328 files changed, 4135 insertions, 2787 deletions

diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index 87535b92e46..f986ed790a1 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -2,13 +2,14 @@
 
 stdenv.mkDerivation rec {
   pname = "acpi-call";
-  version = "2020-04-07-${kernel.version}";
+  version = "1.2.1";
+  name = "${pname}-${version}-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "nix-community";
     repo = "acpi_call";
-    rev = "3d7c9fe5ed3fc5ed5bafd39d54b1fdc7a09ce710";
-    sha256 = "09kp8zl392h99wjwzqrdw2xcfnsc944hzmfwi8n1y7m2slpdybv3";
+    rev = "v${version}";
+    sha256 = "0mr4rjbv6fj4phf038addrgv32940bphghw2v9n1z4awvw7wzkbg";
   };
 
   hardeningDisable = [ "pic" ];
@@ -26,8 +27,9 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     maintainers = with maintainers; [ raskin mic92 ];
-    inherit (src.meta) homepage;
+    homepage = "https://github.com/nix-community/acpi_call";
     platforms = platforms.linux;
     description = "A module allowing arbitrary ACPI calls; use case: hybrid video";
+    license = licenses.gpl3Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/afuse/default.nix b/pkgs/os-specific/linux/afuse/default.nix
index 7375f45eb6d..75c44e11172 100644
--- a/pkgs/os-specific/linux/afuse/default.nix
+++ b/pkgs/os-specific/linux/afuse/default.nix
@@ -11,11 +11,18 @@ stdenv.mkDerivation {
   nativeBuildInputs = [ autoreconfHook pkg-config ];
   buildInputs = [ fuse ];
 
+  postPatch = lib.optionalString stdenv.isDarwin ''
+    # Fix the build on macOS with macFUSE installed
+    substituteInPlace configure.ac --replace \
+      'export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH' \
+      ""
+  '';
+
   meta = {
     description = "Automounter in userspace";
     homepage = "https://github.com/pcarrier/afuse";
     license = lib.licenses.gpl2;
     maintainers = [ lib.maintainers.marcweber ];
-    platforms = lib.platforms.linux;
+    platforms = lib.platforms.unix;
   };
 }
diff --git a/pkgs/os-specific/linux/akvcam/default.nix b/pkgs/os-specific/linux/akvcam/default.nix
index 9e745077514..815dc6a2ee3 100644
--- a/pkgs/os-specific/linux/akvcam/default.nix
+++ b/pkgs/os-specific/linux/akvcam/default.nix
@@ -2,16 +2,17 @@
 
 stdenv.mkDerivation rec {
   pname = "akvcam";
-  version = "1.1.1";
+  version = "1.2.0";
 
   src = fetchFromGitHub {
     owner = "webcamoid";
     repo = "akvcam";
     rev = version;
-    sha256 = "ULEhfF+uC/NcVUGAtmP1+BnrcgRgftNS97nLp81avQ8=";
+    sha256 = "0r5xg7pz0wl6pq5029rpzm9fn978vq0md31xjkp2amny7rrgxw72";
   };
 
   nativeBuildInputs = [ qmake ];
+  dontWrapQtApps = true;
 
   qmakeFlags = [
     "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/alsa-plugins/wrapper.nix b/pkgs/os-specific/linux/alsa-plugins/wrapper.nix
deleted file mode 100644
index 8271088a501..00000000000
--- a/pkgs/os-specific/linux/alsa-plugins/wrapper.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ writeShellScriptBin, stdenv, alsaPlugins }:
-writeShellScriptBin "ap${if stdenv.hostPlatform.system == "i686-linux" then "32" else "64"}" ''
-  ALSA_PLUGIN_DIRS=${alsaPlugins}/lib/alsa-lib "$@"
-''
diff --git a/pkgs/os-specific/linux/alsa-firmware/cross.patch b/pkgs/os-specific/linux/alsa-project/alsa-firmware/cross.patch
index 989ccea2b98..989ccea2b98 100644
--- a/pkgs/os-specific/linux/alsa-firmware/cross.patch
+++ b/pkgs/os-specific/linux/alsa-project/alsa-firmware/cross.patch
diff --git a/pkgs/os-specific/linux/alsa-firmware/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix
index a627a7762a8..a627a7762a8 100644
--- a/pkgs/os-specific/linux/alsa-firmware/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-firmware/default.nix
diff --git a/pkgs/os-specific/linux/alsa-lib/alsa-plugin-conf-multilib.patch b/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch
index b17df9a492e..b17df9a492e 100644
--- a/pkgs/os-specific/linux/alsa-lib/alsa-plugin-conf-multilib.patch
+++ b/pkgs/os-specific/linux/alsa-project/alsa-lib/alsa-plugin-conf-multilib.patch
diff --git a/pkgs/os-specific/linux/alsa-lib/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix
index cea26646672..a2350271482 100644
--- a/pkgs/os-specific/linux/alsa-lib/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix
@@ -1,12 +1,17 @@
-{ lib, stdenv, fetchurl, alsa-ucm-conf, alsa-topology-conf }:
+{ lib
+, stdenv
+, fetchurl
+, alsa-topology-conf
+, alsa-ucm-conf
+}:
 
 stdenv.mkDerivation rec {
   pname = "alsa-lib";
-  version = "1.2.4";
+  version = "1.2.5.1";
 
   src = fetchurl {
     url = "mirror://alsa/lib/${pname}-${version}.tar.bz2";
-    sha256 = "sha256-91VL4aVs3/RotY/BwpuVtkhkxZADjdMJx6l4xxFpCPc=";
+    sha256 = "sha256-YoQh2VDOyvI03j+JnVIMCmkjMTyWStdR/6wIHfMxQ44=";
   };
 
   patches = [
diff --git a/pkgs/os-specific/linux/alsa-oss/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix
index 9c87dbe8e8c..f600b52c5f3 100644
--- a/pkgs/os-specific/linux/alsa-oss/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-oss/default.nix
@@ -1,4 +1,4 @@
-{lib, stdenv, fetchurl, alsaLib, gettext, ncurses, libsamplerate}:
+{lib, stdenv, fetchurl, alsa-lib, gettext, ncurses, libsamplerate}:
 
 stdenv.mkDerivation rec {
   pname = "alsa-oss";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "13nn6n6wpr2sj1hyqx4r9nb9bwxnhnzw8r2f08p8v13yjbswxbb4";
   };
 
-  buildInputs = [ alsaLib ncurses libsamplerate ];
+  buildInputs = [ alsa-lib ncurses libsamplerate ];
   nativeBuildInputs = [ gettext ];
 
   configureFlags = [ "--disable-xmlto" ];
diff --git a/pkgs/os-specific/linux/alsa-plugins/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix
index 602d4278183..747979b1037 100644
--- a/pkgs/os-specific/linux/alsa-plugins/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix
@@ -1,22 +1,21 @@
-{ stdenv, fetchurl, lib, pkg-config, alsaLib, libogg, libpulseaudio ? null, libjack2 ? null }:
+{ stdenv, fetchurl, lib, pkg-config, alsa-lib, libogg, libpulseaudio ? null, libjack2 ? null }:
 
 stdenv.mkDerivation rec {
   pname = "alsa-plugins";
-  version = "1.2.2";
+  version = "1.2.5";
 
   src = fetchurl {
     url = "mirror://alsa/plugins/${pname}-${version}.tar.bz2";
-    sha256 = "0z9k3ssbfk2ky2w13avgyf202j1drsz9sv3834bp33cj1i2hc3qw";
+    sha256 = "086z2g2f95570vfvp9d5bakib4k18fb4bszf3lgx3j6j6f2gkvj2";
   };
 
   nativeBuildInputs = [ pkg-config ];
 
   # ToDo: a52, etc.?
   buildInputs =
-    [ alsaLib libogg ]
+    [ alsa-lib libogg ]
     ++ lib.optional (libpulseaudio != null) libpulseaudio
-    # https://github.com/NixOS/nixpkgs/issues/96548
-    ++ lib.optional (libjack2 != null && (stdenv.buildPlatform == stdenv.hostPlatform)) libjack2;
+    ++ lib.optional (libjack2 != null) libjack2;
 
   meta = with lib; {
     description = "Various plugins for ALSA";
diff --git a/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix b/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix
new file mode 100644
index 00000000000..992f4886e26
--- /dev/null
+++ b/pkgs/os-specific/linux/alsa-project/alsa-plugins/wrapper.nix
@@ -0,0 +1,10 @@
+{ stdenv
+, alsa-plugins
+, writeShellScriptBin
+}:
+let
+  arch = if stdenv.hostPlatform.system == "i686-linux" then "32" else "64";
+in
+writeShellScriptBin "ap${arch}" ''
+  ALSA_PLUGIN_DIRS=${alsa-plugins}/lib/alsa-lib "$@"
+''
diff --git a/pkgs/os-specific/linux/alsa-tools/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix
index c4fdbacf95b..8b9abb74036 100644
--- a/pkgs/os-specific/linux/alsa-tools/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-tools/default.nix
@@ -1,18 +1,18 @@
-{ lib, stdenv, fetchurl, alsaLib, pkg-config, gtk2, gtk3, fltk13 }:
+{ lib, stdenv, fetchurl, alsa-lib, pkg-config, gtk2, gtk3, fltk13 }:
 # Comes from upstream as as bundle of several tools,
 # some use gtk2, some gtk3 (and some even fltk13).
 
 stdenv.mkDerivation rec {
   pname = "alsa-tools";
-  version = "1.2.2";
+  version = "1.2.5";
 
   src = fetchurl {
     url = "mirror://alsa/tools/${pname}-${version}.tar.bz2";
-    sha256 = "0jbkjmq038zapj66a7nkppdf644v2mwj581xbmh6k4i8w6mcglxz";
+    sha256 = "sha256-NacQJ6AfTX3kci4iNSDpQN5os8VwtsZxaRVnrij5iT4=";
   };
 
   nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ alsaLib gtk2 gtk3 fltk13 ];
+  buildInputs = [ alsa-lib gtk2 gtk3 fltk13 ];
 
   patchPhase = ''
     export tools="as10k1 hda-verb hdspmixer echomixer hdajackretask hdspconf hwmixvolume mixartloader rmedigicontrol sscape_ctl vxloader envy24control hdajacksensetest hdsploader ld10k1 pcxhrloader sb16_csp us428control"
diff --git a/pkgs/os-specific/linux/alsa-topology-conf/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix
index 2328fea91fd..97960f833e1 100644
--- a/pkgs/os-specific/linux/alsa-topology-conf/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-topology-conf/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "alsa-topology-conf-${version}";
-  version = "1.2.4";
+  version = "1.2.5";
 
   src = fetchurl {
     url = "mirror://alsa/lib/${name}.tar.bz2";
-    sha256 = "01zdg6q4s6d01k39z96wi4vbhrfw1i2g4yi5dijwfk6a5vjfdq2m";
+    sha256 = "sha256-i/qDBspj4dDL6AvphGYCc7kb1bfdCACmxapx3YyNd1w=";
   };
 
   dontBuild = true;
diff --git a/pkgs/os-specific/linux/alsa-ucm-conf/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix
index d667cd3d51b..0666f3f4793 100644
--- a/pkgs/os-specific/linux/alsa-ucm-conf/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "alsa-ucm-conf-${version}";
-  version = "1.2.4";
+  version = "1.2.5.1";
 
   src = fetchurl {
     url = "mirror://alsa/lib/${name}.tar.bz2";
-    sha256 = "0h6kzi1cfdqyxp4pwpqh5wb89c8s9wrgix315bvamffwfxf56frc";
+    sha256 = "sha256-WEGkRBZty/R523UTA9vDVW9oUIWsfgDwyed1VnYZXZc=";
   };
 
   dontBuild = true;
diff --git a/pkgs/os-specific/linux/alsa-utils/default.nix b/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix
index da365fb7d99..782e6ffce8c 100644
--- a/pkgs/os-specific/linux/alsa-utils/default.nix
+++ b/pkgs/os-specific/linux/alsa-project/alsa-utils/default.nix
@@ -1,23 +1,24 @@
-{lib, stdenv, fetchurl, alsaLib, gettext, makeWrapper, ncurses, libsamplerate, pciutils, which, fftw}:
+{lib, stdenv, fetchurl, alsa-lib, gettext, makeWrapper, ncurses, libsamplerate, pciutils, which, fftw}:
 
 stdenv.mkDerivation rec {
   pname = "alsa-utils";
-  version = "1.2.4";
+  version = "1.2.5.1";
 
   src = fetchurl {
     url = "mirror://alsa/utils/${pname}-${version}.tar.bz2";
-    sha256 = "09m4dnn4kplawprd2bl15nwa0b4r1brab3x44ga7f1fyk7aw5zwq";
+    sha256 = "sha256-nBaa43pJKV+bl7kqzncoA9r2tlEKGVdOC3j4flYhGNA=";
   };
 
-  nativeBuildInputs = [ gettext ];
-  buildInputs = [ makeWrapper alsaLib ncurses libsamplerate fftw ];
+  nativeBuildInputs = [ gettext makeWrapper ];
+  buildInputs = [ alsa-lib ncurses libsamplerate fftw ];
 
   configureFlags = [ "--disable-xmlto" "--with-udev-rules-dir=$(out)/lib/udev/rules.d" ];
 
   installFlags = [ "ASOUND_STATE_DIR=$(TMPDIR)/dummy" ];
 
   postFixup = ''
-    wrapProgram $out/bin/alsa-info.sh --prefix PATH : "${lib.makeBinPath [ which pciutils ]}"
+    mv $out/bin/alsa-info.sh $out/bin/alsa-info
+    wrapProgram $out/bin/alsa-info --prefix PATH : "${lib.makeBinPath [ which pciutils ]}"
   '';
 
   meta = with lib; {
diff --git a/pkgs/os-specific/linux/anbox/kmod.nix b/pkgs/os-specific/linux/anbox/kmod.nix
index f62e6ee6aa5..9ce65cd8726 100644
--- a/pkgs/os-specific/linux/anbox/kmod.nix
+++ b/pkgs/os-specific/linux/anbox/kmod.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation {
   pname = "anbox-modules";
-  version = "2019-11-15-" + kernel.version;
+  version = "2020-06-14-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "anbox";
     repo = "anbox-modules";
-    rev = "e0a237e571989987806b32881044c539db25e3e1";
-    sha256 = "1km1nslp4f5znwskh4bb1b61r1inw1dlbwiyyq3rrh0f0agf8d0v";
+    rev = "98f0f3b3b1eeb5a6954ca15ec43e150b76369086";
+    sha256 = "sha256-6xDJQ4YItdbYqle/9VNfOc7D80yFGd9cFyF+CuABaF0=";
   };
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
@@ -34,10 +34,9 @@ stdenv.mkDerivation {
   meta = with lib; {
     description = "Anbox ashmem and binder drivers.";
     homepage = "https://github.com/anbox/anbox-modules";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
-    broken = (versionOlder kernel.version "4.4") || (kernel.features.grsecurity or false);
+    broken = kernel.kernelOlder "4.4" || kernel.kernelAtLeast "5.5";
     maintainers = with maintainers; [ edwtjo ];
   };
-
 }
diff --git a/pkgs/os-specific/linux/android-udev-rules/default.nix b/pkgs/os-specific/linux/android-udev-rules/default.nix
index 3d69f5ce0e5..fbe02d69f1a 100644
--- a/pkgs/os-specific/linux/android-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/android-udev-rules/default.nix
@@ -6,24 +6,26 @@
 
 stdenv.mkDerivation rec {
   pname = "android-udev-rules";
-  version = "20201003";
+  version = "20210501";
 
   src = fetchFromGitHub {
     owner = "M0Rf30";
     repo = "android-udev-rules";
     rev = version;
-    sha256 = "07s5fdjbk5q4km6gz9759ngdavrqdgbnkd2b7z9z5lqw1q0b2422";
+    sha256 = "sha256-rlTulWclPqMl9LdHdcAtLARXGItiSeF3RX+neZrjgV4=";
   };
 
   installPhase = ''
+    runHook preInstall
     install -D 51-android.rules $out/lib/udev/rules.d/51-android.rules
+    runHook postInstall
   '';
 
   meta = with lib; {
     homepage = "https://github.com/M0Rf30/android-udev-rules";
     description = "Android udev rules list aimed to be the most comprehensive on the net";
     platforms = platforms.linux;
-    license = licenses.gpl3;
+    license = licenses.gpl3Plus;
     maintainers = with maintainers; [ abbradar ];
   };
 }
diff --git a/pkgs/os-specific/linux/apfs/default.nix b/pkgs/os-specific/linux/apfs/default.nix
new file mode 100644
index 00000000000..e27272a6147
--- /dev/null
+++ b/pkgs/os-specific/linux/apfs/default.nix
@@ -0,0 +1,35 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, kernel
+}:
+
+stdenv.mkDerivation {
+  pname = "apfs";
+  version = "unstable-2021-06-25-${kernel.version}";
+
+  src = fetchFromGitHub {
+    owner = "linux-apfs";
+    repo = "linux-apfs-rw";
+    rev = "2ce6d06dc73036d113da5166c59393233bf54229";
+    sha256 = "sha256-18HFtPr0qcTIZ8njwEtveiPYO+HGlj90bdUoL47UUY0=";
+  };
+
+  hardeningDisable = [ "pic" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  meta = with lib; {
+    description = "APFS module for linux";
+    homepage = "https://github.com/linux-apfs/linux-apfs-rw";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.19";
+    maintainers = with maintainers; [ Luflosi ];
+  };
+}
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix
index 935b5e65b1f..1b1fb415451 100644
--- a/pkgs/os-specific/linux/apparmor/default.nix
+++ b/pkgs/os-specific/linux/apparmor/default.nix
@@ -3,33 +3,44 @@
 , flex, bison
 , linuxHeaders ? stdenv.cc.libc.linuxHeaders
 , gawk
-, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) perl.meta.platforms, perl
-, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) python.meta.platforms, python
+, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform perl, perl
+, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform python, python
 , swig
 , ncurses
 , pam
 , libnotify
 , buildPackages
+, coreutils
+, gnugrep
+, gnused
+, kmod
+, writeShellScript
+, closureInfo
+, runCommand
 }:
 
 let
-  apparmor-series = "2.13";
-  apparmor-patchver = "6";
-  apparmor-version = apparmor-series + "." + apparmor-patchver;
+  apparmor-version = "3.0.1";
 
   apparmor-meta = component: with lib; {
     homepage = "https://apparmor.net/";
     description = "A mandatory access control system - ${component}";
     license = licenses.gpl2;
-    maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
+    maintainers = with maintainers; [ joachifm julm phreedom thoughtpolice ];
     platforms = platforms.linux;
   };
 
   apparmor-sources = fetchurl {
-    url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
-    sha256 = "13xshy7905d9q9n8d8i0jmdi9m36wr525g4wlsp8k21n7yvvh9j4";
+    url = "https://launchpad.net/apparmor/${lib.versions.majorMinor apparmor-version}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
+    sha256 = "096zbg3v7b51x7f1ly61mzd3iy9alad6sd4lam98j2d6v5ragbcg";
   };
 
+  aa-teardown = writeShellScript "aa-teardown" ''
+    PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"
+    . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
+    remove_profiles
+  '';
+
   prePatchCommon = ''
     chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
     patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh
@@ -45,12 +56,6 @@ let
       name = "0003-Added-missing-typedef-definitions-on-parser.patch";
       sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0";
     })
-    (fetchpatch {
-      url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0007-Do-not-build-install-vim-file-with-utils-package.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
-      name = "0007-Do-not-build-install-vim-file-with-utils-package.patch";
-      sha256 = "1m4dx901biqgnr4w4wz8a2z9r9dxyw7wv6m6mqglqwf2lxinqmp4";
-    })
-    # (alpine patches {1,4,5,6,8} are needed for apparmor 2.11, but not 2.12)
     ];
 
   # Set to `true` after the next FIXME gets fixed or this gets some
@@ -121,7 +126,11 @@ let
       libapparmor.python
     ];
 
-    prePatch = prePatchCommon + ''
+    prePatch = prePatchCommon +
+      # Do not build vim file
+      lib.optionalString stdenv.hostPlatform.isMusl ''
+        sed -i ./utils/Makefile -e "/\<vim\>/d"
+      '' + ''
       substituteInPlace ./utils/apparmor/easyprof.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
       substituteInPlace ./utils/apparmor/aa.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
       substituteInPlace ./utils/logprof.conf --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
@@ -132,14 +141,21 @@ let
     installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
 
     postInstall = ''
-      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do
+      sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"
+      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do
         wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH"
       done
 
-      substituteInPlace $out/bin/aa-notify --replace /usr/bin/notify-send ${libnotify}/bin/notify-send
-      # aa-notify checks its name and does not work named ".aa-notify-wrapped"
-      mv $out/bin/aa-notify $out/bin/aa-notify-wrapped
-      makeWrapper ${perl}/bin/perl $out/bin/aa-notify --set PERL5LIB ${libapparmor}/${perl.libPrefix} --add-flags $out/bin/aa-notify-wrapped
+      substituteInPlace $out/bin/aa-notify \
+        --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \
+        --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"
+
+      substituteInPlace $out/bin/aa-remove-unknown \
+       --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
+      wrapProgram $out/bin/aa-remove-unknown \
+       --prefix PATH : ${lib.makeBinPath [gawk]}
+
+      ln -s ${aa-teardown} $out/bin/aa-teardown
     '';
 
     inherit doCheck;
@@ -167,7 +183,7 @@ let
     prePatch = prePatchCommon;
     postPatch = "cd ./binutils";
     makeFlags = [ "LANGS=" "USE_SYSTEM=1" ];
-    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" ];
+    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "SBINDIR=$(out)/bin" ];
 
     inherit doCheck;
 
