summary refs log tree commit diff
path: root/pkgs/os-specific/linux
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r--pkgs/os-specific/linux/915resolution/default.nix4
-rw-r--r--pkgs/os-specific/linux/acpi-call/default.nix14
-rw-r--r--pkgs/os-specific/linux/acpi/default.nix6
-rw-r--r--pkgs/os-specific/linux/acpid/default.nix4
-rw-r--r--pkgs/os-specific/linux/acpitool/default.nix8
-rw-r--r--pkgs/os-specific/linux/afuse/default.nix17
-rw-r--r--pkgs/os-specific/linux/akvcam/default.nix32
-rw-r--r--pkgs/os-specific/linux/alsa-plugins/wrapper.nix4
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-firmware/cross.patch (renamed from pkgs/os-specific/linux/alsa-firmware/cross.patch)0
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix (renamed from pkgs/os-specific/linux/alsa-firmware/default.nix)6
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch (renamed from pkgs/os-specific/linux/alsa-lib/alsa-plugin-conf-multilib.patch)0
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix (renamed from pkgs/os-specific/linux/alsa-lib/default.nix)18
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix (renamed from pkgs/os-specific/linux/alsa-oss/default.nix)6
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix (renamed from pkgs/os-specific/linux/alsa-plugins/default.nix)12
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix10
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix (renamed from pkgs/os-specific/linux/alsa-tools/default.nix)12
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix (renamed from pkgs/os-specific/linux/alsa-topology-conf/default.nix)8
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix (renamed from pkgs/os-specific/linux/alsa-ucm-conf/default.nix)8
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix (renamed from pkgs/os-specific/linux/alsa-utils/default.nix)22
-rw-r--r--pkgs/os-specific/linux/amdgpu-pro/default.nix6
-rw-r--r--pkgs/os-specific/linux/anbox/default.nix61
-rw-r--r--pkgs/os-specific/linux/anbox/kmod.nix15
-rw-r--r--pkgs/os-specific/linux/android-udev-rules/default.nix12
-rw-r--r--pkgs/os-specific/linux/apfs/default.nix35
-rw-r--r--pkgs/os-specific/linux/apparmor/default.nix134
-rw-r--r--pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh32
-rw-r--r--pkgs/os-specific/linux/aseq2json/default.nix28
-rw-r--r--pkgs/os-specific/linux/asus-wmi-sensors/default.nix4
-rw-r--r--pkgs/os-specific/linux/ati-drivers/builder.sh302
-rw-r--r--pkgs/os-specific/linux/ati-drivers/default.nix140
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch26
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch14
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch27
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch103
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch11
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch70
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch28
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch25
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch16
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch26
-rw-r--r--pkgs/os-specific/linux/atop/atop.service.patch10
-rw-r--r--pkgs/os-specific/linux/atop/atopacct.service.patch7
-rw-r--r--pkgs/os-specific/linux/atop/default.nix74
-rw-r--r--pkgs/os-specific/linux/atop/fix-paths.patch48
-rw-r--r--pkgs/os-specific/linux/audit/default.nix22
-rw-r--r--pkgs/os-specific/linux/audit/patches/weak-symbols.patch147
-rw-r--r--pkgs/os-specific/linux/autofs/default.nix15
-rw-r--r--pkgs/os-specific/linux/batman-adv/alfred.nix12
-rw-r--r--pkgs/os-specific/linux/batman-adv/batctl.nix12
-rw-r--r--pkgs/os-specific/linux/batman-adv/default.nix8
-rw-r--r--pkgs/os-specific/linux/batman-adv/version.nix8
-rw-r--r--pkgs/os-specific/linux/bbswitch/default.nix4
-rw-r--r--pkgs/os-specific/linux/bcc/default.nix27
-rw-r--r--pkgs/os-specific/linux/beefi/default.nix44
-rw-r--r--pkgs/os-specific/linux/bionic-prebuilt/default.nix113
-rw-r--r--pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch42
-rw-r--r--pkgs/os-specific/linux/blktrace/default.nix6
-rw-r--r--pkgs/os-specific/linux/bluez/default.nix25
-rw-r--r--pkgs/os-specific/linux/bolt/default.nix64
-rw-r--r--pkgs/os-specific/linux/bpftool/default.nix30
-rw-r--r--pkgs/os-specific/linux/bpftools/default.nix38
-rw-r--r--pkgs/os-specific/linux/bpftrace/default.nix26
-rw-r--r--pkgs/os-specific/linux/bridge-utils/default.nix6
-rw-r--r--pkgs/os-specific/linux/brillo/default.nix4
-rw-r--r--pkgs/os-specific/linux/broadcom-sta/default.nix14
-rw-r--r--pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch184
-rw-r--r--pkgs/os-specific/linux/btfs/default.nix16
-rw-r--r--pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch71
-rw-r--r--pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch94
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix42
-rw-r--r--pkgs/os-specific/linux/busybox/sandbox-shell.nix3
-rw-r--r--pkgs/os-specific/linux/cachefilesd/default.nix4
-rw-r--r--pkgs/os-specific/linux/can-isotp/default.nix16
-rw-r--r--pkgs/os-specific/linux/can-utils/default.nix4
-rw-r--r--pkgs/os-specific/linux/catfs/default.nix47
-rw-r--r--pkgs/os-specific/linux/checkpolicy/default.nix4
-rw-r--r--pkgs/os-specific/linux/checksec/default.nix12
-rw-r--r--pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch4
-rw-r--r--pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch4
-rw-r--r--pkgs/os-specific/linux/chromium-os/crosvm/default.nix10
-rw-r--r--pkgs/os-specific/linux/chromium-os/default.nix3
-rw-r--r--pkgs/os-specific/linux/chromium-os/libqmi/default.nix4
-rw-r--r--pkgs/os-specific/linux/chromium-os/modem-manager/default.nix2
-rw-r--r--pkgs/os-specific/linux/chromium-os/modem-manager/next.nix6
-rw-r--r--pkgs/os-specific/linux/chromium-os/sommelier/0005-sommelier-don-t-leak-source-absolute-paths.patch (renamed from pkgs/os-specific/linux/chromium-os/sommelier/0003-sommelier-don-t-leak-source-absolute-paths.patch)6
-rw-r--r--pkgs/os-specific/linux/chromium-os/sommelier/0006-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch (renamed from pkgs/os-specific/linux/chromium-os/sommelier/0004-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch)6
-rw-r--r--pkgs/os-specific/linux/chromium-os/sommelier/default.nix4
-rw-r--r--pkgs/os-specific/linux/chromium-os/vm_protos/0003-common-mk-add-goproto_library-source_relative-opt.patch48
-rw-r--r--pkgs/os-specific/linux/chromium-os/vm_protos/0004-vm_tools-proto-set-go_package-correctly.patch102
-rw-r--r--pkgs/os-specific/linux/chromium-os/vm_protos/default.nix5
-rw-r--r--pkgs/os-specific/linux/cifs-utils/default.nix22
-rw-r--r--pkgs/os-specific/linux/compsize/default.nix25
-rw-r--r--pkgs/os-specific/linux/conky/default.nix12
-rw-r--r--pkgs/os-specific/linux/conntrack-tools/default.nix12
-rw-r--r--pkgs/os-specific/linux/consoletools/default.nix4
-rw-r--r--pkgs/os-specific/linux/conspy/default.nix16
-rw-r--r--pkgs/os-specific/linux/cpufrequtils/default.nix8
-rw-r--r--pkgs/os-specific/linux/cpuid/default.nix50
-rw-r--r--pkgs/os-specific/linux/cpupower/default.nix6
-rw-r--r--pkgs/os-specific/linux/cpuset/default.nix39
-rw-r--r--pkgs/os-specific/linux/cramfsprogs/default.nix4
-rw-r--r--pkgs/os-specific/linux/cramfsswap/default.nix4
-rw-r--r--pkgs/os-specific/linux/crda/default.nix6
-rw-r--r--pkgs/os-specific/linux/criu/default.nix24
-rw-r--r--pkgs/os-specific/linux/cryptodev/default.nix20
-rw-r--r--pkgs/os-specific/linux/cryptsetup/default.nix16
-rw-r--r--pkgs/os-specific/linux/cshatag/default.nix32
-rw-r--r--pkgs/os-specific/linux/cshatag/deps.nix21
-rw-r--r--pkgs/os-specific/linux/dbus-broker/default.nix12
-rw-r--r--pkgs/os-specific/linux/ddcci/default.nix4
-rw-r--r--pkgs/os-specific/linux/deepin-anything/default.nix22
-rw-r--r--pkgs/os-specific/linux/device-tree/default.nix31
-rw-r--r--pkgs/os-specific/linux/device-tree/raspberrypi.nix6
-rw-r--r--pkgs/os-specific/linux/devmem2/default.nix4
-rw-r--r--pkgs/os-specific/linux/digimend/default.nix6
-rw-r--r--pkgs/os-specific/linux/directvnc/default.nix6
-rw-r--r--pkgs/os-specific/linux/disk-indicator/default.nix6
-rw-r--r--pkgs/os-specific/linux/displaylink/99-displaylink.rules1
-rw-r--r--pkgs/os-specific/linux/displaylink/default.nix40
-rw-r--r--pkgs/os-specific/linux/displaylink/udev-installer.patch18
-rw-r--r--pkgs/os-specific/linux/dlm/default.nix26
-rw-r--r--pkgs/os-specific/linux/dmidecode/default.nix48
-rw-r--r--pkgs/os-specific/linux/dmraid/default.nix12
-rw-r--r--pkgs/os-specific/linux/dmtcp/default.nix18
-rw-r--r--pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch14
-rw-r--r--pkgs/os-specific/linux/dpdk-kmods/default.nix34
-rw-r--r--pkgs/os-specific/linux/dpdk/default.nix32
-rw-r--r--pkgs/os-specific/linux/drbd/default.nix4
-rw-r--r--pkgs/os-specific/linux/dropwatch/default.nix41
-rw-r--r--pkgs/os-specific/linux/dstat/default.nix34
-rw-r--r--pkgs/os-specific/linux/dstat/fix_pluginpath.patch15
-rw-r--r--pkgs/os-specific/linux/e1000e/default.nix6
-rw-r--r--pkgs/os-specific/linux/earlyoom/default.nix12
-rw-r--r--pkgs/os-specific/linux/ebtables/default.nix20
-rw-r--r--pkgs/os-specific/linux/edac-utils/default.nix6
-rw-r--r--pkgs/os-specific/linux/ell/default.nix22
-rw-r--r--pkgs/os-specific/linux/ell/fix-dbus-tests.patch65
-rw-r--r--pkgs/os-specific/linux/ena/default.nix15
-rw-r--r--pkgs/os-specific/linux/erofs-utils/default.nix25
-rw-r--r--pkgs/os-specific/linux/eudev/default.nix22
-rw-r--r--pkgs/os-specific/linux/evdi/default.nix27
-rw-r--r--pkgs/os-specific/linux/eventstat/default.nix4
-rw-r--r--pkgs/os-specific/linux/exfat/default.nix17
-rw-r--r--pkgs/os-specific/linux/extrace/default.nix4
-rw-r--r--pkgs/os-specific/linux/facetimehd/default.nix6
-rw-r--r--pkgs/os-specific/linux/fatrace/default.nix23
-rw-r--r--pkgs/os-specific/linux/fbterm/default.nix6
-rw-r--r--pkgs/os-specific/linux/ffado/default.nix8
-rw-r--r--pkgs/os-specific/linux/firejail/default.nix63
-rw-r--r--pkgs/os-specific/linux/firejail/default.upstream3
-rw-r--r--pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch11
-rw-r--r--pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch27
-rw-r--r--pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix6
-rw-r--r--pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix6
-rw-r--r--pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix7
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix16
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-manager/default.nix38
-rw-r--r--pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch50
-rw-r--r--pkgs/os-specific/linux/firmware/fwupd/default.nix216
-rw-r--r--pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch42
-rw-r--r--pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix10
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix18
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix51
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi/default.nix18
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi/tools.nix29
-rw-r--r--pkgs/os-specific/linux/firmware/rt5677/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix6
-rw-r--r--pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix6
-rw-r--r--pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix29
-rw-r--r--pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix23
-rw-r--r--pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix25
-rw-r--r--pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix25
-rw-r--r--pkgs/os-specific/linux/firmware/sof-firmware/default.nix24
-rw-r--r--pkgs/os-specific/linux/firmware/system76-firmware/default.nix39
-rw-r--r--pkgs/os-specific/linux/firmware/zd1211/default.nix4
-rw-r--r--pkgs/os-specific/linux/flashbench/default.nix24
-rw-r--r--pkgs/os-specific/linux/fnotifystat/default.nix4
-rw-r--r--pkgs/os-specific/linux/forkstat/default.nix4
-rw-r--r--pkgs/os-specific/linux/forktty/default.nix10
-rw-r--r--pkgs/os-specific/linux/freefall/default.nix4
-rw-r--r--pkgs/os-specific/linux/fscrypt/default.nix12
-rw-r--r--pkgs/os-specific/linux/fscryptctl/default.nix34
-rw-r--r--pkgs/os-specific/linux/fscryptctl/legacy.nix51
-rw-r--r--pkgs/os-specific/linux/fswebcam/default.nix10
-rw-r--r--pkgs/os-specific/linux/ftop/default.nix4
-rw-r--r--pkgs/os-specific/linux/fuse/common.nix25
-rw-r--r--pkgs/os-specific/linux/fuse/default.nix8
-rw-r--r--pkgs/os-specific/linux/fwts/default.nix10
-rw-r--r--pkgs/os-specific/linux/fwts/module.nix4
-rw-r--r--pkgs/os-specific/linux/fxload/default.nix4
-rw-r--r--pkgs/os-specific/linux/g15daemon/default.nix2
-rw-r--r--pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix38
-rw-r--r--pkgs/os-specific/linux/gfxtablet/default.nix12
-rw-r--r--pkgs/os-specific/linux/gobi_loader/default.nix4
-rw-r--r--pkgs/os-specific/linux/gogoclient/default.nix6
-rw-r--r--pkgs/os-specific/linux/gradm/default.nix14
-rw-r--r--pkgs/os-specific/linux/greetd/default.nix51
-rw-r--r--pkgs/os-specific/linux/gtkgreet/default.nix50
-rw-r--r--pkgs/os-specific/linux/guvcview/default.nix28
-rw-r--r--pkgs/os-specific/linux/hal-flash/default.nix29
-rw-r--r--pkgs/os-specific/linux/hd-idle/default.nix4
-rw-r--r--pkgs/os-specific/linux/hdapsd/default.nix4
-rw-r--r--pkgs/os-specific/linux/hdparm/default.nix12
-rw-r--r--pkgs/os-specific/linux/hibernate/default.nix10
-rw-r--r--pkgs/os-specific/linux/hid-nintendo/default.nix38
-rw-r--r--pkgs/os-specific/linux/hostapd/default.nix15
-rw-r--r--pkgs/os-specific/linux/hwdata/default.nix12
-rw-r--r--pkgs/os-specific/linux/hyperv-daemons/default.nix15
-rw-r--r--pkgs/os-specific/linux/i2c-tools/default.nix23
-rw-r--r--pkgs/os-specific/linux/i810switch/default.nix6
-rw-r--r--pkgs/os-specific/linux/ifenslave/default.nix6
-rw-r--r--pkgs/os-specific/linux/ifmetric/default.nix4
-rw-r--r--pkgs/os-specific/linux/iio-sensor-proxy/default.nix16
-rw-r--r--pkgs/os-specific/linux/ima-evm-utils/default.nix10
-rw-r--r--pkgs/os-specific/linux/input-utils/default.nix6
-rw-r--r--pkgs/os-specific/linux/intel-compute-runtime/default.nix21
-rw-r--r--pkgs/os-specific/linux/intel-compute-runtime/etc-dir.patch15
-rw-r--r--pkgs/os-specific/linux/intel-ocl/default.nix8
-rw-r--r--pkgs/os-specific/linux/intel-speed-select/default.nix4
-rw-r--r--pkgs/os-specific/linux/ioport/default.nix4
-rw-r--r--pkgs/os-specific/linux/iotop-c/default.nix31
-rw-r--r--pkgs/os-specific/linux/iotop/default.nix4
-rw-r--r--pkgs/os-specific/linux/iproute/default.nix11
-rw-r--r--pkgs/os-specific/linux/iproute/mptcp.nix12
-rw-r--r--pkgs/os-specific/linux/ipsec-tools/default.nix6
-rw-r--r--pkgs/os-specific/linux/ipset/default.nix10
-rw-r--r--pkgs/os-specific/linux/iptables/default.nix11
-rw-r--r--pkgs/os-specific/linux/iptstate/default.nix4
-rw-r--r--pkgs/os-specific/linux/iputils/default.nix48
-rw-r--r--pkgs/os-specific/linux/ipvsadm/default.nix6
-rw-r--r--pkgs/os-specific/linux/irqbalance/default.nix17
-rw-r--r--pkgs/os-specific/linux/isgx/default.nix56
-rw-r--r--pkgs/os-specific/linux/it87/default.nix4
-rw-r--r--pkgs/os-specific/linux/iw/default.nix14
-rw-r--r--pkgs/os-specific/linux/iwd/default.nix30
-rw-r--r--pkgs/os-specific/linux/ixgbevf/default.nix4
-rw-r--r--pkgs/os-specific/linux/jfbview/default.nix10
-rw-r--r--pkgs/os-specific/linux/jool/cli.nix6
-rw-r--r--pkgs/os-specific/linux/jool/default.nix4
-rw-r--r--pkgs/os-specific/linux/joycond/default.nix37
-rw-r--r--pkgs/os-specific/linux/jujuutils/default.nix6
-rw-r--r--pkgs/os-specific/linux/kbd/default.nix57
-rw-r--r--pkgs/os-specific/linux/kbd/keymaps.nix36
-rw-r--r--pkgs/os-specific/linux/kbd/search-paths.patch71
-rw-r--r--pkgs/os-specific/linux/kbdlight/default.nix4
-rw-r--r--pkgs/os-specific/linux/kernel-headers/default.nix26
-rw-r--r--pkgs/os-specific/linux/kernel/common-config.nix139
-rw-r--r--pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch11
-rw-r--r--pkgs/os-specific/linux/kernel/generate-config.pl9
-rw-r--r--pkgs/os-specific/linux/kernel/generic.nix68
-rw-r--r--pkgs/os-specific/linux/kernel/hardened/config.nix24
-rw-r--r--pkgs/os-specific/linux/kernel/hardened/patches.json38
-rw-r--r--pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch7
-rwxr-xr-xpkgs/os-specific/linux/kernel/hardened/update.py15
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.14.nix10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.19.nix10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.4.nix9
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.9.nix9
-rw-r--r--pkgs/os-specific/linux/kernel/linux-5.10.nix (renamed from pkgs/os-specific/linux/kernel/linux-5.8.nix)10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-5.12.nix (renamed from pkgs/os-specific/linux/kernel/linux-5.7.nix)10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-5.13.nix21
-rw-r--r--pkgs/os-specific/linux/kernel/linux-5.4.nix10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix2
-rw-r--r--pkgs/os-specific/linux/kernel/linux-libre.nix7
-rw-r--r--pkgs/os-specific/linux/kernel/linux-lqx.nix26
-rw-r--r--pkgs/os-specific/linux/kernel/linux-mptcp-94.nix26
-rw-r--r--pkgs/os-specific/linux/kernel/linux-mptcp-95.nix14
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rpi.nix15
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-5.10.nix45
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-5.11.nix45
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-5.4.nix41
-rw-r--r--pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix47
-rw-r--r--pkgs/os-specific/linux/kernel/linux-testing.nix12
-rw-r--r--pkgs/os-specific/linux/kernel/linux-xanmod.nix54
-rw-r--r--pkgs/os-specific/linux/kernel/linux-zen.nix19
-rw-r--r--pkgs/os-specific/linux/kernel/manual-config.nix104
-rw-r--r--pkgs/os-specific/linux/kernel/mptcp-config.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix33
-rw-r--r--pkgs/os-specific/linux/kernel/perf.nix23
-rw-r--r--pkgs/os-specific/linux/kernel/rtl8761b-support.patch33
-rwxr-xr-xpkgs/os-specific/linux/kernel/update-rt.sh79
-rwxr-xr-xpkgs/os-specific/linux/kernel/update.sh3
-rw-r--r--pkgs/os-specific/linux/kexectools/default.nix4
-rw-r--r--pkgs/os-specific/linux/keyutils/default.nix12
-rw-r--r--pkgs/os-specific/linux/kinect-audio-setup/default.nix91
-rw-r--r--pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch23
-rw-r--r--pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch15
-rw-r--r--pkgs/os-specific/linux/klibc/default.nix14
-rw-r--r--pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix4
-rw-r--r--pkgs/os-specific/linux/kmod/darwin.patch12
-rw-r--r--pkgs/os-specific/linux/kmod/default.nix11
-rw-r--r--pkgs/os-specific/linux/kmod/no-name-field.patch24
-rw-r--r--pkgs/os-specific/linux/kmscon/default.nix9
-rw-r--r--pkgs/os-specific/linux/kmscube/default.nix6
-rw-r--r--pkgs/os-specific/linux/kvmfr/default.nix32
-rw-r--r--pkgs/os-specific/linux/latencytop/default.nix10
-rw-r--r--pkgs/os-specific/linux/ldm/default.nix8
-rw-r--r--pkgs/os-specific/linux/ledger-udev-rules/default.nix4
-rw-r--r--pkgs/os-specific/linux/libaio/default.nix18
-rw-r--r--pkgs/os-specific/linux/libatasmart/default.nix6
-rw-r--r--pkgs/os-specific/linux/libbpf/default.nix41
-rw-r--r--pkgs/os-specific/linux/libcap-ng/default.nix8
-rw-r--r--pkgs/os-specific/linux/libcap/default.nix36
-rw-r--r--pkgs/os-specific/linux/libcgroup/default.nix31
-rw-r--r--pkgs/os-specific/linux/libevdevc/default.nix6
-rw-r--r--pkgs/os-specific/linux/libfabric/default.nix10
-rw-r--r--pkgs/os-specific/linux/libgestures/default.nix8
-rw-r--r--pkgs/os-specific/linux/libnl/default.nix9
-rw-r--r--pkgs/os-specific/linux/libpsm2/default.nix15
-rw-r--r--pkgs/os-specific/linux/libratbag/default.nix10
-rw-r--r--pkgs/os-specific/linux/libselinux/default.nix32
-rw-r--r--pkgs/os-specific/linux/libsemanage/default.nix18
-rw-r--r--pkgs/os-specific/linux/libsepol/default.nix17
-rw-r--r--pkgs/os-specific/linux/libsmbios/default.nix6
-rw-r--r--pkgs/os-specific/linux/libudev0-shim/default.nix4
-rw-r--r--pkgs/os-specific/linux/libvolume_id/default.nix6
-rw-r--r--pkgs/os-specific/linux/libwebcam/default.nix9
-rw-r--r--pkgs/os-specific/linux/light/default.nix12
-rw-r--r--pkgs/os-specific/linux/lightum/default.nix10
-rw-r--r--pkgs/os-specific/linux/linuxptp/default.nix10
-rw-r--r--pkgs/os-specific/linux/lksctp-tools/default.nix6
-rw-r--r--pkgs/os-specific/linux/lm-sensors/default.nix21
-rw-r--r--pkgs/os-specific/linux/lockdep/default.nix49
-rw-r--r--pkgs/os-specific/linux/logitech-udev-rules/default.nix6
-rw-r--r--pkgs/os-specific/linux/lsiutil/default.nix75
-rw-r--r--pkgs/os-specific/linux/lsscsi/default.nix10
-rw-r--r--pkgs/os-specific/linux/lttng-modules/default.nix16
-rw-r--r--pkgs/os-specific/linux/lvm2/default.nix36
-rw-r--r--pkgs/os-specific/linux/lxc/default.nix10
-rw-r--r--pkgs/os-specific/linux/lxcfs/default.nix20
-rw-r--r--pkgs/os-specific/linux/macchanger/default.nix31
-rw-r--r--pkgs/os-specific/linux/mba6x_bl/default.nix4
-rw-r--r--pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix35
-rw-r--r--pkgs/os-specific/linux/mcelog/default.nix10
-rw-r--r--pkgs/os-specific/linux/mdadm/default.nix8
-rw-r--r--pkgs/os-specific/linux/mdevd/default.nix4
-rw-r--r--pkgs/os-specific/linux/metastore/default.nix4
-rw-r--r--pkgs/os-specific/linux/microcode/amd.nix6
-rw-r--r--pkgs/os-specific/linux/microcode/intel.nix8
-rw-r--r--pkgs/os-specific/linux/microcode/iucode-tool.nix4
-rw-r--r--pkgs/os-specific/linux/mingetty/default.nix4
-rw-r--r--pkgs/os-specific/linux/miraclecast/default.nix8
-rw-r--r--pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix4
-rw-r--r--pkgs/os-specific/linux/mmc-utils/default.nix10
-rw-r--r--pkgs/os-specific/linux/molly-guard/default.nix4
-rw-r--r--pkgs/os-specific/linux/msr-tools/default.nix6
-rw-r--r--pkgs/os-specific/linux/mstpd/default.nix4
-rw-r--r--pkgs/os-specific/linux/multipath-tools/default.nix14
-rw-r--r--pkgs/os-specific/linux/musl-fts/default.nix25
-rw-r--r--pkgs/os-specific/linux/musl-obstack/default.nix26
-rw-r--r--pkgs/os-specific/linux/musl/default.nix31
-rw-r--r--pkgs/os-specific/linux/mwprocapture/default.nix20
-rw-r--r--pkgs/os-specific/linux/mxu11x0/default.nix7
-rw-r--r--pkgs/os-specific/linux/ndiswrapper/default.nix15
-rw-r--r--pkgs/os-specific/linux/ndiswrapper/no-sbin.patch6
-rw-r--r--pkgs/os-specific/linux/net-tools/default.nix10
-rw-r--r--pkgs/os-specific/linux/net-tools/mptcp.nix4
-rw-r--r--pkgs/os-specific/linux/netatop/default.nix25
-rw-r--r--pkgs/os-specific/linux/netatop/fix-paths.patch11
-rw-r--r--pkgs/os-specific/linux/netatop/netatop.service.patch7
-rw-r--r--pkgs/os-specific/linux/nfs-utils/default.nix30
-rw-r--r--pkgs/os-specific/linux/nftables/default.nix13
-rw-r--r--pkgs/os-specific/linux/nixos-rebuild/default.nix23
-rwxr-xr-xpkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh527
-rw-r--r--pkgs/os-specific/linux/nmon/default.nix4
-rw-r--r--pkgs/os-specific/linux/nss_ldap/default.nix4
-rw-r--r--pkgs/os-specific/linux/numactl/default.nix12
-rw-r--r--pkgs/os-specific/linux/numad/default.nix6
-rw-r--r--pkgs/os-specific/linux/numatop/default.nix6
-rw-r--r--pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules2
-rw-r--r--pkgs/os-specific/linux/numworks-udev-rules/default.nix21
-rwxr-xr-xpkgs/os-specific/linux/numworks-udev-rules/update.sh3
-rwxr-xr-xpkgs/os-specific/linux/nvidia-x11/builder.sh10
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/default.nix91
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/generic.nix25
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/persistenced.nix21
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/settings.nix12
-rw-r--r--pkgs/os-specific/linux/nvidiabl/default.nix10
-rw-r--r--pkgs/os-specific/linux/nvme-cli/default.nix11
-rw-r--r--pkgs/os-specific/linux/nvmet-cli/default.nix25
-rw-r--r--pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix60
-rw-r--r--pkgs/os-specific/linux/odp-dpdk/default.nix35
-rw-r--r--pkgs/os-specific/linux/ofp/default.nix41
-rw-r--r--pkgs/os-specific/linux/open-iscsi/default.nix22
-rw-r--r--pkgs/os-specific/linux/open-isns/default.nix17
-rw-r--r--pkgs/os-specific/linux/opengl/xorg-sys/default.nix4
-rw-r--r--pkgs/os-specific/linux/openrazer/driver.nix15
-rw-r--r--pkgs/os-specific/linux/openvswitch/default.nix14
-rw-r--r--pkgs/os-specific/linux/openvswitch/lts.nix17
-rw-r--r--pkgs/os-specific/linux/otpw/default.nix6
-rw-r--r--pkgs/os-specific/linux/pagemon/default.nix4
-rw-r--r--pkgs/os-specific/linux/pam/default.nix39
-rw-r--r--pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch33
-rw-r--r--pkgs/os-specific/linux/pam_ccreds/default.nix4
-rw-r--r--pkgs/os-specific/linux/pam_gnupg/default.nix32
-rw-r--r--pkgs/os-specific/linux/pam_krb5/default.nix10
-rw-r--r--pkgs/os-specific/linux/pam_mount/default.nix49
-rw-r--r--pkgs/os-specific/linux/pam_p11/default.nix4
-rw-r--r--pkgs/os-specific/linux/pam_pgsql/default.nix6
-rw-r--r--pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix73
-rw-r--r--pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch53
-rw-r--r--pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch12
-rw-r--r--pkgs/os-specific/linux/pam_u2f/default.nix23
-rw-r--r--pkgs/os-specific/linux/pam_usb/default.nix8
-rw-r--r--pkgs/os-specific/linux/pax-utils/default.nix4
-rw-r--r--pkgs/os-specific/linux/paxctl/default.nix4
-rw-r--r--pkgs/os-specific/linux/paxtest/default.nix4
-rw-r--r--pkgs/os-specific/linux/pcimem/default.nix30
-rw-r--r--pkgs/os-specific/linux/pcm/default.nix8
-rw-r--r--pkgs/os-specific/linux/pcmciautils/default.nix11
-rw-r--r--pkgs/os-specific/linux/perf-tools/default.nix4
-rw-r--r--pkgs/os-specific/linux/phc-intel/default.nix8
-rw-r--r--pkgs/os-specific/linux/piper/default.nix10
-rw-r--r--pkgs/os-specific/linux/pipework/default.nix6
-rw-r--r--pkgs/os-specific/linux/pktgen/configure.patch17
-rw-r--r--pkgs/os-specific/linux/pktgen/default.nix34
-rw-r--r--pkgs/os-specific/linux/ply/default.nix8
-rw-r--r--pkgs/os-specific/linux/plymouth/default.nix105
-rw-r--r--pkgs/os-specific/linux/pm-utils/default.nix12
-rw-r--r--pkgs/os-specific/linux/pmount/default.nix14
-rw-r--r--pkgs/os-specific/linux/policycoreutils/default.nix4
-rw-r--r--pkgs/os-specific/linux/pommed-light/default.nix12
-rw-r--r--pkgs/os-specific/linux/power-profiles-daemon/default.nix68
-rw-r--r--pkgs/os-specific/linux/powercap/default.nix26
-rw-r--r--pkgs/os-specific/linux/powerstat/default.nix12
-rw-r--r--pkgs/os-specific/linux/powertop/default.nix9
-rw-r--r--pkgs/os-specific/linux/pps-tools/default.nix4
-rw-r--r--pkgs/os-specific/linux/prl-tools/default.nix8
-rw-r--r--pkgs/os-specific/linux/procdump/default.nix4
-rw-r--r--pkgs/os-specific/linux/procps-ng/default.nix52
-rw-r--r--pkgs/os-specific/linux/pscircle/default.nix6
-rw-r--r--pkgs/os-specific/linux/psftools/default.nix24
-rw-r--r--pkgs/os-specific/linux/psmisc/default.nix10
-rw-r--r--pkgs/os-specific/linux/r8125/default.nix10
-rw-r--r--pkgs/os-specific/linux/r8168/default.nix8
-rw-r--r--pkgs/os-specific/linux/radeontools/default.nix8
-rw-r--r--pkgs/os-specific/linux/radeontop/default.nix13
-rw-r--r--pkgs/os-specific/linux/raspberrypi-eeprom/default.nix55
-rw-r--r--pkgs/os-specific/linux/rdma-core/default.nix20
-rw-r--r--pkgs/os-specific/linux/read-edid/default.nix2
-rw-r--r--pkgs/os-specific/linux/regionset/default.nix4
-rw-r--r--pkgs/os-specific/linux/rewritefs/default.nix8
-rw-r--r--pkgs/os-specific/linux/rfkill/udev.nix4
-rw-r--r--pkgs/os-specific/linux/roccat-tools/default.nix10
-rw-r--r--pkgs/os-specific/linux/rtkit/default.nix8
-rw-r--r--pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix39
-rw-r--r--pkgs/os-specific/linux/rtl8192eu/default.nix23
-rw-r--r--pkgs/os-specific/linux/rtl8723bs/default.nix10
-rw-r--r--pkgs/os-specific/linux/rtl8812au/default.nix35
-rw-r--r--pkgs/os-specific/linux/rtl8814au/default.nix23
-rw-r--r--pkgs/os-specific/linux/rtl8821au/default.nix22
-rw-r--r--pkgs/os-specific/linux/rtl8821ce/default.nix18
-rw-r--r--pkgs/os-specific/linux/rtl8821cu/default.nix21
-rw-r--r--pkgs/os-specific/linux/rtl88x2bu/default.nix22
-rw-r--r--pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix24
-rw-r--r--pkgs/os-specific/linux/rtlwifi_new/default.nix41
-rw-r--r--pkgs/os-specific/linux/rtw88/default.nix40
-rw-r--r--pkgs/os-specific/linux/rtw89/default.nix40
-rw-r--r--pkgs/os-specific/linux/ryzenadj/default.nix27
-rw-r--r--pkgs/os-specific/linux/s6-linux-init/default.nix22
-rw-r--r--pkgs/os-specific/linux/s6-linux-utils/default.nix8
-rw-r--r--pkgs/os-specific/linux/sch_cake/default.nix4
-rw-r--r--pkgs/os-specific/linux/schedtool/default.nix6
-rw-r--r--pkgs/os-specific/linux/sd-switch/default.nix10
-rw-r--r--pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c22
-rw-r--r--pkgs/os-specific/linux/sdparm/default.nix4
-rw-r--r--pkgs/os-specific/linux/selinux-python/default.nix6
-rw-r--r--pkgs/os-specific/linux/selinux-sandbox/default.nix5
-rw-r--r--pkgs/os-specific/linux/semodule-utils/default.nix6
-rw-r--r--pkgs/os-specific/linux/sepolgen/default.nix4
-rw-r--r--pkgs/os-specific/linux/service-wrapper/default.nix4
-rw-r--r--pkgs/os-specific/linux/setools/default.nix14
-rw-r--r--pkgs/os-specific/linux/seturgent/default.nix11
-rw-r--r--pkgs/os-specific/linux/shadow/default.nix22
-rw-r--r--pkgs/os-specific/linux/shadow/runtime-shell.patch13
-rw-r--r--pkgs/os-specific/linux/sinit/default.nix18
-rw-r--r--pkgs/os-specific/linux/speedometer/default.nix4
-rw-r--r--pkgs/os-specific/linux/sssd/default.nix35
-rw-r--r--pkgs/os-specific/linux/statifier/default.nix4
-rw-r--r--pkgs/os-specific/linux/swapview/default.nix23
-rw-r--r--pkgs/os-specific/linux/switcheroo-control/default.nix58
-rw-r--r--pkgs/os-specific/linux/syscall_limiter/default.nix4
-rw-r--r--pkgs/os-specific/linux/sysdig/default.nix49
-rw-r--r--pkgs/os-specific/linux/sysfsutils/default.nix6
-rw-r--r--pkgs/os-specific/linux/sysklogd/default.nix6
-rw-r--r--pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch120
-rw-r--r--pkgs/os-specific/linux/sysklogd/systemd.patch2
-rw-r--r--pkgs/os-specific/linux/syslinux/default.nix15
-rw-r--r--pkgs/os-specific/linux/syslinux/gcc10.patch33
-rw-r--r--pkgs/os-specific/linux/sysstat/default.nix12
-rw-r--r--pkgs/os-specific/linux/system76-acpi/default.nix43
-rw-r--r--pkgs/os-specific/linux/system76-io/default.nix38
-rw-r--r--pkgs/os-specific/linux/system76-power/default.nix30
-rw-r--r--pkgs/os-specific/linux/system76/default.nix44
-rw-r--r--pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch8
-rw-r--r--pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch12
-rw-r--r--pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch12
-rw-r--r--pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch10
-rw-r--r--pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch123
-rw-r--r--pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch10
-rw-r--r--pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch42
-rw-r--r--pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch8
-rw-r--r--pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch32
-rw-r--r--pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch10
-rw-r--r--pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch12
-rw-r--r--pkgs/os-specific/linux/systemd/0012-Install-default-configuration-into-out-share-factory.patch313
-rw-r--r--pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch (renamed from pkgs/os-specific/linux/systemd/0013-inherit-systemd-environment-when-calling-generators.patch)10
-rw-r--r--pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch (renamed from pkgs/os-specific/linux/systemd/0014-add-rootprefix-to-lookup-dir-paths.patch)8
-rw-r--r--pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch (renamed from pkgs/os-specific/linux/systemd/0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch)10
-rw-r--r--pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch (renamed from pkgs/os-specific/linux/systemd/0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch)8
-rw-r--r--pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch (renamed from pkgs/os-specific/linux/systemd/0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch)8
-rw-r--r--pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch (renamed from pkgs/os-specific/linux/systemd/0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch)8
-rw-r--r--pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch26
-rw-r--r--pkgs/os-specific/linux/systemd/0019-pkg-config-derive-prefix-from-prefix.patch33
-rw-r--r--pkgs/os-specific/linux/systemd/default.nix469
-rw-r--r--pkgs/os-specific/linux/sysvinit/default.nix12
-rw-r--r--pkgs/os-specific/linux/target-isns/default.nix36
-rw-r--r--pkgs/os-specific/linux/target-isns/install_prefix_path.patch17
-rw-r--r--pkgs/os-specific/linux/targetcli/default.nix8
-rw-r--r--pkgs/os-specific/linux/tbs/default.nix2
-rw-r--r--pkgs/os-specific/linux/tcp-wrappers/default.nix6
-rw-r--r--pkgs/os-specific/linux/teck-udev-rules/default.nix22
-rw-r--r--pkgs/os-specific/linux/thunderbolt/default.nix12
-rw-r--r--pkgs/os-specific/linux/tiptop/default.nix4
-rw-r--r--pkgs/os-specific/linux/tiscamera/default.nix67
-rw-r--r--pkgs/os-specific/linux/tmon/default.nix4
-rw-r--r--pkgs/os-specific/linux/tomb/default.nix10
-rw-r--r--pkgs/os-specific/linux/tp_smapi/default.nix2
-rw-r--r--pkgs/os-specific/linux/tpacpi-bat/default.nix8
-rw-r--r--pkgs/os-specific/linux/trace-cmd/default.nix16
-rw-r--r--pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch24
-rw-r--r--pkgs/os-specific/linux/trace-cmd/kernelshark.nix15
-rw-r--r--pkgs/os-specific/linux/trace-cmd/src.nix5
-rw-r--r--pkgs/os-specific/linux/trezor-udev-rules/default.nix4
-rw-r--r--pkgs/os-specific/linux/trinity/default.nix4
-rw-r--r--pkgs/os-specific/linux/tuigreet/default.nix26
-rw-r--r--pkgs/os-specific/linux/tuna/default.nix62
-rw-r--r--pkgs/os-specific/linux/tunctl/default.nix6
-rw-r--r--pkgs/os-specific/linux/turbostat/default.nix4
-rw-r--r--pkgs/os-specific/linux/tuxedo-keyboard/default.nix15
-rw-r--r--pkgs/os-specific/linux/uclibc/default.nix14
-rw-r--r--pkgs/os-specific/linux/udisks-glue/default.nix10
-rw-r--r--pkgs/os-specific/linux/udisks/1-default.nix10
-rw-r--r--pkgs/os-specific/linux/udisks/2-default.nix20
-rw-r--r--pkgs/os-specific/linux/undervolt/default.nix4
-rw-r--r--pkgs/os-specific/linux/unstick/default.nix4
-rw-r--r--pkgs/os-specific/linux/untie/default.nix4
-rw-r--r--pkgs/os-specific/linux/upower/default.nix10
-rw-r--r--pkgs/os-specific/linux/usbguard/default.nix66
-rw-r--r--pkgs/os-specific/linux/usbip/default.nix11
-rw-r--r--pkgs/os-specific/linux/usbtop/default.nix4
-rw-r--r--pkgs/os-specific/linux/usbutils/default.nix10
-rw-r--r--pkgs/os-specific/linux/usbutils/fix-paths.patch9
-rw-r--r--pkgs/os-specific/linux/usermount/default.nix8
-rw-r--r--pkgs/os-specific/linux/util-linux/default.nix14
-rw-r--r--pkgs/os-specific/linux/uvcdynctrl/default.nix6
-rw-r--r--pkgs/os-specific/linux/v4l-utils/default.nix10
-rw-r--r--pkgs/os-specific/linux/v4l2loopback/default.nix17
-rw-r--r--pkgs/os-specific/linux/v86d/default.nix4
-rw-r--r--pkgs/os-specific/linux/veikk-linux-driver/default.nix35
-rw-r--r--pkgs/os-specific/linux/vendor-reset/default.nix35
-rw-r--r--pkgs/os-specific/linux/wireguard/default.nix12
-rw-r--r--pkgs/os-specific/linux/wireless-tools/default.nix6
-rw-r--r--pkgs/os-specific/linux/wlgreet/default.nix26
-rw-r--r--pkgs/os-specific/linux/wooting-udev-rules/default.nix6
-rw-r--r--pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch130
-rw-r--r--pkgs/os-specific/linux/wpa_supplicant/default.nix61
-rw-r--r--pkgs/os-specific/linux/wpa_supplicant/gui.nix4
-rw-r--r--pkgs/os-specific/linux/x86_energy_perf_policy/default.nix4
-rw-r--r--pkgs/os-specific/linux/x86info/default.nix8
-rw-r--r--pkgs/os-specific/linux/xf86-input-cmt/default.nix8
-rw-r--r--pkgs/os-specific/linux/xf86-input-wacom/default.nix68
-rw-r--r--pkgs/os-specific/linux/xf86-video-nested/default.nix8
-rw-r--r--pkgs/os-specific/linux/xmm7360-pci/default.nix28
-rw-r--r--pkgs/os-specific/linux/xpadneo/default.nix16
-rw-r--r--pkgs/os-specific/linux/xsensors/default.nix4
-rw-r--r--pkgs/os-specific/linux/zenmonitor/default.nix10
-rw-r--r--pkgs/os-specific/linux/zenpower/default.nix4
-rw-r--r--pkgs/os-specific/linux/zenstates/default.nix4
-rw-r--r--pkgs/os-specific/linux/zfs/BACKPORT-Linux-5.8-compat-__vmalloc.patch154
-rw-r--r--pkgs/os-specific/linux/zfs/default.nix114
-rw-r--r--pkgs/os-specific/linux/zsa-udev-rules/default.nix33
585 files changed, 8829 insertions, 5043 deletions
diff --git a/pkgs/os-specific/linux/915resolution/default.nix b/pkgs/os-specific/linux/915resolution/default.nix
index 906ea04293f..57f8ba0d33b 100644
--- a/pkgs/os-specific/linux/915resolution/default.nix
+++ b/pkgs/os-specific/linux/915resolution/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 
 stdenv.mkDerivation rec {
   name = "915resolution-0.5.3";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   patchPhase = "rm *.o";
   installPhase = "mkdir -p $out/sbin; cp 915resolution $out/sbin/";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://915resolution.mango-lang.org/";
     description = "A tool to modify Intel 800/900 video BIOS";
     platforms = [ "i686-linux" "x86_64-linux" ];
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index bb3aef885a7..f986ed790a1 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -1,14 +1,15 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
   pname = "acpi-call";
-  version = "2020-04-07-${kernel.version}";
+  version = "1.2.1";
+  name = "${pname}-${version}-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "nix-community";
     repo = "acpi_call";
-    rev = "3d7c9fe5ed3fc5ed5bafd39d54b1fdc7a09ce710";
-    sha256 = "09kp8zl392h99wjwzqrdw2xcfnsc944hzmfwi8n1y7m2slpdybv3";
+    rev = "v${version}";
+    sha256 = "0mr4rjbv6fj4phf038addrgv32940bphghw2v9n1z4awvw7wzkbg";
   };
 
   hardeningDisable = [ "pic" ];
@@ -24,10 +25,11 @@ stdenv.mkDerivation rec {
     install -D -m755 examples/turn_off_gpu.sh $out/bin/test_discrete_video_off.sh
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     maintainers = with maintainers; [ raskin mic92 ];
-    inherit (src.meta) homepage;
+    homepage = "https://github.com/nix-community/acpi_call";
     platforms = platforms.linux;
     description = "A module allowing arbitrary ACPI calls; use case: hybrid video";
+    license = licenses.gpl3Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/acpi/default.nix b/pkgs/os-specific/linux/acpi/default.nix
index 69a36d7bf52..d257553299c 100644
--- a/pkgs/os-specific/linux/acpi/default.nix
+++ b/pkgs/os-specific/linux/acpi/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "acpi";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "01ahldvf0gc29dmbd5zi4rrnrw2i1ajnf30sx2vyaski3jv099fp";
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Show battery status and other ACPI information";
     longDescription = ''
       Linux ACPI client is a small command-line
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
       battery and thermal information.
     '';
     homepage = "https://sourceforge.net/projects/acpiclient/";
-    license = stdenv.lib.licenses.gpl2Plus;
+    license = lib.licenses.gpl2Plus;
     platforms = platforms.linux;
     maintainers = [ ];
   };
diff --git a/pkgs/os-specific/linux/acpid/default.nix b/pkgs/os-specific/linux/acpid/default.nix
index 5ef5e2724b2..d28ff447681 100644
--- a/pkgs/os-specific/linux/acpid/default.nix
+++ b/pkgs/os-specific/linux/acpid/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoreconfHook }:
+{ lib, stdenv, fetchurl, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   name = "acpid-2.0.32";
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
       --replace "strrchr strtol" "strrchr strtol malloc realloc"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://sourceforge.net/projects/acpid2/";
     description = "A daemon for delivering ACPI events to userspace programs";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/acpitool/default.nix b/pkgs/os-specific/linux/acpitool/default.nix
index 9f2ad5b5c03..4a3d1a36bd7 100644
--- a/pkgs/os-specific/linux/acpitool/default.nix
+++ b/pkgs/os-specific/linux/acpitool/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, fetchpatch}:
+{lib, stdenv, fetchurl, fetchpatch}:
 
 let
    acpitool-patch-051-4 = params: fetchpatch rec {
@@ -44,8 +44,8 @@ in stdenv.mkDerivation rec {
   meta = {
     description = "A small, convenient command-line ACPI client with a lot of features";
     homepage = "https://sourceforge.net/projects/acpitool/";
-    license = stdenv.lib.licenses.gpl2Plus;
-    maintainers = [ stdenv.lib.maintainers.guibert ];
-    platforms = stdenv.lib.platforms.unix;
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.guibert ];
+    platforms = lib.platforms.unix;
   };
 }
diff --git a/pkgs/os-specific/linux/afuse/default.nix b/pkgs/os-specific/linux/afuse/default.nix
index 758c57bb9e1..75c44e11172 100644
--- a/pkgs/os-specific/linux/afuse/default.nix
+++ b/pkgs/os-specific/linux/afuse/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, autoreconfHook, fuse }:
+{ lib, stdenv, fetchurl, pkg-config, autoreconfHook, fuse }:
 
 stdenv.mkDerivation {
   name = "afuse-0.4.1";
@@ -8,14 +8,21 @@ stdenv.mkDerivation {
     sha256 = "1sfhicmxppkvdd4z9klfn63snb71gr9hff6xij1gzk94xg6m0ycc";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ fuse ];
 
+  postPatch = lib.optionalString stdenv.isDarwin ''
+    # Fix the build on macOS with macFUSE installed
+    substituteInPlace configure.ac --replace \
+      'export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH' \
+      ""
+  '';
+
   meta = {
     description = "Automounter in userspace";
     homepage = "https://github.com/pcarrier/afuse";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = [ stdenv.lib.maintainers.marcweber ];
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    maintainers = [ lib.maintainers.marcweber ];
+    platforms = lib.platforms.unix;
   };
 }
diff --git a/pkgs/os-specific/linux/akvcam/default.nix b/pkgs/os-specific/linux/akvcam/default.nix
new file mode 100644
index 00000000000..815dc6a2ee3
--- /dev/null
+++ b/pkgs/os-specific/linux/akvcam/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, kernel, qmake }:
+
+stdenv.mkDerivation rec {
+  pname = "akvcam";
+  version = "1.2.0";
+
+  src = fetchFromGitHub {
+    owner = "webcamoid";
+    repo = "akvcam";
+    rev = version;
+    sha256 = "0r5xg7pz0wl6pq5029rpzm9fn978vq0md31xjkp2amny7rrgxw72";
+  };
+
+  nativeBuildInputs = [ qmake ];
+  dontWrapQtApps = true;
+
+  qmakeFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -m644 -b -D src/akvcam.ko $out/lib/modules/${kernel.modDirVersion}/akvcam.ko
+  '';
+
+  meta = with lib; {
+    description = "Virtual camera driver for Linux";
+    homepage = "https://github.com/webcamoid/akvcam";
+    maintainers = with maintainers; [ freezeboy ];
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+  };
+}
diff --git a/pkgs/os-specific/linux/alsa-plugins/wrapper.nix b/pkgs/os-specific/linux/alsa-plugins/wrapper.nix
deleted file mode 100644
index 8271088a501..00000000000
--- a/pkgs/os-specific/linux/alsa-plugins/wrapper.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ writeShellScriptBin, stdenv, alsaPlugins }:
-writeShellScriptBin "ap${if stdenv.hostPlatform.system == "i686-linux" then "32" else "64"}" ''
-  ALSA_PLUGIN_DIRS=${alsaPlugins}/lib/alsa-lib "$@"
-''
diff --git a/pkgs/os-specific/linux/alsa-firmware/cross.patch b/pkgs/os-specific/linux/alsa-project/alsa-firmware/cross.patch
index 989ccea2b98..989ccea2b98 100644
--- a/pkgs/os-specific/linux/alsa-firmware/cross.patch
+++ b/pkgs/os-specific/linux/alsa-project/alsa-firmware/cross.patch
diff --git a/pkgs/os-specific/linux/alsa-firmware/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix
index 01955534bfc..a627a7762a8 100644
--- a/pkgs/os-specific/linux/alsa-firmware/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, buildPackages, autoreconfHook, fetchurl, fetchpatch }:
+{ lib, stdenv, buildPackages, autoreconfHook, fetchurl, fetchpatch }:
 
 stdenv.mkDerivation rec {
   name = "alsa-firmware-1.2.1";
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "http://www.alsa-project.org/";
     description = "Soundcard firmwares from the alsa project";
-    license = stdenv.lib.licenses.gpl2Plus;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/alsa-lib/alsa-plugin-conf-multilib.patch b/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch
index b17df9a492e..b17df9a492e 100644
--- a/pkgs/os-specific/linux/alsa-lib/alsa-plugin-conf-multilib.patch
+++ b/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch
diff --git a/pkgs/os-specific/linux/alsa-lib/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix
index 3c5427340ba..a2350271482 100644
--- a/pkgs/os-specific/linux/alsa-lib/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix
@@ -1,11 +1,17 @@
-{ stdenv, fetchurl, alsa-ucm-conf, alsa-topology-conf }:
+{ lib
+, stdenv
+, fetchurl
+, alsa-topology-conf
+, alsa-ucm-conf
+}:
 
 stdenv.mkDerivation rec {
-  name = "alsa-lib-1.2.3";
+  pname = "alsa-lib";
+  version = "1.2.5.1";
 
   src = fetchurl {
-    url = "mirror://alsa/lib/${name}.tar.bz2";
-    sha256 = "13k7dx1g749z74rz71hs5j8z0pqdjgx7l69pn0vsy7jizhi0kw02";
+    url = "mirror://alsa/lib/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-YoQh2VDOyvI03j+JnVIMCmkjMTyWStdR/6wIHfMxQ44=";
   };
 
   patches = [
@@ -26,7 +32,7 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "dev" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.alsa-project.org/";
     description = "ALSA, the Advanced Linux Sound Architecture libraries";
 
@@ -35,7 +41,7 @@ stdenv.mkDerivation rec {
       MIDI functionality to the Linux-based operating system.
     '';
 
-    license = licenses.gpl3Plus;
+    license = licenses.lgpl21Plus;
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/alsa-oss/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix
index 774dc3d8d67..f600b52c5f3 100644
--- a/pkgs/os-specific/linux/alsa-oss/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, alsaLib, gettext, ncurses, libsamplerate}:
+{lib, stdenv, fetchurl, alsa-lib, gettext, ncurses, libsamplerate}:
 
 stdenv.mkDerivation rec {
   pname = "alsa-oss";
@@ -9,14 +9,14 @@ stdenv.mkDerivation rec {
     sha256 = "13nn6n6wpr2sj1hyqx4r9nb9bwxnhnzw8r2f08p8v13yjbswxbb4";
   };
 
-  buildInputs = [ alsaLib ncurses libsamplerate ];
+  buildInputs = [ alsa-lib ncurses libsamplerate ];
   nativeBuildInputs = [ gettext ];
 
   configureFlags = [ "--disable-xmlto" ];
 
   installFlags = [ "ASOUND_STATE_DIR=$(TMPDIR)/dummy" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.alsa-project.org/";
     description = "ALSA, the Advanced Linux Sound Architecture alsa-oss emulation";
 
diff --git a/pkgs/os-specific/linux/alsa-plugins/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix
index a69d86c5c4d..747979b1037 100644
--- a/pkgs/os-specific/linux/alsa-plugins/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix
@@ -1,19 +1,19 @@
-{ stdenv, fetchurl, lib, pkgconfig, alsaLib, libogg, libpulseaudio ? null, libjack2 ? null }:
+{ stdenv, fetchurl, lib, pkg-config, alsa-lib, libogg, libpulseaudio ? null, libjack2 ? null }:
 
 stdenv.mkDerivation rec {
   pname = "alsa-plugins";
-  version = "1.2.2";
+  version = "1.2.5";
 
   src = fetchurl {
     url = "mirror://alsa/plugins/${pname}-${version}.tar.bz2";
-    sha256 = "0z9k3ssbfk2ky2w13avgyf202j1drsz9sv3834bp33cj1i2hc3qw";
+    sha256 = "086z2g2f95570vfvp9d5bakib4k18fb4bszf3lgx3j6j6f2gkvj2";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
 
   # ToDo: a52, etc.?
   buildInputs =
-    [ alsaLib libogg ]
+    [ alsa-lib libogg ]
     ++ lib.optional (libpulseaudio != null) libpulseaudio
     ++ lib.optional (libjack2 != null) libjack2;
 
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
     description = "Various plugins for ALSA";
     homepage = "http://alsa-project.org/";
     license = licenses.lgpl21;
-    maintainers = [maintainers.marcweber];
+    maintainers = [ maintainers.marcweber ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix b/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix
new file mode 100644
index 00000000000..992f4886e26
--- /dev/null
+++ b/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix
@@ -0,0 +1,10 @@
+{ stdenv
+, alsa-plugins
+, writeShellScriptBin
+}:
+let
+  arch = if stdenv.hostPlatform.system == "i686-linux" then "32" else "64";
+in
+writeShellScriptBin "ap${arch}" ''
+  ALSA_PLUGIN_DIRS=${alsa-plugins}/lib/alsa-lib "$@"
+''
diff --git a/pkgs/os-specific/linux/alsa-tools/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix
index 2fef5e07c63..8b9abb74036 100644
--- a/pkgs/os-specific/linux/alsa-tools/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix
@@ -1,18 +1,18 @@
-{ stdenv, fetchurl, alsaLib, pkgconfig, gtk2, gtk3, fltk13 }:
+{ lib, stdenv, fetchurl, alsa-lib, pkg-config, gtk2, gtk3, fltk13 }:
 # Comes from upstream as as bundle of several tools,
 # some use gtk2, some gtk3 (and some even fltk13).
 
 stdenv.mkDerivation rec {
   pname = "alsa-tools";
-  version = "1.2.2";
+  version = "1.2.5";
 
   src = fetchurl {
     url = "mirror://alsa/tools/${pname}-${version}.tar.bz2";
-    sha256 = "0jbkjmq038zapj66a7nkppdf644v2mwj581xbmh6k4i8w6mcglxz";
+    sha256 = "sha256-NacQJ6AfTX3kci4iNSDpQN5os8VwtsZxaRVnrij5iT4=";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ alsaLib gtk2 gtk3 fltk13 ];
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ alsa-lib gtk2 gtk3 fltk13 ];
 
   patchPhase = ''
     export tools="as10k1 hda-verb hdspmixer echomixer hdajackretask hdspconf hwmixvolume mixartloader rmedigicontrol sscape_ctl vxloader envy24control hdajacksensetest hdsploader ld10k1 pcxhrloader sb16_csp us428control"
@@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.alsa-project.org/";
     description = "ALSA, the Advanced Linux Sound Architecture tools";
 
diff --git a/pkgs/os-specific/linux/alsa-topology-conf/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix
index 54340d017ad..97960f833e1 100644
--- a/pkgs/os-specific/linux/alsa-topology-conf/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix
@@ -1,12 +1,12 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "alsa-topology-conf-${version}";
-  version = "1.2.3";
+  version = "1.2.5";
 
   src = fetchurl {
     url = "mirror://alsa/lib/${name}.tar.bz2";
-    sha256 = "1zwxc9zhfcmyffjjbibzpdvf4kx7wv9g2zl6xz7y0d6srfr9jgw3";
+    sha256 = "sha256-i/qDBspj4dDL6AvphGYCc7kb1bfdCACmxapx3YyNd1w=";
   };
 
   dontBuild = true;
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.alsa-project.org/";
     description = "ALSA topology configuration files";
 
diff --git a/pkgs/os-specific/linux/alsa-ucm-conf/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix
index 2a9f28c855a..0666f3f4793 100644
--- a/pkgs/os-specific/linux/alsa-ucm-conf/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix
@@ -1,12 +1,12 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "alsa-ucm-conf-${version}";
-  version = "1.2.3";
+  version = "1.2.5.1";
 
   src = fetchurl {
     url = "mirror://alsa/lib/${name}.tar.bz2";
-    sha256 = "000db5yla7dljidjbbwbiaxvc1a7wh1zpw694gipaymj9fh4vhhv";
+    sha256 = "sha256-WEGkRBZty/R523UTA9vDVW9oUIWsfgDwyed1VnYZXZc=";
   };
 
   dontBuild = true;
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.alsa-project.org/";
     description = "ALSA Use Case Manager configuration";
 
diff --git a/pkgs/os-specific/linux/alsa-utils/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix
index 470536db4b7..782e6ffce8c 100644
--- a/pkgs/os-specific/linux/alsa-utils/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix
@@ -1,27 +1,27 @@
-{stdenv, fetchurl, alsaLib, gettext, ncurses, libsamplerate, pciutils, fftw}:
+{lib, stdenv, fetchurl, alsa-lib, gettext, makeWrapper, ncurses, libsamplerate, pciutils, which, fftw}:
 
 stdenv.mkDerivation rec {
   pname = "alsa-utils";
-  version = "1.2.3";
+  version = "1.2.5.1";
 
   src = fetchurl {
     url = "mirror://alsa/utils/${pname}-${version}.tar.bz2";
-    sha256 = "1ai1z4kf91b1m3qrpwqkc1af5vm2fkdkknqv95xdwf19q94aw6gz";
+    sha256 = "sha256-nBaa43pJKV+bl7kqzncoA9r2tlEKGVdOC3j4flYhGNA=";
   };
 
-  patchPhase = ''
-    substituteInPlace alsa-info/alsa-info.sh \
-      --replace "which" "type -p" \
-      --replace "lspci" "${pciutils}/bin/lspci"
-  '';
-  nativeBuildInputs = [ gettext ];
-  buildInputs = [ alsaLib ncurses libsamplerate fftw ];
+  nativeBuildInputs = [ gettext makeWrapper ];
+  buildInputs = [ alsa-lib ncurses libsamplerate fftw ];
 
   configureFlags = [ "--disable-xmlto" "--with-udev-rules-dir=$(out)/lib/udev/rules.d" ];
 
   installFlags = [ "ASOUND_STATE_DIR=$(TMPDIR)/dummy" ];
 
-  meta = with stdenv.lib; {
+  postFixup = ''
+    mv $out/bin/alsa-info.sh $out/bin/alsa-info
+    wrapProgram $out/bin/alsa-info --prefix PATH : "${lib.makeBinPath [ which pciutils ]}"
+  '';
+
+  meta = with lib; {
     homepage = "http://www.alsa-project.org/";
     description = "ALSA, the Advanced Linux Sound Architecture utils";
     longDescription = ''
diff --git a/pkgs/os-specific/linux/amdgpu-pro/default.nix b/pkgs/os-specific/linux/amdgpu-pro/default.nix
index 32763fcded5..13dd8302b18 100644
--- a/pkgs/os-specific/linux/amdgpu-pro/default.nix
+++ b/pkgs/os-specific/linux/amdgpu-pro/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, elfutils
+{ lib, stdenv, fetchurl, elfutils
 , xorg, patchelf, openssl, libdrm, udev
 , libxcb, libxshmfence, epoxy, perl, zlib
 , ncurses
@@ -7,7 +7,7 @@
 
 assert (!libsOnly) -> kernel != null;
 
-with stdenv.lib;
+with lib;
 
 let
 
@@ -171,7 +171,7 @@ in stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "AMDGPU-PRO drivers";
     homepage =  "http://support.amd.com/en-us/kb-articles/Pages/AMDGPU-PRO-Beta-Driver-for-Vulkan-Release-Notes.aspx";
     license = licenses.unfree;
diff --git a/pkgs/os-specific/linux/anbox/default.nix b/pkgs/os-specific/linux/anbox/default.nix
index 5f8ca7ac46f..d684e24db91 100644
--- a/pkgs/os-specific/linux/anbox/default.nix
+++ b/pkgs/os-specific/linux/anbox/default.nix
@@ -1,24 +1,28 @@
-{ stdenv, fetchFromGitHub, fetchurl
-, cmake, pkgconfig, dbus, makeWrapper
-, gtest
+{ lib, stdenv, fetchFromGitHub, fetchurl
+, cmake, pkg-config, dbus, makeWrapper
 , boost
+, elfutils # for libdw
+, git
+, glib
+, glm
+, gtest
+, libbfd
 , libcap
-, systemd
-, mesa
+, libdwarf
 , libGL
 , libglvnd
-, glib
-, git
-, SDL2
-, SDL2_image
+, lxc
+, mesa
 , properties-cpp
 , protobuf
 , protobufc
-, python
-, lxc
+, python3
+, runtimeShell
+, SDL2
+, SDL2_image
+, systemd
 , writeText
 , writeScript
-, runtimeShell
 }:
 
 let
@@ -45,27 +49,42 @@ in
 
 stdenv.mkDerivation rec {
   pname = "anbox";
-  version = "unstable-2019-11-15";
+  version = "unstable-2020-11-29";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    rev = "0a49ae08f76de7f886a3dbed4422711c2fa39d10";
-    sha256 = "09l56nv9cnyhykclfmvam6bkcxlamwbql6nrz9n022553w92hkjf";
+    rev = "6c10125a7f13908d2cbe56d2d9ab09872755f265";
+    sha256 = "00bqssh4zcs0jj6w07b91719xkrpdw75vpcplwrvlhwsvl55f901";
+    fetchSubmodules = true;
   };
 
   nativeBuildInputs = [
+    cmake
+    pkg-config
     makeWrapper
   ];
 
   buildInputs = [
-    cmake pkgconfig dbus boost libcap gtest systemd mesa glib
-    SDL2 SDL2_image protobuf protobufc properties-cpp lxc python
+    boost
+    dbus
+    elfutils # libdw
+    glib
+    glm
+    gtest
+    libbfd
+    libcap
+    libdwarf
     libGL
+    lxc
+    mesa
+    properties-cpp
+    protobuf protobufc
+    python3
+    SDL2 SDL2_image
+    systemd
   ];
 
-  NIX_CFLAGS_COMPILE = "-Wno-error=missing-field-initializers";
-
   patchPhase = ''
     patchShebangs scripts
 
@@ -96,7 +115,7 @@ stdenv.mkDerivation rec {
 
   postInstall = ''
     wrapProgram $out/bin/anbox \
-      --prefix LD_LIBRARY_PATH : ${stdenv.lib.makeLibraryPath [libGL libglvnd]} \
+      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [libGL libglvnd]} \
       --prefix PATH : ${git}/bin
 
     mkdir -p $out/share/dbus-1/services
@@ -129,7 +148,7 @@ stdenv.mkDerivation rec {
       };
     }.${stdenv.system} or null;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://anbox.io";
     description = "Android in a box";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/anbox/kmod.nix b/pkgs/os-specific/linux/anbox/kmod.nix
index 6eb74ca25f6..9ce65cd8726 100644
--- a/pkgs/os-specific/linux/anbox/kmod.nix
+++ b/pkgs/os-specific/linux/anbox/kmod.nix
@@ -1,14 +1,14 @@
-{ stdenv, kernel, fetchFromGitHub }:
+{ lib, stdenv, kernel, fetchFromGitHub }:
 
 stdenv.mkDerivation {
   pname = "anbox-modules";
-  version = "2019-11-15-" + kernel.version;
+  version = "2020-06-14-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "anbox";
     repo = "anbox-modules";
-    rev = "e0a237e571989987806b32881044c539db25e3e1";
-    sha256 = "1km1nslp4f5znwskh4bb1b61r1inw1dlbwiyyq3rrh0f0agf8d0v";
+    rev = "98f0f3b3b1eeb5a6954ca15ec43e150b76369086";
+    sha256 = "sha256-6xDJQ4YItdbYqle/9VNfOc7D80yFGd9cFyF+CuABaF0=";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
@@ -31,13 +31,12 @@ stdenv.mkDerivation {
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Anbox ashmem and binder drivers.";
     homepage = "https://github.com/anbox/anbox-modules";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
-    broken = (versionOlder kernel.version "4.4") || (kernel.features.grsecurity);
+    broken = kernel.kernelOlder "4.4" || kernel.kernelAtLeast "5.5";
     maintainers = with maintainers; [ edwtjo ];
   };
-
 }
diff --git a/pkgs/os-specific/linux/android-udev-rules/default.nix b/pkgs/os-specific/linux/android-udev-rules/default.nix
index 1cfa6b5856f..fbe02d69f1a 100644
--- a/pkgs/os-specific/linux/android-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/android-udev-rules/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 ## Usage
 # In NixOS, simply add this package to services.udev.packages:
@@ -6,24 +6,26 @@
 
 stdenv.mkDerivation rec {
   pname = "android-udev-rules";
-  version = "20200410";
+  version = "20210501";
 
   src = fetchFromGitHub {
     owner = "M0Rf30";
     repo = "android-udev-rules";
     rev = version;
-    sha256 = "1ik9a0k9gkaw5a80m25pxx5yfiwq34ffb7iqhwicz4lwz5wsw8d3";
+    sha256 = "sha256-rlTulWclPqMl9LdHdcAtLARXGItiSeF3RX+neZrjgV4=";
   };
 
   installPhase = ''
+    runHook preInstall
     install -D 51-android.rules $out/lib/udev/rules.d/51-android.rules
+    runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/M0Rf30/android-udev-rules";
     description = "Android udev rules list aimed to be the most comprehensive on the net";
     platforms = platforms.linux;
-    license = licenses.gpl3;
+    license = licenses.gpl3Plus;
     maintainers = with maintainers; [ abbradar ];
   };
 }
diff --git a/pkgs/os-specific/linux/apfs/default.nix b/pkgs/os-specific/linux/apfs/default.nix
new file mode 100644
index 00000000000..e27272a6147
--- /dev/null
+++ b/pkgs/os-specific/linux/apfs/default.nix
@@ -0,0 +1,35 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+}:
+
+stdenv.mkDerivation {
+  pname = "apfs";
+  version = "unstable-2021-06-25-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "linux-apfs";
+    repo = "linux-apfs-rw";
+    rev = "2ce6d06dc73036d113da5166c59393233bf54229";
+    sha256 = "sha256-18HFtPr0qcTIZ8njwEtveiPYO+HGlj90bdUoL47UUY0=";
+  };
+
+  hardeningDisable = [ "pic" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  meta = with lib; {
+    description = "APFS module for linux";
+    homepage = "https://github.com/linux-apfs/linux-apfs-rw";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.19";
+    maintainers = with maintainers; [ Luflosi ];
+  };
+}
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix
index 807ab4fa44b..1b1fb415451 100644
--- a/pkgs/os-specific/linux/apparmor/default.nix
+++ b/pkgs/os-specific/linux/apparmor/default.nix
@@ -1,45 +1,47 @@
 { stdenv, lib, fetchurl, fetchpatch, makeWrapper, autoreconfHook
-, pkgconfig, which
+, pkg-config, which
 , flex, bison
 , linuxHeaders ? stdenv.cc.libc.linuxHeaders
 , gawk
-, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) perl.meta.platforms, perl
-, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) python.meta.platforms, python
+, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform perl, perl
+, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform python, python
 , swig
 , ncurses
 , pam
 , libnotify
 , buildPackages
+, coreutils
+, gnugrep
+, gnused
+, kmod
+, writeShellScript
+, closureInfo
+, runCommand
 }:
 
 let
-  apparmor-series = "2.13";
-  apparmor-patchver = "4";
-  apparmor-version = apparmor-series + "." + apparmor-patchver;
+  apparmor-version = "3.0.1";
 
-  apparmor-meta = component: with stdenv.lib; {
+  apparmor-meta = component: with lib; {
     homepage = "https://apparmor.net/";
     description = "A mandatory access control system - ${component}";
     license = licenses.gpl2;
-    maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
+    maintainers = with maintainers; [ joachifm julm phreedom thoughtpolice ];
     platforms = platforms.linux;
   };
 
   apparmor-sources = fetchurl {
-    url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
-    sha256 = "03nislxccnbxld89giak2s8xa4mdbwscfxbdwhmw5qpvgz08dgwh";
+    url = "https://launchpad.net/apparmor/${lib.versions.majorMinor apparmor-version}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
+    sha256 = "096zbg3v7b51x7f1ly61mzd3iy9alad6sd4lam98j2d6v5ragbcg";
   };
 
-  # See <https://gitlab.com/apparmor/apparmor/-/issues/74> This and the
-  # accompanying application in prePatchCommon should be removed in 2.13.5
-  gnumake43Patch = fetchpatch {
-    url = "https://gitlab.com/apparmor/apparmor/-/merge_requests/465.patch";
-    name = "2-23-fix-build-with-make-4.3.patch";
-    sha256 = "0xw028iqp69j9mxv0kbwraplgkj5i5djdlgf0anpkc5cdbsf96r9";
-  };
+  aa-teardown = writeShellScript "aa-teardown" ''
+    PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"
+    . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
+    remove_profiles
+  '';
 
   prePatchCommon = ''
-    patch -p1 < ${gnumake43Patch}
     chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
     patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh
     substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${buildPackages.perl}/bin/pod2man"
@@ -48,18 +50,12 @@ let
     substituteInPlace ./common/Make.rules --replace "/usr/share/man" "share/man"
   '';
 
-  patches = stdenv.lib.optionals stdenv.hostPlatform.isMusl [
+  patches = lib.optionals stdenv.hostPlatform.isMusl [
     (fetchpatch {
       url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
       name = "0003-Added-missing-typedef-definitions-on-parser.patch";
       sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0";
     })
-    (fetchpatch {
-      url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0007-Do-not-build-install-vim-file-with-utils-package.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
-      name = "0007-Do-not-build-install-vim-file-with-utils-package.patch";
-      sha256 = "1m4dx901biqgnr4w4wz8a2z9r9dxyw7wv6m6mqglqwf2lxinqmp4";
-    })
-    # (alpine patches {1,4,5,6,8} are needed for apparmor 2.11, but not 2.12)
     ];
 
   # Set to `true` after the next FIXME gets fixed or this gets some
@@ -76,7 +72,7 @@ let
       autoreconfHook
       bison
       flex
-      pkgconfig
+      pkg-config
       swig
       ncurses
       which
@@ -84,8 +80,8 @@ let
     ];
 
     buildInputs = []
-      ++ stdenv.lib.optional withPerl perl
-      ++ stdenv.lib.optional withPython python;
+      ++ lib.optional withPerl perl
+      ++ lib.optional withPython python;
 
     # required to build apparmor-parser
     dontDisableStatic = true;
@@ -93,21 +89,21 @@ let
     prePatch = prePatchCommon + ''
       substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.am --replace install_vendor install_site
       substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.in --replace install_vendor install_site
-      substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${stdenv.lib.getDev stdenv.cc.libc}/include/netinet/in.h"
-      substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${stdenv.lib.getDev stdenv.cc.libc}/include/netinet/in.h"
+      substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${lib.getDev stdenv.cc.libc}/include/netinet/in.h"
+      substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${lib.getDev stdenv.cc.libc}/include/netinet/in.h"
     '';
     inherit patches;
 
     postPatch = "cd ./libraries/libapparmor";
     # https://gitlab.com/apparmor/apparmor/issues/1
     configureFlags = [
-      (stdenv.lib.withFeature withPerl "perl")
-      (stdenv.lib.withFeature withPython "python")
+      (lib.withFeature withPerl "perl")
+      (lib.withFeature withPython "python")
     ];
 
-    outputs = [ "out" ] ++ stdenv.lib.optional withPython "python";
+    outputs = [ "out" ] ++ lib.optional withPython "python";
 
-    postInstall = stdenv.lib.optionalString withPython ''
+    postInstall = lib.optionalString withPython ''
       mkdir -p $python/lib
       mv $out/lib/python* $python/lib/
     '';
@@ -130,21 +126,36 @@ let
       libapparmor.python
     ];
 
-    prePatch = prePatchCommon;
+    prePatch = prePatchCommon +
+      # Do not build vim file
+      lib.optionalString stdenv.hostPlatform.isMusl ''
+        sed -i ./utils/Makefile -e "/\<vim\>/d"
+      '' + ''
+      substituteInPlace ./utils/apparmor/easyprof.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+      substituteInPlace ./utils/apparmor/aa.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+      substituteInPlace ./utils/logprof.conf --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+    '';
     inherit patches;
     postPatch = "cd ./utils";
     makeFlags = [ "LANGS=" ];
     installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
 
     postInstall = ''
-      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do
+      sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"
+      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do
         wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH"
       done
 
-      substituteInPlace $out/bin/aa-notify --replace /usr/bin/notify-send ${libnotify}/bin/notify-send
-      # aa-notify checks its name and does not work named ".aa-notify-wrapped"
-      mv $out/bin/aa-notify $out/bin/aa-notify-wrapped
-      makeWrapper ${perl}/bin/perl $out/bin/aa-notify --set PERL5LIB ${libapparmor}/${perl.libPrefix} --add-flags $out/bin/aa-notify-wrapped
+      substituteInPlace $out/bin/aa-notify \
+        --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \
+        --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"
+
+      substituteInPlace $out/bin/aa-remove-unknown \
+       --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
+      wrapProgram $out/bin/aa-remove-unknown \
+       --prefix PATH : ${lib.makeBinPath [gawk]}
+
+      ln -s ${aa-teardown} $out/bin/aa-teardown
     '';
 
     inherit doCheck;
@@ -159,7 +170,7 @@ let
     src = apparmor-sources;
 
     nativeBuildInputs = [
-      pkgconfig
+      pkg-config
       libapparmor
       gawk
       which
@@ -172,7 +183,7 @@ let
     prePatch = prePatchCommon;
     postPatch = "cd ./binutils";
     makeFlags = [ "LANGS=" "USE_SYSTEM=1" ];
-    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" ];
+    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "SBINDIR=$(out)/bin" ];
 
     inherit doCheck;
 
@@ -193,6 +204,9 @@ let
       substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
       ## techdoc.pdf still doesn't build ...
       substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+      substituteInPlace parser/rc.apparmor.functions \
+       --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"
+      sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
     '';
     inherit patches;
     postPatch = "cd ./parser";
@@ -211,7 +225,7 @@ let
     name = "apparmor-pam-${apparmor-version}";
     src = apparmor-sources;
 
-    nativeBuildInputs = [ pkgconfig which ];
+    nativeBuildInputs = [ pkg-config which ];
 
     buildInputs = [ libapparmor pam ];
 
@@ -242,7 +256,7 @@ let
     name = "apparmor-kernel-patches-${apparmor-version}";
     src = apparmor-sources;
 
-    phases = ''unpackPhase installPhase'';
+    phases = "unpackPhase installPhase";
 
     installPhase = ''
       mkdir "$out"
@@ -254,8 +268,35 @@ let
     meta = apparmor-meta "kernel patches";
   };
 
+  # Generate generic AppArmor rules in a file,
+  # from the closure of given rootPaths.
+  # To be included in an AppArmor profile like so:
+  # include "$(apparmorRulesFromClosure {} [pkgs.hello]}"
+  apparmorRulesFromClosure =
+    { # The store path of the derivation is given in $path
+      additionalRules ? []
+      # TODO: factorize here some other common paths
+      # that may emerge from use cases.
+    , baseRules ? [
+        "r $path"
+        "r $path/etc/**"
+        "r $path/share/**"
+        # Note that not all libraries are prefixed with "lib",
+        # eg. glibc-2.30/lib/ld-2.30.so
+        "mr $path/lib/**.so*"
+        # eg. glibc-2.30/lib/gconv/gconv-modules
+        "r $path/lib/**"
+      ]
+    , name ? ""
+    }: rootPaths: runCommand
+      ( "apparmor-closure-rules"
+      + lib.optionalString (name != "") "-${name}" ) {} ''
+    touch $out
+    while read -r path
+    do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}
+    done <${closureInfo {inherit rootPaths;}}/store-paths
+  '';
 in
-
 {
   inherit
     libapparmor
@@ -264,5 +305,6 @@ in
     apparmor-parser
     apparmor-pam
     apparmor-profiles
-    apparmor-kernel-patches;
+    apparmor-kernel-patches
+    apparmorRulesFromClosure;
 }
diff --git a/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
new file mode 100644
index 00000000000..ebc1baaa92d
--- /dev/null
+++ b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
@@ -0,0 +1,32 @@
+aa_action() {
+  STRING=$1
+  shift
+  $*
+  rc=$?
+  if [ $rc -eq 0 ] ; then
+    aa_log_success_msg $"$STRING "
+  else
+    aa_log_failure_msg $"$STRING "
+  fi
+  return $rc
+}
+
+aa_log_success_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": done."
+}
+
+aa_log_warning_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Warning."
+}
+
+aa_log_failure_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Failed."
+}
+
+aa_log_skipped_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Skipped."
+}
diff --git a/pkgs/os-specific/linux/aseq2json/default.nix b/pkgs/os-specific/linux/aseq2json/default.nix
new file mode 100644
index 00000000000..646e9f7b7b9
--- /dev/null
+++ b/pkgs/os-specific/linux/aseq2json/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchFromGitHub, pkg-config, alsa-lib, glib, json-glib }:
+
+stdenv.mkDerivation {
+  pname = "aseq2json";
+  version = "unstable-2018-04-28";
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "midi-dump-tools";
+    rev = "8572e6313a0d7ec95492dcab04a46c5dd30ef33a";
+    sha256 = "LQ9LLVumi3GN6c9tuMSOd1Bs2pgrwrLLQbs5XF+NZeA=";
+  };
+  sourceRoot = "source/aseq2json";
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ alsa-lib glib json-glib ];
+
+  installPhase = ''
+    install -D --target-directory "$out/bin" aseq2json
+  '';
+
+  meta = with lib; {
+    description = "Listens for MIDI events on the Alsa sequencer and outputs as JSON to stdout";
+    homepage = "https://github.com/google/midi-dump-tools";
+    license = licenses.asl20;
+    maintainers = [ maintainers.queezle ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/asus-wmi-sensors/default.nix b/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
index 8eb8a7484e1..3098cbb7253 100644
--- a/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
+++ b/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
   name = "asus-wmi-sensors-${version}-${kernel.version}";
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
     "MODDESTDIR=${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux HWMON (lmsensors) sensors driver for various ASUS Ryzen and Threadripper motherboards";
     homepage = "https://github.com/electrified/asus-wmi-sensors";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/ati-drivers/builder.sh b/pkgs/os-specific/linux/ati-drivers/builder.sh
deleted file mode 100644
index a9e5aaef397..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/builder.sh
+++ /dev/null
@@ -1,302 +0,0 @@
-# TODO gentoo removes some tools because there are xorg sources (?)
-
-source $stdenv/setup
-set -x
-
-die(){ echo $@; exit 1; }
-
-unzip $src
-run_file=fglrx-$build/amd-driver-installer-$build-x86.x86_64.run
-sh $run_file --extract .
-
-for patch in $patches;do
-    patch -p1 < $patch
-done
-
-case "$system" in
-  x86_64-linux)
-    arch=x86_64
-    lib_arch=lib64
-    DIR_DEPENDING_ON_XORG_VERSION=xpic_64a
-  ;;
-  i686-linux)
-    arch=x86
-    lib_arch=lib
-    DIR_DEPENDING_ON_XORG_VERSION=xpic
-  ;;
-  *) exit 1;;
-esac
-
-# Handle/Build the kernel module.
-
-if test -z "$libsOnly"; then
-
-  kernelVersion=$(cd ${kernelDir}/lib/modules && ls)
-  kernelBuild=$(echo ${kernelDir}/lib/modules/$kernelVersion/build)
-  linuxsources=$(echo ${kernelDir}/lib/modules/$kernelVersion/source)
-
-  # note: maybe the .config file should be used to determine this ?
-  # current kbuild infrastructure allows using CONFIG_* defines
-  # but ati sources don't use them yet..
-  # copy paste from make.sh
-
-  setSMP(){
-
-    linuxincludes=$kernelBuild/include
-
-    # copied and stripped. source: make.sh:
-    # 3
-    # linux/autoconf.h may contain this: #define CONFIG_SMP 1
-
-    # Before 2.6.33 autoconf.h is under linux/.
-    # For 2.6.33 and later autoconf.h is under generated/.
-    if [ -f $linuxincludes/generated/autoconf.h ]; then
-        autoconf_h=$linuxincludes/generated/autoconf.h
-    else
-        autoconf_h=$linuxincludes/linux/autoconf.h
-    fi
-    src_file=$autoconf_h
-
-    [ -e $src_file ] || die "$src_file not found"
-
-    if [ `cat $src_file | grep "#undef" | grep "CONFIG_SMP" -c` = 0 ]; then
-      SMP=`cat $src_file | grep CONFIG_SMP | cut -d' ' -f3`
-      echo "file $src_file says: SMP=$SMP"
-    fi
-
-    if [ "$SMP" = 0 ]; then
-      echo "assuming default: SMP=$SMP"
-    fi
-    # act on final result
-    if [ ! "$SMP" = 0 ]; then
-      smp="-SMP"
-      def_smp=-D__SMP__
-    fi
-
-  }
-
-  setModVersions(){
-    ! grep CONFIG_MODVERSIONS=y $kernelBuild/.config ||
-    def_modversions="-DMODVERSIONS"
-    # make.sh contains much more code to determine this whether its enabled
-  }
-
-  # ==============================================================
-  # resolve if we are building for a kernel with a fix for CVE-2010-3081
-  # On kernels with the fix, use arch_compat_alloc_user_space instead
-  # of compat_alloc_user_space since the latter is GPL-only
-
-  COMPAT_ALLOC_USER_SPACE=arch_compat_alloc_user_space
-
-  for src_file in \
-    $kernelBuild/arch/x86/include/asm/compat.h \
-    $linuxsources/arch/x86/include/asm/compat.h \
-    $kernelBuild/include/asm-x86_64/compat.h \
-    $linuxsources/include/asm-x86_64/compat.h \
-    $kernelBuild/include/asm/compat.h;
-  do
-    if [ -e $src_file ];
-    then
-      break
-    fi
-  done
-  if [ ! -e $src_file ];
-    then
-    echo "Warning: x86 compat.h not found in kernel headers"
-    echo "neither arch/x86/include/asm/compat.h nor include/asm-x86_64/compat.h"
-    echo "could be found in $kernelBuild or $linuxsources"
-    echo ""
-  else
-    if [ `cat $src_file | grep -c arch_compat_alloc_user_space` -gt 0 ]
-    then
-      COMPAT_ALLOC_USER_SPACE=arch_compat_alloc_user_space
-    fi
-    echo "file $src_file says: COMPAT_ALLOC_USER_SPACE=$COMPAT_ALLOC_USER_SPACE"
-  fi
-
-  # make.sh contains some code figuring out whether to use these or not..
-  PAGE_ATTR_FIX=0
-  setSMP
-  setModVersions
-  CC=gcc
-  MODULE=fglrx
-  LIBIP_PREFIX=$TMP/arch/$arch/lib/modules/fglrx/build_mod
-  [ -d $LIBIP_PREFIX ]
-  GCC_MAJOR="`gcc --version | grep -o -e ") ." | head -1 | cut -d " " -f 2`"
-
-  { # build .ko module
-    cd ./common/lib/modules/fglrx/build_mod/2.6.x
-    echo .lib${MODULE}_ip.a.GCC${GCC_MAJOR}.cmd
-    echo 'This is a dummy file created to suppress this warning: could not find /lib/modules/fglrx/build_mod/2.6.x/.libfglrx_ip.a.GCC4.cmd for /lib/modules/fglrx/build_mod/2.6.x/libfglrx_ip.a.GCC4' > lib${MODULE}_ip.a.GCC${GCC_MAJOR}.cmd
-
-    sed -i -e "s@COMPAT_ALLOC_USER_SPACE@$COMPAT_ALLOC_USER_SPACE@" ../kcl_ioctl.c
-
-    make CC=${CC} \
-      LIBIP_PREFIX=$(echo "$LIBIP_PREFIX" | sed -e 's|^\([^/]\)|../\1|') \
-      MODFLAGS="-DMODULE -DATI -DFGL -DPAGE_ATTR_FIX=$PAGE_ATTR_FIX -DCOMPAT_ALLOC_USER_SPACE=$COMPAT_ALLOC_USER_SPACE $def_smp $def_modversions" \
-      KVER=$kernelVersion \
-      KDIR=$kernelBuild \
-      PAGE_ATTR_FIX=$PAGE_ATTR_FIX \
-      -j4
-
-    cd $TMP
-  }
-
-fi
-
-{ # install
-  mkdir -p $out/lib/xorg
-  cp -r common/usr/include $out
-  cp -r common/usr/sbin $out
-  cp -r common/usr/share $out
-  mkdir $out/bin/
-  cp -f common/usr/X11R6/bin/* $out/bin/
-  # cp -r arch/$arch/lib $out/lib
-  # what are those files used for?
-  cp -r common/etc $out
-  cp -r $DIR_DEPENDING_ON_XORG_VERSION/usr/X11R6/$lib_arch/* $out/lib/xorg
-
-  # install kernel module
-  if test -z "$libsOnly"; then
-    t=$out/lib/modules/${kernelVersion}/kernel/drivers/misc
-    mkdir -p $t
-
-    cp ./common/lib/modules/fglrx/build_mod/2.6.x/fglrx.ko $t
-  fi
-
-  # should this be installed at all?
-  # its used by the example fglrx_gamma only
-  # don't use $out/lib/modules/dri because this will cause the kernel module
-  # aggregator code to see both: kernel version and the dri direcotry. It'll
-  # fail saying different kernel versions
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/modules/dri $out/lib
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/modules/dri/* $out/lib
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/*.so* $out/lib
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/fglrx/fglrx-libGL.so.1.2 $out/lib/fglrx-libGL.so.1.2
-  cp -r $TMP/arch/$arch/usr/$lib_arch/* $out/lib
-  ln -s libatiuki.so.1.0 $out/lib/libatiuki.so.1
-  ln -s fglrx-libGL.so.1.2 $out/lib/libGL.so.1
-  ln -s fglrx-libGL.so.1.2 $out/lib/libGL.so
-  # FIXME : This file is missing or has changed versions
-  #ln -s libfglrx_gamma.so.1.0 $out/lib/libfglrx_gamma.so.1
-  # make xorg use the ati version
-  ln -s $out/lib/xorg/modules/extensions/{fglrx/fglrx-libglx.so,libglx.so}
-  # Correct some paths that are hardcoded into binary libs.
-  if [ "$arch" ==  "x86_64" ]; then
-    for lib in \
-      xorg/modules/extensions/fglrx/fglrx-libglx.so \
-      xorg/modules/glesx.so \
-      dri/fglrx_dri.so \
-      fglrx_dri.so \
-      fglrx-libGL.so.1.2
-    do
-      oldPaths="/usr/X11R6/lib/modules/dri"
-      newPaths="/run/opengl-driver/lib/dri"
-      sed -i -e "s|$oldPaths|$newPaths|" $out/lib/$lib
-    done
-  else
-    oldPaths="/usr/X11R6/lib32/modules/dri\x00/usr/lib32/dri"
-    newPaths="/run/opengl-driver-32/lib/dri\x00/dev/null/dri"
-    sed -i -e "s|$oldPaths|$newPaths|" \
-      $out/lib/xorg/modules/extensions/fglrx/fglrx-libglx.so
-
-    for lib in \
-      dri/fglrx_dri.so \
-      fglrx_dri.so \
-      xorg/modules/glesx.so
-    do
-      oldPaths="/usr/X11R6/lib32/modules/dri/"
-      newPaths="/run/opengl-driver-32/lib/dri"
-      sed -i -e "s|$oldPaths|$newPaths|" $out/lib/$lib
-    done
-
-    oldPaths="/usr/X11R6/lib32/modules/dri\x00"
-    newPaths="/run/opengl-driver-32/lib/dri"
-    sed -i -e "s|$oldPaths|$newPaths|" $out/lib/fglrx-libGL.so.1.2
-  fi
-  # libstdc++ and gcc are needed by some libs
-  for pelib1 in \
-    fglrx_dri.so \
-    dri/fglrx_dri.so
-  do
-    patchelf --remove-needed libX11.so.6 $out/lib/$pelib1
-  done
-
-  for pelib2 in \
-    libatiadlxx.so \
-    xorg/modules/glesx.so \
-    dri/fglrx_dri.so \
-    fglrx_dri.so \
-    libaticaldd.so
-  do
-    patchelf --set-rpath $glibcDir/lib/:$libStdCxx/lib/ $out/lib/$pelib2
-  done
-}
-
-if test -z "$libsOnly"; then
-
-{ # build samples
-  mkdir -p $out/bin
-  mkdir -p samples
-  cd samples
-  tar xfz ../common/usr/src/ati/fglrx_sample_source.tgz
-  eval "$patchPhaseSamples"
-
-
-  ( # build and install fgl_glxgears
-    cd fgl_glxgears;
-    gcc -DGL_ARB_texture_multisample=1 -g \
-    -I$libGL/include -I$libGLU/include \
-    -I$out/include \
-    -L$libGL/lib -L$libGLU/lib -lGL -lGLU -lX11 -lm \
-    -o $out/bin/fgl_glxgears -Wall fgl_glxgears.c
-  )
-
-  true || ( # build and install
-
-    ###
-    ## FIXME ?
-    # doesn't build  undefined reference to `FGLRX_X11SetGamma'
-    # which should be contained in -lfglrx_gamma
-    # This should create $out/lib/libfglrx_gamma.so.1.0 ? because there is
-    # a symlink named libfglrx_gamma.so.1 linking to libfglrx_gamma.so.1.0 in $out/lib/
-
-    cd programs/fglrx_gamma
-    gcc -fPIC -I${libXxf86vm.dev}/include \
-      -I${xorgproto}/include \
-      -I$out/X11R6/include \
-      -L$out/lib \
-      -Wall -lm -lfglrx_gamma -lX11 -lXext -o $out/bin/fglrx_xgamma fglrx_xgamma.c
-  )
-
-  {
-    # patch and copy statically linked qt libs used by amdcccle
-    patchelf --set-interpreter $(echo $glibcDir/lib/ld-linux*.so.2) $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 &&
-    patchelf  --set-rpath $gcc/$lib_arch/ $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 &&
-    patchelf --set-rpath $gcc/$lib_arch/:$out/share/ati/:$libXrender/lib/:$libSM/lib/:$libICE/lib/:$libfontconfig/lib/:$libfreetype/lib/ $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtGui.so.4 &&
-    mkdir -p $out/share/ati
-    cp -r $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 $out/share/ati/
-    cp -r $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtGui.so.4 $out/share/ati/
-    # copy binaries and wrap them:
-    BIN=$TMP/arch/$arch/usr/X11R6/bin
-    patchelf --set-rpath $gcc/$lib_arch/:$out/share/ati/:$libXinerama/lib/:$libXrandr/lib/ $TMP/arch/$arch/usr/X11R6/bin/amdcccle
-    patchelf --set-rpath $libXrender/lib/:$libXrandr/lib/ $TMP/arch/$arch/usr/X11R6/bin/aticonfig
-    patchelf --shrink-rpath $BIN/amdcccle
-    for prog in $BIN/*; do
-      cp -f $prog $out/bin &&
-      patchelf --set-interpreter $(echo $glibcDir/lib/ld-linux*.so.2) $out/bin/$(basename $prog) &&
-      wrapProgram $out/bin/$(basename $prog) --prefix LD_LIBRARY_PATH : $out/lib/:$gcc/lib/:$out/share/ati/:$libXinerama/lib/:$libXrandr/lib/:$libfontconfig/lib/:$libfreetype/lib/${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
-    done
-  }
-
-  rm -f $out/lib/fglrx/switchlibglx && rm -f $out/lib/fglrx/switchlibGL
-
-}
-
-fi
-
-for p in $extraDRIlibs; do
-  for lib in $p/lib/*.so*; do
-    ln -s $lib $out/lib/
-  done
-done
diff --git a/pkgs/os-specific/linux/ati-drivers/default.nix b/pkgs/os-specific/linux/ati-drivers/default.nix
deleted file mode 100644
index 63f9b5399da..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/default.nix
+++ /dev/null
@@ -1,140 +0,0 @@
-{ stdenv, lib, fetchurl, kernel ? null, which
-, xorg, makeWrapper, glibc, patchelf, unzip
-, fontconfig, freetype, libGLU, libGL # for fgl_glxgears
-, # Whether to build the libraries only (i.e. not the kernel module or
-  # driver utils). Used to support 32-bit binaries on 64-bit
-  # Linux.
-  libsOnly ? false
-}:
-
-assert (!libsOnly) -> kernel != null;
-
-with stdenv.lib;
-
-# This derivation requires a maximum of gcc49, Linux kernel 4.1 and xorg.xserver 1.17
-# and will not build or run using versions newer
-
-# If you want to use a different Xorg version probably
-# DIR_DEPENDING_ON_XORG_VERSION in builder.sh has to be adopted (?)
-# make sure libglx.so of ati is used. xorg.xorgserver does provide it as well
-# which is a problem because it doesn't contain the xorgserver patch supporting
-# the XORG_DRI_DRIVER_PATH env var.
-# See https://marc.info/?l=nix-dev&m=139641585515351 for a
-# workaround (TODO)
-
-# The gentoo ebuild contains much more "magic" and is usually a great resource to
-# find patches XD
-
-# http://wiki.cchtml.com/index.php/Main_Page
-
-# /usr/lib/dri/fglrx_dri.so must point to /run/opengl-driver/lib/fglrx_dri.so
-# This is done in the builder script.
-
-stdenv.mkDerivation rec {
-
-  version = "15.12";
-  pname = "ati-drivers";
-  build = "15.302";
-
-  linuxonly =
-    if stdenv.hostPlatform.system == "i686-linux" then
-      true
-    else if stdenv.hostPlatform.system == "x86_64-linux" then
-      true
-    else throw "ati-drivers are Linux only. Sorry. The build was stopped.";
-
-  name = pname + "-" + version + (optionalString (!libsOnly) "-${kernelDir.version}");
-
-  builder = ./builder.sh;
-  gcc = stdenv.cc.cc;
-  libXinerama = xorg.libXinerama;
-  libXrandr = xorg.libXrandr;
-  libXrender = xorg.libXrender;
-  libXxf86vm = xorg.libXxf86vm;
-  xorgproto = xorg.xorgproto;
-  libSM = xorg.libSM;
-  libICE = xorg.libICE;
-  libfreetype = freetype;
-  libfontconfig = fontconfig;
-  libStdCxx = stdenv.cc.cc.lib;
-
-  src = fetchurl {
-    url =
-    "https://www2.ati.com/drivers/linux/radeon-crimson-15.12-15.302-151217a-297685e.zip";
-    sha256 = "704f2dfc14681f76dae3b4120c87b1ded33cf43d5a1d800b6de5ca292bb61e58";
-    curlOpts = "--referer https://www.amd.com/en/support";
-  };
-
-  hardeningDisable = [ "pic" "format" ];
-
-  patchPhaseSamples = "patch -p2 < ${./patches/patch-samples.patch}";
-  patches = [
-    ./patches/15.12-xstate-fp.patch
-    ./patches/15.9-kcl_str.patch
-    ./patches/15.9-mtrr.patch
-    ./patches/15.9-preempt.patch
-    ./patches/15.9-sep_printf.patch ]
-  ++ optionals ( kernel != null &&
-                 (lib.versionAtLeast kernel.version "4.6") )
-               [ ./patches/kernel-4.6-get_user_pages.patch
-                 ./patches/kernel-4.6-page_cache_release-put_page.patch ]
-  ++ optionals ( kernel != null &&
-                 (lib.versionAtLeast kernel.version "4.7") )
-               [ ./patches/4.7-arch-cpu_has_pge-v2.patch ]
-  ++ optionals ( kernel != null &&
-                 (lib.versionAtLeast kernel.version "4.9") )
-               [ ./patches/4.9-get_user_pages.patch ];
-
-  buildInputs =
-    [ xorg.libXrender xorg.libXext xorg.libX11 xorg.libXinerama xorg.libSM
-      xorg.libXrandr xorg.libXxf86vm xorg.xorgproto xorg.imake xorg.libICE
-      patchelf
-      unzip
-      libGLU libGL
-      fontconfig
-      freetype
-      makeWrapper
-      which
-    ];
-
-  inherit libsOnly;
-
-  kernelDir = if libsOnly then null else kernel.dev;
-
-  # glibc only used for setting the binaries interpreter
-  glibcDir = glibc.out;
-
-  # outputs TODO: probably many fixes are needed;
-  LD_LIBRARY_PATH = makeLibraryPath
-    [ xorg.libXrender xorg.libXext xorg.libX11 xorg.libXinerama xorg.libSM
-      xorg.libXrandr xorg.libXxf86vm xorg.xorgproto xorg.imake xorg.libICE
-      libGLU libGL
-      fontconfig
-      freetype
-      stdenv.cc.cc
-    ];
-
-  # without this some applications like blender don't start, but they start
-  # with nvidia. This causes them to be symlinked to $out/lib so that they
-  # appear in /run/opengl-driver/lib which get's added to LD_LIBRARY_PATH
-
-  extraDRIlibs = [ xorg.libXrandr.out xorg.libXrender.out xorg.libXext.out
-                   xorg.libX11.out xorg.libXinerama.out xorg.libSM.out
-                   xorg.libICE.out ];
-
-  inherit libGLU libGL; # only required to build the examples
-
-  enableParallelBuilding = true;
-
-  meta = with stdenv.lib; {
-    description = "ATI Catalyst display drivers";
-    homepage = "http://support.amd.com/us/gpudownload/Pages/index.aspx";
-    license = licenses.unfree;
-    maintainers = with maintainers; [ marcweber offline jerith666 ];
-    platforms = platforms.linux;
-    hydraPlatforms = [];
-    # Copied from the nvidia default.nix to prevent a store collision.
-    priority = 4;
-  };
-
-}
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch
deleted file mode 100644
index 22e43fc0c7b..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Krzysztof Kolasa <kkolasa@winsoft.pl>
-Date: Thu, 26 Nov 2015 14:28:46 +0100
-Subject: [PATCH] Patch for kernel 4.4.0-rc2
-
-constant change of name XSTATE_XP to name XFEATURE_MASK_FP
----
- firegl_public.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index 3626c7b..f071d42 100644
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod//firegl_public.c
-@@ -6463,7 +6463,11 @@ static int KCL_fpu_save_init(struct task_struct *tsk)
-       if (!(fpu->state->xsave.xsave_hdr.xstate_bv & XSTATE_FP))
- #else
- 	  copy_xregs_to_kernel(&fpu->state.xsave);
--      if (!(fpu->state.xsave.header.xfeatures & XSTATE_FP))
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
-+      if (!(fpu->state.xsave.header.xfeatures & XFEATURE_MASK_FP))
-+#else
-+      if (!(fpu->state.xsave.header.xfeatures & XSTATE_FP))
-+#endif
- #endif
-          return 1;
-    } else if (static_cpu_has(X86_FEATURE_FXSR)) {
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch
deleted file mode 100644
index 20c3bc8a169..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/kcl_str.c	2015-09-13 13:47:30.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/kcl_str.c	2015-09-13 13:49:42.000000000 -0400
-@@ -169,7 +169,11 @@ int ATI_API_CALL KCL_STR_Strnicmp(const
-                                   const char* s2,
-                                   KCL_TYPE_SizeSigned count)
- {
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,0,0)
-     return strnicmp(s1, s2, count);
-+#else
-+    return strncasecmp(s1, s2, count);
-+#endif
- }
- 
- /** \brief Locate character in string
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch
deleted file mode 100644
index bdf70b4ccdc..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-19 23:43:22.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-19 23:52:07.000000000 -0400
-@@ -3442,7 +3442,11 @@ int ATI_API_CALL KCL_MEM_MTRR_Support(vo
- int ATI_API_CALL KCL_MEM_MTRR_AddRegionWc(unsigned long base, unsigned long size)
- {
- #ifdef CONFIG_MTRR
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,3,0)
-+    return arch_phys_wc_add(base, size);
-+#else
-     return mtrr_add(base, size, MTRR_TYPE_WRCOMB, 1);
-+#endif
- #else /* !CONFIG_MTRR */
-     return -EPERM;
- #endif /* !CONFIG_MTRR */
-@@ -3451,7 +3455,12 @@ int ATI_API_CALL KCL_MEM_MTRR_AddRegionW
- int ATI_API_CALL KCL_MEM_MTRR_DeleteRegion(int reg, unsigned long base, unsigned long size)
- {
- #ifdef CONFIG_MTRR
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,3,0)
-+    arch_phys_wc_del(reg);
-+    return reg;
-+#else
-     return mtrr_del(reg, base, size);
-+#endif
- #else /* !CONFIG_MTRR */
-     return -EPERM;
- #endif /* !CONFIG_MTRR */
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch
deleted file mode 100644
index c6598835133..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch
+++ /dev/null
@@ -1,103 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-08-30 17:36:02.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-08-30 17:39:36.000000000 -0400
-@@ -21,6 +21,8 @@
- !!! since it requires changes to linux/init/main.c.
- #endif /* !MODULE */
- 
-+#include <linux/preempt.h>
-+
- // ============================================================
- #include <linux/version.h>
- 
-@@ -4997,7 +4999,9 @@ static unsigned int kas_spin_unlock(kas_
- unsigned long ATI_API_CALL KAS_GetExecutionLevel(void)
- {
-     unsigned long ret;
-+    preempt_disable();
-     ret = kas_GetExecutionLevel();
-+    preempt_enable();
-     return ret;
- }
- 
-@@ -5022,8 +5026,10 @@ unsigned int ATI_API_CALL KAS_Ih_Execute
-     KCL_DEBUG5(FN_FIREGL_KAS,"0x%08X, 0x%08X\n", ih_routine, ih_context);
- 
-     //Prevent simultaneous entry on some SMP systems.
-+    preempt_disable();
-     if (test_and_set_bit(0, (void *)&(kasContext.in_interrupts[smp_processor_id()])))
-     {
-+    	preempt_enable();
-         KCL_DEBUG1(FN_FIREGL_KAS, "The processor is handling the interrupt\n");
-         return IRQ_NONE;
-     }
-@@ -5036,9 +5042,9 @@ unsigned int ATI_API_CALL KAS_Ih_Execute
- 
-     kasSetExecutionLevel(orig_level);
-     spin_unlock(&kasContext.lock_ih); 
--
-     clear_bit(0, (void *)&(kasContext.in_interrupts[smp_processor_id()]));
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d\n", ret);
-+    preempt_enable();
- 
-     return ret;
- }
-@@ -5256,6 +5262,7 @@ unsigned int ATI_API_CALL KAS_Spinlock_A
- 
-     KCL_DEBUG5(FN_FIREGL_KAS,"0x%08X\n", hSpinLock);
- 
-+    preempt_disable();
-     spin_lock_info.routine_type = spinlock_obj->routine_type;
-     spin_lock_info.plock = &(spinlock_obj->lock);
- 
-@@ -5263,6 +5270,7 @@ unsigned int ATI_API_CALL KAS_Spinlock_A
- 
-     spinlock_obj->acquire_type = spin_lock_info.acquire_type;
-     spinlock_obj->flags = spin_lock_info.flags;
-+    preempt_enable();
- 
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d\n", ret);
-     return ret;
-@@ -6034,6 +6042,8 @@ unsigned int ATI_API_CALL KAS_Interlocke
- 
-     KCL_DEBUG5(FN_FIREGL_KAS,"0x%08X, 0x%08X, 0x%08X\n", hListHead, hListEntry, phPrevEntry);
- 
-+    preempt_disable();
-+
-     /* Protect the operation with spinlock */
-     spin_lock_info.routine_type = listhead_obj->routine_type;
-     spin_lock_info.plock = &(listhead_obj->lock);
-@@ -6041,6 +6051,7 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     if (!kas_spin_lock(&spin_lock_info))
-     {
-         KCL_DEBUG_ERROR("Unable to grab list spinlock\n");
-+	preempt_enable();
-         return 0; /* No spinlock - no operation */
-     }
- 
-@@ -6065,6 +6076,7 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     spin_unlock_info.flags = spin_lock_info.flags;
- 
-     ret = kas_spin_unlock(&spin_unlock_info);
-+    preempt_enable();
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d", ret);
-     return ret;
- }
-@@ -6153,8 +6165,10 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     spin_lock_info.routine_type = listhead_obj->routine_type;
-     spin_lock_info.plock = &(listhead_obj->lock);
- 
-+    preempt_disable();
-     if (!kas_spin_lock(&spin_lock_info))
-     {
-+        preempt_enable();
-         KCL_DEBUG_ERROR("Unable to grab list spinlock");
-         return 0; /* No spinlock - no operation */
-     }
-@@ -6178,6 +6192,7 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     spin_unlock_info.flags = spin_lock_info.flags;
- 
-     ret = kas_spin_unlock(&spin_unlock_info);
-+    preempt_enable();
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d", ret);
-     return ret;
- }
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch
deleted file mode 100644
index 3e4e8d6499a..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-14 15:14:36.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-14 16:18:58.000000000 -0400
-@@ -649,6 +649,8 @@ static int firegl_major_proc_read(struct
-     *eof = 1;
- 
-     len = snprintf(buf, request, "%d\n", major);
-+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,3,0)
-+    seq_printf(m, "%d\n", major);
- #else
-     len = seq_printf(m, "%d\n", major);
- #endif
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch b/pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch
deleted file mode 100644
index cb86f5aff27..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-diff -uNr 16.8/common/lib/modules/fglrx/build_mod/firegl_public.c 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.c
---- 16.8/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-12-18 19:47:41.000000000 +0100
-+++ 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.c	2016-08-15 15:09:37.228538907 +0200
-@@ -4518,7 +4518,11 @@
-     write_cr0(cr0);
-     wbinvd();
- 
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         cr4 = READ_CR4();
-         WRITE_CR4(cr4 & ~X86_CR4_PGE);
-@@ -4532,7 +4536,11 @@
-     wbinvd();
-     __flush_tlb();
-     write_cr0(cr0 & 0xbfffffff);
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         WRITE_CR4(cr4);
-     }
-@@ -4559,7 +4567,11 @@
-     write_cr0(cr0);
-     wbinvd();
- 
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         cr4 = READ_CR4();
-         WRITE_CR4(cr4 & ~X86_CR4_PGE);
-@@ -4572,7 +4584,11 @@
-     wbinvd();
-     __flush_tlb();
-     write_cr0(cr0 & 0xbfffffff);
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         WRITE_CR4(cr4);
-     }
-diff -uNr 16.8/common/lib/modules/fglrx/build_mod/firegl_public.h 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.h
---- 16.8/common/lib/modules/fglrx/build_mod/firegl_public.h	2015-12-18 19:47:41.000000000 +0100
-+++ 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.h	2016-08-15 15:09:05.815141238 +0200
-@@ -650,9 +650,15 @@
- #define cpu_has_pat  test_bit(X86_FEATURE_PAT, (void *) &boot_cpu_data.x86_capability)
- #endif
- 
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+#ifndef boot_cpu_has(X86_FEATURE_PGE)
-+#define boot_cpu_has(X86_FEATURE_PGE) test_bit(X86_FEATURE_PGE, &boot_cpu_data.x86_capability)
-+#endif
-+#else
- #ifndef cpu_has_pge
- #define cpu_has_pge test_bit(X86_FEATURE_PGE, &boot_cpu_data.x86_capability)
- #endif
-+#endif
- 
- /* 2.6.29 defines pgprot_writecombine as a macro which resolves to a
-  * GPL-only function with the same name. So we always use our own
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch b/pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch
deleted file mode 100644
index 8a6c42cdb1f..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit b3e4353fc68a6a024dcb95e2d61aa0afd7370233
-Author: Matt McHenry <matt@mchenryfamily.org>
-Date:   Fri Feb 3 20:19:41 2017
-
-    patch for 4.9 only
-
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index 4ce095f..3b591e1 100755
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c
-@@ -3224,7 +3224,7 @@ int ATI_API_CALL KCL_LockUserPages(unsigned long vaddr, unsigned long* page_list
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(vaddr, page_cnt, 1, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 1, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
-@@ -3242,7 +3242,7 @@ int ATI_API_CALL KCL_LockReadOnlyUserPages(unsigned long vaddr, unsigned long* p
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(vaddr, page_cnt, 0, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 0, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch b/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch
deleted file mode 100644
index 1e7209ed5ed..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index 9c70211..b2242af 100755
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c
-@@ -3220,7 +3220,7 @@ int ATI_API_CALL KCL_LockUserPages(unsigned long vaddr, unsigned long* page_list
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(current, current->mm, vaddr, page_cnt, 1, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 1, 0, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
-@@ -3238,7 +3238,7 @@ int ATI_API_CALL KCL_LockReadOnlyUserPages(unsigned long vaddr, unsigned long* p
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(current, current->mm, vaddr, page_cnt, 0, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 0, 0, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
--- 
-2.9.2
-
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch b/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch
deleted file mode 100644
index 28820790e49..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index b2242af..586129c 100755
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c
-@@ -3249,7 +3249,7 @@ void ATI_API_CALL KCL_UnlockUserPages(unsigned long* page_list, unsigned int pag
-     unsigned int i;
-     for (i=0; i<page_cnt; i++)
-     {
--        page_cache_release((struct page*)page_list[i]);
-+        put_page((struct page*)page_list[i]);
-     }
- }
- 
--- 
-2.9.2
-
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch b/pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch
deleted file mode 100644
index 8bd24b1d022..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/samples/fgl_glxgears/fgl_glxgears.c b/samples/fgl_glxgears/fgl_glxgears.c
-index 6c8e313..2b8d035 100644
---- a/samples/fgl_glxgears/fgl_glxgears.c
-+++ b/samples/fgl_glxgears/fgl_glxgears.c
-@@ -1096,8 +1096,6 @@ static void event_loop(void)
-                   view_rotx -= 5.0;
-                }
-                else {
--                  r = XLookupString(&event.xkey, buffer, sizeof(buffer),
--                                    NULL, NULL);
-                   if (buffer[0] == 27) {
-                      /* escape */
-                      return;
-
-
-diff -Nur a/samples/fgl_glxgears/fgl_glxgears.c b/samples/fgl_glxgears/fgl_glxgears.c
---- a/samples/fgl_glxgears/fgl_glxgears.c	2012-08-29 09:59:03.000000000 +0300
-+++ b/samples/fgl_glxgears/fgl_glxgears.c	2013-09-07 09:26:11.034723135 +0300
-@@ -78,7 +78,6 @@
- #endif // _WIN32
- 
- #define INT_PTR ptrdiff_t
--#include <GL/glATI.h>
- 
- #ifdef _WIN32
- #include <GL/wglATI.h>
diff --git a/pkgs/os-specific/linux/atop/atop.service.patch b/pkgs/os-specific/linux/atop/atop.service.patch
new file mode 100644
index 00000000000..3ef59e60cbc
--- /dev/null
+++ b/pkgs/os-specific/linux/atop/atop.service.patch
@@ -0,0 +1,10 @@
+--- a/atop.service
++++ b/atop.service
+@@ -9,5 +9,6 @@
+ Environment=LOGPATH=/var/log/atop
+-EnvironmentFile=/etc/default/atop
++EnvironmentFile=-/etc/default/atop
+ ExecStartPre=/bin/sh -c 'test -n "$LOGINTERVAL" -a "$LOGINTERVAL" -eq "$LOGINTERVAL"'
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
++ExecStartPre=/bin/sh -c 'mkdir -p "${LOGPATH}"'
+ ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
diff --git a/pkgs/os-specific/linux/atop/atopacct.service.patch b/pkgs/os-specific/linux/atop/atopacct.service.patch
new file mode 100644
index 00000000000..9f2cd8f2e9c
--- /dev/null
+++ b/pkgs/os-specific/linux/atop/atopacct.service.patch
@@ -0,0 +1,7 @@
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -9,3 +9,3 @@
+ Type=forking
+-PIDFile=/var/run/atopacctd.pid
++PIDFile=/run/atopacctd.pid
+ ExecStart=@out@/bin/atopacctd
diff --git a/pkgs/os-specific/linux/atop/default.nix b/pkgs/os-specific/linux/atop/default.nix
index 0d8392cbcd8..b082c594acb 100644
--- a/pkgs/os-specific/linux/atop/default.nix
+++ b/pkgs/os-specific/linux/atop/default.nix
@@ -1,48 +1,80 @@
-{stdenv, fetchurl, zlib, ncurses}:
+{ lib
+, stdenv
+, fetchurl
+, zlib
+, ncurses
+, findutils
+, systemd
+, python3
+# makes the package unfree via pynvml
+, withAtopgpu ? false
+}:
 
 stdenv.mkDerivation rec {
-  version = "2.4.0";
   pname = "atop";
+  version = "2.6.0";
 
   src = fetchurl {
     url = "https://www.atoptool.nl/download/atop-${version}.tar.gz";
-    sha256 = "0s9xlxlzz688a80zxld840zkrmzw998rdkkg6yc7ssq8fw50275y";
+    sha256 = "nsLKOlcWkvfvqglfmaUQZDK8txzCLNbElZfvBIEFj3I=";
   };
 
-  buildInputs = [zlib ncurses];
+  nativeBuildInputs = lib.optionals withAtopgpu [ python3.pkgs.wrapPython ];
+  buildInputs = [ zlib ncurses ] ++ lib.optionals withAtopgpu [ python3 ];
+  pythonPath = lib.optionals withAtopgpu [ python3.pkgs.pynvml ];
 
   makeFlags = [
-    ''SCRPATH=$out/etc/atop''
-    ''LOGPATH=/var/log/atop''
-    ''INIPATH=$out/etc/rc.d/init.d''
-    ''CRNPATH=$out/etc/cron.d''
-    ''ROTPATH=$out/etc/logrotate.d''
+    "DESTDIR=$(out)"
+    "BINPATH=/bin"
+    "SBINPATH=/bin"
+    "MAN1PATH=/share/man/man1"
+    "MAN5PATH=/share/man/man5"
+    "MAN8PATH=/share/man/man8"
+    "SYSDPATH=/lib/systemd/system"
+    "PMPATHD=/lib/systemd/system-sleep"
+  ];
+
+  patches = [
+    # Fix paths in atop.service, atop-rotate.service, atopgpu.service, atopacct.service,
+    # and atop-pm.sh
+    ./fix-paths.patch
+    # Don't fail on missing /etc/default/atop, make sure /var/log/atop exists pre-start
+    ./atop.service.patch
+    # Specify PIDFile in /run, not /var/run to silence systemd warning
+    ./atopacct.service.patch
   ];
 
   preConfigure = ''
-    sed -e "s@/usr/@$out/@g" -i $(find . -type f )
-    sed -e "/mkdir.*LOGPATH/s@mkdir@echo missing dir @" -i Makefile
-    sed -e "/touch.*LOGPATH/s@touch@echo should have created @" -i Makefile
-    sed -e 's/chown/true/g' -i Makefile
-    sed -e '/chkconfig/d' -i Makefile
-    sed -e 's/chmod 04711/chmod 0711/g' -i Makefile
+    for f in *.{sh,service}; do
+      findutils=${findutils} systemd=${systemd} substituteAllInPlace "$f"
+    done
+
+    substituteInPlace Makefile --replace 'chown' 'true'
+    substituteInPlace Makefile --replace 'chmod 04711' 'chmod 0711'
   '';
 
+  installTargets = [ "systemdinstall" ];
   preInstall = ''
-    mkdir -p "$out"/{bin,sbin}
-    make systemdinstall $makeFlags
+    mkdir -p $out/bin
   '';
+  postInstall = ''
+    # remove extra files we don't need
+    rm -r $out/{var,etc} $out/bin/atop{sar,}-${version}
+  '' + (if withAtopgpu then ''
+    wrapPythonPrograms
+  '' else ''
+    rm $out/lib/systemd/system/atopgpu.service $out/bin/atopgpud $out/share/man/man8/atopgpud.8
+  '');
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     platforms = platforms.linux;
     maintainers = with maintainers; [ raskin ];
-    description = ''Console system performance monitor'';
+    description = "Console system performance monitor";
 
     longDescription = ''
       Atop is an ASCII full-screen performance monitor that is capable of reporting the activity of all processes (even if processes have finished during the interval), daily logging of system and process activity for long-term analysis, highlighting overloaded system resources by using colors, etc. At regular intervals, it shows system-level activity related to the CPU, memory, swap, disks and network layers, and for every active process it shows the CPU utilization, memory growth, disk utilization, priority, username, state, and exit code.
     '';
-    inherit version;
-    license = licenses.gpl2;
+    license = licenses.gpl2Plus;
     downloadPage = "http://atoptool.nl/downloadatop.php";
   };
 }
diff --git a/pkgs/os-specific/linux/atop/fix-paths.patch b/pkgs/os-specific/linux/atop/fix-paths.patch
new file mode 100644
index 00000000000..e6cd631d3c1
--- /dev/null
+++ b/pkgs/os-specific/linux/atop/fix-paths.patch
@@ -0,0 +1,48 @@
+--- a/atop.service
++++ b/atop.service
+@@ -12,4 +12,4 @@
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
+-ExecStart=/bin/sh -c 'exec /usr/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
+-ExecStartPost=/usr/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
++ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
++ExecStartPost=@findutils@/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
+ KillSignal=SIGUSR2
+
+--- a/atop-rotate.service
++++ b/atop-rotate.service
+@@ -4,3 +4,3 @@
+ [Service]
+ Type=oneshot
+-ExecStart=/usr/bin/systemctl try-restart atop.service
++ExecStart=@systemd@/bin/systemctl try-restart atop.service
+
+--- a/atopgpu.service
++++ b/atopgpu.service
+@@ -6,5 +6,5 @@
+
+ [Service]
+-ExecStart=/usr/sbin/atopgpud
++ExecStart=@out@/bin/atopgpud
+ Type=oneshot
+ RemainAfterExit=yes
+
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -10,3 +10,3 @@
+ PIDFile=/var/run/atopacctd.pid
+-ExecStart=/usr/sbin/atopacctd
++ExecStart=@out@/bin/atopacctd
+
+--- a/atop-pm.sh
++++ b/atop-pm.sh
+@@ -2,8 +2,8 @@
+
+ case "$1" in
+-	pre)	/usr/bin/systemctl stop atop
++	pre)	@systemd@/bin/systemctl stop atop
+ 		exit 0
+ 		;;
+-	post)	/usr/bin/systemctl start atop
++	post)	@systemd@/bin/systemctl start atop
+ 		exit 0
+ 		;;
diff --git a/pkgs/os-specific/linux/audit/default.nix b/pkgs/os-specific/linux/audit/default.nix
index f77d71c823b..30327fb1082 100644
--- a/pkgs/os-specific/linux/audit/default.nix
+++ b/pkgs/os-specific/linux/audit/default.nix
@@ -1,5 +1,5 @@
 {
-  stdenv, buildPackages, fetchurl, fetchpatch,
+  lib, stdenv, buildPackages, fetchurl, fetchpatch,
   runCommand,
   autoconf, automake, libtool,
   enablePython ? false, python ? null,
@@ -18,9 +18,9 @@ stdenv.mkDerivation rec {
   outputs = [ "bin" "dev" "out" "man" ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = stdenv.lib.optionals stdenv.hostPlatform.isMusl
+  nativeBuildInputs = lib.optionals stdenv.hostPlatform.isMusl
     [ autoconf automake libtool ];
-  buildInputs = stdenv.lib.optional enablePython python;
+  buildInputs = lib.optional enablePython python;
 
   configureFlags = [
     # z/OS plugin is not useful on Linux,
@@ -36,7 +36,8 @@ stdenv.mkDerivation rec {
   # TODO: Remove the musl patches when
   #         https://github.com/linux-audit/audit-userspace/pull/25
   #       is available with the next release.
-  patches = stdenv.lib.optional stdenv.hostPlatform.isMusl [
+  patches = [ ./patches/weak-symbols.patch ]
+  ++ lib.optional stdenv.hostPlatform.isMusl [
     (
       let patch = fetchpatch {
             url = "https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e.patch";
@@ -55,12 +56,19 @@ stdenv.mkDerivation rec {
 
   prePatch = ''
     sed -i 's,#include <sys/poll.h>,#include <poll.h>\n#include <limits.h>,' audisp/audispd.c
+  ''
+  # According to https://stackoverflow.com/questions/13089166
+  # --whole-archive linker flag is required to be sure that linker
+  # correctly chooses strong version of symbol regardless of order of
+  # object files at command line.
+  + lib.optionalString stdenv.hostPlatform.isStatic ''
+    export LDFLAGS=-Wl,--whole-archive
   '';
   meta = {
     description = "Audit Library";
     homepage = "https://people.redhat.com/sgrubb/audit/";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = with stdenv.lib.maintainers; [ ];
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ ];
   };
 }
diff --git a/pkgs/os-specific/linux/audit/patches/weak-symbols.patch b/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
new file mode 100644
index 00000000000..301ea9a5476
--- /dev/null
+++ b/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
@@ -0,0 +1,147 @@
+Executables in src/ directory are built from source files in src/
+and are linked to libauparse, with both src/auditd-config.c and
+auparse/auditd-config.c defining "free_config" function.
+
+It is known (although obscure) behaviour of shared libraries that
+symbol defined in binary itself overrides symbol in shared library;
+with static linkage it expectedly results in multiple definition
+error.
+
+This set of fixes explicitly marks libauparse versions of
+conflicting functions as weak to have behaviour coherent with
+dynamic linkage version -- definitions in src/ overriding definition
+in auparse/.
+
+Still, this architecture is very strange and confusing.
+
+diff -r -U5 audit-2.8.5-orig/auparse/auditd-config.c audit-2.8.5/auparse/auditd-config.c
+--- audit-2.8.5-orig/auparse/auditd-config.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/auparse/auditd-config.c	2021-01-13 11:36:12.716226498 +0000
+@@ -68,10 +68,11 @@
+ };
+ 
+ /*
+  * Set everything to its default value
+ */
++#pragma weak clear_config
+ void clear_config(struct daemon_conf *config)
+ {
+ 	config->local_events = 1;
+ 	config->qos = QOS_NON_BLOCKING;
+ 	config->sender_uid = 0;
+@@ -322,10 +323,11 @@
+ 	if (config->log_file == NULL)
+ 		return 1;
+ 	return 0;
+ }
+ 
++#pragma weak free_config
+ void free_config(struct daemon_conf *config)
+ {
+ 	free((void*)config->log_file);
+ }
+ 
+diff -r -U5 audit-2.8.5-orig/auparse/interpret.c audit-2.8.5/auparse/interpret.c
+--- audit-2.8.5-orig/auparse/interpret.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/auparse/interpret.c	2021-01-13 11:39:42.107217224 +0000
+@@ -545,10 +545,11 @@
+ 	else
+ 		snprintf(buf, size, "unknown(%d)", uid);
+ 	return buf;
+ }
+ 
++#pragma weak aulookup_destroy_uid_list
+ void aulookup_destroy_uid_list(void)
+ {
+ 	if (uid_cache_created == 0)
+ 		return;
+ 
+@@ -2810,10 +2811,11 @@
+ 
+ /*
+  * This is the main entry point for the auparse library. Call chain is:
+  * auparse_interpret_field -> nvlist_interp_cur_val -> interpret
+  */
++#pragma weak interpret
+ const char *interpret(const rnode *r, auparse_esc_t escape_mode)
+ {
+ 	const nvlist *nv = &r->nv;
+ 	int type;
+ 	idata id;
+diff -r -U5 audit-2.8.5-orig/auparse/nvlist.c audit-2.8.5/auparse/nvlist.c
+--- audit-2.8.5-orig/auparse/nvlist.c	2019-02-04 14:26:52.000000000 +0000
++++ audit-2.8.5/auparse/nvlist.c	2021-01-13 11:37:37.190222757 +0000
+@@ -27,10 +27,11 @@
+ #include "nvlist.h"
+ #include "interpret.h"
+ #include "auparse-idata.h"
+ 
+ 
++#pragma weak nvlist_create
+ void nvlist_create(nvlist *l)
+ {
+ 	l->head = NULL;
+ 	l->cur = NULL;
+ 	l->cnt = 0;
+@@ -47,17 +48,19 @@
+ 	while (node->next)
+ 		node = node->next;
+ 	l->cur = node;
+ }
+ 
++#pragma weak nvlist_next
+ nvnode *nvlist_next(nvlist *l)
+ {
+ 	if (l->cur)
+ 		l->cur = l->cur->next;
+ 	return l->cur;
+ }
+ 
++#pragma weak nvlist_append
+ void nvlist_append(nvlist *l, nvnode *node)
+ {
+ 	nvnode* newnode = malloc(sizeof(nvnode));
+ 
+ 	newnode->name = node->name;
+@@ -141,10 +144,11 @@
+ 	if (l->cur->interp_val)
+ 		return l->cur->interp_val;
+ 	return interpret(r, escape_mode);
+ }
+ 
++#pragma weak nvlist_clear
+ void nvlist_clear(nvlist* l)
+ {
+ 	nvnode* nextnode;
+ 	register nvnode* current;
+ 
+diff -r -U5 audit-2.8.5-orig/auparse/strsplit.c audit-2.8.5/auparse/strsplit.c
+--- audit-2.8.5-orig/auparse/strsplit.c	2019-03-01 21:15:30.000000000 +0000
++++ audit-2.8.5/auparse/strsplit.c	2021-01-13 11:38:04.306221556 +0000
+@@ -54,10 +54,11 @@
+ 			return NULL;
+ 		return s;
+ 	}
+ }
+ 
++#pragma weak audit_strsplit
+ char *audit_strsplit(char *s)
+ {
+ 	static char *str = NULL;
+ 	char *ptr;
+ 
+diff -r -U5 audit-2.8.5-orig/lib/strsplit.c audit-2.8.5/lib/strsplit.c
+--- audit-2.8.5-orig/lib/strsplit.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/lib/strsplit.c	2021-01-13 11:38:29.444220443 +0000
+@@ -23,10 +23,11 @@
+ 
+ #include <string.h>
+ #include "libaudit.h"
+ #include "private.h"
+ 
++#pragma weak audit_strsplit_r
+ char *audit_strsplit_r(char *s, char **savedpp)
+ {
+ 	char *ptr;
+ 
+ 	if (s)
diff --git a/pkgs/os-specific/linux/autofs/default.nix b/pkgs/os-specific/linux/autofs/default.nix
index baf3cc6ad55..3055a91161b 100644
--- a/pkgs/os-specific/linux/autofs/default.nix
+++ b/pkgs/os-specific/linux/autofs/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchurl, flex, bison, linuxHeaders, libtirpc, mount, umount, nfs-utils, e2fsprogs
-, libxml2, kerberos, kmod, openldap, sssd, cyrus_sasl, openssl }:
+{ lib, stdenv, fetchurl, flex, bison, linuxHeaders, libtirpc, mount, umount, nfs-utils, e2fsprogs
+, libxml2, libkrb5, kmod, openldap, sssd, cyrus_sasl, openssl, rpcsvc-proto }:
 
 let
   version = "5.1.6";
@@ -28,21 +28,24 @@ in stdenv.mkDerivation {
     unset STRIP # Makefile.rules defines a usable STRIP only without the env var.
   '';
 
