cpu controller doesn't have any functional problems, there
+    are a couple interface issues which can be addressed in the v2
+    interface.
+    
+    * cpuacct being a separate controller.  This separation is artificial
+      and rather pointless as demonstrated by most use cases co-mounting
+      the two controllers.  It also forces certain information to be
+      accounted twice.
+    
+    * Use of different time units.  Writable control knobs use
+      microseconds, some stat fields use nanoseconds while other cpuacct
+      stat fields use centiseconds.
+    
+    * Control knobs which can't be used in the root cgroup still show up
+      in the root.
+    
+    * Control knob names and semantics aren't consistent with other
+      controllers.
+    
+    This patchset implements cpu controller's interface on the unified
+    hierarchy which adheres to the controller file conventions described
+    in Documentation/cgroups/unified-hierarchy.txt.  Overall, the
+    following changes are made.
+    
+    * cpuacct is implictly enabled and disabled by cpu and its information
+      is reported through "cpu.stat" which now uses microseconds for all
+      time durations.  All time duration fields now have "_usec" appended
+      to them for clarity.  While this doesn't solve the double accounting
+      immediately, once majority of users switch to v2, cpu can directly
+      account and report the relevant stats and cpuacct can be disabled on
+      the unified hierarchy.
+    
+      Note that cpuacct.usage_percpu is currently not included in
+      "cpu.stat".  If this information is actually called for, it can be
+      added later.
+    
+    * "cpu.shares" is replaced with "cpu.weight" and operates on the
+      standard scale defined by CGROUP_WEIGHT_MIN/DFL/MAX (1, 100, 10000).
+      The weight is scaled to scheduler weight so that 100 maps to 1024
+      and the ratio relationship is preserved - if weight is W and its
+      scaled value is S, W / 100 == S / 1024.  While the mapped range is a
+      bit smaller than the orignal scheduler weight range, the dead zones
+      on both sides are relatively small and covers wider range than the
+      nice value mappings.  This file doesn't make sense in the root
+      cgroup and isn't create on root.
+    
+    * "cpu.cfs_quota_us" and "cpu.cfs_period_us" are replaced by "cpu.max"
+      which contains both quota and period.
+    
+    * "cpu.rt_runtime_us" and "cpu.rt_period_us" are replaced by
+      "cpu.rt.max" which contains both runtime and period.
+    
+    v2: cpu_stats_show() was incorrectly using CONFIG_FAIR_GROUP_SCHED for
+        CFS bandwidth stats and also using raw division for u64.  Use
+        CONFIG_CFS_BANDWITH and do_div() instead.
+    
+        The semantics of "cpu.rt.max" is not fully decided yet.  Dropped
+        for now.
+    
+    Signed-off-by: Tejun Heo <tj@kernel.org>
+    Cc: Ingo Molnar <mingo@redhat.com>
+    Cc: Peter Zijlstra <peterz@infradead.org>
+    Cc: Li Zefan <lizefan@huawei.com>
+    Cc: Johannes Weiner <hannes@cmpxchg.org>
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index a1b95e83fa87..f01d56e58a1b 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7253,6 +7253,139 @@ static struct cftype cpu_legacy_files[] = {
+ 	{ }	/* Terminate */
+ };
+ 
++static int cpu_stats_show(struct seq_file *sf, void *v)
++{
++	cpuacct_cpu_stats_show(sf);
++
++#ifdef CONFIG_CFS_BANDWIDTH
++	{
++		struct task_group *tg = css_tg(seq_css(sf));
++		struct cfs_bandwidth *cfs_b = &tg->cfs_bandwidth;
++		u64 throttled_usec;
++
++		throttled_usec = cfs_b->throttled_time;
++		do_div(throttled_usec, NSEC_PER_USEC);
++
++		seq_printf(sf, "nr_periods %d\n"
++			   "nr_throttled %d\n"
++			   "throttled_usec %llu\n",
++			   cfs_b->nr_periods, cfs_b->nr_throttled,
++			   throttled_usec);
++	}
++#endif
++	return 0;
++}
++
++#ifdef CONFIG_FAIR_GROUP_SCHED
++static u64 cpu_weight_read_u64(struct cgroup_subsys_state *css,
++			       struct cftype *cft)
++{
++	struct task_group *tg = css_tg(css);
++	u64 weight = scale_load_down(tg->shares);
++
++	return DIV_ROUND_CLOSEST_ULL(weight * CGROUP_WEIGHT_DFL, 1024);
++}
++
++static int cpu_weight_write_u64(struct cgroup_subsys_state *css,
++				struct cftype *cftype, u64 weight)
++{
++	/*
++	 * cgroup weight knobs should use the common MIN, DFL and MAX
++	 * values which are 1, 100 and 10000 respectively.  While it loses
++	 * a bit of range on both ends, it maps pretty well onto the shares
++	 * value used by scheduler and the round-trip conversions preserve
++	 * the original value over the entire range.
++	 */
++	if (weight < CGROUP_WEIGHT_MIN || weight > CGROUP_WEIGHT_MAX)
++		return -ERANGE;
++
++	weight = DIV_ROUND_CLOSEST_ULL(weight * 1024, CGROUP_WEIGHT_DFL);
++
++	return sched_group_set_shares(css_tg(css), scale_load(weight));
++}
++#endif
++
++static void __maybe_unused cpu_period_quota_print(struct seq_file *sf,
++						  long period, long quota)
++{
++	if (quota < 0)
++		seq_puts(sf, "max");
++	else
++		seq_printf(sf, "%ld", quota);
++
++	seq_printf(sf, " %ld\n", period);
++}
++
++/* caller should put the current value in *@periodp before calling */
++static int __maybe_unused cpu_period_quota_parse(char *buf,
++						 u64 *periodp, u64 *quotap)
++{
++	char tok[21];	/* U64_MAX */
++
++	if (!sscanf(buf, "%s %llu", tok, periodp))
++		return -EINVAL;
++
++	*periodp *= NSEC_PER_USEC;
++
++	if (sscanf(tok, "%llu", quotap))
++		*quotap *= NSEC_PER_USEC;
++	else if (!strcmp(tok, "max"))
++		*quotap = RUNTIME_INF;
++	else
++		return -EINVAL;
++
++	return 0;
++}
++
++#ifdef CONFIG_CFS_BANDWIDTH
++static int cpu_max_show(struct seq_file *sf, void *v)
++{
++	struct task_group *tg = css_tg(seq_css(sf));
++
++	cpu_period_quota_print(sf, tg_get_cfs_period(tg), tg_get_cfs_quota(tg));
++	return 0;
++}
++
++static ssize_t cpu_max_write(struct kernfs_open_file *of,
++			     char *buf, size_t nbytes, loff_t off)
++{
++	struct task_group *tg = css_tg(of_css(of));
++	u64 period = tg_get_cfs_period(tg);
++	u64 quota;
++	int ret;
++
++	ret = cpu_period_quota_parse(buf, &period, &quota);
++	if (!ret)
++		ret = tg_set_cfs_bandwidth(tg, period, quota);
++	return ret ?: nbytes;
++}
++#endif
++
++static struct cftype cpu_files[] = {
++	{
++		.name = "stat",
++		.flags = CFTYPE_NOT_ON_ROOT,
++		.seq_show = cpu_stats_show,
++	},
++#ifdef CONFIG_FAIR_GROUP_SCHED
++	{
++		.name = "weight",
++		.flags = CFTYPE_NOT_ON_ROOT,
++		.read_u64 = cpu_weight_read_u64,
++		.write_u64 = cpu_weight_write_u64,
++	},
++#endif
++#ifdef CONFIG_CFS_BANDWIDTH
++	{
++		.name = "max",
++		.flags = CFTYPE_NOT_ON_ROOT,
++		.seq_show = cpu_max_show,
++		.write = cpu_max_write,
++	},
++#endif
++	{ }	/* terminate */
++};
++
+ struct cgroup_subsys cpu_cgrp_subsys = {
+ 	.css_alloc	= cpu_cgroup_css_alloc,
+ 	.css_online	= cpu_cgroup_css_online,
+@@ -7262,7 +7395,15 @@ struct cgroup_subsys cpu_cgrp_subsys = {
+ 	.can_attach	= cpu_cgroup_can_attach,
+ 	.attach		= cpu_cgroup_attach,
+ 	.legacy_cftypes	= cpu_legacy_files,
++	.dfl_cftypes	= cpu_files,
+ 	.early_init	= true,
++#ifdef CONFIG_CGROUP_CPUACCT
++	/*
++	 * cpuacct is enabled together with cpu on the unified hierarchy
++	 * and its stats are reported through "cpu.stat".
++	 */
++	.depends_on	= 1 << cpuacct_cgrp_id,
++#endif
+ };
+ 
+ #endif	/* CONFIG_CGROUP_SCHED */
+diff --git a/kernel/sched/cpuacct.c b/kernel/sched/cpuacct.c
+index 6151c23f722f..fc1cf13c3af1 100644
+--- a/kernel/sched/cpuacct.c
++++ b/kernel/sched/cpuacct.c
+@@ -347,6 +347,31 @@ static struct cftype files[] = {
+ 	{ }	/* terminate */
+ };
+ 
++/* used to print cpuacct stats in cpu.stat on the unified hierarchy */
++void cpuacct_cpu_stats_show(struct seq_file *sf)
++{
++	struct cgroup_subsys_state *css;
++	u64 usage, val[CPUACCT_STAT_NSTATS];
++
++	css = cgroup_get_e_css(seq_css(sf)->cgroup, &cpuacct_cgrp_subsys);
++
++	usage = cpuusage_read(css, seq_cft(sf));
++	cpuacct_stats_read(css_ca(css), &val);
++
++	val[CPUACCT_STAT_USER] *= TICK_NSEC;
++	val[CPUACCT_STAT_SYSTEM] *= TICK_NSEC;
++	do_div(usage, NSEC_PER_USEC);
++	do_div(val[CPUACCT_STAT_USER], NSEC_PER_USEC);
++	do_div(val[CPUACCT_STAT_SYSTEM], NSEC_PER_USEC);
++
++	seq_printf(sf, "usage_usec %llu\n"
++		   "user_usec %llu\n"
++		   "system_usec %llu\n",
++		   usage, val[CPUACCT_STAT_USER], val[CPUACCT_STAT_SYSTEM]);
++
++	css_put(css);
++}
++
+ /*
+  * charge this task's execution time to its accounting group.
+  *
+diff --git a/kernel/sched/cpuacct.h b/kernel/sched/cpuacct.h
+index ba72807c73d4..ddf7af466d35 100644
+--- a/kernel/sched/cpuacct.h
++++ b/kernel/sched/cpuacct.h
+@@ -2,6 +2,7 @@
+ 
+ extern void cpuacct_charge(struct task_struct *tsk, u64 cputime);
+ extern void cpuacct_account_field(struct task_struct *tsk, int index, u64 val);
++extern void cpuacct_cpu_stats_show(struct seq_file *sf);
+ 
+ #else
+ 
+@@ -14,4 +15,8 @@ cpuacct_account_field(struct task_struct *tsk, int index, u64 val)
+ {
+ }
+ 
++static inline void cpuacct_cpu_stats_show(struct seq_file *sf)
++{
++}
++
+ #endif
+
+commit 8dde150866b8c433216105c50b7e889d5242d583
+Author: Tejun Heo <tj@kernel.org>
+Date:   Fri Aug 5 12:41:01 2016 -0400
+
+    cgroup: add documentation regarding CPU controller cgroup v2 support
+    
+    Signed-off-by: Tejun Heo <tj@kernel.org>
+
+diff --git a/Documentation/cgroup-v2-cpu.txt b/Documentation/cgroup-v2-cpu.txt
+new file mode 100644
+index 000000000000..1ed7032d4472
+--- /dev/null
++++ b/Documentation/cgroup-v2-cpu.txt
+@@ -0,0 +1,368 @@
++
++
++CPU Controller on Control Group v2
++
++August, 2016		Tejun Heo <tj@kernel.org>
++
++
++While most controllers have support for cgroup v2 now, the CPU
++controller support is not upstream yet due to objections from the
++scheduler maintainers on the basic designs of cgroup v2.  This
++document explains the current situation as well as an interim
++solution, and details the disagreements and arguments.  The latest
++version of this document can be found at the following URL.
++
++ https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/tree/Documentation/cgroup-v2-cpu.txt?h=cgroup-v2-cpu
++
++This document was posted to the linux-kernel and cgroup mailing lists.
++Unfortunately, no consensus was reached as of Oct, 2016.  The thread
++can be found at the following URL.
++
++ http://lkml.kernel.org/r/20160805170752.GK2542@mtj.duckdns.org
++
++
++CONTENTS
++
++1. Current Situation and Interim Solution
++2. Disagreements and Arguments
++  2-1. Contentious Restrictions
++    2-1-1. Process Granularity
++    2-1-2. No Internal Process Constraint
++  2-2. Impact on CPU Controller
++    2-2-1. Impact of Process Granularity
++    2-2-2. Impact of No Internal Process Constraint
++  2-3. Arguments for cgroup v2
++3. Way Forward
++4. References
++
++
++1. Current Situation and Interim Solution
++
++All objections from the scheduler maintainers apply to cgroup v2 core
++design, and there are no known objections to the specifics of the CPU
++controller cgroup v2 interface.  The only blocked part is changes to
++expose the CPU controller interface on cgroup v2, which comprises the
++following two patches:
++
++ [1] sched: Misc preps for cgroup unified hierarchy interface
++ [2] sched: Implement interface for cgroup unified hierarchy
++
++The necessary changes are superficial and implement the interface
++files on cgroup v2.  The combined diffstat is as follows.
++
++ kernel/sched/core.c    |  149 +++++++++++++++++++++++++++++++++++++++++++++++--
++ kernel/sched/cpuacct.c |   57 ++++++++++++------
++ kernel/sched/cpuacct.h |    5 +
++ 3 files changed, 189 insertions(+), 22 deletions(-)
++
++The patches are easy to apply and forward-port.  The following git
++branch will always carry the two patches on top of the latest release
++of the upstream kernel.
++
++ git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/cgroup-v2-cpu
++
++There also are versioned branches going back to v4.4.
++
++ git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/cgroup-v2-cpu-$KERNEL_VER
++
++While it's difficult to tell whether the CPU controller support will
++be merged, there are crucial resource control features in cgroup v2
++that are only possible due to the design choices that are being
++objected to, and every effort will be made to ease enabling the CPU
++controller cgroup v2 support out-of-tree for parties which choose to.
++
++
++2. Disagreements and Arguments
++
++There have been several lengthy discussion threads [3][4] on LKML
++around the structural constraints of cgroup v2.  The two that affect
++the CPU controller are process granularity and no internal process
++constraint.  Both arise primarily from the need for common resource
++domain definition across different resources.
++
++The common resource domain is a powerful concept in cgroup v2 that
++allows controllers to make basic assumptions about the structural
++organization of processes and controllers inside the cgroup hierarchy,
++and thus solve problems spanning multiple types of resources.  The
++prime example for this is page cache writeback: dirty page cache is
++regulated through throttling buffered writers based on memory
++availability, and initiating batched write outs to the disk based on
++IO capacity.  Tracking and controlling writeback inside a cgroup thus
++requires the direct cooperation of the memory and the IO controller.
++
++This easily extends to other areas, such as CPU cycles consumed while
++performing memory reclaim or IO encryption.
++
++
++2-1. Contentious Restrictions
++
++For controllers of different resources to work together, they must
++agree on a common organization.  This uniform model across controllers
++imposes two contentious restrictions on the CPU controller: process
++granularity and the no-internal-process constraint.
++
++
++  2-1-1. Process Granularity
++
++  For memory, because an address space is shared between all threads
++  of a process, the terminal consumer is a process, not a thread.
++  Separating the threads of a single process into different memory
++  control domains doesn't make semantical sense.  cgroup v2 ensures
++  that all controller can agree on the same organization by requiring
++  that threads of the same process belong to the same cgroup.
++
++  There are other reasons to enforce process granularity.  One
++  important one is isolating system-level management operations from
++  in-process application operations.  The cgroup interface, being a
++  virtual filesystem, is very unfit for multiple independent
++  operations taking place at the same time as most operations have to
++  be multi-step and there is no way to synchronize multiple accessors.
++  See also [5] Documentation/cgroup-v2.txt, "R-2. Thread Granularity"
++
++
++  2-1-2. No Internal Process Constraint
++
++  cgroup v2 does not allow processes to belong to any cgroup which has
++  child cgroups when resource controllers are enabled on it (the
++  notable exception being the root cgroup itself).  This is because,
++  for some resources, a resource domain (cgroup) is not directly
++  comparable to the terminal consumer (process/task) of said resource,
++  and so putting the two into a sibling relationship isn't meaningful.
++
++  - Differing Control Parameters and Capabilities
++
++    A cgroup controller has different resource control parameters and
++    capabilities from a terminal consumer, be that a task or process.
++    There are a couple cases where a cgroup control knob can be mapped
++    to a per-task or per-process API but they are exceptions and the
++    mappings aren't obvious even in those cases.
++
++    For example, task priorities (also known as nice values) set
++    through setpriority(2) are mapped to the CPU controller
++    "cpu.shares" values.  However, how exactly the two ranges map and
++    even the fact that they map to each other at all are not obvious.
++
++    The situation gets further muddled when considering other resource
++    types and control knobs.  IO priorities set through ioprio_set(2)
++    cannot be mapped to IO controller weights and most cgroup resource
++    control knobs including the bandwidth control knobs of the CPU
++    controller don't have counterparts in the terminal consumers.
++
++  - Anonymous Resource Consumption
++
++    For CPU, every time slice consumed from inside a cgroup, which
++    comprises most but not all of consumed CPU time for the cgroup,
++    can be clearly attributed to a specific task or process.  Because
++    these two types of entities are directly comparable as consumers
++    of CPU time, it's theoretically possible to mix tasks and cgroups
++    on the same tree levels and let them directly compete for the time
++    quota available to their common ancestor.
++
++    However, the same can't be said for resource types like memory or
++    IO: the memory consumed by the page cache, for example, can be
++    tracked on a per-cgroup level, but due to mismatches in lifetimes
++    of involved objects (page cache can persist long after processes
++    are gone), shared usages and the implementation overhead of
++    tracking persistent state, it can no longer be attributed to
++    individual processes after instantiation.  Consequently, any IO
++    incurred by page cache writeback can be attributed to a cgroup,
++    but not to the individual consumers inside the cgroup.
++
++  For memory and IO, this makes a resource domain (cgroup) an object
++  of a fundamentally different type than a terminal consumer
++  (process).  A process can't be a first class object in the resource
++  distribution graph as its total resource consumption can't be
++  described without the containing resource domain.
++
++  Disallowing processes in internal cgroups avoids competition between
++  cgroups and processes which cannot be meaningfully defined for these
++  resources.  All resource control takes place among cgroups and a
++  terminal consumer interacts with the containing cgroup the same way
++  it would with the system without cgroup.
++
++  Root cgroup is exempt from this constraint, which is in line with
++  how root cgroup is handled in general - it's excluded from cgroup
++  resource accounting and control.
++
++
++Enforcing process granularity and no internal process constraint
++allows all controllers to be on the same footing in terms of resource
++distribution hierarchy.
++
++
++2-2. Impact on CPU Controller
++
++As indicated earlier, the CPU controller's resource distribution graph
++is the simplest.  Every schedulable resource consumption can be
++attributed to a specific task.  In addition, for weight based control,
++the per-task priority set through setpriority(2) can be translated to
++and from a per-cgroup weight.  As such, the CPU controller can treat a
++task and a cgroup symmetrically, allowing support for any tree layout
++of cgroups and tasks.  Both process granularity and the no internal
++process constraint restrict how the CPU controller can be used.
++
++
++  2-2-1. Impact of Process Granularity
++
++  Process granularity prevents tasks belonging to the same process to
++  be assigned to different cgroups.  It was pointed out [6] that this
++  excludes the valid use case of hierarchical CPU distribution within
++  processes.
++
++  To address this issue, the rgroup (resource group) [7][8][9]
++  interface, an extension of the existing setpriority(2) API, was
++  proposed, which is in line with other programmable priority
++  mechanisms and eliminates the risk of in-application configuration
++  and system configuration stepping on each other's toes.
++  Unfortunately, the proposal quickly turned into discussions around
++  cgroup v2 design decisions [4] and no consensus could be reached.
++
++
++  2-2-2. Impact of No Internal Process Constraint
++
++  The no internal process constraint disallows tasks from competing
++  directly against cgroups.  Here is an excerpt from Peter Zijlstra
++  pointing out the issue [10] - R, L and A are cgroups; t1, t2, t3 and
++  t4 are tasks:
++
++
++          R
++        / | \
++       t1 t2 A
++           /   \
++          t3   t4
++
++
++    Is fundamentally different from:
++
++
++               R
++             /   \
++           L       A
++         /   \   /   \
++        t1  t2  t3   t4
++
++
++    Because if in the first hierarchy you add a task (t5) to R, all of
++    its A will run at 1/4th of total bandwidth where before it had
++    1/3rd, whereas with the second example, if you add our t5 to L, A
++    doesn't get any less bandwidth.
++
++
++  It is true that the trees are semantically different from each other
++  and the symmetric handling of tasks and cgroups is aesthetically
++  pleasing.  However, it isn't clear what the practical usefulness of
++  a layout with direct competition between tasks and cgroups would be,
++  considering that number and behavior of tasks are controlled by each
++  application, and cgroups primarily deal with system level resource
++  distribution; changes in the number of active threads would directly
++  impact resource distribution.  Real world use cases of such layouts
++  could not be established during the discussions.
++
++
++2-3. Arguments for cgroup v2
++
++There are strong demands for comprehensive hierarchical resource
++control across all major resources, and establishing a common resource
++hierarchy is an essential step.  As with most engineering decisions,
++common resource hierarchy definition comes with its trade-offs.  With
++cgroup v2, the trade-offs are in the form of structural constraints
++which, among others, restrict the CPU controller's space of possible
++configurations.
++
++However, even with the restrictions, cgroup v2, in combination with
++rgroup, covers most of identified real world use cases while enabling
++new important use cases of resource control across multiple resource
++types that were fundamentally broken previously.
++
++Furthermore, for resource control, treating resource domains as
++objects of a different type from terminal consumers has important
++advantages - it can account for resource consumptions which are not
++tied to any specific terminal consumer, be that a task or process, and
++allows decoupling resource distribution controls from in-application
++APIs.  Even the CPU controller may benefit from it as the kernel can
++consume significant amount of CPU cycles in interrupt context or tasks
++shared across multiple resource domains (e.g. softirq).
++
++Finally, it's important to note that enabling cgroup v2 support for
++the CPU controller doesn't block use cases which require the features
++which are not available on cgroup v2.  Unlikely, but should anybody
++actually rely on the CPU controller's symmetric handling of tasks and
++cgroups, backward compatibility is and will be maintained by being
++able to disconnect the controller from the cgroup v2 hierarchy and use
++it standalone.  This also holds for cpuset which is often used in
++highly customized configurations which might be a poor fit for common
++resource domains.
++
++The required changes are minimal, the benefits for the target use
++cases are critical and obvious, and use cases which have to use v1 can
++continue to do so.
++
++
++3. Way Forward
++
++cgroup v2 primarily aims to solve the problem of comprehensive
++hierarchical resource control across all major computing resources,
++which is one of the core problems of modern server infrastructure
++engineering.  The trade-offs that cgroup v2 took are results of
++pursuing that goal and gaining a better understanding of the nature of
++resource control in the process.
++
++I believe that real world usages will prove cgroup v2's model right,
++considering the crucial pieces of comprehensive resource control that
++cannot be implemented without common resource domains.  This is not to
++say that cgroup v2 is fixed in stone and can't be updated; if there is
++an approach which better serves both comprehensive resource control
++and the CPU controller's flexibility, we will surely move towards
++that.  It goes without saying that discussions around such approach
++should consider practical aspects of resource control as a whole
++rather than absolutely focusing on a particular controller.
++
++Until such consensus can be reached, the CPU controller cgroup v2
++support will be maintained out of the mainline kernel in an easily
++accessible form.  If there is anything cgroup developers can do to
++ease the pain, please feel free to contact us on the cgroup mailing
++list at cgroups@vger.kernel.org.
++
++
++4. References
++
++[1]  http://lkml.kernel.org/r/20160105164834.GE5995@mtj.duckdns.org
++     [PATCH 1/2] sched: Misc preps for cgroup unified hierarchy interface
++     Tejun Heo <tj@kernel.org>
++
++[2]  http://lkml.kernel.org/r/20160105164852.GF5995@mtj.duckdns.org
++     [PATCH 2/2] sched: Implement interface for cgroup unified hierarchy
++     Tejun Heo <tj@kernel.org>
++
++[3]  http://lkml.kernel.org/r/1438641689-14655-4-git-send-email-tj@kernel.org
++     [PATCH 3/3] sched: Implement interface for cgroup unified hierarchy
++     Tejun Heo <tj@kernel.org>
++
++[4]  http://lkml.kernel.org/r/20160407064549.GH3430@twins.programming.kicks-ass.net
++     Re: [PATCHSET RFC cgroup/for-4.6] cgroup, sched: implement resource group and PRIO_RGRP
++     Peter Zijlstra <peterz@infradead.org>
++
++[5]  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroup-v2.txt
++     Control Group v2
++     Tejun Heo <tj@kernel.org>
++
++[6]  http://lkml.kernel.org/r/CAPM31RJNy3jgG=DYe6GO=wyL4BPPxwUm1f2S6YXacQmo7viFZA@mail.gmail.com
++     Re: [PATCH 3/3] sched: Implement interface for cgroup unified hierarchy
++     Paul Turner <pjt@google.com>
++
++[7]  http://lkml.kernel.org/r/20160105154503.GC5995@mtj.duckdns.org
++     [RFD] cgroup: thread granularity support for cpu controller
++     Tejun Heo <tj@kernel.org>
++
++[8]  http://lkml.kernel.org/r/1457710888-31182-1-git-send-email-tj@kernel.org
++     [PATCHSET RFC cgroup/for-4.6] cgroup, sched: implement resource group and PRIO_RGRP
++     Tejun Heo <tj@kernel.org>
++
++[9]  http://lkml.kernel.org/r/20160311160522.GA24046@htj.duckdns.org
++     Example program for PRIO_RGRP
++     Tejun Heo <tj@kernel.org>
++
++[10] http://lkml.kernel.org/r/20160407082810.GN3430@twins.programming.kicks-ass.net
++     Re: [PATCHSET RFC cgroup/for-4.6] cgroup, sched: implement resource
++     Peter Zijlstra <peterz@infradead.org>
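Review bot: In `cpu_period_quota_parse()` (the kernel/sched/core.c part of the second embedded commit), `sscanf(buf, "%s %llu", tok, periodp)` copies the first token into the 21-byte stack array `tok` with no field width, so a longer token written to the `cpu.max` file would overrun that kernel stack buffer. The conversion should be bounded to the array size, leaving room for the terminating NUL: `if (!sscanf(buf, "%20s %llu", tok, periodp))`. `cpu_max_write()` passes the written buffer straight to this parser with no length check of its own, so this is reachable by anyone with write access to that file. The 4.9.patch file added right after this one starts with the same commit series, but its copy of this function is outside the visible lines, so it should be checked too.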
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/4.9.patch b/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/4.9.patch
new file mode 100644
index 000000000000..596718b83c43
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/4.9.patch
@@ -0,0 +1,784 @@
+commit 280858b0bb3384b9ec06b455e196b453888bd6b8
+Author: Tejun Heo <tj@kernel.org>
+Date:   Fri Mar 11 07:31:23 2016 -0500
+
+    sched: Misc preps for cgroup unified hierarchy interface
+    
+    Make the following changes in preparation for the cpu controller
+    interface implementation for the unified hierarchy.  This patch
+    doesn't cause any functional differences.
+    
+    * s/cpu_stats_show()/cpu_cfs_stats_show()/
+    
+    * s/cpu_files/cpu_legacy_files/
+    
+    * Separate out cpuacct_stats_read() from cpuacct_stats_show().  While
+      at it, make the @val array u64 for consistency.
+    
+    Signed-off-by: Tejun Heo <tj@kernel.org>
+    Cc: Ingo Molnar <mingo@redhat.com>
+    Cc: Peter Zijlstra <peterz@infradead.org>
+    Cc: Li Zefan <lizefan@huawei.com>
+    Cc: Johannes Weiner <hannes@cmpxchg.org>
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 154fd689fe02..57472485b79c 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8705,7 +8705,7 @@ static int __cfs_schedulable(struct task_group *tg, u64 period, u64 quota)
+ 	return ret;
+ }
+ 
+-static int cpu_stats_show(struct seq_file *sf, void *v)
++static int cpu_cfs_stats_show(struct seq_file *sf, void *v)
+ {
+ 	struct task_group *tg = css_tg(seq_css(sf));
+ 	struct cfs_bandwidth *cfs_b = &tg->cfs_bandwidth;
+@@ -8745,7 +8745,7 @@ static u64 cpu_rt_period_read_uint(struct cgroup_subsys_state *css,
+ }
+ #endif /* CONFIG_RT_GROUP_SCHED */
+ 
+-static struct cftype cpu_files[] = {
++static struct cftype cpu_legacy_files[] = {
+ #ifdef CONFIG_FAIR_GROUP_SCHED
+ 	{
+ 		.name = "shares",
+@@ -8766,7 +8766,7 @@ static struct cftype cpu_files[] = {
+ 	},
+ 	{
+ 		.name = "stat",
+-		.seq_show = cpu_stats_show,
++		.seq_show = cpu_cfs_stats_show,
+ 	},
+ #endif
+ #ifdef CONFIG_RT_GROUP_SCHED
+@@ -8791,7 +8791,7 @@ struct cgroup_subsys cpu_cgrp_subsys = {
+ 	.fork		= cpu_cgroup_fork,
+ 	.can_attach	= cpu_cgroup_can_attach,
+ 	.attach		= cpu_cgroup_attach,
+-	.legacy_cftypes	= cpu_files,
++	.legacy_cftypes	= cpu_legacy_files,
+ 	.early_init	= true,
+ };
+ 
+diff --git a/kernel/sched/cpuacct.c b/kernel/sched/cpuacct.c
+index bc0b309c3f19..d1e5dd0b3a64 100644
+--- a/kernel/sched/cpuacct.c
++++ b/kernel/sched/cpuacct.c
+@@ -276,26 +276,33 @@ static int cpuacct_all_seq_show(struct seq_file *m, void *V)
+ 	return 0;
+ }
+ 
+-static int cpuacct_stats_show(struct seq_file *sf, void *v)
++static void cpuacct_stats_read(struct cpuacct *ca,
++			       u64 (*val)[CPUACCT_STAT_NSTATS])
+ {
+-	struct cpuacct *ca = css_ca(seq_css(sf));
+-	s64 val[CPUACCT_STAT_NSTATS];
+ 	int cpu;
+-	int stat;
+ 
+-	memset(val, 0, sizeof(val));
++	memset(val, 0, sizeof(*val));
++
+ 	for_each_possible_cpu(cpu) {
+ 		u64 *cpustat = per_cpu_ptr(ca->cpustat, cpu)->cpustat;
+ 
+-		val[CPUACCT_STAT_USER]   += cpustat[CPUTIME_USER];
+-		val[CPUACCT_STAT_USER]   += cpustat[CPUTIME_NICE];
+-		val[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_SYSTEM];
+-		val[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_IRQ];
+-		val[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_SOFTIRQ];
++		(*val)[CPUACCT_STAT_USER]   += cpustat[CPUTIME_USER];
++		(*val)[CPUACCT_STAT_USER]   += cpustat[CPUTIME_NICE];
++		(*val)[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_SYSTEM];
++		(*val)[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_IRQ];
++		(*val)[CPUACCT_STAT_SYSTEM] += cpustat[CPUTIME_SOFTIRQ];
+ 	}
++}
++
++static int cpuacct_stats_show(struct seq_file *sf, void *v)
++{
++	u64 val[CPUACCT_STAT_NSTATS];
++	int stat;
++
++	cpuacct_stats_read(css_ca(seq_css(sf)), &val);
+ 
+ 	for (stat = 0; stat < CPUACCT_STAT_NSTATS; stat++) {
+-		seq_printf(sf, "%s %lld\n",
++		seq_printf(sf, "%s %llu\n",
+ 			   cpuacct_stat_desc[stat],
+ 			   cputime64_to_clock_t(val[stat]));
+ 	}
+
+commit 015cbdcb90034fd566d00de9d3d405613da3cd26
+Author: Tejun Heo <tj@kernel.org>
+Date:   Fri Mar 11 07:31:23 2016 -0500
+
+    sched: Implement interface for cgroup unified hierarchy
+    
+    While the cpu controller doesn't have any functional problems, there
+    are a couple interface issues which can be addressed in the v2
+    interface.
+    
+    * cpuacct being a separate controller.  This separation is artificial
+      and rather pointless as demonstrated by most use cases co-mounting
+      the two controllers.  It also forces certain information to be
+      accounted twice.
+    
+    * Use of different time units.  Writable control knobs use
+      microseconds, some stat fields use nanoseconds while other cpuacct
+      stat fields use centiseconds.
+    
+    * Control knobs which can't be used in the root cgroup still show up
+      in the root.
+    
+    * Control knob names and semantics aren't consistent with other
+      controllers.
+    
+    This patchset implements cpu controller's interface on the unified
+    hierarchy which adheres to the controller file conventions described
+    in Documentation/cgroups/unified-hierarchy.txt.  Overall, the
+    following changes are made.
+    
+    * cpuacct is implictly enabled and disabled by cpu and its information
+      is reported through "cpu.stat" which now uses microseconds for all
+      time durations.  All time duration fields now have "_usec" appended
+      to them for clarity.  While this doesn't solve the double accounting
+      immediately, once majority of users switch to v2, cpu can directly
+      account and report the relevant stats and cpuacct can be disabled on
+      the unified hierarchy.
+    
+      Note that cpuacct.usage_percpu is currently not included in
+      "cpu.stat".  If this information is actually called for, it can be
+      added later.
+    
+    * "cpu.shares" is replaced with "cpu.weight" and operates on the
+      standard scale defined by CGROUP_WEIGHT_MIN/DFL/MAX (1, 100, 10000).
+      The weight is scaled to scheduler weight so that 100 maps to 1024
+      and the ratio relationship is preserved - if weight is W and its
+      scaled value is S, W / 100 == S / 1024.  While the mapped range is a
+      bit smaller than the orignal scheduler weight range, the dead zones
+      on both sides are relatively small and covers wider range than the
+      nice value mappings.  This file doesn't make sense in the root
+      cgroup and isn't create on root.
+    
+    * "cpu.cfs_quota_us" and "cpu.cfs_period_us" are replaced by "cpu.max"
+      which contains both quota and period.
+    
+    * "cpu.rt_runtime_us" and "cpu.rt_period_us" are replaced by
+      "cpu.rt.max" which contains both runtime and period.
+    
+    v2: cpu_stats_show() was incorrectly using CONFIG_FAIR_GROUP_SCHED for
+        CFS bandwidth stats and also using raw division for u64.  Use
+        CONFIG_CFS_BANDWITH and do_div() instead.
+    
+        The semantics of "cpu.rt.max" is not fully decided yet.  Dropped
+        for now.
+    
+    Signed-off-by: Tejun Heo <tj@kernel.org>
+    Cc: Ingo Molnar <mingo@redhat.com>
+    Cc: Peter Zijlstra <peterz@infradead.org>
+    Cc: Li Zefan <lizefan@huawei.com>
+    Cc: Johannes Weiner <hannes@cmpxchg.org>
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 57472485b79c..c0ae869f51c4 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8784,6 +8784,139 @@ static struct cftype cpu_legacy_files[] = {
+ 	{ }	/* terminate */
+ };
+ 
++static int cpu_stats_show(struct seq_file *sf, void *v)
++{
++	cpuacct_cpu_stats_show(sf);
++
++#ifdef CONFIG_CFS_BANDWIDTH
++	{
++		struct task_group *tg = css_tg(seq_css(sf));
++		struct cfs_bandwidth *cfs_b = &tg->cfs_bandwidth;
++		u64 throttled_usec;
++
++		throttled_usec = cfs_b->throttled_time;
++		do_div(throttled_usec, NSEC_PER_USEC);
++
++		seq_printf(sf, "nr_periods %d\n"
++			   "nr_throttled %d\n"
++			   "throttled_usec %llu\n",
++			   cfs_b->nr_periods, cfs_b->nr_throttled,
++			   throttled_usec);
++	}
++#endif
++	return 0;
++}
++
++#ifdef CONFIG_FAIR_GROUP_SCHED
++static u64 cpu_weight_read_u64(struct cgroup_subsys_state *css,
++			       struct cftype *cft)
++{
++	struct task_group *tg = css_tg(css);
++	u64 weight = scale_load_down(tg->shares);
++
++	return DIV_ROUND_CLOSEST_ULL(weight * CGROUP_WEIGHT_DFL, 1024);
++}
++
++static int cpu_weight_write_u64(struct cgroup_subsys_state *css,
++				struct cftype *cftype, u64 weight)
++{
++	/*
++	 * cgroup weight knobs should use the common MIN, DFL and MAX
++	 * values which are 1, 100 and 10000 respectively.  While it loses
++	 * a bit of range on both ends, it maps pretty well onto the shares
++	 * value used by scheduler and the round-trip conversions preserve
++	 * the original value over the entire range.
++	 */
++	if (weight < CGROUP_WEIGHT_MIN || weight > CGROUP_WEIGHT_MAX)
++		return -ERANGE;
++
++	weight = DIV_ROUND_CLOSEST_ULL(weight * 1024, CGROUP_WEIGHT_DFL);
++
++	return sched_group_set_shares(css_tg(css), scale_load(weight));
++}
++#endif
++
++static void __maybe_unused cpu_period_quota_print(struct seq_file *sf,
++						  long period, long quota)
++{
++	if (quota < 0)
++		seq_puts(sf, "max");
++	else
++		seq_printf(sf, "%ld", quota);
++
++	seq_printf(sf, " %ld\n", period);
++}
++
++/* caller should put the current value in *@periodp before calling */
++static int __maybe_unused cpu_period_quota_parse(char *buf,
++						 u64 *periodp, u64 *quotap)
++{
++	char tok[21];	/* U64_MAX */
++
++	if (!sscanf(buf, "%s %llu", tok, periodp))
++		return -EINVAL;
++
++	*periodp *= NSEC_PER_USEC;
++
++	if (sscanf(tok, "%llu", quotap))
++		*quotap *= NSEC_PER_USEC;
++	else if (!strcmp(tok, "max"))
++		*quotap = RUNTIME_INF;
++	else
++		return -EINVAL;
++
++	return 0;
++}
++
++#ifdef CONFIG_CFS_BANDWIDTH
++static int cpu_max_show(struct seq_file *sf, void *v)
++{
++	struct task_group *tg = css_tg(seq_css(sf));
++
++	cpu_period_quota_print(sf, tg_get_cfs_period(tg), tg_get_cfs_quota(tg));
++	return 0;
++}
++
++static ssize_t cpu_max_write(struct kernfs_open_file *of,
++			     char *buf, size_t nbytes, loff_t off)
++{
++	struct task_group *tg = css_tg(of_css(of));
++	u64 period = tg_get_cfs_period(tg);
++	u64 quota;
++	int ret;
++
++	ret = cpu_period_quota_parse(buf, &period, &quota);
++	if (!ret)
++		ret = tg_set_cfs_bandwidth(tg, period, quota);
++	return ret ?: nbytes;
++}
++#endif
++
++static struct cftype cpu_files[] = {
++	{
++		.name = "stat",
++		.flags = CFTYPE_NOT_ON_ROOT,
++		.seq_show = cpu_stats_show,
++	},
++#ifdef CONFIG_FAIR_GROUP_SCHED
++	{
++		.name = "weight",
++		.flags = CFTYPE_NOT_ON_ROOT,
++		.read_u64 = cpu_weight_read_u64,
++		.write_u64 = cpu_weight_write_u64,
++	},
++#endif
++#ifdef CONFIG_CFS_BANDWIDTH
++	{
++		.name = "max",
++		.flags = CFTYPE_NOT_ON_ROOT,
++		.seq_show = cpu_max_show,
++		.write = cpu_max_write,
++	},
++#endif
++	{ }	/* terminate */
++};
++
+ struct cgroup_subsys cpu_cgrp_subsys = {
+ 	.css_alloc	= cpu_cgroup_css_alloc,
+ 	.css_released	= cpu_cgroup_css_released,
+@@ -8792,7 +8925,15 @@ struct cgroup_subsys cpu_cgrp_subsys = {
+ 	.can_attach	= cpu_cgroup_can_attach,
+ 	.attach		= cpu_cgroup_attach,
+ 	.legacy_cftypes	= cpu_legacy_files,
++	.dfl_cftypes	= cpu_files,
+ 	.early_init	= true,
++#ifdef CONFIG_CGROUP_CPUACCT
++	/*
++	 * cpuacct is enabled together with cpu on the unified hierarchy
++	 * and its stats are reported through "cpu.stat".
++	 */
++	.depends_on	= 1 << cpuacct_cgrp_id,
++#endif
+ };
+ 
+ #endif	/* CONFIG_CGROUP_SCHED */
+diff --git a/kernel/sched/cpuacct.c b/kernel/sched/cpuacct.c
+index d1e5dd0b3a64..57f390514c39 100644
+--- a/kernel/sched/cpuacct.c
++++ b/kernel/sched/cpuacct.c
+@@ -347,6 +347,31 @@ static struct cftype files[] = {
+ 	{ }	/* terminate */
+ };
+ 
++/* used to print cpuacct stats in cpu.stat on the unified hierarchy */
++void cpuacct_cpu_stats_show(struct seq_file *sf)
++{
++	struct cgroup_subsys_state *css;
++	u64 usage, val[CPUACCT_STAT_NSTATS];
++
++	css = cgroup_get_e_css(seq_css(sf)->cgroup, &cpuacct_cgrp_subsys);
++
++	usage = cpuusage_read(css, seq_cft(sf));
++	cpuacct_stats_read(css_ca(css), &val);
++
++	val[CPUACCT_STAT_USER] *= TICK_NSEC;
++	val[CPUACCT_STAT_SYSTEM] *= TICK_NSEC;
++	do_div(usage, NSEC_PER_USEC);
++	do_div(val[CPUACCT_STAT_USER], NSEC_PER_USEC);
++	do_div(val[CPUACCT_STAT_SYSTEM], NSEC_PER_USEC);
++
++	seq_printf(sf, "usage_usec %llu\n"
++		   "user_usec %llu\n"
++		   "system_usec %llu\n",
++		   usage, val[CPUACCT_STAT_USER], val[CPUACCT_STAT_SYSTEM]);
++
++	css_put(css);
++}
++
+ /*
+  * charge this task's execution time to its accounting group.
+  *
+diff --git a/kernel/sched/cpuacct.h b/kernel/sched/cpuacct.h
+index ba72807c73d4..ddf7af466d35 100644
+--- a/kernel/sched/cpuacct.h
++++ b/kernel/sched/cpuacct.h
+@@ -2,6 +2,7 @@
+ 
+ extern void cpuacct_charge(struct task_struct *tsk, u64 cputime);
+ extern void cpuacct_account_field(struct task_struct *tsk, int index, u64 val);
++extern void cpuacct_cpu_stats_show(struct seq_file *sf);
+ 
+ #else
+ 
+@@ -14,4 +15,8 @@ cpuacct_account_field(struct task_struct *tsk, int index, u64 val)
+ {
+ }
+ 
++static inline void cpuacct_cpu_stats_show(struct seq_file *sf)
++{
++}
++
+ #endif
+
+commit 5019fe3d7ec456b58d451ef06fe1f81d7d9f28a9
+Author: Tejun Heo <tj@kernel.org>
+Date:   Fri Aug 5 12:41:01 2016 -0400
+
+    cgroup: add documentation regarding CPU controller cgroup v2 support
+    
+    Signed-off-by: Tejun Heo <tj@kernel.org>
+
+diff --git a/Documentation/cgroup-v2-cpu.txt b/Documentation/cgroup-v2-cpu.txt
+new file mode 100644
+index 000000000000..1ed7032d4472
+--- /dev/null
++++ b/Documentation/cgroup-v2-cpu.txt
+@@ -0,0 +1,368 @@
++
++
++CPU Controller on Control Group v2
++
++August, 2016		Tejun Heo <tj@kernel.org>
++
++
++While most controllers have support for cgroup v2 now, the CPU
++controller support is not upstream yet due to objections from the
++scheduler maintainers on the basic designs of cgroup v2.  This
++document explains the current situation as well as an interim
++solution, and details the disagreements and arguments.  The latest
++version of this document can be found at the following URL.
++
++ https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/tree/Documentation/cgroup-v2-cpu.txt?h=cgroup-v2-cpu
++
++This document was posted to the linux-kernel and cgroup mailing lists.
++Unfortunately, no consensus was reached as of Oct, 2016.  The thread
++can be found at the following URL.
++
++ http://lkml.kernel.org/r/20160805170752.GK2542@mtj.duckdns.org
++
++
++CONTENTS
++
++1. Current Situation and Interim Solution
++2. Disagreements and Arguments
++  2-1. Contentious Restrictions
++    2-1-1. Process Granularity
++    2-1-2. No Internal Process Constraint
++  2-2. Impact on CPU Controller
++    2-2-1. Impact of Process Granularity
++    2-2-2. Impact of No Internal Process Constraint
++  2-3. Arguments for cgroup v2
++3. Way Forward
++4. References
++
++
++1. Current Situation and Interim Solution
++
++All objections from the scheduler maintainers apply to cgroup v2 core
++design, and there are no known objections to the specifics of the CPU
++controller cgroup v2 interface.  The only blocked part is changes to
++expose the CPU controller interface on cgroup v2, which comprises the
++following two patches:
++
++ [1] sched: Misc preps for cgroup unified hierarchy interface
++ [2] sched: Implement interface for cgroup unified hierarchy
++
++The necessary changes are superficial and implement the interface
++files on cgroup v2.  The combined diffstat is as follows.
++
++ kernel/sched/core.c    |  149 +++++++++++++++++++++++++++++++++++++++++++++++--
++ kernel/sched/cpuacct.c |   57 ++++++++++++------
++ kernel/sched/cpuacct.h |    5 +
++ 3 files changed, 189 insertions(+), 22 deletions(-)
++
++The patches are easy to apply and forward-port.  The following git
++branch will always carry the two patches on top of the latest release
++of the upstream kernel.
++
++ git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/cgroup-v2-cpu
++
++There also are versioned branches going back to v4.4.
++
++ git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/cgroup-v2-cpu-$KERNEL_VER
++
++While it's difficult to tell whether the CPU controller support will
++be merged, there are crucial resource control features in cgroup v2
++that are only possible due to the design choices that are being
++objected to, and every effort will be made to ease enabling the CPU
++controller cgroup v2 support out-of-tree for parties which choose to.
++
++
++2. Disagreements and Arguments
++
++There have been several lengthy discussion threads [3][4] on LKML
++around the structural constraints of cgroup v2.  The two that affect
++the CPU controller are process granularity and no internal process
++constraint.  Both arise primarily from the need for common resource
++domain definition across different resources.
++
++The common resource domain is a powerful concept in cgroup v2 that
++allows controllers to make basic assumptions about the structural
++organization of processes and controllers inside the cgroup hierarchy,
++and thus solve problems spanning multiple types of resources.  The
++prime example for this is page cache writeback: dirty page cache is
++regulated through throttling buffered writers based on memory
++availability, and initiating batched write outs to the disk based on
++IO capacity.  Tracking and controlling writeback inside a cgroup thus
++requires the direct cooperation of the memory and the IO controller.
++
++This easily extends to other areas, such as CPU cycles consumed while
++performing memory reclaim or IO encryption.
++
++
++2-1. Contentious Restrictions
++
++For controllers of different resources to work together, they must
++agree on a common organization.  This uniform model across controllers
++imposes two contentious restrictions on the CPU controller: process
++granularity and the no-internal-process constraint.
++
++
++  2-1-1. Process Granularity
++
++  For memory, because an address space is shared between all threads
++  of a process, the terminal consumer is a process, not a thread.
++  Separating the threads of a single process into different memory
++  control domains doesn't make semantical sense.  cgroup v2 ensures
++  that all controller can agree on the same organization by requiring
++  that threads of the same process belong to the same cgroup.
++
++  There are other reasons to enforce process granularity.  One
++  important one is isolating system-level management operations from
++  in-process application operations.  The cgroup interface, being a
++  virtual filesystem, is very unfit for multiple independent
++  operations taking place at the same time as most operations have to
++  be multi-step and there is no way to synchronize multiple accessors.
++  See also [5] Documentation/cgroup-v2.txt, "R-2. Thread Granularity"
++
++
++  2-1-2. No Internal Process Constraint
++
++  cgroup v2 does not allow processes to belong to any cgroup which has
++  child cgroups when resource controllers are enabled on it (the
++  notable exception being the root cgroup itself).  This is because,
++  for some resources, a resource domain (cgroup) is not directly
++  comparable to the terminal consumer (process/task) of said resource,
++  and so putting the two into a sibling relationship isn't meaningful.
++
++  - Differing Control Parameters and Capabilities
++
++    A cgroup controller has different resource control parameters and
++    capabilities from a terminal consumer, be that a task or process.
++    There are a couple cases where a cgroup control knob can be mapped
++    to a per-task or per-process API but they are exceptions and the
++    mappings aren't obvious even in those cases.
++
++    For example, task priorities (also known as nice values) set
++    through setpriority(2) are mapped to the CPU controller
++    "cpu.shares" values.  However, how exactly the two ranges map and
++    even the fact that they map to each other at all are not obvious.
++
++    The situation gets further muddled when considering other resource
++    types and control knobs.  IO priorities set through ioprio_set(2)
++    cannot be mapped to IO controller weights and most cgroup resource
++    control knobs including the bandwidth control knobs of the CPU
++    controller don't have counterparts in the terminal consumers.
++
++  - Anonymous Resource Consumption
++
++    For CPU, every time slice consumed from inside a cgroup, which
++    comprises most but not all of consumed CPU time for the cgroup,
++    can be clearly attributed to a specific task or process.  Because
++    these two types of entities are directly comparable as consumers
++    of CPU time, it's theoretically possible to mix tasks and cgroups
++    on the same tree levels and let them directly compete for the time
++    quota available to their common ancestor.
++
++    However, the same can't be said for resource types like memory or
++    IO: the memory consumed by the page cache, for example, can be
++    tracked on a per-cgroup level, but due to mismatches in lifetimes
++    of involved objects (page cache can persist long after processes
++    are gone), shared usages and the implementation overhead of
++    tracking persistent state, it can no longer be attributed to
++    individual processes after instantiation.  Consequently, any IO
++    incurred by page cache writeback can be attributed to a cgroup,
++    but not to the individual consumers inside the cgroup.
++
++  For memory and IO, this makes a resource domain (cgroup) an object
++  of a fundamentally different type than a terminal consumer
++  (process).  A process can't be a first class object in the resource
++  distribution graph as its total resource consumption can't be
++  described without the containing resource domain.
++
++  Disallowing processes in internal cgroups avoids competition between
++  cgroups and processes which cannot be meaningfully defined for these
++  resources.  All resource control takes place among cgroups and a
++  terminal consumer interacts with the containing cgroup the same way
++  it would with the system without cgroup.
++
++  Root cgroup is exempt from this constraint, which is in line with
++  how root cgroup is handled in general - it's excluded from cgroup
++  resource accounting and control.
++
++
++Enforcing process granularity and no internal process constraint
++allows all controllers to be on the same footing in terms of resource
++distribution hierarchy.
++
++
++2-2. Impact on CPU Controller
++
++As indicated earlier, the CPU controller's resource distribution graph
++is the simplest.  Every schedulable resource consumption can be
++attributed to a specific task.  In addition, for weight based control,
++the per-task priority set through setpriority(2) can be translated to
++and from a per-cgroup weight.  As such, the CPU controller can treat a
++task and a cgroup symmetrically, allowing support for any tree layout
++of cgroups and tasks.  Both process granularity and the no internal
++process constraint restrict how the CPU controller can be used.
++
++
++  2-2-1. Impact of Process Granularity
++
++  Process granularity prevents tasks belonging to the same process to
++  be assigned to different cgroups.  It was pointed out [6] that this
++  excludes the valid use case of hierarchical CPU distribution within
++  processes.
++
++  To address this issue, the rgroup (resource group) [7][8][9]
++  interface, an extension of the existing setpriority(2) API, was
++  proposed, which is in line with other programmable priority
++  mechanisms and eliminates the risk of in-application configuration
++  and system configuration stepping on each other's toes.
++  Unfortunately, the proposal quickly turned into discussions around
++  cgroup v2 design decisions [4] and no consensus could be reached.
++
++
++  2-2-2. Impact of No Internal Process Constraint
++
++  The no internal process constraint disallows tasks from competing
++  directly against cgroups.  Here is an excerpt from Peter Zijlstra
++  pointing out the issue [10] - R, L and A are cgroups; t1, t2, t3 and
++  t4 are tasks:
++
++
++          R
++        / | \
++       t1 t2 A
++           /   \
++          t3   t4
++
++
++    Is fundamentally different from:
++
++
++               R
++             /   \
++           L       A
++         /   \   /   \
++        t1  t2  t3   t4
++
++
++    Because if in the first hierarchy you add a task (t5) to R, all of
++    its A will run at 1/4th of total bandwidth where before it had
++    1/3rd, whereas with the second example, if you add our t5 to L, A
++    doesn't get any less bandwidth.
++
++
++  It is true that the trees are semantically different from each other
++  and the symmetric handling of tasks and cgroups is aesthetically
++  pleasing.  However, it isn't clear what the practical usefulness of
++  a layout with direct competition between tasks and cgroups would be,
++  considering that number and behavior of tasks are controlled by each
++  application, and cgroups primarily deal with system level resource
++  distribution; changes in the number of active threads would directly
++  impact resource distribution.  Real world use cases of such layouts
++  could not be established during the discussions.
++
++
++2-3. Arguments for cgroup v2
++
++There are strong demands for comprehensive hierarchical resource
++control across all major resources, and establishing a common resource
++hierarchy is an essential step.  As with most engineering decisions,
++common resource hierarchy definition comes with its trade-offs.  With
++cgroup v2, the trade-offs are in the form of structural constraints
++which, among others, restrict the CPU controller's space of possible
++configurations.
++
++However, even with the restrictions, cgroup v2, in combination with
++rgroup, covers most of identified real world use cases while enabling
++new important use cases of resource control across multiple resource
++types that were fundamentally broken previously.
++
++Furthermore, for resource control, treating resource domains as
++objects of a different type from terminal consumers has important
++advantages - it can account for resource consumptions which are not
++tied to any specific terminal consumer, be that a task or process, and
++allows decoupling resource distribution controls from in-application
++APIs.  Even the CPU controller may benefit from it as the kernel can
++consume significant amount of CPU cycles in interrupt context or tasks
++shared across multiple resource domains (e.g. softirq).
++
++Finally, it's important to note that enabling cgroup v2 support for
++the CPU controller doesn't block use cases which require the features
++which are not available on cgroup v2.  Unlikely, but should anybody
++actually rely on the CPU controller's symmetric handling of tasks and
++cgroups, backward compatibility is and will be maintained by being
++able to disconnect the controller from the cgroup v2 hierarchy and use
++it standalone.  This also holds for cpuset which is often used in
++highly customized configurations which might be a poor fit for common
++resource domains.
++
++The required changes are minimal, the benefits for the target use
++cases are critical and obvious, and use cases which have to use v1 can
++continue to do so.
++
++
++3. Way Forward
++
++cgroup v2 primarily aims to solve the problem of comprehensive
++hierarchical resource control across all major computing resources,
++which is one of the core problems of modern server infrastructure
++engineering.  The trade-offs that cgroup v2 took are results of
++pursuing that goal and gaining a better understanding of the nature of
++resource control in the process.
++
++I believe that real world usages will prove cgroup v2's model right,
++considering the crucial pieces of comprehensive resource control that
++cannot be implemented without common resource domains.  This is not to
++say that cgroup v2 is fixed in stone and can't be updated; if there is
++an approach which better serves both comprehensive resource control
++and the CPU controller's flexibility, we will surely move towards
++that.  It goes without saying that discussions around such approach
++should consider practical aspects of resource control as a whole
++rather than absolutely focusing on a particular controller.
++
++Until such consensus can be reached, the CPU controller cgroup v2
++support will be maintained out of the mainline kernel in an easily
++accessible form.  If there is anything cgroup developers can do to
++ease the pain, please feel free to contact us on the cgroup mailing
++list at cgroups@vger.kernel.org.
++
++
++4. References
++
++[1]  http://lkml.kernel.org/r/20160105164834.GE5995@mtj.duckdns.org
++     [PATCH 1/2] sched: Misc preps for cgroup unified hierarchy interface
++     Tejun Heo <tj@kernel.org>
++
++[2]  http://lkml.kernel.org/r/20160105164852.GF5995@mtj.duckdns.org
++     [PATCH 2/2] sched: Implement interface for cgroup unified hierarchy
++     Tejun Heo <tj@kernel.org>
++
++[3]  http://lkml.kernel.org/r/1438641689-14655-4-git-send-email-tj@kernel.org
++     [PATCH 3/3] sched: Implement interface for cgroup unified hierarchy
++     Tejun Heo <tj@kernel.org>
++
++[4]  http://lkml.kernel.org/r/20160407064549.GH3430@twins.programming.kicks-ass.net
++     Re: [PATCHSET RFC cgroup/for-4.6] cgroup, sched: implement resource group and PRIO_RGRP
++     Peter Zijlstra <peterz@infradead.org>
++
++[5]  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroup-v2.txt
++     Control Group v2
++     Tejun Heo <tj@kernel.org>
++
++[6]  http://lkml.kernel.org/r/CAPM31RJNy3jgG=DYe6GO=wyL4BPPxwUm1f2S6YXacQmo7viFZA@mail.gmail.com
++     Re: [PATCH 3/3] sched: Implement interface for cgroup unified hierarchy
++     Paul Turner <pjt@google.com>
++
++[7]  http://lkml.kernel.org/r/20160105154503.GC5995@mtj.duckdns.org
++     [RFD] cgroup: thread granularity support for cpu controller
++     Tejun Heo <tj@kernel.org>
++
++[8]  http://lkml.kernel.org/r/1457710888-31182-1-git-send-email-tj@kernel.org
++     [PATCHSET RFC cgroup/for-4.6] cgroup, sched: implement resource group and PRIO_RGRP
++     Tejun Heo <tj@kernel.org>
++
++[9]  http://lkml.kernel.org/r/20160311160522.GA24046@htj.duckdns.org
++     Example program for PRIO_RGRP
++     Tejun Heo <tj@kernel.org>
++
++[10] http://lkml.kernel.org/r/20160407082810.GN3430@twins.programming.kicks-ass.net
++     Re: [PATCHSET RFC cgroup/for-4.6] cgroup, sched: implement resource
++     Peter Zijlstra <peterz@infradead.org>
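Review bot: `cpu_period_quota_parse()` in the second embedded commit (kernel/sched/core.c) reads the first token with an unbounded `%s` into `char tok[21]`, so a first token longer than 20 characters written to `cpu.max` runs past the end of a kernel stack buffer. `cpu_max_write()` hands the written buffer straight to the parser, and cgroup control files may be delegated to less-privileged managers, so the writer is not necessarily root. Bound the conversion and test the count explicitly: `if (sscanf(buf, "%20s %llu", tok, periodp) < 1) return -EINVAL;`. Since this file is regenerated with the `git log` command described in the README, the fix has to be checked for in the source branch or re-applied after each regeneration. The other versioned patch files in this directory presumably carry the same function and should be checked too.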
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/README.md b/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/README.md
new file mode 100644
index 000000000000..b454e14801db
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/README.md
@@ -0,0 +1,21 @@
+Patches for CPU Controller on Control Group v2
+===============================================
+
+See Tejun Heo's [explanation][1] for why these patches are currently
+out-of-tree.
+
+Generating the patches
+-----------------------
+
+In a linux checkout, with remote tc-cgroup pointing to
+git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git, your
+nixpkgs checkout in the same directory as your linux checkout (or
+modify the command accordingly), and setting `ver` to the appropriate
+version:
+
+```shell
+$ ver=4.7
+$ git log --reverse --patch v$ver..remotes/tc-cgroup/cgroup-v2-cpu-v$ver > ../nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/$ver.patch
+```
+
+[1]: https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/tree/Documentation/cgroup-v2-cpu.txt?h=cgroup-v2-cpu
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/default.nix b/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/default.nix
new file mode 100644
index 000000000000..5bef5633aa03
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/default.nix
@@ -0,0 +1,11 @@
+let
+  ents = builtins.readDir ./.;
+in builtins.listToAttrs (builtins.filter (x: x != null) (map (name: let
+  match = builtins.match "(.*)\\.patch" name;
+in if match == null then null else {
+  name = builtins.head match;
+  value = {
+    name = "cpu-cgroup-v2-${name}";
+    patch = ./. + "/${name}";
+  };
+}) (builtins.attrNames ents)))
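Review bot: Inside the `value` set, `${name}` in `name = "cpu-cgroup-v2-${name}";` resolves to the lambda argument, which is the full file name including `.patch`, not the version captured by `builtins.match`, because the attribute set is not `rec`. If the version was intended, bind it once in the `let`, e.g. `ver = builtins.head match;`, and use `"cpu-cgroup-v2-${ver}"`; if the file name was intended, renaming the lambda argument to `file` would make that visible. `builtins.readDir` also returns directories and symlinks, so filtering on `ents.${name} == "regular"` would keep a stray `*.patch` directory out of the result.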
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch b/nixpkgs/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch
new file mode 100644
index 000000000000..1d8ed6f712cb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch
@@ -0,0 +1,11 @@
+Export linux-rt (PREEMPT_RT) specific symbols needed by ZFS.
+(Regular kernel provides them static inline in linux/preempt.h.)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1812 +1812 @@ void migrate_disable(void)
+-EXPORT_SYMBOL_GPL(migrate_disable);
++EXPORT_SYMBOL(migrate_disable);
+@@ -1843 +1843 @@ void migrate_enable(void)
+-EXPORT_SYMBOL_GPL(migrate_enable);
++EXPORT_SYMBOL(migrate_enable);
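Review bot: Both hunks of this patch carry fixed line numbers and no context lines (`@@ -1812 +1812 @@`, `@@ -1843 +1843 @@`), and the header does not say which linux-rt versions it was written against. Once `kernel/sched/core.c` shifts, the only thing anchoring the change is the removed line itself, so a silent misapply or a failure on an unrelated kernel bump is hard to diagnose. A header line such as `Applies to linux-rt <VERSION RANGE>; relaxes EXPORT_SYMBOL_GPL to EXPORT_SYMBOL so the out-of-tree ZFS module can link` would record both the scope and the fact that the patch deliberately opens a GPL-only export to non-GPL modules.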
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/gen-kheaders-metadata.patch b/nixpkgs/pkgs/os-specific/linux/kernel/gen-kheaders-metadata.patch
new file mode 100644
index 000000000000..0639f8b4e8fb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/gen-kheaders-metadata.patch
@@ -0,0 +1,86 @@
+From 2cc99c9cdc8fde5e92e34f9655829449cebd3e00 Mon Sep 17 00:00:00 2001
+From: Dmitry Goldin <dgoldin+lkml@protonmail.ch>
+Date: Fri, 4 Oct 2019 10:40:07 +0000
+Subject: kheaders: make headers archive reproducible
+
+In commit 43d8ce9d65a5 ("Provide in-kernel headers to make
+extending kernel easier") a new mechanism was introduced, for kernels
+>=5.2, which embeds the kernel headers in the kernel image or a module
+and exposes them in procfs for use by userland tools.
+
+The archive containing the header files has nondeterminism caused by
+header files metadata. This patch normalizes the metadata and utilizes
+KBUILD_BUILD_TIMESTAMP if provided and otherwise falls back to the
+default behaviour.
+
+In commit f7b101d33046 ("kheaders: Move from proc to sysfs") it was
+modified to use sysfs and the script for generation of the archive was
+renamed to what is being patched.
+
+Signed-off-by: Dmitry Goldin <dgoldin+lkml@protonmail.ch>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+---
+
+nixos note: This patch is from
+https://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git/commit/?h=fixes&id=2cc99c9cdc8fde5e92e34f9655829449cebd3e00
+I commented out the documentation part here, so that it easily applies
+to linux 5.2 and 5.3, which does not ship with the reproducible build
+documentation yet, which only was introduced recently.
+
+---
+ Documentation/kbuild/reproducible-builds.rst | 13 +++++++++----
+ kernel/gen_kheaders.sh                       |  5 ++++-
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+#diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/kbuild/reproducible-builds.rst
+#index ab92e98c89c8..503393854e2e 100644
+# --- a/Documentation/kbuild/reproducible-builds.rst
+#+++ b/Documentation/kbuild/reproducible-builds.rst
+#@@ -16,16 +16,21 @@ the kernel may be unreproducible, and how to avoid them.
+# Timestamps
+# ----------
+#
+#-The kernel embeds a timestamp in two places:
+#+The kernel embeds timestamps in three places:
+#
+# * The version string exposed by ``uname()`` and included in
+#   ``/proc/version``
+#
+# * File timestamps in the embedded initramfs
+#
+#-By default the timestamp is the current time.  This must be overridden
+#-using the `KBUILD_BUILD_TIMESTAMP`_ variable.  If you are building
+#-from a git commit, you could use its commit date.
+#+* If enabled via ``CONFIG_IKHEADERS``, file timestamps of kernel
+#+  headers embedded in the kernel or respective module,
+#+  exposed via ``/sys/kernel/kheaders.tar.xz``
+#+
+#+By default the timestamp is the current time and in the case of
+#+``kheaders`` the various files' modification times. This must
+#+be overridden using the `KBUILD_BUILD_TIMESTAMP`_ variable.
+#+If you are building from a git commit, you could use its commit date.
+#
+# The kernel does *not* use the ``__DATE__`` and ``__TIME__`` macros,
+# and enables warnings if they are used.  If you incorporate external
+diff --git a/kernel/gen_kheaders.sh b/kernel/gen_kheaders.sh
+index 9ff449888d9c..aff79e461fc9 100755
+--- a/kernel/gen_kheaders.sh
++++ b/kernel/gen_kheaders.sh
+@@ -71,7 +71,10 @@ done | cpio --quiet -pd $cpio_dir >/dev/null 2>&1
+ find $cpio_dir -type f -print0 |
+ 	xargs -0 -P8 -n1 perl -pi -e 'BEGIN {undef $/;}; s/\/\*((?!SPDX).)*?\*\///smg;'
+
+-tar -Jcf $tarfile -C $cpio_dir/ . > /dev/null
++# Create archive and try to normalize metadata for reproducibility
++tar "${KBUILD_BUILD_TIMESTAMP:+--mtime=$KBUILD_BUILD_TIMESTAMP}" \
++    --owner=0 --group=0 --sort=name --numeric-owner \
++    -Jcf $tarfile -C $cpio_dir/ . > /dev/null
+
+ echo "$src_files_md5" >  kernel/kheaders.md5
+ echo "$obj_files_md5" >> kernel/kheaders.md5
+--
+cgit 1.2-0.3.lf.el7
+
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/generate-config.pl b/nixpkgs/pkgs/os-specific/linux/kernel/generate-config.pl
new file mode 100644
index 000000000000..7e12ca5d96a9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/generate-config.pl
@@ -0,0 +1,154 @@
+# This script runs `make config' to generate a Linux kernel
+# configuration file.  For each question (i.e. kernel configuration
+# option), unless an override is provided, it answers "m" if possible,
+# and otherwise uses the default answer (as determined by the default
+# config for the architecture).  Overrides are read from the file
+# $KERNEL_CONFIG, which on each line contains an option name and an
+# answer, e.g. "EXT2_FS_POSIX_ACL y".  The script warns about ignored
+# options in $KERNEL_CONFIG, and barfs if `make config' selects
+# another answer for an option than the one provided in
+# $KERNEL_CONFIG.
+
+use strict;
+use IPC::Open2;
+use Cwd;
+
+# exported via nix
+my $debug = $ENV{'DEBUG'};
+my $autoModules = $ENV{'AUTO_MODULES'};
+my $preferBuiltin = $ENV{'PREFER_BUILTIN'};
+my $ignoreConfigErrors = $ENV{'ignoreConfigErrors'};
+my $buildRoot = $ENV{'BUILD_ROOT'};
+my $makeFlags = $ENV{'MAKE_FLAGS'};
+$SIG{PIPE} = 'IGNORE';
+
+# Read the answers.
+my %answers;
+my %requiredAnswers;
+open ANSWERS, "<$ENV{KERNEL_CONFIG}" or die "Could not open answer file";
+while (<ANSWERS>) {
+    chomp;
+    s/#.*//;
+    if (/^\s*([A-Za-z0-9_]+)(\?)?\s+(.*\S)\s*$/) {
+        $answers{$1} = $3;
+        $requiredAnswers{$1} = !(defined $2);
+    } elsif (!/^\s*$/) {
+        die "invalid config line: $_";
+    }
+}
+close ANSWERS;
+
+sub runConfig {
+
+    # Run `make config'.
+    my $pid = open2(\*IN, \*OUT, "make -C $ENV{SRC} O=$buildRoot config SHELL=bash ARCH=$ENV{ARCH} CC=$ENV{CC} HOSTCC=$ENV{HOSTCC} HOSTCXX=$ENV{HOSTCXX} $makeFlags");
+
+    # Parse the output, look for questions and then send an
+    # appropriate answer.
+    my $line = ""; my $s;
+    my %choices = ();
+
+    my ($prevQuestion, $prevName);
+
+    while (!eof IN) {
+        read IN, $s, 1 or next;
+        $line .= $s;
+
+        #print STDERR "LINE: $line\n";
+
+        if ($s eq "\n") {
+            print STDERR "GOT: $line" if $debug;
+
+            # Remember choice alternatives ("> 1. bla (FOO)" or " 2. bla (BAR) (NEW)").
+            if ($line =~ /^\s*>?\s*(\d+)\.\s+.*?\(([A-Za-z0-9_]+)\)(?:\s+\(NEW\))?\s*$/) {
+                $choices{$2} = $1;
+            } else {
+                # The list of choices has ended without us being
+                # asked. This happens for options where only one value
+                # is valid, for instance. The results can foul up
+                # later options, so forget about it.
+                %choices = ();
+            }
+
+            $line = "";
+        }
+
+        elsif ($line =~ /###$/) {
+            # The config program is waiting for an answer.
+
+            # Is this a regular question? ("bla bla (OPTION_NAME) [Y/n/m/...] ")
+            if ($line =~ /(.*) \(([A-Za-z0-9_]+)\) \[(.*)\].*###$/) {
+                my $question = $1; my $name = $2; my $alts = $3;
+                my $answer = "";
+                # Build everything as a module if possible.
+                $answer = "m" if $autoModules && $alts =~ qr{\A(\w/)+m/(\w/)*\?\z} && !($preferBuiltin && $alts =~ /Y/);
+                $answer = $answers{$name} if defined $answers{$name};
+                print STDERR "QUESTION: $question, NAME: $name, ALTS: $alts, ANSWER: $answer\n" if $debug;
+                print OUT "$answer\n";
+                die "repeated question: $question" if $prevQuestion && $prevQuestion eq $question && $name eq $prevName;
+                $prevQuestion = $question;
+                $prevName = $name;
+            }
+
+            # Is this a choice? ("choice[1-N]: ")
+            elsif ($line =~ /choice\[(.*)\]: ###$/) {
+                my $answer = "";
+                foreach my $name (keys %choices) {
+                    $answer = $choices{$name} if ($answers{$name} || "") eq "y";
+                }
+                print STDERR "CHOICE: $1, ANSWER: $answer\n" if $debug;
+                print OUT "$answer\n" if $1 =~ /-/;
+            }
+
+            # Some questions lack the option name ("bla bla [Y/n/m/...] ").
+            elsif ($line =~ /(.*) \[(.*)\] ###$/) {
+                print OUT "\n";
+            }
+
+            else {
+                warn "don't know how to answer this question: $line\n";
+                print OUT "\n";
+            }
+
+            $line = "";
+            %choices = ();
+        }
+    }
+
+    close IN;
+    waitpid $pid, 0;
+}
+
+# Run `make config' several times to converge on the desired result.
+# (Some options may only become available after other options are
+# set in a previous run.)
+runConfig;
+runConfig;
+
+# Read the final .config file and check that our answers are in
+# there.  `make config' often overrides answers if later questions
+# cause options to be selected.
+my %config;
+open CONFIG, "<$buildRoot/.config" or die "Could not read .config";
+while (<CONFIG>) {
+    chomp;
+    if (/^CONFIG_([A-Za-z0-9_]+)="(.*)"$/) {
+        # String options have double quotes, e.g. 'CONFIG_NLS_DEFAULT="utf8"' and allow escaping.
+        ($config{$1} = $2) =~ s/\\([\\"])/$1/g;
+    } elsif (/^CONFIG_([A-Za-z0-9_]+)=(.*)$/) {
+        $config{$1} = $2;
+    } elsif (/^# CONFIG_([A-Za-z0-9_]+) is not set$/) {
+        $config{$1} = "n";
+    }
+}
+close CONFIG;
+
+my $ret = 0;
+foreach my $name (sort (keys %answers)) {
+    my $f = $requiredAnswers{$name} && $ignoreConfigErrors ne "1"
+        ? sub { warn "error: " . $_[0]; $ret = -1; } : sub { warn "warning: " . $_[0]; };
+    &$f("unused option: $name\n") unless defined $config{$name};
+    &$f("option not set correctly: $name (wanted '$answers{$name}', got '$config{$name}')\n")
+        if $config{$name} && $config{$name} ne $answers{$name};
+}
+exit $ret;
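Review bot: The final check `if $config{$name} && $config{$name} ne $answers{$name}` tests the value for truth, so an option that ends up as `0` or as an empty string in `.config` is never reported as set incorrectly; `if defined $config{$name} && $config{$name} ne $answers{$name}` tests presence instead. In `runConfig` the status of `make config` is dropped after `waitpid $pid, 0;`, so a failed run is only noticed if it happens to leave a mismatching `.config`; checking `$?` there would surface it, though whether `make config` exits zero in the normal flow cannot be seen from this file. Both `open` calls use the two-argument form with an interpolated path (`"<$ENV{KERNEL_CONFIG}"`, `"<$buildRoot/.config"`); the three-argument form `open my $fh, '<', $path` keeps characters in the path from being read as part of the mode.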
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/generic.nix b/nixpkgs/pkgs/os-specific/linux/kernel/generic.nix
new file mode 100644
index 000000000000..056544014f42
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/generic.nix
@@ -0,0 +1,221 @@
+{ buildPackages
+, callPackage
+, perl
+, bison ? null
+, flex ? null
+, gmp ? null
+, libmpc ? null
+, mpfr ? null
+, pahole
+, lib
+, stdenv
+
+, # The kernel source tarball.
+  src
+
+, # The kernel version.
+  version
+
+, # Allows overriding the default defconfig
+  defconfig ? null
+
+, # Legacy overrides to the intermediate kernel config, as string
+  extraConfig ? ""
+
+  # Additional make flags passed to kbuild
+, extraMakeFlags ? []
+
+, # kernel intermediate config overrides, as a set
+ structuredExtraConfig ? {}
+
+, # The version number used for the module directory
+  modDirVersion ? version
+
+, # An attribute set whose attributes express the availability of
+  # certain features in this kernel.  E.g. `{iwlwifi = true;}'
+  # indicates a kernel that provides Intel wireless support.  Used in
+  # NixOS to implement kernel-specific behaviour.
+  features ? {}
+
+, # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
+  # automatically extended with extra per-version and per-config values.
+  randstructSeed ? ""
+
+, # A list of patches to apply to the kernel.  Each element of this list
+  # should be an attribute set {name, patch} where `name' is a
+  # symbolic name and `patch' is the actual patch.  The patch may
+  # optionally be compressed with gzip or bzip2.
+  kernelPatches ? []
+, ignoreConfigErrors ? stdenv.hostPlatform.linux-kernel.name != "pc" ||
+                       stdenv.hostPlatform != stdenv.buildPlatform
+, extraMeta ? {}
+
+, isZen      ? false
+, isLibre    ? false
+, isHardened ? false
+
+# easy overrides to stdenv.hostPlatform.linux-kernel members
+, autoModules ? stdenv.hostPlatform.linux-kernel.autoModules
+, preferBuiltin ? stdenv.hostPlatform.linux-kernel.preferBuiltin or false
+, kernelArch ? stdenv.hostPlatform.linuxArch
+, kernelTests ? []
+, nixosTests
+, ...
+}@args:
+
+# Note: this package is used for bootstrapping fetchurl, and thus
+# cannot use fetchpatch! All mutable patches (generated by GitHub or
+# cgit) that are needed here should be included directly in Nixpkgs as
+# files.
+
+assert stdenv.isLinux;
+
+let
+  # Dirty hack to make sure that `version` & `src` have
+  # `<nixpkgs/pkgs/os-specific/linux/kernel/linux-x.y.nix>` as position
+  # when using `builtins.unsafeGetAttrPos`.
+  #
+  # This is to make sure that ofborg actually detects changes in the kernel derivation
+  # and pings all maintainers.
+  #
+  # For further context, see https://github.com/NixOS/nixpkgs/pull/143113#issuecomment-953319957
+  basicArgs = builtins.removeAttrs
+    args
+    (lib.filter (x: ! (builtins.elem x [ "version" "src" ])) (lib.attrNames args));
+
+  # Combine the `features' attribute sets of all the kernel patches.
+  kernelFeatures = lib.foldr (x: y: (x.features or {}) // y) ({
+    iwlwifi = true;
+    efiBootStub = true;
+    needsCifsUtils = true;
+    netfilterRPFilter = true;
+    ia32Emulation = true;
+  } // features) kernelPatches;
+
+  commonStructuredConfig = import ./common-config.nix {
+    inherit lib stdenv version;
+
+    features = kernelFeatures; # Ensure we know of all extra patches, etc.
+  };
+
+  intermediateNixConfig = configfile.moduleStructuredConfig.intermediateNixConfig
+    # extra config in legacy string format
+    + extraConfig
+    + stdenv.hostPlatform.linux-kernel.extraConfig or "";
+
+  structuredConfigFromPatches =
+        map ({extraStructuredConfig ? {}, ...}: {settings=extraStructuredConfig;}) kernelPatches;
+
+  # appends kernel patches extraConfig
+  kernelConfigFun = baseConfigStr:
+    let
+      configFromPatches =
+        map ({extraConfig ? "", ...}: extraConfig) kernelPatches;
+    in lib.concatStringsSep "\n" ([baseConfigStr] ++ configFromPatches);
+
+  configfile = stdenv.mkDerivation {
+    inherit ignoreConfigErrors autoModules preferBuiltin kernelArch extraMakeFlags;
+    pname = "linux-config";
+    inherit version;
+
+    generateConfig = ./generate-config.pl;
+
+    kernelConfig = kernelConfigFun intermediateNixConfig;
+    passAsFile = [ "kernelConfig" ];
+
+    depsBuildBuild = [ buildPackages.stdenv.cc ];
+    nativeBuildInputs = [ perl gmp libmpc mpfr ]
+      ++ lib.optionals (lib.versionAtLeast version "4.16") [ bison flex ]
+      ++ lib.optional (lib.versionAtLeast version "5.2") pahole;
+
+    platformName = stdenv.hostPlatform.linux-kernel.name;
+    # e.g. "defconfig"
+    kernelBaseConfig = if defconfig != null then defconfig else stdenv.hostPlatform.linux-kernel.baseConfig;
+    # e.g. "bzImage"
+    kernelTarget = stdenv.hostPlatform.linux-kernel.target;
+
+    makeFlags = lib.optionals (stdenv.hostPlatform.linux-kernel ? makeFlags) stdenv.hostPlatform.linux-kernel.makeFlags
+      ++ extraMakeFlags;
+
+    prePatch = kernel.prePatch + ''
+      # Patch kconfig to print "###" after every question so that
+      # generate-config.pl from the generic builder can answer them.
+      sed -e '/fflush(stdout);/i\printf("###");' -i scripts/kconfig/conf.c
+    '';
+
+    preUnpack = kernel.preUnpack or "";
+
+    inherit (kernel) src patches;
+
+    buildPhase = ''
+      export buildRoot="''${buildRoot:-build}"
+      export HOSTCC=$CC_FOR_BUILD
+      export HOSTCXX=$CXX_FOR_BUILD
+      export HOSTAR=$AR_FOR_BUILD
+      export HOSTLD=$LD_FOR_BUILD
+
+      # Get a basic config file for later refinement with $generateConfig.
+      make $makeFlags \
+          -C . O="$buildRoot" $kernelBaseConfig \
+          ARCH=$kernelArch \
+          HOSTCC=$HOSTCC HOSTCXX=$HOSTCXX HOSTAR=$HOSTAR HOSTLD=$HOSTLD \
+          CC=$CC OBJCOPY=$OBJCOPY OBJDUMP=$OBJDUMP READELF=$READELF \
+          $makeFlags
+
+      # Create the config file.
+      echo "generating kernel configuration..."
+      ln -s "$kernelConfigPath" "$buildRoot/kernel-config"
+      DEBUG=1 ARCH=$kernelArch KERNEL_CONFIG="$buildRoot/kernel-config" AUTO_MODULES=$autoModules \
+        PREFER_BUILTIN=$preferBuiltin BUILD_ROOT="$buildRoot" SRC=. MAKE_FLAGS="$makeFlags" \
+        perl -w $generateConfig
+    '';
+
+    installPhase = "mv $buildRoot/.config $out";
+
+    enableParallelBuilding = true;
+
+    passthru = rec {
+      module = import ../../../../nixos/modules/system/boot/kernel_config.nix;
+      # used also in apache
+      # { modules = [ { options = res.options; config = svc.config or svc; } ];
+      #   check = false;
+      # The result is a set of two attributes
+      moduleStructuredConfig = (lib.evalModules {
+        modules = [
+          module
+          { settings = commonStructuredConfig; _file = "pkgs/os-specific/linux/kernel/common-config.nix"; }
+          { settings = structuredExtraConfig; _file = "structuredExtraConfig"; }
+        ]
+        ++  structuredConfigFromPatches
+        ;
+      }).config;
+
+      structuredConfig = moduleStructuredConfig.settings;
+    };
+  }; # end of configfile derivation
+
+  kernel = (callPackage ./manual-config.nix { inherit buildPackages;  }) (basicArgs // {
+    inherit modDirVersion kernelPatches randstructSeed lib stdenv extraMakeFlags extraMeta configfile;
+    pos = builtins.unsafeGetAttrPos "version" args;
+
+    config = { CONFIG_MODULES = "y"; CONFIG_FW_LOADER = "m"; };
+  });
+
+  passthru = basicArgs // {
+    features = kernelFeatures;
+    inherit commonStructuredConfig structuredExtraConfig extraMakeFlags isZen isHardened isLibre modDirVersion;
+    isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
+    passthru = kernel.passthru // (removeAttrs passthru [ "passthru" ]);
+    tests = let
+      overridableKernel = finalKernel // {
+        override = args:
+          lib.warn (
+            "override is stubbed for NixOS kernel tests, not applying changes these arguments: "
+            + toString (lib.attrNames (if lib.isAttrs args then args else args {}))
+          ) overridableKernel;
+      };
+    in [ (nixosTests.kernel-generic.testsForKernel overridableKernel) ] ++ kernelTests;
+  };
+
+  finalKernel = lib.extendDerivation true passthru kernel;
+in finalKernel
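Review bot: The comment on `randstructSeed ? ""` does not say what the empty default means for the protection `CONFIG_GCC_PLUGIN_RANDSTRUCT` is meant to provide. Per that comment the seed is extended only with per-version and per-config values; if those are the only inputs (the derivation happens in `manual-config.nix`, outside this hunk), anyone who knows the version and config can recompute the struct layout. I would extend the comment with `# The default gives a reproducible, publicly derivable layout; set a private seed if the layout must be unpredictable.` and, after checking how the value is passed on, state whether it ends up readable in the Nix store.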
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/genksyms-fix-segfault.patch b/nixpkgs/pkgs/os-specific/linux/kernel/genksyms-fix-segfault.patch
new file mode 100644
index 000000000000..47ae77a5a54d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/genksyms-fix-segfault.patch
@@ -0,0 +1,19 @@
+diff --git a/scripts/genksyms/genksyms.c b/scripts/genksyms/genksyms.c
+index 88632df..ba6cfa9 100644
+--- a/scripts/genksyms/genksyms.c
++++ b/scripts/genksyms/genksyms.c
+@@ -233,11 +233,11 @@ static struct symbol *__add_symbol(const char *name, enum symbol_type type,
+ 		free_list(last_enum_expr, NULL);
+ 		last_enum_expr = NULL;
+ 		enum_counter = 0;
+-		if (!name)
+-			/* Anonymous enum definition, nothing more to do */
+-			return NULL;
+ 	}
+ 
++	if (!name)
++		return NULL;
++
+ 	h = crc32(name) % HASH_BUCKETS;
+ 	for (sym = symtab[h]; sym; sym = sym->hash_next) {
+ 		if (map_to_ns(sym->type) == map_to_ns(type) &&
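Review bot: This patch file has no header, so nothing records where the change comes from, which kernel versions need it, or what input lets `crc32(name)` run with a NULL `name`. The moved check `if (!name) return NULL;` also loses the comment the old branch carried, although it now applies to every symbol type rather than only to enums. A short preamble (origin or upstream commit, affected versions) and a comment such as `/* Anonymous definition: nothing to hash or look up */` would make the carried patch auditable later. `__add_symbol` starts and ends outside the hunk.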
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/gpio-utils.nix b/nixpkgs/pkgs/os-specific/linux/kernel/gpio-utils.nix
new file mode 100644
index 000000000000..40e282bbf541
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/gpio-utils.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, linux }:
+
+with lib;
+
+stdenv.mkDerivation {
+  pname = "gpio-utils";
+  version = linux.version;
+
+  inherit (linux) src makeFlags;
+
+  preConfigure = ''
+    cd tools/gpio
+  '';
+
+  separateDebugInfo = true;
+  installFlags = [ "install" "DESTDIR=$(out)" "bindir=/bin" ];
+
+  meta = {
+    description = "Linux tools to inspect the gpiochip interface";
+    maintainers = with maintainers; [ kwohlfahrt ];
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+  };
+}
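Review bot: `with lib;` at file scope pulls every `lib` attribute into scope for the whole derivation, which hides where `maintainers`, `platforms` and `licenses` come from and lets a later `lib` addition shadow a name silently. Writing `lib.maintainers`, `lib.platforms.linux` and `lib.licenses.gpl2` in `meta` keeps the origin explicit at no cost. `"install"` in `installFlags` looks redundant, since the default install phase is expected to pass the install target already; worth confirming against stdenv.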
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
new file mode 100644
index 000000000000..101ccfbf0f2b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
@@ -0,0 +1,325 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBE64OEUBEADPS1v+zoCdKA6zyfUtVIaBoIwMhCibqurXi30tVoC9LgM6W1ve
+HwPFukWq7DAS0mZUPE3mSV63JFLaTy0bY/6GO1D4wLdWZx4ppH7XKNCvKCbsi70k
+UozFykNVf+83WEskuF1oYzXlF3aB5suz2IWJl7ey1EXgIpehwQaTJUA5JIWYFp9A
+566LRNJefYMzUR33xc4dRKj6Etg0xdLVq7/vZoo8HpLCBGNWiP0AKqFWEwTg0xQL
+7nsJA5tfJJdwAJvrzjpFsvb63PKG6waAtdHhON4q7E2Udak9fz2tRjxA5l9l2zXk
+aqsysUzkxPhNjwMENoQ04KZg4aT+ZhhBzTowSWLp3KV2uaZ66kdPUO3s+/1bPp5/
+N/IlykaUwyL773iYOZ5dOY/9hIuX/zssihcrGEMW6yIyZR5uKhzYdaM9ExTXP637
+UccgNS9/pskPGPx/xK23NDCfeHzL9YHS5KokA2wb/b9hqpwvLaeblbMl2pt79F1R
+ac+rZlrRyX3NvlTQP4hqM9Ei2YBAU7QFDJEjH8pVIceL7grxi1Ju1iD5QiSK+je5
+Jj5EAikfwSeAttSzsqNvaXJHfABrv5mkkVt1z3icP3HIHTYnG+uj+t8kvW+o9/1i
+pD6e6LUh4w5v1aY9kaK/M3+eBH59yNYI99crPUKUBVfW4gv4DBUJAQTWRQARAQAB
+tDVMZXZlbnRlIFBvbHlhayAoYW50aHJheHgpIDxsZXZlbnRlQGxldmVudGVwb2x5
+YWsubmV0PokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4ACGQEF
+AlSXU9QFCQfATw8ACgkQ/BtUfI2BcsjPbxAAs+UR/bJz/HeYTpPy+HnKwDJgI9GP
+AZlNvp+QSIhOTtKCYkQ/Iu+5scY5J0Qyv0pcJW5Rxjx+l7KGovw84jzVznnYsJoy
+UQ5H3Ev9T2xW1nrZT3abJ7j6ZIck+Q+WFHu5Plsq6doSXOXmJNoehvT3BVolvc6w
+S1+CAoyA5Wm1yfocZgVOvWPWQaa1T4XA7OwxFWrvNWEZwAzTSjkGHkwmji+DxdBd
+RPam9+qm/rcN1IJTu6xJPr38a9LydWonsUpTR2Qn7Bo4EJp8yHJLaiLEMV/Nmgrr
+1orBYw/OzDzhbdMl+2zzwEBLUMPABdgnPM6ZCZ5PWyWnCU4jsBGyVd0IC5xEu3Eg
+a0EtIdvx2lXiLfh2dulpMn52uJY5iNwaTleO+z9CENQVhh5R4FuN9H0BLiyAxf1+
+MkD3jLT+DGl02hQghtxz18iTkRk7KOw/NFn4z0is+TRl4/ocNt1LiWQXt8dr7qdx
+zvUpDnxCSYZkeutzopo1TA4lKpnsS2mHabx6CbrUmF+wOIr8gHUfpBFeEQ8BHebU
+5X0JrFF5mjeNl4uK9l9lD9ng74rsSpKPr15DU41jIuQDHJYd6H3TXQ4K1z7Ciivy
+r4vgsruAFX/GduKseOx1obWW3GfIQzLAIuVdjldgREl61GWoLiGFqlcveiAIkN5p
+Bxc20hSrHgZP9ZyIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GTK7AKC8Sd1ndNvc
+1ispBaECbHT/JPfGrQCgvkfGBsFn/KBrgC5hTm0mSxdy942JAkEEEwECACsCGwMF
+CQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOuD2qAhkBAAoJEPwbVHyN
+gXLIXL4QAJtbs62EpOIFld0N+tTEFn1qQPPaExAXmH/RF5Epf+0rSS6B0OXEZBXz
+cWtMPbHxoLjN1iY8o0QC1ex7/KDfYq8Ho18M9P+Lf6XfW0sJ9d021U5MJWGPs4zA
+lNFXJqeMgfJZAno2N6dO/azcYHq1wmSgUbTb9Oyi1PHfn3g0UAW59dfkB8d2jEvY
+Yed1X0mBPPXcbgnYNZ514JQtm9wuDdVWrh/Si9EhKg6+MPcbv18G4lpPGR+yNq9y
+3Jze4vmmWen0ceDJEp06IAeTfJzzD80Oui2WXtLfaQxgf9uuZtGjrMX5l+mq7rBS
+VH/dsHP1VYI0efKIs7qbmiLcMRVWYIGix9I1C3UYr3ImYiCGlBG/uQ929xbjWAHa
+hy4W6rzruUWjyi/Kz7QRnyBgtHfhDO7hYziTr5hoGhd4VeUpcbxL+MegXFZsWJlE
+kz8TOOsZ/4XxXHVoalg8fYOcA7j/aoszsPMQUOL/5jsVRhyP3evtVxb3m1EwvYDK
+Lii4IkVxGztlBOIgeT4kwXgoJEASSZHgcd6tDv9q7o33n2I1DGL8X3axcHES2/C7
+cP+li3KL3Hc9vjgaJ9HfcQLuMcHqfoHn+YzVfbG5XeFcxhgQpwpYsZv3MTbXAQwI
+fRHXRuIfOiFwqUXahi5N1WSIXNBGSyI7pu9ht5I7gIIOINE+VS7FiQJBBBMBAgAr
+AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAIZAQUCUNol8QUJA/yTqwAKCRD8
+G1R8jYFyyIqUD/9yWw7WBQiWyIMpVuX9c2Ov1fAkDya43fDm0gqIgNsdaxCt5ATh
+XaXZ/p2jglWwon5jDLDNsVR0/Q/t8ugdcP3bcwRtW2YYQ2F1PaNjfr5WsuPEadyc
+J62DIobY4IzqBpDuqGLYdbzZeKr49VwbRRvIJpphrk3+CekFvdIs1ofEpA2Kn2oA
+DXfYuaWoVBF7fTwAZmc3hYPOI1jK7nrFZbCnAT4WZPzZ4IY9lsaNTF/4mQ8vV1xF
+De6HjfslHURlZWsWtQIKhIPBKoZC1nP5VRK3IHYgKw8toq780kalLH8ofv9BkSrs
+t98JOoJX4etdmE8Ta/+Wg5C9EzR+909tQfdWdkaRbhvbtl/x7X76HU4ItefLR5pW
+d0OSo488QZMQjCUWlzgPMsmnYMQm6ckNOp0B/RtMfbJV7t5H+JE3PLfFG55jcz3w
+uNGhfZyl/ZhV9fvGLU/sPyhIW7ewuIwd+7i12fH9r4NAGB/mkSKK+tHGcTZvXxux
+5QMKE+a9u6NMJRrbsIiTFwhrCLMgzLYL0mtX8FZXNFFZzGFYkiXymBR0ze4LKzRo
+dMFpyP/w/IIjYBhVpgboT2EMMIgJHSsMJDCdDjI+9cAykVF6ccSiUQ11devHL6Pv
+WwlT2Ub4TP4yCScHDPyfWq+tfdQlWFVRZMRJ7kmq0VagqomdRHgLPyPgDYkCHAQQ
+AQIABgUCUtgrXgAKCRBH1QFsQv98LACcEACFq3Oz8nHAa6KsyspIWo0+HjzCtTv0
+G6TB+svf3fl24C93IfFhpSyxNf8XVa9h9kCU5ZImYN+LaoUGiz3lcYxjdOeFYDc4
+GU5TFrJwY9eOYYCsr+z+NLn7wlLZEO772lGUDPJMWxSGqR9yOGhQCTIADLLcp6mt
+07zdejESYxMT6IjYR+rX6miWG5Hr9/lBdh/X4XhGpHEY64IL8vVB3C+FQfG3hiMB
+bHbvJ4/S/cjfNM1T9oKiA0H6jklRHIdstj+2eeWA7lS+GE3Mpkra+8KmkEjV4O03
+izcRpMm1yTGoTjp9UddTNYErb/sha5YigYAqK8bj3gh6tTFNJHbN4RWgtPDyc5Va
+1u+sH2ob6JS5tez8/Z6pMarGpTQujIGAlntP4igi0Q4hxyLof6Vtc6XF80uSwTvN
+RRmQrcq+kLPwX0NbyZCBCI+kjBPu2b932JDTfVBKwJCLF3e1zvQqN0C7EZnIzveX
+r7VtJ4WHIfSyi/HQP7xm5L0uQj+KRr+/LMaxkCDgrlqoWTgAoxCAPYH1XCvBoJRc
+DHjNikyEAS8WUGl9ZHQyAoFngi/jqH6WoDAmfBUKRoBMR2hXLOKUBmObw0DHgauM
+kk4kD6CW4UEy0SM/i9JD7sk9KiKoHMip1jguKRJkHJ1WSkNl7nZpeo+KG0WbGHXN
+b7hnrQsNyqJkUokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AC
+GQEFAlLV0QIFCQXdHmsACgkQ/BtUfI2Bcsj8DA//b8wZrFY/Fj/iR5ZaO0AjmMV1
+hM7lAFWLfDiLyYofuiGLUg9rqFWj+Ks2kedVN7+22Bjgi5fvpXv3Uy4trZKKw8Xs
+FJ/s8HQ6jzIv6pFdIYPLFQBqS2tEgfsanPZWIqJI9fbhOrRGN7WV5tXiksCaRO+u
+rLjIhAYmsDb//BD2xqsY54ouRdrz5nRG3qG2odq2Lw8XquW6srouGaSm+BI3sow6
+l2eAW8UjbxwICQg2ZPZYCBc9ArbgLS1ha+yPhp65nGpVbqDA8rUKC11op1ArAbY3
+Yt6xzLg+RCuCHBa1gNPpDoYV9V8Zve03mEIcsK10X0RhJQ+z4INvrjtelPRCOLpN
+179JmsyxwOzwAPg773SK1Z31jSirsiEke/q8j13PGNDBCb4ZKpm/KOht+4d0jJLK
+GLqD85cv3/uAeSh2zWkoKcVW6uVZpiz3KA3i4YMWnteOlrlZH28nIrDXevPzkOxo
+pZlhuLboCD6g6yuZI4Wm9fEiga8xmRDw4RrOIuDXWjNW6IVaeFGvnYaNf0wnmBD+
+FE1SMWwcmqgB1yIylmKqH0lYce8SVAMLkkOlaijhWrfCO5iS7zjWaVz98HCqFfwR
+gHuJTxOwwlf9Qb6cyC3bGsfILBUuE0L5vUAZUAc61H+6Sv88CDDUO1EOKaqAAYhR
+plvoyYZ3xiSMgzYKGZ+0OkxldmVudGUgUG9seWFrIChKYWJiZXIvWE1QUCBvbmx5
+KSA8YW50aHJheHhAamFiYmVyLmNjYy5kZT6JAj4EEwECACgCGwMGCwkIBwMCBhUI
+AgkKCwQWAgMBAh4BAheABQJUl1PaBQkHwE8PAAoJEPwbVHyNgXLIQokQAKxJB9/F
+TfBae6eqcT+izxGSnsvbc2bcrtsmKkhu9HwpsJ4IDutphXFB0wFalI40BL0o1k54
+Wlfv5GHbq7Ju3kW2dmTMP0WpfFytV7rr2yqSmik+skJw27BDk74rP0v4TNOHaTrP
+nokfTnlaKuv1bqlwbIwV7rJ5jbAtw5hueeN4jghGU8SGlCOEZ/xGxYYsvtyPhZhn
+kmsAzcPr/BpW4NkSb2SnRIO8KzcPnzxz7JDdeIusq/YW7P5OlhDx4ejdh0Wg6ISl
+zxB5VoqFqNuKTBQNz4HHpqDVQqEDE4JngMerDr+4qAiDYI4w6kN3Ce2LqciRyMVh
+YYnTqyyjXYY3C1WwXIa1tZb2Cw2DorshNFdACr7wKQMOoJtAFpdd3d/DRKQWCc3x
+jkBERqZ+55unTY0/0uyNPoK0noAcGydiU8WGh6wyi+Do+Zxq4QJEcqL/FHrhlaiw
+LTmgDS+XDl7zRtQia7ykpi/xqe74ujOHcJO8tpY0ZCdR2A13xiOi+11wndbOkBFv
+dQ0vgih9ROzwe3hBbBQQOdF4hkA9vEd2Ks4gF8IR+5ixWAIyZAVbnDiLelWgQgnE
+aeEwTtfcXRNAxuj+MgMPQhXQ2/cK0dPD4z51DchVRIf9G3hAuBT/CEhTqNkkm5F0
+og7azwd75+vh5RxwVld3ES6CMXKaiV4csQkdiEYEEBECAAYFAk64PygACgkQvnQP
+QT8iuxlligCeNgfNE4w1AQuOC4ef3HNNY0GXgVMAnjmtCVIUJv/w6PDimvf20rgF
+GVHxiQI+BBMBAgAoBQJOuD0KAhsDBQkCHIcABgsJCAcDAgYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRD8G1R8jYFyyPv3D/wJ+sYXqSxoo8OriGMUzG5LXs2Hf1YULdlysGa8
+mxWTwCIEMSSx8AoOKf/FyXglDVl9msfOgv6jRiN+UyNCQEv+6a5ZCL7BlAVU0Q4W
+w2/UUlOUlLMC1QAodGcC3kiPSy41jnDVswKYRrICuiW1Pqgad3h7u7caqvqG1D/A
+YOR2Q8JjY15j6Qf62Xx+YANx2tPWKeDyPUAN/x1W6RrEDbN5F+1qOpPFuTnpPmqH
+q4zxm4Dz4szypmAKsN+5/q8T6DJtSnP7COtsY467oX2XtNTTuCIsU79lBVo/yan9
+ofB6hu12KyXwJIl1OK34g9VEP5suU3hcEw7uVAvxyMYJQlxORUCG0DAFc/oPm3d0
+ypRdbxXJMjoS3pmCf7kwnEA9PIAjZDYuVHGZkAdmYYInTIH6ipjkVxDHEF1en0h2
+zHJEZC7NIYgPyzHXmH7Xy3VZVhhKKKM12VDOuIOOecQPuFIw3hG7dymjn5e9dMzv
++DMkbEZzoFahLYkbVGG1FGzhE6Uvb/IG0UJCC4nDz0pzZpV++QHvgEvbY/HLbHJ4
+o3CT5aVE0YIhTP+zqXNFMOao8yZy+AzdMzdX+Y3ADZfY0oiZ+JH1Zo++rdrgXUhg
+Y98QgMwVwESbwaBKjsC0JnlmWyNivhIOS6NRyqR75E7j7JSvgJdxhvpQXXkQ/BzL
+FM1Ej4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlDaJfoF
+CQP8k6sACgkQ/BtUfI2BcsiEahAArZfD1yJK385eqgCZ5LryVLRXrocuF1zlHl/6
+ugRy2TEe43ex4eTOY+mv4ZJVSxbDzUqMbBv0m3IETbM0CSESjGD+i5I7K3IToZO9
+ZgIXDbpoy9x2KWjU+R5oaxCTmZ9jk1p+f4zHxc8lJdgOXPwcIIT5Euwk4LAFN+wn
+CUHkO/D0xzP2ivTrM+VHNWqSUcNInAGRx+R0NvdSryIAsdA/5E3ql786WQhPy6L6
+1d7cmxaLsfAKIOf8ydNyoiqmJkT62omLLnqyERfLZRa9RKt5EgnxX6kR2BA+h/Gn
+KVV18bCIJjF3Gjnh3qjJehKRaw9nmzrB9KtGQAHdIp8ivNvjMitc1ijRIECfidWd
+lGxgmuI/gX58eaV3scjbs5YUFmGhcZIgjCxWWxFSwmzJTUVT5XqBpXFQB4dokj9m
+NNMpM3YH8T9QaaS/m9j7cmCJ4gxp7i1bJsqsVG5BjRLiZv701eVKVmU6vqhubR0R
+eSZghqho9e44ZMbn4rJ5kTQhGc7ZGNsIyChMSaYVreB8IBLDC7rg8dB/umg1OYOp
+8EqRLJyXdtpa4DN3X0e4WcWb0Toj4QuyCh/es1CtBldhdqHr0aLZYCX4i/KuGTXI
+kA8LTOJmZsE+K+/NCux1VHK9DADKcNjhSV0QTf+8ntGlNW6i2Mlt34thZK5eeB6W
+Bbo1zl6JAhwEEAECAAYFAlLYK14ACgkQR9UBbEL/fCyyQBAA0931q8dBD/6COmat
+8S+JSgcuIpylukFxU2vySBWSGRHFmFzwbokUE4bbNyutwNO2cNBa9zcxRPrkIg+7
+d65QjdZNDV2zWTjv5GwzEMjWxhP7VpTwTouYgx9j2d2KpFo2jfhTtZ7OU7DDF9YT
+FsaRiZHHZT+W/JHuB9Lxc55HkSagu00yTaZURc0olBui5c/hqBte1b3OWTjCmysG
+mwDL2FwdmFi9mbEm77sdD8PSVfkZaBv5rIaet+Xe/JMZoz0WUkZRCFXMr6B7aOdS
+WeB7kUsPh2J5dhf4x4YaxKLOHod9JQF/DGJsdexKqMTqM/xOMSQ1FTUMCQ5SBWJc
+3PywqMB/0eqlteHydlk7bb9HLCT3M6vVxTkpj834wGRsoVXPqWKzAHPpO2kjxXtc
+4DBh7T88YGE2k5rxdJHb3MjWVJQzHGhrO5Ji8CQaHjUJ4BTyim++RDisDi4C/QJ4
+qPOrafw/+KyJoWyfmAUpxplPvY/LKJlvKaKxmpwlildYjH7HjoYvCjagbSCUOnzo
+uM//YIJ8/o8QdxEDdYiTd7cwskYWphrAlV8+vCl/Y0lepRf+hsUS+uZi/NX4qYMx
+CTsewnnqJQduuehQl9/RnoBX9T04kS64cWNaPZ4dxZUYJm3us5QFcQJMysZ4tT1Y
+A0oEUX1KUTDzTQXT/kFi8MtmXauJAj4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQW
+AgMBAh4BAheABQJS1dELBQkF3R5rAAoJEPwbVHyNgXLIV98P/jcu/DiP/muH2Qsy
+FtjscyLu1NzBbSFB9q1jMVfx3VbaIT22Ly6BIQNHF7L2fpjf36EWpdJzpfR+Glp5
+1+KqZgIMAW5CGguSy8v7iHs6Rh5hzChiF48wCqxUmMdQ0ITTrnAXIYq6H6s8ytKF
+Y31znXmne1XYBg8e4yb3pcBhkzIPeVU7rMz9PjPB0+Q2jWCpqPA4eUSV8rL2TxFR
+KbEt8XlkZ6yuCLnkN84aLZFxfZA1tIGifi0PpeaO2z/IwOmftbQRiljMdnsPye49
+j4wlJS7yRIpnH3nH9Zku/MrDV/M0z7BVwKfF2F95/2QX4Tdyd/UESTdLqGtXpX4c
+axahZKrOhNr+k60qSBxoBqKauZkSbZunRnbYmVa3nA2kQuIPF9/QmoZgDUfdkKZJ
+u1RjwcRUGKd1XV19QjUvBMD3oHA4G6Jbi5vWKQZ40KVcL78YIL7C8dUOiPIasA45
+olaGpCSsGsfrMp5ngegxM+uh9Tc2kTFC9bTqp17VYI96cAqGrEBUQrmLmZLk0HUm
+a6MNZO/+vKN4UTlgjpjxZon+/yK8bsmT/VNie5hzqZim6tfztl3rpJ9jPUeLgr5x
+oGePYV02inapzNHdWFHk0L9zR/3KKfJ3IRJwUXp00Eya28hEepIvdxgLYcN1UqVn
+VuFuMY8zYSl/VXtPxySCLENJHxvdtClMZXZlbnRlIFBvbHlhayA8bGV2ZW50ZUBs
+ZXZlbnRlcG9seWFrLmRlPokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwEC
+HgECF4AFAlSXU9oFCQfATw8ACgkQ/BtUfI2BcsiPxw//X2xUctIrd1O7UOk7LHBX
+/xI7xXoWQcA7l/1XMuZhM8yC8yIoAgvFrWBP1a29I0P3/yigkQXs+eTDTdvb0QP2
+q72q7Azt852v5u8+dHzoOXDpbo+4lfX+0OBDWimwJuChD8LQH7b7jO0oqWIV0AzM
+vegFJVp3cDbyqw08lBz3xZ79A9JtBeewf6PLpXKjEVS8bEAZjZKjsjAY+5ShtJAf
+PsD8r353dmkaHgC5Aji74ijZeY3PUCvGVVCGeN9isLnRpTEn7qUvN2DfHJU4w6aw
+sXu7m7zidISo6dQLUzo54dHKWPGFy6INNkzXPOgrlbYnjt7v0Ou21/R6HrhdmsSw
+lt7GALJcgAUxrcT/ljB3SZhSB0BdH0DXPcUziEdfhgMhhrXYpMjwH2XFBD1MLusW
+GaVDbpPrSoEnmPVePcDUonDHePcuLjfOl13mOER1Kf6WFapOCa+4HCLakfKcPnGY
+eyfD7Dbz3/046MmfQ8/Iyf8ipFXN6tI2WkRKj8uq9IFYrX3yoCBxZJN837DM3Grq
+h48/T3pYU1f9LiekxbsgXmcHoGNdXX5+EsuO+QILZPttlG5QLuqFdJHei77uvW+B
+4u8mgzi1Zhh0hRLm4K6UaJ/fBJ87BZSHShPKI9PI073U1O/CcYXnb8cdPLu3UgSQ
+FM/bxT70TSYKI01Dt4KXRfWIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GT9FAJ47
+X5+0dQaOFkfy3WnMgX3AmIXJYQCfR4XL47rZ9a66jWaD0IbcXMK4oE2JAj4EEwEC
+ACgFAk64PJ4CGwMFCQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwb
+VHyNgXLI2U8QAJGKPv1gWLn7P1KeHVsKkfRf+zgdsoY4mF3bUjX/03z1h1OKp+S7
+gZD/ZI80ckw/ElgFt9sr8J+pOgHk+aGHW+V0cZNgDHXCINb17s+Ra7SA/SWeJOrr
+d4IpvTnjGc88C/j+bzRFagfnGXU601PeJdXIe6H75xVGIb0DgQBfPB9m+7p3sq/R
+6UigzLwwhIQRW/l77hq79v5Rm77e0GTfcYHSuKu2Itim8p5OYCNchr4ZpBzrv5cF
+/nH+HyD0AnM1q4a3mT9y4abNgtxJMGJBoIUEDT5vaTRpPowVHIGg9QroHkrYkMWA
+ffIBzoq38WLnPjvjNtTncyP7sjbP8KS7NfjxZ6RAcNO6m6BTDYG/lM9jwCcOma90
+RZDVYD8hy+z1hXWFfB7zB+5TYuuKV5SXZpS9/JUR1BuI44WkY0hLHUa7inpqLlqc
+b9O7KYikgyaeUKAN5LkF8A7rMVzuhrSItNzJVOs7WLnNAe9+Frzqx/jZ9aU04avS
+r5OlWLdL7k9JNDnsLFqNtG/XQ7Hc8CPl0HvY3YXYGD3xwW6Ua6+ykxZGmQGPB68W
+6a7G5EX+MEWKZgMQYsl1HgU49/sOD6QnCG3m2IB7bRAf5Kd527BnSgAaYHjVug8G
++X9opDwUW1b73Ut5tWfZJqQ4XBjl0Hc7Zi7OtlqdBeKGu/65QU+N9x33iQI+BBMB
+AgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8
+G1R8jYFyyPv+D/9lA9yMXPBROLaCRab8Ca2QJBEtpT6lGVlkQ5Am2C8xdoLGiuJF
+E7Cn/lS1j4RSVDK6DELeaBMXaY2g1eun8g2ERJIUGC98zrPjZXs/ZtCZtX8vYr1X
+Bf9U8Ty6N3rKgt1XHc1oMgzkKLUc72RC+P/fkDsiAg62nVcmOFFykyTXnpM/5Ux/
+9kaahjf4LwGeRqkDIoLrXdZ7FHPjei8VlKSiHTkl4F+UCzEySxiInV+BWAhL5Lvb
+zHxHaNDCquOb2zbgafVKON3oa8nCZoUw3iwpjrEy/JT+1BG6vxyT/LX7wPG3SKEw
+8QTl8YBF8wvHS0JHW4KTc4grCMNWDwfkrlXnp6ZzTpy4JXZfYs/ltR4FH3atDG2C
+xRCSAWXkGyTPMZkougdDbJ3jjViYcWO6B//LE1qDjeC05O9G3MXVxu16M5U8nVA2
+B3bo5cVv7+ECBTKaAvG3ZV6eOaeJ63gHRY8qI7y5OgzuNfxUXMTIAjHfO2mvSy5M
+qFgDI10F8rYevGOKxvPVE1F8aiD1uRAOMCcLTy3oUKHIdaskSytL1D/bT9WqWzii
+OXhLhSjMzkdPSUWVABeC6KM+Jcll0A0sHTkKWS3mavx3dUacB+O4efuTKNhSvo7n
+XhUvSOOikRityipE5Ma5WlXBiu54DdIMGFzANHFdb5GmC7da9F1aALkshokCHAQQ
+AQIABgUCUtgrXgAKCRBH1QFsQv98LMmaD/9W2qJyFlZAsjOWgNQPwUU4vV9/Ursj
+kt4RI/oS0Gzovw2bmL0a+Q/dp6wM4PBMuYQXCepF8V+o4uKzL2OjVZDVtU/KqGCY
+rEigiAhG0gHxgF1ukc9JQzhShFeq7/wkY+FQ4MOhuhuUsSMlvFzAd1hY+xlvckol
+DEeS54loDspUh4EwxsWlopaA1rs5dzVXrYcinz9iDzLj6ujb6uJzCQVogk9w3dv8
+smKn81TVhtR4RFecqL9mURZcGnj7NV3n2Lrl2Pe0u/DiTtpavCkzVx7v9qiB/2Di
+dqWR7OtYcywUr6lZeZsNabNwntPxSP7V6EcNXF3Qpi2IkAcwdJKb+aIG1v7/Wx77
+GhpBhbtdgKEebttzO4EVVeE8a2kmgqc8VXeAeqI89egU53dUdAinejFVDyemxHnJ
+L4L6uVnSxbk/vRzu+fr6EaPyBsqORGXj2OuwxlWcnWs/N9XzNaiq6funedUSYtbP
+trdpt7ogvzrQew7wetcwfxSB3IWcVwA9QvGDIBHTWPrb87jKV153w9I+cSfz9jg8
+qTIOw4qad7VOC4L1oaoRsLq6VFgnoW5DLsuhaVd6fgdY/byL6H5q2FPYJ+F8ovhR
+2yPlQm8UYIFwmnwzpnuGBaPtU0bP7C+SNMK+G/9+b5q4psh1MnK8sg1RfSr1w7sw
+b+Tur045QrUDu4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AF
+AlLV0QsFCQXdHmsACgkQ/BtUfI2BcsitRA/7BbFuuAXPJMA4XtPhlYbfhNkYQ7+v
+vx9HIZ1SgJfhpYwt/vbNTVclO79XD65v5JSWx+0gVJfHNolP5umB0++giIw9NCIx
+uVa5eh3kS5NFfJ0YHrYgpFDdZPHRA9wI+oZgJBC/Cm40kafgTUoPFqXb0Sdlcz3R
+hciLZBgYXV/uYubczfmAaJpmrVI1UuUWYrdPnmUkgitp9e6IePYiKVDeIGhBW8Bc
+7Nbs2hc9yH1zwv3Affs8m+4tQQiwQHsB29WEZcmBuFllTbA5g5bvTvhfCRmYVgWC
+Ti4SW+uA0B05a/aVP8fDXk82qCQ4cRB1BOwVNn+1/Aqcw+Zh8KKzH8gpPcsKGGP6
+uNg9uinuxYDneEY8cG7FSpm3XsXu4q4N6j5R63U6hz39pY/5Ib8mzYMEoLEZOLPu
+CkVH9OOQc8zuiRL/wGc0pbMiGPEp13rAI0WbIFahrWS60bwtM1YEM5Ep8vD3TLl1
+pTWlF/zWpM/uJ6n/4nDXGQsGzKQn5D5Nsu7+55C0du0d1VRvYd8oG3AaNqhtM46V
+C4eOqxH8XZtkJ3WMxhsHnV9acuDTpn5E5JKL7vEq0btN2UQ69lpKv7PmV/TgOJhf
+KKvHZ0dh6KYY7iKW7NUCouLGibBoxDa+K4reh0i0M5UcsNiPkCqDIHUAIxW6FrvQ
+xBr7NgCls+B9Kwu0JExldmVudGUgUG9seWFrIDxaM3IwLjB4MDBAZ21haWwuY29t
+PokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlSXU9oFCQfA
+Tw8ACgkQ/BtUfI2Bcsg4cw/5Af5/cxr5s8qiPvcGDglJyzFj8VBk0d7hpgdxcOi3
+VCOJY4YRoliu8WKThwxt7sD03fSZurFDDx+X27y3zPtgH/qBohmcr51jbSNom4mH
+Gf8gpViFqbQlFh7tYz4kSQExgmpFx/FIaxmwFoEqiVrp6VpM2DZ6kg//4M+Ka2Mt
+nuzV3C631A0eoMCJhPWPTgkGGknURvzhw6m2aGFWC/HE1yzf7Ej7fQeaqIxIG4Wy
+Fk3lMV9rxMxGuUZTqIhvcU85JSriHowfX1VsAI2LXJYQ9c0jI737FcLwHv8VCa5s
+NKDkLkb5S83/4Ep8e9M+a7u4WvkAqzmPfSna7bLxdsTS5gKGqEtMvMP2YGWWQxSR
+GRSttiMmIC8Cnd45S8cASA2mR/ebNcrYOpa48cjYpBKDG2BIYU7oSLNulsM1qbxL
+WJ0QM/g7iKHcrXhyIBaI22GS9hvmYcS960cox9oPCvNZcOKA6FBklnUg/ReJ3JTj
+6D6v9SUxOOfXPQIon8EzB7BNKGedHxCFgniZnl10k+pP34YGyphMZTYGdhtAm6zq
+T7PlraHQaFgQ3ba78lJcn3cWVZYpbCNJiH+Nna/Akm3/qQKTst3eW1lqopffCs1m
+F6G6wjiHCw2bio5uX1c/gDr4Peh0E28heAqKopjultPXPZbSZL4D3fJIGP2j6e1B
+wvmIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GcYrAKCgKW+qFwbMNeh4ikFg9fJx
+4/lH9wCdGevT7dwBzPe6L+aWZxipEXYmjx6JAj4EEwECACgFAk64PN0CGwMFCQIc
+hwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwbVHyNgXLIThYP/AnoLpQl
+whEEKaIhOSOKXegfdUHK6cL4cHRACzRIbBk/S4G2Vg/bnUW8tvWZDQLZ3CGL8Z0F
+tNQ6GusUxt7mcYdSj7xynbi7bZiurgYp7B7hh1hVG3pAXEwlDnJgfoc0YZHrHZwt
+HnNVYOfGEQF4zyplmUUxDyp/ZMYcXMr3PVJkYBJhYKCHOkMUtzzNjSSginaqZY1p
+fgbP+Gou/9qgotkYiH84oUG9yTSKLIO5x0WzQYuoPNJyOdSHaLPfEqCC435vCYT5
+YLZB1YI5xzQiGsAL//cUCe267oiFmO9Ioky/azeX1Ouy2DH8uEDQPQFTJYXt3CbL
+i10HkoBWdmncPC6+b0IJjDUo8Iv4yk0xFt2/DGkGK3h6jJxJ9pzx5KBT46iLfU50
+iTWMTguXn9ud/UJV0MpKgKjvO9hB4fae60n2UootknzEw6Y5W55PfGkT14WcrGGo
+WHLSbpR6+gA9apU1cdoOC8nXlf3Eb2No6LP3X7RJXqiRsdP0s6QXkZGfR/qyNXI9
+S5j6wIyqNFU0cX21UgI9oJSKEKIKEFacgyD9za0gswEI+DZr8/p3cJE89ZX8ySgO
+FG148wgaakTNGyGwR6aogGZ8IAHc83bnwGCgTeK6ZPSKNLSE/sImcTOrxIN1/x39
+r8o0TxuZjqFH+zKWfpdHX+sJLyi8Gs29CsUhiQI+BBMBAgAoAhsDBgsJCAcDAgYV
+CAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8G1R8jYFyyLl/EACG6QRV
+kKVBoI2Ycr4UISk2+gCD2r4xSK/QLEhDFcZRgMctvPVnhod3uJOsMGJCk3aPGu91
+Jtwuj0CkeURa/cVzOjC+f7baveTuWQaAqW+r70m6F4gYHU0aDD/uQ75rTCcrsmt2
+pnZCyA9jLJxQGG11AvbOcV+7K7BuIvXs4iAactZ0hRvDVuGXuup2LnUbxyBU2oj7
+OWCXKTpZcJ0KGTWapMf8ClYYsEgS0wvMWotJzAov7ijkoP2DyEQVOPTnGWcfjsTk
+QgbyqiFeBl+3IT4+xSzkPsd75dCYhsHBvCoT8cfUH4wvDXzU2CwpC1CDfHit6Hw5
+UigvZ8HXyn00Bm0UjLHGW+haS3kyOoz+z09gVFYd33cpjSnFr5is8ZMBPW31PE15
+q9/l6G/o6OGJCtOax3Yi6ttqn+KbDXIooZoRPZlayOSghyjoD40+ErevmqZPfJ3E
+o1kHz62B1YpoXmhUm2Ihf2SbjWJRaW9Hp2nd81kAAXjr+8k4yvOuHxwYPFnpBjfV
+cfYNQ3Zf5xF4nfszFuZMc5JYrIR3EYVgEk+n8VpulAqd0rXUEODwGy7rPjdxLY7w
+DhUEZMQN3xweIb4vjPDBb0Ax3ACyfWKIdT0kC3rGOy9xyCzxWO2CjHMjrbxy4jL7
+B0WIQ5fpRcV2+wozs2WYgJKVKJgJZGYsW8dDLYkCHAQQAQIABgUCUtgrXgAKCRBH
+1QFsQv98LIX0EADVefJUEMGKiTFLwUmWNF2X4oCzEZEMsQ6NliiQFvtNkKrT+OzZ
+zggxfINUr0XEKgjjoGZ03Hmm7xAFc1Y51QZEr25H18PuSixz2YSHPqYwwVgLUh0v
+u2AqaP0mQckssK+ZAQVvoZ7ZOI22ZXIZ6CPEPY6aJawHov8Strlm8oTbFgLfZ5Wo
+3NCxMkkq3NFNHuwesccelNPefgnFZWhwr1mkUeX+rCAbQF/QHYEAi7KjfKyY+XKs
+ccjYS+RWxpte21ejngp7pRYli3M8cZoaWKCzLTrD8gKztlo3op9Zc2+hjOY9gZtG
+CaXkN8lchJ1yMyWju61ZO++AJq6S2OdBVxgsj9xPm+x91RbZRHQmUuq8mefUzaEm
+NHE29udVFfuV//Fpabi04IrOuabkrSvP27eX9FT1y25tKFHuJdL5fDUFGnNnTvcR
+X51lJmvnuIKJQ+Lthup7npS0L06+dPIDoqyxF8hmdu3RtwEsvkboPaxx5XTB5d8y
+3wzBFWd4ePwBIumrY1YHSzdJCvyyLRXZbSOsHXgZfhfQ1LVgxxebP7E+stWqGLLC
+Fry0WGG8f/UUgVr1QpluT6NjioUnuI/ZmKR/aKewqVYWAnr54fF+np4VdxPfYwci
+lpbXpkamORZqPfq/nyoWgnp+y4AptDdDkSWnFxfcJ1wnFFcrHVUSFQ1wBYkCPgQT
+AQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlLV0QsFCQXdHmsACgkQ
+/BtUfI2BcsjV6w/9Fe1+3Mc6wG3R9VbxiYo13/JV4t+tA9/tcJ1R/Y96eAqVajoK
+c2ZQ7FrimmlzvLIvxpH4Z76h3NmPWfOQ6qEumZQ5BM3QwBfQQ3Tmj10gfiL5vOZJ
+6dUaJjwXgjz0Qyk1G3gw7K1xmtnXgBPyGT9T9q3OAhHHdV2b6xS9dWoNKhUV8GUn
+HfIKwq+87aZqexjFE7ubZdOAe+5nrqnlMEfJKgDjXbazES9IYvPQiSjwR3xaIPOa
+ma5WfQV0SHg3Vkhtv2PjuoYWNfNy17N7u+dfg7nAtKLIQCPht45uKk66BYWYBoDI
+VQfg6zcFLpdNcFzzwmgrYRZvEvBf5aSG3KFD7UReT0695/lHheRxEAA3thsx8gaM
+CCavtVxbVUluEfYZ7TgXLMuIO9OBKhi7MwB3iL5qacrNShMB+1J5FxieJBmWXdla
++kCdCdS+9kIZH+mnQ8daGEJ5R9mNcVwcWasI0o9NObqIZwhKw4obrC5Q7m2NfXL6
+FUScfA7yn7+/icdQB9fH2ZXGJVuNm1b8OBN6Nbz0QauaCystWzKXKwpVb/5M623v
+Vw75RfnqCFiAf4tX58nL/QalJc4C0E+TvQ2pXC47VQvHmiAB31vKvU0nbo+lzi64
+hAPWJnhr2pmTvglquTFzLwEsWfO4zDtUwFo8KM1XFsonaoX5UzGTXPmIN5+0J0xl
+dmVudGUgUG9seWFrIDxhbnRocmF4eEBhcmNobGludXgub3JnPokCPwQTAQIAKQIb
+AwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJUl1PbBQkHwE8PAAoJEPwbVHyN
+gXLIdGAP/0ch1NeFyXWszqA5ow+itBn6iyUaplXB5I56Q77cTIFB6LqJ5+2kdUuO
+UqPvOilGS3dxbyDsSdWDLs+bHRFG4uqZyGUDhmu2mvS+uDqPFwcKJUNDlgdccxph
+sA5HJFGg1ca0TWWg8vjwANdU4sL9Ujbaw93v0Mx/1+aSIxyEJBNxc6DJWEfCjpSy
+R9JB8WTHgvxEAImVNsT1OGNTvd2DN+17WBhxBktLHDocIGJ/fttzFgKkv6NTPwt+
+y4QyP3UgeYRZR21B6MVckk2/UuCuCY7gAGruTFVoINa/Wqn2YPPZhJYrTX7ysDaV
+QLObxlepeo0UWC7wFEiuqu5OM75MWLUX8j/1OAIE6my85vrlcWSf0Z3jOAgPTjJw
+VT5h7T/7NPP2azoIlOE2bh5UcKXFkT0xDYPcMr2hV2Ih+jU+Ygiyg/1yIIxearmm
+PFjfIHMLepa+7RPtTlHwu4fpNPXzL13W6PXSoCTTi/suGlYmSyLtOwxq15GGT3vg
+1Xh8wfkuWwbWJnBKXtt8HkteQRgDngDnRSJwsO2nnQ7+sr+F8J3rQDdlVdVcolic
+ekup8ZgSjJYinfcpF+H+qy2kK2jOYyyHI/+zHQtwy1R7MbLwPJe7WNWrBmEvmazB
+2//Iu5EVIfFX3flPjeRQbKX4B/SuXF48uo0/8WfdgaMW8glRWJnbiQI/BBMBAgAp
+BQJUSwOnAhsDBQkF3R5rBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/BtU
+fI2Bcsj5ihAAg0d0A8OUsNWG7TiPQTuC/D4e/5JTkJARmQ5xO6gMPxTpjSZCyWEl
+7gQOg/liU8nz5HZGaJgg4HuBwTs6euqdnVi6zhW1c1wye2thGTQ7DeSPJnhju3Qe
+mPS1jEdC34lXCo6eGjdKnGb7TV7hkptHKHh7XCU9n6qcXQ2cNQQbdqSCRsfVm1XD
++p+mM/FGOz8uFOrhERAUl99WkVZ4NKTdws8U6FXulbdWrWwI4eRggIdwI/Tl7zuy
+ja7KxBCCeJ/gFY6g+iOYmIo6//bJITgmAG60hFHJ9JigcN6xglYFI28TCdNqM0+C
+hgbZUner0vLmaxRNoXqV9Xw8ihNMQa7fUFYkX8VrXOdLdVvee7OaeLuWWE8x6usQ
+NzgLDQQx9fmxtrQY+dC6Y25IPMm094z0nrbM1wtfG2+8Vw4mQ2U099fT5t3Yl7fE
+PlanhgQxRZE78PxezyYxms4HV+wqvrhlBzFnWAd6H27uDPfUfO9cLgbmFTUlwFhg
+gsDeIFRFx8+h4/0xAIPqUODmTiN0mj5sLRW7zvqZW6zhsGIMdPd+IkhHiGjeJqme
+Ai0iOjpV3tRteoW51/+/ajPmyUBbvOxiFJNADHH2NvqoBMU1pkTvpc7Wy+2J9VcF
+4TFdWBbwjU8BoC3ZgixTrT0zCSwabnKriglOhA5Ik/n5HsR7S76V13y0KExldmVu
+dGUgUG9seWFrIDxhbnRocmF4eEBoYW1idXJnLmNjYy5kZT6JAj0EEwEIACcFAlSX
+VHICGwMFCQfATw8FCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQ/BtUfI2Bcsia
+Wg//SKLFNUTEBQG11cV/AljxmI2s8y+cPKs3VqlwEjiuRMu4DRkFVaZNEuPq0b8q
+8pwcHIJ5/nZvOticm9M/g7TrTp3pOxmSYf7WG31vVrprig22dz8WxQAy76srNn1z
+stg0TFO7nKNVjZOFz5D0RpWazwnXyDed3l2/7RZ1CMv7ue/rZez8FnDHN7Di3daX
+AJ5XkvDAsD6AITYQd+4XEbh2rt9p8G6qUUjwzoVU/aGVgo1CGZydYMJQVccNL7kv
+fumnwkAED8u9j0ZI+xfaD3c1rP98bnqk9u8rJPCAeIkA4ppisDb7noz0NaO7dDyM
+ywBK4OR478fw5h7GfiIwZdVAHkCoEHNvF1ON8JnYgyplLvZvxZ0dtYGDYDiFdORN
+gVgGMU12kemPws4hEx3WMgUu/BBkF58XyQyqcwt7q+WGI2lQ88UzZ/FAsu8i8r/J
+jkV8FsiCJ2rSHEMddmOHoaTM+6oB2i9kZo7KmToSZu7DxuemlHpuOO3kG/iRga2y
+NeancRJwbxgZhNGBbhrA/7k5UOcXkmfW74oBkbCci0ncVhHu12dsJXhk+eprkOXv
+nD1vEIeuzL4V/SMDar3SxFlfLFwQk4cn9+pdeP3LxwHKBn74pABsbEBhEY4IjUEL
+YOTEVoP6s+Ou1NcLxFl3elmniwL2+GV5rDM8pctkKNemtZa5Ag0ETrg4RQEQALfu
+qEihKS+DTVlWUujzSq5zK/5oQ1ZL8AiTUTZuVtrRWCq0HE8tWaVxEP3Vt9FCo7yF
+afXigokChzHOgzczg80tctrlv+vbFyaZnjGQH20Nlz8EnZP102zudx/RdFXG/up8
+PX50Eck2lH+IvvosMLdvrZTkFJ4SgqMGSoAgMhJHZdZB5N0y8yPPAjcEnSXp8L2A
+mo9e0egCrEuqBrCZld00nIoipyDlYNZkLjPf0JRgFPO/AWWgBZLvLlteLu0emq8N
+96bT3QTdXpRVPM0qeX94+2gIj+0V1uQ9+k5Xkslbbii9TnOzMnLRO6dBAONVTTb3
+ajzdXK71iv2a8Y9lKShxhYWP9JNOFlXkAp+ZoD7EZex4dgu6giV3PrTDJLyWSu41
+WfqOz6cJGpJSTacrenC542ynAaSVKXH+1plqB9kq/M7HtE/P4GveQXIVT9Sho394
+4hwkuETo20KwCgFPMmiNaBysnOykIcDsDutBOyygdovzdGEyHVsM8/kz007QFgJf
+hKy91H6O/Cg7VH+yaUKllRZ+kFsoSy8/E0IqLzqBHG3sUGM6lJ0Q9fgSnpzIZsdE
+jRhczNCvlovGLa/kBHcEUWQ2zrjnfjsLkxvamKJ8N6LLIXIDRv5dE2smpdi3oiVg
+XdOKshyXB+obhRFlWtirK4udX5yYzUpcB0zBoo1hABEBAAGJAiUEGAECAA8CGwwF
+AlSXVAEFCQfATzwACgkQ/BtUfI2Bcsj0Tw//dyDYwcnh0BIb+nDCXFC91KiPUILa
+f+wI5w6c9YYEo6TR89q6Wsq8EDiqcqSJcztuNvw3MZGHWA25nNB/0046CGM/tUBd
+Jyudd3TxQBi6XMMSTbG1EMtSN1UMV4guuUfYcAGW38oZ+YJACCBFFz/Kt0aa/hhi
+/hBNyvI73vZfQ/fsScFDewkxikUEspRsLVmX6gaEmumOxOhJP3HBoxeBCM4Z3IXo
+dON2SiiMxt9BPIPJOyKNkFQGQ3dqJIag3GnsZ1s0CEoi8iqF7uS4RjC7uOJtvn74
+CODxg1Ibl1IweyAuBEA80wUh9DGLAdRJpxWy1B2fDhIROvpcg0R5p6j9UX0b0esc
+jKLQEiE1wRswjXhWpZhe7Pjl38KhwqMyaeR3OnDtP7JXazIG6HiBIp4cx4k5A2TT
+X+LhvG3NHCeuxIyjLTRTWgv241kf7uAu+qgjHDSKXQqpjvo+cUYQgSxQZZXnmlz0
+sz/tEeiWl+i8kW/RNKQvNNR8ghWDW3YRak/zS+WFNoLZchecIzMj+je1vSg411o4
+Xd3LHDur6boCetaq7ZkqoS+NcX9n8MnKhHKYJblvXyc1h67s90+wSwhlumA8WqlM
+yqn99m13aF8GuGZbw5B2/x/Cd7WW5wZV6ioola/yqDXB1XtDFBy2Hxr/VMRlE3Cu
+kekzzVjVTZxOgZE=
+=yRuG
+-----END PGP PUBLIC KEY BLOCK-----
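Review bot: This key block is the trust anchor for the hardened patch set (update.py further down points `HARDENED_TRUSTED_KEY` at it), yet nothing in the commit states which primary-key fingerprint it is supposed to contain. A reviewer therefore cannot tell a legitimate refresh from a swapped or extended block. I would record the fingerprint beside the constant, e.g. `# expected primary key fingerprint: <FULL-FINGERPRINT-PLACEHOLDER>, confirmed via <out-of-band source>`, and have the update script compare the fingerprint reported by signature verification against that value rather than accepting any key the file holds. The verification code is outside the visible part of update.py, so whether it already pins the fingerprint cannot be confirmed here.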
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix
new file mode 100644
index 000000000000..3e3cd149c4d9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -0,0 +1,100 @@
+# Based on recommendations from:
+# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
+# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
+#
+# Dangerous features that can be permanently (for the boot session) disabled at
+# boot via sysctl or kernel cmdline are left enabled here, for improved
+# flexibility.
+#
+# See also <nixos/modules/profiles/hardened.nix>
+
+{ lib, version }:
+
+with lib;
+with lib.kernel;
+with (lib.kernel.whenHelpers version);
+
+assert (versionAtLeast version "4.9");
+
+{
+  # Report BUG() conditions and kill the offending process.
+  BUG = yes;
+
+  # Safer page access permissions (wrt. code injection).  Default on >=4.11.
+  DEBUG_RODATA          = whenOlder "4.11" yes;
+  DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;
+
+  # Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
+  # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+  # implicitly marks LSM hooks read-only after init.
+  #
+  # SELinux can only be disabled at boot via selinux=0
+  #
+  # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+  # config builder fails to detect that it has indeed been unset.
+  SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;
+  SECURITY_WRITABLE_HOOKS  = whenAtLeast "4.12" (option no);
+
+  STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;
+
+  # Perform additional validation of commonly targeted structures.
+  DEBUG_CREDENTIALS     = yes;
+  DEBUG_NOTIFIERS       = yes;
+  DEBUG_PI_LIST         = whenOlder "5.2" yes; # doesn't BUG()
+  DEBUG_PLIST           = whenAtLeast "5.2" yes;
+  DEBUG_SG              = yes;
+  SCHED_STACK_END_CHECK = yes;
+
+  REFCOUNT_FULL = whenBetween "4.13" "5.5" yes;
+
+  # Randomize page allocator when page_alloc.shuffle=1
+  SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
+
+  # Allow enabling slub/slab free poisoning with slub_debug=P
+  SLUB_DEBUG = yes;
+
+  # Wipe higher-level memory allocations on free() with page_poison=1
+  PAGE_POISONING           = yes;
+  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
+  PAGE_POISONING_ZERO      = whenOlder "5.11" yes;
+
+  # Enable the SafeSetId LSM
+  SECURITY_SAFESETID = whenAtLeast "5.1" yes;
+
+  # Reboot devices immediately if kernel experiences an Oops.
+  PANIC_TIMEOUT = freeform "-1";
+
+  GCC_PLUGINS = yes; # Enable gcc plugin options
+  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
+  GCC_PLUGIN_LATENT_ENTROPY = yes;
+
+  GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
+  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
+  GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
+  GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin
+  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;
+
+  # Disable various dangerous settings
+  ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
+  PROC_KCORE         = no; # Exposes kernel text image layout
+  INET_DIAG          = no; # Has been used for heap based attacks in the past
+
+  # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
+  # make them optional
+  INET_DIAG_DESTROY = option no;
+  INET_RAW_DIAG     = option no;
+  INET_TCP_DIAG     = option no;
+  INET_UDP_DIAG     = option no;
+  INET_MPTCP_DIAG   = option no;
+
+  # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+  CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
+  CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;
+
+  # Detect out-of-bound reads/writes and use-after-free
+  KFENCE = whenAtLeast "5.12" yes;
+
+  # CONFIG_DEVMEM=n causes these to not exist anymore.
+  STRICT_DEVMEM    = option no;
+  IO_STRICT_DEVMEM = option no;
+}
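Review bot: `STRICT_DEVMEM = option no;` and `IO_STRICT_DEVMEM = option no;` at the end rest on the comment's premise that CONFIG_DEVMEM is off, but nothing in this file sets `DEVMEM = no`. If a kernel built from this set keeps DEVMEM enabled, both options still exist and get switched off, which removes the /dev/mem access filter rather than the device. Either add `DEVMEM = no;` beside the other disabled features, or extend the comment to name where DEVMEM is disabled (the linux-hardened patch defaults or common-config.nix; neither is visible in this hunk). Separately, the comment above `PANIC_TIMEOUT = freeform "-1";` speaks of rebooting on an Oops, while the timeout applies to a panic and no `PANIC_ON_OOPS` is set here; `# Reboot immediately on kernel panic.` would match what is configured.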
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json
new file mode 100644
index 000000000000..35ef199c9d6a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -0,0 +1,62 @@
+{
+    "4.14": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-4.14.290-hardened1.patch",
+            "sha256": "14bnps4y5k2aa0fd2g4bdbiir1w7xfrvgsqd3cfzni8zhf4xrw0l",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.290-hardened1/linux-hardened-4.14.290-hardened1.patch"
+        },
+        "sha256": "0zyxb99a7fa2l85vnzmvg2nry99clj20d4j38piqm921iqxak2j4",
+        "version": "4.14.290"
+    },
+    "4.19": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-4.19.255-hardened1.patch",
+            "sha256": "1pi0na6gr0l56479dzny8fvb3yzvxvjbvwn7c6kxf0gdhdqjzsc9",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.255-hardened1/linux-hardened-4.19.255-hardened1.patch"
+        },
+        "sha256": "0hwa3g09cmllc2z01s2jqbczpznzdp3ldngx18k5c2ac7w394fbp",
+        "version": "4.19.255"
+    },
+    "5.10": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.10.136-hardened1.patch",
+            "sha256": "1mw30dy0xk2l12gds0kf7mjxbfamjxdwshkwc4kcics9rf57mgx6",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.136-hardened1/linux-hardened-5.10.136-hardened1.patch"
+        },
+        "sha256": "0naiwihlj6aswnqwdz3xzmga98xpj5lf2iy9vxqzdng7b46rs28w",
+        "version": "5.10.136"
+    },
+    "5.15": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.15.60-hardened1.patch",
+            "sha256": "1w93qgwycicwjp3aiklm6c6yvg0gq674pxcxvbsdd0c1p0b4y8dk",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.60-hardened1/linux-hardened-5.15.60-hardened1.patch"
+        },
+        "sha256": "0yi3bvqz4qn8nvgr910ic09zvpisafwi282j0y2gvbvgr7vlb59d",
+        "version": "5.15.60"
+    },
+    "5.18": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.18.17-hardened1.patch",
+            "sha256": "0vic9y72d3vfw66y32yrgh7q2wgjk902780ik2viylwr3f5xq1yq",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.18.17-hardened1/linux-hardened-5.18.17-hardened1.patch"
+        },
+        "sha256": "0i7yms65b8kxjm92ahic0787vb9h7xblbwp1v6cq8zpns3ivv0ih",
+        "version": "5.18.17"
+    },
+    "5.4": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.4.210-hardened1.patch",
+            "sha256": "0qbz9h97m0lxa45j85sv2lhhmrlx9nv5z0bf5vdhyq6g0h7d2mm9",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.210-hardened1/linux-hardened-5.4.210-hardened1.patch"
+        },
+        "sha256": "13l8zh5balciqhi4k4328sznza30v8g871wxcqqka61cij3rc0wl",
+        "version": "5.4.210"
+    }
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py
new file mode 100755
index 000000000000..d0f8c77c783f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -0,0 +1,305 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i python -p "python38.withPackages (ps: [ps.PyGithub])" git gnupg
+
+# This is automatically called by ../update.sh.
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import subprocess
+import sys
+from dataclasses import dataclass
+from pathlib import Path
+from tempfile import TemporaryDirectory
+from typing import (
+    Dict,
+    Iterator,
+    List,
+    Optional,
+    Sequence,
+    Tuple,
+    TypedDict,
+    Union,
+)
+
+from github import Github
+from github.GitRelease import GitRelease
+
+VersionComponent = Union[int, str]
+Version = List[VersionComponent]
+
+
+PatchData = TypedDict("PatchData", {"name": str, "url": str, "sha256": str, "extra": str})
+Patch = TypedDict("Patch", {
+    "patch": PatchData,
+    "version": str,
+    "sha256": str,
+})
+
+
+@dataclass
+class ReleaseInfo:
+    version: Version
+    release: GitRelease
+
+
+HERE = Path(__file__).resolve().parent
+NIXPKGS_KERNEL_PATH = HERE.parent
+NIXPKGS_PATH = HERE.parents[4]
+HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
+HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
+HARDENED_PATCHES_PATH = HERE / "patches.json"
+MIN_KERNEL_VERSION: Version = [4, 14]
+
+
+def run(*args: Union[str, Path]) -> subprocess.CompletedProcess[bytes]:
+    try:
+        return subprocess.run(
+            args,
+            check=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+            encoding="utf-8",
+        )
+    except subprocess.CalledProcessError as err:
+        print(
+            f"error: `{err.cmd}` failed unexpectedly\n"
+            f"status code: {err.returncode}\n"
+            f"stdout:\n{err.stdout.strip()}\n"
+            f"stderr:\n{err.stderr.strip()}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+
+def nix_prefetch_url(url: str) -> Tuple[str, Path]:
+    output = run("nix-prefetch-url", "--print-path", url).stdout
+    sha256, path = output.strip().split("\n")
+    return sha256, Path(path)
+
+
+def verify_openpgp_signature(
+    *, name: str, trusted_key: Path, sig_path: Path, data_path: Path,
+) -> bool:
+    with TemporaryDirectory(suffix=".nixpkgs-gnupg-home") as gnupg_home_str:
+        gnupg_home = Path(gnupg_home_str)
+        run("gpg", "--homedir", gnupg_home, "--import", trusted_key)
+        keyring = gnupg_home / "pubring.kbx"
+        try:
+            subprocess.run(
+                ("gpgv", "--keyring", keyring, sig_path, data_path),
+                check=True,
+                stderr=subprocess.PIPE,
+                encoding="utf-8",
+            )
+            return True
+        except subprocess.CalledProcessError as err:
+            print(
+                f"error: signature for {name} failed to verify!",
+                file=sys.stderr,
+            )
+            print(err.stderr, file=sys.stderr, end="")
+            return False
+
+
+def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
+    release = release_info.release
+    extra = f'-{release_info.version[-1]}'
+
+    def find_asset(filename: str) -> str:
+        try:
+            it: Iterator[str] = (
+                asset.browser_download_url
+                for asset in release.get_assets()
+                if asset.name == filename
+            )
+            return next(it)
+        except StopIteration:
+            raise KeyError(filename)
+
+    patch_filename = f"{name}.patch"
+    try:
+        patch_url = find_asset(patch_filename)
+        sig_url = find_asset(patch_filename + ".sig")
+    except KeyError:
+        print(f"error: {patch_filename}{{,.sig}} not present", file=sys.stderr)
+        return None
+
+    sha256, patch_path = nix_prefetch_url(patch_url)
+    _, sig_path = nix_prefetch_url(sig_url)
+    sig_ok = verify_openpgp_signature(
+        name=name,
+        trusted_key=HARDENED_TRUSTED_KEY,
+        sig_path=sig_path,
+        data_path=patch_path,
+    )
+    if not sig_ok:
+        return None
+
+    kernel_ver = release_info.release.tag_name.replace("-hardened1", "")
+    major = kernel_ver.split('.')[0]
+    sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz")
+
+    return Patch(
+        patch=PatchData(name=patch_filename, url=patch_url, sha256=sha256, extra=extra),
+        version=kernel_ver,
+        sha256=sha256_kernel
+    )
+
+
+def parse_version(version_str: str) -> Version:
+    version: Version = []
+    for component in re.split('\.|\-', version_str):
+        try:
+            version.append(int(component))
+        except ValueError:
+            version.append(component)
+    return version
+
+
+def version_string(version: Version) -> str:
+    return ".".join(str(component) for component in version)
+
+
+def major_kernel_version_key(kernel_version: Version) -> str:
+    return version_string(kernel_version[:-1])
+
+
+def commit_patches(*, kernel_key: str, message: str) -> None:
+    new_patches_path = HARDENED_PATCHES_PATH.with_suffix(".new")
+    with open(new_patches_path, "w") as new_patches_file:
+        json.dump(patches, new_patches_file, indent=4, sort_keys=True)
+        new_patches_file.write("\n")
+    os.rename(new_patches_path, HARDENED_PATCHES_PATH)
+    message = f"linux/hardened/patches/{kernel_key}: {message}"
+    print(message)
+    if os.environ.get("COMMIT"):
+        run(
+            "git",
+            "-C",
+            NIXPKGS_PATH,
+            "commit",
+            f"--message={message}",
+            HARDENED_PATCHES_PATH,
+        )
+
+
+# Load the existing patches.
+patches: Dict[str, Patch]
+with open(HARDENED_PATCHES_PATH) as patches_file:
+    patches = json.load(patches_file)
+
+# Get the set of currently packaged kernel versions.
+kernel_versions = {}
+for filename in os.listdir(NIXPKGS_KERNEL_PATH):
+    filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename)
+    if filename_match:
+        nix_version_expr = f"""
+            with import {NIXPKGS_PATH} {{}};
+            (callPackage {NIXPKGS_KERNEL_PATH / filename} {{}}).version
+        """
+        kernel_version_json = run(
+            "nix-instantiate", "--eval", "--json", "--expr", nix_version_expr,
+        ).stdout
+        kernel_version = parse_version(json.loads(kernel_version_json))
+        if kernel_version < MIN_KERNEL_VERSION:
+            continue
+        kernel_key = major_kernel_version_key(kernel_version)
+        kernel_versions[kernel_key] = kernel_version
+
+# Remove patches for unpackaged kernel versions.
+for kernel_key in sorted(patches.keys() - kernel_versions.keys()):
+    commit_patches(kernel_key=kernel_key, message="remove")
+
+g = Github(os.environ.get("GITHUB_TOKEN"))
+repo = g.get_repo(HARDENED_GITHUB_REPO)
+failures = False
+
+# Match each kernel version with the best patch version.
+releases = {}
+i = 0
+for release in repo.get_releases():
+    # Dirty workaround to make sure that we don't run into issues because
+    # GitHub's API only allows fetching the last 1000 releases.
+    # It's not reliable to exit earlier because not every kernel minor may
+    # have hardened patches, hence the naive search below.
+    i += 1
+    if i > 500:
+        break
+
+    version = parse_version(release.tag_name)
+    # needs to look like e.g. 5.6.3-hardened1
+    if len(version) < 4:
+        continue
+
+    if not (isinstance(version[-2], int)):
+        continue
+
+    kernel_version = version[:-1]
+
+    kernel_key = major_kernel_version_key(kernel_version)
+    try:
+        packaged_kernel_version = kernel_versions[kernel_key]
+    except KeyError:
+        continue
+
+    release_info = ReleaseInfo(version=version, release=release)
+
+    if kernel_version == packaged_kernel_version:
+        releases[kernel_key] = release_info
+    else:
+        # Fall back to the latest patch for this major kernel version,
+        # skipping patches for kernels newer than the packaged one.
+        if '.'.join(str(x) for x in kernel_version) > '.'.join(str(x) for x in packaged_kernel_version):
+            continue
+        elif (
+            kernel_key not in releases or releases[kernel_key].version < version
+        ):
+            releases[kernel_key] = release_info
+
+# Update hardened-patches.json for each release.
+for kernel_key in sorted(releases.keys()):
+    release_info = releases[kernel_key]
+    release = release_info.release
+    version = release_info.version
+    version_str = release.tag_name
+    name = f"linux-hardened-{version_str}"
+
+    old_version: Optional[Version] = None
+    old_version_str: Optional[str] = None
+    update: bool
+    try:
+        old_filename = patches[kernel_key]["patch"]["name"]
+        old_version_str = old_filename.replace("linux-hardened-", "").replace(
+            ".patch", ""
+        )
+        old_version = parse_version(old_version_str)
+        update = old_version < version
+    except KeyError:
+        update = True
+
+    if update:
+        patch = fetch_patch(name=name, release_info=release_info)
+        if patch is None:
+            failures = True
+        else:
+            patches[kernel_key] = patch
+            if old_version:
+                message = f"{old_version_str} -> {version_str}"
+            else:
+                message = f"init at {version_str}"
+            commit_patches(kernel_key=kernel_key, message=message)
+
+missing_kernel_versions = kernel_versions.keys() - patches.keys()
+
+if missing_kernel_versions:
+    print(
+        f"warning: no patches for kernel versions "
+        + ", ".join(missing_kernel_versions),
+        file=sys.stderr,
+    )
+
+if failures:
+    sys.exit(1)
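Review bot: The check that skips patches for kernels newer than the packaged one, in the release-matching loop, compares joined dotted strings, so versions are ordered lexicographically (`"5.4.99" > "5.4.210"` is true) and the wrong release can be skipped or kept as the fallback. Both operands are parsed lists that share the same major key and end in an integer, so `if kernel_version > packaged_kernel_version:` would compare them numerically. In `fetch_patch`, `.replace("-hardened1", "")` leaves the suffix in place for any other tag, such as a `-hardened2` release, and the tarball URL is then built from the wrong string; `kernel_ver = version_string(release_info.version[:-1])` would follow the parsed tag instead. The kernel tarball hash is recorded straight from `nix-prefetch-url` with no signature check, unlike the patch, so a comment stating that it is trust-on-first-download would help the next maintainer.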
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/htmldocs.nix b/nixpkgs/pkgs/os-specific/linux/kernel/htmldocs.nix
new file mode 100644
index 000000000000..4e42288aff8d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/htmldocs.nix
@@ -0,0 +1,85 @@
+{ lib
+, stdenv
+, graphviz
+, imagemagick
+, linux_latest
+, makeFontsConf
+, perl
+, python3
+, sphinx
+, which
+}:
+
+let
+  py = python3.override {
+    packageOverrides = final: prev: rec {
+      docutils_old = prev.docutils.overridePythonAttrs (oldAttrs: rec {
+        version = "0.16";
+        src = final.fetchPypi {
+          pname = "docutils";
+          inherit version;
+          sha256 = "sha256-wt46YOnn0Hvia38rAMoDCcIH4GwQD5zCqUkx/HWkePw=";
+        };
+      });
+
+      sphinx = (prev.sphinx.override rec {
+        alabaster = prev.alabaster.override { inherit pygments; };
+        docutils = docutils_old;
+        pygments = prev.pygments.override { docutils = docutils_old; };
+      }).overridePythonAttrs {
+        # fails due to duplicated packages
+        doCheck = false;
+      };
+
+      sphinx-rtd-theme = prev.sphinx-rtd-theme.override {
+        inherit sphinx;
+        docutils = docutils_old;
+      };
+    };
+  };
+in
+
+stdenv.mkDerivation {
+  pname = "linux-kernel-latest-htmldocs";
+
+  inherit (linux_latest) version src;
+
+  postPatch = ''
+    patchShebangs \
+      Documentation/sphinx/parse-headers.pl \
+      scripts/{get_abi.pl,get_feat.pl,kernel-doc,sphinx-pre-install}
+  '';
+
+  FONTCONFIG_FILE = makeFontsConf {
+    fontDirectories = [ ];
+  };
+
+  nativeBuildInputs = [
+    graphviz
+    imagemagick
+    perl
+    py.pkgs.sphinx
+    py.pkgs.sphinx-rtd-theme
+    which
+  ];
+
+  preBuild = ''
+    export XDG_CACHE_HOME="$(mktemp -d)"
+  '';
+
+  makeFlags = [ "htmldocs" ];
+
+  installPhase = ''
+    mkdir -p $out/share/doc
+    mv Documentation/output $out/share/doc/linux-doc
+    cp -r Documentation/* $out/share/doc/linux-doc/
+  '';
+
+  meta = with lib; {
+    description = "Linux kernel html documentation";
+    homepage = "https://www.kernel.org/doc/htmldocs/";
+    platforms = platforms.linux;
+    inherit (linux_latest.meta) license;
+    maintainers = with maintainers; [ SuperSandro2000 ];
+  };
+}
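Review bot: The `sphinx` argument in the function header is never used. The `sphinx` picked up by `inherit sphinx;` is the one defined inside the `rec` overlay, and `nativeBuildInputs` takes `py.pkgs.sphinx`, so the top-level package has no effect on the build. Dropping `, sphinx` from the argument list makes it clear that the docs are built only with the overlay pinned to docutils 0.16. As a smaller style point, the overridden `installPhase` omits the hooks; it could start with `runHook preInstall` and end with `runHook postInstall`.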
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-4.14.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-4.14.nix
new file mode 100644
index 000000000000..018ec0e8a927
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-4.14.nix
@@ -0,0 +1,18 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "4.14.290";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "0zyxb99a7fa2l85vnzmvg2nry99clj20d4j38piqm921iqxak2j4";
+  };
+} // (args.argsOverride or {}))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-4.19.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-4.19.nix
new file mode 100644
index 000000000000..0981efb66a77
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-4.19.nix
@@ -0,0 +1,18 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "4.19.255";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "0hwa3g09cmllc2z01s2jqbczpznzdp3ldngx18k5c2ac7w394fbp";
+  };
+} // (args.argsOverride or {}))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-4.9.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-4.9.nix
new file mode 100644
index 000000000000..3fb588d3cb93
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-4.9.nix
@@ -0,0 +1,12 @@
+{ buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
+
+buildLinux (args // rec {
+  version = "4.9.325";
+  extraMeta.branch = "4.9";
+  extraMeta.broken = stdenv.isAarch64;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "04msx0x0d8v93zjr3jj0qqkgg7m4hb7rj6hk5vzrzasmgbjmb3dl";
+  };
+} // (args.argsOverride or {}))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.10.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.10.nix
new file mode 100644
index 000000000000..a9fde05e0ca5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.10.nix
@@ -0,0 +1,18 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "5.10.136";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "0naiwihlj6aswnqwdz3xzmga98xpj5lf2iy9vxqzdng7b46rs28w";
+  };
+} // (args.argsOverride or {}))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.15.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.15.nix
new file mode 100644
index 000000000000..4bf8303b2a41
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.15.nix
@@ -0,0 +1,18 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "5.15.61";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "0hpx0ziz162lc41jwi2ybj3qgidinjcsp71lchvmp6h0vyiddj9v";
+  };
+} // (args.argsOverride or { }))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.18.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.18.nix
new file mode 100644
index 000000000000..096f197a1a1c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.18.nix
@@ -0,0 +1,18 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "5.18.18";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "0as0cslwz6zdiwd5wzcjggw3qpa9hzvfmxlhy72jdhn5vk47dhy1";
+  };
+} // (args.argsOverride or { }))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.19.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.19.nix
new file mode 100644
index 000000000000..09e226ba3410
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.19.nix
@@ -0,0 +1,18 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "5.19.2";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "0gg63y078k886clgfq4k5n7nh2r0359ksvf8wd06rv01alghmr28";
+  };
+} // (args.argsOverride or { }))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.4.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.4.nix
new file mode 100644
index 000000000000..3018d83840e3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-5.4.nix
@@ -0,0 +1,18 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "5.4.210";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "13l8zh5balciqhi4k4328sznza30v8g871wxcqqka61cij3rc0wl";
+  };
+} // (args.argsOverride or {}))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
new file mode 100644
index 000000000000..69bbdf648d22
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
@@ -0,0 +1,41 @@
+{ buildPackages, fetchFromGitHub, fetchurl, perl, buildLinux, libelf, util-linux, kernelPatches ? [], ... } @ args:
+
+buildLinux (args // rec {
+  version = "4.14.180-176";
+
+  # modDirVersion needs to be x.y.z.
+  modDirVersion = "4.14.180";
+
+  # branchVersion needs to be x.y.
+  extraMeta.branch = "4.14";
+
+  src = fetchFromGitHub {
+    owner = "hardkernel";
+    repo = "linux";
+    rev = version;
+    sha256 = "0n7i7a2bkrm9p1wfr20h54cqm32fbjvwyn703r6zm1f6ivqhk43v";
+  };
+
+  kernelPatches = args.kernelPatches ++ [{
+    name = "usbip-tools-fno-common";
+    patch = fetchurl {
+      url = "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=d5efc2e6b98fe661dbd8dd0d5d5bfb961728e57a";
+      hash = "sha256-1CXYCV5zMLA4YdbCr8cO2N4CHEDzQChS9qbKYHPm3U4=";
+    };
+  }];
+
+  defconfig = "odroidxu4_defconfig";
+
+  # This extraConfig is (only) required because the gator module fails to build as-is.
+  extraConfig = ''
+
+    GATOR n
+
+    # This attempted fix applies correctly but does not fix the build.
+    #GATOR_MALI_MIDGARD_PATH ${src}/drivers/gpu/arm/midgard
+
+  '' + (args.extraConfig or "");
+
+  extraMeta.platforms = [ "armv7l-linux" ];
+
+} // (args.argsOverride or {}))
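Review bot: `kernelPatches = args.kernelPatches ++ [{` reads the attribute from `args`, but the header default `kernelPatches ? []` is not part of `args`, so evaluation fails with a missing attribute whenever the caller does not pass `kernelPatches`. `kernelPatches = (args.kernelPatches or []) ++ [{` keeps the behaviour and makes the default effective; the bare name cannot be used because the `rec` set would refer to itself. The usbip patch is fetched with `fetchurl` from a cgit `patch/?id=` URL, and such generated output can presumably change between server versions, so `fetchpatch` would likely give a more stable hash.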
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix
new file mode 100644
index 000000000000..389bae733587
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix
@@ -0,0 +1,47 @@
+{ stdenv, lib, fetchsvn, linux
+, scripts ? fetchsvn {
+    url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
+    rev = "18837";
+    sha256 = "0645lkbh5bi9a8nhdyh21h7rrw8x8pmb7la08zn7gpkmwvk3wnwx";
+  }
+, ...
+}:
+
+let
+  majorMinor = lib.versions.majorMinor linux.modDirVersion;
+
+  major = lib.versions.major linux.modDirVersion;
+  minor = lib.versions.minor linux.modDirVersion;
+  patch = lib.versions.patch linux.modDirVersion;
+
+  # See http://linux-libre.fsfla.org/pub/linux-libre/releases
+  versionPrefix = if linux.kernelOlder "5.14" then
+    "gnu1"
+  else
+    "gnu";
+in linux.override {
+  argsOverride = {
+    modDirVersion = "${linux.modDirVersion}-${versionPrefix}";
+    isLibre = true;
+
+    src = stdenv.mkDerivation {
+      name = "${linux.name}-libre-src";
+      src = linux.src;
+      buildPhase = ''
+        # --force flag to skip empty files after deblobbing
+        ${scripts}/${majorMinor}/deblob-${majorMinor} --force \
+            ${major} ${minor} ${patch}
+      '';
+      checkPhase = ''
+        ${scripts}/deblob-check
+      '';
+      installPhase = ''
+        cp -r . "$out"
+      '';
+    };
+
+    passthru.updateScript = ./update-libre.sh;
+
+    maintainers = with lib.maintainers; [ qyliss ivar ];
+  };
+}
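Review bot: The `checkPhase` that runs `${scripts}/deblob-check` is defined on the inner source derivation, but `doCheck` is not set and stdenv skips the check phase unless it is, so the deblobbed tree is never verified. Adding `doCheck = true;` next to `checkPhase` would make the verification run. Whether `deblob-check` needs arguments to inspect the unpacked tree is not visible here and should be confirmed before enabling it. The custom phases also omit `runHook`, which is a smaller style point.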
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
new file mode 100644
index 000000000000..a6a8d4936d4f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
@@ -0,0 +1,27 @@
+{ lib, buildPackages, fetchFromGitHub, perl, buildLinux, structuredExtraConfig ? {}, ... } @ args:
+let
+  mptcpVersion = "0.95.1";
+  modDirVersion = "4.19.126";
+in
+buildLinux ({
+  version = "${modDirVersion}-mptcp_v${mptcpVersion}";
+  inherit modDirVersion;
+
+  extraMeta = {
+    branch = "4.19";
+    maintainers = with lib.maintainers; [ teto layus ];
+  };
+
+  src = fetchFromGitHub {
+    owner = "multipath-tcp";
+    repo = "mptcp";
+    rev = "v${mptcpVersion}";
+    sha256 = "sha256-J9UXhkI49cq83EtojLHieRtp8fT3LXTJNIqb+mUwZdM=";
+  };
+
+  structuredExtraConfig = lib.mkMerge [
+    (import ./mptcp-config.nix { inherit lib; })
+    structuredExtraConfig
+  ];
+
+} // args)
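Review bot: Because the attribute set ends in `// args`, a `structuredExtraConfig` passed by the caller replaces the `lib.mkMerge [ ... ]` value built here, so `./mptcp-config.nix` is dropped in exactly the case the merge was written for. `version`, `src` and `extraMeta` can be overridden the same way. If the merge is meant to hold, `} // removeAttrs args [ "structuredExtraConfig" ])` keeps the other pass-through arguments and lets the merged value win. The other kernel expressions in this commit put `args` first (`args // rec { ... }`).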
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-rpi.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rpi.nix
new file mode 100644
index 000000000000..8654bc432ceb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rpi.nix
@@ -0,0 +1,85 @@
+{ stdenv, lib, buildPackages, fetchFromGitHub, perl, buildLinux, rpiVersion, ... } @ args:
+
+let
+  # NOTE: raspberrypifw & raspberryPiWirelessFirmware should be updated with this
+  modDirVersion = "5.15.32";
+  tag = "1.20220331";
+in
+lib.overrideDerivation (buildLinux (args // {
+  version = "${modDirVersion}-${tag}";
+  inherit modDirVersion;
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "linux";
+    rev = tag;
+    hash = "sha256-dJtOXe4yvZz/iu0Ly5F9/E/2GbpTJF/9ZMU3rC1nKMw=";
+  };
+
+  defconfig = {
+    "1" = "bcmrpi_defconfig";
+    "2" = "bcm2709_defconfig";
+    "3" = if stdenv.hostPlatform.isAarch64 then "bcmrpi3_defconfig" else "bcm2709_defconfig";
+    "4" = "bcm2711_defconfig";
+  }.${toString rpiVersion};
+
+  features = {
+    efiBootStub = false;
+  } // (args.features or {});
+
+  extraConfig = ''
+    # ../drivers/gpu/drm/ast/ast_mode.c:851:18: error: initialization of 'void (*)(struct drm_crtc *, struct drm_atomic_state *)' from incompatible pointer type 'void (*)(struct drm_crtc *, struct drm_crtc_state *)' [-Werror=incompatible-pointer-types]
+    #   851 |  .atomic_flush = ast_crtc_helper_atomic_flush,
+    #       |                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # ../drivers/gpu/drm/ast/ast_mode.c:851:18: note: (near initialization for 'ast_crtc_helper_funcs.atomic_flush')
+    DRM_AST n
+    # ../drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c: In function 'amdgpu_dm_atomic_commit_tail':
+    # ../drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:7757:4: error: implicit declaration of function 'is_hdr_metadata_different' [-Werror=implicit-function-declaration]
+    #  7757 |    is_hdr_metadata_different(old_con_state, new_con_state);
+    #       |    ^~~~~~~~~~~~~~~~~~~~~~~~~
+    DRM_AMDGPU n
+  '';
+
+  extraMeta = if (rpiVersion < 3) then {
+    platforms = with lib.platforms; [ arm ];
+    hydraPlatforms = [];
+  } else {
+    platforms = with lib.platforms; [ arm aarch64 ];
+    hydraPlatforms = [ "aarch64-linux" ];
+  };
+} // (args.argsOverride or {}))) (oldAttrs: {
+  postConfigure = ''
+    # The v7 defconfig has this set to '-v7' which screws up our modDirVersion.
+    sed -i $buildRoot/.config -e 's/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=""/'
+    sed -i $buildRoot/include/config/auto.conf -e 's/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=""/'
+  '';
+
+  # Make copies of the DTBs named after the upstream names so that U-Boot finds them.
+  # This is ugly as heck, but I don't know a better solution so far.
+  postFixup = ''
+    dtbDir=${if stdenv.isAarch64 then "$out/dtbs/broadcom" else "$out/dtbs"}
+    rm $dtbDir/bcm283*.dtb
+    copyDTB() {
+      cp -v "$dtbDir/$1" "$dtbDir/$2"
+    }
+  '' + lib.optionalString (lib.elem stdenv.hostPlatform.system ["armv6l-linux"]) ''
+    copyDTB bcm2708-rpi-zero-w.dtb bcm2835-rpi-zero.dtb
+    copyDTB bcm2708-rpi-zero-w.dtb bcm2835-rpi-zero-w.dtb
+    copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-a.dtb
+    copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-b.dtb
+    copyDTB bcm2708-rpi-b.dtb bcm2835-rpi-b-rev2.dtb
+    copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-a-plus.dtb
+    copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-b-plus.dtb
+    copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-zero.dtb
+    copyDTB bcm2708-rpi-cm.dtb bcm2835-rpi-cm.dtb
+  '' + lib.optionalString (lib.elem stdenv.hostPlatform.system ["armv7l-linux"]) ''
+    copyDTB bcm2709-rpi-2-b.dtb bcm2836-rpi-2-b.dtb
+  '' + lib.optionalString (lib.elem stdenv.hostPlatform.system ["armv7l-linux" "aarch64-linux"]) ''
+    copyDTB bcm2710-rpi-zero-2.dtb bcm2837-rpi-zero-2.dtb
+    copyDTB bcm2710-rpi-3-b.dtb bcm2837-rpi-3-b.dtb
+    copyDTB bcm2710-rpi-3-b-plus.dtb bcm2837-rpi-3-a-plus.dtb
+    copyDTB bcm2710-rpi-3-b-plus.dtb bcm2837-rpi-3-b-plus.dtb
+    copyDTB bcm2710-rpi-cm3.dtb bcm2837-rpi-cm3.dtb
+    copyDTB bcm2711-rpi-4-b.dtb bcm2838-rpi-4-b.dtb
+  '';
+})
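Review bot: In the armv6l block of `postFixup`, `bcm2835-rpi-zero.dtb` is written twice, first from `bcm2708-rpi-zero-w.dtb` and later from `bcm2708-rpi-b-plus.dtb`, so the second `copyDTB` silently overwrites the first. If the Zero is meant to use the zero-w tree, the later line `copyDTB bcm2708-rpi-b-plus.dtb bcm2835-rpi-zero.dtb` should be dropped; otherwise the earlier line is dead and should go. A one-line comment stating which mapping is intended would settle it for the next update.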
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
new file mode 100644
index 000000000000..58be2be6e9d2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
@@ -0,0 +1,45 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.10.131-rt72"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  # modDirVersion needs a patch number, change X.Y-rtZ to X.Y.0-rtZ.
+  modDirVersion = if (builtins.match "[^.]*[.][^.]*-.*" version) == null then version
+    else lib.replaceStrings ["-"] [".0-"] version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "1ki11mvl3dky7iih90znr47vr66dxnlwrqwg2jkk1hqn5i243i4b";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "0ag000h9m7phvgrqa4jcmd94x0rk8z8bh7qhqqlywbiz2b1b91qa";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
new file mode 100644
index 000000000000..898bd1d18ad1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
@@ -0,0 +1,41 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.4.209-rt77"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "1kdnz99k7zspzaxqaxahbf6hncigy4cvjlb79jsy7a95qxxr31qf";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "1wh5m7ychgnn33yg7gg9nlwcmmm72dixvdf77m764hs90xl8c9ig";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
new file mode 100644
index 000000000000..a1748156d098
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
@@ -0,0 +1,35 @@
+{ lib
+, fetchpatch
+, kernel
+, date ? "2022-04-25"
+, commit ? "bdf6d7c1350497bc7b0be6027a51d9330645672d"
+, diffHash ? "09bcbklvfj9i9czjdpix2iz7fvjksmavaljx8l92ay1i9fapjmhc"
+, kernelPatches # must always be defined in bcachefs' all-packages.nix entry because it's also a top-level attribute supplied by callPackage
+, argsOverride ? {}
+, ...
+} @ args:
+
+# NOTE: bcachefs-tools should be updated simultaneously to preserve compatibility
+(kernel.override ( args // {
+  argsOverride = {
+    version = "${kernel.version}-bcachefs-unstable-${date}";
+
+    extraMeta = {
+      branch = "master";
+      maintainers = with lib.maintainers; [ davidak Madouura ];
+      broken = true;
+    };
+  } // argsOverride;
+
+  kernelPatches = [ {
+      name = "bcachefs-${commit}";
+
+      patch = fetchpatch {
+        name = "bcachefs-${commit}.diff";
+        url = "https://evilpiepirate.org/git/bcachefs.git/rawdiff/?id=${commit}&id2=v${lib.versions.majorMinor kernel.version}";
+        sha256 = diffHash;
+      };
+
+      extraConfig = "BCACHEFS_FS m";
+    } ] ++ kernelPatches;
+}))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/linux-testing.nix b/nixpkgs/pkgs/os-specific/linux/kernel/linux-testing.nix
new file mode 100644
index 000000000000..a4304e9e9369
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -0,0 +1,20 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "6.0-rc1";
+  extraMeta.branch = lib.versions.majorMinor version;
+
+  # modDirVersion needs to be x.y.z, will always add .0
+  modDirVersion = if (modDirVersionArg == null) then builtins.replaceStrings ["-"] [".0-"] version else modDirVersionArg;
+
+  src = fetchurl {
+    url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz";
+    sha256 = "sha256-RReHoEYavib86K9XQKwguBYQvyQboRl7537p69P8ca0=";
+  };
+
+  # Should the testing kernels ever be built on Hydra?
+  extraMeta.hydraPlatforms = [];
+
+} // (args.argsOverride or {}))
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/mac-nvme-t2.patch b/nixpkgs/pkgs/os-specific/linux/kernel/mac-nvme-t2.patch
new file mode 100644
index 000000000000..2f1fa6a0daec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/mac-nvme-t2.patch
@@ -0,0 +1,283 @@
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index dd10cf78f2d3..8f006638452b 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -28,8 +28,8 @@
+ #include "trace.h"
+ #include "nvme.h"
+ 
+-#define SQ_SIZE(depth)		(depth * sizeof(struct nvme_command))
+-#define CQ_SIZE(depth)		(depth * sizeof(struct nvme_completion))
++#define SQ_SIZE(q)	((q)->q_depth * sizeof(struct nvme_command))
++#define CQ_SIZE(q)	((q)->q_depth * sizeof(struct nvme_completion))
+ 
+ #define SGES_PER_PAGE	(PAGE_SIZE / sizeof(struct nvme_sgl_desc))
+ 
+@@ -1344,16 +1344,16 @@ static enum blk_eh_timer_return nvme_timeout(struct request *req, bool reserved)
+ 
+ static void nvme_free_queue(struct nvme_queue *nvmeq)
+ {
+-	dma_free_coherent(nvmeq->dev->dev, CQ_SIZE(nvmeq->q_depth),
++	dma_free_coherent(nvmeq->dev->dev, CQ_SIZE(nvmeq),
+ 				(void *)nvmeq->cqes, nvmeq->cq_dma_addr);
+ 	if (!nvmeq->sq_cmds)
+ 		return;
+ 
+ 	if (test_and_clear_bit(NVMEQ_SQ_CMB, &nvmeq->flags)) {
+ 		pci_free_p2pmem(to_pci_dev(nvmeq->dev->dev),
+-				nvmeq->sq_cmds, SQ_SIZE(nvmeq->q_depth));
++				nvmeq->sq_cmds, SQ_SIZE(nvmeq));
+ 	} else {
+-		dma_free_coherent(nvmeq->dev->dev, SQ_SIZE(nvmeq->q_depth),
++		dma_free_coherent(nvmeq->dev->dev, SQ_SIZE(nvmeq),
+ 				nvmeq->sq_cmds, nvmeq->sq_dma_addr);
+ 	}
+ }
+@@ -1433,12 +1433,12 @@ static int nvme_cmb_qdepth(struct nvme_dev *dev, int nr_io_queues,
+ }
+ 
+ static int nvme_alloc_sq_cmds(struct nvme_dev *dev, struct nvme_queue *nvmeq,
+-				int qid, int depth)
++				int qid)
+ {
+ 	struct pci_dev *pdev = to_pci_dev(dev->dev);
+ 
+ 	if (qid && dev->cmb_use_sqes && (dev->cmbsz & NVME_CMBSZ_SQS)) {
+-		nvmeq->sq_cmds = pci_alloc_p2pmem(pdev, SQ_SIZE(depth));
++		nvmeq->sq_cmds = pci_alloc_p2pmem(pdev, SQ_SIZE(nvmeq));
+ 		if (nvmeq->sq_cmds) {
+ 			nvmeq->sq_dma_addr = pci_p2pmem_virt_to_bus(pdev,
+ 							nvmeq->sq_cmds);
+@@ -1447,11 +1447,11 @@ static int nvme_alloc_sq_cmds(struct nvme_dev *dev, struct nvme_queue *nvmeq,
+ 				return 0;
+ 			}
+ 
+-			pci_free_p2pmem(pdev, nvmeq->sq_cmds, SQ_SIZE(depth));
++			pci_free_p2pmem(pdev, nvmeq->sq_cmds, SQ_SIZE(nvmeq));
+ 		}
+ 	}
+ 
+-	nvmeq->sq_cmds = dma_alloc_coherent(dev->dev, SQ_SIZE(depth),
++	nvmeq->sq_cmds = dma_alloc_coherent(dev->dev, SQ_SIZE(nvmeq),
+ 				&nvmeq->sq_dma_addr, GFP_KERNEL);
+ 	if (!nvmeq->sq_cmds)
+ 		return -ENOMEM;
+@@ -1465,12 +1465,13 @@ static int nvme_alloc_queue(struct nvme_dev *dev, int qid, int depth)
+ 	if (dev->ctrl.queue_count > qid)
+ 		return 0;
+ 
+-	nvmeq->cqes = dma_alloc_coherent(dev->dev, CQ_SIZE(depth),
++	nvmeq->q_depth = depth;
++	nvmeq->cqes = dma_alloc_coherent(dev->dev, CQ_SIZE(nvmeq),
+ 					 &nvmeq->cq_dma_addr, GFP_KERNEL);
+ 	if (!nvmeq->cqes)
+ 		goto free_nvmeq;
+ 
+-	if (nvme_alloc_sq_cmds(dev, nvmeq, qid, depth))
++	if (nvme_alloc_sq_cmds(dev, nvmeq, qid))
+ 		goto free_cqdma;
+ 
+ 	nvmeq->dev = dev;
+@@ -1479,15 +1480,14 @@ static int nvme_alloc_queue(struct nvme_dev *dev, int qid, int depth)
+ 	nvmeq->cq_head = 0;
+ 	nvmeq->cq_phase = 1;
+ 	nvmeq->q_db = &dev->dbs[qid * 2 * dev->db_stride];
+-	nvmeq->q_depth = depth;
+ 	nvmeq->qid = qid;
+ 	dev->ctrl.queue_count++;
+ 
+ 	return 0;
+ 
+  free_cqdma:
+-	dma_free_coherent(dev->dev, CQ_SIZE(depth), (void *)nvmeq->cqes,
+-							nvmeq->cq_dma_addr);
++	dma_free_coherent(dev->dev, CQ_SIZE(nvmeq), (void *)nvmeq->cqes,
++			  nvmeq->cq_dma_addr);
+  free_nvmeq:
+ 	return -ENOMEM;
+ }
+@@ -1515,7 +1515,7 @@ static void nvme_init_queue(struct nvme_queue *nvmeq, u16 qid)
+ 	nvmeq->cq_head = 0;
+ 	nvmeq->cq_phase = 1;
+ 	nvmeq->q_db = &dev->dbs[qid * 2 * dev->db_stride];
+-	memset((void *)nvmeq->cqes, 0, CQ_SIZE(nvmeq->q_depth));
++	memset((void *)nvmeq->cqes, 0, CQ_SIZE(nvmeq));
+ 	nvme_dbbuf_init(dev, nvmeq, qid);
+ 	dev->online_queues++;
+ 	wmb(); /* ensure the first interrupt sees the initialization */
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index cc09b81fc7f4..716ebe87a2b8 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1986,6 +1986,7 @@ int nvme_enable_ctrl(struct nvme_ctrl *ctrl, u64 cap)
+ 	ctrl->ctrl_config = NVME_CC_CSS_NVM;
+ 	ctrl->ctrl_config |= (page_shift - 12) << NVME_CC_MPS_SHIFT;
+ 	ctrl->ctrl_config |= NVME_CC_AMS_RR | NVME_CC_SHN_NONE;
++	/* Use default IOSQES. We'll update it later if needed */
+ 	ctrl->ctrl_config |= NVME_CC_IOSQES | NVME_CC_IOCQES;
+ 	ctrl->ctrl_config |= NVME_CC_ENABLE;
+ 
+@@ -2698,6 +2699,30 @@ int nvme_init_identify(struct nvme_ctrl *ctrl)
+ 		ctrl->hmmin = le32_to_cpu(id->hmmin);
+ 		ctrl->hmminds = le32_to_cpu(id->hmminds);
+ 		ctrl->hmmaxd = le16_to_cpu(id->hmmaxd);
++
++		/* Grab required IO queue size */
++		ctrl->iosqes = id->sqes & 0xf;
++		if (ctrl->iosqes < NVME_NVM_IOSQES) {
++			dev_err(ctrl->device,
++				"unsupported required IO queue size %d\n", ctrl->iosqes);
++			ret = -EINVAL;
++			goto out_free;
++		}
++		/*
++		 * If our IO queue size isn't the default, update the setting
++		 * in CC:IOSQES.
++		 */
++		if (ctrl->iosqes != NVME_NVM_IOSQES) {
++			ctrl->ctrl_config &= ~(0xfu << NVME_CC_IOSQES_SHIFT);
++			ctrl->ctrl_config |= ctrl->iosqes << NVME_CC_IOSQES_SHIFT;
++			ret = ctrl->ops->reg_write32(ctrl, NVME_REG_CC,
++						     ctrl->ctrl_config);
++			if (ret) {
++				dev_err(ctrl->device,
++					"error updating CC register\n");
++				goto out_free;
++			}
++		}
+ 	}
+ 
+ 	ret = nvme_mpath_init(ctrl, id);
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index 716a876119c8..34ef35fcd8a5 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -244,6 +244,7 @@ struct nvme_ctrl {
+ 	u32 hmmin;
+ 	u32 hmminds;
+ 	u16 hmmaxd;
++	u8 iosqes;
+ 
+ 	/* Fabrics only */
+ 	u16 sqsize;
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 8f006638452b..54b35ea4af88 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -28,7 +28,7 @@
+ #include "trace.h"
+ #include "nvme.h"
+ 
+-#define SQ_SIZE(q)	((q)->q_depth * sizeof(struct nvme_command))
++#define SQ_SIZE(q)	((q)->q_depth << (q)->sqes)
+ #define CQ_SIZE(q)	((q)->q_depth * sizeof(struct nvme_completion))
+ 
+ #define SGES_PER_PAGE	(PAGE_SIZE / sizeof(struct nvme_sgl_desc))
+@@ -162,7 +162,7 @@ static inline struct nvme_dev *to_nvme_dev(struct nvme_ctrl *ctrl)
+ struct nvme_queue {
+ 	struct nvme_dev *dev;
+ 	spinlock_t sq_lock;
+-	struct nvme_command *sq_cmds;
++	void *sq_cmds;
+ 	 /* only used for poll queues: */
+ 	spinlock_t cq_poll_lock ____cacheline_aligned_in_smp;
+ 	volatile struct nvme_completion *cqes;
+@@ -178,6 +178,7 @@ struct nvme_queue {
+ 	u16 last_cq_head;
+ 	u16 qid;
+ 	u8 cq_phase;
++	u8 sqes;
+ 	unsigned long flags;
+ #define NVMEQ_ENABLED		0
+ #define NVMEQ_SQ_CMB		1
+@@ -488,7 +489,8 @@ static void nvme_submit_cmd(struct nvme_queue *nvmeq, struct nvme_command *cmd,
+ 			    bool write_sq)
+ {
+ 	spin_lock(&nvmeq->sq_lock);
+-	memcpy(&nvmeq->sq_cmds[nvmeq->sq_tail], cmd, sizeof(*cmd));
++	memcpy(nvmeq->sq_cmds + (nvmeq->sq_tail << nvmeq->sqes),
++	       cmd, sizeof(*cmd));
+ 	if (++nvmeq->sq_tail == nvmeq->q_depth)
+ 		nvmeq->sq_tail = 0;
+ 	nvme_write_sq_db(nvmeq, write_sq);
+@@ -1465,6 +1467,7 @@ static int nvme_alloc_queue(struct nvme_dev *dev, int qid, int depth)
+ 	if (dev->ctrl.queue_count > qid)
+ 		return 0;
+ 
++	nvmeq->sqes = qid ? dev->ctrl.iosqes : NVME_NVM_ADMSQES;
+ 	nvmeq->q_depth = depth;
+ 	nvmeq->cqes = dma_alloc_coherent(dev->dev, CQ_SIZE(nvmeq),
+ 					 &nvmeq->cq_dma_addr, GFP_KERNEL);
+diff --git a/include/linux/nvme.h b/include/linux/nvme.h
+index 01aa6a6c241d..7af18965fb57 100644
+--- a/include/linux/nvme.h
++++ b/include/linux/nvme.h
+@@ -141,6 +141,7 @@ enum {
+  * (In bytes and specified as a power of two (2^n)).
+  */
+ #define NVME_NVM_IOSQES		6
++#define NVME_NVM_ADMSQES	6
+ #define NVME_NVM_IOCQES		4
+ 
+ enum {
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 716ebe87a2b8..480ea24d8cf4 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2701,7 +2701,10 @@ int nvme_init_identify(struct nvme_ctrl *ctrl)
+ 		ctrl->hmmaxd = le16_to_cpu(id->hmmaxd);
+ 
+ 		/* Grab required IO queue size */
+-		ctrl->iosqes = id->sqes & 0xf;
++		if (ctrl->quirks & NVME_QUIRK_128_BYTES_SQES)
++			ctrl->iosqes = 7;
++		else
++			ctrl->iosqes = id->sqes & 0xf;
+ 		if (ctrl->iosqes < NVME_NVM_IOSQES) {
+ 			dev_err(ctrl->device,
+ 				"unsupported required IO queue size %d\n", ctrl->iosqes);
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index 34ef35fcd8a5..b2a78d08b984 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -92,6 +92,16 @@ enum nvme_quirks {
+ 	 * Broken Write Zeroes.
+ 	 */
+ 	NVME_QUIRK_DISABLE_WRITE_ZEROES		= (1 << 9),
++
++	/*
++	 * Use only one interrupt vector for all queues
++	 */
++	NVME_QUIRK_SINGLE_VECTOR		= (1 << 10),
++
++	/*
++	 * Use non-standard 128 bytes SQEs.
++	 */
++	NVME_QUIRK_128_BYTES_SQES		= (1 << 11),
+ };
+ 
+ /*
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 54b35ea4af88..ab2358137419 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2080,6 +2080,9 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues)
+ 	dev->io_queues[HCTX_TYPE_DEFAULT] = 1;
+ 	dev->io_queues[HCTX_TYPE_READ] = 0;
+ 
++	if (dev->ctrl.quirks & NVME_QUIRK_SINGLE_VECTOR)
++		irq_queues = 1;
++
+ 	return pci_alloc_irq_vectors_affinity(pdev, 1, irq_queues,
+ 			      PCI_IRQ_ALL_TYPES | PCI_IRQ_AFFINITY, &affd);
+ }
+@@ -3037,6 +3040,9 @@ static const struct pci_device_id nvme_id_table[] = {
+ 	{ PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2001) },
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2003) },
++	{ PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2005),
++		.driver_data = NVME_QUIRK_SINGLE_VECTOR |
++				NVME_QUIRK_128_BYTES_SQES },
+ 	{ 0, }
+ };
+ MODULE_DEVICE_TABLE(pci, nvme_id_table);
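Review bot: In the `nvme_init_identify` hunk the entry size read from the controller, `ctrl->iosqes = id->sqes & 0xf;`, is only checked against the lower bound `NVME_NVM_IOSQES`, so any device-reported value up to 15 is accepted. That value becomes the shift count in `SQ_SIZE(q)` (`(q)->q_depth << (q)->sqes`) and in the `memcpy` offset in `nvme_submit_cmd`, so it directly sizes a DMA allocation. I would add an upper bound in the non-quirk branch, for example rejecting `ctrl->iosqes > (id->sqes >> 4)` if, as I read the Identify layout, the upper nibble holds the maximum; the function bodies continue outside the inner hunks, so this needs checking against the full source. The patch file also has no header naming the upstream commits it was taken from, which is worth adding here and in p9-fixes.patch and modinst-arg-list-too-long.patch so the carried kernel changes can be audited.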
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/manual-config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/manual-config.nix
new file mode 100644
index 000000000000..7e734a4f13ab
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -0,0 +1,343 @@
+{ lib, buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl
+, libelf, cpio, elfutils, zstd, python3Minimal, zlib, pahole
+}:
+
+let
+  readConfig = configfile: import (runCommand "config.nix" {} ''
+    echo "{" > "$out"
+    while IFS='=' read key val; do
+      [ "x''${key#CONFIG_}" != "x$key" ] || continue
+      no_firstquote="''${val#\"}";
+      echo '  "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out"
+    done < "${configfile}"
+    echo "}" >> $out
+  '').outPath;
+in {
+  lib,
+  # Allow overriding stdenv on each buildLinux call
+  stdenv,
+  # The kernel version
+  version,
+  # Position of the Linux build expression
+  pos ? null,
+  # Additional kernel make flags
+  extraMakeFlags ? [],
+  # The version of the kernel module directory
+  modDirVersion ? version,
+  # The kernel source (tarball, git checkout, etc.)
+  src,
+  # a list of { name=..., patch=..., extraConfig=...} patches
+  kernelPatches ? [],
+  # The kernel .config file
+  configfile,
+  # Manually specified nixexpr representing the config
+  # If unspecified, this will be autodetected from the .config
+  config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
+  # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
+  # automatically extended with extra per-version and per-config values.
+  randstructSeed ? "",
+  # Use defaultMeta // extraMeta
+  extraMeta ? {},
+
+  # for module compatibility
+  isZen      ? false,
+  isLibre    ? false,
+  isHardened ? false,
+
+  # Whether to utilize the controversial import-from-derivation feature to parse the config
+  allowImportFromDerivation ? false,
+  # ignored
+  features ? null,
+}:
+
+let
+  inherit (lib)
+    hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms;
+
+  # Dependencies that are required to build kernel modules
+  moduleBuildDependencies = [ perl ]
+    ++ optional (lib.versionAtLeast version "4.14") libelf
+    ++ optional (lib.versionAtLeast version "5.13") zstd;
+
+
+  installkernel = buildPackages.writeShellScript "installkernel" ''
+    set -e
+    mkdir -p $4
+    cp -av $2 $4
+    cp -av $3 $4
+  '';
+
+  drvAttrs = config_: kernelConf: kernelPatches: configfile:
+    let
+      config = let attrName = attr: "CONFIG_" + attr; in {
+        isSet = attr: hasAttr (attrName attr) config;
+
+        getValue = attr: if config.isSet attr then getAttr (attrName attr) config else null;
+
+        isYes = attr: (config.getValue attr) == "y";
+
+        isNo = attr: (config.getValue attr) == "n";
+
+        isModule = attr: (config.getValue attr) == "m";
+
+        isEnabled = attr: (config.isModule attr) || (config.isYes attr);
+
+        isDisabled = attr: (!(config.isSet attr)) || (config.isNo attr);
+      } // config_;
+
+      isModular = config.isYes "MODULES";
+
+      buildDTBs = kernelConf.DTB or false;
+
+      installsFirmware = (config.isEnabled "FW_LOADER") &&
+        (isModular || (config.isDisabled "FIRMWARE_IN_KERNEL")) &&
+        (lib.versionOlder version "4.14");
+    in (optionalAttrs isModular { outputs = [ "out" "dev" ]; }) // {
+      passthru = rec {
+        inherit version modDirVersion config kernelPatches configfile
+          moduleBuildDependencies stdenv;
+        inherit isZen isHardened isLibre;
+        isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
+        baseVersion = lib.head (lib.splitString "-rc" version);
+        kernelOlder = lib.versionOlder baseVersion;
+        kernelAtLeast = lib.versionAtLeast baseVersion;
+      };
+
+      inherit src;
+
+      patches =
+        map (p: p.patch) kernelPatches
+        # Required for deterministic builds along with some postPatch magic.
+        ++ optional (lib.versionAtLeast version "4.13" && lib.versionOlder version "5.19") ./randstruct-provide-seed.patch
+        ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch
+        # Fixes determinism by normalizing metadata for the archive of kheaders
+        ++ optional (lib.versionAtLeast version "5.2" && lib.versionOlder version "5.4") ./gen-kheaders-metadata.patch;
+
+      prePatch = ''
+        for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do
+            echo "stripping FHS paths in \`$mf'..."
+            sed -i "$mf" -e 's|/usr/bin/||g ; s|/bin/||g ; s|/sbin/||g'
+        done
+        sed -i Makefile -e 's|= depmod|= ${buildPackages.kmod}/bin/depmod|'
+
+        # Don't include a (random) NT_GNU_BUILD_ID, to make the build more deterministic.
+        # This way kernels can be bit-by-bit reproducible depending on settings
+        # (e.g. MODULE_SIG and SECURITY_LOCKDOWN_LSM need to be disabled).
+        # See also https://kernelnewbies.org/BuildId
+        sed -i Makefile -e 's|--build-id=[^ ]*|--build-id=none|'
+
+        # Some linux-hardened patches now remove certain files in the scripts directory, so we cannot
+        # patch all scripts until after patches are applied.
+        # However, scripts/ld-version.sh is still ran when generating a configfile for a kernel, so it needs
+        # to be patched prior to patchPhase
+        patchShebangs scripts/ld-version.sh
+      '';
+
+      postPatch = ''
+        # Set randstruct seed to a deterministic but diversified value. Note:
+        # we could have instead patched gen-random-seed.sh to take input from
+        # the buildFlags, but that would require also patching the kernel's
+        # toplevel Makefile to add a variable export. This would be likely to
+        # cause future patch conflicts.
+        if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then
+          substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \
+            --replace NIXOS_RANDSTRUCT_SEED \
+            $(echo ${randstructSeed}${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
+        fi
+
+        patchShebangs scripts
+      '';
+
+      configurePhase = ''
+        runHook preConfigure
+
+        mkdir build
+        export buildRoot="$(pwd)/build"
+
+        echo "manual-config configurePhase buildRoot=$buildRoot pwd=$PWD"
+
+        if [ -f "$buildRoot/.config" ]; then
+          echo "Could not link $buildRoot/.config : file exists"
+          exit 1
+        fi
+        ln -sv ${configfile} $buildRoot/.config
+
+        # reads the existing .config file and prompts the user for options in
+        # the current kernel source that are not found in the file.
+        make $makeFlags "''${makeFlagsArray[@]}" oldconfig
+        runHook postConfigure
+
+        make $makeFlags "''${makeFlagsArray[@]}" prepare
+        actualModDirVersion="$(cat $buildRoot/include/config/kernel.release)"
+        if [ "$actualModDirVersion" != "${modDirVersion}" ]; then
+          echo "Error: modDirVersion ${modDirVersion} specified in the Nix expression is wrong, it should be: $actualModDirVersion"
+          exit 1
+        fi
+
+        # Note: we can get rid of this once http://permalink.gmane.org/gmane.linux.kbuild.devel/13800 is merged.
+        buildFlagsArray+=("KBUILD_BUILD_TIMESTAMP=$(date -u -d @$SOURCE_DATE_EPOCH)")
+
+        cd $buildRoot
+      '';
+
+      buildFlags = [
+        "KBUILD_BUILD_VERSION=1-NixOS"
+        kernelConf.target
+        "vmlinux"  # for "perf" and things like that
+      ] ++ optional isModular "modules"
+        ++ optional buildDTBs "dtbs"
+      ++ extraMakeFlags;
+
+      installFlags = [
+        "INSTALLKERNEL=${installkernel}"
+        "INSTALL_PATH=$(out)"
+      ] ++ (optional isModular "INSTALL_MOD_PATH=$(out)")
+      ++ optional installsFirmware "INSTALL_FW_PATH=$(out)/lib/firmware"
+      ++ optionals buildDTBs ["dtbs_install" "INSTALL_DTBS_PATH=$(out)/dtbs"];
+
+      preInstall = ''
+        installFlagsArray+=("-j$NIX_BUILD_CORES")
+      '';
+
+      # Some image types need special install targets (e.g. uImage is installed with make uinstall)
+      installTargets = [
+        (kernelConf.installTarget or (
+          /**/ if kernelConf.target == "uImage" then "uinstall"
+          else if kernelConf.target == "zImage" || kernelConf.target == "Image.gz" then "zinstall"
+          else "install"))
+      ];
+
+      postInstall = (optionalString installsFirmware ''
+        mkdir -p $out/lib/firmware
+      '') + (if isModular then ''
+        mkdir -p $dev
+        cp vmlinux $dev/
+        if [ -z "''${dontStrip-}" ]; then
+          installFlagsArray+=("INSTALL_MOD_STRIP=1")
+        fi
+        make modules_install $makeFlags "''${makeFlagsArray[@]}" \
+          $installFlags "''${installFlagsArray[@]}"
+        unlink $out/lib/modules/${modDirVersion}/build
+        unlink $out/lib/modules/${modDirVersion}/source
+
+        mkdir -p $dev/lib/modules/${modDirVersion}/{build,source}
+
+        # To save space, exclude a bunch of unneeded stuff when copying.
+        (cd .. && rsync --archive --prune-empty-dirs \
+            --exclude='/build/' \
+            * $dev/lib/modules/${modDirVersion}/source/)
+
+        cd $dev/lib/modules/${modDirVersion}/source
+
+        cp $buildRoot/{.config,Module.symvers} $dev/lib/modules/${modDirVersion}/build
+        make modules_prepare $makeFlags "''${makeFlagsArray[@]}" O=$dev/lib/modules/${modDirVersion}/build
+
+        # For reproducibility, removes accidental leftovers from a `cc1` call
+        # from a `try-run` call from the Makefile
+        rm -f $dev/lib/modules/${modDirVersion}/build/.[0-9]*.d
+
+        # Keep some extra files on some arches (powerpc, aarch64)
+        for f in arch/powerpc/lib/crtsavres.o arch/arm64/kernel/ftrace-mod.o; do
+          if [ -f "$buildRoot/$f" ]; then
+            cp $buildRoot/$f $dev/lib/modules/${modDirVersion}/build/$f
+          fi
+        done
+
+        # !!! No documentation on how much of the source tree must be kept
+        # If/when kernel builds fail due to missing files, you can add
+        # them here. Note that we may see packages requiring headers
+        # from drivers/ in the future; it adds 50M to keep all of its
+        # headers on 3.10 though.
+
+        chmod u+w -R ..
+        arch=$(cd $dev/lib/modules/${modDirVersion}/build/arch; ls)
+
+        # Remove unused arches
+        for d in $(cd arch/; ls); do
+          if [ "$d" = "$arch" ]; then continue; fi
+          if [ "$arch" = arm64 ] && [ "$d" = arm ]; then continue; fi
+          rm -rf arch/$d
+        done
+
+        # Remove all driver-specific code (50M of which is headers)
+        rm -fR drivers
+
+        # Keep all headers
+        find .  -type f -name '*.h' -print0 | xargs -0 -r chmod u-w
+
+        # Keep linker scripts (they are required for out-of-tree modules on aarch64)
+        find .  -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w
+
+        # Keep root and arch-specific Makefiles
+        chmod u-w Makefile arch/"$arch"/Makefile*
+
+        # Keep whole scripts dir
+        chmod u-w -R scripts
+
+        # Delete everything not kept
+        find . -type f -perm -u=w -print0 | xargs -0 -r rm
+
+        # Delete empty directories
+        find -empty -type d -delete
+
+        # Remove reference to kmod
+        sed -i Makefile -e 's|= ${buildPackages.kmod}/bin/depmod|= depmod|'
+      '' else optionalString installsFirmware ''
+        make firmware_install $makeFlags "''${makeFlagsArray[@]}" \
+          $installFlags "''${installFlagsArray[@]}"
+      '');
+
+      requiredSystemFeatures = [ "big-parallel" ];
+
+      meta = {
+        description =
+          "The Linux kernel" +
+          (if kernelPatches == [] then "" else
+            " (with patches: "
+            + lib.concatStringsSep ", " (map (x: x.name) kernelPatches)
+            + ")");
+        license = lib.licenses.gpl2Only;
+        homepage = "https://www.kernel.org/";
+        maintainers = lib.teams.linux-kernel.members ++ [
+          maintainers.thoughtpolice
+        ];
+        platforms = platforms.linux;
+        timeout = 14400; # 4 hours
+      } // extraMeta;
+    };
+in
+
+assert (lib.versionAtLeast version "4.14" && lib.versionOlder version "5.8") -> libelf != null;
+assert lib.versionAtLeast version "5.8" -> elfutils != null;
+
+stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile) // {
+  pname = "linux";
+  inherit version;
+
+  enableParallelBuilding = true;
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr zstd python3Minimal ]
+      ++ optional  (stdenv.hostPlatform.linux-kernel.target == "uImage") buildPackages.ubootTools
+      ++ optional  (lib.versionAtLeast version "4.14" && lib.versionOlder version "5.8") libelf
+      # Removed util-linuxMinimal since it should not be a dependency.
+      ++ optionals (lib.versionAtLeast version "4.16") [ bison flex ]
+      ++ optionals (lib.versionAtLeast version "5.2")  [ cpio pahole zlib ]
+      ++ optional  (lib.versionAtLeast version "5.8")  elfutils
+      ;
+
+  hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ];
+
+  # Absolute paths for compilers avoid any PATH-clobbering issues.
+  makeFlags = [
+    "O=$(buildRoot)"
+    "CC=${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc"
+    "HOSTCC=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc"
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ] ++ (stdenv.hostPlatform.linux-kernel.makeFlags or [])
+    ++ extraMakeFlags;
+
+  karch = stdenv.hostPlatform.linuxArch;
+} // (optionalAttrs (pos != null) { inherit pos; }))
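Review bot: `readConfig` writes each `.config` value into a generated Nix file between double quotes without escaping it, and that file is then `import`ed at evaluation time. `read` is called without `-r`, so a `\"` inside a value loses its backslash and ends the Nix string early, and a value containing `${` would be evaluated as a Nix interpolation. I would use `while IFS='=' read -r key val; do` and rewrite `${` in the value to `\${` before the `echo`; this path only runs when `allowImportFromDerivation` is true and `config` is not passed. Separately, the `postPatch` comment could state that with the default empty `randstructSeed` the seed is a hash of the `src` and `configfile` store paths, so the randomized structure layout is reproducible by anyone with the same inputs rather than secret.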
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/modinst-arg-list-too-long.patch b/nixpkgs/pkgs/os-specific/linux/kernel/modinst-arg-list-too-long.patch
new file mode 100644
index 000000000000..58a9191989ae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/modinst-arg-list-too-long.patch
@@ -0,0 +1,14 @@
+diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
+index 07650ee..934a7a8 100644
+--- a/scripts/Makefile.modinst
++++ b/scripts/Makefile.modinst
+@@ -9,7 +9,8 @@ include scripts/Kbuild.include
+ 
+ #
+ 
+-__modules := $(sort $(shell grep -h '\.ko$$' /dev/null $(wildcard $(MODVERDIR)/*.mod)))
++__modules := $(sort $(foreach f,$(wildcard $(MODVERDIR)/*.mod),$(shell \
++    grep -h '\.ko$$' '$f')))
+ modules := $(patsubst %.o,%.ko,$(wildcard $(__modules:.ko=.o)))
+ 
+ PHONY += $(modules)
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/mptcp-config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/mptcp-config.nix
new file mode 100644
index 000000000000..59b11167ac22
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/mptcp-config.nix
@@ -0,0 +1,28 @@
+{ lib }:
+with lib.kernel;
+{
+    # DRM_AMDGPU = yes;
+
+    IPV6               = yes;
+    MPTCP              = yes;
+    IP_MULTIPLE_TABLES = yes;
+
+    # Enable advanced path-managers...
+    MPTCP_PM_ADVANCED = yes;
+    MPTCP_FULLMESH = yes;
+    MPTCP_NDIFFPORTS = yes;
+    # ... but use none by default.
+    # The default is safer if source policy routing is not setup.
+    DEFAULT_DUMMY = yes;
+    DEFAULT_MPTCP_PM.freeform = "default";
+
+    # MPTCP scheduler selection.
+    MPTCP_SCHED_ADVANCED = yes;
+    DEFAULT_MPTCP_SCHED.freeform = "default";
+
+    # Smarter TCP congestion controllers
+    TCP_CONG_LIA = module;
+    TCP_CONG_OLIA = module;
+    TCP_CONG_WVEGAS = module;
+    TCP_CONG_BALIA = module;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/p9-fixes.patch b/nixpkgs/pkgs/os-specific/linux/kernel/p9-fixes.patch
new file mode 100644
index 000000000000..f6061b60667a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/p9-fixes.patch
@@ -0,0 +1,85 @@
+diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode *inode, void *data)
+ 
+ 	if (v9inode->qid.type != st->qid.type)
+ 		return 0;
++
++	if (v9inode->qid.path != st->qid.path)
++		return 0;
+ 	return 1;
+ }
+ 
+diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct inode *inode, void *data)
+ 
+ 	if (v9inode->qid.type != st->qid.type)
+ 		return 0;
++
++	if (v9inode->qid.path != st->qid.path)
++		return 0;
+ 	return 1;
+ }
+ 
+diff --git a/net/9p/client.c b/net/9p/client.c
+index 3ce672af1596..f1c8ad373f90 100644
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -749,8 +749,7 @@ p9_client_rpc(struct p9_client *c, int8_t type, const char *fmt, ...)
+ 	}
+ again:
+ 	/* Wait for the response */
+-	err = wait_event_interruptible(*req->wq,
+-				       req->status >= REQ_STATUS_RCVD);
++	err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
+ 
+ 	/*
+ 	 * Make sure our req is coherent with regard to updates in other
+diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
+index f24b25c25106..f3a4efcf1456 100644
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -286,8 +286,8 @@ p9_virtio_request(struct p9_client *client, struct p9_req_t *req)
+ 		if (err == -ENOSPC) {
+ 			chan->ring_bufs_avail = 0;
+ 			spin_unlock_irqrestore(&chan->lock, flags);
+-			err = wait_event_interruptible(*chan->vc_wq,
+-							chan->ring_bufs_avail);
++			err = wait_event_killable(*chan->vc_wq,
++						  chan->ring_bufs_avail);
+ 			if (err  == -ERESTARTSYS)
+ 				return err;
+ 
+@@ -327,7 +327,7 @@ static int p9_get_mapped_pages(struct virtio_chan *chan,
+ 		 * Other zc request to finish here
+ 		 */
+ 		if (atomic_read(&vp_pinned) >= chan->p9_max_pages) {
+-			err = wait_event_interruptible(vp_wq,
++			err = wait_event_killable(vp_wq,
+ 			      (atomic_read(&vp_pinned) < chan->p9_max_pages));
+ 			if (err == -ERESTARTSYS)
+ 				return err;
+@@ -471,8 +471,8 @@ p9_virtio_zc_request(struct p9_client *client, struct p9_req_t *req,
+ 		if (err == -ENOSPC) {
+ 			chan->ring_bufs_avail = 0;
+ 			spin_unlock_irqrestore(&chan->lock, flags);
+-			err = wait_event_interruptible(*chan->vc_wq,
+-						       chan->ring_bufs_avail);
++			err = wait_event_killable(*chan->vc_wq,
++						  chan->ring_bufs_avail);
+ 			if (err  == -ERESTARTSYS)
+ 				goto err_out;
+ 
+@@ -489,8 +489,7 @@ p9_virtio_zc_request(struct p9_client *client, struct p9_req_t *req,
+ 	virtqueue_kick(chan->vq);
+ 	spin_unlock_irqrestore(&chan->lock, flags);
+ 	p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n");
+-	err = wait_event_interruptible(*req->wq,
+-				       req->status >= REQ_STATUS_RCVD);
++	err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
+ 	/*
+ 	 * Non kernel buffers are pinned, unpin them
+ 	 */
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/patches.nix b/nixpkgs/pkgs/os-specific/linux/kernel/patches.nix
new file mode 100644
index 000000000000..f64a0a0ef158
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/patches.nix
@@ -0,0 +1,106 @@
+{ lib, fetchpatch, fetchurl }:
+
+{
+  ath_regd_optional = rec {
+    name = "ath_regd_optional";
+    patch = fetchpatch {
+      name = name + ".patch";
+      url = "https://github.com/openwrt/openwrt/raw/ed2015c38617ed6624471e77f27fbb0c58c8c660/package/kernel/mac80211/patches/ath/402-ath_regd_optional.patch";
+      sha256 = "1ssDXSweHhF+pMZyd6kSrzeW60eb6MO6tlf0il17RC0=";
+      postFetch = ''
+        sed -i 's/CPTCFG_/CONFIG_/g' $out
+        sed -i '/--- a\/local-symbols/,$d' $out
+      '';
+    };
+  };
+
+  bridge_stp_helper =
+    { name = "bridge-stp-helper";
+      patch = ./bridge-stp-helper.patch;
+    };
+
+  request_key_helper =
+    { name = "request-key-helper";
+      patch = ./request-key-helper.patch;
+    };
+
+  request_key_helper_updated =
+    { name = "request-key-helper-updated";
+      patch = ./request-key-helper-updated.patch;
+    };
+
+  p9_fixes =
+    { name = "p9-fixes";
+      patch = ./p9-fixes.patch;
+    };
+
+  modinst_arg_list_too_long =
+    { name = "modinst-arglist-too-long";
+      patch = ./modinst-arg-list-too-long.patch;
+    };
+
+  genksyms_fix_segfault =
+    { name = "genksyms-fix-segfault";
+      patch = ./genksyms-fix-segfault.patch;
+    };
+
+  cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches;
+
+  hardened = let
+    mkPatch = kernelVersion: { version, sha256, patch }: let src = patch; in {
+      name = lib.removeSuffix ".patch" src.name;
+      patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src);
+      extra = src.extra;
+      inherit version sha256;
+    };
+    patches = lib.importJSON ./hardened/patches.json;
+  in lib.mapAttrs mkPatch patches;
+
+  # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
+  iwlwifi_mvm_support_version_7_scan_req_umac_fw_command = rec {
+    name = "iwlwifi_mvm_support_version_7_scan_req_umac_fw_command";
+    patch = fetchpatch {
+      name = name + ".patch";
+      url = "https://bugzilla.kernel.org/attachment.cgi?id=260597";
+      sha256 = "09096npxpgvlwdz3pb3m9brvxh7vy0xc9z9p8hh85xyczyzcsjhr";
+    };
+  };
+
+  # https://github.com/NixOS/nixpkgs/issues/42755
+  xen-netfront_fix_mismatched_rtnl_unlock = rec {
+    name = "xen-netfront_fix_mismatched_rtnl_unlock";
+    patch = fetchpatch {
+      name = name + ".patch";
+      url = "https://github.com/torvalds/linux/commit/cb257783c2927b73614b20f915a91ff78aa6f3e8.patch";
+      sha256 = "0xhblx2j8wi3kpnfpgjjwlcwdry97ji2aaq54r3zirk5g5p72zs8";
+    };
+  };
+
+  # https://github.com/NixOS/nixpkgs/issues/42755
+  xen-netfront_update_features_after_registering_netdev = rec {
+    name = "xen-netfront_update_features_after_registering_netdev";
+    patch = fetchpatch {
+      name = name + ".patch";
+      url = "https://github.com/torvalds/linux/commit/45c8184c1bed1ca8a7f02918552063a00b909bf5.patch";
+      sha256 = "1l8xq02rd7vakxg52xm9g4zng0ald866rpgm8kjlh88mwwyjkrwv";
+    };
+  };
+
+  # Adapted for Linux 5.4 from:
+  # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=04896832c94aae4842100cafb8d3a73e1bed3a45
+  rtl8761b_support =
+    { name = "rtl8761b-support";
+      patch = ./rtl8761b-support.patch;
+    };
+
+  export-rt-sched-migrate = {
+    name = "export-rt-sched-migrate";
+    patch = ./export-rt-sched-migrate.patch;
+  };
+
+  # patches from https://lkml.org/lkml/2019/7/15/1748
+  mac_nvme_t2 = rec {
+    name = "mac_nvme_t2";
+    patch = ./mac-nvme-t2.patch;
+  };
+}
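Review bot: The `postFetch` of `ath_regd_optional` rewrites the fetched patch with two uncommented `sed` calls, and the second one, `sed -i '/--- a\/local-symbols/,$d' $out`, deletes everything from the `local-symbols` section to the end of the file, so it depends on that section being the last one in the upstream patch. A comment above each call would make the intent reviewable, for example `# rename CPTCFG_ symbols to the in-tree CONFIG_ prefix` and `# drop the local-symbols section and everything after it (must be last upstream)`. The pinned `sha256` covers the post-processed output, so the edits are integrity-checked, but the reader still has to guess what was removed. `$out` should also be quoted in both calls.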
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/perf/5.19-binutils-2.39-support.patch b/nixpkgs/pkgs/os-specific/linux/kernel/perf/5.19-binutils-2.39-support.patch
new file mode 100644
index 000000000000..5f4f2fc0b4a9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/perf/5.19-binutils-2.39-support.patch
@@ -0,0 +1,352 @@
+Fetched as:
+    $ wget 'https://github.com/torvalds/linux/compare/00b32625982e0c796f0abb8effcac9c05ef55bd3...600b7b26c07a070d0153daa76b3806c1e52c9e00.patch'
+
+Adds support for binutils-2.39 API change around init_disassemble_info().
+--- a/tools/build/Makefile.feature
++++ b/tools/build/Makefile.feature
+@@ -70,6 +70,7 @@ FEATURE_TESTS_BASIC :=                  \
+         libaio				\
+         libzstd				\
+         disassembler-four-args		\
++        disassembler-init-styled	\
+         file-handle
+ 
+ # FEATURE_TESTS_BASIC + FEATURE_TESTS_EXTRA is the complete list
+--- a/tools/build/feature/Makefile
++++ b/tools/build/feature/Makefile
+@@ -18,6 +18,7 @@ FILES=                                          \
+          test-libbfd.bin                        \
+          test-libbfd-buildid.bin		\
+          test-disassembler-four-args.bin        \
++         test-disassembler-init-styled.bin	\
+          test-reallocarray.bin			\
+          test-libbfd-liberty.bin                \
+          test-libbfd-liberty-z.bin              \
+@@ -248,6 +249,9 @@ $(OUTPUT)test-libbfd-buildid.bin:
+ $(OUTPUT)test-disassembler-four-args.bin:
+ 	$(BUILD) -DPACKAGE='"perf"' -lbfd -lopcodes
+ 
++$(OUTPUT)test-disassembler-init-styled.bin:
++	$(BUILD) -DPACKAGE='"perf"' -lbfd -lopcodes
++
+ $(OUTPUT)test-reallocarray.bin:
+ 	$(BUILD)
+ 
+--- a/tools/build/feature/test-all.c
++++ b/tools/build/feature/test-all.c
+@@ -166,6 +166,10 @@
+ # include "test-disassembler-four-args.c"
+ #undef main
+ 
++#define main main_test_disassembler_init_styled
++# include "test-disassembler-init-styled.c"
++#undef main
++
+ #define main main_test_libzstd
+ # include "test-libzstd.c"
+ #undef main
+--- /dev/null
++++ b/tools/build/feature/test-disassembler-init-styled.c
+@@ -0,0 +1,13 @@
++// SPDX-License-Identifier: GPL-2.0
++#include <stdio.h>
++#include <dis-asm.h>
++
++int main(void)
++{
++	struct disassemble_info info;
++
++	init_disassemble_info(&info, stdout,
++			      NULL, NULL);
++
++	return 0;
++}
+
+--- a/tools/build/Makefile.feature
++++ b/tools/build/Makefile.feature
+@@ -135,8 +135,7 @@ FEATURE_DISPLAY ?=              \
+          get_cpuid              \
+          bpf			\
+          libaio			\
+-         libzstd		\
+-         disassembler-four-args
++         libzstd
+ 
+ # Set FEATURE_CHECK_(C|LD)FLAGS-all for all FEATURE_TESTS features.
+ # If in the future we need per-feature checks/flags for features not
+
+--- /dev/null
++++ b/tools/include/tools/dis-asm-compat.h
+@@ -0,0 +1,55 @@
++/* SPDX-License-Identifier: GPL-2.0-only OR BSD-2-Clause */
++#ifndef _TOOLS_DIS_ASM_COMPAT_H
++#define _TOOLS_DIS_ASM_COMPAT_H
++
++#include <stdio.h>
++#include <dis-asm.h>
++
++/* define types for older binutils version, to centralize ifdef'ery a bit */
++#ifndef DISASM_INIT_STYLED
++enum disassembler_style {DISASSEMBLER_STYLE_NOT_EMPTY};
++typedef int (*fprintf_styled_ftype) (void *, enum disassembler_style, const char*, ...);
++#endif
++
++/*
++ * Trivial fprintf wrapper to be used as the fprintf_styled_func argument to
++ * init_disassemble_info_compat() when normal fprintf suffices.
++ */
++static inline int fprintf_styled(void *out,
++				 enum disassembler_style style,
++				 const char *fmt, ...)
++{
++	va_list args;
++	int r;
++
++	(void)style;
++
++	va_start(args, fmt);
++	r = vfprintf(out, fmt, args);
++	va_end(args);
++
++	return r;
++}
++
++/*
++ * Wrapper for init_disassemble_info() that hides version
++ * differences. Depending on binutils version and architecture either
++ * fprintf_func or fprintf_styled_func will be called.
++ */
++static inline void init_disassemble_info_compat(struct disassemble_info *info,
++						void *stream,
++						fprintf_ftype unstyled_func,
++						fprintf_styled_ftype styled_func)
++{
++#ifdef DISASM_INIT_STYLED
++	init_disassemble_info(info, stream,
++			      unstyled_func,
++			      styled_func);
++#else
++	(void)styled_func;
++	init_disassemble_info(info, stream,
++			      unstyled_func);
++#endif
++}
++
++#endif /* _TOOLS_DIS_ASM_COMPAT_H */
+
+--- a/tools/perf/Makefile.config
++++ b/tools/perf/Makefile.config
+@@ -298,6 +298,7 @@ FEATURE_CHECK_LDFLAGS-libpython := $(PYTHON_EMBED_LDOPTS)
+ FEATURE_CHECK_LDFLAGS-libaio = -lrt
+ 
+ FEATURE_CHECK_LDFLAGS-disassembler-four-args = -lbfd -lopcodes -ldl
++FEATURE_CHECK_LDFLAGS-disassembler-init-styled = -lbfd -lopcodes -ldl
+ 
+ CORE_CFLAGS += -fno-omit-frame-pointer
+ CORE_CFLAGS += -ggdb3
+@@ -924,13 +925,16 @@ ifndef NO_LIBBFD
+     ifeq ($(feature-libbfd-liberty), 1)
+       EXTLIBS += -lbfd -lopcodes -liberty
+       FEATURE_CHECK_LDFLAGS-disassembler-four-args += -liberty -ldl
++      FEATURE_CHECK_LDFLAGS-disassembler-init-styled += -liberty -ldl
+     else
+       ifeq ($(feature-libbfd-liberty-z), 1)
+         EXTLIBS += -lbfd -lopcodes -liberty -lz
+         FEATURE_CHECK_LDFLAGS-disassembler-four-args += -liberty -lz -ldl
++        FEATURE_CHECK_LDFLAGS-disassembler-init-styled += -liberty -lz -ldl
+       endif
+     endif
+     $(call feature_check,disassembler-four-args)
++    $(call feature_check,disassembler-init-styled)
+   endif
+ 
+   ifeq ($(feature-libbfd-buildid), 1)
+@@ -1044,6 +1048,10 @@ ifeq ($(feature-disassembler-four-args), 1)
+     CFLAGS += -DDISASM_FOUR_ARGS_SIGNATURE
+ endif
+ 
++ifeq ($(feature-disassembler-init-styled), 1)
++    CFLAGS += -DDISASM_INIT_STYLED
++endif
++
+ ifeq (${IS_64_BIT}, 1)
+   ifndef NO_PERF_READ_VDSO32
+     $(call feature_check,compile-32)
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -1720,6 +1720,7 @@ static int dso__disassemble_filename(struct dso *dso, char *filename, size_t fil
+ #include <bpf/btf.h>
+ #include <bpf/libbpf.h>
+ #include <linux/btf.h>
++#include <tools/dis-asm-compat.h>
+ 
+ static int symbol__disassemble_bpf(struct symbol *sym,
+ 				   struct annotate_args *args)
+@@ -1762,9 +1763,9 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+ 		ret = errno;
+ 		goto out;
+ 	}
+-	init_disassemble_info(&info, s,
+-			      (fprintf_ftype) fprintf);
+-
++	init_disassemble_info_compat(&info, s,
++				     (fprintf_ftype) fprintf,
++				     fprintf_styled);
+ 	info.arch = bfd_get_arch(bfdf);
+ 	info.mach = bfd_get_mach(bfdf);
+ 
+
+--- a/tools/bpf/Makefile
++++ b/tools/bpf/Makefile
+@@ -34,7 +34,7 @@ else
+ endif
+ 
+ FEATURE_USER = .bpf
+-FEATURE_TESTS = libbfd disassembler-four-args
++FEATURE_TESTS = libbfd disassembler-four-args disassembler-init-styled
+ FEATURE_DISPLAY = libbfd disassembler-four-args
+ 
+ check_feat := 1
+@@ -56,6 +56,9 @@ endif
+ ifeq ($(feature-disassembler-four-args), 1)
+ CFLAGS += -DDISASM_FOUR_ARGS_SIGNATURE
+ endif
++ifeq ($(feature-disassembler-init-styled), 1)
++CFLAGS += -DDISASM_INIT_STYLED
++endif
+ 
+ $(OUTPUT)%.yacc.c: $(srctree)/tools/bpf/%.y
+ 	$(QUIET_BISON)$(YACC) -o $@ -d $<
+--- a/tools/bpf/bpf_jit_disasm.c
++++ b/tools/bpf/bpf_jit_disasm.c
+@@ -28,6 +28,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <limits.h>
++#include <tools/dis-asm-compat.h>
+ 
+ #define CMD_ACTION_SIZE_BUFFER		10
+ #define CMD_ACTION_READ_ALL		3
+@@ -64,7 +65,9 @@ static void get_asm_insns(uint8_t *image, size_t len, int opcodes)
+ 	assert(bfdf);
+ 	assert(bfd_check_format(bfdf, bfd_object));
+ 
+-	init_disassemble_info(&info, stdout, (fprintf_ftype) fprintf);
++	init_disassemble_info_compat(&info, stdout,
++				     (fprintf_ftype) fprintf,
++				     fprintf_styled);
+ 	info.arch = bfd_get_arch(bfdf);
+ 	info.mach = bfd_get_mach(bfdf);
+ 	info.buffer = image;
+
+--- a/tools/bpf/Makefile
++++ b/tools/bpf/Makefile
+@@ -35,7 +35,7 @@ endif
+ 
+ FEATURE_USER = .bpf
+ FEATURE_TESTS = libbfd disassembler-four-args disassembler-init-styled
+-FEATURE_DISPLAY = libbfd disassembler-four-args
++FEATURE_DISPLAY = libbfd
+ 
+ check_feat := 1
+ NON_CHECK_FEAT_TARGETS := clean bpftool_clean runqslower_clean resolve_btfids_clean
+
+--- a/tools/bpf/bpftool/Makefile
++++ b/tools/bpf/bpftool/Makefile
+@@ -93,7 +93,7 @@ INSTALL ?= install
+ RM ?= rm -f
+ 
+ FEATURE_USER = .bpftool
+-FEATURE_TESTS = libbfd disassembler-four-args zlib libcap \
++FEATURE_TESTS = libbfd disassembler-four-args disassembler-init-styled zlib libcap \
+ 	clang-bpf-co-re
+ FEATURE_DISPLAY = libbfd disassembler-four-args zlib libcap \
+ 	clang-bpf-co-re
+@@ -117,6 +117,9 @@ endif
+ ifeq ($(feature-disassembler-four-args), 1)
+ CFLAGS += -DDISASM_FOUR_ARGS_SIGNATURE
+ endif
++ifeq ($(feature-disassembler-init-styled), 1)
++    CFLAGS += -DDISASM_INIT_STYLED
++endif
+ 
+ LIBS = $(LIBBPF) -lelf -lz
+ LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
+--- a/tools/bpf/bpftool/jit_disasm.c
++++ b/tools/bpf/bpftool/jit_disasm.c
+@@ -24,6 +24,7 @@
+ #include <sys/stat.h>
+ #include <limits.h>
+ #include <bpf/libbpf.h>
++#include <tools/dis-asm-compat.h>
+ 
+ #include "json_writer.h"
+ #include "main.h"
+@@ -39,15 +40,12 @@ static void get_exec_path(char *tpath, size_t size)
+ }
+ 
+ static int oper_count;
+-static int fprintf_json(void *out, const char *fmt, ...)
++static int printf_json(void *out, const char *fmt, va_list ap)
+ {
+-	va_list ap;
+ 	char *s;
+ 	int err;
+ 
+-	va_start(ap, fmt);
+ 	err = vasprintf(&s, fmt, ap);
+-	va_end(ap);
+ 	if (err < 0)
+ 		return -1;
+ 
+@@ -73,6 +71,32 @@ static int fprintf_json(void *out, const char *fmt, ...)
+ 	return 0;
+ }
+ 
++static int fprintf_json(void *out, const char *fmt, ...)
++{
++	va_list ap;
++	int r;
++
++	va_start(ap, fmt);
++	r = printf_json(out, fmt, ap);
++	va_end(ap);
++
++	return r;
++}
++
++static int fprintf_json_styled(void *out,
++			       enum disassembler_style style __maybe_unused,
++			       const char *fmt, ...)
++{
++	va_list ap;
++	int r;
++
++	va_start(ap, fmt);
++	r = printf_json(out, fmt, ap);
++	va_end(ap);
++
++	return r;
++}
++
+ void disasm_print_insn(unsigned char *image, ssize_t len, int opcodes,
+ 		       const char *arch, const char *disassembler_options,
+ 		       const struct btf *btf,
+@@ -99,11 +123,13 @@ void disasm_print_insn(unsigned char *image, ssize_t len, int opcodes,
+ 	assert(bfd_check_format(bfdf, bfd_object));
+ 
+ 	if (json_output)
+-		init_disassemble_info(&info, stdout,
+-				      (fprintf_ftype) fprintf_json);
++		init_disassemble_info_compat(&info, stdout,
++					     (fprintf_ftype) fprintf_json,
++					     fprintf_json_styled);
+ 	else
+-		init_disassemble_info(&info, stdout,
+-				      (fprintf_ftype) fprintf);
++		init_disassemble_info_compat(&info, stdout,
++					     (fprintf_ftype) fprintf,
++					     fprintf_styled);
+ 
+ 	/* Update architecture info for offload. */
+ 	if (arch) {
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/perf/default.nix b/nixpkgs/pkgs/os-specific/linux/kernel/perf/default.nix
new file mode 100644
index 000000000000..d481eea7e753
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/perf/default.nix
@@ -0,0 +1,85 @@
+{ lib, stdenv, fetchpatch, kernel, elfutils, python2, python3, perl, newt, slang, asciidoc, xmlto, makeWrapper
+, docbook_xsl, docbook_xml_dtd_45, libxslt, flex, bison, pkg-config, libunwind, binutils-unwrapped
+, libiberty, audit, libbfd, libopcodes, openssl, systemtap, numactl
+, zlib
+, withGtk ? false, gtk2
+, withZstd ? true, zstd
+, withLibcap ? true, libcap
+}:
+
+stdenv.mkDerivation {
+  pname = "perf-linux";
+  version = kernel.version;
+
+  inherit (kernel) src;
+
+  patches = lib.optionals (lib.versionAtLeast kernel.version "5.19" && lib.versionOlder kernel.version "5.20") [
+    # binutils-2.39 support around init_disassemble_info()
+    # API change.
+    # Will be included in 5.20.
+    ./5.19-binutils-2.39-support.patch
+  ];
+
+  preConfigure = ''
+    cd tools/perf
+
+    substituteInPlace Makefile \
+      --replace /usr/include/elfutils $elfutils/include/elfutils
+
+    for x in util/build-id.c util/dso.c; do
+      substituteInPlace $x --replace /usr/lib/debug /run/current-system/sw/lib/debug
+    done
+
+    if [ -f bash_completion ]; then
+      sed -i 's,^have perf,_have perf,' bash_completion
+    fi
+  '';
+
+  makeFlags = ["prefix=$(out)" "WERROR=0"] ++ kernel.makeFlags;
+
+  hardeningDisable = [ "format" ];
+
+  # perf refers both to newt and slang
+  nativeBuildInputs = [
+    asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt
+    flex bison libiberty audit makeWrapper pkg-config python3
+  ];
+  buildInputs = [
+    elfutils newt slang libunwind libbfd zlib openssl systemtap.stapBuild numactl
+    libopcodes python3 perl
+  ] ++ lib.optional withGtk gtk2
+    ++ (if (lib.versionAtLeast kernel.version "4.19") then [ python3 ] else [ python2 ])
+    ++ lib.optional withZstd zstd
+    ++ lib.optional withLibcap libcap;
+
+  NIX_CFLAGS_COMPILE = toString [
+    "-Wno-error=cpp"
+    "-Wno-error=bool-compare"
+    "-Wno-error=deprecated-declarations"
+    "-Wno-error=stringop-truncation"
+  ];
+
+  postPatch = ''
+    patchShebangs scripts
+  '';
+
+  doCheck = false; # requires "sparse"
+  doInstallCheck = false; # same
+
+  separateDebugInfo = true;
+  installFlags = [ "install" "install-man" "ASCIIDOC8=1" "prefix=$(out)" ];
+
+  preFixup = ''
+    # pull in 'objdump' into PATH to make annotations work
+    wrapProgram $out/bin/perf \
+      --prefix PATH : "${binutils-unwrapped}/bin"
+  '';
+
+  meta = with lib; {
+    homepage = "https://perf.wiki.kernel.org/";
+    description = "Linux tools to profile with performance counters";
+    maintainers = with maintainers; [ viric ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5";
+  };
+}
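Review bot: The `python2` branch in `buildInputs` is unreachable for every kernel this derivation supports: `broken = kernel.kernelOlder "5"` rules out anything below 5, `python2` is only selected below 4.19, and `python3` is already listed unconditionally two lines earlier. Dropping `++ (if (lib.versionAtLeast kernel.version "4.19") then [ python3 ] else [ python2 ])` together with the `python2` argument keeps an end-of-life interpreter out of the closure of anyone who overrides `broken`. Separately, `hardeningDisable = [ "format" ]` turns off a hardening flag without a comment; a line such as `# perf fails to build with -Werror=format-security (TODO confirm)` would record the reason so the flag can be restored later.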
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed-5.19.patch b/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed-5.19.patch
new file mode 100644
index 000000000000..5ca897a76bf6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed-5.19.patch
@@ -0,0 +1,13 @@
+diff --git a/scripts/gen-randstruct-seed.sh b/scripts/gen-randstruct-seed.sh
+index 61017b36c464..7bb494dd2e18 100755
+--- a/scripts/gen-randstruct-seed.sh
++++ b/scripts/gen-randstruct-seed.sh
+@@ -1,7 +1,7 @@
+ #!/bin/sh
+ # SPDX-License-Identifier: GPL-2.0
+ 
+-SEED=$(od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n')
++SEED="NIXOS_RANDSTRUCT_SEED"
+ echo "$SEED" > "$1"
+ HASH=$(echo -n "$SEED" | sha256sum | cut -d" " -f1)
+ echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"
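Review bot: With `SEED="NIXOS_RANDSTRUCT_SEED"` the script writes the same literal seed for every build unless something replaces that token before the script runs, and no such substitution is visible in this patch. A kernel built with the literal would have a structure layout anyone can reproduce, which removes the benefit of layout randomisation. The patch should carry a header line above `diff --git` that says so, for example `NIXOS_RANDSTRUCT_SEED is a placeholder; the kernel build must substitute it before this script runs (see <build expression>)`, and the build would ideally fail if the token is still present afterwards. The same applies to `randstruct-provide-seed.patch` below, which makes the identical replacement in `scripts/gcc-plugins/gen-random-seed.sh`.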
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch b/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch
new file mode 100644
index 000000000000..1328b9cee3c9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch
@@ -0,0 +1,12 @@
+diff -ru a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh
+--- a/scripts/gcc-plugins/gen-random-seed.sh	2019-01-11 11:50:29.228258920 +0100
++++ b/scripts/gcc-plugins/gen-random-seed.sh	2019-01-11 12:18:33.555902720 +0100
+@@ -2,7 +2,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ 
+ if [ ! -f "$1" ]; then
+-	SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
++	SEED="NIXOS_RANDSTRUCT_SEED"
+ 	echo "const char *randstruct_seed = \"$SEED\";" > "$1"
+ 	HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'`
+ 	echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper-updated.patch b/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper-updated.patch
new file mode 100644
index 000000000000..aabb9e801be4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper-updated.patch
@@ -0,0 +1,13 @@
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 88172c163953..4da74a1eebb2 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -161,7 +161,7 @@ static int call_sbin_request_key(struct key_construction *cons,
+
+	/* set up the argument list */
+	i = 0;
+-	argv[i++] = "/sbin/request-key";
++	argv[i++] = "/run/current-system/sw/bin/request-key";
+	argv[i++] = (char *) op;
+	argv[i++] = key_str;
+	argv[i++] = uid_str;
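Review bot: The new helper path `/run/current-system/sw/bin/request-key` is executed by the kernel as a usermode helper, so whatever that path resolves to runs with kernel-granted privileges, yet the patch has no header explaining the choice or what it assumes. I would add a description above the `diff --git` line, such as `NixOS has no /sbin; point the request-key upcall at the system profile. The helper is only present when keyutils is in the system path.` (the second sentence is my assumption and should be confirmed). `request-key-helper.patch` below makes the same substitution for the other kernel series and needs the same header. `call_sbin_request_key` continues outside the hunk.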
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper.patch b/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper.patch
new file mode 100644
index 000000000000..8264e265aedf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/request-key-helper.patch
@@ -0,0 +1,13 @@
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 957b9e3e1492..5436a0d8b81d 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -114,7 +114,7 @@ static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
+  */
+ static int call_sbin_request_key(struct key *authkey, void *aux)
+ {
+-	static char const request_key[] = "/sbin/request-key";
++	static char const request_key[] = "/run/current-system/sw/bin/request-key";
+ 	struct request_key_auth *rka = get_request_key_auth(authkey);
+ 	const struct cred *cred = current_cred();
+ 	key_serial_t prkey, sskey;
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/rtl8761b-support.patch b/nixpkgs/pkgs/os-specific/linux/kernel/rtl8761b-support.patch
new file mode 100644
index 000000000000..b6d80d5bc8d3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/rtl8761b-support.patch
@@ -0,0 +1,33 @@
+diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
+index 67f4bc21e7c5..3a9afc905f24 100644
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -130,12 +130,19 @@  static const struct id_table ic_id_table[] = {
+ 	  .cfg_name = "rtl_bt/rtl8821c_config" },
+
+ 	/* 8761A */
+-	{ IC_MATCH_FL_LMPSUBV, RTL_ROM_LMP_8761A, 0x0,
++	{ IC_INFO(RTL_ROM_LMP_8761A, 0xa),
+ 	  .config_needed = false,
+ 	  .has_rom_version = true,
+ 	  .fw_name  = "rtl_bt/rtl8761a_fw.bin",
+ 	  .cfg_name = "rtl_bt/rtl8761a_config" },
+
++	/* 8761B */
++	{ IC_INFO(RTL_ROM_LMP_8761A, 0xb),
++	  .config_needed = false,
++	  .has_rom_version = true,
++	  .fw_name  = "rtl_bt/rtl8761b_fw.bin",
++	  .cfg_name = "rtl_bt/rtl8761b_config" },
++
+	/* 8822C with USB interface */
+	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc),
+	  .config_needed = false,
+@@ -251,6 +258,7 @@  static int rtlbt_parse_firmware(struct hci_dev *hdev,
+ 		{ RTL_ROM_LMP_8723B, 9 },	/* 8723D */
+ 		{ RTL_ROM_LMP_8821A, 10 },	/* 8821C */
+ 		{ RTL_ROM_LMP_8822B, 13 },	/* 8822C */
++		{ RTL_ROM_LMP_8761A, 14 },	/* 8761B */
+ 	};
+
+ 	min_size = sizeof(struct rtl_epatch_header) + sizeof(extension_sig) + 3;
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/update-libre.sh b/nixpkgs/pkgs/os-specific/linux/kernel/update-libre.sh
new file mode 100755
index 000000000000..aea12df55cc5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/update-libre.sh
@@ -0,0 +1,33 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p nix-prefetch-svn git curl
+set -euo pipefail
+
+nixpkgs="$(git rev-parse --show-toplevel)"
+path="$nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix"
+
+old_rev="$(grep -o 'rev = ".*"' "$path" | awk -F'"' '{print $2}')"
+old_sha256="$(grep -o 'sha256 = ".*"' "$path" | awk -F'"' '{print $2}')"
+
+svn_url=https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/
+rev="$(curl -s "$svn_url" | grep -Em 1 -o 'Revision [0-9]+' | awk '{print $2}')"
+
+if [ "$old_rev" = "$rev" ]; then
+    echo "No updates for linux-libre"
+    exit 0
+fi
+
+sha256="$(QUIET=1 nix-prefetch-svn "$svn_url" "$rev" | tail -1)"
+
+if [ "$old_sha256" = "$sha256" ]; then
+    echo "No updates for linux-libre"
+    exit 0
+fi
+
+sed -i -e "s/rev = \".*\"/rev = \"$rev\"/" \
+    -e "s/sha256 = \".*\"/sha256 = \"$sha256\"/" "$path"
+
+if [ -n "${COMMIT-}" ]; then
+    git commit -qm "linux_latest-libre: $old_rev -> $rev" "$path" \
+       $nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix
+    echo "Updated linux_latest-libre $old_rev -> $rev"
+fi
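Review bot: The final `git commit` passes the same file twice, once as `"$path"` and again as an unquoted `$nixpkgs/pkgs/os-specific/linux/kernel/linux-libre.nix`, which word-splits if the checkout path contains whitespace. The second argument can simply go: `git commit -qm "linux_latest-libre: $old_rev -> $rev" "$path"`. Also, `curl -s "$svn_url"` has no `-f`, so an HTTP error page is parsed as if it were the directory listing; `curl -fsS "$svn_url"` would fail loudly instead.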
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/update-rt.sh b/nixpkgs/pkgs/os-specific/linux/kernel/update-rt.sh
new file mode 100755
index 000000000000..a9e0577fae92
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/update-rt.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# To update all rt kernels run: ./update-rt.sh
+
+# To update just one ./linux-rt-5.X.nix run: ./update-rt.sh ./linux-rt-5.X.nix
+
+# To add a new kernel branch 5.Y run: ./update-rt.sh ./linux-rt-5.Y.nix
+# (with nonexistent .nix file) and update all-packages.nix.
+
+# To commit run with: env COMMIT=1
+
+mirror=https://kernel.org/pub/linux/kernel
+
+main() {
+    if [ $# -ge 1 ]; then
+        update-if-needed "$1"
+    else
+        update-all-if-needed
+    fi
+}
+
+update-all-if-needed() {
+    for f in "$(dirname "$0")"/linux-rt-*.nix; do
+        update-if-needed "$f"
+    done
+}
+
+file-version() {
+    file="$1" # e.g. ./linux-rt-5.4.nix
+    if [ -e "$file" ]; then
+        grep ' version = ' "$file" | grep -o '[0-9].[^"]*'
+    fi
+}
+
+latest-rt-version() {
+    branch="$1" # e.g. 5.4
+    curl -sL "$mirror/projects/rt/$branch/sha256sums.asc" |
+        sed -ne '/.patch.xz/ { s/.*patch-\(.*\).patch.xz/\1/p}' |
+        grep -v '\-rc' |
+        sort --version-sort |
+        tail -n 1
+}
+
+update-if-needed() {
+    file="$1" # e.g. ./linux-rt-5.4.nix (created if does not exist)
+    branch=$(basename "$file" .nix) # e.g. linux-rt-5.4
+    branch=${branch#linux-rt-} # e.g. 5.4
+    cur=$(file-version "$file") # e.g. 5.4.59-rt36 or empty
+    new=$(latest-rt-version "$branch") # e.g. 5.4.61-rt37
+    kversion=${new%-*} # e.g. 5.4.61
+    major=${branch%.*} # e.g 5
+    nixattr="linux-rt_${branch/./_}"
+    if [ "$new" = "$cur" ]; then
+        echo "$nixattr: $cur (up-to-date)"
+        return
+    fi
+    khash=$(nix-prefetch-url "$mirror/v${major}.x/linux-${kversion}.tar.xz")
+    phash=$(nix-prefetch-url "$mirror/projects/rt/${branch}/older/patch-${new}.patch.xz")
+    if [ "$cur" ]; then
+        msg="$nixattr: $cur -> $new"
+    else
+        msg="$nixattr: init at $new"
+        prev=$(ls -v "$(dirname "$0")"/linux-rt-*.nix | tail -1)
+        cp "$prev" "$file"
+        cur=$(file-version "$file")
+    fi
+    echo "$msg"
+    sed -i "$file" \
+        -e "s/$cur/$new/" \
+        -e "s|kernel/v[0-9]*|kernel/v$major|" \
+        -e "1,/.patch.xz/ s/sha256 = .*/sha256 = \"$khash\";/" \
+        -e "1,/.patch.xz/! s/sha256 = .*/sha256 = \"$phash\";/"
+    if [ "${COMMIT:-}" ]; then
+        git add "$file"
+        git commit -m "$msg"
+    fi
+}
+
+return 2>/dev/null || main "$@"
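Review bot: `latest-rt-version` downloads the signed `sha256sums.asc` but uses it only to list file names; neither its signature nor the checksums in it are checked, and the hashes written to the `.nix` file are whatever `nix-prefetch-url` received at that moment. The update is therefore trust-on-first-use over TLS, and the script should at least say so: `# sha256sums.asc is parsed for version names only; its signature and checksums are NOT verified here` above the `curl` line. Verifying the signature and comparing the prefetched patch hash with the entry in that file would close the gap. The unescaped `$cur` in `-e "s/$cur/$new/"` is also read as a regex, so its dots match any character.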
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/update-zen.py b/nixpkgs/pkgs/os-specific/linux/kernel/update-zen.py
new file mode 100755
index 000000000000..204a39ad3a9a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/update-zen.py
@@ -0,0 +1,97 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i python3 -p python3 nix nix-prefetch-git
+
+import fileinput
+import json
+import os
+import sys
+import re
+import subprocess
+
+from datetime import datetime
+from urllib.request import urlopen, Request
+
+
+def panic(exc):
+    raise Exception(exc)
+
+
+DIR = os.path.dirname(os.path.abspath(__file__))
+HEADERS = {'Accept': 'application/vnd.github.v3+json'}
+
+
+def github_api_request(endpoint):
+    base_url = 'https://api.github.com/'
+    request = Request(base_url + endpoint, headers=HEADERS)
+    with urlopen(request) as http_response:
+        return json.loads(http_response.read().decode('utf-8'))
+
+
+def get_commit_date(repo, sha):
+    url = f'https://api.github.com/repos/{repo}/commits/{sha}'
+    request = Request(url, headers=HEADERS)
+    with urlopen(request) as http_response:
+        commit = json.loads(http_response.read().decode())
+        date = commit['commit']['committer']['date'].rstrip('Z')
+        date = datetime.fromisoformat(date).date().isoformat()
+        return 'unstable-' + date
+
+
+def nix_prefetch_git(url, rev):
+    """Prefetches the requested Git revision (incl. submodules) of the given repository URL."""
+    print(f'nix-prefetch-git {url} {rev}')
+    out = subprocess.check_output([
+        'nix-prefetch-git', '--quiet',
+        '--url', url,
+        '--rev', rev,
+        '--fetch-submodules'])
+    return json.loads(out)['sha256']
+
+
+def nix_prefetch_url(url, unpack=False):
+    """Prefetches the content of the given URL."""
+    print(f'nix-prefetch-url {url}')
+    options = ['--type', 'sha256']
+    if unpack:
+        options += ['--unpack']
+    out = subprocess.check_output(['nix-prefetch-url'] + options + [url])
+    return out.decode('utf-8').rstrip()
+
+
+def update_file(relpath, variant, version, suffix, sha256):
+    file_path = os.path.join(DIR, relpath)
+    with fileinput.FileInput(file_path, inplace=True) as f:
+        for line in f:
+            result = line
+            result = re.sub(
+                fr'^    version = ".+"; #{variant}',
+                f'    version = "{version}"; #{variant}',
+                result)
+            result = re.sub(
+                fr'^    suffix = ".+"; #{variant}',
+                f'    suffix = "{suffix}"; #{variant}',
+                result)
+            result = re.sub(
+                fr'^    sha256 = ".+"; #{variant}',
+                f'    sha256 = "{sha256}"; #{variant}',
+                result)
+            print(result, end='')
+
+
+if __name__ == "__main__":
+    if len(sys.argv) == 1:
+        panic("Update variant expected")
+    variant = sys.argv[1]
+    if variant not in ("zen", "lqx"):
+        panic(f"Unexepected variant instead of 'zen' or 'lqx': {sys.argv[1]}")
+    pattern = re.compile(fr"v(\d+\.\d+\.?\d*)-({variant}\d+)")
+    zen_tags = github_api_request('repos/zen-kernel/zen-kernel/releases')
+    for tag in zen_tags:
+        zen_match = pattern.match(tag['tag_name'])
+        if zen_match:
+            zen_tag = zen_match.group(0)
+            zen_version = zen_match.group(1)
+            zen_suffix = zen_match.group(2)
+            break
+    zen_hash = nix_prefetch_git('https://github.com/zen-kernel/zen-kernel.git', zen_tag)
+    update_file('zen-kernels.nix', variant, zen_version, zen_suffix, zen_hash)
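Review bot: If no release tag matches `pattern`, the `for tag in zen_tags` loop ends without assigning `zen_tag`, and the following `nix_prefetch_git(..., zen_tag)` raises `NameError` instead of a readable error. A `for`/`else` fixes it: add `else:` followed by `panic(f"No {variant} release found")` after the loop body. `get_commit_date` is not called anywhere in this file, so it and the `datetime` import are dead code.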
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/update.sh b/nixpkgs/pkgs/os-specific/linux/kernel/update.sh
new file mode 100755
index 000000000000..560edced36ea
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/update.sh
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+set -e
+
+# Get the latest versions from kernel.org
+LINUXSED='s/.*linux-\([0-9]\+\(.[0-9]\+\)*\).*/\1/p'
+KDATA="$(curl -s https://www.kernel.org | sed -n -e '/Download complete/p')"
+VERSIONS=($(sed -n -e $LINUXSED <<< "$KDATA" | sort -Vr))
+
+# Remove mainline version if there is a stable update
+# Note due to sorting these two will always exist at the bottom
+if grep -q "^${VERSIONS[1]}" <<< "${VERSIONS[0]}"; then
+  VERSIONS=(${VERSIONS[@]:0:1} ${VERSIONS[@]:2})
+fi
+
+# Inspect each file and see if it has the latest version
+NIXPKGS="$(git rev-parse --show-toplevel)"
+ls $NIXPKGS/pkgs/os-specific/linux/kernel | while read FILE; do
+  KERNEL="$(sed -n -e $LINUXSED <<< "$FILE")"
+  [ -z "$KERNEL" ] && continue
+
+  # Find the matching new kernel version
+  MATCHING=""
+  for V in "${VERSIONS[@]}"; do
+    if grep -q "^$KERNEL" <<< "$V"; then
+      MATCHING="$V"
+      break
+    fi
+  done
+  if [ -z "$MATCHING" ]; then
+    echo "Out-of-support $KERNEL"
+    continue
+  fi
+
+  # Inspect the nix expression to check for changes
+  DATA="$(<$NIXPKGS/pkgs/os-specific/linux/kernel/$FILE)"
+  URL="$(sed -n -e 's/.*url = "\(.*\)";.*/\1/p' <<< "$DATA" | sed -e "s/\${version}/$MATCHING/g")"
+  OLDVER=$(sed -n -e 's/.*version = "\(.*\)".*/\1/p' <<< "$DATA")
+  if [ "$OLDVER" = "$V" ]; then
+    echo "No updates for $KERNEL"
+    continue
+  fi
+
+  # Download the new file for the hash
+  if ! HASH="$(nix-prefetch-url $URL 2>/dev/null)"; then
+    echo "Failed to get hash of $URL"
+    continue
+  fi
+  sed -i -e "s/sha256 = \".*\"/sha256 = \"$HASH\"/g" $NIXPKGS/pkgs/os-specific/linux/kernel/$FILE
+
+  # Rewrite the expression
+  sed -i -e '/version = /d' $NIXPKGS/pkgs/os-specific/linux/kernel/$FILE
+  sed -i -e "\#buildLinux (args // rec {#a \  version = \"$V\";" $NIXPKGS/pkgs/os-specific/linux/kernel/$FILE
+
+  # Commit the changes
+  git add -u $NIXPKGS/pkgs/os-specific/linux/kernel/$FILE
+  git commit -m "linux: $OLDVER -> $V" >/dev/null 2>&1
+
+  echo "Updated $OLDVER -> $V"
+done
+
+# Update linux-rt
+COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-rt.sh
+
+# Update linux-libre
+COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh
+
+# Update linux-hardened
+COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py
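Review bot: This script runs with `set -e` only, while `update-rt.sh` and `update-libre.sh` in the same commit use `set -euo pipefail`. Here a failed `curl -s https://www.kernel.org` is masked by the `sed` that follows it in the pipe, `VERSIONS` ends up empty, and the loop prints `Out-of-support` for every file instead of stopping. I would change the second line to `set -euo pipefail` and the fetch to `curl -fsS https://www.kernel.org`, then re-test, since `-u` also trips on `${VERSIONS[1]}` when fewer than two versions are parsed. `$URL` in `nix-prefetch-url $URL` and the `$NIXPKGS/...` paths should be quoted as well.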
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/xanmod-kernels.nix b/nixpkgs/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
new file mode 100644
index 000000000000..53b00b93358a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/xanmod-kernels.nix
@@ -0,0 +1,84 @@
+{ lib, stdenv, fetchFromGitHub, buildLinux, ... } @ args:
+
+let
+  # These names are how they are designated in https://xanmod.org.
+  ltsVariant = {
+    version = "5.15.60";
+    hash = "sha256-XSOYgrJ/uvPpEG+P3Zy1geFeF/HMZ4LejsKWtTxMUTs=";
+  };
+
+  edgeVariant = {
+    version = "5.19.1";
+    hash = "sha256-Fw+XW2YDAGKEzZ4AO88Y8GcypfOb6AjKp3XOlkT8ZTQ=";
+  };
+
+  ttVariant = {
+    version = "5.15.54";
+    suffix = "xanmod1-tt";
+    hash = "sha256-4ck9PAFuIt/TxA/U+moGlVfCudJnzSuAw7ooFG3OJis=";
+  };
+
+  xanmodKernelFor = { version, suffix ? "xanmod1", hash }: buildLinux (args // rec {
+    inherit version;
+    modDirVersion = "${version}-${suffix}";
+
+    src = fetchFromGitHub {
+      owner = "xanmod";
+      repo = "linux";
+      rev = modDirVersion;
+      inherit hash;
+    };
+
+    structuredExtraConfig = with lib.kernel; {
+      # removed options
+      CFS_BANDWIDTH = lib.mkForce (option no);
+      RT_GROUP_SCHED = lib.mkForce (option no);
+      SCHED_AUTOGROUP = lib.mkForce (option no);
+
+      # AMD P-state driver
+      X86_AMD_PSTATE = yes;
+
+      # Paragon's NTFS3 driver
+      NTFS3_FS = module;
+      NTFS3_LZX_XPRESS = yes;
+      NTFS3_FS_POSIX_ACL = yes;
+
+      # Preemptive Full Tickless Kernel at 500Hz
+      SCHED_CORE = lib.mkForce (option no);
+      PREEMPT_VOLUNTARY = lib.mkForce no;
+      PREEMPT = lib.mkForce yes;
+      NO_HZ_FULL = yes;
+      HZ_500 = yes;
+
+      # Google's BBRv2 TCP congestion Control
+      TCP_CONG_BBR2 = yes;
+      DEFAULT_BBR2 = yes;
+
+      # FQ-PIE Packet Scheduling
+      NET_SCH_DEFAULT = yes;
+      DEFAULT_FQ_PIE = yes;
+
+      # Graysky's additional CPU optimizations
+      CC_OPTIMIZE_FOR_PERFORMANCE_O3 = yes;
+
+      # Futex WAIT_MULTIPLE implementation for Wine / Proton Fsync.
+      FUTEX = yes;
+      FUTEX_PI = yes;
+
+      # WineSync driver for fast kernel-backed Wine
+      WINESYNC = module;
+    };
+
+    extraMeta = {
+      branch = lib.versions.majorMinor version;
+      maintainers = with lib.maintainers; [ fortuneteller2k lovesegfault atemu ];
+      description = "Built with custom settings and new features built to provide a stable, responsive and smooth desktop experience";
+      broken = stdenv.isAarch64;
+    };
+  } // (args.argsOverride or { }));
+in
+{
+  lts = xanmodKernelFor ltsVariant;
+  edge = xanmodKernelFor edgeVariant;
+  tt = xanmodKernelFor ttVariant;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/zen-kernels.nix b/nixpkgs/pkgs/os-specific/linux/kernel/zen-kernels.nix
new file mode 100644
index 000000000000..58a71edf6fa9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kernel/zen-kernels.nix
@@ -0,0 +1,45 @@
+{ lib, fetchFromGitHub, buildLinux, ... } @ args:
+
+let
+  # comments with variant added for update script
+  # ./update-zen.py zen
+  zenVariant = {
+    version = "5.19.1"; #zen
+    suffix = "zen1"; #zen
+    sha256 = "1b906fa4hk56y5g1hx50kp395fakrphna4nnvy98vs8cxpcfyqi7"; #zen
+    isLqx = false;
+  };
+  # ./update-zen.py lqx
+  lqxVariant = {
+    version = "5.18.17"; #lqx
+    suffix = "lqx1"; #lqx
+    sha256 = "1cf4ix9xx1yi781xsrkaxn673mzi98dxlccsfvky78gjchmc8d6p"; #lqx
+    isLqx = true;
+  };
+  zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // {
+    inherit version;
+    modDirVersion = "${lib.concatStringsSep "." (lib.take 3 (lib.splitVersion version ++ [ "0" "0" ]))}-${suffix}";
+    isZen = true;
+
+    src = fetchFromGitHub {
+      owner = "zen-kernel";
+      repo = "zen-kernel";
+      rev = "v${version}-${suffix}";
+      inherit sha256;
+    };
+
+    passthru.updateScript = [ ./update-zen.py (if isLqx then "lqx" else "zen") ];
+
+    extraMeta = {
+      branch = lib.versions.majorMinor version + "/master";
+      maintainers = with lib.maintainers; [ andresilva pedrohlc ];
+      description = "Built using the best configuration and kernel sources for desktop, multimedia, and gaming workloads." +
+        lib.optionalString isLqx " (Same as linux_zen but less aggressive release schedule)";
+    };
+
+  } // (args.argsOverride or { }));
+in
+{
+  zen = zenKernelsFor zenVariant;
+  lqx = zenKernelsFor lqxVariant;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kexec-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/kexec-tools/default.nix
new file mode 100644
index 000000000000..6faa401eccc5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kexec-tools/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, buildPackages, fetchurl, fetchpatch, zlib }:
+
+stdenv.mkDerivation rec {
+  pname = "kexec-tools";
+  version = "2.0.23";
+
+  src = fetchurl {
+    urls = [
+      "mirror://kernel/linux/utils/kernel/kexec/${pname}-${version}.tar.xz"
+      "http://horms.net/projects/kexec/kexec-tools/${pname}-${version}.tar.xz"
+    ];
+    sha256 = "qmPNbH3ZWwbOumJAp/3GeSeJytp1plXmcUmHF1IkJBs=";
+  };
+
+  patches = [
+    # Use ELFv2 ABI on ppc64be
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/void-linux/void-packages/6c1192cbf166698932030c2e3de71db1885a572d/srcpkgs/kexec-tools/patches/ppc64-elfv2.patch";
+      sha256 = "19wzfwb0azm932v0vhywv4221818qmlmvdfwpvvpfyw4hjsc2s1l";
+    })
+  ];
+
+  hardeningDisable = [ "format" "pic" "relro" "pie" ];
+
+  # Prevent kexec-tools from using uname to detect target, which is wrong in
+  # cases like compiling for aarch32 on aarch64
+  configurePlatforms = [ "build" "host" ];
+  configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" ];
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  buildInputs = [ zlib ];
+
+  meta = with lib; {
+    homepage = "http://horms.net/projects/kexec/kexec-tools";
+    description = "Tools related to the kexec Linux feature";
+    platforms = platforms.linux;
+    badPlatforms = [
+      "riscv64-linux" "riscv32-linux"
+      "sparc-linux" "sparc64-linux"
+    ];
+    license = licenses.gpl2;
+  };
+}
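Review bot: `hardeningDisable = [ "format" "pic" "relro" "pie" ]` switches off four hardening flags for a tool that runs as root to load a new kernel, and nothing in the expression says why any of them is needed. A comment such as `# presumably needed because purgatory is built freestanding; confirm which flags are still required` would let the next update re-test and drop the ones that no longer apply. The same gap is in klibc/default.nix, where `hardeningDisable = [ "format" "stackprotector" ]` is also uncommented. Separately, the fallback entry in `urls` and `meta.homepage` use plain `http://`; the tarball is pinned by `sha256`, so this only affects the hash a maintainer records when bumping the version.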
diff --git a/nixpkgs/pkgs/os-specific/linux/keyutils/0001-Remove-unused-function-after_eq.patch b/nixpkgs/pkgs/os-specific/linux/keyutils/0001-Remove-unused-function-after_eq.patch
new file mode 100644
index 000000000000..61ad2a474f9a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/keyutils/0001-Remove-unused-function-after_eq.patch
@@ -0,0 +1,28 @@
+From 59d91e57d103fb4686d2f45ee3c688878244367a Mon Sep 17 00:00:00 2001
+From: Christian Kampka <christian@kampka.net>
+Date: Tue, 24 Nov 2020 22:12:40 +0100
+Subject: [PATCH] Remove unused function 'after_eq'
+
+---
+ keyctl_watch.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/keyctl_watch.c b/keyctl_watch.c
+index a70a19a..c4ca7f7 100644
+--- a/keyctl_watch.c
++++ b/keyctl_watch.c
+@@ -47,11 +47,6 @@ static struct watch_notification_filter filter = {
+ 	},
+ };
+ 
+-static inline bool after_eq(unsigned int a, unsigned int b)
+-{
+-        return (signed int)(a - b) >= 0;
+-}
+-
+ static void consumer_term(int sig)
+ {
+ 	consumer_stop = 1;
+-- 
+2.28.0
+
diff --git a/nixpkgs/pkgs/os-specific/linux/keyutils/conf-symlink.patch b/nixpkgs/pkgs/os-specific/linux/keyutils/conf-symlink.patch
new file mode 100644
index 000000000000..02762e857a81
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/keyutils/conf-symlink.patch
@@ -0,0 +1,13 @@
+diff --git a/request-key.c b/request-key.c
+index bf47c0a..105fee8 100644
+--- a/request-key.c
++++ b/request-key.c
+@@ -313,7 +313,7 @@ static void scan_conf_dir(struct parameters *params, const char *confdir)
+ 	while ((d = readdir(dir))) {
+ 		if (d->d_name[0] == '.')
+ 			continue;
+-		if (d->d_type != DT_UNKNOWN && d->d_type != DT_REG)
++		if (d->d_type != DT_UNKNOWN && d->d_type != DT_REG && d->d_type != DT_LNK)
+ 			continue;
+ 		l = strlen(d->d_name);
+ 		if (l < 5)
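Review bot: The added `d->d_type != DT_LNK` term in `scan_conf_dir` lets every symlink in the configuration directory through the type filter without checking what it resolves to, and these files name the programs that request-key runs. The rest of the loop is outside the hunk, so whether the target is verified later cannot be seen here; if it is not, an `fstat()` on the opened file followed by `if (!S_ISREG(st.st_mode)) continue;` would keep the regular-file guarantee the original check gave. The patch file also has no header, so a line saying why symlinks must be accepted (presumably because the configuration entries on NixOS are symlinks into the store) would help whoever rebases it.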
diff --git a/nixpkgs/pkgs/os-specific/linux/keyutils/default.nix b/nixpkgs/pkgs/os-specific/linux/keyutils/default.nix
new file mode 100644
index 000000000000..88410654f3b3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/keyutils/default.nix
@@ -0,0 +1,56 @@
+{ lib, stdenv, fetchurl }:
+
+# Note: this package is used for bootstrapping fetchurl, and thus
+# cannot use fetchpatch! All mutable patches (generated by GitHub or
+# cgit) that are needed here should be included directly in Nixpkgs as
+# files.
+
+stdenv.mkDerivation rec {
+  pname = "keyutils";
+  version = "1.6.3";
+
+  src = fetchurl {
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/snapshot/${pname}-${version}.tar.gz";
+    sha256 = "sha256-ph1XBhNq5MBb1I+GGGvP29iN2L1RB+Phlckkz8Gzm7Q=";
+  };
+
+  patches = [
+    ./conf-symlink.patch
+    # This patch solves a duplicate symbol error when building with a clang stdenv
+    # Before removing this patch, please ensure the package still builds by running eg.
+    # nix-build -E 'with import ./. {}; pkgs.keyutils.override { stdenv = pkgs.llvmPackages_latest.stdenv; }'
+    ./0001-Remove-unused-function-after_eq.patch
+  ];
+
+  makeFlags = lib.optionals stdenv.hostPlatform.isStatic "NO_SOLIB=1";
+
+  outputs = [ "out" "lib" "dev" ];
+
+  postPatch = ''
+    # https://github.com/archlinux/svntogit-packages/blob/packages/keyutils/trunk/reproducible.patch
+    substituteInPlace Makefile \
+      --replace \
+        'VCPPFLAGS	:= -DPKGBUILD="\"$(shell date -u +%F)\""' \
+        'VCPPFLAGS	:= -DPKGBUILD="\"$(date -ud "@$SOURCE_DATE_EPOCH" +%F)\""'
+  '';
+
+  enableParallelBuilding = true;
+
+  installFlags = [
+    "ETCDIR=$(out)/etc"
+    "BINDIR=$(out)/bin"
+    "SBINDIR=$(out)/sbin"
+    "SHAREDIR=$(out)/share/keyutils"
+    "MANDIR=$(out)/share/man"
+    "INCLUDEDIR=$(dev)/include"
+    "LIBDIR=$(lib)/lib"
+    "USRLIBDIR=$(lib)/lib"
+  ];
+
+  meta = with lib; {
+    homepage = "https://people.redhat.com/dhowells/keyutils/";
+    description = "Tools used to control the Linux kernel key management system";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
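Review bot: `makeFlags = lib.optionals stdenv.hostPlatform.isStatic "NO_SOLIB=1";` passes a string to `lib.optionals`, which expects a list, so `makeFlags` is a bare string on static platforms and an empty list otherwise. Use `makeFlags = lib.optional stdenv.hostPlatform.isStatic "NO_SOLIB=1";` so the attribute always has one type and can be extended with `++` in overrides. In `postPatch`, the replacement text `$(date -ud "@$SOURCE_DATE_EPOCH" +%F)` lands in a Makefile `:=` assignment, where make rather than the shell is likely to expand it, so `PKGBUILD` probably ends up empty; that is still reproducible, but worth confirming it is the intended result.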
diff --git a/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/default.nix b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/default.nix
new file mode 100644
index 000000000000..94ae4806cf25
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/default.nix
@@ -0,0 +1,91 @@
+{ lib
+, stdenv
+, fetchgit
+, requireFile
+, pkg-config
+, libusb1
+, p7zip
+}:
+
+let
+  # The last known good firmware package to have been tested
+  # by the upstream projet.
+  # The firmware URL is hardcoded in the upstream project's installation script
+  firmwareUrl = "https://download.microsoft.com/download/F/9/9/F99791F2-D5BE-478A-B77A-830AD14950C3/KinectSDK-v1.0-beta2-x86.msi";
+  # The original URL "https://research.microsoft.com/en-us/um/legal/kinectsdk-tou_noncommercial.htm"
+  # redirects to the following url:
+  licenseUrl = "https://www.microsoft.com/en-us/legal/terms-of-use";
+in
+stdenv.mkDerivation rec {
+  pname = "kinect-audio-setup";
+
+  # On update: Make sure that the `firmwareURL` is still in sync with upstream.
+  # If the project structure hasn't changed you can find the URL in the
+  # `kinect_fetch_fw` file in the project source.
+  version = "0.5";
+
+  # This is an MSI or CAB file
+  FIRMWARE = requireFile rec {
+    name = "UACFirmware";
+    sha256 = "08a2vpgd061cmc6h3h8i6qj3sjvjr1fwcnwccwywqypz3icn8xw1";
+    message = ''
+      In order to install the Kinect Audio Firmware, you need to download the
+      non-redistributable firmware from Microsoft.
+      The firmware is available at ${firmwareUrl} and the license at ${licenseUrl} .
+      Save the file as UACFirmware and use "nix-prefetch-url file://\$PWD/UACFirmware" to
+      add it to the Nix store.
+    '';
+  };
+
+  src = fetchgit {
+    url = "git://git.ao2.it/kinect-audio-setup.git";
+    rev = "v${version}";
+    sha256 = "sha256-bFwmWh822KvFwP/0Gu097nF5K2uCwCLMB1RtP7k+Zt0=";
+  };
+
+  # These patches are not upstream because the project has seen no
+  # activity since 2016
+  patches = [
+    ./libusb-1-import-path.patch
+    ./udev-rules-extra-devices.patch
+  ];
+
+  nativeBuildInputs = [ p7zip libusb1 pkg-config ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "DESTDIR=$(out)"
+    "FIRMWARE_PATH=$(out)/lib/firmware/UACFirmware"
+    "LOADER_PATH=$(out)/libexec/kinect_upload_fw"
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+    make -C kinect_upload_fw kinect_upload_fw $makeFlags "''${makeFlagsArray[@]}"
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/libexec/ $out/lib/firmware $out/lib/udev/rules.d
+
+    install -Dm755 kinect_upload_fw/kinect_upload_fw $out/libexec/
+
+    # 7z extract "assume yes on all queries" "only extract/keep files/directories matching UACFIRMWARE.* recursively"
+    7z e -y -r "${FIRMWARE}" "UACFirmware.*" >/dev/null
+    # The filename is bound to change with the Firmware SDK
+    mv UACFirmware.* $out/lib/firmware/UACFirmware
+
+    make install_udev_rules $makeFlags "''${makeFlagsArray[@]}"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Tools to enable audio input from the Microsoft Kinect sensor device";
+    homepage = "https://git.ao2.it/kinect-audio-setup.git";
+    maintainers = with maintainers; [ berbiche ];
+    platforms = platforms.linux;
+    license = licenses.unfree;
+  };
+}
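Review bot: `src` is fetched with `url = "git://git.ao2.it/kinect-audio-setup.git"`, the unauthenticated git protocol, while `meta.homepage` already points at the same repository over HTTPS. The `sha256` pins the content for builds, but the hash a maintainer records on the next version bump is whatever that plaintext connection returned; if the host serves clones over HTTPS, `url = "https://git.ao2.it/kinect-audio-setup.git";` removes that gap. `libusb1` is also listed in `nativeBuildInputs` although the loader links against it, so it likely belongs in `buildInputs`.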
diff --git a/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch
new file mode 100644
index 000000000000..a0c5ad99f9f2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch
@@ -0,0 +1,23 @@
+commit 02fd6c4355809e1bff7c66d478e88f30bedde13b
+Author: Nicolas Berbiche <nicolas@normie.dev>
+Date:   Wed May 5 23:14:56 2021 -0400
+
+    fix libusb include for Linux
+
+diff --git a/kinect_upload_fw/kinect_upload_fw.c b/kinect_upload_fw/kinect_upload_fw.c
+index 1bd4102..351c94f 100644
+--- a/kinect_upload_fw/kinect_upload_fw.c
++++ b/kinect_upload_fw/kinect_upload_fw.c
+@@ -35,7 +35,12 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <errno.h>
++
++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(_WIN32)
+ #include <libusb.h>
++#else
++#include <libusb-1.0/libusb.h>
++#endif
+ 
+ #include "endian.h"
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch
new file mode 100644
index 000000000000..d58b970c7c01
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch
@@ -0,0 +1,15 @@
+commit afaaa77b0a03811f86428cf264397b60dd795549
+Author: Nicolas Berbiche <nicolas@normie.dev>
+Date:   Thu May 6 00:10:37 2021 -0400
+
+    Add support for other Kinect device in udev
+
+diff --git a/contrib/55-kinect_audio.rules.in b/contrib/55-kinect_audio.rules.in
+index 25ea713..9e1b69f 100644
+--- a/contrib/55-kinect_audio.rules.in
++++ b/contrib/55-kinect_audio.rules.in
+@@ -1,2 +1,4 @@
+ # Rule to load the Kinect UAC firmware on the "generic" usb device
+ ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="02ad", RUN+="@LOADER_PATH@ @FIRMWARE_PATH@"
++# Rule to load the Kinect UAC firmware on another supported device
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="02bb", RUN+="@LOADER_PATH@ @FIRMWARE_PATH@"
diff --git a/nixpkgs/pkgs/os-specific/linux/klibc/default.nix b/nixpkgs/pkgs/os-specific/linux/klibc/default.nix
new file mode 100644
index 000000000000..6efcb01cc531
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/klibc/default.nix
@@ -0,0 +1,53 @@
+{ lib, stdenv, fetchurl, buildPackages, linuxHeaders, perl }:
+
+let
+  commonMakeFlags = [
+    "prefix=$(out)"
+    "SHLIBDIR=$(out)/lib"
+  ];
+in
+
+stdenv.mkDerivation rec {
+  pname = "klibc";
+  version = "2.0.10";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/libs/klibc/2.0/klibc-${version}.tar.xz";
+    sha256 = "sha256-ZidT2oiJ50TfwNtutAIcM3fufvjtZtfVd2X4yeJZOc0=";
+  };
+
+  patches = [ ./no-reinstall-kernel-headers.patch ];
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ perl ];
+  strictDeps = true;
+
+  hardeningDisable = [ "format" "stackprotector" ];
+
+  makeFlags = commonMakeFlags ++ [
+    "KLIBCARCH=${stdenv.hostPlatform.linuxArch}"
+    "KLIBCKERNELSRC=${linuxHeaders}"
+  ] # TODO(@Ericson2314): We now can get the ABI from
+    # `stdenv.hostPlatform.parsed.abi`, is this still a good idea?
+    ++ lib.optional (stdenv.hostPlatform.linuxArch == "arm") "CONFIG_AEABI=y"
+    ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) "CROSS_COMPILE=${stdenv.cc.targetPrefix}";
+
+  # Install static binaries as well.
+  postInstall = ''
+    dir=$out/lib/klibc/bin.static
+    mkdir $dir
+    cp $(find $(find . -name static) -type f ! -name "*.g" -a ! -name ".*") $dir/
+
+    for file in ${linuxHeaders}/include/*; do
+      ln -sv $file $out/lib/klibc/include
+    done
+  '';
+
+  meta = {
+    description = "Minimalistic libc subset for initramfs usage";
+    homepage = "https://kernel.org/pub/linux/libs/klibc/";
+    maintainers = with lib.maintainers; [ fpletz ];
+    license = lib.licenses.bsd3;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/klibc/no-reinstall-kernel-headers.patch b/nixpkgs/pkgs/os-specific/linux/klibc/no-reinstall-kernel-headers.patch
new file mode 100644
index 000000000000..709dd30f8c7e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/klibc/no-reinstall-kernel-headers.patch
@@ -0,0 +1,11 @@
+diff -Naur klibc-2.0.3-orig/scripts/Kbuild.install klibc-2.0.3/scripts/Kbuild.install
+--- klibc-2.0.3-orig/scripts/Kbuild.install	2013-12-03 13:53:46.000000000 -0500
++++ klibc-2.0.3/scripts/Kbuild.install	2014-01-04 18:17:09.342609021 -0500
+@@ -95,7 +95,6 @@
+ 	$(Q)mkdir -p $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)include
+ 	$(Q)mkdir -p $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)lib
+ 	$(Q)mkdir -p $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)bin
+-	$(Q)cp -rfL $(KLIBCKERNELSRC)/include/. $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)include/.
+ 	$(Q)cp -rf usr/include/. $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)include/.
+ 	$(Q)chmod -R a+rX $(INSTALLROOT)$(INSTALLDIR)/$(KCROSS)include
+ 	$(Q)$(install-data) $(srctree)/klcc/klcc.1 $(INSTALLROOT)$(mandir)/man1/$(KCROSS)klcc.1
diff --git a/nixpkgs/pkgs/os-specific/linux/klibc/shrunk.nix b/nixpkgs/pkgs/os-specific/linux/klibc/shrunk.nix
new file mode 100644
index 000000000000..8b79940ed78c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/klibc/shrunk.nix
@@ -0,0 +1,26 @@
+{stdenv, klibc}:
+
+stdenv.mkDerivation {
+  # !!! For now, the name has to be exactly as long as the original
+  # name due to the sed hackery below.  Once patchelf 0.4 is in the
+  # tree, we can do this properly.
+  #name = "${klibc.name}-shrunk";
+  name = klibc.name;
+  buildCommand = ''
+    mkdir -p $out/lib
+    cp -prd ${klibc.out}/lib/klibc/bin $out/
+    cp -p ${klibc.out}/lib/*.so $out/lib/
+    chmod +w $out/*
+    old=$(echo ${klibc.out}/lib/klibc-*.so)
+    new=$(echo $out/lib/klibc-*.so)
+    for i in $out/bin/*; do
+      echo $i
+      sed "s^$old^$new^" -i $i
+      # !!! use patchelf
+      #patchelf --set-interpreter $new $i
+    done
+  ''; # */
+  allowedReferences = ["out"];
+
+  inherit (klibc) meta;
+}
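Review bot: The `sed "s^$old^$new^" -i $i` rewrite edits binaries in place and is only safe while `$old` and `$new` have the same length, which the comment states but the script never checks. A guard before the loop, `[ "''${#old}" -eq "''${#new}" ] || { echo "klibc path length mismatch" >&2; exit 1; }`, would fail the build instead of producing corrupted binaries if the name ever changes. The glob results and `$i` are also unquoted, and a glob that matches nothing or more than one `klibc-*.so` would make the substitution wrong without an error.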
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix b/nixpkgs/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix
new file mode 100644
index 000000000000..3964538a4096
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchurl }:
+
+let
+  version = "28-1ubuntu4"; # impish 2021-06-24
+
+in stdenv.mkDerivation {
+  pname = "kmod-blacklist";
+  inherit version;
+
+  src = fetchurl {
+    url = "https://launchpad.net/ubuntu/+archive/primary/+files/kmod_${version}.debian.tar.xz";
+    sha256 = "sha256-K8tWpaLmCm3Jcxw3OZ+D7Koiug7epooRn1YMfqjGAiw=";
+  };
+
+  installPhase = ''
+    mkdir "$out"
+    for f in modprobe.d/*.conf; do
+      echo "''\n''\n## file: "`basename "$f"`"''\n''\n" >> "$out"/modprobe.conf
+      cat "$f" >> "$out"/modprobe.conf
+      # https://bugs.launchpad.net/ubuntu/+source/kmod/+bug/1475945
+      sed -i '/^blacklist i2c_i801/d' $out/modprobe.conf
+    done
+
+    substituteInPlace "$out"/modprobe.conf \
+      --replace "blacklist bochs-drm" "" \
+      --replace /sbin/lsmod /run/booted-system/sw/bin/lsmod \
+      --replace /sbin/rmmod /run/booted-system/sw/bin/rmmod \
+      --replace /sbin/modprobe /run/booted-system/sw/bin/modprobe \
+      --replace " grep " " /run/booted-system/sw/bin/grep " \
+      --replace " xargs " " /run/booted-system/sw/bin/xargs "
+  '';
+
+  meta = with lib; {
+    homepage = "https://launchpad.net/ubuntu/+source/kmod";
+    description = "Linux kernel module blacklists from Ubuntu";
+    platforms = platforms.linux;
+    license = with licenses; [ gpl2Plus lgpl21Plus ];
+  };
+}
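Review bot: In `installPhase` the `sed -i '/^blacklist i2c_i801/d' $out/modprobe.conf` runs once per input file inside the `for` loop, re-filtering the whole accumulated file each time, and uses `$out` unquoted unlike the lines around it. Moving it after `done` as `sed -i '/^blacklist i2c_i801/d' "$out"/modprobe.conf` does the same work once. The phase also replaces `installPhase` without `runHook preInstall` / `runHook postInstall`. The `--replace "blacklist bochs-drm" ""` entry has no comment explaining why that blacklist line is dropped, unlike the i2c_i801 removal, which links its bug report.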
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod-debian-aliases/default.nix b/nixpkgs/pkgs/os-specific/linux/kmod-debian-aliases/default.nix
new file mode 100644
index 000000000000..15f7251f9961
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod-debian-aliases/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchurl, lib }:
+
+stdenv.mkDerivation rec {
+  pname = "kmod-debian-aliases.conf";
+  version = "22-1.1";
+
+  src = fetchurl {
+    url = "https://snapshot.debian.org/archive/debian/20160404T220610Z/pool/main/k/kmod/kmod_${version}.debian.tar.xz";
+    sha256 = "0daap2n4bvjqcnksaayy6csmdb1px4r02w3xp36bcp6w3lbnqamh";
+  };
+
+  installPhase = ''
+    patch -i patches/aliases_conf
+    cp aliases.conf $out
+  '';
+
+  meta = with lib; {
+    homepage = "https://packages.debian.org/source/sid/kmod";
+    description = "Linux configuration file for modprobe";
+    maintainers = with maintainers; [ mathnerd314 ];
+    platforms = with platforms; linux;
+    license = with licenses; [ gpl2Plus lgpl21Plus ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod/aggregator.nix b/nixpkgs/pkgs/os-specific/linux/kmod/aggregator.nix
new file mode 100644
index 000000000000..cd138f1d7f55
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod/aggregator.nix
@@ -0,0 +1,35 @@
+{ stdenvNoCC, kmod, modules, buildEnv, name ? "kernel-modules" }:
+
+buildEnv {
+  inherit name;
+
+  paths = modules;
+
+  postBuild =
+    ''
+      source ${stdenvNoCC}/setup
+
+      if ! test -d "$out/lib/modules"; then
+        echo "No modules found."
+        # To support a kernel without modules
+        exit 0
+      fi
+
+      kernelVersion=$(cd $out/lib/modules && ls -d *)
+      if test "$(echo $kernelVersion | wc -w)" != 1; then
+         echo "inconsistent kernel versions: $kernelVersion"
+         exit 1
+      fi
+
+      echo "kernel version is $kernelVersion"
+
+      shopt -s extglob
+
+      # Regenerate the depmod map files.  Be sure to pass an explicit
+      # kernel version number, otherwise depmod will use `uname -r'.
+      if test -w $out/lib/modules/$kernelVersion; then
+          rm -f $out/lib/modules/$kernelVersion/modules.!(builtin*|order*)
+          ${kmod}/bin/depmod -b $out -C $out/etc/depmod.d -a $kernelVersion
+      fi
+    '';
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod/default.nix b/nixpkgs/pkgs/os-specific/linux/kmod/default.nix
new file mode 100644
index 000000000000..802335046342
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod/default.nix
@@ -0,0 +1,82 @@
+{ stdenv, lib, fetchzip, autoconf, automake, docbook_xml_dtd_42
+, docbook_xml_dtd_43, docbook_xsl, gtk-doc, libtool, pkg-config
+, libxslt, xz, zstd, elf-header
+, withDevdoc ? stdenv.hostPlatform == stdenv.buildPlatform
+, withStatic ? stdenv.hostPlatform.isStatic
+, gitUpdater
+}:
+
+let
+  systems = [ "/run/booted-system/kernel-modules" "/run/current-system/kernel-modules" "" ];
+  modulesDirs = lib.concatMapStringsSep ":" (x: "${x}/lib/modules") systems;
+
+in stdenv.mkDerivation rec {
+  pname = "kmod";
+  version = "30";
+
+  # autogen.sh is missing from the release tarball,
+  # and we need to run it to regenerate gtk_doc.make,
+  # because the version in the release tarball is broken.
+  # Possibly this will be fixed in kmod 30?
+  # https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/.gitignore?id=61a93a043aa52ad62a11ba940d4ba93cb3254e78
+  src = fetchzip {
+    url = "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/snapshot/kmod-${version}.tar.gz";
+    sha256 = "sha256-/dih2LoqgRrAsVdHRwld28T8pXgqnzapnQhqkXnxbbc=";
+  };
+
+  outputs = [ "out" "dev" "lib" ] ++ lib.optional withDevdoc "devdoc";
+
+  nativeBuildInputs = [
+    autoconf automake docbook_xsl libtool libxslt pkg-config
+
+    docbook_xml_dtd_42 # for the man pages
+  ] ++ lib.optionals withDevdoc [ docbook_xml_dtd_43 gtk-doc ];
+  buildInputs = [ xz zstd ];
+
+  preConfigure = ''
+    ./autogen.sh
+  '';
+
+  configureFlags = [
+    "--sysconfdir=/etc"
+    "--with-xz"
+    "--with-zstd"
+    "--with-modulesdirs=${modulesDirs}"
+    (lib.enableFeature withDevdoc "gtk-doc")
+  ] ++ lib.optional withStatic "--enable-static";
+
+  patches = [ ./module-dir.patch ]
+    ++ lib.optional withStatic ./enable-static.patch;
+
+  postInstall = ''
+    for prog in rmmod insmod lsmod modinfo modprobe depmod; do
+      ln -sv $out/bin/kmod $out/bin/$prog
+    done
+
+    # Backwards compatibility
+    ln -s bin $out/sbin
+  '';
+
+  passthru.updateScript = gitUpdater {
+    inherit pname version;
+    # No nicer place to find latest release.
+    url = "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git";
+    rev-prefix = "v";
+  };
+
+  meta = with lib; {
+    description = "Tools for loading and managing Linux kernel modules";
+    longDescription = ''
+      kmod is a set of tools to handle common tasks with Linux kernel modules
+      like insert, remove, list, check properties, resolve dependencies and
+      aliases. These tools are designed on top of libkmod, a library that is
+      shipped with kmod.
+    '';
+    homepage = "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/";
+    downloadPage = "https://www.kernel.org/pub/linux/utils/kernel/kmod/";
+    changelog = "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/plain/NEWS?h=v${version}";
+    license = with licenses; [ lgpl21Plus gpl2Plus ]; # GPLv2+ for tools
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ artturin ];
+  };
+}
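Review bot: The comment above `src` says "Possibly this will be fixed in kmod 30?" while `version = "30"` is what this expression builds, so it no longer tells the reader whether the `autogen.sh` workaround is still needed. Either re-test with the release tarball and drop the workaround, or reword the comment, for example `# Re-checked with kmod 30: release tarball still lacks autogen.sh (confirm)`. `modulesDirs` also ends with an empty prefix that expands to `/lib/modules`; a short comment that this is the intended last-resort fallback would help, since `module-dir.patch` skips the existence check for the final entry only.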
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod/enable-static.patch b/nixpkgs/pkgs/os-specific/linux/kmod/enable-static.patch
new file mode 100644
index 000000000000..8308c6557921
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod/enable-static.patch
@@ -0,0 +1,12 @@
+diff --git a/configure.ac b/configure.ac
+index ee72283..b42c42a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -19,7 +19,6 @@ AM_SILENT_RULES([yes])
+ LT_INIT([disable-static pic-only])
+ DOLT
+ 
+-AS_IF([test "x$enable_static" = "xyes"], [AC_MSG_ERROR([--enable-static is not supported by kmod])])
+ AS_IF([test "x$enable_largefile" = "xno"], [AC_MSG_ERROR([--disable-largefile is not supported by kmod])])
+ 
+ #####################################################################
diff --git a/nixpkgs/pkgs/os-specific/linux/kmod/module-dir.patch b/nixpkgs/pkgs/os-specific/linux/kmod/module-dir.patch
new file mode 100644
index 000000000000..f7432e3756e9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmod/module-dir.patch
@@ -0,0 +1,157 @@
+diff --git a/Makefile.am b/Makefile.am
+index d4eeb7e..5c9f603 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -19,6 +19,7 @@ AM_CPPFLAGS = \
+ 	-include $(top_builddir)/config.h \
+ 	-I$(top_srcdir) \
+ 	-DSYSCONFDIR=\""$(sysconfdir)"\" \
++	-DMODULESDIRS=\""$(shell echo $(modulesdirs) | $(SED) 's|:|\\",\\"|g')"\" \
+ 	${zlib_CFLAGS}
+ 
+ AM_CFLAGS = $(OUR_CFLAGS)
+diff --git a/configure.ac b/configure.ac
+index 23510c8..66490cf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -202,6 +202,12 @@ GTK_DOC_CHECK([1.14],[--flavour no-tmpl-flat])
+ ], [
+ AM_CONDITIONAL([ENABLE_GTK_DOC], false)])
+ 
++AC_ARG_WITH([modulesdirs],
++	AS_HELP_STRING([--with-modulesdirs=DIRS], [Kernel modules directories, separated by :]),
++	[],
++	[with_modulesdirs=/lib/modules])
++AC_SUBST([modulesdirs], [$with_modulesdirs])
++
+ 
+ #####################################################################
+ # Default CFLAGS and LDFLAGS
+diff --git a/libkmod/libkmod.c b/libkmod/libkmod.c
+index 69fe431..d37da32 100644
+--- a/libkmod/libkmod.c
++++ b/libkmod/libkmod.c
+@@ -206,12 +206,15 @@ static int log_priority(const char *priority)
+ 	return 0;
+ }
+ 
+-static const char *dirname_default_prefix = "/lib/modules";
++static const char *dirname_default_prefixes[] = {
++	MODULESDIRS,
++	NULL
++};
+ 
+ static char *get_kernel_release(const char *dirname)
+ {
+ 	struct utsname u;
+-	char *p;
++	char *p, *dirname_prefix;
+ 
+ 	if (dirname != NULL)
+ 		return path_make_absolute_cwd(dirname);
+@@ -219,8 +222,42 @@ static char *get_kernel_release(const char *dirname)
+ 	if (uname(&u) < 0)
+ 		return NULL;
+ 
+-	if (asprintf(&p, "%s/%s", dirname_default_prefix, u.release) < 0)
+-		return NULL;
++	if ((dirname_prefix = getenv("MODULE_DIR")) != NULL) {
++		if(asprintf(&p, "%s/%s", dirname_prefix, u.release) < 0)
++			return NULL;
++	} else {
++		size_t i;
++		char buf[PATH_MAX];
++
++		for (i = 0; dirname_default_prefixes[i] != NULL; i++) {
++			int plen;
++			struct stat dirstat;
++
++			plen = snprintf(buf, sizeof(buf), "%s/%s", dirname_default_prefixes[i], u.release);
++			if (plen < 0)
++				return NULL;
++			else if (plen >= PATH_MAX)
++				continue;
++
++			if (dirname_default_prefixes[i + 1] != NULL) {
++				if (stat(buf, &dirstat) < 0) {
++					if (errno == ENOENT)
++						continue;
++					else
++						return NULL;
++				}
++
++				if (!S_ISDIR(dirstat.st_mode))
++					continue;
++			}
++
++			p = malloc(plen + 1);
++			if (p == NULL)
++				return NULL;
++			memcpy(p, buf, plen + 1);
++			break;
++		}
++	}
+ 
+ 	return p;
+ }
+diff --git a/tools/static-nodes.c b/tools/static-nodes.c
+index 8d2356d..2ed306d 100644
+--- a/tools/static-nodes.c
++++ b/tools/static-nodes.c
+@@ -29,10 +29,11 @@
+ #include <unistd.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+-#include <sys/utsname.h>
+ 
+ #include <shared/util.h>
+ 
++#include <libkmod/libkmod.h>
++
+ #include "kmod.h"
+ 
+ struct static_nodes_format {
+@@ -154,8 +155,8 @@ static void help(void)
+ 
+ static int do_static_nodes(int argc, char *argv[])
+ {
+-	struct utsname kernel;
+ 	char modules[PATH_MAX], buf[4096];
++	struct kmod_ctx *ctx;
+ 	const char *output = "/dev/stdout";
+ 	FILE *in = NULL, *out = NULL;
+ 	const struct static_nodes_format *format = &static_nodes_format_human;
+@@ -206,22 +207,25 @@ static int do_static_nodes(int argc, char *argv[])
+ 		}
+ 	}
+ 
+-	if (uname(&kernel) < 0) {
+-		fputs("Error: uname failed!\n", stderr);
++	ctx = kmod_new(NULL, NULL);
++	if (ctx == NULL) {
++		fprintf(stderr, "Error: failed to create kmod context\n");
+ 		ret = EXIT_FAILURE;
+ 		goto finish;
+ 	}
+-
+-	snprintf(modules, sizeof(modules), "/lib/modules/%s/modules.devname", kernel.release);
++	if (snprintf(modules, sizeof(modules), "%s/modules.devname", kmod_get_dirname(ctx)) < 0) {
++		fprintf(stderr, "Error: path to modules.devname is too long\n");
++		ret = EXIT_FAILURE;
++		goto finish;
++	}
++	kmod_unref(ctx);
+ 	in = fopen(modules, "re");
+ 	if (in == NULL) {
+ 		if (errno == ENOENT) {
+-			fprintf(stderr, "Warning: /lib/modules/%s/modules.devname not found - ignoring\n",
+-				kernel.release);
++			fprintf(stderr, "Warning: %s not found - ignoring\n", modules);
+ 			ret = EXIT_SUCCESS;
+ 		} else {
+-			fprintf(stderr, "Error: could not open /lib/modules/%s/modules.devname - %m\n",
+-				kernel.release);
++			fprintf(stderr, "Error: could not open %s - %m\n", modules);
+ 			ret = EXIT_FAILURE;
+ 		}
+ 		goto finish;
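Review bot: In the `libkmod/libkmod.c` part, `get_kernel_release` now takes the module directory from `getenv("MODULE_DIR")`, so any program linked against libkmod, including one running with raised privileges, resolves its module tree from a directory chosen by the caller's environment; `secure_getenv("MODULE_DIR")` would ignore the variable in that situation. In the same function `p` is never initialised, so if the last prefix is skipped by the `plen >= PATH_MAX` `continue`, the function returns an indeterminate pointer; declaring `char *p = NULL, *dirname_prefix;` fixes that. In `tools/static-nodes.c` the `snprintf(...) < 0` test does not catch truncation despite the "too long" message, and the `goto finish` on that path skips `kmod_unref(ctx)` (the `finish` label is outside the hunk, so the leak is inferred).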
diff --git a/nixpkgs/pkgs/os-specific/linux/kmscon/default.nix b/nixpkgs/pkgs/os-specific/linux/kmscon/default.nix
new file mode 100644
index 000000000000..f48895fc017e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmscon/default.nix
@@ -0,0 +1,60 @@
+{ lib, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, libtsm
+, systemd
+, libxkbcommon
+, libdrm
+, libGLU, libGL
+, pango
+, pixman
+, pkg-config
+, docbook_xsl
+, libxslt
+}:
+
+stdenv.mkDerivation rec {
+  pname = "kmscon";
+  version = "unstable-2018-09-07";
+
+  src = fetchFromGitHub {
+    owner = "Aetf";
+    repo = "kmscon";
+    rev = "01dd0a231e2125a40ceba5f59fd945ff29bf2cdc";
+    sha256 = "0q62kjsvy2iwy8adfiygx2bfwlh83rphgxbis95ycspqidg9py87";
+  };
+
+  buildInputs = [
+    libGLU libGL
+    libdrm
+    libtsm
+    libxkbcommon
+    libxslt
+    pango
+    pixman
+    systemd
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    docbook_xsl
+    pkg-config
+  ];
+
+  configureFlags = [
+    "--enable-multi-seat"
+    "--disable-debug"
+    "--enable-optimizations"
+    "--with-renderers=bbulk,gltex,pixman"
+  ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "KMS/DRM based System Console";
+    homepage = "http://www.freedesktop.org/wiki/Software/kmscon/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ omasanori ];
+    platforms = platforms.linux;
+  };
+}
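Review bot: `meta.homepage` points at the freedesktop.org wiki over plain `http://`, while `src` is fetched from the `Aetf/kmscon` repository on GitHub, so the page a reader is sent to is not the code this derivation builds. Pointing it at the fetched repository keeps the two in step: `homepage = "https://github.com/Aetf/kmscon";`. The `rec` on `mkDerivation` is also unused, since nothing in the attribute set refers to `pname` or `version`.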
diff --git a/nixpkgs/pkgs/os-specific/linux/kmscube/default.nix b/nixpkgs/pkgs/os-specific/linux/kmscube/default.nix
new file mode 100644
index 000000000000..b9da37901700
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kmscube/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchgit, fetchpatch, autoreconfHook, libdrm, libX11, libGL, mesa, pkg-config }:
+
+stdenv.mkDerivation {
+  pname = "kmscube";
+  version = "unstable-2018-06-17";
+
+  src = fetchgit {
+    url = "git://anongit.freedesktop.org/mesa/kmscube";
+    rev = "9dcce71e603616ee7a54707e932f962cdf8fb20a";
+    sha256 = "1q5b5yvyfj3127385mp1bfmcbnpnbdswdk8gspp7g4541xk4k933";
+  };
+
+  patches = [
+    # Pull upstream patch for -fno-common toolchains.
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://gitlab.freedesktop.org/mesa/kmscube/-/commit/908ef39864442c0807954af5d3f88a3da1a6f8a5.patch";
+      sha256 = "1gxn3b50mvjlc25234839v5z29r8fd9di4176a3yx4gbsz8cc5vi";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ libdrm libX11 libGL mesa ];
+
+  meta = with lib; {
+    description = "Example OpenGL app using KMS/GBM";
+    homepage = "https://gitlab.freedesktop.org/mesa/kmscube";
+    license = licenses.mit;
+    maintainers = with maintainers; [ dezgeg ];
+    platforms = platforms.linux;
+  };
+}
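Review bot: `fetchgit` uses the `git://` transport in `url`, which is neither authenticated nor encrypted. The `sha256` still pins the fetched tree, so altered content only shows up as a hash mismatch, but the fetch itself is exposed and many networks block that port. `homepage` and the `fetchpatch` URL in this same file already use the project's GitLab over HTTPS, so the source could too: `url = "https://gitlab.freedesktop.org/mesa/kmscube.git";` (the hash should be unchanged; verify on switch).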
diff --git a/nixpkgs/pkgs/os-specific/linux/kvdo/default.nix b/nixpkgs/pkgs/os-specific/linux/kvdo/default.nix
new file mode 100644
index 000000000000..7e7c765bd819
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kvdo/default.nix
@@ -0,0 +1,32 @@
+{ stdenv, lib, fetchFromGitHub, vdo, kernel }:
+
+stdenv.mkDerivation rec {
+  inherit (vdo) version;
+  pname = "kvdo";
+
+  src = fetchFromGitHub {
+    owner = "dm-vdo";
+    repo = "kvdo";
+    rev = version;
+    hash = "sha256-4FYTFUIvGjea3bh2GbQYG7hSswVDdNS3S+jWQ9+inpg=";
+  };
+
+  dontConfigure = true;
+  enableParallelBuilding = true;
+
+  KSRC = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+  INSTALL_MOD_PATH = placeholder "out";
+
+  preBuild = ''
+    makeFlags="$makeFlags -C ${KSRC} M=$(pwd)"
+'';
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    inherit (vdo.meta) license maintainers;
+    homepage = "https://github.com/dm-vdo/kvdo";
+    description = "A pair of kernel modules which provide pools of deduplicated and/or compressed block storage";
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.15" || kernel.kernelAtLeast "5.17";
+  };
+}
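Review bot: This derivation builds an out-of-tree kernel module but declares no `nativeBuildInputs`, unlike the `kvmfr` expression in this commit, which sets `nativeBuildInputs = kernel.moduleBuildDependencies;`. Without it the build presumably relies on whatever the default stdenv happens to provide for kbuild; adding the same line makes the dependency explicit. In `preBuild`, `M=$(pwd)` is appended unquoted to a flat string, so `makeFlagsArray+=(-C "${KSRC}" "M=$PWD")` would be more robust, and the closing `''` is misindented.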
diff --git a/nixpkgs/pkgs/os-specific/linux/kvmfr/default.nix b/nixpkgs/pkgs/os-specific/linux/kvmfr/default.nix
new file mode 100644
index 000000000000..24fedbf59d78
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/kvmfr/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel, kmod, looking-glass-client }:
+
+stdenv.mkDerivation rec {
+  pname = "kvmfr";
+  version = looking-glass-client.version;
+
+  src = looking-glass-client.src;
+  sourceRoot = "source/module";
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  patches = lib.optional (kernel.kernelAtLeast "5.16") (fetchpatch {
+    name = "kvmfr-5.16.patch";
+    url = "https://github.com/gnif/LookingGlass/commit/a9b5302a517e19d7a2da114acf71ef1e69cfb497.patch";
+    sha256 = "017nxlk2f7kyjp6llwa74dbczdb1jk8v791qld81dxhzkm9dyqqx";
+    stripLen = 1;
+  })
+  ++ lib.optional (kernel.kernelAtLeast "5.18") (fetchpatch {
+    name = "kvmfr-5.18.patch";
+    url = "https://github.com/gnif/LookingGlass/commit/c7029f95042fe902843cb6acbfc75889e93dc210.patch";
+    sha256 = "sha256-6DpL17XWj8BKpiBdKdCPC51MWKLIo6PixQ9UaygT2Zg=";
+    stripLen = 1;
+  });
+
+  makeFlags = [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D kvmfr.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/misc/"
+  '';
+
+  meta = with lib; {
+    description = "Optional kernel module for LookingGlass";
+    longDescription = ''
+      This kernel module implements a basic interface to the IVSHMEM device for LookingGlass when using LookingGlass in VM->VM mode
+      Additionally, in VM->host mode, it can be used to generate a shared memory device on the host machine that supports dmabuf
+    '';
+    homepage = "https://github.com/gnif/LookingGlass";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ j-brn ];
+    platforms = [ "x86_64-linux" ];
+    broken = kernel.kernelOlder "5.3";
+  };
+}
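Review bot: `hardeningDisable = [ "pic" "format" ];` turns off two hardening flags with no comment saying why. Disabling `pic` is usual for kernel modules, but the reason for `format` is not visible in this file, and an undocumented hardening exception tends to outlive the problem it worked around. A one-line comment would record it, e.g. `# kernel modules are not built PIC; "format" disabled because <reason, to be filled in>`. The two `fetchpatch` hashes also use different encodings (base32 and SRI), which is cosmetic.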
diff --git a/nixpkgs/pkgs/os-specific/linux/latencytop/default.nix b/nixpkgs/pkgs/os-specific/linux/latencytop/default.nix
new file mode 100644
index 000000000000..a48abf85831f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/latencytop/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchurl, ncurses, glib, pkg-config, gtk2, util-linux }:
+
+stdenv.mkDerivation rec {
+  pname = "latencytop";
+  version = "0.5";
+
+  postPatch = ''
+    sed -i s,/usr,$out, Makefile
+
+    # Fix #171609
+    substituteInPlace fsync.c --replace /bin/mount ${util-linux}/bin/mount
+  '';
+
+  preInstall = "mkdir -p $out/sbin";
+
+  src = fetchurl {
+    urls = [ "http://latencytop.org/download/latencytop-${version}.tar.gz"
+     "http://dbg.download.sourcemage.org/mirror/latencytop-0.5.tar.gz" ];
+    sha256 = "1vq3j9zdab6njly2wp900b3d5244mnxfm88j2bkiinbvxbxp4zwy";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ ncurses glib gtk2 ];
+
+  meta = {
+    homepage = "http://latencytop.org";
+    description = "Tool to show kernel reports on latencies (LATENCYTOP option)";
+    license = lib.licenses.gpl2;
+    maintainers = [ lib.maintainers.viric ];
+    platforms = lib.platforms.linux;
+  };
+}
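Review bot: Both entries in `urls` are plain `http://`, and the second hard-codes `latencytop-0.5.tar.gz` instead of using `${version}`. The `sha256` still pins the tarball, so altered content is rejected, but a version bump would leave the mirror pointing at the old release and surface only as a hash mismatch; `"http://dbg.download.sourcemage.org/mirror/latencytop-${version}.tar.gz"` keeps the two together. Where the hosts serve HTTPS it should be preferred; the same applies to the `http://0pointer.de/...` source URL in `libatasmart/default.nix` later in this commit. In `postPatch`, `$out` is unquoted inside the `sed` expression.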
diff --git a/nixpkgs/pkgs/os-specific/linux/ldm/default.nix b/nixpkgs/pkgs/os-specific/linux/ldm/default.nix
new file mode 100644
index 000000000000..f8a519de847e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ldm/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchgit, udev, util-linux, mountPath ? "/media/" }:
+
+assert mountPath != "";
+
+let
+  version = "0.5";
+in
+stdenv.mkDerivation rec {
+  pname = "ldm";
+  inherit version;
+
+  # There is a stable release, but we'll use the lvm branch, which
+  # contains important fixes for LVM setups.
+  src = fetchgit {
+    url = "https://github.com/LemonBoy/ldm";
+    rev = "refs/tags/v${version}";
+    sha256 = "0lxfypnbamfx6p9ar5k9wra20gvwn665l4pp2j4vsx4yi5q7rw2n";
+  };
+
+  buildInputs = [ udev util-linux ];
+
+  postPatch = ''
+    substituteInPlace ldm.c \
+      --replace "/mnt/" "${mountPath}"
+    sed '16i#include <sys/stat.h>' -i ldm.c
+  '';
+
+  buildFlags = [ "ldm" ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -v ldm $out/bin
+  '';
+
+  meta = {
+    description = "A lightweight device mounter, with libudev as only dependency";
+    license = lib.licenses.mit;
+    platforms = lib.platforms.linux;
+  };
+}
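Review bot: The comment above `src` says the `lvm` branch is used instead of the stable release, but `rev = "refs/tags/v${version}"` fetches the release tag, so comment and code disagree about which upstream code is built. Reword or drop it, e.g. `# Pinned to the v${version} release tag.`. `meta` also has no `homepage` or `maintainers`, which makes it harder to find the upstream or an owner when the package needs a security update.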
diff --git a/nixpkgs/pkgs/os-specific/linux/ledger-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/ledger-udev-rules/default.nix
new file mode 100644
index 000000000000..3a6bf9e5d51c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ledger-udev-rules/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "ledger-udev-rules";
+  version = "unstable-2021-09-10";
+
+  src = fetchFromGitHub {
+    owner = "LedgerHQ";
+    repo = "udev-rules";
+    rev = "2776324af6df36c2af4d2e8e92a1c98c281117c9";
+    sha256 = "sha256-yTYI81PXMc32lMfI5uhD14nP20zAI7ZF33V1LRDWg2Y=";
+  };
+
+  dontBuild = true;
+  dontConfigure = true;
+
+  installPhase = ''
+    mkdir -p $out/lib/udev/rules.d
+    cp 20-hw1.rules $out/lib/udev/rules.d/20-ledger.rules
+  '';
+
+  meta = with lib; {
+    description = "udev rules for Ledger devices";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ asymmetric ];
+    platforms = platforms.linux;
+    homepage = "https://github.com/LedgerHQ/udev-rules";
+  };
+}
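Review bot: The `installPhase` copies upstream's `20-hw1.rules` into `lib/udev/rules.d` unchanged, and nothing here documents what access those rules grant. udev rules decide which users can open the device nodes of a hardware wallet, so a short comment would help whoever reviews the next `rev` bump, e.g. `# rules grant device access via <mechanism used by 20-hw1.rules>; re-check on update`. The rule contents are not visible in this commit, so this is a request to document them, not a claim that they are too permissive.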
diff --git a/nixpkgs/pkgs/os-specific/linux/libaio/default.nix b/nixpkgs/pkgs/os-specific/linux/libaio/default.nix
new file mode 100644
index 000000000000..046bba5dda0f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libaio/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchurl, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  version = "0.3.112";
+  pname = "libaio";
+
+  src = fetchurl {
+    url = "https://pagure.io/libaio/archive/${pname}-${version}/${pname}-${pname}-${version}.tar.gz";
+    sha256 = "0wi2myh191sja13qj3claxhpfkngvy10x30f78hm9cxzkfr97kxp";
+  };
+
+  postPatch = ''
+    patchShebangs harness
+
+    # Makefile is too optimistic, gcc is too smart
+    substituteInPlace harness/Makefile \
+      --replace "-Werror" ""
+  '';
+
+  makeFlags = [
+    "prefix=${placeholder "out"}"
+  ] ++ lib.optional stdenv.hostPlatform.isStatic "ENABLE_SHARED=0";
+
+  hardeningDisable = lib.optional (stdenv.isi686) "stackprotector";
+
+  checkTarget = "partcheck"; # "check" needs root
+
+  meta = {
+    description = "Library for asynchronous I/O in Linux";
+    homepage = "http://lse.sourceforge.net/io/aio.html";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21;
+    maintainers = with lib.maintainers; [ ];
+  };
+}
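Review bot: `hardeningDisable = lib.optional (stdenv.isi686) "stackprotector";` removes the stack protector on i686 without a comment explaining why. A hardening exception should carry its reason so it can be dropped once the cause is gone, e.g. `# <reason the stack protector breaks the i686 build>`. `maintainers = with lib.maintainers; [ ];` also leaves the library without an owner.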
diff --git a/nixpkgs/pkgs/os-specific/linux/libatasmart/default.nix b/nixpkgs/pkgs/os-specific/linux/libatasmart/default.nix
new file mode 100644
index 000000000000..d5be78e913b7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libatasmart/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, fetchurl, pkg-config, udev, buildPackages }:
+
+stdenv.mkDerivation rec {
+  pname = "libatasmart";
+  version = "0.19";
+
+  src = fetchurl {
+    url = "http://0pointer.de/public/libatasmart-${version}.tar.xz";
+    sha256 = "138gvgdwk6h4ljrjsr09pxk1nrki4b155hqdzyr8mlk3bwsfmw31";
+  };
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ udev ];
+
+  meta = with lib; {
+    homepage = "http://0pointer.de/blog/projects/being-smart.html";
+    description = "Library for querying ATA SMART status";
+    license = licenses.lgpl21;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libbpf/default.nix b/nixpkgs/pkgs/os-specific/linux/libbpf/default.nix
new file mode 100644
index 000000000000..2c15e3d49ee1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libbpf/default.nix
@@ -0,0 +1,49 @@
+{ fetchFromGitHub
+, elfutils
+, pkg-config
+, stdenv
+, zlib
+, lib
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libbpf";
+  version = "0.8.1";
+
+  src = fetchFromGitHub {
+    owner = "libbpf";
+    repo = "libbpf";
+    rev = "v${version}";
+    sha256 = "sha256-daVS+TErmDU8ksThOvcepg1A61iD8N8GIkC40cmc9/8=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ elfutils zlib ];
+
+  enableParallelBuilding = true;
+  makeFlags = [ "PREFIX=$(out)" "-C src" ];
+
+  passthru.tests = {
+    bpf = nixosTests.bpf;
+  };
+
+  postInstall = ''
+    # install linux's libbpf-compatible linux/btf.h
+    install -Dm444 include/uapi/linux/*.h -t $out/include/linux
+  '';
+
+  # FIXME: Multi-output requires some fixes to the way the pkg-config file is
+  # constructed (it gets put in $out instead of $dev for some reason, with
+  # improper paths embedded). Don't enable it for now.
+
+  # outputs = [ "out" "dev" ];
+
+  meta = with lib; {
+    description = "Upstream mirror of libbpf";
+    homepage = "https://github.com/libbpf/libbpf";
+    license = with licenses; [ lgpl21 /* or */ bsd2 ];
+    maintainers = with maintainers; [ thoughtpolice vcunat saschagrunert martinetd ];
+    platforms = platforms.linux;
+  };
+}
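Review bot: `makeFlags` passes `"-C src"` as a single list element, which only works because the list is flattened to a string and word-split again before `make` sees it. Writing it as two elements, `"-C" "src"`, keeps working if the flags are ever passed as a real array. The `postInstall` comment names only `linux/btf.h`, but the glob `include/uapi/linux/*.h` installs every header in that directory, so the comment should say that.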
diff --git a/nixpkgs/pkgs/os-specific/linux/libcap-ng/default.nix b/nixpkgs/pkgs/os-specific/linux/libcap-ng/default.nix
new file mode 100644
index 000000000000..ad01a83ac935
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libcap-ng/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchurl, swig ? null, python2 ? null, python3 ? null }:
+
+assert python2 != null || python3 != null -> swig != null;
+
+stdenv.mkDerivation rec {
+  pname = "libcap-ng";
+  # When updating make sure to test that the version with
+  # all of the python bindings still works
+  version = "0.8.3";
+
+  src = fetchurl {
+    url = "${meta.homepage}/${pname}-${version}.tar.gz";
+    sha256 = "sha256-vtb2hI4iuy+Dtfdksq7w7TkwVOgDqOOocRyyo55rSS0=";
+  };
+
+  nativeBuildInputs = [ swig ];
+  buildInputs = [ python2 python3 ];
+
+  postPatch = ''
+    function get_header() {
+      echo -e "#include <$1>" | gcc -M -xc - | tr ' ' '\n' | grep "$1" | head -n 1
+    }
+
+    # Fix some hardcoding of header paths
+    sed -i "s,/usr/include/linux/capability.h,$(get_header linux/capability.h),g" bindings/python{,3}/Makefile.in
+  '';
+
+  configureFlags = [
+    (if python2 != null then "--with-python" else "--without-python")
+    (if python3 != null then "--with-python3" else "--without-python3")
+  ];
+
+  meta = let inherit (lib) platforms licenses; in {
+    description = "Library for working with POSIX capabilities";
+    homepage = "https://people.redhat.com/sgrubb/libcap-ng/";
+    platforms = platforms.linux;
+    license = licenses.lgpl21;
+  };
+}
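Review bot: `src.url` is built from `${meta.homepage}`, so editing the homepage field silently changes where the tarball is downloaded from, and because the homepage ends in `/` the resulting URL contains `//`. Spelling the location out keeps metadata and fetch independent: `url = "https://people.redhat.com/sgrubb/libcap-ng/${pname}-${version}.tar.gz";`. In `postPatch`, `get_header` calls `gcc` by name, which presumably breaks on non-GCC or cross toolchains; `$CC` would follow the compiler actually in use.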
diff --git a/nixpkgs/pkgs/os-specific/linux/libcap/default.nix b/nixpkgs/pkgs/os-specific/linux/libcap/default.nix
new file mode 100644
index 000000000000..0577107fd026
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libcap/default.nix
@@ -0,0 +1,66 @@
+{ stdenv, lib, buildPackages, fetchurl, attr, runtimeShell
+, usePam ? !isStatic, pam ? null
+, isStatic ? stdenv.hostPlatform.isStatic
+}:
+
+assert usePam -> pam != null;
+
+stdenv.mkDerivation rec {
+  pname = "libcap";
+  version = "2.65";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/libs/security/linux-privs/libcap2/${pname}-${version}.tar.xz";
+    sha256 = "sha256-c+NQAgzDH+FTYIedGThP+jOVqCXwZfz2vaOlzfllvr0=";
+  };
+
+  outputs = [ "out" "dev" "lib" "man" "doc" ]
+    ++ lib.optional usePam "pam";
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+  buildInputs = lib.optional usePam pam;
+
+  propagatedBuildInputs = [ attr ];
+
+  makeFlags = [
+    "lib=lib"
+    "PAM_CAP=${if usePam then "yes" else "no"}"
+    "BUILD_CC=$(CC_FOR_BUILD)"
+    "CC:=$(CC)"
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ] ++ lib.optional isStatic "SHARED=no";
+
+  postPatch = ''
+    patchShebangs ./progs/mkcapshdoc.sh
+
+    # use full path to bash
+    substituteInPlace progs/capsh.c --replace "/bin/bash" "${runtimeShell}"
+
+    # set prefixes
+    substituteInPlace Make.Rules \
+      --replace 'prefix=/usr' "prefix=$lib" \
+      --replace 'exec_prefix=' "exec_prefix=$out" \
+      --replace 'lib_prefix=$(exec_prefix)' "lib_prefix=$lib" \
+      --replace 'inc_prefix=$(prefix)' "inc_prefix=$dev" \
+      --replace 'man_prefix=$(prefix)' "man_prefix=$doc"
+  '';
+
+  installFlags = [ "RAISE_SETFCAP=no" ];
+
+  postInstall = ''
+    ${lib.optionalString (!isStatic) ''rm "$lib"/lib/*.a''}
+    mkdir -p "$doc/share/doc/${pname}-${version}"
+    cp License "$doc/share/doc/${pname}-${version}/"
+  '' + lib.optionalString usePam ''
+    mkdir -p "$pam/lib/security"
+    mv "$lib"/lib/security "$pam/lib"
+  '';
+
+  meta = {
+    description = "Library for working with POSIX capabilities";
+    homepage = "https://sites.google.com/site/fullycapable";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.bsd3;
+  };
+}
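Review bot: `installFlags = [ "RAISE_SETFCAP=no" ];` has no comment explaining what it switches off, although it is one of the security-relevant choices in this file. A line such as `# do not try to set file capabilities at install time; store paths cannot carry them` would help, with the wording confirmed against upstream's Makefile, which is not shown here. Separately, `man_prefix` is rewritten to `$doc` although a `man` output is declared; presumably the multiple-outputs hook moves the pages afterwards, but a comment would settle the question.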
diff --git a/nixpkgs/pkgs/os-specific/linux/libcgroup/default.nix b/nixpkgs/pkgs/os-specific/linux/libcgroup/default.nix
new file mode 100644
index 000000000000..6d6a8e7c21e1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libcgroup/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub, pam, bison, flex, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "libcgroup";
+  version = "0.42.2";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1h8s70lm6g7r0wj7j3xgj2g3j9fifvsy2pna6w0j3i5hh42qfms4";
+  };
+
+  buildInputs = [ pam bison flex ];
+  nativeBuildInputs = [ autoreconfHook ];
+
+  postPatch = ''
+    substituteInPlace src/tools/Makefile.am \
+      --replace 'chmod u+s' 'chmod +x'
+  '';
+
+  meta = {
+    description = "Library and tools to manage Linux cgroups";
+    homepage    = "http://libcg.sourceforge.net/";
+    license     = lib.licenses.lgpl2;
+    platforms   = lib.platforms.linux;
+    maintainers = [ lib.maintainers.thoughtpolice ];
+  };
+}
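Review bot: The `postPatch` rewrite of `chmod u+s` to `chmod +x` in `src/tools/Makefile.am` drops a setuid bit that upstream sets, and no comment says so. The change itself is expected, since store paths cannot hold setuid binaries, but the affected tool then runs with the caller's privileges and may not work as upstream intends for unprivileged users. A comment makes that visible: `# the store cannot contain setuid binaries; use security.wrappers if setuid behaviour is needed`.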
diff --git a/nixpkgs/pkgs/os-specific/linux/libevdevc/default.nix b/nixpkgs/pkgs/os-specific/linux/libevdevc/default.nix
new file mode 100644
index 000000000000..4998ee3e6b57
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libevdevc/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub, coreutils, pkg-config, glib, jsoncpp }:
+
+stdenv.mkDerivation rec {
+  pname = "libevdevc";
+  version = "2.0.1";
+  src = fetchFromGitHub {
+    owner = "hugegreenbug";
+    repo = "libevdevc";
+    rev = "v${version}";
+    sha256 = "0ry30krfizh87yckmmv8n082ad91mqhhbbynx1lfidqzb6gdy2dd";
+  };
+
+  postPatch = ''
+    substituteInPlace common.mk \
+      --replace /bin/echo ${coreutils}/bin/echo
+    substituteInPlace include/module.mk \
+      --replace /usr/include /include
+  '';
+
+  makeFlags = [ "DESTDIR=$(out)" "LIBDIR=/lib" ];
+
+  meta = with lib; {
+    description = "ChromiumOS libevdev. Renamed to avoid conflicts with the standard libevdev found in Linux distros";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    homepage = "https://chromium.googlesource.com/chromiumos/platform/libevdev/";
+    maintainers = with maintainers; [ kcalvinalvin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libgestures/default.nix b/nixpkgs/pkgs/os-specific/linux/libgestures/default.nix
new file mode 100644
index 000000000000..1454c0c78a50
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libgestures/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, glib, jsoncpp }:
+
+stdenv.mkDerivation rec {
+  pname = "libgestures";
+  version = "2.0.1";
+  src = fetchFromGitHub {
+    owner = "hugegreenbug";
+    repo = "libgestures";
+    rev = "v${version}";
+    sha256 = "0dfvads2adzx4k8cqc1rbwrk1jm2wn9wl2jk51m26xxpmh1g0zab";
+  };
+  patches = [ ./include-fix.patch ];
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace -Werror -Wno-error \
+      --replace '$(DESTDIR)/usr/include' '$(DESTDIR)/include'
+  '';
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ glib jsoncpp ];
+
+
+  makeFlags = [ "DESTDIR=$(out)" "LIBDIR=/lib" ];
+
+  meta = with lib; {
+    description = "ChromiumOS libgestures modified to compile for Linux";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    homepage = "https://chromium.googlesource.com/chromiumos/platform/gestures";
+    maintainers = with maintainers; [ kcalvinalvin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libgestures/include-fix.patch b/nixpkgs/pkgs/os-specific/linux/libgestures/include-fix.patch
new file mode 100644
index 000000000000..851be4771434
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libgestures/include-fix.patch
@@ -0,0 +1,12 @@
+diff -ur a/include/gestures/include/finger_metrics.h b/include/gestures/include/finger_metrics.h
+--- a/include/gestures/include/finger_metrics.h    1970-01-01 09:00:01.000000000 +0900
++++ b/include/gestures/include/finger_metrics.h    2018-12-01 16:58:51.590718511 +0900
+@@ -5,6 +5,8 @@
+ #ifndef GESTURES_FINGER_METRICS_H_
+ #define GESTURES_FINGER_METRICS_H_
+ 
++#include <math.h>
++
+ #include "gestures/include/gestures.h"
+ #include "gestures/include/prop_registry.h"
+#include "gestures/include/vector.h"
diff --git a/nixpkgs/pkgs/os-specific/linux/libnl/default.nix b/nixpkgs/pkgs/os-specific/linux/libnl/default.nix
new file mode 100644
index 000000000000..08a55134e773
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libnl/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, file, lib, fetchFromGitHub, autoreconfHook, bison, flex, pkg-config
+, pythonSupport ? false, swig ? null, python ? null}:
+
+stdenv.mkDerivation rec {
+  pname = "libnl";
+  version = "3.7.0";
+
+  src = fetchFromGitHub {
+    repo = "libnl";
+    owner = "thom311";
+    rev = "libnl${lib.replaceStrings ["."] ["_"] version}";
+    sha256 = "sha256-Ty9NdWKWB29MTRfG5OJlSE0mSTN3Wy+sR4KtuExXcB4=";
+  };
+
+  outputs = [ "bin" "dev" "out" "man" ] ++ lib.optional pythonSupport "py";
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [ autoreconfHook bison flex pkg-config file ]
+    ++ lib.optional pythonSupport swig;
+
+  postBuild = lib.optionalString (pythonSupport) ''
+      cd python
+      ${python.interpreter} setup.py install --prefix=../pythonlib
+      cd -
+  '';
+
+  postFixup = lib.optionalString pythonSupport ''
+    mv "pythonlib/" "$py"
+  '';
+
+  passthru = {
+    inherit pythonSupport;
+  };
+
+  meta = with lib; {
+    homepage = "http://www.infradead.org/~tgr/libnl/";
+    description = "Linux Netlink interface library suite";
+    license = licenses.lgpl21;
+    maintainers = with maintainers; [ fpletz ];
+    platforms = platforms.linux;
+  };
+}
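Review bot: `swig` and `python` default to `null`, but nothing checks them when `pythonSupport` is true, so `${python.interpreter}` in `postBuild` fails with an evaluation error that does not point at the missing argument. `libcap-ng` and `libselinux` in this commit guard the same pattern with an assertion; here it would be `assert pythonSupport -> swig != null && python != null;` before `stdenv.mkDerivation`. `postBuild` installs into a relative `../pythonlib` that `postFixup` later moves to `$py`, and a comment on that two-step would help.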
diff --git a/nixpkgs/pkgs/os-specific/linux/libnss-mysql/default.nix b/nixpkgs/pkgs/os-specific/linux/libnss-mysql/default.nix
new file mode 100644
index 000000000000..77e629b03074
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libnss-mysql/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, which, libmysqlclient }:
+
+stdenv.mkDerivation rec {
+  pname = "libnss-mysql";
+  version = "1.7.1";
+
+  src = fetchFromGitHub {
+    owner = "saknopper";
+    repo = "libnss-mysql";
+    rev = "v${version}";
+    sha256 = "1fhsswa3h2nkhjkyjxxqnj07rlx6bmfvd8j521snimx2jba8h0d6";
+  };
+
+  nativeBuildInputs = [ autoreconfHook which ];
+  buildInputs = [ libmysqlclient ];
+
+  configureFlags = [ "--sysconfdir=/etc" ];
+  installFlags = [ "sysconfdir=$(out)/etc" ];
+  postInstall = ''
+    rm -r $out/etc
+  '';
+
+  meta = with lib; {
+    description = "MySQL module for the Solaris Nameservice Switch (NSS)";
+    homepage = "https://github.com/saknopper/libnss-mysql";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ netali ];
+  };
+}
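Review bot: `configureFlags`, `installFlags` and the `rm -r $out/etc` in `postInstall` work together but carry no comment. As far as the visible lines show, the module is configured to read from `/etc`, `make install` is redirected to `$out/etc`, and the installed files are then deleted, so the package ships no configuration at all. A comment above `configureFlags` would document that: `# configuration is read from /etc at run time; files installed into $out/etc are discarded`. `$out` in the `rm` is unquoted.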
diff --git a/nixpkgs/pkgs/os-specific/linux/libpsm2/default.nix b/nixpkgs/pkgs/os-specific/linux/libpsm2/default.nix
new file mode 100644
index 000000000000..ebfe492f7364
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libpsm2/default.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, fetchFromGitHub, numactl, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "libpsm2";
+  version = "11.2.229";
+
+  preConfigure= ''
+    export UDEVDIR=$out/etc/udev
+    substituteInPlace ./Makefile --replace "udevrulesdir}" "prefix}/etc/udev";
+  '';
+
+  enableParallelBuilding = true;
+
+  buildInputs = [ numactl pkg-config ];
+
+  makeFlags = [
+    # Disable blanket -Werror to avoid build failures
+    # on fresh toolchains like gcc-11.
+    "WERROR="
+  ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+    "UDEVDIR=/etc/udev"
+    "LIBPSM2_COMPAT_CONF_DIR=/etc"
+  ];
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "opa-psm2";
+    rev = "PSM2_${version}";
+    sha256 = "sha256-t3tZCxGmGMscDmeyCATLbHxU7jEJqAzxwPV0Z8pl2ko=";
+  };
+
+  postInstall = ''
+    mv $out/usr/* $out
+    rmdir $out/usr
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/intel/opa-psm2";
+    description = "The PSM2 library supports a number of fabric media and stacks";
+    license = with licenses; [ gpl2 bsd3 ];
+    platforms = [ "x86_64-linux" ];
+    maintainers = [ maintainers.bzizou ];
+  };
+}
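Review bot: `pkg-config` is listed in `buildInputs`, but it is a build-time tool and belongs in `nativeBuildInputs`; as written it would presumably not be found when cross-compiling or with `strictDeps`. Suggested: `nativeBuildInputs = [ pkg-config ];` and `buildInputs = [ numactl ];`. The stray `;` after the `substituteInPlace` line and the missing space in `preConfigure= ` are cosmetic.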
diff --git a/nixpkgs/pkgs/os-specific/linux/libratbag/default.nix b/nixpkgs/pkgs/os-specific/linux/libratbag/default.nix
new file mode 100644
index 000000000000..a264c4544874
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libratbag/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchFromGitHub, meson, ninja, pkg-config
+, glib, systemd, udev, libevdev, gitMinimal, check, valgrind, swig, python3
+, json-glib, libunistring }:
+
+stdenv.mkDerivation rec {
+  pname = "libratbag";
+  version = "0.16";
+
+  src = fetchFromGitHub {
+    owner  = "libratbag";
+    repo   = "libratbag";
+    rev    = "v${version}";
+    sha256 = "sha256-wJLG0Gxm1RWwW5SCGoa2QscU1VC0r93KZfEMNVg3Tko=";
+  };
+
+  nativeBuildInputs = [
+    meson ninja pkg-config gitMinimal swig check valgrind
+  ];
+
+  buildInputs = [
+    glib systemd udev libevdev json-glib libunistring
+    (python3.withPackages (ps: with ps; [ evdev pygobject3 ]))
+  ];
+
+  mesonFlags = [
+    "-Dsystemd-unit-dir=./lib/systemd/system/"
+  ];
+
+  meta = with lib; {
+    description = "Configuration library for gaming mice";
+    homepage    = "https://github.com/libratbag/libratbag";
+    license     = licenses.mit;
+    maintainers = with maintainers; [ mvnetbiz ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libselinux/default.nix b/nixpkgs/pkgs/os-specific/linux/libselinux/default.nix
new file mode 100644
index 000000000000..fd697fed7763
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libselinux/default.nix
@@ -0,0 +1,85 @@
+{ lib, stdenv, fetchurl, fetchpatch, buildPackages, pcre, pkg-config, libsepol
+, enablePython ? !stdenv.hostPlatform.isStatic, swig ? null, python3 ? null
+, fts
+}:
+
+assert enablePython -> swig != null && python3 != null;
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "libselinux";
+  version = "3.3";
+  inherit (libsepol) se_url;
+
+  outputs = [ "bin" "out" "dev" "man" ] ++ optional enablePython "py";
+
+  src = fetchurl {
+    url = "${se_url}/${version}/libselinux-${version}.tar.gz";
+    sha256 = "0mvh793g7fg6wb6zqhkdyrv80x6k84ypqwi8ii89c91xcckyxzdc";
+  };
+
+  patches = [
+    # Make it possible to disable shared builds (for pkgsStatic).
+    #
+    # We can't use fetchpatch because it processes includes/excludes
+    # /after/ stripping the prefix, which wouldn't work here because
+    # there would be no way to distinguish between
+    # e.g. libselinux/src/Makefile and libsepol/src/Makefile.
+    #
+    # This is a static email, so we shouldn't have to worry about
+    # normalizing the patch.
+    (fetchurl {
+      url = "https://lore.kernel.org/selinux/20211113141616.361640-1-hi@alyssa.is/raw";
+      sha256 = "16a2s2ji9049892i15yyqgp4r20hi1hij4c1s4s8law9jsx65b3n";
+      postFetch = ''
+        mv "$out" $TMPDIR/patch
+        ${buildPackages.patchutils_0_3_3}/bin/filterdiff \
+            -i 'a/libselinux/*' --strip 1 <$TMPDIR/patch >"$out"
+      '';
+    })
+  ];
+
+  nativeBuildInputs = [ pkg-config python3 ] ++ optionals enablePython [ swig ];
+  buildInputs = [ libsepol pcre fts ] ++ optionals enablePython [ python3 ];
+
+  # drop fortify here since package uses it by default, leading to compile error:
+  # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
+  hardeningDisable = [ "fortify" ];
+
+  NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "INCDIR=$(dev)/include/selinux"
+    "INCLUDEDIR=$(dev)/include"
+    "MAN3DIR=$(man)/share/man/man3"
+    "MAN5DIR=$(man)/share/man/man5"
+    "MAN8DIR=$(man)/share/man/man8"
+    "SBINDIR=$(bin)/sbin"
+    "SHLIBDIR=$(out)/lib"
+
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ optionals stdenv.hostPlatform.isStatic [
+    "DISABLE_SHARED=y"
+  ] ++ optionals enablePython [
+    "PYTHON=${python3.pythonForBuild.interpreter}"
+    "PYTHONLIBDIR=$(py)/${python3.sitePackages}"
+  ];
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
+    substituteInPlace src/procattr.c \
+      --replace "#include <unistd.h>" ""
+  '';
+
+  preInstall = optionalString enablePython ''
+    mkdir -p $py/${python3.sitePackages}/selinux
+  '';
+
+  installTargets = [ "install" ] ++ optional enablePython "install-pywrap";
+
+  meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
+    description = "SELinux core library";
+  };
+}
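Review bot: The patch fetched from lore.kernel.org is rewritten in `postFetch`, so the `sha256` covers `filterdiff`'s output rather than the downloaded mail, and the pin to `buildPackages.patchutils_0_3_3` is unexplained. Presumably the pin keeps that output byte-stable; a comment would record it, e.g. `# sha256 is of the filtered patch; patchutils is pinned so the output does not change`. `NIX_CFLAGS_COMPILE = "-Wno-error"` also disables all warnings-as-errors with no reason given, unlike the `hardeningDisable` line just above it, which is documented.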
diff --git a/nixpkgs/pkgs/os-specific/linux/libsemanage/default.nix b/nixpkgs/pkgs/os-specific/linux/libsemanage/default.nix
new file mode 100644
index 000000000000..d828c38be1d9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libsemanage/default.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv, fetchurl, pkg-config, bison, flex, libsepol, libselinux, bzip2, audit
+, enablePython ? true, swig ? null, python ? null
+}:
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "libsemanage";
+  version = "3.3";
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/libsemanage-${version}.tar.gz";
+    sha256 = "1s3wb66l47blc15s6lkqs11j9l8pycdqqbb03x3vpfrlz9dfrl44";
+   };
+
+  outputs = [ "out" "dev" "man" ] ++ optional enablePython "py";
+
+  strictDeps = true;
+
+  nativeBuildInputs = [ bison flex pkg-config ] ++ optional enablePython swig;
+  buildInputs = [ libsepol libselinux bzip2 audit ]
+    ++ optional enablePython python;
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "INCLUDEDIR=$(dev)/include"
+    "MAN3DIR=$(man)/share/man/man3"
+    "MAN5DIR=$(man)/share/man/man5"
+    "PYTHON=python"
+    "PYPREFIX=python"
+    "PYTHONLIBDIR=$(py)/${python.sitePackages}"
+    "DEFAULT_SEMANAGE_CONF_LOCATION=$(out)/etc/selinux/semanage.conf"
+  ];
+
+  # The following turns the 'clobbered' error into a warning
+  # which should fix the following error:
+  #
+  # semanage_store.c: In function 'semanage_exec_prog':
+  # semanage_store.c:1278:6: error: variable 'i' might be clobbered by 'longjmp' or 'vfork' [8;;https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wclobbered-Werror=clobbered8;;]
+  #  1278 |  int i;
+  #       |      ^
+  # cc1: all warnings being treated as errors
+  NIX_CFLAGS_COMPILE = [ "-Wno-error=clobbered" ];
+
+  installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ];
+
+  enableParallelBuilding = true;
+
+  meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
+    description = "Policy management tools for SELinux";
+    license = lib.licenses.lgpl21;
+  };
+}
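Review bot: `makeFlags` interpolates `${python.sitePackages}` unconditionally, but `python` defaults to `null` and is otherwise used only under `enablePython`, so evaluating with `enablePython = false` and no `python` fails. `libselinux` in this commit wraps its Python flags in `optionals enablePython [ ... ]`; the same should be done here for the three Python-related flags, as sketched below. An `assert enablePython -> swig != null && python != null;` before `stdenv.mkDerivation` would also match `libselinux`. The quoted compiler error above `NIX_CFLAGS_COMPILE` still contains terminal-escape residue (`8;;`) around the GCC URL.

```nix
  makeFlags = [
    "PREFIX=$(out)"
    # … unchanged: INCLUDEDIR, MAN3DIR, MAN5DIR …
    "DEFAULT_SEMANAGE_CONF_LOCATION=$(out)/etc/selinux/semanage.conf"
  ] ++ optionals enablePython [
    "PYTHON=python"
    "PYPREFIX=python"
    "PYTHONLIBDIR=$(py)/${python.sitePackages}"
  ];
```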
diff --git a/nixpkgs/pkgs/os-specific/linux/libsepol/default.nix b/nixpkgs/pkgs/os-specific/linux/libsepol/default.nix
new file mode 100644
index 000000000000..108e65072314
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libsepol/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchurl, fetchpatch, flex }:
+
+stdenv.mkDerivation rec {
+  pname = "libsepol";
+  version = "3.3";
+  se_url = "https://github.com/SELinuxProject/selinux/releases/download";
+
+  outputs = [ "bin" "out" "dev" "man" ];
+
+  src = fetchurl {
+    url = "${se_url}/${version}/libsepol-${version}.tar.gz";
+    sha256 = "12r39ygn7aa1kz52wibfr4520m0cp75hlrn3i6rnjqa6p0zdz5rd";
+  };
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
+    substituteInPlace src/Makefile --replace 'all: $(LIBA) $(LIBSO)' 'all: $(LIBA)'
+    sed -i $'/^\t.*LIBSO/d' src/Makefile
+  '';
+
+  nativeBuildInputs = [ flex ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "BINDIR=$(bin)/bin"
+    "INCDIR=$(dev)/include/sepol"
+    "INCLUDEDIR=$(dev)/include"
+    "MAN3DIR=$(man)/share/man/man3"
+    "MAN8DIR=$(man)/share/man/man8"
+    "SHLIBDIR=$(out)/lib"
+  ];
+
+  NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  enableParallelBuilding = true;
+
+  passthru = { inherit se_url; };
+
+  meta = with lib; {
+    description = "SELinux binary policy manipulation library";
+    homepage = "http://userspace.selinuxproject.org";
+    platforms = platforms.linux;
+    maintainers = [ ];
+    license = lib.licenses.gpl2Plus;
+  };
+}
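Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error";` demotes every warning-as-error for the whole build, so any new compiler diagnostic in this policy-parsing library passes silently. The libsemanage expression in this same commit shows the narrower form, `-Wno-error=clobbered`, with the compiler message quoted in a comment. The failing diagnostic for libsepol is not shown here, so the equivalent would be `-Wno-error=<warning-name>` (placeholder) with a comment recording the error it works around. The `homepage` is also an `http://` URL, and an `https://` one would be preferable if the site serves it.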
diff --git a/nixpkgs/pkgs/os-specific/linux/libsmbios/default.nix b/nixpkgs/pkgs/os-specific/linux/libsmbios/default.nix
new file mode 100644
index 000000000000..46d0e94bb14c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libsmbios/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, autoreconfHook, help2man, gettext
+, libxml2, perl, python3, doxygen }:
+
+
+stdenv.mkDerivation rec {
+  pname = "libsmbios";
+  version = "2.4.3";
+
+  src = fetchFromGitHub {
+    owner = "dell";
+    repo = "libsmbios";
+    rev = "v${version}";
+    sha256 = "0krwwydyvb9224r884y1mlmzyxhlfrcqw73vi1j8787rl0gl5a2i";
+  };
+
+  nativeBuildInputs = [ autoreconfHook doxygen gettext libxml2 help2man perl pkg-config ];
+
+  buildInputs = [ python3 ];
+
+  configureFlags = [ "--disable-graphviz" ];
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    mkdir -p $out/include
+    cp -a src/include/smbios_c $out/include/
+    cp -a out/public-include/smbios_c $out/include/
+  '';
+
+  preFixup = ''rm -rf "$(pwd)" ''; # Hack to avoid TMPDIR in RPATHs
+
+  meta = with lib; {
+    homepage = "https://github.com/dell/libsmbios";
+    description = "A library to obtain BIOS information";
+    license = with licenses; [ osl21 gpl2Plus ];
+    maintainers = with maintainers; [ ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libtraceevent/default.nix b/nixpkgs/pkgs/os-specific/linux/libtraceevent/default.nix
new file mode 100644
index 000000000000..c81949bf39a6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libtraceevent/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchgit, pkg-config, asciidoc, xmlto, docbook_xml_dtd_45, docbook_xsl, coreutils }:
+
+stdenv.mkDerivation rec {
+  pname = "libtraceevent";
+  version = "1.6.2";
+
+  src = fetchgit {
+    url = "git://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git";
+    rev = "libtraceevent-${version}";
+    sha256 = "sha256-iLy2rEKn0UJguRcY/W8RvUq7uX+snQojb/cXOmMsjwc=";
+  };
+
+  # Don't build and install html documentation
+  postPatch = ''
+    sed -i -e '/^all:/ s/html//' -e '/^install:/ s/install-html//' Documentation/Makefile
+    substituteInPlace scripts/utils.mk --replace /bin/pwd ${coreutils}/bin/pwd
+  '';
+
+  outputs = [ "out" "dev" "devman" ];
+  enableParallelBuilding = true;
+  nativeBuildInputs = [ pkg-config asciidoc xmlto docbook_xml_dtd_45 docbook_xsl ];
+  makeFlags = [
+    "prefix=${placeholder "out"}"
+    "doc"                       # build docs
+  ];
+  installFlags = [
+    "pkgconfig_dir=${placeholder "out"}/lib/pkgconfig"
+    "doc-install"
+  ];
+
+  meta = with lib; {
+    description = "Linux kernel trace event library";
+    homepage    = "https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git/";
+    license     = licenses.lgpl21Only;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ wentasah ];
+  };
+}
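Review bot: `fetchgit` pulls from `git://git.kernel.org/...`, which is the unauthenticated, unencrypted git protocol. The pinned `sha256` still guards the fetched tree, but whoever bumps the version computes the new hash from data a network attacker could alter in transit. The `homepage` in this file already uses the HTTPS form of the same repository, so the source can too: `url = "https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git";`. The libtracefs expression added in this commit has the same `git://` URL and should get the same change.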
diff --git a/nixpkgs/pkgs/os-specific/linux/libtracefs/default.nix b/nixpkgs/pkgs/os-specific/linux/libtracefs/default.nix
new file mode 100644
index 000000000000..3a973b9880d5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libtracefs/default.nix
@@ -0,0 +1,51 @@
+{ lib
+, stdenv
+, fetchgit
+, pkg-config
+, libtraceevent
+, asciidoc
+, xmlto
+, docbook_xml_dtd_45
+, docbook_xsl
+, coreutils
+, which
+, valgrind
+, sourceHighlight
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libtracefs";
+  version = "1.4.2";
+
+  src = fetchgit {
+    url = "git://git.kernel.org/pub/scm/libs/libtrace/libtracefs.git";
+    rev = "libtracefs-${version}";
+    sha256 = "sha256-CmFzonPq91iLflolJaucpPWzb8MCgfuov/OQ6KUD3f4=";
+  };
+
+  postPatch = ''
+    substituteInPlace scripts/utils.mk --replace /bin/pwd ${coreutils}/bin/pwd
+    patchShebangs check-manpages.sh
+  '';
+
+  outputs = [ "out" "dev" "devman" "doc" ];
+  enableParallelBuilding = true;
+  nativeBuildInputs = [ pkg-config asciidoc xmlto docbook_xml_dtd_45 docbook_xsl which valgrind sourceHighlight ];
+  buildInputs = [ libtraceevent ];
+  makeFlags = [
+    "prefix=${placeholder "out"}"
+    "doc"                       # build docs
+  ];
+  installFlags = [
+    "pkgconfig_dir=${placeholder "out"}/lib/pkgconfig"
+    "install_doc"
+  ];
+
+  meta = with lib; {
+    description = "Linux kernel trace file system library";
+    homepage    = "https://git.kernel.org/pub/scm/libs/libtrace/libtracefs.git/";
+    license     = licenses.lgpl21Only;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ wentasah ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libudev0-shim/default.nix b/nixpkgs/pkgs/os-specific/linux/libudev0-shim/default.nix
new file mode 100644
index 000000000000..642dd534232b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libudev0-shim/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub, udev }:
+
+stdenv.mkDerivation rec {
+  pname = "libudev0-shim";
+  version = "1";
+
+  src = fetchFromGitHub {
+    owner = "archlinux";
+    repo = "libudev0-shim";
+    rev = "v${version}";
+    sha256 = "1460qm6rp1cqnns39lj24z7191m8sbpvbjabqbzb55dkdd2kw50z";
+  };
+
+  buildInputs = [ udev ];
+
+  installPhase = ''
+    name="$(echo libudev.so.*)"
+    install -Dm755 "$name" "$out/lib/$name"
+    ln -s "$name" "$out/lib/libudev.so.0"
+  '';
+
+  meta = with lib; {
+    description = "Shim to preserve libudev.so.0 compatibility";
+    homepage = "https://github.com/archlinux/libudev0-shim";
+    platforms = platforms.linux;
+    license = licenses.lgpl21;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
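Review bot: The `installPhase` assigns to the shell variable `name`, which stdenv normally exports as the derivation name, so it is overwritten for the rest of the build. `$(echo libudev.so.*)` also returns the literal pattern when nothing matches and several space-joined names when more than one file matches; either case gives `install` a wrong path. A separately named variable (for example `soname`) plus an explicit check that the glob matched exactly one file would make the failure visible. The overridden phase also omits `runHook preInstall` / `runHook postInstall`, which the lsirec and lsiutil expressions in this commit include.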
diff --git a/nixpkgs/pkgs/os-specific/linux/libvolume_id/default.nix b/nixpkgs/pkgs/os-specific/linux/libvolume_id/default.nix
new file mode 100644
index 000000000000..653094c91884
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libvolume_id/default.nix
@@ -0,0 +1,27 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "libvolume_id";
+  version = "0.81.1";
+
+  src = fetchurl {
+    url = "https://www.marcuscom.com/downloads/libvolume_id-${version}.tar.bz2";
+    sha256 = "029z04vdxxsl8gycm9whcljhv6dy4b12ybsxdb99jr251gl1ifs5";
+  };
+
+  preBuild = "
+    makeFlagsArray=(prefix=$out E=echo RANLIB=${stdenv.cc.targetPrefix}ranlib INSTALL='install -c')
+  ";
+
+  # Work around a broken Makefile.
+  postInstall = "
+    rm $out/lib/libvolume_id.so.0
+    cp -f libvolume_id.so.0 $out/lib/
+  ";
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+    homepage = "http://www.marcuscom.com/downloads/";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/libwebcam/default.nix b/nixpkgs/pkgs/os-specific/linux/libwebcam/default.nix
new file mode 100644
index 000000000000..5f87a89496b7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libwebcam/default.nix
@@ -0,0 +1,51 @@
+{ lib
+, stdenv
+, fetchurl
+, cmake
+, pkg-config
+, libxml2
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libwebcam";
+  version = "0.2.5";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/project/${pname}/source/${pname}-src-${version}.tar.gz";
+    sha256 = "0hcxv8di83fk41zjh0v592qm7c0v37a3m3n3lxavd643gff1k99w";
+  };
+
+  patches = [
+    ./uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch
+  ];
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libxml2 ];
+
+  postPatch = ''
+    substituteInPlace ./uvcdynctrl/CMakeLists.txt \
+      --replace "/lib/udev" "$out/lib/udev"
+
+    substituteInPlace ./uvcdynctrl/udev/scripts/uvcdynctrl \
+      --replace 'debug=0' 'debug=''${NIX_UVCDYNCTRL_UDEV_DEBUG:-0}' \
+      --replace 'uvcdynctrlpath=uvcdynctrl' "uvcdynctrlpath=$out/bin/uvcdynctrl"
+
+    substituteInPlace ./uvcdynctrl/udev/rules/80-uvcdynctrl.rules \
+      --replace "/lib/udev" "$out/lib/udev"
+  '';
+
+
+  preConfigure = ''
+    cmakeFlagsArray=(
+      $cmakeFlagsArray
+      "-DCMAKE_INSTALL_PREFIX=$out"
+    )
+  '';
+
+  meta = with lib; {
+    description = "The webcam-tools package";
+    platforms = platforms.linux;
+    license = licenses.lgpl3;
+    maintainers = with maintainers; [ jraygauthier ];
+  };
+}
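Review bot: In `preConfigure`, `$cmakeFlagsArray` expands to only the first element of the bash array. Any further flags already in it are dropped, and the unquoted expansion is word-split. Appending avoids both problems: `cmakeFlagsArray+=("-DCMAKE_INSTALL_PREFIX=$out")`. The cmake setup hook normally passes the install prefix itself, so it is worth checking whether this block is needed at all.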
diff --git a/nixpkgs/pkgs/os-specific/linux/libwebcam/uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch b/nixpkgs/pkgs/os-specific/linux/libwebcam/uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch
new file mode 100644
index 000000000000..07e5f0bf852b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/libwebcam/uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch
@@ -0,0 +1,65 @@
+diff --git a/uvcdynctrl/main.c b/uvcdynctrl/main.c
+index b7befd1..f3a768c 100644
+--- a/uvcdynctrl/main.c
++++ b/uvcdynctrl/main.c
+@@ -674,27 +674,31 @@ get_filename (const char *dir_path, const char *vid)
+ 	printf ( "checking dir: %s \n", dir_path);
+ 	while ((dp = readdir(dir)) != NULL) 
+ 	{
+-		if((dp->d_type == DT_DIR) && (fnmatch("[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]", dp->d_name, 0) == 0))
++		if((dp->d_type == DT_DIR || dp->d_type == DT_LNK ) && (fnmatch("[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]", dp->d_name, 0) == 0))
+ 		{
+ 			if( strcasecmp(vid, dp->d_name) != 0)
+ 			{
+ 				/*doesn't match - clean up and move to the next entry*/
+ 				continue;
+ 			}
+-			
++
+ 			char *tmp = path_cat (dir_path, dp->d_name);
+-			printf("found dir: %s \n", dp->d_name);
++
+ 			DIR * subdir = opendir(tmp);
+-			while ((sdp = readdir(subdir)) != NULL) 
++			if ( subdir != NULL )
+ 			{
+-				if( fnmatch("*.xml", sdp->d_name, 0) == 0 )
++				printf("found dir: %s \n", dp->d_name);
++				while ((sdp = readdir(subdir)) != NULL) 
+ 				{
+-					file_list[nf-1] = path_cat (tmp, sdp->d_name);
+-					printf("found: %s \n", file_list[nf-1]);
+-					nf++;
+-					file_list = realloc(file_list,nf*sizeof(file_list));
+-					file_list[nf-1] = NULL;   
+-				} 
++					if( fnmatch("*.xml", sdp->d_name, 0) == 0 )
++					{
++						file_list[nf-1] = path_cat (tmp, sdp->d_name);
++						printf("found: %s \n", file_list[nf-1]);
++						nf++;
++						file_list = realloc(file_list,nf*sizeof(file_list));
++						file_list[nf-1] = NULL;   
++					} 
++				}
+ 			}
+ 			closedir(subdir);
+ 			free (tmp);
+@@ -869,9 +873,15 @@ main (int argc, char **argv)
+ 			pid_set = 1; /*flag pid.xml check*/
+ 			//printf("vid:%s pid:%s\n", vid, pid);
+ 		}
+-		
++
++		const char* dataDir = getenv( "NIX_UVCDYNCTRL_DATA_DIR" );
++		// When unavailable, fallback on data dir specified at build time.
++		if ( !dataDir ) {
++			dataDir = DATA_DIR;
++		}
++
+ 		/* get xml file list from DATA_DIR/vid/ */ 
+-		char **xml_files = get_filename (DATA_DIR, vid);
++		char **xml_files = get_filename (dataDir, vid);
+  
+ 		/*check for pid.xml*/
+ 		char fname[9];
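Review bot: The new `if ( subdir != NULL )` guard protects the `readdir` loop, but `closedir(subdir);` remains outside it as a context line, so a failed `opendir` still passes NULL to `closedir`, which POSIX leaves undefined. That failure is more likely now that `DT_LNK` entries are accepted, since a link may dangle or point at a non-directory. Moving the call inside the guarded block, just before its closing brace, fixes it. Two items for a separate look: the `realloc` result is stored back into `file_list` unchecked, and `NIX_UVCDYNCTRL_DATA_DIR` is read with plain `getenv`, so whoever controls the helper's environment chooses which directory of XML files is parsed. Both `get_filename` and `main` continue outside these hunks.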
diff --git a/nixpkgs/pkgs/os-specific/linux/light/default.nix b/nixpkgs/pkgs/os-specific/linux/light/default.nix
new file mode 100644
index 000000000000..6caa8e394508
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/light/default.nix
@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, coreutils }:
+
+stdenv.mkDerivation rec {
+  version = "1.2.2";
+  pname = "light";
+  src = fetchFromGitHub {
+    owner = "haikarainen";
+    repo = "light";
+    rev = "v${version}";
+    sha256 = "1a70zcf88ifsnwll486aicjnh48zisdf8f7vi34ihw61kdadsq9s";
+  };
+
+  patches = [
+    # Pull upstream fix for -fno-common toolchains:
+    #  https://github.com/haikarainen/light/pull/135
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/haikarainen/light/commit/eae912ca7ff3356805e47739114861d2b6ae7ec0.patch";
+      sha256 = "15jp8hm5scl0myiy1jmvd6m52lhx5jscvi3rgb5siwakmnkgzx9j";
+    })
+  ];
+
+  configureFlags = [ "--with-udev" ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  # ensure udev rules can find the commands used
+  postPatch = ''
+    substituteInPlace 90-backlight.rules \
+      --replace '/bin/chgrp' '${coreutils}/bin/chgrp' \
+      --replace '/bin/chmod' '${coreutils}/bin/chmod'
+  '';
+
+  meta = {
+    description = "GNU/Linux application to control backlights";
+    homepage = "https://haikarainen.github.io/light/";
+    license = lib.licenses.gpl3;
+    maintainers = with lib.maintainers; [ puffnfresh dtzWill ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lightum/default.nix b/nixpkgs/pkgs/os-specific/linux/lightum/default.nix
new file mode 100644
index 000000000000..95b766aec05b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lightum/default.nix
@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchFromGitHub, libX11, libXScrnSaver, libXext, glib, dbus, pkg-config, systemd }:
+
+stdenv.mkDerivation {
+  pname = "lightum";
+  version = "unstable-2014-06-07";
+
+  src = fetchFromGitHub {
+    owner = "poliva";
+    repo = "lightum";
+    rev = "123e6babe0669b23d4c1dfa5511088608ff2baa8";
+    sha256 = "sha256-dzWUVY2srgk6BM6jZ7FF+snxnPopz3fx9nq+mVkmogc=";
+  };
+
+  buildInputs = [
+    dbus
+    glib
+    libX11
+    libXScrnSaver
+    libXext
+    pkg-config
+    systemd
+  ];
+
+  patchPhase = ''
+    substituteInPlace Makefile \
+      --replace "libsystemd-login" "libsystemd"
+  '';
+
+  installPhase = ''
+    make install prefix=$out bindir=$out/bin docdir=$out/share/doc \
+      mandir=$out/share/man INSTALL="install -c" INSTALLDATA="install -c -m 644"
+  '';
+
+  meta = {
+    description = "MacBook automatic light sensor daemon";
+    homepage = "https://github.com/poliva/lightum";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ puffnfresh ];
+    platforms = lib.platforms.linux;
+  };
+}
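Review bot: `pkg-config` is listed in `buildInputs`, but it is a build-time tool and belongs in `nativeBuildInputs = [ pkg-config ];`. As written it is resolved for the host platform, which breaks cross builds and would not be found under `strictDeps`. The Makefile substitution would also be better in `postPatch` than in an overridden `patchPhase`, because replacing the phase means any `patches` added later are silently not applied. The custom `installPhase` likewise omits `runHook preInstall` / `runHook postInstall`.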
diff --git a/nixpkgs/pkgs/os-specific/linux/linux-wifi-hotspot/default.nix b/nixpkgs/pkgs/os-specific/linux/linux-wifi-hotspot/default.nix
new file mode 100644
index 000000000000..e5e4e1dca87a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/linux-wifi-hotspot/default.nix
@@ -0,0 +1,101 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, which
+, pkg-config
+, glib
+, gtk3
+, iw
+, makeWrapper
+, qrencode
+, hostapd
+, getopt
+, dnsmasq
+, iproute2
+, flock
+, iptables
+, gawk
+, coreutils
+, gnugrep
+, gnused
+, kmod
+, networkmanager
+, procps
+}:
+
+
+stdenv.mkDerivation rec {
+  pname = "linux-wifi-hotspot";
+  version = "4.4.0";
+
+  src = fetchFromGitHub {
+    owner = "lakinduakash";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-XCgYWOX7QSdANG6DqYk0yZZqnvZGDl3GaF9KtYRmpJ0=";
+  };
+
+  nativeBuildInputs = [
+    which
+    pkg-config
+    makeWrapper
+    qrencode
+    hostapd
+  ];
+
+  buildInputs = [
+    glib
+    gtk3
+  ];
+
+  outputs = [ "out" ];
+
+  postPatch = ''
+    substituteInPlace ./src/scripts/Makefile \
+      --replace "etc" "$out/etc"
+    substituteInPlace ./src/scripts/wihotspot \
+      --replace "/usr" "$out"
+  '';
+
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+  ];
+
+  postInstall = ''
+    wrapProgram $out/bin/create_ap \
+      --prefix PATH : ${lib.makeBinPath [
+          coreutils
+          dnsmasq
+          flock
+          gawk
+          getopt
+          gnugrep
+          gnused
+          hostapd
+          iproute2
+          iptables
+          iw
+          kmod
+          networkmanager
+          procps
+          which
+        ]}
+
+    wrapProgram $out/bin/wihotspot-gui \
+      --prefix PATH : ${lib.makeBinPath [ iw ]} \
+      --prefix PATH : "${placeholder "out"}/bin"
+
+    wrapProgram $out/bin/wihotspot \
+      --prefix PATH : ${lib.makeBinPath [ iw ]} \
+      --prefix PATH : "${placeholder "out"}/bin"
+  '';
+
+  meta = with lib; {
+    description = "Feature-rich wifi hotspot creator for Linux which provides both GUI and command-line interface";
+    homepage = "https://github.com/lakinduakash/linux-wifi-hotspot";
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ onny ];
+    platforms = platforms.unix;
+  };
+
+}
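Review bot: `--replace "etc" "$out/etc"` in `postPatch` rewrites every occurrence of the three letters `etc` in `src/scripts/Makefile`, not only the install path, and `--replace "/usr" "$out"` on `wihotspot` is equally unanchored. The upstream files are not visible here, so I cannot tell whether other matches exist today. Matching the full path token as it appears upstream would keep a later upstream edit from being mangled unnoticed, which matters in scripts that reconfigure networking and presumably run as root. `platforms = platforms.unix` also looks too wide for a tool wrapped around `iw`, `hostapd` and `iptables`; `platforms.linux` would match the directory the package lives in.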
diff --git a/nixpkgs/pkgs/os-specific/linux/linuxptp/default.nix b/nixpkgs/pkgs/os-specific/linux/linuxptp/default.nix
new file mode 100644
index 000000000000..4c14d2ecae3d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/linuxptp/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchurl, linuxHeaders } :
+
+
+stdenv.mkDerivation rec {
+  pname = "linuxptp";
+  version = "3.1.1";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/linuxptp/${pname}-${version}.tgz";
+    sha256 = "1nf0w4xyzg884v8blb81zkk6q8p6zbiq9lx61jdqwbbzkdgqbmll";
+  };
+
+  postPatch = ''
+    substituteInPlace incdefs.sh --replace \
+       '/usr/include/linux/' "${linuxHeaders}/include/linux/"
+  '';
+
+  makeFlags = [ "prefix=" ];
+
+  preInstall = ''
+    export DESTDIR=$out
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux";
+    homepage = "http://linuxptp.sourceforge.net/";
+    maintainers = [ maintainers.markuskowa ];
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/liquidtux/default.nix b/nixpkgs/pkgs/os-specific/linux/liquidtux/default.nix
new file mode 100644
index 000000000000..317801bb3cdd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/liquidtux/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "liquidtux-${version}-${kernel.version}";
+  version = "unstable-2021-12-16";
+
+  src = fetchFromGitHub {
+    owner = "liquidctl";
+    repo = "liquidtux";
+    rev = "342defc0e22ea58f8ab2ab0f191ad3fd302c44cb";
+    sha256 = "12rc3vzfq8vnq9x9ca6swk5ag0xkpgkzmga8ga7q80mah9kxbaax";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install nzxt-grid3.ko nzxt-kraken2.ko nzxt-kraken3.ko nzxt-smart2.ko -Dm444 -t ${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon
+  '';
+
+  meta = with lib; {
+    description = "Linux kernel hwmon drivers for AIO liquid coolers and other devices";
+    homepage = "https://github.com/liquidctl/liquidtux";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = with maintainers; [ nickhu ];
+    broken = lib.versionOlder kernel.version "5.10";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lksctp-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/lksctp-tools/default.nix
new file mode 100644
index 000000000000..19d6f10e3de1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lksctp-tools/default.nix
@@ -0,0 +1,18 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "lksctp-tools";
+  version = "1.0.17";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/lksctp/lksctp-tools-${version}.tar.gz";
+    sha256 = "05da6c2v3acc18ndvmkrag6x5lf914b7s0xkkr6wkvrbvd621sqs";
+  };
+
+  meta = with lib; {
+    description = "Linux Kernel Stream Control Transmission Protocol Tools";
+    homepage = "http://lksctp.sourceforge.net/";
+    license = with licenses; [ gpl2 lgpl21 ]; # library is lgpl21
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lm-sensors/default.nix b/nixpkgs/pkgs/os-specific/linux/lm-sensors/default.nix
new file mode 100644
index 000000000000..c40a37940543
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lm-sensors/default.nix
@@ -0,0 +1,51 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, bash
+, bison
+, flex
+, which
+, perl
+, sensord ? false
+, rrdtool ? null
+}:
+
+assert sensord -> rrdtool != null;
+
+stdenv.mkDerivation rec {
+  pname = "lm-sensors";
+  version = "3.6.0";
+  dashedVersion = lib.replaceStrings [ "." ] [ "-" ] version;
+
+  src = fetchFromGitHub {
+    owner = "lm-sensors";
+    repo = "lm-sensors";
+    rev = "V${dashedVersion}";
+    hash = "sha256-9lfHCcODlS7sZMjQhK0yQcCBEoGyZOChx/oM0CU37sY=";
+  };
+
+  nativeBuildInputs = [ bison flex which ];
+  # bash is required for correctly replacing the shebangs in all tools for cross-compilation.
+  buildInputs = [ bash perl ]
+    ++ lib.optional sensord rrdtool;
+
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "AR=${stdenv.cc.targetPrefix}ar"
+  ] ++ lib.optional sensord "PROG_EXTRA=sensord";
+
+  installFlags = [
+    "ETCDIR=${placeholder "out"}/etc"
+  ];
+
+  meta = with lib; {
+    homepage = "https://hwmon.wiki.kernel.org/lm_sensors";
+    changelog = "https://raw.githubusercontent.com/lm-sensors/lm-sensors/V${dashedVersion}/CHANGES";
+    description = "Tools for reading hardware sensors";
+    license = with licenses; [ lgpl21Plus gpl2Plus ];
+    maintainers = with maintainers; [ pmy ];
+    platforms = platforms.linux;
+    mainProgram = "sensors";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lockdep/default.nix b/nixpkgs/pkgs/os-specific/linux/lockdep/default.nix
new file mode 100644
index 000000000000..047b2499a827
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lockdep/default.nix
@@ -0,0 +1,67 @@
+{ lib, stdenv, fetchurl, bash, flex, bison, valgrind }:
+
+stdenv.mkDerivation rec {
+  pname = "lockdep";
+
+  # it would be nice to be able to pick a kernel version in sync with something
+  # else we already ship, but it seems userspace lockdep isn't very well maintained
+  # and appears broken in many kernel releases
+  version = "5.0.21";
+  fullver = "5.0.21";
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "1my2m9hvnvdrvzcg0fgqgaga59y2cd5zlpv7xrfj2nn98sjhglwq";
+  };
+
+  # ensure *this* kernel's userspace-headers are picked up before we
+  # fall back to those in glibc, as they will be from a mismatched
+  # kernel version
+  postPatch = ''
+    substituteInPlace tools/lib/lockdep/Makefile \
+      --replace 'CONFIG_INCLUDES =' $'CONFIG_INCLUDES = -I../../../usr/include\n#'
+  '';
+
+  nativeBuildInputs = [ flex bison ];
+
+  # Workaround build failure on -fno-common toolchains like upstream
+  # gcc-10. Otherwise build fails as:
+  #   ld: lockdep.o:/build/linux-5.0.21/tools/lib/lockdep/../../include/linux/rcu.h:5: multiple definition of
+  #     `rcu_scheduler_active'; common.o:/build/linux-5.0.21/tools/lib/lockdep/../../include/linux/rcu.h:5: first defined here
+  NIX_CFLAGS_COMPILE = "-fcommon";
+
+  buildPhase = ''
+    make defconfig
+    make headers_install
+    cd tools/lib/lockdep
+    make
+  '';
+
+  doCheck = true;
+  checkInputs = [ valgrind ];
+  checkPhase = ''
+    # there are more /bin/bash references than just shebangs
+    for f in lockdep run_tests.sh tests/*.sh; do
+      substituteInPlace $f \
+        --replace '/bin/bash' '${bash}/bin/bash'
+    done
+
+    ./run_tests.sh
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/lib $out/include
+
+    cp -R include/liblockdep $out/include
+    make install DESTDIR=$out prefix=""
+
+    substituteInPlace $out/bin/lockdep --replace "./liblockdep.so" "$out/lib/liblockdep.so.$fullver"
+  '';
+
+  meta = {
+    description = "Userspace locking validation tool built on the Linux kernel";
+    homepage    = "https://kernel.org/";
+    license     = lib.licenses.gpl2;
+    platforms   = lib.platforms.linux;
+    maintainers = [ lib.maintainers.thoughtpolice ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lsb-release/default.nix b/nixpkgs/pkgs/os-specific/linux/lsb-release/default.nix
new file mode 100644
index 000000000000..7ab10bfac124
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsb-release/default.nix
@@ -0,0 +1,21 @@
+{ substituteAll, lib
+, coreutils, getopt
+}:
+
+substituteAll {
+  name = "lsb_release";
+
+  src = ./lsb_release.sh;
+
+  dir = "bin";
+  isExecutable = true;
+
+  inherit coreutils getopt;
+
+  meta = with lib; {
+    description = "Prints certain LSB (Linux Standard Base) and Distribution information";
+    license = [ licenses.mit ];
+    maintainers = with maintainers; [ primeos ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lsb-release/lsb_release.sh b/nixpkgs/pkgs/os-specific/linux/lsb-release/lsb_release.sh
new file mode 100644
index 000000000000..47b449c31614
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsb-release/lsb_release.sh
@@ -0,0 +1,190 @@
+#! @shell@
+
+set -o errexit
+set -o nounset
+
+show_help() {
+  @coreutils@/bin/cat << EOF
+Usage: lsb_release [options]
+
+Options:
+  -h, --help         show this help message and exit
+  -v, --version      show LSB modules this system supports
+  -i, --id           show distributor ID
+  -d, --description  show description of this distribution
+  -r, --release      show release number of this distribution
+  -c, --codename     show code name of this distribution
+  -a, --all          show all of the above information
+  -s, --short        show requested information in short format
+EOF
+  exit 0
+}
+
+# Potential command-line options.
+version=0
+id=0
+description=0
+release=0
+codename=0
+all=0
+short=0
+
+@getopt@/bin/getopt --test > /dev/null && rc=$? || rc=$?
+if [[ $rc -ne 4 ]]; then
+  # This shouldn't happen.
+  echo "Warning: Enhanced getopt not supported, please open an issue." >&2
+else
+  # Define all short and long options.
+  SHORT=hvidrcas
+  LONG=help,version,id,description,release,codename,all,short
+
+  # Parse all options.
+  PARSED=`@getopt@/bin/getopt --options $SHORT --longoptions $LONG --name "$0" -- "$@"`
+
+  eval set -- "$PARSED"
+fi
+
+
+# Process each argument, and set the appropriate flag if we recognize it.
+while [[ $# -ge 1 ]]; do
+  case "$1" in
+    -v|--version)
+      version=1
+      ;;
+    -i|--id)
+      id=1
+      ;;
+    -d|--description)
+      description=1
+      ;;
+    -r|--release)
+      release=1
+      ;;
+    -c|--codename)
+      codename=1
+      ;;
+    -a|--all)
+      all=1
+      ;;
+    -s|--short)
+      short=1
+      ;;
+    -h|--help)
+      show_help
+      ;;
+    --)
+      shift
+      break
+      ;;
+    *)
+      echo "lsb_release: unrecognized option '$1'"
+      echo "Type 'lsb_release -h' for a list of available options."
+      exit 1
+      ;;
+  esac
+  shift
+done
+
+#  Read our variables.
+if [[ -e /etc/os-release ]]; then
+  . /etc/os-release
+  OS_RELEASE_FOUND=1
+else
+  # This is e.g. relevant for the Nix build sandbox and compatible with the
+  # original lsb_release binary:
+  OS_RELEASE_FOUND=0
+  NAME="n/a"
+  PRETTY_NAME="(none)"
+  VERSION_ID="n/a"
+  VERSION_CODENAME="n/a"
+fi
+
+# Default output
+if [[ "$version" = "0" ]] && [[ "$id" = "0" ]] && \
+   [[ "$description" = "0" ]] && [[ "$release" = "0" ]] && \
+   [[ "$codename" = "0" ]] && [[ "$all" = "0" ]]; then
+  if [[ "$OS_RELEASE_FOUND" = "1" ]]; then
+    echo "No LSB modules are available." >&2
+  else
+    if [[ "$short" = "0" ]]; then
+      printf "LSB Version:\tn/a\n"
+    else
+      printf "n/a\n"
+    fi
+  fi
+  exit 0
+fi
+
+# Now output the data - The order of these was chosen to match
+# what the original lsb_release used.
+
+SHORT_OUTPUT=""
+append_short_output() {
+  if [[ "$1" = "n/a" ]]; then
+    SHORT_OUTPUT+=" $1"
+  else
+    SHORT_OUTPUT+=" \"$1\""
+  fi
+}
+
+if [[ "$all" = "1" ]] || [[ "$version" = "1" ]]; then
+  if [[ "$OS_RELEASE_FOUND" = "1" ]]; then
+    if [[ "$short" = "0" ]]; then
+      echo "No LSB modules are available." >&2
+    else
+      append_short_output "n/a"
+    fi
+  else
+    if [[ "$short" = "0" ]]; then
+      printf "LSB Version:\tn/a\n"
+    else
+      append_short_output "n/a"
+    fi
+  fi
+fi
+
+if [[ "$all" = "1" ]] || [[ "$id" = "1" ]]; then
+  if [[ "$short" = "0" ]]; then
+    printf "Distributor ID:\t$NAME\n"
+  else
+    append_short_output "$NAME"
+  fi
+fi
+
+if [[ "$all" = "1" ]] || [[ "$description" = "1" ]]; then
+  if [[ "$short" = "0" ]]; then
+    printf "Description:\t$PRETTY_NAME\n"
+  else
+    append_short_output "$PRETTY_NAME"
+  fi
+fi
+
+if [[ "$all" = "1" ]] || [[ "$release" = "1" ]]; then
+  if [[ "$short" = "0" ]]; then
+    printf "Release:\t$VERSION_ID\n"
+  else
+    append_short_output "$VERSION_ID"
+  fi
+fi
+
+if [[ "$all" = "1" ]] || [[ "$codename" = "1" ]]; then
+  if [[ "$short" = "0" ]]; then
+    printf "Codename:\t$VERSION_CODENAME\n"
+  else
+    append_short_output "$VERSION_CODENAME"
+  fi
+fi
+
+if [[ "$short" = "1" ]]; then
+  # Output in one line without the first space:
+  echo "${SHORT_OUTPUT:1}"
+fi
+
+# For compatibility with the original lsb_release:
+if [[ "$OS_RELEASE_FOUND" = "0" ]]; then
+  if [[ "$all" = "1" ]] || [[ "$id" = "1" ]] || \
+     [[ "$description" = "1" ]] || [[ "$release" = "1" ]] || \
+     [[ "$codename" = "1" ]]; then
+    exit 3
+  fi
+fi
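Review bot: The four `printf` calls that print os-release fields place the value inside the format string, e.g. `printf "Distributor ID:\t$NAME\n"`. A `%` or backslash in `NAME`, `PRETTY_NAME`, `VERSION_ID` or `VERSION_CODENAME` is then interpreted as a conversion or escape instead of being printed. The value should be passed as an argument, `printf "Distributor ID:\t%s\n" "$NAME"`, and likewise for the `Description:`, `Release:` and `Codename:` lines. Separately, `set -o nounset` is in effect and `VERSION_ID` and `VERSION_CODENAME` are optional in os-release, so a file that omits one aborts the script with an unbound-variable error. Defaulting them after the `.` line, e.g. `: "${VERSION_CODENAME:=n/a}"`, avoids that.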
diff --git a/nixpkgs/pkgs/os-specific/linux/lsirec/default.nix b/nixpkgs/pkgs/os-specific/linux/lsirec/default.nix
new file mode 100644
index 000000000000..cf2da7d16480
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsirec/default.nix
@@ -0,0 +1,36 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "lsirec";
+  version = "unstable-2019-03-03";
+
+  src = fetchFromGitHub {
+    owner = "marcan";
+    repo = "lsirec";
+    rev = "2dfb6dc92649feb01a3ddcfd117d4a99098084f2";
+    sha256 = "sha256-8v+KKjAJlJNpUT0poedRTQfPiDiwahrosXD35Bmh3jM=";
+  };
+
+  buildInputs = [ python3 ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm755 'lsirec' "$out/bin/lsirec"
+    install -Dm755 'sbrtool.py' "$out/bin/sbrtool"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "LSI SAS2008/SAS2108 low-level recovery tool for Linux";
+    homepage = "https://github.com/marcan/lsirec";
+    platforms = platforms.linux;
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ Luflosi ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lsiutil/default.nix b/nixpkgs/pkgs/os-specific/linux/lsiutil/default.nix
new file mode 100644
index 000000000000..d880e6a60e03
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsiutil/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchurl
+, kmod
+, coreutils
+}:
+
+stdenv.mkDerivation rec {
+  pname = "lsiutil";
+  version = "1.72";
+
+  src = fetchurl {
+    url = "https://github.com/exactassembly/meta-xa-stm/raw/f96cf6e13f3c9c980f5651510dd96279b9b2af4f/recipes-support/lsiutil/files/lsiutil-${version}.tar.gz";
+    sha256 = "sha256-aTi+EogY1aDWYq3anjRkjz1mzINVfUPQbOPHthxrvS4=";
+  };
+
+  postPatch = ''
+    substituteInPlace lsiutil.c \
+      --replace /sbin/modprobe "${kmod}/bin/modprobe" \
+      --replace /bin/mknod "${coreutils}/bin/mknod"
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    gcc -Wall -O lsiutil.c -o lsiutil
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p "$out/bin"
+    install -Dm755 lsiutil "$out/bin/lsiutil"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/exactassembly/meta-xa-stm/tree/master/recipes-support/lsiutil/files";
+    description = "Configuration utility for MPT adapters (FC, SCSI, and SAS/SATA)";
+    license = licenses.unfree;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ Luflosi ];
+  };
+}
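Review bot: `buildPhase` invokes `gcc` by name, which bypasses the compiler and target prefix that stdenv selected, so the build fails on a clang-based stdenv or when cross-compiling. The line should be `$CC -Wall -O lsiutil.c -o lsiutil`. The tarball also comes from a third-party layer repository rather than a vendor release. The commit-pinned URL and `sha256` fix the bytes, but a short comment recording what the hash was checked against would help the next reviewer of this unfree package.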
diff --git a/nixpkgs/pkgs/os-specific/linux/lsscsi/default.nix b/nixpkgs/pkgs/os-specific/linux/lsscsi/default.nix
new file mode 100644
index 000000000000..d87820f24664
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lsscsi/default.nix
@@ -0,0 +1,20 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "lsscsi";
+  version = "0.32";
+
+  src = fetchurl {
+    url = "http://sg.danny.cz/scsi/lsscsi-${version}.tgz";
+    sha256 = "sha256-CoAOnpTcoqtwLWXXJ3eujK4Hjj100Ly+1kughJ6AKaE=";
+  };
+
+  preConfigure = ''
+    substituteInPlace Makefile.in --replace /usr "$out"
+  '';
+
+  meta = with lib; {
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
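Review bot: The `src` URL is plain `http://`, and `meta` carries neither `description` nor `homepage`. The sha256 pins the tarball, so a tampered download fails the build, but whoever next bumps `version` would compute the new hash from an unauthenticated transfer. If the host serves TLS (not verifiable from this page), switch the scheme to `https://`. `licenses.gpl2` is also ambiguous between the only and or-later variants; the expression should state which one upstream declares.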
diff --git a/nixpkgs/pkgs/os-specific/linux/lttng-modules/default.nix b/nixpkgs/pkgs/os-specific/linux/lttng-modules/default.nix
new file mode 100644
index 000000000000..b2fa10568075
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -0,0 +1,61 @@
+{ lib, stdenv, fetchgit, fetchpatch, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "lttng-modules-${kernel.version}";
+  version = "2.13.4";
+
+  src = fetchgit {
+    url = "https://git.lttng.org/lttng-modules.git";
+    rev = "v${version}";
+    hash = "sha256-J2Tr1vOiCAilmnf3attF3bz8Irn9IQ2QbapdXJ4MUSg=";
+  };
+
+  patches = [
+    # fix: mm/page_alloc: fix tracepoint mm_page_alloc_zone_locked() (v5.19)
+    (fetchpatch {
+      url = "https://git.lttng.org/?p=lttng-modules.git;a=patch;h=6229bbaa423832f6b7c7a658ad11e1d4242752ff";
+      hash = "sha256-pqbKxBzjfN20wfsqSeBLXNQ+/U+3qk9RfTiT32OwSIc=";
+    })
+
+    # fix: fs: Remove flags parameter from aops->write_begin (v5.19)
+    (fetchpatch {
+      url = "https://git.lttng.org/?p=lttng-modules.git;a=patch;h=5e2f832d59d51589ab69479c7db43c7581fb9346";
+      hash = "sha256-auoCbvFEVR76sOCLjIe+q/Q+vunQlR3G3gVcjqAGGPk=";
+    })
+
+    # fix: workqueue: Fix type of cpu in trace event (v5.19)
+    (fetchpatch {
+      url = "https://git.lttng.org/?p=lttng-modules.git;a=patch;h=c6da9604b1666780ea4725b3b3d1bfa1548f9c89";
+      hash = "sha256-qoTwy+P32qg1L+JctqM1+70OkeTbnbL3QJ9LwaBq/bw=";
+    })
+
+    # fix: net: skb: introduce kfree_skb_reason() (v5.15.58..v5.16)
+    (fetchpatch {
+      url = "https://git.lttng.org/?p=lttng-modules.git;a=patch;h=96c477dabaaf6cd1734bebe0972fef877e5a463b";
+      hash = "sha256-b7BhrYZ5SZqeRVGEu0Eo9GfbcZdDPrgEnOl2XU3z+ds=";
+    })
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=${placeholder "out"}"
+  ];
+
+  installTargets = [ "modules_install" ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Linux kernel modules for LTTng tracing";
+    homepage = "https://lttng.org/";
+    license = with licenses; [ lgpl21Only gpl2Only mit ];
+    platforms = platforms.linux;
+    maintainers = [ maintainers.bjornfor ];
+  };
+}
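Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";` downgrades a diagnostic that matters for kernel code, and the expression gives no reason for it. A call through an implicit declaration is assumed to return `int`, which can truncate a pointer or 64-bit return value inside a module that runs in kernel context. Put a comment on that line naming the kernel range or symbol that needs it, for example `# needed for <kernel range>; remove once the upstream fix is in a release`. If only some kernels are affected, scope the flag with `lib.optionalString` on the kernel version instead of applying it to every build.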
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/2_02.nix b/nixpkgs/pkgs/os-specific/linux/lvm2/2_02.nix
new file mode 100644
index 000000000000..56ab613afd24
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/2_02.nix
@@ -0,0 +1,4 @@
+import ./common.nix {
+  version = "2.02.187";
+  sha256 = "sha256-Dg1SGoY6XbJEDy4edie6grcCc65KsLvhMIUdsNWOWvE=";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/2_03.nix b/nixpkgs/pkgs/os-specific/linux/lvm2/2_03.nix
new file mode 100644
index 000000000000..0cca51feab30
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/2_03.nix
@@ -0,0 +1,4 @@
+import ./common.nix {
+  version = "2.03.16";
+  sha256 = "sha256-5mHs4VtdiNir45pMHh2y9D4YlvAZlIu5iw4V13doB4Y=";
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/common.nix b/nixpkgs/pkgs/os-specific/linux/lvm2/common.nix
new file mode 100644
index 000000000000..4cb86bf3d8b9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/common.nix
@@ -0,0 +1,172 @@
+{ version, sha256 }:
+
+{ lib, stdenv
+, fetchpatch
+, fetchurl
+, pkg-config
+, coreutils
+, libuuid
+, libaio
+, substituteAll
+, enableCmdlib ? false
+, enableDmeventd ? false
+, udevSupport ? !stdenv.hostPlatform.isStatic, udev
+, onlyLib ? stdenv.hostPlatform.isStatic
+  # Otherwise we have a infinity recursion during static compilation
+, enableUtilLinux ? !stdenv.hostPlatform.isStatic, util-linux
+, enableVDO ? false, vdo
+, enableMdadm ? false, mdadm
+, enableMultipath ? false, multipath-tools
+, nixosTests
+}:
+
+# configure: error: --enable-dmeventd requires --enable-cmdlib to be used as well
+assert enableDmeventd -> enableCmdlib;
+
+stdenv.mkDerivation rec {
+  pname = "lvm2" + lib.optionalString enableDmeventd "-with-dmeventd" + lib.optionalString enableVDO "-with-vdo";
+  inherit version;
+
+  src = fetchurl {
+    url = "https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz";
+    inherit sha256;
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    libaio
+  ] ++ lib.optionals udevSupport [
+    udev
+  ] ++ lib.optionals (!onlyLib) [
+    libuuid
+  ] ++ lib.optionals enableVDO [
+    vdo
+  ];
+
+  configureFlags = [
+    "--disable-readline"
+    "--enable-pkgconfig"
+    "--with-default-locking-dir=/run/lock/lvm"
+    "--with-default-run-dir=/run/lvm"
+    "--with-systemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
+  ] ++ lib.optionals (!enableCmdlib) [
+    "--bindir=${placeholder "bin"}/bin"
+    "--sbindir=${placeholder "bin"}/bin"
+    "--libdir=${placeholder "lib"}/lib"
+  ] ++ lib.optional enableCmdlib "--enable-cmdlib"
+  ++ lib.optionals enableDmeventd [
+    "--enable-dmeventd"
+    "--with-dmeventd-pidfile=/run/dmeventd/pid"
+    "--with-default-dm-run-dir=/run/dmeventd"
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ] ++ lib.optionals udevSupport [
+    "--enable-udev_rules"
+    "--enable-udev_sync"
+  ] ++ lib.optionals stdenv.hostPlatform.isStatic [
+    "--enable-static_link"
+  ] ++  lib.optionals enableVDO [
+    "--enable-vdo"
+  ];
+
+  preConfigure = ''
+    sed -i /DEFAULT_SYS_DIR/d Makefile.in
+    sed -i /DEFAULT_PROFILE_DIR/d conf/Makefile.in
+  '' + lib.optionalString (lib.versionOlder version "2.03.15") ''
+    substituteInPlace scripts/lvm2_activation_generator_systemd_red_hat.c \
+      --replace /usr/bin/udevadm /run/current-system/systemd/bin/udevadm
+    # https://github.com/lvmteam/lvm2/issues/36
+  '' + lib.optionalString (lib.versionOlder version "2.03.14") ''
+    substituteInPlace udev/69-dm-lvm-metad.rules.in \
+      --replace "(BINDIR)/systemd-run" /run/current-system/systemd/bin/systemd-run
+  '' + lib.optionalString (lib.versionAtLeast version "2.03.14") ''
+    substituteInPlace udev/69-dm-lvm.rules.in \
+      --replace "/usr/bin/systemd-run" /run/current-system/systemd/bin/systemd-run
+  '' + ''
+    substituteInPlace make.tmpl.in --replace "@systemdsystemunitdir@" "$out/lib/systemd/system"
+  '' + lib.optionalString (lib.versionAtLeast version "2.03") ''
+    substituteInPlace libdm/make.tmpl.in --replace "@systemdsystemunitdir@" "$out/lib/systemd/system"
+
+    substituteInPlace scripts/blk_availability_systemd_red_hat.service.in \
+      --replace '/usr/bin/true' '${coreutils}/bin/true'
+  '';
+
+  postConfigure = ''
+    sed -i 's|^#define LVM_CONFIGURE_LINE.*$|#define LVM_CONFIGURE_LINE "<removed>"|g' ./include/configure.h
+  '';
+
+  patches = lib.optionals (lib.versionAtLeast version "2.03.15") [
+    # fixes paths to and checks for tools
+    # TODO: needs backport to LVM 2.02 used by static/musl
+    (substituteAll (let
+      optionalTool = cond: pkg: if cond then pkg else "/run/current-system/sw";
+    in {
+      src = ./fix-blkdeactivate.patch;
+      inherit coreutils;
+      util_linux = optionalTool enableUtilLinux util-linux;
+      mdadm = optionalTool enableMdadm mdadm;
+      multipath_tools = optionalTool enableMultipath multipath-tools;
+      vdo = optionalTool enableVDO vdo;
+    }))
+  ] ++ lib.optionals (lib.versionOlder version "2.03.15") [
+    # Musl fixes from Alpine.
+    ./fix-stdio-usage.patch
+    (fetchpatch {
+      name = "mallinfo.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/lvm2/mallinfo.patch?h=3.7-stable&id=31bd4a8c2dc00ae79a821f6fe0ad2f23e1534f50";
+      sha256 = "0g6wlqi215i5s30bnbkn8w7axrs27y3bnygbpbnf64wwx7rxxlj0";
+    })
+  ] ++ lib.optionals stdenv.hostPlatform.isStatic [
+    ./no-shared.diff
+  ];
+
+  doCheck = false; # requires root
+
+  makeFlags = lib.optionals udevSupport [
+    "SYSTEMD_GENERATOR_DIR=$(out)/lib/systemd/system-generators"
+  ] ++ lib.optionals onlyLib [
+    "libdm.device-mapper"
+  ];
+
+  # To prevent make install from failing.
+  installFlags = [ "OWNER=" "GROUP=" "confdir=$(out)/etc" ];
+
+  # Install systemd stuff.
+  installTargets = [ "install" ] ++ lib.optionals udevSupport [
+    "install_systemd_generators"
+    "install_systemd_units"
+    "install_tmpfiles_configuration"
+  ];
+
+  installPhase = lib.optionalString onlyLib ''
+    install -D -t $out/lib libdm/ioctl/libdevmapper.${if stdenv.hostPlatform.isStatic then "a" else "so"}
+    make -C libdm install_include
+    make -C libdm install_pkgconfig
+  '';
+
+  # only split bin and lib out from out if cmdlib isn't enabled
+  outputs = [
+    "out"
+  ] ++ lib.optionals (!onlyLib) [
+    "dev"
+    "man"
+  ] ++ lib.optionals (!onlyLib && !enableCmdlib) [
+    "bin"
+    "lib"
+  ];
+
+  postInstall = lib.optionalString (enableCmdlib != true) ''
+    moveToOutput lib/libdevmapper.so $lib
+  '';
+
+  passthru.tests.installer = nixosTests.installer.lvm;
+
+  meta = with lib; {
+    homepage = "http://sourceware.org/lvm2/";
+    description = "Tools to support Logical Volume Management (LVM) on Linux";
+    platforms = platforms.linux;
+    license = with licenses; [ gpl2 bsd2 lgpl21 ];
+    maintainers = with maintainers; [ raskin ajs124 ];
+  };
+}
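Review bot: In `patches`, `optionalTool` falls back to `/run/current-system/sw` for every disabled tool, so with the defaults (`enableMdadm`, `enableMultipath` and `enableVDO` all `false`) that is what `fix-blkdeactivate.patch` receives for `@mdadm@`, `@multipath_tools@` and `@vdo@`. The script then resolves those binaries from the mutable system profile at run time rather than from a store path fixed at build time, and on a non-NixOS host the path does not exist. That may be a deliberate trade-off to keep the closure small, but it should be stated at the `let`, for example `# disabled tools are looked up in the system profile at run time (NixOS only) and are not part of the closure`. The `TODO` about backporting to 2.02 also means the static/musl build keeps the unpatched `/sbin` and `/bin` paths.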
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/fix-blkdeactivate.patch b/nixpkgs/pkgs/os-specific/linux/lvm2/fix-blkdeactivate.patch
new file mode 100644
index 000000000000..db8cfaeae9e3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/fix-blkdeactivate.patch
@@ -0,0 +1,51 @@
+diff --git a/scripts/blkdeactivate.sh.in b/scripts/blkdeactivate.sh.in
+index 7c517b87b..e51a33778 100644
+--- a/scripts/blkdeactivate.sh.in
++++ b/scripts/blkdeactivate.sh.in
+@@ -34,11 +34,11 @@ TOOL=blkdeactivate
+ DEV_DIR="/dev"
+ SYS_BLK_DIR="/sys/block"
+ 
+-MDADM="/sbin/mdadm"
+-MOUNTPOINT="/bin/mountpoint"
+-MPATHD="/sbin/multipathd"
+-UMOUNT="/bin/umount"
+-VDO="/bin/vdo"
++MDADM="@mdadm@/bin/mdadm"
++MOUNTPOINT="@util_linux@/bin/mountpoint"
++MPATHD="@multipath_tools@/bin/multipathd"
++UMOUNT="@util_linux@/bin/umount"
++VDO="@vdo@/bin/vdo"
+ 
+ sbindir="@SBINDIR@"
+ DMSETUP="$sbindir/dmsetup"
+@@ -48,7 +48,7 @@ if "$UMOUNT" --help | grep -- "--all-targets" >"$DEV_DIR/null"; then
+ 	UMOUNT_OPTS="--all-targets "
+ else
+ 	UMOUNT_OPTS=""
+-	FINDMNT="/bin/findmnt -r --noheadings -u -o TARGET"
++	FINDMNT="@util_linux@/bin/findmnt -r --noheadings -u -o TARGET"
+ 	FINDMNT_READ="read -r mnt"
+ fi
+ DMSETUP_OPTS=""
+@@ -57,10 +57,10 @@ MDADM_OPTS=""
+ MPATHD_OPTS=""
+ VDO_OPTS=""
+ 
+-LSBLK="/bin/lsblk -r --noheadings -o TYPE,KNAME,NAME,MOUNTPOINT"
++LSBLK="@util_linux@/bin/lsblk -r --noheadings -o TYPE,KNAME,NAME,MOUNTPOINT"
+ LSBLK_VARS="local devtype local kname local name local mnt"
+ LSBLK_READ="read -r devtype kname name mnt"
+-SORT_MNT="/bin/sort -r -u -k 4"
++SORT_MNT="@coreutils@/bin/sort -r -u -k 4"
+ 
+ # Do not show tool errors by default (only done/skipping summary
+ # message provided by this script) and no verbose mode by default.
+@@ -102,6 +102,7 @@ declare -A SKIP_VG_LIST=()
+ # (list is an associative array!)
+ #
+ declare -A SKIP_UMOUNT_LIST=(["/"]=1 \
++                             ["/nix"]=1 ["/nix/store"]=1 \
+                              ["/lib"]=1 ["/lib64"]=1 \
+                              ["/bin"]=1 ["/sbin"]=1 \
+                              ["/var"]=1 ["/var/log"]=1 \
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/fix-stdio-usage.patch b/nixpkgs/pkgs/os-specific/linux/lvm2/fix-stdio-usage.patch
new file mode 100644
index 000000000000..59666ffbad5a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/fix-stdio-usage.patch
@@ -0,0 +1,53 @@
+diff --git a/lib/commands/toolcontext.c b/lib/commands/toolcontext.c
+index 296618686..96343eeb7 100644
+--- a/lib/commands/toolcontext.c
++++ b/lib/commands/toolcontext.c
+@@ -1619,7 +1619,7 @@ struct cmd_context *create_toolcontext(unsigned is_clvmd,
+ 	/* FIXME Make this configurable? */
+ 	reset_lvm_errno(1);
+ 
+-#ifndef VALGRIND_POOL
++#if !defined(VALGRIND_POOL) && defined(__GLIBC__)
+ 	/* Set in/out stream buffering before glibc */
+ 	if (set_buffering
+ #ifdef SYS_gettid
+@@ -2006,7 +2006,7 @@ void destroy_toolcontext(struct cmd_context *cmd)
+ 
+ 	if (cmd->pending_delete_mem)
+ 		dm_pool_destroy(cmd->pending_delete_mem);
+-#ifndef VALGRIND_POOL
++#if !defined(VALGRIND_POOL) && defined(__GLIBC__)
+ 	if (cmd->linebuffer) {
+ 		/* Reset stream buffering to defaults */
+ 		if (is_valid_fd(STDIN_FILENO) &&
+diff --git a/tools/lvmcmdline.c b/tools/lvmcmdline.c
+index d97ff5720..bbbda82bd 100644
+--- a/tools/lvmcmdline.c
++++ b/tools/lvmcmdline.c
+@@ -3342,7 +3342,7 @@ static int _check_standard_fds(void)
+ 	int err = is_valid_fd(STDERR_FILENO);
+ 
+ 	if (!is_valid_fd(STDIN_FILENO) &&
+-	    !(stdin = fopen(_PATH_DEVNULL, "r"))) {
++	    !freopen(_PATH_DEVNULL, "r", stdin)) {
+ 		if (err)
+ 			perror("stdin stream open");
+ 		else
+@@ -3352,7 +3352,7 @@ static int _check_standard_fds(void)
+ 	}
+ 
+ 	if (!is_valid_fd(STDOUT_FILENO) &&
+-	    !(stdout = fopen(_PATH_DEVNULL, "w"))) {
++	    !freopen(_PATH_DEVNULL, "w", stdout)) {
+ 		if (err)
+ 			perror("stdout stream open");
+ 		/* else no stdout */
+@@ -3360,7 +3360,7 @@ static int _check_standard_fds(void)
+ 	}
+ 
+ 	if (!is_valid_fd(STDERR_FILENO) &&
+-	    !(stderr = fopen(_PATH_DEVNULL, "w"))) {
++	    !freopen(_PATH_DEVNULL, "w", stderr)) {
+ 		printf("stderr stream open: %s\n",
+ 		       strerror(errno));
+ 		return 0;
diff --git a/nixpkgs/pkgs/os-specific/linux/lvm2/no-shared.diff b/nixpkgs/pkgs/os-specific/linux/lvm2/no-shared.diff
new file mode 100644
index 000000000000..d40dd85dfc62
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lvm2/no-shared.diff
@@ -0,0 +1,25 @@
+diff --git a/libdm/Makefile.in b/libdm/Makefile.in
+index 66ec39513..ab7123dae 100644
+--- a/libdm/Makefile.in
++++ b/libdm/Makefile.in
+@@ -44,7 +44,6 @@ endif
+ 
+ LIB_SHARED = $(interface)/libdevmapper.$(LIB_SUFFIX)
+ LIB_VERSION = $(LIB_VERSION_DM)
+-TARGETS = libdevmapper.$(LIB_SUFFIX) libdevmapper.$(LIB_SUFFIX).$(LIB_VERSION)
+ 
+ CFLOW_LIST = $(SOURCES)
+ CFLOW_LIST_TARGET = libdevmapper.cflow
+diff --git a/make.tmpl.in b/make.tmpl.in
+index e7780e8d4..ca4aa9fdd 100644
+--- a/make.tmpl.in
++++ b/make.tmpl.in
+@@ -346,7 +346,7 @@ SUBDIRS.cflow := $(SUBDIRS:=.cflow)
+ SUBDIRS.clean := $(SUBDIRS:=.clean)
+ SUBDIRS.distclean := $(SUBDIRS:=.distclean)
+ 
+-TARGETS += $(LIB_SHARED) $(LIB_STATIC)
++TARGETS += $(LIB_STATIC)
+ 
+ all: $(SUBDIRS) $(TARGETS)
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/lxc/default.nix b/nixpkgs/pkgs/os-specific/linux/lxc/default.nix
new file mode 100644
index 000000000000..18c23c46c13c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lxc/default.nix
@@ -0,0 +1,99 @@
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, perl, docbook2x
+, docbook_xml_dtd_45, python3Packages, pam
+
+# Optional Dependencies
+, libapparmor ? null, gnutls ? null, libselinux ? null, libseccomp ? null
+, libcap ? null, systemd ? null
+}:
+
+with lib;
+stdenv.mkDerivation rec {
+  pname = "lxc";
+  version = "4.0.12";
+
+  src = fetchurl {
+    url = "https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz";
+    sha256 = "1vyk2j5w9gfyh23w3ar09cycyws16mxh3clbb33yhqzwcs1jy96v";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook pkg-config perl docbook2x python3Packages.wrapPython
+  ];
+  buildInputs = [
+    pam libapparmor gnutls libselinux libseccomp libcap
+    python3Packages.python python3Packages.setuptools systemd
+  ];
+
+  patches = [
+    ./support-db2x.patch
+  ];
+
+  postPatch = ''
+    sed -i '/chmod u+s/d' src/lxc/Makefile.am
+  '';
+
+  XML_CATALOG_FILES = "${docbook_xml_dtd_45}/xml/dtd/docbook/catalog.xml";
+
+  configureFlags = [
+    "--enable-pam"
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "--disable-api-docs"
+    "--with-init-script=none"
+    "--with-distro=nixos" # just to be sure it is "unknown"
+  ] ++ optional (libapparmor != null) "--enable-apparmor"
+    ++ optional (libselinux != null) "--enable-selinux"
+    ++ optional (libseccomp != null) "--enable-seccomp"
+    ++ optional (libcap != null) "--enable-capabilities"
+    ++ [
+    "--disable-examples"
+    "--enable-python"
+    "--disable-lua"
+    "--enable-bash"
+    (if doCheck then "--enable-tests" else "--disable-tests")
+    "--with-rootfs-path=/var/lib/lxc/rootfs"
+  ];
+
+  doCheck = false;
+
+  installFlags = [
+    "localstatedir=\${TMPDIR}"
+    "sysconfdir=\${out}/etc"
+    "sysconfigdir=\${out}/etc/default"
+    "bashcompdir=\${out}/share/bash-completion/completions"
+    "READMEdir=\${TMPDIR}/var/lib/lxc/rootfs"
+    "LXCPATH=\${TMPDIR}/var/lib/lxc"
+  ];
+
+  postInstall = ''
+    wrapPythonPrograms
+
+    completions=(
+      lxc-attach lxc-cgroup lxc-console lxc-destroy lxc-device lxc-execute
+      lxc-freeze lxc-info lxc-monitor lxc-snapshot lxc-stop lxc-unfreeze
+    )
+    pushd $out/share/bash-completion/completions/
+      mv lxc lxc-start
+      for completion in ''${completions[@]}; do
+        ln -sfn lxc-start $completion
+      done
+    popd
+  '';
+
+  meta = {
+    homepage = "https://linuxcontainers.org/";
+    description = "Userspace tools for Linux Containers, a lightweight virtualization system";
+    license = licenses.lgpl21Plus;
+
+    longDescription = ''
+      LXC is the userspace control package for Linux Containers, a
+      lightweight virtual system mechanism sometimes described as
+      "chroot on steroids". LXC builds up from chroot to implement
+      complete virtual systems, adding resource management and isolation
+      mechanisms to Linux’s existing process management infrastructure.
+    '';
+
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
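Review bot: The `postPatch` line `sed -i '/chmod u+s/d' src/lxc/Makefile.am` removes a setuid step without saying why, and it succeeds silently if upstream ever rewords that rule. A comment such as `# setuid bits cannot be set inside the Nix store; the installed helper has to get its privileges from a wrapper outside it` would record the intent and tell a maintainer what to re-check on a version bump. The optional inputs also default to `null`, and `--enable-apparmor`, `--enable-selinux`, `--enable-seccomp` and `--enable-capabilities` are only added for non-null inputs. A caller overriding one to `null` therefore gets a container runtime without that confinement layer and no build-time signal. `maintainers` is empty, which is worth fixing for a package of this kind.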
diff --git a/nixpkgs/pkgs/os-specific/linux/lxc/support-db2x.patch b/nixpkgs/pkgs/os-specific/linux/lxc/support-db2x.patch
new file mode 100644
index 000000000000..16715992d35f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lxc/support-db2x.patch
@@ -0,0 +1,16 @@
+diff --git a/configure.ac b/configure.ac
+index 84f8699..dce9033 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -192,9 +192,9 @@ if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then
+ 	AC_SUBST(db2xman)
+ fi
+ AM_CONDITIONAL([ENABLE_DOCBOOK], [test "x$db2xman" != "x"])
+-AM_CONDITIONAL([USE_DOCBOOK2X], [test "x$db2xman" != "xdocbook2man"])
++AM_CONDITIONAL([USE_DOCBOOK2X], [test "x$db2xman" != "no-no-no"])
+ 
+-if test "x$db2xman" = "xdocbook2man"; then
++if test "x$db2xman" = "no-no-no"; then
+ 	docdtd="\"-//Davenport//DTD DocBook V3.0//EN\""
+ else
+ 	docdtd="\"-//OASIS//DTD DocBook XML\" \"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd\""
diff --git a/nixpkgs/pkgs/os-specific/linux/lxcfs/default.nix b/nixpkgs/pkgs/os-specific/linux/lxcfs/default.nix
new file mode 100644
index 000000000000..67e96289e2ab
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/lxcfs/default.nix
@@ -0,0 +1,51 @@
+{ config, lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, help2man, fuse
+, util-linux, makeWrapper
+, enableDebugBuild ? config.lxcfs.enableDebugBuild or false }:
+
+with lib;
+stdenv.mkDerivation rec {
+  pname = "lxcfs";
+  version = "4.0.12";
+
+  src = fetchFromGitHub {
+    owner = "lxc";
+    repo = "lxcfs";
+    rev = "lxcfs-${version}";
+    sha256 = "sha256-+wp29GD+toXGfQbPGYbDJ7/P+FY1uQY4uK3OQxTE9GM=";
+  };
+
+  nativeBuildInputs = [ pkg-config help2man autoreconfHook makeWrapper ];
+  buildInputs = [ fuse ];
+
+  preConfigure = lib.optionalString enableDebugBuild ''
+    sed -i 's,#AM_CFLAGS += -DDEBUG,AM_CFLAGS += -DDEBUG,' Makefile.am
+  '';
+
+  configureFlags = [
+    "--with-init-script=systemd"
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+  ];
+
+  installFlags = [ "SYSTEMD_UNIT_DIR=\${out}/lib/systemd" ];
+
+  postInstall = ''
+    # `mount` hook requires access to the `mount` command from `util-linux`:
+    wrapProgram "$out/share/lxcfs/lxc.mount.hook" \
+      --prefix PATH : "${util-linux}/bin"
+  '';
+
+  postFixup = ''
+    # liblxcfs.so is reloaded with dlopen()
+    patchelf --set-rpath "$(patchelf --print-rpath "$out/bin/lxcfs"):$out/lib" "$out/bin/lxcfs"
+  '';
+
+  meta = {
+    description = "FUSE filesystem for LXC";
+    homepage = "https://linuxcontainers.org/lxcfs";
+    changelog = "https://linuxcontainers.org/lxcfs/news/";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mic92 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/macchanger/default.nix b/nixpkgs/pkgs/os-specific/linux/macchanger/default.nix
new file mode 100644
index 000000000000..1c5167070496
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/macchanger/default.nix
@@ -0,0 +1,48 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, texinfo }:
+
+stdenv.mkDerivation rec {
+  pname = "macchanger";
+  version = "1.7.0";
+
+  src = fetchFromGitHub {
+    owner = "alobbs";
+    repo = "macchanger";
+    rev = version;
+    sha256 = "1hypx6sxhd2b1nsxj314hpkhj7q4x9p2kfaaf20rjkkkig0nck9r";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/02-fix_usage_message.patch";
+      sha256 = "0pxljmq0l0znylbhms09i19qwil74gm8gx3xx2ffx00dajaizj18";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/06-update_OUI_list.patch";
+      sha256 = "04kbd784z9nwkjva5ckkvb0yb3pim9valb1viywn1yyh577d0y7w";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/08-fix_random_MAC_choice.patch";
+      sha256 = "1vz3appxxsdf1imzrn57amazfwlbrvx6g78b6n88aqgwzy5dm34d";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/check-random-device-read-errors.patch";
+      sha256 = "0pra6qnk39crjlidspg3l6hpaqiw43cypahx793l59mqn956cngc";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/verify-changed-MAC.patch";
+      sha256 = "0vjhf2fnj1hlghjl821p6idrfc8hmd4lgps5lf1l68ylqvwjw0zj";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook texinfo ];
+
+  outputs = [ "out" "info" ];
+
+  meta = with lib; {
+    description = "A utility for viewing/manipulating the MAC address of network interfaces";
+    maintainers = with maintainers; [ joachifm ma27 dotlambda ];
+    license = licenses.gpl2Plus;
+    homepage = "https://github.com/alobbs/macchanger";
+    platforms = platforms.linux;
+  };
+}
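Review bot: The five `fetchpatch` entries in `patches` have no comment or `name`, so nothing in the expression says which are cosmetic and which change behaviour. Going by the file names only, `check-random-device-read-errors.patch` and `verify-changed-MAC.patch` affect how the random address is produced and whether the tool confirms the change took effect, which is what its users rely on. A one-line comment above each entry, e.g. `# Debian 1.7.0-5.3: fail when reading the random device errors out`, would tell a maintainer not to drop them on the next bump.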
diff --git a/nixpkgs/pkgs/os-specific/linux/mba6x_bl/default.nix b/nixpkgs/pkgs/os-specific/linux/mba6x_bl/default.nix
new file mode 100644
index 000000000000..04a89ad038dd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mba6x_bl/default.nix
@@ -0,0 +1,31 @@
+{ fetchFromGitHub, kernel, lib, stdenv }:
+
+stdenv.mkDerivation {
+  pname = "mba6x_bl";
+  version = "unstable-2016-12-08";
+
+  src = fetchFromGitHub {
+    owner = "patjak";
+    repo = "mba6x_bl";
+    rev = "b96aafd30c18200b4ad1f6eb995bc19200f60c47";
+    sha256 = "10payvfxahazdxisch4wm29fhl8y07ki72q4c78sl4rn73sj6yjq";
+  };
+
+  enableParallelBuilding = true;
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  meta = with lib; {
+    description = "MacBook Air 6,1 and 6,2 (mid 2013) backlight driver";
+    homepage = "https://github.com/patjak/mba6x_bl";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.simonvandel ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix b/nixpkgs/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix
new file mode 100644
index 000000000000..0b4fec4dfb4e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, kernel, fetchFromGitHub, }:
+
+stdenv.mkDerivation rec {
+  pname = "mbp2018-bridge-drv";
+  version = "2020-01-31";
+
+  src = fetchFromGitHub {
+    owner = "MCMrARM";
+    repo = "mbp2018-bridge-drv";
+    rev = "b43fcc069da73e051072fde24af4014c9c487286";
+    sha256 = "sha256-o6yGiR+Y5SnX1johdi7fQWP5ts7HdDMqeju75UOhgik=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  buildPhase = ''
+    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \
+      -j$NIX_BUILD_CORES M=$(pwd) modules $makeFlags
+  '';
+
+  installPhase = ''
+    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build  \
+      INSTALL_MOD_PATH=$out M=$(pwd) modules_install $makeFlags
+  '';
+
+  meta = with lib; {
+    description = "A driver for MacBook models 2018 and newer, which makes the keyboard, mouse and audio output work.";
+    longDescription = ''
+      A driver for MacBook models 2018 and newer, implementing the VHCI (required for mouse/keyboard/etc.) and audio functionality.
+    '';
+    homepage = "https://github.com/MCMrARM/mbp2018-bridge-drv";
+    license = lib.licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = [ lib.maintainers.hlolli ];
+    broken = kernel.kernelOlder "5.4";
+  };
+}
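Review bot: `buildPhase` and `installPhase` are overridden without `runHook preBuild`/`runHook postBuild` and `runHook preInstall`/`runHook postInstall`, so hooks attached through overrides are silently skipped. `lsiutil/default.nix` in this same diff includes them, and `mbpfan/default.nix` has the same omission in its `installPhase`. `M=$(pwd)` is unquoted and breaks on a build directory containing spaces; `M="$PWD"` avoids that. The `version` of a commit-pinned source would read `unstable-2020-01-31`, matching `mba6x_bl` in this diff.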
diff --git a/nixpkgs/pkgs/os-specific/linux/mbpfan/default.nix b/nixpkgs/pkgs/os-specific/linux/mbpfan/default.nix
new file mode 100644
index 000000000000..26c3d07364ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mbpfan/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "mbpfan";
+  version = "2.3.0";
+  src = fetchFromGitHub {
+    owner = "dgraziotin";
+    repo = "mbpfan";
+    rev = "v${version}";
+    sha256 = "sha256-jIYg9b0c/7mMRS5WF+mOH6t9SCWEP32lsdbCgpWpg24=";
+  };
+  installPhase = ''
+    mkdir -p $out/bin $out/etc
+    cp bin/mbpfan $out/bin
+    cp mbpfan.conf $out/etc
+  '';
+  meta = with lib; {
+    description = "Daemon that uses input from coretemp module and sets the fan speed using the applesmc module";
+    homepage = "https://github.com/dgraziotin/mbpfan";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ cstrahan ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mceinject/default.nix b/nixpkgs/pkgs/os-specific/linux/mceinject/default.nix
new file mode 100644
index 000000000000..3e89ed83361f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mceinject/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, bison, flex }:
+
+stdenv.mkDerivation rec {
+  pname = "mceinject";
+  version = "unstable-2013-01-19";
+
+  src = fetchFromGitHub {
+    owner  = "andikleen";
+    repo   = "mce-inject";
+    rev    = "4cbe46321b4a81365ff3aafafe63967264dbfec5";
+    sha256 = "0gjapg2hrlxp8ssrnhvc19i3r1xpcnql7xv0zjgbv09zyha08g6z";
+  };
+
+  nativeBuildInputs = [ flex bison ];
+
+  NIX_CFLAGS_COMPILE = "-Os -g -Wall";
+
+  NIX_LDFLAGS = [ "-lpthread" ];
+
+  makeFlags = [ "prefix=" ];
+
+  enableParallelBuilding = true;
+
+  installFlags = [ "destdir=$(out)" "manprefix=/share" ];
+
+  meta = with lib; {
+    description = "A tool to inject machine checks into x86 kernel for testing";
+    longDescription = ''
+      mce-inject allows to inject machine check errors on the software level
+      into a running Linux kernel. This is intended for validation of the
+      kernel machine check handler.
+    '';
+    homepage = "https://github.com/andikleen/mce-inject/";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ arkivm ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mcelog/default.nix b/nixpkgs/pkgs/os-specific/linux/mcelog/default.nix
new file mode 100644
index 000000000000..916c79a4298d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mcelog/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub, util-linux }:
+
+stdenv.mkDerivation rec {
+  pname = "mcelog";
+  version = "180";
+
+  src = fetchFromGitHub {
+    owner  = "andikleen";
+    repo   = "mcelog";
+    rev    = "v${version}";
+    sha256 = "1xy1082c67yd48idg5vwvrw7yx74gn6jj2d9c67d0rh6yji091ki";
+  };
+
+  postPatch = ''
+    for i in mcelog.conf paths.h; do
+      substituteInPlace $i --replace /etc $out/etc
+    done
+    touch mcelog.conf.5 # avoid regeneration requiring Python
+
+    substituteInPlace Makefile --replace '"unknown"' '"${version}"'
+
+    for i in triggers/*; do
+      substituteInPlace $i --replace 'logger' '${util-linux}/bin/logger'
+    done
+  '';
+
+  enableParallelBuilding = true;
+
+  installFlags = [ "DESTDIR=$(out)" "prefix=" "DOCDIR=/share/doc" ];
+
+  postInstall = ''
+    mkdir -p $out/lib/systemd/system
+    substitute mcelog.service $out/lib/systemd/system/mcelog.service \
+      --replace /usr/sbin $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Log x86 machine checks: memory, IO, and CPU hardware errors";
+    longDescription = ''
+      The mcelog daemon accounts memory and some other errors in various ways
+      on modern x86 Linux systems. The daemon can be queried and/or execute
+      triggers when configurable error thresholds are exceeded. This is used to
+      implement a range of automatic predictive failure analysis algorithms,
+      including bad page offlining and automatic cache error handling. All
+      errors are logged to /var/log/mcelog or syslog or the journal.
+    '';
+    homepage = "http://mcelog.org/";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
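Review bot: The loop over `triggers/*` in `postPatch` replaces the bare substring `logger`, so any other occurrence in those scripts (a comment, a variable name, a path that already contains the word) is rewritten to the store path as well. The trigger scripts are run by the daemon when an error threshold is exceeded, so a mangled line there fails exactly when a hardware error is being reported. Match the command form more narrowly and quote the loop variable, e.g. `substituteInPlace "$i" --replace 'logger ' '${util-linux}/bin/logger '`. The trigger files are not visible here, so confirm the pattern against them.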
diff --git a/nixpkgs/pkgs/os-specific/linux/mdadm/default.nix b/nixpkgs/pkgs/os-specific/linux/mdadm/default.nix
new file mode 100644
index 000000000000..05e0600928a3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mdadm/default.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv, util-linux, coreutils, fetchurl, groff, system-sendmail, udev }:
+
+stdenv.mkDerivation rec {
+  pname = "mdadm";
+  version = "4.2";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/raid/mdadm/mdadm-${version}.tar.xz";
+    sha256 = "sha256-RhwhVnCGS7dKTRo2IGhKorL4KW3/oGdD8m3aVVes8B0=";
+  };
+
+  patches = [ ./no-self-references.patch ];
+
+  makeFlags = [
+    "NIXOS=1" "INSTALL=install" "BINDIR=$(out)/sbin"
+    "SYSTEMD_DIR=$(out)/lib/systemd/system"
+    "MANDIR=$(out)/share/man" "RUN_DIR=/dev/.mdadm"
+    "STRIP="
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  installFlags = [ "install-systemd" ];
+
+  enableParallelBuilding = true;
+
+  buildInputs = [ udev ];
+
+  nativeBuildInputs = [ groff ];
+
+  postPatch = ''
+    sed -e 's@/lib/udev@''${out}/lib/udev@' \
+        -e 's@ -Werror @ @' \
+        -e 's@/usr/sbin/sendmail@${system-sendmail}/bin/sendmail@' -i Makefile
+    sed -i \
+        -e 's@/usr/bin/basename@${coreutils}/bin/basename@g' \
+        -e 's@BINDIR/blkid@${util-linux}/bin/blkid@g' \
+        *.rules
+  '';
+
+  # This is to avoid self-references, which causes the initrd to explode
+  # in size and in turn prevents mdraid systems from booting.
+  postFixup = ''
+    grep -r $out $out/bin && false || true
+  '';
+
+  meta = with lib; {
+    description = "Programs for managing RAID arrays under Linux";
+    homepage = "http://neil.brown.name/blog/mdadm";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ ekleog ];
+    platforms = platforms.linux;
+  };
+}
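Review bot: The self-reference guard in `postFixup` can never fail: `grep -r $out $out/bin && false || true` ends in `true` whether or not grep finds a match, because `|| true` swallows the `false`. The comment above it says a self-reference makes the initrd explode in size and stops mdraid systems from booting, so a regression would pass the build and only show up at boot. If the check is meant to be enforced, write it as `if grep -r "$out" "$out/bin"; then echo "self-reference found in $out/bin" >&2; exit 1; fi`. If it was neutralised on purpose, the comment should say so.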
diff --git a/nixpkgs/pkgs/os-specific/linux/mdadm/no-self-references.patch b/nixpkgs/pkgs/os-specific/linux/mdadm/no-self-references.patch
new file mode 100644
index 000000000000..3b3dc4d84609
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mdadm/no-self-references.patch
@@ -0,0 +1,124 @@
+diff --git a/Makefile b/Makefile
+index 2a51d813..a31ac48a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -63,6 +63,9 @@ endif
+ ifdef DEBIAN
+ CPPFLAGS += -DDEBIAN
+ endif
++ifdef NIXOS
++CPPFLAGS += -DNIXOS
++endif
+ ifdef DEFAULT_OLD_METADATA
+  CPPFLAGS += -DDEFAULT_OLD_METADATA
+  DEFAULT_METADATA=0.90
+@@ -129,6 +132,7 @@ endif
+ INSTALL = /usr/bin/install
+ DESTDIR =
+ BINDIR  = /sbin
++INSTALL_BINDIR = ${BINDIR}
+ MANDIR  = /usr/share/man
+ MAN4DIR = $(MANDIR)/man4
+ MAN5DIR = $(MANDIR)/man5
+@@ -253,16 +257,16 @@ sha1.o : sha1.c sha1.h md5.h
+ install : install-bin install-man install-udev
+ 
+ install-static : mdadm.static install-man
+-	$(INSTALL) -D $(STRIP) -m 755 mdadm.static $(DESTDIR)$(BINDIR)/mdadm
++	$(INSTALL) -D $(STRIP) -m 755 mdadm.static $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ install-tcc : mdadm.tcc install-man
+-	$(INSTALL) -D $(STRIP) -m 755 mdadm.tcc $(DESTDIR)$(BINDIR)/mdadm
++	$(INSTALL) -D $(STRIP) -m 755 mdadm.tcc $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ install-uclibc : mdadm.uclibc install-man
+-	$(INSTALL) -D $(STRIP) -m 755 mdadm.uclibc $(DESTDIR)$(BINDIR)/mdadm
++	$(INSTALL) -D $(STRIP) -m 755 mdadm.uclibc $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ install-klibc : mdadm.klibc install-man
+-	$(INSTALL) -D $(STRIP) -m 755 mdadm.klibc $(DESTDIR)$(BINDIR)/mdadm
++	$(INSTALL) -D $(STRIP) -m 755 mdadm.klibc $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ install-man: mdadm.8 md.4 mdadm.conf.5 mdmon.8
+ 	$(INSTALL) -D -m 644 mdadm.8 $(DESTDIR)$(MAN8DIR)/mdadm.8
+@@ -305,7 +309,7 @@ install-bin: mdadm mdmon
+ 	$(INSTALL) -D $(STRIP) -m 755 mdmon $(DESTDIR)$(BINDIR)/mdmon
+ 
+ uninstall:
+-	rm -f $(DESTDIR)$(MAN8DIR)/mdadm.8 $(DESTDIR)$(MAN8DIR)/mdmon.8 $(DESTDIR)$(MAN4DIR)/md.4 $(DESTDIR)$(MAN5DIR)/mdadm.conf.5 $(DESTDIR)$(BINDIR)/mdadm
++	rm -f $(DESTDIR)$(MAN8DIR)/mdadm.8 $(DESTDIR)$(MAN8DIR)/mdmon.8 $(DESTDIR)$(MAN4DIR)/md.4 $(DESTDIR)$(MAN5DIR)/mdadm.conf.5 $(DESTDIR)$(INSTALL_BINDIR)/mdadm
+ 
+ test: mdadm mdmon test_stripe swap_super raid6check
+ 	@echo "Please run './test' as root"
+diff --git a/policy.c b/policy.c
+index eee9ef63..9f916e9d 100644
+--- a/policy.c
++++ b/policy.c
+@@ -817,12 +817,39 @@ char *find_rule(struct rule *rule, char *rule_type)
+ #define UDEV_RULE_FORMAT \
+ "ACTION==\"add\", SUBSYSTEM==\"block\", " \
+ "ENV{DEVTYPE}==\"%s\", ENV{ID_PATH}==\"%s\", " \
+-"RUN+=\"" BINDIR "/mdadm --incremental $env{DEVNAME}\"\n"
++"RUN+=\"%s/mdadm --incremental $env{DEVNAME}\"\n"
+ 
+ #define UDEV_RULE_FORMAT_NOTYPE \
+ "ACTION==\"add\", SUBSYSTEM==\"block\", " \
+ "ENV{ID_PATH}==\"%s\", " \
+-"RUN+=\"" BINDIR "/mdadm --incremental $env{DEVNAME}\"\n"
++"RUN+=\"%s/mdadm --incremental $env{DEVNAME}\"\n"
++
++#ifdef NIXOS
++const char *get_mdadm_bindir(void)
++{
++	static char *bindir = NULL;
++	if (bindir != NULL) {
++		return bindir;
++	} else {
++		int len;
++		bindir = xmalloc(1025);
++		len = readlink("/proc/self/exe", bindir, 1024);
++		if (len > 0) {
++			char *basename;
++			if ((basename = strrchr(bindir, '/')) != NULL)
++				*basename = '\0';
++			else
++				*(bindir + len) = '\0';
++		} else {
++			*bindir = '\0';
++		}
++		return bindir;
++	}
++}
++#define SELF get_mdadm_bindir()
++#else
++#define SELF BINDIR
++#endif
+ 
+ /* Write rule in the rule file. Use format from UDEV_RULE_FORMAT */
+ int write_rule(struct rule *rule, int fd, int force_part)
+@@ -836,9 +863,9 @@ int write_rule(struct rule *rule, int fd, int force_part)
+ 	if (force_part)
+ 		typ = type_part;
+ 	if (typ)
+-		snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT, typ, pth);
++		snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT, typ, pth, SELF);
+ 	else
+-		snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT_NOTYPE, pth);
++		snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT_NOTYPE, pth, SELF);
+ 	return write(fd, line, strlen(line)) == (int)strlen(line);
+ }
+ 
+diff --git a/util.c b/util.c
+index 3d05d074..e004a798 100644
+--- a/util.c
++++ b/util.c
+@@ -1913,7 +1913,9 @@ int start_mdmon(char *devnm)
+ 	char pathbuf[1024];
+ 	char *paths[4] = {
+ 		pathbuf,
++#ifndef NIXOS
+ 		BINDIR "/mdmon",
++#endif
+ 		"./mdmon",
+ 		NULL
+ 	};
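Review bot: In `get_mdadm_bindir()` (policy.c part of this patch) the buffer is searched with `strrchr` before it is NUL-terminated: `readlink` does not append a terminator and the buffer comes from `xmalloc`, which as far as this patch shows does not clear it, so the search can run past the `len` bytes that were written and cut the string at a stray `/`. Terminating first, `bindir[len] = '\0';` directly after the `len > 0` test, fixes that and makes the inner `else` branch unnecessary. When `readlink` fails the function returns an empty string and `write_rule` then emits `RUN+="/mdadm --incremental $env{DEVNAME}"`, a udev rule that points at a path in the filesystem root; having `write_rule` return failure in that case would be safer than writing the rule. A link target of 1024 bytes or more is also truncated without any error.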
diff --git a/nixpkgs/pkgs/os-specific/linux/mdevd/default.nix b/nixpkgs/pkgs/os-specific/linux/mdevd/default.nix
new file mode 100644
index 000000000000..2a55676fc767
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mdevd/default.nix
@@ -0,0 +1,28 @@
+{ lib, skawarePackages }:
+
+with skawarePackages;
+
+buildPackage {
+  pname = "mdevd";
+  version = "0.1.5.2";
+  sha256 = "sha256-RgNys9O6yfNXQVbtfkhhj59KNhy1LESUrZBjJIq0pP8=";
+
+  description = "mdev-compatible Linux hotplug manager daemon";
+  platforms = lib.platforms.linux;
+
+  outputs = [ "bin" "out" "dev" "doc" ];
+
+  configureFlags = [
+    "--with-sysdeps=${skalibs.lib}/lib/skalibs/sysdeps"
+    "--with-include=${skalibs.dev}/include"
+    "--with-lib=${skalibs.lib}/lib"
+  ];
+
+  postInstall = ''
+    # remove all mdevd executables from build directory
+    rm $(find -type f -mindepth 1 -maxdepth 1 -executable)
+
+    mv doc $doc/share/doc/mdevd/html
+    mv examples $doc/share/doc/mdevd/examples
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/metastore/default.nix b/nixpkgs/pkgs/os-specific/linux/metastore/default.nix
new file mode 100644
index 000000000000..c9875297186e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/metastore/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, libbsd, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  version = "1.1.2";
+  pname = "metastore";
+
+  src = fetchFromGitHub {
+    owner = "przemoc";
+    repo = "metastore";
+    rev = "v${version}";
+    sha256 = "0mb10wfckswqgi0bq25ncgabnd3iwj7s7hhg3wpcyfgckdynwizv";
+  };
+
+  buildInputs = [ libbsd ];
+  installFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "Store and restore metadata from a filesystem";
+    homepage = "https://software.przemoc.net/#metastore";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ sstef ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/microcode/amd.nix b/nixpkgs/pkgs/os-specific/linux/microcode/amd.nix
new file mode 100644
index 000000000000..051ad131be93
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/microcode/amd.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, linux-firmware, libarchive }:
+
+stdenv.mkDerivation {
+  pname = "amd-ucode";
+  version = linux-firmware.version;
+
+  src = linux-firmware;
+
+  sourceRoot = ".";
+
+  buildInputs = [ libarchive ];
+
+  buildPhase = ''
+    mkdir -p kernel/x86/microcode
+    find ${linux-firmware}/lib/firmware/amd-ucode -name \*.bin -print0 | sort -z |\
+      xargs -0 -I{} sh -c 'cat {} >> kernel/x86/microcode/AuthenticAMD.bin'
+  '';
+
+  installPhase = ''
+    mkdir -p $out
+    touch -d @$SOURCE_DATE_EPOCH kernel/x86/microcode/AuthenticAMD.bin
+    echo kernel/x86/microcode/AuthenticAMD.bin | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @- > $out/amd-ucode.img
+  '';
+
+  meta = with lib; {
+    description = "AMD Processor microcode patch";
+    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
+    license = licenses.unfreeRedistributableFirmware;
+    platforms = platforms.linux;
+  };
+}
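Review bot: `libarchive` is listed under `buildInputs`, but `bsdtar` is executed during `installPhase`, so it is a build-time tool and belongs in `nativeBuildInputs = [ libarchive ];`, as `microcode/intel.nix` in this commit already does; with `buildInputs` a cross build would be handed the host-platform `bsdtar`. The same applies to `dpkg` in `molly-guard/default.nix`, where `dpkg-deb` runs in `unpackCmd`. `meta` here has no `maintainers` attribute at all, which leaves the microcode image without a named owner for updates.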
diff --git a/nixpkgs/pkgs/os-specific/linux/microcode/intel.nix b/nixpkgs/pkgs/os-specific/linux/microcode/intel.nix
new file mode 100644
index 000000000000..6bb2855719bf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/microcode/intel.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, libarchive, iucode-tool }:
+
+stdenv.mkDerivation rec {
+  pname = "microcode-intel";
+  version = "20220809";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "Intel-Linux-Processor-Microcode-Data-Files";
+    rev = "microcode-${version}";
+    hash = "sha256-vcuLQHAGr5uRkGWWIwA2WXLJadVNxfcPgjmNS82Logg=";
+  };
+
+  nativeBuildInputs = [ iucode-tool libarchive ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out kernel/x86/microcode
+    iucode_tool -w kernel/x86/microcode/GenuineIntel.bin intel-ucode/
+    touch -d @$SOURCE_DATE_EPOCH kernel/x86/microcode/GenuineIntel.bin
+    echo kernel/x86/microcode/GenuineIntel.bin | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @- > $out/intel-ucode.img
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.intel.com/";
+    description = "Microcode for Intel processors";
+    license = licenses.unfreeRedistributableFirmware;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/microcode/iucode-tool.nix b/nixpkgs/pkgs/os-specific/linux/microcode/iucode-tool.nix
new file mode 100644
index 000000000000..e38dd83e0dba
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/microcode/iucode-tool.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitLab, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "iucode-tool";
+  version = "2.3.1";
+
+  src = fetchFromGitLab {
+    owner  = "iucode-tool";
+    repo   = "iucode-tool";
+    rev    = "v${version}";
+    sha256 = "04dlisw87dd3q3hhmkqc5dd58cp22fzx3rzah7pvcyij135yjc3a";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Intel® 64 and IA-32 processor microcode tool";
+    homepage = "https://gitlab.com/iucode-tool/iucode-tool";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms = [ "x86_64-linux" "i686-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mingetty/default.nix b/nixpkgs/pkgs/os-specific/linux/mingetty/default.nix
new file mode 100644
index 000000000000..eb58dc553676
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mingetty/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "mingetty";
+  version = "1.08";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/mingetty/mingetty-${version}.tar.gz";
+    sha256 = "05yxrp44ky2kg6qknk1ih0kvwkgbn9fbz77r3vci7agslh5wjm8g";
+  };
+
+  preInstall = ''
+    mkdir -p $out/sbin $out/share/man/man8
+    makeFlagsArray=(SBINDIR=$out/sbin MANDIR=$out/share/man/man8)
+  '';
+
+  meta = with lib; {
+    homepage = "https://sourceforge.net/projects/mingetty";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/miraclecast/default.nix b/nixpkgs/pkgs/os-specific/linux/miraclecast/default.nix
new file mode 100644
index 000000000000..7b502fa4adee
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/miraclecast/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitHub, meson, ninja, pkg-config
+, glib, readline, pcre, systemd, udev }:
+
+stdenv.mkDerivation {
+  pname = "miraclecast";
+  version = "1.0-20190403";
+
+  src = fetchFromGitHub {
+    owner  = "albfan";
+    repo   = "miraclecast";
+    rev    = "960a785e10523cc525885380dd03aa2c5ba11bc7";
+    sha256 = "05afqi33rv7k6pbkkw4mynj6p97vkzhhh13y5nh0yxkyhcgf45pm";
+  };
+
+  nativeBuildInputs = [ meson ninja pkg-config ];
+
+  buildInputs = [ glib pcre readline systemd udev ];
+
+  mesonFlags = [
+    "-Drely-udev=true"
+    "-Dbuild-tests=true"
+  ];
+
+  meta = with lib; {
+    description = "Connect external monitors via Wi-Fi";
+    homepage    = "https://github.com/albfan/miraclecast";
+    license     = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix
new file mode 100644
index 000000000000..da2ba4b9ff2d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "mkinitcpio-nfs-utils";
+  version = "0.3";
+
+  src = fetchurl {
+    url = "https://sources.archlinux.org/other/mkinitcpio/mkinitcpio-nfs-utils-${version}.tar.xz";
+    sha256 = "0fc93sfk41ycpa33083kyd7i4y00ykpbhj5qlw611bjghj4x946j";
+    # ugh, upstream...
+    name = "mkinitcpio-nfs-utils-${version}.tar.gz";
+  };
+
+  makeFlags = [ "DESTDIR=$(out)" "bindir=/bin" ];
+
+  postInstall = ''
+    rm -rf $out/usr
+  '';
+
+  meta = with lib; {
+    homepage = "https://archlinux.org/";
+    description = "ipconfig and nfsmount tools for root on NFS, ported from klibc";
+    license = licenses.gpl2;
+    platforms  = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mmc-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/mmc-utils/default.nix
new file mode 100644
index 000000000000..6d737ea6bad3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mmc-utils/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchzip, unstableGitUpdater }:
+
+stdenv.mkDerivation {
+  pname = "mmc-utils";
+  version = "unstable-2022-07-13";
+
+  src = fetchzip rec {
+    url = "https://git.kernel.org/pub/scm/utils/mmc/mmc-utils.git/snapshot/mmc-utils-${passthru.rev}.tar.gz";
+    passthru.rev = "d7b343fd262880994f041ce2335442e7bd1071f5";
+    sha256 = "cTF3xSNvZ1wifItPmflNFd+fpYArPRvinM7Cyg3JoeE=";
+  };
+
+  makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" "prefix=$(out)" ];
+
+  postInstall = ''
+    mkdir -p $out/share/man/man1
+    cp man/mmc.1 $out/share/man/man1/
+  '';
+
+  enableParallelBuilding = true;
+
+  passthru.updateScript = unstableGitUpdater {
+    url = "https://git.kernel.org/pub/scm/utils/mmc/mmc-utils.git";
+  };
+
+  meta = with lib; {
+    description = "Configure MMC storage devices from userspace";
+    homepage = "https://git.kernel.org/pub/scm/utils/mmc/mmc-utils.git/";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.dezgeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/molly-guard/default.nix b/nixpkgs/pkgs/os-specific/linux/molly-guard/default.nix
new file mode 100644
index 000000000000..de396e4f5c76
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/molly-guard/default.nix
@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchurl, dpkg, busybox, systemd }:
+
+stdenv.mkDerivation rec {
+  pname = "molly-guard";
+  version = "0.7.2";
+
+  src = fetchurl {
+    url = "https://launchpad.net/ubuntu/+archive/primary/+files/molly-guard_${version}_all.deb";
+    sha256 = "1k6b1hn8lc4rj9n036imsl7s9lqj6ny3acdhnbnamsdkkndmxrw7";
+  };
+
+  buildInputs = [ dpkg ];
+
+  sourceRoot = ".";
+
+  unpackCmd = ''
+    dpkg-deb -x "$src" .
+  '';
+
+  installPhase = ''
+    sed -i "s|/lib/molly-guard|${systemd}/sbin|g" lib/molly-guard/molly-guard
+    sed -i "s|run-parts|${busybox}/bin/run-parts|g" lib/molly-guard/molly-guard
+    sed -i "s|/etc/molly-guard/|$out/etc/molly-guard/|g" lib/molly-guard/molly-guard
+    cp -r ./ $out/
+  '';
+
+  postFixup = ''
+    for modus in init halt poweroff reboot runlevel shutdown telinit; do
+       ln -sf $out/lib/molly-guard/molly-guard $out/bin/$modus;
+    done;
+  '';
+
+  meta = with lib; {
+    description = "Attempts to prevent you from accidentally shutting down or rebooting machines";
+    homepage    = "https://salsa.debian.org/debian/molly-guard";
+    license     = licenses.artistic2;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ DerTim1 ];
+    priority    = -10;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/msr-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/msr-tools/default.nix
new file mode 100644
index 000000000000..1e6a55a4d656
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/msr-tools/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchurl, unzip }:
+
+stdenv.mkDerivation rec {
+  pname = "msr-tools";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "https://01.org/sites/default/files/downloads/msr-tools/${pname}-${version}.zip";
+    sha256 = "07hxmddg0l31kjfmaq84ni142lbbvgq6391r8bd79wpm819pnigr";
+  };
+
+  nativeBuildInputs = [ unzip ];
+
+  preInstall = ''
+    mkdir -p $out/bin
+    substituteInPlace Makefile \
+      --replace /usr/sbin $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Tool to read/write from/to MSR CPU registers on Linux";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ peterhoeg ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/msr/000-include-sysmacros.patch b/nixpkgs/pkgs/os-specific/linux/msr/000-include-sysmacros.patch
new file mode 100644
index 000000000000..5fa96cd14699
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/msr/000-include-sysmacros.patch
@@ -0,0 +1,11 @@
+diff -Naur msr-old/msr.c msr-20060208/msr.c
+--- msr-old/msr.c	1969-12-31 21:00:01.000000000 -0300
++++ msr-20060208/msr.c	2021-11-02 21:19:34.576722617 -0300
+@@ -19,6 +19,7 @@
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <sys/sysmacros.h>
+ #include <fcntl.h>
+ #include <errno.h>
+ #include <unistd.h>
diff --git a/nixpkgs/pkgs/os-specific/linux/msr/default.nix b/nixpkgs/pkgs/os-specific/linux/msr/default.nix
new file mode 100644
index 000000000000..0ffc46012096
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/msr/default.nix
@@ -0,0 +1,40 @@
+{ lib
+, stdenv
+, fetchzip
+, installShellFiles
+}:
+
+stdenv.mkDerivation rec {
+  pname = "msr";
+  version = "20060208";
+
+  src = fetchzip {
+    name = "${pname}-${version}";
+    url = "http://www.etallen.com/msr/${pname}-${version}.src.tar.gz";
+    hash = "sha256-e01qYWbOALkXp5NpexuVodMxA3EBySejJ6ZBpZjyT+E=";
+  };
+
+  nativeBuildInputs = [
+    installShellFiles
+  ];
+
+  patches = [
+    ./000-include-sysmacros.patch
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin/
+    cp msr $out/bin/
+    installManPage msr.man
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.etallen.com/msr.html";
+    description = "Linux tool to display or modify x86 model-specific registers (MSRs)";
+    license = licenses.bsd0;
+    maintainers = with maintainers; [ AndersonTorres ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/mstpd/default.nix b/nixpkgs/pkgs/os-specific/linux/mstpd/default.nix
new file mode 100644
index 000000000000..389acdf91e6e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mstpd/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "mstpd";
+  version = "0.0.8";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = version;
+    sha256 = "1xkfydxljdnj49p5r3mirk4k146428b6imfc9bkfps9yjn64mkgb";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "fix-strncpy-gcc9.patch";
+      url = "https://github.com/mstpd/mstpd/commit/d27d7e93485d881d8ff3a7f85309b545edbe1fc6.patch";
+      sha256 = "19456daih8l3y6m9kphjr7pj7slrqzbj6yacnlgznpxyd8y4d86y";
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  configureFlags = [
+    "--prefix=$(out)"
+    "--sysconfdir=$(out)/etc"
+    "--sbindir=$(out)/sbin"
+    "--libexecdir=$(out)/lib"
+  ];
+
+  meta = with lib; {
+    description = "Multiple Spanning Tree Protocol daemon";
+    homepage = "https://github.com/mstpd/mstpd";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/multipath-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/multipath-tools/default.nix
new file mode 100644
index 000000000000..437fe9bd1bd9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -0,0 +1,64 @@
+{ lib, stdenv, fetchurl, fetchpatch, pkg-config, perl, lvm2, libaio, readline, systemd, liburcu, json_c, kmod, nixosTests }:
+
+stdenv.mkDerivation rec {
+  pname = "multipath-tools";
+  version = "0.8.3";
+
+  src = fetchurl {
+    name = "${pname}-${version}.tar.gz";
+    url = "https://git.opensvc.com/gitweb.cgi?p=multipath-tools/.git;a=snapshot;h=refs/tags/${version};sf=tgz";
+    sha256 = "1mgjylklh1cx8px8ffgl12kyc0ln3445vbabd2sy8chq31rpiiq8";
+  };
+
+  patches = [
+    # fix build with json-c 0.14 https://www.redhat.com/archives/dm-devel/2020-May/msg00261.html
+    ./json-c-0.14.patch
+
+    # pull upstream fix for -fno-common toolchains like clang-12
+    (fetchpatch {
+        name = "fno-common.patch";
+        url = "https://github.com/opensvc/multipath-tools/commit/23a9247fa89cd0c84fe7e0f32468fd698b1caa48.patch";
+        sha256 = "10hq0g2jfkfbmwhm4x4q5cgsswj30lm34ib153alqzjzsxc1hqjk";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace libmultipath/Makefile \
+      --replace /usr/include/libdevmapper.h ${lib.getDev lvm2}/include/libdevmapper.h
+
+    # systemd-udev-settle.service is deprecated.
+    substituteInPlace multipathd/multipathd.service \
+      --replace /sbin/modprobe ${lib.getBin kmod}/sbin/modprobe \
+      --replace /sbin/multipathd "$out/bin/multipathd" \
+      --replace " systemd-udev-settle.service" ""
+
+    sed -i -re '
+      s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'",
+    ' libmultipath/defaults.h
+    sed -i -e 's,\$(DESTDIR)/\(usr/\)\?,$(prefix)/,g' \
+      kpartx/Makefile libmpathpersist/Makefile
+    sed -i -e "s,GZIP,GZ," \
+      $(find * -name Makefile\*)
+  '';
+
+  nativeBuildInputs = [ pkg-config perl ];
+  buildInputs = [ systemd lvm2 libaio readline liburcu json_c ];
+
+  makeFlags = [
+    "LIB=lib"
+    "prefix=$(out)"
+    "man8dir=$(out)/share/man/man8"
+    "man5dir=$(out)/share/man/man5"
+    "man3dir=$(out)/share/man/man3"
+    "SYSTEMDPATH=lib"
+  ];
+
+  passthru.tests = { inherit (nixosTests) iscsi-multipath-root; };
+
+  meta = with lib; {
+    description = "Tools for the Linux multipathing driver";
+    homepage = "http://christophe.varoqui.free.fr/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/multipath-tools/json-c-0.14.patch b/nixpkgs/pkgs/os-specific/linux/multipath-tools/json-c-0.14.patch
new file mode 100644
index 000000000000..d5fee4248830
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/multipath-tools/json-c-0.14.patch
@@ -0,0 +1,21 @@
+diff --git a/libdmmp/libdmmp_private.h b/libdmmp/libdmmp_private.h
+index ac85b63f..b1a6ddea 100644
+--- a/libdmmp/libdmmp_private.h
++++ b/libdmmp/libdmmp_private.h
+@@ -30,6 +30,7 @@
+ #include <stdint.h>
+ #include <string.h>
+ #include <assert.h>
++#include <stdbool.h>
+ #include <json.h>
+ 
+ #include "libdmmp/libdmmp.h"
+@@ -82,7 +83,7 @@ static out_type func_name(struct dmmp_context *ctx, const char *var_name) { \
+ do { \
+ 	json_type j_type = json_type_null; \
+ 	json_object *j_obj_tmp = NULL; \
+-	if (json_object_object_get_ex(j_obj, key, &j_obj_tmp) != TRUE) { \
++	if (json_object_object_get_ex(j_obj, key, &j_obj_tmp) != true) { \
+ 		_error(ctx, "Invalid JSON output from multipathd IPC: " \
+ 		       "key '%s' not found", key); \
+ 		rc = DMMP_ERR_IPC_ERROR; \
diff --git a/nixpkgs/pkgs/os-specific/linux/musl-fts/default.nix b/nixpkgs/pkgs/os-specific/linux/musl-fts/default.nix
new file mode 100644
index 000000000000..cdb1cca47c6a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/musl-fts/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "musl-fts";
+  version = "1.2.7";
+
+  src = fetchFromGitHub {
+    owner = "void-linux";
+    repo = "musl-fts";
+    rev = "v${version}";
+    sha256 = "Azw5qrz6OKDcpYydE6jXzVxSM5A8oYWAztrHr+O/DOE=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/void-linux/musl-fts";
+    description = "An implementation of fts(3) for musl-libc";
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+    maintainers = [ maintainers.pjjw ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/musl-obstack/default.nix b/nixpkgs/pkgs/os-specific/linux/musl-obstack/default.nix
new file mode 100644
index 000000000000..ec183da7048c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/musl-obstack/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "musl-obstack";
+  version = "1.2.3";
+
+  src = fetchFromGitHub {
+    owner = "void-linux";
+    repo = "musl-obstack";
+    rev = "v${version}";
+    sha256 = "sha256-oydS7FubUniMHAUWfg84OH9+CZ0JCrTXy7jzwOyJzC8=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/void-linux/musl-obstack";
+    description =
+      "An extraction of the obstack functions and macros from GNU libiberty for use with musl-libc";
+    platforms = platforms.linux;
+    license = licenses.lgpl21Plus;
+    maintainers = [ maintainers.pjjw ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/musl/default.nix b/nixpkgs/pkgs/os-specific/linux/musl/default.nix
new file mode 100644
index 000000000000..fb0d19115da3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/musl/default.nix
@@ -0,0 +1,153 @@
+{ stdenv, lib, fetchurl
+, linuxHeaders ? null
+, useBSDCompatHeaders ? true
+}:
+let
+  cdefs_h = fetchurl {
+    url = "http://git.alpinelinux.org/cgit/aports/plain/main/libc-dev/sys-cdefs.h";
+    sha256 = "16l3dqnfq0f20rzbkhc38v74nqcsh9n3f343bpczqq8b1rz6vfrh";
+  };
+  queue_h = fetchurl {
+    url = "http://git.alpinelinux.org/cgit/aports/plain/main/libc-dev/sys-queue.h";
+    sha256 = "12qm82id7zys92a1qh2l1qf2wqgq6jr4qlbjmqyfffz3s3nhfd61";
+  };
+  tree_h = fetchurl {
+    url = "http://git.alpinelinux.org/cgit/aports/plain/main/libc-dev/sys-tree.h";
+    sha256 = "14igk6k00bnpfw660qhswagyhvr0gfqg4q55dxvaaq7ikfkrir71";
+  };
+
+  stack_chk_fail_local_c = fetchurl {
+    url = "https://git.alpinelinux.org/aports/plain/main/musl/__stack_chk_fail_local.c?h=3.10-stable";
+    sha256 = "1nhkzzy9pklgjcq2yg89d3l18jif331srd3z3vhy5qwxl1spv6i9";
+  };
+
+  # iconv tool, implemented by musl author.
+  # Original: http://git.etalabs.net/cgit/noxcuse/plain/src/iconv.c?id=02d288d89683e99fd18fe9f54d4e731a6c474a4f
+  # We use copy from Alpine which fixes error messages, see:
+  # https://git.alpinelinux.org/aports/commit/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f
+  iconv_c = fetchurl {
+    name = "iconv.c";
+    url = "https://git.alpinelinux.org/aports/plain/main/musl/iconv.c?id=a3d97e95f766c9c378194ee49361b375f093b26f";
+    sha256 = "1mzxnc2ncq8lw9x6n7p00fvfklc9p3wfv28m68j0dfz5l8q2k6pp";
+  };
+
+  arch = if stdenv.hostPlatform.isx86_64
+    then "x86_64"
+    else if stdenv.hostPlatform.isx86_32
+      then "i386"
+      else null;
+
+in
+stdenv.mkDerivation rec {
+  pname = "musl";
+  version = "1.2.3";
+
+  src = fetchurl {
+    url    = "https://musl.libc.org/releases/${pname}-${version}.tar.gz";
+    sha256 = "sha256-fVsLYGJSHkYn4JnkydyCSNMqMChelZt+7Kp4DPjP1KQ=";
+  };
+
+  enableParallelBuilding = true;
+
+  # Disable auto-adding stack protector flags,
+  # so musl can selectively disable as needed
+  hardeningDisable = [ "stackprotector" ];
+
+  # Leave these, be friendlier to debuggers/perf tools
+  # Don't force them on, but don't force off either
+  postPatch = ''
+    substituteInPlace configure \
+      --replace -fno-unwind-tables "" \
+      --replace -fno-asynchronous-unwind-tables ""
+  '';
+
+  patches = [
+    # Minor touchup to build system making dynamic linker symlink relative
+    (fetchurl {
+      url = "https://raw.githubusercontent.com/openwrt/openwrt/87606e25afac6776d1bbc67ed284434ec5a832b4/toolchain/musl/patches/300-relative.patch";
+      sha256 = "0hfadrycb60sm6hb6by4ycgaqc9sgrhh42k39v8xpmcvdzxrsq2n";
+    })
+  ];
+  CFLAGS = [ "-fstack-protector-strong" ]
+    ++ lib.optional stdenv.hostPlatform.isPower "-mlong-double-64";
+
+  configureFlags = [
+    "--enable-shared"
+    "--enable-static"
+    "--enable-debug"
+    "--enable-wrapper=all"
+    "--syslibdir=${placeholder "out"}/lib"
+  ];
+
+  outputs = [ "out" "dev" ];
+
+  dontDisableStatic = true;
+  dontAddStaticConfigureFlags = true;
+  separateDebugInfo = true;
+
+  NIX_DONT_SET_RPATH = true;
+
+  preBuild = ''
+    ${if (stdenv.targetPlatform.libc == "musl" && stdenv.targetPlatform.isx86_32) then
+    "# the -x c flag is required since the file extension confuses gcc
+    # that detect the file as a linker script.
+    $CC -x c -c ${stack_chk_fail_local_c} -o __stack_chk_fail_local.o
+    $AR r libssp_nonshared.a __stack_chk_fail_local.o"
+      else ""
+    }
+  '';
+
+  postInstall = ''
+    # Not sure why, but link in all but scsi directory as that's what uclibc/glibc do.
+    # Apparently glibc provides scsi itself?
+    (cd $dev/include && ln -s $(ls -d ${linuxHeaders}/include/* | grep -v "scsi$") .)
+
+    # Strip debug out of the static library
+    $STRIP -S $out/lib/libc.a
+    mkdir -p $out/bin
+
+
+    ${if (stdenv.targetPlatform.libc == "musl" && stdenv.targetPlatform.isx86_32) then
+      "install -D libssp_nonshared.a $out/lib/libssp_nonshared.a
+      $STRIP -S $out/lib/libssp_nonshared.a"
+      else ""
+    }
+
+    # Create 'ldd' symlink, builtin
+    ln -rs $out/lib/libc.so $out/bin/ldd
+
+    # (impure) cc wrapper around musl for interactive usuage
+    for i in musl-gcc musl-clang ld.musl-clang; do
+      moveToOutput bin/$i $dev
+    done
+    moveToOutput lib/musl-gcc.specs $dev
+    substituteInPlace $dev/bin/musl-gcc \
+      --replace $out/lib/musl-gcc.specs $dev/lib/musl-gcc.specs
+
+    # provide 'iconv' utility, using just-built headers, libc/ldso
+    $CC ${iconv_c} -o $out/bin/iconv \
+      -I$dev/include \
+      -L$out/lib -Wl,-rpath=$out/lib \
+      -lc \
+      -B $out/lib \
+      -Wl,-dynamic-linker=$(ls $out/lib/ld-*)
+  '' + lib.optionalString (arch != null) ''
+    # Create 'libc.musl-$arch' symlink
+    ln -rs $out/lib/libc.so $out/lib/libc.musl-${arch}.so.1
+  '' + lib.optionalString useBSDCompatHeaders ''
+    install -D ${queue_h} $dev/include/sys/queue.h
+    install -D ${cdefs_h} $dev/include/sys/cdefs.h
+    install -D ${tree_h} $dev/include/sys/tree.h
+  '';
+
+  passthru.linuxHeaders = linuxHeaders;
+
+  meta = with lib; {
+    description = "An efficient, small, quality libc implementation";
+    homepage    = "https://musl.libc.org/";
+    changelog   = "https://git.musl-libc.org/cgit/musl/tree/WHATSNEW?h=v${version}";
+    license     = licenses.mit;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice dtzWill ];
+  };
+}
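Review bot: `cdefs_h`, `queue_h` and `tree_h` are fetched over plain `http://` from URLs that name no commit, and `stack_chk_fail_local_c` follows the `3.10-stable` branch, so the content behind each URL can change while the hash stays fixed. The hash still rejects altered content, but the fetch then simply fails and the expression does not record which revision was meant; `iconv_c` further down already pins `?id=a3d97e95f766c9c378194ee49361b375f093b26f`. Pinning the other four the same way, for example `https://git.alpinelinux.org/aports/plain/main/libc-dev/sys-queue.h?id=<aports-commit>` (placeholder commit id), keeps the inputs reproducible. Separately, `linuxHeaders` defaults to `null` yet is interpolated unconditionally in `postInstall`, so the default argument cannot evaluate; either drop the default or guard the `ln -s` line.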
diff --git a/nixpkgs/pkgs/os-specific/linux/mwprocapture/default.nix b/nixpkgs/pkgs/os-specific/linux/mwprocapture/default.nix
new file mode 100644
index 000000000000..2286e86df72c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mwprocapture/default.nix
@@ -0,0 +1,65 @@
+{ lib, stdenv, fetchurl, kernel, alsa-lib }:
+
+with lib;
+
+let
+  bits =
+    if stdenv.is64bit then "64"
+    else "32";
+
+  libpath = makeLibraryPath [ stdenv.cc.cc stdenv.cc.libc alsa-lib ];
+
+in
+stdenv.mkDerivation rec {
+  pname = "mwprocapture";
+  subVersion = "4236";
+  version = "1.3.0.${subVersion}-${kernel.version}";
+
+  src = fetchurl {
+    url = "https://www.magewell.com/files/drivers/ProCaptureForLinux_${subVersion}.tar.gz";
+    sha256 = "1mfgj84km276sq5i8dny1vqp2ycqpvgplrmpbqwnk230d0w3qs74";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preConfigure = ''
+    cd ./src
+    export INSTALL_MOD_PATH="$out"
+  '';
+
+  hardeningDisable = [ "pic" "format" ];
+
+  makeFlags = [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  postInstall = ''
+    cd ../
+    mkdir -p $out/bin
+    cp bin/mwcap-control_${bits} $out/bin/mwcap-control
+    cp bin/mwcap-info_${bits} $out/bin/mwcap-info
+    mkdir -p $out/lib/udev/rules.d
+    # source has a filename typo
+    cp scripts/10-procatpure-event-dev.rules $out/lib/udev/rules.d/10-procapture-event-dev.rules
+    cp -r src/res $out
+
+    patchelf \
+      --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
+      --set-rpath "${libpath}" \
+      "$out"/bin/mwcap-control
+
+    patchelf \
+      --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
+      --set-rpath "${libpath}" \
+      "$out"/bin/mwcap-info
+  '';
+
+  meta = {
+    broken = kernel.kernelAtLeast "5.16";
+    homepage = "http://www.magewell.com/";
+    description = "Linux driver for the Magewell Pro Capture family";
+    license = licenses.unfreeRedistributable;
+    maintainers = with maintainers; [ MP2E ];
+    platforms = platforms.linux;
+  };
+}
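Review bot: `mwcap-control` and `mwcap-info` are installed from prebuilt vendor binaries (`bin/mwcap-control_${bits}`, `bin/mwcap-info_${bits}`) that are only adjusted with `patchelf`, and nothing in the expression says so. A comment above the two `cp` lines such as `# prebuilt vendor binaries, not built from source; patched below to find the dynamic linker and libraries` would make that visible to whoever audits the closure; if this nixpkgs revision supports it, `sourceProvenance = with sourceTypes; [ fromSource binaryNativeCode ];` in `meta` records the same fact in machine-readable form. `hardeningDisable = [ "pic" "format" ]` also deserves a one-line reason, since `format` switches off the format-string checks for the kernel module build.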
diff --git a/nixpkgs/pkgs/os-specific/linux/mxu11x0/default.nix b/nixpkgs/pkgs/os-specific/linux/mxu11x0/default.nix
new file mode 100644
index 000000000000..ee29180a8d9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mxu11x0/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchurl, kernel }:
+
+let
+  srcs = import (./srcs.nix) { inherit fetchurl; };
+in
+stdenv.mkDerivation rec {
+  pname = "mxu11x0";
+
+  src = if lib.versionAtLeast kernel.version "5.0" then srcs.mxu11x0_5.src else srcs.mxu11x0_4.src;
+  mxu_version = if lib.versionAtLeast kernel.version "5.0" then srcs.mxu11x0_5.version else srcs.mxu11x0_4.version;
+
+  version = mxu_version + "-${kernel.version}";
+
+  preBuild = ''
+    sed -i -e "s/\$(uname -r).*/${kernel.modDirVersion}/g" driver/mxconf
+    sed -i -e "s/\$(shell uname -r).*/${kernel.modDirVersion}/g" driver/Makefile
+    sed -i -e 's|/lib/modules|${kernel.dev}/lib/modules|' driver/mxconf
+    sed -i -e 's|/lib/modules|${kernel.dev}/lib/modules|' driver/Makefile
+  '';
+
+  installPhase = ''
+    install -v -D -m 644 ./driver/mxu11x0.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/usb/serial/mxu11x0.ko"
+    install -v -D -m 644 ./driver/mxu11x0.ko "$out/lib/modules/${kernel.modDirVersion}/misc/mxu11x0.ko"
+  '';
+
+  dontStrip = true;
+
+  enableParallelBuilding = true;
+
+  hardeningDisable = [ "pic" ];
+
+  meta = with lib; {
+    description = "MOXA UPort 11x0 USB to Serial Hub driver";
+    homepage = "https://www.moxa.com/en/products/industrial-edge-connectivity/usb-to-serial-converters-usb-hubs/usb-to-serial-converters/uport-1000-series";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ uralbash ];
+    platforms = platforms.linux;
+    # broken due to API change in write_room() > v5.14-rc1
+    # https://github.com/torvalds/linux/commit/94cc7aeaf6c0cff0b8aeb7cb3579cee46b923560
+    broken = kernel.kernelAtLeast "5.14";
+  };
+}
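Review bot: `installPhase` installs the same `mxu11x0.ko` twice, once under `kernel/drivers/usb/serial/` and once under `misc/`, so the module tree carries two files with one module name and it is unclear which copy module lookup will resolve. Unless something depends on the `misc/` path (I cannot tell from this hunk), keep only the first `install` line, or add a comment saying why both are needed. The hand-written `installPhase` also omits `runHook preInstall` / `runHook postInstall`, so hooks added by overrides are silently skipped. Unlike the other out-of-tree modules in this commit, the derivation does not set `nativeBuildInputs = kernel.moduleBuildDependencies;`, which is worth adding for consistency.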
diff --git a/nixpkgs/pkgs/os-specific/linux/mxu11x0/srcs.nix b/nixpkgs/pkgs/os-specific/linux/mxu11x0/srcs.nix
new file mode 100644
index 000000000000..5c4e9137c6a6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/mxu11x0/srcs.nix
@@ -0,0 +1,18 @@
+{ fetchurl }:
+
+{
+  mxu11x0_4 = {
+    version = "4.1";
+    src = fetchurl {
+      url = "https://www.moxa.com/getmedia/b152d8c2-b9d6-4bc7-b0f4-420633b4bc2d/moxa-uport-1100-series-linux-kernel-4.x-driver-v4.1.tgz";
+      sha256 = "sha256-sbq5M5FQjrrORtSS07PQHf+MAZArxFcUDN5wszBwbnc=";
+    };
+  };
+  mxu11x0_5 = {
+    version = "5.1";
+    src = fetchurl {
+      url = "https://www.moxa.com/getmedia/57dfa4c1-8a2a-4da6-84c1-a36944ead74d/moxa-uport-1100-series-linux-kernel-5.x-driver-v5.1.tgz";
+      sha256 = "sha256-pdFIiD5naSDdYwRz8ww8Mg8z1gDOfZ/OeO6Q5n+kjDQ=";
+    };
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ndiswrapper/default.nix b/nixpkgs/pkgs/os-specific/linux/ndiswrapper/default.nix
new file mode 100644
index 000000000000..2db046e6392f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ndiswrapper/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchurl, kernel, perl, kmod, libelf }:
+let
+  version = "1.63";
+in
+stdenv.mkDerivation {
+  name = "ndiswrapper-${version}-${kernel.version}";
+  inherit version;
+
+  hardeningDisable = [ "pic" ];
+
+  patches = [ ./no-sbin.patch ];
+
+  # need at least .config and include
+  kernel = kernel.dev;
+
+  buildPhase = "
+    echo make KBUILD=$(echo \$kernel/lib/modules/*/build);
+    echo -n $kernel/lib/modules/*/build > kbuild_path
+    export PATH=${kmod}/sbin:$PATH
+    make KBUILD=$(echo \$kernel/lib/modules/*/build);
+  ";
+
+  installPhase = ''
+    make install KBUILD=$(cat kbuild_path) DESTDIR=$out
+    mv $out/usr/sbin/* $out/sbin/
+    mv $out/usr/share $out/
+    rm -r $out/usr
+
+    patchShebangs $out/sbin
+  '';
+
+  src = fetchurl {
+    url = "mirror://sourceforge/ndiswrapper/files/stable/ndiswrapper-${version}.tar.gz";
+    sha256 = "1v6b66jhisl110jfl00hm43lmnrav32vs39d85gcbxrjqnmcx08g";
+  };
+
+  buildInputs = [ perl libelf ];
+
+  meta = {
+    description = "Ndis driver wrapper for the Linux kernel";
+    homepage = "https://sourceforge.net/projects/ndiswrapper";
+    license = "GPL";
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = lib.versionAtLeast kernel.version "5.8";
+  };
+}
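Review bot: `license = "GPL";` in `meta` is a free-form string, so any policy evaluated over `meta.license` has nothing structured to match. It should be an attribute from `lib.licenses`, for example `license = lib.licenses.gpl2Plus;`, once the exact variant has been checked against upstream's licence file. The custom `buildPhase` and `installPhase` also omit `runHook preBuild`/`postBuild` and `runHook preInstall`/`postInstall`. In addition, `buildPhase` resolves the kernel build directory through the glob `$kernel/lib/modules/*/build` rather than `${kernel.modDirVersion}`, which the other module derivations here use and which cannot match more than one directory.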
diff --git a/nixpkgs/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch b/nixpkgs/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch
new file mode 100644
index 000000000000..373965fb0853
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch
@@ -0,0 +1,11 @@
+--- a/driver/Makefile
++++ b/driver/Makefile
+@@ -191,7 +191,7 @@ clean:
+ 	rm -rf .tmp_versions
+ 
+ install: config_check $(MODULE)
+-	@/sbin/modinfo $(MODULE) | grep -q "^vermagic: *$(KVERS) " || \
++	@modinfo $(MODULE) | grep -q "^vermagic: *$(KVERS) " || \
+ 		{ echo "$(MODULE)" is not for Linux $(KVERS); exit 1; }
+ 	mkdir -p -m 755 $(DESTDIR)$(INST_DIR)
+ 	install -m 0644 $(MODULE) $(DESTDIR)$(INST_DIR)
diff --git a/nixpkgs/pkgs/os-specific/linux/net-tools/config.h b/nixpkgs/pkgs/os-specific/linux/net-tools/config.h
new file mode 100644
index 000000000000..dedaac6247d0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/net-tools/config.h
@@ -0,0 +1,79 @@
+/*
+* config.h	Automatically generated configuration includefile
+*
+* NET-TOOLS	A collection of programs that form the base set of the
+*		NET-3 Networking Distribution for the LINUX operating
+*		system.
+*
+*		DO  NOT  EDIT  DIRECTLY
+*
+*/
+
+/* 
+ * 
+ * Internationalization
+ * 
+ * The net-tools package has currently been translated to French,
+ * German and Brazilian Portugese.  Other translations are, of
+ * course, welcome.  Answer `n' here if you have no support for
+ * internationalization on your system.
+ * 
+ */
+#define I18N 0
+
+/* 
+ * 
+ * Protocol Families.
+ * 
+ */
+#define HAVE_AFUNIX 1
+#define HAVE_AFINET 1
+#define HAVE_AFINET6 1
+#define HAVE_AFIPX 1
+#define HAVE_AFATALK 1
+#define HAVE_AFAX25 0
+#define HAVE_AFNETROM 1
+#define HAVE_AFROSE 0
+#define HAVE_AFX25 0
+#define HAVE_AFECONET 0
+#define HAVE_AFDECnet 0
+#define HAVE_AFASH 0
+#define HAVE_AFBLUETOOTH 0
+
+/* 
+ * 
+ * Device Hardware types.
+ * 
+ */
+#define HAVE_HWETHER 1
+#define HAVE_HWARC 1
+#define HAVE_HWSLIP 1
+#define HAVE_HWPPP 1
+#define HAVE_HWTUNNEL 1
+#define HAVE_HWSTRIP 0
+#define HAVE_HWTR 0
+#define HAVE_HWAX25 0
+#define HAVE_HWROSE 0
+#define HAVE_HWNETROM 1
+#define HAVE_HWX25 0
+#define HAVE_HWFR 1
+#define HAVE_HWSIT 1
+#define HAVE_HWFDDI 0
+#define HAVE_HWHIPPI 0
+#define HAVE_HWASH 0
+#define HAVE_HWHDLCLAPB 0
+#define HAVE_HWIRDA 1
+#define HAVE_HWEC 0
+#define HAVE_HWEC 0
+#define HAVE_HWEUI64 1
+#define HAVE_HWIB 1
+
+/* 
+ * 
+ * Other Features.
+ * 
+ */
+#define HAVE_FW_MASQUERADE 0
+#define HAVE_IP_TOOLS 0
+#define HAVE_MII 0
+#define HAVE_SELINUX 0
diff --git a/nixpkgs/pkgs/os-specific/linux/net-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/net-tools/default.nix
new file mode 100644
index 000000000000..9630b5c0c7a1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/net-tools/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "net-tools";
+  version = "2.10";
+
+  src = fetchurl {
+    url = "mirror://gentoo/distfiles/${pname}-${version}.tar.xz";
+    sha256 = "sha256-smJDWlJB6Jv6UcPKvVEzdTlS96e3uT8y4Iy52W9YDWk=";
+  };
+
+  preBuild =
+    ''
+      cp ${./config.h} config.h
+    '';
+
+  makeFlags = [
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "AR=${stdenv.cc.targetPrefix}ar"
+    "BASEDIR=$(out)"
+    "mandir=/share/man"
+    "HAVE_ARP_TOOLS=1"
+    "HAVE_PLIP_TOOLS=1"
+    "HAVE_SERIAL_TOOLS=1"
+    "HAVE_HOSTNAME_TOOLS=1"
+    "HAVE_HOSTNAME_SYMLINKS=1"
+    "HAVE_MII=1"
+  ];
+
+  meta = {
+    homepage = "http://net-tools.sourceforge.net/";
+    description = "A set of tools for controlling the network subsystem in Linux";
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+  };
+}
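Review bot: `makeFlags` passes `"HAVE_MII=1"`, but the `config.h` copied in by `preBuild` has `#define HAVE_MII 0`, so the Makefile and the C preprocessor see opposite values for the same feature switch. If the intent is to build the MII tooling, the checked-in header should agree. If the mismatch is deliberate, say so, e.g. `# config.h keeps HAVE_MII 0; the make variable alone controls whether mii-tool is built` (to be confirmed against upstream's Makefile). The same header also defines `HAVE_HWEC` twice, which suggests it was edited by hand despite its DO NOT EDIT banner. A short comment on how `config.h` was produced would make future version bumps reproducible.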
diff --git a/nixpkgs/pkgs/os-specific/linux/net-tools/mptcp.nix b/nixpkgs/pkgs/os-specific/linux/net-tools/mptcp.nix
new file mode 100644
index 000000000000..b4ce59a7c68d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/net-tools/mptcp.nix
@@ -0,0 +1,21 @@
+{ lib, nettools, fetchFromGitHub  }:
+
+nettools.overrideAttrs(oa: rec {
+  pname = "net-tools-mptcp";
+  version = "0.95";
+
+  src = fetchFromGitHub {
+    owner = "multipath-tcp";
+    repo = "net-tools";
+    rev = "mptcp_v${version}";
+    sha256 = "0i7gr1y699nc7j9qllsx8kicqkpkhw51x4chcmyl5xs06b2mdjri";
+  };
+
+  meta = with lib; {
+    homepage = "https://github.com/multipath-tcp/net-tools";
+    description = "A set of tools for controlling the network subsystem in Linux";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ teto ];
+  };
+})
diff --git a/nixpkgs/pkgs/os-specific/linux/netatop/default.nix b/nixpkgs/pkgs/os-specific/linux/netatop/default.nix
new file mode 100644
index 000000000000..b892292477ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/netatop/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenv, fetchurl, kernel, kmod, zlib }:
+
+let
+  version = "3.1";
+in
+
+stdenv.mkDerivation {
+  name = "netatop-${kernel.version}-${version}";
+
+  src = fetchurl {
+    url = "http://www.atoptool.nl/download/netatop-${version}.tar.gz";
+    sha256 = "0qjw8glfdmngfvbn1w63q128vxdz2jlabw13y140ga9i5ibl6vvk";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  buildInputs = [ kmod zlib ];
+
+  hardeningDisable = [ "pic" ];
+  NIX_CFLAGS_COMPILE = [ "-Wno-error=implicit-fallthrough" ];
+
+  patches = [
+    # fix paths in netatop.service
+    ./fix-paths.patch
+    # Specify PIDFile in /run, not /var/run to silence systemd warning
+    ./netatop.service.patch
+  ];
+  preConfigure = ''
+    patchShebangs mkversion
+    sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \
+        */Makefile
+    sed -i -e 's,/lib/modules.*extra,'$out'/lib/modules/${kernel.modDirVersion}/extra,' \
+        -e s,/usr,$out, \
+        -e /init.d/d \
+        -e /depmod/d \
+        -e s,/lib/systemd,$out/lib/systemd, \
+        Makefile
+
+    kmod=${kmod} substituteAllInPlace netatop.service
+  '';
+
+  makeFlags = kernel.makeFlags;
+
+  preInstall = ''
+    mkdir -p $out/lib/systemd/system $out/bin $out/sbin $out/share/man/man{4,8}
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/extra
+  '';
+
+  meta = {
+    description = "Network monitoring module for atop";
+    homepage = "https://www.atoptool.nl/downloadnetatop.php";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ viric ];
+  };
+}
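Review bot: `src` is fetched from `http://www.atoptool.nl/download/...`, while `meta.homepage` already uses `https://` for the same host. The `sha256` pins the content, so a tampered download fails the build rather than being used, but the fetch still goes out in plaintext and every hash update then depends on whoever bumps the version verifying the new tarball independently. I would switch to `url = "https://www.atoptool.nl/download/netatop-${version}.tar.gz";` after checking that it serves the same file. Separately, the unquoted `-e s,/usr,$out,` and `-e s,/lib/systemd,$out/lib/systemd,` in `preConfigure` would read more safely quoted as `-e "s,/usr,$out,"`.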
diff --git a/nixpkgs/pkgs/os-specific/linux/netatop/fix-paths.patch b/nixpkgs/pkgs/os-specific/linux/netatop/fix-paths.patch
new file mode 100644
index 000000000000..0e71c4efdd31
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/netatop/fix-paths.patch
@@ -0,0 +1,11 @@
+--- a/netatop.service
++++ b/netatop.service
+@@ -8,5 +8,5 @@
+ Type=oneshot
+-ExecStartPre=/sbin/modprobe netatop
+-ExecStart=/usr/sbin/netatopd
+-ExecStopPost=/sbin/rmmod netatop
++ExecStartPre=@kmod@/bin/modprobe netatop
++ExecStart=@out@/bin/netatopd
++ExecStopPost=@kmod@/bin/rmmod netatop
+ PIDFile=/var/run/netatop.pid
diff --git a/nixpkgs/pkgs/os-specific/linux/netatop/netatop.service.patch b/nixpkgs/pkgs/os-specific/linux/netatop/netatop.service.patch
new file mode 100644
index 000000000000..c7c798ee06bc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/netatop/netatop.service.patch
@@ -0,0 +1,7 @@
+--- a/netatop.service
++++ b/netatop.service
+@@ -11,3 +11,3 @@
+ ExecStopPost=@kmod@/bin/rmmod netatop
+-PIDFile=/var/run/netatop.pid
++PIDFile=/run/netatop.pid
+ RemainAfterExit=yes
diff --git a/nixpkgs/pkgs/os-specific/linux/new-lg4ff/default.nix b/nixpkgs/pkgs/os-specific/linux/new-lg4ff/default.nix
new file mode 100644
index 000000000000..df2b66e9079a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/new-lg4ff/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, kernel, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "new-lg4ff";
+  version = "0.3.3";
+
+  src = fetchFromGitHub {
+    owner = "berarma";
+    repo = "new-lg4ff";
+    rev = "${version}";
+    sha256 = "+05xDpNI4m6wTS+YPgA0fP4iM10nMOZOtCrdQxpevBU=";
+  };
+
+  preBuild = ''
+    substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
+    sed -i '/depmod/d' Makefile
+    sed -i "10i\\\trmmod hid-logitech 2> /dev/null || true" Makefile
+    sed -i "11i\\\trmmod hid-logitech-new 2> /dev/null || true" Makefile
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KVERSION=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    description = "Experimental Logitech force feedback module for Linux";
+    homepage = "https://github.com/berarma/new-lg4ff";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ matthiasbenaets ];
+    platforms = platforms.linux;
+    broken = stdenv.isAarch64;
+  };
+}
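Review bot: The two `sed -i "10i..."` / `"11i..."` calls in `preBuild` insert `rmmod` commands at fixed line numbers of upstream's Makefile, so a version bump that shifts those lines will silently place them in a different rule or break the file. The hunk does not show which target they land in, and module unloading has no obvious place in a sandboxed build, so the intent needs a comment at minimum. If they are not required for the Nix build, drop both lines. Otherwise anchor the insertion on a pattern (the target name) instead of a line number. Minor: `rev = "${version}";` can be written as `rev = version;`.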
diff --git a/nixpkgs/pkgs/os-specific/linux/nfs-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/nfs-utils/default.nix
new file mode 100644
index 000000000000..7b5f6e720018
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nfs-utils/default.nix
@@ -0,0 +1,131 @@
+{ stdenv, fetchurl, fetchpatch, lib, pkg-config, util-linux, libcap, libtirpc, libevent
+, sqlite, libkrb5, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers
+, python3, buildPackages, nixosTests, rpcsvc-proto
+, enablePython ? true
+}:
+
+let
+  statdPath = lib.makeBinPath [ systemd util-linux coreutils ];
+in
+
+stdenv.mkDerivation rec {
+  pname = "nfs-utils";
+  version = "2.5.1";
+
+  src = fetchurl {
+    url = "https://kernel.org/pub/linux/utils/nfs-utils/${version}/${pname}-${version}.tar.xz";
+    sha256 = "1i1h3n2m35q9ixs1i2qf1rpjp10cipa3c25zdf1xj1vaw5q8270g";
+  };
+
+  # libnfsidmap is built together with nfs-utils from the same source,
+  # put it in the "lib" output, and the headers in "dev"
+  outputs = [ "out" "dev" "lib" "man" ];
+
+  nativeBuildInputs = [ pkg-config buildPackages.stdenv.cc rpcsvc-proto ];
+
+  buildInputs = [
+    libtirpc libcap libevent sqlite lvm2
+    libuuid keyutils libkrb5 tcp_wrappers
+  ] ++ lib.optional enablePython python3;
+
+  enableParallelBuilding = true;
+
+  preConfigure =
+    ''
+      substituteInPlace configure \
+        --replace '$dir/include/gssapi' ${lib.getDev libkrb5}/include/gssapi \
+        --replace '$dir/bin/krb5-config' ${lib.getDev libkrb5}/bin/krb5-config
+    '';
+
+  configureFlags =
+    [ "--enable-gss"
+      "--enable-svcgss"
+      "--with-statedir=/var/lib/nfs"
+      "--with-krb5=${lib.getLib libkrb5}"
+      "--with-systemd=${placeholder "out"}/etc/systemd/system"
+      "--enable-libmount-mount"
+      "--with-pluginpath=${placeholder "lib"}/lib/libnfsidmap" # this installs libnfsidmap
+      "--with-rpcgen=${buildPackages.rpcsvc-proto}/bin/rpcgen"
+    ];
+
+  patches = lib.optionals stdenv.hostPlatform.isMusl [
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/alpinelinux/aports/cb880042d48d77af412d4688f24b8310ae44f55f/main/nfs-utils/0011-exportfs-only-do-glibc-specific-hackery-on-glibc.patch";
+      sha256 = "0rrddrykz8prk0dcgfvmnz0vxn09dbgq8cb098yjjg19zz6d7vid";
+    })
+    # http://openwall.com/lists/musl/2015/08/18/10
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/alpinelinux/aports/cb880042d48d77af412d4688f24b8310ae44f55f/main/nfs-utils/musl-getservbyport.patch";
+      sha256 = "1fqws9dz8n1d9a418c54r11y3w330qgy2652dpwcy96cm44sqyhf";
+    })
+  ];
+
+  postPatch =
+    ''
+      patchShebangs tests
+      sed -i "s,/usr/sbin,$out/bin,g" utils/statd/statd.c
+      sed -i "s,^PATH=.*,PATH=$out/bin:${statdPath}," utils/statd/start-statd
+
+      configureFlags="--with-start-statd=$out/bin/start-statd $configureFlags"
+
+      substituteInPlace systemd/nfs-utils.service \
+        --replace "/bin/true" "${coreutils}/bin/true"
+
+      substituteInPlace utils/mount/Makefile.in \
+        --replace "chmod 4511" "chmod 0511"
+
+      sed '1i#include <stdint.h>' -i support/nsm/rpc.c
+    '';
+
+  makeFlags = [
+    "sbindir=$(out)/bin"
+    "generator_dir=$(out)/etc/systemd/system-generators"
+  ];
+
+  installFlags = [
+    "statedir=$(TMPDIR)"
+    "statdpath=$(TMPDIR)"
+  ];
+
+  stripDebugList = [ "lib" "libexec" "bin" "etc/systemd/system-generators" ];
+
+  postInstall =
+    ''
+      # Not used on NixOS
+      sed -i \
+        -e "s,/sbin/modprobe,${kmod}/bin/modprobe,g" \
+        -e "s,/usr/sbin,$out/bin,g" \
+        $out/etc/systemd/system/*
+    '' + lib.optionalString (!enablePython) ''
+      # Remove all scripts that require python (currently mountstats and nfsiostat)
+      grep -l /usr/bin/python $out/bin/* | xargs -I {} rm -v {}
+    '';
+
+  # One test fails on mips.
+  # doCheck = !stdenv.isMips;
+  # https://bugzilla.kernel.org/show_bug.cgi?id=203793
+  doCheck = false;
+
+  disallowedReferences = [ (lib.getDev libkrb5) ];
+
+  passthru.tests = {
+    nfs3-simple = nixosTests.nfs3.simple;
+    nfs4-simple = nixosTests.nfs4.simple;
+    nfs4-kerberos = nixosTests.nfs4.kerberos;
+  };
+
+  meta = with lib; {
+    description = "Linux user-space NFS utilities";
+
+    longDescription = ''
+      This package contains various Linux user-space Network File
+      System (NFS) utilities, including RPC `mount' and `nfs'
+      daemons.
+    '';
+
+    homepage = "https://linux-nfs.org/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
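Review bot: The `substituteInPlace utils/mount/Makefile.in --replace "chmod 4511" "chmod 0511"` step in `postPatch` removes the setuid bit from the installed mount helper without saying why, and that is the security-relevant change in this derivation. It needs a comment so nobody "fixes" it back, along the lines of `# store paths cannot carry setuid bits; a setuid mount.nfs, where needed, must come from a wrapper outside the store`. The `# Not used on NixOS` comment at the top of `postInstall` is also ambiguous, since it sits above a `sed` that does run. It presumably refers to the upstream unit files being rewritten and should say so. `doCheck = false;` cites a bug URL, which is good, but the commented-out `doCheck = !stdenv.isMips;` above it can go.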
diff --git a/nixpkgs/pkgs/os-specific/linux/nftables/default.nix b/nixpkgs/pkgs/os-specific/linux/nftables/default.nix
new file mode 100644
index 000000000000..8339eabb495a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nftables/default.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, fetchurl, pkg-config, bison, flex
+, asciidoc, libxslt, findXMLCatalogs, docbook_xml_dtd_45, docbook_xsl
+, libmnl, libnftnl, libpcap
+, gmp, jansson, libedit
+, autoreconfHook
+, withDebugSymbols ? false
+, withPython ? false , python3
+, withXtables ? true , iptables
+}:
+
+stdenv.mkDerivation rec {
+  version = "1.0.4";
+  pname = "nftables";
+
+  src = fetchurl {
+    url = "https://netfilter.org/projects/nftables/files/${pname}-${version}.tar.bz2";
+    hash = "sha256-kn+x/qH2haMowQz3ketlXX4e1J0xDupcsxAd/Y1sujU=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config bison flex
+    asciidoc docbook_xml_dtd_45 docbook_xsl findXMLCatalogs libxslt
+  ];
+
+  buildInputs = [
+    libmnl libnftnl libpcap
+    gmp jansson libedit
+  ] ++ lib.optional withXtables iptables
+    ++ lib.optional withPython python3;
+
+  configureFlags = [
+    "--with-json"
+    "--with-cli=editline"
+  ] ++ lib.optional (!withDebugSymbols) "--disable-debug"
+    ++ lib.optional (!withPython) "--disable-python"
+    ++ lib.optional withPython "--enable-python"
+    ++ lib.optional withXtables "--with-xtables";
+
+  meta = with lib; {
+    description = "The project that aims to replace the existing {ip,ip6,arp,eb}tables framework";
+    homepage = "https://netfilter.org/projects/nftables/";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ izorkin ajs124 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nix-ld/default.nix b/nixpkgs/pkgs/os-specific/linux/nix-ld/default.nix
new file mode 100644
index 000000000000..b54f9e36515d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nix-ld/default.nix
@@ -0,0 +1,56 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, meson
+, ninja
+, nixosTests
+}:
+let
+  libDir = if builtins.elem stdenv.system [ "x86_64-linux" "mips64-linux" "powerpc64le-linux" ]
+           then "/lib64"
+           else "/lib";
+in
+stdenv.mkDerivation rec {
+  pname = "nix-ld";
+  version = "1.0.2";
+
+  src = fetchFromGitHub {
+    owner = "mic92";
+    repo = "nix-ld";
+    rev = version;
+    sha256 = "sha256-DlWU5i/MykqWgB9vstYbECy3e+XagXWCxi+XDJNey0s=";
+  };
+
+  doCheck = true;
+
+  nativeBuildInputs = [ meson ninja ];
+
+  mesonFlags = [
+    "-Dnix-system=${stdenv.system}"
+  ];
+
+  hardeningDisable = [
+    "stackprotector"
+  ];
+
+  postInstall = ''
+    mkdir -p $out/nix-support
+
+    ldpath=${libDir}/$(basename $(< ${stdenv.cc}/nix-support/dynamic-linker))
+    echo "$ldpath" > $out/nix-support/ldpath
+    mkdir -p $out/lib/tmpfiles.d/
+    cat > $out/lib/tmpfiles.d/nix-ld.conf <<EOF
+      L+ $ldpath - - - - $out/libexec/nix-ld
+    EOF
+  '';
+
+  passthru.tests.nix-ld = nixosTests.nix-ld;
+
+  meta = with lib; {
+    description = "Run unpatched dynamic binaries on NixOS";
+    homepage = "https://github.com/Mic92/nix-ld";
+    license = licenses.mit;
+    maintainers = with maintainers; [ mic92 ];
+    platforms = platforms.linux;
+  };
+}
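Review bot: `hardeningDisable = [ "stackprotector" ];` turns off a compiler mitigation for a binary that is installed as the system's dynamic-loader path via the `tmpfiles.d` rule in `postInstall`, and the hunk gives no reason for it. If the cause is that the shim is built without libc startup code and so cannot provide the canary symbol (my assumption, to be confirmed against upstream's build), record that next to the setting, e.g. `# built freestanding: no __stack_chk_guard available`. That way a later reader can tell a necessary exception from an oversight and re-enable the flag if upstream changes.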
diff --git a/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/default.nix b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/default.nix
new file mode 100644
index 000000000000..34611d3f4009
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/default.nix
@@ -0,0 +1,36 @@
+{ substituteAll
+, runtimeShell
+, coreutils
+, gnused
+, gnugrep
+, nix
+, lib
+, nixosTests
+}:
+let
+  fallback = import ./../../../../nixos/modules/installer/tools/nix-fallback-paths.nix;
+in
+substituteAll {
+  name = "nixos-rebuild";
+  src = ./nixos-rebuild.sh;
+  dir = "bin";
+  isExecutable = true;
+  inherit runtimeShell nix;
+  nix_x86_64_linux = fallback.x86_64-linux;
+  nix_i686_linux = fallback.i686-linux;
+  nix_aarch64_linux = fallback.aarch64-linux;
+  path = lib.makeBinPath [ coreutils gnused gnugrep ];
+
+  # run some a simple installer tests to make sure nixos-rebuild still works for them
+  passthru.tests = {
+    simple-installer-test = nixosTests.installer.simple;
+  };
+
+  meta = {
+    description = "Rebuild your NixOS configuration and switch to it, on local hosts and remote.";
+    homepage = "https://github.com/NixOS/nixpkgs/tree/master/pkgs/os-specific/linux/nixos-rebuild";
+    license = lib.licenses.mit;
+    maintainers = [ lib.maintainers.Profpatsch ];
+    mainProgram = "nixos-rebuild";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
new file mode 100755
index 000000000000..ebbb596f91f6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
@@ -0,0 +1,580 @@
+#! @runtimeShell@
+# shellcheck shell=bash
+
+if [ -x "@runtimeShell@" ]; then export SHELL="@runtimeShell@"; fi;
+
+set -e
+set -o pipefail
+shopt -s inherit_errexit
+
+export PATH=@path@:$PATH
+
+showSyntax() {
+    exec man nixos-rebuild
+    exit 1
+}
+
+
+# Parse the command line.
+origArgs=("$@")
+copyClosureFlags=()
+extraBuildFlags=()
+lockFlags=()
+flakeFlags=(--extra-experimental-features 'nix-command flakes')
+action=
+buildNix=1
+fast=
+rollback=
+upgrade=
+upgrade_all=
+profile=/nix/var/nix/profiles/system
+buildHost=localhost
+targetHost=
+remoteSudo=
+verboseScript=
+noFlake=
+# comma separated list of vars to preserve when using sudo
+preservedSudoVars=NIXOS_INSTALL_BOOTLOADER
+
+# log the given argument to stderr
+log() {
+    echo "$@" >&2
+}
+
+while [ "$#" -gt 0 ]; do
+    i="$1"; shift 1
+    case "$i" in
+      --help)
+        showSyntax
+        ;;
+      switch|boot|test|build|edit|dry-build|dry-run|dry-activate|build-vm|build-vm-with-bootloader)
+        if [ "$i" = dry-run ]; then i=dry-build; fi
+        # exactly one action mandatory, bail out if multiple are given
+        if [ -n "$action" ]; then showSyntax; fi
+        action="$i"
+        ;;
+      --install-grub)
+        log "$0: --install-grub deprecated, use --install-bootloader instead"
+        export NIXOS_INSTALL_BOOTLOADER=1
+        ;;
+      --install-bootloader)
+        export NIXOS_INSTALL_BOOTLOADER=1
+        ;;
+      --no-build-nix)
+        buildNix=
+        ;;
+      --rollback)
+        rollback=1
+        ;;
+      --upgrade)
+        upgrade=1
+        ;;
+      --upgrade-all)
+        upgrade=1
+        upgrade_all=1
+        ;;
+      --use-substitutes|-s)
+        copyClosureFlags+=("$i")
+        ;;
+      -I|--max-jobs|-j|--cores|--builders)
+        j="$1"; shift 1
+        extraBuildFlags+=("$i" "$j")
+        ;;
+      -j*|--quiet|--print-build-logs|-L|--no-build-output|-Q| --show-trace|--keep-going|-k|--keep-failed|-K|--fallback|--refresh|--repair|--impure|--offline|--no-net)
+        extraBuildFlags+=("$i")
+        ;;
+      --verbose|-v|-vv|-vvv|-vvvv|-vvvvv)
+        verboseScript="true"
+        extraBuildFlags+=("$i")
+        ;;
+      --option)
+        j="$1"; shift 1
+        k="$1"; shift 1
+        extraBuildFlags+=("$i" "$j" "$k")
+        ;;
+      --fast)
+        buildNix=
+        fast=1
+        ;;
+      --profile-name|-p)
+        if [ -z "$1" ]; then
+            log "$0: ‘--profile-name’ requires an argument"
+            exit 1
+        fi
+        if [ "$1" != system ]; then
+            profile="/nix/var/nix/profiles/system-profiles/$1"
+            mkdir -p -m 0755 "$(dirname "$profile")"
+        fi
+        shift 1
+        ;;
+      --build-host|h)
+        buildHost="$1"
+        shift 1
+        ;;
+      --target-host|t)
+        targetHost="$1"
+        shift 1
+        ;;
+      --use-remote-sudo)
+        remoteSudo=1
+        ;;
+      --flake)
+        flake="$1"
+        shift 1
+        ;;
+      --no-flake)
+        noFlake=1
+        ;;
+      --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file)
+        lockFlags+=("$i")
+        ;;
+      --update-input)
+        j="$1"; shift 1
+        lockFlags+=("$i" "$j")
+        ;;
+      --override-input)
+        j="$1"; shift 1
+        k="$1"; shift 1
+        lockFlags+=("$i" "$j" "$k")
+        ;;
+      *)
+        log "$0: unknown option \`$i'"
+        exit 1
+        ;;
+    esac
+done
+
+if [[ -n "$SUDO_USER" || -n $remoteSudo ]]; then
+    maybeSudo=(sudo --preserve-env="$preservedSudoVars" --)
+fi
+
+if [[ -z "$buildHost" && -n "$targetHost" ]]; then
+    buildHost="$targetHost"
+fi
+if [ "$targetHost" = localhost ]; then
+    targetHost=
+fi
+if [ "$buildHost" = localhost ]; then
+    buildHost=
+fi
+
+# log the given argument to stderr if verbose mode is on
+logVerbose() {
+    if [ -n "$verboseScript" ]; then
+      echo "$@" >&2
+    fi
+}
+
+# Run a command, logging it first if verbose mode is on
+runCmd() {
+    logVerbose "$" "$@"
+    "$@"
+}
+
+buildHostCmd() {
+    if [ -z "$buildHost" ]; then
+        runCmd "$@"
+    elif [ -n "$remoteNix" ]; then
+        runCmd ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" env PATH="$remoteNix":'$PATH' "$@"
+    else
+        runCmd ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" "$@"
+    fi
+}
+
+targetHostCmd() {
+    if [ -z "$targetHost" ]; then
+        runCmd "${maybeSudo[@]}" "$@"
+    else
+        runCmd ssh $SSHOPTS "$targetHost" "${maybeSudo[@]}" "$@"
+    fi
+}
+
+copyToTarget() {
+    if ! [ "$targetHost" = "$buildHost" ]; then
+        if [ -z "$targetHost" ]; then
+            logVerbose "Running nix-copy-closure with these NIX_SSHOPTS: $SSHOPTS"
+            NIX_SSHOPTS=$SSHOPTS runCmd nix-copy-closure "${copyClosureFlags[@]}" --from "$buildHost" "$1"
+        elif [ -z "$buildHost" ]; then
+            logVerbose "Running nix-copy-closure with these NIX_SSHOPTS: $SSHOPTS"
+            NIX_SSHOPTS=$SSHOPTS runCmd nix-copy-closure "${copyClosureFlags[@]}" --to "$targetHost" "$1"
+        else
+            buildHostCmd nix-copy-closure "${copyClosureFlags[@]}" --to "$targetHost" "$1"
+        fi
+    fi
+}
+
+nixBuild() {
+    logVerbose "Building in legacy (non-flake) mode."
+    if [ -z "$buildHost" ]; then
+        logVerbose "No --build-host given, running nix-build locally"
+        runCmd nix-build "$@"
+    else
+        logVerbose "buildHost set to \"$buildHost\", running nix-build remotely"
+        local instArgs=()
+        local buildArgs=()
+        local drv=
+
+        while [ "$#" -gt 0 ]; do
+            local i="$1"; shift 1
+            case "$i" in
+              -o)
+                local out="$1"; shift 1
+                buildArgs+=("--add-root" "$out" "--indirect")
+                ;;
+              -A)
+                local j="$1"; shift 1
+                instArgs+=("$i" "$j")
+                ;;
+              -I) # We don't want this in buildArgs
+                shift 1
+                ;;
+              --no-out-link) # We don't want this in buildArgs
+                ;;
+              "<"*) # nix paths
+                instArgs+=("$i")
+                ;;
+              *)
+                buildArgs+=("$i")
+                ;;
+            esac
+        done
+
+        drv="$(runCmd nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")"
+        if [ -a "$drv" ]; then
+            logVerbose "Running nix-copy-closure with these NIX_SSHOPTS: $SSHOPTS"
+            NIX_SSHOPTS=$SSHOPTS runCmd nix-copy-closure --to "$buildHost" "$drv"
+            buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
+        else
+            log "nix-instantiate failed"
+            exit 1
+        fi
+  fi
+}
+
+nixFlakeBuild() {
+    logVerbose "Building in flake mode."
+    if [[ -z "$buildHost" && -z "$targetHost" && "$action" != switch && "$action" != boot && "$action" != test && "$action" != dry-activate ]]
+    then
+        runCmd nix "${flakeFlags[@]}" build "$@"
+        readlink -f ./result
+    elif [ -z "$buildHost" ]; then
+        runCmd nix "${flakeFlags[@]}" build "$@" --out-link "${tmpDir}/result"
+        readlink -f "${tmpDir}/result"
+    else
+        local attr="$1"
+        shift 1
+        local evalArgs=()
+        local buildArgs=()
+        local drv=
+
+        while [ "$#" -gt 0 ]; do
+            local i="$1"; shift 1
+            case "$i" in
+              --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file)
+                evalArgs+=("$i")
+                ;;
+              --update-input)
+                local j="$1"; shift 1
+                evalArgs+=("$i" "$j")
+                ;;
+              --override-input)
+                local j="$1"; shift 1
+                local k="$1"; shift 1
+                evalArgs+=("$i" "$j" "$k")
+                ;;
+              --impure) # We don't want this in buildArgs, it's only needed at evaluation time, and unsupported during realisation
+                ;;
+              *)
+                buildArgs+=("$i")
+                ;;
+            esac
+        done
+
+        drv="$(runCmd nix "${flakeFlags[@]}" eval --raw "${attr}.drvPath" "${evalArgs[@]}" "${extraBuildFlags[@]}")"
+        if [ -a "$drv" ]; then
+            logVerbose "Running nix with these NIX_SSHOPTS: $SSHOPTS"
+            NIX_SSHOPTS=$SSHOPTS runCmd nix "${flakeFlags[@]}" copy --derivation --to "ssh://$buildHost" "$drv"
+            buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
+        else
+            log "nix eval failed"
+            exit 1
+        fi
+    fi
+}
+
+
+if [ -z "$action" ]; then showSyntax; fi
+
+# Only run shell scripts from the Nixpkgs tree if the action is
+# "switch", "boot", or "test". With other actions (such as "build"),
+# the user may reasonably expect that no code from the Nixpkgs tree is
+# executed, so it's safe to run nixos-rebuild against a potentially
+# untrusted tree.
+canRun=
+if [[ "$action" = switch || "$action" = boot || "$action" = test ]]; then
+    canRun=1
+fi
+
+
+# If ‘--upgrade’ or `--upgrade-all` is given,
+# run ‘nix-channel --update nixos’.
+if [[ -n $upgrade && -z $_NIXOS_REBUILD_REEXEC && -z $flake ]]; then
+    # If --upgrade-all is passed, or there are other channels that
+    # contain a file called ".update-on-nixos-rebuild", update them as
+    # well. Also upgrade the nixos channel.
+
+    for channelpath in /nix/var/nix/profiles/per-user/root/channels/*; do
+        channel_name=$(basename "$channelpath")
+
+        if [[ "$channel_name" == "nixos" ]]; then
+            runCmd nix-channel --update "$channel_name"
+        elif [ -e "$channelpath/.update-on-nixos-rebuild" ]; then
+            runCmd nix-channel --update "$channel_name"
+        elif [[ -n $upgrade_all ]] ; then
+            runCmd nix-channel --update "$channel_name"
+        fi
+    done
+fi
+
+# Make sure that we use the Nix package we depend on, not something
+# else from the PATH for nix-{env,instantiate,build}.  This is
+# important, because NixOS defaults the architecture of the rebuilt
+# system to the architecture of the nix-* binaries used.  So if on an
+# amd64 system the user has an i686 Nix package in her PATH, then we
+# would silently downgrade the whole system to be i686 NixOS on the
+# next reboot.
+if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then
+    export PATH=@nix@/bin:$PATH
+fi
+
+# Use /etc/nixos/flake.nix if it exists. It can be a symlink to the
+# actual flake.
+if [[ -z $flake && -e /etc/nixos/flake.nix && -z $noFlake ]]; then
+    flake="$(dirname "$(readlink -f /etc/nixos/flake.nix)")"
+fi
+
+# For convenience, use the hostname as the default configuration to
+# build from the flake.
+if [[ -n $flake ]]; then
+    if [[ $flake =~ ^(.*)\#([^\#\"]*)$ ]]; then
+       flake="${BASH_REMATCH[1]}"
+       flakeAttr="${BASH_REMATCH[2]}"
+    fi
+    if [[ -z $flakeAttr ]]; then
+        read -r hostname < /proc/sys/kernel/hostname
+        if [[ -z $hostname ]]; then
+            hostname=default
+        fi
+        flakeAttr="nixosConfigurations.\"$hostname\""
+    else
+        flakeAttr="nixosConfigurations.\"$flakeAttr\""
+    fi
+fi
+
+
+tmpDir=$(mktemp -t -d nixos-rebuild.XXXXXX)
+
+cleanup() {
+    for ctrl in "$tmpDir"/ssh-*; do
+        ssh -o ControlPath="$ctrl" -O exit dummyhost 2>/dev/null || true
+    done
+    rm -rf "$tmpDir"
+}
+trap cleanup EXIT
+
+
+# Re-execute nixos-rebuild from the Nixpkgs tree.
+if [[ -z $_NIXOS_REBUILD_REEXEC && -n $canRun && -z $fast ]]; then
+    if [[ -z $flake ]]; then
+        if p=$(runCmd nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
+            SHOULD_REEXEC=1
+        fi
+    else
+        runCmd nix "${flakeFlags[@]}" build --out-link "${tmpDir}/nixos-rebuild" "$flake#$flakeAttr.config.system.build.nixos-rebuild" "${extraBuildFlags[@]}" "${lockFlags[@]}"
+        if p=$(readlink -e "${tmpDir}/nixos-rebuild"); then
+            SHOULD_REEXEC=1
+        fi
+    fi
+
+    if [[ -n $SHOULD_REEXEC ]]; then
+        export _NIXOS_REBUILD_REEXEC=1
+        # Manually call cleanup as the EXIT trap is not triggered when using exec
+        cleanup
+        runCmd exec "$p/bin/nixos-rebuild" "${origArgs[@]}"
+        exit 1
+    fi
+fi
+
+# Find configuration.nix and open editor instead of building.
+if [ "$action" = edit ]; then
+    if [[ -z $flake ]]; then
+        NIXOS_CONFIG=${NIXOS_CONFIG:-$(runCmd nix-instantiate --find-file nixos-config)}
+        if [[ -d $NIXOS_CONFIG ]]; then
+            NIXOS_CONFIG=$NIXOS_CONFIG/default.nix
+        fi
+        runCmd exec ${EDITOR:-nano} "$NIXOS_CONFIG"
+    else
+        runCmd exec nix "${flakeFlags[@]}" edit "${lockFlags[@]}" -- "$flake#$flakeAttr"
+    fi
+    exit 1
+fi
+
+SSHOPTS="$NIX_SSHOPTS -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-%n -o ControlPersist=60"
+
+# First build Nix, since NixOS may require a newer version than the
+# current one.
+if [[ -n "$rollback" || "$action" = dry-build ]]; then
+    buildNix=
+fi
+
+nixSystem() {
+    machine="$(uname -m)"
+    if [[ "$machine" =~ i.86 ]]; then
+        machine=i686
+    fi
+    echo $machine-linux
+}
+
+prebuiltNix() {
+    machine="$1"
+    if [ "$machine" = x86_64 ]; then
+        echo @nix_x86_64_linux@
+    elif [[ "$machine" =~ i.86 ]]; then
+        echo @nix_i686_linux@
+    elif [[ "$machine" = aarch64 ]]; then
+        echo @nix_aarch64_linux@
+    else
+        log "$0: unsupported platform"
+        exit 1
+    fi
+}
+
+if [[ -n $buildNix && -z $flake ]]; then
+    log "building Nix..."
+    nixDrv=
+    if ! nixDrv="$(runCmd nix-instantiate '<nixpkgs/nixos>' --add-root "$tmpDir/nix.drv" --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
+        if ! nixDrv="$(runCmd nix-instantiate '<nixpkgs>' --add-root "$tmpDir/nix.drv" --indirect -A nix "${extraBuildFlags[@]}")"; then
+            if ! nixStorePath="$(runCmd nix-instantiate --eval '<nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix>' -A "$(nixSystem)" | sed -e 's/^"//' -e 's/"$//')"; then
+                nixStorePath="$(prebuiltNix "$(uname -m)")"
+            fi
+            if ! runCmd nix-store -r "$nixStorePath" --add-root "${tmpDir}/nix" --indirect \
+                --option extra-binary-caches https://cache.nixos.org/; then
+                log "warning: don't know how to get latest Nix"
+            fi
+            # Older version of nix-store -r don't support --add-root.
+            [ -e "$tmpDir/nix" ] || ln -sf "$nixStorePath" "$tmpDir/nix"
+            if [ -n "$buildHost" ]; then
+                remoteNixStorePath="$(runCmd prebuiltNix "$(buildHostCmd uname -m)")"
+                remoteNix="$remoteNixStorePath/bin"
+                if ! buildHostCmd nix-store -r "$remoteNixStorePath" \
+                  --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
+                    remoteNix=
+                    log "warning: don't know how to get latest Nix"
+                fi
+            fi
+        fi
+    fi
+    if [ -a "$nixDrv" ]; then
+        nix-store -r "$nixDrv"'!'"out" --add-root "$tmpDir/nix" --indirect >/dev/null
+        if [ -n "$buildHost" ]; then
+            nix-copy-closure "${copyClosureFlags[@]}" --to "$buildHost" "$nixDrv"
+            # The nix build produces multiple outputs, we add them all to the remote path
+            for p in $(buildHostCmd nix-store -r "$(readlink "$nixDrv")" "${buildArgs[@]}"); do
+                remoteNix="$remoteNix${remoteNix:+:}$p/bin"
+            done
+        fi
+    fi
+    PATH="$tmpDir/nix/bin:$PATH"
+fi
+
+
+# Update the version suffix if we're building from Git (so that
+# nixos-version shows something useful).
+if [[ -n $canRun && -z $flake ]]; then
+    if nixpkgs=$(runCmd nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then
+        suffix=$(runCmd $SHELL "$nixpkgs/nixos/modules/installer/tools/get-version-suffix" "${extraBuildFlags[@]}" || true)
+        if [ -n "$suffix" ]; then
+            echo -n "$suffix" > "$nixpkgs/.version-suffix" || true
+        fi
+    fi
+fi
+
+
+if [ "$action" = dry-build ]; then
+    extraBuildFlags+=(--dry-run)
+fi
+
+
+# Either upgrade the configuration in the system profile (for "switch"
+# or "boot"), or just build it and create a symlink "result" in the
+# current directory (for "build" and "test").
+if [ -z "$rollback" ]; then
+    log "building the system configuration..."
+    if [[ "$action" = switch || "$action" = boot ]]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' --no-out-link -A system "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+        copyToTarget "$pathToConfig"
+        targetHostCmd nix-env -p "$profile" --set "$pathToConfig"
+    elif [[ "$action" = test || "$action" = build || "$action" = dry-build || "$action" = dry-activate ]]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+    elif [ "$action" = build-vm ]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vm -k "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.vm" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+    elif [ "$action" = build-vm-with-bootloader ]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vmWithBootLoader -k "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.vmWithBootLoader" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+    else
+        showSyntax
+    fi
+    # Copy build to target host if we haven't already done it
+    if ! [[ "$action" = switch || "$action" = boot ]]; then
+        copyToTarget "$pathToConfig"
+    fi
+else # [ -n "$rollback" ]
+    if [[ "$action" = switch || "$action" = boot ]]; then
+        targetHostCmd nix-env --rollback -p "$profile"
+        pathToConfig="$profile"
+    elif [[ "$action" = test || "$action" = build ]]; then
+        systemNumber=$(
+            targetHostCmd nix-env -p "$profile" --list-generations |
+            sed -n '/current/ {g; p;}; s/ *\([0-9]*\).*/\1/; h'
+        )
+        pathToConfig="$profile"-${systemNumber}-link
+        if [ -z "$targetHost" ]; then
+            ln -sT "$pathToConfig" ./result
+        fi
+    else
+        showSyntax
+    fi
+fi
+
+
+# If we're not just building, then make the new configuration the boot
+# default and/or activate it now.
+if [[ "$action" = switch || "$action" = boot || "$action" = test || "$action" = dry-activate ]]; then
+    if ! targetHostCmd "$pathToConfig/bin/switch-to-configuration" "$action"; then
+        log "warning: error(s) occurred while switching to the new configuration"
+        exit 1
+    fi
+fi
+
+
+if [[ "$action" = build-vm || "$action" = build-vm-with-bootloader ]]; then
+    cat >&2 <<EOF
+
+Done.  The virtual machine can be started by running $(echo "${pathToConfig}/bin/"run-*-vm)
+EOF
+fi
diff --git a/nixpkgs/pkgs/os-specific/linux/nmon/default.nix b/nixpkgs/pkgs/os-specific/linux/nmon/default.nix
new file mode 100644
index 000000000000..41c16f9f394c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nmon/default.nix
@@ -0,0 +1,33 @@
+{ fetchurl, lib, stdenv, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "nmon";
+  version = "16n";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/nmon/lmon${version}.c";
+    sha256 = "1wpm2f30414b87kpbr9hbidblr5cmfby5skwqd0fkpi5v712q0f0";
+  };
+
+  buildInputs = [ ncurses ];
+  dontUnpack = true;
+  buildPhase = "${stdenv.cc.targetPrefix}cc -o nmon ${src} -g -O2 -D JFS -D GETUSER -Wall -D LARGEMEM -lncurses -lm -g -D ${
+    with stdenv.targetPlatform;
+    if isx86 then "X86"
+    else if isAarch then "ARM"
+    else if isPower then "POWER"
+    else "UNKNOWN"
+  }";
+  installPhase = ''
+    mkdir -p $out/bin
+    cp nmon $out/bin
+  '';
+
+  meta = with lib; {
+    description = "AIX & Linux Performance Monitoring tool";
+    homepage = "http://nmon.sourceforge.net";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ sveitser ];
+  };
+}
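Review bot: `buildPhase` is a single-line string and `installPhase` a bare block, so neither runs its `runHook pre…`/`runHook post…` hooks, and the compiler line passes `-g` twice. Write `buildPhase` as a `''` block that starts with `runHook preBuild` and ends with `runHook postBuild`, do the same for `installPhase`, and drop the second `-g`. The `homepage` is plain `http://`; use the https form if the site serves it.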
diff --git a/nixpkgs/pkgs/os-specific/linux/nss_ldap/crashes.patch b/nixpkgs/pkgs/os-specific/linux/nss_ldap/crashes.patch
new file mode 100644
index 000000000000..48250141e82a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nss_ldap/crashes.patch
@@ -0,0 +1,104 @@
+https://bugzilla.redhat.com/show_bug.cgi?id=488857
+
+
+Distinguish between contexts that are somewhat persistent and one-offs
+which are used to fulfill part of a larger request.
+
+diff -up nss_ldap-253/ldap-grp.c nss_ldap-253/ldap-grp.c
+--- nss_ldap-253/ldap-grp.c	2009-05-08 13:30:43.000000000 -0400
++++ nss_ldap-253/ldap-grp.c	2009-05-08 13:34:41.000000000 -0400
+@@ -857,7 +857,7 @@ ng_chase (const char *dn, ldap_initgroup
+   LA_STRING (a) = dn;
+   LA_TYPE (a) = LA_TYPE_STRING;
+ 
+-  if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
++  if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
+     {
+       return NSS_UNAVAIL;
+     }
+@@ -930,7 +930,7 @@ ng_chase_backlink (const char ** members
+   LA_STRING_LIST (a) = filteredMembersOf;
+   LA_TYPE (a) = LA_TYPE_STRING_LIST_OR;
+ 
+-  if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
++  if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
+     {
+       free (filteredMembersOf);
+       return NSS_UNAVAIL;
+diff -up nss_ldap-253/ldap-netgrp.c nss_ldap-253/ldap-netgrp.c
+--- nss_ldap-253/ldap-netgrp.c	2009-05-08 13:31:35.000000000 -0400
++++ nss_ldap-253/ldap-netgrp.c	2009-05-08 13:33:14.000000000 -0400
+@@ -691,7 +691,7 @@ do_innetgr_nested (ldap_innetgr_args_t *
+   LA_TYPE (a) = LA_TYPE_STRING;
+   LA_STRING (a) = nested;	/* memberNisNetgroup */
+ 
+-  if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
++  if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
+     {
+       debug ("<== do_innetgr_nested: failed to initialize context");
+       return NSS_UNAVAIL;
+diff -up nss_ldap-253/ldap-nss.c nss_ldap-253/ldap-nss.c
+--- nss_ldap-253/ldap-nss.c	2009-05-08 13:27:17.000000000 -0400
++++ nss_ldap-253/ldap-nss.c	2009-05-08 14:05:51.000000000 -0400
+@@ -1961,6 +1961,7 @@ _nss_ldap_ent_context_init_locked (ent_c
+ 	  debug ("<== _nss_ldap_ent_context_init_locked");
+ 	  return NULL;
+ 	}
++      ctx->ec_internal = 0;
+       *pctx = ctx;
+     }
+   else
+@@ -1990,6 +1991,15 @@ _nss_ldap_ent_context_init_locked (ent_c
+ 
+   return ctx;
+ }
++ent_context_t *
++_nss_ldap_ent_context_init_internal_locked (ent_context_t ** pctx)
++{
++  ent_context_t *ctx;
++  ctx = _nss_ldap_ent_context_init_locked (pctx);
++  if (ctx != NULL)
++    ctx->ec_internal = 1;
++  return ctx;
++}
+ 
+ /*
+  * Clears a given context; we require the caller
+@@ -2031,7 +2041,8 @@ _nss_ldap_ent_context_release (ent_conte
+ 
+   LS_INIT (ctx->ec_state);
+ 
+-  if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
++  if (!ctx->ec_internal &&
++      _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
+     {
+       do_close ();
+     }
+diff -up nss_ldap-253/ldap-nss.h nss_ldap-253/ldap-nss.h
+--- nss_ldap-253/ldap-nss.h	2009-05-08 13:35:47.000000000 -0400
++++ nss_ldap-253/ldap-nss.h	2009-05-08 13:52:25.000000000 -0400
+@@ -560,6 +560,8 @@ struct ent_context
+   ldap_state_t ec_state;	/* eg. for services */
+   int ec_msgid;			/* message ID */
+   LDAPMessage *ec_res;		/* result chain */
++  int ec_internal;		/* this context is just a part of a larger
++				 * query for information */
+   ldap_service_search_descriptor_t *ec_sd;	/* current sd */
+   struct berval *ec_cookie;     /* cookie for paged searches */
+ };
+@@ -744,6 +746,15 @@ ent_context_t *_nss_ldap_ent_context_ini
+ ent_context_t *_nss_ldap_ent_context_init_locked (ent_context_t **);
+ 
+ /*
++ * _nss_ldap_ent_context_init_internal_locked() has the same
++ * behaviour, except it marks the context as one that's being
++ * used to fetch additional data used in answering a request, i.e.
++ * that this isn't the "main" context
++ */
++
++ent_context_t *_nss_ldap_ent_context_init_internal_locked (ent_context_t **);
++
++/*
+  * _nss_ldap_ent_context_release() is used to manually free a context 
+  */
+ void _nss_ldap_ent_context_release (ent_context_t *);
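Review bot: In the ldap-nss.c hunk at `@@ -1961,6 +1961,7`, `ctx->ec_internal = 0;` is added only on the path that ends in `*pctx = ctx;`, which looks like the branch that allocates a fresh context; the `else` branch lies outside the hunk. If that branch reuses an existing context without touching the flag, a context first set up through `_nss_ldap_ent_context_init_internal_locked` would keep `ec_internal == 1` when later re-initialised through the plain function. `_nss_ldap_ent_context_release` would then skip `do_close ()` under the oneshot connect policy. Clearing the flag once after the if/else, just before `return ctx;`, would make the result independent of the branch taken, and the internal wrapper still sets it to 1 afterwards.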
diff --git a/nixpkgs/pkgs/os-specific/linux/nss_ldap/default.nix b/nixpkgs/pkgs/os-specific/linux/nss_ldap/default.nix
new file mode 100644
index 000000000000..23bc8ff0dfad
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nss_ldap/default.nix
@@ -0,0 +1,39 @@
+{lib, stdenv, fetchurl, openldap, perl}:
+
+stdenv.mkDerivation rec {
+  pname = "nss_ldap";
+  version = "265";
+
+  src = fetchurl {
+    url = "http://www.padl.com/download/nss_ldap-${version}.tar.gz";
+    sha256 = "1a16q9p97d2blrj0h6vl1xr7dg7i4s8x8namipr79mshby84vdbp";
+  };
+
+  preConfigure = ''
+    patchShebangs ./vers_string
+    sed -i s,vers_string,./vers_string, Makefile*
+    substituteInPlace vers_string --replace "cvslib.pl" "./cvslib.pl"
+  '';
+
+  patches = [ ./crashes.patch ];
+
+  postPatch = ''
+    patch -p0 < ${./nss_ldap-265-glibc-2.16.patch}
+  '';
+
+  preInstall = ''
+    installFlagsArray=(INST_UID=$(id -u) INST_GID=$(id -g) LIBC_VERS=2.5 NSS_VERS=2 NSS_LDAP_PATH_CONF=$out/etc/ldap.conf)
+    substituteInPlace Makefile \
+      --replace '/usr$(libdir)' $TMPDIR \
+      --replace 'install-data-local:' 'install-data-local-disabled:'
+    mkdir -p $out/etc
+  '';
+
+  buildInputs = [ openldap perl ];
+
+  meta = with lib; {
+    description = "LDAP module for the Solaris Nameservice Switch (NSS)";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
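Review bot: `src` is fetched over plain `http://`, so the pinned `sha256` is the only thing that protects the tarball's integrity. That is enough for the build, but use an https URL if upstream offers one, and never refresh the hash from an unauthenticated download. The hand-run `patch -p0` in `postPatch` deserves a comment such as `# applied by hand: the file names in this patch have no leading directory, so the default -p1 used for patches would not match`. `meta` has neither `homepage` nor `maintainers`, which leaves a module on the name-service lookup path without a named owner.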
diff --git a/nixpkgs/pkgs/os-specific/linux/nss_ldap/nss_ldap-265-glibc-2.16.patch b/nixpkgs/pkgs/os-specific/linux/nss_ldap/nss_ldap-265-glibc-2.16.patch
new file mode 100644
index 000000000000..8b0b9289327a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nss_ldap/nss_ldap-265-glibc-2.16.patch
@@ -0,0 +1,139 @@
+https://github.com/archlinuxarm/PKGBUILDs/issues/296
+
+Fixes the bug causing a segfault on nscd and sshd:
+symbol lookup error: /usr/lib/libnss_ldap.so.2: undefined symbol: __libc_lock_lock
+
+--- ldap-nss.c.orig	2012-10-17 12:32:03.908730283 +0000
++++ ldap-nss.c	2012-10-17 12:38:10.906767283 +0000
+@@ -148,7 +148,7 @@
+  */
+ static ldap_session_t __session = { NULL, NULL, 0, LS_UNINITIALIZED };
+ 
+-#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE___LIBC_ONCE)
+ static pthread_once_t __once = PTHREAD_ONCE_INIT;
+ #endif
+ 
+@@ -168,7 +168,7 @@
+ static int __ssl_initialized = 0;
+ #endif /* HAVE_LDAPSSL_CLIENT_INIT */
+ 
+-#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE___LIBC_ONCE)
+ /*
+  * Prepare for fork(); lock mutex.
+  */
+@@ -519,7 +519,7 @@
+ }
+ #endif /* HAVE_NSSWITCH_H */
+ 
+-#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE_PTHREAD_ATFORK) || defined(HAVE___LIBC_ONCE)
+ static void
+ do_atfork_prepare (void)
+ {
+@@ -553,7 +553,7 @@
+ #ifdef HAVE_PTHREAD_ATFORK
+   (void) pthread_atfork (do_atfork_prepare, do_atfork_parent,
+ 			 do_atfork_child);
+-#elif defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#elif defined(HAVE___LIBC_ATFORK)
+   (void) __libc_atfork (do_atfork_prepare, do_atfork_parent, do_atfork_child);
+ #endif
+ 
+@@ -1119,7 +1119,7 @@
+     }
+ 
+ #ifndef HAVE_PTHREAD_ATFORK
+-#if defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE___LIBC_ONCE)
+   /*
+    * This bogosity is necessary because Linux uses different
+    * PIDs for different threads (like IRIX, which we don't
+@@ -1151,7 +1151,7 @@
+     pid = -1;			/* linked against libpthreads, don't care */
+ #else
+   pid = getpid ();
+-#endif /* HAVE_LIBC_LOCK_H || HAVE_BITS_LIBC_LOCK_H */
++#endif /* HAVE___LIBC_ONCE */
+ #endif /* HAVE_PTHREAD_ATFORK */
+ 
+   euid = geteuid ();
+@@ -1161,7 +1161,7 @@
+   syslog (LOG_DEBUG,
+ 	  "nss_ldap: __session.ls_state=%d, __session.ls_conn=%p, __euid=%i, euid=%i",
+ 	  __session.ls_state, __session.ls_conn, __euid, euid);
+-#elif defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#elif defined(HAVE___LIBC_ONCE)
+   syslog (LOG_DEBUG,
+ 	  "nss_ldap: libpthreads=%s, __session.ls_state=%d, __session.ls_conn=%p, __pid=%i, pid=%i, __euid=%i, euid=%i",
+  	  ((__pthread_once == NULL || __pthread_atfork == NULL) ? "FALSE" : "TRUE"),
+@@ -1185,11 +1185,11 @@
+     }
+   else
+ #ifndef HAVE_PTHREAD_ATFORK
+-#if defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#if defined(HAVE___LIBC_ONCE)
+   if ((__pthread_once == NULL || __pthread_atfork == NULL) && __pid != pid)
+ #else
+   if (__pid != pid)
+-#endif /* HAVE_LIBC_LOCK_H || HAVE_BITS_LIBC_LOCK_H */
++#endif /* HAVE___LIBC_ONCE */
+     {
+       do_close_no_unbind ();
+     }
+@@ -1250,9 +1250,9 @@
+       debug ("<== do_init (pthread_once failed)");
+       return NSS_UNAVAIL;
+     }
+-#elif defined(HAVE_PTHREAD_ATFORK) && ( defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H) )
++#elif defined(HAVE_PTHREAD_ATFORK) && defined(HAVE___LIBC_ONCE)
+   __libc_once (__once, do_atfork_setup);
+-#elif defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#elif defined(HAVE___LIBC_ONCE)
+   /*
+    * Only install the pthread_atfork() handlers i
+    * we are linked against libpthreads. Otherwise,
+--- ldap-nss.h.orig	2012-10-17 12:33:05.681379283 +0000
++++ ldap-nss.h	2012-10-17 12:34:06.337050753 +0000
+@@ -671,7 +671,7 @@
+ #define NSS_LDAP_LOCK(m)		mutex_lock(&m)
+ #define NSS_LDAP_UNLOCK(m)		mutex_unlock(&m)
+ #define NSS_LDAP_DEFINE_LOCK(m)		static mutex_t m = DEFAULTMUTEX
+-#elif defined(HAVE_LIBC_LOCK_H) || defined(HAVE_BITS_LIBC_LOCK_H)
++#elif defined(HAVE___LIBC_LOCK_LOCK) && defined(HAVE___LIBC_LOCK_UNLOCK)
+ #define NSS_LDAP_LOCK(m)		__libc_lock_lock(m)
+ #define NSS_LDAP_UNLOCK(m)		__libc_lock_unlock(m)
+ #define NSS_LDAP_DEFINE_LOCK(m)		static pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER
+--- ldap-nss.c.orig	2012-10-17 12:58:20.270783283 +0000
++++ ldap-nss.c	2012-10-17 12:58:43.699267283 +0000
+@@ -156,7 +156,7 @@
+ static FILE *__debugfile;
+ #endif /* LBER_OPT_LOG_PRINT_FILE */
+ 
+-#ifndef HAVE_PTHREAD_ATFORK
++#if !defined(HAVE_PTHREAD_ATFORK) || !defined(HAVE___LIBC_ONCE)
+ /* 
+  * Process ID that opened the session.
+  */
+--- configure.in.orig	2012-10-17 12:59:31.707235283 +0000
++++ configure.in	2012-10-17 13:00:15.854289283 +0000
+@@ -255,6 +255,7 @@
+ AC_CHECK_FUNCS(pthread_once)
+ AC_CHECK_FUNCS(ether_aton)
+ AC_CHECK_FUNCS(ether_ntoa)
++AC_CHECK_FUNCS(__libc_once __libc_atfork __libc_lock_lock __libc_lock_unlock)
+ 
+ AC_MSG_CHECKING(for struct ether_addr)
+ AC_TRY_COMPILE([#include <sys/types.h>
+--- ldap-nss.c.orig	2012-10-17 13:02:01.418010283 +0000
++++ ldap-nss.c	2012-10-17 13:03:25.017240283 +0000
+@@ -1102,7 +1102,7 @@
+ do_init (void)
+ {
+   ldap_config_t *cfg;
+-#ifndef HAVE_PTHREAD_ATFORK
++#if !defined(HAVE_PTHREAD_ATFORK) || !defined(HAVE___LIBC_ONCE)
+   pid_t pid;
+ #endif
+   uid_t euid;
diff --git a/nixpkgs/pkgs/os-specific/linux/numactl/default.nix b/nixpkgs/pkgs/os-specific/linux/numactl/default.nix
new file mode 100644
index 000000000000..2f8a4feb0301
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numactl/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "numactl";
+  version = "2.0.14";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0hahpdp5xqy9cbg251bdxqkml341djn2h856g435h4ngz63sr9fs";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  postPatch = ''
+    patchShebangs test
+  '';
+
+  LDFLAGS = lib.optionalString stdenv.hostPlatform.isRiscV "-latomic";
+
+  # You probably shouldn't ever run these! They will reconfigure Linux
+  # NUMA settings, which on my build machine makes the rest of package
+  # building ~5% slower until reboot. Ugh!
+  doCheck = false; # never ever!
+
+  meta = with lib; {
+    description = "Library and tools for non-uniform memory access (NUMA) machines";
+    homepage = "https://github.com/numactl/numactl";
+    license = with licenses; [ gpl2 lgpl21 ]; # libnuma is lgpl21
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/numad/default.nix b/nixpkgs/pkgs/os-specific/linux/numad/default.nix
new file mode 100644
index 000000000000..24fc9e188741
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numad/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchgit }:
+
+stdenv.mkDerivation rec {
+  pname = "numad";
+  version = "0.5";
+
+  src = fetchgit {
+    url = "https://pagure.io/numad.git";
+    rev = "334278ff3d774d105939743436d7378a189e8693";
+    sha256 = "sha256-6nrbfooUI1ufJhsPf68li5584oKQcznXQlxfpStuX5I=";
+  };
+
+  hardeningDisable = [ "format" ];
+
+  patches = [
+    ./numad-linker-flags.patch
+  ];
+  postPatch = ''
+    substituteInPlace Makefile --replace "install -m" "install -Dm"
+  '';
+
+  makeFlags = [ "prefix=$(out)" ];
+
+  meta = with lib; {
+    description = "A user-level daemon that monitors NUMA topology and processes resource consumption to facilitate good NUMA resource access";
+    homepage = "https://fedoraproject.org/wiki/Features/numad";
+    license = licenses.lgpl21;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
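Review bot: `hardeningDisable = [ "format" ];` switches off the format-string hardening flags (`-Wformat-security`, `-Werror=format-security`) for a daemon and gives no reason. If the build only fails because of non-literal format strings, patching those calls is the better fix. Otherwise state the reason next to the setting, for example `# FIXME: does not build with -Werror=format-security; drop once the format strings are fixed`. `maintainers` is an empty list, so nobody is assigned to revisit it.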
diff --git a/nixpkgs/pkgs/os-specific/linux/numad/numad-linker-flags.patch b/nixpkgs/pkgs/os-specific/linux/numad/numad-linker-flags.patch
new file mode 100644
index 000000000000..97f3dc8b6cf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numad/numad-linker-flags.patch
@@ -0,0 +1,33 @@
+From 9eb3cc5c51d846c8c8b750a4eb55545d7b5fea6c Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 23 Apr 2014 15:41:26 -0400
+Subject: [PATCH] use LDLIBS for linker flags
+
+When you put -lfoo into the dependency line of make, it forces it to
+search /lib and /usr/lib for files to link against.  This can cause
+problems when trying to cross-compile or build for different ABIs.
+Use the standard LDLIBS variable instead.
+
+URL: https://bugs.gentoo.org/505760
+Reported-by: Georgi Georgiev <chutzimir@gmail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index f3838b4..f2e9a6e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -31,7 +31,8 @@ docdir := ${prefix}/share/doc
+ 
+ all: numad
+ 
+-numad: numad.o -lpthread
++LDLIBS := -lpthread
++numad: numad.o
+ 
+ AR ?= ar
+ RANLIB ?= ranlib
+-- 
+1.9.2
diff --git a/nixpkgs/pkgs/os-specific/linux/numatop/default.nix b/nixpkgs/pkgs/os-specific/linux/numatop/default.nix
new file mode 100644
index 000000000000..0946d5050db4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numatop/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, pkg-config, numactl, ncurses, check }:
+
+stdenv.mkDerivation rec {
+  pname = "numatop";
+  version = "2.2";
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "numatop";
+    rev = "v${version}";
+    sha256 = "sha256-GJvTwqgx34ZW10eIJj/xiKe3ZkAfs7GlJImz8jrnjfI=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ numactl ncurses ];
+  checkInputs = [ check ];
+
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/intel/numatop/pull/54.patch";
+      sha256 = "sha256-TbMLv7TT9T8wE4uJ1a/AroyPPwrwL0eX5IBLsh9GTTM=";
+      name = "fix-string-operations.patch";
+    })
+    (fetchpatch {
+      url = "https://github.com/intel/numatop/pull/64.patch";
+      sha256 = "sha256-IevbSFJRTS5iQ5apHOVXzF67f3LJaW6j7DySFmVuyiM=";
+      name = "fix-format-strings-mvwprintw.patch";
+    })
+  ];
+
+  doCheck  = true;
+
+  meta = with lib; {
+    description = "Tool for runtime memory locality characterization and analysis of processes and threads on a NUMA system";
+    homepage = "https://01.org/numatop";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ dtzWill ];
+    platforms = [
+      "i686-linux" "x86_64-linux"
+      "powerpc64-linux" "powerpc64le-linux"
+    ];
+  };
+}
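Review bot: Both `fetchpatch` entries point at pull-request URLs (`pull/54.patch`, `pull/64.patch`), whose content changes whenever the pull-request branch is updated. The `sha256` turns such a change into a build failure rather than a silent substitution, but the fetch is no longer reproducible. Pin the merged commit instead, `url = "https://github.com/intel/numatop/commit/<commit-sha>.patch";`, with the placeholder replaced by the real commit. `doCheck  = true;` also has a doubled space.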
diff --git a/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules
new file mode 100644
index 000000000000..ab07de99718b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules
@@ -0,0 +1,2 @@
+SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="a291", TAG+="uaccess"
+SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="df11", TAG+="uaccess"
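Review bot: The second rule matches `0483:df11`, which is the generic STMicroelectronics DFU bootloader ID rather than a calculator-specific one, so `TAG+="uaccess"` gives the logged-in seat user raw access to any STM32 device in DFU mode. That is presumably wanted for flashing the calculator, but the wider scope should be documented where users will see it. A comment such as `# 0483:df11 is the generic STM32 DFU bootloader, not only the calculator` above the rule would do. Since update.sh overwrites this file, the package description may be a more durable place for it.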
diff --git a/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/default.nix
new file mode 100644
index 000000000000..aae7507f50cd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "numworks-udev-rules";
+  version = "unstable-2020-08-31";
+
+  udevRules = ./50-numworks-calculator.rules;
+  dontUnpack = true;
+
+  installPhase = ''
+    install -Dm 644 "${udevRules}" "$out/lib/udev/rules.d/50-numworks-calculator.rules"
+  '';
+
+  meta = with lib; {
+    description = "Udev rules for Numworks calculators";
+    homepage = "https://numworks.com";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ shamilton ];
+    platforms = platforms.linux;
+  };
+}
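Review bot: `fetchurl` is listed in the argument set on the first line but nothing in the derivation uses it; the header can be `{ lib, stdenv }:`. `installPhase` also omits `runHook preInstall` and `runHook postInstall`, so overrides that rely on those hooks will not run.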
diff --git a/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/update.sh b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/update.sh
new file mode 100755
index 000000000000..3949f6fd8f41
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/numworks-udev-rules/update.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+wget -O 50-numworks-calculator.rules "https://workshop.numworks.com/files/drivers/linux/50-numworks-calculator.rules"
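Review bot: The `wget -O` line overwrites the rules file in whatever directory the script is run from, and a failed or partial download leaves a truncated file behind. These rules grant device access once installed, so download to a temporary name and move it into place only on success, from the script's own directory: `cd "$(dirname "$0")"` followed by `wget -O rules.tmp "$url" && mv rules.tmp 50-numworks-calculator.rules`. The downloaded rules should be read as a diff before they are committed, and `version` in default.nix bumped with them.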
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/builder.sh b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/builder.sh
new file mode 100755
index 000000000000..a7746194570c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/builder.sh
@@ -0,0 +1,208 @@
+source $stdenv/setup
+
+unpackManually() {
+    skip=$(sed 's/^skip=//; t; d' $src)
+    tail -n +$skip $src | xz -d | tar xvf -
+    sourceRoot=.
+}
+
+
+unpackFile() {
+    sh $src -x || unpackManually
+}
+
+
+buildPhase() {
+    if [ -n "$bin" ]; then
+        # Create the module.
+        echo "Building linux driver against kernel: $kernel";
+        cd kernel
+        unset src # used by the nv makefile
+        make $makeFlags -j $NIX_BUILD_CORES module
+
+        cd ..
+    fi
+}
+
+
+installPhase() {
+    # Install libGL and friends.
+
+    # since version 391, 32bit libraries are bundled in the 32/ sub-directory
+    if [ "$i686bundled" = "1" ]; then
+        mkdir -p "$lib32/lib"
+        cp -prd 32/*.so.* "$lib32/lib/"
+        if [ -d 32/tls ]; then
+            cp -prd 32/tls "$lib32/lib/"
+        fi
+    fi
+
+    mkdir -p "$out/lib"
+    cp -prd *.so.* "$out/lib/"
+    if [ -d tls ]; then
+        cp -prd tls "$out/lib/"
+    fi
+
+    # Install systemd power management executables
+    if [ -e systemd/nvidia-sleep.sh ]; then
+        mv systemd/nvidia-sleep.sh ./
+    fi
+    if [ -e nvidia-sleep.sh ]; then
+        sed -E 's#(PATH=).*#\1"$PATH"#' nvidia-sleep.sh > nvidia-sleep.sh.fixed
+        install -Dm755 nvidia-sleep.sh.fixed $out/bin/nvidia-sleep.sh
+    fi
+
+    if [ -e systemd/system-sleep/nvidia ]; then
+        mv systemd/system-sleep/nvidia ./
+    fi
+    if [ -e nvidia ]; then
+        sed -E "s#/usr(/bin/nvidia-sleep.sh)#$out\\1#" nvidia > nvidia.fixed
+        install -Dm755 nvidia.fixed $out/lib/systemd/system-sleep/nvidia
+    fi
+
+    for i in $lib32 $out; do
+        rm -f $i/lib/lib{glx,nvidia-wfb}.so.* # handled separately
+        rm -f $i/lib/libnvidia-gtk* # built from source
+        if [ "$useGLVND" = "1" ]; then
+            # Pre-built libglvnd
+            rm $i/lib/lib{GL,GLX,EGL,GLESv1_CM,GLESv2,OpenGL,GLdispatch}.so.*
+        fi
+        # Use ocl-icd instead
+        rm -f $i/lib/libOpenCL.so*
+        # Move VDPAU libraries to their place
+        mkdir $i/lib/vdpau
+        mv $i/lib/libvdpau* $i/lib/vdpau
+
+        # Install ICDs, make absolute paths.
+        # Be careful not to modify any original files because this runs twice.
+
+        # OpenCL
+        sed -E "s#(libnvidia-opencl)#$i/lib/\\1#" nvidia.icd > nvidia.icd.fixed
+        install -Dm644 nvidia.icd.fixed $i/etc/OpenCL/vendors/nvidia.icd
+
+        # Vulkan
+        if [ -e nvidia_icd.json.template ] || [ -e nvidia_icd.json ]; then
+            if [ -e nvidia_icd.json.template ]; then
+                # template patching for version < 435
+                sed "s#__NV_VK_ICD__#$i/lib/libGLX_nvidia.so#" nvidia_icd.json.template > nvidia_icd.json.fixed
+            else
+                sed -E "s#(libGLX_nvidia)#$i/lib/\\1#" nvidia_icd.json > nvidia_icd.json.fixed
+            fi
+
+            # nvidia currently only supports x86_64 and i686
+            if [ "$i" == "$lib32" ]; then
+                install -Dm644 nvidia_icd.json.fixed $i/share/vulkan/icd.d/nvidia_icd.i686.json
+            else
+                install -Dm644 nvidia_icd.json.fixed $i/share/vulkan/icd.d/nvidia_icd.x86_64.json
+            fi
+        fi
+
+        if [ -e nvidia_layers.json ]; then
+            sed -E "s#(libGLX_nvidia)#$i/lib/\\1#" nvidia_layers.json > nvidia_layers.json.fixed
+            install -Dm644 nvidia_layers.json.fixed $i/share/vulkan/implicit_layer.d/nvidia_layers.json
+        fi
+
+        # EGL
+        if [ "$useGLVND" = "1" ]; then
+            sed -E "s#(libEGL_nvidia)#$i/lib/\\1#" 10_nvidia.json > 10_nvidia.json.fixed
+            sed -E "s#(libnvidia-egl-wayland)#$i/lib/\\1#" 10_nvidia_wayland.json > 10_nvidia_wayland.json.fixed
+
+            install -Dm644 10_nvidia.json.fixed $i/share/glvnd/egl_vendor.d/10_nvidia.json
+            install -Dm644 10_nvidia_wayland.json.fixed $i/share/egl/egl_external_platform.d/10_nvidia_wayland.json
+
+            if [[ -f "15_nvidia_gbm.json" ]]; then
+              sed -E "s#(libnvidia-egl-gbm)#$i/lib/\\1#" 15_nvidia_gbm.json > 15_nvidia_gbm.json.fixed
+              install -Dm644 15_nvidia_gbm.json.fixed $i/share/egl/egl_external_platform.d/15_nvidia_gbm.json
+
+              mkdir -p $i/lib/gbm
+              ln -s $i/lib/libnvidia-allocator.so $i/lib/gbm/nvidia-drm_gbm.so
+            fi
+        fi
+
+        # Install libraries needed by Proton to support DLSS
+        if [ -e nvngx.dll ] && [ -e _nvngx.dll ]; then
+            install -Dm644 -t $i/lib/nvidia/wine/ nvngx.dll _nvngx.dll
+        fi
+    done
+
+    if [ -n "$bin" ]; then
+        # Install the X drivers.
+        mkdir -p $bin/lib/xorg/modules
+        if [ -f libnvidia-wfb.so ]; then
+            cp -p libnvidia-wfb.* $bin/lib/xorg/modules/
+        fi
+        mkdir -p $bin/lib/xorg/modules/drivers
+        cp -p nvidia_drv.so $bin/lib/xorg/modules/drivers
+        mkdir -p $bin/lib/xorg/modules/extensions
+        cp -p libglx*.so* $bin/lib/xorg/modules/extensions
+
+        # Install the kernel module.
+        mkdir -p $bin/lib/modules/$kernelVersion/misc
+        for i in $(find ./kernel -name '*.ko'); do
+            nuke-refs $i
+            cp $i $bin/lib/modules/$kernelVersion/misc/
+        done
+
+        # Install application profiles.
+        if [ "$useProfiles" = "1" ]; then
+            mkdir -p $bin/share/nvidia
+            cp nvidia-application-profiles-*-rc $bin/share/nvidia/nvidia-application-profiles-rc
+            cp nvidia-application-profiles-*-key-documentation $bin/share/nvidia/nvidia-application-profiles-key-documentation
+        fi
+    fi
+
+    if [ -n "$firmware" ]; then
+        # Install the GSP firmware
+        install -Dm644 firmware/gsp.bin $firmware/lib/firmware/nvidia/$version/gsp.bin
+    fi
+
+    # All libs except GUI-only are installed now, so fixup them.
+    for libname in $(find "$out/lib/" $(test -n "$lib32" && echo "$lib32/lib/") $(test -n "$bin" && echo "$bin/lib/") -name '*.so.*')
+    do
+      # I'm lazy to differentiate needed libs per-library, as the closure is the same.
+      # Unfortunately --shrink-rpath would strip too much.
+      if [[ -n $lib32 && $libname == "$lib32/lib/"* ]]; then
+        patchelf --set-rpath "$lib32/lib:$libPath32" "$libname"
+      else
+        patchelf --set-rpath "$out/lib:$libPath" "$libname"
+      fi
+
+      libname_short=`echo -n "$libname" | sed 's/so\..*/so/'`
+
+      if [[ "$libname" != "$libname_short" ]]; then
+        ln -srnf "$libname" "$libname_short"
+      fi
+
+      if [[ $libname_short =~ libEGL.so || $libname_short =~ libEGL_nvidia.so || $libname_short =~ libGLX.so || $libname_short =~ libGLX_nvidia.so ]]; then
+          major=0
+      else
+          major=1
+      fi
+
+      if [[ "$libname" != "$libname_short.$major" ]]; then
+        ln -srnf "$libname" "$libname_short.$major"
+      fi
+    done
+
+    if [ -n "$bin" ]; then
+        # Install /share files.
+        mkdir -p $bin/share/man/man1
+        cp -p *.1.gz $bin/share/man/man1
+        rm -f $bin/share/man/man1/{nvidia-xconfig,nvidia-settings,nvidia-persistenced}.1.gz
+
+        # Install the programs.
+        for i in nvidia-cuda-mps-control nvidia-cuda-mps-server nvidia-smi nvidia-debugdump; do
+            if [ -e "$i" ]; then
+                install -Dm755 $i $bin/bin/$i
+                # unmodified binary backup for mounting in containers
+                install -Dm755 $i $bin/origBin/$i
+                patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+                    --set-rpath $out/lib:$libPath $bin/bin/$i
+            fi
+        done
+        # FIXME: needs PATH and other fixes
+        # install -Dm755 nvidia-bug-report.sh $bin/bin/nvidia-bug-report.sh
+    fi
+}
+
+genericBuild
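Review bot: In `installPhase` the sed applied to `nvidia-sleep.sh` is single-quoted, so it writes the literal text `PATH="$PATH"` into the installed script. The script then resolves every command through whatever PATH its caller provides. It is installed alongside a `system-sleep` hook, so it presumably runs as root around suspend and resume, which makes the inherited PATH part of the trust boundary. If that is intended, say so at the sed line, e.g. `# keep the caller's PATH: the unit that starts nvidia-sleep.sh must set a fixed PATH`; otherwise substitute a PATH built from store paths at build time. Separately, `$src`, `$skip` and `$i` are expanded unquoted in `unpackManually`, `unpackFile` and the `find ./kernel` loop, which is worth tightening.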
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/default.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/default.nix
new file mode 100644
index 000000000000..bc66e3c8b7eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -0,0 +1,111 @@
+{ lib, callPackage, fetchpatch, fetchurl, stdenv, pkgsi686Linux }:
+
+let
+  generic = args: let
+    imported = import ./generic.nix args;
+  in callPackage imported {
+    lib32 = (pkgsi686Linux.callPackage imported {
+      libsOnly = true;
+      kernel = null;
+    }).out;
+  };
+
+  kernel = callPackage # a hacky way of extracting parameters from callPackage
+    ({ kernel, libsOnly ? false }: if libsOnly then { } else kernel) { };
+
+  selectHighestVersion = a: b: if lib.versionOlder a.version b.version
+    then b
+    else a;
+in
+rec {
+  # Official Unix Drivers - https://www.nvidia.com/en-us/drivers/unix/
+  # Branch/Maturity data - http://people.freedesktop.org/~aplattner/nvidia-versions.txt
+
+  # Policy: use the highest stable version as the default (on our master).
+  stable = if stdenv.hostPlatform.system == "i686-linux" then legacy_390 else latest;
+
+  production = generic {
+    version = "515.65.01";
+    sha256_64bit = "sha256-BJLdxbXmWqAMvHYujWaAIFyNCOEDtxMQh6FRJq7klek=";
+    openSha256 = "sha256-GCCDnaDsbXTmbCYZBCM3fpHmOSWti/DkBJwYrRGAMPI=";
+    settingsSha256 = "sha256-kBELMJCIWD9peZba14wfCoxsi3UXO3ehFYcVh4nvzVg=";
+    persistencedSha256 = "sha256-P8oT7g944HvNk2Ot/0T0sJM7dZs+e0d+KwbwRrmsuDY=";
+  };
+
+  latest = selectHighestVersion production (generic {
+    version = "495.46";
+    sha256_64bit = "2Dt30X2gxUZnqlsT1uqVpcUTBCV7Hs8vjUo7WuMcYvU=";
+    settingsSha256 = "vbcZYn+UBBGwjfrJ6SyXt3+JLBeNcXK4h8mjj7qxZPk=";
+    persistencedSha256 = "ieYqkVxe26cLw1LUgBsFSSowAyfZkTcItIzQCestCXI=";
+  });
+
+  beta = selectHighestVersion latest (generic {
+    version = "515.43.04";
+    sha256_64bit = "sha256-PodaTTUOSyMW8rtdtabIkSLskgzAymQyfToNlwxPPcc=";
+    openSha256 = "sha256-1bAr5dWZ4jnY3Uo2JaEz/rhw2HuW9LZ5bACmA1VG068=";
+    settingsSha256 = "sha256-j47LtP6FNTPfiXFh9KwXX8vZOQzlytA30ZfW9N5F2PY=";
+    persistencedSha256 = "sha256-hULBy0wnVpLH8I0L6O9/HfgvJURtE2whpXOgN/vb3Wo=";
+  });
+
+  # Vulkan developer beta driver
+  # See here for more information: https://developer.nvidia.com/vulkan-driver
+  vulkan_beta = generic rec {
+    version = "470.62.13";
+    persistencedVersion = "470.86";
+    settingsVersion = "470.86";
+    sha256_64bit = "sha256-itBFNPMy+Nn0g8V8qdkRb+ELHj57GRso1lXhPHUxKVI=";
+    settingsSha256 = "sha256-fq6RlD6g3uylvvTjE4MmaQwxPJYU0u6IMfpPVzks0tI=";
+    persistencedSha256 = "sha256-eHvauvh8Wd+b8DK6B3ZWNjoWGztupWrR8iog9ok58io=";
+    url = "https://developer.nvidia.com/vulkan-beta-${lib.concatStrings (lib.splitString "." version)}-linux";
+    broken = kernel.kernelAtLeast "5.17";
+  };
+
+  # Update note:
+  # If you add a legacy driver here, also update `top-level/linux-kernels.nix`,
+  # adding to the `nvidia_x11_legacy*` entries.
+
+  # Last one supporting Kepler architecture
+  legacy_470 = generic {
+      version = "470.141.03";
+      sha256_64bit = "sha256-vpjSR6Q9dJGmW/3Jl/tlMeFZQ0brEqD6qgRGcs21cJ8=";
+      settingsSha256 = "sha256-OWSUmUBqAxsR3e6EPzcIotpd6nm4Le8hIj4pzJ5WnhE=";
+      persistencedSha256 = "sha256-XsGYGgucDhvPpqtM9IBLfo3tbn7sIobpo5JW/XqOkTo=";
+  };
+
+  # Last one supporting x86
+  legacy_390 = generic {
+    version = "390.154";
+    sha256_32bit = "sha256-XuhxuEvZ8o4iW3o+Xxvh+eLQBn83uNa40MJRcC8G0+c=";
+    sha256_64bit = "sha256-9EICgMVSEJZMAI1bck8mFYRdR61MnAXY7SamL8YzH3w=";
+    settingsSha256 = "sha256-iNT6//EvtasivDfXPY6j6OrpymbslO/q45uKd5smFUw=";
+    persistencedSha256 = "sha256-y+MkudjQBkuVzHrY/rh7IGRN8VjLsJQ3a+fYDXdrzzk=";
+
+    broken = kernel.kernelAtLeast "5.18";
+
+    patches =
+      let patch390 = o:
+        (lib.optional ((lib.versions.majorMinor kernel.modDirVersion) == o.version) (fetchpatch {
+          inherit (o) sha256;
+          url = "https://gitlab.com/herecura/packages/nvidia-390xx-dkms/-/raw/herecura/kernel-${o.version}.patch";
+        }));
+      in
+        []
+        ++ (patch390 {
+          version = "5.18";
+          sha256 = "sha256-A6itoozgDWmXKQAU0D8bT2vUaZqh5G5Tg3d3E+CLOTs=";
+        })
+      ;
+  };
+
+  legacy_340 = generic {
+    version = "340.108";
+    sha256_32bit = "1jkwa1phf0x4sgw8pvr9d6krmmr3wkgwyygrxhdazwyr2bbalci0";
+    sha256_64bit = "06xp6c0sa7v1b82gf0pq0i5p0vdhmm3v964v0ypw36y0nzqx8wf6";
+    settingsSha256 = "0zm29jcf0mp1nykcravnzb5isypm8l8mg2gpsvwxipb7nk1ivy34";
+    persistencedSha256 = "1ax4xn3nmxg1y6immq933cqzw6cj04x93saiasdc0kjlv0pvvnkn";
+    useGLVND = false;
+
+    broken = kernel.kernelAtLeast "5.5";
+    patches = [ ./vm_operations_struct-fault.patch ];
+  };
+}
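Review bot: The `patch390` helper in `legacy_390` fetches its kernel-compatibility patch from `.../-/raw/herecura/kernel-${o.version}.patch`, where `herecura` looks like a branch name in a third-party packaging repository rather than a fixed revision. The `sha256` stops the content from changing silently, but the build breaks as soon as the branch moves. Whoever refreshes the hash then has no commit to diff against, for code that is compiled into a kernel module. I would pin the URL to an audited commit, `url = "https://gitlab.com/herecura/packages/nvidia-390xx-dkms/-/raw/REVIEWED_COMMIT_SHA/kernel-${o.version}.patch";`, with `REVIEWED_COMMIT_SHA` as a placeholder. The three hashes under `latest` also lack the `sha256-` prefix that the neighbouring entries use; a uniform format makes hash review easier.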
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/generic.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/generic.nix
new file mode 100644
index 000000000000..d6dcc7ad6cd0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/generic.nix
@@ -0,0 +1,131 @@
+{ version
+, url ? null
+, sha256_32bit ? null
+, sha256_64bit
+, openSha256 ? null
+, settingsSha256
+, settingsVersion ? version
+, persistencedSha256
+, persistencedVersion ? version
+, useGLVND ? true
+, useProfiles ? true
+, preferGtk2 ? false
+, settings32Bit ? false
+
+, prePatch ? ""
+, patches ? []
+, broken ? false
+}@args:
+
+{ lib, stdenv, callPackage, pkgs, pkgsi686Linux, fetchurl
+, kernel ? null, perl, nukeReferences, which
+, # Whether to build the libraries only (i.e. not the kernel module or
+  # nvidia-settings).  Used to support 32-bit binaries on 64-bit
+  # Linux.
+  libsOnly ? false
+, # don't include the bundled 32-bit libraries on 64-bit platforms,
+  # even if it’s in downloaded binary
+  disable32Bit ? false
+  # 32 bit libs only version of this package
+, lib32 ? null
+  # Whether to extract the GSP firmware
+, firmware ? openSha256 != null
+}:
+
+with lib;
+
+assert !libsOnly -> kernel != null;
+assert versionOlder version "391" -> sha256_32bit != null;
+
+let
+  nameSuffix = optionalString (!libsOnly) "-${kernel.version}";
+  pkgSuffix = optionalString (versionOlder version "304") "-pkg0";
+  i686bundled = versionAtLeast version "391" && !disable32Bit;
+
+  libPathFor = pkgs: lib.makeLibraryPath (with pkgs; [
+    libdrm xorg.libXext xorg.libX11
+    xorg.libXv xorg.libXrandr xorg.libxcb zlib stdenv.cc.cc
+    wayland mesa libGL
+  ]);
+
+  self = stdenv.mkDerivation {
+    name = "nvidia-x11-${version}${nameSuffix}";
+
+    builder = ./builder.sh;
+
+    src =
+      if stdenv.hostPlatform.system == "x86_64-linux" then
+        fetchurl {
+          url = args.url or "https://us.download.nvidia.com/XFree86/Linux-x86_64/${version}/NVIDIA-Linux-x86_64-${version}${pkgSuffix}.run";
+          sha256 = sha256_64bit;
+        }
+      else if stdenv.hostPlatform.system == "i686-linux" then
+        fetchurl {
+          url = args.url or "https://download.nvidia.com/XFree86/Linux-x86/${version}/NVIDIA-Linux-x86-${version}${pkgSuffix}.run";
+          sha256 = sha256_32bit;
+        }
+      else throw "nvidia-x11 does not support platform ${stdenv.hostPlatform.system}";
+
+    patches = if libsOnly then null else patches;
+    inherit prePatch;
+    inherit version useGLVND useProfiles;
+    inherit (stdenv.hostPlatform) system;
+    inherit i686bundled;
+
+    outputs = [ "out" ]
+        ++ optional i686bundled "lib32"
+        ++ optional (!libsOnly) "bin"
+        ++ optional (!libsOnly && firmware) "firmware";
+    outputDev = if libsOnly then null else "bin";
+
+    kernel = if libsOnly then null else kernel.dev;
+    kernelVersion = if libsOnly then null else kernel.modDirVersion;
+
+    makeFlags = optionals (!libsOnly) (kernel.makeFlags ++ [
+      "IGNORE_PREEMPT_RT_PRESENCE=1"
+      "NV_BUILD_SUPPORTS_HMM=1"
+      "SYSSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
+      "SYSOUT=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    ]);
+
+    hardeningDisable = [ "pic" "format" ];
+
+    dontStrip = true;
+    dontPatchELF = true;
+
+    libPath = libPathFor pkgs;
+    libPath32 = optionalString i686bundled (libPathFor pkgsi686Linux);
+
+    buildInputs = [ which ];
+    nativeBuildInputs = [ perl nukeReferences ]
+      ++ optionals (!libsOnly) kernel.moduleBuildDependencies;
+
+    disallowedReferences = optional (!libsOnly) [ kernel.dev ];
+
+    passthru = {
+      open = mapNullable (hash: callPackage ./open.nix {
+        inherit hash broken;
+        nvidia_x11 = self;
+      }) openSha256;
+      settings = (if settings32Bit then pkgsi686Linux.callPackage else callPackage) (import ./settings.nix self settingsSha256) {
+        withGtk2 = preferGtk2;
+        withGtk3 = !preferGtk2;
+      };
+      persistenced = mapNullable (hash: callPackage (import ./persistenced.nix self hash) { }) persistencedSha256;
+      inherit persistencedVersion settingsVersion;
+    } // optionalAttrs (!i686bundled) {
+      inherit lib32;
+    };
+
+    meta = with lib; {
+      homepage = "https://www.nvidia.com/object/unix.html";
+      description = "X.org driver and kernel module for NVIDIA graphics cards";
+      license = licenses.unfreeRedistributable;
+      platforms = [ "x86_64-linux" ] ++ optionals (!i686bundled) [ "i686-linux" ];
+      maintainers = with maintainers; [ jonringer ];
+      priority = 4; # resolves collision with xorg-server's "lib/xorg/modules/extensions/libglx.so"
+      inherit broken;
+    };
+  };
+
+in self
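Review bot: `disallowedReferences = optional (!libsOnly) [ kernel.dev ];` wraps a list in `optional`, which yields the nested list `[ [ kernel.dev ] ]`. It probably still works because list attributes are flattened when the derivation is built, but `optionals` is what is meant, as on the `nativeBuildInputs` line just above: `disallowedReferences = optionals (!libsOnly) [ kernel.dev ];`. This attribute is the check that keeps the kernel build tree out of the driver's runtime closure, so it should not depend on a coercion detail. `hardeningDisable = [ "pic" "format" ]` also carries no comment on why each flag is dropped; a one-line reason per flag would let a later reader judge whether it is still needed.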
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/open.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/open.nix
new file mode 100644
index 000000000000..3e21dade83ae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/open.nix
@@ -0,0 +1,40 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, kernel
+, nvidia_x11
+, hash
+, broken ? false
+}:
+
+stdenv.mkDerivation {
+  pname = "nvidia-open";
+  version = "${kernel.version}-${nvidia_x11.version}";
+
+  src = fetchFromGitHub {
+    owner = "NVIDIA";
+    repo = "open-gpu-kernel-modules";
+    rev = nvidia_x11.version;
+    inherit hash;
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "SYSSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
+    "SYSOUT=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "MODLIB=$(out)/lib/modules/${kernel.modDirVersion}"
+  ];
+
+  installTargets = [ "modules_install" ];
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "NVIDIA Linux Open GPU Kernel Module";
+    homepage = "https://github.com/NVIDIA/open-gpu-kernel-modules";
+    license = with licenses; [ gpl2Plus mit ];
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ nickcao ];
+    inherit broken;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/persistenced.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
new file mode 100644
index 000000000000..5276dfd2aff4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
@@ -0,0 +1,48 @@
+nvidia_x11: sha256:
+
+{ stdenv
+, lib
+, fetchFromGitHub
+, m4
+, libtirpc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "nvidia-persistenced";
+  version = nvidia_x11.persistencedVersion;
+
+  src = fetchFromGitHub {
+    owner = "NVIDIA";
+    repo = "nvidia-persistenced";
+    rev = nvidia_x11.persistencedVersion;
+    inherit sha256;
+  };
+
+  nativeBuildInputs = [ m4 ];
+  buildInputs = [ libtirpc ];
+
+  inherit (nvidia_x11) makeFlags;
+
+  installFlags = [ "PREFIX=$(out)" ];
+
+  postFixup = ''
+    # Save a copy of persistenced for mounting in containers
+    mkdir $out/origBin
+    cp $out/{bin,origBin}/nvidia-persistenced
+    patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 $out/origBin/nvidia-persistenced
+
+    patchelf --set-rpath "$(patchelf --print-rpath $out/bin/nvidia-persistenced):${nvidia_x11}/lib" \
+      $out/bin/nvidia-persistenced
+  '';
+
+  NIX_CFLAGS_COMPILE = [ "-I${libtirpc.dev}/include/tirpc" ];
+  NIX_LDFLAGS = [ "-ltirpc" ];
+
+  meta = with lib; {
+    homepage = "https://www.nvidia.com/object/unix.html";
+    description = "Settings application for NVIDIA graphics cards";
+    license = licenses.unfreeRedistributable;
+    platforms = nvidia_x11.meta.platforms;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
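Review bot: The `origBin` copy in `postFixup` is patched with the hard-coded loader `/lib64/ld-linux-x86-64.so.2`. Meanwhile `platforms` is inherited from `nvidia_x11.meta.platforms`, which generic.nix extends with `i686-linux` for driver versions without bundled 32-bit libraries. On such a build the copy kept for containers would get an interpreter for the wrong architecture. Either choose the loader path from `stdenv.hostPlatform` or limit the `origBin` step to x86_64. `meta.description` is also carried over from settings.nix and still reads "Settings application for NVIDIA graphics cards"; something like `description = "NVIDIA persistence daemon";` fits this package.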
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/settings.nix b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/settings.nix
new file mode 100644
index 000000000000..884ccdd6c52d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/settings.nix
@@ -0,0 +1,116 @@
+nvidia_x11: sha256:
+
+{ stdenv, lib, fetchFromGitHub, fetchpatch, pkg-config, m4, jansson, gtk2, dbus, gtk3
+, libXv, libXrandr, libXext, libXxf86vm, libvdpau
+, librsvg, wrapGAppsHook
+, withGtk2 ? false, withGtk3 ? true
+}:
+
+let
+  src = fetchFromGitHub {
+    owner = "NVIDIA";
+    repo = "nvidia-settings";
+    rev = nvidia_x11.settingsVersion;
+    inherit sha256;
+  };
+
+  libXNVCtrl = stdenv.mkDerivation {
+    pname = "libXNVCtrl";
+    version = nvidia_x11.settingsVersion;
+    inherit src;
+
+    buildInputs = [ libXrandr libXext ];
+
+    preBuild = ''
+      cd src/libXNVCtrl
+    '';
+
+    makeFlags = nvidia_x11.makeFlags ++ [
+      "OUTPUTDIR=." # src/libXNVCtrl
+    ];
+
+    installPhase = ''
+      mkdir -p $out/lib
+      mkdir -p $out/include/NVCtrl
+
+      cp libXNVCtrl.a $out/lib
+      cp NVCtrl.h     $out/include/NVCtrl
+      cp NVCtrlLib.h  $out/include/NVCtrl
+    '';
+  };
+
+in
+
+stdenv.mkDerivation {
+  pname = "nvidia-settings";
+  version = nvidia_x11.settingsVersion;
+
+  inherit src;
+
+  patches = lib.optional (lib.versionOlder nvidia_x11.settingsVersion "440")
+    (fetchpatch {
+      # fixes "multiple definition of `VDPAUDeviceFunctions'" linking errors
+      url = "https://github.com/NVIDIA/nvidia-settings/commit/a7c1f5fce6303a643fadff7d85d59934bd0cf6b6.patch";
+      hash = "sha256-ZwF3dRTYt/hO8ELg9weoz1U/XcU93qiJL2d1aq1Jlak=";
+    });
+
+  postPatch = lib.optionalString nvidia_x11.useProfiles ''
+    sed -i 's,/usr/share/nvidia/,${nvidia_x11.bin}/share/nvidia/,g' src/gtk+-2.x/ctkappprofile.c
+  '';
+
+  enableParallelBuilding = true;
+  makeFlags = nvidia_x11.makeFlags ++ [ "NV_USE_BUNDLED_LIBJANSSON=0" ];
+
+  preBuild = ''
+    if [ -e src/libXNVCtrl/libXNVCtrl.a ]; then
+      ( cd src/libXNVCtrl
+        make $makeFlags
+      )
+    fi
+  '';
+
+  nativeBuildInputs = [ pkg-config m4 ];
+
+  buildInputs = [ jansson libXv libXrandr libXext libXxf86vm libvdpau nvidia_x11 gtk2 dbus ]
+             ++ lib.optionals withGtk3 [ gtk3 librsvg wrapGAppsHook ];
+
+  installFlags = [ "PREFIX=$(out)" ];
+
+  postInstall = ''
+    ${lib.optionalString (!withGtk2) ''
+      rm -f $out/lib/libnvidia-gtk2.so.*
+    ''}
+    ${lib.optionalString (!withGtk3) ''
+      rm -f $out/lib/libnvidia-gtk3.so.*
+    ''}
+
+    # Install the desktop file and icon.
+    # The template has substitution variables intended to be replaced resulting
+    # in absolute paths. Because absolute paths break after the desktop file is
+    # copied by a desktop environment, make Exec and Icon be just a name.
+    sed -i doc/nvidia-settings.desktop \
+      -e "s|^Exec=.*$|Exec=nvidia-settings|" \
+      -e "s|^Icon=.*$|Icon=nvidia-settings|" \
+      -e "s|__NVIDIA_SETTINGS_DESKTOP_CATEGORIES__|Settings|g"
+    install doc/nvidia-settings.desktop -D -t $out/share/applications/
+    install doc/nvidia-settings.png -D -t $out/share/icons/hicolor/128x128/apps/
+  '';
+
+  binaryName = if withGtk3 then ".nvidia-settings-wrapped" else "nvidia-settings";
+  postFixup = ''
+    patchelf --set-rpath "$(patchelf --print-rpath $out/bin/$binaryName):$out/lib:${libXv}/lib" \
+      $out/bin/$binaryName
+  '';
+
+  passthru = {
+    inherit libXNVCtrl;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.nvidia.com/object/unix.html";
+    description = "Settings application for NVIDIA graphics cards";
+    license = licenses.unfreeRedistributable;
+    platforms = nvidia_x11.meta.platforms;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
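Review bot: `wrapGAppsHook` is listed under `buildInputs` (in the `withGtk3` branch) although it is a build-time setup hook, and `gtk2` stays a build input even when `withGtk2` is false. I would move the hook with `nativeBuildInputs = [ pkg-config m4 ] ++ lib.optionals withGtk3 [ wrapGAppsHook ];` and, if the upstream Makefile allows it, make `gtk2` conditional in the same way. `postPatch` rewrites `/usr/share/nvidia/` only in `src/gtk+-2.x/ctkappprofile.c`; a short comment saying whether the GTK 3 build compiles that same file would show the profile path is fixed for both front ends.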
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidia-x11/vm_operations_struct-fault.patch b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/vm_operations_struct-fault.patch
new file mode 100644
index 000000000000..6ce5c1205e2d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidia-x11/vm_operations_struct-fault.patch
@@ -0,0 +1,31 @@
+https://devtalk.nvidia.com/default/topic/1025051/fully-working-patches-2-of-them-for-nvidia-driver-340-104-compiler-installer-file-and-linux-kernels-4-13-amp-4-14/?offset=5
+--- a/kernel/uvm/nvidia_uvm_lite.c
++++ b/kernel/uvm/nvidia_uvm_lite.c
+@@ -818,8 +818,15 @@ done:
+ }
+
+ #if defined(NV_VM_OPERATIONS_STRUCT_HAS_FAULT)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 11, 0)
+ int _fault(struct vm_area_struct *vma, struct vm_fault *vmf)
++#else
++int _fault(struct vm_fault *vmf)
++#endif
+ {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
++    struct vm_area_struct *vma = vmf->vma;
++#endif
+ #if defined(NV_VM_FAULT_HAS_ADDRESS)
+     unsigned long vaddr = vmf->address;
+ #else
+@@ -866,7 +873,11 @@ static struct vm_operations_struct uvmlite_vma_ops =
+ // it's dealing with anonymous mapping (see handle_pte_fault).
+ //
+ #if defined(NV_VM_OPERATIONS_STRUCT_HAS_FAULT)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 11, 0)
+ int _sigbus_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
++#else
++int _sigbus_fault(struct vm_fault *vmf)
++#endif
+ {
+     vmf->page = NULL;
+     return VM_FAULT_SIGBUS;
diff --git a/nixpkgs/pkgs/os-specific/linux/nvidiabl/default.nix b/nixpkgs/pkgs/os-specific/linux/nvidiabl/default.nix
new file mode 100644
index 000000000000..0f4d485a4edc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvidiabl/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "nvidiabl-${version}-${kernel.version}";
+  version = "2020-10-01";
+
+  # We use a fork which adds support for newer kernels -- upstream has been abandoned.
+  src = fetchFromGitHub {
+    owner = "yorickvP";
+    repo = "nvidiabl";
+    rev = "9e21bdcb7efedf29450373a2e9ff2913d1b5e3ab";
+    sha256 = "1z57gbnayjid2jv782rpfpp13qdchmbr1vr35g995jfnj624nlgy";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preConfigure = ''
+    sed -i 's|/sbin/depmod|#/sbin/depmod|' Makefile
+  '';
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "DESTDIR=$(out)"
+    "KVER=${kernel.modDirVersion}"
+  ];
+
+  meta = with lib; {
+    description = "Linux driver for setting the backlight brightness on laptops using NVIDIA GPU";
+    homepage = "https://github.com/yorickvP/nvidiabl";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = with maintainers; [ yorickvp ];
+    broken = kernel.kernelAtLeast "5.18";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nvme-cli/default.nix b/nixpkgs/pkgs/os-specific/linux/nvme-cli/default.nix
new file mode 100644
index 000000000000..c7819afe3ef4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvme-cli/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config
+, libuuid
+}:
+
+stdenv.mkDerivation rec {
+  pname = "nvme-cli";
+  version = "1.16";
+
+  src = fetchFromGitHub {
+    owner = "linux-nvme";
+    repo = "nvme-cli";
+    rev = "v${version}";
+    sha256 = "sha256-/wDQxsN1sji56zfcvqx02iciYnyxjIbL85bNaRwrHYw=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libuuid ];
+
+  makeFlags = [ "DESTDIR=$(out)" "PREFIX=" ];
+
+  # To omit the hostnqn and hostid files that are impure and should be unique
+  # for each target host:
+  installTargets = [ "install-spec" ];
+
+  meta = with lib; {
+    inherit (src.meta) homepage; # https://nvmexpress.org/
+    description = "NVM-Express user space tooling for Linux";
+    longDescription = ''
+      NVM-Express is a fast, scalable host controller interface designed to
+      address the needs for not only PCI Express based solid state drives, but
+      also NVMe-oF(over fabrics).
+      This nvme program is a user space utility to provide standards compliant
+      tooling for NVM-Express drives. It was made specifically for Linux as it
+      relies on the IOCTLs defined by the mainline kernel driver.
+    '';
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mic92 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/nvmet-cli/default.nix b/nixpkgs/pkgs/os-specific/linux/nvmet-cli/default.nix
new file mode 100644
index 000000000000..4196efeae672
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/nvmet-cli/default.nix
@@ -0,0 +1,25 @@
+{ lib, python3Packages, fetchurl }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "nvmet-cli";
+  version = "0.7";
+
+  src = fetchurl {
+    url = "ftp://ftp.infradead.org/pub/nvmetcli/nvmetcli-${version}.tar.gz";
+    sha256 = "051y1b9w46azy35118154c353v3mhjkdzh6h59brdgn5054hayj2";
+  };
+
+  buildInputs = with python3Packages; [ nose2 ];
+
+  propagatedBuildInputs = with python3Packages; [ configshell ];
+
+  # This package requires the `nvmet` kernel module to be loaded for tests.
+  doCheck = false;
+
+  meta = with lib; {
+    description = "NVMe target CLI";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ hoverbear ];
+  };
+}
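Review bot: `src` is fetched over plain `ftp://`, which is unauthenticated and unencrypted. The `sha256` pins the content, so a tampered tarball fails the build rather than being used. But anyone who later refreshes the hash over the same channel has nothing to check the new tarball against. If upstream publishes the release over HTTPS or in a git repository, that source should be used instead. `nose2` is only a test dependency and `doCheck = false`, so it can move from `buildInputs` to `checkInputs` or be dropped.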
diff --git a/nixpkgs/pkgs/os-specific/linux/ocf-resource-agents/default.nix b/nixpkgs/pkgs/os-specific/linux/ocf-resource-agents/default.nix
new file mode 100644
index 000000000000..8d7f2b527144
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ocf-resource-agents/default.nix
@@ -0,0 +1,63 @@
+# This combines together OCF definitions from other derivations.
+# https://github.com/ClusterLabs/resource-agents/blob/master/doc/dev-guides/ra-dev-guide.asc
+{ stdenv
+, lib
+, runCommand
+, lndir
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, glib
+, drbd
+, pacemaker
+}:
+
+let
+  drbdForOCF = drbd.override {
+    forOCF = true;
+  };
+  pacemakerForOCF = pacemaker.override {
+    forOCF = true;
+  };
+
+  resource-agentsForOCF = stdenv.mkDerivation rec {
+    pname = "resource-agents";
+    version = "4.10.0";
+
+    src = fetchFromGitHub {
+      owner = "ClusterLabs";
+      repo = pname;
+      rev = "v${version}";
+      sha256 = "0haryi3yrszdfpqnkfnppxj1yiy6ipah6m80snvayc7v0ss0wnir";
+    };
+
+    nativeBuildInputs = [
+      autoreconfHook
+      pkg-config
+    ];
+
+    buildInputs = [
+      glib
+      python3
+    ];
+
+    meta = with lib; {
+      homepage = "https://github.com/ClusterLabs/resource-agents";
+      description = "Combined repository of OCF agents from the RHCS and Linux-HA projects";
+      license = licenses.gpl2Plus;
+      platforms = platforms.linux;
+      maintainers = with maintainers; [ ryantm astro ];
+    };
+  };
+
+in
+
+# This combines together OCF definitions from other derivations.
+# https://github.com/ClusterLabs/resource-agents/blob/master/doc/dev-guides/ra-dev-guide.asc
+runCommand "ocf-resource-agents" {} ''
+  mkdir -p $out/usr/lib/ocf
+  ${lndir}/bin/lndir -silent "${resource-agentsForOCF}/lib/ocf/" $out/usr/lib/ocf
+  ${lndir}/bin/lndir -silent "${drbdForOCF}/usr/lib/ocf/" $out/usr/lib/ocf
+  ${lndir}/bin/lndir -silent "${pacemakerForOCF}/usr/lib/ocf/" $out/usr/lib/ocf
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix b/nixpkgs/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix
new file mode 100644
index 000000000000..75f210f4c228
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, go-md2man
+, installShellFiles
+, pkg-config
+, bcc
+, libseccomp
+}:
+
+buildGoModule rec {
+  pname = "oci-seccomp-bpf-hook";
+  version = "1.2.6";
+  src = fetchFromGitHub {
+    owner = "containers";
+    repo = "oci-seccomp-bpf-hook";
+    rev = "v${version}";
+    sha256 = "sha256-+HGVxPBCPIdFwzZf3lFE0MWA2xMKsHQkfDo4zyNgzpg=";
+  };
+  vendorSha256 = null;
+
+  outputs = [ "out" "man" ];
+  nativeBuildInputs = [
+    go-md2man
+    installShellFiles
+    pkg-config
+  ];
+  buildInputs = [
+    bcc
+    libseccomp
+  ];
+
+  checkPhase = ''
+    go test -v ./...
+  '';
+
+  buildPhase = ''
+    make
+  '';
+
+  postBuild = ''
+    substituteInPlace oci-seccomp-bpf-hook.json --replace HOOK_BIN_DIR "$out/bin"
+  '';
+
+  installPhase = ''
+    install -Dm755 bin/* -t $out/bin
+    install -Dm644 oci-seccomp-bpf-hook.json -t $out
+    installManPage docs/*.[1-9]
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/containers/oci-seccomp-bpf-hook";
+    description = ''
+      OCI hook to trace syscalls and generate a seccomp profile
+    '';
+    license = licenses.asl20;
+    maintainers = with maintainers; [ saschagrunert ];
+    platforms = platforms.linux;
+  };
+}
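Review bot: The `postBuild` substitution of `HOOK_BIN_DIR` looks like it never runs, because `buildPhase` is overridden with a bare `make` and stdenv hooks only fire when the phase script calls `runHook`. If so, the `oci-seccomp-bpf-hook.json` installed to `$out` still contains the literal `HOOK_BIN_DIR` instead of the store path of the hook binary. I would write the phase as `runHook preBuild`, `make`, `runHook postBuild`, or move the `substituteInPlace` into `installPhase`, which already handles the JSON. `checkPhase` and `installPhase` have the same missing `runHook` calls.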
diff --git a/nixpkgs/pkgs/os-specific/linux/odp-dpdk/default.nix b/nixpkgs/pkgs/os-specific/linux/odp-dpdk/default.nix
new file mode 100644
index 000000000000..a9dac153b15d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/odp-dpdk/default.nix
@@ -0,0 +1,53 @@
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config
+, dpdk, libbpf, libconfig, libpcap, numactl, openssl, zlib, libbsd, libelf, jansson
+}: let
+  dpdk_19_11 = dpdk.overrideAttrs (old: rec {
+    version = "19.11.12";
+    src = fetchurl {
+      url = "https://fast.dpdk.org/rel/dpdk-${version}.tar.xz";
+      sha256 = "sha256-F9m2+MZi3n0psPIwjWwhiIbbNkoGlxqtru2OlV7TbzQ=";
+    };
+    mesonFlags = old.mesonFlags ++ [
+      "-Denable_docs=false"
+    ];
+  });
+
+in stdenv.mkDerivation rec {
+  pname = "odp-dpdk";
+  version = "1.35.0.0_DPDK_19.11";
+
+  src = fetchurl {
+    url = "https://git.linaro.org/lng/odp-dpdk.git/snapshot/${pname}-${version}.tar.gz";
+    sha256 = "sha256-R4cRfz0uUDbeQmJfFSIAmq3KfD6CE9hIW2yvFqL+b0M=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+  ];
+  buildInputs = [
+    dpdk_19_11
+    libconfig
+    libpcap
+    numactl
+    openssl
+    zlib
+    libbsd
+    libelf
+    jansson
+    libbpf
+  ];
+
+  # binaries will segfault otherwise
+  dontStrip = true;
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Open Data Plane optimized for DPDK";
+    homepage = "https://www.opendataplane.org";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.abuibrahim ];
+  };
+}
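Review bot: The `dpdk_19_11` override has no comment saying why this package builds its own DPDK 19.11.12 instead of using the `dpdk` argument, or when the pin can be dropped. Because `version` and `src` are replaced wholesale, updates to the shared `dpdk` attribute will not reach this copy, so it needs its own review when DPDK fixes are released. A short comment above the `let` binding would do, for example `# odp-dpdk releases are tied to a DPDK series (see version suffix _DPDK_19.11); bump together with upstream`. The `dontStrip` comment would also benefit from a pointer to the upstream report, if one exists.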
diff --git a/nixpkgs/pkgs/os-specific/linux/open-iscsi/default.nix b/nixpkgs/pkgs/os-specific/linux/open-iscsi/default.nix
new file mode 100644
index 000000000000..32b3e636ac56
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/open-iscsi/default.nix
@@ -0,0 +1,62 @@
+{ lib, stdenv, fetchFromGitHub, automake, autoconf, libtool, gettext
+, util-linux, open-isns, openssl, kmod, perl, systemd, pkgconf, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "open-iscsi";
+  version = "2.1.7";
+
+  nativeBuildInputs = [ autoconf automake gettext libtool perl pkgconf ];
+  buildInputs = [ kmod open-isns.lib openssl systemd util-linux ];
+
+  src = fetchFromGitHub {
+    owner = "open-iscsi";
+    repo = "open-iscsi";
+    rev = version;
+    sha256 = "sha256-R1ttHHxVSQ5TGtWVy4I9BAmEJfcRhKRD5jThoeddjUw=";
+  };
+
+  DESTDIR = "$(out)";
+
+  NIX_LDFLAGS = "-lkmod -lsystemd";
+  NIX_CFLAGS_COMPILE = "-DUSE_KMOD";
+
+  preConfigure = ''
+    # Remove blanket -Werror. Fails for minor error on gcc-11.
+    substituteInPlace usr/Makefile --replace ' -Werror ' ' '
+  '';
+
+  # avoid /usr/bin/install
+  makeFlags = [
+    "INSTALL=install"
+    "SED=sed"
+    "prefix=/"
+    "manprefix=/share"
+  ];
+
+  installFlags = [
+    "install"
+  ];
+
+  postInstall = ''
+    cp usr/iscsistart $out/sbin/
+    for f in $out/lib/systemd/system/*; do
+      substituteInPlace $f --replace /sbin $out/bin
+    done
+    $out/sbin/iscsistart -v
+  '';
+
+  postFixup = ''
+    sed -i "s|/sbin/iscsiadm|$out/bin/iscsiadm|" $out/bin/iscsi_fw_login
+  '';
+
+  passthru.tests = { inherit (nixosTests) iscsi-root iscsi-multipath-root; };
+
+  meta = with lib; {
+    description = "A high performance, transport independent, multi-platform implementation of RFC3720";
+    license = licenses.gpl2Plus;
+    homepage = "https://www.open-iscsi.com";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ cleverca22 zaninime ];
+  };
+}
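Review bot: `--replace /sbin $out/bin` in the `postInstall` loop is a plain substring replacement, so a unit-file path that only contains `/sbin` (such as `/usr/sbin/...`) would be rewritten into a path that does not exist. The unit files are not visible here, so this may not bite today, but naming the binaries is safer across upstream changes, e.g. `--replace /sbin/iscsiadm $out/bin/iscsiadm` as `postFixup` already does for `iscsi_fw_login`. `$f` should also be quoted. Separately, `$out/sbin/iscsistart -v` executes the freshly built binary during the build, which deserves a comment saying it is a smoke test and will not work when the host platform cannot run on the builder.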
diff --git a/nixpkgs/pkgs/os-specific/linux/open-isns/default.nix b/nixpkgs/pkgs/os-specific/linux/open-isns/default.nix
new file mode 100644
index 000000000000..3f939024a48f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/open-isns/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, openssl, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "open-isns";
+  version = "0.101";
+
+  src = fetchFromGitHub {
+    owner = "open-iscsi";
+    repo = "open-isns";
+    rev = "v${version}";
+    sha256 = "1g7kp1j2f8afsach6sbl4k05ybz1yz2s8yg073bv4gnv48gyxb2p";
+  };
+
+  propagatedBuildInputs = [ openssl ];
+  outputs = [ "out" "lib" ];
+  outputInclude = "lib";
+
+  configureFlags = [ "--enable-shared" ];
+
+  installFlags = [ "etcdir=$(out)/etc" "vardir=$(out)/var/lib/isns" ];
+  installTargets = [ "install" "install_hdrs" "install_lib" ];
+
+  meta = with lib; {
+    description = "iSNS server and client for Linux";
+    license = licenses.lgpl21Only;
+    homepage = "https://github.com/open-iscsi/open-isns";
+    platforms = platforms.linux;
+    maintainers = [ maintainers.markuskowa ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh b/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh
new file mode 100644
index 000000000000..cd21899e60e7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh
@@ -0,0 +1,16 @@
+source $stdenv/setup
+
+mkdir -p $out/lib
+
+ln -s /usr/lib/libGL.so.1 $out/lib/
+ln -s /usr/lib/libGLU.so.1 $out/lib/
+ln -s /usr/lib/libGLcore.so.1 $out/lib/
+ln -s /usr/lib/tls/libnvidia-tls.so.1 $out/lib/
+#ln -s /usr/lib/libdrm.so.2 $out/lib/
+
+for i in $neededLibs; do
+    ln -s $i/lib/*.so* $out/lib/
+done
+
+
+
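Review bot: The four `ln -s /usr/lib/...` lines have no comment in this file, and nothing checks that the targets exist, so the output can consist of dangling links. The links point outside the store, so whatever sits at those host paths when an application starts is what gets loaded, and none of it is covered by the derivation's hash. I would add a comment above the first `ln`, such as `# Impure on purpose: links to the host distribution's GL driver; targets are not part of the closure and may be missing`. `$out` and `$i` are unquoted as well.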
diff --git a/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/default.nix b/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/default.nix
new file mode 100644
index 000000000000..b7f1b6574404
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/opengl/xorg-sys/default.nix
@@ -0,0 +1,21 @@
+# This is a very dirty hack to allow hardware acceleration of OpenGL
+# applications for most (?) users.  It will use the driver that your
+# Linux distribution installed in /usr/lib/libGL.so.1.  Hopefully,
+# this driver uses hardware acceleration.
+#
+# Of course, use of the driver in /usr/lib is highly impure.  But it
+# might actually work ;-)
+
+{lib, stdenv, xorg, expat, libdrm}:
+
+stdenv.mkDerivation {
+  pname = "xorg-sys-opengl";
+  version = "3";
+  builder = ./builder.sh;
+  neededLibs = map (p: p.out)
+    [xorg.libXxf86vm xorg.libXext expat libdrm stdenv.cc.cc];
+
+  meta = {
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/openrazer/driver.nix b/nixpkgs/pkgs/os-specific/linux/openrazer/driver.nix
new file mode 100644
index 000000000000..f98fe5cfc743
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/openrazer/driver.nix
@@ -0,0 +1,50 @@
+{ coreutils
+, fetchFromGitHub
+, kernel
+, stdenv
+, lib
+, util-linux
+}:
+
+let
+  common = import ../../../development/python-modules/openrazer/common.nix { inherit lib fetchFromGitHub; };
+in
+stdenv.mkDerivation (common // {
+  pname = "openrazer";
+  version = "${common.version}-${kernel.version}";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    binDir="$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/hid"
+    mkdir -p "$binDir"
+    cp -v driver/*.ko "$binDir"
+    RAZER_MOUNT_OUT="$out/bin/razer_mount"
+    RAZER_RULES_OUT="$out/etc/udev/rules.d/99-razer.rules"
+    install -m 644 -v -D install_files/udev/99-razer.rules $RAZER_RULES_OUT
+    install -m 755 -v -D install_files/udev/razer_mount $RAZER_MOUNT_OUT
+    substituteInPlace $RAZER_RULES_OUT \
+      --replace razer_mount $RAZER_MOUNT_OUT \
+      --replace plugdev openrazer
+    substituteInPlace $RAZER_MOUNT_OUT \
+      --replace /usr/bin/logger ${util-linux}/bin/logger \
+      --replace chgrp ${coreutils}/bin/chgrp \
+      --replace "PATH='/sbin:/bin:/usr/sbin:/usr/bin'" "" \
+      --replace plugdev openrazer
+
+    runHook postInstall
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = common.meta // {
+    description = "An entirely open source Linux driver that allows you to manage your Razer peripherals on GNU/Linux";
+    broken = kernel.kernelOlder "4.19";
+  };
+})
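Review bot: The `--replace "PATH='/sbin:/bin:/usr/sbin:/usr/bin'" ""` on `razer_mount` removes the script's own search path, while only `logger` and `chgrp` are rewritten to absolute store paths. `razer_mount` is not visible here, but if it calls any other external command, that command is resolved from whatever environment udev provides, which matters for a script triggered from a udev rule. A comment such as `# razer_mount is run from a udev rule; every external command it uses must be listed here as an absolute store path` would make the requirement explicit. Note also that `--replace chgrp ...` and `--replace plugdev openrazer` match substrings anywhere in the file, and that `$RAZER_RULES_OUT` and `$RAZER_MOUNT_OUT` are unquoted.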
diff --git a/nixpkgs/pkgs/os-specific/linux/openvswitch/default.nix b/nixpkgs/pkgs/os-specific/linux/openvswitch/default.nix
new file mode 100644
index 000000000000..ba93b068fddc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/openvswitch/default.nix
@@ -0,0 +1,65 @@
+{ lib, stdenv, fetchurl, makeWrapper, pkg-config, util-linux, which
+, procps, libcap_ng, openssl, python3 , perl
+, kernel ? null }:
+
+with lib;
+
+let
+  _kernel = kernel;
+  pythonEnv = python3.withPackages (ps: with ps; [ six ]);
+in stdenv.mkDerivation rec {
+  version = "2.17.0";
+  pname = "openvswitch";
+
+  src = fetchurl {
+    url = "https://www.openvswitch.org/releases/${pname}-${version}.tar.gz";
+    sha256 = "sha256-4Dv6t8qC2Bp9OjbeTzkKO1IQ4/OWV2cfkih3zU6m3HM=";
+  };
+
+  kernel = optional (_kernel != null) _kernel.dev;
+
+  nativeBuildInputs = [ pkg-config makeWrapper ];
+  buildInputs = [ util-linux openssl libcap_ng pythonEnv
+                  perl procps which ];
+
+  configureFlags = [
+    "--localstatedir=/var"
+    "--sharedstatedir=/var"
+    "--sbindir=$(out)/bin"
+  ] ++ (optionals (_kernel != null) ["--with-linux"]);
+
+  # Leave /var out of this!
+  installFlags = [
+    "LOGDIR=$(TMPDIR)/dummy"
+    "RUNDIR=$(TMPDIR)/dummy"
+    "PKIDIR=$(TMPDIR)/dummy"
+  ];
+
+  postBuild = ''
+    # fix tests
+    substituteInPlace xenserver/opt_xensource_libexec_interface-reconfigure --replace '/usr/bin/env python' '${pythonEnv.interpreter}'
+    substituteInPlace vtep/ovs-vtep --replace '/usr/bin/env python' '${pythonEnv.interpreter}'
+  '';
+
+  enableParallelBuilding = true;
+  doCheck = false; # bash-completion test fails with "compgen: command not found"
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    description = "A multilayer virtual switch";
+    longDescription =
+      ''
+      Open vSwitch is a production quality, multilayer virtual switch
+      licensed under the open source Apache 2.0 license. It is
+      designed to enable massive network automation through
+      programmatic extension, while still supporting standard
+      management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
+      RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
+      support distribution across multiple physical servers similar
+      to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+      '';
+    homepage = "https://www.openvswitch.org/";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ netixx kmcopper ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/openvswitch/lts.nix b/nixpkgs/pkgs/os-specific/linux/openvswitch/lts.nix
new file mode 100644
index 000000000000..15c6c05b0613
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/openvswitch/lts.nix
@@ -0,0 +1,81 @@
+{ lib, stdenv, fetchurl, makeWrapper, pkg-config, util-linux, which
+, procps, libcap_ng, openssl, python2, perl
+, automake, autoconf, libtool, kernel ? null }:
+
+with lib;
+
+let
+  _kernel = kernel;
+in stdenv.mkDerivation rec {
+  version = "2.5.12";
+  pname = "openvswitch";
+
+  src = fetchurl {
+    url = "https://www.openvswitch.org/releases/${pname}-${version}.tar.gz";
+    sha256 = "0a8wa1lj5p28x3vq0yaxjhqmppp4hvds6hhm0j3czpp8mc09fsfq";
+  };
+
+  patches = [ ./patches/lts-ssl.patch ];
+
+  kernel = optional (_kernel != null) _kernel.dev;
+
+  nativeBuildInputs = [ autoconf libtool automake pkg-config makeWrapper ];
+  buildInputs = [ util-linux openssl libcap_ng python2 perl procps which ];
+
+  preConfigure = "./boot.sh";
+
+  configureFlags = [
+    "--localstatedir=/var"
+    "--sharedstatedir=/var"
+    "--sbindir=$(out)/bin"
+  ] ++ (optionals (_kernel != null) ["--with-linux"]);
+
+  # Leave /var out of this!
+  installFlags = [
+    "LOGDIR=$(TMPDIR)/dummy"
+    "RUNDIR=$(TMPDIR)/dummy"
+    "PKIDIR=$(TMPDIR)/dummy"
+  ];
+
+  postBuild = ''
+    # fix tests
+    substituteInPlace xenserver/opt_xensource_libexec_interface-reconfigure --replace '/usr/bin/env python' '${python2.interpreter}'
+    substituteInPlace vtep/ovs-vtep --replace '/usr/bin/env python' '${python2.interpreter}'
+  '';
+
+  enableParallelBuilding = true;
+  doCheck = false; # bash-completion test fails with "compgen: command not found"
+
+  postInstall = ''
+    cp debian/ovs-monitor-ipsec $out/share/openvswitch/scripts
+    makeWrapper \
+      $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+      $out/bin/ovs-monitor-ipsec \
+      --prefix PYTHONPATH : "$out/share/openvswitch/python"
+    substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+      --replace "UnixctlServer.create(None)" "UnixctlServer.create(os.environ['UNIXCTLPATH'])"
+    substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+      --replace "self.psk_file" "root_prefix + self.psk_file"
+    substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+      --replace "self.cert_dir" "root_prefix + self.cert_dir"
+  '';
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    description = "A multilayer virtual switch";
+    longDescription =
+      ''
+      Open vSwitch is a production quality, multilayer virtual switch
+      licensed under the open source Apache 2.0 license. It is
+      designed to enable massive network automation through
+      programmatic extension, while still supporting standard
+      management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
+      RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
+      support distribution across multiple physical servers similar
+      to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+      '';
+    homepage = "https://www.openvswitch.org/";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ netixx kmcopper ];
+  };
+}
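Review bot: The three `substituteInPlace` calls on `ovs-monitor-ipsec` in `postInstall` carry no comment, although they change where the IPsec monitor finds its control socket, its PSK file and its certificate directory. After the first one the script reads `os.environ['UNIXCTLPATH']`, which raises `KeyError` when the variable is unset, so the service that starts it has to export it. The other two assume `root_prefix` is defined wherever `self.psk_file` and `self.cert_dir` are used, and they also rewrite any assignment to those attributes, which I cannot check from this hunk. I would add a comment above the block naming the required environment and the intended prefix, for example `# ovs-monitor-ipsec: take the unixctl socket from $UNIXCTLPATH and resolve key material relative to root_prefix`.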
diff --git a/nixpkgs/pkgs/os-specific/linux/openvswitch/patches/lts-ssl.patch b/nixpkgs/pkgs/os-specific/linux/openvswitch/patches/lts-ssl.patch
new file mode 100644
index 000000000000..0d8ff5b0d523
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/openvswitch/patches/lts-ssl.patch
@@ -0,0 +1,274 @@
+diff --git a/build-aux/automake.mk b/build-aux/automake.mk
+new file mode 100644
+index 000000000..5d2657fd6
+--- /dev/null
++++ b/build-aux/automake.mk
+@@ -0,0 +1,2 @@
++EXTRA_DIST += \
++	build-aux/generate-dhparams-c 
+diff --git a/build-aux/generate-dhparams-c b/build-aux/generate-dhparams-c
+new file mode 100755
+index 000000000..bcd25e2d8
+--- /dev/null
++++ b/build-aux/generate-dhparams-c
+@@ -0,0 +1,33 @@
++#! /bin/sh -e
++
++cat <<'EOF'
++/* Generated automatically; do not modify!     -*- buffer-read-only: t -*-
++ *
++ * If you do need to regenerate this file, run "make generate-dhparams-c". */
++
++#include <config.h>
++#include "lib/dhparams.h"
++#include "lib/util.h"
++
++static int
++my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
++{
++    ovs_assert(q == NULL);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
++    dh->p = p;
++    dh->g = g;
++    return 1;
++#else
++    return DH_set0_pqg(dh, p, NULL, g);
++#endif
++}
++EOF
++(openssl dhparam -C -in lib/dh1024.pem -noout &&
++openssl dhparam -C -in lib/dh2048.pem -noout &&
++openssl dhparam -C -in lib/dh4096.pem -noout) | sed '
++    s/^static DH/DH/
++    s/\(get_dh[0-9]*\)()/\1(void)/
++    s/\(DH_set0_pqg\)/my_\1/
++    s/[ 	]*$//
++    s/	/        /g
++'
+diff --git a/lib/automake.mk b/lib/automake.mk
+index 5387d519a..804a8b7d7 100644
+--- a/lib/automake.mk
++++ b/lib/automake.mk
+@@ -399,15 +399,16 @@ lib_libopenvswitch_la_SOURCES += \
+ 	lib/route-table-bsd.c
+ endif
+ 
++.PHONY: generate-dhparams-c
+ if HAVE_OPENSSL
+-lib_libopenvswitch_la_SOURCES += lib/stream-ssl.c
+-nodist_lib_libopenvswitch_la_SOURCES += lib/dhparams.c
+-lib/dhparams.c: lib/dh1024.pem lib/dh2048.pem lib/dh4096.pem
+-	$(AM_V_GEN)(echo '#include "lib/dhparams.h"' &&                 \
+-	 openssl dhparam -C -in $(srcdir)/lib/dh1024.pem -noout &&	\
+-	 openssl dhparam -C -in $(srcdir)/lib/dh2048.pem -noout &&	\
+-	 openssl dhparam -C -in $(srcdir)/lib/dh4096.pem -noout)	\
+-	| sed 's/\(get_dh[0-9]*\)()/\1(void)/' > lib/dhparams.c.tmp &&  \
++lib_libopenvswitch_la_SOURCES += lib/stream-ssl.c lib/dhparams.c
++
++# Manually regenerates lib/dhparams.c.  Not normally necessary since
++# lib/dhparams.c is part of the repository and doesn't normally need
++# updates.
++generate-dhparams-c:
++	$(AM_V_GEN)cd $(srcdir) && \
++	build-aux/generate-dhparams-c > lib/dhparams.c.tmp && \
+ 	mv lib/dhparams.c.tmp lib/dhparams.c
+ else
+ lib_libopenvswitch_la_SOURCES += lib/stream-nossl.c
+diff --git a/lib/dhparams.c b/lib/dhparams.c
+new file mode 100644
+index 000000000..4e42efad2
+--- /dev/null
++++ b/lib/dhparams.c
+@@ -0,0 +1,192 @@
++/* Generated automatically; do not modify!     -*- buffer-read-only: t -*-
++ *
++ * If you do need to regenerate this file, run "make generate-dhparams-c". */
++
++#include <config.h>
++#include "lib/dhparams.h"
++#include "lib/util.h"
++
++static int
++my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
++{
++    ovs_assert(q == NULL);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
++    dh->p = p;
++    dh->g = g;
++    return 1;
++#else
++    return DH_set0_pqg(dh, p, NULL, g);
++#endif
++}
++#ifndef HEADER_DH_H
++# include <openssl/dh.h>
++#endif
++
++DH *get_dh1024(void)
++{
++    static unsigned char dhp_1024[] = {
++        0xF4, 0x88, 0xFD, 0x58, 0x4E, 0x49, 0xDB, 0xCD, 0x20, 0xB4,
++        0x9D, 0xE4, 0x91, 0x07, 0x36, 0x6B, 0x33, 0x6C, 0x38, 0x0D,
++        0x45, 0x1D, 0x0F, 0x7C, 0x88, 0xB3, 0x1C, 0x7C, 0x5B, 0x2D,
++        0x8E, 0xF6, 0xF3, 0xC9, 0x23, 0xC0, 0x43, 0xF0, 0xA5, 0x5B,
++        0x18, 0x8D, 0x8E, 0xBB, 0x55, 0x8C, 0xB8, 0x5D, 0x38, 0xD3,
++        0x34, 0xFD, 0x7C, 0x17, 0x57, 0x43, 0xA3, 0x1D, 0x18, 0x6C,
++        0xDE, 0x33, 0x21, 0x2C, 0xB5, 0x2A, 0xFF, 0x3C, 0xE1, 0xB1,
++        0x29, 0x40, 0x18, 0x11, 0x8D, 0x7C, 0x84, 0xA7, 0x0A, 0x72,
++        0xD6, 0x86, 0xC4, 0x03, 0x19, 0xC8, 0x07, 0x29, 0x7A, 0xCA,
++        0x95, 0x0C, 0xD9, 0x96, 0x9F, 0xAB, 0xD0, 0x0A, 0x50, 0x9B,
++        0x02, 0x46, 0xD3, 0x08, 0x3D, 0x66, 0xA4, 0x5D, 0x41, 0x9F,
++        0x9C, 0x7C, 0xBD, 0x89, 0x4B, 0x22, 0x19, 0x26, 0xBA, 0xAB,
++        0xA2, 0x5E, 0xC3, 0x55, 0xE9, 0x2F, 0x78, 0xC7
++    };
++    static unsigned char dhg_1024[] = {
++        0x02
++    };
++    DH *dh = DH_new();
++    BIGNUM *dhp_bn, *dhg_bn;
++
++    if (dh == NULL)
++        return NULL;
++    dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
++    dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
++    if (dhp_bn == NULL || dhg_bn == NULL
++            || !my_DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++        DH_free(dh);
++        BN_free(dhp_bn);
++        BN_free(dhg_bn);
++        return NULL;
++    }
++    return dh;
++}
++#ifndef HEADER_DH_H
++# include <openssl/dh.h>
++#endif
++
++DH *get_dh2048(void)
++{
++    static unsigned char dhp_2048[] = {
++        0xF6, 0x42, 0x57, 0xB7, 0x08, 0x7F, 0x08, 0x17, 0x72, 0xA2,
++        0xBA, 0xD6, 0xA9, 0x42, 0xF3, 0x05, 0xE8, 0xF9, 0x53, 0x11,
++        0x39, 0x4F, 0xB6, 0xF1, 0x6E, 0xB9, 0x4B, 0x38, 0x20, 0xDA,
++        0x01, 0xA7, 0x56, 0xA3, 0x14, 0xE9, 0x8F, 0x40, 0x55, 0xF3,
++        0xD0, 0x07, 0xC6, 0xCB, 0x43, 0xA9, 0x94, 0xAD, 0xF7, 0x4C,
++        0x64, 0x86, 0x49, 0xF8, 0x0C, 0x83, 0xBD, 0x65, 0xE9, 0x17,
++        0xD4, 0xA1, 0xD3, 0x50, 0xF8, 0xF5, 0x59, 0x5F, 0xDC, 0x76,
++        0x52, 0x4F, 0x3D, 0x3D, 0x8D, 0xDB, 0xCE, 0x99, 0xE1, 0x57,
++        0x92, 0x59, 0xCD, 0xFD, 0xB8, 0xAE, 0x74, 0x4F, 0xC5, 0xFC,
++        0x76, 0xBC, 0x83, 0xC5, 0x47, 0x30, 0x61, 0xCE, 0x7C, 0xC9,
++        0x66, 0xFF, 0x15, 0xF9, 0xBB, 0xFD, 0x91, 0x5E, 0xC7, 0x01,
++        0xAA, 0xD3, 0x5B, 0x9E, 0x8D, 0xA0, 0xA5, 0x72, 0x3A, 0xD4,
++        0x1A, 0xF0, 0xBF, 0x46, 0x00, 0x58, 0x2B, 0xE5, 0xF4, 0x88,
++        0xFD, 0x58, 0x4E, 0x49, 0xDB, 0xCD, 0x20, 0xB4, 0x9D, 0xE4,
++        0x91, 0x07, 0x36, 0x6B, 0x33, 0x6C, 0x38, 0x0D, 0x45, 0x1D,
++        0x0F, 0x7C, 0x88, 0xB3, 0x1C, 0x7C, 0x5B, 0x2D, 0x8E, 0xF6,
++        0xF3, 0xC9, 0x23, 0xC0, 0x43, 0xF0, 0xA5, 0x5B, 0x18, 0x8D,
++        0x8E, 0xBB, 0x55, 0x8C, 0xB8, 0x5D, 0x38, 0xD3, 0x34, 0xFD,
++        0x7C, 0x17, 0x57, 0x43, 0xA3, 0x1D, 0x18, 0x6C, 0xDE, 0x33,
++        0x21, 0x2C, 0xB5, 0x2A, 0xFF, 0x3C, 0xE1, 0xB1, 0x29, 0x40,
++        0x18, 0x11, 0x8D, 0x7C, 0x84, 0xA7, 0x0A, 0x72, 0xD6, 0x86,
++        0xC4, 0x03, 0x19, 0xC8, 0x07, 0x29, 0x7A, 0xCA, 0x95, 0x0C,
++        0xD9, 0x96, 0x9F, 0xAB, 0xD0, 0x0A, 0x50, 0x9B, 0x02, 0x46,
++        0xD3, 0x08, 0x3D, 0x66, 0xA4, 0x5D, 0x41, 0x9F, 0x9C, 0x7C,
++        0xBD, 0x89, 0x4B, 0x22, 0x19, 0x26, 0xBA, 0xAB, 0xA2, 0x5E,
++        0xC3, 0x55, 0xE9, 0x32, 0x0B, 0x3B
++    };
++    static unsigned char dhg_2048[] = {
++        0x02
++    };
++    DH *dh = DH_new();
++    BIGNUM *dhp_bn, *dhg_bn;
++
++    if (dh == NULL)
++        return NULL;
++    dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
++    dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
++    if (dhp_bn == NULL || dhg_bn == NULL
++            || !my_DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++        DH_free(dh);
++        BN_free(dhp_bn);
++        BN_free(dhg_bn);
++        return NULL;
++    }
++    return dh;
++}
++#ifndef HEADER_DH_H
++# include <openssl/dh.h>
++#endif
++
++DH *get_dh4096(void)
++{
++    static unsigned char dhp_4096[] = {
++        0xFA, 0x14, 0x72, 0x52, 0xC1, 0x4D, 0xE1, 0x5A, 0x49, 0xD4,
++        0xEF, 0x09, 0x2D, 0xC0, 0xA8, 0xFD, 0x55, 0xAB, 0xD7, 0xD9,
++        0x37, 0x04, 0x28, 0x09, 0xE2, 0xE9, 0x3E, 0x77, 0xE2, 0xA1,
++        0x7A, 0x18, 0xDD, 0x46, 0xA3, 0x43, 0x37, 0x23, 0x90, 0x97,
++        0xF3, 0x0E, 0xC9, 0x03, 0x50, 0x7D, 0x65, 0xCF, 0x78, 0x62,
++        0xA6, 0x3A, 0x62, 0x22, 0x83, 0xA1, 0x2F, 0xFE, 0x79, 0xBA,
++        0x35, 0xFF, 0x59, 0xD8, 0x1D, 0x61, 0xDD, 0x1E, 0x21, 0x13,
++        0x17, 0xFE, 0xCD, 0x38, 0x87, 0x9E, 0xF5, 0x4F, 0x79, 0x10,
++        0x61, 0x8D, 0xD4, 0x22, 0xF3, 0x5A, 0xED, 0x5D, 0xEA, 0x21,
++        0xE9, 0x33, 0x6B, 0x48, 0x12, 0x0A, 0x20, 0x77, 0xD4, 0x25,
++        0x60, 0x61, 0xDE, 0xF6, 0xB4, 0x4F, 0x1C, 0x63, 0x40, 0x8B,
++        0x3A, 0x21, 0x93, 0x8B, 0x79, 0x53, 0x51, 0x2C, 0xCA, 0xB3,
++        0x7B, 0x29, 0x56, 0xA8, 0xC7, 0xF8, 0xF4, 0x7B, 0x08, 0x5E,
++        0xA6, 0xDC, 0xA2, 0x45, 0x12, 0x56, 0xDD, 0x41, 0x92, 0xF2,
++        0xDD, 0x5B, 0x8F, 0x23, 0xF0, 0xF3, 0xEF, 0xE4, 0x3B, 0x0A,
++        0x44, 0xDD, 0xED, 0x96, 0x84, 0xF1, 0xA8, 0x32, 0x46, 0xA3,
++        0xDB, 0x4A, 0xBE, 0x3D, 0x45, 0xBA, 0x4E, 0xF8, 0x03, 0xE5,
++        0xDD, 0x6B, 0x59, 0x0D, 0x84, 0x1E, 0xCA, 0x16, 0x5A, 0x8C,
++        0xC8, 0xDF, 0x7C, 0x54, 0x44, 0xC4, 0x27, 0xA7, 0x3B, 0x2A,
++        0x97, 0xCE, 0xA3, 0x7D, 0x26, 0x9C, 0xAD, 0xF4, 0xC2, 0xAC,
++        0x37, 0x4B, 0xC3, 0xAD, 0x68, 0x84, 0x7F, 0x99, 0xA6, 0x17,
++        0xEF, 0x6B, 0x46, 0x3A, 0x7A, 0x36, 0x7A, 0x11, 0x43, 0x92,
++        0xAD, 0xE9, 0x9C, 0xFB, 0x44, 0x6C, 0x3D, 0x82, 0x49, 0xCC,
++        0x5C, 0x6A, 0x52, 0x42, 0xF8, 0x42, 0xFB, 0x44, 0xF9, 0x39,
++        0x73, 0xFB, 0x60, 0x79, 0x3B, 0xC2, 0x9E, 0x0B, 0xDC, 0xD4,
++        0xA6, 0x67, 0xF7, 0x66, 0x3F, 0xFC, 0x42, 0x3B, 0x1B, 0xDB,
++        0x4F, 0x66, 0xDC, 0xA5, 0x8F, 0x66, 0xF9, 0xEA, 0xC1, 0xED,
++        0x31, 0xFB, 0x48, 0xA1, 0x82, 0x7D, 0xF8, 0xE0, 0xCC, 0xB1,
++        0xC7, 0x03, 0xE4, 0xF8, 0xB3, 0xFE, 0xB7, 0xA3, 0x13, 0x73,
++        0xA6, 0x7B, 0xC1, 0x0E, 0x39, 0xC7, 0x94, 0x48, 0x26, 0x00,
++        0x85, 0x79, 0xFC, 0x6F, 0x7A, 0xAF, 0xC5, 0x52, 0x35, 0x75,
++        0xD7, 0x75, 0xA4, 0x40, 0xFA, 0x14, 0x74, 0x61, 0x16, 0xF2,
++        0xEB, 0x67, 0x11, 0x6F, 0x04, 0x43, 0x3D, 0x11, 0x14, 0x4C,
++        0xA7, 0x94, 0x2A, 0x39, 0xA1, 0xC9, 0x90, 0xCF, 0x83, 0xC6,
++        0xFF, 0x02, 0x8F, 0xA3, 0x2A, 0xAC, 0x26, 0xDF, 0x0B, 0x8B,
++        0xBE, 0x64, 0x4A, 0xF1, 0xA1, 0xDC, 0xEE, 0xBA, 0xC8, 0x03,
++        0x82, 0xF6, 0x62, 0x2C, 0x5D, 0xB6, 0xBB, 0x13, 0x19, 0x6E,
++        0x86, 0xC5, 0x5B, 0x2B, 0x5E, 0x3A, 0xF3, 0xB3, 0x28, 0x6B,
++        0x70, 0x71, 0x3A, 0x8E, 0xFF, 0x5C, 0x15, 0xE6, 0x02, 0xA4,
++        0xCE, 0xED, 0x59, 0x56, 0xCC, 0x15, 0x51, 0x07, 0x79, 0x1A,
++        0x0F, 0x25, 0x26, 0x27, 0x30, 0xA9, 0x15, 0xB2, 0xC8, 0xD4,
++        0x5C, 0xCC, 0x30, 0xE8, 0x1B, 0xD8, 0xD5, 0x0F, 0x19, 0xA8,
++        0x80, 0xA4, 0xC7, 0x01, 0xAA, 0x8B, 0xBA, 0x53, 0xBB, 0x47,
++        0xC2, 0x1F, 0x6B, 0x54, 0xB0, 0x17, 0x60, 0xED, 0x79, 0x21,
++        0x95, 0xB6, 0x05, 0x84, 0x37, 0xC8, 0x03, 0xA4, 0xDD, 0xD1,
++        0x06, 0x69, 0x8F, 0x4C, 0x39, 0xE0, 0xC8, 0x5D, 0x83, 0x1D,
++        0xBE, 0x6A, 0x9A, 0x99, 0xF3, 0x9F, 0x0B, 0x45, 0x29, 0xD4,
++        0xCB, 0x29, 0x66, 0xEE, 0x1E, 0x7E, 0x3D, 0xD7, 0x13, 0x4E,
++        0xDB, 0x90, 0x90, 0x58, 0xCB, 0x5E, 0x9B, 0xCD, 0x2E, 0x2B,
++        0x0F, 0xA9, 0x4E, 0x78, 0xAC, 0x05, 0x11, 0x7F, 0xE3, 0x9E,
++        0x27, 0xD4, 0x99, 0xE1, 0xB9, 0xBD, 0x78, 0xE1, 0x84, 0x41,
++        0xA0, 0xDF
++    };
++    static unsigned char dhg_4096[] = {
++        0x02
++    };
++    DH *dh = DH_new();
++    BIGNUM *dhp_bn, *dhg_bn;
++
++    if (dh == NULL)
++        return NULL;
++    dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
++    dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
++    if (dhp_bn == NULL || dhg_bn == NULL
++            || !my_DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
++        DH_free(dh);
++        BN_free(dhp_bn);
++        BN_free(dhg_bn);
++        return NULL;
++    }
++    return dh;
++}
diff --git a/nixpkgs/pkgs/os-specific/linux/otpw/default.nix b/nixpkgs/pkgs/os-specific/linux/otpw/default.nix
new file mode 100644
index 000000000000..14381ac68c16
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/otpw/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl, pam }:
+
+stdenv.mkDerivation rec {
+  pname = "otpw";
+  version = "1.3";
+
+  src = fetchurl {
+    url = "https://www.cl.cam.ac.uk/~mgk25/download/otpw-${version}.tar.gz";
+    sha256 = "1k3hc7xbxz6hkc55kvddi3cibafwf93ivn58sy1l888d3l5dwmrk";
+  };
+
+  patchPhase = ''
+    sed -i 's/^CFLAGS.*/CFLAGS=-O2 -fPIC/' Makefile
+    sed -i -e 's,PATH=.*;,,' conf.h
+    sed -i -e '/ENTROPY_ENV/d' otpw-gen.c
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/lib/security $out/share/man/man{1,8}
+    cp pam_*.so $out/lib/security
+    cp otpw-gen $out/bin
+    cp *.1 $out/share/man/man1
+    cp *.8 $out/share/man/man8
+  '';
+
+  buildInputs = [ pam ];
+
+  hardeningDisable = [ "stackprotector" ];
+
+  meta = {
+    homepage = "http://www.cl.cam.ac.uk/~mgk25/otpw.html";
+    description = "A one-time password login package";
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+  };
+}
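Review bot: `hardeningDisable = [ "stackprotector" ];` turns off a compiler mitigation for a PAM module that handles authentication input, and no comment says why it is needed. If it works around a build or link failure, say so next to the line, e.g. `# stackprotector: <build error it avoids>`, so it can be dropped once that is fixed. Otherwise remove it. The `patchPhase` edits need the same treatment: `sed -i -e '/ENTROPY_ENV/d' otpw-gen.c` and `sed -i -e 's,PATH=.*;,,' conf.h` change how the password generator runs its entropy-gathering code, judging by the names, and a reader cannot tell from here what remains after the deletion. The `homepage` uses `http://` while `src` is fetched from the same host over `https://`.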
diff --git a/nixpkgs/pkgs/os-specific/linux/pagemon/default.nix b/nixpkgs/pkgs/os-specific/linux/pagemon/default.nix
new file mode 100644
index 000000000000..2ce723913578
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pagemon/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "pagemon";
+  version = "0.01.18";
+
+  src = fetchFromGitHub {
+    sha256 = "1aq1mq3k8n70h81s64w2zg4kksw1y05326bn4y8p94lpaypvxqfd";
+    rev = "V${version}";
+    repo = "pagemon";
+    owner = "ColinIanKing";
+  };
+
+  buildInputs = [ ncurses ];
+
+  makeFlags = [
+    "BINDIR=$(out)/bin"
+    "MANDIR=$(out)/share/man/man8"
+  ];
+
+  meta = with lib; {
+    inherit (src.meta) homepage;
+    description = "Interactive memory/page monitor for Linux";
+    longDescription = ''
+      pagemon is an ncurses based interactive memory/page monitoring tool
+      allowing one to browse the memory map of an active running process
+      on Linux.
+      pagemon reads the PTEs of a given process and display the soft/dirty
+      activity in real time. The tool identifies the type of memory mapping
+      a page belongs to, so one can easily scan through memory looking at
+      pages of memory belonging data, code, heap, stack, anonymous mappings
+      or even swapped-out pages.
+    '';
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam/default.nix b/nixpkgs/pkgs/os-specific/linux/pam/default.nix
new file mode 100644
index 000000000000..72f91e89c745
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam/default.nix
@@ -0,0 +1,58 @@
+{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit
+, nixosTests
+, withLibxcrypt ? false, libxcrypt
+}:
+
+stdenv.mkDerivation rec {
+  pname = "linux-pam";
+  version = "1.5.2";
+
+  src = fetchurl {
+    url    = "https://github.com/linux-pam/linux-pam/releases/download/v${version}/Linux-PAM-${version}.tar.xz";
+    sha256 = "sha256-5OxxMakdpEUSV0Jo9JPG2MoQXIcJFpG46bVspoXU+U0=";
+  };
+
+  patches = [ ./suid-wrapper-path.patch ];
+
+  outputs = [ "out" "doc" "man" /* "modules" */ ];
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ flex ]
+    ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
+
+  buildInputs = [ cracklib db4 ]
+    ++ lib.optional stdenv.buildPlatform.isLinux audit
+    ++ lib.optional withLibxcrypt libxcrypt;
+
+  enableParallelBuilding = true;
+
+  preConfigure = lib.optionalString (stdenv.hostPlatform.libc == "musl") ''
+      # export ac_cv_search_crypt=no
+      # (taken from Alpine linux, apparently insecure but also doesn't build O:))
+      # disable insecure modules
+      # sed -e 's/pam_rhosts//g' -i modules/Makefile.am
+      sed -e 's/pam_rhosts//g' -i modules/Makefile.in
+  '';
+
+  configureFlags = [
+    "--includedir=${placeholder "out"}/include/security"
+    "--enable-sconfigdir=/etc/security"
+  ];
+
+  installFlags = [
+    "SCONFIGDIR=${placeholder "out"}/etc/security"
+  ];
+
+  doCheck = false; # fails
+
+  passthru.tests = {
+    inherit (nixosTests) pam-oath-login pam-u2f shadow;
+  };
+
+  meta = with lib; {
+    homepage = "http://www.linux-pam.org/";
+    description = "Pluggable Authentication Modules, a flexible mechanism for authenticating user";
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+  };
+}
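Review bot: The `preConfigure` block describes dropping `pam_rhosts` as "disable insecure modules", but it applies only when `stdenv.hostPlatform.libc == "musl"`, so glibc builds apparently still ship the module. The block also mixes that description with commented-out commands, which makes the one live `sed` hard to spot. If the removal is really a musl build fix, the comment should say that, e.g. `# pam_rhosts does not build against musl; drop it from the module list`. If it is meant as hardening, the condition should not depend on the libc. `doCheck = false; # fails` would also be more useful with the failing test or an issue reference.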
diff --git a/nixpkgs/pkgs/os-specific/linux/pam/suid-wrapper-path.patch b/nixpkgs/pkgs/os-specific/linux/pam/suid-wrapper-path.patch
new file mode 100644
index 000000000000..71533c51a190
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam/suid-wrapper-path.patch
@@ -0,0 +1,6 @@
+It needs the SUID version during runtime, and that can't be in /nix/store/**
+--- a/modules/pam_unix/Makefile.in
++++ b/modules/pam_unix/Makefile.in
+@@ -651 +651 @@
+-	-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
++	-DCHKPWD_HELPER=\"/run/wrappers/bin/unix_chkpwd\" \
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ccreds/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_ccreds/default.nix
new file mode 100644
index 000000000000..4b2cc7a3822b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ccreds/default.nix
@@ -0,0 +1,23 @@
+{lib, stdenv, fetchurl, pam, openssl, db}:
+
+stdenv.mkDerivation rec {
+  pname = "pam_ccreds";
+  version = "10";
+
+  src = fetchurl {
+    url = "https://www.padl.com/download/pam_ccreds-${version}.tar.gz";
+    sha256 = "1h7zyg1b1h69civyvrj95w22dg0y7lgw3hq4gqkdcg35w1y76fhz";
+  };
+  patchPhase = ''
+    sed 's/-o root -g root//' -i Makefile.in
+  '';
+
+  buildInputs = [ pam openssl db ];
+
+  meta = with lib; {
+    homepage = "https://www.padl.com/OSS/pam_ccreds.html";
+    description = "PAM module to locally authenticate using an enterprise identity when the network is unavailable";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
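Review bot: Setting `patchPhase` directly replaces the default patch phase, so any `patches = [ ... ]` added to this derivation later would be skipped without an error. The `sed` belongs in `postPatch = ''sed 's/-o root -g root//' -i Makefile.in'';` instead. `license = licenses.gpl2` also leaves open whether upstream is GPL-2.0-only or or-later; `gpl2Only` or `gpl2Plus` would state it once that is confirmed against the tarball.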
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_gnupg/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_gnupg/default.nix
new file mode 100644
index 000000000000..1c54c42120ab
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_gnupg/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pam, gnupg }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_gnupg";
+  version = "0.4";
+
+  src = fetchFromGitHub {
+    owner = "cruegge";
+    repo = "pam-gnupg";
+    rev = "v${version}";
+    sha256 = "sha256-6I9a841qohA42lhOgZf/hharnjkthuB8lRptPDxUgMI=";
+  };
+
+  configureFlags = [
+    "--with-moduledir=${placeholder "out"}/lib/security"
+  ];
+
+  buildInputs = [ pam gnupg ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  meta = with lib; {
+    description = "Unlock GnuPG keys on login";
+    longDescription = ''
+      A PAM module that hands over your login password to gpg-agent. This can
+      be useful if you are using a GnuPG-based password manager like pass.
+    '';
+    homepage = "https://github.com/cruegge/pam-gnupg";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ mtreca ];
+  };
+}
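Review bot: `meta` has no `platforms`, although the module is built against `pam`, which the PAM derivation earlier in this diff restricts to `platforms.linux`. Adding `inherit (pam.meta) platforms;` (the form pam_ldap uses) or `platforms = platforms.linux;` keeps it from being evaluated for targets where `pam` itself is unavailable.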
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_krb5/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_krb5/default.nix
new file mode 100644
index 000000000000..157226373db0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_krb5/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl, pam, libkrb5 }:
+
+stdenv.mkDerivation rec {
+  pname = "pam-krb5";
+  version = "4.11";
+
+  src = fetchurl {
+    url = "https://archives.eyrie.org/software/kerberos/pam-krb5-${version}.tar.gz";
+    sha256 = "sha256-UDy+LLGv9L39o7z3+T+U+2ulLCbXCJNOcDmyGC/hCyA=";
+  };
+
+  buildInputs = [ pam libkrb5 ];
+
+  meta = with lib; {
+    homepage = "https://www.eyrie.org/~eagle/software/pam-krb5/";
+    description = "PAM module allowing PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC";
+    longDescription = ''
+      pam_krb5 can optionally convert Kerberos 5 credentials to Kerberos IV
+      credentials and/or use them to set up AFS tokens for a user's session.
+    '';
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ldap/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_ldap/default.nix
new file mode 100644
index 000000000000..988256808dbb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ldap/default.nix
@@ -0,0 +1,34 @@
+{ stdenv, fetchurl, pam, openldap, perl }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_ldap";
+  version = "186";
+
+  src = fetchurl {
+    url = "https://www.padl.com/download/pam_ldap-${version}.tar.gz";
+    sha256 = "0lv4f7hc02jrd2l3gqxd247qq62z11sp3fafn8lgb8ymb7aj5zn8";
+  };
+
+  postPatch = ''
+    patchShebangs ./vers_string
+    substituteInPlace vers_string --replace "cvslib.pl" "./cvslib.pl"
+  '';
+
+  preInstall = "
+    substituteInPlace Makefile --replace '-o root -g root' ''
+  ";
+
+  nativeBuildInputs = [ perl ];
+  buildInputs = [ pam openldap ];
+
+  meta = {
+    homepage = "https://www.padl.com/OSS/pam_ldap.html";
+    description = "LDAP backend for PAM";
+    longDescription = ''
+      The pam_ldap module provides the means for Solaris and Linux servers and
+      workstations to authenticate against LDAP directories, and to change their
+      passwords in the directory.'';
+    license = "LGPL";
+    inherit (pam.meta) platforms;
+  };
+}
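Review bot: `license = "LGPL";` is a free-form string, so license-based filtering cannot evaluate it. It should be an attribute from `lib.licenses` (with `lib` added to the argument set), using whichever LGPL version the upstream tarball states. `preInstall` is also written as a double-quoted Nix string containing a shell `''`, which is easy to misread as a Nix string delimiter. Writing it as `preInstall = ''substituteInPlace Makefile --replace '-o root -g root' ""'';` matches the style of `postPatch` above it.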
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_mount/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_mount/default.nix
new file mode 100644
index 000000000000..c49351f3249d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_mount/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, libtool, pam, libHX, libxml2, pcre2, perl, openssl, cryptsetup, util-linux }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_mount";
+  version = "2.19";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/pam-mount/pam_mount/${pname}-${version}.tar.xz";
+    sha256 = "02m6w04xhgv2yx69yxph8giw0sp39s9lvvlffslyna46fnr64qvb";
+  };
+
+  patches = [
+    ./insert_utillinux_path_hooks.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace src/mtcrypt.c \
+      --replace @@NIX_UTILLINUX@@ ${util-linux}/bin
+  '';
+
+  nativeBuildInputs = [ autoreconfHook libtool pkg-config ];
+
+  buildInputs = [ pam libHX util-linux libxml2 pcre2 perl openssl cryptsetup ];
+
+  enableParallelBuilding = true;
+
+  configureFlags = [
+    "--prefix=${placeholder "out"}"
+    "--localstatedir=${placeholder "out"}/var"
+    "--sbindir=${placeholder "out"}/bin"
+    "--sysconfdir=${placeholder "out"}/etc"
+    "--with-slibdir=${placeholder "out"}/lib"
+  ];
+
+  postInstall = ''
+    rm -r $out/var
+  '';
+
+  meta = with lib; {
+    description = "PAM module to mount volumes for a user session";
+    homepage = "https://pam-mount.sourceforge.net/";
+    license = with licenses; [ gpl2 gpl3 lgpl21 lgpl3 ];
+    maintainers = with maintainers; [ netali ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_mount/insert_utillinux_path_hooks.patch b/nixpkgs/pkgs/os-specific/linux/pam_mount/insert_utillinux_path_hooks.patch
new file mode 100644
index 000000000000..6d9da05da295
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_mount/insert_utillinux_path_hooks.patch
@@ -0,0 +1,30 @@
+diff -uNr pam_mount-2.15_old/src/mtcrypt.c pam_mount-2.15/src/mtcrypt.c
+--- pam_mount-2.15_old/src/mtcrypt.c	2015-07-04 16:00:12.917943336 +0200
++++ pam_mount-2.15/src/mtcrypt.c	2015-07-04 16:03:45.685302493 +0200
+@@ -534,7 +534,7 @@
+ 
+ 	/* candidate for replacement by some libmount calls, I guess. */
+ 	argk = 0;
+-	mount_args[argk++] = "mount";
++	mount_args[argk++] = "@@NIX_UTILLINUX@@/mount";
+ 	if (opt->fstype != NULL) {
+ 		mount_args[argk++] = "-t";
+ 		mount_args[argk++] = opt->fstype;
+@@ -668,7 +668,7 @@
+ 
+ 	if (!opt->no_update)
+ 		pmt_smtab_remove(mntpt, SMTABF_MOUNTPOINT);
+-	rmt_args[argk++] = "mount";
++	rmt_args[argk++] = "@@NIX_UTILLINUX@@/mount";
+ 	rmt_args[argk++] = "-o";
+ 	rmt_args[argk++] = opt->extra_opts;
+ 	rmt_args[argk++] = mntpt;
+@@ -749,7 +749,7 @@
+ 		pmt_smtab_remove(mountpoint, SMTABF_MOUNTPOINT);
+ 	pmt_cmtab_remove(mountpoint);
+ 
+-	umount_args[argk++] = "umount";
++	umount_args[argk++] = "@@NIX_UTILLINUX@@/umount";
+ 	umount_args[argk++] = "-i";
+ 	umount_args[argk++] = mountpoint;
+ 	umount_args[argk]   = NULL;
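Review bot: The patch has no header saying why the bare `mount`/`umount` names are replaced, and its file paths still name pam_mount-2.15 while the derivation builds 2.19. A first line such as `Use absolute util-linux paths so mount/umount are not looked up through the caller's PATH during login.` would record the intent (presumably the argv arrays are handed to a PATH-searching spawn; that call is outside these hunks). Only the three `argv[0]` entries in mtcrypt.c are pinned here, so any other helper the module starts would need checking separately.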
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_mysql/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_mysql/default.nix
new file mode 100644
index 000000000000..807899cf2b28
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_mysql/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_mysql";
+  version = "1.0.0-beta2";
+
+  src = fetchFromGitHub {
+    owner = "NigelCunningham";
+    repo = "pam-MySQL";
+    rev = version;
+    sha256 = "07acf0hbhkd0kg49gnj4nb5ilnv3v4xx3dsggvzvjg8gi3cjmsap";
+  };
+
+  nativeBuildInputs = [ meson pkg-config ninja ];
+  buildInputs = [ pam libmysqlclient mariadb ];
+
+  meta = with lib; {
+    description = "PAM authentication module against a MySQL database";
+    homepage = "https://github.com/NigelCunningham/pam-MySQL";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ netali ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_p11/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_p11/default.nix
new file mode 100644
index 000000000000..35199d3357b1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_p11/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, openssl, libp11, pam, libintl }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_p11";
+  version = "0.3.1";
+
+  src = fetchFromGitHub {
+    owner = "OpenSC";
+    repo = "pam_p11";
+    rev = "pam_p11-${version}";
+    sha256 = "1caidy18rq5zk82d51x8vwidmkhwmanf3qm25x1yrdlbhxv6m7lk";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ pam openssl libp11 ]
+    ++ lib.optionals stdenv.isDarwin [ libintl ];
+
+  meta = with lib; {
+    homepage = "https://github.com/OpenSC/pam_p11";
+    description = "Authentication with PKCS#11 modules";
+    license = licenses.lgpl21Plus;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ sb0 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_pgsql/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_pgsql/default.nix
new file mode 100644
index 000000000000..3cfa6733efa8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_pgsql/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, postgresql, libgcrypt, pam }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_pgsql";
+  version = "unstable-2020-05-05";
+
+  src = fetchFromGitHub {
+    owner = "pam-pgsql";
+    repo = "pam-pgsql";
+    rev = "f9fd1e1a0daf754e6764a31db5cbec6f9fc02b3d";
+    sha256 = "1bvddrwyk1479wibyayzc24h62qzfnlbk9qvdhb31yw9yn17gp6k";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ libgcrypt pam postgresql ];
+
+  meta = with lib; {
+    description = "Support to authenticate against PostgreSQL for PAM-enabled appliations";
+    homepage = "https://github.com/pam-pgsql/pam-pgsql";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
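Review bot: `description` misspells "applications" as `appliations`; it should read `"Support to authenticate against PostgreSQL for PAM-enabled applications"`. The string is shown in package search results, so it is worth correcting in the same change.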
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
new file mode 100644
index 000000000000..f28cb28ef373
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenv, fetchpatch, fetchFromGitHub, pam, openssl, perl }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_ssh_agent_auth";
+  version = "0.10.4";
+
+  src = fetchFromGitHub {
+    owner = "jbeverly";
+    repo = "pam_ssh_agent_auth";
+    rev = "pam_ssh_agent_auth-${version}";
+    sha256 = "YD1R8Cox0UoNiuWleKGzWSzxJ5lhDRCB2mZPp9OM6Cs=";
+  };
+
+  ed25519-donna = fetchFromGitHub {
+    owner = "floodyberry";
+    repo = "ed25519-donna";
+    rev = "8757bd4cd209cb032853ece0ce413f122eef212c";
+    sha256 = "ETFpIaWQnlYG8ZuDG2dNjUJddlvibB4ukHquTFn3NZM=";
+  };
+
+  buildInputs = [ pam openssl perl ];
+
+  patches = [
+    # Allow multiple colon-separated authorized keys files to be
+    # specified in the file= option.
+    ./multiple-key-files.patch
+    ./edcsa-crash-fix.patch
+  ];
+
+  configureFlags = [
+    # It's not clear to me why this is necessary, but without it, you see:
+    #
+    # checking OpenSSL header version... 1010108f (OpenSSL 1.1.1h  22 Sep 2020)
+    # checking OpenSSL library version... 1010108f (OpenSSL 1.1.1h  22 Sep 2020)
+    # checking whether OpenSSL's headers match the library... no
+    # configure: WARNING: Your OpenSSL headers do not match your
+    # library. Check config.log for details.
+    #
+    # ...despite the fact that clearly the values match
+    "--without-openssl-header-check"
+    # Make sure it can find ed25519-donna
+    "--with-cflags=-I$PWD"
+  ];
+
+  prePatch = "cp -r ${ed25519-donna}/. ed25519-donna/.";
+
+  enableParallelBuilding = true;
+
+  meta = {
+    homepage = "https://github.com/jbeverly/pam_ssh_agent_auth";
+    description = "PAM module for authentication through the SSH agent";
+    maintainers = [ lib.maintainers.eelco ];
+    platforms = lib.platforms.linux;
+  };
+}
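Review bot: `./edcsa-crash-fix.patch` is listed without a comment while the entry above it has one, and `meta` carries no `license`. A comment such as `# Fix segfault when using ECDSA keys (https://bugs.launchpad.net/bugs/1869512)` records why the patch is carried and when it can be dropped. `--without-openssl-header-check` turns off configure's header/library consistency check for a module that performs signature verification. The existing comment says the cause is unknown, so a `# TODO: re-test on OpenSSL updates` next to the flag would keep it from becoming permanent by default.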
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch
new file mode 100644
index 000000000000..45ee87458161
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch
@@ -0,0 +1,53 @@
+commit 1b0d9bcc5f5cd78b0bb1357d6a11da5d616ad26f
+Author: Wout Mertens <Wout.Mertens@gmail.com>
+Date:   Thu Jun 11 18:08:13 2020 +0200
+
+    fix segfault when using ECDSA keys.
+    
+    Author: Marc Deslauriers <marc.deslauriers@canonical.com>
+    Bug-Ubuntu: https://bugs.launchpad.net/bugs/1869512
+
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index 5b13b30..5bf29cc 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -46,7 +46,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     u_int len, dlen;
+     Buffer b, bb;
+ #if OPENSSL_VERSION_NUMBER >= 0x10100005L
+-	BIGNUM *r, *s;
++	BIGNUM *r = NULL, *s = NULL;
+ #endif
+ 
+     if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
+@@ -137,20 +137,27 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 
+     /* parse signature */
+     if ((sig = ECDSA_SIG_new()) == NULL)
+-        pamsshagentauth_fatal("ssh_ecdsa_verify: DSA_SIG_new failed");
++        pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_new failed");
+ 
+     pamsshagentauth_buffer_init(&b);
+     pamsshagentauth_buffer_append(&b, sigblob, len);
+ #if OPENSSL_VERSION_NUMBER < 0x10100005L
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
++        pamsshagentauth_fatal("ssh_ecdsa_verify:"
++            "pamsshagentauth_buffer_get_bignum2_ret failed");
+ #else
+-    DSA_SIG_get0(sig, &r, &s);
++    if ((r = BN_new()) == NULL)
++        pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed");
++    if ((s = BN_new()) == NULL)
++        pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed");
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, s) == -1))
+-#endif
+         pamsshagentauth_fatal("ssh_ecdsa_verify:"
+             "pamsshagentauth_buffer_get_bignum2_ret failed");
++    if (ECDSA_SIG_set0(sig, r, s) != 1)
++        pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_set0 failed");
++#endif
+ 
+     /* clean up */
+     memset(sigblob, 0, len);
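Review bot: The `pamsshagentauth_fatal` call added in the `OPENSSL_VERSION_NUMBER < 0x10100005L` branch joins two string literals with no separator, so the log line reads `ssh_ecdsa_verify:pamsshagentauth_buffer_get_bignum2_ret failed`. The first literal should be `"ssh_ecdsa_verify: "`, and the same applies to the unchanged copy in the `#else` branch. After `ECDSA_SIG_set0(sig, r, s)` succeeds, `sig` owns `r` and `s`, so the clean-up code, which lies outside this hunk, must free only `sig`. A one-line comment next to the call, `/* sig now owns r and s; do not BN_free them */`, would make that explicit. ssh_ecdsa_verify starts and ends outside the hunk.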
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch
new file mode 100644
index 000000000000..71d8e08ecd0b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch
@@ -0,0 +1,371 @@
+diff -u pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.c pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
+--- pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.c	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c	2017-03-02 23:47:18.012203283 -0800
+@@ -176,7 +176,7 @@
+     return;
+ }
+ 
+-int
++const char *
+ pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
+ {
+     Buffer session_id2 = { 0 };
+@@ -184,7 +184,7 @@
+     Key *key;
+     AuthenticationConnection *ac;
+     char *comment;
+-    uint8_t retval = 0;
++    const char *key_file = 0;
+     uid_t uid = getpwnam(ruser)->pw_uid;
+ 
+     OpenSSL_add_all_digests();
+@@ -199,13 +199,11 @@
+                 id->key = key;
+                 id->filename = comment;
+                 id->ac = ac;
+-                if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
+-                    retval = 1;
+-                }
++                key_file = userauth_pubkey_from_id(ruser, id, &session_id2);
+                 pamsshagentauth_xfree(id->filename);
+                 pamsshagentauth_key_free(id->key);
+                 pamsshagentauth_xfree(id);
+-                if(retval == 1)
++                if(key_file)
+                     break;
+             }
+         }
+@@ -217,5 +215,5 @@
+     }
+     /* pamsshagentauth_xfree(session_id2); */
+     EVP_cleanup();
+-    return retval;
++    return key_file;
+ }
+diff -u pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.h pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.h
+--- pam_ssh_agent_auth-0.10.3-orig/iterate_ssh_agent_keys.h	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.h	2017-03-02 23:48:06.345803339 -0800
+@@ -31,6 +31,6 @@
+ #ifndef _ITERATE_SSH_AGENT_KEYS_H
+ #define _ITERATE_SSH_AGENT_KEYS_H
+ 
+-int pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename);
++const char * pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename);
+ 
+ #endif
+diff -u pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.c pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
+--- pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.c	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c	2017-03-02 23:51:57.642669946 -0800
+@@ -61,7 +61,6 @@
+ #define strncasecmp_literal(A,B) strncasecmp( A, B, sizeof(B) - 1)
+ #define UNUSED(expr) do { (void)(expr); } while (0)
+ 
+-char           *authorized_keys_file = NULL;
+ uint8_t         allow_user_owned_authorized_keys_file = 0;
+ char           *authorized_keys_command = NULL;
+ char           *authorized_keys_command_user = NULL;
+@@ -171,15 +170,13 @@
+         goto cleanexit;
+     }
+ 
+-    if(authorized_keys_file_input && user) {
+-        /*
+-         * user is the name of the target-user, and so must be used for validating the authorized_keys file
+-         */
+-        parse_authorized_key_file(user, authorized_keys_file_input);
+-    } else {
+-        pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys");
+-        authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys");
+-    }
++    if (!authorized_keys_file_input || !user)
++        authorized_keys_file_input = "/etc/security/authorized_keys";
++
++    /*
++     * user is the name of the target-user, and so must be used for validating the authorized_keys file
++     */
++    parse_authorized_key_files(user, authorized_keys_file_input);
+ 
+     /*
+      * PAM_USER and PAM_RUSER do not necessarily have to get set by the calling application, and we may be unable to divine the latter.
+@@ -184,5 +181,5 @@
+      */
+ 
+     if(user && strlen(ruser) > 0) {
+-        pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++        pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
+ 
+@@ -201,3 +197,3 @@
+                 retval = PAM_SUCCESS;
+-                pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++                pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
+ 
+@@ -211,11 +208,12 @@
+         /*
+          * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
+          */
+-        if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
+-            pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++        const char *key_file;
++        if((key_file = pamsshagentauth_find_authorized_keys(user, ruser, servicename))) { /* getpwnam(ruser)->pw_uid)) { */
++            pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, key_file);
+             retval = PAM_SUCCESS;
+         } else {
+-            pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++            pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
+         }
+     } else {
+         pamsshagentauth_logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
+@@ -208,7 +206,7 @@
+     free(__progname);
+ #endif
+ 
+-    free(authorized_keys_file);
++    free_authorized_key_files();
+ 
+     return retval;
+ }
+diff -u pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.pod pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.pod
+--- pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.pod	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.pod	2017-03-02 23:52:28.914857449 -0800
+@@ -31,7 +31,7 @@
+ 
+ =item file=<path to authorized_keys>
+ 
+-Specify the path to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below) 
++Specify the path(s) to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below). Paths are separated using colons.
+ 
+ =item allow_user_owned_authorized_keys_file
+ 
+diff -u pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.c pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
+--- pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.c	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c	2017-03-03 00:07:45.201322570 -0800
+@@ -79,8 +79,12 @@
+ 
+ #include "identity.h"
+ #include "pam_user_key_allowed2.h"
++#include "pam_user_authorized_keys.h"
+ 
+-extern char *authorized_keys_file;
++#define MAX_AUTHORIZED_KEY_FILES 16
++
++char *authorized_keys_files[MAX_AUTHORIZED_KEY_FILES];
++unsigned int nr_authorized_keys_files = 0;
+ 
+ extern char *authorized_keys_command;
+ 
+@@ -91,79 +95,88 @@
+ uid_t authorized_keys_file_allowed_owner_uid;
+ 
+ void
+-parse_authorized_key_file(const char *user,
+-                          const char *authorized_keys_file_input)
++parse_authorized_key_files(const char *user,
++                           const char *authorized_keys_file_input)
+ {
+-    char fqdn[HOST_NAME_MAX] = "";
++    const char *pos = authorized_keys_file_input;
+     char hostname[HOST_NAME_MAX] = "";
+-    char auth_keys_file_buf[4096] = "";
+-    char *slash_ptr = NULL;
+-    char owner_uname[128] = "";
+-    size_t owner_uname_len = 0;
+-
+-    /* 
+-     * temporary copy, so that both tilde expansion and percent expansion both
+-     * get to apply to the path
+-     */
+-    strncat(auth_keys_file_buf, authorized_keys_file_input,
+-            sizeof(auth_keys_file_buf) - 1);
++    char fqdn[HOST_NAME_MAX] = "";
+ 
+-    if(allow_user_owned_authorized_keys_file)
+-        authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++#if HAVE_GETHOSTNAME
++    *hostname = '\0';
++    gethostname(fqdn, HOST_NAME_MAX);
++    strncat(hostname, fqdn, strcspn(fqdn,"."));
++#endif
+ 
+-    if(*auth_keys_file_buf == '~') {
+-        if(*(auth_keys_file_buf + 1) == '/') {
+-            authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++    while (pos) {
++        const char *colon = strchr(pos, ':');
++        char auth_keys_file_buf[4096] = "";
++        char *slash_ptr = NULL;
++        char owner_uname[128] = "";
++        size_t owner_uname_len = 0;
++
++        strncat(auth_keys_file_buf, pos, sizeof(auth_keys_file_buf) - 1);
++        if (colon) {
++            auth_keys_file_buf[colon - pos] = 0;
++            pos = colon + 1;
+         } else {
+-            slash_ptr = strchr(auth_keys_file_buf, '/');
+-            if(!slash_ptr)
+-                pamsshagentauth_fatal
+-                    ("cannot expand tilde in path without a `/'");
+-
+-            owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
+-            if(owner_uname_len > (sizeof(owner_uname) - 1))
+-                pamsshagentauth_fatal("Username too long");
+-
+-            strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
+-            if(!authorized_keys_file_allowed_owner_uid)
+-                authorized_keys_file_allowed_owner_uid =
+-                    getpwnam(owner_uname)->pw_uid;
++            pos = 0;
++        }
++
++        if(allow_user_owned_authorized_keys_file)
++            authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++
++        if(*auth_keys_file_buf == '~') {
++            if(*(auth_keys_file_buf+1) == '/') {
++                authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++            }
++            else {
++                slash_ptr = strchr(auth_keys_file_buf,'/');
++                if(!slash_ptr)
++                    pamsshagentauth_fatal("cannot expand tilde in path without a `/'");
++
++                owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
++                if(owner_uname_len > (sizeof(owner_uname) - 1) )
++                    pamsshagentauth_fatal("Username too long");
++
++                strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
++                if(!authorized_keys_file_allowed_owner_uid)
++                    authorized_keys_file_allowed_owner_uid = getpwnam(owner_uname)->pw_uid;
++            }
++            char *tmp = pamsshagentauth_tilde_expand_filename(auth_keys_file_buf, authorized_keys_file_allowed_owner_uid);
++            strncpy(auth_keys_file_buf, tmp, sizeof(auth_keys_file_buf) - 1 );
++            pamsshagentauth_xfree(tmp);
+         }
+-        authorized_keys_file =
+-            pamsshagentauth_tilde_expand_filename(auth_keys_file_buf,
+-                                                  authorized_keys_file_allowed_owner_uid);
+-        strncpy(auth_keys_file_buf, authorized_keys_file,
+-                sizeof(auth_keys_file_buf) - 1);
+-        pamsshagentauth_xfree(authorized_keys_file)        /* when we
+-                                                              percent_expand
+-                                                              later, we'd step
+-                                                              on this, so free
+-                                                              it immediately */ ;
+-    }
+ 
+-    if(strstr(auth_keys_file_buf, "%h")) {
+-        authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++        if(strstr(auth_keys_file_buf, "%h")) {
++            authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
++        }
++
++        if (nr_authorized_keys_files >= MAX_AUTHORIZED_KEY_FILES)
++            pamsshagentauth_fatal("Too many authorized key files");
++        authorized_keys_files[nr_authorized_keys_files++] =
++            pamsshagentauth_percent_expand(auth_keys_file_buf, "h", getpwnam(user)->pw_dir, "H", hostname, "f", fqdn, "u", user, NULL);
+     }
+-#if HAVE_GETHOSTNAME
+-    *hostname = '\0';
+-    gethostname(fqdn, HOST_NAME_MAX);
+-    strncat(hostname, fqdn, strcspn(fqdn, "."));
+-#endif
+-    authorized_keys_file =
+-        pamsshagentauth_percent_expand(auth_keys_file_buf, "h",
+-                                       getpwnam(user)->pw_dir, "H", hostname,
+-                                       "f", fqdn, "u", user, NULL);
+ }
+ 
+-int
++void
++free_authorized_key_files()
++{
++    unsigned int n;
++    for (n = 0; n < nr_authorized_keys_files; n++)
++        free(authorized_keys_files[n]);
++    nr_authorized_keys_files = 0;
++}
++
++const char *
+ pam_user_key_allowed(const char *ruser, Key * key)
+ {
+-    return
+-        pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
+-                                          key, authorized_keys_file)
+-        || pamsshagentauth_user_key_allowed2(getpwuid(0), key,
+-                                             authorized_keys_file)
+-        || pamsshagentauth_user_key_command_allowed2(authorized_keys_command,
+-                                                     authorized_keys_command_user,
+-                                                     getpwnam(ruser), key);
++    unsigned int n;
++    for (n = 0; n < nr_authorized_keys_files; n++) {
++        if (pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), key, authorized_keys_files[n])
++            || pamsshagentauth_user_key_allowed2(getpwuid(0), key, authorized_keys_files[n])
++            || pamsshagentauth_user_key_command_allowed2(authorized_keys_command, authorized_keys_command_user, getpwnam(ruser), key))
++            return authorized_keys_files[n];
++    }
++    return 0;
+ }
+diff -u pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.h pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
+--- pam_ssh_agent_auth-0.10.3-orig/pam_user_authorized_keys.h	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h	2017-03-03 00:09:17.256064914 -0800
+@@ -28,11 +28,12 @@
+  */
+ 
+ 
+-#ifndef _PAM_USER_KEY_ALLOWED_H
+-#define _PAM_USER_KEY_ALLOWED_H
++#ifndef _PAM_USER_AUTHORIZED_KEYS_H
++#define _PAM_USER_AUTHORIZED_KEYS_H
+ 
+ #include "identity.h"
+-int pam_user_key_allowed(const char *, Key *);
+-void parse_authorized_key_file(const char *, const char *);
++const char * pam_user_key_allowed(const char *, Key *);
++void parse_authorized_key_files(const char *, const char *);
++void free_authorized_key_files();
+ 
+ #endif
+diff -u pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.c pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
+--- pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.c	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c	2017-03-03 00:10:33.163545380 -0800
+@@ -52,7 +52,7 @@
+ extern uint8_t  session_id_len;
+  */
+ 
+-int
++const char *
+ userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
+ {
+     Buffer          b = { 0 };
+@@ -60,11 +60,12 @@
+     u_char         *pkblob = NULL, *sig = NULL;
+     u_int           blen = 0, slen = 0;
+     int             authenticated = 0;
++    const char     *key_file;
+ 
+     pkalg = (char *) key_ssh_name(id->key);
+ 
+     /* first test if this key is even allowed */
+-    if(! pam_user_key_allowed(ruser, id->key))
++    if(!(key_file = pam_user_key_allowed(ruser, id->key)))
+         goto user_auth_clean_exit;
+ 
+     if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
+@@ -97,5 +98,5 @@
+     if(pkblob != NULL)
+         pamsshagentauth_xfree(pkblob);
+     CRYPTO_cleanup_all_ex_data();
+-    return authenticated;
++    return authenticated ? key_file : 0;
+ }
+diff -u pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.h pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
+--- pam_ssh_agent_auth-0.10.3-orig/userauth_pubkey_from_id.h	2016-11-12 19:24:32.000000000 -0800
++++ pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h	2017-03-03 00:10:59.067046872 -0800
+@@ -32,6 +32,6 @@
+ #define _USERAUTH_PUBKEY_FROM_ID_H
+ 
+ #include <identity.h>
+-int userauth_pubkey_from_id(const char *, Identity *, Buffer *);
++const char * userauth_pubkey_from_id(const char *, Identity *, Buffer *);
+ 
+ #endif
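Review bot: In `parse_authorized_key_files`, `auth_keys_file_buf[colon - pos] = 0` indexes the 4096-byte stack buffer with the segment length without checking it, so a first path segment of 4096 characters or more writes past the buffer. The length should be bounded before copying, as in the excerpt below. Separately, the rewritten block in pam_ssh_agent_auth.c now calls `parse_authorized_key_files(user, ...)` even when `user` is NULL, which the old code did not. The function dereferences `getpwnam(user)` unconditionally, so the call should be guarded as `if (user) parse_authorized_key_files(user, authorized_keys_file_input);`. In `pam_user_key_allowed` the `authorized_keys_command` check sits inside the per-file loop, so a key accepted by the command is logged as coming from `authorized_keys_files[n]` and the command is re-run for every configured file. The enclosing functions start or end outside several of these inner hunks.

```c
    while (pos) {
        const char *colon = strchr(pos, ':');
        /* … unchanged: auth_keys_file_buf, slash_ptr, owner_uname declarations … */
        /* length of this segment only, checked before anything is copied */
        size_t seg_len = colon ? (size_t)(colon - pos) : strlen(pos);

        if (seg_len >= sizeof(auth_keys_file_buf))
            pamsshagentauth_fatal("authorized_keys path too long");
        strncat(auth_keys_file_buf, pos, seg_len);
        pos = colon ? colon + 1 : NULL;
        /* … unchanged: owner uid selection, tilde and percent expansion … */
```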
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_tmpdir/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_tmpdir/default.nix
new file mode 100644
index 000000000000..859ebedc3340
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_tmpdir/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl, autoreconfHook, pam }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_tmpdir";
+  version = "0.09";
+
+  src = fetchurl {
+    url = "http://deb.debian.org/debian/pool/main/p/pam-tmpdir/pam-tmpdir_${version}.tar.gz";
+    hash = "sha256-MXa1CY6alD83E/Q+MJmsv8NaImWd0pPJKZd/7nbe4J8=";
+  };
+
+  postPatch = ''
+    substituteInPlace pam_tmpdir.c \
+      --replace /sbin/pam-tmpdir-helper $out/sbin/pam-tmpdir-helper
+
+    # chmod/chown fails on files in /nix/store
+    sed -i -E -e '/^\s*(chmod|chown)/d' Makefile.{am,in}
+
+    # the symlinks in m4 assume FHS
+    rm -rf m4
+  '';
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  buildInputs = [ pam ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://tracker.debian.org/pkg/pam-tmpdir";
+    description = "PAM module for creating safe per-user temporary directories";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms = platforms.linux;
+  };
+}
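Review bot: `postPatch` points pam_tmpdir.c at `$out/sbin/pam-tmpdir-helper` and also deletes every `chmod`/`chown` line from the Makefiles, but nothing records what owner and mode those lines gave the helper. If upstream installs the helper setuid (worth confirming against its Makefile.am), the store copy cannot carry that bit and the module will call an unprivileged helper. I would extend the existing comment to something like `# chmod/chown fails on files in /nix/store; if the helper needs setuid it has to come from a system setuid wrapper`. The `src` URL could also be `https://deb.debian.org/...`; the pinned hash already protects integrity, so that part is minor.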
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_u2f/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_u2f/default.nix
new file mode 100644
index 000000000000..bcccd20cd6f0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_u2f/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchurl, pkg-config, libfido2, pam, openssl }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_u2f";
+  version = "1.2.1";
+
+  src     = fetchurl {
+    url = "https://developers.yubico.com/pam-u2f/Releases/${pname}-${version}.tar.gz";
+    sha256 = "sha256-cOdBvKGXtktPvo3R9tV84ritWMp4Y1LFJfPy1EEliUw=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libfido2 pam openssl ];
+
+  preConfigure = ''
+    configureFlagsArray+=("--with-pam-dir=$out/lib/security")
+  '';
+
+  # a no-op makefile to prevent building the fuzz targets
+  postConfigure = ''
+    cat > fuzz/Makefile <<EOF
+    all:
+    install:
+    EOF
+  '';
+
+  meta = with lib; {
+    homepage = "https://developers.yubico.com/pam-u2f/";
+    description = "A PAM module for allowing authentication with a U2F device";
+    changelog = "https://github.com/Yubico/pam-u2f/raw/pam_u2f-${version}/NEWS";
+    license = licenses.bsd2;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ philandstuff ];
+    mainProgram = "pamu2fcfg";
+  };
+}
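Review bot: The `src` block passes an SRI string through the `sha256` attribute; for SRI values the clearer form is `hash = "sha256-cOdBvKGXtktPvo3R9tV84ritWMp4Y1LFJfPy1EEliUw=";`, as the pam_tmpdir derivation on this page already does. The same applies to the `sha256 = "sha256-…"` lines in the pax-utils, pcm and plymouth derivations. The extra padding in `src     = fetchurl` can go at the same time.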
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_usb/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_usb/default.nix
new file mode 100644
index 000000000000..ebd45246ae8d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_usb/default.nix
@@ -0,0 +1,81 @@
+{ lib, stdenv, fetchurl, makeWrapper, dbus, libxml2, pam, pkg-config, pmount, python2Packages, writeScript, runtimeShell }:
+
+let
+
+  # Search in the environment if the same program exists with a set uid or
+  # set gid bit.  If it exists, run the first program found, otherwise run
+  # the default binary.
+  useSetUID = drv: path:
+    let
+      name = baseNameOf path;
+      bin = "${drv}${path}";
+    in assert name != "";
+      writeScript "setUID-${name}" ''
+        #!${runtimeShell}
+        inode=$(stat -Lc %i ${bin})
+        for file in $(type -ap ${name}); do
+          case $(stat -Lc %a $file) in
+            ([2-7][0-7][0-7][0-7])
+              if test -r "$file".real; then
+                orig=$(cat "$file".real)
+                if test $inode = $(stat -Lc %i "$orig"); then
+                  exec "$file" "$@"
+                fi
+              fi;;
+          esac
+        done
+        exec ${bin} "$@"
+      '';
+
+  pmountBin = useSetUID pmount "/bin/pmount";
+  pumountBin = useSetUID pmount "/bin/pumount";
+  inherit (python2Packages) python dbus-python;
+in
+
+stdenv.mkDerivation rec {
+  pname = "pam_usb";
+  version = "0.5.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/pamusb/pam_usb-${version}.tar.gz";
+    sha256 = "1g1w0s9d8mfld8abrn405ll5grv3xgs0b0hsganrz6qafdq9j7q1";
+  };
+
+  nativeBuildInputs = [
+    makeWrapper
+    pkg-config
+  ];
+
+  buildInputs = [
+    # pam_usb dependencies
+    dbus libxml2 pam pmount pkg-config
+    # pam_usb's tools dependencies
+    python
+    # cElementTree is included with python 2.5 and later.
+  ];
+
+  preBuild = ''
+    makeFlagsArray=(DESTDIR=$out)
+    substituteInPlace ./src/volume.c \
+      --replace 'pmount' '${pmountBin}' \
+      --replace 'pumount' '${pumountBin}'
+  '';
+
+  # pmount is append to the PATH because pmounts binaries should have a set uid bit.
+  postInstall = ''
+    mv $out/usr/* $out/. # fix color */
+    rm -rf $out/usr
+    for prog in $out/bin/pamusb-conf $out/bin/pamusb-agent; do
+      substituteInPlace $prog --replace '/usr/bin/env python' '/bin/python'
+      wrapProgram $prog \
+        --prefix PYTHONPATH : "$(toPythonPath ${dbus-python})"
+    done
+  '';
+
+  meta = {
+    homepage = "http://pamusb.org/";
+    description = "Authentication using USB Flash Drives";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
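Review bot: The `useSetUID` script accepts any file on `PATH` that has a setuid or setgid bit and a `.real` sidecar resolving to the inode of `${bin}`, without checking who owns it, and `$file` is unquoted in `case $(stat -Lc %a $file) in`. `preBuild` substitutes this script into src/volume.c, so it runs with whatever privileges and `PATH` the PAM caller has. The lookup should therefore trust only root-owned candidates, e.g. `if test -r "$file".real && test "$(stat -Lc %u "$file")" = 0; then`, together with `case $(stat -Lc %a "$file") in`. Limiting the search to the system wrapper directory instead of `type -ap` would be stricter still. Separately, `postInstall` rewrites the shebang to `/bin/python`, which looks like it was meant to be `${python}/bin/python`.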
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ussh/default.nix b/nixpkgs/pkgs/os-specific/linux/pam_ussh/default.nix
new file mode 100644
index 000000000000..889c8bc6f57c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ussh/default.nix
@@ -0,0 +1,67 @@
+{ buildGoModule
+, fetchFromGitHub
+, pam
+, lib
+, nixosTests
+}:
+
+buildGoModule rec {
+  pname = "pam_ussh";
+  version = "unstable-20210615";
+
+  src = fetchFromGitHub {
+    owner = "uber";
+    repo = "pam-ussh";
+    rev = "e9524bda90ba19d3b9eb24f49cb63a6a56a19193";  # HEAD as of 2022-03-13
+    sha256 = "0nb9hpqbghgi3zvq41kabydzyc6ffaaw9b4jkc5jrwn1klpw1xk8";
+  };
+
+  prePatch = ''
+    cp ${./go.mod} go.mod
+  '';
+  overrideModAttrs = (_: {
+    inherit prePatch;
+  });
+
+  vendorSha256 = "0hjifc3kbwmx7kjn858vi05cwwra6q19cqjfd94k726pwhk37qkw";
+
+  buildInputs = [
+    pam
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    if [ -z "$enableParallelBuilding" ]; then
+      export NIX_BUILD_CORES=1
+    fi
+    go build -buildmode=c-shared -o pam_ussh.so -v -p $NIX_BUILD_CORES .
+
+    runHook postBuild
+  '';
+  checkPhase = ''
+    runHook preCheck
+
+    go test -v -p $NIX_BUILD_CORES .
+
+    runHook postCheck
+  '';
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/security
+    cp pam_ussh.so $out/lib/security
+
+    runHook postInstall
+  '';
+
+  passthru.tests = { inherit (nixosTests) pam-ussh; };
+
+  meta = with lib; {
+    homepage = "https://github.com/uber/pam-ussh";
+    description = "PAM module to authenticate using SSH certificates";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ lukegb ];
+  };
+}
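Review bot: `prePatch` overwrites the source's go.mod with the local `./go.mod`, and nothing says why or how that copy is kept current. The file pins `golang.org/x/crypto`, which the module presumably relies on for its SSH certificate checks, so the pin is worth tracking. I would add a comment such as `# replaces upstream's module file; pins golang.org/x/crypto, bump it together with rev and vendorSha256`. The `version` string `unstable-20210615` also disagrees with the `# HEAD as of 2022-03-13` remark on `rev`, and the usual form is `unstable-YYYY-MM-DD`.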
diff --git a/nixpkgs/pkgs/os-specific/linux/pam_ussh/go.mod b/nixpkgs/pkgs/os-specific/linux/pam_ussh/go.mod
new file mode 100644
index 000000000000..9adc453560a4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pam_ussh/go.mod
@@ -0,0 +1,15 @@
+module github.com/uber/pam-ussh
+
+go 1.17
+
+require (
+	github.com/stretchr/testify v1.7.0
+	golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+)
diff --git a/nixpkgs/pkgs/os-specific/linux/pax-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/pax-utils/default.nix
new file mode 100644
index 000000000000..844dc61dac37
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pax-utils/default.nix
@@ -0,0 +1,50 @@
+{ stdenv
+, lib
+, fetchurl
+, buildPackages
+, docbook_xml_dtd_44
+, docbook_xsl
+, libcap
+, pkg-config
+, meson
+, ninja
+, xmlto
+
+, gitUpdater
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pax-utils";
+  version = "1.3.5";
+
+  src = fetchurl {
+    url = "mirror://gentoo/distfiles/${pname}-${version}.tar.xz";
+    sha256 = "sha256-8KWwPfIwiqLdeq9TuewLK0hFW4YSnkd6FkPeYpBKuHQ=";
+  };
+
+  strictDeps = true;
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ docbook_xml_dtd_44 docbook_xsl meson ninja pkg-config xmlto ];
+  buildInputs = [ libcap ];
+
+  passthru.updateScript = gitUpdater {
+    inherit pname version;
+    url = "https://anongit.gentoo.org/git/proj/pax-utils.git";
+    rev-prefix = "v";
+  };
+
+  meta = with lib; {
+    description = "ELF utils that can check files for security relevant properties";
+    longDescription = ''
+      A suite of ELF tools to aid auditing systems. Contains
+      various ELF related utils for ELF32, ELF64 binaries useful
+      for displaying PaX and security info on a large groups of
+      binary files.
+    '';
+    homepage = "https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities";
+    license = licenses.gpl2Only;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ thoughtpolice joachifm ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/paxctl/default.nix b/nixpkgs/pkgs/os-specific/linux/paxctl/default.nix
new file mode 100644
index 000000000000..da9928a66e3b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/paxctl/default.nix
@@ -0,0 +1,34 @@
+{ fetchurl, lib, stdenv, elf-header }:
+
+stdenv.mkDerivation rec {
+  pname = "paxctl";
+  version = "0.9";
+
+  src = fetchurl {
+    url = "https://pax.grsecurity.net/${pname}-${version}.tar.gz";
+    sha256 = "0biw882fp1lmgs6kpxznp1v6758r7dg9x8iv5a06k0b82bcdsc53";
+  };
+
+  buildInputs = [ elf-header ];
+
+  preBuild = ''
+    sed -i Makefile \
+      -e 's|--owner 0 --group 0||g' \
+      -e '/CC:=gcc/d'
+  '';
+
+  makeFlags = [
+    "DESTDIR=$(out)"
+    "MANDIR=share/man/man1"
+  ];
+
+  setupHook = ./setup-hook.sh;
+
+  meta = with lib; {
+    description = "A tool for controlling PaX flags on a per binary basis";
+    homepage    = "https://pax.grsecurity.net";
+    license     = licenses.gpl2;
+    platforms   = platforms.all;
+    maintainers = with maintainers; [ thoughtpolice ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/paxctl/setup-hook.sh b/nixpkgs/pkgs/os-specific/linux/paxctl/setup-hook.sh
new file mode 100644
index 000000000000..11a6bb9910f9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/paxctl/setup-hook.sh
@@ -0,0 +1,8 @@
+# PaX-mark binaries.
+paxmark() {
+    local flags="$1"
+    shift
+
+    paxctl -c "$@"
+    paxctl -zex -${flags} "$@"
+}
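Review bot: In `paxmark`, `-${flags}` is expanded unquoted and the exit status of `paxctl -c` is ignored, so an empty or space-containing first argument silently changes the second command line. `paxctl -zex "-${flags}" "$@"` removes the word splitting. The header comment could also state the contract, e.g. `# paxmark FLAGS FILE...: convert the program header (-c), then reset to default flags (-z) and apply FLAGS`. That wording follows my reading of paxctl's options and should be checked against its man page.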
diff --git a/nixpkgs/pkgs/os-specific/linux/paxtest/default.nix b/nixpkgs/pkgs/os-specific/linux/paxtest/default.nix
new file mode 100644
index 000000000000..aae8c1296c63
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/paxtest/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl, paxctl }:
+
+stdenv.mkDerivation rec {
+  pname = "paxtest";
+  version = "0.9.15";
+
+  src = fetchurl {
+    url    = "https://www.grsecurity.net/~spender/${pname}-${version}.tar.gz";
+    sha256 = "0zv6vlaszlik98gj9200sv0irvfzrvjn46rnr2v2m37x66288lym";
+  };
+
+  enableParallelBuilding = true;
+
+  makefile     = "Makefile.psm";
+  makeFlags    = [ "PAXBIN=${paxctl}/bin/paxctl" "BINDIR=$(out)/bin" "RUNDIR=$(out)/lib/paxtest" ];
+  installFlags = [ "DESTDIR=\"\"" ];
+
+  meta = with lib; {
+    description = "Test various memory protection measures";
+    license     = licenses.gpl2;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ copumpkin joachifm ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pcimem/default.nix b/nixpkgs/pkgs/os-specific/linux/pcimem/default.nix
new file mode 100644
index 000000000000..dda4d0fff0b9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pcimem/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "pcimem";
+  version = "unstable-2018-08-29";
+
+  src = fetchFromGitHub {
+    owner = "billfarrow";
+    repo = pname;
+    rev = "09724edb1783a98da2b7ae53c5aaa87493aabc9b";
+    sha256 = "0zlbvcl5q4hgna11p3w00px1p8qgn8ga79lh6a2m7d597g86kbq3";
+  };
+
+  outputs = [ "out" "doc" ];
+
+  makeFlags = [ "CFLAGS=-Wno-maybe-uninitialized" ];
+
+  installPhase = ''
+    install -D pcimem "$out/bin/pcimem"
+    install -D README "$doc/doc/README"
+  '';
+
+  meta = with lib; {
+    description = "Simple method of reading and writing to memory registers on a PCI card";
+    homepage = "https://github.com/billfarrow/pcimem";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mafo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pcm/default.nix b/nixpkgs/pkgs/os-specific/linux/pcm/default.nix
new file mode 100644
index 000000000000..a5d9771a2f9c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pcm/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "pcm";
+  version = "202112";
+
+  src = fetchFromGitHub {
+    owner = "opcm";
+    repo = "pcm";
+    rev = version;
+    sha256 = "sha256-uuQvj8BcUmuYDwV4r3oqkT+QTcSFcGjBeGUM2NZRFcA=";
+  };
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp pcm*.x $out/bin
+  '';
+
+  meta = with lib; {
+    description = "Processor counter monitor";
+    homepage = "https://www.intel.com/software/pcm";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ roosemberth ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pcmciautils/default.nix b/nixpkgs/pkgs/os-specific/linux/pcmciautils/default.nix
new file mode 100644
index 000000000000..bca58bd808eb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pcmciautils/default.nix
@@ -0,0 +1,55 @@
+{ config, lib, stdenv, fetchurl
+, bison, flex
+, sysfsutils, kmod, udev
+, firmware   ? config.pcmciaUtils.firmware or [] # Special pcmcia cards.
+, configOpts ? config.pcmciaUtils.config or null # Special hardware (map memory & port & irq)
+}:                   # used to generate postInstall script.
+
+# FIXME: should add an option to choose between hotplug and udev.
+stdenv.mkDerivation rec {
+  pname = "pcmciautils";
+  version = "018";
+
+  src = fetchurl {
+    url = "https://kernel.org/pub/linux/utils/kernel/pcmcia/pcmciautils-${version}.tar.gz";
+    sha256 = "0sfm3w2n73kl5w7gb1m6q8gy5k4rgwvzz79n6yhs9w3sag3ix8sk";
+  };
+
+  buildInputs = [udev bison sysfsutils kmod flex];
+
+  patchPhase = ''
+    sed -i "
+      s,/sbin/modprobe,${kmod}&,;
+      s,/lib/udev/,$out/sbin/,;
+    " udev/* # fix-color */
+    sed -i "
+      s,/lib/firmware,$out&,;
+      s,/etc/pcmcia,$out&,;
+    " src/{startup.c,pcmcia-check-broken-cis.c} # fix-color */
+  ''
+  + (if firmware == [] then ''sed -i "s,STARTUP = true,STARTUP = false," Makefile'' else "")
+  + (if configOpts == null then "" else "ln -sf ${configOpts} ./config/config.opts")
+  ;
+
+  makeFlags = [ "LEX=flex" ];
+  installFlags = [ "INSTALL=install" "DESTDIR=${placeholder "out"}" ];
+  postInstall =
+    lib.concatMapStrings (path: ''
+      for f in : $(find ${path} -type f); do
+        test "$f" == ":" && continue;
+        mkdir -p $(dirname $out/lib/firmware/$\{f#${path}});
+        ln -s $f $out/lib/firmware/$\{f#${path}};
+      done;
+    '') firmware;
+
+  meta = {
+    homepage = "https://www.kernel.org/pub/linux/utils/kernel/pcmcia/";
+    longDescription = "
+      PCMCIAutils contains the initialization tools necessary to allow
+      the PCMCIA subsystem to behave (almost) as every other
+      hotpluggable bus system.
+    ";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
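Review bot: The `postInstall` loop writes the shell expansion as `$\{f#${path}}`, but a backslash is not an escape inside a Nix `''` string. The shell therefore receives `$\{f#…}` and, as far as I can tell, treats it as literal text instead of stripping the prefix from `$f`. The Nix escape is `''${`, which gives `mkdir -p $(dirname $out/lib/firmware/''${f#${path}});` and `ln -s $f $out/lib/firmware/''${f#${path}};`. The loop only runs when `firmware` is non-empty, which is probably why this has gone unnoticed.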
diff --git a/nixpkgs/pkgs/os-specific/linux/perf-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/perf-tools/default.nix
new file mode 100644
index 000000000000..8c3e31e45384
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/perf-tools/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub, perl }:
+
+stdenv.mkDerivation {
+  pname = "perf-tools";
+  version = "unstable-2017-12-19";
+
+  src = fetchFromGitHub {
+    owner = "brendangregg";
+    repo = "perf-tools";
+    rev = "98d42a2a1493d2d1c651a5c396e015d4f082eb20";
+    sha256 = "09qnss9pd4kr6qadvp62m2g8sfrj86fksi1rr8m8w4314pzfb93c";
+  };
+
+  buildInputs = [ perl ];
+
+  patchPhase =
+    ''
+      for i in execsnoop iolatency iosnoop kernel/funcslower killsnoop opensnoop; do
+        substituteInPlace $i \
+          --replace /usr/bin/gawk "$(type -p gawk)" \
+          --replace /usr/bin/mawk /no-such-path \
+          --replace /usr/bin/getconf "$(type -p getconf)" \
+          --replace awk=awk "awk=$(type -p gawk)"
+      done
+
+      rm -rf examples deprecated
+    '';
+
+  installPhase =
+    ''
+      d=$out/libexec/perf-tools
+      mkdir -p $d $out/share
+      cp -prvd . $d/
+      ln -s $d/bin $out/bin
+      mv $d/man $out/share/
+    '';
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    homepage = "https://github.com/brendangregg/perf-tools";
+    description = "Performance analysis tools based on Linux perf_events (aka perf) and ftrace";
+    maintainers = [ maintainers.eelco ];
+    license = licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pflask/default.nix b/nixpkgs/pkgs/os-specific/linux/pflask/default.nix
new file mode 100644
index 000000000000..1270a9b9494f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pflask/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, python3, wafHook }:
+
+stdenv.mkDerivation rec {
+  pname = "pflask";
+  version = "unstable-2018-01-23";
+
+  src = fetchFromGitHub {
+    owner = "ghedo";
+    repo = pname;
+    rev = "9ac31ffe2ed29453218aac89ae992abbd6e7cc69";
+    hash = "sha256-bAKPUj/EipZ98kHbZiFZZI3hLVMoQpCrYKMmznpSDhg=";
+  };
+
+  patches = [
+    # Pull patch pending upstream inclusion for -fno-common toolchain support:
+    #  https://github.com/ghedo/pflask/pull/30
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/ghedo/pflask/commit/73ba32ec48e1e0e4a56b1bceed4635711526e079.patch";
+      hash = "sha256-KVuBS7LbYJQv6NXljpSiGGja7ar7W6A6SKzkEjB1B6U=";
+    })
+  ];
+
+  nativeBuildInputs = [ python3 wafHook ];
+
+  postInstall = ''
+    mkdir -p $out/bin
+    cp build/pflask $out/bin
+  '';
+
+  meta = {
+    description = "Lightweight process containers for Linux";
+    homepage = "https://ghedo.github.io/pflask/";
+    license = lib.licenses.bsd2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/phc-intel/default.nix b/nixpkgs/pkgs/os-specific/linux/phc-intel/default.nix
new file mode 100644
index 000000000000..a0d43b2e0e36
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/phc-intel/default.nix
@@ -0,0 +1,52 @@
+{ lib, stdenv, fetchurl, kernel, which }:
+
+# Don't bother with older versions, though some might even work:
+assert lib.versionAtLeast kernel.version "4.10";
+
+let
+  release = "0.4.0";
+  revbump = "rev25"; # don't forget to change forum download id...
+in stdenv.mkDerivation rec {
+  name = "linux-phc-intel-${version}-${kernel.version}";
+  version = "${release}-${revbump}";
+
+  src = fetchurl {
+    sha256 = "1w91hpphd8i0br7g5qra26jdydqar45zqwq6jq8yyz6l0vb10zlz";
+    url = "http://www.linux-phc.org/forum/download/file.php?id=194";
+    name = "phc-intel-pack-${revbump}.tar.bz2";
+  };
+
+  nativeBuildInputs = [ which ] ++ kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = with kernel; [
+    "DESTDIR=$(out)"
+    "KERNELSRC=${dev}/lib/modules/${modDirVersion}/build"
+  ];
+
+  configurePhase = ''
+    make $makeFlags brave
+  '';
+
+  enableParallelBuilding = false;
+
+  installPhase = ''
+    install -m 755   -d $out/lib/modules/${kernel.modDirVersion}/extra/
+    install -m 644 *.ko $out/lib/modules/${kernel.modDirVersion}/extra/
+  '';
+
+  meta = with lib; {
+    description = "Undervolting kernel driver for Intel processors";
+    longDescription = ''
+      PHC is a Linux kernel patch to undervolt processors. This can divide the
+      power consumption of the CPU by two or more, increasing battery life
+      while noticably reducing fan noise. This driver works only on supported
+      Intel architectures.
+    '';
+    homepage = "https://github.com/danielw86dev/phc-intel-dkms";
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    broken = lib.versionAtLeast kernel.version "4.18";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/piper/default.nix b/nixpkgs/pkgs/os-specific/linux/piper/default.nix
new file mode 100644
index 000000000000..5edcd263f0d9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/piper/default.nix
@@ -0,0 +1,38 @@
+{ lib, meson, ninja, pkg-config, gettext, fetchFromGitHub, python3
+, wrapGAppsHook, gtk3, glib, desktop-file-utils, appstream-glib, gnome
+, gobject-introspection }:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "piper";
+  version = "0.5.1";
+
+  format = "other";
+
+  src = fetchFromGitHub {
+    owner  = "libratbag";
+    repo   = "piper";
+    rev    =  version;
+    sha256 = "1nfjnsiwg2rs6gkjsxzhr2708i6di149dgwq3cf6l12rxqpb8arj";
+  };
+
+  nativeBuildInputs = [ meson ninja gettext pkg-config wrapGAppsHook desktop-file-utils appstream-glib gobject-introspection ];
+  buildInputs = [
+    gtk3 glib gnome.adwaita-icon-theme python3
+  ];
+  propagatedBuildInputs = with python3.pkgs; [ lxml evdev pygobject3 ] ++ [
+    gobject-introspection # fixes https://github.com/NixOS/nixpkgs/issues/56943 for now
+  ];
+
+  postPatch = ''
+    chmod +x meson_install.sh # patchShebangs requires executable file
+    patchShebangs meson_install.sh
+  '';
+
+  meta = with lib; {
+    description = "GTK frontend for ratbagd mouse config daemon";
+    homepage    = "https://github.com/libratbag/piper";
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ mvnetbiz ];
+    platforms   = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pipework/default.nix b/nixpkgs/pkgs/os-specific/linux/pipework/default.nix
new file mode 100644
index 000000000000..ea274377ced9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pipework/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchFromGitHub, makeWrapper
+, bridge-utils, iproute2, lxc, openvswitch, docker, busybox, dhcpcd
+}:
+
+stdenv.mkDerivation {
+  pname = "pipework";
+  version = "2017-08-22";
+  src = fetchFromGitHub {
+    owner = "jpetazzo";
+    repo = "pipework";
+    rev = "ae42f1b5fef82b3bc23fe93c95c345e7af65fef3";
+    sha256 = "0c342m0bpq6ranr7dsxk9qi5mg3j5aw9wv85ql8gprdb2pz59qy8";
+  };
+  nativeBuildInputs = [ makeWrapper ];
+  installPhase = ''
+    install -D pipework $out/bin/pipework
+    wrapProgram $out/bin/pipework --prefix PATH : \
+      ${lib.makeBinPath [ bridge-utils iproute2 lxc openvswitch docker busybox dhcpcd ]};
+  '';
+  meta = with lib; {
+    description = "Software-Defined Networking tools for LXC";
+    homepage = "https://github.com/jpetazzo/pipework";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ cstrahan ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pktgen/default.nix b/nixpkgs/pkgs/os-specific/linux/pktgen/default.nix
new file mode 100644
index 000000000000..0ddda99bf592
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pktgen/default.nix
@@ -0,0 +1,48 @@
+{ stdenv, lib, fetchFromGitHub, meson, ninja, pkg-config
+, dpdk, libbsd, libpcap, lua5_3, numactl, util-linux
+, gtk2, which, withGtk ? false
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pktgen";
+  version = "22.04.1";
+
+  src = fetchFromGitHub {
+    owner = "pktgen";
+    repo = "Pktgen-DPDK";
+    rev = "pktgen-${version}";
+    sha256 = "0gbag98i2jq0p2hpvfgc3fiqy2sark1dm72hla4sxmn3gljy3p70";
+  };
+
+  nativeBuildInputs = [ meson ninja pkg-config ];
+
+  buildInputs = [
+    dpdk libbsd libpcap lua5_3 numactl which
+  ] ++ lib.optionals withGtk [
+    gtk2
+  ];
+
+  RTE_SDK = dpdk;
+  GUI = lib.optionalString withGtk "true";
+
+  # requires symbols from this file
+  NIX_LDFLAGS = "-lrte_net_bond";
+
+  postPatch = ''
+    substituteInPlace lib/common/lscpu.h --replace /usr/bin/lscpu ${util-linux}/bin/lscpu
+  '';
+
+  postInstall = ''
+    # meson installs unneeded files with conflicting generic names, such as
+    # include/cli.h and lib/liblua.so.
+    rm -rf $out/include $out/lib
+  '';
+
+  meta = with lib; {
+    description = "Traffic generator powered by DPDK";
+    homepage = "http://dpdk.org/";
+    license = licenses.bsdOriginal;
+    platforms =  platforms.linux;
+    maintainers = [ maintainers.abuibrahim ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/ply/default.nix b/nixpkgs/pkgs/os-specific/linux/ply/default.nix
new file mode 100644
index 000000000000..dbd8925a5cb3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ply/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, kernel, fetchFromGitHub, autoreconfHook, bison, flex, p7zip, rsync }:
+
+stdenv.mkDerivation rec {
+  pname = "ply";
+  version = "2.1.1-${lib.substring 0 7 src.rev}";
+
+  nativeBuildInputs = [ autoreconfHook flex bison p7zip rsync ];
+
+  src = fetchFromGitHub {
+    owner = "iovisor";
+    repo = "ply";
+    rev = "e25c9134b856cc7ffe9f562ff95caf9487d16b59";
+    sha256 = "1178z7vvnjwnlxc98g2962v16878dy7bd0b2njsgn4vqgrnia7i5";
+  };
+
+  preAutoreconf = ''
+    # If kernel sources are a folder (i.e. fetched from git), we just copy them in
+    # Since they are owned by uid 0 and read-only, we need to fix permissions
+    if [ -d ${kernel.src} ]; then
+      cp -r ${kernel.src} linux-${kernel.version}
+      chown -R $(whoami): linux-${kernel.version}
+      chmod -R a+w linux-${kernel.version}
+    else
+      # ply wants to install header files to its build directory
+      # use 7z to handle multiple archive formats transparently
+      7z x ${kernel.src} -so | 7z x -aoa -si -ttar
+    fi
+
+    configureFlagsArray+=(--with-kerneldir=$(echo $(pwd)/linux-*))
+    ./autogen.sh --prefix=$out
+  '';
+
+  meta = with lib; {
+    description = "Dynamic tracing in Linux";
+    homepage = "https://wkz.github.io/ply/";
+    license = [ licenses.gpl2Only ];
+    maintainers = with maintainers; [ mic92 mbbx6spp ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/plymouth/default.nix b/nixpkgs/pkgs/os-specific/linux/plymouth/default.nix
new file mode 100644
index 000000000000..4e755a28db8b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/plymouth/default.nix
@@ -0,0 +1,102 @@
+{ lib
+, stdenv
+, fetchpatch
+, fetchFromGitLab
+, pkg-config
+, autoreconfHook
+, libxslt
+, docbook-xsl-nons
+, gettext
+, gtk3
+, systemd
+, pango
+, cairo
+, libdrm
+}:
+
+stdenv.mkDerivation rec {
+  pname = "plymouth";
+  version = "unstable-2021-10-18";
+
+  outputs = [
+    "out"
+    "dev"
+  ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "plymouth";
+    repo = "plymouth";
+    rev = "18363cd887dbfe7e82a2f4cc1a49ef9513919142";
+    sha256 = "sha256-+AP4ALOFdYFt/8MDXjMaHptkogCwK1iXKuza1zfMaws=";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    docbook-xsl-nons
+    gettext
+    libxslt
+    pkg-config
+  ];
+
+  buildInputs = [
+    cairo
+    gtk3
+    libdrm
+    pango
+    systemd
+  ];
+
+  postPatch = ''
+    sed -i \
+      -e "s#plymouthplugindir=.*#plymouthplugindir=/etc/plymouth/plugins/#" \
+      -e "s#plymouththemedir=.*#plymouththemedir=/etc/plymouth/themes#" \
+      -e "s#plymouthpolicydir=.*#plymouthpolicydir=/etc/plymouth/#" \
+      -e "s#plymouthconfdir=.*#plymouthconfdir=/etc/plymouth/#" \
+      configure.ac
+  '';
+
+  configurePlatforms = [ "host" ];
+
+  configureFlags = [
+    "--enable-documentation"
+    "--enable-drm"
+    "--enable-gtk"
+    "--enable-pango"
+    "--enable-systemd-integration"
+    "--enable-tracing"
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "--with-background-color=0x000000"
+    "--with-background-end-color-stop=0x000000"
+    "--with-background-start-color-stop=0x000000"
+    "--with-logo=/etc/plymouth/logo.png"
+    "--with-release-file=/etc/os-release"
+    "--with-runtimedir=/run"
+    "--with-systemdunitdir=${placeholder "out"}/etc/systemd/system"
+    "--without-rhgb-compat-link"
+    "--without-system-root-install"
+    "ac_cv_path_SYSTEMD_ASK_PASSWORD_AGENT=${lib.getBin systemd}/bin/systemd-tty-ask-password-agent"
+  ];
+
+  installFlags = [
+    "localstatedir=\${TMPDIR}"
+    "plymouthd_confdir=${placeholder "out"}/etc/plymouth"
+    "plymouthd_defaultsdir=${placeholder "out"}/share/plymouth"
+    "sysconfdir=${placeholder "out"}/etc"
+  ];
+
+  postInstall = ''
+    # Makes a symlink to /usr/share/pixmaps/system-logo-white.png
+    # We'll handle it in the nixos module.
+    rm $out/share/plymouth/themes/spinfinity/header-image.png
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.freedesktop.org/wiki/Software/Plymouth/";
+    description = "Boot splash and boot logger";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.goibhniu ] ++ teams.gnome.members;
+    platforms = platforms.linux;
+  };
+}
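Review bot: `postPatch` rewrites `plymouthplugindir`, `plymouththemedir`, `plymouthpolicydir` and `plymouthconfdir` in configure.ac to paths under /etc/plymouth, with no comment explaining it. The built daemon will then resolve its plugins and themes from mutable system state rather than from its own store path. That is presumably deliberate so the NixOS module can assemble the directory, but it moves the trust boundary for what gets loaded at boot and should be recorded. I would add `# plugins, themes and config are looked up in /etc/plymouth, which the NixOS module populates; the store output is not searched`.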
diff --git a/nixpkgs/pkgs/os-specific/linux/pm-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/pm-utils/default.nix
new file mode 100644
index 000000000000..4076641717f4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pm-utils/default.nix
@@ -0,0 +1,56 @@
+{ lib, stdenv, fetchurl, coreutils, gnugrep, util-linux, kmod
+, procps, kbd, dbus }:
+
+let
+
+  binPath = lib.makeBinPath
+    [ coreutils gnugrep util-linux kmod procps kbd dbus ];
+
+  sbinPath = lib.makeSearchPathOutput "bin" "sbin"
+    [ procps ];
+
+in
+
+stdenv.mkDerivation rec {
+  pname = "pm-utils";
+  version = "1.4.1";
+
+  src = fetchurl {
+    url = "https://pm-utils.freedesktop.org/releases/pm-utils-${version}.tar.gz";
+    sha256 = "02qc6zaf7ams6qcc470fwb6jvr4abv3lrlx16clqpn36501rkn4f";
+  };
+
+  configureFlags = [ "--sysconfdir=/etc" ];
+
+  preConfigure =
+    ''
+      # Install the manpages (xmlto isn't really needed).
+      substituteInPlace man/Makefile.in --replace '@HAVE_XMLTO_TRUE@' ""
+
+      # Set the PATH properly.
+      substituteInPlace pm/pm-functions.in --replace '/sbin:/usr/sbin:/bin:/usr/bin' '$PATH:${binPath}:${sbinPath}'
+
+      substituteInPlace src/pm-action.in --replace 'tr ' '${coreutils}/bin/tr '
+
+      substituteInPlace pm/sleep.d/00logging --replace /bin/uname "$(type -P uname)"
+
+      substituteInPlace pm/sleep.d/90clock --replace /sbin/hwclock hwclock
+    '';
+
+  postInstall =
+    ''
+      # Remove some hooks that have doubtful usefulness.  See
+      # http://zinc.canonical.com/~cking/power-benchmarking/pm-utils-results/results.txt.
+      # In particular, journal-commit breaks things if you have
+      # read-only bind mounts, since it ends up remounting the
+      # underlying filesystem read-only.
+      rm $out/lib/pm-utils/power.d/{journal-commit,readahead}
+    '';
+
+  meta = {
+    homepage = "https://pm-utils.freedesktop.org/wiki/";
+    description = "A small collection of scripts that handle suspend and resume on behalf of HAL";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
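Review bot: The `pm/pm-functions.in` substitution in `preConfigure` builds the search path as `$PATH:${binPath}:${sbinPath}`, so anything already on the caller's `PATH` shadows the pinned store tools. That includes the bare `hwclock` which the `90clock` substitution now resolves by name. These scripts run around suspend and resume, normally with elevated privileges, so I would put the store paths first: `--replace '/sbin:/usr/sbin:/bin:/usr/bin' '${binPath}:${sbinPath}:$PATH'`. If the inherited-first order is intentional, a comment giving the reason would help.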
diff --git a/nixpkgs/pkgs/os-specific/linux/pmount/default.nix b/nixpkgs/pkgs/os-specific/linux/pmount/default.nix
new file mode 100644
index 000000000000..0f65e0278cab
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pmount/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchurl, intltool, ntfs3g, util-linux
+, mediaDir ? "/media/"
+, lockDir ? "/var/lock/pmount"
+, whiteList ? "/etc/pmount.allow"
+}:
+
+# constraint mention in the configure.ac
+assert lib.hasSuffix "/" mediaDir;
+
+stdenv.mkDerivation rec {
+  pname = "pmount";
+  version = "0.9.23";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/p/pmount/pmount_${version}.orig.tar.bz2";
+    sha256 = "db38fc290b710e8e9e9d442da2fb627d41e13b3ee80326c15cc2595ba00ea036";
+  };
+
+  buildInputs = [ intltool util-linux ];
+
+  configureFlags = [
+    "--with-media-dir=${mediaDir}"
+    "--with-lock-dir=${lockDir}"
+    "--with-whitelist=${whiteList}"
+    "--with-mount-prog=${util-linux}/bin/mount"
+    "--with-umount-prog=${util-linux}/bin/umount"
+    "--with-mount-ntfs3g=${ntfs3g}/sbin/mount.ntfs-3g"
+  ];
+
+  postConfigure = ''
+    # etc/Mafile.am is hardcoded and it does not respect the --prefix option.
+    substituteInPlace ./etc/Makefile --replace DESTDIR prefix
+    # Do not change ownership & Do not add the set user ID bit
+    substituteInPlace ./src/Makefile --replace '-o root -g root -m 4755 ' '-m 755 '
+  '';
+
+  doCheck = false; # fails 1 out of 1 tests with "Error: could not open fstab-type file: No such file or directory"
+
+  meta = {
+    homepage = "https://bazaar.launchpad.net/~fourmond/pmount/main/files";
+    description = "Mount removable devices as normal user";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
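Review bot: The comment above the `src/Makefile` substitution in `postConfigure` says the setuid bit is dropped, but not what follows from that: installed with `-m 755`, the binaries presumably cannot mount anything for an unprivileged user until a setuid-root wrapper is configured outside this package. I would extend the comment to `# The Nix store cannot hold setuid binaries; a setuid-root wrapper (e.g. NixOS security.wrappers) is needed before normal users can mount.` The comment one line earlier also misspells the file as `etc/Mafile.am`.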
diff --git a/nixpkgs/pkgs/os-specific/linux/policycoreutils/default.nix b/nixpkgs/pkgs/os-specific/linux/policycoreutils/default.nix
new file mode 100644
index 000000000000..c066dd4c4c5c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/policycoreutils/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }:
+
+stdenv.mkDerivation rec {
+  pname = "policycoreutils";
+  version = "3.3";
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/policycoreutils-${version}.tar.gz";
+    sha256 = "0y0hl32b2ks7r0fhbx3k2j1gqqms5aplyasjs3fz50caxl6096a1";
+  };
+
+  postPatch = ''
+    # Fix install references
+    substituteInPlace po/Makefile \
+       --replace /usr/bin/install install --replace /usr/share /share
+    substituteInPlace newrole/Makefile --replace /usr/share /share
+
+    sed -i -e '39i#include <crypt.h>' run_init/run_init.c
+  '';
+
+  nativeBuildInputs = [ gettext ];
+  buildInputs = [ libsepol libselinux libsemanage ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "SBINDIR=$(out)/bin"
+    "ETCDIR=$(out)/etc"
+    "BASHCOMPLETIONDIR=$out/share/bash-completion/completions"
+    "LOCALEDIR=$(out)/share/locale"
+    "MAN5DIR=$(out)/share/man/man5"
+  ];
+
+  meta = with lib; {
+    description = "SELinux policy core utilities";
+    license = licenses.gpl2;
+    inherit (libsepol.meta) homepage platforms maintainers;
+  };
+}
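Review bot: `"BASHCOMPLETIONDIR=$out/share/bash-completion/completions"` in `makeFlags` uses `$out` where every other entry uses `$(out)`. As far as I can tell these flags reach make without shell expansion, and make reads `$out` as the variable `o` followed by the literal `ut`, so the completions would land under a relative `ut/share/...` path instead of the output. Use `"BASHCOMPLETIONDIR=$(out)/share/bash-completion/completions"`.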
diff --git a/nixpkgs/pkgs/os-specific/linux/pommed-light/default.nix b/nixpkgs/pkgs/os-specific/linux/pommed-light/default.nix
new file mode 100644
index 000000000000..113cedfab2e9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pommed-light/default.nix
@@ -0,0 +1,75 @@
+{ lib, stdenv
+, fetchFromGitHub
+, fetchpatch
+, pciutils
+, libconfuse
+, alsa-lib
+, audiofile
+, pkg-config
+, zlib
+, eject
+}:
+
+stdenv.mkDerivation rec {
+  pname = "pommed-light";
+  version = "1.51lw";
+
+  src = fetchFromGitHub {
+    owner = "bytbox";
+    repo = "pommed-light";
+    rev = "v${version}";
+    sha256 = "18fvdwwhcl6s4bpf2f2i389s71c8k4g0yb81am9rdddqmzaw27iy";
+  };
+
+  patches = [
+    # Pull fix pending upstream inclusion for -fno-common toolchain support:
+    #   https://github.com/bytbox/pommed-light/pull/38
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/bytbox/pommed-light/commit/5848b49b45a9c3ab047ebd17deb2162daab1e0b8.patch";
+      sha256 = "15rsq2i4rqp4ssab20486a1wgxi2cp87b7nxyk9h23gdwld713vf";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace pommed.conf.mactel --replace /usr $out
+    substituteInPlace pommed.conf.pmac --replace /usr $out
+    substituteInPlace pommed/beep.h --replace /usr $out
+    substituteInPlace pommed/cd_eject.c --replace /usr/bin/eject ${eject}/bin/eject
+  '';
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    pciutils
+    libconfuse
+    alsa-lib
+    audiofile
+    zlib
+    eject
+  ];
+
+  installPhase = ''
+    install -Dm755 pommed/pommed $out/bin/pommed
+    install -Dm644 pommed.conf.mactel $out/etc/pommed.conf.mactel
+    install -Dm644 pommed.conf.pmac $out/etc/pommed.conf.pmac
+
+    # Man page
+    install -Dm644 pommed.1 $out/share/man/man1/pommed.1
+
+    # Sounds
+    install -Dm644 pommed/data/goutte.wav $out/share/pommed/goutte.wav
+    install -Dm644 pommed/data/click.wav $out/share/pommed/click.wav
+  '';
+
+  meta = {
+    description = "A trimmed version of the pommed hotkey handler for MacBooks";
+    longDescription = ''
+      This is a stripped-down version of pommed with client, dbus, and
+      ambient light sensor support removed, optimized for use with dwm
+      and the like.
+    '';
+    homepage = "https://github.com/bytbox/pommed-light";
+    platforms = [ "x86_64-linux" ];
+    license = lib.licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/power-calibrate/default.nix b/nixpkgs/pkgs/os-specific/linux/power-calibrate/default.nix
new file mode 100644
index 000000000000..884b2d0e01cd
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/power-calibrate/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "power-calibrate";
+  version = "0.01.34";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-T2fCTE+snNt1ylOpVR0JfT2x0lWrgItpfjtUx/zjaQw=";
+  };
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Tool to calibrate power consumption";
+    homepage = "https://github.com/ColinIanKing/power-calibrate";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ dtzWill ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/power-profiles-daemon/default.nix b/nixpkgs/pkgs/os-specific/linux/power-profiles-daemon/default.nix
new file mode 100644
index 000000000000..402b2536163c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/power-profiles-daemon/default.nix
@@ -0,0 +1,142 @@
+{ stdenv
+, lib
+, pkg-config
+, meson
+, ninja
+, fetchFromGitLab
+, fetchpatch
+, libgudev
+, glib
+, polkit
+, dbus
+, gobject-introspection
+, gettext
+, gtk-doc
+, docbook-xsl-nons
+, docbook_xml_dtd_412
+, libxml2
+, libxslt
+, upower
+, umockdev
+, systemd
+, python3
+, wrapGAppsNoGuiHook
+, nixosTests
+}:
+
+let
+  testPythonPkgs = ps: with ps; [
+    pygobject3
+    dbus-python
+    python-dbusmock
+  ];
+in
+stdenv.mkDerivation rec {
+  pname = "power-profiles-daemon";
+  version = "0.12";
+
+  outputs = [ "out" "devdoc" ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "hadess";
+    repo = "power-profiles-daemon";
+    rev = version;
+    sha256 = "sha256-2eMFPGVLwTBIlaB1zM3BzHrhydgBEm+kvx+VIZdUDPM=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    gettext
+    gtk-doc
+    docbook-xsl-nons
+    docbook_xml_dtd_412
+    libxml2 # for xmllint for stripping GResources
+    libxslt # for xsltproc for building docs
+    gobject-introspection
+    wrapGAppsNoGuiHook
+    python3.pkgs.wrapPython
+  ];
+
+  buildInputs = [
+    libgudev
+    systemd
+    upower
+    glib
+    polkit
+    python3 # for cli tool
+    # Duplicate from checkInputs until https://github.com/NixOS/nixpkgs/issues/161570 is solved
+    umockdev
+  ];
+
+  strictDeps = true;
+
+  # for cli tool
+  pythonPath = [
+    python3.pkgs.pygobject3
+  ];
+
+  checkInputs = [
+    umockdev
+    dbus
+    (python3.withPackages testPythonPkgs)
+  ];
+
+  mesonFlags = [
+    "-Dsystemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
+    "-Dgtk_doc=true"
+    "-Dtests=true"
+  ];
+
+  doCheck = true;
+
+  PKG_CONFIG_POLKIT_GOBJECT_1_POLICYDIR = "${placeholder "out"}/share/polkit-1/actions";
+
+  # Avoid double wrapping
+  dontWrapGApps = true;
+
+  postPatch = ''
+    patchShebangs --build \
+      tests/integration-test.py \
+      tests/unittest_inspector.py
+  '';
+
+  preInstall = ''
+    # We have pkexec on PATH so Meson will try to use it when installation fails
+    # due to being unable to write to e.g. /etc.
+    # Let’s pretend we already ran pkexec –
+    # the pkexec on PATH would complain it lacks setuid bit,
+    # obscuring the underlying error.
+    # https://github.com/mesonbuild/meson/blob/492cc9bf95d573e037155b588dc5110ded4d9a35/mesonbuild/minstall.py#L558
+    export PKEXEC_UID=-1
+  '';
+
+  postCheck = ''
+    # Do not contaminate the wrapper with test dependencies.
+    unset GI_TYPELIB_PATH
+    unset XDG_DATA_DIRS
+  '';
+
+  postFixup = ''
+    # Avoid double wrapping
+    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
+    # Make Python libraries available
+    wrapPythonProgramsIn "$out/bin" "$pythonPath"
+  '';
+
+  passthru = {
+    tests = {
+      nixos = nixosTests.power-profiles-daemon;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://gitlab.freedesktop.org/hadess/power-profiles-daemon";
+    description = "Makes user-selected power profiles handling available over D-Bus";
+    platforms = platforms.linux;
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ jtojnar mvnetbiz ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/powercap/default.nix b/nixpkgs/pkgs/os-specific/linux/powercap/default.nix
new file mode 100644
index 000000000000..96ec83852d9d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/powercap/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, cmake }:
+
+stdenv.mkDerivation rec {
+  pname = "powercap";
+  version = "0.6.0";
+
+  src = fetchFromGitHub {
+    owner = "powercap";
+    repo = "powercap";
+    rev = "v${version}";
+    sha256 = "sha256-l+IpFqBnCYUU825++sUPySD/Ku0TEIX2kt+S0Wml6iA=";
+  };
+
+  nativeBuildInputs = [ cmake ];
+
+  cmakeFlags = [
+    "-DBUILD_SHARED_LIBS=On"
+  ];
+
+  meta = with lib; {
+    description = "Tools and library to read/write to the Linux power capping framework (sysfs interface)";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ rowanG077 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/powerstat/default.nix b/nixpkgs/pkgs/os-specific/linux/powerstat/default.nix
new file mode 100644
index 000000000000..86f2e124ed29
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/powerstat/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "powerstat";
+  version = "0.02.27";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-P6DhsHnB+ak35JpUfD8Q8XbgMhI1QKKe31B8uMT2ZcY=";
+  };
+
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Laptop power measuring tool";
+    homepage = "https://github.com/ColinIanKing/powerstat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ womfoo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/powertop/default.nix b/nixpkgs/pkgs/os-specific/linux/powertop/default.nix
new file mode 100644
index 000000000000..2b498d9ddc91
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/powertop/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, gettext, libnl, ncurses, pciutils
+, pkg-config, zlib, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  pname = "powertop";
+  version = "2.14";
+
+  src = fetchFromGitHub {
+    owner = "fenrus75";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1zkr2y5nb1nr22nq8a3zli87iyfasfq6489p7h1k428pv8k45w4f";
+  };
+
+  patches = [
+    # Pull upstream patch for ncurses-6.3 compatibility
+    (fetchpatch {
+      name = "ncurses-6.3.patch";
+      url = "https://github.com/fenrus75/powertop/commit/9ef1559a1582f23d599c149601c3a8e06809296c.patch";
+      sha256 = "0qx69f3bwhxgsga9nas8lgrclf1rxvr7fq7fd2n8dv3x4lsb46j1";
+    })
+  ];
+
+  outputs = [ "out" "man" ];
+
+  nativeBuildInputs = [ pkg-config autoreconfHook ];
+  buildInputs = [ gettext libnl ncurses pciutils zlib ];
+
+  NIX_LDFLAGS = [ "-lpthread" ];
+
+  postPatch = ''
+    substituteInPlace src/main.cpp --replace "/sbin/modprobe" "modprobe"
+    substituteInPlace src/calibrate/calibrate.cpp --replace "/usr/bin/xset" "xset"
+    substituteInPlace src/tuning/bluetooth.cpp --replace "/usr/bin/hcitool" "hcitool"
+  '';
+
+  meta = with lib; {
+    description = "Analyze power consumption on Intel-based laptops";
+    homepage = "https://01.org/powertop";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fpletz ];
+    platforms = platforms.linux;
+  };
+}
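Review bot: The `postPatch` substitutions turn `/sbin/modprobe`, `/usr/bin/xset` and `/usr/bin/hcitool` into bare names, so the helpers are resolved through whatever `PATH` the caller happens to have. powertop is normally run as root, so I would pin at least the module loader to a store path: `substituteInPlace src/main.cpp --replace "/sbin/modprobe" "${kmod}/bin/modprobe"`, with `kmod` added to the function arguments. If `xset` and `hcitool` are meant to stay optional, a comment saying they are deliberately looked up on `PATH` would make that intent explicit.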
diff --git a/nixpkgs/pkgs/os-specific/linux/pps-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/pps-tools/default.nix
new file mode 100644
index 000000000000..66754e5148ec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pps-tools/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "pps-tools";
+  version = "1.0.3";
+
+  src = fetchFromGitHub {
+    owner = "redlab-i";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-eLLFHrCgOQzOtVxlAsZ5X91KK+vZiKMGL7zbQFiIZtI=";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mkdir -p $dev/include
+    mkdir -p $out/{usr/bin,usr/include/sys}
+    make install DESTDIR=$out
+    mv $out/usr/bin/* $out/bin
+    mv $out/usr/include/* $dev/include/
+    rm -rf $out/usr/
+  '';
+
+  meta = with lib; {
+    description = "User-space tools for LinuxPPS";
+    homepage = "http://linuxpps.org/";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ sorki ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/prl-tools/autostart.desktop b/nixpkgs/pkgs/os-specific/linux/prl-tools/autostart.desktop
new file mode 100644
index 000000000000..b8eb27fdd992
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/prl-tools/autostart.desktop
@@ -0,0 +1,8 @@
+[Desktop Entry]
+Version=@version@
+Encoding=UTF-8
+Name=@description@
+Type=Application
+Exec=@exec@
+X-KDE-autostart-phase=1
+GenericName[en_US]=
diff --git a/nixpkgs/pkgs/os-specific/linux/prl-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/prl-tools/default.nix
new file mode 100644
index 000000000000..0b4acc44400e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/prl-tools/default.nix
@@ -0,0 +1,159 @@
+{ stdenv
+, lib
+, makeWrapper
+, p7zip
+, gawk
+, util-linux
+, xorg
+, glib
+, dbus-glib
+, zlib
+, bbe
+, bash
+, timetrap
+, netcat
+, cups
+, kernel ? null
+, libsOnly ? false
+, fetchurl
+, undmg
+, perl
+, autoPatchelfHook
+}:
+
+assert (!libsOnly) -> kernel != null;
+
+stdenv.mkDerivation rec {
+  version = "18.0.0-53049";
+  pname = "prl-tools";
+
+  # We download the full distribution to extract prl-tools-lin.iso from
+  # => ${dmg}/Parallels\ Desktop.app/Contents/Resources/Tools/prl-tools-lin.iso
+  src = fetchurl {
+    url = "https://download.parallels.com/desktop/v${lib.versions.major version}/${version}/ParallelsDesktop-${version}.dmg";
+    sha256 = "sha256-MGiqCvOsu/sKz6JHJFGP5bT12XYnm2kTMdOiflg9ses=";
+  };
+
+  hardeningDisable = [ "pic" "format" ];
+
+  nativeBuildInputs = [ p7zip undmg perl bbe autoPatchelfHook ]
+    ++ lib.optionals (!libsOnly) [ makeWrapper ] ++ kernel.moduleBuildDependencies;
+
+  buildInputs = with xorg; [ libXrandr libXext libX11 libXcomposite libXinerama ]
+    ++ lib.optionals (!libsOnly) [ libXi glib dbus-glib zlib ];
+
+  runtimeDependencies = [ glib xorg.libXrandr ];
+
+  inherit libsOnly;
+
+  unpackPhase = ''
+    undmg "${src}"
+    export sourceRoot=prl-tools-build
+    7z x "Parallels Desktop.app/Contents/Resources/Tools/prl-tools-lin${lib.optionalString stdenv.isAarch64 "-arm"}.iso" -o$sourceRoot
+    if test -z "$libsOnly"; then
+      ( cd $sourceRoot/kmods; tar -xaf prl_mod.tar.gz )
+    fi
+  '';
+
+  kernelVersion = lib.optionalString (!libsOnly) kernel.modDirVersion;
+  kernelDir = lib.optionalString (!libsOnly) "${kernel.dev}/lib/modules/${kernelVersion}";
+
+  libPath = lib.concatStringsSep ":" [ "${glib.out}/lib" "${xorg.libXrandr}/lib" ];
+
+  scriptPath = lib.concatStringsSep ":" (lib.optionals (!libsOnly) [
+    "${util-linux}/bin"
+    "${gawk}/bin"
+    "${bash}/bin"
+    "${timetrap}/bin"
+    "${netcat}/bin"
+    "${cups}/sbin"
+  ]);
+
+  buildPhase = ''
+    if test -z "$libsOnly"; then
+      ( # kernel modules
+        cd kmods
+        make -f Makefile.kmods \
+          KSRC=$kernelDir/source \
+          HEADERS_CHECK_DIR=$kernelDir/source \
+          KERNEL_DIR=$kernelDir/build \
+          SRC=$kernelDir/build \
+          KVER=$kernelVersion
+      )
+    fi
+  '';
+
+  installPhase = ''
+    if test -z "$libsOnly"; then
+      ( # kernel modules
+        cd kmods
+        mkdir -p $out/lib/modules/${kernelVersion}/extra
+        cp prl_fs/SharedFolders/Guest/Linux/prl_fs/prl_fs.ko $out/lib/modules/${kernelVersion}/extra
+        cp prl_fs_freeze/Snapshot/Guest/Linux/prl_freeze/prl_fs_freeze.ko $out/lib/modules/${kernelVersion}/extra
+        cp prl_tg/Toolgate/Guest/Linux/prl_tg/prl_tg.ko $out/lib/modules/${kernelVersion}/extra
+        ${lib.optionalString stdenv.isAarch64
+        "cp prl_notifier/Installation/lnx/prl_notifier/prl_notifier.ko $out/lib/modules/${kernelVersion}/extra"}
+      )
+    fi
+
+    ( # tools
+      cd tools/tools${if stdenv.isAarch64 then "-arm64" else if stdenv.isx86_64 then "64" else "32"}
+      mkdir -p $out/lib
+
+      if test -z "$libsOnly"; then
+        # prltoolsd contains hardcoded /bin/bash path
+        # we're lucky because it uses only -c command
+        # => replace to /bin/sh
+        bbe -e "s:/bin/bash:/bin/sh\x00\x00:" -o bin/prltoolsd.tmp bin/prltoolsd
+        rm -f bin/prltoolsd
+        mv bin/prltoolsd.tmp bin/prltoolsd
+
+        # install binaries
+        for i in bin/* sbin/prl_nettool sbin/prl_snapshot; do
+          # also patch binaries to replace /usr/bin/XXX to XXX
+          # here a two possible cases:
+          # 1. it is uses as null terminated string and should be truncated by null;
+          # 2. it is uses inside shell script and should be truncated by space.
+          for p in bin/* sbin/prl_nettool sbin/prl_snapshot sbin/prlfsmountd; do
+            p=$(basename $p)
+            bbe -e "s:/usr/bin/$p\x00:./$p\x00\x00\x00\x00\x00\x00\x00\x00:" -o $i.tmp $i
+            bbe -e "s:/usr/sbin/$p\x00:./$p\x00\x00\x00\x00\x00\x00\x00\x00 :" -o $i $i.tmp
+            bbe -e "s:/usr/bin/$p:$p         :" -o $i.tmp $i
+            bbe -e "s:/usr/sbin/$p:$p          :" -o $i $i.tmp
+          done
+
+          install -Dm755 $i $out/$i
+        done
+
+        install -Dm755 ../../tools/prlfsmountd.sh $out/sbin/prlfsmountd
+        for f in $out/bin/* $out/sbin/*; do
+          wrapProgram $f \
+            --prefix LD_LIBRARY_PATH ':' "$libPath" \
+            --prefix PATH ':' "$scriptPath"
+        done
+
+        for i in lib/libPrl*.0.0; do
+          cp $i $out/lib
+          ln -s $out/$i $out/''${i%.0.0}
+        done
+
+        mkdir -p $out/share/man/man8
+        install -Dm644 ../mount.prl_fs.8 $out/share/man/man8
+
+        substituteInPlace ../99prltoolsd-hibernate \
+          --replace "/bin/bash" "${bash}/bin/bash"
+
+        mkdir -p $out/etc/pm/sleep.d
+        install -Dm644 ../99prltoolsd-hibernate $out/etc/pm/sleep.d
+      fi
+    )
+  '';
+
+  meta = with lib; {
+    description = "Parallels Tools for Linux guests";
+    homepage = "https://parallels.com";
+    platforms = platforms.linux;
+    license = licenses.unfree;
+    maintainers = with maintainers; [ catap wegank ];
+  };
+}
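Review bot: `nativeBuildInputs` appends `kernel.moduleBuildDependencies` unconditionally, so the `libsOnly = true` case with the default `kernel = null`, which the `assert` explicitly permits, fails at evaluation. Guard it like the other kernel references: `++ lib.optionals (!libsOnly) ([ makeWrapper ] ++ kernel.moduleBuildDependencies);`. Separately, the `bbe` rewrite of `/usr/bin/$p\x00` to `./$p\x00…` in `installPhase` makes those lookups relative to the process's working directory. For tools that presumably run as root in the guest, a comment stating which directory they are started from would help a reviewer judge that.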
diff --git a/nixpkgs/pkgs/os-specific/linux/procdump/default.nix b/nixpkgs/pkgs/os-specific/linux/procdump/default.nix
new file mode 100644
index 000000000000..05ec4b90ed70
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/procdump/default.nix
@@ -0,0 +1,61 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, bash, coreutils, gdb, zlib }:
+
+stdenv.mkDerivation rec {
+  pname = "procdump";
+  version = "1.2";
+
+  src = fetchFromGitHub {
+    owner = "Microsoft";
+    repo = "ProcDump-for-Linux";
+    rev = version;
+    sha256 = "sha256-gVswAezHl7E2cBTJEQhPFXhHkzhWVHSpPF8m0s8+ekc=";
+  };
+
+  patches = [
+    # Pull upstream patch to fix parallel builds:
+    #  https://github.com/Sysinternals/ProcDump-for-Linux/pull/133
+    (fetchpatch {
+      name = "parallel.patch";
+      url = "https://github.com/Sysinternals/ProcDump-for-Linux/commit/0d735836f11281cc6134be93eac8acb302f2055e.patch";
+      sha256 = "sha256-zsqllPHF8ZuXAIDSAPvbzdKa43uSSx9ilUKM1vFVW90=";
+    })
+  ];
+
+  nativeBuildInputs = [ zlib ];
+  buildInputs = [ bash coreutils gdb ];
+
+  postPatch = ''
+    substituteInPlace src/CoreDumpWriter.c \
+      --replace '"gcore ' '"${gdb}/bin/gcore ' \
+      --replace '"rm ' '"${coreutils}/bin/rm ' \
+      --replace '/bin/bash' '${bash}/bin/bash'
+  '';
+
+  makeFlags = [
+    "DESTDIR=${placeholder "out"}"
+    "INSTALLDIR=/bin"
+    "MANDIR=/share/man/man1"
+  ];
+
+  enableParallelBuilding = true;
+
+  doCheck = false; # needs sudo root
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    runHook preInstallCheck
+    set +o pipefail
+    ($out/bin/procdump -h | grep "ProcDump v${version}") ||
+      (echo "ERROR: ProcDump is not the expected version or does not run properly" ; exit 1)
+    set -o pipefail
+    runHook postInstallCheck
+  '';
+
+  meta = with lib; {
+    description = "A Linux version of the ProcDump Sysinternals tool";
+    homepage = "https://github.com/Microsoft/ProcDump-for-Linux";
+    license = licenses.mit;
+    maintainers = with maintainers; [ c0bw3b ];
+    platforms = platforms.linux;
+  };
+}
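Review bot: `zlib` is listed in `nativeBuildInputs`, but it looks like a library the resulting binary links against rather than a tool run during the build, so it belongs with the host dependencies: `buildInputs = [ bash coreutils gdb zlib ];`. As written this only resolves correctly when the build and host platforms are the same.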
diff --git a/nixpkgs/pkgs/os-specific/linux/procps-ng/default.nix b/nixpkgs/pkgs/os-specific/linux/procps-ng/default.nix
new file mode 100644
index 000000000000..1d19d9151175
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/procps-ng/default.nix
@@ -0,0 +1,68 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, ncurses
+, pkg-config
+
+  # `ps` with systemd support is able to properly report different
+  # attributes like unit name, so we want to have it on linux.
+, withSystemd ? stdenv.isLinux
+, systemd
+
+  # procps is mostly Linux-only. Most commands require a running Linux
+  # system (or very similar like that found in Cygwin). The one
+  # exception is ‘watch’ which is portable enough to run on pretty much
+  # any UNIX-compatible system.
+, watchOnly ? !(stdenv.isLinux || stdenv.isCygwin)
+}:
+
+stdenv.mkDerivation rec {
+  pname = "procps";
+  version = "3.3.16";
+
+  # The project's releases are on SF, but git repo on gitlab.
+  src = fetchurl {
+    url = "mirror://sourceforge/procps-ng/procps-ng-${version}.tar.xz";
+    sha256 = "1br0g93ysqhlv13i1k4lfbimsgxnpy5rgs4lxfc9rkzdbpbaqplj";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://gitlab.com/procps-ng/procps/-/commit/bb96fc42956c9ed926a1b958ab715f8b4a663dec.diff";
+      sha256 = "0fzsb6ns3fvrszyzsz28qvbmcn135ilr4nwh2z1a0vlpl2fw961z";
+      name = "sysconf-argmax-sanity.patch";
+    })
+  ];
+
+  buildInputs = [ ncurses ]
+    ++ lib.optional withSystemd systemd;
+  nativeBuildInputs = [ pkg-config ];
+
+  makeFlags = [ "usrbin_execdir=$(out)/bin" ]
+    ++ lib.optionals watchOnly [ "watch" "PKG_LDFLAGS=" ];
+
+  enableParallelBuilding = true;
+
+  # Too red
+  configureFlags = [ "--disable-modern-top" ]
+    ++ lib.optional withSystemd "--with-systemd"
+    ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ];
+
+  installPhase = lib.optionalString watchOnly ''
+    install -m 0755 -D watch $out/bin/watch
+    install -m 0644 -D watch.1 $out/share/man/man1/watch.1
+  '';
+
+  meta = with lib; {
+    homepage = "https://gitlab.com/procps-ng/procps";
+    description = "Utilities that give information about processes using the /proc filesystem";
+    priority = 11; # less than coreutils, which also provides "kill" and "uptime"
+    license = licenses.gpl2;
+    platforms = platforms.unix;
+    maintainers = [ maintainers.typetetris ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/projecteur/default.nix b/nixpkgs/pkgs/os-specific/linux/projecteur/default.nix
new file mode 100644
index 000000000000..63de7453935c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/projecteur/default.nix
@@ -0,0 +1,32 @@
+{ lib, mkDerivation, fetchFromGitHub,
+  cmake, pkg-config,
+  qtbase, qtgraphicaleffects, wrapQtAppsHook }:
+mkDerivation rec {
+  pname = "projecteur";
+  version = "0.9.2";
+
+  src = fetchFromGitHub {
+    owner = "jahnf";
+    repo = "Projecteur";
+    rev = "v${version}";
+    fetchSubmodules = false;
+    sha256 = "sha256-kg6oYtJ4H5A6RNATBg+XvMfCb9FlhEBFjfxamGosMQg=";
+  };
+
+  buildInputs = [ qtbase qtgraphicaleffects ];
+  nativeBuildInputs = [ wrapQtAppsHook cmake pkg-config ];
+
+  cmakeFlags = [
+    "-DCMAKE_INSTALL_PREFIX:PATH=${placeholder "out"}"
+    "-DPACKAGE_TARGETS=OFF"
+    "-DCMAKE_INSTALL_UDEVRULESDIR=${placeholder "out"}/lib/udev/rules.d"
+  ];
+
+  meta = with lib; {
+    description = "Linux/X11 application for the Logitech Spotlight device (and similar devices).";
+    homepage = "https://github.com/jahnf/Projecteur";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ benneti ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/pscircle/default.nix b/nixpkgs/pkgs/os-specific/linux/pscircle/default.nix
new file mode 100644
index 000000000000..a293790cc97c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/pscircle/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchFromGitLab, meson, pkg-config, ninja, cairo }:
+
+stdenv.mkDerivation rec {
+  pname = "pscircle";
+  version = "1.3.1";
+
+  src = fetchFromGitLab {
+    owner = "mildlyparallel";
+    repo = "pscircle";
+    rev = "v${version}";
+    sha256 = "1sm99423hh90kr4wdjqi9sdrrpk65j2vz2hzj65zcxfxyr6khjci";
+  };
+
+  nativeBuildInputs = [
+    meson
+    pkg-config
+    ninja
+  ];
+
+  buildInputs = [
+    cairo
+  ];
+
+  meta = with lib; {
+    homepage = "https://gitlab.com/mildlyparallel/pscircle";
+    description = "Visualize Linux processes in a form of a radial tree";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.ldesgoui ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/psftools/default.nix b/nixpkgs/pkgs/os-specific/linux/psftools/default.nix
new file mode 100644
index 000000000000..5d8c39bb145c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/psftools/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl }:
+stdenv.mkDerivation rec {
+  pname = "psftools";
+  version = "1.1.1";
+  src = fetchurl {
+    url = "https://www.seasip.info/Unix/PSF/${pname}-${version}.tar.gz";
+    sha256 = "sha256-MecY4JsIXTgHdkrFkQ+C3fC6OEFRUgjUgf7qxfKeZtM=";
+  };
+  outputs = ["out" "man" "dev" "lib"];
+
+  meta = with lib; {
+    homepage = "https://www.seasip.info/Unix/PSF";
+    description = "Conversion tools for .PSF fonts";
+    longDescription = ''
+      The PSFTOOLS are designed to manipulate fixed-width bitmap fonts,
+      such as DOS or Linux console fonts. Both the PSF1 (8 pixels wide)
+      and PSF2 (any width) formats are supported; the default output
+      format is PSF2.
+    '';
+    platforms = platforms.unix;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ kaction ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/psmisc/default.nix b/nixpkgs/pkgs/os-specific/linux/psmisc/default.nix
new file mode 100644
index 000000000000..e2f0fe59a075
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/psmisc/default.nix
@@ -0,0 +1,33 @@
+{lib, stdenv, fetchFromGitLab, autoconf, automake, gettext, ncurses}:
+
+stdenv.mkDerivation rec {
+  pname = "psmisc";
+  version = "23.5";
+
+  src = fetchFromGitLab {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-02jvRPqN8DS30ID42hQFu400NoFC5QiH5YA3NB+EoFI=";
+  };
+
+  nativeBuildInputs = [ autoconf automake gettext ];
+  buildInputs = [ ncurses ];
+
+  preConfigure = lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
+    # Goes past the rpl_malloc linking failure
+    export ac_cv_func_malloc_0_nonnull=yes
+    export ac_cv_func_realloc_0_nonnull=yes
+  '' + ''
+    echo $version > .tarball-version
+    ./autogen.sh
+  '';
+
+  meta = with lib; {
+    homepage = "https://gitlab.com/psmisc/psmisc";
+    description = "A set of small useful utilities that use the proc filesystem (such as fuser, killall and pstree)";
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ ryantm ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/qc71_laptop/default.nix b/nixpkgs/pkgs/os-specific/linux/qc71_laptop/default.nix
new file mode 100644
index 000000000000..92818ccfb096
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/qc71_laptop/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "qc71_laptop";
+  version = "unstable-2022-06-01";
+
+  src = fetchFromGitHub {
+    owner = "pobrn";
+    repo = "qc71_laptop";
+    rev = "28106e0602807d78d1f5fa220ab6148dd6477c1c";
+    hash = "sha256-3bhw2HbEVuxPfGMt/eE2nCuMLHzYHRY3nRWPzZxKHro=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = kernel.makeFlags ++ [
+    "VERSION=${version}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D qc71_laptop.ko -t $out/lib/modules/${kernel.modDirVersion}/extra
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Linux driver for QC71 laptop";
+    homepage = "https://github.com/pobrn/qc71_laptop/";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ aacebedo ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/qmk-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/qmk-udev-rules/default.nix
new file mode 100644
index 000000000000..5e956f3baf34
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/qmk-udev-rules/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+## Usage
+# In NixOS, simply add this package to services.udev.packages:
+#   services.udev.packages = [ pkgs.qmk-udev-rules ];
+
+stdenv.mkDerivation rec {
+  pname = "qmk-udev-rules";
+  version = "0.15.25";
+
+  src = fetchFromGitHub {
+    owner = "qmk";
+    repo = "qmk_firmware";
+    rev = version;
+    sha256 = "4U1/9DgoKZ1Al76lZ2P8x4LIvtqaJPLq81cCSCy+9iE=";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    install -D util/udev/50-qmk.rules $out/lib/udev/rules.d/50-qmk.rules
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/qmk/qmk_firmware";
+    description = "Official QMK udev rules list";
+    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ ekleog ];
+  };
+}
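Review bot: `install -D util/udev/50-qmk.rules …` in `installPhase` sets no mode, and `install` defaults to 0755, so the rules file ends up executable in the store. Use `install -Dm644 util/udev/50-qmk.rules $out/lib/udev/rules.d/50-qmk.rules`. The `install -D qc71_laptop.ko -t …` line in the qc71_laptop hunk has the same omission.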
diff --git a/nixpkgs/pkgs/os-specific/linux/r8125/default.nix b/nixpkgs/pkgs/os-specific/linux/r8125/default.nix
new file mode 100644
index 000000000000..30f8da7d5f4c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/r8125/default.nix
@@ -0,0 +1,47 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "r8125";
+  # On update please verify (using `diff -r`) that the source matches the
+  # realtek version.
+  version = "9.004.01";
+
+  # This is a mirror. The original website[1] doesn't allow non-interactive
+  # downloads, instead emailing you a download link.
+  # [1] https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software
+  src = fetchFromGitHub {
+    owner = "louistakepillz";
+    repo = "r8125";
+    rev = version;
+    sha256 = "0h2y4mzydhc7var5281bk2jj1knig6i64k11ii4b94az3g9dbq24";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preBuild = ''
+    substituteInPlace src/Makefile --replace "BASEDIR :=" "BASEDIR ?="
+    substituteInPlace src/Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
+  '';
+
+  makeFlags = [
+    "BASEDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+  ];
+
+  buildFlags = [ "modules" ];
+
+  meta = with lib; {
+    homepage = "https://github.com/louistakepillz/r8125";
+    downloadPage = "https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software";
+    description = "Realtek r8125 driver";
+    longDescription = ''
+      A kernel module for Realtek 8125 2.5G network cards.
+    '';
+    # r8125 has been integrated into the kernel as of v5.9.1
+    broken = lib.versionAtLeast kernel.version "5.9.1";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ peelz ];
+  };
+}
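Review bot: The comment above `version` asks for a `diff -r` check against the Realtek release on every update, but nothing in this file records that the check was done for 9.004.01, and `src` is a personal GitHub mirror of an out-of-tree kernel module. The `sha256` only pins what the mirror served when the package was written; it does not show that the content matches the vendor tarball. I would record the result next to `src`, for example `# 9.004.01 compared with the Realtek tarball using diff -r on <date>: identical`, with the date filled in by whoever ran the comparison. The same gap exists in r8168/default.nix in this commit, where the recorded check is for 8.046.00 while `version` is 8.048.03.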
diff --git a/nixpkgs/pkgs/os-specific/linux/r8168/default.nix b/nixpkgs/pkgs/os-specific/linux/r8168/default.nix
new file mode 100644
index 000000000000..bcf5fb8956ab
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/r8168/default.nix
@@ -0,0 +1,59 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+
+let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/r8168";
+
+in stdenv.mkDerivation rec {
+  name = "r8168-${kernel.version}-${version}";
+  # on update please verify that the source matches the realtek version
+  version = "8.048.03";
+
+  # This is a mirror. The original website[1] doesn't allow non-interactive
+  # downloads, instead emailing you a download link.
+  # [1] https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software
+  # I've verified manually (`diff -r`) that the source code for version 8.046.00
+  # is the same as the one available on the realtek website.
+  src = fetchFromGitHub {
+    owner = "mtorromeo";
+    repo = "r8168";
+    rev = version;
+    sha256 = "1l8llpcnapcaafxp7wlyny2ywh7k6q5zygwwjl9h0l6p04cghss4";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  # avoid using the Makefile directly -- it doesn't understand
+  # any kernel but the current.
+  # based on the ArchLinux pkgbuild: https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/r8168
+  makeFlags = kernel.makeFlags ++ [
+    "-C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(PWD)/src"
+    "modules"
+  ];
+  preBuild = ''
+    makeFlagsArray+=("EXTRA_CFLAGS=-DCONFIG_R8168_NAPI -DCONFIG_R8168_VLAN -DCONFIG_ASPM -DENABLE_S5WOL -DENABLE_EEE")
+  '';
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents '{}' ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f '{}' \;
+  '';
+
+  meta = with lib; {
+    description = "Realtek r8168 driver";
+    longDescription = ''
+      A kernel module for Realtek 8168 network cards.
+      If you want to use this driver, you might need to blacklist the r8169 driver
+      by adding "r8169" to boot.blacklistedKernelModules.
+    '';
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ timokau ];
+    broken = kernel.kernelAtLeast "5.17";
+  };
+}
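Review bot: `installPhase` replaces the default phase without calling `runHook preInstall` and `runHook postInstall`, so any `preInstall`/`postInstall` added later by an override is silently ignored. qc71_laptop and qmk-udev-rules in this commit already wrap their install commands in those two hooks; doing the same here keeps the packages consistent. The custom `installPhase` in raspberrypi-eeprom, regionset and rfkill/udev.nix has the same omission.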
diff --git a/nixpkgs/pkgs/os-specific/linux/radeontools/default.nix b/nixpkgs/pkgs/os-specific/linux/radeontools/default.nix
new file mode 100644
index 000000000000..01b83f879119
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/radeontools/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl
+, autoreconfHook
+, pciutils
+, pkg-config
+, xorg
+}:
+
+stdenv.mkDerivation rec {
+  pname = "radeontool";
+  version = "1.6.3";
+
+  src = fetchurl {
+    url = "https://people.freedesktop.org/~airlied/radeontool/${pname}-${version}.tar.gz";
+    sha256 = "0mjk9wr9rsb17yy92j6yi16hfpa6v5r1dbyiy60zp4r125wr63za";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ xorg.libpciaccess ];
+
+  meta = with lib; {
+    description = "Lowlevel tools to tweak register and dump state on radeon GPUs";
+    homepage = "https://airlied.livejournal.com/";
+    license = licenses.zlib;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/radeontop/default.nix b/nixpkgs/pkgs/os-specific/linux/radeontop/default.nix
new file mode 100644
index 000000000000..9e9cb5845e4e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/radeontop/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, gettext, makeWrapper
+, ncurses, libdrm, libpciaccess, libxcb }:
+
+stdenv.mkDerivation rec {
+  pname = "radeontop";
+  version = "1.4";
+
+  src = fetchFromGitHub {
+    sha256 = "0kwqddidr45s1blp0h8r8h1dd1p50l516yb6mb4s6zsc827xzgg3";
+    rev = "v${version}";
+    repo = "radeontop";
+    owner = "clbr";
+  };
+
+  buildInputs = [ ncurses libdrm libpciaccess libxcb ];
+  nativeBuildInputs = [ pkg-config gettext makeWrapper ];
+
+  enableParallelBuilding = true;
+
+  patchPhase = ''
+    substituteInPlace getver.sh --replace ver=unknown ver=${version}
+    substituteInPlace Makefile --replace pkg-config "$PKG_CONFIG"
+  '';
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  postInstall = ''
+    wrapProgram $out/bin/radeontop \
+      --prefix LD_LIBRARY_PATH : $out/lib
+  '';
+
+  meta = with lib; {
+    description = "Top-like tool for viewing AMD Radeon GPU utilization";
+    longDescription = ''
+      View GPU utilization, both for the total activity percent and individual
+      blocks. Supports R600 and later cards: even Southern Islands should work.
+      Works with both the open drivers and AMD Catalyst. Total GPU utilization
+      is also valid for OpenCL loads; the other blocks are only useful for GL
+      loads. Requires root rights or other permissions to read /dev/mem.
+    '';
+    homepage = "https://github.com/clbr/radeontop";
+    platforms = platforms.linux;
+    license = licenses.gpl3;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rasdaemon/default.nix b/nixpkgs/pkgs/os-specific/linux/rasdaemon/default.nix
new file mode 100644
index 000000000000..cccd91fff8e1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rasdaemon/default.nix
@@ -0,0 +1,111 @@
+{ lib, stdenv, fetchFromGitHub
+, autoreconfHook
+, glibcLocales, kmod, coreutils, perl
+, dmidecode, hwdata, sqlite
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "rasdaemon";
+  version = "0.6.8";
+
+  src = fetchFromGitHub {
+    owner = "mchehab";
+    repo = "rasdaemon";
+    rev = "v${version}";
+    sha256 = "sha256-gcwoc9lIJyqUiCSAHf1U8geLG58CxzjMFYFl8moaA2Q=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  buildInputs = [
+    coreutils
+    glibcLocales
+    hwdata
+    kmod
+    sqlite
+    (perl.withPackages (ps: with ps; [ DBI DBDSQLite ]))
+  ]
+  ++ lib.optionals (!stdenv.isAarch64) [ dmidecode ];
+
+  configureFlags = [
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+    "--with-sysconfdefdir=${placeholder "out"}/etc/sysconfig"
+    "--enable-sqlite3"
+    "--enable-aer"
+    "--enable-mce"
+    "--enable-extlog"
+    "--enable-non-standard"
+    "--enable-abrt-report"
+    "--enable-hisi-ns-decode"
+    "--enable-devlink"
+    "--enable-diskerror"
+    "--enable-memory-failure"
+    "--enable-memory-ce-pfa"
+    "--enable-amp-ns-decode"
+  ]
+  ++ lib.optionals (stdenv.isAarch64) [ "--enable-arm" ];
+
+  # The installation attempts to create the following directories:
+  # /var/lib/rasdaemon
+  #   location of the RAS event log generated by rasdaemon -r
+  # /etc/ras/dimm_labels.d
+  #   location of the DIMM labels generated by ras-mc-ctl
+  # /etc/sysconfig/rasdaemon
+  #   location of rasdaemon config file, currently only used for CE PFA config
+
+  # these are optional (for logging, DIMM label storage and user config)
+  # /var/lib/rasdaemon should be created by the NixOS module
+  # /etc/ras/dimm_labels.d should probably be generated,
+  # from user supplied content, in the NixOS module
+  # /etc/sysconfig/rasdaemon should be generated if there is user supplied content
+  # and default to $out/etc/sysconfig/rasdaemon which should hold the supplied default
+
+  # therefore, stripping these from the generated Makefile
+  # (needed in the config flags because those set where the tools look for these)
+
+# easy way out, ends up installing /nix/store/...rasdaemon/bin in $out
+
+  postConfigure = ''
+    substituteInPlace Makefile \
+      --replace '"$(DESTDIR)/etc/ras/dimm_labels.d"' '"$(prefix)/etc/ras/dimm_labels.d"'
+  '';
+
+  outputs = [ "out" "dev" "man" "inject" ];
+
+  postInstall = ''
+    install -Dm 0755 contrib/edac-fake-inject $inject/bin/edac-fake-inject
+    install -Dm 0755 contrib/edac-tests $inject/bin/edac-tests
+  '';
+
+  postFixup = ''
+    # Fix dmidecode and modprobe paths
+    substituteInPlace $out/bin/ras-mc-ctl \
+      --replace 'find_prog ("modprobe")  or exit (1)' '"${kmod}/bin/modprobe"'
+  ''
+  + lib.optionalString (!stdenv.isAarch64) ''
+    substituteInPlace $out/bin/ras-mc-ctl \
+      --replace 'find_prog ("dmidecode")' '"${dmidecode}/bin/dmidecode"'
+  '';
+
+  passthru.tests = nixosTests.rasdaemon;
+
+  meta = with lib; {
+    description = ''
+      A Reliability, Availability and Serviceability (RAS) logging tool using EDAC kernel tracing events
+    '';
+    longDescription = ''
+      Rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
+      tool. It records memory errors, using the EDAC tracing events. EDAC is a
+      Linux kernel subsystem with handles detection of ECC errors from memory
+      controllers for most chipsets on i386 and x86_64 architectures. EDAC
+      drivers for other architectures like arm also exists.
+    '';
+    homepage = "https://github.com/mchehab/rasdaemon";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    changelog = "https://github.com/mchehab/rasdaemon/blob/v${version}/ChangeLog";
+    maintainers = with maintainers; [ evils ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix b/nixpkgs/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix
new file mode 100644
index 000000000000..c2ce195faf1c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix
@@ -0,0 +1,58 @@
+{ stdenvNoCC, lib, fetchFromGitHub, makeWrapper
+, python3, binutils-unwrapped, findutils, kmod, pciutils, libraspberrypi
+}:
+stdenvNoCC.mkDerivation rec {
+  pname = "raspberrypi-eeprom";
+  version = "unstable-2022-03-10";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "rpi-eeprom";
+    rev = "e8927007e3800db3a72100ee6cd38b0d9b687c16";
+    hash = "sha256-/hn6l5gheh6E3zoANwU1SXYgdry2IjOT9Muw2jkrtCU=";
+  };
+
+  buildInputs = [ python3 ];
+  nativeBuildInputs = [ makeWrapper ];
+
+  postPatch = ''
+    # Don't try to verify md5 signatures from /var/lib/dpkg and
+    # fix path to the configuration.
+    substituteInPlace rpi-eeprom-update \
+      --replace 'IGNORE_DPKG_CHECKSUMS=''${LOCAL_MODE}' 'IGNORE_DPKG_CHECKSUMS=1' \
+      --replace '/etc/default' '/etc'
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/share/rpi-eeprom
+
+    cp rpi-eeprom-config rpi-eeprom-update rpi-eeprom-digest $out/bin
+    cp -r firmware/{beta,critical,old,stable} $out/share/rpi-eeprom
+    cp -P firmware/default firmware/latest $out/share/rpi-eeprom
+  '';
+
+  fixupPhase = ''
+    patchShebangs $out/bin
+    for i in rpi-eeprom-update rpi-eeprom-config; do
+      wrapProgram $out/bin/$i \
+        --set FIRMWARE_ROOT $out/share/rpi-eeprom \
+        ${lib.optionalString stdenvNoCC.isAarch64 "--set VCMAILBOX ${libraspberrypi}/bin/vcmailbox"} \
+        --prefix PATH : "${lib.makeBinPath ([
+          binutils-unwrapped
+          findutils
+          kmod
+          pciutils
+          (placeholder "out")
+        ] ++ lib.optionals stdenvNoCC.isAarch64 [
+          libraspberrypi
+        ])}"
+    done
+  '';
+
+  meta = with lib; {
+    description = "Installation scripts and binaries for the closed sourced Raspberry Pi 4 EEPROMs";
+    homepage = "https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md";
+    license = with licenses; [ bsd3 unfreeRedistributableFirmware ];
+    maintainers = with maintainers; [ das_j ];
+  };
+}
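Review bot: The `postPatch` comment speaks of "md5 signatures", but `IGNORE_DPKG_CHECKSUMS=1` switches off a checksum comparison, and the comment does not say what protects the shipped firmware images instead. Here the files under `$out/share/rpi-eeprom` come from the `src` pinned by `rev` and `hash`, which is presumably the intended integrity control, and that should be stated so nobody reads the change as a plain weakening. Suggested wording: `# No dpkg database on NixOS, so skip the dpkg md5sum check; the firmware is pinned by the src hash instead.` Overriding `fixupPhase` wholesale also drops the standard fixup steps apart from the `patchShebangs` call made by hand; `postFixup` would keep them.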
diff --git a/nixpkgs/pkgs/os-specific/linux/rdma-core/default.nix b/nixpkgs/pkgs/os-specific/linux/rdma-core/default.nix
new file mode 100644
index 000000000000..aeed100fd84c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rdma-core/default.nix
@@ -0,0 +1,52 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, docutils
+, pandoc, ethtool, iproute2, libnl, udev, python3, perl
+} :
+
+
+stdenv.mkDerivation rec {
+  pname = "rdma-core";
+  version = "41.0";
+
+  src = fetchFromGitHub {
+    owner = "linux-rdma";
+    repo = "rdma-core";
+    rev = "v${version}";
+    sha256 = "sha256-D6pgWdJKA6ZL+atFChqSW7hI6/dYfDBRzvb6hu1wxPg=";
+  };
+
+  strictDeps = true;
+  nativeBuildInputs = [ cmake pkg-config pandoc docutils python3 ];
+  buildInputs = [ libnl ethtool iproute2 udev perl ];
+
+  cmakeFlags = [
+    "-DCMAKE_INSTALL_RUNDIR=/run"
+    "-DCMAKE_INSTALL_SHAREDSTATEDIR=/var/lib"
+  ];
+
+  postPatch = ''
+    substituteInPlace srp_daemon/srp_daemon.sh.in \
+      --replace /bin/rm rm
+  '';
+
+  postInstall = ''
+    # cmake script is buggy, move file manually
+    mkdir -p $out/${perl.libPrefix}
+    mv $out/share/perl5/* $out/${perl.libPrefix}
+  '';
+
+  postFixup = ''
+    for pls in $out/bin/{ibfindnodesusing.pl,ibidsverify.pl}; do
+      echo "wrapping $pls"
+      substituteInPlace $pls --replace \
+        "${perl}/bin/perl" "${perl}/bin/perl -I $out/${perl.libPrefix}"
+    done
+  '';
+
+  meta = with lib; {
+    description = "RDMA Core Userspace Libraries and Daemons";
+    homepage = "https://github.com/linux-rdma/rdma-core";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ markuskowa ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/read-edid/default.nix b/nixpkgs/pkgs/os-specific/linux/read-edid/default.nix
new file mode 100644
index 000000000000..6e040d3cbffb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/read-edid/default.nix
@@ -0,0 +1,31 @@
+{ stdenv, lib, fetchurl, cmake, libx86 }:
+
+stdenv.mkDerivation rec {
+  pname = "read-edid";
+  version = "3.0.2";
+
+  src = fetchurl {
+    url = "http://www.polypux.org/projects/read-edid/${pname}-${version}.tar.gz";
+    sha256 = "0vqqmwsgh2gchw7qmpqk6idgzcm5rqf2fab84y7gk42v1x2diin7";
+  };
+
+  patches = [ ./fno-common.patch ];
+
+  postPatch = ''
+    substituteInPlace CMakeLists.txt --replace 'COPYING' 'LICENSE'
+  '';
+
+  nativeBuildInputs = [ cmake ];
+  buildInputs = lib.optional stdenv.hostPlatform.isx86 libx86;
+
+  cmakeFlags = [ "-DCLASSICBUILD=${if stdenv.hostPlatform.isx86 then "ON" else "OFF"}" ];
+
+
+  meta = with lib; {
+    description = "Tool for reading and parsing EDID data from monitors";
+    homepage = "http://www.polypux.org/projects/read-edid/";
+    license = licenses.bsd2; # Quoted: "This is an unofficial license. Let's call it BSD-like."
+    maintainers = [ maintainers.dezgeg ];
+    platforms = platforms.linux;
+  };
+}
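Review bot: `src` is fetched over plain `http://`, so the `sha256` in the `fetchurl` call is the only integrity control for this tarball. That is sufficient for builds, but whoever bumps `version` and prefetches the new hash over HTTP cannot tell a modified tarball from the real one. If the host serves the same path over HTTPS, switch `url` and `meta.homepage` to `https://`; if it does not, add a comment that a new hash must be checked against an independent copy of the release. regionset/default.nix in this commit fetches from `http://linvdr.org/` in the same way.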
diff --git a/nixpkgs/pkgs/os-specific/linux/read-edid/fno-common.patch b/nixpkgs/pkgs/os-specific/linux/read-edid/fno-common.patch
new file mode 100644
index 000000000000..336b48b66ad8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/read-edid/fno-common.patch
@@ -0,0 +1,22 @@
+--- a/get-edid/classic.c
++++ b/get-edid/classic.c
+@@ -26,7 +26,7 @@ typedef byte* real_ptr;
+ #define dosmemput(buffer,length,offset) memcpy(offset,buffer,length)
+ 
+ #define display(...) if (quiet == 0) { fprintf(stderr, __VA_ARGS__); }
+-int quiet;
++extern int quiet;
+ 
+ real_ptr far_ptr_to_real_ptr( uint32 farptr )
+ {
+--- a/get-edid/i2c.c
++++ b/get-edid/i2c.c
+@@ -15,7 +15,7 @@
+ 
+ //Ideas (but not too much actual code) taken from i2c-tools. Thanks guys.
+ 
+-int quiet;
++extern int quiet;
+ 
+ #define display(...) if (quiet == 0) { fprintf(stderr, __VA_ARGS__); }
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/reap/default.nix b/nixpkgs/pkgs/os-specific/linux/reap/default.nix
new file mode 100644
index 000000000000..fbbabc96c781
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/reap/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "reap";
+  version = "0.3-unreleased";
+
+  src = fetchFromGitHub {
+    owner = "leahneukirchen";
+    repo = "reap";
+    rev = "0e68d09804fb9ec82af37045fb37c2ceefa391d5";
+    hash = "sha256-4Bv7stW5PKcODQanup37YbiUWrEGR6BuSFXibAHmwn0=";
+  };
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  postInstall = ''
+    install -dm755 "$out/share/licenses/reap/"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/leahneukirchen/reap";
+    description = "run process until all its spawned processes are dead ";
+    license = with licenses; [ publicDomain ];
+    platforms = platforms.linux;
+    maintainers = [ maintainers.leahneukirchen ];
+  };
+}
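Review bot: `postInstall` creates `$out/share/licenses/reap/` with `install -d` but copies nothing into it, so the output ships an empty directory. Either install the licence file there or drop the hook; the file name is not visible in this hunk, so something like `install -Dm644 <license-file> -t "$out/share/licenses/reap/"` with the real name filled in. The `description` string also ends with a stray space and starts in lower case.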
diff --git a/nixpkgs/pkgs/os-specific/linux/regionset/default.nix b/nixpkgs/pkgs/os-specific/linux/regionset/default.nix
new file mode 100644
index 000000000000..f685eec19488
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/regionset/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+let version = "0.2"; in
+stdenv.mkDerivation {
+  pname = "regionset";
+  inherit version;
+
+  src = fetchurl {
+    url = "http://linvdr.org/download/regionset/regionset-${version}.tar.gz";
+    sha256 = "1fgps85dmjvj41a5bkira43vs2aiivzhqwzdvvpw5dpvdrjqcp0d";
+  };
+
+  installPhase = ''
+    install -Dm755 {.,$out/bin}/regionset
+    install -Dm644 {.,$out/share/man/man8}/regionset.8
+  '';
+
+  meta = with lib; {
+    inherit version;
+    homepage = "http://linvdr.org/projects/regionset/";
+    description = "Tool for changing the region code setting of DVD players";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/reptyr/default.nix b/nixpkgs/pkgs/os-specific/linux/reptyr/default.nix
new file mode 100644
index 000000000000..f02b0acd3492
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/reptyr/default.nix
@@ -0,0 +1,36 @@
+{ stdenv, lib, fetchFromGitHub, python2 }:
+
+stdenv.mkDerivation rec {
+  version = "0.9.0";
+  pname = "reptyr";
+
+  src = fetchFromGitHub {
+    owner = "nelhage";
+    repo = "reptyr";
+    rev = "reptyr-${version}";
+    sha256 = "sha256-gM3aMEqk71RWUN1NxByd21tIzp6PmJ54Cqrh5MsjHtI=";
+  };
+
+  makeFlags = [ "PREFIX=" "DESTDIR=$(out)" ];
+
+  checkInputs = [ (python2.withPackages (p: [ p.pexpect ])) ];
+  doCheck = true;
+
+  meta = {
+    platforms = [
+      "i686-linux"
+      "x86_64-linux"
+      "i686-freebsd"
+      "x86_64-freebsd"
+      "armv5tel-linux"
+      "armv6l-linux"
+      "armv7l-linux"
+      "aarch64-linux"
+      "riscv64-linux"
+    ];
+    maintainers = with lib.maintainers; [raskin];
+    license = lib.licenses.mit;
+    description = "Reparent a running program to a new terminal";
+    homepage = "https://github.com/nelhage/reptyr";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/restool/default.nix b/nixpkgs/pkgs/os-specific/linux/restool/default.nix
new file mode 100644
index 000000000000..add68522e7f9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/restool/default.nix
@@ -0,0 +1,51 @@
+{ stdenv, lib, fetchgit, bash, coreutils, dtc, file, gawk, gnugrep, gnused, pandoc, which }:
+
+stdenv.mkDerivation rec {
+  pname = "restool";
+  version = "2.4";
+
+  src = fetchgit {
+    url = "https://source.codeaurora.org/external/qoriq/qoriq-components/restool";
+    rev = "abd2f5b7181db9d03db9e6ccda0194923b73e9a2";
+    sha256 = "sha256-ryTDyqSy39e8Omf7l8lK4mLWr8jccDhMVPldkVGSQVo=";
+  };
+
+  nativeBuildInputs = [ file pandoc ];
+  buildInputs = [ bash coreutils dtc gawk gnugrep gnused which ];
+
+  enableParallelBuilding = true;
+  makeFlags = [
+    "prefix="
+    "bindir_completion=/share/bash-completion/completions"
+    "DESTDIR=$(out)"
+    "VERSION=${version}"
+  ];
+
+  postPatch = ''
+    # -Werror makes this derivation fragile on compiler version upgrades, patch
+    # it out.
+    sed -i /-Werror/d Makefile
+  '';
+
+  preFixup = ''
+    # wrapProgram interacts badly with the ls-main tool, which relies on the
+    # shell's $0 argument to figure out which operation to run (busybox-style
+    # symlinks). Instead, inject the environment directly into the shell
+    # scripts we need to wrap.
+    for tool in ls-append-dpl ls-debug ls-main; do
+      sed -i "1 a export PATH=\"$out/bin:${lib.makeBinPath buildInputs}:\$PATH\"" $out/bin/$tool
+    done
+  '';
+
+  meta = with lib; {
+    description = "DPAA2 Resource Management Tool";
+    longDescription = ''
+      restool is a user space application providing the ability to dynamically
+      create and manage DPAA2 containers and objects from Linux.
+    '';
+    homepage = "https://source.codeaurora.org/external/qoriq/qoriq-components/restool/about/";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ delroth ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rewritefs/default.nix b/nixpkgs/pkgs/os-specific/linux/rewritefs/default.nix
new file mode 100644
index 000000000000..e78d5f2d164c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rewritefs/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, fuse3, pcre }:
+
+stdenv.mkDerivation {
+  pname = "rewritefs";
+  version = "unstable-2021-10-03";
+
+  src = fetchFromGitHub {
+    owner  = "sloonz";
+    repo   = "rewritefs";
+    rev    = "3a56de8b5a2d44968b8bc3885c7d661d46367306";
+    sha256 = "1w2rik0lhqm3wr68x51zs45gqfx79l7fi4p0sqznlfq7sz5s8xxn";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ fuse3 pcre ];
+
+  prePatch = ''
+    # do not set sticky bit in nix store
+    substituteInPlace Makefile --replace 6755 0755
+  '';
+
+  preConfigure = "substituteInPlace Makefile --replace /usr/local $out";
+
+  meta = with lib; {
+    description = ''A FUSE filesystem intended to be used
+      like Apache mod_rewrite'';
+    homepage    = "https://github.com/sloonz/rewritefs";
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ rnhmjoj ];
+    platforms   = platforms.linux;
+  };
+}
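Review bot: The comment in `prePatch` says "sticky bit", but the mode being replaced, `6755`, carries the setuid and setgid bits; the sticky bit would be `1755`. The difference matters to users, because the packaged binary is no longer setuid. If upstream relies on that for unprivileged mounts, which this hunk does not show, the privilege has to come from a NixOS `security.wrappers` entry instead. I would reword the comment to `# the Nix store cannot hold setuid/setgid files; install with 0755 instead of 6755`.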
diff --git a/nixpkgs/pkgs/os-specific/linux/rfkill/rfkill-hook.sh b/nixpkgs/pkgs/os-specific/linux/rfkill/rfkill-hook.sh
new file mode 100755
index 000000000000..75716e40daee
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rfkill/rfkill-hook.sh
@@ -0,0 +1,19 @@
+#!@shell@
+
+# Executes a hook in case of a change to the
+# rfkill state. The hook can be passed as
+# environment variable, or present as executable
+# file.
+
+if [ -z "$RFKILL_STATE" ]; then
+  echo "rfkill-hook: error: RFKILL_STATE variable not set"
+  exit 1
+fi
+
+if [ -x /run/current-system/etc/rfkill.hook ]; then
+  exec /run/current-system/etc/rfkill.hook
+elif [ ! -z "$RFKILL_HOOK" ]; then
+  exec $RFKILL_HOOK
+else
+  echo "rfkill-hook: $RFKILL_STATE"
+fi
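Review bot: `exec $RFKILL_HOOK` expands the variable unquoted, so its value is word-split and glob-expanded before the exec, in a script that the udev rule in rfkill/udev.nix starts through `RUN+=`. If the variable is meant to hold a single path, write `exec "$RFKILL_HOOK"`; if a command line with arguments is intended, say so in the header comment so the splitting is a documented choice. The `RFKILL_STATE` error message should go to stderr (`>&2`), and `[ ! -z "$RFKILL_HOOK" ]` reads more plainly as `[ -n "$RFKILL_HOOK" ]`.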
diff --git a/nixpkgs/pkgs/os-specific/linux/rfkill/udev.nix b/nixpkgs/pkgs/os-specific/linux/rfkill/udev.nix
new file mode 100644
index 000000000000..e1a14a80162c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rfkill/udev.nix
@@ -0,0 +1,56 @@
+{ lib, stdenv, substituteAll }:
+
+# Provides a facility to hook into rfkill changes.
+#
+# Exemplary usage:
+#
+# Add this package to udev.packages, e.g.:
+#   udev.packages = [ pkgs.rfkill_udev ];
+#
+# Add a hook script in the managed etc directory, e.g.:
+#   etc."rfkill.hook" = {
+#     mode = "0755";
+#     text = ''
+#       #!${pkgs.runtimeShell}
+#
+#       if [ "$RFKILL_STATE" -eq "1" ]; then
+#         exec ${config.system.build.upstart}/sbin/initctl emit -n antenna-on
+#       else
+#         exec ${config.system.build.upstart}/sbin/initctl emit -n antenna-off
+#       fi
+#     '';
+#   }
+
+# Note: this package does not need the binaries
+# in the rfkill package.
+
+let
+  rfkillHook =
+    substituteAll {
+      inherit (stdenv) shell;
+      isExecutable = true;
+      src = ./rfkill-hook.sh;
+    };
+in stdenv.mkDerivation {
+  name = "rfkill-udev";
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p "$out/etc/udev/rules.d/";
+    cat > "$out/etc/udev/rules.d/90-rfkill.rules" << EOF
+      SUBSYSTEM=="rfkill", ATTR{type}=="wlan", RUN+="$out/bin/rfkill-hook.sh"
+    EOF
+
+    mkdir -p "$out/bin/";
+    cp ${rfkillHook} "$out/bin/rfkill-hook.sh"
+  '';
+
+  meta = with lib; {
+    homepage = "http://wireless.kernel.org/en/users/Documentation/rfkill";
+    description = "Rules+hook for udev to catch rfkill state changes";
+    platforms = platforms.linux;
+    license = licenses.mit;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/roccat-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/roccat-tools/default.nix
new file mode 100644
index 000000000000..bea79c2007db
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/roccat-tools/default.nix
@@ -0,0 +1,49 @@
+{ lib, stdenv, fetchurl, cmake, pkg-config, gettext
+, dbus, dbus-glib, libgaminggear, libgudev, lua
+, harfbuzz
+}:
+
+stdenv.mkDerivation rec {
+  pname = "roccat-tools";
+  version = "5.9.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/roccat/${pname}-${version}.tar.bz2";
+    sha256 = "12j02rzbz3iqxprz8cj4kcfcdgnqlva142ci177axqmckcq6crvg";
+  };
+
+  postPatch = ''
+    sed -i -re 's,/(etc/xdg),\1,' roccateventhandler/CMakeLists.txt
+
+    sed -i -e '/roccat_profile_dir(void).*{/,/}/ {
+      /return/c \
+        return g_build_path("/", g_get_user_data_dir(), "roccat", NULL);
+    }' libroccat/roccat_helper.c
+  '';
+
+  nativeBuildInputs = [ cmake pkg-config gettext ];
+  buildInputs = [ dbus dbus-glib libgaminggear libgudev lua ];
+
+  cmakeFlags = [
+    "-DUDEVDIR=\${out}/lib/udev/rules.d"
+    "-DCMAKE_MODULE_PATH=${libgaminggear.dev}/lib/cmake"
+    "-DWITH_LUA=${lua.luaversion}"
+    "-DLIBDIR=lib"
+  ];
+
+  NIX_CFLAGS_COMPILE = [
+    "-I${harfbuzz.dev}/include/harfbuzz"
+
+    # Workaround build failure on -fno-common toolchains:
+    #   ld: ryos_talk.c.o:(.bss+0x0): multiple definition of `RyosWriteCheckWait';
+    #     ryos_custom_lights.c.o:(.bss+0x0): first defined here
+    "-fcommon"
+  ];
+
+  meta = {
+    description = "Tools to configure ROCCAT devices";
+    homepage = "http://roccat.sourceforge.net/";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rt-tests/default.nix b/nixpkgs/pkgs/os-specific/linux/rt-tests/default.nix
new file mode 100644
index 000000000000..67000776256c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rt-tests/default.nix
@@ -0,0 +1,34 @@
+{ stdenv
+, lib
+, makeWrapper
+, fetchurl
+, numactl
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "rt-tests";
+  version = "2.4";
+
+  src = fetchurl {
+    url = "https://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git/snapshot/${pname}-${version}.tar.gz";
+    sha256 = "sha256-yuSfeYTaCZ0F1GXQkDnH8PBvyzR2w/XDitN8csHB9xE=";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = [ numactl python3 ];
+
+  makeFlags = [ "prefix=$(out)" "DESTDIR=" "PYLIB=$(out)/${python3.sitePackages}" ];
+
+  postInstall = ''
+    wrapProgram "$out/bin/determine_maximum_mpps.sh" --prefix PATH : $out/bin
+  '';
+
+  meta = with lib; {
+    homepage = "https://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git";
+    description = "Suite of real-time tests - cyclictest, hwlatdetect, pip_stress, pi_stress, pmqtest, ptsematest, rt-migrate-test, sendme, signaltest, sigwaittest, svsematest";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ poelzi ];
+    license = licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtkit/default.nix b/nixpkgs/pkgs/os-specific/linux/rtkit/default.nix
new file mode 100644
index 000000000000..fb41863c431d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtkit/default.nix
@@ -0,0 +1,48 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch
+, meson, ninja, pkg-config, unixtools
+, dbus, libcap, polkit, systemd
+}:
+
+stdenv.mkDerivation rec {
+  pname = "rtkit";
+  version = "0.13";
+
+  src = fetchFromGitHub {
+    owner = "heftig";
+    repo = "rtkit";
+    rev = "c295fa849f52b487be6433e69e08b46251950399";
+    sha256 = "0yfsgi3pvg6dkizrww1jxpkvcbhzyw9110n1dypmzq0c5hlzjxcd";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/heftig/rtkit/commit/7d62095b94f8df3891c984a1535026d2658bb177.patch";
+      sha256 = "17acv549zqcgh7sgprfagbf6drqsr0zdwvf1dsqda7wlqc2h9zn7";
+    })
+
+    (fetchpatch {
+      url = "https://github.com/heftig/rtkit/commit/98f70edd8f534c371cb4308b9720739c5178918d.patch";
+      sha256 = "18mnjjsdjfr184nkzi01xyphpdngi31ry4bmkv9ysjxf9wilv4nl";
+    })
+  ];
+
+  nativeBuildInputs = [ meson ninja pkg-config unixtools.xxd ];
+  buildInputs = [ dbus libcap polkit systemd ];
+
+  mesonFlags = [
+    "-Dinstalled_tests=false"
+
+    "-Ddbus_systemservicedir=${placeholder "out"}/share/dbus-1/system-services"
+    "-Ddbus_interfacedir=${placeholder "out"}/share/dbus-1/interfaces"
+    "-Ddbus_rulesdir=${placeholder "out"}/etc/dbus-1/system.d"
+    "-Dpolkit_actiondir=${placeholder "out"}/share/polkit-1/actions"
+    "-Dsystemd_systemunitdir=${placeholder "out"}/etc/systemd/system"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/heftig/rtkit";
+    description = "A daemon that hands out real-time priority to processes";
+    license = with licenses; [ gpl3 bsd0 ]; # lib is bsd license
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix
new file mode 100644
index 000000000000..0f2e00c8382f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix
@@ -0,0 +1,48 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc, fetchpatch }:
+
+stdenv.mkDerivation {
+  pname = "rtl8188eus-aircrack";
+  version = "${kernel.version}-unstable-2022-03-19";
+
+  src = fetchFromGitHub {
+    owner = "aircrack-ng";
+    repo = "rtl8188eus";
+    rev = "0958f294f90b49d6bad4972b14f90676e5d858d3";
+    sha256 = "sha256-dkCcwvOLxqU1IZ/OXTp67akjWgsaH1Cq4N8d9slMRI8=";
+  };
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/aircrack-ng/rtl8188eus/commit/daa3a2e12290050be3af956915939a55aed50d5f.patch";
+      hash = "sha256-VsvaAhO74LzqUxbmdDT9qwVl6Y9lXfGfrHHK3SbnOVA=";
+    })
+  ];
+
+  hardeningDisable = [ "pic" ];
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [ bc ];
+
+  buildInputs = kernel.moduleBuildDependencies;
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  meta = with lib; {
+    description = "RealTek RTL8188eus WiFi driver with monitor mode & frame injection support";
+    homepage = "https://github.com/aircrack-ng/rtl8188eus";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fortuneteller2k ];
+    broken = (lib.versionAtLeast kernel.version "5.17") || ((lib.versions.majorMinor kernel.version) == "5.4" && kernel.isHardened);
+  };
+}
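Review bot: `kernel.moduleBuildDependencies` is placed in `buildInputs`, while the other kernel modules in this commit (r8125, r8168, rtl8189es) put it in `nativeBuildInputs`. These are tools that run at build time, so under `buildInputs` they are resolved for the host platform and a cross build would likely be unable to run them. Suggested: `nativeBuildInputs = [ bc ] ++ kernel.moduleBuildDependencies;`. `meta` also sets no `platforms`, unlike the sibling drivers, which use `platforms.linux`.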
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8189es/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8189es/default.nix
new file mode 100644
index 000000000000..a755404e6e5d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8189es/default.nix
@@ -0,0 +1,47 @@
+{ stdenv, lib, fetchFromGitHub, kernel, bc, nukeReferences }:
+
+stdenv.mkDerivation rec {
+  name = "rtl8189es-${kernel.version}-${version}";
+  version = "2021-10-01";
+
+  src = fetchFromGitHub {
+    owner = "jwrdegoede";
+    repo = "rtl8189ES_linux";
+    rev = "be378f47055da1bae42ff6ec1d62f1a5052ef097";
+    sha256 = "sha256-+19q1Xux2BjquavY+s0UDzTubEt6BEUZ9XVDVmj36us=";
+  };
+
+  nativeBuildInputs = [ bc nukeReferences ] ++ kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" "format" ];
+
+  prePatch = ''
+    substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/"
+    substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}"
+    substituteInPlace ./Makefile --replace /sbin/depmod \#
+    substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    ("CONFIG_PLATFORM_I386_PC=" + (if (stdenv.hostPlatform.isi686 || stdenv.hostPlatform.isx86_64) then "y" else "n"))
+    ("CONFIG_PLATFORM_ARM_RPI=" + (if stdenv.hostPlatform.isAarch then "y" else "n"))
+  ];
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  postInstall = ''
+    nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
+  '';
+
+  meta = with lib; {
+    description = "Driver for Realtek rtl8189es";
+    homepage = "https://github.com/jwrdegoede/rtl8189ES_linux";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ danielfullmer lheckemann ];
+    broken = kernel.kernelAtLeast "5.17";
+  };
+}
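Review bot: `hardeningDisable = [ "pic" "format" ];` turns off the `format` hardening flag with no reason recorded. In nixpkgs that flag adds `-Wformat -Wformat-security -Werror=format-security`, so disabling it lets format-string diagnostics in the driver source pass without failing the build. If the upstream tree really cannot build with it, a comment such as `# "format": upstream trips -Werror=format-security; re-enable once fixed` (reason presumed, confirm against a build log) keeps the exception visible. The rtl8812au and rtl8821au hunks disable the same flag without comment.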
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8189fs/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8189fs/default.nix
new file mode 100644
index 000000000000..c1fe5e9733fa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8189fs/default.nix
@@ -0,0 +1,22 @@
+{ lib, kernel, rtl8189es, fetchFromGitHub }:
+
+# rtl8189fs is a branch of the rtl8189es driver
+rtl8189es.overrideAttrs (drv: rec {
+  name = "rtl8189fs-${kernel.version}-${version}";
+  version = "2022-05-20";
+
+  src = fetchFromGitHub {
+    owner = "jwrdegoede";
+    repo = "rtl8189ES_linux";
+    rev = "71500c28164369800041d1716ac513457179ce93";
+    sha256 = "sha256-JTv+ssSv5toNcZ5wR6p0Cywdk87z9Bdq0ftU0ekr/98=";
+  };
+
+  meta = with lib; {
+    description = "Driver for Realtek rtl8189fs";
+    homepage = "https://github.com/jwrdegoede/rtl8189ES_linux/tree/rtl8189fs";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ puffnfresh ];
+  };
+})
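Review bot: `meta = with lib; { ... }` inside `overrideAttrs` replaces the parent's `meta` instead of extending it, so the `broken = kernel.kernelAtLeast "5.17";` set in the rtl8189es hunk is not carried over to this package. If the newer `rev` is known to build on 5.17 and later, a one-line comment saying so would help; otherwise `meta = drv.meta // (with lib; { ... });` keeps the inherited fields. The `drv` argument is otherwise unused in this hunk.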
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8192eu/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8192eu/default.nix
new file mode 100644
index 000000000000..c91353e465e3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8192eu/default.nix
@@ -0,0 +1,44 @@
+{ stdenv, lib, fetchFromGitHub, kernel, bc }:
+
+with lib;
+
+let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtl8192eu";
+
+in stdenv.mkDerivation rec {
+  pname = "rtl8192eu";
+  version = "${kernel.version}-4.4.1.20220614";
+
+  src = fetchFromGitHub {
+    owner = "Mange";
+    repo = "rtl8192eu-linux-driver";
+    rev = "6ba1f320963376f15ea216238c0b62ff3e71fa82";
+    sha256 = "sha256-c5swRxSjWT1tCcR7tfFKdAdVVmAEYgMZuOwUxGYYESI=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies ++ [ bc ];
+
+  makeFlags = kernel.makeFlags ++ [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Realtek rtl8192eu driver";
+    homepage = "https://github.com/Mange/rtl8192eu-linux-driver";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    broken = stdenv.hostPlatform.isAarch64 || kernel.kernelAtLeast "5.18";
+    maintainers = with maintainers; [ troydm ];
+  };
+}
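Review bot: The top-level `with lib;` is redundant in this file: nothing outside `meta` refers to a `lib` name, and `meta` already opens its own `with lib;`. Dropping the top-level line keeps the whole `lib` namespace out of scope for `modDestDir` and the derivation attributes, which makes accidental name capture less likely.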
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8723bs/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8723bs/default.nix
new file mode 100644
index 000000000000..b6ab883ca751
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8723bs/default.nix
@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchFromGitHub, nukeReferences, kernel }:
+with lib;
+stdenv.mkDerivation rec {
+  name = "rtl8723bs-${kernel.version}-${version}";
+  version = "2017-04-06";
+
+  src = fetchFromGitHub {
+    owner = "hadess";
+    repo = "rtl8723bs";
+    rev = "db2c4f61d48fe3b47c167c8bcd722ce83c24aca5";
+    sha256 = "0pxqya14a61vv2v5ky1ldybc0mjfin9mpvmajlmv0lls904rph7g";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  buildInputs = [ nukeReferences ];
+
+  makeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}" # Normally not needed, but the Makefile sets ARCH in a broken way.
+    "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" # Makefile uses $(uname -r); breaks us.
+  ];
+
+  enableParallelBuilding = true;
+
+  # The Makefile doesn't use env-vars well, so install manually:
+  installPhase = ''
+    mkdir -p      $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless
+    cp r8723bs.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless
+
+    nuke-refs $(find $out -name "*.ko")
+  '';
+
+  meta = {
+    description = "Realtek SDIO Wi-Fi driver";
+    homepage = "https://github.com/hadess/rtl8723bs";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    broken = versionAtLeast kernel.version "4.12"; # Now in kernel staging drivers
+    maintainers = with maintainers; [ elitak ];
+  };
+}
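Review bot: `buildInputs = [ nukeReferences ];` lists a tool that is executed during the build (`nuke-refs` in `installPhase`), so it belongs in `nativeBuildInputs`, and the hunk does not add `kernel.moduleBuildDependencies` at all, unlike the other module derivations on this page. In `installPhase`, `nuke-refs $(find $out -name "*.ko")` depends on word splitting of the `find` output; `find "$out" -name '*.ko' -exec nuke-refs {} +` does the same without it. The top-level `with lib;` is what brings `versionAtLeast` and `maintainers` into scope in `meta`, which mixes styles with the explicit `lib.licenses` and `lib.platforms` two lines above.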
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8812au/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8812au/default.nix
new file mode 100644
index 000000000000..30f04c1eb8b3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -0,0 +1,55 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
+
+stdenv.mkDerivation rec {
+  pname = "rtl8812au";
+  version = "${kernel.version}-5.9.3.2.20210427";
+
+  src = fetchFromGitHub {
+    owner = "gordboy";
+    repo = "rtl8812au-5.9.3.2";
+    rev = "6ef5d8fcdb0b94b7490a9a38353877708fca2cd4";
+    sha256 = "sha256-czExf4z0nf7XEJ1YnRSB3CrGV6NTmUKDiZjLmrh6Hwo=";
+  };
+
+  nativeBuildInputs = [ bc nukeReferences ];
+
+  buildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" "format" ];
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  makeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+    "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    ("CONFIG_PLATFORM_I386_PC=" + (if stdenv.hostPlatform.isx86 then "y" else "n"))
+    ("CONFIG_PLATFORM_ARM_RPI=" + (if stdenv.hostPlatform.isAarch then "y" else "n"))
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ];
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  postInstall = ''
+    nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod";
+    homepage = "https://github.com/gordboy/rtl8812au-5.9.3.2";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fortuneteller2k ];
+    broken = kernel.kernelOlder "4.10" || kernel.kernelAtLeast "5.15" || kernel.isHardened;
+  };
+}
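Review bot: `lib.optional` in `makeFlags` is given a list, but `lib.optional cond x` returns `[ x ]`, so when host and build platform differ the flag list gains a nested list element instead of the `CROSS_COMPILE=` string. The list-taking variant is intended here: `] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [`. Whether the nested list happens to be flattened when the attribute is later coerced to a string is not visible in this hunk, so the current form may work by accident rather than by design.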
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8814au/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8814au/default.nix
new file mode 100644
index 000000000000..cab36054f516
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8814au/default.nix
@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation {
+  pname = "rtl8814au";
+  version = "${kernel.version}-unstable-2022-05-23";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "8814au";
+    rev = "687f05c73e22dc14d5f24f2bb92f2ecac3cc71d5";
+    sha256 = "08znnihk9rdrwgyzazxqcrzwdjnm5q8ah92bfb552wjv11r87zv1";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  hardeningDisable = [ "pic" ];
+
+  NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types";
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Realtek 8814AU USB WiFi driver";
+    homepage = "https://github.com/morrownr/8814au";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.lassulus ];
+  };
+}
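Review bot: `NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types";` stops incompatible-pointer-type diagnostics from failing the build of kernel-mode code, and no reason is recorded. In a driver this class of warning can point at a callback or struct whose type no longer matches the kernel's prototype, so the exception deserves a comment, for example `# upstream callbacks do not match newer kernel prototypes; drop when fixed upstream` (reason presumed, confirm against the build output). The rtl8821au and rtl88xxau-aircrack hunks carry the same line. This hunk also sets neither `meta.platforms` nor a `broken` kernel range, unlike most of its neighbours.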
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8821au/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8821au/default.nix
new file mode 100644
index 000000000000..dc693f01f572
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8821au/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
+
+stdenv.mkDerivation rec {
+  pname = "rtl8821au";
+  version = "${kernel.version}-unstable-2022-03-08";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "8821au-20210708";
+    rev = "2c0c6fef81c0c7dcf8fa06fc4ab72168abc4f7bb";
+    sha256 = "sha256-Hdzi3pGqH71O0Jenjd/myG4+rZDLC/CcWHkjDoXBxS0=";
+  };
+
+  nativeBuildInputs = [ bc nukeReferences ];
+  buildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" "format" ];
+
+  NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types";
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  postInstall = ''
+    nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "rtl8821AU and rtl8812AU chipset driver with firmware";
+    homepage = "https://github.com/morrownr/8821au";
+    license = licenses.gpl2Only;
+    platforms = [ "x86_64-linux" "i686-linux" ];
+    maintainers = with maintainers; [ plchldr ];
+  };
+}
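Review bot: `homepage = "https://github.com/morrownr/8821au";` does not name the repository that `src` fetches (`morrownr/8821au-20210708`), so someone following the homepage to inspect the source may end up looking at a different tree from the one that is built. Pointing it at the fetched repository avoids that: `homepage = "https://github.com/morrownr/8821au-20210708";`. The rtl8821cu hunk has the same mismatch (`repo = "8821cu-20210118"` against a homepage ending in `/8821cu`). Whether the shorter URLs redirect is not visible from the page.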
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8821ce/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8821ce/default.nix
new file mode 100644
index 000000000000..f841ba471a42
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8821ce/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, kernel
+, bc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "rtl8821ce";
+  version = "${kernel.version}-unstable-2022-06-01";
+
+  src = fetchFromGitHub {
+    owner = "tomaspinho";
+    repo = "rtl8821ce";
+    rev = "be733dc86781c68571650b395dd0fa6b53c0a039";
+    sha256 = "sha256-4PgISOjCSSGymz96VwE4jzcUiOEO+Ocuk2kJVIA+TQM=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = [ bc ] ++ kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Realtek rtl8821ce driver";
+    homepage = "https://github.com/tomaspinho/rtl8821ce";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    broken = stdenv.isAarch64;
+    maintainers = with maintainers; [ hhm ivar ];
+  };
+}
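Review bot: `fetchpatch` is declared in the argument set but never used in this file; no `patches` attribute is defined. Removing it from the arguments keeps the declared inputs equal to what the derivation actually pulls in. `broken = stdenv.isAarch64;` also differs in spelling from the `stdenv.hostPlatform.isAarch64` used in the rtl8192eu hunk; using the `hostPlatform` form consistently would be clearer.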
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl8821cu/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl8821cu/default.nix
new file mode 100644
index 000000000000..3af4fee9eda2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl8821cu/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
+stdenv.mkDerivation rec {
+  pname = "rtl8821cu";
+  version = "${kernel.version}-unstable-2022-05-07";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "8821cu-20210118";
+    rev = "e3cf788e1dddaba3273190755ce424f93fe593e4";
+    hash = "sha256-VUZU/oFSaxewy/BF/2k4OssAi4AWSWweqXYZPHmsQvY=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = [ bc ] ++ kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Realtek rtl8821cu driver";
+    homepage = "https://github.com/morrownr/8821cu";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.contrun ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl88x2bu/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl88x2bu/default.nix
new file mode 100644
index 000000000000..cd13c48779ea
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl88x2bu/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
+stdenv.mkDerivation rec {
+  pname = "rtl88x2bu";
+  version = "${kernel.version}-unstable-2022-05-23";
+
+  src = fetchFromGitHub {
+    owner = "morrownr";
+    repo = "88x2bu-20210702";
+    rev = "3fbe980a9a8cee223e4671449128212cf7514b3c";
+    sha256 = "1p4bp8g94ny385nl3m2ca824dbm6lhjvh7s5rqyzk220il2sa0nd";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = [ bc ] ++ kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags;
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Realtek rtl88x2bu driver";
+    homepage = "https://github.com/morrownr/88x2bu-20210702";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.ralith ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix b/nixpkgs/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
new file mode 100644
index 000000000000..de5c79a56013
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
@@ -0,0 +1,45 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+let
+  rev = "37e27f9165300c89607144b646545fac576ec510";
+in
+stdenv.mkDerivation rec {
+  pname = "rtl88xxau-aircrack";
+  version = "${kernel.version}-${builtins.substring 0 6 rev}";
+
+  src = fetchFromGitHub {
+    owner = "aircrack-ng";
+    repo = "rtl8812au";
+    inherit rev;
+    sha256 = "sha256-TpmpueKAaCe7Nlmv8pMvgMXGVmXVa/1mBwtEoy4JyCY=";
+  };
+
+  buildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types";
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Aircrack-ng kernel module for Realtek 88XXau network cards\n(8811au, 8812au, 8814au and 8821au chipsets) with monitor mode and injection support.";
+    homepage = "https://github.com/aircrack-ng/rtl8812au";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.jethro ];
+    platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
+    broken = kernel.kernelAtLeast "5.18";
+  };
+}
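Review bot: `description` embeds a `\n` escape and ends with a period, so it is a two-line string where every other hunk on this page uses a single short line. A one-line summary such as `description = "Aircrack-ng kernel module for Realtek 88XXau network cards with monitor mode and injection support";` with the chipset list moved to `longDescription` would match the rest. The `buildInputs = kernel.moduleBuildDependencies;` line has the same placement issue as in the rtl8188eus-aircrack hunk.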
diff --git a/nixpkgs/pkgs/os-specific/linux/rtw88/default.nix b/nixpkgs/pkgs/os-specific/linux/rtw88/default.nix
new file mode 100644
index 000000000000..bbff4f6e4a71
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtw88/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+let
+  modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtw88";
+in
+stdenv.mkDerivation {
+  pname = "rtw88";
+  version = "unstable-2022-06-03";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtw88";
+    rev = "03da251c76ea1005b42625825c39181e12d75693";
+    sha256 = "0l5ysp4x5wzrn48sfjv3rciqhq5ldcmk86b9x6j9775zjj7yw8hw";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags ++ [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "The newest Realtek rtlwifi codes";
+    homepage = "https://github.com/lwfinger/rtw88";
+    license = with licenses; [ bsd3 gpl2Only ];
+    maintainers = with maintainers; [ tvorog atila ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.14";
+    priority = -1;
+  };
+}
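Review bot: `priority = -1;` in `meta` has no comment explaining what it is meant to win against. Presumably it lets this out-of-tree snapshot take precedence over the rtw88 module shipped with the kernel when both end up in the same module tree; that should be confirmed and then stated, e.g. `# prefer this build over the in-tree rtw88 module`. Replacing an in-kernel driver with an unstable snapshot is a choice a later reader will want to see justified. The rtw89 hunk sets the same attribute without comment.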
diff --git a/nixpkgs/pkgs/os-specific/linux/rtw89/default.nix b/nixpkgs/pkgs/os-specific/linux/rtw89/default.nix
new file mode 100644
index 000000000000..6ff208fa6dd9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/rtw89/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+let
+  modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtw89";
+in
+stdenv.mkDerivation {
+  pname = "rtw89";
+  version = "unstable-2021-10-21";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtw89";
+    rev = "0684157cba90e36bff5bc61a59e7e87c359b5e5c";
+    sha256 = "0cvawyi1ksw9xkr8pzwipsl7b8hnmrb17w5cblyicwih8fqaw632";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  makeFlags = kernel.makeFlags ++ [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = " Driver for Realtek 8852AE, an 802.11ax device";
+    homepage = "https://github.com/lwfinger/rtw89";
+    license = with licenses; [ gpl2Only ];
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.4";
+    priority = -1;
+  };
+}
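Review bot: `version = "unstable-2021-10-21";` leaves out `${kernel.version}`, which the rtl* hunks on this page all include, so builds of this module for different kernels carry the same name and cannot be told apart in logs or `nix-store` listings. Suggested: `version = "${kernel.version}-unstable-2021-10-21";`. The rtw88 and sch_cake hunks omit the kernel version in the same way. The `description` string here also starts with a stray space.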
diff --git a/nixpkgs/pkgs/os-specific/linux/ryzenadj/default.nix b/nixpkgs/pkgs/os-specific/linux/ryzenadj/default.nix
new file mode 100644
index 000000000000..c7d9c1f8fb96
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ryzenadj/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub, pciutils, cmake }:
+stdenv.mkDerivation rec {
+  pname = "ryzenadj";
+  version = "0.10.0";
+
+  src = fetchFromGitHub {
+    owner = "FlyGoat";
+    repo = "RyzenAdj";
+    rev = "v${version}";
+    sha256 = "sha256-SEM+HN5ecxp64jZTOouWuFO1HICtc6M+GitnS+bdfb4=";
+  };
+
+  nativeBuildInputs = [ pciutils cmake ];
+
+  installPhase = ''
+    install -D libryzenadj.so $out/lib/libryzenadj.so
+    install -D ryzenadj $out/bin/ryzenadj
+  '';
+
+  meta = with lib; {
+    description = "Adjust power management settings for Ryzen Mobile Processors.";
+    homepage = "https://github.com/FlyGoat/RyzenAdj";
+    license = licenses.lgpl3Only;
+    maintainers = with maintainers; [ asbachb ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
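Review bot: `pciutils` is listed in `nativeBuildInputs`, but it is presumably linked into the program as a library rather than run at build time (the CMake file is not part of this hunk, so confirm). Libraries for the host platform belong in `buildInputs`: `nativeBuildInputs = [ cmake ];` and `buildInputs = [ pciutils ];`. The custom `installPhase` also omits `runHook preInstall` and `runHook postInstall`, which the rtl8192eu and rtw88 hunks include.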
diff --git a/nixpkgs/pkgs/os-specific/linux/s6-linux-init/default.nix b/nixpkgs/pkgs/os-specific/linux/s6-linux-init/default.nix
new file mode 100644
index 000000000000..27773a90e283
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/s6-linux-init/default.nix
@@ -0,0 +1,39 @@
+{ lib, skawarePackages }:
+
+with skawarePackages;
+
+buildPackage {
+  pname = "s6-linux-init";
+  version = "1.0.8.0";
+  sha256 = "sha256-kgVaeWTPZmBAZq2WSiwjku58XmSCG+AxRsE0Hg2MPcY=";
+
+  description = "A set of minimalistic tools used to create a s6-based init system, including a /sbin/init binary, on a Linux kernel";
+  platforms = lib.platforms.linux;
+
+  outputs = [ "bin" "dev" "doc" "out" ];
+
+  configureFlags = [
+    "--bindir=\${bin}/bin"
+    "--includedir=\${dev}/include"
+    "--with-sysdeps=${skalibs.lib}/lib/skalibs/sysdeps"
+    "--with-include=${skalibs.dev}/include"
+    "--with-include=${execline.dev}/include"
+    "--with-include=${s6.dev}/include"
+    "--with-lib=${skalibs.lib}/lib"
+    "--with-lib=${s6.out}/lib"
+    "--with-lib=${execline.lib}/lib"
+    "--with-dynlib=${skalibs.lib}/lib"
+    "--with-dynlib=${execline.lib}/lib"
+    "--with-dynlib=${s6.out}/lib"
+  ];
+
+  postInstall = ''
+    # remove all s6 executables from build directory
+    rm $(find -name "s6-*" -type f -mindepth 1 -maxdepth 1 -executable)
+    rm libs6_linux_init.* libhpr.*
+    rm -rf skel
+
+    mv doc $doc/share/doc/s6-linux-init/html
+  '';
+
+}
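Review bot: In `postInstall`, `rm $(find -name "s6-*" -type f -mindepth 1 -maxdepth 1 -executable)` feeds unquoted `find` output to `rm` and places `-mindepth`/`-maxdepth` after the tests, which GNU find warns about. `find . -mindepth 1 -maxdepth 1 -name 's6-*' -type f -executable -delete` avoids both. Note that the current form fails the phase when nothing matches, because `rm` is then called without operands, whereas `-delete` would not; if that failure is relied on as a sanity check, say so in the comment. The s6-linux-utils hunk uses the same command.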
diff --git a/nixpkgs/pkgs/os-specific/linux/s6-linux-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/s6-linux-utils/default.nix
new file mode 100644
index 000000000000..98199516a04e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/s6-linux-utils/default.nix
@@ -0,0 +1,32 @@
+{ lib, skawarePackages }:
+
+with skawarePackages;
+
+buildPackage {
+  pname = "s6-linux-utils";
+  version = "2.6.0.0";
+  sha256 = "sha256-bHEyc0oMgocALuaRDEafF1qX12aoAjwMM6+LqSZD7Vk=";
+
+  description = "A set of minimalistic Linux-specific system utilities";
+  platforms = lib.platforms.linux;
+
+  outputs = [ "bin" "dev" "doc" "out" ];
+
+  # TODO: nsss support
+  configureFlags = [
+    "--bindir=\${bin}/bin"
+    "--includedir=\${dev}/include"
+    "--with-sysdeps=${skalibs.lib}/lib/skalibs/sysdeps"
+    "--with-include=${skalibs.dev}/include"
+    "--with-lib=${skalibs.lib}/lib"
+    "--with-dynlib=${skalibs.lib}/lib"
+  ];
+
+  postInstall = ''
+    # remove all s6 executables from build directory
+    rm $(find -name "s6-*" -type f -mindepth 1 -maxdepth 1 -executable) rngseed
+
+    mv doc $doc/share/doc/s6-linux-utils/html
+  '';
+
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sasutils/default.nix b/nixpkgs/pkgs/os-specific/linux/sasutils/default.nix
new file mode 100644
index 000000000000..fd1a6f0b049b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sasutils/default.nix
@@ -0,0 +1,28 @@
+{ lib, python3Packages, fetchFromGitHub, installShellFiles, sg3_utils }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "sasutils";
+  version = "0.3.12";
+
+  src = fetchFromGitHub {
+    owner = "stanford-rc";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0kh5pcc2shdmrvqqi2y1zamzsfvk56pqgwqgqhjfz4r6yfpm04wl";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  propagatedBuildInputs = [ sg3_utils ];
+
+  postInstall = ''
+    installManPage doc/man/man1/*.1
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/stanford-rc/sasutils";
+    description = "A set of command-line tools to ease the administration of Serial Attached SCSI (SAS) fabrics";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ aij ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sch_cake/default.nix b/nixpkgs/pkgs/os-specific/linux/sch_cake/default.nix
new file mode 100644
index 000000000000..f93713344efb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sch_cake/default.nix
@@ -0,0 +1,34 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation {
+  pname = "sch_cake";
+  version = "unstable-2017-07-16";
+
+  src = fetchFromGitHub {
+    owner = "dtaht";
+    repo = "sch_cake";
+    rev = "e641a56f27b6848736028f87eda65ac3df9f99f7";
+    sha256 = "08582jy01j32b3mj8hf6m8687qrcz64zv2m236j24inlkmd94q21";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = [
+    "KERNEL_VERSION=${kernel.version}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -v -m 644 -D sch_cake.ko \
+      $out/lib/modules/${kernel.modDirVersion}/kernel/net/sched/sch_cake.ko
+  '';
+
+  meta = with lib; {
+    description = "The cake qdisc scheduler";
+    homepage = "https://www.bufferbloat.net/projects/codel/wiki/Cake/";
+    license = with licenses; [ bsd3 gpl2 ];
+    maintainers = with maintainers; [ fpletz ];
+    platforms = platforms.linux;
+    broken = lib.versionAtLeast kernel.version "4.13";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/schedtool/default.nix b/nixpkgs/pkgs/os-specific/linux/schedtool/default.nix
new file mode 100644
index 000000000000..98d9248e3f42
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/schedtool/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "schedtool";
+  version = "1.3.0";
+
+  src = fetchFromGitHub {
+    owner = "freequaos";
+    repo = "schedtool";
+    rev = "${pname}-${version}";
+    sha256 = "1wdw6fnf9a01xfjhdah3mn8bp1bvahf2lfq74i6hk5b2cagkppyp";
+  };
+
+  makeFlags = [ "DESTDIR=$(out)" "DESTPREFIX=" ];
+
+  meta = with lib; {
+    description = "Query or alter a process' scheduling policy under Linux";
+    homepage = "https://freequaos.host.sk/schedtool/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sd-switch/default.nix b/nixpkgs/pkgs/os-specific/linux/sd-switch/default.nix
new file mode 100644
index 000000000000..987f32664c11
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sd-switch/default.nix
@@ -0,0 +1,26 @@
+{ lib, fetchFromGitLab, rustPlatform, pkg-config, dbus }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "sd-switch";
+  version = "0.2.3";
+
+  src = fetchFromGitLab {
+    owner = "rycee";
+    repo = pname;
+    rev = version;
+    sha256 = "12h2d7v7pdz7b0hrna64561kf35nbpwb2kzxa791xk8raxc2b72k";
+  };
+
+  cargoSha256 = "12ny3cir2nxzrmf4vwq6sgc35dbpq88hav53xqdp44rigdf4vzbs";
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ dbus ];
+
+  meta = with lib; {
+    description = "A systemd unit switcher for Home Manager";
+    homepage = "https://gitlab.com/rycee/sd-switch";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ rycee ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sdnotify-wrapper/default.nix b/nixpkgs/pkgs/os-specific/linux/sdnotify-wrapper/default.nix
new file mode 100644
index 000000000000..b4b6a7f42a7e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sdnotify-wrapper/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, lib, runCommandCC, skawarePackages }:
+
+with skawarePackages;
+
+let
+  # From https://skarnet.org/software/misc/sdnotify-wrapper.c,
+  # which is unversioned.
+  src = ./sdnotify-wrapper.c;
+
+in runCommandCC "sdnotify-wrapper" {
+
+   outputs = [ "bin" "doc" "out" ];
+
+   meta = {
+     homepage = "https://skarnet.org/software/misc/sdnotify-wrapper.c";
+     description = "Use systemd sd_notify without having to link against libsystemd";
+     platforms = lib.platforms.linux;
+     license = lib.licenses.isc;
+     maintainers = with lib.maintainers; [ Profpatsch ];
+   };
+
+} ''
+  mkdir -p $bin/bin
+  mkdir $out
+
+  # the -lskarnet has to come at the end to support static builds
+  $CC \
+    -o $bin/bin/sdnotify-wrapper \
+    -I${skalibs.dev}/include \
+    -L${skalibs.lib}/lib \
+    ${src} \
+    -lskarnet
+
+  mkdir -p $doc/share/doc/sdnotify-wrapper
+  # copy the documentation comment
+  sed -ne '/Usage:/,/*\//p' ${src} > $doc/share/doc/sdnotify-wrapper/README
+''
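Review bot: The comment on `src` says the vendored C file comes from an unversioned URL, but it records neither when the copy was taken nor a checksum of it. Without that, a later reader cannot tell whether the in-tree file still matches what upstream serves, or which upstream state was reviewed. Extending the comment, e.g. `# Retrieved <DATE>; sha256 of the upstream file at that time: <HASH>` (placeholders, to be filled in by the committer), would make the copy verifiable. The `stdenv` argument is unused in this file.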
diff --git a/nixpkgs/pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c b/nixpkgs/pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c
new file mode 100644
index 000000000000..3ad3cbc69063
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c
@@ -0,0 +1,174 @@
+/*
+   Copyright: (C)2015-2020 Laurent Bercot.  http://skarnet.org/
+   ISC license. See http://opensource.org/licenses/ISC
+
+   Build-time requirements: skalibs.  https://skarnet.org/software/skalibs/
+   Run-time requirements: none, if you link skalibs statically.
+
+   Compilation:
+     gcc -o sdnotify-wrapper -L/usr/lib/skalibs sdnotify-wrapper.c -lskarnet
+   Use /usr/lib/skalibs/libskarnet.a instead of -lskarnet to link statically.
+   Adapt gcc's -I and -L options to your skalibs installation paths.
+
+   Usage: if a daemon would be launched by systemd as "foobard args...",
+   launch it as "sdnotify-wrapper foobard args..." instead, and you can now
+   tell systemd that this daemon supports readiness notification.
+
+   Instead of using sd_notify() and having to link against the systemd
+   library, the daemon notifies readiness by writing whatever it wants
+   to a file descriptor (by default: stdout), then a newline. (Then it
+   should close that file descriptor.) The simplest way is something like
+   int notify_readiness() { write(1, "\n", 1) ; close(1) ; }
+   This mechanism is understandable by any notification readiness framework.
+
+   Readiness notification occurs when the newline is written, not when
+   the descriptor is closed; but since sdnotify-wrapper stops reading
+   after the first newline and will exit, any subsequent writes will
+   fail and it's best to simply close the descriptor right away.
+
+   sdnotify-wrapper sees the notification when it occurs and sends it
+   to systemd using the sd_notify format.
+
+   Options:
+     -d fd: the daemon will write its notification on descriptor fd.
+     Default is 1.
+     -f: do not doublefork. Use if the daemon waits for children it does
+     not know it has (for instance, superservers do this). When in doubt,
+     do not use that option, or you may have a zombie hanging around.
+     -t timeout: if the daemon has not sent a notification after timeout
+     milliseconds, give up and exit; systemd will not be notified.
+     -k: keep the NOTIFY_SOCKET environment variable when execing into the
+     daemon. By default, the variable is unset: the daemon should not need it.
+
+   Notes:
+     sdnotify-wrapper does not change the daemon's pid. It runs as a
+     (grand)child of the daemon.
+     If the NOTIFY_SOCKET environment variable is not set, sdnotify-wrapper
+     does nothing - it only execs into the daemon.
+     sdnotify-wrapper is more liberal than sd_notify(). It will accept
+     a relative path in NOTIFY_SOCKET.
+*/
+
+
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#include <skalibs/uint64.h>
+#include <skalibs/types.h>
+#include <skalibs/bytestr.h>
+#include <skalibs/sgetopt.h>
+#include <skalibs/strerr2.h>
+#include <skalibs/allreadwrite.h>
+#include <skalibs/tai.h>
+#include <skalibs/iopause.h>
+#include <skalibs/djbunix.h>
+#include <skalibs/socket.h>
+#include <skalibs/exec.h>
+
+#define USAGE "sdnotify-wrapper [ -d fd ] [ -f ] [ -t timeout ] [ -k ] prog..."
+#define dieusage() strerr_dieusage(100, USAGE)
+
+#define VAR "NOTIFY_SOCKET"
+
+static inline int ipc_sendto (int fd, char const *s, size_t len, char const *path)
+{
+  struct sockaddr_un sa ;
+  size_t l = strlen(path) ;
+  if (l > IPCPATH_MAX) return (errno = ENAMETOOLONG, 0) ;
+  memset(&sa, 0, sizeof sa) ;
+  sa.sun_family = AF_UNIX ;
+  memcpy(sa.sun_path, path, l+1) ;
+  if (path[0] == '@') sa.sun_path[0] = 0 ;
+  return sendto(fd, s, len, MSG_NOSIGNAL, (struct sockaddr *)&sa, sizeof sa) >= 0 ;
+}
+
+static inline void notify_systemd (pid_t pid, char const *socketpath)
+{
+  size_t n = 16 ;
+  char fmt[16 + PID_FMT] = "READY=1\nMAINPID=" ;
+  int fd = ipc_datagram_b() ;
+  if (fd < 0) strerr_diefu1sys(111, "create socket") ;
+  n += pid_fmt(fmt + n, pid) ;
+  fmt[n++] = '\n' ;
+  if (!ipc_sendto(fd, fmt, n, socketpath))
+    strerr_diefu2sys(111, "send notification message to ", socketpath) ;
+  close(fd) ;
+}
+
+static inline int run_child (int fd, unsigned int timeout, pid_t pid, char const *s)
+{
+  char dummy[4096] ;
+  iopause_fd x = { .fd = fd, .events = IOPAUSE_READ } ;
+  tain deadline ;
+  tain_now_g() ;
+  if (timeout) tain_from_millisecs(&deadline, timeout) ;
+  else deadline = tain_infinite_relative ;
+  tain_add_g(&deadline, &deadline) ;
+  for (;;)
+  {
+    int r = iopause_g(&x, 1, &deadline) ;
+    if (r < 0) strerr_diefu1sys(111, "iopause") ;
+    if (!r) return 99 ;
+    r = sanitize_read(fd_read(fd, dummy, 4096)) ;
+    if (r < 0)
+      if (errno == EPIPE) return 1 ;
+      else strerr_diefu1sys(111, "read from parent") ;
+    else if (r && memchr(dummy, '\n', r)) break ;
+  }
+  close(fd) ;
+  notify_systemd(pid, s) ;
+  return 0 ;
+}
+
+int main (int argc, char const *const *argv)
+{
+  char const *s = getenv(VAR) ;
+  unsigned int fd = 1 ;
+  unsigned int timeout = 0 ;
+  int df = 1, keep = 0 ;
+  PROG = "sdnotify-wrapper" ;
+  {
+    subgetopt l = SUBGETOPT_ZERO ;
+    for (;;)
+    {
+      int opt = subgetopt_r(argc, argv, "d:ft:k", &l) ;
+      if (opt == -1) break ;
+      switch (opt)
+      {
+        case 'd' : if (!uint0_scan(l.arg, &fd)) dieusage() ; break ;
+        case 'f' : df = 0 ; break ;
+        case 't' : if (!uint0_scan(l.arg, &timeout)) dieusage() ; break ;
+        case 'k' : keep = 1 ; break ;
+        default : dieusage() ;
+      }
+    }
+    argc -= l.ind ; argv += l.ind ;
+  }
+  if (!argc) dieusage() ;
+
+  if (!s) xexec(argv) ;
+  else
+  {
+    pid_t parent = getpid() ;
+    pid_t child ;
+    int p[2] ;
+    if (pipe(p) < 0) strerr_diefu1sys(111, "pipe") ;
+    child = df ? doublefork() : fork() ;
+    if (child < 0) strerr_diefu1sys(111, df ? "doublefork" : "fork") ;
+    else if (!child)
+    {
+      PROG = "sdnotify-wrapper (child)" ;
+      close(p[1]) ;
+      return run_child(p[0], timeout, parent, s) ;
+    }
+    close(p[0]) ;
+    if (fd_move((int)fd, p[1]) < 0) strerr_diefu1sys(111, "move descriptor") ;
+    if (keep) xexec(argv) ;
+    else xmexec_m(argv, VAR, sizeof(VAR)) ;
+  }
+}
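Review bot: In `ipc_sendto`, `sendto` is given `sizeof sa` as the address length even when `path[0] == '@'` selects the abstract namespace, where Linux treats every byte up to the supplied length as part of the name. The zero padding then becomes part of the address, so the datagram will likely miss a socket that was bound with the exact-length name. A length computed per case avoids this: `socklen_t salen = path[0] == '@' ? offsetof(struct sockaddr_un, sun_path) + l : sizeof sa ;` (needs `<stddef.h>`), passed in place of `sizeof sa`. The `memcpy(sa.sun_path, path, l+1)` above it is only in bounds if `IPCPATH_MAX` is smaller than `sizeof sa.sun_path`; that constant comes from skalibs and is not visible here, so a one-line comment stating the assumption would help. Since the file is a verbatim upstream copy, this is best carried as a separate patch or reported upstream rather than edited in place.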
diff --git a/nixpkgs/pkgs/os-specific/linux/sdparm/default.nix b/nixpkgs/pkgs/os-specific/linux/sdparm/default.nix
new file mode 100644
index 000000000000..a9137b18f39d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sdparm/default.nix
@@ -0,0 +1,18 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "sdparm";
+  version = "1.12";
+
+  src = fetchurl {
+    url = "http://sg.danny.cz/sg/p/${pname}-${version}.tar.xz";
+    sha256 = "sha256-xMnvr9vrZi4vlxJwfsSQkyvU0BC7ESmueplSZUburb4=";
+  };
+
+  meta = with lib; {
+    homepage = "http://sg.danny.cz/sg/sdparm.html";
+    description = "A utility to access SCSI device parameters";
+    license = licenses.bsd3;
+    platforms = with platforms; linux;
+  };
+}
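Review bot: Both `src.url` and `meta.homepage` use plain `http://`. The `sha256` pin protects builds against a tampered tarball, but whoever next bumps `version` will compute the new hash from an unauthenticated download. If upstream serves the same path over TLS (not verifiable from this page), prefer `url = "https://sg.danny.cz/sg/p/${pname}-${version}.tar.xz";` and the matching `https://` homepage. `meta` also has no `maintainers`, so nobody is on record to follow upstream releases.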
diff --git a/nixpkgs/pkgs/os-specific/linux/selinux-python/default.nix b/nixpkgs/pkgs/os-specific/linux/selinux-python/default.nix
new file mode 100644
index 000000000000..c50f4ffccd0b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/selinux-python/default.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchurl, python3
+, libselinux, libsemanage, libsepol, setools }:
+
+# this is python3 only because setools only supports python3
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "selinux-python";
+  version = "3.3";
+
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/selinux-python-${version}.tar.gz";
+    sha256 = "1v244hpb45my303793xa4kcn7qnxjgxn4ja7rdn9k1q361hi1nca";
+  };
+
+  strictDeps = true;
+
+  nativeBuildInputs = [ python3 python3.pkgs.wrapPython ];
+  buildInputs = [ libsepol ];
+  propagatedBuildInputs = [ libselinux libsemanage setools python3.pkgs.ipy ];
+
+  postPatch = ''
+    substituteInPlace sepolicy/Makefile --replace "echo --root" "echo --prefix"
+    substituteInPlace sepolgen/src/share/Makefile --replace "/var/lib/sepolgen" \
+                                                            "\$PREFIX/var/lib/sepolgen"
+  '';
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "LOCALEDIR=$(out)/share/locale"
+    "BASHCOMPLETIONDIR=$(out)/share/bash-completion/completions"
+    "PYTHON=python"
+    "PYTHONLIBDIR=$(out)/${python3.sitePackages}"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+  ];
+
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux policy core utilities written in Python";
+    license = licenses.gpl2;
+    homepage = "https://selinuxproject.org";
+    platforms = platforms.linux;
+  };
+}
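Review bot: The second `substituteInPlace` in `postPatch` writes the literal text `$PREFIX/var/lib/sepolgen` into `sepolgen/src/share/Makefile`, and make parses `$PREFIX` as the one-letter variable `$(P)` followed by `REFIX`. Unless that Makefile (not visible here) passes the value through a shell untouched, the data directory would end up as a relative `REFIX/var/lib/sepolgen` instead of under `$out`. Use the parenthesised form: `"\$(PREFIX)/var/lib/sepolgen"`. It is worth confirming after a build that the sepolgen data files actually land in `$out/var/lib/sepolgen`.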
diff --git a/nixpkgs/pkgs/os-specific/linux/selinux-sandbox/default.nix b/nixpkgs/pkgs/os-specific/linux/selinux-sandbox/default.nix
new file mode 100644
index 000000000000..0d2843d216a4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/selinux-sandbox/default.nix
@@ -0,0 +1,60 @@
+{ lib, stdenv, fetchurl, bash, coreutils, python3
+, libcap_ng, policycoreutils, selinux-python, dbus
+, xorgserver, openbox, xmodmap }:
+
+# this is python3 only as it depends on selinux-python
+
+with lib;
+with python3.pkgs;
+
+stdenv.mkDerivation rec {
+  pname = "selinux-sandbox";
+  version = "3.3";
+  inherit (policycoreutils) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/selinux-sandbox-${version}.tar.gz";
+    sha256 = "0rw8pxfqhl6ww4w31fbf4hi3zilh1n3b1rfjm7ra76mm78wfyylj";
+  };
+
+  nativeBuildInputs = [ wrapPython ];
+  buildInputs = [ bash coreutils libcap_ng policycoreutils python3 xorgserver openbox xmodmap dbus ];
+  propagatedBuildInputs = [ pygobject3 selinux-python ];
+
+  postPatch = ''
+    # Fix setuid install
+    substituteInPlace Makefile --replace "-m 4755" "-m 755"
+    substituteInPlace sandboxX.sh \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "/usr/share/sandbox/start" "${placeholder "out"}/share/sandbox/start" \
+      --replace "/usr/bin/cut" "${coreutils}/bin/cut" \
+      --replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xepyhr" \
+      --replace "secon" "${policycoreutils}/bin/secon"
+    substituteInPlace sandbox \
+      --replace "/usr/sbin/seunshare" "$out/bin/seunshare" \
+      --replace "/usr/share/sandbox" "$out/share/sandbox" \
+      --replace "/usr/share/locale" "${policycoreutils}/share/locale" \
+      --replace "/usr/bin/openbox" "${openbox}/bin/openbox" \
+      --replace "#!/bin/sh" "#!${bash}/bin/sh" \
+      --replace "dbus-" "${dbus}/bin/dbus-" \
+      --replace "/usr/bin/xmodmap" "${xmodmap}/bin/xmodmap" \
+      --replace "/usr/bin/shred" "${coreutils}/bin/shred" \
+      --replace "/usr/bin/test" "${coreutils}/bin/test" \
+  '';
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "SYSCONFDIR=$(out)/etc/sysconfig"
+  ];
+
+  postFixup = ''
+    wrapPythonPrograms
+  '';
+
+  meta = {
+    description = "SELinux sandbox utility";
+    license = licenses.gpl2;
+    homepage = "https://selinuxproject.org";
+    platforms = platforms.linux;
+  };
+}
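Review bot: The Xephyr substitution in `postPatch` rewrites `sandboxX.sh` to `${xorgserver}/bin/Xepyhr`, a transposed spelling, so the script would point at a binary that does not exist; it should read `--replace "/usr/bin/Xephyr" "${xorgserver}/bin/Xephyr" \`. The bare `"secon"` and `"dbus-"` patterns match any substring of the scripts, and the last `--replace` line for `sandbox` ends in a dangling `\`. The `-m 4755` to `-m 755` substitution removes the setuid bit from whatever the Makefile installs with it, so the `# Fix setuid install` comment should say how the helper is expected to gain its privileges on NixOS (presumably a `security.wrappers` entry) so that users do not re-add the bit by hand.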
diff --git a/nixpkgs/pkgs/os-specific/linux/semodule-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/semodule-utils/default.nix
new file mode 100644
index 000000000000..5c8d83c3f82a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/semodule-utils/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchurl, libsepol }:
+
+stdenv.mkDerivation rec {
+  pname = "semodule-utils";
+  version = "3.3";
+
+  inherit (libsepol) se_url;
+
+  src = fetchurl {
+    url = "${se_url}/${version}/${pname}-${version}.tar.gz";
+    sha256 = "0qvhl40a6jlm8p719nnlw2ghlxbh8lxbcsd59azxp884bxgfr61h";
+  };
+
+  buildInputs = [ libsepol ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+  ];
+
+  meta = with lib; {
+    description = "SELinux policy core utilities (packaging additions)";
+    license = licenses.gpl2;
+    inherit (libsepol.meta) homepage platforms;
+    maintainers = [ maintainers.e-user ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/service-wrapper/default.nix b/nixpkgs/pkgs/os-specific/linux/service-wrapper/default.nix
new file mode 100644
index 000000000000..381f0699697a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/service-wrapper/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, runCommand, substituteAll, coreutils }:
+
+let
+  name = "service-wrapper-${version}";
+  version = "19.04"; # Akin to Ubuntu Release
+in
+runCommand name {
+  script = substituteAll {
+    src = ./service-wrapper.sh;
+    isExecutable = true;
+    inherit (stdenv) shell;
+    inherit coreutils;
+  };
+
+  meta = with lib; {
+    description = "A convenient wrapper for the systemctl commands, borrow from Ubuntu";
+    license     = licenses.gpl2Plus;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ DerTim1 ];
+    # Shellscript has been modified but upstream source is: https://git.launchpad.net/ubuntu/+source/init-system-helpers
+  };
+}
+''
+  mkdir -p $out/bin
+  ln -s $out/bin $out/sbin
+  cp $script $out/bin/service
+  chmod a+x $out/bin/service
+''
diff --git a/nixpkgs/pkgs/os-specific/linux/service-wrapper/service-wrapper.sh b/nixpkgs/pkgs/os-specific/linux/service-wrapper/service-wrapper.sh
new file mode 100755
index 000000000000..2889adc18686
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/service-wrapper/service-wrapper.sh
@@ -0,0 +1,224 @@
+#!@shell@
+
+###########################################################################
+# /usr/bin/service
+#
+# A convenient wrapper for the /etc/init.d init scripts.
+#
+# This script is a modified version of the /sbin/service utility found on
+# Red Hat/Fedora systems (licensed GPLv2+).
+#
+# Copyright (C) 2006 Red Hat, Inc. All rights reserved.
+# Copyright (C) 2008 Canonical Ltd.
+#   * August 2008 - Dustin Kirkland <kirkland@canonical.com>
+# Copyright (C) 2013 Michael Stapelberg <stapelberg@debian.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# On Debian GNU/Linux systems, the complete text of the GNU General
+# Public License can be found in `/usr/share/common-licenses/GPL-2'.
+###########################################################################
+
+
+is_ignored_file() {
+    case "$1" in
+        skeleton | README | *.dpkg-dist | *.dpkg-old | rc | rcS | single | reboot | bootclean.sh)
+            return 0
+        ;;
+    esac
+    return 1
+}
+
+VERSION=$(@coreutils@/bin/basename $0)" ver. 19-04"
+USAGE="Usage: "$(@coreutils@/bin/basename $0)" < option > | --status-all | \
+[ service_name [ command | --full-restart ] ]"
+SERVICE=
+ACTION=
+SERVICEDIR="/etc/init.d"
+OPTIONS=
+is_systemd=
+
+
+if [ $# -eq 0 ]; then
+   echo "${USAGE}" >&2
+   exit 1
+fi
+
+if [ -d /run/systemd/system ]; then
+   is_systemd=1
+fi
+
+cd /
+while [ $# -gt 0 ]; do
+  case "${1}" in
+    --help | -h | --h* )
+       echo "${USAGE}" >&2
+       exit 0
+       ;;
+    --version | -V )
+       echo "${VERSION}" >&2
+       exit 0
+       ;;
+    *)
+       if [ -z "${SERVICE}" -a $# -eq 1 -a "${1}" = "--status-all" ]; then
+          if [ -d "${SERVICEDIR}" ]; then
+             cd ${SERVICEDIR}
+         for SERVICE in * ; do
+           case "${SERVICE}" in
+             functions | halt | killall | single| linuxconf| kudzu)
+                 ;;
+             *)
+               if ! is_ignored_file "${SERVICE}" \
+               && [ -x "${SERVICEDIR}/${SERVICE}" ]; then
+                       out=$(env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" status 2>&1)
+                       retval=$?
+                       if echo "$out" | egrep -iq "usage:"; then
+                         #printf " %s %-60s %s\n" "[?]" "$SERVICE:" "unknown" 1>&2
+                         echo " [ ? ]  $SERVICE" 1>&2
+                         continue
+                       else
+                         if [ "$retval" = "0" -a -n "$out" ]; then
+                           #printf " %s %-60s %s\n" "[+]" "$SERVICE:" "running"
+                           echo " [ + ]  $SERVICE"
+                           continue
+                         else
+                           #printf " %s %-60s %s\n" "[-]" "$SERVICE:" "NOT running"
+                           echo " [ - ]  $SERVICE"
+                           continue
+                         fi
+                       fi
+                 #env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" status
+               fi
+               ;;
+           esac
+         done
+          else
+             systemctl $sctl_args list-units
+          fi
+          exit 0
+       elif [ $# -eq 2 -a "${2}" = "--full-restart" ]; then
+          SERVICE="${1}"
+          # On systems using systemd, we just perform a normal restart:
+          # A restart with systemd is already a full restart.
+          if [ -n "$is_systemd" ]; then
+             ACTION="restart"
+          else
+             if [ -x "${SERVICEDIR}/${SERVICE}" ]; then
+               env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" stop
+               env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" start
+               exit $?
+             fi
+          fi
+       elif [ -z "${SERVICE}" ]; then
+         SERVICE="${1}"
+       elif [ -z "${ACTION}" ]; then
+         ACTION="${1}"
+       else
+         OPTIONS="${OPTIONS} ${1}"
+       fi
+       shift
+       ;;
+   esac
+done
+
+run_via_sysvinit() {
+   # Otherwise, use the traditional sysvinit
+   if [ -x "${SERVICEDIR}/${SERVICE}" ]; then
+      exec env -i LANG="$LANG" LANGUAGE="$LANGUAGE" LC_CTYPE="$LC_CTYPE" LC_NUMERIC="$LC_NUMERIC" LC_TIME="$LC_TIME" LC_COLLATE="$LC_COLLATE" LC_MONETARY="$LC_MONETARY" LC_MESSAGES="$LC_MESSAGES" LC_PAPER="$LC_PAPER" LC_NAME="$LC_NAME" LC_ADDRESS="$LC_ADDRESS" LC_TELEPHONE="$LC_TELEPHONE" LC_MEASUREMENT="$LC_MEASUREMENT" LC_IDENTIFICATION="$LC_IDENTIFICATION" LC_ALL="$LC_ALL" PATH="$PATH" TERM="$TERM" "$SERVICEDIR/$SERVICE" ${ACTION} ${OPTIONS}
+   else
+      echo "${SERVICE}: unrecognized service" >&2
+      exit 1
+   fi
+}
+
+update_openrc_started_symlinks() {
+   # maintain the symlinks of /run/openrc/started so that
+   # rc-status works with the service command as well
+   if [ -d /run/openrc/started ] ; then
+      case "${ACTION}" in
+      start)
+         if [ ! -h /run/openrc/started/$SERVICE ] ; then
+            ln -s $SERVICEDIR/$SERVICE /run/openrc/started/$SERVICE || true
+         fi
+      ;;
+      stop)
+         rm /run/openrc/started/$SERVICE || true
+      ;;
+      esac
+   fi
+}
+
+# When this machine is running systemd, standard service calls are turned into
+# systemctl calls.
+if [ -n "$is_systemd" ]
+then
+   UNIT="${SERVICE%.sh}.service"
+   # avoid deadlocks during bootup and shutdown from units/hooks
+   # which call "invoke-rc.d service reload" and similar, since
+   # the synchronous wait plus systemd's normal behaviour of
+   # transactionally processing all dependencies first easily
+   # causes dependency loops
+   if ! systemctl --quiet is-active multi-user.target; then
+       sctl_args="--job-mode=ignore-dependencies"
+   fi
+
+   case "${ACTION}" in
+      restart|status|try-restart)
+         exec systemctl $sctl_args ${ACTION} ${UNIT}
+      ;;
+      start|stop)
+         # Follow the principle of least surprise for SysV people:
+         # When running "service foo stop" and foo happens to be a service that
+         # has one or more .socket files, we also stop the .socket units.
+         # Users who need more control will use systemctl directly.
+         for unit in $(systemctl list-unit-files --full --type=socket 2>/dev/null | sed -ne 's/\.socket\s*[a-z]*\s*$/.socket/p'); do
+             if [ "$(systemctl -p Triggers show $unit)" = "Triggers=${UNIT}" ]; then
+                systemctl $sctl_args ${ACTION} $unit
+             fi
+         done
+         exec systemctl $sctl_args ${ACTION} ${UNIT}
+      ;;
+      reload)
+         _canreload="$(systemctl -p CanReload show ${UNIT} 2>/dev/null)"
+         if [ "$_canreload" = "CanReload=no" ]; then
+            # The reload action falls back to the sysv init script just in case
+            # the systemd service file does not (yet) support reload for a
+            # specific service.
+            run_via_sysvinit
+         else
+            exec systemctl $sctl_args reload "${UNIT}"
+         fi
+         ;;
+      force-stop)
+         exec systemctl --signal=KILL kill "${UNIT}"
+         ;;
+      force-reload)
+         _canreload="$(systemctl -p CanReload show ${UNIT} 2>/dev/null)"
+         if [ "$_canreload" = "CanReload=no" ]; then
+            exec systemctl $sctl_args restart "${UNIT}"
+         else
+            exec systemctl $sctl_args reload "${UNIT}"
+         fi
+         ;;
+      *)
+         # We try to run non-standard actions by running
+         # the init script directly.
+         run_via_sysvinit
+         ;;
+   esac
+fi
+
+update_openrc_started_symlinks
+run_via_sysvinit
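Review bot: `$SERVICE` is taken from the command line and used unvalidated, and mostly unquoted, in `${SERVICEDIR}/${SERVICE}` and in the `ln -s` and `rm` targets under `/run/openrc/started/` in `update_openrc_started_symlinks`, so a name containing `/` or whitespace resolves outside those directories. This matters wherever `service` is delegated through sudo rules. Reject such names once argument parsing is done, e.g. `case "$SERVICE" in */*|.|..) echo "${SERVICE}: unrecognized service" >&2; exit 1 ;; esac`, and quote the expansions. `sctl_args` is never initialised alongside `SERVICE=` and `ACTION=`, so it is inherited from the caller's environment and already expanded in the `--status-all` branch; add `sctl_args=` to that list. Only `basename` is pinned to `@coreutils@`, while `env`, `egrep`, `sed`, `ln`, `rm` and `systemctl` are still resolved through `PATH`.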
diff --git a/nixpkgs/pkgs/os-specific/linux/setools/default.nix b/nixpkgs/pkgs/os-specific/linux/setools/default.nix
new file mode 100644
index 000000000000..9d547d2007ec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/setools/default.nix
@@ -0,0 +1,42 @@
+{ lib, fetchFromGitHub, python3
+, libsepol, libselinux, checkpolicy
+, withGraphics ? false
+}:
+
+with lib;
+with python3.pkgs;
+
+buildPythonApplication rec {
+  pname = "setools";
+  version = "4.4.0";
+
+  src = fetchFromGitHub {
+    owner = "SELinuxProject";
+    repo = pname;
+    rev = version;
+    sha256 = "1qvd5j6zwq4fmlahg45swjplhif2z89x7s6pnp07gvcp2fbqdsh5";
+  };
+
+  nativeBuildInputs = [ cython ];
+  buildInputs = [ libsepol ];
+  propagatedBuildInputs = [ enum34 libselinux networkx ]
+    ++ optionals withGraphics [ pyqt5 ];
+
+  checkInputs = [ tox checkpolicy ];
+  preCheck = ''
+    export CHECKPOLICY=${checkpolicy}/bin/checkpolicy
+  '';
+
+  setupPyBuildFlags = [ "-i" ];
+
+  preBuild = ''
+    export SEPOL="${lib.getLib libsepol}/lib/libsepol.a"
+  '';
+
+  meta = {
+    description = "SELinux Policy Analysis Tools";
+    homepage = "https://github.com/SELinuxProject/setools";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
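Review bot: `enum34` in `propagatedBuildInputs` is a backport of the standard-library `enum` module for interpreters older than Python 3.4, and this derivation builds against `python3.pkgs`, so the dependency looks redundant and adds an unneeded package to every consumer's closure. Unless setools' `setup.py` still lists it as a hard requirement (not visible here), the line can be `propagatedBuildInputs = [ libselinux networkx ]`. `meta` has no `maintainers` entry.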
diff --git a/nixpkgs/pkgs/os-specific/linux/seturgent/default.nix b/nixpkgs/pkgs/os-specific/linux/seturgent/default.nix
new file mode 100644
index 000000000000..6d83e322ce8f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/seturgent/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchgit, libX11, xorgproto }:
+
+stdenv.mkDerivation rec {
+  pname = "seturgent";
+  version = "1.5";
+
+  src = fetchgit {
+    url = "git://git.codemadness.org/seturgent";
+    rev = version;
+    sha256 = "sha256-XW7ms0BVCf1/fuL3PJ970t6sHkmMY1iLYXfS9R60JX0=";
+  };
+
+  buildInputs = [
+    libX11
+    xorgproto
+  ];
+
+  installPhase = ''
+    mkdir -pv $out/bin
+    mv seturgent $out/bin
+  '';
+
+  meta = with lib; {
+    platforms = platforms.linux;
+    description = "Set an application's urgency hint (or not)";
+    maintainers = with maintainers; [ yarr ];
+    homepage = "https://codemadness.org/seturgent-set-urgency-hints-for-x-applications.html";
+    license = licenses.mit;
+  };
+}
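Review bot: `fetchgit` uses the `git://` transport, which provides neither encryption nor server authentication. The `sha256` pin keeps existing builds reproducible, but every future hash update would be computed from an unauthenticated clone, and the protocol is commonly blocked by firewalls. If upstream offers an HTTPS clone URL, use it (`url = "<HTTPS_CLONE_URL>";`); otherwise add a comment saying that no authenticated transport is available. The custom `installPhase` also omits `runHook preInstall` and `runHook postInstall`.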
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix
new file mode 100644
index 000000000000..2077d23bc9d7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -0,0 +1,169 @@
+{ stdenv
+, lib
+, fetchurl
+, cmake
+, coreutils
+, curl
+, file
+, glibc
+, makeWrapper
+, nixosTests
+, protobuf
+, python3
+, sgx-sdk
+, shadow
+, systemd
+, util-linux
+, which
+, debug ? false
+}:
+stdenv.mkDerivation rec {
+  inherit (sgx-sdk) version versionTag src;
+  pname = "sgx-psw";
+
+  postUnpack =
+    let
+      ae.prebuilt = fetchurl {
+        url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
+        hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
+      };
+      dcap = rec {
+        version = "1.13";
+        filename = "prebuilt_dcap_${version}.tar.gz";
+        prebuilt = fetchurl {
+          url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
+          hash = "sha256-0kD6hxN8qZ/7/H99aboQx7Qg7ewmYPEexoU6nqczAik=";
+        };
+      };
+    in
+    sgx-sdk.postUnpack + ''
+      # Make sure we use the correct version of prebuilt DCAP
+      grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
+        || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
+
+      tar -zxf ${ae.prebuilt}   -C $sourceRoot/
+      tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
+    '';
+
+  nativeBuildInputs = [
+    cmake
+    file
+    makeWrapper
+    python3
+    sgx-sdk
+    which
+  ];
+
+  buildInputs = [
+    curl
+    protobuf
+  ];
+
+  hardeningDisable = lib.optionals debug [
+    "fortify"
+  ];
+
+  postPatch = ''
+    patchShebangs \
+      linux/installer/bin/build-installpkg.sh \
+      linux/installer/common/psw/createTarball.sh \
+      linux/installer/common/psw/install.sh
+  '';
+
+  dontUseCmakeConfigure = true;
+
+  # Randomly fails if enabled
+  enableParallelBuilding = false;
+
+  buildFlags = [
+    "psw_install_pkg"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "-C linux/installer/common/psw/output"
+    "DESTDIR=$(TMPDIR)/install"
+  ];
+
+  postInstall = ''
+    installDir=$TMPDIR/install
+    sgxPswDir=$installDir/opt/intel/sgxpsw
+
+    mv $installDir/usr/lib64/ $out/lib/
+    ln -sr $out/lib $out/lib64
+
+    # Install udev rules to lib/udev/rules.d
+    mv $sgxPswDir/udev/ $out/lib/
+
+    # Install example AESM config
+    mkdir $out/etc/
+    mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
+    rmdir $sgxPswDir/aesm/conf/
+
+    # Delete init service
+    rm $sgxPswDir/aesm/aesmd.conf
+
+    # Move systemd services
+    mkdir -p $out/lib/systemd/system/
+    mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
+    mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/
+
+    # Move misc files
+    mkdir $out/share/
+    mv $sgxPswDir/licenses $out/share/
+
+    # Remove unnecessary files
+    rm $sgxPswDir/{cleanup.sh,startup.sh}
+    rm -r $sgxPswDir/scripts
+
+    mv $sgxPswDir/aesm/ $out/
+
+    mkdir $out/bin
+    makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
+      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
+      --chdir "$out/aesm"
+
+    # Make sure we didn't forget to handle any files
+    rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
+  '';
+
+  # Most—if not all—of those fixups are not relevant for NixOS as we have our own
+  # NixOS module which is based on those files without relying on them. Still, it
+  # is helpful to have properly patched versions for non-NixOS distributions.
+  postFixup = ''
+    header "Fixing aesmd.service"
+    substituteInPlace $out/lib/systemd/system/aesmd.service \
+      --replace '@aesm_folder@' \
+                "$out/aesm" \
+      --replace 'Type=forking' \
+                'Type=simple' \
+      --replace "ExecStart=$out/aesm/aesm_service" \
+                "ExecStart=$out/bin/aesm_service --no-daemon"\
+      --replace "/bin/mkdir" \
+                "${coreutils}/bin/mkdir" \
+      --replace "/bin/chown" \
+                "${coreutils}/bin/chown" \
+      --replace "/bin/chmod" \
+                "${coreutils}/bin/chmod" \
+      --replace "/bin/kill" \
+                "${coreutils}/bin/kill"
+
+    header "Fixing remount-dev-exec.service"
+    substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
+      --replace '/bin/mount' \
+                "${util-linux}/bin/mount"
+  '';
+
+  passthru.tests = {
+    service = nixosTests.aesmd;
+  };
+
+  meta = with lib; {
+    description = "Intel SGX Architectural Enclave Service Manager";
+    homepage = "https://github.com/intel/linux-sgx";
+    maintainers = with maintainers; [ veehaitch citadelcore ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 ];
+  };
+}
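Review bot: The closing guard in `postInstall` removes `$sgxPswDir` but its error message names and lists `$installDir`, so on failure it reports the wrong path and `ls -A` shows the top-level install tree rather than the leftover files. Use the same variable throughout: `rmdir $sgxPswDir || (echo "Error: The directory $sgxPswDir still contains unhandled files: $(ls -A $sgxPswDir)" >&2 && exit 1)`. In `postUnpack`, the DCAP tarball is cross-checked against `download_prebuilt.sh`, but the `ae.prebuilt` tarball has no equivalent check. Both are opaque prebuilt binaries, so a short comment explaining why they cannot be built from source and that the pinned hashes are the only integrity control would help reviewers of future bumps.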
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/samples/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/samples/default.nix
new file mode 100644
index 000000000000..2afd62de75d4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/samples/default.nix
@@ -0,0 +1,109 @@
+{ stdenv
+, lib
+, makeWrapper
+, sgx-sdk
+, sgx-psw
+, which
+  # "SIM" or "HW"
+, sgxMode
+}:
+let
+  isSimulation = sgxMode == "SIM";
+  buildSample = name: stdenv.mkDerivation {
+    pname = name;
+    version = sgxMode;
+
+    src = sgx-sdk.out;
+    sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
+
+    nativeBuildInputs = [
+      makeWrapper
+      which
+    ];
+
+    buildInputs = [
+      sgx-sdk
+    ];
+
+    # The samples don't have proper support for parallel building
+    # causing them to fail randomly.
+    enableParallelBuilding = false;
+
+    buildFlags = [
+      "SGX_MODE=${sgxMode}"
+    ];
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/{bin,lib}
+      install -m 755 app $out/bin
+      install *.so $out/lib
+
+      wrapProgram "$out/bin/app" \
+        --chdir "$out/lib" \
+        ${lib.optionalString (!isSimulation)
+        ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
+
+      runHook postInstall
+    '';
+
+    # Breaks the signature of the enclaves
+    dontFixup = true;
+
+    # We don't have access to real SGX hardware during the build
+    doInstallCheck = isSimulation;
+    installCheckPhase = ''
+      runHook preInstallCheck
+
+      pushd /
+      echo a | $out/bin/app
+      popd
+
+      runHook preInstallCheck
+    '';
+  };
+in
+{
+  cxx11SGXDemo = buildSample "Cxx11SGXDemo";
+  localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/{bin,lib}
+      install -m 755 bin/app* $out/bin
+      install bin/*.so $out/lib
+
+      for bin in $out/bin/*; do
+        wrapProgram $bin \
+          --chdir "$out/lib" \
+          ${lib.optionalString (!isSimulation)
+          ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
+      done
+
+      runHook postInstall
+    '';
+  });
+  powerTransition = buildSample "PowerTransition";
+  protobufSGXDemo = buildSample "ProtobufSGXDemo";
+  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
+    # Makefile sets rpath to point to $TMPDIR
+    preFixup = ''
+      patchelf --remove-rpath $out/bin/app
+    '';
+
+    postInstall = ''
+      install sample_libcrypto/*.so $out/lib
+    '';
+  });
+  sampleEnclave = buildSample "SampleEnclave";
+  sampleEnclavePCL = buildSample "SampleEnclavePCL";
+  sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
+  sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: {
+    prePatch = ''
+      substituteInPlace App/App.cpp \
+        --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
+    '';
+  });
+  switchless = buildSample "Switchless";
+}
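Review bot: `buildSample` sets `dontFixup = true`, and the `remoteAttestation` override adds a `preFixup` hook without resetting it. As far as stdenv's phase handling goes, that hook never runs, so `patchelf --remove-rpath` is skipped and the rpath pointing at `$TMPDIR` (per the comment) stays in `$out/bin/app`. Running the `patchelf` call at the end of the override's `postInstall` would apply it without re-enabling fixup for the enclave files. In `installCheckPhase` the last line repeats `runHook preInstallCheck` where `runHook postInstallCheck` is meant. The `sealUnseal` patch redirects the blob to the fixed path `/tmp/sealed_data_blob.txt`, a predictable name in a world-writable directory; a comment noting that this is acceptable only for the sample would prevent it being copied into real code.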
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/sdk/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/sdk/default.nix
new file mode 100644
index 000000000000..977139406fe9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -0,0 +1,285 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, fetchzip
+, autoconf
+, automake
+, binutils
+, callPackage
+, cmake
+, file
+, gdb
+, git
+, libtool
+, linkFarmFromDrvs
+, nasm
+, ocaml
+, ocamlPackages
+, openssl
+, perl
+, python3
+, texinfo
+, validatePkgConfig
+, writeShellApplication
+, writeShellScript
+, writeText
+, debug ? false
+}:
+stdenv.mkDerivation rec {
+  pname = "sgx-sdk";
+  # Version as given in se_version.h
+  version = "2.16.100.4";
+  # Version as used in the Git tag
+  versionTag = "2.16";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx";
+    rev = "sgx_${versionTag}";
+    hash = "sha256-qgXuJJWiqmcU11umCsE3DnlK4VryuTDAsNf53YPw6UY=";
+    fetchSubmodules = true;
+  };
+
+  postUnpack = ''
+    # Make sure this is the right version of linux-sgx
+    grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
+      || (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
+  '';
+
+  patches = [
+    # Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784
+    (fetchpatch {
+      url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch";
+      sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w=";
+    })
+  ];
+
+  postPatch = ''
+    patchShebangs linux/installer/bin/build-installpkg.sh \
+      linux/installer/common/sdk/createTarball.sh \
+      linux/installer/common/sdk/install.sh
+  '';
+
+  # We need `cmake` as a build input but don't use it to kick off the build phase
+  dontUseCmakeConfigure = true;
+
+  # SDK built with stackprotector produces broken enclaves which crash at runtime.
+  # Disable all to be safe, SDK build configures compiler mitigations manually.
+  hardeningDisable = [ "all" ];
+
+  nativeBuildInputs = [
+    autoconf
+    automake
+    cmake
+    file
+    git
+    ocaml
+    ocamlPackages.ocamlbuild
+    perl
+    python3
+    texinfo
+    validatePkgConfig
+  ];
+
+  buildInputs = [
+    libtool
+    openssl
+  ];
+
+  BINUTILS_DIR = "${binutils}/bin";
+
+  # Build external/ippcp_internal first. The Makefile is rewritten to make the
+  # build faster by splitting different versions of ipp-crypto builds and to
+  # avoid patching the Makefile for reproducibility issues.
+  preBuild =
+    let
+      ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };
+
+      sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
+
+      nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
+      ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
+        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
+      };
+
+      nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
+      ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
+        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
+      };
+    in
+    ''
+      header "Setting up IPP crypto build artifacts"
+
+      pushd 'external/ippcp_internal'
+
+      cp -r ${ipp-crypto-no_mitigation}/include/. inc/
+
+      install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
+        lib/linux/intel64/no_mitigation/libippcp.a
+      install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
+        lib/linux/intel64/cve_2020_0551_load/libippcp.a
+      install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
+        lib/linux/intel64/cve_2020_0551_cf/libippcp.a
+
+      rm inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u3.patch -o inc/ippcp.h
+
+      install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
+
+      popd
+    '';
+
+  buildFlags = [
+    "sdk_install_pkg"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  enableParallelBuilding = true;
+
+  postBuild = ''
+    patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    installDir=$TMPDIR
+    ./linux/installer/bin/sgx_linux_x64_sdk_${version}.bin -prefix $installDir
+    installDir=$installDir/sgxsdk
+
+    header "Move files created by installer"
+
+    mkdir -p $out/bin
+    pushd $out
+
+    mv $installDir/bin/sgx-gdb $out/bin
+    mkdir $out/bin/x64
+    for file in $installDir/bin/x64/*; do
+      mv $file bin/
+      ln -sr bin/$(basename $file) bin/x64/
+    done
+    rmdir $installDir/bin/{x64,}
+
+    # Move `lib64` to `lib` and symlink `lib64`
+    mv $installDir/lib64 lib
+    ln -s lib/ lib64
+
+    mv $installDir/include/ .
+
+    mkdir -p share/
+    mv $installDir/{SampleCode,licenses} share/
+
+    mkdir -p share/bin
+    mv $installDir/{environment,buildenv.mk} share/bin/
+    ln -s share/bin/{environment,buildenv.mk} .
+
+    # pkgconfig should go to lib/
+    mv $installDir/pkgconfig lib/
+    ln -s lib/pkgconfig/ .
+
+    # Also create the `sdk_libs` for compat. All the files
+    # link to libraries in `lib64/`, we shouldn't link the entire
+    # directory, however, as there seems to be some ambiguity between
+    # SDK and PSW libraries.
+    mkdir sdk_libs/
+    for file in $installDir/sdk_libs/*; do
+      ln -sr lib/$(basename $file) sdk_libs/
+      rm $file
+    done
+    rmdir $installDir/sdk_libs
+
+    # No uninstall script required
+    rm $installDir/uninstall.sh
+
+    # Create an `sgxsdk` symlink which points to `$out` for compat
+    ln -sr . sgxsdk
+
+    # Make sure we didn't forget any files
+    rmdir $installDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
+
+    popd
+
+    runHook postInstall
+  '';
+
+
+  preFixup = ''
+    header "Strip sgxsdk prefix"
+    for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do
+      substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out"
+    done
+
+    header "Fixing pkg-config files"
+    sed -i "s|prefix=.*|prefix=$out|g" $out/lib/pkgconfig/*.pc
+
+    header "Fixing SGX_SDK default in samples"
+    substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \
+      --replace '/opt/intel/sgxsdk' "$out"
+    for file in $out/share/SampleCode/*/Makefile; do
+      substituteInPlace $file \
+        --replace '/opt/intel/sgxsdk' "$out"
+    done
+
+    header "Fixing BINUTILS_DIR in buildenv.mk"
+    substituteInPlace $out/share/bin/buildenv.mk \
+      --replace 'BINUTILS_DIR ?= /usr/local/bin' \
+                'BINUTILS_DIR ?= ${BINUTILS_DIR}'
+
+    header "Fixing GDB path in bin/sgx-gdb"
+    substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
+  '';
+
+  doInstallCheck = true;
+
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    # Make sure all symlinks are valid
+    output=$(find "$out" -type l -exec test ! -e {} \; -print)
+    if [[ -n "$output" ]]; then
+      echo "Broken symlinks:"
+      echo "$output"
+      exit 1
+    fi
+
+    runHook postInstallCheck
+  '';
+
+  setupHook = writeText "setup-hook.sh" ''
+    sgxsdk() {
+        export SGX_SDK=@out@
+    }
+
+    postHooks+=(sgxsdk)
+  '';
+
+  passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
+
+  # Run tests in SGX hardware mode on an SGX-enabled machine
+  # $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
+  passthru.runTestsHW =
+    let
+      testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
+      testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
+    in
+    writeShellApplication {
+      name = "run-tests-hw";
+      text = ''
+        for test in ${testsHWLinked}/*; do
+          printf '*** Running test %s ***\n\n' "$(basename "$test")"
+          printf 'a\n' | "$test/bin/app"
+          printf '\n'
+        done
+      '';
+    };
+
+  meta = with lib; {
+    description = "Intel SGX SDK for Linux built with IPP Crypto Library";
+    homepage = "https://github.com/intel/linux-sgx";
+    maintainers = with maintainers; [ sbellem arturcygan veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 ];
+  };
+}
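Review bot: `hardeningDisable = [ "all" ]` switches off every nixpkgs hardening flag for the whole derivation, although the comment above it names only stackprotector as the cause of broken enclaves. The same build also produces host-side tools (the install phase moves `bin/x64/*` and `sgx-gdb` into `$out/bin`), which would presumably lose fortify, PIE, RELRO and bindnow without needing to. Consider narrowing it, e.g. `hardeningDisable = [ "stackprotector" ];`, and re-running the SIM-mode samples from `passthru.tests`; if `all` really is required, record in the comment which flags were tried and what failed. Separately, the `nasm-load` and `nasm-cf` wrappers pass `$@` unquoted, and `\"$@\"` would keep assembler arguments containing spaces intact.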
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/nixpkgs/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
new file mode 100644
index 000000000000..85fcfc9c554d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
@@ -0,0 +1,36 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, nasm
+, openssl
+, python3
+, extraCmakeFlags ? [ ]
+}:
+
+stdenv.mkDerivation rec {
+  pname = "ipp-crypto";
+  version = "2021.3";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "ipp-crypto";
+    rev = "ippcp_${version}";
+    hash = "sha256-QEJXvQ//zhQqibFxXwPMdS1MHewgyb24LRmkycVSGrM=";
+  };
+
+  # Fix typo: https://github.com/intel/ipp-crypto/pull/33
+  postPatch = ''
+    substituteInPlace sources/cmake/ippcp-gen-config.cmake \
+      --replace 'ippcpo-config.cmake' 'ippcp-config.cmake'
+  '';
+
+  cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+
+  nativeBuildInputs = [
+    cmake
+    nasm
+    openssl
+    python3
+  ];
+}
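Review bot: This derivation has no `meta` block, so the crypto library that ends up inside the SGX SDK has no recorded licence, homepage or platform restriction, and the `lib` argument is unused. Adding one keeps licence and platform checks working for it, e.g. `meta = { homepage = "https://github.com/intel/ipp-crypto"; license = lib.licenses.asl20; platforms = [ "x86_64-linux" ]; };`. The licence value should be confirmed against the upstream LICENSE file, which sdk/default.nix already copies.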
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
new file mode 100644
index 000000000000..f3f6ce485063
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -0,0 +1,95 @@
+{ stdenv
+, fetchFromGitHub
+, fetchpatch
+, fetchurl
+, lib
+, perl
+, sgx-sdk
+, which
+, debug ? false
+}:
+let
+  sgxVersion = sgx-sdk.versionTag;
+  opensslVersion = "1.1.1l";
+in
+stdenv.mkDerivation rec {
+  pname = "sgx-ssl" + lib.optionalString debug "-debug";
+  version = "${sgxVersion}_${opensslVersion}";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "intel-sgx-ssl";
+    rev = "lin_${sgxVersion}_${opensslVersion}";
+    hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
+  };
+
+  postUnpack =
+    let
+      opensslSourceArchive = fetchurl {
+        url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
+        hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
+      };
+    in
+    ''
+      ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
+    '';
+
+  patches = [
+    # https://github.com/intel/intel-sgx-ssl/pull/111
+    ./intel-sgx-ssl-pr-111.patch
+  ];
+
+  postPatch = ''
+    patchShebangs Linux/build_openssl.sh
+
+    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    substituteInPlace Linux/sgx/Makefile \
+      --replace '$(MAKE) -C $(TEST_DIR) all' \
+                'bash -c "true"'
+  '';
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [
+    perl
+    sgx-sdk
+    stdenv.cc.libc
+    which
+  ];
+
+  makeFlags = [
+    "-C Linux"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+  ];
+
+  # Build the test app
+  #
+  # Running the test app is currently only supported on Intel CPUs
+  # and will fail on non-Intel CPUs even in SGX simulation mode.
+  # Therefore, we only build the test app without running it until
+  # upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
+  doInstallCheck = true;
+  installCheckTarget = "all";
+  installCheckFlags = [
+    "SGX_MODE=SIM"
+    "-C sgx/test_app"
+    "-j 1" # Makefile doesn't support multiple jobs
+  ];
+  preInstallCheck = ''
+    # Expects the enclave file in the current working dir
+    ln -s sgx/test_app/TestEnclave.signed.so .
+  '';
+
+  meta = with lib; {
+    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
+    homepage = "https://github.com/intel/intel-sgx-ssl";
+    maintainers = with maintainers; [ trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 openssl ];
+  };
+}
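Review bot: `opensslVersion = "1.1.1l"` fixes the OpenSSL release that is compiled into this library, and because `rev` is derived from it, the bundled copy does not follow security updates of the nixpkgs `openssl` package. Enclaves linked against this output keep that release until the upstream tag and the tarball hash are bumped together, so a comment above the `let` would help, e.g. `# Bundled OpenSSL is pinned by the intel-sgx-ssl tag; security fixes need a new upstream tag.` Once the pinned release is known to be affected by published advisories, `meta.knownVulnerabilities` would be the place to record that. The `postPatch` comment also says the test is run in the `installCheckPhase`, while the later comment says the test app is only built and not run, so the two should be aligned.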
diff --git a/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
new file mode 100644
index 000000000000..6ef06d7e231b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
@@ -0,0 +1,99 @@
+From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:22:31 +0100
+Subject: [PATCH 1/3] Linux: fix Nix detection
+
+Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
+environment variable instead of `NIX_PATH`. The latter is only set in a
+`nix-shell` session but isn't when building a derivation through
+`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
+both cases.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/sgx/buildenv.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
+index cd8818e..dac23c7 100644
+--- a/Linux/sgx/buildenv.mk
++++ b/Linux/sgx/buildenv.mk
+@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
+ UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
+ ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
+ 	OS_ID=1
+-else ifeq ($(origin NIX_PATH),environment)
++else ifeq ($(origin NIX_STORE),environment)
+ 	OS_ID=3
+ else
+ 	OS_ID=2
+
+From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:33:22 +0100
+Subject: [PATCH 2/3] Linux: call binaries relative to PATH
+
+Using an absolute path to call binaries is incompatible with
+distributions which do not follow the Filesystem Hierachy Standard;
+Nix is an example. Also, it is inconsistent with the rest of the code
+base, let alone superfluous.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index 7d77b79..e8b59a1 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ echo $SGXSSL_ROOT
+ 
+ OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
+-OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
++OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
+ if [ "$OPENSSL_VERSION" == "" ] 
+ then
+ 	echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
+
+From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Tue, 11 Jan 2022 10:56:39 +0100
+Subject: [PATCH 3/3] Linux: properly extract GCC major version
+
+Calling `gcc -dumpversion` yields the full version string, e.g.,
+`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
+comparison operator to check if the returned version is at least
+8. This results in an error if the returned GCC version includes a patch
+version; "10.3.0" isn't a valid number.
+
+This commit fixes the version detection by only extracting the relevant
+major version of GCC.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index e8b59a1..6e4046f 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -82,6 +82,7 @@ fi
+ MITIGATION_OPT=""
+ MITIGATION_FLAGS=""
+ CC_VERSION=`gcc -dumpversion`
++CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
+ for arg in "$@"
+ do
+     case $arg in
+@@ -99,7 +100,7 @@ do
+         ;;
+     -mfunction-return=thunk-extern)
+         MITIGATION_FLAGS+=" $arg"
+-        if [[ $CC_VERSION -ge 8 ]] ; then
++        if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
+             MITIGATION_FLAGS+=" -fcf-protection=none"
+         fi
+         shift
diff --git a/nixpkgs/pkgs/os-specific/linux/shadow/default.nix b/nixpkgs/pkgs/os-specific/linux/shadow/default.nix
new file mode 100644
index 000000000000..5537f9f6aacb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/shadow/default.nix
@@ -0,0 +1,96 @@
+{ lib, stdenv, nixosTests, fetchpatch, fetchFromGitHub, autoreconfHook, libxslt
+, libxml2 , docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison, runtimeShell
+, pam ? null, glibcCross ? null
+}:
+
+let
+
+  glibc =
+    if stdenv.hostPlatform != stdenv.buildPlatform
+    then glibcCross
+    else assert stdenv.hostPlatform.libc == "glibc"; stdenv.cc.libc;
+
+  dots_in_usernames = fetchpatch {
+    url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch";
+    sha256 = "1fj3rg6x3jppm5jvi9y7fhd2djbi4nc5pgwisw00xlh4qapgz692";
+  };
+
+in
+
+stdenv.mkDerivation rec {
+  pname = "shadow";
+  version = "4.11.1";
+
+  src = fetchFromGitHub {
+    owner = "shadow-maint";
+    repo = "shadow";
+    rev = "v${version}";
+    sha256 = "sha256-PxLX5V0t18JftT5wT41krNv18Ew7Kz3MfZkOi/80ODA=";
+  };
+
+  buildInputs = lib.optional (pam != null && stdenv.isLinux) pam;
+  nativeBuildInputs = [autoreconfHook libxslt libxml2
+    docbook_xml_dtd_45 docbook_xsl flex bison itstool
+    ];
+
+  patches =
+    [ ./keep-path.patch
+      # Obtain XML resources from XML catalog (patch adapted from gtk-doc)
+      ./respect-xml-catalog-files-var.patch
+      dots_in_usernames
+      ./runtime-shell.patch
+    ];
+
+  RUNTIME_SHELL = runtimeShell;
+
+  # The nix daemon often forbids even creating set[ug]id files.
+  postPatch =
+    ''sed 's/^\(s[ug]idperms\) = [0-9]755/\1 = 0755/' -i src/Makefile.am
+    '';
+
+  outputs = [ "out" "su" "man" ];
+
+  enableParallelBuilding = true;
+
+  # Assume System V `setpgrp (void)', which is the default on GNU variants
+  # (`AC_FUNC_SETPGRP' is not cross-compilation capable.)
+  preConfigure = ''
+    export ac_cv_func_setpgrp_void=yes
+    export shadow_cv_logdir=/var/log
+  '';
+
+  configureFlags = [
+    "--enable-man"
+    "--with-group-name-max-length=32"
+  ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd";
+
+  preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc")
+    ''
+      substituteInPlace lib/nscd.c --replace /usr/sbin/nscd ${glibc.bin}/bin/nscd
+    '';
+
+  postInstall =
+    ''
+      # Don't install ‘groups’, since coreutils already provides it.
+      rm $out/bin/groups
+      rm $man/share/man/man1/groups.*
+
+      # Move the su binary into the su package
+      mkdir -p $su/bin
+      mv $out/bin/su $su/bin
+    '';
+
+  disallowedReferences = lib.optional (stdenv.buildPlatform != stdenv.hostPlatform) stdenv.shellPackage;
+
+  meta = with lib; {
+    homepage = "https://github.com/shadow-maint";
+    description = "Suite containing authentication-related tools such as passwd and su";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+  };
+
+  passthru = {
+    shellPath = "/bin/nologin";
+    tests = { inherit (nixosTests) shadow; };
+  };
+}
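Review bot: The `postPatch` sed that rewrites `suidperms`/`sgidperms` to `0755` succeeds even when the pattern no longer matches `src/Makefile.am`, so an upstream change to those lines would go unnoticed at build time. A guard after the sed would make that fail loudly, e.g. `if grep -Eq '^s[ug]idperms = [1-7]755' src/Makefile.am; then exit 1; fi`. The comment could also say that the resulting `su`, `passwd` and similar binaries are installed without the set[ug]id bit and therefore presumably depend on a privileged wrapper at runtime.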
diff --git a/nixpkgs/pkgs/os-specific/linux/shadow/keep-path.patch b/nixpkgs/pkgs/os-specific/linux/shadow/keep-path.patch
new file mode 100644
index 000000000000..99fd17c27bc9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/shadow/keep-path.patch
@@ -0,0 +1,19 @@
+diff -ru shadow-4.1.5.1-orig/src/su.c shadow-4.1.5.1/src/su.c
+--- shadow-4.1.5.1-orig/src/su.c	2012-05-25 07:51:55.000000000 -0400
++++ shadow-4.1.5.1/src/su.c	2012-07-25 17:22:57.013547930 -0400
+@@ -879,6 +879,7 @@
+ 		}
+ 	}
+ 
++#if 0
+ 	cp = getdef_str ((pw->pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
+ 	if (NULL == cp) {
+ 		addenv ((pw->pw_uid == 0) ? "PATH=/sbin:/bin:/usr/sbin:/usr/bin" : "PATH=/bin:/usr/bin", NULL);
+@@ -887,6 +888,7 @@
+ 	} else {
+ 		addenv ("PATH", cp);
+ 	}
++#endif
+ 
+ 	if (getenv ("IFS") != NULL) {	/* don't export user IFS ... */
+ 		addenv ("IFS= \t\n", NULL);	/* ... instead, set a safe IFS */
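Review bot: The `#if 0` … `#endif` pair disables su's whole PATH-reset block, so the invoking user's PATH is presumably carried into the target session, including when `pw->pw_uid == 0`, and `ENV_SUPATH`/`ENV_PATH` from login.defs no longer have any effect. Neither the patch nor its entry in the `patches` list says why this is wanted or what replaces the reset. A header comment in the patch would document the trade-off, e.g. `Keep the caller's PATH in su: the FHS fallbacks (/sbin:/bin:/usr/sbin:/usr/bin) are presumably not usable here; ENV_SUPATH/ENV_PATH are ignored as a result.` The enclosing function in su.c starts and ends outside the two inner hunks. The patch is also still labelled against shadow-4.1.5.1 while the derivation builds 4.11.1, so it is worth confirming that the disabled region still spans the complete if/else chain.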
diff --git a/nixpkgs/pkgs/os-specific/linux/shadow/respect-xml-catalog-files-var.patch b/nixpkgs/pkgs/os-specific/linux/shadow/respect-xml-catalog-files-var.patch
new file mode 100644
index 000000000000..7d922eae71fc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/shadow/respect-xml-catalog-files-var.patch
@@ -0,0 +1,30 @@
+diff --git a/acinclude.m4 b/acinclude.m4
+index dd01f165..e23160ee 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -46,9 +46,21 @@ AC_DEFUN([JH_CHECK_XML_CATALOG],
+     ifelse([$3],,,[$3
+ ])dnl
+   else
+-    AC_MSG_RESULT([not found])
+-    ifelse([$4],,
+-       [AC_MSG_ERROR([could not find ifelse([$2],,[$1],[$2]) in XML catalog])],
+-       [$4])
++    jh_check_xml_catalog_saved_ifs="$IFS"
++    IFS=' '
++    for f in $XML_CATALOG_FILES; do
++      if [[ -f "$f" ]] && \
++        AC_RUN_LOG([$XMLCATALOG --noout "$f" "$1" >&2]); then
++        jh_found_xmlcatalog=true
++        AC_MSG_RESULT([found])
++        ifelse([$3],,,[$3])
++        break
++      fi
++    done
++    IFS="$jh_check_xml_catalog_saved_ifs"
++    if ! $jh_found_xmlcatalog; then
++      AC_MSG_RESULT([not found])
++      ifelse([$4],,[AC_MSG_ERROR([could not find ifelse([$2],,[$1],[$2]) in XML catalog])],[$4])
++    fi
+   fi
+ ])
diff --git a/nixpkgs/pkgs/os-specific/linux/shadow/runtime-shell.patch b/nixpkgs/pkgs/os-specific/linux/shadow/runtime-shell.patch
new file mode 100644
index 000000000000..0b2e68e330e4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/shadow/runtime-shell.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index e4c6aaec..03883ad7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -682,7 +682,7 @@ if test "$enable_utmpx" = "yes"; then
+ 	          [Define if utmpx should be used])
+ fi
+ 
+-AC_DEFINE_UNQUOTED(SHELL, ["$SHELL"], [The default shell.])
++AC_DEFINE_UNQUOTED(SHELL, ["$RUNTIME_SHELL"], [The runtime shell.])
+ 
+ AM_GNU_GETTEXT_VERSION(0.16)
+ AM_GNU_GETTEXT([external], [need-ngettext])
diff --git a/nixpkgs/pkgs/os-specific/linux/sinit/default.nix b/nixpkgs/pkgs/os-specific/linux/sinit/default.nix
new file mode 100644
index 000000000000..a412461bfd51
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sinit/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchgit, rcinit ? null, rcshutdown ? null, rcreboot ? null }:
+
+stdenv.mkDerivation rec {
+  pname = "sinit";
+  version = "1.1";
+
+  src = fetchgit {
+    url = "https://git.suckless.org/sinit/";
+    sha256 = "sha256-VtXkgixgElKKOT26uKN9feXDVjjtSgTWvcgk5o5MLmw=";
+    rev = "refs/tags/v${version}";
+  };
+  buildInputs = [
+    (lib.getOutput "static" stdenv.cc.libc)
+  ];
+  makeFlags = [ "PREFIX=$(out)" ];
+  preConfigure = ""
+    + (lib.optionalString (rcinit != null) ''sed -re 's@(rcinitcmd[^"]*")[^"]*"@\1${rcinit}"@' -i config.def.h; '')
+    + (lib.optionalString (rcshutdown != null) ''sed -re 's@(rc(reboot|poweroff)cmd[^"]*")[^"]*"@\1${rcshutdown}"@' -i config.def.h; '')
+    + (lib.optionalString (rcreboot != null) ''sed -re 's@(rc(reboot)cmd[^"]*")[^"]*"@\1${rcreboot}"@' -i config.def.h; '')
+  ;
+
+  meta = with lib; {
+    description = "A very minimal Linux init implementation from suckless.org";
+    license = licenses.mit;
+    maintainers = with maintainers; [ raskin ];
+    platforms = platforms.linux;
+    homepage = "https://tools.suckless.org/sinit";
+    downloadPage = "https://git.suckless.org/sinit";
+  };
+}
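Review bot: The `rcinit`, `rcshutdown` and `rcreboot` arguments are undocumented, and the sed expressions in `preConfigure` depend on their order: `rcshutdown` rewrites both `rcrebootcmd` and `rcpoweroffcmd`, then `rcreboot` overrides the reboot entry. A comment above `preConfigure` would capture that, e.g. `# rcshutdown sets both the reboot and poweroff commands; rcreboot, if given, then overrides reboot only.` The substitutions also succeed silently when `config.def.h` does not contain the expected pattern, in which case the built init would keep upstream's default script paths. A `grep -q` for the substituted value afterwards would catch that.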
diff --git a/nixpkgs/pkgs/os-specific/linux/smem/default.nix b/nixpkgs/pkgs/os-specific/linux/smem/default.nix
new file mode 100644
index 000000000000..6308b83b600a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/smem/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchurl, python3 }:
+
+stdenv.mkDerivation rec {
+  pname = "smem";
+  version = "1.5";
+
+  src = fetchurl {
+    url = "https://selenic.com/repo/smem/archive/${version}.tar.bz2";
+    sha256 = "19ibv1byxf2b68186ysrgrhy5shkc5mc69abark1h18yigp3j34m";
+  };
+
+  buildInputs = [ python3 ];
+
+  makeFlags = [ "smemcap" ];
+
+  installPhase =
+    ''
+      install -Dm555 -t $out/bin/ smem smemcap
+      install -Dm444 -t $out/share/man/man8/ smem.8
+    '';
+
+  meta = {
+    homepage = "https://www.selenic.com/smem/";
+    description = "A memory usage reporting tool that takes shared memory into account";
+    platforms = lib.platforms.linux;
+    maintainers = [ lib.maintainers.eelco ];
+    license = lib.licenses.gpl2Plus;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/smemstat/default.nix b/nixpkgs/pkgs/os-specific/linux/smemstat/default.nix
new file mode 100644
index 000000000000..5d78a3b30232
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/smemstat/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchFromGitHub, ncurses }:
+
+stdenv.mkDerivation rec {
+  pname = "smemstat";
+  version = "0.02.11";
+
+  src = fetchFromGitHub {
+    owner = "ColinIanKing";
+    repo = pname;
+    rev = "V${version}";
+    hash = "sha256-RvHBrcyNB/zqxEY27twgMsjHNg8kzJryqnIAM7+vpg8=";
+  };
+
+  buildInputs = [ ncurses ];
+  installFlags = [
+    "BINDIR=${placeholder "out"}/bin"
+    "MANDIR=${placeholder "out"}/share/man/man8"
+    "BASHDIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "Memory usage monitoring tool";
+    homepage = "https://github.com/ColinIanKing/smemstat";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ womfoo ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sssd/default.nix b/nixpkgs/pkgs/os-specific/linux/sssd/default.nix
new file mode 100644
index 000000000000..054d0c9fa1a4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sssd/default.nix
@@ -0,0 +1,106 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, makeWrapper, glibc, augeas, dnsutils, c-ares, curl,
+  cyrus_sasl, ding-libs, libnl, libunistring, nss, samba, nfs-utils, doxygen,
+  python3, pam, popt, talloc, tdb, tevent, pkg-config, ldb, openldap,
+  pcre2, libkrb5, cifs-utils, glib, keyutils, dbus, fakeroot, libxslt, libxml2,
+  libuuid, systemd, nspr, check, cmocka, uid_wrapper, p11-kit,
+  nss_wrapper, ncurses, Po4a, http-parser, jansson, jose,
+  docbook_xsl, docbook_xml_dtd_44,
+  nixosTests,
+  withSudo ? false }:
+
+let
+  docbookFiles = "${docbook_xsl}/share/xml/docbook-xsl/catalog.xml:${docbook_xml_dtd_44}/xml/dtd/docbook/catalog.xml";
+in
+stdenv.mkDerivation rec {
+  pname = "sssd";
+  version = "2.7.3";
+
+  src = fetchFromGitHub {
+    owner = "SSSD";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-mdgBRFqIT5SvDTeNiv1IbTyd9tcu8YJVfbw49gR6bKI=";
+  };
+
+  postPatch = ''
+    patchShebangs ./sbus_generate.sh.in
+  '';
+
+  # Something is looking for <libxml/foo.h> instead of <libxml2/libxml/foo.h>
+  NIX_CFLAGS_COMPILE = "-I${libxml2.dev}/include/libxml2";
+
+  preConfigure = ''
+    export SGML_CATALOG_FILES="${docbookFiles}"
+    export PYTHONPATH=$(find ${python3.pkgs.ldap} -type d -name site-packages)
+    export PATH=$PATH:${openldap}/libexec
+
+    configureFlagsArray=(
+      --prefix=$out
+      --sysconfdir=/etc
+      --localstatedir=/var
+      --enable-pammoddir=$out/lib/security
+      --with-os=fedora
+      --with-pid-path=/run
+      --with-python3-bindings
+      --with-syslog=journald
+      --without-selinux
+      --without-semanage
+      --with-xml-catalog-path=''${SGML_CATALOG_FILES%%:*}
+      --with-ldb-lib-dir=$out/modules/ldb
+      --with-nscd=${glibc.bin}/sbin/nscd
+    )
+  '' + lib.optionalString withSudo ''
+    configureFlagsArray+=("--with-sudo")
+  '';
+
+  enableParallelBuilding = true;
+  nativeBuildInputs = [ autoreconfHook makeWrapper pkg-config doxygen ];
+  buildInputs = [ augeas dnsutils c-ares curl cyrus_sasl ding-libs libnl libunistring nss
+                  samba nfs-utils p11-kit python3 popt
+                  talloc tdb tevent ldb pam openldap pcre2 libkrb5
+                  cifs-utils glib keyutils dbus fakeroot libxslt libxml2
+                  libuuid python3.pkgs.ldap systemd nspr check cmocka uid_wrapper
+                  nss_wrapper ncurses Po4a http-parser jansson jose ];
+
+  makeFlags = [
+    "SGML_CATALOG_FILES=${docbookFiles}"
+  ];
+
+  installFlags = [
+     "sysconfdir=$(out)/etc"
+     "localstatedir=$(out)/var"
+     "pidpath=$(out)/run"
+     "sss_statedir=$(out)/var/lib/sss"
+     "logpath=$(out)/var/log/sssd"
+     "pubconfpath=$(out)/var/lib/sss/pubconf"
+     "dbpath=$(out)/var/lib/sss/db"
+     "mcpath=$(out)/var/lib/sss/mc"
+     "pipepath=$(out)/var/lib/sss/pipes"
+     "gpocachepath=$(out)/var/lib/sss/gpo_cache"
+     "secdbpath=$(out)/var/lib/sss/secrets"
+     "initdir=$(out)/rc.d/init"
+  ];
+
+  postInstall = ''
+    rm -rf "$out"/run
+    rm -rf "$out"/rc.d
+    rm -f "$out"/modules/ldb/memberof.la
+    find "$out" -depth -type d -exec rmdir --ignore-fail-on-non-empty {} \;
+  '';
+  postFixup = ''
+    for f in $out/bin/sss{ctl,_cache,_debuglevel,_override,_seed}; do
+      wrapProgram $f --prefix LDB_MODULES_PATH : $out/modules/ldb
+    done
+  '';
+
+  passthru.tests = { inherit (nixosTests) sssd sssd-ldap; };
+
+  meta = with lib; {
+    description = "System Security Services Daemon";
+    homepage = "https://sssd.io/";
+    changelog = "https://sssd.io/release-notes/sssd-${version}.html";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ e-user illustris ];
+  };
+}
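Review bot: The split between the configure-time paths (`--sysconfdir=/etc`, `--localstatedir=/var`, `--with-pid-path=/run`) and the `installFlags` that redirect the same directories under `$(out)` is not explained, and `postInstall` then prunes the empty results. As far as this file shows, the package therefore ships none of the runtime state directories (`/var/lib/sss/db`, `pipes`, `secrets`, …), so their ownership and modes have to be set by whatever starts the daemon. A comment above `installFlags` would make that explicit, e.g. `# Install-time only: keeps make install out of /etc and /var; runtime directories are created by the service, not the package.`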
diff --git a/nixpkgs/pkgs/os-specific/linux/statifier/default.nix b/nixpkgs/pkgs/os-specific/linux/statifier/default.nix
new file mode 100644
index 000000000000..eefd95d1153a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/statifier/default.nix
@@ -0,0 +1,24 @@
+{ lib, multiStdenv, fetchurl }:
+
+multiStdenv.mkDerivation rec {
+  pname = "statifier";
+  version = "1.7.4";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/statifier/statifier-${version}.tar.gz";
+    sha256 = "03lzkla6knjhh186b43cac410x2fmhi28pkmzb3d211n3zp5i9y8";
+  };
+
+  phaseNames = [ "patchPhase" "installPhase" ];
+
+  postPatch = ''
+    sed -e s@/usr/@"$out/"@g -i */Makefile src/statifier
+    sed -e s@/bin/bash@"${multiStdenv.shell}"@g -i src/*.sh
+  '';
+
+  meta = with lib; {
+    description = "Tool for creating static Linux binaries";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/swapview/default.nix b/nixpkgs/pkgs/os-specific/linux/swapview/default.nix
new file mode 100644
index 000000000000..8eb455501052
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/swapview/default.nix
@@ -0,0 +1,23 @@
+{ lib, rustPlatform, fetchFromGitHub }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "swapview";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "lilydjwg";
+    repo = "swapview";
+    rev = "v${version}";
+    sha256 = "0339biydk997j5r72vzp7djwkscsz89xr3936nshv23fmxjh2rzj";
+  };
+
+  cargoSha256 = "03yi6bsjjnl8hznxr1nrnxx5lrqb574625j2lkxqbl9vrg9mswdz";
+
+  meta = with lib; {
+    description = "A simple program to view processes' swap usage on Linux";
+    homepage = "https://github.com/lilydjwg/swapview";
+    platforms = platforms.linux;
+    license = with licenses; [ bsd3 ];
+    maintainers = with maintainers; [ oxalica ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/switcheroo-control/default.nix b/nixpkgs/pkgs/os-specific/linux/switcheroo-control/default.nix
new file mode 100644
index 000000000000..38945c706221
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/switcheroo-control/default.nix
@@ -0,0 +1,58 @@
+{ lib
+, ninja
+, meson
+, fetchFromGitLab
+, systemd
+, libgudev
+, pkg-config
+, glib
+, python3
+, gobject-introspection
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "switcheroo-control";
+  version = "2.3";
+
+  format = "other";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "hadess";
+    repo = pname;
+    rev = version;
+    hash = "sha256-1Pze2TJ9mggfcpiLFwJ7/9WhsdJx4G3GoA7+Z47shuc=";
+  };
+
+  nativeBuildInputs = [
+    ninja
+    meson
+    pkg-config
+
+    # needed for glib-compile-resources
+    glib
+  ];
+
+  buildInputs = [
+    systemd
+    libgudev
+  ];
+
+  propagatedBuildInputs = [
+    python3.pkgs.pygobject3
+  ];
+
+  mesonFlags = [
+    "-Dsystemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
+    "-Dhwdbdir=${placeholder "out"}/etc/udev/hwdb.d"
+  ];
+
+  meta = with lib; {
+    description = "D-Bus service to check the availability of dual-GPU";
+    homepage = "https://gitlab.freedesktop.org/hadess/switcheroo-control/";
+    changelog = "https://gitlab.freedesktop.org/hadess/switcheroo-control/-/blob/${version}/NEWS";
+    license = licenses.gpl3Plus;
+    maintainers = [ ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/sydbox/default.nix b/nixpkgs/pkgs/os-specific/linux/sydbox/default.nix
new file mode 100644
index 000000000000..bdaf77147f2e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sydbox/default.nix
@@ -0,0 +1,77 @@
+{ lib
+, stdenv
+, fetchurl
+, pkg-config
+, autoreconfHook
+, python3
+, perl
+, libxslt
+, docbook_xsl
+, docbook_xml_dtd_42
+, libseccomp
+, installTests ? true, gnumake, which
+, debugBuild ? false, libunwind
+}:
+
+stdenv.mkDerivation rec {
+  pname = "sydbox-1";
+  version = "2.2.0";
+
+  outputs = [ "out" "dev" "man" "doc" ]
+    ++ lib.optional installTests "installedTests";
+
+  src = fetchurl {
+    url = "https://git.exherbo.org/${pname}.git/snapshot/${pname}-${version}.tar.xz";
+    sha256 = "0664myrrzbvsw73q5b7cqwgv4hl9a7vkm642s1r96gaxm16jk0z7";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    autoreconfHook
+    python3
+    perl
+    libxslt.bin
+    docbook_xsl
+    docbook_xml_dtd_42
+  ];
+
+  buildInputs = [
+    libseccomp
+  ] ++ lib.optional debugBuild libunwind
+    ++ lib.optionals installTests [
+      gnumake
+      python3
+      perl
+      which
+    ];
+
+  enableParallelBuilding = true;
+
+  configureFlags = [ ]
+    ++ lib.optionals installTests [ "--enable-installed-tests"
+      "--libexecdir=${placeholder "installedTests"}/libexec" ]
+    ++ lib.optional debugBuild "--enable-debug";
+
+  makeFlags = [ "SYD_INCLUDEDIR=${stdenv.cc.libc.dev}/include" ];
+
+  doCheck = true;
+  checkPhase = ''
+    # Many of the regular test cases in t/ do not work inside the build sandbox
+    make -C syd check
+  '';
+
+  postInstall = if installTests then ''
+    moveToOutput bin/syd-test $installedTests
+  '' else ''
+    # Tests are installed despite --disable-installed-tests
+    rm -r $out/bin/syd-test $out/libexec
+  '';
+
+  meta = with lib; {
+    homepage = "https://sydbox.exherbo.org/";
+    description = "seccomp-based application sandbox";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mvs ];
+  };
+}
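Review bot: The `postInstall` comment `# Tests are installed despite --disable-installed-tests` describes a flag that `configureFlags` never passes. With `installTests = false` the list only omits `--enable-installed-tests`, so the `rm -r` compensates for a default rather than for an ignored flag. Either pass it explicitly with `++ lib.optional (!installTests) "--disable-installed-tests"`, or reword the comment to `# syd-test and libexec are installed even without --enable-installed-tests`. Separately, the custom `checkPhase` omits `runHook preCheck` / `runHook postCheck`. Its own comment says most of t/ is not run in the build sandbox, so it is worth adding that the behavioural tests of this seccomp sandbox only run from the `installedTests` output.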
diff --git a/nixpkgs/pkgs/os-specific/linux/syscall_limiter/default.nix b/nixpkgs/pkgs/os-specific/linux/syscall_limiter/default.nix
new file mode 100644
index 000000000000..329ec522c422
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/syscall_limiter/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv
+, fetchFromGitHub
+, libseccomp
+, perl
+, which
+}:
+
+stdenv.mkDerivation {
+  pname = "syscall_limiter";
+  version = "2017-01-23";
+
+  src = fetchFromGitHub {
+    owner  = "vi";
+    repo   = "syscall_limiter";
+    rev    = "481c8c883f2e1260ebc83b352b63bf61a930a341";
+    sha256 = "0z5arj1kq1xczgrbw1b8m9kicbv3vs9bd32wvgfr4r6ndingsp5m";
+  };
+
+  buildInputs = [ libseccomp ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -v limit_syscalls $out/bin
+    cp -v monitor.sh $out/bin/limit_syscalls_monitor.sh
+    substituteInPlace $out/bin/limit_syscalls_monitor.sh \
+      --replace perl ${perl}/bin/perl \
+      --replace which ${which}/bin/which
+  '';
+
+  meta = with lib; {
+    description = "Start Linux programs with only selected syscalls enabled";
+    homepage    = "https://github.com/vi/syscall_limiter";
+    license     = licenses.mit;
+    maintainers = with maintainers; [ obadz ];
+    platforms   = platforms.linux;
+  };
+}
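Review bot: The two `--replace` patterns in `installPhase` are bare words, so `substituteInPlace` rewrites every occurrence of `perl` and `which` in `limit_syscalls_monitor.sh`. That includes any inside a comment, a message, a longer identifier, or an existing absolute path such as a `/usr/bin/perl` shebang. monitor.sh is not visible here, so whether this bites is unverified, but a silently mangled line is worth ruling out in a script that wraps a seccomp filter. Anchoring the patterns to the call sites (for instance `--replace "perl " "${perl}/bin/perl "`) or wrapping the script with a fixed `PATH` avoids it. The phase also omits `runHook preInstall` / `runHook postInstall`.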
diff --git a/nixpkgs/pkgs/os-specific/linux/sysdig/default.nix b/nixpkgs/pkgs/os-specific/linux/sysdig/default.nix
new file mode 100644
index 000000000000..4f5f3b585dad
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysdig/default.nix
@@ -0,0 +1,115 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake, kernel, installShellFiles, pkg-config
+, luajit, ncurses, perl, jsoncpp, libb64, openssl, curl, jq, gcc, elfutils, tbb, protobuf, grpc
+, libyamlcpp, nlohmann_json
+}:
+
+with lib;
+let
+  # Compare with https://github.com/draios/sysdig/blob/dev/cmake/modules/falcosecurity-libs.cmake
+  libsRev = "e5c53d648f3c4694385bbe488e7d47eaa36c229a";
+  libsSha256 = "sha256-pG10y5PpDqaF/cq8oAvax5B/ls2UTRQd7tCfBjWVf0U=";
+
+  # Compare with https://github.com/falcosecurity/libs/blob/master/cmake/modules/valijson.cmake#L17
+  valijson = fetchFromGitHub {
+    owner = "tristanpenman";
+    repo = "valijson";
+    rev = "v0.6";
+    sha256 = "sha256-ZD19Q2MxMQd3yEKbY90GFCrerie5/jzgO8do4JQDoKM=";
+  };
+
+in
+stdenv.mkDerivation rec {
+  pname = "sysdig";
+  version = "0.29.3";
+
+  src = fetchFromGitHub {
+    owner = "draios";
+    repo = "sysdig";
+    rev = version;
+    sha256 = "sha256-dMLeroOd9CgvmgQdPfX8oBxQSyksZi/hP4vO03JhlF0=";
+  };
+
+  nativeBuildInputs = [ cmake perl installShellFiles pkg-config ];
+  buildInputs = [
+    luajit
+    ncurses
+    libb64
+    openssl
+    curl
+    jq
+    gcc
+    elfutils
+    tbb
+    protobuf
+    grpc
+    libyamlcpp
+    jsoncpp
+    nlohmann_json
+  ] ++ optionals (kernel != null) kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  postUnpack = ''
+    cp -r ${fetchFromGitHub {
+      owner = "falcosecurity";
+      repo = "libs";
+      rev = libsRev;
+      sha256 = libsSha256;
+    }} libs
+    chmod -R +w libs
+    cmakeFlagsArray+=("-DFALCOSECURITY_LIBS_SOURCE_DIR=$(pwd)/libs" "-DVALIJSON_INCLUDE=${valijson}/include")
+  '';
+
+  cmakeFlags = [
+    "-DUSE_BUNDLED_DEPS=OFF"
+    "-DSYSDIG_VERSION=${version}"
+    "-DCREATE_TEST_TARGETS=OFF"
+  ] ++ optional (kernel == null) "-DBUILD_DRIVER=OFF";
+
+  # needed since luajit-2.1.0-beta3
+  NIX_CFLAGS_COMPILE = "-DluaL_reg=luaL_Reg -DluaL_getn(L,i)=((int)lua_objlen(L,i))";
+
+  preConfigure = ''
+    if ! grep -q "${libsRev}" cmake/modules/falcosecurity-libs.cmake; then
+      echo "falcosecurity-libs checksum needs to be updated!"
+      exit 1
+    fi
+    cmakeFlagsArray+=(-DCMAKE_EXE_LINKER_FLAGS="-ltbb -lcurl -labsl_synchronization")
+  '' + optionalString (kernel != null) ''
+    export INSTALL_MOD_PATH="$out"
+    export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  '';
+
+  postInstall =
+    ''
+      # Fix the bash completion location
+      installShellCompletion --bash $out/etc/bash_completion.d/sysdig
+      rm $out/etc/bash_completion.d/sysdig
+      rmdir $out/etc/bash_completion.d
+      rmdir $out/etc
+    ''
+    + optionalString (kernel != null) ''
+      make install_driver
+      kernel_dev=${kernel.dev}
+      kernel_dev=''${kernel_dev#/nix/store/}
+      kernel_dev=''${kernel_dev%%-linux*dev*}
+      if test -f "$out/lib/modules/${kernel.modDirVersion}/extra/scap.ko"; then
+          sed -i "s#$kernel_dev#................................#g" $out/lib/modules/${kernel.modDirVersion}/extra/scap.ko
+      else
+          xz -d $out/lib/modules/${kernel.modDirVersion}/extra/scap.ko.xz
+          sed -i "s#$kernel_dev#................................#g" $out/lib/modules/${kernel.modDirVersion}/extra/scap.ko
+          xz $out/lib/modules/${kernel.modDirVersion}/extra/scap.ko
+      fi
+    '';
+
+
+  meta = {
+    description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)";
+    license = with licenses; [ asl20 gpl2 mit ];
+    maintainers = [maintainers.raskin];
+    platforms = ["x86_64-linux"] ++ platforms.darwin;
+    broken = kernel != null && versionOlder kernel.version "4.14";
+    homepage = "https://sysdig.com/opensource/";
+    downloadPage = "https://github.com/draios/sysdig/releases";
+  };
+}
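Review bot: `hardeningDisable = [ "pic" ];` is unconditional and has no comment, so the userspace `sysdig` binaries are built with that hardening flag off even when `kernel == null` and no driver is compiled. If the flag is only needed for the kernel module build (likely, but not shown here), scope it with `hardeningDisable = optional (kernel != null) "pic";` and add a comment such as `# the kernel module build does not work with -fPIC`. The `sed` over `scap.ko` in `postInstall` also deserves a one-line comment saying why the kernel.dev store hash is blanked. The same command is repeated in both branches of the `if` and could be written once.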
diff --git a/nixpkgs/pkgs/os-specific/linux/sysfsutils/default.nix b/nixpkgs/pkgs/os-specific/linux/sysfsutils/default.nix
new file mode 100644
index 000000000000..b5f067fffd72
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysfsutils/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "sysfsutils";
+  version = "2.1.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/linux-diag/sysfsutils-${version}.tar.gz";
+    sha256 = "e865de2c1f559fff0d3fc936e660c0efaf7afe662064f2fb97ccad1ec28d208a";
+  };
+
+  meta = {
+    homepage = "http://linux-diag.sourceforge.net/Sysfsutils.html";
+    longDescription =
+      ''
+        These are a set of utilites built upon sysfs, a new virtual
+        filesystem in Linux kernel versions 2.5+ that exposes a system's
+        device tree.
+      '';
+    license = with lib.licenses; [ gpl2 lgpl21 ];
+    platforms = lib.platforms.linux;
+  };
+}
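Review bot: `meta` has a `longDescription` but no `description`, so tools that list packages by their one-line summary show nothing for this one. A line such as `description = "Utilities built upon sysfs";` would fill that in. The `longDescription` text misspells "utilities" as `utilites`. The `homepage` is a plain `http://` link; use `https://` if the site serves it.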
diff --git a/nixpkgs/pkgs/os-specific/linux/sysklogd/default.nix b/nixpkgs/pkgs/os-specific/linux/sysklogd/default.nix
new file mode 100644
index 000000000000..4d9844f516b0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysklogd/default.nix
@@ -0,0 +1,41 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "sysklogd";
+  version = "1.5.1";
+
+  src = fetchurl {
+    url = "http://www.infodrom.org/projects/sysklogd/download/sysklogd-${version}.tar.gz";
+    sha256 = "00f2wy6f0qng7qzga4iicyzl9j8b7mp6mrpfky5jxj93ms2w2rji";
+  };
+
+  patches = [ ./systemd.patch ./union-wait.patch ./fix-includes-for-musl.patch ];
+
+  NIX_CFLAGS_COMPILE = "-DSYSV";
+
+  installFlags = [ "BINDIR=$(out)/sbin" "MANDIR=$(out)/share/man" "INSTALL=install" ];
+
+  makeFlags = [
+    "CC=${stdenv.cc.targetPrefix}cc"
+  ];
+
+  postPatch = ''
+    # Disable stripping during installation, stripping will be done anyway.
+    # Fixes cross-compilation.
+    substituteInPlace Makefile \
+      --replace "-m 500 -s" "-m 500"
+  '';
+
+  preConfigure =
+    ''
+      sed -e 's@-o \''${MAN_USER} -g \''${MAN_GROUP} -m \''${MAN_PERMS} @@' -i Makefile
+    '';
+
+  preInstall = "mkdir -p $out/share/man/man5/ $out/share/man/man8/ $out/sbin";
+
+  meta = with lib; {
+    description = "A system logging daemon";
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+  };
+}
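Review bot: `src` is fetched from `http://www.infodrom.org/...` without TLS, so the pinned `sha256` is the only thing authenticating the tarball. That is sufficient while the hash is right, but a future version bump must not take the new hash from whatever the HTTP download returns. A comment on `src` such as `# plain HTTP: verify the sha256 against an independent copy when bumping version` would record that. Switch to an `https://` URL if upstream serves one.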
diff --git a/nixpkgs/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch b/nixpkgs/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch
new file mode 100644
index 000000000000..87e56a10db8b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch
@@ -0,0 +1,120 @@
+# this patch both fixes some include paths as well as removes glibc
+# gates around defines that musl-libc also depends on.
+diff -u sysklogd-1.5.1.orig/klogd.c sysklogd-1.5.1/klogd.c
+--- sysklogd-1.5.1.orig/klogd.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/klogd.c	2021-01-18 23:09:23.000000000 -0500
+@@ -260,11 +260,8 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <errno.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+-#if !defined(__GLIBC__)
+-#include <linux/time.h>
+-#endif /* __GLIBC__ */
+ #include <stdarg.h>
+ #include <paths.h>
+ #include <stdlib.h>
+@@ -277,13 +274,8 @@
+ 
+ #define __LIBRARY__
+ #include <linux/unistd.h>
+-#if !defined(__GLIBC__)
+-# define __NR_ksyslog __NR_syslog
+-_syscall3(int,ksyslog,int, type, char *, buf, int, len);
+-#else
+ #include <sys/klog.h>
+ #define ksyslog klogctl
+-#endif
+ 
+ #define LOG_BUFFER_SIZE 4096
+ #define LOG_LINE_LENGTH 1000
+diff -u sysklogd-1.5.1.orig/ksym_mod.c sysklogd-1.5.1/ksym_mod.c
+--- sysklogd-1.5.1.orig/ksym_mod.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/ksym_mod.c	2021-01-18 23:09:57.000000000 -0500
+@@ -113,12 +113,9 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <errno.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include "module.h"
+-#if !defined(__GLIBC__)
+-#include <linux/time.h>
+-#endif /* __GLIBC__ */
+ #include <stdarg.h>
+ #include <paths.h>
+ #include <linux/version.h>
+diff -u sysklogd-1.5.1.orig/pidfile.c sysklogd-1.5.1/pidfile.c
+--- sysklogd-1.5.1.orig/pidfile.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/pidfile.c	2021-01-18 23:23:55.000000000 -0500
+@@ -25,6 +25,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/stat.h>
+ #include <sys/file.h>
+diff -u sysklogd-1.5.1.orig/syslog.c sysklogd-1.5.1/syslog.c
+--- sysklogd-1.5.1.orig/syslog.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/syslog.c	2021-01-18 23:11:45.000000000 -0500
+@@ -55,7 +55,6 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/file.h>
+-#include <sys/signal.h>
+ #include <sys/syslog.h>
+ #if 0
+ #include "syslog.h"
+@@ -64,6 +63,8 @@
+ 
+ #include <sys/uio.h>
+ #include <sys/wait.h>
++#include <signal.h>
++#include <fcntl.h>
+ #include <netdb.h>
+ #include <string.h>
+ #include <time.h>
+diff -u sysklogd-1.5.1.orig/syslogd.c sysklogd-1.5.1/syslogd.c
+--- sysklogd-1.5.1.orig/syslogd.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/syslogd.c	2021-01-18 23:13:25.000000000 -0500
+@@ -519,9 +519,9 @@
+ #include <time.h>
+ 
+ #define SYSLOG_NAMES
++#include <errno.h>
+ #include <sys/syslog.h>
+ #include <sys/param.h>
+-#include <sys/errno.h>
+ #include <sys/ioctl.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
+@@ -818,9 +818,7 @@
+ void init();
+ void cfline(char *line, register struct filed *f);
+ int decode(char *name, struct code *codetab);
+-#if defined(__GLIBC__)
+ #define dprintf mydprintf
+-#endif /* __GLIBC__ */
+ static void dprintf(char *, ...);
+ static void allocate_log(void);
+ void sighup_handler();
+@@ -840,15 +838,9 @@
+ 	register char *p;
+ #ifndef TESTING
+ 	ssize_t msglen;
+-#endif
+-#if !defined(__GLIBC__)
+-	int len, num_fds;
+-#else /* __GLIBC__ */
+-#ifndef TESTING
+ 	socklen_t len;
+ #endif
+ 	int num_fds;
+-#endif /* __GLIBC__ */
+ 	/*
+ 	 * It took me quite some time to figure out how this is
+ 	 * supposed to work so I guess I should better write it down.
diff --git a/nixpkgs/pkgs/os-specific/linux/sysklogd/systemd.patch b/nixpkgs/pkgs/os-specific/linux/sysklogd/systemd.patch
new file mode 100644
index 000000000000..a170f67cadbb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysklogd/systemd.patch
@@ -0,0 +1,845 @@
+Based on http://ftp.free.org/mirrors/rsync.frugalware.org/frugalware-testing/source/apps-extra/sysklogd/sysklogd-1.5-systemd.diff
+
+diff -ruN -x '*~' sysklogd-1.5-old/Makefile sysklogd-1.5/Makefile
+--- sysklogd-1.5-old/Makefile	2007-05-30 17:28:48.000000000 +0200
++++ sysklogd-1.5/Makefile	2013-05-09 16:01:14.428638113 +0200
+@@ -20,7 +20,7 @@
+ CC= gcc
+ #SKFLAGS= -g -DSYSV -Wall
+ #LDFLAGS= -g
+-SKFLAGS= $(RPM_OPT_FLAGS) -O3 -DSYSV -fomit-frame-pointer -Wall -fno-strength-reduce
++SKFLAGS= $(RPM_OPT_FLAGS) -O3 -DSYSV -fomit-frame-pointer -Wall -fno-strength-reduce -I.
+ # -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
+ # -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE
+ # $(shell getconf LFS_SKFLAGS)
+@@ -79,8 +79,8 @@
+ 
+ install: install_man install_exec
+ 
+-syslogd: syslogd.o pidfile.o
+-	${CC} ${LDFLAGS} -o syslogd syslogd.o pidfile.o ${LIBS}
++syslogd: syslogd.o pidfile.o sd-daemon.o
++	${CC} ${LDFLAGS} -o syslogd syslogd.o pidfile.o sd-daemon.o ${LIBS}
+ 
+ klogd:	klogd.o syslog.o pidfile.o ksym.o ksym_mod.o
+ 	${CC} ${LDFLAGS} -o klogd klogd.o syslog.o pidfile.o ksym.o \
+@@ -101,6 +101,9 @@
+ syslog.o: syslog.c
+ 	${CC} ${SKFLAGS} ${SYSLOG_FLAGS} -c syslog.c
+ 
++sd-daemon.o: sd-daemon.c sd-daemon.h
++	${CC} ${SKFLAGS} ${SYSLOG_FLAGS} -c sd-daemon.c
++
+ klogd.o: klogd.c klogd.h version.h
+ 	${CC} ${SKFLAGS} ${KLOGD_FLAGS} $(DEB) -c klogd.c
+ 
+diff -ruN -x '*~' sysklogd-1.5-old/sd-daemon.c sysklogd-1.5/sd-daemon.c
+--- sysklogd-1.5-old/sd-daemon.c	1970-01-01 01:00:00.000000000 +0100
++++ sysklogd-1.5/sd-daemon.c	2013-05-09 16:01:14.429638107 +0200
+@@ -0,0 +1,436 @@
++/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
++
++/***
++  Copyright 2010 Lennart Poettering
++
++  Permission is hereby granted, free of charge, to any person
++  obtaining a copy of this software and associated documentation files
++  (the "Software"), to deal in the Software without restriction,
++  including without limitation the rights to use, copy, modify, merge,
++  publish, distribute, sublicense, and/or sell copies of the Software,
++  and to permit persons to whom the Software is furnished to do so,
++  subject to the following conditions:
++
++  The above copyright notice and this permission notice shall be
++  included in all copies or substantial portions of the Software.
++
++  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++  NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
++  BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
++  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
++  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++  SOFTWARE.
++***/
++
++#ifndef _GNU_SOURCE
++#define _GNU_SOURCE
++#endif
++
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <netinet/in.h>
++#include <stdlib.h>
++#include <fcntl.h>
++#include <errno.h>
++#include <unistd.h>
++#include <string.h>
++#include <stdarg.h>
++#include <stdio.h>
++#include <stddef.h>
++
++#include "sd-daemon.h"
++
++int sd_listen_fds(int unset_environment) {
++
++#if defined(DISABLE_SYSTEMD) || !defined(__linux__)
++        return 0;
++#else
++        int r, fd;
++        const char *e;
++        char *p = NULL;
++        unsigned long l;
++
++        if (!(e = getenv("LISTEN_PID"))) {
++                r = 0;
++                goto finish;
++        }
++
++        errno = 0;
++        l = strtoul(e, &p, 10);
++
++        if (errno != 0) {
++                r = -errno;
++                goto finish;
++        }
++
++        if (!p || *p || l <= 0) {
++                r = -EINVAL;
++                goto finish;
++        }
++
++        /* Is this for us? */
++        if (getpid() != (pid_t) l) {
++                r = 0;
++                goto finish;
++        }
++
++        if (!(e = getenv("LISTEN_FDS"))) {
++                r = 0;
++                goto finish;
++        }
++
++        errno = 0;
++        l = strtoul(e, &p, 10);
++
++        if (errno != 0) {
++                r = -errno;
++                goto finish;
++        }
++
++        if (!p || *p) {
++                r = -EINVAL;
++                goto finish;
++        }
++
++        for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + (int) l; fd ++) {
++                int flags;
++
++                if ((flags = fcntl(fd, F_GETFD)) < 0) {
++                        r = -errno;
++                        goto finish;
++                }
++
++                if (flags & FD_CLOEXEC)
++                        continue;
++
++                if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
++                        r = -errno;
++                        goto finish;
++                }
++        }
++
++        r = (int) l;
++
++finish:
++        if (unset_environment) {
++                unsetenv("LISTEN_PID");
++                unsetenv("LISTEN_FDS");
++        }
++
++        return r;
++#endif
++}
++
++int sd_is_fifo(int fd, const char *path) {
++        struct stat st_fd;
++
++        if (fd < 0)
++                return -EINVAL;
++
++        memset(&st_fd, 0, sizeof(st_fd));
++        if (fstat(fd, &st_fd) < 0)
++                return -errno;
++
++        if (!S_ISFIFO(st_fd.st_mode))
++                return 0;
++
++        if (path) {
++                struct stat st_path;
++
++                memset(&st_path, 0, sizeof(st_path));
++                if (stat(path, &st_path) < 0) {
++
++                        if (errno == ENOENT || errno == ENOTDIR)
++                                return 0;
++
++                        return -errno;
++                }
++
++                return
++                        st_path.st_dev == st_fd.st_dev &&
++                        st_path.st_ino == st_fd.st_ino;
++        }
++
++        return 1;
++}
++
++static int sd_is_socket_internal(int fd, int type, int listening) {
++        struct stat st_fd;
++
++        if (fd < 0 || type < 0)
++                return -EINVAL;
++
++        if (fstat(fd, &st_fd) < 0)
++                return -errno;
++
++        if (!S_ISSOCK(st_fd.st_mode))
++                return 0;
++
++        if (type != 0) {
++                int other_type = 0;
++                socklen_t l = sizeof(other_type);
++
++                if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &other_type, &l) < 0)
++                        return -errno;
++
++                if (l != sizeof(other_type))
++                        return -EINVAL;
++
++                if (other_type != type)
++                        return 0;
++        }
++
++        if (listening >= 0) {
++                int accepting = 0;
++                socklen_t l = sizeof(accepting);
++
++                if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &l) < 0)
++                        return -errno;
++
++                if (l != sizeof(accepting))
++                        return -EINVAL;
++
++                if (!accepting != !listening)
++                        return 0;
++        }
++
++        return 1;
++}
++
++union sockaddr_union {
++        struct sockaddr sa;
++        struct sockaddr_in in4;
++        struct sockaddr_in6 in6;
++        struct sockaddr_un un;
++        struct sockaddr_storage storage;
++};
++
++int sd_is_socket(int fd, int family, int type, int listening) {
++        int r;
++
++        if (family < 0)
++                return -EINVAL;
++
++        if ((r = sd_is_socket_internal(fd, type, listening)) <= 0)
++                return r;
++
++        if (family > 0) {
++                union sockaddr_union sockaddr;
++                socklen_t l;
++
++                memset(&sockaddr, 0, sizeof(sockaddr));
++                l = sizeof(sockaddr);
++
++                if (getsockname(fd, &sockaddr.sa, &l) < 0)
++                        return -errno;
++
++                if (l < sizeof(sa_family_t))
++                        return -EINVAL;
++
++                return sockaddr.sa.sa_family == family;
++        }
++
++        return 1;
++}
++
++int sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port) {
++        union sockaddr_union sockaddr;
++        socklen_t l;
++        int r;
++
++        if (family != 0 && family != AF_INET && family != AF_INET6)
++                return -EINVAL;
++
++        if ((r = sd_is_socket_internal(fd, type, listening)) <= 0)
++                return r;
++
++        memset(&sockaddr, 0, sizeof(sockaddr));
++        l = sizeof(sockaddr);
++
++        if (getsockname(fd, &sockaddr.sa, &l) < 0)
++                return -errno;
++
++        if (l < sizeof(sa_family_t))
++                return -EINVAL;
++
++        if (sockaddr.sa.sa_family != AF_INET &&
++            sockaddr.sa.sa_family != AF_INET6)
++                return 0;
++
++        if (family > 0)
++                if (sockaddr.sa.sa_family != family)
++                        return 0;
++
++        if (port > 0) {
++                if (sockaddr.sa.sa_family == AF_INET) {
++                        if (l < sizeof(struct sockaddr_in))
++                                return -EINVAL;
++
++                        return htons(port) == sockaddr.in4.sin_port;
++                } else {
++                        if (l < sizeof(struct sockaddr_in6))
++                                return -EINVAL;
++
++                        return htons(port) == sockaddr.in6.sin6_port;
++                }
++        }
++
++        return 1;
++}
++
++int sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length) {
++        union sockaddr_union sockaddr;
++        socklen_t l;
++        int r;
++
++        if ((r = sd_is_socket_internal(fd, type, listening)) <= 0)
++                return r;
++
++        memset(&sockaddr, 0, sizeof(sockaddr));
++        l = sizeof(sockaddr);
++
++        if (getsockname(fd, &sockaddr.sa, &l) < 0)
++                return -errno;
++
++        if (l < sizeof(sa_family_t))
++                return -EINVAL;
++
++        if (sockaddr.sa.sa_family != AF_UNIX)
++                return 0;
++
++        if (path) {
++                if (length <= 0)
++                        length = strlen(path);
++
++                if (length <= 0)
++                        /* Unnamed socket */
++                        return l == offsetof(struct sockaddr_un, sun_path);
++
++                if (path[0])
++                        /* Normal path socket */
++                        return
++                                (l >= offsetof(struct sockaddr_un, sun_path) + length + 1) &&
++                                memcmp(path, sockaddr.un.sun_path, length+1) == 0;
++                else
++                        /* Abstract namespace socket */
++                        return
++                                (l == offsetof(struct sockaddr_un, sun_path) + length) &&
++                                memcmp(path, sockaddr.un.sun_path, length) == 0;
++        }
++
++        return 1;
++}
++
++int sd_notify(int unset_environment, const char *state) {
++#if defined(DISABLE_SYSTEMD) || !defined(__linux__) || !defined(SOCK_CLOEXEC)
++        return 0;
++#else
++        int fd = -1, r;
++        struct msghdr msghdr;
++        struct iovec iovec;
++        union sockaddr_union sockaddr;
++        const char *e;
++
++        if (!state) {
++                r = -EINVAL;
++                goto finish;
++        }
++
++        if (!(e = getenv("NOTIFY_SOCKET")))
++                return 0;
++
++        /* Must be an abstract socket, or an absolute path */
++        if ((e[0] != '@' && e[0] != '/') || e[1] == 0) {
++                r = -EINVAL;
++                goto finish;
++        }
++
++        if ((fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0) {
++                r = -errno;
++                goto finish;
++        }
++
++        memset(&sockaddr, 0, sizeof(sockaddr));
++        sockaddr.sa.sa_family = AF_UNIX;
++        strncpy(sockaddr.un.sun_path, e, sizeof(sockaddr.un.sun_path));
++
++        if (sockaddr.un.sun_path[0] == '@')
++                sockaddr.un.sun_path[0] = 0;
++
++        memset(&iovec, 0, sizeof(iovec));
++        iovec.iov_base = (char*) state;
++        iovec.iov_len = strlen(state);
++
++        memset(&msghdr, 0, sizeof(msghdr));
++        msghdr.msg_name = &sockaddr;
++        msghdr.msg_namelen = offsetof(struct sockaddr_un, sun_path) + strlen(e);
++
++        if (msghdr.msg_namelen > sizeof(struct sockaddr_un))
++                msghdr.msg_namelen = sizeof(struct sockaddr_un);
++
++        msghdr.msg_iov = &iovec;
++        msghdr.msg_iovlen = 1;
++
++        if (sendmsg(fd, &msghdr, MSG_NOSIGNAL) < 0) {
++                r = -errno;
++                goto finish;
++        }
++
++        r = 1;
++
++finish:
++        if (unset_environment)
++                unsetenv("NOTIFY_SOCKET");
++
++        if (fd >= 0)
++                close(fd);
++
++        return r;
++#endif
++}
++
++int sd_notifyf(int unset_environment, const char *format, ...) {
++#if defined(DISABLE_SYSTEMD) || !defined(__linux__)
++        return 0;
++#else
++        va_list ap;
++        char *p = NULL;
++        int r;
++
++        va_start(ap, format);
++        r = vasprintf(&p, format, ap);
++        va_end(ap);
++
++        if (r < 0 || !p)
++                return -ENOMEM;
++
++        r = sd_notify(unset_environment, p);
++        free(p);
++
++        return r;
++#endif
++}
++
++int sd_booted(void) {
++#if defined(DISABLE_SYSTEMD) || !defined(__linux__)
++        return 0;
++#else
++
++        struct stat a, b;
++
++        /* We simply test whether the systemd cgroup hierarchy is
++         * mounted */
++
++        if (lstat("/sys/fs/cgroup", &a) < 0)
++                return 0;
++
++        if (lstat("/sys/fs/cgroup/systemd", &b) < 0)
++                return 0;
++
++        return a.st_dev != b.st_dev;
++#endif
++}
+diff -ruN -x '*~' sysklogd-1.5-old/sd-daemon.h sysklogd-1.5/sd-daemon.h
+--- sysklogd-1.5-old/sd-daemon.h	1970-01-01 01:00:00.000000000 +0100
++++ sysklogd-1.5/sd-daemon.h	2013-05-09 16:01:14.429638107 +0200
+@@ -0,0 +1,265 @@
++/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
++
++#ifndef foosddaemonhfoo
++#define foosddaemonhfoo
++
++/***
++  Copyright 2010 Lennart Poettering
++
++  Permission is hereby granted, free of charge, to any person
++  obtaining a copy of this software and associated documentation files
++  (the "Software"), to deal in the Software without restriction,
++  including without limitation the rights to use, copy, modify, merge,
++  publish, distribute, sublicense, and/or sell copies of the Software,
++  and to permit persons to whom the Software is furnished to do so,
++  subject to the following conditions:
++
++  The above copyright notice and this permission notice shall be
++  included in all copies or substantial portions of the Software.
++
++  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++  NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
++  BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
++  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
++  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++  SOFTWARE.
++***/
++
++#include <sys/types.h>
++#include <inttypes.h>
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++/*
++  Reference implementation of a few systemd related interfaces for
++  writing daemons. These interfaces are trivial to implement. To
++  simplify porting we provide this reference implementation.
++  Applications are welcome to reimplement the algorithms described
++  here if they do not want to include these two source files.
++
++  The following functionality is provided:
++
++  - Support for logging with log levels on stderr
++  - File descriptor passing for socket-based activation
++  - Daemon startup and status notification
++  - Detection of systemd boots
++
++  You may compile this with -DDISABLE_SYSTEMD to disable systemd
++  support. This makes all those calls NOPs that are directly related to
++  systemd (i.e. only sd_is_xxx() will stay useful).
++
++  Since this is drop-in code we don't want any of our symbols to be
++  exported in any case. Hence we declare hidden visibility for all of
++  them.
++
++  You may find an up-to-date version of these source files online:
++
++  http://cgit.freedesktop.org/systemd/plain/src/sd-daemon.h
++  http://cgit.freedesktop.org/systemd/plain/src/sd-daemon.c
++
++  This should compile on non-Linux systems, too, but with the
++  exception of the sd_is_xxx() calls all functions will become NOPs.
++
++  See sd-daemon(7) for more information.
++*/
++
++#ifndef _sd_printf_attr_
++#if __GNUC__ >= 4
++#define _sd_printf_attr_(a,b) __attribute__ ((format (printf, a, b)))
++#else
++#define _sd_printf_attr_(a,b)
++#endif
++#endif
++
++#ifndef _sd_hidden_
++#if (__GNUC__ >= 4) && !defined(SD_EXPORT_SYMBOLS)
++#define _sd_hidden_ __attribute__ ((visibility("hidden")))
++#else
++#define _sd_hidden_
++#endif
++#endif
++
++/*
++  Log levels for usage on stderr:
++
++          fprintf(stderr, SD_NOTICE "Hello World!\n");
++
++  This is similar to printk() usage in the kernel.
++*/
++#define SD_EMERG   "<0>"  /* system is unusable */
++#define SD_ALERT   "<1>"  /* action must be taken immediately */
++#define SD_CRIT    "<2>"  /* critical conditions */
++#define SD_ERR     "<3>"  /* error conditions */
++#define SD_WARNING "<4>"  /* warning conditions */
++#define SD_NOTICE  "<5>"  /* normal but significant condition */
++#define SD_INFO    "<6>"  /* informational */
++#define SD_DEBUG   "<7>"  /* debug-level messages */
++
++/* The first passed file descriptor is fd 3 */
++#define SD_LISTEN_FDS_START 3
++
++/*
++  Returns how many file descriptors have been passed, or a negative
++  errno code on failure. Optionally, removes the $LISTEN_FDS and
++  $LISTEN_PID file descriptors from the environment (recommended, but
++  problematic in threaded environments). If r is the return value of
++  this function you'll find the file descriptors passed as fds
++  SD_LISTEN_FDS_START to SD_LISTEN_FDS_START+r-1. Returns a negative
++  errno style error code on failure. This function call ensures that
++  the FD_CLOEXEC flag is set for the passed file descriptors, to make
++  sure they are not passed on to child processes. If FD_CLOEXEC shall
++  not be set, the caller needs to unset it after this call for all file
++  descriptors that are used.
++
++  See sd_listen_fds(3) for more information.
++*/
++int sd_listen_fds(int unset_environment) _sd_hidden_;
++
++/*
++  Helper call for identifying a passed file descriptor. Returns 1 if
++  the file descriptor is a FIFO in the file system stored under the
++  specified path, 0 otherwise. If path is NULL a path name check will
++  not be done and the call only verifies if the file descriptor
++  refers to a FIFO. Returns a negative errno style error code on
++  failure.
++
++  See sd_is_fifo(3) for more information.
++*/
++int sd_is_fifo(int fd, const char *path) _sd_hidden_;
++
++/*
++  Helper call for identifying a passed file descriptor. Returns 1 if
++  the file descriptor is a socket of the specified family (AF_INET,
++  ...) and type (SOCK_DGRAM, SOCK_STREAM, ...), 0 otherwise. If
++  family is 0 a socket family check will not be done. If type is 0 a
++  socket type check will not be done and the call only verifies if
++  the file descriptor refers to a socket. If listening is > 0 it is
++  verified that the socket is in listening mode. (i.e. listen() has
++  been called) If listening is == 0 it is verified that the socket is
++  not in listening mode. If listening is < 0 no listening mode check
++  is done. Returns a negative errno style error code on failure.
++
++  See sd_is_socket(3) for more information.
++*/
++int sd_is_socket(int fd, int family, int type, int listening) _sd_hidden_;
++
++/*
++  Helper call for identifying a passed file descriptor. Returns 1 if
++  the file descriptor is an Internet socket, of the specified family
++  (either AF_INET or AF_INET6) and the specified type (SOCK_DGRAM,
++  SOCK_STREAM, ...), 0 otherwise. If version is 0 a protocol version
++  check is not done. If type is 0 a socket type check will not be
++  done. If port is 0 a socket port check will not be done. The
++  listening flag is used the same way as in sd_is_socket(). Returns a
++  negative errno style error code on failure.
++
++  See sd_is_socket_inet(3) for more information.
++*/
++int sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port) _sd_hidden_;
++
++/*
++  Helper call for identifying a passed file descriptor. Returns 1 if
++  the file descriptor is an AF_UNIX socket of the specified type
++  (SOCK_DGRAM, SOCK_STREAM, ...) and path, 0 otherwise. If type is 0
++  a socket type check will not be done. If path is NULL a socket path
++  check will not be done. For normal AF_UNIX sockets set length to
++  0. For abstract namespace sockets set length to the length of the
++  socket name (including the initial 0 byte), and pass the full
++  socket path in path (including the initial 0 byte). The listening
++  flag is used the same way as in sd_is_socket(). Returns a negative
++  errno style error code on failure.
++
++  See sd_is_socket_unix(3) for more information.
++*/
++int sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length) _sd_hidden_;
++
++/*
++  Informs systemd about changed daemon state. This takes a number of
++  newline separated environment-style variable assignments in a
++  string. The following variables are known:
++
++     READY=1      Tells systemd that daemon startup is finished (only
++                  relevant for services of Type=notify). The passed
++                  argument is a boolean "1" or "0". Since there is
++                  little value in signalling non-readiness the only
++                  value daemons should send is "READY=1".
++
++     STATUS=...   Passes a single-line status string back to systemd
++                  that describes the daemon state. This is free-from
++                  and can be used for various purposes: general state
++                  feedback, fsck-like programs could pass completion
++                  percentages and failing programs could pass a human
++                  readable error message. Example: "STATUS=Completed
++                  66% of file system check..."
++
++     ERRNO=...    If a daemon fails, the errno-style error code,
++                  formatted as string. Example: "ERRNO=2" for ENOENT.
++
++     BUSERROR=... If a daemon fails, the D-Bus error-style error
++                  code. Example: "BUSERROR=org.freedesktop.DBus.Error.TimedOut"
++
++     MAINPID=...  The main pid of a daemon, in case systemd did not
++                  fork off the process itself. Example: "MAINPID=4711"
++
++  Daemons can choose to send additional variables. However, it is
++  recommened to prefix variable names not listed above with X_.
++
++  Returns a negative errno-style error code on failure. Returns > 0
++  if systemd could be notified, 0 if it couldn't possibly because
++  systemd is not running.
++
++  Example: When a daemon finished starting up, it could issue this
++  call to notify systemd about it:
++
++     sd_notify(0, "READY=1");
++
++  See sd_notifyf() for more complete examples.
++
++  See sd_notify(3) for more information.
++*/
++int sd_notify(int unset_environment, const char *state) _sd_hidden_;
++
++/*
++  Similar to sd_notify() but takes a format string.
++
++  Example 1: A daemon could send the following after initialization:
++
++     sd_notifyf(0, "READY=1\n"
++                   "STATUS=Processing requests...\n"
++                   "MAINPID=%lu",
++                   (unsigned long) getpid());
++
++  Example 2: A daemon could send the following shortly before
++  exiting, on failure:
++
++     sd_notifyf(0, "STATUS=Failed to start up: %s\n"
++                   "ERRNO=%i",
++                   strerror(errno),
++                   errno);
++
++  See sd_notifyf(3) for more information.
++*/
++int sd_notifyf(int unset_environment, const char *format, ...) _sd_printf_attr_(2,3) _sd_hidden_;
++
++/*
++  Returns > 0 if the system was booted with systemd. Returns < 0 on
++  error. Returns 0 if the system was not booted with systemd. Note
++  that all of the functions above handle non-systemd boots just
++  fine. You should NOT protect them with a call to this function. Also
++  note that this function checks whether the system, not the user
++  session is controlled by systemd. However the functions above work
++  for both user and system services.
++
++  See sd_booted(3) for more information.
++*/
++int sd_booted(void) _sd_hidden_;
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif
+diff -ruN -x '*~' sysklogd-1.5-old/syslogd.c sysklogd-1.5/syslogd.c
+--- sysklogd-1.5-old/syslogd.c	2007-07-04 21:04:01.000000000 +0200
++++ sysklogd-1.5/syslogd.c	2013-05-09 16:04:32.106602589 +0200
+@@ -551,6 +551,7 @@
+ 
+ #if defined(__linux__)
+ #include <paths.h>
++#include <sd-daemon.h>
+ #endif
+ 
+ #ifndef UTMP_FILE
+@@ -965,8 +966,11 @@
+ 			}
+ 			signal (SIGTERM, SIG_DFL);
+ 			num_fds = getdtablesize();
+-			for (i= 0; i < num_fds; i++)
+-				(void) close(i);
++#if defined(__linux__)
++			if (sd_listen_fds(0) <= 0)
++#endif
++				for (i = 0; i < num_fds; i++)
++					(void) close(i);
+ 			untty();
+ 		}
+ 		else
+@@ -1253,6 +1257,60 @@
+ 	if (path[0] == '\0')
+ 		return -1;
+ 
++#if defined(__linux__)
++	if (strcmp(path, _PATH_LOG) == 0) {
++		int r;
++ 
++		/* Check whether an FD was passed in from systemd. If
++		 * so, it's the /dev/log socket, so use it. */
++ 
++		r = sd_listen_fds(0);
++		if (r < 0) {
++			logerror("Failed to acquire systemd socket");
++#ifndef SYSV
++			dienow();
++#else
++			return -1;
++#endif
++		}
++
++ 
++		if (r > 1) {
++			logerror("Wrong number of systemd sockets passed");
++#ifndef SYSV
++			dienow();
++#else
++			return -1;
++#endif
++		}
++ 
++		if (r == 1) {
++			fd = SD_LISTEN_FDS_START;
++			r = sd_is_socket_unix(fd, SOCK_DGRAM, -1, "/run/systemd/journal/syslog", 0);
++			if (r < 0) {
++				logerror("Failed to verify systemd socket type");
++#ifndef SYSV
++				dienow();
++#else
++				return -1;
++#endif
++			}
++ 
++			if (!r) {
++				logerror("Passed systemd socket of wrong type");
++#ifndef SYSV
++				dienow();
++#else
++				return -1;
++#endif
++			}
++ 
++		        dprintf("Using systemd socket (%d).\n", fd);
++			return fd;
++		}
++	}
++#endif
++
+ 	(void) unlink(path);
+ 
+ 	memset(&sunx, 0, sizeof(sunx));
+@@ -2254,9 +2312,11 @@
+ 	if (InetInuse) close(inetm);
+ 
+ 	/* Clean-up files. */
+-        for (i = 0; i < nfunix; i++)
+-		if (funixn[i] && funix[i] != -1)
+-			(void)unlink(funixn[i]);
++	i = 0;
++#if defined(__linux__)
++	if (sd_listen_fds(0) > 0)
++		i = 1;
++#endif
+ #ifndef TESTING
+ 	(void) remove_pid(PidFile);
+ #endif
diff --git a/nixpkgs/pkgs/os-specific/linux/sysklogd/union-wait.patch b/nixpkgs/pkgs/os-specific/linux/sysklogd/union-wait.patch
new file mode 100644
index 000000000000..e4bffa5d6953
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysklogd/union-wait.patch
@@ -0,0 +1,11 @@
+--- sysklogd-1.5-old/syslogd.c	2016-08-30 22:50:59.812926945 +0100
++++ sysklogd-1.5/syslogd.c	2016-08-30 22:51:12.008842890 +0100
+@@ -2094,7 +2094,7 @@
+ 	(void) signal(SIGCHLD, reapchild);	/* reset signal handler -ASP */
+ 	wait ((int *)0);
+ #else
+-	union wait status;
++	int status;
+ 
+ 	while (wait3(&status, WNOHANG, (struct rusage *) NULL) > 0)
+ 		;
diff --git a/nixpkgs/pkgs/os-specific/linux/syslinux/default.nix b/nixpkgs/pkgs/os-specific/linux/syslinux/default.nix
new file mode 100644
index 000000000000..821d51133087
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/syslinux/default.nix
@@ -0,0 +1,135 @@
+{ lib
+, stdenv
+, fetchgit
+, fetchurl
+, libuuid
+, makeWrapper
+, mtools
+, nasm
+, perl
+, python3
+}:
+
+stdenv.mkDerivation {
+  pname = "syslinux";
+  version = "unstable-2019-02-07";
+
+  # This is syslinux-6.04-pre3^1; syslinux-6.04-pre3 fails to run.
+  # Same issue here https://www.syslinux.org/archives/2019-February/026330.html
+  src = fetchgit {
+    url = "https://repo.or.cz/syslinux";
+    rev = "b40487005223a78c3bb4c300ef6c436b3f6ec1f7";
+    sha256 = "sha256-GqvRTr9mA2yRD0G0CF11x1X0jCgqV4Mh+tvE0/0yjqk=";
+    fetchSubmodules = true;
+  };
+
+  patches = let
+    fetchDebianPatch = name: commit: hash:
+      fetchurl {
+        url = "https://salsa.debian.org/images-team/syslinux/raw/"
+              + commit + "/debian/patches/" + name;
+        inherit name hash;
+      };
+    fetchArchlinuxPatch = name: commit: hash:
+      fetchurl {
+        url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/"
+              + commit + "/trunk/" + name;
+        inherit name hash;
+      };
+  in [
+    ./gcc10.patch
+    (fetchDebianPatch
+      "0002-gfxboot-menu-label.patch"
+      "fa1349f1"
+      "sha256-0f6QhM4lJmGflLige4n7AZTodL7vnyAvi5dIedd/Lho=")
+    (fetchArchlinuxPatch
+      "0005-gnu-efi-version-compatibility.patch"
+      "821c3da473d1399d930d5b4a086e46a4179eaa45"
+      "sha256-hhCVnfbAFWj/R4yh60qsMB87ofW9RznarsByhl6L4tc=")
+    (fetchArchlinuxPatch
+      "0025-reproducible-build.patch"
+      "821c3da473d1399d930d5b4a086e46a4179eaa45"
+      "sha256-mnb291pCSFvDNxY7o4BosJ94ib3BpOGRQIiY8Q3jZmI=")
+    (fetchDebianPatch
+      # mbr.bin: too big (452 > 440)
+      # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906414
+      "0016-strip-gnu-property.patch"
+      "7468ef0e38c43"
+      "sha256-lW+E6THuXlTGvhly0f/D9NwYHhkiKHot2l+bz9Eaxp4=")
+    (fetchDebianPatch
+      # mbr.bin: too big (452 > 440)
+      "0017-single-load-segment.patch"
+      "012e1dd312eb"
+      "sha256-C6VmdlTs1blMGUHH3OfOlFBZsfpwRn9vWodwqVn8+Cs=")
+    (fetchDebianPatch
+      "0018-prevent-pow-optimization.patch"
+      "26f0e7b2"
+      "sha256-dVzXBi/oSV9vYgU85mRFHBKuZdup+1x1BipJX74ED7E=")
+  ];
+
+  postPatch = ''
+    substituteInPlace Makefile --replace /bin/pwd $(type -P pwd)
+    substituteInPlace utils/ppmtolss16 --replace /usr/bin/perl $(type -P perl)
+
+    # fix tests
+    substituteInPlace tests/unittest/include/unittest/unittest.h \
+      --replace /usr/include/ ""
+
+    # Hack to get `gcc -m32' to work without having 32-bit Glibc headers.
+    mkdir gnu-efi/inc/ia32/gnu
+    touch gnu-efi/inc/ia32/gnu/stubs-32.h
+  '';
+
+  nativeBuildInputs = [
+    nasm
+    perl
+    python3
+    makeWrapper
+  ];
+
+  buildInputs = [
+    libuuid
+  ];
+
+  # Fails very rarely with 'No rule to make target: ...'
+  enableParallelBuilding = false;
+
+  hardeningDisable = [ "pic" "stackprotector" "fortify" ];
+
+  stripDebugList = [ "bin" "sbin" "share/syslinux/com32" ];
+
+  # Workaround build failure on -fno-common toolchains like upstream
+  # gcc-10. Otherwise build fails as:
+  #   ld: acpi/xsdt.o:/build/syslinux-b404870/com32/gpllib/../gplinclude/memory.h:40: multiple definition of
+  #     `e820_types'; memory.o:/build/syslinux-b404870/com32/gpllib/../gplinclude/memory.h:40: first defined here
+  NIX_CFLAGS_COMPILE="-fcommon";
+
+  makeFlags = [
+    "BINDIR=$(out)/bin"
+    "SBINDIR=$(out)/sbin"
+    "DATADIR=$(out)/share"
+    "MANDIR=$(out)/share/man"
+    "PERL=perl"
+    "HEXDATE=0x00000000"
+  ]
+  ++ lib.optionals stdenv.hostPlatform.isi686 [ "bios" "efi32" ];
+
+  # Some tests require qemu, some others fail in a sandboxed environment
+  doCheck = false;
+
+  postInstall = ''
+    wrapProgram $out/bin/syslinux \
+      --prefix PATH : "${mtools}/bin"
+
+    # Delete com32 headers to save space, nobody seems to be using them
+    rm -rf $out/share/syslinux/com32
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.syslinux.org/";
+    description = "A lightweight bootloader";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.samueldr ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
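Review bot: `hardeningDisable = [ "pic" "stackprotector" "fortify" ];` is the only build knob in this file without a rationale comment, unlike `enableParallelBuilding` and `NIX_CFLAGS_COMPILE` next to it. It applies to the whole derivation, so the host-side programs installed under `$out/bin` and `$out/sbin` (including the `syslinux` binary wrapped in `postInstall`) are presumably built without the stack protector and fortify too, not just the boot code. If the flags are needed only because the BIOS/EFI objects are freestanding code, say so above the line, e.g. `# Boot code is freestanding and does not build with PIC/stack protector/fortify; note this also affects the host tools.` Separately, the Debian patches are addressed by abbreviated commit ids (`fa1349f1`, `26f0e7b2`). The `hash` keeps the content fixed, but full ids, as used for the Arch patches, would keep the URLs unambiguous.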
diff --git a/nixpkgs/pkgs/os-specific/linux/syslinux/gcc10.patch b/nixpkgs/pkgs/os-specific/linux/syslinux/gcc10.patch
new file mode 100644
index 000000000000..f4893a912313
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/syslinux/gcc10.patch
@@ -0,0 +1,33 @@
+diff --git a/dos/string.h b/dos/string.h
+index f648de2..a502132 100644
+--- a/dos/string.h
++++ b/dos/string.h
+@@ -5,12 +5,13 @@
+ #ifndef _STRING_H
+ #define _STRING_H
+ 
++#include <stddef.h>
++
+ /* Standard routines */
+ #define memcpy(a,b,c)	__builtin_memcpy(a,b,c)
+ #define memmove(a,b,c)	__builtin_memmove(a,b,c)
+ #define memset(a,b,c)	__builtin_memset(a,b,c)
+ #define strcpy(a,b)	__builtin_strcpy(a,b)
+-#define strlen(a)	__builtin_strlen(a)
+ 
+ /* This only returns true or false */
+ static inline int memcmp(const void *__m1, const void *__m2, unsigned int __n)
+@@ -21,6 +22,13 @@ static inline int memcmp(const void *__m1, const void *__m2, unsigned int __n)
+     return rv;
+ }
+ 
++static inline size_t strlen(const char *s)
++{
++    size_t len = 0;
++    while (*s++) len++;
++    return len;
++}
++
+ extern char *strchr(const char *s, int c);
+ 
+ #endif /* _STRING_H */
diff --git a/nixpkgs/pkgs/os-specific/linux/sysstat/default.nix b/nixpkgs/pkgs/os-specific/linux/sysstat/default.nix
new file mode 100644
index 000000000000..f28b163a2fc7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysstat/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchurl, gettext, bzip2 }:
+
+stdenv.mkDerivation rec {
+  pname = "sysstat";
+  version = "12.4.5";
+
+  src = fetchurl {
+    url = "http://pagesperso-orange.fr/sebastien.godard/sysstat-${version}.tar.xz";
+    sha256 = "sha256-70RazqMBu7mW5BCEL2KQqNBJ6ITUhoz+9+hdwEt+7ls=";
+  };
+
+  buildInputs = [ gettext ];
+
+  preConfigure = ''
+    export PATH_CP=$(type -tp cp)
+    export PATH_CHKCONFIG=/no-such-program
+    export BZIP=${bzip2.bin}/bin/bzip2
+    export SYSTEMCTL=systemctl
+    export COMPRESS_MANPG=n
+  '';
+
+  makeFlags = [ "SYSCONFIG_DIR=$(out)/etc" "IGNORE_FILE_ATTRIBUTES=y" "CHOWN=true" ];
+  installTargets = [ "install_base" "install_nls" "install_man" ];
+
+  patches = [ ./install.patch ];
+
+  meta = {
+    homepage = "http://sebastien.godard.pagesperso-orange.fr/";
+    description = "A collection of performance monitoring tools for Linux (such as sar, iostat and pidstat)";
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+    maintainers = [ lib.maintainers.eelco ];
+  };
+}
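Review bot: The tarball in `src` is fetched over plain HTTP (`http://pagesperso-orange.fr/...`), so the `sha256` is the only protection against a modified download. That is sufficient for the pinned version, but the URL interpolates `${version}` under `rec`. On a later bump, a maintainer who takes the new hash from whatever the fetch returned would pin unauthenticated content. If upstream serves the same path over TLS (not verifiable from this page), switch `url` and `meta.homepage` to `https://`. Otherwise add a comment such as `# http-only upstream: check the new hash against an independent copy on every version bump`.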
diff --git a/nixpkgs/pkgs/os-specific/linux/sysstat/install.patch b/nixpkgs/pkgs/os-specific/linux/sysstat/install.patch
new file mode 100644
index 000000000000..473fa30b98b4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysstat/install.patch
@@ -0,0 +1,13 @@
+diff -rc sysstat-11.0.1/Makefile.in sysstat-11.0.1-new/Makefile.in
+*** sysstat-11.0.1/Makefile.in	2014-08-30 15:38:39.000000000 +0200
+--- sysstat-11.0.1-new/Makefile.in	2014-12-18 14:40:45.466349009 +0100
+***************
+*** 331,337 ****
+  install_base: all sa1 sa2 sysstat.sysconfig install_man install_nls \
+  	contrib/isag/isag
+  	mkdir -p $(DESTDIR)$(SA_LIB_DIR)
+- 	mkdir -p $(DESTDIR)$(SA_DIR)
+  ifeq ($(CLEAN_SA_DIR),y)
+  	find $(DESTDIR)$(SA_DIR) \( -name 'sar??' -o -name 'sa??' -o -name 'sar??.gz' -o -name 'sa??.gz' \) \
+  		-exec rm -f {} \;
+--- 331,336 ----
diff --git a/nixpkgs/pkgs/os-specific/linux/system76-acpi/default.nix b/nixpkgs/pkgs/os-specific/linux/system76-acpi/default.nix
new file mode 100644
index 000000000000..b384cf639487
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76-acpi/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+let
+  version = "1.0.2";
+  sha256 = "1i7zjn5cdv9h00fgjg46b8yrz4d3dqvfr25g3f13967ycy58m48h";
+in
+stdenv.mkDerivation {
+  name = "system76-acpi-module-${version}-${kernel.version}";
+
+  passthru.moduleName = "system76_acpi";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-acpi-dkms";
+    rev = version;
+    inherit sha256;
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D system76_acpi.ko $out/lib/modules/${kernel.modDirVersion}/misc/system76_acpi.ko
+    mkdir -p $out/lib/udev/hwdb.d
+    mv lib/udev/hwdb.d/* $out/lib/udev/hwdb.d
+  '';
+
+  meta = with lib; {
+    maintainers = [ maintainers.khumba ];
+    license = [ licenses.gpl2Only ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = kernel.kernelOlder "5.2";
+    description = "System76 ACPI Driver (DKMS)";
+    homepage = "https://github.com/pop-os/system76-acpi-dkms";
+    longDescription = ''
+      This provides the system76_acpi in-tree driver for systems missing it.
+    '';
+  };
+}
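Review bot: The minimum-kernel guard is spelled `broken = kernel.kernelOlder "5.2";` here, while the sibling modules added in this commit (`system76-io/default.nix` and `system76/default.nix`) use `broken = versionOlder kernel.version "4.14";`. All three derivations are otherwise built from the same template, so using one form throughout makes the supported-kernel floor easier to check when they are bumped, e.g. `broken = kernel.kernelOlder "4.14";` in the other two. The same three files also set `name = "...-${version}-${kernel.version}"` directly rather than `pname` and `version`, which is worth aligning at the same time.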
diff --git a/nixpkgs/pkgs/os-specific/linux/system76-io/default.nix b/nixpkgs/pkgs/os-specific/linux/system76-io/default.nix
new file mode 100644
index 000000000000..54af222bc7d8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76-io/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+let
+  version = "1.0.2";
+  sha256 = "sha256-DWUjQmoojkzFv1p4Xyt0kOwwqQ216ocO5yR/ujhhMPA=";
+in
+stdenv.mkDerivation {
+  name = "system76-io-module-${version}-${kernel.version}";
+
+  passthru.moduleName = "system76_io";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-io-dkms";
+    rev = version;
+    inherit sha256;
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D system76-io.ko $out/lib/modules/${kernel.modDirVersion}/misc/system76-io.ko
+  '';
+
+  meta = with lib; {
+    maintainers = [ maintainers.khumba ];
+    license = [ licenses.gpl2Plus ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = versionOlder kernel.version "4.14";
+    description = "DKMS module for controlling System76 I/O board";
+    homepage = "https://github.com/pop-os/system76-io-dkms";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/system76-power/default.nix b/nixpkgs/pkgs/os-specific/linux/system76-power/default.nix
new file mode 100644
index 000000000000..edaf2b5c8144
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76-power/default.nix
@@ -0,0 +1,30 @@
+{ pkg-config, libusb1, dbus, lib, rustPlatform, fetchFromGitHub }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "system76-power";
+  version = "1.1.20";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-power";
+    rev = version;
+    sha256 = "sha256-Qk9zHqwFlUTWE+YRt2GASIekbDoBCHPAUUN3+0wpvfw=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ dbus libusb1 ];
+
+  cargoSha256 = "sha256-iG7M9ICFRTFVkbC89DyfR+Iyi7jaT9WmG3PSdBOF7YI=";
+
+  postInstall = ''
+    install -D -m 0644 data/system76-power.conf $out/etc/dbus-1/system.d/system76-power.conf
+  '';
+
+  meta = with lib; {
+    description = "System76 Power Management";
+    homepage = "https://github.com/pop-os/system76-power";
+    license = licenses.gpl3Plus;
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    maintainers = [ maintainers.jwoudenberg ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/system76/default.nix b/nixpkgs/pkgs/os-specific/linux/system76/default.nix
new file mode 100644
index 000000000000..7d9cd9bde024
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/system76/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+let
+  version = "1.0.13";
+  sha256 = "162hhmnww8z9k0795ffs8v3f61hlfm375law156sk5l08if19a4r";
+in
+stdenv.mkDerivation {
+  name = "system76-module-${version}-${kernel.version}";
+
+  passthru.moduleName = "system76";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-dkms";
+    rev = version;
+    inherit sha256;
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D system76.ko $out/lib/modules/${kernel.modDirVersion}/misc/system76.ko
+    mkdir -p $out/lib/udev/hwdb.d
+    mv lib/udev/hwdb.d/* $out/lib/udev/hwdb.d
+  '';
+
+  meta = with lib; {
+    maintainers = [ maintainers.khumba ];
+    license = [ licenses.gpl2Plus ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = versionOlder kernel.version "4.14";
+    description = "System76 DKMS driver";
+    homepage = "https://github.com/pop-os/system76-dkms";
+    longDescription = ''
+      The System76 DKMS driver. On newer System76 laptops, this driver controls
+      some of the hotkeys and allows for custom fan control.
+    '';
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd-wait/default.nix b/nixpkgs/pkgs/os-specific/linux/systemd-wait/default.nix
new file mode 100644
index 000000000000..348549a1bc64
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd-wait/default.nix
@@ -0,0 +1,25 @@
+{ python3Packages, fetchFromGitHub, lib }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "systemd-wait";
+  version = "0.1+2018-10-05";
+
+  src = fetchFromGitHub {
+    owner = "Stebalien";
+    repo = pname;
+    rev = "bbb58dd4584cc08ad20c3888edb7628f28aee3c7";
+    sha256 = "1l8rd0wzf3m7fk0g1c8wc0csdisdfac0filhixpgp0ck9ignayq5";
+  };
+
+  propagatedBuildInputs = with python3Packages; [
+    dbus-python pygobject3
+  ];
+
+  meta = {
+    homepage = "https://github.com/Stebalien/systemd-wait";
+    license = lib.licenses.gpl3;
+    description = "Wait for a systemd unit to enter a specific state";
+    maintainers = [ lib.maintainers.benley ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
new file mode 100644
index 000000000000..2699c38440ce
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Tue, 8 Jan 2013 15:46:30 +0100
+Subject: [PATCH] Start device units for uninitialised encrypted devices
+
+This is necessary because the NixOS service that initialises the
+filesystem depends on the appearance of the device unit.  Also, this
+makes more sense to me: the device is ready; it's the filesystem
+that's not, but taking care of that is the responsibility of the mount
+unit.  (However, this ignores the fsck unit, so it's not perfect...)
+---
+ rules.d/99-systemd.rules.in | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
+index 25b8a590a6..d18999ea87 100644
+--- a/rules.d/99-systemd.rules.in
++++ b/rules.d/99-systemd.rules.in
+@@ -17,10 +17,6 @@ SUBSYSTEM=="ubi", TAG+="systemd"
+ SUBSYSTEM=="block", TAG+="systemd"
+ SUBSYSTEM=="block", ACTION=="add", ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="1", ENV{SYSTEMD_READY}="0"
+ 
+-# Ignore encrypted devices with no identified superblock on it, since
+-# we are probably still calling mke2fs or mkswap on it.
+-SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
+-
+ # add symlink to GPT root disk
+ SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}!="crypto_LUKS", SYMLINK+="gpt-auto-root"
+ SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}=="crypto_LUKS", SYMLINK+="gpt-auto-root-luks"
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
new file mode 100644
index 000000000000..f46480d32feb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Fri, 12 Apr 2013 13:16:57 +0200
+Subject: [PATCH] Don't try to unmount /nix or /nix/store
+
+They'll still be remounted read-only.
+
+https://github.com/NixOS/nixos/issues/126
+---
+ src/shared/fstab-util.c | 2 ++
+ src/shutdown/umount.c   | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/shared/fstab-util.c b/src/shared/fstab-util.c
+index f683f05981..5a04c2c2a6 100644
+--- a/src/shared/fstab-util.c
++++ b/src/shared/fstab-util.c
+@@ -40,6 +40,8 @@ bool fstab_is_extrinsic(const char *mount, const char *opts) {
+         /* Don't bother with the OS data itself */
+         if (PATH_IN_SET(mount,
+                         "/",
++                        "/nix",
++                        "/nix/store",
+                         "/usr",
+                         "/etc"))
+                 return true;
+diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c
+index 820aa8e286..653e43053d 100644
+--- a/src/shutdown/umount.c
++++ b/src/shutdown/umount.c
+@@ -518,6 +518,8 @@ static int delete_md(MountPoint *m) {
+ 
+ static bool nonunmountable_path(const char *path) {
+         return path_equal(path, "/")
++                || path_equal(path, "/nix")
++                || path_equal(path, "/nix/store")
+ #if ! HAVE_SPLIT_USR
+                 || path_equal(path, "/usr")
+ #endif
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
new file mode 100644
index 000000000000..a669350dbed8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Wed, 16 Apr 2014 10:59:28 +0200
+Subject: [PATCH] Fix NixOS containers
+
+In NixOS containers, the init script is bind-mounted into the
+container, so checking early whether it exists will fail.
+---
+ src/nspawn/nspawn.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 4ce80bba70..bb149192bd 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -5651,6 +5651,7 @@ static int run(int argc, char *argv[]) {
+                                 goto finish;
+                         }
+                 } else {
++#if 0
+                         _cleanup_free_ char *p = NULL;
+ 
+                         if (arg_pivot_root_new)
+@@ -5665,6 +5666,7 @@ static int run(int argc, char *argv[]) {
+                                                     "Directory %s doesn't look like it has an OS tree (/usr/ directory is missing). Refusing.", arg_directory);
+                                 goto finish;
+                         }
++#endif
+                 }
+ 
+         } else {
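Review bot: The `#if 0` / `#endif` pair added in `run()` compiles out the "doesn't look like it has an OS tree" refusal for every directory handed to nspawn, not only for NixOS containers whose init script is bind-mounted later. The reason is recorded only in the patch header, so in the patched tree the block reads as unexplained dead code and the loss of the sanity check is easy to miss on a rebase. Put the rationale on the guard itself, e.g. `#if 0 /* NixOS: init is bind-mounted into the container, so this early check cannot succeed */`. `run()` begins and ends outside both hunks, so the lines between them that are also disabled are not visible here and should be checked against the upstream source when the patch is refreshed.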
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
new file mode 100644
index 000000000000..dfaf53e4a314
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Thu, 1 May 2014 14:10:10 +0200
+Subject: [PATCH] Look for fsck in the right place
+
+---
+ src/fsck/fsck.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c
+index 745d01ff50..dd4eef45c3 100644
+--- a/src/fsck/fsck.c
++++ b/src/fsck/fsck.c
+@@ -368,7 +368,7 @@ static int run(int argc, char *argv[]) {
+                 } else
+                         dash_c[0] = 0;
+ 
+-                cmdline[i++] = "/sbin/fsck";
++                cmdline[i++] = "/run/current-system/sw/bin/fsck";
+                 cmdline[i++] =  arg_repair;
+                 cmdline[i++] = "-T";
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
new file mode 100644
index 000000000000..8a06e2cf69cb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Fri, 19 Dec 2014 14:46:17 +0100
+Subject: [PATCH] Add some NixOS-specific unit directories
+
+Look in `/nix/var/nix/profiles/default/lib/systemd/{system,user}` for
+units provided by packages installed into the default profile via
+`nix-env -iA nixos.$package`.
+
+Also, remove /usr and /lib as these don't exist on NixOS.
+---
+ src/basic/path-lookup.c | 17 ++---------------
+ src/core/systemd.pc.in  |  8 ++++----
+ 2 files changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c
+index 1f4331a8bf..4b9a8ae26e 100644
+--- a/src/basic/path-lookup.c
++++ b/src/basic/path-lookup.c
+@@ -92,11 +92,7 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
+ }
+ 
+ static const char* const user_data_unit_paths[] = {
+-        "/usr/local/lib/systemd/user",
+-        "/usr/local/share/systemd/user",
+         USER_DATA_UNIT_DIR,
+-        "/usr/lib/systemd/user",
+-        "/usr/share/systemd/user",
+         NULL
+ };
+ 
+@@ -617,15 +613,13 @@ int lookup_paths_init(
+                                         persistent_config,
+                                         SYSTEM_CONFIG_UNIT_DIR,
+                                         "/etc/systemd/system",
++                                        "/nix/var/nix/profiles/default/lib/systemd/system",
+                                         STRV_IFNOTNULL(persistent_attached),
+                                         runtime_config,
+                                         "/run/systemd/system",
+                                         STRV_IFNOTNULL(runtime_attached),
+                                         STRV_IFNOTNULL(generator),
+-                                        "/usr/local/lib/systemd/system",
+                                         SYSTEM_DATA_UNIT_DIR,
+-                                        "/usr/lib/systemd/system",
+-                                        STRV_IFNOTNULL(flags & LOOKUP_PATHS_SPLIT_USR ? "/lib/systemd/system" : NULL),
+                                         STRV_IFNOTNULL(generator_late));
+                         break;
+ 
+@@ -641,14 +635,11 @@ int lookup_paths_init(
+                                         persistent_config,
+                                         USER_CONFIG_UNIT_DIR,
+                                         "/etc/systemd/user",
++                                        "/nix/var/nix/profiles/default/lib/systemd/user",
+                                         runtime_config,
+                                         "/run/systemd/user",
+                                         STRV_IFNOTNULL(generator),
+-                                        "/usr/local/share/systemd/user",
+-                                        "/usr/share/systemd/user",
+-                                        "/usr/local/lib/systemd/user",
+                                         USER_DATA_UNIT_DIR,
+-                                        "/usr/lib/systemd/user",
+                                         STRV_IFNOTNULL(generator_late));
+                         break;
+ 
+@@ -808,7 +799,6 @@ char **generator_binary_paths(LookupScope scope) {
+                 case LOOKUP_SCOPE_SYSTEM:
+                         add = strv_new("/run/systemd/system-generators",
+                                        "/etc/systemd/system-generators",
+-                                       "/usr/local/lib/systemd/system-generators",
+                                        SYSTEM_GENERATOR_DIR);
+                         break;
+ 
+@@ -816,7 +806,6 @@ char **generator_binary_paths(LookupScope scope) {
+                 case LOOKUP_SCOPE_USER:
+                         add = strv_new("/run/systemd/user-generators",
+                                        "/etc/systemd/user-generators",
+-                                       "/usr/local/lib/systemd/user-generators",
+                                        USER_GENERATOR_DIR);
+                         break;
+ 
+@@ -855,12 +844,10 @@ char **env_generator_binary_paths(bool is_system) {
+                 if (is_system)
+                         add = strv_new("/run/systemd/system-environment-generators",
+                                         "/etc/systemd/system-environment-generators",
+-                                        "/usr/local/lib/systemd/system-environment-generators",
+                                         SYSTEM_ENV_GENERATOR_DIR);
+                 else
+                         add = strv_new("/run/systemd/user-environment-generators",
+                                        "/etc/systemd/user-environment-generators",
+-                                       "/usr/local/lib/systemd/user-environment-generators",
+                                        USER_ENV_GENERATOR_DIR);
+ 
+                 if (!add)
+diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
+index 693433b34b..5932a21b5b 100644
+--- a/src/core/systemd.pc.in
++++ b/src/core/systemd.pc.in
+@@ -38,10 +38,10 @@ systemdsystemconfdir=${systemd_system_conf_dir}
+ systemd_user_conf_dir=${sysconfdir}/systemd/user
+ systemduserconfdir=${systemd_user_conf_dir}
+ 
+-systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/run/systemd/system:/usr/local/lib/systemd/system:${systemd_system_unit_dir}:/usr/lib/systemd/system:/lib/systemd/system
++systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/nix/var/nix/profiles/default/lib/systemd/system:/run/systemd/system:${systemdsystemunitdir}
+ systemdsystemunitpath=${systemd_system_unit_path}
+ 
+-systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/run/systemd/user:/usr/local/lib/systemd/user:/usr/local/share/systemd/user:${systemd_user_unit_dir}:/usr/lib/systemd/user:/usr/share/systemd/user
++systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/nix/var/nix/profiles/default/lib/systemd/user:/run/systemd/user:${systemduserunitdir}
+ systemduserunitpath=${systemd_user_unit_path}
+ 
+ systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
+@@ -50,10 +50,10 @@ systemdsystemgeneratordir=${systemd_system_generator_dir}
+ systemd_user_generator_dir=${prefix}/lib/systemd/user-generators
+ systemdusergeneratordir=${systemd_user_generator_dir}
+ 
+-systemd_system_generator_path=/run/systemd/system-generators:/etc/systemd/system-generators:/usr/local/lib/systemd/system-generators:${systemd_system_generator_dir}
++systemd_system_generator_path=/run/systemd/system-generators:/etc/systemd/system-generators:${systemd_system_generator_dir}
+ systemdsystemgeneratorpath=${systemd_system_generator_path}
+ 
+-systemd_user_generator_path=/run/systemd/user-generators:/etc/systemd/user-generators:/usr/local/lib/systemd/user-generators:${systemd_user_generator_dir}
++systemd_user_generator_path=/run/systemd/user-generators:/etc/systemd/user-generators:${systemd_user_generator_dir}
+ systemdusergeneratorpath=${systemd_user_generator_path}
+ 
+ systemd_sleep_dir=${root_prefix}/lib/systemd/system-sleep
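Review bot: The rewritten `systemd_system_unit_path` and `systemd_user_unit_path` lines in `systemd.pc.in` end in the legacy aliases `${systemdsystemunitdir}` and `${systemduserunitdir}`, where the removed lines used `${systemd_system_unit_dir}` and `${systemd_user_unit_dir}`. The header comment of the same file calls the non-underscore names deprecated, so the new lines should keep the underscore form, e.g. `...:/run/systemd/system:${systemd_system_unit_dir}`. Separately, in `lookup_paths_init` the new `/nix/var/nix/profiles/default/lib/systemd/system` entry sits ahead of `runtime_config`, `/run/systemd/system` and `SYSTEM_DATA_UNIT_DIR`. If earlier entries win, as the ordering suggests, a unit file in the default profile shadows a same-named runtime or packaged unit. A comment beside the entry should say this precedence is intended and that the profile is expected to be writable only by root; the function bodies continue outside the hunks.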
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
new file mode 100644
index 000000000000..c06f12550261
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Mon, 11 May 2015 15:39:38 +0200
+Subject: [PATCH] Get rid of a useless message in user sessions
+
+Namely lots of variants of
+
+  Unit nix-var-nix-db.mount is bound to inactive unit dev-disk-by\x2dlabel-nixos.device. Stopping, too.
+
+in containers.
+---
+ src/core/manager.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 296b759959..71ef7f27b4 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -1428,7 +1428,8 @@ static unsigned manager_dispatch_stop_when_bound_queue(Manager *m) {
+                 if (!unit_is_bound_by_inactive(u, &culprit))
+                         continue;
+ 
+-                log_unit_debug(u, "Unit is stopped because bound to inactive unit %s.", culprit->id);
++                if (u->type != UNIT_MOUNT || detect_container() <= 0)
++                        log_unit_debug(u, "Unit is stopped because bound to inactive unit %s.", culprit->id);
+ 
+                 /* If stopping a unit fails continuously we might enter a stop loop here, hence stop acting on the
+                  * service being unnecessary after a while. */
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
new file mode 100644
index 000000000000..174cca335b8e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
@@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Gabriel Ebner <gebner@gebner.org>
+Date: Sun, 6 Dec 2015 14:26:36 +0100
+Subject: [PATCH] hostnamed, localed, timedated: disable methods that change
+ system settings.
+
+---
+ src/hostname/hostnamed.c |  6 ++++++
+ src/locale/localed.c     |  9 +++++++++
+ src/timedate/timedated.c | 10 ++++++++++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
+index 5f09e6d0eb..46bef3b59d 100644
+--- a/src/hostname/hostnamed.c
++++ b/src/hostname/hostnamed.c
+@@ -910,6 +910,9 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         name = empty_to_null(name);
+ 
+         context_read_etc_hostname(c);
+@@ -973,6 +976,9 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         name = empty_to_null(name);
+ 
+         context_read_machine_info(c);
+diff --git a/src/locale/localed.c b/src/locale/localed.c
+index 89bf9c6fba..af2f37a4ca 100644
+--- a/src/locale/localed.c
++++ b/src/locale/localed.c
+@@ -359,6 +359,9 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++                                 "Changing system settings via systemd is not supported on NixOS.");
++
+         use_localegen = locale_gen_check_available();
+ 
+         /* If single locale without variable name is provided, then we assume it is LANG=. */
+@@ -484,6 +487,9 @@ static int method_set_vc_keyboard(sd_bus_message *m, void *userdata, sd_bus_erro
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         keymap = empty_to_null(keymap);
+         keymap_toggle = empty_to_null(keymap_toggle);
+ 
+@@ -664,6 +670,9 @@ static int method_set_x11_keyboard(sd_bus_message *m, void *userdata, sd_bus_err
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         layout = empty_to_null(layout);
+         model = empty_to_null(model);
+         variant = empty_to_null(variant);
+diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
+index 9ca5d37b75..e41d8d73df 100644
+--- a/src/timedate/timedated.c
++++ b/src/timedate/timedated.c
+@@ -669,6 +669,10 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
+         if (r < 0)
+                 return r;
+ 
++        if (getenv("NIXOS_STATIC_TIMEZONE"))
++                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++                    "Changing timezone via systemd is not supported when it is set in NixOS configuration.");
++
+         if (!timezone_is_valid(z, LOG_DEBUG))
+                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid or not installed time zone '%s'", z);
+ 
+@@ -748,6 +752,9 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         if (lrtc == c->local_rtc && !fix_system)
+                 return sd_bus_reply_method_return(m, NULL);
+ 
+@@ -930,6 +937,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         r = context_update_ntp_status(c, bus, m);
+         if (r < 0)
+                 return r;
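Review bot: The `getenv("NIXOS_STATIC_TIMEZONE")` test in `method_set_timezone` treats any definition of the variable, even an empty one, as "timezone is fixed", and the patch does not say where the variable is set. A comment such as `/* NixOS: presence of NIXOS_STATIC_TIMEZONE (any value) in the service environment disables SetTimezone */` would make that contract explicit. In the other methods (`method_set_static_hostname`, `set_machine_info`, `method_set_locale`, `method_set_vc_keyboard`, `method_set_x11_keyboard`, `method_set_local_rtc`, `method_set_ntp`) the unconditional `return sd_bus_error_setf(...)` leaves the rest of each body unreachable. A one-line comment such as `/* NixOS: settings are declarative; the code below is intentionally unreachable */` would stop a later rebase from moving the return unnoticed. The continuation lines are also indented inconsistently: the first `localed.c` hunk aligns under the opening parenthesis, the rest use four spaces. All of these functions start and end outside the hunks, so the position of the return relative to any authorization check cannot be confirmed here.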
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
new file mode 100644
index 000000000000..69bd1cc97b27
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nikolay Amiantov <ab@fmap.me>
+Date: Thu, 7 Jul 2016 02:47:13 +0300
+Subject: [PATCH] Fix hwdb paths
+
+Patch by vcunat.
+---
+ src/libsystemd/sd-hwdb/hwdb-internal.h | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/libsystemd/sd-hwdb/hwdb-internal.h b/src/libsystemd/sd-hwdb/hwdb-internal.h
+index 62d27f7b89..87318e041b 100644
+--- a/src/libsystemd/sd-hwdb/hwdb-internal.h
++++ b/src/libsystemd/sd-hwdb/hwdb-internal.h
+@@ -83,8 +83,5 @@ struct trie_value_entry2_f {
+ } _packed_;
+ 
+ #define hwdb_bin_paths                          \
+-        "/etc/systemd/hwdb/hwdb.bin\0"          \
+-        "/etc/udev/hwdb.bin\0"                  \
+-        "/usr/lib/systemd/hwdb/hwdb.bin\0"      \
+-        _CONF_PATHS_SPLIT_USR_NULSTR("systemd/hwdb/hwdb.bin") \
+-        UDEVLIBEXECDIR "/hwdb.bin\0"
++        "/etc/udev/hwdb.bin\0"
++
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
new file mode 100644
index 000000000000..106eba2bed83
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
@@ -0,0 +1,138 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nikolay Amiantov <ab@fmap.me>
+Date: Tue, 11 Oct 2016 13:12:08 +0300
+Subject: [PATCH] Change /usr/share/zoneinfo to /etc/zoneinfo
+
+NixOS uses this path.
+---
+ man/localtime.xml         | 4 ++--
+ src/basic/time-util.c     | 8 ++++----
+ src/firstboot/firstboot.c | 2 +-
+ src/nspawn/nspawn.c       | 4 ++--
+ src/timedate/timedated.c  | 8 ++++----
+ 5 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/man/localtime.xml b/man/localtime.xml
+index e486474c44..5f373d0723 100644
+--- a/man/localtime.xml
++++ b/man/localtime.xml
+@@ -20,7 +20,7 @@
+   </refnamediv>
+ 
+   <refsynopsisdiv>
+-    <para><filename>/etc/localtime</filename> -&gt; <filename>../usr/share/zoneinfo/…</filename></para>
++    <para><filename>/etc/localtime</filename> -&gt; <filename>zoneinfo/…</filename></para>
+   </refsynopsisdiv>
+ 
+   <refsect1>
+@@ -30,7 +30,7 @@
+     system-wide timezone of the local system that is used by
+     applications for presentation to the user. It should be an
+     absolute or relative symbolic link pointing to
+-    <filename>/usr/share/zoneinfo/</filename>, followed by a timezone
++    <filename>/etc/zoneinfo/</filename>, followed by a timezone
+     identifier such as <literal>Europe/Berlin</literal> or
+     <literal>Etc/UTC</literal>. The resulting link should lead to the
+     corresponding binary
+diff --git a/src/basic/time-util.c b/src/basic/time-util.c
+index 0ad8de4b9a..b794c6c7d0 100644
+--- a/src/basic/time-util.c
++++ b/src/basic/time-util.c
+@@ -1281,7 +1281,7 @@ static int get_timezones_from_zone1970_tab(char ***ret) {
+ 
+         assert(ret);
+ 
+-        f = fopen("/usr/share/zoneinfo/zone1970.tab", "re");
++        f = fopen("/etc/zoneinfo/zone1970.tab", "re");
+         if (!f)
+                 return -errno;
+ 
+@@ -1320,7 +1320,7 @@ static int get_timezones_from_tzdata_zi(char ***ret) {
+         _cleanup_strv_free_ char **zones = NULL;
+         int r;
+ 
+-        f = fopen("/usr/share/zoneinfo/tzdata.zi", "re");
++        f = fopen("/etc/zoneinfo/tzdata.zi", "re");
+         if (!f)
+                 return -errno;
+ 
+@@ -1433,7 +1433,7 @@ int verify_timezone(const char *name, int log_level) {
+         if (p - name >= PATH_MAX)
+                 return -ENAMETOOLONG;
+ 
+-        t = strjoina("/usr/share/zoneinfo/", name);
++        t = strjoina("/etc/zoneinfo/", name);
+ 
+         fd = open(t, O_RDONLY|O_CLOEXEC);
+         if (fd < 0)
+@@ -1491,7 +1491,7 @@ int get_timezone(char **ret) {
+         if (r < 0)
+                 return r; /* returns EINVAL if not a symlink */
+ 
+-        e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/");
++        e = PATH_STARTSWITH_SET(t, "/etc/zoneinfo/", "../etc/zoneinfo/");
+         if (!e)
+                 return -EINVAL;
+ 
+diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
+index 39160182ef..8dcc3307c8 100644
+--- a/src/firstboot/firstboot.c
++++ b/src/firstboot/firstboot.c
+@@ -494,7 +494,7 @@ static int process_timezone(void) {
+         if (isempty(arg_timezone))
+                 return 0;
+ 
+-        e = strjoina("../usr/share/zoneinfo/", arg_timezone);
++        e = strjoina("zoneinfo/", arg_timezone);
+ 
+         (void) mkdir_parents(etc_localtime, 0755);
+         if (symlink(e, etc_localtime) < 0)
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index bb149192bd..08751ed944 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -1901,8 +1901,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid
+ static const char *timezone_from_path(const char *path) {
+         return PATH_STARTSWITH_SET(
+                         path,
+-                        "../usr/share/zoneinfo/",
+-                        "/usr/share/zoneinfo/");
++                        "../etc/zoneinfo/",
++                        "/etc/zoneinfo/");
+ }
+ 
+ static bool etc_writable(void) {
+diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
+index e41d8d73df..ff1a384b3b 100644
+--- a/src/timedate/timedated.c
++++ b/src/timedate/timedated.c
+@@ -282,7 +282,7 @@ static int context_read_data(Context *c) {
+ 
+         r = get_timezone(&t);
+         if (r == -EINVAL)
+-                log_warning_errno(r, "/etc/localtime should be a symbolic link to a time zone data file in /usr/share/zoneinfo/.");
++                log_warning_errno(r, "/etc/localtime should be a symbolic link to a time zone data file in /etc/zoneinfo/.");
+         else if (r < 0)
+                 log_warning_errno(r, "Failed to get target of /etc/localtime: %m");
+ 
+@@ -306,7 +306,7 @@ static int context_write_data_timezone(Context *c) {
+ 
+         if (isempty(c->zone) || streq(c->zone, "UTC")) {
+ 
+-                if (access("/usr/share/zoneinfo/UTC", F_OK) < 0) {
++                if (access("/etc/zoneinfo/UTC", F_OK) < 0) {
+ 
+                         if (unlink("/etc/localtime") < 0 && errno != ENOENT)
+                                 return -errno;
+@@ -314,9 +314,9 @@ static int context_write_data_timezone(Context *c) {
+                         return 0;
+                 }
+ 
+-                source = "../usr/share/zoneinfo/UTC";
++                source = "../etc/zoneinfo/UTC";
+         } else {
+-                p = path_join("../usr/share/zoneinfo", c->zone);
++                p = path_join("../etc/zoneinfo", c->zone);
+                 if (!p)
+                         return -ENOMEM;
+ 
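Review bot: The symlink target written by `process_timezone` in `src/firstboot/firstboot.c` is now `zoneinfo/<zone>`, but the readers do not accept that form. `get_timezone` in `time-util.c` and `timezone_from_path` in `nspawn.c` only match targets starting with `/etc/zoneinfo/` or `../etc/zoneinfo/`, so, as far as these hunks show, a link created by firstboot would be rejected with `-EINVAL` when read back. `context_write_data_timezone` in `timedated.c` writes `../etc/zoneinfo/...`, so the two writers also disagree with each other. Either write the same form in firstboot, `e = strjoina("../etc/zoneinfo/", arg_timezone);`, or add `"zoneinfo/"` to both `PATH_STARTSWITH_SET` calls. All of these functions continue outside the hunks.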
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
new file mode 100644
index 000000000000..a3315a1e657a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Imuli <i@imu.li>
+Date: Wed, 19 Oct 2016 08:46:47 -0400
+Subject: [PATCH] localectl: use /etc/X11/xkb for list-x11-*
+
+NixOS has an option to link the xkb data files to /etc/X11, but not to
+/usr/share/X11.
+---
+ src/locale/localectl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/localectl.c b/src/locale/localectl.c
+index 661d54c27d..e98b578531 100644
+--- a/src/locale/localectl.c
++++ b/src/locale/localectl.c
+@@ -277,7 +277,7 @@ static int list_x11_keymaps(int argc, char **argv, void *userdata) {
+         } state = NONE, look_for;
+         int r;
+ 
+-        f = fopen("/usr/share/X11/xkb/rules/base.lst", "re");
++        f = fopen("/etc/X11/xkb/rules/base.lst", "re");
+         if (!f)
+                 return log_error_errno(errno, "Failed to open keyboard mapping list. %m");
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
new file mode 100644
index 000000000000..75d113d00339
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Franz Pletz <fpletz@fnordicwalking.de>
+Date: Sun, 11 Feb 2018 04:37:44 +0100
+Subject: [PATCH] build: don't create statedir and don't touch prefixdir
+
+---
+ meson.build | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 9c170acc0a..818b7a3eb5 100644
+--- a/meson.build
++++ b/meson.build
+@@ -3928,9 +3928,6 @@ install_data('LICENSE.GPL2',
+ install_subdir('LICENSES',
+                install_dir : docdir)
+ 
+-meson.add_install_script('sh', '-c', mkdir_p.format(systemdstatedir))
+-meson.add_install_script('sh', '-c', 'touch $DESTDIR@0@'.format(prefixdir))
+-
+ ############################################################
+ 
+ # Ensure that changes to the docs/ directory do not break the
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch
new file mode 100644
index 000000000000..c1659ae8a78a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andreas Rammhold <andreas@rammhold.de>
+Date: Thu, 9 May 2019 11:15:22 +0200
+Subject: [PATCH] add rootprefix to lookup dir paths
+
+systemd does not longer use the UDEVLIBEXEC directory as root for
+discovery default udev rules. By adding `$out/lib` to the lookup paths
+we should again be able to discover the udev rules amongst other default
+files that I might have missed.
+---
+ src/basic/def.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/def.h b/src/basic/def.h
+index 0a1ae023a3..cc00ff6c68 100644
+--- a/src/basic/def.h
++++ b/src/basic/def.h
+@@ -39,13 +39,15 @@
+         "/run/" n "\0"                          \
+         "/usr/local/lib/" n "\0"                \
+         "/usr/lib/" n "\0"                      \
+-        _CONF_PATHS_SPLIT_USR_NULSTR(n)
++        _CONF_PATHS_SPLIT_USR_NULSTR(n)         \
++        ROOTPREFIX "/lib/" n "\0"
+ 
+ #define CONF_PATHS_USR(n)                       \
+         "/etc/" n,                              \
+         "/run/" n,                              \
+         "/usr/local/lib/" n,                    \
+-        "/usr/lib/" n
++        "/usr/lib/" n,                          \
++        ROOTPREFIX "/lib/" n
+ 
+ #define CONF_PATHS(n)                           \
+         CONF_PATHS_USR(n)                       \
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
new file mode 100644
index 000000000000..4add87267ddb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nikolay Amiantov <ab@fmap.me>
+Date: Thu, 25 Jul 2019 20:45:55 +0300
+Subject: [PATCH] systemd-shutdown: execute scripts in
+ /etc/systemd/system-shutdown
+
+This is needed for NixOS to use such scripts as systemd directory is immutable.
+---
+ src/shutdown/shutdown.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c
+index 2c3cbec02c..1b876203c6 100644
+--- a/src/shutdown/shutdown.c
++++ b/src/shutdown/shutdown.c
+@@ -335,7 +335,7 @@ int main(int argc, char *argv[]) {
+         _cleanup_free_ char *cgroup = NULL;
+         char *arguments[3];
+         int cmd, r, umount_log_level = LOG_INFO;
+-        static const char* const dirs[] = {SYSTEM_SHUTDOWN_PATH, NULL};
++        static const char* const dirs[] = {SYSTEM_SHUTDOWN_PATH, "/etc/systemd/system-shutdown", NULL};
+ 
+         /* The log target defaults to console, but the original systemd process will pass its log target in through a
+          * command line argument, which will override this default. Also, ensure we'll never log to the journal or
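Review bot: The new `"/etc/systemd/system-shutdown"` entry in `dirs[]` adds a directory under `/etc` to the set systemd-shutdown executes from, and nothing in the hunk documents or checks who may write there. The same applies to the `"/etc/systemd/system-sleep"` entry that 0014 adds to `dirs[]` in `execute()` of `src/sleep/sleep.c`. These programs presumably run with the privileges of the shutdown and sleep binaries, so each entry deserves a comment stating the expectation, e.g. `/* NixOS: directory must be root-owned and not group/world-writable */`. `main` and `execute` continue outside the hunks, so whether the executor already verifies ownership or mode cannot be seen here.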
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
new file mode 100644
index 000000000000..22e2bc8e5300
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nikolay Amiantov <ab@fmap.me>
+Date: Thu, 25 Jul 2019 20:46:58 +0300
+Subject: [PATCH] systemd-sleep: execute scripts in /etc/systemd/system-sleep
+
+This is needed for NixOS to use such scripts as systemd directory is immutable.
+---
+ src/sleep/sleep.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c
+index 65e391d02a..28af2f8bf5 100644
+--- a/src/sleep/sleep.c
++++ b/src/sleep/sleep.c
+@@ -180,6 +180,7 @@ static int execute(
+         };
+         static const char* const dirs[] = {
+                 SYSTEM_SLEEP_PATH,
++                "/etc/systemd/system-sleep",
+                 NULL
+         };
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
new file mode 100644
index 000000000000..653f3beea965
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Florian Klink <flokli@flokli.de>
+Date: Sun, 8 Mar 2020 01:05:54 +0100
+Subject: [PATCH] path-util.h: add placeholder for DEFAULT_PATH_NORMAL
+
+This will be the $PATH used to lookup ExecStart= etc. options, which
+systemd itself uses extensively.
+---
+ src/basic/path-util.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/basic/path-util.h b/src/basic/path-util.h
+index 553aa4fb58..46294f4bb1 100644
+--- a/src/basic/path-util.h
++++ b/src/basic/path-util.h
+@@ -24,11 +24,11 @@
+ #  define PATH_SBIN_BIN_NULSTR(x) PATH_NORMAL_SBIN_BIN_NULSTR(x)
+ #endif
+ 
+-#define DEFAULT_PATH_NORMAL PATH_SBIN_BIN("/usr/local/") ":" PATH_SBIN_BIN("/usr/")
+-#define DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/usr/local/") PATH_SBIN_BIN_NULSTR("/usr/")
++#define DEFAULT_PATH_NORMAL "@defaultPathNormal@"
++#define DEFAULT_PATH_NORMAL_NULSTR "@defaultPathNormal@\0"
+ #define DEFAULT_PATH_SPLIT_USR DEFAULT_PATH_NORMAL ":" PATH_SBIN_BIN("/")
+ #define DEFAULT_PATH_SPLIT_USR_NULSTR DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/")
+-#define DEFAULT_PATH_COMPAT PATH_SPLIT_SBIN_BIN("/usr/local/") ":" PATH_SPLIT_SBIN_BIN("/usr/") ":" PATH_SPLIT_SBIN_BIN("/")
++#define DEFAULT_PATH_COMPAT DEFAULT_PATH_NORMAL
+ 
+ #if HAVE_SPLIT_USR
+ #  define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR
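Review bot: `DEFAULT_PATH_NORMAL_NULSTR` becomes `"@defaultPathNormal@\0"`, a single NUL-terminated entry, whereas the removed definition built one entry per directory through `PATH_SBIN_BIN_NULSTR`. If the substituted value ever holds more than one colon-separated directory, code iterating the NULSTR would see one entry containing colons, so the define needs a comment stating that the value must be a single directory (or the substitution must emit NUL-separated entries). Nothing here fails the build if the placeholder is left unsubstituted, in which case the literal `@defaultPathNormal@` would become the default search path for executables. A check on the packaging side that the placeholder no longer appears in `path-util.h` after substitution would catch that.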
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch
new file mode 100644
index 000000000000..3fbfd7f10ab4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Sun, 6 Dec 2020 08:34:19 +0100
+Subject: [PATCH] pkg-config: derive prefix from --prefix
+
+Point prefix to the one configured, instead of `/usr` `systemd` has limited
+support for making the pkgconfig prefix overridable, and interpolates those
+values later down.
+
+So we only need to patch this one value to get the correct paths.
+See systemd/systemd@bc4e6e27922a2873985ab9367d79fb099f70b505 for details.
+
+Co-Authored-By: Florian Klink <flokli@flokli.de>
+---
+ src/core/systemd.pc.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
+index 5932a21b5b..20bf8e316d 100644
+--- a/src/core/systemd.pc.in
++++ b/src/core/systemd.pc.in
+@@ -11,7 +11,7 @@
+ # considered deprecated (though there is no plan to remove them). New names
+ # shall have underscores.
+ 
+-prefix=/usr
++prefix={{PREFIX}}
+ root_prefix={{ROOTPREFIX_NOSLASH}}
+ rootprefix=${root_prefix}
+ sysconf_dir={{SYSCONF_DIR}}
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch b/nixpkgs/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch
new file mode 100644
index 000000000000..f4925437aa58
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yuriy Taraday <yorik.sar@gmail.com>
+Date: Fri, 17 Jun 2022 12:45:10 +0000
+Subject: [PATCH] inherit systemd environment when calling generators.
+
+Systemd generators need access to the environment configured in
+stage-2-init.sh since it schedules fsck and mkfs executions based on
+being able to find an appropriate binary for the target filesystem.
+
+With this commit I am altering the systemd behaviour since upstream
+tries to gather environments with that they call
+"environment-generators" and then seems to pass that on to all the other
+executables that are being called from managers.
+---
+ src/core/manager.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 71ef7f27b4..33ded94a7c 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -3704,9 +3704,17 @@ static int build_generator_environment(Manager *m, char ***ret) {
+          * adjust generated units to that. Let's pass down some bits of information that are easy for us to
+          * determine (but a bit harder for generator scripts to determine), as environment variables. */
+ 
++        // On NixOS we must propagate PATH to generators so they are
++        // able to find binaries such as `fsck.${fstype}` and
++        // `mkfs.${fstype}`. That is why we ignore transient_environment that
++        // overrides the PATH variable. This propagates systemd's
++        // environment (e.g. PATH) that was setup
++        // before calling systemd from stage-2-init.sh.
++#if 0
+         nl = strv_copy(m->transient_environment);
+         if (!nl)
+                 return -ENOMEM;
++#endif
+ 
+         r = strv_env_assign(&nl, "SYSTEMD_SCOPE", MANAGER_IS_SYSTEM(m) ? "system" : "user");
+         if (r < 0)
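Review bot: With the `strv_copy()` compiled out by `#if 0`, `nl` gets its first value in `strv_env_assign(&nl, "SYSTEMD_SCOPE", …)`, so the patch is only correct if `nl` is declared NULL-initialised at the top of `build_generator_environment`. That declaration is outside this hunk and should be re-checked on every rebase. The block also drops all of `m->transient_environment`, not only its `PATH` entry, so any other variable held there stops reaching generators, which then see `PATH` exactly as it was set up before systemd was started from stage-2-init.sh. I would state both facts in the comment, e.g. `/* NOTE: drops all of transient_environment, not only PATH; relies on nl starting out NULL. */`, and use a `/* */` comment to match the surrounding file.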
diff --git a/nixpkgs/pkgs/os-specific/linux/systemd/default.nix b/nixpkgs/pkgs/os-specific/linux/systemd/default.nix
new file mode 100644
index 000000000000..348f0e11342e
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/systemd/default.nix
@@ -0,0 +1,697 @@
+# NOTE: Make sure to (re-)format this file on changes with `nixpkgs-fmt`!
+
+{ stdenv
+, lib
+, nixosTests
+, fetchFromGitHub
+, fetchpatch
+, fetchzip
+, buildPackages
+, ninja
+, meson
+, m4
+, pkg-config
+, coreutils
+, gperf
+, getent
+, glibcLocales
+
+  # glib is only used during tests (test-bus-gvariant, test-bus-marshal)
+, glib
+, substituteAll
+, gettext
+, python3Packages
+
+  # Mandatory dependencies
+, libcap
+, util-linux
+, kbd
+, kmod
+
+  # Optional dependencies
+, pam
+, cryptsetup
+, audit
+, acl
+, lz4
+, libgcrypt
+, libgpg-error
+, libidn2
+, curl
+, gnutar
+, gnupg
+, zlib
+, xz
+, zstd
+, tpm2-tss
+, libuuid
+, libapparmor
+, intltool
+, bzip2
+, pcre2
+, e2fsprogs
+, elfutils
+, linuxHeaders ? stdenv.cc.libc.linuxHeaders
+, gnu-efi
+, iptables
+, withSelinux ? false
+, libselinux
+, withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp
+, libseccomp
+, withKexectools ? lib.meta.availableOn stdenv.hostPlatform kexec-tools
+, kexec-tools
+, bashInteractive
+, libmicrohttpd
+, libfido2
+, p11-kit
+
+  # the (optional) BPF feature requires bpftool, libbpf, clang and llvm-strip to be available during build time.
+  # Only libbpf should be a runtime dependency.
+, bpftools
+, libbpf
+, llvmPackages
+
+, withAnalyze ? true
+, withApparmor ? true
+, withCompression ? true  # adds bzip2, lz4, xz and zstd
+, withCoredump ? true
+, withCryptsetup ? true
+, withDocumentation ? true
+, withEfi ? stdenv.hostPlatform.isEfi
+, withFido2 ? true
+, withHomed ? false
+, withHostnamed ? true
+, withHwdb ? true
+, withImportd ? !stdenv.hostPlatform.isMusl
+, withLibBPF ? false # currently fails while generating BPF objects
+, withLocaled ? true
+, withLogind ? true
+, withMachined ? true
+, withNetworkd ? true
+, withNss ? !stdenv.hostPlatform.isMusl
+, withOomd ? false
+, withPCRE2 ? true
+, withPolkit ? true
+, withPortabled ? false
+, withRemote ? !stdenv.hostPlatform.isMusl
+, withResolved ? true
+, withShellCompletions ? true
+, withTimedated ? true
+, withTimesyncd ? true
+, withTpm2Tss ? !stdenv.hostPlatform.isMusl
+, withUserDb ? !stdenv.hostPlatform.isMusl
+  # tests assume too much system access for them to be feasible for us right now
+, withTests ? false
+
+  # name argument
+, pname ? "systemd"
+
+, libxslt
+, docbook_xsl
+, docbook_xml_dtd_42
+, docbook_xml_dtd_45
+}:
+
+assert withResolved -> (libgcrypt != null && libgpg-error != null);
+assert withImportd ->
+(curl.dev != null && zlib != null && xz != null && libgcrypt != null
+  && gnutar != null && gnupg != null && withCompression);
+
+assert withEfi -> (gnu-efi != null);
+assert withRemote -> lib.getDev curl != null;
+assert withCoredump -> withCompression;
+
+assert withHomed -> withCryptsetup;
+
+assert withCryptsetup -> (cryptsetup != null);
+let
+  wantCurl = withRemote || withImportd;
+  wantGcrypt = withResolved || withImportd;
+  version = "251.3";
+
+  # Bump this variable on every (major) version change. See below (in the meson options list) for why.
+  # command:
+  #  $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \
+  #     jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime'
+  releaseTimestamp = "1653143108";
+in
+stdenv.mkDerivation {
+  inherit pname version;
+
+  # We use systemd/systemd-stable for src, and ship NixOS-specific patches inside nixpkgs directly
+  # This has proven to be less error-prone than the previous systemd fork.
+  src = fetchFromGitHub {
+    owner = "systemd";
+    repo = "systemd-stable";
+    rev = "v${version}";
+    sha256 = "sha256-vcj+k/duRID2R+wGQIyq+dVRrFYNQTsjHya6k0hmZxk=";
+  };
+
+  # On major changes, or when otherwise required, you *must* reformat the patches,
+  # `git am path/to/00*.patch` them into a systemd worktree, rebase to the more recent
+  # systemd version, and export the patches again via
+  # `git -c format.signoff=false format-patch v${version} --no-numbered --zero-commit --no-signature`.
+  # Use `find . -name "*.patch" | sort` to get an up-to-date listing of all patches
+  patches = [
+    ./0001-Start-device-units-for-uninitialised-encrypted-devic.patch
+    ./0002-Don-t-try-to-unmount-nix-or-nix-store.patch
+    ./0003-Fix-NixOS-containers.patch
+    ./0004-Look-for-fsck-in-the-right-place.patch
+    ./0005-Add-some-NixOS-specific-unit-directories.patch
+    ./0006-Get-rid-of-a-useless-message-in-user-sessions.patch
+    ./0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
+    ./0008-Fix-hwdb-paths.patch
+    ./0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
+    ./0010-localectl-use-etc-X11-xkb-for-list-x11.patch
+    ./0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
+    ./0012-add-rootprefix-to-lookup-dir-paths.patch
+    ./0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+    ./0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+    ./0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+    ./0016-pkg-config-derive-prefix-from-prefix.patch
+    ./0017-inherit-systemd-environment-when-calling-generators.patch
+  ] ++ lib.optional stdenv.hostPlatform.isMusl (
+    let
+      oe-core = fetchzip {
+        url = "https://git.openembedded.org/openembedded-core/snapshot/openembedded-core-86a33f98a7c0d6f2c2b51d02ba9e01b63062cf98.tar.bz2";
+        sha256 = "081j01sw21hl405l7g9z4bavvq0q0k4g80365677m0ykhiqlx3am";
+      };
+      musl-patches = oe-core + "/meta/recipes-core/systemd/systemd";
+    in
+    [
+      (musl-patches + "/0003-missing_type.h-add-comparison_fn_t.patch")
+      (musl-patches + "/0004-add-fallback-parse_printf_format-implementation.patch")
+      (musl-patches + "/0005-src-basic-missing.h-check-for-missing-strndupa.patch")
+      (musl-patches + "/0007-don-t-fail-if-GLOB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch")
+      (musl-patches + "/0008-add-missing-FTW_-macros-for-musl.patch")
+      (musl-patches + "/0010-Use-uintmax_t-for-handling-rlim_t.patch")
+      (musl-patches + "/0011-test-sizeof.c-Disable-tests-for-missing-typedefs-in-.patch")
+      (musl-patches + "/0012-don-t-pass-AT_SYMLINK_NOFOLLOW-flag-to-faccessat.patch")
+      (musl-patches + "/0013-Define-glibc-compatible-basename-for-non-glibc-syste.patch")
+      (musl-patches + "/0014-Do-not-disable-buffering-when-writing-to-oom_score_a.patch")
+      (musl-patches + "/0015-distinguish-XSI-compliant-strerror_r-from-GNU-specif.patch")
+      (musl-patches + "/0018-avoid-redefinition-of-prctl_mm_map-structure.patch")
+      (musl-patches + "/0022-do-not-disable-buffer-in-writing-files.patch")
+      (musl-patches + "/0025-Handle-__cpu_mask-usage.patch")
+      (musl-patches + "/0026-Handle-missing-gshadow.patch")
+      (musl-patches + "/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch")
+      (musl-patches + "/0001-pass-correct-parameters-to-getdents64.patch")
+      (musl-patches + "/0002-Add-sys-stat.h-for-S_IFDIR.patch")
+      (musl-patches + "/0001-Adjust-for-musl-headers.patch")
+    ]
+  );
+
+  postPatch = ''
+    substituteInPlace src/basic/path-util.h --replace "@defaultPathNormal@" "${placeholder "out"}/bin/"
+    substituteInPlace src/boot/efi/meson.build \
+      --replace \
+      "run_command(cc.cmd_array(), '-print-prog-name=objcopy', check: true).stdout().strip()" \
+      "'${stdenv.cc.bintools.targetPrefix}objcopy'"
+  '' + (
+    let
+      # The following patches references to dynamic libraries to ensure that
+      # all the features that are implemented via dlopen(3) are available (or
+      # explicitly deactivated) by pointing dlopen to the absolute store path
+      # instead of relying on the linkers runtime lookup code.
+      #
+      # All of the shared library references have to be handled. When new ones
+      # are introduced by upstream (or one of our patches) they must be
+      # explicitly declared, otherwise the build will fail.
+      #
+      # As of systemd version 247 we've seen a few errors like `libpcre2.… not
+      # found` when using e.g. --grep with journalctl. Those errors should
+      # become less unexpected now.
+      #
+      # There are generally two classes of dlopen(3) calls. Those that we want to
+      # support and those that should be deactivated / unsupported. This change
+      # enforces that we handle all dlopen calls explicitly. Meaning: There is
+      # not a single dlopen call in the source code tree that we did not
+      # explicitly handle.
+      #
+      # In order to do this we introduced a list of attributes that maps from
+      # shared object name to the package that contains them. The package can be
+      # null meaning the reference should be nuked and the shared object will
+      # never be loadable during runtime (because it points at an invalid store
+      # path location).
+      #
+      # To get a list of dynamically loaded libraries issue something like
+      # `grep -ri '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"'' $src` and update the below list.
+      dlopenLibs =
+        let
+          opt = condition: pkg: if condition then pkg else null;
+        in
+        [
+          # bpf compilation support
+          { name = "libbpf.so.0"; pkg = opt withLibBPF libbpf; }
+
+          # We did never provide support for libxkbcommon & qrencode
+          { name = "libxkbcommon.so.0"; pkg = null; }
+          { name = "libqrencode.so.4"; pkg = null; }
+
+          # We did not provide libpwquality before so it is safe to disable it for
+          # now.
+          { name = "libpwquality.so.1"; pkg = null; }
+
+          # Only include cryptsetup if it is enabled. We might not be able to
+          # provide it during "bootstrap" in e.g. the minimal systemd build as
+          # cryptsetup has udev (aka systemd) in it's dependencies.
+          { name = "libcryptsetup.so.12"; pkg = opt withCryptsetup cryptsetup; }
+
+          # We are using libidn2 so we only provide that and ignore the others.
+          # Systemd does this decision during configure time and uses ifdef's to
+          # enable specific branches. We can safely ignore (nuke) the libidn "v1"
+          # libraries.
+          { name = "libidn2.so.0"; pkg = libidn2; }
+          { name = "libidn.so.12"; pkg = null; }
+          { name = "libidn.so.11"; pkg = null; }
+
+          # journalctl --grep requires libpcre so let's provide it
+          { name = "libpcre2-8.so.0"; pkg = pcre2; }
+
+          # Support for TPM2 in systemd-cryptsetup, systemd-repart and systemd-cryptenroll
+          { name = "libtss2-esys.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
+          { name = "libtss2-rc.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
+          { name = "libtss2-mu.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
+          { name = "libtss2-tcti-"; pkg = opt withTpm2Tss tpm2-tss; }
+          { name = "libfido2.so.1"; pkg = opt withFido2 libfido2; }
+
+          # inspect-elf support
+          { name = "libelf.so.1"; pkg = opt withCoredump elfutils; }
+          { name = "libdw.so.1"; pkg = opt withCoredump elfutils; }
+        ];
+
+      patchDlOpen = dl:
+        let
+          library = "${lib.makeLibraryPath [ dl.pkg ]}/${dl.name}";
+        in
+        if dl.pkg == null then ''
+          # remove the dependency on the library by replacing it with an invalid path
+          for file in $(grep -lr '"${dl.name}"' src); do
+            echo "patching dlopen(\"${dl.name}\", …) in $file to an invalid store path ("/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}")…"
+            substituteInPlace "$file" --replace '"${dl.name}"' '"/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}"'
+          done
+        '' else ''
+          # ensure that the library we provide actually exists
+          if ! [ -e ${library} ]; then
+            # exceptional case, details:
+            # https://github.com/systemd/systemd-stable/blob/v249-stable/src/shared/tpm2-util.c#L157
+            if ! [[ "${library}" =~ .*libtss2-tcti-$ ]]; then
+              echo 'The shared library `${library}` does not exist but was given as substitute for `${dl.name}`'
+              exit 1
+            fi
+          fi
+          # make the path to the dependency explicit
+          for file in $(grep -lr '"${dl.name}"' src); do
+            echo "patching dlopen(\"${dl.name}\", …) in $file to ${library}…"
+            substituteInPlace "$file" --replace '"${dl.name}"' '"${library}"'
+          done
+
+        '';
+    in
+    # patch all the dlopen calls to contain absolute paths to the libraries
+    lib.concatMapStringsSep "\n" patchDlOpen dlopenLibs
+  )
+  # finally ensure that there are no left-over dlopen calls (or rather strings pointing to shared libraries) that we didn't handle
+  + ''
+    if grep -qr '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"' src; then
+      echo "Found unhandled dynamic library calls: "
+      grep -r '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"' src
+      exit 1
+    fi
+  ''
+  # Finally, patch shebangs in scripts used at build time. This must not patch
+  # scripts that will end up in the output, to avoid build platform references
+  # when cross-compiling.
+  + ''
+    shopt -s extglob
+    patchShebangs tools test src/!(rpm)
+  '';
+
+  outputs = [ "out" "man" "dev" ];
+
+  nativeBuildInputs =
+    [
+      pkg-config
+      gperf
+      ninja
+      meson
+      glibcLocales
+      getent
+      m4
+
+      intltool
+      gettext
+
+      libxslt
+      docbook_xsl
+      docbook_xml_dtd_42
+      docbook_xml_dtd_45
+      (buildPackages.python3Packages.python.withPackages (ps: with ps; [ lxml jinja2 ]))
+    ]
+    ++ lib.optional withLibBPF [
+      bpftools
+      llvmPackages.clang
+      llvmPackages.libllvm
+    ]
+  ;
+
+  buildInputs =
+    [
+      acl
+      audit
+      kmod
+      libcap
+      libidn2
+      libuuid
+      linuxHeaders
+      pam
+    ]
+
+    ++ lib.optional wantGcrypt libgcrypt
+    ++ lib.optional withTests glib
+    ++ lib.optional withApparmor libapparmor
+    ++ lib.optional wantCurl (lib.getDev curl)
+    ++ lib.optionals withCompression [ bzip2 lz4 xz zstd ]
+    ++ lib.optional withCoredump elfutils
+    ++ lib.optional withCryptsetup (lib.getDev cryptsetup.dev)
+    ++ lib.optional withEfi gnu-efi
+    ++ lib.optional withKexectools kexec-tools
+    ++ lib.optional withLibseccomp libseccomp
+    ++ lib.optional withNetworkd iptables
+    ++ lib.optional withPCRE2 pcre2
+    ++ lib.optional withResolved libgpg-error
+    ++ lib.optional withSelinux libselinux
+    ++ lib.optional withRemote libmicrohttpd
+    ++ lib.optionals withHomed [ p11-kit ]
+    ++ lib.optionals (withHomed || withCryptsetup) [ libfido2 ]
+    ++ lib.optionals withLibBPF [ libbpf ]
+    ++ lib.optional withTpm2Tss tpm2-tss
+  ;
+
+  #dontAddPrefix = true;
+
+  mesonFlags = [
+    "-Dversion-tag=${version}"
+    # We bump this variable on every (major) version change to ensure
+    # that we have known-good value for a timestamp that is in the (not so distant) past.
+    # This serves as a lower bound for valid system timestamps during startup. Systemd will
+    # reset the system timestamp if this date is +- 15 years from the system time.
+    # See the systemd v250 release notes for further details:
+    # https://github.com/systemd/systemd/blob/60e930fc3e6eb8a36fbc184773119eb8d2f30364/NEWS#L258-L266
+    "-Dtime-epoch=${releaseTimestamp}"
+
+    "-Ddbuspolicydir=${placeholder "out"}/share/dbus-1/system.d"
+    "-Ddbussessionservicedir=${placeholder "out"}/share/dbus-1/services"
+    "-Ddbussystemservicedir=${placeholder "out"}/share/dbus-1/system-services"
+    "-Dpamconfdir=${placeholder "out"}/etc/pam.d"
+    "-Drootprefix=${placeholder "out"}"
+    "-Dpkgconfiglibdir=${placeholder "dev"}/lib/pkgconfig"
+    "-Dpkgconfigdatadir=${placeholder "dev"}/share/pkgconfig"
+    "-Dloadkeys-path=${kbd}/bin/loadkeys"
+    "-Dsetfont-path=${kbd}/bin/setfont"
+    "-Dtty-gid=3" # tty in NixOS has gid 3
+    "-Ddebug-shell=${bashInteractive}/bin/bash"
+    "-Dglib=${lib.boolToString withTests}"
+    # while we do not run tests we should also not build them. Removes about 600 targets
+    "-Dtests=false"
+    "-Danalyze=${lib.boolToString withAnalyze}"
+    "-Dgcrypt=${lib.boolToString wantGcrypt}"
+    "-Dimportd=${lib.boolToString withImportd}"
+    "-Dlz4=${lib.boolToString withCompression}"
+    "-Dhomed=${lib.boolToString withHomed}"
+    "-Dlogind=${lib.boolToString withLogind}"
+    "-Dlocaled=${lib.boolToString withLocaled}"
+    "-Dhostnamed=${lib.boolToString withHostnamed}"
+    "-Dmachined=${lib.boolToString withMachined}"
+    "-Dnetworkd=${lib.boolToString withNetworkd}"
+    "-Doomd=${lib.boolToString withOomd}"
+    "-Dpolkit=${lib.boolToString withPolkit}"
+    "-Dlibcryptsetup=${lib.boolToString withCryptsetup}"
+    "-Dportabled=${lib.boolToString withPortabled}"
+    "-Dhwdb=${lib.boolToString withHwdb}"
+    "-Dremote=${lib.boolToString withRemote}"
+    "-Dsysusers=false"
+    "-Dtimedated=${lib.boolToString withTimedated}"
+    "-Dtimesyncd=${lib.boolToString withTimesyncd}"
+    "-Duserdb=${lib.boolToString withUserDb}"
+    "-Dcoredump=${lib.boolToString withCoredump}"
+    "-Dfirstboot=false"
+    "-Dresolve=${lib.boolToString withResolved}"
+    "-Dsplit-usr=false"
+    "-Dlibcurl=${lib.boolToString wantCurl}"
+    "-Dlibidn=false"
+    "-Dlibidn2=true"
+    "-Dquotacheck=false"
+    "-Dldconfig=false"
+    "-Dsmack=true"
+    "-Db_pie=true"
+    "-Dinstall-sysconfdir=false"
+    "-Dsbat-distro=nixos"
+    "-Dsbat-distro-summary=NixOS"
+    "-Dsbat-distro-url=https://nixos.org/"
+    "-Dsbat-distro-pkgname=${pname}"
+    "-Dsbat-distro-version=${version}"
+    /*
+      As of now, systemd doesn't allow runtime configuration of these values. So
+      the settings in /etc/login.defs have no effect on it. Many people think this
+      should be supported however, see
+      - https://github.com/systemd/systemd/issues/3855
+      - https://github.com/systemd/systemd/issues/4850
+      - https://github.com/systemd/systemd/issues/9769
+      - https://github.com/systemd/systemd/issues/9843
+      - https://github.com/systemd/systemd/issues/10184
+    */
+    "-Dsystem-uid-max=999"
+    "-Dsystem-gid-max=999"
+
+    "-Dsysvinit-path="
+    "-Dsysvrcnd-path="
+
+    "-Dkmod-path=${kmod}/bin/kmod"
+    "-Dsulogin-path=${util-linux}/bin/sulogin"
+    "-Dmount-path=${util-linux}/bin/mount"
+    "-Dumount-path=${util-linux}/bin/umount"
+    "-Dcreate-log-dirs=false"
+
+    # Use cgroupsv2. This is already the upstream default, but better be explicit.
+    "-Ddefault-hierarchy=unified"
+    # Upstream defaulted to disable manpages since they optimize for the much
+    # more frequent development builds
+    "-Dman=true"
+
+    "-Defi=${lib.boolToString withEfi}"
+    "-Dgnu-efi=${lib.boolToString withEfi}"
+  ] ++ lib.optionals withEfi [
+    "-Defi-libdir=${toString gnu-efi}/lib"
+    "-Defi-includedir=${toString gnu-efi}/include/efi"
+  ] ++ lib.optionals (withShellCompletions == false) [
+    "-Dbashcompletiondir=no"
+    "-Dzshcompletiondir=no"
+  ] ++ lib.optionals (!withNss) [
+    "-Dnss-myhostname=false"
+    "-Dnss-mymachines=false"
+    "-Dnss-resolve=false"
+    "-Dnss-systemd=false"
+  ] ++ lib.optionals withLibBPF [
+    "-Dbpf-framework=true"
+  ] ++ lib.optionals withTpm2Tss [
+    "-Dtpm2=true"
+  ] ++ lib.optionals stdenv.hostPlatform.isMusl [
+    "-Dgshadow=false"
+    "-Dutmp=false"
+    "-Didn=false"
+  ];
+  preConfigure =
+    let
+      # A list of all the runtime binaries that the systemd exectuables, tests and libraries are referencing in their source code, scripts and unit files.
+      # As soon as a dependency isn't required anymore we should remove it from the list. The `where` attribute for each of the replacement patterns must be exhaustive. If another (unhandled) case is found in the source code the build fails with an error message.
+      binaryReplacements = [
+        { search = "/usr/bin/getent"; replacement = "${getent}/bin/getent"; where = [ "src/nspawn/nspawn-setuid.c" ]; }
+
+        {
+          search = "/sbin/mkswap";
+          replacement = "${lib.getBin util-linux}/sbin/mkswap";
+          where = [
+            "man/systemd-makefs@.service.xml"
+          ];
+        }
+        { search = "/sbin/swapon"; replacement = "${lib.getBin util-linux}/sbin/swapon"; where = [ "src/core/swap.c" "src/basic/unit-def.h" ]; }
+        { search = "/sbin/swapoff"; replacement = "${lib.getBin util-linux}/sbin/swapoff"; where = [ "src/core/swap.c" ]; }
+        {
+          search = "/bin/echo";
+          replacement = "${coreutils}/bin/echo";
+          where = [
+            "man/systemd-analyze.xml"
+            "man/systemd.service.xml"
+            "src/analyze/test-verify.c"
+            "src/test/test-env-file.c"
+            "src/test/test-fileio.c"
+            "src/test/test-load-fragment.c"
+          ];
+        }
+        {
+          search = "/bin/cat";
+          replacement = "${coreutils}/bin/cat";
+          where = [ "test/create-busybox-container" "test/test-execute/exec-noexecpaths-simple.service" "src/journal/cat.c" ];
+        }
+        { search = "/sbin/modprobe"; replacement = "${lib.getBin kmod}/sbin/modprobe"; where = [ "units/modprobe@.service" ]; }
+        {
+          search = "/usr/lib/systemd/systemd-fsck";
+          replacement = "$out/lib/systemd/systemd-fsck";
+          where = [
+            "man/systemd-fsck@.service.xml"
+          ];
+        }
+      ] ++ lib.optionals withImportd [
+        {
+          search = "\"gpg\"";
+          replacement = "\\\"${gnupg}/bin/gpg\\\"";
+          where = [ "src/import/pull-common.c" ];
+        }
+        {
+          search = "\"tar\"";
+          replacement = "\\\"${gnutar}/bin/tar\\\"";
+          where = [
+            "src/import/export-tar.c"
+            "src/import/import-common.c"
+            "src/import/import-tar.c"
+          ];
+          ignore = [
+            # occurences here refer to the tar sub command
+            "src/sysupdate/sysupdate-resource.c"
+            "src/sysupdate/sysupdate-transfer.c"
+            "src/import/pull.c"
+            "src/import/export.c"
+            "src/import/import.c"
+            "src/import/importd.c"
+            # runs `tar` but also also creates a temporary directory with the string
+            "src/import/pull-tar.c"
+          ];
+        }
+      ];
+
+      # { replacement, search, where } -> List[str]
+      mkSubstitute = { replacement, search, where, ignore ? [] }:
+        map (path: "substituteInPlace ${path} --replace '${search}' \"${replacement}\"") where;
+      mkEnsureSubstituted = { replacement, search, where, ignore ? [] }:
+      let
+        ignore' = lib.concatStringsSep "|" (ignore ++ ["^test" "NEWS"]);
+      in ''
+        set +e
+        search=$(grep '${search}' -r | grep -v "${replacement}" | grep -Ev "${ignore'}")
+        set -e
+        if [[ -n "$search" ]]; then
+          echo "Not all references to '${search}' have been replaced. Found the following matches:"
+          echo "$search"
+          exit 1
+        fi
+      '';
+    in
+    ''
+      mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org")
+      export LC_ALL="en_US.UTF-8";
+
+      ${lib.concatStringsSep "\n" (lib.flatten (map mkSubstitute binaryReplacements))}
+      ${lib.concatMapStringsSep "\n" mkEnsureSubstituted binaryReplacements}
+
+      substituteInPlace src/libsystemd/sd-journal/catalog.c \
+        --replace /usr/lib/systemd/catalog/ $out/lib/systemd/catalog/
+
+      substituteInPlace src/import/pull-tar.c \
+        --replace 'wait_for_terminate_and_check("tar"' 'wait_for_terminate_and_check("${gnutar}/bin/tar"'
+    '';
+
+  # These defines are overridden by CFLAGS and would trigger annoying
+  # warning messages
+  postConfigure = ''
+    substituteInPlace config.h \
+      --replace "POLKIT_AGENT_BINARY_PATH" "_POLKIT_AGENT_BINARY_PATH" \
+      --replace "SYSTEMD_BINARY_PATH" "_SYSTEMD_BINARY_PATH" \
+      --replace "SYSTEMD_CGROUP_AGENTS_PATH" "_SYSTEMD_CGROUP_AGENT_PATH"
+  '';
+
+  NIX_CFLAGS_COMPILE = toString ([
+    # Can't say ${polkit.bin}/bin/pkttyagent here because that would
+    # lead to a cyclic dependency.
+    "-UPOLKIT_AGENT_BINARY_PATH"
+    "-DPOLKIT_AGENT_BINARY_PATH=\"/run/current-system/sw/bin/pkttyagent\""
+
+    # Set the release_agent on /sys/fs/cgroup/systemd to the
+    # currently running systemd (/run/current-system/systemd) so
+    # that we don't use an obsolete/garbage-collected release agent.
+    "-USYSTEMD_CGROUP_AGENTS_PATH"
+    "-DSYSTEMD_CGROUP_AGENTS_PATH=\"/run/current-system/systemd/lib/systemd/systemd-cgroups-agent\""
+
+    "-USYSTEMD_BINARY_PATH"
+    "-DSYSTEMD_BINARY_PATH=\"/run/current-system/systemd/lib/systemd/systemd\""
+
+  ] ++ lib.optionals stdenv.hostPlatform.isMusl [
+    "-D__UAPI_DEF_ETHHDR=0"
+  ]);
+
+  doCheck = false; # fails a bunch of tests
+
+  # trigger the test -n "$DESTDIR" || mutate in upstreams build system
+  preInstall = ''
+    export DESTDIR=/
+  '';
+
+  postInstall = ''
+    mkdir -p $out/example/systemd
+    mv $out/lib/{modules-load.d,binfmt.d,sysctl.d,tmpfiles.d} $out/example
+    mv $out/lib/systemd/{system,user} $out/example/systemd
+
+    rm -rf $out/etc/systemd/system
+
+    # Fix reference to /bin/false in the D-Bus services.
+    for i in $out/share/dbus-1/system-services/*.service; do
+      substituteInPlace $i --replace /bin/false ${coreutils}/bin/false
+    done
+
+    rm -rf $out/etc/rpm
+
+    # "kernel-install" shouldn't be used on NixOS.
+    find $out -name "*kernel-install*" -exec rm {} \;
+  '' + lib.optionalString (!withDocumentation) ''
+    rm -rf $out/share/doc
+  '';
+
+  # Avoid *.EFI binary stripping. At least on aarch64-linux strip
+  # removes too much from PE32+ files:
+  #   https://github.com/NixOS/nixpkgs/issues/169693
+  # The hack is to move EFI file out of lib/ before doStrip
+  # run and return it after doStrip run.
+  preFixup = lib.optionalString withEfi ''
+    mv $out/lib/systemd/boot/efi $out/dont-strip-me
+  '';
+  postFixup = lib.optionalString withEfi ''
+    mv $out/dont-strip-me $out/lib/systemd/boot/efi
+  '';
+
+  passthru = {
+    # The interface version prevents NixOS from switching to an
+    # incompatible systemd at runtime.  (Switching across reboots is
+    # fine, of course.)  It should be increased whenever systemd changes
+    # in a backwards-incompatible way.  If the interface version of two
+    # systemd builds is the same, then we can switch between them at
+    # runtime; otherwise we can't and we need to reboot.
+    interfaceVersion = 2;
+
+    inherit withCryptsetup withHostnamed withImportd withLocaled withMachined withTimedated util-linux kmod kbd;
+
+    tests = {
+      inherit (nixosTests) switchTest;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://www.freedesktop.org/wiki/Software/systemd/";
+    description = "A system and service manager for Linux";
+    license = licenses.lgpl21Plus;
+    platforms = platforms.linux;
+    # https://github.com/systemd/systemd/issues/20600#issuecomment-912338965
+    broken = stdenv.hostPlatform.isStatic;
+    priority = 10;
+    maintainers = with maintainers; [ flokli kloenk mic92 ];
+  };
+}
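Review bot: The leftover check at the end of `postPatch` (`grep -qr '"lib[a-zA-Z0-9-]*\.so[\.0-9a-zA-z]*"' src`) backs the claim that every dlopen(3) name is pinned to a store path or nuked, but its name class omits `_`, `+` and `.`. A string such as `"libfoo_bar.so.1"` (constructed example) would therefore pass unnoticed and still be resolved through the runtime linker search path. The suffix class `A-z` also looks like a typo for `A-Z`; I would use `'"lib[a-zA-Z0-9_+.-]*\.so[.0-9a-zA-Z]*"'` in both grep calls and in the comment that documents the command. Whether upstream currently ships such names is not visible here, so this hardens the check rather than fixing a known miss. Separately, `lib.optional withLibBPF [ … ]` in `nativeBuildInputs` wraps a list in a list; `lib.optionals` is what the `buildInputs` entry for the same flag uses.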
diff --git a/nixpkgs/pkgs/os-specific/linux/sysvinit/default.nix b/nixpkgs/pkgs/os-specific/linux/sysvinit/default.nix
new file mode 100644
index 000000000000..091584a93cf4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/sysvinit/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchurl, withoutInitTools ? false }:
+
+stdenv.mkDerivation rec {
+  pname = if withoutInitTools then "sysvtools" else "sysvinit";
+  version = "3.01";
+
+  src = fetchurl {
+    url = "mirror://savannah/sysvinit/sysvinit-${version}.tar.xz";
+    sha256 = "sha256-aLEaR3LNrM5ftlpMvq0ySizjmZ0Ti0/2HcLVnlfvV5M=";
+  };
+
+  prePatch = ''
+    # Patch some minimal hard references, so halt/shutdown work
+    sed -i -e "s,/sbin/,$out/sbin/," src/halt.c src/init.c src/paths.h
+  '';
+
+  makeFlags = [ "SULOGINLIBS=-lcrypt" "ROOT=$(out)" "MANDIR=/share/man" ];
+
+  preInstall =
+    ''
+      substituteInPlace src/Makefile --replace /usr /
+    '';
+
+  postInstall = ''
+    mv $out/sbin/killall5 $out/bin
+    ln -sf killall5 $out/bin/pidof
+  ''
+    + lib.optionalString withoutInitTools
+    ''
+      shopt -s extglob
+      rm -rf $out/sbin/!(sulogin)
+      rm -rf $out/include
+      rm -rf $out/share/man/man5
+      rm $(for i in $out/share/man/man8/*; do echo $i; done | grep -v 'pidof\|killall5')
+      rm $out/bin/wall $out/share/man/man1/wall.1
+    '';
+
+  meta = {
+    homepage = "https://www.nongnu.org/sysvinit/";
+    description = "Utilities related to booting and shutdown";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+  };
+}
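Review bot: The `sed` in `prePatch` has no `g` flag, so on any line of `src/halt.c`, `src/init.c` or `src/paths.h` that holds two `/sbin/` references only the first is rewritten and the second keeps pointing at a path outside the store. `sed -i -e "s,/sbin/,$out/sbin/,g"` covers that case, and sed does not rescan replaced text, so the inserted `$out/sbin/` is not matched again. Whether such a line exists in this version is not visible here.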
diff --git a/nixpkgs/pkgs/os-specific/linux/target-isns/default.nix b/nixpkgs/pkgs/os-specific/linux/target-isns/default.nix
new file mode 100644
index 000000000000..fdc0c52a0bf7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/target-isns/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, cmake, fetchFromGitHub, fetchpatch } :
+
+stdenv.mkDerivation rec {
+  pname = "target-isns";
+  version = "0.6.8";
+
+  src = fetchFromGitHub {
+    owner = "open-iscsi";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1b6jjalvvkkjyjbg1pcgk8vmvc6xzzksyjnh2pfi45bbpya4zxim";
+  };
+
+  patches = [
+    # fix absoulute paths
+    ./install_prefix_path.patch
+
+    # fix gcc 10 compiler warning, remove with next update
+    (fetchpatch {
+      url = "https://github.com/open-iscsi/target-isns/commit/3d0c47dd89bcf83d828bcc22ecaaa5f58d78b58e.patch";
+      sha256 = "1x2bkc1ff15621svhpq1r11m0q4ajv0j4fng6hm7wkkbr2s6d1vx";
+    })
+  ];
+
+  cmakeFlags = [ "-DSUPPORT_SYSTEMD=ON" ];
+
+  nativeBuildInputs = [ cmake ];
+
+  meta = with lib; {
+    description = "iSNS client for the Linux LIO iSCSI target";
+    homepage = "https://github.com/open-iscsi/target-isns";
+    maintainers = [ maintainers.markuskowa ];
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/target-isns/install_prefix_path.patch b/nixpkgs/pkgs/os-specific/linux/target-isns/install_prefix_path.patch
new file mode 100644
index 000000000000..f98fc21b7a24
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/target-isns/install_prefix_path.patch
@@ -0,0 +1,17 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index f46144d..aeac3e4 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -14,10 +14,10 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Werror")
+ option(SUPPORT_SYSTEMD "Support service control via systemd" OFF)
+
+ add_subdirectory(src)
+-install(FILES target-isns.conf DESTINATION /etc/)
++install(FILES target-isns.conf DESTINATION ${CMAKE_INSTALL_PREFIX}/etc/)
+ install(FILES target-isns.8 DESTINATION ${CMAKE_INSTALL_PREFIX}/share/man/man8/)
+ if (SUPPORT_SYSTEMD)
+-  install(FILES target-isns.service DESTINATION /usr/lib/systemd/system/)
++  install(FILES target-isns.service DESTINATION ${CMAKE_INSTALL_PREFIX}/lib/systemd/system/)
+ endif (SUPPORT_SYSTEMD)
+
+ add_subdirectory(tests)
diff --git a/nixpkgs/pkgs/os-specific/linux/targetcli/default.nix b/nixpkgs/pkgs/os-specific/linux/targetcli/default.nix
new file mode 100644
index 000000000000..f08ac284f23c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/targetcli/default.nix
@@ -0,0 +1,27 @@
+{ lib, python3, fetchFromGitHub }:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "targetcli";
+  version = "2.1.54";
+
+  src = fetchFromGitHub {
+    owner = "open-iscsi";
+    repo = "${pname}-fb";
+    rev = "v${version}";
+    sha256 = "1kbbvx0lba96ynr5iwws9jpi319m4rzph4bmcj7yfb37k8mi161v";
+  };
+
+  propagatedBuildInputs = with python3.pkgs; [ configshell rtslib ];
+
+  postInstall = ''
+    install -D targetcli.8 -t $out/share/man/man8/
+    install -D targetclid.8 -t $out/share/man/man8/
+  '';
+
+  meta = with lib; {
+    description = "A command shell for managing the Linux LIO kernel target";
+    homepage = "https://github.com/open-iscsi/targetcli-fb";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tbs/default.nix b/nixpkgs/pkgs/os-specific/linux/tbs/default.nix
new file mode 100644
index 000000000000..54268693454c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tbs/default.nix
@@ -0,0 +1,64 @@
+{ stdenv, lib, fetchFromGitHub, kernel, kmod, perl, patchutils, perlPackages }:
+let
+
+  media = fetchFromGitHub rec {
+    name = repo;
+    owner = "tbsdtv";
+    repo = "linux_media";
+    rev = "efe31531b77efd3a4c94516504a5823d31cdc776";
+    sha256 = "1533qi3sb91v00289hl5zaj4l35r2sf9fqc6z5ky1vbb7byxgnlr";
+  };
+
+  build = fetchFromGitHub rec {
+    name = repo;
+    owner = "tbsdtv";
+    repo = "media_build";
+    rev = "a0d62eba4d429e0e9d2c2f910fb203e817cac84b";
+    sha256 = "1329s7w9xlqjqwkpaqsd6b5dmzhm97jw0c7c7zzmmbdkl289i4i4";
+  };
+
+in stdenv.mkDerivation {
+  pname = "tbs";
+  version = "2018.04.18-${kernel.version}";
+
+  srcs = [ media build ];
+  sourceRoot = build.name;
+
+  preConfigure = ''
+    make dir DIR=../${media.name}
+  '';
+
+  postPatch = ''
+    patchShebangs .
+
+    sed -i v4l/Makefile \
+      -i v4l/scripts/make_makefile.pl \
+      -e 's,/sbin/depmod,${kmod}/bin/depmod,g' \
+      -e 's,/sbin/lsmod,${kmod}/bin/lsmod,g'
+
+    sed -i v4l/Makefile \
+      -e 's,^OUTDIR ?= /lib/modules,OUTDIR ?= ${kernel.dev}/lib/modules,' \
+      -e 's,^SRCDIR ?= /lib/modules,SRCDIR ?= ${kernel.dev}/lib/modules,'
+  '';
+
+  buildFlags = [ "VER=${kernel.modDirVersion}" ];
+  installFlags = [ "DESTDIR=$(out)" ];
+
+  hardeningDisable = [ "all" ];
+
+  nativeBuildInputs = [ patchutils kmod perl perlPackages.ProcProcessTable ]
+  ++ kernel.moduleBuildDependencies;
+
+   postInstall = ''
+    find $out/lib/modules/${kernel.modDirVersion} -name "*.ko" -exec xz {} \;
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.tbsdtv.com/";
+    description = "Linux driver for TBSDTV cards";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ ck3d ];
+    priority = -1;
+    broken = true;
+  };
+}
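Review bot: `hardeningDisable = [ "all" ];` turns off every hardening flag for this out-of-tree kernel module build, and nothing says which flag actually breaks it. Module builds often need only a subset disabled (commonly `[ "pic" ]`), so the list should be narrowed to the flags that fail. If a blanket opt-out is really needed, a comment such as `# kernel module build: userspace hardening flags break the kbuild compile` would keep it from being copied into userspace packages. `license = licenses.gpl2` is also ambiguous between only and or-later; other expressions in this tree use `gpl2Only` or `gpl2Plus`.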
diff --git a/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/cdecls.patch b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/cdecls.patch
new file mode 100644
index 000000000000..eee640e8a824
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/cdecls.patch
@@ -0,0 +1,31 @@
+__BEGIN_DECLS/__END_DECLS are BSD specific and not defined in musl
+glibc and uclibc had sys/cdefs.h doing it.
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Index: tcp_wrappers_7.6/tcpd.h
+===================================================================
+--- tcp_wrappers_7.6.orig/tcpd.h
++++ tcp_wrappers_7.6/tcpd.h
+@@ -11,7 +11,9 @@
+ #include <netinet/in.h>
+ #include <stdio.h>
+ 
+-__BEGIN_DECLS
++#ifdef __cplusplus
++extern "C" {
++#endif
+ 
+ /* Structure to describe one communications endpoint. */
+ 
+@@ -252,6 +254,8 @@ extern char *fix_strtok();
+ extern char *my_strtok();
+ #endif
+ 
+-__END_DECLS
++#ifdef __cplusplus
++}
++#endif
+ 
+ #endif
diff --git a/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/default.nix b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/default.nix
new file mode 100644
index 000000000000..92a6b328b2cc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/default.nix
@@ -0,0 +1,75 @@
+{ fetchurl, lib, stdenv, libnsl }:
+
+let
+  vanillaVersion = "7.6.q";
+  patchLevel = "26";
+in stdenv.mkDerivation rec {
+  pname = "tcp-wrappers";
+  version = "${vanillaVersion}-${patchLevel}";
+
+  src = fetchurl {
+    url = "mirror://debian/pool/main/t/tcp-wrappers/tcp-wrappers_${vanillaVersion}.orig.tar.gz";
+    sha256 = "0p9ilj4v96q32klavx0phw9va21fjp8vpk11nbh6v2ppxnnxfhwm";
+  };
+
+  debian = fetchurl {
+    url = "mirror://debian/pool/main/t/tcp-wrappers/tcp-wrappers_${version}.debian.tar.xz";
+    sha256 = "1dcdhi9lwzv7g19ggwxms2msq9fy14rl09rjqb10hwv0jix7z8j8";
+  };
+
+  prePatch = ''
+    tar -xaf $debian
+    patches="$(cat debian/patches/series | sed 's,^,debian/patches/,') $patches"
+
+    substituteInPlace Makefile --replace STRINGS STRINGDEFS
+    substituteInPlace debian/patches/13_shlib_weaksym --replace STRINGS STRINGDEFS
+  '';
+
+  # Fix __BEGIN_DECLS usage (even if it wasn't non-standard, this doesn't include sys/cdefs.h)
+  patches = [ ./cdecls.patch ];
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
+    substituteInPlace Makefile \
+      --replace '-DNETGROUP' '-DUSE_GETDOMAIN'
+  '';
+
+  buildInputs = [ libnsl ];
+
+  makeFlags = [ "REAL_DAEMON_DIR=$(out)/bin" "linux" "AR:=$(AR)" ];
+
+  installPhase = ''
+    mkdir -p "$out/bin"
+    cp -v safe_finger tcpd tcpdchk tcpdmatch try-from "$out/bin"
+
+    mkdir -p "$out/lib"
+    cp -v shared/lib*.so* "$out/lib"
+
+    mkdir -p "$out/include"
+    cp -v *.h "$out/include"
+
+    for i in 3 5 8;
+    do
+      mkdir -p "$out/man/man$i"
+      cp *.$i "$out/man/man$i" ;
+    done
+  '';
+
+  meta = {
+    description = "TCP Wrappers, a network logger, also known as TCPD or LOG_TCP";
+
+    longDescription = ''
+      Wietse Venema's network logger, also known as TCPD or LOG_TCP.
+      These programs log the client host name of incoming telnet, ftp,
+      rsh, rlogin, finger etc. requests.  Security options are: access
+      control per host, domain and/or service; detection of host name
+      spoofing or host address spoofing; booby traps to implement an
+      early-warning system.  The current version supports the System
+      V.4 TLI network programming interface (Solaris, DG/UX) in
+      addition to the traditional BSD sockets.
+    '';
+
+    homepage = "ftp://ftp.porcupine.org/pub/security/index.html";
+    license = "BSD-style";
+    platforms = lib.platforms.linux;
+  };
+}
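Review bot: `patches = [ ./cdecls.patch ];` is the only local patch applied, yet the same commit adds `tcp-wrappers-7.6-headers.patch` to this directory. Unless another expression references that file, it is never applied and will drift unreviewed; either drop it or add it to `patches` after checking that it applies on top of the Debian series and is itself correct. In `prePatch`, `tar -xaf $debian` should quote the variable as `"$debian"`. `license = "BSD-style"` is a free-form string, so licence-based filtering cannot classify this package; use a `lib.licenses` attribute if one matches.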
diff --git a/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/tcp-wrappers-7.6-headers.patch b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/tcp-wrappers-7.6-headers.patch
new file mode 100644
index 000000000000..328a4a102618
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tcp-wrappers/tcp-wrappers-7.6-headers.patch
@@ -0,0 +1,295 @@
+--- a/options.c
++++ b/options.c
+@@ -34,6 +34,8 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/param.h>
+ #include <sys/socket.h>
+--- a/safe_finger.c
++++ b/safe_finger.c
+@@ -20,6 +20,11 @@
+ 
+ /* System libraries */
+ 
++#include <unistd.h>
++#include <fcntl.h>
++#include <stdlib.h>
++#include <sys/wait.h>
++#include <grp.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <signal.h>
+@@ -27,7 +31,7 @@
+ #include <ctype.h>
+ #include <pwd.h>
+ 
+-extern void exit();
++int pipe_stdin(char **argv);
+ 
+ /* Local stuff */
+ 
+--- a/scaffold.c
++++ b/scaffold.c
+@@ -10,6 +10,7 @@
+ 
+ /* System libraries. */
+ 
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/socket.h>
+@@ -27,7 +27,4 @@
+ #endif
+ 
+-#ifndef INET6
+-extern char *malloc();
+-#endif
+ 
+ /* Application-specific. */
+--- a/shell_cmd.c
++++ b/shell_cmd.c
+@@ -14,6 +14,10 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
++#include <fcntl.h>
++#include <sys/wait.h>
+ #include <sys/types.h>
+ #include <sys/param.h>
+ #include <signal.h>
+@@ -25,8 +25,6 @@
+ #include <syslog.h>
+ #include <string.h>
+ 
+-extern void exit();
+-
+ /* Local stuff. */
+ 
+ #include "tcpd.h"
+--- a/tcpdchk.c
++++ b/tcpdchk.c
+@@ -20,6 +20,8 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #ifdef INET6
+@@ -35,10 +36,7 @@
+ #include <netdb.h>
+ #include <string.h>
+ 
+-extern int errno;
+-extern void exit();
+-extern int optind;
+-extern char *optarg;
++int cidr_mask_addr(char *str);
+ 
+ #ifndef INADDR_NONE
+ #define INADDR_NONE     (-1)		/* XXX should be 0xffffffff */
+--- a/clean_exit.c
++++ b/clean_exit.c
+@@ -13,8 +13,8 @@
+ #endif
+ 
+ #include <stdio.h>
+-
+-extern void exit();
++#include <unistd.h>
++#include <stdlib.h>
+ 
+ #include "tcpd.h"
+ 
+--- a/hosts_access.c
++++ b/hosts_access.c
+@@ -23,6 +23,7 @@
+ 
+ /* System libraries. */
+ 
++#include <stdlib.h>
+ #include <sys/types.h>
+ #ifdef INT32_T
+     typedef uint32_t u_int32_t;
+@@ -43,8 +44,8 @@
+ #include <netdb.h>
+ #endif
+ 
+-extern char *fgets();
+-extern int errno;
++static int match_pattern_ylo(const char *s, const char *pattern);
++int cidr_mask_addr(char *str);
+ 
+ #ifndef	INADDR_NONE
+ #define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+--- a/inetcf.c
++++ b/inetcf.c
+@@ -9,15 +9,14 @@
+ static char sccsid[] = "@(#) inetcf.c 1.7 97/02/12 02:13:23";
+ #endif
+ 
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <stdio.h>
+ #include <errno.h>
+ #include <string.h>
+ 
+-extern int errno;
+-extern void exit();
+-
++#include "scaffold.h"
+ #include "tcpd.h"
+ #include "inetcf.h"
+ 
+--- a/percent_x.c
++++ b/percent_x.c
+@@ -16,12 +16,12 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <string.h>
+ 
+-extern void exit();
+-
+ /* Local stuff. */
+ 
+ #include "tcpd.h"
+--- a/rfc931.c
++++ b/rfc931.c
+@@ -15,6 +15,7 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <sys/types.h>
+--- a/tcpd.c
++++ b/tcpd.c
+@@ -16,6 +16,7 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
+ #include <sys/types.h>
+ #include <sys/param.h>
+ #include <sys/stat.h>
+@@ -39,6 +39,8 @@
+ #include "patchlevel.h"
+ #include "tcpd.h"
+ 
++void fix_options(struct request_info *request);
++
+ int     allow_severity = SEVERITY;	/* run-time adjustable */
+ int     deny_severity = LOG_WARNING;	/* ditto */
+ 
+--- a/tcpdmatch.c
++++ b/tcpdmatch.c
+@@ -19,6 +19,8 @@
+ 
+ /* System libraries. */
+ 
++#include <unistd.h>
++#include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/socket.h>
+@@ -30,9 +32,6 @@
+ #include <setjmp.h>
+ #include <string.h>
+ 
+-extern void exit();
+-extern int optind;
+-extern char *optarg;
+ 
+ #ifndef	INADDR_NONE
+ #define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+--- a/update.c
++++ b/update.c
+@@ -19,6 +19,7 @@
+ 
+ /* System libraries */
+ 
++#include <unistd.h>
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <string.h>
+--- a/misc.c
++++ b/misc.c
+@@ -14,11 +14,10 @@
+ #include <arpa/inet.h>
+ #include <stdio.h>
+ #include <string.h>
++#include <stdlib.h>
+ 
+ #include "tcpd.h"
+ 
+-extern char *fgets();
+-
+ #ifndef	INADDR_NONE
+ #define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+ #endif
+--- a/fix_options.c
++++ b/fix_options.c
+@@ -32,6 +32,7 @@
+ 
+ /* fix_options - get rid of IP-level socket options */
+ 
++void
+ fix_options(request)
+ struct request_info *request;
+ {
+@@ -38,11 +38,8 @@
+ #ifdef IP_OPTIONS
+     unsigned char optbuf[BUFFER_SIZE / 3], *cp;
+     char    lbuf[BUFFER_SIZE], *lp;
+-#ifdef __GLIBC__
+-    size_t  optsize = sizeof(optbuf), ipproto;
+-#else
+-    int     optsize = sizeof(optbuf), ipproto;
+-#endif
++    socklen_t optsize = sizeof(optbuf);
++    int ipproto;
+     struct protoent *ip;
+     int     fd = request->fd;
+     unsigned int opt;
+--- a/socket.c
++++ b/socket.c
+@@ -95,11 +95,7 @@
+     static struct sockaddr_in client;
+     static struct sockaddr_in server;
+ #endif
+-#ifdef __GLIBC__
+-    size_t  len;
+-#else
+-    int     len;
+-#endif
++    socklen_t len;
+     char    buf[BUFSIZ];
+     int     fd = request->fd;
+ 
+@@ -430,11 +426,7 @@
+ #else
+     struct sockaddr_in sin;
+ #endif
+-#ifdef __GLIBC__
+-    size_t  size = sizeof(sin);
+-#else
+-    int     size = sizeof(sin);
+-#endif
++    socklen_t size;
+ 
+     /*
+      * Eat up the not-yet received datagram. Some systems insist on a
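Review bot: The last socket.c hunk (`@@ -430,11 +426,7 @@`) replaces `size_t size = sizeof(sin);` / `int size = sizeof(sin);` with `socklen_t size;`, which drops the initialiser. The function body continues outside the hunk, but the comment that follows describes receiving a datagram. If `&size` is then passed as the value-result address length without being assigned first, the call sees an indeterminate length. The line should read `socklen_t size = sizeof(sin);`, the same way the fix_options.c hunk keeps `socklen_t optsize = sizeof(optbuf);`. The earlier `socklen_t len;` in socket.c replaces declarations that had no initialiser to begin with, so it is not affected.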
diff --git a/nixpkgs/pkgs/os-specific/linux/teck-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/teck-udev-rules/default.nix
new file mode 100644
index 000000000000..eec5eac344ef
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/teck-udev-rules/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, teck-programmer }:
+
+stdenv.mkDerivation {
+  pname = "teck-udev-rules";
+  version = lib.getVersion teck-programmer;
+
+  inherit (teck-programmer) src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    install 40-teck.rules -D -t $out/etc/udev/rules.d/
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "udev rules for TECK keyboards";
+    inherit (teck-programmer.meta) license;
+    maintainers = [ lib.maintainers.lourkeur ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/default.nix
new file mode 100644
index 000000000000..e3d50eee5f67
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, coreutils }:
+
+stdenv.mkDerivation {
+  pname = "teensy-udev-rules";
+  version = "2022-05-15";
+
+  # Source: https://www.pjrc.com/teensy/00-teensy.rules
+  src = ./teensy.rules;
+
+  dontUnpack = true;
+
+  runtimeDeps = [ coreutils ];
+
+  installPhase = ''
+    install -D $src $out/etc/udev/rules.d/70-teensy.rules
+    substituteInPlace $out/etc/udev/rules.d/70-teensy.rules \
+      --replace "/bin/stty" "${coreutils}/bin/stty"
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.pjrc.com/teensy/00-teensy.rules";
+    description = ''
+      udev rules that give non-root users permission to communicate with the
+      Teensy family of microcontrolers.
+
+      ModemManager (part of NetworkManager) can interfere with USB Serial
+      devices, which includes the Teensy.  See comments in the .rules file (or
+      this package's homepage) for possible workarounds.
+    '';
+    platforms = platforms.linux;
+    license = "unknown";
+    maintainers = with maintainers; [ aidalgol ];
+  };
+}
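Review bot: The install phase ships the upstream rules unchanged apart from the `stty` path, so every matching `ttyACM*`, `hidraw*` and USB node for vendors `16c0` and `1fc9` gets `MODE:="0666"`. That makes the nodes readable and writable by every local account and service. The rules file's own closing comment recommends `OWNER:=` or `GROUP:=` on shared systems. The package could apply that at install time with an extra `--replace 'MODE:="0666"' 'TAG+="uaccess"'`, which limits access to the user on the active seat (confirm that the `70-` prefix sorts early enough for `uaccess` to take effect). At minimum, `meta.description` should state that the default is world-writable. Separately, `runtimeDeps` does not appear to be an attribute stdenv consumes; the store reference already comes from the substituted `stty` path, so the line can probably be removed.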
diff --git a/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/teensy.rules b/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/teensy.rules
new file mode 100644
index 000000000000..0a921a507af6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/teensy-udev-rules/teensy.rules
@@ -0,0 +1,39 @@
+# UDEV Rules for Teensy boards, http://www.pjrc.com/teensy/
+#
+# The latest version of this file may be found at:
+#   http://www.pjrc.com/teensy/00-teensy.rules
+#
+# This file must be placed at:
+#
+# /etc/udev/rules.d/00-teensy.rules    (preferred location)
+#   or
+# /lib/udev/rules.d/00-teensy.rules    (req'd on some broken systems)
+#
+# To install, type this command in a terminal:
+#   sudo cp 00-teensy.rules /etc/udev/rules.d/00-teensy.rules
+#
+# After this file is installed, physically unplug and reconnect Teensy.
+#
+ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04*", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_PORT_IGNORE}="1"
+ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789a]*", ENV{MTP_NO_PROBE}="1"
+KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04*", MODE:="0666", RUN:="/bin/stty -F /dev/%k raw -echo"
+KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04*", MODE:="0666"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04*", MODE:="0666"
+KERNEL=="hidraw*", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="013*", MODE:="0666"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="013*", MODE:="0666"
+
+#
+# If you share your linux system with other users, or just don't like the
+# idea of write permission for everybody, you can replace MODE:="0666" with
+# OWNER:="yourusername" to create the device owned by you, or with
+# GROUP:="somegroupname" and mange access using standard unix groups.
+#
+# ModemManager tends to interfere with USB Serial devices like Teensy.
+# Problems manifest as the Arduino Serial Monitor missing some incoming
+# data, and "Unable to open /dev/ttyACM0 for reboot request" when
+# uploading.  If you experience these problems, disable or remove
+# ModemManager from your system.  If you must use a modem, perhaps
+# try disabling the "MM_FILTER_RULE_TTY_ACM_INTERFACE" ModemManager
+# rule.  Changing ModemManager's filter policy from "strict" to "default"
+# may also help.  But if you don't use a modem, completely removing
+# the troublesome ModemManager is the most effective solution.
diff --git a/nixpkgs/pkgs/os-specific/linux/thunderbolt/default.nix b/nixpkgs/pkgs/os-specific/linux/thunderbolt/default.nix
new file mode 100644
index 000000000000..e532f9965aa8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/thunderbolt/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv
+, boost
+, cmake
+, fetchFromGitHub
+, pkg-config
+, txt2tags
+}:
+
+stdenv.mkDerivation rec {
+  pname = "thunderbolt";
+  version = "0.9.3";
+  src = fetchFromGitHub {
+    owner = "01org";
+    repo = "thunderbolt-software-user-space";
+    rev = "v${version}";
+    sha256 = "02w1bfm7xvq0dzkhwqiq0camkzz9kvciyhnsis61c8vzp39cwx0x";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config txt2tags ];
+  buildInputs = [ boost ];
+
+  cmakeFlags = [
+    "-DUDEV_BIN_DIR=${placeholder "out"}/bin"
+    "-DUDEV_RULES_DIR=${placeholder "out"}/etc/udev/rules.d"
+  ];
+
+  meta = {
+    description = "Thunderbolt(TM) user-space components";
+    license = lib.licenses.bsd3;
+    maintainers = [ lib.maintainers.ryantrinkle ];
+    homepage = "https://01.org/thunderbolt-sw";
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tinyalsa/default.nix b/nixpkgs/pkgs/os-specific/linux/tinyalsa/default.nix
new file mode 100644
index 000000000000..45d9191eea08
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tinyalsa/default.nix
@@ -0,0 +1,37 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tinyalsa";
+  version = "unstable-2022-06-05";
+
+  src = fetchFromGitHub {
+    owner = "tinyalsa";
+    repo = "tinyalsa";
+    rev = "3d70d227e7dfd1be6f8f420a5aae164a2b4126e0";
+    hash = "sha256-RHeF3VShy+LYFtJK+AEU7swIr5/rnpg2fdllnH9cFCk=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+  ];
+
+  cmakeFlags = [
+    "-DTINYALSA_USES_PLUGINS=ON"
+  ];
+
+  NIX_CFLAGS_COMPILE = toString [
+    "-Wno-error=sign-compare"
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/tinyalsa/tinyalsa";
+    description = "Tiny library to interface with ALSA in the Linux kernel";
+    license = licenses.mit;
+    maintainers = with maintainers; [ AndersonTorres ];
+    platforms = with platforms; linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tiptop/default.nix b/nixpkgs/pkgs/os-specific/linux/tiptop/default.nix
new file mode 100644
index 000000000000..7e88e1b14b52
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiptop/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchurl, fetchpatch, libxml2, ncurses, bison, flex }:
+
+stdenv.mkDerivation rec {
+  pname = "tiptop";
+  version = "2.3.1";
+
+  src = fetchurl {
+    url = "${meta.homepage}/releases/${pname}-${version}.tar.gz";
+    sha256 = "10j1138y3cj3hsmfz4w0bmk90523b0prqwi9nhb4z8xvjnf49i2i";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "reproducibility.patch";
+      url = "https://salsa.debian.org/debian/tiptop/raw/debian/2.3.1-1/debian/patches/0001-fix-reproducibility-of-build-process.patch";
+      sha256 = "116l7n3nl9lj691i7j8x0d0za1i6zpqgghw5d70qfpb17c04cblp";
+    })
+
+    # Pull upstream patch for ncurses-6.3
+    (fetchpatch {
+      name = "ncurses-6.3.patch";
+      url = "https://gitlab.inria.fr/rohou/tiptop/-/commit/a78234c27fdd62fed09430d998950e49e11a1832.patch";
+      sha256 = "1k55agdri7iw3gwm4snj3ps62qzmxlqr6s0868l8qamjw38z9g00";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace ./configure --replace -lcurses -lncurses
+  '';
+
+  nativeBuildInputs = [ flex bison ];
+  buildInputs = [ libxml2 ncurses ];
+
+  NIX_CFLAGS_COMPILE = "-I${libxml2.dev}/include/libxml2";
+
+  meta = with lib; {
+    description = "Performance monitoring tool for Linux";
+    homepage = "http://tiptop.gforge.inria.fr";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = [ ];
+  };
+}
+
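Review bot: `url = "${meta.homepage}/releases/${pname}-${version}.tar.gz"` makes the fetch location depend on `meta.homepage`, which is a plain `http://` address. The `sha256` keeps the content pinned, so integrity is not at risk, but changing the homepage (for example to an HTTPS or relocated site) would silently change where the source is downloaded from. Spelling the release URL out in `src` decouples the two. `license = licenses.gpl2` is also ambiguous between only and or-later.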
diff --git a/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-cmake-find-aravis-fix-pkg-cfg-include-dirs.patch b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-cmake-find-aravis-fix-pkg-cfg-include-dirs.patch
new file mode 100644
index 000000000000..0e9821467850
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-cmake-find-aravis-fix-pkg-cfg-include-dirs.patch
@@ -0,0 +1,25 @@
+From 90b540bd135de2587352719b14c385b20aa572be Mon Sep 17 00:00:00 2001
+From: Raymond Gauthier <jraygauthier@gmail.com>
+Date: Wed, 15 Jun 2022 16:09:58 -0400
+Subject: [PATCH] cmake-find-aravis: fix pkg cfg include dirs
+
+---
+ cmake/modules/FindAravis.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmake/modules/FindAravis.cmake b/cmake/modules/FindAravis.cmake
+index 5dab5431..811302b9 100644
+--- a/cmake/modules/FindAravis.cmake
++++ b/cmake/modules/FindAravis.cmake
+@@ -20,7 +20,7 @@ find_path(aravis_INCLUDE_DIR
+ 	arv.h
+ 	PATHS
+ 	${aravis_PKGCONF_INCLUDE_DIRS}
+-	${aravis0_6_PKGCONF_INCLUDE_DIRS}
++	${aravis0_8_PKGCONF_INCLUDE_DIRS}
+ 	/usr/local/include
+ 	# /usr/local/include/aravis-0.4
+ 	/usr/local/include/aravis-0.8
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-tcamconvert-tcamsrc-add-missing-include-lib-dirs.patch b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-tcamconvert-tcamsrc-add-missing-include-lib-dirs.patch
new file mode 100644
index 000000000000..3d1e5503bcd3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-tcamconvert-tcamsrc-add-missing-include-lib-dirs.patch
@@ -0,0 +1,70 @@
+From 5e7146e176cb1b01b47d16a66763469dccd87f25 Mon Sep 17 00:00:00 2001
+From: Raymond Gauthier <jraygauthier@gmail.com>
+Date: Thu, 9 Jun 2022 19:45:30 -0400
+Subject: [PATCH] tcamconvert&tcamsrc: add missing include/lib dirs
+
+These were building libraries with dependencies on gstreamer-video
+and gstreamer-base but weren't adding the proper include and
+lib directories which resulted in build failure on systems
+where video and base aren't installed in the same location
+as gstreamer itself (e.g: nix, nixos).
+---
+ src/gstreamer-1.0/tcamconvert/CMakeLists.txt |  2 ++
+ src/gstreamer-1.0/tcamsrc/CMakeLists.txt     | 11 +++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/gstreamer-1.0/tcamconvert/CMakeLists.txt b/src/gstreamer-1.0/tcamconvert/CMakeLists.txt
+index 30563c38..066cb5d7 100644
+--- a/src/gstreamer-1.0/tcamconvert/CMakeLists.txt
++++ b/src/gstreamer-1.0/tcamconvert/CMakeLists.txt
+@@ -28,6 +28,8 @@ add_library(tcamconvert SHARED
+ target_include_directories(tcamconvert
+   PRIVATE
+   ${GSTREAMER_INCLUDE_DIRS}
++  ${GSTREAMER_BASE_INCLUDE_DIRS}
++  ${GSTREAMER_VIDEO_INCLUDE_DIRS}
+   )
+ 
+ set_project_warnings(tcamconvert)
+diff --git a/src/gstreamer-1.0/tcamsrc/CMakeLists.txt b/src/gstreamer-1.0/tcamsrc/CMakeLists.txt
+index 3bc7ed97..ed5be37f 100644
+--- a/src/gstreamer-1.0/tcamsrc/CMakeLists.txt
++++ b/src/gstreamer-1.0/tcamsrc/CMakeLists.txt
+@@ -21,12 +21,15 @@ add_library(gsttcamstatistics SHARED
+ target_include_directories(gsttcamstatistics
+   PRIVATE
+   ${GSTREAMER_INCLUDE_DIRS}
++  ${GSTREAMER_BASE_INCLUDE_DIRS}
++  ${GSTREAMER_VIDEO_INCLUDE_DIRS}
+   )
+ 
+ target_link_libraries( gsttcamstatistics
+   PRIVATE
+   ${GSTREAMER_LIBRARIES}
+   ${GSTREAMER_BASE_LIBRARIES}
++  ${GSTREAMER_VIDEO_LIBRARIES}
+   )
+ 
+ 
+@@ -53,10 +56,18 @@ add_library(gsttcamsrc SHARED
+ 	tcambind.cpp
+     )
+ 
++  target_include_directories(gsttcamsrc
++    PRIVATE
++    ${GSTREAMER_INCLUDE_DIRS}
++    ${GSTREAMER_BASE_INCLUDE_DIRS}
++    ${GSTREAMER_VIDEO_INCLUDE_DIRS}
++    )
++
+   target_link_libraries( gsttcamsrc
+     PRIVATE
+ 	${GSTREAMER_LIBRARIES}
+ 	${GSTREAMER_BASE_LIBRARIES}
++    ${GSTREAMER_VIDEO_LIBRARIES}
+ 
+ 	tcamgstbase
+ 	tcam::gst-helper
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-udev-rules-fix-install-location.patch b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-udev-rules-fix-install-location.patch
new file mode 100644
index 000000000000..9b373516aa9b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiscamera/0001-udev-rules-fix-install-location.patch
@@ -0,0 +1,25 @@
+From fdbc0b74812b9afd663226715375b5688e5408b5 Mon Sep 17 00:00:00 2001
+From: Raymond Gauthier <jraygauthier@gmail.com>
+Date: Thu, 9 Jun 2022 20:23:02 -0400
+Subject: [PATCH] udev/rules: fix install location
+
+---
+ CMakeInstall.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CMakeInstall.cmake b/CMakeInstall.cmake
+index 4773091f..962c9b09 100644
+--- a/CMakeInstall.cmake
++++ b/CMakeInstall.cmake
+@@ -92,7 +92,7 @@ else()
+ 
+   else()
+ 
+-    set(TCAM_INSTALL_UDEV "${CMAKE_INSTALL_PREFIX}/udev/rules.d" CACHE PATH "udev rules installation path" FORCE)
++    set(TCAM_INSTALL_UDEV "${CMAKE_INSTALL_PREFIX}/lib/udev/rules.d" CACHE PATH "udev rules installation path" FORCE)
+     set(TCAM_INSTALL_SYSTEMD "${CMAKE_INSTALL_PREFIX}/lib/systemd/system/" CACHE PATH "systemd unit installation path" FORCE)
+ 
+     set(TCAM_INSTALL_PKGCONFIG "${CMAKE_INSTALL_PREFIX}/lib/pkgconfig" CACHE PATH "pkgconfig installation path" FORCE)
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/tiscamera/default.nix b/nixpkgs/pkgs/os-specific/linux/tiscamera/default.nix
new file mode 100644
index 000000000000..5ef0b0b0ea7f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tiscamera/default.nix
@@ -0,0 +1,138 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, pkg-config
+, runtimeShell
+, catch2
+, elfutils
+, libselinux
+, libsepol
+, libunwind
+, libusb1
+, libuuid
+, libzip
+, orc
+, pcre
+, zstd
+, glib
+, gobject-introspection
+, gst_all_1
+, wrapGAppsHook
+, withDoc ? true
+, sphinx
+, graphviz
+, withAravis ? true
+, aravis
+, meson
+, withAravisUsbVision ? withAravis
+, withGui ? true
+, qt5
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tiscamera";
+  version = "1.0.0";
+
+  src = fetchFromGitHub {
+    owner = "TheImagingSource";
+    repo = pname;
+    rev = "v-${pname}-${version}";
+    sha256 = "0msz33wvqrji11kszdswcvljqnjflmjpk0aqzmsv6i855y8xn6cd";
+  };
+
+  patches = [
+    ./0001-tcamconvert-tcamsrc-add-missing-include-lib-dirs.patch
+    ./0001-udev-rules-fix-install-location.patch
+    ./0001-cmake-find-aravis-fix-pkg-cfg-include-dirs.patch
+  ];
+
+  postPatch = ''
+    cp ${catch2}/include/catch2/catch.hpp external/catch/catch.hpp
+
+    substituteInPlace ./data/udev/80-theimagingsource-cameras.rules.in \
+      --replace "/bin/sh" "${runtimeShell}/bin/sh" \
+      --replace "typically /usr/bin/" "" \
+      --replace "typically /usr/share/theimagingsource/tiscamera/uvc-extension/" ""
+  '';
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    wrapGAppsHook
+  ] ++ lib.optionals withDoc [
+    sphinx
+    graphviz
+  ] ++ lib.optionals withAravis [
+    meson
+  ] ++ lib.optionals withGui [
+    qt5.wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    elfutils
+    libselinux
+    libsepol
+    libunwind
+    libusb1
+    libuuid
+    libzip
+    orc
+    pcre
+    zstd
+    glib
+    gobject-introspection
+    gst_all_1.gstreamer
+    gst_all_1.gst-plugins-base
+    gst_all_1.gst-plugins-good
+    gst_all_1.gst-plugins-bad
+    gst_all_1.gst-plugins-ugly
+  ] ++ lib.optionals withAravis [
+    aravis
+  ] ++ lib.optionals withGui [
+    qt5.qtbase
+  ];
+
+  hardeningDisable = [ "format" ];
+
+  cmakeFlags = [
+    "-DTCAM_BUILD_GST_1_0=ON"
+    "-DTCAM_BUILD_TOOLS=ON"
+    "-DTCAM_BUILD_V4L2=ON"
+    "-DTCAM_BUILD_LIBUSB=ON"
+    "-DTCAM_BUILD_TESTS=ON"
+    "-DTCAM_BUILD_ARAVIS=${if withAravis then "ON" else "OFF"}"
+    "-DTCAM_BUILD_DOCUMENTATION=${if withDoc then "ON" else "OFF"}"
+    "-DTCAM_BUILD_WITH_GUI=${if withGui then "ON" else "OFF"}"
+    "-DTCAM_DOWNLOAD_MESON=OFF"
+    "-DTCAM_INTERNAL_ARAVIS=OFF"
+    "-DTCAM_ARAVIS_USB_VISION=${if withAravis && withAravisUsbVision then "ON" else "OFF"}"
+    "-DTCAM_INSTALL_FORCE_PREFIX=ON"
+  ];
+
+  doCheck = true;
+
+  # gstreamer tests requires, besides gst-plugins-bad, plugins installed by this expression.
+  checkPhase = "ctest --force-new-ctest-process -E gstreamer";
+
+  # wrapGAppsHook: make sure we add ourselves to the introspection
+  # and gstreamer paths.
+  GI_TYPELIB_PATH = "${placeholder "out"}/lib/girepository-1.0";
+  GST_PLUGIN_SYSTEM_PATH_1_0 = "${placeholder "out"}/lib/gstreamer-1.0";
+
+  QT_PLUGIN_PATH = lib.optionalString withGui "${qt5.qtbase.bin}/${qt5.qtbase.qtPluginPrefix}";
+
+  dontWrapQtApps = true;
+
+  preFixup = ''
+    gappsWrapperArgs+=("''${qtWrapperArgs[@]}")
+  '';
+
+  meta = with lib; {
+    description = "The Linux sources and UVC firmwares for The Imaging Source cameras";
+    homepage = "https://github.com/TheImagingSource/tiscamera";
+    license = with licenses; [ asl20 ];
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ jraygauthier ];
+  };
+}
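Review bot: In `postPatch`, `--replace "/bin/sh" "${runtimeShell}/bin/sh"` appends `/bin/sh` to `runtimeShell`, which in nixpkgs is already the full path of the shell executable rather than a package prefix. If so, the installed udev rule points at a path that does not exist and its command never runs. The replacement should be `--replace "/bin/sh" "${runtimeShell}"`. `hardeningDisable = [ "format" ]` also needs a one-line comment naming the compile error it works around, so it can be removed once upstream fixes the format strings.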
diff --git a/nixpkgs/pkgs/os-specific/linux/tmon/default.nix b/nixpkgs/pkgs/os-specific/linux/tmon/default.nix
new file mode 100644
index 000000000000..3a2697e0a712
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tmon/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, kernel, ncurses }:
+
+stdenv.mkDerivation {
+  pname = "tmon";
+  version = kernel.version;
+
+  inherit (kernel) src;
+
+  buildInputs = [ ncurses ];
+
+  configurePhase = ''
+    cd tools/thermal/tmon
+  '';
+
+  makeFlags = kernel.makeFlags ++ [ "INSTALL_ROOT=\"$(out)\"" "BINDIR=bin" ];
+  NIX_CFLAGS_LINK = "-lgcc_s";
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Monitoring and Testing Tool for Linux kernel thermal subsystem";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tomb/default.nix b/nixpkgs/pkgs/os-specific/linux/tomb/default.nix
new file mode 100644
index 000000000000..af04476aa1d0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tomb/default.nix
@@ -0,0 +1,44 @@
+{ stdenv, lib, fetchFromGitHub, makeWrapper
+, gettext, zsh, pinentry, cryptsetup, gnupg, util-linux, e2fsprogs, sudo
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tomb";
+  version = "2.9";
+
+  src = fetchFromGitHub {
+    owner  = "dyne";
+    repo   = "Tomb";
+    rev    = "v${version}";
+    sha256 = "0d6vmfcf4kd0p2bcljmdnyc2fmbwvar81cc472zx86r7yc3ih102";
+  };
+
+  buildInputs = [ sudo zsh pinentry ];
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  postPatch = ''
+    # if not, it shows .tomb-wrapped when running
+    substituteInPlace tomb \
+      --replace 'TOMBEXEC=$0' 'TOMBEXEC=tomb'
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = "$out/bin/tomb -h";
+
+  installPhase = ''
+    install -Dm755 tomb       $out/bin/tomb
+    install -Dm644 doc/tomb.1 $out/share/man/man1/tomb.1
+
+    wrapProgram $out/bin/tomb \
+      --prefix PATH : $out/bin:${lib.makeBinPath [ cryptsetup gettext gnupg pinentry util-linux e2fsprogs ]}
+  '';
+
+  meta = with lib; {
+    description = "File encryption on GNU/Linux";
+    homepage    = "https://www.dyne.org/software/tomb/";
+    license     = licenses.gpl3;
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms   = platforms.linux;
+  };
+}
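Review bot: The wrapper created by `wrapProgram $out/bin/tomb` only prepends to PATH (`--prefix`), so any helper missing from the `makeBinPath` list is still resolved from the caller's environment. `sudo` is in `buildInputs` but not in that list, so the wrapped script finds it through the ambient PATH. If that is deliberate (a store-path sudo cannot carry a setuid bit, so the system's wrapper has to be used), record it next to the wrapper, e.g. `# sudo is intentionally left to the caller's PATH: it must be the system's setuid wrapper`. `installCheckPhase` is also given as a bare string, so `preInstallCheck`/`postInstallCheck` hooks do not run.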
diff --git a/nixpkgs/pkgs/os-specific/linux/tp_smapi/default.nix b/nixpkgs/pkgs/os-specific/linux/tp_smapi/default.nix
new file mode 100644
index 000000000000..d9b4333d2490
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tp_smapi/default.nix
@@ -0,0 +1,48 @@
+{ stdenv, lib, fetchFromGitHub, kernel, writeScript, coreutils, gnugrep, jq, curl, common-updater-scripts, runtimeShell
+}:
+
+stdenv.mkDerivation rec {
+  name = "tp_smapi-${version}-${kernel.version}";
+  version = "0.43";
+
+  src = fetchFromGitHub {
+    owner = "evgeni";
+    repo = "tp_smapi";
+    rev = "tp-smapi/${version}";
+    sha256 = "1rjb0njckczc2mj05cagvj0lkyvmyk6bw7wkiinv81lw8m90g77g";
+    name = "tp-smapi-${version}";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = [
+    "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
+    "SHELL=${stdenv.shell}"
+    "HDAPS=1"
+  ];
+
+  installPhase = ''
+    install -v -D -m 644 thinkpad_ec.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/firmware/thinkpad_ec.ko"
+    install -v -D -m 644 tp_smapi.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/firmware/tp_smapi.ko"
+    install -v -D -m 644 hdaps.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/firmware/hdapsd.ko"
+  '';
+
+  dontStrip = true;
+
+  enableParallelBuilding = true;
+
+  passthru.updateScript = import ./update.nix {
+    inherit lib writeScript coreutils gnugrep jq curl common-updater-scripts runtimeShell;
+  };
+
+  meta = {
+    description = "IBM ThinkPad hardware functions driver";
+    homepage = "https://github.com/evgeni/tp_smapi";
+    license = lib.licenses.gpl2;
+    maintainers = [ ];
+    # driver is only ment for linux thinkpads i think  bellow platforms should cover it.
+    platforms = [ "x86_64-linux" "i686-linux" ];
+  };
+}
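Review bot: The third `install` line in `installPhase` copies `hdaps.ko` to a destination named `hdapsd.ko`, whereas the two lines above keep each module's file name. If the rename is not intentional, the module is likely to be indexed under a name that does not match what was built; consider `install -v -D -m 644 hdaps.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/firmware/hdaps.ko"`, or add a comment explaining the different name. The comment above `platforms` would also read better as `# driver is only meant for Linux ThinkPads; the platforms below should cover it`.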
diff --git a/nixpkgs/pkgs/os-specific/linux/tp_smapi/update.nix b/nixpkgs/pkgs/os-specific/linux/tp_smapi/update.nix
new file mode 100644
index 000000000000..65b557e45457
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tp_smapi/update.nix
@@ -0,0 +1,11 @@
+{ lib, writeScript, coreutils, curl, gnugrep, jq, common-updater-scripts, runtimeShell }:
+
+writeScript "update-tp_smapi" ''
+#!${runtimeShell}
+PATH=${lib.makeBinPath [ common-updater-scripts coreutils curl gnugrep jq ]}
+
+tags=`curl -s https://api.github.com/repos/evgeni/tp_smapi/tags`
+latest_tag=`echo $tags | jq -r '.[] | .name' | grep -oP "^tp-smapi/\K.*" | sort --version-sort | tail -1`
+
+update-source-version linuxPackages.tp_smapi "$latest_tag"
+''
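Review bot: The updater has no error handling between the GitHub API call and `update-source-version`. `curl -s` does not fail on an HTTP error such as a rate-limit response, `$tags` is echoed unquoted, and an empty `latest_tag` is still passed on as the new version. Starting the script with `set -euo pipefail`, using `curl -sf`, and quoting the expansion (`echo "$tags" | jq -r '.[] | .name'`) would make a bad or empty response abort the run instead of rewriting the package.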
diff --git a/nixpkgs/pkgs/os-specific/linux/tpacpi-bat/default.nix b/nixpkgs/pkgs/os-specific/linux/tpacpi-bat/default.nix
new file mode 100644
index 000000000000..5512eed63abb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tpacpi-bat/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub, perl, kmod, coreutils }:
+
+# Requires the acpi_call kernel module in order to run.
+stdenv.mkDerivation rec {
+  pname = "tpacpi-bat";
+  version = "3.1";
+
+  src = fetchFromGitHub {
+    owner = "teleshoes";
+    repo = "tpacpi-bat";
+    rev = "v${version}";
+    sha256 = "0wbaz34z99gqx721alh5vmpxpj2yxg3x9m8jqyivfi1wfpwc2nd5";
+  };
+
+  buildInputs = [ perl ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp tpacpi-bat $out/bin
+  '';
+
+  postPatch = ''
+    substituteInPlace tpacpi-bat \
+      --replace modprobe ${kmod}/bin/modprobe \
+      --replace cat ${coreutils}/bin/cat
+  '';
+
+  meta = {
+    maintainers = [lib.maintainers.orbekk];
+    platforms = lib.platforms.linux;
+    description = "Tool to set battery charging thesholds on Lenovo Thinkpad";
+    license = lib.licenses.gpl3Plus;
+  };
+}
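Review bot: In `postPatch`, `--replace cat ${coreutils}/bin/cat` matches the bare substring `cat`, so any identifier, message or comment in the script containing those letters is rewritten too; `--replace modprobe ${kmod}/bin/modprobe` has the same shape. The script is not part of this hunk, so whether anything is corrupted today cannot be confirmed from here, but anchoring each pattern to the full invocation as it appears in the script would be safer. The top comment `# Requires the acpi_call kernel module in order to run.` would also be more visible to users in `meta.longDescription`.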
diff --git a/nixpkgs/pkgs/os-specific/linux/trace-cmd/default.nix b/nixpkgs/pkgs/os-specific/linux/trace-cmd/default.nix
new file mode 100644
index 000000000000..0bf5a8e2adb0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trace-cmd/default.nix
@@ -0,0 +1,63 @@
+{ lib, stdenv, fetchgit, pkg-config, asciidoc, xmlto, docbook_xsl, docbook_xml_dtd_45, libxslt, libtraceevent, libtracefs, zstd, sourceHighlight }:
+stdenv.mkDerivation rec {
+  pname = "trace-cmd";
+  version = "3.1.1";
+
+  src = fetchgit {
+    url    = "git://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/";
+    rev    = "trace-cmd-v${version}";
+    sha256 = "sha256-zYw6DObwmroAU3ikUNo9XrwQeDlyLppe7E63WFjn44Q=";
+  };
+
+  # Don't build and install html documentation
+  postPatch = ''
+    sed -i -e '/^all:/ s/html//' -e '/^install:/ s/install-html//' \
+       Documentation{,/trace-cmd,/libtracecmd}/Makefile
+  '';
+
+  nativeBuildInputs = [ asciidoc libxslt pkg-config xmlto docbook_xsl docbook_xml_dtd_45 sourceHighlight ];
+
+  buildInputs = [ libtraceevent libtracefs zstd ];
+
+  outputs = [ "out" "lib" "dev" "man" ];
+
+  MANPAGE_DOCBOOK_XSL="${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl";
+
+  dontConfigure = true;
+
+  enableParallelBuilding = true;
+  makeFlags = [
+    # The following values appear in the generated .pc file
+    "prefix=${placeholder "lib"}"
+  ];
+
+  # We do not mention targets (like "doc") explicitly in makeFlags
+  # because the Makefile would not print warnings about too old
+  # libraries (see "warning:" in the Makefile)
+  postBuild = ''
+    make libs doc -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES
+  '';
+
+  installTargets = [
+    "install_cmd"
+    "install_libs"
+    "install_doc"
+  ];
+  installFlags = [
+    "LDCONFIG=false"
+    "bindir=${placeholder "out"}/bin"
+    "mandir=${placeholder "man"}/share/man"
+    "libdir=${placeholder "lib"}/lib"
+    "pkgconfig_dir=${placeholder "dev"}/lib/pkgconfig"
+    "includedir=${placeholder "dev"}/include"
+    "BASH_COMPLETE_DIR=${placeholder "out"}/share/bash-completion/completions"
+  ];
+
+  meta = with lib; {
+    description = "User-space tools for the Linux kernel ftrace subsystem";
+    homepage    = "https://www.trace-cmd.org/";
+    license     = with licenses; [ lgpl21Only gpl2Only ];
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice basvandijk ];
+  };
+}
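Review bot: `src` is fetched over `git://git.kernel.org/...`, a transport with no encryption or server authentication. The pinned `sha256` protects builds against altered content, but whoever bumps `version` and refreshes the hash has no transport-level assurance about what they are hashing. kernelshark.nix in this same commit already uses HTTPS for the same host, so `url = "https://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/";` would be consistent with it.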
diff --git a/nixpkgs/pkgs/os-specific/linux/trace-cmd/kernelshark.nix b/nixpkgs/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
new file mode 100644
index 000000000000..e59e37c0b3cf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
@@ -0,0 +1,36 @@
+{ lib, mkDerivation, fetchgit, qtbase, cmake, asciidoc
+, docbook_xsl, json_c, mesa_glu, freeglut, trace-cmd, pkg-config
+, libtraceevent, libtracefs, freefont_ttf
+}:
+
+mkDerivation rec {
+  pname = "kernelshark";
+  version = "2.1.0";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/trace-cmd/kernel-shark.git/";
+    rev = "kernelshark-v${version}";
+    sha256 = "18yx8bp2996hiy026ncw2z5yfihvkjfl6m09y19yvs72crgvpyn8";
+  };
+
+  outputs = [ "out" ];
+
+  nativeBuildInputs = [ pkg-config cmake ];
+
+  buildInputs = [ qtbase json_c mesa_glu freeglut libtraceevent libtracefs trace-cmd ];
+
+  cmakeFlags = [
+    "-D_INSTALL_PREFIX=${placeholder "out"}"
+    "-D_POLKIT_INSTALL_PREFIX=${placeholder "out"}"
+    "-DPKG_CONGIG_DIR=${placeholder "out"}/lib/pkgconfig"
+    "-DTT_FONT_FILE=${freefont_ttf}/share/fonts/truetype/FreeSans.ttf"
+  ];
+
+  meta = with lib; {
+    description = "GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem";
+    homepage    = "https://kernelshark.org/";
+    license     = licenses.gpl2;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ basvandijk ];
+  };
+}
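Review bot: The flag `-DPKG_CONGIG_DIR=${placeholder "out"}/lib/pkgconfig` in `cmakeFlags` looks like a misspelling of `PKG_CONFIG_DIR`. CMake does not fail on a cache variable the project never reads, so a wrong name would simply leave the pkg-config directory at upstream's default. If upstream's variable really is spelled this way, a comment such as `# sic: upstream's CMake variable is spelled PKG_CONGIG_DIR` would stop a later cleanup from breaking it; the upstream CMake files are not visible here, so this needs checking against them.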
diff --git a/nixpkgs/pkgs/os-specific/linux/trezor-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/trezor-udev-rules/default.nix
new file mode 100644
index 000000000000..e5d20171c5cb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trezor-udev-rules/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "trezor-udev-rules";
+  version = "unstable-2019-07-17";
+
+  udevRules = fetchurl {
+    # let's pin the latest commit in the repo which touched the udev rules file
+    url = "https://raw.githubusercontent.com/trezor/trezor-firmware/68a3094b0a8e36b588b1bcb58c34a2c9eafc0dca/common/udev/51-trezor.rules";
+    sha256 = "0vlxif89nsqpbnbz1vwfgpl1zayzmq87gw1snskn0qns6x2rpczk";
+  };
+
+  dontUnpack = true;
+
+  installPhase = ''
+    cp ${udevRules} 51-trezor.rules
+    mkdir -p $out/lib/udev/rules.d
+    # we use trezord group, not plugdev
+    # we don't need the udev-acl tag
+    substituteInPlace 51-trezor.rules \
+      --replace 'GROUP="plugdev"' 'GROUP="trezord"' \
+      --replace ', TAG+="udev-acl"' ""
+    cp 51-trezor.rules $out/lib/udev/rules.d/51-trezor.rules
+  '';
+
+  meta = with lib; {
+    description = "Udev rules for Trezor";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ prusnak ];
+    platforms = platforms.linux;
+    homepage = "https://github.com/trezor/trezor-firmware/tree/master/common/udev";
+  };
+}
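Review bot: Nothing in `installPhase` verifies that the two `substituteInPlace` rewrites took effect, yet they decide which group gets access to the device nodes. The fetched file is pinned by commit and hash, so today's output is fixed. When the pin is bumped and upstream has reworded the rule, though, a non-matching pattern could ship the upstream `plugdev` group unchanged, depending on how this nixpkgs revision's `--replace` treats a miss. A check after the substitution, e.g. `grep -q 'GROUP="trezord"' 51-trezor.rules` and `! grep -q plugdev 51-trezor.rules`, would turn that into a build failure.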
diff --git a/nixpkgs/pkgs/os-specific/linux/trinity/default.nix b/nixpkgs/pkgs/os-specific/linux/trinity/default.nix
new file mode 100644
index 000000000000..09a2d8bf638d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/trinity/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  pname = "trinity";
+  version = "1.9";
+
+  src = fetchFromGitHub {
+    owner = "kernelslacker";
+    repo = "trinity";
+    rev = "v${version}";
+    sha256 = "0z1a7x727xacam74jccd223k303sllgwpq30lnq9b6xxy8b659bv";
+  };
+
+  patches = [
+    # Pull upstream fix for -fno-common toolchains
+    (fetchpatch {
+      name = "fno-common.patch";
+      url = "https://github.com/kernelslacker/trinity/commit/e53e25cc8dd5bdb5f7d9b4247de9e9921eec81d8.patch";
+      sha256 = "0dbhyc98x11cmac6rj692zymnfqfqcbawlrkg1lhgfagzjxxwshg";
+    })
+  ];
+
+  postPatch = ''
+    patchShebangs configure
+    patchShebangs scripts
+  '';
+
+  enableParallelBuilding = true;
+
+  makeFlags = [ "DESTDIR=$(out)" ];
+
+  meta = with lib; {
+    description = "A Linux System call fuzz tester";
+    homepage = "https://codemonkey.org.uk/projects/trinity/";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.dezgeg ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tuigreet/default.nix b/nixpkgs/pkgs/os-specific/linux/tuigreet/default.nix
new file mode 100644
index 000000000000..8660c4a1a49c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tuigreet/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "tuigreet";
+  version = "0.8.0";
+
+  src = fetchFromGitHub {
+    owner = "apognu";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-8/2I6bk29/GqZ1ACuN9RgBiGAy7yt0iw2fagHfu4/BI=";
+  };
+
+  cargoSha256 = "sha256-fOs9a0/1c8Kh4JA5up3XSQ+km/FwSYzl0w4UDL4yU4M=";
+
+  meta = with lib; {
+    description = "Graphical console greeter for greetd";
+    homepage = "https://github.com/apognu/tuigreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ivar ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/tuna/default.nix b/nixpkgs/pkgs/os-specific/linux/tuna/default.nix
new file mode 100644
index 000000000000..0e621a24f081
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tuna/default.nix
@@ -0,0 +1,62 @@
+{ lib
+, buildPythonApplication
+, fetchgit
+, pygobject3
+, pytestCheckHook
+, gdk-pixbuf
+, glib
+, gobject-introspection
+, gtk3
+, python-linux-procfs
+, python-ethtool
+, wrapGAppsHook
+}:
+
+buildPythonApplication rec {
+  pname = "tuna";
+  version = "0.15";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/${pname}/${pname}.git";
+    rev = "v${version}";
+    sha256 = "sha256-lRHlbdCQ0NcjcWgLvCze67kN8NsK0f5RmKfPbkHhk78=";
+  };
+
+  patchPhase = ''
+    mv tuna-cmd.py tuna/cmd.py
+
+    substituteInPlace setup.py \
+      --replace 'packages = ["tuna", "tuna/gui"],' \
+                'packages = ["tuna", "tuna/gui"], entry_points={"console_scripts":["tuna=tuna.cmd:main"]},'
+
+    substituteInPlace tuna/tuna_gui.py \
+      --replace "self.binpath + 'pkexec'" "'/run/wrappers/bin/pkexec'" \
+      --replace 'tuna_glade_dirs = [".", "tuna", "/usr/share/tuna"]' "tuna_glade_dirs = [ \"$out/share/tuna\" ]"
+  '';
+
+  nativeBuildInputs = [
+    glib.dev
+    gobject-introspection
+    gtk3
+    wrapGAppsHook
+  ];
+
+  propagatedBuildInputs = [ pygobject3 python-linux-procfs python-ethtool ];
+
+  postInstall = ''
+    mkdir -p $out/share/tuna
+    cp tuna/tuna_gui.glade $out/share/tuna/
+  '';
+
+  # contains no tests
+  doCheck = false;
+  pythonImportsCheck = [ "tuna" ];
+
+  meta = with lib; {
+    description = "Thread and IRQ affinity setting GUI and cmd line tool";
+    homepage = "https://git.kernel.org/pub/scm/utils/tuna/tuna.git";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ elohmeier ];
+  };
+}
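Review bot: Defining `patchPhase` directly replaces the default phase, so a `patches = [ … ]` list added later (a backported fix, for instance) would be ignored without any error, and `prePatch`/`postPatch` hooks do not run. Renaming the attribute to `postPatch` keeps the same commands and restores the default behaviour. The rewrite to `'/run/wrappers/bin/pkexec'` hard-codes the NixOS setuid-wrapper location and deserves a comment, e.g. `# pkexec must be the system's setuid wrapper; a store-path copy cannot be setuid`, since the GUI's privilege escalation will fail where that path does not exist.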
diff --git a/nixpkgs/pkgs/os-specific/linux/tunctl/default.nix b/nixpkgs/pkgs/os-specific/linux/tunctl/default.nix
new file mode 100644
index 000000000000..646e3702fed0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tunctl/default.nix
@@ -0,0 +1,24 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "tunctl";
+  version = "1.5";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/tunctl/tunctl-${version}.tar.gz";
+    sha256 = "aa2a6c4cc6bfacb11e0d9f62334a6638a0d435475c61230116f00b6af8b14fff";
+  };
+
+  makeFlags = [ "tunctl" ];
+  installPhase = ''
+    mkdir -p $out/bin
+    cp tunctl $out/bin
+  '';
+
+  meta = {
+    homepage = "http://tunctl.sourceforge.net/";
+    description = "Utility to set up and maintain TUN/TAP network interfaces";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/turbostat/default.nix b/nixpkgs/pkgs/os-specific/linux/turbostat/default.nix
new file mode 100644
index 000000000000..fb1bcf582fba
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/turbostat/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, kernel, libcap }:
+
+stdenv.mkDerivation {
+  pname = "turbostat";
+  inherit (kernel) src version;
+
+  buildInputs = [ libcap ];
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  postPatch = ''
+    cd tools/power/x86/turbostat
+  '';
+
+  meta = with lib; {
+    description = "Report processor frequency and idle statistics";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = [ "i686-linux" "x86_64-linux" ]; # x86-specific
+  };
+}
+
diff --git a/nixpkgs/pkgs/os-specific/linux/tuxedo-keyboard/default.nix b/nixpkgs/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
new file mode 100644
index 000000000000..f122aaf641db
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, kernel, linuxHeaders }:
+
+stdenv.mkDerivation rec {
+  pname = "tuxedo-keyboard-${kernel.version}";
+  version = "3.0.9";
+
+  src = fetchFromGitHub {
+    owner = "tuxedocomputers";
+    repo = "tuxedo-keyboard";
+    rev = "v${version}";
+    sha256 = "HGN2CKJ76FzgKkOsU5pLMsRl7hEGMcZ8Loa2YP0P558=";
+  };
+
+  buildInputs = [ linuxHeaders ];
+
+  makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  installPhase = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}"
+
+    for module in clevo_acpi.ko clevo_wmi.ko tuxedo_keyboard.ko tuxedo_io/tuxedo_io.ko; do
+        mv src/$module $out/lib/modules/${kernel.modDirVersion}
+    done
+  '';
+
+  meta = with lib; {
+    description = "Keyboard and hardware I/O driver for TUXEDO Computers laptops";
+    longDescription = ''
+      This driver provides support for Fn keys, brightness/color/mode for most TUXEDO
+      keyboards (except white backlight-only models).
+
+      Can be used with the "hardware.tuxedo-keyboard" NixOS module.
+    '';
+    homepage = "https://github.com/tuxedocomputers/tuxedo-keyboard/";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    broken = stdenv.isAarch64;
+    maintainers = [ maintainers.blanky0230 ];
+  };
+}
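Review bot: This out-of-tree module build lists `linuxHeaders` in `buildInputs` and does not set `nativeBuildInputs = kernel.moduleBuildDependencies;`, which tp_smapi in this same commit uses for the same kind of build. It may work as written, but the kernel's own build dependencies are the usual source for whatever the kbuild invocation through `KDIR` needs. `pname` also embeds `${kernel.version}`, so the derivation name carries two versions, and `mv src/$module $out/lib/modules/${kernel.modDirVersion}` leaves `$out` unquoted while the `mkdir -p` above quotes it.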
diff --git a/nixpkgs/pkgs/os-specific/linux/uclibc-ng/default.nix b/nixpkgs/pkgs/os-specific/linux/uclibc-ng/default.nix
new file mode 100644
index 000000000000..f7cd34a458c3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/uclibc-ng/default.nix
@@ -0,0 +1,141 @@
+{ lib
+, stdenv
+, buildPackages
+, fetchurl
+, linuxHeaders
+, libiconvReal
+, extraConfig ? ""
+}:
+
+let
+  isCross = (stdenv.buildPlatform != stdenv.hostPlatform);
+  configParser = ''
+    function parseconfig {
+        set -x
+        while read LINE; do
+            NAME=`echo "$LINE" | cut -d \  -f 1`
+            OPTION=`echo "$LINE" | cut -d \  -f 2`
+
+            if test -z "$NAME"; then
+                continue
+            fi
+
+            echo "parseconfig: removing $NAME"
+            sed -i /^$NAME=/d .config
+
+            #if test "$OPTION" != n; then
+                echo "parseconfig: setting $NAME=$OPTION"
+                echo "$NAME=$OPTION" >> .config
+            #fi
+        done
+        set +x
+    }
+  '';
+
+  # UCLIBC_SUSV4_LEGACY defines 'tmpnam', needed for gcc libstdc++ builds.
+  nixConfig = ''
+    RUNTIME_PREFIX "/"
+    DEVEL_PREFIX "/"
+    UCLIBC_HAS_WCHAR y
+    UCLIBC_HAS_FTW y
+    UCLIBC_HAS_RPC y
+    DO_C99_MATH y
+    UCLIBC_HAS_PROGRAM_INVOCATION_NAME y
+    UCLIBC_HAS_RESOLVER_SUPPORT y
+    UCLIBC_SUSV4_LEGACY y
+    UCLIBC_HAS_THREADS_NATIVE y
+    KERNEL_HEADERS "${linuxHeaders}/include"
+  '' + lib.optionalString (stdenv.hostPlatform.gcc.float or "" == "soft") ''
+    UCLIBC_HAS_FPU n
+  '' + lib.optionalString (stdenv.isAarch32 && isCross) ''
+    CONFIG_ARM_EABI y
+    ARCH_WANTS_BIG_ENDIAN n
+    ARCH_BIG_ENDIAN n
+    ARCH_WANTS_LITTLE_ENDIAN y
+    ARCH_LITTLE_ENDIAN y
+    UCLIBC_HAS_FPU n
+  '';
+in
+stdenv.mkDerivation rec {
+  pname = "uclibc-ng";
+  version = "1.0.41";
+
+  src = fetchurl {
+    url = "https://downloads.uclibc-ng.org/releases/${version}/uClibc-ng-${version}.tar.xz";
+    sha256 = "sha256-syqSoCGNlZItaXZGTm71Hi66z7zbYFggRY2du4ph4CU=";
+  };
+
+  # 'ftw' needed to build acl, a coreutils dependency
+  configurePhase = ''
+    make defconfig
+    ${configParser}
+    cat << EOF | parseconfig
+    ${nixConfig}
+    ${extraConfig}
+    ${stdenv.hostPlatform.uclibc.extraConfig or ""}
+    EOF
+    ( set +o pipefail; yes "" | make oldconfig )
+  '';
+
+  hardeningDisable = [ "stackprotector" ];
+
+  # Cross stripping hurts.
+  dontStrip = isCross;
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+  makeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+    "TARGET_ARCH=${stdenv.hostPlatform.linuxArch}"
+    "VERBOSE=1"
+  ] ++ lib.optionals (isCross) [
+    "CROSS=${stdenv.cc.targetPrefix}"
+  ];
+
+  # `make libpthread/nptl/sysdeps/unix/sysv/linux/lowlevelrwlock.h`:
+  # error: bits/sysnum.h: No such file or directory
+  enableParallelBuilding = false;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+    make $makeFlags PREFIX=$out VERBOSE=1 install
+    (cd $out/include && ln -s $(ls -d ${linuxHeaders}/include/* | grep -v "scsi$") .)
+    # libpthread.so may not exist, so I do || true
+    sed -i s@/lib/@$out/lib/@g $out/lib/libc.so $out/lib/libpthread.so || true
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://uclibc-ng.org";
+    description = "Embedded C library";
+    longDescription = ''
+      uClibc-ng is a small C library for developing embedded Linux systems. It
+      is much smaller than the GNU C Library, but nearly all applications
+      supported by glibc also work perfectly with uClibc-ng.
+
+      Porting applications from glibc to uClibc-ng typically involves just
+      recompiling the source code. uClibc-ng supports shared libraries and
+      threading. It currently runs on standard Linux and MMU-less (also known as
+      uClinux) systems with support for Aarch64, Alpha, ARC, ARM, AVR32,
+      Blackfin, CRIS, C-Sky, C6X, FR-V, H8/300, HPPA, i386, IA64, KVX, LM32,
+      M68K/Coldfire, Metag, Microblaze, MIPS, MIPS64, NDS32, NIOS2, OpenRISC,
+      PowerPC, RISCV64, Sparc, Sparc64, SuperH, Tile, X86_64 and XTENSA
+      processors. Alpha, FR-V, HPPA, IA64, LM32, NIOS2, Tile and Sparc64 are
+      experimental and need more testing.
+    '';
+    license = licenses.lgpl2Plus;
+    maintainers = with maintainers; [ rasendubi AndersonTorres ];
+    platforms = platforms.linux;
+    badPlatforms = platforms.aarch64;
+  };
+
+  passthru = {
+    # Derivations may check for the existance of this attribute, to know what to
+    # link to.
+    libiconv = libiconvReal;
+  };
+
+}
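Review bot: In `installPhase`, the trailing `|| true` on the `sed -i … $out/lib/libc.so $out/lib/libpthread.so` line hides every failure of that command, including a failed rewrite of `libc.so`, although the comment says only a missing `libpthread.so` is expected. Splitting it keeps the tolerance where it is meant: `sed -i s@/lib/@$out/lib/@g $out/lib/libc.so`, then `if [ -e $out/lib/libpthread.so ]; then sed -i s@/lib/@$out/lib/@g $out/lib/libpthread.so; fi`. Separately, `hardeningDisable = [ "stackprotector" ]` has no comment saying why the stack protector is off for this libc. `parseconfig` also leaves `set -x` tracing on and an `#if test "$OPTION" != n` guard commented out; a one-line reason for each would help the next reader.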
diff --git a/nixpkgs/pkgs/os-specific/linux/udisks/2-default.nix b/nixpkgs/pkgs/os-specific/linux/udisks/2-default.nix
new file mode 100644
index 000000000000..5aff6e969705
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/udisks/2-default.nix
@@ -0,0 +1,96 @@
+{ lib, stdenv, fetchFromGitHub, substituteAll, pkg-config, gnused, autoreconfHook
+, gtk-doc, acl, systemd, glib, libatasmart, polkit, coreutils, bash, which
+, expat, libxslt, docbook_xsl, util-linux, mdadm, libgudev, libblockdev, parted
+, gobject-introspection, docbook_xml_dtd_412, docbook_xml_dtd_43
+, xfsprogs, f2fs-tools, dosfstools, e2fsprogs, btrfs-progs, exfat, nilfs-utils, ntfs3g
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "udisks";
+  version = "2.9.4";
+
+  src = fetchFromGitHub {
+    owner = "storaged-project";
+    repo = "udisks";
+    rev = "${pname}-${version}";
+    sha256 = "sha256-MYQztzIyp5kh9t1bCIlj08/gaOmZfuu/ZOwo3F+rZiw=";
+  };
+
+  outputs = [ "out" "man" "dev" ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "devdoc";
+
+  patches = [
+    (substituteAll {
+      src = ./fix-paths.patch;
+      bash = "${bash}/bin/bash";
+      blkid = "${util-linux}/bin/blkid";
+      false = "${coreutils}/bin/false";
+      mdadm = "${mdadm}/bin/mdadm";
+      mkswap = "${util-linux}/bin/mkswap";
+      sed = "${gnused}/bin/sed";
+      sh = "${bash}/bin/sh";
+      sleep = "${coreutils}/bin/sleep";
+      swapon = "${util-linux}/bin/swapon";
+      true = "${coreutils}/bin/true";
+    })
+    (substituteAll {
+      src = ./force-path.patch;
+      path = lib.makeBinPath [
+        btrfs-progs coreutils dosfstools e2fsprogs exfat f2fs-tools nilfs-utils
+        xfsprogs ntfs3g parted util-linux
+      ];
+    })
+  ];
+
+  strictDeps = true;
+  # pkg-config had to be in both to find gtk-doc and gobject-introspection
+  depsBuildBuild = [ pkg-config ];
+  nativeBuildInputs = [
+    autoreconfHook which gobject-introspection pkg-config
+    gtk-doc libxslt docbook_xml_dtd_412 docbook_xml_dtd_43 docbook_xsl
+  ];
+
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
+      substituteInPlace udisks/udisksclient.c \
+        --replace 'defined( __GNUC_PREREQ)' 1 \
+        --replace '__GNUC_PREREQ(4,6)' 1
+  '';
+
+  buildInputs = [
+    expat libgudev libblockdev acl systemd glib libatasmart polkit util-linux
+  ];
+
+  preConfigure = "NOCONFIGURE=1 ./autogen.sh";
+
+  configureFlags = [
+    (lib.enableFeature (stdenv.buildPlatform == stdenv.hostPlatform) "gtk-doc")
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+    "--with-systemdsystemunitdir=$(out)/etc/systemd/system"
+    "--with-udevdir=$(out)/lib/udev"
+    "--with-tmpfilesdir=no"
+  ];
+
+  makeFlags = [
+    "INTROSPECTION_GIRDIR=$(dev)/share/gir-1.0"
+    "INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0"
+  ];
+
+  installFlags = [
+    "sysconfdir=${placeholder "out"}/etc"
+  ];
+
+  enableParallelBuilding = true;
+
+  doCheck = true;
+
+  passthru.tests.vm = nixosTests.udisks2;
+
+  meta = with lib; {
+    description = "A daemon, tools and libraries to access and manipulate disks, storage devices and technologies";
+    homepage = "https://www.freedesktop.org/wiki/Software/udisks/";
+    license = with licenses; [ lgpl2Plus gpl2Plus ]; # lgpl2Plus for the library, gpl2Plus for the tools & daemon
+    maintainers = teams.freedesktop.members ++ (with maintainers; [ johnazoidberg ]);
+    platforms = platforms.linux;
+  };
+}
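Review bot: The second `substituteAll` entry (for `./force-path.patch`) needs a comment explaining what the `path` list controls. The patch shown later in this commit drops upstream's `g_getenv ("PATH") == NULL` guard and sets PATH unconditionally, so the daemon can only find helpers by bare name in the packages listed in `lib.makeBinPath [ … ]`. Ignoring the inherited PATH is a sound choice for a system daemon, but it makes the list load-bearing: a filesystem tool missing from it fails at run time, not at build time. Suggested comment above `path =`: `# force-path.patch replaces the daemon's PATH wholesale; every helper it runs by bare name must be listed here.`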
diff --git a/nixpkgs/pkgs/os-specific/linux/udisks/fix-paths.patch b/nixpkgs/pkgs/os-specific/linux/udisks/fix-paths.patch
new file mode 100644
index 000000000000..30bc08da8cfa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/udisks/fix-paths.patch
@@ -0,0 +1,158 @@
+diff --git a/data/80-udisks2.rules b/data/80-udisks2.rules
+index ca802cce..bfd1c29e 100644
+--- a/data/80-udisks2.rules
++++ b/data/80-udisks2.rules
+@@ -17,9 +17,9 @@ ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="?*", GOTO="udisks_probe_end"
+ #
+ # TODO: file bug against mdadm(8) to have --export-prefix option that can be used with e.g. UDISKS_MD_MEMBER
+ #
+-SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="raid", ENV{ID_FS_TYPE}=="linux_raid_member", ENV{UDISKS_MD_MEMBER_LEVEL}=="", IMPORT{program}="/bin/sh -c '/sbin/mdadm --examine --export $tempnode | /bin/sed s/^MD_/UDISKS_MD_MEMBER_/g'"
++SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="raid", ENV{ID_FS_TYPE}=="linux_raid_member", ENV{UDISKS_MD_MEMBER_LEVEL}=="", IMPORT{program}="@sh@ -c '@mdadm@ --examine --export $tempnode | @sed@ s/^MD_/UDISKS_MD_MEMBER_/g'"
+ 
+-SUBSYSTEM=="block", KERNEL=="md*", ENV{DEVTYPE}!="partition", IMPORT{program}="/bin/sh -c '/sbin/mdadm --detail --export $tempnode | /bin/sed s/^MD_/UDISKS_MD_/g'"
++SUBSYSTEM=="block", KERNEL=="md*", ENV{DEVTYPE}!="partition", IMPORT{program}="@sh@ -c '@mdadm@ --detail --export $tempnode | @sed@ s/^MD_/UDISKS_MD_/g'"
+ 
+ LABEL="udisks_probe_end"
+ 
+diff --git a/modules/zram/data/udisks2-zram-setup@.service.in b/modules/zram/data/udisks2-zram-setup@.service.in
+index ac868e84..03fdd887 100644
+--- a/modules/zram/data/udisks2-zram-setup@.service.in
++++ b/modules/zram/data/udisks2-zram-setup@.service.in
+@@ -8,7 +8,7 @@ Requires=dev-%i.device
+ Type=oneshot
+ RemainAfterExit=no
+ EnvironmentFile=-@zramconfdir@/%i
+-ExecStart=-/bin/sh -c 'if [ -n "$ZRAM_NUM_STR" ]; then echo "$ZRAM_NUM_STR" > /sys/class/block/%i/max_comp_streams; fi'
+-ExecStart=-/bin/sh -c 'if [ -n "$ZRAM_DEV_SIZE" ]; then echo "$ZRAM_DEV_SIZE" > /sys/class/block/%i/disksize; fi'
+-ExecStart=-/bin/sh -c 'if [ "$SWAP" = "y" ]; then mkswap /dev/%i && swapon /dev/%i; fi'
+-# ExecStop=-/bin/sh -c 'echo 1 > /sys/class/block/%i/reset'
++ExecStart=-@sh@ -c 'if [ -n "$ZRAM_NUM_STR" ]; then echo "$ZRAM_NUM_STR" > /sys/class/block/%i/max_comp_streams; fi'
++ExecStart=-@sh@ -c 'if [ -n "$ZRAM_DEV_SIZE" ]; then echo "$ZRAM_DEV_SIZE" > /sys/class/block/%i/disksize; fi'
++ExecStart=-@sh@ -c 'if [ "$SWAP" = "y" ]; then @mkswap@ /dev/%i && @swapon@ /dev/%i; fi'
++# ExecStop=-@sh@ -c 'echo 1 > /sys/class/block/%i/reset'
+diff --git a/modules/zram/udiskslinuxmanagerzram.c b/modules/zram/udiskslinuxmanagerzram.c
+index f647f653..df81e910 100644
+--- a/modules/zram/udiskslinuxmanagerzram.c
++++ b/modules/zram/udiskslinuxmanagerzram.c
+@@ -243,7 +243,7 @@ create_conf_files (guint64   num_devices,
+ 
+       g_snprintf (tmp, 255, "zram%" G_GUINT64_FORMAT, i);
+       filename = g_build_filename (PACKAGE_ZRAMCONF_DIR, tmp, NULL);
+-      contents = g_strdup_printf ("#!/bin/bash\n"
++      contents = g_strdup_printf ("#!@bash@\n"
+                                   "# UDisks2 managed ZRAM configuration\n\n"
+                                   "ZRAM_NUM_STR=%" G_GUINT64_FORMAT "\n"
+                                   "ZRAM_DEV_SIZE=%" G_GUINT64_FORMAT "\n"
+diff --git a/src/tests/install-udisks/runtest.sh b/src/tests/install-udisks/runtest.sh
+index e7df4ed2..ab4356d9 100644
+--- a/src/tests/install-udisks/runtest.sh
++++ b/src/tests/install-udisks/runtest.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!@bash@
+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ #
+diff --git a/src/tests/integration-test b/src/tests/integration-test
+index 07e4e029..3bd8ec51 100755
+--- a/src/tests/integration-test
++++ b/src/tests/integration-test
+@@ -299,7 +299,7 @@ class UDisksTestCase(unittest.TestCase):
+         if not device:
+             device = cls.devname(partition)
+         result = {}
+-        cmd = subprocess.Popen(['blkid', '-p', '-o', 'udev', device], stdout=subprocess.PIPE)
++        cmd = subprocess.Popen(['@blkid@', '-p', '-o', 'udev', device], stdout=subprocess.PIPE)
+         for l in cmd.stdout:
+             (key, value) = l.decode('UTF-8').split('=', 1)
+             result[key] = value.strip()
+@@ -437,7 +437,7 @@ class UDisksTestCase(unittest.TestCase):
+                 f.write('KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", '
+                         'ATTRS{model}=="scsi_debug*", '
+                         'ENV{ID_CDROM_MEDIA}=="?*", '
+-                        'IMPORT{program}="/sbin/blkid -o udev -p -u noraid $tempnode"\n')
++                        'IMPORT{program}="@blkid@ -o udev -p -u noraid $tempnode"\n')
+             # reload udev
+             subprocess.call('sync; pkill --signal HUP udevd || '
+                             'pkill --signal HUP systemd-udevd',
+@@ -1142,7 +1142,7 @@ class FS(UDisksTestCase):
+         self.assertFalse(os.access(f, os.X_OK))
+ 
+         f = os.path.join(mount_point, 'simple.exe')
+-        shutil.copy('/bin/bash', f)
++        shutil.copy('@bash@', f)
+         self.assertTrue(os.access(f, os.R_OK))
+         self.assertTrue(os.access(f, os.W_OK))
+         self.assertTrue(os.access(f, os.X_OK))
+@@ -1155,7 +1155,7 @@ class FS(UDisksTestCase):
+         self.assertFalse(os.access(f, os.X_OK))
+ 
+         f = os.path.join(mount_point, 'subdir', 'subdir.exe')
+-        shutil.copy('/bin/bash', f)
++        shutil.copy('@bash@', f)
+         self.assertTrue(os.access(f, os.R_OK))
+         self.assertTrue(os.access(f, os.W_OK))
+         self.assertTrue(os.access(f, os.X_OK))
+diff --git a/src/tests/storadectl/runtest.sh b/src/tests/storadectl/runtest.sh
+index f03885f9..baca6a93 100644
+--- a/src/tests/storadectl/runtest.sh
++++ b/src/tests/storadectl/runtest.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!@bash@
+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ #
+diff --git a/src/tests/test.c b/src/tests/test.c
+index 3ddbdf2c..a87f960a 100644
+--- a/src/tests/test.c
++++ b/src/tests/test.c
+@@ -71,7 +71,7 @@ test_spawned_job_successful (void)
+ {
+   UDisksSpawnedJob *job;
+ 
+-  job = udisks_spawned_job_new ("/bin/true", NULL, getuid (), geteuid (), NULL, NULL);
++  job = udisks_spawned_job_new ("@true@", NULL, getuid (), geteuid (), NULL, NULL);
+   udisks_spawned_job_start (job);
+   _g_assert_signal_received (job, "completed", G_CALLBACK (on_completed_expect_success), NULL);
+   g_object_unref (job);
+@@ -84,10 +84,10 @@ test_spawned_job_failure (void)
+ {
+   UDisksSpawnedJob *job;
+ 
+-  job = udisks_spawned_job_new ("/bin/false", NULL, getuid (), geteuid (), NULL, NULL);
++  job = udisks_spawned_job_new ("@false@", NULL, getuid (), geteuid (), NULL, NULL);
+   udisks_spawned_job_start (job);
+   _g_assert_signal_received (job, "completed", G_CALLBACK (on_completed_expect_failure),
+-                             (gpointer) "Command-line `/bin/false' exited with non-zero exit status 1: ");
++                             (gpointer) "Command-line `@false@' exited with non-zero exit status 1: ");
+   g_object_unref (job);
+ }
+ 
+@@ -119,7 +119,7 @@ test_spawned_job_cancelled_at_start (void)
+ 
+   cancellable = g_cancellable_new ();
+   g_cancellable_cancel (cancellable);
+-  job = udisks_spawned_job_new ("/bin/true", NULL, getuid (), geteuid (), NULL, cancellable);
++  job = udisks_spawned_job_new ("@true@", NULL, getuid (), geteuid (), NULL, cancellable);
+   udisks_spawned_job_start (job);
+   _g_assert_signal_received (job, "completed", G_CALLBACK (on_completed_expect_failure),
+                              (gpointer) "Operation was cancelled (g-io-error-quark, 19)");
+@@ -144,7 +144,7 @@ test_spawned_job_cancelled_midway (void)
+   GCancellable *cancellable;
+ 
+   cancellable = g_cancellable_new ();
+-  job = udisks_spawned_job_new ("/bin/sleep 0.5", NULL, getuid (), geteuid (), NULL, cancellable);
++  job = udisks_spawned_job_new ("@sleep@ 0.5", NULL, getuid (), geteuid (), NULL, cancellable);
+   udisks_spawned_job_start (job);
+   g_timeout_add (10, on_timeout, cancellable); /* 10 msec */
+   _g_assert_signal_received (job, "completed", G_CALLBACK (on_completed_expect_failure),
+@@ -197,7 +197,7 @@ test_spawned_job_premature_termination (void)
+ {
+   UDisksSpawnedJob *job;
+ 
+-  job = udisks_spawned_job_new ("/bin/sleep 1000", NULL, getuid (), geteuid (), NULL, NULL /* GCancellable */);
++  job = udisks_spawned_job_new ("@sleep@ 1000", NULL, getuid (), geteuid (), NULL, NULL /* GCancellable */);
+   udisks_spawned_job_start (job);
+   g_object_unref (job);
+ }
diff --git a/nixpkgs/pkgs/os-specific/linux/udisks/force-path.patch b/nixpkgs/pkgs/os-specific/linux/udisks/force-path.patch
new file mode 100644
index 000000000000..741f53544bee
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/udisks/force-path.patch
@@ -0,0 +1,17 @@
+diff --git a/src/main.c b/src/main.c
+index b4dbf9e0..3171fa34 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -144,8 +144,7 @@ main (int    argc,
+       g_setenv("G_MESSAGES_DEBUG", "udisks", FALSE);
+     }
+ 
+-  if (g_getenv ("PATH") == NULL)
+-    g_setenv ("PATH", "/usr/bin:/bin:/usr/sbin:/sbin", TRUE);
++  g_setenv ("PATH", "@path@", TRUE);
+ 
+   udisks_notice ("udisks daemon version %s starting", PACKAGE_VERSION);
+ 
+-- 
+2.33.1
+
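Review bot: The new unconditional `g_setenv ("PATH", "@path@", TRUE);` has no comment saying why the `g_getenv` guard was dropped, and it only works if `@path@` is substituted when the patch is applied, which this hunk does not show. If the placeholder survived into a build, the daemon would start with a literal `@path@` search path and every helper lookup by name would fail. I would add a comment above the call, `/* NixOS: always pin PATH to the packaged helpers; never inherit it from whatever started the daemon. */`, and have the derivation fail the build when `@path@` is still present after patching. `main` begins and continues outside the hunk.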
diff --git a/nixpkgs/pkgs/os-specific/linux/uhk-agent/default.nix b/nixpkgs/pkgs/os-specific/linux/uhk-agent/default.nix
new file mode 100644
index 000000000000..688a743fa9c1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/uhk-agent/default.nix
@@ -0,0 +1,39 @@
+{ appimageTools, lib, fetchurl, polkit, udev }:
+let
+  pname = "uhk-agent";
+  version = "1.5.17";
+  src = fetchurl {
+    url = "https://github.com/UltimateHackingKeyboard/agent/releases/download/v${version}/UHK.Agent-${version}-linux-x86_64.AppImage";
+    name = "${pname}-${version}.AppImage";
+    sha256 = "sha256-auOoTTRmkXVDDvcmRFzQIStNlbai8bTBLb/KUjk6EAc=";
+  };
+
+  appimageContents = appimageTools.extract {
+    name = "${pname}-${version}";
+    inherit src;
+  };
+in appimageTools.wrapType2 {
+  inherit pname version src;
+
+  extraPkgs = pkgs: with pkgs; [ polkit udev ];
+
+  extraInstallCommands = ''
+    mv $out/bin/${pname}-${version} $out/bin/${pname}
+
+    install -m 444 -D ${appimageContents}/${pname}.desktop -t $out/share/applications
+    install -m 644 -D ${appimageContents}/resources/rules/50-uhk60.rules $out/rules/50-uhk60.rules
+    substituteInPlace $out/share/applications/${pname}.desktop \
+      --replace 'Exec=AppRun' 'Exec=${pname}'
+    cp -r ${appimageContents}/usr/share/icons $out/share
+  '';
+  # wrapType2 does not passthru pname+version
+  passthru.version = version;
+
+  meta = with lib; {
+    description = "Agent is the configuration application of the Ultimate Hacking Keyboard";
+    homepage = "https://github.com/UltimateHackingKeyboard/agent";
+    license = licenses.unfreeRedistributable;
+    maintainers = with maintainers; [ ngiger ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
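Review bot: `50-uhk60.rules` is copied verbatim out of the unfree prebuilt AppImage into `$out/rules`, and the `uhk-udev-rules` derivation that follows installs it into `lib/udev/rules.d`, so the device permissions it grants never appear in a nixpkgs diff. A version bump changes only `version` and `sha256`, and could silently change who may open the device nodes. I would either vendor the rules file in-tree (as `usb-blaster-udev-rules` does) or add a comment next to the `install` line, `# rules come from the upstream binary; re-read them on every version bump`. The `$out` expansions in `extraInstallCommands` are also unquoted.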
diff --git a/nixpkgs/pkgs/os-specific/linux/uhk-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/uhk-udev-rules/default.nix
new file mode 100644
index 000000000000..bcb7799731f6
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/uhk-udev-rules/default.nix
@@ -0,0 +1,20 @@
+{ lib, stdenv, uhk-agent }:
+
+stdenv.mkDerivation {
+  pname = "uhk-udev-rules";
+  inherit (uhk-agent) version;
+
+  dontUnpack = true;
+  dontBuild = true;
+  installPhase = ''
+    runHook preInstall
+    install -D -m 644 ${uhk-agent.out}/rules/50-uhk60.rules $out/lib/udev/rules.d/50-uhk60.rules
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "udev rules for UHK keyboards from https://ultimatehackingkeyboard.com";
+    inherit (uhk-agent.meta) license;
+    maintainers = [ lib.maintainers.ngiger ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/undervolt/default.nix b/nixpkgs/pkgs/os-specific/linux/undervolt/default.nix
new file mode 100644
index 000000000000..cc9fb7374658
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/undervolt/default.nix
@@ -0,0 +1,27 @@
+{ lib, fetchFromGitHub, python3Packages }:
+
+python3Packages.buildPythonApplication rec {
+  version = "0.3.0";
+  pname = "undervolt";
+
+  src = fetchFromGitHub {
+    owner = "georgewhewell";
+    repo = "undervolt";
+    rev = version;
+    sha256 = "1aybk8vbb4745raz7rvpkk6b98xrdiwjhkpbv3kwsgsr9sj42lp0";
+  };
+
+  meta = with lib; {
+    homepage = "https://github.com/georgewhewell/undervolt/";
+    description = "A program for undervolting Intel CPUs on Linux";
+
+    longDescription = ''
+      Undervolt is a program for undervolting Intel CPUs under Linux. It works in a similar
+      manner to the Windows program ThrottleStop (i.e, MSR 0x150). You can apply a fixed
+      voltage offset to one of 5 voltage planes, and override your systems temperature
+      target (CPU will throttle when this temperature is reached).
+    '';
+    license = licenses.gpl2;
+    platforms = [ "x86_64-linux" ];
+  };
+}
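Review bot: The `meta` block has no `maintainers` attribute and uses the ambiguous `licenses.gpl2`. The `longDescription` says the tool writes voltage offsets through MSR 0x150, so this is a package that should have a named owner to track upstream fixes. I would add `maintainers = with maintainers; [ ... ];` and replace the licence with `licenses.gpl2Only` or `licenses.gpl2Plus` after checking upstream's licence text. A `pythonImportsCheck = [ "undervolt" ];` line would also give the build a minimal smoke test, assuming that is the module name.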
diff --git a/nixpkgs/pkgs/os-specific/linux/unscd/0001-adjust-socket-paths-for-nixos.patch b/nixpkgs/pkgs/os-specific/linux/unscd/0001-adjust-socket-paths-for-nixos.patch
new file mode 100644
index 000000000000..941b5c90a624
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/unscd/0001-adjust-socket-paths-for-nixos.patch
@@ -0,0 +1,41 @@
+From 9d76d183a97cb667a1ab6d95af69d6db745215df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Milan=20P=C3=A4ssler?= <milan@petabyte.dev>
+Date: Tue, 1 Jun 2021 16:55:45 +0200
+Subject: [PATCH] adjust socket paths for nixos
+
+The original unscd would crash, because it is not allowed to create its
+legacy socket at /var/run/.nscd_socket.
+
+This socket is only required for very old glibc versions, but removing it
+is currently non-trivial, so we just move it somewhere, where it is
+allowed to be created. A patch has been submitted upstream to make this
+hack unnecessary.
+
+Also change /var/run to /run, since we shouldn't be using /var/run
+anymore.
+---
+ nscd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/nscd.c b/nscd.c
+index a71e474..0cd7106 100644
+--- a/nscd.c
++++ b/nscd.c
+@@ -2100,10 +2100,10 @@ static void main_loop(void)
+ ** Initialization
+ */
+ 
+-#define NSCD_PIDFILE    "/var/run/nscd/nscd.pid"
+-#define NSCD_DIR        "/var/run/nscd"
+-#define NSCD_SOCKET     "/var/run/nscd/socket"
+-#define NSCD_SOCKET_OLD "/var/run/.nscd_socket"
++#define NSCD_PIDFILE    "/run/nscd/nscd.pid"
++#define NSCD_DIR        "/run/nscd"
++#define NSCD_SOCKET     "/run/nscd/socket"
++#define NSCD_SOCKET_OLD "/run/nscd/socket_legacy"
+ 
+ static smallint wrote_pidfile;
+ 
+-- 
+2.31.1
+
diff --git a/nixpkgs/pkgs/os-specific/linux/unscd/default.nix b/nixpkgs/pkgs/os-specific/linux/unscd/default.nix
new file mode 100644
index 000000000000..82b8c7076271
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/unscd/default.nix
@@ -0,0 +1,76 @@
+{ fetchurl, fetchpatch, stdenv, systemd, lib }:
+
+stdenv.mkDerivation rec {
+  pname = "unscd";
+  version = "0.54";
+
+  src = fetchurl {
+    url = "https://busybox.net/~vda/unscd/nscd-${version}.c";
+    sha256 = "0iv4iwgs3sjnqnwd7dpcw6s7i4ar9q89vgsms32clx14fdqjrqch";
+  };
+
+  unpackPhase = ''
+    runHook preUnpack
+    cp $src nscd.c
+    chmod u+w nscd.c
+    runHook postUnpack
+  '';
+
+  patches = [
+    # Patches from Debian that have not (yet) been included upstream, but are useful to us
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/u/${pname}/${version}-1/debian/patches/change_invalidate_request_info_output";
+      sha256 = "17whakazpisiq9nnw3zybaf7v3lqkww7n6jkx0igxv4z2r3mby6l";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/u/${pname}/${version}-1/debian/patches/support_large_numbers_in_config";
+      sha256 = "0jrqb4cwclwirpqfb6cvnmiff3sm2jhxnjwxa7h0wx78sg0y3bpp";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/u/${pname}/${version}-1/debian/patches/no_debug_on_invalidate";
+      sha256 = "0znwzb522zgikb0mm7awzpvvmy0wf5z7l3jgjlkdpgj0scxgz86w";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/u/${pname}/${version}-1/debian/patches/notify_systemd_about_successful_startup";
+      sha256 = "1ipwmbfwm65yisy74nig9960vxpjx683l3skgxfgssfx1jb9z2mc";
+    })
+
+    # The original unscd would crash, because it is not allowed to create its
+    # legacy socket at /var/run/.nscd_socket.
+    # This socket is only required for very old glibc versions, but removing it
+    # is currently non-trivial, so we just move it somewhere, where it is
+    # allowed to be created. A patch has been submitted upstream to make this
+    # hack unnecessary.
+    # Also change /var/run to /run, since we shouldn't be using /var/run
+    # anymore.
+    # See also: http://lists.busybox.net/pipermail/busybox/2021-June/088866.html
+    ./0001-adjust-socket-paths-for-nixos.patch
+  ];
+
+  buildInputs = [ systemd ];
+
+  buildPhase = ''
+    runHook preBuild
+    gcc -Wall \
+      -Wl,--sort-section -Wl,alignment \
+      -Wl,--sort-common \
+      -fomit-frame-pointer \
+      -lsystemd \
+      -o nscd nscd.c
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm755 -t $out/bin nscd
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://busybox.net/~vda/unscd/";
+    description = "Less buggy replacement for the glibc name service cache daemon";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ ];
+  };
+}
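Review bot: `buildPhase` invokes `gcc` by name, so it ignores `$CC` and will not work for cross builds or a non-GCC stdenv. `-lsystemd` is also listed before `nscd.c`, which can drop the library when the linker runs with `--as-needed`. I would write `$CC -Wall \` and end the command with `-o nscd nscd.c -lsystemd`. Separately, `maintainers = with maintainers; [ ];` leaves a system daemon that carries four Debian patches plus a local one without an owner to rebase them on a version bump.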
diff --git a/nixpkgs/pkgs/os-specific/linux/unstick/default.nix b/nixpkgs/pkgs/os-specific/linux/unstick/default.nix
new file mode 100644
index 000000000000..7856456a3c36
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/unstick/default.nix
@@ -0,0 +1,26 @@
+{ stdenv, lib, fetchFromGitHub, meson, ninja, pkg-config, libseccomp }:
+
+stdenv.mkDerivation rec {
+  pname = "unstick";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "kwohlfahrt";
+    repo = "unstick";
+    rev = "effee9aa242ca12dc94cc6e96bc073f4cc9e8657";
+    sha256 = "08la3jmmzlf4pm48bf9zx4cqj9gbqalpqy0s57bh5vfsdk74nnhv";
+  };
+
+  sourceRoot = "source/src";
+
+  nativeBuildInputs = [ meson ninja pkg-config ];
+  buildInputs = [ libseccomp ];
+
+  meta = {
+    homepage = "https://github.com/kwohlfahrt/unstick";
+    description = "Silently eats chmod commands forbidden by Nix";
+    license = lib.licenses.gpl3;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ kwohlfahrt ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/untie/default.nix b/nixpkgs/pkgs/os-specific/linux/untie/default.nix
new file mode 100644
index 000000000000..947ae2ca8d8b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/untie/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "untie";
+  version = "0.3";
+  src = fetchurl {
+    url = "http://guichaz.free.fr/untie/files/${pname}-${version}.tar.bz2";
+    sha256 = "1334ngvbi4arcch462mzi5vxvxck4sy1nf0m58116d9xmx83ak0m";
+  };
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  meta = with lib; {
+    description = "A tool to run processes untied from some of the namespaces";
+    maintainers = with maintainers; [ raskin ];
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+  };
+
+  passthru = {
+    updateInfo = {
+      downloadPage = "http://guichaz.free.fr/untie";
+    };
+  };
+}
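Review bot: Both `url` and `updateInfo.downloadPage` use plain `http://`. The `sha256` pin protects the tarball that was originally hashed, but whoever re-pins it for a new version has no authenticated channel to compare against. If the host serves HTTPS, switch both URLs; otherwise add a comment by the hash, `# upstream offers no HTTPS; verify a new tarball out of band before updating the hash`. The `meta` block also lacks a `homepage`.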
diff --git a/nixpkgs/pkgs/os-specific/linux/upower/default.nix b/nixpkgs/pkgs/os-specific/linux/upower/default.nix
new file mode 100644
index 000000000000..ae24c4db6ec8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/upower/default.nix
@@ -0,0 +1,155 @@
+{ lib
+, stdenv
+, fetchFromGitLab
+, fetchpatch
+, pkg-config
+, rsync
+, libxslt
+, meson
+, ninja
+, python3
+, dbus
+, umockdev
+, libeatmydata
+, gtk-doc
+, docbook-xsl-nons
+, udev
+, libgudev
+, libusb1
+, glib
+, gobject-introspection
+, gettext
+, systemd
+, useIMobileDevice ? true
+, libimobiledevice
+, withDocs ? (stdenv.buildPlatform == stdenv.hostPlatform)
+}:
+
+stdenv.mkDerivation rec {
+  pname = "upower";
+  version = "1.90.0";
+
+  outputs = [ "out" "dev" ]
+    ++ lib.optionals withDocs [ "devdoc" ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "upower";
+    repo = "upower";
+    rev = "v${version}";
+    hash = "sha256-+C/4dDg6WTLpBgkpNyxjthSdqYdaTLC8vG6jG1LNJ7w=";
+  };
+
+  strictDeps = true;
+
+  depsBuildBuild = [
+    pkg-config
+  ];
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    python3
+    gtk-doc
+    docbook-xsl-nons
+    gettext
+    gobject-introspection
+    libxslt
+    pkg-config
+    rsync
+  ];
+
+  buildInputs = [
+    libgudev
+    libusb1
+    udev
+    systemd
+    # Duplicate from checkInputs until https://github.com/NixOS/nixpkgs/issues/161570 is solved
+    umockdev
+  ] ++ lib.optionals useIMobileDevice [
+    libimobiledevice
+  ];
+
+  checkInputs = [
+    python3.pkgs.dbus-python
+    python3.pkgs.python-dbusmock
+    python3.pkgs.pygobject3
+    dbus
+    umockdev
+    libeatmydata
+    python3.pkgs.packaging
+  ];
+
+  propagatedBuildInputs = [
+    glib
+  ];
+
+  mesonFlags = [
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "-Dos_backend=linux"
+    "-Dsystemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
+    "-Dudevrulesdir=${placeholder "out"}/lib/udev/rules.d"
+    "-Dudevhwdbdir=${placeholder "out"}/lib/udev/hwdb.d"
+    "-Dintrospection=${if (stdenv.buildPlatform == stdenv.hostPlatform) then "auto" else "disabled"}"
+    "-Dgtk-doc=${lib.boolToString withDocs}"
+  ];
+
+  doCheck = true;
+
+  postPatch = ''
+    patchShebangs src/linux/integration-test.py
+    patchShebangs src/linux/unittest_inspector.py
+  '';
+
+  preCheck = ''
+    # Our gobject-introspection patches make the shared library paths absolute
+    # in the GIR files. When running tests, the library is not yet installed,
+    # though, so we need to replace the absolute path with a local one during build.
+    # We are using a symlink that will be overwitten during installation.
+    mkdir -p "$out/lib"
+    ln -s "$PWD/libupower-glib/libupower-glib.so" "$out/lib/libupower-glib.so.3"
+  '';
+
+  checkPhase = ''
+    runHook preCheck
+
+    # Slow fsync calls can make self-test fail:
+    # https://gitlab.freedesktop.org/upower/upower/-/issues/195
+    eatmydata meson test --print-errorlogs
+
+    runHook postCheck
+  '';
+
+  postInstall = ''
+    # Move stuff from DESTDIR to proper location.
+    # We use rsync to merge the directories.
+    for dir in etc var; do
+        rsync --archive "${DESTDIR}/$dir" "$out"
+        rm --recursive "${DESTDIR}/$dir"
+    done
+    for o in out dev; do
+        rsync --archive "${DESTDIR}/''${!o}" "$(dirname "''${!o}")"
+        rm --recursive "${DESTDIR}/''${!o}"
+    done
+    # Ensure the DESTDIR is removed.
+    rmdir "${DESTDIR}/nix/store" "${DESTDIR}/nix" "${DESTDIR}"
+  '';
+
+  # HACK: We want to install configuration files to $out/etc
+  # but upower should read them from /etc on a NixOS system.
+  # With autotools, it was possible to override Make variables
+  # at install time but Meson does not support this
+  # so we need to convince it to install all files to a temporary
+  # location using DESTDIR and then move it to proper one in postInstall.
+  DESTDIR = "${placeholder "out"}/dest";
+
+  meta = with lib; {
+    homepage = "https://upower.freedesktop.org/";
+    changelog = "https://gitlab.freedesktop.org/upower/upower/-/blob/v${version}/NEWS";
+    description = "A D-Bus service for power management";
+    maintainers = teams.freedesktop.members;
+    platforms = platforms.linux;
+    license = licenses.gpl2Plus;
+  };
+}
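Review bot: `preCheck` plants `$out/lib/libupower-glib.so.3` as a symlink into the build directory and relies on the later install to overwrite it, but nothing in the derivation enforces that. If upstream changes the soname or library directory, the rsync merge in `postInstall` would leave a link in the output that points at the vanished build tree. I would remove it explicitly as the first line of `postInstall`, `rm -f "$out/lib/libupower-glib.so.3"`, before the rsync loop runs. The comment in `preCheck` also has a typo, "overwitten".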
diff --git a/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/default.nix
new file mode 100644
index 000000000000..d04c8ddb9398
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenvNoCC }:
+
+stdenvNoCC.mkDerivation rec {
+  name = "usb-blaster-udev-rules";
+
+  udevRules = ./usb-blaster.rules;
+  dontUnpack = true;
+
+  installPhase = ''
+    install -Dm 644 "${udevRules}" "$out/lib/udev/rules.d/51-usbblaster.rules"
+  '';
+
+  meta = with lib; {
+    description = "udev rules that give NixOS permission to communicate with usb blasters";
+    longDescription = ''
+      udev rules that give NixOS permission to communicate with usb blasters.
+      To use it under NixOS, add
+
+        services.udev.packages = [ pkgs.usb-blaster-udev-rules ];
+
+      to the system configuration.
+    '';
+    license = licenses.free;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/usb-blaster.rules b/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/usb-blaster.rules
new file mode 100644
index 000000000000..0add604ee819
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usb-blaster-udev-rules/usb-blaster.rules
@@ -0,0 +1,8 @@
+# USB-Blaster
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6001", TAG+="uaccess"
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6002", TAG+="uaccess"
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6003", TAG+="uaccess"
+
+# USB-Blaster II
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6010", TAG+="uaccess"
+ATTRS{idVendor}=="09fb", ATTRS{idProduct}=="6810", TAG+="uaccess"
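Review bot: Each rule matches with `ATTRS{...}` and has no `SUBSYSTEM` key, so it applies to the USB device and to every child device below it (interfaces and any character nodes they expose), not just the programmer's own node. `uaccess` then gives the active local seat user access to all of them. If only the raw USB device node is meant, narrow the match to the device itself, e.g. `SUBSYSTEM=="usb", ATTR{idVendor}=="09fb", ATTR{idProduct}=="6001", TAG+="uaccess"`, and likewise for the other four product IDs. A header comment saying which tool needs the access would help whoever audits `services.udev.packages` later.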
diff --git a/nixpkgs/pkgs/os-specific/linux/usbguard/default.nix b/nixpkgs/pkgs/os-specific/linux/usbguard/default.nix
new file mode 100644
index 000000000000..35505af5a1ed
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbguard/default.nix
@@ -0,0 +1,91 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, autoreconfHook
+, installShellFiles
+, nixosTests
+, asciidoc
+, pkg-config
+, libxslt
+, libxml2
+, docbook_xml_dtd_45
+, docbook_xsl
+, dbus-glib
+, libcap_ng
+, libqb
+, libseccomp
+, polkit
+, protobuf
+, audit
+, libgcrypt
+, libsodium
+}:
+
+assert libgcrypt != null -> libsodium == null;
+
+stdenv.mkDerivation rec {
+  version = "1.1.1";
+  pname = "usbguard";
+
+  src = fetchFromGitHub {
+    owner = "USBGuard";
+    repo = pname;
+    rev = "usbguard-${version}";
+    sha256 = "sha256-lAh+l9GF+FHQqv2kEYU5JienZKGwR5e45BYAwjieYgw=";
+    fetchSubmodules = true;
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+    installShellFiles
+    asciidoc
+    pkg-config
+    libxslt # xsltproc
+    libxml2 # xmllint
+    docbook_xml_dtd_45
+    docbook_xsl
+  ];
+
+  buildInputs = [
+    dbus-glib
+    libcap_ng
+    libqb
+    libseccomp
+    polkit
+    protobuf
+    audit
+  ]
+  ++ (lib.optional (libgcrypt != null) libgcrypt)
+  ++ (lib.optional (libsodium != null) libsodium);
+
+  configureFlags = [
+    "--with-bundled-catch"
+    "--with-bundled-pegtl"
+    "--with-dbus"
+    "--with-polkit"
+  ]
+  ++ (lib.optional (libgcrypt != null) "--with-crypto-library=gcrypt")
+  ++ (lib.optional (libsodium != null) "--with-crypto-library=sodium");
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    installShellCompletion --bash --name usbguard.bash scripts/bash_completion/usbguard
+    installShellCompletion --zsh --name _usbguard scripts/usbguard-zsh-completion
+  '';
+
+  passthru.tests = nixosTests.usbguard;
+
+  meta = with lib; {
+    description = "The USBGuard software framework helps to protect your computer against BadUSB";
+    longDescription = ''
+      USBGuard is a software framework for implementing USB device authorization
+      policies (what kind of USB devices are authorized) as well as method of
+      use policies (how a USB device may interact with the system). Simply put,
+      it is a USB device whitelisting tool.
+    '';
+    homepage = "https://usbguard.github.io/";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.tnias ];
+  };
+}
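Review bot: `assert libgcrypt != null -> libsodium == null;` rejects only the case where both libraries are supplied; it accepts both being `null`. In that case neither `--with-crypto-library=` flag is added and the choice is left to whatever configure defaults to or finds. For a tool whose rule hashing depends on the crypto backend, I would require exactly one of them: `assert (libgcrypt != null) != (libsodium != null);`. The assert also fails with plain `callPackage` defaults, since both arguments are then non-null, so a comment such as `# exactly one of libgcrypt/libsodium must be non-null; the caller sets the other to null` would save the next reader a trip to all-packages.nix. `meta` has no `platforms`.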
diff --git a/nixpkgs/pkgs/os-specific/linux/usbip/default.nix b/nixpkgs/pkgs/os-specific/linux/usbip/default.nix
new file mode 100644
index 000000000000..cadf38b106cc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbip/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchpatch, kernel, udev, autoconf, automake, libtool, hwdata, kernelOlder }:
+
+stdenv.mkDerivation {
+  name = "usbip-${kernel.name}";
+
+  src = kernel.src;
+
+  patches = lib.optionals (kernelOlder "5.4") [
+    # fixes build with gcc8
+    ./fix-snprintf-truncation.patch
+    # fixes build with gcc9
+    ./fix-strncpy-truncation.patch
+  ] ++ kernel.patches;
+
+  nativeBuildInputs = [ autoconf automake libtool ];
+  buildInputs = [ udev ];
+
+  NIX_CFLAGS_COMPILE = [ "-Wno-error=address-of-packed-member" ];
+
+  preConfigure = ''
+    cd tools/usb/usbip
+    ./autogen.sh
+  '';
+
+  configureFlags = [ "--with-usbids-dir=${hwdata}/share/hwdata/" ];
+
+  meta = with lib; {
+    homepage = "https://github.com/torvalds/linux/tree/master/tools/usb/usbip";
+    description = "allows to pass USB device from server to client over the network";
+    license = with licenses; [ gpl2Only gpl2Plus ];
+    platforms = platforms.linux;
+    broken = kernelOlder "4.10";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbip/fix-snprintf-truncation.patch b/nixpkgs/pkgs/os-specific/linux/usbip/fix-snprintf-truncation.patch
new file mode 100644
index 000000000000..63fca9ddbfe5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbip/fix-snprintf-truncation.patch
@@ -0,0 +1,13 @@
+diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c
+index 8159fd98680b..7d6eb3e3fe1e 100644
+--- a/tools/usb/usbip/libsrc/vhci_driver.c
++++ b/tools/usb/usbip/libsrc/vhci_driver.c
+@@ -111,7 +111,7 @@ static int parse_status(const char *value)
+ static int refresh_imported_device_list(void)
+ {
+ 	const char *attr_status;
+-	char status[MAX_STATUS_NAME+1] = "status";
++	char status[MAX_STATUS_NAME+2] = "status";
+ 	int i, ret;
+ 
+ 	for (i = 0; i < vhci_driver->ncontrollers; i++) {
diff --git a/nixpkgs/pkgs/os-specific/linux/usbip/fix-strncpy-truncation.patch b/nixpkgs/pkgs/os-specific/linux/usbip/fix-strncpy-truncation.patch
new file mode 100644
index 000000000000..a5c4c97bbc08
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbip/fix-strncpy-truncation.patch
@@ -0,0 +1,37 @@
+diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c
+index bb424638d75b..2fc5837e609a 100644
+--- a/tools/usb/usbip/libsrc/usbip_common.c
++++ b/tools/usb/usbip/libsrc/usbip_common.c
+@@ -226,8 +226,8 @@ int read_usb_device(struct udev_device *sdev, struct usbip_usb_device *udev)
+ 	path = udev_device_get_syspath(sdev);
+ 	name = udev_device_get_sysname(sdev);
+ 
+-	strncpy(udev->path,  path,  SYSFS_PATH_MAX);
+-	strncpy(udev->busid, name, SYSFS_BUS_ID_SIZE);
++	strncpy(udev->path,  path,  SYSFS_PATH_MAX-1);
++	strncpy(udev->busid, name, SYSFS_BUS_ID_SIZE-1);
+ 
+ 	sscanf(name, "%u-%u", &busnum, &devnum);
+ 	udev->busnum = busnum;
+diff --git a/tools/usb/usbip/libsrc/usbip_device_driver.c b/tools/usb/usbip/libsrc/usbip_device_driver.c
+index 5a3726eb44ab..95b416af8b99 100644
+--- a/tools/usb/usbip/libsrc/usbip_device_driver.c
++++ b/tools/usb/usbip/libsrc/usbip_device_driver.c
+@@ -91,7 +91,7 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev)
+ 	copy_descr_attr16(dev, &descr, idProduct);
+ 	copy_descr_attr16(dev, &descr, bcdDevice);
+ 
+-	strncpy(dev->path, path, SYSFS_PATH_MAX);
++	strncpy(dev->path, path, SYSFS_PATH_MAX-1);
+ 
+ 	dev->speed = USB_SPEED_UNKNOWN;
+ 	speed = udev_device_get_sysattr_value(sdev, "current_speed");
+@@ -110,7 +110,7 @@ int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev)
+ 	dev->busnum = 0;
+ 
+ 	name = udev_device_get_sysname(plat);
+-	strncpy(dev->busid, name, SYSFS_BUS_ID_SIZE);
++	strncpy(dev->busid, name, SYSFS_BUS_ID_SIZE-1);
+ 	return 0;
+ err:
+ 	fclose(fd);
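Review bot: Bounding the four `strncpy` calls at `SIZE-1` silences the gcc 9 truncation warning, but `strncpy` still writes no terminator when the source is at least that long. `udev->path`, `udev->busid`, `dev->path` and `dev->busid` are therefore NUL-terminated only if the last byte of each array was already zero, and neither function shows the struct being cleared within these hunks. I would add an explicit terminator after each copy, e.g. `udev->path[SYSFS_PATH_MAX - 1] = '\0';` and `udev->busid[SYSFS_BUS_ID_SIZE - 1] = '\0';`. This assumes the arrays are declared with exactly those sizes; the declarations and the rest of `read_usb_device` and `read_usb_vudc_device` are outside the hunks.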
diff --git a/nixpkgs/pkgs/os-specific/linux/usbrelay/daemon.nix b/nixpkgs/pkgs/os-specific/linux/usbrelay/daemon.nix
new file mode 100644
index 000000000000..e5e4baae9e99
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbrelay/daemon.nix
@@ -0,0 +1,36 @@
+{ stdenv, usbrelay, python3 }:
+let
+  python = python3.withPackages (ps: with ps; [ usbrelay-py paho-mqtt ]);
+in
+# This is a separate derivation, not just an additional output of
+# usbrelay, because otherwise, we have a cyclic dependency between
+# usbrelay (default.nix) and the python module (python.nix).
+stdenv.mkDerivation rec {
+  pname = "usbrelayd";
+
+  inherit (usbrelay) src version;
+
+  postPatch = ''
+    substituteInPlace 'usbrelayd.service' \
+      --replace '/usr/bin/python3' "${python}/bin/python3" \
+      --replace '/usr/sbin/usbrelayd' "$out/bin/usbrelayd"
+  '';
+
+  buildInputs = [ python ];
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall;
+    install -m 644 -D usbrelayd $out/bin/usbrelayd
+    install -m 644 -D usbrelayd.service $out/lib/systemd/system/usbrelayd.service
+    install -m 644 -D 50-usbrelay.rules $out/lib/udev/rules.d/50-usbrelay.rules
+    install -m 644 -D usbrelayd.conf $out/etc/usbrelayd.conf # include this as an example
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "USB Relay MQTT service";
+    inherit (usbrelay.meta) homepage license maintainers platforms;
+  };
+}
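Review bot: `install -m 644 -D usbrelayd $out/bin/usbrelayd` puts a non-executable file into `$out/bin`. It presumably only runs because the rewritten unit file passes it to `${python}/bin/python3`; anyone running `usbrelayd` from a profile gets "permission denied". I would use `install -m 755 -D usbrelayd $out/bin/usbrelayd` so the script is usable on its own, with its shebang patched by the fixup phase. `runHook preInstall;` also has a stray semicolon. Because `usbrelayd.conf` lands in `$out/etc` only as an example, a comment stating where the service actually reads its configuration from would help.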
diff --git a/nixpkgs/pkgs/os-specific/linux/usbrelay/default.nix b/nixpkgs/pkgs/os-specific/linux/usbrelay/default.nix
new file mode 100644
index 000000000000..25388d3b2308
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbrelay/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, lib, fetchFromGitHub, hidapi, installShellFiles }:
+stdenv.mkDerivation rec {
+  pname = "usbrelay";
+  version = "1.0";
+
+  src = fetchFromGitHub {
+    owner = "darrylb123";
+    repo = "usbrelay";
+    rev = version;
+    sha256 = "sha256-5zgpN4a+r0tmw0ISTJM+d9mo+L/qwUvpWPSsykuG0cg=";
+  };
+
+  nativeBuildInputs = [
+    installShellFiles
+  ];
+
+  buildInputs = [
+    hidapi
+  ];
+
+  makeFlags = [
+    "DIR_VERSION=${version}"
+    "PREFIX=${placeholder "out"}"
+  ];
+
+  postInstall = ''
+    installManPage usbrelay.1
+  '';
+
+  meta = with lib; {
+    description = "Tool to control USB HID relays";
+    homepage = "https://github.com/darrylb123/usbrelay";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ wentasah ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbrelay/python.nix b/nixpkgs/pkgs/os-specific/linux/usbrelay/python.nix
new file mode 100644
index 000000000000..02d5ac284eda
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbrelay/python.nix
@@ -0,0 +1,12 @@
+{ buildPythonPackage, usbrelay }:
+
+buildPythonPackage rec {
+  pname = "usbrelay_py";
+  inherit (usbrelay) version src;
+
+  buildInputs = [ usbrelay ];
+
+  pythonImportsCheck = [ "usbrelay_py" ];
+
+  inherit (usbrelay) meta;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbrelay/test.nix b/nixpkgs/pkgs/os-specific/linux/usbrelay/test.nix
new file mode 100644
index 000000000000..dc5847558a69
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbrelay/test.nix
@@ -0,0 +1,63 @@
+# NixOS test for usbrelayd
+#
+# It is not stored in nixos/tests directory, because it requires the
+# USB relay connected to the host computer and as such, it cannot be
+# run automatically.
+#
+# Run this test as:
+#
+#     nix-build test.nix -A driverInteractive && ./result/bin/nixos-test-driver --no-interactive
+#
+# The interactive driver is required because the default
+# (non-interactive) driver uses qemu without support for passing USB
+# devices to the guest (see
+# https://discourse.nixos.org/t/hardware-dependent-nixos-tests/18564
+# for discussion of other alternatives).
+
+import ../../../../nixos/tests/make-test-python.nix ({ pkgs, ... }: {
+  name = "usbrelayd";
+
+  nodes.machine = {
+    virtualisation.qemu.options = [
+      "-device qemu-xhci"
+      "-device usb-host,vendorid=0x16c0,productid=0x05df"
+    ];
+    services.usbrelayd.enable = true;
+    systemd.services.usbrelayd = {
+      after = [ "mosquitto.service" ];
+    };
+    services.mosquitto = {
+      enable = true;
+      listeners = [{
+        acl = [ "pattern readwrite #" ];
+        omitPasswordAuth = true;
+        settings.allow_anonymous = true;
+      }];
+    };
+    environment.systemPackages = [
+      pkgs.usbrelay
+      pkgs.mosquitto
+    ];
+    documentation.nixos.enable = false; # building nixos manual takes long time
+  };
+
+  testScript = ''
+    if os.waitstatus_to_exitcode(os.system("lsusb -d 16c0:05df")) != 0:
+        print("No USB relay detected, skipping test")
+        import sys
+        sys.exit(2)
+    machine.start()
+    # usbrelayd is started by udev when an relay is detected
+    machine.wait_for_unit("usbrelayd.service")
+
+    stdout = machine.succeed("usbrelay")
+    relay_id = stdout.split(sep="_")[0]
+    assert relay_id != ""
+    import time
+    time.sleep(1)
+    machine.succeed(f"mosquitto_pub -h localhost -t cmnd/{relay_id}/1 -m ON")
+    time.sleep(1)
+    machine.succeed(f"mosquitto_pub -h localhost -t cmnd/{relay_id}/1 -m OFF")
+    print("Did you see the relay switching on and off?")
+  '';
+})
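Review bot: The mosquitto listener allows anonymous clients `pattern readwrite #` and sets no `address`, so as written the broker is not restricted to loopback even though the test only publishes to `localhost`. Inside a throwaway VM the exposure is small, but this file is also the only worked example of a usbrelayd setup, and any client that can reach such a broker can switch the relays. I would add `address = "127.0.0.1";` to the listener and a comment above it, `# test only: anonymous read/write on all topics; do not copy into a real configuration`. The `testScript` also calls `os.system` with no `import os` in view, which is worth confirming against the test driver's globals.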
diff --git a/nixpkgs/pkgs/os-specific/linux/usbtop/default.nix b/nixpkgs/pkgs/os-specific/linux/usbtop/default.nix
new file mode 100644
index 000000000000..fb3d32df09a0
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbtop/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub
+, cmake
+, libpcap, boost }:
+
+stdenv.mkDerivation rec {
+  pname = "usbtop";
+  version = "1.0";
+
+  src = fetchFromGitHub {
+    owner = "aguinet";
+    repo = pname;
+    rev = "release-${version}";
+    sha256 = "0qbad0aq6j4jrh90l6a0akk71wdzhyzmy6q8wl138axyj2bp9kss";
+  };
+
+  nativeBuildInputs = [ cmake ];
+  buildInputs = [ libpcap boost ];
+
+  meta = with lib; {
+    homepage = "https://github.com/aguinet/usbtop";
+    description = "A top utility that shows an estimated instantaneous bandwidth on USB buses and devices";
+    maintainers = with maintainers; [ ];
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbutils/default.nix b/nixpkgs/pkgs/os-specific/linux/usbutils/default.nix
new file mode 100644
index 000000000000..0e0163c2ae2a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbutils/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchurl, substituteAll, autoreconfHook, pkg-config, libusb1, hwdata, python3 }:
+
+stdenv.mkDerivation rec {
+  pname = "usbutils";
+  version = "014";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/usb/usbutils/usbutils-${version}.tar.xz";
+    sha256 = "sha256-Ogec+tYFYCJ7ZxkkgteBO/ljJvy7ZsBCVIOXFfJ2/Gk=";
+  };
+
+  patches = [
+    (substituteAll {
+      src = ./fix-paths.patch;
+      inherit hwdata;
+    })
+  ];
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  buildInputs = [ libusb1 python3 ];
+
+  outputs = [ "out" "man" "python" ];
+  postInstall = ''
+    moveToOutput "bin/lsusb.py" "$python"
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.linux-usb.org/";
+    description = "Tools for working with USB devices, such as lsusb";
+    maintainers = with maintainers; [ ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/usbutils/fix-paths.patch b/nixpkgs/pkgs/os-specific/linux/usbutils/fix-paths.patch
new file mode 100644
index 000000000000..ef63a41e726c
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usbutils/fix-paths.patch
@@ -0,0 +1,11 @@
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -61,7 +61,7 @@ EXTRA_DIST = \
+ 	LICENSES/GPL-3.0-only.txt
+ 
+ lsusb.py: $(srcdir)/lsusb.py.in
+-	sed 's|VERSION|$(VERSION)|g;s|@usbids@|$(datadir)/usb.ids|g' $< >$@
++	sed 's|VERSION|$(VERSION)|g;s|@usbids@|@hwdata@/share/hwdata/usb.ids|g' $< >$@
+ 	chmod 755 $@
+ 
+ lsusb.8: $(srcdir)/lsusb.8.in
diff --git a/nixpkgs/pkgs/os-specific/linux/usermount/default.nix b/nixpkgs/pkgs/os-specific/linux/usermount/default.nix
new file mode 100644
index 000000000000..934367dcd11b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/usermount/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, dbus, libnotify, udisks2, gdk-pixbuf }:
+
+stdenv.mkDerivation {
+  pname = "usermount";
+  version = "0.1";
+
+  src = fetchFromGitHub {
+    owner = "tom5760";
+    repo = "usermount";
+    rev = "0d6aba3c1f8fec80de502f5b92fd8b28041cc8e4";
+    sha256 = "sha256-giMHUVYdAygiemYru20VxpQixr5aGgHhevNkHvkG9z4=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ dbus libnotify udisks2 gdk-pixbuf ];
+
+  NIX_CFLAGS_COMPILE = "-DENABLE_NOTIFICATIONS";
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mv usermount $out/bin/
+  '';
+
+  meta = {
+    homepage = "https://github.com/tom5760/usermount";
+    description = "A simple tool to automatically mount removable drives using UDisks2 and D-Bus";
+    license = lib.licenses.mit;
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/util-linux/default.nix b/nixpkgs/pkgs/os-specific/linux/util-linux/default.nix
new file mode 100644
index 000000000000..cb323e623bed
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/util-linux/default.nix
@@ -0,0 +1,90 @@
+{ lib, stdenv, fetchurl, pkg-config, zlib, shadow
+, capabilitiesSupport ? true
+, libcap_ng
+, ncursesSupport ? true
+, ncurses
+, pamSupport ? true
+, pam
+, systemdSupport ? stdenv.isLinux && !stdenv.hostPlatform.isStatic
+, systemd
+, nlsSupport ? true
+, translateManpages ? true
+, po4a
+}:
+
+stdenv.mkDerivation rec {
+  pname = "util-linux" + lib.optionalString (!nlsSupport && !ncursesSupport && !systemdSupport) "-minimal";
+  version = "2.38";
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor version}/util-linux-${version}.tar.xz";
+    hash = "sha256-bREcvk1VszbbLx++/7xluJkIcEwBE2Nx0yqpvsNz62Q=";
+  };
+
+  patches = [
+    ./rtcwake-search-PATH-for-shutdown.patch
+  ];
+
+  outputs = [ "bin" "dev" "out" "lib" "man" ];
+  separateDebugInfo = true;
+
+  postPatch = ''
+    patchShebangs tests/run.sh
+
+    substituteInPlace include/pathnames.h \
+      --replace "/bin/login" "${shadow}/bin/login"
+    substituteInPlace sys-utils/eject.c \
+      --replace "/bin/umount" "$bin/bin/umount"
+  '';
+
+  # !!! It would be better to obtain the path to the mount helpers
+  # (/sbin/mount.*) through an environment variable, but that's
+  # somewhat risky because we have to consider that mount can setuid
+  # root...
+  configureFlags = [
+    "--localstatedir=/var"
+    "--enable-write"
+    "--disable-use-tty-group"
+    "--enable-fs-paths-default=/run/wrappers/bin:/run/current-system/sw/bin:/sbin"
+    "--disable-makeinstall-setuid" "--disable-makeinstall-chown"
+    "--disable-su" # provided by shadow
+    (lib.enableFeature nlsSupport "nls")
+    (lib.withFeature ncursesSupport "ncursesw")
+    (lib.withFeature systemdSupport "systemd")
+    (lib.withFeatureAs systemdSupport
+       "systemdsystemunitdir" "${placeholder "bin"}/lib/systemd/system/")
+    (lib.enableFeature translateManpages "poman")
+    "SYSCONFSTATICDIR=${placeholder "lib"}/lib"
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform)
+       "scanf_cv_type_modifier=ms"
+  ;
+
+  makeFlags = [
+    "usrbin_execdir=${placeholder "bin"}/bin"
+    "usrlib_execdir=${placeholder "lib"}/lib"
+    "usrsbin_execdir=${placeholder "bin"}/sbin"
+  ];
+
+  nativeBuildInputs = [ pkg-config ]
+    ++ lib.optionals translateManpages [ po4a ];
+
+  buildInputs = [ zlib ]
+    ++ lib.optionals pamSupport [ pam ]
+    ++ lib.optionals capabilitiesSupport [ libcap_ng ]
+    ++ lib.optionals ncursesSupport [ ncurses ]
+    ++ lib.optionals systemdSupport [ systemd ];
+
+  doCheck = false; # "For development purpose only. Don't execute on production system!"
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://www.kernel.org/pub/linux/utils/util-linux/";
+    description = "A set of system utilities for Linux";
+    changelog = "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v${lib.versions.majorMinor version}/v${version}-ReleaseNotes";
+    # https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/tree/README.licensing
+    license = with licenses; [ gpl2Only gpl2Plus gpl3Plus lgpl21Plus bsd3 bsdOriginalUC publicDomain ];
+    platforms = platforms.linux;
+    priority = 6; # lower priority than coreutils ("kill") and shadow ("login" etc.) packages
+  };
+}
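Review bot: The `!!!` comment above `configureFlags` describes a constraint on the mount helper search path, but it does not say which flag implements it, and the two disabled install flags carry no explanation at all. I would move the reasoning next to the flag it concerns, e.g. `# mount can run setuid root, so the helper search path is fixed at build time rather than taken from the environment` directly above `"--enable-fs-paths-default=..."`. I would also add `# no setuid bits or chown at install time; privileged copies presumably come from /run/wrappers/bin` beside `"--disable-makeinstall-setuid" "--disable-makeinstall-chown"`. The order of the three directories matters, since presumably the first match wins when a `mount.*` helper is looked up, so it is worth stating that `/run/wrappers/bin` is meant to come first.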
diff --git a/nixpkgs/pkgs/os-specific/linux/util-linux/rtcwake-search-PATH-for-shutdown.patch b/nixpkgs/pkgs/os-specific/linux/util-linux/rtcwake-search-PATH-for-shutdown.patch
new file mode 100644
index 000000000000..52c970a18f3d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/util-linux/rtcwake-search-PATH-for-shutdown.patch
@@ -0,0 +1,69 @@
+Search $PATH for the shutdown binary instead of hard-coding /sbin/shutdown,
+which isn't valid on NixOS (and a compatibility link on most other modern
+distros anyway).
+
+--- a/include/pathnames.h
++++ b/include/pathnames.h
+@@ -50,8 +50,8 @@
+ #ifndef _PATH_LOGIN
+ # define _PATH_LOGIN		"/bin/login"
+ #endif
+-#define _PATH_SHUTDOWN		"/sbin/shutdown"
+-#define _PATH_POWEROFF		"/sbin/poweroff"
++#define _PATH_SHUTDOWN		"shutdown"
++#define _PATH_POWEROFF		"poweroff"
+ 
+ #define _PATH_TERMCOLORS_DIRNAME "terminal-colors.d"
+ #define _PATH_TERMCOLORS_DIR	"/etc/" _PATH_TERMCOLORS_DIRNAME
+--- a/sys-utils/rtcwake.c
++++ b/sys-utils/rtcwake.c
+@@ -587,29 +587,29 @@ int main(int argc, char **argv)
+ 		char *arg[5];
+ 		int i = 0;
+ 
+-		if (!access(_PATH_SHUTDOWN, X_OK)) {
+-			arg[i++] = _PATH_SHUTDOWN;
+-			arg[i++] = "-h";
+-			arg[i++] = "-P";
+-			arg[i++] = "now";
+-			arg[i]   = NULL;
+-		} else if (!access(_PATH_POWEROFF, X_OK)) {
+-			arg[i++] = _PATH_POWEROFF;
+-			arg[i]   = NULL;
+-		} else {
+-			arg[i] 	 = NULL;
+-		}
++		arg[i++] = _PATH_SHUTDOWN;
++		arg[i++] = "-h";
++		arg[i++] = "-P";
++		arg[i++] = "now";
++		arg[i]   = NULL;
+ 
+-		if (arg[0]) {
+-			if (ctl.verbose)
+-				printf(_("suspend mode: off; executing %s\n"),
+-						arg[0]);
+-			if (!ctl.dryrun) {
+-				execv(arg[0], arg);
++		if (ctl.verbose)
++			printf(_("suspend mode: off; executing %s\n"),
++					arg[0]);
++
++		if (!ctl.dryrun) {
++			execvp(arg[0], arg);
++			if (ctl.verbose) {
+ 				warn(_("failed to execute %s"), arg[0]);
+-				rc = EX_EXEC_ENOENT;
++				// Reuse translations.
++				printf(_("suspend mode: off; executing %s\n"),
++						_PATH_POWEROFF);
+ 			}
+-		} else {
++
++			i = 0;
++			arg[i++] = _PATH_POWEROFF;
++			arg[i]   = NULL;
++			execvp(arg[0], arg);
+ 			/* Failed to find shutdown command */
+ 			warn(_("failed to find shutdown command"));
+ 			rc = EX_EXEC_ENOENT;
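Review bot: Replacing `execv` on an absolute path with `execvp(arg[0], arg)` makes the program rtcwake runs for `shutdown` and `poweroff` depend on the caller's `$PATH`, and the patch description does not state the trust assumption behind that. rtcwake is normally run with root privileges, so if it is reached through a path that keeps the caller's environment (a sudo rule or wrapper script that preserves `PATH`, for instance), whatever `shutdown` resolves first is what runs as root. I would record the assumption in the patch header, or have the Nix expression substitute fixed paths as it already does for `/bin/login` and `/bin/umount`. Separately, `warn(_("failed to execute %s"), arg[0]);` now sits inside `if (ctl.verbose)`, so a failed `shutdown` exec is silent without verbose, where the old code always warned. The enclosing block in `main` continues past the end of this hunk.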
diff --git a/nixpkgs/pkgs/os-specific/linux/uvcdynctrl/default.nix b/nixpkgs/pkgs/os-specific/linux/uvcdynctrl/default.nix
new file mode 100644
index 000000000000..d5f3a729978d
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/uvcdynctrl/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, libxml2 }:
+
+stdenv.mkDerivation {
+  version = "0.3.0";
+  pname = "uvcdynctrl";
+
+  src = fetchFromGitHub {
+    owner = "cshorler";
+    repo = "webcam-tools";
+    rev = "bee2ef3c9e350fd859f08cd0e6745871e5f55cb9";
+    sha256 = "0s15xxgdx8lnka7vi8llbf6b0j4rhbjl6yp0qxaihysf890xj73s";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libxml2 ];
+
+  prePatch = ''
+    local fixup_list=(
+      uvcdynctrl/CMakeLists.txt
+      uvcdynctrl/udev/rules/80-uvcdynctrl.rules
+      uvcdynctrl/udev/scripts/uvcdynctrl
+    )
+    for f in "''${fixup_list[@]}"; do
+      substituteInPlace "$f" \
+        --replace "/etc/udev" "$out/etc/udev" \
+        --replace "/lib/udev" "$out/lib/udev"
+    done
+  '';
+
+  meta = with lib; {
+    description = "A simple interface for devices supported by the linux UVC driver";
+    homepage = "http://guvcview.sourceforge.net";
+    license = licenses.gpl3Plus;
+    maintainers = [ maintainers.puffnfresh ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/v4l-utils/default.nix b/nixpkgs/pkgs/os-specific/linux/v4l-utils/default.nix
new file mode 100644
index 000000000000..f8d0c9be0d90
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/v4l-utils/default.nix
@@ -0,0 +1,58 @@
+{ stdenv, lib, fetchurl, pkg-config, perl
+, argp-standalone, libjpeg, udev
+, withUtils ? true
+, withGUI ? true, alsa-lib, libX11, qtbase, libGLU, wrapQtAppsHook
+}:
+
+# See libv4l in all-packages.nix for the libs only (overrides alsa, libX11 & QT)
+
+let
+  withQt = withUtils && withGUI;
+
+# we need to use stdenv.mkDerivation in order not to pollute the libv4l’s closure with Qt
+in stdenv.mkDerivation rec {
+  pname = "v4l-utils";
+  version = "1.22.1";
+
+  src = fetchurl {
+    url = "https://linuxtv.org/downloads/${pname}/${pname}-${version}.tar.bz2";
+    hash = "sha256-Zcb76DCkTKEFxEOwJxgsGyyQU6kdHnKthJ36s4i5TjE=";
+  };
+
+  outputs = [ "out" ] ++ lib.optional withUtils "lib" ++ [ "dev" ];
+
+  configureFlags = (if withUtils then [
+    "--with-localedir=${placeholder "lib"}/share/locale"
+    "--with-udevdir=${placeholder "out"}/lib/udev"
+  ] else [
+    "--disable-v4l-utils"
+  ]);
+
+  postFixup = ''
+    # Create symlink for V4l1 compatibility
+    ln -s "$dev/include/libv4l1-videodev.h" "$dev/include/videodev.h"
+  '';
+
+  nativeBuildInputs = [ pkg-config perl ] ++ lib.optional withQt wrapQtAppsHook;
+
+  buildInputs = [ udev ]
+    ++ lib.optional (!stdenv.hostPlatform.isGnu) argp-standalone
+    ++ lib.optionals withQt [ alsa-lib libX11 qtbase libGLU ];
+
+  propagatedBuildInputs = [ libjpeg ];
+
+  postPatch = ''
+    patchShebangs utils/
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "V4L utils and libv4l, provide common image formats regardless of the v4l device";
+    homepage = "https://linuxtv.org/projects.php";
+    changelog = "https://git.linuxtv.org/v4l-utils.git/plain/ChangeLog?h=v4l-utils-${version}";
+    license = with licenses; [ lgpl21Plus gpl2Plus ];
+    maintainers = with maintainers; [ codyopel ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/v4l2loopback/default.nix b/nixpkgs/pkgs/os-specific/linux/v4l2loopback/default.nix
new file mode 100644
index 000000000000..095d873e66cb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchFromGitHub, kernel, kmod }:
+
+stdenv.mkDerivation rec {
+  pname = "v4l2loopback";
+  version = "unstable-2021-07-13-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "umlaeute";
+    repo = "v4l2loopback";
+    rev = "baf9de279afc7a7c7513e9c40a0c9ff88f456af4";
+    sha256 = "sha256-uglYTeqz81fgkKYYU9Cw8x9+S088jGxDEGkb3rmkhrw==";
+  };
+
+  hardeningDisable = [ "format" "pic" ];
+
+  preBuild = ''
+    substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
+    sed -i '/depmod/d' Makefile
+  '';
+
+  nativeBuildInputs = [ kmod ] ++ kernel.moduleBuildDependencies;
+
+  postInstall = ''
+    make install-utils PREFIX=$bin
+  '';
+
+  outputs = [ "out" "bin" ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    description = "A kernel module to create V4L2 loopback devices";
+    homepage = "https://github.com/umlaeute/v4l2loopback";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fortuneteller2k ];
+    platforms = platforms.linux;
+    outputsToInstall = [ "out" ];
+  };
+}
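Review bot: `hardeningDisable = [ "format" "pic" ];` switches off two hardening flags without a comment, and only `pic` has the usual kernel-module justification. The same unexplained `"pic" "format"` list appears in the virtio_vmmci and vmm_clock hunks, v86d drops `stackprotector`, and virtualbox-modules drops `fortify` and `stackprotector` as well. I would add a one-line reason per flag, e.g. `# format: upstream build fails with -Werror=format-security (TODO confirm still needed)`, so each exemption can be removed once upstream no longer needs it. The `sha256` string here also ends in `==`, one padding character more than a 32-byte digest encodes to, so it is worth regenerating to make the pin a well-formed SRI value.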
diff --git a/nixpkgs/pkgs/os-specific/linux/v86d/default.nix b/nixpkgs/pkgs/os-specific/linux/v86d/default.nix
new file mode 100644
index 000000000000..dbc98344c5ec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/v86d/default.nix
@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+, klibc
+}:
+
+let
+  pversion = "0.1.10";
+in stdenv.mkDerivation rec {
+  pname = "v86d";
+  version = "${pversion}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "mjanusz";
+    repo = "v86d";
+    rev = "v86d-${pversion}";
+    hash = "sha256-95LRzVbO/DyddmPwQNNQ290tasCGoQk7FDHlst6LkbA=";
+  };
+
+  patchPhase = ''
+    patchShebangs configure
+  '';
+
+  configureFlags = [ "--with-klibc" "--with-x86emu" ];
+
+  hardeningDisable = [ "stackprotector" ];
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
+    "DESTDIR=$(out)"
+  ];
+
+  configurePhase = ''
+    ./configure $configureFlags
+  '';
+
+  buildInputs = [ klibc ];
+
+  meta = with lib; {
+    description = "A daemon to run x86 code in an emulated environment";
+    homepage = "https://github.com/mjanusz/v86d";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ codyopel ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
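Review bot: Setting `patchPhase` directly replaces the whole phase, so a `patches = [ ... ]` list added later (for example a downstream security fix) would be silently skipped. `postPatch = ''patchShebangs configure'';` does the same job without that trap. The hand-written `configurePhase` likewise runs no `runHook preConfigure` / `runHook postConfigure`, so overrides that rely on those hooks will not fire. `license = licenses.gpl2;` is ambiguous between the only and or-later variants that other expressions in this commit spell out (`gpl2Only`, `gpl2Plus`).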
diff --git a/nixpkgs/pkgs/os-specific/linux/vdo/default.nix b/nixpkgs/pkgs/os-specific/linux/vdo/default.nix
new file mode 100644
index 000000000000..d9033e65876b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vdo/default.nix
@@ -0,0 +1,64 @@
+{ lib, stdenv
+, fetchFromGitHub
+, installShellFiles
+, libuuid
+, lvm2_dmeventd  # <libdevmapper-event.h>
+, zlib
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "vdo";
+  version = "8.2.0.2";  # kvdo uses this!
+
+  src = fetchFromGitHub {
+    owner = "dm-vdo";
+    repo = pname;
+    rev = version;
+    hash = "sha256-IP/nL4jQ+rIWuUxXUiBtlIKTMZCNelvxgTfTcaB1it0=";
+  };
+
+  nativeBuildInputs = [
+    installShellFiles
+  ];
+
+  buildInputs = [
+    libuuid
+    lvm2_dmeventd
+    zlib
+    python3.pkgs.wrapPython
+  ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    pyyaml
+  ];
+
+  pythonPath = propagatedBuildInputs;
+
+  makeFlags = [
+    "DESTDIR=${placeholder "out"}"
+    "INSTALLOWNER="
+    # all of these paths are relative to DESTDIR and have defaults that don't work for us
+    "bindir=/bin"
+    "defaultdocdir=/share/doc"
+    "mandir=/share/man"
+    "python3_sitelib=${python3.sitePackages}"
+  ];
+
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    installShellCompletion --bash $out/bash_completion.d/*
+    rm -r $out/bash_completion.d
+
+    wrapPythonPrograms
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/dm-vdo/vdo";
+    description = "A set of userspace tools for managing pools of deduplicated and/or compressed block storage";
+    platforms = platforms.linux;
+    license = with licenses; [ gpl2Plus ];
+    maintainers = with maintainers; [ ajs124 ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/veikk-linux-driver/default.nix b/nixpkgs/pkgs/os-specific/linux/veikk-linux-driver/default.nix
new file mode 100644
index 000000000000..8cf4896ae027
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/veikk-linux-driver/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "veikk-linux-driver";
+  version = "2.0";
+
+  src = fetchFromGitHub {
+    owner = "jlam55555";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "11mg74ds58jwvdmi3i7c4chxs6v9g09r9ll22pc2kbxjdnrp8zrn";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildInputs = [ kernel ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "BUILD_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/veikk
+    install -Dm755 veikk.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/veikk
+  '';
+
+  meta = with lib; {
+    description = "Linux driver for VEIKK-brand digitizers";
+    homepage = "https://github.com/jlam55555/veikk-linux-driver/";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ nicbk ];
+    broken = kernel.kernelOlder "4.19";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/vendor-reset/default.nix b/nixpkgs/pkgs/os-specific/linux/vendor-reset/default.nix
new file mode 100644
index 000000000000..f4430f3224ae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vendor-reset/default.nix
@@ -0,0 +1,46 @@
+{ stdenv, fetchFromGitHub, fetchpatch, kernel, lib }:
+
+stdenv.mkDerivation rec {
+  pname = "vendor-reset";
+  version = "unstable-2021-02-16-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "gnif";
+    repo = "vendor-reset";
+    rev = "225a49a40941e350899e456366265cf82b87ad25";
+    sha256 = "sha256-xa7P7+mRk4FVgi+YYCcsFLfyNqPmXvy3xhGoTDVqPxw=";
+  };
+
+  patches = [
+    # Fix build with Linux 5.18.
+    # https://github.com/gnif/vendor-reset/pull/58
+    (fetchpatch {
+      url = "https://github.com/gnif/vendor-reset/commit/5bbffcd6fee5348e8808bdbfcb5b21d455b02f55.patch";
+      sha256 = "sha256-L1QxVpcZAVYiaMFCBfL2EJgeMyOR8sDa1UqF1QB3bns=";
+    })
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D vendor-reset.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/misc/"
+  '';
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Linux kernel vendor specific hardware reset module";
+    homepage = "https://github.com/gnif/vendor-reset";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ ];
+    platforms = [ "x86_64-linux" ];
+    broken = kernel.kernelOlder "4.19";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/virtio_vmmci/default.nix b/nixpkgs/pkgs/os-specific/linux/virtio_vmmci/default.nix
new file mode 100644
index 000000000000..ccf462702fd3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/virtio_vmmci/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "virtio_vmmci";
+  version = "0.4.0";
+
+  src = fetchFromGitHub {
+    owner = "voutilad";
+    repo = "virtio_vmmci";
+    rev = "${version}";
+    sha256 = "104xnpcy5kb4y7ipy1fx1v6byddzs63bv2dqjy3yl23n764fsy43";
+  };
+
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  extraConfig = ''
+    CONFIG_RTC_HCTOSYS yes
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "DEPMOD=echo"
+    "INSTALL_MOD_PATH=$(out)"
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    description = "An OpenBSD VMM Control Interface (vmmci) for Linux";
+    homepage = "https://github.com/voutilad/virtio_vmmci";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ qbit ];
+    platforms = platforms.linux;
+  };
+
+  enableParallelBuilding = true;
+}
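Review bot: `extraConfig = '' CONFIG_RTC_HCTOSYS yes '';` does not appear to be consumed by anything in this expression, so as written it neither checks nor enforces that kernel option and reads as if it did; the vmm_clock hunk carries the same block. If the module really depends on the option, that should be expressed where the kernel configuration is built, and here I would replace the attribute with a comment such as `# requires CONFIG_RTC_HCTOSYS in the host kernel config (TODO confirm)`. Both expressions also use `name = "..."` together with `version`, which leaves the version out of the derivation name; `pname = "virtio_vmmci";` (and `pname = "vmm_clock";`) would match the rest of the tree.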
diff --git a/nixpkgs/pkgs/os-specific/linux/virtualbox/default.nix b/nixpkgs/pkgs/os-specific/linux/virtualbox/default.nix
new file mode 100644
index 000000000000..3aae58933c8f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/virtualbox/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, virtualbox, kernel }:
+
+stdenv.mkDerivation {
+  pname = "virtualbox-modules";
+  version = "${virtualbox.version}-${kernel.version}";
+  src = virtualbox.modsrc;
+  hardeningDisable = [
+    "fortify" "pic" "stackprotector"
+  ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  KERN_DIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  makeFlags = [ "INSTALL_MOD_PATH=$(out)" ];
+  installTargets = [ "install" ];
+
+  enableParallelBuilding = true;
+
+  meta = virtualbox.meta // {
+    description = virtualbox.meta.description + " (kernel modules)";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/vm-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/vm-tools/default.nix
new file mode 100644
index 000000000000..c5981bfc2713
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vm-tools/default.nix
@@ -0,0 +1,16 @@
+{ lib, stdenv, linux }:
+
+stdenv.mkDerivation {
+  pname = "vm-tools";
+  inherit (linux) version src;
+
+  makeFlags = [ "sbindir=${placeholder "out"}/bin" ];
+
+  preConfigure = "cd tools/vm";
+
+  meta = with lib; {
+    inherit (linux.meta) license platforms;
+    description = "Set of virtual memory tools";
+    maintainers = [ maintainers.evils ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/vmm_clock/default.nix b/nixpkgs/pkgs/os-specific/linux/vmm_clock/default.nix
new file mode 100644
index 000000000000..b630ed4749fa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vmm_clock/default.nix
@@ -0,0 +1,39 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  name = "vmm_clock";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "voutilad";
+    repo = "vmm_clock";
+    rev = "${version}";
+    sha256 = "0hg7ywznh6v11fywsz6f7w298bxph0wwm046zqaqncjvr4aizla4";
+  };
+
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  extraConfig = ''
+    CONFIG_RTC_HCTOSYS yes
+  '';
+
+  makeFlags = kernel.makeFlags ++ [
+    "DEPMOD=echo"
+    "INSTALL_MOD_PATH=$(out)"
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNELDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  meta = with lib; {
+    broken = kernel.kernelOlder "4.19";
+    description =
+      "Experimental implementation of a kvmclock-derived clocksource for Linux guests under OpenBSD's hypervisor";
+    homepage = "https://github.com/voutilad/vmm_clock";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ qbit ];
+    platforms = platforms.linux;
+  };
+
+  enableParallelBuilding = true;
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/vmware/default.nix b/nixpkgs/pkgs/os-specific/linux/vmware/default.nix
new file mode 100644
index 000000000000..ecc43bf3f3a9
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/vmware/default.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, fetchFromGitHub, kernel, kmod, gnugrep, vmware-workstation }:
+
+stdenv.mkDerivation rec {
+  pname = "vmware-modules";
+  version = "${vmware-workstation.version}-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "mkubecek";
+    repo = "vmware-host-modules";
+    rev = "w${vmware-workstation.version}-k5.18";
+    sha256 = "sha256-sAeCjaSrBXGP5szfCY5CpMrGwzCw4aM67EN+YfA3AWA=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  enableParallelBuilding = true;
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace '/lib/modules/$(VM_UNAME)/misc' "$out/lib/modules/${kernel.modDirVersion}/misc" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/modinfo "${kmod}/bin/modinfo" \
+      --replace 'test -z "$(DESTDIR)"' "0"
+
+    for module in "vmmon-only" "vmnet-only"; do
+      substituteInPlace "./$module/Makefile" \
+        --replace '/lib/modules/' "${kernel.dev}/lib/modules/" \
+        --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+        --replace /bin/grep "${gnugrep}/bin/grep"
+    done
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/misc"
+  '';
+
+  meta = with lib; {
+    description = "Kernel modules needed for VMware hypervisor";
+    homepage = "https://github.com/mkubecek/vmware-host-modules";
+    license = licenses.gpl2Only;
+    platforms = [ "x86_64-linux" ];
+    broken = (kernel.kernelOlder "5.5" && kernel.isHardened) || kernel.kernelAtLeast "5.19";
+    maintainers = with maintainers; [ deinferno ];
+  };
+}
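Review bot: `rev = "w${vmware-workstation.version}-k5.18";` is computed from another package's version while `sha256` is a fixed literal, and nothing in the expression ties the two together. Because a fixed-output fetch is identified by its hash, bumping `vmware-workstation.version` without touching this hash can keep building from an already-fetched copy of the old source instead of failing. I would add `# sha256 must be refreshed whenever vmware-workstation.version changes; a stale hash can silently reuse the old source` above `src`. The `rev` also looks like a tag or branch name rather than a commit id, so the hash is the only thing pinning the content.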
diff --git a/nixpkgs/pkgs/os-specific/linux/waydroid/default.nix b/nixpkgs/pkgs/os-specific/linux/waydroid/default.nix
new file mode 100644
index 000000000000..0a0a4019e983
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/waydroid/default.nix
@@ -0,0 +1,78 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, python3Packages
+, dnsmasq
+, getent
+, kmod
+, lxc
+, iproute2
+, iptables
+, nftables
+, util-linux
+, which
+, xclip
+}:
+
+python3Packages.buildPythonApplication rec {
+  pname = "waydroid";
+  version = "1.2.1";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-Sf1rl8GCSTuneuYroGqsm9Aq2rBurpyswOrfCq2mWOs=";
+  };
+
+  propagatedBuildInputs = with python3Packages; [
+    gbinder-python
+    pyclip
+    pygobject3
+  ];
+
+  dontUseSetuptoolsBuild = true;
+  dontUsePipInstall = true;
+  dontUseSetuptoolsCheck = true;
+  dontWrapPythonPrograms = true;
+
+  installPhase = ''
+    mkdir -p $out/${python3Packages.python.sitePackages}
+
+    cp -ra tools $out/${python3Packages.python.sitePackages}/tools
+
+    cp -ra data $out/${python3Packages.python.sitePackages}/data
+    wrapProgram $out/${python3Packages.python.sitePackages}/data/scripts/waydroid-net.sh \
+       --prefix PATH ":" ${lib.makeBinPath [ dnsmasq getent iproute2 iptables nftables ]}
+
+    mkdir -p $out/share/waydroid/gbinder.d
+    cp gbinder/anbox.conf $out/share/waydroid/gbinder.d/anbox.conf
+
+    mkdir -p $out/share/applications
+    ln -s $out/${python3Packages.python.sitePackages}/data/Waydroid.desktop $out/share/applications/Waydroid.desktop
+
+    mkdir $out/bin
+    cp -a waydroid.py $out/${python3Packages.python.sitePackages}/waydroid.py
+    ln -s $out/${python3Packages.python.sitePackages}/waydroid.py $out/bin/waydroid
+
+    wrapPythonProgramsIn $out/${python3Packages.python.sitePackages} "${lib.concatStringsSep " " [
+      "$out"
+      python3Packages.gbinder-python
+      python3Packages.pygobject3
+      python3Packages.pyclip
+      kmod
+      lxc
+      util-linux
+      which
+      xclip
+    ]}"
+  '';
+
+  meta = with lib; {
+    description = "Waydroid is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu";
+    homepage = "https://github.com/waydroid/waydroid";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mcaju ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/wireguard/default.nix b/nixpkgs/pkgs/os-specific/linux/wireguard/default.nix
new file mode 100644
index 000000000000..a47fb30c1b39
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wireguard/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchzip, kernel, perl, wireguard-tools, bc }:
+
+# wireguard upstreamed since 5.6 https://lists.zx2c4.com/pipermail/wireguard/2019-December/004704.html
+assert lib.versionOlder kernel.version "5.6";
+
+stdenv.mkDerivation rec {
+  pname = "wireguard";
+  version = "1.0.20211208";
+
+  src = fetchzip {
+    url = "https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${version}.tar.xz";
+    sha256 = "sha256-MHC4ojhRD8IGwTUE8oEew8IVof9hQCC7CPgVQIBfBRQ=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  nativeBuildInputs = [ perl bc ] ++ kernel.moduleBuildDependencies;
+
+  preBuild = "cd src";
+  buildFlags = [ "module" ];
+
+  INSTALL_MOD_PATH = placeholder "out";
+  installFlags = [ "DEPMOD=true" ];
+  enableParallelBuilding = true;
+
+  passthru = {
+    # remove this when our kernel comes with native wireguard support
+    # and our tests no longer tests this package
+    inherit (wireguard-tools) tests;
+  };
+
+  meta = with lib; {
+    inherit (wireguard-tools.meta) homepage license maintainers;
+    description = "Kernel module for the WireGuard secure network tunnel";
+    longDescription = ''
+      Backport of WireGuard for kernels 3.10 to 5.5, as an out of tree module.
+      (as WireGuard was merged into the Linux kernel for 5.6)
+    '';
+    downloadPage = "https://git.zx2c4.com/wireguard-linux-compat/refs/";
+    platforms = platforms.linux;
+  };
+}
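Review bot: `assert lib.versionOlder kernel.version "5.6";` aborts evaluation for any kernel set at 5.6 or newer, whereas the other out-of-tree modules in this commit express kernel limits through `meta.broken`. Using `broken = kernel.kernelAtLeast "5.6";` inside `meta` keeps the same restriction but lets tooling that walks all kernel package sets skip the package instead of erroring. The upstream-merge comment on the line above the assert should move with it.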
diff --git a/nixpkgs/pkgs/os-specific/linux/wireless-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/wireless-tools/default.nix
new file mode 100644
index 000000000000..fbe5d95e2a65
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wireless-tools/default.nix
@@ -0,0 +1,24 @@
+{lib, stdenv, fetchurl}:
+
+stdenv.mkDerivation rec {
+  pname = "wireless-tools";
+  version = "30.pre9";
+
+  src = fetchurl {
+    url = "http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/wireless_tools.${version}.tar.gz";
+    sha256 = "0qscyd44jmhs4k32ggp107hlym1pcyjzihiai48xs7xzib4wbndb";
+  };
+
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+    "CC:=$(CC)"
+    "AR:=$(AR)"
+    "RANLIB:=$(RANLIB)"
+    "LDCONFIG=:"
+  ];
+
+  meta = {
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2;
+  };
+}
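Review bot: The tarball is fetched over plain `http://`, so the `sha256` pin is the only integrity protection for this source, and nothing in the expression says so. I would add `# plain HTTP: integrity rests entirely on the hash below; re-verify it out of band on every version bump` above `url`. `meta` also has no `description` or `homepage`, which makes it harder for a reviewer to confirm where upstream lives when checking a new hash.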
diff --git a/nixpkgs/pkgs/os-specific/linux/wlgreet/default.nix b/nixpkgs/pkgs/os-specific/linux/wlgreet/default.nix
new file mode 100644
index 000000000000..932aa47fd714
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wlgreet/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromSourcehut
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "wlgreet-unstable";
+  version = "2022-01-25";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = "wlgreet";
+    rev = "8517e578cb64a8fb3bd8f8a438cdbe46f208b87c";
+    sha256 = "0la4xlikw61cxvbkil1d22dgvazi7rs17n5i2z02090fvnfxxzxh";
+  };
+
+  cargoSha256 = "651d2bf01612534f1c4b0472c812095a86eb064d16879380c87f684c04fe0d8d";
+
+  meta = with lib; {
+    description = "Raw wayland greeter for greetd, to be run under sway or similar";
+    homepage = "https://git.sr.ht/~kennylevinsen/wlgreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/default.nix
new file mode 100644
index 000000000000..f34e106727c1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/default.nix
@@ -0,0 +1,23 @@
+{ lib, stdenv }:
+
+stdenv.mkDerivation rec {
+  pname = "wooting-udev-rules";
+  version = "20210525";
+
+  # Source: https://wooting.helpscoutdocs.com/article/68-wootility-configuring-device-access-for-wootility-under-linux-udev-rules
+  src = [ ./wooting.rules ];
+
+  dontUnpack = true;
+
+  installPhase = ''
+    install -Dpm644 $src $out/lib/udev/rules.d/70-wooting.rules
+  '';
+
+  meta = with lib; {
+    homepage = "https://wooting.helpscoutdocs.com/article/34-linux-udev-rules";
+    description = "udev rules that give NixOS permission to communicate with Wooting keyboards";
+    platforms = platforms.linux;
+    license = "unknown";
+    maintainers = with maintainers; [ davidtwco ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/wooting.rules b/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/wooting.rules
new file mode 100644
index 000000000000..fa4148d87438
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wooting-udev-rules/wooting.rules
@@ -0,0 +1,14 @@
+# Wooting One
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="ff01", MODE:="0660", GROUP="input"
+# Wooting One update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2402", MODE:="0660", GROUP="input"
+
+# Wooting Two
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="ff02", MODE:="0660", GROUP="input"
+# Wooting Two update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="03eb", ATTRS{idProduct}=="2403", MODE:="0660", GROUP="input"
+
+# Wooting Two Lekker Edition
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="1210", MODE:="0660", GROUP="input"
+# Wooting Two Lekker Edition update mode
+SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31e3", ATTRS{idProduct}=="121f", MODE:="0660", GROUP="input"
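Review bot: Every rule grants `MODE:="0660", GROUP="input"`, which gives all members of the static `input` group raw read/write access to the keyboard's hidraw node, including the two "update mode" product IDs on each model. Adding `TAG+="uaccess"` (and dropping the group grant) would limit access to the user logged in on the local seat; the package installs this file as `70-wooting.rules`, which should be early enough for that tag to be honoured. The `:=` on `MODE` also makes the assignment final, so a stricter local rule ordered later cannot tighten it; plain `=` would leave that possible. A header comment recording where the vendor/product ID pairs came from would help the next reviewer check them against the vendor's published list.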
diff --git a/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
new file mode 100644
index 000000000000..d459de8a7f39
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
@@ -0,0 +1,130 @@
+From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch <maximilian@mbosch.me>
+Date: Fri, 19 Feb 2021 19:44:21 +0100
+Subject: [PATCH] Implement read-only mode for ssids
+
+With this change it's possible to define `network=`-sections in a second
+config file specified via `-I` without having changes written to
+`/etc/wpa_supplicant.conf`.
+
+This is helpful on e.g. NixOS to allow both declarative (i.e. read-only)
+and imperative (i.e. mutable) networks.
+---
+ wpa_supplicant/config.h         | 2 +-
+ wpa_supplicant/config_file.c    | 5 +++--
+ wpa_supplicant/config_none.c    | 2 +-
+ wpa_supplicant/config_ssid.h    | 2 ++
+ wpa_supplicant/wpa_supplicant.c | 8 ++++----
+ 5 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
+index 6a297ecfe..adaf4d398 100644
+--- a/wpa_supplicant/config.h
++++ b/wpa_supplicant/config.h
+@@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var);
+  *
+  * Each configuration backend needs to implement this function.
+  */
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp);
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro);
+ 
+ /**
+  * wpa_config_write - Write or update configuration data
+diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
+index 77c326df5..d5ed051b9 100644
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f,
+ #endif /* CONFIG_NO_CONFIG_BLOBS */
+ 
+ 
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
+ {
+ 	FILE *f;
+ 	char buf[512], *pos;
+@@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+ 	while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) {
+ 		if (os_strcmp(pos, "network={") == 0) {
+ 			ssid = wpa_config_read_network(f, &line, id++);
++			ssid->ro = ro;
+ 			if (ssid == NULL) {
+ 				wpa_printf(MSG_ERROR, "Line %d: failed to "
+ 					   "parse network block.", line);
+@@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config)
+ 	}
+ 
+ 	for (ssid = config->ssid; ssid; ssid = ssid->next) {
+-		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary)
++		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro)
+ 			continue; /* do not save temporary networks */
+ 		if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
+ 		    !ssid->passphrase)
+diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c
+index 2aac28fa3..02191b425 100644
+--- a/wpa_supplicant/config_none.c
++++ b/wpa_supplicant/config_none.c
+@@ -17,7 +17,7 @@
+ #include "base64.h"
+ 
+ 
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
+ {
+ 	struct wpa_config *config;
+ 
+diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
+index d5c5c00a9..fd80c079c 100644
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -93,6 +93,8 @@ struct wpa_ssid {
+ 	 */
+ 	int id;
+ 
++	int ro;
++
+ 	/**
+ 	 * priority - Priority group
+ 	 *
+diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
+index 911d79d17..cb0cb99b1 100644
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
+ 
+ 	if (wpa_s->confname == NULL)
+ 		return -1;
+-	conf = wpa_config_read(wpa_s->confname, NULL);
++	conf = wpa_config_read(wpa_s->confname, NULL, 0);
+ 	if (conf == NULL) {
+ 		wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration "
+ 			"file '%s' - exiting", wpa_s->confname);
+ 		return -1;
+ 	}
+ 	if (wpa_s->confanother &&
+-	    !wpa_config_read(wpa_s->confanother, conf)) {
++	    !wpa_config_read(wpa_s->confanother, conf, 1)) {
+ 		wpa_msg(wpa_s, MSG_ERROR,
+ 			"Failed to parse the configuration file '%s' - exiting",
+ 			wpa_s->confanother);
+@@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
+ #else /* CONFIG_BACKEND_FILE */
+ 		wpa_s->confname = os_strdup(iface->confname);
+ #endif /* CONFIG_BACKEND_FILE */
+-		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL);
++		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0);
+ 		if (wpa_s->conf == NULL) {
+ 			wpa_printf(MSG_ERROR, "Failed to read or parse "
+ 				   "configuration '%s'.", wpa_s->confname);
+@@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
+ 		}
+ 		wpa_s->confanother = os_rel2abs_path(iface->confanother);
+ 		if (wpa_s->confanother &&
+-		    !wpa_config_read(wpa_s->confanother, wpa_s->conf)) {
++		    !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) {
+ 			wpa_printf(MSG_ERROR,
+ 				   "Failed to read or parse configuration '%s'.",
+ 				   wpa_s->confanother);
+-- 
+2.29.2
+
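Review bot: In the wpa_config_read hunk of config_file.c the added `ssid->ro = ro;` sits above the existing `if (ssid == NULL)` check, so a network block that fails to parse dereferences a NULL pointer instead of reaching the "failed to parse network block" error path. A malformed `network={` section in either config file would then crash the daemon at start-up or on reload rather than being reported. Guard the assignment, e.g. `if (ssid) ssid->ro = ro;`, or move it below the error branch, which continues outside the hunk. The new `int ro;` member in config_ssid.h is also undocumented next to commented neighbours; something like `/* ro - network came from the read-only (-I) config; skipped by wpa_config_write() */` would match them.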
diff --git a/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch
new file mode 100644
index 000000000000..09e5b3673ac4
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch
@@ -0,0 +1,32 @@
+The id and cred_id variables are reset to 0 every time the
+wpa_config_read function is called, which is fine as long as it is only
+called once. However, this is not the case when using both the -c and -I
+options to specify two config files.
+
+This is a problem because the GUI, since eadfeb0e93748eb396ae62012b92d21a7f533646,
+relies on the network IDs being unique (and increasing), and might get
+into an infinite loop otherwise.
+
+This is solved by simply making the variables static.
+---
+ wpa_supplicant/config_file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
+index 6db5010db..c996e3916 100644
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -297,8 +297,8 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+ 	struct wpa_ssid *ssid, *tail, *head;
+ 	struct wpa_cred *cred, *cred_tail, *cred_head;
+ 	struct wpa_config *config;
+-	int id = 0;
+-	int cred_id = 0;
++	static int id = 0;
++	static int cred_id = 0;
+
+ 	if (name == NULL)
+ 		return NULL;
+--
+2.34.1
+
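Review bot: The two `static` counters in wpa_config_read carry no comment, and the change has a side effect the description does not mention: they are never reset, so ids keep growing across every later call, not only across the -c/-I pair. That presumably includes configuration reloads and additional interfaces, which would number their networks from wherever the previous read stopped; it is worth confirming that nothing relies on ids starting at 0 or staying stable across a reload. At minimum add `/* static: ids must stay unique across the -c and -I reads; never reset for the life of the process */` above the declarations. The function body continues outside the hunk.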
diff --git a/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/default.nix b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/default.nix
new file mode 100644
index 000000000000..2d954d83ecf3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/default.nix
@@ -0,0 +1,130 @@
+{ lib, stdenv, fetchurl, openssl, pkg-config, libnl
+, nixosTests, wpa_supplicant_gui
+, dbusSupport ? true, dbus
+, withReadline ? true, readline
+, withPcsclite ? true, pcsclite
+, readOnlyModeSSIDs ? false
+}:
+
+with lib;
+stdenv.mkDerivation rec {
+  version = "2.10";
+
+  pname = "wpa_supplicant";
+
+  src = fetchurl {
+    url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
+    sha256 = "sha256-IN965RVLODA1X4q0JpEjqHr/3qWf50/pKSqR0Nfhey8=";
+  };
+
+  patches = [
+    # Fix a bug when using two config files
+    ./Use-unique-IDs-for-networks-and-credentials.patch
+  ] ++ lib.optionals readOnlyModeSSIDs [
+    # Allow read-only networks
+    ./0001-Implement-read-only-mode-for-ssids.patch
+  ];
+
+  # TODO: Patch epoll so that the dbus actually responds
+  # TODO: Figure out how to get privsep working, currently getting SIGBUS
+  extraConfig = ''
+    #CONFIG_ELOOP_EPOLL=y
+    #CONFIG_PRIVSEP=y
+    #CONFIG_TLSV12=y see #8332
+    CONFIG_AP=y
+    CONFIG_BGSCAN_LEARN=y
+    CONFIG_BGSCAN_SIMPLE=y
+    CONFIG_DEBUG_SYSLOG=y
+    CONFIG_EAP_EKE=y
+    CONFIG_EAP_FAST=y
+    CONFIG_EAP_GPSK=y
+    CONFIG_EAP_GPSK_SHA256=y
+    CONFIG_EAP_IKEV2=y
+    CONFIG_EAP_PAX=y
+    CONFIG_EAP_PWD=y
+    CONFIG_EAP_SAKE=y
+    CONFIG_ELOOP=eloop
+    CONFIG_EXT_PASSWORD_FILE=y
+    CONFIG_HS20=y
+    CONFIG_HT_OVERRIDES=y
+    CONFIG_IEEE80211AC=y
+    CONFIG_IEEE80211N=y
+    CONFIG_IEEE80211R=y
+    CONFIG_IEEE80211W=y
+    CONFIG_INTERNETWORKING=y
+    CONFIG_L2_PACKET=linux
+    CONFIG_LIBNL32=y
+    CONFIG_OWE=y
+    CONFIG_P2P=y
+    CONFIG_TDLS=y
+    CONFIG_TLS=openssl
+    CONFIG_TLSV11=y
+    CONFIG_VHT_OVERRIDES=y
+    CONFIG_WNM=y
+    CONFIG_WPS=y
+    CONFIG_WPS_ER=y
+    CONFIG_WPS_NFS=y
+  '' + optionalString withPcsclite ''
+    CONFIG_EAP_SIM=y
+    CONFIG_EAP_AKA=y
+    CONFIG_EAP_AKA_PRIME=y
+    CONFIG_PCSC=y
+  '' + optionalString dbusSupport ''
+    CONFIG_CTRL_IFACE_DBUS=y
+    CONFIG_CTRL_IFACE_DBUS_NEW=y
+    CONFIG_CTRL_IFACE_DBUS_INTRO=y
+  '' + (if withReadline then ''
+    CONFIG_READLINE=y
+  '' else ''
+    CONFIG_WPA_CLI_EDIT=y
+  '');
+
+  preBuild = ''
+    for manpage in wpa_supplicant/doc/docbook/wpa_supplicant.conf* ; do
+      substituteInPlace "$manpage" --replace /usr/share/doc $out/share/doc
+    done
+    cd wpa_supplicant
+    cp -v defconfig .config
+    echo "$extraConfig" >> .config
+    cat -n .config
+    substituteInPlace Makefile --replace /usr/local $out
+    export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE \
+      -I$(echo "${lib.getDev libnl}"/include/libnl*/) \
+      ${optionalString withPcsclite "-I${lib.getDev pcsclite}/include/PCSC/"}"
+  '';
+
+  buildInputs = [ openssl libnl ]
+    ++ optional dbusSupport dbus
+    ++ optional withReadline readline
+    ++ optional withPcsclite pcsclite;
+
+  nativeBuildInputs = [ pkg-config ];
+
+  postInstall = ''
+    mkdir -p $out/share/man/man5 $out/share/man/man8
+    cp -v "doc/docbook/"*.5 $out/share/man/man5/
+    cp -v "doc/docbook/"*.8 $out/share/man/man8/
+
+    mkdir -p $out/share/dbus-1/system.d $out/share/dbus-1/system-services $out/etc/systemd/system
+    cp -v "dbus/"*service $out/share/dbus-1/system-services
+    sed -e "s@/sbin/wpa_supplicant@$out&@" -i "$out/share/dbus-1/system-services/"*
+    cp -v dbus/dbus-wpa_supplicant.conf $out/share/dbus-1/system.d
+    cp -v "systemd/"*.service $out/etc/systemd/system
+
+    rm $out/share/man/man8/wpa_priv.8
+    install -Dm444 wpa_supplicant.conf $out/share/doc/wpa_supplicant/wpa_supplicant.conf.example
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) wpa_supplicant;
+    inherit wpa_supplicant_gui; # inherits the src+version updates
+  };
+
+  meta = with lib; {
+    homepage = "https://w1.fi/wpa_supplicant/";
+    description = "A tool for connecting to WPA and WPA2-protected wireless networks";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ marcweber ma27 ];
+    platforms = platforms.linux;
+  };
+}
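Review bot: `CONFIG_WPS_NFS=y` at the end of the first `extraConfig` block looks like a typo for `CONFIG_WPS_NFC=y`; I am not aware of a WPS_NFS option in wpa_supplicant's build configuration, so the line is most likely ignored. Either rename it (and confirm the NFC code builds) or drop it. Separately, `#CONFIG_TLSV12=y see #8332` next to `CONFIG_TLSV11=y` reads as if TLS 1.2 were disabled for EAP, while as far as I know these switches only affect the internal TLS implementation and not `CONFIG_TLS=openssl`. A comment such as `# TLSV11/TLSV12 only apply to CONFIG_TLS=internal` would prevent that misreading; please verify against the upstream defconfig before adding it.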
diff --git a/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/gui.nix b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/gui.nix
new file mode 100644
index 000000000000..82e104cac3aa
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/wpa_supplicant/gui.nix
@@ -0,0 +1,31 @@
+{ lib, mkDerivation, fetchpatch, qtbase, qmake, inkscape, imagemagick, wpa_supplicant }:
+
+mkDerivation {
+  pname = "wpa_gui";
+  inherit (wpa_supplicant) version src;
+
+  buildInputs = [ qtbase ];
+  nativeBuildInputs = [ qmake inkscape imagemagick ];
+
+  postPatch = ''
+    cd wpa_supplicant/wpa_gui-qt4
+  '';
+
+  postBuild = ''
+    make -C icons
+  '';
+
+  postInstall = ''
+    mkdir -pv $out/{bin,share/applications,share/icons}
+    cp -v wpa_gui $out/bin
+    cp -v wpa_gui.desktop $out/share/applications
+    cp -av icons/hicolor $out/share/icons
+  '';
+
+  meta = with lib; {
+    description = "Qt-based GUI for wpa_supplicant";
+    homepage = "https://hostap.epitest.fi/wpa_supplicant/";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+  };
+}
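Review bot: `fetchpatch` is taken as an argument but never used in this file, and `meta` has no `maintainers` entry; drop the unused argument from the function header. The homepage points at `hostap.epitest.fi` while the main package uses `https://w1.fi/wpa_supplicant/`, and using the same URL in both would be consistent. Only `version` and `src` are inherited, so the patches listed in default.nix are not applied to the GUI build; that is presumably intended, but a short comment saying so would help.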
diff --git a/nixpkgs/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix b/nixpkgs/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix
new file mode 100644
index 000000000000..d636f928f249
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, kernel }:
+
+stdenv.mkDerivation {
+  pname = "x86_energy_perf_policy";
+  version = kernel.version;
+
+  src = kernel.src;
+
+  postPatch = ''
+    cd tools/power/x86/x86_energy_perf_policy
+    sed -i 's,/usr,,g' Makefile
+  '';
+
+  preInstall = ''
+    mkdir -p $out/bin $out/share/man/man8
+  '';
+
+  makeFlags = [ "DESTDIR=$(out)" ];
+
+  meta = with lib; {
+    description = "Set the energy versus performance policy preference bias on recent X86 processors";
+    homepage = "https://www.kernel.org/";
+    license = licenses.gpl2;
+    platforms = [ "i686-linux" "x86_64-linux" ]; # x86-specific
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/x86info/default.nix b/nixpkgs/pkgs/os-specific/linux/x86info/default.nix
new file mode 100644
index 000000000000..db5b040da3a2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/x86info/default.nix
@@ -0,0 +1,53 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, pciutils
+, pkg-config
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "x86info";
+  version = "unstable-2021-08-07";
+
+  src = fetchFromGitHub {
+    owner = "kernelslacker";
+    repo = pname;
+    rev = "061ea35ecb0697761b6260998fa2045b8bb0be68";
+    hash = "sha256-/qWioC4dV1bQkU4SiTR8duYqoGIMIH7s8vuAXi75juo=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    python3
+  ];
+
+  buildInputs = [
+    pciutils
+  ];
+
+  postBuild = ''
+    patchShebangs lsmsr/createheader.py
+    make -C lsmsr
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp x86info $out/bin
+    cp lsmsr/lsmsr $out/bin
+  '';
+
+  meta = {
+    description = "Identification utility for the x86 series of processors";
+    longDescription = ''
+      x86info will identify all Intel/AMD/Centaur/Cyrix/VIA CPUs. It leverages
+      the cpuid kernel module where possible.  it supports parsing model specific
+      registers (MSRs) via the msr kernel module.  it will approximate processor
+      frequency, and identify the cache sizes and layout.
+    '';
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    license = lib.licenses.gpl2;
+    homepage = "https://github.com/kernelslacker/x86info";
+    maintainers = with lib.maintainers; [ jcumming ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xf86-input-cmt/default.nix b/nixpkgs/pkgs/os-specific/linux/xf86-input-cmt/default.nix
new file mode 100644
index 000000000000..a973f844fd4a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xf86-input-cmt/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, xorgserver, xorgproto,
+  utilmacros, libgestures, libevdevc }:
+
+stdenv.mkDerivation rec {
+  pname = "xf86-input-cmt";
+  version = "2.0.2";
+  src = fetchFromGitHub {
+    owner = "hugegreenbug";
+    repo = "xf86-input-cmt";
+    rev = "v${version}";
+    sha256 = "1cnwf518nc0ybc1r3rsgc1gcql1k3785khffv0i4v3akrm9wdw98";
+  };
+
+  postPatch = ''
+    patchShebangs ./apply_patches.sh
+    ./apply_patches.sh
+  '';
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    xorgserver xorgproto utilmacros
+    libgestures libevdevc
+  ];
+
+  configureFlags = [
+    "--with-sdkdir=${placeholder "out"}"
+  ];
+
+  meta = with lib; {
+    description = "Chromebook touchpad driver";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    homepage = "https://www.github.com/hugegreenbug/xf86-input-cmt";
+    maintainers = with maintainers; [ kcalvinalvin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xf86-input-wacom/default.nix b/nixpkgs/pkgs/os-specific/linux/xf86-input-wacom/default.nix
new file mode 100644
index 000000000000..af1dc126bfdc
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xf86-input-wacom/default.nix
@@ -0,0 +1,61 @@
+{ lib
+, stdenv
+, autoreconfHook
+, fetchFromGitHub
+, xorgproto
+, libX11
+, libXext
+, libXi
+, libXinerama
+, libXrandr
+, libXrender
+, ncurses
+, pixman
+, pkg-config
+, udev
+, utilmacros
+, xorgserver
+}:
+
+stdenv.mkDerivation rec {
+  pname = "xf86-input-wacom";
+  version = "1.1.0";
+
+  src = fetchFromGitHub {
+    owner = "linuxwacom";
+    repo = pname;
+    rev = "${pname}-${version}";
+    sha256 = "sha256-AYjO7B0Z6G1JqpLdvm9LS+ujz7iUp8UwZ9X1WQ/dGk0=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  buildInputs = [
+    libX11
+    libXext
+    libXi
+    libXinerama
+    libXrandr
+    libXrender
+    ncurses
+    udev
+    utilmacros
+    pixman
+    xorgproto
+    xorgserver
+  ];
+
+  configureFlags = [
+    "--with-xorg-module-dir=${placeholder "out"}/lib/xorg/modules"
+    "--with-sdkdir=${placeholder "out"}/include/xorg"
+    "--with-xorg-conf-dir=${placeholder "out"}/share/X11/xorg.conf.d"
+  ];
+
+  meta = with lib; {
+    maintainers = with maintainers; [ goibhniu fortuneteller2k ];
+    description = "Wacom digitizer driver for X11";
+    homepage = "http://linuxwacom.sourceforge.net";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux; # Probably, works with other unixes as well
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xf86-video-nested/default.nix b/nixpkgs/pkgs/os-specific/linux/xf86-video-nested/default.nix
new file mode 100644
index 000000000000..bba646e583b8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xf86-video-nested/default.nix
@@ -0,0 +1,31 @@
+{ lib, stdenv, fetchgit, autoreconfHook, xorgproto, libX11, libXext
+, pixman, pkg-config, utilmacros, xorgserver
+}:
+
+stdenv.mkDerivation {
+  pname = "xf86-video-nested";
+  version = "unstable-2017-06-12";
+
+  src = fetchgit {
+    url = "git://anongit.freedesktop.org/xorg/driver/xf86-video-nested";
+    rev = "6a48b385c41ea89354d0b2ee7f4649a1d1d9ec70";
+    sha256 = "133rd2kvr2q2wmwpx82bb93qbi8wm8qp1vlmbhgc7aslz0j4cqqv";
+  };
+
+  buildInputs =
+    [ autoreconfHook xorgproto libX11 libXext pixman
+      pkg-config utilmacros xorgserver
+    ];
+
+  hardeningDisable = [ "fortify" ];
+
+  CFLAGS = "-I${pixman}/include/pixman-1";
+
+  meta = with lib; {
+    homepage = "https://cgit.freedesktop.org/xorg/driver/xf86-video-nested";
+    description = "A driver to run Xorg on top of Xorg or something else";
+    maintainers = [ maintainers.goibhniu ];
+    platforms = platforms.linux;
+    license = licenses.mit;
+  };
+}
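Review bot: `hardeningDisable = [ "fortify" ];` turns off a compiler hardening flag with no explanation; add a comment naming the build failure or upstream issue that requires it, e.g. `# fortify disabled: REASON_OR_ISSUE_LINK (placeholder)`, so it can be re-enabled once the cause is fixed. The source is fetched over `git://`, an unauthenticated protocol; the `sha256` still pins the content, but an https URL would be preferable if the host offers one. `autoreconfHook` and `pkg-config` are build-time tools and would normally be listed in `nativeBuildInputs` rather than `buildInputs`.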
diff --git a/nixpkgs/pkgs/os-specific/linux/xone/default.nix b/nixpkgs/pkgs/os-specific/linux/xone/default.nix
new file mode 100644
index 000000000000..71bafb7abd9b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xone/default.nix
@@ -0,0 +1,39 @@
+{ stdenv, lib, fetchFromGitHub, kernel, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "xone";
+  version = "0.3";
+
+  src = fetchFromGitHub {
+    owner = "medusalix";
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    sha256 = "sha256-h+j4xCV9R6hp9trsv1NByh9m0UBafOz42ZuYUjclILE=";
+  };
+
+  setSourceRoot = ''
+    export sourceRoot=$(pwd)/source
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "-C"
+    "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(sourceRoot)"
+    "VERSION=${version}"
+  ];
+
+  buildFlags = [ "modules" ];
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    description = "Linux kernel driver for Xbox One and Xbox Series X|S accessories";
+    homepage = "https://github.com/medusalix/xone";
+    license = licenses.gpl2;
+    maintainers = with lib.maintainers; [ rhysmdnz ];
+    platforms = platforms.linux;
+  };
+}
+
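Review bot: `makeFlags` here omits `kernel.makeFlags`, while the xpadneo expression added in the same commit builds its module with `makeFlags = kernel.makeFlags ++ [ ... ]`. Without the kernel's own flags the module may be built with different toolchain or architecture settings than the kernel it is loaded into, which matters at least for cross builds. Suggest `makeFlags = kernel.makeFlags ++ [` for consistency. `fetchurl` is also an unused argument.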
diff --git a/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/deco-01-v2/default.nix b/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/deco-01-v2/default.nix
new file mode 100644
index 000000000000..32804afa9ff2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/deco-01-v2/default.nix
@@ -0,0 +1,81 @@
+{ lib
+, stdenv
+, fetchzip
+, libusb1
+, glibc
+, libGL
+, xorg
+, qtx11extras
+, wrapQtAppsHook
+, autoPatchelfHook
+, libX11
+, libXtst
+, libXi
+, libXrandr
+, libXinerama
+}:
+
+let
+  dataDir = "var/lib/xppend1v2";
+in
+stdenv.mkDerivation rec {
+  pname = "xp-pen-deco-01-v2-driver";
+  version = "3.2.3.220323-1";
+
+  src = fetchzip {
+    url = "https://www.xp-pen.com/download/file/id/1936/pid/440/ext/gz.html#.tar.gz";
+    name = "xp-pen-deco-01-v2-driver-${version}.tar.gz";
+    sha256 = "sha256-n/yutkRsjcIRRhB4q1yqEmaa03/1SO8RigJi/ZkfLbk=";
+  };
+
+  nativeBuildInputs = [
+    wrapQtAppsHook
+    autoPatchelfHook
+  ];
+
+  dontBuild = true;
+
+  dontWrapQtApps = true; # this is done manually
+
+  buildInputs = [
+    libusb1
+    libX11
+    libXtst
+    libXi
+    libXrandr
+    libXinerama
+    glibc
+    libGL
+    stdenv.cc.cc.lib
+    qtx11extras
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/{opt,bin}
+    cp -r App/usr/lib/pentablet/{pentablet,resource.rcc,conf} $out/opt
+    chmod +x $out/opt/pentablet
+    cp -r App/lib $out/lib
+    sed -i 's#usr/lib/pentablet#${dataDir}#g' $out/opt/pentablet
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    makeWrapper $out/opt/pentablet $out/bin/xp-pen-deco-01-v2-driver \
+      "''${qtWrapperArgs[@]}" \
+      --run 'if [ "$EUID" -ne 0 ]; then echo "Please run as root."; exit 1; fi' \
+      --run 'if [ ! -d /${dataDir} ]; then mkdir -p /${dataDir}; cp -r '$out'/opt/conf /${dataDir}; chmod u+w -R /${dataDir}; fi'
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.xp-pen.com/product/461.html";
+    description = "Drivers for the XP-PEN Deco 01 v2 drawing tablet";
+    platforms = [ "x86_64-linux" ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    maintainers = with maintainers; [ virchau13 ];
+    license = licenses.unfree;
+  };
+}
+
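Review bot: The `sed -i 's#usr/lib/pentablet#${dataDir}#g' $out/opt/pentablet` line in `installPhase` rewrites a path inside a prebuilt binary, which only works because `var/lib/xppend1v2` is exactly as long as `usr/lib/pentablet`; nothing in the file says so. Add a comment at the `dataDir` binding, e.g. `# must be exactly as long as "usr/lib/pentablet": it is patched into the binary in place`. The wrapper in `postFixup` also insists on root and then runs the unfree vendor program with full privileges, creating `/${dataDir}` on first start; a comment explaining why root is required would help anyone assessing the package. `xorg` is an unused argument.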
diff --git a/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/g430/default.nix b/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/g430/default.nix
new file mode 100644
index 000000000000..ad983662109a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xp-pen-drivers/g430/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, mkDerivation, fetchzip, autoPatchelfHook, libusb1, libX11, libXtst, qtbase, libglvnd }:
+
+mkDerivation rec {
+  pname = "xp-pen-g430-driver";
+  version = "1.2.13.1";
+
+  src = fetchzip {
+    url = "https://download01.xp-pen.com/file/2020/04/Linux_Pentablet_V${version}.tar.gz(20200428).zip";
+    sha256 = "1r423hcpi26v82pzl59br1zw5vablikclqsy6mcqi0v5p84hfrdd";
+  } + /Linux_Pentablet_V1.2.13.1.tar.gz;
+
+  nativeBuildInputs = [
+    autoPatchelfHook
+  ];
+
+  buildInputs = [
+    libusb1
+    libX11
+    libXtst
+    qtbase
+    libglvnd
+    stdenv.cc.cc.lib
+  ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp Pentablet_Driver $out/bin/pentablet-driver
+    cp config.xml $out/bin/config.xml
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.xp-pen.com/download-46.html";
+    description = "Driver for XP-PEN Pentablet drawing tablets";
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+    license = licenses.unfree;
+    platforms = [ "x86_64-linux" ];
+    maintainers = with maintainers; [ ivar ];
+  };
+}
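Review bot: The path appended to the `fetchzip` result, `+ /Linux_Pentablet_V1.2.13.1.tar.gz`, hard-codes the version that the URL takes from `${version}`, so a version bump has to be made in two places. Writing it as `+ "/Linux_Pentablet_V${version}.tar.gz"` keeps them in step. `installPhase` also lacks `runHook preInstall` / `runHook postInstall`, unlike the deco-01-v2 expression in the same directory.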
diff --git a/nixpkgs/pkgs/os-specific/linux/xpadneo/default.nix b/nixpkgs/pkgs/os-specific/linux/xpadneo/default.nix
new file mode 100644
index 000000000000..623b881cd0f2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xpadneo/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bluez }:
+
+stdenv.mkDerivation rec {
+  pname = "xpadneo";
+  version = "0.9.4";
+
+  src = fetchFromGitHub {
+    owner = "atar-axis";
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    sha256 = "sha256-4zd+x9uYl0lJgePM9LEgLYFqvcw6VPF/CbR1XiYSwGE=";
+  };
+
+  setSourceRoot = ''
+    export sourceRoot=$(pwd)/source/hid-xpadneo/src
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  buildInputs = [ bluez ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "-C"
+    "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(sourceRoot)"
+    "VERSION=${version}"
+  ];
+
+  buildFlags = [ "modules" ];
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    description = "Advanced Linux driver for Xbox One wireless controllers";
+    homepage = "https://atar-axis.github.io/xpadneo";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ kira-bruneau ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/xsensors/default.nix b/nixpkgs/pkgs/os-specific/linux/xsensors/default.nix
new file mode 100644
index 000000000000..02ce560d8a94
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xsensors/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, lib, fetchurl, gtk2, pkg-config, lm_sensors }:
+
+stdenv.mkDerivation rec {
+  pname = "xsensors";
+  version = "0.70";
+  src = fetchurl {
+    url = "http://www.linuxhardware.org/xsensors/xsensors-${version}.tar.gz";
+    sha256 = "1siplsfgvcxamyqf44h71jx6jdfmvhfm7mh0y1q8ps4zs6pj2zwh";
+  };
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    gtk2 lm_sensors
+  ];
+  patches = [
+    ./remove-unused-variables.patch
+    ./replace-deprecated-gtk.patch
+  ];
+  meta = with lib; {
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ cstrahan ];
+  };
+}
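Review bot: `meta` is missing `description` and `homepage`, which the neighbouring expressions in this commit provide; add e.g. `description = "ONE_LINE_SUMMARY (placeholder)";` and the project URL. The tarball is fetched over plain `http://`; the `sha256` pins the content, so this is not an integrity problem, but an https location would be preferable if one exists.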
diff --git a/nixpkgs/pkgs/os-specific/linux/xsensors/remove-unused-variables.patch b/nixpkgs/pkgs/os-specific/linux/xsensors/remove-unused-variables.patch
new file mode 100644
index 000000000000..7da97a0e56e8
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xsensors/remove-unused-variables.patch
@@ -0,0 +1,39 @@
+Author: Nanley Chery <nanleychery@gmail.com>
+From: Jean Delvare <khali@linux-fr.org>
+Subject: Remove declared, but unused variables
+Bug-Debian: http://bugs.debian.org/625435
+---
+--- a/src/gui.c
++++ b/src/gui.c
+@@ -257,10 +257,9 @@
+ 
+ /* Start the sensor info update timer. */
+ gint start_timer( GtkWidget *widget, gpointer data ) {
+-    gint timer;
+ 
+     /* Setup timer for updates. */
+-    timer = g_timeout_add( update_time * 1000, 
++    g_timeout_add( update_time * 1000,
+                              (GtkFunction) update_sensor_data, 
+ 			     (gpointer) data );
+ 
+@@ -287,7 +286,7 @@
+ 
+     /* feature data */
+     updates *head = NULL;
+-    updates *current = NULL, *prev = NULL;
++    updates *current = NULL;
+ 
+     const sensors_feature *feature;
+ 
+@@ -347,10 +346,8 @@
+             new_node->pbar = featpbar;
+ 
+             if ( head == NULL ) {
+-                prev = head;
+                 head = current = new_node;
+             } else {
+-                prev = current;
+                 current = current->next = new_node;
+             }
+ 
diff --git a/nixpkgs/pkgs/os-specific/linux/xsensors/replace-deprecated-gtk.patch b/nixpkgs/pkgs/os-specific/linux/xsensors/replace-deprecated-gtk.patch
new file mode 100644
index 000000000000..fed4c7dc4c95
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xsensors/replace-deprecated-gtk.patch
@@ -0,0 +1,168 @@
+Author: Nanley Chery <nanleychery@gmail.com>
+Subject: Update deprecated gtk casts and replace deprecated function calls with their analogous cairo counterparts.
+Bug-Debian: http://bugs.debian.org/622005
+Bug-Debian: http://bugs.debian.org/610321
+---
+--- a/src/gui.c
++++ b/src/gui.c
+@@ -27,10 +27,10 @@
+ GtkWidget *mainwindow = NULL;
+ 
+ GdkColor colorWhite = { 0, 0xFFFF, 0xFFFF, 0xFFFF };
+-    
+-GdkColormap *cmap = NULL;
+ 
+-GdkPixmap *theme = NULL;
++GdkPixbuf *theme = NULL;
++
++cairo_surface_t *surface = NULL;
+ 
+ /* Destroy the main window. */
+ gint destroy_gui( GtkWidget *widget, gpointer data ) {
+@@ -76,17 +76,16 @@
+     }
+ }
+ 
+-static void draw_digits( GtkWidget *widget, const gchar *digits, int highLow )
++static void draw_digits( GtkWidget *widget, cairo_t *cr, const gchar *digits, int highLow )
+ {
+     const gchar *digit = digits;
+     int pos = 0, x = 0, y = 0, w = 0;
+ 
+     while ( *digit ) {
+         get_pm_location( *digit, &x, &y, &w );
+-        gdk_draw_drawable( widget->window,
+-                           widget->style->fg_gc[ GTK_WIDGET_STATE
+-                           (widget) ], theme, x, y + highLow,
+-                           pos, 0, w, 30 );
++        cairo_set_source_surface (cr, surface, pos-x, 0-(y + highLow));
++		cairo_rectangle(cr, pos, 0, w, 30);
++		cairo_fill(cr);
+         pos += w;
+         digit++;
+     }
+@@ -102,6 +101,8 @@
+ 
+     gchar result[7];
+ 
++    cairo_t *cr = gdk_cairo_create(widget->window);
++
+ #ifdef DEBUG_XSENSORS
+     printf( "area.width = %d, area.height = %d\n", event->area.width,
+             event->area.height );
+@@ -117,13 +118,11 @@
+ 
+             /* Display the digits */
+             if ( g_snprintf( result, 6, "%5.0f", current->curvalue ) >= 0 )
+-               draw_digits( widget, result, highLow );
++               draw_digits( widget, cr, result, highLow );
+ 
+             /* Display RPM */
+-            gdk_draw_drawable( widget->window, 
+-                               widget->style->fg_gc[ GTK_WIDGET_STATE 
+-                               (widget) ], theme, 0, 120 + highLow, 
+-                               90, 0, 57, 30 );
++            cairo_set_source_surface (cr, surface, 90-0, 0-(120 + highLow));
++     	    cairo_rectangle(cr, 90, 0, 57, 30);
+             break;
+         case TEMP:
+             if ( current->curvalue > current->curmax )
+@@ -134,17 +133,15 @@
+ 
+             /* Display the digits */
+             if ( g_snprintf( result, 7, "%6.1f", current->curvalue ) >= 0 )
+-               draw_digits( widget, result, highLow );
++               draw_digits( widget, cr, result, highLow );
+ 
+             /* Display degree symbol */
+             if ( tf == FALSE )
+                 x = 0;
+             else
+                 x = 57;
+-            gdk_draw_drawable( widget->window, 
+-                             widget->style->fg_gc[ GTK_WIDGET_STATE 
+-                             (widget) ], theme, x, 60 + highLow, 
+-                             96, 0, 57, 30 );
++            cairo_set_source_surface (cr, surface, 96-x, 0-(60 + highLow));
++     	    cairo_rectangle(cr, 96, 0, 57, 30);
+             
+             break;
+         case VOLT:
+@@ -154,20 +151,17 @@
+             
+             /* Display the digits */
+             if ( g_snprintf( result, 7, "%6.2f", current->curvalue ) >= 0 )
+-               draw_digits( widget, result, highLow );
++               draw_digits( widget, cr, result, highLow );
+ 
+             /* Display V */
+-            gdk_draw_drawable( widget->window, 
+-                             widget->style->fg_gc[ GTK_WIDGET_STATE 
+-                             (widget) ], theme, 114, 60 + highLow, 
+-                             96, 0, 57, 30 );
+-
+-
++            cairo_set_source_surface (cr, surface, 96-114, 0-(60 + highLow));
++     	    cairo_rectangle(cr, 96, 0, 57, 30);
+             break;
+         default:
+             break;
+     }
+-            
++    cairo_fill(cr);
++    cairo_destroy(cr);
+     return TRUE;
+ }
+ 
+@@ -260,7 +254,7 @@
+ 
+     /* Setup timer for updates. */
+     g_timeout_add( update_time * 1000,
+-                             (GtkFunction) update_sensor_data, 
++                             (GSourceFunc) update_sensor_data,
+ 			     (gpointer) data );
+ 
+     return SUCCESS;
+@@ -460,8 +454,6 @@
+     g_signal_connect( G_OBJECT (mainwindow), "delete_event",
+                       G_CALLBACK (destroy_gui), NULL );
+ 
+-    /* Graphics needed for drawing info. */
+-    cmap = gtk_widget_get_colormap( mainwindow );
+ 
+     /* Set up the image file used for displaying characters. */
+     if ( imagefile == NULL ) {
+@@ -481,12 +473,10 @@
+                        "Image file not found in either location!  Exiting!\n" );
+                 exit( 1 );
+             } else {
+-                theme = gdk_pixmap_colormap_create_from_xpm( NULL, cmap,
+-                        NULL, NULL, "./images/default.xpm" );
++                theme = gdk_pixbuf_new_from_file("./images/default.xpm", NULL );
+             }
+         } else {
+-            theme = gdk_pixmap_colormap_create_from_xpm( NULL, cmap,
+-                    NULL, NULL, imagefile );
++            theme = gdk_pixbuf_new_from_file(imagefile, NULL );
+         }
+     } else {
+         if ( stat( imagefile, &sbuf ) != 0 ) {
+@@ -495,11 +485,15 @@
+                     "Image file not found in specified location!  Exiting!\n" );
+             exit( 1 );
+         } else {
+-            theme = gdk_pixmap_colormap_create_from_xpm( NULL, cmap,
+-                    NULL, NULL, imagefile );
++            theme = gdk_pixbuf_new_from_file(imagefile, NULL );
+         }
+     }
+-    
++    surface = cairo_image_surface_create_for_data(gdk_pixbuf_get_pixels(theme),
++                                        CAIRO_FORMAT_RGB24,
++										gdk_pixbuf_get_width(theme),
++										gdk_pixbuf_get_height(theme),
++										gdk_pixbuf_get_rowstride(theme));
++
+     /* Create notebook for sensors. */
+     notebook = gtk_notebook_new( );
+     gtk_widget_modify_bg( notebook, GTK_STATE_NORMAL, &colorWhite );
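Review bot: None of the three new `gdk_pixbuf_new_from_file(..., NULL)` calls is checked before `theme` is passed to `gdk_pixbuf_get_pixels()` and `cairo_image_surface_create_for_data()`; the preceding `stat()` tests only show that the file exists, not that it decodes. Add `if ( theme == NULL ) exit( 1 );` (with an error message in the style of the existing ones) before the surface is created. The surface is also declared as `CAIRO_FORMAT_RGB24`, a 32-bit native-endian layout, whereas a GdkPixbuf stores packed R,G,B(,A) bytes, so the colours or the stride may not match depending on the image. `gdk_cairo_set_source_pixbuf()` would avoid interpreting the pixel buffer by hand. The enclosing function starts and ends outside the hunk.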
diff --git a/nixpkgs/pkgs/os-specific/linux/xsos/default.nix b/nixpkgs/pkgs/os-specific/linux/xsos/default.nix
new file mode 100644
index 000000000000..56516aee8b7b
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/xsos/default.nix
@@ -0,0 +1,52 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, makeWrapper
+, installShellFiles
+, dmidecode
+, ethtool
+, pciutils
+, multipath-tools
+, iproute2
+, sysvinit
+}:
+let
+  binPath = [
+    iproute2
+    dmidecode
+    ethtool
+    pciutils
+    multipath-tools
+    iproute2
+    sysvinit
+  ];
+in
+
+stdenv.mkDerivation rec {
+  pname = "xsos";
+  version = "0.7.19";
+
+  src = fetchFromGitHub {
+    owner = "ryran";
+    repo = "xsos";
+    rev = "v${version}";
+    sha256 = "11cc8z3pz4gl0mwl2fc701mn4cgx50fybygx0rvs9bhvb0jnphay";
+  };
+
+  nativeBuildInputs = [ makeWrapper installShellFiles ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -a xsos $out/bin
+    wrapProgram "$out/bin/xsos" --prefix PATH : ${lib.makeBinPath binPath}
+    installShellCompletion --bash --name xsos.bash xsos-bash-completion.bash
+  '';
+
+  meta = with lib; {
+    description = "Summarize system info from sosreports";
+    homepage = "https://github.com/ryran/xsos";
+    license = licenses.gpl3;
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    maintainers = [ maintainers.nixinator ];
+  };
+}
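Review bot: `iproute2` appears twice in `binPath` (first and sixth entries), so the PATH prefix that `wrapProgram` writes into the wrapper carries the same store path twice; drop the second entry. `license = licenses.gpl3;` does not say whether upstream grants GPL-3.0-only or "or later". Pick `licenses.gpl3Only` or `licenses.gpl3Plus` after checking the upstream source headers.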
diff --git a/nixpkgs/pkgs/os-specific/linux/zenmonitor/default.nix b/nixpkgs/pkgs/os-specific/linux/zenmonitor/default.nix
new file mode 100644
index 000000000000..8414ac7a1e14
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zenmonitor/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, gtk3, wrapGAppsHook }:
+
+stdenv.mkDerivation rec {
+  pname = "zenmonitor";
+  version = "2.0.0";
+
+  src = fetchFromGitHub {
+    owner = "Ta180m";
+    repo = "zenmonitor3";
+    rev = "v${version}";
+    sha256 = "sha256-2EsuSMXnnMg0e0JD1TXJplsi7sOg9em0qqge2WlC6ro=";
+  };
+
+  buildInputs = [ gtk3 ];
+  nativeBuildInputs = [ pkg-config wrapGAppsHook ];
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "Monitoring software for AMD Zen-based CPUs";
+    homepage = "https://github.com/Ta180m/zenmonitor3";
+    license = licenses.mit;
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    maintainers = with maintainers; [ alexbakker artturin ];
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/zenpower/default.nix b/nixpkgs/pkgs/os-specific/linux/zenpower/default.nix
new file mode 100644
index 000000000000..1ba01a1c88fb
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zenpower/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, kernel, fetchFromGitHub, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  pname = "zenpower";
+  version = "unstable-2022-04-13";
+
+  src = fetchFromGitHub {
+    owner = "Ta180m";
+    repo = "zenpower3";
+    rev = "c36a86c64b802e9b90b5166caee6a8e8eddaeb56";
+    sha256 = "1i9ap7xgab421f3c68mcmad25xs4h8pfz0g0f9yzg7hxpmb0npxi";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [ "KERNEL_BUILD=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  installPhase = ''
+    install -D zenpower.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon/zenpower/"
+  '';
+
+  meta = with lib; {
+    description = "Linux kernel driver for reading temperature, voltage(SVI2), current(SVI2) and power(SVI2) for AMD Zen family CPUs.";
+    homepage = "https://github.com/Ta180m/zenpower3";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ alexbakker artturin ];
+    platforms = [ "x86_64-linux" ];
+    broken = versionOlder kernel.version "4.14";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/linux/zenstates/default.nix b/nixpkgs/pkgs/os-specific/linux/zenstates/default.nix
new file mode 100644
index 000000000000..8e31073151ba
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zenstates/default.nix
@@ -0,0 +1,52 @@
+# Zenstates provides access to a variety of CPU tunables no Ryzen processors.
+#
+# In particular, I am adding Zenstates because I need it to disable the C6
+# sleep state to stabilize wake from sleep on my Lenovo x395 system. After
+# installing Zenstates, I need a before-sleep script like so:
+#
+# before-sleep = pkgs.writeScript "before-sleep" ''
+#   #!${pkgs.bash}/bin/bash
+#   ${pkgs.zenstates}/bin/zenstates --c6-disable
+# '';
+#
+# ...
+#
+# systemd.services.before-sleep = {
+#     description = "Jobs to run before going to sleep";
+#     serviceConfig = {
+#       Type = "oneshot";
+#       ExecStart = "${before-sleep}";
+#     };
+#     wantedBy = [ "sleep.target" ];
+#     before = [ "sleep.target" ];
+#   };
+
+{ lib, stdenv, fetchFromGitHub, python3 }:
+stdenv.mkDerivation rec {
+  pname = "zenstates";
+  version = "0.0.1";
+
+  src = fetchFromGitHub {
+    owner = "r4m0n";
+    repo = "ZenStates-Linux";
+    rev = "0bc27f4740e382f2a2896dc1dabfec1d0ac96818";
+    sha256 = "1h1h2n50d2cwcyw3zp4lamfvrdjy1gjghffvl3qrp6arfsfa615y";
+  };
+
+  buildInputs = [ python3 ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp $src/zenstates.py $out/bin/zenstates
+    chmod +x $out/bin/zenstates
+    patchShebangs --build $out/bin/zenstates
+    '';
+
+  meta = with lib; {
+    description = "Linux utility for Ryzen processors and motherboards";
+    homepage = "https://github.com/r4m0n/ZenStates-Linux";
+    license = licenses.mit;
+    maintainers = with maintainers; [ savannidgerinel ];
+    platforms = platforms.linux;
+  };
+}
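Review bot: `patchShebangs --build $out/bin/zenstates` resolves the interpreter from build-platform tools, while `python3` is declared in `buildInputs` and the installed script runs on the host. Using `patchShebangs --host $out/bin/zenstates` matches that and keeps a cross build from baking a build-platform interpreter into the output. The header comment wires the tool into a oneshot systemd unit, which by default runs as root. A comment line stating what access the script needs (presumably root and the CPU MSR device, to be confirmed against upstream) would tell users why it cannot run unprivileged. The first comment line also has a typo: `no Ryzen processors` should read `on Ryzen processors`.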
diff --git a/nixpkgs/pkgs/os-specific/linux/zfs/default.nix b/nixpkgs/pkgs/os-specific/linux/zfs/default.nix
new file mode 100644
index 000000000000..5d55d1db6574
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zfs/default.nix
@@ -0,0 +1,244 @@
+{ pkgs, lib, stdenv, fetchFromGitHub
+, autoreconfHook269, util-linux, nukeReferences, coreutils
+, perl, nixosTests
+, configFile ? "all"
+
+# Userspace dependencies
+, zlib, libuuid, python3, attr, openssl
+, libtirpc
+, nfs-utils, samba
+, gawk, gnugrep, gnused, systemd
+, smartmontools, enableMail ? false
+, sysstat, pkg-config
+
+# Kernel dependencies
+, kernel ? null
+, enablePython ? true
+
+# for determining the latest compatible linuxPackages
+, linuxPackages_5_18 ? pkgs.linuxKernel.packages.linux_5_18
+}:
+
+let
+  inherit (lib) any optionalString optionals optional makeBinPath;
+
+  smartmon = smartmontools.override { inherit enableMail; };
+
+  buildKernel = any (n: n == configFile) [ "kernel" "all" ];
+  buildUser = any (n: n == configFile) [ "user" "all" ];
+
+  # XXX: You always want to build kernel modules with the same stdenv as the
+  # kernel was built with. However, since zfs can also be built for userspace we
+  # need to correctly pick between the provided/default stdenv, and the one used
+  # by the kernel.
+  # If you don't do this your ZFS builds will fail on any non-standard (e.g.
+  # clang-built) kernels.
+  stdenv' = if kernel == null then stdenv else kernel.stdenv;
+
+  common = { version
+    , sha256
+    , extraPatches ? []
+    , rev ? "zfs-${version}"
+    , isUnstable ? false
+    , latestCompatibleLinuxPackages
+    , kernelCompatible ? null }:
+
+    stdenv'.mkDerivation {
+      name = "zfs-${configFile}-${version}${optionalString buildKernel "-${kernel.version}"}";
+
+      src = fetchFromGitHub {
+        owner = "openzfs";
+        repo = "zfs";
+        inherit rev sha256;
+      };
+
+      patches = extraPatches;
+
+      postPatch = optionalString buildKernel ''
+        patchShebangs scripts
+        # The arrays must remain the same length, so we repeat a flag that is
+        # already part of the command and therefore has no effect.
+        substituteInPlace ./module/os/linux/zfs/zfs_ctldir.c \
+          --replace '"/usr/bin/env", "umount"' '"${util-linux}/bin/umount", "-n"' \
+          --replace '"/usr/bin/env", "mount"'  '"${util-linux}/bin/mount", "-n"'
+      '' + optionalString buildUser ''
+        substituteInPlace ./lib/libshare/os/linux/nfs.c --replace "/usr/sbin/exportfs" "${
+          # We don't *need* python support, but we set it like this to minimize closure size:
+          # If it's disabled by default, no need to enable it, even if we have python enabled
+          # And if it's enabled by default, only change that if we explicitly disable python to remove python from the closure
+          nfs-utils.override (old: { enablePython = old.enablePython or true && enablePython; })
+        }/bin/exportfs"
+        substituteInPlace ./lib/libshare/smb.h        --replace "/usr/bin/net"            "${samba}/bin/net"
+        substituteInPlace ./config/user-systemd.m4    --replace "/usr/lib/modules-load.d" "$out/etc/modules-load.d"
+        substituteInPlace ./config/zfs-build.m4       --replace "\$sysconfdir/init.d"     "$out/etc/init.d" \
+                                                      --replace "/etc/default"            "$out/etc/default"
+        substituteInPlace ./etc/zfs/Makefile.am       --replace "\$(sysconfdir)"          "$out/etc"
+
+        substituteInPlace ./contrib/initramfs/hooks/Makefile.am \
+          --replace "/usr/share/initramfs-tools/hooks" "$out/usr/share/initramfs-tools/hooks"
+        substituteInPlace ./contrib/initramfs/Makefile.am \
+          --replace "/usr/share/initramfs-tools" "$out/usr/share/initramfs-tools"
+        substituteInPlace ./contrib/initramfs/scripts/Makefile.am \
+          --replace "/usr/share/initramfs-tools/scripts" "$out/usr/share/initramfs-tools/scripts"
+        substituteInPlace ./contrib/initramfs/scripts/local-top/Makefile.am \
+          --replace "/usr/share/initramfs-tools/scripts/local-top" "$out/usr/share/initramfs-tools/scripts/local-top"
+        substituteInPlace ./contrib/initramfs/scripts/Makefile.am \
+          --replace "/usr/share/initramfs-tools/scripts" "$out/usr/share/initramfs-tools/scripts"
+        substituteInPlace ./contrib/initramfs/scripts/local-top/Makefile.am \
+          --replace "/usr/share/initramfs-tools/scripts/local-top" "$out/usr/share/initramfs-tools/scripts/local-top"
+        substituteInPlace ./etc/systemd/system/Makefile.am \
+          --replace '$(DESTDIR)$(systemdunitdir)' "$out"'$(DESTDIR)$(systemdunitdir)'
+
+        substituteInPlace ./contrib/initramfs/conf.d/Makefile.am \
+          --replace "/usr/share/initramfs-tools/conf.d" "$out/usr/share/initramfs-tools/conf.d"
+        substituteInPlace ./contrib/initramfs/conf-hooks.d/Makefile.am \
+          --replace "/usr/share/initramfs-tools/conf-hooks.d" "$out/usr/share/initramfs-tools/conf-hooks.d"
+
+        substituteInPlace ./cmd/vdev_id/vdev_id \
+          --replace "PATH=/bin:/sbin:/usr/bin:/usr/sbin" \
+          "PATH=${makeBinPath [ coreutils gawk gnused gnugrep systemd ]}"
+      '';
+
+      nativeBuildInputs = [ autoreconfHook269 nukeReferences ]
+        ++ optionals buildKernel (kernel.moduleBuildDependencies ++ [ perl ])
+        ++ optional buildUser pkg-config;
+      buildInputs = optionals buildUser [ zlib libuuid attr libtirpc ]
+        ++ optional buildUser openssl
+        ++ optional (buildUser && enablePython) python3;
+
+      # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work
+      NIX_CFLAGS_LINK = "-lgcc_s";
+
+      hardeningDisable = [ "fortify" "stackprotector" "pic" ];
+
+      configureFlags = [
+        "--with-config=${configFile}"
+        "--with-tirpc=1"
+        (lib.withFeatureAs (buildUser && enablePython) "python" python3.interpreter)
+      ] ++ optionals buildUser [
+        "--with-dracutdir=$(out)/lib/dracut"
+        "--with-udevdir=$(out)/lib/udev"
+        "--with-systemdunitdir=$(out)/etc/systemd/system"
+        "--with-systemdpresetdir=$(out)/etc/systemd/system-preset"
+        "--with-systemdgeneratordir=$(out)/lib/systemd/system-generator"
+        "--with-mounthelperdir=$(out)/bin"
+        "--libexecdir=$(out)/libexec"
+        "--sysconfdir=/etc"
+        "--localstatedir=/var"
+        "--enable-systemd"
+      ] ++ optionals buildKernel ([
+        "--with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
+        "--with-linux-obj=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+      ] ++ kernel.makeFlags);
+
+      makeFlags = optionals buildKernel kernel.makeFlags;
+
+      enableParallelBuilding = true;
+
+      installFlags = [
+        "sysconfdir=\${out}/etc"
+        "DEFAULT_INITCONF_DIR=\${out}/default"
+        "INSTALL_MOD_PATH=\${out}"
+      ];
+
+      # Enabling BTF causes zfs to be build with debug symbols.
+      # Since zfs compress kernel modules on installation, our strip hooks skip stripping them.
+      # Hence we strip modules prior to compression.
+      postBuild = optionalString buildKernel ''
+         find . -name "*.ko" -print0 | xargs -0 -P$NIX_BUILD_CORES ${stdenv.cc.targetPrefix}strip --strip-debug
+      '';
+
+      postInstall = optionalString buildKernel ''
+        # Add reference that cannot be detected due to compressed kernel module
+        mkdir -p "$out/nix-support"
+        echo "${util-linux}" >> "$out/nix-support/extra-refs"
+      '' + optionalString buildUser ''
+        # Remove provided services as they are buggy
+        rm $out/etc/systemd/system/zfs-import-*.service
+
+        sed -i '/zfs-import-scan.service/d' $out/etc/systemd/system/*
+
+        for i in $out/etc/systemd/system/*; do
+        substituteInPlace $i --replace "zfs-import-cache.service" "zfs-import.target"
+        done
+
+        # Remove tests because they add a runtime dependency on gcc
+        rm -rf $out/share/zfs/zfs-tests
+
+        # Add Bash completions.
+        install -v -m444 -D -t $out/share/bash-completion/completions contrib/bash_completion.d/zfs
+        (cd $out/share/bash-completion/completions; ln -s zfs zpool)
+      '';
+
+      postFixup = let
+        path = "PATH=${makeBinPath [ coreutils gawk gnused gnugrep util-linux smartmon sysstat ]}:$PATH";
+      in ''
+        for i in $out/libexec/zfs/zpool.d/*; do
+          sed -i '2i${path}' $i
+        done
+      '';
+
+      outputs = [ "out" ] ++ optionals buildUser [ "dev" ];
+
+      passthru = {
+        inherit enableMail latestCompatibleLinuxPackages;
+
+        tests =
+          if isUnstable then [
+            nixosTests.zfs.unstable
+          ] else [
+            nixosTests.zfs.installer
+            nixosTests.zfs.stable
+          ];
+      };
+
+      meta = {
+        description = "ZFS Filesystem Linux Kernel module";
+        longDescription = ''
+          ZFS is a filesystem that combines a logical volume manager with a
+          Copy-On-Write filesystem with data integrity detection and repair,
+          snapshotting, cloning, block devices, deduplication, and more.
+        '';
+        homepage = "https://github.com/openzfs/zfs";
+        changelog = "https://github.com/openzfs/zfs/releases/tag/zfs-${version}";
+        license = lib.licenses.cddl;
+        platforms = lib.platforms.linux;
+        maintainers = with lib.maintainers; [ hmenke jcumming jonringer wizeman globin ];
+        mainProgram = "zfs";
+        # If your Linux kernel version is not yet supported by zfs, try zfsUnstable.
+        # On NixOS set the option boot.zfs.enableUnstable.
+        broken = buildKernel && (kernelCompatible != null) && !kernelCompatible;
+      };
+    };
+in {
+  # also check if kernel version constraints in
+  # ./nixos/modules/tasks/filesystems/zfs.nix needs
+  # to be adapted
+  zfsStable = common {
+    # check the release notes for compatible kernels
+    kernelCompatible = kernel.kernelOlder "5.19";
+    latestCompatibleLinuxPackages = linuxPackages_5_18;
+
+    # this package should point to the latest release.
+    version = "2.1.5";
+
+    sha256 = "sha256-a9rmuPO8R8UfxdHvwjfFuYRGn97a1MPmLZRvr3l0swE=";
+  };
+
+  zfsUnstable = common {
+    # check the release notes for compatible kernels
+    kernelCompatible = kernel.kernelOlder "5.19";
+    latestCompatibleLinuxPackages = linuxPackages_5_18;
+
+    # this package should point to a version / git revision compatible with the latest kernel release
+    # IMPORTANT: Always use a tagged release candidate or commits from the
+    # zfs-<version>-staging branch, because this is tested by the OpenZFS
+    # maintainers.
+    version = "2.1.5";
+    # rev = "0000000000000000000000000000000000000000";
+
+    sha256 = "sha256-a9rmuPO8R8UfxdHvwjfFuYRGn97a1MPmLZRvr3l0swE=";
+
+    isUnstable = true;
+  };
+}
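Review bot: `hardeningDisable = [ "fortify" "stackprotector" "pic" ];` in `common` is unconditional, so the userspace tools and libraries built when `buildUser` is true are compiled without fortify and stack protector as well, not just the kernel module. If only the module build needs these off, a `configFile = "user"` build could keep them with `hardeningDisable = optionals buildKernel [ "fortify" "stackprotector" "pic" ];`; whether the userland builds cleanly with them enabled needs checking. Otherwise add a comment above the line saying why the userland needs them disabled. Separately, in `postPatch` the two `substituteInPlace` calls for `contrib/initramfs/scripts/Makefile.am` and `contrib/initramfs/scripts/local-top/Makefile.am` are repeated verbatim right after each other, and the second pair can be deleted.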
diff --git a/nixpkgs/pkgs/os-specific/linux/zsa-udev-rules/default.nix b/nixpkgs/pkgs/os-specific/linux/zsa-udev-rules/default.nix
new file mode 100644
index 000000000000..3dfc2354fae3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/zsa-udev-rules/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "zsa-udev-rules";
+  version = "2.1.3";
+
+  src = fetchFromGitHub {
+    owner = "zsa";
+    repo = "wally";
+    rev = "${version}-linux";
+    sha256 = "mZzXKFKlO/jAitnqzfvmIHp46A+R3xt2gOhVC3qN6gM=";
+  };
+
+  # Only copies udevs rules
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  installPhase = ''
+    mkdir -p $out/lib/udev/rules.d
+    cp dist/linux64/50-oryx.rules $out/lib/udev/rules.d/
+    cp dist/linux64/50-wally.rules $out/lib/udev/rules.d/
+  '';
+
+  meta = with lib; {
+    description = "udev rules for ZSA devices";
+    license = licenses.mit;
+    maintainers = with maintainers; [ davidak ];
+    platforms = platforms.linux;
+    homepage = "https://github.com/zsa/wally/wiki/Linux-install#2-create-a-udev-rule-file";
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/solo5/default.nix b/nixpkgs/pkgs/os-specific/solo5/default.nix
new file mode 100644
index 000000000000..c50cea7b3850
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/solo5/default.nix
@@ -0,0 +1,77 @@
+{ lib, stdenv, fetchurl, dosfstools, libseccomp, makeWrapper, mtools, parted
+, pkg-config, qemu, syslinux, util-linux }:
+
+let
+  version = "0.7.3";
+  # list of all theoretically available targets
+  targets = [
+    "genode"
+    "hvt"
+    "muen"
+    "spt"
+    "virtio"
+    "xen"
+  ];
+in stdenv.mkDerivation {
+  pname = "solo5";
+  inherit version;
+
+  nativeBuildInputs = [ makeWrapper pkg-config ];
+  buildInputs = lib.optional (stdenv.hostPlatform.isLinux) libseccomp;
+
+  src = fetchurl {
+    url = "https://github.com/Solo5/solo5/releases/download/v${version}/solo5-v${version}.tar.gz";
+    sha256 = "sha256-8LftT22XzmmWxgYez+BAHDX4HOyl5DrwrpuO2+bqqcY=";
+  };
+
+  patches = [ ./fix_paths.patch ./test_sleep.patch ];
+
+  hardeningEnable = [ "pie" ];
+
+  configurePhase = ''
+    runHook preConfigure
+    sh configure.sh --prefix=/
+    runHook postConfigure
+  '';
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+    export DESTDIR=$out
+    export PREFIX=$out
+    make install
+
+    substituteInPlace $out/bin/solo5-virtio-mkimage \
+      --replace "/usr/lib/syslinux" "${syslinux}/share/syslinux" \
+      --replace "/usr/share/syslinux" "${syslinux}/share/syslinux" \
+      --replace "cp " "cp --no-preserve=mode "
+
+    wrapProgram $out/bin/solo5-virtio-mkimage \
+      --prefix PATH : ${lib.makeBinPath [ dosfstools mtools parted syslinux ]}
+
+    runHook postInstall
+  '';
+
+  doCheck = stdenv.hostPlatform.isLinux;
+  checkInputs = [ util-linux qemu ];
+  checkPhase = ''
+    runHook preCheck
+    patchShebangs tests
+    ./tests/bats-core/bats ./tests/tests.bats
+    runHook postCheck
+  '';
+
+  meta = with lib; {
+    description = "Sandboxed execution environment";
+    homepage = "https://github.com/solo5/solo5";
+    license = licenses.isc;
+    maintainers = [ maintainers.ehmry ];
+    platforms = builtins.map ({arch, os}: "${arch}-${os}")
+      (cartesianProductOfSets {
+        arch = [ "aarch64" "x86_64" ];
+        os = [ "freebsd" "genode" "linux" "openbsd" ];
+      });
+  };
+
+}
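Review bot: `--replace "cp " "cp --no-preserve=mode "` in `installPhase` rewrites every occurrence of the characters `cp ` in `solo5-virtio-mkimage`, including any that sit inside a longer word or a comment. Matching the full command text that needs the flag would keep the substitution from touching unrelated lines when upstream edits the script. The combination of `sh configure.sh --prefix=/` with both `DESTDIR` and `PREFIX` exported as `$out` also deserves a one-line comment explaining which of the three the upstream Makefile actually honours.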
diff --git a/nixpkgs/pkgs/os-specific/solo5/fix_paths.patch b/nixpkgs/pkgs/os-specific/solo5/fix_paths.patch
new file mode 100644
index 000000000000..8895de311dae
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/solo5/fix_paths.patch
@@ -0,0 +1,29 @@
+diff --git a/toolchain/cc.in b/toolchain/cc.in
+index 337562a..0ec9315 100644
+--- a/toolchain/cc.in
++++ b/toolchain/cc.in
+@@ -30,9 +30,9 @@
+ # symbols.
+ 
+ prog="$(basename $0)"
+-I="$(dirname $0)/../include"
++I="$(realpath $0 | xargs dirname)/../include"
+ [ ! -d "${I}" ] && echo "$prog: Could not determine include path" 1>&2 && exit 1
+-L="$(dirname $0)/../lib/@@CONFIG_TARGET_TRIPLE@@"
++L="$(realpath $0 | xargs dirname)/../lib/@@CONFIG_TARGET_TRIPLE@@"
+ [ ! -d "${L}" ] && echo "$prog: Could not determine library path" 1>&2 && exit 1
+ # we can't really tell if 'cc' is called with no input, but work around the
+ # most obvious cases and stop them from "succeeding" and producing an "a.out"
+diff --git a/toolchain/ld.in b/toolchain/ld.in
+index 01dffa8..13dca2c 100644
+--- a/toolchain/ld.in
++++ b/toolchain/ld.in
+@@ -28,7 +28,7 @@
+ # linking a unikernel. No default for ABI is provided, as it is expected that a
+ # caller directly using 'ld' knows what they are doing.
+ 
+-L="$(dirname $0)/../lib/@@CONFIG_TARGET_TRIPLE@@"
++L="$(realpath $0 | xargs dirname)/../lib/@@CONFIG_TARGET_TRIPLE@@"
+ [ ! -d "${L}" ] && echo "$0: Could not determine library path" 1>&2 && exit 1
+ # ld accepts -z solo5-abi=ABI, but does not provide a default ABI
+ # this is intentional
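Review bot: `$(realpath $0 | xargs dirname)` leaves `$0` unquoted and pipes the resolved path through `xargs`, which splits on whitespace and interprets quotes and backslashes. A wrapper installed under a path containing such characters therefore computes the wrong `I` and `L` directories and either aborts at the `-d` checks or picks up a different directory. `I="$(dirname "$(realpath "$0")")/../include"` resolves the symlink the same way without word splitting. The `L=` assignments in `cc.in` and `ld.in` should take the same form, `L="$(dirname "$(realpath "$0")")/../lib/@@CONFIG_TARGET_TRIPLE@@"`.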
diff --git a/nixpkgs/pkgs/os-specific/solo5/test_sleep.patch b/nixpkgs/pkgs/os-specific/solo5/test_sleep.patch
new file mode 100644
index 000000000000..f86a83d09dec
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/solo5/test_sleep.patch
@@ -0,0 +1,22 @@
+diff --git a/tests/test_time/test_time.c b/tests/test_time/test_time.c
+index 931500b..cde64ad 100644
+--- a/tests/test_time/test_time.c
++++ b/tests/test_time/test_time.c
+@@ -110,7 +110,8 @@ int solo5_app_main(const struct solo5_start_info *si __attribute__((unused)))
+         /*
+          * Verify that we did not sleep less than requested (see above).
+          */
+-        if (delta < NSEC_PER_SEC) {
++        const solo5_time_t slack = 100000000ULL;
++        if (delta < NSEC_PER_SEC - slack) {
+             printf("[%d] ERROR: slept too little (expected at least %llu ns)\n",
+                     iters, (unsigned long long)NSEC_PER_SEC);
+             failed = true;
+@@ -120,7 +121,6 @@ int solo5_app_main(const struct solo5_start_info *si __attribute__((unused)))
+          * Verify that we did not sleep more than requested, within reason
+          * (scheduling delays, general inaccuracy of the current timing code).
+          */
+-        const solo5_time_t slack = 100000000ULL;
+         if (delta > (NSEC_PER_SEC + slack)) {
+             printf("[%d] ERROR: slept too much (expected at most %llu ns)\n",
+                     iters, (unsigned long long)slack);
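Review bot: The relaxed lower bound `if (delta < NSEC_PER_SEC - slack)` no longer agrees with the text around it: the comment above still says the test verifies "we did not sleep less than requested", and the error message still prints `NSEC_PER_SEC` as the minimum. Print the bound that is actually enforced, `(unsigned long long)(NSEC_PER_SEC - slack)`, and update the comment to say that sleeping up to `slack` short is tolerated. The patch carries no explanation of why the check is loosened; a short header in `test_sleep.patch`, or a comment next to it in `default.nix`, should record the reason. `solo5_app_main` starts and ends outside these hunks.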
diff --git a/nixpkgs/pkgs/os-specific/windows/cygwin-setup/default.nix b/nixpkgs/pkgs/os-specific/windows/cygwin-setup/default.nix
new file mode 100644
index 000000000000..91dad81f1f52
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/cygwin-setup/default.nix
@@ -0,0 +1,46 @@
+{ lib, stdenv, fetchcvs, autoconf, automake, libtool, flex, bison, pkg-config
+, zlib, bzip2, xz, libgcrypt
+}:
+
+with lib;
+
+stdenv.mkDerivation rec {
+  pname = "cygwin-setup";
+  version = "20131101";
+
+  src = fetchcvs {
+    cvsRoot = ":pserver:anoncvs@cygwin.com:/cvs/cygwin-apps";
+    module = "setup";
+    date = version;
+    sha256 = "024wxaaxkf7p1i78bh5xrsqmfz7ss2amigbfl2r5w9h87zqn9aq3";
+  };
+
+  nativeBuildInputs = [ autoconf automake libtool flex bison pkg-config ];
+
+  buildInputs = let
+    mkStatic = flip overrideDerivation (o: {
+      dontDisableStatic = true;
+      configureFlags = toList (o.configureFlags or []) ++ [ "--enable-static" ];
+      buildInputs = map mkStatic (o.buildInputs or []);
+      propagatedBuildInputs = map mkStatic (o.propagatedBuildInputs or []);
+    });
+  in map mkStatic [ zlib bzip2 xz libgcrypt ];
+
+  configureFlags = [ "--disable-shared" ];
+
+  dontDisableStatic = true;
+
+  preConfigure = ''
+    autoreconf -vfi
+  '';
+
+  installPhase = ''
+    install -vD setup.exe "$out/bin/setup.exe"
+  '';
+
+  meta = {
+    homepage = "https://sourceware.org/cygwin-apps/setup.html";
+    description = "A tool for installing Cygwin";
+    license = licenses.gpl2Plus;
+  };
+}
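Review bot: The `fetchcvs` source is selected by `date = version` over anonymous `:pserver:`, a transport with no encryption or server authentication, so the `sha256` is the only thing binding the build to a known tree. A comment above `src` should say that, e.g. `# pserver is unauthenticated; integrity rests on sha256 alone`. The recursive `mkStatic` override rebuilds `zlib`, `bzip2`, `xz` and `libgcrypt` and their inputs outside the shared package set, so a one-line comment on why static linking is required would justify the separate copies. `meta` also lacks `platforms` and `maintainers`.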
diff --git a/nixpkgs/pkgs/os-specific/windows/default.nix b/nixpkgs/pkgs/os-specific/windows/default.nix
new file mode 100644
index 000000000000..c34f97a17db2
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/default.nix
@@ -0,0 +1,47 @@
+{ lib, stdenv, buildPackages
+, newScope, overrideCC, crossLibcStdenv, libcCross
+}:
+
+lib.makeScope newScope (self: with self; {
+
+  cygwinSetup = callPackage ./cygwin-setup { };
+
+  jom = callPackage ./jom { };
+
+  w32api = callPackage ./w32api { };
+
+  mingwrt = callPackage ./mingwrt { };
+  mingw_runtime = mingwrt;
+
+  mingw_w64 = callPackage ./mingw-w64 {
+    stdenv = crossLibcStdenv;
+  };
+
+  crossThreadsStdenv = overrideCC crossLibcStdenv
+    (if stdenv.hostPlatform.useLLVM or false
+     then buildPackages.llvmPackages_8.clangNoLibcxx
+     else buildPackages.gccCrossStageStatic.override (old: {
+       bintools = old.bintools.override {
+         libc = libcCross;
+       };
+       libc = libcCross;
+     }));
+
+  mingw_w64_headers = callPackage ./mingw-w64/headers.nix { };
+
+  mingw_w64_pthreads = callPackage ./mingw-w64/pthreads.nix {
+    stdenv = crossThreadsStdenv;
+  };
+
+  mcfgthreads = callPackage ./mcfgthreads {
+    stdenv = crossThreadsStdenv;
+  };
+
+  npiperelay = callPackage ./npiperelay { };
+
+  pthreads = callPackage ./pthread-w32 { };
+
+  wxMSW = callPackage ./wxMSW-2.8 { };
+
+  libgnurx = callPackage ./libgnurx { };
+})
diff --git a/nixpkgs/pkgs/os-specific/windows/jom/default.nix b/nixpkgs/pkgs/os-specific/windows/jom/default.nix
new file mode 100644
index 000000000000..dfd3f3ff19c3
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/jom/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchgit, qt48, qmake4Hook, flex }:
+
+# At the time of committing this, the expression fails for me to cross-build in
+# both mingw32 and mingw64.
+
+stdenv.mkDerivation {
+  pname = "jom";
+  version = "1.0.11";
+
+  src = fetchgit {
+    url = "git://gitorious.org/qt-labs/jom.git";
+    rev = "c91a204b05f97eef3c73aaaba3036e20f79fd487";
+    sha256 = "6d3ac84f83bb045213903d9d5340c0447c8fe41671d1dcdeae5c40b66d62ccbf";
+  };
+
+  buildInputs = [ qt48 ];
+  nativeBuildInputs = [ flex qmake4Hook ];
+
+  QTDIR = qt48;
+
+  # cmakeFlags = [ "-DWIN32=1" "-DCMAKE_SYSTEM_NAME=Windows" "-DCMAKE_RC_COMPILER=${stdenv.cc.targetPrefix}windres" ];
+
+  preBuild = lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) ''
+    export NIX_CROSS_CFLAGS_COMPILE=-fpermissive
+  '';
+
+  meta = {
+    homepage = "https://qt-project.org/wiki/jom";
+    description = "Clone of nmake supporting multiple independent commands in parallel";
+    license = lib.licenses.gpl2Plus; # Explicitly, GPLv2 or GPLv3, but not later.
+  };
+}
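Review bot: `url = "git://gitorious.org/qt-labs/jom.git";` fetches over the plain git protocol, which has no encryption or server authentication, from a hosting service that has been discontinued. The derivation can therefore only build from an already-cached source, and only `sha256` guards its content. Point `fetchgit` at the project's current https location (`url = "https://<current-upstream-host>/jom.git";`, placeholder to be filled in) and keep the pinned `rev`. The license comment `Explicitly, GPLv2 or GPLv3, but not later` contradicts `lib.licenses.gpl2Plus`, which means "2 or any later version". A list such as `with lib.licenses; [ gpl2Only gpl3Only ]` would express what the comment says.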
diff --git a/nixpkgs/pkgs/os-specific/windows/libgnurx/default.nix b/nixpkgs/pkgs/os-specific/windows/libgnurx/default.nix
new file mode 100644
index 000000000000..e760bddabfbf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/libgnurx/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl }:
+
+let
+  version = "2.5.1";
+in stdenv.mkDerivation rec {
+  pname = "libgnurx";
+  inherit version;
+  src = fetchurl {
+    url = "mirror://sourceforge/mingw/Other/UserContributed/regex/mingw-regex-${version}/mingw-${pname}-${version}-src.tar.gz";
+    sha256 = "0xjxcxgws3bblybw5zsp9a4naz2v5bs1k3mk8dw00ggc0vwbfivi";
+  };
+
+  # file looks for libgnurx.a when compiling statically
+  postInstall = lib.optionalString stdenv.hostPlatform.isStatic ''
+    ln -s $out/lib/libgnurx{.dll.a,.a}
+  '';
+
+  meta = {
+    platforms = lib.platforms.windows;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mcfgthreads/default.nix b/nixpkgs/pkgs/os-specific/windows/mcfgthreads/default.nix
new file mode 100644
index 000000000000..45c80ab89796
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mcfgthreads/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchFromGitHub, autoreconfHook }:
+
+stdenv.mkDerivation {
+  pname = "mcfgthreads";
+  version = "git";
+
+  src = fetchFromGitHub {
+    owner = "lhmouse";
+    repo = "mcfgthread";
+    rev = "c446cf4fcdc262fc899a188a4bb7136284c34222";
+    sha256 = "1ib90lrd4dz8irq4yvzwhxqa86i5vxl2q2z3z04sf1i8hw427p2f";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  # Don't want prebuilt binaries sneaking in.
+  postUnpack = ''
+    rm -r "$sourceRoot/debug" "$sourceRoot/release"
+  '';
+
+  nativeBuildInputs = [
+    autoreconfHook
+  ];
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mingw-w64/default.nix b/nixpkgs/pkgs/os-specific/windows/mingw-w64/default.nix
new file mode 100644
index 000000000000..569b149868ff
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mingw-w64/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, windows, fetchurl }:
+
+let
+  version = "9.0.0";
+in stdenv.mkDerivation {
+  pname = "mingw-w64";
+  inherit version;
+
+  src = fetchurl {
+    url = "mirror://sourceforge/mingw-w64/mingw-w64-v${version}.tar.bz2";
+    sha256 = "10a15bi4lyfi0k0haj0klqambicwma6yi7vssgbz8prg815vja8r";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  configureFlags = [
+    "--enable-idl"
+    "--enable-secure-api"
+  ];
+
+  enableParallelBuilding = true;
+
+  buildInputs = [ windows.mingw_w64_headers ];
+  hardeningDisable = [ "stackprotector" "fortify" ];
+
+  meta = {
+    platforms = lib.platforms.windows;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mingw-w64/headers.nix b/nixpkgs/pkgs/os-specific/windows/mingw-w64/headers.nix
new file mode 100644
index 000000000000..1fd27a8c4573
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mingw-w64/headers.nix
@@ -0,0 +1,11 @@
+{ stdenvNoCC, mingw_w64 }:
+
+stdenvNoCC.mkDerivation {
+  name = "${mingw_w64.name}-headers";
+  inherit (mingw_w64) src meta;
+
+  preConfigure = ''
+    cd mingw-w64-headers
+  '';
+
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mingw-w64/pthreads.nix b/nixpkgs/pkgs/os-specific/windows/mingw-w64/pthreads.nix
new file mode 100644
index 000000000000..3b143efed1d7
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mingw-w64/pthreads.nix
@@ -0,0 +1,16 @@
+{ stdenv, mingw_w64 }:
+
+stdenv.mkDerivation {
+  name = "${mingw_w64.name}-pthreads";
+  inherit (mingw_w64) src meta;
+
+  configureFlags = [
+    # Rustc require 'libpthread.a' when targeting 'x86_64-pc-windows-gnu'.
+    # Enabling this makes it work out of the box instead of failing.
+    "--enable-static"
+  ];
+
+  preConfigure = ''
+    cd mingw-w64-libraries/winpthreads
+  '';
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/mingwrt/default.nix b/nixpkgs/pkgs/os-specific/windows/mingwrt/default.nix
new file mode 100644
index 000000000000..5bf6951cd434
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/mingwrt/default.nix
@@ -0,0 +1,18 @@
+{ stdenv, lib, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "mingwrt";
+  version = "5.0.2";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/mingw/MinGW/Base/mingwrt/mingwrt-${version}/mingwrt-${version}-mingw32-src.tar.xz";
+    sha256 = "1vj6f578wcffdmy7zzf7xz1lw57kxjy08j0k1n28f0j4ylrk68vp";
+  };
+
+  meta = {
+    platforms = lib.platforms.windows;
+  };
+
+  dontStrip = true;
+  hardeningDisable = [ "stackprotector" "fortify" ];
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/npiperelay/default.nix b/nixpkgs/pkgs/os-specific/windows/npiperelay/default.nix
new file mode 100644
index 000000000000..edc83a27e551
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/npiperelay/default.nix
@@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "npiperelay";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "jstarks";
+    repo = "npiperelay";
+    rev = "v${version}";
+    sha256 = "sha256-cg4aZmpTysc8m1euxIO2XPv8OMnBk1DwhFcuIFHF/1o=";
+  };
+
+  vendorSha256 = null;
+
+  meta = {
+    description = "Access Windows named pipes from WSL";
+    homepage = "https://github.com/jstarks/npiperelay";
+    license = lib.licenses.mit;
+    maintainers = [ lib.maintainers.shlevy ];
+    platforms = lib.platforms.windows;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/pthread-w32/default.nix b/nixpkgs/pkgs/os-specific/windows/pthread-w32/default.nix
new file mode 100644
index 000000000000..da0fe569a480
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/pthread-w32/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchzip }:
+
+stdenv.mkDerivation {
+  pname = "pthreads-w32";
+  version = "2.9.1";
+
+  src = fetchzip {
+    url = "https://sourceware.org/pub/pthreads-win32/pthreads-w32-2-9-1-release.tar.gz";
+    sha256 = "1s8iny7g06z289ahdj0kzaxj0cd3wvjbd8j3bh9xlg7g444lhy9w";
+  };
+
+  makeFlags = [ "CROSS=${stdenv.cc.targetPrefix}" "GC-static" ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D libpthreadGC2.a $out/lib/libpthread.a
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "POSIX threads library for Windows";
+    homepage = "https://sourceware.org/pthreads-win32";
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ yana ];
+    platforms = platforms.windows;
+  };
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/w32api/default.nix b/nixpkgs/pkgs/os-specific/windows/w32api/default.nix
new file mode 100644
index 000000000000..99faeeb7a8bf
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/w32api/default.nix
@@ -0,0 +1,17 @@
+{ stdenv, fetchurl, lib }:
+
+stdenv.mkDerivation rec {
+  pname = "w32api";
+  version = "3.17-2";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/mingw/MinGW/Base/w32api/w32api-${lib.versions.majorMinor version}/w32api-${version}-mingw32-src.tar.lzma";
+    sha256 = "09rhnl6zikmdyb960im55jck0rdy5z9nlg3akx68ixn7khf3j8wb";
+  };
+
+  meta = {
+    platforms = lib.platforms.windows;
+  };
+
+  dontStrip = true;
+}
diff --git a/nixpkgs/pkgs/os-specific/windows/wxMSW-2.8/default.nix b/nixpkgs/pkgs/os-specific/windows/wxMSW-2.8/default.nix
new file mode 100644
index 000000000000..bf1e73f67b9a
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/windows/wxMSW-2.8/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchurl, compat24 ? false, compat26 ? true, unicode ? true }:
+
+stdenv.mkDerivation rec {
+  pname = "wxMSW";
+  version = "2.8.11";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/wxwindows/wxWidgets-${version}.tar.gz";
+    sha256 = "0icxd21g18d42n1ygshkpw0jnflm03iqki6r623pb5hhd7fm2ksj";
+  };
+
+  configureFlags = [
+    (if compat24 then "--enable-compat24" else "--disable-compat24")
+    (if compat26 then "--enable-compat26" else "--disable-compat26")
+    "--disable-precomp-headers"
+    (if unicode then "--enable-unicode" else "")
+    "--with-opengl"
+  ];
+
+  preConfigure = "
+    substituteInPlace configure --replace /usr /no-such-path
+  ";
+
+  postBuild = "(cd contrib/src && make)";
+
+  postInstall = "
+    (cd contrib/src && make install)
+    (cd $out/include && ln -s wx-*/* .)
+  ";
+
+  passthru = { inherit compat24 compat26 unicode; };
+
+  meta = {
+    platforms = lib.platforms.windows;
+
+    broken = true;
+  };
+}
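Review bot: `(if unicode then "--enable-unicode" else "")` puts an empty string into `configureFlags` when `unicode` is false, whereas the two compat options above it always pass an explicit enable or disable flag. Dropping the element conditionally keeps the list clean: close the list after `"--with-opengl"` and append `++ lib.optional unicode "--enable-unicode";`. Separately, `broken = true;` carries no comment giving the reason, so it is unclear what would need fixing before the package is re-enabled; a one-line `# broken: <reason>` above it would help.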