@@ -188,6 +204,9 @@ let
       substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
       ## techdoc.pdf still doesn't build ...
       substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+      substituteInPlace parser/rc.apparmor.functions \
+       --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"
+      sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
     '';
     inherit patches;
     postPatch = "cd ./parser";
@@ -249,8 +268,35 @@ let
     meta = apparmor-meta "kernel patches";
   };
 
+  # Generate generic AppArmor rules in a file,
+  # from the closure of given rootPaths.
+  # To be included in an AppArmor profile like so:
+  # include "$(apparmorRulesFromClosure {} [pkgs.hello]}"
+  apparmorRulesFromClosure =
+    { # The store path of the derivation is given in $path
+      additionalRules ? []
+      # TODO: factorize here some other common paths
+      # that may emerge from use cases.
+    , baseRules ? [
+        "r $path"
+        "r $path/etc/**"
+        "r $path/share/**"
+        # Note that not all libraries are prefixed with "lib",
+        # eg. glibc-2.30/lib/ld-2.30.so
+        "mr $path/lib/**.so*"
+        # eg. glibc-2.30/lib/gconv/gconv-modules
+        "r $path/lib/**"
+      ]
+    , name ? ""
+    }: rootPaths: runCommand
+      ( "apparmor-closure-rules"
+      + lib.optionalString (name != "") "-${name}" ) {} ''
+    touch $out
+    while read -r path
+    do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}
+    done <${closureInfo {inherit rootPaths;}}/store-paths
+  '';
 in
-
 {
   inherit
     libapparmor
@@ -259,5 +305,6 @@ in
     apparmor-parser
     apparmor-pam
     apparmor-profiles
-    apparmor-kernel-patches;
+    apparmor-kernel-patches
+    apparmorRulesFromClosure;
 }
diff --git a/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
new file mode 100644
index 00000000000..ebc1baaa92d
--- /dev/null
+++ b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
@@ -0,0 +1,32 @@
+aa_action() {
+  STRING=$1
+  shift
+  $*
+  rc=$?
+  if [ $rc -eq 0 ] ; then
+    aa_log_success_msg $"$STRING "
+  else
+    aa_log_failure_msg $"$STRING "
+  fi
+  return $rc
+}
+
+aa_log_success_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": done."
+}
+
+aa_log_warning_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Warning."
+}
+
+aa_log_failure_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Failed."
+}
+
+aa_log_skipped_msg() {
+   [ -n "$1" ] && echo -n $1
+   echo ": Skipped."
+}
diff --git a/pkgs/os-specific/linux/aseq2json/default.nix b/pkgs/os-specific/linux/aseq2json/default.nix
new file mode 100644
index 00000000000..646e9f7b7b9
--- /dev/null
+++ b/pkgs/os-specific/linux/aseq2json/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, lib, fetchFromGitHub, pkg-config, alsa-lib, glib, json-glib }:
+
+stdenv.mkDerivation {
+  pname = "aseq2json";
+  version = "unstable-2018-04-28";
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "midi-dump-tools";
+    rev = "8572e6313a0d7ec95492dcab04a46c5dd30ef33a";
+    sha256 = "LQ9LLVumi3GN6c9tuMSOd1Bs2pgrwrLLQbs5XF+NZeA=";
+  };
+  sourceRoot = "source/aseq2json";
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ alsa-lib glib json-glib ];
+
+  installPhase = ''
+    install -D --target-directory "$out/bin" aseq2json
+  '';
+
+  meta = with lib; {
+    description = "Listens for MIDI events on the Alsa sequencer and outputs as JSON to stdout";
+    homepage = "https://github.com/google/midi-dump-tools";
+    license = licenses.asl20;
+    maintainers = [ maintainers.queezle ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/ati-drivers/builder.sh b/pkgs/os-specific/linux/ati-drivers/builder.sh
deleted file mode 100644
index a9e5aaef397..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/builder.sh
+++ /dev/null
@@ -1,302 +0,0 @@
-# TODO gentoo removes some tools because there are xorg sources (?)
-
-source $stdenv/setup
-set -x
-
-die(){ echo $@; exit 1; }
-
-unzip $src
-run_file=fglrx-$build/amd-driver-installer-$build-x86.x86_64.run
-sh $run_file --extract .
-
-for patch in $patches;do
-    patch -p1 < $patch
-done
-
-case "$system" in
-  x86_64-linux)
-    arch=x86_64
-    lib_arch=lib64
-    DIR_DEPENDING_ON_XORG_VERSION=xpic_64a
-  ;;
-  i686-linux)
-    arch=x86
-    lib_arch=lib
-    DIR_DEPENDING_ON_XORG_VERSION=xpic
-  ;;
-  *) exit 1;;
-esac
-
-# Handle/Build the kernel module.
-
-if test -z "$libsOnly"; then
-
-  kernelVersion=$(cd ${kernelDir}/lib/modules && ls)
-  kernelBuild=$(echo ${kernelDir}/lib/modules/$kernelVersion/build)
-  linuxsources=$(echo ${kernelDir}/lib/modules/$kernelVersion/source)
-
-  # note: maybe the .config file should be used to determine this ?
-  # current kbuild infrastructure allows using CONFIG_* defines
-  # but ati sources don't use them yet..
-  # copy paste from make.sh
-
-  setSMP(){
-
-    linuxincludes=$kernelBuild/include
-
-    # copied and stripped. source: make.sh:
-    # 3
-    # linux/autoconf.h may contain this: #define CONFIG_SMP 1
-
-    # Before 2.6.33 autoconf.h is under linux/.
-    # For 2.6.33 and later autoconf.h is under generated/.
-    if [ -f $linuxincludes/generated/autoconf.h ]; then
-        autoconf_h=$linuxincludes/generated/autoconf.h
-    else
-        autoconf_h=$linuxincludes/linux/autoconf.h
-    fi
-    src_file=$autoconf_h
-
-    [ -e $src_file ] || die "$src_file not found"
-
-    if [ `cat $src_file | grep "#undef" | grep "CONFIG_SMP" -c` = 0 ]; then
-      SMP=`cat $src_file | grep CONFIG_SMP | cut -d' ' -f3`
-      echo "file $src_file says: SMP=$SMP"
-    fi
-
-    if [ "$SMP" = 0 ]; then
-      echo "assuming default: SMP=$SMP"
-    fi
-    # act on final result
-    if [ ! "$SMP" = 0 ]; then
-      smp="-SMP"
-      def_smp=-D__SMP__
-    fi
-
-  }
-
-  setModVersions(){
-    ! grep CONFIG_MODVERSIONS=y $kernelBuild/.config ||
-    def_modversions="-DMODVERSIONS"
-    # make.sh contains much more code to determine this whether its enabled
-  }
-
-  # ==============================================================
-  # resolve if we are building for a kernel with a fix for CVE-2010-3081
-  # On kernels with the fix, use arch_compat_alloc_user_space instead
-  # of compat_alloc_user_space since the latter is GPL-only
-
-  COMPAT_ALLOC_USER_SPACE=arch_compat_alloc_user_space
-
-  for src_file in \
-    $kernelBuild/arch/x86/include/asm/compat.h \
-    $linuxsources/arch/x86/include/asm/compat.h \
-    $kernelBuild/include/asm-x86_64/compat.h \
-    $linuxsources/include/asm-x86_64/compat.h \
-    $kernelBuild/include/asm/compat.h;
-  do
-    if [ -e $src_file ];
-    then
-      break
-    fi
-  done
-  if [ ! -e $src_file ];
-    then
-    echo "Warning: x86 compat.h not found in kernel headers"
-    echo "neither arch/x86/include/asm/compat.h nor include/asm-x86_64/compat.h"
-    echo "could be found in $kernelBuild or $linuxsources"
-    echo ""
-  else
-    if [ `cat $src_file | grep -c arch_compat_alloc_user_space` -gt 0 ]
-    then
-      COMPAT_ALLOC_USER_SPACE=arch_compat_alloc_user_space
-    fi
-    echo "file $src_file says: COMPAT_ALLOC_USER_SPACE=$COMPAT_ALLOC_USER_SPACE"
-  fi
-
-  # make.sh contains some code figuring out whether to use these or not..
-  PAGE_ATTR_FIX=0
-  setSMP
-  setModVersions
-  CC=gcc
-  MODULE=fglrx
-  LIBIP_PREFIX=$TMP/arch/$arch/lib/modules/fglrx/build_mod
-  [ -d $LIBIP_PREFIX ]
-  GCC_MAJOR="`gcc --version | grep -o -e ") ." | head -1 | cut -d " " -f 2`"
-
-  { # build .ko module
-    cd ./common/lib/modules/fglrx/build_mod/2.6.x
-    echo .lib${MODULE}_ip.a.GCC${GCC_MAJOR}.cmd
-    echo 'This is a dummy file created to suppress this warning: could not find /lib/modules/fglrx/build_mod/2.6.x/.libfglrx_ip.a.GCC4.cmd for /lib/modules/fglrx/build_mod/2.6.x/libfglrx_ip.a.GCC4' > lib${MODULE}_ip.a.GCC${GCC_MAJOR}.cmd
-
-    sed -i -e "s@COMPAT_ALLOC_USER_SPACE@$COMPAT_ALLOC_USER_SPACE@" ../kcl_ioctl.c
-
-    make CC=${CC} \
-      LIBIP_PREFIX=$(echo "$LIBIP_PREFIX" | sed -e 's|^\([^/]\)|../\1|') \
-      MODFLAGS="-DMODULE -DATI -DFGL -DPAGE_ATTR_FIX=$PAGE_ATTR_FIX -DCOMPAT_ALLOC_USER_SPACE=$COMPAT_ALLOC_USER_SPACE $def_smp $def_modversions" \
-      KVER=$kernelVersion \
-      KDIR=$kernelBuild \
-      PAGE_ATTR_FIX=$PAGE_ATTR_FIX \
-      -j4
-
-    cd $TMP
-  }
-
-fi
-
-{ # install
-  mkdir -p $out/lib/xorg
-  cp -r common/usr/include $out
-  cp -r common/usr/sbin $out
-  cp -r common/usr/share $out
-  mkdir $out/bin/
-  cp -f common/usr/X11R6/bin/* $out/bin/
-  # cp -r arch/$arch/lib $out/lib
-  # what are those files used for?
-  cp -r common/etc $out
-  cp -r $DIR_DEPENDING_ON_XORG_VERSION/usr/X11R6/$lib_arch/* $out/lib/xorg
-
-  # install kernel module
-  if test -z "$libsOnly"; then
-    t=$out/lib/modules/${kernelVersion}/kernel/drivers/misc
-    mkdir -p $t
-
-    cp ./common/lib/modules/fglrx/build_mod/2.6.x/fglrx.ko $t
-  fi
-
-  # should this be installed at all?
-  # its used by the example fglrx_gamma only
-  # don't use $out/lib/modules/dri because this will cause the kernel module
-  # aggregator code to see both: kernel version and the dri direcotry. It'll
-  # fail saying different kernel versions
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/modules/dri $out/lib
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/modules/dri/* $out/lib
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/*.so* $out/lib
-  cp -r $TMP/arch/$arch/usr/X11R6/$lib_arch/fglrx/fglrx-libGL.so.1.2 $out/lib/fglrx-libGL.so.1.2
-  cp -r $TMP/arch/$arch/usr/$lib_arch/* $out/lib
-  ln -s libatiuki.so.1.0 $out/lib/libatiuki.so.1
-  ln -s fglrx-libGL.so.1.2 $out/lib/libGL.so.1
-  ln -s fglrx-libGL.so.1.2 $out/lib/libGL.so
-  # FIXME : This file is missing or has changed versions
-  #ln -s libfglrx_gamma.so.1.0 $out/lib/libfglrx_gamma.so.1
-  # make xorg use the ati version
-  ln -s $out/lib/xorg/modules/extensions/{fglrx/fglrx-libglx.so,libglx.so}
-  # Correct some paths that are hardcoded into binary libs.
-  if [ "$arch" ==  "x86_64" ]; then
-    for lib in \
-      xorg/modules/extensions/fglrx/fglrx-libglx.so \
-      xorg/modules/glesx.so \
-      dri/fglrx_dri.so \
-      fglrx_dri.so \
-      fglrx-libGL.so.1.2
-    do
-      oldPaths="/usr/X11R6/lib/modules/dri"
-      newPaths="/run/opengl-driver/lib/dri"
-      sed -i -e "s|$oldPaths|$newPaths|" $out/lib/$lib
-    done
-  else
-    oldPaths="/usr/X11R6/lib32/modules/dri\x00/usr/lib32/dri"
-    newPaths="/run/opengl-driver-32/lib/dri\x00/dev/null/dri"
-    sed -i -e "s|$oldPaths|$newPaths|" \
-      $out/lib/xorg/modules/extensions/fglrx/fglrx-libglx.so
-
-    for lib in \
-      dri/fglrx_dri.so \
-      fglrx_dri.so \
-      xorg/modules/glesx.so
-    do
-      oldPaths="/usr/X11R6/lib32/modules/dri/"
-      newPaths="/run/opengl-driver-32/lib/dri"
-      sed -i -e "s|$oldPaths|$newPaths|" $out/lib/$lib
-    done
-
-    oldPaths="/usr/X11R6/lib32/modules/dri\x00"
-    newPaths="/run/opengl-driver-32/lib/dri"
-    sed -i -e "s|$oldPaths|$newPaths|" $out/lib/fglrx-libGL.so.1.2
-  fi
-  # libstdc++ and gcc are needed by some libs
-  for pelib1 in \
-    fglrx_dri.so \
-    dri/fglrx_dri.so
-  do
-    patchelf --remove-needed libX11.so.6 $out/lib/$pelib1
-  done
-
-  for pelib2 in \
-    libatiadlxx.so \
-    xorg/modules/glesx.so \
-    dri/fglrx_dri.so \
-    fglrx_dri.so \
-    libaticaldd.so
-  do
-    patchelf --set-rpath $glibcDir/lib/:$libStdCxx/lib/ $out/lib/$pelib2
-  done
-}
-
-if test -z "$libsOnly"; then
-
-{ # build samples
-  mkdir -p $out/bin
-  mkdir -p samples
-  cd samples
-  tar xfz ../common/usr/src/ati/fglrx_sample_source.tgz
-  eval "$patchPhaseSamples"
-
-
-  ( # build and install fgl_glxgears
-    cd fgl_glxgears;
-    gcc -DGL_ARB_texture_multisample=1 -g \
-    -I$libGL/include -I$libGLU/include \
-    -I$out/include \
-    -L$libGL/lib -L$libGLU/lib -lGL -lGLU -lX11 -lm \
-    -o $out/bin/fgl_glxgears -Wall fgl_glxgears.c
-  )
-
-  true || ( # build and install
-
-    ###
-    ## FIXME ?
-    # doesn't build  undefined reference to `FGLRX_X11SetGamma'
-    # which should be contained in -lfglrx_gamma
-    # This should create $out/lib/libfglrx_gamma.so.1.0 ? because there is
-    # a symlink named libfglrx_gamma.so.1 linking to libfglrx_gamma.so.1.0 in $out/lib/
-
-    cd programs/fglrx_gamma
-    gcc -fPIC -I${libXxf86vm.dev}/include \
-      -I${xorgproto}/include \
-      -I$out/X11R6/include \
-      -L$out/lib \
-      -Wall -lm -lfglrx_gamma -lX11 -lXext -o $out/bin/fglrx_xgamma fglrx_xgamma.c
-  )
-
-  {
-    # patch and copy statically linked qt libs used by amdcccle
-    patchelf --set-interpreter $(echo $glibcDir/lib/ld-linux*.so.2) $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 &&
-    patchelf  --set-rpath $gcc/$lib_arch/ $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 &&
-    patchelf --set-rpath $gcc/$lib_arch/:$out/share/ati/:$libXrender/lib/:$libSM/lib/:$libICE/lib/:$libfontconfig/lib/:$libfreetype/lib/ $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtGui.so.4 &&
-    mkdir -p $out/share/ati
-    cp -r $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtCore.so.4 $out/share/ati/
-    cp -r $TMP/arch/$arch/usr/share/ati/$lib_arch/libQtGui.so.4 $out/share/ati/
-    # copy binaries and wrap them:
-    BIN=$TMP/arch/$arch/usr/X11R6/bin
-    patchelf --set-rpath $gcc/$lib_arch/:$out/share/ati/:$libXinerama/lib/:$libXrandr/lib/ $TMP/arch/$arch/usr/X11R6/bin/amdcccle
-    patchelf --set-rpath $libXrender/lib/:$libXrandr/lib/ $TMP/arch/$arch/usr/X11R6/bin/aticonfig
-    patchelf --shrink-rpath $BIN/amdcccle
-    for prog in $BIN/*; do
-      cp -f $prog $out/bin &&
-      patchelf --set-interpreter $(echo $glibcDir/lib/ld-linux*.so.2) $out/bin/$(basename $prog) &&
-      wrapProgram $out/bin/$(basename $prog) --prefix LD_LIBRARY_PATH : $out/lib/:$gcc/lib/:$out/share/ati/:$libXinerama/lib/:$libXrandr/lib/:$libfontconfig/lib/:$libfreetype/lib/${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
-    done
-  }
-
-  rm -f $out/lib/fglrx/switchlibglx && rm -f $out/lib/fglrx/switchlibGL
-
-}
-
-fi
-
-for p in $extraDRIlibs; do
-  for lib in $p/lib/*.so*; do
-    ln -s $lib $out/lib/
-  done
-done
diff --git a/pkgs/os-specific/linux/ati-drivers/default.nix b/pkgs/os-specific/linux/ati-drivers/default.nix
deleted file mode 100644
index b7301837026..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/default.nix
+++ /dev/null
@@ -1,140 +0,0 @@
-{ stdenv, lib, fetchurl, kernel ? null, which
-, xorg, makeWrapper, glibc, patchelf, unzip
-, fontconfig, freetype, libGLU, libGL # for fgl_glxgears
-, # Whether to build the libraries only (i.e. not the kernel module or
-  # driver utils). Used to support 32-bit binaries on 64-bit
-  # Linux.
-  libsOnly ? false
-}:
-
-assert (!libsOnly) -> kernel != null;
-
-with lib;
-
-# This derivation requires a maximum of gcc49, Linux kernel 4.1 and xorg.xserver 1.17
-# and will not build or run using versions newer
-
-# If you want to use a different Xorg version probably
-# DIR_DEPENDING_ON_XORG_VERSION in builder.sh has to be adopted (?)
-# make sure libglx.so of ati is used. xorg.xorgserver does provide it as well
-# which is a problem because it doesn't contain the xorgserver patch supporting
-# the XORG_DRI_DRIVER_PATH env var.
-# See https://marc.info/?l=nix-dev&m=139641585515351 for a
-# workaround (TODO)
-
-# The gentoo ebuild contains much more "magic" and is usually a great resource to
-# find patches XD
-
-# http://wiki.cchtml.com/index.php/Main_Page
-
-# /usr/lib/dri/fglrx_dri.so must point to /run/opengl-driver/lib/fglrx_dri.so
-# This is done in the builder script.
-
-stdenv.mkDerivation rec {
-
-  version = "15.12";
-  pname = "ati-drivers";
-  build = "15.302";
-
-  linuxonly =
-    if stdenv.hostPlatform.system == "i686-linux" then
-      true
-    else if stdenv.hostPlatform.system == "x86_64-linux" then
-      true
-    else throw "ati-drivers are Linux only. Sorry. The build was stopped.";
-
-  name = pname + "-" + version + (optionalString (!libsOnly) "-${kernelDir.version}");
-
-  builder = ./builder.sh;
-  gcc = stdenv.cc.cc;
-  libXinerama = xorg.libXinerama;
-  libXrandr = xorg.libXrandr;
-  libXrender = xorg.libXrender;
-  libXxf86vm = xorg.libXxf86vm;
-  xorgproto = xorg.xorgproto;
-  libSM = xorg.libSM;
-  libICE = xorg.libICE;
-  libfreetype = freetype;
-  libfontconfig = fontconfig;
-  libStdCxx = stdenv.cc.cc.lib;
-
-  src = fetchurl {
-    url =
-    "https://www2.ati.com/drivers/linux/radeon-crimson-15.12-15.302-151217a-297685e.zip";
-    sha256 = "704f2dfc14681f76dae3b4120c87b1ded33cf43d5a1d800b6de5ca292bb61e58";
-    curlOpts = "--referer https://www.amd.com/en/support";
-  };
-
-  hardeningDisable = [ "pic" "format" ];
-
-  patchPhaseSamples = "patch -p2 < ${./patches/patch-samples.patch}";
-  patches = [
-    ./patches/15.12-xstate-fp.patch
-    ./patches/15.9-kcl_str.patch
-    ./patches/15.9-mtrr.patch
-    ./patches/15.9-preempt.patch
-    ./patches/15.9-sep_printf.patch ]
-  ++ optionals ( kernel != null &&
-                 (lib.versionAtLeast kernel.version "4.6") )
-               [ ./patches/kernel-4.6-get_user_pages.patch
-                 ./patches/kernel-4.6-page_cache_release-put_page.patch ]
-  ++ optionals ( kernel != null &&
-                 (lib.versionAtLeast kernel.version "4.7") )
-               [ ./patches/4.7-arch-cpu_has_pge-v2.patch ]
-  ++ optionals ( kernel != null &&
-                 (lib.versionAtLeast kernel.version "4.9") )