+  # configure script is not finding the right path
+  NIX_CFLAGS_COMPILE = [ "-I${libtirpc.dev}/include/tirpc" ];
+
   installPhase = ''
     make install SUBDIRS="lib daemon modules man" # all but samples
     #make install SUBDIRS="samples" # impure!
   '';
 
-  buildInputs = [ linuxHeaders libtirpc libxml2 kerberos kmod openldap sssd
-                  openssl cyrus_sasl ];
+  buildInputs = [ linuxHeaders libtirpc libxml2 libkrb5 kmod openldap sssd
+                  openssl cyrus_sasl rpcsvc-proto ];
 
   nativeBuildInputs = [ flex bison ];
 
   meta = {
     description = "Kernel-based automounter";
     homepage = "https://www.kernel.org/pub/linux/daemons/autofs/";
-    license = stdenv.lib.licenses.gpl2Plus;
+    license = lib.licenses.gpl2Plus;
     executables = [ "automount" ];
-    platforms = stdenv.lib.platforms.linux;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/batman-adv/alfred.nix b/pkgs/os-specific/linux/batman-adv/alfred.nix
index 04217b8989b..96040f2828c 100644
--- a/pkgs/os-specific/linux/batman-adv/alfred.nix
+++ b/pkgs/os-specific/linux/batman-adv/alfred.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, gpsd, libcap, libnl }:
+{ lib, stdenv, fetchurl, pkg-config, gpsd, libcap, libnl }:
 
 let cfg = import ./version.nix; in
 
@@ -11,18 +11,18 @@ stdenv.mkDerivation rec {
     sha256 = cfg.sha256.${pname};
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ gpsd libcap libnl ];
 
   preBuild = ''
-    makeFlags="PREFIX=$out PKG_CONFIG=${pkgconfig}/bin/${pkgconfig.targetPrefix}pkg-config"
+    makeFlags="PREFIX=$out PKG_CONFIG=${pkg-config}/bin/${pkg-config.targetPrefix}pkg-config"
   '';
 
   meta = {
     homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
     description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2, information distribution tool";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = with stdenv.lib.maintainers; [ fpletz ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/batman-adv/batctl.nix b/pkgs/os-specific/linux/batman-adv/batctl.nix
index 3b1cf183e08..079624c10ad 100644
--- a/pkgs/os-specific/linux/batman-adv/batctl.nix
+++ b/pkgs/os-specific/linux/batman-adv/batctl.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, libnl }:
+{ lib, stdenv, fetchurl, pkg-config, libnl }:
 
 let cfg = import ./version.nix; in
 
@@ -11,18 +11,18 @@ stdenv.mkDerivation rec {
     sha256 = cfg.sha256.${pname};
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libnl ];
 
   preBuild = ''
-    makeFlags="PREFIX=$out PKG_CONFIG=${pkgconfig}/bin/${pkgconfig.targetPrefix}pkg-config"
+    makeFlags="PREFIX=$out PKG_CONFIG=${pkg-config}/bin/${pkg-config.targetPrefix}pkg-config"
   '';
 
   meta = {
     homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
     description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2, control tool";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = with stdenv.lib.maintainers; [ fpletz ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix
index 8985949a012..354f4b1bff2 100644
--- a/pkgs/os-specific/linux/batman-adv/default.nix
+++ b/pkgs/os-specific/linux/batman-adv/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, kernel }:
+{ lib, stdenv, fetchurl, kernel }:
 
 let cfg = import ./version.nix; in
 
@@ -24,8 +24,8 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
     description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = with stdenv.lib.maintainers; [ fpletz ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz hexa ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/batman-adv/version.nix b/pkgs/os-specific/linux/batman-adv/version.nix
index f9f3013e1f9..71c7863cfa8 100644
--- a/pkgs/os-specific/linux/batman-adv/version.nix
+++ b/pkgs/os-specific/linux/batman-adv/version.nix
@@ -1,9 +1,9 @@
 {
-  version = "2019.5";
+  version = "2021.1";
 
   sha256 = {
-    batman-adv = "1v18zvvg12jgywncbhxshgjc93r72ajpxgw22zp0zx22g2q13z99";
-    alfred = "09npizg89ks1wm19l5xz0pq1ljpsbwy030xnprqnd0p53976wywa";
-    batctl = "1b9w4636dq8m38nzr8j0v0j3b0vdsw84c58c2isc33h66dx8brgz";
+    batman-adv = "1l1lk41h4chymrb41ihqrr3p80xdwhhp1kkksr157mzailyq8xxz";
+    alfred = "122y92vqrpp3g6dbjfv8hkhwjlfa3skr91lbzicr0pw8mm6wzqll";
+    batctl = "0xp1cqcw0g0irgw9yhkch01rbn39gzvfxv8b2yya32vbnkmqrcj4";
   };
 }
diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix
index 67cbc6e5c5e..837906fb554 100644
--- a/pkgs/os-specific/linux/bbswitch/default.nix
+++ b/pkgs/os-specific/linux/bbswitch/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, kernel, runtimeShell }:
+{ lib, stdenv, fetchurl, fetchpatch, kernel, runtimeShell }:
 
 let
   baseName = "bbswitch";
@@ -54,7 +54,7 @@ stdenv.mkDerivation {
     chmod +x $out/bin/discrete_vga_poweroff $out/bin/discrete_vga_poweron
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A module for powering off hybrid GPUs";
     platforms = [ "x86_64-linux" "i686-linux" ];
     homepage = "https://github.com/Bumblebee-Project/bbswitch";
diff --git a/pkgs/os-specific/linux/bcc/default.nix b/pkgs/os-specific/linux/bcc/default.nix
index 98de3ed1b11..221f38faa87 100644
--- a/pkgs/os-specific/linux/bcc/default.nix
+++ b/pkgs/os-specific/linux/bcc/default.nix
@@ -1,22 +1,28 @@
-{ stdenv, fetchurl, makeWrapper, cmake, llvmPackages, kernel
+{ lib, stdenv, fetchFromGitHub
+, makeWrapper, cmake, llvmPackages, kernel
 , flex, bison, elfutils, python, luajit, netperf, iperf, libelf
-, systemtap, bash
+, systemtap, bash, libbpf
 }:
 
 python.pkgs.buildPythonApplication rec {
   pname = "bcc";
-  version = "0.15.0";
+  version = "0.20.0";
 
-  src = fetchurl {
-    url = "https://github.com/iovisor/bcc/releases/download/v${version}/bcc-src-with-submodule.tar.gz";
-    sha256 = "1k00xbhdzdvqp4hfxpgg34bbhnx597jjhpg1x6dz2w80r7xzsj28";
+  disabled = !stdenv.isLinux;
+
+  src = fetchFromGitHub {
+    owner = "iovisor";
+    repo = "bcc";
+    rev = "v${version}";
+    sha256 = "1xnpz2zv445dp5h0160drv6xlvrnwfj23ngc4dp3clcd59jh1baq";
   };
   format = "other";
 
   buildInputs = with llvmPackages; [
-    llvm clang-unwrapped kernel
+    llvm llvm.dev libclang kernel
     elfutils luajit netperf iperf
     systemtap.stapBuild flex bash
+    libbpf
   ];
 
   patches = [
@@ -26,15 +32,16 @@ python.pkgs.buildPythonApplication rec {
   ];
 
   propagatedBuildInputs = [ python.pkgs.netaddr ];
-  nativeBuildInputs = [ makeWrapper cmake flex bison ]
+  nativeBuildInputs = [ makeWrapper cmake flex bison llvmPackages.llvm.dev ]
     # libelf is incompatible with elfutils-libelf
-    ++ stdenv.lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
+    ++ lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
 
   cmakeFlags = [
     "-DBCC_KERNEL_MODULES_DIR=${kernel.dev}/lib/modules"
     "-DREVISION=${version}"
     "-DENABLE_USDT=ON"
     "-DENABLE_CPP_API=ON"
+    "-DCMAKE_USE_LIBBPF_PACKAGE=ON"
   ];
 
   postPatch = ''
@@ -65,7 +72,7 @@ python.pkgs.buildPythonApplication rec {
     wrapPythonProgramsIn "$out/share/bcc/tools" "$out $pythonPath"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Dynamic Tracing Tools for Linux";
     homepage    = "https://iovisor.github.io/bcc/";
     license     = licenses.asl20;
diff --git a/pkgs/os-specific/linux/beefi/default.nix b/pkgs/os-specific/linux/beefi/default.nix
new file mode 100644
index 00000000000..959a43faea9
--- /dev/null
+++ b/pkgs/os-specific/linux/beefi/default.nix
@@ -0,0 +1,44 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, installShellFiles
+, binutils-unwrapped
+, systemd }:
+
+stdenv.mkDerivation rec {
+  pname = "beefi";
+  version = "0.1.1";
+
+  src = fetchFromGitHub {
+    owner = "jfeick";
+    repo = "beefi";
+    rev = version;
+    sha256 = "1180avalbw414q1gnfqdgc9zg3k9y0401kw9qvcn51qph81d04v5";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  buildInputs = [
+    binutils-unwrapped
+    systemd
+  ];
+
+  patchPhase = ''
+    substituteInPlace beefi \
+      --replace objcopy ${binutils-unwrapped}/bin/objcopy \
+      --replace /usr/lib/systemd ${systemd}/lib/systemd
+  '';
+
+  installPhase = ''
+    install -Dm755 beefi $out/bin/beefi
+    installManPage beefi.1
+  '';
+
+  meta = with lib; {
+    description = "A small script to create bootable EFISTUB kernel images";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ tu-maurice ];
+    homepage = "https://github.com/jfeick/beefi";
+  };
+}
diff --git a/pkgs/os-specific/linux/bionic-prebuilt/default.nix b/pkgs/os-specific/linux/bionic-prebuilt/default.nix
new file mode 100644
index 00000000000..920732a2020
--- /dev/null
+++ b/pkgs/os-specific/linux/bionic-prebuilt/default.nix
@@ -0,0 +1,113 @@
+{ stdenvNoCC, lib, fetchzip, pkgs
+}:
+let
+
+  prebuilt_crt = fetchzip {
+    url =  "https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/+archive/98dce673ad97a9640c5d90bbb1c718e75c21e071/lib/gcc/aarch64-linux-android/4.9.x.tar.gz";
+    sha256 = "sha256-LLD2OJi78sNN5NulOsJZl7Ei4F1EUYItGG6eUsKWULc=";
+    stripRoot = false;
+  };
+
+  prebuilt_libs = fetchzip {
+    url = "https://android.googlesource.com/platform/prebuilts/ndk/+archive/f2c77d8ba8a7f5c2d91771e31164f29be0b8ff98/platform/platforms/android-30/arch-arm64/usr/lib.tar.gz";
+    sha256 = "sha256-TZBV7+D1QvKOCEi+VNGT5SStkgj0xRbyWoLH65zSrjw=";
+    stripRoot = false;
+  };
+
+  prebuilt_ndk_crt = fetchzip {
+    url = "https://android.googlesource.com/toolchain/prebuilts/ndk/r23/+archive/6c5fa4c0d3999b9ee932f6acbd430eb2f31f3151/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/aarch64-linux-android/30.tar.gz";
+    sha256 = "sha256-KHw+cCwAwlm+5Nwp1o8WONqdi4BBDhFaVVr+7GxQ5uE=";
+    stripRoot = false;
+  };
+
+  ndk_support_headers = fetchzip {
+    url ="https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/+archive/0e7f808fa26cce046f444c9616d9167dafbfb272/clang-r416183b/include/c++/v1/support.tar.gz";
+    sha256 = "sha256-NBv7Pk1CEaz8ns9moleEERr3x/rFmVmG33LgFSeO6fY=";
+    stripRoot = false;
+  };
+
+  kernelHeaders = pkgs.makeLinuxHeaders {
+    version = "android-common-11-5.4";
+    src = fetchzip {
+      url = "https://android.googlesource.com/kernel/common/+archive/48ffcbf0b9e7f0280bfb8c32c68da0aaf0fdfef6.tar.gz";
+      sha256 = "1y7cmlmcr5vdqydd9n785s139yc4aylc3zhqa59xsylmkaf5habk";
+      stripRoot = false;
+    };
+  };
+
+in
+stdenvNoCC.mkDerivation rec {
+  pname = "bionic-prebuilt";
+  version = "ndk-release-r23";
+
+  src = fetchzip {
+    url = "https://android.googlesource.com/platform/bionic/+archive/00e8ce1142d8823b0d2fc8a98b40119b0f1f02cd.tar.gz";
+    sha256 = "10z5mp4w0acvjvgxv7wlqa7m70hcyarmjdlfxbd9rwzf4mrsr8d1";
+    stripRoot = false;
+  };
+
+  NIX_DONT_SET_RPATH = true;
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  patches = [
+    ./ndk-version.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace libc/include/sys/cdefs.h --replace \
+      "__has_builtin(__builtin_umul_overflow)" "1"
+    substituteInPlace libc/include/bits/ioctl.h --replace \
+      "!defined(BIONIC_IOCTL_NO_SIGNEDNESS_OVERLOAD)" "0"
+  '';
+
+  installPhase= ''
+    # copy the bionic headers
+    mkdir -p $out/include/support $out/include/android
+    cp -vr libc/include/* $out/include
+    # copy the kernel headers
+    cp -vr ${kernelHeaders}/include/*  $out/include/
+
+    chmod -R +w $out/include/linux
+
+    # fix a bunch of kernel headers so that things can actually be found
+    sed -i 's,struct epoll_event {,#include <bits/epoll_event.h>\nstruct Xepoll_event {,' $out/include/linux/eventpoll.h
+    sed -i 's,struct in_addr {,typedef unsigned int in_addr_t;\nstruct in_addr {,' $out/include/linux/in.h
+    sed -i 's,struct udphdr {,struct Xudphdr {,' $out/include/linux/udp.h
+    sed -i 's,union semun {,union Xsemun {,' $out/include/linux/sem.h
+    sed -i 's,struct __kernel_sockaddr_storage,#define sockaddr_storage __kernel_sockaddr_storage\nstruct __kernel_sockaddr_storage,' $out/include/linux/socket.h
+    sed -i 's,#ifndef __UAPI_DEF_.*$,#if 1,' $out/include/linux/libc-compat.h
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imr_" "struct in_addr		imr_"
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imsf_" "struct in_addr		imsf_"
+    substituteInPlace $out/include/linux/sysctl.h --replace "__unused" "_unused"
+
+    # what could possibly live in <linux/compiler.h>
+    touch $out/include/linux/compiler.h
+
+    # copy the support headers
+    cp -vr ${ndk_support_headers}* $out/include/support/
+
+    mkdir $out/lib
+    cp -v ${prebuilt_crt.out}/*.o $out/lib/
+    cp -v ${prebuilt_crt.out}/libgcc.a $out/lib/
+    cp -v ${prebuilt_ndk_crt.out}/*.o $out/lib/
+    for i in libc.so libm.so libdl.so liblog.so; do
+      cp -v ${prebuilt_libs.out}/$i $out/lib/
+    done
+
+    mkdir -p $dev/include
+    cp -v $out/include/*.h $dev/include/
+  '';
+
+  outputs = [ "out" "dev" ];
+  passthru.linuxHeaders = kernelHeaders;
+
+  meta = with lib; {
+    description = "The Android libc implementation";
+    homepage    = "https://android.googlesource.com/platform/bionic/";
+    license     = licenses.mit;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ s1341 ];
+  };
+}
diff --git a/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch b/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
new file mode 100644
index 00000000000..a6842ed479f
--- /dev/null
+++ b/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
@@ -0,0 +1,42 @@
+--- a/libc/include/android/ndk-version.h	2021-04-01 16:08:03.109183965 +0300
++++ b/libc/include/android/ndk-version.h	2021-04-01 16:07:19.811424641 +0300
+@@ -0,0 +1,39 @@
++#pragma once
++
++/**
++ * Set to 1 if this is an NDK, unset otherwise. See
++ * https://android.googlesource.com/platform/bionic/+/master/docs/defines.md.
++ */
++#define __ANDROID_NDK__ 1
++
++/**
++ * Major version of this NDK.
++ *
++ * For example: 16 for r16.
++ */
++#define __NDK_MAJOR__ 22
++
++/**
++ * Minor version of this NDK.
++ *
++ * For example: 0 for r16 and 1 for r16b.
++ */
++#define __NDK_MINOR__ 0
++
++/**
++ * Set to 0 if this is a release build, or 1 for beta 1,
++ * 2 for beta 2, and so on.
++ */
++#define __NDK_BETA__ 0
++
++/**
++ * Build number for this NDK.
++ *
++ * For a local development build of the NDK, this is -1.
++ */
++#define __NDK_BUILD__ 7026061
++
++/**
++ * Set to 1 if this is a canary build, 0 if not.
++ */
++#define __NDK_CANARY__ 0
diff --git a/pkgs/os-specific/linux/blktrace/default.nix b/pkgs/os-specific/linux/blktrace/default.nix
index 4ae449c19aa..fb5a5d06212 100644
--- a/pkgs/os-specific/linux/blktrace/default.nix
+++ b/pkgs/os-specific/linux/blktrace/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libaio }:
+{ lib, stdenv, fetchurl, libaio }:
 
 stdenv.mkDerivation {
   name = "blktrace-1.2.0";
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
 
   meta = {
     description = "Block layer IO tracing mechanism";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/bluez/default.nix b/pkgs/os-specific/linux/bluez/default.nix
index 401ab39bca3..040b8fc8478 100644
--- a/pkgs/os-specific/linux/bluez/default.nix
+++ b/pkgs/os-specific/linux/bluez/default.nix
@@ -1,12 +1,14 @@
 { stdenv
 , lib
 , fetchurl
-, alsaLib
+, alsa-lib
 , dbus
+, ell
 , glib
 , json_c
 , libical
-, pkgconfig
+, docutils
+, pkg-config
 , python3
 , readline
 , systemd
@@ -19,16 +21,17 @@
   ];
 in stdenv.mkDerivation rec {
   pname = "bluez";
-  version = "5.54";
+  version = "5.60";
 
   src = fetchurl {
     url = "mirror://kernel/linux/bluetooth/${pname}-${version}.tar.xz";
-    sha256 = "1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8";
+    sha256 = "sha256-cQmZWA0B7lnsWF5efAf9lO3e3AAaom/nRkxUb52UUwQ=";
   };
 
   buildInputs = [
-    alsaLib
+    alsa-lib
     dbus
+    ell
     glib
     json_c
     libical
@@ -38,7 +41,8 @@ in stdenv.mkDerivation rec {
   ];
 
   nativeBuildInputs = [
-    pkgconfig
+    docutils
+    pkg-config
     python3.pkgs.wrapPython
   ];
 
@@ -48,6 +52,11 @@ in stdenv.mkDerivation rec {
     substituteInPlace tools/hid2hci.rules \
       --replace /sbin/udevadm ${systemd}/bin/udevadm \
       --replace "hid2hci " "$out/lib/udev/hid2hci "
+    # Disable some tests:
+    # - test-mesh-crypto depends on the following kernel settings:
+    #   CONFIG_CRYPTO_[USER|USER_API|USER_API_AEAD|USER_API_HASH|AES|CCM|AEAD|CMAC]
+    if [[ ! -f unit/test-mesh-crypto.c ]]; then echo "unit/test-mesh-crypto.c no longer exists"; false; fi
+    echo 'int main() { return 77; }' > unit/test-mesh-crypto.c
   '';
 
   configureFlags = [
@@ -55,6 +64,7 @@ in stdenv.mkDerivation rec {
     "--enable-library"
     "--enable-cups"
     "--enable-pie"
+    "--enable-external-ell"
     "--with-dbusconfdir=${placeholder "out"}/share"
     "--with-dbussystembusdir=${placeholder "out"}/share/dbus-1/system-services"
     "--with-dbussessionbusdir=${placeholder "out"}/share/dbus-1/services"
@@ -67,7 +77,6 @@ in stdenv.mkDerivation rec {
     "--enable-nfc"
     "--enable-sap"
     "--enable-sixaxis"
-    "--enable-wiimote"
   ];
 
   # Work around `make install' trying to create /var/lib/bluetooth.
@@ -112,7 +121,7 @@ in stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Bluetooth support for Linux";
     homepage = "http://www.bluez.org/";
     license = with licenses; [ gpl2 lgpl21 ];
diff --git a/pkgs/os-specific/linux/bolt/default.nix b/pkgs/os-specific/linux/bolt/default.nix
index 114a90129ac..d38a97387f5 100644
--- a/pkgs/os-specific/linux/bolt/default.nix
+++ b/pkgs/os-specific/linux/bolt/default.nix
@@ -1,28 +1,50 @@
-{ stdenv, meson, ninja, pkgconfig, fetchFromGitLab,
-  python3, umockdev, gobject-introspection, dbus,
-  asciidoc, libxml2, libxslt, docbook_xml_dtd_45, docbook_xsl,
-  glib, systemd, polkit
+{ lib, stdenv
+, meson
+, ninja
+, pkg-config
+, fetchFromGitLab
+, fetchpatch
+, python3
+, umockdev
+, gobject-introspection
+, dbus
+, asciidoc
+, libxml2
+, libxslt
+, docbook_xml_dtd_45
+, docbook_xsl
+, glib
+, systemd
+, polkit
 }:
 
 stdenv.mkDerivation rec {
   pname = "bolt";
-  version = "0.8";
+  version = "0.9.1";
 
   src = fetchFromGitLab {
     domain = "gitlab.freedesktop.org";
     owner = "bolt";
     repo = "bolt";
     rev = version;
-    sha256 = "1qamls0fll0qc27lqavf56hv1yj6v6n4ry90g7bcnwpvccmd82yd";
+    sha256 = "1phgp8fs0dlj74kbkqlvfniwc32daz47b3pvsxlfxqzyrp77xrfm";
   };
 
   nativeBuildInputs = [
-    meson ninja pkgconfig
-    asciidoc libxml2 libxslt docbook_xml_dtd_45 docbook_xsl
-  ] ++ stdenv.lib.optional (!doCheck) python3;
+    asciidoc
+    docbook_xml_dtd_45
+    docbook_xsl
+    libxml2
+    libxslt
+    meson
+    ninja
+    pkg-config
+  ] ++ lib.optional (!doCheck) python3;
 
   buildInputs = [
-    glib systemd polkit
+    glib
+    polkit
+    systemd
   ];
 
   doCheck = true;
@@ -32,13 +54,25 @@ stdenv.mkDerivation rec {
   '';
 
   checkInputs = [
-    dbus umockdev gobject-introspection
+    dbus
+    gobject-introspection
+    umockdev
     (python3.withPackages
       (p: [ p.pygobject3 p.dbus-python p.python-dbusmock ]))
   ];
 
-  # meson install tries to create /var/lib/boltd
-  patches = [ ./0001-skip-mkdir.patch ];
+  patches = [
+    # meson install tries to create /var/lib/boltd
+    ./0001-skip-mkdir.patch
+
+    # https://github.com/NixOS/nixpkgs/issues/104429
+    # Upstream issue: https://gitlab.freedesktop.org/bolt/bolt/-/issues/167
+    (fetchpatch {
+      name = "disable-atime-tests.diff";
+      url = "https://gitlab.freedesktop.org/roberth/bolt/-/commit/1f672a7de2ebc4dd51590bb90f3b873a8ac0f4e6.diff";
+      sha256 = "134f5s6kjqs6612pwq5pm1miy58crn1kxbyyqhzjnzmf9m57fnc8";
+    })
+    ];
 
   postPatch = ''
     patchShebangs scripts tests
@@ -51,11 +85,11 @@ stdenv.mkDerivation rec {
   PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
   PKG_CONFIG_UDEV_UDEVDIR = "${placeholder "out"}/lib/udev";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Thunderbolt 3 device management daemon";
     homepage = "https://gitlab.freedesktop.org/bolt/bolt";
     license = licenses.lgpl21Plus;
-    maintainers = [ maintainers.callahad ];
+    maintainers = with maintainers; [ callahad ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/bpftool/default.nix b/pkgs/os-specific/linux/bpftool/default.nix
deleted file mode 100644
index 34ddcc3a213..00000000000
--- a/pkgs/os-specific/linux/bpftool/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ stdenv
-, libopcodes, libbfd, libelf
-, linuxPackages_latest, zlib
-, python3
-}:
-
-stdenv.mkDerivation {
-  pname = "bpftool";
-  inherit (linuxPackages_latest.kernel) version src;
-
-  nativeBuildInputs = [ python3 ];
-  buildInputs = [ libopcodes libbfd libelf zlib ];
-
-  preConfigure = ''
-    patchShebangs scripts/bpf_helpers_doc.py
-
-    cd tools/bpf/bpftool
-    substituteInPlace ./Makefile \
-      --replace '/usr/local' "$out" \
-      --replace '/usr'       "$out" \
-      --replace '/sbin'      '/bin'
-  '';
-
-  meta = with stdenv.lib; {
-    description = "Debugging/program analysis tool for the eBPF subsystem";
-    license     = [ licenses.gpl2 licenses.bsd2 ];
-    platforms   = platforms.linux;
-    maintainers = with maintainers; [ thoughtpolice ];
-  };
-}
diff --git a/pkgs/os-specific/linux/bpftools/default.nix b/pkgs/os-specific/linux/bpftools/default.nix
new file mode 100644
index 00000000000..f2ca8d87471
--- /dev/null
+++ b/pkgs/os-specific/linux/bpftools/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv
+, libopcodes, libbfd, libelf, readline
+, linuxPackages_latest, zlib
+, python3, bison, flex
+}:
+
+stdenv.mkDerivation {
+  pname = "bpftools";
+  inherit (linuxPackages_latest.kernel) version src;
+
+  nativeBuildInputs = [ python3 bison flex ];
+  buildInputs = [ libopcodes libbfd libelf zlib readline ];
+
+  preConfigure = ''
+    patchShebangs scripts/bpf_doc.py
+
+    cd tools/bpf
+    substituteInPlace ./bpftool/Makefile \
+      --replace '/usr/local' "$out" \
+      --replace '/usr'       "$out" \
+      --replace '/sbin'      '/bin'
+  '';
+
+  buildFlags = [ "bpftool" "bpf_asm" "bpf_dbg" ];
+
+  installPhase = ''
+    make -C bpftool install
+    install -Dm755 -t $out/bin bpf_asm
+    install -Dm755 -t $out/bin bpf_dbg
+  '';
+
+  meta = with lib; {
+    description = "Debugging/program analysis tools for the eBPF subsystem";
+    license     = [ licenses.gpl2 licenses.bsd2 ];
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice ];
+  };
+}
diff --git a/pkgs/os-specific/linux/bpftrace/default.nix b/pkgs/os-specific/linux/bpftrace/default.nix
index 0c360e60b7e..4d2f29491fc 100644
--- a/pkgs/os-specific/linux/bpftrace/default.nix
+++ b/pkgs/os-specific/linux/bpftrace/default.nix
@@ -1,29 +1,29 @@
-{ stdenv, fetchFromGitHub
-, cmake, pkgconfig, flex, bison
-, llvmPackages, kernel, elfutils, libelf, bcc
+{ lib, stdenv, fetchFromGitHub
+, cmake, pkg-config, flex, bison
+, llvmPackages, kernel, elfutils
+, libelf, libbfd, libbpf, libopcodes, bcc
 }:
 
 stdenv.mkDerivation rec {
   pname = "bpftrace";
-  version = "0.9.4";
+  version = "0.13.0";
 
   src = fetchFromGitHub {
     owner  = "iovisor";
     repo   = "bpftrace";
-    rev    = "refs/tags/v${version}";
-    sha256 = "00fvkq3razwacnpb82zkpv63dgyigbqx3gj6g0ka94nwa74i5i77";
+    rev    = "v${version}";
+    sha256 = "sha256-BKWBdFzj0j7rAfG30A0fwyYCpOG/5NFRPODW46EP1u0=";
   };
 
-  enableParallelBuilding = true;
-
   buildInputs = with llvmPackages;
-    [ llvm clang-unwrapped
+    [ llvm libclang
       kernel elfutils libelf bcc
+      libbpf libbfd libopcodes
     ];
 
-  nativeBuildInputs = [ cmake pkgconfig flex bison ]
+  nativeBuildInputs = [ cmake pkg-config flex bison llvmPackages.llvm.dev ]
     # libelf is incompatible with elfutils-libelf
-    ++ stdenv.lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
+    ++ lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
 
   # patch the source, *then* substitute on @NIX_KERNEL_SRC@ in the result. we could
   # also in theory make this an environment variable around bpftrace, but this works
@@ -41,7 +41,7 @@ stdenv.mkDerivation rec {
   #
   cmakeFlags =
     [ "-DBUILD_TESTING=FALSE"
-      "-DLIBBCC_INCLUDE_DIRS=${bcc}/include/bcc"
+      "-DLIBBCC_INCLUDE_DIRS=${bcc}/include"
     ];
 
   # nuke the example/reference output .txt files, for the included tools,
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "man" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "High-level tracing language for Linux eBPF";
     homepage    = "https://github.com/iovisor/bpftrace";
     license     = licenses.asl20;
diff --git a/pkgs/os-specific/linux/bridge-utils/default.nix b/pkgs/os-specific/linux/bridge-utils/default.nix
index 1aeb4a907fb..12655c3bed6 100644
--- a/pkgs/os-specific/linux/bridge-utils/default.nix
+++ b/pkgs/os-specific/linux/bridge-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoreconfHook }:
+{ lib, stdenv, fetchurl, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   name = "bridge-utils-1.5";
@@ -25,7 +25,7 @@ stdenv.mkDerivation rec {
   meta = {
     description = "https://sourceforge.net/projects/bridge/";
     homepage = "https://wiki.linuxfoundation.org/networking/bridge";
-    license = stdenv.lib.licenses.gpl2Plus;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/brillo/default.nix b/pkgs/os-specific/linux/brillo/default.nix
index 5baaa0752aa..0736a13ce12 100644
--- a/pkgs/os-specific/linux/brillo/default.nix
+++ b/pkgs/os-specific/linux/brillo/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitLab , go-md2man, coreutils, substituteAll }:
+{ lib, stdenv, fetchFromGitLab , go-md2man, coreutils, substituteAll }:
 
 stdenv.mkDerivation rec {
   pname = "brillo";
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
 
   installTargets = [ "install-dist" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Backlight and Keyboard LED control tool";
     homepage = "https://gitlab.com/cameronnemo/brillo";
     license = [ licenses.gpl3 licenses.bsd0 ];
diff --git a/pkgs/os-specific/linux/broadcom-sta/default.nix b/pkgs/os-specific/linux/broadcom-sta/default.nix
index ecaa3896044..527d2253e5b 100644
--- a/pkgs/os-specific/linux/broadcom-sta/default.nix
+++ b/pkgs/os-specific/linux/broadcom-sta/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, kernel }:
+{ lib, stdenv, fetchurl, kernel }:
 
 let
   version = "6.30.223.271";
@@ -7,8 +7,8 @@ let
     x86_64-linux = "1gj485qqr190idilacpxwgqyw21il03zph2rddizgj7fbd6pfyaz";
   };
 
-  arch = stdenv.lib.optionalString (stdenv.hostPlatform.system == "x86_64-linux") "_64";
-  tarballVersion = stdenv.lib.replaceStrings ["."] ["_"] version;
+  arch = lib.optionalString (stdenv.hostPlatform.system == "x86_64-linux") "_64";
+  tarballVersion = lib.replaceStrings ["."] ["_"] version;
   tarball = "hybrid-v35${arch}-nodebug-pcoem-${tarballVersion}.tar.gz";
 in
 stdenv.mkDerivation {
@@ -37,6 +37,8 @@ stdenv.mkDerivation {
     ./linux-5.1.patch
     # source: https://salsa.debian.org/Herrie82-guest/broadcom-sta/-/commit/247307926e5540ad574a17c062c8da76990d056f
     ./linux-5.6.patch
+    # source: https://gist.github.com/joanbm/5c640ac074d27fd1d82c74a5b67a1290
+    ./linux-5.9.patch
     ./null-pointer-fix.patch
     ./gcc.patch
   ];
@@ -60,8 +62,8 @@ stdenv.mkDerivation {
   meta = {
     description = "Kernel module driver for some Broadcom's wireless cards";
     homepage = "http://www.broadcom.com/support/802.11/linux_sta.php";
-    license = stdenv.lib.licenses.unfreeRedistributable;
-    maintainers = with stdenv.lib.maintainers; [ phreedom ];
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.unfreeRedistributable;
+    maintainers = with lib.maintainers; [ phreedom ];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch b/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch
new file mode 100644
index 00000000000..2a4e6fa89cc
--- /dev/null
+++ b/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch
@@ -0,0 +1,184 @@
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 4b3298f..c45ad48 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -41,6 +41,7 @@
+ #include <wlioctl.h>
+ #include <proto/802.11.h>
+ #include <wl_cfg80211_hybrid.h>
++#include <wl_linux.h>
+ 
+ #define EVENT_TYPE(e) dtoh32((e)->event_type)
+ #define EVENT_FLAGS(e) dtoh16((e)->flags)
+@@ -442,30 +443,7 @@ static void key_endian_to_host(struct wl_wsec_key *key)
+ static s32
+ wl_dev_ioctl(struct net_device *dev, u32 cmd, void *arg, u32 len)
+ {
+-	struct ifreq ifr;
+-	struct wl_ioctl ioc;
+-	mm_segment_t fs;
+-	s32 err = 0;
+-
+-	BUG_ON(len < sizeof(int));
+-
+-	memset(&ioc, 0, sizeof(ioc));
+-	ioc.cmd = cmd;
+-	ioc.buf = arg;
+-	ioc.len = len;
+-	strcpy(ifr.ifr_name, dev->name);
+-	ifr.ifr_data = (caddr_t)&ioc;
+-
+-	fs = get_fs();
+-	set_fs(KERNEL_DS);
+-#if defined(WL_USE_NETDEV_OPS)
+-	err = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#else
+-	err = dev->do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#endif
+-	set_fs(fs);
+-
+-	return err;
++	return wlc_ioctl_internal(dev, cmd, arg, len);
+ }
+ 
+ static s32
+diff --git a/src/wl/sys/wl_iw.c b/src/wl/sys/wl_iw.c
+index 9c3c74e..e346b15 100644
+--- a/src/wl/sys/wl_iw.c
++++ b/src/wl/sys/wl_iw.c
+@@ -37,6 +37,7 @@ typedef const struct si_pub	si_t;
+ 
+ #include <wl_dbg.h>
+ #include <wl_iw.h>
++#include <wl_linux.h>
+ 
+ extern bool wl_iw_conn_status_str(uint32 event_type, uint32 status,
+ 	uint32 reason, char* stringBuf, uint buflen);
+@@ -103,29 +104,7 @@ dev_wlc_ioctl(
+ 	int len
+ )
+ {
+-	struct ifreq ifr;
+-	wl_ioctl_t ioc;
+-	mm_segment_t fs;
+-	int ret;
+-
+-	memset(&ioc, 0, sizeof(ioc));
+-	ioc.cmd = cmd;
+-	ioc.buf = arg;
+-	ioc.len = len;
+-
+-	strcpy(ifr.ifr_name, dev->name);
+-	ifr.ifr_data = (caddr_t) &ioc;
+-
+-	fs = get_fs();
+-	set_fs(KERNEL_DS);
+-#if defined(WL_USE_NETDEV_OPS)
+-	ret = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#else
+-	ret = dev->do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#endif
+-	set_fs(fs);
+-
+-	return ret;
++	return wlc_ioctl_internal(dev, cmd, arg, len);
+ }
+ 
+ static int
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index c990c70..5bb9480 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -1664,10 +1664,7 @@ wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ 		goto done2;
+ 	}
+ 
+-	if (segment_eq(get_fs(), KERNEL_DS))
+-		buf = ioc.buf;
+-
+-	else if (ioc.buf) {
++	if (ioc.buf) {
+ 		if (!(buf = (void *) MALLOC(wl->osh, MAX(ioc.len, WLC_IOCTL_MAXLEN)))) {
+ 			bcmerror = BCME_NORESOURCE;
+ 			goto done2;
+@@ -1688,7 +1685,7 @@ wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ 	WL_UNLOCK(wl);
+ 
+ done1:
+-	if (ioc.buf && (ioc.buf != buf)) {
++	if (ioc.buf) {
+ 		if (copy_to_user(ioc.buf, buf, ioc.len))
+ 			bcmerror = BCME_BADADDR;
+ 		MFREE(wl->osh, buf, MAX(ioc.len, WLC_IOCTL_MAXLEN));
+@@ -1701,6 +1698,39 @@ done2:
+ 	return (OSL_ERROR(bcmerror));
+ }
+ 
++int
++wlc_ioctl_internal(struct net_device *dev, int cmd, void *buf, int len)
++{
++	wl_info_t *wl;
++	wl_if_t *wlif;
++	int bcmerror;
++
++	if (!dev)
++		return -ENETDOWN;
++
++	wl = WL_INFO(dev);
++	wlif = WL_DEV_IF(dev);
++	if (wlif == NULL || wl == NULL || wl->dev == NULL)
++		return -ENETDOWN;
++
++	bcmerror = 0;
++
++	WL_TRACE(("wl%d: wlc_ioctl_internal: cmd 0x%x\n", wl->pub->unit, cmd));
++
++	WL_LOCK(wl);
++	if (!capable(CAP_NET_ADMIN)) {
++		bcmerror = BCME_EPERM;
++	} else {
++		bcmerror = wlc_ioctl(wl->wlc, cmd, buf, len, wlif->wlcif);
++	}
++	WL_UNLOCK(wl);
++
++	ASSERT(VALID_BCMERROR(bcmerror));
++	if (bcmerror != 0)
++		wl->pub->bcmerror = bcmerror;
++	return (OSL_ERROR(bcmerror));
++}
++
+ static struct net_device_stats*
+ wl_get_stats(struct net_device *dev)
+ {
+diff --git a/src/wl/sys/wl_linux.h b/src/wl/sys/wl_linux.h
+index 5b1048e..c8c1f41 100644
+--- a/src/wl/sys/wl_linux.h
++++ b/src/wl/sys/wl_linux.h
+@@ -22,6 +22,7 @@
+ #define _wl_linux_h_
+ 
+ #include <wlc_types.h>
++#include <wlc_pub.h>
+ 
+ typedef struct wl_timer {
+ 	struct timer_list 	timer;
+@@ -187,6 +188,7 @@ extern irqreturn_t wl_isr(int irq, void *dev_id, struct pt_regs *ptregs);
+ extern int __devinit wl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent);
+ extern void wl_free(wl_info_t *wl);
+ extern int  wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd);
++extern int wlc_ioctl_internal(struct net_device *dev, int cmd, void *buf, int len);
+ extern struct net_device * wl_netdev_get(wl_info_t *wl);
+ 
+ #endif 
+diff --git a/src/wl/sys/wlc_pub.h b/src/wl/sys/wlc_pub.h
+index 53a98b8..2b5a029 100644
+--- a/src/wl/sys/wlc_pub.h
++++ b/src/wl/sys/wlc_pub.h
+@@ -24,6 +24,7 @@
+ 
+ #include <wlc_types.h>
+ #include <wlc_utils.h>
++#include <siutils.h>
+ #include "proto/802.11.h"
+ #include "proto/bcmevent.h"
+ 
diff --git a/pkgs/os-specific/linux/btfs/default.nix b/pkgs/os-specific/linux/btfs/default.nix
index b4107e8ba00..342272f4286 100644
--- a/pkgs/os-specific/linux/btfs/default.nix
+++ b/pkgs/os-specific/linux/btfs/default.nix
@@ -1,27 +1,27 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig
-, python3, boost, fuse, libtorrentRasterbar, curl }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config
+, python3, boost, fuse, libtorrent-rasterbar, curl }:
 
 stdenv.mkDerivation rec {
   pname = "btfs";
-  version = "2.22";
+  version = "2.24";
 
   src = fetchFromGitHub {
     owner  = "johang";
     repo   = pname;
     rev    = "v${version}";
-    sha256 = "1z88bk1z4sns3jdn56x83mvh06snxg0lr5h4v0c24lzlf5wbdifz";
+    sha256 = "sha256-fkS0U/MqFRQNi+n7NE4e1cnNICvfST2IQ9FMoJUyj6w=";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [
-    boost fuse libtorrentRasterbar curl python3
+    boost fuse libtorrent-rasterbar curl python3
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A bittorrent filesystem based on FUSE";
     homepage    = "https://github.com/johang/btfs";
     license     = licenses.gpl3;
     maintainers = with maintainers; [ rnhmjoj ];
-    platforms   = platforms.linux;
+    platforms   = platforms.unix;
   };
 }
diff --git a/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch b/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch
deleted file mode 100644
index 029333b57e4..00000000000
--- a/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From c29b637b55c93214993f40b1a223233d40b8a7d6 Mon Sep 17 00:00:00 2001
-From: Maximilian Bosch <maximilian@mbosch.me>
-Date: Wed, 19 Feb 2020 22:32:28 +0100
-Subject: [PATCH] Fix build with glibc 2.31
-
-This is derived from the corresponding upstream patch[1], however this
-one doesn't apply cleanly on busybox-1.31.1, so I rebased the patch
-locally and added it directly to nixpkgs.
-
-[1] https://git.busybox.net/busybox/patch/?id=d3539be8f27b8cbfdfee460fe08299158f08bcd9
----
- coreutils/date.c         | 2 +-
- libbb/missing_syscalls.c | 8 --------
- util-linux/rdate.c       | 8 ++++++--
- 3 files changed, 7 insertions(+), 11 deletions(-)
-
-diff --git a/coreutils/date.c b/coreutils/date.c
-index 3414d38..931b7f9 100644
---- a/coreutils/date.c
-+++ b/coreutils/date.c
-@@ -303,7 +303,7 @@ int date_main(int argc UNUSED_PARAM, char **argv)
- 		ts.tv_sec = validate_tm_time(date_str, &tm_time);
- 
- 		/* if setting time, set it */
--		if ((opt & OPT_SET) && stime(&ts.tv_sec) < 0) {
-+		if ((opt & OPT_SET) && clock_settime(CLOCK_REALTIME, &ts) < 0) {
- 			bb_perror_msg("can't set date");
- 		}
- 	}
-diff --git a/libbb/missing_syscalls.c b/libbb/missing_syscalls.c
-index 87cf59b..dc40d91 100644
---- a/libbb/missing_syscalls.c
-+++ b/libbb/missing_syscalls.c
-@@ -15,14 +15,6 @@ pid_t getsid(pid_t pid)
- 	return syscall(__NR_getsid, pid);
- }
- 
--int stime(const time_t *t)
--{
--	struct timeval tv;
--	tv.tv_sec = *t;
--	tv.tv_usec = 0;
--	return settimeofday(&tv, NULL);
--}
--
- int sethostname(const char *name, size_t len)
- {
- 	return syscall(__NR_sethostname, name, len);
-diff --git a/util-linux/rdate.c b/util-linux/rdate.c
-index 70f829e..878375d 100644
---- a/util-linux/rdate.c
-+++ b/util-linux/rdate.c
-@@ -95,9 +95,13 @@ int rdate_main(int argc UNUSED_PARAM, char **argv)
- 	if (!(flags & 2)) { /* no -p (-s may be present) */
- 		if (time(NULL) == remote_time)
- 			bb_error_msg("current time matches remote time");
--		else
--			if (stime(&remote_time) < 0)
-+		else {
-+			struct timespec ts;
-+			ts.tv_sec = remote_time;
-+			ts.tv_nsec = 0;
-+			if (clock_settime(CLOCK_REALTIME, &ts) < 0)
- 				bb_perror_msg_and_die("can't set time of day");
-+		}
- 	}
- 
- 	if (flags != 1) /* not lone -s */
--- 
-2.25.0
-
diff --git a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch b/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
deleted file mode 100644
index d11cd670d5e..00000000000
--- a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Tue, 19 May 2020 18:20:39 +0100
-Subject: [PATCH] wget: implement TLS verification with
- ENABLE_FEATURE_WGET_OPENSSL
-
-When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
-verification by default. And only ignore verification errors, if
---no-check-certificate was passed.
-
-Also note, that previously OPENSSL implementation did not implement
-TLS verification, nor printed any warning messages that verification
-was not performed.
-
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
-
-CVE-2018-1000500
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
----
- networking/wget.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/networking/wget.c b/networking/wget.c
-index f2fc9e215..6a8c08324 100644
---- a/networking/wget.c
-+++ b/networking/wget.c
-@@ -91,6 +91,9 @@
- //config:	patches, but do want to waste bandwidth expaining how wrong
- //config:	it is, you will be ignored.
- //config:
-+//config:	FEATURE_WGET_OPENSSL does implement TLS verification
-+//config:	using the certificates available to OpenSSL.
-+//config:
- //config:config FEATURE_WGET_OPENSSL
- //config:	bool "Try to connect to HTTPS using openssl"
- //config:	default y
-@@ -115,6 +118,9 @@
- //config:	If openssl can't be executed, internal TLS code will be used
- //config:	(if you enabled it); if openssl can be executed but fails later,
- //config:	wget can't detect this, and download will fail.
-+//config:
-+//config:	By default TLS verification is performed, unless
-+//config:	--no-check-certificate option is passed.
- 
- //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
- 
-@@ -124,8 +130,11 @@
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
- //usage:       "	[-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
-+//usage:	IF_FEATURE_WGET_OPENSSL(
-+//usage:       "	[--no-check-certificate]\n"
-+//usage:	)
- /* Since we ignore these opts, we don't show them in --help */
--/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
-+/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
- /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
- //usage:       "	[-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
- //usage:	)
-@@ -137,7 +146,9 @@
- //usage:       "Retrieve files via HTTP or FTP\n"
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
--///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
-+//usage:	IF_FEATURE_WGET_OPENSSL(
-+//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
-+//usage:	)
- //usage:	)
- //usage:     "\n	-c		Continue retrieval of aborted transfer"
- //usage:     "\n	-q		Quiet"
-@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 	pid = xvfork();
- 	if (pid == 0) {
- 		/* Child */
--		char *argv[8];
-+		char *argv[9];
- 
- 		close(sp[0]);
- 		xmove_fd(sp[1], 0);
-@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 			argv[5] = (char*)"-servername";
- 			argv[6] = (char*)servername;
- 		}
-+		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
-+			argv[7] = (char*)"-verify_return_error";
-+		}
- 
- 		BB_EXECVP(argv[0], argv);
- 		xmove_fd(3, 2);
--- 
-2.28.0
-
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 728d2d49118..4949cd7c14a 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, lib, buildPackages, fetchurl, fetchzip
-, enableStatic ? false
+{ stdenv, lib, buildPackages, fetchurl, fetchFromGitLab
+, enableStatic ? stdenv.hostPlatform.isStatic
 , enableMinimal ? false
 # Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
 # nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist
@@ -32,27 +32,31 @@ let
     CONFIG_FEATURE_WTMP n
   '';
 
-  debianName = "busybox_1.30.1-5";
-  debianTarball = fetchzip {
-    url = "http://deb.debian.org/debian/pool/main/b/busybox/${debianName}.debian.tar.xz";
-    sha256 = "03m4rvs2pd0hj0mdkdm3r4m1gh0bgwr0cvnqds297xnkfi5s01nx";
+  # The debian version lags behind the upstream version and also contains
+  # a debian-specific suffix. We only fetch the debian repository to get the
+  # default.script
+  debianVersion = "1.30.1-6";
+  debianSource = fetchFromGitLab {
+    domain = "salsa.debian.org";
+    owner = "installer-team";
+    repo = "busybox";
+    rev = "debian/1%${debianVersion}";
+    sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
   };
-  debianDispatcherScript = "${debianTarball}/tree/udhcpc/etc/udhcpc/default.script";
+  debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
   outDispatchPath = "$out/default.script";
 in
 
 stdenv.mkDerivation rec {
-  # TODO: When bumping this version, please validate whether the wget patch is present upstream
-  # and remove the patch if it is. The patch should be present upstream for all versions 1.32.0+.
-  # See NixOs/nixpkgs#94722 for context.
-  name = "busybox-1.31.1";
+  pname = "busybox";
+  version = "1.33.1";
 
   # Note to whoever is updating busybox: please verify that:
   # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
   # still builds after the update.
   src = fetchurl {
-    url = "https://busybox.net/downloads/${name}.tar.bz2";
-    sha256 = "1659aabzp8w4hayr4z8kcpbk2z1q2wqhw7i1yb0l72b45ykl1yfh";
+    url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2";
+    sha256 = "0a0dcvsh7nxnhxc5y73fky0z30i9p7r30qfidm2akn0n5fywdkhj";
   };
 
   hardeningDisable = [ "format" "pie" ]
@@ -60,9 +64,7 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./busybox-in-store.patch
-    ./0001-Fix-build-with-glibc-2.31.patch
-    ./0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
-  ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
 
   postPatch = "patchShebangs .";
 
@@ -116,9 +118,11 @@ stdenv.mkDerivation rec {
     logger() { '$out'/bin/logger "$@"; }\
     ' ${debianDispatcherScript} > ${outDispatchPath}
     chmod 555 ${outDispatchPath}
-    PATH=$out/bin patchShebangs ${outDispatchPath}
+    HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath}
   '';
 
+  strictDeps = true;
+
   depsBuildBuild = [ buildPackages.stdenv.cc ];
 
   buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [ stdenv.cc.libc stdenv.cc.libc.static ];
@@ -127,10 +131,10 @@ stdenv.mkDerivation rec {
 
   doCheck = false; # tries to access the net
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tiny versions of common UNIX utilities in a single small executable";
     homepage = "https://busybox.net/";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     maintainers = with maintainers; [ TethysSvensson ];
     platforms = platforms.linux;
     priority = 10;
diff --git a/pkgs/os-specific/linux/busybox/sandbox-shell.nix b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
index 036ea0a0f48..fa70e5f91d8 100644
--- a/pkgs/os-specific/linux/busybox/sandbox-shell.nix
+++ b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
@@ -1,4 +1,4 @@
-{ busybox, stdenv}:
+{ busybox}:
 
 # Minimal shell for use as basic /bin/sh in sandbox builds
 busybox.override {
@@ -8,6 +8,7 @@ busybox.override {
     CONFIG_FEATURE_FANCY_ECHO y
     CONFIG_FEATURE_SH_MATH y
     CONFIG_FEATURE_SH_MATH_64 y
+    CONFIG_FEATURE_TEST_64 y
 
     CONFIG_ASH y
     CONFIG_ASH_OPTIMIZE_FOR_SIZE y
diff --git a/pkgs/os-specific/linux/cachefilesd/default.nix b/pkgs/os-specific/linux/cachefilesd/default.nix
index 27fd8c9613a..6c52eb4a7f6 100644
--- a/pkgs/os-specific/linux/cachefilesd/default.nix
+++ b/pkgs/os-specific/linux/cachefilesd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "cachefilesd";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     "MANDIR=$(out)/share/man"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Local network file caching management daemon";
     homepage = "https://people.redhat.com/dhowells/fscache/";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/can-isotp/default.nix b/pkgs/os-specific/linux/can-isotp/default.nix
index 7f16ecb9e6d..9c30aae86fe 100644
--- a/pkgs/os-specific/linux/can-isotp/default.nix
+++ b/pkgs/os-specific/linux/can-isotp/default.nix
@@ -1,16 +1,16 @@
-{ stdenv, kernel, fetchFromGitHub }:
+{ lib, stdenv, kernel, fetchFromGitHub }:
 
 stdenv.mkDerivation {
   pname = "can-isotp";
-  version = "20180629";
+  version = "20200910";
 
   hardeningDisable = [ "pic" ];
-  
+
   src = fetchFromGitHub {
     owner = "hartkopp";
     repo = "can-isotp";
-    rev = "6003f9997587e6a563cebf1f246bcd0eb6deff3d";
-    sha256 = "0b2pqb0vd1wgv2zpl7lvfavqkzr8mrwhrv7zdqkq3rz9givcv8w7";
+    rev = "21a3a59e2bfad246782896841e7af042382fcae7";
+    sha256 = "1laax93czalclg7cy9iq1r7hfh9jigh7igj06y9lski75ap2vhfq";
   };
 
   KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
@@ -25,12 +25,12 @@ stdenv.mkDerivation {
   '';
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
-  
-  meta = with stdenv.lib; {
+
+  meta = with lib; {
     description = "Kernel module for ISO-TP (ISO 15765-2)";
     homepage = "https://github.com/hartkopp/can-isotp";
     license = licenses.gpl2;
     platforms = platforms.linux;
     maintainers = [ maintainers.evck ];
   };
-}  
+}
diff --git a/pkgs/os-specific/linux/can-utils/default.nix b/pkgs/os-specific/linux/can-utils/default.nix
index 2b6b82591b5..90261e82904 100644
--- a/pkgs/os-specific/linux/can-utils/default.nix
+++ b/pkgs/os-specific/linux/can-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation {
   pname = "can-utils";
@@ -21,7 +21,7 @@ stdenv.mkDerivation {
 
   preConfigure = ''makeFlagsArray+=(PREFIX="$out")'';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "CAN userspace utilities and tools (for use with Linux SocketCAN)";
     homepage = "https://github.com/linux-can/can-utils";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/catfs/default.nix b/pkgs/os-specific/linux/catfs/default.nix
new file mode 100644
index 00000000000..dbb525e0e29
--- /dev/null
+++ b/pkgs/os-specific/linux/catfs/default.nix
@@ -0,0 +1,47 @@
+{ lib, rustPlatform, fetchFromGitHub
+, fetchpatch
+, fuse
+, pkg-config
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "catfs";
+  version = "unstable-2020-03-21";
+
+  src = fetchFromGitHub {
+    owner = "kahing";
+    repo = pname;
+    rev = "daa2b85798fa8ca38306242d51cbc39ed122e271";
+    sha256 = "0zca0c4n2p9s5kn8c9f9lyxdf3df88a63nmhprpgflj86bh8wgf5";
+  };
+
+  cargoSha256 = "1agcwq409s40kyij487wjrp8mj7942r9l2nqwks4xqlfb0bvaimf";
+
+  cargoPatches = [
+    # update cargo lock
+    (fetchpatch {
+      url = "https://github.com/kahing/catfs/commit/f838c1cf862cec3f1d862492e5be82b6dbe16ac5.patch";
+      sha256 = "1r1p0vbr3j9xyj9r1ahipg4acii3m4ni4m9mp3avbi1rfgzhblhw";
+    })
+  ];
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs = [ fuse ];
+
+  # require fuse module to be active to run tests
+  # instead, run command
+  doCheck = false;
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/catfs --help > /dev/null
+  '';
+
+  meta = with lib; {
+    description = "Caching filesystem written in Rust";
+    homepage = "https://github.com/kahing/catfs";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ jonringer ];
+  };
+}
diff --git a/pkgs/os-specific/linux/checkpolicy/default.nix b/pkgs/os-specific/linux/checkpolicy/default.nix
index fc2faa5b8f5..c3d8928c7ba 100644
--- a/pkgs/os-specific/linux/checkpolicy/default.nix
+++ b/pkgs/os-specific/linux/checkpolicy/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, bison, flex, libsepol }:
+{ lib, stdenv, fetchurl, bison, flex, libsepol }:
 
 stdenv.mkDerivation rec {
   pname = "checkpolicy";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
 
   makeFlags = [
     "PREFIX=$(out)"
-    "LIBSEPOLA=${stdenv.lib.getLib libsepol}/lib/libsepol.a"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
   ];
 
   meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index f94e6d72d59..e0a65589571 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,23 +1,23 @@
-{ stdenv, fetchFromGitHub, makeWrapper, file, findutils
+{ lib, stdenv, fetchFromGitHub, makeWrapper, file, findutils
 , binutils-unwrapped, glibc, coreutils, sysctl, openssl
 }:
 
 stdenv.mkDerivation rec {
   pname = "checksec";
-  version = "2.2.2";
+  version = "2.4.0";
 
   src = fetchFromGitHub {
     owner = "slimm609";
     repo = "checksec.sh";
     rev = version;
-    sha256 = "0gm438sfh84bif5d40wvaqrfl4dh3fxjvnjk9ab33al8ws3afpsj";
+    sha256 = "1gbbq85d3g3mnm3xvgvi2085aba7qc3cmsbwn76al50ax1518j2q";
   };
 
   patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ];
   nativeBuildInputs = [ makeWrapper ];
 
   installPhase = let
-    path = stdenv.lib.makeBinPath [
+    path = lib.makeBinPath [
       findutils file binutils-unwrapped sysctl openssl
     ];
   in ''
@@ -29,9 +29,9 @@ stdenv.mkDerivation rec {
       --prefix PATH : ${path}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A tool for checking security bits on executables";
-    homepage    = "http://www.trapkit.de/tools/checksec.html";
+    homepage    = "https://www.trapkit.de/tools/checksec/";
     license     = licenses.bsd3;
     platforms   = platforms.linux;
     maintainers = with maintainers; [ thoughtpolice globin ];
diff --git a/pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch b/pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch
index 03ec2b1df64..c2e33dbde66 100644
--- a/pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch
+++ b/pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch
@@ -1,7 +1,7 @@
 From ae0c98ed2715c685b0cb97ac6e5d65101168b625 Mon Sep 17 00:00:00 2001
 From: Alyssa Ross <hi@alyssa.is>
 Date: Sun, 24 Nov 2019 16:56:11 +0000
-Subject: [PATCH 1/4] common-mk: don't leak source-absolute paths
+Subject: [PATCH 1/6] common-mk: don't leak source-absolute paths
 
 Source-absolute paths like //vm_tools/whatever were being leaked to
 subprocesses, which of course didn't know how to understand them.
@@ -203,5 +203,5 @@ index e64aedabe0..fb9fb4231d 100644
    }
  }
 -- 
-2.31.1
+2.32.0
 
diff --git a/pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch b/pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch
index 95f29531fec..a6ac5b1e9ac 100644
--- a/pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch
+++ b/pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch
@@ -1,7 +1,7 @@
 From 7d33bcd724ec79d00281c2752f9642be25782370 Mon Sep 17 00:00:00 2001
 From: Alyssa Ross <hi@alyssa.is>
 Date: Sun, 24 Nov 2019 17:20:46 +0000
-Subject: [PATCH 2/4] common-mk: .gn: don't hardcode env path
+Subject: [PATCH 2/6] common-mk: .gn: don't hardcode env path
 
 This is needlessly non-portable.
 ---
@@ -19,5 +19,5 @@ index e7dba8c91c..e29fcd61ee 100644
 -script_executable = "/usr/bin/env"
 +script_executable = "env"
 -- 
-2.31.1
+2.32.0
 
diff --git a/pkgs/os-specific/linux/chromium-os/crosvm/default.nix b/pkgs/os-specific/linux/chromium-os/crosvm/default.nix
index f8b6b13e694..25fa4e2d937 100644
--- a/pkgs/os-specific/linux/chromium-os/crosvm/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/crosvm/default.nix
@@ -1,6 +1,6 @@
 { stdenv, lib, rustPlatform, fetchFromGitiles, upstreamInfo
-, pkgconfig, minigbm, minijail, wayland, wayland-protocols, dtc, libusb1, libcap
-, linux
+, pkg-config, minigbm, minijail, wayland, wayland-protocols, dtc, libusb1
+, libcap, linux
 }:
 
 let
@@ -45,9 +45,9 @@ in
       ./VIRTIO_NET_F_MAC.patch
     ];
 
-    cargoSha256 = "1hw9r7vggvn8p0sy4k0i2ijpyk0yb11qww6s6d6wdfvrl1ksbapl";
+    cargoSha256 = "1yhxw19niqwipi1fbrskrpvhs915lrs8sdcpknmqd9izq67r3a06";
 
-    nativeBuildInputs = [ pkgconfig wayland ];
+    nativeBuildInputs = [ pkg-config wayland ];
 
     buildInputs = [ dtc libcap libusb1 minigbm minijail wayland wayland-protocols ];
 
@@ -67,7 +67,7 @@ in
 
     CROSVM_CARGO_TEST_KERNEL_BINARY =
       lib.optionalString (stdenv.buildPlatform == stdenv.hostPlatform)
-        "${linux}/${stdenv.hostPlatform.platform.kernelTarget}";
+        "${linux}/${stdenv.hostPlatform.linux-kernel.target}";
 
     passthru = {
       inherit srcs;
diff --git a/pkgs/os-specific/linux/chromium-os/default.nix b/pkgs/os-specific/linux/chromium-os/default.nix
index 6eb9f335ff3..efdf600756f 100644
--- a/pkgs/os-specific/linux/chromium-os/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/default.nix
@@ -30,7 +30,8 @@ let
     };
 
     linux_5_4 = callPackage ../kernel/linux-cros.nix {
-      inherit (linux_5_4) kernelPatches;
+      kernelPatches =
+        lib.remove kernelPatches.rtl8761b_support linux_5_4.kernelPatches;
     };
 
     linux = self.linux_5_4;
diff --git a/pkgs/os-specific/linux/chromium-os/libqmi/default.nix b/pkgs/os-specific/linux/chromium-os/libqmi/default.nix
index ec4f44c7047..b96b5224b57 100644
--- a/pkgs/os-specific/linux/chromium-os/libqmi/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/libqmi/default.nix
@@ -13,7 +13,9 @@ libqmi.overrideAttrs (
     nativeBuildInputs = nativeBuildInputs ++
       [ autoreconfHook autoconf-archive gtk-doc docbook-xsl-nons ];
 
-    configureFlags = configureFlags ++ [ "--enable-gtk-doc" ];
+    # ModemManager tests fail with QRTR in Chromium OS 91.
+    # Will hopefully be fixed in CrOS 92.
+    configureFlags = configureFlags ++ [ "--enable-gtk-doc" "--disable-qrtr" ];
 
     passthru = passthru // {
       updateScript = ../update.py;
diff --git a/pkgs/os-specific/linux/chromium-os/modem-manager/default.nix b/pkgs/os-specific/linux/chromium-os/modem-manager/default.nix
index c6a5a44b67e..f1d6cbdd465 100644
--- a/pkgs/os-specific/linux/chromium-os/modem-manager/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/modem-manager/default.nix
@@ -15,6 +15,8 @@ modemmanager.overrideAttrs (
       sha256 = "12wlak8zx914zix4vv5a8sl0nyi58v7593h4gjchgv3i8ysgj9ah";
     };
 
+    patches = [];
+
     nativeBuildInputs = nativeBuildInputs ++ [ autoreconfHook libtool intltool libxslt ];
     buildInputs = buildInputs ++ [ dbus_glib ];
 
diff --git a/pkgs/os-specific/linux/chromium-os/modem-manager/next.nix b/pkgs/os-specific/linux/chromium-os/modem-manager/next.nix
index 17d95c2b3bc..d008470b682 100644
--- a/pkgs/os-specific/linux/chromium-os/modem-manager/next.nix
+++ b/pkgs/os-specific/linux/chromium-os/modem-manager/next.nix
@@ -1,5 +1,5 @@
-{ modemmanager, lib, fetchFromGitiles, upstreamInfo, autoreconfHook
-, autoconf-archive, libqmi, libxslt
+{ modemmanager, lib, fetchFromGitiles, upstreamInfo
+, autoreconfHook, autoconf-archive, gtk-doc, libqmi, libxslt
 }:
 
 (modemmanager.override { inherit libqmi; }).overrideAttrs (
@@ -12,7 +12,7 @@
       upstreamInfo.components."src/third_party/modemmanager-next";
 
     nativeBuildInputs = nativeBuildInputs ++
-      [ autoreconfHook autoconf-archive libxslt ];
+      [ autoreconfHook autoconf-archive gtk-doc libxslt ];
 
     passthru = passthru // {
       updateScript = ../update.py;
diff --git a/pkgs/os-specific/linux/chromium-os/sommelier/0003-sommelier-don-t-leak-source-absolute-paths.patch b/pkgs/os-specific/linux/chromium-os/sommelier/0005-sommelier-don-t-leak-source-absolute-paths.patch
index c37876988f9..d40ff8f022c 100644
--- a/pkgs/os-specific/linux/chromium-os/sommelier/0003-sommelier-don-t-leak-source-absolute-paths.patch
+++ b/pkgs/os-specific/linux/chromium-os/sommelier/0005-sommelier-don-t-leak-source-absolute-paths.patch
@@ -1,7 +1,7 @@
-From e3995d3367ae642f3eb0b4c395813af47464a65f Mon Sep 17 00:00:00 2001
+From 04bdfd44bbaa9f619d3ff03cad3273c46493396e Mon Sep 17 00:00:00 2001
 From: Alyssa Ross <hi@alyssa.is>
 Date: Sun, 1 Dec 2019 17:04:04 +0000
-Subject: [PATCH 3/4] sommelier: don't leak source-absolute paths
+Subject: [PATCH 5/6] sommelier: don't leak source-absolute paths
 
 ---
  vm_tools/sommelier/wayland_protocol.gni | 2 +-
@@ -21,5 +21,5 @@ index f894adf81d..28bb5a006b 100644
      }
    }
 -- 
-2.31.1
+2.32.0
 
diff --git a/pkgs/os-specific/linux/chromium-os/sommelier/0004-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch b/pkgs/os-specific/linux/chromium-os/sommelier/0006-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
index 5db01538eae..c7b1eeafc0d 100644
--- a/pkgs/os-specific/linux/chromium-os/sommelier/0004-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
+++ b/pkgs/os-specific/linux/chromium-os/sommelier/0006-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
@@ -1,7 +1,7 @@
-From ac39fe3d341cc33dfd5f47d5301c2a6aaf743a34 Mon Sep 17 00:00:00 2001
+From e97193872755e44aae51dd88e9323d8a069a40ca Mon Sep 17 00:00:00 2001
 From: Alyssa Ross <hi@alyssa.is>
 Date: Fri, 2 Apr 2021 17:55:55 +0000
-Subject: [PATCH 4/4] Revert "Revert "vm_tools: sommelier: Switch to the stable
+Subject: [PATCH 6/6] Revert "Revert "vm_tools: sommelier: Switch to the stable
  version of xdg-shell""
 
 This reverts commit 32050c0ea6c00c16999915856b40a6a6b8b41bb9.
@@ -1836,5 +1836,5 @@ index 79bcf6a3b3..d3157cd8a9 100644
    struct wl_list link;
  };
 -- 
-2.31.1
+2.32.0
 
diff --git a/pkgs/os-specific/linux/chromium-os/sommelier/default.nix b/pkgs/os-specific/linux/chromium-os/sommelier/default.nix
index c995689c4f5..b45ab330c34 100644
--- a/pkgs/os-specific/linux/chromium-os/sommelier/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/sommelier/default.nix
@@ -7,8 +7,8 @@ common-mk {
   platformSubdir = "vm_tools/sommelier";
 
   platform2Patches = [
-    ./0003-sommelier-don-t-leak-source-absolute-paths.patch
-    ./0004-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
+    ./0005-sommelier-don-t-leak-source-absolute-paths.patch
+    ./0006-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
   ];
 
   buildInputs = [
diff --git a/pkgs/os-specific/linux/chromium-os/vm_protos/0003-common-mk-add-goproto_library-source_relative-opt.patch b/pkgs/os-specific/linux/chromium-os/vm_protos/0003-common-mk-add-goproto_library-source_relative-opt.patch
new file mode 100644
index 00000000000..e921abd8032
--- /dev/null
+++ b/pkgs/os-specific/linux/chromium-os/vm_protos/0003-common-mk-add-goproto_library-source_relative-opt.patch
@@ -0,0 +1,48 @@
+From 211eea8e623c9e9beb61f38720c718f080bae883 Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Mon, 28 Jun 2021 17:10:46 +0000
+Subject: [PATCH 3/6] common-mk: add goproto_library source_relative opt
+
+We need this for the go_package changes in protoc-gen-go 1.5.x.  If we
+didn't use source-relative paths, the full module path would be
+repeated in the output location, so we'd get paths like
+src/chromiumos/vm_tools/vm_crash/chromiumos/vm_tools/vm_crash/vm_crash.pb.go.
+
+To avoid the duplication, we either need to set source_relative, or
+set proto_out_dir to just go/src.  The latter isn't workable, because
+then everything two libraries that both use common.proto will both
+generate outputs called "go/src/common.pb.go", which will upset GN.
+
+Reviewed-by: Cole Helbling <cole.e.helbling@outlook.com>
+---
+ common-mk/proto_library.gni | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/common-mk/proto_library.gni b/common-mk/proto_library.gni
+index fb9fb4231d..23645a134f 100644
+--- a/common-mk/proto_library.gni
++++ b/common-mk/proto_library.gni
+@@ -225,6 +225,9 @@ template("proto_library") {
+ #   proto_lib_dirs (optional)
+ #       Directories to search for protos a proto file depends on.
+ #       proto_in_dir and "${sysroot}/usr/share/proto" are added by default.
++#   source_relative (optional)
++#       If true, the output file is placed in the same relative directory as the
++#       input file (but under proto_out_dir).
+ template("goproto_library") {
+   action(target_name) {
+     forward_variables_from(invoker,
+@@ -254,6 +257,10 @@ template("goproto_library") {
+ 
+     go_plugin_parameters = []
+ 
++    if (defined(invoker.source_relative) && invoker.source_relative) {
++      go_plugin_parameters += [ "paths=source_relative" ]
++    }
++
+     if (defined(invoker.gen_grpc) && invoker.gen_grpc) {
+       go_plugin_parameters += [ "plugins=grpc" ]
+     }
+-- 
+2.32.0
+
diff --git a/pkgs/os-specific/linux/chromium-os/vm_protos/0004-vm_tools-proto-set-go_package-correctly.patch b/pkgs/os-specific/linux/chromium-os/vm_protos/0004-vm_tools-proto-set-go_package-correctly.patch
new file mode 100644
index 00000000000..d77bcf2bdef
--- /dev/null
+++ b/pkgs/os-specific/linux/chromium-os/vm_protos/0004-vm_tools-proto-set-go_package-correctly.patch
@@ -0,0 +1,102 @@
+From fae12c5b06864c0a9687320735c9bed9219c30c8 Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Wed, 16 Jun 2021 16:09:01 +0000
+Subject: [PATCH 4/6] vm_tools: proto: set go_package correctly
+
+protoc-gen-go 1.5.x has become a lot stricter about this.  We have to
+use import_mapping for common.proto because it ends up being included
+in multiple Go libraries.  I'm not sure why it needs to be built once
+per library, but that's the way it works.
+
+Reviewed-by: Cole Helbling <cole.e.helbling@outlook.com>
+---
+ vm_tools/proto/BUILD.gn       | 5 +++++
+ vm_tools/proto/tremplin.proto | 2 +-
+ vm_tools/proto/vm_crash.proto | 2 +-
+ vm_tools/proto/vm_guest.proto | 1 +
+ vm_tools/proto/vm_host.proto  | 1 +
+ 5 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/vm_tools/proto/BUILD.gn b/vm_tools/proto/BUILD.gn
+index 79c9b94c9f..aadc40165c 100644
+--- a/vm_tools/proto/BUILD.gn
++++ b/vm_tools/proto/BUILD.gn
+@@ -60,6 +60,8 @@ goproto_library("vm-crash-gorpcs") {
+   proto_in_dir = "./"
+   proto_out_dir = "go/src/chromiumos/vm_tools/vm_crash"
+   gen_grpc = true
++  source_relative = true
++  import_mapping = [ "common.proto=chromiumos/vm_tools/vm_crash" ]
+   sources = [
+     "${proto_in_dir}/common.proto",
+     "${proto_in_dir}/vm_crash.proto",
+@@ -97,6 +99,7 @@ goproto_library("tremplin-gorpcs") {
+   proto_in_dir = "./"
+   proto_out_dir = "go/src/chromiumos/vm_tools/tremplin_proto"
+   gen_grpc = true
++  source_relative = true
+   sources = [ "${proto_in_dir}/tremplin.proto" ]
+ }
+ 
+@@ -120,6 +123,8 @@ goproto_library("vm-gorpcs") {
+   proto_in_dir = "./"
+   proto_out_dir = "go/src/chromiumos/vm_tools/vm_rpc"
+   gen_grpc = true
++  source_relative = true
++  import_mapping = [ "common.proto=chromiumos/vm_tools/vm_rpc" ]
+   sources = [
+     "${proto_in_dir}/common.proto",
+     "${proto_in_dir}/vm_guest.proto",
+diff --git a/vm_tools/proto/tremplin.proto b/vm_tools/proto/tremplin.proto
+index aac76f7a9e..e6a7bbed0e 100644
+--- a/vm_tools/proto/tremplin.proto
++++ b/vm_tools/proto/tremplin.proto
+@@ -8,7 +8,7 @@ option cc_enable_arenas = true;
+ 
+ // This file defines services for tremplin, the container springboard service.
+ package vm_tools.tremplin;
+-option go_package = "tremplin_proto";
++option go_package = "chromiumos/vm_tools/tremplin_proto";
+ 
+ // This needs to be duplicated because the gyp rule for building
+ // go code makes it difficult to have imports.
+diff --git a/vm_tools/proto/vm_crash.proto b/vm_tools/proto/vm_crash.proto
+index 6e4f62fe13..3cd4279989 100644
+--- a/vm_tools/proto/vm_crash.proto
++++ b/vm_tools/proto/vm_crash.proto
+@@ -7,7 +7,7 @@ syntax = "proto3";
+ option cc_enable_arenas = true;
+ 
+ package vm_tools.cicerone;
+-option go_package = "vm_crash";
++option go_package = "chromiumos/vm_tools/vm_crash";
+ 
+ import "common.proto";
+ 
+diff --git a/vm_tools/proto/vm_guest.proto b/vm_tools/proto/vm_guest.proto
+index 86f11d0812..d0946078d5 100644
+--- a/vm_tools/proto/vm_guest.proto
++++ b/vm_tools/proto/vm_guest.proto
+@@ -8,6 +8,7 @@ option cc_enable_arenas = true;
+ 
+ // This file defines services that will be running in the guest VM.
+ package vm_tools;
++option go_package = "chromiumos/vm_tools/vm_rpc";
+ 
+ import "common.proto";
+ import "google/protobuf/timestamp.proto";
+diff --git a/vm_tools/proto/vm_host.proto b/vm_tools/proto/vm_host.proto
+index a8bd066f61..19759b0271 100644
+--- a/vm_tools/proto/vm_host.proto
++++ b/vm_tools/proto/vm_host.proto
+@@ -8,6 +8,7 @@ option cc_enable_arenas = true;
+ 
+ // This file defines services that will be running on the host for the VM.
+ package vm_tools;
++option go_package = "chromiumos/vm_tools/vm_rpc";
+ 
+ import "common.proto";
+ 
+-- 
+2.32.0
+
diff --git a/pkgs/os-specific/linux/chromium-os/vm_protos/default.nix b/pkgs/os-specific/linux/chromium-os/vm_protos/default.nix
index e87d0c57e78..cded9c988b3 100644
--- a/pkgs/os-specific/linux/chromium-os/vm_protos/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/vm_protos/default.nix
@@ -7,6 +7,11 @@ common-mk {
   nativeBuildInputs = [ go-protobuf ];
   buildInputs = [ grpc openssl protobuf ];
 
+  platform2Patches = [
+    ./0003-common-mk-add-goproto_library-source_relative-opt.patch
+    ./0004-vm_tools-proto-set-go_package-correctly.patch
+  ];
+
   NIX_CFLAGS_COMPILE = [
     "-Wno-error=array-bounds"
     "-Wno-error=deprecated-declarations"
diff --git a/pkgs/os-specific/linux/cifs-utils/default.nix b/pkgs/os-specific/linux/cifs-utils/default.nix
index ad136b811df..8c587a40196 100644
--- a/pkgs/os-specific/linux/cifs-utils/default.nix
+++ b/pkgs/os-specific/linux/cifs-utils/default.nix
@@ -1,23 +1,27 @@
-{ stdenv, fetchurl, autoreconfHook, docutils, pkgconfig
-, kerberos, keyutils, pam, talloc }:
+{ stdenv, lib, fetchurl, autoreconfHook, docutils, pkg-config
+, libkrb5, keyutils, pam, talloc, python3 }:
 
 stdenv.mkDerivation rec {
   pname = "cifs-utils";
-  version = "6.9";
+  version = "6.13";
 
   src = fetchurl {
     url = "mirror://samba/pub/linux-cifs/cifs-utils/${pname}-${version}.tar.bz2";
-    sha256 = "175cp509wn1zv8p8mv37hkf6sxiskrsxdnq22mhlsg61jazz3n0q";
+    sha256 = "sha256-Q9h4bIYTysz6hJEwgcHWK8JAlXWFTPiVsFtIrwhj0FY=";
   };
 
-  nativeBuildInputs = [ autoreconfHook docutils pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook docutils pkg-config ];
 
-  buildInputs = [ kerberos keyutils pam talloc ];
+  buildInputs = [ libkrb5 keyutils pam talloc python3 ];
 
-  makeFlags = [ "root_sbindir=$(out)/sbin" ];
+  configureFlags = [ "ROOTSBINDIR=$(out)/sbin" ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    # AC_FUNC_MALLOC is broken on cross builds.
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ];
 
-  meta = with stdenv.lib; {
-    homepage = "http://www.samba.org/linux-cifs/cifs-utils/";
+  meta = with lib; {
+    homepage = "https://wiki.samba.org/index.php/LinuxCIFS_utils";
     description = "Tools for managing Linux CIFS client filesystems";
     platforms = platforms.linux;
     license = licenses.lgpl3;
diff --git a/pkgs/os-specific/linux/compsize/default.nix b/pkgs/os-specific/linux/compsize/default.nix
index dd54df77c34..9d0dbeffaee 100644
--- a/pkgs/os-specific/linux/compsize/default.nix
+++ b/pkgs/os-specific/linux/compsize/default.nix
@@ -1,30 +1,31 @@
-{ stdenv, fetchFromGitHub, btrfs-progs }:
+{ lib, stdenv, fetchFromGitHub, btrfs-progs }:
 
 stdenv.mkDerivation rec {
   pname = "compsize";
-  version = "1.3";
+  version = "1.5";
 
   src = fetchFromGitHub {
     owner = "kilobyte";
-    repo = "compsize";
+    repo = pname;
     rev = "v${version}";
-    sha256 = "1c69whla844nwis30jxbj00zkpiw3ccndhkmzjii8av5358mjn43";
+    sha256 = "sha256-OX41ChtHX36lVRL7O2gH21Dfw6GPPEClD+yafR/PFm8=";
   };
 
   buildInputs = [ btrfs-progs ];
 
-  installPhase = ''
-    mkdir -p $out/bin
+  installFlags = [
+    "PREFIX=${placeholder "out"}"
+  ];
+
+  preInstall = ''
     mkdir -p $out/share/man/man8
-    install -m 0755 compsize $out/bin
-    install -m 0444 compsize.8 $out/share/man/man8
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "btrfs: Find compression type/ratio on a file or set of files";
-    homepage    = "https://github.com/kilobyte/compsize";
-    license     = licenses.gpl2;
+    homepage = "https://github.com/kilobyte/compsize";
+    license = licenses.gpl2Plus;
     maintainers = with maintainers; [ CrazedProgrammer ];
-    platforms   = platforms.linux;
+    platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/conky/default.nix b/pkgs/os-specific/linux/conky/default.nix
index ee67140cd86..9bd8890e713 100644
--- a/pkgs/os-specific/linux/conky/default.nix
+++ b/pkgs/os-specific/linux/conky/default.nix
@@ -1,4 +1,4 @@
-{ config, stdenv, fetchFromGitHub, pkgconfig, cmake
+{ config, lib, stdenv, fetchFromGitHub, pkg-config, cmake
 
 # dependencies
 , glib, libXinerama
@@ -64,17 +64,17 @@ assert weatherMetarSupport -> curlSupport;
 assert weatherXoapSupport  -> curlSupport && libxml2 != null;
 assert journalSupport      -> systemd != null;
 
-with stdenv.lib;
+with lib;
 
 stdenv.mkDerivation rec {
   pname = "conky";
-  version = "1.11.6";
+  version = "1.12.2";
 
   src = fetchFromGitHub {
     owner = "brndnmtthws";
     repo = "conky";
     rev = "v${version}";
-    sha256 = "0y2g66fjqp2hdk0y1h4ijxhnv34j16gizvxpmbigwh4n6zijcm6v";
+    sha256 = "sha256-x6bR5E5LIvKWiVM15IEoUgGas/hcRp3F/O4MTOhVPb8=";
   };
 
   postPatch = ''
@@ -89,7 +89,7 @@ stdenv.mkDerivation rec {
 
   NIX_LDFLAGS = "-lgcc_s";
 
-  nativeBuildInputs = [ cmake pkgconfig ];
+  nativeBuildInputs = [ cmake pkg-config ];
   buildInputs = [ glib libXinerama ]
     ++ optionals docsSupport        [ docbook2x docbook_xsl docbook_xml_dtd_44 libxslt man less ]
     ++ optional  ncursesSupport     ncurses
@@ -133,7 +133,7 @@ stdenv.mkDerivation rec {
   # src/conky.cc:137:23: fatal error: defconfig.h: No such file or directory
   enableParallelBuilding = false;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://conky.sourceforge.net/";
     description = "Advanced, highly configurable system monitor based on torsmo";
     maintainers = [ maintainers.guibert ];
diff --git a/pkgs/os-specific/linux/conntrack-tools/default.nix b/pkgs/os-specific/linux/conntrack-tools/default.nix
index 80785015e76..0b14398e58f 100644
--- a/pkgs/os-specific/linux/conntrack-tools/default.nix
+++ b/pkgs/os-specific/linux/conntrack-tools/default.nix
@@ -1,6 +1,8 @@
-{ fetchurl, stdenv, flex, bison, pkgconfig, libmnl, libnfnetlink
+{ fetchurl, lib, stdenv, flex, bison, pkg-config, libmnl, libnfnetlink
 , libnetfilter_conntrack, libnetfilter_queue, libnetfilter_cttimeout
-, libnetfilter_cthelper, systemd }:
+, libnetfilter_cthelper, systemd
+, libtirpc
+}:
 
 stdenv.mkDerivation rec {
   pname = "conntrack-tools";
@@ -13,11 +15,11 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     libmnl libnfnetlink libnetfilter_conntrack libnetfilter_queue
-    libnetfilter_cttimeout libnetfilter_cthelper systemd
+    libnetfilter_cttimeout libnetfilter_cthelper systemd libtirpc
   ];
-  nativeBuildInputs = [ flex bison pkgconfig ];
+  nativeBuildInputs = [ flex bison pkg-config ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://conntrack-tools.netfilter.org/";
     description = "Connection tracking userspace tools";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/consoletools/default.nix b/pkgs/os-specific/linux/consoletools/default.nix
index 83de8f5ae1a..8def013b956 100644
--- a/pkgs/os-specific/linux/consoletools/default.nix
+++ b/pkgs/os-specific/linux/consoletools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, SDL }:
+{ lib, stdenv, fetchurl, SDL }:
 
 stdenv.mkDerivation rec {
   pname = "linuxconsoletools";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
 
   installFlags = [ "PREFIX=\"\"" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://sourceforge.net/projects/linuxconsole/";
     description = "A set of tools for joysticks and serial peripherals";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/conspy/default.nix b/pkgs/os-specific/linux/conspy/default.nix
index 32905b8ec39..480962024f7 100644
--- a/pkgs/os-specific/linux/conspy/default.nix
+++ b/pkgs/os-specific/linux/conspy/default.nix
@@ -1,13 +1,13 @@
-{stdenv, fetchurl, autoconf, automake, ncurses}:
+{lib, stdenv, fetchurl, autoconf, automake, ncurses}:
 let
   s = # Generated upstream information
   rec {
     baseName="conspy";
-    version="1.14";
+    version="1.16";
     name="${baseName}-${version}";
-    hash="069k26xpzsvrn3197ix5yd294zvz03zi2xqj4fip6rlsw74habsf";
-    url="mirror://sourceforge/project/conspy/conspy-1.14-1/conspy-1.14.tar.gz";
-    sha256="069k26xpzsvrn3197ix5yd294zvz03zi2xqj4fip6rlsw74habsf";
+    hash="02andak806vd04bgjlr0y0d2ddx7cazyf8nvca80vlh8x94gcppf";
+    url="mirror://sourceforge/project/conspy/conspy-1.16-1/conspy-1.16.tar.gz";
+    sha256="02andak806vd04bgjlr0y0d2ddx7cazyf8nvca80vlh8x94gcppf";
   };
   buildInputs = [
     autoconf automake ncurses
@@ -30,8 +30,8 @@ stdenv.mkDerivation {
   meta = {
     inherit (s) version;
     description = "Linux text console viewer";
-    license = stdenv.lib.licenses.epl10 ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.epl10 ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/cpufrequtils/default.nix b/pkgs/os-specific/linux/cpufrequtils/default.nix
index 4c0515e94b3..6f94d0f8925 100644
--- a/pkgs/os-specific/linux/cpufrequtils/default.nix
+++ b/pkgs/os-specific/linux/cpufrequtils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libtool, gettext }:
+{ lib, stdenv, fetchurl, libtool, gettext }:
 
 stdenv.mkDerivation rec {
   name = "cpufrequtils-008";
@@ -21,10 +21,10 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ stdenv.cc.libc.linuxHeaders libtool gettext ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tools to display or change the CPU governor settings";
     homepage = "http://ftp.be.debian.org/pub/linux/utils/kernel/cpufreq/cpufrequtils.html";
-    license = licenses.gpl2;
-    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    platforms = [ "x86_64-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/cpuid/default.nix b/pkgs/os-specific/linux/cpuid/default.nix
new file mode 100644
index 00000000000..ea9ae06130e
--- /dev/null
+++ b/pkgs/os-specific/linux/cpuid/default.nix
@@ -0,0 +1,50 @@
+{ lib, stdenv, fetchurl, perl }:
+
+stdenv.mkDerivation rec {
+  pname = "cpuid";
+  version = "20201006";
+
+  src = fetchurl {
+    name = "${pname}-${version}.src.tar.gz";
+    url = "http://etallen.com/cpuid/${pname}-${version}.src.tar.gz";
+    sha256 = "19jnkh57f979b78ak5mpxmdvnkgc33r55cw9shgd2hc380b3zi8k";
+  };
+
+  # For pod2man during the build process.
+  nativeBuildInputs = [ perl ];
+
+  # As runtime dependency for cpuinfo2cpuid.
+  buildInputs = [ perl ];
+
+  # The Makefile hardcodes $(BUILDROOT)/usr as installation
+  # destination. Just nuke all mentions of /usr to get the right
+  # installation location.
+  patchPhase = ''
+    sed -i -e 's,/usr/,/,' Makefile
+  '';
+
+  installPhase = ''
+    make install BUILDROOT=$out
+
+    if [ ! -x $out/bin/cpuid ]; then
+      echo Failed to properly patch Makefile.
+      exit 1
+    fi
+  '';
+
+  meta = {
+    description = "Linux tool to dump x86 CPUID information about the CPU";
+    longDescription = ''
+      cpuid dumps detailed information about the CPU(s) gathered from the CPUID
+      instruction, and also determines the exact model of CPU(s). It supports
+      Intel, AMD, VIA, Hygon, and Zhaoxin CPUs, as well as older Transmeta,
+      Cyrix, UMC, NexGen, Rise, and SiS CPUs.
+    '';
+
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    license = lib.licenses.gpl2;
+    homepage = "http://etallen.com/cpuid.html";
+    maintainers = with lib.maintainers; [ blitz ];
+  };
+
+}
diff --git a/pkgs/os-specific/linux/cpupower/default.nix b/pkgs/os-specific/linux/cpupower/default.nix
index b6ecaa11de2..cfc0ace8e0a 100644
--- a/pkgs/os-specific/linux/cpupower/default.nix
+++ b/pkgs/os-specific/linux/cpupower/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, buildPackages, kernel, pciutils, gettext }:
+{ lib, stdenv, buildPackages, kernel, pciutils, gettext }:
 
 stdenv.mkDerivation {
   pname = "cpupower";
@@ -20,7 +20,7 @@ stdenv.mkDerivation {
     "LD=${stdenv.cc.targetPrefix}cc"
   ];
 
-  installFlags = stdenv.lib.mapAttrsToList
+  installFlags = lib.mapAttrsToList
     (n: v: "${n}dir=${placeholder "out"}/${v}") {
     bin = "bin";
     sbin = "sbin";
@@ -35,7 +35,7 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tool to examine and tune power saving features";
     homepage = "https://www.kernel.org/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/cpuset/default.nix b/pkgs/os-specific/linux/cpuset/default.nix
index 0a9b38f2888..e82e3f5901c 100644
--- a/pkgs/os-specific/linux/cpuset/default.nix
+++ b/pkgs/os-specific/linux/cpuset/default.nix
@@ -1,27 +1,44 @@
-{ stdenv
+{ lib
 , fetchFromGitHub
-, python2Packages
+, fetchpatch
+, pythonPackages
 }:
 
-python2Packages.buildPythonApplication rec {
+pythonPackages.buildPythonApplication rec {
   pname = "cpuset";
-  version = "1.5.8";
+  version = "1.6";
 
-  propagatedBuildInputs = [ ];
+  propagatedBuildInputs = with pythonPackages; [
+    configparser
+    future
+  ];
+
+  # https://github.com/lpechacek/cpuset/pull/36
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/MawKKe/cpuset/commit/a4b6b275d0a43d2794ab9e82922d3431aeea9903.patch";
+      sha256 = "1mi1xrql81iczl67s4dk2rm9r1mk36qhsa19wn7zgryf95krsix2";
+    })
+  ];
 
   makeFlags = [ "prefix=$(out)" ];
 
   src = fetchFromGitHub {
-    owner = "wykurz";
+    owner = "lpechacek";
     repo = "cpuset";
     rev = "v${version}";
-    sha256 = "19fl2sn470yrnm2q508giggjwy5b6r2gd94gvwfbdlhf0r9dsbbm";
+    sha256 = "0ig0ml2zd5542d0989872vmy7cs3qg7nxwa93k42bdkm50amhar4";
   };
 
-  meta = with stdenv.lib; {
-    description = "Cpuset is a Python application that forms a wrapper around the standard Linux filesystem calls to make using the cpusets facilities in the Linux kernel easier.";
-    homepage    = "https://github.com/wykurz/cpuset";
+  checkPhase = ''
+    cd t
+    make
+  '';
+
+  meta = with lib; {
+    description = "Python application that forms a wrapper around the standard Linux filesystem calls to make using the cpusets facilities in the Linux kernel easier";
+    homepage    = "https://github.com/lpechacek/cpuset";
     license     = licenses.gpl2;
-    maintainers = with maintainers; [ wykurz ];
+    maintainers = with maintainers; [ thiagokokada wykurz ];
   };
 }
diff --git a/pkgs/os-specific/linux/cramfsprogs/default.nix b/pkgs/os-specific/linux/cramfsprogs/default.nix
index 8633823ab5c..3f3e8a075b1 100644
--- a/pkgs/os-specific/linux/cramfsprogs/default.nix
+++ b/pkgs/os-specific/linux/cramfsprogs/default.nix
@@ -1,4 +1,4 @@
-{ stdenv
+{ lib, stdenv
 , fetchurl
 , zlib
 }:
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ zlib ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tools to create, check, and extract content of CramFs images";
     homepage = "https://packages.debian.org/jessie/cramfsprogs";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/cramfsswap/default.nix b/pkgs/os-specific/linux/cramfsswap/default.nix
index afb38364c4e..f47482c1111 100644
--- a/pkgs/os-specific/linux/cramfsswap/default.nix
+++ b/pkgs/os-specific/linux/cramfsswap/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, zlib}:
+{lib, stdenv, fetchurl, zlib}:
 
 stdenv.mkDerivation rec {
   pname = "cramfsswap";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     install --target $out/bin -D cramfsswap
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Swap endianess of a cram filesystem (cramfs)";
     homepage = "https://packages.debian.org/sid/utils/cramfsswap";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/crda/default.nix b/pkgs/os-specific/linux/crda/default.nix
index 979b7cf1deb..c337da2fe72 100644
--- a/pkgs/os-specific/linux/crda/default.nix
+++ b/pkgs/os-specific/linux/crda/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, libgcrypt, libnl, pkgconfig, python3Packages, wireless-regdb }:
+{ lib, stdenv, fetchurl, fetchpatch, libgcrypt, libnl, pkg-config, python3Packages, wireless-regdb }:
 
 stdenv.mkDerivation rec {
   pname = "crda";
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ libgcrypt libnl ];
   nativeBuildInputs = [
-    pkgconfig
+    pkg-config
     python3Packages.pycrypto
   ];
 
@@ -58,7 +58,7 @@ stdenv.mkDerivation rec {
     rm $out/include/reglib/keys-gcrypt.h
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux wireless Central Regulatory Domain Agent";
     longDescription = ''
       CRDA acts as the udev helper for communication between the kernel and
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index 462658396c8..af772645824 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -1,24 +1,25 @@
 { stdenv, lib, fetchurl, protobuf, protobufc, asciidoc, iptables
-, xmlto, docbook_xsl, libpaper, libnl, libcap, libnet, pkgconfig
-, which, python, makeWrapper, docbook_xml_dtd_45 }:
+, xmlto, docbook_xsl, libpaper, libnl, libcap, libnet, pkg-config
+, which, python3, makeWrapper, docbook_xml_dtd_45, perl }:
 
 stdenv.mkDerivation rec {
   pname = "criu";
-  version = "3.14";
+  version = "3.15";
 
   src = fetchurl {
     url    = "https://download.openvz.org/criu/${pname}-${version}.tar.bz2";
-    sha256 = "1jrr3v99g18gc0hriz0avq6ccdvyya0j6wwz888sdsc4icc30gzn";
+    sha256 = "09d0j24x0cyc7wkgi7cnxqgfjk7kbdlm79zxpj8d356sa3rw2z24";
   };
 
   enableParallelBuilding = true;
-  nativeBuildInputs = [ pkgconfig docbook_xsl which makeWrapper docbook_xml_dtd_45 ];
-  buildInputs = [ protobuf protobufc asciidoc xmlto libpaper libnl libcap libnet python iptables ];
+  nativeBuildInputs = [ pkg-config docbook_xsl which makeWrapper docbook_xml_dtd_45 python3 python3.pkgs.wrapPython perl ];
+  buildInputs = [ protobuf protobufc asciidoc xmlto libpaper libnl libcap libnet iptables ];
+  propagatedBuildInputs = with python3.pkgs; [ python python3.pkgs.protobuf ];
 
   postPatch = ''
-    substituteInPlace ./Documentation/Makefile --replace "2>/dev/null" ""
-    substituteInPlace ./Documentation/Makefile --replace "-m custom.xsl" "-m custom.xsl --skip-validation -x ${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl"
-    substituteInPlace ./criu/Makefile --replace "-I/usr/include/libnl3" "-I${libnl.dev}/include/libnl3"
+    substituteInPlace ./Documentation/Makefile \
+      --replace "2>/dev/null" "" \
+      --replace "-m custom.xsl" "-m custom.xsl --skip-validation -x ${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl"
     substituteInPlace ./Makefile --replace "head-name := \$(shell git tag -l v\$(CRIU_VERSION))" "head-name = ${version}.0"
     ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto
   '';
@@ -39,13 +40,14 @@ stdenv.mkDerivation rec {
   postFixup = ''
     wrapProgram $out/bin/criu \
       --prefix PATH : ${lib.makeBinPath [ iptables ]}
+    wrapPythonPrograms
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Userspace checkpoint/restore for Linux";
     homepage    = "https://criu.org";
     license     = licenses.gpl2;
-    platforms   = [ "x86_64-linux" ];
+    platforms   = [ "x86_64-linux" "aarch64-linux" ];
     maintainers = [ maintainers.thoughtpolice ];
   };
 }
diff --git a/pkgs/os-specific/linux/cryptodev/default.nix b/pkgs/os-specific/linux/cryptodev/default.nix
index 321f00b0ef2..f09679ba212 100644
--- a/pkgs/os-specific/linux/cryptodev/default.nix
+++ b/pkgs/os-specific/linux/cryptodev/default.nix
@@ -1,14 +1,14 @@
-{ fetchurl, stdenv, kernel ? false }:
+{ fetchFromGitHub, lib, stdenv, kernel ? false }:
 
 stdenv.mkDerivation rec {
-  pname = "cryptodev-linux-1.9";
+  pname = "cryptodev-linux-1.12";
   name = "${pname}-${kernel.version}";
 
-  src = fetchurl {
-    urls = [
-      "http://nwl.cc/pub/cryptodev-linux/${pname}.tar.gz"
-    ];
-    sha256 = "0l3r8s71vkd0s2h01r7fhqnc3j8cqw4msibrdxvps9hfnd4hnk4z";
+  src = fetchFromGitHub {
+    owner = "cryptodev-linux";
+    repo = "cryptodev-linux";
+    rev = pname;
+    sha256 = "sha256-vJQ10rG5FGbeEOqCUmH/pZ0P77kAW/MtUarywbtIyHw=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -20,8 +20,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Device that allows access to Linux kernel cryptographic drivers";
     homepage = "http://cryptodev-linux.org/";
-    license = stdenv.lib.licenses.gpl2Plus;
-    platforms = stdenv.lib.platforms.linux;
-    broken = !stdenv.lib.versionOlder kernel.version "4.13";
+    maintainers = with lib.maintainers; [ fortuneteller2k ];
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix
index caa22b4df3e..e7304e19679 100644
--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -1,15 +1,15 @@
-{ stdenv, fetchurl, lvm2, json_c
-, openssl, libuuid, pkgconfig, popt }:
+{ lib, stdenv, fetchurl, lvm2, json_c
+, openssl, libuuid, pkg-config, popt }:
 
 stdenv.mkDerivation rec {
   pname = "cryptsetup";
-  version = "2.3.3";
+  version = "2.3.6";
 
   outputs = [ "out" "dev" "man" ];
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/cryptsetup/v2.3/${pname}-${version}.tar.xz";
-    sha256 = "1pw2bq4nv2z3xyycckxkbp7dp9kkp2n6bspna3plryg277z4zjiv";
+    sha256 = "sha256-spa3oh6ldsKxgGEcyxnQauyN3a7ffHBLDGqBIQwlY18=";
   };
 
   # Disable 4 test cases that fail in a sandbox
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
     "--with-crypto_backend=openssl"
   ];
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ lvm2 json_c openssl libuuid popt ];
 
   doCheck = true;
@@ -39,8 +39,8 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "https://gitlab.com/cryptsetup/cryptsetup/";
     description = "LUKS for dm-crypt";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = with stdenv.lib.maintainers; [ ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/cshatag/default.nix b/pkgs/os-specific/linux/cshatag/default.nix
new file mode 100644
index 00000000000..bc1b7f7ecf5
--- /dev/null
+++ b/pkgs/os-specific/linux/cshatag/default.nix
@@ -0,0 +1,32 @@
+{ lib, buildGoPackage, fetchFromGitHub }:
+
+buildGoPackage rec {
+  pname = "cshatag";
+  version = "2019-12-03";
+
+  goPackagePath = "github.com/rfjakob/cshatag";
+  goDeps = ./deps.nix;
+
+  src = fetchFromGitHub {
+    owner = "rfjakob";
+    repo = pname;
+    rev = "b169f0a9dd35a7381774eb176d4badf64d403560";
+    sha256 = "16kam3w75avh8khkk6jfdnxwggz2pw6ccv6v7d064j0fbb9y8x0v";
+  };
+
+  makeFlags = [ "PREFIX=$(out)" "GITVERSION=${version}" ];
+
+  postInstall = ''
+    # Install man page
+    cd go/src/${goPackagePath}
+    make install $makeFlags
+  '';
+
+  meta = with lib; {
+    description = "A tool to detect silent data corruption";
+    homepage = "https://github.com/rfjakob/cshatag";
+    license = licenses.mit;
+    platforms = platforms.linux;
+  };
+
+}
diff --git a/pkgs/os-specific/linux/cshatag/deps.nix b/pkgs/os-specific/linux/cshatag/deps.nix
new file mode 100644
index 00000000000..6daad985678
--- /dev/null
+++ b/pkgs/os-specific/linux/cshatag/deps.nix
@@ -0,0 +1,21 @@
+# This file was generated by https://github.com/kamilchm/go2nix v1.3.0
+[
+  {
+    goPackagePath = "github.com/pkg/xattr";
+    fetch = {
+      type = "git";
+      url = "https://github.com/pkg/xattr";
+      rev = "d304131d5e58ca76d8b31ceefbb0c85c7b2d2a36";
+      sha256 = "0bxskiai283zfra13z5f7q7f77zz2cgswaj6l6jr2nwnc3l5m80i";
+    };
+  }
+  {
+    goPackagePath = "golang.org/x/sys";
+    fetch = {
+      type = "git";
+      url = "https://go.googlesource.com/sys";
+      rev = "201ba4db2418b54b698efb4d8082dcb504617cdb";
+      sha256 = "1cqaiwp19kl38g4d6brfhi32822rhnh2q8x1j0i6yg7a8dzfvbz6";
+    };
+  }
+]
diff --git a/pkgs/os-specific/linux/dbus-broker/default.nix b/pkgs/os-specific/linux/dbus-broker/default.nix
index d84676bcda6..b7e0a6b6158 100644
--- a/pkgs/os-specific/linux/dbus-broker/default.nix
+++ b/pkgs/os-specific/linux/dbus-broker/default.nix
@@ -1,22 +1,24 @@
-{ stdenv, fetchFromGitHub, docutils, meson, ninja, pkgconfig
+{ lib, stdenv, fetchFromGitHub, docutils, meson, ninja, pkg-config
 , dbus, linuxHeaders, systemd }:
 
 stdenv.mkDerivation rec {
   pname = "dbus-broker";
-  version = "22";
+  version = "29";
 
   src = fetchFromGitHub {
     owner  = "bus1";
     repo   = "dbus-broker";
     rev    = "v${version}";
-    sha256 = "0vxr73afix5wjxy8g4cckwhl242rrlazm52673iwmdyfz5nskj2x";
+    sha256 = "1abbi8c0mgdqjidlp2wnmy0a88xv173hq88sh5m966c5r1h6alkq";
     fetchSubmodules = true;
   };
 
-  nativeBuildInputs = [ docutils meson ninja pkgconfig ];
+  nativeBuildInputs = [ docutils meson ninja pkg-config ];
 
   buildInputs = [ dbus linuxHeaders systemd ];
 
+  mesonFlags = [ "-D=system-console-users=gdm,sddm,lightdm" ];
+
   PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
   PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "${placeholder "out"}/lib/systemd/user";
   PKG_CONFIG_SYSTEMD_CATALOGDIR = "${placeholder "out"}/lib/systemd/catalog";
@@ -30,7 +32,7 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux D-Bus Message Broker";
     homepage    = "https://github.com/bus1/dbus-broker/wiki";
     license     = licenses.asl20;
diff --git a/pkgs/os-specific/linux/ddcci/default.nix b/pkgs/os-specific/linux/ddcci/default.nix
index c977db64ee8..7e5f95cb206 100644
--- a/pkgs/os-specific/linux/ddcci/default.nix
+++ b/pkgs/os-specific/linux/ddcci/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitLab, kernel }:
+{ lib, stdenv, fetchFromGitLab, kernel }:
 
 stdenv.mkDerivation rec {
   pname = "ddcci-driver";
@@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
     "INCLUDEDIR=$(out)/include"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Kernel module driver for DDC/CI monitors";
     homepage = "https://gitlab.com/ddcci-driver-linux/ddcci-driver-linux";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/deepin-anything/default.nix b/pkgs/os-specific/linux/deepin-anything/default.nix
deleted file mode 100644
index 4139cc153cd..00000000000
--- a/pkgs/os-specific/linux/deepin-anything/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ stdenv, deepin, kernel }:
-
-stdenv.mkDerivation {
-  pname = "deepin-anything-module";
-  version = "${deepin.deepin-anything.version}-${kernel.version}";
-  src = deepin.deepin-anything.modsrc;
-
-  nativeBuildInputs = kernel.moduleBuildDependencies;
-
-  buildPhase = ''
-    make -C src/deepin-anything-0.0 kdir=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build
-  '';
-
-  installPhase = ''
-     install -m 644 -D -t $out/lib/modules/${kernel.modDirVersion}/extra src/deepin-anything-0.0/*.ko
-  '';
-
-  meta = deepin.deepin-anything.meta // {
-    description = deepin.deepin-anything.meta.description + " (kernel modules)";
-    badPlatforms = [ "aarch64-linux" ];  # the kernel module is not building
-  };
-}
diff --git a/pkgs/os-specific/linux/device-tree/default.nix b/pkgs/os-specific/linux/device-tree/default.nix
index 13d819a08a5..13c609cdf7d 100644
--- a/pkgs/os-specific/linux/device-tree/default.nix
+++ b/pkgs/os-specific/linux/device-tree/default.nix
@@ -1,16 +1,31 @@
-{ stdenvNoCC, dtc, findutils }:
+{ lib, stdenvNoCC, dtc, findutils }:
 
-with stdenvNoCC.lib; {
-  applyOverlays = (base: overlays: stdenvNoCC.mkDerivation {
+with lib; {
+  applyOverlays = (base: overlays': stdenvNoCC.mkDerivation {
     name = "device-tree-overlays";
     nativeBuildInputs = [ dtc findutils ];
     buildCommand = let
-      quotedDtbos = concatMapStringsSep " " (o: "\"${toString o}\"") (toList overlays);
+      overlays = toList overlays';
     in ''
-      for dtb in $(find ${base} -name "*.dtb" ); do
-        outDtb=$out/$(realpath --relative-to "${base}" "$dtb")
-        mkdir -p "$(dirname "$outDtb")"
-        fdtoverlay -o "$outDtb" -i "$dtb" ${quotedDtbos};
+      mkdir -p $out
+      cd ${base}
+      find . -type f -name '*.dtb' -print0 \
+        | xargs -0 cp -v --no-preserve=mode --target-directory $out --parents
+
+      for dtb in $(find $out -type f -name '*.dtb'); do
+        dtbCompat="$( fdtget -t s $dtb / compatible )"
+
+        ${flip (concatMapStringsSep "\n") overlays (o: ''
+        overlayCompat="$( fdtget -t s ${o.dtboFile} / compatible )"
+        # overlayCompat in dtbCompat
+        if [[ "$dtbCompat" =~ "$overlayCompat" ]]; then
+          echo "Applying overlay ${o.name} to $( basename $dtb )"
+          mv $dtb{,.in}
+          fdtoverlay -o "$dtb" -i "$dtb.in" ${o.dtboFile};
+          rm $dtb.in
+        fi
+        '')}
+
       done
     '';
   });
diff --git a/pkgs/os-specific/linux/device-tree/raspberrypi.nix b/pkgs/os-specific/linux/device-tree/raspberrypi.nix
index 5a0d5710392..b4b40f8331f 100644
--- a/pkgs/os-specific/linux/device-tree/raspberrypi.nix
+++ b/pkgs/os-specific/linux/device-tree/raspberrypi.nix
@@ -1,4 +1,4 @@
-{ stdenvNoCC, raspberrypifw }:
+{ lib, stdenvNoCC, raspberrypifw }:
 
 stdenvNoCC.mkDerivation {
   name = "raspberrypi-dtbs-${raspberrypifw.version}";
@@ -30,8 +30,8 @@ stdenvNoCC.mkDerivation {
     # Compatible overlays that may be used
     overlays = "${raspberrypifw}/share/raspberrypi/boot/overlays";
   };
-  meta = with stdenvNoCC.lib; {
-    inherit (raspberrypifw.meta) platforms homepage license;
+  meta = with lib; {
+    inherit (raspberrypifw.meta) homepage license;
     description = "DTBs for the Raspberry Pi";
   };
 }
diff --git a/pkgs/os-specific/linux/devmem2/default.nix b/pkgs/os-specific/linux/devmem2/default.nix
index 9115601e357..86f6f916cef 100644
--- a/pkgs/os-specific/linux/devmem2/default.nix
+++ b/pkgs/os-specific/linux/devmem2/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation {
   name = "devmem2-2004-08-05";
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
     install -D devmem2 "$out/bin/devmem2"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Simple program to read/write from/to any location in memory";
     homepage = "http://lartmaker.nl/lartware/port/";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/digimend/default.nix b/pkgs/os-specific/linux/digimend/default.nix
index 94f32d2c432..6b5f66f825b 100644
--- a/pkgs/os-specific/linux/digimend/default.nix
+++ b/pkgs/os-specific/linux/digimend/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, fetchpatch, kernel }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel }:
 
-assert stdenv.lib.versionAtLeast kernel.version "3.5";
+assert lib.versionAtLeast kernel.version "3.5";
 
 stdenv.mkDerivation rec {
   pname = "digimend";
@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
     "DESTDIR=${placeholder "out"}"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "DIGImend graphics tablet drivers for the Linux kernel";
     homepage = "https://digimend.github.io/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/directvnc/default.nix b/pkgs/os-specific/linux/directvnc/default.nix
index c7937190915..d20b69775bf 100644
--- a/pkgs/os-specific/linux/directvnc/default.nix
+++ b/pkgs/os-specific/linux/directvnc/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, directfb, zlib, libjpeg, xorgproto }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, directfb, zlib, libjpeg, xorgproto }:
 
 stdenv.mkDerivation {
   pname = "directvnc";
@@ -11,11 +11,11 @@ stdenv.mkDerivation {
     sha256 = "16x7mr7x728qw7nbi6rqhrwsy73zsbpiz8pbgfzfl2aqhfdiz88b";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
 
   buildInputs = [ directfb zlib libjpeg xorgproto ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "DirectFB VNC client";
     homepage = "http://drinkmilk.github.io/directvnc/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix
index b2ae930f193..f754882ccd0 100644
--- a/pkgs/os-specific/linux/disk-indicator/default.nix
+++ b/pkgs/os-specific/linux/disk-indicator/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, libX11 }:
+{ lib, stdenv, fetchgit, libX11 }:
 
 stdenv.mkDerivation {
   name = "disk-indicator-2014-05-19";
@@ -34,7 +34,7 @@ stdenv.mkDerivation {
       Small program for Linux that will turn your Scroll, Caps or Num Lock LED
       or LED on your ThinkPad laptop into a hard disk activity indicator.
     '';
-    license = stdenv.lib.licenses.gpl3;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl3;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/displaylink/99-displaylink.rules b/pkgs/os-specific/linux/displaylink/99-displaylink.rules
new file mode 100644
index 00000000000..ceeb658a415
--- /dev/null
+++ b/pkgs/os-specific/linux/displaylink/99-displaylink.rules
@@ -0,0 +1 @@
+ACTION=="add", SUBSYSTEM=="usb", DRIVERS=="usb", ATTRS{idVendor}=="17e9", ATTR{bInterfaceClass}=="ff", ATTR{bInterfaceProtocol}=="03", TAG+="systemd", ENV{SYSTEMD_WANTS}="dlm.service"
diff --git a/pkgs/os-specific/linux/displaylink/default.nix b/pkgs/os-specific/linux/displaylink/default.nix
index 3db9a7d3005..ca3e38c2e70 100644
--- a/pkgs/os-specific/linux/displaylink/default.nix
+++ b/pkgs/os-specific/linux/displaylink/default.nix
@@ -1,27 +1,36 @@
-{ stdenv, lib, unzip, utillinux,
-  libusb1, evdi, systemd, makeWrapper, requireFile, substituteAll }:
-
+{ stdenv
+, lib
+, unzip
+, util-linux
+, libusb1
+, evdi
+, systemd
+, makeWrapper
+, requireFile
+, substituteAll
+}:
 let
   arch =
     if stdenv.hostPlatform.system == "x86_64-linux" then "x64"
     else if stdenv.hostPlatform.system == "i686-linux" then "x86"
     else throw "Unsupported architecture";
   bins = "${arch}-ubuntu-1604";
-  libPath = lib.makeLibraryPath [ stdenv.cc.cc utillinux libusb1 evdi ];
+  libPath = lib.makeLibraryPath [ stdenv.cc.cc util-linux libusb1 evdi ];
 
-in stdenv.mkDerivation rec {
+in
+stdenv.mkDerivation rec {
   pname = "displaylink";
-  version = "5.3.1.34";
+  version = "5.4.0-55.153";
 
   src = requireFile rec {
     name = "displaylink.zip";
-    sha256 = "1c1kbjgpb71f73qnyl44rvwi6l4ivddq789rwvvh0ahw2jm324hy";
+    sha256 = "1m2l3bnlfwfp94w7khr05npsbysg9mcyi7hi85n78xkd0xdcxml8";
     message = ''
       In order to install the DisplayLink drivers, you must first
       comply with DisplayLink's EULA and download the binaries and
       sources from here:
 
-      https://www.displaylink.com/downloads/file?id=1576
+      https://www.synaptics.com/node/3751
 
       Once you have downloaded the file, please use the following
       commands and re-run the installation:
@@ -39,20 +48,11 @@ in stdenv.mkDerivation rec {
     ./displaylink-driver-${version}.run --target . --noexec --nodiskspace
   '';
 
-  patches = [ (substituteAll {
-    src = ./udev-installer.patch;
-    inherit systemd;
-  })];
-
   installPhase = ''
-    sed -i "s,/opt/displaylink/udev.sh,$out/lib/udev/displaylink.sh,g" udev-installer.sh
-    ( source udev-installer.sh
-      mkdir -p $out/lib/udev/rules.d
-      main systemd "$out/lib/udev/rules.d/99-displaylink.rules" "$out/lib/udev/displaylink.sh"
-    )
-
     install -Dt $out/lib/displaylink *.spkg
     install -Dm755 ${bins}/DisplayLinkManager $out/bin/DisplayLinkManager
+    mkdir -p $out/lib/udev/rules.d
+    cp ${./99-displaylink.rules} $out/lib/udev/rules.d/99-displaylink.rules
     patchelf \
       --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
       --set-rpath ${libPath} \
@@ -65,7 +65,7 @@ in stdenv.mkDerivation rec {
   dontPatchELF = true;
 
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "DisplayLink DL-5xxx, DL-41xx and DL-3x00 Driver for Linux";
     maintainers = with maintainers; [ nshalman abbradar peterhoeg eyjhb ];
     platforms = [ "x86_64-linux" "i686-linux" ];
diff --git a/pkgs/os-specific/linux/displaylink/udev-installer.patch b/pkgs/os-specific/linux/displaylink/udev-installer.patch
deleted file mode 100644
index 880c073fbcf..00000000000
--- a/pkgs/os-specific/linux/displaylink/udev-installer.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/udev-installer.sh	2018-12-09 12:05:53.772318942 +0100
-+++ b/udev-installer.sh	2018-12-09 12:06:19.939947629 +0100
-@@ -21,12 +21,12 @@
-   cat <<'EOF'
- start_service()
- {
--  systemctl start displaylink-driver
-+  /run/current-system/systemd/bin/systemctl start --no-block dlm
- }
- 
- stop_service()
- {
--  systemctl stop displaylink-driver
-+  /run/current-system/systemd/bin/systemctl stop dlm
- }
- 
- EOF
-
diff --git a/pkgs/os-specific/linux/dlm/default.nix b/pkgs/os-specific/linux/dlm/default.nix
new file mode 100644
index 00000000000..3b6f4773a29
--- /dev/null
+++ b/pkgs/os-specific/linux/dlm/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromSourcehut
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "dlm";
+  version = "2020-01-07";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = "6b0e11c4f453b1a4d7a32019227539a980b7ce66";
+    sha256 = "1r3w7my0g3v2ya317qnvjx8wnagjahpj7yx72a65hf2pjbf5x42p";
+  };
+
+  cargoSha256 = "01a8k60qnx2pgxb2adgw30c2hjb60w6230khm5hyqgmp7z4rm8k8";
+
+  meta = with lib; {
+    description = "A stupid simple graphical login manager";
+    homepage = "https://git.sr.ht/~kennylevinsen/dlm";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/dmidecode/default.nix b/pkgs/os-specific/linux/dmidecode/default.nix
index 97ad75851a6..a4e09492deb 100644
--- a/pkgs/os-specific/linux/dmidecode/default.nix
+++ b/pkgs/os-specific/linux/dmidecode/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl, fetchpatch }:
 
 stdenv.mkDerivation rec {
   name = "dmidecode-3.2";
@@ -8,9 +8,53 @@ stdenv.mkDerivation rec {
     sha256 = "1pcfhcgs2ifdjwp7amnsr3lq95pgxpr150bjhdinvl505px0cw07";
   };
 
+  patches = [
+    # suggested patches for 3.2 according to https://www.nongnu.org/dmidecode/
+    (fetchpatch {
+      name = "0001-fix_redfish_hostname_print_length.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=fde47bb227b8fa817c88d7e10a8eb771c46de1df";
+      sha256 = "133nd0c72p68hnqs5m714167761r1pp6bd3kgbsrsrwdx40jlc3m";
+    })
+    (fetchpatch {
+      name = "0002-add_logical_non-volatile_device_to_memory_device_types.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=74dfb854b8199ddb0a27e89296fa565f4706cb9d";
+      sha256 = "0wdpmlcwmqdyyrsmyis8jb7cx3q6fnqpdpc5xly663dj841jcvwh";
+    })
+    (fetchpatch {
+      name = "0003-only-scan-devmem-for-entry-point-on-x86.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=e12ec26e19e02281d3e7258c3aabb88a5cf5ec1d";
+      sha256 = "1y2858n98bfa49syjinx911vza6mm7aa6xalvzjgdlyirhccs30i";
+    })
+    (fetchpatch {
+      name = "0004-fix_formatting_of_tpm_table_output.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=1d0db85949a5bdd96375f6131d393a11204302a6";
+      sha256 = "11s8jciw7xf2668v79qcq2c9w2gwvm3dkcik8dl9v74p654y1nr8";
+    })
+    (fetchpatch {
+      name = "0005-fix_system-slot_information_for_pcie_ssd.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=fd08479625b5845e4d725ab628628f7ebfccc407";
+      sha256 = "07l61wvsw1d8g14zzf6zm7l0ri9kkqz8j5n4h116qwhg1p2k49y4";
+    })
+    (fetchpatch {
+      name = "0006-print_type_33_name_unconditionally.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=65438a7ec0f4cddccf810136da6f280bd148af71";
+      sha256 = "0gqz576ccxys0c8217spf1qmw9lxi9xalw85jjqwsi2bj1k6vy4n";
+    })
+    (fetchpatch {
+      name = "0007-dont_choke_on_invalid_processor_voltage.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=5bb7eb173b72256f70c6b3f3916d7a444be93340";
+      sha256 = "1dkg4lq9kn2g1w5raz1gssn6zqk078zjqbnh9i32f822f727syhp";
+    })
+    (fetchpatch {
+      name = "0008-fix_the_alignment_of_type_25_name.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=557c3c373a9992d45d4358a6a2ccf53b03276f39";
+      sha256 = "18hc91pk7civyqrlilg3kn2nmp2warhh49xlbzrwqi7hgipyf12z";
+    })
+  ];
+
   makeFlags = [ "prefix=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.nongnu.org/dmidecode/";
     description = "A tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix
index 129ccb30456..c1e0dfc5ae4 100644
--- a/pkgs/os-specific/linux/dmraid/default.nix
+++ b/pkgs/os-specific/linux/dmraid/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, lvm2 }:
+{ lib, stdenv, fetchurl, fetchpatch, lvm2 }:
 
 stdenv.mkDerivation rec {
   name = "dmraid-1.0.0.rc16";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
   };
 
   patches = [ ./hardening-format.patch ]
-    ++ stdenv.lib.optionals stdenv.hostPlatform.isMusl [
+    ++ lib.optionals stdenv.hostPlatform.isMusl [
       (fetchpatch {
         url = "https://raw.githubusercontent.com/void-linux/void-packages/fceed4b8e96b3c1da07babf6f67b6ed1588a28b2/srcpkgs/dmraid/patches/006-musl-libc.patch";
         sha256 = "1j8xda0fpz8lxjxnqdidy7qb866qrzwpbca56yjdg6vf4x21hx6w";
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
 
   postPatch = ''
     sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in
-  '' + stdenv.lib.optionalString stdenv.hostPlatform.isMusl ''
+  '' + lib.optionalString stdenv.hostPlatform.isMusl ''
     NIX_CFLAGS_COMPILE+=" -D_GNU_SOURCE"
   '';
 
@@ -42,8 +42,8 @@ stdenv.mkDerivation rec {
       its volumes. May be needed for rescuing an older system or nuking
       the metadata when reformatting.
     '';
-    maintainers = [ stdenv.lib.maintainers.raskin ];
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/dmtcp/default.nix b/pkgs/os-specific/linux/dmtcp/default.nix
index 0f7f2f9817a..50124a2bf45 100644
--- a/pkgs/os-specific/linux/dmtcp/default.nix
+++ b/pkgs/os-specific/linux/dmtcp/default.nix
@@ -1,14 +1,16 @@
-{ stdenv, fetchFromGitHub, bash, perl, python }:
+{ lib, stdenv, fetchFromGitHub, bash, perl, python2 }:
+
+# There are fixes for python3 compatibility on master
 
 stdenv.mkDerivation rec {
   pname = "dmtcp";
-  version = "2.6.0";
+  version = "unstable-2021-03-01";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    rev = version;
-    sha256 = "01skyhr573w1dygvkwz66lvir2jsq443fjwkysglwxvmrdfz9kwd";
+    rev = "f999adbb8e88fe452a0e57ceb43b6eed7b4409f9";
+    sha256 = "sha256-codCHQui3fGfUZSNq8GuH4ad/GjD6I/S9rX83o8oFPc=";
   };
 
   dontDisableStatic = true;
@@ -21,19 +23,19 @@ stdenv.mkDerivation rec {
     substituteInPlace configure \
       --replace '#define ELF_INTERPRETER "$interp"' \
                 "#define ELF_INTERPRETER \"$(cat $NIX_CC/nix-support/dynamic-linker)\""
-    substituteInPlace src/dmtcp_coordinator.cpp \
+    substituteInPlace src/restartscript.cpp \
       --replace /bin/bash ${stdenv.shell}
-    substituteInPlace util/gdb-add-symbol-file \
+    substituteInPlace util/dmtcp_restart_wrapper.sh \
       --replace /bin/bash ${stdenv.shell}
     substituteInPlace test/autotest.py \
       --replace /bin/bash ${bash}/bin/bash \
       --replace /usr/bin/perl ${perl}/bin/perl \
-      --replace /usr/bin/python ${python}/bin/python \
+      --replace /usr/bin/python ${python2}/bin/python \
       --replace "os.environ['USER']" "\"nixbld1\"" \
       --replace "os.getenv('USER')" "\"nixbld1\""
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Distributed MultiThreaded Checkpointing";
     longDescription = ''
       DMTCP (Distributed MultiThreaded Checkpointing) is a tool to
diff --git a/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch b/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
index 5a81dad0cc9..118e52b8e62 100644
--- a/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
+++ b/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
@@ -1,11 +1,13 @@
---- dmtcp-2.5.1-src/src/util_exec.cpp	2017-09-19 13:36:22.947587034 +0200
-+++ dmtcp-2.5.1-src/src/util_exec.cpp	2017-09-19 13:36:32.221313460 +0200
-@@ -178,7 +178,7 @@
- 
- static string ld_linux_so_path(int version, bool is32bitElf = false)
+diff --git a/src/util_exec.cpp b/src/util_exec.cpp
+index 0e8a13c1..0cc99c1e 100644
+--- a/src/util_exec.cpp
++++ b/src/util_exec.cpp
+@@ -300,7 +300,7 @@ Util::elfType(const char *pathname, bool *isElf, bool *is32bitElf)
+ static string
+ ld_linux_so_path(int version, bool is32bitElf = false)
  {
 -  char buf[80];
 +  char buf[128];
+ 
  #if (defined(__x86_64__) || defined(__aarch64__)) && !defined(CONFIG_M32)
    if (is32bitElf) {
-     sprintf(buf, "/lib/ld-linux.so.%d", version);
diff --git a/pkgs/os-specific/linux/dpdk-kmods/default.nix b/pkgs/os-specific/linux/dpdk-kmods/default.nix
new file mode 100644
index 00000000000..a188336cbe5
--- /dev/null
+++ b/pkgs/os-specific/linux/dpdk-kmods/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchzip, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "dpdk-kmods";
+  version = "2021-04-21";
+
+  src = fetchzip {
+    url = "http://git.dpdk.org/dpdk-kmods/snapshot/dpdk-kmods-e13d7af77a1bf98757f85c3c4083f6ee6d0d2372.tar.xz";
+    sha256 = "sha256-8ysWT3X3rIyUAo4/QbkX7cQq5iFeU18/BPsmmWugcIc=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  KSRC = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preBuild = "cd linux/igb_uio";
+
+  installPhase = ''
+    make -C ${KSRC} M=$(pwd) modules_install
+  '';
+
+  INSTALL_MOD_PATH = placeholder "out";
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Kernel modules for DPDK";
+    homepage = "https://git.dpdk.org/dpdk-kmods/";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.mic92 ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/dpdk/default.nix b/pkgs/os-specific/linux/dpdk/default.nix
index aacbc3cdfbe..ca8905e6240 100644
--- a/pkgs/os-specific/linux/dpdk/default.nix
+++ b/pkgs/os-specific/linux/dpdk/default.nix
@@ -1,30 +1,32 @@
 { stdenv, lib
 , kernel
 , fetchurl
-, pkgconfig, meson, ninja
+, pkg-config, meson, ninja
 , libbsd, numactl, libbpf, zlib, libelf, jansson, openssl, libpcap
 , doxygen, python3
+, withExamples ? []
 , shared ? false }:
 
 let
   mod = kernel != null;
-
+  dpdkVersion = "21.05";
 in stdenv.mkDerivation rec {
-  name = "dpdk-${version}" + lib.optionalString mod "-${kernel.version}";
-  version = "20.05";
+  pname = "dpdk";
+  version = "${dpdkVersion}" + lib.optionalString mod "-${kernel.version}";
 
   src = fetchurl {
-    url = "https://fast.dpdk.org/rel/dpdk-${version}.tar.xz";
-    sha256 = "0h0xv2zwb91b9n29afg5ihn06a8q28in64hag2f112kc19f79jj8";
+    url = "https://fast.dpdk.org/rel/dpdk-${dpdkVersion}.tar.xz";
+    sha256 = "sha256-HhJJm0xfzbV8g+X+GE6mvs3ffPCSiTwsXvLvsO7BLws=";
   };
 
   nativeBuildInputs = [
     doxygen
     meson
     ninja
-    pkgconfig
+    pkg-config
     python3
     python3.pkgs.sphinx
+    python3.pkgs.pyelftools
   ];
   buildInputs = [
     jansson
@@ -42,12 +44,16 @@ in stdenv.mkDerivation rec {
   '';
 
   mesonFlags = [
+    "-Dtests=false"
     "-Denable_docs=true"
-    "-Denable_kmods=${if mod then "true" else "false"}"
+    "-Denable_kmods=${lib.boolToString mod}"
   ]
+  # kni kernel driver is currently not compatble with 5.11
+  ++ lib.optional (mod && kernel.kernelOlder "5.11") "-Ddisable_drivers=kni"
   ++ lib.optional (!shared) "-Ddefault_library=static"
   ++ lib.optional stdenv.isx86_64 "-Dmachine=nehalem"
-  ++ lib.optional mod "-Dkernel_dir=${placeholder "kmod"}/lib/modules/${kernel.modDirVersion}";
+  ++ lib.optional mod "-Dkernel_dir=${placeholder "kmod"}/lib/modules/${kernel.modDirVersion}"
+  ++ lib.optional (withExamples != []) "-Dexamples=${builtins.concatStringsSep "," withExamples}";
 
   # dpdk meson script does not support separate kernel source and installion
   # dirs (except via destdir), so we temporarily link the former into the latter.
@@ -61,15 +67,17 @@ in stdenv.mkDerivation rec {
     rm -f $kmod/lib/modules/${kernel.modDirVersion}/build
   '';
 
-  outputs = [ "out" ] ++ lib.optional mod "kmod";
+  postInstall = lib.optionalString (withExamples != []) ''
+    find examples -type f -executable -exec install {} $out/bin \;
+  '';
 
