summary refs log tree commit diff
path: root/pkgs/os-specific/linux
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r--pkgs/os-specific/linux/915resolution/default.nix4
-rw-r--r--pkgs/os-specific/linux/acpi-call/default.nix14
-rw-r--r--pkgs/os-specific/linux/acpi/default.nix6
-rw-r--r--pkgs/os-specific/linux/acpid/default.nix4
-rw-r--r--pkgs/os-specific/linux/acpitool/default.nix8
-rw-r--r--pkgs/os-specific/linux/afuse/default.nix17
-rw-r--r--pkgs/os-specific/linux/akvcam/default.nix32
-rw-r--r--pkgs/os-specific/linux/alsa-plugins/wrapper.nix4
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-firmware/cross.patch (renamed from pkgs/os-specific/linux/alsa-firmware/cross.patch)0
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix (renamed from pkgs/os-specific/linux/alsa-firmware/default.nix)6
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch (renamed from pkgs/os-specific/linux/alsa-lib/alsa-plugin-conf-multilib.patch)0
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix (renamed from pkgs/os-specific/linux/alsa-lib/default.nix)18
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix (renamed from pkgs/os-specific/linux/alsa-oss/default.nix)6
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix (renamed from pkgs/os-specific/linux/alsa-plugins/default.nix)12
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix10
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix (renamed from pkgs/os-specific/linux/alsa-tools/default.nix)12
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix (renamed from pkgs/os-specific/linux/alsa-topology-conf/default.nix)8
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix (renamed from pkgs/os-specific/linux/alsa-ucm-conf/default.nix)8
-rw-r--r--pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix (renamed from pkgs/os-specific/linux/alsa-utils/default.nix)22
-rw-r--r--pkgs/os-specific/linux/amdgpu-pro/default.nix6
-rw-r--r--pkgs/os-specific/linux/anbox/default.nix61
-rw-r--r--pkgs/os-specific/linux/anbox/kmod.nix15
-rw-r--r--pkgs/os-specific/linux/android-udev-rules/default.nix12
-rw-r--r--pkgs/os-specific/linux/apfs/default.nix35
-rw-r--r--pkgs/os-specific/linux/apparmor/default.nix134
-rw-r--r--pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh32
-rw-r--r--pkgs/os-specific/linux/aseq2json/default.nix28
-rw-r--r--pkgs/os-specific/linux/asus-wmi-sensors/default.nix4
-rw-r--r--pkgs/os-specific/linux/ati-drivers/builder.sh302
-rw-r--r--pkgs/os-specific/linux/ati-drivers/default.nix140
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch26
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch14
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch27
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch103
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch11
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch70
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch28
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch25
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch16
-rw-r--r--pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch26
-rw-r--r--pkgs/os-specific/linux/atop/atop.service.patch10
-rw-r--r--pkgs/os-specific/linux/atop/atopacct.service.patch7
-rw-r--r--pkgs/os-specific/linux/atop/default.nix74
-rw-r--r--pkgs/os-specific/linux/atop/fix-paths.patch48
-rw-r--r--pkgs/os-specific/linux/audit/default.nix22
-rw-r--r--pkgs/os-specific/linux/audit/patches/weak-symbols.patch147
-rw-r--r--pkgs/os-specific/linux/autofs/default.nix15
-rw-r--r--pkgs/os-specific/linux/batman-adv/alfred.nix12
-rw-r--r--pkgs/os-specific/linux/batman-adv/batctl.nix12
-rw-r--r--pkgs/os-specific/linux/batman-adv/default.nix8
-rw-r--r--pkgs/os-specific/linux/batman-adv/version.nix8
-rw-r--r--pkgs/os-specific/linux/bbswitch/default.nix4
-rw-r--r--pkgs/os-specific/linux/bcc/default.nix27
-rw-r--r--pkgs/os-specific/linux/beefi/default.nix44
-rw-r--r--pkgs/os-specific/linux/bionic-prebuilt/default.nix113
-rw-r--r--pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch42
-rw-r--r--pkgs/os-specific/linux/blktrace/default.nix6
-rw-r--r--pkgs/os-specific/linux/bluez/default.nix25
-rw-r--r--pkgs/os-specific/linux/bolt/default.nix64
-rw-r--r--pkgs/os-specific/linux/bpftool/default.nix30
-rw-r--r--pkgs/os-specific/linux/bpftools/default.nix38
-rw-r--r--pkgs/os-specific/linux/bpftrace/default.nix26
-rw-r--r--pkgs/os-specific/linux/bridge-utils/default.nix6
-rw-r--r--pkgs/os-specific/linux/brillo/default.nix4
-rw-r--r--pkgs/os-specific/linux/broadcom-sta/default.nix14
-rw-r--r--pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch184
-rw-r--r--pkgs/os-specific/linux/btfs/default.nix16
-rw-r--r--pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch71
-rw-r--r--pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch94
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix42
-rw-r--r--pkgs/os-specific/linux/busybox/sandbox-shell.nix3
-rw-r--r--pkgs/os-specific/linux/cachefilesd/default.nix4
-rw-r--r--pkgs/os-specific/linux/can-isotp/default.nix16
-rw-r--r--pkgs/os-specific/linux/can-utils/default.nix4
-rw-r--r--pkgs/os-specific/linux/catfs/default.nix47
-rw-r--r--pkgs/os-specific/linux/checkpolicy/default.nix4
-rw-r--r--pkgs/os-specific/linux/checksec/default.nix12
-rw-r--r--pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch4
-rw-r--r--pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch4
-rw-r--r--pkgs/os-specific/linux/chromium-os/crosvm/default.nix10
-rw-r--r--pkgs/os-specific/linux/chromium-os/default.nix3
-rw-r--r--pkgs/os-specific/linux/chromium-os/libqmi/default.nix4
-rw-r--r--pkgs/os-specific/linux/chromium-os/modem-manager/default.nix2
-rw-r--r--pkgs/os-specific/linux/chromium-os/modem-manager/next.nix6
-rw-r--r--pkgs/os-specific/linux/chromium-os/sommelier/0005-sommelier-don-t-leak-source-absolute-paths.patch (renamed from pkgs/os-specific/linux/chromium-os/sommelier/0003-sommelier-don-t-leak-source-absolute-paths.patch)6
-rw-r--r--pkgs/os-specific/linux/chromium-os/sommelier/0006-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch (renamed from pkgs/os-specific/linux/chromium-os/sommelier/0004-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch)6
-rw-r--r--pkgs/os-specific/linux/chromium-os/sommelier/default.nix4
-rw-r--r--pkgs/os-specific/linux/chromium-os/vm_protos/0003-common-mk-add-goproto_library-source_relative-opt.patch48
-rw-r--r--pkgs/os-specific/linux/chromium-os/vm_protos/0004-vm_tools-proto-set-go_package-correctly.patch102
-rw-r--r--pkgs/os-specific/linux/chromium-os/vm_protos/default.nix5
-rw-r--r--pkgs/os-specific/linux/cifs-utils/default.nix22
-rw-r--r--pkgs/os-specific/linux/compsize/default.nix25
-rw-r--r--pkgs/os-specific/linux/conky/default.nix12
-rw-r--r--pkgs/os-specific/linux/conntrack-tools/default.nix12
-rw-r--r--pkgs/os-specific/linux/consoletools/default.nix4
-rw-r--r--pkgs/os-specific/linux/conspy/default.nix16
-rw-r--r--pkgs/os-specific/linux/cpufrequtils/default.nix8
-rw-r--r--pkgs/os-specific/linux/cpuid/default.nix50
-rw-r--r--pkgs/os-specific/linux/cpupower/default.nix6
-rw-r--r--pkgs/os-specific/linux/cpuset/default.nix39
-rw-r--r--pkgs/os-specific/linux/cramfsprogs/default.nix4
-rw-r--r--pkgs/os-specific/linux/cramfsswap/default.nix4
-rw-r--r--pkgs/os-specific/linux/crda/default.nix6
-rw-r--r--pkgs/os-specific/linux/criu/default.nix24
-rw-r--r--pkgs/os-specific/linux/cryptodev/default.nix20
-rw-r--r--pkgs/os-specific/linux/cryptsetup/default.nix16
-rw-r--r--pkgs/os-specific/linux/cshatag/default.nix32
-rw-r--r--pkgs/os-specific/linux/cshatag/deps.nix21
-rw-r--r--pkgs/os-specific/linux/dbus-broker/default.nix12
-rw-r--r--pkgs/os-specific/linux/ddcci/default.nix4
-rw-r--r--pkgs/os-specific/linux/deepin-anything/default.nix22
-rw-r--r--pkgs/os-specific/linux/device-tree/default.nix31
-rw-r--r--pkgs/os-specific/linux/device-tree/raspberrypi.nix6
-rw-r--r--pkgs/os-specific/linux/devmem2/default.nix4
-rw-r--r--pkgs/os-specific/linux/digimend/default.nix6
-rw-r--r--pkgs/os-specific/linux/directvnc/default.nix6
-rw-r--r--pkgs/os-specific/linux/disk-indicator/default.nix6
-rw-r--r--pkgs/os-specific/linux/displaylink/99-displaylink.rules1
-rw-r--r--pkgs/os-specific/linux/displaylink/default.nix40
-rw-r--r--pkgs/os-specific/linux/displaylink/udev-installer.patch18
-rw-r--r--pkgs/os-specific/linux/dlm/default.nix26
-rw-r--r--pkgs/os-specific/linux/dmidecode/default.nix48
-rw-r--r--pkgs/os-specific/linux/dmraid/default.nix12
-rw-r--r--pkgs/os-specific/linux/dmtcp/default.nix18
-rw-r--r--pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch14
-rw-r--r--pkgs/os-specific/linux/dpdk-kmods/default.nix34
-rw-r--r--pkgs/os-specific/linux/dpdk/default.nix32
-rw-r--r--pkgs/os-specific/linux/drbd/default.nix4
-rw-r--r--pkgs/os-specific/linux/dropwatch/default.nix41
-rw-r--r--pkgs/os-specific/linux/dstat/default.nix34
-rw-r--r--pkgs/os-specific/linux/dstat/fix_pluginpath.patch15
-rw-r--r--pkgs/os-specific/linux/e1000e/default.nix6
-rw-r--r--pkgs/os-specific/linux/earlyoom/default.nix12
-rw-r--r--pkgs/os-specific/linux/ebtables/default.nix20
-rw-r--r--pkgs/os-specific/linux/edac-utils/default.nix6
-rw-r--r--pkgs/os-specific/linux/ell/default.nix22
-rw-r--r--pkgs/os-specific/linux/ell/fix-dbus-tests.patch65
-rw-r--r--pkgs/os-specific/linux/ena/default.nix15
-rw-r--r--pkgs/os-specific/linux/erofs-utils/default.nix25
-rw-r--r--pkgs/os-specific/linux/eudev/default.nix22
-rw-r--r--pkgs/os-specific/linux/evdi/default.nix27
-rw-r--r--pkgs/os-specific/linux/eventstat/default.nix4
-rw-r--r--pkgs/os-specific/linux/exfat/default.nix17
-rw-r--r--pkgs/os-specific/linux/extrace/default.nix4
-rw-r--r--pkgs/os-specific/linux/facetimehd/default.nix6
-rw-r--r--pkgs/os-specific/linux/fatrace/default.nix23
-rw-r--r--pkgs/os-specific/linux/fbterm/default.nix6
-rw-r--r--pkgs/os-specific/linux/ffado/default.nix8
-rw-r--r--pkgs/os-specific/linux/firejail/default.nix63
-rw-r--r--pkgs/os-specific/linux/firejail/default.upstream3
-rw-r--r--pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch11
-rw-r--r--pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch27
-rw-r--r--pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix6
-rw-r--r--pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix6
-rw-r--r--pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix7
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix16
-rw-r--r--pkgs/os-specific/linux/firmware/firmware-manager/default.nix38
-rw-r--r--pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch50
-rw-r--r--pkgs/os-specific/linux/firmware/fwupd/default.nix216
-rw-r--r--pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch42
-rw-r--r--pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix10
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix18
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix51
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi/default.nix18
-rw-r--r--pkgs/os-specific/linux/firmware/raspberrypi/tools.nix29
-rw-r--r--pkgs/os-specific/linux/firmware/rt5677/default.nix4
-rw-r--r--pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix6
-rw-r--r--pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix6
-rw-r--r--pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix29
-rw-r--r--pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix23
-rw-r--r--pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix25
-rw-r--r--pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix25
-rw-r--r--pkgs/os-specific/linux/firmware/sof-firmware/default.nix24
-rw-r--r--pkgs/os-specific/linux/firmware/system76-firmware/default.nix39
-rw-r--r--pkgs/os-specific/linux/firmware/zd1211/default.nix4
-rw-r--r--pkgs/os-specific/linux/flashbench/default.nix24
-rw-r--r--pkgs/os-specific/linux/fnotifystat/default.nix4
-rw-r--r--pkgs/os-specific/linux/forkstat/default.nix4
-rw-r--r--pkgs/os-specific/linux/forktty/default.nix10
-rw-r--r--pkgs/os-specific/linux/freefall/default.nix4
-rw-r--r--pkgs/os-specific/linux/fscrypt/default.nix12
-rw-r--r--pkgs/os-specific/linux/fscryptctl/default.nix34
-rw-r--r--pkgs/os-specific/linux/fscryptctl/legacy.nix51
-rw-r--r--pkgs/os-specific/linux/fswebcam/default.nix10
-rw-r--r--pkgs/os-specific/linux/ftop/default.nix4
-rw-r--r--pkgs/os-specific/linux/fuse/common.nix25
-rw-r--r--pkgs/os-specific/linux/fuse/default.nix8
-rw-r--r--pkgs/os-specific/linux/fwts/default.nix10
-rw-r--r--pkgs/os-specific/linux/fwts/module.nix4
-rw-r--r--pkgs/os-specific/linux/fxload/default.nix4
-rw-r--r--pkgs/os-specific/linux/g15daemon/default.nix2
-rw-r--r--pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix38
-rw-r--r--pkgs/os-specific/linux/gfxtablet/default.nix12
-rw-r--r--pkgs/os-specific/linux/gobi_loader/default.nix4
-rw-r--r--pkgs/os-specific/linux/gogoclient/default.nix6
-rw-r--r--pkgs/os-specific/linux/gradm/default.nix14
-rw-r--r--pkgs/os-specific/linux/greetd/default.nix51
-rw-r--r--pkgs/os-specific/linux/gtkgreet/default.nix50
-rw-r--r--pkgs/os-specific/linux/guvcview/default.nix28
-rw-r--r--pkgs/os-specific/linux/hal-flash/default.nix29
-rw-r--r--pkgs/os-specific/linux/hd-idle/default.nix4
-rw-r--r--pkgs/os-specific/linux/hdapsd/default.nix4
-rw-r--r--pkgs/os-specific/linux/hdparm/default.nix12
-rw-r--r--pkgs/os-specific/linux/hibernate/default.nix10
-rw-r--r--pkgs/os-specific/linux/hid-nintendo/default.nix38
-rw-r--r--pkgs/os-specific/linux/hostapd/default.nix15
-rw-r--r--pkgs/os-specific/linux/hwdata/default.nix12
-rw-r--r--pkgs/os-specific/linux/hyperv-daemons/default.nix15
-rw-r--r--pkgs/os-specific/linux/i2c-tools/default.nix23
-rw-r--r--pkgs/os-specific/linux/i810switch/default.nix6
-rw-r--r--pkgs/os-specific/linux/ifenslave/default.nix6
-rw-r--r--pkgs/os-specific/linux/ifmetric/default.nix4
-rw-r--r--pkgs/os-specific/linux/iio-sensor-proxy/default.nix16
-rw-r--r--pkgs/os-specific/linux/ima-evm-utils/default.nix10
-rw-r--r--pkgs/os-specific/linux/input-utils/default.nix6
-rw-r--r--pkgs/os-specific/linux/intel-compute-runtime/default.nix21
-rw-r--r--pkgs/os-specific/linux/intel-compute-runtime/etc-dir.patch15
-rw-r--r--pkgs/os-specific/linux/intel-ocl/default.nix8
-rw-r--r--pkgs/os-specific/linux/intel-speed-select/default.nix4
-rw-r--r--pkgs/os-specific/linux/ioport/default.nix4
-rw-r--r--pkgs/os-specific/linux/iotop-c/default.nix31
-rw-r--r--pkgs/os-specific/linux/iotop/default.nix4
-rw-r--r--pkgs/os-specific/linux/iproute/default.nix11
-rw-r--r--pkgs/os-specific/linux/iproute/mptcp.nix12
-rw-r--r--pkgs/os-specific/linux/ipsec-tools/default.nix6
-rw-r--r--pkgs/os-specific/linux/ipset/default.nix10
-rw-r--r--pkgs/os-specific/linux/iptables/default.nix11
-rw-r--r--pkgs/os-specific/linux/iptstate/default.nix4
-rw-r--r--pkgs/os-specific/linux/iputils/default.nix48
-rw-r--r--pkgs/os-specific/linux/ipvsadm/default.nix6
-rw-r--r--pkgs/os-specific/linux/irqbalance/default.nix17
-rw-r--r--pkgs/os-specific/linux/isgx/default.nix56
-rw-r--r--pkgs/os-specific/linux/it87/default.nix4
-rw-r--r--pkgs/os-specific/linux/iw/default.nix14
-rw-r--r--pkgs/os-specific/linux/iwd/default.nix30
-rw-r--r--pkgs/os-specific/linux/ixgbevf/default.nix4
-rw-r--r--pkgs/os-specific/linux/jfbview/default.nix10
-rw-r--r--pkgs/os-specific/linux/jool/cli.nix6
-rw-r--r--pkgs/os-specific/linux/jool/default.nix4
-rw-r--r--pkgs/os-specific/linux/joycond/default.nix37
-rw-r--r--pkgs/os-specific/linux/jujuutils/default.nix6
-rw-r--r--pkgs/os-specific/linux/kbd/default.nix57
-rw-r--r--pkgs/os-specific/linux/kbd/keymaps.nix36
-rw-r--r--pkgs/os-specific/linux/kbd/search-paths.patch71
-rw-r--r--pkgs/os-specific/linux/kbdlight/default.nix4
-rw-r--r--pkgs/os-specific/linux/kernel-headers/default.nix26
-rw-r--r--pkgs/os-specific/linux/kernel/common-config.nix139
-rw-r--r--pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch11
-rw-r--r--pkgs/os-specific/linux/kernel/generate-config.pl9
-rw-r--r--pkgs/os-specific/linux/kernel/generic.nix68
-rw-r--r--pkgs/os-specific/linux/kernel/hardened/config.nix24
-rw-r--r--pkgs/os-specific/linux/kernel/hardened/patches.json38
-rw-r--r--pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch7
-rwxr-xr-xpkgs/os-specific/linux/kernel/hardened/update.py15
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.14.nix10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.19.nix10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.4.nix9
-rw-r--r--pkgs/os-specific/linux/kernel/linux-4.9.nix9
-rw-r--r--pkgs/os-specific/linux/kernel/linux-5.10.nix (renamed from pkgs/os-specific/linux/kernel/linux-5.8.nix)10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-5.12.nix (renamed from pkgs/os-specific/linux/kernel/linux-5.7.nix)10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-5.13.nix21
-rw-r--r--pkgs/os-specific/linux/kernel/linux-5.4.nix10
-rw-r--r--pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix2
-rw-r--r--pkgs/os-specific/linux/kernel/linux-libre.nix7
-rw-r--r--pkgs/os-specific/linux/kernel/linux-lqx.nix26
-rw-r--r--pkgs/os-specific/linux/kernel/linux-mptcp-94.nix26
-rw-r--r--pkgs/os-specific/linux/kernel/linux-mptcp-95.nix14
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rpi.nix15
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-5.10.nix45
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-5.11.nix45
-rw-r--r--pkgs/os-specific/linux/kernel/linux-rt-5.4.nix41
-rw-r--r--pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix47
-rw-r--r--pkgs/os-specific/linux/kernel/linux-testing.nix12
-rw-r--r--pkgs/os-specific/linux/kernel/linux-xanmod.nix54
-rw-r--r--pkgs/os-specific/linux/kernel/linux-zen.nix19
-rw-r--r--pkgs/os-specific/linux/kernel/manual-config.nix104
-rw-r--r--pkgs/os-specific/linux/kernel/mptcp-config.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix33
-rw-r--r--pkgs/os-specific/linux/kernel/perf.nix23
-rw-r--r--pkgs/os-specific/linux/kernel/rtl8761b-support.patch33
-rwxr-xr-xpkgs/os-specific/linux/kernel/update-rt.sh79
-rwxr-xr-xpkgs/os-specific/linux/kernel/update.sh3
-rw-r--r--pkgs/os-specific/linux/kexectools/default.nix4
-rw-r--r--pkgs/os-specific/linux/keyutils/default.nix12
-rw-r--r--pkgs/os-specific/linux/kinect-audio-setup/default.nix91
-rw-r--r--pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch23
-rw-r--r--pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch15
-rw-r--r--pkgs/os-specific/linux/klibc/default.nix14
-rw-r--r--pkgs/os-specific/linux/kmod-blacklist-ubuntu/default.nix4
-rw-r--r--pkgs/os-specific/linux/kmod/darwin.patch12
-rw-r--r--pkgs/os-specific/linux/kmod/default.nix11
-rw-r--r--pkgs/os-specific/linux/kmod/no-name-field.patch24
-rw-r--r--pkgs/os-specific/linux/kmscon/default.nix9
-rw-r--r--pkgs/os-specific/linux/kmscube/default.nix6
-rw-r--r--pkgs/os-specific/linux/kvmfr/default.nix32
-rw-r--r--pkgs/os-specific/linux/latencytop/default.nix10
-rw-r--r--pkgs/os-specific/linux/ldm/default.nix8
-rw-r--r--pkgs/os-specific/linux/ledger-udev-rules/default.nix4
-rw-r--r--pkgs/os-specific/linux/libaio/default.nix18
-rw-r--r--pkgs/os-specific/linux/libatasmart/default.nix6
-rw-r--r--pkgs/os-specific/linux/libbpf/default.nix41
-rw-r--r--pkgs/os-specific/linux/libcap-ng/default.nix8
-rw-r--r--pkgs/os-specific/linux/libcap/default.nix36
-rw-r--r--pkgs/os-specific/linux/libcgroup/default.nix31
-rw-r--r--pkgs/os-specific/linux/libevdevc/default.nix6
-rw-r--r--pkgs/os-specific/linux/libfabric/default.nix10
-rw-r--r--pkgs/os-specific/linux/libgestures/default.nix8
-rw-r--r--pkgs/os-specific/linux/libnl/default.nix9
-rw-r--r--pkgs/os-specific/linux/libpsm2/default.nix15
-rw-r--r--pkgs/os-specific/linux/libratbag/default.nix10
-rw-r--r--pkgs/os-specific/linux/libselinux/default.nix32
-rw-r--r--pkgs/os-specific/linux/libsemanage/default.nix18
-rw-r--r--pkgs/os-specific/linux/libsepol/default.nix17
-rw-r--r--pkgs/os-specific/linux/libsmbios/default.nix6
-rw-r--r--pkgs/os-specific/linux/libudev0-shim/default.nix4
-rw-r--r--pkgs/os-specific/linux/libvolume_id/default.nix6
-rw-r--r--pkgs/os-specific/linux/libwebcam/default.nix9
-rw-r--r--pkgs/os-specific/linux/light/default.nix12
-rw-r--r--pkgs/os-specific/linux/lightum/default.nix10
-rw-r--r--pkgs/os-specific/linux/linuxptp/default.nix10
-rw-r--r--pkgs/os-specific/linux/lksctp-tools/default.nix6
-rw-r--r--pkgs/os-specific/linux/lm-sensors/default.nix21
-rw-r--r--pkgs/os-specific/linux/lockdep/default.nix49
-rw-r--r--pkgs/os-specific/linux/logitech-udev-rules/default.nix6
-rw-r--r--pkgs/os-specific/linux/lsiutil/default.nix75
-rw-r--r--pkgs/os-specific/linux/lsscsi/default.nix10
-rw-r--r--pkgs/os-specific/linux/lttng-modules/default.nix16
-rw-r--r--pkgs/os-specific/linux/lvm2/default.nix36
-rw-r--r--pkgs/os-specific/linux/lxc/default.nix10
-rw-r--r--pkgs/os-specific/linux/lxcfs/default.nix20
-rw-r--r--pkgs/os-specific/linux/macchanger/default.nix31
-rw-r--r--pkgs/os-specific/linux/mba6x_bl/default.nix4
-rw-r--r--pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix35
-rw-r--r--pkgs/os-specific/linux/mcelog/default.nix10
-rw-r--r--pkgs/os-specific/linux/mdadm/default.nix8
-rw-r--r--pkgs/os-specific/linux/mdevd/default.nix4
-rw-r--r--pkgs/os-specific/linux/metastore/default.nix4
-rw-r--r--pkgs/os-specific/linux/microcode/amd.nix6
-rw-r--r--pkgs/os-specific/linux/microcode/intel.nix8
-rw-r--r--pkgs/os-specific/linux/microcode/iucode-tool.nix4
-rw-r--r--pkgs/os-specific/linux/mingetty/default.nix4
-rw-r--r--pkgs/os-specific/linux/miraclecast/default.nix8
-rw-r--r--pkgs/os-specific/linux/mkinitcpio-nfs-utils/default.nix4
-rw-r--r--pkgs/os-specific/linux/mmc-utils/default.nix10
-rw-r--r--pkgs/os-specific/linux/molly-guard/default.nix4
-rw-r--r--pkgs/os-specific/linux/msr-tools/default.nix6
-rw-r--r--pkgs/os-specific/linux/mstpd/default.nix4
-rw-r--r--pkgs/os-specific/linux/multipath-tools/default.nix14
-rw-r--r--pkgs/os-specific/linux/musl-fts/default.nix25
-rw-r--r--pkgs/os-specific/linux/musl-obstack/default.nix26
-rw-r--r--pkgs/os-specific/linux/musl/default.nix31
-rw-r--r--pkgs/os-specific/linux/mwprocapture/default.nix20
-rw-r--r--pkgs/os-specific/linux/mxu11x0/default.nix7
-rw-r--r--pkgs/os-specific/linux/ndiswrapper/default.nix15
-rw-r--r--pkgs/os-specific/linux/ndiswrapper/no-sbin.patch6
-rw-r--r--pkgs/os-specific/linux/net-tools/default.nix10
-rw-r--r--pkgs/os-specific/linux/net-tools/mptcp.nix4
-rw-r--r--pkgs/os-specific/linux/netatop/default.nix25
-rw-r--r--pkgs/os-specific/linux/netatop/fix-paths.patch11
-rw-r--r--pkgs/os-specific/linux/netatop/netatop.service.patch7
-rw-r--r--pkgs/os-specific/linux/nfs-utils/default.nix30
-rw-r--r--pkgs/os-specific/linux/nftables/default.nix13
-rw-r--r--pkgs/os-specific/linux/nixos-rebuild/default.nix23
-rwxr-xr-xpkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh527
-rw-r--r--pkgs/os-specific/linux/nmon/default.nix4
-rw-r--r--pkgs/os-specific/linux/nss_ldap/default.nix4
-rw-r--r--pkgs/os-specific/linux/numactl/default.nix12
-rw-r--r--pkgs/os-specific/linux/numad/default.nix6
-rw-r--r--pkgs/os-specific/linux/numatop/default.nix6
-rw-r--r--pkgs/os-specific/linux/numworks-udev-rules/50-numworks-calculator.rules2
-rw-r--r--pkgs/os-specific/linux/numworks-udev-rules/default.nix21
-rwxr-xr-xpkgs/os-specific/linux/numworks-udev-rules/update.sh3
-rwxr-xr-xpkgs/os-specific/linux/nvidia-x11/builder.sh10
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/default.nix91
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/generic.nix25
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/persistenced.nix21
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/settings.nix12
-rw-r--r--pkgs/os-specific/linux/nvidiabl/default.nix10
-rw-r--r--pkgs/os-specific/linux/nvme-cli/default.nix11
-rw-r--r--pkgs/os-specific/linux/nvmet-cli/default.nix25
-rw-r--r--pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix60
-rw-r--r--pkgs/os-specific/linux/odp-dpdk/default.nix35
-rw-r--r--pkgs/os-specific/linux/ofp/default.nix41
-rw-r--r--pkgs/os-specific/linux/open-iscsi/default.nix22
-rw-r--r--pkgs/os-specific/linux/open-isns/default.nix17
-rw-r--r--pkgs/os-specific/linux/opengl/xorg-sys/default.nix4
-rw-r--r--pkgs/os-specific/linux/openrazer/driver.nix15
-rw-r--r--pkgs/os-specific/linux/openvswitch/default.nix14
-rw-r--r--pkgs/os-specific/linux/openvswitch/lts.nix17
-rw-r--r--pkgs/os-specific/linux/otpw/default.nix6
-rw-r--r--pkgs/os-specific/linux/pagemon/default.nix4
-rw-r--r--pkgs/os-specific/linux/pam/default.nix39
-rw-r--r--pkgs/os-specific/linux/pam/musl-fix-pam_exec.patch33
-rw-r--r--pkgs/os-specific/linux/pam_ccreds/default.nix4
-rw-r--r--pkgs/os-specific/linux/pam_gnupg/default.nix32
-rw-r--r--pkgs/os-specific/linux/pam_krb5/default.nix10
-rw-r--r--pkgs/os-specific/linux/pam_mount/default.nix49
-rw-r--r--pkgs/os-specific/linux/pam_p11/default.nix4
-rw-r--r--pkgs/os-specific/linux/pam_pgsql/default.nix6
-rw-r--r--pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix73
-rw-r--r--pkgs/os-specific/linux/pam_ssh_agent_auth/edcsa-crash-fix.patch53
-rw-r--r--pkgs/os-specific/linux/pam_ssh_agent_auth/multiple-key-files.patch12
-rw-r--r--pkgs/os-specific/linux/pam_u2f/default.nix23
-rw-r--r--pkgs/os-specific/linux/pam_usb/default.nix8
-rw-r--r--pkgs/os-specific/linux/pax-utils/default.nix4
-rw-r--r--pkgs/os-specific/linux/paxctl/default.nix4
-rw-r--r--pkgs/os-specific/linux/paxtest/default.nix4
-rw-r--r--pkgs/os-specific/linux/pcimem/default.nix30
-rw-r--r--pkgs/os-specific/linux/pcm/default.nix8
-rw-r--r--pkgs/os-specific/linux/pcmciautils/default.nix11
-rw-r--r--pkgs/os-specific/linux/perf-tools/default.nix4
-rw-r--r--pkgs/os-specific/linux/phc-intel/default.nix8
-rw-r--r--pkgs/os-specific/linux/piper/default.nix10
-rw-r--r--pkgs/os-specific/linux/pipework/default.nix6
-rw-r--r--pkgs/os-specific/linux/pktgen/configure.patch17
-rw-r--r--pkgs/os-specific/linux/pktgen/default.nix34
-rw-r--r--pkgs/os-specific/linux/ply/default.nix8
-rw-r--r--pkgs/os-specific/linux/plymouth/default.nix105
-rw-r--r--pkgs/os-specific/linux/pm-utils/default.nix12
-rw-r--r--pkgs/os-specific/linux/pmount/default.nix14
-rw-r--r--pkgs/os-specific/linux/policycoreutils/default.nix4
-rw-r--r--pkgs/os-specific/linux/pommed-light/default.nix12
-rw-r--r--pkgs/os-specific/linux/power-profiles-daemon/default.nix68
-rw-r--r--pkgs/os-specific/linux/powercap/default.nix26
-rw-r--r--pkgs/os-specific/linux/powerstat/default.nix12
-rw-r--r--pkgs/os-specific/linux/powertop/default.nix9
-rw-r--r--pkgs/os-specific/linux/pps-tools/default.nix4
-rw-r--r--pkgs/os-specific/linux/prl-tools/default.nix8
-rw-r--r--pkgs/os-specific/linux/procdump/default.nix4
-rw-r--r--pkgs/os-specific/linux/procps-ng/default.nix52
-rw-r--r--pkgs/os-specific/linux/pscircle/default.nix6
-rw-r--r--pkgs/os-specific/linux/psftools/default.nix24
-rw-r--r--pkgs/os-specific/linux/psmisc/default.nix10
-rw-r--r--pkgs/os-specific/linux/r8125/default.nix10
-rw-r--r--pkgs/os-specific/linux/r8168/default.nix8
-rw-r--r--pkgs/os-specific/linux/radeontools/default.nix8
-rw-r--r--pkgs/os-specific/linux/radeontop/default.nix13
-rw-r--r--pkgs/os-specific/linux/raspberrypi-eeprom/default.nix55
-rw-r--r--pkgs/os-specific/linux/rdma-core/default.nix20
-rw-r--r--pkgs/os-specific/linux/read-edid/default.nix2
-rw-r--r--pkgs/os-specific/linux/regionset/default.nix4
-rw-r--r--pkgs/os-specific/linux/rewritefs/default.nix8
-rw-r--r--pkgs/os-specific/linux/rfkill/udev.nix4
-rw-r--r--pkgs/os-specific/linux/roccat-tools/default.nix10
-rw-r--r--pkgs/os-specific/linux/rtkit/default.nix8
-rw-r--r--pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix39
-rw-r--r--pkgs/os-specific/linux/rtl8192eu/default.nix23
-rw-r--r--pkgs/os-specific/linux/rtl8723bs/default.nix10
-rw-r--r--pkgs/os-specific/linux/rtl8812au/default.nix35
-rw-r--r--pkgs/os-specific/linux/rtl8814au/default.nix23
-rw-r--r--pkgs/os-specific/linux/rtl8821au/default.nix22
-rw-r--r--pkgs/os-specific/linux/rtl8821ce/default.nix18
-rw-r--r--pkgs/os-specific/linux/rtl8821cu/default.nix21
-rw-r--r--pkgs/os-specific/linux/rtl88x2bu/default.nix22
-rw-r--r--pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix24
-rw-r--r--pkgs/os-specific/linux/rtlwifi_new/default.nix41
-rw-r--r--pkgs/os-specific/linux/rtw88/default.nix40
-rw-r--r--pkgs/os-specific/linux/rtw89/default.nix40
-rw-r--r--pkgs/os-specific/linux/ryzenadj/default.nix27
-rw-r--r--pkgs/os-specific/linux/s6-linux-init/default.nix22
-rw-r--r--pkgs/os-specific/linux/s6-linux-utils/default.nix8
-rw-r--r--pkgs/os-specific/linux/sch_cake/default.nix4
-rw-r--r--pkgs/os-specific/linux/schedtool/default.nix6
-rw-r--r--pkgs/os-specific/linux/sd-switch/default.nix10
-rw-r--r--pkgs/os-specific/linux/sdnotify-wrapper/sdnotify-wrapper.c22
-rw-r--r--pkgs/os-specific/linux/sdparm/default.nix4
-rw-r--r--pkgs/os-specific/linux/selinux-python/default.nix6
-rw-r--r--pkgs/os-specific/linux/selinux-sandbox/default.nix5
-rw-r--r--pkgs/os-specific/linux/semodule-utils/default.nix6
-rw-r--r--pkgs/os-specific/linux/sepolgen/default.nix4
-rw-r--r--pkgs/os-specific/linux/service-wrapper/default.nix4
-rw-r--r--pkgs/os-specific/linux/setools/default.nix14
-rw-r--r--pkgs/os-specific/linux/seturgent/default.nix11
-rw-r--r--pkgs/os-specific/linux/shadow/default.nix22
-rw-r--r--pkgs/os-specific/linux/shadow/runtime-shell.patch13
-rw-r--r--pkgs/os-specific/linux/sinit/default.nix18
-rw-r--r--pkgs/os-specific/linux/speedometer/default.nix4
-rw-r--r--pkgs/os-specific/linux/sssd/default.nix35
-rw-r--r--pkgs/os-specific/linux/statifier/default.nix4
-rw-r--r--pkgs/os-specific/linux/swapview/default.nix23
-rw-r--r--pkgs/os-specific/linux/switcheroo-control/default.nix58
-rw-r--r--pkgs/os-specific/linux/syscall_limiter/default.nix4
-rw-r--r--pkgs/os-specific/linux/sysdig/default.nix49
-rw-r--r--pkgs/os-specific/linux/sysfsutils/default.nix6
-rw-r--r--pkgs/os-specific/linux/sysklogd/default.nix6
-rw-r--r--pkgs/os-specific/linux/sysklogd/fix-includes-for-musl.patch120
-rw-r--r--pkgs/os-specific/linux/sysklogd/systemd.patch2
-rw-r--r--pkgs/os-specific/linux/syslinux/default.nix15
-rw-r--r--pkgs/os-specific/linux/syslinux/gcc10.patch33
-rw-r--r--pkgs/os-specific/linux/sysstat/default.nix12
-rw-r--r--pkgs/os-specific/linux/system76-acpi/default.nix43
-rw-r--r--pkgs/os-specific/linux/system76-io/default.nix38
-rw-r--r--pkgs/os-specific/linux/system76-power/default.nix30
-rw-r--r--pkgs/os-specific/linux/system76/default.nix44
-rw-r--r--pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch8
-rw-r--r--pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch12
-rw-r--r--pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch12
-rw-r--r--pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch10
-rw-r--r--pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch123
-rw-r--r--pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch10
-rw-r--r--pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch42
-rw-r--r--pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch8
-rw-r--r--pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch32
-rw-r--r--pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch10
-rw-r--r--pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch12
-rw-r--r--pkgs/os-specific/linux/systemd/0012-Install-default-configuration-into-out-share-factory.patch313
-rw-r--r--pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch (renamed from pkgs/os-specific/linux/systemd/0013-inherit-systemd-environment-when-calling-generators.patch)10
-rw-r--r--pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch (renamed from pkgs/os-specific/linux/systemd/0014-add-rootprefix-to-lookup-dir-paths.patch)8
-rw-r--r--pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch (renamed from pkgs/os-specific/linux/systemd/0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch)10
-rw-r--r--pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch (renamed from pkgs/os-specific/linux/systemd/0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch)8
-rw-r--r--pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch (renamed from pkgs/os-specific/linux/systemd/0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch)8
-rw-r--r--pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch (renamed from pkgs/os-specific/linux/systemd/0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch)8
-rw-r--r--pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch26
-rw-r--r--pkgs/os-specific/linux/systemd/0019-pkg-config-derive-prefix-from-prefix.patch33
-rw-r--r--pkgs/os-specific/linux/systemd/default.nix469
-rw-r--r--pkgs/os-specific/linux/sysvinit/default.nix12
-rw-r--r--pkgs/os-specific/linux/target-isns/default.nix36
-rw-r--r--pkgs/os-specific/linux/target-isns/install_prefix_path.patch17
-rw-r--r--pkgs/os-specific/linux/targetcli/default.nix8
-rw-r--r--pkgs/os-specific/linux/tbs/default.nix2
-rw-r--r--pkgs/os-specific/linux/tcp-wrappers/default.nix6
-rw-r--r--pkgs/os-specific/linux/teck-udev-rules/default.nix22
-rw-r--r--pkgs/os-specific/linux/thunderbolt/default.nix12
-rw-r--r--pkgs/os-specific/linux/tiptop/default.nix4
-rw-r--r--pkgs/os-specific/linux/tiscamera/default.nix67
-rw-r--r--pkgs/os-specific/linux/tmon/default.nix4
-rw-r--r--pkgs/os-specific/linux/tomb/default.nix10
-rw-r--r--pkgs/os-specific/linux/tp_smapi/default.nix2
-rw-r--r--pkgs/os-specific/linux/tpacpi-bat/default.nix8
-rw-r--r--pkgs/os-specific/linux/trace-cmd/default.nix16
-rw-r--r--pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch24
-rw-r--r--pkgs/os-specific/linux/trace-cmd/kernelshark.nix15
-rw-r--r--pkgs/os-specific/linux/trace-cmd/src.nix5
-rw-r--r--pkgs/os-specific/linux/trezor-udev-rules/default.nix4
-rw-r--r--pkgs/os-specific/linux/trinity/default.nix4
-rw-r--r--pkgs/os-specific/linux/tuigreet/default.nix26
-rw-r--r--pkgs/os-specific/linux/tuna/default.nix62
-rw-r--r--pkgs/os-specific/linux/tunctl/default.nix6
-rw-r--r--pkgs/os-specific/linux/turbostat/default.nix4
-rw-r--r--pkgs/os-specific/linux/tuxedo-keyboard/default.nix15
-rw-r--r--pkgs/os-specific/linux/uclibc/default.nix14
-rw-r--r--pkgs/os-specific/linux/udisks-glue/default.nix10
-rw-r--r--pkgs/os-specific/linux/udisks/1-default.nix10
-rw-r--r--pkgs/os-specific/linux/udisks/2-default.nix20
-rw-r--r--pkgs/os-specific/linux/undervolt/default.nix4
-rw-r--r--pkgs/os-specific/linux/unstick/default.nix4
-rw-r--r--pkgs/os-specific/linux/untie/default.nix4
-rw-r--r--pkgs/os-specific/linux/upower/default.nix10
-rw-r--r--pkgs/os-specific/linux/usbguard/default.nix66
-rw-r--r--pkgs/os-specific/linux/usbip/default.nix11
-rw-r--r--pkgs/os-specific/linux/usbtop/default.nix4
-rw-r--r--pkgs/os-specific/linux/usbutils/default.nix10
-rw-r--r--pkgs/os-specific/linux/usbutils/fix-paths.patch9
-rw-r--r--pkgs/os-specific/linux/usermount/default.nix8
-rw-r--r--pkgs/os-specific/linux/util-linux/default.nix14
-rw-r--r--pkgs/os-specific/linux/uvcdynctrl/default.nix6
-rw-r--r--pkgs/os-specific/linux/v4l-utils/default.nix10
-rw-r--r--pkgs/os-specific/linux/v4l2loopback/default.nix17
-rw-r--r--pkgs/os-specific/linux/v86d/default.nix4
-rw-r--r--pkgs/os-specific/linux/veikk-linux-driver/default.nix35
-rw-r--r--pkgs/os-specific/linux/vendor-reset/default.nix35
-rw-r--r--pkgs/os-specific/linux/wireguard/default.nix12
-rw-r--r--pkgs/os-specific/linux/wireless-tools/default.nix6
-rw-r--r--pkgs/os-specific/linux/wlgreet/default.nix26
-rw-r--r--pkgs/os-specific/linux/wooting-udev-rules/default.nix6
-rw-r--r--pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch130
-rw-r--r--pkgs/os-specific/linux/wpa_supplicant/default.nix61
-rw-r--r--pkgs/os-specific/linux/wpa_supplicant/gui.nix4
-rw-r--r--pkgs/os-specific/linux/x86_energy_perf_policy/default.nix4
-rw-r--r--pkgs/os-specific/linux/x86info/default.nix8
-rw-r--r--pkgs/os-specific/linux/xf86-input-cmt/default.nix8
-rw-r--r--pkgs/os-specific/linux/xf86-input-wacom/default.nix68
-rw-r--r--pkgs/os-specific/linux/xf86-video-nested/default.nix8
-rw-r--r--pkgs/os-specific/linux/xmm7360-pci/default.nix28
-rw-r--r--pkgs/os-specific/linux/xpadneo/default.nix16
-rw-r--r--pkgs/os-specific/linux/xsensors/default.nix4
-rw-r--r--pkgs/os-specific/linux/zenmonitor/default.nix10
-rw-r--r--pkgs/os-specific/linux/zenpower/default.nix4
-rw-r--r--pkgs/os-specific/linux/zenstates/default.nix4
-rw-r--r--pkgs/os-specific/linux/zfs/BACKPORT-Linux-5.8-compat-__vmalloc.patch154
-rw-r--r--pkgs/os-specific/linux/zfs/default.nix114
-rw-r--r--pkgs/os-specific/linux/zsa-udev-rules/default.nix33
585 files changed, 8829 insertions, 5043 deletions
diff --git a/pkgs/os-specific/linux/915resolution/default.nix b/pkgs/os-specific/linux/915resolution/default.nix
index 906ea04293f..57f8ba0d33b 100644
--- a/pkgs/os-specific/linux/915resolution/default.nix
+++ b/pkgs/os-specific/linux/915resolution/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 
 stdenv.mkDerivation rec {
   name = "915resolution-0.5.3";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   patchPhase = "rm *.o";
   installPhase = "mkdir -p $out/sbin; cp 915resolution $out/sbin/";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://915resolution.mango-lang.org/";
     description = "A tool to modify Intel 800/900 video BIOS";
     platforms = [ "i686-linux" "x86_64-linux" ];
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index bb3aef885a7..f986ed790a1 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -1,14 +1,15 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
   pname = "acpi-call";
-  version = "2020-04-07-${kernel.version}";
+  version = "1.2.1";
+  name = "${pname}-${version}-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "nix-community";
     repo = "acpi_call";
-    rev = "3d7c9fe5ed3fc5ed5bafd39d54b1fdc7a09ce710";
-    sha256 = "09kp8zl392h99wjwzqrdw2xcfnsc944hzmfwi8n1y7m2slpdybv3";
+    rev = "v${version}";
+    sha256 = "0mr4rjbv6fj4phf038addrgv32940bphghw2v9n1z4awvw7wzkbg";
   };
 
   hardeningDisable = [ "pic" ];
@@ -24,10 +25,11 @@ stdenv.mkDerivation rec {
     install -D -m755 examples/turn_off_gpu.sh $out/bin/test_discrete_video_off.sh
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     maintainers = with maintainers; [ raskin mic92 ];
-    inherit (src.meta) homepage;
+    homepage = "https://github.com/nix-community/acpi_call";
     platforms = platforms.linux;
     description = "A module allowing arbitrary ACPI calls; use case: hybrid video";
+    license = licenses.gpl3Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/acpi/default.nix b/pkgs/os-specific/linux/acpi/default.nix
index 69a36d7bf52..d257553299c 100644
--- a/pkgs/os-specific/linux/acpi/default.nix
+++ b/pkgs/os-specific/linux/acpi/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "acpi";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "01ahldvf0gc29dmbd5zi4rrnrw2i1ajnf30sx2vyaski3jv099fp";
   };
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Show battery status and other ACPI information";
     longDescription = ''
       Linux ACPI client is a small command-line
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
       battery and thermal information.
     '';
     homepage = "https://sourceforge.net/projects/acpiclient/";
-    license = stdenv.lib.licenses.gpl2Plus;
+    license = lib.licenses.gpl2Plus;
     platforms = platforms.linux;
     maintainers = [ ];
   };
diff --git a/pkgs/os-specific/linux/acpid/default.nix b/pkgs/os-specific/linux/acpid/default.nix
index 5ef5e2724b2..d28ff447681 100644
--- a/pkgs/os-specific/linux/acpid/default.nix
+++ b/pkgs/os-specific/linux/acpid/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoreconfHook }:
+{ lib, stdenv, fetchurl, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   name = "acpid-2.0.32";
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
       --replace "strrchr strtol" "strrchr strtol malloc realloc"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://sourceforge.net/projects/acpid2/";
     description = "A daemon for delivering ACPI events to userspace programs";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/acpitool/default.nix b/pkgs/os-specific/linux/acpitool/default.nix
index 9f2ad5b5c03..4a3d1a36bd7 100644
--- a/pkgs/os-specific/linux/acpitool/default.nix
+++ b/pkgs/os-specific/linux/acpitool/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, fetchpatch}:
+{lib, stdenv, fetchurl, fetchpatch}:
 
 let
    acpitool-patch-051-4 = params: fetchpatch rec {
@@ -44,8 +44,8 @@ in stdenv.mkDerivation rec {
   meta = {
     description = "A small, convenient command-line ACPI client with a lot of features";
     homepage = "https://sourceforge.net/projects/acpitool/";
-    license = stdenv.lib.licenses.gpl2Plus;
-    maintainers = [ stdenv.lib.maintainers.guibert ];
-    platforms = stdenv.lib.platforms.unix;
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.guibert ];
+    platforms = lib.platforms.unix;
   };
 }
diff --git a/pkgs/os-specific/linux/afuse/default.nix b/pkgs/os-specific/linux/afuse/default.nix
index 758c57bb9e1..75c44e11172 100644
--- a/pkgs/os-specific/linux/afuse/default.nix
+++ b/pkgs/os-specific/linux/afuse/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, autoreconfHook, fuse }:
+{ lib, stdenv, fetchurl, pkg-config, autoreconfHook, fuse }:
 
 stdenv.mkDerivation {
   name = "afuse-0.4.1";
@@ -8,14 +8,21 @@ stdenv.mkDerivation {
     sha256 = "1sfhicmxppkvdd4z9klfn63snb71gr9hff6xij1gzk94xg6m0ycc";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ fuse ];
 
+  postPatch = lib.optionalString stdenv.isDarwin ''
+    # Fix the build on macOS with macFUSE installed
+    substituteInPlace configure.ac --replace \
+      'export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH' \
+      ""
+  '';
+
   meta = {
     description = "Automounter in userspace";
     homepage = "https://github.com/pcarrier/afuse";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = [ stdenv.lib.maintainers.marcweber ];
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    maintainers = [ lib.maintainers.marcweber ];
+    platforms = lib.platforms.unix;
   };
 }
diff --git a/pkgs/os-specific/linux/akvcam/default.nix b/pkgs/os-specific/linux/akvcam/default.nix
new file mode 100644
index 00000000000..815dc6a2ee3
--- /dev/null
+++ b/pkgs/os-specific/linux/akvcam/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, kernel, qmake }:
+
+stdenv.mkDerivation rec {
+  pname = "akvcam";
+  version = "1.2.0";
+
+  src = fetchFromGitHub {
+    owner = "webcamoid";
+    repo = "akvcam";
+    rev = version;
+    sha256 = "0r5xg7pz0wl6pq5029rpzm9fn978vq0md31xjkp2amny7rrgxw72";
+  };
+
+  nativeBuildInputs = [ qmake ];
+  dontWrapQtApps = true;
+
+  qmakeFlags = [
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -m644 -b -D src/akvcam.ko $out/lib/modules/${kernel.modDirVersion}/akvcam.ko
+  '';
+
+  meta = with lib; {
+    description = "Virtual camera driver for Linux";
+    homepage = "https://github.com/webcamoid/akvcam";
+    maintainers = with maintainers; [ freezeboy ];
+    platforms = platforms.linux;
+    license = licenses.gpl2;
+  };
+}
diff --git a/pkgs/os-specific/linux/alsa-plugins/wrapper.nix b/pkgs/os-specific/linux/alsa-plugins/wrapper.nix
deleted file mode 100644
index 8271088a501..00000000000
--- a/pkgs/os-specific/linux/alsa-plugins/wrapper.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ writeShellScriptBin, stdenv, alsaPlugins }:
-writeShellScriptBin "ap${if stdenv.hostPlatform.system == "i686-linux" then "32" else "64"}" ''
-  ALSA_PLUGIN_DIRS=${alsaPlugins}/lib/alsa-lib "$@"
-''
diff --git a/pkgs/os-specific/linux/alsa-firmware/cross.patch b/pkgs/os-specific/linux/alsa-project/alsa-firmware/cross.patch
index 989ccea2b98..989ccea2b98 100644
--- a/pkgs/os-specific/linux/alsa-firmware/cross.patch
+++ b/pkgs/os-specific/linux/alsa-project/alsa-firmware/cross.patch
diff --git a/pkgs/os-specific/linux/alsa-firmware/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix
index 01955534bfc..a627a7762a8 100644
--- a/pkgs/os-specific/linux/alsa-firmware/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, buildPackages, autoreconfHook, fetchurl, fetchpatch }:
+{ lib, stdenv, buildPackages, autoreconfHook, fetchurl, fetchpatch }:
 
 stdenv.mkDerivation rec {
   name = "alsa-firmware-1.2.1";
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "http://www.alsa-project.org/";
     description = "Soundcard firmwares from the alsa project";
-    license = stdenv.lib.licenses.gpl2Plus;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/alsa-lib/alsa-plugin-conf-multilib.patch b/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch
index b17df9a492e..b17df9a492e 100644
--- a/pkgs/os-specific/linux/alsa-lib/alsa-plugin-conf-multilib.patch
+++ b/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch
diff --git a/pkgs/os-specific/linux/alsa-lib/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix
index 3c5427340ba..a2350271482 100644
--- a/pkgs/os-specific/linux/alsa-lib/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix
@@ -1,11 +1,17 @@
-{ stdenv, fetchurl, alsa-ucm-conf, alsa-topology-conf }:
+{ lib
+, stdenv
+, fetchurl
+, alsa-topology-conf
+, alsa-ucm-conf
+}:
 
 stdenv.mkDerivation rec {
-  name = "alsa-lib-1.2.3";
+  pname = "alsa-lib";
+  version = "1.2.5.1";
 
   src = fetchurl {
-    url = "mirror://alsa/lib/${name}.tar.bz2";
-    sha256 = "13k7dx1g749z74rz71hs5j8z0pqdjgx7l69pn0vsy7jizhi0kw02";
+    url = "mirror://alsa/lib/${pname}-${version}.tar.bz2";
+    sha256 = "sha256-YoQh2VDOyvI03j+JnVIMCmkjMTyWStdR/6wIHfMxQ44=";
   };
 
   patches = [
@@ -26,7 +32,7 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "dev" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.alsa-project.org/";
     description = "ALSA, the Advanced Linux Sound Architecture libraries";
 
@@ -35,7 +41,7 @@ stdenv.mkDerivation rec {
       MIDI functionality to the Linux-based operating system.
     '';
 
-    license = licenses.gpl3Plus;
+    license = licenses.lgpl21Plus;
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/alsa-oss/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix
index 774dc3d8d67..f600b52c5f3 100644
--- a/pkgs/os-specific/linux/alsa-oss/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, alsaLib, gettext, ncurses, libsamplerate}:
+{lib, stdenv, fetchurl, alsa-lib, gettext, ncurses, libsamplerate}:
 
 stdenv.mkDerivation rec {
   pname = "alsa-oss";
@@ -9,14 +9,14 @@ stdenv.mkDerivation rec {
     sha256 = "13nn6n6wpr2sj1hyqx4r9nb9bwxnhnzw8r2f08p8v13yjbswxbb4";
   };
 
-  buildInputs = [ alsaLib ncurses libsamplerate ];
+  buildInputs = [ alsa-lib ncurses libsamplerate ];
   nativeBuildInputs = [ gettext ];
 
   configureFlags = [ "--disable-xmlto" ];
 
   installFlags = [ "ASOUND_STATE_DIR=$(TMPDIR)/dummy" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.alsa-project.org/";
     description = "ALSA, the Advanced Linux Sound Architecture alsa-oss emulation";
 
diff --git a/pkgs/os-specific/linux/alsa-plugins/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix
index a69d86c5c4d..747979b1037 100644
--- a/pkgs/os-specific/linux/alsa-plugins/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix
@@ -1,19 +1,19 @@
-{ stdenv, fetchurl, lib, pkgconfig, alsaLib, libogg, libpulseaudio ? null, libjack2 ? null }:
+{ stdenv, fetchurl, lib, pkg-config, alsa-lib, libogg, libpulseaudio ? null, libjack2 ? null }:
 
 stdenv.mkDerivation rec {
   pname = "alsa-plugins";
-  version = "1.2.2";
+  version = "1.2.5";
 
   src = fetchurl {
     url = "mirror://alsa/plugins/${pname}-${version}.tar.bz2";
-    sha256 = "0z9k3ssbfk2ky2w13avgyf202j1drsz9sv3834bp33cj1i2hc3qw";
+    sha256 = "086z2g2f95570vfvp9d5bakib4k18fb4bszf3lgx3j6j6f2gkvj2";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
 
   # ToDo: a52, etc.?
   buildInputs =
-    [ alsaLib libogg ]
+    [ alsa-lib libogg ]
     ++ lib.optional (libpulseaudio != null) libpulseaudio
     ++ lib.optional (libjack2 != null) libjack2;
 
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
     description = "Various plugins for ALSA";
     homepage = "http://alsa-project.org/";
     license = licenses.lgpl21;
-    maintainers = [maintainers.marcweber];
+    maintainers = [ maintainers.marcweber ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix b/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix
new file mode 100644
index 00000000000..992f4886e26
--- /dev/null
+++ b/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix
@@ -0,0 +1,10 @@
+{ stdenv
+, alsa-plugins
+, writeShellScriptBin
+}:
+let
+  arch = if stdenv.hostPlatform.system == "i686-linux" then "32" else "64";
+in
+writeShellScriptBin "ap${arch}" ''
+  ALSA_PLUGIN_DIRS=${alsa-plugins}/lib/alsa-lib "$@"
+''
diff --git a/pkgs/os-specific/linux/alsa-tools/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix
index 2fef5e07c63..8b9abb74036 100644
--- a/pkgs/os-specific/linux/alsa-tools/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix
@@ -1,18 +1,18 @@
-{ stdenv, fetchurl, alsaLib, pkgconfig, gtk2, gtk3, fltk13 }:
+{ lib, stdenv, fetchurl, alsa-lib, pkg-config, gtk2, gtk3, fltk13 }:
 # Comes from upstream as as bundle of several tools,
 # some use gtk2, some gtk3 (and some even fltk13).
 
 stdenv.mkDerivation rec {
   pname = "alsa-tools";
-  version = "1.2.2";
+  version = "1.2.5";
 
   src = fetchurl {
     url = "mirror://alsa/tools/${pname}-${version}.tar.bz2";
-    sha256 = "0jbkjmq038zapj66a7nkppdf644v2mwj581xbmh6k4i8w6mcglxz";
+    sha256 = "sha256-NacQJ6AfTX3kci4iNSDpQN5os8VwtsZxaRVnrij5iT4=";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ alsaLib gtk2 gtk3 fltk13 ];
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ alsa-lib gtk2 gtk3 fltk13 ];
 
   patchPhase = ''
     export tools="as10k1 hda-verb hdspmixer echomixer hdajackretask hdspconf hwmixvolume mixartloader rmedigicontrol sscape_ctl vxloader envy24control hdajacksensetest hdsploader ld10k1 pcxhrloader sb16_csp us428control"
@@ -38,7 +38,7 @@ stdenv.mkDerivation rec {
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.alsa-project.org/";
     description = "ALSA, the Advanced Linux Sound Architecture tools";
 
diff --git a/pkgs/os-specific/linux/alsa-topology-conf/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix
index 54340d017ad..97960f833e1 100644
--- a/pkgs/os-specific/linux/alsa-topology-conf/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix
@@ -1,12 +1,12 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "alsa-topology-conf-${version}";
-  version = "1.2.3";
+  version = "1.2.5";
 
   src = fetchurl {
     url = "mirror://alsa/lib/${name}.tar.bz2";
-    sha256 = "1zwxc9zhfcmyffjjbibzpdvf4kx7wv9g2zl6xz7y0d6srfr9jgw3";
+    sha256 = "sha256-i/qDBspj4dDL6AvphGYCc7kb1bfdCACmxapx3YyNd1w=";
   };
 
   dontBuild = true;
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.alsa-project.org/";
     description = "ALSA topology configuration files";
 
diff --git a/pkgs/os-specific/linux/alsa-ucm-conf/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix
index 2a9f28c855a..0666f3f4793 100644
--- a/pkgs/os-specific/linux/alsa-ucm-conf/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix
@@ -1,12 +1,12 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "alsa-ucm-conf-${version}";
-  version = "1.2.3";
+  version = "1.2.5.1";
 
   src = fetchurl {
     url = "mirror://alsa/lib/${name}.tar.bz2";
-    sha256 = "000db5yla7dljidjbbwbiaxvc1a7wh1zpw694gipaymj9fh4vhhv";
+    sha256 = "sha256-WEGkRBZty/R523UTA9vDVW9oUIWsfgDwyed1VnYZXZc=";
   };
 
   dontBuild = true;
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.alsa-project.org/";
     description = "ALSA Use Case Manager configuration";
 
diff --git a/pkgs/os-specific/linux/alsa-utils/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix
index 470536db4b7..782e6ffce8c 100644
--- a/pkgs/os-specific/linux/alsa-utils/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix
@@ -1,27 +1,27 @@
-{stdenv, fetchurl, alsaLib, gettext, ncurses, libsamplerate, pciutils, fftw}:
+{lib, stdenv, fetchurl, alsa-lib, gettext, makeWrapper, ncurses, libsamplerate, pciutils, which, fftw}:
 
 stdenv.mkDerivation rec {
   pname = "alsa-utils";
-  version = "1.2.3";
+  version = "1.2.5.1";
 
   src = fetchurl {
     url = "mirror://alsa/utils/${pname}-${version}.tar.bz2";
-    sha256 = "1ai1z4kf91b1m3qrpwqkc1af5vm2fkdkknqv95xdwf19q94aw6gz";
+    sha256 = "sha256-nBaa43pJKV+bl7kqzncoA9r2tlEKGVdOC3j4flYhGNA=";
   };
 
-  patchPhase = ''
-    substituteInPlace alsa-info/alsa-info.sh \
-      --replace "which" "type -p" \
-      --replace "lspci" "${pciutils}/bin/lspci"
-  '';
-  nativeBuildInputs = [ gettext ];
-  buildInputs = [ alsaLib ncurses libsamplerate fftw ];
+  nativeBuildInputs = [ gettext makeWrapper ];
+  buildInputs = [ alsa-lib ncurses libsamplerate fftw ];
 
   configureFlags = [ "--disable-xmlto" "--with-udev-rules-dir=$(out)/lib/udev/rules.d" ];
 
   installFlags = [ "ASOUND_STATE_DIR=$(TMPDIR)/dummy" ];
 