-               [ ./patches/4.9-get_user_pages.patch ];
-
-  buildInputs =
-    [ xorg.libXrender xorg.libXext xorg.libX11 xorg.libXinerama xorg.libSM
-      xorg.libXrandr xorg.libXxf86vm xorg.xorgproto xorg.imake xorg.libICE
-      patchelf
-      unzip
-      libGLU libGL
-      fontconfig
-      freetype
-      makeWrapper
-      which
-    ];
-
-  inherit libsOnly;
-
-  kernelDir = if libsOnly then null else kernel.dev;
-
-  # glibc only used for setting the binaries interpreter
-  glibcDir = glibc.out;
-
-  # outputs TODO: probably many fixes are needed;
-  LD_LIBRARY_PATH = makeLibraryPath
-    [ xorg.libXrender xorg.libXext xorg.libX11 xorg.libXinerama xorg.libSM
-      xorg.libXrandr xorg.libXxf86vm xorg.xorgproto xorg.imake xorg.libICE
-      libGLU libGL
-      fontconfig
-      freetype
-      stdenv.cc.cc
-    ];
-
-  # without this some applications like blender don't start, but they start
-  # with nvidia. This causes them to be symlinked to $out/lib so that they
-  # appear in /run/opengl-driver/lib which get's added to LD_LIBRARY_PATH
-
-  extraDRIlibs = [ xorg.libXrandr.out xorg.libXrender.out xorg.libXext.out
-                   xorg.libX11.out xorg.libXinerama.out xorg.libSM.out
-                   xorg.libICE.out ];
-
-  inherit libGLU libGL; # only required to build the examples
-
-  enableParallelBuilding = true;
-
-  meta = with lib; {
-    description = "ATI Catalyst display drivers";
-    homepage = "http://support.amd.com/us/gpudownload/Pages/index.aspx";
-    license = licenses.unfree;
-    maintainers = with maintainers; [ marcweber offline jerith666 ];
-    platforms = platforms.linux;
-    hydraPlatforms = [];
-    # Copied from the nvidia default.nix to prevent a store collision.
-    priority = 4;
-  };
-
-}
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch
deleted file mode 100644
index 22e43fc0c7b..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.12-xstate-fp.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Krzysztof Kolasa <kkolasa@winsoft.pl>
-Date: Thu, 26 Nov 2015 14:28:46 +0100
-Subject: [PATCH] Patch for kernel 4.4.0-rc2
-
-constant change of name XSTATE_XP to name XFEATURE_MASK_FP
----
- firegl_public.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index 3626c7b..f071d42 100644
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod//firegl_public.c
-@@ -6463,7 +6463,11 @@ static int KCL_fpu_save_init(struct task_struct *tsk)
-       if (!(fpu->state->xsave.xsave_hdr.xstate_bv & XSTATE_FP))
- #else
- 	  copy_xregs_to_kernel(&fpu->state.xsave);
--      if (!(fpu->state.xsave.header.xfeatures & XSTATE_FP))
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
-+      if (!(fpu->state.xsave.header.xfeatures & XFEATURE_MASK_FP))
-+#else
-+      if (!(fpu->state.xsave.header.xfeatures & XSTATE_FP))
-+#endif
- #endif
-          return 1;
-    } else if (static_cpu_has(X86_FEATURE_FXSR)) {
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch
deleted file mode 100644
index 20c3bc8a169..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-kcl_str.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/kcl_str.c	2015-09-13 13:47:30.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/kcl_str.c	2015-09-13 13:49:42.000000000 -0400
-@@ -169,7 +169,11 @@ int ATI_API_CALL KCL_STR_Strnicmp(const
-                                   const char* s2,
-                                   KCL_TYPE_SizeSigned count)
- {
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,0,0)
-     return strnicmp(s1, s2, count);
-+#else
-+    return strncasecmp(s1, s2, count);
-+#endif
- }
- 
- /** \brief Locate character in string
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch
deleted file mode 100644
index bdf70b4ccdc..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-mtrr.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-19 23:43:22.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-19 23:52:07.000000000 -0400
-@@ -3442,7 +3442,11 @@ int ATI_API_CALL KCL_MEM_MTRR_Support(vo
- int ATI_API_CALL KCL_MEM_MTRR_AddRegionWc(unsigned long base, unsigned long size)
- {
- #ifdef CONFIG_MTRR
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,3,0)
-+    return arch_phys_wc_add(base, size);
-+#else
-     return mtrr_add(base, size, MTRR_TYPE_WRCOMB, 1);
-+#endif
- #else /* !CONFIG_MTRR */
-     return -EPERM;
- #endif /* !CONFIG_MTRR */
-@@ -3451,7 +3455,12 @@ int ATI_API_CALL KCL_MEM_MTRR_AddRegionW
- int ATI_API_CALL KCL_MEM_MTRR_DeleteRegion(int reg, unsigned long base, unsigned long size)
- {
- #ifdef CONFIG_MTRR
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,3,0)
-+    arch_phys_wc_del(reg);
-+    return reg;
-+#else
-     return mtrr_del(reg, base, size);
-+#endif
- #else /* !CONFIG_MTRR */
-     return -EPERM;
- #endif /* !CONFIG_MTRR */
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch
deleted file mode 100644
index c6598835133..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-preempt.patch
+++ /dev/null
@@ -1,103 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-08-30 17:36:02.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-08-30 17:39:36.000000000 -0400
-@@ -21,6 +21,8 @@
- !!! since it requires changes to linux/init/main.c.
- #endif /* !MODULE */
- 
-+#include <linux/preempt.h>
-+
- // ============================================================
- #include <linux/version.h>
- 
-@@ -4997,7 +4999,9 @@ static unsigned int kas_spin_unlock(kas_
- unsigned long ATI_API_CALL KAS_GetExecutionLevel(void)
- {
-     unsigned long ret;
-+    preempt_disable();
-     ret = kas_GetExecutionLevel();
-+    preempt_enable();
-     return ret;
- }
- 
-@@ -5022,8 +5026,10 @@ unsigned int ATI_API_CALL KAS_Ih_Execute
-     KCL_DEBUG5(FN_FIREGL_KAS,"0x%08X, 0x%08X\n", ih_routine, ih_context);
- 
-     //Prevent simultaneous entry on some SMP systems.
-+    preempt_disable();
-     if (test_and_set_bit(0, (void *)&(kasContext.in_interrupts[smp_processor_id()])))
-     {
-+    	preempt_enable();
-         KCL_DEBUG1(FN_FIREGL_KAS, "The processor is handling the interrupt\n");
-         return IRQ_NONE;
-     }
-@@ -5036,9 +5042,9 @@ unsigned int ATI_API_CALL KAS_Ih_Execute
- 
-     kasSetExecutionLevel(orig_level);
-     spin_unlock(&kasContext.lock_ih); 
--
-     clear_bit(0, (void *)&(kasContext.in_interrupts[smp_processor_id()]));
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d\n", ret);
-+    preempt_enable();
- 
-     return ret;
- }
-@@ -5256,6 +5262,7 @@ unsigned int ATI_API_CALL KAS_Spinlock_A
- 
-     KCL_DEBUG5(FN_FIREGL_KAS,"0x%08X\n", hSpinLock);
- 
-+    preempt_disable();
-     spin_lock_info.routine_type = spinlock_obj->routine_type;
-     spin_lock_info.plock = &(spinlock_obj->lock);
- 
-@@ -5263,6 +5270,7 @@ unsigned int ATI_API_CALL KAS_Spinlock_A
- 
-     spinlock_obj->acquire_type = spin_lock_info.acquire_type;
-     spinlock_obj->flags = spin_lock_info.flags;
-+    preempt_enable();
- 
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d\n", ret);
-     return ret;
-@@ -6034,6 +6042,8 @@ unsigned int ATI_API_CALL KAS_Interlocke
- 
-     KCL_DEBUG5(FN_FIREGL_KAS,"0x%08X, 0x%08X, 0x%08X\n", hListHead, hListEntry, phPrevEntry);
- 
-+    preempt_disable();
-+
-     /* Protect the operation with spinlock */
-     spin_lock_info.routine_type = listhead_obj->routine_type;
-     spin_lock_info.plock = &(listhead_obj->lock);
-@@ -6041,6 +6051,7 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     if (!kas_spin_lock(&spin_lock_info))
-     {
-         KCL_DEBUG_ERROR("Unable to grab list spinlock\n");
-+	preempt_enable();
-         return 0; /* No spinlock - no operation */
-     }
- 
-@@ -6065,6 +6076,7 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     spin_unlock_info.flags = spin_lock_info.flags;
- 
-     ret = kas_spin_unlock(&spin_unlock_info);
-+    preempt_enable();
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d", ret);
-     return ret;
- }
-@@ -6153,8 +6165,10 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     spin_lock_info.routine_type = listhead_obj->routine_type;
-     spin_lock_info.plock = &(listhead_obj->lock);
- 
-+    preempt_disable();
-     if (!kas_spin_lock(&spin_lock_info))
-     {
-+        preempt_enable();
-         KCL_DEBUG_ERROR("Unable to grab list spinlock");
-         return 0; /* No spinlock - no operation */
-     }
-@@ -6178,6 +6192,7 @@ unsigned int ATI_API_CALL KAS_Interlocke
-     spin_unlock_info.flags = spin_lock_info.flags;
- 
-     ret = kas_spin_unlock(&spin_unlock_info);
-+    preempt_enable();
-     KCL_DEBUG5(FN_FIREGL_KAS,"%d", ret);
-     return ret;
- }
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch b/pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch
deleted file mode 100644
index 3e4e8d6499a..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/15.9-sep_printf.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-14 15:14:36.000000000 -0400
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-09-14 16:18:58.000000000 -0400
-@@ -649,6 +649,8 @@ static int firegl_major_proc_read(struct
-     *eof = 1;
- 
-     len = snprintf(buf, request, "%d\n", major);
-+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,3,0)
-+    seq_printf(m, "%d\n", major);
- #else
-     len = seq_printf(m, "%d\n", major);
- #endif
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch b/pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch
deleted file mode 100644
index cb86f5aff27..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/4.7-arch-cpu_has_pge-v2.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-diff -uNr 16.8/common/lib/modules/fglrx/build_mod/firegl_public.c 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.c
---- 16.8/common/lib/modules/fglrx/build_mod/firegl_public.c	2015-12-18 19:47:41.000000000 +0100
-+++ 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.c	2016-08-15 15:09:37.228538907 +0200
-@@ -4518,7 +4518,11 @@
-     write_cr0(cr0);
-     wbinvd();
- 
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         cr4 = READ_CR4();
-         WRITE_CR4(cr4 & ~X86_CR4_PGE);
-@@ -4532,7 +4536,11 @@
-     wbinvd();
-     __flush_tlb();
-     write_cr0(cr0 & 0xbfffffff);
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         WRITE_CR4(cr4);
-     }
-@@ -4559,7 +4567,11 @@
-     write_cr0(cr0);
-     wbinvd();
- 
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         cr4 = READ_CR4();
-         WRITE_CR4(cr4 & ~X86_CR4_PGE);
-@@ -4572,7 +4584,11 @@
-     wbinvd();
-     __flush_tlb();
-     write_cr0(cr0 & 0xbfffffff);
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+    if (boot_cpu_has(X86_FEATURE_PGE))
-+#else
-     if (cpu_has_pge)
-+#endif
-     {
-         WRITE_CR4(cr4);
-     }
-diff -uNr 16.8/common/lib/modules/fglrx/build_mod/firegl_public.h 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.h
---- 16.8/common/lib/modules/fglrx/build_mod/firegl_public.h	2015-12-18 19:47:41.000000000 +0100
-+++ 16.8b/common/lib/modules/fglrx/build_mod/firegl_public.h	2016-08-15 15:09:05.815141238 +0200
-@@ -650,9 +650,15 @@
- #define cpu_has_pat  test_bit(X86_FEATURE_PAT, (void *) &boot_cpu_data.x86_capability)
- #endif
- 
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,7,0)
-+#ifndef boot_cpu_has(X86_FEATURE_PGE)
-+#define boot_cpu_has(X86_FEATURE_PGE) test_bit(X86_FEATURE_PGE, &boot_cpu_data.x86_capability)
-+#endif
-+#else
- #ifndef cpu_has_pge
- #define cpu_has_pge test_bit(X86_FEATURE_PGE, &boot_cpu_data.x86_capability)
- #endif
-+#endif
- 
- /* 2.6.29 defines pgprot_writecombine as a macro which resolves to a
-  * GPL-only function with the same name. So we always use our own
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch b/pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch
deleted file mode 100644
index 8a6c42cdb1f..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/4.9-get_user_pages.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit b3e4353fc68a6a024dcb95e2d61aa0afd7370233
-Author: Matt McHenry <matt@mchenryfamily.org>
-Date:   Fri Feb 3 20:19:41 2017
-
-    patch for 4.9 only
-
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index 4ce095f..3b591e1 100755
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c
-@@ -3224,7 +3224,7 @@ int ATI_API_CALL KCL_LockUserPages(unsigned long vaddr, unsigned long* page_list
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(vaddr, page_cnt, 1, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 1, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
-@@ -3242,7 +3242,7 @@ int ATI_API_CALL KCL_LockReadOnlyUserPages(unsigned long vaddr, unsigned long* p
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(vaddr, page_cnt, 0, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 0, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch b/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch
deleted file mode 100644
index 1e7209ed5ed..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-get_user_pages.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index 9c70211..b2242af 100755
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c
-@@ -3220,7 +3220,7 @@ int ATI_API_CALL KCL_LockUserPages(unsigned long vaddr, unsigned long* page_list
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(current, current->mm, vaddr, page_cnt, 1, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 1, 0, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
-@@ -3238,7 +3238,7 @@ int ATI_API_CALL KCL_LockReadOnlyUserPages(unsigned long vaddr, unsigned long* p
-     int ret;
- 
-     down_read(&current->mm->mmap_sem);
--    ret = get_user_pages(current, current->mm, vaddr, page_cnt, 0, 0, (struct page **)page_list, NULL);
-+    ret = get_user_pages(vaddr, page_cnt, 0, 0, (struct page **)page_list, NULL);
-     up_read(&current->mm->mmap_sem);
- 
-     return ret;
--- 
-2.9.2
-
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch b/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch
deleted file mode 100644
index 28820790e49..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/kernel-4.6-page_cache_release-put_page.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/common/lib/modules/fglrx/build_mod/firegl_public.c b/common/lib/modules/fglrx/build_mod/firegl_public.c
-index b2242af..586129c 100755
---- a/common/lib/modules/fglrx/build_mod/firegl_public.c
-+++ b/common/lib/modules/fglrx/build_mod/firegl_public.c
-@@ -3249,7 +3249,7 @@ void ATI_API_CALL KCL_UnlockUserPages(unsigned long* page_list, unsigned int pag
-     unsigned int i;
-     for (i=0; i<page_cnt; i++)
-     {
--        page_cache_release((struct page*)page_list[i]);
-+        put_page((struct page*)page_list[i]);
-     }
- }
- 
--- 
-2.9.2
-
diff --git a/pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch b/pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch
deleted file mode 100644
index 8bd24b1d022..00000000000
--- a/pkgs/os-specific/linux/ati-drivers/patches/patch-samples.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/samples/fgl_glxgears/fgl_glxgears.c b/samples/fgl_glxgears/fgl_glxgears.c
-index 6c8e313..2b8d035 100644
---- a/samples/fgl_glxgears/fgl_glxgears.c
-+++ b/samples/fgl_glxgears/fgl_glxgears.c
-@@ -1096,8 +1096,6 @@ static void event_loop(void)
-                   view_rotx -= 5.0;
-                }
-                else {
--                  r = XLookupString(&event.xkey, buffer, sizeof(buffer),
--                                    NULL, NULL);
-                   if (buffer[0] == 27) {
-                      /* escape */
-                      return;
-
-
-diff -Nur a/samples/fgl_glxgears/fgl_glxgears.c b/samples/fgl_glxgears/fgl_glxgears.c
---- a/samples/fgl_glxgears/fgl_glxgears.c	2012-08-29 09:59:03.000000000 +0300
-+++ b/samples/fgl_glxgears/fgl_glxgears.c	2013-09-07 09:26:11.034723135 +0300
-@@ -78,7 +78,6 @@
- #endif // _WIN32
- 
- #define INT_PTR ptrdiff_t
--#include <GL/glATI.h>
- 
- #ifdef _WIN32
- #include <GL/wglATI.h>
diff --git a/pkgs/os-specific/linux/atop/atop.service.patch b/pkgs/os-specific/linux/atop/atop.service.patch
new file mode 100644
index 00000000000..3ef59e60cbc
--- /dev/null
+++ b/pkgs/os-specific/linux/atop/atop.service.patch
@@ -0,0 +1,10 @@
+--- a/atop.service
++++ b/atop.service
+@@ -9,5 +9,6 @@
+ Environment=LOGPATH=/var/log/atop
+-EnvironmentFile=/etc/default/atop
++EnvironmentFile=-/etc/default/atop
+ ExecStartPre=/bin/sh -c 'test -n "$LOGINTERVAL" -a "$LOGINTERVAL" -eq "$LOGINTERVAL"'
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
++ExecStartPre=/bin/sh -c 'mkdir -p "${LOGPATH}"'
+ ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
diff --git a/pkgs/os-specific/linux/atop/atopacct.service.patch b/pkgs/os-specific/linux/atop/atopacct.service.patch
new file mode 100644
index 00000000000..9f2cd8f2e9c
--- /dev/null
+++ b/pkgs/os-specific/linux/atop/atopacct.service.patch
@@ -0,0 +1,7 @@
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -9,3 +9,3 @@
+ Type=forking
+-PIDFile=/var/run/atopacctd.pid
++PIDFile=/run/atopacctd.pid
+ ExecStart=@out@/bin/atopacctd
diff --git a/pkgs/os-specific/linux/atop/default.nix b/pkgs/os-specific/linux/atop/default.nix
index e1b64c0a4b5..b082c594acb 100644
--- a/pkgs/os-specific/linux/atop/default.nix
+++ b/pkgs/os-specific/linux/atop/default.nix
@@ -1,4 +1,14 @@
-{lib, stdenv, fetchurl, zlib, ncurses}:
+{ lib
+, stdenv
+, fetchurl
+, zlib
+, ncurses
+, findutils
+, systemd
+, python3
+# makes the package unfree via pynvml
+, withAtopgpu ? false
+}:
 