-  enableParallelBuilding = true;
+  outputs = [ "out" ] ++ lib.optional mod "kmod";
 
   meta = with lib; {
     description = "Set of libraries and drivers for fast packet processing";
     homepage = "http://dpdk.org/";
     license = with licenses; [ lgpl21 gpl2 bsd2 ];
     platforms =  platforms.linux;
-    maintainers = with maintainers; [ domenkozar magenbluten orivej ];
+    maintainers = with maintainers; [ magenbluten orivej mic92 zhaofengli ];
   };
 }
diff --git a/pkgs/os-specific/linux/drbd/default.nix b/pkgs/os-specific/linux/drbd/default.nix
index bbf2535ce3d..ae3e986e14a 100644
--- a/pkgs/os-specific/linux/drbd/default.nix
+++ b/pkgs/os-specific/linux/drbd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, flex, systemd, perl }:
+{ lib, stdenv, fetchurl, flex, systemd, perl }:
 
 stdenv.mkDerivation rec {
   name = "drbd-8.4.4";
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     "INITDIR=$(out)/etc/init.d"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.drbd.org/";
     description = "Distributed Replicated Block Device, a distributed storage system for Linux";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/dropwatch/default.nix b/pkgs/os-specific/linux/dropwatch/default.nix
index 69acfa9682b..c2701c05719 100644
--- a/pkgs/os-specific/linux/dropwatch/default.nix
+++ b/pkgs/os-specific/linux/dropwatch/default.nix
@@ -1,30 +1,47 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig
-, libnl, readline, libbfd, ncurses, zlib }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, libbfd
+, libnl
+, libpcap
+, ncurses
+, readline
+, zlib
+}:
 
 stdenv.mkDerivation rec {
   pname = "dropwatch";
-  version = "1.5.1";
+  version = "1.5.3";
 
   src = fetchFromGitHub {
     owner = "nhorman";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1qmax0l7z1qik42c949fnvjh5r6awk4gpgzdsny8iwnmwzjyp8b8";
+    sha256 = "0axx0zzrs7apqnl0r70jyvmgk7cs5wk185id479mapgngibwkyxy";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
-  buildInputs = [ libbfd libnl ncurses readline zlib ];
-
-  # To avoid running into https://sourceware.org/bugzilla/show_bug.cgi?id=14243 we need to define:
-  NIX_CFLAGS_COMPILE = "-DPACKAGE=${pname} -DPACKAGE_VERSION=${version}";
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+  ];
+  buildInputs = [
+    libbfd
+    libnl
+    libpcap
+    ncurses
+    readline
+    zlib
+  ];
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux kernel dropped packet monitor";
     homepage = "https://github.com/nhorman/dropwatch";
-    license = licenses.gpl2;
+    license = licenses.gpl2Plus;
     platforms = platforms.linux;
-    maintainers = [ maintainers.c0bw3b ];
+    maintainers = with maintainers; [ c0bw3b ];
   };
 }
diff --git a/pkgs/os-specific/linux/dstat/default.nix b/pkgs/os-specific/linux/dstat/default.nix
index 2e235e27f36..d79f9f4c61b 100644
--- a/pkgs/os-specific/linux/dstat/default.nix
+++ b/pkgs/os-specific/linux/dstat/default.nix
@@ -1,24 +1,42 @@
-{ stdenv, fetchurl, python2Packages }:
+{ lib, fetchFromGitHub, fetchpatch, python3Packages }:
 
-python2Packages.buildPythonApplication rec {
+python3Packages.buildPythonApplication rec {
   pname = "dstat";
   format = "other";
-  version = "0.7.3";
+  version = "0.7.4";
 
-  src = fetchurl {
-    url = "https://github.com/dagwieers/dstat/archive/${version}.tar.gz";
-    sha256 = "16286z3y2lc9nsq8njzjkv6k2vyxrj9xiixj1k3gnsbvhlhkirj6";
+  src = fetchFromGitHub {
+    owner = "dstat-real";
+    repo = "dstat";
+    rev = "v${version}";
+    sha256 = "1qnmkhqmjd1m3if05jj29dvr5hn6kayq9bkkkh881w472c0zhp8v";
   };
 
-  propagatedBuildInputs = with python2Packages; [ python-wifi ];
+  propagatedBuildInputs = with python3Packages; [ six ];
+
+  patches = [
+    ./fix_pluginpath.patch
+    # this fixes another bug with python3
+    (fetchpatch {
+      url = "https://github.com/efexgee/dstat/commit/220a785321b13b6df92a536080aca6ef1cb644ad.patch";
+      sha256 = "08kcz3yxvl35m55y7g1pr73x3bjcqnv0qlswxqyq8cqxg9zd64cn";
+    })
+  ];
 
   makeFlags = [ "prefix=$(out)" ];
 
-  meta = with stdenv.lib; {
+  # remove deprecation warnings
+  preFixup = ''
+    sed -i "s/import collections/import collections.abc/g" $out/share/dstat/dstat.py $out/bin/dstat
+    sed -i "s/collections.Sequence/collections.abc.Sequence/g" "$out"/bin/dstat
+  '';
+
+  meta = with lib; {
     homepage = "http://dag.wieers.com/home-made/dstat/";
     description = "Versatile resource statistics tool";
     license = licenses.gpl2;
     platforms = platforms.linux;
     maintainers = with maintainers; [ ];
+    changelog = "https://github.com/dstat-real/dstat/blob/v${version}/ChangeLog";
   };
 }
diff --git a/pkgs/os-specific/linux/dstat/fix_pluginpath.patch b/pkgs/os-specific/linux/dstat/fix_pluginpath.patch
new file mode 100644
index 00000000000..06d7793da47
--- /dev/null
+++ b/pkgs/os-specific/linux/dstat/fix_pluginpath.patch
@@ -0,0 +1,15 @@
+diff --git a/dstat b/dstat
+index 3ac7087..c5f089d 100755
+--- a/dstat
++++ b/dstat
+@@ -66,9 +66,7 @@ if sys.version_info < (2, 3):
+ 
+ pluginpath = [
+     os.path.expanduser('~/.dstat/'),                                # home + /.dstat/
+-    os.path.abspath(os.path.dirname(sys.argv[0])) + '/plugins/',    # binary path + /plugins/
+-    '/usr/share/dstat/',
+-    '/usr/local/share/dstat/',
++    os.path.abspath(os.path.dirname(sys.argv[0])) + '/../share/dstat/', # binary path + /../share/dstat/
+ ]
+ 
+ class Options:
diff --git a/pkgs/os-specific/linux/e1000e/default.nix b/pkgs/os-specific/linux/e1000e/default.nix
index d5d6697a01e..51bc6ada07d 100644
--- a/pkgs/os-specific/linux/e1000e/default.nix
+++ b/pkgs/os-specific/linux/e1000e/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchurl, kernel }:
+{ lib, stdenv, fetchurl, kernel }:
 
-assert stdenv.lib.versionOlder kernel.version "4.10";
+assert lib.versionOlder kernel.version "4.10";
 
 stdenv.mkDerivation rec {
   name = "e1000e-${version}-${kernel.version}";
@@ -32,6 +32,6 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Linux kernel drivers for Intel Ethernet adapters and LOMs (LAN On Motherboard)";
     homepage = "http://e1000.sf.net/";
-    license = stdenv.lib.licenses.gpl2;
+    license = lib.licenses.gpl2;
   };
 }
diff --git a/pkgs/os-specific/linux/earlyoom/default.nix b/pkgs/os-specific/linux/earlyoom/default.nix
index 575da8aca73..930e9381bb7 100644
--- a/pkgs/os-specific/linux/earlyoom/default.nix
+++ b/pkgs/os-specific/linux/earlyoom/default.nix
@@ -1,17 +1,17 @@
-{ stdenv, fetchFromGitHub, pandoc, installShellFiles, withManpage ? false }:
+{ lib, stdenv, fetchFromGitHub, pandoc, installShellFiles, withManpage ? false }:
 
 stdenv.mkDerivation rec {
   pname = "earlyoom";
-  version = "1.6.1";
+  version = "1.6.2";
 
   src = fetchFromGitHub {
     owner = "rfjakob";
     repo = "earlyoom";
     rev = "v${version}";
-    sha256 = "1cn0bgbgiq69i8mk8zxly1f7j01afm82g672qzccz6swsi2637j4";
+    sha256 = "16iyn51xlrsbshc7p5xl2338yyfzknaqc538sa7mamgccqwgyvvq";
   };
 
-  nativeBuildInputs = stdenv.lib.optionals withManpage [ pandoc installShellFiles ];
+  nativeBuildInputs = lib.optionals withManpage [ pandoc installShellFiles ];
 
   patches = [ ./fix-dbus-path.patch ];
 
@@ -19,11 +19,11 @@ stdenv.mkDerivation rec {
 
   installPhase = ''
     install -D earlyoom $out/bin/earlyoom
-  '' + stdenv.lib.optionalString withManpage ''
+  '' + lib.optionalString withManpage ''
     installManPage earlyoom.1
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Early OOM Daemon for Linux";
     homepage = "https://github.com/rfjakob/earlyoom";
     license = licenses.mit;
diff --git a/pkgs/os-specific/linux/ebtables/default.nix b/pkgs/os-specific/linux/ebtables/default.nix
index d3705195f59..bca24d9c905 100644
--- a/pkgs/os-specific/linux/ebtables/default.nix
+++ b/pkgs/os-specific/linux/ebtables/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "ebtables";
@@ -9,17 +9,23 @@ stdenv.mkDerivation rec {
     sha256 = "0apxgmkhsk3vxn9q3libxn3dgrdljrxyy4mli2gk49m7hi3na7xp";
   };
 
-  makeFlags =
-    [ "LIBDIR=$(out)/lib" "BINDIR=$(out)/sbin" "MANDIR=$(out)/share/man"
-      "ETCDIR=$(out)/etc" "INITDIR=$(TMPDIR)" "SYSCONFIGDIR=$(out)/etc/sysconfig"
-      "LOCALSTATEDIR=/var"
-    ];
+  makeFlags = [
+    "LIBDIR=$(out)/lib" "BINDIR=$(out)/sbin" "MANDIR=$(out)/share/man"
+    "ETCDIR=$(out)/etc" "INITDIR=$(TMPDIR)" "SYSCONFIGDIR=$(out)/etc/sysconfig"
+    "LOCALSTATEDIR=/var"
+  ];
 
   NIX_CFLAGS_COMPILE = "-Wno-error";
 
   preInstall = "mkdir -p $out/etc/sysconfig";
 
-  meta = with stdenv.lib; {
+  postInstall = ''
+    ln -s $out/sbin/ebtables-legacy          $out/sbin/ebtables
+    ln -s $out/sbin/ebtables-legacy-restore  $out/sbin/ebtables-restore
+    ln -s $out/sbin/ebtables-legacy-save     $out/sbin/ebtables-save
+  '';
+
+  meta = with lib; {
     description = "A filtering tool for Linux-based bridging firewalls";
     homepage = "http://ebtables.sourceforge.net/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/edac-utils/default.nix b/pkgs/os-specific/linux/edac-utils/default.nix
index fb0a6dbf62e..63c539602f1 100644
--- a/pkgs/os-specific/linux/edac-utils/default.nix
+++ b/pkgs/os-specific/linux/edac-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, perl, makeWrapper
+{ lib, stdenv, fetchFromGitHub, perl, makeWrapper
 , sysfsutils, dmidecode, kmod }:
 
 stdenv.mkDerivation {
@@ -25,10 +25,10 @@ stdenv.mkDerivation {
 
   postInstall = ''
     wrapProgram "$out/sbin/edac-ctl" \
-      --set PATH ${stdenv.lib.makeBinPath [ dmidecode kmod ]}
+      --set PATH ${lib.makeBinPath [ dmidecode kmod ]}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/grondo/edac-utils";
     description = "Handles the reporting of hardware-related memory errors";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/ell/default.nix b/pkgs/os-specific/linux/ell/default.nix
index a83e02ae6be..a43b9eff3c8 100644
--- a/pkgs/os-specific/linux/ell/default.nix
+++ b/pkgs/os-specific/linux/ell/default.nix
@@ -1,28 +1,24 @@
-{ stdenv
+{ lib, stdenv
 , fetchgit
 , autoreconfHook
-, pkgconfig
+, pkg-config
 , dbus
 }:
 
 stdenv.mkDerivation rec {
   pname = "ell";
-  version = "0.32";
+  version = "0.41";
 
   outputs = [ "out" "dev" ];
 
   src = fetchgit {
-     url = "https://git.kernel.org/pub/scm/libs/${pname}/${pname}.git";
-     rev = version;
-     sha256 = "07hm9lrhhb5y53l13yja2kr3xmjgs0azk3x7w2si99cplwkgxak2";
+    url = "https://git.kernel.org/pub/scm/libs/${pname}/${pname}.git";
+    rev = version;
+    sha256 = "sha256-UCE+PgGmbePlOoAc8jXxCX6fHr16qf1AQMKxizfSTJM=";
   };
 
-  patches = [
-    ./fix-dbus-tests.patch
-  ];
-
   nativeBuildInputs = [
-    pkgconfig
+    pkg-config
     autoreconfHook
   ];
 
@@ -34,7 +30,7 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://01.org/ell";
     description = "Embedded Linux Library";
     longDescription = ''
@@ -42,6 +38,6 @@ stdenv.mkDerivation rec {
     '';
     license = licenses.lgpl21Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ mic92 dtzWill ];
+    maintainers = with maintainers; [ mic92 dtzWill maxeaubrey ];
   };
 }
diff --git a/pkgs/os-specific/linux/ell/fix-dbus-tests.patch b/pkgs/os-specific/linux/ell/fix-dbus-tests.patch
deleted file mode 100644
index b494ba8b43c..00000000000
--- a/pkgs/os-specific/linux/ell/fix-dbus-tests.patch
+++ /dev/null
@@ -1,65 +0,0 @@
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -140,6 +140,7 @@
- ell_libell_private_la_SOURCES = $(ell_libell_la_SOURCES)
- 
- AM_CFLAGS = -fvisibility=hidden -DUNITDIR=\""$(top_srcdir)/unit/"\" \
-+				-DDBUS_DAEMON=\""$(DBUS_DAEMONDIR)/dbus-daemon"\" \
- 				-DCERTDIR=\""$(top_builddir)/unit/"\"
- 
- pkgconfigdir = $(libdir)/pkgconfig
---- a/configure.ac
-+++ b/configure.ac
-@@ -14,6 +14,8 @@
- 
- AC_PREFIX_DEFAULT(/usr/local)
- 
-+PKG_PROG_PKG_CONFIG
-+
- COMPILER_FLAGS
- 
- AC_LANG_C
-@@ -131,6 +133,10 @@
- 	AC_CHECK_PROG(have_xxd, [xxd], [yes], [no])
- fi
- 
-+PKG_CHECK_MODULES(DBUS, dbus-1, dummy=yes,
-+			AC_MSG_ERROR(D-Bus is required for running tests))
-+PKG_CHECK_VAR(DBUS_DAEMONDIR, dbus-1, daemondir)
-+
- AM_CONDITIONAL(DBUS_TESTS, test "${little_endian}" = "yes")
- AM_CONDITIONAL(CERT_TESTS, test "${have_openssl}" = "yes")
- 
---- a/unit/test-dbus-message-fds.c
-+++ b/unit/test-dbus-message-fds.c
-@@ -51,7 +51,7 @@
- 	char *prg_envp[1];
- 	pid_t pid;
- 
--	prg_argv[0] = "/usr/bin/dbus-daemon";
-+	prg_argv[0] = DBUS_DAEMON;
- 	prg_argv[1] = "--nopidfile";
- 	prg_argv[2] = "--nofork";
- 	prg_argv[3] = "--config-file=" UNITDIR "dbus.conf";
---- a/unit/test-dbus-properties.c
-+++ b/unit/test-dbus-properties.c
-@@ -48,7 +48,7 @@
- 	char *prg_envp[1];
- 	pid_t pid;
- 
--	prg_argv[0] = "/usr/bin/dbus-daemon";
-+	prg_argv[0] = DBUS_DAEMON;
- 	prg_argv[1] = "--nopidfile";
- 	prg_argv[2] = "--nofork";
- 	prg_argv[3] = "--config-file=" UNITDIR "dbus.conf";
---- a/unit/test-dbus.c
-+++ b/unit/test-dbus.c
-@@ -45,7 +45,7 @@
- 	char *prg_envp[1];
- 	pid_t pid;
- 
--	prg_argv[0] = "/usr/bin/dbus-daemon";
-+	prg_argv[0] = DBUS_DAEMON;
- 	prg_argv[1] = "--nopidfile";
- 	prg_argv[2] = "--nofork";
- 	prg_argv[3] = "--config-file=" UNITDIR "dbus.conf";
diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix
index a3935d0069e..1ff0b9a154a 100644
--- a/pkgs/os-specific/linux/ena/default.nix
+++ b/pkgs/os-specific/linux/ena/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
-  version = "2.2.7";
+  version = "2.5.0";
   name = "ena-${version}-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "amzn";
     repo = "amzn-drivers";
     rev = "ena_linux_${version}";
-    sha256 = "1ap100xh5wrdvy5h2ydcy6rqcklb4fz6xxs33ad3j9yx3h1ixj2d";
+    sha256 = "sha256-uOf/1624UtjaZtrk7XyQpeUGdTNVDnzZJZMgU86i+SM=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -19,23 +19,28 @@ stdenv.mkDerivation rec {
   NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
 
   configurePhase = ''
+    runHook preConfigure
     cd kernel/linux/ena
     substituteInPlace Makefile --replace '/lib/modules/$(BUILD_KERNEL)' ${kernel.dev}/lib/modules/${kernel.modDirVersion}
+    runHook postConfigure
   '';
 
   installPhase = ''
+    runHook preInstall
     strip -S ena.ko
     dest=$out/lib/modules/${kernel.modDirVersion}/misc
     mkdir -p $dest
     cp ena.ko $dest/
     xz $dest/ena.ko
+    runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Amazon Elastic Network Adapter (ENA) driver for Linux";
     homepage = "https://github.com/amzn/amzn-drivers";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     maintainers = [ maintainers.eelco ];
     platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.5";
   };
 }
diff --git a/pkgs/os-specific/linux/erofs-utils/default.nix b/pkgs/os-specific/linux/erofs-utils/default.nix
new file mode 100644
index 00000000000..73e50c5740b
--- /dev/null
+++ b/pkgs/os-specific/linux/erofs-utils/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchgit, autoreconfHook, pkg-config, fuse, libuuid, lz4 }:
+
+stdenv.mkDerivation rec {
+  pname = "erofs-utils";
+  version = "1.2.1";
+  outputs = [ "out" "man" ];
+
+  src = fetchgit {
+    url =
+      "https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git";
+    rev = "v" + version;
+    sha256 = "1vb4mxsb59g29x7l22cffsqa8x743sra4j5zbmx89hjwpwm9vvcg";
+  };
+
+  buildInputs = [ autoreconfHook pkg-config fuse libuuid lz4 ];
+
+  configureFlags = [ "--enable-fuse" ];
+
+  meta = with lib; {
+    description = "Userspace utilities for linux-erofs file system";
+    license = with licenses; [ gpl2 ];
+    maintainers = with maintainers; [ ehmry ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/eudev/default.nix b/pkgs/os-specific/linux/eudev/default.nix
index d087a9e2e26..c8562cc5f3c 100644
--- a/pkgs/os-specific/linux/eudev/default.nix
+++ b/pkgs/os-specific/linux/eudev/default.nix
@@ -1,17 +1,17 @@
-{stdenv, fetchurl, pkgconfig, glib, gperf, utillinux, kmod}:
+{lib, stdenv, fetchurl, pkg-config, glib, gperf, util-linux, kmod}:
 let
   s = # Generated upstream information
   rec {
     baseName="eudev";
-    version = "3.2.9";
+    version = "3.2.10";
     name="${baseName}-${version}";
     url="http://dev.gentoo.org/~blueness/eudev/eudev-${version}.tar.gz";
-    sha256 = "1z6lfhhbjs6j7pbp6ybn17ywjsdl87ql6g1p3m2y26aa10cqcqc9";
+    sha256 = "sha256-h7sCjUcP0bhRaTSbRMVdW3M3M9wtUN3xGW4CZyXq0DQ=";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [
-    glib gperf utillinux kmod
+    glib gperf util-linux kmod
   ];
 in
 stdenv.mkDerivation {
@@ -49,12 +49,12 @@ stdenv.mkDerivation {
   enableParallelBuilding = true;
   meta = {
     inherit (s) version;
-    description = ''An udev fork by Gentoo'';
-    license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
-    homepage = ''https://www.gentoo.org/proj/en/eudev/'';
-    downloadPage = ''http://dev.gentoo.org/~blueness/eudev/'';
+    description = "An udev fork by Gentoo";
+    license = lib.licenses.gpl2Plus ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
+    homepage = "https://www.gentoo.org/proj/en/eudev/";
+    downloadPage = "http://dev.gentoo.org/~blueness/eudev/";
     updateWalker = true;
   };
 }
diff --git a/pkgs/os-specific/linux/evdi/default.nix b/pkgs/os-specific/linux/evdi/default.nix
index 119ba22ca26..5eb31e9422d 100644
--- a/pkgs/os-specific/linux/evdi/default.nix
+++ b/pkgs/os-specific/linux/evdi/default.nix
@@ -1,16 +1,29 @@
-{ stdenv, fetchFromGitHub, fetchpatch, kernel, libdrm }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel, libdrm }:
 
 stdenv.mkDerivation rec {
   pname = "evdi";
-  version = "unstable-20200416";
+  version = "unstable-2021-06-11";
 
   src = fetchFromGitHub {
     owner = "DisplayLink";
     repo = pname;
-    rev = "dc595db636845aef39490496bc075f6bf067106c";
-    sha256 = "1yrny6jj9403z0rxbd3nxf49xc4w0rfpl7xsq03pq32pb3vlbqw7";
+    rev = "65e12fca334f2f42396f4e8d16592d53cab34dd6";
+    sha256 = "sha256-81IfdYKadKT7vRdkmxzfGo4KHa4UJ8uJ0K6djQCr22U=";
   };
 
+  # Linux 5.13 support
+  # The patches break compilation for older kernels
+  patches = lib.optional (kernel.kernelAtLeast "5.13") [
+    (fetchpatch {
+      url = "https://github.com/DisplayLink/evdi/commit/c5f5441d0a115d2cfc8125b8bafaa05b2edc7938.patch";
+      sha256 = "sha256-tWYgBrRh3mXPebhUygOvJ07V87g9JU66hREriACfEVI=";
+    })
+    (fetchpatch {
+      url = "https://github.com/DisplayLink/evdi/commit/5f04d2e2df4cfd21dc15d31f1152c6a66fa48a78.patch";
+      sha256 = "sha256-690/eUiEVWvnT/YAVgKcLo86dgolF9giWRuPxXpL+eQ=";
+    })
+  ];
+
   nativeBuildInputs = kernel.moduleBuildDependencies;
 
   buildInputs = [ kernel libdrm ];
@@ -27,12 +40,12 @@ stdenv.mkDerivation rec {
     install -Dm755 library/libevdi.so $out/lib/libevdi.so
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Extensible Virtual Display Interface";
     maintainers = with maintainers; [ eyjhb ];
     platforms = platforms.linux;
-    license = with licenses; [ lgpl21 gpl2 ];
+    license = with licenses; [ lgpl21Only gpl2Only ];
     homepage = "https://www.displaylink.com/";
-    broken = versionOlder kernel.version "4.9" || stdenv.isAarch64;
+    broken = kernel.kernelOlder "4.19" || stdenv.isAarch64;
   };
 }
diff --git a/pkgs/os-specific/linux/eventstat/default.nix b/pkgs/os-specific/linux/eventstat/default.nix
index 6dfaa6ab38b..55b00ab8719 100644
--- a/pkgs/os-specific/linux/eventstat/default.nix
+++ b/pkgs/os-specific/linux/eventstat/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   pname = "eventstat";
-  version = "0.04.09";
+  version = "0.04.12";
   src = fetchzip {
     url = "https://kernel.ubuntu.com/~cking/tarballs/eventstat/eventstat-${version}.tar.gz";
-    sha256 = "1b3m58mak62ym2amnmk62c2d6fypk30fw6jsmirh1qz7dwix4bl5";
+    sha256 = "sha256-XBSs/jZodCpI9BHgAF8+bE23gRCr2uebYiMJxxB8T5E=";
   };
   buildInputs = [ ncurses ];
   installFlags = [ "DESTDIR=$(out)" ];
diff --git a/pkgs/os-specific/linux/exfat/default.nix b/pkgs/os-specific/linux/exfat/default.nix
index 59f9c709e5f..958bcdb9f16 100644
--- a/pkgs/os-specific/linux/exfat/default.nix
+++ b/pkgs/os-specific/linux/exfat/default.nix
@@ -5,14 +5,19 @@
 assert lib.versionAtLeast kernel.version  "4.2" || lib.versionOlder kernel.version "4.0";
 
 stdenv.mkDerivation rec {
+  # linux kernel above 5.7 comes with its own exfat implementation https://github.com/arter97/exfat-linux/issues/27
+  # Assertion moved here due to some tests unintenionally triggering it,
+  # e.g. nixosTests.kernel-latest; it's unclear how/why so far.
+  assertion = assert lib.versionOlder kernel.version "5.8"; null;
+
   name = "exfat-nofuse-${version}-${kernel.version}";
-  version = "2019-09-06";
+  version = "2020-04-15";
 
   src = fetchFromGitHub {
-    owner = "AdrianBan";
+    owner = "barrybingo";
     repo = "exfat-nofuse";
-    rev = "5536f067373c196f152061f5000fe0032dc07c48";
-    sha256 = "00mhadsv2iw8z00a6170hwbvk3afx484nn3irmd5f5kmhs34sw7k";
+    rev = "297a5739cd4a942a1d814d05a9cd9b542e7b8fc8";
+    sha256 = "14jahy7n6pr482fjfrlf9ck3f2rkr5ds0n5r85xdfsla37ria26d";
   };
 
   hardeningDisable = [ "pic" ];
@@ -21,8 +26,8 @@ stdenv.mkDerivation rec {
 
   makeFlags = [
     "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
-    "ARCH=${stdenv.hostPlatform.platform.kernelArch}"
-  ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
     "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
   ];
 
diff --git a/pkgs/os-specific/linux/extrace/default.nix b/pkgs/os-specific/linux/extrace/default.nix
index 23a9c68b5d5..8a02d9c67b1 100644
--- a/pkgs/os-specific/linux/extrace/default.nix
+++ b/pkgs/os-specific/linux/extrace/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   pname = "extrace";
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     install -m644 LICENSE "$out/share/licenses/extrace/LICENSE"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/leahneukirchen/extrace";
     description = "Trace exec() calls system-wide";
     license = with licenses; [ gpl2 bsd2 ];
diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix
index 941e71c3bfc..163001638cd 100644
--- a/pkgs/os-specific/linux/facetimehd/default.nix
+++ b/pkgs/os-specific/linux/facetimehd/default.nix
@@ -1,7 +1,7 @@
 { stdenv, lib, fetchFromGitHub, kernel }:
 
 # facetimehd is not supported for kernels older than 3.19";
-assert stdenv.lib.versionAtLeast kernel.version "3.19";
+assert lib.versionAtLeast kernel.version "3.19";
 
 let
   # Note: When updating this revision:
@@ -14,7 +14,7 @@ let
   #    e. see if the module loads back (apps using the camera won't
   #       recover and will have to be restarted) and the camera
   #       still works.
-  srcParams = if (stdenv.lib.versionAtLeast kernel.version "4.8") then
+  srcParams = if (lib.versionAtLeast kernel.version "4.8") then
     { # Use mainline branch
       version = "unstable-2020-04-16";
       rev = "82626d4892eeb9eb704538bf0dc49a00725ff451";
@@ -51,7 +51,7 @@ stdenv.mkDerivation rec {
     "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/patjak/bcwc_pcie";
     description = "Linux driver for the Facetime HD (Broadcom 1570) PCIe webcam";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/fatrace/default.nix b/pkgs/os-specific/linux/fatrace/default.nix
index 69d1afad8a6..2ae8bb2dca2 100644
--- a/pkgs/os-specific/linux/fatrace/default.nix
+++ b/pkgs/os-specific/linux/fatrace/default.nix
@@ -1,12 +1,18 @@
-{ stdenv, fetchurl, python3, which }:
+{ lib, stdenv
+, fetchFromGitHub
+, python3
+, which
+}:
 
 stdenv.mkDerivation rec {
   pname = "fatrace";
-  version = "0.13";
+  version = "0.16.3";
 
-  src = fetchurl {
-    url = "https://launchpad.net/fatrace/trunk/${version}/+download/${pname}-${version}.tar.bz2";
-    sha256 = "0hrh45bpzncw0jkxw3x2smh748r65k2yxvfai466043bi5q0d2vx";
+  src = fetchFromGitHub {
+    owner = "martinpitt";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-w7leZPdmiTc+avihP203e6GLvbRzbCtNOJdF8MM2v68=";
   };
 
   buildInputs = [ python3 which ];
@@ -14,16 +20,13 @@ stdenv.mkDerivation rec {
   postPatch = ''
     substituteInPlace power-usage-report \
       --replace "'which'" "'${which}/bin/which'"
-
-    # Avoid a glibc >= 2.25 deprecation warning that gets fatal via -Werror.
-    sed 1i'#include <sys/sysmacros.h>' -i fatrace.c
   '';
 
   makeFlags = [ "PREFIX=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Report system-wide file access events";
-    homepage = "https://launchpad.net/fatrace/";
+    homepage = "https://github.com/martinpitt/fatrace";
     license = licenses.gpl3Plus;
     longDescription = ''
       fatrace reports file access events from all running processes.
diff --git a/pkgs/os-specific/linux/fbterm/default.nix b/pkgs/os-specific/linux/fbterm/default.nix
index 2b049bc6df5..72e886b91f5 100644
--- a/pkgs/os-specific/linux/fbterm/default.nix
+++ b/pkgs/os-specific/linux/fbterm/default.nix
@@ -1,4 +1,4 @@
-{stdenv, lib, fetchurl, gpm, freetype, fontconfig, pkgconfig, ncurses, libx86}:
+{stdenv, lib, fetchurl, gpm, freetype, fontconfig, pkg-config, ncurses, libx86}:
 let
   s = # Generated upstream information
   {
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
     inherit (s) url sha256;
   };
 
-  nativeBuildInputs = [ pkgconfig ncurses ];
+  nativeBuildInputs = [ pkg-config ncurses ];
   inherit buildInputs;
 
   preConfigure = ''
@@ -51,7 +51,7 @@ stdenv.mkDerivation {
     ./select.patch
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit (s) version;
     description = "Framebuffer terminal emulator";
     homepage = "https://code.google.com/archive/p/fbterm/";
diff --git a/pkgs/os-specific/linux/ffado/default.nix b/pkgs/os-specific/linux/ffado/default.nix
index b93caccc757..e23591168f6 100644
--- a/pkgs/os-specific/linux/ffado/default.nix
+++ b/pkgs/os-specific/linux/ffado/default.nix
@@ -1,4 +1,4 @@
-{ stdenv
+{ lib
 , mkDerivation
 , dbus
 , dbus_cplusplus
@@ -11,7 +11,7 @@
 , libiec61883
 , libraw1394
 , libxmlxx3
-, pkgconfig
+, pkg-config
 , python3
 , sconsPackages
 , which
@@ -46,7 +46,7 @@ mkDerivation rec {
   nativeBuildInputs = [
     desktop-file-utils
     sconsPackages.scons_3_1_2
-    pkgconfig
+    pkg-config
     which
     python
     pyqt5
@@ -98,7 +98,7 @@ mkDerivation rec {
     wrapQtApp $bin/bin/ffado-mixer
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.ffado.org";
     description = "FireWire audio drivers";
     license = licenses.gpl3;
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 272b8612d7a..1a9b7e34f5a 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -1,36 +1,25 @@
-{stdenv, fetchurl, fetchpatch, which, nixosTests}:
-let
-  s = # Generated upstream information
-  rec {
-    baseName="firejail";
-    version="0.9.62";
-    name="${baseName}-${version}";
-    url="mirror://sourceforge/firejail/firejail/firejail-${version}.tar.xz";
-    sha256="1q2silgy882fl61p5qa9f9jqkxcqnwa71jig3c729iahx4f0hs05";
-  };
-  buildInputs = [
-    which
-  ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-    name = "${s.name}.tar.bz2";
+{ lib, stdenv, fetchFromGitHub, fetchpatch, which, xdg-dbus-proxy, nixosTests }:
+
+stdenv.mkDerivation rec {
+  pname = "firejail";
+  version = "0.9.66";
+
+  src = fetchFromGitHub {
+    owner = "netblue30";
+    repo = "firejail";
+    rev = version;
+    sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
   };
 
+  buildInputs = [ which ];
+
   patches = [
-    (fetchpatch {
-      name = "CVE-2020-17367.patch";
-      url = "https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch";
-      sha256 = "1gxz4jxp80gxnn46195qxcpmikwqab9d0ylj9zkm62lycp84ij6n";
-    })
-    (fetchpatch {
-      name = "CVE-2020-17368.patch";
-      url = "https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch";
-      sha256 = "0n4ch3qykxx870201l8lz81f7h84vk93pzz77f5cjbd30cxnbddl";
-    })
+    # Adds the /nix directory when using an overlay.
+    # Required to run any programs under this mode.
+    ./mount-nix-dir-on-overlay.patch
+    # By default fbuilder hardcodes the firejail binary to the install path.
+    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+    ./fbuilder-call-firejail-on-path.patch
   ];
 
   prePatch = ''
@@ -38,6 +27,10 @@ stdenv.mkDerivation {
     substituteInPlace etc/firejail.config --replace \
       '# follow-symlink-as-user yes' \
       'follow-symlink-as-user no'
+
+    # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+    substituteInPlace src/include/common.h \
+      --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
   '';
 
   preConfigure = ''
@@ -79,12 +72,10 @@ stdenv.mkDerivation {
   passthru.tests = nixosTests.firejail;
 
   meta = {
-    inherit (s) version;
-    description = ''Namespace-based sandboxing tool for Linux'';
-    license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    description = "Namespace-based sandboxing tool for Linux";
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
     homepage = "https://firejail.wordpress.com/";
-    downloadPage = "https://sourceforge.net/projects/firejail/files/firejail/";
   };
 }
diff --git a/pkgs/os-specific/linux/firejail/default.upstream b/pkgs/os-specific/linux/firejail/default.upstream
deleted file mode 100644
index 0e6576c44a8..00000000000
--- a/pkgs/os-specific/linux/firejail/default.upstream
+++ /dev/null
@@ -1,3 +0,0 @@
-url https://sourceforge.net/projects/firejail/files/firejail/
-version_link '[-][0-9.]+[.]tar[.][a-z0-9]+/download$'
-SF_redirect
diff --git a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
new file mode 100644
index 00000000000..6016891655b
--- /dev/null
+++ b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -0,0 +1,11 @@
+--- a/src/fbuilder/build_profile.c
++++ b/src/fbuilder/build_profile.c
+@@ -67,7 +67,7 @@
+ 		errExit("asprintf");
+ 
+ 	char *cmdlist[] = {
+-	  BINDIR "/firejail",
++	  "firejail",
+ 	  "--quiet",
+ 	  "--noprofile",
+ 	  "--caps.drop=all",
diff --git a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
new file mode 100644
index 00000000000..685314f9075
--- /dev/null
+++ b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -0,0 +1,27 @@
+--- a/src/firejail/fs.c
++++ b/src/firejail/fs.c
+@@ -1143,6 +1143,16 @@
+ 		errExit("mounting /dev");
+ 	fs_logger("whitelist /dev");
+ 
++	// mount-bind /nix
++	if (arg_debug)
++		printf("Mounting /nix\n");
++	char *nix;
++	if (asprintf(&nix, "%s/nix", oroot) == -1)
++		errExit("asprintf");
++	if (mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL) < 0)
++		errExit("mounting /nix");
++	fs_logger("whitelist /nix");
++
+ 	// mount-bind run directory
+ 	if (arg_debug)
+ 		printf("Mounting /run\n");
+@@ -1201,6 +1211,7 @@
+ 	free(odiff);
+ 	free(owork);
+ 	free(dev);
++	free(nix);
+ 	free(run);
+ 	free(tmp);
+ }
diff --git a/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix b/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
index 7cb5d2a9a40..79de65fcb98 100644
--- a/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
+++ b/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "b43-fwcutter-019";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Firmware extractor for cards supported by the b43 kernel module";
     homepage = "http://wireless.kernel.org/en/users/Drivers/b43";
-    license = stdenv.lib.licenses.free;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.free;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix b/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
index 4f03f58b11f..42444d784d5 100644
--- a/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
+++ b/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, b43FirmwareCutter }:
+{ lib, stdenv, fetchurl, b43FirmwareCutter }:
 
 let version = "5.100.138"; in
 
@@ -23,7 +23,7 @@ stdenv.mkDerivation {
   meta = {
     description = "Firmware for cards supported by the b43 kernel module";
     homepage = "http://wireless.kernel.org/en/users/Drivers/b43";
-    license = stdenv.lib.licenses.unfree;
+    license = lib.licenses.unfree;
   };
 }
 
diff --git a/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix b/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
index 3972e52977f..c0226065ea2 100644
--- a/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
+++ b/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, b43FirmwareCutter }:
+{ lib, stdenv, fetchurl, b43FirmwareCutter }:
 
 stdenv.mkDerivation rec {
   pname = "b43-firmware";
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     b43-fwcutter -w $out *.wl_apsta.o
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for cards supported by the b43 kernel module";
     homepage = "http://wireless.kernel.org/en/users/Drivers/b43";
     downloadPage = "http://www.lwfinger.com/b43-firmware";
diff --git a/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix b/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
index 314a6b7521b..5118d0a0b9b 100644
--- a/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cabextract, bt-fw-converter }:
+{ lib, stdenv, fetchurl, cabextract, bt-fw-converter }:
 
 # Kernels between 4.2 and 4.7 will not work with
 # this packages as they expect the firmware to be named "BCM.hcd"
@@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
   outputHashAlgo = "sha256";
   outputHash = "042frb2dmrqfj8q83h5p769q6hg2b3i8fgnyvs9r9a71z7pbsagq";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for Broadcom WIDCOMM® Bluetooth devices";
     homepage = "http://www.catalog.update.microsoft.com/Search.aspx?q=Broadcom+bluetooth";
     license = licenses.unfree;
diff --git a/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix b/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
index 5b4506a10ea..a28189a9e47 100644
--- a/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
+++ b/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, makeWrapper, perl, perlPackages, bluez }:
+{ lib, stdenv, fetchurl, makeWrapper, perl, perlPackages, bluez }:
 
 stdenv.mkDerivation  rec {
   pname = "bt-fw-converter";
@@ -25,11 +25,11 @@ stdenv.mkDerivation  rec {
     wrapProgram $out/bin/bt-fw-converter --set PERL5LIB $PERL5LIB
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/winterheart/broadcom-bt-firmware/";
     description = "A tool that converts hex to hcd based on inf file";
     license = licenses.mit;
     platforms = platforms.linux;
     maintainers = with maintainers; [ zraexy ];
   };
-} 
+}
diff --git a/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix b/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
index 7d735e69f56..1c3d8fbbaf7 100644
--- a/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cpio, xz, pkgs }:
+{ lib, stdenv, fetchurl, cpio, xz, pkgs }:
 
 let
 
@@ -43,7 +43,8 @@ stdenv.mkDerivation {
     curlOpts = "-r ${dmgRange}";
   };
 
-  phases = [ "buildPhase" ];
+  dontUnpack = true;
+  dontInstall = true;
 
   buildInputs = [ cpio xz ];
 
@@ -54,7 +55,7 @@ stdenv.mkDerivation {
     gunzip -c ${firmwareOut}.gz > $out/lib/firmware/facetimehd/${firmwareOut}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "facetimehd firmware";
     homepage = "https://support.apple.com/kb/DL1877";
     license = licenses.unfree;
diff --git a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
index e480b449007..4293f53e47d 100644
--- a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
@@ -1,13 +1,13 @@
-{ stdenv, fetchgit, lib }:
+{ stdenvNoCC, fetchgit, lib }:
 
-stdenv.mkDerivation rec {
+stdenvNoCC.mkDerivation rec {
   pname = "firmware-linux-nonfree";
-  version = "2020-05-19";
+  version = "2021-07-16";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
-    rev = lib.replaceStrings ["-"] [""] version;
-    sha256 = "13yrpgfqxp5l457p3s1c61is410nv0kv6picx9r0m8h1b0v6aym3";
+    rev = "refs/tags/" + lib.replaceStrings ["-"] [""] version;
+    sha256 = "185pnaqf2qmhbcdvvldmbar09zgaxhh3h8x9bxn6079bcdpaskn6";
   };
 
   installFlags = [ "DESTDIR=$(out)" ];
@@ -17,11 +17,11 @@ stdenv.mkDerivation rec {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "0pjl70nwarnknxah8vikb051c75mkg25a5m4h3344cw86x8hcx10";
+  outputHash = "0g470hj2ylpviijfpjqzsndn2k8kkscj27wqwk51xlk8cr3mrahb";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Binary firmware collection packaged by kernel.org";
-    homepage = "http://packages.debian.org/sid/firmware-linux-nonfree";
+    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
     license = licenses.unfreeRedistributableFirmware;
     platforms = platforms.linux;
     maintainers = with maintainers; [ fpletz ];
diff --git a/pkgs/os-specific/linux/firmware/firmware-manager/default.nix b/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
new file mode 100644
index 00000000000..ee36ab57442
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
@@ -0,0 +1,38 @@
+{ rustPlatform, lib, fetchFromGitHub, xz, pkg-config, openssl, dbus, glib, udev, cairo, pango, atk, gdk-pixbuf, gtk3, wrapGAppsHook }:
+rustPlatform.buildRustPackage rec {
+  pname = "firmware-manager";
+  version = "0.1.2";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-aKatdjHa/k7j48upkR1O6PFxCUfJYE3KhhzZ9Ohe0Jc=";
+  };
+
+  nativeBuildInputs = [ pkg-config wrapGAppsHook ];
+
+  buildInputs = [ xz openssl dbus glib udev cairo pango atk gdk-pixbuf gtk3 ];
+
+  depsExtraArgs.postPatch = "make prefix='$(out)' toml-gen";
+
+  postPatch = ''
+    sed -i 's|etc|$(prefix)/etc|' Makefile
+  '';
+
+  buildPhase = "make prefix='$(out)'";
+
+  installPhase = "make prefix='$(out)' install";
+
+  cargoSha256 = "sha256-BUo77ERHvuc8IkDdU3Z/gZZicNHT26IbAgEBnVM3O4U=";
+
+  doCheck = false;
+
+  meta = {
+    description = "Graphical frontend for firmware management";
+    homepage = "https://github.com/pop-os/firmware-manager";
+    license = lib.licenses.gpl3;
+    maintainers = [ lib.maintainers.shlevy ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch b/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
index a727e5f4a85..cd42f2f44e2 100644
--- a/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
+++ b/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
@@ -1,5 +1,5 @@
 diff --git a/data/meson.build b/data/meson.build
-index bb749fd4..b611875b 100644
+index 50154569..f8058a8e 100644
 --- a/data/meson.build
 +++ b/data/meson.build
 @@ -17,7 +17,7 @@ endif
@@ -73,10 +73,10 @@ index 826a3c1d..b78db663 100644
 +  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
  )
 diff --git a/meson.build b/meson.build
-index 87ea67e5..3a4374db 100644
+index b075ca89..8d504d3c 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -175,6 +175,12 @@ endif
+@@ -194,6 +194,12 @@ endif
  mandir = join_paths(prefix, get_option('mandir'))
  localedir = join_paths(prefix, get_option('localedir'))
  
@@ -90,30 +90,14 @@ index 87ea67e5..3a4374db 100644
  gio = dependency('gio-2.0', version : '>= 2.45.8')
  giounix = dependency('gio-unix-2.0', version : '>= 2.45.8', required: false)
 diff --git a/meson_options.txt b/meson_options.txt
-index 3da9b6c4..6c80275b 100644
+index bc76c0ab..8a67d012 100644
 --- a/meson_options.txt
 +++ b/meson_options.txt
-@@ -24,6 +24,7 @@ option('plugin_coreboot', type : 'boolean', value : true, description : 'enable
- option('systemd', type : 'boolean', value : true, description : 'enable systemd support')
- option('systemdunitdir', type: 'string', value: '', description: 'Directory for systemd units')
- option('elogind', type : 'boolean', value : false, description : 'enable elogind support')
+@@ -1,3 +1,4 @@
 +option('sysconfdir_install', type: 'string', value: '', description: 'sysconfdir to use during installation')
- option('tests', type : 'boolean', value : true, description : 'enable tests')
- option('udevdir', type: 'string', value: '', description: 'Directory for udev rules')
- option('efi-cc', type : 'string', value : 'gcc', description : 'the compiler to use for EFI modules')
-diff --git a/plugins/ata/meson.build b/plugins/ata/meson.build
-index 8444bb8a..fa4a8ad1 100644
---- a/plugins/ata/meson.build
-+++ b/plugins/ata/meson.build
-@@ -7,7 +7,7 @@ install_data([
- )
- 
- install_data(['ata.conf'],
--  install_dir:  join_paths(sysconfdir, 'fwupd')
-+  install_dir:  join_paths(sysconfdir_install, 'fwupd')
- )
- 
- shared_module('fu_plugin_ata',
+ option('build', type : 'combo', choices : ['all', 'standalone', 'library'], value : 'all', description : 'build type')
+ option('agent', type : 'boolean', value : true, description : 'enable the fwupd agent')
+ option('consolekit', type : 'boolean', value : true, description : 'enable ConsoleKit support')
 diff --git a/plugins/dell-esrt/meson.build b/plugins/dell-esrt/meson.build
 index ed4eee70..76dbdb1d 100644
 --- a/plugins/dell-esrt/meson.build
@@ -126,7 +110,7 @@ index ed4eee70..76dbdb1d 100644
 +  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
  )
 diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
-index 25fc5c7d..77eb9a83 100644
+index 205d1394..3223f404 100644
 --- a/plugins/redfish/meson.build
 +++ b/plugins/redfish/meson.build
 @@ -27,7 +27,7 @@ shared_module('fu_plugin_redfish',
@@ -139,10 +123,10 @@ index 25fc5c7d..77eb9a83 100644
  
  if get_option('tests')
 diff --git a/plugins/thunderbolt/meson.build b/plugins/thunderbolt/meson.build
-index 06ab34ee..297a9182 100644
+index 6b2368fb..2bd06fed 100644
 --- a/plugins/thunderbolt/meson.build
 +++ b/plugins/thunderbolt/meson.build
-@@ -46,7 +46,7 @@ executable('tbtfwucli',
+@@ -31,7 +31,7 @@ fu_plugin_thunderbolt = shared_module('fu_plugin_thunderbolt',
  )
  
  install_data(['thunderbolt.conf'],
@@ -151,14 +135,14 @@ index 06ab34ee..297a9182 100644
  )
  # we use functions from 2.52 in the tests
  if get_option('tests') and umockdev.found() and gio.version().version_compare('>= 2.52')
-diff --git a/plugins/uefi/meson.build b/plugins/uefi/meson.build
-index 5838cecc..9ba3d5cd 100644
---- a/plugins/uefi/meson.build
-+++ b/plugins/uefi/meson.build
-@@ -101,7 +101,7 @@ if get_option('man')
+diff --git a/plugins/uefi-capsule/meson.build b/plugins/uefi-capsule/meson.build
+index 0b793a07..ebd3e5ea 100644
+--- a/plugins/uefi-capsule/meson.build
++++ b/plugins/uefi-capsule/meson.build
+@@ -97,7 +97,7 @@ if get_option('man')
  endif
  
- install_data(['uefi.conf'],
+ install_data(['uefi_capsule.conf'],
 -  install_dir:  join_paths(sysconfdir, 'fwupd')
 +  install_dir:  join_paths(sysconfdir_install, 'fwupd')
  )
diff --git a/pkgs/os-specific/linux/firmware/fwupd/default.nix b/pkgs/os-specific/linux/firmware/fwupd/default.nix
index 0783fb79296..24e23f2b7e9 100644
--- a/pkgs/os-specific/linux/firmware/fwupd/default.nix
+++ b/pkgs/os-specific/linux/firmware/fwupd/default.nix
@@ -1,21 +1,20 @@
 # Updating? Keep $out/etc synchronized with passthru keys
 
-{ stdenv
+{ lib, stdenv
 , fetchurl
-, fetchpatch
+, fetchFromGitHub
 , substituteAll
 , gtk-doc
-, pkgconfig
+, pkg-config
 , gobject-introspection
-, intltool
+, gettext
 , libgudev
 , polkit
 , libxmlb
 , gusb
 , sqlite
 , libarchive
-, glib-networking
-, libsoup
+, curl
 , help2man
 , libjcat
 , libxslt
@@ -23,15 +22,15 @@
 , libsmbios
 , efivar
 , gnu-efi
-, libyaml
 , valgrind
 , meson
 , libuuid
 , colord
 , docbook_xml_dtd_43
-, docbook_xsl
+, docbook-xsl-nons
 , ninja
 , gcab
+, gnutls
 , python3
 , wrapGAppsHook
 , json-glib
@@ -67,10 +66,6 @@ let
     requests
   ]);
 
-  fontsConf = makeFontsConf {
-    fontDirectories = [ freefont_ttf ];
-  };
-
   isx86 = stdenv.isx86_64 || stdenv.isi686;
 
   # Dell isn't supported on Aarch64
@@ -79,6 +74,9 @@ let
   # only redfish for x86_64
   haveRedfish = stdenv.isx86_64;
 
+  # only use msr if x86 (requires cpuid)
+  haveMSR = isx86;
+
   # # Currently broken on Aarch64
   # haveFlashrom = isx86;
   # Experimental
@@ -93,30 +91,51 @@ let
 
   self = stdenv.mkDerivation rec {
     pname = "fwupd";
-    version = "1.4.5";
-
-    src = fetchurl {
-      url = "https://people.freedesktop.org/~hughsient/releases/fwupd-${version}.tar.xz";
-      sha256 = "0hpqxwqbbqn440c2swpnc06z8dskisrli4ynsxrzzqyp0dan46xw";
-    };
+    version = "1.5.7";
 
     # libfwupd goes to lib
     # daemon, plug-ins and libfwupdplugin go to out
     # CLI programs go to out
     outputs = [ "out" "lib" "dev" "devdoc" "man" "installedTests" ];
 
+    src = fetchurl {
+      url = "https://people.freedesktop.org/~hughsient/releases/fwupd-${version}.tar.xz";
+      sha256 = "16isrrv6zhdgccbfnz7km5g1cnvfnip7aiidkfhf5dlnrnyb2sxh";
+    };
+
+    patches = [
+      # Do not try to create useless paths in /var.
+      ./fix-paths.patch
+
+      # Allow installing
+      ./add-option-for-installation-sysconfdir.patch
+
+      # Install plug-ins and libfwupdplugin to out,
+      # they are not really part of the library.
+      ./install-fwupdplugin-to-out.patch
+
+      # Installed tests are installed to different output
+      # we also cannot have fwupd-tests.conf in $out/etc since it would form a cycle.
+      (substituteAll {
+        src = ./installed-tests-path.patch;
+        # Needs a different set of modules than po/make-images.
+        inherit installedTestsPython;
+      })
+    ];
+
     nativeBuildInputs = [
       meson
       ninja
       gtk-doc
-      pkgconfig
+      pkg-config
       gobject-introspection
-      intltool
+      gettext
       shared-mime-info
       valgrind
       gcab
+      gnutls
       docbook_xml_dtd_43
-      docbook_xsl
+      docbook-xsl-nons
       help2man
       libxslt
       python
@@ -130,15 +149,13 @@ let
       gusb
       sqlite
       libarchive
-      libsoup
+      curl
       elfutils
       gnu-efi
-      libyaml
       libgudev
       colord
       libjcat
       libuuid
-      glib-networking
       json-glib
       umockdev
       bash-completion
@@ -148,63 +165,29 @@ let
       pango
       tpm2-tss
       efivar
-    ] ++ stdenv.lib.optionals haveDell [
+    ] ++ lib.optionals haveDell [
       libsmbios
     ];
 
-    patches = [
-      ./fix-paths.patch
-      ./add-option-for-installation-sysconfdir.patch
-
-      # Install plug-ins and libfwupdplugin to out,
-      # they are not really part of the library.
-      ./install-fwupdplugin-to-out.patch
-
-      # Installed tests are installed to different output
-      # we also cannot have fwupd-tests.conf in $out/etc since it would form a cycle.
-      (substituteAll {
-        src = ./installed-tests-path.patch;
-        # Needs a different set of modules than po/make-images.
-        inherit installedTestsPython;
-      })
-    ];
-
-    postPatch = ''
-      patchShebangs \
-        contrib/get-version.py \
-        contrib/generate-version-script.py \
-        meson_post_install.sh \
-        po/make-images \
-        po/make-images.sh \
-        po/test-deps
-    '';
-
-    # /etc/os-release not available in sandbox
-    # doCheck = true;
-
-    preFixup = let
-      binPath = [
-        efibootmgr
-        bubblewrap
-        tpm2-tools
-      ] ++ stdenv.lib.optional haveFlashrom flashrom;
-    in ''
-      gappsWrapperArgs+=(
-        --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
-        # See programs reached with fu_common_find_program_in_path in source
-        --prefix PATH : "${stdenv.lib.makeBinPath binPath}"
-      )
-    '';
-
     mesonFlags = [
       "-Dgtkdoc=true"
       "-Dplugin_dummy=true"
+      # We are building the official releases.
+      "-Dsupported_build=true"
+      # Would dlopen libsoup to preserve compatibility with clients linking against older fwupd.
+      # https://github.com/fwupd/fwupd/commit/173d389fa59d8db152a5b9da7cc1171586639c97
+      "-Dsoup_session_compat=false"
       "-Dudevdir=lib/udev"
       "-Dsystemd_root_prefix=${placeholder "out"}"
       "-Dinstalled_test_prefix=${placeholder "installedTests"}"
       "-Defi-libdir=${gnu-efi}/lib"
       "-Defi-ldsdir=${gnu-efi}/lib"
       "-Defi-includedir=${gnu-efi}/include/efi"
+      "-Defi_sbat_distro_id=nixos"
+      "-Defi_sbat_distro_summary=NixOS"
+      "-Defi_sbat_distro_pkgname=fwupd"
+      "-Defi_sbat_distro_version=${version}"
+      "-Defi_sbat_distro_url=https://search.nixos.org/packages?channel=unstable&show=fwupd&from=0&size=50&sort=relevance&query=fwupd"
       "--localstatedir=/var"
       "--sysconfdir=/etc"
       "-Dsysconfdir_install=${placeholder "out"}/etc"
@@ -214,29 +197,83 @@ let
       # Our builder only adds $lib/lib to rpath but some things link
       # against libfwupdplugin which is in $out/lib.
       "-Dc_link_args=-Wl,-rpath,${placeholder "out"}/lib"
-    ] ++ stdenv.lib.optionals (!haveDell) [
+    ] ++ lib.optionals (!haveDell) [
       "-Dplugin_dell=false"
       "-Dplugin_synaptics=false"
-    ] ++ stdenv.lib.optionals (!haveRedfish) [
+    ] ++ lib.optionals (!haveRedfish) [
       "-Dplugin_redfish=false"
-    ] ++ stdenv.lib.optionals haveFlashrom [
+    ] ++ lib.optionals haveFlashrom [
       "-Dplugin_flashrom=true"
+    ] ++ lib.optionals (!haveMSR) [
+      "-Dplugin_msr=false"
     ];
 
-    FONTCONFIG_FILE = fontsConf; # Fontconfig error: Cannot load default config file
+    # TODO: wrapGAppsHook wraps efi capsule even though it is not ELF
+    dontWrapGApps = true;
+
+    # /etc/os-release not available in sandbox
+    # doCheck = true;
+
+    # Environment variables
+
+    # Fontconfig error: Cannot load default config file
+    FONTCONFIG_FILE =
+      let
+        fontsConf = makeFontsConf {
+          fontDirectories = [ freefont_ttf ];
+        };
+      in fontsConf;
 
     # error: “PolicyKit files are missing”
     # https://github.com/NixOS/nixpkgs/pull/67625#issuecomment-525788428
     PKG_CONFIG_POLKIT_GOBJECT_1_ACTIONDIR = "/run/current-system/sw/share/polkit-1/actions";
 
-    # TODO: wrapGAppsHook wraps efi capsule even though it is not elf
-    dontWrapGApps = true;
+    # Phase hooks
+
+    postPatch = ''
+      patchShebangs \
+        contrib/get-version.py \
+        contrib/generate-version-script.py \
+        meson_post_install.sh \
+        plugins/uefi-capsule/efi/generate_sbat.py \
+        plugins/uefi-capsule/efi/generate_binary.py \
+        po/make-images \
+        po/make-images.sh \
+        po/test-deps
+    '';
 
     preCheck = ''
       addToSearchPath XDG_DATA_DIRS "${shared-mime-info}/share"
     '';
 
-    # so we need to wrap the executables manually
+    postInstall =
+      let
+        testFw = fetchFromGitHub {
+          owner = "fwupd";
+          repo = "fwupd-test-firmware";
+          rev = "c13bfb26cae5f4f115dd4e08f9f00b3cb9acc25e";
+          sha256 = "US81i7mtLEe85KdWz5r+fQTk61IhqjVkzykBaBPuKL4=";
+        };
+      in ''
+        # These files have weird licenses so they are shipped separately.
+        cp --recursive --dereference "${testFw}/installed-tests/tests" "$installedTests/libexec/installed-tests/fwupd"
+      '';
+
+    preFixup = let
+      binPath = [
+        efibootmgr
+        bubblewrap
+        tpm2-tools
+      ] ++ lib.optional haveFlashrom flashrom;
+    in ''
+      gappsWrapperArgs+=(
+        --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
+        # See programs reached with fu_common_find_program_in_path in source
+        --prefix PATH : "${lib.makeBinPath binPath}"
+      )
+    '';
+
+    # Since we had to disable wrapGAppsHook, we need to wrap the executables manually.
     postFixup = ''
       find -L "$out/bin" "$out/libexec" -type f -executable -print0 \
         | while IFS= read -r -d ''' file; do
@@ -247,18 +284,18 @@ let
       done
     '';
 
+    separateDebugInfo = true;
+
     passthru = {
       filesInstalledToEtc = [
-        "fwupd/ata.conf"
         "fwupd/daemon.conf"
-        "fwupd/redfish.conf"
         "fwupd/remotes.d/lvfs-testing.conf"
         "fwupd/remotes.d/lvfs.conf"
         "fwupd/remotes.d/vendor.conf"
         "fwupd/remotes.d/vendor-directory.conf"
         "fwupd/thunderbolt.conf"
         "fwupd/upower.conf"
-        "fwupd/uefi.conf"
+        "fwupd/uefi_capsule.conf"
         "pki/fwupd/GPG-KEY-Hughski-Limited"
         "pki/fwupd/GPG-KEY-Linux-Foundation-Firmware"
         "pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service"
@@ -266,18 +303,21 @@ let
         "pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata"
         "pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service"
         "pki/fwupd-metadata/LVFS-CA.pem"
-      ] ++ stdenv.lib.optionals haveDell [
+      ] ++ lib.optionals haveDell [
         "fwupd/remotes.d/dell-esrt.conf"
+      ] ++ lib.optionals haveRedfish [
+        "fwupd/redfish.conf"
       ];
 
-      # BlacklistPlugins key in fwupd/daemon.conf
-      defaultBlacklistedPlugins = [
+      # DisabledPlugins key in fwupd/daemon.conf
+      defaultDisabledPlugins = [
         "test"
+        "test_ble"
         "invalid"
       ];
 
       tests = let
-        listToPy = list: "[${stdenv.lib.concatMapStringsSep ", " (f: "'${f}'") list}]";
+        listToPy = list: "[${lib.concatMapStringsSep ", " (f: "'${f}'") list}]";
       in {
         installedTests = nixosTests.installed-tests.fwupd;
 
@@ -295,19 +335,19 @@ let
 
           config = configparser.RawConfigParser()
           config.read('${self}/etc/fwupd/daemon.conf')
-          package_blacklisted_plugins = config.get('fwupd', 'BlacklistPlugins').rstrip(';').split(';')
-          passthru_blacklisted_plugins = ${listToPy passthru.defaultBlacklistedPlugins}
-          assert package_blacklisted_plugins == passthru_blacklisted_plugins, f'Default blacklisted plug-ins in the package {package_blacklisted_plugins} do not match those listed in passthru.defaultBlacklistedPlugins {passthru_blacklisted_plugins}'
+          package_disabled_plugins = config.get('fwupd', 'DisabledPlugins').rstrip(';').split(';')
+          passthru_disabled_plugins = ${listToPy passthru.defaultDisabledPlugins}
+          assert package_disabled_plugins == passthru_disabled_plugins, f'Default disabled plug-ins in the package {package_disabled_plugins} do not match those listed in passthru.defaultDisabledPlugins {passthru_disabled_plugins}'
 
           pathlib.Path(os.getenv('out')).touch()
         '';
       };
     };
 
-    meta = with stdenv.lib; {
+    meta = with lib; {
       homepage = "https://fwupd.org/";
       maintainers = with maintainers; [ jtojnar ];
-      license = [ licenses.gpl2 ];
+      license = licenses.lgpl21Plus;
       platforms = platforms.linux;
     };
   };
diff --git a/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch b/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
index 432056cbe7f..d8f1a533b82 100644
--- a/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
+++ b/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
@@ -1,3 +1,5 @@
+diff --git a/data/device-tests/hardware.py b/data/device-tests/hardware.py
+index 7f1e1907..10fee1b8 100755
 --- a/data/device-tests/hardware.py
 +++ b/data/device-tests/hardware.py
 @@ -1,4 +1,4 @@
@@ -6,25 +8,41 @@
  # pylint: disable=wrong-import-position,too-many-locals,unused-argument,wrong-import-order
  #
  # Copyright (C) 2017 Richard Hughes <richard@hughsie.com>
+diff --git a/data/installed-tests/meson.build b/data/installed-tests/meson.build
+index adadbcdd..1b51bb9c 100644
 --- a/data/installed-tests/meson.build
 +++ b/data/installed-tests/meson.build
-@@ -1,4 +1,4 @@
--installed_test_datadir = join_paths(datadir, 'installed-tests', 'fwupd')
-+installed_test_datadir = join_paths(get_option('installed_test_prefix'), 'share', 'installed-tests', 'fwupd')
- 
- con2 = configuration_data()
- con2.set('installedtestsdir', installed_test_datadir)
-@@ -52,5 +52,5 @@ configure_file(
+@@ -65,5 +65,5 @@ configure_file(
    output : 'fwupd-tests.conf',
    configuration : con2,
    install: true,
 -  install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
 +  install_dir: join_paths(get_option('installed_test_prefix'), 'etc', 'fwupd', 'remotes.d'),
  )
+diff --git a/meson.build b/meson.build
+index 772b7bbe..f59302cd 100644
+--- a/meson.build
++++ b/meson.build
+@@ -177,8 +177,8 @@ else
+   datadir = join_paths(prefix, get_option('datadir'))
+   sysconfdir = join_paths(prefix, get_option('sysconfdir'))
+   localstatedir = join_paths(prefix, get_option('localstatedir'))
+-  installed_test_bindir = join_paths(libexecdir, 'installed-tests', meson.project_name())
+-  installed_test_datadir = join_paths(datadir, 'installed-tests', meson.project_name())
++  installed_test_bindir = join_paths(get_option('installed_test_prefix'), 'libexec', 'installed-tests', meson.project_name())
++  installed_test_datadir = join_paths(get_option('installed_test_prefix'), 'share', 'installed-tests', meson.project_name())
+ endif
+ mandir = join_paths(prefix, get_option('mandir'))
+ localedir = join_paths(prefix, get_option('localedir'))
+diff --git a/meson_options.txt b/meson_options.txt
+index 0a0e2853..5f68d78b 100644
 --- a/meson_options.txt
 +++ b/meson_options.txt
-@@ -1,3 +1,4 @@
-+option('installed_test_prefix', type: 'string', value: '', description: 'Prefix for installed tests')
- option('build', type : 'combo', choices : ['all', 'standalone', 'library'], value : 'all', description : 'build type')
- option('agent', type : 'boolean', value : true, description : 'enable the fwupd agent')
- option('consolekit', type : 'boolean', value : true, description : 'enable ConsoleKit support')
+@@ -25,6 +26,7 @@ option('plugin_coreboot', type : 'boolean', value : true, description : 'enable
+ option('systemd', type : 'boolean', value : true, description : 'enable systemd support')
+ option('systemd_root_prefix', type: 'string', value: '', description: 'Directory to base systemd’s installation directories on')
+ option('elogind', type : 'boolean', value : false, description : 'enable elogind support')
++option('installed_test_prefix', type: 'string', description: 'Prefix for installed tests')
+ option('tests', type : 'boolean', value : true, description : 'enable tests')
+ option('tpm', type : 'boolean', value : true, description : 'enable TPM support')
+ option('udevdir', type: 'string', value: '', description: 'Directory for udev rules')
diff --git a/pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix b/pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix
index ff0081a71e1..4ef9370c844 100644
--- a/pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "openelec-dvb-firmware";
@@ -9,14 +9,16 @@ stdenv.mkDerivation rec {
     sha256 = "cef3ce537d213e020af794cecf9de207e2882c375ceda39102eb6fa2580bad8d";
   };
 
-  phases = [ "unpackPhase" "installPhase" ];
-
   installPhase = ''
+    runHook preInstall
+
     DESTDIR="$out" ./install
     find $out \( -name 'README.*' -or -name 'LICEN[SC]E.*' -or -name '*.txt' \) | xargs rm
+
+    runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "DVB firmware from OpenELEC";
     homepage = "https://github.com/OpenELEC/dvb-firmware";
     license = licenses.unfreeRedistributableFirmware;
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix b/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
index 23338684764..e6a03ef7df5 100644
--- a/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
+++ b/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
@@ -1,23 +1,23 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation {
   pname = "raspberrypi-wireless-firmware";
-  version = "2019-08-16";
+  version = "2021-01-28";
 
   srcs = [
     (fetchFromGitHub {
       name = "bluez-firmware";
       owner = "RPi-Distro";
       repo = "bluez-firmware";
-      rev = "96eefffcccc725425fd83be5e0704a5c32b79e54";
-      sha256 = "05h57gcxhb2c84h99cyxxx4mzi6kd5fm8pjqkz3nq5vs3nv8cqhr";
+      rev = "e7fd166981ab4bb9a36c2d1500205a078a35714d";
+      sha256 = "1dkg8mzn7n4afi50ibrda2s33nw2qj52jjjdv9w560q601gms47b";
     })
     (fetchFromGitHub {
       name = "firmware-nonfree";
       owner = "RPi-Distro";
       repo = "firmware-nonfree";
-      rev = "130cb86fa30cafbd575d38865fa546350d4c5f9c";
-      sha256 = "0jmhgbpldzz8n8lncpzwfl5ym8zgss05y952rfpwcf9v5c7vgabx";
+      rev = "83938f78ca2d5a0ffe0c223bb96d72ccc7b71ca5";
+      sha256 = "1l4zz86y2hjyvdwjy75abyjwh3wqknd71y3vh1iw5nd0hws8ranp";
     })
   ];
 
@@ -41,10 +41,10 @@ stdenv.mkDerivation {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "1r4alf1fbj6vkkf54d0anm47ymb6gn2ykl4a2hhd34b0hnf1dnhn";
+  outputHash = "0a54gyrq6jfxxvimaa4yjfiyfwf7wv58v0a32l74yrzyarr3ldby";
 
-  meta = with stdenv.lib; {
-    description = "Firmware for builtin Wifi/Bluetooth devices in the Raspberry Pi 3 and Zero W";
+  meta = with lib; {
+    description = "Firmware for builtin Wifi/Bluetooth devices in the Raspberry Pi 3+ and Zero W";
     homepage = "https://github.com/RPi-Distro/firmware-nonfree";
     license = licenses.unfreeRedistributableFirmware;
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix b/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix
new file mode 100644
index 00000000000..52fa4266577
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config }:
+
+let
+  inherit (lib) optionals;
+in
+stdenv.mkDerivation {
+  pname = "raspberrypi-armstubs";
+  version = "2020-10-08";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "tools";
+    rev = "fc0e73c13865450e95edd046200e42a6e52d8256";
+    sha256 = "1g6ikpjcrm5x0rk5aiwjdd8grf997qkvgamcrdxy6k9ln746h25s";
+  };
+
+  NIX_CFLAGS_COMPILE = [
+    "-march=armv8-a+crc"
+  ];
+
+  preConfigure = ''
+    cd armstubs
+  '';
+
+  makeFlags = [
+    "CC8=${stdenv.cc.targetPrefix}cc"
+    "LD8=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY8=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP8=${stdenv.cc.targetPrefix}objdump"
+    "CC7=${stdenv.cc.targetPrefix}cc"
+    "LD7=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY7=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP7=${stdenv.cc.targetPrefix}objdump"
+  ]
+  ++ optionals (stdenv.isAarch64) [ "armstub8.bin" "armstub8-gic.bin" ]
+  ++ optionals (stdenv.isAarch32) [ "armstub7.bin" "armstub8-32.bin" "armstub8-32-gic.bin" ]
+  ;
+
+  installPhase = ''
+    mkdir -vp $out/
+    cp -v *.bin $out/
+  '';
+
+  meta = with lib; {
+    description = "Firmware related ARM stubs for the Raspberry Pi";
+    homepage = https://github.com/raspberrypi/tools;
+    license = licenses.bsd3;
+    platforms = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
+    maintainers = with maintainers; [ samueldr ];
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi/default.nix b/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
index 77a28444636..6a826f63966 100644
--- a/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
+++ b/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
@@ -1,14 +1,15 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenvNoCC, fetchFromGitHub }:
 
-stdenv.mkDerivation rec {
+stdenvNoCC.mkDerivation rec {
+  # NOTE: this should be updated with linux_rpi
   pname = "raspberrypi-firmware";
-  version = "1.20200601";
+  version = "1.20210303";
 
   src = fetchFromGitHub {
     owner = "raspberrypi";
     repo = "firmware";
     rev = version;
-    sha256 = "1vm038f9digwg8gdxl2bypzlip3ycjb6bl56274gh5i9abl6wjvf";
+    sha256 = "0pgiw93hq4gfph5dnwbi8w59g0f7yhmagwzam971k529mh5yl86m";
   };
 
   installPhase = ''
@@ -16,11 +17,14 @@ stdenv.mkDerivation rec {
     cp -R boot/* $out/share/raspberrypi/boot
   '';
 
-  meta = with stdenv.lib; {
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  meta = with lib; {
     description = "Firmware for the Raspberry Pi board";
     homepage = "https://github.com/raspberrypi/firmware";
     license = licenses.unfreeRedistributableFirmware; # See https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
-    platforms = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
-    maintainers = with maintainers; [ dezgeg tavyc ];
+    maintainers = with maintainers; [ dezgeg ];
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix b/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix
deleted file mode 100644
index 6c4d49e4e24..00000000000
--- a/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ stdenv, fetchFromGitHub, cmake, pkgconfig }:
-
-stdenv.mkDerivation {
-  pname = "raspberrypi-tools";
-  version = "2020-05-28";
-
-  src = fetchFromGitHub {
-    owner = "raspberrypi";
-    repo = "userland";
-    rev = "f97b1af1b3e653f9da2c1a3643479bfd469e3b74";
-    sha256 = "1r7n05rv96hqjq0rn0qzchmfqs0j7vh3p8jalgh66s6l0vms5mwy";
-  };
-
-  nativeBuildInputs = [ cmake pkgconfig ];
-
-  preConfigure = ''
-    cmakeFlagsArray+=("-DVMCS_INSTALL_PREFIX=$out")
-  '' + stdenv.lib.optionalString stdenv.isAarch64 ''
-    cmakeFlagsArray+=("-DARM64=1")
-  '';
-
-  meta = with stdenv.lib; {
-    description = "Userland tools for the Raspberry Pi board";
-    homepage = "https://github.com/raspberrypi/userland";
-    license = licenses.bsd3;
-    platforms = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
-    maintainers = with maintainers; [ dezgeg tavyc ];
-  };
-}
diff --git a/pkgs/os-specific/linux/firmware/rt5677/default.nix b/pkgs/os-specific/linux/firmware/rt5677/default.nix
index af0c07d1059..f5d84179fd2 100644
--- a/pkgs/os-specific/linux/firmware/rt5677/default.nix
+++ b/pkgs/os-specific/linux/firmware/rt5677/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit }:
+{ lib, stdenv, fetchgit }:
 
 stdenv.mkDerivation {
   name = "rt5677-firmware";
@@ -15,7 +15,7 @@ stdenv.mkDerivation {
     cp ./firmware/rt5677_elf_vad $out/lib/firmware
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for Realtek rt5677 device";
     license = licenses.unfreeRedistributableFirmware;
     maintainers = [ maintainers.zohl ];
diff --git a/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
index 9b68a49266f..34c2b683ea4 100644
--- a/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchFromGitHub }:
-with stdenv.lib;
+{ lib, stdenv, fetchFromGitHub }:
+with lib;
 stdenv.mkDerivation {
   name = "rtl8192su-unstable-2016-10-05";
 
@@ -26,7 +26,7 @@ stdenv.mkDerivation {
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for Realtek RTL8188SU/RTL8191SU/RTL8192SU";
     homepage = "https://github.com/chunkeey/rtl8192su";
     license = licenses.unfreeRedistributableFirmware;
diff --git a/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix
index f95d1efcef7..36580d4b1b9 100644
--- a/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, linuxPackages }:
-with stdenv.lib;
+{ lib, stdenv, linuxPackages }:
+with lib;
 stdenv.mkDerivation {
   name = "rtl8723bs-firmware-${linuxPackages.rtl8723bs.version}";
   inherit (linuxPackages.rtl8723bs) src;
@@ -12,7 +12,7 @@ stdenv.mkDerivation {
     cp rtl8723bs_wowlan.bin "$out/lib/firmware/rtlwifi"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for RealTek 8723bs";
     homepage = "https://github.com/hadess/rtl8723bs";
     license = licenses.unfreeRedistributableFirmware;
diff --git a/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix
new file mode 100644
index 00000000000..f2dd36a0e06
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  name = "rtl8761b-firmware";
+
+  src = fetchFromGitHub {
+    owner = "Realtek-OpenSource";
+    repo = "android_hardware_realtek";
+    rev = "rtk1395";
+    sha256 = "sha256-vd9sZP7PGY+cmnqVty3sZibg01w8+UNinv8X85B+dzc=";
+  };
+
+  installPhase = ''
+    install -D -pm644 \
+      bt/rtkbt/Firmware/BT/rtl8761b_fw \
+      $out/lib/firmware/rtl_bt/rtl8761b_fw.bin
+
+    install -D -pm644 \
+      bt/rtkbt/Firmware/BT/rtl8761b_config \
+      $out/lib/firmware/rtl_bt/rtl8761b_config.bin
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Realtek RTL8761b";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ edibopp ];
+    platforms = with platforms; linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix
deleted file mode 100644
index 673ef686e48..00000000000
--- a/pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ stdenv, lib, linuxPackages }:
-
-with lib;
-
-stdenv.mkDerivation rec {
-  name = "rtlwifi_new-firmware-${linuxPackages.rtlwifi_new.version}";
-  inherit (linuxPackages.rtlwifi_new) src;
-
-  dontBuild = true;
-
-  installPhase = ''
-    mkdir -p "$out/lib/firmware"
-    cp -rf firmware/rtlwifi/ "$out/lib/firmware"
-  '';
-
-  meta = {
-    description = "Firmware for the newest Realtek rtlwifi codes";
-    inherit (src.meta) homepage;
-    license = licenses.unfreeRedistributableFirmware;
-    platforms = with platforms; linux;
-    maintainers = with maintainers; [ tvorog ];
-  };
-}
diff --git a/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
new file mode 100644
index 00000000000..b4e07624b6e
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
@@ -0,0 +1,25 @@
+{ stdenvNoCC, lib, linuxPackages }:
+
+stdenvNoCC.mkDerivation {
+  pname = "rtw88-firmware";
+  inherit (linuxPackages.rtw88) version src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/rtw88
+    cp *.bin $out/lib/firmware/rtw88
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware for the newest Realtek rtlwifi codes";
+    homepage = "https://github.com/lwfinger/rtw88";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix
new file mode 100644
index 00000000000..8e71770df9c
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix
@@ -0,0 +1,25 @@
+{ stdenvNoCC, lib, linuxPackages }:
+
+stdenvNoCC.mkDerivation {
+  pname = "rtw89-firmware";
+  inherit (linuxPackages.rtw89) version src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/rtw89
+    cp *.bin $out/lib/firmware/rtw89
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Driver for Realtek 8852AE, an 802.11ax device";
+    homepage = "https://github.com/lwfinger/rtw89";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/sof-firmware/default.nix b/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
index a9fc44e48cc..2409d9b1aba 100644
--- a/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
@@ -1,33 +1,29 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
-with stdenv.lib;
 stdenv.mkDerivation rec {
   pname = "sof-firmware";
-  version = "1.5.1";
+  version = "1.7";
 
   src = fetchFromGitHub {
     owner = "thesofproject";
     repo = "sof-bin";
-    rev = "ae61d2778b0a0f47461a52da0d1f191f651e0763";
-    sha256 = "0j6bpwz49skvdvian46valjw4anwlrnkq703n0snkbngmq78prba";
+    rev = "v${version}";
+    sha256 = "sha256-Z0Z4HLsIIuW8E1kFNhAECmzj1HkJVfbEw13B8V7PZLk=";
   };
 
-  phases = [ "unpackPhase" "installPhase" ];
+  dontFixup = true; # binaries must not be stripped or patchelfed
 
   installPhase = ''
-    mkdir -p $out/lib/firmware/intel
-
-    sed -i 's/ROOT=.*$/ROOT=$out/g' go.sh
-    sed -i 's/VERSION=.*$/VERSION=v${version}/g' go.sh
-
-    ./go.sh
+    mkdir -p $out/lib/firmware/intel/
+    cp -a sof-v${version} $out/lib/firmware/intel/sof
+    cp -a sof-tplg-v${version} $out/lib/firmware/intel/sof-tplg
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Sound Open Firmware";
     homepage = "https://www.sofproject.org/";
     license = with licenses; [ bsd3 isc ];
-    maintainers = with maintainers; [ lblasc evenbrenden ];
+    maintainers = with maintainers; [ lblasc evenbrenden hmenke ];
     platforms = with platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/system76-firmware/default.nix b/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
new file mode 100644
index 00000000000..ca750d89cc5
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
@@ -0,0 +1,39 @@
+{ rustPlatform, lib, fetchFromGitHub, xz, pkg-config, openssl, dbus, efibootmgr, makeWrapper }:
+rustPlatform.buildRustPackage rec {
+  pname = "system76-firmware";
+  # Check Makefile when updating, make sure postInstall matches make install
+  version = "1.0.24";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-Poe18HKEQusvN3WF4ZAV1WCvU8/3HKpHEqDsfDO62V0=";
+  };
+
+  nativeBuildInputs = [ pkg-config makeWrapper ];
+
+  buildInputs = [ xz openssl dbus ];
+
+  cargoBuildFlags = [ "--workspace" ];
+
+  cargoSha256 = "sha256-gGw3zpxLxQZ3rglpDERO0fSxBOez1Q10Fljis6nyB/4=";
+
+  # Purposefully don't install systemd unit file, that's for NixOS
+  postInstall = ''
+    install -D -m -0644 data/system76-firmware-daemon.conf $out/etc/dbus-1/system.d/system76-firmware-daemon.conf
+
+    for bin in $out/bin/system76-firmware-*
+    do
+      wrapProgram $bin --prefix PATH : "${efibootmgr}/bin"
+    done
+  '';
+
+  meta = with lib; {
+    description = "Tools for managing firmware updates for system76 devices";
+    homepage = "https://github.com/pop-os/system76-firmware";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ shlevy ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/zd1211/default.nix b/pkgs/os-specific/linux/firmware/zd1211/default.nix
index d6963c8eb78..15e53557126 100644
--- a/pkgs/os-specific/linux/firmware/zd1211/default.nix
+++ b/pkgs/os-specific/linux/firmware/zd1211/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   pname = "zd1211-firmware";
@@ -19,6 +19,6 @@ in fetchzip rec {
     description = "Firmware for the ZyDAS ZD1211(b) 802.11a/b/g USB WLAN chip";
     homepage = "https://sourceforge.net/projects/zd1211/";
     license = "GPL";
-    platforms = stdenv.lib.platforms.linux;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/flashbench/default.nix b/pkgs/os-specific/linux/flashbench/default.nix
index 70ad779c239..619aea69aa6 100644
--- a/pkgs/os-specific/linux/flashbench/default.nix
+++ b/pkgs/os-specific/linux/flashbench/default.nix
@@ -1,27 +1,31 @@
-{ stdenv, fetchgit }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation {
-  pname = "flashbench";
-  version = "2012-06-06";
+  pname = "flashbench-unstable";
+  version = "2020-01-23";
 
-  src = fetchgit {
-    url = "https://github.com/bradfa/flashbench.git";
-    rev = "2e30b1968a66147412f21002ea844122a0d5e2f0";
-    sha256 = "037rhd2alwfip9qk78cy8fwwnc2kdyzccsyc7v2zpmvl4vvpvnhg";
+  src = fetchFromGitHub {
+    owner = "bradfa";
+    repo = "flashbench";
+    rev = "d783b1bd2443812c6deadc31b081f043e43e4c1a";
+    sha256 = "045j1kpay6x2ikz8x54ph862ymfy1nzpbmmqpf3nkapiv32fjqw5";
   };
 
   installPhase = ''
+    runHook preInstall
+
     install -d -m755 $out/bin $out/share/doc/flashbench
     install -v -m755 flashbench $out/bin
     install -v -m755 erase $out/bin/flashbench-erase
     install -v -m644 README $out/share/doc/flashbench
+
+    runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Testing tool for flash based memory devices";
     homepage = "https://github.com/bradfa/flashbench";
     platforms = platforms.linux;
-    license = licenses.gpl2;
-    maintainers = [ maintainers.rycee ];
+    license = licenses.gpl2Only;
   };
 }
diff --git a/pkgs/os-specific/linux/fnotifystat/default.nix b/pkgs/os-specific/linux/fnotifystat/default.nix
index f01c96259a8..baa92decd9f 100644
--- a/pkgs/os-specific/linux/fnotifystat/default.nix
+++ b/pkgs/os-specific/linux/fnotifystat/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   pname = "fnotifystat";
-  version = "0.02.06";
+  version = "0.02.07";
   src = fetchurl {
     url = "https://kernel.ubuntu.com/~cking/tarballs/fnotifystat/fnotifystat-${version}.tar.gz";
-    sha256 = "1mr2qzh8r8qq7haz4qgci2k5lcrcy493fm0m3ri40a81vaajfniy";
+    sha256 = "0ipfg2gymbgx7bqlx1sq5p2y89k5j18iqnb0wa27n5s3kh9sh8w0";
   };
   installFlags = [ "DESTDIR=$(out)" ];
   postInstall = ''
diff --git a/pkgs/os-specific/linux/forkstat/default.nix b/pkgs/os-specific/linux/forkstat/default.nix
index d42091085ba..09c9c660285 100644
--- a/pkgs/os-specific/linux/forkstat/default.nix
+++ b/pkgs/os-specific/linux/forkstat/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   pname = "forkstat";
-  version = "0.02.15";
+  version = "0.02.16";
   src = fetchurl {
     url = "https://kernel.ubuntu.com/~cking/tarballs/forkstat/forkstat-${version}.tar.xz";
-    sha256 = "11dvg7bbklpfywx6i6vb29vvc28pbfk3mff0g18n5imxvzsd7jxs";
+    sha256 = "1rrzvlws9725dy2jq5k4zfv669ngrb2klhla6wvir8nwh53jms4w";
   };
   installFlags = [ "DESTDIR=$(out)" ];
   postInstall = ''
diff --git a/pkgs/os-specific/linux/forktty/default.nix b/pkgs/os-specific/linux/forktty/default.nix
index 66570bac942..c2e49399582 100644
--- a/pkgs/os-specific/linux/forktty/default.nix
+++ b/pkgs/os-specific/linux/forktty/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 let
   s = # Generated upstream information
   rec {
@@ -28,9 +28,9 @@ stdenv.mkDerivation {
   makeFlags = [ "prefix=$(out)" "manprefix=$(out)/share/" ];
   meta = {
     inherit (s) version;
-    description = ''Tool to detach from controlling TTY and attach to another'';
-    license = stdenv.lib.licenses.gpl2 ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    description = "Tool to detach from controlling TTY and attach to another";
+    license = lib.licenses.gpl2 ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/freefall/default.nix b/pkgs/os-specific/linux/freefall/default.nix
index a6c5a6593d1..683b599e5be 100644
--- a/pkgs/os-specific/linux/freefall/default.nix
+++ b/pkgs/os-specific/linux/freefall/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, kernel }:
+{ lib, stdenv, kernel }:
 
 stdenv.mkDerivation {
   inherit (kernel) version src;
@@ -15,7 +15,7 @@ stdenv.mkDerivation {
 
   makeFlags = [ "PREFIX=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit (kernel.meta) homepage license;
 
     description = "Free-fall protection for spinning HP/Dell laptop hard drives";
diff --git a/pkgs/os-specific/linux/fscrypt/default.nix b/pkgs/os-specific/linux/fscrypt/default.nix
index 1086e5ece04..7528fae6bdd 100644
--- a/pkgs/os-specific/linux/fscrypt/default.nix
+++ b/pkgs/os-specific/linux/fscrypt/default.nix
@@ -1,16 +1,16 @@
-{ stdenv, buildGoModule, fetchFromGitHub, gnum4, pam, fscrypt-experimental }:
+{ lib, buildGoModule, fetchFromGitHub, gnum4, pam, fscrypt-experimental }:
 
 # Don't use this for anything important yet!
 
 buildGoModule rec {
   pname = "fscrypt";
-  version = "0.2.9";
+  version = "0.3.0";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "fscrypt";
     rev = "v${version}";
-    sha256 = "020hhdarbn3bwlc2j2g89868v8nfx8562z1a778ihpvvsa4ykr31";
+    sha256 = "1zdadi9f7wj6kgmmk9zlkpdm1lb3gfiscg9gkqqdql2si7y6g2nq";
   };
 
   postPatch = ''
@@ -34,11 +34,7 @@ buildGoModule rec {
     make install
   '';
 
-  preFixup = ''
-    remove-references-to -t ${fscrypt-experimental.go} $out/lib/security/pam_fscrypt.so
-  '';
-
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description =
       "A high-level tool for the management of Linux filesystem encryption";
     longDescription = ''
diff --git a/pkgs/os-specific/linux/fscryptctl/default.nix b/pkgs/os-specific/linux/fscryptctl/default.nix
index ecab0350d78..bd1b414f4cb 100644
--- a/pkgs/os-specific/linux/fscryptctl/default.nix
+++ b/pkgs/os-specific/linux/fscryptctl/default.nix
@@ -1,28 +1,38 @@
-{ stdenv, fetchFromGitHub }:
-
-# Don't use this for anything important yet!
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
-  pname = "fscryptctl-unstable";
-  version = "2017-10-23";
+  pname = "fscryptctl";
+  version = "1.0.0";
 
   goPackagePath = "github.com/google/fscrypt";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "fscryptctl";
-    rev = "142326810eb19d6794793db6d24d0775a15aa8e5";
-    sha256 = "1853hlpklisbqnkb7a921dsf0vp2nr2im26zpmrs592cnpsvk3hb";
+    rev = "v${version}";
+    sha256 = "1hwj726mm0yhlcf6523n07h0yq1rvkv4km64h3ydpjcrcxklhw6l";
   };
 
-  makeFlags = [ "DESTDIR=$(out)/bin" ];
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
-  meta = with stdenv.lib; {
-    description = ''
-      A low-level tool that handles raw keys and manages policies for Linux
-      filesystem encryption
+  meta = with lib; {
+    description = "Small C tool for Linux filesystem encryption";
+    longDescription = ''
+      fscryptctl is a low-level tool written in C that handles raw keys and
+      manages policies for Linux filesystem encryption, specifically the
+      "fscrypt" kernel interface which is supported by the ext4, f2fs, and
+      UBIFS filesystems.
+      fscryptctl is mainly intended for embedded systems which can't use the
+      full-featured fscrypt tool, or for testing or experimenting with the
+      kernel interface to Linux filesystem encryption. fscryptctl does not
+      handle key generation, key stretching, key wrapping, or PAM integration.
+      Most users should use the fscrypt tool instead, which supports these
+      features and generally is much easier to use.
+      As fscryptctl is intended for advanced users, you should read the kernel
+      documentation for filesystem encryption before using fscryptctl.
     '';
     inherit (src.meta) homepage;
+    changelog = "https://github.com/google/fscryptctl/releases/tag/v{version}";
     license = licenses.asl20;
     platforms = platforms.linux;
     maintainers = with maintainers; [ primeos ];
diff --git a/pkgs/os-specific/linux/fscryptctl/legacy.nix b/pkgs/os-specific/linux/fscryptctl/legacy.nix
new file mode 100644
index 00000000000..64a409fb58b
--- /dev/null
+++ b/pkgs/os-specific/linux/fscryptctl/legacy.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+# Don't use this for anything important!
+# TODO: Drop fscryptctl-experimental after the NixOS 21.03/21.05 release.
+
+stdenv.mkDerivation rec {
+  pname = "fscryptctl";
+  version = "0.1.0";
+
+  goPackagePath = "github.com/google/fscrypt";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "fscryptctl";
+    rev = "v${version}";
+    sha256 = "1853hlpklisbqnkb7a921dsf0vp2nr2im26zpmrs592cnpsvk3hb";
+  };
+
+  makeFlags = [ "DESTDIR=$(out)/bin" ];
+
+  meta = with lib; {
+    description = "Small C tool for Linux filesystem encryption";
+    longDescription = ''
+      fscryptctl is a low-level tool written in C that handles raw keys and
+      manages policies for Linux filesystem encryption, specifically the
+      "fscrypt" kernel interface which is supported by the ext4, f2fs, and
+      UBIFS filesystems.
+      fscryptctl is mainly intended for embedded systems which can't use the
+      full-featured fscrypt tool, or for testing or experimenting with the
+      kernel interface to Linux filesystem encryption. fscryptctl does not
+      handle key generation, key stretching, key wrapping, or PAM integration.
+      Most users should use the fscrypt tool instead, which supports these
+      features and generally is much easier to use.
+      As fscryptctl is intended for advanced users, you should read the kernel
+      documentation for filesystem encryption before using fscryptctl.
+    '';
+    inherit (src.meta) homepage;
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+    knownVulnerabilities = [ ''
+      fscryptctl version 1.0.0 was released and now uses v2 encryption
+      policies. fscryptctl-experimental will remain at version 0.1.0 which
+      still supports the v1 encryption policies. Please try to switch from the
+      "fscryptctl-experimental" package to "fscryptctl". The v1 encryption
+      policies can be insecure, are hard to use correctly, and have different
+      semantics from v2 policies (which is why they are no longer supported in
+      fscryptctl 1.0.0+).
+    '' ];
+  };
+}
diff --git a/pkgs/os-specific/linux/fswebcam/default.nix b/pkgs/os-specific/linux/fswebcam/default.nix
index 53a1bdbc4c7..18cdc21f0b6 100644
--- a/pkgs/os-specific/linux/fswebcam/default.nix
+++ b/pkgs/os-specific/linux/fswebcam/default.nix
@@ -1,11 +1,11 @@
-{ stdenv, fetchurl, libv4l, gd }:
+{ lib, stdenv, fetchurl, libv4l, gd }:
 
 stdenv.mkDerivation rec {
-  name = "fswebcam-20140113";
+  name = "fswebcam-20200725";
 
   src = fetchurl {
     url = "https://www.sanslogic.co.uk/fswebcam/files/${name}.tar.gz";
-    sha256 = "3ee389f72a7737700d22e0c954720b1e3bbadc8a0daad6426c25489ba9dc3199";
+    sha256 = "1dazsrcaw9s30zz3jpxamk9lkff5dkmflp1s0jjjvdbwa0k6k6ii";
   };
 
   buildInputs =
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Neat and simple webcam app";
     homepage = "http://www.sanslogic.co.uk/fswebcam";
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2;
   };
 }
diff --git a/pkgs/os-specific/linux/ftop/default.nix b/pkgs/os-specific/linux/ftop/default.nix
index d7791cd1a62..abd6d788461 100644
--- a/pkgs/os-specific/linux/ftop/default.nix
+++ b/pkgs/os-specific/linux/ftop/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, ncurses }:
+{ lib, stdenv, fetchurl, ncurses }:
 
 stdenv.mkDerivation rec {
   pname = "ftop";
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
     substituteInPlace configure --replace "curses" "ncurses"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Show progress of open files and file systems";
     homepage = "https://code.google.com/archive/p/ftop/";
     license = licenses.gpl3Plus;
diff --git a/pkgs/os-specific/linux/fuse/common.nix b/pkgs/os-specific/linux/fuse/common.nix
index 2010be53c2d..5adb1b5355a 100644
--- a/pkgs/os-specific/linux/fuse/common.nix
+++ b/pkgs/os-specific/linux/fuse/common.nix
@@ -1,14 +1,14 @@
 { version, sha256Hash }:
 
-{ stdenv, fetchFromGitHub, fetchpatch
-, fusePackages, utillinux, gettext
+{ lib, stdenv, fetchFromGitHub, fetchpatch
+, fusePackages, util-linux, gettext, shadow
 , meson, ninja, pkg-config
 , autoreconfHook
 , python3Packages, which
 }:
 
 let
-  isFuse3 = stdenv.lib.hasPrefix "3" version;
+  isFuse3 = lib.hasPrefix "3" version;
 in stdenv.mkDerivation rec {
   pname = "fuse";
   inherit version;
@@ -23,7 +23,7 @@ in stdenv.mkDerivation rec {
   preAutoreconf = "touch config.rpath";
 
   patches =
-    stdenv.lib.optional
+    lib.optional
       (!isFuse3 && stdenv.isAarch64)
       (fetchpatch {
         url = "https://github.com/libfuse/libfuse/commit/914871b20a901e3e1e981c92bc42b1c93b7ab81b.patch";
@@ -37,9 +37,9 @@ in stdenv.mkDerivation rec {
     then [ meson ninja pkg-config ]
     else [ autoreconfHook gettext ];
 
-  outputs = [ "out" ] ++ stdenv.lib.optional isFuse3 "common";
+  outputs = [ "out" ] ++ lib.optional isFuse3 "common";
 
-  mesonFlags = stdenv.lib.optionals isFuse3 [
+  mesonFlags = lib.optionals isFuse3 [
     "-Dudevrulesdir=/udev/rules.d"
     "-Duseroot=false"
   ];
@@ -54,17 +54,14 @@ in stdenv.mkDerivation rec {
     # $PATH, so it should also work on non-NixOS systems.
     export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\""
 
-    sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c
+    substituteInPlace lib/mount_util.c --replace "/bin/" "${util-linux}/bin/"
     '' + (if isFuse3 then ''
       # The configure phase will delete these files (temporary workaround for
       # ./fuse3-install_man.patch)
       install -D -m444 doc/fusermount3.1 $out/share/man/man1/fusermount3.1
       install -D -m444 doc/mount.fuse3.8 $out/share/man/man8/mount.fuse3.8
-
-      # TODO: Temporary version fix:
-      substituteInPlace meson.build \
-        --replace "version: '3.9.3'" "version: '${version}'"
     '' else ''
+      substituteInPlace util/mount.fuse.c --replace '"su"' '"${shadow.su}/bin/su"'
       sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
       ./makeconf.sh
     '');
@@ -85,9 +82,7 @@ in stdenv.mkDerivation rec {
     cp ${fusePackages.fuse_3.common}/etc/udev/rules.d/99-fuse.rules etc/udev/rules.d/99-fuse.rules
   '');
 
-  enableParallelBuilding = true;
-
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Library that allows filesystems to be implemented in user space";
     longDescription = ''
       FUSE (Filesystem in Userspace) is an interface for userspace programs to
@@ -100,7 +95,7 @@ in stdenv.mkDerivation rec {
     inherit (src.meta) homepage;
     changelog = "https://github.com/libfuse/libfuse/releases/tag/fuse-${version}";
     platforms = platforms.linux;
-    license = with licenses; [ gpl2 lgpl21 ];
+    license = with licenses; [ gpl2Only lgpl21Only ];
     maintainers = [ maintainers.primeos ];
   };
 }
diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix
index 8c342743dfc..b060b908284 100644
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@@ -1,8 +1,8 @@
-{ callPackage, utillinux }:
+{ callPackage, util-linux }:
 
 let
   mkFuse = args: callPackage (import ./common.nix args) {
-    inherit utillinux;
+    inherit util-linux;
   };
 in {
   fuse_2 = mkFuse {
@@ -11,7 +11,7 @@ in {
   };
 
   fuse_3 = mkFuse {
-    version = "3.9.4";
-    sha256Hash = "1j11niqw3p94yd6mfdrkdra0nic8a38fc179y5h9yz81q39m2f3b";
+    version = "3.10.4";
+    sha256Hash = "1ml4bs4wx5dbz5xpnd5g8b9avmn7g7jvf16fbdlk0da8il0qd2rx";
   };
 }
diff --git a/pkgs/os-specific/linux/fwts/default.nix b/pkgs/os-specific/linux/fwts/default.nix
index fd62f07cd9c..1b5a0e3bdff 100644
--- a/pkgs/os-specific/linux/fwts/default.nix
+++ b/pkgs/os-specific/linux/fwts/default.nix
@@ -1,17 +1,17 @@
-{ stdenv, fetchzip, autoreconfHook, pkgconfig, glib, libtool, pcre
+{ lib, stdenv, fetchzip, autoreconfHook, pkg-config, glib, libtool, pcre
 , json_c, flex, bison, dtc, pciutils, dmidecode, iasl, libbsd }:
 
 stdenv.mkDerivation rec {
   pname = "fwts";
-  version = "20.07.00";
+  version = "20.11.00";
 
   src = fetchzip {
     url = "http://fwts.ubuntu.com/release/${pname}-V${version}.tar.gz";
-    sha256 = "0azhcnlfziwn8wvw3fly2jfjyg53m8zba3jlcxgzrasgb0kvzb1c";
+    sha256 = "0s8iz6c9qhyndcsjscs3qail2mzfywpbiys1x232igm5kl089vvr";
     stripRoot = false;
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig libtool ];
+  nativeBuildInputs = [ autoreconfHook pkg-config libtool ];
   buildInputs = [ glib pcre json_c flex bison dtc pciutils dmidecode iasl libbsd ];
 
   postPatch = ''
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://wiki.ubuntu.com/FirmwareTestSuite";
     description = "Firmware Test Suite";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/fwts/module.nix b/pkgs/os-specific/linux/fwts/module.nix
index ef90e0c303b..737d3316e21 100644
--- a/pkgs/os-specific/linux/fwts/module.nix
+++ b/pkgs/os-specific/linux/fwts/module.nix
@@ -1,4 +1,4 @@
-{ stdenv, fwts, kernel }:
+{ lib, stdenv, fwts, kernel }:
 
 stdenv.mkDerivation rec {
   pname = "fwts-efi-runtime";
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
     "INSTALL_MOD_PATH=${placeholder "out"}"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit (fwts.meta) homepage license;
     description = fwts.meta.description + "(efi-runtime kernel module)";
     maintainers = with maintainers; [ dtzWill ];
diff --git a/pkgs/os-specific/linux/fxload/default.nix b/pkgs/os-specific/linux/fxload/default.nix
index e77983254e4..3255c992f86 100644
--- a/pkgs/os-specific/linux/fxload/default.nix
+++ b/pkgs/os-specific/linux/fxload/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 
 stdenv.mkDerivation {
   name = "fxload-2002_04_11";
@@ -27,7 +27,7 @@ stdenv.mkDerivation {
     mkdir -p $out/share/usb
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://linux-hotplug.sourceforge.net/?selected=usb";
     description = "Tool to upload firmware to Cypress EZ-USB microcontrollers";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/g15daemon/default.nix b/pkgs/os-specific/linux/g15daemon/default.nix
index c670fc86d13..118a17c4c8f 100644
--- a/pkgs/os-specific/linux/g15daemon/default.nix
+++ b/pkgs/os-specific/linux/g15daemon/default.nix
@@ -65,7 +65,7 @@ stdenv.mkDerivation rec {
 
   patches = let
     patch = fname: sha256: fetchurl rec {
-      url = "https://git.archlinux.org/svntogit/community.git/plain/trunk/${pname}-${version}-${fname}.patch?h=packages/${pname}";
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-community/c0b0b6d4d6d7b79eca68123b20e0c9fb82e1c6e1/g15daemon/trunk/${pname}-${version}-${fname}.patch";
       name = "${fname}.patch";
       inherit sha256;
     };
diff --git a/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix b/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix
new file mode 100644
index 00000000000..ab2e099d970
--- /dev/null
+++ b/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv
+, fetchFromGitHub
+, kernel
+, kmod
+}:
+
+let
+  kerneldir = "lib/modules/${kernel.modDirVersion}";
+in stdenv.mkDerivation rec {
+  pname = "gcadapter-oc-kmod";
+  version = "1.4";
+
+  src = fetchFromGitHub {
+    owner = "HannesMann";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1nqhj3vqq9rnj37cnm2c4867mnxkr8di3i036shcz44h9qmy9d40";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KERNEL_SOURCE_DIR=${kernel.dev}/${kerneldir}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  installPhase = ''
+    install -D {,$out/${kerneldir}/extra/}gcadapter_oc.ko
+  '';
+
+  meta = with lib; {
+    description = "Kernel module for overclocking the Nintendo Wii U/Mayflash GameCube adapter";
+    homepage = "https://github.com/HannesMann/gcadapter-oc-kmod";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ r-burns ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/gfxtablet/default.nix b/pkgs/os-specific/linux/gfxtablet/default.nix
index 56fa4f1d7d6..608ca8e58cc 100644
--- a/pkgs/os-specific/linux/gfxtablet/default.nix
+++ b/pkgs/os-specific/linux/gfxtablet/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchFromGitHub, linuxHeaders}:
+{lib, stdenv, fetchFromGitHub, linuxHeaders}:
 
 stdenv.mkDerivation rec {
   version = "1.4";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     sha256 = "1i2m98yypfa9phshlmvjlgw7axfisxmldzrvnbzm5spvv5s4kvvb";
   };
 
-  preBuild = ''cd driver-uinput'';
+  preBuild = "cd driver-uinput";
 
   installPhase = ''
     mkdir -p "$out/bin"
@@ -25,9 +25,9 @@ stdenv.mkDerivation rec {
   '';
 
   meta = {
-    description = ''Uinput driver for Android GfxTablet tablet-as-input-device app'';
-    license = stdenv.lib.licenses.mit ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    description = "Uinput driver for Android GfxTablet tablet-as-input-device app";
+    license = lib.licenses.mit ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/gobi_loader/default.nix b/pkgs/os-specific/linux/gobi_loader/default.nix
index b8735354c2c..b7972007719 100644
--- a/pkgs/os-specific/linux/gobi_loader/default.nix
+++ b/pkgs/os-specific/linux/gobi_loader/default.nix
@@ -1,4 +1,4 @@
-{ stdenv
+{ lib, stdenv
 , fetchurl
 }:
 
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 
   makeFlags = "prefix=${placeholder "out"}";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware loader for Qualcomm Gobi USB chipsets";
     homepage = "https://www.codon.org.uk/~mjg59/gobi_loader/";
     license = with licenses; [ gpl2 ];
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index d107f18c8da..83ac93fbf71 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, openssl, nettools, iproute, sysctl}:
+{lib, stdenv, fetchurl, openssl, nettools, iproute2, sysctl}:
 
 let baseName = "gogoclient";
     version  = "1.2";
@@ -29,12 +29,12 @@ stdenv.mkDerivation rec {
     substituteInPlace "$out/template/linux.sh" \
       --replace "/sbin/ifconfig" "${nettools}/bin/ifconfig" \
       --replace "/sbin/route"    "${nettools}/bin/route" \
-      --replace "/sbin/ip"       "${iproute}/sbin/ip" \
+      --replace "/sbin/ip"       "${iproute2}/sbin/ip" \
       --replace "/sbin/sysctl"   "${sysctl}/bin/sysctl"
     sed -i -e 's/^.*Exec \$route -A.*$/& metric 128/' $out/template/linux.sh
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://ipv6.ernet.in/Tunnel_broker";
     description = "Client to connect to the Freenet6 IPv6 tunnel broker service";
     maintainers = [ maintainers.bluescreen303 ];
diff --git a/pkgs/os-specific/linux/gradm/default.nix b/pkgs/os-specific/linux/gradm/default.nix
index fee183c8259..cd99dfa5db8 100644
--- a/pkgs/os-specific/linux/gradm/default.nix
+++ b/pkgs/os-specific/linux/gradm/default.nix
@@ -1,15 +1,15 @@
-{ stdenv, fetchurl
+{ lib, stdenv, fetchurl
 , bison, flex
 , pam
 }:
 
 stdenv.mkDerivation rec {
   pname = "gradm";
-  version = "3.1-201903191516";
+  version = "3.1-202102241600";
 
   src  = fetchurl {
-    url    = "http://grsecurity.net/stable/${pname}-${version}.tar.gz";
-    sha256 = "1wszqwaswcf08s9zbvnqzmmfdykyfcy16w8xjia20ypr7wwbd86k";
+    url    = "https://grsecurity.net/stable/${pname}-${version}.tar.gz";
+    sha256 = "02ni34hpggv00140p9gvh0lqi173zdddd2qhfi96hyr1axd5pl50";
   };
 
   nativeBuildInputs = [ bison flex ];
@@ -39,12 +39,12 @@ stdenv.mkDerivation rec {
     mkdir -p "$out/etc/udev/rules.d"
   '';
 
-  postInstall = ''rmdir $out/dev'';
+  postInstall = "rmdir $out/dev";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "grsecurity RBAC administration and policy analysis utility";
     homepage    = "https://grsecurity.net";
-    license     = licenses.gpl2;
+    license     = licenses.gpl2Only;
     platforms   = platforms.linux;
     maintainers = with maintainers; [ thoughtpolice joachifm ];
   };
diff --git a/pkgs/os-specific/linux/greetd/default.nix b/pkgs/os-specific/linux/greetd/default.nix
new file mode 100644
index 00000000000..6f305c5d6eb
--- /dev/null
+++ b/pkgs/os-specific/linux/greetd/default.nix
@@ -0,0 +1,51 @@
+{ rustPlatform
+, lib
+, fetchFromSourcehut
+, pam
+, scdoc
+, installShellFiles
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "greetd";
+  version = "0.7.0";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "b+S3fuJ8gjnSQzLHl3Bs9iO/Un2ynggAplz01GjJvFI=";
+  };
+
+  cargoHash = "sha256-YSC7osyBPwx+lo7P1ftI72mRWeQlDc2srRPzTFqVTxM=";
+
+  nativeBuildInputs = [
+    scdoc
+    installShellFiles
+  ];
+
+  buildInputs = [
+    pam
+  ];
+
+  postInstall = ''
+    for f in man/*; do
+      scdoc < "$f" > "$(sed 's/-\([0-9]\)\.scd$/.\1/' <<< "$f")"
+      rm "$f"
+    done
+    installManPage man/*
+  '';
+
+  meta = with lib; {
+    description = "Minimal and flexible login manager daemon";
+    longDescription = ''
+      greetd is a minimal and flexible login manager daemon
+      that makes no assumptions about what you want to launch.
+      Comes with agreety, a simple, text-based greeter.
+    '';
+    homepage = "https://kl.wtf/projects/greetd/";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/gtkgreet/default.nix b/pkgs/os-specific/linux/gtkgreet/default.nix
new file mode 100644
index 00000000000..7ab7c01475b
--- /dev/null
+++ b/pkgs/os-specific/linux/gtkgreet/default.nix
@@ -0,0 +1,50 @@
+{ stdenv
+, lib
+, fetchFromSourcehut
+, pkg-config
+, cmake
+, meson
+, ninja
+, gtk3
+, gtk-layer-shell
+, json_c
+, scdoc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gtkgreet";
+  version = "0.7";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "ms+2FdtzzNlmlzNxFhu4cpX5H+5H+9ZOtZ0p8uVA3lo=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    cmake
+  ];
+
+  buildInputs = [
+    gtk3
+    gtk-layer-shell
+    json_c
+    scdoc
+  ];
+
+  mesonFlags = [
+    "-Dlayershell=enabled"
+  ];
+
+  meta = with lib; {
+    description = "GTK based greeter for greetd, to be run under cage or similar";
+    homepage = "https://git.sr.ht/~kennylevinsen/gtkgreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/guvcview/default.nix b/pkgs/os-specific/linux/guvcview/default.nix
index d780cade786..04eccaf0243 100644
--- a/pkgs/os-specific/linux/guvcview/default.nix
+++ b/pkgs/os-specific/linux/guvcview/default.nix
@@ -1,15 +1,15 @@
 { config
-, stdenv
+, lib, stdenv
 , fetchurl
 , intltool
-, pkgconfig
+, pkg-config
 , portaudio
 , SDL2
 , ffmpeg
 , udev
 , libusb1
 , libv4l
-, alsaLib
+, alsa-lib
 , gsl
 , libpng
 , sfml
@@ -37,15 +37,15 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [
     intltool
-    pkgconfig
+    pkg-config
   ]
-    ++ stdenv.lib.optionals (useGtk) [ wrapGAppsHook ]
-    ++ stdenv.lib.optionals (useQt) [ wrapQtAppsHook ]
+    ++ lib.optionals (useGtk) [ wrapGAppsHook ]
+    ++ lib.optionals (useQt) [ wrapQtAppsHook ]
   ;
 
   buildInputs = [
     SDL2
-    alsaLib
+    alsa-lib
     ffmpeg
     libusb1
     libv4l
@@ -54,21 +54,21 @@ stdenv.mkDerivation rec {
     gsl
     libpng
     sfml
-  ] 
-    ++ stdenv.lib.optionals (pulseaudioSupport) [ libpulseaudio ]
-    ++ stdenv.lib.optionals (useGtk) [ gtk3 ]
-    ++ stdenv.lib.optionals (useQt) [
+  ]
+    ++ lib.optionals (pulseaudioSupport) [ libpulseaudio ]
+    ++ lib.optionals (useGtk) [ gtk3 ]
+    ++ lib.optionals (useQt) [
       qtbase
     ]
   ;
   configureFlags = [
     "--enable-sfml"
   ]
-    ++ stdenv.lib.optionals (useGtk) [ "--enable-gtk3" ]
-    ++ stdenv.lib.optionals (useQt) [ "--enable-qt5" ]
+    ++ lib.optionals (useGtk) [ "--enable-gtk3" ]
+    ++ lib.optionals (useQt) [ "--enable-qt5" ]
   ;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A simple interface for devices supported by the linux UVC driver";
     homepage = "http://guvcview.sourceforge.net";
     maintainers = [ maintainers.coconnor ];
diff --git a/pkgs/os-specific/linux/hal-flash/default.nix b/pkgs/os-specific/linux/hal-flash/default.nix
deleted file mode 100644
index c3463851fd3..00000000000
--- a/pkgs/os-specific/linux/hal-flash/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ stdenv, fetchurl, autoconf, automake, dbus, glib, libtool, pkgconfig, udisks2 }:
-
-stdenv.mkDerivation {
-  name = "hal-flash-0.3.3";
-
-  src = fetchurl {
-    url = "https://github.com/cshorler/hal-flash/archive/v0.3.3.tar.gz";
-    sha256 = "0dw9bx190mrh0dycw4rfvfmwwvh2sgypffr99nfnr36b38jrd6y6";
-  };
-
-  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ autoconf automake dbus glib libtool udisks2 ];
-
-  preConfigure = "libtoolize && aclocal && autoconf && automake --add-missing";
-
-  meta = with stdenv.lib; {
-    homepage = "https://github.com/cshorler/hal-flash";
-    description = "libhal stub library to satisfy the Flash Player DRM requirements";
-    longDescription =
-      ''
-        Stub library based loosely upon libhal.[ch] from the hal-0.5.14
-        package.  Provides the minimum necessary functionality to enable
-        libflashplayer.so/libadobecp.so to play back DRM content.
-      '';
-    license = with licenses; [ afl21 gpl2 ];
-    maintainers = with maintainers; [ malyn ];
-    platforms = platforms.linux;
-  };
-}
diff --git a/pkgs/os-specific/linux/hd-idle/default.nix b/pkgs/os-specific/linux/hd-idle/default.nix
index 5e32e220b2f..3e4b0815146 100644
--- a/pkgs/os-specific/linux/hd-idle/default.nix
+++ b/pkgs/os-specific/linux/hd-idle/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "hd-idle-1.05";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
 
   installFlags = [ "TARGET_DIR=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Spins down external disks after a period of idle time";
     homepage = "http://hd-idle.sourceforge.net/";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/hdapsd/default.nix b/pkgs/os-specific/linux/hdapsd/default.nix
index 893eb4fdd99..39f69ef0144 100644
--- a/pkgs/os-specific/linux/hdapsd/default.nix
+++ b/pkgs/os-specific/linux/hdapsd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 let version = "20141203"; in
 stdenv.mkDerivation {
@@ -11,7 +11,7 @@ stdenv.mkDerivation {
 
   postInstall = builtins.readFile ./postInstall.sh;
 
-  meta = with stdenv.lib;
+  meta = with lib;
     { description = "Hard Drive Active Protection System Daemon";
       homepage = "http://hdaps.sf.net/";
       license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/hdparm/default.nix b/pkgs/os-specific/linux/hdparm/default.nix
index 99464b67db1..300bb499f85 100644
--- a/pkgs/os-specific/linux/hdparm/default.nix
+++ b/pkgs/os-specific/linux/hdparm/default.nix
@@ -1,19 +1,19 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
-  name = "hdparm-9.58";
+  pname = "hdparm";
+  version = "9.62";
 
   src = fetchurl {
-    url = "mirror://sourceforge/hdparm/${name}.tar.gz";
-    sha256 = "03z1qm8zbgpxagk3994lvp24yqsshjibkwg05v9p3q1w7y48xrws";
-
+    url = "mirror://sourceforge/hdparm/hdparm-${version}.tar.gz";
+    sha256 = "sha256-LA+ddc2+2pKKJaEozT0LcSBEXsCRDAsp1MEDjtG+d38=";
   };
 
   preBuild = ''
     makeFlagsArray=(sbindir=$out/sbin manprefix=$out)
     '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A tool to get/set ATA/SATA drive parameters under Linux";
     homepage = "https://sourceforge.net/projects/hdparm/";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/hibernate/default.nix b/pkgs/os-specific/linux/hibernate/default.nix
index 8fc6bfdbdcf..1a7dd01e977 100644
--- a/pkgs/os-specific/linux/hibernate/default.nix
+++ b/pkgs/os-specific/linux/hibernate/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, gawk }:
+{ lib, stdenv, fetchurl, gawk }:
 
 let version = "2.0";
 in
@@ -35,12 +35,12 @@ in
       description = "The `hibernate' script for swsusp and Tux-on-Ice";
       longDescription = ''
         This package provides the `hibernate' script, a command-line utility
-	that saves the computer's state to disk and switches it off, turning
-	it into "hibernation".  It works both with Linux swsusp and Tux-on-Ice.
+        that saves the computer's state to disk and switches it off, turning
+        it into "hibernation".  It works both with Linux swsusp and Tux-on-Ice.
       '';
 
-      license = stdenv.lib.licenses.gpl2Plus;
+      license = lib.licenses.gpl2Plus;
       homepage = "http://www.tuxonice.net/";
-      platforms = stdenv.lib.platforms.linux;
+      platforms = lib.platforms.linux;
     };
   }
diff --git a/pkgs/os-specific/linux/hid-nintendo/default.nix b/pkgs/os-specific/linux/hid-nintendo/default.nix
new file mode 100644
index 00000000000..321f96d0d36
--- /dev/null
+++ b/pkgs/os-specific/linux/hid-nintendo/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "hid-nintendo";
+  version = "3.1";
+
+  src = fetchFromGitHub {
+    owner = "nicman23";
+    repo = "dkms-hid-nintendo";
+    rev = version;
+    sha256 = "sha256-IanH3yHfkQhqtKvKD8lh+muc9yX8XJ5bfdy1Or8Vd5g=";
+  };
+
+  setSourceRoot = ''
+    export sourceRoot=$(pwd)/source/src
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "-C"
+    "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(sourceRoot)"
+  ];
+
+  buildFlags = [ "modules" ];
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    description = "A Nintendo HID kernel module";
+    homepage = "https://github.com/nicman23/dkms-hid-nintendo";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.rencire ];
+    platforms = platforms.linux;
+    broken = versionOlder kernel.version "4.14";
+  };
+}
diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix
index 991dcbe2615..5d4edc4f7e7 100644
--- a/pkgs/os-specific/linux/hostapd/default.nix
+++ b/pkgs/os-specific/linux/hostapd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, libnl, openssl, sqlite ? null }:
+{ lib, stdenv, fetchurl, fetchpatch, pkg-config, libnl, openssl, sqlite ? null }:
 
 stdenv.mkDerivation rec {
   pname = "hostapd";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1mrbvg4v7vm7mknf0n29mf88k3s4a4qj6r4d51wq8hmjj1m7s7c8";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libnl openssl sqlite ];
 
   patches = [
@@ -43,6 +43,12 @@ stdenv.mkDerivation rec {
       url = "https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch";
       sha256 = "12npqp2skgrj934wwkqicgqksma0fxz09di29n1b5fm5i4njl8d8";
     })
+    # In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.
+    (fetchpatch {
+      name = "CVE-2021-30004.patch";
+      url = "https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15";
+      sha256 = "1gbhlz41x1ar1hppnb76pqxj6vimiypy7c4kq6h658637s4am3xg";
+    })
   ];
 
   outputs = [ "out" "man" ];
@@ -75,7 +81,8 @@ stdenv.mkDerivation rec {
     CONFIG_HS20=y
     CONFIG_ACS=y
     CONFIG_GETRANDOM=y
-  '' + stdenv.lib.optionalString (sqlite != null) ''
+    CONFIG_SAE=y
+  '' + lib.optionalString (sqlite != null) ''
     CONFIG_SQLITE=y
   '';
 
@@ -94,7 +101,7 @@ stdenv.mkDerivation rec {
     install -vD hostapd_cli.1 -t $man/share/man/man1
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://hostap.epitest.fi";
     repositories.git = "git://w1.fi/hostap.git";
     description = "A user space daemon for access point and authentication servers";
diff --git a/pkgs/os-specific/linux/hwdata/default.nix b/pkgs/os-specific/linux/hwdata/default.nix
index 9b54f404f72..f700bf035de 100644
--- a/pkgs/os-specific/linux/hwdata/default.nix
+++ b/pkgs/os-specific/linux/hwdata/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   pname = "hwdata";
-  version = "0.335";
+  version = "0.347";
 
   src = fetchFromGitHub {
     owner = "vcrhonek";
     repo = "hwdata";
     rev = "v${version}";
-    sha256 = "0f8ikwfrs6xd5sywypd9rq9cln8a0rf3vj6nm0adwzn1p8mgmrb2";
+    sha256 = "19kmz25zq6qqs67ppqhws4mh3qf6zrp55cpyxyw36q95yjdcqp21";
   };
 
   preConfigure = "patchShebangs ./configure";
@@ -19,12 +19,12 @@ stdenv.mkDerivation rec {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "101lppd1805drwd038b4njr5czzjnqqxf3xlf6v3l22wfwr2cn3l";
+  outputHash = "0haaczd6pi9q2vdlvbwn7100sb87zsy64z94xhpbmlari4vzjmz0";
 
   meta = {
     homepage = "https://github.com/vcrhonek/hwdata";
     description = "Hardware Database, including Monitors, pci.ids, usb.ids, and video cards";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.all;
   };
 }
diff --git a/pkgs/os-specific/linux/hyperv-daemons/default.nix b/pkgs/os-specific/linux/hyperv-daemons/default.nix
index 1a111a295a4..a659908a7a0 100644
--- a/pkgs/os-specific/linux/hyperv-daemons/default.nix
+++ b/pkgs/os-specific/linux/hyperv-daemons/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, lib, python, kernel, makeWrapper, writeText
-, gawk, iproute }:
+{ stdenv, lib, python2, python3, kernel, makeWrapper, writeText
+, gawk, iproute2 }:
 
 let
   libexec = "libexec/hypervkvpd";
@@ -9,6 +9,7 @@ let
     inherit (kernel) src version;
 
     nativeBuildInputs = [ makeWrapper ];
+    buildInputs = [ (if lib.versionOlder version "4.19" then python2 else python3) ];
 
     # as of 4.9 compilation will fail due to -Werror=format-security
     hardeningDisable = [ "format" ];
@@ -33,16 +34,12 @@ let
       install -Dm755 hv_get_dhcp_info.sh $out/${libexec}/hv_get_dhcp_info
       install -Dm755 hv_get_dns_info.sh  $out/${libexec}/hv_get_dns_info
 
-      # I don't know why this isn't being handled automatically by fixupPhase
-      substituteInPlace $out/bin/lsvmbus \
-        --replace '/usr/bin/env python' ${python.interpreter}
-
       runHook postInstall
     '';
 
     postFixup = ''
       wrapProgram $out/bin/hv_kvp_daemon \
-        --prefix PATH : $out/bin:${lib.makeBinPath [ gawk iproute ]}
+        --prefix PATH : $out/bin:${lib.makeBinPath [ gawk iproute2 ]}
     '';
   };
 
@@ -86,7 +83,7 @@ in stdenv.mkDerivation {
     Wants=hv-fcopy.service hv-kvp.service hv-vss.service
     EOF
 
-    for f in $lib/lib/systemd/system/* ; do
+    for f in $lib/lib/systemd/system/*.service ; do
       substituteInPlace $f --replace @out@ ${daemons}/bin
     done
 
@@ -98,7 +95,7 @@ in stdenv.mkDerivation {
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Integration Services for running NixOS under HyperV";
     longDescription = ''
       This packages contains the daemons that are used by the Hyper-V hypervisor
diff --git a/pkgs/os-specific/linux/i2c-tools/default.nix b/pkgs/os-specific/linux/i2c-tools/default.nix
index 3a00dbefa63..5c05ca6082e 100644
--- a/pkgs/os-specific/linux/i2c-tools/default.nix
+++ b/pkgs/os-specific/linux/i2c-tools/default.nix
@@ -1,12 +1,18 @@
-{ stdenv, fetchurl, perl, read-edid }:
+{ lib
+, stdenv
+, fetchgit
+, perl
+, read-edid
+}:
 
 stdenv.mkDerivation rec {
   pname = "i2c-tools";
-  version = "4.1";
+  version = "4.2";
 
-  src = fetchurl {
-    url = "https://www.kernel.org/pub/software/utils/i2c-tools/${pname}-${version}.tar.xz";
-    sha256 = "1m97hpwqfaqjl9xvr4pvz2vdrsdvxbcn0nnx8pamnyc3s7pikcjp";
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/i2c-tools/i2c-tools.git";
+    rev = "v${version}";
+    sha256 = "0vqrbp10klr7ylarr6cy1q7nafiqaky4iq5my5dqy101h93vg4pg";
   };
 
   buildInputs = [ perl ];
@@ -18,14 +24,17 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
+  outputs = [ "out" "man" ];
+
   postInstall = ''
     rm -rf $out/include # Installs include/linux/i2c-dev.h that conflics with kernel headers
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Set of I2C tools for Linux";
     homepage = "https://i2c.wiki.kernel.org/index.php/I2C_Tools";
-    license = licenses.gpl2;
+    # library is LGPL 2.1 or later; "most tools" GPL 2 or later
+    license = with licenses; [ lgpl21Plus gpl2Plus ];
     maintainers = [ maintainers.dezgeg ];
     platforms = platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/i810switch/default.nix b/pkgs/os-specific/linux/i810switch/default.nix
index 5b65f2a16fd..ffca983a35e 100644
--- a/pkgs/os-specific/linux/i810switch/default.nix
+++ b/pkgs/os-specific/linux/i810switch/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pciutils }:
+{ lib, stdenv, fetchurl, pciutils }:
 
 stdenv.mkDerivation {
   name = "i810switch-0.6.5";
@@ -20,7 +20,7 @@ stdenv.mkDerivation {
   meta = {
     description = "A utility for switching between the LCD and external VGA display on Intel graphics cards";
     homepage = "http://www16.plala.or.jp/mano-a-mano/i810switch.html";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix
index 1b22c1eafd3..d23fc101bcc 100644
--- a/pkgs/os-specific/linux/ifenslave/default.nix
+++ b/pkgs/os-specific/linux/ifenslave/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "ifenslave";
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
 
   meta = {
     description = "Utility for enslaving networking interfaces under a bond";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/ifmetric/default.nix b/pkgs/os-specific/linux/ifmetric/default.nix
index 1f69d728f60..f5d55db5e41 100644
--- a/pkgs/os-specific/linux/ifmetric/default.nix
+++ b/pkgs/os-specific/linux/ifmetric/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, lynx }:
+{ lib, stdenv, fetchurl, lynx }:
 
 stdenv.mkDerivation rec {
   pname = "ifmetric";
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tool for setting IP interface metrics";
     longDescription = ''
       ifmetric is a Linux tool for setting the metrics of all IPv4 routes
diff --git a/pkgs/os-specific/linux/iio-sensor-proxy/default.nix b/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
index 95f555cef8c..5f44622c512 100644
--- a/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
+++ b/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
@@ -1,15 +1,16 @@
-{ stdenv, fetchFromGitHub, autoconf-archive, gettext, libtool, intltool, autoconf, automake
-, glib, gtk3, gtk-doc, libgudev, pkgconfig, systemd }:
+{ lib, stdenv, fetchFromGitLab, autoconf-archive, gettext, libtool, intltool, autoconf, automake
+, glib, gtk3, gtk-doc, libgudev, pkg-config, systemd }:
 
 stdenv.mkDerivation rec {
   pname = "iio-sensor-proxy";
-  version = "2.8";
+  version = "3.0";
 
-  src = fetchFromGitHub {
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
     owner  = "hadess";
     repo   = pname;
     rev    = version;
-    sha256 = "07rzm1z2p6lh4iv5pyp0p2x5805m9gsh19kcsjls3fi25p3a2c00";
+    sha256 = "0ngbz1vkbjci3ml6p47jh6c6caipvbkm8mxrc8ayr6vc2p9l1g49";
   };
 
   configurePhase = ''
@@ -37,15 +38,14 @@ stdenv.mkDerivation rec {
     gettext
     intltool
     libtool
-    pkgconfig
+    pkg-config
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Proxy for sending IIO sensor data to D-Bus";
     homepage = "https://github.com/hadess/iio-sensor-proxy";
     license = licenses.gpl3 ;
     maintainers = with maintainers; [ peterhoeg ];
     platforms = platforms.linux;
-    inherit version;
   };
 }
diff --git a/pkgs/os-specific/linux/ima-evm-utils/default.nix b/pkgs/os-specific/linux/ima-evm-utils/default.nix
index 246c109faf3..14ddc21bb6b 100644
--- a/pkgs/os-specific/linux/ima-evm-utils/default.nix
+++ b/pkgs/os-specific/linux/ima-evm-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, autoreconfHook, pkgconfig, openssl, attr, keyutils, asciidoc, libxslt, docbook_xsl }:
+{ lib, stdenv, fetchgit, autoreconfHook, pkg-config, openssl, attr, keyutils, asciidoc, libxslt, docbook_xsl }:
 
 stdenv.mkDerivation rec {
   pname = "ima-evm-utils";
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
     sha256 = "1dhfw6d9z4dv82q9zg2g025hgr179kamz9chy7v5w9b71aam8jf8";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ openssl attr keyutils asciidoc libxslt ];
 
   patches = [ ./xattr.patch ];
@@ -20,8 +20,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "evmctl utility to manage digital signatures of the Linux kernel integrity subsystem (IMA/EVM)";
     homepage = "https://sourceforge.net/projects/linux-ima/";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = with stdenv.lib.maintainers; [ tstrobel ];
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ tstrobel ];
   };
 }
diff --git a/pkgs/os-specific/linux/input-utils/default.nix b/pkgs/os-specific/linux/input-utils/default.nix
index 0fc2130d102..36a203a47c7 100644
--- a/pkgs/os-specific/linux/input-utils/default.nix
+++ b/pkgs/os-specific/linux/input-utils/default.nix
@@ -1,9 +1,9 @@
-{ stdenv, fetchurl, linuxHeaders }:
+{ lib, stdenv, fetchurl, linuxHeaders }:
 
 stdenv.mkDerivation rec {
   pname = "input-utils";
   version = "1.3";
-  
+
   src = fetchurl {
     url = "https://www.kraxel.org/releases/input/input-${version}.tar.gz";
     sha256 = "11w0pp20knx6qpgzmawdbk1nj2z3fzp8yd6nag6s8bcga16w6hli";
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     "STRIP="
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Input layer utilities, includes lsinput";
     homepage    = "https://www.kraxel.org/blog/linux/input/";
     license     = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/intel-compute-runtime/default.nix b/pkgs/os-specific/linux/intel-compute-runtime/default.nix
index 5a3a5bf7a4d..980b1fad0df 100644
--- a/pkgs/os-specific/linux/intel-compute-runtime/default.nix
+++ b/pkgs/os-specific/linux/intel-compute-runtime/default.nix
@@ -1,8 +1,8 @@
-{ stdenv
+{ lib, stdenv
 , fetchFromGitHub
 , patchelf
 , cmake
-, pkgconfig
+, pkg-config
 