-  meta = with stdenv.lib; {
+  postFixup = ''
+    mv $out/bin/alsa-info.sh $out/bin/alsa-info
+    wrapProgram $out/bin/alsa-info --prefix PATH : "${lib.makeBinPath [ which pciutils ]}"
+  '';
+
+  meta = with lib; {
     homepage = "http://www.alsa-project.org/";
     description = "ALSA, the Advanced Linux Sound Architecture utils";
     longDescription = ''
diff --git a/pkgs/os-specific/linux/amdgpu-pro/default.nix b/pkgs/os-specific/linux/amdgpu-pro/default.nix
index 32763fcded5..13dd8302b18 100644
--- a/pkgs/os-specific/linux/amdgpu-pro/default.nix
+++ b/pkgs/os-specific/linux/amdgpu-pro/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, elfutils
+{ lib, stdenv, fetchurl, elfutils
 , xorg, patchelf, openssl, libdrm, udev
 , libxcb, libxshmfence, epoxy, perl, zlib
 , ncurses
@@ -7,7 +7,7 @@
 
 assert (!libsOnly) -> kernel != null;
 
-with stdenv.lib;
+with lib;
 
 let
 
@@ -171,7 +171,7 @@ in stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "AMDGPU-PRO drivers";
     homepage =  "http://support.amd.com/en-us/kb-articles/Pages/AMDGPU-PRO-Beta-Driver-for-Vulkan-Release-Notes.aspx";
     license = licenses.unfree;
diff --git a/pkgs/os-specific/linux/anbox/default.nix b/pkgs/os-specific/linux/anbox/default.nix
index 5f8ca7ac46f..d684e24db91 100644
--- a/pkgs/os-specific/linux/anbox/default.nix
+++ b/pkgs/os-specific/linux/anbox/default.nix
@@ -1,24 +1,28 @@
-{ stdenv, fetchFromGitHub, fetchurl
-, cmake, pkgconfig, dbus, makeWrapper
-, gtest
+{ lib, stdenv, fetchFromGitHub, fetchurl
+, cmake, pkg-config, dbus, makeWrapper
 , boost
+, elfutils # for libdw
+, git
+, glib
+, glm
+, gtest
+, libbfd
 , libcap
-, systemd
-, mesa
+, libdwarf
 , libGL
 , libglvnd
-, glib
-, git
-, SDL2
-, SDL2_image
+, lxc
+, mesa
 , properties-cpp
 , protobuf
 , protobufc
-, python
-, lxc
+, python3
+, runtimeShell
+, SDL2
+, SDL2_image
+, systemd
 , writeText
 , writeScript
-, runtimeShell
 }:
 
 let
@@ -45,27 +49,42 @@ in
 
 stdenv.mkDerivation rec {
   pname = "anbox";
-  version = "unstable-2019-11-15";
+  version = "unstable-2020-11-29";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    rev = "0a49ae08f76de7f886a3dbed4422711c2fa39d10";
-    sha256 = "09l56nv9cnyhykclfmvam6bkcxlamwbql6nrz9n022553w92hkjf";
+    rev = "6c10125a7f13908d2cbe56d2d9ab09872755f265";
+    sha256 = "00bqssh4zcs0jj6w07b91719xkrpdw75vpcplwrvlhwsvl55f901";
+    fetchSubmodules = true;
   };
 
   nativeBuildInputs = [
+    cmake
+    pkg-config
     makeWrapper
   ];
 
   buildInputs = [
-    cmake pkgconfig dbus boost libcap gtest systemd mesa glib
-    SDL2 SDL2_image protobuf protobufc properties-cpp lxc python
+    boost
+    dbus
+    elfutils # libdw
+    glib
+    glm
+    gtest
+    libbfd
+    libcap
+    libdwarf
     libGL
+    lxc
+    mesa
+    properties-cpp
+    protobuf protobufc
+    python3
+    SDL2 SDL2_image
+    systemd
   ];
 
-  NIX_CFLAGS_COMPILE = "-Wno-error=missing-field-initializers";
-
   patchPhase = ''
     patchShebangs scripts
 
@@ -96,7 +115,7 @@ stdenv.mkDerivation rec {
 
   postInstall = ''
     wrapProgram $out/bin/anbox \
-      --prefix LD_LIBRARY_PATH : ${stdenv.lib.makeLibraryPath [libGL libglvnd]} \
+      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [libGL libglvnd]} \
       --prefix PATH : ${git}/bin
 
     mkdir -p $out/share/dbus-1/services
@@ -129,7 +148,7 @@ stdenv.mkDerivation rec {
       };
     }.${stdenv.system} or null;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://anbox.io";
     description = "Android in a box";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/anbox/kmod.nix b/pkgs/os-specific/linux/anbox/kmod.nix
index 6eb74ca25f6..9ce65cd8726 100644
--- a/pkgs/os-specific/linux/anbox/kmod.nix
+++ b/pkgs/os-specific/linux/anbox/kmod.nix
@@ -1,14 +1,14 @@
-{ stdenv, kernel, fetchFromGitHub }:
+{ lib, stdenv, kernel, fetchFromGitHub }:
 
 stdenv.mkDerivation {
   pname = "anbox-modules";
-  version = "2019-11-15-" + kernel.version;
+  version = "2020-06-14-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "anbox";
     repo = "anbox-modules";
-    rev = "e0a237e571989987806b32881044c539db25e3e1";
-    sha256 = "1km1nslp4f5znwskh4bb1b61r1inw1dlbwiyyq3rrh0f0agf8d0v";
+    rev = "98f0f3b3b1eeb5a6954ca15ec43e150b76369086";
+    sha256 = "sha256-6xDJQ4YItdbYqle/9VNfOc7D80yFGd9cFyF+CuABaF0=";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
@@ -31,13 +31,12 @@ stdenv.mkDerivation {
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Anbox ashmem and binder drivers.";
     homepage = "https://github.com/anbox/anbox-modules";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
-    broken = (versionOlder kernel.version "4.4") || (kernel.features.grsecurity);
+    broken = kernel.kernelOlder "4.4" || kernel.kernelAtLeast "5.5";
     maintainers = with maintainers; [ edwtjo ];
   };
-
 }
diff --git a/pkgs/os-specific/linux/android-udev-rules/default.nix b/pkgs/os-specific/linux/android-udev-rules/default.nix
index 1cfa6b5856f..fbe02d69f1a 100644
--- a/pkgs/os-specific/linux/android-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/android-udev-rules/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 ## Usage
 # In NixOS, simply add this package to services.udev.packages:
@@ -6,24 +6,26 @@
 
 stdenv.mkDerivation rec {
   pname = "android-udev-rules";
-  version = "20200410";
+  version = "20210501";
 
   src = fetchFromGitHub {
     owner = "M0Rf30";
     repo = "android-udev-rules";
     rev = version;
-    sha256 = "1ik9a0k9gkaw5a80m25pxx5yfiwq34ffb7iqhwicz4lwz5wsw8d3";
+    sha256 = "sha256-rlTulWclPqMl9LdHdcAtLARXGItiSeF3RX+neZrjgV4=";
   };
 
   installPhase = ''
+    runHook preInstall
     install -D 51-android.rules $out/lib/udev/rules.d/51-android.rules
+    runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/M0Rf30/android-udev-rules";
     description = "Android udev rules list aimed to be the most comprehensive on the net";
     platforms = platforms.linux;
-    license = licenses.gpl3;
+    license = licenses.gpl3Plus;
     maintainers = with maintainers; [ abbradar ];
   };
 }
diff --git a/pkgs/os-specific/linux/apfs/default.nix b/pkgs/os-specific/linux/apfs/default.nix
new file mode 100644
index 00000000000..e27272a6147
--- /dev/null
+++ b/pkgs/os-specific/linux/apfs/default.nix
@@ -0,0 +1,35 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+}:
+
+stdenv.mkDerivation {
+  pname = "apfs";
+  version = "unstable-2021-06-25-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "linux-apfs";
+    repo = "linux-apfs-rw";
+    rev = "2ce6d06dc73036d113da5166c59393233bf54229";
+    sha256 = "sha256-18HFtPr0qcTIZ8njwEtveiPYO+HGlj90bdUoL47UUY0=";
+  };
+
+  hardeningDisable = [ "pic" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  meta = with lib; {
+    description = "APFS module for linux";
+    homepage = "https://github.com/linux-apfs/linux-apfs-rw";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.19";
+    maintainers = with maintainers; [ Luflosi ];
+  };
+}
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix
index 807ab4fa44b..1b1fb415451 100644
--- a/pkgs/os-specific/linux/apparmor/default.nix
+++ b/pkgs/os-specific/linux/apparmor/default.nix
@@ -1,45 +1,47 @@
 { stdenv, lib, fetchurl, fetchpatch, makeWrapper, autoreconfHook
-, pkgconfig, which
+, pkg-config, which
 , flex, bison
 , linuxHeaders ? stdenv.cc.libc.linuxHeaders
 , gawk
-, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) perl.meta.platforms, perl
-, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) python.meta.platforms, python
+, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform perl, perl
+, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform python, python
 , swig
 , ncurses
 , pam
 , libnotify
 , buildPackages
+, coreutils
+, gnugrep
+, gnused
+, kmod
+, writeShellScript
+, closureInfo
+, runCommand
 }:
 
 let
-  apparmor-series = "2.13";
-  apparmor-patchver = "4";
-  apparmor-version = apparmor-series + "." + apparmor-patchver;
+  apparmor-version = "3.0.1";
 
-  apparmor-meta = component: with stdenv.lib; {
+  apparmor-meta = component: with lib; {
     homepage = "https://apparmor.net/";
     description = "A mandatory access control system - ${component}";
     license = licenses.gpl2;
-    maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
+    maintainers = with maintainers; [ joachifm julm phreedom thoughtpolice ];
     platforms = platforms.linux;
   };
 
   apparmor-sources = fetchurl {
-    url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
-    sha256 = "03nislxccnbxld89giak2s8xa4mdbwscfxbdwhmw5qpvgz08dgwh";
+    url = "https://launchpad.net/apparmor/${lib.versions.majorMinor apparmor-version}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
+    sha256 = "096zbg3v7b51x7f1ly61mzd3iy9alad6sd4lam98j2d6v5ragbcg";
   };
 
-  # See <https://gitlab.com/apparmor/apparmor/-/issues/74> This and the
-  # accompanying application in prePatchCommon should be removed in 2.13.5
-  gnumake43Patch = fetchpatch {
-    url = "https://gitlab.com/apparmor/apparmor/-/merge_requests/465.patch";
-    name = "2-23-fix-build-with-make-4.3.patch";
-    sha256 = "0xw028iqp69j9mxv0kbwraplgkj5i5djdlgf0anpkc5cdbsf96r9";
-  };
+  aa-teardown = writeShellScript "aa-teardown" ''
+    PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"
+    . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
+    remove_profiles
+  '';
 
   prePatchCommon = ''
-    patch -p1 < ${gnumake43Patch}
     chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
     patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh
     substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${buildPackages.perl}/bin/pod2man"
@@ -48,18 +50,12 @@ let
     substituteInPlace ./common/Make.rules --replace "/usr/share/man" "share/man"
   '';
 
-  patches = stdenv.lib.optionals stdenv.hostPlatform.isMusl [
+  patches = lib.optionals stdenv.hostPlatform.isMusl [
     (fetchpatch {
       url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
       name = "0003-Added-missing-typedef-definitions-on-parser.patch";
       sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0";
     })
-    (fetchpatch {
-      url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0007-Do-not-build-install-vim-file-with-utils-package.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
-      name = "0007-Do-not-build-install-vim-file-with-utils-package.patch";
-      sha256 = "1m4dx901biqgnr4w4wz8a2z9r9dxyw7wv6m6mqglqwf2lxinqmp4";
-    })
-    # (alpine patches {1,4,5,6,8} are needed for apparmor 2.11, but not 2.12)
     ];
 
   # Set to `true` after the next FIXME gets fixed or this gets some
@@ -76,7 +72,7 @@ let
       autoreconfHook
       bison
       flex
-      pkgconfig
+      pkg-config
       swig
       ncurses
       which
@@ -84,8 +80,8 @@ let
     ];
 
     buildInputs = []
-      ++ stdenv.lib.optional withPerl perl
-      ++ stdenv.lib.optional withPython python;
+      ++ lib.optional withPerl perl
+      ++ lib.optional withPython python;
 
     # required to build apparmor-parser
     dontDisableStatic = true;
@@ -93,21 +89,21 @@ let
     prePatch = prePatchCommon + ''
       substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.am --replace install_vendor install_site
       substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.in --replace install_vendor install_site
-      substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${stdenv.lib.getDev stdenv.cc.libc}/include/netinet/in.h"
-      substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${stdenv.lib.getDev stdenv.cc.libc}/include/netinet/in.h"
+      substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${lib.getDev stdenv.cc.libc}/include/netinet/in.h"
+      substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${lib.getDev stdenv.cc.libc}/include/netinet/in.h"
     '';
     inherit patches;
 
     postPatch = "cd ./libraries/libapparmor";
     # https://gitlab.com/apparmor/apparmor/issues/1
     configureFlags = [
-      (stdenv.lib.withFeature withPerl "perl")
-      (stdenv.lib.withFeature withPython "python")
+      (lib.withFeature withPerl "perl")
+      (lib.withFeature withPython "python")
     ];
 
-    outputs = [ "out" ] ++ stdenv.lib.optional withPython "python";
+    outputs = [ "out" ] ++ lib.optional withPython "python";
 
-    postInstall = stdenv.lib.optionalString withPython ''
+    postInstall = lib.optionalString withPython ''
       mkdir -p $python/lib
       mv $out/lib/python* $python/lib/
     '';
@@ -130,21 +126,36 @@ let
       libapparmor.python
     ];
 
-    prePatch = prePatchCommon;
+    prePatch = prePatchCommon +
+      # Do not build vim file
+      lib.optionalString stdenv.hostPlatform.isMusl ''
+        sed -i ./utils/Makefile -e "/\<vim\>/d"
+      '' + ''
+      substituteInPlace ./utils/apparmor/easyprof.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+      substituteInPlace ./utils/apparmor/aa.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+      substituteInPlace ./utils/logprof.conf --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+    '';
     inherit patches;
     postPatch = "cd ./utils";
     makeFlags = [ "LANGS=" ];
     installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
 
     postInstall = ''
-      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do
+      sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"
+      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do
         wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH"
       done
 
-      substituteInPlace $out/bin/aa-notify --replace /usr/bin/notify-send ${libnotify}/bin/notify-send
-      # aa-notify checks its name and does not work named ".aa-notify-wrapped"
-      mv $out/bin/aa-notify $out/bin/aa-notify-wrapped
-      makeWrapper ${perl}/bin/perl $out/bin/aa-notify --set PERL5LIB ${libapparmor}/${perl.libPrefix} --add-flags $out/bin/aa-notify-wrapped
+      substituteInPlace $out/bin/aa-notify \
+        --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \
+        --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"
+
+      substituteInPlace $out/bin/aa-remove-unknown \
+       --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
+      wrapProgram $out/bin/aa-remove-unknown \
+       --prefix PATH : ${lib.makeBinPath [gawk]}
+
+      ln -s ${aa-teardown} $out/bin/aa-teardown
     '';
 
     inherit doCheck;
@@ -159,7 +170,7 @@ let
     src = apparmor-sources;
 
     nativeBuildInputs = [
-      pkgconfig
+      pkg-config
       libapparmor
       gawk
       which
@@ -172,7 +183,7 @@ let
     prePatch = prePatchCommon;
     postPatch = "cd ./binutils";
     makeFlags = [ "LANGS=" "USE_SYSTEM=1" ];
-    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" ];
+    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "SBINDIR=$(out)/bin" ];
 
     inherit doCheck;
 
@@ -193,6 +204,9 @@ let
       substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
       ## techdoc.pdf still doesn't build ...
       substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+      substituteInPlace parser/rc.apparmor.functions \
+       --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"
+      sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
     '';
     inherit patches;
     postPatch = "cd ./parser";
@@ -211,7 +225,7 @@ let
     name = "apparmor-pam-${apparmor-version}";
     src = apparmor-sources;
 
-    nativeBuildInputs = [ pkgconfig which ];
+    nativeBuildInputs = [ pkg-config which ];
 
     buildInputs = [ libapparmor pam ];
 
@@ -242,7 +256,7 @@ let
     name = "apparmor-kernel-patches-${apparmor-version}";
     src = apparmor-sources;
 
-    phases = ''unpackPhase installPhase'';
+    phases = "unpackPhase installPhase";
 
     installPhase = ''
       mkdir "$out"
@@ -254,8 +268,35 @@ let
     meta = apparmor-meta "kernel patches";
   };
 
+  # Generate generic AppArmor rules in a file,
+  # from the closure of given rootPaths.
+  # To be included in an AppArmor profile like so:
+  # include "$(apparmorRulesFromClosure {} [pkgs.hello]}"
+  apparmorRulesFromClosure =
+    { # The store path of the derivation is given in $path
+      additionalRules ? []
+      # TODO: factorize here some other common paths
+      # that may emerge from use cases.
+    , baseRules ? [
+        "r $path"
+        "r $path/etc/**"
+        "r $path/share/**"
+        # Note that not all libraries are prefixed with "lib",
+        # eg. glibc-2.30/lib/ld-2.30.so
+        "mr $path/lib/**.so*"
+        # eg. glibc-2.30/lib/gconv/gconv-modules
+        "r $path/lib/**"
+      ]
+    , name ? ""
+    }: rootPaths: runCommand
+      ( "apparmor-closure-rules"
+      + lib.optionalString (name != "") "-${name}" ) {} ''
+    touch $out
+    while read -r path
+    do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}
+    done <${closureInfo {inherit rootPaths;}}/store-paths
+  '';
 in
-
 {
   inherit
     libapparmor
@@ -264,5 +305,6 @@ in
     apparmor-parser
     apparmor-pam
     apparmor-profiles
-    apparmor-kernel-patches;
+    apparmor-kernel-patches
+    apparmorRulesFromClosure;
 }
diff --git a/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
new file mode 100644
index 00000000000..ebc1baaa92d
--- /dev/null
+++ b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
@@ -0,0 +1,32 @@
+aa_action() {
+  STRING=$1
+  shift
+  $*
+  rc=$?
+  if [ $rc -eq 0 ] ; then
+    aa_log_success_msg $"$STRING "
+  else
+    aa_log_failure_msg $"$STRING "
+  fi
+  return $rc
+}
+
+aa_log_success_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": done."
+}
+
+aa_log_warning_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Warning."
+}
+
+aa_log_failure_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Failed."
+}
+
+aa_log_skipped_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Skipped."
+}
diff --git a/pkgs/os-specific/linux/aseq2json/default.nix b/pkgs/os-specific/linux/aseq2json/default.nix
new file mode 100644
index 00000000000..646e9f7b7b9
--- /dev/null
+++ b/pkgs/os-specific/linux/aseq2json/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchFromGitHub, pkg-config, alsa-lib, glib, json-glib }:
+
+stdenv.mkDerivation {
+  pname = "aseq2json";
+  version = "unstable-2018-04-28";
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "midi-dump-tools";
+    rev = "8572e6313a0d7ec95492dcab04a46c5dd30ef33a";
+    sha256 = "LQ9LLVumi3GN6c9tuMSOd1Bs2pgrwrLLQbs5XF+NZeA=";
+  };
+  sourceRoot = "source/aseq2json";
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ alsa-lib glib json-glib ];
+
+  installPhase = ''
+    install -D --target-directory "$out/bin" aseq2json
+  '';
+
+  meta = with lib; {
+    description = "Listens for MIDI events on the Alsa sequencer and outputs as JSON to stdout";
+    homepage = "https://github.com/google/midi-dump-tools";
+    license = licenses.asl20;
+    maintainers = [ maintainers.queezle ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/asus-wmi-sensors/default.nix b/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
index 8eb8a7484e1..3098cbb7253 100644
--- a/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
+++ b/pkgs/os-specific/linux/asus-wmi-sensors/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
   name = "asus-wmi-sensors-${version}-${kernel.version}";
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
     "MODDESTDIR=${placeholder "out"}/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux HWMON (lmsensors) sensors driver for various ASUS Ryzen and Threadripper motherboards";
     homepage = "https://github.com/electrified/asus-wmi-sensors";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/ati-drivers/builder.sh b/pkgs/os-specific/linux/ati-drivers/builder.sh
deleted file mode 100644
index a9e5aaef397..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/builder.sh
+++ /dev/null
@@ -1,302 +0,0 @@
-# TODO gentoo removes some tools because there are xorg sources (?)
-
-source $stdenv/setup
-set -x
-
-die(){ echo $@; exit 1; }
-
-unzip $src
-run_file=fglrx-$build/amd-driver-installer-$build-x86.x86_64.run
-sh $run_file --extract .
-
-for patch in $patches;do
-    patch -p1 < $patch
-done
-
-case "$system" in
-  x86_64-linux)
-    arch=x86_64
-    lib_arch=lib64
-    DIR_DEPENDING_ON_XORG_VERSION=xpic_64a
-  ;;
-  i686-linux)
-    arch=x86
-    lib_arch=lib
-    DIR_DEPENDING_ON_XORG_VERSION=xpic
-  ;;
-  *) exit 1;;
-esac
-
-# Handle/Build the kernel module.
-
-if test -z "$libsOnly"; then
-
-  kernelVersion=$(cd ${kernelDir}/lib/modules && ls)
-  kernelBuild=$(echo ${kernelDir}/lib/modules/$kernelVersion/build)
-  linuxsources=$(echo ${kernelDir}/lib/modules/$kernelVersion/source)
-
-  # note: maybe the .config file should be used to determine this ?
-  # current kbuild infrastructure allows using CONFIG_* defines
-  # but ati sources don't use them yet..
-  # copy paste from make.sh
-
-  setSMP(){
-
-    linuxincludes=$kernelBuild/include
-
-    # copied and stripped. source: make.sh:
-    # 3
-    # linux/autoconf.h may contain this: #define CONFIG_SMP 1
-
-    # Before 2.6.33 autoconf.h is under linux/.
-    # For 2.6.33 and later autoconf.h is under generated/.
-    if [ -f $linuxincludes/generated/autoconf.h ]; then
-        autoconf_h=$linuxincludes/generated/autoconf.h
-    else
-        autoconf_h=$linuxincludes/linux/autoconf.h
-    fi
-    src_file=$autoconf_h
-
-    [ -e $src_file ] || die "$src_file not found"
-
-    if [ `cat $src_file | grep "#undef" | grep "CONFIG_SMP" -c` = 0 ]; then
-      SMP=`cat $src_file | grep CONFIG_SMP | cut -d' ' -f3`
-      echo "file $src_file says: SMP=$SMP"
-    fi
-
-    if [ "$SMP" = 0 ]; then
-      echo "assuming default: SMP=$SMP"
-    fi
-    # act on final result
-    if [ ! "$SMP" = 0 ]; then
-      smp="-SMP"
-      def_smp=-D__SMP__
-    fi
-
-  }
-
-  setModVersions(){
-    ! grep CONFIG_MODVERSIONS=y $kernelBuild/.config ||
-    def_modversions="-DMODVERSIONS"
-    # make.sh contains much more code to determine this whether its enabled
-  }
-
-  # ==============================================================
-  # resolve if we are building for a kernel with a fix for CVE-2010-3081
-  # On kernels with the fix, use arch_compat_alloc_user_space instead
-  # of compat_alloc_user_space since the latter is GPL-only
-
-  COMPAT_ALLOC_USER_SPACE=arch_compat_alloc_user_space
-
-  for src_file in \
-    $kernelBuild/arch/x86/include/asm/compat.h \
-    $linuxsources/arch/x86/include/asm/compat.h \
-    $kernelBuild/include/asm-x86_64/compat.h \
-    $linuxsources/include/asm-x86_64/compat.h \
-    $kernelBuild/include/asm/compat.h;
-  do
-    if [ -e $src_file ];
-    then
-      break
-    fi
-  done
-  if [ ! -e $src_file ];
-    then
-    echo "Warning: x86 compat.h not found in kernel headers"
-    echo "neither arch/x86/include/asm/compat.h nor include/asm-x86_64/compat.h"
-    echo "could be found in $kernelBuild or $linuxsources"
-    echo ""
-  else
-    if [ `cat $src_file | grep -c arch_compat_alloc_user_space` -gt 0 ]
-    then
-      COMPAT_ALLOC_USER_SPACE=arch_compat_alloc_user_space
-    fi
-    echo "file $src_file says: COMPAT_ALLOC_USER_SPACE=$COMPAT_ALLOC_USER_SPACE"
-  fi
-
-  # make.sh contains some code figuring out whether to use these or not..
-  PAGE_ATTR_FIX=0
-  setSMP
-  setModVersions
-  CC=gcc
-  MODULE=fglrx
-  LIBIP_PREFIX=$TMP/arch/$arch/lib/modules/fglrx/build_mod
-  [ -d $LIBIP_PREFIX ]
-  GCC_MAJOR="`gcc --version | grep -o -e ") ." | head -1 | cut -d " " -f 2`"
-
-  { # build .ko module
-    cd ./common/lib/modules/fglrx/build_mod/2.6.x
-    echo .lib${MODULE}_ip.a.GCC${GCC_MAJOR}.cmd
-    echo 'This is a dummy file created to suppress this warning: could not find /lib/modules/fglrx/build_mod/2.6.x/.libfglrx_ip.a.GCC4.cmd for /lib/modules/fglrx/build_mod/2.6.x/libfglrx_ip.a.GCC4' > lib${MODULE}_ip.a.GCC${GCC_MAJOR}.cmd
-
-    sed -i -e "s@COMPAT_ALLOC_USER_SPACE@$COMPAT_ALLOC_USER_SPACE@" ../kcl_ioctl.c
-
-    make CC=${CC} \
-      LIBIP_PREFIX=$(echo "$LIBIP_PREFIX" | sed -e 's|^\([^/]\)|../\1|') \
-      MODFLAGS="-DMODULE -DATI -DFGL -DPAGE_ATTR_FIX=$PAGE_ATTR_FIX -DCOMPAT_ALLOC_USER_SPACE=$COMPAT_ALLOC_USER_SPACE $def_smp $def_modversions" \
-      KVER=$kernelVersion \
-      KDIR=$kernelBuild \
-      PAGE_ATTR_FIX=$PAGE_ATTR_FIX \
-      -j4
-
-    cd $TMP
-  }
-
-fi
-
-{ # install
-  mkdir -p $out/lib/xorg
-  cp -r common/usr/include $out
-  cp -r common/usr/sbin $out
-  cp -r common/usr/share $out
-  mkdir $out/bin/
-  cp -f common/usr/X11R6/bin/* $out/bin/
-  # cp -r arch/$arch/lib $out/lib
-  # what are those files used for?
-  cp -r common/etc $out
-  cp -r $DIR_DEPENDING_ON_XORG_VERSION/usr/X11R6/$lib_arch/* $out/lib/xorg
-
-  # install kernel module
-  if test -z "$libsOnly"; then
-    t=$out/lib/modules/${kernelVersion}/kernel/drivers/misc
-    mkdir -p $t
-
-    cp ./common/lib/modules/fglrx/build_mod/2.6.x/fglrx.ko $t
-  fi
-
-  # should this be installed at all?
-  # its used by the example fglrx_gamma only
-  # don't use $out/lib/modules/dri because this will cause the kernel module
-  # aggregator code to see both: kernel version and the dri direcotry. It'll
-  # fail saying different kernel versions
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/modules/dri $out/lib
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/modules/dri/* $out/lib
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/*.so* $out/lib
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/fglrx/fglrx-libGL.so.1.2 $out/lib/fglrx-libGL.so.1.2
-  cp -r $TMP/arch/$arch/usr/$lib_arch/* $out/lib
-  ln -s libatiuki.so.1.0 $out/lib/libatiuki.so.1
-  ln -s fglrx-libGL.so.1.2 $out/lib/libGL.so.1
-  ln -s fglrx-libGL.so.1.2 $out/lib/libGL.so
-  # FIXME : This file is missing or has changed versions
-  #ln -s libfglrx_gamma.so.1.0 $out/lib/libfglrx_gamma.so.1
-  # make xorg use the ati version
-  ln -s $out/lib/xorg/modules/extensions/{fglrx/fglrx-libglx.so,libglx.so}
-  # Correct some paths that are hardcoded into binary libs.
-  if [ "$arch" ==  "x86_64" ]; then
-    for lib in \
-      xorg/modules/extensions/fglrx/fglrx-libglx.so \
-      xorg/modules/glesx.so \
-      dri/fglrx_dri.so \
-      fglrx_dri.so \
-      fglrx-libGL.so.1.2
-    do
-      oldPaths="/usr/X11R6/lib/modules/dri"
-      newPaths="/run/opengl-driver/lib/dri"
-      sed -i -e "s|$oldPaths|$newPaths|" $out/lib/$lib
-    done
-  else
-    oldPaths="/usr/X11R6/lib32/modules/dri\x00/usr/lib32/dri"
-    newPaths="/run/opengl-driver-32/lib/dri\x00/dev/null/dri"
-    sed -i -e "s|$oldPaths|$newPaths|" \
-      $out/lib/xorg/modules/extensions/fglrx/fglrx-libglx.so
-
-    for lib in \
-      dri/fglrx_dri.so \
-      fglrx_dri.so \
-      xorg/modules/glesx.so
-    do
-      oldPaths="/usr/X11R6/lib32/modules/dri/"
-      newPaths="/run/opengl-driver-32/lib/dri"
-      sed -i -e "s|$oldPaths|$newPaths|" $out/lib/$lib
-    done
-
-    oldPaths="/usr/X11R6/lib32/modules/dri\x00"
-    newPaths="/run/opengl-driver-32/lib/dri"
-    sed -i -e "s|$oldPaths|$newPaths|" $out/lib/fglrx-libGL.so.1.2
-  fi
-  # libstdc++ and gcc are needed by some libs
-  for pelib1 in \
-    fglrx_dri.so \
-    dri/fglrx_dri.so
-  do
-    patchelf --remove-needed libX11.so.6 $out/lib/$pelib1
-  done
-
-  for pelib2 in \
-    libatiadlxx.so \
-    xorg/modules/glesx.so \
-    dri/fglrx_dri.so \
-    fglrx_dri.so \
-    libaticaldd.so
-  do
-    patchelf --set-rpath $glibcDir/lib/:$libStdCxx/lib/ $out/lib/$pelib2
-  done
-}
-
-if test -z "$libsOnly"; then
-
-{ # build samples
-  mkdir -p $out/bin
-  mkdir -p samples
-  cd samples
-  tar xfz ../common/usr/src/ati/fglrx_sample_source.tgz
-  eval "$patchPhaseSamples"
-
-
-  ( # build and install fgl_glxgears
-    cd fgl_glxgears;
-    gcc -DGL_ARB_texture_multisample=1 -g \
-    -I$libGL/include -I$libGLU/include \
-    -I$out/include \
-    -L$libGL/lib -L$libGLU/lib -lGL -lGLU -lX11 -lm \
-    -o $out/bin/fgl_glxgears -Wall fgl_glxgears.c
-  )
-
-  true || ( # build and install
-
-    ###
-    ## FIXME ?
-    # doesn't build  undefined reference to `FGLRX_X11SetGamma'
-    # which should be contained in -lfglrx_gamma
-    # This should create $out/lib/libfglrx_gamma.so.1.0 ? because there is
-    # a symlink named libfglrx_gamma.so.1 linking to libfglrx_gamma.so.1.0 in $out/lib/
-
-    cd programs/fglrx_gamma
-    gcc -fPIC -I${libXxf86vm.dev}/include \
-      -I${xorgproto}/include \
-      -I$out/X11R6/include \
-      -L$out/lib \
-      -Wall -lm -lfglrx_gamma -lX11 -lXext -o $out/bin/fglrx_xgamma fglrx_xgamma.c
-  )
-
-  {
-    # patch and copy statically linked qt libs used by amdcccle
-    patchelf --set-interpreter $(echo $glibcDir/lib/ld-linux*.so.2) $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 &&
-    patchelf  --set-rpath $gcc/$lib_arch/ $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 &&
-    patchelf --set-rpath $gcc/$lib_arch/:$out/share/ati/:$libXrender/lib/:$libSM/lib/:$libICE/lib/:$libfontconfig/lib/:$libfreetype/lib/ $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtGui.so.4 &&
-    mkdir -p $out/share/ati
-    cp -r $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 $out/share/ati/
-    cp -r $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtGui.so.4 $out/share/ati/
-    # copy binaries and wrap them:
-    BIN=$TMP/arch/$arch/usr/X11R6/bin
-    patchelf --set-rpath $gcc/$lib_arch/:$out/share/ati/:$libXinerama/lib/:$libXrandr/lib/ $TMP/arch/$arch/usr/X11R6/bin/amdcccle
-    patchelf --set-rpath $libXrender/lib/:$libXrandr/lib/ $TMP/arch/$arch/usr/X11R6/bin/aticonfig
-    patchelf --shrink-rpath $BIN/amdcccle
-    for prog in $BIN/*; do
-      cp -f $prog $out/bin &&
-      patchelf --set-interpreter $(echo $glibcDir/lib/ld-linux*.so.2) $out/bin/$(basename $prog) &&
-      wrapProgram $out/bin/$(basename $prog) --prefix LD_LIBRARY_PATH : $out/lib/:$gcc/lib/:$out/share/ati/:$libXinerama/lib/:$libXrandr/lib/:$libfontconfig/lib/:$libfreetype/lib/${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
-    done
-  }
-
-  rm -f $out/lib/fglrx/switchlibglx && rm -f $out/lib/fglrx/switchlibGL
-
-}
-
-fi
-
-for p in $extraDRIlibs; do
-  for lib in $p/lib/*.so*; do
-    ln -s $lib $out/lib/
-  done
-done
diff --git a/pkgs/os-specific/linux/ati-drivers/default.nix b/pkgs/os-specific/linux/ati-drivers/default.nix
deleted file mode 100644
index 63f9b5399da..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/default.nix
+++ /dev/null
@@ -1,140 +0,0 @@
-{ stdenv, lib, fetchurl, kernel ? null, which
-, xorg, makeWrapper, glibc, patchelf, unzip
-, fontconfig, freetype, libGLU, libGL # for fgl_glxgears
-, # Whether to build the libraries only (i.e. not the kernel module or
-  # driver utils). Used to support 32-bit binaries on 64-bit
-  # Linux.
-  libsOnly ? false
-}:
-
-assert (!libsOnly) -> kernel != null;
-
-with stdenv.lib;
-
-# This derivation requires a maximum of gcc49, Linux kernel 4.1 and xorg.xserver 1.17
-# and will not build or run using versions newer
-
-# If you want to use a different Xorg version probably
-# DIR_DEPENDING_ON_XORG_VERSION in builder.sh has to be adopted (?)
-# make sure libglx.so of ati is used. xorg.xorgserver does provide it as well
-# which is a problem because it doesn't contain the xorgserver patch supporting
-# the XORG_DRI_DRIVER_PATH env var.
-# See https://marc.info/?l=nix-dev&m=139641585515351 for a
-# workaround (TODO)
-
-# The gentoo ebuild contains much more "magic" and is usually a great resource to
-# find patches XD
-
-# http://wiki.cchtml.com/index.php/Main_Page
-
-# /usr/lib/dri/fglrx_dri.so must point to /run/opengl-driver/lib/fglrx_dri.so
-# This is done in the builder script.
-
-stdenv.mkDerivation rec {
-
-  version = "15.12";
-  pname = "ati-drivers";
-  build = "15.302";
-
-  linuxonly =
-    if stdenv.hostPlatform.system == "i686-linux" then
-      true
-    else if stdenv.hostPlatform.system == "x86_64-linux" then
-      true
-    else throw "ati-drivers are Linux only. Sorry. The build was stopped.";
-
-  name = pname + "-" + version + (optionalString (!libsOnly) "-${kernelDir.version}");
-
-  builder = ./builder.sh;
-  gcc = stdenv.cc.cc;
-  libXinerama = xorg.libXinerama;
-  libXrandr = xorg.libXrandr;
-  libXrender = xorg.libXrender;
-  libXxf86vm = xorg.libXxf86vm;
-  xorgproto = xorg.xorgproto;
-  libSM = xorg.libSM;
-  libICE = xorg.libICE;
-  libfreetype = freetype;
-  libfontconfig = fontconfig;
-  libStdCxx = stdenv.cc.cc.lib;
-
-  src = fetchurl {
-    url =
-    "https://www2.ati.com/drivers/linux/radeon-crimson-15.12-15.302-151217a-297685e.zip";
-    sha256 = "704f2dfc14681f76dae3b4120c87b1ded33cf43d5a1d800b6de5ca292bb61e58";
-    curlOpts = "--referer https://www.amd.com/en/support";
-  };
-
-  hardeningDisable = [ "pic" "format" ];
-
-  patchPhaseSamples = "patch -p2 < ${./patches/patch-samples.patch}";
-  patches = [
-    ./patches/15.12-xstate-fp.patch
-    ./patches/15.9-kcl_str.patch
-    ./patches/15.9-mtrr.patch
-    ./patches/15.9-preempt.patch
-    ./patches/15.9-sep_printf.patch ]
-  ++ optionals ( kernel != null &&
-                 (lib.versionAtLeast kernel.version "4.6") )
-               [ ./patches/kernel-4.6-get_user_pages.patch
-                 ./patches/kernel-4.6-page_cache_release-put_page.patch ]
-  ++ optionals ( kernel != null &&
-                 (lib.versionAtLeast kernel.version "4.7") )
-               [ ./patches/4.7-arch-cpu_has_pge-v2.patch ]
-  ++ optionals ( kernel != null &&
-                 (lib.versionAtLeast kernel.version "4.9") )
-               [ ./patches/4.9-get_user_pages.patch ];
-
-  buildInputs =
-    [ xorg.libXrender xorg.libXext xorg.libX11 xorg.libXinerama xorg.libSM
-      xorg.libXrandr xorg.libXxf86vm xorg.xorgproto xorg.imake xorg.libICE
-      patchelf
-      unzip
-      libGLU libGL
-      fontconfig
-      freetype
-      makeWrapper
-      which
-    ];
-
-  inherit libsOnly;
-
-  kernelDir = if libsOnly then null else kernel.dev;
-
-  # glibc only used for setting the binaries interpreter
-  glibcDir = glibc.out;
-
-  # outputs TODO: probably many fixes are needed;
-  LD_LIBRARY_PATH = makeLibraryPath
-    [ xorg.libXrender xorg.libXext xorg.libX11 xorg.libXinerama xorg.libSM
-      xorg.libXrandr xorg.libXxf86vm xorg.xorgproto xorg.imake xorg.libICE
-      libGLU libGL
-      fontconfig
-      freetype
-      stdenv.cc.cc
-    ];
-
-  # without this some applications like blender don't start, but they start
-  # with nvidia. This causes them to be symlinked to $out/lib so that they
-  # appear in /run/opengl-driver/lib which get's added to LD_LIBRARY_PATH
-
-  extraDRIlibs = [ xorg.libXrandr.out xorg.libXrender.out xorg.libXext.out
-                   xorg.libX11.out xorg.libXinerama.out xorg.libSM.out
-                   xorg.libICE.out ];
-
-  inherit libGLU libGL; # only required to build the examples
-
-  enableParallelBuilding = true;
-
-  meta = with stdenv.lib; {
-    description = "ATI Catalyst display drivers";
-    homepage = "http://support.amd.com/us/gpudownload/Pages/index.aspx";
-    license = licenses.unfree;
-    maintainers = with maintainers; [ marcweber offline jerith666 ];
-    platforms = platforms.linux;
-    hydraPlatforms = [];
-    # Copied from the nvidia default.nix to prevent a store collision.
-    priority = 4;
-  };
-
-}
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch
deleted file mode 100644
index 22e43fc0c7b..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Krzysztof Kolasa <kkolasa@winsoft.pl>
-Date: Thu, 26 Nov 2015 14:28:46 +0100
-Subject: [PATCH] Patch for kernel 4.4.0-rc2
-
-constant change of name XSTATE_XP to name XFEATURE_MASK_FP
----
- firegl_public.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index 3626c7b..f071d42 100644
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod//firegl_public.c
-@@ -6463,7 +6463,11 @@ static int KCL_fpu_save_init(struct task_struct *tsk)
-       if (!(fpu->state->xsave.xsave_hdr.xstate_bv & XSTATE_FP))
- #else
- 	  copy_xregs_to_kernel(&fpu->state.xsave);
--      if (!(fpu->state.xsave.header.xfeatures & XSTATE_FP))
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
-+      if (!(fpu->state.xsave.header.xfeatures & XFEATURE_MASK_FP))
-+#else
-+      if (!(fpu->state.xsave.header.xfeatures & XSTATE_FP))
-+#endif
- #endif
-          return 1;
-    } else if (static_cpu_has(X86_FEATURE_FXSR)) {
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch
deleted file mode 100644
index 20c3bc8a169..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/kcl_str.c	2015-09-13 13:47:30.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/kcl_str.c	2015-09-13 13:49:42.000000000 -0400
-@@ -169,7 +169,11 @@ int ATI_API_CALL KCL_STR_Strnicmp(const
-                                   const char* s2,
-                                   KCL_TYPE_SizeSigned count)
- {
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,0,0)
-     return strnicmp(s1, s2, count);
-+#else
-+    return strncasecmp(s1, s2, count);
-+#endif
- }
- 
- /** \brief Locate character in string
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch
deleted file mode 100644
index bdf70b4ccdc..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-19 23:43:22.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-19 23:52:07.000000000 -0400
-@@ -3442,7 +3442,11 @@ int ATI_API_CALL KCL_MEM_MTRR_Support(vo
- int ATI_API_CALL KCL_MEM_MTRR_AddRegionWc(unsigned long base, unsigned long size)
- {
- #ifdef CONFIG_MTRR
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,3,0)
-+    return arch_phys_wc_add(base, size);
-+#else
-     return mtrr_add(base, size, MTRR_TYPE_WRCOMB, 1);
-+#endif
- #else /* !CONFIG_MTRR */
-     return -EPERM;
- #endif /* !CONFIG_MTRR */
-@@ -3451,7 +3455,12 @@ int ATI_API_CALL KCL_MEM_MTRR_AddRegionW
- int ATI_API_CALL KCL_MEM_MTRR_DeleteRegion(int reg, unsigned long base, unsigned long size)
- {
- #ifdef CONFIG_MTRR
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,3,0)
-+    arch_phys_wc_del(reg);
-+    return reg;
-+#else
-     return mtrr_del(reg, base, size);
-+#endif
- #else /* !CONFIG_MTRR */
-     return -EPERM;
- #endif /* !CONFIG_MTRR */
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch
deleted file mode 100644
index c6598835133..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch
+++ /dev/null
@@ -1,103 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-08-30 17:36:02.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-08-30 17:39:36.000000000 -0400
-@@ -21,6 +21,8 @@
- !!! since it requires changes to linux/init/main.c.
- #endif /* !MODULE */
- 
-+#include <linux/preempt.h>
-+
- // ============================================================
- #include <linux/version.h>
- 
-@@ -4997,7 +4999,9 @@ static unsigned int kas_spin_unlock(kas_
- unsigned long ATI_API_CALL KAS_GetExecutionLevel(void)
- {
-     unsigned long ret;
-+    preempt_disable();
-     ret = kas_GetExecutionLevel();
-+    preempt_enable();
-     return ret;
- }
- 
-@@ -5022,8 +5026,10 @@ unsigned int ATI_API_CALL KAS_Ih_Execute
-     KCL_DEBUG5(FN_FIREGL_KAS,"0x%08X, 0x%08X\n", ih_routine, ih_context);
- 
-     //Prevent simultaneous entry on some SMP systems.
-+    preempt_disable();
-     if (test_and_set_bit(0, (void *)&(kasContext.in_interrupts[smp_processor_id()])))
-     {
-+    	preempt_enable();
-         KCL_DEBUG1(FN_FIREGL_KAS, "The processor is handling the interrupt\n");
-         return IRQ_NONE;
-     }
-@@ -5036,9 +5042,9 @@ unsigned int ATI_API_CALL KAS_Ih_Execute
- 
-     kasSetExecutionLevel(orig_level);
-     spin_unlock(&kasContext.lock_ih); 
--
-     clear_bit(0, (void *)&(kasContext.in_interrupts[smp_processor_id()]));
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d\n", ret);
-+    preempt_enable();
- 
-     return ret;
- }
-@@ -5256,6 +5262,7 @@ unsigned int ATI_API_CALL KAS_Spinlock_A
- 
-     KCL_DEBUG5(FN_FIREGL_KAS,"0x%08X\n", hSpinLock);
- 
-+    preempt_disable();
-     spin_lock_info.routine_type = spinlock_obj->routine_type;
-     spin_lock_info.plock = &(spinlock_obj->lock);
- 
-@@ -5263,6 +5270,7 @@ unsigned int ATI_API_CALL KAS_Spinlock_A
- 
-     spinlock_obj->acquire_type = spin_lock_info.acquire_type;
-     spinlock_obj->flags = spin_lock_info.flags;
-+    preempt_enable();
- 
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d\n", ret);
-     return ret;
-@@ -6034,6 +6042,8 @@ unsigned int ATI_API_CALL KAS_Interlocke
- 
-     KCL_DEBUG5(FN_FIREGL_KAS,"0x%08X, 0x%08X, 0x%08X\n", hListHead, hListEntry, phPrevEntry);
- 
-+    preempt_disable();
-+
-     /* Protect the operation with spinlock */
-     spin_lock_info.routine_type = listhead_obj->routine_type;
-     spin_lock_info.plock = &(listhead_obj->lock);
-@@ -6041,6 +6051,7 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     if (!kas_spin_lock(&spin_lock_info))
-     {
-         KCL_DEBUG_ERROR("Unable to grab list spinlock\n");
-+	preempt_enable();
-         return 0; /* No spinlock - no operation */
-     }
- 
-@@ -6065,6 +6076,7 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     spin_unlock_info.flags = spin_lock_info.flags;
- 
-     ret = kas_spin_unlock(&spin_unlock_info);
-+    preempt_enable();
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d", ret);
-     return ret;
- }
-@@ -6153,8 +6165,10 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     spin_lock_info.routine_type = listhead_obj->routine_type;
-     spin_lock_info.plock = &(listhead_obj->lock);
- 
-+    preempt_disable();
-     if (!kas_spin_lock(&spin_lock_info))
-     {
-+        preempt_enable();
-         KCL_DEBUG_ERROR("Unable to grab list spinlock");
-         return 0; /* No spinlock - no operation */
-     }
-@@ -6178,6 +6192,7 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     spin_unlock_info.flags = spin_lock_info.flags;
- 
-     ret = kas_spin_unlock(&spin_unlock_info);
-+    preempt_enable();
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d", ret);
-     return ret;
- }
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch
deleted file mode 100644
index 3e4e8d6499a..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-14 15:14:36.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-14 16:18:58.000000000 -0400
-@@ -649,6 +649,8 @@ static int firegl_major_proc_read(struct
-     *eof = 1;
- 
-     len = snprintf(buf, request, "%d\n", major);
-+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,3,0)
-+    seq_printf(m, "%d\n", major);
- #else
-     len = seq_printf(m, "%d\n", major);
- #endif
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch b/pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch
deleted file mode 100644
index cb86f5aff27..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-diff -uNr 16.8/common/lib/modules/fglrx/build_mod/firegl_public.c 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.c
---- 16.8/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-12-18 19:47:41.000000000 +0100
-+++ 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.c	2016-08-15 15:09:37.228538907 +0200
-@@ -4518,7 +4518,11 @@
-     write_cr0(cr0);
-     wbinvd();
- 
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         cr4 = READ_CR4();
-         WRITE_CR4(cr4 & ~X86_CR4_PGE);
-@@ -4532,7 +4536,11 @@
-     wbinvd();
-     __flush_tlb();
-     write_cr0(cr0 & 0xbfffffff);
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         WRITE_CR4(cr4);
-     }
-@@ -4559,7 +4567,11 @@
-     write_cr0(cr0);
-     wbinvd();
- 
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         cr4 = READ_CR4();
-         WRITE_CR4(cr4 & ~X86_CR4_PGE);
-@@ -4572,7 +4584,11 @@
-     wbinvd();
-     __flush_tlb();
-     write_cr0(cr0 & 0xbfffffff);
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         WRITE_CR4(cr4);
-     }
-diff -uNr 16.8/common/lib/modules/fglrx/build_mod/firegl_public.h 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.h
---- 16.8/common/lib/modules/fglrx/build_mod/firegl_public.h	2015-12-18 19:47:41.000000000 +0100
-+++ 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.h	2016-08-15 15:09:05.815141238 +0200
-@@ -650,9 +650,15 @@
- #define cpu_has_pat  test_bit(X86_FEATURE_PAT, (void *) &boot_cpu_data.x86_capability)
- #endif
- 
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+#ifndef boot_cpu_has(X86_FEATURE_PGE)
-+#define boot_cpu_has(X86_FEATURE_PGE) test_bit(X86_FEATURE_PGE, &boot_cpu_data.x86_capability)
-+#endif
-+#else
- #ifndef cpu_has_pge
- #define cpu_has_pge test_bit(X86_FEATURE_PGE, &boot_cpu_data.x86_capability)
- #endif
-+#endif
- 
- /* 2.6.29 defines pgprot_writecombine as a macro which resolves to a
-  * GPL-only function with the same name. So we always use our own
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch b/pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch
deleted file mode 100644
index 8a6c42cdb1f..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit b3e4353fc68a6a024dcb95e2d61aa0afd7370233
-Author: Matt McHenry <matt@mchenryfamily.org>
-Date:   Fri Feb 3 20:19:41 2017
-
-    patch for 4.9 only
-
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index 4ce095f..3b591e1 100755
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c
-@@ -3224,7 +3224,7 @@ int ATI_API_CALL KCL_LockUserPages(unsigned long vaddr, unsigned long* page_list
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(vaddr, page_cnt, 1, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 1, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
-@@ -3242,7 +3242,7 @@ int ATI_API_CALL KCL_LockReadOnlyUserPages(unsigned long vaddr, unsigned long* p
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(vaddr, page_cnt, 0, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 0, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch b/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch
deleted file mode 100644
index 1e7209ed5ed..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index 9c70211..b2242af 100755
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c
-@@ -3220,7 +3220,7 @@ int ATI_API_CALL KCL_LockUserPages(unsigned long vaddr, unsigned long* page_list
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(current, current->mm, vaddr, page_cnt, 1, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 1, 0, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
-@@ -3238,7 +3238,7 @@ int ATI_API_CALL KCL_LockReadOnlyUserPages(unsigned long vaddr, unsigned long* p
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(current, current->mm, vaddr, page_cnt, 0, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 0, 0, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
--- 
-2.9.2
-
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch b/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch
deleted file mode 100644
index 28820790e49..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index b2242af..586129c 100755
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c
-@@ -3249,7 +3249,7 @@ void ATI_API_CALL KCL_UnlockUserPages(unsigned long* page_list, unsigned int pag
-     unsigned int i;
-     for (i=0; i<page_cnt; i++)
-     {
--        page_cache_release((struct page*)page_list[i]);
-+        put_page((struct page*)page_list[i]);
-     }
- }
- 
--- 
-2.9.2
-
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch b/pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch
deleted file mode 100644
index 8bd24b1d022..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/samples/fgl_glxgears/fgl_glxgears.c b/samples/fgl_glxgears/fgl_glxgears.c
-index 6c8e313..2b8d035 100644
---- a/samples/fgl_glxgears/fgl_glxgears.c
-+++ b/samples/fgl_glxgears/fgl_glxgears.c
-@@ -1096,8 +1096,6 @@ static void event_loop(void)
-                   view_rotx -= 5.0;
-                }
-                else {
--                  r = XLookupString(&event.xkey, buffer, sizeof(buffer),
--                                    NULL, NULL);
-                   if (buffer[0] == 27) {
-                      /* escape */
-                      return;
-
-
-diff -Nur a/samples/fgl_glxgears/fgl_glxgears.c b/samples/fgl_glxgears/fgl_glxgears.c
---- a/samples/fgl_glxgears/fgl_glxgears.c	2012-08-29 09:59:03.000000000 +0300
-+++ b/samples/fgl_glxgears/fgl_glxgears.c	2013-09-07 09:26:11.034723135 +0300
-@@ -78,7 +78,6 @@
- #endif // _WIN32
- 
- #define INT_PTR ptrdiff_t
--#include <GL/glATI.h>
- 
- #ifdef _WIN32
- #include <GL/wglATI.h>
diff --git a/pkgs/os-specific/linux/atop/atop.service.patch b/pkgs/os-specific/linux/atop/atop.service.patch
new file mode 100644
index 00000000000..3ef59e60cbc
--- /dev/null
+++ b/pkgs/os-specific/linux/atop/atop.service.patch
@@ -0,0 +1,10 @@
+--- a/atop.service
++++ b/atop.service
+@@ -9,5 +9,6 @@
+ Environment=LOGPATH=/var/log/atop
+-EnvironmentFile=/etc/default/atop
++EnvironmentFile=-/etc/default/atop
+ ExecStartPre=/bin/sh -c 'test -n "$LOGINTERVAL" -a "$LOGINTERVAL" -eq "$LOGINTERVAL"'
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
++ExecStartPre=/bin/sh -c 'mkdir -p "${LOGPATH}"'
+ ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
diff --git a/pkgs/os-specific/linux/atop/atopacct.service.patch b/pkgs/os-specific/linux/atop/atopacct.service.patch
new file mode 100644
index 00000000000..9f2cd8f2e9c
--- /dev/null
+++ b/pkgs/os-specific/linux/atop/atopacct.service.patch
@@ -0,0 +1,7 @@
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -9,3 +9,3 @@
+ Type=forking
+-PIDFile=/var/run/atopacctd.pid
++PIDFile=/run/atopacctd.pid
+ ExecStart=@out@/bin/atopacctd
diff --git a/pkgs/os-specific/linux/atop/default.nix b/pkgs/os-specific/linux/atop/default.nix
index 0d8392cbcd8..b082c594acb 100644
--- a/pkgs/os-specific/linux/atop/default.nix
+++ b/pkgs/os-specific/linux/atop/default.nix
@@ -1,48 +1,80 @@
-{stdenv, fetchurl, zlib, ncurses}:
+{ lib
+, stdenv
+, fetchurl
+, zlib
+, ncurses
+, findutils
+, systemd
+, python3
+# makes the package unfree via pynvml
+, withAtopgpu ? false
+}:
 
 stdenv.mkDerivation rec {
-  version = "2.4.0";
   pname = "atop";
+  version = "2.6.0";
 
   src = fetchurl {
     url = "https://www.atoptool.nl/download/atop-${version}.tar.gz";
-    sha256 = "0s9xlxlzz688a80zxld840zkrmzw998rdkkg6yc7ssq8fw50275y";
+    sha256 = "nsLKOlcWkvfvqglfmaUQZDK8txzCLNbElZfvBIEFj3I=";
   };
 
-  buildInputs = [zlib ncurses];
+  nativeBuildInputs = lib.optionals withAtopgpu [ python3.pkgs.wrapPython ];
+  buildInputs = [ zlib ncurses ] ++ lib.optionals withAtopgpu [ python3 ];
+  pythonPath = lib.optionals withAtopgpu [ python3.pkgs.pynvml ];
 
   makeFlags = [
-    ''SCRPATH=$out/etc/atop''
-    ''LOGPATH=/var/log/atop''
-    ''INIPATH=$out/etc/rc.d/init.d''
-    ''CRNPATH=$out/etc/cron.d''
-    ''ROTPATH=$out/etc/logrotate.d''
+    "DESTDIR=$(out)"
+    "BINPATH=/bin"
+    "SBINPATH=/bin"
+    "MAN1PATH=/share/man/man1"
+    "MAN5PATH=/share/man/man5"
+    "MAN8PATH=/share/man/man8"
+    "SYSDPATH=/lib/systemd/system"
+    "PMPATHD=/lib/systemd/system-sleep"
+  ];
+
+  patches = [
+    # Fix paths in atop.service, atop-rotate.service, atopgpu.service, atopacct.service,
+    # and atop-pm.sh
+    ./fix-paths.patch
+    # Don't fail on missing /etc/default/atop, make sure /var/log/atop exists pre-start
+    ./atop.service.patch
+    # Specify PIDFile in /run, not /var/run to silence systemd warning
+    ./atopacct.service.patch
   ];
 
   preConfigure = ''
-    sed -e "s@/usr/@$out/@g" -i $(find . -type f )
-    sed -e "/mkdir.*LOGPATH/s@mkdir@echo missing dir @" -i Makefile
-    sed -e "/touch.*LOGPATH/s@touch@echo should have created @" -i Makefile
-    sed -e 's/chown/true/g' -i Makefile
-    sed -e '/chkconfig/d' -i Makefile
-    sed -e 's/chmod 04711/chmod 0711/g' -i Makefile
+    for f in *.{sh,service}; do
+      findutils=${findutils} systemd=${systemd} substituteAllInPlace "$f"
+    done
+
+    substituteInPlace Makefile --replace 'chown' 'true'
+    substituteInPlace Makefile --replace 'chmod 04711' 'chmod 0711'
   '';
 