 stdenv.mkDerivation rec {
   pname = "atop";
@@ -9,31 +19,52 @@ stdenv.mkDerivation rec {
     sha256 = "nsLKOlcWkvfvqglfmaUQZDK8txzCLNbElZfvBIEFj3I=";
   };
 
-  buildInputs = [zlib ncurses];
+  nativeBuildInputs = lib.optionals withAtopgpu [ python3.pkgs.wrapPython ];
+  buildInputs = [ zlib ncurses ] ++ lib.optionals withAtopgpu [ python3 ];
+  pythonPath = lib.optionals withAtopgpu [ python3.pkgs.pynvml ];
 
   makeFlags = [
-    "SCRPATH=$out/etc/atop"
-    "LOGPATH=/var/log/atop"
-    "INIPATH=$out/etc/rc.d/init.d"
-    "SYSDPATH=$out/lib/systemd/system"
-    "CRNPATH=$out/etc/cron.d"
-    "DEFPATH=$out/etc/default"
-    "ROTPATH=$out/etc/logrotate.d"
+    "DESTDIR=$(out)"
+    "BINPATH=/bin"
+    "SBINPATH=/bin"
+    "MAN1PATH=/share/man/man1"
+    "MAN5PATH=/share/man/man5"
+    "MAN8PATH=/share/man/man8"
+    "SYSDPATH=/lib/systemd/system"
+    "PMPATHD=/lib/systemd/system-sleep"
+  ];
+
+  patches = [
+    # Fix paths in atop.service, atop-rotate.service, atopgpu.service, atopacct.service,
+    # and atop-pm.sh
+    ./fix-paths.patch
+    # Don't fail on missing /etc/default/atop, make sure /var/log/atop exists pre-start
+    ./atop.service.patch
+    # Specify PIDFile in /run, not /var/run to silence systemd warning
+    ./atopacct.service.patch
   ];
 
   preConfigure = ''
-    sed -e "s@/usr/@$out/@g" -i $(find . -type f )
-    sed -e "/mkdir.*LOGPATH/s@mkdir@echo missing dir @" -i Makefile
-    sed -e "/touch.*LOGPATH/s@touch@echo should have created @" -i Makefile
-    sed -e 's/chown/true/g' -i Makefile
-    sed -e '/chkconfig/d' -i Makefile
-    sed -e 's/chmod 04711/chmod 0711/g' -i Makefile
+    for f in *.{sh,service}; do
+      findutils=${findutils} systemd=${systemd} substituteAllInPlace "$f"
+    done
+
+    substituteInPlace Makefile --replace 'chown' 'true'
+    substituteInPlace Makefile --replace 'chmod 04711' 'chmod 0711'
   '';
 
   installTargets = [ "systemdinstall" ];
   preInstall = ''
-    mkdir -p "$out"/{bin,sbin}
+    mkdir -p $out/bin
   '';
+  postInstall = ''
+    # remove extra files we don't need
+    rm -r $out/{var,etc} $out/bin/atop{sar,}-${version}
+  '' + (if withAtopgpu then ''
+    wrapPythonPrograms
+  '' else ''
+    rm $out/lib/systemd/system/atopgpu.service $out/bin/atopgpud $out/share/man/man8/atopgpud.8
+  '');
 
   meta = with lib; {
     platforms = platforms.linux;
@@ -43,7 +74,6 @@ stdenv.mkDerivation rec {
     longDescription = ''
       Atop is an ASCII full-screen performance monitor that is capable of reporting the activity of all processes (even if processes have finished during the interval), daily logging of system and process activity for long-term analysis, highlighting overloaded system resources by using colors, etc. At regular intervals, it shows system-level activity related to the CPU, memory, swap, disks and network layers, and for every active process it shows the CPU utilization, memory growth, disk utilization, priority, username, state, and exit code.
     '';
-    inherit version;
     license = licenses.gpl2Plus;
     downloadPage = "http://atoptool.nl/downloadatop.php";
   };
diff --git a/pkgs/os-specific/linux/atop/fix-paths.patch b/pkgs/os-specific/linux/atop/fix-paths.patch
new file mode 100644
index 00000000000..e6cd631d3c1
--- /dev/null
+++ b/pkgs/os-specific/linux/atop/fix-paths.patch
@@ -0,0 +1,48 @@
+--- a/atop.service
++++ b/atop.service
+@@ -12,4 +12,4 @@
+ ExecStartPre=/bin/sh -c 'test -n "$LOGGENERATIONS" -a "$LOGGENERATIONS" -eq "$LOGGENERATIONS"'
+-ExecStart=/bin/sh -c 'exec /usr/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
+-ExecStartPost=/usr/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
++ExecStart=/bin/sh -c 'exec @out@/bin/atop ${LOGOPTS} -w "${LOGPATH}/atop_$(date +%%Y%%m%%d)" ${LOGINTERVAL}'
++ExecStartPost=@findutils@/bin/find "${LOGPATH}" -name "atop_*" -mtime +${LOGGENERATIONS} -exec rm -v {} \;
+ KillSignal=SIGUSR2
+
+--- a/atop-rotate.service
++++ b/atop-rotate.service
+@@ -4,3 +4,3 @@
+ [Service]
+ Type=oneshot
+-ExecStart=/usr/bin/systemctl try-restart atop.service
++ExecStart=@systemd@/bin/systemctl try-restart atop.service
+
+--- a/atopgpu.service
++++ b/atopgpu.service
+@@ -6,5 +6,5 @@
+
+ [Service]
+-ExecStart=/usr/sbin/atopgpud
++ExecStart=@out@/bin/atopgpud
+ Type=oneshot
+ RemainAfterExit=yes
+
+--- a/atopacct.service
++++ b/atopacct.service
+@@ -10,3 +10,3 @@
+ PIDFile=/var/run/atopacctd.pid
+-ExecStart=/usr/sbin/atopacctd
++ExecStart=@out@/bin/atopacctd
+
+--- a/atop-pm.sh
++++ b/atop-pm.sh
+@@ -2,8 +2,8 @@
+
+ case "$1" in
+-	pre)	/usr/bin/systemctl stop atop
++	pre)	@systemd@/bin/systemctl stop atop
+ 		exit 0
+ 		;;
+-	post)	/usr/bin/systemctl start atop
++	post)	@systemd@/bin/systemctl start atop
+ 		exit 0
+ 		;;
diff --git a/pkgs/os-specific/linux/audit/default.nix b/pkgs/os-specific/linux/audit/default.nix
index 7d72b0eec56..30327fb1082 100644
--- a/pkgs/os-specific/linux/audit/default.nix
+++ b/pkgs/os-specific/linux/audit/default.nix
@@ -36,7 +36,8 @@ stdenv.mkDerivation rec {
   # TODO: Remove the musl patches when
   #         https://github.com/linux-audit/audit-userspace/pull/25
   #       is available with the next release.
-  patches = lib.optional stdenv.hostPlatform.isMusl [
+  patches = [ ./patches/weak-symbols.patch ]
+  ++ lib.optional stdenv.hostPlatform.isMusl [
     (
       let patch = fetchpatch {
             url = "https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e.patch";
@@ -55,6 +56,13 @@ stdenv.mkDerivation rec {
 
   prePatch = ''
     sed -i 's,#include <sys/poll.h>,#include <poll.h>\n#include <limits.h>,' audisp/audispd.c
+  ''
+  # According to https://stackoverflow.com/questions/13089166
+  # --whole-archive linker flag is required to be sure that linker
+  # correctly chooses strong version of symbol regardless of order of
+  # object files at command line.
+  + lib.optionalString stdenv.hostPlatform.isStatic ''
+    export LDFLAGS=-Wl,--whole-archive
   '';
   meta = {
     description = "Audit Library";
diff --git a/pkgs/os-specific/linux/audit/patches/weak-symbols.patch b/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
new file mode 100644
index 00000000000..301ea9a5476
--- /dev/null
+++ b/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
@@ -0,0 +1,147 @@
+Executables in src/ directory are built from source files in src/
+and are linked to libauparse, with both src/auditd-config.c and
+auparse/auditd-config.c defining "free_config" function.
+
+It is known (although obscure) behaviour of shared libraries that
+symbol defined in binary itself overrides symbol in shared library;
+with static linkage it expectedly results in multiple definition
+error.
+
+This set of fixes explicitly marks libauparse versions of
+conflicting functions as weak to have behaviour coherent with
+dynamic linkage version -- definitions in src/ overriding definition
+in auparse/.
+
+Still, this architecture is very strange and confusing.
+
+diff -r -U5 audit-2.8.5-orig/auparse/auditd-config.c audit-2.8.5/auparse/auditd-config.c
+--- audit-2.8.5-orig/auparse/auditd-config.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/auparse/auditd-config.c	2021-01-13 11:36:12.716226498 +0000
+@@ -68,10 +68,11 @@
+ };
+ 
+ /*
+  * Set everything to its default value
+ */
++#pragma weak clear_config
+ void clear_config(struct daemon_conf *config)
+ {
+ 	config->local_events = 1;
+ 	config->qos = QOS_NON_BLOCKING;
+ 	config->sender_uid = 0;
+@@ -322,10 +323,11 @@
+ 	if (config->log_file == NULL)
+ 		return 1;
+ 	return 0;
+ }
+ 
++#pragma weak free_config
+ void free_config(struct daemon_conf *config)
+ {
+ 	free((void*)config->log_file);
+ }
+ 
+diff -r -U5 audit-2.8.5-orig/auparse/interpret.c audit-2.8.5/auparse/interpret.c
+--- audit-2.8.5-orig/auparse/interpret.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/auparse/interpret.c	2021-01-13 11:39:42.107217224 +0000
+@@ -545,10 +545,11 @@
+ 	else
+ 		snprintf(buf, size, "unknown(%d)", uid);
+ 	return buf;
+ }
+ 
++#pragma weak aulookup_destroy_uid_list
+ void aulookup_destroy_uid_list(void)
+ {
+ 	if (uid_cache_created == 0)
+ 		return;
+ 
+@@ -2810,10 +2811,11 @@
+ 
+ /*
+  * This is the main entry point for the auparse library. Call chain is:
+  * auparse_interpret_field -> nvlist_interp_cur_val -> interpret
+  */
++#pragma weak interpret
+ const char *interpret(const rnode *r, auparse_esc_t escape_mode)
+ {
+ 	const nvlist *nv = &r->nv;
+ 	int type;
+ 	idata id;
+diff -r -U5 audit-2.8.5-orig/auparse/nvlist.c audit-2.8.5/auparse/nvlist.c
+--- audit-2.8.5-orig/auparse/nvlist.c	2019-02-04 14:26:52.000000000 +0000
++++ audit-2.8.5/auparse/nvlist.c	2021-01-13 11:37:37.190222757 +0000
+@@ -27,10 +27,11 @@
+ #include "nvlist.h"
+ #include "interpret.h"
+ #include "auparse-idata.h"
+ 
+ 
++#pragma weak nvlist_create
+ void nvlist_create(nvlist *l)
+ {
+ 	l->head = NULL;
+ 	l->cur = NULL;
+ 	l->cnt = 0;
+@@ -47,17 +48,19 @@
+ 	while (node->next)
+ 		node = node->next;
+ 	l->cur = node;
+ }
+ 
++#pragma weak nvlist_next
+ nvnode *nvlist_next(nvlist *l)
+ {
+ 	if (l->cur)
+ 		l->cur = l->cur->next;
+ 	return l->cur;
+ }
+ 
++#pragma weak nvlist_append
+ void nvlist_append(nvlist *l, nvnode *node)
+ {
+ 	nvnode* newnode = malloc(sizeof(nvnode));
+ 
+ 	newnode->name = node->name;
+@@ -141,10 +144,11 @@
+ 	if (l->cur->interp_val)
+ 		return l->cur->interp_val;
+ 	return interpret(r, escape_mode);
+ }
+ 
++#pragma weak nvlist_clear
+ void nvlist_clear(nvlist* l)
+ {
+ 	nvnode* nextnode;
+ 	register nvnode* current;
+ 
+diff -r -U5 audit-2.8.5-orig/auparse/strsplit.c audit-2.8.5/auparse/strsplit.c
+--- audit-2.8.5-orig/auparse/strsplit.c	2019-03-01 21:15:30.000000000 +0000
++++ audit-2.8.5/auparse/strsplit.c	2021-01-13 11:38:04.306221556 +0000
+@@ -54,10 +54,11 @@
+ 			return NULL;
+ 		return s;
+ 	}
+ }
+ 
++#pragma weak audit_strsplit
+ char *audit_strsplit(char *s)
+ {
+ 	static char *str = NULL;
+ 	char *ptr;
+ 
+diff -r -U5 audit-2.8.5-orig/lib/strsplit.c audit-2.8.5/lib/strsplit.c
+--- audit-2.8.5-orig/lib/strsplit.c	2019-03-01 20:19:13.000000000 +0000
++++ audit-2.8.5/lib/strsplit.c	2021-01-13 11:38:29.444220443 +0000
+@@ -23,10 +23,11 @@
+ 
+ #include <string.h>
+ #include "libaudit.h"
+ #include "private.h"
+ 
++#pragma weak audit_strsplit_r
+ char *audit_strsplit_r(char *s, char **savedpp)
+ {
+ 	char *ptr;
+ 
+ 	if (s)
diff --git a/pkgs/os-specific/linux/autofs/default.nix b/pkgs/os-specific/linux/autofs/default.nix
index f7ca3f71d43..3055a91161b 100644
--- a/pkgs/os-specific/linux/autofs/default.nix
+++ b/pkgs/os-specific/linux/autofs/default.nix
@@ -1,5 +1,5 @@
 { lib, stdenv, fetchurl, flex, bison, linuxHeaders, libtirpc, mount, umount, nfs-utils, e2fsprogs
-, libxml2, kerberos, kmod, openldap, sssd, cyrus_sasl, openssl, rpcsvc-proto }:
+, libxml2, libkrb5, kmod, openldap, sssd, cyrus_sasl, openssl, rpcsvc-proto }:
 
 let
   version = "5.1.6";
@@ -36,7 +36,7 @@ in stdenv.mkDerivation {
     #make install SUBDIRS="samples" # impure!
   '';
 
-  buildInputs = [ linuxHeaders libtirpc libxml2 kerberos kmod openldap sssd
+  buildInputs = [ linuxHeaders libtirpc libxml2 libkrb5 kmod openldap sssd
                   openssl cyrus_sasl rpcsvc-proto ];
 
   nativeBuildInputs = [ flex bison ];
diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix
index b2b3dab76a8..354f4b1bff2 100644
--- a/pkgs/os-specific/linux/batman-adv/default.nix
+++ b/pkgs/os-specific/linux/batman-adv/default.nix
@@ -25,7 +25,7 @@ stdenv.mkDerivation rec {
     homepage = "https://www.open-mesh.org/projects/batman-adv/wiki/Wiki";
     description = "B.A.T.M.A.N. routing protocol in a linux kernel module for layer 2";
     license = lib.licenses.gpl2;
-    maintainers = with lib.maintainers; [ fpletz ];
+    maintainers = with lib.maintainers; [ fpletz hexa ];
     platforms = with lib.platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/batman-adv/version.nix b/pkgs/os-specific/linux/batman-adv/version.nix
index d93f8a6c46e..71c7863cfa8 100644
--- a/pkgs/os-specific/linux/batman-adv/version.nix
+++ b/pkgs/os-specific/linux/batman-adv/version.nix
@@ -1,9 +1,9 @@
 {
-  version = "2020.4";
+  version = "2021.1";
 
   sha256 = {
-    batman-adv = "1cxr0zmn9nzisawkrfk0gzd9fx0pg6261c889kz47hwp4f545v6d";
-    alfred = "1ay69nifzghpbvy11fdca5cllkn852h6rg045lci4vzgqf7b2bd2";
-    batctl = "05rrpfbpdhxn5zgdps849qls2ifis6a94cjryb60d4y1nc2n0d7w";
+    batman-adv = "1l1lk41h4chymrb41ihqrr3p80xdwhhp1kkksr157mzailyq8xxz";
+    alfred = "122y92vqrpp3g6dbjfv8hkhwjlfa3skr91lbzicr0pw8mm6wzqll";
+    batctl = "0xp1cqcw0g0irgw9yhkch01rbn39gzvfxv8b2yya32vbnkmqrcj4";
   };
 }
diff --git a/pkgs/os-specific/linux/bcc/default.nix b/pkgs/os-specific/linux/bcc/default.nix
index d994aed6d0f..221f38faa87 100644
--- a/pkgs/os-specific/linux/bcc/default.nix
+++ b/pkgs/os-specific/linux/bcc/default.nix
@@ -1,25 +1,28 @@
-{ lib, stdenv, fetchurl, fetchpatch
+{ lib, stdenv, fetchFromGitHub
 , makeWrapper, cmake, llvmPackages, kernel
 , flex, bison, elfutils, python, luajit, netperf, iperf, libelf
-, systemtap, bash
+, systemtap, bash, libbpf
 }:
 
 python.pkgs.buildPythonApplication rec {
   pname = "bcc";
-  version = "0.18.0";
+  version = "0.20.0";
 
   disabled = !stdenv.isLinux;
 
-  src = fetchurl {
-    url = "https://github.com/iovisor/bcc/releases/download/v${version}/bcc-src-with-submodule.tar.gz";
-    sha256 = "sha256-0F8tppVFu7cnuSnlgcEvbEdykxYhGJnTc04I98/yIVs=";
+  src = fetchFromGitHub {
+    owner = "iovisor";
+    repo = "bcc";
+    rev = "v${version}";
+    sha256 = "1xnpz2zv445dp5h0160drv6xlvrnwfj23ngc4dp3clcd59jh1baq";
   };
   format = "other";
 
   buildInputs = with llvmPackages; [
-    llvm clang-unwrapped kernel
+    llvm llvm.dev libclang kernel
     elfutils luajit netperf iperf
     systemtap.stapBuild flex bash
+    libbpf
   ];
 
   patches = [
@@ -29,7 +32,7 @@ python.pkgs.buildPythonApplication rec {
   ];
 
   propagatedBuildInputs = [ python.pkgs.netaddr ];
-  nativeBuildInputs = [ makeWrapper cmake flex bison ]
+  nativeBuildInputs = [ makeWrapper cmake flex bison llvmPackages.llvm.dev ]
     # libelf is incompatible with elfutils-libelf
     ++ lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
 
@@ -38,6 +41,7 @@ python.pkgs.buildPythonApplication rec {
     "-DREVISION=${version}"
     "-DENABLE_USDT=ON"
     "-DENABLE_CPP_API=ON"
+    "-DCMAKE_USE_LIBBPF_PACKAGE=ON"
   ];
 
   postPatch = ''
diff --git a/pkgs/os-specific/linux/bionic-prebuilt/default.nix b/pkgs/os-specific/linux/bionic-prebuilt/default.nix
new file mode 100644
index 00000000000..920732a2020
--- /dev/null
+++ b/pkgs/os-specific/linux/bionic-prebuilt/default.nix
@@ -0,0 +1,113 @@
+{ stdenvNoCC, lib, fetchzip, pkgs
+}:
+let
+
+  prebuilt_crt = fetchzip {
+    url =  "https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/+archive/98dce673ad97a9640c5d90bbb1c718e75c21e071/lib/gcc/aarch64-linux-android/4.9.x.tar.gz";
+    sha256 = "sha256-LLD2OJi78sNN5NulOsJZl7Ei4F1EUYItGG6eUsKWULc=";
+    stripRoot = false;
+  };
+
+  prebuilt_libs = fetchzip {
+    url = "https://android.googlesource.com/platform/prebuilts/ndk/+archive/f2c77d8ba8a7f5c2d91771e31164f29be0b8ff98/platform/platforms/android-30/arch-arm64/usr/lib.tar.gz";
+    sha256 = "sha256-TZBV7+D1QvKOCEi+VNGT5SStkgj0xRbyWoLH65zSrjw=";
+    stripRoot = false;
+  };
+
+  prebuilt_ndk_crt = fetchzip {
+    url = "https://android.googlesource.com/toolchain/prebuilts/ndk/r23/+archive/6c5fa4c0d3999b9ee932f6acbd430eb2f31f3151/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/aarch64-linux-android/30.tar.gz";
+    sha256 = "sha256-KHw+cCwAwlm+5Nwp1o8WONqdi4BBDhFaVVr+7GxQ5uE=";
+    stripRoot = false;
+  };
+
+  ndk_support_headers = fetchzip {
+    url ="https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/+archive/0e7f808fa26cce046f444c9616d9167dafbfb272/clang-r416183b/include/c++/v1/support.tar.gz";
+    sha256 = "sha256-NBv7Pk1CEaz8ns9moleEERr3x/rFmVmG33LgFSeO6fY=";
+    stripRoot = false;
+  };
+
+  kernelHeaders = pkgs.makeLinuxHeaders {
+    version = "android-common-11-5.4";
+    src = fetchzip {
+      url = "https://android.googlesource.com/kernel/common/+archive/48ffcbf0b9e7f0280bfb8c32c68da0aaf0fdfef6.tar.gz";
+      sha256 = "1y7cmlmcr5vdqydd9n785s139yc4aylc3zhqa59xsylmkaf5habk";
+      stripRoot = false;
+    };
+  };
+
+in
+stdenvNoCC.mkDerivation rec {
+  pname = "bionic-prebuilt";
+  version = "ndk-release-r23";
+
+  src = fetchzip {
+    url = "https://android.googlesource.com/platform/bionic/+archive/00e8ce1142d8823b0d2fc8a98b40119b0f1f02cd.tar.gz";
+    sha256 = "10z5mp4w0acvjvgxv7wlqa7m70hcyarmjdlfxbd9rwzf4mrsr8d1";
+    stripRoot = false;
+  };
+
+  NIX_DONT_SET_RPATH = true;
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  patches = [
+    ./ndk-version.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace libc/include/sys/cdefs.h --replace \
+      "__has_builtin(__builtin_umul_overflow)" "1"
+    substituteInPlace libc/include/bits/ioctl.h --replace \
+      "!defined(BIONIC_IOCTL_NO_SIGNEDNESS_OVERLOAD)" "0"
+  '';
+
+  installPhase= ''
+    # copy the bionic headers
+    mkdir -p $out/include/support $out/include/android
+    cp -vr libc/include/* $out/include
+    # copy the kernel headers
+    cp -vr ${kernelHeaders}/include/*  $out/include/
+
+    chmod -R +w $out/include/linux
+
+    # fix a bunch of kernel headers so that things can actually be found
+    sed -i 's,struct epoll_event {,#include <bits/epoll_event.h>\nstruct Xepoll_event {,' $out/include/linux/eventpoll.h
+    sed -i 's,struct in_addr {,typedef unsigned int in_addr_t;\nstruct in_addr {,' $out/include/linux/in.h
+    sed -i 's,struct udphdr {,struct Xudphdr {,' $out/include/linux/udp.h
+    sed -i 's,union semun {,union Xsemun {,' $out/include/linux/sem.h
+    sed -i 's,struct __kernel_sockaddr_storage,#define sockaddr_storage __kernel_sockaddr_storage\nstruct __kernel_sockaddr_storage,' $out/include/linux/socket.h
+    sed -i 's,#ifndef __UAPI_DEF_.*$,#if 1,' $out/include/linux/libc-compat.h
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imr_" "struct in_addr		imr_"
+    substituteInPlace $out/include/linux/in.h --replace "__be32		imsf_" "struct in_addr		imsf_"
+    substituteInPlace $out/include/linux/sysctl.h --replace "__unused" "_unused"
+
+    # what could possibly live in <linux/compiler.h>
+    touch $out/include/linux/compiler.h
+
+    # copy the support headers
+    cp -vr ${ndk_support_headers}* $out/include/support/
+
+    mkdir $out/lib
+    cp -v ${prebuilt_crt.out}/*.o $out/lib/
+    cp -v ${prebuilt_crt.out}/libgcc.a $out/lib/
+    cp -v ${prebuilt_ndk_crt.out}/*.o $out/lib/
+    for i in libc.so libm.so libdl.so liblog.so; do
+      cp -v ${prebuilt_libs.out}/$i $out/lib/
+    done
+
+    mkdir -p $dev/include
+    cp -v $out/include/*.h $dev/include/
+  '';
+
+  outputs = [ "out" "dev" ];
+  passthru.linuxHeaders = kernelHeaders;
+
+  meta = with lib; {
+    description = "The Android libc implementation";
+    homepage    = "https://android.googlesource.com/platform/bionic/";
+    license     = licenses.mit;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ s1341 ];
+  };
+}
diff --git a/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch b/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
new file mode 100644
index 00000000000..a6842ed479f
--- /dev/null
+++ b/pkgs/os-specific/linux/bionic-prebuilt/ndk-version.patch
@@ -0,0 +1,42 @@
+--- a/libc/include/android/ndk-version.h	2021-04-01 16:08:03.109183965 +0300
++++ b/libc/include/android/ndk-version.h	2021-04-01 16:07:19.811424641 +0300
+@@ -0,0 +1,39 @@
++#pragma once
++
++/**
++ * Set to 1 if this is an NDK, unset otherwise. See
++ * https://android.googlesource.com/platform/bionic/+/master/docs/defines.md.
++ */
++#define __ANDROID_NDK__ 1
++
++/**
++ * Major version of this NDK.
++ *
++ * For example: 16 for r16.
++ */
++#define __NDK_MAJOR__ 22
++
++/**
++ * Minor version of this NDK.
++ *
++ * For example: 0 for r16 and 1 for r16b.
++ */
++#define __NDK_MINOR__ 0
++
++/**
++ * Set to 0 if this is a release build, or 1 for beta 1,
++ * 2 for beta 2, and so on.
++ */
++#define __NDK_BETA__ 0
++
++/**
++ * Build number for this NDK.
++ *
++ * For a local development build of the NDK, this is -1.
++ */
++#define __NDK_BUILD__ 7026061
++
++/**
++ * Set to 1 if this is a canary build, 0 if not.
++ */
++#define __NDK_CANARY__ 0
diff --git a/pkgs/os-specific/linux/bluez/default.nix b/pkgs/os-specific/linux/bluez/default.nix
index 29dceecad6e..040b8fc8478 100644
--- a/pkgs/os-specific/linux/bluez/default.nix
+++ b/pkgs/os-specific/linux/bluez/default.nix
@@ -1,11 +1,13 @@
 { stdenv
 , lib
 , fetchurl
-, alsaLib
+, alsa-lib
 , dbus
+, ell
 , glib
 , json_c
 , libical
+, docutils
 , pkg-config
 , python3
 , readline
@@ -19,16 +21,17 @@
   ];
 in stdenv.mkDerivation rec {
   pname = "bluez";
-  version = "5.55";
+  version = "5.60";
 