 , intel-gmmlib
 , intel-graphics-compiler
@@ -11,19 +11,16 @@
 
 stdenv.mkDerivation rec {
   pname = "intel-compute-runtime";
-  version = "20.02.15268";
+  version = "20.34.17727";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "compute-runtime";
     rev = version;
-    sha256 = "138gi92w85bn6haw5x38k39pgiyvvzfhiwpvz6hqlx2j03n8cs2k";
+    sha256 = "19scbbr6jf3yp2v7z8xyzzm01g44jym7xfkf1dz64d5nhvjw6ig5";
   };
 
-  # Build script tries to write the ICD to /etc
-  patches = [ ./etc-dir.patch ];
-
-  nativeBuildInputs = [ cmake pkgconfig ];
+  nativeBuildInputs = [ cmake pkg-config ];
 
   buildInputs = [ intel-gmmlib intel-graphics-compiler libva ];
 
@@ -31,7 +28,7 @@ stdenv.mkDerivation rec {
     "-DSKIP_UNIT_TESTS=1"
 
     "-DIGC_DIR=${intel-graphics-compiler}"
-    "-DETC_DIR=${placeholder "out"}/etc"
+    "-DOCL_ICD_VENDORDIR=${placeholder "out"}/etc/OpenCL/vendors"
 
     # The install script assumes this path is relative to CMAKE_INSTALL_PREFIX
     "-DCMAKE_INSTALL_LIBDIR=lib"
@@ -43,13 +40,13 @@ stdenv.mkDerivation rec {
   '';
 
   postFixup = ''
-    patchelf --set-rpath ${stdenv.lib.makeLibraryPath [ intel-gmmlib intel-graphics-compiler libva stdenv.cc.cc.lib ]} \
+    patchelf --set-rpath ${lib.makeLibraryPath [ intel-gmmlib intel-graphics-compiler libva stdenv.cc.cc.lib ]} \
       $out/lib/intel-opencl/libigdrcl.so
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage    = "https://github.com/intel/compute-runtime";
-    description = "Intel Graphics Compute Runtime for OpenCL. Replaces Beignet for Gen8 (Broadwell) and beyond.";
+    description = "Intel Graphics Compute Runtime for OpenCL. Replaces Beignet for Gen8 (Broadwell) and beyond";
     license     = licenses.mit;
     platforms   = platforms.linux;
     maintainers = with maintainers; [ gloaming ];
diff --git a/pkgs/os-specific/linux/intel-compute-runtime/etc-dir.patch b/pkgs/os-specific/linux/intel-compute-runtime/etc-dir.patch
deleted file mode 100644
index d9a80ffa6f9..00000000000
--- a/pkgs/os-specific/linux/intel-compute-runtime/etc-dir.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/package.cmake b/package.cmake
-index 24960d5..e9a21e7 100644
---- a/package.cmake
-+++ b/package.cmake
-@@ -24,7 +24,9 @@ if(UNIX)
- 
-   get_os_release_info(os_name os_version)
- 
--  if("${os_name}" STREQUAL "clear-linux-os")
-+  if(DEFINED ETC_DIR)
-+    set(_dir_etc ${ETC_DIR})
-+  elseif("${os_name}" STREQUAL "clear-linux-os")
-     # clear-linux-os distribution avoids /etc for distribution defaults.
-     set(_dir_etc "/usr/share/defaults/etc")
-   else()
diff --git a/pkgs/os-specific/linux/intel-ocl/default.nix b/pkgs/os-specific/linux/intel-ocl/default.nix
index 95a2cfbd846..06cb18b2377 100644
--- a/pkgs/os-specific/linux/intel-ocl/default.nix
+++ b/pkgs/os-specific/linux/intel-ocl/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchzip, rpmextract, ncurses5, numactl, zlib }:
+{ lib, stdenv, fetchzip, rpmextract, ncurses5, numactl, zlib }:
 
 stdenv.mkDerivation rec {
   pname = "intel-ocl";
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
 
   sourceRoot = ".";
 
-  libPath = stdenv.lib.makeLibraryPath [
+  libPath = lib.makeLibraryPath [
     stdenv.cc.cc.lib
     ncurses5
     numactl
@@ -66,8 +66,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Official OpenCL runtime for Intel CPUs";
     homepage    = "https://software.intel.com/en-us/articles/opencl-drivers";
-    license     = stdenv.lib.licenses.unfree;
+    license     = lib.licenses.unfree;
     platforms   = [ "x86_64-linux" ];
-    maintainers = [ stdenv.lib.maintainers.kierdavis ];
+    maintainers = [ lib.maintainers.kierdavis ];
   };
 }
diff --git a/pkgs/os-specific/linux/intel-speed-select/default.nix b/pkgs/os-specific/linux/intel-speed-select/default.nix
index 12536130a86..89b4feff7a5 100644
--- a/pkgs/os-specific/linux/intel-speed-select/default.nix
+++ b/pkgs/os-specific/linux/intel-speed-select/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, kernel }:
+{ lib, stdenv, kernel }:
 
 stdenv.mkDerivation {
   pname = "intel-speed-select";
@@ -11,7 +11,7 @@ stdenv.mkDerivation {
     sed -i 's,/usr,,g' Makefile
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tool to enumerate and control the Intel Speed Select Technology features";
     homepage = "https://www.kernel.org/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/ioport/default.nix b/pkgs/os-specific/linux/ioport/default.nix
index fad85335200..543495ec2af 100644
--- a/pkgs/os-specific/linux/ioport/default.nix
+++ b/pkgs/os-specific/linux/ioport/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, perl, fetchurl }:
+{ lib, stdenv, perl, fetchurl }:
 
 stdenv.mkDerivation {
   name = "ioport-1.2";
@@ -7,7 +7,7 @@ stdenv.mkDerivation {
     sha256 = "1h4d5g78y7kla0zl25jgyrk43wy3m3bygqg0blki357bc55irb3z";
   };
   buildInputs = [ perl ];
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Direct access to I/O ports from the command line";
     homepage = "https://people.redhat.com/rjones/ioport/";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/iotop-c/default.nix b/pkgs/os-specific/linux/iotop-c/default.nix
new file mode 100644
index 00000000000..47cfa57fe81
--- /dev/null
+++ b/pkgs/os-specific/linux/iotop-c/default.nix
@@ -0,0 +1,31 @@
+{stdenv, fetchFromGitHub, lib, ncurses, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "iotop-c";
+  version = "1.17";
+
+  src = fetchFromGitHub {
+    owner = "Tomas-M";
+    repo = "iotop";
+    rev = "v${version}";
+    sha256 = "0hjy30155c3nijx3jgyn5kpj293632p0j6f3lf5acdfax1ynav86";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ ncurses ];
+  makeFlags = [ "DESTDIR=$(out)" "TARGET=iotop-c" ];
+
+  postInstall = ''
+    mv $out/usr/share/man/man8/{iotop,iotop-c}.8
+    ln -s $out/usr/sbin $out/bin
+    ln -s $out/usr/share $out/share
+  '';
+
+  meta = with lib; {
+    description = "iotop identifies processes that use high amount of input/output requests on your machine";
+    homepage = "https://github.com/Tomas-M/iotop";
+    maintainers = [ maintainers.arezvov ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/iotop/default.nix b/pkgs/os-specific/linux/iotop/default.nix
index 8f742aa01be..a91175aa59f 100644
--- a/pkgs/os-specific/linux/iotop/default.nix
+++ b/pkgs/os-specific/linux/iotop/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, python3Packages, fetchpatch }:
+{ lib, fetchurl, python3Packages, fetchpatch }:
 
 python3Packages.buildPythonApplication rec {
   name = "iotop-0.6";
@@ -17,7 +17,7 @@ python3Packages.buildPythonApplication rec {
 
   doCheck = false;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A tool to find out the processes doing the most IO";
     homepage = "http://guichaz.free.fr/iotop";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/iproute/default.nix b/pkgs/os-specific/linux/iproute/default.nix
index a9fcf455ee4..ea3c4d36958 100644
--- a/pkgs/os-specific/linux/iproute/default.nix
+++ b/pkgs/os-specific/linux/iproute/default.nix
@@ -1,23 +1,20 @@
-{ stdenv, fetchurl
+{ lib, stdenv, fetchurl
 , buildPackages, bison, flex, pkg-config
 , db, iptables, libelf, libmnl
 }:
 
 stdenv.mkDerivation rec {
   pname = "iproute2";
-  version = "5.8.0";
+  version = "5.13.0";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/net/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "0vk4vickrpahdhl3zazr2qn2bf99v5549ncirjpwiy4h0a4izkfg";
+    sha256 = "sha256-cqLlN3TKyeZfe2F97rsgWfh+iWDW6XE+TXiM6pZvGzY=";
   };
 
   preConfigure = ''
     # Don't try to create /var/lib/arpd:
     sed -e '/ARPDDIR/d' -i Makefile
-    # TODO: Drop temporary version fix for 5.8 (53159d81) once 5.9 is out:
-    substituteInPlace include/version.h \
-      --replace "v5.7.0-77-gb687d1067169" "5.8.0"
   '';
 
   outputs = [ "out" "dev" ];
@@ -43,7 +40,7 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://wiki.linuxfoundation.org/networking/iproute2";
     description = "A collection of utilities for controlling TCP/IP networking and traffic control in Linux";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/iproute/mptcp.nix b/pkgs/os-specific/linux/iproute/mptcp.nix
index 4a58ae9e046..12723213901 100644
--- a/pkgs/os-specific/linux/iproute/mptcp.nix
+++ b/pkgs/os-specific/linux/iproute/mptcp.nix
@@ -1,6 +1,6 @@
-{ stdenv, iproute, fetchFromGitHub }:
+{ lib, iproute2, fetchFromGitHub }:
 
-iproute.overrideAttrs (oa: rec {
+iproute2.overrideAttrs (oa: rec {
   pname = "iproute_mptcp";
   version = "0.95";
 
@@ -11,7 +11,13 @@ iproute.overrideAttrs (oa: rec {
     sha256 = "07fihvwlaj0ng8s8sxqhd0a9h1narcnp4ibk88km9cpsd32xv4q3";
   };
 
-  meta = with stdenv.lib; {
+  preConfigure = ''
+    # Don't try to create /var/lib/arpd:
+    sed -e '/ARPDDIR/d' -i Makefile
+    patchShebangs configure
+  '';
+
+  meta = with lib; {
     homepage = "https://github.com/multipath-tcp/iproute-mptcp";
     description = "IP-Route extensions for MultiPath TCP";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/ipsec-tools/default.nix b/pkgs/os-specific/linux/ipsec-tools/default.nix
index bff356ccb6c..33152cc51c1 100644
--- a/pkgs/os-specific/linux/ipsec-tools/default.nix
+++ b/pkgs/os-specific/linux/ipsec-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, kerberos, pam }:
+{ lib, stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, libkrb5, pam }:
 
 # TODO: These tools are supposed to work under NetBSD and FreeBSD as
 # well, so I guess it's not appropriate to place this expression in
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
     sha256 = "0b9gfbz78k2nj0k7jdlm5kajig628ja9qm0z5yksiwz22s3v7dlf";
   };
 
-  buildInputs = [ readline openssl flex kerberos pam ];
+  buildInputs = [ readline openssl flex libkrb5 pam ];
 
   patches = [
     ./dont-create-localstatedir-during-install.patch
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     "--enable-stats"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://ipsec-tools.sourceforge.net/";
     description = "Port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation";
     license = licenses.bsd3;
diff --git a/pkgs/os-specific/linux/ipset/default.nix b/pkgs/os-specific/linux/ipset/default.nix
index 2c433ba8c29..213ae45f48f 100644
--- a/pkgs/os-specific/linux/ipset/default.nix
+++ b/pkgs/os-specific/linux/ipset/default.nix
@@ -1,20 +1,20 @@
-{ stdenv, fetchurl, pkgconfig, libmnl }:
+{ lib, stdenv, fetchurl, pkg-config, libmnl }:
 
 stdenv.mkDerivation rec {
   pname = "ipset";
-  version = "7.6";
+  version = "7.11";
 
   src = fetchurl {
     url = "http://ipset.netfilter.org/${pname}-${version}.tar.bz2";
-    sha256 = "1ny2spcm6bmpj8vnazssg99k59impr7n84jzkdmdjly1m7548z8f";
+    sha256 = "sha256-MVG6rTDx2eMXsqtPL1qnqfe03BH8+P5zrNDcC126v30=";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libmnl ];
 
   configureFlags = [ "--with-kmod=no" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://ipset.netfilter.org/";
     description = "Administration tool for IP sets";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/iptables/default.nix b/pkgs/os-specific/linux/iptables/default.nix
index c9c342ad768..912d9078c94 100644
--- a/pkgs/os-specific/linux/iptables/default.nix
+++ b/pkgs/os-specific/linux/iptables/default.nix
@@ -1,20 +1,20 @@
-{ stdenv, fetchurl, pkgconfig, pruneLibtoolFiles, flex, bison
+{ lib, stdenv, fetchurl, pkg-config, pruneLibtoolFiles, flex, bison
 , libmnl, libnetfilter_conntrack, libnfnetlink, libnftnl, libpcap
 , nftablesCompat ? false
 }:
 
-with stdenv.lib;
+with lib;
 
 stdenv.mkDerivation rec {
-  version = "1.8.5";
+  version = "1.8.7";
   pname = "iptables";
 
   src = fetchurl {
     url = "https://www.netfilter.org/projects/${pname}/files/${pname}-${version}.tar.bz2";
-    sha256 = "02a3575ypdpg6a2x752mhk3f7h1381ymkq1n0gss6fp6292xfmyl";
+    sha256 = "1w6qx3sxzkv80shk21f63rq41c84irpx68k62m2cv629n1mwj2f1";
   };
 
-  nativeBuildInputs = [ pkgconfig pruneLibtoolFiles flex bison ];
+  nativeBuildInputs = [ pkg-config pruneLibtoolFiles flex bison ];
 
   buildInputs = [ libmnl libnetfilter_conntrack libnfnetlink libnftnl libpcap ];
 
@@ -50,6 +50,5 @@ stdenv.mkDerivation rec {
     license = licenses.gpl2;
     downloadPage = "https://www.netfilter.org/projects/iptables/files/";
     updateWalker = true;
-    inherit version;
   };
 }
diff --git a/pkgs/os-specific/linux/iptstate/default.nix b/pkgs/os-specific/linux/iptstate/default.nix
index 529a82e9646..94693f1559e 100644
--- a/pkgs/os-specific/linux/iptstate/default.nix
+++ b/pkgs/os-specific/linux/iptstate/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libnetfilter_conntrack, ncurses }:
+{ lib, stdenv, fetchurl, libnetfilter_conntrack, ncurses }:
 
 stdenv.mkDerivation rec {
   pname = "iptstate";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ libnetfilter_conntrack ncurses ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Conntrack top like tool";
     homepage = "https://github.com/jaymzh/iptstate";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/iputils/default.nix b/pkgs/os-specific/linux/iputils/default.nix
index e12c44888a0..495860ef576 100644
--- a/pkgs/os-specific/linux/iputils/default.nix
+++ b/pkgs/os-specific/linux/iputils/default.nix
@@ -1,12 +1,11 @@
-{ stdenv, fetchFromGitHub
-, meson, ninja, pkgconfig, gettext, libxslt, docbook_xsl_ns
-, libcap, systemd, libidn2
+{ lib, stdenv, fetchFromGitHub
+, meson, ninja, pkg-config, gettext, libxslt, docbook_xsl_ns
+, libcap, libidn2
+, apparmorRulesFromClosure
 }:
 
-with stdenv.lib;
-
 let
-  version = "20200821";
+  version = "20210202";
   sunAsIsLicense = {
     fullName = "AS-IS, SUN MICROSYSTEMS license";
     url = "https://github.com/iputils/iputils/blob/s${version}/rdisc.c";
@@ -18,25 +17,48 @@ in stdenv.mkDerivation rec {
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    rev = "s${version}";
-    sha256 = "1jhbcz75a4ij1myyyi110ma1d8d5hpm3scz9pyw7js6qym50xvh4";
+    rev = version;
+    sha256 = "08j2hfgnfh31vv9rn1ml7090j2lsvm9wdpdz13rz60rmyzrx9dq3";
   };
 
+  outputs = ["out" "apparmor"];
+
   mesonFlags = [
     "-DBUILD_RARPD=true"
     "-DBUILD_TRACEROUTE6=true"
     "-DBUILD_TFTPD=true"
     "-DNO_SETCAP_OR_SUID=true"
     "-Dsystemdunitdir=etc/systemd/system"
+    "-DINSTALL_SYSTEMD_UNITS=true"
   ]
     # Disable idn usage w/musl (https://github.com/iputils/iputils/pull/111):
-    ++ optional stdenv.hostPlatform.isMusl "-DUSE_IDN=false";
+    ++ lib.optional stdenv.hostPlatform.isMusl "-DUSE_IDN=false";
 
-  nativeBuildInputs = [ meson ninja pkgconfig gettext libxslt.bin docbook_xsl_ns ];
-  buildInputs = [ libcap systemd ]
-    ++ optional (!stdenv.hostPlatform.isMusl) libidn2;
+  nativeBuildInputs = [ meson ninja pkg-config gettext libxslt.bin docbook_xsl_ns ];
+  buildInputs = [ libcap ]
+    ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2;
+  postInstall = ''
+    mkdir $apparmor
+    cat >$apparmor/bin.ping <<EOF
+    include <tunables/global>
+    $out/bin/ping {
+      include <abstractions/base>
+      include <abstractions/consoles>
+      include <abstractions/nameservice>
+      include "${apparmorRulesFromClosure { name = "ping"; }
+       ([libcap] ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2)}"
+      include <local/bin.ping>
+      capability net_raw,
+      network inet raw,
+      network inet6 raw,
+      mr $out/bin/ping,
+      r $out/share/locale/**,
+      r @{PROC}/@{pid}/environ,
+    }
+    EOF
+  '';
 
-  meta = {
+  meta = with lib; {
     description = "A set of small useful utilities for Linux networking";
     inherit (src.meta) homepage;
     changelog = "https://github.com/iputils/iputils/releases/tag/s${version}";
diff --git a/pkgs/os-specific/linux/ipvsadm/default.nix b/pkgs/os-specific/linux/ipvsadm/default.nix
index 5f91fa5dccd..fbd4d8efdac 100644
--- a/pkgs/os-specific/linux/ipvsadm/default.nix
+++ b/pkgs/os-specific/linux/ipvsadm/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, libnl, popt, gnugrep }:
+{ lib, stdenv, fetchurl, pkg-config, libnl, popt, gnugrep }:
 
 stdenv.mkDerivation rec {
   pname = "ipvsadm";
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
     substituteInPlace Makefile --replace "-lnl" "$(pkg-config --libs libnl-genl-3.0)"
   '';
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libnl popt ];
 
   preBuild = ''
@@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
     sed -i -e "s|^PATH=.*|PATH=$out/bin:${gnugrep}/bin|" $out/sbin/ipvsadm-{restore,save}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux Virtual Server support programs";
     homepage = "http://www.linuxvirtualserver.org/software/ipvs.html";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/irqbalance/default.nix b/pkgs/os-specific/linux/irqbalance/default.nix
index d61d02b5598..4b7a4527e2c 100644
--- a/pkgs/os-specific/linux/irqbalance/default.nix
+++ b/pkgs/os-specific/linux/irqbalance/default.nix
@@ -1,17 +1,18 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, glib, ncurses, libcap_ng }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, glib, ncurses, libcap_ng }:
 
 stdenv.mkDerivation rec {
   pname = "irqbalance";
-  version = "1.7.0";
+  version = "1.8.0";
 
   src = fetchFromGitHub {
     owner = "irqbalance";
     repo = "irqbalance";
     rev = "v${version}";
-    sha256 = "1677ap6z4hvwga0vb8hrvpc0qggyarg9mlg11pxywz7mq94vdx19";
+    sha256 = "sha256-K+Nv6HqBZb0pwfNV127QDq+suaUD7TTV413S6j8NdUU=";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
   buildInputs = [ glib ncurses libcap_ng ];
 
   LDFLAGS = "-lncurses";
@@ -26,10 +27,12 @@ stdenv.mkDerivation rec {
         --replace ' $IRQBALANCE_ARGS' ""
     '';
 
-  meta = {
+  meta = with lib; {
     homepage = "https://github.com/Irqbalance/irqbalance";
+    changelog = "https://github.com/Irqbalance/irqbalance/releases/tag/v${version}";
     description = "A daemon to help balance the cpu load generated by interrupts across all of a systems cpus";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fortuneteller2k ];
   };
 }
diff --git a/pkgs/os-specific/linux/isgx/default.nix b/pkgs/os-specific/linux/isgx/default.nix
new file mode 100644
index 00000000000..3e551e55917
--- /dev/null
+++ b/pkgs/os-specific/linux/isgx/default.nix
@@ -0,0 +1,56 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch, kernel, kernelAtLeast }:
+
+stdenv.mkDerivation rec {
+  name = "isgx-${version}-${kernel.version}";
+  version = "2.11";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx-driver";
+    rev = "sgx_driver_${version}";
+    hash = "sha256-zZ0FgCx63LCNmvQ909O27v/o4+93gefhgEE/oDr/bHw=";
+  };
+
+  patches = [
+    # Fixes build with kernel >= 5.8
+    (fetchpatch {
+      url = "https://github.com/intel/linux-sgx-driver/commit/276c5c6a064d22358542f5e0aa96b1c0ace5d695.patch";
+      sha256 = "sha256-PmchqYENIbnJ51G/tkdap/g20LUrJEoQ4rDtqy6hj24=";
+    })
+    # Fixes detection with kernel >= 5.11
+    (fetchpatch {
+      url = "https://github.com/intel/linux-sgx-driver/commit/ed2c256929962db1a8805db53bed09bb8f2f4de3.patch";
+      sha256 = "sha256-MRbgS4U8FTCP1J1n+rhsvbXxKDytfl6B7YlT9Izq05U=";
+    })
+  ];
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D isgx.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/intel/sgx
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Intel SGX Linux Driver";
+    longDescription = ''
+      The linux-sgx-driver project (isgx) hosts an out-of-tree driver
+      for the Linux* Intel(R) SGX software stack, which would be used
+      until the driver upstreaming process is complete (before 5.11.0).
+
+      It is used to support Enhanced Privacy Identification (EPID)
+      based attestation on the platforms without Flexible Launch Control.
+    '';
+    homepage = "https://github.com/intel/linux-sgx-driver";
+    license = with licenses; [ bsd3 /* OR */ gpl2Only ];
+    maintainers = with maintainers; [ oxalica ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/os-specific/linux/it87/default.nix b/pkgs/os-specific/linux/it87/default.nix
index c48de130e5a..1e56d3a830c 100644
--- a/pkgs/os-specific/linux/it87/default.nix
+++ b/pkgs/os-specific/linux/it87/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
   name = "it87-${version}-${kernel.version}";
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
     "MODDESTDIR=$(out)/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Patched module for IT87xx superio chip sensors support";
     homepage = "https://github.com/hannesha/it87";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/iw/default.nix b/pkgs/os-specific/linux/iw/default.nix
index 585bbfd165e..7d526db53e9 100644
--- a/pkgs/os-specific/linux/iw/default.nix
+++ b/pkgs/os-specific/linux/iw/default.nix
@@ -1,15 +1,15 @@
-{ stdenv, fetchurl, pkgconfig, libnl }:
+{ lib, stdenv, fetchurl, pkg-config, libnl }:
 
 stdenv.mkDerivation rec {
   pname = "iw";
-  version = "5.4";
+  version = "5.9";
 
   src = fetchurl {
     url = "https://www.kernel.org/pub/software/network/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "0prrgb11pjrr6dw71v7nx2bic127qzrjifvz183v3mw8f1kryim2";
+    sha256 = "1wp1ky1v353qqy5fnrk67apgzsap53jkr7pmghk3czpbk880ffi9";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libnl ];
 
   makeFlags = [ "PREFIX=${placeholder "out"}" ];
@@ -23,8 +23,8 @@ stdenv.mkDerivation rec {
       deprecated and it's strongly recommended to switch to iw and nl80211.
     '';
     homepage = "https://wireless.wiki.kernel.org/en/users/Documentation/iw";
-    license = stdenv.lib.licenses.isc;
-    maintainers = with stdenv.lib.maintainers; [ viric primeos ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.isc;
+    maintainers = with lib.maintainers; [ viric primeos ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix
index fd34440f603..e0a1a566d77 100644
--- a/pkgs/os-specific/linux/iwd/default.nix
+++ b/pkgs/os-specific/linux/iwd/default.nix
@@ -1,8 +1,7 @@
-{ stdenv
+{ lib, stdenv
 , fetchgit
-, fetchpatch
 , autoreconfHook
-, pkgconfig
+, pkg-config
 , ell
 , coreutils
 , docutils
@@ -13,20 +12,21 @@
 
 stdenv.mkDerivation rec {
   pname = "iwd";
-  version = "1.8";
+  version = "1.15";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
     rev = version;
-    sha256 = "0ds8nhbnkhxzhnnsi7vj3y2v8wq0nxqbmidhiac7mpxgjkc684gf";
+    sha256 = "sha256-qGQDIzJfeBT9VLwr9Ci9vXcM0ZvFvjL2E9PcKoZ8E94=";
   };
 
-  outputs = [ "out" "man" ];
+  outputs = [ "out" "man" ]
+    ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "test";
 
   nativeBuildInputs = [
     autoreconfHook
     docutils
-    pkgconfig
+    pkg-config
     python3Packages.wrapPython
   ];
 
@@ -38,7 +38,9 @@ stdenv.mkDerivation rec {
 
   checkInputs = [ openssl ];
 
-  pythonPath = [
+  # wrapPython wraps the scripts in $test. They pull in gobject-introspection,
+  # which doesn't cross-compile.
+  pythonPath = lib.optionals (stdenv.hostPlatform == stdenv.buildPlatform) [
     python3Packages.dbus-python
     python3Packages.pygobject3
   ];
@@ -55,16 +57,20 @@ stdenv.mkDerivation rec {
   ];
 
   postUnpack = ''
+    mkdir -p iwd/ell
+    ln -s ${ell.src}/ell/useful.h iwd/ell/useful.h
     patchShebangs .
   '';
 
   doCheck = true;
 
   postInstall = ''
-    cp -a test/* $out/bin/
     mkdir -p $out/share
     cp -a doc $out/share/
     cp -a README AUTHORS TODO $out/share/doc/
+  '' + lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform) ''
+    mkdir -p $test/bin
+    cp -a test/* $test/bin/
   '';
 
   preFixup = ''
@@ -80,11 +86,11 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
     description = "Wireless daemon for Linux";
-    license = licenses.lgpl21;
+    license = licenses.lgpl21Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ dtzWill fpletz ];
+    maintainers = with maintainers; [ dtzWill fpletz maxeaubrey ];
   };
 }
diff --git a/pkgs/os-specific/linux/ixgbevf/default.nix b/pkgs/os-specific/linux/ixgbevf/default.nix
index 67b9a66a8ab..6a748c47019 100644
--- a/pkgs/os-specific/linux/ixgbevf/default.nix
+++ b/pkgs/os-specific/linux/ixgbevf/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, kernel, kmod }:
+{ lib, stdenv, fetchurl, kernel, kmod }:
 
 stdenv.mkDerivation rec {
   name = "ixgbevf-${version}-${kernel.version}";
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Intel 82599 Virtual Function Driver";
     homepage = "https://sourceforge.net/projects/e1000/files/ixgbevf%20stable/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/jfbview/default.nix b/pkgs/os-specific/linux/jfbview/default.nix
index f8e211fb289..da4135d8a80 100644
--- a/pkgs/os-specific/linux/jfbview/default.nix
+++ b/pkgs/os-specific/linux/jfbview/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchFromGitHub
-, freetype, harfbuzz, jbig2dec, libjpeg, libX11, mupdf, ncurses, openjpeg
+{ lib, stdenv, fetchFromGitHub
+, freetype, harfbuzz, jbig2dec, libjpeg, libX11, mupdf_1_17, ncurses, openjpeg
 , openssl
 
 , imageSupport ? true, imlib2 ? null }:
@@ -32,9 +32,9 @@ stdenv.mkDerivation rec {
   hardeningDisable = [ "format" ];
 
   buildInputs = [
-    freetype harfbuzz jbig2dec libjpeg libX11 mupdf ncurses openjpeg
+    freetype harfbuzz jbig2dec libjpeg libX11 mupdf_1_17 ncurses openjpeg
     openssl
-  ] ++ stdenv.lib.optionals imageSupport [
+  ] ++ lib.optionals imageSupport [
     imlib2
   ];
 
@@ -54,7 +54,7 @@ stdenv.mkDerivation rec {
     install ${toString binaries} $out/bin
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "PDF and image viewer for the Linux framebuffer";
     longDescription = ''
       A very fast PDF and image viewer for the Linux framebuffer with some
diff --git a/pkgs/os-specific/linux/jool/cli.nix b/pkgs/os-specific/linux/jool/cli.nix
index 2d6e624fee6..b1bce496614 100644
--- a/pkgs/os-specific/linux/jool/cli.nix
+++ b/pkgs/os-specific/linux/jool/cli.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, libnl, iptables }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libnl, iptables }:
 
 let
   sourceAttrs = (import ./source.nix) { inherit fetchFromGitHub; };
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
 
   src = sourceAttrs.src;
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ libnl iptables ];
 
   makeFlags = [ "-C" "src/usr" ];
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
     sed -e 's%^XTABLES_SO_DIR = .*%XTABLES_SO_DIR = '"$out"'/lib/xtables%g' -i src/usr/iptables/Makefile
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.jool.mx/";
     description = "Fairly compliant SIIT and Stateful NAT64 for Linux - CLI tools";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index 69c0da33136..58894de6c2e 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 let
   sourceAttrs = (import ./source.nix) { inherit fetchFromGitHub; };
@@ -24,7 +24,7 @@ stdenv.mkDerivation {
     make -C src/mod modules_install INSTALL_MOD_PATH=$out
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.jool.mx/";
     description = "Fairly compliant SIIT and Stateful NAT64 for Linux - kernel modules";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/joycond/default.nix b/pkgs/os-specific/linux/joycond/default.nix
new file mode 100644
index 00000000000..a203073b081
--- /dev/null
+++ b/pkgs/os-specific/linux/joycond/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, libevdev, udev }:
+
+stdenv.mkDerivation rec {
+  pname = "joycond";
+  version = "unstable-2021-03-27";
+
+  src = fetchFromGitHub {
+    owner = "DanielOgorchock";
+    repo = "joycond";
+    rev = "2d3f553060291f1bfee2e49fc2ca4a768b289df8";
+    sha256 = "0dpmwspll9ar3pxg9rgnh224934par8h8bixdz9i2pqqbc3dqib7";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libevdev udev ];
+
+  # CMake has hardcoded install paths
+  installPhase = ''
+    mkdir -p $out/{bin,etc/{systemd/system,udev/rules.d},lib/modules-load.d}
+
+    cp ./joycond $out/bin
+    cp $src/udev/{89,72}-joycond.rules $out/etc/udev/rules.d
+    cp $src/systemd/joycond.service $out/etc/systemd/system
+    cp $src/systemd/joycond.conf $out/lib/modules-load.d
+
+    substituteInPlace $out/etc/systemd/system/joycond.service --replace \
+      "ExecStart=/usr/bin/joycond" "ExecStart=$out/bin/joycond"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/DanielOgorchock/joycond";
+    description = "Userspace daemon to combine joy-cons from the hid-nintendo kernel driver";
+    license = licenses.gpl3Only;
+    maintainers = [ maintainers.ivar ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/jujuutils/default.nix b/pkgs/os-specific/linux/jujuutils/default.nix
index 86b24fe6a5b..554898cedeb 100644
--- a/pkgs/os-specific/linux/jujuutils/default.nix
+++ b/pkgs/os-specific/linux/jujuutils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, linuxHeaders }:
+{ lib, stdenv, fetchurl, linuxHeaders }:
 
 stdenv.mkDerivation {
   name = "jujuutils-0.2";
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
   meta = {
     homepage = "https://github.com/cladisch/linux-firewire-utils";
     description = "Utilities around FireWire devices connected to a Linux computer";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/kbd/default.nix b/pkgs/os-specific/linux/kbd/default.nix
index 7ee449ff33e..c7a59e59cab 100644
--- a/pkgs/os-specific/linux/kbd/default.nix
+++ b/pkgs/os-specific/linux/kbd/default.nix
@@ -1,15 +1,26 @@
-{ stdenv, fetchurl, autoreconfHook,
-  gzip, bzip2, pkgconfig, flex, check,
-  pam, coreutils
+{ lib
+, stdenv
+, fetchurl
+, nixosTests
+, autoreconfHook
+, pkg-config
+, flex
+, check
+, pam
+, coreutils
+, gzip
+, bzip2
+, xz
+, zstd
 }:
 
 stdenv.mkDerivation rec {
   pname = "kbd";
-  version = "2.0.4";
+  version = "2.4.0";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/kbd/${pname}-${version}.tar.xz";
-    sha256 = "124swm93dm4ca0pifgkrand3r9gvj3019d4zkfxsj9djpvv0mnaz";
+    sha256 = "17wvrqz2kk0w87idinhyvd31ih1dp7ldfl2yfx7ailygb0279w2m";
   };
 
   configureFlags = [
@@ -18,13 +29,8 @@ stdenv.mkDerivation rec {
     "--disable-nls"
   ];
 
-  patches = [ ./search-paths.patch ];
-
   postPatch =
     ''
-      # Add Neo keymap subdirectory
-      sed -i -e 's,^KEYMAPSUBDIRS *= *,&i386/neo ,' data/Makefile.am
-
       # Renaming keymaps with name clashes, because loadkeys just picks
       # the first keymap it sees. The clashing names lead to e.g.
       # "loadkeys no" defaulting to a norwegian dvorak map instead of
@@ -33,21 +39,16 @@ stdenv.mkDerivation rec {
       mv qwertz/cz{,-qwertz}.map
       mv olpc/es{,-olpc}.map
       mv olpc/pt{,-olpc}.map
-      mv dvorak/{no.map,dvorak-no.map}
       mv fgGIod/trf{,-fgGIod}.map
       mv colemak/{en-latin9,colemak}.map
       popd
 
-      # Fix the path to gzip/bzip2.
-      substituteInPlace src/libkeymap/findfile.c \
-        --replace gzip ${gzip}/bin/gzip \
-        --replace bzip2 ${bzip2.bin}/bin/bzip2 \
-
-      # We get a warning in armv5tel-linux and the fuloong2f, so we
-      # disable -Werror in it.
-      ${stdenv.lib.optionalString (stdenv.isAarch32 || stdenv.hostPlatform.isMips) ''
-        sed -i s/-Werror// src/Makefile.am
-      ''}
+      # Fix paths to decompressors. Trailing space to avoid replacing `xz` in `".xz"`.
+      substituteInPlace src/libkbdfile/kbdfile.c \
+        --replace 'gzip '  '${gzip}/bin/gzip ' \
+        --replace 'bzip2 ' '${bzip2.bin}/bin/bzip2 ' \
+        --replace 'xz '    '${xz.bin}/bin/xz ' \
+        --replace 'zstd '  '${zstd.bin}/bin/zstd '
     '';
 
   postInstall = ''
@@ -57,16 +58,18 @@ stdenv.mkDerivation rec {
     done
   '';
 
-
   buildInputs = [ check pam ];
-  nativeBuildInputs = [ autoreconfHook pkgconfig flex ];
+  nativeBuildInputs = [ autoreconfHook pkg-config flex ];
 
-  makeFlags = [ "setowner=" ];
+  passthru.tests = {
+    inherit (nixosTests) keymap kbd-setfont-decompress;
+  };
 
-  meta = with stdenv.lib; {
-    homepage = "ftp://ftp.altlinux.org/pub/people/legion/kbd/";
-    description = "Linux keyboard utilities and keyboard maps";
+  meta = with lib; {
+    homepage = "https://kbd-project.org/";
+    description = "Linux keyboard tools and keyboard maps";
     platforms = platforms.linux;
     license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ davidak ];
   };
 }
diff --git a/pkgs/os-specific/linux/kbd/keymaps.nix b/pkgs/os-specific/linux/kbd/keymaps.nix
deleted file mode 100644
index b3d5fe1b63c..00000000000
--- a/pkgs/os-specific/linux/kbd/keymaps.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ stdenv, lib, fetchurl, gzip }:
-
-{
-  dvp = stdenv.mkDerivation rec {
-    pname = "dvp";
-    version = "1.2.1";
-
-    src = fetchurl {
-      url = "http://kaufmann.no/downloads/linux/dvp-${lib.replaceStrings ["."] ["_"] version}.map.gz";
-      sha256 = "0e859211cfe16a18a3b9cbf2ca3e280a23a79b4e40b60d8d01d0fde7336b6d50";
-    };
-
-    nativeBuildInputs = [ gzip ];
-
-    buildCommand = ''
-      mkdir -p $out/share/keymaps/i386/dvorak
-      gzip -c -d $src > $out/share/keymaps/i386/dvorak/dvp.map
-    '';
-  };
-
-  neo = stdenv.mkDerivation {
-    pname = "neo";
-    version = "2476";
-
-    src = fetchurl {
-      name = "neo.map";
-      url = "https://raw.githubusercontent.com/neo-layout/neo-layout/"
-          + "a0dee06fed824abfad658b7f10e6d907b270be0a/linux/console/neo.map";
-      sha256 = "19mfrd31vzpsjiwc7pshxm0b0sz5dd17xrz6k079cy4im1vf0r4g";
-    };
-
-    buildCommand = ''
-      install -D $src $out/share/keymaps/i386/neo/neo.map
-    '';
-  };
-}
diff --git a/pkgs/os-specific/linux/kbd/search-paths.patch b/pkgs/os-specific/linux/kbd/search-paths.patch
deleted file mode 100644
index c9405a56721..00000000000
--- a/pkgs/os-specific/linux/kbd/search-paths.patch
+++ /dev/null
@@ -1,71 +0,0 @@
---- a/src/libkeymap/analyze.l
-+++ b/src/libkeymap/analyze.l
-@@ -101,6 +101,9 @@ stack_pop(struct lk_ctx *ctx, void *scan
- static const char *const include_dirpath0[] = { "", 0 };
- static const char *const include_dirpath1[] = { "", "../include/", "../../include/", 0 };
- static const char *const include_dirpath3[] = {
-+ 	"/etc/kbd/" KEYMAPDIR "/include/",
-+ 	"/etc/kbd/" KEYMAPDIR "/i386/include/",
-+ 	"/etc/kbd/" KEYMAPDIR "/mac/include/",
- 	DATADIR "/" KEYMAPDIR "/include/",
- 	DATADIR "/" KEYMAPDIR "/i386/include/",
- 	DATADIR "/" KEYMAPDIR "/mac/include/", 0
---- a/src/loadkeys.c
-+++ b/src/loadkeys.c
-@@ -27,7 +27,7 @@
- #include "keymap.h"
- 
- static const char *progname         = NULL;
--static const char *const dirpath1[] = { "", DATADIR "/" KEYMAPDIR "/**", KERNDIR "/", 0 };
-+static const char *const dirpath1[] = { "", "/etc/kbd/" KEYMAPDIR "/**", DATADIR "/" KEYMAPDIR "/**", 0 };
- static const char *const suffixes[] = { "", ".kmap", ".map", 0 };
- 
- static void __attribute__((noreturn))
---- a/src/loadunimap.c
-+++ b/src/loadunimap.c
-@@ -30,7 +30,7 @@
- extern char *progname;
- extern int force;
- 
--static const char *const unidirpath[]  = { "", DATADIR "/" UNIMAPDIR "/", 0 };
-+static const char *const unidirpath[]  = { "", "/etc/kbd/" UNIMAPDIR "/", DATADIR "/" UNIMAPDIR "/", 0 };
- static const char *const unisuffixes[] = { "", ".uni", ".sfm", 0 };
- 
- #ifdef MAIN
---- a/src/mapscrn.c
-+++ b/src/mapscrn.c
-@@ -27,7 +27,7 @@ void loadnewmap(int fd, char *mfil);
- static int ctoi(char *);
- 
- /* search for the map file in these directories (with trailing /) */
--static const char *const mapdirpath[]  = { "", DATADIR "/" TRANSDIR "/", 0 };
-+static const char *const mapdirpath[]  = { "", "/etc/kbd/" TRANSDIR "/", DATADIR "/" TRANSDIR "/", 0 };
- static const char *const mapsuffixes[] = { "", ".trans", "_to_uni.trans", ".acm", 0 };
- 
- #ifdef MAIN
---- a/src/resizecons.c
-+++ b/src/resizecons.c
-@@ -101,7 +101,7 @@ static int vga_get_fontheight(void);
- static void vga_set_cursor(int, int);
- static void vga_set_verticaldisplayend_lowbyte(int);
- 
--const char *const dirpath[]  = { "", DATADIR "/" VIDEOMODEDIR "/", 0 };
-+const char *const dirpath[]  = { "", "/etc/kbd/" VIDEOMODEDIR "/", DATADIR "/" VIDEOMODEDIR "/", 0};
- const char *const suffixes[] = { "", 0 };
- 
- int main(int argc, char **argv)
---- a/src/setfont.c
-+++ b/src/setfont.c
-@@ -53,10 +53,10 @@ int force   = 0;
- int debug   = 0;
- 
- /* search for the font in these directories (with trailing /) */
--const char *const fontdirpath[]  = { "", DATADIR "/" FONTDIR "/", 0 };
-+const char *const fontdirpath[]  = { "", "/etc/kbd/" FONTDIR "/", DATADIR "/" FONTDIR "/", 0 };
- const char *const fontsuffixes[] = { "", ".psfu", ".psf", ".cp", ".fnt", 0 };
- /* hide partial fonts a bit - loading a single one is a bad idea */
--const char *const partfontdirpath[]  = { "", DATADIR "/" FONTDIR "/" PARTIALDIR "/", 0 };
-+const char *const partfontdirpath[]  = { "", "/etc/kbd/" FONTDIR "/" PARTIALDIR "/", DATADIR "/" FONTDIR "/" PARTIALDIR "/", 0 };
- const char *const partfontsuffixes[] = { "", 0 };
- 
- static inline int
diff --git a/pkgs/os-specific/linux/kbdlight/default.nix b/pkgs/os-specific/linux/kbdlight/default.nix
index bc2d53b5e5d..0ed575b8254 100644
--- a/pkgs/os-specific/linux/kbdlight/default.nix
+++ b/pkgs/os-specific/linux/kbdlight/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   pname = "kbdlight";
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
       --replace 4755 0755
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/hobarrera/kbdlight";
     description = "A very simple application that changes MacBooks' keyboard backlight level";
     license = licenses.isc;
diff --git a/pkgs/os-specific/linux/kernel-headers/default.nix b/pkgs/os-specific/linux/kernel-headers/default.nix
index c8cf2ac20bc..8b7b5a4fa42 100644
--- a/pkgs/os-specific/linux/kernel-headers/default.nix
+++ b/pkgs/os-specific/linux/kernel-headers/default.nix
@@ -1,4 +1,9 @@
-{ stdenvNoCC, lib, buildPackages, fetchurl, perl, elf-header }:
+{ stdenvNoCC, lib, buildPackages, fetchurl, perl, elf-header
+, bison ? null, flex ? null, python ? null, rsync ? null
+}:
+
+assert stdenvNoCC.hostPlatform.isAndroid ->
+  (flex != null && bison != null && python != null && rsync != null);
 
 rec {
   makeLinuxHeaders = { src, version, patches ? [] }: stdenvNoCC.mkDerivation {
@@ -7,13 +12,17 @@ rec {
     pname = "linux-headers";
     inherit version;
 
-    ARCH = stdenvNoCC.hostPlatform.platform.kernelArch or stdenvNoCC.hostPlatform.kernelArch;
+    ARCH = stdenvNoCC.hostPlatform.linuxArch;
 
     # It may look odd that we use `stdenvNoCC`, and yet explicit depend on a cc.
     # We do this so we have a build->build, not build->host, C compiler.
     depsBuildBuild = [ buildPackages.stdenv.cc ];
     # `elf-header` is null when libc provides `elf.h`.
-    nativeBuildInputs = [ perl elf-header ];
+    nativeBuildInputs = [
+      perl elf-header
+    ] ++ lib.optionals stdenvNoCC.hostPlatform.isAndroid [
+      flex bison python rsync
+    ];
 
     extraIncludeDirs = lib.optional stdenvNoCC.hostPlatform.isPowerPC ["ppc"];
 
@@ -36,9 +45,12 @@ rec {
     # Skip clean on darwin, case-sensitivity issues.
     buildPhase = lib.optionalString (!stdenvNoCC.buildPlatform.isDarwin) ''
       make mrproper $makeFlags
-    '' + ''
+    '' + (if stdenvNoCC.hostPlatform.isAndroid then ''
+      make defconfig
+      make headers_install
+    '' else ''
       make headers $makeFlags
-    '';
+    '');
 
     checkPhase = ''
       make headers_check $makeFlags
@@ -71,12 +83,12 @@ rec {
     ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms
   ];
 
-  linuxHeaders = let version = "5.5"; in
+  linuxHeaders = let version = "5.12"; in
     makeLinuxHeaders {
       inherit version;
       src = fetchurl {
         url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-        sha256 = "0c131fi6s7vgvka1c0597vnvcmwn1pp968rci5kq64iwj3pd9yx6";
+        sha256 = "sha256-fQ328r8jhNaNC9jh/j4HHWQ2Tc3GAC57XIfJLUj6w2Y=";
       };
       patches = linuxHeadersPatches;
     };
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index c0da19dd391..355e653c8ea 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -10,14 +10,14 @@
 # hardware problems with a new one.
 
 # Configuration
-{ stdenv, version
+{ lib, stdenv, version
 
-, features ? { grsecurity = false; }
+, features ? {}
 }:
 
-with stdenv.lib;
-with stdenv.lib.kernel;
-with (stdenv.lib.kernel.whenHelpers version);
+with lib;
+with lib.kernel;
+with (lib.kernel.whenHelpers version);
 
 let
 
@@ -42,7 +42,7 @@ let
       TIMER_STATS               = whenOlder "4.11" yes;
       DEBUG_NX_TEST             = whenOlder "4.11" no;
       DEBUG_STACK_USAGE         = no;
-      DEBUG_STACKOVERFLOW       = mkIf (!features.grsecurity) (option no);
+      DEBUG_STACKOVERFLOW       = option no;
       RCU_TORTURE_TEST          = no;
       SCHEDSTATS                = no;
       DETECT_HUNG_TASK          = yes;
@@ -132,6 +132,7 @@ let
       IP_MROUTE_MULTIPLE_TABLES   = yes;
       IP_MULTICAST                = yes;
       IP_MULTIPLE_TABLES          = yes;
+      IPV6                        = yes;
       IPV6_ROUTER_PREF            = yes;
       IPV6_ROUTE_INFO             = yes;
       IPV6_OPTIMISTIC_DAD         = yes;
@@ -141,6 +142,9 @@ let
       IPV6_MROUTE_MULTIPLE_TABLES = yes;
       IPV6_PIMSM_V2               = yes;
       IPV6_FOU_TUNNEL             = whenAtLeast "4.7" module;
+      IPV6_SEG6_LWTUNNEL          = whenAtLeast "4.10" yes;
+      IPV6_SEG6_HMAC              = whenAtLeast "4.10" yes;
+      IPV6_SEG6_BPF               = whenAtLeast "4.18" yes;
       NET_CLS_BPF                 = whenAtLeast "4.4" module;
       NET_ACT_BPF                 = whenAtLeast "4.4" module;
       NET_SCHED                   = yes;
@@ -173,6 +177,8 @@ let
                                               (whenAtLeast "4.17" yes) ];
       NF_TABLES_NETDEV            = mkMerge [ (whenOlder "4.17" module)
                                               (whenAtLeast "4.17" yes) ];
+      NFT_REJECT_NETDEV           = whenAtLeast "5.11" module;
+
       # IP: Netfilter Configuration
       NF_TABLES_IPV4              = mkMerge [ (whenOlder "4.17" module)
                                               (whenAtLeast "4.17" yes) ];
@@ -190,11 +196,17 @@ let
       NET_DROP_MONITOR = yes;
 
       # needed for ss
-      INET_DIAG         = module;
-      INET_TCP_DIAG     = module;
-      INET_UDP_DIAG     = module;
-      INET_RAW_DIAG     = whenAtLeast "4.14" module;
-      INET_DIAG_DESTROY = whenAtLeast "4.9" yes;
+      # Use a lower priority to allow these options to be overridden in hardened/config.nix
+      INET_DIAG         = mkDefault module;
+      INET_TCP_DIAG     = mkDefault module;
+      INET_UDP_DIAG     = mkDefault module;
+      INET_RAW_DIAG     = whenAtLeast "4.14" (mkDefault module);
+      INET_DIAG_DESTROY = whenAtLeast "4.9" (mkDefault yes);
+
+      # enable multipath-tcp
+      MPTCP           = whenAtLeast "5.6" yes;
+      MPTCP_IPV6      = whenAtLeast "5.6" yes;
+      INET_MPTCP_DIAG = whenAtLeast "5.9" (mkDefault module);
     };
 
     wireless = {
@@ -235,8 +247,9 @@ let
       # Allow specifying custom EDID on the kernel command line
       DRM_LOAD_EDID_FIRMWARE = yes;
       VGA_SWITCHEROO         = yes; # Hybrid graphics support
-      DRM_GMA600             = yes;
-      DRM_GMA3600            = yes;
+      DRM_GMA500             = whenAtLeast "5.12" module;
+      DRM_GMA600             = whenOlder "5.13" yes;
+      DRM_GMA3600            = whenOlder "5.12" yes;
       DRM_VMWGFX_FBCON       = yes;
       # necessary for amdgpu polaris support
       DRM_AMD_POWERPLAY = whenBetween "4.5" "4.9" yes;
@@ -244,6 +257,17 @@ let
       DRM_AMDGPU_SI = whenAtLeast "4.9" yes;
       # (stable) amdgpu support for bonaire and newer chipsets
       DRM_AMDGPU_CIK = whenAtLeast "4.9" yes;
+      # Allow device firmware updates
+      DRM_DP_AUX_CHARDEV = whenAtLeast "4.6" yes;
+      # amdgpu display core (DC) support
+      DRM_AMD_DC_DCN1_0 = whenBetween "4.15" "5.6" yes;
+      DRM_AMD_DC_PRE_VEGA = whenBetween "4.15" "4.18" yes;
+      DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes;
+      DRM_AMD_DC_DCN2_1 = whenBetween "5.4" "5.6" yes;
+      DRM_AMD_DC_DCN3_0 = whenBetween "5.9" "5.11" yes;
+      DRM_AMD_DC_DCN = whenAtLeast "5.11" yes;
+      DRM_AMD_DC_HDCP = whenAtLeast "5.5" yes;
+      DRM_AMD_DC_SI = whenAtLeast "5.10" yes;
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
       # Intel GVT-g graphics virtualization supports 64-bit only
       DRM_I915_GVT = whenAtLeast "4.16" yes;
@@ -268,21 +292,31 @@ let
       SND_SOC_SOF_TOPLEVEL              = yes;
       SND_SOC_SOF_ACPI                  = module;
       SND_SOC_SOF_PCI                   = module;
-      SND_SOC_SOF_APOLLOLAKE_SUPPORT    = yes;
-      SND_SOC_SOF_CANNONLAKE_SUPPORT    = yes;
-      SND_SOC_SOF_COFFEELAKE_SUPPORT    = yes;
+      SND_SOC_SOF_APOLLOLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_APOLLOLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_CANNONLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_CANNONLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COFFEELAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_COFFEELAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COMETLAKE             = whenAtLeast "5.12" module;
       SND_SOC_SOF_COMETLAKE_H_SUPPORT   = whenOlder "5.8" yes;
-      SND_SOC_SOF_COMETLAKE_LP_SUPPORT  = yes;
-      SND_SOC_SOF_ELKHARTLAKE_SUPPORT   = yes;
-      SND_SOC_SOF_GEMINILAKE_SUPPORT    = yes;
+      SND_SOC_SOF_COMETLAKE_LP_SUPPORT  = whenOlder "5.12" yes;
+      SND_SOC_SOF_ELKHARTLAKE           = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ELKHARTLAKE_SUPPORT   = whenOlder "5.12" yes;
+      SND_SOC_SOF_GEMINILAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_GEMINILAKE_SUPPORT    = whenOlder "5.12" yes;
       SND_SOC_SOF_HDA_AUDIO_CODEC       = yes;
       SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
       SND_SOC_SOF_HDA_LINK              = yes;
-      SND_SOC_SOF_ICELAKE_SUPPORT       = yes;
+      SND_SOC_SOF_ICELAKE               = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ICELAKE_SUPPORT       = whenOlder "5.12" yes;
       SND_SOC_SOF_INTEL_TOPLEVEL        = yes;
-      SND_SOC_SOF_JASPERLAKE_SUPPORT    = yes;
-      SND_SOC_SOF_MERRIFIELD_SUPPORT    = yes;
-      SND_SOC_SOF_TIGERLAKE_SUPPORT     = yes;
+      SND_SOC_SOF_JASPERLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_JASPERLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_MERRIFIELD            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_MERRIFIELD_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_TIGERLAKE             = whenAtLeast "5.12" module;
+      SND_SOC_SOF_TIGERLAKE_SUPPORT     = whenOlder "5.12" yes;
     };
 
     usb-serial = {
@@ -350,6 +384,7 @@ let
       F2FS_FS             = module;
       F2FS_FS_SECURITY    = option yes;
       F2FS_FS_ENCRYPTION  = option yes;
+      F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
       UDF_FS              = module;
 
       NFSD_PNFS              = whenBetween "4.0" "4.6" yes;
@@ -396,6 +431,8 @@ let
       NLS_ISO8859_1    = module; # VFAT default for the iocharset= mount option
 
       DEVTMPFS = yes;
+
+      UNICODE = whenAtLeast "5.2" yes; # Casefolding support for filesystems
     };
 
     security = {
@@ -406,14 +443,19 @@ let
       SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
       # Prevent processes from ptracing non-children processes
       SECURITY_YAMA                    = option yes;
-      DEVKMEM                          = mkIf (!features.grsecurity) no; # Disable /dev/kmem
+      DEVKMEM                          = whenOlder "5.13" no; # Disable /dev/kmem
 
       USER_NS                          = yes; # Support for user namespaces
 
       SECURITY_APPARMOR                = yes;
       DEFAULT_SECURITY_APPARMOR        = yes;
 
-      SECURITY_LOCKDOWN_LSM            = whenAtLeast "5.4" yes;
+      RANDOM_TRUST_CPU                 = whenAtLeast "4.19" yes; # allow RDRAND to seed the RNG
+
+      MODULE_SIG            = no; # r13y, generates a random key during build and bakes it in
+      # Depends on MODULE_SIG and only really helps when you sign your modules
+      # and enforce signatures which we don't do by default.
+      SECURITY_LOCKDOWN_LSM = option no;
     } // optionalAttrs (!stdenv.hostPlatform.isAarch32) {
 
       # Detect buffer overflows on the stack
@@ -481,7 +523,7 @@ let
     virtualisation = {
       PARAVIRT = option yes;
 
-      HYPERVISOR_GUEST = mkIf (!features.grsecurity) yes;
+      HYPERVISOR_GUEST = yes;
       PARAVIRT_SPINLOCKS  = option yes;
 
       KVM_APIC_ARCHITECTURE             = whenOlder "4.8" yes;
@@ -489,12 +531,12 @@ let
       KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; };
       KVM_DEVICE_ASSIGNMENT  = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; };
       KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0"  yes;
-      KVM_GUEST                         = mkIf (!features.grsecurity) yes;
+      KVM_GUEST                         = yes;
       KVM_MMIO                          = yes;
       KVM_VFIO                          = yes;
       KSM = yes;
       VIRT_DRIVERS = yes;
-      # We nneed 64 GB (PAE) support for Xen guest support
+      # We need 64 GB (PAE) support for Xen guest support
       HIGHMEM64G = { optional = true; tristate = mkIf (!stdenv.is64bit) "y";};
 
       VFIO_PCI_VGA = mkIf stdenv.is64bit yes;
@@ -618,7 +660,12 @@ let
       XZ_DEC_TEST              = option no;
     };
 
-    criu = optionalAttrs (features.criu or false) ({
+    criu = if (versionAtLeast version "4.19") then {
+      # Unconditionally enabled, because it is required for CRIU and
+      # it provides the kcmp() system call that Mesa depends on.
+      CHECKPOINT_RESTORE  = yes;
+    } else optionalAttrs (features.criu or false) ({
+      # For older kernels, CHECKPOINT_RESTORE is hidden behind EXPERT.
       EXPERT              = yes;
       CHECKPOINT_RESTORE  = yes;
     } // optionalAttrs (features.criu_revert_expert or true) {
@@ -631,7 +678,14 @@ let
       DEBUG_MEMORY_INIT     = option yes;
     });
 
-    misc = {
+    misc = let
+      # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz.
+      # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
+      useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9";
+    in {
+      KERNEL_XZ            = mkIf (!useZstd) yes;
+      KERNEL_ZSTD          = mkIf useZstd yes;
+
       HID_BATTERY_STRENGTH = yes;
       # enabled by default in x86_64 but not arm64, so we do that here
       HIDRAW               = yes;
@@ -644,9 +698,8 @@ let
       THRUSTMASTER_FF    = yes;
       ZEROPLUS_FF        = yes;
 
-      MODULE_COMPRESS    = yes;
+      MODULE_COMPRESS    = whenOlder "5.13" yes;
       MODULE_COMPRESS_XZ = yes;
-      KERNEL_XZ          = yes;
 
       SYSVIPC            = yes;  # System-V IPC
 
@@ -657,7 +710,6 @@ let
       MD                 = yes;     # Device mapper (RAID, LVM, etc.)
 
       # Enable initrd support.
-      BLK_DEV_RAM       = yes;
       BLK_DEV_INITRD    = yes;
 
       PM_TRACE_RTC         = no; # Disable some expensive (?) features.
@@ -731,6 +783,8 @@ let
       MLX4_EN_VXLAN = whenOlder "4.8" yes;
       MLX5_CORE_EN       = option yes;
 
+      NVME_MULTIPATH = whenAtLeast "4.15" yes;
+
       PSI = whenAtLeast "4.20" yes;
 
       MODVERSIONS        = whenOlder "4.9" yes;
@@ -767,6 +821,8 @@ let
       X86_CHECK_BIOS_CORRUPTION = yes;
       X86_MCE                   = yes;
 
+      RAS = yes; # Needed for EDAC support
+
       # Our initrd init uses shebang scripts, so can't be modular.
       BINFMT_SCRIPT = yes;
       # For systemd-binfmt
@@ -788,6 +844,7 @@ let
       PREEMPT_VOLUNTARY = yes;
 
       X86_AMD_PLATFORM_DEVICE = yes;
+      X86_PLATFORM_DRIVERS_DELL = whenAtLeast "5.12" yes;
 
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
       # Enable CPU/memory hotplug support
@@ -803,12 +860,26 @@ let
       # Bump the maximum number of CPUs to support systems like EC2 x1.*
       # instances and Xeon Phi.
       NR_CPUS = freeform "384";
-    } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
+    } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
       # Enables support for the Allwinner Display Engine 2.0
       SUN8I_DE2_CCU = whenAtLeast "4.13" yes;
 
       # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647
       CRYPTO_AEGIS128_SIMD = whenAtLeast "5.4" no;
+
+      # Distros should configure the default as a kernel option.
+      # We previously defined it on the kernel command line as cma=
+      # The kernel command line will override a platform-specific configuration from its device tree.
+      # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
+      CMA_SIZE_MBYTES = freeform "32";
+
+      # Many ARM SBCs hand off a pre-configured framebuffer.
+      # This always can can be replaced by the actual native driver.
+      # Keeping it a built-in ensures it will be used if possible.
+      FB_SIMPLE = yes;
+
+    } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux") {
+      ARM_LPAE = yes;
     };
   };
 in
diff --git a/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch b/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch
new file mode 100644
index 00000000000..1d8ed6f712c
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch
@@ -0,0 +1,11 @@
+Export linux-rt (PREEMPT_RT) specific symbols needed by ZFS.
+(Regular kernel provides them static inline in linux/preempt.h.)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1812 +1812 @@ void migrate_disable(void)
+-EXPORT_SYMBOL_GPL(migrate_disable);
++EXPORT_SYMBOL(migrate_disable);
+@@ -1843 +1843 @@ void migrate_enable(void)
+-EXPORT_SYMBOL_GPL(migrate_enable);
++EXPORT_SYMBOL(migrate_enable);
diff --git a/pkgs/os-specific/linux/kernel/generate-config.pl b/pkgs/os-specific/linux/kernel/generate-config.pl
index 26c559ea908..df807188f14 100644
--- a/pkgs/os-specific/linux/kernel/generate-config.pl
+++ b/pkgs/os-specific/linux/kernel/generate-config.pl
@@ -19,6 +19,7 @@ my $autoModules = $ENV{'AUTO_MODULES'};
 my $preferBuiltin = $ENV{'PREFER_BUILTIN'};
 my $ignoreConfigErrors = $ENV{'ignoreConfigErrors'};
 my $buildRoot = $ENV{'BUILD_ROOT'};
+my $makeFlags = $ENV{'MAKE_FLAGS'};
 $SIG{PIPE} = 'IGNORE';
 
 # Read the answers.
@@ -40,7 +41,7 @@ close ANSWERS;
 sub runConfig {
 
     # Run `make config'.
-    my $pid = open2(\*IN, \*OUT, "make -C $ENV{SRC} O=$buildRoot config SHELL=bash ARCH=$ENV{ARCH}");
+    my $pid = open2(\*IN, \*OUT, "make -C $ENV{SRC} O=$buildRoot config SHELL=bash ARCH=$ENV{ARCH} CC=$ENV{CC} HOSTCC=$ENV{HOSTCC} HOSTCXX=$ENV{HOSTCXX} $makeFlags");
 
     # Parse the output, look for questions and then send an
     # appropriate answer.
@@ -61,6 +62,12 @@ sub runConfig {
             # Remember choice alternatives ("> 1. bla (FOO)" or " 2. bla (BAR) (NEW)").
             if ($line =~ /^\s*>?\s*(\d+)\.\s+.*?\(([A-Za-z0-9_]+)\)(?:\s+\(NEW\))?\s*$/) {
                 $choices{$2} = $1;
+            } else {
+                # The list of choices has ended without us being
+                # asked. This happens for options where only one value
+                # is valid, for instance. The results can foul up
+                # later options, so forget about it.
+                %choices = ();
             }
 
             $line = "";
diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index cab11cc87ae..7f4f0f2d6bb 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@@ -6,6 +6,7 @@
 , gmp ? null
 , libmpc ? null
 , mpfr ? null
+, lib
 , stdenv
 
 , # The kernel source tarball.
@@ -20,6 +21,9 @@
 , # Legacy overrides to the intermediate kernel config, as string
   extraConfig ? ""
 
+  # Additional make flags passed to kbuild
+, extraMakeFlags ? []
+
 , # kernel intermediate config overrides, as a set
  structuredExtraConfig ? {}
 
@@ -41,15 +45,19 @@
   # symbolic name and `patch' is the actual patch.  The patch may
   # optionally be compressed with gzip or bzip2.
   kernelPatches ? []
-, ignoreConfigErrors ? stdenv.hostPlatform.platform.name != "pc" ||
+, ignoreConfigErrors ? stdenv.hostPlatform.linux-kernel.name != "pc" ||
                        stdenv.hostPlatform != stdenv.buildPlatform
 , extraMeta ? {}
 
-# easy overrides to stdenv.hostPlatform.platform members
-, autoModules ? stdenv.hostPlatform.platform.kernelAutoModules
-, preferBuiltin ? stdenv.hostPlatform.platform.kernelPreferBuiltin or false
-, kernelArch ? stdenv.hostPlatform.platform.kernelArch
+, isZen      ? false
+, isLibre    ? false
+, isHardened ? false
 
+# easy overrides to stdenv.hostPlatform.linux-kernel members
+, autoModules ? stdenv.hostPlatform.linux-kernel.autoModules
+, preferBuiltin ? stdenv.hostPlatform.linux-kernel.preferBuiltin or false
+, kernelArch ? stdenv.hostPlatform.linuxArch
+, kernelTests ? []
 , ...
 }:
 
@@ -61,22 +69,17 @@
 assert stdenv.isLinux;
 
 let
-
-  lib = stdenv.lib;
-
   # Combine the `features' attribute sets of all the kernel patches.
-  kernelFeatures = lib.fold (x: y: (x.features or {}) // y) ({
+  kernelFeatures = lib.foldr (x: y: (x.features or {}) // y) ({
     iwlwifi = true;
     efiBootStub = true;
     needsCifsUtils = true;
     netfilterRPFilter = true;
-    grsecurity = false;
-    xen_dom0 = false;
     ia32Emulation = true;
   } // features) kernelPatches;
 
   commonStructuredConfig = import ./common-config.nix {
-    inherit stdenv version ;
+    inherit lib stdenv version;
 
     features = kernelFeatures; # Ensure we know of all extra patches, etc.
   };
@@ -84,7 +87,7 @@ let
   intermediateNixConfig = configfile.moduleStructuredConfig.intermediateNixConfig
     # extra config in legacy string format
     + extraConfig
-    + lib.optionalString (stdenv.hostPlatform.platform ? kernelExtraConfig) stdenv.hostPlatform.platform.kernelExtraConfig;
+    + stdenv.hostPlatform.linux-kernel.extraConfig or "";
 
   structuredConfigFromPatches =
         map ({extraStructuredConfig ? {}, ...}: {settings=extraStructuredConfig;}) kernelPatches;
@@ -97,7 +100,7 @@ let
     in lib.concatStringsSep "\n" ([baseConfigStr] ++ configFromPatches);
 
   configfile = stdenv.mkDerivation {
-    inherit ignoreConfigErrors autoModules preferBuiltin kernelArch;
+    inherit ignoreConfigErrors autoModules preferBuiltin kernelArch extraMakeFlags;
     pname = "linux-config";
     inherit version;
 
@@ -108,13 +111,16 @@ let
 
     depsBuildBuild = [ buildPackages.stdenv.cc ];
     nativeBuildInputs = [ perl gmp libmpc mpfr ]
-      ++ lib.optionals (stdenv.lib.versionAtLeast version "4.16") [ bison flex ];
+      ++ lib.optionals (lib.versionAtLeast version "4.16") [ bison flex ];
 
-    platformName = stdenv.hostPlatform.platform.name;
+    platformName = stdenv.hostPlatform.linux-kernel.name;
     # e.g. "defconfig"
-    kernelBaseConfig = if defconfig != null then defconfig else stdenv.hostPlatform.platform.kernelBaseConfig;
+    kernelBaseConfig = if defconfig != null then defconfig else stdenv.hostPlatform.linux-kernel.baseConfig;
     # e.g. "bzImage"
-    kernelTarget = stdenv.hostPlatform.platform.kernelTarget;
+    kernelTarget = stdenv.hostPlatform.linux-kernel.target;
+
+    makeFlags = lib.optionals (stdenv.hostPlatform.linux-kernel ? makeFlags) stdenv.hostPlatform.linux-kernel.makeFlags
+      ++ extraMakeFlags;
 
     prePatch = kernel.prePatch + ''
       # Patch kconfig to print "###" after every question so that
@@ -128,18 +134,25 @@ let
 
     buildPhase = ''
       export buildRoot="''${buildRoot:-build}"
+      export HOSTCC=$CC_FOR_BUILD
+      export HOSTCXX=$CXX_FOR_BUILD
+      export HOSTAR=$AR_FOR_BUILD
+      export HOSTLD=$LD_FOR_BUILD
 
       # Get a basic config file for later refinement with $generateConfig.
-      make -C .  O="$buildRoot" $kernelBaseConfig \
+      make $makeFlags \
+          -C . O="$buildRoot" $kernelBaseConfig \
           ARCH=$kernelArch \
-          HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc \
-          HOSTCXX=${buildPackages.stdenv.cc.targetPrefix}g++
+          HOSTCC=$HOSTCC HOSTCXX=$HOSTCXX HOSTAR=$HOSTAR HOSTLD=$HOSTLD \
+          CC=$CC OBJCOPY=$OBJCOPY OBJDUMP=$OBJDUMP READELF=$READELF \
+          $makeFlags
 
       # Create the config file.
       echo "generating kernel configuration..."
       ln -s "$kernelConfigPath" "$buildRoot/kernel-config"
       DEBUG=1 ARCH=$kernelArch KERNEL_CONFIG="$buildRoot/kernel-config" AUTO_MODULES=$autoModules \
-           PREFER_BUILTIN=$preferBuiltin BUILD_ROOT="$buildRoot" SRC=. perl -w $generateConfig
+        PREFER_BUILTIN=$preferBuiltin BUILD_ROOT="$buildRoot" SRC=. MAKE_FLAGS="$makeFlags" \
+        perl -w $generateConfig
     '';
 
     installPhase = "mv $buildRoot/.config $out";
@@ -147,7 +160,6 @@ let
     enableParallelBuilding = true;
 
     passthru = rec {
-
       module = import ../../../../nixos/modules/system/boot/kernel_config.nix;
       # used also in apache
       # { modules = [ { options = res.options; config = svc.config or svc; } ];
@@ -167,16 +179,20 @@ let
     };
   }; # end of configfile derivation
 
-  kernel = (callPackage ./manual-config.nix {}) {
-    inherit version modDirVersion src kernelPatches randstructSeed stdenv extraMeta configfile;
+  kernel = (callPackage ./manual-config.nix { inherit buildPackages;  }) {
+    inherit version modDirVersion src kernelPatches randstructSeed lib stdenv extraMakeFlags extraMeta configfile;
 
     config = { CONFIG_MODULES = "y"; CONFIG_FW_LOADER = "m"; };
   };
 
   passthru = {
     features = kernelFeatures;
-    inherit commonStructuredConfig;
+    inherit commonStructuredConfig structuredExtraConfig extraMakeFlags isZen isHardened isLibre modDirVersion;
+    isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
+    kernelOlder = lib.versionOlder version;
+    kernelAtLeast = lib.versionAtLeast version;
     passthru = kernel.passthru // (removeAttrs passthru [ "passthru" ]);
+    tests = kernelTests;
   };
 
 in lib.extendDerivation true passthru kernel
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index c817f104427..20f9f5aaa14 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -8,11 +8,11 @@
 #
 # See also <nixos/modules/profiles/hardened.nix>
 
-{ stdenv, version }:
+{ lib, version }:
 
-with stdenv.lib;
-with stdenv.lib.kernel;
-with (stdenv.lib.kernel.whenHelpers version);
+with lib;
+with lib.kernel;
+with (lib.kernel.whenHelpers version);
 
 assert (versionAtLeast version "4.9");
 
@@ -55,8 +55,8 @@ assert (versionAtLeast version "4.9");
 
   # Wipe higher-level memory allocations on free() with page_poison=1
   PAGE_POISONING           = yes;
-  PAGE_POISONING_NO_SANITY = yes;
-  PAGE_POISONING_ZERO      = yes;
+  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
+  PAGE_POISONING_ZERO      = whenOlder "5.11" yes;
 
   # Enable the SafeSetId LSM
   SECURITY_SAFESETID = whenAtLeast "5.1" yes;
@@ -65,7 +65,7 @@ assert (versionAtLeast version "4.9");
   PANIC_TIMEOUT = freeform "-1";
 
   GCC_PLUGINS = yes; # Enable gcc plugin options
-  # Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
+  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
   GCC_PLUGIN_LATENT_ENTROPY = yes;
 
   GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
@@ -79,8 +79,18 @@ assert (versionAtLeast version "4.9");
   PROC_KCORE         = no; # Exposes kernel text image layout
   INET_DIAG          = no; # Has been used for heap based attacks in the past
 
+  # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
+  # make them optional
+  INET_DIAG_DESTROY = option no;
+  INET_RAW_DIAG     = option no;
+  INET_TCP_DIAG     = option no;
+  INET_UDP_DIAG     = option no;
+  INET_MPTCP_DIAG   = option no;
+
   # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
   CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
   CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;
 
+  # Detect out-of-bound reads/writes and use-after-free
+  KFENCE = whenAtLeast "5.12" yes;
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 824eb1a6966..412e5041500 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -1,22 +1,32 @@
 {
     "4.14": {
-        "name": "linux-hardened-4.14.194.a.patch",
-        "sha256": "07z3lr3mbm6c95d7fra2qp071n1c45f9241cl19zs63g00avi11p",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.194.a/linux-hardened-4.14.194.a.patch"
+        "extra": "-hardened1",
+        "name": "linux-hardened-4.14.240-hardened1.patch",
+        "sha256": "0j5zp0f8s4w3f60yam2spg3bx56bdjvv0mh632zlhchz8rdk5zs4",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.240-hardened1/linux-hardened-4.14.240-hardened1.patch"
     },
     "4.19": {
-        "name": "linux-hardened-4.19.141.a.patch",
-        "sha256": "0yiqkkp17pf9r6nakpnqhvmf8awpzp5n27cmh15ril7vn1y71sxw",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.141.a/linux-hardened-4.19.141.a.patch"
+        "extra": "-hardened1",
+        "name": "linux-hardened-4.19.198-hardened1.patch",
+        "sha256": "18c5j00xiwc0xn5klcrwazk6wvjiy3cixbfbrw4xj7zal9r5p6q9",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.198-hardened1/linux-hardened-4.19.198-hardened1.patch"
     },
-    "5.4": {
-        "name": "linux-hardened-5.4.60.a.patch",
-        "sha256": "138kms73rlj5zmsb2ivjzz1jr5aa8y8pmwzx02c7j1qk08v82823",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.60.a/linux-hardened-5.4.60.a.patch"
+    "5.10": {
+        "extra": "-hardened1",
+        "name": "linux-hardened-5.10.52-hardened1.patch",
+        "sha256": "062a32rb1g5xk1npiz9fa114k7g4x9pmygycn3alc0phngjmvr98",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.52-hardened1/linux-hardened-5.10.52-hardened1.patch"
+    },
+    "5.12": {
+        "extra": "-hardened1",
+        "name": "linux-hardened-5.12.19-hardened1.patch",
+        "sha256": "1nr3922gd6il69k5cpp9g3knpy6yjb6jsmpi9k4v02bkvypg86dc",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.12.19-hardened1/linux-hardened-5.12.19-hardened1.patch"
     },
-    "5.7": {
-        "name": "linux-hardened-5.7.17.a.patch",
-        "sha256": "181b473y0hkw076hsndw6nfynr2yhcaypj48iqnk25hzcj40nnaz",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.7.17.a/linux-hardened-5.7.17.a.patch"
+    "5.4": {
+        "extra": "-hardened1",
+        "name": "linux-hardened-5.4.134-hardened1.patch",
+        "sha256": "0iay6dxwd1vqj02ljf0ghncrqpr6b0gby90xiza8kkk8wnh3r9hh",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.134-hardened1/linux-hardened-5.4.134-hardened1.patch"
     }
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
deleted file mode 100644
index ff8a3a12797..00000000000
--- a/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
+++ /dev/null
@@ -1,7 +0,0 @@
-diff --git a/localversion-hardened b/localversion-hardened
-new file mode 100644
-index 0000000000..e578045860
---- /dev/null
-+++ b/localversion-hardened
-@@ -0,0 +1 @@
-+-hardened
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py
index d6443d2e751..e96ac9ca855 100755
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -31,7 +31,7 @@ VersionComponent = Union[int, str]
 Version = List[VersionComponent]
 
 
-Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str})
+Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str})
 
 
 @dataclass
@@ -99,7 +99,10 @@ def verify_openpgp_signature(
             return False
 
 
-def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
+def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
+    release = release_info.release
+    extra = f'-{release_info.version[-1]}'
+
     def find_asset(filename: str) -> str:
         try:
             it: Iterator[str] = (
@@ -130,12 +133,12 @@ def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
     if not sig_ok:
         return None
 
-    return Patch(name=patch_filename, url=patch_url, sha256=sha256)
+    return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra)
 
 
 def parse_version(version_str: str) -> Version:
     version: Version = []
-    for component in version_str.split("."):
+    for component in re.split('\.|\-', version_str):
         try:
             version.append(int(component))
         except ValueError:
@@ -205,7 +208,7 @@ failures = False
 releases = {}
 for release in repo.get_releases():
     version = parse_version(release.tag_name)
-    # needs to look like e.g. 5.6.3.a
+    # needs to look like e.g. 5.6.3-hardened1
     if len(version) < 4:
         continue
 
@@ -252,7 +255,7 @@ for kernel_key in sorted(releases.keys()):
         update = True
 
     if update:
-        patch = fetch_patch(name=name, release=release)
+        patch = fetch_patch(name=name, release_info=release_info)
         if patch is None:
             failures = True
         else:
diff --git a/pkgs/os-specific/linux/kernel/linux-4.14.nix b/pkgs/os-specific/linux/kernel/linux-4.14.nix
index 4807ff7dba4..ccecc433a4a 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.14.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "4.14.194";
+  version = "4.14.240";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1q7ssi2790bqjn8s8ra5ihma70hmxykahink7iq5h78738id191y";
+    sha256 = "1k65qwzlnqnh9ym0n2fxpa8nk2qwvykwhwgaixk3b7ndzmr8b6c8";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_14 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.19.nix b/pkgs/os-specific/linux/kernel/linux-4.19.nix
index e0c9c69061a..4ed06ee2205 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.19.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "4.19.141";
+  version = "4.19.198";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0511vb9rfpy5l6cz69v0v97rw2rk2pscc4hkz2pfmgikagm1shm4";
+    sha256 = "13k0r6a4n8nbni64a18wqzy0pg4vn1zw2li78xrm78rqcrnah85y";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_19 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index 033599900ff..6c2595386e0 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -1,11 +1,14 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
+{ buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.4.233";
+  version = "4.4.276";
   extraMeta.branch = "4.4";
+  extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1z77dikgkvkp9ggwxp07hl8vxsf9kq57rhfdpbvhny1x13fqkrlp";
+    sha256 = "1hf9h5kr1ws2lvinzq6cv7aps8af1kx4q8j4bsk2vv4i2zvmfr7y";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_4 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix
index c1da330e4ae..0dc5cfeae6e 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@@ -1,11 +1,14 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
+{ buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.9.233";
+  version = "4.9.276";
   extraMeta.branch = "4.9";
+  extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "19dcwylhy5iqq3dmppqf7s9wy9d16m103djn1n183c9acnqclv9a";
+    sha256 = "16jp05jhmqcp8lawqga69gxn1acdkxsskn3a6wf0635863fky3hv";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_9 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.8.nix b/pkgs/os-specific/linux/kernel/linux-5.10.nix
index 44ce98ce65e..f59cca3e12f 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.8.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.10.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "5.8.3";
+  version = "5.10.52";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0y8prifvkywqsx5lk80bh31m505vinmicpvdrirgg0c9scg7x8lf";
+    sha256 = "0ydf09wsg0pkjm9dk8y730ksg15p5rlbhq445zx8k191zah5g7kn";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_10 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.7.nix b/pkgs/os-specific/linux/kernel/linux-5.12.nix
index 8583b3b1628..e1e7aec2ce2 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.7.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.12.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "5.7.17";
+  version = "5.12.19";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "09ajavdyvr0025rwvwfp9yv2z8q779nan1i6dck2kkdxr48kd36c";
+    sha256 = "0wscz736n13m833cd12lskn47r0b8ki4fhgpjnwga0jsab9iqf79";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_12 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.13.nix b/pkgs/os-specific/linux/kernel/linux-5.13.nix
new file mode 100644
index 00000000000..dd97944de78
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-5.13.nix
@@ -0,0 +1,21 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "5.13.5";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "0lqh7krxxnbrvr3w1kag92z9r4n9436fr6answjkjfbvw0z7q74m";
+  };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_13 ];
+} // (args.argsOverride or { }))
+
diff --git a/pkgs/os-specific/linux/kernel/linux-5.4.nix b/pkgs/os-specific/linux/kernel/linux-5.4.nix
index 1c903902b61..c4e08b685b5 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "5.4.60";
+  version = "5.4.134";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "08x2a78n23371k7l5p677mihnl58dpjh7r7bvyiwj3y4hlisplmd";
+    sha256 = "0haqw1w6f8p330ydbsl7iml1x0qqrv63az6921p2a70n88b8dyy9";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_4 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix b/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
index ba37c71d134..a64520ab893 100644
--- a/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
@@ -1,4 +1,4 @@
-{ stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, libelf, utillinux, ... } @ args:
+{ buildPackages, fetchFromGitHub, perl, buildLinux, libelf, util-linux, ... } @ args:
 
 buildLinux (args // rec {
   version = "4.14.165-172";
diff --git a/pkgs/os-specific/linux/kernel/linux-libre.nix b/pkgs/os-specific/linux/kernel/linux-libre.nix
index d3ea80ecb22..f02c1ad1250 100644
--- a/pkgs/os-specific/linux/kernel/linux-libre.nix
+++ b/pkgs/os-specific/linux/kernel/linux-libre.nix
@@ -1,8 +1,8 @@
 { stdenv, lib, fetchsvn, linux
 , scripts ? fetchsvn {
     url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
-    rev = "17624";
-    sha256 = "0gs3mpiffny408l9kdrxpj48axarfb2fxvcw4w8zsz5wr7yig0n2";
+    rev = "18191";
+    sha256 = "0ggaccg7z540kh5if48v6sjy39xllzvznqx5srvrlycrs2r89iyr";
   }
 , ...
 }:
@@ -17,6 +17,7 @@ let
 in linux.override {
   argsOverride = {
     modDirVersion = "${linux.modDirVersion}-gnu";
+    isLibre = true;
 
     src = stdenv.mkDerivation {
       name = "${linux.name}-libre-src";
@@ -34,6 +35,8 @@ in linux.override {
       '';
     };
 
+    extraMeta.broken = true;
+
     passthru.updateScript = ./update-libre.sh;
 
     maintainers = [ lib.maintainers.qyliss ];
diff --git a/pkgs/os-specific/linux/kernel/linux-lqx.nix b/pkgs/os-specific/linux/kernel/linux-lqx.nix
new file mode 100644
index 00000000000..23a6b0b2d36
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-lqx.nix
@@ -0,0 +1,26 @@
+{ lib, fetchFromGitHub, buildLinux, linux_zen, ... } @ args:
+
+let
+  version = "5.12.19";
+  suffix = "lqx2";
+in
+
+buildLinux (args // {
+  modDirVersion = "${version}-${suffix}";
+  inherit version;
+  isZen = true;
+
+  src = fetchFromGitHub {
+    owner = "zen-kernel";
+    repo = "zen-kernel";
+    rev = "v${version}-${suffix}";
+    sha256 = "sha256-r2DvKLlm1a1VuJwC81tRuRwCd6H21T3MsBAC3b9TUbs=";
+  };
+
+  extraMeta = {
+    branch = "5.12/master";
+    maintainers = with lib.maintainers; [ atemu ];
+    description = linux_zen.meta.description + " (Same as linux_zen but less aggressive release schedule)";
+  };
+
+} // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp-94.nix b/pkgs/os-specific/linux/kernel/linux-mptcp-94.nix
deleted file mode 100644
index e53c3ceb5c4..00000000000
--- a/pkgs/os-specific/linux/kernel/linux-mptcp-94.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, structuredExtraConfig ? {}, ... } @ args:
-let
-  mptcpVersion = "0.94.6";
-  modDirVersion = "4.14.127";
-in
-buildLinux ({
-  version = "${modDirVersion}-mptcp_v${mptcpVersion}";
-  inherit modDirVersion;
-
-  extraMeta = {
-    branch = "4.4";
-    maintainers = with stdenv.lib.maintainers; [ teto layus ];
-  };
-
-  src = fetchFromGitHub {
-    owner = "multipath-tcp";
-    repo = "mptcp";
-    rev = "v${mptcpVersion}";
-    sha256 = "071cx9205wpzhi5gc2da79w2abs3czd60jg0xml7j1szc5wl4yfn";
-  };
-
-  structuredExtraConfig = stdenv.lib.mkMerge [
-    (import ./mptcp-config.nix { inherit stdenv; })
-    structuredExtraConfig
-  ];
-} // args)
diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix b/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
index ad933ff63a7..a6a8d4936d4 100644
--- a/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
+++ b/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
@@ -1,7 +1,7 @@
-{ stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, structuredExtraConfig ? {}, ... } @ args:
+{ lib, buildPackages, fetchFromGitHub, perl, buildLinux, structuredExtraConfig ? {}, ... } @ args:
 let
-  mptcpVersion = "0.95";
-  modDirVersion = "4.19.55";
+  mptcpVersion = "0.95.1";
+  modDirVersion = "4.19.126";
 in
 buildLinux ({
   version = "${modDirVersion}-mptcp_v${mptcpVersion}";
@@ -9,18 +9,18 @@ buildLinux ({
 
   extraMeta = {
     branch = "4.19";
-    maintainers = with stdenv.lib.maintainers; [ teto layus ];
+    maintainers = with lib.maintainers; [ teto layus ];
   };
 
   src = fetchFromGitHub {
     owner = "multipath-tcp";
     repo = "mptcp";
     rev = "v${mptcpVersion}";
-    sha256 = "04a66iq5vsiz8mkpszfxmqknz7y4w3lsckrcz6q1syjpk0pdyiyw";
+    sha256 = "sha256-J9UXhkI49cq83EtojLHieRtp8fT3LXTJNIqb+mUwZdM=";
   };
 
-  structuredExtraConfig = stdenv.lib.mkMerge [
-    (import ./mptcp-config.nix { inherit stdenv; })
+  structuredExtraConfig = lib.mkMerge [
+    (import ./mptcp-config.nix { inherit lib; })
     structuredExtraConfig
   ];
 
diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix
index a3d2bfd4836..8ccf46b402b 100644
--- a/pkgs/os-specific/linux/kernel/linux-rpi.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix
@@ -1,8 +1,9 @@
 { stdenv, lib, buildPackages, fetchFromGitHub, perl, buildLinux, rpiVersion, ... } @ args:
 
 let
-  modDirVersion = "4.19.118";
-  tag = "1.20200601";
+  # NOTE: raspberrypifw & raspberryPiWirelessFirmware should be updated with this
+  modDirVersion = "5.10.17";
+  tag = "1.20210303";
 in
 lib.overrideDerivation (buildLinux (args // {
   version = "${modDirVersion}-${tag}";
@@ -12,7 +13,7 @@ lib.overrideDerivation (buildLinux (args // {
     owner = "raspberrypi";
     repo = "linux";
     rev = "raspberrypi-kernel_${tag}-1";
-    sha256 = "11jzsmnd1qry2ir9vmsv0nfdzjpgkn5yab5ylxcz406plc073anp";
+    sha256 = "0ffsllayl18ka4mgp4rdy9h0da5gy1n6g0kfvinvzdzabb5wzvrx";
   };
 
   defconfig = {
@@ -26,6 +27,14 @@ lib.overrideDerivation (buildLinux (args // {
     efiBootStub = false;
   } // (args.features or {});
 
+  extraConfig = ''
+    # ../drivers/gpu/drm/ast/ast_mode.c:851:18: error: initialization of 'void (*)(struct drm_crtc *, struct drm_atomic_state *)' from incompatible pointer type 'void (*)(struct drm_crtc *, struct drm_crtc_state *)' [-Werror=incompatible-pointer-types]
+    #   851 |  .atomic_flush = ast_crtc_helper_atomic_flush,
+    #       |                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # ../drivers/gpu/drm/ast/ast_mode.c:851:18: note: (near initialization for 'ast_crtc_helper_funcs.atomic_flush')
+    DRM_AST n
+  '';
+
   extraMeta = if (rpiVersion < 3) then {
     platforms = with lib.platforms; [ arm ];
     hydraPlatforms = [];
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
new file mode 100644
index 00000000000..83b2fc05093
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
@@ -0,0 +1,45 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.10.52-rt47"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  # modDirVersion needs a patch number, change X.Y-rtZ to X.Y.0-rtZ.
+  modDirVersion = if (builtins.match "[^.]*[.][^.]*-.*" version) == null then version
+    else lib.replaceStrings ["-"] [".0-"] version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "0ydf09wsg0pkjm9dk8y730ksg15p5rlbhq445zx8k191zah5g7kn";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "1n71nbshma0gxyrifyymrd0wii1q0plj020amc0wdzzm27xs5k2k";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.11.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.11.nix
new file mode 100644
index 00000000000..5d1b14f1d0f
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.11.nix
@@ -0,0 +1,45 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.11.4-rt11"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  # modDirVersion needs a patch number, change X.Y-rtZ to X.Y.0-rtZ.
+  modDirVersion = if (builtins.match "[^.]*[.][^.]*-.*" version) == null then version
+    else lib.replaceStrings ["-"] [".0-"] version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "1i8dfw83ndaylwji7lazfckk113plvnz7kh1yppbfg35r6przrc8";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "1az6cn9jj3bnjgwzzrjy1adnrnn06p2vzsnc1iib4xhs0sfr27hc";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
new file mode 100644
index 00000000000..4c49dc9c42a
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
@@ -0,0 +1,41 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.4.129-rt61"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "1ps64gx85lmbriq445hd2hcv4g4b1d1cwf4r3nd90x6i2cj4c9j4";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "0b3hp6a7afkjqd7an4hj423nq6flwzd42kjcyk4pifv5fx6c7pgq";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
index 456913c5e6d..a12633eb6d7 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
@@ -1,22 +1,33 @@
-{ stdenv, buildPackages, fetchgit, fetchpatch, perl, buildLinux, ... } @ args:
+{ lib
+, fetchpatch
+, kernel
+, date ? "2021-07-08"
+, commit ? "3693b2ca83ff9eda49660b31299d2bebe3a1075f"
+, diffHash ? "1sfq3vwc2kxa761s292f2cqrm0vvqvkdx6drpyn5yaxwnapwidcw"
+, kernelPatches # must always be defined in bcachefs' all-packages.nix entry because it's also a top-level attribute supplied by callPackage
+, argsOverride ? {}
+, ...
+} @ args:
 
-buildLinux (args // {
-  version = "5.3.2020.04.04";
-  modDirVersion = "5.3.0";
+kernel.override ( args // {
 
-  src = fetchgit {
-    url = "https://evilpiepirate.org/git/bcachefs.git";
-    rev = "a27d7265e75f6d65c2b972ce4ac27abfc153c230";
-    sha256 = "0wnjl4xs7073d5ipcsplv5qpcxb7zpfqd5gqvh3mhqc5j3qn816x";
-  };
+  argsOverride = {
+    version = "${kernel.version}-bcachefs-unstable-${date}";
+    extraMeta = {
+      branch = "master";
+      maintainers = with lib.maintainers; [ davidak chiiruno ];
+      platforms = [ "x86_64-linux" ];
+    };
+  } // argsOverride;
 
-  extraConfig = "BCACHEFS_FS m";
+  kernelPatches = [ {
+      name = "bcachefs-${commit}";
+      patch = fetchpatch {
+        name = "bcachefs-${commit}.diff";
+        url = "https://evilpiepirate.org/git/bcachefs.git/rawdiff/?id=${commit}&id2=v${lib.versions.majorMinor kernel.version}";
+        sha256 = diffHash;
+      };
+      extraConfig = "BCACHEFS_FS m";
+    } ] ++ kernelPatches;
 
-  extraMeta = {
-    branch = "master";
-    hydraPlatforms = []; # Should the testing kernels ever be built on Hydra?
-    maintainers = with stdenv.lib.maintainers; [ davidak chiiruno ];
-    platforms = [ "x86_64-linux" ];
-  };
-
-} // (args.argsOverride or {}))
+})
diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix
index cf2ca99f6f5..4e2ef7b4652 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -1,19 +1,21 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "5.9-rc2";
-  extraMeta.branch = "5.9";
+  version = "5.13-rc6";
+  extraMeta.branch = "5.12";
 
   # modDirVersion needs to be x.y.z, will always add .0
   modDirVersion = if (modDirVersionArg == null) then builtins.replaceStrings ["-"] [".0-"] version else modDirVersionArg;
 
   src = fetchurl {
     url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz";
-    sha256 = "0mdh6gsd305kcgfqzyfgl5m886asjm5030ahg63gyias3ywzn5wd";
+    sha256 = "sha256-PunFd6tOsmrsPItp2QX4TEVxHnvvi1BMSwWio/DTlMU=";
   };
 
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_testing ];
+
   # Should the testing kernels ever be built on Hydra?
   extraMeta.hydraPlatforms = [];
 
diff --git a/pkgs/os-specific/linux/kernel/linux-xanmod.nix b/pkgs/os-specific/linux/kernel/linux-xanmod.nix
new file mode 100644
index 00000000000..701f5d3b104
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-xanmod.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv, buildLinux, fetchFromGitHub, ... } @ args:
+
+let
+  version = "5.13.5";
+  suffix = "xanmod1-cacule";
+in
+buildLinux (args // rec {
+  inherit version;
+  modDirVersion = "${version}-${suffix}";
+
+  src = fetchFromGitHub {
+    owner = "xanmod";
+    repo = "linux";
+    rev = modDirVersion;
+    sha256 = "sha256-Vhshu3mNkQ58TEOUBOuF7jLBlablxg/BioUyd96lI5g=";
+  };
+
+  structuredExtraConfig = with lib.kernel; {
+    # Preemptive Full Tickless Kernel at 500Hz
+    PREEMPT_VOLUNTARY = lib.mkForce no;
+    PREEMPT = lib.mkForce yes;
+    NO_HZ_FULL = yes;
+    HZ_500 = yes;
+
+    # Google's Multigenerational LRU Framework
+    LRU_GEN = yes;
+    LRU_GEN_ENABLED = yes;
+
+    # Google's BBRv2 TCP congestion Control
+    TCP_CONG_BBR2 = yes;
+    DEFAULT_BBR2 = yes;
+
+    # FQ-PIE Packet Scheduling
+    NET_SCH_DEFAULT = yes;
+    DEFAULT_FQ_PIE = yes;
+
+    # Graysky's additional CPU optimizations
+    CC_OPTIMIZE_FOR_PERFORMANCE_O3 = yes;
+
+    # Android Ashmem and Binder IPC Driver as module for Anbox
+    ASHMEM = module;
+    ANDROID = yes;
+    ANDROID_BINDER_IPC = module;
+    ANDROID_BINDERFS = module;
+    ANDROID_BINDER_DEVICES = freeform "binder,hwbinder,vndbinder";
+  };
+
+  extraMeta = {
+    branch = "5.13-cacule";
+    maintainers = with lib.maintainers; [ fortuneteller2k ];
+    description = "Built with custom settings and new features built to provide a stable, responsive and smooth desktop experience";
+    broken = stdenv.isAarch64;
+  };
+} // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-zen.nix b/pkgs/os-specific/linux/kernel/linux-zen.nix
index c7d14a45068..caf65508210 100644
--- a/pkgs/os-specific/linux/kernel/linux-zen.nix
+++ b/pkgs/os-specific/linux/kernel/linux-zen.nix
@@ -1,23 +1,26 @@
-{ stdenv, fetchFromGitHub, buildLinux, ... } @ args:
+{ lib, fetchFromGitHub, buildLinux, ... } @ args:
 
 let
-  version = "5.8.1";
+  version = "5.12.19";
+  suffix = "zen2";
 in
 
 buildLinux (args // {
-  modDirVersion = "${version}-zen1";
+  modDirVersion = "${version}-${suffix}";
   inherit version;
+  isZen = true;
 
   src = fetchFromGitHub {
     owner = "zen-kernel";
     repo = "zen-kernel";
-    rev = "v${version}-zen1";
-    sha256 = "122q09d0sybi9lqlaxpq6ffc0ha9127bg3wzjync256lbj5394b7";
+    rev = "v${version}-${suffix}";
+    sha256 = "sha256-l+KIlaXoq/Nzf7mUom9DUjaAsn7UxeKGL6MbYN7mBZk=";
   };
 
   extraMeta = {
-    branch = "5.8/master";
-    maintainers = with stdenv.lib.maintainers; [ atemu ];
+    branch = "5.12/master";
+    maintainers = with lib.maintainers; [ atemu andresilva ];
+    description = "Built using the best configuration and kernel sources for desktop, multimedia, and gaming workloads.";
   };
 
-} // (args.argsOverride or {}))
+} // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 3a2682b2cfe..77add0aef53 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -1,6 +1,5 @@
-{ buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl
-, libelf, cpio, elfutils
-, utillinuxMinimal
+{ lib, buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl
+, libelf, cpio, elfutils, zstd, gawk, python3Minimal
 , writeTextFile
 }:
 
@@ -15,10 +14,13 @@ let
     echo "}" >> $out
   '').outPath;
 in {
+  lib,
   # Allow overriding stdenv on each buildLinux call
   stdenv,
   # The kernel version
   version,
+  # Additional kernel make flags
+  extraMakeFlags ? [],
   # The version of the kernel module directory
   modDirVersion ? version,
   # The kernel source (tarball, git checkout, etc.)
@@ -29,12 +31,18 @@ in {
   configfile,
   # Manually specified nixexpr representing the config
   # If unspecified, this will be autodetected from the .config
-  config ? stdenv.lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
+  config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
   # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
   # automatically extended with extra per-version and per-config values.
   randstructSeed ? "",
   # Use defaultMeta // extraMeta
   extraMeta ? {},
+
+  # for module compatibility
+  isZen      ? false,
+  isLibre    ? false,
+  isHardened ? false,
+
   # Whether to utilize the controversial import-from-derivation feature to parse the config
   allowImportFromDerivation ? false,
   # ignored
@@ -42,11 +50,11 @@ in {
 }:
 
 let
-  inherit (stdenv.lib)
+  inherit (lib)
     hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms;
 
   # Dependencies that are required to build kernel modules
-  moduleBuildDependencies = optional (stdenv.lib.versionAtLeast version "4.14") libelf;
+  moduleBuildDependencies = optional (lib.versionAtLeast version "4.14") libelf;
 
   installkernel = writeTextFile { name = "installkernel"; executable=true; text = ''
     #!${stdenv.shell} -e
@@ -57,10 +65,10 @@ let
 
   commonMakeFlags = [
     "O=$(buildRoot)"
-  ] ++ stdenv.lib.optionals (stdenv.hostPlatform.platform ? kernelMakeFlags)
-    stdenv.hostPlatform.platform.kernelMakeFlags;
+  ] ++ lib.optionals (stdenv.hostPlatform.linux-kernel ? makeFlags)
+    stdenv.hostPlatform.linux-kernel.makeFlags;
 
-  drvAttrs = config_: platform: kernelPatches: configfile:
+  drvAttrs = config_: kernelConf: kernelPatches: configfile:
     let
       config = let attrName = attr: "CONFIG_" + attr; in {
         isSet = attr: hasAttr (attrName attr) config;
@@ -82,11 +90,15 @@ let
 
       installsFirmware = (config.isEnabled "FW_LOADER") &&
         (isModular || (config.isDisabled "FIRMWARE_IN_KERNEL")) &&
-        (stdenv.lib.versionOlder version "4.14");
+        (lib.versionOlder version "4.14");
     in (optionalAttrs isModular { outputs = [ "out" "dev" ]; }) // {
       passthru = {
         inherit version modDirVersion config kernelPatches configfile
           moduleBuildDependencies stdenv;
+        inherit isZen isHardened isLibre;
+        isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
+        kernelOlder = lib.versionOlder version;
+        kernelAtLeast = lib.versionAtLeast version;
       };
 
       inherit src;
@@ -94,9 +106,9 @@ let
       patches =
         map (p: p.patch) kernelPatches
         # Required for deterministic builds along with some postPatch magic.
-        ++ optional (stdenv.lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch
+        ++ optional (lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch
         # Fixes determinism by normalizing metadata for the archive of kheaders
-        ++ optional (stdenv.lib.versionAtLeast version "5.2" && stdenv.lib.versionOlder version "5.4") ./gen-kheaders-metadata.patch;
+        ++ optional (lib.versionAtLeast version "5.2" && lib.versionOlder version "5.4") ./gen-kheaders-metadata.patch;
 
       prePatch = ''
         for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do
@@ -104,7 +116,14 @@ let
             sed -i "$mf" -e 's|/usr/bin/||g ; s|/bin/||g ; s|/sbin/||g'
         done
         sed -i Makefile -e 's|= depmod|= ${buildPackages.kmod}/bin/depmod|'
-        sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|"
+
+        # Don't include a (random) NT_GNU_BUILD_ID, to make the build more deterministic.
+        # This way kernels can be bit-by-bit reproducible depending on settings
+        # (e.g. MODULE_SIG and SECURITY_LOCKDOWN_LSM need to be disabled).
+        # See also https://kernelnewbies.org/BuildId
+        sed -i Makefile -e 's|--build-id=[^ ]*|--build-id=none|'
+
+        patchShebangs scripts
       '';
 
       postPatch = ''
@@ -154,9 +173,11 @@ let
 
       buildFlags = [
         "KBUILD_BUILD_VERSION=1-NixOS"
-        platform.kernelTarget
+        kernelConf.target
         "vmlinux"  # for "perf" and things like that
-      ] ++ optional isModular "modules";
+      ]
+      ++ optional isModular "modules"
+      ++ extraMakeFlags;
 
       installFlags = [
         "INSTALLKERNEL=${installkernel}"
@@ -169,16 +190,16 @@ let
       '';
 
       # Some image types need special install targets (e.g. uImage is installed with make uinstall)
-      installTargets = [ (
-        if platform ? kernelInstallTarget then platform.kernelInstallTarget
-        else if platform.kernelTarget == "uImage" then "uinstall"
-        else if platform.kernelTarget == "zImage" || platform.kernelTarget == "Image.gz" then "zinstall"
-        else "install"
-      ) ];
+      installTargets = [
+        (kernelConf.installTarget or (
+          /**/ if kernelConf.target == "uImage" then "uinstall"
+          else if kernelConf.target == "zImage" || kernelConf.target == "Image.gz" then "zinstall"
+          else "install"))
+      ];
 
       postInstall = (optionalString installsFirmware ''
         mkdir -p $out/lib/firmware
-      '') + (if (platform ? kernelDTB && platform.kernelDTB) then ''
+      '') + (if (kernelConf.DTB or false) then ''
         make $makeFlags "''${makeFlagsArray[@]}" dtbs dtbs_install INSTALL_DTBS_PATH=$out/dtbs
       '' else "") + (if isModular then ''
         mkdir -p $dev
@@ -234,10 +255,10 @@ let
         rm -fR drivers
 
         # Keep all headers
-        find .  -type f -name '*.h' -print0 | xargs -0 chmod u-w
+        find .  -type f -name '*.h' -print0 | xargs -0 -r chmod u-w
 
         # Keep linker scripts (they are required for out-of-tree modules on aarch64)
-        find .  -type f -name '*.lds' -print0 | xargs -0 chmod u-w
+        find .  -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w
 
         # Keep root and arch-specific Makefiles
         chmod u-w Makefile
@@ -247,7 +268,7 @@ let
         chmod u-w -R scripts
 
         # Delete everything not kept
-        find . -type f -perm -u=w -print0 | xargs -0 rm
+        find . -type f -perm -u=w -print0 | xargs -0 -r rm
 
         # Delete empty directories
         find -empty -type d -delete
@@ -266,9 +287,9 @@ let
           "The Linux kernel" +
           (if kernelPatches == [] then "" else
             " (with patches: "
-            + stdenv.lib.concatStringsSep ", " (map (x: x.name) kernelPatches)
+            + lib.concatStringsSep ", " (map (x: x.name) kernelPatches)
             + ")");
-        license = stdenv.lib.licenses.gpl2;
+        license = lib.licenses.gpl2Only;
         homepage = "https://www.kernel.org/";
         repositories.git = "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git";
         maintainers = [
@@ -280,24 +301,23 @@ let
     };
 in
 
-assert (stdenv.lib.versionAtLeast version "4.14" && stdenv.lib.versionOlder version "5.8") -> libelf != null;
-assert stdenv.lib.versionAtLeast version "4.15" -> utillinuxMinimal != null;
-assert stdenv.lib.versionAtLeast version "5.8" -> elfutils != null;
+assert (lib.versionAtLeast version "4.14" && lib.versionOlder version "5.8") -> libelf != null;
+assert lib.versionAtLeast version "5.8" -> elfutils != null;
 
-stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.platform kernelPatches configfile) // {
+stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile) // {
   pname = "linux";
   inherit version;
 
   enableParallelBuilding = true;
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr ]
-      ++ optional  (stdenv.hostPlatform.platform.kernelTarget == "uImage") buildPackages.ubootTools
-      ++ optional  (stdenv.lib.versionAtLeast version "4.14" && stdenv.lib.versionOlder version "5.8") libelf
-      ++ optional  (stdenv.lib.versionAtLeast version "4.15") utillinuxMinimal
-      ++ optionals (stdenv.lib.versionAtLeast version "4.16") [ bison flex ]
-      ++ optional  (stdenv.lib.versionAtLeast version "5.2")  cpio
-      ++ optional  (stdenv.lib.versionAtLeast version "5.8")  elfutils
+  nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr gawk zstd python3Minimal ]
+      ++ optional  (stdenv.hostPlatform.linux-kernel.target == "uImage") buildPackages.ubootTools
+      ++ optional  (lib.versionAtLeast version "4.14" && lib.versionOlder version "5.8") libelf
+      # Removed util-linuxMinimal since it should not be a dependency.
+      ++ optionals (lib.versionAtLeast version "4.16") [ bison flex ]
+      ++ optional  (lib.versionAtLeast version "5.2")  cpio
+      ++ optional  (lib.versionAtLeast version "5.8")  elfutils
       ;
 
   hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ];
@@ -306,10 +326,10 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.platform kernelPatches
   makeFlags = commonMakeFlags ++ [
     "CC=${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc"
     "HOSTCC=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc"
-    "ARCH=${stdenv.hostPlatform.platform.kernelArch}"
-  ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
     "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
-  ];
+  ] ++ extraMakeFlags;
 
-  karch = stdenv.hostPlatform.platform.kernelArch;
+  karch = stdenv.hostPlatform.linuxArch;
 })
diff --git a/pkgs/os-specific/linux/kernel/mptcp-config.nix b/pkgs/os-specific/linux/kernel/mptcp-config.nix
index 9752e63d9f9..59b11167ac2 100644
--- a/pkgs/os-specific/linux/kernel/mptcp-config.nix
+++ b/pkgs/os-specific/linux/kernel/mptcp-config.nix
@@ -1,5 +1,5 @@
-{ stdenv }:
-with stdenv.lib.kernel;
+{ lib }:
+with lib.kernel;
 {
     # DRM_AMDGPU = yes;
 
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 678cec34b70..f41cedca0f6 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -1,6 +1,19 @@
 { lib, fetchpatch, fetchurl }:
 
 {
+  ath_regd_optional = rec {
+    name = "ath_regd_optional";
+    patch = fetchpatch {
+      name = name + ".patch";
+      url = "https://github.com/openwrt/openwrt/raw/ed2015c38617ed6624471e77f27fbb0c58c8c660/package/kernel/mac80211/patches/ath/402-ath_regd_optional.patch";
+      sha256 = "1ssDXSweHhF+pMZyd6kSrzeW60eb6MO6tlf0il17RC0=";
+      postFetch = ''
+        sed -i 's/CPTCFG_/CONFIG_/g' $out
+        sed -i '/--- a\/local-symbols/,$d' $out
+      '';
+    };
+  };
+
   bridge_stp_helper =
     { name = "bridge-stp-helper";
       patch = ./bridge-stp-helper.patch;
@@ -33,15 +46,11 @@
 
   cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches;
 
-  tag_hardened = {
-    name = "tag-hardened";
-    patch = ./hardened/tag-hardened.patch;
-  };
-
   hardened = let
     mkPatch = kernelVersion: src: {
       name = lib.removeSuffix ".patch" src.name;
-      patch = fetchurl src;
+      patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src);
+      extra = src.extra;
     };
     patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
   in lib.mapAttrs mkPatch patches;
@@ -76,6 +85,18 @@
     };
   };
 
+  # Adapted for Linux 5.4 from:
+  # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=04896832c94aae4842100cafb8d3a73e1bed3a45
+  rtl8761b_support =
+    { name = "rtl8761b-support";
+      patch = ./rtl8761b-support.patch;
+    };
+
+  export-rt-sched-migrate = {
+    name = "export-rt-sched-migrate";
+    patch = ./export-rt-sched-migrate.patch;
+  };
+
   # patches from https://lkml.org/lkml/2019/7/15/1748
   mac_nvme_t2 = rec {
     name = "mac_nvme_t2";
diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix
index a3558244297..b58bca352e6 100644
--- a/pkgs/os-specific/linux/kernel/perf.nix
+++ b/pkgs/os-specific/linux/kernel/perf.nix
@@ -1,12 +1,14 @@
 { lib, stdenv, kernel, elfutils, python2, python3, perl, newt, slang, asciidoc, xmlto, makeWrapper
-, docbook_xsl, docbook_xml_dtd_45, libxslt, flex, bison, pkgconfig, libunwind, binutils
+, docbook_xsl, docbook_xml_dtd_45, libxslt, flex, bison, pkg-config, libunwind, binutils
 , libiberty, audit, libbfd, libopcodes, openssl, systemtap, numactl
-, zlib, withGtk ? false, gtk2 ? null
+, zlib
+, withGtk ? false, gtk2
+, withZstd ? true, zstd
+, withLibcap ? true, libcap
 }:
 
 with lib;
 
-assert withGtk -> gtk2 != null;
 assert versionAtLeast kernel.version "3.12";
 
 stdenv.mkDerivation {
@@ -36,13 +38,15 @@ stdenv.mkDerivation {
   # perf refers both to newt and slang
   nativeBuildInputs = [
     asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt
-    flex bison libiberty audit makeWrapper pkgconfig python3
+    flex bison libiberty audit makeWrapper pkg-config python3
   ];
   buildInputs = [
     elfutils newt slang libunwind libbfd zlib openssl systemtap.stapBuild numactl
     libopcodes python3 perl
-  ] ++ stdenv.lib.optional withGtk gtk2
-    ++ (if (versionAtLeast kernel.version "4.19") then [ python3 ] else [ python2 ]);
+  ] ++ lib.optional withGtk gtk2
+    ++ (if (versionAtLeast kernel.version "4.19") then [ python3 ] else [ python2 ])
+    ++ lib.optional withZstd zstd
+    ++ lib.optional withLibcap libcap;
 
   # Note: we don't add elfutils to buildInputs, since it provides a
   # bad `ld' and other stuff.
@@ -55,7 +59,7 @@ stdenv.mkDerivation {
   ];
 
   postPatch = ''
-    patchShebangs scripts/bpf_helpers_doc.py
+    patchShebangs scripts
   '';
 
   doCheck = false; # requires "sparse"
@@ -72,7 +76,8 @@ stdenv.mkDerivation {
   meta = {
     homepage = "https://perf.wiki.kernel.org/";
     description = "Linux tools to profile with performance counters";
-    maintainers = with stdenv.lib.maintainers; [viric];
-    platforms = with stdenv.lib.platforms; linux;
+    maintainers = with lib.maintainers; [viric];
+    platforms = with lib.platforms; linux;
+    broken = kernel.kernelOlder "5";
   };
 }
diff --git a/pkgs/os-specific/linux/kernel/rtl8761b-support.patch b/pkgs/os-specific/linux/kernel/rtl8761b-support.patch
new file mode 100644
index 00000000000..b6d80d5bc8d
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/rtl8761b-support.patch
@@ -0,0 +1,33 @@
+diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
+index 67f4bc21e7c5..3a9afc905f24 100644
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -130,12 +130,19 @@  static const struct id_table ic_id_table[] = {
+ 	  .cfg_name = "rtl_bt/rtl8821c_config" },
+
+ 	/* 8761A */
+-	{ IC_MATCH_FL_LMPSUBV, RTL_ROM_LMP_8761A, 0x0,
++	{ IC_INFO(RTL_ROM_LMP_8761A, 0xa),
+ 	  .config_needed = false,
+ 	  .has_rom_version = true,
+ 	  .fw_name  = "rtl_bt/rtl8761a_fw.bin",
+ 	  .cfg_name = "rtl_bt/rtl8761a_config" },
+
++	/* 8761B */
++	{ IC_INFO(RTL_ROM_LMP_8761A, 0xb),
++	  .config_needed = false,
++	  .has_rom_version = true,
++	  .fw_name  = "rtl_bt/rtl8761b_fw.bin",
++	  .cfg_name = "rtl_bt/rtl8761b_config" },
++
+	/* 8822C with USB interface */
+	{ IC_INFO(RTL_ROM_LMP_8822B, 0xc),
+	  .config_needed = false,
+@@ -251,6 +258,7 @@  static int rtlbt_parse_firmware(struct hci_dev *hdev,
+ 		{ RTL_ROM_LMP_8723B, 9 },	/* 8723D */
+ 		{ RTL_ROM_LMP_8821A, 10 },	/* 8821C */
+ 		{ RTL_ROM_LMP_8822B, 13 },	/* 8822C */
++		{ RTL_ROM_LMP_8761A, 14 },	/* 8761B */
+ 	};
+
+ 	min_size = sizeof(struct rtl_epatch_header) + sizeof(extension_sig) + 3;
diff --git a/pkgs/os-specific/linux/kernel/update-rt.sh b/pkgs/os-specific/linux/kernel/update-rt.sh
new file mode 100755
index 00000000000..ccb01793342
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/update-rt.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# To update all rt kernels run: ./update-rt.sh
+
+# To update just one ./linux-rt-5.X.nix run: ./update-rt.sh ./linux-rt-5.X.nix
+
+# To add a new kernel branch 5.Y run: ./update-rt.sh ./linux-rt-5.Y.nix
+# (with nonexistent .nix file) and update all-packages.nix.
+
+# To commit run with: env COMMIT=1
+
+mirror=https://kernel.org/pub/linux/kernel
+
+main() {
+    if [ $# -ge 1 ]; then
+        update-if-needed "$1"
+    else
+        update-all-if-needed
+    fi
+}
+
+update-all-if-needed() {
+    for f in "$(dirname "$0")"/linux-rt-*.nix; do
+        update-if-needed "$f"
+    done
+}
+
+file-version() {
+    file="$1" # e.g. ./linux-rt-5.4.nix
+    if [ -e "$file" ]; then
+        grep ' version = ' "$file" | grep -o '[0-9].[^"]*'
+    fi
+}
+
+latest-rt-version() {
+    branch="$1" # e.g. 5.4
+    curl -sL "$mirror/projects/rt/$branch/sha256sums.asc" |
+        sed -ne '/.patch.xz/ { s/.*patch-\(.*\).patch.xz/\1/p}' |
+        grep -v '\-rc' |
+        tail -n 1
+}
+
+update-if-needed() {
+    file="$1" # e.g. ./linux-rt-5.4.nix (created if does not exist)
+    branch=$(basename "$file" .nix) # e.g. linux-rt-5.4
+    branch=${branch#linux-rt-} # e.g. 5.4
+    cur=$(file-version "$file") # e.g. 5.4.59-rt36 or empty
+    new=$(latest-rt-version "$branch") # e.g. 5.4.61-rt37
+    kversion=${new%-*} # e.g. 5.4.61
+    major=${branch%.*} # e.g 5
+    nixattr="linux-rt_${branch/./_}"
+    if [ "$new" = "$cur" ]; then
+        echo "$nixattr: $cur (up-to-date)"
+        return
+    fi
+    khash=$(nix-prefetch-url "$mirror/v${major}.x/linux-${kversion}.tar.xz")
+    phash=$(nix-prefetch-url "$mirror/projects/rt/${branch}/older/patch-${new}.patch.xz")
+    if [ "$cur" ]; then
+        msg="$nixattr: $cur -> $new"
+    else
+        msg="$nixattr: init at $new"
+        prev=$(ls -v "$(dirname "$0")"/linux-rt-*.nix | tail -1)
+        cp "$prev" "$file"
+        cur=$(file-version "$file")
+    fi
+    echo "$msg"
+    sed -i "$file" \
+        -e "s/$cur/$new/" \
+        -e "s|kernel/v[0-9]*|kernel/v$major|" \
+        -e "1,/.patch.xz/ s/sha256 = .*/sha256 = \"$khash\";/" \
+        -e "1,/.patch.xz/! s/sha256 = .*/sha256 = \"$phash\";/"
+    if [ "${COMMIT:-}" ]; then
+        git add "$file"
+        git commit -m "$msg"
+    fi
+}
+
+return 2>/dev/null || main "$@"
diff --git a/pkgs/os-specific/linux/kernel/update.sh b/pkgs/os-specific/linux/kernel/update.sh
index 55fdce06c97..560edced36e 100755
--- a/pkgs/os-specific/linux/kernel/update.sh
+++ b/pkgs/os-specific/linux/kernel/update.sh
@@ -58,6 +58,9 @@ ls $NIXPKGS/pkgs/os-specific/linux/kernel | while read FILE; do
   echo "Updated $OLDVER -> $V"
 done
 
+# Update linux-rt
+COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-rt.sh
+
 # Update linux-libre
 COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh
 
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index a70cb2e087f..21d803e2b72 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, buildPackages, fetchurl, zlib, fetchpatch }:
+{ lib, stdenv, buildPackages, fetchurl, zlib, fetchpatch }:
 
 stdenv.mkDerivation rec {
   pname = "kexec-tools";
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://horms.net/projects/kexec/kexec-tools";
     description = "Tools related to the kexec Linux feature";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/keyutils/default.nix b/pkgs/os-specific/linux/keyutils/default.nix
index 553b0b87f41..71f708e210d 100644
--- a/pkgs/os-specific/linux/keyutils/default.nix
+++ b/pkgs/os-specific/linux/keyutils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 # Note: this package is used for bootstrapping fetchurl, and thus
 # cannot use fetchpatch! All mutable patches (generated by GitHub or
@@ -7,11 +7,11 @@
 
 stdenv.mkDerivation rec {
   pname = "keyutils";
-  version = "1.6.1";
+  version = "1.6.3";
 
   src = fetchurl {
     url = "https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/snapshot/${pname}-${version}.tar.gz";
-    sha256 = "0mzmw8c7gqmqaxm3sa0xki8ycjla47xxhqg0yh17pl00d7ydqw9w";
+    sha256 = "sha256-ph1XBhNq5MBb1I+GGGvP29iN2L1RB+Phlckkz8Gzm7Q=";
   };
 
   patches = [
@@ -23,9 +23,13 @@ stdenv.mkDerivation rec {
     ./conf-symlink.patch
   ];
 
+  makeFlags = lib.optionals stdenv.hostPlatform.isStatic "NO_SOLIB=1";
+
   BUILDDATE = "1970-01-01";
   outputs = [ "out" "lib" "dev" ];
 
+  enableParallelBuilding = true;
+
   installFlags = [
     "ETCDIR=$(out)/etc"
     "BINDIR=$(out)/bin"
@@ -37,7 +41,7 @@ stdenv.mkDerivation rec {
     "USRLIBDIR=$(lib)/lib"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://people.redhat.com/dhowells/keyutils/";
     description = "Tools used to control the Linux kernel key management system";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/kinect-audio-setup/default.nix b/pkgs/os-specific/linux/kinect-audio-setup/default.nix
new file mode 100644
index 00000000000..94ae4806cf2
--- /dev/null
+++ b/pkgs/os-specific/linux/kinect-audio-setup/default.nix
@@ -0,0 +1,91 @@
+{ lib
+, stdenv
+, fetchgit
+, requireFile
+, pkg-config
+, libusb1
+, p7zip
+}:
+
+let
+  # The last known good firmware package to have been tested
+  # by the upstream projet.
+  # The firmware URL is hardcoded in the upstream project's installation script
+  firmwareUrl = "https://download.microsoft.com/download/F/9/9/F99791F2-D5BE-478A-B77A-830AD14950C3/KinectSDK-v1.0-beta2-x86.msi";
+  # The original URL "https://research.microsoft.com/en-us/um/legal/kinectsdk-tou_noncommercial.htm"
+  # redirects to the following url:
+  licenseUrl = "https://www.microsoft.com/en-us/legal/terms-of-use";
+in
+stdenv.mkDerivation rec {
+  pname = "kinect-audio-setup";
+
+  # On update: Make sure that the `firmwareURL` is still in sync with upstream.
+  # If the project structure hasn't changed you can find the URL in the
+  # `kinect_fetch_fw` file in the project source.
+  version = "0.5";
+
+  # This is an MSI or CAB file
+  FIRMWARE = requireFile rec {
+    name = "UACFirmware";
+    sha256 = "08a2vpgd061cmc6h3h8i6qj3sjvjr1fwcnwccwywqypz3icn8xw1";
+    message = ''
+      In order to install the Kinect Audio Firmware, you need to download the
+      non-redistributable firmware from Microsoft.
+      The firmware is available at ${firmwareUrl} and the license at ${licenseUrl} .
+      Save the file as UACFirmware and use "nix-prefetch-url file://\$PWD/UACFirmware" to
+      add it to the Nix store.
+    '';
+  };
+
+  src = fetchgit {
+    url = "git://git.ao2.it/kinect-audio-setup.git";
+    rev = "v${version}";
+    sha256 = "sha256-bFwmWh822KvFwP/0Gu097nF5K2uCwCLMB1RtP7k+Zt0=";
+  };
+
+  # These patches are not upstream because the project has seen no
+  # activity since 2016
+  patches = [
+    ./libusb-1-import-path.patch
+    ./udev-rules-extra-devices.patch
+  ];
+
+  nativeBuildInputs = [ p7zip libusb1 pkg-config ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "DESTDIR=$(out)"
+    "FIRMWARE_PATH=$(out)/lib/firmware/UACFirmware"
+    "LOADER_PATH=$(out)/libexec/kinect_upload_fw"
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+    make -C kinect_upload_fw kinect_upload_fw $makeFlags "''${makeFlagsArray[@]}"
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/libexec/ $out/lib/firmware $out/lib/udev/rules.d
+
+    install -Dm755 kinect_upload_fw/kinect_upload_fw $out/libexec/
+
+    # 7z extract "assume yes on all queries" "only extract/keep files/directories matching UACFIRMWARE.* recursively"
+    7z e -y -r "${FIRMWARE}" "UACFirmware.*" >/dev/null
+    # The filename is bound to change with the Firmware SDK
+    mv UACFirmware.* $out/lib/firmware/UACFirmware
+
+    make install_udev_rules $makeFlags "''${makeFlagsArray[@]}"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Tools to enable audio input from the Microsoft Kinect sensor device";
+    homepage = "https://git.ao2.it/kinect-audio-setup.git";
+    maintainers = with maintainers; [ berbiche ];
+    platforms = platforms.linux;
+    license = licenses.unfree;
+  };
+}
diff --git a/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch b/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch
new file mode 100644
index 00000000000..a0c5ad99f9f
--- /dev/null
+++ b/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch
@@ -0,0 +1,23 @@
+commit 02fd6c4355809e1bff7c66d478e88f30bedde13b
+Author: Nicolas Berbiche <nicolas@normie.dev>
+Date:   Wed May 5 23:14:56 2021 -0400
+
+    fix libusb include for Linux
+
+diff --git a/kinect_upload_fw/kinect_upload_fw.c b/kinect_upload_fw/kinect_upload_fw.c
+index 1bd4102..351c94f 100644
+--- a/kinect_upload_fw/kinect_upload_fw.c
++++ b/kinect_upload_fw/kinect_upload_fw.c
+@@ -35,7 +35,12 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <errno.h>
++
++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(_WIN32)
+ #include <libusb.h>
++#else
++#include <libusb-1.0/libusb.h>
++#endif
+ 
+ #include "endian.h"
+ 
diff --git a/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch b/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch
new file mode 100644
index 00000000000..d58b970c7c0
--- /dev/null
+++ b/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch
@@ -0,0 +1,15 @@
+commit afaaa77b0a03811f86428cf264397b60dd795549
+Author: Nicolas Berbiche <nicolas@normie.dev>
+Date:   Thu May 6 00:10:37 2021 -0400
+
+    Add support for other Kinect device in udev
+
+diff --git a/contrib/55-kinect_audio.rules.in b/contrib/55-kinect_audio.rules.in
+index 25ea713..9e1b69f 100644
+--- a/contrib/55-kinect_audio.rules.in
++++ b/contrib/55-kinect_audio.rules.in
+@@ -1,2 +1,4 @@
+ # Rule to load the Kinect UAC firmware on the "generic" usb device
+ ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="02ad", RUN+="@LOADER_PATH@ @FIRMWARE_PATH@"
++# Rule to load the Kinect UAC firmware on another supported device
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="02bb", RUN+="@LOADER_PATH@ @FIRMWARE_PATH@"
diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix
index a92970726dc..522a74dea01 100644
--- a/pkgs/os-specific/linux/klibc/default.nix
+++ b/pkgs/os-specific/linux/klibc/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, linuxHeaders, perl }:
+{ lib, stdenv, fetchurl, buildPackages, linuxHeaders, perl }:
 
 let
   commonMakeFlags = [
@@ -9,26 +9,28 @@ in
 
 stdenv.mkDerivation rec {
   pname = "klibc";
-  version = "2.0.7";
+  version = "2.0.9";
 
   src = fetchurl {
     url = "mirror://kernel/linux/libs/klibc/2.0/klibc-${version}.tar.xz";
-    sha256 = "08li3aj9bvzabrih98jdxi3m19h85cp53s8cr7cqad42r8vjdvxb";
+    sha256 = "sha256-bcynCJEzINJjCfBbDCv2gHG/EbPa3MTmx9kjg3/CPuE=";
   };
 
   patches = [ ./no-reinstall-kernel-headers.patch ];
 
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
   nativeBuildInputs = [ perl ];
+  strictDeps = true;
 
   hardeningDisable = [ "format" "stackprotector" ];
 
   makeFlags = commonMakeFlags ++ [
-    "KLIBCARCH=${stdenv.hostPlatform.platform.kernelArch}"
+    "KLIBCARCH=${stdenv.hostPlatform.linuxArch}"
     "KLIBCKERNELSRC=${linuxHeaders}"
   ] # TODO(@Ericson2314): We now can get the ABI from
     # `stdenv.hostPlatform.parsed.abi`, is this still a good idea?
-    ++ stdenv.lib.optional (stdenv.hostPlatform.platform.kernelArch == "arm") "CONFIG_AEABI=y"
-    ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) "CROSS_COMPILE=${stdenv.cc.targetPrefix}";
+    ++ lib.optional (stdenv.hostPlatform.linuxArch == "arm") "CONFIG_AEABI=y"
+    ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) "CROSS_COMPILE=${stdenv.cc.targetPrefix}";
 
   # Install static binaries as well.
   postInstall = ''
diff --git a/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix b/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix
index 17f34f9bbd7..1c7ea22b758 100644
--- a/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix
+++ b/pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, gnugrep, findutils }:
+{ lib, stdenv, fetchurl, gnugrep, findutils }:
 
 let
   version = "22-1.1ubuntu1"; # Zesty
@@ -30,7 +30,7 @@ in stdenv.mkDerivation {
       --replace " xargs " " ${findutils}/bin/xargs "
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://packages.ubuntu.com/source/zesty/kmod";
     description = "Linux kernel module blacklists from Ubuntu";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/kmod/darwin.patch b/pkgs/os-specific/linux/kmod/darwin.patch
index 69dbf479f9f..e112e691525 100644
--- a/pkgs/os-specific/linux/kmod/darwin.patch
+++ b/pkgs/os-specific/linux/kmod/darwin.patch
@@ -121,3 +121,15 @@ index fd2028d..ecb0141 100644
  	if (!cwd)
  		return NULL;
  
+--- a/shared/util.h	2018-01-31 18:10:59.000000000 +0100
++++ b/shared/util.h	2020-12-28 19:48:21.000000000 +0100
+@@ -7,6 +7,9 @@
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#ifdef __APPLE__
++#include <libgen.h>
++#endif
+ 
+ #include <shared/macro.h>
+ 
diff --git a/pkgs/os-specific/linux/kmod/default.nix b/pkgs/os-specific/linux/kmod/default.nix
index f1cc4558b05..ef8296cf16f 100644
--- a/pkgs/os-specific/linux/kmod/default.nix
+++ b/pkgs/os-specific/linux/kmod/default.nix
@@ -1,6 +1,7 @@
-{ stdenv, lib, fetchurl, autoreconfHook, pkgconfig
+{ stdenv, lib, fetchurl, autoreconfHook, pkg-config
 , libxslt, xz, elf-header
-, withStatic ? false }:
+, withStatic ? stdenv.hostPlatform.isStatic
+}:
 
 let
   systems = [ "/run/current-system/kernel-modules" "/run/booted-system/kernel-modules" "" ];
@@ -15,7 +16,7 @@ in stdenv.mkDerivation rec {
     sha256 = "035wzfzjx4nwidk747p8n085mgkvy531ppn16krrajx2dkqzply1";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig libxslt ];
+  nativeBuildInputs = [ autoreconfHook pkg-config libxslt ];
   buildInputs = [ xz ] ++ lib.optional stdenv.isDarwin elf-header;
 
   configureFlags = [
@@ -24,7 +25,7 @@ in stdenv.mkDerivation rec {
     "--with-modulesdirs=${modulesDirs}"
   ] ++ lib.optional withStatic "--enable-static";
 
-  patches = [ ./module-dir.patch ]
+  patches = [ ./module-dir.patch ./no-name-field.patch ]
     ++ lib.optional stdenv.isDarwin ./darwin.patch
     ++ lib.optional withStatic ./enable-static.patch;
 
@@ -37,7 +38,7 @@ in stdenv.mkDerivation rec {
     ln -s bin $out/sbin
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tools for loading and managing Linux kernel modules";
     longDescription = ''
       kmod is a set of tools to handle common tasks with Linux kernel modules
diff --git a/pkgs/os-specific/linux/kmod/no-name-field.patch b/pkgs/os-specific/linux/kmod/no-name-field.patch
new file mode 100644
index 00000000000..282f59e55e5
--- /dev/null
+++ b/pkgs/os-specific/linux/kmod/no-name-field.patch
@@ -0,0 +1,24 @@
+
+---
+ tools/modinfo.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/modinfo.c b/tools/modinfo.c
+index 0231bb0..7b2259e 100644
+--- a/tools/modinfo.c
++++ b/tools/modinfo.c
+@@ -178,7 +178,10 @@ static int modinfo_do(struct kmod_module *mod)
+ 	is_builtin = (filename == NULL);
+ 
+ 	if (is_builtin) {
+-		printf("%-16s%s%c", "name:", kmod_module_get_name(mod), separator);
++		if (field == NULL || field != NULL && streq(field, "name")){
++			printf("%-16s%s%c", "name:",
++			       kmod_module_get_name(mod), separator);
++		}
+ 		filename = "(builtin)";
+ 	}
+ 
+-- 
+2.28.0
+
diff --git a/pkgs/os-specific/linux/kmscon/default.nix b/pkgs/os-specific/linux/kmscon/default.nix
index 29f99629df8..f48895fc017 100644
--- a/pkgs/os-specific/linux/kmscon/default.nix
+++ b/pkgs/os-specific/linux/kmscon/default.nix
@@ -1,4 +1,4 @@
-{ stdenv
+{ lib, stdenv
 , fetchFromGitHub
 , autoreconfHook
 , libtsm
@@ -8,7 +8,7 @@
 , libGLU, libGL
 , pango
 , pixman
-, pkgconfig
+, pkg-config
 , docbook_xsl
 , libxslt
 }:
@@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [
     autoreconfHook
     docbook_xsl
-    pkgconfig
+    pkg-config
   ];
 
   configureFlags = [
@@ -50,10 +50,11 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "KMS/DRM based System Console";
     homepage = "http://www.freedesktop.org/wiki/Software/kmscon/";
     license = licenses.mit;
+    maintainers = with maintainers; [ omasanori ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/kmscube/default.nix b/pkgs/os-specific/linux/kmscube/default.nix
index e2e63bc10a1..6db3a9583ec 100644
--- a/pkgs/os-specific/linux/kmscube/default.nix
+++ b/pkgs/os-specific/linux/kmscube/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, autoreconfHook, libdrm, libX11, libGL, mesa, pkgconfig }:
+{ lib, stdenv, fetchgit, autoreconfHook, libdrm, libX11, libGL, mesa, pkg-config }:
 
 stdenv.mkDerivation {
   name = "kmscube-2018-06-17";
@@ -9,10 +9,10 @@ stdenv.mkDerivation {
     sha256 = "1q5b5yvyfj3127385mp1bfmcbnpnbdswdk8gspp7g4541xk4k933";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ libdrm libX11 libGL mesa ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Example OpenGL app using KMS/GBM";
     homepage = "https://gitlab.freedesktop.org/mesa/kmscube";
     license = licenses.mit;
diff --git a/pkgs/os-specific/linux/kvmfr/default.nix b/pkgs/os-specific/linux/kvmfr/default.nix
new file mode 100644
index 00000000000..a7949c85c2e
--- /dev/null
+++ b/pkgs/os-specific/linux/kvmfr/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, kernel, kmod, looking-glass-client }:
+
+stdenv.mkDerivation rec {
+  pname = "kvmfr";
+  version = looking-glass-client.version;
+
+  src = looking-glass-client.src;
+  sourceRoot = "source/module";
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D kvmfr.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/misc/"
+  '';
+
+  meta = with lib; {
+    description = "Optional kernel module for LookingGlass";
+    longDescription = ''
+      This kernel module implements a basic interface to the IVSHMEM device for LookingGlass when using LookingGlass in VM->VM mode
+      Additionally, in VM->host mode, it can be used to generate a shared memory device on the host machine that supports dmabuf
+    '';
+    homepage = "https://github.com/gnif/LookingGlass";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ j-brn ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/os-specific/linux/latencytop/default.nix b/pkgs/os-specific/linux/latencytop/default.nix
index 40095e543b4..30ec6cdc7b5 100644
--- a/pkgs/os-specific/linux/latencytop/default.nix
+++ b/pkgs/os-specific/linux/latencytop/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, ncurses, glib, pkgconfig, gtk2 }:
+{ lib, stdenv, fetchurl, ncurses, glib, pkg-config, gtk2 }:
 
 stdenv.mkDerivation rec {
   name = "latencytop-0.5";
@@ -12,14 +12,14 @@ stdenv.mkDerivation rec {
     sha256 = "1vq3j9zdab6njly2wp900b3d5244mnxfm88j2bkiinbvxbxp4zwy";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ ncurses glib gtk2 ];
 
   meta = {
     homepage = "http://latencytop.org";
     description = "Tool to show kernel reports on latencies (LATENCYTOP option)";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = [ stdenv.lib.maintainers.viric ];
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    maintainers = [ lib.maintainers.viric ];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/ldm/default.nix b/pkgs/os-specific/linux/ldm/default.nix
index bbc341caf11..072b53b02ec 100644
--- a/pkgs/os-specific/linux/ldm/default.nix
+++ b/pkgs/os-specific/linux/ldm/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, udev, utillinux, mountPath ? "/media/" }:
+{ lib, stdenv, fetchgit, udev, util-linux, mountPath ? "/media/" }:
 
 assert mountPath != "";
 
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     sha256 = "0lxfypnbamfx6p9ar5k9wra20gvwn665l4pp2j4vsx4yi5q7rw2n";
   };
 
-  buildInputs = [ udev utillinux ];
+  buildInputs = [ udev util-linux ];
 
   postPatch = ''
     substituteInPlace ldm.c \
@@ -35,9 +35,9 @@ stdenv.mkDerivation rec {
 
   meta = {
     description = "A lightweight device mounter, with libudev as only dependency";
-    license = stdenv.lib.licenses.mit;
+    license = lib.licenses.mit;
 
-    platforms = stdenv.lib.platforms.linux;
+    platforms = lib.platforms.linux;
     repositories.git = git;
   };
 }
diff --git a/pkgs/os-specific/linux/ledger-udev-rules/default.nix b/pkgs/os-specific/linux/ledger-udev-rules/default.nix
index e85eb02f8c8..7b23719c791 100644
--- a/pkgs/os-specific/linux/ledger-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/ledger-udev-rules/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation {
   pname = "ledger-udev-rules";
@@ -19,7 +19,7 @@ stdenv.mkDerivation {
     cp 20-hw1.rules $out/lib/udev/rules.d/20-ledger.rules
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "udev rules for Ledger devices";
     license = licenses.asl20;
     maintainers = with maintainers; [ asymmetric ];
diff --git a/pkgs/os-specific/linux/libaio/default.nix b/pkgs/os-specific/linux/libaio/default.nix
index ac000976a68..046bba5dda0 100644
--- a/pkgs/os-specific/linux/libaio/default.nix
+++ b/pkgs/os-specific/linux/libaio/default.nix
@@ -1,12 +1,12 @@
-{ stdenv, fetchurl, fetchpatch }:
+{ lib, stdenv, fetchurl, fetchpatch }:
 
 stdenv.mkDerivation rec {
-  version = "0.3.111";
+  version = "0.3.112";
   pname = "libaio";
 
   src = fetchurl {
     url = "https://pagure.io/libaio/archive/${pname}-${version}/${pname}-${pname}-${version}.tar.gz";
-    sha256 = "1fih2y2js0dl9qshpyb14m0nnxlms2527shgcxg0hnbflv5igg76";
+    sha256 = "0wi2myh191sja13qj3claxhpfkngvy10x30f78hm9cxzkfr97kxp";
   };
 
   postPatch = ''
@@ -18,18 +18,18 @@ stdenv.mkDerivation rec {
   '';
 
   makeFlags = [
-    "prefix=${placeholder ''out''}"
-  ];
+    "prefix=${placeholder "out"}"
+  ] ++ lib.optional stdenv.hostPlatform.isStatic "ENABLE_SHARED=0";
 
-  hardeningDisable = stdenv.lib.optional (stdenv.isi686) "stackprotector";
+  hardeningDisable = lib.optional (stdenv.isi686) "stackprotector";
 
   checkTarget = "partcheck"; # "check" needs root
 
   meta = {
     description = "Library for asynchronous I/O in Linux";
     homepage = "http://lse.sourceforge.net/io/aio.html";
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.lgpl21;
-    maintainers = with stdenv.lib.maintainers; [ ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.lgpl21;
+    maintainers = with lib.maintainers; [ ];
   };
 }
diff --git a/pkgs/os-specific/linux/libatasmart/default.nix b/pkgs/os-specific/linux/libatasmart/default.nix
index cf5fc54ed65..c422f5e01bb 100644
--- a/pkgs/os-specific/linux/libatasmart/default.nix
+++ b/pkgs/os-specific/linux/libatasmart/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, udev, buildPackages }:
+{ lib, stdenv, fetchurl, pkg-config, udev, buildPackages }:
 
 stdenv.mkDerivation rec {
   name = "libatasmart-0.19";
@@ -9,10 +9,10 @@ stdenv.mkDerivation rec {
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ udev ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://0pointer.de/blog/projects/being-smart.html";
     description = "Library for querying ATA SMART status";
     license = licenses.lgpl21;
diff --git a/pkgs/os-specific/linux/libbpf/default.nix b/pkgs/os-specific/linux/libbpf/default.nix
index 0a98475384d..2e497584fab 100644
--- a/pkgs/os-specific/linux/libbpf/default.nix
+++ b/pkgs/os-specific/linux/libbpf/default.nix
@@ -1,43 +1,54 @@
-{ stdenv, fetchFromGitHub, pkgconfig
+{ lib, stdenv, fetchFromGitHub, pkg-config
 , libelf, zlib
+, fetchpatch
 }:
 
 with builtins;
 
 stdenv.mkDerivation rec {
   pname = "libbpf";
-  version = "0.0.9";
+  version = "0.1.1";
 
   src = fetchFromGitHub {
-    owner = "libbpf";
-    repo = "libbpf";
-    rev = "v${version}";
-    sha256 = "18l0gff7nm841mwhr7bc7x863xcyvwh58zl7mc0amnsjqlbrvqg7";
+    owner  = "libbpf";
+    repo   = "libbpf";
+    rev    = "v${version}";
+    sha256 = "0ilnnm4q22f8fagwp8kb37licy4ks861i2iqh2djsypqhnxvx3fv";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  patches = [
+    (fetchpatch { # included upstream for > 0.1.0
+      name = "link-zlib.patch";
+      url = "https://github.com/libbpf/libbpf/commit/8b14cb43ff837.diff";
+      sha256 = "17mvjrs7s727drz013a8qlyj0345ldi2kph6pazcmxv6kl1qrz2z";
+    })
+  ];
+  patchFlags = "-p2";
+  # https://github.com/libbpf/libbpf/pull/201#issuecomment-689174740
+  postPatch = ''
+    substituteInPlace ../scripts/check-reallocarray.sh \
+      --replace 'mktemp /tmp/' 'mktemp ' \
+      --replace '/bin/rm' 'rm'
+  '';
+
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libelf zlib ];
 
   sourceRoot = "source/src";
   enableParallelBuilding = true;
   makeFlags = [ "PREFIX=$(out)" ];
 
-  patchPhase = ''
-    substituteInPlace ../scripts/check-reallocarray.sh \
-      --replace '/bin/rm' 'rm'
-  '';
-
-  # FIXME: Multi-output requires some fixes to the way the pkgconfig file is
+  # FIXME: Multi-output requires some fixes to the way the pkg-config file is
   # constructed (it gets put in $out instead of $dev for some reason, with
   # improper paths embedded). Don't enable it for now.
 