+  installTargets = [ "systemdinstall" ];
   preInstall = ''
-    mkdir -p "$out"/{bin,sbin}
-    make systemdinstall $makeFlags
+    mkdir -p $out/bin
   '';
+  postInstall = ''
+    # remove extra files we don't need
+    rm -r $out/{var,etc} $out/bin/atop{sar,}-${version}
+  '' + (if withAtopgpu then ''
+    wrapPythonPrograms
+  '' else ''
+    rm $out/lib/systemd/system/atopgpu.service $out/bin/atopgpud $out/share/man/man8/atopgpud.8
+  '');
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     platforms = platforms.linux;
     maintainers = with maintainers; [ raskin ];
-    description = ''Console system performance monitor'';
+    description = "Console system performance monitor";
 
     longDescription = ''
       Atop is an ASCII full-screen performance monitor that is capable of reporting the activity of all processes (even if processes have finished during the interval), daily logging of system and process activity for long-term analysis, highlighting overloaded system resources by using colors, etc. At regular intervals, it shows system-level activity related to the CPU, memory, swap, disks and network layers, and for every active process it shows the CPU utilization, memory growth, disk utilization, priority, username, state, and exit code.
     '';
-    inherit version;
-    license = licenses.gpl2;
+    license = licenses.gpl2Plus;
     downloadPage = "http://atoptool.nl/downloadatop.php";
   };
 }
diff --git a/pkgs/os-specific/linux/atop/fix-paths.patch b/pkgs/os-specific/linux/atop/fix-paths.patch
new file mode 100644
index 00000000000..e6cd631d3c1
--- /dev/null
+++ b/pkgs/os-specific/linux/atop/fix-paths.patch
@@ -0,0 +1,48 @@
+--- a/atop.service
++++ b/atop.service
+@@ -12,4 +12,4 @@
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
+-ExecStart=/bin/sh -c 'exec /usr/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
+-ExecStartPost=/usr/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
++ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
++ExecStartPost=@findutils@/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
+ KillSignal=SIGUSR2
+
+--- a/atop-rotate.service
++++ b/atop-rotate.service
+@@ -4,3 +4,3 @@
+ [Service]
+ Type=oneshot
+-ExecStart=/usr/bin/systemctl try-restart atop.service
++ExecStart=@systemd@/bin/systemctl try-restart atop.service
+
+--- a/atopgpu.service
++++ b/atopgpu.service
+@@ -6,5 +6,5 @@
+
+ [Service]
+-ExecStart=/usr/sbin/atopgpud
++ExecStart=@out@/bin/atopgpud
+ Type=oneshot
+ RemainAfterExit=yes
+
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -10,3 +10,3 @@
+ PIDFile=/var/run/atopacctd.pid
+-ExecStart=/usr/sbin/atopacctd
++ExecStart=@out@/bin/atopacctd
+
+--- a/atop-pm.sh
++++ b/atop-pm.sh
+@@ -2,8 +2,8 @@
+
+ case "$1" in
+-	pre)	/usr/bin/systemctl stop atop
++	pre)	@systemd@/bin/systemctl stop atop
+ 		exit 0
+ 		;;
+-	post)	/usr/bin/systemctl start atop
++	post)	@systemd@/bin/systemctl start atop
+ 		exit 0
+ 		;;
diff --git a/pkgs/os-specific/linux/audit/default.nix b/pkgs/os-specific/linux/audit/default.nix
index f77d71c823b..30327fb1082 100644
--- a/pkgs/os-specific/linux/audit/default.nix
+++ b/pkgs/os-specific/linux/audit/default.nix
@@ -1,5 +1,5 @@
 {
-  stdenv, buildPackages, fetchurl, fetchpatch,
+  lib, stdenv, buildPackages, fetchurl, fetchpatch,
   runCommand,
   autoconf, automake, libtool,
   enablePython ? false, python ? null,
@@ -18,9 +18,9 @@ stdenv.mkDerivation rec {
   outputs = [ "bin" "dev" "out" "man" ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = stdenv.lib.optionals stdenv.hostPlatform.isMusl
+  nativeBuildInputs = lib.optionals stdenv.hostPlatform.isMusl
     [ autoconf automake libtool ];
-  buildInputs = stdenv.lib.optional enablePython python;
+  buildInputs = lib.optional enablePython python;
 
   configureFlags = [
     # z/OS plugin is not useful on Linux,
@@ -36,7 +36,8 @@ stdenv.mkDerivation rec {
   # TODO: Remove the musl patches when
   #         https://github.com/linux-audit/audit-userspace/pull/25
   #       is available with the next release.
-  patches = stdenv.lib.optional stdenv.hostPlatform.isMusl [
+  patches = [ ./patches/weak-symbols.patch ]
+  ++ lib.optional stdenv.hostPlatform.isMusl [
     (
       let patch = fetchpatch {
             url = "https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e.patch";
@@ -55,12 +56,19 @@ stdenv.mkDerivation rec {
 
   prePatch = ''
     sed -i 's,#include <sys/poll.h>,#include <poll.h>\n#include <limits.h>,' audisp/audispd.c
+  ''
+  # According to https://stackoverflow.com/questions/13089166
+  # --whole-archive linker flag is required to be sure that linker
+  # correctly chooses strong version of symbol regardless of order of
+  # object files at command line.
+  + lib.optionalString stdenv.hostPlatform.isStatic ''
+    export LDFLAGS=-Wl,--whole-archive
   '';
   meta = {
     description = "Audit Library";
     homepage = "https://people.redhat.com/sgrubb/audit/";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = with stdenv.lib.maintainers; [ ];
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ ];
   };
 }
diff --git a/pkgs/os-specific/linux/audit/patches/weak-symbols.patch b/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
new file mode 100644
index 00000000000..301ea9a5476
--- /dev/null
+++ b/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
@@ -0,0 +1,147 @@
+Executables in src/ directory are built from source files in src/
+and are linked to libauparse, with both src/auditd-config.c and
+auparse/auditd-config.c defining "free_config" function.
+
+It is known (although obscure) behaviour of shared libraries that
+symbol defined in binary itself overrides symbol in shared library;
+with static linkage it expectedly results in multiple definition
+error.
+
+This set of fixes explicitly marks libauparse versions of
+conflicting functions as weak to have behaviour coherent with
+dynamic linkage version -- definitions in src/ overriding definition
+in auparse/.
+
+Still, this architecture is very strange and confusing.
+
+diff -r -U5 audit-2.8.5-orig/auparse/auditd-config.c audit-2.8.5/auparse/auditd-config.c
+--- audit-2.8.5-orig/auparse/auditd-config.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/auparse/auditd-config.c	2021-01-13 11:36:12.716226498 +0000
+@@ -68,10 +68,11 @@
+ };
+ 
+ /*
+  * Set everything to its default value
+ */
++#pragma weak clear_config
+ void clear_config(struct daemon_conf *config)
+ {
+ 	config->local_events = 1;
+ 	config->qos = QOS_NON_BLOCKING;
+ 	config->sender_uid = 0;
+@@ -322,10 +323,11 @@
+ 	if (config->log_file == NULL)
+ 		return 1;
+ 	return 0;
+ }
+ 
++#pragma weak free_config
+ void free_config(struct daemon_conf *config)
+ {
+ 	free((void*)config->log_file);
+ }
+ 
+diff -r -U5 audit-2.8.5-orig/auparse/interpret.c audit-2.8.5/auparse/interpret.c
+--- audit-2.8.5-orig/auparse/interpret.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/auparse/interpret.c	2021-01-13 11:39:42.107217224 +0000
+@@ -545,10 +545,11 @@
+ 	else
+ 		snprintf(buf, size, "unknown(%d)", uid);
+ 	return buf;
+ }
+ 
++#pragma weak aulookup_destroy_uid_list
+ void aulookup_destroy_uid_list(void)
+ {
+ 	if (uid_cache_created == 0)
+ 		return;
+ 
+@@ -2810,10 +2811,11 @@
+ 
+ /*
+  * This is the main entry point for the auparse library. Call chain is:
+  * auparse_interpret_field -> nvlist_interp_cur_val -> interpret
+  */
++#pragma weak interpret
+ const char *interpret(const rnode *r, auparse_esc_t escape_mode)
+ {
+ 	const nvlist *nv = &r->nv;
+ 	int type;
+ 	idata id;
+diff -r -U5 audit-2.8.5-orig/auparse/nvlist.c audit-2.8.5/auparse/nvlist.c
+--- audit-2.8.5-orig/auparse/nvlist.c	2019-02-04 14:26:52.000000000 +0000
++++ audit-2.8.5/auparse/nvlist.c	2021-01-13 11:37:37.190222757 +0000
+@@ -27,10 +27,11 @@
+ #include "nvlist.h"
+ #include "interpret.h"
+ #include "auparse-idata.h"
+ 
+ 
++#pragma weak nvlist_create
+ void nvlist_create(nvlist *l)
+ {
+ 	l->head = NULL;
+ 	l->cur = NULL;
+ 	l->cnt = 0;
+@@ -47,17 +48,19 @@
+ 	while (node->next)
+ 		node = node->next;
+ 	l->cur = node;
+ }
+ 
++#pragma weak nvlist_next
+ nvnode *nvlist_next(nvlist *l)
+ {
+ 	if (l->cur)
+ 		l->cur = l->cur->next;
+ 	return l->cur;
+ }
+ 
++#pragma weak nvlist_append
+ void nvlist_append(nvlist *l, nvnode *node)
+ {
+ 	nvnode* newnode = malloc(sizeof(nvnode));
+ 
+ 	newnode->name = node->name;
+@@ -141,10 +144,11 @@
+ 	if (l->cur->interp_val)
+ 		return l->cur->interp_val;
+ 	return interpret(r, escape_mode);
+ }
+ 
++#pragma weak nvlist_clear
+ void nvlist_clear(nvlist* l)
+ {
+ 	nvnode* nextnode;
+ 	register nvnode* current;
+ 
+diff -r -U5 audit-2.8.5-orig/auparse/strsplit.c audit-2.8.5/auparse/strsplit.c
+--- audit-2.8.5-orig/auparse/strsplit.c	2019-03-01 21:15:30.000000000 +0000
++++ audit-2.8.5/auparse/strsplit.c	2021-01-13 11:38:04.306221556 +0000
+@@ -54,10 +54,11 @@
+ 			return NULL;
+ 		return s;
+ 	}
+ }
+ 
++#pragma weak audit_strsplit
+ char *audit_strsplit(char *s)
+ {
+ 	static char *str = NULL;
+ 	char *ptr;
+ 
+diff -r -U5 audit-2.8.5-orig/lib/strsplit.c audit-2.8.5/lib/strsplit.c
+--- audit-2.8.5-orig/lib/strsplit.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/lib/strsplit.c	2021-01-13 11:38:29.444220443 +0000
+@@ -23,10 +23,11 @@
+ 
+ #include <string.h>
+ #include "libaudit.h"
+ #include "private.h"
+ 
++#pragma weak audit_strsplit_r
+ char *audit_strsplit_r(char *s, char **savedpp)
+ {
+ 	char *ptr;
+ 
+ 	if (s)
diff --git a/pkgs/os-specific/linux/autofs/default.nix b/pkgs/os-specific/linux/autofs/default.nix
index baf3cc6ad55..3055a91161b 100644
--- a/pkgs/os-specific/linux/autofs/default.nix
+++ b/pkgs/os-specific/linux/autofs/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchurl, flex, bison, linuxHeaders, libtirpc, mount, umount, nfs-utils, e2fsprogs
-, libxml2, kerberos, kmod, openldap, sssd, cyrus_sasl, openssl }:
+{ lib, stdenv, fetchurl, flex, bison, linuxHeaders, libtirpc, mount, umount, nfs-utils, e2fsprogs
+, libxml2, libkrb5, kmod, openldap, sssd, cyrus_sasl, openssl, rpcsvc-proto }:
 
 let
   version = "5.1.6";
@@ -28,21 +28,24 @@ in stdenv.mkDerivation {
     unset STRIP # Makefile.rules defines a usable STRIP only without the env var.
   '';
 
+  # configure script is not finding the right path
+  NIX_CFLAGS_COMPILE = [ "-I${libtirpc.dev}/include/tirpc" ];
+
   installPhase = ''
     make install SUBDIRS="lib daemon modules man" # all but samples
     #make install SUBDIRS="samples" # impure!
   '';
 
-  buildInputs = [ linuxHeaders libtirpc libxml2 kerberos kmod openldap sssd
-                  openssl cyrus_sasl ];
+  buildInputs = [ linuxHeaders libtirpc libxml2 libkrb5 kmod openldap sssd
+                  openssl cyrus_sasl rpcsvc-proto ];
 
   nativeBuildInputs = [ flex bison ];
 
   meta = {
     description = "Kernel-based automounter";
     homepage = "https://www.kernel.org/pub/linux/daemons/autofs/";
-    license = stdenv.lib.licenses.gpl2Plus;
+    license = lib.licenses.gpl2Plus;
     executables = [ "automount" ];
-    platforms = stdenv.lib.platforms.linux;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/batman-adv/alfred.nix b/pkgs/os-specific/linux/batman-adv/alfred.nix
index 04217b8989b..96040f2828c 100644
--- a/pkgs/os-specific/linux/batman-adv/alfred.nix
+++ b/pkgs/os-specific/linux/batman-adv/alfred.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, gpsd, libcap, libnl }:
+{ lib, stdenv, fetchurl, pkg-config, gpsd, libcap, libnl }:
 
 let cfg = import ./version.nix; in
 
@@ -11,18 +11,18 @@ stdenv.mkDerivation rec {
     sha256 = cfg.sha256.${pname};
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ gpsd libcap libnl ];
 
   preBuild = ''
-    makeFlags="PREFIX=$out PKG_CONFIG=${pkgconfig}/bin/${pkgconfig.targetPrefix}pkg-config"
+    makeFlags="PREFIX=$out PKG_CONFIG=${pkg-config}/bin/${pkg-config.targetPrefix}pkg-config"
   '';
 
   meta = {
     homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
     description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2, information distribution tool";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = with stdenv.lib.maintainers; [ fpletz ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/batman-adv/batctl.nix b/pkgs/os-specific/linux/batman-adv/batctl.nix
index 3b1cf183e08..079624c10ad 100644
--- a/pkgs/os-specific/linux/batman-adv/batctl.nix
+++ b/pkgs/os-specific/linux/batman-adv/batctl.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, libnl }:
+{ lib, stdenv, fetchurl, pkg-config, libnl }:
 
 let cfg = import ./version.nix; in
 
@@ -11,18 +11,18 @@ stdenv.mkDerivation rec {
     sha256 = cfg.sha256.${pname};
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libnl ];
 
   preBuild = ''
-    makeFlags="PREFIX=$out PKG_CONFIG=${pkgconfig}/bin/${pkgconfig.targetPrefix}pkg-config"
+    makeFlags="PREFIX=$out PKG_CONFIG=${pkg-config}/bin/${pkg-config.targetPrefix}pkg-config"
   '';
 
   meta = {
     homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
     description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2, control tool";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = with stdenv.lib.maintainers; [ fpletz ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix
index 8985949a012..354f4b1bff2 100644
--- a/pkgs/os-specific/linux/batman-adv/default.nix
+++ b/pkgs/os-specific/linux/batman-adv/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, kernel }:
+{ lib, stdenv, fetchurl, kernel }:
 
 let cfg = import ./version.nix; in
 
@@ -24,8 +24,8 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
     description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = with stdenv.lib.maintainers; [ fpletz ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ fpletz hexa ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/batman-adv/version.nix b/pkgs/os-specific/linux/batman-adv/version.nix
index f9f3013e1f9..71c7863cfa8 100644
--- a/pkgs/os-specific/linux/batman-adv/version.nix
+++ b/pkgs/os-specific/linux/batman-adv/version.nix
@@ -1,9 +1,9 @@
 {
-  version = "2019.5";
+  version = "2021.1";
 
   sha256 = {
-    batman-adv = "1v18zvvg12jgywncbhxshgjc93r72ajpxgw22zp0zx22g2q13z99";
-    alfred = "09npizg89ks1wm19l5xz0pq1ljpsbwy030xnprqnd0p53976wywa";
-    batctl = "1b9w4636dq8m38nzr8j0v0j3b0vdsw84c58c2isc33h66dx8brgz";
+    batman-adv = "1l1lk41h4chymrb41ihqrr3p80xdwhhp1kkksr157mzailyq8xxz";
+    alfred = "122y92vqrpp3g6dbjfv8hkhwjlfa3skr91lbzicr0pw8mm6wzqll";
+    batctl = "0xp1cqcw0g0irgw9yhkch01rbn39gzvfxv8b2yya32vbnkmqrcj4";
   };
 }
diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix
index 67cbc6e5c5e..837906fb554 100644
--- a/pkgs/os-specific/linux/bbswitch/default.nix
+++ b/pkgs/os-specific/linux/bbswitch/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, kernel, runtimeShell }:
+{ lib, stdenv, fetchurl, fetchpatch, kernel, runtimeShell }:
 
 let
   baseName = "bbswitch";
@@ -54,7 +54,7 @@ stdenv.mkDerivation {
     chmod +x $out/bin/discrete_vga_poweroff $out/bin/discrete_vga_poweron
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A module for powering off hybrid GPUs";
     platforms = [ "x86_64-linux" "i686-linux" ];
     homepage = "https://github.com/Bumblebee-Project/bbswitch";
diff --git a/pkgs/os-specific/linux/bcc/default.nix b/pkgs/os-specific/linux/bcc/default.nix
index 98de3ed1b11..221f38faa87 100644
--- a/pkgs/os-specific/linux/bcc/default.nix
+++ b/pkgs/os-specific/linux/bcc/default.nix
@@ -1,22 +1,28 @@
-{ stdenv, fetchurl, makeWrapper, cmake, llvmPackages, kernel
+{ lib, stdenv, fetchFromGitHub
+, makeWrapper, cmake, llvmPackages, kernel
 , flex, bison, elfutils, python, luajit, netperf, iperf, libelf
-, systemtap, bash
+, systemtap, bash, libbpf
 }:
 
 python.pkgs.buildPythonApplication rec {
   pname = "bcc";
-  version = "0.15.0";
+  version = "0.20.0";
 
-  src = fetchurl {
-    url = "https://github.com/iovisor/bcc/releases/download/v${version}/bcc-src-with-submodule.tar.gz";
-    sha256 = "1k00xbhdzdvqp4hfxpgg34bbhnx597jjhpg1x6dz2w80r7xzsj28";
+  disabled = !stdenv.isLinux;
+
+  src = fetchFromGitHub {
+    owner = "iovisor";
+    repo = "bcc";
+    rev = "v${version}";
+    sha256 = "1xnpz2zv445dp5h0160drv6xlvrnwfj23ngc4dp3clcd59jh1baq";
   };
   format = "other";
 
   buildInputs = with llvmPackages; [
-    llvm clang-unwrapped kernel
+    llvm llvm.dev libclang kernel
     elfutils luajit netperf iperf
     systemtap.stapBuild flex bash
+    libbpf
   ];
 
   patches = [
@@ -26,15 +32,16 @@ python.pkgs.buildPythonApplication rec {
   ];
 
   propagatedBuildInputs = [ python.pkgs.netaddr ];
-  nativeBuildInputs = [ makeWrapper cmake flex bison ]
+  nativeBuildInputs = [ makeWrapper cmake flex bison llvmPackages.llvm.dev ]
     # libelf is incompatible with elfutils-libelf
-    ++ stdenv.lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
+    ++ lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
 
   cmakeFlags = [
     "-DBCC_KERNEL_MODULES_DIR=${kernel.dev}/lib/modules"
     "-DREVISION=${version}"
     "-DENABLE_USDT=ON"
     "-DENABLE_CPP_API=ON"
+    "-DCMAKE_USE_LIBBPF_PACKAGE=ON"
   ];
 
   postPatch = ''
@@ -65,7 +72,7 @@ python.pkgs.buildPythonApplication rec {
     wrapPythonProgramsIn "$out/share/bcc/tools" "$out $pythonPath"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Dynamic Tracing Tools for Linux";
     homepage    = "https://iovisor.github.io/bcc/";
     license     = licenses.asl20;
diff --git a/pkgs/os-specific/linux/beefi/default.nix b/pkgs/os-specific/linux/beefi/default.nix
new file mode 100644
index 00000000000..959a43faea9
--- /dev/null
+++ b/pkgs/os-specific/linux/beefi/default.nix
@@ -0,0 +1,44 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, installShellFiles
+, binutils-unwrapped
+, systemd }:
+
+stdenv.mkDerivation rec {
+  pname = "beefi";
+  version = "0.1.1";
+
+  src = fetchFromGitHub {
+    owner = "jfeick";
+    repo = "beefi";
+    rev = version;
+    sha256 = "1180avalbw414q1gnfqdgc9zg3k9y0401kw9qvcn51qph81d04v5";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  buildInputs = [
+    binutils-unwrapped
+    systemd
+  ];
+
+  patchPhase = ''
+    substituteInPlace beefi \
+      --replace objcopy ${binutils-unwrapped}/bin/objcopy \
+      --replace /usr/lib/systemd ${systemd}/lib/systemd
+  '';
+
+  installPhase = ''
+    install -Dm755 beefi $out/bin/beefi
+    installManPage beefi.1
+  '';
+
+  meta = with lib; {
+    description = "A small script to create bootable EFISTUB kernel images";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ tu-maurice ];
+    homepage = "https://github.com/jfeick/beefi";
+  };
+}
diff --git a/pkgs/os-specific/linux/bionic-prebuilt/default.nix b/pkgs/os-specific/linux/bionic-prebuilt/default.nix
new file mode 100644
index 00000000000..920732a2020
--- /dev/null
+++ b/pkgs/os-specific/linux/bionic-prebuilt/default.nix
@@ -0,0 +1,113 @@
+{ stdenvNoCC, lib, fetchzip, pkgs
+}:
+let
+
+  prebuilt_crt = fetchzip {
+    url =  "https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/+archive/98dce673ad97a9640c5d90bbb1c718e75c21e071/lib/gcc/aarch64-linux-android/4.9.x.tar.gz";
+    sha256 = "sha256-LLD2OJi78sNN5NulOsJZl7Ei4F1EUYItGG6eUsKWULc=";
+    stripRoot = false;
+  };
+
+  prebuilt_libs = fetchzip {
+    url = "https://android.googlesource.com/platform/prebuilts/ndk/+archive/f2c77d8ba8a7f5c2d91771e31164f29be0b8ff98/platform/platforms/android-30/arch-arm64/usr/lib.tar.gz";
+    sha256 = "sha256-TZBV7+D1QvKOCEi+VNGT5SStkgj0xRbyWoLH65zSrjw=";
+    stripRoot = false;
+  };
+
+  prebuilt_ndk_crt = fetchzip {
+    url = "https://android.googlesource.com/toolchain/prebuilts/ndk/r23/+archive/6c5fa4c0d3999b9ee932f6acbd430eb2f31f3151/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/aarch64-linux-android/30.tar.gz";
+    sha256 = "sha256-KHw+cCwAwlm+5Nwp1o8WONqdi4BBDhFaVVr+7GxQ5uE=";
+    stripRoot = false;
+  };
+
+  ndk_support_headers = fetchzip {
+    url ="https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/+archive/0e7f808fa26cce046f444c9616d9167dafbfb272/clang-r416183b/include/c++/v1/support.tar.gz";
+    sha256 = "sha256-NBv7Pk1CEaz8ns9moleEERr3x/rFmVmG33LgFSeO6fY=";
+    stripRoot = false;
+  };
+
+  kernelHeaders = pkgs.makeLinuxHeaders {
+    version = "android-common-11-5.4";
+    src = fetchzip {
+      url = "https://android.googlesource.com/kernel/common/+archive/48ffcbf0b9e7f0280bfb8c32c68da0aaf0fdfef6.tar.gz";
+      sha256 = "1y7cmlmcr5vdqydd9n785s139yc4aylc3zhqa59xsylmkaf5habk";
+      stripRoot = false;
+    };
+  };
+
+in
+stdenvNoCC.mkDerivation rec {
+  pname = "bionic-prebuilt";
+  version = "ndk-release-r23";
+
+  src = fetchzip {
+    url = "https://android.googlesource.com/platform/bionic/+archive/00e8ce1142d8823b0d2fc8a98b40119b0f1f02cd.tar.gz";
+    sha256 = "10z5mp4w0acvjvgxv7wlqa7m70hcyarmjdlfxbd9rwzf4mrsr8d1";
+    stripRoot = false;
+  };
+
+  NIX_DONT_SET_RPATH = true;
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  patches = [
+    ./ndk-version.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace libc/include/sys/cdefs.h --replace \
+      "__has_builtin(__builtin_umul_overflow)" "1"
+    substituteInPlace libc/include/bits/ioctl.h --replace \
+      "!defined(BIONIC_IOCTL_NO_SIGNEDNESS_OVERLOAD)" "0"
+  '';
+
+  installPhase= ''
+    # copy the bionic headers
+    mkdir -p $out/include/support $out/include/android
+    cp -vr libc/include/* $out/include
+    # copy the kernel headers
+    cp -vr ${kernelHeaders}/include/*  $out/include/
+
+    chmod -R +w $out/include/linux
+
+    # fix a bunch of kernel headers so that things can actually be found
+    sed -i 's,struct epoll_event {,#include <bits/epoll_event.h>\nstruct Xepoll_event {,' $out/include/linux/eventpoll.h
+    sed -i 's,struct in_addr {,typedef unsigned int in_addr_t;\nstruct in_addr {,' $out/include/linux/in.h
+    sed -i 's,struct udphdr {,struct Xudphdr {,' $out/include/linux/udp.h
+    sed -i 's,union semun {,union Xsemun {,' $out/include/linux/sem.h
+    sed -i 's,struct __kernel_sockaddr_storage,#define sockaddr_storage __kernel_sockaddr_storage\nstruct __kernel_sockaddr_storage,' $out/include/linux/socket.h
+    sed -i 's,#ifndef __UAPI_DEF_.*$,#if 1,' $out/include/linux/libc-compat.h
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imr_" "struct in_addr		imr_"
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imsf_" "struct in_addr		imsf_"
+    substituteInPlace $out/include/linux/sysctl.h --replace "__unused" "_unused"
+
+    # what could possibly live in <linux/compiler.h>
+    touch $out/include/linux/compiler.h
+
+    # copy the support headers
+    cp -vr ${ndk_support_headers}* $out/include/support/
+
+    mkdir $out/lib
+    cp -v ${prebuilt_crt.out}/*.o $out/lib/
+    cp -v ${prebuilt_crt.out}/libgcc.a $out/lib/
+    cp -v ${prebuilt_ndk_crt.out}/*.o $out/lib/
+    for i in libc.so libm.so libdl.so liblog.so; do
+      cp -v ${prebuilt_libs.out}/$i $out/lib/
+    done
+
+    mkdir -p $dev/include
+    cp -v $out/include/*.h $dev/include/
+  '';
+
+  outputs = [ "out" "dev" ];
+  passthru.linuxHeaders = kernelHeaders;
+
+  meta = with lib; {
+    description = "The Android libc implementation";
+    homepage    = "https://android.googlesource.com/platform/bionic/";
+    license     = licenses.mit;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ s1341 ];
+  };
+}
diff --git a/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch b/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
new file mode 100644
index 00000000000..a6842ed479f
--- /dev/null
+++ b/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
@@ -0,0 +1,42 @@
+--- a/libc/include/android/ndk-version.h	2021-04-01 16:08:03.109183965 +0300
++++ b/libc/include/android/ndk-version.h	2021-04-01 16:07:19.811424641 +0300
+@@ -0,0 +1,39 @@
++#pragma once
++
++/**
++ * Set to 1 if this is an NDK, unset otherwise. See
++ * https://android.googlesource.com/platform/bionic/+/master/docs/defines.md.
++ */
++#define __ANDROID_NDK__ 1
++
++/**
++ * Major version of this NDK.
++ *
++ * For example: 16 for r16.
++ */
++#define __NDK_MAJOR__ 22
++
++/**
++ * Minor version of this NDK.
++ *
++ * For example: 0 for r16 and 1 for r16b.
++ */
++#define __NDK_MINOR__ 0
++
++/**
++ * Set to 0 if this is a release build, or 1 for beta 1,
++ * 2 for beta 2, and so on.
++ */
++#define __NDK_BETA__ 0
++
++/**
++ * Build number for this NDK.
++ *
++ * For a local development build of the NDK, this is -1.
++ */
++#define __NDK_BUILD__ 7026061
++
++/**
++ * Set to 1 if this is a canary build, 0 if not.
++ */
++#define __NDK_CANARY__ 0
diff --git a/pkgs/os-specific/linux/blktrace/default.nix b/pkgs/os-specific/linux/blktrace/default.nix
index 4ae449c19aa..fb5a5d06212 100644
--- a/pkgs/os-specific/linux/blktrace/default.nix
+++ b/pkgs/os-specific/linux/blktrace/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libaio }:
+{ lib, stdenv, fetchurl, libaio }:
 
 stdenv.mkDerivation {
   name = "blktrace-1.2.0";
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
 
   meta = {
     description = "Block layer IO tracing mechanism";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/bluez/default.nix b/pkgs/os-specific/linux/bluez/default.nix
index 401ab39bca3..040b8fc8478 100644
--- a/pkgs/os-specific/linux/bluez/default.nix
+++ b/pkgs/os-specific/linux/bluez/default.nix
@@ -1,12 +1,14 @@
 { stdenv
 , lib
 , fetchurl
-, alsaLib
+, alsa-lib
 , dbus
+, ell
 , glib
 , json_c
 , libical
-, pkgconfig
+, docutils
+, pkg-config
 , python3
 , readline
 , systemd
@@ -19,16 +21,17 @@
   ];
 in stdenv.mkDerivation rec {
   pname = "bluez";
-  version = "5.54";
+  version = "5.60";
 
   src = fetchurl {
     url = "mirror://kernel/linux/bluetooth/${pname}-${version}.tar.xz";
-    sha256 = "1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8";
+    sha256 = "sha256-cQmZWA0B7lnsWF5efAf9lO3e3AAaom/nRkxUb52UUwQ=";
   };
 
   buildInputs = [
-    alsaLib
+    alsa-lib
     dbus
+    ell
     glib
     json_c
     libical
@@ -38,7 +41,8 @@ in stdenv.mkDerivation rec {
   ];
 
   nativeBuildInputs = [
-    pkgconfig
+    docutils
+    pkg-config
     python3.pkgs.wrapPython
   ];
 
@@ -48,6 +52,11 @@ in stdenv.mkDerivation rec {
     substituteInPlace tools/hid2hci.rules \
       --replace /sbin/udevadm ${systemd}/bin/udevadm \
       --replace "hid2hci " "$out/lib/udev/hid2hci "
+    # Disable some tests:
+    # - test-mesh-crypto depends on the following kernel settings:
+    #   CONFIG_CRYPTO_[USER|USER_API|USER_API_AEAD|USER_API_HASH|AES|CCM|AEAD|CMAC]
+    if [[ ! -f unit/test-mesh-crypto.c ]]; then echo "unit/test-mesh-crypto.c no longer exists"; false; fi
+    echo 'int main() { return 77; }' > unit/test-mesh-crypto.c
   '';
 
   configureFlags = [
@@ -55,6 +64,7 @@ in stdenv.mkDerivation rec {
     "--enable-library"
     "--enable-cups"
     "--enable-pie"
+    "--enable-external-ell"
     "--with-dbusconfdir=${placeholder "out"}/share"
     "--with-dbussystembusdir=${placeholder "out"}/share/dbus-1/system-services"
     "--with-dbussessionbusdir=${placeholder "out"}/share/dbus-1/services"
@@ -67,7 +77,6 @@ in stdenv.mkDerivation rec {
     "--enable-nfc"
     "--enable-sap"
     "--enable-sixaxis"
-    "--enable-wiimote"
   ];
 
   # Work around `make install' trying to create /var/lib/bluetooth.
@@ -112,7 +121,7 @@ in stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Bluetooth support for Linux";
     homepage = "http://www.bluez.org/";
     license = with licenses; [ gpl2 lgpl21 ];
diff --git a/pkgs/os-specific/linux/bolt/default.nix b/pkgs/os-specific/linux/bolt/default.nix
index 114a90129ac..d38a97387f5 100644
--- a/pkgs/os-specific/linux/bolt/default.nix
+++ b/pkgs/os-specific/linux/bolt/default.nix
@@ -1,28 +1,50 @@
-{ stdenv, meson, ninja, pkgconfig, fetchFromGitLab,
-  python3, umockdev, gobject-introspection, dbus,
-  asciidoc, libxml2, libxslt, docbook_xml_dtd_45, docbook_xsl,
-  glib, systemd, polkit
+{ lib, stdenv
+, meson
+, ninja
+, pkg-config
+, fetchFromGitLab
+, fetchpatch
+, python3
+, umockdev
+, gobject-introspection
+, dbus
+, asciidoc
+, libxml2
+, libxslt
+, docbook_xml_dtd_45
+, docbook_xsl
+, glib
+, systemd
+, polkit
 }:
 
 stdenv.mkDerivation rec {
   pname = "bolt";
-  version = "0.8";
+  version = "0.9.1";
 
   src = fetchFromGitLab {
     domain = "gitlab.freedesktop.org";
     owner = "bolt";
     repo = "bolt";
     rev = version;
-    sha256 = "1qamls0fll0qc27lqavf56hv1yj6v6n4ry90g7bcnwpvccmd82yd";
+    sha256 = "1phgp8fs0dlj74kbkqlvfniwc32daz47b3pvsxlfxqzyrp77xrfm";
   };
 
   nativeBuildInputs = [
-    meson ninja pkgconfig
-    asciidoc libxml2 libxslt docbook_xml_dtd_45 docbook_xsl
-  ] ++ stdenv.lib.optional (!doCheck) python3;
+    asciidoc
+    docbook_xml_dtd_45
+    docbook_xsl
+    libxml2
+    libxslt
+    meson
+    ninja
+    pkg-config
+  ] ++ lib.optional (!doCheck) python3;
 
   buildInputs = [
-    glib systemd polkit
+    glib
+    polkit
+    systemd
   ];
 
   doCheck = true;
@@ -32,13 +54,25 @@ stdenv.mkDerivation rec {
   '';
 
   checkInputs = [
-    dbus umockdev gobject-introspection
+    dbus
+    gobject-introspection
+    umockdev
     (python3.withPackages
       (p: [ p.pygobject3 p.dbus-python p.python-dbusmock ]))
   ];
 
-  # meson install tries to create /var/lib/boltd
-  patches = [ ./0001-skip-mkdir.patch ];
+  patches = [
+    # meson install tries to create /var/lib/boltd
+    ./0001-skip-mkdir.patch
+
+    # https://github.com/NixOS/nixpkgs/issues/104429
+    # Upstream issue: https://gitlab.freedesktop.org/bolt/bolt/-/issues/167
+    (fetchpatch {
+      name = "disable-atime-tests.diff";
+      url = "https://gitlab.freedesktop.org/roberth/bolt/-/commit/1f672a7de2ebc4dd51590bb90f3b873a8ac0f4e6.diff";
+      sha256 = "134f5s6kjqs6612pwq5pm1miy58crn1kxbyyqhzjnzmf9m57fnc8";
+    })
+    ];
 
   postPatch = ''
     patchShebangs scripts tests
@@ -51,11 +85,11 @@ stdenv.mkDerivation rec {
   PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
   PKG_CONFIG_UDEV_UDEVDIR = "${placeholder "out"}/lib/udev";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Thunderbolt 3 device management daemon";
     homepage = "https://gitlab.freedesktop.org/bolt/bolt";
     license = licenses.lgpl21Plus;
-    maintainers = [ maintainers.callahad ];
+    maintainers = with maintainers; [ callahad ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/bpftool/default.nix b/pkgs/os-specific/linux/bpftool/default.nix
deleted file mode 100644
index 34ddcc3a213..00000000000
--- a/pkgs/os-specific/linux/bpftool/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ stdenv
-, libopcodes, libbfd, libelf
-, linuxPackages_latest, zlib
-, python3
-}:
-
-stdenv.mkDerivation {
-  pname = "bpftool";
-  inherit (linuxPackages_latest.kernel) version src;
-
-  nativeBuildInputs = [ python3 ];
-  buildInputs = [ libopcodes libbfd libelf zlib ];
-
-  preConfigure = ''
-    patchShebangs scripts/bpf_helpers_doc.py
-
-    cd tools/bpf/bpftool
-    substituteInPlace ./Makefile \
-      --replace '/usr/local' "$out" \
-      --replace '/usr'       "$out" \
-      --replace '/sbin'      '/bin'
-  '';
-
-  meta = with stdenv.lib; {
-    description = "Debugging/program analysis tool for the eBPF subsystem";
-    license     = [ licenses.gpl2 licenses.bsd2 ];
-    platforms   = platforms.linux;
-    maintainers = with maintainers; [ thoughtpolice ];
-  };
-}
diff --git a/pkgs/os-specific/linux/bpftools/default.nix b/pkgs/os-specific/linux/bpftools/default.nix
new file mode 100644
index 00000000000..f2ca8d87471
--- /dev/null
+++ b/pkgs/os-specific/linux/bpftools/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv
+, libopcodes, libbfd, libelf, readline
+, linuxPackages_latest, zlib
+, python3, bison, flex
+}:
+
+stdenv.mkDerivation {
+  pname = "bpftools";
+  inherit (linuxPackages_latest.kernel) version src;
+
+  nativeBuildInputs = [ python3 bison flex ];
+  buildInputs = [ libopcodes libbfd libelf zlib readline ];
+
+  preConfigure = ''
+    patchShebangs scripts/bpf_doc.py
+
+    cd tools/bpf
+    substituteInPlace ./bpftool/Makefile \
+      --replace '/usr/local' "$out" \
+      --replace '/usr'       "$out" \
+      --replace '/sbin'      '/bin'
+  '';
+
+  buildFlags = [ "bpftool" "bpf_asm" "bpf_dbg" ];
+
+  installPhase = ''
+    make -C bpftool install
+    install -Dm755 -t $out/bin bpf_asm
+    install -Dm755 -t $out/bin bpf_dbg
+  '';
+
+  meta = with lib; {
+    description = "Debugging/program analysis tools for the eBPF subsystem";
+    license     = [ licenses.gpl2 licenses.bsd2 ];
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice ];
+  };
+}
diff --git a/pkgs/os-specific/linux/bpftrace/default.nix b/pkgs/os-specific/linux/bpftrace/default.nix
index 0c360e60b7e..4d2f29491fc 100644
--- a/pkgs/os-specific/linux/bpftrace/default.nix
+++ b/pkgs/os-specific/linux/bpftrace/default.nix
@@ -1,29 +1,29 @@
-{ stdenv, fetchFromGitHub
-, cmake, pkgconfig, flex, bison
-, llvmPackages, kernel, elfutils, libelf, bcc
+{ lib, stdenv, fetchFromGitHub
+, cmake, pkg-config, flex, bison
+, llvmPackages, kernel, elfutils
+, libelf, libbfd, libbpf, libopcodes, bcc
 }:
 
 stdenv.mkDerivation rec {
   pname = "bpftrace";
-  version = "0.9.4";
+  version = "0.13.0";
 
   src = fetchFromGitHub {
     owner  = "iovisor";
     repo   = "bpftrace";
-    rev    = "refs/tags/v${version}";
-    sha256 = "00fvkq3razwacnpb82zkpv63dgyigbqx3gj6g0ka94nwa74i5i77";
+    rev    = "v${version}";
+    sha256 = "sha256-BKWBdFzj0j7rAfG30A0fwyYCpOG/5NFRPODW46EP1u0=";
   };
 
-  enableParallelBuilding = true;
-
   buildInputs = with llvmPackages;
-    [ llvm clang-unwrapped
+    [ llvm libclang
       kernel elfutils libelf bcc
+      libbpf libbfd libopcodes
     ];
 
-  nativeBuildInputs = [ cmake pkgconfig flex bison ]
+  nativeBuildInputs = [ cmake pkg-config flex bison llvmPackages.llvm.dev ]
     # libelf is incompatible with elfutils-libelf
-    ++ stdenv.lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
+    ++ lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
 
   # patch the source, *then* substitute on @NIX_KERNEL_SRC@ in the result. we could
   # also in theory make this an environment variable around bpftrace, but this works
@@ -41,7 +41,7 @@ stdenv.mkDerivation rec {
   #
   cmakeFlags =
     [ "-DBUILD_TESTING=FALSE"
-      "-DLIBBCC_INCLUDE_DIRS=${bcc}/include/bcc"
+      "-DLIBBCC_INCLUDE_DIRS=${bcc}/include"
     ];
 
   # nuke the example/reference output .txt files, for the included tools,
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "man" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "High-level tracing language for Linux eBPF";
     homepage    = "https://github.com/iovisor/bpftrace";
     license     = licenses.asl20;
diff --git a/pkgs/os-specific/linux/bridge-utils/default.nix b/pkgs/os-specific/linux/bridge-utils/default.nix
index 1aeb4a907fb..12655c3bed6 100644
--- a/pkgs/os-specific/linux/bridge-utils/default.nix
+++ b/pkgs/os-specific/linux/bridge-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoreconfHook }:
+{ lib, stdenv, fetchurl, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   name = "bridge-utils-1.5";
@@ -25,7 +25,7 @@ stdenv.mkDerivation rec {
   meta = {
     description = "https://sourceforge.net/projects/bridge/";
     homepage = "https://wiki.linuxfoundation.org/networking/bridge";
-    license = stdenv.lib.licenses.gpl2Plus;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/brillo/default.nix b/pkgs/os-specific/linux/brillo/default.nix
index 5baaa0752aa..0736a13ce12 100644
--- a/pkgs/os-specific/linux/brillo/default.nix
+++ b/pkgs/os-specific/linux/brillo/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitLab , go-md2man, coreutils, substituteAll }:
+{ lib, stdenv, fetchFromGitLab , go-md2man, coreutils, substituteAll }:
 
 stdenv.mkDerivation rec {
   pname = "brillo";
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
 
   installTargets = [ "install-dist" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Backlight and Keyboard LED control tool";
     homepage = "https://gitlab.com/cameronnemo/brillo";
     license = [ licenses.gpl3 licenses.bsd0 ];
diff --git a/pkgs/os-specific/linux/broadcom-sta/default.nix b/pkgs/os-specific/linux/broadcom-sta/default.nix
index ecaa3896044..527d2253e5b 100644
--- a/pkgs/os-specific/linux/broadcom-sta/default.nix
+++ b/pkgs/os-specific/linux/broadcom-sta/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, kernel }:
+{ lib, stdenv, fetchurl, kernel }:
 
 let
   version = "6.30.223.271";
@@ -7,8 +7,8 @@ let
     x86_64-linux = "1gj485qqr190idilacpxwgqyw21il03zph2rddizgj7fbd6pfyaz";
   };
 
-  arch = stdenv.lib.optionalString (stdenv.hostPlatform.system == "x86_64-linux") "_64";
-  tarballVersion = stdenv.lib.replaceStrings ["."] ["_"] version;
+  arch = lib.optionalString (stdenv.hostPlatform.system == "x86_64-linux") "_64";
+  tarballVersion = lib.replaceStrings ["."] ["_"] version;
   tarball = "hybrid-v35${arch}-nodebug-pcoem-${tarballVersion}.tar.gz";
 in
 stdenv.mkDerivation {
@@ -37,6 +37,8 @@ stdenv.mkDerivation {
     ./linux-5.1.patch
     # source: https://salsa.debian.org/Herrie82-guest/broadcom-sta/-/commit/247307926e5540ad574a17c062c8da76990d056f
     ./linux-5.6.patch
+    # source: https://gist.github.com/joanbm/5c640ac074d27fd1d82c74a5b67a1290
+    ./linux-5.9.patch
     ./null-pointer-fix.patch
     ./gcc.patch
   ];
@@ -60,8 +62,8 @@ stdenv.mkDerivation {
   meta = {
     description = "Kernel module driver for some Broadcom's wireless cards";
     homepage = "http://www.broadcom.com/support/802.11/linux_sta.php";
-    license = stdenv.lib.licenses.unfreeRedistributable;
-    maintainers = with stdenv.lib.maintainers; [ phreedom ];
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.unfreeRedistributable;
+    maintainers = with lib.maintainers; [ phreedom ];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch b/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch
new file mode 100644
index 00000000000..2a4e6fa89cc
--- /dev/null
+++ b/pkgs/os-specific/linux/broadcom-sta/linux-5.9.patch
@@ -0,0 +1,184 @@
+diff --git a/src/wl/sys/wl_cfg80211_hybrid.c b/src/wl/sys/wl_cfg80211_hybrid.c
+index 4b3298f..c45ad48 100644
+--- a/src/wl/sys/wl_cfg80211_hybrid.c
++++ b/src/wl/sys/wl_cfg80211_hybrid.c
+@@ -41,6 +41,7 @@
+ #include <wlioctl.h>
+ #include <proto/802.11.h>
+ #include <wl_cfg80211_hybrid.h>
++#include <wl_linux.h>
+ 
+ #define EVENT_TYPE(e) dtoh32((e)->event_type)
+ #define EVENT_FLAGS(e) dtoh16((e)->flags)
+@@ -442,30 +443,7 @@ static void key_endian_to_host(struct wl_wsec_key *key)
+ static s32
+ wl_dev_ioctl(struct net_device *dev, u32 cmd, void *arg, u32 len)
+ {
+-	struct ifreq ifr;
+-	struct wl_ioctl ioc;
+-	mm_segment_t fs;
+-	s32 err = 0;
+-
+-	BUG_ON(len < sizeof(int));
+-
+-	memset(&ioc, 0, sizeof(ioc));
+-	ioc.cmd = cmd;
+-	ioc.buf = arg;
+-	ioc.len = len;
+-	strcpy(ifr.ifr_name, dev->name);
+-	ifr.ifr_data = (caddr_t)&ioc;
+-
+-	fs = get_fs();
+-	set_fs(KERNEL_DS);
+-#if defined(WL_USE_NETDEV_OPS)
+-	err = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#else
+-	err = dev->do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#endif
+-	set_fs(fs);
+-
+-	return err;
++	return wlc_ioctl_internal(dev, cmd, arg, len);
+ }
+ 
+ static s32
+diff --git a/src/wl/sys/wl_iw.c b/src/wl/sys/wl_iw.c
+index 9c3c74e..e346b15 100644
+--- a/src/wl/sys/wl_iw.c
++++ b/src/wl/sys/wl_iw.c
+@@ -37,6 +37,7 @@ typedef const struct si_pub	si_t;
+ 
+ #include <wl_dbg.h>
+ #include <wl_iw.h>
++#include <wl_linux.h>
+ 
+ extern bool wl_iw_conn_status_str(uint32 event_type, uint32 status,
+ 	uint32 reason, char* stringBuf, uint buflen);
+@@ -103,29 +104,7 @@ dev_wlc_ioctl(
+ 	int len
+ )
+ {
+-	struct ifreq ifr;
+-	wl_ioctl_t ioc;
+-	mm_segment_t fs;
+-	int ret;
+-
+-	memset(&ioc, 0, sizeof(ioc));
+-	ioc.cmd = cmd;
+-	ioc.buf = arg;
+-	ioc.len = len;
+-
+-	strcpy(ifr.ifr_name, dev->name);
+-	ifr.ifr_data = (caddr_t) &ioc;
+-
+-	fs = get_fs();
+-	set_fs(KERNEL_DS);
+-#if defined(WL_USE_NETDEV_OPS)
+-	ret = dev->netdev_ops->ndo_do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#else
+-	ret = dev->do_ioctl(dev, &ifr, SIOCDEVPRIVATE);
+-#endif
+-	set_fs(fs);
+-
+-	return ret;
++	return wlc_ioctl_internal(dev, cmd, arg, len);
+ }
+ 
+ static int
+diff --git a/src/wl/sys/wl_linux.c b/src/wl/sys/wl_linux.c
+index c990c70..5bb9480 100644
+--- a/src/wl/sys/wl_linux.c
++++ b/src/wl/sys/wl_linux.c
+@@ -1664,10 +1664,7 @@ wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ 		goto done2;
+ 	}
+ 
+-	if (segment_eq(get_fs(), KERNEL_DS))
+-		buf = ioc.buf;
+-
+-	else if (ioc.buf) {
++	if (ioc.buf) {
+ 		if (!(buf = (void *) MALLOC(wl->osh, MAX(ioc.len, WLC_IOCTL_MAXLEN)))) {
+ 			bcmerror = BCME_NORESOURCE;
+ 			goto done2;
+@@ -1688,7 +1685,7 @@ wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ 	WL_UNLOCK(wl);
+ 
+ done1:
+-	if (ioc.buf && (ioc.buf != buf)) {
++	if (ioc.buf) {
+ 		if (copy_to_user(ioc.buf, buf, ioc.len))
+ 			bcmerror = BCME_BADADDR;
+ 		MFREE(wl->osh, buf, MAX(ioc.len, WLC_IOCTL_MAXLEN));
+@@ -1701,6 +1698,39 @@ done2:
+ 	return (OSL_ERROR(bcmerror));
+ }
+ 
++int
++wlc_ioctl_internal(struct net_device *dev, int cmd, void *buf, int len)
++{
++	wl_info_t *wl;
++	wl_if_t *wlif;
++	int bcmerror;
++
++	if (!dev)
++		return -ENETDOWN;
++
++	wl = WL_INFO(dev);
++	wlif = WL_DEV_IF(dev);
++	if (wlif == NULL || wl == NULL || wl->dev == NULL)
++		return -ENETDOWN;
++
++	bcmerror = 0;
++
++	WL_TRACE(("wl%d: wlc_ioctl_internal: cmd 0x%x\n", wl->pub->unit, cmd));
++
++	WL_LOCK(wl);
++	if (!capable(CAP_NET_ADMIN)) {
++		bcmerror = BCME_EPERM;
++	} else {
++		bcmerror = wlc_ioctl(wl->wlc, cmd, buf, len, wlif->wlcif);
++	}
++	WL_UNLOCK(wl);
++
++	ASSERT(VALID_BCMERROR(bcmerror));
++	if (bcmerror != 0)
++		wl->pub->bcmerror = bcmerror;
++	return (OSL_ERROR(bcmerror));
++}
++
+ static struct net_device_stats*
+ wl_get_stats(struct net_device *dev)
+ {
+diff --git a/src/wl/sys/wl_linux.h b/src/wl/sys/wl_linux.h
+index 5b1048e..c8c1f41 100644
+--- a/src/wl/sys/wl_linux.h
++++ b/src/wl/sys/wl_linux.h
+@@ -22,6 +22,7 @@
+ #define _wl_linux_h_
+ 
+ #include <wlc_types.h>
++#include <wlc_pub.h>
+ 
+ typedef struct wl_timer {
+ 	struct timer_list 	timer;
+@@ -187,6 +188,7 @@ extern irqreturn_t wl_isr(int irq, void *dev_id, struct pt_regs *ptregs);
+ extern int __devinit wl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent);
+ extern void wl_free(wl_info_t *wl);
+ extern int  wl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd);
++extern int wlc_ioctl_internal(struct net_device *dev, int cmd, void *buf, int len);
+ extern struct net_device * wl_netdev_get(wl_info_t *wl);
+ 
+ #endif 
+diff --git a/src/wl/sys/wlc_pub.h b/src/wl/sys/wlc_pub.h
+index 53a98b8..2b5a029 100644
+--- a/src/wl/sys/wlc_pub.h
++++ b/src/wl/sys/wlc_pub.h
+@@ -24,6 +24,7 @@
+ 
+ #include <wlc_types.h>
+ #include <wlc_utils.h>
++#include <siutils.h>
+ #include "proto/802.11.h"
+ #include "proto/bcmevent.h"
+ 
diff --git a/pkgs/os-specific/linux/btfs/default.nix b/pkgs/os-specific/linux/btfs/default.nix
index b4107e8ba00..342272f4286 100644
--- a/pkgs/os-specific/linux/btfs/default.nix
+++ b/pkgs/os-specific/linux/btfs/default.nix
@@ -1,27 +1,27 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig
-, python3, boost, fuse, libtorrentRasterbar, curl }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config
+, python3, boost, fuse, libtorrent-rasterbar, curl }:
 
 stdenv.mkDerivation rec {
   pname = "btfs";
-  version = "2.22";
+  version = "2.24";
 
   src = fetchFromGitHub {
     owner  = "johang";
     repo   = pname;
     rev    = "v${version}";
-    sha256 = "1z88bk1z4sns3jdn56x83mvh06snxg0lr5h4v0c24lzlf5wbdifz";
+    sha256 = "sha256-fkS0U/MqFRQNi+n7NE4e1cnNICvfST2IQ9FMoJUyj6w=";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [
-    boost fuse libtorrentRasterbar curl python3
+    boost fuse libtorrent-rasterbar curl python3
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A bittorrent filesystem based on FUSE";
     homepage    = "https://github.com/johang/btfs";
     license     = licenses.gpl3;
     maintainers = with maintainers; [ rnhmjoj ];
-    platforms   = platforms.linux;
+    platforms   = platforms.unix;
   };
 }
diff --git a/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch b/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch
deleted file mode 100644
index 029333b57e4..00000000000
--- a/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From c29b637b55c93214993f40b1a223233d40b8a7d6 Mon Sep 17 00:00:00 2001
-From: Maximilian Bosch <maximilian@mbosch.me>
-Date: Wed, 19 Feb 2020 22:32:28 +0100
-Subject: [PATCH] Fix build with glibc 2.31
-
-This is derived from the corresponding upstream patch[1], however this
-one doesn't apply cleanly on busybox-1.31.1, so I rebased the patch
-locally and added it directly to nixpkgs.
-
-[1] https://git.busybox.net/busybox/patch/?id=d3539be8f27b8cbfdfee460fe08299158f08bcd9
----
- coreutils/date.c         | 2 +-
- libbb/missing_syscalls.c | 8 --------
- util-linux/rdate.c       | 8 ++++++--
- 3 files changed, 7 insertions(+), 11 deletions(-)
-
-diff --git a/coreutils/date.c b/coreutils/date.c
-index 3414d38..931b7f9 100644
---- a/coreutils/date.c
-+++ b/coreutils/date.c
-@@ -303,7 +303,7 @@ int date_main(int argc UNUSED_PARAM, char **argv)
- 		ts.tv_sec = validate_tm_time(date_str, &tm_time);
- 
- 		/* if setting time, set it */
--		if ((opt & OPT_SET) && stime(&ts.tv_sec) < 0) {
-+		if ((opt & OPT_SET) && clock_settime(CLOCK_REALTIME, &ts) < 0) {
- 			bb_perror_msg("can't set date");
- 		}
- 	}
-diff --git a/libbb/missing_syscalls.c b/libbb/missing_syscalls.c
-index 87cf59b..dc40d91 100644
---- a/libbb/missing_syscalls.c
-+++ b/libbb/missing_syscalls.c
-@@ -15,14 +15,6 @@ pid_t getsid(pid_t pid)
- 	return syscall(__NR_getsid, pid);
- }
- 
--int stime(const time_t *t)
--{
--	struct timeval tv;
--	tv.tv_sec = *t;
--	tv.tv_usec = 0;
--	return settimeofday(&tv, NULL);
--}
--
- int sethostname(const char *name, size_t len)
- {
- 	return syscall(__NR_sethostname, name, len);
-diff --git a/util-linux/rdate.c b/util-linux/rdate.c
-index 70f829e..878375d 100644
---- a/util-linux/rdate.c
-+++ b/util-linux/rdate.c
-@@ -95,9 +95,13 @@ int rdate_main(int argc UNUSED_PARAM, char **argv)
- 	if (!(flags & 2)) { /* no -p (-s may be present) */
- 		if (time(NULL) == remote_time)
- 			bb_error_msg("current time matches remote time");
--		else
--			if (stime(&remote_time) < 0)
-+		else {
-+			struct timespec ts;
-+			ts.tv_sec = remote_time;
-+			ts.tv_nsec = 0;
-+			if (clock_settime(CLOCK_REALTIME, &ts) < 0)
- 				bb_perror_msg_and_die("can't set time of day");
-+		}
- 	}
- 
- 	if (flags != 1) /* not lone -s */
--- 
-2.25.0
-
diff --git a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch b/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
deleted file mode 100644
index d11cd670d5e..00000000000
--- a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Tue, 19 May 2020 18:20:39 +0100
-Subject: [PATCH] wget: implement TLS verification with
- ENABLE_FEATURE_WGET_OPENSSL
-
-When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
-verification by default. And only ignore verification errors, if
---no-check-certificate was passed.
-
-Also note, that previously OPENSSL implementation did not implement
-TLS verification, nor printed any warning messages that verification
-was not performed.
-
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
-
-CVE-2018-1000500
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
----
- networking/wget.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/networking/wget.c b/networking/wget.c
-index f2fc9e215..6a8c08324 100644
---- a/networking/wget.c
-+++ b/networking/wget.c
-@@ -91,6 +91,9 @@
- //config:	patches, but do want to waste bandwidth expaining how wrong
- //config:	it is, you will be ignored.
- //config:
-+//config:	FEATURE_WGET_OPENSSL does implement TLS verification
-+//config:	using the certificates available to OpenSSL.
-+//config:
- //config:config FEATURE_WGET_OPENSSL
- //config:	bool "Try to connect to HTTPS using openssl"
- //config:	default y
-@@ -115,6 +118,9 @@
- //config:	If openssl can't be executed, internal TLS code will be used
- //config:	(if you enabled it); if openssl can be executed but fails later,
- //config:	wget can't detect this, and download will fail.
-+//config:
-+//config:	By default TLS verification is performed, unless
-+//config:	--no-check-certificate option is passed.
- 
- //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
- 
-@@ -124,8 +130,11 @@
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
- //usage:       "	[-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
-+//usage:	IF_FEATURE_WGET_OPENSSL(
-+//usage:       "	[--no-check-certificate]\n"
-+//usage:	)
- /* Since we ignore these opts, we don't show them in --help */
--/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
-+/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
- /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
- //usage:       "	[-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
- //usage:	)
-@@ -137,7 +146,9 @@
- //usage:       "Retrieve files via HTTP or FTP\n"
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
--///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
-+//usage:	IF_FEATURE_WGET_OPENSSL(
-+//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
-+//usage:	)
- //usage:	)
- //usage:     "\n	-c		Continue retrieval of aborted transfer"
- //usage:     "\n	-q		Quiet"
-@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 	pid = xvfork();
- 	if (pid == 0) {
- 		/* Child */
--		char *argv[8];
-+		char *argv[9];
- 
- 		close(sp[0]);
- 		xmove_fd(sp[1], 0);
-@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 			argv[5] = (char*)"-servername";
- 			argv[6] = (char*)servername;
- 		}
-+		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
-+			argv[7] = (char*)"-verify_return_error";
-+		}
- 
- 		BB_EXECVP(argv[0], argv);
- 		xmove_fd(3, 2);
--- 
-2.28.0
-
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 728d2d49118..4949cd7c14a 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, lib, buildPackages, fetchurl, fetchzip
-, enableStatic ? false
+{ stdenv, lib, buildPackages, fetchurl, fetchFromGitLab
+, enableStatic ? stdenv.hostPlatform.isStatic
 , enableMinimal ? false
 # Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
 # nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist
@@ -32,27 +32,31 @@ let
     CONFIG_FEATURE_WTMP n
   '';
 
-  debianName = "busybox_1.30.1-5";
-  debianTarball = fetchzip {
-    url = "http://deb.debian.org/debian/pool/main/b/busybox/${debianName}.debian.tar.xz";
-    sha256 = "03m4rvs2pd0hj0mdkdm3r4m1gh0bgwr0cvnqds297xnkfi5s01nx";
+  # The debian version lags behind the upstream version and also contains
+  # a debian-specific suffix. We only fetch the debian repository to get the
+  # default.script
+  debianVersion = "1.30.1-6";
+  debianSource = fetchFromGitLab {
+    domain = "salsa.debian.org";
+    owner = "installer-team";
+    repo = "busybox";
+    rev = "debian/1%${debianVersion}";
+    sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
   };
-  debianDispatcherScript = "${debianTarball}/tree/udhcpc/etc/udhcpc/default.script";
+  debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
   outDispatchPath = "$out/default.script";
 in
 
 stdenv.mkDerivation rec {
-  # TODO: When bumping this version, please validate whether the wget patch is present upstream
-  # and remove the patch if it is. The patch should be present upstream for all versions 1.32.0+.
-  # See NixOs/nixpkgs#94722 for context.
-  name = "busybox-1.31.1";
+  pname = "busybox";
+  version = "1.33.1";
 
   # Note to whoever is updating busybox: please verify that:
   # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
   # still builds after the update.
   src = fetchurl {
-    url = "https://busybox.net/downloads/${name}.tar.bz2";
-    sha256 = "1659aabzp8w4hayr4z8kcpbk2z1q2wqhw7i1yb0l72b45ykl1yfh";
+    url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2";
+    sha256 = "0a0dcvsh7nxnhxc5y73fky0z30i9p7r30qfidm2akn0n5fywdkhj";
   };
 
   hardeningDisable = [ "format" "pie" ]
@@ -60,9 +64,7 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./busybox-in-store.patch
-    ./0001-Fix-build-with-glibc-2.31.patch
-    ./0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
-  ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
 
   postPatch = "patchShebangs .";
 
@@ -116,9 +118,11 @@ stdenv.mkDerivation rec {
     logger() { '$out'/bin/logger "$@"; }\
     ' ${debianDispatcherScript} > ${outDispatchPath}
     chmod 555 ${outDispatchPath}
-    PATH=$out/bin patchShebangs ${outDispatchPath}
+    HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath}
   '';
 
+  strictDeps = true;
+
   depsBuildBuild = [ buildPackages.stdenv.cc ];
 
   buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [ stdenv.cc.libc stdenv.cc.libc.static ];
@@ -127,10 +131,10 @@ stdenv.mkDerivation rec {
 
   doCheck = false; # tries to access the net
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tiny versions of common UNIX utilities in a single small executable";
     homepage = "https://busybox.net/";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     maintainers = with maintainers; [ TethysSvensson ];
     platforms = platforms.linux;
     priority = 10;
diff --git a/pkgs/os-specific/linux/busybox/sandbox-shell.nix b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
index 036ea0a0f48..fa70e5f91d8 100644
--- a/pkgs/os-specific/linux/busybox/sandbox-shell.nix
+++ b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
@@ -1,4 +1,4 @@
-{ busybox, stdenv}:
+{ busybox}:
 
 # Minimal shell for use as basic /bin/sh in sandbox builds
 busybox.override {
@@ -8,6 +8,7 @@ busybox.override {
     CONFIG_FEATURE_FANCY_ECHO y
     CONFIG_FEATURE_SH_MATH y
     CONFIG_FEATURE_SH_MATH_64 y
+    CONFIG_FEATURE_TEST_64 y
 
     CONFIG_ASH y
     CONFIG_ASH_OPTIMIZE_FOR_SIZE y
diff --git a/pkgs/os-specific/linux/cachefilesd/default.nix b/pkgs/os-specific/linux/cachefilesd/default.nix
index 27fd8c9613a..6c52eb4a7f6 100644
--- a/pkgs/os-specific/linux/cachefilesd/default.nix
+++ b/pkgs/os-specific/linux/cachefilesd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "cachefilesd";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     "MANDIR=$(out)/share/man"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Local network file caching management daemon";
     homepage = "https://people.redhat.com/dhowells/fscache/";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/can-isotp/default.nix b/pkgs/os-specific/linux/can-isotp/default.nix
index 7f16ecb9e6d..9c30aae86fe 100644
--- a/pkgs/os-specific/linux/can-isotp/default.nix
+++ b/pkgs/os-specific/linux/can-isotp/default.nix
@@ -1,16 +1,16 @@
-{ stdenv, kernel, fetchFromGitHub }:
+{ lib, stdenv, kernel, fetchFromGitHub }:
 
 stdenv.mkDerivation {
   pname = "can-isotp";
-  version = "20180629";
+  version = "20200910";
 
   hardeningDisable = [ "pic" ];
-  
+
   src = fetchFromGitHub {
     owner = "hartkopp";
     repo = "can-isotp";
-    rev = "6003f9997587e6a563cebf1f246bcd0eb6deff3d";
-    sha256 = "0b2pqb0vd1wgv2zpl7lvfavqkzr8mrwhrv7zdqkq3rz9givcv8w7";
+    rev = "21a3a59e2bfad246782896841e7af042382fcae7";
+    sha256 = "1laax93czalclg7cy9iq1r7hfh9jigh7igj06y9lski75ap2vhfq";
   };
 
   KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
@@ -25,12 +25,12 @@ stdenv.mkDerivation {
   '';
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
-  
-  meta = with stdenv.lib; {
+
+  meta = with lib; {
     description = "Kernel module for ISO-TP (ISO 15765-2)";
     homepage = "https://github.com/hartkopp/can-isotp";
     license = licenses.gpl2;
     platforms = platforms.linux;
     maintainers = [ maintainers.evck ];
   };
-}  
+}
diff --git a/pkgs/os-specific/linux/can-utils/default.nix b/pkgs/os-specific/linux/can-utils/default.nix
index 2b6b82591b5..90261e82904 100644
--- a/pkgs/os-specific/linux/can-utils/default.nix
+++ b/pkgs/os-specific/linux/can-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation {
   pname = "can-utils";
@@ -21,7 +21,7 @@ stdenv.mkDerivation {
 
   preConfigure = ''makeFlagsArray+=(PREFIX="$out")'';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "CAN userspace utilities and tools (for use with Linux SocketCAN)";
     homepage = "https://github.com/linux-can/can-utils";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/catfs/default.nix b/pkgs/os-specific/linux/catfs/default.nix
new file mode 100644
index 00000000000..dbb525e0e29
--- /dev/null
+++ b/pkgs/os-specific/linux/catfs/default.nix
@@ -0,0 +1,47 @@
+{ lib, rustPlatform, fetchFromGitHub
+, fetchpatch
+, fuse
+, pkg-config
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "catfs";
+  version = "unstable-2020-03-21";
+
+  src = fetchFromGitHub {
+    owner = "kahing";
+    repo = pname;
+    rev = "daa2b85798fa8ca38306242d51cbc39ed122e271";
+    sha256 = "0zca0c4n2p9s5kn8c9f9lyxdf3df88a63nmhprpgflj86bh8wgf5";
+  };
+
+  cargoSha256 = "1agcwq409s40kyij487wjrp8mj7942r9l2nqwks4xqlfb0bvaimf";
+
+  cargoPatches = [
+    # update cargo lock
+    (fetchpatch {
+      url = "https://github.com/kahing/catfs/commit/f838c1cf862cec3f1d862492e5be82b6dbe16ac5.patch";
+      sha256 = "1r1p0vbr3j9xyj9r1ahipg4acii3m4ni4m9mp3avbi1rfgzhblhw";
+    })
+  ];
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs = [ fuse ];
+
+  # require fuse module to be active to run tests
+  # instead, run command
+  doCheck = false;
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/catfs --help > /dev/null
+  '';
+
+  meta = with lib; {
+    description = "Caching filesystem written in Rust";
+    homepage = "https://github.com/kahing/catfs";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ jonringer ];
+  };
+}
diff --git a/pkgs/os-specific/linux/checkpolicy/default.nix b/pkgs/os-specific/linux/checkpolicy/default.nix
index fc2faa5b8f5..c3d8928c7ba 100644
--- a/pkgs/os-specific/linux/checkpolicy/default.nix
+++ b/pkgs/os-specific/linux/checkpolicy/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, bison, flex, libsepol }:
+{ lib, stdenv, fetchurl, bison, flex, libsepol }:
 
 stdenv.mkDerivation rec {
   pname = "checkpolicy";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
 
   makeFlags = [
     "PREFIX=$(out)"
-    "LIBSEPOLA=${stdenv.lib.getLib libsepol}/lib/libsepol.a"
+    "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
   ];
 
   meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index f94e6d72d59..e0a65589571 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,23 +1,23 @@
-{ stdenv, fetchFromGitHub, makeWrapper, file, findutils
+{ lib, stdenv, fetchFromGitHub, makeWrapper, file, findutils
 , binutils-unwrapped, glibc, coreutils, sysctl, openssl
 }:
 
 stdenv.mkDerivation rec {
   pname = "checksec";
-  version = "2.2.2";
+  version = "2.4.0";
 
   src = fetchFromGitHub {
     owner = "slimm609";
     repo = "checksec.sh";
     rev = version;
-    sha256 = "0gm438sfh84bif5d40wvaqrfl4dh3fxjvnjk9ab33al8ws3afpsj";
+    sha256 = "1gbbq85d3g3mnm3xvgvi2085aba7qc3cmsbwn76al50ax1518j2q";
   };
 
   patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ];
   nativeBuildInputs = [ makeWrapper ];
 
   installPhase = let
-    path = stdenv.lib.makeBinPath [
+    path = lib.makeBinPath [
       findutils file binutils-unwrapped sysctl openssl
     ];
   in ''
@@ -29,9 +29,9 @@ stdenv.mkDerivation rec {
       --prefix PATH : ${path}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A tool for checking security bits on executables";
-    homepage    = "http://www.trapkit.de/tools/checksec.html";
+    homepage    = "https://www.trapkit.de/tools/checksec/";
     license     = licenses.bsd3;
     platforms   = platforms.linux;
     maintainers = with maintainers; [ thoughtpolice globin ];
diff --git a/pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch b/pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch
index 03ec2b1df64..c2e33dbde66 100644
--- a/pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch
+++ b/pkgs/os-specific/linux/chromium-os/common-mk/0001-common-mk-don-t-leak-source-absolute-paths.patch
@@ -1,7 +1,7 @@
 From ae0c98ed2715c685b0cb97ac6e5d65101168b625 Mon Sep 17 00:00:00 2001
 From: Alyssa Ross <hi@alyssa.is>
 Date: Sun, 24 Nov 2019 16:56:11 +0000
-Subject: [PATCH 1/4] common-mk: don't leak source-absolute paths
+Subject: [PATCH 1/6] common-mk: don't leak source-absolute paths
 
 Source-absolute paths like //vm_tools/whatever were being leaked to
 subprocesses, which of course didn't know how to understand them.
@@ -203,5 +203,5 @@ index e64aedabe0..fb9fb4231d 100644
    }
  }
 -- 
-2.31.1
+2.32.0
 
diff --git a/pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch b/pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch
index 95f29531fec..a6ac5b1e9ac 100644
--- a/pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch
+++ b/pkgs/os-specific/linux/chromium-os/common-mk/0002-common-mk-.gn-don-t-hardcode-env-path.patch
@@ -1,7 +1,7 @@
 From 7d33bcd724ec79d00281c2752f9642be25782370 Mon Sep 17 00:00:00 2001
 From: Alyssa Ross <hi@alyssa.is>
 Date: Sun, 24 Nov 2019 17:20:46 +0000
-Subject: [PATCH 2/4] common-mk: .gn: don't hardcode env path
+Subject: [PATCH 2/6] common-mk: .gn: don't hardcode env path
 
 This is needlessly non-portable.
 ---
@@ -19,5 +19,5 @@ index e7dba8c91c..e29fcd61ee 100644
 -script_executable = "/usr/bin/env"
 +script_executable = "env"
 -- 
-2.31.1
+2.32.0
 
diff --git a/pkgs/os-specific/linux/chromium-os/crosvm/default.nix b/pkgs/os-specific/linux/chromium-os/crosvm/default.nix
index f8b6b13e694..25fa4e2d937 100644
--- a/pkgs/os-specific/linux/chromium-os/crosvm/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/crosvm/default.nix
@@ -1,6 +1,6 @@
 { stdenv, lib, rustPlatform, fetchFromGitiles, upstreamInfo
-, pkgconfig, minigbm, minijail, wayland, wayland-protocols, dtc, libusb1, libcap
-, linux
+, pkg-config, minigbm, minijail, wayland, wayland-protocols, dtc, libusb1
+, libcap, linux
 }:
 
 let
@@ -45,9 +45,9 @@ in
       ./VIRTIO_NET_F_MAC.patch
     ];
 
-    cargoSha256 = "1hw9r7vggvn8p0sy4k0i2ijpyk0yb11qww6s6d6wdfvrl1ksbapl";
+    cargoSha256 = "1yhxw19niqwipi1fbrskrpvhs915lrs8sdcpknmqd9izq67r3a06";
 
-    nativeBuildInputs = [ pkgconfig wayland ];
+    nativeBuildInputs = [ pkg-config wayland ];
 
     buildInputs = [ dtc libcap libusb1 minigbm minijail wayland wayland-protocols ];
 
@@ -67,7 +67,7 @@ in
 
     CROSVM_CARGO_TEST_KERNEL_BINARY =
       lib.optionalString (stdenv.buildPlatform == stdenv.hostPlatform)
-        "${linux}/${stdenv.hostPlatform.platform.kernelTarget}";
+        "${linux}/${stdenv.hostPlatform.linux-kernel.target}";
 
     passthru = {
       inherit srcs;
diff --git a/pkgs/os-specific/linux/chromium-os/default.nix b/pkgs/os-specific/linux/chromium-os/default.nix
index 6eb9f335ff3..efdf600756f 100644
--- a/pkgs/os-specific/linux/chromium-os/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/default.nix
@@ -30,7 +30,8 @@ let
     };
 
     linux_5_4 = callPackage ../kernel/linux-cros.nix {
-      inherit (linux_5_4) kernelPatches;
+      kernelPatches =
+        lib.remove kernelPatches.rtl8761b_support linux_5_4.kernelPatches;
     };
 
     linux = self.linux_5_4;
diff --git a/pkgs/os-specific/linux/chromium-os/libqmi/default.nix b/pkgs/os-specific/linux/chromium-os/libqmi/default.nix
index ec4f44c7047..b96b5224b57 100644
--- a/pkgs/os-specific/linux/chromium-os/libqmi/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/libqmi/default.nix
@@ -13,7 +13,9 @@ libqmi.overrideAttrs (
     nativeBuildInputs = nativeBuildInputs ++
       [ autoreconfHook autoconf-archive gtk-doc docbook-xsl-nons ];
 
-    configureFlags = configureFlags ++ [ "--enable-gtk-doc" ];
+    # ModemManager tests fail with QRTR in Chromium OS 91.
+    # Will hopefully be fixed in CrOS 92.
+    configureFlags = configureFlags ++ [ "--enable-gtk-doc" "--disable-qrtr" ];
 
     passthru = passthru // {
       updateScript = ../update.py;
diff --git a/pkgs/os-specific/linux/chromium-os/modem-manager/default.nix b/pkgs/os-specific/linux/chromium-os/modem-manager/default.nix
index c6a5a44b67e..f1d6cbdd465 100644
--- a/pkgs/os-specific/linux/chromium-os/modem-manager/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/modem-manager/default.nix
@@ -15,6 +15,8 @@ modemmanager.overrideAttrs (
       sha256 = "12wlak8zx914zix4vv5a8sl0nyi58v7593h4gjchgv3i8ysgj9ah";
     };
 
+    patches = [];
+
     nativeBuildInputs = nativeBuildInputs ++ [ autoreconfHook libtool intltool libxslt ];
     buildInputs = buildInputs ++ [ dbus_glib ];
 
diff --git a/pkgs/os-specific/linux/chromium-os/modem-manager/next.nix b/pkgs/os-specific/linux/chromium-os/modem-manager/next.nix
index 17d95c2b3bc..d008470b682 100644
--- a/pkgs/os-specific/linux/chromium-os/modem-manager/next.nix
+++ b/pkgs/os-specific/linux/chromium-os/modem-manager/next.nix
@@ -1,5 +1,5 @@
-{ modemmanager, lib, fetchFromGitiles, upstreamInfo, autoreconfHook
-, autoconf-archive, libqmi, libxslt
+{ modemmanager, lib, fetchFromGitiles, upstreamInfo
+, autoreconfHook, autoconf-archive, gtk-doc, libqmi, libxslt
 }:
 
 (modemmanager.override { inherit libqmi; }).overrideAttrs (
@@ -12,7 +12,7 @@
       upstreamInfo.components."src/third_party/modemmanager-next";
 
     nativeBuildInputs = nativeBuildInputs ++
-      [ autoreconfHook autoconf-archive libxslt ];
+      [ autoreconfHook autoconf-archive gtk-doc libxslt ];
 
     passthru = passthru // {
       updateScript = ../update.py;
diff --git a/pkgs/os-specific/linux/chromium-os/sommelier/0003-sommelier-don-t-leak-source-absolute-paths.patch b/pkgs/os-specific/linux/chromium-os/sommelier/0005-sommelier-don-t-leak-source-absolute-paths.patch
index c37876988f9..d40ff8f022c 100644
--- a/pkgs/os-specific/linux/chromium-os/sommelier/0003-sommelier-don-t-leak-source-absolute-paths.patch
+++ b/pkgs/os-specific/linux/chromium-os/sommelier/0005-sommelier-don-t-leak-source-absolute-paths.patch
@@ -1,7 +1,7 @@
-From e3995d3367ae642f3eb0b4c395813af47464a65f Mon Sep 17 00:00:00 2001
+From 04bdfd44bbaa9f619d3ff03cad3273c46493396e Mon Sep 17 00:00:00 2001
 From: Alyssa Ross <hi@alyssa.is>
 Date: Sun, 1 Dec 2019 17:04:04 +0000
-Subject: [PATCH 3/4] sommelier: don't leak source-absolute paths
+Subject: [PATCH 5/6] sommelier: don't leak source-absolute paths
 
 ---
  vm_tools/sommelier/wayland_protocol.gni | 2 +-
@@ -21,5 +21,5 @@ index f894adf81d..28bb5a006b 100644
      }
    }
 -- 
-2.31.1
+2.32.0
 
diff --git a/pkgs/os-specific/linux/chromium-os/sommelier/0004-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch b/pkgs/os-specific/linux/chromium-os/sommelier/0006-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
index 5db01538eae..c7b1eeafc0d 100644
--- a/pkgs/os-specific/linux/chromium-os/sommelier/0004-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
+++ b/pkgs/os-specific/linux/chromium-os/sommelier/0006-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
@@ -1,7 +1,7 @@
-From ac39fe3d341cc33dfd5f47d5301c2a6aaf743a34 Mon Sep 17 00:00:00 2001
+From e97193872755e44aae51dd88e9323d8a069a40ca Mon Sep 17 00:00:00 2001
 From: Alyssa Ross <hi@alyssa.is>
 Date: Fri, 2 Apr 2021 17:55:55 +0000
-Subject: [PATCH 4/4] Revert "Revert "vm_tools: sommelier: Switch to the stable
+Subject: [PATCH 6/6] Revert "Revert "vm_tools: sommelier: Switch to the stable
  version of xdg-shell""
 
 This reverts commit 32050c0ea6c00c16999915856b40a6a6b8b41bb9.
@@ -1836,5 +1836,5 @@ index 79bcf6a3b3..d3157cd8a9 100644
    struct wl_list link;
  };
 -- 
-2.31.1
+2.32.0
 
diff --git a/pkgs/os-specific/linux/chromium-os/sommelier/default.nix b/pkgs/os-specific/linux/chromium-os/sommelier/default.nix
index c995689c4f5..b45ab330c34 100644
--- a/pkgs/os-specific/linux/chromium-os/sommelier/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/sommelier/default.nix
@@ -7,8 +7,8 @@ common-mk {
   platformSubdir = "vm_tools/sommelier";
 
   platform2Patches = [
-    ./0003-sommelier-don-t-leak-source-absolute-paths.patch
-    ./0004-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
+    ./0005-sommelier-don-t-leak-source-absolute-paths.patch
+    ./0006-Revert-Revert-vm_tools-sommelier-Switch-to-the-stabl.patch
   ];
 
   buildInputs = [
diff --git a/pkgs/os-specific/linux/chromium-os/vm_protos/0003-common-mk-add-goproto_library-source_relative-opt.patch b/pkgs/os-specific/linux/chromium-os/vm_protos/0003-common-mk-add-goproto_library-source_relative-opt.patch
new file mode 100644
index 00000000000..e921abd8032
--- /dev/null
+++ b/pkgs/os-specific/linux/chromium-os/vm_protos/0003-common-mk-add-goproto_library-source_relative-opt.patch
@@ -0,0 +1,48 @@
+From 211eea8e623c9e9beb61f38720c718f080bae883 Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Mon, 28 Jun 2021 17:10:46 +0000
+Subject: [PATCH 3/6] common-mk: add goproto_library source_relative opt
+
+We need this for the go_package changes in protoc-gen-go 1.5.x.  If we
+didn't use source-relative paths, the full module path would be
+repeated in the output location, so we'd get paths like
+src/chromiumos/vm_tools/vm_crash/chromiumos/vm_tools/vm_crash/vm_crash.pb.go.
+
+To avoid the duplication, we either need to set source_relative, or
+set proto_out_dir to just go/src.  The latter isn't workable, because
+then everything two libraries that both use common.proto will both
+generate outputs called "go/src/common.pb.go", which will upset GN.
+
+Reviewed-by: Cole Helbling <cole.e.helbling@outlook.com>
+---
+ common-mk/proto_library.gni | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/common-mk/proto_library.gni b/common-mk/proto_library.gni
+index fb9fb4231d..23645a134f 100644
+--- a/common-mk/proto_library.gni
++++ b/common-mk/proto_library.gni
+@@ -225,6 +225,9 @@ template("proto_library") {
+ #   proto_lib_dirs (optional)
+ #       Directories to search for protos a proto file depends on.
+ #       proto_in_dir and "${sysroot}/usr/share/proto" are added by default.
++#   source_relative (optional)
++#       If true, the output file is placed in the same relative directory as the
++#       input file (but under proto_out_dir).
+ template("goproto_library") {
+   action(target_name) {
+     forward_variables_from(invoker,
+@@ -254,6 +257,10 @@ template("goproto_library") {
+ 
+     go_plugin_parameters = []
+ 
++    if (defined(invoker.source_relative) && invoker.source_relative) {
++      go_plugin_parameters += [ "paths=source_relative" ]
++    }
++
+     if (defined(invoker.gen_grpc) && invoker.gen_grpc) {
+       go_plugin_parameters += [ "plugins=grpc" ]
+     }
+-- 
+2.32.0
+
diff --git a/pkgs/os-specific/linux/chromium-os/vm_protos/0004-vm_tools-proto-set-go_package-correctly.patch b/pkgs/os-specific/linux/chromium-os/vm_protos/0004-vm_tools-proto-set-go_package-correctly.patch
new file mode 100644
index 00000000000..d77bcf2bdef
--- /dev/null
+++ b/pkgs/os-specific/linux/chromium-os/vm_protos/0004-vm_tools-proto-set-go_package-correctly.patch
@@ -0,0 +1,102 @@
+From fae12c5b06864c0a9687320735c9bed9219c30c8 Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Wed, 16 Jun 2021 16:09:01 +0000
+Subject: [PATCH 4/6] vm_tools: proto: set go_package correctly
+
+protoc-gen-go 1.5.x has become a lot stricter about this.  We have to
+use import_mapping for common.proto because it ends up being included
+in multiple Go libraries.  I'm not sure why it needs to be built once
+per library, but that's the way it works.
+
+Reviewed-by: Cole Helbling <cole.e.helbling@outlook.com>
+---
+ vm_tools/proto/BUILD.gn       | 5 +++++
+ vm_tools/proto/tremplin.proto | 2 +-
+ vm_tools/proto/vm_crash.proto | 2 +-
+ vm_tools/proto/vm_guest.proto | 1 +
+ vm_tools/proto/vm_host.proto  | 1 +
+ 5 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/vm_tools/proto/BUILD.gn b/vm_tools/proto/BUILD.gn
+index 79c9b94c9f..aadc40165c 100644
+--- a/vm_tools/proto/BUILD.gn
++++ b/vm_tools/proto/BUILD.gn
+@@ -60,6 +60,8 @@ goproto_library("vm-crash-gorpcs") {
+   proto_in_dir = "./"
+   proto_out_dir = "go/src/chromiumos/vm_tools/vm_crash"
+   gen_grpc = true
++  source_relative = true
++  import_mapping = [ "common.proto=chromiumos/vm_tools/vm_crash" ]
+   sources = [
+     "${proto_in_dir}/common.proto",
+     "${proto_in_dir}/vm_crash.proto",
+@@ -97,6 +99,7 @@ goproto_library("tremplin-gorpcs") {
+   proto_in_dir = "./"
+   proto_out_dir = "go/src/chromiumos/vm_tools/tremplin_proto"
+   gen_grpc = true
++  source_relative = true
+   sources = [ "${proto_in_dir}/tremplin.proto" ]
+ }
+ 
+@@ -120,6 +123,8 @@ goproto_library("vm-gorpcs") {
+   proto_in_dir = "./"
+   proto_out_dir = "go/src/chromiumos/vm_tools/vm_rpc"
+   gen_grpc = true
++  source_relative = true
++  import_mapping = [ "common.proto=chromiumos/vm_tools/vm_rpc" ]
+   sources = [
+     "${proto_in_dir}/common.proto",
+     "${proto_in_dir}/vm_guest.proto",
+diff --git a/vm_tools/proto/tremplin.proto b/vm_tools/proto/tremplin.proto
+index aac76f7a9e..e6a7bbed0e 100644
+--- a/vm_tools/proto/tremplin.proto
++++ b/vm_tools/proto/tremplin.proto
+@@ -8,7 +8,7 @@ option cc_enable_arenas = true;
+ 
+ // This file defines services for tremplin, the container springboard service.
+ package vm_tools.tremplin;
+-option go_package = "tremplin_proto";
++option go_package = "chromiumos/vm_tools/tremplin_proto";
+ 
+ // This needs to be duplicated because the gyp rule for building
+ // go code makes it difficult to have imports.
+diff --git a/vm_tools/proto/vm_crash.proto b/vm_tools/proto/vm_crash.proto
+index 6e4f62fe13..3cd4279989 100644
+--- a/vm_tools/proto/vm_crash.proto
++++ b/vm_tools/proto/vm_crash.proto
+@@ -7,7 +7,7 @@ syntax = "proto3";
+ option cc_enable_arenas = true;
+ 
+ package vm_tools.cicerone;
+-option go_package = "vm_crash";
++option go_package = "chromiumos/vm_tools/vm_crash";
+ 
+ import "common.proto";
+ 
+diff --git a/vm_tools/proto/vm_guest.proto b/vm_tools/proto/vm_guest.proto
+index 86f11d0812..d0946078d5 100644
+--- a/vm_tools/proto/vm_guest.proto
++++ b/vm_tools/proto/vm_guest.proto
+@@ -8,6 +8,7 @@ option cc_enable_arenas = true;
+ 
+ // This file defines services that will be running in the guest VM.
+ package vm_tools;
++option go_package = "chromiumos/vm_tools/vm_rpc";
+ 
+ import "common.proto";
+ import "google/protobuf/timestamp.proto";
+diff --git a/vm_tools/proto/vm_host.proto b/vm_tools/proto/vm_host.proto
+index a8bd066f61..19759b0271 100644
+--- a/vm_tools/proto/vm_host.proto
++++ b/vm_tools/proto/vm_host.proto
+@@ -8,6 +8,7 @@ option cc_enable_arenas = true;
+ 
+ // This file defines services that will be running on the host for the VM.
+ package vm_tools;
++option go_package = "chromiumos/vm_tools/vm_rpc";
+ 
+ import "common.proto";
+ 
+-- 
+2.32.0
+
diff --git a/pkgs/os-specific/linux/chromium-os/vm_protos/default.nix b/pkgs/os-specific/linux/chromium-os/vm_protos/default.nix
index e87d0c57e78..cded9c988b3 100644
--- a/pkgs/os-specific/linux/chromium-os/vm_protos/default.nix
+++ b/pkgs/os-specific/linux/chromium-os/vm_protos/default.nix
@@ -7,6 +7,11 @@ common-mk {
   nativeBuildInputs = [ go-protobuf ];
   buildInputs = [ grpc openssl protobuf ];
 
+  platform2Patches = [
+    ./0003-common-mk-add-goproto_library-source_relative-opt.patch
+    ./0004-vm_tools-proto-set-go_package-correctly.patch
+  ];
+
   NIX_CFLAGS_COMPILE = [
     "-Wno-error=array-bounds"
     "-Wno-error=deprecated-declarations"
diff --git a/pkgs/os-specific/linux/cifs-utils/default.nix b/pkgs/os-specific/linux/cifs-utils/default.nix
index ad136b811df..8c587a40196 100644
--- a/pkgs/os-specific/linux/cifs-utils/default.nix
+++ b/pkgs/os-specific/linux/cifs-utils/default.nix
@@ -1,23 +1,27 @@
-{ stdenv, fetchurl, autoreconfHook, docutils, pkgconfig
-, kerberos, keyutils, pam, talloc }:
+{ stdenv, lib, fetchurl, autoreconfHook, docutils, pkg-config
+, libkrb5, keyutils, pam, talloc, python3 }:
 
 stdenv.mkDerivation rec {
   pname = "cifs-utils";
-  version = "6.9";
+  version = "6.13";
 
   src = fetchurl {
     url = "mirror://samba/pub/linux-cifs/cifs-utils/${pname}-${version}.tar.bz2";
-    sha256 = "175cp509wn1zv8p8mv37hkf6sxiskrsxdnq22mhlsg61jazz3n0q";
+    sha256 = "sha256-Q9h4bIYTysz6hJEwgcHWK8JAlXWFTPiVsFtIrwhj0FY=";
   };
 
-  nativeBuildInputs = [ autoreconfHook docutils pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook docutils pkg-config ];
 
-  buildInputs = [ kerberos keyutils pam talloc ];
+  buildInputs = [ libkrb5 keyutils pam talloc python3 ];
 
-  makeFlags = [ "root_sbindir=$(out)/sbin" ];
+  configureFlags = [ "ROOTSBINDIR=$(out)/sbin" ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    # AC_FUNC_MALLOC is broken on cross builds.
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ];
 
-  meta = with stdenv.lib; {
-    homepage = "http://www.samba.org/linux-cifs/cifs-utils/";
+  meta = with lib; {
+    homepage = "https://wiki.samba.org/index.php/LinuxCIFS_utils";
     description = "Tools for managing Linux CIFS client filesystems";
     platforms = platforms.linux;
     license = licenses.lgpl3;
diff --git a/pkgs/os-specific/linux/compsize/default.nix b/pkgs/os-specific/linux/compsize/default.nix
index dd54df77c34..9d0dbeffaee 100644
--- a/pkgs/os-specific/linux/compsize/default.nix
+++ b/pkgs/os-specific/linux/compsize/default.nix
@@ -1,30 +1,31 @@
-{ stdenv, fetchFromGitHub, btrfs-progs }:
+{ lib, stdenv, fetchFromGitHub, btrfs-progs }:
 
 stdenv.mkDerivation rec {
   pname = "compsize";
-  version = "1.3";
+  version = "1.5";
 
   src = fetchFromGitHub {
     owner = "kilobyte";
-    repo = "compsize";
+    repo = pname;
     rev = "v${version}";
-    sha256 = "1c69whla844nwis30jxbj00zkpiw3ccndhkmzjii8av5358mjn43";
+    sha256 = "sha256-OX41ChtHX36lVRL7O2gH21Dfw6GPPEClD+yafR/PFm8=";
   };
 
   buildInputs = [ btrfs-progs ];
 
-  installPhase = ''
-    mkdir -p $out/bin
+  installFlags = [
+    "PREFIX=${placeholder "out"}"
+  ];
+
+  preInstall = ''
     mkdir -p $out/share/man/man8
-    install -m 0755 compsize $out/bin
-    install -m 0444 compsize.8 $out/share/man/man8
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "btrfs: Find compression type/ratio on a file or set of files";
-    homepage    = "https://github.com/kilobyte/compsize";
-    license     = licenses.gpl2;
+    homepage = "https://github.com/kilobyte/compsize";
+    license = licenses.gpl2Plus;
     maintainers = with maintainers; [ CrazedProgrammer ];
-    platforms   = platforms.linux;
+    platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/conky/default.nix b/pkgs/os-specific/linux/conky/default.nix
index ee67140cd86..9bd8890e713 100644
--- a/pkgs/os-specific/linux/conky/default.nix
+++ b/pkgs/os-specific/linux/conky/default.nix
@@ -1,4 +1,4 @@
-{ config, stdenv, fetchFromGitHub, pkgconfig, cmake
+{ config, lib, stdenv, fetchFromGitHub, pkg-config, cmake
 
 # dependencies
 , glib, libXinerama
@@ -64,17 +64,17 @@ assert weatherMetarSupport -> curlSupport;
 assert weatherXoapSupport  -> curlSupport && libxml2 != null;
 assert journalSupport      -> systemd != null;
 
-with stdenv.lib;
+with lib;
 
 stdenv.mkDerivation rec {
   pname = "conky";
-  version = "1.11.6";
+  version = "1.12.2";
 
   src = fetchFromGitHub {
     owner = "brndnmtthws";
     repo = "conky";
     rev = "v${version}";
-    sha256 = "0y2g66fjqp2hdk0y1h4ijxhnv34j16gizvxpmbigwh4n6zijcm6v";
+    sha256 = "sha256-x6bR5E5LIvKWiVM15IEoUgGas/hcRp3F/O4MTOhVPb8=";
   };
 
   postPatch = ''
@@ -89,7 +89,7 @@ stdenv.mkDerivation rec {
 
   NIX_LDFLAGS = "-lgcc_s";
 
-  nativeBuildInputs = [ cmake pkgconfig ];
+  nativeBuildInputs = [ cmake pkg-config ];
   buildInputs = [ glib libXinerama ]
     ++ optionals docsSupport        [ docbook2x docbook_xsl docbook_xml_dtd_44 libxslt man less ]
     ++ optional  ncursesSupport     ncurses
@@ -133,7 +133,7 @@ stdenv.mkDerivation rec {
   # src/conky.cc:137:23: fatal error: defconfig.h: No such file or directory
   enableParallelBuilding = false;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://conky.sourceforge.net/";
     description = "Advanced, highly configurable system monitor based on torsmo";
     maintainers = [ maintainers.guibert ];
diff --git a/pkgs/os-specific/linux/conntrack-tools/default.nix b/pkgs/os-specific/linux/conntrack-tools/default.nix
index 80785015e76..0b14398e58f 100644
--- a/pkgs/os-specific/linux/conntrack-tools/default.nix
+++ b/pkgs/os-specific/linux/conntrack-tools/default.nix
@@ -1,6 +1,8 @@
-{ fetchurl, stdenv, flex, bison, pkgconfig, libmnl, libnfnetlink
+{ fetchurl, lib, stdenv, flex, bison, pkg-config, libmnl, libnfnetlink
 , libnetfilter_conntrack, libnetfilter_queue, libnetfilter_cttimeout
-, libnetfilter_cthelper, systemd }:
+, libnetfilter_cthelper, systemd
+, libtirpc
+}:
 
 stdenv.mkDerivation rec {
   pname = "conntrack-tools";
@@ -13,11 +15,11 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     libmnl libnfnetlink libnetfilter_conntrack libnetfilter_queue
-    libnetfilter_cttimeout libnetfilter_cthelper systemd
+    libnetfilter_cttimeout libnetfilter_cthelper systemd libtirpc
   ];
-  nativeBuildInputs = [ flex bison pkgconfig ];
+  nativeBuildInputs = [ flex bison pkg-config ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://conntrack-tools.netfilter.org/";
     description = "Connection tracking userspace tools";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/consoletools/default.nix b/pkgs/os-specific/linux/consoletools/default.nix
index 83de8f5ae1a..8def013b956 100644
--- a/pkgs/os-specific/linux/consoletools/default.nix
+++ b/pkgs/os-specific/linux/consoletools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, SDL }:
+{ lib, stdenv, fetchurl, SDL }:
 
 stdenv.mkDerivation rec {
   pname = "linuxconsoletools";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
 
   installFlags = [ "PREFIX=\"\"" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://sourceforge.net/projects/linuxconsole/";
     description = "A set of tools for joysticks and serial peripherals";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/conspy/default.nix b/pkgs/os-specific/linux/conspy/default.nix
index 32905b8ec39..480962024f7 100644
--- a/pkgs/os-specific/linux/conspy/default.nix
+++ b/pkgs/os-specific/linux/conspy/default.nix
@@ -1,13 +1,13 @@
-{stdenv, fetchurl, autoconf, automake, ncurses}:
+{lib, stdenv, fetchurl, autoconf, automake, ncurses}:
 let
   s = # Generated upstream information
   rec {
     baseName="conspy";
-    version="1.14";
+    version="1.16";
     name="${baseName}-${version}";
-    hash="069k26xpzsvrn3197ix5yd294zvz03zi2xqj4fip6rlsw74habsf";
-    url="mirror://sourceforge/project/conspy/conspy-1.14-1/conspy-1.14.tar.gz";
-    sha256="069k26xpzsvrn3197ix5yd294zvz03zi2xqj4fip6rlsw74habsf";
+    hash="02andak806vd04bgjlr0y0d2ddx7cazyf8nvca80vlh8x94gcppf";
+    url="mirror://sourceforge/project/conspy/conspy-1.16-1/conspy-1.16.tar.gz";
+    sha256="02andak806vd04bgjlr0y0d2ddx7cazyf8nvca80vlh8x94gcppf";
   };
   buildInputs = [
     autoconf automake ncurses
@@ -30,8 +30,8 @@ stdenv.mkDerivation {
   meta = {
     inherit (s) version;
     description = "Linux text console viewer";
-    license = stdenv.lib.licenses.epl10 ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.epl10 ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/cpufrequtils/default.nix b/pkgs/os-specific/linux/cpufrequtils/default.nix
index 4c0515e94b3..6f94d0f8925 100644
--- a/pkgs/os-specific/linux/cpufrequtils/default.nix
+++ b/pkgs/os-specific/linux/cpufrequtils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libtool, gettext }:
+{ lib, stdenv, fetchurl, libtool, gettext }:
 
 stdenv.mkDerivation rec {
   name = "cpufrequtils-008";
@@ -21,10 +21,10 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ stdenv.cc.libc.linuxHeaders libtool gettext ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tools to display or change the CPU governor settings";
     homepage = "http://ftp.be.debian.org/pub/linux/utils/kernel/cpufreq/cpufrequtils.html";
-    license = licenses.gpl2;
-    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    platforms = [ "x86_64-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/cpuid/default.nix b/pkgs/os-specific/linux/cpuid/default.nix
new file mode 100644
index 00000000000..ea9ae06130e
--- /dev/null
+++ b/pkgs/os-specific/linux/cpuid/default.nix
@@ -0,0 +1,50 @@
+{ lib, stdenv, fetchurl, perl }:
+
+stdenv.mkDerivation rec {
+  pname = "cpuid";
+  version = "20201006";
+
+  src = fetchurl {
+    name = "${pname}-${version}.src.tar.gz";
+    url = "http://etallen.com/cpuid/${pname}-${version}.src.tar.gz";
+    sha256 = "19jnkh57f979b78ak5mpxmdvnkgc33r55cw9shgd2hc380b3zi8k";
+  };
+
+  # For pod2man during the build process.
+  nativeBuildInputs = [ perl ];
+
+  # As runtime dependency for cpuinfo2cpuid.
+  buildInputs = [ perl ];
+
+  # The Makefile hardcodes $(BUILDROOT)/usr as installation
+  # destination. Just nuke all mentions of /usr to get the right
+  # installation location.
+  patchPhase = ''
+    sed -i -e 's,/usr/,/,' Makefile
+  '';
+
+  installPhase = ''
+    make install BUILDROOT=$out
+
+    if [ ! -x $out/bin/cpuid ]; then
+      echo Failed to properly patch Makefile.
+      exit 1
+    fi
+  '';
+
+  meta = {
+    description = "Linux tool to dump x86 CPUID information about the CPU";
+    longDescription = ''
+      cpuid dumps detailed information about the CPU(s) gathered from the CPUID
+      instruction, and also determines the exact model of CPU(s). It supports
+      Intel, AMD, VIA, Hygon, and Zhaoxin CPUs, as well as older Transmeta,
+      Cyrix, UMC, NexGen, Rise, and SiS CPUs.
+    '';
+
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    license = lib.licenses.gpl2;
+    homepage = "http://etallen.com/cpuid.html";
+    maintainers = with lib.maintainers; [ blitz ];
+  };
+
+}
diff --git a/pkgs/os-specific/linux/cpupower/default.nix b/pkgs/os-specific/linux/cpupower/default.nix
index b6ecaa11de2..cfc0ace8e0a 100644
--- a/pkgs/os-specific/linux/cpupower/default.nix
+++ b/pkgs/os-specific/linux/cpupower/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, buildPackages, kernel, pciutils, gettext }:
+{ lib, stdenv, buildPackages, kernel, pciutils, gettext }:
 
 stdenv.mkDerivation {
   pname = "cpupower";
@@ -20,7 +20,7 @@ stdenv.mkDerivation {
     "LD=${stdenv.cc.targetPrefix}cc"
   ];
 
-  installFlags = stdenv.lib.mapAttrsToList
+  installFlags = lib.mapAttrsToList
     (n: v: "${n}dir=${placeholder "out"}/${v}") {
     bin = "bin";
     sbin = "sbin";
@@ -35,7 +35,7 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tool to examine and tune power saving features";
     homepage = "https://www.kernel.org/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/cpuset/default.nix b/pkgs/os-specific/linux/cpuset/default.nix
index 0a9b38f2888..e82e3f5901c 100644
--- a/pkgs/os-specific/linux/cpuset/default.nix
+++ b/pkgs/os-specific/linux/cpuset/default.nix
@@ -1,27 +1,44 @@
-{ stdenv
+{ lib
 , fetchFromGitHub
-, python2Packages
+, fetchpatch
+, pythonPackages
 }:
 
-python2Packages.buildPythonApplication rec {
+pythonPackages.buildPythonApplication rec {
   pname = "cpuset";
-  version = "1.5.8";
+  version = "1.6";
 
-  propagatedBuildInputs = [ ];
+  propagatedBuildInputs = with pythonPackages; [
+    configparser
+    future
+  ];
+
+  # https://github.com/lpechacek/cpuset/pull/36
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/MawKKe/cpuset/commit/a4b6b275d0a43d2794ab9e82922d3431aeea9903.patch";
+      sha256 = "1mi1xrql81iczl67s4dk2rm9r1mk36qhsa19wn7zgryf95krsix2";
+    })
+  ];
 
   makeFlags = [ "prefix=$(out)" ];
 
   src = fetchFromGitHub {
-    owner = "wykurz";
+    owner = "lpechacek";
     repo = "cpuset";
     rev = "v${version}";
-    sha256 = "19fl2sn470yrnm2q508giggjwy5b6r2gd94gvwfbdlhf0r9dsbbm";
+    sha256 = "0ig0ml2zd5542d0989872vmy7cs3qg7nxwa93k42bdkm50amhar4";
   };
 
-  meta = with stdenv.lib; {
-    description = "Cpuset is a Python application that forms a wrapper around the standard Linux filesystem calls to make using the cpusets facilities in the Linux kernel easier.";
-    homepage    = "https://github.com/wykurz/cpuset";
+  checkPhase = ''
+    cd t
+    make
+  '';
+
+  meta = with lib; {
+    description = "Python application that forms a wrapper around the standard Linux filesystem calls to make using the cpusets facilities in the Linux kernel easier";
+    homepage    = "https://github.com/lpechacek/cpuset";
     license     = licenses.gpl2;
-    maintainers = with maintainers; [ wykurz ];
+    maintainers = with maintainers; [ thiagokokada wykurz ];
   };
 }
diff --git a/pkgs/os-specific/linux/cramfsprogs/default.nix b/pkgs/os-specific/linux/cramfsprogs/default.nix
index 8633823ab5c..3f3e8a075b1 100644
--- a/pkgs/os-specific/linux/cramfsprogs/default.nix
+++ b/pkgs/os-specific/linux/cramfsprogs/default.nix
@@ -1,4 +1,4 @@
-{ stdenv
+{ lib, stdenv
 , fetchurl
 , zlib
 }:
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ zlib ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tools to create, check, and extract content of CramFs images";
     homepage = "https://packages.debian.org/jessie/cramfsprogs";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/cramfsswap/default.nix b/pkgs/os-specific/linux/cramfsswap/default.nix
index afb38364c4e..f47482c1111 100644
--- a/pkgs/os-specific/linux/cramfsswap/default.nix
+++ b/pkgs/os-specific/linux/cramfsswap/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, zlib}:
+{lib, stdenv, fetchurl, zlib}:
 
 stdenv.mkDerivation rec {
   pname = "cramfsswap";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     install --target $out/bin -D cramfsswap
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Swap endianess of a cram filesystem (cramfs)";
     homepage = "https://packages.debian.org/sid/utils/cramfsswap";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/crda/default.nix b/pkgs/os-specific/linux/crda/default.nix
index 979b7cf1deb..c337da2fe72 100644
--- a/pkgs/os-specific/linux/crda/default.nix
+++ b/pkgs/os-specific/linux/crda/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, libgcrypt, libnl, pkgconfig, python3Packages, wireless-regdb }:
+{ lib, stdenv, fetchurl, fetchpatch, libgcrypt, libnl, pkg-config, python3Packages, wireless-regdb }:
 
 stdenv.mkDerivation rec {
   pname = "crda";
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ libgcrypt libnl ];
   nativeBuildInputs = [
-    pkgconfig
+    pkg-config
     python3Packages.pycrypto
   ];
 
@@ -58,7 +58,7 @@ stdenv.mkDerivation rec {
     rm $out/include/reglib/keys-gcrypt.h
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux wireless Central Regulatory Domain Agent";
     longDescription = ''
       CRDA acts as the udev helper for communication between the kernel and
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index 462658396c8..af772645824 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -1,24 +1,25 @@
 { stdenv, lib, fetchurl, protobuf, protobufc, asciidoc, iptables
-, xmlto, docbook_xsl, libpaper, libnl, libcap, libnet, pkgconfig
-, which, python, makeWrapper, docbook_xml_dtd_45 }:
+, xmlto, docbook_xsl, libpaper, libnl, libcap, libnet, pkg-config
+, which, python3, makeWrapper, docbook_xml_dtd_45, perl }:
 
 stdenv.mkDerivation rec {
   pname = "criu";
-  version = "3.14";
+  version = "3.15";
 
   src = fetchurl {
     url    = "https://download.openvz.org/criu/${pname}-${version}.tar.bz2";
-    sha256 = "1jrr3v99g18gc0hriz0avq6ccdvyya0j6wwz888sdsc4icc30gzn";
+    sha256 = "09d0j24x0cyc7wkgi7cnxqgfjk7kbdlm79zxpj8d356sa3rw2z24";
   };
 
   enableParallelBuilding = true;
-  nativeBuildInputs = [ pkgconfig docbook_xsl which makeWrapper docbook_xml_dtd_45 ];
-  buildInputs = [ protobuf protobufc asciidoc xmlto libpaper libnl libcap libnet python iptables ];
+  nativeBuildInputs = [ pkg-config docbook_xsl which makeWrapper docbook_xml_dtd_45 python3 python3.pkgs.wrapPython perl ];
+  buildInputs = [ protobuf protobufc asciidoc xmlto libpaper libnl libcap libnet iptables ];
+  propagatedBuildInputs = with python3.pkgs; [ python python3.pkgs.protobuf ];
 
   postPatch = ''
-    substituteInPlace ./Documentation/Makefile --replace "2>/dev/null" ""
-    substituteInPlace ./Documentation/Makefile --replace "-m custom.xsl" "-m custom.xsl --skip-validation -x ${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl"
-    substituteInPlace ./criu/Makefile --replace "-I/usr/include/libnl3" "-I${libnl.dev}/include/libnl3"
+    substituteInPlace ./Documentation/Makefile \
+      --replace "2>/dev/null" "" \
+      --replace "-m custom.xsl" "-m custom.xsl --skip-validation -x ${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl"
     substituteInPlace ./Makefile --replace "head-name := \$(shell git tag -l v\$(CRIU_VERSION))" "head-name = ${version}.0"
     ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto
   '';
@@ -39,13 +40,14 @@ stdenv.mkDerivation rec {
   postFixup = ''
     wrapProgram $out/bin/criu \
       --prefix PATH : ${lib.makeBinPath [ iptables ]}
+    wrapPythonPrograms
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Userspace checkpoint/restore for Linux";
     homepage    = "https://criu.org";
     license     = licenses.gpl2;
-    platforms   = [ "x86_64-linux" ];
+    platforms   = [ "x86_64-linux" "aarch64-linux" ];
     maintainers = [ maintainers.thoughtpolice ];
   };
 }
diff --git a/pkgs/os-specific/linux/cryptodev/default.nix b/pkgs/os-specific/linux/cryptodev/default.nix
index 321f00b0ef2..f09679ba212 100644
--- a/pkgs/os-specific/linux/cryptodev/default.nix
+++ b/pkgs/os-specific/linux/cryptodev/default.nix
@@ -1,14 +1,14 @@
-{ fetchurl, stdenv, kernel ? false }:
+{ fetchFromGitHub, lib, stdenv, kernel ? false }:
 
 stdenv.mkDerivation rec {
-  pname = "cryptodev-linux-1.9";
+  pname = "cryptodev-linux-1.12";
   name = "${pname}-${kernel.version}";
 
-  src = fetchurl {
-    urls = [
-      "http://nwl.cc/pub/cryptodev-linux/${pname}.tar.gz"
-    ];
-    sha256 = "0l3r8s71vkd0s2h01r7fhqnc3j8cqw4msibrdxvps9hfnd4hnk4z";
+  src = fetchFromGitHub {
+    owner = "cryptodev-linux";
+    repo = "cryptodev-linux";
+    rev = pname;
+    sha256 = "sha256-vJQ10rG5FGbeEOqCUmH/pZ0P77kAW/MtUarywbtIyHw=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -20,8 +20,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Device that allows access to Linux kernel cryptographic drivers";
     homepage = "http://cryptodev-linux.org/";
-    license = stdenv.lib.licenses.gpl2Plus;
-    platforms = stdenv.lib.platforms.linux;
-    broken = !stdenv.lib.versionOlder kernel.version "4.13";
+    maintainers = with lib.maintainers; [ fortuneteller2k ];
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix
index caa22b4df3e..e7304e19679 100644
--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -1,15 +1,15 @@
-{ stdenv, fetchurl, lvm2, json_c
-, openssl, libuuid, pkgconfig, popt }:
+{ lib, stdenv, fetchurl, lvm2, json_c
+, openssl, libuuid, pkg-config, popt }:
 
 stdenv.mkDerivation rec {
   pname = "cryptsetup";
-  version = "2.3.3";
+  version = "2.3.6";
 
   outputs = [ "out" "dev" "man" ];
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/cryptsetup/v2.3/${pname}-${version}.tar.xz";
-    sha256 = "1pw2bq4nv2z3xyycckxkbp7dp9kkp2n6bspna3plryg277z4zjiv";
+    sha256 = "sha256-spa3oh6ldsKxgGEcyxnQauyN3a7ffHBLDGqBIQwlY18=";
   };
 
   # Disable 4 test cases that fail in a sandbox
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
     "--with-crypto_backend=openssl"
   ];
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ lvm2 json_c openssl libuuid popt ];
 
   doCheck = true;
@@ -39,8 +39,8 @@ stdenv.mkDerivation rec {
   meta = {
     homepage = "https://gitlab.com/cryptsetup/cryptsetup/";
     description = "LUKS for dm-crypt";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = with stdenv.lib.maintainers; [ ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/cshatag/default.nix b/pkgs/os-specific/linux/cshatag/default.nix
new file mode 100644
index 00000000000..bc1b7f7ecf5
--- /dev/null
+++ b/pkgs/os-specific/linux/cshatag/default.nix
@@ -0,0 +1,32 @@
+{ lib, buildGoPackage, fetchFromGitHub }:
+
+buildGoPackage rec {
+  pname = "cshatag";
+  version = "2019-12-03";
+
+  goPackagePath = "github.com/rfjakob/cshatag";
+  goDeps = ./deps.nix;
+
+  src = fetchFromGitHub {
+    owner = "rfjakob";
+    repo = pname;
+    rev = "b169f0a9dd35a7381774eb176d4badf64d403560";
+    sha256 = "16kam3w75avh8khkk6jfdnxwggz2pw6ccv6v7d064j0fbb9y8x0v";
+  };
+
+  makeFlags = [ "PREFIX=$(out)" "GITVERSION=${version}" ];
+
+  postInstall = ''
+    # Install man page
+    cd go/src/${goPackagePath}
+    make install $makeFlags
+  '';
+
+  meta = with lib; {
+    description = "A tool to detect silent data corruption";
+    homepage = "https://github.com/rfjakob/cshatag";
+    license = licenses.mit;
+    platforms = platforms.linux;
+  };
+
+}
diff --git a/pkgs/os-specific/linux/cshatag/deps.nix b/pkgs/os-specific/linux/cshatag/deps.nix
new file mode 100644
index 00000000000..6daad985678
--- /dev/null
+++ b/pkgs/os-specific/linux/cshatag/deps.nix
@@ -0,0 +1,21 @@
+# This file was generated by https://github.com/kamilchm/go2nix v1.3.0
+[
+  {
+    goPackagePath = "github.com/pkg/xattr";
+    fetch = {
+      type = "git";
+      url = "https://github.com/pkg/xattr";
+      rev = "d304131d5e58ca76d8b31ceefbb0c85c7b2d2a36";
+      sha256 = "0bxskiai283zfra13z5f7q7f77zz2cgswaj6l6jr2nwnc3l5m80i";
+    };
+  }
+  {
+    goPackagePath = "golang.org/x/sys";
+    fetch = {
+      type = "git";
+      url = "https://go.googlesource.com/sys";
+      rev = "201ba4db2418b54b698efb4d8082dcb504617cdb";
+      sha256 = "1cqaiwp19kl38g4d6brfhi32822rhnh2q8x1j0i6yg7a8dzfvbz6";
+    };
+  }
+]
diff --git a/pkgs/os-specific/linux/dbus-broker/default.nix b/pkgs/os-specific/linux/dbus-broker/default.nix
index d84676bcda6..b7e0a6b6158 100644
--- a/pkgs/os-specific/linux/dbus-broker/default.nix
+++ b/pkgs/os-specific/linux/dbus-broker/default.nix
@@ -1,22 +1,24 @@
-{ stdenv, fetchFromGitHub, docutils, meson, ninja, pkgconfig
+{ lib, stdenv, fetchFromGitHub, docutils, meson, ninja, pkg-config
 , dbus, linuxHeaders, systemd }:
 
 stdenv.mkDerivation rec {
   pname = "dbus-broker";
-  version = "22";
+  version = "29";
 
   src = fetchFromGitHub {
     owner  = "bus1";
     repo   = "dbus-broker";
     rev    = "v${version}";
-    sha256 = "0vxr73afix5wjxy8g4cckwhl242rrlazm52673iwmdyfz5nskj2x";
+    sha256 = "1abbi8c0mgdqjidlp2wnmy0a88xv173hq88sh5m966c5r1h6alkq";
     fetchSubmodules = true;
   };
 
-  nativeBuildInputs = [ docutils meson ninja pkgconfig ];
+  nativeBuildInputs = [ docutils meson ninja pkg-config ];
 
   buildInputs = [ dbus linuxHeaders systemd ];
 
+  mesonFlags = [ "-D=system-console-users=gdm,sddm,lightdm" ];
+
   PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
   PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "${placeholder "out"}/lib/systemd/user";
   PKG_CONFIG_SYSTEMD_CATALOGDIR = "${placeholder "out"}/lib/systemd/catalog";
@@ -30,7 +32,7 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux D-Bus Message Broker";
     homepage    = "https://github.com/bus1/dbus-broker/wiki";
     license     = licenses.asl20;
diff --git a/pkgs/os-specific/linux/ddcci/default.nix b/pkgs/os-specific/linux/ddcci/default.nix
index c977db64ee8..7e5f95cb206 100644
--- a/pkgs/os-specific/linux/ddcci/default.nix
+++ b/pkgs/os-specific/linux/ddcci/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitLab, kernel }:
+{ lib, stdenv, fetchFromGitLab, kernel }:
 
 stdenv.mkDerivation rec {
   pname = "ddcci-driver";
@@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
     "INCLUDEDIR=$(out)/include"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Kernel module driver for DDC/CI monitors";
     homepage = "https://gitlab.com/ddcci-driver-linux/ddcci-driver-linux";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/deepin-anything/default.nix b/pkgs/os-specific/linux/deepin-anything/default.nix
deleted file mode 100644
index 4139cc153cd..00000000000
--- a/pkgs/os-specific/linux/deepin-anything/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ stdenv, deepin, kernel }:
-
-stdenv.mkDerivation {
-  pname = "deepin-anything-module";
-  version = "${deepin.deepin-anything.version}-${kernel.version}";
-  src = deepin.deepin-anything.modsrc;
-
-  nativeBuildInputs = kernel.moduleBuildDependencies;
-
-  buildPhase = ''
-    make -C src/deepin-anything-0.0 kdir=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build
-  '';
-
-  installPhase = ''
-     install -m 644 -D -t $out/lib/modules/${kernel.modDirVersion}/extra src/deepin-anything-0.0/*.ko
-  '';
-
-  meta = deepin.deepin-anything.meta // {
-    description = deepin.deepin-anything.meta.description + " (kernel modules)";
-    badPlatforms = [ "aarch64-linux" ];  # the kernel module is not building
-  };
-}
diff --git a/pkgs/os-specific/linux/device-tree/default.nix b/pkgs/os-specific/linux/device-tree/default.nix
index 13d819a08a5..13c609cdf7d 100644
--- a/pkgs/os-specific/linux/device-tree/default.nix
+++ b/pkgs/os-specific/linux/device-tree/default.nix
@@ -1,16 +1,31 @@
-{ stdenvNoCC, dtc, findutils }:
+{ lib, stdenvNoCC, dtc, findutils }:
 
-with stdenvNoCC.lib; {
-  applyOverlays = (base: overlays: stdenvNoCC.mkDerivation {
+with lib; {
+  applyOverlays = (base: overlays': stdenvNoCC.mkDerivation {
     name = "device-tree-overlays";
     nativeBuildInputs = [ dtc findutils ];
     buildCommand = let
-      quotedDtbos = concatMapStringsSep " " (o: "\"${toString o}\"") (toList overlays);
+      overlays = toList overlays';
     in ''
-      for dtb in $(find ${base} -name "*.dtb" ); do
-        outDtb=$out/$(realpath --relative-to "${base}" "$dtb")
-        mkdir -p "$(dirname "$outDtb")"
-        fdtoverlay -o "$outDtb" -i "$dtb" ${quotedDtbos};
+      mkdir -p $out
+      cd ${base}
+      find . -type f -name '*.dtb' -print0 \
+        | xargs -0 cp -v --no-preserve=mode --target-directory $out --parents
+
+      for dtb in $(find $out -type f -name '*.dtb'); do
+        dtbCompat="$( fdtget -t s $dtb / compatible )"
+
+        ${flip (concatMapStringsSep "\n") overlays (o: ''
+        overlayCompat="$( fdtget -t s ${o.dtboFile} / compatible )"
+        # overlayCompat in dtbCompat
+        if [[ "$dtbCompat" =~ "$overlayCompat" ]]; then
+          echo "Applying overlay ${o.name} to $( basename $dtb )"
+          mv $dtb{,.in}
+          fdtoverlay -o "$dtb" -i "$dtb.in" ${o.dtboFile};
+          rm $dtb.in
+        fi
+        '')}
+
       done
     '';
   });
diff --git a/pkgs/os-specific/linux/device-tree/raspberrypi.nix b/pkgs/os-specific/linux/device-tree/raspberrypi.nix
index 5a0d5710392..b4b40f8331f 100644
--- a/pkgs/os-specific/linux/device-tree/raspberrypi.nix
+++ b/pkgs/os-specific/linux/device-tree/raspberrypi.nix
@@ -1,4 +1,4 @@
-{ stdenvNoCC, raspberrypifw }:
+{ lib, stdenvNoCC, raspberrypifw }:
 
 stdenvNoCC.mkDerivation {
   name = "raspberrypi-dtbs-${raspberrypifw.version}";
@@ -30,8 +30,8 @@ stdenvNoCC.mkDerivation {
     # Compatible overlays that may be used
     overlays = "${raspberrypifw}/share/raspberrypi/boot/overlays";
   };
-  meta = with stdenvNoCC.lib; {
-    inherit (raspberrypifw.meta) platforms homepage license;
+  meta = with lib; {
+    inherit (raspberrypifw.meta) homepage license;
     description = "DTBs for the Raspberry Pi";
   };
 }
diff --git a/pkgs/os-specific/linux/devmem2/default.nix b/pkgs/os-specific/linux/devmem2/default.nix
index 9115601e357..86f6f916cef 100644
--- a/pkgs/os-specific/linux/devmem2/default.nix
+++ b/pkgs/os-specific/linux/devmem2/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation {
   name = "devmem2-2004-08-05";
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
     install -D devmem2 "$out/bin/devmem2"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Simple program to read/write from/to any location in memory";
     homepage = "http://lartmaker.nl/lartware/port/";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/digimend/default.nix b/pkgs/os-specific/linux/digimend/default.nix
index 94f32d2c432..6b5f66f825b 100644
--- a/pkgs/os-specific/linux/digimend/default.nix
+++ b/pkgs/os-specific/linux/digimend/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, fetchpatch, kernel }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel }:
 
-assert stdenv.lib.versionAtLeast kernel.version "3.5";
+assert lib.versionAtLeast kernel.version "3.5";
 
 stdenv.mkDerivation rec {
   pname = "digimend";
@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
     "DESTDIR=${placeholder "out"}"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "DIGImend graphics tablet drivers for the Linux kernel";
     homepage = "https://digimend.github.io/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/directvnc/default.nix b/pkgs/os-specific/linux/directvnc/default.nix
index c7937190915..d20b69775bf 100644
--- a/pkgs/os-specific/linux/directvnc/default.nix
+++ b/pkgs/os-specific/linux/directvnc/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, directfb, zlib, libjpeg, xorgproto }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, directfb, zlib, libjpeg, xorgproto }:
 
 stdenv.mkDerivation {
   pname = "directvnc";
@@ -11,11 +11,11 @@ stdenv.mkDerivation {
     sha256 = "16x7mr7x728qw7nbi6rqhrwsy73zsbpiz8pbgfzfl2aqhfdiz88b";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
 
   buildInputs = [ directfb zlib libjpeg xorgproto ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "DirectFB VNC client";
     homepage = "http://drinkmilk.github.io/directvnc/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix
index b2ae930f193..f754882ccd0 100644
--- a/pkgs/os-specific/linux/disk-indicator/default.nix
+++ b/pkgs/os-specific/linux/disk-indicator/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, libX11 }:
+{ lib, stdenv, fetchgit, libX11 }:
 
 stdenv.mkDerivation {
   name = "disk-indicator-2014-05-19";
@@ -34,7 +34,7 @@ stdenv.mkDerivation {
       Small program for Linux that will turn your Scroll, Caps or Num Lock LED
       or LED on your ThinkPad laptop into a hard disk activity indicator.
     '';
-    license = stdenv.lib.licenses.gpl3;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl3;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/displaylink/99-displaylink.rules b/pkgs/os-specific/linux/displaylink/99-displaylink.rules
new file mode 100644
index 00000000000..ceeb658a415
--- /dev/null
+++ b/pkgs/os-specific/linux/displaylink/99-displaylink.rules
@@ -0,0 +1 @@
+ACTION=="add", SUBSYSTEM=="usb", DRIVERS=="usb", ATTRS{idVendor}=="17e9", ATTR{bInterfaceClass}=="ff", ATTR{bInterfaceProtocol}=="03", TAG+="systemd", ENV{SYSTEMD_WANTS}="dlm.service"
diff --git a/pkgs/os-specific/linux/displaylink/default.nix b/pkgs/os-specific/linux/displaylink/default.nix
index 3db9a7d3005..ca3e38c2e70 100644
--- a/pkgs/os-specific/linux/displaylink/default.nix
+++ b/pkgs/os-specific/linux/displaylink/default.nix
@@ -1,27 +1,36 @@
-{ stdenv, lib, unzip, utillinux,
-  libusb1, evdi, systemd, makeWrapper, requireFile, substituteAll }:
-
+{ stdenv
+, lib
+, unzip
+, util-linux
+, libusb1
+, evdi
+, systemd
+, makeWrapper
+, requireFile
+, substituteAll
+}:
 let
   arch =
     if stdenv.hostPlatform.system == "x86_64-linux" then "x64"
     else if stdenv.hostPlatform.system == "i686-linux" then "x86"
     else throw "Unsupported architecture";
   bins = "${arch}-ubuntu-1604";
-  libPath = lib.makeLibraryPath [ stdenv.cc.cc utillinux libusb1 evdi ];
+  libPath = lib.makeLibraryPath [ stdenv.cc.cc util-linux libusb1 evdi ];
 
-in stdenv.mkDerivation rec {
+in
+stdenv.mkDerivation rec {
   pname = "displaylink";
-  version = "5.3.1.34";
+  version = "5.4.0-55.153";
 
   src = requireFile rec {
     name = "displaylink.zip";
-    sha256 = "1c1kbjgpb71f73qnyl44rvwi6l4ivddq789rwvvh0ahw2jm324hy";
+    sha256 = "1m2l3bnlfwfp94w7khr05npsbysg9mcyi7hi85n78xkd0xdcxml8";
     message = ''
       In order to install the DisplayLink drivers, you must first
       comply with DisplayLink's EULA and download the binaries and
       sources from here:
 
-      https://www.displaylink.com/downloads/file?id=1576
+      https://www.synaptics.com/node/3751
 
       Once you have downloaded the file, please use the following
       commands and re-run the installation:
@@ -39,20 +48,11 @@ in stdenv.mkDerivation rec {
     ./displaylink-driver-${version}.run --target . --noexec --nodiskspace
   '';
 
-  patches = [ (substituteAll {
-    src = ./udev-installer.patch;
-    inherit systemd;
-  })];
-
   installPhase = ''
-    sed -i "s,/opt/displaylink/udev.sh,$out/lib/udev/displaylink.sh,g" udev-installer.sh
-    ( source udev-installer.sh
-      mkdir -p $out/lib/udev/rules.d
-      main systemd "$out/lib/udev/rules.d/99-displaylink.rules" "$out/lib/udev/displaylink.sh"
-    )
-
     install -Dt $out/lib/displaylink *.spkg
     install -Dm755 ${bins}/DisplayLinkManager $out/bin/DisplayLinkManager
+    mkdir -p $out/lib/udev/rules.d
+    cp ${./99-displaylink.rules} $out/lib/udev/rules.d/99-displaylink.rules
     patchelf \
       --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
       --set-rpath ${libPath} \
@@ -65,7 +65,7 @@ in stdenv.mkDerivation rec {
   dontPatchELF = true;
 