   src = fetchurl {
     url = "mirror://kernel/linux/bluetooth/${pname}-${version}.tar.xz";
-    sha256 = "124v9s4y1s7s6klx5vlmzpk1jlr4x84ch7r7scm7x2f42dqp2qw8";
+    sha256 = "sha256-cQmZWA0B7lnsWF5efAf9lO3e3AAaom/nRkxUb52UUwQ=";
   };
 
   buildInputs = [
-    alsaLib
+    alsa-lib
     dbus
+    ell
     glib
     json_c
     libical
@@ -38,6 +41,7 @@ in stdenv.mkDerivation rec {
   ];
 
   nativeBuildInputs = [
+    docutils
     pkg-config
     python3.pkgs.wrapPython
   ];
@@ -48,6 +52,11 @@ in stdenv.mkDerivation rec {
     substituteInPlace tools/hid2hci.rules \
       --replace /sbin/udevadm ${systemd}/bin/udevadm \
       --replace "hid2hci " "$out/lib/udev/hid2hci "
+    # Disable some tests:
+    # - test-mesh-crypto depends on the following kernel settings:
+    #   CONFIG_CRYPTO_[USER|USER_API|USER_API_AEAD|USER_API_HASH|AES|CCM|AEAD|CMAC]
+    if [[ ! -f unit/test-mesh-crypto.c ]]; then echo "unit/test-mesh-crypto.c no longer exists"; false; fi
+    echo 'int main() { return 77; }' > unit/test-mesh-crypto.c
   '';
 
   configureFlags = [
@@ -55,6 +64,7 @@ in stdenv.mkDerivation rec {
     "--enable-library"
     "--enable-cups"
     "--enable-pie"
+    "--enable-external-ell"
     "--with-dbusconfdir=${placeholder "out"}/share"
     "--with-dbussystembusdir=${placeholder "out"}/share/dbus-1/system-services"
     "--with-dbussessionbusdir=${placeholder "out"}/share/dbus-1/services"
@@ -67,7 +77,6 @@ in stdenv.mkDerivation rec {
     "--enable-nfc"
     "--enable-sap"
     "--enable-sixaxis"
-    "--enable-wiimote"
   ];
 
   # Work around `make install' trying to create /var/lib/bluetooth.
diff --git a/pkgs/os-specific/linux/bolt/default.nix b/pkgs/os-specific/linux/bolt/default.nix
index d692e30a03f..d38a97387f5 100644
--- a/pkgs/os-specific/linux/bolt/default.nix
+++ b/pkgs/os-specific/linux/bolt/default.nix
@@ -20,14 +20,14 @@
 
 stdenv.mkDerivation rec {
   pname = "bolt";
-  version = "0.9";
+  version = "0.9.1";
 
   src = fetchFromGitLab {
     domain = "gitlab.freedesktop.org";
     owner = "bolt";
     repo = "bolt";
     rev = version;
-    sha256 = "sha256-lcJE+bMK2S2GObHMy/Fu12WGb3T1HrWjsNyZPz4/f4E=";
+    sha256 = "1phgp8fs0dlj74kbkqlvfniwc32daz47b3pvsxlfxqzyrp77xrfm";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/os-specific/linux/bpftool/default.nix b/pkgs/os-specific/linux/bpftool/default.nix
deleted file mode 100644
index d8c64738d82..00000000000
--- a/pkgs/os-specific/linux/bpftool/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ lib, stdenv
-, libopcodes, libbfd, libelf
-, linuxPackages_latest, zlib
-, python3
-}:
-
-stdenv.mkDerivation {
-  pname = "bpftool";
-  inherit (linuxPackages_latest.kernel) version src;
-
-  nativeBuildInputs = [ python3 ];
-  buildInputs = [ libopcodes libbfd libelf zlib ];
-
-  preConfigure = ''
-    patchShebangs scripts/bpf_helpers_doc.py
-
-    cd tools/bpf/bpftool
-    substituteInPlace ./Makefile \
-      --replace '/usr/local' "$out" \
-      --replace '/usr'       "$out" \
-      --replace '/sbin'      '/bin'
-  '';
-
-  meta = with lib; {
-    description = "Debugging/program analysis tool for the eBPF subsystem";
-    license     = [ licenses.gpl2 licenses.bsd2 ];
-    platforms   = platforms.linux;
-    maintainers = with maintainers; [ thoughtpolice ];
-  };
-}
diff --git a/pkgs/os-specific/linux/bpftools/default.nix b/pkgs/os-specific/linux/bpftools/default.nix
new file mode 100644
index 00000000000..f2ca8d87471
--- /dev/null
+++ b/pkgs/os-specific/linux/bpftools/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv
+, libopcodes, libbfd, libelf, readline
+, linuxPackages_latest, zlib
+, python3, bison, flex
+}:
+
+stdenv.mkDerivation {
+  pname = "bpftools";
+  inherit (linuxPackages_latest.kernel) version src;
+
+  nativeBuildInputs = [ python3 bison flex ];
+  buildInputs = [ libopcodes libbfd libelf zlib readline ];
+
+  preConfigure = ''
+    patchShebangs scripts/bpf_doc.py
+
+    cd tools/bpf
+    substituteInPlace ./bpftool/Makefile \
+      --replace '/usr/local' "$out" \
+      --replace '/usr'       "$out" \
+      --replace '/sbin'      '/bin'
+  '';
+
+  buildFlags = [ "bpftool" "bpf_asm" "bpf_dbg" ];
+
+  installPhase = ''
+    make -C bpftool install
+    install -Dm755 -t $out/bin bpf_asm
+    install -Dm755 -t $out/bin bpf_dbg
+  '';
+
+  meta = with lib; {
+    description = "Debugging/program analysis tools for the eBPF subsystem";
+    license     = [ licenses.gpl2 licenses.bsd2 ];
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice ];
+  };
+}
diff --git a/pkgs/os-specific/linux/bpftrace/default.nix b/pkgs/os-specific/linux/bpftrace/default.nix
index 8edd9257fed..4d2f29491fc 100644
--- a/pkgs/os-specific/linux/bpftrace/default.nix
+++ b/pkgs/os-specific/linux/bpftrace/default.nix
@@ -6,22 +6,22 @@
 
 stdenv.mkDerivation rec {
   pname = "bpftrace";
-  version = "0.11.4";
+  version = "0.13.0";
 
   src = fetchFromGitHub {
     owner  = "iovisor";
     repo   = "bpftrace";
-    rev    = "refs/tags/v${version}";
-    sha256 = "0y4qgm2cpccrsm20rnh92hqplddqsc5q5zhw9nqn2igm3h9i0z7h";
+    rev    = "v${version}";
+    sha256 = "sha256-BKWBdFzj0j7rAfG30A0fwyYCpOG/5NFRPODW46EP1u0=";
   };
 
   buildInputs = with llvmPackages;
-    [ llvm clang-unwrapped
+    [ llvm libclang
       kernel elfutils libelf bcc
       libbpf libbfd libopcodes
     ];
 
-  nativeBuildInputs = [ cmake pkg-config flex bison ]
+  nativeBuildInputs = [ cmake pkg-config flex bison llvmPackages.llvm.dev ]
     # libelf is incompatible with elfutils-libelf
     ++ lib.filter (x: x != libelf) kernel.moduleBuildDependencies;
 
diff --git a/pkgs/os-specific/linux/btfs/default.nix b/pkgs/os-specific/linux/btfs/default.nix
index dc0b13ef59b..342272f4286 100644
--- a/pkgs/os-specific/linux/btfs/default.nix
+++ b/pkgs/os-specific/linux/btfs/default.nix
@@ -3,13 +3,13 @@
 
 stdenv.mkDerivation rec {
   pname = "btfs";
-  version = "2.23";
+  version = "2.24";
 
   src = fetchFromGitHub {
     owner  = "johang";
     repo   = pname;
     rev    = "v${version}";
-    sha256 = "1cfjhyn9cjyyxyd0f08b2ra258pzkljwvkj0iwrjpd0nrbl6wkq5";
+    sha256 = "sha256-fkS0U/MqFRQNi+n7NE4e1cnNICvfST2IQ9FMoJUyj6w=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config ];
@@ -22,6 +22,6 @@ stdenv.mkDerivation rec {
     homepage    = "https://github.com/johang/btfs";
     license     = licenses.gpl3;
     maintainers = with maintainers; [ rnhmjoj ];
-    platforms   = platforms.linux;
+    platforms   = platforms.unix;
   };
 }
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index a4a7adeb8b7..4949cd7c14a 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -32,7 +32,7 @@ let
     CONFIG_FEATURE_WTMP n
   '';
 
-  # The debian version lacks behind the upstream version and also contains
+  # The debian version lags behind the upstream version and also contains
   # a debian-specific suffix. We only fetch the debian repository to get the
   # default.script
   debianVersion = "1.30.1-6";
@@ -49,14 +49,14 @@ in
 
 stdenv.mkDerivation rec {
   pname = "busybox";
-  version = "1.32.1";
+  version = "1.33.1";
 
   # Note to whoever is updating busybox: please verify that:
   # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
   # still builds after the update.
   src = fetchurl {
     url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2";
-    sha256 = "1vhd59qmrdyrr1q7rvxmyl96z192mxl089hi87yl0hcp6fyw8mwx";
+    sha256 = "0a0dcvsh7nxnhxc5y73fky0z30i9p7r30qfidm2akn0n5fywdkhj";
   };
 
   hardeningDisable = [ "format" "pie" ]
@@ -118,9 +118,11 @@ stdenv.mkDerivation rec {
     logger() { '$out'/bin/logger "$@"; }\
     ' ${debianDispatcherScript} > ${outDispatchPath}
     chmod 555 ${outDispatchPath}
-    PATH=$out/bin patchShebangs ${outDispatchPath}
+    HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath}
   '';
 
+  strictDeps = true;
+
   depsBuildBuild = [ buildPackages.stdenv.cc ];
 
   buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [ stdenv.cc.libc stdenv.cc.libc.static ];
@@ -132,7 +134,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Tiny versions of common UNIX utilities in a single small executable";
     homepage = "https://busybox.net/";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     maintainers = with maintainers; [ TethysSvensson ];
     platforms = platforms.linux;
     priority = 10;
diff --git a/pkgs/os-specific/linux/busybox/sandbox-shell.nix b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
index 036ea0a0f48..fa70e5f91d8 100644
--- a/pkgs/os-specific/linux/busybox/sandbox-shell.nix
+++ b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
@@ -1,4 +1,4 @@
-{ busybox, stdenv}:
+{ busybox}:
 
 # Minimal shell for use as basic /bin/sh in sandbox builds
 busybox.override {
@@ -8,6 +8,7 @@ busybox.override {
     CONFIG_FEATURE_FANCY_ECHO y
     CONFIG_FEATURE_SH_MATH y
     CONFIG_FEATURE_SH_MATH_64 y
+    CONFIG_FEATURE_TEST_64 y
 
     CONFIG_ASH y
     CONFIG_ASH_OPTIMIZE_FOR_SIZE y
diff --git a/pkgs/os-specific/linux/catfs/default.nix b/pkgs/os-specific/linux/catfs/default.nix
index 0ca585fab47..dbb525e0e29 100644
--- a/pkgs/os-specific/linux/catfs/default.nix
+++ b/pkgs/os-specific/linux/catfs/default.nix
@@ -15,7 +15,7 @@ rustPlatform.buildRustPackage rec {
     sha256 = "0zca0c4n2p9s5kn8c9f9lyxdf3df88a63nmhprpgflj86bh8wgf5";
   };
 
-  cargoSha256 = "0v6lxwj4vcph32np68awpncafvf1dwcik9a2asa0lkb7kmfdjsjk";
+  cargoSha256 = "1agcwq409s40kyij487wjrp8mj7942r9l2nqwks4xqlfb0bvaimf";
 
   cargoPatches = [
     # update cargo lock
diff --git a/pkgs/os-specific/linux/cifs-utils/default.nix b/pkgs/os-specific/linux/cifs-utils/default.nix
index c4ed4d4fc0f..8c587a40196 100644
--- a/pkgs/os-specific/linux/cifs-utils/default.nix
+++ b/pkgs/os-specific/linux/cifs-utils/default.nix
@@ -1,18 +1,18 @@
 { stdenv, lib, fetchurl, autoreconfHook, docutils, pkg-config
-, kerberos, keyutils, pam, talloc, python3 }:
+, libkrb5, keyutils, pam, talloc, python3 }:
 
 stdenv.mkDerivation rec {
   pname = "cifs-utils";
-  version = "6.12";
+  version = "6.13";
 
   src = fetchurl {
     url = "mirror://samba/pub/linux-cifs/cifs-utils/${pname}-${version}.tar.bz2";
-    sha256 = "1vw570pvir73kl4y6fhd6ns936ankimkhb1ii43yh8lr0p1xqbcj";
+    sha256 = "sha256-Q9h4bIYTysz6hJEwgcHWK8JAlXWFTPiVsFtIrwhj0FY=";
   };
 
   nativeBuildInputs = [ autoreconfHook docutils pkg-config ];
 
-  buildInputs = [ kerberos keyutils pam talloc python3 ];
+  buildInputs = [ libkrb5 keyutils pam talloc python3 ];
 
   configureFlags = [ "ROOTSBINDIR=$(out)/sbin" ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
     # AC_FUNC_MALLOC is broken on cross builds.
diff --git a/pkgs/os-specific/linux/compsize/default.nix b/pkgs/os-specific/linux/compsize/default.nix
index b1c6f5a8f95..9d0dbeffaee 100644
--- a/pkgs/os-specific/linux/compsize/default.nix
+++ b/pkgs/os-specific/linux/compsize/default.nix
@@ -2,29 +2,30 @@
 
 stdenv.mkDerivation rec {
   pname = "compsize";
-  version = "1.4";
+  version = "1.5";
 
   src = fetchFromGitHub {
     owner = "kilobyte";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0gk2vibfl9fh7biznlbr3dwknrwbm5q5602q95jbjvk185g9z126";
+    sha256 = "sha256-OX41ChtHX36lVRL7O2gH21Dfw6GPPEClD+yafR/PFm8=";
   };
 
   buildInputs = [ btrfs-progs ];
 
-  installPhase = ''
-    mkdir -p $out/bin
+  installFlags = [
+    "PREFIX=${placeholder "out"}"
+  ];
+
+  preInstall = ''
     mkdir -p $out/share/man/man8
-    install -m 0755 compsize $out/bin
-    install -m 0444 compsize.8 $out/share/man/man8
   '';
 
   meta = with lib; {
     description = "btrfs: Find compression type/ratio on a file or set of files";
-    homepage    = "https://github.com/kilobyte/compsize";
-    license     = licenses.gpl2;
+    homepage = "https://github.com/kilobyte/compsize";
+    license = licenses.gpl2Plus;
     maintainers = with maintainers; [ CrazedProgrammer ];
-    platforms   = platforms.linux;
+    platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/conky/default.nix b/pkgs/os-specific/linux/conky/default.nix
index 61b66c6c861..9bd8890e713 100644
--- a/pkgs/os-specific/linux/conky/default.nix
+++ b/pkgs/os-specific/linux/conky/default.nix
@@ -68,13 +68,13 @@ with lib;
 
 stdenv.mkDerivation rec {
   pname = "conky";
-  version = "1.11.6";
+  version = "1.12.2";
 
   src = fetchFromGitHub {
     owner = "brndnmtthws";
     repo = "conky";
     rev = "v${version}";
-    sha256 = "0y2g66fjqp2hdk0y1h4ijxhnv34j16gizvxpmbigwh4n6zijcm6v";
+    sha256 = "sha256-x6bR5E5LIvKWiVM15IEoUgGas/hcRp3F/O4MTOhVPb8=";
   };
 
   postPatch = ''
diff --git a/pkgs/os-specific/linux/cpufrequtils/default.nix b/pkgs/os-specific/linux/cpufrequtils/default.nix
index d099a62bc81..6f94d0f8925 100644
--- a/pkgs/os-specific/linux/cpufrequtils/default.nix
+++ b/pkgs/os-specific/linux/cpufrequtils/default.nix
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Tools to display or change the CPU governor settings";
     homepage = "http://ftp.be.debian.org/pub/linux/utils/kernel/cpufreq/cpufrequtils.html";
-    license = licenses.gpl2;
-    platforms = platforms.linux;
+    license = licenses.gpl2Only;
+    platforms = [ "x86_64-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/cpuset/default.nix b/pkgs/os-specific/linux/cpuset/default.nix
index d1a93e4247e..e82e3f5901c 100644
--- a/pkgs/os-specific/linux/cpuset/default.nix
+++ b/pkgs/os-specific/linux/cpuset/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv
+{ lib
 , fetchFromGitHub
 , fetchpatch
 , pythonPackages
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index f48ed260c76..af772645824 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -1,6 +1,6 @@
 { stdenv, lib, fetchurl, protobuf, protobufc, asciidoc, iptables
 , xmlto, docbook_xsl, libpaper, libnl, libcap, libnet, pkg-config
-, which, python3, makeWrapper, docbook_xml_dtd_45 }:
+, which, python3, makeWrapper, docbook_xml_dtd_45, perl }:
 
 stdenv.mkDerivation rec {
   pname = "criu";
@@ -12,14 +12,14 @@ stdenv.mkDerivation rec {
   };
 
   enableParallelBuilding = true;
-  nativeBuildInputs = [ pkg-config docbook_xsl which makeWrapper docbook_xml_dtd_45 python3 python3.pkgs.wrapPython ];
+  nativeBuildInputs = [ pkg-config docbook_xsl which makeWrapper docbook_xml_dtd_45 python3 python3.pkgs.wrapPython perl ];
   buildInputs = [ protobuf protobufc asciidoc xmlto libpaper libnl libcap libnet iptables ];
   propagatedBuildInputs = with python3.pkgs; [ python python3.pkgs.protobuf ];
 
   postPatch = ''
-    substituteInPlace ./Documentation/Makefile --replace "2>/dev/null" ""
-    substituteInPlace ./Documentation/Makefile --replace "-m custom.xsl" "-m custom.xsl --skip-validation -x ${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl"
-    substituteInPlace ./criu/Makefile --replace "-I/usr/include/libnl3" "-I${libnl.dev}/include/libnl3"
+    substituteInPlace ./Documentation/Makefile \
+      --replace "2>/dev/null" "" \
+      --replace "-m custom.xsl" "-m custom.xsl --skip-validation -x ${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl"
     substituteInPlace ./Makefile --replace "head-name := \$(shell git tag -l v\$(CRIU_VERSION))" "head-name = ${version}.0"
     ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto
   '';
@@ -47,7 +47,7 @@ stdenv.mkDerivation rec {
     description = "Userspace checkpoint/restore for Linux";
     homepage    = "https://criu.org";
     license     = licenses.gpl2;
-    platforms   = [ "x86_64-linux" ];
+    platforms   = [ "x86_64-linux" "aarch64-linux" ];
     maintainers = [ maintainers.thoughtpolice ];
   };
 }
diff --git a/pkgs/os-specific/linux/cryptodev/default.nix b/pkgs/os-specific/linux/cryptodev/default.nix
index bbd8d35403b..f09679ba212 100644
--- a/pkgs/os-specific/linux/cryptodev/default.nix
+++ b/pkgs/os-specific/linux/cryptodev/default.nix
@@ -1,14 +1,14 @@
 { fetchFromGitHub, lib, stdenv, kernel ? false }:
 
 stdenv.mkDerivation rec {
-  pname = "cryptodev-linux-1.11";
+  pname = "cryptodev-linux-1.12";
   name = "${pname}-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "cryptodev-linux";
     repo = "cryptodev-linux";
     rev = pname;
-    sha256 = "1ky850qiyacq8p3lng7n3w6h3x2clqrz4lkv2cv3psy92mg9pvc9";
+    sha256 = "sha256-vJQ10rG5FGbeEOqCUmH/pZ0P77kAW/MtUarywbtIyHw=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -20,6 +20,7 @@ stdenv.mkDerivation rec {
   meta = {
     description = "Device that allows access to Linux kernel cryptographic drivers";
     homepage = "http://cryptodev-linux.org/";
+    maintainers = with lib.maintainers; [ fortuneteller2k ];
     license = lib.licenses.gpl2Plus;
     platforms = lib.platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix
index d0e685cd0fa..e7304e19679 100644
--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -3,13 +3,13 @@
 
 stdenv.mkDerivation rec {
   pname = "cryptsetup";
-  version = "2.3.4";
+  version = "2.3.6";
 
   outputs = [ "out" "dev" "man" ];
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/cryptsetup/v2.3/${pname}-${version}.tar.xz";
-    sha256 = "0wrpz2fzbsszmsgxxbssxjgylpyiindh24z8g13m2fxmjsxyw5lx";
+    sha256 = "sha256-spa3oh6ldsKxgGEcyxnQauyN3a7ffHBLDGqBIQwlY18=";
   };
 