   # outputs = [ "out" "dev" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Upstream mirror of libbpf";
     homepage    = "https://github.com/libbpf/libbpf";
     license     = with licenses; [ lgpl21 /* or */ bsd2 ];
-    maintainers = with maintainers; [ thoughtpolice ];
+    maintainers = with maintainers; [ thoughtpolice vcunat ];
     platforms   = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/libcap-ng/default.nix b/pkgs/os-specific/linux/libcap-ng/default.nix
index c9b061fe03b..615f376d79d 100644
--- a/pkgs/os-specific/linux/libcap-ng/default.nix
+++ b/pkgs/os-specific/linux/libcap-ng/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, swig ? null, python2 ? null, python3 ? null }:
+{ lib, stdenv, fetchurl, swig ? null, python2 ? null, python3 ? null }:
 
 assert python2 != null || python3 != null -> swig != null;
 
@@ -6,11 +6,11 @@ stdenv.mkDerivation rec {
   pname = "libcap-ng";
   # When updating make sure to test that the version with
   # all of the python bindings still works
-  version = "0.7.10";
+  version = "0.8.2";
 
   src = fetchurl {
     url = "${meta.homepage}/${pname}-${version}.tar.gz";
-    sha256 = "1gzzy12agfa9ddipdf72h9y68zqqnvsjjylv4vnq6hj4w2safk58";
+    sha256 = "1sasp1n154aqy9fz0knlb966svm7xg1zjhg1vr4q839bgjvq7h2j";
   };
 
   nativeBuildInputs = [ swig ];
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
     (if python3 != null then "--with-python3" else "--without-python3")
   ];
 
-  meta = let inherit (stdenv.lib) platforms licenses; in {
+  meta = let inherit (lib) platforms licenses; in {
     description = "Library for working with POSIX capabilities";
     homepage = "https://people.redhat.com/sgrubb/libcap-ng/";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/libcap/default.nix b/pkgs/os-specific/linux/libcap/default.nix
index 174f1be99db..47fa7c05e79 100644
--- a/pkgs/os-specific/linux/libcap/default.nix
+++ b/pkgs/os-specific/linux/libcap/default.nix
@@ -1,36 +1,39 @@
-{ stdenv, buildPackages, fetchurl, attr, perl, pam }:
+{ stdenv, lib, buildPackages, fetchurl, attr, perl, runtimeShell
+, usePam ? !isStatic, pam ? null
+, isStatic ? stdenv.hostPlatform.isStatic
+}:
+
+assert usePam -> pam != null;
 
 stdenv.mkDerivation rec {
   pname = "libcap";
-  version = "2.27";
+  version = "2.48";
 
   src = fetchurl {
     url = "mirror://kernel/linux/libs/security/linux-privs/libcap2/${pname}-${version}.tar.xz";
-    sha256 = "0sj8kidl7qgf2qwxcbw1vadnlb30y4zvjzxswsmfdghq04npkhfs";
+    sha256 = "sha256-TelZDuCah8KC1Vhzf/tbYXXMv9JtWArdEN9E0PBH9sI=";
   };
 
-  outputs = [ "out" "dev" "lib" "man" "doc" "pam" ];
+  outputs = [ "out" "dev" "lib" "man" "doc" ]
+    ++ lib.optional usePam "pam";
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
   nativeBuildInputs = [ perl ];
 
-  buildInputs = [ pam ];
+  buildInputs = lib.optional usePam pam;
 
   propagatedBuildInputs = [ attr ];
 
   makeFlags = [
     "lib=lib"
-    "PAM_CAP=yes"
+    "PAM_CAP=${if usePam then "yes" else "no"}"
     "BUILD_CC=$(CC_FOR_BUILD)"
     "CC:=$(CC)"
-  ];
+  ] ++ lib.optional isStatic "SHARED=no";
 
   prePatch = ''
-    # use relative bash path
-    substituteInPlace progs/capsh.c --replace "/bin/bash" "bash"
-
-    # ensure capsh can find bash in $PATH
-    substituteInPlace progs/capsh.c --replace execve execvpe
+    # use full path to bash
+    substituteInPlace progs/capsh.c --replace "/bin/bash" "${runtimeShell}"
 
     # set prefixes
     substituteInPlace Make.Rules \
@@ -44,17 +47,18 @@ stdenv.mkDerivation rec {
   installFlags = [ "RAISE_SETFCAP=no" ];
 
   postInstall = ''
-    rm "$lib"/lib/*.a
+    ${lib.optionalString (!isStatic) ''rm "$lib"/lib/*.a''}
     mkdir -p "$doc/share/doc/${pname}-${version}"
     cp License "$doc/share/doc/${pname}-${version}/"
-  '' + stdenv.lib.optionalString (pam != null) ''
+  '' + lib.optionalString usePam ''
     mkdir -p "$pam/lib/security"
     mv "$lib"/lib/security "$pam/lib"
   '';
 
   meta = {
     description = "Library for working with POSIX capabilities";
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.bsd3;
+    homepage = "https://sites.google.com/site/fullycapable";
+    platforms = lib.platforms.linux;
+    license = lib.licenses.bsd3;
   };
 }
diff --git a/pkgs/os-specific/linux/libcgroup/default.nix b/pkgs/os-specific/linux/libcgroup/default.nix
index 4d93c3bb4fe..6d6a8e7c21e 100644
--- a/pkgs/os-specific/linux/libcgroup/default.nix
+++ b/pkgs/os-specific/linux/libcgroup/default.nix
@@ -1,34 +1,29 @@
-{ stdenv, fetchurl, fetchpatch, pam, yacc, flex }:
+{ lib, stdenv, fetchFromGitHub, pam, bison, flex, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   pname = "libcgroup";
-  version = "0.41";
+  version = "0.42.2";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/libcg/${pname}-${version}.tar.bz2";
-    sha256 = "0lgvyq37gq84sk30sg18admxaj0j0p5dq3bl6g74a1ppgvf8pqz4";
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1h8s70lm6g7r0wj7j3xgj2g3j9fifvsy2pna6w0j3i5hh42qfms4";
   };
 
-  buildInputs = [ pam yacc flex ];
-
-  patches = [
-    (fetchpatch {
-      name = "CVE-2018-14348.patch";
-      url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
-      sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
-    })
-  ];
+  buildInputs = [ pam bison flex ];
+  nativeBuildInputs = [ autoreconfHook ];
 
   postPatch = ''
-    substituteInPlace src/tools/Makefile.in \
+    substituteInPlace src/tools/Makefile.am \
       --replace 'chmod u+s' 'chmod +x'
   '';
 
   meta = {
     description = "Library and tools to manage Linux cgroups";
     homepage    = "http://libcg.sourceforge.net/";
-    license     = stdenv.lib.licenses.lgpl2;
-    platforms   = stdenv.lib.platforms.linux;
-    maintainers = [ stdenv.lib.maintainers.thoughtpolice ];
+    license     = lib.licenses.lgpl2;
+    platforms   = lib.platforms.linux;
+    maintainers = [ lib.maintainers.thoughtpolice ];
   };
 }
diff --git a/pkgs/os-specific/linux/libevdevc/default.nix b/pkgs/os-specific/linux/libevdevc/default.nix
index e3dfbd3d6c2..2417ef6da9d 100644
--- a/pkgs/os-specific/linux/libevdevc/default.nix
+++ b/pkgs/os-specific/linux/libevdevc/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, coreutils, pkgconfig, glib, jsoncpp }:
+{ lib, stdenv, fetchFromGitHub, coreutils, pkg-config, glib, jsoncpp }:
 
 stdenv.mkDerivation rec {
   name = "libevdevc";
@@ -19,8 +19,8 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "DESTDIR=$(out)" "LIBDIR=/lib" ];
 
-  meta = with stdenv.lib; {
-    description = "ChromiumOS libevdev. Renamed to avoid conflicts with the standard libevdev found in Linux distros.";
+  meta = with lib; {
+    description = "ChromiumOS libevdev. Renamed to avoid conflicts with the standard libevdev found in Linux distros";
     license = licenses.bsd3;
     platforms = platforms.linux;
     homepage = "https://chromium.googlesource.com/chromiumos/platform/libevdev/";
diff --git a/pkgs/os-specific/linux/libfabric/default.nix b/pkgs/os-specific/linux/libfabric/default.nix
index 40f92f38d16..9a1e44f6af9 100644
--- a/pkgs/os-specific/linux/libfabric/default.nix
+++ b/pkgs/os-specific/linux/libfabric/default.nix
@@ -1,8 +1,8 @@
-{ stdenv, fetchFromGitHub, pkgconfig, autoreconfHook, libpsm2 }:
+{ lib, stdenv, fetchFromGitHub, pkg-config, autoreconfHook, libpsm2 }:
 
 stdenv.mkDerivation rec {
   pname = "libfabric";
-  version = "1.10.1";
+  version = "1.12.1";
 
   enableParallelBuilding = true;
 
@@ -10,16 +10,16 @@ stdenv.mkDerivation rec {
     owner = "ofiwg";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0nf5x4v9rhyd67r6f6q3dw4sraaja8jfdkhhg9g8x41czmx4d456";
+    sha256 = "sha256-J2PoDwjPWYpagX4M2k9E1xitBzgRUZzwX9Gf00H+Tdc=";
   };
 
-  nativeBuildInputs = [ pkgconfig autoreconfHook ] ;
+  nativeBuildInputs = [ pkg-config autoreconfHook ] ;
 
   buildInputs = [ libpsm2 ] ;
 
   configureFlags = [ "--enable-psm2=${libpsm2}" ] ;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://libfabric.org/";
     description = "Open Fabric Interfaces";
     license = with licenses; [ gpl2 bsd2 ];
diff --git a/pkgs/os-specific/linux/libgestures/default.nix b/pkgs/os-specific/linux/libgestures/default.nix
index 4c51525727a..bface8118be 100644
--- a/pkgs/os-specific/linux/libgestures/default.nix
+++ b/pkgs/os-specific/linux/libgestures/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, pkgconfig, glib, jsoncpp }:
+{ lib, stdenv, fetchFromGitHub, pkg-config, glib, jsoncpp }:
 
 stdenv.mkDerivation rec {
   name = "libgestures-${version}";
@@ -17,14 +17,14 @@ stdenv.mkDerivation rec {
       --replace '$(DESTDIR)/usr/include' '$(DESTDIR)/include'
   '';
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ glib jsoncpp ];
 
 
   makeFlags = [ "DESTDIR=$(out)" "LIBDIR=/lib" ];
 
-  meta = with stdenv.lib; {
-    description = "ChromiumOS libgestures modified to compile for Linux.";
+  meta = with lib; {
+    description = "ChromiumOS libgestures modified to compile for Linux";
     license = licenses.bsd3;
     platforms = platforms.linux;
     homepage = "https://chromium.googlesource.com/chromiumos/platform/gestures";
diff --git a/pkgs/os-specific/linux/libnl/default.nix b/pkgs/os-specific/linux/libnl/default.nix
index 551352fa46c..d6604f9e15b 100644
--- a/pkgs/os-specific/linux/libnl/default.nix
+++ b/pkgs/os-specific/linux/libnl/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, file, lib, fetchFromGitHub, autoreconfHook, bison, flex, pkgconfig
-, pythonSupport ? false, swig ? null, python}:
+{ stdenv, file, lib, fetchFromGitHub, autoreconfHook, bison, flex, pkg-config
+, pythonSupport ? false, swig ? null, python ? null}:
 
 stdenv.mkDerivation rec {
   pname = "libnl";
@@ -16,12 +16,12 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  nativeBuildInputs = [ autoreconfHook bison flex pkgconfig file ]
+  nativeBuildInputs = [ autoreconfHook bison flex pkg-config file ]
     ++ lib.optional pythonSupport swig;
 
   postBuild = lib.optionalString (pythonSupport) ''
       cd python
-      ${python}/bin/python setup.py install --prefix=../pythonlib
+      ${python.interpreter} setup.py install --prefix=../pythonlib
       cd -
   '';
 
@@ -34,7 +34,6 @@ stdenv.mkDerivation rec {
   };
 
   meta = with lib; {
-    inherit version;
     homepage = "http://www.infradead.org/~tgr/libnl/";
     description = "Linux Netlink interface library suite";
     license = licenses.lgpl21;
diff --git a/pkgs/os-specific/linux/libpsm2/default.nix b/pkgs/os-specific/linux/libpsm2/default.nix
index b9e41380da8..1ac4580b13f 100644
--- a/pkgs/os-specific/linux/libpsm2/default.nix
+++ b/pkgs/os-specific/linux/libpsm2/default.nix
@@ -1,9 +1,8 @@
-{ stdenv, fetchFromGitHub, numactl, pkgconfig }:
+{ lib, stdenv, fetchFromGitHub, numactl, pkg-config }:
 
 stdenv.mkDerivation rec {
   pname = "libpsm2";
-  version = "11.2.156";
-  ifs_version = "10_10_2_0_44";
+  version = "11.2.185";
 
   preConfigure= ''
     export UDEVDIR=$out/etc/udev
@@ -12,9 +11,9 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  buildInputs = [ numactl pkgconfig ];
+  buildInputs = [ numactl pkg-config ];
 
-  installFlags = [ 
+  installFlags = [
     "DESTDIR=$(out)"
     "UDEVDIR=/etc/udev"
     "LIBPSM2_COMPAT_CONF_DIR=/etc"
@@ -23,8 +22,8 @@ stdenv.mkDerivation rec {
   src = fetchFromGitHub {
     owner = "intel";
     repo = "opa-psm2";
-    rev = "IFS_RELEASE_${ifs_version}";
-    sha256 = "0ckrfzih1ga9yvximxjdh0z05kn9l858ykqiblv18w6ka3gra1xz";
+    rev = "PSM2_${version}";
+    sha256 = "062hg4r6gz7pla9df70nqs5i2a3mp1wszmp4l0g771fykhhrxsjg";
   };
 
   postInstall = ''
@@ -32,7 +31,7 @@ stdenv.mkDerivation rec {
     rmdir $out/usr
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/intel/opa-psm2";
     description = "The PSM2 library supports a number of fabric media and stacks";
     license = with licenses; [ gpl2 bsd3 ];
diff --git a/pkgs/os-specific/linux/libratbag/default.nix b/pkgs/os-specific/linux/libratbag/default.nix
index 48ee5d16c5c..a264c454487 100644
--- a/pkgs/os-specific/linux/libratbag/default.nix
+++ b/pkgs/os-specific/linux/libratbag/default.nix
@@ -1,20 +1,20 @@
-{ stdenv, fetchFromGitHub, meson, ninja, pkgconfig
+{ lib, stdenv, fetchFromGitHub, meson, ninja, pkg-config
 , glib, systemd, udev, libevdev, gitMinimal, check, valgrind, swig, python3
 , json-glib, libunistring }:
 
 stdenv.mkDerivation rec {
   pname = "libratbag";
-  version = "0.14";
+  version = "0.16";
 
   src = fetchFromGitHub {
     owner  = "libratbag";
     repo   = "libratbag";
     rev    = "v${version}";
-    sha256 = "1fpwp2sj8mf98bqasq2h8qwgprxi7k3iw33gcfid3d1lbyiacw0x";
+    sha256 = "sha256-wJLG0Gxm1RWwW5SCGoa2QscU1VC0r93KZfEMNVg3Tko=";
   };
 
   nativeBuildInputs = [
-    meson ninja pkgconfig gitMinimal swig check valgrind
+    meson ninja pkg-config gitMinimal swig check valgrind
   ];
 
   buildInputs = [
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
     "-Dsystemd-unit-dir=./lib/systemd/system/"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Configuration library for gaming mice";
     homepage    = "https://github.com/libratbag/libratbag";
     license     = licenses.mit;
diff --git a/pkgs/os-specific/linux/libselinux/default.nix b/pkgs/os-specific/linux/libselinux/default.nix
index 741c51e2233..fbf7e4bd995 100644
--- a/pkgs/os-specific/linux/libselinux/default.nix
+++ b/pkgs/os-specific/linux/libselinux/default.nix
@@ -1,26 +1,26 @@
-{ stdenv, fetchurl, pcre, pkgconfig, libsepol
-, enablePython ? true, swig ? null, python ? null
+{ lib, stdenv, fetchurl, pcre, pkg-config, libsepol
+, enablePython ? true, swig ? null, python3 ? null
 , fts
 }:
 
-assert enablePython -> swig != null && python != null;
+assert enablePython -> swig != null && python3 != null;
 
-with stdenv.lib;
+with lib;
 
 stdenv.mkDerivation rec {
   pname = "libselinux";
-  version = "2.9";
+  version = "3.0";
   inherit (libsepol) se_release se_url;
 
   outputs = [ "bin" "out" "dev" "man" ] ++ optional enablePython "py";
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libselinux-${version}.tar.gz";
-    sha256 = "14r69mgmz7najf9wbizvp68q56mqx4yjbkxjlbcqg5a47s3wik0v";
+    sha256 = "0cr4p0qkr4qd5z1x677vwhz6mlz55kxyijwi2dmrvbhxcw7v78if";
   };
 
-  nativeBuildInputs = [ pkgconfig ] ++ optionals enablePython [ swig python ];
-  buildInputs = [ libsepol pcre fts ] ++ optionals enablePython [ python ];
+  nativeBuildInputs = [ pkg-config ] ++ optionals enablePython [ swig python3 ];
+  buildInputs = [ libsepol pcre fts ] ++ optionals enablePython [ python3 ];
 
   # drop fortify here since package uses it by default, leading to compile error:
   # command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror]
@@ -35,14 +35,24 @@ stdenv.mkDerivation rec {
     "MAN3DIR=$(man)/share/man/man3"
     "MAN5DIR=$(man)/share/man/man5"
     "MAN8DIR=$(man)/share/man/man8"
-    "PYTHON=${python.pythonForBuild}/bin/python"
-    "PYTHONLIBDIR=$(py)/${python.sitePackages}"
     "SBINDIR=$(bin)/sbin"
     "SHLIBDIR=$(out)/lib"
 
-    "LIBSEPOLA=${stdenv.lib.getLib libsepol}/lib/libsepol.a"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+  ] ++ optionals enablePython [
+    "PYTHON=${python3.pythonForBuild.interpreter}"
+    "PYTHONLIBDIR=$(py)/${python3.sitePackages}"
   ];
 
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
+    substituteInPlace src/procattr.c \
+      --replace "#include <unistd.h>" ""
+  '';
+
+  preInstall = optionalString enablePython ''
+    mkdir -p $py/${python3.sitePackages}/selinux
+  '';
+
   installTargets = [ "install" ] ++ optional enablePython "install-pywrap";
 
   meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
diff --git a/pkgs/os-specific/linux/libsemanage/default.nix b/pkgs/os-specific/linux/libsemanage/default.nix
index 70b2508451b..11a6f2755d4 100644
--- a/pkgs/os-specific/linux/libsemanage/default.nix
+++ b/pkgs/os-specific/linux/libsemanage/default.nix
@@ -1,8 +1,8 @@
-{ stdenv, fetchurl, pkgconfig, bison, flex, libsepol, libselinux, bzip2, audit
+{ lib, stdenv, fetchurl, pkg-config, bison, flex, libsepol, libselinux, bzip2, audit
 , enablePython ? true, swig ? null, python ? null
 }:
 
-with stdenv.lib;
+with lib;
 
 stdenv.mkDerivation rec {
   pname = "libsemanage";
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "dev" "man" ] ++ optional enablePython "py";
 
-  nativeBuildInputs = [ bison flex pkgconfig ];
+  nativeBuildInputs = [ bison flex pkg-config ];
   buildInputs = [ libsepol libselinux bzip2 audit ]
     ++ optionals enablePython [ swig python ];
 
@@ -30,10 +30,20 @@ stdenv.mkDerivation rec {
     "DEFAULT_SEMANAGE_CONF_LOCATION=$(out)/etc/selinux/semanage.conf"
   ];
 
+  # The following turns the 'clobbered' error into a warning
+  # which should fix the following error:
+  #
+  # semanage_store.c: In function 'semanage_exec_prog':
+  # semanage_store.c:1278:6: error: variable 'i' might be clobbered by 'longjmp' or 'vfork' [8;;https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wclobbered-Werror=clobbered8;;]
+  #  1278 |  int i;
+  #       |      ^
+  # cc1: all warnings being treated as errors
+  NIX_CFLAGS_COMPILE = [ "-Wno-error=clobbered" ];
+
   installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ];
 
   meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
     description = "Policy management tools for SELinux";
-    license = stdenv.lib.licenses.lgpl21;
+    license = lib.licenses.lgpl21;
   };
 }
diff --git a/pkgs/os-specific/linux/libsepol/default.nix b/pkgs/os-specific/linux/libsepol/default.nix
index 497961af11b..732ad88c70d 100644
--- a/pkgs/os-specific/linux/libsepol/default.nix
+++ b/pkgs/os-specific/linux/libsepol/default.nix
@@ -1,18 +1,23 @@
-{ stdenv, fetchurl, flex }:
+{ lib, stdenv, fetchurl, flex }:
 
 stdenv.mkDerivation rec {
   pname = "libsepol";
-  version = "2.9";
-  se_release = "20190315";
+  version = "3.0";
+  se_release = "20191204";
   se_url = "https://github.com/SELinuxProject/selinux/releases/download";
 
   outputs = [ "bin" "out" "dev" "man" ];
 
   src = fetchurl {
     url = "${se_url}/${se_release}/libsepol-${version}.tar.gz";
-    sha256 = "0p8x7w73jn1nysx1d7416wqrhbi0r6isrjxib7jf68fi72q14jx3";
+    sha256 = "0ygb6dh5lng91xs6xiqf5v0nxa68qmjc787p0s5h9w89364f2yjv";
   };
 
+  postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
+    substituteInPlace src/Makefile --replace 'all: $(LIBA) $(LIBSO)' 'all: $(LIBA)'
+    sed -i $'/^\t.*LIBSO/d' src/Makefile
+  '';
+
   nativeBuildInputs = [ flex ];
 
   makeFlags = [
@@ -29,11 +34,11 @@ stdenv.mkDerivation rec {
 
   passthru = { inherit se_release se_url; };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "SELinux binary policy manipulation library";
     homepage = "http://userspace.selinuxproject.org";
     platforms = platforms.linux;
     maintainers = [ maintainers.phreedom ];
-    license = stdenv.lib.licenses.gpl2;
+    license = lib.licenses.gpl2Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/libsmbios/default.nix b/pkgs/os-specific/linux/libsmbios/default.nix
index 268588f53ab..46d0e94bb14 100644
--- a/pkgs/os-specific/linux/libsmbios/default.nix
+++ b/pkgs/os-specific/linux/libsmbios/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, pkgconfig, autoreconfHook, help2man, gettext
+{ lib, stdenv, fetchFromGitHub, pkg-config, autoreconfHook, help2man, gettext
 , libxml2, perl, python3, doxygen }:
 
 
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
     sha256 = "0krwwydyvb9224r884y1mlmzyxhlfrcqw73vi1j8787rl0gl5a2i";
   };
 
-  nativeBuildInputs = [ autoreconfHook doxygen gettext libxml2 help2man perl pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook doxygen gettext libxml2 help2man perl pkg-config ];
 
   buildInputs = [ python3 ];
 
@@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
 
   preFixup = ''rm -rf "$(pwd)" ''; # Hack to avoid TMPDIR in RPATHs
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/dell/libsmbios";
     description = "A library to obtain BIOS information";
     license = with licenses; [ osl21 gpl2Plus ];
diff --git a/pkgs/os-specific/linux/libudev0-shim/default.nix b/pkgs/os-specific/linux/libudev0-shim/default.nix
index 2073f9f6f56..642dd534232 100644
--- a/pkgs/os-specific/linux/libudev0-shim/default.nix
+++ b/pkgs/os-specific/linux/libudev0-shim/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, udev }:
+{ lib, stdenv, fetchFromGitHub, udev }:
 
 stdenv.mkDerivation rec {
   pname = "libudev0-shim";
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
     ln -s "$name" "$out/lib/libudev.so.0"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Shim to preserve libudev.so.0 compatibility";
     homepage = "https://github.com/archlinux/libudev0-shim";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/libvolume_id/default.nix b/pkgs/os-specific/linux/libvolume_id/default.nix
index 98ddc50e2e4..87b7d33c5d8 100644
--- a/pkgs/os-specific/linux/libvolume_id/default.nix
+++ b/pkgs/os-specific/linux/libvolume_id/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 
 stdenv.mkDerivation {
   name = "libvolume_id-0.81.1";
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
   };
 
   preBuild = "
-    makeFlagsArray=(prefix=$out E=echo RANLIB=ranlib INSTALL='install -c')
+    makeFlagsArray=(prefix=$out E=echo RANLIB=${stdenv.cc.targetPrefix}ranlib INSTALL='install -c')
   ";
 
   # Work around a broken Makefile.
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
     cp -f libvolume_id.so.0 $out/lib/
   ";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     platforms = platforms.linux;
     license = licenses.gpl2;
   };
diff --git a/pkgs/os-specific/linux/libwebcam/default.nix b/pkgs/os-specific/linux/libwebcam/default.nix
index 5cccc82b843..5f87a89496b 100644
--- a/pkgs/os-specific/linux/libwebcam/default.nix
+++ b/pkgs/os-specific/linux/libwebcam/default.nix
@@ -2,7 +2,7 @@
 , stdenv
 , fetchurl
 , cmake
-, pkgconfig
+, pkg-config
 , libxml2
 }:
 
@@ -19,11 +19,8 @@ stdenv.mkDerivation rec {
     ./uvcdynctrl_symlink_support_and_take_data_dir_from_env.patch
   ];
 
-  buildInputs = [
-    cmake
-    pkgconfig
-    libxml2
-  ];
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libxml2 ];
 
   postPatch = ''
     substituteInPlace ./uvcdynctrl/CMakeLists.txt \
diff --git a/pkgs/os-specific/linux/light/default.nix b/pkgs/os-specific/linux/light/default.nix
index 45af4e7ae8e..995381c5340 100644
--- a/pkgs/os-specific/linux/light/default.nix
+++ b/pkgs/os-specific/linux/light/default.nix
@@ -1,13 +1,13 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, coreutils }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, coreutils }:
 
 stdenv.mkDerivation rec {
-  version = "1.2.1";
+  version = "1.2.2";
   pname = "light";
   src = fetchFromGitHub {
     owner = "haikarainen";
     repo = "light";
     rev = "v${version}";
-    sha256 = "0zrjipd392bzjvxx0rjrb0cgi0ix1d83fwgw1mcy8kc4d16cgyjg";
+    sha256 = "1a70zcf88ifsnwll486aicjnh48zisdf8f7vi34ihw61kdadsq9s";
   };
 
   configureFlags = [ "--with-udev" ];
@@ -24,8 +24,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "GNU/Linux application to control backlights";
     homepage = "https://haikarainen.github.io/light/";
-    license = stdenv.lib.licenses.gpl3;
-    maintainers = with stdenv.lib.maintainers; [ puffnfresh dtzWill ];
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl3;
+    maintainers = with lib.maintainers; [ puffnfresh dtzWill ];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/lightum/default.nix b/pkgs/os-specific/linux/lightum/default.nix
index 3c37b66d231..ec56a89ce88 100644
--- a/pkgs/os-specific/linux/lightum/default.nix
+++ b/pkgs/os-specific/linux/lightum/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, libX11, libXScrnSaver, libXext, glib, dbus, pkgconfig, systemd }:
+{ lib, stdenv, fetchgit, libX11, libXScrnSaver, libXext, glib, dbus, pkg-config, systemd }:
 
 stdenv.mkDerivation {
   name = "lightum-2014-06-07";
@@ -14,7 +14,7 @@ stdenv.mkDerivation {
     libX11
     libXScrnSaver
     libXext
-    pkgconfig
+    pkg-config
     systemd
   ];
 
@@ -31,8 +31,8 @@ stdenv.mkDerivation {
   meta = {
     description = "MacBook automatic light sensor daemon";
     homepage = "https://github.com/poliva/lightum";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = with stdenv.lib.maintainers; [ puffnfresh ];
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ puffnfresh ];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/linuxptp/default.nix b/pkgs/os-specific/linux/linuxptp/default.nix
index 79048064ecc..4c14d2ecae3 100644
--- a/pkgs/os-specific/linux/linuxptp/default.nix
+++ b/pkgs/os-specific/linux/linuxptp/default.nix
@@ -1,13 +1,13 @@
-{ stdenv, fetchurl, linuxHeaders } :
+{ lib, stdenv, fetchurl, linuxHeaders } :
 
 
 stdenv.mkDerivation rec {
   pname = "linuxptp";
-  version = "3.0";
+  version = "3.1.1";
 
   src = fetchurl {
     url = "mirror://sourceforge/linuxptp/${pname}-${version}.tgz";
-    sha256 = "11aps4bc0maihldlb2d0yh2fnj6x4vwjad337kszyny74akyqk6p";
+    sha256 = "1nf0w4xyzg884v8blb81zkk6q8p6zbiq9lx61jdqwbbzkdgqbmll";
   };
 
   postPatch = ''
@@ -23,11 +23,11 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux";
     homepage = "http://linuxptp.sourceforge.net/";
     maintainers = [ maintainers.markuskowa ];
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/lksctp-tools/default.nix b/pkgs/os-specific/linux/lksctp-tools/default.nix
index bef74cd33ba..8bbd3ab7f42 100644
--- a/pkgs/os-specific/linux/lksctp-tools/default.nix
+++ b/pkgs/os-specific/linux/lksctp-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "lksctp-tools-1.0.17";
@@ -8,8 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "05da6c2v3acc18ndvmkrag6x5lf914b7s0xkkr6wkvrbvd621sqs";
   };
 
-  meta = with stdenv.lib; {
-    description = "Linux Kernel Stream Control Transmission Protocol Tools.";
+  meta = with lib; {
+    description = "Linux Kernel Stream Control Transmission Protocol Tools";
     homepage = "http://lksctp.sourceforge.net/";
     license = with licenses; [ gpl2 lgpl21 ]; # library is lgpl21
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/lm-sensors/default.nix b/pkgs/os-specific/linux/lm-sensors/default.nix
index 82ac626d7c9..21324a5d6ce 100644
--- a/pkgs/os-specific/linux/lm-sensors/default.nix
+++ b/pkgs/os-specific/linux/lm-sensors/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchzip, bison, flex, which, perl
+{ lib, stdenv, fetchzip, bison, flex, which, perl
 , sensord ? false, rrdtool ? null
 }:
 
@@ -7,7 +7,7 @@ assert sensord -> rrdtool != null;
 stdenv.mkDerivation rec {
   pname = "lm-sensors";
   version = "3.6.0";
-  dashedVersion = stdenv.lib.replaceStrings ["."] ["-"] version;
+  dashedVersion = lib.replaceStrings ["."] ["-"] version;
 
   src = fetchzip {
     url = "https://github.com/lm-sensors/lm-sensors/archive/V${dashedVersion}.tar.gz";
@@ -16,16 +16,25 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ bison flex which ];
   buildInputs = [ perl ]
-   ++ stdenv.lib.optional sensord rrdtool;
+   ++ lib.optional sensord rrdtool;
 
-  makeFlags = [ "PREFIX=${placeholder "out"}" "ETCDIR=${placeholder "out"}/etc" ]
-    ++ stdenv.lib.optional sensord "PROG_EXTRA=sensord";
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "AR=${stdenv.cc.targetPrefix}ar"
+  ] ++ lib.optional sensord "PROG_EXTRA=sensord";
 
-  meta = with stdenv.lib; {
+  installFlags = [
+    "ETCDIR=${placeholder "out"}/etc"
+  ];
+
+  meta = with lib; {
     homepage = "https://hwmon.wiki.kernel.org/lm_sensors";
     changelog = "https://raw.githubusercontent.com/lm-sensors/lm-sensors/V${dashedVersion}/CHANGES";
     description = "Tools for reading hardware sensors";
     license = with licenses; [ lgpl21Plus gpl2Plus ];
+    maintainers = with maintainers; [ pengmeiyu ];
     platforms = platforms.linux;
+    mainProgram = "sensors";
   };
 }
diff --git a/pkgs/os-specific/linux/lockdep/default.nix b/pkgs/os-specific/linux/lockdep/default.nix
index 74abd12868d..190941b1633 100644
--- a/pkgs/os-specific/linux/lockdep/default.nix
+++ b/pkgs/os-specific/linux/lockdep/default.nix
@@ -1,16 +1,47 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl, bash, flex, bison, valgrind }:
 
 stdenv.mkDerivation rec {
   pname = "lockdep";
-  version = "4.1.2";
-  fullver = "4.1.2";
 
+  # it would be nice to be able to pick a kernel version in sync with something
+  # else we already ship, but it seems userspace lockdep isn't very well maintained
+  # and appears broken in many kernel releases
+  version = "5.0.21";
+  fullver = "5.0.21";
   src = fetchurl {
-    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1mdyjhnzhh254cblahqmpsk226z006z6sm9dmwvg6jlhpsw4cjhy";
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "1my2m9hvnvdrvzcg0fgqgaga59y2cd5zlpv7xrfj2nn98sjhglwq";
   };
 
-  preConfigure = "cd tools/lib/lockdep";
+  # ensure *this* kernel's userspace-headers are picked up before we
+  # fall back to those in glibc, as they will be from a mismatched
+  # kernel version
+  postPatch = ''
+    substituteInPlace tools/lib/lockdep/Makefile \
+      --replace 'CONFIG_INCLUDES =' $'CONFIG_INCLUDES = -I../../../usr/include\n#'
+  '';
+
+  nativeBuildInputs = [ flex bison ];
+
+  buildPhase = ''
+    make defconfig
+    make headers_install
+    cd tools/lib/lockdep
+    make
+  '';
+
+  doCheck = true;
+  checkInputs = [ valgrind ];
+  checkPhase = ''
+    # there are more /bin/bash references than just shebangs
+    for f in lockdep run_tests.sh tests/*.sh; do
+      substituteInPlace $f \
+        --replace '/bin/bash' '${bash}/bin/bash'
+    done
+
+    ./run_tests.sh
+  '';
+
   installPhase = ''
     mkdir -p $out/bin $out/lib $out/include
 
@@ -23,8 +54,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Userspace locking validation tool built on the Linux kernel";
     homepage    = "https://kernel.org/";
-    license     = stdenv.lib.licenses.gpl2;
-    platforms   = stdenv.lib.platforms.linux;
-    maintainers = [ stdenv.lib.maintainers.thoughtpolice ];
+    license     = lib.licenses.gpl2;
+    platforms   = lib.platforms.linux;
+    maintainers = [ lib.maintainers.thoughtpolice ];
   };
 }
diff --git a/pkgs/os-specific/linux/logitech-udev-rules/default.nix b/pkgs/os-specific/linux/logitech-udev-rules/default.nix
index 369f412fbfc..0b0e9e8f203 100644
--- a/pkgs/os-specific/linux/logitech-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/logitech-udev-rules/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, solaar }:
+{ lib, stdenv, solaar }:
 
 # ltunifi and solaar both provide udev rules but solaar's rules are more
 # up-to-date so we simply use that instead of having to maintain our own rules
@@ -8,10 +8,10 @@ stdenv.mkDerivation {
   inherit (solaar) version;
 
   buildCommand = ''
-    install -Dm644 -t $out/etc/udev/rules.d ${solaar.src}/rules.d/*.rules
+    install -Dm444 -t $out/etc/udev/rules.d ${solaar.src}/rules.d/*.rules
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "udev rules for Logitech devices";
     inherit (solaar.meta) homepage license platforms;
     maintainers = with maintainers; [ peterhoeg ];
diff --git a/pkgs/os-specific/linux/lsiutil/default.nix b/pkgs/os-specific/linux/lsiutil/default.nix
index da45e202c02..f88cdcda523 100644
--- a/pkgs/os-specific/linux/lsiutil/default.nix
+++ b/pkgs/os-specific/linux/lsiutil/default.nix
@@ -1,41 +1,44 @@
-{ stdenv, fetchurl, unzip }:
+{ lib
+, stdenv
+, fetchurl
+, kmod
+, coreutils
+}:
 
-let
-
-  version = "1.60";
+stdenv.mkDerivation rec {
+  pname = "lsiutil";
+  version = "1.72";
 
   src = fetchurl {
-    name = "lsiutil-${version}.zip";
-    url = "http://www.lsi.com/DistributionSystem/AssetDocument/support/downloads/hbas/fibre_channel/hardware_drivers/LSIUtil%20Kit_${version}.zip";
-    sha256 = "1d4337faa56e24f7d98db87b9de94d6e2c17ab671f4e301b93833eea08b9e426";
-  };  
-
-in
-
-stdenv.mkDerivation {
-  pname = "lsiutils";
-  inherit version;
-  
-  srcs = [ src "Source/lsiutil.tar.gz" ];
-
-  buildInputs = [ unzip ];
-
-  sourceRoot = "lsiutil";
-
-  preBuild =
-    ''
-      mkdir -p $out/bin
-      substituteInPlace Makefile --replace /usr/bin $out/bin
-      substituteInPlace lsiutil.c \
-        --replace /sbin/modprobe modprobe \
-        --replace /bin/mknod $(type -P mknod)
-    '';
-
-  installPhase = "true";
-  
-  meta = {
-    homepage = "http://www.lsi.com/";
-    description = "LSI Logic Fusion MPT command line management tool";
-    license = stdenv.lib.licenses.unfree;
+    url = "https://github.com/exactassembly/meta-xa-stm/raw/f96cf6e13f3c9c980f5651510dd96279b9b2af4f/recipes-support/lsiutil/files/lsiutil-${version}.tar.gz";
+    sha256 = "sha256-aTi+EogY1aDWYq3anjRkjz1mzINVfUPQbOPHthxrvS4=";
+  };
+
+  buildPhase = ''
+    runHook preBuild
+
+    substituteInPlace lsiutil.c \
+      --replace /sbin/modprobe "${kmod}/bin/modprobe" \
+      --replace /bin/mknod "${coreutils}/bin/mknod"
+    gcc -Wall -O lsiutil.c -o lsiutil
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p "$out/bin"
+    install -Dm755 lsiutil "$out/bin/lsiutil"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/exactassembly/meta-xa-stm/tree/master/recipes-support/lsiutil/files";
+    description = "Configuration utility for MPT adapters (FC, SCSI, and SAS/SATA)";
+    license = licenses.unfree;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ Luflosi ];
   };
 }
diff --git a/pkgs/os-specific/linux/lsscsi/default.nix b/pkgs/os-specific/linux/lsscsi/default.nix
index 57778357d00..6286735b758 100644
--- a/pkgs/os-specific/linux/lsscsi/default.nix
+++ b/pkgs/os-specific/linux/lsscsi/default.nix
@@ -1,18 +1,18 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation {
-  name = "lsscsi-0.31";
+  name = "lsscsi-0.32";
 
   src = fetchurl {
-    url = "http://sg.danny.cz/scsi/lsscsi-0.31.tgz";
-    sha256 = "1jpk15y9vqjb1lcj4pdzygpg0jf0lja7azjldpywc0s805rikgqj";
+    url = "http://sg.danny.cz/scsi/lsscsi-0.32.tgz";
+    sha256 = "sha256-CoAOnpTcoqtwLWXXJ3eujK4Hjj100Ly+1kughJ6AKaE=";
   };
 
   preConfigure = ''
     substituteInPlace Makefile.in --replace /usr "$out"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     license = licenses.gpl2;
     platforms = platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix
index 30d4a29b166..7f4036c775f 100644
--- a/pkgs/os-specific/linux/lttng-modules/default.nix
+++ b/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -1,13 +1,12 @@
-{ stdenv, fetchurl, kernel }:
+{ lib, stdenv, fetchurl, kernel }:
 
 stdenv.mkDerivation rec {
-  pname = "lttng-modules-${version}";
-  name = "${pname}-${kernel.version}";
-  version = "2.10.5";
+  pname = "lttng-modules-${kernel.version}";
+  version = "2.12.6";
 
   src = fetchurl {
     url = "https://lttng.org/files/lttng-modules/lttng-modules-${version}.tar.bz2";
-    sha256 = "07rs01zwr4bmjamplix5qz1c6mb6wdawb68vyn0w6wx68ppbpnxq";
+    sha256 = "sha256-lawqLPkthdI/+9rKah7A18FnIR0eD7hQq5AASj9HXqo=";
   };
 
   buildInputs = kernel.moduleBuildDependencies;
@@ -25,14 +24,11 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux kernel modules for LTTng tracing";
     homepage = "https://lttng.org/";
-    license = with licenses; [ lgpl21 gpl2 mit ];
+    license = with licenses; [ lgpl21Only gpl2Only mit ];
     platforms = platforms.linux;
     maintainers = [ maintainers.bjornfor ];
-    broken = builtins.compareVersions kernel.version "3.18" == -1
-      || builtins.compareVersions kernel.version "4.16" == 1;
   };
-
 }
diff --git a/pkgs/os-specific/linux/lvm2/default.nix b/pkgs/os-specific/linux/lvm2/default.nix
index 7bbd1768c04..d822ceed714 100644
--- a/pkgs/os-specific/linux/lvm2/default.nix
+++ b/pkgs/os-specific/linux/lvm2/default.nix
@@ -1,8 +1,8 @@
-{ stdenv
+{ lib, stdenv
 , fetchpatch
 , fetchurl
-, pkgconfig
-, utillinux
+, pkg-config
+, util-linux
 , libuuid
 , thin-provisioning-tools, libaio
 , enableCmdlib ? false
@@ -15,15 +15,15 @@
 assert enableDmeventd -> enableCmdlib;
 
 stdenv.mkDerivation rec {
-  pname = "lvm2" + stdenv.lib.optionalString enableDmeventd "with-dmeventd";
-  version = "2.03.10";
+  pname = "lvm2" + lib.optionalString enableDmeventd "with-dmeventd";
+  version = "2.03.12";
 
   src = fetchurl {
     url = "https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz";
-    sha256 = "1l0fkn9abrgk5mfn6jfh9qhdr86b59l1c5pk6lp8jh0491d69las";
+    sha256 = "1shczwfd0888dchjiaqzd48ampm6f8y0ngsqd99fy4nxlbr5q1vn";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ udev libuuid thin-provisioning-tools libaio ];
 
   configureFlags = [
@@ -32,20 +32,20 @@ stdenv.mkDerivation rec {
     "--with-default-locking-dir=/run/lock/lvm"
     "--with-default-run-dir=/run/lvm"
     "--with-systemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
-  ] ++ stdenv.lib.optionals (!enableCmdlib) [
+  ] ++ lib.optionals (!enableCmdlib) [
     "--bindir=${placeholder "bin"}/bin"
     "--sbindir=${placeholder "bin"}/bin"
     "--libdir=${placeholder "lib"}/lib"
-  ] ++ stdenv.lib.optional enableCmdlib "--enable-cmdlib"
-  ++ stdenv.lib.optionals enableDmeventd [
+  ] ++ lib.optional enableCmdlib "--enable-cmdlib"
+  ++ lib.optionals enableDmeventd [
     "--enable-dmeventd"
     "--with-dmeventd-pidfile=/run/dmeventd/pid"
     "--with-default-dm-run-dir=/run/dmeventd"
-  ] ++ stdenv.lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
     "ac_cv_func_malloc_0_nonnull=yes"
     "ac_cv_func_realloc_0_nonnull=yes"
   ] ++
-  stdenv.lib.optionals (udev != null) [
+  lib.optionals (udev != null) [
     "--enable-udev_rules"
     "--enable-udev_sync"
   ];
@@ -68,7 +68,7 @@ stdenv.mkDerivation rec {
   '';
 
 
-  patches = stdenv.lib.optionals stdenv.hostPlatform.isMusl [
+  patches = lib.optionals stdenv.hostPlatform.isMusl [
     (fetchpatch {
       name = "fix-stdio-usage.patch";
       url = "https://git.alpinelinux.org/aports/plain/main/lvm2/fix-stdio-usage.patch?h=3.7-stable&id=31bd4a8c2dc00ae79a821f6fe0ad2f23e1534f50";
@@ -88,7 +88,7 @@ stdenv.mkDerivation rec {
 
   doCheck = false; # requires root
 
-  makeFlags = stdenv.lib.optionals (udev != null) [
+  makeFlags = lib.optionals (udev != null) [
     "SYSTEMD_GENERATOR_DIR=$(out)/lib/systemd/system-generators"
   ];
 
@@ -96,7 +96,7 @@ stdenv.mkDerivation rec {
   installFlags = [ "OWNER=" "GROUP=" "confdir=$(out)/etc" ];
 
   # Install systemd stuff.
-  installTargets = [ "install" ] ++ stdenv.lib.optionals (udev != null) [
+  installTargets = [ "install" ] ++ lib.optionals (udev != null) [
     "install_systemd_generators"
     "install_systemd_units"
     "install_tmpfiles_configuration"
@@ -107,18 +107,18 @@ stdenv.mkDerivation rec {
     "out"
     "dev"
     "man"
-  ] ++ stdenv.lib.optionals (enableCmdlib != true) [
+  ] ++ lib.optionals (enableCmdlib != true) [
     "bin"
     "lib"
   ];
 
-  postInstall = stdenv.lib.optionalString (enableCmdlib != true) ''
+  postInstall = lib.optionalString (enableCmdlib != true) ''
     moveToOutput lib/libdevmapper.so $lib
   '';
 
   passthru.tests.installer = nixosTests.installer.lvm;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://sourceware.org/lvm2/";
     description = "Tools to support Logical Volume Management (LVM) on Linux";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/lxc/default.nix b/pkgs/os-specific/linux/lxc/default.nix
index 21c1eede9d7..e10af3abf92 100644
--- a/pkgs/os-specific/linux/lxc/default.nix
+++ b/pkgs/os-specific/linux/lxc/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoreconfHook, pkgconfig, perl, docbook2x
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, perl, docbook2x
 , docbook_xml_dtd_45, python3Packages, pam
 
 # Optional Dependencies
@@ -6,18 +6,18 @@
 , libcap ? null, systemd ? null
 }:
 
-with stdenv.lib;
+with lib;
 stdenv.mkDerivation rec {
   pname = "lxc";
-  version = "4.0.4";
+  version = "4.0.10";
 
   src = fetchurl {
     url = "https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz";
-    sha256 = "15frszz5am9bnr8vh1zpg89x0xigcfm19jax0z16cazd42xahr9w";
+    sha256 = "1sgsic9dzj3wv2k5bx2vhcgappivhp1glkqfc2yrgr6jas052351";
   };
 
   nativeBuildInputs = [
-    autoreconfHook pkgconfig perl docbook2x python3Packages.wrapPython
+    autoreconfHook pkg-config perl docbook2x python3Packages.wrapPython
   ];
   buildInputs = [
     pam libapparmor gnutls libselinux libseccomp libcap
diff --git a/pkgs/os-specific/linux/lxcfs/default.nix b/pkgs/os-specific/linux/lxcfs/default.nix
index bcc8614bc6a..3ed80269d3a 100644
--- a/pkgs/os-specific/linux/lxcfs/default.nix
+++ b/pkgs/os-specific/linux/lxcfs/default.nix
@@ -1,23 +1,23 @@
-{ config, stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, help2man, fuse
-, utillinux, makeWrapper
+{ config, lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, help2man, fuse
+, util-linux, makeWrapper
 , enableDebugBuild ? config.lxcfs.enableDebugBuild or false }:
 
-with stdenv.lib;
+with lib;
 stdenv.mkDerivation rec {
   pname = "lxcfs";
-  version = "4.0.5";
+  version = "4.0.9";
 
   src = fetchFromGitHub {
     owner = "lxc";
     repo = "lxcfs";
     rev = "lxcfs-${version}";
-    sha256 = "12mk9hgqzzh1874389lrpvldlp87qxxa1sxzk5zr0d0n1857am5y";
+    sha256 = "0zx58lair8hwi4bxm5h7i8n1j5fcdgw5cr6f4wk9qhks0sr5dip5";
   };
 
-  nativeBuildInputs = [ pkgconfig help2man autoreconfHook ];
-  buildInputs = [ fuse makeWrapper ];
+  nativeBuildInputs = [ pkg-config help2man autoreconfHook makeWrapper ];
+  buildInputs = [ fuse ];
 
-  preConfigure = stdenv.lib.optionalString enableDebugBuild ''
+  preConfigure = lib.optionalString enableDebugBuild ''
     sed -i 's,#AM_CFLAGS += -DDEBUG,AM_CFLAGS += -DDEBUG,' Makefile.am
   '';
 
@@ -30,9 +30,9 @@ stdenv.mkDerivation rec {
   installFlags = [ "SYSTEMD_UNIT_DIR=\${out}/lib/systemd" ];
 
   postInstall = ''
-    # `mount` hook requires access to the `mount` command from `utillinux`:
+    # `mount` hook requires access to the `mount` command from `util-linux`:
     wrapProgram "$out/share/lxcfs/lxc.mount.hook" \
-      --prefix PATH : "${utillinux}/bin"
+      --prefix PATH : "${util-linux}/bin"
   '';
 
   postFixup = ''
diff --git a/pkgs/os-specific/linux/macchanger/default.nix b/pkgs/os-specific/linux/macchanger/default.nix
index 29d2a3914a2..1c516707049 100644
--- a/pkgs/os-specific/linux/macchanger/default.nix
+++ b/pkgs/os-specific/linux/macchanger/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, texinfo }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, texinfo }:
 
 stdenv.mkDerivation rec {
   pname = "macchanger";
@@ -11,15 +11,38 @@ stdenv.mkDerivation rec {
     sha256 = "1hypx6sxhd2b1nsxj314hpkhj7q4x9p2kfaaf20rjkkkig0nck9r";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/02-fix_usage_message.patch";
+      sha256 = "0pxljmq0l0znylbhms09i19qwil74gm8gx3xx2ffx00dajaizj18";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/06-update_OUI_list.patch";
+      sha256 = "04kbd784z9nwkjva5ckkvb0yb3pim9valb1viywn1yyh577d0y7w";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/08-fix_random_MAC_choice.patch";
+      sha256 = "1vz3appxxsdf1imzrn57amazfwlbrvx6g78b6n88aqgwzy5dm34d";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/check-random-device-read-errors.patch";
+      sha256 = "0pra6qnk39crjlidspg3l6hpaqiw43cypahx793l59mqn956cngc";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/verify-changed-MAC.patch";
+      sha256 = "0vjhf2fnj1hlghjl821p6idrfc8hmd4lgps5lf1l68ylqvwjw0zj";
+    })
+  ];
+
   nativeBuildInputs = [ autoreconfHook texinfo ];
 
   outputs = [ "out" "info" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A utility for viewing/manipulating the MAC address of network interfaces";
-    maintainers = with maintainers; [ joachifm ma27 ];
+    maintainers = with maintainers; [ joachifm ma27 dotlambda ];
     license = licenses.gpl2Plus;
-    homepage = "https://www.gnu.org/software/macchanger";
+    homepage = "https://github.com/alobbs/macchanger";
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/mba6x_bl/default.nix b/pkgs/os-specific/linux/mba6x_bl/default.nix
index f48a3dbb62f..441476d5f06 100644
--- a/pkgs/os-specific/linux/mba6x_bl/default.nix
+++ b/pkgs/os-specific/linux/mba6x_bl/default.nix
@@ -1,4 +1,4 @@
-{ fetchFromGitHub, kernel, stdenv }:
+{ fetchFromGitHub, kernel, lib, stdenv }:
 
 stdenv.mkDerivation {
   name = "mba6x_bl-2016-12-08";
@@ -20,7 +20,7 @@ stdenv.mkDerivation {
     "INSTALL_MOD_PATH=$(out)"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "MacBook Air 6,1 and 6,2 (mid 2013) backlight driver";
     homepage = "https://github.com/patjak/mba6x_bl";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix b/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix
new file mode 100644
index 00000000000..070b4a6207e
--- /dev/null
+++ b/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, kernel, fetchFromGitHub, }:
+
+stdenv.mkDerivation rec {
+  pname = "mbp2018-bridge-drv";
+  version = "2020-01-31";
+
+  src = fetchFromGitHub {
+    owner = "MCMrARM";
+    repo = "mbp2018-bridge-drv";
+    rev = "b43fcc069da73e051072fde24af4014c9c487286";
+    sha256 = "sha256-o6yGiR+Y5SnX1johdi7fQWP5ts7HdDMqeju75UOhgik=";
+  };
+
+  buildPhase = ''
+    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \
+      -j$NIX_BUILD_CORES M=$(pwd) modules
+  '';
+
+  installPhase = ''
+    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build  \
+      INSTALL_MOD_PATH=$out M=$(pwd) modules_install
+  '';
+
+  meta = with lib; {
+    description = "A driver for MacBook models 2018 and newer, which makes the keyboard, mouse and audio output work.";
+    longDescription = ''
+      A driver for MacBook models 2018 and newer, implementing the VHCI (required for mouse/keyboard/etc.) and audio functionality.
+    '';
+    homepage = "https://github.com/MCMrARM/mbp2018-bridge-drv";
+    license = lib.licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = [ lib.maintainers.hlolli ];
+    broken = kernel.kernelOlder "5.4";
+  };
+}
diff --git a/pkgs/os-specific/linux/mcelog/default.nix b/pkgs/os-specific/linux/mcelog/default.nix
index 9ead1f6ad4b..b20632be334 100644
--- a/pkgs/os-specific/linux/mcelog/default.nix
+++ b/pkgs/os-specific/linux/mcelog/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub, utillinux }:
+{ lib, stdenv, fetchFromGitHub, util-linux }:
 
 stdenv.mkDerivation rec {
   pname = "mcelog";
-  version = "169";
+  version = "175";
 
   src = fetchFromGitHub {
     owner  = "andikleen";
     repo   = "mcelog";
     rev    = "v${version}";
-    sha256 = "0ghkwfaky026qwj6hmcvz2w2hm8qqj3ysbkxxi603vslmwj56chv";
+    sha256 = "sha256-Xzbck/nRdTR9H5o2XVFlFdNLz2ve65KEcefKAKe0eW8=";
   };
 
   postPatch = ''
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     substituteInPlace Makefile --replace '"unknown"' '"${version}"'
 
     for i in triggers/*; do
-      substituteInPlace $i --replace 'logger' '${utillinux}/bin/logger'
+      substituteInPlace $i --replace 'logger' '${util-linux}/bin/logger'
     done
   '';
 
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
       --replace /usr/sbin $out/bin
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Log x86 machine checks: memory, IO, and CPU hardware errors";
     longDescription = ''
       The mcelog daemon accounts memory and some other errors in various ways
diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix
index 6a71196157b..935ded63709 100644
--- a/pkgs/os-specific/linux/mdadm/default.nix
+++ b/pkgs/os-specific/linux/mdadm/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, utillinux, coreutils, fetchurl, groff, system-sendmail }:
+{ lib, stdenv, util-linux, coreutils, fetchurl, groff, system-sendmail }:
 
 stdenv.mkDerivation rec {
   name = "mdadm-4.1";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     "SYSTEMD_DIR=$(out)/lib/systemd/system"
     "MANDIR=$(out)/share/man" "RUN_DIR=/dev/.mdadm"
     "STRIP="
-  ] ++ stdenv.lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
     "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
   ];
 
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
         -e 's@/usr/sbin/sendmail@${system-sendmail}/bin/sendmail@' -i Makefile
     sed -i \
         -e 's@/usr/bin/basename@${coreutils}/bin/basename@g' \
-        -e 's@BINDIR/blkid@${utillinux}/bin/blkid@g' \
+        -e 's@BINDIR/blkid@${util-linux}/bin/blkid@g' \
         *.rules
   '';
 
@@ -41,7 +41,7 @@ stdenv.mkDerivation rec {
     grep -r $out $out/bin && false || true
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Programs for managing RAID arrays under Linux";
     homepage = "http://neil.brown.name/blog/mdadm";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/mdevd/default.nix b/pkgs/os-specific/linux/mdevd/default.nix
index b88e3ad1e6f..58299ba5e87 100644
--- a/pkgs/os-specific/linux/mdevd/default.nix
+++ b/pkgs/os-specific/linux/mdevd/default.nix
@@ -4,8 +4,8 @@ with skawarePackages;
 
 buildPackage {
   pname = "mdevd";
-  version = "0.1.3.0";
-  sha256 = "0spvw27xxd0m6j8bl8xysmgsx18fl769smr6dsh25s2d5h3sp2dy";
+  version = "0.1.4.0";
+  sha256 = "1lnwk7qa6x7iia0v12i2jckg42ypi35hk3sa7cjm23ngnhiv5lzz";
 
   description = "mdev-compatible Linux hotplug manager daemon";
   platforms = lib.platforms.linux;
diff --git a/pkgs/os-specific/linux/metastore/default.nix b/pkgs/os-specific/linux/metastore/default.nix
index 590b931ac92..c9875297186 100644
--- a/pkgs/os-specific/linux/metastore/default.nix
+++ b/pkgs/os-specific/linux/metastore/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, libbsd, fetchFromGitHub }:
+{ lib, stdenv, libbsd, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   version = "1.1.2";
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ libbsd ];
   installFlags = [ "PREFIX=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Store and restore metadata from a filesystem";
     homepage = "https://software.przemoc.net/#metastore";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/microcode/amd.nix b/pkgs/os-specific/linux/microcode/amd.nix
index a1a37db9dd6..72f413f9cb6 100644
--- a/pkgs/os-specific/linux/microcode/amd.nix
+++ b/pkgs/os-specific/linux/microcode/amd.nix
@@ -1,4 +1,4 @@
-{ stdenv, firmwareLinuxNonfree, libarchive }:
+{ lib, stdenv, firmwareLinuxNonfree, libarchive }:
 
 stdenv.mkDerivation {
   name = "amd-ucode-${firmwareLinuxNonfree.version}";
@@ -20,9 +20,9 @@ stdenv.mkDerivation {
     echo kernel/x86/microcode/AuthenticAMD.bin | bsdcpio -o -H newc -R 0:0 > $out/amd-ucode.img
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "AMD Processor microcode patch";
-    homepage = "http://www.amd64.org/support/microcode.html";
+    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
     license = licenses.unfreeRedistributableFirmware;
     platforms = platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/microcode/intel.nix b/pkgs/os-specific/linux/microcode/intel.nix
index 475288a0b6f..f8bb7c67d8e 100644
--- a/pkgs/os-specific/linux/microcode/intel.nix
+++ b/pkgs/os-specific/linux/microcode/intel.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub, libarchive, iucode-tool }:
+{ lib, stdenv, fetchFromGitHub, libarchive, iucode-tool }:
 
 stdenv.mkDerivation rec {
   pname = "microcode-intel";
-  version = "20200616";
+  version = "20210608";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "Intel-Linux-Processor-Microcode-Data-Files";
     rev = "microcode-${version}";
-    sha256 = "13jrs8hwh7dhjjb9kncb8lk199afaxglkh1cfisl6zca1h36g563";
+    sha256 = "08nk353z2lcqsjbm2qdsfapfgrvlfw0rj7r9scr9pllzkjj5n9x3";
   };
 
   nativeBuildInputs = [ iucode-tool libarchive ];
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.intel.com/";
     description = "Microcode for Intel processors";
     license = licenses.unfreeRedistributableFirmware;
diff --git a/pkgs/os-specific/linux/microcode/iucode-tool.nix b/pkgs/os-specific/linux/microcode/iucode-tool.nix
index 65cb01c84a5..e38dd83e0db 100644
--- a/pkgs/os-specific/linux/microcode/iucode-tool.nix
+++ b/pkgs/os-specific/linux/microcode/iucode-tool.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitLab, autoreconfHook }:
+{ lib, stdenv, fetchFromGitLab, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   pname = "iucode-tool";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Intel® 64 and IA-32 processor microcode tool";
     homepage = "https://gitlab.com/iucode-tool/iucode-tool";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/mingetty/default.nix b/pkgs/os-specific/linux/mingetty/default.nix
index 775910d30d6..8a2cf69dd36 100644
--- a/pkgs/os-specific/linux/mingetty/default.nix
+++ b/pkgs/os-specific/linux/mingetty/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation {
   name = "mingetty-1.08";
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
     makeFlagsArray=(SBINDIR=$out/sbin MANDIR=$out/share/man/man8)
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://sourceforge.net/projects/mingetty";
     license = licenses.gpl2;
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/miraclecast/default.nix b/pkgs/os-specific/linux/miraclecast/default.nix
index d04695ef619..b5efaa40afe 100644
--- a/pkgs/os-specific/linux/miraclecast/default.nix
+++ b/pkgs/os-specific/linux/miraclecast/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, meson, ninja, pkgconfig
+{ lib, stdenv, fetchFromGitHub, meson, ninja, pkg-config
 , glib, readline, pcre, systemd, udev }:
 
 stdenv.mkDerivation {
@@ -12,18 +12,16 @@ stdenv.mkDerivation {
     sha256 = "05afqi33rv7k6pbkkw4mynj6p97vkzhhh13y5nh0yxkyhcgf45pm";
   };
 
-  nativeBuildInputs = [ meson ninja pkgconfig ];
+  nativeBuildInputs = [ meson ninja pkg-config ];
 
   buildInputs = [ glib pcre readline systemd udev ];
 
-  enableParallelBuilding = true;
-
   mesonFlags = [
     "-Drely-udev=true"
     "-Dbuild-tests=true"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Connect external monitors via Wi-Fi";
     homepage    = "https://github.com/albfan/miraclecast";
     license     = licenses.lgpl21Plus;
diff --git a/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix b/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix
index 8a20a2f733a..eeea1d74dca 100644
--- a/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix
+++ b/pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "mkinitcpio-nfs-utils-0.3";
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
     rm -rf $out/usr
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://archlinux.org/";
     description = "ipconfig and nfsmount tools for root on NFS, ported from klibc";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/mmc-utils/default.nix b/pkgs/os-specific/linux/mmc-utils/default.nix
index 61ad327c394..7430182e5d2 100644
--- a/pkgs/os-specific/linux/mmc-utils/default.nix
+++ b/pkgs/os-specific/linux/mmc-utils/default.nix
@@ -1,13 +1,13 @@
-{ stdenv, fetchgit }:
+{ lib, stdenv, fetchgit }:
 
 stdenv.mkDerivation {
   pname = "mmc-utils";
-  version = "2018-12-14";
+  version = "2021-05-11";
 
   src = fetchgit {
     url = "git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc-utils.git";
-    rev = "aef913e31b659462fe6b9320d241676cba97f67b";
-    sha256 = "1mak9rqjp6yvqk2h5hfil5a9gfx138h62n3cryckfbhr6fmaylm7";
+    rev = "43282e80e174cc73b09b81a4d17cb3a7b4dc5cfc";
+    sha256 = "0l06ahmprqshh75pkdpagb8fgnp2bwn8q8hwp1yl3laww2ghm8i5";
   };
 
   makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" ];
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
     cp man/mmc.1 $out/share/man/man1/
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Configure MMC storage devices from userspace";
     homepage = "http://git.kernel.org/cgit/linux/kernel/git/cjb/mmc-utils.git/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/molly-guard/default.nix b/pkgs/os-specific/linux/molly-guard/default.nix
index c9bdff9de3e..de396e4f5c7 100644
--- a/pkgs/os-specific/linux/molly-guard/default.nix
+++ b/pkgs/os-specific/linux/molly-guard/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, dpkg, busybox, systemd }:
+{ lib, stdenv, fetchurl, dpkg, busybox, systemd }:
 
 stdenv.mkDerivation rec {
   pname = "molly-guard";
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
     done;
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Attempts to prevent you from accidentally shutting down or rebooting machines";
     homepage    = "https://salsa.debian.org/debian/molly-guard";
     license     = licenses.artistic2;
diff --git a/pkgs/os-specific/linux/msr-tools/default.nix b/pkgs/os-specific/linux/msr-tools/default.nix
index f7b81bd3915..1e6a55a4d65 100644
--- a/pkgs/os-specific/linux/msr-tools/default.nix
+++ b/pkgs/os-specific/linux/msr-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, unzip }:
+{ lib, stdenv, fetchurl, unzip }:
 
 stdenv.mkDerivation rec {
   pname = "msr-tools";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "07hxmddg0l31kjfmaq84ni142lbbvgq6391r8bd79wpm819pnigr";
   };
 
-  buildInputs = [ unzip ];
+  nativeBuildInputs = [ unzip ];
 
   preInstall = ''
     mkdir -p $out/bin
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
       --replace /usr/sbin $out/bin
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tool to read/write from/to MSR CPU registers on Linux";
     license = licenses.gpl2;
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/mstpd/default.nix b/pkgs/os-specific/linux/mstpd/default.nix
index 4a7c6282d4c..389acdf91e6 100644
--- a/pkgs/os-specific/linux/mstpd/default.nix
+++ b/pkgs/os-specific/linux/mstpd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, fetchpatch, autoreconfHook }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   pname = "mstpd";
@@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
     "--libexecdir=$(out)/lib"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Multiple Spanning Tree Protocol daemon";
     homepage = "https://github.com/mstpd/mstpd";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix
index 02853f6497f..24149805723 100644
--- a/pkgs/os-specific/linux/multipath-tools/default.nix
+++ b/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, perl, lvm2, libaio, gzip, readline, systemd, liburcu, json_c }:
+{ lib, stdenv, fetchurl, pkg-config, perl, lvm2, libaio, gzip, readline, systemd, liburcu, json_c, kmod }:
 
 stdenv.mkDerivation rec {
   pname = "multipath-tools";
@@ -16,7 +16,13 @@ stdenv.mkDerivation rec {
   ];
 
   postPatch = ''
-    substituteInPlace libmultipath/Makefile --replace /usr/include/libdevmapper.h ${stdenv.lib.getDev lvm2}/include/libdevmapper.h
+    substituteInPlace libmultipath/Makefile \
+      --replace /usr/include/libdevmapper.h ${lib.getDev lvm2}/include/libdevmapper.h
+
+    substituteInPlace multipathd/multipathd.service \
+      --replace /sbin/modprobe ${lib.getBin kmod}/sbin/modprobe \
+      --replace /sbin/multipathd "$out/bin/multipathd"
+
     sed -i -re '
       s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'",
     ' libmultipath/defaults.h
@@ -26,7 +32,7 @@ stdenv.mkDerivation rec {
       $(find * -name Makefile\*)
   '';
 
-  nativeBuildInputs = [ gzip pkgconfig perl ];
+  nativeBuildInputs = [ gzip pkg-config perl ];
   buildInputs = [ systemd lvm2 libaio readline liburcu json_c ];
 
   makeFlags = [
@@ -38,7 +44,7 @@ stdenv.mkDerivation rec {
     "SYSTEMDPATH=lib"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tools for the Linux multipathing driver";
     homepage = "http://christophe.varoqui.free.fr/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/musl-fts/default.nix b/pkgs/os-specific/linux/musl-fts/default.nix
new file mode 100644
index 00000000000..cdb1cca47c6
--- /dev/null
+++ b/pkgs/os-specific/linux/musl-fts/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "musl-fts";
+  version = "1.2.7";
+
+  src = fetchFromGitHub {
+    owner = "void-linux";
+    repo = "musl-fts";
+    rev = "v${version}";
+    sha256 = "Azw5qrz6OKDcpYydE6jXzVxSM5A8oYWAztrHr+O/DOE=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/void-linux/musl-fts";
+    description = "An implementation of fts(3) for musl-libc";
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+    maintainers = [ maintainers.pjjw ];
+  };
+}
diff --git a/pkgs/os-specific/linux/musl-obstack/default.nix b/pkgs/os-specific/linux/musl-obstack/default.nix
new file mode 100644
index 00000000000..f7682d37efd
--- /dev/null
+++ b/pkgs/os-specific/linux/musl-obstack/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "musl-obstack";
+  version = "1.2.2";
+
+  src = fetchFromGitHub {
+    owner = "void-linux";
+    repo = "musl-obstack";
+    rev = "v${version}";
+    sha256 = "v0RTnrqAmJfOeGsJFc04lqFR8QZhYiLyvy8oRYiuC80=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/void-linux/musl-obstack";
+    description =
+      "An extraction of the obstack functions and macros from GNU libiberty for use with musl-libc";
+    platforms = platforms.linux;
+    license = licenses.lgpl21Plus;
+    maintainers = [ maintainers.pjjw ];
+  };
+}
diff --git a/pkgs/os-specific/linux/musl/default.nix b/pkgs/os-specific/linux/musl/default.nix
index 67d08454a84..ae175a36324 100644
--- a/pkgs/os-specific/linux/musl/default.nix
+++ b/pkgs/os-specific/linux/musl/default.nix
@@ -16,6 +16,11 @@ let
     sha256 = "14igk6k00bnpfw660qhswagyhvr0gfqg4q55dxvaaq7ikfkrir71";
   };
 
+  stack_chk_fail_local_c = fetchurl {
+    url = "https://git.alpinelinux.org/aports/plain/main/musl/__stack_chk_fail_local.c?h=3.10-stable";
+    sha256 = "1nhkzzy9pklgjcq2yg89d3l18jif331srd3z3vhy5qwxl1spv6i9";
+  };
+
   # iconv tool, implemented by musl author.
   # Original: http://git.etalabs.net/cgit/noxcuse/plain/src/iconv.c?id=02d288d89683e99fd18fe9f54d4e731a6c474a4f
   # We use copy from Alpine which fixes error messages, see:
@@ -35,11 +40,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "musl";
-  version = "1.2.0";
+  version = "1.2.2";
 
   src = fetchurl {
-    url    = "https://www.musl-libc.org/releases/${pname}-${version}.tar.gz";
-    sha256 = "1s6lix02k1ijm4nmhzpmwzk5w6xfkhn70nvvk8zjs51r24cpppn6";
+    url    = "https://musl.libc.org/releases/${pname}-${version}.tar.gz";
+    sha256 = "1p8r6bac64y98ln0wzmnixysckq3crca69ys7p16sy9d04i975lv";
   };
 
   enableParallelBuilding = true;
@@ -81,6 +86,16 @@ stdenv.mkDerivation rec {
 
   NIX_DONT_SET_RPATH = true;
 
+  preBuild = ''
+    ${if (stdenv.targetPlatform.libc == "musl" && stdenv.targetPlatform.isx86_32) then
+    "# the -x c flag is required since the file extension confuses gcc
+    # that detect the file as a linker script.
+    $CC -x c -c ${stack_chk_fail_local_c} -o __stack_chk_fail_local.o
+    $AR r libssp_nonshared.a __stack_chk_fail_local.o"
+      else ""
+    }
+  '';
+
   postInstall = ''
     # Not sure why, but link in all but scsi directory as that's what uclibc/glibc do.
     # Apparently glibc provides scsi itself?
@@ -90,6 +105,13 @@ stdenv.mkDerivation rec {
     $STRIP -S $out/lib/libc.a
     mkdir -p $out/bin
 
+
+    ${if (stdenv.targetPlatform.libc == "musl" && stdenv.targetPlatform.isx86_32) then
+      "install -D libssp_nonshared.a $out/lib/libssp_nonshared.a
+      $STRIP -S $out/lib/libssp_nonshared.a"
+      else ""
+    }
+
     # Create 'ldd' symlink, builtin
     ln -rs $out/lib/libc.so $out/bin/ldd
 
@@ -121,7 +143,8 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     description = "An efficient, small, quality libc implementation";
-    homepage    = "http://www.musl-libc.org";
+    homepage    = "https://musl.libc.org/";
+    changelog   = "https://git.musl-libc.org/cgit/musl/tree/WHATSNEW?h=v${version}";
     license     = licenses.mit;
     platforms   = platforms.linux;
     maintainers = with maintainers; [ thoughtpolice dtzWill ];
diff --git a/pkgs/os-specific/linux/mwprocapture/default.nix b/pkgs/os-specific/linux/mwprocapture/default.nix
index c5f293011db..ca5b82b8785 100644
--- a/pkgs/os-specific/linux/mwprocapture/default.nix
+++ b/pkgs/os-specific/linux/mwprocapture/default.nix
@@ -1,28 +1,25 @@
-{ stdenv, fetchurl, kernel, alsaLib }:
+{ lib, stdenv, fetchurl, kernel, alsa-lib }:
 
-with stdenv.lib;
-
-# The Magewell Pro Capture drivers are not supported for kernels older than 3.2
-assert versionAtLeast kernel.version "3.2.0";
+with lib;
 
 let
   bits =
   if stdenv.is64bit then "64"
   else "32";
 
-  libpath = makeLibraryPath [ stdenv.cc.cc stdenv.glibc alsaLib ];
+  libpath = makeLibraryPath [ stdenv.cc.cc stdenv.glibc alsa-lib ];
 
 in
 stdenv.mkDerivation rec {
-  name = "mwprocapture-1.2.${version}-${kernel.version}";
-  version = "4177";
+  name = "mwprocapture-1.3.0.${version}-${kernel.version}";
+  version = "4236";
 
   src = fetchurl {
-    url = "http://www.magewell.com/files/drivers/ProCaptureForLinux_${version}.tar.gz";
-    sha256 = "1nf51w9yixpvr767k49sfdb9n9rv5qc72f5yki1mkghbmabw7vys";
+    url = "https://www.magewell.com/files/drivers/ProCaptureForLinux_${version}.tar.gz";
+    sha256 = "1mfgj84km276sq5i8dny1vqp2ycqpvgplrmpbqwnk230d0w3qs74";
   };
 
-  nativeBuildInputs = [ kernel.moduleBuildDependencies ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
 
   preConfigure =
   ''
@@ -63,5 +60,6 @@ stdenv.mkDerivation rec {
     license = licenses.unfreeRedistributable;
     maintainers = with maintainers; [ MP2E ];
     platforms = platforms.linux;
+    broken = kernel.kernelOlder "3.2.0";
   };
 }
diff --git a/pkgs/os-specific/linux/mxu11x0/default.nix b/pkgs/os-specific/linux/mxu11x0/default.nix
index ab0b927f1bd..3498625be75 100644
--- a/pkgs/os-specific/linux/mxu11x0/default.nix
+++ b/pkgs/os-specific/linux/mxu11x0/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, kernel }:
+{ lib, stdenv, fetchurl, kernel }:
 
 stdenv.mkDerivation {
   name = "mxu11x0-1.4-${kernel.version}";
@@ -14,7 +14,7 @@ stdenv.mkDerivation {
     sed -i -e 's|/lib/modules|${kernel.dev}/lib/modules|' driver/mxconf
     sed -i -e 's|/lib/modules|${kernel.dev}/lib/modules|' driver/Makefile
   '';
-  
+
   installPhase = ''
     install -v -D -m 644 ./driver/mxu11x0.ko "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/usb/serial/mxu11x0.ko"
     install -v -D -m 644 ./driver/mxu11x0.ko "$out/lib/modules/${kernel.modDirVersion}/misc/mxu11x0.ko"
@@ -26,11 +26,12 @@ stdenv.mkDerivation {
 
   hardeningDisable = [ "pic" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "MOXA UPort 11x0 USB to Serial Hub driver";
     homepage = "https://www.moxa.com/en/products/industrial-edge-connectivity/usb-to-serial-converters-usb-hubs/usb-to-serial-converters/uport-1000-series";
     license = licenses.gpl2Plus;
     maintainers = with maintainers; [ uralbash ];
     platforms = platforms.linux;
+    broken = kernel.kernelAtLeast "5.4";
   };
 }
diff --git a/pkgs/os-specific/linux/ndiswrapper/default.nix b/pkgs/os-specific/linux/ndiswrapper/default.nix
index 34c77bc3e6a..2db046e6392 100644
--- a/pkgs/os-specific/linux/ndiswrapper/default.nix
+++ b/pkgs/os-specific/linux/ndiswrapper/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, kernel, perl, kmod, libelf }:
+{ lib, stdenv, fetchurl, kernel, perl, kmod, libelf }:
 let
-  version = "1.62-pre";
+  version = "1.63";
 in
 stdenv.mkDerivation {
   name = "ndiswrapper-${version}-${kernel.version}";
@@ -14,7 +14,6 @@ stdenv.mkDerivation {
   kernel = kernel.dev;
 
   buildPhase = "
-    cd ndiswrapper
     echo make KBUILD=$(echo \$kernel/lib/modules/*/build);
     echo -n $kernel/lib/modules/*/build > kbuild_path
     export PATH=${kmod}/sbin:$PATH
@@ -30,12 +29,9 @@ stdenv.mkDerivation {
     patchShebangs $out/sbin
   '';
 
-  # should we use unstable?
-  src = fetchFromGitHub {
-    owner = "pgiri";
-    repo = "ndiswrapper";
-    rev = "5e29f6a9d41df949b435066c173e3b1947f179d3";
-    sha256 = "0sprrmxxkf170bmh1nz9xw00gs89dddr84djlf666bn5bhy6jffi";
+  src = fetchurl {
+    url = "mirror://sourceforge/ndiswrapper/files/stable/ndiswrapper-${version}.tar.gz";
+    sha256 = "1v6b66jhisl110jfl00hm43lmnrav32vs39d85gcbxrjqnmcx08g";
   };
 
   buildInputs = [ perl libelf ];
@@ -45,5 +41,6 @@ stdenv.mkDerivation {
     homepage = "https://sourceforge.net/projects/ndiswrapper";
     license = "GPL";
     platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = lib.versionAtLeast kernel.version "5.8";
   };
 }
diff --git a/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch b/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch
index 34965540d24..373965fb085 100644
--- a/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch
+++ b/pkgs/os-specific/linux/ndiswrapper/no-sbin.patch
@@ -1,7 +1,5 @@
-diff --git a/ndiswrapper/driver/Makefile b/ndiswrapper/driver/Makefile
-index bf42f7bc..ad23aa2d 100644
---- a/ndiswrapper/driver/Makefile
-+++ b/ndiswrapper/driver/Makefile
+--- a/driver/Makefile
++++ b/driver/Makefile
 @@ -191,7 +191,7 @@ clean:
  	rm -rf .tmp_versions
  
diff --git a/pkgs/os-specific/linux/net-tools/default.nix b/pkgs/os-specific/linux/net-tools/default.nix
index 9095b652b42..c9410c27df9 100644
--- a/pkgs/os-specific/linux/net-tools/default.nix
+++ b/pkgs/os-specific/linux/net-tools/default.nix
@@ -1,12 +1,12 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "net-tools";
-  version = "1.60_p20180626073013";
+  version = "2.10";
 
   src = fetchurl {
     url = "mirror://gentoo/distfiles/${pname}-${version}.tar.xz";
-    sha256 = "0mzsjjmz5kn676w2glmxwwd8bj0xy9dhhn21aplb435b767045q4";
+    sha256 = "sha256-smJDWlJB6Jv6UcPKvVEzdTlS96e3uT8y4Iy52W9YDWk=";
   };
 
   preBuild =
@@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "http://net-tools.sourceforge.net/";
     description = "A set of tools for controlling the network subsystem in Linux";
-    license = stdenv.lib.licenses.gpl2Plus;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/net-tools/mptcp.nix b/pkgs/os-specific/linux/net-tools/mptcp.nix
index 6e798e6807d..577b7c25311 100644
--- a/pkgs/os-specific/linux/net-tools/mptcp.nix
+++ b/pkgs/os-specific/linux/net-tools/mptcp.nix
@@ -1,4 +1,4 @@
-{ stdenv, nettools, fetchFromGitHub  }:
+{ lib, nettools, fetchFromGitHub  }:
 
 nettools.overrideAttrs(oa: rec {
   name = "net-tools-mptcp";
@@ -11,7 +11,7 @@ nettools.overrideAttrs(oa: rec {
     sha256 = "0i7gr1y699nc7j9qllsx8kicqkpkhw51x4chcmyl5xs06b2mdjri";
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/multipath-tcp/net-tools";
     description = "A set of tools for controlling the network subsystem in Linux";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix
index 93bb1316d20..28f989929a4 100644
--- a/pkgs/os-specific/linux/netatop/default.nix
+++ b/pkgs/os-specific/linux/netatop/default.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchurl, kernel, zlib }:
+{ lib, stdenv, fetchurl, kernel, kmod, zlib }:
 
 let
-  version = "2.0";
+  version = "3.1";
 in
 
 stdenv.mkDerivation {
@@ -9,13 +9,19 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "http://www.atoptool.nl/download/netatop-${version}.tar.gz";
-    sha256 = "03n248p1l3ps7gj2hdlcbrb1fsw1zcmgzypj4j4l4rynjjh7qvf6";
+    sha256 = "0qjw8glfdmngfvbn1w63q128vxdz2jlabw13y140ga9i5ibl6vvk";
   };
 
-  buildInputs = [ zlib ];
+  buildInputs = [ kmod zlib ];
 
   hardeningDisable = [ "pic" ];
 
+  patches = [
+    # fix paths in netatop.service
+    ./fix-paths.patch
+    # Specify PIDFile in /run, not /var/run to silence systemd warning
+    ./netatop.service.patch
+  ];
   preConfigure = ''
     patchShebangs mkversion
     sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \
@@ -24,19 +30,22 @@ stdenv.mkDerivation {
         -e s,/usr,$out, \
         -e /init.d/d \
         -e /depmod/d \
+        -e s,/lib/systemd,$out/lib/systemd, \
         Makefile
+
+    kmod=${kmod} substituteAllInPlace netatop.service
   '';
 
   preInstall = ''
-    mkdir -p $out/bin $out/sbin $out/share/man/man{4,8}
+    mkdir -p $out/lib/systemd/system $out/bin $out/sbin $out/share/man/man{4,8}
     mkdir -p $out/lib/modules/${kernel.modDirVersion}/extra
   '';
 
   meta = {
     description = "Network monitoring module for atop";
     homepage = "https://www.atoptool.nl/downloadnetatop.php";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = with stdenv.lib.maintainers; [viric];
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ viric ];
   };
 }
diff --git a/pkgs/os-specific/linux/netatop/fix-paths.patch b/pkgs/os-specific/linux/netatop/fix-paths.patch
new file mode 100644
index 00000000000..0e71c4efdd3
--- /dev/null
+++ b/pkgs/os-specific/linux/netatop/fix-paths.patch
@@ -0,0 +1,11 @@
+--- a/netatop.service
++++ b/netatop.service
+@@ -8,5 +8,5 @@
+ Type=oneshot
+-ExecStartPre=/sbin/modprobe netatop
+-ExecStart=/usr/sbin/netatopd
+-ExecStopPost=/sbin/rmmod netatop
++ExecStartPre=@kmod@/bin/modprobe netatop
++ExecStart=@out@/bin/netatopd
++ExecStopPost=@kmod@/bin/rmmod netatop
+ PIDFile=/var/run/netatop.pid
diff --git a/pkgs/os-specific/linux/netatop/netatop.service.patch b/pkgs/os-specific/linux/netatop/netatop.service.patch
new file mode 100644
index 00000000000..c7c798ee06b
--- /dev/null
+++ b/pkgs/os-specific/linux/netatop/netatop.service.patch
@@ -0,0 +1,7 @@
+--- a/netatop.service
++++ b/netatop.service
+@@ -11,3 +11,3 @@
+ ExecStopPost=@kmod@/bin/rmmod netatop
+-PIDFile=/var/run/netatop.pid
++PIDFile=/run/netatop.pid
+ RemainAfterExit=yes
diff --git a/pkgs/os-specific/linux/nfs-utils/default.nix b/pkgs/os-specific/linux/nfs-utils/default.nix
index 719ded4d70f..7b5f6e72001 100644
--- a/pkgs/os-specific/linux/nfs-utils/default.nix
+++ b/pkgs/os-specific/linux/nfs-utils/default.nix
@@ -1,31 +1,31 @@
-{ stdenv, fetchurl, fetchpatch, lib, pkgconfig, utillinux, libcap, libtirpc, libevent
-, sqlite, kerberos, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers
-, python3, buildPackages, nixosTests
+{ stdenv, fetchurl, fetchpatch, lib, pkg-config, util-linux, libcap, libtirpc, libevent
+, sqlite, libkrb5, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers
+, python3, buildPackages, nixosTests, rpcsvc-proto
 , enablePython ? true
 }:
 
 let
-  statdPath = lib.makeBinPath [ systemd utillinux coreutils ];
+  statdPath = lib.makeBinPath [ systemd util-linux coreutils ];
 in
 
 stdenv.mkDerivation rec {
   pname = "nfs-utils";
-  version = "2.4.1";
+  version = "2.5.1";
 
   src = fetchurl {
     url = "https://kernel.org/pub/linux/utils/nfs-utils/${version}/${pname}-${version}.tar.xz";
-    sha256 = "0dkp11a7i01c378ri68bf6k56z27kz8zzvpqm7mip6s7jkd4l9w5";
+    sha256 = "1i1h3n2m35q9ixs1i2qf1rpjp10cipa3c25zdf1xj1vaw5q8270g";
   };
 
   # libnfsidmap is built together with nfs-utils from the same source,
   # put it in the "lib" output, and the headers in "dev"
   outputs = [ "out" "dev" "lib" "man" ];
 
-  nativeBuildInputs = [ pkgconfig buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ pkg-config buildPackages.stdenv.cc rpcsvc-proto ];
 
   buildInputs = [
     libtirpc libcap libevent sqlite lvm2
-    libuuid keyutils kerberos tcp_wrappers
+    libuuid keyutils libkrb5 tcp_wrappers
   ] ++ lib.optional enablePython python3;
 
   enableParallelBuilding = true;
@@ -33,20 +33,20 @@ stdenv.mkDerivation rec {
   preConfigure =
     ''
       substituteInPlace configure \
-        --replace '$dir/include/gssapi' ${lib.getDev kerberos}/include/gssapi \
-        --replace '$dir/bin/krb5-config' ${lib.getDev kerberos}/bin/krb5-config
+        --replace '$dir/include/gssapi' ${lib.getDev libkrb5}/include/gssapi \
+        --replace '$dir/bin/krb5-config' ${lib.getDev libkrb5}/bin/krb5-config
     '';
 
   configureFlags =
     [ "--enable-gss"
       "--enable-svcgss"
       "--with-statedir=/var/lib/nfs"
-      "--with-krb5=${lib.getLib kerberos}"
+      "--with-krb5=${lib.getLib libkrb5}"
       "--with-systemd=${placeholder "out"}/etc/systemd/system"
       "--enable-libmount-mount"
       "--with-pluginpath=${placeholder "lib"}/lib/libnfsidmap" # this installs libnfsidmap
-    ]
-    ++ lib.optional (stdenv ? glibc) "--with-rpcgen=${stdenv.glibc.bin}/bin/rpcgen";
+      "--with-rpcgen=${buildPackages.rpcsvc-proto}/bin/rpcgen"
+    ];
 
   patches = lib.optionals stdenv.hostPlatform.isMusl [
     (fetchpatch {
@@ -106,7 +106,7 @@ stdenv.mkDerivation rec {
   # https://bugzilla.kernel.org/show_bug.cgi?id=203793
   doCheck = false;
 
-  disallowedReferences = [ (lib.getDev kerberos) ];
+  disallowedReferences = [ (lib.getDev libkrb5) ];
 
   passthru.tests = {
     nfs3-simple = nixosTests.nfs3.simple;
@@ -114,7 +114,7 @@ stdenv.mkDerivation rec {
     nfs4-kerberos = nixosTests.nfs4.kerberos;
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux user-space NFS utilities";
 
     longDescription = ''
diff --git a/pkgs/os-specific/linux/nftables/default.nix b/pkgs/os-specific/linux/nftables/default.nix
index 9ec42ad66b0..f5fdee14c15 100644
--- a/pkgs/os-specific/linux/nftables/default.nix
+++ b/pkgs/os-specific/linux/nftables/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, bison, file, flex
+{ lib, stdenv, fetchurl, pkg-config, bison, file, flex
 , asciidoc, libxslt, findXMLCatalogs, docbook_xml_dtd_45, docbook_xsl
 , libmnl, libnftnl, libpcap
 , gmp, jansson, readline
@@ -7,20 +7,20 @@
 , withXtables ? false , iptables
 }:
 
-with stdenv.lib;
+with lib;
 
 stdenv.mkDerivation rec {
-  version = "0.9.6";
+  version = "0.9.9";
   pname = "nftables";
 
   src = fetchurl {
     url = "https://netfilter.org/projects/nftables/files/${pname}-${version}.tar.bz2";
-    sha256 = "0vmn6xwqa1nq6crfxshh049b199d0aj6hfgin7k068xhibzgvmk8";
+    sha256 = "1d7iwc8xlyfsbgn6qx1sdfcq7jhpl8wpfj39hcd06y8dzp3jvvvn";
   };
 
   nativeBuildInputs = [
-    pkgconfig bison file flex
-    asciidoc docbook_xml_dtd_45 docbook_xsl findXMLCatalogs libxslt 
+    pkg-config bison file flex
+    asciidoc docbook_xml_dtd_45 docbook_xsl findXMLCatalogs libxslt
   ];
 
   buildInputs = [
@@ -45,5 +45,6 @@ stdenv.mkDerivation rec {
     homepage = "https://netfilter.org/projects/nftables/";
     license = licenses.gpl2;
     platforms = platforms.linux;
+    maintainers = with maintainers; [ izorkin ];
   };
 }
diff --git a/pkgs/os-specific/linux/nixos-rebuild/default.nix b/pkgs/os-specific/linux/nixos-rebuild/default.nix
new file mode 100644
index 00000000000..b317c5a1fbf
--- /dev/null
+++ b/pkgs/os-specific/linux/nixos-rebuild/default.nix
@@ -0,0 +1,23 @@
+{ substituteAll
+, runtimeShell
+, coreutils
+, gnused
+, gnugrep
+, jq
+, nix
+, lib
+}:
+let
+  fallback = import ./../../../../nixos/modules/installer/tools/nix-fallback-paths.nix;
+in
+substituteAll {
+  name = "nixos-rebuild";
+  src = ./nixos-rebuild.sh;
+  dir = "bin";
+  isExecutable = true;
+  inherit runtimeShell nix;
+  nix_x86_64_linux = fallback.x86_64-linux;
+  nix_i686_linux = fallback.i686-linux;
+  nix_aarch64_linux = fallback.aarch64-linux;
+  path = lib.makeBinPath [ coreutils jq gnused gnugrep ];
+}
diff --git a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
new file mode 100755
index 00000000000..69e0dee1d20
--- /dev/null
+++ b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
@@ -0,0 +1,527 @@
+#! @runtimeShell@
+
+if [ -x "@runtimeShell@" ]; then export SHELL="@runtimeShell@"; fi;
+
+set -e
+set -o pipefail
+
+export PATH=@path@:$PATH
+
+showSyntax() {
+    exec man nixos-rebuild
+    exit 1
+}
+
+
+# Parse the command line.
+origArgs=("$@")
+extraBuildFlags=()
+lockFlags=()
+flakeFlags=()
+action=
+buildNix=1
+fast=
+rollback=
+upgrade=
+upgrade_all=
+profile=/nix/var/nix/profiles/system
+buildHost=
+targetHost=
+maybeSudo=()
+
+while [ "$#" -gt 0 ]; do
+    i="$1"; shift 1
+    case "$i" in
+      --help)
+        showSyntax
+        ;;
+      switch|boot|test|build|edit|dry-build|dry-run|dry-activate|build-vm|build-vm-with-bootloader)
+        if [ "$i" = dry-run ]; then i=dry-build; fi
+        action="$i"
+        ;;
+      --install-grub)
+        echo "$0: --install-grub deprecated, use --install-bootloader instead" >&2
+        export NIXOS_INSTALL_BOOTLOADER=1
+        ;;
+      --install-bootloader)
+        export NIXOS_INSTALL_BOOTLOADER=1
+        ;;
+      --no-build-nix)
+        buildNix=
+        ;;
+      --rollback)
+        rollback=1
+        ;;
+      --upgrade)
+        upgrade=1
+        ;;
+      --upgrade-all)
+        upgrade=1
+        upgrade_all=1
+        ;;
+      --max-jobs|-j|--cores|-I|--builders)
+        j="$1"; shift 1
+        extraBuildFlags+=("$i" "$j")
+        ;;
+      --show-trace|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*|-L|--refresh|--no-net|--offline|--impure)
+        extraBuildFlags+=("$i")
+        ;;
+      --option)
+        j="$1"; shift 1
+        k="$1"; shift 1
+        extraBuildFlags+=("$i" "$j" "$k")
+        ;;
+      --fast)
+        buildNix=
+        fast=1
+        ;;
+      --profile-name|-p)
+        if [ -z "$1" ]; then
+            echo "$0: ‘--profile-name’ requires an argument"
+            exit 1
+        fi
+        if [ "$1" != system ]; then
+            profile="/nix/var/nix/profiles/system-profiles/$1"
+            mkdir -p -m 0755 "$(dirname "$profile")"
+        fi
+        shift 1
+        ;;
+      --build-host|h)
+        buildHost="$1"
+        shift 1
+        ;;
+      --target-host|t)
+        targetHost="$1"
+        shift 1
+        ;;
+      --use-remote-sudo)
+        maybeSudo=(sudo --)
+        ;;
+      --flake)
+        flake="$1"
+        flakeFlags=(--extra-experimental-features 'nix-command flakes')
+        shift 1
+        ;;
+      --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file)
+        lockFlags+=("$i")
+        ;;
+      --update-input)
+        j="$1"; shift 1
+        lockFlags+=("$i" "$j")
+        ;;
+      --override-input)
+        j="$1"; shift 1
+        k="$1"; shift 1
+        lockFlags+=("$i" "$j" "$k")
+        ;;
+      *)
+        echo "$0: unknown option \`$i'"
+        exit 1
+        ;;
+    esac
+done
+
+if [ -n "$SUDO_USER" ]; then
+    maybeSudo=(sudo --)
+fi
+
+if [ -z "$buildHost" -a -n "$targetHost" ]; then
+    buildHost="$targetHost"
+fi
+if [ "$targetHost" = localhost ]; then
+    targetHost=
+fi
+if [ "$buildHost" = localhost ]; then
+    buildHost=
+fi
+
+buildHostCmd() {
+    if [ -z "$buildHost" ]; then
+        "$@"
+    elif [ -n "$remoteNix" ]; then
+        ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" env PATH="$remoteNix":'$PATH' "$@"
+    else
+        ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" "$@"
+    fi
+}
+
+targetHostCmd() {
+    if [ -z "$targetHost" ]; then
+        "${maybeSudo[@]}" "$@"
+    else
+        ssh $SSHOPTS "$targetHost" "${maybeSudo[@]}" "$@"
+    fi
+}
+
+copyToTarget() {
+    if ! [ "$targetHost" = "$buildHost" ]; then
+        if [ -z "$targetHost" ]; then
+            NIX_SSHOPTS=$SSHOPTS nix-copy-closure --from "$buildHost" "$1"
+        elif [ -z "$buildHost" ]; then
+            NIX_SSHOPTS=$SSHOPTS nix-copy-closure --to "$targetHost" "$1"
+        else
+            buildHostCmd nix-copy-closure --to "$targetHost" "$1"
+        fi
+    fi
+}
+
+nixBuild() {
+    if [ -z "$buildHost" ]; then
+        nix-build "$@"
+    else
+        local instArgs=()
+        local buildArgs=()
+        local drv=
+
+        while [ "$#" -gt 0 ]; do
+            local i="$1"; shift 1
+            case "$i" in
+              -o)
+                local out="$1"; shift 1
+                buildArgs+=("--add-root" "$out" "--indirect")
+                ;;
+              -A)
+                local j="$1"; shift 1
+                instArgs+=("$i" "$j")
+                ;;
+              -I) # We don't want this in buildArgs
+                shift 1
+                ;;
+              --no-out-link) # We don't want this in buildArgs
+                ;;
+              "<"*) # nix paths
+                instArgs+=("$i")
+                ;;
+              *)
+                buildArgs+=("$i")
+                ;;
+            esac
+        done
+
+        drv="$(nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")"
+        if [ -a "$drv" ]; then
+            NIX_SSHOPTS=$SSHOPTS nix-copy-closure --to "$buildHost" "$drv"
+            buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
+        else
+            echo "nix-instantiate failed"
+            exit 1
+        fi
+  fi
+}
+
+nixFlakeBuild() {
+    if [[ -z "$buildHost" && -z "$targetHost" ]] &&
+       ! [ "$action" = switch -o "$action" = boot ]
+    then
+        nix "${flakeFlags[@]}" build "$@"
+        readlink -f ./result
+    elif [ -z "$buildHost" ]; then
+        nix "${flakeFlags[@]}" build "$@" --out-link "${tmpDir}/result"
+        readlink -f "${tmpDir}/result"
+    else
+        local attr="$1"
+        shift 1
+        local evalArgs=()
+        local buildArgs=()
+        local drv=
+
+        while [ "$#" -gt 0 ]; do
+            local i="$1"; shift 1
+            case "$i" in
+              --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file)
+                evalArgs+=("$i")
+                ;;
+              --update-input)
+                local j="$1"; shift 1
+                evalArgs+=("$i" "$j")
+                ;;
+              --override-input)
+                local j="$1"; shift 1
+                local k="$1"; shift 1
+                evalArgs+=("$i" "$j" "$k")
+                ;;
+              *)
+                buildArgs+=("$i")
+                ;;
+            esac
+        done
+
+        drv="$(nix "${flakeFlags[@]}" eval --raw "${attr}.drvPath" "${evalArgs[@]}" "${extraBuildFlags[@]}")"
+        if [ -a "$drv" ]; then
+            NIX_SSHOPTS=$SSHOPTS nix "${flakeFlags[@]}" copy --derivation --to "ssh://$buildHost" "$drv"
+            buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
+        else
+            echo "nix eval failed"
+            exit 1
+        fi
+    fi
+}
+
+
+if [ -z "$action" ]; then showSyntax; fi
+
+# Only run shell scripts from the Nixpkgs tree if the action is
+# "switch", "boot", or "test". With other actions (such as "build"),
+# the user may reasonably expect that no code from the Nixpkgs tree is
+# executed, so it's safe to run nixos-rebuild against a potentially
+# untrusted tree.
+canRun=
+if [ "$action" = switch -o "$action" = boot -o "$action" = test ]; then
+    canRun=1
+fi
+
+
+# If ‘--upgrade’ or `--upgrade-all` is given,
+# run ‘nix-channel --update nixos’.
+if [[ -n $upgrade && -z $_NIXOS_REBUILD_REEXEC && -z $flake ]]; then
+    # If --upgrade-all is passed, or there are other channels that
+    # contain a file called ".update-on-nixos-rebuild", update them as
+    # well. Also upgrade the nixos channel.
+
+    for channelpath in /nix/var/nix/profiles/per-user/root/channels/*; do
+        channel_name=$(basename "$channelpath")
+
+        if [[ "$channel_name" == "nixos" ]]; then
+            nix-channel --update "$channel_name"
+        elif [ -e "$channelpath/.update-on-nixos-rebuild" ]; then
+            nix-channel --update "$channel_name"
+        elif [[ -n $upgrade_all ]] ; then
+            nix-channel --update "$channel_name"
+        fi
+    done
+fi
+
+# Make sure that we use the Nix package we depend on, not something
+# else from the PATH for nix-{env,instantiate,build}.  This is
+# important, because NixOS defaults the architecture of the rebuilt
+# system to the architecture of the nix-* binaries used.  So if on an
+# amd64 system the user has an i686 Nix package in her PATH, then we
+# would silently downgrade the whole system to be i686 NixOS on the
+# next reboot.
+if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then
+    export PATH=@nix@/bin:$PATH
+fi
+
+# Use /etc/nixos/flake.nix if it exists. It can be a symlink to the
+# actual flake.
+if [[ -z $flake && -e /etc/nixos/flake.nix ]]; then
+    flake="$(dirname "$(readlink -f /etc/nixos/flake.nix)")"
+fi
+
+# Re-execute nixos-rebuild from the Nixpkgs tree.
+# FIXME: get nixos-rebuild from $flake.
+if [[ -z $_NIXOS_REBUILD_REEXEC && -n $canRun && -z $fast && -z $flake ]]; then
+    if p=$(nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
+        export _NIXOS_REBUILD_REEXEC=1
+        exec "$p/bin/nixos-rebuild" "${origArgs[@]}"
+        exit 1
+    fi
+fi
+
+# For convenience, use the hostname as the default configuration to
+# build from the flake.
+if [[ -n $flake ]]; then
+    if [[ $flake =~ ^(.*)\#([^\#\"]*)$ ]]; then
+       flake="${BASH_REMATCH[1]}"
+       flakeAttr="${BASH_REMATCH[2]}"
+    fi
+    if [[ -z $flakeAttr ]]; then
+        read -r hostname < /proc/sys/kernel/hostname
+        if [[ -z $hostname ]]; then
+            hostname=default
+        fi
+        flakeAttr="nixosConfigurations.\"$hostname\""
+    else
+        flakeAttr="nixosConfigurations.\"$flakeAttr\""
+    fi
+fi
+
+# Resolve the flake.
+if [[ -n $flake ]]; then
+    flake=$(nix "${flakeFlags[@]}" flake metadata --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url)
+fi
+
+# Find configuration.nix and open editor instead of building.
+if [ "$action" = edit ]; then
+    if [[ -z $flake ]]; then
+        NIXOS_CONFIG=${NIXOS_CONFIG:-$(nix-instantiate --find-file nixos-config)}
+        if [[ -d $NIXOS_CONFIG ]]; then
+            NIXOS_CONFIG=$NIXOS_CONFIG/default.nix
+        fi
+        exec ${EDITOR:-nano} "$NIXOS_CONFIG"
+    else
+        exec nix "${flakeFlags[@]}" edit "${lockFlags[@]}" -- "$flake#$flakeAttr"
+    fi
+    exit 1
+fi
+
+
+tmpDir=$(mktemp -t -d nixos-rebuild.XXXXXX)
+SSHOPTS="$NIX_SSHOPTS -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-%n -o ControlPersist=60"
+
+cleanup() {
+    for ctrl in "$tmpDir"/ssh-*; do
+        ssh -o ControlPath="$ctrl" -O exit dummyhost 2>/dev/null || true
+    done
+    rm -rf "$tmpDir"
+}
+trap cleanup EXIT
+
+
+# First build Nix, since NixOS may require a newer version than the
+# current one.
+if [ -n "$rollback" -o "$action" = dry-build ]; then
+    buildNix=
+fi
+
+nixSystem() {
+    machine="$(uname -m)"
+    if [[ "$machine" =~ i.86 ]]; then
+        machine=i686
+    fi
+    echo $machine-linux
+}
+
+prebuiltNix() {
+    machine="$1"
+    if [ "$machine" = x86_64 ]; then
+        echo @nix_x86_64_linux@
+    elif [[ "$machine" =~ i.86 ]]; then
+        echo @nix_i686_linux@
+    elif [[ "$machine" = aarch64 ]]; then
+        echo @nix_aarch64_linux@
+    else
+        echo "$0: unsupported platform"
+        exit 1
+    fi
+}
+
+if [[ -n $buildNix && -z $flake ]]; then
+    echo "building Nix..." >&2
+    nixDrv=
+    if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root "$tmpDir/nix.drv" --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
+        if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root "$tmpDir/nix.drv" --indirect -A nix "${extraBuildFlags[@]}")"; then
+            if ! nixStorePath="$(nix-instantiate --eval '<nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix>' -A "$(nixSystem)" | sed -e 's/^"//' -e 's/"$//')"; then
+                nixStorePath="$(prebuiltNix "$(uname -m)")"
+            fi
+            if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
+                --option extra-binary-caches https://cache.nixos.org/; then
+                echo "warning: don't know how to get latest Nix" >&2
+            fi
+            # Older version of nix-store -r don't support --add-root.
+            [ -e "$tmpDir/nix" ] || ln -sf "$nixStorePath" "$tmpDir/nix"
+            if [ -n "$buildHost" ]; then
+                remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
+                remoteNix="$remoteNixStorePath/bin"
+                if ! buildHostCmd nix-store -r "$remoteNixStorePath" \
+                  --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
+                    remoteNix=
+                    echo "warning: don't know how to get latest Nix" >&2
+                fi
+            fi
+        fi
+    fi
+    if [ -a "$nixDrv" ]; then
+        nix-store -r "$nixDrv"'!'"out" --add-root "$tmpDir/nix" --indirect >/dev/null
+        if [ -n "$buildHost" ]; then
+            nix-copy-closure --to "$buildHost" "$nixDrv"
+            # The nix build produces multiple outputs, we add them all to the remote path
+            for p in $(buildHostCmd nix-store -r "$(readlink "$nixDrv")" "${buildArgs[@]}"); do
+                remoteNix="$remoteNix${remoteNix:+:}$p/bin"
+            done
+        fi
+    fi
+    PATH="$tmpDir/nix/bin:$PATH"
+fi
+
+
+# Update the version suffix if we're building from Git (so that
+# nixos-version shows something useful).
+if [[ -n $canRun && -z $flake ]]; then
+    if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then
+        suffix=$($SHELL "$nixpkgs/nixos/modules/installer/tools/get-version-suffix" "${extraBuildFlags[@]}" || true)
+        if [ -n "$suffix" ]; then
+            echo -n "$suffix" > "$nixpkgs/.version-suffix" || true
+        fi
+    fi
+fi
+
+
+if [ "$action" = dry-build ]; then
+    extraBuildFlags+=(--dry-run)
+fi
+
+
+# Either upgrade the configuration in the system profile (for "switch"
+# or "boot"), or just build it and create a symlink "result" in the
+# current directory (for "build" and "test").
+if [ -z "$rollback" ]; then
+    echo "building the system configuration..." >&2
+    if [ "$action" = switch -o "$action" = boot ]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' --no-out-link -A system "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+        copyToTarget "$pathToConfig"
+        targetHostCmd nix-env -p "$profile" --set "$pathToConfig"
+    elif [ "$action" = test -o "$action" = build -o "$action" = dry-build -o "$action" = dry-activate ]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+    elif [ "$action" = build-vm ]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vm -k "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.vm" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+    elif [ "$action" = build-vm-with-bootloader ]; then
+        if [[ -z $flake ]]; then
+            pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vmWithBootLoader -k "${extraBuildFlags[@]}")"
+        else
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.vmWithBootLoader" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
+        fi
+    else
+        showSyntax
+    fi
+    # Copy build to target host if we haven't already done it
+    if ! [ "$action" = switch -o "$action" = boot ]; then
+        copyToTarget "$pathToConfig"
+    fi
+else # [ -n "$rollback" ]
+    if [ "$action" = switch -o "$action" = boot ]; then
+        targetHostCmd nix-env --rollback -p "$profile"
+        pathToConfig="$profile"
+    elif [ "$action" = test -o "$action" = build ]; then
+        systemNumber=$(
+            targetHostCmd nix-env -p "$profile" --list-generations |
+            sed -n '/current/ {g; p;}; s/ *\([0-9]*\).*/\1/; h'
+        )
+        pathToConfig="$profile"-${systemNumber}-link
+        if [ -z "$targetHost" ]; then
+            ln -sT "$pathToConfig" ./result
+        fi
+    else
+        showSyntax
+    fi
+fi
+
+
+# If we're not just building, then make the new configuration the boot
+# default and/or activate it now.
+if [ "$action" = switch -o "$action" = boot -o "$action" = test -o "$action" = dry-activate ]; then
+    if ! targetHostCmd "$pathToConfig/bin/switch-to-configuration" "$action"; then
+        echo "warning: error(s) occurred while switching to the new configuration" >&2
+        exit 1
+    fi
+fi
+
+
+if [ "$action" = build-vm ]; then
+    cat >&2 <<EOF
+
+Done.  The virtual machine can be started by running $(echo $pathToConfig/bin/run-*-vm)
+EOF
+fi
diff --git a/pkgs/os-specific/linux/nmon/default.nix b/pkgs/os-specific/linux/nmon/default.nix
index 9de18401d7b..7ec84443cfe 100644
--- a/pkgs/os-specific/linux/nmon/default.nix
+++ b/pkgs/os-specific/linux/nmon/default.nix
@@ -1,4 +1,4 @@
-{ fetchurl, stdenv, ncurses }:
+{ fetchurl, lib, stdenv, ncurses }:
 
 stdenv.mkDerivation rec {
   pname = "nmon";
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
     cp nmon $out/bin
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "AIX & Linux Performance Monitoring tool";
     homepage = "http://nmon.sourceforge.net";
     license = licenses.gpl3Plus;
diff --git a/pkgs/os-specific/linux/nss_ldap/default.nix b/pkgs/os-specific/linux/nss_ldap/default.nix
index 74369060ba9..0121c4a6f1c 100644
--- a/pkgs/os-specific/linux/nss_ldap/default.nix
+++ b/pkgs/os-specific/linux/nss_ldap/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, openldap, perl}:
+{lib, stdenv, fetchurl, openldap, perl}:
 
 stdenv.mkDerivation {
   name = "nss_ldap-265";
@@ -30,7 +30,7 @@ stdenv.mkDerivation {
 
   buildInputs = [ openldap perl ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "LDAP module for the Solaris Nameservice Switch (NSS)";
     license = licenses.gpl2;
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/numactl/default.nix b/pkgs/os-specific/linux/numactl/default.nix
index 8505fbc750f..2f8a4feb030 100644
--- a/pkgs/os-specific/linux/numactl/default.nix
+++ b/pkgs/os-specific/linux/numactl/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub, autoreconfHook }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   pname = "numactl";
-  version = "2.0.13";
+  version = "2.0.14";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    sha256 = "08xj0n27qh0ly8hjallnx774gicz15nfq0yyxz8zhgy6pq8l33vv";
+    sha256 = "0hahpdp5xqy9cbg251bdxqkml341djn2h856g435h4ngz63sr9fs";
   };
 
   nativeBuildInputs = [ autoreconfHook ];
@@ -17,15 +17,17 @@ stdenv.mkDerivation rec {
     patchShebangs test
   '';
 
+  LDFLAGS = lib.optionalString stdenv.hostPlatform.isRiscV "-latomic";
+
   # You probably shouldn't ever run these! They will reconfigure Linux
   # NUMA settings, which on my build machine makes the rest of package
   # building ~5% slower until reboot. Ugh!
   doCheck = false; # never ever!
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Library and tools for non-uniform memory access (NUMA) machines";
     homepage = "https://github.com/numactl/numactl";
     license = with licenses; [ gpl2 lgpl21 ]; # libnuma is lgpl21
-    platforms = [ "i686-linux" "x86_64-linux" "aarch64-linux" ];
+    platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index 47af20152db..21d5a871f4e 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "numad-0.5";
@@ -19,11 +19,11 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "prefix=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A user-level daemon that monitors NUMA topology and processes resource consumption to facilitate good NUMA resource access";
     homepage = "https://fedoraproject.org/wiki/Features/numad";
     license = licenses.lgpl21;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ domenkozar ];
+    maintainers = with maintainers; [ ];
   };
 }
diff --git a/pkgs/os-specific/linux/numatop/default.nix b/pkgs/os-specific/linux/numatop/default.nix
index 57ee511bbad..ba972bb6916 100644
--- a/pkgs/os-specific/linux/numatop/default.nix
+++ b/pkgs/os-specific/linux/numatop/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, numactl, ncurses, check }:
+{ lib, stdenv, fetchurl, pkg-config, numactl, ncurses, check }:
 
 stdenv.mkDerivation rec {
   pname = "numatop";
@@ -8,13 +8,13 @@ stdenv.mkDerivation rec {
     sha256 = "1s7psq1xyswj0lpx10zg5lnppav2xy9safkfx3rssrs9c2fp5d76";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ numactl ncurses ];
   checkInputs = [ check ];
 
   doCheck  = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tool for runtime memory locality characterization and analysis of processes and threads on a NUMA system";
     homepage = "https://01.org/numatop";
     license = licenses.bsd3;
diff --git a/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules b/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules
new file mode 100644
index 00000000000..ab07de99718
--- /dev/null
+++ b/pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules
@@ -0,0 +1,2 @@
+SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="a291", TAG+="uaccess"
+SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="df11", TAG+="uaccess"
diff --git a/pkgs/os-specific/linux/numworks-udev-rules/default.nix b/pkgs/os-specific/linux/numworks-udev-rules/default.nix
new file mode 100644
index 00000000000..aae7507f50c
--- /dev/null
+++ b/pkgs/os-specific/linux/numworks-udev-rules/default.nix
@@ -0,0 +1,21 @@
+{ lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "numworks-udev-rules";
+  version = "unstable-2020-08-31";
+
+  udevRules = ./50-numworks-calculator.rules;
+  dontUnpack = true;
+
+  installPhase = ''
+    install -Dm 644 "${udevRules}" "$out/lib/udev/rules.d/50-numworks-calculator.rules"
+  '';
+
+  meta = with lib; {
+    description = "Udev rules for Numworks calculators";
+    homepage = "https://numworks.com";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ shamilton ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/numworks-udev-rules/update.sh b/pkgs/os-specific/linux/numworks-udev-rules/update.sh
new file mode 100755
index 00000000000..3949f6fd8f4
--- /dev/null
+++ b/pkgs/os-specific/linux/numworks-udev-rules/update.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+wget -O 50-numworks-calculator.rules "https://workshop.numworks.com/files/drivers/linux/50-numworks-calculator.rules"
diff --git a/pkgs/os-specific/linux/nvidia-x11/builder.sh b/pkgs/os-specific/linux/nvidia-x11/builder.sh
index dbe18ace40a..e6ad62b1128 100755
--- a/pkgs/os-specific/linux/nvidia-x11/builder.sh
+++ b/pkgs/os-specific/linux/nvidia-x11/builder.sh
@@ -20,7 +20,7 @@ buildPhase() {
         sysSrc=$(echo $kernel/lib/modules/$kernelVersion/source)
         sysOut=$(echo $kernel/lib/modules/$kernelVersion/build)
         unset src # used by the nv makefile
-        make SYSSRC=$sysSrc SYSOUT=$sysOut module -j$NIX_BUILD_CORES
+        make IGNORE_PREEMPT_RT_PRESENCE=1 NV_BUILD_SUPPORTS_HMM=1 SYSSRC=$sysSrc SYSOUT=$sysOut module -j$NIX_BUILD_CORES
 
         cd ..
     fi
@@ -84,8 +84,14 @@ installPhase() {
             else
                 sed -E "s#(libGLX_nvidia)#$i/lib/\\1#" nvidia_icd.json > nvidia_icd.json.fixed
             fi
-            install -Dm644 nvidia_icd.json.fixed $i/share/vulkan/icd.d/nvidia.json
+
+            if [ "$system" = "i686-linux" ]; then
+                install -Dm644 nvidia_icd.json.fixed $i/share/vulkan/icd.d/nvidia_icd.i686.json
+            else
+                install -Dm644 nvidia_icd.json.fixed $i/share/vulkan/icd.d/nvidia_icd.json
+            fi
         fi
+
         if [ -e nvidia_layers.json ]; then
             sed -E "s#(libGLX_nvidia)#$i/lib/\\1#" nvidia_layers.json > nvidia_layers.json.fixed
             install -Dm644 nvidia_layers.json.fixed $i/share/vulkan/implicit_layer.d/nvidia_layers.json
diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix
index df71a953fee..2cf9cddef4d 100644
--- a/pkgs/os-specific/linux/nvidia-x11/default.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -1,44 +1,57 @@
-{ lib, callPackage, fetchpatch, fetchurl, stdenv }:
+{ lib, callPackage, fetchpatch, fetchurl, stdenv, pkgsi686Linux }:
 
 let
-
-generic = args:
-if ((!lib.versionOlder args.version "391")
+  generic = args: let
+    imported = import ./generic.nix args;
+  in if ((!lib.versionOlder args.version "391")
     && stdenv.hostPlatform.system != "x86_64-linux") then null
-  else callPackage (import ./generic.nix args) { };
+  else callPackage imported {
+    lib32 = (pkgsi686Linux.callPackage imported {
+      libsOnly = true;
+      kernel = null;
+    }).out;
+  };
+
   kernel = callPackage # a hacky way of extracting parameters from callPackage
     ({ kernel, libsOnly ? false }: if libsOnly then { } else kernel) { };
-
-  maybePatch_drm_legacy =
-    lib.optional (lib.versionOlder "4.14" (kernel.version or "0"))
-      (fetchurl {
-        url = "https://raw.githubusercontent.com/MilhouseVH/LibreELEC.tv/b5d2d6a1"
-            + "/packages/x11/driver/xf86-video-nvidia-legacy/patches/"
-            + "xf86-video-nvidia-legacy-0010-kernel-4.14.patch";
-        sha256 = "18clfpw03g8dxm61bmdkmccyaxir3gnq451z6xqa2ilm3j820aa5";
-      });
 in
 rec {
   # Policy: use the highest stable version as the default (on our master).
   stable = if stdenv.hostPlatform.system == "x86_64-linux"
     then generic {
-      version = "450.66";
-      sha256_64bit = "1a6va0gvbzpkyza693v2ml1is4xbv8wxasqk0zd5y7rxin94c1ms";
-      settingsSha256 = "0mkgs91gx7xb7f24xkq9fl7i8d4l7s0wr9a44b1gm1vkw82fm7lj";
-      persistencedSha256 = "02id8cg8fba7c1j4m6vj4gp2mv39lz2k557kdjw8lszcpw6f1fhh";
+      version = "460.73.01";
+      sha256_64bit = "120ymf59l6nipczszf82lrm2p4ihhqyv2pfwwfg9wy96vqcckc8i";
+      settingsSha256 = "08jh7g34p9yxv5fh1cw0r2pjx65ryiv3w2lk1qg0gxn2r7xypkx0";
+      persistencedSha256 = "040gx4wqp3hxcfb4aba4sl7b01ixr5slhzw0xldwcqlmhpwqphi5";
     }
     else legacy_390;
 