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "DisplayLink DL-5xxx, DL-41xx and DL-3x00 Driver for Linux";
     maintainers = with maintainers; [ nshalman abbradar peterhoeg eyjhb ];
     platforms = [ "x86_64-linux" "i686-linux" ];
diff --git a/pkgs/os-specific/linux/displaylink/udev-installer.patch b/pkgs/os-specific/linux/displaylink/udev-installer.patch
deleted file mode 100644
index 880c073fbcf..00000000000
--- a/pkgs/os-specific/linux/displaylink/udev-installer.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/udev-installer.sh	2018-12-09 12:05:53.772318942 +0100
-+++ b/udev-installer.sh	2018-12-09 12:06:19.939947629 +0100
-@@ -21,12 +21,12 @@
-   cat <<'EOF'
- start_service()
- {
--  systemctl start displaylink-driver
-+  /run/current-system/systemd/bin/systemctl start --no-block dlm
- }
- 
- stop_service()
- {
--  systemctl stop displaylink-driver
-+  /run/current-system/systemd/bin/systemctl stop dlm
- }
- 
- EOF
-
diff --git a/pkgs/os-specific/linux/dlm/default.nix b/pkgs/os-specific/linux/dlm/default.nix
new file mode 100644
index 00000000000..3b6f4773a29
--- /dev/null
+++ b/pkgs/os-specific/linux/dlm/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromSourcehut
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "dlm";
+  version = "2020-01-07";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = "6b0e11c4f453b1a4d7a32019227539a980b7ce66";
+    sha256 = "1r3w7my0g3v2ya317qnvjx8wnagjahpj7yx72a65hf2pjbf5x42p";
+  };
+
+  cargoSha256 = "01a8k60qnx2pgxb2adgw30c2hjb60w6230khm5hyqgmp7z4rm8k8";
+
+  meta = with lib; {
+    description = "A stupid simple graphical login manager";
+    homepage = "https://git.sr.ht/~kennylevinsen/dlm";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/dmidecode/default.nix b/pkgs/os-specific/linux/dmidecode/default.nix
index 97ad75851a6..a4e09492deb 100644
--- a/pkgs/os-specific/linux/dmidecode/default.nix
+++ b/pkgs/os-specific/linux/dmidecode/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl, fetchpatch }:
 
 stdenv.mkDerivation rec {
   name = "dmidecode-3.2";
@@ -8,9 +8,53 @@ stdenv.mkDerivation rec {
     sha256 = "1pcfhcgs2ifdjwp7amnsr3lq95pgxpr150bjhdinvl505px0cw07";
   };
 
+  patches = [
+    # suggested patches for 3.2 according to https://www.nongnu.org/dmidecode/
+    (fetchpatch {
+      name = "0001-fix_redfish_hostname_print_length.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=fde47bb227b8fa817c88d7e10a8eb771c46de1df";
+      sha256 = "133nd0c72p68hnqs5m714167761r1pp6bd3kgbsrsrwdx40jlc3m";
+    })
+    (fetchpatch {
+      name = "0002-add_logical_non-volatile_device_to_memory_device_types.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=74dfb854b8199ddb0a27e89296fa565f4706cb9d";
+      sha256 = "0wdpmlcwmqdyyrsmyis8jb7cx3q6fnqpdpc5xly663dj841jcvwh";
+    })
+    (fetchpatch {
+      name = "0003-only-scan-devmem-for-entry-point-on-x86.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=e12ec26e19e02281d3e7258c3aabb88a5cf5ec1d";
+      sha256 = "1y2858n98bfa49syjinx911vza6mm7aa6xalvzjgdlyirhccs30i";
+    })
+    (fetchpatch {
+      name = "0004-fix_formatting_of_tpm_table_output.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=1d0db85949a5bdd96375f6131d393a11204302a6";
+      sha256 = "11s8jciw7xf2668v79qcq2c9w2gwvm3dkcik8dl9v74p654y1nr8";
+    })
+    (fetchpatch {
+      name = "0005-fix_system-slot_information_for_pcie_ssd.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=fd08479625b5845e4d725ab628628f7ebfccc407";
+      sha256 = "07l61wvsw1d8g14zzf6zm7l0ri9kkqz8j5n4h116qwhg1p2k49y4";
+    })
+    (fetchpatch {
+      name = "0006-print_type_33_name_unconditionally.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=65438a7ec0f4cddccf810136da6f280bd148af71";
+      sha256 = "0gqz576ccxys0c8217spf1qmw9lxi9xalw85jjqwsi2bj1k6vy4n";
+    })
+    (fetchpatch {
+      name = "0007-dont_choke_on_invalid_processor_voltage.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=5bb7eb173b72256f70c6b3f3916d7a444be93340";
+      sha256 = "1dkg4lq9kn2g1w5raz1gssn6zqk078zjqbnh9i32f822f727syhp";
+    })
+    (fetchpatch {
+      name = "0008-fix_the_alignment_of_type_25_name.patch";
+      url = "https://git.savannah.gnu.org/cgit/dmidecode.git/patch/?id=557c3c373a9992d45d4358a6a2ccf53b03276f39";
+      sha256 = "18hc91pk7civyqrlilg3kn2nmp2warhh49xlbzrwqi7hgipyf12z";
+    })
+  ];
+
   makeFlags = [ "prefix=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.nongnu.org/dmidecode/";
     description = "A tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix
index 129ccb30456..c1e0dfc5ae4 100644
--- a/pkgs/os-specific/linux/dmraid/default.nix
+++ b/pkgs/os-specific/linux/dmraid/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, lvm2 }:
+{ lib, stdenv, fetchurl, fetchpatch, lvm2 }:
 
 stdenv.mkDerivation rec {
   name = "dmraid-1.0.0.rc16";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
   };
 
   patches = [ ./hardening-format.patch ]
-    ++ stdenv.lib.optionals stdenv.hostPlatform.isMusl [
+    ++ lib.optionals stdenv.hostPlatform.isMusl [
       (fetchpatch {
         url = "https://raw.githubusercontent.com/void-linux/void-packages/fceed4b8e96b3c1da07babf6f67b6ed1588a28b2/srcpkgs/dmraid/patches/006-musl-libc.patch";
         sha256 = "1j8xda0fpz8lxjxnqdidy7qb866qrzwpbca56yjdg6vf4x21hx6w";
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
 
   postPatch = ''
     sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in
-  '' + stdenv.lib.optionalString stdenv.hostPlatform.isMusl ''
+  '' + lib.optionalString stdenv.hostPlatform.isMusl ''
     NIX_CFLAGS_COMPILE+=" -D_GNU_SOURCE"
   '';
 
@@ -42,8 +42,8 @@ stdenv.mkDerivation rec {
       its volumes. May be needed for rescuing an older system or nuking
       the metadata when reformatting.
     '';
-    maintainers = [ stdenv.lib.maintainers.raskin ];
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/dmtcp/default.nix b/pkgs/os-specific/linux/dmtcp/default.nix
index 0f7f2f9817a..50124a2bf45 100644
--- a/pkgs/os-specific/linux/dmtcp/default.nix
+++ b/pkgs/os-specific/linux/dmtcp/default.nix
@@ -1,14 +1,16 @@
-{ stdenv, fetchFromGitHub, bash, perl, python }:
+{ lib, stdenv, fetchFromGitHub, bash, perl, python2 }:
+
+# There are fixes for python3 compatibility on master
 
 stdenv.mkDerivation rec {
   pname = "dmtcp";
-  version = "2.6.0";
+  version = "unstable-2021-03-01";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    rev = version;
-    sha256 = "01skyhr573w1dygvkwz66lvir2jsq443fjwkysglwxvmrdfz9kwd";
+    rev = "f999adbb8e88fe452a0e57ceb43b6eed7b4409f9";
+    sha256 = "sha256-codCHQui3fGfUZSNq8GuH4ad/GjD6I/S9rX83o8oFPc=";
   };
 
   dontDisableStatic = true;
@@ -21,19 +23,19 @@ stdenv.mkDerivation rec {
     substituteInPlace configure \
       --replace '#define ELF_INTERPRETER "$interp"' \
                 "#define ELF_INTERPRETER \"$(cat $NIX_CC/nix-support/dynamic-linker)\""
-    substituteInPlace src/dmtcp_coordinator.cpp \
+    substituteInPlace src/restartscript.cpp \
       --replace /bin/bash ${stdenv.shell}
-    substituteInPlace util/gdb-add-symbol-file \
+    substituteInPlace util/dmtcp_restart_wrapper.sh \
       --replace /bin/bash ${stdenv.shell}
     substituteInPlace test/autotest.py \
       --replace /bin/bash ${bash}/bin/bash \
       --replace /usr/bin/perl ${perl}/bin/perl \
-      --replace /usr/bin/python ${python}/bin/python \
+      --replace /usr/bin/python ${python2}/bin/python \
       --replace "os.environ['USER']" "\"nixbld1\"" \
       --replace "os.getenv('USER')" "\"nixbld1\""
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Distributed MultiThreaded Checkpointing";
     longDescription = ''
       DMTCP (Distributed MultiThreaded Checkpointing) is a tool to
diff --git a/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch b/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
index 5a81dad0cc9..118e52b8e62 100644
--- a/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
+++ b/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
@@ -1,11 +1,13 @@
---- dmtcp-2.5.1-src/src/util_exec.cpp	2017-09-19 13:36:22.947587034 +0200
-+++ dmtcp-2.5.1-src/src/util_exec.cpp	2017-09-19 13:36:32.221313460 +0200
-@@ -178,7 +178,7 @@
- 
- static string ld_linux_so_path(int version, bool is32bitElf = false)
+diff --git a/src/util_exec.cpp b/src/util_exec.cpp
+index 0e8a13c1..0cc99c1e 100644
+--- a/src/util_exec.cpp
++++ b/src/util_exec.cpp
+@@ -300,7 +300,7 @@ Util::elfType(const char *pathname, bool *isElf, bool *is32bitElf)
+ static string
+ ld_linux_so_path(int version, bool is32bitElf = false)
  {
 -  char buf[80];
 +  char buf[128];
+ 
  #if (defined(__x86_64__) || defined(__aarch64__)) && !defined(CONFIG_M32)
    if (is32bitElf) {
-     sprintf(buf, "/lib/ld-linux.so.%d", version);
diff --git a/pkgs/os-specific/linux/dpdk-kmods/default.nix b/pkgs/os-specific/linux/dpdk-kmods/default.nix
new file mode 100644
index 00000000000..a188336cbe5
--- /dev/null
+++ b/pkgs/os-specific/linux/dpdk-kmods/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchzip, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "dpdk-kmods";
+  version = "2021-04-21";
+
+  src = fetchzip {
+    url = "http://git.dpdk.org/dpdk-kmods/snapshot/dpdk-kmods-e13d7af77a1bf98757f85c3c4083f6ee6d0d2372.tar.xz";
+    sha256 = "sha256-8ysWT3X3rIyUAo4/QbkX7cQq5iFeU18/BPsmmWugcIc=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  KSRC = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preBuild = "cd linux/igb_uio";
+
+  installPhase = ''
+    make -C ${KSRC} M=$(pwd) modules_install
+  '';
+
+  INSTALL_MOD_PATH = placeholder "out";
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Kernel modules for DPDK";
+    homepage = "https://git.dpdk.org/dpdk-kmods/";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.mic92 ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/dpdk/default.nix b/pkgs/os-specific/linux/dpdk/default.nix
index aacbc3cdfbe..ca8905e6240 100644
--- a/pkgs/os-specific/linux/dpdk/default.nix
+++ b/pkgs/os-specific/linux/dpdk/default.nix
@@ -1,30 +1,32 @@
 { stdenv, lib
 , kernel
 , fetchurl
-, pkgconfig, meson, ninja
+, pkg-config, meson, ninja
 , libbsd, numactl, libbpf, zlib, libelf, jansson, openssl, libpcap
 , doxygen, python3
+, withExamples ? []
 , shared ? false }:
 
 let
   mod = kernel != null;
-
+  dpdkVersion = "21.05";
 in stdenv.mkDerivation rec {
-  name = "dpdk-${version}" + lib.optionalString mod "-${kernel.version}";
-  version = "20.05";
+  pname = "dpdk";
+  version = "${dpdkVersion}" + lib.optionalString mod "-${kernel.version}";
 
   src = fetchurl {
-    url = "https://fast.dpdk.org/rel/dpdk-${version}.tar.xz";
-    sha256 = "0h0xv2zwb91b9n29afg5ihn06a8q28in64hag2f112kc19f79jj8";
+    url = "https://fast.dpdk.org/rel/dpdk-${dpdkVersion}.tar.xz";
+    sha256 = "sha256-HhJJm0xfzbV8g+X+GE6mvs3ffPCSiTwsXvLvsO7BLws=";
   };
 
   nativeBuildInputs = [
     doxygen
     meson
     ninja
-    pkgconfig
+    pkg-config
     python3
     python3.pkgs.sphinx
+    python3.pkgs.pyelftools
   ];
   buildInputs = [
     jansson
@@ -42,12 +44,16 @@ in stdenv.mkDerivation rec {
   '';
 
   mesonFlags = [
+    "-Dtests=false"
     "-Denable_docs=true"
-    "-Denable_kmods=${if mod then "true" else "false"}"
+    "-Denable_kmods=${lib.boolToString mod}"
   ]
+  # kni kernel driver is currently not compatble with 5.11
+  ++ lib.optional (mod && kernel.kernelOlder "5.11") "-Ddisable_drivers=kni"
   ++ lib.optional (!shared) "-Ddefault_library=static"
   ++ lib.optional stdenv.isx86_64 "-Dmachine=nehalem"
-  ++ lib.optional mod "-Dkernel_dir=${placeholder "kmod"}/lib/modules/${kernel.modDirVersion}";
+  ++ lib.optional mod "-Dkernel_dir=${placeholder "kmod"}/lib/modules/${kernel.modDirVersion}"
+  ++ lib.optional (withExamples != []) "-Dexamples=${builtins.concatStringsSep "," withExamples}";
 
   # dpdk meson script does not support separate kernel source and installion
   # dirs (except via destdir), so we temporarily link the former into the latter.
@@ -61,15 +67,17 @@ in stdenv.mkDerivation rec {
     rm -f $kmod/lib/modules/${kernel.modDirVersion}/build
   '';
 
-  outputs = [ "out" ] ++ lib.optional mod "kmod";
+  postInstall = lib.optionalString (withExamples != []) ''
+    find examples -type f -executable -exec install {} $out/bin \;
+  '';
 
-  enableParallelBuilding = true;
+  outputs = [ "out" ] ++ lib.optional mod "kmod";
 
   meta = with lib; {
     description = "Set of libraries and drivers for fast packet processing";
     homepage = "http://dpdk.org/";
     license = with licenses; [ lgpl21 gpl2 bsd2 ];
     platforms =  platforms.linux;
-    maintainers = with maintainers; [ domenkozar magenbluten orivej ];
+    maintainers = with maintainers; [ magenbluten orivej mic92 zhaofengli ];
   };
 }
diff --git a/pkgs/os-specific/linux/drbd/default.nix b/pkgs/os-specific/linux/drbd/default.nix
index bbf2535ce3d..ae3e986e14a 100644
--- a/pkgs/os-specific/linux/drbd/default.nix
+++ b/pkgs/os-specific/linux/drbd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, flex, systemd, perl }:
+{ lib, stdenv, fetchurl, flex, systemd, perl }:
 
 stdenv.mkDerivation rec {
   name = "drbd-8.4.4";
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     "INITDIR=$(out)/etc/init.d"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.drbd.org/";
     description = "Distributed Replicated Block Device, a distributed storage system for Linux";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/dropwatch/default.nix b/pkgs/os-specific/linux/dropwatch/default.nix
index 69acfa9682b..c2701c05719 100644
--- a/pkgs/os-specific/linux/dropwatch/default.nix
+++ b/pkgs/os-specific/linux/dropwatch/default.nix
@@ -1,30 +1,47 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig
-, libnl, readline, libbfd, ncurses, zlib }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, libbfd
+, libnl
+, libpcap
+, ncurses
+, readline
+, zlib
+}:
 
 stdenv.mkDerivation rec {
   pname = "dropwatch";
-  version = "1.5.1";
+  version = "1.5.3";
 
   src = fetchFromGitHub {
     owner = "nhorman";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1qmax0l7z1qik42c949fnvjh5r6awk4gpgzdsny8iwnmwzjyp8b8";
+    sha256 = "0axx0zzrs7apqnl0r70jyvmgk7cs5wk185id479mapgngibwkyxy";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
-  buildInputs = [ libbfd libnl ncurses readline zlib ];
-
-  # To avoid running into https://sourceware.org/bugzilla/show_bug.cgi?id=14243 we need to define:
-  NIX_CFLAGS_COMPILE = "-DPACKAGE=${pname} -DPACKAGE_VERSION=${version}";
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+  ];
+  buildInputs = [
+    libbfd
+    libnl
+    libpcap
+    ncurses
+    readline
+    zlib
+  ];
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux kernel dropped packet monitor";
     homepage = "https://github.com/nhorman/dropwatch";
-    license = licenses.gpl2;
+    license = licenses.gpl2Plus;
     platforms = platforms.linux;
-    maintainers = [ maintainers.c0bw3b ];
+    maintainers = with maintainers; [ c0bw3b ];
   };
 }
diff --git a/pkgs/os-specific/linux/dstat/default.nix b/pkgs/os-specific/linux/dstat/default.nix
index 2e235e27f36..d79f9f4c61b 100644
--- a/pkgs/os-specific/linux/dstat/default.nix
+++ b/pkgs/os-specific/linux/dstat/default.nix
@@ -1,24 +1,42 @@
-{ stdenv, fetchurl, python2Packages }:
+{ lib, fetchFromGitHub, fetchpatch, python3Packages }:
 
-python2Packages.buildPythonApplication rec {
+python3Packages.buildPythonApplication rec {
   pname = "dstat";
   format = "other";
-  version = "0.7.3";
+  version = "0.7.4";
 
-  src = fetchurl {
-    url = "https://github.com/dagwieers/dstat/archive/${version}.tar.gz";
-    sha256 = "16286z3y2lc9nsq8njzjkv6k2vyxrj9xiixj1k3gnsbvhlhkirj6";
+  src = fetchFromGitHub {
+    owner = "dstat-real";
+    repo = "dstat";
+    rev = "v${version}";
+    sha256 = "1qnmkhqmjd1m3if05jj29dvr5hn6kayq9bkkkh881w472c0zhp8v";
   };
 
-  propagatedBuildInputs = with python2Packages; [ python-wifi ];
+  propagatedBuildInputs = with python3Packages; [ six ];
+
+  patches = [
+    ./fix_pluginpath.patch
+    # this fixes another bug with python3
+    (fetchpatch {
+      url = "https://github.com/efexgee/dstat/commit/220a785321b13b6df92a536080aca6ef1cb644ad.patch";
+      sha256 = "08kcz3yxvl35m55y7g1pr73x3bjcqnv0qlswxqyq8cqxg9zd64cn";
+    })
+  ];
 
   makeFlags = [ "prefix=$(out)" ];
 
-  meta = with stdenv.lib; {
+  # remove deprecation warnings
+  preFixup = ''
+    sed -i "s/import collections/import collections.abc/g" $out/share/dstat/dstat.py $out/bin/dstat
+    sed -i "s/collections.Sequence/collections.abc.Sequence/g" "$out"/bin/dstat
+  '';
+
+  meta = with lib; {
     homepage = "http://dag.wieers.com/home-made/dstat/";
     description = "Versatile resource statistics tool";
     license = licenses.gpl2;
     platforms = platforms.linux;
     maintainers = with maintainers; [ ];
+    changelog = "https://github.com/dstat-real/dstat/blob/v${version}/ChangeLog";
   };
 }
diff --git a/pkgs/os-specific/linux/dstat/fix_pluginpath.patch b/pkgs/os-specific/linux/dstat/fix_pluginpath.patch
new file mode 100644
index 00000000000..06d7793da47
--- /dev/null
+++ b/pkgs/os-specific/linux/dstat/fix_pluginpath.patch
@@ -0,0 +1,15 @@
+diff --git a/dstat b/dstat
+index 3ac7087..c5f089d 100755
+--- a/dstat
++++ b/dstat
+@@ -66,9 +66,7 @@ if sys.version_info < (2, 3):
+ 
+ pluginpath = [
+     os.path.expanduser('~/.dstat/'),                                # home + /.dstat/
+-    os.path.abspath(os.path.dirname(sys.argv[0])) + '/plugins/',    # binary path + /plugins/
+-    '/usr/share/dstat/',
+-    '/usr/local/share/dstat/',
++    os.path.abspath(os.path.dirname(sys.argv[0])) + '/../share/dstat/', # binary path + /../share/dstat/
+ ]
+ 
+ class Options:
diff --git a/pkgs/os-specific/linux/e1000e/default.nix b/pkgs/os-specific/linux/e1000e/default.nix
index d5d6697a01e..51bc6ada07d 100644
--- a/pkgs/os-specific/linux/e1000e/default.nix
+++ b/pkgs/os-specific/linux/e1000e/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchurl, kernel }:
+{ lib, stdenv, fetchurl, kernel }:
 
-assert stdenv.lib.versionOlder kernel.version "4.10";
+assert lib.versionOlder kernel.version "4.10";
 
 stdenv.mkDerivation rec {
   name = "e1000e-${version}-${kernel.version}";
@@ -32,6 +32,6 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Linux kernel drivers for Intel Ethernet adapters and LOMs (LAN On Motherboard)";
     homepage = "http://e1000.sf.net/";
-    license = stdenv.lib.licenses.gpl2;
+    license = lib.licenses.gpl2;
   };
 }
diff --git a/pkgs/os-specific/linux/earlyoom/default.nix b/pkgs/os-specific/linux/earlyoom/default.nix
index 575da8aca73..930e9381bb7 100644
--- a/pkgs/os-specific/linux/earlyoom/default.nix
+++ b/pkgs/os-specific/linux/earlyoom/default.nix
@@ -1,17 +1,17 @@
-{ stdenv, fetchFromGitHub, pandoc, installShellFiles, withManpage ? false }:
+{ lib, stdenv, fetchFromGitHub, pandoc, installShellFiles, withManpage ? false }:
 
 stdenv.mkDerivation rec {
   pname = "earlyoom";
-  version = "1.6.1";
+  version = "1.6.2";
 
   src = fetchFromGitHub {
     owner = "rfjakob";
     repo = "earlyoom";
     rev = "v${version}";
-    sha256 = "1cn0bgbgiq69i8mk8zxly1f7j01afm82g672qzccz6swsi2637j4";
+    sha256 = "16iyn51xlrsbshc7p5xl2338yyfzknaqc538sa7mamgccqwgyvvq";
   };
 
-  nativeBuildInputs = stdenv.lib.optionals withManpage [ pandoc installShellFiles ];
+  nativeBuildInputs = lib.optionals withManpage [ pandoc installShellFiles ];
 
   patches = [ ./fix-dbus-path.patch ];
 
@@ -19,11 +19,11 @@ stdenv.mkDerivation rec {
 
   installPhase = ''
     install -D earlyoom $out/bin/earlyoom
-  '' + stdenv.lib.optionalString withManpage ''
+  '' + lib.optionalString withManpage ''
     installManPage earlyoom.1
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Early OOM Daemon for Linux";
     homepage = "https://github.com/rfjakob/earlyoom";
     license = licenses.mit;
diff --git a/pkgs/os-specific/linux/ebtables/default.nix b/pkgs/os-specific/linux/ebtables/default.nix
index d3705195f59..bca24d9c905 100644
--- a/pkgs/os-specific/linux/ebtables/default.nix
+++ b/pkgs/os-specific/linux/ebtables/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "ebtables";
@@ -9,17 +9,23 @@ stdenv.mkDerivation rec {
     sha256 = "0apxgmkhsk3vxn9q3libxn3dgrdljrxyy4mli2gk49m7hi3na7xp";
   };
 
-  makeFlags =
-    [ "LIBDIR=$(out)/lib" "BINDIR=$(out)/sbin" "MANDIR=$(out)/share/man"
-      "ETCDIR=$(out)/etc" "INITDIR=$(TMPDIR)" "SYSCONFIGDIR=$(out)/etc/sysconfig"
-      "LOCALSTATEDIR=/var"
-    ];
+  makeFlags = [
+    "LIBDIR=$(out)/lib" "BINDIR=$(out)/sbin" "MANDIR=$(out)/share/man"
+    "ETCDIR=$(out)/etc" "INITDIR=$(TMPDIR)" "SYSCONFIGDIR=$(out)/etc/sysconfig"
+    "LOCALSTATEDIR=/var"
+  ];
 
   NIX_CFLAGS_COMPILE = "-Wno-error";
 
   preInstall = "mkdir -p $out/etc/sysconfig";
 
-  meta = with stdenv.lib; {
+  postInstall = ''
+    ln -s $out/sbin/ebtables-legacy          $out/sbin/ebtables
+    ln -s $out/sbin/ebtables-legacy-restore  $out/sbin/ebtables-restore
+    ln -s $out/sbin/ebtables-legacy-save     $out/sbin/ebtables-save
+  '';
+
+  meta = with lib; {
     description = "A filtering tool for Linux-based bridging firewalls";
     homepage = "http://ebtables.sourceforge.net/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/edac-utils/default.nix b/pkgs/os-specific/linux/edac-utils/default.nix
index fb0a6dbf62e..63c539602f1 100644
--- a/pkgs/os-specific/linux/edac-utils/default.nix
+++ b/pkgs/os-specific/linux/edac-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, perl, makeWrapper
+{ lib, stdenv, fetchFromGitHub, perl, makeWrapper
 , sysfsutils, dmidecode, kmod }:
 
 stdenv.mkDerivation {
@@ -25,10 +25,10 @@ stdenv.mkDerivation {
 
   postInstall = ''
     wrapProgram "$out/sbin/edac-ctl" \
-      --set PATH ${stdenv.lib.makeBinPath [ dmidecode kmod ]}
+      --set PATH ${lib.makeBinPath [ dmidecode kmod ]}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/grondo/edac-utils";
     description = "Handles the reporting of hardware-related memory errors";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/ell/default.nix b/pkgs/os-specific/linux/ell/default.nix
index a83e02ae6be..a43b9eff3c8 100644
--- a/pkgs/os-specific/linux/ell/default.nix
+++ b/pkgs/os-specific/linux/ell/default.nix
@@ -1,28 +1,24 @@
-{ stdenv
+{ lib, stdenv
 , fetchgit
 , autoreconfHook
-, pkgconfig
+, pkg-config
 , dbus
 }:
 
 stdenv.mkDerivation rec {
   pname = "ell";
-  version = "0.32";
+  version = "0.41";
 
   outputs = [ "out" "dev" ];
 
   src = fetchgit {
-     url = "https://git.kernel.org/pub/scm/libs/${pname}/${pname}.git";
-     rev = version;
-     sha256 = "07hm9lrhhb5y53l13yja2kr3xmjgs0azk3x7w2si99cplwkgxak2";
+    url = "https://git.kernel.org/pub/scm/libs/${pname}/${pname}.git";
+    rev = version;
+    sha256 = "sha256-UCE+PgGmbePlOoAc8jXxCX6fHr16qf1AQMKxizfSTJM=";
   };
 
-  patches = [
-    ./fix-dbus-tests.patch
-  ];
-
   nativeBuildInputs = [
-    pkgconfig
+    pkg-config
     autoreconfHook
   ];
 
@@ -34,7 +30,7 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://01.org/ell";
     description = "Embedded Linux Library";
     longDescription = ''
@@ -42,6 +38,6 @@ stdenv.mkDerivation rec {
     '';
     license = licenses.lgpl21Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ mic92 dtzWill ];
+    maintainers = with maintainers; [ mic92 dtzWill maxeaubrey ];
   };
 }
diff --git a/pkgs/os-specific/linux/ell/fix-dbus-tests.patch b/pkgs/os-specific/linux/ell/fix-dbus-tests.patch
deleted file mode 100644
index b494ba8b43c..00000000000
--- a/pkgs/os-specific/linux/ell/fix-dbus-tests.patch
+++ /dev/null
@@ -1,65 +0,0 @@
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -140,6 +140,7 @@
- ell_libell_private_la_SOURCES = $(ell_libell_la_SOURCES)
- 
- AM_CFLAGS = -fvisibility=hidden -DUNITDIR=\""$(top_srcdir)/unit/"\" \
-+				-DDBUS_DAEMON=\""$(DBUS_DAEMONDIR)/dbus-daemon"\" \
- 				-DCERTDIR=\""$(top_builddir)/unit/"\"
- 
- pkgconfigdir = $(libdir)/pkgconfig
---- a/configure.ac
-+++ b/configure.ac
-@@ -14,6 +14,8 @@
- 
- AC_PREFIX_DEFAULT(/usr/local)
- 
-+PKG_PROG_PKG_CONFIG
-+
- COMPILER_FLAGS
- 
- AC_LANG_C
-@@ -131,6 +133,10 @@
- 	AC_CHECK_PROG(have_xxd, [xxd], [yes], [no])
- fi
- 
-+PKG_CHECK_MODULES(DBUS, dbus-1, dummy=yes,
-+			AC_MSG_ERROR(D-Bus is required for running tests))
-+PKG_CHECK_VAR(DBUS_DAEMONDIR, dbus-1, daemondir)
-+
- AM_CONDITIONAL(DBUS_TESTS, test "${little_endian}" = "yes")
- AM_CONDITIONAL(CERT_TESTS, test "${have_openssl}" = "yes")
- 
---- a/unit/test-dbus-message-fds.c
-+++ b/unit/test-dbus-message-fds.c
-@@ -51,7 +51,7 @@
- 	char *prg_envp[1];
- 	pid_t pid;
- 
--	prg_argv[0] = "/usr/bin/dbus-daemon";
-+	prg_argv[0] = DBUS_DAEMON;
- 	prg_argv[1] = "--nopidfile";
- 	prg_argv[2] = "--nofork";
- 	prg_argv[3] = "--config-file=" UNITDIR "dbus.conf";
---- a/unit/test-dbus-properties.c
-+++ b/unit/test-dbus-properties.c
-@@ -48,7 +48,7 @@
- 	char *prg_envp[1];
- 	pid_t pid;
- 
--	prg_argv[0] = "/usr/bin/dbus-daemon";
-+	prg_argv[0] = DBUS_DAEMON;
- 	prg_argv[1] = "--nopidfile";
- 	prg_argv[2] = "--nofork";
- 	prg_argv[3] = "--config-file=" UNITDIR "dbus.conf";
---- a/unit/test-dbus.c
-+++ b/unit/test-dbus.c
-@@ -45,7 +45,7 @@
- 	char *prg_envp[1];
- 	pid_t pid;
- 
--	prg_argv[0] = "/usr/bin/dbus-daemon";
-+	prg_argv[0] = DBUS_DAEMON;
- 	prg_argv[1] = "--nopidfile";
- 	prg_argv[2] = "--nofork";
- 	prg_argv[3] = "--config-file=" UNITDIR "dbus.conf";
diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix
index a3935d0069e..1ff0b9a154a 100644
--- a/pkgs/os-specific/linux/ena/default.nix
+++ b/pkgs/os-specific/linux/ena/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
-  version = "2.2.7";
+  version = "2.5.0";
   name = "ena-${version}-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "amzn";
     repo = "amzn-drivers";
     rev = "ena_linux_${version}";
-    sha256 = "1ap100xh5wrdvy5h2ydcy6rqcklb4fz6xxs33ad3j9yx3h1ixj2d";
+    sha256 = "sha256-uOf/1624UtjaZtrk7XyQpeUGdTNVDnzZJZMgU86i+SM=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -19,23 +19,28 @@ stdenv.mkDerivation rec {
   NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
 
   configurePhase = ''
+    runHook preConfigure
     cd kernel/linux/ena
     substituteInPlace Makefile --replace '/lib/modules/$(BUILD_KERNEL)' ${kernel.dev}/lib/modules/${kernel.modDirVersion}
+    runHook postConfigure
   '';
 
   installPhase = ''
+    runHook preInstall
     strip -S ena.ko
     dest=$out/lib/modules/${kernel.modDirVersion}/misc
     mkdir -p $dest
     cp ena.ko $dest/
     xz $dest/ena.ko
+    runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Amazon Elastic Network Adapter (ENA) driver for Linux";
     homepage = "https://github.com/amzn/amzn-drivers";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     maintainers = [ maintainers.eelco ];
     platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.5";
   };
 }
diff --git a/pkgs/os-specific/linux/erofs-utils/default.nix b/pkgs/os-specific/linux/erofs-utils/default.nix
new file mode 100644
index 00000000000..73e50c5740b
--- /dev/null
+++ b/pkgs/os-specific/linux/erofs-utils/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchgit, autoreconfHook, pkg-config, fuse, libuuid, lz4 }:
+
+stdenv.mkDerivation rec {
+  pname = "erofs-utils";
+  version = "1.2.1";
+  outputs = [ "out" "man" ];
+
+  src = fetchgit {
+    url =
+      "https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git";
+    rev = "v" + version;
+    sha256 = "1vb4mxsb59g29x7l22cffsqa8x743sra4j5zbmx89hjwpwm9vvcg";
+  };
+
+  buildInputs = [ autoreconfHook pkg-config fuse libuuid lz4 ];
+
+  configureFlags = [ "--enable-fuse" ];
+
+  meta = with lib; {
+    description = "Userspace utilities for linux-erofs file system";
+    license = with licenses; [ gpl2 ];
+    maintainers = with maintainers; [ ehmry ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/eudev/default.nix b/pkgs/os-specific/linux/eudev/default.nix
index d087a9e2e26..c8562cc5f3c 100644
--- a/pkgs/os-specific/linux/eudev/default.nix
+++ b/pkgs/os-specific/linux/eudev/default.nix
@@ -1,17 +1,17 @@
-{stdenv, fetchurl, pkgconfig, glib, gperf, utillinux, kmod}:
+{lib, stdenv, fetchurl, pkg-config, glib, gperf, util-linux, kmod}:
 let
   s = # Generated upstream information
   rec {
     baseName="eudev";
-    version = "3.2.9";
+    version = "3.2.10";
     name="${baseName}-${version}";
     url="http://dev.gentoo.org/~blueness/eudev/eudev-${version}.tar.gz";
-    sha256 = "1z6lfhhbjs6j7pbp6ybn17ywjsdl87ql6g1p3m2y26aa10cqcqc9";
+    sha256 = "sha256-h7sCjUcP0bhRaTSbRMVdW3M3M9wtUN3xGW4CZyXq0DQ=";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [
-    glib gperf utillinux kmod
+    glib gperf util-linux kmod
   ];
 in
 stdenv.mkDerivation {
@@ -49,12 +49,12 @@ stdenv.mkDerivation {
   enableParallelBuilding = true;
   meta = {
     inherit (s) version;
-    description = ''An udev fork by Gentoo'';
-    license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
-    homepage = ''https://www.gentoo.org/proj/en/eudev/'';
-    downloadPage = ''http://dev.gentoo.org/~blueness/eudev/'';
+    description = "An udev fork by Gentoo";
+    license = lib.licenses.gpl2Plus ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
+    homepage = "https://www.gentoo.org/proj/en/eudev/";
+    downloadPage = "http://dev.gentoo.org/~blueness/eudev/";
     updateWalker = true;
   };
 }
diff --git a/pkgs/os-specific/linux/evdi/default.nix b/pkgs/os-specific/linux/evdi/default.nix
index 119ba22ca26..5eb31e9422d 100644
--- a/pkgs/os-specific/linux/evdi/default.nix
+++ b/pkgs/os-specific/linux/evdi/default.nix
@@ -1,16 +1,29 @@
-{ stdenv, fetchFromGitHub, fetchpatch, kernel, libdrm }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel, libdrm }:
 
 stdenv.mkDerivation rec {
   pname = "evdi";
-  version = "unstable-20200416";
+  version = "unstable-2021-06-11";
 
   src = fetchFromGitHub {
     owner = "DisplayLink";
     repo = pname;
-    rev = "dc595db636845aef39490496bc075f6bf067106c";
-    sha256 = "1yrny6jj9403z0rxbd3nxf49xc4w0rfpl7xsq03pq32pb3vlbqw7";
+    rev = "65e12fca334f2f42396f4e8d16592d53cab34dd6";
+    sha256 = "sha256-81IfdYKadKT7vRdkmxzfGo4KHa4UJ8uJ0K6djQCr22U=";
   };
 
+  # Linux 5.13 support
+  # The patches break compilation for older kernels
+  patches = lib.optional (kernel.kernelAtLeast "5.13") [
+    (fetchpatch {
+      url = "https://github.com/DisplayLink/evdi/commit/c5f5441d0a115d2cfc8125b8bafaa05b2edc7938.patch";
+      sha256 = "sha256-tWYgBrRh3mXPebhUygOvJ07V87g9JU66hREriACfEVI=";
+    })
+    (fetchpatch {
+      url = "https://github.com/DisplayLink/evdi/commit/5f04d2e2df4cfd21dc15d31f1152c6a66fa48a78.patch";
+      sha256 = "sha256-690/eUiEVWvnT/YAVgKcLo86dgolF9giWRuPxXpL+eQ=";
+    })
+  ];
+
   nativeBuildInputs = kernel.moduleBuildDependencies;
 
   buildInputs = [ kernel libdrm ];
@@ -27,12 +40,12 @@ stdenv.mkDerivation rec {
     install -Dm755 library/libevdi.so $out/lib/libevdi.so
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Extensible Virtual Display Interface";
     maintainers = with maintainers; [ eyjhb ];
     platforms = platforms.linux;
-    license = with licenses; [ lgpl21 gpl2 ];
+    license = with licenses; [ lgpl21Only gpl2Only ];
     homepage = "https://www.displaylink.com/";
-    broken = versionOlder kernel.version "4.9" || stdenv.isAarch64;
+    broken = kernel.kernelOlder "4.19" || stdenv.isAarch64;
   };
 }
diff --git a/pkgs/os-specific/linux/eventstat/default.nix b/pkgs/os-specific/linux/eventstat/default.nix
index 6dfaa6ab38b..55b00ab8719 100644
--- a/pkgs/os-specific/linux/eventstat/default.nix
+++ b/pkgs/os-specific/linux/eventstat/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   pname = "eventstat";
-  version = "0.04.09";
+  version = "0.04.12";
   src = fetchzip {
     url = "https://kernel.ubuntu.com/~cking/tarballs/eventstat/eventstat-${version}.tar.gz";
-    sha256 = "1b3m58mak62ym2amnmk62c2d6fypk30fw6jsmirh1qz7dwix4bl5";
+    sha256 = "sha256-XBSs/jZodCpI9BHgAF8+bE23gRCr2uebYiMJxxB8T5E=";
   };
   buildInputs = [ ncurses ];
   installFlags = [ "DESTDIR=$(out)" ];
diff --git a/pkgs/os-specific/linux/exfat/default.nix b/pkgs/os-specific/linux/exfat/default.nix
index 59f9c709e5f..958bcdb9f16 100644
--- a/pkgs/os-specific/linux/exfat/default.nix
+++ b/pkgs/os-specific/linux/exfat/default.nix
@@ -5,14 +5,19 @@
 assert lib.versionAtLeast kernel.version  "4.2" || lib.versionOlder kernel.version "4.0";
 
 stdenv.mkDerivation rec {
+  # linux kernel above 5.7 comes with its own exfat implementation https://github.com/arter97/exfat-linux/issues/27
+  # Assertion moved here due to some tests unintenionally triggering it,
+  # e.g. nixosTests.kernel-latest; it's unclear how/why so far.
+  assertion = assert lib.versionOlder kernel.version "5.8"; null;
+
   name = "exfat-nofuse-${version}-${kernel.version}";
-  version = "2019-09-06";
+  version = "2020-04-15";
 
   src = fetchFromGitHub {
-    owner = "AdrianBan";
+    owner = "barrybingo";
     repo = "exfat-nofuse";
-    rev = "5536f067373c196f152061f5000fe0032dc07c48";
-    sha256 = "00mhadsv2iw8z00a6170hwbvk3afx484nn3irmd5f5kmhs34sw7k";
+    rev = "297a5739cd4a942a1d814d05a9cd9b542e7b8fc8";
+    sha256 = "14jahy7n6pr482fjfrlf9ck3f2rkr5ds0n5r85xdfsla37ria26d";
   };
 
   hardeningDisable = [ "pic" ];
@@ -21,8 +26,8 @@ stdenv.mkDerivation rec {
 
   makeFlags = [
     "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
-    "ARCH=${stdenv.hostPlatform.platform.kernelArch}"
-  ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
     "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
   ];
 
diff --git a/pkgs/os-specific/linux/extrace/default.nix b/pkgs/os-specific/linux/extrace/default.nix
index 23a9c68b5d5..8a02d9c67b1 100644
--- a/pkgs/os-specific/linux/extrace/default.nix
+++ b/pkgs/os-specific/linux/extrace/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   pname = "extrace";
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     install -m644 LICENSE "$out/share/licenses/extrace/LICENSE"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/leahneukirchen/extrace";
     description = "Trace exec() calls system-wide";
     license = with licenses; [ gpl2 bsd2 ];
diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix
index 941e71c3bfc..163001638cd 100644
--- a/pkgs/os-specific/linux/facetimehd/default.nix
+++ b/pkgs/os-specific/linux/facetimehd/default.nix
@@ -1,7 +1,7 @@
 { stdenv, lib, fetchFromGitHub, kernel }:
 
 # facetimehd is not supported for kernels older than 3.19";
-assert stdenv.lib.versionAtLeast kernel.version "3.19";
+assert lib.versionAtLeast kernel.version "3.19";
 
 let
   # Note: When updating this revision:
@@ -14,7 +14,7 @@ let
   #    e. see if the module loads back (apps using the camera won't
   #       recover and will have to be restarted) and the camera
   #       still works.
-  srcParams = if (stdenv.lib.versionAtLeast kernel.version "4.8") then
+  srcParams = if (lib.versionAtLeast kernel.version "4.8") then
     { # Use mainline branch
       version = "unstable-2020-04-16";
       rev = "82626d4892eeb9eb704538bf0dc49a00725ff451";
@@ -51,7 +51,7 @@ stdenv.mkDerivation rec {
     "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/patjak/bcwc_pcie";
     description = "Linux driver for the Facetime HD (Broadcom 1570) PCIe webcam";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/fatrace/default.nix b/pkgs/os-specific/linux/fatrace/default.nix
index 69d1afad8a6..2ae8bb2dca2 100644
--- a/pkgs/os-specific/linux/fatrace/default.nix
+++ b/pkgs/os-specific/linux/fatrace/default.nix
@@ -1,12 +1,18 @@
-{ stdenv, fetchurl, python3, which }:
+{ lib, stdenv
+, fetchFromGitHub
+, python3
+, which
+}:
 
 stdenv.mkDerivation rec {
   pname = "fatrace";
-  version = "0.13";
+  version = "0.16.3";
 
-  src = fetchurl {
-    url = "https://launchpad.net/fatrace/trunk/${version}/+download/${pname}-${version}.tar.bz2";
-    sha256 = "0hrh45bpzncw0jkxw3x2smh748r65k2yxvfai466043bi5q0d2vx";
+  src = fetchFromGitHub {
+    owner = "martinpitt";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-w7leZPdmiTc+avihP203e6GLvbRzbCtNOJdF8MM2v68=";
   };
 
   buildInputs = [ python3 which ];
@@ -14,16 +20,13 @@ stdenv.mkDerivation rec {
   postPatch = ''
     substituteInPlace power-usage-report \
       --replace "'which'" "'${which}/bin/which'"
-
-    # Avoid a glibc >= 2.25 deprecation warning that gets fatal via -Werror.
-    sed 1i'#include <sys/sysmacros.h>' -i fatrace.c
   '';
 
   makeFlags = [ "PREFIX=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Report system-wide file access events";
-    homepage = "https://launchpad.net/fatrace/";
+    homepage = "https://github.com/martinpitt/fatrace";
     license = licenses.gpl3Plus;
     longDescription = ''
       fatrace reports file access events from all running processes.
diff --git a/pkgs/os-specific/linux/fbterm/default.nix b/pkgs/os-specific/linux/fbterm/default.nix
index 2b049bc6df5..72e886b91f5 100644
--- a/pkgs/os-specific/linux/fbterm/default.nix
+++ b/pkgs/os-specific/linux/fbterm/default.nix
@@ -1,4 +1,4 @@
-{stdenv, lib, fetchurl, gpm, freetype, fontconfig, pkgconfig, ncurses, libx86}:
+{stdenv, lib, fetchurl, gpm, freetype, fontconfig, pkg-config, ncurses, libx86}:
 let
   s = # Generated upstream information
   {
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
     inherit (s) url sha256;
   };
 
-  nativeBuildInputs = [ pkgconfig ncurses ];
+  nativeBuildInputs = [ pkg-config ncurses ];
   inherit buildInputs;
 
   preConfigure = ''
@@ -51,7 +51,7 @@ stdenv.mkDerivation {
     ./select.patch
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit (s) version;
     description = "Framebuffer terminal emulator";
     homepage = "https://code.google.com/archive/p/fbterm/";
diff --git a/pkgs/os-specific/linux/ffado/default.nix b/pkgs/os-specific/linux/ffado/default.nix
index b93caccc757..e23591168f6 100644
--- a/pkgs/os-specific/linux/ffado/default.nix
+++ b/pkgs/os-specific/linux/ffado/default.nix
@@ -1,4 +1,4 @@
-{ stdenv
+{ lib
 , mkDerivation
 , dbus
 , dbus_cplusplus
@@ -11,7 +11,7 @@
 , libiec61883
 , libraw1394
 , libxmlxx3
-, pkgconfig
+, pkg-config
 , python3
 , sconsPackages
 , which
@@ -46,7 +46,7 @@ mkDerivation rec {
   nativeBuildInputs = [
     desktop-file-utils
     sconsPackages.scons_3_1_2
-    pkgconfig
+    pkg-config
     which
     python
     pyqt5
@@ -98,7 +98,7 @@ mkDerivation rec {
     wrapQtApp $bin/bin/ffado-mixer
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://www.ffado.org";
     description = "FireWire audio drivers";
     license = licenses.gpl3;
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 272b8612d7a..1a9b7e34f5a 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -1,36 +1,25 @@
-{stdenv, fetchurl, fetchpatch, which, nixosTests}:
-let
-  s = # Generated upstream information
-  rec {
-    baseName="firejail";
-    version="0.9.62";
-    name="${baseName}-${version}";
-    url="mirror://sourceforge/firejail/firejail/firejail-${version}.tar.xz";
-    sha256="1q2silgy882fl61p5qa9f9jqkxcqnwa71jig3c729iahx4f0hs05";
-  };
-  buildInputs = [
-    which
-  ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-    name = "${s.name}.tar.bz2";
+{ lib, stdenv, fetchFromGitHub, fetchpatch, which, xdg-dbus-proxy, nixosTests }:
+
+stdenv.mkDerivation rec {
+  pname = "firejail";
+  version = "0.9.66";
+
+  src = fetchFromGitHub {
+    owner = "netblue30";
+    repo = "firejail";
+    rev = version;
+    sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
   };
 
+  buildInputs = [ which ];
+
   patches = [
-    (fetchpatch {
-      name = "CVE-2020-17367.patch";
-      url = "https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch";
-      sha256 = "1gxz4jxp80gxnn46195qxcpmikwqab9d0ylj9zkm62lycp84ij6n";
-    })
-    (fetchpatch {
-      name = "CVE-2020-17368.patch";
-      url = "https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch";
-      sha256 = "0n4ch3qykxx870201l8lz81f7h84vk93pzz77f5cjbd30cxnbddl";
-    })
+    # Adds the /nix directory when using an overlay.
+    # Required to run any programs under this mode.
+    ./mount-nix-dir-on-overlay.patch
+    # By default fbuilder hardcodes the firejail binary to the install path.
+    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+    ./fbuilder-call-firejail-on-path.patch
   ];
 
   prePatch = ''
@@ -38,6 +27,10 @@ stdenv.mkDerivation {
     substituteInPlace etc/firejail.config --replace \
       '# follow-symlink-as-user yes' \
       'follow-symlink-as-user no'
+
+    # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+    substituteInPlace src/include/common.h \
+      --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
   '';
 
   preConfigure = ''
@@ -79,12 +72,10 @@ stdenv.mkDerivation {
   passthru.tests = nixosTests.firejail;
 
   meta = {
-    inherit (s) version;
-    description = ''Namespace-based sandboxing tool for Linux'';
-    license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    description = "Namespace-based sandboxing tool for Linux";
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
     homepage = "https://firejail.wordpress.com/";
-    downloadPage = "https://sourceforge.net/projects/firejail/files/firejail/";
   };
 }
diff --git a/pkgs/os-specific/linux/firejail/default.upstream b/pkgs/os-specific/linux/firejail/default.upstream
deleted file mode 100644
index 0e6576c44a8..00000000000
--- a/pkgs/os-specific/linux/firejail/default.upstream
+++ /dev/null
@@ -1,3 +0,0 @@
-url https://sourceforge.net/projects/firejail/files/firejail/
-version_link '[-][0-9.]+[.]tar[.][a-z0-9]+/download$'
-SF_redirect
diff --git a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
new file mode 100644
index 00000000000..6016891655b
--- /dev/null
+++ b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -0,0 +1,11 @@
+--- a/src/fbuilder/build_profile.c
++++ b/src/fbuilder/build_profile.c
+@@ -67,7 +67,7 @@
+ 		errExit("asprintf");
+ 
+ 	char *cmdlist[] = {
+-	  BINDIR "/firejail",
++	  "firejail",
+ 	  "--quiet",
+ 	  "--noprofile",
+ 	  "--caps.drop=all",
diff --git a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
new file mode 100644
index 00000000000..685314f9075
--- /dev/null
+++ b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -0,0 +1,27 @@
+--- a/src/firejail/fs.c
++++ b/src/firejail/fs.c
+@@ -1143,6 +1143,16 @@
+ 		errExit("mounting /dev");
+ 	fs_logger("whitelist /dev");
+ 
++	// mount-bind /nix
++	if (arg_debug)
++		printf("Mounting /nix\n");
++	char *nix;
++	if (asprintf(&nix, "%s/nix", oroot) == -1)
++		errExit("asprintf");
++	if (mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL) < 0)
++		errExit("mounting /nix");
++	fs_logger("whitelist /nix");
++
+ 	// mount-bind run directory
+ 	if (arg_debug)
+ 		printf("Mounting /run\n");
+@@ -1201,6 +1211,7 @@
+ 	free(odiff);
+ 	free(owork);
+ 	free(dev);
++	free(nix);
+ 	free(run);
+ 	free(tmp);
+ }
diff --git a/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix b/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
index 7cb5d2a9a40..79de65fcb98 100644
--- a/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
+++ b/pkgs/os-specific/linux/firmware/b43-firmware-cutter/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "b43-fwcutter-019";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Firmware extractor for cards supported by the b43 kernel module";
     homepage = "http://wireless.kernel.org/en/users/Drivers/b43";
-    license = stdenv.lib.licenses.free;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.free;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix b/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
index 4f03f58b11f..42444d784d5 100644
--- a/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
+++ b/pkgs/os-specific/linux/firmware/b43-firmware/5.1.138.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, b43FirmwareCutter }:
+{ lib, stdenv, fetchurl, b43FirmwareCutter }:
 
 let version = "5.100.138"; in
 
@@ -23,7 +23,7 @@ stdenv.mkDerivation {
   meta = {
     description = "Firmware for cards supported by the b43 kernel module";
     homepage = "http://wireless.kernel.org/en/users/Drivers/b43";
-    license = stdenv.lib.licenses.unfree;
+    license = lib.licenses.unfree;
   };
 }
 
diff --git a/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix b/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
index 3972e52977f..c0226065ea2 100644
--- a/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
+++ b/pkgs/os-specific/linux/firmware/b43-firmware/6.30.163.46.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, b43FirmwareCutter }:
+{ lib, stdenv, fetchurl, b43FirmwareCutter }:
 
 stdenv.mkDerivation rec {
   pname = "b43-firmware";
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     b43-fwcutter -w $out *.wl_apsta.o
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for cards supported by the b43 kernel module";
     homepage = "http://wireless.kernel.org/en/users/Drivers/b43";
     downloadPage = "http://www.lwfinger.com/b43-firmware";
diff --git a/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix b/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
index 314a6b7521b..5118d0a0b9b 100644
--- a/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/broadcom-bt-firmware/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cabextract, bt-fw-converter }:
+{ lib, stdenv, fetchurl, cabextract, bt-fw-converter }:
 
 # Kernels between 4.2 and 4.7 will not work with
 # this packages as they expect the firmware to be named "BCM.hcd"
@@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
   outputHashAlgo = "sha256";
   outputHash = "042frb2dmrqfj8q83h5p769q6hg2b3i8fgnyvs9r9a71z7pbsagq";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for Broadcom WIDCOMM® Bluetooth devices";
     homepage = "http://www.catalog.update.microsoft.com/Search.aspx?q=Broadcom+bluetooth";
     license = licenses.unfree;
diff --git a/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix b/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
index 5b4506a10ea..a28189a9e47 100644
--- a/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
+++ b/pkgs/os-specific/linux/firmware/bt-fw-converter/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, makeWrapper, perl, perlPackages, bluez }:
+{ lib, stdenv, fetchurl, makeWrapper, perl, perlPackages, bluez }:
 
 stdenv.mkDerivation  rec {
   pname = "bt-fw-converter";
@@ -25,11 +25,11 @@ stdenv.mkDerivation  rec {
     wrapProgram $out/bin/bt-fw-converter --set PERL5LIB $PERL5LIB
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/winterheart/broadcom-bt-firmware/";
     description = "A tool that converts hex to hcd based on inf file";
     license = licenses.mit;
     platforms = platforms.linux;
     maintainers = with maintainers; [ zraexy ];
   };
-} 
+}
diff --git a/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix b/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
index 7d735e69f56..1c3d8fbbaf7 100644
--- a/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/facetimehd-firmware/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cpio, xz, pkgs }:
+{ lib, stdenv, fetchurl, cpio, xz, pkgs }:
 
 let
 
@@ -43,7 +43,8 @@ stdenv.mkDerivation {
     curlOpts = "-r ${dmgRange}";
   };
 
-  phases = [ "buildPhase" ];
+  dontUnpack = true;
+  dontInstall = true;
 
   buildInputs = [ cpio xz ];
 
@@ -54,7 +55,7 @@ stdenv.mkDerivation {
     gunzip -c ${firmwareOut}.gz > $out/lib/firmware/facetimehd/${firmwareOut}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "facetimehd firmware";
     homepage = "https://support.apple.com/kb/DL1877";
     license = licenses.unfree;
diff --git a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
index e480b449007..4293f53e47d 100644
--- a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
@@ -1,13 +1,13 @@
-{ stdenv, fetchgit, lib }:
+{ stdenvNoCC, fetchgit, lib }:
 
-stdenv.mkDerivation rec {
+stdenvNoCC.mkDerivation rec {
   pname = "firmware-linux-nonfree";
-  version = "2020-05-19";
+  version = "2021-07-16";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
-    rev = lib.replaceStrings ["-"] [""] version;
-    sha256 = "13yrpgfqxp5l457p3s1c61is410nv0kv6picx9r0m8h1b0v6aym3";
+    rev = "refs/tags/" + lib.replaceStrings ["-"] [""] version;
+    sha256 = "185pnaqf2qmhbcdvvldmbar09zgaxhh3h8x9bxn6079bcdpaskn6";
   };
 
   installFlags = [ "DESTDIR=$(out)" ];
@@ -17,11 +17,11 @@ stdenv.mkDerivation rec {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "0pjl70nwarnknxah8vikb051c75mkg25a5m4h3344cw86x8hcx10";
+  outputHash = "0g470hj2ylpviijfpjqzsndn2k8kkscj27wqwk51xlk8cr3mrahb";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Binary firmware collection packaged by kernel.org";
-    homepage = "http://packages.debian.org/sid/firmware-linux-nonfree";
+    homepage = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
     license = licenses.unfreeRedistributableFirmware;
     platforms = platforms.linux;
     maintainers = with maintainers; [ fpletz ];
diff --git a/pkgs/os-specific/linux/firmware/firmware-manager/default.nix b/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
new file mode 100644
index 00000000000..ee36ab57442
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
@@ -0,0 +1,38 @@
+{ rustPlatform, lib, fetchFromGitHub, xz, pkg-config, openssl, dbus, glib, udev, cairo, pango, atk, gdk-pixbuf, gtk3, wrapGAppsHook }:
+rustPlatform.buildRustPackage rec {
+  pname = "firmware-manager";
+  version = "0.1.2";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-aKatdjHa/k7j48upkR1O6PFxCUfJYE3KhhzZ9Ohe0Jc=";
+  };
+
+  nativeBuildInputs = [ pkg-config wrapGAppsHook ];
+
+  buildInputs = [ xz openssl dbus glib udev cairo pango atk gdk-pixbuf gtk3 ];
+
+  depsExtraArgs.postPatch = "make prefix='$(out)' toml-gen";
+
+  postPatch = ''
+    sed -i 's|etc|$(prefix)/etc|' Makefile
+  '';
+
+  buildPhase = "make prefix='$(out)'";
+
+  installPhase = "make prefix='$(out)' install";
+
+  cargoSha256 = "sha256-BUo77ERHvuc8IkDdU3Z/gZZicNHT26IbAgEBnVM3O4U=";
+
+  doCheck = false;
+
+  meta = {
+    description = "Graphical frontend for firmware management";
+    homepage = "https://github.com/pop-os/firmware-manager";
+    license = lib.licenses.gpl3;
+    maintainers = [ lib.maintainers.shlevy ];
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch b/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
index a727e5f4a85..cd42f2f44e2 100644
--- a/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
+++ b/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
@@ -1,5 +1,5 @@
 diff --git a/data/meson.build b/data/meson.build
-index bb749fd4..b611875b 100644
+index 50154569..f8058a8e 100644
 --- a/data/meson.build
 +++ b/data/meson.build
 @@ -17,7 +17,7 @@ endif
@@ -73,10 +73,10 @@ index 826a3c1d..b78db663 100644
 +  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
  )
 diff --git a/meson.build b/meson.build
-index 87ea67e5..3a4374db 100644
+index b075ca89..8d504d3c 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -175,6 +175,12 @@ endif
+@@ -194,6 +194,12 @@ endif
  mandir = join_paths(prefix, get_option('mandir'))
  localedir = join_paths(prefix, get_option('localedir'))
  
@@ -90,30 +90,14 @@ index 87ea67e5..3a4374db 100644
  gio = dependency('gio-2.0', version : '>= 2.45.8')
  giounix = dependency('gio-unix-2.0', version : '>= 2.45.8', required: false)
 diff --git a/meson_options.txt b/meson_options.txt
-index 3da9b6c4..6c80275b 100644
+index bc76c0ab..8a67d012 100644
 --- a/meson_options.txt
 +++ b/meson_options.txt
-@@ -24,6 +24,7 @@ option('plugin_coreboot', type : 'boolean', value : true, description : 'enable
- option('systemd', type : 'boolean', value : true, description : 'enable systemd support')
- option('systemdunitdir', type: 'string', value: '', description: 'Directory for systemd units')
- option('elogind', type : 'boolean', value : false, description : 'enable elogind support')
+@@ -1,3 +1,4 @@
 +option('sysconfdir_install', type: 'string', value: '', description: 'sysconfdir to use during installation')
- option('tests', type : 'boolean', value : true, description : 'enable tests')
- option('udevdir', type: 'string', value: '', description: 'Directory for udev rules')
- option('efi-cc', type : 'string', value : 'gcc', description : 'the compiler to use for EFI modules')
-diff --git a/plugins/ata/meson.build b/plugins/ata/meson.build
-index 8444bb8a..fa4a8ad1 100644
---- a/plugins/ata/meson.build
-+++ b/plugins/ata/meson.build
-@@ -7,7 +7,7 @@ install_data([
- )
- 
- install_data(['ata.conf'],
--  install_dir:  join_paths(sysconfdir, 'fwupd')
-+  install_dir:  join_paths(sysconfdir_install, 'fwupd')
- )
- 
- shared_module('fu_plugin_ata',
+ option('build', type : 'combo', choices : ['all', 'standalone', 'library'], value : 'all', description : 'build type')
+ option('agent', type : 'boolean', value : true, description : 'enable the fwupd agent')
+ option('consolekit', type : 'boolean', value : true, description : 'enable ConsoleKit support')
 diff --git a/plugins/dell-esrt/meson.build b/plugins/dell-esrt/meson.build
 index ed4eee70..76dbdb1d 100644
 --- a/plugins/dell-esrt/meson.build
@@ -126,7 +110,7 @@ index ed4eee70..76dbdb1d 100644
 +  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
  )
 diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
-index 25fc5c7d..77eb9a83 100644
+index 205d1394..3223f404 100644
 --- a/plugins/redfish/meson.build
 +++ b/plugins/redfish/meson.build
 @@ -27,7 +27,7 @@ shared_module('fu_plugin_redfish',
@@ -139,10 +123,10 @@ index 25fc5c7d..77eb9a83 100644
  
  if get_option('tests')
 diff --git a/plugins/thunderbolt/meson.build b/plugins/thunderbolt/meson.build
-index 06ab34ee..297a9182 100644
+index 6b2368fb..2bd06fed 100644
 --- a/plugins/thunderbolt/meson.build
 +++ b/plugins/thunderbolt/meson.build
-@@ -46,7 +46,7 @@ executable('tbtfwucli',
+@@ -31,7 +31,7 @@ fu_plugin_thunderbolt = shared_module('fu_plugin_thunderbolt',
  )
  
  install_data(['thunderbolt.conf'],
@@ -151,14 +135,14 @@ index 06ab34ee..297a9182 100644
  )
  # we use functions from 2.52 in the tests
  if get_option('tests') and umockdev.found() and gio.version().version_compare('>= 2.52')
-diff --git a/plugins/uefi/meson.build b/plugins/uefi/meson.build
-index 5838cecc..9ba3d5cd 100644
---- a/plugins/uefi/meson.build
-+++ b/plugins/uefi/meson.build
-@@ -101,7 +101,7 @@ if get_option('man')
+diff --git a/plugins/uefi-capsule/meson.build b/plugins/uefi-capsule/meson.build
+index 0b793a07..ebd3e5ea 100644
+--- a/plugins/uefi-capsule/meson.build
++++ b/plugins/uefi-capsule/meson.build
+@@ -97,7 +97,7 @@ if get_option('man')
  endif
  
