authorFrederik Rietdijk <fridh@fridh.nl>2020-10-13 19:34:34 +0200
committerFrederik Rietdijk <fridh@fridh.nl>2020-10-13 19:34:34 +0200
commit9e1943edc03c14854295d47001c2b46d7d2472de (patch)
tree3a7b08aa961782c4a8e77837e6532502c891bc5d /nixos
parentaabcf2d8f52c68ad37d72bf80d90608831450af5 (diff)
parentc5a41da563485db7e34475321e22d45941de23d0 (diff)
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2009.xml51
-rw-r--r--nixos/doc/manual/release-notes/rl-2103.xml11
-rw-r--r--nixos/modules/module-list.nix2
-rw-r--r--nixos/modules/security/acme.nix5
-rw-r--r--nixos/modules/services/misc/domoticz.nix51
-rw-r--r--nixos/modules/services/misc/gitlab.nix38
-rw-r--r--nixos/modules/services/misc/klipper.nix59
-rw-r--r--nixos/modules/services/networking/avahi-daemon.nix2
-rw-r--r--nixos/modules/services/networking/dnsdist.nix23
-rw-r--r--nixos/modules/services/x11/desktop-managers/gnome3.nix4
-rw-r--r--nixos/modules/services/x11/window-managers/xmonad.nix65
-rw-r--r--nixos/modules/services/x11/xserver.nix2
-rw-r--r--nixos/tests/acme.nix41
-rw-r--r--nixos/tests/agda.nix2
-rw-r--r--nixos/tests/all-tests.nix2
-rw-r--r--nixos/tests/avahi.nix13
-rw-r--r--nixos/tests/cagebreak.nix19
-rw-r--r--nixos/tests/common/acme/server/default.nix2
-rw-r--r--nixos/tests/ft2-clone.nix35
-rw-r--r--nixos/tests/xmonad.nix18
20 files changed, 348 insertions, 97 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 72e77ad76e1..d9ff51ae3df 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -232,29 +232,7 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
        <filename>testing-python.nix</filename> respectively.
      </para>
    </listitem>
-   <listitem>
-     <para>
-       The Mediatomb service declares new options. It also adapts existing
-       options to make the configuration generation lazy. The existing option
-       <literal>customCfg</literal> (defaults to false), when enabled, stops
-       the service configuration generation completely. It then expects the
-       users to provide their own correct configuration at the right location
-       (whereas the configuration was generated and not used at all before).
-       The new option <literal>transcodingOption</literal> (defaults to no)
-       allows a generated configuration. It makes the mediatomb service pulls
-       the necessary runtime dependencies in the nix store (whereas it was
-       generated with hardcoded values before). The new option
-       <literal>mediaDirectories</literal> allows the users to declare autoscan
-       media directories from their nixos configuration:
-       <programlisting>
-       services.mediatomb.mediaDirectories = [
-         { path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; }
-         { path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; }
-       ];
-       </programlisting>
-    </para>
-   </listitem>
- </itemizedlist>
+  </itemizedlist>
  </section>
 
  <section xmlns="http://docbook.org/ns/docbook"
@@ -873,6 +851,13 @@ CREATE ROLE postgres LOGIN SUPERUSER;
    </listitem>
    <listitem>
     <para>
+     The <literal>hardware.nvidia.optimus_prime.enable</literal> service has been renamed to
+     <literal>hardware.nvidia.prime.sync.enable</literal> and has many new enhancements.
+     Related nvidia prime settings may have also changed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
      The package <package>nextcloud17</package> has been removed and <package>nextcloud18</package> was marked as insecure
      since both of them will <link xlink:href="https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html">
      will be EOL (end of life) within the lifetime of 20.09</link>.
@@ -897,21 +882,11 @@ CREATE ROLE postgres LOGIN SUPERUSER;
     </para>
    </listitem>
    <listitem>
-     <para>
-       The mediatomb service is now using the new and maintained <literal>gerbera</literal>
-       <literal>gerbera</literal> fork instead of the unmaintained
-       <literal>mediatomb</literal> package. If you want to keep the old
-       behavior, you must declare it with:
-       <programlisting>
-       services.mediatomb.package = pkgs.mediatomb;
-       </programlisting>
-       One new option <literal>openFirewall</literal> has been introduced which
-       defaults to false. If you relied on the service declaration to add the
-       firewall rules itself before, you should now declare it with:
-       <programlisting>
-       services.mediatomb.openFirewall = true;
-       </programlisting>
-     </para>
+    <para>
+      The GNOME desktop manager no longer default installs <package>gnome3.epiphany</package>.
+      It was chosen to do this as it has a usability breaking issue (see issue <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>)
+      that makes it unsuitable to be a default app.
+    </para>
    </listitem>
   </itemizedlist>
  </section>
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index 8ce6219625c..fb1d50434b8 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -82,6 +82,17 @@
      for consistency with other X11 resources.
     </para>
    </listitem>
+   <listitem>
+    <para>
+      A number of options have been renamed in the kicad interface. <literal>oceSupport</literal>
+      has been renamed to <literal>withOCE</literal>, <literal>withOCCT</literal> has been renamed
+      to <literal>withOCC</literal>, <literal>ngspiceSupport</literal> has been renamed to
+      <literal>withNgspice</literal>, and <literal>scriptingSupport</literal> has been renamed to
+      <literal>withScripting</literal>. Additionally, <literal>kicad/base.nix</literal> no longer
+      provides default argument values since these are provided by
+      <literal>kicad/default.nix</literal>.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 39f28773eab..78cfb737177 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -442,6 +442,7 @@
   ./services/misc/dysnomia.nix
   ./services/misc/disnix.nix
   ./services/misc/docker-registry.nix
+  ./services/misc/domoticz.nix
   ./services/misc/errbot.nix
   ./services/misc/etcd.nix
   ./services/misc/ethminer.nix
@@ -466,6 +467,7 @@
   ./services/misc/irkerd.nix
   ./services/misc/jackett.nix
   ./services/misc/jellyfin.nix
+  ./services/misc/klipper.nix
   ./services/misc/logkeys.nix
   ./services/misc/leaps.nix
   ./services/misc/lidarr.nix
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 31fbc361474..5732620f290 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -122,19 +122,22 @@ let
       "--email" data.email
       "--key-type" data.keyType
     ] ++ protocolOpts
-      ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ optionals (acmeServer != null) [ "--server" acmeServer ]
       ++ concatMap (name: [ "-d" name ]) extraDomains
       ++ data.extraLegoFlags;
 
+    # Although --must-staple is common to both modes, it is not declared as a
+    # mode-agnostic argument in lego and thus must come after the mode.
     runOpts = escapeShellArgs (
       commonOpts
       ++ [ "run" ]
+      ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRunFlags
     );
     renewOpts = escapeShellArgs (
       commonOpts
       ++ [ "renew" "--reuse-key" ]
+      ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRenewFlags
     );
 
diff --git a/nixos/modules/services/misc/domoticz.nix b/nixos/modules/services/misc/domoticz.nix
new file mode 100644
index 00000000000..b1353d48404
--- /dev/null
+++ b/nixos/modules/services/misc/domoticz.nix
@@ -0,0 +1,51 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.domoticz;
+  pkgDesc = "Domoticz home automation";
+
+in {
+
+  options = {
+
+    services.domoticz = {
+      enable = mkEnableOption pkgDesc;
+
+      bind = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = "IP address to bind to.";
+      };
+
+      port = mkOption {
+        type = types.int;
+        default = 8080;
+        description = "Port to bind to for HTTP, set to 0 to disable HTTP.";
+      };
+
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services."domoticz" = {
+      description = pkgDesc;
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      serviceConfig = {
+        DynamicUser = true;
+        StateDirectory = "domoticz";
+        Restart = "always";
+        ExecStart = ''
+          ${pkgs.domoticz}/bin/domoticz -noupdates -www ${toString cfg.port} -wwwbind ${cfg.bind} -sslwww 0 -userdata /var/lib/domoticz -approot ${pkgs.domoticz}/share/domoticz/ -pidfile /var/run/domoticz.pid
+        '';
+      };
+    };
+
+  };
+
+}
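Review bot: The `ExecStart` line passes `-pidfile /var/run/domoticz.pid` while the unit sets `DynamicUser = true`, so the unprivileged dynamic user is unlikely to be able to create that file; adding `RuntimeDirectory = "domoticz";` and pointing the flag at `/run/domoticz/domoticz.pid` would keep it in a directory the service owns. `cfg.bind` is interpolated into the command line unquoted, so a value containing whitespace would be split into extra arguments; building the argument list with `escapeShellArgs` avoids that. The `bind` default of `0.0.0.0` combined with `-sslwww 0` offers the web UI over plain HTTP on every interface, which deserves a sentence in the option description, or a loopback default. `port` could use `types.port` instead of `types.int` so out-of-range values are rejected at evaluation time.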
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
index 9896b8023e4..122bc3000b4 100644
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -73,6 +73,11 @@ let
 
   redisConfig.production.url = cfg.redisUrl;
 
+  pagesArgs = [
+    "-pages-domain" gitlabConfig.production.pages.host
+    "-pages-root" "${gitlabConfig.production.shared.path}/pages"
+  ] ++ cfg.pagesExtraArgs;
+
   gitlabConfig = {
     # These are the default settings from config/gitlab.example.yml
     production = flip recursiveUpdate cfg.extraConfig {
@@ -236,6 +241,13 @@ in {
         description = "Reference to the gitaly package";
       };
 
+      packages.pages = mkOption {
+        type = types.package;
+        default = pkgs.gitlab-pages;
+        defaultText = "pkgs.gitlab-pages";
+        description = "Reference to the gitlab-pages package";
+      };
+
       statePath = mkOption {
         type = types.str;
         default = "/var/gitlab/state";
@@ -451,6 +463,12 @@ in {
         };
       };
 
+      pagesExtraArgs = mkOption {
+        type = types.listOf types.str;
+        default = [ "-listen-proxy" "127.0.0.1:8090" ];
+        description = "Arguments to pass to the gitlab-pages daemon";
+      };
+
       secrets.secretFile = mkOption {
         type = with types; nullOr path;
         default = null;
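Review bot: The description of `pagesExtraArgs` does not say that setting the option replaces the default `[ "-listen-proxy" "127.0.0.1:8090" ]` rather than appending to it, so a user who adds a single flag silently drops the loopback listener argument. I would extend it to something like `description = "Arguments to pass to the gitlab-pages daemon. Setting this replaces the default, so repeat the -listen-proxy argument if you still need it.";`. The option sits inside a larger options block that starts and ends outside the hunk.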
@@ -754,6 +772,26 @@ in {
       };
     };
 
+    systemd.services.gitlab-pages = mkIf (gitlabConfig.production.pages.enabled or false) {
+      description = "GitLab static pages daemon";
+      after = [ "network.target" "redis.service" "gitlab.service" ]; # gitlab.service creates configs
+      wantedBy = [ "multi-user.target" ];
+
+      path = [ pkgs.unzip ];
+
+      serviceConfig = {
+        Type = "simple";
+        TimeoutSec = "infinity";
+        Restart = "on-failure";
+
+        User = cfg.user;
+        Group = cfg.group;
+
+        ExecStart = "${cfg.packages.pages}/bin/gitlab-pages ${escapeShellArgs pagesArgs}";
+        WorkingDirectory = gitlabEnv.HOME;
+      };
+    };
+
     systemd.services.gitlab-workhorse = {
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
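Review bot: The new `gitlab-pages` unit runs as `cfg.user`/`cfg.group` and sets no sandboxing options in `serviceConfig`, although the daemon serves user-published site content. If that account is the one the rest of GitLab runs under, as the shared `cfg` suggests, a flaw in the pages daemon would reach GitLab's state directory with the same rights. A baseline such as `NoNewPrivileges = true;` and `PrivateTmp = true;` could be added here, with tighter filesystem restrictions once the paths the daemon needs under `gitlabConfig.production.shared.path` are confirmed. A short comment explaining why `TimeoutSec = "infinity"` is needed would also help.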
diff --git a/nixos/modules/services/misc/klipper.nix b/nixos/modules/services/misc/klipper.nix
new file mode 100644
index 00000000000..2f04c011a65
--- /dev/null
+++ b/nixos/modules/services/misc/klipper.nix
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.klipper;
+  package = pkgs.klipper;
+  format = pkgs.formats.ini { mkKeyValue = generators.mkKeyValueDefault {} ":"; };
+in
+{
+  ##### interface
+  options = {
+    services.klipper = {
+      enable = mkEnableOption "Klipper, the 3D printer firmware";
+
+      octoprintIntegration = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Allows Octoprint to control Klipper.";
+      };
+
+      settings = mkOption {
+        type = format.type;
+        default = { };
+        description = ''
+          Configuration for Klipper. See the <link xlink:href="https://www.klipper3d.org/Overview.html#configuration-and-tuning-guides">documentation</link>
+          for supported values.
+        '';
+      };
+    };
+  };
+
+  ##### implementation
+  config = mkIf cfg.enable {
+    assertions = [{
+      assertion = cfg.octoprintIntegration -> config.services.octoprint.enable;
+      message = "Option klipper.octoprintIntegration requires Octoprint to be enabled on this system. Please enable services.octoprint to use it.";
+    }];
+
+    environment.etc."klipper.cfg".source = format.generate "klipper.cfg" cfg.settings;
+
+    systemd.services.klipper = {
+      description = "Klipper 3D Printer Firmware";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        ExecStart = "${package}/lib/klipper/klippy.py --input-tty=/run/klipper/tty /etc/klipper.cfg";
+        RuntimeDirectory = "klipper";
+        SupplementaryGroups = [ "dialout" ];
+        WorkingDirectory = "${package}/lib";
+      } // (if cfg.octoprintIntegration then {
+        Group = config.services.octoprint.group;
+        User = config.services.octoprint.user;
+      } else {
+        DynamicUser = true;
+        User = "klipper";
+      });
+    };
+  };
+}
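Review bot: The `octoprintIntegration` description, `"Allows Octoprint to control Klipper."`, does not mention that enabling it makes the service run as `config.services.octoprint.user` and `.group` instead of the `DynamicUser` used otherwise, which is the part an administrator needs to know. I would write `description = "Allows Octoprint to control Klipper. When enabled, Klipper runs as the Octoprint user and group instead of a dynamic user.";`. Separately, `settings` defaults to `{ }`, so enabling the service without setting it generates an empty `/etc/klipper.cfg`. Whether klippy starts with that is not visible here, so an assertion or a sentence in the `settings` description would make the requirement explicit.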
diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix
index c876b252e8c..2900c37f990 100644
--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@@ -239,7 +239,7 @@ in
 
     system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
     system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
-      [ "mdns_minimal [NOTFOUND=return]" ]
+      (mkOrder 900 [ "mdns_minimal [NOTFOUND=return]" ]) # must be before resolve
       (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns
     ]);
 
diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix
index 8249da69bc1..c48835e7361 100644
--- a/nixos/modules/services/networking/dnsdist.nix
+++ b/nixos/modules/services/networking/dnsdist.nix
@@ -7,7 +7,7 @@ let
   configFile = pkgs.writeText "dndist.conf" ''
     setLocal('${cfg.listenAddress}:${toString cfg.listenPort}')
     ${cfg.extraConfig}
-    '';
+  '';
 in {
   options = {
     services.dnsdist = {
@@ -35,25 +35,18 @@ in {
     };
   };
 
-  config = mkIf config.services.dnsdist.enable {
+  config = mkIf cfg.enable {
+    systemd.packages = [ pkgs.dnsdist ];
+
     systemd.services.dnsdist = {
-      description = "dnsdist load balancer";
       wantedBy = [ "multi-user.target" ];
-      after = ["network.target"];
 
       serviceConfig = {
-        Restart="on-failure";
-        RestartSec="1";
         DynamicUser = true;
-        StartLimitInterval="0";
-        PrivateDevices=true;
-        AmbientCapabilities="CAP_NET_BIND_SERVICE";
-        CapabilityBoundingSet="CAP_NET_BIND_SERVICE";
-        ExecStart = "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}";
-        ProtectHome=true;
-        RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6";
-        LimitNOFILE="16384";
-        TasksMax="8192";
+
+        # upstream overrides for better nixos compatibility
+        ExecStartPre = [ "" "${pkgs.dnsdist}/bin/dnsdist --check-config --config ${configFile}" ];
+        ExecStart = [ "" "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}" ];
       };
     };
   };
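Review bot: The explicit `CapabilityBoundingSet`, `AmbientCapabilities`, `RestrictAddressFamilies`, `PrivateDevices` and `ProtectHome` settings are dropped in favour of the unit shipped in `pkgs.dnsdist` (pulled in through `systemd.packages`), but nothing in the module records or checks what that unit provides. If the packaged unit changes, the sandbox changes with it without any diff in this file. The comment above the overrides could say so, e.g. `# sandboxing and capabilities come from the unit in pkgs.dnsdist; only DynamicUser and the Exec* lines are overridden here`. A test that inspects the effective unit would catch a regression.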
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index a4edcca72c9..acccbdb9950 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -374,7 +374,9 @@ in
         baobab
         cheese
         eog
-        epiphany
+        /* Not in good standing on nixos:
+         * https://github.com/NixOS/nixpkgs/issues/98819
+        /* epiphany */
         gedit
         gnome-calculator
         gnome-calendar
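Review bot: The comment that disables `epiphany` opens a second `/*` on its last line instead of closing the first one, so it only parses because Nix block comments do not nest and the trailing `*/` ends the whole comment. It reads like a typo, and someone re-enabling the package by removing the `/* … */` around `epiphany` would leave the first comment unterminated. A line comment is clearer: `# epiphany  # not installed by default, see https://github.com/NixOS/nixpkgs/issues/98819`. The package list itself starts and ends outside the hunk.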
diff --git a/nixos/modules/services/x11/window-managers/xmonad.nix b/nixos/modules/services/x11/window-managers/xmonad.nix
index dba25da8260..b9013ca1ff9 100644
--- a/nixos/modules/services/x11/window-managers/xmonad.nix
+++ b/nixos/modules/services/x11/window-managers/xmonad.nix
@@ -4,13 +4,15 @@ with lib;
 let
   inherit (lib) mkOption mkIf optionals literalExample;
   cfg = config.services.xserver.windowManager.xmonad;
-  xmonad = pkgs.xmonad-with-packages.override {
+
+  xmonad-vanilla = pkgs.xmonad-with-packages.override {
     ghcWithPackages = cfg.haskellPackages.ghcWithPackages;
     packages = self: cfg.extraPackages self ++
                      optionals cfg.enableContribAndExtras
                      [ self.xmonad-contrib self.xmonad-extras ];
   };
-  xmonadBin = pkgs.writers.writeHaskell "xmonad" {
+
+  xmonad-config = pkgs.writers.writeHaskellBin "xmonad" {
     ghc = cfg.haskellPackages.ghc;
     libraries = [ cfg.haskellPackages.xmonad ] ++
                 cfg.extraPackages cfg.haskellPackages ++
@@ -19,8 +21,10 @@ let
     inherit (cfg) ghcArgs;
   } cfg.config;
 
-in
-{
+  xmonad = if (cfg.config != null) then xmonad-config else xmonad-vanilla;
+in {
+  meta.maintainers = with maintainers; [ lassulus xaverdh ];
+
   options = {
     services.xserver.windowManager.xmonad = {
       enable = mkEnableOption "xmonad";
@@ -62,19 +66,50 @@ in
         default = null;
         type = with lib.types; nullOr (either path str);
         description = ''
-          Configuration from which XMonad gets compiled. If no value
-          is specified, the xmonad config from $HOME/.xmonad is taken.
-          If you use xmonad --recompile, $HOME/.xmonad will be taken as
-          the configuration, but on the next restart of display-manager
-          this config will be reapplied.
+          Configuration from which XMonad gets compiled. If no value is
+          specified, a vanilla xmonad binary is put in PATH, which will
+          attempt to recompile and exec your xmonad config from $HOME/.xmonad.
+          This setup is then analogous to other (non-NixOS) linux distributions.
+
+          If you do set this option, you likely want to use "launch" as your
+          entry point for xmonad (as in the example), to avoid xmonads
+          recompilation logic on startup. Doing so will render the default
+          "mod+q" restart key binding dysfunctional though, because that attempts
+          to call your binary with the "--restart" command line option, unless
+          you implement that yourself. You way mant to bind "mod+q" to
+          <literal>(restart "xmonad" True)</literal> instead, which will just restart
+          xmonad from PATH. This allows e.g. switching to the new xmonad binary,
+          after rebuilding your system with nixos-rebuild.
+
+          If you actually want to run xmonad with a config specified here, but
+          also be able to recompile and restart it from a copy of that source in
+          $HOME/.xmonad on the fly, you will have to implement that yourself
+          using something like "compileRestart" from the example.
+          This should allow you to switch at will between the local xmonad and
+          the one NixOS puts in your PATH.
         '';
         example = ''
           import XMonad
+          import XMonad.Util.EZConfig (additionalKeys)
+          import Text.Printf (printf)
+          import System.Posix.Process (executeFile)
+          import System.Info (arch,os)
+          import System.Environment (getArgs)
+          import System.FilePath ((</>))
+
+          compiledConfig = printf "xmonad-%s-%s" arch os
+
+          compileRestart = whenX (recompile True) . catchIO $ do
+              dir  <- getXMonadDataDir
+              args <- getArgs
+              executeFile (dir </> compiledConfig) False args Nothing
 
           main = launch defaultConfig
-                 { modMask = mod4Mask -- Use Super instead of Alt
-                 , terminal = "urxvt"
-                 }
+              { modMask = mod4Mask -- Use Super instead of Alt
+              , terminal = "urxvt" }
+              `additionalKeys`
+              [ ( (mod4Mask,xK_r), compileRestart )
+              , ( (mod4Mask,xK_q), restart "xmonad" True ) ]
         '';
       };
 
@@ -101,10 +136,8 @@ in
     services.xserver.windowManager = {
       session = [{
         name = "xmonad";
-        start = let
-          xmonadCommand = if (cfg.config != null) then xmonadBin else "${xmonad}/bin/xmonad";
-        in ''
-           systemd-cat -t xmonad -- ${xmonadCommand} ${lib.escapeShellArgs cfg.xmonadCliArgs} &
+        start = ''
+           systemd-cat -t xmonad -- ${xmonad}/bin/xmonad ${lib.escapeShellArgs cfg.xmonadCliArgs} &
            waitPID=$!
         '';
       }];
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index 70716a35485..55d3e742ef7 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -711,7 +711,7 @@ in
 
     system.extraDependencies = singleton (pkgs.runCommand "xkb-validated" {
       inherit (cfg) xkbModel layout xkbVariant xkbOptions;
-      nativeBuildInputs = [ pkgs.xkbvalidate ];
+      nativeBuildInputs = with pkgs.buildPackages; [ xkbvalidate ];
       preferLocalBuild = true;
     } ''
       xkbvalidate "$xkbModel" "$layout" "$xkbVariant" "$xkbOptions"
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 64193ed8498..eb152cf51a6 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -97,6 +97,19 @@ in import ./make-test-python.nix ({ lib, ... }: {
         };
       };
 
+      # Test OCSP Stapling
+      specialisation.ocsp-stapling.configuration = { pkgs, ... }: {
+        security.acme.certs."a.example.test" = {
+          ocspMustStaple = true;
+        };
+        services.nginx.virtualHosts."a.example.com" = {
+          extraConfig = ''
+            ssl_stapling on;
+            ssl_stapling_verify on;
+          '';
+        };
+      };
+
       # Test using Apache HTTPD
       specialisation.httpd-aliases.configuration = { pkgs, config, lib, ... }: {
         services.nginx.enable = lib.mkForce false;
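Review bot: The stapling directives are attached to `services.nginx.virtualHosts."a.example.com"`, while the certificate configured just above it, and the host the new subtest connects to, is `a.example.test`. Unless an `a.example.com` vhost is defined elsewhere in the file, this creates an unrelated virtual host and leaves the one under test without `ssl_stapling on;`. It looks like the line should read `services.nginx.virtualHosts."a.example.test" = {`. The enclosing node definition starts and ends outside the hunk.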
@@ -163,6 +176,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
 
   testScript = {nodes, ...}:
     let
+      caDomain = nodes.acme.config.test-support.acme.caDomain;
       newServerSystem = nodes.webserver.config.system.build.toplevel;
       switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";
     in
@@ -246,6 +260,22 @@ in import ./make-test-python.nix ({ lib, ... }: {
               return check_connection_key_bits(node, domain, bits, retries - 1)
 
 
+      def check_stapling(node, domain, retries=3):
+          assert retries >= 0
+
+          # Pebble doesn't provide a full OCSP responder, so just check the URL
+          result = node.succeed(
+              "openssl s_client -CAfile /tmp/ca.crt"
+              f" -servername {domain} -connect {domain}:443 < /dev/null"
+              " | openssl x509 -noout -ocsp_uri"
+          )
+          print("OCSP Responder URL:", result)
+
+          if "${caDomain}:4002" not in result.lower():
+              time.sleep(1)
+              return check_stapling(node, domain, retries - 1)
+
+
       client.start()
       dnsserver.start()
 
@@ -253,7 +283,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
       client.wait_for_unit("default.target")
 
       client.succeed(
-          'curl --data \'{"host": "acme.test", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'
+          'curl --data \'{"host": "${caDomain}", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'
       )
 
       acme.start()
@@ -262,8 +292,8 @@ in import ./make-test-python.nix ({ lib, ... }: {
       acme.wait_for_unit("default.target")
       acme.wait_for_unit("pebble.service")
 
-      client.succeed("curl https://acme.test:15000/roots/0 > /tmp/ca.crt")
-      client.succeed("curl https://acme.test:15000/intermediate-keys/0 >> /tmp/ca.crt")
+      client.succeed("curl https://${caDomain}:15000/roots/0 > /tmp/ca.crt")
+      client.succeed("curl https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt")
 
       with subtest("Can request certificate with HTTPS-01 challenge"):
           webserver.wait_for_unit("acme-finished-a.example.test.target")
@@ -290,6 +320,11 @@ in import ./make-test-python.nix ({ lib, ... }: {
           check_connection_key_bits(client, "a.example.test", "384")
           webserver.succeed("grep testing /var/lib/acme/a.example.test/test")
 
+      with subtest("Correctly implements OCSP stapling"):
+          switch_to(webserver, "ocsp-stapling")
+          webserver.wait_for_unit("acme-finished-a.example.test.target")
+          check_stapling(client, "a.example.test")
+
       with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"):
           switch_to(webserver, "slow-startup")
           webserver.wait_for_unit("acme-finished-slow.example.com.target")
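Review bot: The new "Correctly implements OCSP stapling" subtest only confirms, through `check_stapling`, that the served certificate carries the expected OCSP responder URL; it never checks that `ocspMustStaple = true` produced a must-staple certificate. The responder URL is presumably set by the CA whether or not the flag is passed, so the test would likely still pass if `--must-staple` were dropped from the lego command line again. `check_stapling` could additionally run `openssl x509 -noout -text` on the served certificate and assert that the TLS Feature extension (`status_request`) is present. The helper also ends in a bare `assert retries >= 0` once retries run out; a message naming the domain would make that failure readable.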
diff --git a/nixos/tests/agda.nix b/nixos/tests/agda.nix
index e158999e57d..3b3eb2803bd 100644
--- a/nixos/tests/agda.nix
+++ b/nixos/tests/agda.nix
@@ -31,7 +31,7 @@ in
     machine.succeed('echo "import IO" > TestIO.agda')
     machine.succeed("agda -l standard-library -i . TestIO.agda")
 
-    # # Hello world
+    # Hello world
     machine.succeed(
         "cp ${hello-world} HelloWorld.agda"
     )
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 0dc14e527d1..6564a958d5b 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -26,6 +26,7 @@ in
   agda = handleTest ./agda.nix {};
   atd = handleTest ./atd.nix {};
   avahi = handleTest ./avahi.nix {};
+  avahi-with-resolved = handleTest ./avahi.nix { networkd = true; };
   babeld = handleTest ./babeld.nix {};
   bazarr = handleTest ./bazarr.nix {};
   bcachefs = handleTestOn ["x86_64-linux"] ./bcachefs.nix {}; # linux-4.18.2018.10.12 is unsupported on aarch64
@@ -112,6 +113,7 @@ in
   fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
   freeswitch = handleTest ./freeswitch.nix {};
   fsck = handleTest ./fsck.nix {};
+  ft2-clone = handleTest ./ft2-clone.nix {};
   gerrit = handleTest ./gerrit.nix {};
   gotify-server = handleTest ./gotify-server.nix {};
   grocy = handleTest ./grocy.nix {};
diff --git a/nixos/tests/avahi.nix b/nixos/tests/avahi.nix
index fe027c14d5a..66cff3009f7 100644
--- a/nixos/tests/avahi.nix
+++ b/nixos/tests/avahi.nix
@@ -1,5 +1,11 @@
+{ system ? builtins.currentSystem
+, config ? {}
+, pkgs ? import ../.. { inherit system config; }
+# bool: whether to use networkd in the tests
+, networkd ? false }:
+
 # Test whether `avahi-daemon' and `libnss-mdns' work as expected.
-import ./make-test-python.nix ({ pkgs, ... } : {
+import ./make-test-python.nix ({ ... } : {
   name = "avahi";
   meta = with pkgs.stdenv.lib.maintainers; {
     maintainers = [ eelco ];
@@ -17,6 +23,11 @@ import ./make-test-python.nix ({ pkgs, ... } : {
         publish.workstation = true;
         extraServiceFiles.ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
       };
+    } // pkgs.lib.optionalAttrs (networkd) {
+      networking = {
+        useNetworkd = true;
+        useDHCP = false;
+      };
     };
   in {
     one = cfg;
diff --git a/nixos/tests/cagebreak.nix b/nixos/tests/cagebreak.nix
index ecbb69646a9..e5f9a29fb18 100644
--- a/nixos/tests/cagebreak.nix
+++ b/nixos/tests/cagebreak.nix
@@ -5,7 +5,6 @@ let
     workspaces 1
     escape C-t
     bind t exec env DISPLAY=:0 ${pkgs.xterm}/bin/xterm -cm -pc
-    bind a exec ${pkgs.alacritty}/bin/alacritty
   '';
 in
 {
@@ -20,7 +19,7 @@ in
   in {
     imports = [ ./common/user-account.nix ];
 
-    environment.systemPackages = [ pkgs.cagebreak ];
+    environment.systemPackages = [ pkgs.cagebreak pkgs.wallutils ];
     services.xserver = {
       enable = true;
       displayManager.autoLogin = {
@@ -32,7 +31,7 @@ in
       manage = "desktop";
       name = "cagebreak";
       start = ''
-        export XDG_RUNTIME_DIR=/run/user/${toString alice.uid}
+        export XDG_RUNTIME_DIR="/run/user/${toString alice.uid}"
         ${pkgs.cagebreak}/bin/cagebreak &
         waitPID=$!
       '';
@@ -74,24 +73,20 @@ in
 
   testScript = { nodes, ... }: let
     user = nodes.machine.config.users.users.alice;
+    XDG_RUNTIME_DIR = "/run/user/${toString user.uid}";
   in ''
     start_all()
     machine.wait_for_unit("multi-user.target")
-    machine.wait_for_file("/run/user/${toString user.uid}/wayland-0")
+    machine.wait_for_file("${XDG_RUNTIME_DIR}/wayland-0")
 
-    with subtest("ensure wayland works with alacritty"):
-        machine.send_key("ctrl-t")
-        machine.send_key("a")
-        machine.wait_until_succeeds("pgrep alacritty")
-        machine.wait_for_text("alice@machine")
-        machine.screenshot("screen")
-        machine.send_key("ctrl-d")
+    with subtest("ensure wayland works with wayinfo from wallutils"):
+        machine.succeed("env XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR} wayinfo")
 
     with subtest("ensure xwayland works with xterm"):
         machine.send_key("ctrl-t")
         machine.send_key("t")
         machine.wait_until_succeeds("pgrep xterm")
-        machine.wait_for_text("alice@machine")
+        machine.wait_for_text("${user.name}@machine")
         machine.screenshot("screen")
         machine.send_key("ctrl-d")
   '';
diff --git a/nixos/tests/common/acme/server/default.nix b/nixos/tests/common/acme/server/default.nix
index 4d8e664c4e1..cea10c16900 100644
--- a/nixos/tests/common/acme/server/default.nix
+++ b/nixos/tests/common/acme/server/default.nix
@@ -70,7 +70,7 @@ let
     privateKey = testCerts.${domain}.key;
     httpPort = 80;
     tlsPort = 443;
-    ocspResponderURL = "http://0.0.0.0:4002";
+    ocspResponderURL = "http://${domain}:4002";
     strict = true;
   };
 
diff --git a/nixos/tests/ft2-clone.nix b/nixos/tests/ft2-clone.nix
new file mode 100644
index 00000000000..c877054234e
--- /dev/null
+++ b/nixos/tests/ft2-clone.nix
@@ -0,0 +1,35 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "ft2-clone";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ fgaz ];
+  };
+
+  machine = { config, pkgs, ... }: {
+    imports = [
+      ./common/x11.nix
+    ];
+
+    services.xserver.enable = true;
+    sound.enable = true;
+    environment.systemPackages = [ pkgs.ft2-clone ];
+  };
+
+  enableOCR = true;
+
+  testScript =
+    ''
+      machine.wait_for_x()
+      # Add a dummy sound card, or the program won't start
+      machine.execute("modprobe snd-dummy")
+
+      machine.execute("ft2-clone &")
+
+      machine.wait_for_window(r"Fasttracker")
+      machine.sleep(5)
+      # One of the few words that actually get recognized
+      if "Songlen" not in machine.get_screen_text():
+          raise Exception("Program did not start successfully")
+      machine.screenshot("screen")
+    '';
+})
+
diff --git a/nixos/tests/xmonad.nix b/nixos/tests/xmonad.nix
index 56baae8b9d3..308dbca154f 100644
--- a/nixos/tests/xmonad.nix
+++ b/nixos/tests/xmonad.nix
@@ -14,9 +14,16 @@ import ./make-test-python.nix ({ pkgs, ...} : {
       extraPackages = with pkgs.haskellPackages; haskellPackages: [ xmobar ];
       config = ''
         import XMonad
+        import XMonad.Operations (restart)
         import XMonad.Util.EZConfig
-        main = launch $ def `additionalKeysP` myKeys
-        myKeys = [ ("M-C-x", spawn "xterm") ]
+        import XMonad.Util.SessionStart
+
+        main = launch $ def { startupHook = startup } `additionalKeysP` myKeys
+
+        startup = isSessionStart >>= \sessInit ->
+          if sessInit then setSessionStarted else spawn "xterm"
+
+        myKeys = [ ("M-C-x", spawn "xterm"), ("M-q", restart "xmonad" True) ]
       '';
     };
   };
@@ -30,12 +37,11 @@ import ./make-test-python.nix ({ pkgs, ...} : {
     machine.send_key("alt-ctrl-x")
     machine.wait_for_window("${user.name}.*machine")
     machine.sleep(1)
-    machine.screenshot("terminal")
-    machine.wait_until_succeeds("xmonad --restart")
+    machine.screenshot("terminal1")
+    machine.send_key("alt-q")
     machine.sleep(3)
-    machine.send_key("alt-shift-ret")
     machine.wait_for_window("${user.name}.*machine")
     machine.sleep(1)
-    machine.screenshot("terminal")
+    machine.screenshot("terminal2")
   '';
 })