-  # No active beta right now
-  beta = stable;
+  beta = generic {
+    version = "470.42.01";
+    sha256_64bit = "04w9nmi3vyww07pmgbd2r1x37s5p6xiy4qg9s06a1kjwzpm59xfd";
+    settingsSha256 = "Ohbkm7j0/V0kzcxfsHujBkrdnaefneoLutf2Rju2hIQ=";
+    persistencedSha256 = "1gfj4ffkidbhgjzdi6sv2sngdcb27w7b0rvfnj129rs36mcxy02j";
+  };
+
+  # Vulkan developer beta driver
+  # See here for more information: https://developer.nvidia.com/vulkan-driver
+  vulkan_beta = generic rec {
+    version = "455.46.04";
+    persistencedVersion = "455.45.01";
+    settingsVersion = "455.45.01";
+    sha256_64bit = "1iv42w3x1vc00bgn6y4w1hnfsvnh6bvj3vcrq8hw47760sqwa4xa";
+    settingsSha256 = "09v86y2c8xas9ql0bqr7vrjxx3if6javccwjzyly11dzffm02h7g";
+    persistencedSha256 = "13s4b73il0lq2hs81q03176n16mng737bfsp3bxnxgnrv3whrayz";
+    url = "https://developer.nvidia.com/vulkan-beta-${lib.concatStrings (lib.splitString "." version)}-linux";
+  };
 
   # Last one supporting x86
   legacy_390 = generic {
-    version = "390.138";
-    sha256_32bit = "0y3qjygl0kfz9qs0rp9scn1k3l8ym9dib7wpkyh5gs4klcip7xkv";
-    sha256_64bit = "0rnnb5l4i8s76vlg6yvlrxhm2x9wdqw7k5hgf4fyaa3cr3k1kysz";
-    settingsSha256 = "0ad6hwl56nvbdv9g85lw7ywadqvc2gaq9x6d2vjcia9kg4vrmfqx";
-    persistencedSha256 = "15jciyq6i3pz1g67xzqlwmc62v3xswzhjcqmfcdndvlvhcibsimr";
+    version = "390.143";
+    sha256_32bit = "AelrdTTeo/3+ZdXK0iniZDB8gJUkeZQtNoRm25z+bQY=";
+    sha256_64bit = "tyKqcPM71ErK8ZZHLPtxmgrWzv6tfEmxBRveCSwTlO8=";
+    settingsSha256 = "EJPXZbxZS1CMENAYk9dCAIsHsRTXJpj473+JLuhGkWI=";
+    persistencedSha256 = "FtlPF3jCNr18NnImTmr8zJsaK9wbj/aWZ9LwoLr5SeE=";
   };
 
   legacy_340 = generic {
@@ -51,32 +64,4 @@ rec {
 
     patches = [ ./vm_operations_struct-fault.patch ];
   };
-
-  legacy_304 = generic {
-    version = "304.137";
-    sha256_32bit = "1y34c2gvmmacxk2c72d4hsysszncgfndc4s1nzldy2q9qagkg66a";
-    sha256_64bit = "1qp3jv6279k83k3z96p6vg3dd35y9bhmlyyyrkii7sib7bdmc7zb";
-    settingsSha256 = "129f0j0hxzjd7g67qwxn463rxp295fsq8lycwm6272qykmab46cj";
-    persistencedSha256 = null;
-    useGLVND = false;
-    useProfiles = false;
-    settings32Bit = true;
-
-    prePatch = let
-      debPatches = fetchurl {
-        url = "mirror://debian/pool/non-free/n/nvidia-graphics-drivers-legacy-304xx/"
-            + "nvidia-graphics-drivers-legacy-304xx_304.137-5.debian.tar.xz";
-        sha256 = "0n8512mfcnvklfbg8gv4lzbkm3z6nncwj6ix2b8ngdkmc04f3b6l";
-      };
-      prefix = "debian/module/debian/patches";
-      applyPatches = pnames: if pnames == [] then null else
-        ''
-          tar xf '${debPatches}'
-          sed 's|^\([+-]\{3\} [ab]\)/|\1/kernel/|' -i ${prefix}/*.patch
-          patches="$patches ${lib.concatMapStringsSep " " (pname: "${prefix}/${pname}.patch") pnames}"
-        '';
-    in applyPatches [ "fix-typos" ];
-    patches = maybePatch_drm_legacy;
-    broken = stdenv.lib.versionAtLeast kernel.version "4.18";
-  };
 }
diff --git a/pkgs/os-specific/linux/nvidia-x11/generic.nix b/pkgs/os-specific/linux/nvidia-x11/generic.nix
index d62ade04e63..2d325ab3d56 100644
--- a/pkgs/os-specific/linux/nvidia-x11/generic.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/generic.nix
@@ -1,8 +1,11 @@
 { version
+, url ? null
 , sha256_32bit ? null
 , sha256_64bit
 , settingsSha256
+, settingsVersion ? version
 , persistencedSha256
+, persistencedVersion ? version
 , useGLVND ? true
 , useProfiles ? true
 , preferGtk2 ? false
@@ -11,17 +14,22 @@
 , prePatch ? ""
 , patches ? []
 , broken ? false
-}:
+}@args:
 
-{ stdenv, callPackage, pkgs, pkgsi686Linux, fetchurl
+{ lib, stdenv, callPackage, pkgs, pkgsi686Linux, fetchurl
 , kernel ? null, perl, nukeReferences
 , # Whether to build the libraries only (i.e. not the kernel module or
   # nvidia-settings).  Used to support 32-bit binaries on 64-bit
   # Linux.
   libsOnly ? false
+, # don't include the bundled 32-bit libraries on 64-bit platforms,
+  # even if it’s in downloaded binary
+  disable32Bit ? false
+  # 32 bit libs only version of this package
+, lib32 ? null
 }:
 
-with stdenv.lib;
+with lib;
 
 assert !libsOnly -> kernel != null;
 assert versionOlder version "391" -> sha256_32bit != null;
@@ -30,7 +38,7 @@ assert ! versionOlder version "391" -> stdenv.hostPlatform.system == "x86_64-lin
 let
   nameSuffix = optionalString (!libsOnly) "-${kernel.version}";
   pkgSuffix = optionalString (versionOlder version "304") "-pkg0";
-  i686bundled = versionAtLeast version "391";
+  i686bundled = versionAtLeast version "391" && !disable32Bit;
 
   libPathFor = pkgs: pkgs.lib.makeLibraryPath [ pkgs.libdrm pkgs.xorg.libXext pkgs.xorg.libX11
     pkgs.xorg.libXv pkgs.xorg.libXrandr pkgs.xorg.libxcb pkgs.zlib pkgs.stdenv.cc.cc ];
@@ -43,12 +51,12 @@ let
     src =
       if stdenv.hostPlatform.system == "x86_64-linux" then
         fetchurl {
-          url = "https://download.nvidia.com/XFree86/Linux-x86_64/${version}/NVIDIA-Linux-x86_64-${version}${pkgSuffix}.run";
+          url = args.url or "https://us.download.nvidia.com/XFree86/Linux-x86_64/${version}/NVIDIA-Linux-x86_64-${version}${pkgSuffix}.run";
           sha256 = sha256_64bit;
         }
       else if stdenv.hostPlatform.system == "i686-linux" then
         fetchurl {
-          url = "https://download.nvidia.com/XFree86/Linux-x86/${version}/NVIDIA-Linux-x86-${version}${pkgSuffix}.run";
+          url = args.url or "https://download.nvidia.com/XFree86/Linux-x86/${version}/NVIDIA-Linux-x86-${version}${pkgSuffix}.run";
           sha256 = sha256_32bit;
         }
       else throw "nvidia-x11 does not support platform ${stdenv.hostPlatform.system}";
@@ -86,9 +94,12 @@ let
         withGtk3 = !preferGtk2;
       };
       persistenced = mapNullable (hash: callPackage (import ./persistenced.nix self hash) { }) persistencedSha256;
+      inherit persistencedVersion settingsVersion;
+    } // optionalAttrs (!i686bundled) {
+      inherit lib32;
     };
 
-    meta = with stdenv.lib; {
+    meta = with lib; {
       homepage = "https://www.nvidia.com/object/unix.html";
       description = "X.org driver and kernel module for NVIDIA graphics cards";
       license = licenses.unfreeRedistributable;
diff --git a/pkgs/os-specific/linux/nvidia-x11/persistenced.nix b/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
index de36ad06c60..9a3daa3d270 100644
--- a/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/persistenced.nix
@@ -1,19 +1,25 @@
 nvidia_x11: sha256:
 
-{ stdenv, fetchFromGitHub, m4 }:
-
-stdenv.mkDerivation {
+{ stdenv
+, lib
+, fetchFromGitHub
+, m4
+, libtirpc
+}:
+
+stdenv.mkDerivation rec {
   pname = "nvidia-persistenced";
-  inherit (nvidia_x11) version;
+  version = nvidia_x11.persistencedVersion;
 
   src = fetchFromGitHub {
     owner = "NVIDIA";
     repo = "nvidia-persistenced";
-    rev = nvidia_x11.version;
+    rev = nvidia_x11.persistencedVersion;
     inherit sha256;
   };
 
   nativeBuildInputs = [ m4 ];
+  buildInputs = [ libtirpc ];
 
   installFlags = [ "PREFIX=$(out)" ];
 
@@ -27,7 +33,10 @@ stdenv.mkDerivation {
       $out/bin/nvidia-persistenced
   '';
 
-  meta = with stdenv.lib; {
+  NIX_CFLAGS_COMPILE = [ "-I${libtirpc.dev}/include/tirpc" ];
+  NIX_LDFLAGS = [ "-ltirpc" ];
+
+  meta = with lib; {
     homepage = "https://www.nvidia.com/object/unix.html";
     description = "Settings application for NVIDIA graphics cards";
     license = licenses.unfreeRedistributable;
diff --git a/pkgs/os-specific/linux/nvidia-x11/settings.nix b/pkgs/os-specific/linux/nvidia-x11/settings.nix
index b1250e56ee0..d5bbf40e2b8 100644
--- a/pkgs/os-specific/linux/nvidia-x11/settings.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/settings.nix
@@ -1,6 +1,6 @@
 nvidia_x11: sha256:
 
-{ stdenv, lib, fetchFromGitHub, pkgconfig, m4, jansson, gtk2, dbus, gtk3, libXv, libXrandr, libXext, libXxf86vm, libvdpau
+{ stdenv, lib, fetchFromGitHub, pkg-config, m4, jansson, gtk2, dbus, gtk3, libXv, libXrandr, libXext, libXxf86vm, libvdpau
 , librsvg, wrapGAppsHook
 , withGtk2 ? false, withGtk3 ? true
 }:
@@ -9,13 +9,13 @@ let
   src = fetchFromGitHub {
     owner = "NVIDIA";
     repo = "nvidia-settings";
-    rev = nvidia_x11.version;
+    rev = nvidia_x11.settingsVersion;
     inherit sha256;
   };
 
   libXNVCtrl = stdenv.mkDerivation {
     pname = "libXNVCtrl";
-    inherit (nvidia_x11) version;
+    version = nvidia_x11.settingsVersion;
     inherit src;
 
     buildInputs = [ libXrandr libXext ];
@@ -42,10 +42,10 @@ in
 
 stdenv.mkDerivation {
   pname = "nvidia-settings";
-  inherit (nvidia_x11) version;
+  version = nvidia_x11.settingsVersion;
   inherit src;
 
-  nativeBuildInputs = [ pkgconfig m4 ];
+  nativeBuildInputs = [ pkg-config m4 ];
 
   buildInputs = [ jansson libXv libXrandr libXext libXxf86vm libvdpau nvidia_x11 gtk2 dbus ]
              ++ lib.optionals withGtk3 [ gtk3 librsvg wrapGAppsHook ];
@@ -97,7 +97,7 @@ stdenv.mkDerivation {
     inherit libXNVCtrl;
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.nvidia.com/object/unix.html";
     description = "Settings application for NVIDIA graphics cards";
     license = licenses.unfreeRedistributable;
diff --git a/pkgs/os-specific/linux/nvidiabl/default.nix b/pkgs/os-specific/linux/nvidiabl/default.nix
index 08af09d3d05..7ce7c313485 100644
--- a/pkgs/os-specific/linux/nvidiabl/default.nix
+++ b/pkgs/os-specific/linux/nvidiabl/default.nix
@@ -1,15 +1,15 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
   name = "nvidiabl-${version}-${kernel.version}";
-  version = "2017-09-26";
+  version = "2020-10-01";
 
   # We use a fork which adds support for newer kernels -- upstream has been abandoned.
   src = fetchFromGitHub {
     owner = "yorickvP";
     repo = "nvidiabl";
-    rev = "2d909f4dfceb24ce98479fd571411c6ec3b71bea";
-    sha256 = "0dsar8fsaxwywjh6rbrxkhdp142vqjnsyxfz6bgpbqml6slpiqs1";
+    rev = "9e21bdcb7efedf29450373a2e9ff2913d1b5e3ab";
+    sha256 = "1z57gbnayjid2jv782rpfpp13qdchmbr1vr35g995jfnj624nlgy";
   };
 
   hardeningDisable = [ "pic" ];
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
     "KVER=${kernel.modDirVersion}"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux driver for setting the backlight brightness on laptops using NVIDIA GPU";
     homepage = "https://github.com/guillaumezin/nvidiabl";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/nvme-cli/default.nix b/pkgs/os-specific/linux/nvme-cli/default.nix
index 80a00082b81..3a306508488 100644
--- a/pkgs/os-specific/linux/nvme-cli/default.nix
+++ b/pkgs/os-specific/linux/nvme-cli/default.nix
@@ -1,17 +1,20 @@
-{ lib, stdenv, fetchFromGitHub, pkg-config }:
+{ lib, stdenv, fetchFromGitHub, pkg-config
+, libuuid
+}:
 
 stdenv.mkDerivation rec {
   pname = "nvme-cli";
-  version = "1.12";
+  version = "1.14";
 
   src = fetchFromGitHub {
     owner = "linux-nvme";
     repo = "nvme-cli";
     rev = "v${version}";
-    sha256 = "0ldky34sn0m5c4hgiip0fkzm465nca69bhxicpd5dg8wxhzxqrp3";
+    sha256 = "0dpadz945482srqpsbfx1bh7rc499fgpyzz1flhk9g9xjbpapkzc";
   };
 
   nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libuuid ];
 
   makeFlags = [ "DESTDIR=$(out)" "PREFIX=" ];
 
@@ -32,6 +35,6 @@ stdenv.mkDerivation rec {
     '';
     license = licenses.gpl2Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ primeos tavyc ];
+    maintainers = with maintainers; [ mic92 ];
   };
 }
diff --git a/pkgs/os-specific/linux/nvmet-cli/default.nix b/pkgs/os-specific/linux/nvmet-cli/default.nix
new file mode 100644
index 00000000000..4196efeae67
--- /dev/null
+++ b/pkgs/os-specific/linux/nvmet-cli/default.nix
@@ -0,0 +1,25 @@
+{ lib, python3Packages, fetchurl }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "nvmet-cli";
+  version = "0.7";
+
+  src = fetchurl {
+    url = "ftp://ftp.infradead.org/pub/nvmetcli/nvmetcli-${version}.tar.gz";
+    sha256 = "051y1b9w46azy35118154c353v3mhjkdzh6h59brdgn5054hayj2";
+  };
+
+  buildInputs = with python3Packages; [ nose2 ];
+
+  propagatedBuildInputs = with python3Packages; [ configshell ];
+
+  # This package requires the `nvmet` kernel module to be loaded for tests.
+  doCheck = false;
+
+  meta = with lib; {
+    description = "NVMe target CLI";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ hoverbear ];
+  };
+}
diff --git a/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix b/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix
new file mode 100644
index 00000000000..511dd162785
--- /dev/null
+++ b/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix
@@ -0,0 +1,60 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, go-md2man
+, installShellFiles
+, pkg-config
+, bcc
+, libseccomp
+}:
+
+buildGoModule rec {
+  pname = "oci-seccomp-bpf-hook";
+  version = "1.2.3";
+  src = fetchFromGitHub {
+    owner = "containers";
+    repo = "oci-seccomp-bpf-hook";
+    rev = "v${version}";
+    sha256 = "sha256-EKD6tkdQCPlVlb9ScvRwDxYAtbbv9PIqBHH6SvtPDsE=";
+  };
+  vendorSha256 = null;
+
+  outputs = [ "out" "man" ];
+  nativeBuildInputs = [
+    go-md2man
+    installShellFiles
+    pkg-config
+  ];
+  buildInputs = [
+    bcc
+    libseccomp
+  ];
+
+  checkPhase = ''
+    go test -v ./...
+  '';
+
+  buildPhase = ''
+    make
+  '';
+
+  postBuild = ''
+    substituteInPlace oci-seccomp-bpf-hook.json --replace HOOK_BIN_DIR "$out/bin"
+  '';
+
+  installPhase = ''
+    install -Dm755 bin/* -t $out/bin
+    install -Dm644 oci-seccomp-bpf-hook.json -t $out
+    installManPage docs/*.[1-9]
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/containers/oci-seccomp-bpf-hook";
+    description = ''
+      OCI hook to trace syscalls and generate a seccomp profile
+    '';
+    license = licenses.asl20;
+    maintainers = with maintainers; [ saschagrunert ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/odp-dpdk/default.nix b/pkgs/os-specific/linux/odp-dpdk/default.nix
index 39bb2f3e411..66b39b2c89e 100644
--- a/pkgs/os-specific/linux/odp-dpdk/default.nix
+++ b/pkgs/os-specific/linux/odp-dpdk/default.nix
@@ -1,29 +1,32 @@
-{ stdenv, fetchurl, autoreconfHook, pkgconfig
-, dpdk, libconfig, libpcap, numactl, openssl, zlib, libbsd, libelf, jansson
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config
+, dpdk, libbpf, libconfig, libpcap, numactl, openssl, zlib, libbsd, libelf, jansson
 }: let
-  dpdk_18_11 = dpdk.overrideAttrs (old: rec {
-    version = "18.11.5";
+  dpdk_19_11 = dpdk.overrideAttrs (old: rec {
+    version = "19.11";
     src = fetchurl {
       url = "https://fast.dpdk.org/rel/dpdk-${version}.tar.xz";
-      sha256 = "1n6nfaj7703l19jcw540lm8avni48hj9q1rq4mfp8b8gd4zjprj0";
+      sha256 = "sha256-RnEzlohDZ3uxwna7dKNFiqfAAswh4pXFHjvWVJexEqs=";
     };
+    mesonFlags = old.mesonFlags ++ [
+      "-Denable_docs=false"
+    ];
   });
 
 in stdenv.mkDerivation rec {
   pname = "odp-dpdk";
-  version = "1.22.0.0_DPDK_18.11";
+  version = "1.30.1.0_DPDK_19.11";
 
   src = fetchurl {
     url = "https://git.linaro.org/lng/odp-dpdk.git/snapshot/${pname}-${version}.tar.gz";
-    sha256 = "1m8xhmfjqlj2gkkigq5ka3yh0xgzrcpfpaxp1pnh8d1g99094vbx";
+    sha256 = "sha256-R3PsqQiHlHPzIYYWTVEC7Ikg3KR5I0jWGgftDA9Jj1o=";
   };
 
   nativeBuildInputs = [
     autoreconfHook
-    pkgconfig
+    pkg-config
   ];
   buildInputs = [
-    dpdk_18_11
+    dpdk_19_11
     libconfig
     libpcap
     numactl
@@ -32,25 +35,15 @@ in stdenv.mkDerivation rec {
     libbsd
     libelf
     jansson
+    libbpf
   ];
 
-  NIX_CFLAGS_COMPILE = [ "-Wno-error=address-of-packed-member" ];
-
-  # for some reason, /build/odp-dpdk-1.22.0.0_DPDK_18.11/lib/.libs ends up in all binaries,
-  # while it should be $out/lib instead.
-  # prepend rpath with the proper location, the /build will get removed during rpath shrinking
-  preFixup = ''
-    for prog in $out/bin/*; do
-      patchelf --set-rpath $out/lib:`patchelf --print-rpath $prog` $prog
-    done
-  '';
-
   # binaries will segfault otherwise
   dontStrip = true;
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Open Data Plane optimized for DPDK";
     homepage = "https://www.opendataplane.org";
     license = licenses.bsd3;
diff --git a/pkgs/os-specific/linux/ofp/default.nix b/pkgs/os-specific/linux/ofp/default.nix
deleted file mode 100644
index 7467f7d8713..00000000000
--- a/pkgs/os-specific/linux/ofp/default.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ stdenv, fetchFromGitHub, pkgconfig, autoreconfHook
-, openssl, libpcap, odp-dpdk, dpdk
-}:
-
-stdenv.mkDerivation rec {
-  pname = "ofp";
-  version = "2.0.0";
-
-  src = fetchFromGitHub {
-    owner = "OpenFastPath";
-    repo = "ofp";
-    rev = version;
-    sha256 = "05902593fycgkwzk5g7wzgk0k40nrrgybplkdka3rqnlj6aydhqf";
-  };
-
-  nativeBuildInputs = [ pkgconfig autoreconfHook ];
-  buildInputs = [ openssl libpcap odp-dpdk dpdk ];
-
-  dontDisableStatic = true;
-
-  postPatch = ''
-    substituteInPlace configure.ac --replace m4_esyscmd m4_esyscmd_s
-    substituteInPlace scripts/git_hash.sh --replace /bin/bash ${stdenv.shell}
-    echo ${version} > .scmversion
-  '';
-
-  configureFlags = [
-    "--with-odp=${odp-dpdk}"
-    "--with-odp-lib=odp-dpdk"
-    "--disable-shared"
-  ];
-
-  meta = with stdenv.lib; {
-    description = "High performance TCP/IP stack";
-    homepage = "http://www.openfastpath.org";
-    license = licenses.bsd3;
-    platforms =  [ "x86_64-linux" ];
-    maintainers = [ maintainers.abuibrahim ];
-    broken = true;
-  };
-}
diff --git a/pkgs/os-specific/linux/open-iscsi/default.nix b/pkgs/os-specific/linux/open-iscsi/default.nix
index 01bbd9a9cc1..0640316b627 100644
--- a/pkgs/os-specific/linux/open-iscsi/default.nix
+++ b/pkgs/os-specific/linux/open-iscsi/default.nix
@@ -1,19 +1,19 @@
-{ stdenv, fetchFromGitHub, automake, autoconf, libtool, gettext
-, utillinux, openisns, openssl, kmod, perl, systemd, pkgconf
+{ lib, stdenv, fetchFromGitHub, automake, autoconf, libtool, gettext
+, util-linux, open-isns, openssl, kmod, perl, systemd, pkgconf
 }:
 
 stdenv.mkDerivation rec {
   pname = "open-iscsi";
-  version = "2.1.2";
+  version = "2.1.4";
 
   nativeBuildInputs = [ autoconf automake gettext libtool perl pkgconf ];
-  buildInputs = [ kmod openisns.lib openssl systemd utillinux ];
+  buildInputs = [ kmod open-isns.lib openssl systemd util-linux ];
 
   src = fetchFromGitHub {
     owner = "open-iscsi";
     repo = "open-iscsi";
     rev = version;
-    sha256 = "0fazf2ighj0akrvcj3jm3kd6wl9lgznvr38g6icwfkqk7bykjkam";
+    sha256 = "sha256-HnvLLwxOnu7Oiige6A6zk9NmAI2ImcILp9eCfbdGiyI=";
   };
 
   DESTDIR = "$(out)";
@@ -25,8 +25,16 @@ stdenv.mkDerivation rec {
     sed -i 's|/usr|/|' Makefile
   '';
 
+  installFlags = [
+    "install"
+    "install_systemd"
+  ];
+
   postInstall = ''
     cp usr/iscsistart $out/sbin/
+    for f in $out/lib/systemd/system/*; do
+      substituteInPlace $f --replace /sbin $out/bin
+    done
     $out/sbin/iscsistart -v
   '';
 
@@ -34,9 +42,9 @@ stdenv.mkDerivation rec {
     sed -i "s|/sbin/iscsiadm|$out/bin/iscsiadm|" $out/bin/iscsi_fw_login
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A high performance, transport independent, multi-platform implementation of RFC3720";
-    license = licenses.gpl2;
+    license = licenses.gpl2Plus;
     homepage = "https://www.open-iscsi.com";
     platforms = platforms.linux;
     maintainers = with maintainers; [ cleverca22 zaninime ];
diff --git a/pkgs/os-specific/linux/open-isns/default.nix b/pkgs/os-specific/linux/open-isns/default.nix
index 1617696e00e..3f939024a48 100644
--- a/pkgs/os-specific/linux/open-isns/default.nix
+++ b/pkgs/os-specific/linux/open-isns/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, openssl, fetchFromGitHub }:
+{ lib, stdenv, openssl, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   pname = "open-isns";
-  version = "0.99";
+  version = "0.101";
 
   src = fetchFromGitHub {
-    owner = "gonzoleeman";
+    owner = "open-iscsi";
     repo = "open-isns";
     rev = "v${version}";
-    sha256 = "0m294aiv80rkihacw5094093pc0kd5bkbxqgs6i32jsglxy33hvf";
+    sha256 = "1g7kp1j2f8afsach6sbl4k05ybz1yz2s8yg073bv4gnv48gyxb2p";
   };
 
   propagatedBuildInputs = [ openssl ];
@@ -20,10 +20,11 @@ stdenv.mkDerivation rec {
   installFlags = [ "etcdir=$(out)/etc" "vardir=$(out)/var/lib/isns" ];
   installTargets = [ "install" "install_hdrs" "install_lib" ];
 
-  meta = {
+  meta = with lib; {
     description = "iSNS server and client for Linux";
-    license = stdenv.lib.licenses.lgpl21;
-    homepage = "https://github.com/gonzoleeman/open-isns";
-    platforms = stdenv.lib.platforms.linux;
+    license = licenses.lgpl21Only;
+    homepage = "https://github.com/open-iscsi/open-isns";
+    platforms = platforms.linux;
+    maintainers = [ maintainers.markuskowa ];
   };
 }
diff --git a/pkgs/os-specific/linux/opengl/xorg-sys/default.nix b/pkgs/os-specific/linux/opengl/xorg-sys/default.nix
index f4043f70030..33df8c0cc34 100644
--- a/pkgs/os-specific/linux/opengl/xorg-sys/default.nix
+++ b/pkgs/os-specific/linux/opengl/xorg-sys/default.nix
@@ -6,7 +6,7 @@
 # Of course, use of the driver in /usr/lib is highly impure.  But it
 # might actually work ;-)
 
-{stdenv, xorg, expat, libdrm}:
+{lib, stdenv, xorg, expat, libdrm}:
 
 stdenv.mkDerivation {
   name = "xorg-sys-opengl-3";
@@ -15,6 +15,6 @@ stdenv.mkDerivation {
     [xorg.libXxf86vm xorg.libXext expat libdrm stdenv.cc.cc];
 
   meta = {
-    platforms = stdenv.lib.platforms.linux;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/openrazer/driver.nix b/pkgs/os-specific/linux/openrazer/driver.nix
index a6bf67db098..07113e62862 100644
--- a/pkgs/os-specific/linux/openrazer/driver.nix
+++ b/pkgs/os-specific/linux/openrazer/driver.nix
@@ -2,14 +2,16 @@
 , fetchFromGitHub
 , kernel
 , stdenv
-, utillinux
+, lib
+, util-linux
 }:
 
 let
-  common = import ../../../development/python-modules/openrazer/common.nix { inherit stdenv fetchFromGitHub; };
+  common = import ../../../development/python-modules/openrazer/common.nix { inherit lib fetchFromGitHub; };
 in
 stdenv.mkDerivation (common // {
-  name = "openrazer-${common.version}-${kernel.version}";
+  pname = "openrazer";
+  version = "${common.version}-${kernel.version}";
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
 
@@ -18,6 +20,8 @@ stdenv.mkDerivation (common // {
   ];
 
   installPhase = ''
+    runHook preInstall
+
     binDir="$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/hid"
     mkdir -p "$binDir"
     cp -v driver/*.ko "$binDir"
@@ -28,12 +32,15 @@ stdenv.mkDerivation (common // {
     substituteInPlace $RAZER_RULES_OUT \
       --replace razer_mount $RAZER_MOUNT_OUT
     substituteInPlace $RAZER_MOUNT_OUT \
-      --replace /usr/bin/logger ${utillinux}/bin/logger \
+      --replace /usr/bin/logger ${util-linux}/bin/logger \
       --replace chgrp ${coreutils}/bin/chgrp \
       --replace "PATH='/sbin:/bin:/usr/sbin:/usr/bin'" ""
+
+    runHook postInstall
   '';
 
   meta = common.meta // {
     description = "An entirely open source Linux driver that allows you to manage your Razer peripherals on GNU/Linux";
+    broken = kernel.kernelOlder "4.19";
   };
 })
diff --git a/pkgs/os-specific/linux/openvswitch/default.nix b/pkgs/os-specific/linux/openvswitch/default.nix
index f0fb0a834ff..5faccc14ce7 100644
--- a/pkgs/os-specific/linux/openvswitch/default.nix
+++ b/pkgs/os-specific/linux/openvswitch/default.nix
@@ -1,25 +1,25 @@
-{ stdenv, fetchurl, makeWrapper, pkgconfig, utillinux, which
+{ lib, stdenv, fetchurl, makeWrapper, pkg-config, util-linux, which
 , procps, libcap_ng, openssl, python3 , perl
 , kernel ? null }:
 
-with stdenv.lib;
+with lib;
 
 let
   _kernel = kernel;
   pythonEnv = python3.withPackages (ps: with ps; [ six ]);
 in stdenv.mkDerivation rec {
-  version = "2.13.0";
+  version = "2.14.2";
   pname = "openvswitch";
 
   src = fetchurl {
     url = "https://www.openvswitch.org/releases/${pname}-${version}.tar.gz";
-    sha256 = "0cd5vmfr6zwgcnkwys6rag6cmz68v0librpaplianv734xs74pyx";
+    sha256 = "sha256-ZfQg+VTiUNiV+y2yKhMuHLVgvF4rkFHoNFETSBCOWXo=";
   };
 
   kernel = optional (_kernel != null) _kernel.dev;
 
-  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ makeWrapper utillinux openssl libcap_ng pythonEnv
+  nativeBuildInputs = [ pkg-config makeWrapper ];
+  buildInputs = [ util-linux openssl libcap_ng pythonEnv
                   perl procps which ];
 
   configureFlags = [
@@ -44,7 +44,7 @@ in stdenv.mkDerivation rec {
   enableParallelBuilding = true;
   doCheck = false; # bash-completion test fails with "compgen: command not found"
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     platforms = platforms.linux;
     description = "A multilayer virtual switch";
     longDescription =
diff --git a/pkgs/os-specific/linux/openvswitch/lts.nix b/pkgs/os-specific/linux/openvswitch/lts.nix
index 358a8b39917..15c6c05b061 100644
--- a/pkgs/os-specific/linux/openvswitch/lts.nix
+++ b/pkgs/os-specific/linux/openvswitch/lts.nix
@@ -1,27 +1,26 @@
-{ stdenv, fetchurl, makeWrapper, pkgconfig, utillinux, which
-, procps, libcap_ng, openssl, python2, iproute , perl
+{ lib, stdenv, fetchurl, makeWrapper, pkg-config, util-linux, which
+, procps, libcap_ng, openssl, python2, perl
 , automake, autoconf, libtool, kernel ? null }:
 
-with stdenv.lib;
+with lib;
 
 let
   _kernel = kernel;
 in stdenv.mkDerivation rec {
-  version = "2.5.9";
+  version = "2.5.12";
   pname = "openvswitch";
 
   src = fetchurl {
     url = "https://www.openvswitch.org/releases/${pname}-${version}.tar.gz";
-    sha256 = "0iv0ncwl6s4qyyb655yj5xvqrjr1zbymmab96q259wa09xnyw7b7";
+    sha256 = "0a8wa1lj5p28x3vq0yaxjhqmppp4hvds6hhm0j3czpp8mc09fsfq";
   };
 
   patches = [ ./patches/lts-ssl.patch ];
 
   kernel = optional (_kernel != null) _kernel.dev;
 
-  nativeBuildInputs = [ autoconf libtool automake pkgconfig  ];
-  buildInputs = [ makeWrapper utillinux openssl libcap_ng python2
-                  perl procps which ];
+  nativeBuildInputs = [ autoconf libtool automake pkg-config makeWrapper ];
+  buildInputs = [ util-linux openssl libcap_ng python2 perl procps which ];
 
   preConfigure = "./boot.sh";
 
@@ -61,7 +60,7 @@ in stdenv.mkDerivation rec {
       --replace "self.cert_dir" "root_prefix + self.cert_dir"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     platforms = platforms.linux;
     description = "A multilayer virtual switch";
     longDescription =
diff --git a/pkgs/os-specific/linux/otpw/default.nix b/pkgs/os-specific/linux/otpw/default.nix
index c9597ab0fe4..fed7930bf14 100644
--- a/pkgs/os-specific/linux/otpw/default.nix
+++ b/pkgs/os-specific/linux/otpw/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pam }:
+{ lib, stdenv, fetchurl, pam }:
 
 stdenv.mkDerivation rec {
   name = "otpw-1.3";
@@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "http://www.cl.cam.ac.uk/~mgk25/otpw.html";
     description = "A one-time password login package";
-    license = stdenv.lib.licenses.gpl2Plus;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/pagemon/default.nix b/pkgs/os-specific/linux/pagemon/default.nix
index 64177fa5d00..2ce72391357 100644
--- a/pkgs/os-specific/linux/pagemon/default.nix
+++ b/pkgs/os-specific/linux/pagemon/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, ncurses }:
+{ lib, stdenv, fetchFromGitHub, ncurses }:
 
 stdenv.mkDerivation rec {
   pname = "pagemon";
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     "MANDIR=$(out)/share/man/man8"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit (src.meta) homepage;
     description = "Interactive memory/page monitor for Linux";
     longDescription = ''
diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix
index fb969d7574a..fb993699494 100644
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -1,34 +1,25 @@
-{ stdenv, buildPackages, fetchurl, fetchpatch, flex, cracklib, db4 }:
+{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext
+, nixosTests
+, withLibxcrypt ? false, libxcrypt
+}:
 
 stdenv.mkDerivation rec {
   pname = "linux-pam";
-  version = "1.3.1";
+  version = "1.5.1";
 
   src = fetchurl {
-    url    = "https://github.com/linux-pam/linux-pam/releases/download/v1.3.1/Linux-PAM-${version}.tar.xz";
-    sha256 = "1nyh9kdi3knhxcbv5v4snya0g3gff0m671lnvqcbygw3rm77mx7g";
+    url    = "https://github.com/linux-pam/linux-pam/releases/download/v${version}/Linux-PAM-${version}.tar.xz";
+    sha256 = "sha256-IB1AcwsRNbGzzeoJ8sKKxjTXMYHM0Bcs7d7jZJxXkvw=";
   };
 
-  patches = stdenv.lib.optionals (stdenv.hostPlatform.libc == "musl") [
-    (fetchpatch {
-      url = "https://git.alpinelinux.org/aports/plain/main/linux-pam/fix-compat.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc";
-      sha256 = "1h5yp5h2mqp1fcwiwwklyfpa69a3i03ya32pivs60fd7g5bqa7sf";
-    })
-    (fetchpatch {
-      url = "https://git.alpinelinux.org/aports/plain/main/linux-pam/libpam-fix-build-with-eglibc-2.16.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc";
-      sha256 = "1ib6shhvgzinjsc603k2x1lxh9dic6qq449fnk110gc359m23j81";
-    })
-    # From adelie's package repo, using local copy since it seems to be currently offline.
-    # (we previously used similar patch from void, but stopped working with update to 1.3.1)
-    ./musl-fix-pam_exec.patch
-  ];
-
   outputs = [ "out" "doc" "man" /* "modules" */ ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = [ flex ];
+  nativeBuildInputs = [ flex ]
+    ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
 
-  buildInputs = [ cracklib db4 ];
+  buildInputs = [ cracklib db4 ]
+    ++ lib.optional withLibxcrypt libxcrypt;
 
   enableParallelBuilding = true;
 
@@ -44,7 +35,7 @@ stdenv.mkDerivation rec {
   # which is done by dlopening $out/lib/security/pam_foo.so
   # $out/etc was also missed: pam_env(login:session): Unable to open config file
 
-  preConfigure = stdenv.lib.optionalString (stdenv.hostPlatform.libc == "musl") ''
+  preConfigure = lib.optionalString (stdenv.hostPlatform.libc == "musl") ''
       # export ac_cv_search_crypt=no
       # (taken from Alpine linux, apparently insecure but also doesn't build O:))
       # disable insecure modules
@@ -63,7 +54,11 @@ stdenv.mkDerivation rec {
 
   doCheck = false; # fails
 
-  meta = with stdenv.lib; {
+  passthru.tests = {
+    inherit (nixosTests) pam-oath-login pam-u2f shadow;
+  };
+
+  meta = with lib; {
     homepage = "http://www.linux-pam.org/";
     description = "Pluggable Authentication Modules, a flexible mechanism for authenticating user";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch b/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch
deleted file mode 100644
index 194e47b9e5b..00000000000
--- a/pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch
+++ /dev/null
@@ -1,33 +0,0 @@
---- ./modules/pam_exec/pam_exec.c.orig
-+++ ./modules/pam_exec/pam_exec.c
-@@ -103,11 +103,14 @@
-   int optargc;
-   const char *logfile = NULL;
-   const char *authtok = NULL;
-+  char authtok_buf[PAM_MAX_RESP_SIZE+1];
-+
-   pid_t pid;
-   int fds[2];
-   int stdout_fds[2];
-   FILE *stdout_file = NULL;
- 
-+  memset(authtok_buf, 0, sizeof(authtok_buf));
-   if (argc < 1) {
-     pam_syslog (pamh, LOG_ERR,
- 		"This module needs at least one argument");
-@@ -180,12 +183,12 @@
- 	      if (resp)
- 		{
- 		  pam_set_item (pamh, PAM_AUTHTOK, resp);
--		  authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
-+		  authtok = strncpy(authtok_buf, resp, sizeof(authtok_buf));
- 		  _pam_drop (resp);
- 		}
- 	    }
- 	  else
--	    authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
-+	    authtok = strncpy(authtok_buf, void_pass, sizeof(authtok_buf));
- 
- 	  if (pipe(fds) != 0)
- 	    {
-
diff --git a/pkgs/os-specific/linux/pam_ccreds/default.nix b/pkgs/os-specific/linux/pam_ccreds/default.nix
index c4abfe5c44c..bfe9ac7c830 100644
--- a/pkgs/os-specific/linux/pam_ccreds/default.nix
+++ b/pkgs/os-specific/linux/pam_ccreds/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, pam, openssl, db}:
+{lib, stdenv, fetchurl, pam, openssl, db}:
 
 stdenv.mkDerivation rec {
   name = "pam_ccreds-10";
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pam openssl db ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.padl.com/OSS/pam_ccreds.html";
     description = "PAM module to locally authenticate using an enterprise identity when the network is unavailable";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/pam_gnupg/default.nix b/pkgs/os-specific/linux/pam_gnupg/default.nix
new file mode 100644
index 00000000000..ffb397334c1
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_gnupg/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pam, gnupg }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_gnupg";
+  version = "0.3";
+
+  src = fetchFromGitHub {
+    owner = "cruegge";
+    repo = "pam-gnupg";
+    rev = "v${version}";
+    sha256 = "sha256-NDl6MsvIDAXkaLqXt7Wa0T7aulT31P5Z/d/Vb+ILya0=";
+  };
+
+  configureFlags = [
+    "--with-moduledir=${placeholder "out"}/lib/security"
+  ];
+
+  buildInputs = [ pam gnupg ];
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  meta = with lib; {
+    description = "Unlock GnuPG keys on login";
+    longDescription = ''
+      A PAM module that hands over your login password to gpg-agent. This can
+      be useful if you are using a GnuPG-based password manager like pass.
+    '';
+    homepage = "https://github.com/cruegge/pam-gnupg";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ mtreca ];
+  };
+}
diff --git a/pkgs/os-specific/linux/pam_krb5/default.nix b/pkgs/os-specific/linux/pam_krb5/default.nix
index 7a384c793d2..cb04fa5b424 100644
--- a/pkgs/os-specific/linux/pam_krb5/default.nix
+++ b/pkgs/os-specific/linux/pam_krb5/default.nix
@@ -1,16 +1,16 @@
-{ stdenv, fetchurl, pam, kerberos }:
+{ lib, stdenv, fetchurl, pam, libkrb5 }:
 
 stdenv.mkDerivation rec {
-  name = "pam-krb5-4.9";
+  name = "pam-krb5-4.10";
 
   src = fetchurl {
     url = "https://archives.eyrie.org/software/kerberos/${name}.tar.gz";
-    sha256 = "0kzz6mjkzw571pkv684vyczhl874f6p7lih3dj7s764gxdxnv4y5";
+    sha256 = "09wzxd5zrj5bzqpb01qf148npj5k8hmd2bx2ij1qsy40hdxqyq79";
   };
 
-  buildInputs = [ pam kerberos ];
+  buildInputs = [ pam libkrb5 ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.eyrie.org/~eagle/software/pam-krb5/";
     description = "PAM module allowing PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC";
     longDescription = ''
diff --git a/pkgs/os-specific/linux/pam_mount/default.nix b/pkgs/os-specific/linux/pam_mount/default.nix
index 18bc84effa0..5e4e15c364b 100644
--- a/pkgs/os-specific/linux/pam_mount/default.nix
+++ b/pkgs/os-specific/linux/pam_mount/default.nix
@@ -1,37 +1,46 @@
-{ stdenv, fetchurl, autoconf, automake, pkgconfig, libtool, pam, libHX, libxml2, pcre, perl, openssl, cryptsetup, utillinux }:
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, libtool, pam, libHX, libxml2, pcre, perl, openssl, cryptsetup, util-linux }:
 
 stdenv.mkDerivation rec {
-  name = "pam_mount-2.16";
+  pname = "pam_mount";
+  version = "2.17";
 
   src = fetchurl {
-    url = "mirror://sourceforge/pam-mount/pam_mount/2.16/${name}.tar.xz";
-    sha256 = "1rvi4irb7ylsbhvx1cr6islm2xxw1a4b19q6z4a9864ndkm0f0mf";
+    url = "mirror://sourceforge/pam-mount/pam_mount/${pname}-${version}.tar.xz";
+    sha256 = "1q2n6a2ah6nghdn8i6ad2wj247njwb5nx48cggxknaa6lqxylidy";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ autoconf automake libtool pam libHX utillinux libxml2 pcre perl openssl cryptsetup ];
+  patches = [
+    ./insert_utillinux_path_hooks.patch
+  ];
 
-  patches = [ ./insert_utillinux_path_hooks.patch ];
+  postPatch = ''
+    substituteInPlace src/mtcrypt.c \
+      --replace @@NIX_UTILLINUX@@ ${util-linux}/bin
+  '';
 
-  preConfigure = ''
-    substituteInPlace src/mtcrypt.c --replace @@NIX_UTILLINUX@@ ${utillinux}/bin
-    sh autogen.sh --prefix=$out
-    '';
+  nativeBuildInputs = [ autoreconfHook libtool pkg-config ];
 
-  makeFlags = [ "DESTDIR=$(out)" ];
+  buildInputs = [ pam libHX util-linux libxml2 pcre perl openssl cryptsetup ];
+
+  enableParallelBuilding = true;
+
+  configureFlags = [
+    "--prefix=${placeholder "out"}"
+    "--localstatedir=${placeholder "out"}/var"
+    "--sbindir=${placeholder "out"}/bin"
+    "--sysconfdir=${placeholder "out"}/etc"
+    "--with-slibdir=${placeholder "out"}/lib"
+  ];
 
-  # Probably a hack, but using DESTDIR and PREFIX makes everything work!
   postInstall = ''
-    mkdir -p $out
-    cp -r $out/$out/* $out
-    rm -r $out/nix
-    '';
+    rm -r $out/var
+  '';
 
-  meta = with stdenv.lib; {
-    homepage = "http://pam-mount.sourceforge.net/";
+  meta = with lib; {
     description = "PAM module to mount volumes for a user session";
-    maintainers = [ maintainers.tstrobel ];
+    homepage = "https://pam-mount.sourceforge.net/";
     license = with licenses; [ gpl2 gpl3 lgpl21 lgpl3 ];
+    maintainers = with maintainers; [ tstrobel ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/pam_p11/default.nix b/pkgs/os-specific/linux/pam_p11/default.nix
index d5336cc9f4c..1ed47ba53c2 100644
--- a/pkgs/os-specific/linux/pam_p11/default.nix
+++ b/pkgs/os-specific/linux/pam_p11/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkg-config, openssl, libp11, pam }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, openssl, libp11, pam }:
 
 stdenv.mkDerivation rec {
   pname = "pam_p11";
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ pam openssl libp11 ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/OpenSC/pam_p11";
     description = "Authentication with PKCS#11 modules";
     license = licenses.lgpl21Plus;
diff --git a/pkgs/os-specific/linux/pam_pgsql/default.nix b/pkgs/os-specific/linux/pam_pgsql/default.nix
index 6aa1c3be1e2..bca02c17066 100644
--- a/pkgs/os-specific/linux/pam_pgsql/default.nix
+++ b/pkgs/os-specific/linux/pam_pgsql/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, postgresql, libgcrypt, pam }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, postgresql, libgcrypt, pam }:
 
 stdenv.mkDerivation rec {
   pname = "pam_pgsql";
@@ -11,10 +11,10 @@ stdenv.mkDerivation rec {
     sha256 = "1a68krq5m07zspdxwl1wmkr5j98zr9bdg4776kvplrsdcg97h4jk";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ libgcrypt pam postgresql ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Support to authenticate against PostgreSQL for PAM-enabled appliations";
     homepage = "https://github.com/pam-pgsql/pam-pgsql";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix b/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
index 3ab1ae28a7b..f28cb28ef37 100644
--- a/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
+++ b/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
@@ -1,48 +1,55 @@
-{ stdenv, fetchpatch, fetchurl, pam, openssl, perl }:
+{ lib, stdenv, fetchpatch, fetchFromGitHub, pam, openssl, perl }:
 
 stdenv.mkDerivation rec {
-  name = "pam_ssh_agent_auth-0.10.3";
+  pname = "pam_ssh_agent_auth";
+  version = "0.10.4";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/pamsshagentauth/${name}.tar.bz2";
-    sha256 = "0qx78x7nvqdscyp04hfijl4rgyf64xy03prr28hipvgasrcd6lrw";
+  src = fetchFromGitHub {
+    owner = "jbeverly";
+    repo = "pam_ssh_agent_auth";
+    rev = "pam_ssh_agent_auth-${version}";
+    sha256 = "YD1R8Cox0UoNiuWleKGzWSzxJ5lhDRCB2mZPp9OM6Cs=";
   };
 
-  patches =
-    [ # Allow multiple colon-separated authorized keys files to be
-      # specified in the file= option.
-      ./multiple-key-files.patch
-      (fetchpatch {
-        name = "openssl-1.1.1-1.patch";
-        url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-1.patch";
-        sha256 = "1ndp5j4xfhzshhnl345gb4mkldx6vjfa7284xgng6ikhzpc6y7pf";
-      })
-      (fetchpatch {
-        name = "openssl-1.1.1-2.patch";
-        url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-2.patch";
-        sha256 = "0ksrs4xr417by8klf7862n3dircvnw30an1akq4pnsd3ichscmww";
-      })
-    ];
+  ed25519-donna = fetchFromGitHub {
+    owner = "floodyberry";
+    repo = "ed25519-donna";
+    rev = "8757bd4cd209cb032853ece0ce413f122eef212c";
+    sha256 = "ETFpIaWQnlYG8ZuDG2dNjUJddlvibB4ukHquTFn3NZM=";
+  };
 
   buildInputs = [ pam openssl perl ];
 
-  # It's not clear to me why this is necessary, but without it, you see:
-  #
-  # checking OpenSSL header version... 1010104f (OpenSSL 1.1.1d  10 Sep 2019)
-  # checking OpenSSL library version... 1010104f (OpenSSL 1.1.1d  10 Sep 2019)
-  # checking whether OpenSSL's headers match the library... no
-  # configure: WARNING: Your OpenSSL headers do not match your
-  # library. Check config.log for details.
-  #
-  # ...despite the fact that clearly the values match
-  configureFlags = [ "--without-openssl-header-check" ];
+  patches = [
+    # Allow multiple colon-separated authorized keys files to be
+    # specified in the file= option.
+    ./multiple-key-files.patch
+    ./edcsa-crash-fix.patch
+  ];
+
+  configureFlags = [
+    # It's not clear to me why this is necessary, but without it, you see:
+    #
+    # checking OpenSSL header version... 1010108f (OpenSSL 1.1.1h  22 Sep 2020)
+    # checking OpenSSL library version... 1010108f (OpenSSL 1.1.1h  22 Sep 2020)
+    # checking whether OpenSSL's headers match the library... no
+    # configure: WARNING: Your OpenSSL headers do not match your
+    # library. Check config.log for details.
+    #
+    # ...despite the fact that clearly the values match
+    "--without-openssl-header-check"
+    # Make sure it can find ed25519-donna
+    "--with-cflags=-I$PWD"
+  ];
+
+  prePatch = "cp -r ${ed25519-donna}/. ed25519-donna/.";
 
   enableParallelBuilding = true;
 
   meta = {
-    homepage = "http://pamsshagentauth.sourceforge.net/";
+    homepage = "https://github.com/jbeverly/pam_ssh_agent_auth";
     description = "PAM module for authentication through the SSH agent";
-    maintainers = [ stdenv.lib.maintainers.eelco ];
-    platforms = stdenv.lib.platforms.linux;
+    maintainers = [ lib.maintainers.eelco ];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch b/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch
new file mode 100644
index 00000000000..45ee8745816
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch
@@ -0,0 +1,53 @@
+commit 1b0d9bcc5f5cd78b0bb1357d6a11da5d616ad26f
+Author: Wout Mertens <Wout.Mertens@gmail.com>
+Date:   Thu Jun 11 18:08:13 2020 +0200
+
+    fix segfault when using ECDSA keys.
+    
+    Author: Marc Deslauriers <marc.deslauriers@canonical.com>
+    Bug-Ubuntu: https://bugs.launchpad.net/bugs/1869512
+
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index 5b13b30..5bf29cc 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -46,7 +46,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     u_int len, dlen;
+     Buffer b, bb;
+ #if OPENSSL_VERSION_NUMBER >= 0x10100005L
+-	BIGNUM *r, *s;
++	BIGNUM *r = NULL, *s = NULL;
+ #endif
+ 
+     if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
+@@ -137,20 +137,27 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 
+     /* parse signature */
+     if ((sig = ECDSA_SIG_new()) == NULL)
+-        pamsshagentauth_fatal("ssh_ecdsa_verify: DSA_SIG_new failed");
++        pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_new failed");
+ 
+     pamsshagentauth_buffer_init(&b);
+     pamsshagentauth_buffer_append(&b, sigblob, len);
+ #if OPENSSL_VERSION_NUMBER < 0x10100005L
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
++        pamsshagentauth_fatal("ssh_ecdsa_verify:"
++            "pamsshagentauth_buffer_get_bignum2_ret failed");
+ #else
+-    DSA_SIG_get0(sig, &r, &s);
++    if ((r = BN_new()) == NULL)
++        pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed");
++    if ((s = BN_new()) == NULL)
++        pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed");
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, s) == -1))
+-#endif
+         pamsshagentauth_fatal("ssh_ecdsa_verify:"
+             "pamsshagentauth_buffer_get_bignum2_ret failed");
++    if (ECDSA_SIG_set0(sig, r, s) != 1)
++        pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_set0 failed");
++#endif
+ 
+     /* clean up */
+     memset(sigblob, 0, len);
diff --git a/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch b/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch
index 190325251c9..71d8e08ecd0 100644
--- a/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch
+++ b/pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch
@@ -87,21 +87,27 @@ diff -u pam_ssh_agent_auth-0.10.3-orig/pam_ssh_agent_auth.c pam_ssh_agent_auth-0
  
      /*
       * PAM_USER and PAM_RUSER do not necessarily have to get set by the calling application, and we may be unable to divine the latter.
-@@ -187,16 +184,17 @@
+@@ -184,5 +181,5 @@
       */
  
      if(user && strlen(ruser) > 0) {
 -        pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
 +        pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
  
+@@ -201,3 +197,3 @@
+                 retval = PAM_SUCCESS;
+-                pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++                pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file_input);
+ 
+@@ -211,11 +208,12 @@
          /*
           * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
           */
 -        if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
--            pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+-            pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
 +        const char *key_file;
 +        if((key_file = pamsshagentauth_find_authorized_keys(user, ruser, servicename))) { /* getpwnam(ruser)->pw_uid)) { */
-+            pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, key_file);
++            pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, key_file);
              retval = PAM_SUCCESS;
          } else {
 -            pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
diff --git a/pkgs/os-specific/linux/pam_u2f/default.nix b/pkgs/os-specific/linux/pam_u2f/default.nix
index 30acb86d860..30a55f2b9c0 100644
--- a/pkgs/os-specific/linux/pam_u2f/default.nix
+++ b/pkgs/os-specific/linux/pam_u2f/default.nix
@@ -1,25 +1,30 @@
-{ stdenv, fetchurl, pkgconfig, libu2f-host, libu2f-server, pam }:
+{ lib, stdenv, fetchurl, pkg-config, libfido2, pam, openssl }:
 
 stdenv.mkDerivation rec {
   pname = "pam_u2f";
-  version = "1.0.8";
+  version = "1.1.1";
 
   src     = fetchurl {
     url = "https://developers.yubico.com/pam-u2f/Releases/${pname}-${version}.tar.gz";
-    sha256 = "16awjzx348imjz141fzzldy00qpdmw2g37rnq430w5mnzak078jj";
+    sha256 = "12p3pkrp32vzpg7707cgx8zgvgj8iqwhy39sm761k7plqi027mmp";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ libu2f-host libu2f-server pam ];
-
-  # Fix the broken include in 1.0.1
-  CFLAGS = "-I${libu2f-host}/include/u2f-host";
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libfido2 pam openssl ];
 
   preConfigure = ''
     configureFlagsArray+=("--with-pam-dir=$out/lib/security")
   '';
 
-  meta = with stdenv.lib; {
+  # a no-op makefile to prevent building the fuzz targets
+  postConfigure = ''
+    cat > fuzz/Makefile <<EOF
+    all:
+    install:
+    EOF
+  '';
+
+  meta = with lib; {
     homepage = "https://developers.yubico.com/pam-u2f/";
     description = "A PAM module for allowing authentication with a U2F device";
     license = licenses.bsd2;
diff --git a/pkgs/os-specific/linux/pam_usb/default.nix b/pkgs/os-specific/linux/pam_usb/default.nix
index 3e01b1bd455..1a66e986d8b 100644
--- a/pkgs/os-specific/linux/pam_usb/default.nix
+++ b/pkgs/os-specific/linux/pam_usb/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, makeWrapper, dbus, libxml2, pam, pkgconfig, pmount, pythonPackages, writeScript, runtimeShell }:
+{ lib, stdenv, fetchurl, makeWrapper, dbus, libxml2, pam, pkg-config, pmount, pythonPackages, writeScript, runtimeShell }:
 
 let
 
@@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
   buildInputs = [
     makeWrapper
     # pam_usb dependencies
-    dbus libxml2 pam pmount pkgconfig
+    dbus libxml2 pam pmount pkg-config
     # pam_usb's tools dependencies
     python
     # cElementTree is included with python 2.5 and later.
@@ -70,7 +70,7 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "http://pamusb.org/";
     description = "Authentication using USB Flash Drives";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/pax-utils/default.nix b/pkgs/os-specific/linux/pax-utils/default.nix
index f69b2bd7fce..40159cd2acd 100644
--- a/pkgs/os-specific/linux/pax-utils/default.nix
+++ b/pkgs/os-specific/linux/pax-utils/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "pax-utils";
-  version = "1.2.6";
+  version = "1.2.8";
 
   src = fetchurl {
     url = "http://distfiles.gentoo.org/distfiles/${pname}-${version}.tar.xz";
-    sha256 = "08bzvgv1z3371sqf7zlm9i0b1y3wdymj2dqdvzvf192k3nix4hlp";
+    sha256 = "sha256-urTIhG4dLMNmnPqSMdIdszWEHX1Y+eGc0Jn+bOYmsVc=";
   };
 
   makeFlags = [ "PREFIX=$(out)" ];
diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix
index 754f6bcac33..da9928a66e3 100644
--- a/pkgs/os-specific/linux/paxctl/default.nix
+++ b/pkgs/os-specific/linux/paxctl/default.nix
@@ -1,4 +1,4 @@
-{ fetchurl, stdenv, elf-header }:
+{ fetchurl, lib, stdenv, elf-header }:
 
 stdenv.mkDerivation rec {
   pname = "paxctl";
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
 
   setupHook = ./setup-hook.sh;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A tool for controlling PaX flags on a per binary basis";
     homepage    = "https://pax.grsecurity.net";
     license     = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/paxtest/default.nix b/pkgs/os-specific/linux/paxtest/default.nix
index 6bd59e1e7fd..aae8c1296c6 100644
--- a/pkgs/os-specific/linux/paxtest/default.nix
+++ b/pkgs/os-specific/linux/paxtest/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, paxctl }:
+{ lib, stdenv, fetchurl, paxctl }:
 
 stdenv.mkDerivation rec {
   pname = "paxtest";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
   makeFlags    = [ "PAXBIN=${paxctl}/bin/paxctl" "BINDIR=$(out)/bin" "RUNDIR=$(out)/lib/paxtest" ];
   installFlags = [ "DESTDIR=\"\"" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Test various memory protection measures";
     license     = licenses.gpl2;
     platforms   = platforms.linux;
diff --git a/pkgs/os-specific/linux/pcimem/default.nix b/pkgs/os-specific/linux/pcimem/default.nix
new file mode 100644
index 00000000000..dda4d0fff0b
--- /dev/null
+++ b/pkgs/os-specific/linux/pcimem/default.nix
@@ -0,0 +1,30 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "pcimem";
+  version = "unstable-2018-08-29";
+
+  src = fetchFromGitHub {
+    owner = "billfarrow";
+    repo = pname;
+    rev = "09724edb1783a98da2b7ae53c5aaa87493aabc9b";
+    sha256 = "0zlbvcl5q4hgna11p3w00px1p8qgn8ga79lh6a2m7d597g86kbq3";
+  };
+
+  outputs = [ "out" "doc" ];
+
+  makeFlags = [ "CFLAGS=-Wno-maybe-uninitialized" ];
+
+  installPhase = ''
+    install -D pcimem "$out/bin/pcimem"
+    install -D README "$doc/doc/README"
+  '';
+
+  meta = with lib; {
+    description = "Simple method of reading and writing to memory registers on a PCI card";
+    homepage = "https://github.com/billfarrow/pcimem";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mafo ];
+  };
+}
diff --git a/pkgs/os-specific/linux/pcm/default.nix b/pkgs/os-specific/linux/pcm/default.nix
index 06126a92958..c0b8b59ebb5 100644
--- a/pkgs/os-specific/linux/pcm/default.nix
+++ b/pkgs/os-specific/linux/pcm/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
-  version = "202007";
+  version = "202101";
   pname = "pcm";
 
   src = fetchFromGitHub {
     owner = "opcm";
     repo = "pcm";
     rev = version;
-    sha256 = "1qqp51mvi52jvf6zf4g1fzv6nh9p37y0i7r2y273gwcdygbidzma";
+    sha256 = "sha256-xiC9XDuFcAzD2lVuzBWUvHy1Z1shEXM2KPFabKvgh1Y=";
   };
 
   installPhase = ''
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
     cp pcm*.x $out/bin
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Processor counter monitor";
     homepage = "https://www.intel.com/software/pcm";
     license = licenses.bsd3;
diff --git a/pkgs/os-specific/linux/pcmciautils/default.nix b/pkgs/os-specific/linux/pcmciautils/default.nix
index 820ef7f9612..a4da6be691e 100644
--- a/pkgs/os-specific/linux/pcmciautils/default.nix
+++ b/pkgs/os-specific/linux/pcmciautils/default.nix
@@ -1,5 +1,5 @@
 { config, lib, stdenv, fetchurl
-, yacc, flex
+, bison, flex
 , sysfsutils, kmod, udev
 , firmware   ? config.pcmciaUtils.firmware or [] # Special pcmcia cards.
 , configOpts ? config.pcmciaUtils.config or null # Special hardware (map memory & port & irq)
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
     sha256 = "0sfm3w2n73kl5w7gb1m6q8gy5k4rgwvzz79n6yhs9w3sag3ix8sk";
   };
 
-  buildInputs = [udev yacc sysfsutils kmod flex];
+  buildInputs = [udev bison sysfsutils kmod flex];
 
   patchPhase = ''
     sed -i "
@@ -27,8 +27,7 @@ stdenv.mkDerivation rec {
     " src/{startup.c,pcmcia-check-broken-cis.c} # fix-color */
   ''
   + (if firmware == [] then ''sed -i "s,STARTUP = true,STARTUP = false," Makefile'' else "")
-  + (if configOpts == null then "" else ''
-    ln -sf ${configOpts} ./config/config.opts'')
+  + (if configOpts == null then "" else "ln -sf ${configOpts} ./config/config.opts")
   ;
 
   makeFlags = [ "LEX=flex" ];
@@ -49,7 +48,7 @@ stdenv.mkDerivation rec {
       the PCMCIA subsystem to behave (almost) as every other
       hotpluggable bus system.
     ";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/perf-tools/default.nix b/pkgs/os-specific/linux/perf-tools/default.nix
index 1a18c6ea272..7d5d6d59ea8 100644
--- a/pkgs/os-specific/linux/perf-tools/default.nix
+++ b/pkgs/os-specific/linux/perf-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, perl }:
+{ lib, stdenv, fetchFromGitHub, perl }:
 
 stdenv.mkDerivation {
   name = "perf-tools-20171219";
@@ -34,7 +34,7 @@ stdenv.mkDerivation {
       mv $d/man $out/share/
     '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     platforms = platforms.linux;
     homepage = "https://github.com/brendangregg/perf-tools";
     description = "Performance analysis tools based on Linux perf_events (aka perf) and ftrace";
diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix
index 2d5d149292c..34693564e0a 100644
--- a/pkgs/os-specific/linux/phc-intel/default.nix
+++ b/pkgs/os-specific/linux/phc-intel/default.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchurl, kernel, which }:
+{ lib, stdenv, fetchurl, kernel, which }:
 
 # Don't bother with older versions, though some might even work:
-assert stdenv.lib.versionAtLeast kernel.version "4.10";
+assert lib.versionAtLeast kernel.version "4.10";
 
 let
   release = "0.4.0";
@@ -36,7 +36,7 @@ in stdenv.mkDerivation rec {
     install -m 644 *.ko $out/lib/modules/${kernel.modDirVersion}/extra/
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Undervolting kernel driver for Intel processors";
     longDescription = ''
       PHC is a Linux kernel patch to undervolt processors. This can divide the
@@ -48,6 +48,6 @@ in stdenv.mkDerivation rec {
     downloadPage = "http://www.linux-phc.org/forum/viewtopic.php?f=7&t=267";
     license = licenses.gpl2;
     platforms = [ "x86_64-linux" "i686-linux" ];
-    broken = stdenv.lib.versionAtLeast kernel.version "4.18";
+    broken = lib.versionAtLeast kernel.version "4.18";
   };
 }
diff --git a/pkgs/os-specific/linux/piper/default.nix b/pkgs/os-specific/linux/piper/default.nix
index 641c8b8ba81..5edcd263f0d 100644
--- a/pkgs/os-specific/linux/piper/default.nix
+++ b/pkgs/os-specific/linux/piper/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, meson, ninja, pkgconfig, gettext, fetchFromGitHub, python3
-, wrapGAppsHook, gtk3, glib, desktop-file-utils, appstream-glib, gnome3
+{ lib, meson, ninja, pkg-config, gettext, fetchFromGitHub, python3
+, wrapGAppsHook, gtk3, glib, desktop-file-utils, appstream-glib, gnome
 , gobject-introspection }:
 
 python3.pkgs.buildPythonApplication rec {
@@ -15,9 +15,9 @@ python3.pkgs.buildPythonApplication rec {
     sha256 = "1nfjnsiwg2rs6gkjsxzhr2708i6di149dgwq3cf6l12rxqpb8arj";
   };
 
-  nativeBuildInputs = [ meson ninja gettext pkgconfig wrapGAppsHook desktop-file-utils appstream-glib gobject-introspection ];
+  nativeBuildInputs = [ meson ninja gettext pkg-config wrapGAppsHook desktop-file-utils appstream-glib gobject-introspection ];
   buildInputs = [
-    gtk3 glib gnome3.adwaita-icon-theme python3
+    gtk3 glib gnome.adwaita-icon-theme python3
   ];
   propagatedBuildInputs = with python3.pkgs; [ lxml evdev pygobject3 ] ++ [
     gobject-introspection # fixes https://github.com/NixOS/nixpkgs/issues/56943 for now
@@ -28,7 +28,7 @@ python3.pkgs.buildPythonApplication rec {
     patchShebangs meson_install.sh
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "GTK frontend for ratbagd mouse config daemon";
     homepage    = "https://github.com/libratbag/piper";
     license     = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/pipework/default.nix b/pkgs/os-specific/linux/pipework/default.nix
index 14d1eb85998..33192392888 100644
--- a/pkgs/os-specific/linux/pipework/default.nix
+++ b/pkgs/os-specific/linux/pipework/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, fetchFromGitHub, makeWrapper
-, bridge-utils, iproute, lxc, openvswitch, docker, busybox, dhcpcd, dhcp
+, bridge-utils, iproute2, lxc, openvswitch, docker, busybox, dhcpcd, dhcp
 }:
 
 stdenv.mkDerivation {
@@ -11,11 +11,11 @@ stdenv.mkDerivation {
     rev = "ae42f1b5fef82b3bc23fe93c95c345e7af65fef3";
     sha256 = "0c342m0bpq6ranr7dsxk9qi5mg3j5aw9wv85ql8gprdb2pz59qy8";
   };
-  buildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ makeWrapper ];
   installPhase = ''
     install -D pipework $out/bin/pipework
     wrapProgram $out/bin/pipework --prefix PATH : \
-      ${lib.makeBinPath [ bridge-utils iproute lxc openvswitch docker busybox dhcpcd dhcp ]};
+      ${lib.makeBinPath [ bridge-utils iproute2 lxc openvswitch docker busybox dhcpcd dhcp ]};
   '';
   meta = with lib; {
     description = "Software-Defined Networking tools for LXC";
diff --git a/pkgs/os-specific/linux/pktgen/configure.patch b/pkgs/os-specific/linux/pktgen/configure.patch
deleted file mode 100644
index b4933313a51..00000000000
--- a/pkgs/os-specific/linux/pktgen/configure.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-1. librte_process_info does not exist.
-2. lua5.3 library is liblua.
-3. app/meson.build uses undeclared drivers_install_subdir.
---- a/lib/common/meson.build
-+++ b/lib/common/meson.build
-@@ -34,1 +34,1 @@
--libs = ['eal', 'kvargs', 'cmdline', 'process_info']
-+libs = ['eal', 'kvargs', 'cmdline']
---- a/lib/lua/meson.build
-+++ b/lib/lua/meson.build
-@@ -31 +31 @@ endforeach
--ext_deps += cc.find_library('lua5.3', required: true)
-+ext_deps += cc.find_library('lua', required: true)
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -0,0 +1,1 @@
-+option('drivers_install_subdir', type: 'string', value: '')
diff --git a/pkgs/os-specific/linux/pktgen/default.nix b/pkgs/os-specific/linux/pktgen/default.nix
index 41db6e93661..5a1a56ab691 100644
--- a/pkgs/os-specific/linux/pktgen/default.nix
+++ b/pkgs/os-specific/linux/pktgen/default.nix
@@ -1,32 +1,36 @@
-{ stdenv, lib, fetchurl, meson, ninja, pkgconfig
-, dpdk, libbsd, libpcap, lua5_3, numactl, utillinux
+{ stdenv, lib, fetchFromGitHub, meson, ninja, pkg-config
+, dpdk, libbsd, libpcap, lua5_3, numactl, util-linux
 , gtk2, which, withGtk ? false
 }:
 
 stdenv.mkDerivation rec {
   pname = "pktgen";
-  version = "19.12.0";
+  version = "21.05.0";
 
-  src = fetchurl {
-    url = "http://dpdk.org/browse/apps/pktgen-dpdk/snapshot/${pname}-${version}.tar.xz";
-    sha256 = "1clfviz1qa4hysslcg6i29vsxwl9f6j1y7zf9wwx9br3yq08x956";
+  src = fetchFromGitHub {
+    owner = "pktgen";
+    repo = "Pktgen-DPDK";
+    rev = "pktgen-${version}";
+    sha256 = "sha256-7lLDtbd14olEHO+1BuI6KTEUNRM/zAyRXau/OZbYbGA=";
   };
 
-  nativeBuildInputs = [ meson ninja pkgconfig ];
+  nativeBuildInputs = [ meson ninja pkg-config ];
 
-  buildInputs =
-    [ dpdk libbsd libpcap lua5_3 numactl which ]
-    ++ stdenv.lib.optionals withGtk [gtk2];
+  buildInputs = [
+    dpdk libbsd libpcap lua5_3 numactl which
+  ] ++ lib.optionals withGtk [
+    gtk2
+  ];
 
   RTE_SDK = dpdk;
-  GUI = stdenv.lib.optionalString withGtk "true";
+  GUI = lib.optionalString withGtk "true";
 
   NIX_CFLAGS_COMPILE = "-msse3";
-
-  patches = [ ./configure.patch ];
+  # requires symbols from this file
+  NIX_LDFLAGS = "-lrte_net_bond";
 
   postPatch = ''
-    substituteInPlace lib/common/lscpu.h --replace /usr/bin/lscpu ${utillinux}/bin/lscpu
+    substituteInPlace lib/common/lscpu.h --replace /usr/bin/lscpu ${util-linux}/bin/lscpu
   '';
 
   postInstall = ''
@@ -35,7 +39,7 @@ stdenv.mkDerivation rec {
     rm -rf $out/include $out/lib
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Traffic generator powered by DPDK";
     homepage = "http://dpdk.org/";
     license = licenses.bsdOriginal;
diff --git a/pkgs/os-specific/linux/ply/default.nix b/pkgs/os-specific/linux/ply/default.nix
index 1d98cfb0cd1..e62716e4796 100644
--- a/pkgs/os-specific/linux/ply/default.nix
+++ b/pkgs/os-specific/linux/ply/default.nix
@@ -1,13 +1,13 @@
-{ stdenv, kernel, fetchFromGitHub, autoreconfHook, yacc, flex, p7zip, rsync }:
+{ lib, stdenv, kernel, fetchFromGitHub, autoreconfHook, bison, flex, p7zip, rsync }:
 
-assert kernel != null -> stdenv.lib.versionAtLeast kernel.version "4.0";
+assert kernel != null -> lib.versionAtLeast kernel.version "4.0";
 
 let
   version = "1.0.beta1-9e810b1";
 in stdenv.mkDerivation {
   pname = "ply";
   inherit version;
-  nativeBuildInputs = [ autoreconfHook flex yacc p7zip rsync ];
+  nativeBuildInputs = [ autoreconfHook flex bison p7zip rsync ];
 
   src = fetchFromGitHub {
     owner = "iovisor";
@@ -33,7 +33,7 @@ in stdenv.mkDerivation {
     ./autogen.sh --prefix=$out
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "dynamic Tracing in Linux";
     homepage = "https://wkz.github.io/ply/";
     license = [ licenses.gpl2 ];
diff --git a/pkgs/os-specific/linux/plymouth/default.nix b/pkgs/os-specific/linux/plymouth/default.nix
index 7a6c227f401..8cb2a00987e 100644
--- a/pkgs/os-specific/linux/plymouth/default.nix
+++ b/pkgs/os-specific/linux/plymouth/default.nix
@@ -1,64 +1,111 @@
-{ stdenv, fetchurl, autoreconfHook, pkgconfig, libxslt, docbook_xsl
-, gtk3, udev, systemd, lib
+{ lib
+, stdenv
+, fetchpatch
+, fetchFromGitLab
+, pkg-config
+, autoreconfHook
+, libxslt
+, docbook-xsl-nons
+, gettext
+, gtk3
+, systemd
+, pango
+, cairo
+, libdrm
 }:
 
 stdenv.mkDerivation rec {
-  pname = "plymouth";
-  version = "0.9.4";
+  pname = "plymouth-unstable";
+  version = "2020-12-07";
 
-  src = fetchurl {
-    url = "https://www.freedesktop.org/software/plymouth/releases/${pname}-${version}.tar.xz";
-    sha256 = "0l8kg7b2vfxgz9gnrn0v2w4jvysj2cirp0nxads5sy05397pl6aa";
+  outputs = [
+    "out"
+    "dev"
+  ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "plymouth";
+    repo = "plymouth";
+    rev = "c4ced2a2d70edea7fbb95274aa1d01d95928df1b";
+    sha256 = "7CPuKMA0fTt8DBsaA4Td74kHT/O7PW8N3awP04nUnOI=";
   };
 
   nativeBuildInputs = [
-    autoreconfHook pkgconfig libxslt docbook_xsl
+    autoreconfHook
+    docbook-xsl-nons
+    gettext
+    libxslt
+    pkg-config
   ];
 
   buildInputs = [
-    gtk3 udev systemd
+    cairo
+    gtk3
+    libdrm
+    pango
+    systemd
+  ];
+
+  patches = [
+    # KillMode=none is deprecated
+    # https://gitlab.freedesktop.org/plymouth/plymouth/-/issues/123
+    (fetchpatch {
+      url = "https://gitlab.freedesktop.org/plymouth/plymouth/-/commit/b406b0895a95949db2adfedaeda451f36f2b51c3.patch";
+      sha256 = "/UBImNuFO0G/oxlttjGIXon8YXMXlc9XU8uVuR9QuxY=";
+    })
   ];
 
   postPatch = ''
     sed -i \
-      -e "s#\$(\$PKG_CONFIG --variable=systemdsystemunitdir systemd)#$out/etc/systemd/system#g" \
       -e "s#plymouthplugindir=.*#plymouthplugindir=/etc/plymouth/plugins/#" \
       -e "s#plymouththemedir=.*#plymouththemedir=/etc/plymouth/themes#" \
       -e "s#plymouthpolicydir=.*#plymouthpolicydir=/etc/plymouth/#" \
+      -e "s#plymouthconfdir=.*#plymouthconfdir=/etc/plymouth/#" \
       configure.ac
   '';
 
+  configurePlatforms = [ "host" ];
+
   configureFlags = [
-    "--sysconfdir=/etc"
-    "--with-systemdunitdir=${placeholder "out"}/etc/systemd/system"
+    "--enable-documentation"
+    "--enable-drm"
+    "--enable-gtk"
+    "--enable-pango"
+    "--enable-systemd-integration"
+    "--enable-tracing"
     "--localstatedir=/var"
-    "--with-logo=/etc/plymouth/logo.png"
+    "--sysconfdir=/etc"
     "--with-background-color=0x000000"
-    "--with-background-start-color-stop=0x000000"
     "--with-background-end-color-stop=0x000000"
+    "--with-background-start-color-stop=0x000000"
+    "--with-logo=/etc/plymouth/logo.png"
     "--with-release-file=/etc/os-release"
-    "--without-system-root-install"
+    "--with-runtimedir=/run"
+    "--with-systemdunitdir=${placeholder "out"}/etc/systemd/system"
     "--without-rhgb-compat-link"
-    "--enable-tracing"
-    "--enable-systemd-integration"
-    "--enable-pango"
-    "--enable-gdm-transition"
-    "--enable-gtk"
+    "--without-system-root-install"
     "ac_cv_path_SYSTEMD_ASK_PASSWORD_AGENT=${lib.getBin systemd}/bin/systemd-tty-ask-password-agent"
   ];
 
-  configurePlatforms = [ "host" ];
-
   installFlags = [
-    "plymouthd_defaultsdir=$(out)/share/plymouth"
-    "plymouthd_confdir=$(out)/etc/plymouth"
+    "localstatedir=\${TMPDIR}"
+    "plymouthd_confdir=${placeholder "out"}/etc/plymouth"
+    "plymouthd_defaultsdir=${placeholder "out"}/share/plymouth"
+    "sysconfdir=${placeholder "out"}/etc"
   ];
 
-  meta = with stdenv.lib; {
-    homepage = "http://www.freedesktop.org/wiki/Software/Plymouth";
-    description = "A graphical boot animation";
-    license = licenses.gpl2;
-    maintainers = [ maintainers.goibhniu ];
+  postInstall = ''
+    # Makes a symlink to /usr/share/pixmaps/system-logo-white.png
+    # We'll handle it in the nixos module.
+    rm $out/share/plymouth/themes/spinfinity/header-image.png
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.freedesktop.org/wiki/Software/Plymouth/";
+    description = "Boot splash and boot logger";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.goibhniu teams.gnome.members ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/pm-utils/default.nix b/pkgs/os-specific/linux/pm-utils/default.nix
index 1d8314923d3..17723983c69 100644
--- a/pkgs/os-specific/linux/pm-utils/default.nix
+++ b/pkgs/os-specific/linux/pm-utils/default.nix
@@ -1,12 +1,12 @@
-{ stdenv, fetchurl, coreutils, gnugrep, utillinux, kmod
+{ lib, stdenv, fetchurl, coreutils, gnugrep, util-linux, kmod
 , procps, kbd, dbus }:
 
 let
 
-  binPath = stdenv.lib.makeBinPath
-    [ coreutils gnugrep utillinux kmod procps kbd dbus ];
+  binPath = lib.makeBinPath
+    [ coreutils gnugrep util-linux kmod procps kbd dbus ];
 
-  sbinPath = stdenv.lib.makeSearchPathOutput "bin" "sbin"
+  sbinPath = lib.makeSearchPathOutput "bin" "sbin"
     [ procps ];
 
 in
@@ -49,7 +49,7 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "https://pm-utils.freedesktop.org/wiki/";
     description = "A small collection of scripts that handle suspend and resume on behalf of HAL";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/pmount/default.nix b/pkgs/os-specific/linux/pmount/default.nix
index 63d0c88c1f8..0f65e0278ca 100644
--- a/pkgs/os-specific/linux/pmount/default.nix
+++ b/pkgs/os-specific/linux/pmount/default.nix
@@ -1,11 +1,11 @@
-{ stdenv, fetchurl, intltool, ntfs3g, utillinux
+{ lib, stdenv, fetchurl, intltool, ntfs3g, util-linux
 , mediaDir ? "/media/"
 , lockDir ? "/var/lock/pmount"
 , whiteList ? "/etc/pmount.allow"
 }:
 
 # constraint mention in the configure.ac
-assert stdenv.lib.hasSuffix "/" mediaDir;
+assert lib.hasSuffix "/" mediaDir;
 
 stdenv.mkDerivation rec {
   pname = "pmount";
@@ -16,14 +16,14 @@ stdenv.mkDerivation rec {
     sha256 = "db38fc290b710e8e9e9d442da2fb627d41e13b3ee80326c15cc2595ba00ea036";
   };
 
-  buildInputs = [ intltool utillinux ];
+  buildInputs = [ intltool util-linux ];
 
   configureFlags = [
     "--with-media-dir=${mediaDir}"
     "--with-lock-dir=${lockDir}"
     "--with-whitelist=${whiteList}"
-    "--with-mount-prog=${utillinux}/bin/mount"
-    "--with-umount-prog=${utillinux}/bin/umount"
+    "--with-mount-prog=${util-linux}/bin/mount"
+    "--with-umount-prog=${util-linux}/bin/umount"
     "--with-mount-ntfs3g=${ntfs3g}/sbin/mount.ntfs-3g"
   ];
 
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "https://bazaar.launchpad.net/~fourmond/pmount/main/files";
     description = "Mount removable devices as normal user";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/policycoreutils/default.nix b/pkgs/os-specific/linux/policycoreutils/default.nix
index f9e3a7fb5d4..7e2ff29325a 100644
--- a/pkgs/os-specific/linux/policycoreutils/default.nix
+++ b/pkgs/os-specific/linux/policycoreutils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }:
+{ lib, stdenv, fetchurl, gettext, libsepol, libselinux, libsemanage }:
 
 stdenv.mkDerivation rec {
   pname = "policycoreutils";
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
     "MAN5DIR=$(out)/share/man/man5"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "SELinux policy core utilities";
     license = licenses.gpl2;
     inherit (libsepol.meta) homepage platforms maintainers;
diff --git a/pkgs/os-specific/linux/pommed-light/default.nix b/pkgs/os-specific/linux/pommed-light/default.nix
index 31697823e52..0797656f653 100644
--- a/pkgs/os-specific/linux/pommed-light/default.nix
+++ b/pkgs/os-specific/linux/pommed-light/default.nix
@@ -1,10 +1,10 @@
-{ stdenv
+{ lib, stdenv
 , fetchFromGitHub
 , pciutils
 , libconfuse
-, alsaLib
+, alsa-lib
 , audiofile
-, pkgconfig
+, pkg-config
 , zlib
 , eject
 }:
@@ -28,11 +28,11 @@ stdenv.mkDerivation rec {
     substituteInPlace pommed/cd_eject.c --replace /usr/bin/eject ${eject}/bin/eject
   '';
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [
     pciutils
     libconfuse
-    alsaLib
+    alsa-lib
     audiofile
     zlib
     eject
@@ -60,6 +60,6 @@ stdenv.mkDerivation rec {
     '';
     homepage = "https://github.com/bytbox/pommed-light";
     platforms = [ "x86_64-linux" ];
-    license = stdenv.lib.licenses.gpl2;
+    license = lib.licenses.gpl2;
   };
 }
diff --git a/pkgs/os-specific/linux/power-profiles-daemon/default.nix b/pkgs/os-specific/linux/power-profiles-daemon/default.nix
new file mode 100644
index 00000000000..03267b8e9ae
--- /dev/null
+++ b/pkgs/os-specific/linux/power-profiles-daemon/default.nix
@@ -0,0 +1,68 @@
+{ stdenv
+, lib
+, pkg-config
+, meson
+, ninja
+, fetchFromGitLab
+, libgudev
+, glib
+, gobject-introspection
+, gettext
+, gtk-doc
+, docbook-xsl-nons
+, docbook_xml_dtd_412
+, libxml2
+, libxslt
+, upower
+, systemd
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "power-profiles-daemon";
+  version = "0.8.1";
+
+  outputs = [ "out" "devdoc" ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "hadess";
+    repo = "power-profiles-daemon";
+    rev = version;
+    sha256 = "sha256-OnCUr7KWVPpYGDseBUcJD/PdOobvFnyNA97NhnKbTKY=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    gettext
+    gtk-doc
+    docbook-xsl-nons
+    docbook_xml_dtd_412
+    libxml2 # for xmllint for stripping GResources
+    libxslt # for xsltproc for building docs
+    gobject-introspection
+  ];
+
+  buildInputs = [
+    libgudev
+    systemd
+    upower
+    glib
+    (python3.withPackages (ps: with ps; [ ps.pygobject3 ])) # for cli tool
+  ];
+
+  mesonFlags = [
+    "-Dsystemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
+    "-Dgtk_doc=true"
+  ];
+
+  meta = with lib; {
+    homepage = "https://gitlab.freedesktop.org/hadess/power-profiles-daemon";
+    description = "Makes user-selected power profiles handling available over D-Bus";
+    platforms = platforms.linux;
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ mvnetbiz ];
+  };
+}
diff --git a/pkgs/os-specific/linux/powercap/default.nix b/pkgs/os-specific/linux/powercap/default.nix
new file mode 100644
index 00000000000..ad9de9f75d5
--- /dev/null
+++ b/pkgs/os-specific/linux/powercap/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, cmake }:
+
+stdenv.mkDerivation rec {
+  pname = "powercap";
+  version = "0.3.1";
+
+  src = fetchFromGitHub {
+    owner = "powercap";
+    repo = "powercap";
+    rev = "v${version}";
+    sha256 = "0f1sg1zsskcfralg9khwq7lmz25gvnyknza3bb0hmh1a9lw0jhdn";
+  };
+
+  nativeBuildInputs = [ cmake ];
+
+  cmakeFlags = [
+    "-DBUILD_SHARED_LIBS=On"
+  ];
+
+  meta = with lib; {
+    description = "Tools and library to read/write to the Linux power capping framework (sysfs interface)";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ rowanG077 ];
+  };
+}
diff --git a/pkgs/os-specific/linux/powerstat/default.nix b/pkgs/os-specific/linux/powerstat/default.nix
index 6020139ad4b..f80b7425cd4 100644
--- a/pkgs/os-specific/linux/powerstat/default.nix
+++ b/pkgs/os-specific/linux/powerstat/default.nix
@@ -2,20 +2,20 @@
 
 stdenv.mkDerivation rec {
   pname = "powerstat";
-  version = "0.02.24";
-  
+  version = "0.02.25";
+
   src = fetchurl {
     url = "https://kernel.ubuntu.com/~cking/tarballs/${pname}/${pname}-${version}.tar.gz";
-    sha256 = "0yrc1xi9flxn2mvmzp0b0vd0md5z4p8fd4y8bszc67xy12qiqy0j";
+    sha256 = "sha256-C6MCOXnElDI69QkLKd2X2SLved8cRCN0Q6BhUvvqsTY=";
   };
-  
+
   installFlags = [ "DESTDIR=${placeholder "out"}" ];
-  
+
   postInstall = ''
     mv $out/usr/* $out
     rm -r $out/usr
   '';
-  
+
   meta = with lib; {
     description = "Laptop power measuring tool";
     homepage = "https://kernel.ubuntu.com/~cking/powerstat/";
diff --git a/pkgs/os-specific/linux/powertop/default.nix b/pkgs/os-specific/linux/powertop/default.nix
index 4bf318d743e..bbcf6e390f0 100644
--- a/pkgs/os-specific/linux/powertop/default.nix
+++ b/pkgs/os-specific/linux/powertop/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, gettext, libnl, ncurses, pciutils, pkgconfig, zlib }:
+{ lib, stdenv, fetchurl, fetchpatch, gettext, libnl, ncurses, pciutils, pkg-config, zlib }:
 
 stdenv.mkDerivation rec {
   pname = "powertop";
@@ -11,10 +11,10 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "man" ];
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ gettext libnl ncurses pciutils zlib ];
 
-  patches = stdenv.lib.optional stdenv.hostPlatform.isMusl (
+  patches = lib.optional stdenv.hostPlatform.isMusl (
     fetchpatch {
       name = "strerror_r.patch";
       url = "https://git.alpinelinux.org/aports/plain/main/powertop/strerror_r.patch?id=3b9214d436f1611f297b01f72469d66bfe729d6e";
@@ -25,9 +25,10 @@ stdenv.mkDerivation rec {
   postPatch = ''
     substituteInPlace src/main.cpp --replace "/sbin/modprobe" "modprobe"
     substituteInPlace src/calibrate/calibrate.cpp --replace "/usr/bin/xset" "xset"
+    substituteInPlace src/tuning/bluetooth.cpp --replace "/usr/bin/hcitool" "hcitool"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Analyze power consumption on Intel-based laptops";
     homepage = "https://01.org/powertop";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/pps-tools/default.nix b/pkgs/os-specific/linux/pps-tools/default.nix
index fd5225c5cfe..146c9457ed3 100644
--- a/pkgs/os-specific/linux/pps-tools/default.nix
+++ b/pkgs/os-specific/linux/pps-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   baseName = "pps-tools";
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
     rm -rf $out/usr/
   '';
 
-  meta = with stdenv.lib;{
+  meta = with lib;{
     description = "User-space tools for LinuxPPS";
     homepage = "http://linuxpps.org/";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/prl-tools/default.nix b/pkgs/os-specific/linux/prl-tools/default.nix
index e71dcb497a2..431e0ed58b1 100644
--- a/pkgs/os-specific/linux/prl-tools/default.nix
+++ b/pkgs/os-specific/linux/prl-tools/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, makeWrapper, p7zip
-, gawk, utillinux, xorg, glib, dbus-glib, zlib
+, gawk, util-linux, xorg, glib, dbus-glib, zlib
 , kernel ? null, libsOnly ? false
 , undmg, fetchurl
 }:
@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
 
   kernelVersion = if libsOnly then "" else lib.getName kernel.name;
   kernelDir = if libsOnly then "" else "${kernel.dev}/lib/modules/${kernelVersion}";
-  scriptPath = lib.concatStringsSep ":" (lib.optionals (!libsOnly) [ "${utillinux}/bin" "${gawk}/bin" ]);
+  scriptPath = lib.concatStringsSep ":" (lib.optionals (!libsOnly) [ "${util-linux}/bin" "${gawk}/bin" ]);
 
   buildPhase = ''
     if test -z "$libsOnly"; then
@@ -64,7 +64,7 @@ stdenv.mkDerivation rec {
   '';
 
   libPath = with xorg;
-            stdenv.lib.makeLibraryPath ([ stdenv.cc.cc libXrandr libXext libX11 libXcomposite libXinerama ]
+            lib.makeLibraryPath ([ stdenv.cc.cc libXrandr libXext libX11 libXcomposite libXinerama ]
             ++ lib.optionals (!libsOnly) [ libXi glib dbus-glib zlib ]);
 
 
@@ -156,7 +156,7 @@ stdenv.mkDerivation rec {
   dontStrip = true;
   dontPatchELF = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Parallels Tools for Linux guests";
     homepage = "https://parallels.com";
     platforms = [ "i686-linux" "x86_64-linux" ];
diff --git a/pkgs/os-specific/linux/procdump/default.nix b/pkgs/os-specific/linux/procdump/default.nix
index 74ee1533e46..75ca2cb165e 100644
--- a/pkgs/os-specific/linux/procdump/default.nix
+++ b/pkgs/os-specific/linux/procdump/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, bash, coreutils, gdb, zlib }:
+{ lib, stdenv, fetchFromGitHub, bash, coreutils, gdb, zlib }:
 
 stdenv.mkDerivation rec {
   pname = "procdump";
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     runHook postInstallCheck
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A Linux version of the ProcDump Sysinternals tool";
     homepage = "https://github.com/Microsoft/ProcDump-for-Linux";
     license = licenses.mit;
diff --git a/pkgs/os-specific/linux/procps-ng/default.nix b/pkgs/os-specific/linux/procps-ng/default.nix
index 466e66a8713..1d19d915117 100644
--- a/pkgs/os-specific/linux/procps-ng/default.nix
+++ b/pkgs/os-specific/linux/procps-ng/default.nix
@@ -1,14 +1,19 @@
-{ lib, stdenv, fetchurl, ncurses, pkgconfig
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, ncurses
+, pkg-config
 
-# `ps` with systemd support is able to properly report different
-# attributes like unit name, so we want to have it on linux.
+  # `ps` with systemd support is able to properly report different
+  # attributes like unit name, so we want to have it on linux.
 , withSystemd ? stdenv.isLinux
-, systemd ? null
+, systemd
 
-# procps is mostly Linux-only. Most commands require a running Linux
-# system (or very similar like that found in Cygwin). The one
-# exception is ‘watch’ which is portable enough to run on pretty much
-# any UNIX-compatible system.
+  # procps is mostly Linux-only. Most commands require a running Linux
+  # system (or very similar like that found in Cygwin). The one
+  # exception is ‘watch’ which is portable enough to run on pretty much
+  # any UNIX-compatible system.
 , watchOnly ? !(stdenv.isLinux || stdenv.isCygwin)
 }:
 
@@ -22,33 +27,42 @@ stdenv.mkDerivation rec {
     sha256 = "1br0g93ysqhlv13i1k4lfbimsgxnpy5rgs4lxfc9rkzdbpbaqplj";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "https://gitlab.com/procps-ng/procps/-/commit/bb96fc42956c9ed926a1b958ab715f8b4a663dec.diff";
+      sha256 = "0fzsb6ns3fvrszyzsz28qvbmcn135ilr4nwh2z1a0vlpl2fw961z";
+      name = "sysconf-argmax-sanity.patch";
+    })
+  ];
+
   buildInputs = [ ncurses ]
     ++ lib.optional withSystemd systemd;
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
 
   makeFlags = [ "usrbin_execdir=$(out)/bin" ]
-    ++ lib.optionals watchOnly [ "watch" "PKG_LDFLAGS="];
+    ++ lib.optionals watchOnly [ "watch" "PKG_LDFLAGS=" ];
 
   enableParallelBuilding = true;
 
   # Too red
   configureFlags = [ "--disable-modern-top" ]
     ++ lib.optional withSystemd "--with-systemd"
-    ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform)
-    [ "ac_cv_func_malloc_0_nonnull=yes"
-      "ac_cv_func_realloc_0_nonnull=yes" ];
+    ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ];
 
-  installPhase = if watchOnly then ''
+  installPhase = lib.optionalString watchOnly ''
     install -m 0755 -D watch $out/bin/watch
     install -m 0644 -D watch.1 $out/share/man/man1/watch.1
-  '' else null;
+  '';
 
-  meta = {
+  meta = with lib; {
     homepage = "https://gitlab.com/procps-ng/procps";
     description = "Utilities that give information about processes using the /proc filesystem";
     priority = 11; # less than coreutils, which also provides "kill" and "uptime"
-    license = lib.licenses.gpl2;
-    platforms = lib.platforms.unix;
-    maintainers = [ lib.maintainers.typetetris ];
+    license = licenses.gpl2;
+    platforms = platforms.unix;
+    maintainers = [ maintainers.typetetris ];
   };
 }
diff --git a/pkgs/os-specific/linux/pscircle/default.nix b/pkgs/os-specific/linux/pscircle/default.nix
index 9dd4ba6cd37..ef7dbc55a9a 100644
--- a/pkgs/os-specific/linux/pscircle/default.nix
+++ b/pkgs/os-specific/linux/pscircle/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitLab, meson, pkgconfig, ninja, cairo }:
+{ lib, stdenv, fetchFromGitLab, meson, pkg-config, ninja, cairo }:
 
 stdenv.mkDerivation rec {
   pname = "pscircle";
@@ -13,12 +13,12 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
       meson
-      pkgconfig
+      pkg-config
       cairo
       ninja
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://gitlab.com/mildlyparallel/pscircle";
     description = "Visualize Linux processes in a form of a radial tree";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/psftools/default.nix b/pkgs/os-specific/linux/psftools/default.nix
new file mode 100644
index 00000000000..f7bcc2fd6ad
--- /dev/null
+++ b/pkgs/os-specific/linux/psftools/default.nix
@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchurl }:
+stdenv.mkDerivation rec {
+  pname = "psftools";
+  version = "1.0.14";
+  src = fetchurl {
+    url = "https://www.seasip.info/Unix/PSF/${pname}-${version}.tar.gz";
+    sha256 = "17nia5n5rabbh42gz51c8y53rjwddria4j3wvzk8dd0llj7k1y6w";
+  };
+  outputs = ["out" "man" "dev" "lib"];
+
+  meta = with lib; {
+    homepage = "https://www.seasip.info/Unix/PSF";
+    description = "Conversion tools for .PSF fonts";
+    longDescription = ''
+      The PSFTOOLS are designed to manipulate fixed-width bitmap fonts,
+      such as DOS or Linux console fonts. Both the PSF1 (8 pixels wide)
+      and PSF2 (any width) formats are supported; the default output
+      format is PSF2.
+    '';
+    platforms = platforms.unix;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ kaction ];
+  };
+}
diff --git a/pkgs/os-specific/linux/psmisc/default.nix b/pkgs/os-specific/linux/psmisc/default.nix
index 4379ee3ae49..4cf3e1f7dd1 100644
--- a/pkgs/os-specific/linux/psmisc/default.nix
+++ b/pkgs/os-specific/linux/psmisc/default.nix
@@ -1,20 +1,20 @@
-{stdenv, fetchFromGitLab, autoconf, automake, gettext, ncurses}:
+{lib, stdenv, fetchFromGitLab, autoconf, automake, gettext, ncurses}:
 
 stdenv.mkDerivation rec {
   pname = "psmisc";
-  version = "23.3";
+  version = "23.4";
 
   src = fetchFromGitLab {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    sha256 = "1132xvrldv0dar2mf221mv5kvajq0v6yrq8k3nl0wslnh5baa0r0";
+    sha256 = "sha256-s7omgtsNooYqhr4JUTZ6WCtPaZVC1ujJGz6KxUBWIs8=";
   };
 
   nativeBuildInputs = [ autoconf automake gettext ];
   buildInputs = [ ncurses ];
 
-  preConfigure = stdenv.lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
+  preConfigure = lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
     # Goes past the rpl_malloc linking failure
     export ac_cv_func_malloc_0_nonnull=yes
     export ac_cv_func_realloc_0_nonnull=yes
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     ./autogen.sh
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://gitlab.com/psmisc/psmisc";
     description = "A set of small useful utilities that use the proc filesystem (such as fuser, killall and pstree)";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/r8125/default.nix b/pkgs/os-specific/linux/r8125/default.nix
index 8cdf11f80ad..30f8da7d5f4 100644
--- a/pkgs/os-specific/linux/r8125/default.nix
+++ b/pkgs/os-specific/linux/r8125/default.nix
@@ -4,16 +4,16 @@ stdenv.mkDerivation rec {
   pname = "r8125";
   # On update please verify (using `diff -r`) that the source matches the
   # realtek version.
-  version = "9.003.05";
+  version = "9.004.01";
 
   # This is a mirror. The original website[1] doesn't allow non-interactive
   # downloads, instead emailing you a download link.
   # [1] https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software
   src = fetchFromGitHub {
-    owner = "ibmibmibm";
+    owner = "louistakepillz";
     repo = "r8125";
     rev = version;
-    sha256 = "016vh997xjs01si0zzs572vgflq3czxd0v4m7h1m3qxcv2cvq7i0";
+    sha256 = "0h2y4mzydhc7var5281bk2jj1knig6i64k11ii4b94az3g9dbq24";
   };
 
   hardeningDisable = [ "pic" ];
@@ -32,12 +32,14 @@ stdenv.mkDerivation rec {
   buildFlags = [ "modules" ];
 
   meta = with lib; {
-    homepage = "https://github.com/ibmibmibm/r8125";
+    homepage = "https://github.com/louistakepillz/r8125";
     downloadPage = "https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software";
     description = "Realtek r8125 driver";
     longDescription = ''
       A kernel module for Realtek 8125 2.5G network cards.
     '';
+    # r8125 has been integrated into the kernel as of v5.9.1
+    broken = lib.versionAtLeast kernel.version "5.9.1";
     license = licenses.gpl2Plus;
     platforms = platforms.linux;
     maintainers = with maintainers; [ peelz ];
diff --git a/pkgs/os-specific/linux/r8168/default.nix b/pkgs/os-specific/linux/r8168/default.nix
index b3d8965704f..91e15db2eeb 100644
--- a/pkgs/os-specific/linux/r8168/default.nix
+++ b/pkgs/os-specific/linux/r8168/default.nix
@@ -6,7 +6,7 @@ let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wi
 in stdenv.mkDerivation rec {
   name = "r8168-${kernel.version}-${version}";
   # on update please verify that the source matches the realtek version
-  version = "8.047.04";
+  version = "8.048.03";
 
   # This is a mirror. The original website[1] doesn't allow non-interactive
   # downloads, instead emailing you a download link.
@@ -17,7 +17,7 @@ in stdenv.mkDerivation rec {
     owner = "mtorromeo";
     repo = "r8168";
     rev = version;
-    sha256 = "1rni8jimwdhyx75603mdcylrdxgfwfpyprf1lf5x5cli2i4bbijg";
+    sha256 = "1l8llpcnapcaafxp7wlyny2ywh7k6q5zygwwjl9h0l6p04cghss4";
   };
 
   hardeningDisable = [ "pic" ];
@@ -29,8 +29,8 @@ in stdenv.mkDerivation rec {
   # based on the ArchLinux pkgbuild: https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/r8168
   preBuild = ''
     makeFlagsArray+=("-C${kernel.dev}/lib/modules/${kernel.modDirVersion}/build")
-    makeFlagsArray+=("SUBDIRS=$PWD/src")
-    makeFlagsArray+=("EXTRA_CFLAGS=-DCONFIG_R8168_NAPI -DCONFIG_R8168_VLAN")
+    makeFlagsArray+=("M=$PWD/src")
+    makeFlagsArray+=("EXTRA_CFLAGS=-DCONFIG_R8168_NAPI -DCONFIG_R8168_VLAN -DCONFIG_ASPM -DENABLE_S5WOL -DENABLE_EEE")
     makeFlagsArray+=("modules")
   '';
 
diff --git a/pkgs/os-specific/linux/radeontools/default.nix b/pkgs/os-specific/linux/radeontools/default.nix
index d2c3c11c939..01b83f87911 100644
--- a/pkgs/os-specific/linux/radeontools/default.nix
+++ b/pkgs/os-specific/linux/radeontools/default.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchurl
+{ lib, stdenv, fetchurl
 , autoreconfHook
 , pciutils
-, pkgconfig
+, pkg-config
 , xorg
 }:
 
@@ -14,10 +14,10 @@ stdenv.mkDerivation rec {
     sha256 = "0mjk9wr9rsb17yy92j6yi16hfpa6v5r1dbyiy60zp4r125wr63za";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ xorg.libpciaccess ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Lowlevel tools to tweak register and dump state on radeon GPUs";
     homepage = "https://airlied.livejournal.com/";
     license = licenses.zlib;
diff --git a/pkgs/os-specific/linux/radeontop/default.nix b/pkgs/os-specific/linux/radeontop/default.nix
index 3d26914d4f9..b172fad6adc 100644
--- a/pkgs/os-specific/linux/radeontop/default.nix
+++ b/pkgs/os-specific/linux/radeontop/default.nix
@@ -1,19 +1,19 @@
-{ stdenv, fetchFromGitHub, pkgconfig, gettext, makeWrapper
+{ lib, stdenv, fetchFromGitHub, pkg-config, gettext, makeWrapper
 , ncurses, libdrm, libpciaccess, libxcb }:
 
 stdenv.mkDerivation rec {
   pname = "radeontop";
-  version = "2019-06-03";
+  version = "1.3";
 
   src = fetchFromGitHub {
-    sha256 = "1b1m30r2nfwqkajqw6m01xmfhlq83z1qylyijxg7962mp9x2k0gw";
-    rev = "v1.2";
+    sha256 = "sha256-tnIxM0+RfOIt714fEUWRP/4rEPHaOuCZFit9/RPdxis=";
+    rev = "v${version}";
     repo = "radeontop";
     owner = "clbr";
   };
 
   buildInputs = [ ncurses libdrm libpciaccess libxcb ];
-  nativeBuildInputs = [ pkgconfig gettext makeWrapper ];
+  nativeBuildInputs = [ pkg-config gettext makeWrapper ];
 
   enableParallelBuilding = true;
 
@@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
       --prefix LD_LIBRARY_PATH : $out/lib
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Top-like tool for viewing AMD Radeon GPU utilization";
     longDescription = ''
       View GPU utilization, both for the total activity percent and individual
@@ -40,6 +40,5 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/clbr/radeontop";
     platforms = platforms.linux;
     license = licenses.gpl3;
-    maintainers = with maintainers; [ rycee ];
   };
 }
diff --git a/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix b/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix
new file mode 100644
index 00000000000..5113d3c1070
--- /dev/null
+++ b/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix
@@ -0,0 +1,55 @@
+{ stdenvNoCC, lib, fetchFromGitHub, makeWrapper
+, python3, binutils-unwrapped, findutils, kmod, pciutils, libraspberrypi
+}:
+stdenvNoCC.mkDerivation rec {
+  pname = "raspberrypi-eeprom";
+  version = "2021.04.29-138a1";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "rpi-eeprom";
+    rev = "v${version}";
+    sha256 = "sha256-nzAMPa4gqCAcROFa7z34IoMA3aoMHX9fYCsPFde9dac=";
+  };
+
+  buildInputs = [ python3 ];
+  nativeBuildInputs = [ makeWrapper ];
+
+  postPatch = ''
+    # Don't try to verify md5 signatures from /var/lib/dpkg and
+    # fix path to the configuration.
+    substituteInPlace rpi-eeprom-update \
+      --replace 'IGNORE_DPKG_CHECKSUMS=''${LOCAL_MODE}' 'IGNORE_DPKG_CHECKSUMS=1' \
+      --replace '/etc/default' '/etc'
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/share/rpi-eeprom
+
+    cp rpi-eeprom-config rpi-eeprom-update $out/bin
+    cp -r firmware/{beta,critical,old,stable} $out/share/rpi-eeprom
+  '';
+
+  fixupPhase = ''
+    patchShebangs $out/bin
+    wrapProgram $out/bin/rpi-eeprom-update \
+      --set FIRMWARE_ROOT $out/share/rpi-eeprom \
+      ${lib.optionalString stdenvNoCC.isAarch64 "--set VCMAILBOX ${libraspberrypi}/bin/vcmailbox"} \
+      --prefix PATH : "${lib.makeBinPath ([
+        binutils-unwrapped
+        findutils
+        kmod
+        pciutils
+        (placeholder "out")
+      ] ++ lib.optionals stdenvNoCC.isAarch64 [
+        libraspberrypi
+      ])}"
+  '';
+
+  meta = with lib; {
+    description = "Installation scripts and binaries for the closed sourced Raspberry Pi 4 EEPROMs";
+    homepage = "https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md";
+    license = with licenses; [ bsd3 unfreeRedistributableFirmware ];
+    maintainers = with maintainers; [ das_j ];
+  };
+}
diff --git a/pkgs/os-specific/linux/rdma-core/default.nix b/pkgs/os-specific/linux/rdma-core/default.nix
index b1770a4d618..25a8f3bdafa 100644
--- a/pkgs/os-specific/linux/rdma-core/default.nix
+++ b/pkgs/os-specific/linux/rdma-core/default.nix
@@ -1,10 +1,9 @@
-{ stdenv, fetchFromGitHub, cmake, pkgconfig, docutils
-, pandoc, ethtool, iproute, libnl, udev, python, perl
-, makeWrapper
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, docutils
+, pandoc, ethtool, iproute2, libnl, udev, python3, perl
 } :
 
 let
-  version = "30.0";
+  version = "35.0";
 
 in stdenv.mkDerivation {
   pname = "rdma-core";
@@ -14,11 +13,11 @@ in stdenv.mkDerivation {
     owner = "linux-rdma";
     repo = "rdma-core";
     rev = "v${version}";
-    sha256 = "1czfh6s0qz2cv2k7ha7nr9qiwcrj5lvwqnvyrvsds463m8ndpg12";
+    sha256 = "0ra0m1s0029qgcq0li7md6pkri7pcc4iy3cd6jrrqs9c6n1clnnd";
   };
 
-  nativeBuildInputs = [ cmake pkgconfig pandoc docutils makeWrapper ];
-  buildInputs = [ libnl ethtool iproute udev python perl ];
+  nativeBuildInputs = [ cmake pkg-config pandoc docutils ];
+  buildInputs = [ libnl ethtool iproute2 udev python3 perl ];
 
   cmakeFlags = [
     "-DCMAKE_INSTALL_RUNDIR=/run"
@@ -39,14 +38,15 @@ in stdenv.mkDerivation {
   postFixup = ''
     for pls in $out/bin/{ibfindnodesusing.pl,ibidsverify.pl}; do
       echo "wrapping $pls"
-      wrapProgram $pls --prefix PERL5LIB : "$out/${perl.libPrefix}"
+      substituteInPlace $pls --replace \
+        "${perl}/bin/perl" "${perl}/bin/perl -I $out/${perl.libPrefix}"
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "RDMA Core Userspace Libraries and Daemons";
     homepage = "https://github.com/linux-rdma/rdma-core";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
     maintainers = with maintainers; [ markuskowa ];
   };
diff --git a/pkgs/os-specific/linux/read-edid/default.nix b/pkgs/os-specific/linux/read-edid/default.nix
index 36020d831ac..24ad0674976 100644
--- a/pkgs/os-specific/linux/read-edid/default.nix
+++ b/pkgs/os-specific/linux/read-edid/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     substituteInPlace CMakeLists.txt --replace 'COPYING' 'LICENSE'
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tool for reading and parsing EDID data from monitors";
     homepage = "http://www.polypux.org/projects/read-edid/";
     license = licenses.bsd2; # Quoted: "This is an unofficial license. Let's call it BSD-like."
diff --git a/pkgs/os-specific/linux/regionset/default.nix b/pkgs/os-specific/linux/regionset/default.nix
index 15030d1b19a..f685eec1948 100644
--- a/pkgs/os-specific/linux/regionset/default.nix
+++ b/pkgs/os-specific/linux/regionset/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 let version = "0.2"; in
 stdenv.mkDerivation {
@@ -15,7 +15,7 @@ stdenv.mkDerivation {
     install -Dm644 {.,$out/share/man/man8}/regionset.8
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit version;
     homepage = "http://linvdr.org/projects/regionset/";
     description = "Tool for changing the region code setting of DVD players";
diff --git a/pkgs/os-specific/linux/rewritefs/default.nix b/pkgs/os-specific/linux/rewritefs/default.nix
index a852e43b38f..161db99114b 100644
--- a/pkgs/os-specific/linux/rewritefs/default.nix
+++ b/pkgs/os-specific/linux/rewritefs/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, pkgconfig, fuse, pcre }: 
+{ lib, stdenv, fetchFromGitHub, pkg-config, fuse, pcre }:
 
 stdenv.mkDerivation {
   pname = "rewritefs";
@@ -10,8 +10,8 @@ stdenv.mkDerivation {
     rev    = "33fb844d8e8ff441a3fc80d2715e8c64f8563d81";
     sha256 = "15bcxprkxf0xqxljsqhb0jpi7p1vwqcb00sjs7nzrj7vh2p7mqla";
   };
- 
-  nativeBuildInputs = [ pkgconfig ];
+
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ fuse pcre ];
 
   prePatch = ''
@@ -21,7 +21,7 @@ stdenv.mkDerivation {
 
   preConfigure = "substituteInPlace Makefile --replace /usr/local $out";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = ''A FUSE filesystem intended to be used
       like Apache mod_rewrite'';
     homepage    = "https://github.com/sloonz/rewritefs";
diff --git a/pkgs/os-specific/linux/rfkill/udev.nix b/pkgs/os-specific/linux/rfkill/udev.nix
index a24c947673d..e1a14a80162 100644
--- a/pkgs/os-specific/linux/rfkill/udev.nix
+++ b/pkgs/os-specific/linux/rfkill/udev.nix
@@ -1,4 +1,4 @@
-{ stdenv, substituteAll }:
+{ lib, stdenv, substituteAll }:
 
 # Provides a facility to hook into rfkill changes.
 #
@@ -47,7 +47,7 @@ in stdenv.mkDerivation {
     cp ${rfkillHook} "$out/bin/rfkill-hook.sh"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://wireless.kernel.org/en/users/Documentation/rfkill";
     description = "Rules+hook for udev to catch rfkill state changes";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/roccat-tools/default.nix b/pkgs/os-specific/linux/roccat-tools/default.nix
index f8a1b836a6c..1eba2511b98 100644
--- a/pkgs/os-specific/linux/roccat-tools/default.nix
+++ b/pkgs/os-specific/linux/roccat-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cmake, pkgconfig, gettext
+{ lib, stdenv, fetchurl, cmake, pkg-config, gettext
 , dbus, dbus-glib, libgaminggear, libgudev, lua
 , harfbuzz
 }:
@@ -21,11 +21,9 @@ stdenv.mkDerivation rec {
     }' libroccat/roccat_helper.c
   '';
 
-  nativeBuildInputs = [ cmake pkgconfig gettext ];
+  nativeBuildInputs = [ cmake pkg-config gettext ];
   buildInputs = [ dbus dbus-glib libgaminggear libgudev lua ];
 
-  enableParallelBuilding = true;
-
   cmakeFlags = [
     "-DUDEVDIR=\${out}/lib/udev/rules.d"
     "-DCMAKE_MODULE_PATH=${libgaminggear.dev}/lib/cmake"
@@ -38,7 +36,7 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Tools to configure ROCCAT devices";
     homepage = "http://roccat.sourceforge.net/";
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/rtkit/default.nix b/pkgs/os-specific/linux/rtkit/default.nix
index b3f73e6c3bb..fb41863c431 100644
--- a/pkgs/os-specific/linux/rtkit/default.nix
+++ b/pkgs/os-specific/linux/rtkit/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchFromGitHub, fetchpatch
-, meson, ninja, pkgconfig, unixtools
+{ lib, stdenv, fetchFromGitHub, fetchpatch
+, meson, ninja, pkg-config, unixtools
 , dbus, libcap, polkit, systemd
 }:
 
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  nativeBuildInputs = [ meson ninja pkgconfig unixtools.xxd ];
+  nativeBuildInputs = [ meson ninja pkg-config unixtools.xxd ];
   buildInputs = [ dbus libcap polkit systemd ];
 
   mesonFlags = [
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     "-Dsystemd_systemunitdir=${placeholder "out"}/etc/systemd/system"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/heftig/rtkit";
     description = "A daemon that hands out real-time priority to processes";
     license = with licenses; [ gpl3 bsd0 ]; # lib is bsd license
diff --git a/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix b/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix
new file mode 100644
index 00000000000..93a91f0447a
--- /dev/null
+++ b/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
+stdenv.mkDerivation {
+  pname = "rtl8188eus-aircrack";
+  version = "${kernel.version}-unstable-2021-05-04";
+
+  src = fetchFromGitHub {
+    owner = "aircrack-ng";
+    repo = "rtl8188eus";
+    rev = "6146193406b62e942d13d4d43580ed94ac70c218";
+    sha256 = "sha256-85STELbFB7QmTaM8GvJNlWvAg6KPAXeYRiMb4cGA6RY=";
+  };
+
+  nativeBuildInputs = [ bc ];
+
+  buildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  meta = with lib; {
+    description = "RealTek RTL8188eus WiFi driver with monitor mode & frame injection support";
+    homepage = "https://github.com/aircrack-ng/rtl8188eus";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fortuneteller2k ];
+    broken = kernel.isHardened;
+  };
+}
diff --git a/pkgs/os-specific/linux/rtl8192eu/default.nix b/pkgs/os-specific/linux/rtl8192eu/default.nix
index c6527ac285d..b66a56a8f8b 100644
--- a/pkgs/os-specific/linux/rtl8192eu/default.nix
+++ b/pkgs/os-specific/linux/rtl8192eu/default.nix
@@ -5,37 +5,40 @@ with lib;
 let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtl8192eu";
 
 in stdenv.mkDerivation rec {
-  name = "rtl8192eu-${kernel.version}-${version}";
-  version = "4.4.1.20200620";
+  pname = "rtl8192eu";
+  version = "${kernel.version}-4.4.1.20210403";
 
   src = fetchFromGitHub {
     owner = "Mange";
     repo = "rtl8192eu-linux-driver";
-    rev = "925ac2be34dd608a7ca42daebf9713f0c1bcec74";
-    sha256 = "159vg0scq47wnn600karpgzx3naaiyl1rg8608c8d28nhm62gvjz";
+    rev = "ab35c7e9672f37d75b7559758c99f6d027607687";
+    sha256 = "sha256-sTIaye4oWNYEnNuXlrTLobaFKXzBLsfJXdJuc10EdJI=";
   };
 
   hardeningDisable = [ "pic" ];
 
-  nativeBuildInputs = kernel.moduleBuildDependencies;
-
-  buildInputs = [ bc ];
+  nativeBuildInputs = kernel.moduleBuildDependencies ++ [ bc ];
 
   makeFlags = [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
 
   enableParallelBuilding = true;
 
   installPhase = ''
+    runHook preInstall
+
     mkdir -p ${modDestDir}
     find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
     find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
   '';
 
-  meta = {
+  meta = with lib; {
     description = "Realtek rtl8192eu driver";
     homepage = "https://github.com/Mange/rtl8192eu-linux-driver";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    broken = stdenv.hostPlatform.isAarch64;
     maintainers = with maintainers; [ troydm ];
   };
 }
diff --git a/pkgs/os-specific/linux/rtl8723bs/default.nix b/pkgs/os-specific/linux/rtl8723bs/default.nix
index 323d6a82073..a862b351716 100644
--- a/pkgs/os-specific/linux/rtl8723bs/default.nix
+++ b/pkgs/os-specific/linux/rtl8723bs/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchFromGitHub, nukeReferences, kernel }:
-with stdenv.lib;
+{ lib, stdenv, fetchFromGitHub, nukeReferences, kernel }:
+with lib;
 stdenv.mkDerivation rec {
   name = "rtl8723bs-${kernel.version}-${version}";
   version = "2017-04-06";
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ nukeReferences ];
 
   makeFlags = [
-    "ARCH=${stdenv.hostPlatform.platform.kernelArch}" # Normally not needed, but the Makefile sets ARCH in a broken way.
+    "ARCH=${stdenv.hostPlatform.linuxArch}" # Normally not needed, but the Makefile sets ARCH in a broken way.
     "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" # Makefile uses $(uname -r); breaks us.
   ];
 
@@ -33,8 +33,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Realtek SDIO Wi-Fi driver";
     homepage = "https://github.com/hadess/rtl8723bs";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
     broken = (! versionOlder kernel.version "4.12"); # Now in kernel staging drivers
     maintainers = with maintainers; [ elitak ];
   };
diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix
index cb93c635afe..43396a99b96 100644
--- a/pkgs/os-specific/linux/rtl8812au/default.nix
+++ b/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -1,34 +1,36 @@
-{ stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
+{ lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
 
 stdenv.mkDerivation rec {
-  name = "rtl8812au-${kernel.version}-${version}";
-  version = "5.6.4.2_35491.20200318";
+  pname = "rtl8812au";
+  version = "${kernel.version}-5.9.3.2.20210427";
 
   src = fetchFromGitHub {
     owner = "gordboy";
-    repo = "rtl8812au-5.6.4.2";
-    rev = "49e98ff9bfdbe2ddce843808713de383132002e0";
-    sha256 = "0f4isqasm9rli5v6a7xpphyh509wdxs1zcfvgdsnyhnv8amhqxgs";
+    repo = "rtl8812au-5.9.3.2";
+    rev = "6ef5d8fcdb0b94b7490a9a38353877708fca2cd4";
+    sha256 = "sha256-czExf4z0nf7XEJ1YnRSB3CrGV6NTmUKDiZjLmrh6Hwo=";
   };
 
   nativeBuildInputs = [ bc nukeReferences ];
+
   buildInputs = kernel.moduleBuildDependencies;
 
   hardeningDisable = [ "pic" "format" ];
 
   prePatch = ''
-    substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/"
-    substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}"
-    substituteInPlace ./Makefile --replace /sbin/depmod \#
-    substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
 
   makeFlags = [
-    "ARCH=${stdenv.hostPlatform.platform.kernelArch}"
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
     "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
     ("CONFIG_PLATFORM_I386_PC=" + (if (stdenv.hostPlatform.isi686 || stdenv.hostPlatform.isx86_64) then "y" else "n"))
     ("CONFIG_PLATFORM_ARM_RPI=" + (if (stdenv.hostPlatform.isAarch32 || stdenv.hostPlatform.isAarch64) then "y" else "n"))
-  ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
     "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
   ];
 
@@ -40,11 +42,12 @@ stdenv.mkDerivation rec {
     nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod";
-    homepage = "https://github.com/zebulon2/rtl8812au-driver-5.2.20";
-    license = licenses.gpl2;
+    homepage = "https://github.com/gordboy/rtl8812au-5.9.3.2";
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ danielfullmer ];
+    maintainers = with maintainers; [ fortuneteller2k ];
+    broken = kernel.kernelOlder "4.10" || kernel.isHardened;
   };
 }
diff --git a/pkgs/os-specific/linux/rtl8814au/default.nix b/pkgs/os-specific/linux/rtl8814au/default.nix
index 99d22e2f999..2b0fb9622a4 100644
--- a/pkgs/os-specific/linux/rtl8814au/default.nix
+++ b/pkgs/os-specific/linux/rtl8814au/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
-stdenv.mkDerivation rec {
-  name = "rtl8814au-${kernel.version}-${version}";
-  version = "4.3.21";
+stdenv.mkDerivation {
+  pname = "rtl8814au";
+  version = "${kernel.version}-unstable-2021-05-18";
 
   src = fetchFromGitHub {
-    owner = "zebulon2";
-    repo = "rtl8814au";
-    rev = "a58c56a5a6cb99ffb872f07cb67b68197911854f";
-    sha256 = "1ffm67da183nz009gm5v9w1bab081hrm113kk8knl9s5qbqnn13q";
+    owner = "morrownr";
+    repo = "8814au";
+    rev = "388786c864f9b1437fc4d934b1eccf6d7f1e1355";
+    sha256 = "sha256-2EnheODPFWTGN/fz45LWRSOGeV6pTENEUrehahj+PJ4=";
   };
 
   buildInputs = kernel.moduleBuildDependencies;
@@ -29,11 +29,10 @@ stdenv.mkDerivation rec {
     mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Realtek 8814AU USB WiFi driver";
-    homepage = "https://github.com/zebulon2/rtl8814au";
-    license = licenses.gpl2;
+    homepage = "https://github.com/morrownr/8814au";
+    license = licenses.gpl2Only;
     maintainers = [ maintainers.lassulus ];
-    platforms = [ "x86_64-linux" "i686-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/rtl8821au/default.nix b/pkgs/os-specific/linux/rtl8821au/default.nix
index f3d68cf7919..08e097b0d5f 100644
--- a/pkgs/os-specific/linux/rtl8821au/default.nix
+++ b/pkgs/os-specific/linux/rtl8821au/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
+{ lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
 
 stdenv.mkDerivation rec {
-  name = "rtl8821au-${kernel.version}-${version}";
-  version = "5.1.5+41";
+  pname = "rtl8821au";
+  version = "${kernel.version}-unstable-2021-05-18";
 
   src = fetchFromGitHub {
-    owner = "zebulon2";
-    repo = "rtl8812au";
-    rev = "ecd3494c327c54110d21346ca335ef9e351cb0be";
-    sha256 = "1kmdxgbh0s0v9809kdsi39p0jbm5cf10ivy40h8qj9hn70g1gw8q";
+    owner = "morrownr";
+    repo = "8821au";
+    rev = "6f6a9d5772bb2b75f18374c01c82c6b3e8e3244d";
+    sha256 = "sha256-RqtLR3sNcLXhUrNloSTRKubL1SVwzbVe73AsBYYSXNE=";
   };
 
   nativeBuildInputs = [ bc nukeReferences ];
@@ -34,10 +34,10 @@ stdenv.mkDerivation rec {
     nuke-refs $out/lib/modules/*/kernel/net/wireless/*.ko
   '';
 
-  meta = with stdenv.lib; {
-    description = "rtl8821AU, rtl8812AU and rtl8811AU chipset driver with firmware";
-    homepage = "https://github.com/zebulon2/rtl8812au";
-    license = licenses.gpl2;
+  meta = with lib; {
+    description = "rtl8821AU and rtl8812AU chipset driver with firmware";
+    homepage = "https://github.com/morrownr/8821au";
+    license = licenses.gpl2Only;
     platforms = [ "x86_64-linux" "i686-linux" ];
     maintainers = with maintainers; [ plchldr ];
   };
diff --git a/pkgs/os-specific/linux/rtl8821ce/default.nix b/pkgs/os-specific/linux/rtl8821ce/default.nix
index ae6586262a5..b4def6f001c 100644
--- a/pkgs/os-specific/linux/rtl8821ce/default.nix
+++ b/pkgs/os-specific/linux/rtl8821ce/default.nix
@@ -1,13 +1,14 @@
-{ stdenv, fetchFromGitHub, kernel, bc }:
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
 stdenv.mkDerivation rec {
-  name = "rtl8821ce-${kernel.version}-${version}";
-  version = "5.5.2_34066.20200325";
+  pname = "rtl8821ce";
+  version = "${kernel.version}-unstable-2021-05-28";
 
   src = fetchFromGitHub {
     owner = "tomaspinho";
     repo = "rtl8821ce";
-    rev = "8d7edbe6a78fd79cfab85d599dad9dc34138abd1";
-    sha256 = "1hsf8lqjnkrkvk0gps8yb3lx72mvws6xbgkbdmgdkz7qdxmha8bp";
+    rev = "f93db734666f75ebf65e44ceb943c19b598b1647";
+    sha256 = "sha256-cqXV52U+6Jl9Jje1nEOYDvmH4rgA1QdrwNCfYeul3hU=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -27,11 +28,12 @@ stdenv.mkDerivation rec {
     mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Realtek rtl8821ce driver";
     homepage = "https://github.com/tomaspinho/rtl8821ce";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ hhm samuelgrf ];
+    broken = stdenv.isAarch64;
+    maintainers = with maintainers; [ hhm ];
   };
 }
diff --git a/pkgs/os-specific/linux/rtl8821cu/default.nix b/pkgs/os-specific/linux/rtl8821cu/default.nix
index 62ea8aaaab5..556fd793915 100644
--- a/pkgs/os-specific/linux/rtl8821cu/default.nix
+++ b/pkgs/os-specific/linux/rtl8821cu/default.nix
@@ -1,13 +1,14 @@
-{ stdenv, fetchFromGitHub, kernel, bc }:
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
 stdenv.mkDerivation rec {
-  name = "rtl8821cu-${kernel.version}-${version}";
-  version = "unstable-2020-05-16";
+  pname = "rtl8821cu";
+  version = "${kernel.version}-unstable-2021-05-19";
 
   src = fetchFromGitHub {
-    owner = "brektrou";
-    repo = "rtl8821cu";
-    rev = "5c510c9f14352fed4906a10921040b9e46b58346";
-    sha256 = "1n74h1m3l2dj35caswaghzcjwcv5qlv3gj6j1rqdddbyg5khl4ag";
+    owner = "morrownr";
+    repo = "8821cu";
+    rev = "2430c354c9b15fa6193a263c99ce57211d50c66f";
+    sha256 = "sha256-PkrpwebZYh/hBukqDQf6pxfbkVyA+CpYtte5pmzgLtw=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -27,10 +28,10 @@ stdenv.mkDerivation rec {
     mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Realtek rtl8821cu driver";
-    homepage = "https://github.com/brektrou/rtl8821CU";
-    license = licenses.gpl2;
+    homepage = "https://github.com/morrownr/8821cu";
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
     maintainers = [ maintainers.contrun ];
   };
diff --git a/pkgs/os-specific/linux/rtl88x2bu/default.nix b/pkgs/os-specific/linux/rtl88x2bu/default.nix
index 3d461d52556..4b194bb2f33 100644
--- a/pkgs/os-specific/linux/rtl88x2bu/default.nix
+++ b/pkgs/os-specific/linux/rtl88x2bu/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub, kernel, bc }:
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
 
 stdenv.mkDerivation rec {
-  name = "rtl88x2bu-${kernel.version}-${version}";
-  version = "unstable-2020-05-19";
+  pname = "rtl88x2bu";
+  version = "${kernel.version}-unstable-2021-05-18";
 
   src = fetchFromGitHub {
-    owner = "cilynx";
-    repo = "rtl88x2BU";
-    rev = "0f159d7cd937a12b818121cb1f1c4910bd1adc72";
-    sha256 = "0flqnvzfdb4wsiiqv9vf5gfwd5fgpjvhs9zhqknnv1cmp8msgw6y";
+    owner = "morrownr";
+    repo = "88x2bu";
+    rev = "80b03962e33f86f99e898305d8d597140503de03";
+    sha256 = "sha256-C7XOpKgwxM9UbfW3wHteInTmAUM3FFqN1MHMKxP8gBA=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ bc ];
   buildInputs = kernel.moduleBuildDependencies;
 