- install_data(['uefi.conf'],
+ install_data(['uefi_capsule.conf'],
 -  install_dir:  join_paths(sysconfdir, 'fwupd')
 +  install_dir:  join_paths(sysconfdir_install, 'fwupd')
  )
diff --git a/pkgs/os-specific/linux/firmware/fwupd/default.nix b/pkgs/os-specific/linux/firmware/fwupd/default.nix
index 0783fb79296..24e23f2b7e9 100644
--- a/pkgs/os-specific/linux/firmware/fwupd/default.nix
+++ b/pkgs/os-specific/linux/firmware/fwupd/default.nix
@@ -1,21 +1,20 @@
 # Updating? Keep $out/etc synchronized with passthru keys
 
-{ stdenv
+{ lib, stdenv
 , fetchurl
-, fetchpatch
+, fetchFromGitHub
 , substituteAll
 , gtk-doc
-, pkgconfig
+, pkg-config
 , gobject-introspection
-, intltool
+, gettext
 , libgudev
 , polkit
 , libxmlb
 , gusb
 , sqlite
 , libarchive
-, glib-networking
-, libsoup
+, curl
 , help2man
 , libjcat
 , libxslt
@@ -23,15 +22,15 @@
 , libsmbios
 , efivar
 , gnu-efi
-, libyaml
 , valgrind
 , meson
 , libuuid
 , colord
 , docbook_xml_dtd_43
-, docbook_xsl
+, docbook-xsl-nons
 , ninja
 , gcab
+, gnutls
 , python3
 , wrapGAppsHook
 , json-glib
@@ -67,10 +66,6 @@ let
     requests
   ]);
 
-  fontsConf = makeFontsConf {
-    fontDirectories = [ freefont_ttf ];
-  };
-
   isx86 = stdenv.isx86_64 || stdenv.isi686;
 
   # Dell isn't supported on Aarch64
@@ -79,6 +74,9 @@ let
   # only redfish for x86_64
   haveRedfish = stdenv.isx86_64;
 
+  # only use msr if x86 (requires cpuid)
+  haveMSR = isx86;
+
   # # Currently broken on Aarch64
   # haveFlashrom = isx86;
   # Experimental
@@ -93,30 +91,51 @@ let
 
   self = stdenv.mkDerivation rec {
     pname = "fwupd";
-    version = "1.4.5";
-
-    src = fetchurl {
-      url = "https://people.freedesktop.org/~hughsient/releases/fwupd-${version}.tar.xz";
-      sha256 = "0hpqxwqbbqn440c2swpnc06z8dskisrli4ynsxrzzqyp0dan46xw";
-    };
+    version = "1.5.7";
 
     # libfwupd goes to lib
     # daemon, plug-ins and libfwupdplugin go to out
     # CLI programs go to out
     outputs = [ "out" "lib" "dev" "devdoc" "man" "installedTests" ];
 
+    src = fetchurl {
+      url = "https://people.freedesktop.org/~hughsient/releases/fwupd-${version}.tar.xz";
+      sha256 = "16isrrv6zhdgccbfnz7km5g1cnvfnip7aiidkfhf5dlnrnyb2sxh";
+    };
+
+    patches = [
+      # Do not try to create useless paths in /var.
+      ./fix-paths.patch
+
+      # Allow installing
+      ./add-option-for-installation-sysconfdir.patch
+
+      # Install plug-ins and libfwupdplugin to out,
+      # they are not really part of the library.
+      ./install-fwupdplugin-to-out.patch
+
+      # Installed tests are installed to different output
+      # we also cannot have fwupd-tests.conf in $out/etc since it would form a cycle.
+      (substituteAll {
+        src = ./installed-tests-path.patch;
+        # Needs a different set of modules than po/make-images.
+        inherit installedTestsPython;
+      })
+    ];
+
     nativeBuildInputs = [
       meson
       ninja
       gtk-doc
-      pkgconfig
+      pkg-config
       gobject-introspection
-      intltool
+      gettext
       shared-mime-info
       valgrind
       gcab
+      gnutls
       docbook_xml_dtd_43
-      docbook_xsl
+      docbook-xsl-nons
       help2man
       libxslt
       python
@@ -130,15 +149,13 @@ let
       gusb
       sqlite
       libarchive
-      libsoup
+      curl
       elfutils
       gnu-efi
-      libyaml
       libgudev
       colord
       libjcat
       libuuid
-      glib-networking
       json-glib
       umockdev
       bash-completion
@@ -148,63 +165,29 @@ let
       pango
       tpm2-tss
       efivar
-    ] ++ stdenv.lib.optionals haveDell [
+    ] ++ lib.optionals haveDell [
       libsmbios
     ];
 
-    patches = [
-      ./fix-paths.patch
-      ./add-option-for-installation-sysconfdir.patch
-
-      # Install plug-ins and libfwupdplugin to out,
-      # they are not really part of the library.
-      ./install-fwupdplugin-to-out.patch
-
-      # Installed tests are installed to different output
-      # we also cannot have fwupd-tests.conf in $out/etc since it would form a cycle.
-      (substituteAll {
-        src = ./installed-tests-path.patch;
-        # Needs a different set of modules than po/make-images.
-        inherit installedTestsPython;
-      })
-    ];
-
-    postPatch = ''
-      patchShebangs \
-        contrib/get-version.py \
-        contrib/generate-version-script.py \
-        meson_post_install.sh \
-        po/make-images \
-        po/make-images.sh \
-        po/test-deps
-    '';
-
-    # /etc/os-release not available in sandbox
-    # doCheck = true;
-
-    preFixup = let
-      binPath = [
-        efibootmgr
-        bubblewrap
-        tpm2-tools
-      ] ++ stdenv.lib.optional haveFlashrom flashrom;
-    in ''
-      gappsWrapperArgs+=(
-        --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
-        # See programs reached with fu_common_find_program_in_path in source
-        --prefix PATH : "${stdenv.lib.makeBinPath binPath}"
-      )
-    '';
-
     mesonFlags = [
       "-Dgtkdoc=true"
       "-Dplugin_dummy=true"
+      # We are building the official releases.
+      "-Dsupported_build=true"
+      # Would dlopen libsoup to preserve compatibility with clients linking against older fwupd.
+      # https://github.com/fwupd/fwupd/commit/173d389fa59d8db152a5b9da7cc1171586639c97
+      "-Dsoup_session_compat=false"
       "-Dudevdir=lib/udev"
       "-Dsystemd_root_prefix=${placeholder "out"}"
       "-Dinstalled_test_prefix=${placeholder "installedTests"}"
       "-Defi-libdir=${gnu-efi}/lib"
       "-Defi-ldsdir=${gnu-efi}/lib"
       "-Defi-includedir=${gnu-efi}/include/efi"
+      "-Defi_sbat_distro_id=nixos"
+      "-Defi_sbat_distro_summary=NixOS"
+      "-Defi_sbat_distro_pkgname=fwupd"
+      "-Defi_sbat_distro_version=${version}"
+      "-Defi_sbat_distro_url=https://search.nixos.org/packages?channel=unstable&show=fwupd&from=0&size=50&sort=relevance&query=fwupd"
       "--localstatedir=/var"
       "--sysconfdir=/etc"
       "-Dsysconfdir_install=${placeholder "out"}/etc"
@@ -214,29 +197,83 @@ let
       # Our builder only adds $lib/lib to rpath but some things link
       # against libfwupdplugin which is in $out/lib.
       "-Dc_link_args=-Wl,-rpath,${placeholder "out"}/lib"
-    ] ++ stdenv.lib.optionals (!haveDell) [
+    ] ++ lib.optionals (!haveDell) [
       "-Dplugin_dell=false"
       "-Dplugin_synaptics=false"
-    ] ++ stdenv.lib.optionals (!haveRedfish) [
+    ] ++ lib.optionals (!haveRedfish) [
       "-Dplugin_redfish=false"
-    ] ++ stdenv.lib.optionals haveFlashrom [
+    ] ++ lib.optionals haveFlashrom [
       "-Dplugin_flashrom=true"
+    ] ++ lib.optionals (!haveMSR) [
+      "-Dplugin_msr=false"
     ];
 
-    FONTCONFIG_FILE = fontsConf; # Fontconfig error: Cannot load default config file
+    # TODO: wrapGAppsHook wraps efi capsule even though it is not ELF
+    dontWrapGApps = true;
+
+    # /etc/os-release not available in sandbox
+    # doCheck = true;
+
+    # Environment variables
+
+    # Fontconfig error: Cannot load default config file
+    FONTCONFIG_FILE =
+      let
+        fontsConf = makeFontsConf {
+          fontDirectories = [ freefont_ttf ];
+        };
+      in fontsConf;
 
     # error: “PolicyKit files are missing”
     # https://github.com/NixOS/nixpkgs/pull/67625#issuecomment-525788428
     PKG_CONFIG_POLKIT_GOBJECT_1_ACTIONDIR = "/run/current-system/sw/share/polkit-1/actions";
 
-    # TODO: wrapGAppsHook wraps efi capsule even though it is not elf
-    dontWrapGApps = true;
+    # Phase hooks
+
+    postPatch = ''
+      patchShebangs \
+        contrib/get-version.py \
+        contrib/generate-version-script.py \
+        meson_post_install.sh \
+        plugins/uefi-capsule/efi/generate_sbat.py \
+        plugins/uefi-capsule/efi/generate_binary.py \
+        po/make-images \
+        po/make-images.sh \
+        po/test-deps
+    '';
 
     preCheck = ''
       addToSearchPath XDG_DATA_DIRS "${shared-mime-info}/share"
     '';
 
-    # so we need to wrap the executables manually
+    postInstall =
+      let
+        testFw = fetchFromGitHub {
+          owner = "fwupd";
+          repo = "fwupd-test-firmware";
+          rev = "c13bfb26cae5f4f115dd4e08f9f00b3cb9acc25e";
+          sha256 = "US81i7mtLEe85KdWz5r+fQTk61IhqjVkzykBaBPuKL4=";
+        };
+      in ''
+        # These files have weird licenses so they are shipped separately.
+        cp --recursive --dereference "${testFw}/installed-tests/tests" "$installedTests/libexec/installed-tests/fwupd"
+      '';
+
+    preFixup = let
+      binPath = [
+        efibootmgr
+        bubblewrap
+        tpm2-tools
+      ] ++ lib.optional haveFlashrom flashrom;
+    in ''
+      gappsWrapperArgs+=(
+        --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
+        # See programs reached with fu_common_find_program_in_path in source
+        --prefix PATH : "${lib.makeBinPath binPath}"
+      )
+    '';
+
+    # Since we had to disable wrapGAppsHook, we need to wrap the executables manually.
     postFixup = ''
       find -L "$out/bin" "$out/libexec" -type f -executable -print0 \
         | while IFS= read -r -d ''' file; do
@@ -247,18 +284,18 @@ let
       done
     '';
 
+    separateDebugInfo = true;
+
     passthru = {
       filesInstalledToEtc = [
-        "fwupd/ata.conf"
         "fwupd/daemon.conf"
-        "fwupd/redfish.conf"
         "fwupd/remotes.d/lvfs-testing.conf"
         "fwupd/remotes.d/lvfs.conf"
         "fwupd/remotes.d/vendor.conf"
         "fwupd/remotes.d/vendor-directory.conf"
         "fwupd/thunderbolt.conf"
         "fwupd/upower.conf"
-        "fwupd/uefi.conf"
+        "fwupd/uefi_capsule.conf"
         "pki/fwupd/GPG-KEY-Hughski-Limited"
         "pki/fwupd/GPG-KEY-Linux-Foundation-Firmware"
         "pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service"
@@ -266,18 +303,21 @@ let
         "pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata"
         "pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service"
         "pki/fwupd-metadata/LVFS-CA.pem"
-      ] ++ stdenv.lib.optionals haveDell [
+      ] ++ lib.optionals haveDell [
         "fwupd/remotes.d/dell-esrt.conf"
+      ] ++ lib.optionals haveRedfish [
+        "fwupd/redfish.conf"
       ];
 
-      # BlacklistPlugins key in fwupd/daemon.conf
-      defaultBlacklistedPlugins = [
+      # DisabledPlugins key in fwupd/daemon.conf
+      defaultDisabledPlugins = [
         "test"
+        "test_ble"
         "invalid"
       ];
 
       tests = let
-        listToPy = list: "[${stdenv.lib.concatMapStringsSep ", " (f: "'${f}'") list}]";
+        listToPy = list: "[${lib.concatMapStringsSep ", " (f: "'${f}'") list}]";
       in {
         installedTests = nixosTests.installed-tests.fwupd;
 
@@ -295,19 +335,19 @@ let
 
           config = configparser.RawConfigParser()
           config.read('${self}/etc/fwupd/daemon.conf')
-          package_blacklisted_plugins = config.get('fwupd', 'BlacklistPlugins').rstrip(';').split(';')
-          passthru_blacklisted_plugins = ${listToPy passthru.defaultBlacklistedPlugins}
-          assert package_blacklisted_plugins == passthru_blacklisted_plugins, f'Default blacklisted plug-ins in the package {package_blacklisted_plugins} do not match those listed in passthru.defaultBlacklistedPlugins {passthru_blacklisted_plugins}'
+          package_disabled_plugins = config.get('fwupd', 'DisabledPlugins').rstrip(';').split(';')
+          passthru_disabled_plugins = ${listToPy passthru.defaultDisabledPlugins}
+          assert package_disabled_plugins == passthru_disabled_plugins, f'Default disabled plug-ins in the package {package_disabled_plugins} do not match those listed in passthru.defaultDisabledPlugins {passthru_disabled_plugins}'
 
           pathlib.Path(os.getenv('out')).touch()
         '';
       };
     };
 
-    meta = with stdenv.lib; {
+    meta = with lib; {
       homepage = "https://fwupd.org/";
       maintainers = with maintainers; [ jtojnar ];
-      license = [ licenses.gpl2 ];
+      license = licenses.lgpl21Plus;
       platforms = platforms.linux;
     };
   };
diff --git a/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch b/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
index 432056cbe7f..d8f1a533b82 100644
--- a/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
+++ b/pkgs/os-specific/linux/firmware/fwupd/installed-tests-path.patch
@@ -1,3 +1,5 @@
+diff --git a/data/device-tests/hardware.py b/data/device-tests/hardware.py
+index 7f1e1907..10fee1b8 100755
 --- a/data/device-tests/hardware.py
 +++ b/data/device-tests/hardware.py
 @@ -1,4 +1,4 @@
@@ -6,25 +8,41 @@
  # pylint: disable=wrong-import-position,too-many-locals,unused-argument,wrong-import-order
  #
  # Copyright (C) 2017 Richard Hughes <richard@hughsie.com>
+diff --git a/data/installed-tests/meson.build b/data/installed-tests/meson.build
+index adadbcdd..1b51bb9c 100644
 --- a/data/installed-tests/meson.build
 +++ b/data/installed-tests/meson.build
-@@ -1,4 +1,4 @@
--installed_test_datadir = join_paths(datadir, 'installed-tests', 'fwupd')
-+installed_test_datadir = join_paths(get_option('installed_test_prefix'), 'share', 'installed-tests', 'fwupd')
- 
- con2 = configuration_data()
- con2.set('installedtestsdir', installed_test_datadir)
-@@ -52,5 +52,5 @@ configure_file(
+@@ -65,5 +65,5 @@ configure_file(
    output : 'fwupd-tests.conf',
    configuration : con2,
    install: true,
 -  install_dir: join_paths(sysconfdir, 'fwupd', 'remotes.d'),
 +  install_dir: join_paths(get_option('installed_test_prefix'), 'etc', 'fwupd', 'remotes.d'),
  )
+diff --git a/meson.build b/meson.build
+index 772b7bbe..f59302cd 100644
+--- a/meson.build
++++ b/meson.build
+@@ -177,8 +177,8 @@ else
+   datadir = join_paths(prefix, get_option('datadir'))
+   sysconfdir = join_paths(prefix, get_option('sysconfdir'))
+   localstatedir = join_paths(prefix, get_option('localstatedir'))
+-  installed_test_bindir = join_paths(libexecdir, 'installed-tests', meson.project_name())
+-  installed_test_datadir = join_paths(datadir, 'installed-tests', meson.project_name())
++  installed_test_bindir = join_paths(get_option('installed_test_prefix'), 'libexec', 'installed-tests', meson.project_name())
++  installed_test_datadir = join_paths(get_option('installed_test_prefix'), 'share', 'installed-tests', meson.project_name())
+ endif
+ mandir = join_paths(prefix, get_option('mandir'))
+ localedir = join_paths(prefix, get_option('localedir'))
+diff --git a/meson_options.txt b/meson_options.txt
+index 0a0e2853..5f68d78b 100644
 --- a/meson_options.txt
 +++ b/meson_options.txt
-@@ -1,3 +1,4 @@
-+option('installed_test_prefix', type: 'string', value: '', description: 'Prefix for installed tests')
- option('build', type : 'combo', choices : ['all', 'standalone', 'library'], value : 'all', description : 'build type')
- option('agent', type : 'boolean', value : true, description : 'enable the fwupd agent')
- option('consolekit', type : 'boolean', value : true, description : 'enable ConsoleKit support')
+@@ -25,6 +26,7 @@ option('plugin_coreboot', type : 'boolean', value : true, description : 'enable
+ option('systemd', type : 'boolean', value : true, description : 'enable systemd support')
+ option('systemd_root_prefix', type: 'string', value: '', description: 'Directory to base systemd’s installation directories on')
+ option('elogind', type : 'boolean', value : false, description : 'enable elogind support')
++option('installed_test_prefix', type: 'string', description: 'Prefix for installed tests')
+ option('tests', type : 'boolean', value : true, description : 'enable tests')
+ option('tpm', type : 'boolean', value : true, description : 'enable TPM support')
+ option('udevdir', type: 'string', value: '', description: 'Directory for udev rules')
diff --git a/pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix b/pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix
index ff0081a71e1..4ef9370c844 100644
--- a/pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/openelec-dvb-firmware/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "openelec-dvb-firmware";
@@ -9,14 +9,16 @@ stdenv.mkDerivation rec {
     sha256 = "cef3ce537d213e020af794cecf9de207e2882c375ceda39102eb6fa2580bad8d";
   };
 
-  phases = [ "unpackPhase" "installPhase" ];
-
   installPhase = ''
+    runHook preInstall
+
     DESTDIR="$out" ./install
     find $out \( -name 'README.*' -or -name 'LICEN[SC]E.*' -or -name '*.txt' \) | xargs rm
+
+    runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "DVB firmware from OpenELEC";
     homepage = "https://github.com/OpenELEC/dvb-firmware";
     license = licenses.unfreeRedistributableFirmware;
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix b/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
index 23338684764..e6a03ef7df5 100644
--- a/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
+++ b/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
@@ -1,23 +1,23 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation {
   pname = "raspberrypi-wireless-firmware";
-  version = "2019-08-16";
+  version = "2021-01-28";
 
   srcs = [
     (fetchFromGitHub {
       name = "bluez-firmware";
       owner = "RPi-Distro";
       repo = "bluez-firmware";
-      rev = "96eefffcccc725425fd83be5e0704a5c32b79e54";
-      sha256 = "05h57gcxhb2c84h99cyxxx4mzi6kd5fm8pjqkz3nq5vs3nv8cqhr";
+      rev = "e7fd166981ab4bb9a36c2d1500205a078a35714d";
+      sha256 = "1dkg8mzn7n4afi50ibrda2s33nw2qj52jjjdv9w560q601gms47b";
     })
     (fetchFromGitHub {
       name = "firmware-nonfree";
       owner = "RPi-Distro";
       repo = "firmware-nonfree";
-      rev = "130cb86fa30cafbd575d38865fa546350d4c5f9c";
-      sha256 = "0jmhgbpldzz8n8lncpzwfl5ym8zgss05y952rfpwcf9v5c7vgabx";
+      rev = "83938f78ca2d5a0ffe0c223bb96d72ccc7b71ca5";
+      sha256 = "1l4zz86y2hjyvdwjy75abyjwh3wqknd71y3vh1iw5nd0hws8ranp";
     })
   ];
 
@@ -41,10 +41,10 @@ stdenv.mkDerivation {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "1r4alf1fbj6vkkf54d0anm47ymb6gn2ykl4a2hhd34b0hnf1dnhn";
+  outputHash = "0a54gyrq6jfxxvimaa4yjfiyfwf7wv58v0a32l74yrzyarr3ldby";
 
-  meta = with stdenv.lib; {
-    description = "Firmware for builtin Wifi/Bluetooth devices in the Raspberry Pi 3 and Zero W";
+  meta = with lib; {
+    description = "Firmware for builtin Wifi/Bluetooth devices in the Raspberry Pi 3+ and Zero W";
     homepage = "https://github.com/RPi-Distro/firmware-nonfree";
     license = licenses.unfreeRedistributableFirmware;
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix b/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix
new file mode 100644
index 00000000000..52fa4266577
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/raspberrypi/armstubs.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config }:
+
+let
+  inherit (lib) optionals;
+in
+stdenv.mkDerivation {
+  pname = "raspberrypi-armstubs";
+  version = "2020-10-08";
+
+  src = fetchFromGitHub {
+    owner = "raspberrypi";
+    repo = "tools";
+    rev = "fc0e73c13865450e95edd046200e42a6e52d8256";
+    sha256 = "1g6ikpjcrm5x0rk5aiwjdd8grf997qkvgamcrdxy6k9ln746h25s";
+  };
+
+  NIX_CFLAGS_COMPILE = [
+    "-march=armv8-a+crc"
+  ];
+
+  preConfigure = ''
+    cd armstubs
+  '';
+
+  makeFlags = [
+    "CC8=${stdenv.cc.targetPrefix}cc"
+    "LD8=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY8=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP8=${stdenv.cc.targetPrefix}objdump"
+    "CC7=${stdenv.cc.targetPrefix}cc"
+    "LD7=${stdenv.cc.targetPrefix}ld"
+    "OBJCOPY7=${stdenv.cc.targetPrefix}objcopy"
+    "OBJDUMP7=${stdenv.cc.targetPrefix}objdump"
+  ]
+  ++ optionals (stdenv.isAarch64) [ "armstub8.bin" "armstub8-gic.bin" ]
+  ++ optionals (stdenv.isAarch32) [ "armstub7.bin" "armstub8-32.bin" "armstub8-32-gic.bin" ]
+  ;
+
+  installPhase = ''
+    mkdir -vp $out/
+    cp -v *.bin $out/
+  '';
+
+  meta = with lib; {
+    description = "Firmware related ARM stubs for the Raspberry Pi";
+    homepage = https://github.com/raspberrypi/tools;
+    license = licenses.bsd3;
+    platforms = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
+    maintainers = with maintainers; [ samueldr ];
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi/default.nix b/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
index 77a28444636..6a826f63966 100644
--- a/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
+++ b/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
@@ -1,14 +1,15 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenvNoCC, fetchFromGitHub }:
 
-stdenv.mkDerivation rec {
+stdenvNoCC.mkDerivation rec {
+  # NOTE: this should be updated with linux_rpi
   pname = "raspberrypi-firmware";
-  version = "1.20200601";
+  version = "1.20210303";
 
   src = fetchFromGitHub {
     owner = "raspberrypi";
     repo = "firmware";
     rev = version;
-    sha256 = "1vm038f9digwg8gdxl2bypzlip3ycjb6bl56274gh5i9abl6wjvf";
+    sha256 = "0pgiw93hq4gfph5dnwbi8w59g0f7yhmagwzam971k529mh5yl86m";
   };
 
   installPhase = ''
@@ -16,11 +17,14 @@ stdenv.mkDerivation rec {
     cp -R boot/* $out/share/raspberrypi/boot
   '';
 
-  meta = with stdenv.lib; {
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  meta = with lib; {
     description = "Firmware for the Raspberry Pi board";
     homepage = "https://github.com/raspberrypi/firmware";
     license = licenses.unfreeRedistributableFirmware; # See https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
-    platforms = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
-    maintainers = with maintainers; [ dezgeg tavyc ];
+    maintainers = with maintainers; [ dezgeg ];
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix b/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix
deleted file mode 100644
index 6c4d49e4e24..00000000000
--- a/pkgs/os-specific/linux/firmware/raspberrypi/tools.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ stdenv, fetchFromGitHub, cmake, pkgconfig }:
-
-stdenv.mkDerivation {
-  pname = "raspberrypi-tools";
-  version = "2020-05-28";
-
-  src = fetchFromGitHub {
-    owner = "raspberrypi";
-    repo = "userland";
-    rev = "f97b1af1b3e653f9da2c1a3643479bfd469e3b74";
-    sha256 = "1r7n05rv96hqjq0rn0qzchmfqs0j7vh3p8jalgh66s6l0vms5mwy";
-  };
-
-  nativeBuildInputs = [ cmake pkgconfig ];
-
-  preConfigure = ''
-    cmakeFlagsArray+=("-DVMCS_INSTALL_PREFIX=$out")
-  '' + stdenv.lib.optionalString stdenv.isAarch64 ''
-    cmakeFlagsArray+=("-DARM64=1")
-  '';
-
-  meta = with stdenv.lib; {
-    description = "Userland tools for the Raspberry Pi board";
-    homepage = "https://github.com/raspberrypi/userland";
-    license = licenses.bsd3;
-    platforms = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ];
-    maintainers = with maintainers; [ dezgeg tavyc ];
-  };
-}
diff --git a/pkgs/os-specific/linux/firmware/rt5677/default.nix b/pkgs/os-specific/linux/firmware/rt5677/default.nix
index af0c07d1059..f5d84179fd2 100644
--- a/pkgs/os-specific/linux/firmware/rt5677/default.nix
+++ b/pkgs/os-specific/linux/firmware/rt5677/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit }:
+{ lib, stdenv, fetchgit }:
 
 stdenv.mkDerivation {
   name = "rt5677-firmware";
@@ -15,7 +15,7 @@ stdenv.mkDerivation {
     cp ./firmware/rt5677_elf_vad $out/lib/firmware
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for Realtek rt5677 device";
     license = licenses.unfreeRedistributableFirmware;
     maintainers = [ maintainers.zohl ];
diff --git a/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
index 9b68a49266f..34c2b683ea4 100644
--- a/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/rtl8192su-firmware/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchFromGitHub }:
-with stdenv.lib;
+{ lib, stdenv, fetchFromGitHub }:
+with lib;
 stdenv.mkDerivation {
   name = "rtl8192su-unstable-2016-10-05";
 
@@ -26,7 +26,7 @@ stdenv.mkDerivation {
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for Realtek RTL8188SU/RTL8191SU/RTL8192SU";
     homepage = "https://github.com/chunkeey/rtl8192su";
     license = licenses.unfreeRedistributableFirmware;
diff --git a/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix
index f95d1efcef7..36580d4b1b9 100644
--- a/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/rtl8723bs-firmware/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, linuxPackages }:
-with stdenv.lib;
+{ lib, stdenv, linuxPackages }:
+with lib;
 stdenv.mkDerivation {
   name = "rtl8723bs-firmware-${linuxPackages.rtl8723bs.version}";
   inherit (linuxPackages.rtl8723bs) src;
@@ -12,7 +12,7 @@ stdenv.mkDerivation {
     cp rtl8723bs_wowlan.bin "$out/lib/firmware/rtlwifi"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware for RealTek 8723bs";
     homepage = "https://github.com/hadess/rtl8723bs";
     license = licenses.unfreeRedistributableFirmware;
diff --git a/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix
new file mode 100644
index 00000000000..f2dd36a0e06
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/rtl8761b-firmware/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation {
+  name = "rtl8761b-firmware";
+
+  src = fetchFromGitHub {
+    owner = "Realtek-OpenSource";
+    repo = "android_hardware_realtek";
+    rev = "rtk1395";
+    sha256 = "sha256-vd9sZP7PGY+cmnqVty3sZibg01w8+UNinv8X85B+dzc=";
+  };
+
+  installPhase = ''
+    install -D -pm644 \
+      bt/rtkbt/Firmware/BT/rtl8761b_fw \
+      $out/lib/firmware/rtl_bt/rtl8761b_fw.bin
+
+    install -D -pm644 \
+      bt/rtkbt/Firmware/BT/rtl8761b_config \
+      $out/lib/firmware/rtl_bt/rtl8761b_config.bin
+  '';
+
+  meta = with lib; {
+    description = "Firmware for Realtek RTL8761b";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ edibopp ];
+    platforms = with platforms; linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix
deleted file mode 100644
index 673ef686e48..00000000000
--- a/pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ stdenv, lib, linuxPackages }:
-
-with lib;
-
-stdenv.mkDerivation rec {
-  name = "rtlwifi_new-firmware-${linuxPackages.rtlwifi_new.version}";
-  inherit (linuxPackages.rtlwifi_new) src;
-
-  dontBuild = true;
-
-  installPhase = ''
-    mkdir -p "$out/lib/firmware"
-    cp -rf firmware/rtlwifi/ "$out/lib/firmware"
-  '';
-
-  meta = {
-    description = "Firmware for the newest Realtek rtlwifi codes";
-    inherit (src.meta) homepage;
-    license = licenses.unfreeRedistributableFirmware;
-    platforms = with platforms; linux;
-    maintainers = with maintainers; [ tvorog ];
-  };
-}
diff --git a/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
new file mode 100644
index 00000000000..b4e07624b6e
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
@@ -0,0 +1,25 @@
+{ stdenvNoCC, lib, linuxPackages }:
+
+stdenvNoCC.mkDerivation {
+  pname = "rtw88-firmware";
+  inherit (linuxPackages.rtw88) version src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/rtw88
+    cp *.bin $out/lib/firmware/rtw88
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware for the newest Realtek rtlwifi codes";
+    homepage = "https://github.com/lwfinger/rtw88";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix
new file mode 100644
index 00000000000..8e71770df9c
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix
@@ -0,0 +1,25 @@
+{ stdenvNoCC, lib, linuxPackages }:
+
+stdenvNoCC.mkDerivation {
+  pname = "rtw89-firmware";
+  inherit (linuxPackages.rtw89) version src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/rtw89
+    cp *.bin $out/lib/firmware/rtw89
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Driver for Realtek 8852AE, an 802.11ax device";
+    homepage = "https://github.com/lwfinger/rtw89";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/sof-firmware/default.nix b/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
index a9fc44e48cc..2409d9b1aba 100644
--- a/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
@@ -1,33 +1,29 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
-with stdenv.lib;
 stdenv.mkDerivation rec {
   pname = "sof-firmware";
-  version = "1.5.1";
+  version = "1.7";
 
   src = fetchFromGitHub {
     owner = "thesofproject";
     repo = "sof-bin";
-    rev = "ae61d2778b0a0f47461a52da0d1f191f651e0763";
-    sha256 = "0j6bpwz49skvdvian46valjw4anwlrnkq703n0snkbngmq78prba";
+    rev = "v${version}";
+    sha256 = "sha256-Z0Z4HLsIIuW8E1kFNhAECmzj1HkJVfbEw13B8V7PZLk=";
   };
 
-  phases = [ "unpackPhase" "installPhase" ];
+  dontFixup = true; # binaries must not be stripped or patchelfed
 
   installPhase = ''
-    mkdir -p $out/lib/firmware/intel
-
-    sed -i 's/ROOT=.*$/ROOT=$out/g' go.sh
-    sed -i 's/VERSION=.*$/VERSION=v${version}/g' go.sh
-
-    ./go.sh
+    mkdir -p $out/lib/firmware/intel/
+    cp -a sof-v${version} $out/lib/firmware/intel/sof
+    cp -a sof-tplg-v${version} $out/lib/firmware/intel/sof-tplg
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Sound Open Firmware";
     homepage = "https://www.sofproject.org/";
     license = with licenses; [ bsd3 isc ];
-    maintainers = with maintainers; [ lblasc evenbrenden ];
+    maintainers = with maintainers; [ lblasc evenbrenden hmenke ];
     platforms = with platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/system76-firmware/default.nix b/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
new file mode 100644
index 00000000000..ca750d89cc5
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
@@ -0,0 +1,39 @@
+{ rustPlatform, lib, fetchFromGitHub, xz, pkg-config, openssl, dbus, efibootmgr, makeWrapper }:
+rustPlatform.buildRustPackage rec {
+  pname = "system76-firmware";
+  # Check Makefile when updating, make sure postInstall matches make install
+  version = "1.0.24";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-Poe18HKEQusvN3WF4ZAV1WCvU8/3HKpHEqDsfDO62V0=";
+  };
+
+  nativeBuildInputs = [ pkg-config makeWrapper ];
+
+  buildInputs = [ xz openssl dbus ];
+
+  cargoBuildFlags = [ "--workspace" ];
+
+  cargoSha256 = "sha256-gGw3zpxLxQZ3rglpDERO0fSxBOez1Q10Fljis6nyB/4=";
+
+  # Purposefully don't install systemd unit file, that's for NixOS
+  postInstall = ''
+    install -D -m -0644 data/system76-firmware-daemon.conf $out/etc/dbus-1/system.d/system76-firmware-daemon.conf
+
+    for bin in $out/bin/system76-firmware-*
+    do
+      wrapProgram $bin --prefix PATH : "${efibootmgr}/bin"
+    done
+  '';
+
+  meta = with lib; {
+    description = "Tools for managing firmware updates for system76 devices";
+    homepage = "https://github.com/pop-os/system76-firmware";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ shlevy ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/zd1211/default.nix b/pkgs/os-specific/linux/firmware/zd1211/default.nix
index d6963c8eb78..15e53557126 100644
--- a/pkgs/os-specific/linux/firmware/zd1211/default.nix
+++ b/pkgs/os-specific/linux/firmware/zd1211/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   pname = "zd1211-firmware";
@@ -19,6 +19,6 @@ in fetchzip rec {
     description = "Firmware for the ZyDAS ZD1211(b) 802.11a/b/g USB WLAN chip";
     homepage = "https://sourceforge.net/projects/zd1211/";
     license = "GPL";
-    platforms = stdenv.lib.platforms.linux;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/flashbench/default.nix b/pkgs/os-specific/linux/flashbench/default.nix
index 70ad779c239..619aea69aa6 100644
--- a/pkgs/os-specific/linux/flashbench/default.nix
+++ b/pkgs/os-specific/linux/flashbench/default.nix
@@ -1,27 +1,31 @@
-{ stdenv, fetchgit }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation {
-  pname = "flashbench";
-  version = "2012-06-06";
+  pname = "flashbench-unstable";
+  version = "2020-01-23";
 
-  src = fetchgit {
-    url = "https://github.com/bradfa/flashbench.git";
-    rev = "2e30b1968a66147412f21002ea844122a0d5e2f0";
-    sha256 = "037rhd2alwfip9qk78cy8fwwnc2kdyzccsyc7v2zpmvl4vvpvnhg";
+  src = fetchFromGitHub {
+    owner = "bradfa";
+    repo = "flashbench";
+    rev = "d783b1bd2443812c6deadc31b081f043e43e4c1a";
+    sha256 = "045j1kpay6x2ikz8x54ph862ymfy1nzpbmmqpf3nkapiv32fjqw5";
   };
 
   installPhase = ''
+    runHook preInstall
+
     install -d -m755 $out/bin $out/share/doc/flashbench
     install -v -m755 flashbench $out/bin
     install -v -m755 erase $out/bin/flashbench-erase
     install -v -m644 README $out/share/doc/flashbench
+
+    runHook postInstall
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Testing tool for flash based memory devices";
     homepage = "https://github.com/bradfa/flashbench";
     platforms = platforms.linux;
-    license = licenses.gpl2;
-    maintainers = [ maintainers.rycee ];
+    license = licenses.gpl2Only;
   };
 }
diff --git a/pkgs/os-specific/linux/fnotifystat/default.nix b/pkgs/os-specific/linux/fnotifystat/default.nix
index f01c96259a8..baa92decd9f 100644
--- a/pkgs/os-specific/linux/fnotifystat/default.nix
+++ b/pkgs/os-specific/linux/fnotifystat/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   pname = "fnotifystat";
-  version = "0.02.06";
+  version = "0.02.07";
   src = fetchurl {
     url = "https://kernel.ubuntu.com/~cking/tarballs/fnotifystat/fnotifystat-${version}.tar.gz";
-    sha256 = "1mr2qzh8r8qq7haz4qgci2k5lcrcy493fm0m3ri40a81vaajfniy";
+    sha256 = "0ipfg2gymbgx7bqlx1sq5p2y89k5j18iqnb0wa27n5s3kh9sh8w0";
   };
   installFlags = [ "DESTDIR=$(out)" ];
   postInstall = ''
diff --git a/pkgs/os-specific/linux/forkstat/default.nix b/pkgs/os-specific/linux/forkstat/default.nix
index d42091085ba..09c9c660285 100644
--- a/pkgs/os-specific/linux/forkstat/default.nix
+++ b/pkgs/os-specific/linux/forkstat/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   pname = "forkstat";
-  version = "0.02.15";
+  version = "0.02.16";
   src = fetchurl {
     url = "https://kernel.ubuntu.com/~cking/tarballs/forkstat/forkstat-${version}.tar.xz";
-    sha256 = "11dvg7bbklpfywx6i6vb29vvc28pbfk3mff0g18n5imxvzsd7jxs";
+    sha256 = "1rrzvlws9725dy2jq5k4zfv669ngrb2klhla6wvir8nwh53jms4w";
   };
   installFlags = [ "DESTDIR=$(out)" ];
   postInstall = ''
diff --git a/pkgs/os-specific/linux/forktty/default.nix b/pkgs/os-specific/linux/forktty/default.nix
index 66570bac942..c2e49399582 100644
--- a/pkgs/os-specific/linux/forktty/default.nix
+++ b/pkgs/os-specific/linux/forktty/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 let
   s = # Generated upstream information
   rec {
@@ -28,9 +28,9 @@ stdenv.mkDerivation {
   makeFlags = [ "prefix=$(out)" "manprefix=$(out)/share/" ];
   meta = {
     inherit (s) version;
-    description = ''Tool to detach from controlling TTY and attach to another'';
-    license = stdenv.lib.licenses.gpl2 ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    description = "Tool to detach from controlling TTY and attach to another";
+    license = lib.licenses.gpl2 ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/freefall/default.nix b/pkgs/os-specific/linux/freefall/default.nix
index a6c5a6593d1..683b599e5be 100644
--- a/pkgs/os-specific/linux/freefall/default.nix
+++ b/pkgs/os-specific/linux/freefall/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, kernel }:
+{ lib, stdenv, kernel }:
 
 stdenv.mkDerivation {
   inherit (kernel) version src;
@@ -15,7 +15,7 @@ stdenv.mkDerivation {
 
   makeFlags = [ "PREFIX=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit (kernel.meta) homepage license;
 
     description = "Free-fall protection for spinning HP/Dell laptop hard drives";
diff --git a/pkgs/os-specific/linux/fscrypt/default.nix b/pkgs/os-specific/linux/fscrypt/default.nix
index 1086e5ece04..7528fae6bdd 100644
--- a/pkgs/os-specific/linux/fscrypt/default.nix
+++ b/pkgs/os-specific/linux/fscrypt/default.nix
@@ -1,16 +1,16 @@
-{ stdenv, buildGoModule, fetchFromGitHub, gnum4, pam, fscrypt-experimental }:
+{ lib, buildGoModule, fetchFromGitHub, gnum4, pam, fscrypt-experimental }:
 
 # Don't use this for anything important yet!
 
 buildGoModule rec {
   pname = "fscrypt";
-  version = "0.2.9";
+  version = "0.3.0";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "fscrypt";
     rev = "v${version}";
-    sha256 = "020hhdarbn3bwlc2j2g89868v8nfx8562z1a778ihpvvsa4ykr31";
+    sha256 = "1zdadi9f7wj6kgmmk9zlkpdm1lb3gfiscg9gkqqdql2si7y6g2nq";
   };
 
   postPatch = ''
@@ -34,11 +34,7 @@ buildGoModule rec {
     make install
   '';
 
-  preFixup = ''
-    remove-references-to -t ${fscrypt-experimental.go} $out/lib/security/pam_fscrypt.so
-  '';
-
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description =
       "A high-level tool for the management of Linux filesystem encryption";
     longDescription = ''
diff --git a/pkgs/os-specific/linux/fscryptctl/default.nix b/pkgs/os-specific/linux/fscryptctl/default.nix
index ecab0350d78..bd1b414f4cb 100644
--- a/pkgs/os-specific/linux/fscryptctl/default.nix
+++ b/pkgs/os-specific/linux/fscryptctl/default.nix
@@ -1,28 +1,38 @@
-{ stdenv, fetchFromGitHub }:
-
-# Don't use this for anything important yet!
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
-  pname = "fscryptctl-unstable";
-  version = "2017-10-23";
+  pname = "fscryptctl";
+  version = "1.0.0";
 
   goPackagePath = "github.com/google/fscrypt";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "fscryptctl";
-    rev = "142326810eb19d6794793db6d24d0775a15aa8e5";
-    sha256 = "1853hlpklisbqnkb7a921dsf0vp2nr2im26zpmrs592cnpsvk3hb";
+    rev = "v${version}";
+    sha256 = "1hwj726mm0yhlcf6523n07h0yq1rvkv4km64h3ydpjcrcxklhw6l";
   };
 
-  makeFlags = [ "DESTDIR=$(out)/bin" ];
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
-  meta = with stdenv.lib; {
-    description = ''
-      A low-level tool that handles raw keys and manages policies for Linux
-      filesystem encryption
+  meta = with lib; {
+    description = "Small C tool for Linux filesystem encryption";
+    longDescription = ''
+      fscryptctl is a low-level tool written in C that handles raw keys and
+      manages policies for Linux filesystem encryption, specifically the
+      "fscrypt" kernel interface which is supported by the ext4, f2fs, and
+      UBIFS filesystems.
+      fscryptctl is mainly intended for embedded systems which can't use the
+      full-featured fscrypt tool, or for testing or experimenting with the
+      kernel interface to Linux filesystem encryption. fscryptctl does not
+      handle key generation, key stretching, key wrapping, or PAM integration.
+      Most users should use the fscrypt tool instead, which supports these
+      features and generally is much easier to use.
+      As fscryptctl is intended for advanced users, you should read the kernel
+      documentation for filesystem encryption before using fscryptctl.
     '';
     inherit (src.meta) homepage;
+    changelog = "https://github.com/google/fscryptctl/releases/tag/v{version}";
     license = licenses.asl20;
     platforms = platforms.linux;
     maintainers = with maintainers; [ primeos ];
diff --git a/pkgs/os-specific/linux/fscryptctl/legacy.nix b/pkgs/os-specific/linux/fscryptctl/legacy.nix
new file mode 100644
index 00000000000..64a409fb58b
--- /dev/null
+++ b/pkgs/os-specific/linux/fscryptctl/legacy.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+# Don't use this for anything important!
+# TODO: Drop fscryptctl-experimental after the NixOS 21.03/21.05 release.
+
+stdenv.mkDerivation rec {
+  pname = "fscryptctl";
+  version = "0.1.0";
+
+  goPackagePath = "github.com/google/fscrypt";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "fscryptctl";
+    rev = "v${version}";
+    sha256 = "1853hlpklisbqnkb7a921dsf0vp2nr2im26zpmrs592cnpsvk3hb";
+  };
+
+  makeFlags = [ "DESTDIR=$(out)/bin" ];
+
+  meta = with lib; {
+    description = "Small C tool for Linux filesystem encryption";
+    longDescription = ''
+      fscryptctl is a low-level tool written in C that handles raw keys and
+      manages policies for Linux filesystem encryption, specifically the
+      "fscrypt" kernel interface which is supported by the ext4, f2fs, and
+      UBIFS filesystems.
+      fscryptctl is mainly intended for embedded systems which can't use the
+      full-featured fscrypt tool, or for testing or experimenting with the
+      kernel interface to Linux filesystem encryption. fscryptctl does not
+      handle key generation, key stretching, key wrapping, or PAM integration.
+      Most users should use the fscrypt tool instead, which supports these
+      features and generally is much easier to use.
+      As fscryptctl is intended for advanced users, you should read the kernel
+      documentation for filesystem encryption before using fscryptctl.
+    '';
+    inherit (src.meta) homepage;
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+    knownVulnerabilities = [ ''
+      fscryptctl version 1.0.0 was released and now uses v2 encryption
+      policies. fscryptctl-experimental will remain at version 0.1.0 which
+      still supports the v1 encryption policies. Please try to switch from the
+      "fscryptctl-experimental" package to "fscryptctl". The v1 encryption
+      policies can be insecure, are hard to use correctly, and have different
+      semantics from v2 policies (which is why they are no longer supported in
+      fscryptctl 1.0.0+).
+    '' ];
+  };
+}
diff --git a/pkgs/os-specific/linux/fswebcam/default.nix b/pkgs/os-specific/linux/fswebcam/default.nix
index 53a1bdbc4c7..18cdc21f0b6 100644
--- a/pkgs/os-specific/linux/fswebcam/default.nix
+++ b/pkgs/os-specific/linux/fswebcam/default.nix
@@ -1,11 +1,11 @@
-{ stdenv, fetchurl, libv4l, gd }:
+{ lib, stdenv, fetchurl, libv4l, gd }:
 
 stdenv.mkDerivation rec {
-  name = "fswebcam-20140113";
+  name = "fswebcam-20200725";
 
   src = fetchurl {
     url = "https://www.sanslogic.co.uk/fswebcam/files/${name}.tar.gz";
-    sha256 = "3ee389f72a7737700d22e0c954720b1e3bbadc8a0daad6426c25489ba9dc3199";
+    sha256 = "1dazsrcaw9s30zz3jpxamk9lkff5dkmflp1s0jjjvdbwa0k6k6ii";
   };
 
   buildInputs =
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Neat and simple webcam app";
     homepage = "http://www.sanslogic.co.uk/fswebcam";
-    platforms = stdenv.lib.platforms.linux;
-    license = stdenv.lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2;
   };
 }
diff --git a/pkgs/os-specific/linux/ftop/default.nix b/pkgs/os-specific/linux/ftop/default.nix
index d7791cd1a62..abd6d788461 100644
--- a/pkgs/os-specific/linux/ftop/default.nix
+++ b/pkgs/os-specific/linux/ftop/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, ncurses }:
+{ lib, stdenv, fetchurl, ncurses }:
 
 stdenv.mkDerivation rec {
   pname = "ftop";
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
     substituteInPlace configure --replace "curses" "ncurses"
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Show progress of open files and file systems";
     homepage = "https://code.google.com/archive/p/ftop/";
     license = licenses.gpl3Plus;
diff --git a/pkgs/os-specific/linux/fuse/common.nix b/pkgs/os-specific/linux/fuse/common.nix
index 2010be53c2d..5adb1b5355a 100644
--- a/pkgs/os-specific/linux/fuse/common.nix
+++ b/pkgs/os-specific/linux/fuse/common.nix
@@ -1,14 +1,14 @@
 { version, sha256Hash }:
 
-{ stdenv, fetchFromGitHub, fetchpatch
-, fusePackages, utillinux, gettext
+{ lib, stdenv, fetchFromGitHub, fetchpatch
+, fusePackages, util-linux, gettext, shadow
 , meson, ninja, pkg-config
 , autoreconfHook
 , python3Packages, which
 }:
 
 let
-  isFuse3 = stdenv.lib.hasPrefix "3" version;
+  isFuse3 = lib.hasPrefix "3" version;
 in stdenv.mkDerivation rec {
   pname = "fuse";
   inherit version;
@@ -23,7 +23,7 @@ in stdenv.mkDerivation rec {
   preAutoreconf = "touch config.rpath";
 
   patches =
-    stdenv.lib.optional
+    lib.optional
       (!isFuse3 && stdenv.isAarch64)
       (fetchpatch {
         url = "https://github.com/libfuse/libfuse/commit/914871b20a901e3e1e981c92bc42b1c93b7ab81b.patch";
@@ -37,9 +37,9 @@ in stdenv.mkDerivation rec {
     then [ meson ninja pkg-config ]
     else [ autoreconfHook gettext ];
 
-  outputs = [ "out" ] ++ stdenv.lib.optional isFuse3 "common";
+  outputs = [ "out" ] ++ lib.optional isFuse3 "common";
 
-  mesonFlags = stdenv.lib.optionals isFuse3 [
+  mesonFlags = lib.optionals isFuse3 [
     "-Dudevrulesdir=/udev/rules.d"
     "-Duseroot=false"
   ];
@@ -54,17 +54,14 @@ in stdenv.mkDerivation rec {
     # $PATH, so it should also work on non-NixOS systems.
     export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\""
 
-    sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c
+    substituteInPlace lib/mount_util.c --replace "/bin/" "${util-linux}/bin/"
     '' + (if isFuse3 then ''
       # The configure phase will delete these files (temporary workaround for
       # ./fuse3-install_man.patch)
       install -D -m444 doc/fusermount3.1 $out/share/man/man1/fusermount3.1
       install -D -m444 doc/mount.fuse3.8 $out/share/man/man8/mount.fuse3.8
-
-      # TODO: Temporary version fix:
-      substituteInPlace meson.build \
-        --replace "version: '3.9.3'" "version: '${version}'"
     '' else ''
+      substituteInPlace util/mount.fuse.c --replace '"su"' '"${shadow.su}/bin/su"'
       sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
       ./makeconf.sh
     '');
@@ -85,9 +82,7 @@ in stdenv.mkDerivation rec {
     cp ${fusePackages.fuse_3.common}/etc/udev/rules.d/99-fuse.rules etc/udev/rules.d/99-fuse.rules
   '');
 
-  enableParallelBuilding = true;
-
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Library that allows filesystems to be implemented in user space";
     longDescription = ''
       FUSE (Filesystem in Userspace) is an interface for userspace programs to
@@ -100,7 +95,7 @@ in stdenv.mkDerivation rec {
     inherit (src.meta) homepage;
     changelog = "https://github.com/libfuse/libfuse/releases/tag/fuse-${version}";
     platforms = platforms.linux;
-    license = with licenses; [ gpl2 lgpl21 ];
+    license = with licenses; [ gpl2Only lgpl21Only ];
     maintainers = [ maintainers.primeos ];
   };
 }
diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix
index 8c342743dfc..b060b908284 100644
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@@ -1,8 +1,8 @@
-{ callPackage, utillinux }:
+{ callPackage, util-linux }:
 
 let
   mkFuse = args: callPackage (import ./common.nix args) {
-    inherit utillinux;
+    inherit util-linux;
   };
 in {
   fuse_2 = mkFuse {
@@ -11,7 +11,7 @@ in {
   };
 
   fuse_3 = mkFuse {
-    version = "3.9.4";
-    sha256Hash = "1j11niqw3p94yd6mfdrkdra0nic8a38fc179y5h9yz81q39m2f3b";
+    version = "3.10.4";
+    sha256Hash = "1ml4bs4wx5dbz5xpnd5g8b9avmn7g7jvf16fbdlk0da8il0qd2rx";
   };
 }
diff --git a/pkgs/os-specific/linux/fwts/default.nix b/pkgs/os-specific/linux/fwts/default.nix
index fd62f07cd9c..1b5a0e3bdff 100644
--- a/pkgs/os-specific/linux/fwts/default.nix
+++ b/pkgs/os-specific/linux/fwts/default.nix
@@ -1,17 +1,17 @@
-{ stdenv, fetchzip, autoreconfHook, pkgconfig, glib, libtool, pcre
+{ lib, stdenv, fetchzip, autoreconfHook, pkg-config, glib, libtool, pcre
 , json_c, flex, bison, dtc, pciutils, dmidecode, iasl, libbsd }:
 
 stdenv.mkDerivation rec {
   pname = "fwts";
-  version = "20.07.00";
+  version = "20.11.00";
 
   src = fetchzip {
     url = "http://fwts.ubuntu.com/release/${pname}-V${version}.tar.gz";
-    sha256 = "0azhcnlfziwn8wvw3fly2jfjyg53m8zba3jlcxgzrasgb0kvzb1c";
+    sha256 = "0s8iz6c9qhyndcsjscs3qail2mzfywpbiys1x232igm5kl089vvr";
     stripRoot = false;
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig libtool ];
+  nativeBuildInputs = [ autoreconfHook pkg-config libtool ];
   buildInputs = [ glib pcre json_c flex bison dtc pciutils dmidecode iasl libbsd ];
 
   postPatch = ''
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://wiki.ubuntu.com/FirmwareTestSuite";
     description = "Firmware Test Suite";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/fwts/module.nix b/pkgs/os-specific/linux/fwts/module.nix
index ef90e0c303b..737d3316e21 100644
--- a/pkgs/os-specific/linux/fwts/module.nix
+++ b/pkgs/os-specific/linux/fwts/module.nix
@@ -1,4 +1,4 @@
-{ stdenv, fwts, kernel }:
+{ lib, stdenv, fwts, kernel }:
 
 stdenv.mkDerivation rec {
   pname = "fwts-efi-runtime";
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
     "INSTALL_MOD_PATH=${placeholder "out"}"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     inherit (fwts.meta) homepage license;
     description = fwts.meta.description + "(efi-runtime kernel module)";
     maintainers = with maintainers; [ dtzWill ];
diff --git a/pkgs/os-specific/linux/fxload/default.nix b/pkgs/os-specific/linux/fxload/default.nix
index e77983254e4..3255c992f86 100644
--- a/pkgs/os-specific/linux/fxload/default.nix
+++ b/pkgs/os-specific/linux/fxload/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl}:
+{lib, stdenv, fetchurl}:
 
 stdenv.mkDerivation {
   name = "fxload-2002_04_11";
@@ -27,7 +27,7 @@ stdenv.mkDerivation {
     mkdir -p $out/share/usb
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://linux-hotplug.sourceforge.net/?selected=usb";
     description = "Tool to upload firmware to Cypress EZ-USB microcontrollers";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/g15daemon/default.nix b/pkgs/os-specific/linux/g15daemon/default.nix
index c670fc86d13..118a17c4c8f 100644
--- a/pkgs/os-specific/linux/g15daemon/default.nix
+++ b/pkgs/os-specific/linux/g15daemon/default.nix
@@ -65,7 +65,7 @@ stdenv.mkDerivation rec {
 
   patches = let
     patch = fname: sha256: fetchurl rec {
-      url = "https://git.archlinux.org/svntogit/community.git/plain/trunk/${pname}-${version}-${fname}.patch?h=packages/${pname}";
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-community/c0b0b6d4d6d7b79eca68123b20e0c9fb82e1c6e1/g15daemon/trunk/${pname}-${version}-${fname}.patch";
       name = "${fname}.patch";
       inherit sha256;
     };
diff --git a/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix b/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix
new file mode 100644
index 00000000000..ab2e099d970
--- /dev/null
+++ b/pkgs/os-specific/linux/gcadapter-oc-kmod/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv
+, fetchFromGitHub
+, kernel
+, kmod
+}:
+
+let
+  kerneldir = "lib/modules/${kernel.modDirVersion}";
+in stdenv.mkDerivation rec {
+  pname = "gcadapter-oc-kmod";
+  version = "1.4";
+
+  src = fetchFromGitHub {
+    owner = "HannesMann";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1nqhj3vqq9rnj37cnm2c4867mnxkr8di3i036shcz44h9qmy9d40";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KERNEL_SOURCE_DIR=${kernel.dev}/${kerneldir}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  installPhase = ''
+    install -D {,$out/${kerneldir}/extra/}gcadapter_oc.ko
+  '';
+
+  meta = with lib; {
+    description = "Kernel module for overclocking the Nintendo Wii U/Mayflash GameCube adapter";
+    homepage = "https://github.com/HannesMann/gcadapter-oc-kmod";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ r-burns ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/gfxtablet/default.nix b/pkgs/os-specific/linux/gfxtablet/default.nix
index 56fa4f1d7d6..608ca8e58cc 100644
--- a/pkgs/os-specific/linux/gfxtablet/default.nix
+++ b/pkgs/os-specific/linux/gfxtablet/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchFromGitHub, linuxHeaders}:
+{lib, stdenv, fetchFromGitHub, linuxHeaders}:
 
 stdenv.mkDerivation rec {
   version = "1.4";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     sha256 = "1i2m98yypfa9phshlmvjlgw7axfisxmldzrvnbzm5spvv5s4kvvb";
   };
 
-  preBuild = ''cd driver-uinput'';
+  preBuild = "cd driver-uinput";
 
   installPhase = ''
     mkdir -p "$out/bin"
@@ -25,9 +25,9 @@ stdenv.mkDerivation rec {
   '';
 
   meta = {
-    description = ''Uinput driver for Android GfxTablet tablet-as-input-device app'';
-    license = stdenv.lib.licenses.mit ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    description = "Uinput driver for Android GfxTablet tablet-as-input-device app";
+    license = lib.licenses.mit ;
+    maintainers = [lib.maintainers.raskin];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/gobi_loader/default.nix b/pkgs/os-specific/linux/gobi_loader/default.nix
index b8735354c2c..b7972007719 100644
--- a/pkgs/os-specific/linux/gobi_loader/default.nix
+++ b/pkgs/os-specific/linux/gobi_loader/default.nix
@@ -1,4 +1,4 @@
-{ stdenv
+{ lib, stdenv
 , fetchurl
 }:
 
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 
   makeFlags = "prefix=${placeholder "out"}";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Firmware loader for Qualcomm Gobi USB chipsets";
     homepage = "https://www.codon.org.uk/~mjg59/gobi_loader/";
     license = with licenses; [ gpl2 ];
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index d107f18c8da..83ac93fbf71 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, openssl, nettools, iproute, sysctl}:
+{lib, stdenv, fetchurl, openssl, nettools, iproute2, sysctl}:
 
 let baseName = "gogoclient";
     version  = "1.2";
@@ -29,12 +29,12 @@ stdenv.mkDerivation rec {
     substituteInPlace "$out/template/linux.sh" \
       --replace "/sbin/ifconfig" "${nettools}/bin/ifconfig" \
       --replace "/sbin/route"    "${nettools}/bin/route" \
-      --replace "/sbin/ip"       "${iproute}/sbin/ip" \
+      --replace "/sbin/ip"       "${iproute2}/sbin/ip" \
       --replace "/sbin/sysctl"   "${sysctl}/bin/sysctl"
     sed -i -e 's/^.*Exec \$route -A.*$/& metric 128/' $out/template/linux.sh
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://ipv6.ernet.in/Tunnel_broker";
     description = "Client to connect to the Freenet6 IPv6 tunnel broker service";
     maintainers = [ maintainers.bluescreen303 ];
diff --git a/pkgs/os-specific/linux/gradm/default.nix b/pkgs/os-specific/linux/gradm/default.nix
index fee183c8259..cd99dfa5db8 100644
--- a/pkgs/os-specific/linux/gradm/default.nix
+++ b/pkgs/os-specific/linux/gradm/default.nix
@@ -1,15 +1,15 @@
-{ stdenv, fetchurl
+{ lib, stdenv, fetchurl
 , bison, flex
 , pam
 }:
 
 stdenv.mkDerivation rec {
   pname = "gradm";
-  version = "3.1-201903191516";
+  version = "3.1-202102241600";
 
   src  = fetchurl {
-    url    = "http://grsecurity.net/stable/${pname}-${version}.tar.gz";
-    sha256 = "1wszqwaswcf08s9zbvnqzmmfdykyfcy16w8xjia20ypr7wwbd86k";
+    url    = "https://grsecurity.net/stable/${pname}-${version}.tar.gz";
+    sha256 = "02ni34hpggv00140p9gvh0lqi173zdddd2qhfi96hyr1axd5pl50";
   };
 
   nativeBuildInputs = [ bison flex ];
@@ -39,12 +39,12 @@ stdenv.mkDerivation rec {
     mkdir -p "$out/etc/udev/rules.d"
   '';
 