   # Disable 4 test cases that fail in a sandbox
diff --git a/pkgs/os-specific/linux/dbus-broker/default.nix b/pkgs/os-specific/linux/dbus-broker/default.nix
index bffc90260c1..b7e0a6b6158 100644
--- a/pkgs/os-specific/linux/dbus-broker/default.nix
+++ b/pkgs/os-specific/linux/dbus-broker/default.nix
@@ -3,13 +3,13 @@
 
 stdenv.mkDerivation rec {
   pname = "dbus-broker";
-  version = "22";
+  version = "29";
 
   src = fetchFromGitHub {
     owner  = "bus1";
     repo   = "dbus-broker";
     rev    = "v${version}";
-    sha256 = "0vxr73afix5wjxy8g4cckwhl242rrlazm52673iwmdyfz5nskj2x";
+    sha256 = "1abbi8c0mgdqjidlp2wnmy0a88xv173hq88sh5m966c5r1h6alkq";
     fetchSubmodules = true;
   };
 
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ dbus linuxHeaders systemd ];
 
+  mesonFlags = [ "-D=system-console-users=gdm,sddm,lightdm" ];
+
   PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "${placeholder "out"}/lib/systemd/system";
   PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "${placeholder "out"}/lib/systemd/user";
   PKG_CONFIG_SYSTEMD_CATALOGDIR = "${placeholder "out"}/lib/systemd/catalog";
diff --git a/pkgs/os-specific/linux/displaylink/default.nix b/pkgs/os-specific/linux/displaylink/default.nix
index bd50852bd9d..ca3e38c2e70 100644
--- a/pkgs/os-specific/linux/displaylink/default.nix
+++ b/pkgs/os-specific/linux/displaylink/default.nix
@@ -20,17 +20,17 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "displaylink";
-  version = "5.3.1.34";
+  version = "5.4.0-55.153";
 
   src = requireFile rec {
     name = "displaylink.zip";
-    sha256 = "1c1kbjgpb71f73qnyl44rvwi6l4ivddq789rwvvh0ahw2jm324hy";
+    sha256 = "1m2l3bnlfwfp94w7khr05npsbysg9mcyi7hi85n78xkd0xdcxml8";
     message = ''
       In order to install the DisplayLink drivers, you must first
       comply with DisplayLink's EULA and download the binaries and
       sources from here:
 
-      https://www.displaylink.com/downloads/file?id=1576
+      https://www.synaptics.com/node/3751
 
       Once you have downloaded the file, please use the following
       commands and re-run the installation:
diff --git a/pkgs/os-specific/linux/dlm/default.nix b/pkgs/os-specific/linux/dlm/default.nix
new file mode 100644
index 00000000000..3b6f4773a29
--- /dev/null
+++ b/pkgs/os-specific/linux/dlm/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromSourcehut
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "dlm";
+  version = "2020-01-07";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = "6b0e11c4f453b1a4d7a32019227539a980b7ce66";
+    sha256 = "1r3w7my0g3v2ya317qnvjx8wnagjahpj7yx72a65hf2pjbf5x42p";
+  };
+
+  cargoSha256 = "01a8k60qnx2pgxb2adgw30c2hjb60w6230khm5hyqgmp7z4rm8k8";
+
+  meta = with lib; {
+    description = "A stupid simple graphical login manager";
+    homepage = "https://git.sr.ht/~kennylevinsen/dlm";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/dmtcp/default.nix b/pkgs/os-specific/linux/dmtcp/default.nix
index 21458daf966..50124a2bf45 100644
--- a/pkgs/os-specific/linux/dmtcp/default.nix
+++ b/pkgs/os-specific/linux/dmtcp/default.nix
@@ -1,14 +1,16 @@
-{ lib, stdenv, fetchFromGitHub, bash, perl, python }:
+{ lib, stdenv, fetchFromGitHub, bash, perl, python2 }:
+
+# There are fixes for python3 compatibility on master
 
 stdenv.mkDerivation rec {
   pname = "dmtcp";
-  version = "2.6.0";
+  version = "unstable-2021-03-01";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    rev = version;
-    sha256 = "01skyhr573w1dygvkwz66lvir2jsq443fjwkysglwxvmrdfz9kwd";
+    rev = "f999adbb8e88fe452a0e57ceb43b6eed7b4409f9";
+    sha256 = "sha256-codCHQui3fGfUZSNq8GuH4ad/GjD6I/S9rX83o8oFPc=";
   };
 
   dontDisableStatic = true;
@@ -21,14 +23,14 @@ stdenv.mkDerivation rec {
     substituteInPlace configure \
       --replace '#define ELF_INTERPRETER "$interp"' \
                 "#define ELF_INTERPRETER \"$(cat $NIX_CC/nix-support/dynamic-linker)\""
-    substituteInPlace src/dmtcp_coordinator.cpp \
+    substituteInPlace src/restartscript.cpp \
       --replace /bin/bash ${stdenv.shell}
-    substituteInPlace util/gdb-add-symbol-file \
+    substituteInPlace util/dmtcp_restart_wrapper.sh \
       --replace /bin/bash ${stdenv.shell}
     substituteInPlace test/autotest.py \
       --replace /bin/bash ${bash}/bin/bash \
       --replace /usr/bin/perl ${perl}/bin/perl \
-      --replace /usr/bin/python ${python}/bin/python \
+      --replace /usr/bin/python ${python2}/bin/python \
       --replace "os.environ['USER']" "\"nixbld1\"" \
       --replace "os.getenv('USER')" "\"nixbld1\""
   '';
diff --git a/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch b/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
index 5a81dad0cc9..118e52b8e62 100644
--- a/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
+++ b/pkgs/os-specific/linux/dmtcp/ld-linux-so-buffer-size.patch
@@ -1,11 +1,13 @@
---- dmtcp-2.5.1-src/src/util_exec.cpp	2017-09-19 13:36:22.947587034 +0200
-+++ dmtcp-2.5.1-src/src/util_exec.cpp	2017-09-19 13:36:32.221313460 +0200
-@@ -178,7 +178,7 @@
- 
- static string ld_linux_so_path(int version, bool is32bitElf = false)
+diff --git a/src/util_exec.cpp b/src/util_exec.cpp
+index 0e8a13c1..0cc99c1e 100644
+--- a/src/util_exec.cpp
++++ b/src/util_exec.cpp
+@@ -300,7 +300,7 @@ Util::elfType(const char *pathname, bool *isElf, bool *is32bitElf)
+ static string
+ ld_linux_so_path(int version, bool is32bitElf = false)
  {
 -  char buf[80];
 +  char buf[128];
+ 
  #if (defined(__x86_64__) || defined(__aarch64__)) && !defined(CONFIG_M32)
    if (is32bitElf) {
-     sprintf(buf, "/lib/ld-linux.so.%d", version);
diff --git a/pkgs/os-specific/linux/dpdk-kmods/default.nix b/pkgs/os-specific/linux/dpdk-kmods/default.nix
new file mode 100644
index 00000000000..a188336cbe5
--- /dev/null
+++ b/pkgs/os-specific/linux/dpdk-kmods/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchzip, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "dpdk-kmods";
+  version = "2021-04-21";
+
+  src = fetchzip {
+    url = "http://git.dpdk.org/dpdk-kmods/snapshot/dpdk-kmods-e13d7af77a1bf98757f85c3c4083f6ee6d0d2372.tar.xz";
+    sha256 = "sha256-8ysWT3X3rIyUAo4/QbkX7cQq5iFeU18/BPsmmWugcIc=";
+  };
+
+  hardeningDisable = [ "pic" ];
+
+  KSRC = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  preBuild = "cd linux/igb_uio";
+
+  installPhase = ''
+    make -C ${KSRC} M=$(pwd) modules_install
+  '';
+
+  INSTALL_MOD_PATH = placeholder "out";
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    description = "Kernel modules for DPDK";
+    homepage = "https://git.dpdk.org/dpdk-kmods/";
+    license = licenses.gpl2Only;
+    maintainers = [ maintainers.mic92 ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/dpdk/default.nix b/pkgs/os-specific/linux/dpdk/default.nix
index ab183936895..ca8905e6240 100644
--- a/pkgs/os-specific/linux/dpdk/default.nix
+++ b/pkgs/os-specific/linux/dpdk/default.nix
@@ -4,18 +4,19 @@
 , pkg-config, meson, ninja
 , libbsd, numactl, libbpf, zlib, libelf, jansson, openssl, libpcap
 , doxygen, python3
+, withExamples ? []
 , shared ? false }:
 
 let
   mod = kernel != null;
-
+  dpdkVersion = "21.05";
 in stdenv.mkDerivation rec {
-  name = "dpdk-${version}" + lib.optionalString mod "-${kernel.version}";
-  version = "20.05";
+  pname = "dpdk";
+  version = "${dpdkVersion}" + lib.optionalString mod "-${kernel.version}";
 
   src = fetchurl {
-    url = "https://fast.dpdk.org/rel/dpdk-${version}.tar.xz";
-    sha256 = "0h0xv2zwb91b9n29afg5ihn06a8q28in64hag2f112kc19f79jj8";
+    url = "https://fast.dpdk.org/rel/dpdk-${dpdkVersion}.tar.xz";
+    sha256 = "sha256-HhJJm0xfzbV8g+X+GE6mvs3ffPCSiTwsXvLvsO7BLws=";
   };
 
   nativeBuildInputs = [
@@ -25,6 +26,7 @@ in stdenv.mkDerivation rec {
     pkg-config
     python3
     python3.pkgs.sphinx
+    python3.pkgs.pyelftools
   ];
   buildInputs = [
     jansson
@@ -42,12 +44,16 @@ in stdenv.mkDerivation rec {
   '';
 
   mesonFlags = [
+    "-Dtests=false"
     "-Denable_docs=true"
     "-Denable_kmods=${lib.boolToString mod}"
   ]
+  # kni kernel driver is currently not compatble with 5.11
+  ++ lib.optional (mod && kernel.kernelOlder "5.11") "-Ddisable_drivers=kni"
   ++ lib.optional (!shared) "-Ddefault_library=static"
   ++ lib.optional stdenv.isx86_64 "-Dmachine=nehalem"
-  ++ lib.optional mod "-Dkernel_dir=${placeholder "kmod"}/lib/modules/${kernel.modDirVersion}";
+  ++ lib.optional mod "-Dkernel_dir=${placeholder "kmod"}/lib/modules/${kernel.modDirVersion}"
+  ++ lib.optional (withExamples != []) "-Dexamples=${builtins.concatStringsSep "," withExamples}";
 
   # dpdk meson script does not support separate kernel source and installion
   # dirs (except via destdir), so we temporarily link the former into the latter.
@@ -61,15 +67,17 @@ in stdenv.mkDerivation rec {
     rm -f $kmod/lib/modules/${kernel.modDirVersion}/build
   '';
 
-  outputs = [ "out" ] ++ lib.optional mod "kmod";
+  postInstall = lib.optionalString (withExamples != []) ''
+    find examples -type f -executable -exec install {} $out/bin \;
+  '';
 
-  enableParallelBuilding = true;
+  outputs = [ "out" ] ++ lib.optional mod "kmod";
 
   meta = with lib; {
     description = "Set of libraries and drivers for fast packet processing";
     homepage = "http://dpdk.org/";
     license = with licenses; [ lgpl21 gpl2 bsd2 ];
     platforms =  platforms.linux;
-    maintainers = with maintainers; [ domenkozar magenbluten orivej ];
+    maintainers = with maintainers; [ magenbluten orivej mic92 zhaofengli ];
   };
 }
diff --git a/pkgs/os-specific/linux/dropwatch/default.nix b/pkgs/os-specific/linux/dropwatch/default.nix
index 288dea85cc8..c2701c05719 100644
--- a/pkgs/os-specific/linux/dropwatch/default.nix
+++ b/pkgs/os-specific/linux/dropwatch/default.nix
@@ -1,30 +1,47 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config
-, libnl, readline, libbfd, ncurses, zlib }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, libbfd
+, libnl
+, libpcap
+, ncurses
+, readline
+, zlib
+}:
 
 stdenv.mkDerivation rec {
   pname = "dropwatch";
-  version = "1.5.1";
+  version = "1.5.3";
 
   src = fetchFromGitHub {
     owner = "nhorman";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1qmax0l7z1qik42c949fnvjh5r6awk4gpgzdsny8iwnmwzjyp8b8";
+    sha256 = "0axx0zzrs7apqnl0r70jyvmgk7cs5wk185id479mapgngibwkyxy";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkg-config ];
-  buildInputs = [ libbfd libnl ncurses readline zlib ];
-
-  # To avoid running into https://sourceware.org/bugzilla/show_bug.cgi?id=14243 we need to define:
-  NIX_CFLAGS_COMPILE = "-DPACKAGE=${pname} -DPACKAGE_VERSION=${version}";
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+  ];
+  buildInputs = [
+    libbfd
+    libnl
+    libpcap
+    ncurses
+    readline
+    zlib
+  ];
 
   enableParallelBuilding = true;
 
   meta = with lib; {
     description = "Linux kernel dropped packet monitor";
     homepage = "https://github.com/nhorman/dropwatch";
-    license = licenses.gpl2;
+    license = licenses.gpl2Plus;
     platforms = platforms.linux;
-    maintainers = [ maintainers.c0bw3b ];
+    maintainers = with maintainers; [ c0bw3b ];
   };
 }
diff --git a/pkgs/os-specific/linux/dstat/default.nix b/pkgs/os-specific/linux/dstat/default.nix
index 76abeff42db..d79f9f4c61b 100644
--- a/pkgs/os-specific/linux/dstat/default.nix
+++ b/pkgs/os-specific/linux/dstat/default.nix
@@ -18,7 +18,7 @@ python3Packages.buildPythonApplication rec {
     ./fix_pluginpath.patch
     # this fixes another bug with python3
     (fetchpatch {
-      url = https://github.com/efexgee/dstat/commit/220a785321b13b6df92a536080aca6ef1cb644ad.patch ;
+      url = "https://github.com/efexgee/dstat/commit/220a785321b13b6df92a536080aca6ef1cb644ad.patch";
       sha256 = "08kcz3yxvl35m55y7g1pr73x3bjcqnv0qlswxqyq8cqxg9zd64cn";
     })
   ];
@@ -37,5 +37,6 @@ python3Packages.buildPythonApplication rec {
     license = licenses.gpl2;
     platforms = platforms.linux;
     maintainers = with maintainers; [ ];
+    changelog = "https://github.com/dstat-real/dstat/blob/v${version}/ChangeLog";
   };
 }
diff --git a/pkgs/os-specific/linux/ell/default.nix b/pkgs/os-specific/linux/ell/default.nix
index ced77f3fcc9..a43b9eff3c8 100644
--- a/pkgs/os-specific/linux/ell/default.nix
+++ b/pkgs/os-specific/linux/ell/default.nix
@@ -7,14 +7,14 @@
 
 stdenv.mkDerivation rec {
   pname = "ell";
-  version = "0.36";
+  version = "0.41";
 
   outputs = [ "out" "dev" ];
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/libs/${pname}/${pname}.git";
     rev = version;
-    sha256 = "0w7v2hihwwmnqd56bsmbjsiw8yyadr7zbdssjamqxx0pyl3dnrda";
+    sha256 = "sha256-UCE+PgGmbePlOoAc8jXxCX6fHr16qf1AQMKxizfSTJM=";
   };
 
   nativeBuildInputs = [
@@ -38,6 +38,6 @@ stdenv.mkDerivation rec {
     '';
     license = licenses.lgpl21Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ mic92 dtzWill ];
+    maintainers = with maintainers; [ mic92 dtzWill maxeaubrey ];
   };
 }
diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix
index dc17f7f1696..1ff0b9a154a 100644
--- a/pkgs/os-specific/linux/ena/default.nix
+++ b/pkgs/os-specific/linux/ena/default.nix
@@ -1,14 +1,14 @@
 { lib, stdenv, fetchFromGitHub, kernel }:
 
 stdenv.mkDerivation rec {
-  version = "2.3.0";
+  version = "2.5.0";
   name = "ena-${version}-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "amzn";
     repo = "amzn-drivers";
     rev = "ena_linux_${version}";
-    sha256 = "sha256-ho6yKCgYo3p50leQUCmzNO/3wqzSzs27Eash3AWBaiE=";
+    sha256 = "sha256-uOf/1624UtjaZtrk7XyQpeUGdTNVDnzZJZMgU86i+SM=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -19,23 +19,28 @@ stdenv.mkDerivation rec {
   NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
 
   configurePhase = ''
+    runHook preConfigure
     cd kernel/linux/ena
     substituteInPlace Makefile --replace '/lib/modules/$(BUILD_KERNEL)' ${kernel.dev}/lib/modules/${kernel.modDirVersion}
+    runHook postConfigure
   '';
 
   installPhase = ''
+    runHook preInstall
     strip -S ena.ko
     dest=$out/lib/modules/${kernel.modDirVersion}/misc
     mkdir -p $dest
     cp ena.ko $dest/
     xz $dest/ena.ko
+    runHook postInstall
   '';
 
   meta = with lib; {
     description = "Amazon Elastic Network Adapter (ENA) driver for Linux";
     homepage = "https://github.com/amzn/amzn-drivers";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     maintainers = [ maintainers.eelco ];
     platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.5";
   };
 }
diff --git a/pkgs/os-specific/linux/erofs-utils/default.nix b/pkgs/os-specific/linux/erofs-utils/default.nix
index e1ff63bce77..73e50c5740b 100644
--- a/pkgs/os-specific/linux/erofs-utils/default.nix
+++ b/pkgs/os-specific/linux/erofs-utils/default.nix
@@ -2,14 +2,14 @@
 
 stdenv.mkDerivation rec {
   pname = "erofs-utils";
-  version = "1.2";
+  version = "1.2.1";
   outputs = [ "out" "man" ];
 
   src = fetchgit {
     url =
       "https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git";
     rev = "v" + version;
-    sha256 = "07hvijq2hsn3gg1kb8abrfk23n83j57yx8kyv4wqgwhhvd30myjc";
+    sha256 = "1vb4mxsb59g29x7l22cffsqa8x743sra4j5zbmx89hjwpwm9vvcg";
   };
 
   buildInputs = [ autoreconfHook pkg-config fuse libuuid lz4 ];
diff --git a/pkgs/os-specific/linux/eudev/default.nix b/pkgs/os-specific/linux/eudev/default.nix
index 3d26fc3b005..c8562cc5f3c 100644
--- a/pkgs/os-specific/linux/eudev/default.nix
+++ b/pkgs/os-specific/linux/eudev/default.nix
@@ -3,10 +3,10 @@ let
   s = # Generated upstream information
   rec {
     baseName="eudev";
-    version = "3.2.9";
+    version = "3.2.10";
     name="${baseName}-${version}";
     url="http://dev.gentoo.org/~blueness/eudev/eudev-${version}.tar.gz";
-    sha256 = "1z6lfhhbjs6j7pbp6ybn17ywjsdl87ql6g1p3m2y26aa10cqcqc9";
+    sha256 = "sha256-h7sCjUcP0bhRaTSbRMVdW3M3M9wtUN3xGW4CZyXq0DQ=";
   };
 
   nativeBuildInputs = [ pkg-config ];
diff --git a/pkgs/os-specific/linux/evdi/default.nix b/pkgs/os-specific/linux/evdi/default.nix
index 0f56d0e95ca..5eb31e9422d 100644
--- a/pkgs/os-specific/linux/evdi/default.nix
+++ b/pkgs/os-specific/linux/evdi/default.nix
@@ -2,15 +2,28 @@
 
 stdenv.mkDerivation rec {
   pname = "evdi";
-  version = "v1.7.2";
+  version = "unstable-2021-06-11";
 
   src = fetchFromGitHub {
     owner = "DisplayLink";
     repo = pname;
-    rev = version;
-    sha256 = "074j0xh037n8mc4isihfz9lap57wvxaxib32pvy6jhjl3wyik632";
+    rev = "65e12fca334f2f42396f4e8d16592d53cab34dd6";
+    sha256 = "sha256-81IfdYKadKT7vRdkmxzfGo4KHa4UJ8uJ0K6djQCr22U=";
   };
 