-  prePatch = ''
+ prePatch = ''
     substituteInPlace ./Makefile \
       --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
       --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
@@ -28,10 +28,10 @@ stdenv.mkDerivation rec {
     mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Realtek rtl88x2bu driver";
-    homepage = "https://github.com/cilynx/rtl88x2bu";
-    license = licenses.gpl2;
+    homepage = "https://github.com/morrownr/88x2bu";
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
     maintainers = [ maintainers.ralith ];
   };
diff --git a/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix b/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
index a86d76a3be5..d65a601fd9e 100644
--- a/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
+++ b/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
@@ -1,15 +1,17 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel }:
 
+let
+  rev = "3a64331a1c809bbbc21eca63b825970f213ec5ac";
+in
 stdenv.mkDerivation rec {
-  name = "rtl88xxau-aircrack-${kernel.version}-${version}";
-  rev = "fc0194c1d90453bf4943089ca237159ef19a7374";
-  version = "${builtins.substring 0 6 rev}";
+  pname = "rtl88xxau-aircrack";
+  version = "${kernel.version}-${builtins.substring 0 6 rev}";
 
   src = fetchFromGitHub {
     owner = "aircrack-ng";
     repo = "rtl8812au";
     inherit rev;
-    sha256 = "0hf7mrvxaskc6qcjar5w81y9xc7s2rlsxp34achyqly2hjg7fgmy";
+    sha256 = "sha256-goaN80imfCeUwiHokJd10CFKskE3iL5BO/xOQk6PtHE=";
   };
 
   buildInputs = kernel.moduleBuildDependencies;
@@ -18,6 +20,14 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types";
 
+  # Fix build for 5.12 kernels
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/aircrack-ng/rtl8812au/commit/9b4c60a89c2a55f36454b950a86246b6b86a9681.patch";
+      sha256 = "sha256-HPhTLstqAePF3H6WeM9Fu4/8UjNL+9xl4L8xq3NOWuM=";
+    })
+  ];
+
   prePatch = ''
     substituteInPlace ./Makefile \
       --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
@@ -30,10 +40,10 @@ stdenv.mkDerivation rec {
     mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Aircrack-ng kernel module for Realtek 88XXau network cards\n(8811au, 8812au, 8814au and 8821au chipsets) with monitor mode and injection support.";
     homepage = "https://github.com/aircrack-ng/rtl8812au";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     maintainers = [ maintainers.jethro ];
     platforms = [ "x86_64-linux" "i686-linux" ];
   };
diff --git a/pkgs/os-specific/linux/rtlwifi_new/default.nix b/pkgs/os-specific/linux/rtlwifi_new/default.nix
deleted file mode 100644
index 78e5510ad17..00000000000
--- a/pkgs/os-specific/linux/rtlwifi_new/default.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ stdenv, lib, fetchFromGitHub, kernel }:
-
-with lib;
-
-let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtlwifi";
-
-in stdenv.mkDerivation rec {
-  pname = "rtlwifi_new";
-  version = "2019-08-21";
-  # When updating see https://github.com/lwfinger/rtl8723be/issues/17#issuecomment-657326751
-
-  src = fetchFromGitHub {
-    owner = "rtlwifi-linux";
-    repo = "rtlwifi_new";
-    rev = "a108e3de87c2ed30b71c3c4595b79ab7a2f9e348";
-    sha256 = "15kjs9i9vvmn1cdzccd5cljf3m45r4ssm65klkj2fdkf3kljj38k";
-  };
-
-  hardeningDisable = [ "pic" "format" ];
-
-  nativeBuildInputs = kernel.moduleBuildDependencies;
-
-  makeFlags = [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
-
-  enableParallelBuilding = true;
-
-  installPhase = ''
-    mkdir -p ${modDestDir}
-    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
-    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
-  '';
-
-  meta = {
-    description = "The newest Realtek rtlwifi codes";
-    inherit (src.meta) homepage;
-    license = stdenv.lib.licenses.gpl2;
-    platforms = with platforms; linux;
-    maintainers = with maintainers; [ tvorog ];
-    priority = -1;
-  };
-}
diff --git a/pkgs/os-specific/linux/rtw88/default.nix b/pkgs/os-specific/linux/rtw88/default.nix
new file mode 100644
index 00000000000..42302351240
--- /dev/null
+++ b/pkgs/os-specific/linux/rtw88/default.nix
@@ -0,0 +1,40 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+let
+  modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtw88";
+in
+stdenv.mkDerivation {
+  pname = "rtw88";
+  version = "unstable-2021-04-19";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtw88";
+    rev = "0f3cc6a5973bc386d9cb542fc85a6ba027edff5d";
+    hash = "sha256-PRzWXC1lre8gt1GfVdnaG836f5YK57P9a8tG20yef0w=";
+  };
+
+  makeFlags = [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "The newest Realtek rtlwifi codes";
+    homepage = "https://github.com/lwfinger/rtw88";
+    license = with licenses; [ bsd3 gpl2Only ];
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.14";
+    priority = -1;
+  };
+}
diff --git a/pkgs/os-specific/linux/rtw89/default.nix b/pkgs/os-specific/linux/rtw89/default.nix
new file mode 100644
index 00000000000..86ca72c537c
--- /dev/null
+++ b/pkgs/os-specific/linux/rtw89/default.nix
@@ -0,0 +1,40 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+let
+  modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtw89";
+in
+stdenv.mkDerivation {
+  pname = "rtw89";
+  version = "unstable-2021-07-03";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtw89";
+    rev = "cebafc6dc839e66c725b92c0fabf131bc908f607";
+    sha256 = "1vw67a423gajpzd5d51bxnja1qpppx9x5ii2vcfkj6cbnqwr83af";
+  };
+
+  makeFlags = [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = " Driver for Realtek 8852AE, an 802.11ax device";
+    homepage = "https://github.com/lwfinger/rtw89";
+    license = with licenses; [ gpl2Only ];
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.4";
+    priority = -1;
+  };
+}
diff --git a/pkgs/os-specific/linux/ryzenadj/default.nix b/pkgs/os-specific/linux/ryzenadj/default.nix
new file mode 100644
index 00000000000..e50cb7e8d53
--- /dev/null
+++ b/pkgs/os-specific/linux/ryzenadj/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub, pciutils, cmake }:
+stdenv.mkDerivation rec {
+  pname = "ryzenadj";
+  version = "0.8.2";
+
+  src = fetchFromGitHub {
+    owner = "FlyGoat";
+    repo = "RyzenAdj";
+    rev = "v${version}";
+    sha256 = "182l9nchlpl4yr568n86086glkr607rif92wnwc7v3aym62ch6ld";
+  };
+
+  nativeBuildInputs = [ pciutils cmake ];
+
+  installPhase = ''
+    install -D libryzenadj.so $out/lib/libryzenadj.so
+    install -D ryzenadj $out/bin/ryzenadj
+  '';
+
+  meta = with lib; {
+    description = "Adjust power management settings for Ryzen Mobile Processors.";
+    homepage = "https://github.com/FlyGoat/RyzenAdj";
+    license = licenses.lgpl3Only;
+    maintainers = with maintainers; [ asbachb ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/os-specific/linux/s6-linux-init/default.nix b/pkgs/os-specific/linux/s6-linux-init/default.nix
index f5c77a653b9..5d6941259e1 100644
--- a/pkgs/os-specific/linux/s6-linux-init/default.nix
+++ b/pkgs/os-specific/linux/s6-linux-init/default.nix
@@ -4,28 +4,36 @@ with skawarePackages;
 
 buildPackage {
   pname = "s6-linux-init";
-  version = "1.0.3.1";
-  sha256 = "1yq2xnp41a1lqpjzvq5jawgy64jwaxalvjdnlvgdpi9bkicgasi1";
+  version = "1.0.6.2";
+  sha256 = "06xcmn2a89fvng056lcnnyrl2ak0y7cblkc90lj9a2liyhawy9dr";
 
-  description = "Automated /sbin/init creation for s6-based Linux systems";
+  description = "A set of minimalistic tools used to create a s6-based init system, including a /sbin/init binary, on a Linux kernel";
   platforms = lib.platforms.linux;
 
   outputs = [ "bin" "dev" "doc" "out" ];
 
   configureFlags = [
+    "--bindir=\${bin}/bin"
     "--includedir=\${dev}/include"
     "--with-sysdeps=${skalibs.lib}/lib/skalibs/sysdeps"
     "--with-include=${skalibs.dev}/include"
-    "--with-include=${s6.dev}/include"
     "--with-include=${execline.dev}/include"
+    "--with-include=${s6.dev}/include"
     "--with-lib=${skalibs.lib}/lib"
+    "--with-lib=${s6.out}/lib"
+    "--with-lib=${execline.lib}/lib"
     "--with-dynlib=${skalibs.lib}/lib"
-    "--with-lib=${s6}/lib"
+    "--with-dynlib=${execline.lib}/lib"
+    "--with-dynlib=${s6.out}/lib"
   ];
 
   postInstall = ''
-    find . -type f -executable -delete
-    rm lib*.a.*
+    # remove all s6 executables from build directory
+    rm $(find -name "s6-*" -type f -mindepth 1 -maxdepth 1 -executable)
+    rm libs6_linux_init.* libhpr.*
+    rm -rf skel
+
     mv doc $doc/share/doc/s6-linux-init/html
   '';
+
 }
diff --git a/pkgs/os-specific/linux/s6-linux-utils/default.nix b/pkgs/os-specific/linux/s6-linux-utils/default.nix
index 74bf913df98..3596ab23e72 100644
--- a/pkgs/os-specific/linux/s6-linux-utils/default.nix
+++ b/pkgs/os-specific/linux/s6-linux-utils/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, skawarePackages }:
+{ lib, skawarePackages }:
 
 with skawarePackages;
 
 buildPackage {
   pname = "s6-linux-utils";
-  version = "2.5.1.2";
-  sha256 = "0w4jms9qyb5kx9zcyd3gzri60rrii2rbmh08s59ckg4awy27py86";
+  version = "2.5.1.5";
+  sha256 = "1fj5ldlrc6bx40pphg29rp3byd6fal6869v85kw86c2kdgrxn063";
 
   description = "A set of minimalistic Linux-specific system utilities";
-  platforms = stdenv.lib.platforms.linux;
+  platforms = lib.platforms.linux;
 
   outputs = [ "bin" "dev" "doc" "out" ];
 
diff --git a/pkgs/os-specific/linux/sch_cake/default.nix b/pkgs/os-specific/linux/sch_cake/default.nix
index ef2ebaa0362..851a903cf07 100644
--- a/pkgs/os-specific/linux/sch_cake/default.nix
+++ b/pkgs/os-specific/linux/sch_cake/default.nix
@@ -1,6 +1,6 @@
 { stdenv, lib, fetchFromGitHub, kernel }:
 
-assert stdenv.lib.versionAtLeast kernel.version "4.4";
+assert lib.versionAtLeast kernel.version "4.4";
 
 stdenv.mkDerivation {
   name = "sch_cake-2017-07-16";
@@ -30,6 +30,6 @@ stdenv.mkDerivation {
     license = with licenses; [ bsd3 gpl2 ];
     maintainers = with maintainers; [ fpletz ];
     platforms = platforms.linux;
-    broken = !stdenv.lib.versionOlder kernel.version "4.13";
+    broken = !lib.versionOlder kernel.version "4.13";
   };
 }
diff --git a/pkgs/os-specific/linux/schedtool/default.nix b/pkgs/os-specific/linux/schedtool/default.nix
index de947a9cd34..98d9248e3f4 100644
--- a/pkgs/os-specific/linux/schedtool/default.nix
+++ b/pkgs/os-specific/linux/schedtool/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   pname = "schedtool";
@@ -13,9 +13,9 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "DESTDIR=$(out)" "DESTPREFIX=" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Query or alter a process' scheduling policy under Linux";
-    homepage = "http://freequaos.host.sk/schedtool/";
+    homepage = "https://freequaos.host.sk/schedtool/";
     license = licenses.gpl2;
     platforms = platforms.linux;
     maintainers = with maintainers; [ abbradar ];
diff --git a/pkgs/os-specific/linux/sd-switch/default.nix b/pkgs/os-specific/linux/sd-switch/default.nix
index 7cbad8d6df3..987f32664c1 100644
--- a/pkgs/os-specific/linux/sd-switch/default.nix
+++ b/pkgs/os-specific/linux/sd-switch/default.nix
@@ -1,22 +1,22 @@
-{ stdenv, fetchFromGitLab, rustPlatform, pkg-config, dbus }:
+{ lib, fetchFromGitLab, rustPlatform, pkg-config, dbus }:
 
 rustPlatform.buildRustPackage rec {
   pname = "sd-switch";
-  version = "0.2.0";
+  version = "0.2.3";
 
   src = fetchFromGitLab {
     owner = "rycee";
     repo = pname;
     rev = version;
-    sha256 = "1bhks4ma3sn95bsszs6lj9cwfr8zgmja0hqfp8xr5iq77ww2p6k3";
+    sha256 = "12h2d7v7pdz7b0hrna64561kf35nbpwb2kzxa791xk8raxc2b72k";
   };
 
-  cargoSha256 = "0lskxakzh3yji0rzk8jcfz1sv4j19b5kmdsaj7401m5w84s1cbjw";
+  cargoSha256 = "12ny3cir2nxzrmf4vwq6sgc35dbpq88hav53xqdp44rigdf4vzbs";
 
   nativeBuildInputs = [ pkg-config ];
   buildInputs = [ dbus ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A systemd unit switcher for Home Manager";
     homepage = "https://gitlab.com/rycee/sd-switch";
     license = licenses.gpl3Plus;
diff --git a/pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c b/pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c
index 0d1ae96068a..bb71a732bf9 100644
--- a/pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c
+++ b/pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c
@@ -1,5 +1,5 @@
 /*
-   Copyright: (C)2015-2017 Laurent Bercot.  http://skarnet.org/
+   Copyright: (C)2015-2020 Laurent Bercot.  http://skarnet.org/
    ISC license. See http://opensource.org/licenses/ISC
 
    Build-time requirements: skalibs.  http://skarnet.org/software/skalibs/
@@ -53,20 +53,24 @@
 #include <sys/types.h>
 #include <string.h>
 #include <unistd.h>
+#include <stdlib.h>
 #include <errno.h>
 #include <sys/socket.h>
 #include <sys/un.h>
+
 #include <skalibs/uint64.h>
 #include <skalibs/types.h>
 #include <skalibs/bytestr.h>
 #include <skalibs/sgetopt.h>
 #include <skalibs/strerr2.h>
-#include <skalibs/env.h>
 #include <skalibs/allreadwrite.h>
 #include <skalibs/tai.h>
 #include <skalibs/iopause.h>
 #include <skalibs/djbunix.h>
-#include <skalibs/webipc.h>
+//#include <skalibs/webipc.h>
+// svanderburg: This header no longer exists, but socket.h provides the functions this module needs
+#include <skalibs/socket.h>
+#include <skalibs/exec.h>
 
 #define USAGE "sdnotify-wrapper [ -d fd ] [ -f ] [ -t timeout ] [ -k ] prog..."
 #define dieusage() strerr_dieusage(100, USAGE)
@@ -123,9 +127,9 @@ static inline int run_child (int fd, unsigned int timeout, pid_t pid, char const
   return 0 ;
 }
 
-int main (int argc, char const *const *argv, char const *const *envp)
+int main (int argc, char const *const *argv)
 {
-  char const *s = env_get2(envp, VAR) ;
+  char const *s = getenv(VAR) ;
   unsigned int fd = 1 ;
   unsigned int timeout = 0 ;
   int df = 1, keep = 0 ;
@@ -134,7 +138,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
     subgetopt_t l = SUBGETOPT_ZERO ;
     for (;;)
     {
-      register int opt = subgetopt_r(argc, argv, "d:ft:k", &l) ;
+      int opt = subgetopt_r(argc, argv, "d:ft:k", &l) ;
       if (opt == -1) break ;
       switch (opt)
       {
@@ -149,7 +153,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
   }
   if (!argc) dieusage() ;
 
-  if (!s) xpathexec_run(argv[0], argv, envp) ;
+  if (!s) xexec(argv) ;
   else
   {
     pid_t parent = getpid() ;
@@ -166,7 +170,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
     }
     close(p[0]) ;
     if (fd_move((int)fd, p[1]) < 0) strerr_diefu1sys(111, "move descriptor") ;
-    if (keep) xpathexec_run(argv[0], argv, envp) ;
-    else xpathexec_r(argv, envp, env_len(envp), VAR, sizeof(VAR)) ;
+    if (keep) xexec(argv) ;
+    else xmexec_m(argv, VAR, sizeof(VAR)) ;
   }
 }
diff --git a/pkgs/os-specific/linux/sdparm/default.nix b/pkgs/os-specific/linux/sdparm/default.nix
index e0392e442bf..08e61a98f6b 100644
--- a/pkgs/os-specific/linux/sdparm/default.nix
+++ b/pkgs/os-specific/linux/sdparm/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 
 stdenv.mkDerivation rec {
   pname = "sdparm";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1nqjc4w2w47zavcbf5xmm53x1zbwgljaw1lpajcdi537cgy32fa8";
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://sg.danny.cz/sg/sdparm.html";
     description = "A utility to access SCSI device parameters";
     license = licenses.bsd3;
diff --git a/pkgs/os-specific/linux/selinux-python/default.nix b/pkgs/os-specific/linux/selinux-python/default.nix
index 57aa5d49fac..32ed5bc2e7d 100644
--- a/pkgs/os-specific/linux/selinux-python/default.nix
+++ b/pkgs/os-specific/linux/selinux-python/default.nix
@@ -1,9 +1,9 @@
-{ stdenv, fetchurl, python3
+{ lib, stdenv, fetchurl, python3
 , libselinux, libsemanage, libsepol, setools }:
 
 # this is python3 only because setools only supports python3
 
-with stdenv.lib;
+with lib;
 with python3.pkgs;
 
 stdenv.mkDerivation rec {
@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
     "BASHCOMPLETIONDIR=$(out)/share/bash-completion/completions"
     "PYTHON=python"
     "PYTHONLIBDIR=$(out)/${python.sitePackages}"
-    "LIBSEPOLA=${stdenv.lib.getLib libsepol}/lib/libsepol.a"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
   ];
 
 
diff --git a/pkgs/os-specific/linux/selinux-sandbox/default.nix b/pkgs/os-specific/linux/selinux-sandbox/default.nix
index 387db08e1d6..a10588bacf1 100644
--- a/pkgs/os-specific/linux/selinux-sandbox/default.nix
+++ b/pkgs/os-specific/linux/selinux-sandbox/default.nix
@@ -1,10 +1,10 @@
-{ stdenv, fetchurl, bash, coreutils, python3
+{ lib, stdenv, fetchurl, bash, coreutils, python3
 , libcap_ng, policycoreutils, selinux-python, dbus
 , xorgserver, openbox, xmodmap }:
 
 # this is python3 only as it depends on selinux-python
 
-with stdenv.lib; 
+with lib;
 with python3.pkgs;
 
 stdenv.mkDerivation rec {
@@ -58,4 +58,3 @@ stdenv.mkDerivation rec {
     platforms = platforms.linux;
   };
 }
-
diff --git a/pkgs/os-specific/linux/semodule-utils/default.nix b/pkgs/os-specific/linux/semodule-utils/default.nix
index bf1f36835b4..b76e715dbc2 100644
--- a/pkgs/os-specific/linux/semodule-utils/default.nix
+++ b/pkgs/os-specific/linux/semodule-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libsepol }:
+{ lib, stdenv, fetchurl, libsepol }:
 
 stdenv.mkDerivation rec {
   pname = "semodule-utils";
@@ -15,10 +15,10 @@ stdenv.mkDerivation rec {
 
   makeFlags = [
     "PREFIX=$(out)"
-    "LIBSEPOLA=${stdenv.lib.getLib libsepol}/lib/libsepol.a"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "SELinux policy core utilities (packaging additions)";
     license = licenses.gpl2;
     inherit (libsepol.meta) homepage platforms;
diff --git a/pkgs/os-specific/linux/sepolgen/default.nix b/pkgs/os-specific/linux/sepolgen/default.nix
index 53250b345e8..f7ef1cb9c3a 100644
--- a/pkgs/os-specific/linux/sepolgen/default.nix
+++ b/pkgs/os-specific/linux/sepolgen/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libsepol, python }:
+{ lib, stdenv, fetchurl, libsepol, python }:
 
 stdenv.mkDerivation rec {
   pname = "sepolgen";
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
     makeFlagsArray+=("PYTHONLIBDIR=lib/${python.libPrefix}/site-packages")
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit (libsepol.meta) homepage platforms maintainers;
     description = "SELinux policy generation library";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/service-wrapper/default.nix b/pkgs/os-specific/linux/service-wrapper/default.nix
index 150262158da..381f0699697 100644
--- a/pkgs/os-specific/linux/service-wrapper/default.nix
+++ b/pkgs/os-specific/linux/service-wrapper/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, runCommand, substituteAll, coreutils }:
+{ lib, stdenv, runCommand, substituteAll, coreutils }:
 
 let
   name = "service-wrapper-${version}";
@@ -12,7 +12,7 @@ runCommand name {
     inherit coreutils;
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A convenient wrapper for the systemctl commands, borrow from Ubuntu";
     license     = licenses.gpl2Plus;
     platforms   = platforms.linux;
diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix
index c0ed4102aaf..842a525353d 100644
--- a/pkgs/os-specific/linux/setools/default.nix
+++ b/pkgs/os-specific/linux/setools/default.nix
@@ -1,9 +1,10 @@
-{ stdenv, fetchFromGitHub, python3
+{ lib, fetchFromGitHub, python3
 , libsepol, libselinux, checkpolicy
+, fetchpatch
 , withGraphics ? false
 }:
 
-with stdenv.lib;
+with lib;
 with python3.pkgs;
 
 buildPythonApplication rec {
@@ -17,6 +18,13 @@ buildPythonApplication rec {
     sha256 = "0vr20bi8w147z5lclqz1l0j1b34137zg2r04pkafkgqqk7qbyjk6";
   };
 
+  patches = [
+    (fetchpatch { # included in 4.4.0
+      url = "https://github.com/SELinuxProject/setools/commit/f1b4a5d375be05fbccedb258c940d771bff8e524.diff";
+      sha256 = "1r38s6i4i6bdr2zdp5wcg1yifpf3pd018c73a511mgynyg7d11xy";
+    })
+  ];
+
   nativeBuildInputs = [ cython ];
   buildInputs = [ libsepol ];
   propagatedBuildInputs = [ enum34 libselinux networkx ]
@@ -30,7 +38,7 @@ buildPythonApplication rec {
   setupPyBuildFlags = [ "-i" ];
 
   preBuild = ''
-    export SEPOL="${stdenv.lib.getLib libsepol}/lib/libsepol.a"
+    export SEPOL="${lib.getLib libsepol}/lib/libsepol.a"
   '';
 
   meta = {
diff --git a/pkgs/os-specific/linux/seturgent/default.nix b/pkgs/os-specific/linux/seturgent/default.nix
index 8cfc9d35940..2e9e445eddc 100644
--- a/pkgs/os-specific/linux/seturgent/default.nix
+++ b/pkgs/os-specific/linux/seturgent/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libX11, xorgproto, unzip }:
+{ lib, stdenv, fetchurl, libX11, xorgproto, unzip }:
 
 stdenv.mkDerivation {
   name = "seturgent-2012-08-17";
@@ -8,8 +8,9 @@ stdenv.mkDerivation {
     sha256 = "0q1sr6aljkw2jr9b4xxzbc01qvnd5vk3pxrypif9yd8xjw4wqwri";
   };
 
+  nativeBuildInputs = [ unzip ];
   buildInputs = [
-    libX11 xorgproto unzip
+    libX11 xorgproto
   ];
 
   installPhase = ''
@@ -18,10 +19,10 @@ stdenv.mkDerivation {
   '';
 
   meta = {
-      platforms = stdenv.lib.platforms.linux;
+      platforms = lib.platforms.linux;
       description = "Set an application's urgency hint (or not)";
-      maintainers = [ stdenv.lib.maintainers.yarr ];
+      maintainers = [ lib.maintainers.yarr ];
       homepage = "https://github.com/hiltjo/seturgent";
-      license = stdenv.lib.licenses.mit;
+      license = lib.licenses.mit;
   };
 }
diff --git a/pkgs/os-specific/linux/shadow/default.nix b/pkgs/os-specific/linux/shadow/default.nix
index fbcecf05f18..e20023b2b6e 100644
--- a/pkgs/os-specific/linux/shadow/default.nix
+++ b/pkgs/os-specific/linux/shadow/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchpatch, fetchFromGitHub, autoreconfHook, libxslt, libxml2
-, docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison
+{ lib, stdenv, nixosTests, fetchpatch, fetchFromGitHub, autoreconfHook, libxslt
+, libxml2 , docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison, runtimeShell
 , pam ? null, glibcCross ? null
 }:
 
@@ -19,16 +19,16 @@ in
 
 stdenv.mkDerivation rec {
   pname = "shadow";
-  version = "4.8";
+  version = "4.8.1";
 
   src = fetchFromGitHub {
     owner = "shadow-maint";
     repo = "shadow";
     rev = version;
-    sha256 = "05a636dqxip09l5jjrrs30lvwq6xkhjrdgjbbj3bg6b6z7hc67qk";
+    sha256 = "13407r6qwss00504qy740jghb2dzd561la7dhp47rg8w3g8jarpn";
   };
 
-  buildInputs = stdenv.lib.optional (pam != null && stdenv.isLinux) pam;
+  buildInputs = lib.optional (pam != null && stdenv.isLinux) pam;
   nativeBuildInputs = [autoreconfHook libxslt libxml2
     docbook_xml_dtd_45 docbook_xsl flex bison itstool
     ];
@@ -38,8 +38,11 @@ stdenv.mkDerivation rec {
       # Obtain XML resources from XML catalog (patch adapted from gtk-doc)
       ./respect-xml-catalog-files-var.patch
       dots_in_usernames
+      ./runtime-shell.patch
     ];
 
+  RUNTIME_SHELL = runtimeShell;
+
   # The nix daemon often forbids even creating set[ug]id files.
   postPatch =
     ''sed 's/^\(s[ug]idperms\) = [0-9]755/\1 = 0755/' -i src/Makefile.am
@@ -59,9 +62,9 @@ stdenv.mkDerivation rec {
   configureFlags = [
     "--enable-man"
     "--with-group-name-max-length=32"
-  ] ++ stdenv.lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd";
+  ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd";
 
-  preBuild = stdenv.lib.optionalString (stdenv.hostPlatform.libc == "glibc")
+  preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc")
     ''
       substituteInPlace lib/nscd.c --replace /usr/sbin/nscd ${glibc.bin}/bin/nscd
     '';
@@ -77,7 +80,9 @@ stdenv.mkDerivation rec {
       mv $out/bin/su $su/bin
     '';
 
-  meta = with stdenv.lib; {
+  disallowedReferences = lib.optional (stdenv.buildPlatform != stdenv.hostPlatform) stdenv.shellPackage;
+
+  meta = with lib; {
     homepage = "https://github.com/shadow-maint";
     description = "Suite containing authentication-related tools such as passwd and su";
     license = licenses.bsd3;
@@ -86,5 +91,6 @@ stdenv.mkDerivation rec {
 
   passthru = {
     shellPath = "/bin/nologin";
+    tests = { inherit (nixosTests) shadow; };
   };
 }
diff --git a/pkgs/os-specific/linux/shadow/runtime-shell.patch b/pkgs/os-specific/linux/shadow/runtime-shell.patch
new file mode 100644
index 00000000000..0b2e68e330e
--- /dev/null
+++ b/pkgs/os-specific/linux/shadow/runtime-shell.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index e4c6aaec..03883ad7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -682,7 +682,7 @@ if test "$enable_utmpx" = "yes"; then
+ 	          [Define if utmpx should be used])
+ fi
+ 
+-AC_DEFINE_UNQUOTED(SHELL, ["$SHELL"], [The default shell.])
++AC_DEFINE_UNQUOTED(SHELL, ["$RUNTIME_SHELL"], [The runtime shell.])
+ 
+ AM_GNU_GETTEXT_VERSION(0.16)
+ AM_GNU_GETTEXT([external], [need-ngettext])
diff --git a/pkgs/os-specific/linux/sinit/default.nix b/pkgs/os-specific/linux/sinit/default.nix
index 71bd887535b..830087013fe 100644
--- a/pkgs/os-specific/linux/sinit/default.nix
+++ b/pkgs/os-specific/linux/sinit/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchgit, rcinit ? null, rcshutdown ? null, rcreboot ? null}:
+{lib, stdenv, fetchgit, rcinit ? null, rcshutdown ? null, rcreboot ? null}:
 let
   s = # Generated upstream information
   rec {
@@ -10,7 +10,7 @@ let
     rev = "refs/tags/v${version}";
   };
   buildInputs = [
-    (stdenv.lib.getOutput "static" stdenv.cc.libc)
+    (lib.getOutput "static" stdenv.cc.libc)
   ];
 in
 stdenv.mkDerivation {
@@ -21,16 +21,16 @@ stdenv.mkDerivation {
   };
   makeFlags = ["PREFIX=$(out)"];
   preConfigure = ""
-    + (stdenv.lib.optionalString (rcinit != null) ''sed -re 's@(rcinitcmd[^"]*")[^"]*"@\1${rcinit}"@' -i config.def.h; '')
-    + (stdenv.lib.optionalString (rcshutdown != null) ''sed -re 's@(rc(reboot|poweroff)cmd[^"]*")[^"]*"@\1${rcshutdown}"@' -i config.def.h; '')
-    + (stdenv.lib.optionalString (rcreboot != null) ''sed -re 's@(rc(reboot)cmd[^"]*")[^"]*"@\1${rcreboot}"@' -i config.def.h; '')
+    + (lib.optionalString (rcinit != null) ''sed -re 's@(rcinitcmd[^"]*")[^"]*"@\1${rcinit}"@' -i config.def.h; '')
+    + (lib.optionalString (rcshutdown != null) ''sed -re 's@(rc(reboot|poweroff)cmd[^"]*")[^"]*"@\1${rcshutdown}"@' -i config.def.h; '')
+    + (lib.optionalString (rcreboot != null) ''sed -re 's@(rc(reboot)cmd[^"]*")[^"]*"@\1${rcreboot}"@' -i config.def.h; '')
     ;
   meta = {
     inherit (s) version;
-    description = ''A very minimal Linux init implementation from suckless.org'';
-    license = stdenv.lib.licenses.mit ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    description = "A very minimal Linux init implementation from suckless.org";
+    license = lib.licenses.mit ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
     homepage = "https://tools.suckless.org/sinit";
     downloadPage = "https://git.suckless.org/sinit";
   };
diff --git a/pkgs/os-specific/linux/speedometer/default.nix b/pkgs/os-specific/linux/speedometer/default.nix
index e4d374b0c41..2801334688b 100644
--- a/pkgs/os-specific/linux/speedometer/default.nix
+++ b/pkgs/os-specific/linux/speedometer/default.nix
@@ -5,7 +5,7 @@ pythonPackages.buildPythonApplication rec {
   version = "2.8";
 
   src = fetchurl {
-    url = "http://excess.org/speedometer/speedometer-${version}.tar.gz";
+    url = "https://excess.org/speedometer/speedometer-${version}.tar.gz";
     sha256 = "060bikv3gwr203jbdmvawsfhc0yq0bg1m42dk8czx1nqvwvgv6fm";
   };
 
@@ -18,7 +18,7 @@ pythonPackages.buildPythonApplication rec {
 
   meta = with lib; {
     description = "Measure and display the rate of data across a network connection or data being stored in a file";
-    homepage = "http://excess.org/speedometer/";
+    homepage = "https://excess.org/speedometer/";
     license = licenses.lgpl21Plus;
     platforms = platforms.linux;
     maintainers = with maintainers; [ Baughn ];
diff --git a/pkgs/os-specific/linux/sssd/default.nix b/pkgs/os-specific/linux/sssd/default.nix
index 22e2da79c8c..94b1a6d799d 100644
--- a/pkgs/os-specific/linux/sssd/default.nix
+++ b/pkgs/os-specific/linux/sssd/default.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchurl, fetchpatch, glibc, augeas, dnsutils, c-ares, curl,
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, fetchpatch, glibc, augeas, dnsutils, c-ares, curl,
   cyrus_sasl, ding-libs, libnl, libunistring, nss, samba, nfs-utils, doxygen,
-  python, python3, pam, popt, talloc, tdb, tevent, pkgconfig, ldb, openldap,
-  pcre, kerberos, cifs-utils, glib, keyutils, dbus, fakeroot, libxslt, libxml2,
+  python, python3, pam, popt, talloc, tdb, tevent, pkg-config, ldb, openldap,
+  pcre, libkrb5, cifs-utils, glib, keyutils, dbus, fakeroot, libxslt, libxml2,
   libuuid, ldap, systemd, nspr, check, cmocka, uid_wrapper,
   nss_wrapper, ncurses, Po4a, http-parser, jansson,
   docbook_xsl, docbook_xml_dtd_44,
@@ -12,11 +12,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "sssd";
-  version = "1.16.4";
+  version = "1.16.5";
 
-  src = fetchurl {
-    url = "https://fedorahosted.org/released/sssd/${pname}-${version}.tar.gz";
-    sha256 = "0ngr7cgimyjc6flqkm7psxagp1m4jlzpqkn28pliifbmdg6i5ckb";
+  src = fetchFromGitHub {
+    owner = "SSSD";
+    repo = pname;
+    rev = "${pname}-${lib.replaceStrings ["."] ["_"] version}";
+    sha256 = "0zbs04lkjbp7y92anmafl7gzamcnq1f147p13hc4byyvjk9rg6f7";
   };
   patches = [
     # Fix build failure against samba 4.12.0rc1
@@ -24,6 +26,11 @@ stdenv.mkDerivation rec {
       url = "https://github.com/SSSD/sssd/commit/bc56b10aea999284458dcc293b54cf65288e325d.patch";
       sha256 = "0q74sx5n41srq3kdn55l5j1sq4xrjsnl5y4v8yh5mwsijj74yh4g";
     })
+    # Fix collision with external nss symbol
+    (fetchpatch {
+      url = "https://github.com/SSSD/sssd/commit/fe9eeb51be06059721e873f77092b1e9ba08e6c1.patch";
+      sha256 = "0b83b2w0rnvm26pg03a4lpmkmi7n3gqxg7lk751q61q79gnzrpz4";
+    })
   ];
 
   # Something is looking for <libxml/foo.h> instead of <libxml2/libxml/foo.h>
@@ -50,14 +57,15 @@ stdenv.mkDerivation rec {
       --with-ldb-lib-dir=$out/modules/ldb
       --with-nscd=${glibc.bin}/sbin/nscd
     )
-  '' + stdenv.lib.optionalString withSudo ''
+  '' + lib.optionalString withSudo ''
     configureFlagsArray+=("--with-sudo")
   '';
 
   enableParallelBuilding = true;
+  nativeBuildInputs = [ autoreconfHook pkg-config doxygen ];
   buildInputs = [ augeas dnsutils c-ares curl cyrus_sasl ding-libs libnl libunistring nss
-                  samba nfs-utils doxygen python python3 popt
-                  talloc tdb tevent pkgconfig ldb pam openldap pcre kerberos
+                  samba nfs-utils python python3 popt
+                  talloc tdb tevent ldb pam openldap pcre libkrb5
                   cifs-utils glib keyutils dbus fakeroot libxslt libxml2
                   libuuid ldap systemd nspr check cmocka uid_wrapper
                   nss_wrapper ncurses Po4a http-parser jansson ];
@@ -88,10 +96,11 @@ stdenv.mkDerivation rec {
     find "$out" -depth -type d -exec rmdir --ignore-fail-on-non-empty {} \;
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "System Security Services Daemon";
-    homepage = "https://fedorahosted.org/sssd/";
-    license = licenses.gpl3;
+    homepage = "https://sssd.io/";
+    changelog = "https://sssd.io/release-notes/sssd-${version}.html";
+    license = licenses.gpl3Plus;
     platforms = platforms.linux;
     maintainers = [ maintainers.e-user ];
   };
diff --git a/pkgs/os-specific/linux/statifier/default.nix b/pkgs/os-specific/linux/statifier/default.nix
index 376ae47ffbe..5afb399fc16 100644
--- a/pkgs/os-specific/linux/statifier/default.nix
+++ b/pkgs/os-specific/linux/statifier/default.nix
@@ -1,4 +1,4 @@
-{ multiStdenv, fetchurl }:
+{ lib, multiStdenv, fetchurl }:
 
 let version = "1.7.4"; in
 multiStdenv.mkDerivation {
@@ -16,7 +16,7 @@ multiStdenv.mkDerivation {
     sed -e s@/bin/bash@"${multiStdenv.shell}"@g -i src/*.sh
   '';
 
-  meta = with multiStdenv.lib; {
+  meta = with lib; {
     description = "Tool for creating static Linux binaries";
     platforms = platforms.linux;
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/swapview/default.nix b/pkgs/os-specific/linux/swapview/default.nix
new file mode 100644
index 00000000000..8eb45550105
--- /dev/null
+++ b/pkgs/os-specific/linux/swapview/default.nix
@@ -0,0 +1,23 @@
+{ lib, rustPlatform, fetchFromGitHub }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "swapview";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "lilydjwg";
+    repo = "swapview";
+    rev = "v${version}";
+    sha256 = "0339biydk997j5r72vzp7djwkscsz89xr3936nshv23fmxjh2rzj";
+  };
+
+  cargoSha256 = "03yi6bsjjnl8hznxr1nrnxx5lrqb574625j2lkxqbl9vrg9mswdz";
+
+  meta = with lib; {
+    description = "A simple program to view processes' swap usage on Linux";
+    homepage = "https://github.com/lilydjwg/swapview";
+    platforms = platforms.linux;
+    license = with licenses; [ bsd3 ];
+    maintainers = with maintainers; [ oxalica ];
+  };
+}
diff --git a/pkgs/os-specific/linux/switcheroo-control/default.nix b/pkgs/os-specific/linux/switcheroo-control/default.nix
new file mode 100644
index 00000000000..38945c70622
--- /dev/null
+++ b/pkgs/os-specific/linux/switcheroo-control/default.nix
@@ -0,0 +1,58 @@
+{ lib
+, ninja
+, meson
+, fetchFromGitLab
+, systemd
+, libgudev
+, pkg-config
+, glib
+, python3
+, gobject-introspection
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "switcheroo-control";
+  version = "2.3";
+
+  format = "other";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "hadess";
+    repo = pname;
+    rev = version;
+    hash = "sha256-1Pze2TJ9mggfcpiLFwJ7/9WhsdJx4G3GoA7+Z47shuc=";
+  };
+
+  nativeBuildInputs = [
+    ninja
+    meson
+    pkg-config
+
+    # needed for glib-compile-resources
+    glib
+  ];
+
+  buildInputs = [
+    systemd
+    libgudev
+  ];
+
+  propagatedBuildInputs = [
+    python3.pkgs.pygobject3
+  ];
+
+  mesonFlags = [
+    "-Dsystemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
+    "-Dhwdbdir=${placeholder "out"}/etc/udev/hwdb.d"
+  ];
+
+  meta = with lib; {
+    description = "D-Bus service to check the availability of dual-GPU";
+    homepage = "https://gitlab.freedesktop.org/hadess/switcheroo-control/";
+    changelog = "https://gitlab.freedesktop.org/hadess/switcheroo-control/-/blob/${version}/NEWS";
+    license = licenses.gpl3Plus;
+    maintainers = [ ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/syscall_limiter/default.nix b/pkgs/os-specific/linux/syscall_limiter/default.nix
index 0354abf46e1..329ec522c42 100644
--- a/pkgs/os-specific/linux/syscall_limiter/default.nix
+++ b/pkgs/os-specific/linux/syscall_limiter/default.nix
@@ -1,4 +1,4 @@
-{ stdenv
+{ lib, stdenv
 , fetchFromGitHub
 , libseccomp
 , perl
@@ -27,7 +27,7 @@ stdenv.mkDerivation {
       --replace which ${which}/bin/which
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Start Linux programs with only selected syscalls enabled";
     homepage    = "https://github.com/vi/syscall_limiter";
     license     = licenses.mit;
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index 59577eb8d51..23e78dd848e 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -1,22 +1,22 @@
-{ stdenv, fetchFromGitHub, cmake, kernel
-, luajit, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl, jq, gcc, elfutils, tbb, c-ares, protobuf, grpc
+{ lib, stdenv, fetchFromGitHub, cmake, kernel, installShellFiles
+, luajit, ncurses, perl, jsoncpp, libb64, openssl, curl, jq, gcc, elfutils, tbb, protobuf, grpc
 }:
 
-with stdenv.lib;
+with lib;
 stdenv.mkDerivation rec {
   pname = "sysdig";
-  version = "0.26.7";
+  version = "0.27.1";
 
   src = fetchFromGitHub {
     owner = "draios";
     repo = "sysdig";
     rev = version;
-    sha256 = "09m6j2cl70jxb0k4ydsgrida381bipf0v026xz661152cy23r3ff";
+    sha256 = "sha256-lYjMvxMIReANNwMr62u881Nugrs9piOaN3EmrvGzRns=";
   };
 
-  nativeBuildInputs = [ cmake perl ];
+  nativeBuildInputs = [ cmake perl installShellFiles ];
   buildInputs = [
-    zlib luajit ncurses jsoncpp libb64 openssl curl jq gcc elfutils tbb c-ares protobuf grpc
+    luajit ncurses jsoncpp libb64 openssl curl jq gcc elfutils tbb protobuf grpc
   ] ++ optionals (kernel != null) kernel.moduleBuildDependencies;
 
   hardeningDisable = [ "pic" ];
@@ -38,19 +38,28 @@ stdenv.mkDerivation rec {
     export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   '';
 
-  postInstall = optionalString (kernel != null) ''
-    make install_driver
-    kernel_dev=${kernel.dev}
-    kernel_dev=''${kernel_dev#/nix/store/}
-    kernel_dev=''${kernel_dev%%-linux*dev*}
-    if test -f "$out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko"; then
-        sed -i "s#$kernel_dev#................................#g" $out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko
-    else
-        xz -d $out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko.xz
-        sed -i "s#$kernel_dev#................................#g" $out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko
-        xz $out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko
-    fi
-  '';
+  postInstall =
+    ''
+      # Fix the bash completion location
+      installShellCompletion --bash $out/etc/bash_completion.d/sysdig
+      rm $out/etc/bash_completion.d/sysdig
+      rmdir $out/etc/bash_completion.d
+      rmdir $out/etc
+    ''
+    + optionalString (kernel != null) ''
+      make install_driver
+      kernel_dev=${kernel.dev}
+      kernel_dev=''${kernel_dev#/nix/store/}
+      kernel_dev=''${kernel_dev%%-linux*dev*}
+      if test -f "$out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko"; then
+          sed -i "s#$kernel_dev#................................#g" $out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko
+      else
+          xz -d $out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko.xz
+          sed -i "s#$kernel_dev#................................#g" $out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko
+          xz $out/lib/modules/${kernel.modDirVersion}/extra/sysdig-probe.ko
+      fi
+    '';
+
 
   meta = {
     description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)";
diff --git a/pkgs/os-specific/linux/sysfsutils/default.nix b/pkgs/os-specific/linux/sysfsutils/default.nix
index 3b2d54bc83a..4daac076e58 100644
--- a/pkgs/os-specific/linux/sysfsutils/default.nix
+++ b/pkgs/os-specific/linux/sysfsutils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "sysfsutils-2.1.0";
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
         filesystem in Linux kernel versions 2.5+ that exposes a system's
         device tree.
       '';
-    license = with stdenv.lib.licenses; [ gpl2 lgpl21 ];
-    platforms = stdenv.lib.platforms.linux;
+    license = with lib.licenses; [ gpl2 lgpl21 ];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/sysklogd/default.nix b/pkgs/os-specific/linux/sysklogd/default.nix
index f93e9012e05..af180b5e524 100644
--- a/pkgs/os-specific/linux/sysklogd/default.nix
+++ b/pkgs/os-specific/linux/sysklogd/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 
 stdenv.mkDerivation {
   name = "sysklogd-1.5.1";
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     sha256 = "00f2wy6f0qng7qzga4iicyzl9j8b7mp6mrpfky5jxj93ms2w2rji";
   };
 
-  patches = [ ./systemd.patch ./union-wait.patch ];
+  patches = [ ./systemd.patch ./union-wait.patch ./fix-includes-for-musl.patch ];
 
   NIX_CFLAGS_COMPILE = "-DSYSV";
 
@@ -21,7 +21,7 @@ stdenv.mkDerivation {
 
   preInstall = "mkdir -p $out/share/man/man5/ $out/share/man/man8/ $out/sbin";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A system logging daemon";
     platforms = platforms.linux;
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch b/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch
new file mode 100644
index 00000000000..87e56a10db8
--- /dev/null
+++ b/pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch
@@ -0,0 +1,120 @@
+# this patch both fixes some include paths as well as removes glibc
+# gates around defines that musl-libc also depends on.
+diff -u sysklogd-1.5.1.orig/klogd.c sysklogd-1.5.1/klogd.c
+--- sysklogd-1.5.1.orig/klogd.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/klogd.c	2021-01-18 23:09:23.000000000 -0500
+@@ -260,11 +260,8 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <errno.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+-#if !defined(__GLIBC__)
+-#include <linux/time.h>
+-#endif /* __GLIBC__ */
+ #include <stdarg.h>
+ #include <paths.h>
+ #include <stdlib.h>
+@@ -277,13 +274,8 @@
+ 
+ #define __LIBRARY__
+ #include <linux/unistd.h>
+-#if !defined(__GLIBC__)
+-# define __NR_ksyslog __NR_syslog
+-_syscall3(int,ksyslog,int, type, char *, buf, int, len);
+-#else
+ #include <sys/klog.h>
+ #define ksyslog klogctl
+-#endif
+ 
+ #define LOG_BUFFER_SIZE 4096
+ #define LOG_LINE_LENGTH 1000
+diff -u sysklogd-1.5.1.orig/ksym_mod.c sysklogd-1.5.1/ksym_mod.c
+--- sysklogd-1.5.1.orig/ksym_mod.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/ksym_mod.c	2021-01-18 23:09:57.000000000 -0500
+@@ -113,12 +113,9 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <errno.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include "module.h"
+-#if !defined(__GLIBC__)
+-#include <linux/time.h>
+-#endif /* __GLIBC__ */
+ #include <stdarg.h>
+ #include <paths.h>
+ #include <linux/version.h>
+diff -u sysklogd-1.5.1.orig/pidfile.c sysklogd-1.5.1/pidfile.c
+--- sysklogd-1.5.1.orig/pidfile.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/pidfile.c	2021-01-18 23:23:55.000000000 -0500
+@@ -25,6 +25,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/stat.h>
+ #include <sys/file.h>
+diff -u sysklogd-1.5.1.orig/syslog.c sysklogd-1.5.1/syslog.c
+--- sysklogd-1.5.1.orig/syslog.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/syslog.c	2021-01-18 23:11:45.000000000 -0500
+@@ -55,7 +55,6 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/file.h>
+-#include <sys/signal.h>
+ #include <sys/syslog.h>
+ #if 0
+ #include "syslog.h"
+@@ -64,6 +63,8 @@
+ 
+ #include <sys/uio.h>
+ #include <sys/wait.h>
++#include <signal.h>
++#include <fcntl.h>
+ #include <netdb.h>
+ #include <string.h>
+ #include <time.h>
+diff -u sysklogd-1.5.1.orig/syslogd.c sysklogd-1.5.1/syslogd.c
+--- sysklogd-1.5.1.orig/syslogd.c	2014-10-04 15:47:18.000000000 -0400
++++ sysklogd-1.5.1/syslogd.c	2021-01-18 23:13:25.000000000 -0500
+@@ -519,9 +519,9 @@
+ #include <time.h>
+ 
+ #define SYSLOG_NAMES
++#include <errno.h>
+ #include <sys/syslog.h>
+ #include <sys/param.h>
+-#include <sys/errno.h>
+ #include <sys/ioctl.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
+@@ -818,9 +818,7 @@
+ void init();
+ void cfline(char *line, register struct filed *f);
+ int decode(char *name, struct code *codetab);
+-#if defined(__GLIBC__)
+ #define dprintf mydprintf
+-#endif /* __GLIBC__ */
+ static void dprintf(char *, ...);
+ static void allocate_log(void);
+ void sighup_handler();
+@@ -840,15 +838,9 @@
+ 	register char *p;
+ #ifndef TESTING
+ 	ssize_t msglen;
+-#endif
+-#if !defined(__GLIBC__)
+-	int len, num_fds;
+-#else /* __GLIBC__ */
+-#ifndef TESTING
+ 	socklen_t len;
+ #endif
+ 	int num_fds;
+-#endif /* __GLIBC__ */
+ 	/*
+ 	 * It took me quite some time to figure out how this is
+ 	 * supposed to work so I guess I should better write it down.
diff --git a/pkgs/os-specific/linux/sysklogd/systemd.patch b/pkgs/os-specific/linux/sysklogd/systemd.patch
index 0a7fb166bd7..a170f67cadb 100644
--- a/pkgs/os-specific/linux/sysklogd/systemd.patch
+++ b/pkgs/os-specific/linux/sysklogd/systemd.patch
@@ -71,9 +71,9 @@ diff -ruN -x '*~' sysklogd-1.5-old/sd-daemon.c sysklogd-1.5/sd-daemon.c
 +#include <sys/stat.h>
 +#include <sys/socket.h>
 +#include <sys/un.h>
-+#include <sys/fcntl.h>
 +#include <netinet/in.h>
 +#include <stdlib.h>
++#include <fcntl.h>
 +#include <errno.h>
 +#include <unistd.h>
 +#include <string.h>
diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix
index 28681aed564..4ca7f50b7d1 100644
--- a/pkgs/os-specific/linux/syslinux/default.nix
+++ b/pkgs/os-specific/linux/syslinux/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, fetchurl, fetchpatch, nasm, perl, python3, libuuid, mtools, makeWrapper }:
+{ lib, stdenv, fetchgit, fetchurl, fetchpatch, nasm, perl, python3, libuuid, mtools, makeWrapper }:
 
 stdenv.mkDerivation {
   pname = "syslinux";
@@ -23,12 +23,12 @@ stdenv.mkDerivation {
       sha256 = "06ifgzbpjj4picpj17zgprsfi501zf4pp85qjjgn29i5rs291zni";
     })
     (fetchurl {
-      url = "https://git.archlinux.org/svntogit/packages.git/plain/trunk/0005-gnu-efi-version-compatibility.patch?id=821c3da473d1399d930d5b4a086e46a4179eaa45";
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/821c3da473d1399d930d5b4a086e46a4179eaa45/trunk/0005-gnu-efi-version-compatibility.patch";
       name = "0005-gnu-efi-version-compatibility.patch";
       sha256 = "1mz2idg8cwn0mvd3jixxynhkn7rhmi5fp8cc8zznh5f0ysfra446";
     })
     (fetchurl {
-      url = "https://git.archlinux.org/svntogit/packages.git/plain/trunk/0025-reproducible-build.patch?id=821c3da473d1399d930d5b4a086e46a4179eaa45";
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/821c3da473d1399d930d5b4a086e46a4179eaa45/trunk/0025-reproducible-build.patch";
       name = "0025-reproducible-build.patch";
       sha256 = "0qk6wc6z3648828y3961pn4pi7xhd20a6fqn6z1mnj22bbvzcxls";
     })
@@ -47,6 +47,7 @@ stdenv.mkDerivation {
       url = mkURL "26f0e7b2" "0018-prevent-pow-optimization.patch";
       sha256 = "1c8g0jz5yj9a0rsmryx9vdjsw4hw8mjfcg05c9pmyjg85w3dfp3m";
     })
+    ./gcc10.patch
   ];
 
   postPatch = ''
@@ -62,8 +63,8 @@ stdenv.mkDerivation {
     touch gnu-efi/inc/ia32/gnu/stubs-32.h
   '';
 
-  nativeBuildInputs = [ nasm perl python3 ];
-  buildInputs = [ libuuid makeWrapper ];
+  nativeBuildInputs = [ nasm perl python3 makeWrapper ];
+  buildInputs = [ libuuid ];
 
   enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...'
   hardeningDisable = [ "pic" "stackprotector" "fortify" ];
@@ -78,7 +79,7 @@ stdenv.mkDerivation {
     "PERL=perl"
     "HEXDATE=0x00000000"
   ]
-    ++ stdenv.lib.optionals stdenv.hostPlatform.isi686 [ "bios" "efi32" ];
+    ++ lib.optionals stdenv.hostPlatform.isi686 [ "bios" "efi32" ];
 
   doCheck = false; # fails. some fail in a sandbox, others require qemu
 
@@ -90,7 +91,7 @@ stdenv.mkDerivation {
     rm -rf $out/share/syslinux/com32
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.syslinux.org/";
     description = "A lightweight bootloader";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/syslinux/gcc10.patch b/pkgs/os-specific/linux/syslinux/gcc10.patch
new file mode 100644
index 00000000000..f4893a91231
--- /dev/null
+++ b/pkgs/os-specific/linux/syslinux/gcc10.patch
@@ -0,0 +1,33 @@
+diff --git a/dos/string.h b/dos/string.h
+index f648de2..a502132 100644
+--- a/dos/string.h
++++ b/dos/string.h
+@@ -5,12 +5,13 @@
+ #ifndef _STRING_H
+ #define _STRING_H
+ 
++#include <stddef.h>
++
+ /* Standard routines */
+ #define memcpy(a,b,c)	__builtin_memcpy(a,b,c)
+ #define memmove(a,b,c)	__builtin_memmove(a,b,c)
+ #define memset(a,b,c)	__builtin_memset(a,b,c)
+ #define strcpy(a,b)	__builtin_strcpy(a,b)
+-#define strlen(a)	__builtin_strlen(a)
+ 
+ /* This only returns true or false */
+ static inline int memcmp(const void *__m1, const void *__m2, unsigned int __n)
+@@ -21,6 +22,13 @@ static inline int memcmp(const void *__m1, const void *__m2, unsigned int __n)
+     return rv;
+ }
+ 
++static inline size_t strlen(const char *s)
++{
++    size_t len = 0;
++    while (*s++) len++;
++    return len;
++}
++
+ extern char *strchr(const char *s, int c);
+ 
+ #endif /* _STRING_H */
diff --git a/pkgs/os-specific/linux/sysstat/default.nix b/pkgs/os-specific/linux/sysstat/default.nix
index 258da07c40b..2eff999ac7c 100644
--- a/pkgs/os-specific/linux/sysstat/default.nix
+++ b/pkgs/os-specific/linux/sysstat/default.nix
@@ -1,11 +1,11 @@
-{ stdenv, fetchurl, gettext, bzip2 }:
+{ lib, stdenv, fetchurl, gettext, bzip2 }:
 
 stdenv.mkDerivation rec {
-  name = "sysstat-12.3.2";
+  name = "sysstat-12.4.3";
 
   src = fetchurl {
     url = "http://pagesperso-orange.fr/sebastien.godard/${name}.tar.xz";
-    sha256 = "0gaas16q2f7qmrv4sbqk2l2mrc7yr64s33bzw4094p59fkylm7k4";
+    sha256 = "sha256-rkMkMfRarLyrrPu+Ep4lBeIVyvqc6ZbXVQxgkaRvC/0=";
   };
 
   buildInputs = [ gettext ];
@@ -25,8 +25,8 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "http://sebastien.godard.pagesperso-orange.fr/";
     description = "A collection of performance monitoring tools for Linux (such as sar, iostat and pidstat)";
-    license = stdenv.lib.licenses.gpl2Plus;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = [ stdenv.lib.maintainers.eelco ];
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+    maintainers = [ lib.maintainers.eelco ];
   };
 }
diff --git a/pkgs/os-specific/linux/system76-acpi/default.nix b/pkgs/os-specific/linux/system76-acpi/default.nix
new file mode 100644
index 00000000000..f642fad6978
--- /dev/null
+++ b/pkgs/os-specific/linux/system76-acpi/default.nix
@@ -0,0 +1,43 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+let
+  version = "1.0.1";
+  sha256 = "0jmm9h607f7k20yassm6af9mh5l00yih5248wwv4i05bd68yw3p5";
+in
+stdenv.mkDerivation {
+  name = "system76-acpi-module-${version}-${kernel.version}";
+
+  passthru.moduleName = "system76_acpi";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-acpi-dkms";
+    rev = version;
+    inherit sha256;
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D system76_acpi.ko $out/lib/modules/${kernel.modDirVersion}/misc/system76_acpi.ko
+    mkdir -p $out/lib/udev/hwdb.d
+    mv lib/udev/hwdb.d/* $out/lib/udev/hwdb.d
+  '';
+
+  meta = with lib; {
+    maintainers = [ maintainers.khumba ];
+    license = [ licenses.gpl2Only ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = versionOlder kernel.version "4.14";
+    description = "System76 ACPI Driver (DKMS)";
+    homepage = "https://github.com/pop-os/system76-acpi-dkms";
+    longDescription = ''
+      This provides the system76_acpi in-tree driver for systems missing it.
+    '';
+  };
+}
diff --git a/pkgs/os-specific/linux/system76-io/default.nix b/pkgs/os-specific/linux/system76-io/default.nix
new file mode 100644
index 00000000000..fb697430f61
--- /dev/null
+++ b/pkgs/os-specific/linux/system76-io/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+let
+  version = "1.0.1";
+  sha256 = "0qkgkkjy1isv6ws6hrcal75dxjz98rpnvqbm7agdcc6yv0c17wwh";
+in
+stdenv.mkDerivation {
+  name = "system76-io-module-${version}-${kernel.version}";
+
+  passthru.moduleName = "system76_io";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-io-dkms";
+    rev = version;
+    inherit sha256;
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D system76-io.ko $out/lib/modules/${kernel.modDirVersion}/misc/system76-io.ko
+  '';
+
+  meta = with lib; {
+    maintainers = [ maintainers.khumba ];
+    license = [ licenses.gpl2Plus ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = versionOlder kernel.version "4.14";
+    description = "DKMS module for controlling System76 I/O board";
+    homepage = "https://github.com/pop-os/system76-io-dkms";
+  };
+}
diff --git a/pkgs/os-specific/linux/system76-power/default.nix b/pkgs/os-specific/linux/system76-power/default.nix
new file mode 100644
index 00000000000..fbc26ca8719
--- /dev/null
+++ b/pkgs/os-specific/linux/system76-power/default.nix
@@ -0,0 +1,30 @@
+{ pkg-config, libusb1, dbus, lib, rustPlatform, fetchFromGitHub }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "system76-power";
+  version = "1.1.16";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-power";
+    rev = version;
+    sha256 = "sha256-OtrhvUkNNgg6KlrqjwiBKL4zuQZBWevb0xgtSlEW2rQ=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ dbus libusb1 ];
+
+  cargoSha256 = "sha256-ImACDbnUbwc0ZXgF3xxzes8+vUjt76B1xxgqzhgAYX4=";
+
+  postInstall = ''
+    install -D -m 0644 data/system76-power.conf $out/etc/dbus-1/system.d/system76-power.conf
+  '';
+
+  meta = with lib; {
+    description = "System76 Power Management";
+    homepage = "https://github.com/pop-os/system76-power";
+    license = licenses.gpl3Plus;
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    maintainers = [ maintainers.jwoudenberg ];
+  };
+}
diff --git a/pkgs/os-specific/linux/system76/default.nix b/pkgs/os-specific/linux/system76/default.nix
new file mode 100644
index 00000000000..84c153c2f82
--- /dev/null
+++ b/pkgs/os-specific/linux/system76/default.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+let
+  version = "1.0.9";
+  sha256 = "0i4825y2vd679kdjv30ifzj1i1066d3x37z4lgk39hx16993k162";
+in
+stdenv.mkDerivation {
+  name = "system76-module-${version}-${kernel.version}";
+
+  passthru.moduleName = "system76";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-dkms";
+    rev = version;
+    inherit sha256;
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D system76.ko $out/lib/modules/${kernel.modDirVersion}/misc/system76.ko
+    mkdir -p $out/lib/udev/hwdb.d
+    mv lib/udev/hwdb.d/* $out/lib/udev/hwdb.d
+  '';
+
+  meta = with lib; {
+    maintainers = [ maintainers.khumba ];
+    license = [ licenses.gpl2Plus ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    broken = versionOlder kernel.version "4.14";
+    description = "System76 DKMS driver";
+    homepage = "https://github.com/pop-os/system76-dkms";
+    longDescription = ''
+      The System76 DKMS driver. On newer System76 laptops, this driver controls
+      some of the hotkeys and allows for custom fan control.
+    '';
+  };
+}
diff --git a/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch b/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
index ab04ea91644..ac2d0018160 100644
--- a/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
+++ b/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
@@ -1,7 +1,7 @@
-From 22f46f55c81d84e83a4614856d84e63c8400165c Mon Sep 17 00:00:00 2001
+From 2f4a5e9c9ef1cd57662e8bd4c24e1029a00d55b5 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 8 Jan 2013 15:46:30 +0100
-Subject: [PATCH 01/18] Start device units for uninitialised encrypted devices
+Subject: [PATCH 01/19] Start device units for uninitialised encrypted devices
 
 This is necessary because the NixOS service that initialises the
 filesystem depends on the appearance of the device unit.  Also, this
@@ -13,7 +13,7 @@ unit.  (However, this ignores the fsck unit, so it's not perfect...)
  1 file changed, 4 deletions(-)
 
 diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
-index c34b606216..3ab8c1c3fe 100644
+index 7c22eefdb7..e3a55e00b5 100644
 --- a/rules.d/99-systemd.rules.in
 +++ b/rules.d/99-systemd.rules.in
 @@ -17,10 +17,6 @@ SUBSYSTEM=="ubi", TAG+="systemd"
@@ -28,5 +28,5 @@ index c34b606216..3ab8c1c3fe 100644
  SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}!="crypto_LUKS", SYMLINK+="gpt-auto-root"
  SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}=="crypto_LUKS", SYMLINK+="gpt-auto-root-luks"
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch b/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
index c52a13c9a41..f54430f764e 100644
--- a/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
+++ b/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
@@ -1,7 +1,7 @@
-From e5b2b1e90d055068936336f6f01639bcde251b96 Mon Sep 17 00:00:00 2001
+From 4e96b2e074c4a4f4ce900409872ce2f86704ee5b Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Fri, 12 Apr 2013 13:16:57 +0200
-Subject: [PATCH 02/18] Don't try to unmount /nix or /nix/store
+Subject: [PATCH 02/19] Don't try to unmount /nix or /nix/store
 
 They'll still be remounted read-only.
 
@@ -12,7 +12,7 @@ https://github.com/NixOS/nixos/issues/126
  2 files changed, 4 insertions(+)
 
 diff --git a/src/shared/fstab-util.c b/src/shared/fstab-util.c
-index b19127be09..f9adca1100 100644
+index 292b97cd69..791b8e6b7e 100644
 --- a/src/shared/fstab-util.c
 +++ b/src/shared/fstab-util.c
 @@ -40,6 +40,8 @@ bool fstab_is_extrinsic(const char *mount, const char *opts) {
@@ -25,10 +25,10 @@ index b19127be09..f9adca1100 100644
                          "/etc"))
                  return true;
 diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c
-index 8a5e80eeaa..fab35ed6f3 100644
+index 3a72a13e1a..541320dc9d 100644
 --- a/src/shutdown/umount.c
 +++ b/src/shutdown/umount.c
-@@ -414,6 +414,8 @@ static int delete_dm(dev_t devnum) {
+@@ -500,6 +500,8 @@ static int delete_md(MountPoint *m) {
  
  static bool nonunmountable_path(const char *path) {
          return path_equal(path, "/")
@@ -38,5 +38,5 @@ index 8a5e80eeaa..fab35ed6f3 100644
                  || path_equal(path, "/usr")
  #endif
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
index e96593a5938..37caffb97d7 100644
--- a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
+++ b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
@@ -1,7 +1,7 @@
-From ca7f6286c518d7ef3877458bbdf8e01f5518ab0e Mon Sep 17 00:00:00 2001
+From 3d1b2e56a6ed6cc86a64f6f89765a2900e576402 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Wed, 16 Apr 2014 10:59:28 +0200
-Subject: [PATCH 03/18] Fix NixOS containers
+Subject: [PATCH 03/19] Fix NixOS containers
 
 In NixOS containers, the init script is bind-mounted into the
 container, so checking early whether it exists will fail.
@@ -10,10 +10,10 @@ container, so checking early whether it exists will fail.
  1 file changed, 2 insertions(+)
 
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index 51d0c2a75b..4d3451ff3b 100644
+index 7515380fcd..14f8a82eb8 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -5017,6 +5017,7 @@ static int run(int argc, char *argv[]) {
+@@ -5323,6 +5323,7 @@ static int run(int argc, char *argv[]) {
                                  goto finish;
                          }
                  } else {
@@ -21,7 +21,7 @@ index 51d0c2a75b..4d3451ff3b 100644
                          const char *p, *q;
  
                          if (arg_pivot_root_new)
-@@ -5031,6 +5032,7 @@ static int run(int argc, char *argv[]) {
+@@ -5337,6 +5338,7 @@ static int run(int argc, char *argv[]) {
                                  r = -EINVAL;
                                  goto finish;
                          }
@@ -30,5 +30,5 @@ index 51d0c2a75b..4d3451ff3b 100644
  
          } else {
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch b/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
index 4b2c059afd5..2f14a9d6a7e 100644
--- a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
+++ b/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
@@ -1,17 +1,17 @@
-From c87cc5b1cf9c37f195e6b362352279e14289554e Mon Sep 17 00:00:00 2001
+From 3a721cf70e952e933ef5374006bbb11a3a0ad36a Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Thu, 1 May 2014 14:10:10 +0200
-Subject: [PATCH 04/18] Look for fsck in the right place
+Subject: [PATCH 04/19] Look for fsck in the right place
 
 ---
  src/fsck/fsck.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c
-index 80f7107b9d..74e48a385f 100644
+index 510689f3b7..25cab5acae 100644
 --- a/src/fsck/fsck.c
 +++ b/src/fsck/fsck.c
-@@ -370,7 +370,7 @@ static int run(int argc, char *argv[]) {
+@@ -368,7 +368,7 @@ static int run(int argc, char *argv[]) {
                  } else
                          dash_c[0] = 0;
  
@@ -21,5 +21,5 @@ index 80f7107b9d..74e48a385f 100644
                  cmdline[i++] = "-T";
  
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch b/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
index a8f3f0e21fd..0acccacd613 100644
--- a/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
+++ b/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
@@ -1,62 +1,38 @@
-From 450c133c1815b473136b2a5540f9213fef5506ee Mon Sep 17 00:00:00 2001
+From 8b7f881cf22e98e907506f4c403b9e304e332bf9 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Fri, 19 Dec 2014 14:46:17 +0100
-Subject: [PATCH 05/18] Add some NixOS-specific unit directories
+Subject: [PATCH 05/19] Add some NixOS-specific unit directories
 
-Look in `/nix/var/nix/profiles/default/lib/systemd` for units provided
-by packages installed into the default profile via
-`nix-env -iA nixos.$package`, and into `/etc/systemd-mutable/system` for
-persistent, mutable units (used for Dysnomia).
+Look in `/nix/var/nix/profiles/default/lib/systemd/{system,user}` for
+units provided by packages installed into the default profile via
+`nix-env -iA nixos.$package`.
 
 Also, remove /usr and /lib as these don't exist on NixOS.
 ---
- src/core/systemd.pc.in   |  4 ++--
- src/shared/path-lookup.c | 18 +++++-------------
- 2 files changed, 7 insertions(+), 15 deletions(-)
+ src/basic/path-lookup.c | 17 ++---------------
+ src/core/systemd.pc.in  |  5 +++--
+ 2 files changed, 5 insertions(+), 17 deletions(-)
 
-diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
-index 8331832c7a..bedb97115d 100644
---- a/src/core/systemd.pc.in
-+++ b/src/core/systemd.pc.in
-@@ -17,8 +17,8 @@ systemduserunitdir=${prefix}/lib/systemd/user
- systemduserpresetdir=${prefix}/lib/systemd/user-preset
- systemdsystemconfdir=${sysconfdir}/systemd/system
- systemduserconfdir=${sysconfdir}/systemd/user
--systemdsystemunitpath=${systemdsystemconfdir}:/etc/systemd/system:/run/systemd/system:/usr/local/lib/systemd/system:${systemdsystemunitdir}:/usr/lib/systemd/system:/lib/systemd/system
--systemduserunitpath=${systemduserconfdir}:/etc/systemd/user:/run/systemd/user:/usr/local/lib/systemd/user:/usr/local/share/systemd/user:${systemduserunitdir}:/usr/lib/systemd/user:/usr/share/systemd/user
-+systemdsystemunitpath=${systemdsystemconfdir}:/etc/systemd/system:/etc/systemd-mutable/system:/nix/var/nix/profiles/default/lib/systemd/system:/run/systemd/system:${systemdsystemunitdir}
-+systemduserunitpath=${systemduserconfdir}:/etc/systemd/user:/etc/systemd-mutable/user:/nix/var/nix/profiles/default/lib/systemd/user:/run/systemd/user:${systemduserunitdir}
- systemdsystemgeneratordir=${rootprefix}/lib/systemd/system-generators
- systemdusergeneratordir=${prefix}/lib/systemd/user-generators
- systemdsystemgeneratorpath=/run/systemd/system-generators:/etc/systemd/system-generators:/usr/local/lib/systemd/system-generators:${systemdsystemgeneratordir}
-diff --git a/src/shared/path-lookup.c b/src/shared/path-lookup.c
-index 48e0eec09a..a9d38f16d0 100644
---- a/src/shared/path-lookup.c
-+++ b/src/shared/path-lookup.c
-@@ -98,17 +98,14 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
+diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c
+index 96b82170d0..bf66bd6b77 100644
+--- a/src/basic/path-lookup.c
++++ b/src/basic/path-lookup.c
+@@ -94,11 +94,7 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
  }
  
  static const char* const user_data_unit_paths[] = {
 -        "/usr/local/lib/systemd/user",
 -        "/usr/local/share/systemd/user",
-         USER_DATA_UNIT_PATH,
+         USER_DATA_UNIT_DIR,
 -        "/usr/lib/systemd/user",
 -        "/usr/share/systemd/user",
          NULL
  };
  
- static const char* const user_config_unit_paths[] = {
-         USER_CONFIG_UNIT_PATH,
-         "/etc/systemd/user",
-+        "/etc/systemd-mutable/user",
-         NULL
- };
- 
-@@ -604,15 +601,14 @@ int lookup_paths_init(
+@@ -616,15 +612,13 @@ int lookup_paths_init(
                                          persistent_config,
-                                         SYSTEM_CONFIG_UNIT_PATH,
+                                         SYSTEM_CONFIG_UNIT_DIR,
                                          "/etc/systemd/system",
-+                                        "/etc/systemd-mutable/system",
 +                                        "/nix/var/nix/profiles/default/lib/systemd/system",
                                          STRV_IFNOTNULL(persistent_attached),
                                          runtime_config,
@@ -70,11 +46,10 @@ index 48e0eec09a..a9d38f16d0 100644
                                          STRV_IFNOTNULL(generator_late));
                          break;
  
-@@ -628,14 +624,12 @@ int lookup_paths_init(
+@@ -640,14 +634,11 @@ int lookup_paths_init(
                                          persistent_config,
-                                         USER_CONFIG_UNIT_PATH,
+                                         USER_CONFIG_UNIT_DIR,
                                          "/etc/systemd/user",
-+                                        "/etc/systemd-mutable/user",
 +                                        "/nix/var/nix/profiles/default/lib/systemd/user",
                                          runtime_config,
                                          "/run/systemd/user",
@@ -82,26 +57,58 @@ index 48e0eec09a..a9d38f16d0 100644
 -                                        "/usr/local/share/systemd/user",
 -                                        "/usr/share/systemd/user",
 -                                        "/usr/local/lib/systemd/user",
-                                         USER_DATA_UNIT_PATH,
+                                         USER_DATA_UNIT_DIR,
 -                                        "/usr/lib/systemd/user",
                                          STRV_IFNOTNULL(generator_late));
                          break;
  
-@@ -824,14 +818,12 @@ char **generator_binary_paths(UnitFileScope scope) {
-         case UNIT_FILE_SYSTEM:
-                 return strv_new("/run/systemd/system-generators",
-                                 "/etc/systemd/system-generators",
--                                "/usr/local/lib/systemd/system-generators",
-                                 SYSTEM_GENERATOR_PATH);
+@@ -797,7 +788,6 @@ char **generator_binary_paths(UnitFileScope scope) {
+                 case UNIT_FILE_SYSTEM:
+                         add = strv_new("/run/systemd/system-generators",
+                                        "/etc/systemd/system-generators",
+-                                       "/usr/local/lib/systemd/system-generators",
+                                        SYSTEM_GENERATOR_DIR);
+                         break;
+ 
+@@ -805,7 +795,6 @@ char **generator_binary_paths(UnitFileScope scope) {
+                 case UNIT_FILE_USER:
+                         add = strv_new("/run/systemd/user-generators",
+                                        "/etc/systemd/user-generators",
+-                                       "/usr/local/lib/systemd/user-generators",
+                                        USER_GENERATOR_DIR);
+                         break;
+ 
+@@ -844,12 +833,10 @@ char **env_generator_binary_paths(bool is_system) {
+                 if (is_system)
+                         add = strv_new("/run/systemd/system-environment-generators",
+                                         "/etc/systemd/system-environment-generators",
+-                                        "/usr/local/lib/systemd/system-environment-generators",
+                                         SYSTEM_ENV_GENERATOR_DIR);
+                 else
+                         add = strv_new("/run/systemd/user-environment-generators",
+                                        "/etc/systemd/user-environment-generators",
+-                                       "/usr/local/lib/systemd/user-environment-generators",
+                                        USER_ENV_GENERATOR_DIR);
+ 
+                 if (!add)
+diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
+index b5cc8f94a5..a701cd05f8 100644
+--- a/src/core/systemd.pc.in
++++ b/src/core/systemd.pc.in
+@@ -38,10 +38,11 @@ systemdsystemconfdir=${systemd_system_conf_dir}
+ systemd_user_conf_dir=${sysconfdir}/systemd/user
+ systemduserconfdir=${systemd_user_conf_dir}
+ 
+-systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/run/systemd/system:/usr/local/lib/systemd/system:${systemd_system_unit_dir}:/usr/lib/systemd/system:/lib/systemd/system
++systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/nix/var/nix/profiles/default/lib/systemd/system:/run/systemd/system:${systemdsystemunitdir}
+ systemdsystemunitpath=${systemd_system_unit_path}
  
-         case UNIT_FILE_GLOBAL:
-         case UNIT_FILE_USER:
-                 return strv_new("/run/systemd/user-generators",
-                                 "/etc/systemd/user-generators",
--                                "/usr/local/lib/systemd/user-generators",
-                                 USER_GENERATOR_PATH);
+-systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/run/systemd/user:/usr/local/lib/systemd/user:/usr/local/share/systemd/user:${systemd_user_unit_dir}:/usr/lib/systemd/user:/usr/share/systemd/user
++systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/nix/var/nix/profiles/default/lib/systemd/user:/run/systemd/user:${systemduserunitdir}
++
+ systemduserunitpath=${systemd_user_unit_path}
  
-         default:
+ systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
index ac3d3b0bd6f..bda27ac1762 100644
--- a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
+++ b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
@@ -1,7 +1,7 @@
-From f88a9bb1e6080b539ed0116caa9781e7f6755f54 Mon Sep 17 00:00:00 2001
+From 7a6529ee27028860b93bc539e8bbf3f2374d712f Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Mon, 11 May 2015 15:39:38 +0200
-Subject: [PATCH 06/18] Get rid of a useless message in user sessions
+Subject: [PATCH 06/19] Get rid of a useless message in user sessions
 
 Namely lots of variants of
 
@@ -13,10 +13,10 @@ in containers.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/src/core/unit.c b/src/core/unit.c
-index c306183555..3db39fa435 100644
+index 45a417a090..8af3cb08d6 100644
 --- a/src/core/unit.c
 +++ b/src/core/unit.c
-@@ -2043,7 +2043,8 @@ static void unit_check_binds_to(Unit *u) {
+@@ -2163,7 +2163,8 @@ static void unit_check_binds_to(Unit *u) {
          }
  
          assert(other);
@@ -27,5 +27,5 @@ index c306183555..3db39fa435 100644
          /* A unit we need to run is gone. Sniff. Let's stop this. */
          r = manager_add_job(u->manager, JOB_STOP, u, JOB_FAIL, NULL, &error, NULL);
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
index cef3280aba8..d51e1c0f566 100644
--- a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
+++ b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
@@ -1,20 +1,20 @@
-From e2b25ce3606d05ff8a387185c41ab32fb2a36161 Mon Sep 17 00:00:00 2001
+From 5580303956ca7d8eb431d23c2af0030c9cc0e6e9 Mon Sep 17 00:00:00 2001
 From: Gabriel Ebner <gebner@gebner.org>
 Date: Sun, 6 Dec 2015 14:26:36 +0100
-Subject: [PATCH 07/18] hostnamed, localed, timedated: disable methods that
+Subject: [PATCH 07/19] hostnamed, localed, timedated: disable methods that
  change system settings.
 
 ---
- src/hostname/hostnamed.c |  9 +++++++++
+ src/hostname/hostnamed.c |  6 ++++++
  src/locale/localed.c     |  9 +++++++++
  src/timedate/timedated.c | 10 ++++++++++
- 3 files changed, 28 insertions(+)
+ 3 files changed, 25 insertions(+)
 
 diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
-index 21f6471495..8c5af7619f 100644
+index a1794bdab1..77134731e1 100644
 --- a/src/hostname/hostnamed.c
 +++ b/src/hostname/hostnamed.c
-@@ -478,6 +481,9 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
+@@ -643,6 +643,9 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
          if (r < 0)
                  return r;
  
@@ -23,8 +23,8 @@ index 21f6471495..8c5af7619f 100644
 +
          name = empty_to_null(name);
  
-         if (streq_ptr(name, c->data[PROP_STATIC_HOSTNAME]))
-@@ -535,6 +541,9 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess
+         context_read_etc_hostname(c);
+@@ -702,6 +705,9 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess
          if (r < 0)
                  return r;
  
@@ -33,12 +33,12 @@ index 21f6471495..8c5af7619f 100644
 +
          name = empty_to_null(name);
  
-         if (streq_ptr(name, c->data[prop]))
+         context_read_machine_info(c);
 diff --git a/src/locale/localed.c b/src/locale/localed.c
-index 09f16d25f4..c1cb87cef1 100644
+index 736dacdee9..53e0ee935e 100644
 --- a/src/locale/localed.c
 +++ b/src/locale/localed.c
-@@ -275,6 +275,9 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
+@@ -317,6 +317,9 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
          if (r < 0)
                  return r;
  
@@ -46,9 +46,9 @@ index 09f16d25f4..c1cb87cef1 100644
 +            "Changing system settings via systemd is not supported on NixOS.");
 +
          /* If single locale without variable name is provided, then we assume it is LANG=. */
-         if (strv_length(l) == 1 && !strchr(*l, '=')) {
-                 if (!locale_is_valid(*l))
-@@ -410,6 +413,9 @@ static int method_set_vc_keyboard(sd_bus_message *m, void *userdata, sd_bus_erro
+         if (strv_length(l) == 1 && !strchr(l[0], '=')) {
+                 if (!locale_is_valid(l[0]))
+@@ -432,6 +435,9 @@ static int method_set_vc_keyboard(sd_bus_message *m, void *userdata, sd_bus_erro
          if (r < 0)
                  return r;
  
@@ -58,7 +58,7 @@ index 09f16d25f4..c1cb87cef1 100644
          keymap = empty_to_null(keymap);
          keymap_toggle = empty_to_null(keymap_toggle);
  
-@@ -586,6 +592,9 @@ static int method_set_x11_keyboard(sd_bus_message *m, void *userdata, sd_bus_err
+@@ -606,6 +612,9 @@ static int method_set_x11_keyboard(sd_bus_message *m, void *userdata, sd_bus_err
          if (r < 0)
                  return r;
  
@@ -69,10 +69,10 @@ index 09f16d25f4..c1cb87cef1 100644
          model = empty_to_null(model);
          variant = empty_to_null(variant);
 diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
-index 5e2fb50d83..63865f557c 100644
+index 76fe04900d..e87c4c8919 100644
 --- a/src/timedate/timedated.c
 +++ b/src/timedate/timedated.c
-@@ -652,6 +652,10 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
+@@ -646,6 +646,10 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
          if (r < 0)
                  return r;
  
@@ -83,17 +83,17 @@ index 5e2fb50d83..63865f557c 100644
          if (!timezone_is_valid(z, LOG_DEBUG))
                  return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid or not installed time zone '%s'", z);
  
-@@ -731,6 +735,9 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error
+@@ -725,6 +729,9 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error
          if (r < 0)
                  return r;
  
 +        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
 +            "Changing system settings via systemd is not supported on NixOS.");
 +
-         if (lrtc == c->local_rtc)
+         if (lrtc == c->local_rtc && !fix_system)
                  return sd_bus_reply_method_return(m, NULL);
  
-@@ -923,6 +930,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
+@@ -907,6 +914,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
          if (r < 0)
                  return r;
  
@@ -104,5 +104,5 @@ index 5e2fb50d83..63865f557c 100644
          if (r < 0)
                  return r;
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
index 36d82e22f8c..2b1c02b233c 100644
--- a/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
+++ b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
@@ -1,7 +1,7 @@
-From 5a6aad633a7ceffd62b009ce0c4ab6673129f7ff Mon Sep 17 00:00:00 2001
+From 874698425f6d68fc0d662cb17c7c29e0af3e8c25 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Thu, 7 Jul 2016 02:47:13 +0300
-Subject: [PATCH 08/18] Fix hwdb paths
+Subject: [PATCH 08/19] Fix hwdb paths
 
 Patch by vcunat.
 ---
@@ -9,7 +9,7 @@ Patch by vcunat.
  1 file changed, 1 insertion(+), 6 deletions(-)
 
 diff --git a/src/libsystemd/sd-hwdb/sd-hwdb.c b/src/libsystemd/sd-hwdb/sd-hwdb.c
-index b3febdbb31..eba00a5bc7 100644
+index cb3c77ce96..7b8c80071f 100644
 --- a/src/libsystemd/sd-hwdb/sd-hwdb.c
 +++ b/src/libsystemd/sd-hwdb/sd-hwdb.c
 @@ -297,13 +297,8 @@ static int trie_search_f(sd_hwdb *hwdb, const char *search) {
@@ -28,5 +28,5 @@ index b3febdbb31..eba00a5bc7 100644
  _public_ int sd_hwdb_new(sd_hwdb **ret) {
          _cleanup_(sd_hwdb_unrefp) sd_hwdb *hwdb = NULL;
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
index 8b5c807e4a8..a1e8ec963c7 100644
--- a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
+++ b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
@@ -1,7 +1,7 @@
-From b509dbd302a7933ae0002f44b99aac6a1fd5775b Mon Sep 17 00:00:00 2001
+From 367d0dad3d1853048569e315931cb8a27e16a098 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Tue, 11 Oct 2016 13:12:08 +0300
-Subject: [PATCH 09/18] Change /usr/share/zoneinfo to /etc/zoneinfo
+Subject: [PATCH 09/19] Change /usr/share/zoneinfo to /etc/zoneinfo
 
 NixOS uses this path.
 ---
@@ -13,7 +13,7 @@ NixOS uses this path.
  5 files changed, 12 insertions(+), 12 deletions(-)
 
 diff --git a/man/localtime.xml b/man/localtime.xml
-index 0f1652ee2e..71c4f95c2e 100644
+index e486474c44..5f373d0723 100644
 --- a/man/localtime.xml
 +++ b/man/localtime.xml
 @@ -20,7 +20,7 @@
@@ -35,10 +35,10 @@ index 0f1652ee2e..71c4f95c2e 100644
      <literal>Etc/UTC</literal>. The resulting link should lead to the
      corresponding binary
 diff --git a/src/basic/time-util.c b/src/basic/time-util.c
-index 105584e2e7..5238f69931 100644
+index 5318d6378d..04069dc27b 100644
 --- a/src/basic/time-util.c
 +++ b/src/basic/time-util.c
-@@ -1217,7 +1217,7 @@ int get_timezones(char ***ret) {
+@@ -1277,7 +1277,7 @@ int get_timezones(char ***ret) {
          n_allocated = 2;
          n_zones = 1;
  
@@ -47,7 +47,7 @@ index 105584e2e7..5238f69931 100644
          if (f) {
                  for (;;) {
                          _cleanup_free_ char *line = NULL;
-@@ -1312,7 +1312,7 @@ bool timezone_is_valid(const char *name, int log_level) {
+@@ -1372,7 +1372,7 @@ bool timezone_is_valid(const char *name, int log_level) {
          if (p - name >= PATH_MAX)
                  return false;
  
@@ -56,7 +56,7 @@ index 105584e2e7..5238f69931 100644
  
          fd = open(t, O_RDONLY|O_CLOEXEC);
          if (fd < 0) {
-@@ -1410,7 +1410,7 @@ int get_timezone(char **ret) {
+@@ -1470,7 +1470,7 @@ int get_timezone(char **ret) {
          if (r < 0)
                  return r; /* returns EINVAL if not a symlink */
  
@@ -66,10 +66,10 @@ index 105584e2e7..5238f69931 100644
                  return -EINVAL;
  
 diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
-index 901fbf0815..b57bdd8fbe 100644
+index 742b43f9fc..f2cb121816 100644
 --- a/src/firstboot/firstboot.c
 +++ b/src/firstboot/firstboot.c
-@@ -431,7 +431,7 @@ static int process_timezone(void) {
+@@ -459,7 +459,7 @@ static int process_timezone(void) {
          if (isempty(arg_timezone))
                  return 0;
  
@@ -79,10 +79,10 @@ index 901fbf0815..b57bdd8fbe 100644
          (void) mkdir_parents(etc_localtime, 0755);
          if (symlink(e, etc_localtime) < 0)
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index 4d3451ff3b..1adb91335c 100644
+index 14f8a82eb8..8632dadec6 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -1657,8 +1657,8 @@ static int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t u
+@@ -1810,8 +1810,8 @@ static int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t u
  static const char *timezone_from_path(const char *path) {
          return PATH_STARTSWITH_SET(
                          path,
@@ -94,10 +94,10 @@ index 4d3451ff3b..1adb91335c 100644
  
  static bool etc_writable(void) {
 diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
-index 63865f557c..8021a8b753 100644
+index e87c4c8919..964a40ba81 100644
 --- a/src/timedate/timedated.c
 +++ b/src/timedate/timedated.c
-@@ -264,7 +264,7 @@ static int context_read_data(Context *c) {
+@@ -269,7 +269,7 @@ static int context_read_data(Context *c) {
  
          r = get_timezone(&t);
          if (r == -EINVAL)
@@ -106,7 +106,7 @@ index 63865f557c..8021a8b753 100644
          else if (r < 0)
                  log_warning_errno(r, "Failed to get target of /etc/localtime: %m");
  
-@@ -288,7 +288,7 @@ static int context_write_data_timezone(Context *c) {
+@@ -293,7 +293,7 @@ static int context_write_data_timezone(Context *c) {
  
          if (isempty(c->zone) || streq(c->zone, "UTC")) {
  
@@ -115,7 +115,7 @@ index 63865f557c..8021a8b753 100644
  
                          if (unlink("/etc/localtime") < 0 && errno != ENOENT)
                                  return -errno;
-@@ -296,9 +296,9 @@ static int context_write_data_timezone(Context *c) {
+@@ -301,9 +301,9 @@ static int context_write_data_timezone(Context *c) {
                          return 0;
                  }
  
@@ -128,5 +128,5 @@ index 63865f557c..8021a8b753 100644
                          return -ENOMEM;
  
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
index b18ffb40166..334156495fc 100644
--- a/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
+++ b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
@@ -1,7 +1,7 @@
-From b5665ef8b9266c662c3a137df1ef1721cdff346e Mon Sep 17 00:00:00 2001
+From bf285fe7e12bd22f95c14bcefbb5008888c32bfa Mon Sep 17 00:00:00 2001
 From: Imuli <i@imu.li>
 Date: Wed, 19 Oct 2016 08:46:47 -0400
-Subject: [PATCH 10/18] localectl: use /etc/X11/xkb for list-x11-*
+Subject: [PATCH 10/19] localectl: use /etc/X11/xkb for list-x11-*
 
 NixOS has an option to link the xkb data files to /etc/X11, but not to
 /usr/share/X11.
@@ -10,10 +10,10 @@ NixOS has an option to link the xkb data files to /etc/X11, but not to
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/locale/localectl.c b/src/locale/localectl.c
-index 6f2d37d222..7aa2310d48 100644
+index 7d2e887660..91c5139eed 100644
 --- a/src/locale/localectl.c
 +++ b/src/locale/localectl.c
-@@ -286,7 +286,7 @@ static int list_x11_keymaps(int argc, char **argv, void *userdata) {
+@@ -277,7 +277,7 @@ static int list_x11_keymaps(int argc, char **argv, void *userdata) {
          } state = NONE, look_for;
          int r;
  
@@ -23,5 +23,5 @@ index 6f2d37d222..7aa2310d48 100644
                  return log_error_errno(errno, "Failed to open keyboard mapping list. %m");
  
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
index bc9efaed23e..902018ee4b9 100644
--- a/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
+++ b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
@@ -1,17 +1,17 @@
-From be6b5c37779302384079b22b7fd767daad878fa9 Mon Sep 17 00:00:00 2001
+From 293b19c5fdbda1b4ee579a7e8ba12f024a6f34c9 Mon Sep 17 00:00:00 2001
 From: Franz Pletz <fpletz@fnordicwalking.de>
 Date: Sun, 11 Feb 2018 04:37:44 +0100
-Subject: [PATCH 11/18] build: don't create statedir and don't touch prefixdir
+Subject: [PATCH 11/19] build: don't create statedir and don't touch prefixdir
 
 ---
  meson.build | 3 ---
  1 file changed, 3 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index c09115e06a..62eba4186c 100644
+index 580964c3fa..f99d4f3ab5 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -3184,9 +3184,6 @@ install_data('LICENSE.GPL2',
+@@ -3518,9 +3518,6 @@ install_data('LICENSE.GPL2',
               'src/libsystemd/sd-bus/GVARIANT-SERIALIZATION',
               install_dir : docdir)
  
@@ -20,7 +20,7 @@ index c09115e06a..62eba4186c 100644
 -
  ############################################################
  
- meson_check_help = find_program('tools/meson-check-help.sh')
+ check_help = find_program('tools/check-help.sh')
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0012-Install-default-configuration-into-out-share-factory.patch b/pkgs/os-specific/linux/systemd/0012-Install-default-configuration-into-out-share-factory.patch
deleted file mode 100644
index 5d67ce0ca31..00000000000
--- a/pkgs/os-specific/linux/systemd/0012-Install-default-configuration-into-out-share-factory.patch
+++ /dev/null
@@ -1,313 +0,0 @@
-From 9262f52b0e30cf8c39d9f7684a8c0e8fd4887cd5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
-Date: Mon, 26 Feb 2018 14:25:57 +0000
-Subject: [PATCH 12/18] Install default configuration into $out/share/factory
-
-By default systemd should read all its configuration from /etc. Therefor
-we rely on -Dsysconfdir=/etc in meson as default value. Unfortunately
-this would also lead to installation of systemd's own configuration
-files to `/etc` whereas we are limited to /nix/store. To counter that
-this commit introduces two new configuration variables `factoryconfdir`
-and `factorypkgconfdir` to install systemd's own configuration into nix
-store again, while having executables looking up files in /etc.
----
- hwdb.d/meson.build             |  2 +-
- meson.build                    | 11 +++++++----
- network/meson.build            |  2 +-
- src/core/meson.build           | 10 +++++-----
- src/coredump/meson.build       |  2 +-
- src/journal-remote/meson.build |  4 ++--
- src/journal/meson.build        |  2 +-
- src/kernel-install/meson.build |  2 +-
- src/login/meson.build          |  2 +-
- src/network/meson.build        |  2 +-
- src/pstore/meson.build         |  2 +-
- src/resolve/meson.build        |  2 +-
- src/timesync/meson.build       |  2 +-
- src/udev/meson.build           |  4 ++--
- sysctl.d/meson.build           |  2 +-
- tmpfiles.d/meson.build         |  2 +-
- units/meson.build              |  2 +-
- 17 files changed, 29 insertions(+), 26 deletions(-)
-
-diff --git a/hwdb.d/meson.build b/hwdb.d/meson.build
-index 4df6dabf89..02d8d69095 100644
---- a/hwdb.d/meson.build
-+++ b/hwdb.d/meson.build
-@@ -27,7 +27,7 @@ if conf.get('ENABLE_HWDB') == 1
-                      install_dir : udevhwdbdir)
- 
-         meson.add_install_script('sh', '-c',
--                                 mkdir_p.format(join_paths(sysconfdir, 'udev/hwdb.d')))
-+                                 mkdir_p.format(join_paths(factoryconfdir, 'udev/hwdb.d')))
- 
-         meson.add_install_script('sh', '-c',
-                                  'test -n "$DESTDIR" || @0@/systemd-hwdb update'
-diff --git a/meson.build b/meson.build
-index 62eba4186c..b0b2edbb5a 100644
---- a/meson.build
-+++ b/meson.build
-@@ -154,6 +154,9 @@ udevhwdbdir = join_paths(udevlibexecdir, 'hwdb.d')
- catalogdir = join_paths(prefixdir, 'lib/systemd/catalog')
- kernelinstalldir = join_paths(prefixdir, 'lib/kernel/install.d')
- factorydir = join_paths(datadir, 'factory')
-+factoryconfdir = join_paths(datadir, 'factory/etc')
-+factorypkgconfdir = join_paths(datadir, 'factory/etc/systemd')
-+factoryxinitrcdir = join_paths(datadir, 'factory/etc/X11/xinit/xinitrc.d')
- bootlibdir = join_paths(prefixdir, 'lib/systemd/boot/efi')
- testsdir = join_paths(prefixdir, 'lib/systemd/tests')
- systemdstatedir = join_paths(localstatedir, 'lib/systemd')
-@@ -2511,7 +2514,7 @@ if conf.get('ENABLE_BINFMT') == 1
-         meson.add_install_script('sh', '-c',
-                                  mkdir_p.format(binfmtdir))
-         meson.add_install_script('sh', '-c',
--                                 mkdir_p.format(join_paths(sysconfdir, 'binfmt.d')))
-+                                 mkdir_p.format(join_paths(factoryconfdir, 'binfmt.d')))
- endif
- 
- if conf.get('ENABLE_REPART') == 1
-@@ -2612,7 +2615,7 @@ executable('systemd-sleep',
-            install_dir : rootlibexecdir)
- 
- install_data('src/sleep/sleep.conf',
--             install_dir : pkgsysconfdir)
-+             install_dir : factorypkgconfdir)
- 
- exe = executable('systemd-sysctl',
-                  'src/sysctl/sysctl.c',
-@@ -2924,7 +2927,7 @@ if conf.get('HAVE_KMOD') == 1
-         meson.add_install_script('sh', '-c',
-                                  mkdir_p.format(modulesloaddir))
-         meson.add_install_script('sh', '-c',
--                                 mkdir_p.format(join_paths(sysconfdir, 'modules-load.d')))
-+                                 mkdir_p.format(join_paths(factoryconfdir, 'modules-load.d')))
- endif
- 
- exe = executable('systemd-nspawn',
-@@ -3167,7 +3170,7 @@ install_subdir('factory/etc',
-                install_dir : factorydir)
- 
- install_data('xorg/50-systemd-user.sh',
--             install_dir : xinitrcdir)
-+             install_dir : factoryxinitrcdir)
- install_data('modprobe.d/systemd.conf',
-              install_dir : modprobedir)
- install_data('LICENSE.GPL2',
-diff --git a/network/meson.build b/network/meson.build
-index 544dcf4387..1828c50863 100644
---- a/network/meson.build
-+++ b/network/meson.build
-@@ -10,7 +10,7 @@ if conf.get('ENABLE_NETWORKD') == 1
-                      install_dir : networkdir)
- 
-         meson.add_install_script('sh', '-c',
--                                 mkdir_p.format(join_paths(sysconfdir, 'systemd/network')))
-+                                 mkdir_p.format(join_paths(factoryconfdir, 'systemd/network')))
- endif
- 
- install_data('99-default.link',
-diff --git a/src/core/meson.build b/src/core/meson.build
-index 3586838f59..02ddf1a123 100644
---- a/src/core/meson.build
-+++ b/src/core/meson.build
-@@ -179,8 +179,8 @@ libcore = static_library(
- systemd_sources = files('main.c')
- 
- in_files = [['macros.systemd',   rpmmacrosdir],
--            ['system.conf',      pkgsysconfdir],
--            ['user.conf',        pkgsysconfdir],
-+            ['system.conf',      factorypkgconfdir],
-+            ['user.conf',        factorypkgconfdir],
-             ['systemd.pc',       pkgconfigdatadir],
-             ['triggers.systemd', '']]
- 
-@@ -212,6 +212,6 @@ meson.add_install_script('sh', '-c', mkdir_p.format(systemsleepdir))
- meson.add_install_script('sh', '-c', mkdir_p.format(systemgeneratordir))
- meson.add_install_script('sh', '-c', mkdir_p.format(usergeneratordir))
- 
--meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(pkgsysconfdir, 'system')))
--meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(pkgsysconfdir, 'user')))
--meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(sysconfdir, 'xdg/systemd')))
-+meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(factorypkgconfdir, 'system')))
-+meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(factorypkgconfdir, 'user')))
-+meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(factorypkgconfdir, 'xdg/systemd')))
-diff --git a/src/coredump/meson.build b/src/coredump/meson.build
-index 7fa5942697..34c865dfa0 100644
---- a/src/coredump/meson.build
-+++ b/src/coredump/meson.build
-@@ -15,7 +15,7 @@ coredumpctl_sources = files('coredumpctl.c')
- 
- if conf.get('ENABLE_COREDUMP') == 1
-         install_data('coredump.conf',
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- endif
- 
- tests += [
-diff --git a/src/journal-remote/meson.build b/src/journal-remote/meson.build
-index 87b8ba6495..daff8ec967 100644
---- a/src/journal-remote/meson.build
-+++ b/src/journal-remote/meson.build
-@@ -49,7 +49,7 @@ if conf.get('ENABLE_REMOTE') ==1 and conf.get('HAVE_LIBCURL') == 1
-                 output : 'journal-upload.conf',
-                 configuration : substs)
-         install_data(journal_upload_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- endif
- 
- if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_MICROHTTPD') == 1
-@@ -58,7 +58,7 @@ if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_MICROHTTPD') == 1
-                 output : 'journal-remote.conf',
-                 configuration : substs)
-         install_data(journal_remote_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- 
-         install_data('browse.html',
-                      install_dir : join_paths(pkgdatadir, 'gatewayd'))
-diff --git a/src/journal/meson.build b/src/journal/meson.build
-index 5796f77cac..75d975c260 100644
---- a/src/journal/meson.build
-+++ b/src/journal/meson.build
-@@ -109,7 +109,7 @@ if conf.get('HAVE_QRENCODE') == 1
- endif
- 
- install_data('journald.conf',
--             install_dir : pkgsysconfdir)
-+             install_dir : factorypkgconfdir)
- 
- if get_option('create-log-dirs')
-         meson.add_install_script(
-diff --git a/src/kernel-install/meson.build b/src/kernel-install/meson.build
-index 261c3aaae4..dbc5e23513 100644
---- a/src/kernel-install/meson.build
-+++ b/src/kernel-install/meson.build
-@@ -11,4 +11,4 @@ install_data('00-entry-directory.install',
-              install_dir : kernelinstalldir)
- 
- meson.add_install_script('sh', '-c',
--                         mkdir_p.format(join_paths(sysconfdir, 'kernel/install.d')))
-+                         mkdir_p.format(join_paths(factoryconfdir, 'kernel/install.d')))
-diff --git a/src/login/meson.build b/src/login/meson.build
-index 0a7d3d5440..ff90149c1c 100644
---- a/src/login/meson.build
-+++ b/src/login/meson.build
-@@ -75,7 +75,7 @@ if conf.get('ENABLE_LOGIND') == 1
-                 output : 'logind.conf',
-                 configuration : substs)
-         install_data(logind_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- 
-         install_data('org.freedesktop.login1.conf',
-                      install_dir : dbuspolicydir)
-diff --git a/src/network/meson.build b/src/network/meson.build
-index c1c02cfda1..1bfa79a03b 100644
---- a/src/network/meson.build
-+++ b/src/network/meson.build
-@@ -201,7 +201,7 @@ if conf.get('ENABLE_NETWORKD') == 1
-         endif
- 
-         install_data('networkd.conf',
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- 
-         fuzzers += [
-     [['src/network/fuzz-netdev-parser.c',
-diff --git a/src/pstore/meson.build b/src/pstore/meson.build
-index adbac24b54..e9dc88dfa2 100644
---- a/src/pstore/meson.build
-+++ b/src/pstore/meson.build
-@@ -6,5 +6,5 @@ systemd_pstore_sources = files('''
- 
- if conf.get('ENABLE_PSTORE') == 1
-         install_data('pstore.conf',
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- endif
-diff --git a/src/resolve/meson.build b/src/resolve/meson.build
-index c4d8d4e5d9..f550c289a5 100644
---- a/src/resolve/meson.build
-+++ b/src/resolve/meson.build
-@@ -170,7 +170,7 @@ if conf.get('ENABLE_RESOLVE') == 1
-                 output : 'resolved.conf',
-                 configuration : substs)
-         install_data(resolved_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- 
-         install_data('resolv.conf',
-                      install_dir : rootlibexecdir)
-diff --git a/src/timesync/meson.build b/src/timesync/meson.build
-index e5c118c8db..19235df9ca 100644
---- a/src/timesync/meson.build
-+++ b/src/timesync/meson.build
-@@ -27,7 +27,7 @@ if conf.get('ENABLE_TIMESYNCD') == 1
-                 output : 'timesyncd.conf',
-                 configuration : substs)
-         install_data(timesyncd_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
-         install_data('org.freedesktop.timesync1.conf',
-                      install_dir : dbuspolicydir)
-         install_data('org.freedesktop.timesync1.service',
-diff --git a/src/udev/meson.build b/src/udev/meson.build
-index 173b10be50..82638cf5a9 100644
---- a/src/udev/meson.build
-+++ b/src/udev/meson.build
-@@ -187,7 +187,7 @@ foreach prog : [['ata_id/ata_id.c'],
- endforeach
- 
- install_data('udev.conf',
--             install_dir : join_paths(sysconfdir, 'udev'))
-+             install_dir : join_paths(factoryconfdir, 'udev'))
- 
- configure_file(
-         input : 'udev.pc.in',
-@@ -196,7 +196,7 @@ configure_file(
-         install_dir : pkgconfigdatadir == 'no' ? '' : pkgconfigdatadir)
- 
- meson.add_install_script('sh', '-c',
--                         mkdir_p.format(join_paths(sysconfdir, 'udev/rules.d')))
-+                         mkdir_p.format(join_paths(factoryconfdir, 'udev/rules.d')))
- 
- fuzzers += [
-         [['src/udev/net/fuzz-link-parser.c',
-diff --git a/sysctl.d/meson.build b/sysctl.d/meson.build
-index 3f072e3db7..bd9f843eba 100644
---- a/sysctl.d/meson.build
-+++ b/sysctl.d/meson.build
-@@ -27,4 +27,4 @@ foreach file : in_files
- endforeach
- 
- meson.add_install_script('sh', '-c',
--                         mkdir_p.format(join_paths(sysconfdir, 'sysctl.d')))
-+                         mkdir_p.format(join_paths(factoryconfdir, 'sysctl.d')))
-diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build
-index e77f46d06b..04d2ef621d 100644
---- a/tmpfiles.d/meson.build
-+++ b/tmpfiles.d/meson.build
-@@ -57,5 +57,5 @@ endforeach
- if enable_tmpfiles
-         meson.add_install_script(
-                 'sh', '-c',
--                mkdir_p.format(join_paths(sysconfdir, 'tmpfiles.d')))
-+                mkdir_p.format(join_paths(factoryconfdir, 'tmpfiles.d')))
- endif
-diff --git a/units/meson.build b/units/meson.build
-index ea91f0cc9e..8622054ca5 100644
---- a/units/meson.build
-+++ b/units/meson.build
-@@ -323,7 +323,7 @@ install_data('user-.slice.d/10-defaults.conf',
- 
- meson.add_install_script(meson_make_symlink,
-                          join_paths(pkgsysconfdir, 'user'),
--                         join_paths(sysconfdir, 'xdg/systemd/user'))
-+                         join_paths(factorypkgconfdir, 'xdg/systemd/user'))
- meson.add_install_script(meson_make_symlink,
-                          join_paths(dbussystemservicedir, 'org.freedesktop.systemd1.service'),
-                          join_paths(dbussessionservicedir, 'org.freedesktop.systemd1.service'))
--- 
-2.26.2
-
diff --git a/pkgs/os-specific/linux/systemd/0013-inherit-systemd-environment-when-calling-generators.patch b/pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch
index 11d2dc26e38..05fce10e856 100644
--- a/pkgs/os-specific/linux/systemd/0013-inherit-systemd-environment-when-calling-generators.patch
+++ b/pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch
@@ -1,7 +1,7 @@
-From 05c2761f6a981c8576fc47a3dd8beb5a2af3ef09 Mon Sep 17 00:00:00 2001
+From 63777e7f690b67952bf4571f8e09e5d8e769d3c0 Mon Sep 17 00:00:00 2001
 From: Andreas Rammhold <andreas@rammhold.de>
 Date: Fri, 2 Nov 2018 21:15:42 +0100
-Subject: [PATCH 13/18] inherit systemd environment when calling generators.
+Subject: [PATCH 12/19] inherit systemd environment when calling generators.
 
 Systemd generators need access to the environment configured in
 stage-2-init.sh since it schedules fsck and mkfs executions based on
@@ -16,10 +16,10 @@ executables that are being called from managers.
  1 file changed, 8 insertions(+), 3 deletions(-)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 4412e7a849..b799eeca95 100644
+index 6858950107..07a599ede7 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -3901,9 +3901,14 @@ static int manager_run_generators(Manager *m) {
+@@ -4142,9 +4142,14 @@ static int manager_run_generators(Manager *m) {
          argv[4] = NULL;
  
          RUN_WITH_UMASK(0022)
@@ -38,5 +38,5 @@ index 4412e7a849..b799eeca95 100644
  
  finish:
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0014-add-rootprefix-to-lookup-dir-paths.patch b/pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch
index 06b00b82cb9..b9bab2d387e 100644
--- a/pkgs/os-specific/linux/systemd/0014-add-rootprefix-to-lookup-dir-paths.patch
+++ b/pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch
@@ -1,7 +1,7 @@
-From c70029539d0aec5df0c1e4203359335a3841a1e5 Mon Sep 17 00:00:00 2001
+From 561dc3b864d96753b5dc448e6e1a80460d5f0bc4 Mon Sep 17 00:00:00 2001
 From: Andreas Rammhold <andreas@rammhold.de>
 Date: Thu, 9 May 2019 11:15:22 +0200
-Subject: [PATCH 14/18] add rootprefix to lookup dir paths
+Subject: [PATCH 13/19] add rootprefix to lookup dir paths
 
 systemd does not longer use the UDEVLIBEXEC directory as root for
 discovery default udev rules. By adding `$out/lib` to the lookup paths
@@ -12,7 +12,7 @@ files that I might have missed.
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/src/basic/def.h b/src/basic/def.h
-index 970654a1ad..bb261040f8 100644
+index 2e60abb4f1..732ec51d36 100644
 --- a/src/basic/def.h
 +++ b/src/basic/def.h
 @@ -39,13 +39,15 @@
@@ -34,5 +34,5 @@ index 970654a1ad..bb261040f8 100644
  #define CONF_PATHS(n)                           \
          CONF_PATHS_USR(n)                       \
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch b/pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
index 6431b56ea3e..c737b61e749 100644
--- a/pkgs/os-specific/linux/systemd/0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+++ b/pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
@@ -1,7 +1,7 @@
-From 98580b4aa34f3d2e7401f54d6561c5af27ea3437 Mon Sep 17 00:00:00 2001
+From 8f619304804b02f4e9d7a340ca90359f96adc6e8 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Thu, 25 Jul 2019 20:45:55 +0300
-Subject: [PATCH 15/18] systemd-shutdown: execute scripts in
+Subject: [PATCH 14/19] systemd-shutdown: execute scripts in
  /etc/systemd/system-shutdown
 
 This is needed for NixOS to use such scripts as systemd directory is immutable.
@@ -10,10 +10,10 @@ This is needed for NixOS to use such scripts as systemd directory is immutable.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c
-index 523040b57c..561d91c94c 100644
+index 0d07865542..26d974ef73 100644
 --- a/src/shutdown/shutdown.c
 +++ b/src/shutdown/shutdown.c
-@@ -299,7 +299,7 @@ int main(int argc, char *argv[]) {
+@@ -312,7 +312,7 @@ int main(int argc, char *argv[]) {
          _cleanup_free_ char *cgroup = NULL;
          char *arguments[3], *watchdog_device;
          int cmd, r, umount_log_level = LOG_INFO;
@@ -23,5 +23,5 @@ index 523040b57c..561d91c94c 100644
          /* The log target defaults to console, but the original systemd process will pass its log target in through a
           * command line argument, which will override this default. Also, ensure we'll never log to the journal or
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch b/pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
index c27d1a10d58..3059216f7c5 100644
--- a/pkgs/os-specific/linux/systemd/0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+++ b/pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
@@ -1,7 +1,7 @@
-From 3821e20966ee20f74986041f33c4934ad20385b2 Mon Sep 17 00:00:00 2001
+From 577b11afe38fc185d785ca8f125f518a4eb21a00 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Thu, 25 Jul 2019 20:46:58 +0300
-Subject: [PATCH 16/18] systemd-sleep: execute scripts in
+Subject: [PATCH 15/19] systemd-sleep: execute scripts in
  /etc/systemd/system-sleep
 
 This is needed for NixOS to use such scripts as systemd directory is immutable.
@@ -10,7 +10,7 @@ This is needed for NixOS to use such scripts as systemd directory is immutable.
  1 file changed, 1 insertion(+)
 
 diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c
-index fbfddc0262..d2530b9421 100644
+index 39ab554290..880ac7ccb0 100644
 --- a/src/sleep/sleep.c
 +++ b/src/sleep/sleep.c
 @@ -178,6 +178,7 @@ static int execute(char **modes, char **states) {
@@ -22,5 +22,5 @@ index fbfddc0262..d2530b9421 100644
          };
  
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch b/pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
index 9fae2d5767c..ad19d910e1e 100644
--- a/pkgs/os-specific/linux/systemd/0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
+++ b/pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
@@ -1,7 +1,7 @@
-From b07defe819e0f66d08563690b3a5abea5da08620 Mon Sep 17 00:00:00 2001
+From ba19f629c1806ca2d2ab58154e45bce4ae4a3f0c Mon Sep 17 00:00:00 2001
 From: Florian Klink <flokli@flokli.de>
 Date: Sat, 7 Mar 2020 22:40:27 +0100
-Subject: [PATCH 17/18] kmod-static-nodes.service: Update ConditionFileNotEmpty
+Subject: [PATCH 16/19] kmod-static-nodes.service: Update ConditionFileNotEmpty
 
 On NixOS, kernel modules of the currently booted systems are located at
 /run/booted-system/kernel-modules/lib/modules/%v/, not /lib/modules/%v/.
@@ -10,7 +10,7 @@ On NixOS, kernel modules of the currently booted systems are located at
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/units/kmod-static-nodes.service.in b/units/kmod-static-nodes.service.in
-index 0971edf9ec..87105a87b9 100644
+index f4170d6a99..9a6a591bea 100644
 --- a/units/kmod-static-nodes.service.in
 +++ b/units/kmod-static-nodes.service.in
 @@ -12,7 +12,7 @@ Description=Create list of static device nodes for the current kernel
@@ -23,5 +23,5 @@ index 0971edf9ec..87105a87b9 100644
  [Service]
  Type=oneshot
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch b/pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
index 321817dad6f..585a0aa112e 100644
--- a/pkgs/os-specific/linux/systemd/0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+++ b/pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
@@ -1,7 +1,7 @@
-From 9c1ac48a7d95c09bef5a924bb5db6908596403b4 Mon Sep 17 00:00:00 2001
+From c639f311bd27c2bff62a22c34bc92613aaf77587 Mon Sep 17 00:00:00 2001
 From: Florian Klink <flokli@flokli.de>
 Date: Sun, 8 Mar 2020 01:05:54 +0100
-Subject: [PATCH 18/18] path-util.h: add placeholder for DEFAULT_PATH_NORMAL
+Subject: [PATCH 17/19] path-util.h: add placeholder for DEFAULT_PATH_NORMAL
 
 This will be the $PATH used to lookup ExecStart= etc. options, which
 systemd itself uses extensively.
@@ -10,7 +10,7 @@ systemd itself uses extensively.
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/src/basic/path-util.h b/src/basic/path-util.h
-index 30031fca8e..d97145539a 100644
+index d613709f0b..5cced4c115 100644
 --- a/src/basic/path-util.h
 +++ b/src/basic/path-util.h
 @@ -24,11 +24,11 @@
@@ -29,5 +29,5 @@ index 30031fca8e..d97145539a 100644
  #if HAVE_SPLIT_USR
  #  define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR
 -- 
-2.26.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch b/pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch
new file mode 100644
index 00000000000..f634e74e663
--- /dev/null
+++ b/pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch
@@ -0,0 +1,26 @@
+From ebb37f81c28aaa80acd9187a7d77dcb3cb3828db Mon Sep 17 00:00:00 2001
+From: Thomas Tuegel <ttuegel@mailbox.org>
+Date: Mon, 26 Oct 2020 21:21:38 +0100
+Subject: [PATCH 18/19] logind-seat-debus: show CanMultiSession again
+
+Fixes the "switch user" function in Plasma < 5.20.
+---
+ src/login/logind-seat-dbus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
+index a60ed2d3c2..69b6271075 100644
+--- a/src/login/logind-seat-dbus.c
++++ b/src/login/logind-seat-dbus.c
+@@ -450,7 +450,7 @@ static const sd_bus_vtable seat_vtable[] = {
+ 
+         SD_BUS_PROPERTY("Id", "s", NULL, offsetof(Seat, id), SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("ActiveSession", "(so)", property_get_active_session, 0, SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
+-        SD_BUS_PROPERTY("CanMultiSession", "b", property_get_const_true, 0, SD_BUS_VTABLE_PROPERTY_CONST|SD_BUS_VTABLE_HIDDEN),
++        SD_BUS_PROPERTY("CanMultiSession", "b", property_get_const_true, 0, SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("CanTTY", "b", property_get_can_tty, 0, SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("CanGraphical", "b", property_get_can_graphical, 0, SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
+         SD_BUS_PROPERTY("Sessions", "a(so)", property_get_sessions, 0, 0),
+-- 
+2.30.1
+
diff --git a/pkgs/os-specific/linux/systemd/0019-pkg-config-derive-prefix-from-prefix.patch b/pkgs/os-specific/linux/systemd/0019-pkg-config-derive-prefix-from-prefix.patch
new file mode 100644
index 00000000000..2d93cdef9a3
--- /dev/null
+++ b/pkgs/os-specific/linux/systemd/0019-pkg-config-derive-prefix-from-prefix.patch
@@ -0,0 +1,33 @@
+From 5439a516995f9fd57fc91c2cdd016bb18f31aadf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Sun, 6 Dec 2020 08:34:19 +0100
+Subject: [PATCH 19/19] pkg-config: derive prefix from --prefix
+
+Point prefix to the one configured, instead of `/usr` `systemd` has limited
+support for making the pkgconfig prefix overridable, and interpolates those
+values later down.
+
+So we only need to patch this one value to get the correct paths.
+See systemd/systemd@bc4e6e27922a2873985ab9367d79fb099f70b505 for details.
+
+Co-Authored-By: Florian Klink <flokli@flokli.de>
+---
+ src/core/systemd.pc.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
+index a701cd05f8..85d6911bdf 100644
+--- a/src/core/systemd.pc.in
++++ b/src/core/systemd.pc.in
+@@ -11,7 +11,7 @@
+ # considered deprecated (though there is no plan to remove them). New names
+ # shall have underscores.
+ 
+-prefix=/usr
++prefix=@prefix@
+ root_prefix=@rootprefix_noslash@
+ rootprefix=${root_prefix}
+ sysconf_dir=@sysconfdir@
+-- 
+2.30.1
+
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index c0163dcafe6..a33bb3c1a1d 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -1,50 +1,136 @@
-{ stdenv, lib, fetchFromGitHub, pkgconfig, intltool, gperf, libcap
-, curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, e2fsprogs, utillinux, libffi
-, glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor
-, audit, lz4, bzip2, pcre2
-, linuxHeaders ? stdenv.cc.libc.linuxHeaders
-, iptables, gnu-efi, bashInteractive
-, gettext, docbook_xsl, docbook_xml_dtd_42, docbook_xml_dtd_45
-, ninja, meson, python3Packages, glibcLocales
+# NOTE: Make sure to (re-)format this file on changes with `nixpkgs-fmt`!
+
+{ stdenv
+, lib
+, fetchFromGitHub
+, fetchpatch
+, buildPackages
+, ninja
+, meson
+, m4
+, pkg-config
+, coreutils
+, gperf
+, getent
 , patchelf
+, glibcLocales
+, glib
 , substituteAll
-, getent
-, cryptsetup, lvm2
-, buildPackages
-, perl
-, withSelinux ? false, libselinux
-, withLibseccomp ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) libseccomp.meta.platforms, libseccomp
-, withKexectools ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) kexectools.meta.platforms, kexectools
+, gettext
+, python3Packages
+
+  # Mandatory dependencies
+, libcap
+, util-linux
+, kbd
+, kmod
+
+  # Optional dependencies
+, pam
+, cryptsetup
+, lvm2
+, audit
+, acl
+, lz4
+, libgcrypt
+, libgpgerror
+, libidn2
+, curl
+, gnutar
+, gnupg
+, zlib
+, xz
+, libuuid
+, libapparmor
+, intltool
+, bzip2
+, pcre2
+, e2fsprogs
+, linuxHeaders ? stdenv.cc.libc.linuxHeaders
+, gnu-efi
+, iptables
+, withSelinux ? false
+, libselinux
+, withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp
+, libseccomp
+, withKexectools ? lib.meta.availableOn stdenv.hostPlatform kexectools
+, kexectools
+, bashInteractive
+, libmicrohttpd
+
+, withAnalyze ? true
+, withApparmor ? true
+, withCompression ? true  # adds bzip2, lz4 and xz
+, withCoredump ? true
+, withCryptsetup ? true
+, withDocumentation ? true
+, withEfi ? stdenv.hostPlatform.isEfi
+, withHomed ? false
+, withHostnamed ? true
+, withHwdb ? true
+, withImportd ? true
+, withLocaled ? true
+, withLogind ? true
+, withMachined ? true
+, withNetworkd ? true
+, withNss ? true
+, withOomd ? false
+, withPCRE2 ? true
+, withPolkit ? true
+, withPortabled ? false
+, withRemote ? true
+, withResolved ? true
+, withShellCompletions ? true
+, withTimedated ? true
+, withTimesyncd ? true
+, withUserDb ? true
+, libfido2
+, p11-kit
+
+  # name argument
+, pname ? "systemd"
+
+
+, libxslt
+, docbook_xsl
+, docbook_xml_dtd_42
+, docbook_xml_dtd_45
 }:
 
-let gnupg-minimal = gnupg.override {
-  enableMinimal = true;
-  guiSupport = false;
-  pcsclite = null;
-  sqlite = null;
-  pinentry = null;
-  adns = null;
-  gnutls = null;
-  libusb1 = null;
-  openldap = null;
-  readline = null;
-  zlib = null;
-  bzip2 = null;
-};
-
-in stdenv.mkDerivation {
-  version = "245.7";
-  pname = "systemd";
-
-  # When updating, use https://github.com/systemd/systemd-stable tree, not the development one!
-  # Also fresh patches should be cherry-picked from that tree to our current one.
+assert withResolved -> (libgcrypt != null && libgpgerror != null);
+assert withImportd ->
+(curl.dev != null && zlib != null && xz != null && libgcrypt != null
+  && gnutar != null && gnupg != null && withCompression);
+
+assert withEfi -> (gnu-efi != null);
+assert withRemote -> lib.getDev curl != null;
+assert withCoredump -> withCompression;
+
+assert withHomed -> withCryptsetup;
+
+assert withCryptsetup ->
+(cryptsetup != null);
+let
+  wantCurl = withRemote || withImportd;
+
+  version = "247.6";
+in
+stdenv.mkDerivation {
+  inherit version pname;
+
+  # We use systemd/systemd-stable for src, and ship NixOS-specific patches inside nixpkgs directly
+  # This has proven to be less error-prone than the previous systemd fork.
   src = fetchFromGitHub {
     owner = "systemd";
     repo = "systemd-stable";
-    rev = "1e6233ed07f7af08550fffa7a885cac1ac67a2c3";
-    sha256 = "1hd5kc3mm7mg4i7hhi82wg4cpg4fpi2k6hzjq9sv07pkn2lw390w";
+    rev = "v${version}";
+    sha256 = "sha256-7XYEq3Qw25suwjbtPzx9lVPHUu9ZY/1bADXl2wQbkJc=";
   };
 
+  # If these need to be regenerated, `git am path/to/00*.patch` them into a
+  # systemd worktree, rebase to the more recent systemd version, and export the
+  # patches again via `git -c format.signoff=false format-patch v${version}`.
+  # Use `find . -name "*.patch" | sort` to get an up-to-date listing of all patches
   patches = [
     ./0001-Start-device-units-for-uninitialised-encrypted-devic.patch
     ./0002-Don-t-try-to-unmount-nix-or-nix-store.patch
@@ -57,13 +143,27 @@ in stdenv.mkDerivation {
     ./0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
     ./0010-localectl-use-etc-X11-xkb-for-list-x11.patch
     ./0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
-    ./0012-Install-default-configuration-into-out-share-factory.patch
-    ./0013-inherit-systemd-environment-when-calling-generators.patch
-    ./0014-add-rootprefix-to-lookup-dir-paths.patch
-    ./0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
-    ./0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
-    ./0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
-    ./0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+    ./0012-inherit-systemd-environment-when-calling-generators.patch
+    ./0013-add-rootprefix-to-lookup-dir-paths.patch
+    ./0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+    ./0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+    ./0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
+    ./0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+    ./0018-logind-seat-debus-show-CanMultiSession-again.patch
+    ./0019-pkg-config-derive-prefix-from-prefix.patch
+
+    # Fix -Werror=format.
+    (fetchpatch {
+      url = "https://github.com/systemd/systemd/commit/ab1aa6368a883bce88e3162fee2bea14aacedf23.patch";
+      sha256 = "1b280l5jrjsg8qhsang199mpqjhkpix4c8bm3blknjnq9iv43add";
+    })
+
+    # Fix CVE-2021-33910, disclosed 2021-07-20
+    (fetchpatch {
+      name = "CVE-2021-33910.patch";
+      url = "https://github.com/systemd/systemd/commit/441e0115646d54f080e5c3bb0ba477c892861ab9.patch";
+      sha256 = "1g1lk95igaadg67kah9bpi4zsc01rg398sd1247ghjsvl5hxn4v4";
+    })
   ];
 
   postPatch = ''
@@ -75,29 +175,148 @@ in stdenv.mkDerivation {
       --replace \
       "find_program('objcopy'" \
       "find_program('${stdenv.cc.bintools.targetPrefix}objcopy'"
+  '' + (
+    let
+      # The folllowing dlopen patches ensure that all the features that are
+      # implemented via dlopen(3) are available (or explicitly deactivated) by
+      # pointing dlopen to the absolute store path instead of relying on the
+      # linkers runtime lookup code.
+      #
+      # All of the dlopen calls have to be handled. When new ones are introduced
+      # by upstream (or one of our patches) they must be explicitly declared,
+      # otherwise the build will fail.
+      #
+      # As of systemd version 247 we've seen a few errors like `libpcre2.… not
+      # found` when using e.g. --grep with journalctl. Those errors should
+      # become less unexpected now.
+      #
+      # There are generally two classes of dlopen(3) calls. Those that we want to
+      # support and those that should be deactivated / unsupported. This change
+      # enforces that we handle all dlopen calls explicitly. Meaning: There is
+      # not a single dlopen call in the source code tree that we did not
+      # explicitly handle.
+      #
+      # In order to do this we introduced a list of attributes that maps from
+      # shared object name to the package that contains them. The package can be
+      # null meaning the reference should be nuked and the shared object will
+      # never be loadable during runtime (because it points at an invalid store
+      # path location).
+      #
+      # To get a list of dynamically loaded libraries issue something like
+      # `grep -ri 'dlopen("lib' $src` and update the below list.
+      dlopenLibs = [
+        # We did never provide support for libxkbcommon & qrencode
+        { name = "libxkbcommon.so.0"; pkg = null; }
+        { name = "libqrencode.so.4"; pkg = null; }
+
+        # We did not provide libpwquality before so it is safe to disable it for
+        # now.
+        { name = "libpwquality.so.1"; pkg = null; }
+
+        # Only include cryptsetup if it is enabled. We might not be able to
+        # provide it during "bootstrap" in e.g. the minimal systemd build as
+        # cryptsetup has udev (aka systemd) in it's dependencies.
+        { name = "libcryptsetup.so.12"; pkg = if withCryptsetup then cryptsetup else null; }
+
+        # We are using libidn2 so we only provide that and ignore the others.
+        # Systemd does this decision during configure time and uses ifdef's to
+        # enable specific branches. We can safely ignore (nuke) the libidn "v1"
+        # libraries.
+        { name = "libidn2.so.0"; pkg = libidn2; }
+        { name = "libidn.so.12"; pkg = null; }
+        { name = "libidn.so.11"; pkg = null; }
+
+        # journalctl --grep requires libpcre so lets provide it
+        { name = "libpcre2-8.so.0"; pkg = pcre2; }
+      ];
+
+      patchDlOpen = dl:
+        let
+          library = "${lib.makeLibraryPath [ dl.pkg ]}/${dl.name}";
+        in
+        if dl.pkg == null then ''
+          # remove the dependency on the library by replacing it with an invalid path
+          for file in $(grep -lr 'dlopen("${dl.name}"' src); do
+            echo "patching dlopen(\"${dl.name}\", …) in $file to an invalid store path ("/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}")…"
+            substituteInPlace "$file" --replace 'dlopen("${dl.name}"' 'dlopen("/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}"'
+          done
+        '' else ''
+          # ensure that the library we provide actually exists
+          if ! [ -e ${library} ]; then
+            echo 'The shared library `${library}` does not exist but was given as subtitute for `${dl.name}`'
+            exit 1
+          fi
+          # make the path to the dependency explicit
+          for file in $(grep -lr 'dlopen("${dl.name}"' src); do
+            echo "patching dlopen(\"${dl.name}\", …) in $file to ${library}…"
+            substituteInPlace "$file" --replace 'dlopen("${dl.name}"' 'dlopen("${library}"'
+          done
+        '';
+    in
+    # patch all the dlopen calls to contain absolute paths to the libraries
+    lib.concatMapStringsSep "\n" patchDlOpen dlopenLibs
+  )
+  # finally ensure that there are no left-over dlopen calls that we didn't handle
+  + ''
+    if grep -qr 'dlopen("[^/]' src; then
+      echo "Found unhandled dlopen calls: "
+      grep -r 'dlopen("[^/]' src
+      exit 1
+    fi
   '';
 