-  postInstall = ''rmdir $out/dev'';
+  postInstall = "rmdir $out/dev";
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "grsecurity RBAC administration and policy analysis utility";
     homepage    = "https://grsecurity.net";
-    license     = licenses.gpl2;
+    license     = licenses.gpl2Only;
     platforms   = platforms.linux;
     maintainers = with maintainers; [ thoughtpolice joachifm ];
   };
diff --git a/pkgs/os-specific/linux/greetd/default.nix b/pkgs/os-specific/linux/greetd/default.nix
new file mode 100644
index 00000000000..6f305c5d6eb
--- /dev/null
+++ b/pkgs/os-specific/linux/greetd/default.nix
@@ -0,0 +1,51 @@
+{ rustPlatform
+, lib
+, fetchFromSourcehut
+, pam
+, scdoc
+, installShellFiles
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "greetd";
+  version = "0.7.0";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "b+S3fuJ8gjnSQzLHl3Bs9iO/Un2ynggAplz01GjJvFI=";
+  };
+
+  cargoHash = "sha256-YSC7osyBPwx+lo7P1ftI72mRWeQlDc2srRPzTFqVTxM=";
+
+  nativeBuildInputs = [
+    scdoc
+    installShellFiles
+  ];
+
+  buildInputs = [
+    pam
+  ];
+
+  postInstall = ''
+    for f in man/*; do
+      scdoc < "$f" > "$(sed 's/-\([0-9]\)\.scd$/.\1/' <<< "$f")"
+      rm "$f"
+    done
+    installManPage man/*
+  '';
+
+  meta = with lib; {
+    description = "Minimal and flexible login manager daemon";
+    longDescription = ''
+      greetd is a minimal and flexible login manager daemon
+      that makes no assumptions about what you want to launch.
+      Comes with agreety, a simple, text-based greeter.
+    '';
+    homepage = "https://kl.wtf/projects/greetd/";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/gtkgreet/default.nix b/pkgs/os-specific/linux/gtkgreet/default.nix
new file mode 100644
index 00000000000..7ab7c01475b
--- /dev/null
+++ b/pkgs/os-specific/linux/gtkgreet/default.nix
@@ -0,0 +1,50 @@
+{ stdenv
+, lib
+, fetchFromSourcehut
+, pkg-config
+, cmake
+, meson
+, ninja
+, gtk3
+, gtk-layer-shell
+, json_c
+, scdoc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gtkgreet";
+  version = "0.7";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "ms+2FdtzzNlmlzNxFhu4cpX5H+5H+9ZOtZ0p8uVA3lo=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    cmake
+  ];
+
+  buildInputs = [
+    gtk3
+    gtk-layer-shell
+    json_c
+    scdoc
+  ];
+
+  mesonFlags = [
+    "-Dlayershell=enabled"
+  ];
+
+  meta = with lib; {
+    description = "GTK based greeter for greetd, to be run under cage or similar";
+    homepage = "https://git.sr.ht/~kennylevinsen/gtkgreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/guvcview/default.nix b/pkgs/os-specific/linux/guvcview/default.nix
index d780cade786..04eccaf0243 100644
--- a/pkgs/os-specific/linux/guvcview/default.nix
+++ b/pkgs/os-specific/linux/guvcview/default.nix
@@ -1,15 +1,15 @@
 { config
-, stdenv
+, lib, stdenv
 , fetchurl
 , intltool
-, pkgconfig
+, pkg-config
 , portaudio
 , SDL2
 , ffmpeg
 , udev
 , libusb1
 , libv4l
-, alsaLib
+, alsa-lib
 , gsl
 , libpng
 , sfml
@@ -37,15 +37,15 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [
     intltool
-    pkgconfig
+    pkg-config
   ]
-    ++ stdenv.lib.optionals (useGtk) [ wrapGAppsHook ]
-    ++ stdenv.lib.optionals (useQt) [ wrapQtAppsHook ]
+    ++ lib.optionals (useGtk) [ wrapGAppsHook ]
+    ++ lib.optionals (useQt) [ wrapQtAppsHook ]
   ;
 
   buildInputs = [
     SDL2
-    alsaLib
+    alsa-lib
     ffmpeg
     libusb1
     libv4l
@@ -54,21 +54,21 @@ stdenv.mkDerivation rec {
     gsl
     libpng
     sfml
-  ] 
-    ++ stdenv.lib.optionals (pulseaudioSupport) [ libpulseaudio ]
-    ++ stdenv.lib.optionals (useGtk) [ gtk3 ]
-    ++ stdenv.lib.optionals (useQt) [
+  ]
+    ++ lib.optionals (pulseaudioSupport) [ libpulseaudio ]
+    ++ lib.optionals (useGtk) [ gtk3 ]
+    ++ lib.optionals (useQt) [
       qtbase
     ]
   ;
   configureFlags = [
     "--enable-sfml"
   ]
-    ++ stdenv.lib.optionals (useGtk) [ "--enable-gtk3" ]
-    ++ stdenv.lib.optionals (useQt) [ "--enable-qt5" ]
+    ++ lib.optionals (useGtk) [ "--enable-gtk3" ]
+    ++ lib.optionals (useQt) [ "--enable-qt5" ]
   ;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A simple interface for devices supported by the linux UVC driver";
     homepage = "http://guvcview.sourceforge.net";
     maintainers = [ maintainers.coconnor ];
diff --git a/pkgs/os-specific/linux/hal-flash/default.nix b/pkgs/os-specific/linux/hal-flash/default.nix
deleted file mode 100644
index c3463851fd3..00000000000
--- a/pkgs/os-specific/linux/hal-flash/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ stdenv, fetchurl, autoconf, automake, dbus, glib, libtool, pkgconfig, udisks2 }:
-
-stdenv.mkDerivation {
-  name = "hal-flash-0.3.3";
-
-  src = fetchurl {
-    url = "https://github.com/cshorler/hal-flash/archive/v0.3.3.tar.gz";
-    sha256 = "0dw9bx190mrh0dycw4rfvfmwwvh2sgypffr99nfnr36b38jrd6y6";
-  };
-
-  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ autoconf automake dbus glib libtool udisks2 ];
-
-  preConfigure = "libtoolize && aclocal && autoconf && automake --add-missing";
-
-  meta = with stdenv.lib; {
-    homepage = "https://github.com/cshorler/hal-flash";
-    description = "libhal stub library to satisfy the Flash Player DRM requirements";
-    longDescription =
-      ''
-        Stub library based loosely upon libhal.[ch] from the hal-0.5.14
-        package.  Provides the minimum necessary functionality to enable
-        libflashplayer.so/libadobecp.so to play back DRM content.
-      '';
-    license = with licenses; [ afl21 gpl2 ];
-    maintainers = with maintainers; [ malyn ];
-    platforms = platforms.linux;
-  };
-}
diff --git a/pkgs/os-specific/linux/hd-idle/default.nix b/pkgs/os-specific/linux/hd-idle/default.nix
index 5e32e220b2f..3e4b0815146 100644
--- a/pkgs/os-specific/linux/hd-idle/default.nix
+++ b/pkgs/os-specific/linux/hd-idle/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   name = "hd-idle-1.05";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
 
   installFlags = [ "TARGET_DIR=$(out)" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Spins down external disks after a period of idle time";
     homepage = "http://hd-idle.sourceforge.net/";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/hdapsd/default.nix b/pkgs/os-specific/linux/hdapsd/default.nix
index 893eb4fdd99..39f69ef0144 100644
--- a/pkgs/os-specific/linux/hdapsd/default.nix
+++ b/pkgs/os-specific/linux/hdapsd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 let version = "20141203"; in
 stdenv.mkDerivation {
@@ -11,7 +11,7 @@ stdenv.mkDerivation {
 
   postInstall = builtins.readFile ./postInstall.sh;
 
-  meta = with stdenv.lib;
+  meta = with lib;
     { description = "Hard Drive Active Protection System Daemon";
       homepage = "http://hdaps.sf.net/";
       license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/hdparm/default.nix b/pkgs/os-specific/linux/hdparm/default.nix
index 99464b67db1..300bb499f85 100644
--- a/pkgs/os-specific/linux/hdparm/default.nix
+++ b/pkgs/os-specific/linux/hdparm/default.nix
@@ -1,19 +1,19 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
-  name = "hdparm-9.58";
+  pname = "hdparm";
+  version = "9.62";
 
   src = fetchurl {
-    url = "mirror://sourceforge/hdparm/${name}.tar.gz";
-    sha256 = "03z1qm8zbgpxagk3994lvp24yqsshjibkwg05v9p3q1w7y48xrws";
-
+    url = "mirror://sourceforge/hdparm/hdparm-${version}.tar.gz";
+    sha256 = "sha256-LA+ddc2+2pKKJaEozT0LcSBEXsCRDAsp1MEDjtG+d38=";
   };
 
   preBuild = ''
     makeFlagsArray=(sbindir=$out/sbin manprefix=$out)
     '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A tool to get/set ATA/SATA drive parameters under Linux";
     homepage = "https://sourceforge.net/projects/hdparm/";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/hibernate/default.nix b/pkgs/os-specific/linux/hibernate/default.nix
index 8fc6bfdbdcf..1a7dd01e977 100644
--- a/pkgs/os-specific/linux/hibernate/default.nix
+++ b/pkgs/os-specific/linux/hibernate/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, gawk }:
+{ lib, stdenv, fetchurl, gawk }:
 
 let version = "2.0";
 in
@@ -35,12 +35,12 @@ in
       description = "The `hibernate' script for swsusp and Tux-on-Ice";
       longDescription = ''
         This package provides the `hibernate' script, a command-line utility
-	that saves the computer's state to disk and switches it off, turning
-	it into "hibernation".  It works both with Linux swsusp and Tux-on-Ice.
+        that saves the computer's state to disk and switches it off, turning
+        it into "hibernation".  It works both with Linux swsusp and Tux-on-Ice.
       '';
 
-      license = stdenv.lib.licenses.gpl2Plus;
+      license = lib.licenses.gpl2Plus;
       homepage = "http://www.tuxonice.net/";
-      platforms = stdenv.lib.platforms.linux;
+      platforms = lib.platforms.linux;
     };
   }
diff --git a/pkgs/os-specific/linux/hid-nintendo/default.nix b/pkgs/os-specific/linux/hid-nintendo/default.nix
new file mode 100644
index 00000000000..321f96d0d36
--- /dev/null
+++ b/pkgs/os-specific/linux/hid-nintendo/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "hid-nintendo";
+  version = "3.1";
+
+  src = fetchFromGitHub {
+    owner = "nicman23";
+    repo = "dkms-hid-nintendo";
+    rev = version;
+    sha256 = "sha256-IanH3yHfkQhqtKvKD8lh+muc9yX8XJ5bfdy1Or8Vd5g=";
+  };
+
+  setSourceRoot = ''
+    export sourceRoot=$(pwd)/source/src
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "-C"
+    "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(sourceRoot)"
+  ];
+
+  buildFlags = [ "modules" ];
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    description = "A Nintendo HID kernel module";
+    homepage = "https://github.com/nicman23/dkms-hid-nintendo";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.rencire ];
+    platforms = platforms.linux;
+    broken = versionOlder kernel.version "4.14";
+  };
+}
diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix
index 991dcbe2615..5d4edc4f7e7 100644
--- a/pkgs/os-specific/linux/hostapd/default.nix
+++ b/pkgs/os-specific/linux/hostapd/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, libnl, openssl, sqlite ? null }:
+{ lib, stdenv, fetchurl, fetchpatch, pkg-config, libnl, openssl, sqlite ? null }:
 
 stdenv.mkDerivation rec {
   pname = "hostapd";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1mrbvg4v7vm7mknf0n29mf88k3s4a4qj6r4d51wq8hmjj1m7s7c8";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libnl openssl sqlite ];
 
   patches = [
@@ -43,6 +43,12 @@ stdenv.mkDerivation rec {
       url = "https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch";
       sha256 = "12npqp2skgrj934wwkqicgqksma0fxz09di29n1b5fm5i4njl8d8";
     })
+    # In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.
+    (fetchpatch {
+      name = "CVE-2021-30004.patch";
+      url = "https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15";
+      sha256 = "1gbhlz41x1ar1hppnb76pqxj6vimiypy7c4kq6h658637s4am3xg";
+    })
   ];
 
   outputs = [ "out" "man" ];
@@ -75,7 +81,8 @@ stdenv.mkDerivation rec {
     CONFIG_HS20=y
     CONFIG_ACS=y
     CONFIG_GETRANDOM=y
-  '' + stdenv.lib.optionalString (sqlite != null) ''
+    CONFIG_SAE=y
+  '' + lib.optionalString (sqlite != null) ''
     CONFIG_SQLITE=y
   '';
 
@@ -94,7 +101,7 @@ stdenv.mkDerivation rec {
     install -vD hostapd_cli.1 -t $man/share/man/man1
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://hostap.epitest.fi";
     repositories.git = "git://w1.fi/hostap.git";
     description = "A user space daemon for access point and authentication servers";
diff --git a/pkgs/os-specific/linux/hwdata/default.nix b/pkgs/os-specific/linux/hwdata/default.nix
index 9b54f404f72..f700bf035de 100644
--- a/pkgs/os-specific/linux/hwdata/default.nix
+++ b/pkgs/os-specific/linux/hwdata/default.nix
@@ -1,14 +1,14 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   pname = "hwdata";
-  version = "0.335";
+  version = "0.347";
 
   src = fetchFromGitHub {
     owner = "vcrhonek";
     repo = "hwdata";
     rev = "v${version}";
-    sha256 = "0f8ikwfrs6xd5sywypd9rq9cln8a0rf3vj6nm0adwzn1p8mgmrb2";
+    sha256 = "19kmz25zq6qqs67ppqhws4mh3qf6zrp55cpyxyw36q95yjdcqp21";
   };
 
   preConfigure = "patchShebangs ./configure";
@@ -19,12 +19,12 @@ stdenv.mkDerivation rec {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "101lppd1805drwd038b4njr5czzjnqqxf3xlf6v3l22wfwr2cn3l";
+  outputHash = "0haaczd6pi9q2vdlvbwn7100sb87zsy64z94xhpbmlari4vzjmz0";
 
   meta = {
     homepage = "https://github.com/vcrhonek/hwdata";
     description = "Hardware Database, including Monitors, pci.ids, usb.ids, and video cards";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.all;
   };
 }
diff --git a/pkgs/os-specific/linux/hyperv-daemons/default.nix b/pkgs/os-specific/linux/hyperv-daemons/default.nix
index 1a111a295a4..a659908a7a0 100644
--- a/pkgs/os-specific/linux/hyperv-daemons/default.nix
+++ b/pkgs/os-specific/linux/hyperv-daemons/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, lib, python, kernel, makeWrapper, writeText
-, gawk, iproute }:
+{ stdenv, lib, python2, python3, kernel, makeWrapper, writeText
+, gawk, iproute2 }:
 
 let
   libexec = "libexec/hypervkvpd";
@@ -9,6 +9,7 @@ let
     inherit (kernel) src version;
 
     nativeBuildInputs = [ makeWrapper ];
+    buildInputs = [ (if lib.versionOlder version "4.19" then python2 else python3) ];
 
     # as of 4.9 compilation will fail due to -Werror=format-security
     hardeningDisable = [ "format" ];
@@ -33,16 +34,12 @@ let
       install -Dm755 hv_get_dhcp_info.sh $out/${libexec}/hv_get_dhcp_info
       install -Dm755 hv_get_dns_info.sh  $out/${libexec}/hv_get_dns_info
 
-      # I don't know why this isn't being handled automatically by fixupPhase
-      substituteInPlace $out/bin/lsvmbus \
-        --replace '/usr/bin/env python' ${python.interpreter}
-
       runHook postInstall
     '';
 
     postFixup = ''
       wrapProgram $out/bin/hv_kvp_daemon \
-        --prefix PATH : $out/bin:${lib.makeBinPath [ gawk iproute ]}
+        --prefix PATH : $out/bin:${lib.makeBinPath [ gawk iproute2 ]}
     '';
   };
 
@@ -86,7 +83,7 @@ in stdenv.mkDerivation {
     Wants=hv-fcopy.service hv-kvp.service hv-vss.service
     EOF
 
-    for f in $lib/lib/systemd/system/* ; do
+    for f in $lib/lib/systemd/system/*.service ; do
       substituteInPlace $f --replace @out@ ${daemons}/bin
     done
 
@@ -98,7 +95,7 @@ in stdenv.mkDerivation {
     done
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Integration Services for running NixOS under HyperV";
     longDescription = ''
       This packages contains the daemons that are used by the Hyper-V hypervisor
diff --git a/pkgs/os-specific/linux/i2c-tools/default.nix b/pkgs/os-specific/linux/i2c-tools/default.nix
index 3a00dbefa63..5c05ca6082e 100644
--- a/pkgs/os-specific/linux/i2c-tools/default.nix
+++ b/pkgs/os-specific/linux/i2c-tools/default.nix
@@ -1,12 +1,18 @@
-{ stdenv, fetchurl, perl, read-edid }:
+{ lib
+, stdenv
+, fetchgit
+, perl
+, read-edid
+}:
 
 stdenv.mkDerivation rec {
   pname = "i2c-tools";
-  version = "4.1";
+  version = "4.2";
 
-  src = fetchurl {
-    url = "https://www.kernel.org/pub/software/utils/i2c-tools/${pname}-${version}.tar.xz";
-    sha256 = "1m97hpwqfaqjl9xvr4pvz2vdrsdvxbcn0nnx8pamnyc3s7pikcjp";
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/i2c-tools/i2c-tools.git";
+    rev = "v${version}";
+    sha256 = "0vqrbp10klr7ylarr6cy1q7nafiqaky4iq5my5dqy101h93vg4pg";
   };
 
   buildInputs = [ perl ];
@@ -18,14 +24,17 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
+  outputs = [ "out" "man" ];
+
   postInstall = ''
     rm -rf $out/include # Installs include/linux/i2c-dev.h that conflics with kernel headers
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Set of I2C tools for Linux";
     homepage = "https://i2c.wiki.kernel.org/index.php/I2C_Tools";
-    license = licenses.gpl2;
+    # library is LGPL 2.1 or later; "most tools" GPL 2 or later
+    license = with licenses; [ lgpl21Plus gpl2Plus ];
     maintainers = [ maintainers.dezgeg ];
     platforms = platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/i810switch/default.nix b/pkgs/os-specific/linux/i810switch/default.nix
index 5b65f2a16fd..ffca983a35e 100644
--- a/pkgs/os-specific/linux/i810switch/default.nix
+++ b/pkgs/os-specific/linux/i810switch/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pciutils }:
+{ lib, stdenv, fetchurl, pciutils }:
 
 stdenv.mkDerivation {
   name = "i810switch-0.6.5";
@@ -20,7 +20,7 @@ stdenv.mkDerivation {
   meta = {
     description = "A utility for switching between the LCD and external VGA display on Intel graphics cards";
     homepage = "http://www16.plala.or.jp/mano-a-mano/i810switch.html";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix
index 1b22c1eafd3..d23fc101bcc 100644
--- a/pkgs/os-specific/linux/ifenslave/default.nix
+++ b/pkgs/os-specific/linux/ifenslave/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
   pname = "ifenslave";
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
 
   meta = {
     description = "Utility for enslaving networking interfaces under a bond";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/ifmetric/default.nix b/pkgs/os-specific/linux/ifmetric/default.nix
index 1f69d728f60..f5d55db5e41 100644
--- a/pkgs/os-specific/linux/ifmetric/default.nix
+++ b/pkgs/os-specific/linux/ifmetric/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, lynx }:
+{ lib, stdenv, fetchurl, lynx }:
 
 stdenv.mkDerivation rec {
   pname = "ifmetric";
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tool for setting IP interface metrics";
     longDescription = ''
       ifmetric is a Linux tool for setting the metrics of all IPv4 routes
diff --git a/pkgs/os-specific/linux/iio-sensor-proxy/default.nix b/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
index 95f555cef8c..5f44622c512 100644
--- a/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
+++ b/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
@@ -1,15 +1,16 @@
-{ stdenv, fetchFromGitHub, autoconf-archive, gettext, libtool, intltool, autoconf, automake
-, glib, gtk3, gtk-doc, libgudev, pkgconfig, systemd }:
+{ lib, stdenv, fetchFromGitLab, autoconf-archive, gettext, libtool, intltool, autoconf, automake
+, glib, gtk3, gtk-doc, libgudev, pkg-config, systemd }:
 
 stdenv.mkDerivation rec {
   pname = "iio-sensor-proxy";
-  version = "2.8";
+  version = "3.0";
 
-  src = fetchFromGitHub {
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
     owner  = "hadess";
     repo   = pname;
     rev    = version;
-    sha256 = "07rzm1z2p6lh4iv5pyp0p2x5805m9gsh19kcsjls3fi25p3a2c00";
+    sha256 = "0ngbz1vkbjci3ml6p47jh6c6caipvbkm8mxrc8ayr6vc2p9l1g49";
   };
 
   configurePhase = ''
@@ -37,15 +38,14 @@ stdenv.mkDerivation rec {
     gettext
     intltool
     libtool
-    pkgconfig
+    pkg-config
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Proxy for sending IIO sensor data to D-Bus";
     homepage = "https://github.com/hadess/iio-sensor-proxy";
     license = licenses.gpl3 ;
     maintainers = with maintainers; [ peterhoeg ];
     platforms = platforms.linux;
-    inherit version;
   };
 }
diff --git a/pkgs/os-specific/linux/ima-evm-utils/default.nix b/pkgs/os-specific/linux/ima-evm-utils/default.nix
index 246c109faf3..14ddc21bb6b 100644
--- a/pkgs/os-specific/linux/ima-evm-utils/default.nix
+++ b/pkgs/os-specific/linux/ima-evm-utils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchgit, autoreconfHook, pkgconfig, openssl, attr, keyutils, asciidoc, libxslt, docbook_xsl }:
+{ lib, stdenv, fetchgit, autoreconfHook, pkg-config, openssl, attr, keyutils, asciidoc, libxslt, docbook_xsl }:
 
 stdenv.mkDerivation rec {
   pname = "ima-evm-utils";
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
     sha256 = "1dhfw6d9z4dv82q9zg2g025hgr179kamz9chy7v5w9b71aam8jf8";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ openssl attr keyutils asciidoc libxslt ];
 
   patches = [ ./xattr.patch ];
@@ -20,8 +20,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "evmctl utility to manage digital signatures of the Linux kernel integrity subsystem (IMA/EVM)";
     homepage = "https://sourceforge.net/projects/linux-ima/";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = with stdenv.lib.maintainers; [ tstrobel ];
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ tstrobel ];
   };
 }
diff --git a/pkgs/os-specific/linux/input-utils/default.nix b/pkgs/os-specific/linux/input-utils/default.nix
index 0fc2130d102..36a203a47c7 100644
--- a/pkgs/os-specific/linux/input-utils/default.nix
+++ b/pkgs/os-specific/linux/input-utils/default.nix
@@ -1,9 +1,9 @@
-{ stdenv, fetchurl, linuxHeaders }:
+{ lib, stdenv, fetchurl, linuxHeaders }:
 
 stdenv.mkDerivation rec {
   pname = "input-utils";
   version = "1.3";
-  
+
   src = fetchurl {
     url = "https://www.kraxel.org/releases/input/input-${version}.tar.gz";
     sha256 = "11w0pp20knx6qpgzmawdbk1nj2z3fzp8yd6nag6s8bcga16w6hli";
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     "STRIP="
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Input layer utilities, includes lsinput";
     homepage    = "https://www.kraxel.org/blog/linux/input/";
     license     = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/intel-compute-runtime/default.nix b/pkgs/os-specific/linux/intel-compute-runtime/default.nix
index 5a3a5bf7a4d..980b1fad0df 100644
--- a/pkgs/os-specific/linux/intel-compute-runtime/default.nix
+++ b/pkgs/os-specific/linux/intel-compute-runtime/default.nix
@@ -1,8 +1,8 @@
-{ stdenv
+{ lib, stdenv
 , fetchFromGitHub
 , patchelf
 , cmake
-, pkgconfig
+, pkg-config
 
 , intel-gmmlib
 , intel-graphics-compiler
@@ -11,19 +11,16 @@
 
 stdenv.mkDerivation rec {
   pname = "intel-compute-runtime";
-  version = "20.02.15268";
+  version = "20.34.17727";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "compute-runtime";
     rev = version;
-    sha256 = "138gi92w85bn6haw5x38k39pgiyvvzfhiwpvz6hqlx2j03n8cs2k";
+    sha256 = "19scbbr6jf3yp2v7z8xyzzm01g44jym7xfkf1dz64d5nhvjw6ig5";
   };
 
-  # Build script tries to write the ICD to /etc
-  patches = [ ./etc-dir.patch ];
-
-  nativeBuildInputs = [ cmake pkgconfig ];
+  nativeBuildInputs = [ cmake pkg-config ];
 
   buildInputs = [ intel-gmmlib intel-graphics-compiler libva ];
 
@@ -31,7 +28,7 @@ stdenv.mkDerivation rec {
     "-DSKIP_UNIT_TESTS=1"
 
     "-DIGC_DIR=${intel-graphics-compiler}"
-    "-DETC_DIR=${placeholder "out"}/etc"
+    "-DOCL_ICD_VENDORDIR=${placeholder "out"}/etc/OpenCL/vendors"
 
     # The install script assumes this path is relative to CMAKE_INSTALL_PREFIX
     "-DCMAKE_INSTALL_LIBDIR=lib"
@@ -43,13 +40,13 @@ stdenv.mkDerivation rec {
   '';
 
   postFixup = ''
-    patchelf --set-rpath ${stdenv.lib.makeLibraryPath [ intel-gmmlib intel-graphics-compiler libva stdenv.cc.cc.lib ]} \
+    patchelf --set-rpath ${lib.makeLibraryPath [ intel-gmmlib intel-graphics-compiler libva stdenv.cc.cc.lib ]} \
       $out/lib/intel-opencl/libigdrcl.so
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage    = "https://github.com/intel/compute-runtime";
-    description = "Intel Graphics Compute Runtime for OpenCL. Replaces Beignet for Gen8 (Broadwell) and beyond.";
+    description = "Intel Graphics Compute Runtime for OpenCL. Replaces Beignet for Gen8 (Broadwell) and beyond";
     license     = licenses.mit;
     platforms   = platforms.linux;
     maintainers = with maintainers; [ gloaming ];
diff --git a/pkgs/os-specific/linux/intel-compute-runtime/etc-dir.patch b/pkgs/os-specific/linux/intel-compute-runtime/etc-dir.patch
deleted file mode 100644
index d9a80ffa6f9..00000000000
--- a/pkgs/os-specific/linux/intel-compute-runtime/etc-dir.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/package.cmake b/package.cmake
-index 24960d5..e9a21e7 100644
---- a/package.cmake
-+++ b/package.cmake
-@@ -24,7 +24,9 @@ if(UNIX)
- 
-   get_os_release_info(os_name os_version)
- 
--  if("${os_name}" STREQUAL "clear-linux-os")
-+  if(DEFINED ETC_DIR)
-+    set(_dir_etc ${ETC_DIR})
-+  elseif("${os_name}" STREQUAL "clear-linux-os")
-     # clear-linux-os distribution avoids /etc for distribution defaults.
-     set(_dir_etc "/usr/share/defaults/etc")
-   else()
diff --git a/pkgs/os-specific/linux/intel-ocl/default.nix b/pkgs/os-specific/linux/intel-ocl/default.nix
index 95a2cfbd846..06cb18b2377 100644
--- a/pkgs/os-specific/linux/intel-ocl/default.nix
+++ b/pkgs/os-specific/linux/intel-ocl/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchzip, rpmextract, ncurses5, numactl, zlib }:
+{ lib, stdenv, fetchzip, rpmextract, ncurses5, numactl, zlib }:
 
 stdenv.mkDerivation rec {
   pname = "intel-ocl";
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
 
   sourceRoot = ".";
 
-  libPath = stdenv.lib.makeLibraryPath [
+  libPath = lib.makeLibraryPath [
     stdenv.cc.cc.lib
     ncurses5
     numactl
@@ -66,8 +66,8 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Official OpenCL runtime for Intel CPUs";
     homepage    = "https://software.intel.com/en-us/articles/opencl-drivers";
-    license     = stdenv.lib.licenses.unfree;
+    license     = lib.licenses.unfree;
     platforms   = [ "x86_64-linux" ];
-    maintainers = [ stdenv.lib.maintainers.kierdavis ];
+    maintainers = [ lib.maintainers.kierdavis ];
   };
 }
diff --git a/pkgs/os-specific/linux/intel-speed-select/default.nix b/pkgs/os-specific/linux/intel-speed-select/default.nix
index 12536130a86..89b4feff7a5 100644
--- a/pkgs/os-specific/linux/intel-speed-select/default.nix
+++ b/pkgs/os-specific/linux/intel-speed-select/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, kernel }:
+{ lib, stdenv, kernel }:
 
 stdenv.mkDerivation {
   pname = "intel-speed-select";
@@ -11,7 +11,7 @@ stdenv.mkDerivation {
     sed -i 's,/usr,,g' Makefile
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Tool to enumerate and control the Intel Speed Select Technology features";
     homepage = "https://www.kernel.org/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/ioport/default.nix b/pkgs/os-specific/linux/ioport/default.nix
index fad85335200..543495ec2af 100644
--- a/pkgs/os-specific/linux/ioport/default.nix
+++ b/pkgs/os-specific/linux/ioport/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, perl, fetchurl }:
+{ lib, stdenv, perl, fetchurl }:
 
 stdenv.mkDerivation {
   name = "ioport-1.2";
@@ -7,7 +7,7 @@ stdenv.mkDerivation {
     sha256 = "1h4d5g78y7kla0zl25jgyrk43wy3m3bygqg0blki357bc55irb3z";
   };
   buildInputs = [ perl ];
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Direct access to I/O ports from the command line";
     homepage = "https://people.redhat.com/rjones/ioport/";
     license = licenses.gpl2Plus;
diff --git a/pkgs/os-specific/linux/iotop-c/default.nix b/pkgs/os-specific/linux/iotop-c/default.nix
new file mode 100644
index 00000000000..47cfa57fe81
--- /dev/null
+++ b/pkgs/os-specific/linux/iotop-c/default.nix
@@ -0,0 +1,31 @@
+{stdenv, fetchFromGitHub, lib, ncurses, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "iotop-c";
+  version = "1.17";
+
+  src = fetchFromGitHub {
+    owner = "Tomas-M";
+    repo = "iotop";
+    rev = "v${version}";
+    sha256 = "0hjy30155c3nijx3jgyn5kpj293632p0j6f3lf5acdfax1ynav86";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ ncurses ];
+  makeFlags = [ "DESTDIR=$(out)" "TARGET=iotop-c" ];
+
+  postInstall = ''
+    mv $out/usr/share/man/man8/{iotop,iotop-c}.8
+    ln -s $out/usr/sbin $out/bin
+    ln -s $out/usr/share $out/share
+  '';
+
+  meta = with lib; {
+    description = "iotop identifies processes that use high amount of input/output requests on your machine";
+    homepage = "https://github.com/Tomas-M/iotop";
+    maintainers = [ maintainers.arezvov ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/iotop/default.nix b/pkgs/os-specific/linux/iotop/default.nix
index 8f742aa01be..a91175aa59f 100644
--- a/pkgs/os-specific/linux/iotop/default.nix
+++ b/pkgs/os-specific/linux/iotop/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, python3Packages, fetchpatch }:
+{ lib, fetchurl, python3Packages, fetchpatch }:
 
 python3Packages.buildPythonApplication rec {
   name = "iotop-0.6";
@@ -17,7 +17,7 @@ python3Packages.buildPythonApplication rec {
 
   doCheck = false;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "A tool to find out the processes doing the most IO";
     homepage = "http://guichaz.free.fr/iotop";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/iproute/default.nix b/pkgs/os-specific/linux/iproute/default.nix
index a9fcf455ee4..ea3c4d36958 100644
--- a/pkgs/os-specific/linux/iproute/default.nix
+++ b/pkgs/os-specific/linux/iproute/default.nix
@@ -1,23 +1,20 @@
-{ stdenv, fetchurl
+{ lib, stdenv, fetchurl
 , buildPackages, bison, flex, pkg-config
 , db, iptables, libelf, libmnl
 }:
 
 stdenv.mkDerivation rec {
   pname = "iproute2";
-  version = "5.8.0";
+  version = "5.13.0";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/net/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "0vk4vickrpahdhl3zazr2qn2bf99v5549ncirjpwiy4h0a4izkfg";
+    sha256 = "sha256-cqLlN3TKyeZfe2F97rsgWfh+iWDW6XE+TXiM6pZvGzY=";
   };
 
   preConfigure = ''
     # Don't try to create /var/lib/arpd:
     sed -e '/ARPDDIR/d' -i Makefile
-    # TODO: Drop temporary version fix for 5.8 (53159d81) once 5.9 is out:
-    substituteInPlace include/version.h \
-      --replace "v5.7.0-77-gb687d1067169" "5.8.0"
   '';
 
   outputs = [ "out" "dev" ];
@@ -43,7 +40,7 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://wiki.linuxfoundation.org/networking/iproute2";
     description = "A collection of utilities for controlling TCP/IP networking and traffic control in Linux";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/iproute/mptcp.nix b/pkgs/os-specific/linux/iproute/mptcp.nix
index 4a58ae9e046..12723213901 100644
--- a/pkgs/os-specific/linux/iproute/mptcp.nix
+++ b/pkgs/os-specific/linux/iproute/mptcp.nix
@@ -1,6 +1,6 @@
-{ stdenv, iproute, fetchFromGitHub }:
+{ lib, iproute2, fetchFromGitHub }:
 
-iproute.overrideAttrs (oa: rec {
+iproute2.overrideAttrs (oa: rec {
   pname = "iproute_mptcp";
   version = "0.95";
 
@@ -11,7 +11,13 @@ iproute.overrideAttrs (oa: rec {
     sha256 = "07fihvwlaj0ng8s8sxqhd0a9h1narcnp4ibk88km9cpsd32xv4q3";
   };
 
-  meta = with stdenv.lib; {
+  preConfigure = ''
+    # Don't try to create /var/lib/arpd:
+    sed -e '/ARPDDIR/d' -i Makefile
+    patchShebangs configure
+  '';
+
+  meta = with lib; {
     homepage = "https://github.com/multipath-tcp/iproute-mptcp";
     description = "IP-Route extensions for MultiPath TCP";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/ipsec-tools/default.nix b/pkgs/os-specific/linux/ipsec-tools/default.nix
index bff356ccb6c..33152cc51c1 100644
--- a/pkgs/os-specific/linux/ipsec-tools/default.nix
+++ b/pkgs/os-specific/linux/ipsec-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, kerberos, pam }:
+{ lib, stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, libkrb5, pam }:
 
 # TODO: These tools are supposed to work under NetBSD and FreeBSD as
 # well, so I guess it's not appropriate to place this expression in
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
     sha256 = "0b9gfbz78k2nj0k7jdlm5kajig628ja9qm0z5yksiwz22s3v7dlf";
   };
 
-  buildInputs = [ readline openssl flex kerberos pam ];
+  buildInputs = [ readline openssl flex libkrb5 pam ];
 
   patches = [
     ./dont-create-localstatedir-during-install.patch
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     "--enable-stats"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://ipsec-tools.sourceforge.net/";
     description = "Port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation";
     license = licenses.bsd3;
diff --git a/pkgs/os-specific/linux/ipset/default.nix b/pkgs/os-specific/linux/ipset/default.nix
index 2c433ba8c29..213ae45f48f 100644
--- a/pkgs/os-specific/linux/ipset/default.nix
+++ b/pkgs/os-specific/linux/ipset/default.nix
@@ -1,20 +1,20 @@
-{ stdenv, fetchurl, pkgconfig, libmnl }:
+{ lib, stdenv, fetchurl, pkg-config, libmnl }:
 
 stdenv.mkDerivation rec {
   pname = "ipset";
-  version = "7.6";
+  version = "7.11";
 
   src = fetchurl {
     url = "http://ipset.netfilter.org/${pname}-${version}.tar.bz2";
-    sha256 = "1ny2spcm6bmpj8vnazssg99k59impr7n84jzkdmdjly1m7548z8f";
+    sha256 = "sha256-MVG6rTDx2eMXsqtPL1qnqfe03BH8+P5zrNDcC126v30=";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libmnl ];
 
   configureFlags = [ "--with-kmod=no" ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "http://ipset.netfilter.org/";
     description = "Administration tool for IP sets";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/iptables/default.nix b/pkgs/os-specific/linux/iptables/default.nix
index c9c342ad768..912d9078c94 100644
--- a/pkgs/os-specific/linux/iptables/default.nix
+++ b/pkgs/os-specific/linux/iptables/default.nix
@@ -1,20 +1,20 @@
-{ stdenv, fetchurl, pkgconfig, pruneLibtoolFiles, flex, bison
+{ lib, stdenv, fetchurl, pkg-config, pruneLibtoolFiles, flex, bison
 , libmnl, libnetfilter_conntrack, libnfnetlink, libnftnl, libpcap
 , nftablesCompat ? false
 }:
 
-with stdenv.lib;
+with lib;
 
 stdenv.mkDerivation rec {
-  version = "1.8.5";
+  version = "1.8.7";
   pname = "iptables";
 
   src = fetchurl {
     url = "https://www.netfilter.org/projects/${pname}/files/${pname}-${version}.tar.bz2";
-    sha256 = "02a3575ypdpg6a2x752mhk3f7h1381ymkq1n0gss6fp6292xfmyl";
+    sha256 = "1w6qx3sxzkv80shk21f63rq41c84irpx68k62m2cv629n1mwj2f1";
   };
 
-  nativeBuildInputs = [ pkgconfig pruneLibtoolFiles flex bison ];
+  nativeBuildInputs = [ pkg-config pruneLibtoolFiles flex bison ];
 
   buildInputs = [ libmnl libnetfilter_conntrack libnfnetlink libnftnl libpcap ];
 
@@ -50,6 +50,5 @@ stdenv.mkDerivation rec {
     license = licenses.gpl2;
     downloadPage = "https://www.netfilter.org/projects/iptables/files/";
     updateWalker = true;
-    inherit version;
   };
 }
diff --git a/pkgs/os-specific/linux/iptstate/default.nix b/pkgs/os-specific/linux/iptstate/default.nix
index 529a82e9646..94693f1559e 100644
--- a/pkgs/os-specific/linux/iptstate/default.nix
+++ b/pkgs/os-specific/linux/iptstate/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libnetfilter_conntrack, ncurses }:
+{ lib, stdenv, fetchurl, libnetfilter_conntrack, ncurses }:
 
 stdenv.mkDerivation rec {
   pname = "iptstate";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ libnetfilter_conntrack ncurses ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Conntrack top like tool";
     homepage = "https://github.com/jaymzh/iptstate";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/iputils/default.nix b/pkgs/os-specific/linux/iputils/default.nix
index e12c44888a0..495860ef576 100644
--- a/pkgs/os-specific/linux/iputils/default.nix
+++ b/pkgs/os-specific/linux/iputils/default.nix
@@ -1,12 +1,11 @@
-{ stdenv, fetchFromGitHub
-, meson, ninja, pkgconfig, gettext, libxslt, docbook_xsl_ns
-, libcap, systemd, libidn2
+{ lib, stdenv, fetchFromGitHub
+, meson, ninja, pkg-config, gettext, libxslt, docbook_xsl_ns
+, libcap, libidn2
+, apparmorRulesFromClosure
 }:
 
-with stdenv.lib;
-
 let
-  version = "20200821";
+  version = "20210202";
   sunAsIsLicense = {
     fullName = "AS-IS, SUN MICROSYSTEMS license";
     url = "https://github.com/iputils/iputils/blob/s${version}/rdisc.c";
@@ -18,25 +17,48 @@ in stdenv.mkDerivation rec {
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    rev = "s${version}";
-    sha256 = "1jhbcz75a4ij1myyyi110ma1d8d5hpm3scz9pyw7js6qym50xvh4";
+    rev = version;
+    sha256 = "08j2hfgnfh31vv9rn1ml7090j2lsvm9wdpdz13rz60rmyzrx9dq3";
   };
 
+  outputs = ["out" "apparmor"];
+
   mesonFlags = [
     "-DBUILD_RARPD=true"
     "-DBUILD_TRACEROUTE6=true"
     "-DBUILD_TFTPD=true"
     "-DNO_SETCAP_OR_SUID=true"
     "-Dsystemdunitdir=etc/systemd/system"
+    "-DINSTALL_SYSTEMD_UNITS=true"
   ]
     # Disable idn usage w/musl (https://github.com/iputils/iputils/pull/111):
-    ++ optional stdenv.hostPlatform.isMusl "-DUSE_IDN=false";
+    ++ lib.optional stdenv.hostPlatform.isMusl "-DUSE_IDN=false";
 
-  nativeBuildInputs = [ meson ninja pkgconfig gettext libxslt.bin docbook_xsl_ns ];
-  buildInputs = [ libcap systemd ]
-    ++ optional (!stdenv.hostPlatform.isMusl) libidn2;
+  nativeBuildInputs = [ meson ninja pkg-config gettext libxslt.bin docbook_xsl_ns ];
+  buildInputs = [ libcap ]
+    ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2;
+  postInstall = ''
+    mkdir $apparmor
+    cat >$apparmor/bin.ping <<EOF
+    include <tunables/global>
+    $out/bin/ping {
+      include <abstractions/base>
+      include <abstractions/consoles>
+      include <abstractions/nameservice>
+      include "${apparmorRulesFromClosure { name = "ping"; }
+       ([libcap] ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2)}"
+      include <local/bin.ping>
+      capability net_raw,
+      network inet raw,
+      network inet6 raw,
+      mr $out/bin/ping,
+      r $out/share/locale/**,
+      r @{PROC}/@{pid}/environ,
+    }
+    EOF
+  '';
 
-  meta = {
+  meta = with lib; {
     description = "A set of small useful utilities for Linux networking";
     inherit (src.meta) homepage;
     changelog = "https://github.com/iputils/iputils/releases/tag/s${version}";
diff --git a/pkgs/os-specific/linux/ipvsadm/default.nix b/pkgs/os-specific/linux/ipvsadm/default.nix
index 5f91fa5dccd..fbd4d8efdac 100644
--- a/pkgs/os-specific/linux/ipvsadm/default.nix
+++ b/pkgs/os-specific/linux/ipvsadm/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, libnl, popt, gnugrep }:
+{ lib, stdenv, fetchurl, pkg-config, libnl, popt, gnugrep }:
 
 stdenv.mkDerivation rec {
   pname = "ipvsadm";
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
     substituteInPlace Makefile --replace "-lnl" "$(pkg-config --libs libnl-genl-3.0)"
   '';
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libnl popt ];
 
   preBuild = ''
@@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
     sed -i -e "s|^PATH=.*|PATH=$out/bin:${gnugrep}/bin|" $out/sbin/ipvsadm-{restore,save}
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Linux Virtual Server support programs";
     homepage = "http://www.linuxvirtualserver.org/software/ipvs.html";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/irqbalance/default.nix b/pkgs/os-specific/linux/irqbalance/default.nix
index d61d02b5598..4b7a4527e2c 100644
--- a/pkgs/os-specific/linux/irqbalance/default.nix
+++ b/pkgs/os-specific/linux/irqbalance/default.nix
@@ -1,17 +1,18 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, glib, ncurses, libcap_ng }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, glib, ncurses, libcap_ng }:
 
 stdenv.mkDerivation rec {
   pname = "irqbalance";
-  version = "1.7.0";
+  version = "1.8.0";
 
   src = fetchFromGitHub {
     owner = "irqbalance";
     repo = "irqbalance";
     rev = "v${version}";
-    sha256 = "1677ap6z4hvwga0vb8hrvpc0qggyarg9mlg11pxywz7mq94vdx19";
+    sha256 = "sha256-K+Nv6HqBZb0pwfNV127QDq+suaUD7TTV413S6j8NdUU=";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
   buildInputs = [ glib ncurses libcap_ng ];
 
   LDFLAGS = "-lncurses";
@@ -26,10 +27,12 @@ stdenv.mkDerivation rec {
         --replace ' $IRQBALANCE_ARGS' ""
     '';
 
-  meta = {
+  meta = with lib; {
     homepage = "https://github.com/Irqbalance/irqbalance";
+    changelog = "https://github.com/Irqbalance/irqbalance/releases/tag/v${version}";
     description = "A daemon to help balance the cpu load generated by interrupts across all of a systems cpus";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fortuneteller2k ];
   };
 }
diff --git a/pkgs/os-specific/linux/isgx/default.nix b/pkgs/os-specific/linux/isgx/default.nix
new file mode 100644
index 00000000000..3e551e55917
--- /dev/null
+++ b/pkgs/os-specific/linux/isgx/default.nix
@@ -0,0 +1,56 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch, kernel, kernelAtLeast }:
+
+stdenv.mkDerivation rec {
+  name = "isgx-${version}-${kernel.version}";
+  version = "2.11";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx-driver";
+    rev = "sgx_driver_${version}";
+    hash = "sha256-zZ0FgCx63LCNmvQ909O27v/o4+93gefhgEE/oDr/bHw=";
+  };
+
+  patches = [
+    # Fixes build with kernel >= 5.8
+    (fetchpatch {
+      url = "https://github.com/intel/linux-sgx-driver/commit/276c5c6a064d22358542f5e0aa96b1c0ace5d695.patch";
+      sha256 = "sha256-PmchqYENIbnJ51G/tkdap/g20LUrJEoQ4rDtqy6hj24=";
+    })
+    # Fixes detection with kernel >= 5.11
+    (fetchpatch {
+      url = "https://github.com/intel/linux-sgx-driver/commit/ed2c256929962db1a8805db53bed09bb8f2f4de3.patch";
+      sha256 = "sha256-MRbgS4U8FTCP1J1n+rhsvbXxKDytfl6B7YlT9Izq05U=";
+    })
+  ];
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D isgx.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/intel/sgx
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Intel SGX Linux Driver";
+    longDescription = ''
+      The linux-sgx-driver project (isgx) hosts an out-of-tree driver
+      for the Linux* Intel(R) SGX software stack, which would be used
+      until the driver upstreaming process is complete (before 5.11.0).
+
+      It is used to support Enhanced Privacy Identification (EPID)
+      based attestation on the platforms without Flexible Launch Control.
+    '';
+    homepage = "https://github.com/intel/linux-sgx-driver";
+    license = with licenses; [ bsd3 /* OR */ gpl2Only ];
+    maintainers = with maintainers; [ oxalica ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/os-specific/linux/it87/default.nix b/pkgs/os-specific/linux/it87/default.nix
index c48de130e5a..1e56d3a830c 100644
--- a/pkgs/os-specific/linux/it87/default.nix
+++ b/pkgs/os-specific/linux/it87/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
   name = "it87-${version}-${kernel.version}";
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
     "MODDESTDIR=$(out)/lib/modules/${kernel.modDirVersion}/kernel/drivers/hwmon"
   ];
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Patched module for IT87xx superio chip sensors support";
     homepage = "https://github.com/hannesha/it87";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/iw/default.nix b/pkgs/os-specific/linux/iw/default.nix
index 585bbfd165e..7d526db53e9 100644
--- a/pkgs/os-specific/linux/iw/default.nix
+++ b/pkgs/os-specific/linux/iw/default.nix
@@ -1,15 +1,15 @@
-{ stdenv, fetchurl, pkgconfig, libnl }:
+{ lib, stdenv, fetchurl, pkg-config, libnl }:
 
 stdenv.mkDerivation rec {
   pname = "iw";
-  version = "5.4";
+  version = "5.9";
 
   src = fetchurl {
     url = "https://www.kernel.org/pub/software/network/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "0prrgb11pjrr6dw71v7nx2bic127qzrjifvz183v3mw8f1kryim2";
+    sha256 = "1wp1ky1v353qqy5fnrk67apgzsap53jkr7pmghk3czpbk880ffi9";
   };
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libnl ];
 
   makeFlags = [ "PREFIX=${placeholder "out"}" ];
@@ -23,8 +23,8 @@ stdenv.mkDerivation rec {
       deprecated and it's strongly recommended to switch to iw and nl80211.
     '';
     homepage = "https://wireless.wiki.kernel.org/en/users/Documentation/iw";
-    license = stdenv.lib.licenses.isc;
-    maintainers = with stdenv.lib.maintainers; [ viric primeos ];
-    platforms = with stdenv.lib.platforms; linux;
+    license = lib.licenses.isc;
+    maintainers = with lib.maintainers; [ viric primeos ];
+    platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix
index fd34440f603..e0a1a566d77 100644
--- a/pkgs/os-specific/linux/iwd/default.nix
+++ b/pkgs/os-specific/linux/iwd/default.nix
@@ -1,8 +1,7 @@
-{ stdenv
+{ lib, stdenv
 , fetchgit
-, fetchpatch
 , autoreconfHook
-, pkgconfig
+, pkg-config
 , ell
 , coreutils
 , docutils
@@ -13,20 +12,21 @@
 
 stdenv.mkDerivation rec {
   pname = "iwd";
-  version = "1.8";
+  version = "1.15";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
     rev = version;
-    sha256 = "0ds8nhbnkhxzhnnsi7vj3y2v8wq0nxqbmidhiac7mpxgjkc684gf";
+    sha256 = "sha256-qGQDIzJfeBT9VLwr9Ci9vXcM0ZvFvjL2E9PcKoZ8E94=";
   };
 
-  outputs = [ "out" "man" ];
+  outputs = [ "out" "man" ]
+    ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) "test";
 
   nativeBuildInputs = [
     autoreconfHook
     docutils
-    pkgconfig
+    pkg-config
     python3Packages.wrapPython
   ];
 
@@ -38,7 +38,9 @@ stdenv.mkDerivation rec {
 
   checkInputs = [ openssl ];
 
-  pythonPath = [
+  # wrapPython wraps the scripts in $test. They pull in gobject-introspection,
+  # which doesn't cross-compile.
+  pythonPath = lib.optionals (stdenv.hostPlatform == stdenv.buildPlatform) [
     python3Packages.dbus-python
     python3Packages.pygobject3
   ];
@@ -55,16 +57,20 @@ stdenv.mkDerivation rec {
   ];
 
   postUnpack = ''
+    mkdir -p iwd/ell
+    ln -s ${ell.src}/ell/useful.h iwd/ell/useful.h
     patchShebangs .
   '';
 
   doCheck = true;
 
   postInstall = ''
-    cp -a test/* $out/bin/
     mkdir -p $out/share
     cp -a doc $out/share/
     cp -a README AUTHORS TODO $out/share/doc/
+  '' + lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform) ''
+    mkdir -p $test/bin
+    cp -a test/* $test/bin/
   '';
 
   preFixup = ''
@@ -80,11 +86,11 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
     description = "Wireless daemon for Linux";
-    license = licenses.lgpl21;
+    license = licenses.lgpl21Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ dtzWill fpletz ];
+    maintainers = with maintainers; [ dtzWill fpletz maxeaubrey ];
   };
 }
diff --git a/pkgs/os-specific/linux/ixgbevf/default.nix b/pkgs/os-specific/linux/ixgbevf/default.nix
index 67b9a66a8ab..6a748c47019 100644
--- a/pkgs/os-specific/linux/ixgbevf/default.nix
+++ b/pkgs/os-specific/linux/ixgbevf/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, kernel, kmod }:
+{ lib, stdenv, fetchurl, kernel, kmod }:
 
 stdenv.mkDerivation rec {
   name = "ixgbevf-${version}-${kernel.version}";
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "Intel 82599 Virtual Function Driver";
     homepage = "https://sourceforge.net/projects/e1000/files/ixgbevf%20stable/";
     license = licenses.gpl2;
diff --git a/pkgs/os-specific/linux/jfbview/default.nix b/pkgs/os-specific/linux/jfbview/default.nix
index f8e211fb289..da4135d8a80 100644
--- a/pkgs/os-specific/linux/jfbview/default.nix
+++ b/pkgs/os-specific/linux/jfbview/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchFromGitHub
-, freetype, harfbuzz, jbig2dec, libjpeg, libX11, mupdf, ncurses, openjpeg
+{ lib, stdenv, fetchFromGitHub
+, freetype, harfbuzz, jbig2dec, libjpeg, libX11, mupdf_1_17, ncurses, openjpeg
 , openssl
 
 , imageSupport ? true, imlib2 ? null }:
@@ -32,9 +32,9 @@ stdenv.mkDerivation rec {
   hardeningDisable = [ "format" ];
 
   buildInputs = [
-    freetype harfbuzz jbig2dec libjpeg libX11 mupdf ncurses openjpeg
+    freetype harfbuzz jbig2dec libjpeg libX11 mupdf_1_17 ncurses openjpeg
     openssl
-  ] ++ stdenv.lib.optionals imageSupport [
+  ] ++ lib.optionals imageSupport [
     imlib2
   ];
 
@@ -54,7 +54,7 @@ stdenv.mkDerivation rec {
     install ${toString binaries} $out/bin
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     description = "PDF and image viewer for the Linux framebuffer";
     longDescription = ''
       A very fast PDF and image viewer for the Linux framebuffer with some
diff --git a/pkgs/os-specific/linux/jool/cli.nix b/pkgs/os-specific/linux/jool/cli.nix
index 2d6e624fee6..b1bce496614 100644
--- a/pkgs/os-specific/linux/jool/cli.nix
+++ b/pkgs/os-specific/linux/jool/cli.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, libnl, iptables }:
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, libnl, iptables }:
 
 let
   sourceAttrs = (import ./source.nix) { inherit fetchFromGitHub; };
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
 
   src = sourceAttrs.src;
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ libnl iptables ];
 
   makeFlags = [ "-C" "src/usr" ];
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
     sed -e 's%^XTABLES_SO_DIR = .*%XTABLES_SO_DIR = '"$out"'/lib/xtables%g' -i src/usr/iptables/Makefile
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.jool.mx/";
     description = "Fairly compliant SIIT and Stateful NAT64 for Linux - CLI tools";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index 69c0da33136..58894de6c2e 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, kernel }:
 
 let
   sourceAttrs = (import ./source.nix) { inherit fetchFromGitHub; };
@@ -24,7 +24,7 @@ stdenv.mkDerivation {
     make -C src/mod modules_install INSTALL_MOD_PATH=$out
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://www.jool.mx/";
     description = "Fairly compliant SIIT and Stateful NAT64 for Linux - kernel modules";
     platforms = platforms.linux;
diff --git a/pkgs/os-specific/linux/joycond/default.nix b/pkgs/os-specific/linux/joycond/default.nix
new file mode 100644
index 00000000000..a203073b081
--- /dev/null
+++ b/pkgs/os-specific/linux/joycond/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, libevdev, udev }:
+
+stdenv.mkDerivation rec {
+  pname = "joycond";
+  version = "unstable-2021-03-27";
+
+  src = fetchFromGitHub {
+    owner = "DanielOgorchock";
+    repo = "joycond";
+    rev = "2d3f553060291f1bfee2e49fc2ca4a768b289df8";
+    sha256 = "0dpmwspll9ar3pxg9rgnh224934par8h8bixdz9i2pqqbc3dqib7";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libevdev udev ];
+
+  # CMake has hardcoded install paths
+  installPhase = ''
+    mkdir -p $out/{bin,etc/{systemd/system,udev/rules.d},lib/modules-load.d}
+
+    cp ./joycond $out/bin
+    cp $src/udev/{89,72}-joycond.rules $out/etc/udev/rules.d
+    cp $src/systemd/joycond.service $out/etc/systemd/system
+    cp $src/systemd/joycond.conf $out/lib/modules-load.d
+
+    substituteInPlace $out/etc/systemd/system/joycond.service --replace \
+      "ExecStart=/usr/bin/joycond" "ExecStart=$out/bin/joycond"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/DanielOgorchock/joycond";
+    description = "Userspace daemon to combine joy-cons from the hid-nintendo kernel driver";
+    license = licenses.gpl3Only;
+    maintainers = [ maintainers.ivar ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/jujuutils/default.nix b/pkgs/os-specific/linux/jujuutils/default.nix
index 86b24fe6a5b..554898cedeb 100644
--- a/pkgs/os-specific/linux/jujuutils/default.nix
+++ b/pkgs/os-specific/linux/jujuutils/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, linuxHeaders }:
+{ lib, stdenv, fetchurl, linuxHeaders }:
 
 stdenv.mkDerivation {
   name = "jujuutils-0.2";
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
   meta = {
     homepage = "https://github.com/cladisch/linux-firewire-utils";
     description = "Utilities around FireWire devices connected to a Linux computer";
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/kbd/default.nix b/pkgs/os-specific/linux/kbd/default.nix
index 7ee449ff33e..c7a59e59cab 100644
--- a/pkgs/os-specific/linux/kbd/default.nix
+++ b/pkgs/os-specific/linux/kbd/default.nix
@@ -1,15 +1,26 @@
-{ stdenv, fetchurl, autoreconfHook,
-  gzip, bzip2, pkgconfig, flex, check,
-  pam, coreutils
+{ lib
+, stdenv
+, fetchurl
+, nixosTests
+, autoreconfHook
+, pkg-config
+, flex
+, check
+, pam
+, coreutils
+, gzip
+, bzip2
+, xz
+, zstd
 }:
 
 stdenv.mkDerivation rec {
   pname = "kbd";
-  version = "2.0.4";
+  version = "2.4.0";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/kbd/${pname}-${version}.tar.xz";
-    sha256 = "124swm93dm4ca0pifgkrand3r9gvj3019d4zkfxsj9djpvv0mnaz";
+    sha256 = "17wvrqz2kk0w87idinhyvd31ih1dp7ldfl2yfx7ailygb0279w2m";
   };
 
   configureFlags = [
@@ -18,13 +29,8 @@ stdenv.mkDerivation rec {
     "--disable-nls"
   ];
 
-  patches = [ ./search-paths.patch ];
-
   postPatch =
     ''
-      # Add Neo keymap subdirectory
-      sed -i -e 's,^KEYMAPSUBDIRS *= *,&i386/neo ,' data/Makefile.am
-
       # Renaming keymaps with name clashes, because loadkeys just picks
       # the first keymap it sees. The clashing names lead to e.g.
       # "loadkeys no" defaulting to a norwegian dvorak map instead of
@@ -33,21 +39,16 @@ stdenv.mkDerivation rec {
       mv qwertz/cz{,-qwertz}.map
       mv olpc/es{,-olpc}.map
       mv olpc/pt{,-olpc}.map
-      mv dvorak/{no.map,dvorak-no.map}
       mv fgGIod/trf{,-fgGIod}.map
       mv colemak/{en-latin9,colemak}.map
       popd
 
-      # Fix the path to gzip/bzip2.
-      substituteInPlace src/libkeymap/findfile.c \
-        --replace gzip ${gzip}/bin/gzip \
-        --replace bzip2 ${bzip2.bin}/bin/bzip2 \
-
-      # We get a warning in armv5tel-linux and the fuloong2f, so we
-      # disable -Werror in it.
-      ${stdenv.lib.optionalString (stdenv.isAarch32 || stdenv.hostPlatform.isMips) ''
-        sed -i s/-Werror// src/Makefile.am
-      ''}
+      # Fix paths to decompressors. Trailing space to avoid replacing `xz` in `".xz"`.
+      substituteInPlace src/libkbdfile/kbdfile.c \
+        --replace 'gzip '  '${gzip}/bin/gzip ' \
+        --replace 'bzip2 ' '${bzip2.bin}/bin/bzip2 ' \
+        --replace 'xz '    '${xz.bin}/bin/xz ' \
+        --replace 'zstd '  '${zstd.bin}/bin/zstd '
     '';
 
   postInstall = ''
@@ -57,16 +58,18 @@ stdenv.mkDerivation rec {
     done
   '';
 
-
   buildInputs = [ check pam ];
-  nativeBuildInputs = [ autoreconfHook pkgconfig flex ];
+  nativeBuildInputs = [ autoreconfHook pkg-config flex ];
 
-  makeFlags = [ "setowner=" ];
+  passthru.tests = {
+    inherit (nixosTests) keymap kbd-setfont-decompress;
+  };
 
-  meta = with stdenv.lib; {
-    homepage = "ftp://ftp.altlinux.org/pub/people/legion/kbd/";
-    description = "Linux keyboard utilities and keyboard maps";
+  meta = with lib; {
+    homepage = "https://kbd-project.org/";
+    description = "Linux keyboard tools and keyboard maps";
     platforms = platforms.linux;
     license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ davidak ];
   };
 }
diff --git a/pkgs/os-specific/linux/kbd/keymaps.nix b/pkgs/os-specific/linux/kbd/keymaps.nix
deleted file mode 100644
index b3d5fe1b63c..00000000000
--- a/pkgs/os-specific/linux/kbd/keymaps.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ stdenv, lib, fetchurl, gzip }:
-
-{
-  dvp = stdenv.mkDerivation rec {
-    pname = "dvp";
-    version = "1.2.1";
-
-    src = fetchurl {
-      url = "http://kaufmann.no/downloads/linux/dvp-${lib.replaceStrings ["."] ["_"] version}.map.gz";
-      sha256 = "0e859211cfe16a18a3b9cbf2ca3e280a23a79b4e40b60d8d01d0fde7336b6d50";
-    };
-
-    nativeBuildInputs = [ gzip ];
-
-    buildCommand = ''
-      mkdir -p $out/share/keymaps/i386/dvorak
-      gzip -c -d $src > $out/share/keymaps/i386/dvorak/dvp.map
-    '';
-  };
-
-  neo = stdenv.mkDerivation {
-    pname = "neo";
-    version = "2476";
-
-    src = fetchurl {
-      name = "neo.map";
-      url = "https://raw.githubusercontent.com/neo-layout/neo-layout/"
-          + "a0dee06fed824abfad658b7f10e6d907b270be0a/linux/console/neo.map";
-      sha256 = "19mfrd31vzpsjiwc7pshxm0b0sz5dd17xrz6k079cy4im1vf0r4g";
-    };
-
-    buildCommand = ''
-      install -D $src $out/share/keymaps/i386/neo/neo.map
-    '';
-  };
-}
diff --git a/pkgs/os-specific/linux/kbd/search-paths.patch b/pkgs/os-specific/linux/kbd/search-paths.patch
deleted file mode 100644
index c9405a56721..00000000000
--- a/pkgs/os-specific/linux/kbd/search-paths.patch
+++ /dev/null
@@ -1,71 +0,0 @@
---- a/src/libkeymap/analyze.l
-+++ b/src/libkeymap/analyze.l
-@@ -101,6 +101,9 @@ stack_pop(struct lk_ctx *ctx, void *scan
- static const char *const include_dirpath0[] = { "", 0 };
- static const char *const include_dirpath1[] = { "", "../include/", "../../include/", 0 };
- static const char *const include_dirpath3[] = {
-+ 	"/etc/kbd/" KEYMAPDIR "/include/",
-+ 	"/etc/kbd/" KEYMAPDIR "/i386/include/",
-+ 	"/etc/kbd/" KEYMAPDIR "/mac/include/",
- 	DATADIR "/" KEYMAPDIR "/include/",
- 	DATADIR "/" KEYMAPDIR "/i386/include/",
- 	DATADIR "/" KEYMAPDIR "/mac/include/", 0
---- a/src/loadkeys.c
-+++ b/src/loadkeys.c
-@@ -27,7 +27,7 @@
- #include "keymap.h"
- 
- static const char *progname         = NULL;
--static const char *const dirpath1[] = { "", DATADIR "/" KEYMAPDIR "/**", KERNDIR "/", 0 };
-+static const char *const dirpath1[] = { "", "/etc/kbd/" KEYMAPDIR "/**", DATADIR "/" KEYMAPDIR "/**", 0 };
- static const char *const suffixes[] = { "", ".kmap", ".map", 0 };
- 
- static void __attribute__((noreturn))
---- a/src/loadunimap.c
-+++ b/src/loadunimap.c
-@@ -30,7 +30,7 @@
- extern char *progname;
- extern int force;
- 
--static const char *const unidirpath[]  = { "", DATADIR "/" UNIMAPDIR "/", 0 };
-+static const char *const unidirpath[]  = { "", "/etc/kbd/" UNIMAPDIR "/", DATADIR "/" UNIMAPDIR "/", 0 };
- static const char *const unisuffixes[] = { "", ".uni", ".sfm", 0 };
- 
- #ifdef MAIN
---- a/src/mapscrn.c
-+++ b/src/mapscrn.c
-@@ -27,7 +27,7 @@ void loadnewmap(int fd, char *mfil);
- static int ctoi(char *);
- 
- /* search for the map file in these directories (with trailing /) */
--static const char *const mapdirpath[]  = { "", DATADIR "/" TRANSDIR "/", 0 };
-+static const char *const mapdirpath[]  = { "", "/etc/kbd/" TRANSDIR "/", DATADIR "/" TRANSDIR "/", 0 };
- static const char *const mapsuffixes[] = { "", ".trans", "_to_uni.trans", ".acm", 0 };
- 
- #ifdef MAIN
---- a/src/resizecons.c
-+++ b/src/resizecons.c
-@@ -101,7 +101,7 @@ static int vga_get_fontheight(void);
- static void vga_set_cursor(int, int);
- static void vga_set_verticaldisplayend_lowbyte(int);
- 
--const char *const dirpath[]  = { "", DATADIR "/" VIDEOMODEDIR "/", 0 };
-+const char *const dirpath[]  = { "", "/etc/kbd/" VIDEOMODEDIR "/", DATADIR "/" VIDEOMODEDIR "/", 0};
- const char *const suffixes[] = { "", 0 };
- 
- int main(int argc, char **argv)
---- a/src/setfont.c
-+++ b/src/setfont.c
-@@ -53,10 +53,10 @@ int force   = 0;
- int debug   = 0;
- 
- /* search for the font in these directories (with trailing /) */
--const char *const fontdirpath[]  = { "", DATADIR "/" FONTDIR "/", 0 };
-+const char *const fontdirpath[]  = { "", "/etc/kbd/" FONTDIR "/", DATADIR "/" FONTDIR "/", 0 };
- const char *const fontsuffixes[] = { "", ".psfu", ".psf", ".cp", ".fnt", 0 };
- /* hide partial fonts a bit - loading a single one is a bad idea */
--const char *const partfontdirpath[]  = { "", DATADIR "/" FONTDIR "/" PARTIALDIR "/", 0 };
-+const char *const partfontdirpath[]  = { "", "/etc/kbd/" FONTDIR "/" PARTIALDIR "/", DATADIR "/" FONTDIR "/" PARTIALDIR "/", 0 };
- const char *const partfontsuffixes[] = { "", 0 };
- 
- static inline int
diff --git a/pkgs/os-specific/linux/kbdlight/default.nix b/pkgs/os-specific/linux/kbdlight/default.nix
index bc2d53b5e5d..0ed575b8254 100644
--- a/pkgs/os-specific/linux/kbdlight/default.nix
+++ b/pkgs/os-specific/linux/kbdlight/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
   pname = "kbdlight";
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
       --replace 4755 0755
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
     homepage = "https://github.com/hobarrera/kbdlight";
     description = "A very simple application that changes MacBooks' keyboard backlight level";
     license = licenses.isc;
diff --git a/pkgs/os-specific/linux/kernel-headers/default.nix b/pkgs/os-specific/linux/kernel-headers/default.nix
index c8cf2ac20bc..8b7b5a4fa42 100644
--- a/pkgs/os-specific/linux/kernel-headers/default.nix
+++ b/pkgs/os-specific/linux/kernel-headers/default.nix
@@ -1,4 +1,9 @@
-{ stdenvNoCC, lib, buildPackages, fetchurl, perl, elf-header }:
+{ stdenvNoCC, lib, buildPackages, fetchurl, perl, elf-header
+, bison ? null, flex ? null, python ? null, rsync ? null
+}:
+
+assert stdenvNoCC.hostPlatform.isAndroid ->
+  (flex != null && bison != null && python != null && rsync != null);
 
 rec {
   makeLinuxHeaders = { src, version, patches ? [] }: stdenvNoCC.mkDerivation {
@@ -7,13 +12,17 @@ rec {
     pname = "linux-headers";
     inherit version;
 
-    ARCH = stdenvNoCC.hostPlatform.platform.kernelArch or stdenvNoCC.hostPlatform.kernelArch;
+    ARCH = stdenvNoCC.hostPlatform.linuxArch;
 
     # It may look odd that we use `stdenvNoCC`, and yet explicit depend on a cc.
     # We do this so we have a build->build, not build->host, C compiler.
     depsBuildBuild = [ buildPackages.stdenv.cc ];
     # `elf-header` is null when libc provides `elf.h`.
-    nativeBuildInputs = [ perl elf-header ];
+    nativeBuildInputs = [
+      perl elf-header
+    ] ++ lib.optionals stdenvNoCC.hostPlatform.isAndroid [
+      flex bison python rsync
+    ];
 
     extraIncludeDirs = lib.optional stdenvNoCC.hostPlatform.isPowerPC ["ppc"];
 
@@ -36,9 +45,12 @@ rec {
     # Skip clean on darwin, case-sensitivity issues.
     buildPhase = lib.optionalString (!stdenvNoCC.buildPlatform.isDarwin) ''
       make mrproper $makeFlags
-    '' + ''
+    '' + (if stdenvNoCC.hostPlatform.isAndroid then ''
+      make defconfig
+      make headers_install
+    '' else ''
       make headers $makeFlags
-    '';
+    '');
 
     checkPhase = ''
       make headers_check $makeFlags
@@ -71,12 +83,12 @@ rec {
     ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms
   ];
 
-  linuxHeaders = let version = "5.5"; in
+  linuxHeaders = let version = "5.12"; in
     makeLinuxHeaders {
       inherit version;
       src = fetchurl {
         url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-        sha256 = "0c131fi6s7vgvka1c0597vnvcmwn1pp968rci5kq64iwj3pd9yx6";
+        sha256 = "sha256-fQ328r8jhNaNC9jh/j4HHWQ2Tc3GAC57XIfJLUj6w2Y=";
       };
       patches = linuxHeadersPatches;
     };
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index c0da19dd391..355e653c8ea 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -10,14 +10,14 @@
 # hardware problems with a new one.
 