+  # Linux 5.13 support
+  # The patches break compilation for older kernels
+  patches = lib.optional (kernel.kernelAtLeast "5.13") [
+    (fetchpatch {
+      url = "https://github.com/DisplayLink/evdi/commit/c5f5441d0a115d2cfc8125b8bafaa05b2edc7938.patch";
+      sha256 = "sha256-tWYgBrRh3mXPebhUygOvJ07V87g9JU66hREriACfEVI=";
+    })
+    (fetchpatch {
+      url = "https://github.com/DisplayLink/evdi/commit/5f04d2e2df4cfd21dc15d31f1152c6a66fa48a78.patch";
+      sha256 = "sha256-690/eUiEVWvnT/YAVgKcLo86dgolF9giWRuPxXpL+eQ=";
+    })
+  ];
+
   nativeBuildInputs = kernel.moduleBuildDependencies;
 
   buildInputs = [ kernel libdrm ];
@@ -31,8 +44,8 @@ stdenv.mkDerivation rec {
     description = "Extensible Virtual Display Interface";
     maintainers = with maintainers; [ eyjhb ];
     platforms = platforms.linux;
-    license = with licenses; [ lgpl21 gpl2 ];
+    license = with licenses; [ lgpl21Only gpl2Only ];
     homepage = "https://www.displaylink.com/";
-    broken = versionOlder kernel.version "4.9" || stdenv.isAarch64;
+    broken = kernel.kernelOlder "4.19" || stdenv.isAarch64;
   };
 }
diff --git a/pkgs/os-specific/linux/eventstat/default.nix b/pkgs/os-specific/linux/eventstat/default.nix
index 6eaa58f353a..55b00ab8719 100644
--- a/pkgs/os-specific/linux/eventstat/default.nix
+++ b/pkgs/os-specific/linux/eventstat/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   pname = "eventstat";
-  version = "0.04.11";
+  version = "0.04.12";
   src = fetchzip {
     url = "https://kernel.ubuntu.com/~cking/tarballs/eventstat/eventstat-${version}.tar.gz";
-    sha256 = "0hsi5w8dmqwwdahnqvs83bam3j1cagw1ggm06d35dfwy5xknc5i4";
+    sha256 = "sha256-XBSs/jZodCpI9BHgAF8+bE23gRCr2uebYiMJxxB8T5E=";
   };
   buildInputs = [ ncurses ];
   installFlags = [ "DESTDIR=$(out)" ];
diff --git a/pkgs/os-specific/linux/fatrace/default.nix b/pkgs/os-specific/linux/fatrace/default.nix
index a7f754a53ab..2ae8bb2dca2 100644
--- a/pkgs/os-specific/linux/fatrace/default.nix
+++ b/pkgs/os-specific/linux/fatrace/default.nix
@@ -6,13 +6,13 @@
 
 stdenv.mkDerivation rec {
   pname = "fatrace";
-  version = "0.16.1";
+  version = "0.16.3";
 
   src = fetchFromGitHub {
     owner = "martinpitt";
     repo = pname;
     rev = version;
-    sha256 = "0lxfqin2bw9235yah8ylb4p8lc3755050sjg30z3gy7bab0lfyg9";
+    sha256 = "sha256-w7leZPdmiTc+avihP203e6GLvbRzbCtNOJdF8MM2v68=";
   };
 
   buildInputs = [ python3 which ];
diff --git a/pkgs/os-specific/linux/ffado/default.nix b/pkgs/os-specific/linux/ffado/default.nix
index 25f541d7a00..e23591168f6 100644
--- a/pkgs/os-specific/linux/ffado/default.nix
+++ b/pkgs/os-specific/linux/ffado/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv
+{ lib
 , mkDerivation
 , dbus
 , dbus_cplusplus
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 6c0b5117e9d..1a9b7e34f5a 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -1,25 +1,18 @@
-{lib, stdenv, fetchurl, fetchpatch, which, xdg-dbus-proxy, nixosTests}:
-let
-  s = # Generated upstream information
-  rec {
-    baseName="firejail";
-    version="0.9.64";
-    name="${baseName}-${version}";
-    url="mirror://sourceforge/firejail/firejail/firejail-${version}.tar.xz";
-    sha256="1zgjwy2k57nx0r63fzr15gijah098ig0bll66jd615vc9q3snfz5";
-  };
-  buildInputs = [
-    which
-  ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-    name = "${s.name}.tar.bz2";
+{ lib, stdenv, fetchFromGitHub, fetchpatch, which, xdg-dbus-proxy, nixosTests }:
+
+stdenv.mkDerivation rec {
+  pname = "firejail";
+  version = "0.9.66";
+
+  src = fetchFromGitHub {
+    owner = "netblue30";
+    repo = "firejail";
+    rev = version;
+    sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
   };
 
+  buildInputs = [ which ];
+
   patches = [
     # Adds the /nix directory when using an overlay.
     # Required to run any programs under this mode.
@@ -79,12 +72,10 @@ stdenv.mkDerivation {
   passthru.tests = nixosTests.firejail;
 
   meta = {
-    inherit (s) version;
     description = "Namespace-based sandboxing tool for Linux";
-    license = lib.licenses.gpl2Plus ;
-    maintainers = [lib.maintainers.raskin];
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
     platforms = lib.platforms.linux;
     homepage = "https://firejail.wordpress.com/";
-    downloadPage = "https://sourceforge.net/projects/firejail/files/firejail/";
   };
 }
diff --git a/pkgs/os-specific/linux/firejail/default.upstream b/pkgs/os-specific/linux/firejail/default.upstream
deleted file mode 100644
index 0e6576c44a8..00000000000
--- a/pkgs/os-specific/linux/firejail/default.upstream
+++ /dev/null
@@ -1,3 +0,0 @@
-url https://sourceforge.net/projects/firejail/files/firejail/
-version_link '[-][0-9.]+[.]tar[.][a-z0-9]+/download$'
-SF_redirect
diff --git a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
index 4fd1cf7ef1a..4293f53e47d 100644
--- a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
@@ -2,12 +2,12 @@
 
 stdenvNoCC.mkDerivation rec {
   pname = "firmware-linux-nonfree";
-  version = "2020-12-18";
+  version = "2021-07-16";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
-    rev = lib.replaceStrings ["-"] [""] version;
-    sha256 = "1rb5b3fzxk5bi6kfqp76q1qszivi0v1kdz1cwj2llp5sd9ns03b5";
+    rev = "refs/tags/" + lib.replaceStrings ["-"] [""] version;
+    sha256 = "185pnaqf2qmhbcdvvldmbar09zgaxhh3h8x9bxn6079bcdpaskn6";
   };
 
   installFlags = [ "DESTDIR=$(out)" ];
@@ -17,7 +17,7 @@ stdenvNoCC.mkDerivation rec {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "1p7vn2hfwca6w69jhw5zq70w44ji8mdnibm1z959aalax6ndy146";
+  outputHash = "0g470hj2ylpviijfpjqzsndn2k8kkscj27wqwk51xlk8cr3mrahb";
 
   meta = with lib; {
     description = "Binary firmware collection packaged by kernel.org";
diff --git a/pkgs/os-specific/linux/firmware/firmware-manager/default.nix b/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
index c4649557b11..ee36ab57442 100644
--- a/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-manager/default.nix
@@ -1,18 +1,18 @@
-{ rustPlatform, lib, fetchFromGitHub, lzma, pkg-config, openssl, dbus, glib, udev, cairo, pango, atk, gdk-pixbuf, gtk3, wrapGAppsHook }:
+{ rustPlatform, lib, fetchFromGitHub, xz, pkg-config, openssl, dbus, glib, udev, cairo, pango, atk, gdk-pixbuf, gtk3, wrapGAppsHook }:
 rustPlatform.buildRustPackage rec {
   pname = "firmware-manager";
-  version = "0.1.1";
+  version = "0.1.2";
 
   src = fetchFromGitHub {
     owner = "pop-os";
     repo = pname;
     rev = version;
-    sha256 = "0x9604jsflqxvbkfp139mzjicpyx8v21139jj8bp88c14ngvmdlw";
+    sha256 = "sha256-aKatdjHa/k7j48upkR1O6PFxCUfJYE3KhhzZ9Ohe0Jc=";
   };
 
   nativeBuildInputs = [ pkg-config wrapGAppsHook ];
 
-  buildInputs = [ lzma openssl dbus glib udev cairo pango atk gdk-pixbuf gtk3 ];
+  buildInputs = [ xz openssl dbus glib udev cairo pango atk gdk-pixbuf gtk3 ];
 
   depsExtraArgs.postPatch = "make prefix='$(out)' toml-gen";
 
@@ -24,7 +24,7 @@ rustPlatform.buildRustPackage rec {
 
   installPhase = "make prefix='$(out)' install";
 
-  cargoSha256 = "0byc0pqa1w2qnfrx3psrzdq1c8qjslbmzxg872b9v6fr5d4c9cvg";
+  cargoSha256 = "sha256-BUo77ERHvuc8IkDdU3Z/gZZicNHT26IbAgEBnVM3O4U=";
 
   doCheck = false;
 
diff --git a/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch b/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
index dce4af69aa2..cd42f2f44e2 100644
--- a/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
+++ b/pkgs/os-specific/linux/firmware/fwupd/add-option-for-installation-sysconfdir.patch
@@ -1,5 +1,5 @@
 diff --git a/data/meson.build b/data/meson.build
-index 14454458..12a798c0 100644
+index 50154569..f8058a8e 100644
 --- a/data/meson.build
 +++ b/data/meson.build
 @@ -17,7 +17,7 @@ endif
@@ -73,10 +73,10 @@ index 826a3c1d..b78db663 100644
 +  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
  )
 diff --git a/meson.build b/meson.build
-index a6fb55dd..aedb7530 100644
+index b075ca89..8d504d3c 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -183,6 +183,12 @@ endif
+@@ -194,6 +194,12 @@ endif
  mandir = join_paths(prefix, get_option('mandir'))
  localedir = join_paths(prefix, get_option('localedir'))
  
@@ -90,7 +90,7 @@ index a6fb55dd..aedb7530 100644
  gio = dependency('gio-2.0', version : '>= 2.45.8')
  giounix = dependency('gio-unix-2.0', version : '>= 2.45.8', required: false)
 diff --git a/meson_options.txt b/meson_options.txt
-index 0a0e2853..198ae930 100644
+index bc76c0ab..8a67d012 100644
 --- a/meson_options.txt
 +++ b/meson_options.txt
 @@ -1,3 +1,4 @@
@@ -98,19 +98,6 @@ index 0a0e2853..198ae930 100644
  option('build', type : 'combo', choices : ['all', 'standalone', 'library'], value : 'all', description : 'build type')
  option('agent', type : 'boolean', value : true, description : 'enable the fwupd agent')
  option('consolekit', type : 'boolean', value : true, description : 'enable ConsoleKit support')
-diff --git a/plugins/ata/meson.build b/plugins/ata/meson.build
-index f32b97fe..679ccc7b 100644
---- a/plugins/ata/meson.build
-+++ b/plugins/ata/meson.build
-@@ -7,7 +7,7 @@ install_data([
- )
- 
- install_data(['ata.conf'],
--  install_dir:  join_paths(sysconfdir, 'fwupd')
-+  install_dir:  join_paths(sysconfdir_install, 'fwupd')
- )
- 
- shared_module('fu_plugin_ata',
 diff --git a/plugins/dell-esrt/meson.build b/plugins/dell-esrt/meson.build
 index ed4eee70..76dbdb1d 100644
 --- a/plugins/dell-esrt/meson.build
@@ -123,10 +110,10 @@ index ed4eee70..76dbdb1d 100644
 +  install_dir: join_paths(sysconfdir_install, 'fwupd', 'remotes.d'),
  )
 diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
-index 92762791..08bb37ea 100644
+index 205d1394..3223f404 100644
 --- a/plugins/redfish/meson.build
 +++ b/plugins/redfish/meson.build
-@@ -26,7 +26,7 @@ shared_module('fu_plugin_redfish',
+@@ -27,7 +27,7 @@ shared_module('fu_plugin_redfish',
  )
  
  install_data(['redfish.conf'],
@@ -148,14 +135,14 @@ index 6b2368fb..2bd06fed 100644
  )
  # we use functions from 2.52 in the tests
  if get_option('tests') and umockdev.found() and gio.version().version_compare('>= 2.52')
-diff --git a/plugins/uefi/meson.build b/plugins/uefi/meson.build
-index 2d1b2d22..c4217a72 100644
---- a/plugins/uefi/meson.build
-+++ b/plugins/uefi/meson.build
+diff --git a/plugins/uefi-capsule/meson.build b/plugins/uefi-capsule/meson.build
+index 0b793a07..ebd3e5ea 100644
+--- a/plugins/uefi-capsule/meson.build
++++ b/plugins/uefi-capsule/meson.build
 @@ -97,7 +97,7 @@ if get_option('man')
  endif
  
- install_data(['uefi.conf'],
+ install_data(['uefi_capsule.conf'],
 -  install_dir:  join_paths(sysconfdir, 'fwupd')
 +  install_dir:  join_paths(sysconfdir_install, 'fwupd')
  )
diff --git a/pkgs/os-specific/linux/firmware/fwupd/default.nix b/pkgs/os-specific/linux/firmware/fwupd/default.nix
index 5c40a5540dc..24e23f2b7e9 100644
--- a/pkgs/os-specific/linux/firmware/fwupd/default.nix
+++ b/pkgs/os-specific/linux/firmware/fwupd/default.nix
@@ -30,6 +30,7 @@
 , docbook-xsl-nons
 , ninja
 , gcab
+, gnutls
 , python3
 , wrapGAppsHook
 , json-glib
@@ -73,6 +74,9 @@ let
   # only redfish for x86_64
   haveRedfish = stdenv.isx86_64;
 
+  # only use msr if x86 (requires cpuid)
+  haveMSR = isx86;
+
   # # Currently broken on Aarch64
   # haveFlashrom = isx86;
   # Experimental
@@ -87,7 +91,7 @@ let
 
   self = stdenv.mkDerivation rec {
     pname = "fwupd";
-    version = "1.5.3";
+    version = "1.5.7";
 
     # libfwupd goes to lib
     # daemon, plug-ins and libfwupdplugin go to out
@@ -96,7 +100,7 @@ let
 
     src = fetchurl {
       url = "https://people.freedesktop.org/~hughsient/releases/fwupd-${version}.tar.xz";
-      sha256 = "005y5wicmm6f2v8i9m3axx7ivgj3z8mbqps4v9m71bsqmq298j86";
+      sha256 = "16isrrv6zhdgccbfnz7km5g1cnvfnip7aiidkfhf5dlnrnyb2sxh";
     };
 
     patches = [
@@ -129,6 +133,7 @@ let
       shared-mime-info
       valgrind
       gcab
+      gnutls
       docbook_xml_dtd_43
       docbook-xsl-nons
       help2man
@@ -178,6 +183,11 @@ let
       "-Defi-libdir=${gnu-efi}/lib"
       "-Defi-ldsdir=${gnu-efi}/lib"
       "-Defi-includedir=${gnu-efi}/include/efi"
+      "-Defi_sbat_distro_id=nixos"
+      "-Defi_sbat_distro_summary=NixOS"
+      "-Defi_sbat_distro_pkgname=fwupd"
+      "-Defi_sbat_distro_version=${version}"
+      "-Defi_sbat_distro_url=https://search.nixos.org/packages?channel=unstable&show=fwupd&from=0&size=50&sort=relevance&query=fwupd"
       "--localstatedir=/var"
       "--sysconfdir=/etc"
       "-Dsysconfdir_install=${placeholder "out"}/etc"
@@ -194,6 +204,8 @@ let
       "-Dplugin_redfish=false"
     ] ++ lib.optionals haveFlashrom [
       "-Dplugin_flashrom=true"
+    ] ++ lib.optionals (!haveMSR) [
+      "-Dplugin_msr=false"
     ];
 
     # TODO: wrapGAppsHook wraps efi capsule even though it is not ELF
@@ -223,6 +235,8 @@ let
         contrib/get-version.py \
         contrib/generate-version-script.py \
         meson_post_install.sh \
+        plugins/uefi-capsule/efi/generate_sbat.py \
+        plugins/uefi-capsule/efi/generate_binary.py \
         po/make-images \
         po/make-images.sh \
         po/test-deps
@@ -237,8 +251,8 @@ let
         testFw = fetchFromGitHub {
           owner = "fwupd";
           repo = "fwupd-test-firmware";
-          rev = "42b62c62dc85ecfb8e38099fe5de0625af87a722";
-          sha256 = "XUpxE003DZSeLJMtyV5UN5CNHH89/nEVKpCbMStm91Q=";
+          rev = "c13bfb26cae5f4f115dd4e08f9f00b3cb9acc25e";
+          sha256 = "US81i7mtLEe85KdWz5r+fQTk61IhqjVkzykBaBPuKL4=";
         };
       in ''
         # These files have weird licenses so they are shipped separately.
@@ -274,16 +288,14 @@ let
 
     passthru = {
       filesInstalledToEtc = [
-        "fwupd/ata.conf"
         "fwupd/daemon.conf"
-        "fwupd/redfish.conf"
         "fwupd/remotes.d/lvfs-testing.conf"
         "fwupd/remotes.d/lvfs.conf"
         "fwupd/remotes.d/vendor.conf"
         "fwupd/remotes.d/vendor-directory.conf"
         "fwupd/thunderbolt.conf"
         "fwupd/upower.conf"
-        "fwupd/uefi.conf"
+        "fwupd/uefi_capsule.conf"
         "pki/fwupd/GPG-KEY-Hughski-Limited"
         "pki/fwupd/GPG-KEY-Linux-Foundation-Firmware"
         "pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service"
@@ -293,11 +305,14 @@ let
         "pki/fwupd-metadata/LVFS-CA.pem"
       ] ++ lib.optionals haveDell [
         "fwupd/remotes.d/dell-esrt.conf"
+      ] ++ lib.optionals haveRedfish [
+        "fwupd/redfish.conf"
       ];
 
       # DisabledPlugins key in fwupd/daemon.conf
       defaultDisabledPlugins = [
         "test"
+        "test_ble"
         "invalid"
       ];
 
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix b/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
index 041694e2ec1..e6a03ef7df5 100644
--- a/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
+++ b/pkgs/os-specific/linux/firmware/raspberrypi-wireless/default.nix
@@ -2,22 +2,22 @@
 
 stdenv.mkDerivation {
   pname = "raspberrypi-wireless-firmware";
-  version = "2020-12-01";
+  version = "2021-01-28";
 
   srcs = [
     (fetchFromGitHub {
       name = "bluez-firmware";
       owner = "RPi-Distro";
       repo = "bluez-firmware";
-      rev = "1e4ee0c05bae10002124b56c0e44bb9ac6581ddc";
-      sha256 = "10n6ibr3ra71f4hlvbpy8csjlgrapawxrr6jmijn470vkcqcpq27";
+      rev = "e7fd166981ab4bb9a36c2d1500205a078a35714d";
+      sha256 = "1dkg8mzn7n4afi50ibrda2s33nw2qj52jjjdv9w560q601gms47b";
     })
     (fetchFromGitHub {
       name = "firmware-nonfree";
       owner = "RPi-Distro";
       repo = "firmware-nonfree";
-      rev = "b66ab26cebff689d0d3257f56912b9bb03c20567";
-      sha256 = "0cffgsp0w7vv7ylpymdddx0bl9dx3pl7snlh30p4rr9srmn8869f";
+      rev = "83938f78ca2d5a0ffe0c223bb96d72ccc7b71ca5";
+      sha256 = "1l4zz86y2hjyvdwjy75abyjwh3wqknd71y3vh1iw5nd0hws8ranp";
     })
   ];
 