-  outputs = [ "out" "lib" "man" "dev" ];
+  outputs = [ "out" "man" "dev" ];
 
   nativeBuildInputs =
-    [ pkgconfig intltool gperf libxslt gettext docbook_xsl docbook_xml_dtd_42 docbook_xml_dtd_45
-      ninja meson
+    [
+      pkg-config
+      gperf
+      ninja
+      meson
       coreutils # meson calls date, stat etc.
       glibcLocales
-      patchelf getent m4
-      perl # to patch the libsystemd.so and remove dependencies on aarch64
-
-      (buildPackages.python3Packages.python.withPackages ( ps: with ps; [ python3Packages.lxml ]))
+      patchelf
+      getent
+      m4
+
+      intltool
+      gettext
+
+      libxslt
+      docbook_xsl
+      docbook_xml_dtd_42
+      docbook_xml_dtd_45
+      (buildPackages.python3Packages.python.withPackages (ps: with ps; [ python3Packages.lxml ]))
     ];
+
   buildInputs =
-    [ linuxHeaders libcap curl.dev kmod xz pam acl
-      cryptsetup libuuid glib libgcrypt libgpgerror libidn2
-      pcre2 ] ++
-      stdenv.lib.optional withKexectools kexectools ++
-      stdenv.lib.optional withLibseccomp libseccomp ++
-    [ libffi audit lz4 bzip2 libapparmor
-      iptables gnu-efi
-    ] ++ stdenv.lib.optional withSelinux libselinux;
+    [
+      acl
+      audit
+      glib
+      kmod
+      libcap
+      libgcrypt
+      libidn2
+      libuuid
+      linuxHeaders
+      pam
+    ]
+
+    ++ lib.optional withApparmor libapparmor
+    ++ lib.optional wantCurl (lib.getDev curl)
+    ++ lib.optionals withCompression [ bzip2 lz4 xz ]
+    ++ lib.optional withCryptsetup (lib.getDev cryptsetup.dev)
+    ++ lib.optional withEfi gnu-efi
+    ++ lib.optional withKexectools kexectools
+    ++ lib.optional withLibseccomp libseccomp
+    ++ lib.optional withNetworkd iptables
+    ++ lib.optional withPCRE2 pcre2
+    ++ lib.optional withResolved libgpgerror
+    ++ lib.optional withSelinux libselinux
+    ++ lib.optional withRemote libmicrohttpd
+    ++ lib.optionals withHomed [ p11-kit libfido2 ]
+  ;
 
   #dontAddPrefix = true;
 
@@ -107,36 +326,47 @@ in stdenv.mkDerivation {
     "-Ddbussystemservicedir=${placeholder "out"}/share/dbus-1/system-services"
     "-Dpamconfdir=${placeholder "out"}/etc/pam.d"
     "-Drootprefix=${placeholder "out"}"
-    "-Drootlibdir=${placeholder "lib"}/lib"
     "-Dpkgconfiglibdir=${placeholder "dev"}/lib/pkgconfig"
     "-Dpkgconfigdatadir=${placeholder "dev"}/share/pkgconfig"
     "-Dloadkeys-path=${kbd}/bin/loadkeys"
     "-Dsetfont-path=${kbd}/bin/setfont"
     "-Dtty-gid=3" # tty in NixOS has gid 3
     "-Ddebug-shell=${bashInteractive}/bin/bash"
+    "-Dglib=${lib.boolToString (glib != null)}"
     # while we do not run tests we should also not build them. Removes about 600 targets
     "-Dtests=false"
-    "-Dimportd=true"
-    "-Dlz4=true"
-    "-Dhomed=false"
-    "-Dhostnamed=true"
-    "-Dnetworkd=true"
-    "-Dportabled=false"
-    "-Dremote=false"
+    "-Danalyze=${lib.boolToString withAnalyze}"
+    "-Dgcrypt=${lib.boolToString (libgcrypt != null)}"
+    "-Dimportd=${lib.boolToString withImportd}"
+    "-Dlz4=${lib.boolToString withCompression}"
+    "-Dhomed=${lib.boolToString withHomed}"
+    "-Dlogind=${lib.boolToString withLogind}"
+    "-Dlocaled=${lib.boolToString withLocaled}"
+    "-Dhostnamed=${lib.boolToString withHostnamed}"
+    "-Dmachined=${lib.boolToString withMachined}"
+    "-Dnetworkd=${lib.boolToString withNetworkd}"
+    "-Doomd=${lib.boolToString withOomd}"
+    "-Dpolkit=${lib.boolToString withPolkit}"
+    "-Dcryptsetup=${lib.boolToString withCryptsetup}"
+    "-Dportabled=${lib.boolToString withPortabled}"
+    "-Dhwdb=${lib.boolToString withHwdb}"
+    "-Dremote=${lib.boolToString withRemote}"
     "-Dsysusers=false"
-    "-Dtimedated=true"
-    "-Dtimesyncd=true"
+    "-Dtimedated=${lib.boolToString withTimedated}"
+    "-Dtimesyncd=${lib.boolToString withTimesyncd}"
+    "-Duserdb=${lib.boolToString withUserDb}"
+    "-Dcoredump=${lib.boolToString withCoredump}"
     "-Dfirstboot=false"
-    "-Dlocaled=true"
-    "-Dresolve=true"
+    "-Dresolve=${lib.boolToString withResolved}"
     "-Dsplit-usr=false"
-    "-Dlibcurl=true"
+    "-Dlibcurl=${lib.boolToString wantCurl}"
     "-Dlibidn=false"
     "-Dlibidn2=true"
     "-Dquotacheck=false"
     "-Dldconfig=false"
     "-Dsmack=true"
     "-Db_pie=true"
+    "-Dinstall-sysconfdir=false"
     /*
     As of now, systemd doesn't allow runtime configuration of these values. So
     the settings in /etc/login.defs have no effect on it. Many people think this
@@ -151,26 +381,36 @@ in stdenv.mkDerivation {
     "-Dsystem-gid-max=999"
     # "-Dtime-epoch=1"
 
-    (if !stdenv.hostPlatform.isEfi then "-Dgnu-efi=false" else "-Dgnu-efi=true")
-    "-Defi-libdir=${toString gnu-efi}/lib"
-    "-Defi-includedir=${toString gnu-efi}/include/efi"
-    "-Defi-ldsdir=${toString gnu-efi}/lib"
-
     "-Dsysvinit-path="
     "-Dsysvrcnd-path="
 
     "-Dkill-path=${coreutils}/bin/kill"
     "-Dkmod-path=${kmod}/bin/kmod"
-    "-Dsulogin-path=${utillinux}/bin/sulogin"
-    "-Dmount-path=${utillinux}/bin/mount"
-    "-Dumount-path=${utillinux}/bin/umount"
+    "-Dsulogin-path=${util-linux}/bin/sulogin"
+    "-Dmount-path=${util-linux}/bin/mount"
+    "-Dumount-path=${util-linux}/bin/umount"
     "-Dcreate-log-dirs=false"
-    # Upstream uses cgroupsv2 by default. To support docker and other
-    # container managers we still need v1.
-    "-Ddefault-hierarchy=hybrid"
+
+    # Use cgroupsv2. This is already the upstream default, but better be explicit.
+    "-Ddefault-hierarchy=unified"
     # Upstream defaulted to disable manpages since they optimize for the much
     # more frequent development builds
     "-Dman=true"
+
+    "-Defi=${lib.boolToString withEfi}"
+    "-Dgnu-efi=${lib.boolToString withEfi}"
+  ] ++ lib.optionals withEfi [
+    "-Defi-libdir=${toString gnu-efi}/lib"
+    "-Defi-includedir=${toString gnu-efi}/include/efi"
+    "-Defi-ldsdir=${toString gnu-efi}/lib"
+  ] ++ lib.optionals (withShellCompletions == false) [
+    "-Dbashcompletiondir=no"
+    "-Dzshcompletiondir=no"
+  ] ++ lib.optionals (!withNss) [
+    "-Dnss-myhostname=false"
+    "-Dnss-mymachines=false"
+    "-Dnss-resolve=false"
+    "-Dnss-systemd=false"
   ];
 
   preConfigure = ''
@@ -182,13 +422,13 @@ in stdenv.mkDerivation {
       src/core/mount.c \
       src/core/swap.c \
       src/cryptsetup/cryptsetup-generator.c \
-      src/fsck/fsck.c \
       src/journal/cat.c \
       src/nspawn/nspawn.c \
       src/remount-fs/remount-fs.c \
       src/shared/generator.c \
       src/shutdown/shutdown.c \
       units/emergency.service.in \
+      units/modprobe@.service \
       units/rescue.service.in \
       units/systemd-logind.service.in \
       units/systemd-nspawn@.service.in; \
@@ -196,26 +436,24 @@ in stdenv.mkDerivation {
       test -e $i
       substituteInPlace $i \
         --replace /usr/bin/getent ${getent}/bin/getent \
-        --replace /sbin/mkswap ${lib.getBin utillinux}/sbin/mkswap \
-        --replace /sbin/swapon ${lib.getBin utillinux}/sbin/swapon \
-        --replace /sbin/swapoff ${lib.getBin utillinux}/sbin/swapoff \
-        --replace /sbin/mke2fs ${lib.getBin e2fsprogs}/sbin/mke2fs \
-        --replace /sbin/fsck ${lib.getBin utillinux}/sbin/fsck \
+        --replace /sbin/mkswap ${lib.getBin util-linux}/sbin/mkswap \
+        --replace /sbin/swapon ${lib.getBin util-linux}/sbin/swapon \
+        --replace /sbin/swapoff ${lib.getBin util-linux}/sbin/swapoff \
         --replace /bin/echo ${coreutils}/bin/echo \
         --replace /bin/cat ${coreutils}/bin/cat \
-        --replace /sbin/sulogin ${lib.getBin utillinux}/sbin/sulogin \
+        --replace /sbin/sulogin ${lib.getBin util-linux}/sbin/sulogin \
         --replace /sbin/modprobe ${lib.getBin kmod}/sbin/modprobe \
         --replace /usr/lib/systemd/systemd-fsck $out/lib/systemd/systemd-fsck \
         --replace /bin/plymouth /run/current-system/sw/bin/plymouth # To avoid dependency
     done
 
-    for dir in tools src/resolve test src/test; do
+    for dir in tools src/resolve test src/test src/shared; do
       patchShebangs $dir
     done
 
     # absolute paths to gpg & tar
     substituteInPlace src/import/pull-common.c \
-      --replace '"gpg"' '"${gnupg-minimal}/bin/gpg"'
+      --replace '"gpg"' '"${gnupg}/bin/gpg"'
     for file in src/import/{{export,import,pull}-tar,import-common}.c; do
       substituteInPlace $file \
         --replace '"tar"' '"${gnutar}/bin/tar"'
@@ -237,14 +475,17 @@ in stdenv.mkDerivation {
   NIX_CFLAGS_COMPILE = toString [
     # Can't say ${polkit.bin}/bin/pkttyagent here because that would
     # lead to a cyclic dependency.
-    "-UPOLKIT_AGENT_BINARY_PATH" "-DPOLKIT_AGENT_BINARY_PATH=\"/run/current-system/sw/bin/pkttyagent\""
+    "-UPOLKIT_AGENT_BINARY_PATH"
+    "-DPOLKIT_AGENT_BINARY_PATH=\"/run/current-system/sw/bin/pkttyagent\""
 
     # Set the release_agent on /sys/fs/cgroup/systemd to the
     # currently running systemd (/run/current-system/systemd) so
     # that we don't use an obsolete/garbage-collected release agent.
-    "-USYSTEMD_CGROUP_AGENT_PATH" "-DSYSTEMD_CGROUP_AGENT_PATH=\"/run/current-system/systemd/lib/systemd/systemd-cgroups-agent\""
+    "-USYSTEMD_CGROUP_AGENT_PATH"
+    "-DSYSTEMD_CGROUP_AGENT_PATH=\"/run/current-system/systemd/lib/systemd/systemd-cgroups-agent\""
 
-    "-USYSTEMD_BINARY_PATH" "-DSYSTEMD_BINARY_PATH=\"/run/current-system/systemd/lib/systemd/systemd\""
+    "-USYSTEMD_BINARY_PATH"
+    "-DSYSTEMD_BINARY_PATH=\"/run/current-system/systemd/lib/systemd/systemd\""
   ];
 
   doCheck = false; # fails a bunch of tests
@@ -276,36 +517,8 @@ in stdenv.mkDerivation {
 
     # "kernel-install" shouldn't be used on NixOS.
     find $out -name "*kernel-install*" -exec rm {} \;
-
-    # Keep only libudev and libsystemd in the lib output.
-    mkdir -p $out/lib
-    mv $lib/lib/security $lib/lib/libnss* $out/lib/
-  ''; # */
-
-  enableParallelBuilding = true;
-
-  # On aarch64 we "leak" a reference to $out/lib/systemd/catalog in the lib
-  # output. The result of that is a dependency cycle between $out and $lib.
-  # Thus nix (rightfully) marks the build as failed. That reference originates
-  # from an array of strings (catalog_file_dirs) in systemd
-  # (src/src/journal/catalog.{c,h}).  The only consumer (as of v242) of the
-  # symbol is the main function of journalctl.  Still libsystemd.so contains
-  # the VALUE but not the symbol.  Systemd seems to be properly using function
-  # & data sections together with the linker flags to garbage collect unused
-  # sections (-Wl,--gc-sections).  For unknown reasons those flags do not
-  # eliminate the unused string constants, in this case on aarch64-linux. The
-  # hacky way is to just remove the reference after we finished compiling.
-  # Since it can not be used (there is no symbol to actually refer to it) there
-  # should not be any harm.  It is a bit odd and I really do not like starting
-  # these kind of hacks but there doesn't seem to be a straight forward way at
-  # this point in time.
-  # The reference will be replaced by the same reference the usual nukeRefs
-  # tooling uses.  The standard tooling can not / should not be uesd since it
-  # is a bit too excessive and could potentially do us some (more) harm.
-  postFixup = ''
-    nukedRef=$(echo $out | sed -e "s,$NIX_STORE/[^-]*-\(.*\),$NIX_STORE/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-\1,")
-    cat $lib/lib/libsystemd.so | perl -pe "s|$out/lib/systemd/catalog|$nukedRef/lib/systemd/catalog|" > $lib/lib/libsystemd.so.tmp
-    mv $lib/lib/libsystemd.so.tmp $(readlink -f $lib/lib/libsystemd.so)
+  '' + lib.optionalString (!withDocumentation) ''
+    rm -rf $out/share/doc
   '';
 
   # The interface version prevents NixOS from switching to an
@@ -316,12 +529,12 @@ in stdenv.mkDerivation {
   # runtime; otherwise we can't and we need to reboot.
   passthru.interfaceVersion = 2;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.freedesktop.org/wiki/Software/systemd/";
     description = "A system and service manager for Linux";
     license = licenses.lgpl21Plus;
     platforms = platforms.linux;
     priority = 10;
-    maintainers = with maintainers; [ andir eelco flokli ];
+    maintainers = with maintainers; [ andir eelco flokli kloenk ];
   };
 }
diff --git a/pkgs/os-specific/linux/sysvinit/default.nix b/pkgs/os-specific/linux/sysvinit/default.nix
index 0fc5acba4da..8f9acdf0662 100644
--- a/pkgs/os-specific/linux/sysvinit/default.nix
+++ b/pkgs/os-specific/linux/sysvinit/default.nix
@@ -1,13 +1,13 @@
-{ stdenv, fetchurl, withoutInitTools ? false }:
+{ lib, stdenv, fetchurl, withoutInitTools ? false }:
 
-let version = "2.96"; in
+let version = "2.97"; in
 
 stdenv.mkDerivation {
   name = (if withoutInitTools then "sysvtools" else "sysvinit") + "-" + version;
 
   src = fetchurl {
     url = "mirror://savannah/sysvinit/sysvinit-${version}.tar.xz";
-    sha256 = "11xmcamvjmrw874zp0vc37hrqc4hz02i0iy8n4xa4dd25avjcbia";
+    sha256 = "042iyayyh3j28vfbypzn822b73r3nfmyn79f9mixigqrfn2rcn9d";
   };
 
   prePatch = ''
@@ -26,7 +26,7 @@ stdenv.mkDerivation {
     mv $out/sbin/killall5 $out/bin
     ln -sf killall5 $out/bin/pidof
   ''
-    + stdenv.lib.optionalString withoutInitTools
+    + lib.optionalString withoutInitTools
     ''
       shopt -s extglob
       rm -rf $out/sbin/!(sulogin)
@@ -39,7 +39,7 @@ stdenv.mkDerivation {
   meta = {
     homepage = "https://www.nongnu.org/sysvinit/";
     description = "Utilities related to booting and shutdown";
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/target-isns/default.nix b/pkgs/os-specific/linux/target-isns/default.nix
new file mode 100644
index 00000000000..fdc0c52a0bf
--- /dev/null
+++ b/pkgs/os-specific/linux/target-isns/default.nix
@@ -0,0 +1,36 @@
+{ lib, stdenv, cmake, fetchFromGitHub, fetchpatch } :
+
+stdenv.mkDerivation rec {
+  pname = "target-isns";
+  version = "0.6.8";
+
+  src = fetchFromGitHub {
+    owner = "open-iscsi";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1b6jjalvvkkjyjbg1pcgk8vmvc6xzzksyjnh2pfi45bbpya4zxim";
+  };
+
+  patches = [
+    # fix absoulute paths
+    ./install_prefix_path.patch
+
+    # fix gcc 10 compiler warning, remove with next update
+    (fetchpatch {
+      url = "https://github.com/open-iscsi/target-isns/commit/3d0c47dd89bcf83d828bcc22ecaaa5f58d78b58e.patch";
+      sha256 = "1x2bkc1ff15621svhpq1r11m0q4ajv0j4fng6hm7wkkbr2s6d1vx";
+    })
+  ];
+
+  cmakeFlags = [ "-DSUPPORT_SYSTEMD=ON" ];
+
+  nativeBuildInputs = [ cmake ];
+
+  meta = with lib; {
+    description = "iSNS client for the Linux LIO iSCSI target";
+    homepage = "https://github.com/open-iscsi/target-isns";
+    maintainers = [ maintainers.markuskowa ];
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/target-isns/install_prefix_path.patch b/pkgs/os-specific/linux/target-isns/install_prefix_path.patch
new file mode 100644
index 00000000000..f98fc21b7a2
--- /dev/null
+++ b/pkgs/os-specific/linux/target-isns/install_prefix_path.patch
@@ -0,0 +1,17 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index f46144d..aeac3e4 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -14,10 +14,10 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Werror")
+ option(SUPPORT_SYSTEMD "Support service control via systemd" OFF)
+
+ add_subdirectory(src)
+-install(FILES target-isns.conf DESTINATION /etc/)
++install(FILES target-isns.conf DESTINATION ${CMAKE_INSTALL_PREFIX}/etc/)
+ install(FILES target-isns.8 DESTINATION ${CMAKE_INSTALL_PREFIX}/share/man/man8/)
+ if (SUPPORT_SYSTEMD)
+-  install(FILES target-isns.service DESTINATION /usr/lib/systemd/system/)
++  install(FILES target-isns.service DESTINATION ${CMAKE_INSTALL_PREFIX}/lib/systemd/system/)
+ endif (SUPPORT_SYSTEMD)
+
+ add_subdirectory(tests)
diff --git a/pkgs/os-specific/linux/targetcli/default.nix b/pkgs/os-specific/linux/targetcli/default.nix
index 94920c4012a..f08ac284f23 100644
--- a/pkgs/os-specific/linux/targetcli/default.nix
+++ b/pkgs/os-specific/linux/targetcli/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, python3, fetchFromGitHub }:
+{ lib, python3, fetchFromGitHub }:
 
 python3.pkgs.buildPythonApplication rec {
   pname = "targetcli";
-  version = "2.1.53";
+  version = "2.1.54";
 
   src = fetchFromGitHub {
     owner = "open-iscsi";
     repo = "${pname}-fb";
     rev = "v${version}";
-    sha256 = "1qrq7y5hnghzbxgrxgl153n8jlhw31kqjbr93jsvlvhz5b3ci750";
+    sha256 = "1kbbvx0lba96ynr5iwws9jpi319m4rzph4bmcj7yfb37k8mi161v";
   };
 
   propagatedBuildInputs = with python3.pkgs; [ configshell rtslib ];
@@ -18,7 +18,7 @@ python3.pkgs.buildPythonApplication rec {
     install -D targetclid.8 -t $out/share/man/man8/
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A command shell for managing the Linux LIO kernel target";
     homepage = "https://github.com/open-iscsi/targetcli-fb";
     license = licenses.asl20;
diff --git a/pkgs/os-specific/linux/tbs/default.nix b/pkgs/os-specific/linux/tbs/default.nix
index 6502cc9c38e..d2b0bc08071 100644
--- a/pkgs/os-specific/linux/tbs/default.nix
+++ b/pkgs/os-specific/linux/tbs/default.nix
@@ -58,6 +58,6 @@ in stdenv.mkDerivation {
     license = licenses.gpl2;
     maintainers = with maintainers; [ ck3d ];
     priority = -1;
-    broken = stdenv.lib.versionAtLeast kernel.version "4.18";
+    broken = lib.versionAtLeast kernel.version "4.18";
   };
 }
diff --git a/pkgs/os-specific/linux/tcp-wrappers/default.nix b/pkgs/os-specific/linux/tcp-wrappers/default.nix
index b3d59cf5a6a..92a6b328b2c 100644
--- a/pkgs/os-specific/linux/tcp-wrappers/default.nix
+++ b/pkgs/os-specific/linux/tcp-wrappers/default.nix
@@ -1,4 +1,4 @@
-{ fetchurl, stdenv, libnsl }:
+{ fetchurl, lib, stdenv, libnsl }:
 
 let
   vanillaVersion = "7.6.q";
@@ -28,7 +28,7 @@ in stdenv.mkDerivation rec {
   # Fix __BEGIN_DECLS usage (even if it wasn't non-standard, this doesn't include sys/cdefs.h)
   patches = [ ./cdecls.patch ];
 
-  postPatch = stdenv.lib.optionalString stdenv.hostPlatform.isMusl ''
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
     substituteInPlace Makefile \
       --replace '-DNETGROUP' '-DUSE_GETDOMAIN'
   '';
@@ -70,6 +70,6 @@ in stdenv.mkDerivation rec {
 
     homepage = "ftp://ftp.porcupine.org/pub/security/index.html";
     license = "BSD-style";
-    platforms = stdenv.lib.platforms.linux;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/teck-udev-rules/default.nix b/pkgs/os-specific/linux/teck-udev-rules/default.nix
new file mode 100644
index 00000000000..eec5eac344e
--- /dev/null
+++ b/pkgs/os-specific/linux/teck-udev-rules/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, teck-programmer }:
+
+stdenv.mkDerivation {
+  pname = "teck-udev-rules";
+  version = lib.getVersion teck-programmer;
+
+  inherit (teck-programmer) src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    install 40-teck.rules -D -t $out/etc/udev/rules.d/
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "udev rules for TECK keyboards";
+    inherit (teck-programmer.meta) license;
+    maintainers = [ lib.maintainers.lourkeur ];
+  };
+}
diff --git a/pkgs/os-specific/linux/thunderbolt/default.nix b/pkgs/os-specific/linux/thunderbolt/default.nix
index d9817a6c04b..e532f9965aa 100644
--- a/pkgs/os-specific/linux/thunderbolt/default.nix
+++ b/pkgs/os-specific/linux/thunderbolt/default.nix
@@ -1,8 +1,8 @@
-{ stdenv
+{ lib, stdenv
 , boost
 , cmake
 , fetchFromGitHub
-, pkgconfig
+, pkg-config
 , txt2tags
 }:
 
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
     sha256 = "02w1bfm7xvq0dzkhwqiq0camkzz9kvciyhnsis61c8vzp39cwx0x";
   };
 
-  nativeBuildInputs = [ cmake pkgconfig txt2tags ];
+  nativeBuildInputs = [ cmake pkg-config txt2tags ];
   buildInputs = [ boost ];
 
   cmakeFlags = [
@@ -26,9 +26,9 @@ stdenv.mkDerivation rec {
 
   meta = {
     description = "Thunderbolt(TM) user-space components";
-    license = stdenv.lib.licenses.bsd3;
-    maintainers = [ stdenv.lib.maintainers.ryantrinkle ];
+    license = lib.licenses.bsd3;
+    maintainers = [ lib.maintainers.ryantrinkle ];
     homepage = "https://01.org/thunderbolt-sw";
-    platforms = stdenv.lib.platforms.linux;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/tiptop/default.nix b/pkgs/os-specific/linux/tiptop/default.nix
index 03db9e3bb0e..c6870d2a4c4 100644
--- a/pkgs/os-specific/linux/tiptop/default.nix
+++ b/pkgs/os-specific/linux/tiptop/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, libxml2, ncurses, bison, flex }:
+{ lib, stdenv, fetchurl, fetchpatch, libxml2, ncurses, bison, flex }:
 
 stdenv.mkDerivation rec {
   pname = "tiptop";
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE = "-I${libxml2.dev}/include/libxml2";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Performance monitoring tool for Linux";
     homepage = "http://tiptop.gforge.inria.fr";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/tiscamera/default.nix b/pkgs/os-specific/linux/tiscamera/default.nix
index fb2773b4d3a..38bc7c3eaff 100644
--- a/pkgs/os-specific/linux/tiscamera/default.nix
+++ b/pkgs/os-specific/linux/tiscamera/default.nix
@@ -2,7 +2,7 @@
 , stdenv
 , fetchFromGitHub
 , cmake
-, pkgconfig
+, pkg-config
 , pcre
 , tinyxml
 , libusb1
@@ -12,27 +12,29 @@
 , gst_all_1
 , libwebcam
 , libunwind
-, gstreamer
 , elfutils
 , orc
-, python3
+, python3Packages
 , libuuid
+, wrapGAppsHook
 }:
 
 stdenv.mkDerivation rec {
   pname = "tiscamera";
-  version = "0.11.1";
+  version = "0.13.1";
 
   src = fetchFromGitHub {
     owner = "TheImagingSource";
     repo = pname;
     rev = "v-${pname}-${version}";
-    sha256 = "07vp6khgl6qd3a4519dmx1s5bfw7pld793p50pjn29fqh91fm93g";
+    sha256 = "0hpy9yhc4mn6w8gvzwif703smmcys0j2jqbz2xfghqxcyb0ykplj";
   };
 
   nativeBuildInputs = [
     cmake
-    pkgconfig
+    pkg-config
+    python3Packages.wrapPython
+    wrapGAppsHook
   ];
 
   buildInputs = [
@@ -46,13 +48,16 @@ stdenv.mkDerivation rec {
     gst_all_1.gst-plugins-base
     libwebcam
     libunwind
-    gstreamer
     elfutils
     orc
-    python3
     libuuid
+    python3Packages.python
+    python3Packages.pyqt5
   ];
 
+  pythonPath = with python3Packages; [ pyqt5 pygobject3 ];
+
+  propagatedBuildInputs = pythonPath;
 
   cmakeFlags = [
     "-DBUILD_ARAVIS=OFF" # For GigE support. Won't need it as our camera is usb.
@@ -60,38 +65,28 @@ stdenv.mkDerivation rec {
     "-DBUILD_TOOLS=ON"
     "-DBUILD_V4L2=ON"
     "-DBUILD_LIBUSB=ON"
+    "-DBUILD_TESTS=ON"
+    "-DTCAM_INSTALL_UDEV=${placeholder "out"}/lib/udev/rules.d"
+    "-DTCAM_INSTALL_UVCDYNCTRL=${placeholder "out"}/share/uvcdynctrl/data/199e"
+    "-DTCAM_INSTALL_GST_1_0=${placeholder "out"}/lib/gstreamer-1.0"
+    "-DTCAM_INSTALL_GIR=${placeholder "out"}/share/gir-1.0"
+    "-DTCAM_INSTALL_TYPELIB=${placeholder "out"}/lib/girepository-1.0"
+    "-DTCAM_INSTALL_SYSTEMD=${placeholder "out"}/etc/systemd/system"
+    "-DTCAM_INSTALL_PYTHON3_MODULES=${placeholder "out"}/lib/${python3Packages.python.libPrefix}/site-packages"
+    "-DGSTREAMER_1.0_INCLUDEDIR=${placeholder "out"}/include/gstreamer-1.0"
+    # There are gobject introspection commands launched as part of the build. Those have a runtime
+    # dependency on `libtcam` (which itself is built as part of this build). In order to allow
+    # that, we set the dynamic linker's path to point on the build time location of the library.
+    "-DCMAKE_SKIP_BUILD_RPATH=OFF"
   ];
 
-  postPatch = ''
-    substituteInPlace ./data/udev/80-theimagingsource-cameras.rules.in \
-      --replace "/usr/bin/uvcdynctrl" "${libwebcam}/bin/uvcdynctrl" \
-      --replace "/path/to/tiscamera/uvc-extensions" "$out/share/uvcdynctrl/data/199e"
-
-    substituteInPlace ./src/BackendLoader.cpp \
-      --replace '"libtcam-v4l2.so"' "\"$out/lib/tcam-0/libtcam-v4l2.so\"" \
-      --replace '"libtcam-aravis.so"' "\"$out/lib/tcam-0/libtcam-aravis.so\"" \
-      --replace '"libtcam-libusb.so"' "\"$out/lib/tcam-0/libtcam-libusb.so\""
-  '';
-
-  preConfigure = ''
-    cmakeFlagsArray=(
-      $cmakeFlagsArray
-      "-DCMAKE_INSTALL_PREFIX=$out"
-      "-DTCAM_INSTALL_UDEV=$out/lib/udev/rules.d"
-      "-DTCAM_INSTALL_UVCDYNCTRL=$out/share/uvcdynctrl/data/199e"
-      "-DTCAM_INSTALL_GST_1_0=$out/lib/gstreamer-1.0"
-      "-DTCAM_INSTALL_GIR=$out/share/gir-1.0"
-      "-DTCAM_INSTALL_TYPELIB=$out/lib/girepository-1.0"
-      "-DTCAM_INSTALL_SYSTEMD=$out/etc/systemd/system"
-    )
-  '';
+  doCheck = true;
 
+  # gstreamer tests requires, besides gst-plugins-bad, plugins installed by this expression.
+  checkPhase = "ctest --force-new-ctest-process -E gstreamer";
 
-  # There are gobject introspection commands launched as part of the build. Those have a runtime
-  # dependency on `libtcam` (which itself is built as part of this build). In order to allow
-  # that, we set the dynamic linker's path to point on the build time location of the library.
-  preBuild = ''
-    export LD_LIBRARY_PATH=$PWD/src''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+  postFixup = ''
+    wrapPythonPrograms "$out $pythonPath"
   '';
 
   meta = with lib; {
diff --git a/pkgs/os-specific/linux/tmon/default.nix b/pkgs/os-specific/linux/tmon/default.nix
index f8438f8d40f..5a14d3d2ee3 100644
--- a/pkgs/os-specific/linux/tmon/default.nix
+++ b/pkgs/os-specific/linux/tmon/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, kernel, ncurses }:
+{ lib, stdenv, kernel, ncurses }:
 
 stdenv.mkDerivation {
   name = "tmon-${kernel.version}";
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Monitoring and Testing Tool for Linux kernel thermal subsystem";
     homepage = "https://www.kernel.org/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/tomb/default.nix b/pkgs/os-specific/linux/tomb/default.nix
index 150c64a0451..af04476aa1d 100644
--- a/pkgs/os-specific/linux/tomb/default.nix
+++ b/pkgs/os-specific/linux/tomb/default.nix
@@ -1,16 +1,16 @@
 { stdenv, lib, fetchFromGitHub, makeWrapper
-, gettext, zsh, pinentry, cryptsetup, gnupg, utillinux, e2fsprogs, sudo
+, gettext, zsh, pinentry, cryptsetup, gnupg, util-linux, e2fsprogs, sudo
 }:
 
 stdenv.mkDerivation rec {
   pname = "tomb";
-  version = "2.7";
+  version = "2.9";
 
   src = fetchFromGitHub {
     owner  = "dyne";
     repo   = "Tomb";
     rev    = "v${version}";
-    sha256 = "1vzkpzci6cp1r1q2n34pcgcns78i726k8d89dd6pibyj0vfnkl57";
+    sha256 = "0d6vmfcf4kd0p2bcljmdnyc2fmbwvar81cc472zx86r7yc3ih102";
   };
 
   buildInputs = [ sudo zsh pinentry ];
@@ -31,10 +31,10 @@ stdenv.mkDerivation rec {
     install -Dm644 doc/tomb.1 $out/share/man/man1/tomb.1
 
     wrapProgram $out/bin/tomb \
-      --prefix PATH : $out/bin:${lib.makeBinPath [ cryptsetup gettext gnupg pinentry utillinux e2fsprogs ]}
+      --prefix PATH : $out/bin:${lib.makeBinPath [ cryptsetup gettext gnupg pinentry util-linux e2fsprogs ]}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "File encryption on GNU/Linux";
     homepage    = "https://www.dyne.org/software/tomb/";
     license     = licenses.gpl3;
diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix
index 5e0e9c539ea..d9b4333d249 100644
--- a/pkgs/os-specific/linux/tp_smapi/default.nix
+++ b/pkgs/os-specific/linux/tp_smapi/default.nix
@@ -40,7 +40,7 @@ stdenv.mkDerivation rec {
   meta = {
     description = "IBM ThinkPad hardware functions driver";
     homepage = "https://github.com/evgeni/tp_smapi";
-    license = stdenv.lib.licenses.gpl2;
+    license = lib.licenses.gpl2;
     maintainers = [ ];
     # driver is only ment for linux thinkpads i think  bellow platforms should cover it.
     platforms = [ "x86_64-linux" "i686-linux" ];
diff --git a/pkgs/os-specific/linux/tpacpi-bat/default.nix b/pkgs/os-specific/linux/tpacpi-bat/default.nix
index bb6d51669e6..5512eed63ab 100644
--- a/pkgs/os-specific/linux/tpacpi-bat/default.nix
+++ b/pkgs/os-specific/linux/tpacpi-bat/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, perl, kmod, coreutils }:
+{ lib, stdenv, fetchFromGitHub, perl, kmod, coreutils }:
 
 # Requires the acpi_call kernel module in order to run.
 stdenv.mkDerivation rec {
@@ -26,9 +26,9 @@ stdenv.mkDerivation rec {
   '';
 
   meta = {
-    maintainers = [stdenv.lib.maintainers.orbekk];
-    platforms = stdenv.lib.platforms.linux;
+    maintainers = [lib.maintainers.orbekk];
+    platforms = lib.platforms.linux;
     description = "Tool to set battery charging thesholds on Lenovo Thinkpad";
-    license = stdenv.lib.licenses.gpl3Plus;
+    license = lib.licenses.gpl3Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/trace-cmd/default.nix b/pkgs/os-specific/linux/trace-cmd/default.nix
index a80635c53ce..0a7860c0238 100644
--- a/pkgs/os-specific/linux/trace-cmd/default.nix
+++ b/pkgs/os-specific/linux/trace-cmd/default.nix
@@ -1,9 +1,13 @@
-{ stdenv, fetchgit, asciidoc, docbook_xsl, libxslt }:
-stdenv.mkDerivation {
+{ lib, stdenv, fetchgit, asciidoc, docbook_xsl, libxslt }:
+stdenv.mkDerivation rec {
   pname = "trace-cmd";
-  version = "2.9-dev";
+  version = "2.9.1";
 
-  src = fetchgit (import ./src.nix);
+  src = fetchgit {
+    url    = "git://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/";
+    rev    = "trace-cmd-v${version}";
+    sha256 = "19c63a0qmcppm1456qf4k6a0d1agcvpa6jnbzrdcyc520yax6khw";
+  };
 
   patches = [ ./fix-Makefiles.patch ];
 
@@ -23,10 +27,10 @@ stdenv.mkDerivation {
     "man_dir=${placeholder "man"}/share/man"
     "libdir=${placeholder "lib"}/lib"
     "includedir=${placeholder "dev"}/include"
-    "BASH_COMPLETE_DIR=${placeholder "out"}/etc/bash_completion.d"
+    "BASH_COMPLETE_DIR=${placeholder "out"}/share/bash-completion/completions"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "User-space tools for the Linux kernel ftrace subsystem";
     homepage    = "https://kernelshark.org/";
     license     = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch b/pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch
index db194e16fdb..1e783999af6 100644
--- a/pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch
+++ b/pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch
@@ -1,30 +1,30 @@
 diff --git a/Makefile b/Makefile
-index bbdf15e..deb8ef7 100644
+index b034042..b8a06bc 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -288,7 +288,7 @@ libtraceevent.a: $(LIBTRACEEVENT_STATIC)
- libtracecmd.a: $(LIBTRACECMD_STATIC)
- libtracecmd.so: $(LIBTRACECMD_SHARED)
+@@ -338,6 +338,7 @@ libtracefs.a: $(LIBTRACEFS_STATIC)
+ libtracefs.so: $(LIBTRACEFS_SHARED)
  
--libs: $(LIBTRACECMD_SHARED) $(LIBTRACEEVENT_SHARED)
-+libs: $(LIBTRACECMD_SHARED) $(LIBTRACEEVENT_SHARED) $(LIBTRACECMD_STATIC) $(LIBTRACEEVENT_STATIC)
+ libs: $(LIBTRACECMD_SHARED) $(LIBTRACEEVENT_SHARED) $(LIBTRACEFS_SHARED)
++libs: $(LIBTRACECMD_STATIC) $(LIBTRACEEVENT_STATIC) $(LIBTRACEFS_STATIC)
  
- plugins: force $(obj)/lib/traceevent/plugins/traceevent_plugin_dir $(obj)/lib/traceevent/plugins/trace_python_dir
- 	$(Q)$(MAKE) -C $(src)/lib/traceevent/plugins
-@@ -344,6 +344,8 @@ install_gui: install_cmd gui
- install_libs: libs
+ test: force $(LIBTRACEEVENT_STATIC) $(LIBTRACEFS_STATIC) $(LIBTRACECMD_STATIC)
+ ifneq ($(CUNIT_INSTALLED),1)
+@@ -414,6 +415,9 @@ install_libs: libs
  	$(Q)$(call do_install,$(LIBTRACECMD_SHARED),$(libdir_SQ)/trace-cmd)
  	$(Q)$(call do_install,$(LIBTRACEEVENT_SHARED),$(libdir_SQ)/traceevent)
+ 	$(Q)$(call do_install,$(LIBTRACEFS_SHARED),$(libdir_SQ)/tracefs)
 +	$(Q)$(call do_install,$(LIBTRACECMD_STATIC),$(libdir_SQ)/trace-cmd)
 +	$(Q)$(call do_install,$(LIBTRACEEVENT_STATIC),$(libdir_SQ)/traceevent)
++	$(Q)$(call do_install,$(LIBTRACEFS_STATIC),$(libdir_SQ)/tracefs)
  	$(Q)$(call do_install,$(src)/include/traceevent/event-parse.h,$(includedir_SQ)/traceevent)
  	$(Q)$(call do_install,$(src)/include/traceevent/trace-seq.h,$(includedir_SQ)/traceevent)
  	$(Q)$(call do_install,$(src)/include/trace-cmd/trace-cmd.h,$(includedir_SQ)/trace-cmd)
 diff --git a/kernel-shark/src/CMakeLists.txt b/kernel-shark/src/CMakeLists.txt
-index e20a030..7fce165 100644
+index 457c100..687e150 100644
 --- a/kernel-shark/src/CMakeLists.txt
 +++ b/kernel-shark/src/CMakeLists.txt
-@@ -93,7 +93,7 @@ if (Qt5Widgets_FOUND AND Qt5Network_FOUND)
+@@ -92,7 +92,7 @@ if (Qt5Widgets_FOUND AND Qt5Network_FOUND)
              DESTINATION ${_INSTALL_PREFIX}/share/icons/${KS_APP_NAME})
  
      install(FILES "${KS_DIR}/org.freedesktop.kshark-record.policy"
diff --git a/pkgs/os-specific/linux/trace-cmd/kernelshark.nix b/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
index 3a280b8af0b..45d984c7863 100644
--- a/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
+++ b/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
@@ -1,9 +1,13 @@
-{ stdenv, mkDerivation, fetchgit, qtbase, cmake, asciidoc, docbook_xsl, json_c, mesa_glu, freeglut, trace-cmd, pkg-config }:
-mkDerivation {
+{ lib, mkDerivation, fetchgit, qtbase, cmake, asciidoc, docbook_xsl, json_c, mesa_glu, freeglut, trace-cmd, pkg-config }:
+mkDerivation rec {
   pname = "kernelshark";
-  version = "1.1.0";
+  version = "1.2";
 
-  src = fetchgit (import ./src.nix);
+  src = fetchgit {
+    url    = "git://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/";
+    rev    = "kernelshark-v${version}";
+    sha256 = "0wzzm2imk9n94v96v6sbvbff6j47lz4qj0snhiyv3nj3slg0anvh";
+  };
 
   patches = [ ./fix-Makefiles.patch ];
 
@@ -21,6 +25,7 @@ mkDerivation {
     "-DTRACECMD_INCLUDE_DIR=${trace-cmd.dev}/include"
     "-DTRACECMD_LIBRARY=${trace-cmd.lib}/lib/trace-cmd/libtracecmd.a"
     "-DTRACEEVENT_LIBRARY=${trace-cmd.lib}/lib/traceevent/libtraceevent.a"
+    "-DTRACEFS_LIBRARY=${trace-cmd.lib}/lib/tracefs/libtracefs.a"
   ];
 
   preInstall = ''
@@ -30,7 +35,7 @@ mkDerivation {
     pushd kernel-shark/build
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem";
     homepage    = "https://kernelshark.org/";
     license     = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/trace-cmd/src.nix b/pkgs/os-specific/linux/trace-cmd/src.nix
deleted file mode 100644
index 47c1b82fdd4..00000000000
--- a/pkgs/os-specific/linux/trace-cmd/src.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  url    = "git://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/";
-  rev    = "ab370b78b9278fe16657742d46cb95c0a65b47d5"; # branch: kernelshark-v1.1
-  sha256 = "0qngwc4qgadrkwlwpz73f12prdkx94kl0bg7g9hib95ipvsdmk1c";
-}
diff --git a/pkgs/os-specific/linux/trezor-udev-rules/default.nix b/pkgs/os-specific/linux/trezor-udev-rules/default.nix
index c2be8137376..e5d20171c5c 100644
--- a/pkgs/os-specific/linux/trezor-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/trezor-udev-rules/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "trezor-udev-rules";
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     cp 51-trezor.rules $out/lib/udev/rules.d/51-trezor.rules
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Udev rules for Trezor";
     license = licenses.gpl3;
     maintainers = with maintainers; [ prusnak ];
diff --git a/pkgs/os-specific/linux/trinity/default.nix b/pkgs/os-specific/linux/trinity/default.nix
index 6d9848ab712..9bfe0e942ee 100644
--- a/pkgs/os-specific/linux/trinity/default.nix
+++ b/pkgs/os-specific/linux/trinity/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   pname = "trinity";
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "DESTDIR=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A Linux System call fuzz tester";
     homepage = "https://codemonkey.org.uk/projects/trinity/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/tuigreet/default.nix b/pkgs/os-specific/linux/tuigreet/default.nix
new file mode 100644
index 00000000000..89dfe85c082
--- /dev/null
+++ b/pkgs/os-specific/linux/tuigreet/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "tuigreet";
+  version = "0.5.0";
+
+  src = fetchFromGitHub {
+    owner = "apognu";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-Ip/GhpHgTgWFyCdujcCni1CLFDDirUbJuzCj8QiUsFc=";
+  };
+
+  cargoSha256 = "sha256-G/E/2wjeSY57bQJgrZYUA1sWUwtk5mRavmLwy1EgHRM=";
+
+  meta = with lib; {
+    description = "Graphical console greter for greetd";
+    homepage = "https://github.com/apognu/tuigreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/tuna/default.nix b/pkgs/os-specific/linux/tuna/default.nix
new file mode 100644
index 00000000000..0e621a24f08
--- /dev/null
+++ b/pkgs/os-specific/linux/tuna/default.nix
@@ -0,0 +1,62 @@
+{ lib
+, buildPythonApplication
+, fetchgit
+, pygobject3
+, pytestCheckHook
+, gdk-pixbuf
+, glib
+, gobject-introspection
+, gtk3
+, python-linux-procfs
+, python-ethtool
+, wrapGAppsHook
+}:
+
+buildPythonApplication rec {
+  pname = "tuna";
+  version = "0.15";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/${pname}/${pname}.git";
+    rev = "v${version}";
+    sha256 = "sha256-lRHlbdCQ0NcjcWgLvCze67kN8NsK0f5RmKfPbkHhk78=";
+  };
+
+  patchPhase = ''
+    mv tuna-cmd.py tuna/cmd.py
+
+    substituteInPlace setup.py \
+      --replace 'packages = ["tuna", "tuna/gui"],' \
+                'packages = ["tuna", "tuna/gui"], entry_points={"console_scripts":["tuna=tuna.cmd:main"]},'
+
+    substituteInPlace tuna/tuna_gui.py \
+      --replace "self.binpath + 'pkexec'" "'/run/wrappers/bin/pkexec'" \
+      --replace 'tuna_glade_dirs = [".", "tuna", "/usr/share/tuna"]' "tuna_glade_dirs = [ \"$out/share/tuna\" ]"
+  '';
+
+  nativeBuildInputs = [
+    glib.dev
+    gobject-introspection
+    gtk3
+    wrapGAppsHook
+  ];
+
+  propagatedBuildInputs = [ pygobject3 python-linux-procfs python-ethtool ];
+
+  postInstall = ''
+    mkdir -p $out/share/tuna
+    cp tuna/tuna_gui.glade $out/share/tuna/
+  '';
+
+  # contains no tests
+  doCheck = false;
+  pythonImportsCheck = [ "tuna" ];
+
+  meta = with lib; {
+    description = "Thread and IRQ affinity setting GUI and cmd line tool";
+    homepage = "https://git.kernel.org/pub/scm/utils/tuna/tuna.git";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ elohmeier ];
+  };
+}
diff --git a/pkgs/os-specific/linux/tunctl/default.nix b/pkgs/os-specific/linux/tunctl/default.nix
index c20c3e98f55..549a607b152 100644
--- a/pkgs/os-specific/linux/tunctl/default.nix
+++ b/pkgs/os-specific/linux/tunctl/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 
 stdenv.mkDerivation {
   name = "tunctl-1.5";
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
   meta = {
     homepage = "http://tunctl.sourceforge.net/";
     description = "Utility to set up and maintain TUN/TAP network interfaces";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/turbostat/default.nix b/pkgs/os-specific/linux/turbostat/default.nix
index 035dddcc4ec..fb1bcf582fb 100644
--- a/pkgs/os-specific/linux/turbostat/default.nix
+++ b/pkgs/os-specific/linux/turbostat/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, kernel, libcap }:
+{ lib, stdenv, kernel, libcap }:
 
 stdenv.mkDerivation {
   pname = "turbostat";
@@ -11,7 +11,7 @@ stdenv.mkDerivation {
     cd tools/power/x86/turbostat
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Report processor frequency and idle statistics";
     homepage = "https://www.kernel.org/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/tuxedo-keyboard/default.nix b/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
index b67bf2d3dab..17f8b3a28c4 100644
--- a/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
+++ b/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
@@ -1,16 +1,18 @@
-{ stdenv, fetchFromGitHub, kernel, kmod }:
+{ lib, stdenv, fetchFromGitHub, kernel, linuxHeaders }:
 
 stdenv.mkDerivation rec {
   pname = "tuxedo-keyboard-${kernel.version}";
-  version = "2019-08-26";
+  version = "3.0.7";
 
   src = fetchFromGitHub {
     owner = "tuxedocomputers";
     repo = "tuxedo-keyboard";
-    rev = "d65e76e84cfd8169591fc2a0a7c9219fa19da1b5";
-    sha256 = "1s48qpwybwh5pwqas2d1v2a7x4r97sm4hr9i4902r1d7h384bv17";
+    rev = "v${version}";
+    sha256 = "sha256-JloLwfJfDdVowx1hOehjxPbnaKBCAMn7SZe09SE03HU=";
   };
 
+  buildInputs = [ linuxHeaders ];
+
   makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
 
   installPhase = ''
@@ -18,11 +20,12 @@ stdenv.mkDerivation rec {
     mv src/tuxedo_keyboard.ko $out/lib/modules/${kernel.modDirVersion}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Full color keyboard driver for tuxedo computers laptops";
     homepage = "https://github.com/tuxedocomputers/tuxedo-keyboard/";
-    license = licenses.gpl2;
+    license = licenses.gpl3Plus;
     platforms = platforms.linux;
+    broken = stdenv.isAarch64;
     maintainers = [ maintainers.blanky0230 ];
   };
 }
diff --git a/pkgs/os-specific/linux/uclibc/default.nix b/pkgs/os-specific/linux/uclibc/default.nix
index 125a8608c15..8dc0d4613f4 100644
--- a/pkgs/os-specific/linux/uclibc/default.nix
+++ b/pkgs/os-specific/linux/uclibc/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, buildPackages
+{ lib, stdenv, buildPackages
 , fetchurl, linuxHeaders, libiconvReal
 , extraConfig ? ""
 }:
@@ -39,7 +39,7 @@ let
     UCLIBC_SUSV4_LEGACY y
     UCLIBC_HAS_THREADS_NATIVE y
     KERNEL_HEADERS "${linuxHeaders}/include"
-  '' + stdenv.lib.optionalString (stdenv.isAarch32 && stdenv.buildPlatform != stdenv.hostPlatform) ''
+  '' + lib.optionalString (stdenv.isAarch32 && stdenv.buildPlatform != stdenv.hostPlatform) ''
     CONFIG_ARM_EABI y
     ARCH_WANTS_BIG_ENDIAN n
     ARCH_BIG_ENDIAN n
@@ -48,7 +48,7 @@ let
     UCLIBC_HAS_FPU n
   '';
 
-  version = "1.0.34";
+  version = "1.0.37";
 in
 
 stdenv.mkDerivation {
@@ -58,7 +58,7 @@ stdenv.mkDerivation {
   src = fetchurl {
     url = "https://downloads.uclibc-ng.org/releases/${version}/uClibc-ng-${version}.tar.bz2";
     # from "${url}.sha256";
-    sha256 = "025z0072inw1ibnrlwckslp9iayl9c35ysf0h7jjrxlzslzp4yjg";
+    sha256 = "sha256-wThkkRBA42CskGC8kUlgmxk88Qy2Z8qRfLqD6kP8JY0=";
   };
 
   # 'ftw' needed to build acl, a coreutils dependency
@@ -68,7 +68,7 @@ stdenv.mkDerivation {
     cat << EOF | parseconfig
     ${nixConfig}
     ${extraConfig}
-    ${stdenv.hostPlatform.platform.uclibc.extraConfig or ""}
+    ${stdenv.hostPlatform.uclibc.extraConfig or ""}
     EOF
     ( set +o pipefail; yes "" | make oldconfig )
   '';
@@ -83,7 +83,7 @@ stdenv.mkDerivation {
   makeFlags = [
     "ARCH=${stdenv.hostPlatform.parsed.cpu.name}"
     "VERBOSE=1"
-  ] ++ stdenv.lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
+  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
     "CROSS=${stdenv.cc.targetPrefix}"
   ];
 
@@ -104,7 +104,7 @@ stdenv.mkDerivation {
     libiconv = libiconvReal;
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://uclibc-ng.org";
     description = "A small implementation of the C library";
     maintainers = with maintainers; [ rasendubi ];
diff --git a/pkgs/os-specific/linux/udisks-glue/default.nix b/pkgs/os-specific/linux/udisks-glue/default.nix
index 60a1f8a619d..453df94f8fb 100644
--- a/pkgs/os-specific/linux/udisks-glue/default.nix
+++ b/pkgs/os-specific/linux/udisks-glue/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, automake, autoconf, udisks1, dbus-glib, glib, libconfuse }:
+{ lib, stdenv, fetchurl, pkg-config, automake, autoconf, udisks1, dbus-glib, glib, libconfuse }:
 
 stdenv.mkDerivation {
   name = "udisks-glue-1.3.5";
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     sha256 = "317d25bf249278dc8f6a5dcf18f760512427c772b9afe3cfe34e6e1baa258176";
   };
 
-  nativeBuildInputs = [ pkgconfig automake autoconf ];
+  nativeBuildInputs = [ pkg-config automake autoconf ];
   buildInputs = [ udisks1 dbus-glib glib libconfuse ];
 
   preConfigure = "sh autogen.sh";
@@ -16,9 +16,9 @@ stdenv.mkDerivation {
   meta = {
     homepage = "https://github.com/fernandotcl/udisks-glue";
     description = "A tool to associate udisks events to user-defined actions";
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = with stdenv.lib.maintainers; [pSub];
-    license = stdenv.lib.licenses.bsd2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [pSub];
+    license = lib.licenses.bsd2;
     broken = true;
     hydraPlatforms = [];
   };
diff --git a/pkgs/os-specific/linux/udisks/1-default.nix b/pkgs/os-specific/linux/udisks/1-default.nix
index f8876e5d155..f20dc6b6076 100644
--- a/pkgs/os-specific/linux/udisks/1-default.nix
+++ b/pkgs/os-specific/linux/udisks/1-default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchurl, pkgconfig, sg3_utils, udev, glib, dbus, dbus-glib
+{ lib, stdenv, fetchurl, pkg-config, sg3_utils, udev, glib, dbus, dbus-glib
 , polkit, parted, lvm2, libatasmart, intltool, libuuid, mdadm
-, libxslt, docbook_xsl, utillinux, libgudev }:
+, libxslt, docbook_xsl, util-linux, libgudev }:
 
 stdenv.mkDerivation rec {
   name = "udisks-1.0.5";
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
 
       substituteInPlace src/main.c --replace \
         "/sbin:/bin:/usr/sbin:/usr/bin" \
-        "${utillinux}/bin:${mdadm}/sbin:/run/current-system/sw/bin:/run/current-system/sw/bin"
+        "${util-linux}/bin:${mdadm}/sbin:/run/current-system/sw/bin:/run/current-system/sw/bin"
     '';
 
   buildInputs =
@@ -31,11 +31,11 @@ stdenv.mkDerivation rec {
       lvm2 libatasmart intltool libuuid libxslt docbook_xsl
     ];
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
 
   configureFlags = [ "--localstatedir=/var" "--enable-lvm2" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.freedesktop.org/wiki/Software/udisks";
     description = "A daemon and command-line utility for querying and manipulating storage devices";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/udisks/2-default.nix b/pkgs/os-specific/linux/udisks/2-default.nix
index 3b502dbe48f..7be729f4ac8 100644
--- a/pkgs/os-specific/linux/udisks/2-default.nix
+++ b/pkgs/os-specific/linux/udisks/2-default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, fetchpatch, substituteAll, libtool, pkgconfig, gettext, gnused
+{ lib, stdenv, fetchFromGitHub, fetchpatch, substituteAll, libtool, pkg-config, gettext, gnused
 , gtk-doc, acl, systemd, glib, libatasmart, polkit, coreutils, bash, which
-, expat, libxslt, docbook_xsl, utillinux, mdadm, libgudev, libblockdev, parted
+, expat, libxslt, docbook_xsl, util-linux, mdadm, libgudev, libblockdev, parted
 , gobject-introspection, docbook_xml_dtd_412, docbook_xml_dtd_43, autoconf, automake
 , xfsprogs, f2fs-tools, dosfstools, e2fsprogs, btrfs-progs, exfat, nilfs-utils, ntfs3g
 }:
@@ -16,13 +16,13 @@ stdenv.mkDerivation rec {
     sha256 = "01wx2x8xyal595dhdih7rva2bz7gqzgwdp56gi0ikjdzayx17wcf";
   };
 
-  outputs = [ "out" "man" "dev" ] ++ stdenv.lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "devdoc";
+  outputs = [ "out" "man" "dev" ] ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "devdoc";
 
   patches = [
     (substituteAll {
       src = ./fix-paths.patch;
       bash = "${bash}/bin/bash";
-      blkid = "${utillinux}/bin/blkid";
+      blkid = "${util-linux}/bin/blkid";
       false = "${coreutils}/bin/false";
       mdadm = "${mdadm}/bin/mdadm";
       sed = "${gnused}/bin/sed";
@@ -32,9 +32,9 @@ stdenv.mkDerivation rec {
     })
     (substituteAll {
       src = ./force-path.patch;
-      path = stdenv.lib.makeBinPath [
+      path = lib.makeBinPath [
         btrfs-progs coreutils dosfstools e2fsprogs exfat f2fs-tools nilfs-utils
-        xfsprogs ntfs3g parted utillinux
+        xfsprogs ntfs3g parted util-linux
       ];
     })
 
@@ -46,11 +46,11 @@ stdenv.mkDerivation rec {
   ];
 
   nativeBuildInputs = [
-    autoconf automake pkgconfig libtool gettext which gobject-introspection
+    autoconf automake pkg-config libtool gettext which gobject-introspection
     gtk-doc libxslt docbook_xml_dtd_412 docbook_xml_dtd_43 docbook_xsl
   ];
 
-  postPatch = stdenv.lib.optionalString stdenv.hostPlatform.isMusl ''
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
       substituteInPlace udisks/udisksclient.c \
         --replace 'defined( __GNUC_PREREQ)' 1 \
         --replace '__GNUC_PREREQ(4,6)' 1
@@ -63,7 +63,7 @@ stdenv.mkDerivation rec {
   preConfigure = "NOCONFIGURE=1 ./autogen.sh";
 
   configureFlags = [
-    (stdenv.lib.enableFeature (stdenv.buildPlatform == stdenv.hostPlatform) "gtk-doc")
+    (lib.enableFeature (stdenv.buildPlatform == stdenv.hostPlatform) "gtk-doc")
     "--localstatedir=/var"
     "--with-systemdsystemunitdir=$(out)/etc/systemd/system"
     "--with-udevdir=$(out)/lib/udev"
@@ -79,7 +79,7 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A daemon, tools and libraries to access and manipulate disks, storage devices and technologies";
     homepage = "https://www.freedesktop.org/wiki/Software/udisks/";
     license = with licenses; [ lgpl2Plus gpl2Plus ]; # lgpl2Plus for the library, gpl2Plus for the tools & daemon
diff --git a/pkgs/os-specific/linux/undervolt/default.nix b/pkgs/os-specific/linux/undervolt/default.nix
index 2f03ee8c820..cc9fb737465 100644
--- a/pkgs/os-specific/linux/undervolt/default.nix
+++ b/pkgs/os-specific/linux/undervolt/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, python3Packages }:
+{ lib, fetchFromGitHub, python3Packages }:
 
 python3Packages.buildPythonApplication rec {
   version = "0.3.0";
@@ -11,7 +11,7 @@ python3Packages.buildPythonApplication rec {
     sha256 = "1aybk8vbb4745raz7rvpkk6b98xrdiwjhkpbv3kwsgsr9sj42lp0";
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/georgewhewell/undervolt/";
     description = "A program for undervolting Intel CPUs on Linux";
 
diff --git a/pkgs/os-specific/linux/unstick/default.nix b/pkgs/os-specific/linux/unstick/default.nix
index cca6e6210cb..7d839f8acdb 100644
--- a/pkgs/os-specific/linux/unstick/default.nix
+++ b/pkgs/os-specific/linux/unstick/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, meson, ninja, pkgconfig, libseccomp }:
+{ stdenv, lib, fetchFromGitHub, meson, ninja, pkg-config, libseccomp }:
 
 stdenv.mkDerivation rec {
   name = "unstick";
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
 
   sourceRoot = "source/src";
 
-  nativeBuildInputs = [ meson ninja pkgconfig ];
+  nativeBuildInputs = [ meson ninja pkg-config ];
   buildInputs = [ libseccomp ];
 
   meta = {
diff --git a/pkgs/os-specific/linux/untie/default.nix b/pkgs/os-specific/linux/untie/default.nix
index 9ca1c37e11b..947ae2ca8d8 100644
--- a/pkgs/os-specific/linux/untie/default.nix
+++ b/pkgs/os-specific/linux/untie/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "untie";
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "PREFIX=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A tool to run processes untied from some of the namespaces";
     maintainers = with maintainers; [ raskin ];
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/upower/default.nix b/pkgs/os-specific/linux/upower/default.nix
index e9d9eff007c..08bebefed13 100644
--- a/pkgs/os-specific/linux/upower/default.nix
+++ b/pkgs/os-specific/linux/upower/default.nix
@@ -1,6 +1,6 @@
-{ stdenv
+{ lib, stdenv
 , fetchurl
-, pkgconfig
+, pkg-config
 , libxslt
 , docbook_xsl
 , udev
@@ -30,7 +30,7 @@ stdenv.mkDerivation {
     gettext
     gobject-introspection
     libxslt
-    pkgconfig
+    pkg-config
   ];
 
   buildInputs = [
@@ -39,7 +39,7 @@ stdenv.mkDerivation {
     udev
     systemd
   ]
-  ++ stdenv.lib.optional useIMobileDevice libimobiledevice
+  ++ lib.optional useIMobileDevice libimobiledevice
   ;
 
   propagatedBuildInputs = [
@@ -62,7 +62,7 @@ stdenv.mkDerivation {
     "sysconfdir=${placeholder "out"}/etc"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://upower.freedesktop.org/";
     description = "A D-Bus service for power management";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/usbguard/default.nix b/pkgs/os-specific/linux/usbguard/default.nix
index ad751b9cfe0..7d4563baee4 100644
--- a/pkgs/os-specific/linux/usbguard/default.nix
+++ b/pkgs/os-specific/linux/usbguard/default.nix
@@ -1,30 +1,45 @@
-{
-  stdenv, fetchurl, lib,
-  pkgconfig, libxslt, libxml2, docbook_xml_dtd_45, docbook_xsl, asciidoc,
-  dbus-glib, libcap_ng, libqb, libseccomp, polkit, protobuf,
-  audit,
-  libgcrypt ? null,
-  libsodium ? null
+{ stdenv
+, lib
+, fetchFromGitHub
+, autoreconfHook
+, installShellFiles
+, nixosTests
+, asciidoc
+, pkg-config
+, libxslt
+, libxml2
+, docbook_xml_dtd_45
+, docbook_xsl
+, dbus-glib
+, libcap_ng
+, libqb
+, libseccomp
+, polkit
+, protobuf
+, audit
+, libgcrypt
+, libsodium
 }:
 
-with stdenv.lib;
-
 assert libgcrypt != null -> libsodium == null;
 
 stdenv.mkDerivation rec {
-  version = "0.7.8";
+  version = "1.0.0";
   pname = "usbguard";
 
-  repo = "https://github.com/USBGuard/usbguard";
-
-  src = fetchurl {
-    url = "${repo}/releases/download/${pname}-${version}/${pname}-${version}.tar.gz";
-    sha256 = "1il5immqfxh2cj8wn1bfk7l42inflzgjf07yqprpz7r3lalbxc25";
+  src = fetchFromGitHub {
+    owner = "USBGuard";
+    repo = pname;
+    rev = "usbguard-${version}";
+    sha256 = "sha256-CPuBQmDOpXWn0jPo4HRyDCZUpDy5NmbvUHxXoVbMd/I=";
+    fetchSubmodules = true;
   };
 
   nativeBuildInputs = [
+    autoreconfHook
+    installShellFiles
     asciidoc
-    pkgconfig
+    pkg-config
     libxslt # xsltproc
     libxml2 # xmllint
     docbook_xml_dtd_45
@@ -54,10 +69,23 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = {
-    description = "The USBGuard software framework helps to protect your computer against BadUSB.";
+  postInstall = ''
+    installShellCompletion --bash --name usbguard.bash scripts/bash_completion/usbguard
+    installShellCompletion --zsh --name _usbguard scripts/usbguard-zsh-completion
+  '';
+
+  passthru.tests = nixosTests.usbguard;
+
+  meta = with lib; {
+    description = "The USBGuard software framework helps to protect your computer against BadUSB";
+    longDescription = ''
+      USBGuard is a software framework for implementing USB device authorization
+      policies (what kind of USB devices are authorized) as well as method of
+      use policies (how a USB device may interact with the system). Simply put,
+      it is a USB device whitelisting tool.
+    '';
     homepage = "https://usbguard.github.io/";
-    license = licenses.gpl2;
+    license = licenses.gpl2Plus;
     maintainers = [ maintainers.tnias ];
   };
 }
diff --git a/pkgs/os-specific/linux/usbip/default.nix b/pkgs/os-specific/linux/usbip/default.nix
index ffd33b6ff85..43c22a8fd12 100644
--- a/pkgs/os-specific/linux/usbip/default.nix
+++ b/pkgs/os-specific/linux/usbip/default.nix
@@ -1,11 +1,11 @@
-{ lib, stdenv, kernel, udev, autoconf, automake, libtool }:
+{ lib, stdenv, kernel, udev, autoconf, automake, libtool, hwdata, kernelOlder }:
 
 stdenv.mkDerivation {
   name = "usbip-${kernel.name}";
 
   src = kernel.src;
 
-  patches = lib.optionals (lib.versionAtLeast "5.4" kernel.version) [
+  patches = lib.optionals (kernelOlder "5.4") [
     # fixes build with gcc8
     ./fix-snprintf-truncation.patch
     # fixes build with gcc9
@@ -22,10 +22,13 @@ stdenv.mkDerivation {
     ./autogen.sh
   '';
 
-  meta = with stdenv.lib; {
+  configureFlags = [ "--with-usbids-dir=${hwdata}/share/hwdata/" ];
+
+  meta = with lib; {
     homepage = "https://github.com/torvalds/linux/tree/master/tools/usb/usbip";
     description = "allows to pass USB device from server to client over the network";
-    license = licenses.gpl2;
+    license = with licenses; [ gpl2Only gpl2Plus ];
     platforms = platforms.linux;
+    broken = kernelOlder "4.10";
   };
 }
diff --git a/pkgs/os-specific/linux/usbtop/default.nix b/pkgs/os-specific/linux/usbtop/default.nix
index 0ff8fcf0ddf..6948d51e5dc 100644
--- a/pkgs/os-specific/linux/usbtop/default.nix
+++ b/pkgs/os-specific/linux/usbtop/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub
+{ lib, stdenv, fetchFromGitHub
 , cmake
 , libpcap, boost }:
 
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ cmake ];
   buildInputs = [ libpcap boost ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/aguinet/usbtop";
     description = "A top utility that shows an estimated instantaneous bandwidth on USB buses and devices";
     maintainers = with maintainers; [ etu ];
diff --git a/pkgs/os-specific/linux/usbutils/default.nix b/pkgs/os-specific/linux/usbutils/default.nix
index 41db602bce5..fba025b29d9 100644
--- a/pkgs/os-specific/linux/usbutils/default.nix
+++ b/pkgs/os-specific/linux/usbutils/default.nix
@@ -1,11 +1,11 @@
-{ stdenv, fetchurl, substituteAll, autoreconfHook, pkgconfig, libusb1, hwdata , python3 }:
+{ lib, stdenv, fetchurl, substituteAll, autoreconfHook, pkg-config, libusb1, hwdata , python3 }:
 
 stdenv.mkDerivation rec {
-  name = "usbutils-012";
+  name = "usbutils-013";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/usb/usbutils/${name}.tar.xz";
-    sha256 = "0iiy0q7fzikavmdsjsb0sl9kp3gfh701qwyjjccvqh0qz4jlcqw8";
+    sha256 = "0f0klk6d3hmbpf6p4dcwa1qjzblmkhbxs1wsw87aidvqri7lj8wy";
   };
 
   patches = [
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ libusb1 python3 ];
 
   outputs = [ "out" "man" "python" ];
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     moveToOutput "bin/lsusb.py" "$python"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.linux-usb.org/";
     description = "Tools for working with USB devices, such as lsusb";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/usbutils/fix-paths.patch b/pkgs/os-specific/linux/usbutils/fix-paths.patch
index d75c68505ef..ef63a41e726 100644
--- a/pkgs/os-specific/linux/usbutils/fix-paths.patch
+++ b/pkgs/os-specific/linux/usbutils/fix-paths.patch
@@ -1,7 +1,7 @@
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -51,11 +51,11 @@
- 	usbreset.c
+@@ -61,7 +61,7 @@ EXTRA_DIST = \
+ 	LICENSES/GPL-3.0-only.txt
  
  lsusb.py: $(srcdir)/lsusb.py.in
 -	sed 's|VERSION|$(VERSION)|g;s|@usbids@|$(datadir)/usb.ids|g' $< >$@
@@ -9,8 +9,3 @@
  	chmod 755 $@
  
  lsusb.8: $(srcdir)/lsusb.8.in
--	sed 's|VERSION|$(VERSION)|g;s|@usbids@|$(datadir)/usb.ids|g' $< >$@
-+	sed 's|VERSION|$(VERSION)|g;s|@usbids@|@hwdata@/share/hwdata/usb.ids|g' $< >$@
- 
- usb-devices.1: $(srcdir)/usb-devices.1.in
- 	sed 's|VERSION|$(VERSION)|g' $< >$@
diff --git a/pkgs/os-specific/linux/usermount/default.nix b/pkgs/os-specific/linux/usermount/default.nix
index 85f769d9dba..d0c690a9527 100644
--- a/pkgs/os-specific/linux/usermount/default.nix
+++ b/pkgs/os-specific/linux/usermount/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, pkgconfig, dbus, libnotify, udisks2, gdk-pixbuf }:
+{ lib, stdenv, fetchgit, pkg-config, dbus, libnotify, udisks2, gdk-pixbuf }:
 
 stdenv.mkDerivation {
   name = "usermount-0.1";
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
     sha256 = "0gpp0vwiwr7kgbhh26jspv3255662mnvnav6g8i2h0qxar8hf8w2";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ dbus libnotify udisks2 gdk-pixbuf ];
 
   NIX_CFLAGS_COMPILE = "-DENABLE_NOTIFICATIONS";
@@ -22,7 +22,7 @@ stdenv.mkDerivation {
   meta = {
     homepage = "https://github.com/tom5760/usermount";
     description = "A simple tool to automatically mount removable drives using UDisks2 and D-Bus";
-    license = stdenv.lib.licenses.mit;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.mit;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix
index fafa8fe6e83..73f321f2631 100644
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@@ -1,13 +1,13 @@
-{ lib, stdenv, fetchurl, pkgconfig, zlib, shadow
+{ lib, stdenv, fetchurl, pkg-config, zlib, shadow, libcap_ng
 , ncurses ? null, perl ? null, pam, systemd ? null, minimal ? false }:
 
 stdenv.mkDerivation rec {
   pname = "util-linux";
-  version = "2.35.2";
+  version = "2.36.2";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "12mm5qvkq1vpllfv99gq93lkxlvysp1yxgh1392dkg7nh8g47dr1";
+    sha256 = "0psc0asjp1rmfx1j7468zfnk9nphlphybw2n8dcl74v8v2lnnlgp";
   };
 
   patches = [
@@ -50,9 +50,9 @@ stdenv.mkDerivation rec {
     "usrsbin_execdir=${placeholder "bin"}/sbin"
   ];
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs =
-    [ zlib pam ]
+    [ zlib pam libcap_ng ]
     ++ lib.filter (p: p != null) [ ncurses systemd perl ];
 
   doCheck = false; # "For development purpose only. Don't execute on production system!"
@@ -66,7 +66,9 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     homepage = "https://www.kernel.org/pub/linux/utils/util-linux/";
     description = "A set of system utilities for Linux";
-    license = licenses.gpl2; # also contains parts under more permissive licenses
+    changelog = "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v${lib.versions.majorMinor version}/v${version}-ReleaseNotes";
+    # https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/tree/README.licensing
+    license = with licenses; [ gpl2Only gpl2Plus gpl3Plus lgpl21Plus bsd3 bsdOriginalUC publicDomain ];
     platforms = platforms.linux;
     priority = 6; # lower priority than coreutils ("kill") and shadow ("login" etc.) packages
   };
diff --git a/pkgs/os-specific/linux/uvcdynctrl/default.nix b/pkgs/os-specific/linux/uvcdynctrl/default.nix
index f022023fcbb..d5f3a729978 100644
--- a/pkgs/os-specific/linux/uvcdynctrl/default.nix
+++ b/pkgs/os-specific/linux/uvcdynctrl/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, cmake, pkgconfig, libxml2 }:
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, libxml2 }:
 
 stdenv.mkDerivation {
   version = "0.3.0";
@@ -11,7 +11,7 @@ stdenv.mkDerivation {
     sha256 = "0s15xxgdx8lnka7vi8llbf6b0j4rhbjl6yp0qxaihysf890xj73s";
   };
 
-  nativeBuildInputs = [ cmake pkgconfig ];
+  nativeBuildInputs = [ cmake pkg-config ];
   buildInputs = [ libxml2 ];
 
   prePatch = ''
@@ -27,7 +27,7 @@ stdenv.mkDerivation {
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A simple interface for devices supported by the linux UVC driver";
     homepage = "http://guvcview.sourceforge.net";
     license = licenses.gpl3Plus;
diff --git a/pkgs/os-specific/linux/v4l-utils/default.nix b/pkgs/os-specific/linux/v4l-utils/default.nix
index 2c9b395949a..90a052fdef9 100644
--- a/pkgs/os-specific/linux/v4l-utils/default.nix
+++ b/pkgs/os-specific/linux/v4l-utils/default.nix
@@ -1,7 +1,7 @@
-{ stdenv, lib, fetchurl, pkgconfig, perl
+{ stdenv, lib, fetchurl, pkg-config, perl
 , libjpeg, udev
 , withUtils ? true
-, withGUI ? true, alsaLib, libX11, qtbase, libGLU, wrapQtAppsHook
+, withGUI ? true, alsa-lib, libX11, qtbase, libGLU, wrapQtAppsHook
 }:
 
 # See libv4l in all-packages.nix for the libs only (overrides alsa, libX11 & QT)
@@ -33,9 +33,9 @@ in stdenv.mkDerivation rec {
     ln -s "$dev/include/libv4l1-videodev.h" "$dev/include/videodev.h"
   '';
 
-  nativeBuildInputs = [ pkgconfig perl ] ++ lib.optional withQt wrapQtAppsHook;
+  nativeBuildInputs = [ pkg-config perl ] ++ lib.optional withQt wrapQtAppsHook;
 
-  buildInputs = [ udev ] ++ lib.optionals withQt [ alsaLib libX11 qtbase libGLU ];
+  buildInputs = [ udev ] ++ lib.optionals withQt [ alsa-lib libX11 qtbase libGLU ];
 
   propagatedBuildInputs = [ libjpeg ];
 
@@ -44,7 +44,7 @@ in stdenv.mkDerivation rec {
     patchShebangs utils/libcecutil/cec-gen.pl
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "V4L utils and libv4l, provide common image formats regardless of the v4l device";
     homepage = "https://linuxtv.org/projects.php";
     license = licenses.lgpl21Plus;
diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix
index 32ae45fbb0e..53f37e805fa 100644
--- a/pkgs/os-specific/linux/v4l2loopback/default.nix
+++ b/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub, kernel, kmod }:
+{ lib, stdenv, fetchFromGitHub, kernel, kmod }:
 
 stdenv.mkDerivation rec {
-  name = "v4l2loopback-${version}-${kernel.version}";
-  version = "0.12.5";
+  pname = "v4l2loopback";
+  version = "unstable-2020-04-22-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "umlaeute";
     repo = "v4l2loopback";
-    rev = "v${version}";
-    sha256 = "1qi4l6yam8nrlmc3zwkrz9vph0xsj1cgmkqci4652mbpbzigg7vn";
+    rev = "d26e624b4ead762d34152f9f825b3a51fb92fb9c";
+    sha256 = "sha256-OA45vmuVieoL7J83D3TD5qi3SBsiqi0kiQn4i1K6dVE=";
   };
 
   hardeningDisable = [ "format" "pic" ];
@@ -20,6 +20,7 @@ stdenv.mkDerivation rec {
   '';
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
+
   buildInputs = [ kmod ];
 
   makeFlags = [
@@ -27,11 +28,11 @@ stdenv.mkDerivation rec {
     "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A kernel module to create V4L2 loopback devices";
     homepage = "https://github.com/umlaeute/v4l2loopback";
-    license = licenses.gpl2;
-    maintainers = [ maintainers.domenkozar ];
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fortuneteller2k ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix
index ec0c318042a..36270cdfcc0 100644
--- a/pkgs/os-specific/linux/v86d/default.nix
+++ b/pkgs/os-specific/linux/v86d/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl
+{ lib, stdenv, fetchurl
 , kernel, klibc
 }:
 
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ klibc ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A daemon to run x86 code in an emulated environment";
     homepage = "https://github.com/mjanusz/v86d";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/veikk-linux-driver/default.nix b/pkgs/os-specific/linux/veikk-linux-driver/default.nix
new file mode 100644
index 00000000000..a1019d7b7fd
--- /dev/null
+++ b/pkgs/os-specific/linux/veikk-linux-driver/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "veikk-linux-driver";
+  version = "2.0";
+
+  src = fetchFromGitHub {
+    owner = "jlam55555";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "11mg74ds58jwvdmi3i7c4chxs6v9g09r9ll22pc2kbxjdnrp8zrn";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildInputs = [ kernel ];
+
+  buildPhase = ''
+    make BUILD_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build
+  '';
+
+  installPhase = ''
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/veikk
+    install -Dm755 veikk.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/veikk
+  '';
+
+  meta = with lib; {
+    description = "Linux driver for VEIKK-brand digitizers";
+    homepage = "https://github.com/jlam55555/veikk-linux-driver/";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ nicbk ];
+    broken = kernel.kernelOlder "4.19";
+  };
+}
diff --git a/pkgs/os-specific/linux/vendor-reset/default.nix b/pkgs/os-specific/linux/vendor-reset/default.nix
new file mode 100644
index 00000000000..8f1bde7ecbd
--- /dev/null
+++ b/pkgs/os-specific/linux/vendor-reset/default.nix
@@ -0,0 +1,35 @@
+{ stdenv, fetchFromGitHub, kernel, lib }:
+
+stdenv.mkDerivation rec {
+  name = "vendor-reset-${version}-${kernel.version}";
+  version = "unstable-2021-02-16";
+
+  src = fetchFromGitHub {
+    owner = "gnif";
+    repo = "vendor-reset";
+    rev = "225a49a40941e350899e456366265cf82b87ad25";
+    sha256 = "sha256-xa7P7+mRk4FVgi+YYCcsFLfyNqPmXvy3xhGoTDVqPxw=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D vendor-reset.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/misc/"
+  '';
+
+  meta = with lib; {
+    description = "Linux kernel vendor specific hardware reset module";
+    homepage = "https://github.com/gnif/vendor-reset";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ wedens ];
+    platforms = [ "x86_64-linux" ];
+    broken = kernel.kernelOlder "4.19";
+  };
+}
diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix
index fa578372876..e183b4ac5d4 100644
--- a/pkgs/os-specific/linux/wireguard/default.nix
+++ b/pkgs/os-specific/linux/wireguard/default.nix
@@ -1,17 +1,17 @@
-{ stdenv, fetchzip, kernel, perl, wireguard-tools, bc }:
+{ lib, stdenv, fetchzip, kernel, perl, wireguard-tools, bc }:
 
 # module requires Linux >= 3.10 https://www.wireguard.io/install/#kernel-requirements
-assert stdenv.lib.versionAtLeast kernel.version "3.10";
+assert lib.versionAtLeast kernel.version "3.10";
 # wireguard upstreamed since 5.6 https://lists.zx2c4.com/pipermail/wireguard/2019-December/004704.html
-assert stdenv.lib.versionOlder kernel.version "5.6";
+assert lib.versionOlder kernel.version "5.6";
 
 stdenv.mkDerivation rec {
   pname = "wireguard";
-  version = "1.0.20200729";
+  version = "1.0.20210606";
 
   src = fetchzip {
     url = "https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${version}.tar.xz";
-    sha256 = "0fk2i65q8pk11n46a31017059aan7hbbx0xv6d2c9d80dzrw5a36";
+    sha256 = "sha256-ha7x6+41oPRRhuRwEb1ojRWLF1dlEMoJtqXrzRKQ408=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
     inherit (wireguard-tools) tests;
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit (wireguard-tools.meta) homepage license maintainers;
     description = "Kernel module for the WireGuard secure network tunnel";
     downloadPage = "https://git.zx2c4.com/wireguard-linux-compat/refs/";
diff --git a/pkgs/os-specific/linux/wireless-tools/default.nix b/pkgs/os-specific/linux/wireless-tools/default.nix
index 687bb7647cf..fbe5d95e2a6 100644
--- a/pkgs/os-specific/linux/wireless-tools/default.nix
+++ b/pkgs/os-specific/linux/wireless-tools/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 
 stdenv.mkDerivation rec {
   pname = "wireless-tools";
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
   ];
 
   meta = {
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2;
   };
 }
diff --git a/pkgs/os-specific/linux/wlgreet/default.nix b/pkgs/os-specific/linux/wlgreet/default.nix
new file mode 100644
index 00000000000..4758945e41a
--- /dev/null
+++ b/pkgs/os-specific/linux/wlgreet/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromSourcehut
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "wlgreet";
+  version = "0.3";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "0n0lzg3y1z5s9s6kfkdj5q8w67bqpw08hqfccc5kz0ninzy9j0cc";
+  };
+
+  cargoSha256 = "1lwy8xmkl9n3fj3wlf80wp728nn9p5rjnbgmm2cbpqxklcgbmxhm";
+
+  meta = with lib; {
+    description = "Raw wayland greeter for greetd, to be run under sway or similar";
+    homepage = "https://git.sr.ht/~kennylevinsen/wlgreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/wooting-udev-rules/default.nix b/pkgs/os-specific/linux/wooting-udev-rules/default.nix
index 0093603c250..f1ae2069235 100644
--- a/pkgs/os-specific/linux/wooting-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/wooting-udev-rules/default.nix
@@ -1,4 +1,4 @@
-{ stdenv }:
+{ lib, stdenv }:
 
 stdenv.mkDerivation rec {
   pname = "wooting-udev-rules";
@@ -7,13 +7,13 @@ stdenv.mkDerivation rec {
   # Source: https://wooting.helpscoutdocs.com/article/68-wootility-configuring-device-access-for-wootility-under-linux-udev-rules
   src = [ ./wooting.rules ];
 
-  unpackPhase = ":";
+  dontUnpack = true;
 
   installPhase = ''
     install -Dpm644 $src $out/lib/udev/rules.d/70-wooting.rules
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://wooting.helpscoutdocs.com/article/34-linux-udev-rules";
     description = "udev rules that give NixOS permission to communicate with Wooting keyboards";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch b/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
new file mode 100644
index 00000000000..d459de8a7f3
--- /dev/null
+++ b/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
@@ -0,0 +1,130 @@
+From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch <maximilian@mbosch.me>
+Date: Fri, 19 Feb 2021 19:44:21 +0100
+Subject: [PATCH] Implement read-only mode for ssids
+
+With this change it's possible to define `network=`-sections in a second
+config file specified via `-I` without having changes written to
+`/etc/wpa_supplicant.conf`.
+
+This is helpful on e.g. NixOS to allow both declarative (i.e. read-only)
+and imperative (i.e. mutable) networks.
+---
+ wpa_supplicant/config.h         | 2 +-
+ wpa_supplicant/config_file.c    | 5 +++--
+ wpa_supplicant/config_none.c    | 2 +-
+ wpa_supplicant/config_ssid.h    | 2 ++
+ wpa_supplicant/wpa_supplicant.c | 8 ++++----
+ 5 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
+index 6a297ecfe..adaf4d398 100644
+--- a/wpa_supplicant/config.h
++++ b/wpa_supplicant/config.h
+@@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var);
+  *
+  * Each configuration backend needs to implement this function.
+  */
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp);
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro);
+ 
+ /**
+  * wpa_config_write - Write or update configuration data
+diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
+index 77c326df5..d5ed051b9 100644
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f,
+ #endif /* CONFIG_NO_CONFIG_BLOBS */
+ 
+ 
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
+ {
+ 	FILE *f;
+ 	char buf[512], *pos;
+@@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+ 	while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) {
+ 		if (os_strcmp(pos, "network={") == 0) {
+ 			ssid = wpa_config_read_network(f, &line, id++);
++			ssid->ro = ro;
+ 			if (ssid == NULL) {
+ 				wpa_printf(MSG_ERROR, "Line %d: failed to "
+ 					   "parse network block.", line);
+@@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config)
+ 	}
+ 
+ 	for (ssid = config->ssid; ssid; ssid = ssid->next) {
+-		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary)
++		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro)
+ 			continue; /* do not save temporary networks */
+ 		if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
+ 		    !ssid->passphrase)
+diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c
+index 2aac28fa3..02191b425 100644
+--- a/wpa_supplicant/config_none.c
++++ b/wpa_supplicant/config_none.c
+@@ -17,7 +17,7 @@
+ #include "base64.h"
+ 
+ 
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
+ {
+ 	struct wpa_config *config;
+ 
+diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
+index d5c5c00a9..fd80c079c 100644
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -93,6 +93,8 @@ struct wpa_ssid {
+ 	 */
+ 	int id;
+ 
++	int ro;
++
+ 	/**
+ 	 * priority - Priority group
+ 	 *
+diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
+index 911d79d17..cb0cb99b1 100644
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
+ 
+ 	if (wpa_s->confname == NULL)
+ 		return -1;
+-	conf = wpa_config_read(wpa_s->confname, NULL);
++	conf = wpa_config_read(wpa_s->confname, NULL, 0);
+ 	if (conf == NULL) {
+ 		wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration "
+ 			"file '%s' - exiting", wpa_s->confname);
+ 		return -1;
+ 	}
+ 	if (wpa_s->confanother &&
+-	    !wpa_config_read(wpa_s->confanother, conf)) {
++	    !wpa_config_read(wpa_s->confanother, conf, 1)) {
+ 		wpa_msg(wpa_s, MSG_ERROR,
+ 			"Failed to parse the configuration file '%s' - exiting",
+ 			wpa_s->confanother);
+@@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
+ #else /* CONFIG_BACKEND_FILE */
+ 		wpa_s->confname = os_strdup(iface->confname);
+ #endif /* CONFIG_BACKEND_FILE */
+-		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL);
++		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0);
+ 		if (wpa_s->conf == NULL) {
+ 			wpa_printf(MSG_ERROR, "Failed to read or parse "
+ 				   "configuration '%s'.", wpa_s->confname);
+@@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
+ 		}
+ 		wpa_s->confanother = os_rel2abs_path(iface->confanother);
+ 		if (wpa_s->confanother &&
+-		    !wpa_config_read(wpa_s->confanother, wpa_s->conf)) {
++		    !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) {
+ 			wpa_printf(MSG_ERROR,
+ 				   "Failed to read or parse configuration '%s'.",
+ 				   wpa_s->confanother);
+-- 
+2.29.2
+
diff --git a/pkgs/os-specific/linux/wpa_supplicant/default.nix b/pkgs/os-specific/linux/wpa_supplicant/default.nix
index 5cd440bcdfc..1dbe281e096 100644
--- a/pkgs/os-specific/linux/wpa_supplicant/default.nix
+++ b/pkgs/os-specific/linux/wpa_supplicant/default.nix
@@ -1,8 +1,11 @@
-{ stdenv, fetchurl, openssl, pkgconfig, libnl
-, dbus, readline ? null, pcsclite ? null
+{ lib, stdenv, fetchurl, fetchpatch, openssl, pkg-config, libnl
+, withDbus ? true, dbus
+, withReadline ? true, readline
+, withPcsclite ? true, pcsclite
+, readOnlyModeSSIDs ? false
 }:
 
-with stdenv.lib;
+with lib;
 stdenv.mkDerivation rec {
   version = "2.9";
 
@@ -19,6 +22,33 @@ stdenv.mkDerivation rec {
       url = "https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch";
       sha256 = "15xjyy7crb557wxpx898b5lnyblxghlij0xby5lmj9hpwwss34dz";
     })
+    (fetchpatch {
+      # Expose OWE key management capability over DBus, remove >= 2.10
+      name = "dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch";
+      url = "https://w1.fi/cgit/hostap/patch/?id=7800725afb27397f7d6033d4969e2aeb61af4737";
+      sha256 = "0c1la7inf4m5y9gzdjjdnhpkx32pm8vi6m5knih8p77q4mbrdgg8";
+    })
+    # P2P: Fix copying of secondary device types for P2P group client (https://w1.fi/security/2020-2/)
+    (fetchurl {
+      name = "CVE-2021-0326.patch";
+      url = "https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch";
+      sha256 = "19f4hx0p547mdx8y8arb3vclwyy4w9c8a6a40ryj7q33730mrmn4";
+    })
+    # P2P: Fix a corner case in peer addition based on PD Request (https://w1.fi/security/2021-1/)
+    (fetchurl {
+      name = "CVE-2021-27803.patch";
+      url = "https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch";
+      sha256 = "04cnds7hmbqc44jasabjvrdnh66i5hwvk2h2m5z94pmgbzncyh3z";
+    })
+    # In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.
+    (fetchpatch {
+      name = "CVE-2021-30004.patch";
+      url = "https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15";
+      sha256 = "1gbhlz41x1ar1hppnb76pqxj6vimiypy7c4kq6h658637s4am3xg";
+    })
+  ] ++ lib.optionals readOnlyModeSSIDs [
+    # Allow read-only networks
+    ./0001-Implement-read-only-mode-for-ssids.patch
   ];
 
   # TODO: Patch epoll so that the dbus actually responds
@@ -32,6 +62,7 @@ stdenv.mkDerivation rec {
     CONFIG_EAP_SAKE=y
     CONFIG_EAP_GPSK=y
     CONFIG_EAP_GPSK_SHA256=y
+    CONFIG_OWE=y
     CONFIG_WPS=y
     CONFIG_WPS_ER=y
     CONFIG_WPS_NFS=y
@@ -56,16 +87,17 @@ stdenv.mkDerivation rec {
     CONFIG_P2P=y
     CONFIG_TDLS=y
     CONFIG_BGSCAN_SIMPLE=y
-  '' + optionalString (pcsclite != null) ''
+    CONFIG_BGSCAN_LEARN=y
+  '' + optionalString withPcsclite ''
     CONFIG_EAP_SIM=y
     CONFIG_EAP_AKA=y
     CONFIG_EAP_AKA_PRIME=y
     CONFIG_PCSC=y
-  '' + optionalString (dbus != null) ''
+  '' + optionalString withDbus ''
     CONFIG_CTRL_IFACE_DBUS=y
     CONFIG_CTRL_IFACE_DBUS_NEW=y
     CONFIG_CTRL_IFACE_DBUS_INTRO=y
-  '' + (if readline != null then ''
+  '' + (if withReadline then ''
     CONFIG_READLINE=y
   '' else ''
     CONFIG_WPA_CLI_EDIT=y
@@ -81,13 +113,16 @@ stdenv.mkDerivation rec {
     cat -n .config
     substituteInPlace Makefile --replace /usr/local $out
     export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE \
-      -I$(echo "${stdenv.lib.getDev libnl}"/include/libnl*/) \
-      -I${stdenv.lib.getDev pcsclite}/include/PCSC/"
+      -I$(echo "${lib.getDev libnl}"/include/libnl*/) \
+      ${optionalString withPcsclite "-I${lib.getDev pcsclite}/include/PCSC/"}"
   '';
 
-  buildInputs = [ openssl libnl dbus readline pcsclite ];
+  buildInputs = [ openssl libnl ]
+    ++ optional withDbus dbus
+    ++ optional withReadline readline
+    ++ optional withPcsclite pcsclite;
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
 
   postInstall = ''
     mkdir -p $out/share/man/man5 $out/share/man/man8
@@ -104,11 +139,11 @@ stdenv.mkDerivation rec {
     install -Dm444 wpa_supplicant.conf $out/share/doc/wpa_supplicant/wpa_supplicant.conf.example
   '';
 
-  meta = with stdenv.lib; {
-    homepage = "https://hostap.epitest.fi/wpa_supplicant/";
+  meta = with lib; {
+    homepage = "https://w1.fi/wpa_supplicant/";
     description = "A tool for connecting to WPA and WPA2-protected wireless networks";
     license = licenses.bsd3;
-    maintainers = with maintainers; [ marcweber ];
+    maintainers = with maintainers; [ marcweber ma27 ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/wpa_supplicant/gui.nix b/pkgs/os-specific/linux/wpa_supplicant/gui.nix
index 132cad4b6d2..d2d59ba21a5 100644
--- a/pkgs/os-specific/linux/wpa_supplicant/gui.nix
+++ b/pkgs/os-specific/linux/wpa_supplicant/gui.nix
@@ -1,4 +1,4 @@
-{ stdenv, mkDerivation, fetchpatch, qtbase, qmake, inkscape, imagemagick, wpa_supplicant }:
+{ lib, mkDerivation, fetchpatch, qtbase, qmake, inkscape, imagemagick, wpa_supplicant }:
 
 mkDerivation {
   name = "wpa_gui-${wpa_supplicant.version}";
@@ -32,7 +32,7 @@ mkDerivation {
     cp -av icons/hicolor $out/share/icons
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Qt-based GUI for wpa_supplicant";
     homepage = "https://hostap.epitest.fi/wpa_supplicant/";
     license = licenses.bsd3;
diff --git a/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix b/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix
index 880456afbde..4b57ed4ceae 100644
--- a/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix
+++ b/pkgs/os-specific/linux/x86_energy_perf_policy/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, kernel }:
+{ lib, stdenv, kernel }:
 
 stdenv.mkDerivation {
   name = "x86_energy_perf_policy-${kernel.version}";
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
 
   makeFlags = [ "DESTDIR=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Set the energy versus performance policy preference bias on recent X86 processors";
     homepage = "https://www.kernel.org/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/x86info/default.nix b/pkgs/os-specific/linux/x86info/default.nix
index 9b745315b1c..dbda35670f6 100644
--- a/pkgs/os-specific/linux/x86info/default.nix
+++ b/pkgs/os-specific/linux/x86info/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, pciutils, python}:
+{lib, stdenv, fetchurl, pciutils, python}:
 
 stdenv.mkDerivation rec {
   version = "1.30";
@@ -30,11 +30,11 @@ stdenv.mkDerivation rec {
       x86info will identify all Intel/AMD/Centaur/Cyrix/VIA CPUs. It leverages
       the cpuid kernel module where possible.  it supports parsing model specific
       registers (MSRs) via the msr kernel module.  it will approximate processor
-      frequency, and identify the cache sizes and layout. 
+      frequency, and identify the cache sizes and layout.
     '';
     platforms = [ "i686-linux" "x86_64-linux" ];
-    license = stdenv.lib.licenses.gpl2;
+    license = lib.licenses.gpl2;
     homepage = "http://codemonkey.org.uk/projects/x86info/";
-    maintainers = with stdenv.lib.maintainers; [jcumming];
+    maintainers = with lib.maintainers; [jcumming];
   };
 }
diff --git a/pkgs/os-specific/linux/xf86-input-cmt/default.nix b/pkgs/os-specific/linux/xf86-input-cmt/default.nix
index 9f9b278d6f7..a973f844fd4 100644
--- a/pkgs/os-specific/linux/xf86-input-cmt/default.nix
+++ b/pkgs/os-specific/linux/xf86-input-cmt/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, pkgconfig, xorgserver, xorgproto,
+{ lib, stdenv, fetchFromGitHub, pkg-config, xorgserver, xorgproto,
   utilmacros, libgestures, libevdevc }:
 
 stdenv.mkDerivation rec {
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
     ./apply_patches.sh
   '';
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [
     xorgserver xorgproto utilmacros
     libgestures libevdevc
@@ -26,8 +26,8 @@ stdenv.mkDerivation rec {
     "--with-sdkdir=${placeholder "out"}"
   ];
 
-  meta = with stdenv.lib; {
-    description = "Chromebook touchpad driver.";
+  meta = with lib; {
+    description = "Chromebook touchpad driver";
     license = licenses.bsd3;
     platforms = platforms.linux;
     homepage = "https://www.github.com/hugegreenbug/xf86-input-cmt";
diff --git a/pkgs/os-specific/linux/xf86-input-wacom/default.nix b/pkgs/os-specific/linux/xf86-input-wacom/default.nix
index 8a7541afa69..4ebc4ed7663 100644
--- a/pkgs/os-specific/linux/xf86-input-wacom/default.nix
+++ b/pkgs/os-specific/linux/xf86-input-wacom/default.nix
@@ -1,31 +1,61 @@
-{ stdenv, fetchurl
-, xorgproto, libX11, libXext, libXi, libXrandr, libXrender
-, ncurses, pkgconfig, xorgserver, udev, libXinerama, pixman }:
+{ lib
+, stdenv
+, autoreconfHook
+, fetchFromGitHub
+, xorgproto
+, libX11
+, libXext
+, libXi
+, libXinerama
+, libXrandr
+, libXrender
+, ncurses
+, pixman
+, pkg-config
+, udev
+, utilmacros
+, xorgserver
+}:
 
 stdenv.mkDerivation rec {
-  name = "xf86-input-wacom-0.36.0";
+  pname = "xf86-input-wacom";
+  version = "0.40.0";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/linuxwacom/${name}.tar.bz2";
-    sha256 = "1xi39hl8ddgj9m7m2k2ll2r3wh0k0aq45fvrsv43651bhz9cbrza";
+  src = fetchFromGitHub {
+    owner = "linuxwacom";
+    repo = pname;
+    rev = "${pname}-${version}";
+    sha256 = "sha256-0U4pAB5vsIlBewCBqQ4SLHDrwqtr9nh7knZpXZMkzck=";
   };
 
-  buildInputs = [ xorgproto libX11 libXext libXi libXrandr libXrender
-    ncurses pkgconfig xorgserver udev libXinerama pixman ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
 
-  preConfigure = ''
-    mkdir -p $out/share/X11/xorg.conf.d
-    configureFlags="--with-xorg-module-dir=$out/lib/xorg/modules
-    --with-sdkdir=$out/include/xorg --with-xorg-conf-dir=$out/share/X11/xorg.conf.d"
-  '';
+  buildInputs = [
+    libX11
+    libXext
+    libXi
+    libXinerama
+    libXrandr
+    libXrender
+    ncurses
+    udev
+    utilmacros
+    pixman
+    xorgproto
+    xorgserver
+  ];
 
-  CFLAGS = "-I${pixman}/include/pixman-1";
+  configureFlags = [
+    "--with-xorg-module-dir=${placeholder "out"}/lib/xorg/modules"
+    "--with-sdkdir=${placeholder "out"}/include/xorg"
+    "--with-xorg-conf-dir=${placeholder "out"}/share/X11/xorg.conf.d"
+  ];
 
-  meta = with stdenv.lib; {
-    maintainers = [ maintainers.goibhniu ];
+  meta = with lib; {
+    maintainers = with maintainers; [ goibhniu fortuneteller2k ];
     description = "Wacom digitizer driver for X11";
     homepage = "http://linuxwacom.sourceforge.net";
-    license = licenses.gpl2;
-    platforms = platforms.linux; # Probably, works with other unices as well
+    license = licenses.gpl2Only;
+    platforms = platforms.linux; # Probably, works with other unixes as well
   };
 }
diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix
index f86393cba84..7c93fa91854 100644
--- a/pkgs/os-specific/linux/xf86-video-nested/default.nix
+++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchgit, autoreconfHook, xorgproto, libX11, libXext
-, pixman, pkgconfig, utilmacros, xorgserver
+{ lib, stdenv, fetchgit, autoreconfHook, xorgproto, libX11, libXext
+, pixman, pkg-config, utilmacros, xorgserver
 }:
 
 stdenv.mkDerivation {
@@ -13,14 +13,14 @@ stdenv.mkDerivation {
 
   buildInputs =
     [ autoreconfHook xorgproto libX11 libXext pixman
-      pkgconfig utilmacros xorgserver
+      pkg-config utilmacros xorgserver
     ];
 
   hardeningDisable = [ "fortify" ];
 
   CFLAGS = "-I${pixman}/include/pixman-1";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://cgit.freedesktop.org/xorg/driver/xf86-video-nested";
     description = "A driver to run Xorg on top of Xorg or something else";
     maintainers = [ maintainers.goibhniu ];
diff --git a/pkgs/os-specific/linux/xmm7360-pci/default.nix b/pkgs/os-specific/linux/xmm7360-pci/default.nix
new file mode 100644
index 00000000000..115299ff50b
--- /dev/null
+++ b/pkgs/os-specific/linux/xmm7360-pci/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel, perl, bc, breakpointHook }:
+
+stdenv.mkDerivation rec {
+  pname = "xmm7360-pci";
+  version = "unstable-2021-07-19";
+
+  src = fetchFromGitHub {
+    owner = "xmm7360";
+    repo = "xmm7360-pci";
+    rev = "7086b80bb609180b1b89fb478751e5e8414ab64f";
+    sha256 = "1wdb0phqg9rj9g9ycqdya0m7lx24kzjlh25yw0ifp898ddxrrr0c";
+  };
+
+  makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  INSTALL_MOD_PATH = placeholder "out";
+  installFlags = [ "DEPMOD=true" ];
+
+  meta = with lib; {
+    homepage = "https://github.com/xmm7360/xmm7360-pci";
+    description = "PCI driver for Fibocom L850-GL modem based on Intel XMM7360 modem";
+    downloadPage = "https://github.com/xmm7360/xmm7360-pci";
+    license = licenses.isc;
+    maintainers = with maintainers; [ flokli hexa ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/xpadneo/default.nix b/pkgs/os-specific/linux/xpadneo/default.nix
index 7a1c2d1cec9..c1874877620 100644
--- a/pkgs/os-specific/linux/xpadneo/default.nix
+++ b/pkgs/os-specific/linux/xpadneo/default.nix
@@ -1,26 +1,20 @@
-{ stdenv, fetchFromGitHub, kernel, bluez }:
+{ lib, stdenv, fetchFromGitHub, kernel, bluez }:
 
 stdenv.mkDerivation rec {
   pname = "xpadneo";
-  version = "0.8.2";
+  version = "0.9.1";
 
   src = fetchFromGitHub {
     owner = "atar-axis";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0v688j7jx2b68zlwnrr5y63zxzhldygw1lcp8f3irayhcp8ikzzy";
+    hash = "sha256-VUcS4OzvPj0o627ZWIOBqEAQJ4JuMCMjgaZoMkL/IHc=";
   };
 
   setSourceRoot = ''
     export sourceRoot=$(pwd)/source/hid-xpadneo/src
   '';
 
-  postPatch = ''
-    # Set kernel module version
-    substituteInPlace hid-xpadneo.c \
-      --subst-var-by DO_NOT_CHANGE ${version}
-  '';
-
   nativeBuildInputs = kernel.moduleBuildDependencies;
   buildInputs = [ bluez ];
 
@@ -28,16 +22,18 @@ stdenv.mkDerivation rec {
     "-C"
     "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
     "M=$(sourceRoot)"
+    "VERSION=${version}"
   ];
 
   buildFlags = [ "modules" ];
   installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
   installTargets = [ "modules_install" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Advanced Linux driver for Xbox One wireless controllers";
     homepage = "https://atar-axis.github.io/xpadneo";
     license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ kira-bruneau ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/xsensors/default.nix b/pkgs/os-specific/linux/xsensors/default.nix
index 440a797a723..02ce560d8a9 100644
--- a/pkgs/os-specific/linux/xsensors/default.nix
+++ b/pkgs/os-specific/linux/xsensors/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, gtk2, pkgconfig, lm_sensors }:
+{ stdenv, lib, fetchurl, gtk2, pkg-config, lm_sensors }:
 
 stdenv.mkDerivation rec {
   pname = "xsensors";
@@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
     url = "http://www.linuxhardware.org/xsensors/xsensors-${version}.tar.gz";
     sha256 = "1siplsfgvcxamyqf44h71jx6jdfmvhfm7mh0y1q8ps4zs6pj2zwh";
   };
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [
     gtk2 lm_sensors
   ];
diff --git a/pkgs/os-specific/linux/zenmonitor/default.nix b/pkgs/os-specific/linux/zenmonitor/default.nix
index ac6e85b8049..43cfd87cba5 100644
--- a/pkgs/os-specific/linux/zenmonitor/default.nix
+++ b/pkgs/os-specific/linux/zenmonitor/default.nix
@@ -1,22 +1,22 @@
-{ stdenv, fetchFromGitHub, pkgconfig, gtk3, wrapGAppsHook }:
+{ lib, stdenv, fetchFromGitHub, pkg-config, gtk3, wrapGAppsHook }:
 
 stdenv.mkDerivation rec {
   pname = "zenmonitor";
-  version = "1.4.1";
+  version = "1.4.2";
 
   src = fetchFromGitHub {
     owner = "ocerman";
     repo = "zenmonitor";
     rev = "v${version}";
-    sha256 = "1g6sk2mcd7znjq6zmbf2fgn02a0yimyv2dw2143aciq2pxqjawmp";
+    sha256 = "0smv94vi36hziw42gasivyw25h5n1sgwwk1cv78id5g85w0kw246";
   };
 
   buildInputs = [ gtk3 ];
-  nativeBuildInputs = [ pkgconfig wrapGAppsHook ];
+  nativeBuildInputs = [ pkg-config wrapGAppsHook ];
 
   makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Monitoring software for AMD Zen-based CPUs";
     homepage = "https://github.com/ocerman/zenmonitor";
     license = licenses.mit;
diff --git a/pkgs/os-specific/linux/zenpower/default.nix b/pkgs/os-specific/linux/zenpower/default.nix
index 43885027d9e..af59ec8e37b 100644
--- a/pkgs/os-specific/linux/zenpower/default.nix
+++ b/pkgs/os-specific/linux/zenpower/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, kernel, fetchFromGitHub, fetchpatch }:
+{ lib, stdenv, kernel, fetchFromGitHub, fetchpatch }:
 
 stdenv.mkDerivation rec {
   pname = "zenpower";
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
     install -D zenpower.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon/zenpower/"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux kernel driver for reading temperature, voltage(SVI2), current(SVI2) and power(SVI2) for AMD Zen family CPUs.";
     homepage = "https://github.com/ocerman/zenpower";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/zenstates/default.nix b/pkgs/os-specific/linux/zenstates/default.nix
index 4ac77c00aa3..a56337cfef2 100644
--- a/pkgs/os-specific/linux/zenstates/default.nix
+++ b/pkgs/os-specific/linux/zenstates/default.nix
@@ -21,7 +21,7 @@
 #     before = [ "sleep.target" ];
 #   };
 
-{ stdenv, fetchFromGitHub, python3 }:
+{ lib, stdenv, fetchFromGitHub, python3 }:
 stdenv.mkDerivation rec {
   pname = "zenstates";
   version = "0.0.1";
@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
     patchShebangs --build $out/bin/zenstates
     '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux utility for Ryzen processors and motherboards";
     homepage = "https://github.com/r4m0n/ZenStates-Linux";
     license = licenses.mit;
diff --git a/pkgs/os-specific/linux/zfs/BACKPORT-Linux-5.8-compat-__vmalloc.patch b/pkgs/os-specific/linux/zfs/BACKPORT-Linux-5.8-compat-__vmalloc.patch
deleted file mode 100644
index 780ce83d84f..00000000000
--- a/pkgs/os-specific/linux/zfs/BACKPORT-Linux-5.8-compat-__vmalloc.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From 6cc95288ccea12ad7b67b2b5b3997dfad8e5b5c9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20Niew=C3=B6hner?=
- <c0d3z3r0@users.noreply.github.com>
-Date: Tue, 9 Jun 2020 01:32:02 +0200
-Subject: [PATCH] BACKPORT: Linux 5.8 compat: __vmalloc()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The `pgprot` argument has been removed from `__vmalloc` in Linux 5.8,
-being `PAGE_KERNEL` always now [1].
-
-Detect this during configure and define a wrapper for older kernels.
-
-[1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/mm/vmalloc.c?h=next-20200605&id=88dca4ca5a93d2c09e5bbc6a62fbfc3af83c4fca
-
-Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
-Co-authored-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
-Co-authored-by: Michael Niewöhner <foss@mniewoehner.de>
-Signed-off-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
-Signed-off-by: Michael Niewöhner <foss@mniewoehner.de>
-Closes #10422
----
- config/kernel-kmem.m4       | 26 ++++++++++++++++++++++++++
- config/kernel.m4            |  2 ++
- include/spl/sys/kmem.h      |  9 +++++++++
- module/spl/spl-kmem-cache.c |  4 ++--
- module/spl/spl-kmem.c       |  9 ++++-----
- 5 files changed, 43 insertions(+), 7 deletions(-)
-
-diff --git a/config/kernel-kmem.m4 b/config/kernel-kmem.m4
-index cc055e530..f1c0d2412 100644
---- a/config/kernel-kmem.m4
-+++ b/config/kernel-kmem.m4
-@@ -56,3 +56,29 @@ AC_DEFUN([SPL_AC_DEBUG_KMEM_TRACKING], [
- 	AC_MSG_CHECKING([whether detailed kmem tracking is enabled])
- 	AC_MSG_RESULT([$enable_debug_kmem_tracking])
- ])
-+
-+dnl #
-+dnl # 5.8 API,
-+dnl # __vmalloc PAGE_KERNEL removal
-+dnl #
-+AC_DEFUN([ZFS_AC_KERNEL_SRC_VMALLOC_PAGE_KERNEL], [
-+	ZFS_LINUX_TEST_SRC([__vmalloc], [
-+		#include <linux/mm.h>
-+		#include <linux/vmalloc.h>
-+	],[
-+		void *p __attribute__ ((unused));
-+
-+		p = __vmalloc(0, GFP_KERNEL, PAGE_KERNEL);
-+	])
-+])
-+
-+AC_DEFUN([ZFS_AC_KERNEL_VMALLOC_PAGE_KERNEL], [
-+	AC_MSG_CHECKING([whether __vmalloc(ptr, flags, pageflags) is available])
-+	ZFS_LINUX_TEST_RESULT([__vmalloc], [
-+		AC_MSG_RESULT(yes)
-+		AC_DEFINE(HAVE_VMALLOC_PAGE_KERNEL, 1, [__vmalloc page flags exists])
-+	],[
-+		AC_MSG_RESULT(no)
-+	])
-+])
-+-
-diff --git a/config/kernel.m4 b/config/kernel.m4
-index b67fcef8c..23edfdcd8 100644
---- a/config/kernel.m4
-+++ b/config/kernel.m4
-@@ -45,6 +45,7 @@ AC_DEFUN([ZFS_AC_KERNEL_TEST_SRC], [
- 	ZFS_AC_KERNEL_SRC_SCHED
- 	ZFS_AC_KERNEL_SRC_USLEEP_RANGE
- 	ZFS_AC_KERNEL_SRC_KMEM_CACHE
-+	ZFS_AC_KERNEL_SRC_VMALLOC_PAGE_KERNEL
- 	ZFS_AC_KERNEL_SRC_WAIT
- 	ZFS_AC_KERNEL_SRC_INODE_TIMES
- 	ZFS_AC_KERNEL_SRC_INODE_LOCK
-@@ -163,6 +164,7 @@ AC_DEFUN([ZFS_AC_KERNEL_TEST_RESULT], [
- 	ZFS_AC_KERNEL_SCHED
- 	ZFS_AC_KERNEL_USLEEP_RANGE
- 	ZFS_AC_KERNEL_KMEM_CACHE
-+	ZFS_AC_KERNEL_VMALLOC_PAGE_KERNEL
- 	ZFS_AC_KERNEL_WAIT
- 	ZFS_AC_KERNEL_INODE_TIMES
- 	ZFS_AC_KERNEL_INODE_LOCK
-diff --git a/include/spl/sys/kmem.h b/include/spl/sys/kmem.h
-index 72d3a7765..ca15bfe7f 100644
---- a/include/spl/sys/kmem.h
-+++ b/include/spl/sys/kmem.h
-@@ -169,6 +169,15 @@ extern void *spl_kmem_alloc(size_t sz, int fl, const char *func, int line);
- extern void *spl_kmem_zalloc(size_t sz, int fl, const char *func, int line);
- extern void spl_kmem_free(const void *ptr, size_t sz);
- 
-+/*
-+ * 5.8 API change, pgprot_t argument removed.
-+ */
-+#ifdef HAVE_VMALLOC_PAGE_KERNEL
-+#define	spl_vmalloc(size, flags)	__vmalloc(size, flags, PAGE_KERNEL)
-+#else
-+#define	spl_vmalloc(size, flags)	__vmalloc(size, flags)
-+#endif
-+
- /*
-  * The following functions are only available for internal use.
-  */
-diff --git a/module/spl/spl-kmem-cache.c b/module/spl/spl-kmem-cache.c
-index d71b4b348..4866b2993 100644
---- a/module/spl/spl-kmem-cache.c
-+++ b/module/spl/spl-kmem-cache.c
-@@ -203,7 +203,7 @@ kv_alloc(spl_kmem_cache_t *skc, int size, int flags)
- 		ASSERT(ISP2(size));
- 		ptr = (void *)__get_free_pages(lflags, get_order(size));
- 	} else {
--		ptr = __vmalloc(size, lflags | __GFP_HIGHMEM, PAGE_KERNEL);
-+		ptr = spl_vmalloc(size, lflags | __GFP_HIGHMEM);
- 	}
- 
- 	/* Resulting allocated memory will be page aligned */
-@@ -1242,7 +1242,7 @@ spl_cache_grow(spl_kmem_cache_t *skc, int flags, void **obj)
- 	 * allocation.
- 	 *
- 	 * However, this can't be applied to KVM_VMEM due to a bug that
--	 * __vmalloc() doesn't honor gfp flags in page table allocation.
-+	 * spl_vmalloc() doesn't honor gfp flags in page table allocation.
- 	 */
- 	if (!(skc->skc_flags & KMC_VMEM)) {
- 		rc = __spl_cache_grow(skc, flags | KM_NOSLEEP);
-diff --git a/module/spl/spl-kmem.c b/module/spl/spl-kmem.c
-index cee69ad43..ca1fc145f 100644
---- a/module/spl/spl-kmem.c
-+++ b/module/spl/spl-kmem.c
-@@ -172,16 +172,15 @@ spl_kmem_alloc_impl(size_t size, int flags, int node)
- 		 * kmem_zalloc() callers.
- 		 *
- 		 * For vmem_alloc() and vmem_zalloc() callers it is permissible
--		 * to use __vmalloc().  However, in general use of __vmalloc()
--		 * is strongly discouraged because a global lock must be
--		 * acquired.  Contention on this lock can significantly
-+		 * to use spl_vmalloc().  However, in general use of
-+		 * spl_vmalloc() is strongly discouraged because a global lock
-+		 * must be acquired.  Contention on this lock can significantly
- 		 * impact performance so frequently manipulating the virtual
- 		 * address space is strongly discouraged.
- 		 */
- 		if ((size > spl_kmem_alloc_max) || use_vmem) {
- 			if (flags & KM_VMEM) {
--				ptr = __vmalloc(size, lflags | __GFP_HIGHMEM,
--				    PAGE_KERNEL);
-+				ptr = spl_vmalloc(size, lflags | __GFP_HIGHMEM);
- 			} else {
- 				return (NULL);
- 			}
--- 
-2.25.1
-
diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix
index 56b36d4f368..7784aa8e03f 100644
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@@ -1,22 +1,25 @@
-{ stdenv, fetchFromGitHub, fetchpatch
-, autoreconfHook, utillinux, nukeReferences, coreutils
-, perl, buildPackages
+{ lib, stdenv, fetchFromGitHub
+, autoreconfHook269, util-linux, nukeReferences, coreutils
+, perl, nixosTests
 , configFile ? "all"
 
 # Userspace dependencies
 , zlib, libuuid, python3, attr, openssl
 , libtirpc
-, nfs-utils
+, nfs-utils, samba
 , gawk, gnugrep, gnused, systemd
-, smartmontools, sysstat, sudo
+, smartmontools, enableMail ? false
+, sysstat, pkg-config
 
 # Kernel dependencies
 , kernel ? null
 , enablePython ? true
 }:
 
-with stdenv.lib;
+with lib;
 let
+  smartmon = smartmontools.override { inherit enableMail; };
+
   buildKernel = any (n: n == configFile) [ "kernel" "all" ];
   buildUser = any (n: n == configFile) [ "user" "all" ];
 
@@ -25,15 +28,9 @@ let
     , extraPatches ? []
     , rev ? "zfs-${version}"
     , isUnstable ? false
-    , incompatibleKernelVersion ? null }:
-    if buildKernel &&
-      (incompatibleKernelVersion != null) &&
-        versionAtLeast kernel.version incompatibleKernelVersion then
-       throw ''
-         Linux v${kernel.version} is not yet supported by zfsonlinux v${version}.
-         ${stdenv.lib.optionalString (!isUnstable) "Try zfsUnstable or set the NixOS option boot.zfs.enableUnstable."}
-       ''
-    else stdenv.mkDerivation {
+    , kernelCompatible ? null }:
+
+    stdenv.mkDerivation {
       name = "zfs-${configFile}-${version}${optionalString buildKernel "-${kernel.version}"}";
 
       src = fetchFromGitHub {
@@ -42,27 +39,27 @@ let
         inherit rev sha256;
       };
 
-      patches = [ ./BACKPORT-Linux-5.8-compat-__vmalloc.patch ] ++ extraPatches;
+      patches = extraPatches;
 
       postPatch = optionalString buildKernel ''
         patchShebangs scripts
         # The arrays must remain the same length, so we repeat a flag that is
         # already part of the command and therefore has no effect.
-        substituteInPlace ./module/zfs/zfs_ctldir.c --replace '"/usr/bin/env", "umount"' '"${utillinux}/bin/umount", "-n"' \
-                                                    --replace '"/usr/bin/env", "mount"'  '"${utillinux}/bin/mount", "-n"'
+        substituteInPlace ./module/os/linux/zfs/zfs_ctldir.c \
+          --replace '"/usr/bin/env", "umount"' '"${util-linux}/bin/umount", "-n"' \
+          --replace '"/usr/bin/env", "mount"'  '"${util-linux}/bin/mount", "-n"'
       '' + optionalString buildUser ''
-        substituteInPlace ./lib/libzfs/libzfs_mount.c --replace "/bin/umount"             "${utillinux}/bin/umount" \
-                                                      --replace "/bin/mount"              "${utillinux}/bin/mount"
-        substituteInPlace ./lib/libshare/nfs.c        --replace "/usr/sbin/exportfs"      "${
+        substituteInPlace ./lib/libshare/os/linux/nfs.c --replace "/usr/sbin/exportfs" "${
           # We don't *need* python support, but we set it like this to minimize closure size:
           # If it's disabled by default, no need to enable it, even if we have python enabled
           # And if it's enabled by default, only change that if we explicitly disable python to remove python from the closure
           nfs-utils.override (old: { enablePython = old.enablePython or true && enablePython; })
         }/bin/exportfs"
+        substituteInPlace ./lib/libshare/smb.h        --replace "/usr/bin/net"            "${samba}/bin/net"
         substituteInPlace ./config/user-systemd.m4    --replace "/usr/lib/modules-load.d" "$out/etc/modules-load.d"
-        substituteInPlace ./config/zfs-build.m4       --replace "\$sysconfdir/init.d"     "$out/etc/init.d"
+        substituteInPlace ./config/zfs-build.m4       --replace "\$sysconfdir/init.d"     "$out/etc/init.d" \
+                                                      --replace "/etc/default"            "$out/etc/default"
         substituteInPlace ./etc/zfs/Makefile.am       --replace "\$(sysconfdir)"          "$out/etc"
-        substituteInPlace ./cmd/zed/Makefile.am       --replace "\$(sysconfdir)"          "$out/etc"
 
         substituteInPlace ./contrib/initramfs/hooks/Makefile.am \
           --replace "/usr/share/initramfs-tools/hooks" "$out/usr/share/initramfs-tools/hooks"
@@ -79,23 +76,22 @@ let
         substituteInPlace ./etc/systemd/system/Makefile.am \
           --replace '$(DESTDIR)$(systemdunitdir)' "$out"'$(DESTDIR)$(systemdunitdir)'
 
-        substituteInPlace ./etc/systemd/system/zfs-share.service.in \
-          --replace "/bin/rm " "${coreutils}/bin/rm "
+        substituteInPlace ./contrib/initramfs/conf.d/Makefile.am \
+          --replace "/usr/share/initramfs-tools/conf.d" "$out/usr/share/initramfs-tools/conf.d"
+        substituteInPlace ./contrib/initramfs/conf-hooks.d/Makefile.am \
+          --replace "/usr/share/initramfs-tools/conf-hooks.d" "$out/usr/share/initramfs-tools/conf-hooks.d"
 
         substituteInPlace ./cmd/vdev_id/vdev_id \
           --replace "PATH=/bin:/sbin:/usr/bin:/usr/sbin" \
           "PATH=${makeBinPath [ coreutils gawk gnused gnugrep systemd ]}"
-      '' + optionalString stdenv.hostPlatform.isMusl ''
-        substituteInPlace config/user-libtirpc.m4 \
-          --replace /usr/include/tirpc ${libtirpc}/include/tirpc
       '';
 
-      nativeBuildInputs = [ autoreconfHook nukeReferences ]
-        ++ optionals buildKernel (kernel.moduleBuildDependencies ++ [ perl ]);
-      buildInputs = optionals buildUser [ zlib libuuid attr ]
+      nativeBuildInputs = [ autoreconfHook269 nukeReferences ]
+        ++ optionals buildKernel (kernel.moduleBuildDependencies ++ [ perl ])
+        ++ optional buildUser pkg-config;
+      buildInputs = optionals buildUser [ zlib libuuid attr libtirpc ]
         ++ optional buildUser openssl
-        ++ optional (buildUser && enablePython) python3
-        ++ optional stdenv.hostPlatform.isMusl libtirpc;
+        ++ optional (buildUser && enablePython) python3;
 
       # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work
       NIX_CFLAGS_LINK = "-lgcc_s";
@@ -104,6 +100,7 @@ let
 
       configureFlags = [
         "--with-config=${configFile}"
+        "--with-tirpc=1"
         (withFeatureAs (buildUser && enablePython) "python" python3.interpreter)
       ] ++ optionals buildUser [
         "--with-dracutdir=$(out)/lib/dracut"
@@ -134,7 +131,7 @@ let
       postInstall = optionalString buildKernel ''
         # Add reference that cannot be detected due to compressed kernel module
         mkdir -p "$out/nix-support"
-        echo "${utillinux}" >> "$out/nix-support/extra-refs"
+        echo "${util-linux}" >> "$out/nix-support/extra-refs"
       '' + optionalString buildUser ''
         # Remove provided services as they are buggy
         rm $out/etc/systemd/system/zfs-import-*.service
@@ -145,9 +142,6 @@ let
         substituteInPlace $i --replace "zfs-import-cache.service" "zfs-import.target"
         done
 
-        # Fix pkgconfig.
-        ln -s ../share/pkgconfig $out/lib/pkgconfig
-
         # Remove tests because they add a runtime dependency on gcc
         rm -rf $out/share/zfs/zfs-tests
 
@@ -156,14 +150,27 @@ let
         (cd $out/share/bash-completion/completions; ln -s zfs zpool)
       '';
 
-      postFixup = ''
-        path="PATH=${makeBinPath [ coreutils gawk gnused gnugrep utillinux smartmontools sysstat sudo ]}"
+      postFixup = let
+        path = "PATH=${makeBinPath [ coreutils gawk gnused gnugrep util-linux smartmon sysstat ]}:$PATH";
+      in ''
         for i in $out/libexec/zfs/zpool.d/*; do
-          sed -i "2i$path" $i
+          sed -i '2i${path}' $i
         done
       '';
 
-      outputs = [ "out" ] ++ optionals buildUser [ "lib" "dev" ];
+      outputs = [ "out" ] ++ optionals buildUser [ "dev" ];
+
+      passthru = {
+        inherit enableMail;
+
+        tests =
+          if isUnstable then [
+            nixosTests.zfs.unstable
+          ] else [
+            nixosTests.zfs.installer
+            nixosTests.zfs.stable
+          ];
+      };
 
       meta = {
         description = "ZFS Filesystem Linux Kernel module";
@@ -172,10 +179,14 @@ let
           Copy-On-Write filesystem with data integrity detection and repair,
           snapshotting, cloning, block devices, deduplication, and more.
         '';
-        homepage = "https://zfsonlinux.org/";
+        homepage = "https://github.com/openzfs/zfs";
+        changelog = "https://github.com/openzfs/zfs/releases/tag/zfs-${version}";
         license = licenses.cddl;
         platforms = platforms.linux;
-        maintainers = with maintainers; [ jcumming wizeman fpletz globin ];
+        maintainers = with maintainers; [ hmenke jcumming jonringer wizeman fpletz globin mic92 ];
+        # If your Linux kernel version is not yet supported by zfs, try zfsUnstable.
+        # On NixOS set the option boot.zfs.enableUnstable.
+        broken = buildKernel && (kernelCompatible != null) && !kernelCompatible;
       };
     };
 in {
@@ -183,23 +194,24 @@ in {
   # ./nixos/modules/tasks/filesystems/zfs.nix needs
   # to be adapted
   zfsStable = common {
-    # comment/uncomment if breaking kernel versions are known
-    # incompatibleKernelVersion = "4.20";
+    # check the release notes for compatible kernels
+    kernelCompatible = kernel.kernelAtLeast "3.10" && kernel.kernelOlder "5.14";
 
     # this package should point to the latest release.
-    version = "0.8.4";
+    version = "2.1.0";
 
-    sha256 = "1hl4n900d24gl4vd65qdzq4m62b7bpvckldazcbd1xqcn8xhi6wp";
+    sha256 = "sha256-YdY4SStXZGBBdAHdM3R/unco7ztxI3s0/buPSNSeh5o=";
   };
 
   zfsUnstable = common {
-    # comment/uncomment if breaking kernel versions are known
-    # incompatibleKernelVersion = "4.19";
+    # check the release notes for compatible kernels
+    kernelCompatible = kernel.kernelAtLeast "3.10" && kernel.kernelOlder "5.14";
 
     # this package should point to a version / git revision compatible with the latest kernel release
-    version = "0.8.4";
+    version = "2.1.0";
+
+    sha256 = "sha256-YdY4SStXZGBBdAHdM3R/unco7ztxI3s0/buPSNSeh5o=";
 
-    sha256 = "1hl4n900d24gl4vd65qdzq4m62b7bpvckldazcbd1xqcn8xhi6wp";
     isUnstable = true;
   };
 }
diff --git a/pkgs/os-specific/linux/zsa-udev-rules/default.nix b/pkgs/os-specific/linux/zsa-udev-rules/default.nix
new file mode 100644
index 00000000000..ac69dc13b47
--- /dev/null
+++ b/pkgs/os-specific/linux/zsa-udev-rules/default.nix
@@ -0,0 +1,33 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  pname = "zsa-udev-rules";
+  version = "unstable-2020-12-16";
+
+  # TODO: use version and source from nixpkgs/pkgs/development/tools/wally-cli/default.nix after next release
+  src = fetchFromGitHub {
+    owner = "zsa";
+    repo = "wally";
+    rev = "e5dde3c700beab39fb941c6941e55535bf9b2af6";
+    sha256 = "0pkybi32r1hrmpa1mc8qlzhv7xy5n5rr5ah25lbr0cipp1bda417";
+  };
+
+  # it only installs files
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  installPhase = ''
+    mkdir -p $out/lib/udev/rules.d
+    cp dist/linux64/50-oryx.rules $out/lib/udev/rules.d/
+    cp dist/linux64/50-wally.rules $out/lib/udev/rules.d/
+  '';
+
+  meta = with lib; {
+    description = "udev rules for ZSA devices";
+    license = licenses.mit;
+    maintainers = with maintainers; [ davidak ];
+    platforms = platforms.linux;
+    homepage = "https://github.com/zsa/wally/wiki/Linux-install#2-create-a-udev-rule-file";
+  };
+}