 # Configuration
-{ stdenv, version
+{ lib, stdenv, version
 
-, features ? { grsecurity = false; }
+, features ? {}
 }:
 
-with stdenv.lib;
-with stdenv.lib.kernel;
-with (stdenv.lib.kernel.whenHelpers version);
+with lib;
+with lib.kernel;
+with (lib.kernel.whenHelpers version);
 
 let
 
@@ -42,7 +42,7 @@ let
       TIMER_STATS               = whenOlder "4.11" yes;
       DEBUG_NX_TEST             = whenOlder "4.11" no;
       DEBUG_STACK_USAGE         = no;
-      DEBUG_STACKOVERFLOW       = mkIf (!features.grsecurity) (option no);
+      DEBUG_STACKOVERFLOW       = option no;
       RCU_TORTURE_TEST          = no;
       SCHEDSTATS                = no;
       DETECT_HUNG_TASK          = yes;
@@ -132,6 +132,7 @@ let
       IP_MROUTE_MULTIPLE_TABLES   = yes;
       IP_MULTICAST                = yes;
       IP_MULTIPLE_TABLES          = yes;
+      IPV6                        = yes;
       IPV6_ROUTER_PREF            = yes;
       IPV6_ROUTE_INFO             = yes;
       IPV6_OPTIMISTIC_DAD         = yes;
@@ -141,6 +142,9 @@ let
       IPV6_MROUTE_MULTIPLE_TABLES = yes;
       IPV6_PIMSM_V2               = yes;
       IPV6_FOU_TUNNEL             = whenAtLeast "4.7" module;
+      IPV6_SEG6_LWTUNNEL          = whenAtLeast "4.10" yes;
+      IPV6_SEG6_HMAC              = whenAtLeast "4.10" yes;
+      IPV6_SEG6_BPF               = whenAtLeast "4.18" yes;
       NET_CLS_BPF                 = whenAtLeast "4.4" module;
       NET_ACT_BPF                 = whenAtLeast "4.4" module;
       NET_SCHED                   = yes;
@@ -173,6 +177,8 @@ let
                                               (whenAtLeast "4.17" yes) ];
       NF_TABLES_NETDEV            = mkMerge [ (whenOlder "4.17" module)
                                               (whenAtLeast "4.17" yes) ];
+      NFT_REJECT_NETDEV           = whenAtLeast "5.11" module;
+
       # IP: Netfilter Configuration
       NF_TABLES_IPV4              = mkMerge [ (whenOlder "4.17" module)
                                               (whenAtLeast "4.17" yes) ];
@@ -190,11 +196,17 @@ let
       NET_DROP_MONITOR = yes;
 
       # needed for ss
-      INET_DIAG         = module;
-      INET_TCP_DIAG     = module;
-      INET_UDP_DIAG     = module;
-      INET_RAW_DIAG     = whenAtLeast "4.14" module;
-      INET_DIAG_DESTROY = whenAtLeast "4.9" yes;
+      # Use a lower priority to allow these options to be overridden in hardened/config.nix
+      INET_DIAG         = mkDefault module;
+      INET_TCP_DIAG     = mkDefault module;
+      INET_UDP_DIAG     = mkDefault module;
+      INET_RAW_DIAG     = whenAtLeast "4.14" (mkDefault module);
+      INET_DIAG_DESTROY = whenAtLeast "4.9" (mkDefault yes);
+
+      # enable multipath-tcp
+      MPTCP           = whenAtLeast "5.6" yes;
+      MPTCP_IPV6      = whenAtLeast "5.6" yes;
+      INET_MPTCP_DIAG = whenAtLeast "5.9" (mkDefault module);
     };
 
     wireless = {
@@ -235,8 +247,9 @@ let
       # Allow specifying custom EDID on the kernel command line
       DRM_LOAD_EDID_FIRMWARE = yes;
       VGA_SWITCHEROO         = yes; # Hybrid graphics support
-      DRM_GMA600             = yes;
-      DRM_GMA3600            = yes;
+      DRM_GMA500             = whenAtLeast "5.12" module;
+      DRM_GMA600             = whenOlder "5.13" yes;
+      DRM_GMA3600            = whenOlder "5.12" yes;
       DRM_VMWGFX_FBCON       = yes;
       # necessary for amdgpu polaris support
       DRM_AMD_POWERPLAY = whenBetween "4.5" "4.9" yes;
@@ -244,6 +257,17 @@ let
       DRM_AMDGPU_SI = whenAtLeast "4.9" yes;
       # (stable) amdgpu support for bonaire and newer chipsets
       DRM_AMDGPU_CIK = whenAtLeast "4.9" yes;
+      # Allow device firmware updates
+      DRM_DP_AUX_CHARDEV = whenAtLeast "4.6" yes;
+      # amdgpu display core (DC) support
+      DRM_AMD_DC_DCN1_0 = whenBetween "4.15" "5.6" yes;
+      DRM_AMD_DC_PRE_VEGA = whenBetween "4.15" "4.18" yes;
+      DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes;
+      DRM_AMD_DC_DCN2_1 = whenBetween "5.4" "5.6" yes;
+      DRM_AMD_DC_DCN3_0 = whenBetween "5.9" "5.11" yes;
+      DRM_AMD_DC_DCN = whenAtLeast "5.11" yes;
+      DRM_AMD_DC_HDCP = whenAtLeast "5.5" yes;
+      DRM_AMD_DC_SI = whenAtLeast "5.10" yes;
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
       # Intel GVT-g graphics virtualization supports 64-bit only
       DRM_I915_GVT = whenAtLeast "4.16" yes;
@@ -268,21 +292,31 @@ let
       SND_SOC_SOF_TOPLEVEL              = yes;
       SND_SOC_SOF_ACPI                  = module;
       SND_SOC_SOF_PCI                   = module;
-      SND_SOC_SOF_APOLLOLAKE_SUPPORT    = yes;
-      SND_SOC_SOF_CANNONLAKE_SUPPORT    = yes;
-      SND_SOC_SOF_COFFEELAKE_SUPPORT    = yes;
+      SND_SOC_SOF_APOLLOLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_APOLLOLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_CANNONLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_CANNONLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COFFEELAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_COFFEELAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COMETLAKE             = whenAtLeast "5.12" module;
       SND_SOC_SOF_COMETLAKE_H_SUPPORT   = whenOlder "5.8" yes;
-      SND_SOC_SOF_COMETLAKE_LP_SUPPORT  = yes;
-      SND_SOC_SOF_ELKHARTLAKE_SUPPORT   = yes;
-      SND_SOC_SOF_GEMINILAKE_SUPPORT    = yes;
+      SND_SOC_SOF_COMETLAKE_LP_SUPPORT  = whenOlder "5.12" yes;
+      SND_SOC_SOF_ELKHARTLAKE           = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ELKHARTLAKE_SUPPORT   = whenOlder "5.12" yes;
+      SND_SOC_SOF_GEMINILAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_GEMINILAKE_SUPPORT    = whenOlder "5.12" yes;
       SND_SOC_SOF_HDA_AUDIO_CODEC       = yes;
       SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
       SND_SOC_SOF_HDA_LINK              = yes;
-      SND_SOC_SOF_ICELAKE_SUPPORT       = yes;
+      SND_SOC_SOF_ICELAKE               = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ICELAKE_SUPPORT       = whenOlder "5.12" yes;
       SND_SOC_SOF_INTEL_TOPLEVEL        = yes;
-      SND_SOC_SOF_JASPERLAKE_SUPPORT    = yes;
-      SND_SOC_SOF_MERRIFIELD_SUPPORT    = yes;
-      SND_SOC_SOF_TIGERLAKE_SUPPORT     = yes;
+      SND_SOC_SOF_JASPERLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_JASPERLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_MERRIFIELD            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_MERRIFIELD_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_TIGERLAKE             = whenAtLeast "5.12" module;
+      SND_SOC_SOF_TIGERLAKE_SUPPORT     = whenOlder "5.12" yes;
     };
 
     usb-serial = {
@@ -350,6 +384,7 @@ let
       F2FS_FS             = module;
       F2FS_FS_SECURITY    = option yes;
       F2FS_FS_ENCRYPTION  = option yes;
+      F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
       UDF_FS              = module;
 
       NFSD_PNFS              = whenBetween "4.0" "4.6" yes;
@@ -396,6 +431,8 @@ let
       NLS_ISO8859_1    = module; # VFAT default for the iocharset= mount option
 
       DEVTMPFS = yes;
+
+      UNICODE = whenAtLeast "5.2" yes; # Casefolding support for filesystems
     };
 
     security = {
@@ -406,14 +443,19 @@ let
       SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
       # Prevent processes from ptracing non-children processes
       SECURITY_YAMA                    = option yes;
-      DEVKMEM                          = mkIf (!features.grsecurity) no; # Disable /dev/kmem
+      DEVKMEM                          = whenOlder "5.13" no; # Disable /dev/kmem
 
       USER_NS                          = yes; # Support for user namespaces
 
       SECURITY_APPARMOR                = yes;
       DEFAULT_SECURITY_APPARMOR        = yes;
 
-      SECURITY_LOCKDOWN_LSM            = whenAtLeast "5.4" yes;
+      RANDOM_TRUST_CPU                 = whenAtLeast "4.19" yes; # allow RDRAND to seed the RNG
+
+      MODULE_SIG            = no; # r13y, generates a random key during build and bakes it in
+      # Depends on MODULE_SIG and only really helps when you sign your modules
+      # and enforce signatures which we don't do by default.
+      SECURITY_LOCKDOWN_LSM = option no;
     } // optionalAttrs (!stdenv.hostPlatform.isAarch32) {
 
       # Detect buffer overflows on the stack
@@ -481,7 +523,7 @@ let
     virtualisation = {
       PARAVIRT = option yes;
 
-      HYPERVISOR_GUEST = mkIf (!features.grsecurity) yes;
+      HYPERVISOR_GUEST = yes;
       PARAVIRT_SPINLOCKS  = option yes;
 
       KVM_APIC_ARCHITECTURE             = whenOlder "4.8" yes;
@@ -489,12 +531,12 @@ let
       KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; };
       KVM_DEVICE_ASSIGNMENT  = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; };
       KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0"  yes;
-      KVM_GUEST                         = mkIf (!features.grsecurity) yes;
+      KVM_GUEST                         = yes;
       KVM_MMIO                          = yes;
       KVM_VFIO                          = yes;
       KSM = yes;
       VIRT_DRIVERS = yes;
-      # We nneed 64 GB (PAE) support for Xen guest support
+      # We need 64 GB (PAE) support for Xen guest support
       HIGHMEM64G = { optional = true; tristate = mkIf (!stdenv.is64bit) "y";};
 
       VFIO_PCI_VGA = mkIf stdenv.is64bit yes;
@@ -618,7 +660,12 @@ let
       XZ_DEC_TEST              = option no;
     };
 
-    criu = optionalAttrs (features.criu or false) ({
+    criu = if (versionAtLeast version "4.19") then {
+      # Unconditionally enabled, because it is required for CRIU and
+      # it provides the kcmp() system call that Mesa depends on.
+      CHECKPOINT_RESTORE  = yes;
+    } else optionalAttrs (features.criu or false) ({
+      # For older kernels, CHECKPOINT_RESTORE is hidden behind EXPERT.
       EXPERT              = yes;
       CHECKPOINT_RESTORE  = yes;
     } // optionalAttrs (features.criu_revert_expert or true) {
@@ -631,7 +678,14 @@ let
       DEBUG_MEMORY_INIT     = option yes;
     });
 
-    misc = {
+    misc = let
+      # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz.
+      # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
+      useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9";
+    in {
+      KERNEL_XZ            = mkIf (!useZstd) yes;
+      KERNEL_ZSTD          = mkIf useZstd yes;
+
       HID_BATTERY_STRENGTH = yes;
       # enabled by default in x86_64 but not arm64, so we do that here
       HIDRAW               = yes;
@@ -644,9 +698,8 @@ let
       THRUSTMASTER_FF    = yes;
       ZEROPLUS_FF        = yes;
 
-      MODULE_COMPRESS    = yes;
+      MODULE_COMPRESS    = whenOlder "5.13" yes;
       MODULE_COMPRESS_XZ = yes;
-      KERNEL_XZ          = yes;
 
       SYSVIPC            = yes;  # System-V IPC
 
@@ -657,7 +710,6 @@ let
       MD                 = yes;     # Device mapper (RAID, LVM, etc.)
 
       # Enable initrd support.
-      BLK_DEV_RAM       = yes;
       BLK_DEV_INITRD    = yes;
 
       PM_TRACE_RTC         = no; # Disable some expensive (?) features.
@@ -731,6 +783,8 @@ let
       MLX4_EN_VXLAN = whenOlder "4.8" yes;
       MLX5_CORE_EN       = option yes;
 
+      NVME_MULTIPATH = whenAtLeast "4.15" yes;
+
       PSI = whenAtLeast "4.20" yes;
 
       MODVERSIONS        = whenOlder "4.9" yes;
@@ -767,6 +821,8 @@ let
       X86_CHECK_BIOS_CORRUPTION = yes;
       X86_MCE                   = yes;
 
+      RAS = yes; # Needed for EDAC support
+
       # Our initrd init uses shebang scripts, so can't be modular.
       BINFMT_SCRIPT = yes;
       # For systemd-binfmt
@@ -788,6 +844,7 @@ let
       PREEMPT_VOLUNTARY = yes;
 
       X86_AMD_PLATFORM_DEVICE = yes;
+      X86_PLATFORM_DRIVERS_DELL = whenAtLeast "5.12" yes;
 
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
       # Enable CPU/memory hotplug support
@@ -803,12 +860,26 @@ let
       # Bump the maximum number of CPUs to support systems like EC2 x1.*
       # instances and Xeon Phi.
       NR_CPUS = freeform "384";
-    } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
+    } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
       # Enables support for the Allwinner Display Engine 2.0
       SUN8I_DE2_CCU = whenAtLeast "4.13" yes;
 
       # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647
       CRYPTO_AEGIS128_SIMD = whenAtLeast "5.4" no;
+
+      # Distros should configure the default as a kernel option.
+      # We previously defined it on the kernel command line as cma=
+      # The kernel command line will override a platform-specific configuration from its device tree.
+      # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
+      CMA_SIZE_MBYTES = freeform "32";
+
+      # Many ARM SBCs hand off a pre-configured framebuffer.
+      # This always can can be replaced by the actual native driver.
+      # Keeping it a built-in ensures it will be used if possible.
+      FB_SIMPLE = yes;
+
+    } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux") {
+      ARM_LPAE = yes;
     };
   };
 in
diff --git a/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch b/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch
new file mode 100644
index 00000000000..1d8ed6f712c
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/export-rt-sched-migrate.patch
@@ -0,0 +1,11 @@
+Export linux-rt (PREEMPT_RT) specific symbols needed by ZFS.
+(Regular kernel provides them static inline in linux/preempt.h.)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1812 +1812 @@ void migrate_disable(void)
+-EXPORT_SYMBOL_GPL(migrate_disable);
++EXPORT_SYMBOL(migrate_disable);
+@@ -1843 +1843 @@ void migrate_enable(void)
+-EXPORT_SYMBOL_GPL(migrate_enable);
++EXPORT_SYMBOL(migrate_enable);
diff --git a/pkgs/os-specific/linux/kernel/generate-config.pl b/pkgs/os-specific/linux/kernel/generate-config.pl
index 26c559ea908..df807188f14 100644
--- a/pkgs/os-specific/linux/kernel/generate-config.pl
+++ b/pkgs/os-specific/linux/kernel/generate-config.pl
@@ -19,6 +19,7 @@ my $autoModules = $ENV{'AUTO_MODULES'};
 my $preferBuiltin = $ENV{'PREFER_BUILTIN'};
 my $ignoreConfigErrors = $ENV{'ignoreConfigErrors'};
 my $buildRoot = $ENV{'BUILD_ROOT'};
+my $makeFlags = $ENV{'MAKE_FLAGS'};
 $SIG{PIPE} = 'IGNORE';
 
 # Read the answers.
@@ -40,7 +41,7 @@ close ANSWERS;
 sub runConfig {
 
     # Run `make config'.
-    my $pid = open2(\*IN, \*OUT, "make -C $ENV{SRC} O=$buildRoot config SHELL=bash ARCH=$ENV{ARCH}");
+    my $pid = open2(\*IN, \*OUT, "make -C $ENV{SRC} O=$buildRoot config SHELL=bash ARCH=$ENV{ARCH} CC=$ENV{CC} HOSTCC=$ENV{HOSTCC} HOSTCXX=$ENV{HOSTCXX} $makeFlags");
 
     # Parse the output, look for questions and then send an
     # appropriate answer.
@@ -61,6 +62,12 @@ sub runConfig {
             # Remember choice alternatives ("> 1. bla (FOO)" or " 2. bla (BAR) (NEW)").
             if ($line =~ /^\s*>?\s*(\d+)\.\s+.*?\(([A-Za-z0-9_]+)\)(?:\s+\(NEW\))?\s*$/) {
                 $choices{$2} = $1;
+            } else {
+                # The list of choices has ended without us being
+                # asked. This happens for options where only one value
+                # is valid, for instance. The results can foul up
+                # later options, so forget about it.
+                %choices = ();
             }
 
             $line = "";
diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index cab11cc87ae..7f4f0f2d6bb 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@@ -6,6 +6,7 @@
 , gmp ? null
 , libmpc ? null
 , mpfr ? null
+, lib
 , stdenv
 
 , # The kernel source tarball.
@@ -20,6 +21,9 @@
 , # Legacy overrides to the intermediate kernel config, as string
   extraConfig ? ""
 
+  # Additional make flags passed to kbuild
+, extraMakeFlags ? []
+
 , # kernel intermediate config overrides, as a set
  structuredExtraConfig ? {}
 
@@ -41,15 +45,19 @@
   # symbolic name and `patch' is the actual patch.  The patch may
   # optionally be compressed with gzip or bzip2.
   kernelPatches ? []
-, ignoreConfigErrors ? stdenv.hostPlatform.platform.name != "pc" ||
+, ignoreConfigErrors ? stdenv.hostPlatform.linux-kernel.name != "pc" ||
                        stdenv.hostPlatform != stdenv.buildPlatform
 , extraMeta ? {}
 
-# easy overrides to stdenv.hostPlatform.platform members
-, autoModules ? stdenv.hostPlatform.platform.kernelAutoModules
-, preferBuiltin ? stdenv.hostPlatform.platform.kernelPreferBuiltin or false
-, kernelArch ? stdenv.hostPlatform.platform.kernelArch
+, isZen      ? false
+, isLibre    ? false
+, isHardened ? false
 
+# easy overrides to stdenv.hostPlatform.linux-kernel members
+, autoModules ? stdenv.hostPlatform.linux-kernel.autoModules
+, preferBuiltin ? stdenv.hostPlatform.linux-kernel.preferBuiltin or false
+, kernelArch ? stdenv.hostPlatform.linuxArch
+, kernelTests ? []
 , ...
 }:
 
@@ -61,22 +69,17 @@
 assert stdenv.isLinux;
 
 let
-
-  lib = stdenv.lib;
-
   # Combine the `features' attribute sets of all the kernel patches.
-  kernelFeatures = lib.fold (x: y: (x.features or {}) // y) ({
+  kernelFeatures = lib.foldr (x: y: (x.features or {}) // y) ({
     iwlwifi = true;
     efiBootStub = true;
     needsCifsUtils = true;
     netfilterRPFilter = true;
-    grsecurity = false;
-    xen_dom0 = false;
     ia32Emulation = true;
   } // features) kernelPatches;
 
   commonStructuredConfig = import ./common-config.nix {
-    inherit stdenv version ;
+    inherit lib stdenv version;
 
     features = kernelFeatures; # Ensure we know of all extra patches, etc.
   };
@@ -84,7 +87,7 @@ let
   intermediateNixConfig = configfile.moduleStructuredConfig.intermediateNixConfig
     # extra config in legacy string format
     + extraConfig
-    + lib.optionalString (stdenv.hostPlatform.platform ? kernelExtraConfig) stdenv.hostPlatform.platform.kernelExtraConfig;
+    + stdenv.hostPlatform.linux-kernel.extraConfig or "";
 
   structuredConfigFromPatches =
         map ({extraStructuredConfig ? {}, ...}: {settings=extraStructuredConfig;}) kernelPatches;
@@ -97,7 +100,7 @@ let
     in lib.concatStringsSep "\n" ([baseConfigStr] ++ configFromPatches);
 
   configfile = stdenv.mkDerivation {
-    inherit ignoreConfigErrors autoModules preferBuiltin kernelArch;
+    inherit ignoreConfigErrors autoModules preferBuiltin kernelArch extraMakeFlags;
     pname = "linux-config";
     inherit version;
 
@@ -108,13 +111,16 @@ let
 
     depsBuildBuild = [ buildPackages.stdenv.cc ];
     nativeBuildInputs = [ perl gmp libmpc mpfr ]
-      ++ lib.optionals (stdenv.lib.versionAtLeast version "4.16") [ bison flex ];
+      ++ lib.optionals (lib.versionAtLeast version "4.16") [ bison flex ];
 
-    platformName = stdenv.hostPlatform.platform.name;
+    platformName = stdenv.hostPlatform.linux-kernel.name;
     # e.g. "defconfig"
-    kernelBaseConfig = if defconfig != null then defconfig else stdenv.hostPlatform.platform.kernelBaseConfig;
+    kernelBaseConfig = if defconfig != null then defconfig else stdenv.hostPlatform.linux-kernel.baseConfig;
     # e.g. "bzImage"
-    kernelTarget = stdenv.hostPlatform.platform.kernelTarget;
+    kernelTarget = stdenv.hostPlatform.linux-kernel.target;
+
+    makeFlags = lib.optionals (stdenv.hostPlatform.linux-kernel ? makeFlags) stdenv.hostPlatform.linux-kernel.makeFlags
+      ++ extraMakeFlags;
 
     prePatch = kernel.prePatch + ''
       # Patch kconfig to print "###" after every question so that
@@ -128,18 +134,25 @@ let
 
     buildPhase = ''
       export buildRoot="''${buildRoot:-build}"
+      export HOSTCC=$CC_FOR_BUILD
+      export HOSTCXX=$CXX_FOR_BUILD
+      export HOSTAR=$AR_FOR_BUILD
+      export HOSTLD=$LD_FOR_BUILD
 
       # Get a basic config file for later refinement with $generateConfig.
-      make -C .  O="$buildRoot" $kernelBaseConfig \
+      make $makeFlags \
+          -C . O="$buildRoot" $kernelBaseConfig \
           ARCH=$kernelArch \
-          HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc \
-          HOSTCXX=${buildPackages.stdenv.cc.targetPrefix}g++
+          HOSTCC=$HOSTCC HOSTCXX=$HOSTCXX HOSTAR=$HOSTAR HOSTLD=$HOSTLD \
+          CC=$CC OBJCOPY=$OBJCOPY OBJDUMP=$OBJDUMP READELF=$READELF \
+          $makeFlags
 
       # Create the config file.
       echo "generating kernel configuration..."
       ln -s "$kernelConfigPath" "$buildRoot/kernel-config"
       DEBUG=1 ARCH=$kernelArch KERNEL_CONFIG="$buildRoot/kernel-config" AUTO_MODULES=$autoModules \
-           PREFER_BUILTIN=$preferBuiltin BUILD_ROOT="$buildRoot" SRC=. perl -w $generateConfig
+        PREFER_BUILTIN=$preferBuiltin BUILD_ROOT="$buildRoot" SRC=. MAKE_FLAGS="$makeFlags" \
+        perl -w $generateConfig
     '';
 
     installPhase = "mv $buildRoot/.config $out";
@@ -147,7 +160,6 @@ let
     enableParallelBuilding = true;
 
     passthru = rec {
-
       module = import ../../../../nixos/modules/system/boot/kernel_config.nix;
       # used also in apache
       # { modules = [ { options = res.options; config = svc.config or svc; } ];
@@ -167,16 +179,20 @@ let
     };
   }; # end of configfile derivation
 
-  kernel = (callPackage ./manual-config.nix {}) {
-    inherit version modDirVersion src kernelPatches randstructSeed stdenv extraMeta configfile;
+  kernel = (callPackage ./manual-config.nix { inherit buildPackages;  }) {
+    inherit version modDirVersion src kernelPatches randstructSeed lib stdenv extraMakeFlags extraMeta configfile;
 
     config = { CONFIG_MODULES = "y"; CONFIG_FW_LOADER = "m"; };
   };
 
   passthru = {
     features = kernelFeatures;
-    inherit commonStructuredConfig;
+    inherit commonStructuredConfig structuredExtraConfig extraMakeFlags isZen isHardened isLibre modDirVersion;
+    isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
+    kernelOlder = lib.versionOlder version;
+    kernelAtLeast = lib.versionAtLeast version;
     passthru = kernel.passthru // (removeAttrs passthru [ "passthru" ]);
+    tests = kernelTests;
   };
 
 in lib.extendDerivation true passthru kernel
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index c817f104427..20f9f5aaa14 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -8,11 +8,11 @@
 #
 # See also <nixos/modules/profiles/hardened.nix>
 
-{ stdenv, version }:
+{ lib, version }:
 
-with stdenv.lib;
-with stdenv.lib.kernel;
-with (stdenv.lib.kernel.whenHelpers version);
+with lib;
+with lib.kernel;
+with (lib.kernel.whenHelpers version);
 
 assert (versionAtLeast version "4.9");
 
@@ -55,8 +55,8 @@ assert (versionAtLeast version "4.9");
 
   # Wipe higher-level memory allocations on free() with page_poison=1
   PAGE_POISONING           = yes;
-  PAGE_POISONING_NO_SANITY = yes;
-  PAGE_POISONING_ZERO      = yes;
+  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
+  PAGE_POISONING_ZERO      = whenOlder "5.11" yes;
 
   # Enable the SafeSetId LSM
   SECURITY_SAFESETID = whenAtLeast "5.1" yes;
@@ -65,7 +65,7 @@ assert (versionAtLeast version "4.9");
   PANIC_TIMEOUT = freeform "-1";
 
   GCC_PLUGINS = yes; # Enable gcc plugin options
-  # Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
+  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
   GCC_PLUGIN_LATENT_ENTROPY = yes;
 
   GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
@@ -79,8 +79,18 @@ assert (versionAtLeast version "4.9");
   PROC_KCORE         = no; # Exposes kernel text image layout
   INET_DIAG          = no; # Has been used for heap based attacks in the past
 
+  # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
+  # make them optional
+  INET_DIAG_DESTROY = option no;
+  INET_RAW_DIAG     = option no;
+  INET_TCP_DIAG     = option no;
+  INET_UDP_DIAG     = option no;
+  INET_MPTCP_DIAG   = option no;
+
   # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
   CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
   CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;
 
+  # Detect out-of-bound reads/writes and use-after-free
+  KFENCE = whenAtLeast "5.12" yes;
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 824eb1a6966..412e5041500 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -1,22 +1,32 @@
 {
     "4.14": {
-        "name": "linux-hardened-4.14.194.a.patch",
-        "sha256": "07z3lr3mbm6c95d7fra2qp071n1c45f9241cl19zs63g00avi11p",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.194.a/linux-hardened-4.14.194.a.patch"
+        "extra": "-hardened1",
+        "name": "linux-hardened-4.14.240-hardened1.patch",
+        "sha256": "0j5zp0f8s4w3f60yam2spg3bx56bdjvv0mh632zlhchz8rdk5zs4",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.240-hardened1/linux-hardened-4.14.240-hardened1.patch"
     },
     "4.19": {
-        "name": "linux-hardened-4.19.141.a.patch",
-        "sha256": "0yiqkkp17pf9r6nakpnqhvmf8awpzp5n27cmh15ril7vn1y71sxw",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.141.a/linux-hardened-4.19.141.a.patch"
+        "extra": "-hardened1",
+        "name": "linux-hardened-4.19.198-hardened1.patch",
+        "sha256": "18c5j00xiwc0xn5klcrwazk6wvjiy3cixbfbrw4xj7zal9r5p6q9",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.198-hardened1/linux-hardened-4.19.198-hardened1.patch"
     },
-    "5.4": {
-        "name": "linux-hardened-5.4.60.a.patch",
-        "sha256": "138kms73rlj5zmsb2ivjzz1jr5aa8y8pmwzx02c7j1qk08v82823",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.60.a/linux-hardened-5.4.60.a.patch"
+    "5.10": {
+        "extra": "-hardened1",
+        "name": "linux-hardened-5.10.52-hardened1.patch",
+        "sha256": "062a32rb1g5xk1npiz9fa114k7g4x9pmygycn3alc0phngjmvr98",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.52-hardened1/linux-hardened-5.10.52-hardened1.patch"
+    },
+    "5.12": {
+        "extra": "-hardened1",
+        "name": "linux-hardened-5.12.19-hardened1.patch",
+        "sha256": "1nr3922gd6il69k5cpp9g3knpy6yjb6jsmpi9k4v02bkvypg86dc",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.12.19-hardened1/linux-hardened-5.12.19-hardened1.patch"
     },
-    "5.7": {
-        "name": "linux-hardened-5.7.17.a.patch",
-        "sha256": "181b473y0hkw076hsndw6nfynr2yhcaypj48iqnk25hzcj40nnaz",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.7.17.a/linux-hardened-5.7.17.a.patch"
+    "5.4": {
+        "extra": "-hardened1",
+        "name": "linux-hardened-5.4.134-hardened1.patch",
+        "sha256": "0iay6dxwd1vqj02ljf0ghncrqpr6b0gby90xiza8kkk8wnh3r9hh",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.134-hardened1/linux-hardened-5.4.134-hardened1.patch"
     }
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
deleted file mode 100644
index ff8a3a12797..00000000000
--- a/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
+++ /dev/null
@@ -1,7 +0,0 @@
-diff --git a/localversion-hardened b/localversion-hardened
-new file mode 100644
-index 0000000000..e578045860
---- /dev/null
-+++ b/localversion-hardened
-@@ -0,0 +1 @@
-+-hardened
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py
index d6443d2e751..e96ac9ca855 100755
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -31,7 +31,7 @@ VersionComponent = Union[int, str]
 Version = List[VersionComponent]
 
 
-Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str})
+Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str})
 
 
 @dataclass
@@ -99,7 +99,10 @@ def verify_openpgp_signature(
             return False
 
 
-def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
+def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
+    release = release_info.release
+    extra = f'-{release_info.version[-1]}'
+
     def find_asset(filename: str) -> str:
         try:
             it: Iterator[str] = (
@@ -130,12 +133,12 @@ def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
     if not sig_ok:
         return None
 
-    return Patch(name=patch_filename, url=patch_url, sha256=sha256)
+    return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra)
 
 
 def parse_version(version_str: str) -> Version:
     version: Version = []
-    for component in version_str.split("."):
+    for component in re.split('\.|\-', version_str):
         try:
             version.append(int(component))
         except ValueError:
@@ -205,7 +208,7 @@ failures = False
 releases = {}
 for release in repo.get_releases():
     version = parse_version(release.tag_name)
-    # needs to look like e.g. 5.6.3.a
+    # needs to look like e.g. 5.6.3-hardened1
     if len(version) < 4:
         continue
 
@@ -252,7 +255,7 @@ for kernel_key in sorted(releases.keys()):
         update = True
 
     if update:
-        patch = fetch_patch(name=name, release=release)
+        patch = fetch_patch(name=name, release_info=release_info)
         if patch is None:
             failures = True
         else:
diff --git a/pkgs/os-specific/linux/kernel/linux-4.14.nix b/pkgs/os-specific/linux/kernel/linux-4.14.nix
index 4807ff7dba4..ccecc433a4a 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.14.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "4.14.194";
+  version = "4.14.240";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1q7ssi2790bqjn8s8ra5ihma70hmxykahink7iq5h78738id191y";
+    sha256 = "1k65qwzlnqnh9ym0n2fxpa8nk2qwvykwhwgaixk3b7ndzmr8b6c8";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_14 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.19.nix b/pkgs/os-specific/linux/kernel/linux-4.19.nix
index e0c9c69061a..4ed06ee2205 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.19.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "4.19.141";
+  version = "4.19.198";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0511vb9rfpy5l6cz69v0v97rw2rk2pscc4hkz2pfmgikagm1shm4";
+    sha256 = "13k0r6a4n8nbni64a18wqzy0pg4vn1zw2li78xrm78rqcrnah85y";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_19 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index 033599900ff..6c2595386e0 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -1,11 +1,14 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
+{ buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.4.233";
+  version = "4.4.276";
   extraMeta.branch = "4.4";
+  extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1z77dikgkvkp9ggwxp07hl8vxsf9kq57rhfdpbvhny1x13fqkrlp";
+    sha256 = "1hf9h5kr1ws2lvinzq6cv7aps8af1kx4q8j4bsk2vv4i2zvmfr7y";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_4 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix
index c1da330e4ae..0dc5cfeae6e 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@@ -1,11 +1,14 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
+{ buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.9.233";
+  version = "4.9.276";
   extraMeta.branch = "4.9";
+  extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "19dcwylhy5iqq3dmppqf7s9wy9d16m103djn1n183c9acnqclv9a";
+    sha256 = "16jp05jhmqcp8lawqga69gxn1acdkxsskn3a6wf0635863fky3hv";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_9 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.8.nix b/pkgs/os-specific/linux/kernel/linux-5.10.nix
index 44ce98ce65e..f59cca3e12f 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.8.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.10.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "5.8.3";
+  version = "5.10.52";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0y8prifvkywqsx5lk80bh31m505vinmicpvdrirgg0c9scg7x8lf";
+    sha256 = "0ydf09wsg0pkjm9dk8y730ksg15p5rlbhq445zx8k191zah5g7kn";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_10 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.7.nix b/pkgs/os-specific/linux/kernel/linux-5.12.nix
index 8583b3b1628..e1e7aec2ce2 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.7.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.12.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "5.7.17";
+  version = "5.12.19";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "09ajavdyvr0025rwvwfp9yv2z8q779nan1i6dck2kkdxr48kd36c";
+    sha256 = "0wscz736n13m833cd12lskn47r0b8ki4fhgpjnwga0jsab9iqf79";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_12 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.13.nix b/pkgs/os-specific/linux/kernel/linux-5.13.nix
new file mode 100644
index 00000000000..dd97944de78
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-5.13.nix
@@ -0,0 +1,21 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "5.13.5";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "0lqh7krxxnbrvr3w1kag92z9r4n9436fr6answjkjfbvw0z7q74m";
+  };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_13 ];
+} // (args.argsOverride or { }))
+
diff --git a/pkgs/os-specific/linux/kernel/linux-5.4.nix b/pkgs/os-specific/linux/kernel/linux-5.4.nix
index 1c903902b61..c4e08b685b5 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix
@@ -1,9 +1,9 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "5.4.60";
+  version = "5.4.134";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "08x2a78n23371k7l5p677mihnl58dpjh7r7bvyiwj3y4hlisplmd";
+    sha256 = "0haqw1w6f8p330ydbsl7iml1x0qqrv63az6921p2a70n88b8dyy9";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_4 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix b/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
index ba37c71d134..a64520ab893 100644
--- a/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
@@ -1,4 +1,4 @@
-{ stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, libelf, utillinux, ... } @ args:
+{ buildPackages, fetchFromGitHub, perl, buildLinux, libelf, util-linux, ... } @ args:
 
 buildLinux (args // rec {
   version = "4.14.165-172";
diff --git a/pkgs/os-specific/linux/kernel/linux-libre.nix b/pkgs/os-specific/linux/kernel/linux-libre.nix
index d3ea80ecb22..f02c1ad1250 100644
--- a/pkgs/os-specific/linux/kernel/linux-libre.nix
+++ b/pkgs/os-specific/linux/kernel/linux-libre.nix
@@ -1,8 +1,8 @@
 { stdenv, lib, fetchsvn, linux
 , scripts ? fetchsvn {
     url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
-    rev = "17624";
-    sha256 = "0gs3mpiffny408l9kdrxpj48axarfb2fxvcw4w8zsz5wr7yig0n2";
+    rev = "18191";
+    sha256 = "0ggaccg7z540kh5if48v6sjy39xllzvznqx5srvrlycrs2r89iyr";
   }
 , ...
 }:
@@ -17,6 +17,7 @@ let
 in linux.override {
   argsOverride = {
     modDirVersion = "${linux.modDirVersion}-gnu";
+    isLibre = true;
 
     src = stdenv.mkDerivation {
       name = "${linux.name}-libre-src";
@@ -34,6 +35,8 @@ in linux.override {
       '';
     };
 
+    extraMeta.broken = true;
+
     passthru.updateScript = ./update-libre.sh;
 
     maintainers = [ lib.maintainers.qyliss ];
diff --git a/pkgs/os-specific/linux/kernel/linux-lqx.nix b/pkgs/os-specific/linux/kernel/linux-lqx.nix
new file mode 100644
index 00000000000..23a6b0b2d36
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-lqx.nix
@@ -0,0 +1,26 @@
+{ lib, fetchFromGitHub, buildLinux, linux_zen, ... } @ args:
+
+let
+  version = "5.12.19";
+  suffix = "lqx2";
+in
+
+buildLinux (args // {
+  modDirVersion = "${version}-${suffix}";
+  inherit version;
+  isZen = true;
+
+  src = fetchFromGitHub {
+    owner = "zen-kernel";
+    repo = "zen-kernel";
+    rev = "v${version}-${suffix}";
+    sha256 = "sha256-r2DvKLlm1a1VuJwC81tRuRwCd6H21T3MsBAC3b9TUbs=";
+  };
+
+  extraMeta = {
+    branch = "5.12/master";
+    maintainers = with lib.maintainers; [ atemu ];
+    description = linux_zen.meta.description + " (Same as linux_zen but less aggressive release schedule)";
+  };
+
+} // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp-94.nix b/pkgs/os-specific/linux/kernel/linux-mptcp-94.nix
deleted file mode 100644
index e53c3ceb5c4..00000000000
--- a/pkgs/os-specific/linux/kernel/linux-mptcp-94.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, structuredExtraConfig ? {}, ... } @ args:
-let
-  mptcpVersion = "0.94.6";
-  modDirVersion = "4.14.127";
-in
-buildLinux ({
-  version = "${modDirVersion}-mptcp_v${mptcpVersion}";
-  inherit modDirVersion;
-
-  extraMeta = {
-    branch = "4.4";
-    maintainers = with stdenv.lib.maintainers; [ teto layus ];
-  };
-
-  src = fetchFromGitHub {
-    owner = "multipath-tcp";
-    repo = "mptcp";
-    rev = "v${mptcpVersion}";
-    sha256 = "071cx9205wpzhi5gc2da79w2abs3czd60jg0xml7j1szc5wl4yfn";
-  };
-
-  structuredExtraConfig = stdenv.lib.mkMerge [
-    (import ./mptcp-config.nix { inherit stdenv; })
-    structuredExtraConfig
-  ];
-} // args)
diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix b/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
index ad933ff63a7..a6a8d4936d4 100644
--- a/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
+++ b/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
@@ -1,7 +1,7 @@
-{ stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, structuredExtraConfig ? {}, ... } @ args:
+{ lib, buildPackages, fetchFromGitHub, perl, buildLinux, structuredExtraConfig ? {}, ... } @ args:
 let
-  mptcpVersion = "0.95";
-  modDirVersion = "4.19.55";
+  mptcpVersion = "0.95.1";
+  modDirVersion = "4.19.126";
 in
 buildLinux ({
   version = "${modDirVersion}-mptcp_v${mptcpVersion}";
@@ -9,18 +9,18 @@ buildLinux ({
 
   extraMeta = {
     branch = "4.19";
-    maintainers = with stdenv.lib.maintainers; [ teto layus ];
+    maintainers = with lib.maintainers; [ teto layus ];
   };
 
   src = fetchFromGitHub {
     owner = "multipath-tcp";
     repo = "mptcp";
     rev = "v${mptcpVersion}";
-    sha256 = "04a66iq5vsiz8mkpszfxmqknz7y4w3lsckrcz6q1syjpk0pdyiyw";
+    sha256 = "sha256-J9UXhkI49cq83EtojLHieRtp8fT3LXTJNIqb+mUwZdM=";
   };
 
-  structuredExtraConfig = stdenv.lib.mkMerge [
-    (import ./mptcp-config.nix { inherit stdenv; })
+  structuredExtraConfig = lib.mkMerge [
+    (import ./mptcp-config.nix { inherit lib; })
     structuredExtraConfig
   ];
 
diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix
index a3d2bfd4836..8ccf46b402b 100644
--- a/pkgs/os-specific/linux/kernel/linux-rpi.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix
@@ -1,8 +1,9 @@
 { stdenv, lib, buildPackages, fetchFromGitHub, perl, buildLinux, rpiVersion, ... } @ args:
 
 let
-  modDirVersion = "4.19.118";
-  tag = "1.20200601";
+  # NOTE: raspberrypifw & raspberryPiWirelessFirmware should be updated with this
+  modDirVersion = "5.10.17";
+  tag = "1.20210303";
 in
 lib.overrideDerivation (buildLinux (args // {
   version = "${modDirVersion}-${tag}";
@@ -12,7 +13,7 @@ lib.overrideDerivation (buildLinux (args // {
     owner = "raspberrypi";
     repo = "linux";
     rev = "raspberrypi-kernel_${tag}-1";
-    sha256 = "11jzsmnd1qry2ir9vmsv0nfdzjpgkn5yab5ylxcz406plc073anp";
+    sha256 = "0ffsllayl18ka4mgp4rdy9h0da5gy1n6g0kfvinvzdzabb5wzvrx";
   };
 
   defconfig = {
@@ -26,6 +27,14 @@ lib.overrideDerivation (buildLinux (args // {
     efiBootStub = false;
   } // (args.features or {});
 
+  extraConfig = ''
+    # ../drivers/gpu/drm/ast/ast_mode.c:851:18: error: initialization of 'void (*)(struct drm_crtc *, struct drm_atomic_state *)' from incompatible pointer type 'void (*)(struct drm_crtc *, struct drm_crtc_state *)' [-Werror=incompatible-pointer-types]
+    #   851 |  .atomic_flush = ast_crtc_helper_atomic_flush,
+    #       |                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # ../drivers/gpu/drm/ast/ast_mode.c:851:18: note: (near initialization for 'ast_crtc_helper_funcs.atomic_flush')
+    DRM_AST n
+  '';
+
   extraMeta = if (rpiVersion < 3) then {
     platforms = with lib.platforms; [ arm ];
     hydraPlatforms = [];
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
new file mode 100644
index 00000000000..83b2fc05093
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
@@ -0,0 +1,45 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.10.52-rt47"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  # modDirVersion needs a patch number, change X.Y-rtZ to X.Y.0-rtZ.
+  modDirVersion = if (builtins.match "[^.]*[.][^.]*-.*" version) == null then version
+    else lib.replaceStrings ["-"] [".0-"] version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "0ydf09wsg0pkjm9dk8y730ksg15p5rlbhq445zx8k191zah5g7kn";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "1n71nbshma0gxyrifyymrd0wii1q0plj020amc0wdzzm27xs5k2k";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.11.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.11.nix
new file mode 100644
index 00000000000..5d1b14f1d0f
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.11.nix
@@ -0,0 +1,45 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.11.4-rt11"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  # modDirVersion needs a patch number, change X.Y-rtZ to X.Y.0-rtZ.
+  modDirVersion = if (builtins.match "[^.]*[.][^.]*-.*" version) == null then version
+    else lib.replaceStrings ["-"] [".0-"] version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "1i8dfw83ndaylwji7lazfckk113plvnz7kh1yppbfg35r6przrc8";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "1az6cn9jj3bnjgwzzrjy1adnrnn06p2vzsnc1iib4xhs0sfr27hc";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
new file mode 100644
index 00000000000..4c49dc9c42a
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
@@ -0,0 +1,41 @@
+{ lib, buildLinux, fetchurl
+, kernelPatches ? [ ]
+, structuredExtraConfig ? {}
+, extraMeta ? {}
+, argsOverride ? {}
+, ... } @ args:
+
+let
+  version = "5.4.129-rt61"; # updated by ./update-rt.sh
+  branch = lib.versions.majorMinor version;
+  kversion = builtins.elemAt (lib.splitString "-" version) 0;
+in buildLinux (args // {
+  inherit version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
+    sha256 = "1ps64gx85lmbriq445hd2hcv4g4b1d1cwf4r3nd90x6i2cj4c9j4";
+  };
+
+  kernelPatches = let rt-patch = {
+    name = "rt";
+    patch = fetchurl {
+      url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
+      sha256 = "0b3hp6a7afkjqd7an4hj423nq6flwzd42kjcyk4pifv5fx6c7pgq";
+    };
+  }; in [ rt-patch ] ++ kernelPatches;
+
+  structuredExtraConfig = with lib.kernel; {
+    PREEMPT_RT = yes;
+    # Fix error: unused option: PREEMPT_RT.
+    EXPERT = yes; # PREEMPT_RT depends on it (in kernel/Kconfig.preempt)
+    # Fix error: option not set correctly: PREEMPT_VOLUNTARY (wanted 'y', got 'n').
+    PREEMPT_VOLUNTARY = lib.mkForce no; # PREEMPT_RT deselects it.
+    # Fix error: unused option: RT_GROUP_SCHED.
+    RT_GROUP_SCHED = lib.mkForce (option no); # Removed by sched-disable-rt-group-sched-on-rt.patch.
+  } // structuredExtraConfig;
+
+  extraMeta = extraMeta // {
+    inherit branch;
+  };
+} // argsOverride)
diff --git a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
index 456913c5e6d..a12633eb6d7 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
@@ -1,22 +1,33 @@
-{ stdenv, buildPackages, fetchgit, fetchpatch, perl, buildLinux, ... } @ args:
+{ lib
+, fetchpatch
+, kernel
+, date ? "2021-07-08"
+, commit ? "3693b2ca83ff9eda49660b31299d2bebe3a1075f"
+, diffHash ? "1sfq3vwc2kxa761s292f2cqrm0vvqvkdx6drpyn5yaxwnapwidcw"
+, kernelPatches # must always be defined in bcachefs' all-packages.nix entry because it's also a top-level attribute supplied by callPackage
+, argsOverride ? {}
+, ...
+} @ args:
 
-buildLinux (args // {
-  version = "5.3.2020.04.04";
-  modDirVersion = "5.3.0";
+kernel.override ( args // {
 
-  src = fetchgit {
-    url = "https://evilpiepirate.org/git/bcachefs.git";
-    rev = "a27d7265e75f6d65c2b972ce4ac27abfc153c230";
-    sha256 = "0wnjl4xs7073d5ipcsplv5qpcxb7zpfqd5gqvh3mhqc5j3qn816x";
-  };
+  argsOverride = {
+    version = "${kernel.version}-bcachefs-unstable-${date}";
+    extraMeta = {
+      branch = "master";
+      maintainers = with lib.maintainers; [ davidak chiiruno ];
+      platforms = [ "x86_64-linux" ];
+    };
+  } // argsOverride;
 
-  extraConfig = "BCACHEFS_FS m";
+  kernelPatches = [ {
+      name = "bcachefs-${commit}";
+      patch = fetchpatch {
+        name = "bcachefs-${commit}.diff";
+        url = "https://evilpiepirate.org/git/bcachefs.git/rawdiff/?id=${commit}&id2=v${lib.versions.majorMinor kernel.version}";
+        sha256 = diffHash;
+      };
+      extraConfig = "BCACHEFS_FS m";
+    } ] ++ kernelPatches;
 
-  extraMeta = {
-    branch = "master";
-    hydraPlatforms = []; # Should the testing kernels ever be built on Hydra?
-    maintainers = with stdenv.lib.maintainers; [ davidak chiiruno ];
-    platforms = [ "x86_64-linux" ];
-  };
-
-} // (args.argsOverride or {}))
+})
diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix
index cf2ca99f6f5..4e2ef7b4652 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -1,19 +1,21 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
-with stdenv.lib;
+with lib;
 
 buildLinux (args // rec {
-  version = "5.9-rc2";
-  extraMeta.branch = "5.9";
+  version = "5.13-rc6";
+  extraMeta.branch = "5.12";
 
   # modDirVersion needs to be x.y.z, will always add .0
   modDirVersion = if (modDirVersionArg == null) then builtins.replaceStrings ["-"] [".0-"] version else modDirVersionArg;
 
   src = fetchurl {
     url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz";
-    sha256 = "0mdh6gsd305kcgfqzyfgl5m886asjm5030ahg63gyias3ywzn5wd";
+    sha256 = "sha256-PunFd6tOsmrsPItp2QX4TEVxHnvvi1BMSwWio/DTlMU=";
   };
 
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_testing ];
+
   # Should the testing kernels ever be built on Hydra?
   extraMeta.hydraPlatforms = [];
 
diff --git a/pkgs/os-specific/linux/kernel/linux-xanmod.nix b/pkgs/os-specific/linux/kernel/linux-xanmod.nix
new file mode 100644
index 00000000000..701f5d3b104
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-xanmod.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv, buildLinux, fetchFromGitHub, ... } @ args:
+
+let
+  version = "5.13.5";
+  suffix = "xanmod1-cacule";
+in
+buildLinux (args // rec {
+  inherit version;
+  modDirVersion = "${version}-${suffix}";
+
+  src = fetchFromGitHub {
+    owner = "xanmod";
+    repo = "linux";
+    rev = modDirVersion;
+    sha256 = "sha256-Vhshu3mNkQ58TEOUBOuF7jLBlablxg/BioUyd96lI5g=";
+  };
+
+  structuredExtraConfig = with lib.kernel; {
+    # Preemptive Full Tickless Kernel at 500Hz
+    PREEMPT_VOLUNTARY = lib.mkForce no;
+    PREEMPT = lib.mkForce yes;
+    NO_HZ_FULL = yes;
+    HZ_500 = yes;
+
+    # Google's Multigenerational LRU Framework
+    LRU_GEN = yes;
+    LRU_GEN_ENABLED = yes;
+
+    # Google's BBRv2 TCP congestion Control
+    TCP_CONG_BBR2 = yes;
+    DEFAULT_BBR2 = yes;
+
+    # FQ-PIE Packet Scheduling
+    NET_SCH_DEFAULT = yes;
+    DEFAULT_FQ_PIE = yes;
+
+    # Graysky's additional CPU optimizations
+    CC_OPTIMIZE_FOR_PERFORMANCE_O3 = yes;
+
+    # Android Ashmem and Binder IPC Driver as module for Anbox
+    ASHMEM = module;
+    ANDROID = yes;
+    ANDROID_BINDER_IPC = module;
+    ANDROID_BINDERFS = module;
+    ANDROID_BINDER_DEVICES = freeform "binder,hwbinder,vndbinder";
+  };
+
+  extraMeta = {
+    branch = "5.13-cacule";
+    maintainers = with lib.maintainers; [ fortuneteller2k ];
+    description = "Built with custom settings and new features built to provide a stable, responsive and smooth desktop experience";
+    broken = stdenv.isAarch64;
+  };
+} // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-zen.nix b/pkgs/os-specific/linux/kernel/linux-zen.nix
index c7d14a45068..caf65508210 100644
--- a/pkgs/os-specific/linux/kernel/linux-zen.nix
+++ b/pkgs/os-specific/linux/kernel/linux-zen.nix
@@ -1,23 +1,26 @@
-{ stdenv, fetchFromGitHub, buildLinux, ... } @ args:
+{ lib, fetchFromGitHub, buildLinux, ... } @ args:
 
 let
-  version = "5.8.1";
+  version = "5.12.19";
+  suffix = "zen2";
 in
 
 buildLinux (args // {
-  modDirVersion = "${version}-zen1";
+  modDirVersion = "${version}-${suffix}";
   inherit version;
+  isZen = true;
 
   src = fetchFromGitHub {
     owner = "zen-kernel";
     repo = "zen-kernel";
-    rev = "v${version}-zen1";
-    sha256 = "122q09d0sybi9lqlaxpq6ffc0ha9127bg3wzjync256lbj5394b7";
+    rev = "v${version}-${suffix}";
+    sha256 = "sha256-l+KIlaXoq/Nzf7mUom9DUjaAsn7UxeKGL6MbYN7mBZk=";
   };
 
   extraMeta = {
-    branch = "5.8/master";
-    maintainers = with stdenv.lib.maintainers; [ atemu ];
+    branch = "5.12/master";
+    maintainers = with lib.maintainers; [ atemu andresilva ];
+    description = "Built using the best configuration and kernel sources for desktop, multimedia, and gaming workloads.";
   };
 
-} // (args.argsOverride or {}))
+} // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 3a2682b2cfe..77add0aef53 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -1,6 +1,5 @@
-{ buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl
-, libelf, cpio, elfutils
-, utillinuxMinimal
+{ lib, buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl
+, libelf, cpio, elfutils, zstd, gawk, python3Minimal
 , writeTextFile
 }:
 
@@ -15,10 +14,13 @@ let
     echo "}" >> $out
   '').outPath;
 in {
+  lib,
   # Allow overriding stdenv on each buildLinux call
   stdenv,
   # The kernel version
   version,
+  # Additional kernel make flags
+  extraMakeFlags ? [],
   # The version of the kernel module directory
   modDirVersion ? version,
   # The kernel source (tarball, git checkout, etc.)
@@ -29,12 +31,18 @@ in {
   configfile,
   # Manually specified nixexpr representing the config
   # If unspecified, this will be autodetected from the .config
-  config ? stdenv.lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
+  config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
   # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
   # automatically extended with extra per-version and per-config values.
   randstructSeed ? "",
   # Use defaultMeta // extraMeta
   extraMeta ? {},
+
+  # for module compatibility
+  isZen      ? false,
+  isLibre    ? false,
+  isHardened ? false,
+
   # Whether to utilize the controversial import-from-derivation feature to parse the config
   allowImportFromDerivation ? false,
   # ignored
@@ -42,11 +50,11 @@ in {
 }:
 
 let
-  inherit (stdenv.lib)
+  inherit (lib)
     hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms;
 
   # Dependencies that are required to build kernel modules
-  moduleBuildDependencies = optional (stdenv.lib.versionAtLeast version "4.14") libelf;
+  moduleBuildDependencies = optional (lib.versionAtLeast version "4.14") libelf;
 
   installkernel = writeTextFile { name = "installkernel"; executable=true; text = ''
     #!${stdenv.shell} -e
@@ -57,10 +65,10 @@ let
 
   commonMakeFlags = [
     "O=$(buildRoot)"
-  ] ++ stdenv.lib.optionals (stdenv.hostPlatform.