@@ -41,7 +41,7 @@ stdenv.mkDerivation {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "17k9y499kjc4zv7ivnsfrgfibwj0ldr3sqdgia4dackbr70jfg2h";
+  outputHash = "0a54gyrq6jfxxvimaa4yjfiyfwf7wv58v0a32l74yrzyarr3ldby";
 
   meta = with lib; {
     description = "Firmware for builtin Wifi/Bluetooth devices in the Raspberry Pi 3+ and Zero W";
diff --git a/pkgs/os-specific/linux/firmware/raspberrypi/default.nix b/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
index 3561916fd6f..6a826f63966 100644
--- a/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
+++ b/pkgs/os-specific/linux/firmware/raspberrypi/default.nix
@@ -3,13 +3,13 @@
 stdenvNoCC.mkDerivation rec {
   # NOTE: this should be updated with linux_rpi
   pname = "raspberrypi-firmware";
-  version = "1.20201201";
+  version = "1.20210303";
 
   src = fetchFromGitHub {
     owner = "raspberrypi";
     repo = "firmware";
     rev = version;
-    sha256 = "09yha3k72yqx29rwnv2j2zm73lzc4jgmcbmcc6yrl1i07x84lx3n";
+    sha256 = "0pgiw93hq4gfph5dnwbi8w59g0f7yhmagwzam971k529mh5yl86m";
   };
 
   installPhase = ''
@@ -25,6 +25,6 @@ stdenvNoCC.mkDerivation rec {
     description = "Firmware for the Raspberry Pi board";
     homepage = "https://github.com/raspberrypi/firmware";
     license = licenses.unfreeRedistributableFirmware; # See https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
-    maintainers = with maintainers; [ dezgeg tavyc ];
+    maintainers = with maintainers; [ dezgeg ];
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix
deleted file mode 100644
index 673ef686e48..00000000000
--- a/pkgs/os-specific/linux/firmware/rtlwifi_new-firmware/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ stdenv, lib, linuxPackages }:
-
-with lib;
-
-stdenv.mkDerivation rec {
-  name = "rtlwifi_new-firmware-${linuxPackages.rtlwifi_new.version}";
-  inherit (linuxPackages.rtlwifi_new) src;
-
-  dontBuild = true;
-
-  installPhase = ''
-    mkdir -p "$out/lib/firmware"
-    cp -rf firmware/rtlwifi/ "$out/lib/firmware"
-  '';
-
-  meta = {
-    description = "Firmware for the newest Realtek rtlwifi codes";
-    inherit (src.meta) homepage;
-    license = licenses.unfreeRedistributableFirmware;
-    platforms = with platforms; linux;
-    maintainers = with maintainers; [ tvorog ];
-  };
-}
diff --git a/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
new file mode 100644
index 00000000000..b4e07624b6e
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/rtw88-firmware/default.nix
@@ -0,0 +1,25 @@
+{ stdenvNoCC, lib, linuxPackages }:
+
+stdenvNoCC.mkDerivation {
+  pname = "rtw88-firmware";
+  inherit (linuxPackages.rtw88) version src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/rtw88
+    cp *.bin $out/lib/firmware/rtw88
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Firmware for the newest Realtek rtlwifi codes";
+    homepage = "https://github.com/lwfinger/rtw88";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix b/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix
new file mode 100644
index 00000000000..8e71770df9c
--- /dev/null
+++ b/pkgs/os-specific/linux/firmware/rtw89-firmware/default.nix
@@ -0,0 +1,25 @@
+{ stdenvNoCC, lib, linuxPackages }:
+
+stdenvNoCC.mkDerivation {
+  pname = "rtw89-firmware";
+  inherit (linuxPackages.rtw89) version src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/firmware/rtw89
+    cp *.bin $out/lib/firmware/rtw89
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Driver for Realtek 8852AE, an 802.11ax device";
+    homepage = "https://github.com/lwfinger/rtw89";
+    license = licenses.unfreeRedistributableFirmware;
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/firmware/sof-firmware/default.nix b/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
index b474c48e341..2409d9b1aba 100644
--- a/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/sof-firmware/default.nix
@@ -1,31 +1,29 @@
 { lib, stdenv, fetchFromGitHub }:
 
-with lib;
 stdenv.mkDerivation rec {
   pname = "sof-firmware";
-  version = "1.6";
+  version = "1.7";
 
   src = fetchFromGitHub {
     owner = "thesofproject";
     repo = "sof-bin";
-    rev = "cbdec6963b2c2d58b0080955d3c11b96ff4c92f0";
-    sha256 = "0la2pw1zpv50cywiqcfb00cxqvjc73drxwjchyzi54l508817nxh";
+    rev = "v${version}";
+    sha256 = "sha256-Z0Z4HLsIIuW8E1kFNhAECmzj1HkJVfbEw13B8V7PZLk=";
   };
 
-  phases = [ "unpackPhase" "installPhase" ];
+  dontFixup = true; # binaries must not be stripped or patchelfed
 
   installPhase = ''
-    mkdir -p $out/lib/firmware
-
-    patchShebangs go.sh
-    ROOT=$out SOF_VERSION=v${version} ./go.sh
+    mkdir -p $out/lib/firmware/intel/
+    cp -a sof-v${version} $out/lib/firmware/intel/sof
+    cp -a sof-tplg-v${version} $out/lib/firmware/intel/sof-tplg
   '';
 
   meta = with lib; {
     description = "Sound Open Firmware";
     homepage = "https://www.sofproject.org/";
     license = with licenses; [ bsd3 isc ];
-    maintainers = with maintainers; [ lblasc evenbrenden ];
+    maintainers = with maintainers; [ lblasc evenbrenden hmenke ];
     platforms = with platforms; linux;
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/system76-firmware/default.nix b/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
index 84d9dd4f331..ca750d89cc5 100644
--- a/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
+++ b/pkgs/os-specific/linux/firmware/system76-firmware/default.nix
@@ -1,23 +1,23 @@
-{ rustPlatform, lib, fetchFromGitHub, lzma, pkg-config, openssl, dbus, efibootmgr, makeWrapper }:
+{ rustPlatform, lib, fetchFromGitHub, xz, pkg-config, openssl, dbus, efibootmgr, makeWrapper }:
 rustPlatform.buildRustPackage rec {
   pname = "system76-firmware";
   # Check Makefile when updating, make sure postInstall matches make install
-  version = "1.0.20";
+  version = "1.0.24";
 
   src = fetchFromGitHub {
     owner = "pop-os";
     repo = pname;
     rev = version;
-    sha256 = "0yjv3a8r01ks91gc33rdwqmw52cqqwhq9f3rvw2xv3h8cqa5hfz0";
+    sha256 = "sha256-Poe18HKEQusvN3WF4ZAV1WCvU8/3HKpHEqDsfDO62V0=";
   };
 
   nativeBuildInputs = [ pkg-config makeWrapper ];
 
-  buildInputs = [ lzma openssl dbus ];
+  buildInputs = [ xz openssl dbus ];
 
   cargoBuildFlags = [ "--workspace" ];
 
-  cargoSha256 = "1ivn3i6kpnswiipqw5s67p6gsz3y6an0ahf6vwz7dlw2xaha0xbx";
+  cargoSha256 = "sha256-gGw3zpxLxQZ3rglpDERO0fSxBOez1Q10Fljis6nyB/4=";
 
   # Purposefully don't install systemd unit file, that's for NixOS
   postInstall = ''
@@ -29,11 +29,11 @@ rustPlatform.buildRustPackage rec {
     done
   '';
 
-  meta = {
+  meta = with lib; {
     description = "Tools for managing firmware updates for system76 devices";
     homepage = "https://github.com/pop-os/system76-firmware";
-    license = lib.licenses.gpl3;
-    maintainers = [ lib.maintainers.shlevy ];
-    platforms = lib.platforms.linux;
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ shlevy ];
+    platforms = [ "i686-linux" "x86_64-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/firmware/zd1211/default.nix b/pkgs/os-specific/linux/firmware/zd1211/default.nix
index 9baa4eee621..15e53557126 100644
--- a/pkgs/os-specific/linux/firmware/zd1211/default.nix
+++ b/pkgs/os-specific/linux/firmware/zd1211/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchzip }:
+{ lib, fetchzip }:
 
 let
   pname = "zd1211-firmware";
diff --git a/pkgs/os-specific/linux/flashbench/default.nix b/pkgs/os-specific/linux/flashbench/default.nix
index 9c14fde319d..619aea69aa6 100644
--- a/pkgs/os-specific/linux/flashbench/default.nix
+++ b/pkgs/os-specific/linux/flashbench/default.nix
@@ -1,27 +1,31 @@
-{ lib, stdenv, fetchgit }:
+{ lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation {
-  pname = "flashbench";
-  version = "2012-06-06";
+  pname = "flashbench-unstable";
+  version = "2020-01-23";
 
-  src = fetchgit {
-    url = "https://github.com/bradfa/flashbench.git";
-    rev = "2e30b1968a66147412f21002ea844122a0d5e2f0";
-    sha256 = "037rhd2alwfip9qk78cy8fwwnc2kdyzccsyc7v2zpmvl4vvpvnhg";
+  src = fetchFromGitHub {
+    owner = "bradfa";
+    repo = "flashbench";
+    rev = "d783b1bd2443812c6deadc31b081f043e43e4c1a";
+    sha256 = "045j1kpay6x2ikz8x54ph862ymfy1nzpbmmqpf3nkapiv32fjqw5";
   };
 
   installPhase = ''
+    runHook preInstall
+
     install -d -m755 $out/bin $out/share/doc/flashbench
     install -v -m755 flashbench $out/bin
     install -v -m755 erase $out/bin/flashbench-erase
     install -v -m644 README $out/share/doc/flashbench
+
+    runHook postInstall
   '';
 
   meta = with lib; {
     description = "Testing tool for flash based memory devices";
     homepage = "https://github.com/bradfa/flashbench";
     platforms = platforms.linux;
-    license = licenses.gpl2;
-    maintainers = [ maintainers.rycee ];
+    license = licenses.gpl2Only;
   };
 }
diff --git a/pkgs/os-specific/linux/fscrypt/default.nix b/pkgs/os-specific/linux/fscrypt/default.nix
index db4b70037c8..7528fae6bdd 100644
--- a/pkgs/os-specific/linux/fscrypt/default.nix
+++ b/pkgs/os-specific/linux/fscrypt/default.nix
@@ -1,16 +1,16 @@
-{ lib, stdenv, buildGoModule, fetchFromGitHub, gnum4, pam, fscrypt-experimental }:
+{ lib, buildGoModule, fetchFromGitHub, gnum4, pam, fscrypt-experimental }:
 
 # Don't use this for anything important yet!
 
 buildGoModule rec {
   pname = "fscrypt";
-  version = "0.2.9";
+  version = "0.3.0";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "fscrypt";
     rev = "v${version}";
-    sha256 = "020hhdarbn3bwlc2j2g89868v8nfx8562z1a778ihpvvsa4ykr31";
+    sha256 = "1zdadi9f7wj6kgmmk9zlkpdm1lb3gfiscg9gkqqdql2si7y6g2nq";
   };
 
   postPatch = ''
diff --git a/pkgs/os-specific/linux/fscryptctl/default.nix b/pkgs/os-specific/linux/fscryptctl/default.nix
index 204ce6bf992..bd1b414f4cb 100644
--- a/pkgs/os-specific/linux/fscryptctl/default.nix
+++ b/pkgs/os-specific/linux/fscryptctl/default.nix
@@ -1,28 +1,38 @@
 { lib, stdenv, fetchFromGitHub }:
 
-# Don't use this for anything important yet!
-
 stdenv.mkDerivation rec {
-  pname = "fscryptctl-unstable";
-  version = "2017-10-23";
+  pname = "fscryptctl";
+  version = "1.0.0";
 
   goPackagePath = "github.com/google/fscrypt";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "fscryptctl";
-    rev = "142326810eb19d6794793db6d24d0775a15aa8e5";
-    sha256 = "1853hlpklisbqnkb7a921dsf0vp2nr2im26zpmrs592cnpsvk3hb";
+    rev = "v${version}";
+    sha256 = "1hwj726mm0yhlcf6523n07h0yq1rvkv4km64h3ydpjcrcxklhw6l";
   };
 
-  makeFlags = [ "DESTDIR=$(out)/bin" ];
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
   meta = with lib; {
-    description = ''
-      A low-level tool that handles raw keys and manages policies for Linux
-      filesystem encryption
+    description = "Small C tool for Linux filesystem encryption";
+    longDescription = ''
+      fscryptctl is a low-level tool written in C that handles raw keys and
+      manages policies for Linux filesystem encryption, specifically the
+      "fscrypt" kernel interface which is supported by the ext4, f2fs, and
+      UBIFS filesystems.
+      fscryptctl is mainly intended for embedded systems which can't use the
+      full-featured fscrypt tool, or for testing or experimenting with the
+      kernel interface to Linux filesystem encryption. fscryptctl does not
+      handle key generation, key stretching, key wrapping, or PAM integration.
+      Most users should use the fscrypt tool instead, which supports these
+      features and generally is much easier to use.
+      As fscryptctl is intended for advanced users, you should read the kernel
+      documentation for filesystem encryption before using fscryptctl.
     '';
     inherit (src.meta) homepage;
+    changelog = "https://github.com/google/fscryptctl/releases/tag/v{version}";
     license = licenses.asl20;
     platforms = platforms.linux;
     maintainers = with maintainers; [ primeos ];
diff --git a/pkgs/os-specific/linux/fscryptctl/legacy.nix b/pkgs/os-specific/linux/fscryptctl/legacy.nix
new file mode 100644
index 00000000000..64a409fb58b
--- /dev/null
+++ b/pkgs/os-specific/linux/fscryptctl/legacy.nix
@@ -0,0 +1,51 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+# Don't use this for anything important!
+# TODO: Drop fscryptctl-experimental after the NixOS 21.03/21.05 release.
+
+stdenv.mkDerivation rec {
+  pname = "fscryptctl";
+  version = "0.1.0";
+
+  goPackagePath = "github.com/google/fscrypt";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "fscryptctl";
+    rev = "v${version}";
+    sha256 = "1853hlpklisbqnkb7a921dsf0vp2nr2im26zpmrs592cnpsvk3hb";
+  };
+
+  makeFlags = [ "DESTDIR=$(out)/bin" ];
+
+  meta = with lib; {
+    description = "Small C tool for Linux filesystem encryption";
+    longDescription = ''
+      fscryptctl is a low-level tool written in C that handles raw keys and
+      manages policies for Linux filesystem encryption, specifically the
+      "fscrypt" kernel interface which is supported by the ext4, f2fs, and
+      UBIFS filesystems.
+      fscryptctl is mainly intended for embedded systems which can't use the
+      full-featured fscrypt tool, or for testing or experimenting with the
+      kernel interface to Linux filesystem encryption. fscryptctl does not
+      handle key generation, key stretching, key wrapping, or PAM integration.
+      Most users should use the fscrypt tool instead, which supports these
+      features and generally is much easier to use.
+      As fscryptctl is intended for advanced users, you should read the kernel
+      documentation for filesystem encryption before using fscryptctl.
+    '';
+    inherit (src.meta) homepage;
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+    knownVulnerabilities = [ ''
+      fscryptctl version 1.0.0 was released and now uses v2 encryption
+      policies. fscryptctl-experimental will remain at version 0.1.0 which
+      still supports the v1 encryption policies. Please try to switch from the
+      "fscryptctl-experimental" package to "fscryptctl". The v1 encryption
+      policies can be insecure, are hard to use correctly, and have different
+      semantics from v2 policies (which is why they are no longer supported in
+      fscryptctl 1.0.0+).
+    '' ];
+  };
+}
diff --git a/pkgs/os-specific/linux/fuse/common.nix b/pkgs/os-specific/linux/fuse/common.nix
index 053ea34c82e..5adb1b5355a 100644
--- a/pkgs/os-specific/linux/fuse/common.nix
+++ b/pkgs/os-specific/linux/fuse/common.nix
@@ -1,7 +1,7 @@
 { version, sha256Hash }:
 
 { lib, stdenv, fetchFromGitHub, fetchpatch
-, fusePackages, util-linux, gettext
+, fusePackages, util-linux, gettext, shadow
 , meson, ninja, pkg-config
 , autoreconfHook
 , python3Packages, which
@@ -54,13 +54,14 @@ in stdenv.mkDerivation rec {
     # $PATH, so it should also work on non-NixOS systems.
     export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\""
 
-    sed -e 's@/bin/@${util-linux}/bin/@g' -i lib/mount_util.c
+    substituteInPlace lib/mount_util.c --replace "/bin/" "${util-linux}/bin/"
     '' + (if isFuse3 then ''
       # The configure phase will delete these files (temporary workaround for
       # ./fuse3-install_man.patch)
       install -D -m444 doc/fusermount3.1 $out/share/man/man1/fusermount3.1
       install -D -m444 doc/mount.fuse3.8 $out/share/man/man8/mount.fuse3.8
     '' else ''
+      substituteInPlace util/mount.fuse.c --replace '"su"' '"${shadow.su}/bin/su"'
       sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
       ./makeconf.sh
     '');
@@ -81,8 +82,6 @@ in stdenv.mkDerivation rec {
     cp ${fusePackages.fuse_3.common}/etc/udev/rules.d/99-fuse.rules etc/udev/rules.d/99-fuse.rules
   '');
 
-  enableParallelBuilding = true;
-
   meta = with lib; {
     description = "Library that allows filesystems to be implemented in user space";
     longDescription = ''
@@ -96,7 +95,7 @@ in stdenv.mkDerivation rec {
     inherit (src.meta) homepage;
     changelog = "https://github.com/libfuse/libfuse/releases/tag/fuse-${version}";
     platforms = platforms.linux;
-    license = with licenses; [ gpl2 lgpl21 ];
+    license = with licenses; [ gpl2Only lgpl21Only ];
     maintainers = [ maintainers.primeos ];
   };
 }
diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix
index 0ed6f54a1dc..b060b908284 100644
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@@ -11,7 +11,7 @@ in {
   };
 
   fuse_3 = mkFuse {
-    version = "3.10.1";
-    sha256Hash = "0bb22mac8m0z6qp0s6g4r0x4aj6gc19pfyqr6sdy4hkpwxicgmaf";
+    version = "3.10.4";
+    sha256Hash = "1ml4bs4wx5dbz5xpnd5g8b9avmn7g7jvf16fbdlk0da8il0qd2rx";
   };
 }
diff --git a/pkgs/os-specific/linux/g15daemon/default.nix b/pkgs/os-specific/linux/g15daemon/default.nix
index c670fc86d13..118a17c4c8f 100644
--- a/pkgs/os-specific/linux/g15daemon/default.nix
+++ b/pkgs/os-specific/linux/g15daemon/default.nix
@@ -65,7 +65,7 @@ stdenv.mkDerivation rec {
 
   patches = let
     patch = fname: sha256: fetchurl rec {
-      url = "https://git.archlinux.org/svntogit/community.git/plain/trunk/${pname}-${version}-${fname}.patch?h=packages/${pname}";
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-community/c0b0b6d4d6d7b79eca68123b20e0c9fb82e1c6e1/g15daemon/trunk/${pname}-${version}-${fname}.patch";
       name = "${fname}.patch";
       inherit sha256;
     };
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index b5eb1ce1a50..83ac93fbf71 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -1,4 +1,4 @@
-{lib, stdenv, fetchurl, openssl, nettools, iproute, sysctl}:
+{lib, stdenv, fetchurl, openssl, nettools, iproute2, sysctl}:
 
 let baseName = "gogoclient";
     version  = "1.2";
@@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
     substituteInPlace "$out/template/linux.sh" \
       --replace "/sbin/ifconfig" "${nettools}/bin/ifconfig" \
       --replace "/sbin/route"    "${nettools}/bin/route" \
-      --replace "/sbin/ip"       "${iproute}/sbin/ip" \
+      --replace "/sbin/ip"       "${iproute2}/sbin/ip" \
       --replace "/sbin/sysctl"   "${sysctl}/bin/sysctl"
     sed -i -e 's/^.*Exec \$route -A.*$/& metric 128/' $out/template/linux.sh
   '';
diff --git a/pkgs/os-specific/linux/gradm/default.nix b/pkgs/os-specific/linux/gradm/default.nix
index cdfc91a6837..cd99dfa5db8 100644
--- a/pkgs/os-specific/linux/gradm/default.nix
+++ b/pkgs/os-specific/linux/gradm/default.nix
@@ -5,11 +5,11 @@
 
 stdenv.mkDerivation rec {
   pname = "gradm";
-  version = "3.1-201903191516";
+  version = "3.1-202102241600";
 
   src  = fetchurl {
-    url    = "http://grsecurity.net/stable/${pname}-${version}.tar.gz";
-    sha256 = "1wszqwaswcf08s9zbvnqzmmfdykyfcy16w8xjia20ypr7wwbd86k";
+    url    = "https://grsecurity.net/stable/${pname}-${version}.tar.gz";
+    sha256 = "02ni34hpggv00140p9gvh0lqi173zdddd2qhfi96hyr1axd5pl50";
   };
 
   nativeBuildInputs = [ bison flex ];
@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "grsecurity RBAC administration and policy analysis utility";
     homepage    = "https://grsecurity.net";
-    license     = licenses.gpl2;
+    license     = licenses.gpl2Only;
     platforms   = platforms.linux;
     maintainers = with maintainers; [ thoughtpolice joachifm ];
   };
diff --git a/pkgs/os-specific/linux/greetd/default.nix b/pkgs/os-specific/linux/greetd/default.nix
new file mode 100644
index 00000000000..6f305c5d6eb
--- /dev/null
+++ b/pkgs/os-specific/linux/greetd/default.nix
@@ -0,0 +1,51 @@
+{ rustPlatform
+, lib
+, fetchFromSourcehut
+, pam
+, scdoc
+, installShellFiles
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "greetd";
+  version = "0.7.0";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "b+S3fuJ8gjnSQzLHl3Bs9iO/Un2ynggAplz01GjJvFI=";
+  };
+
+  cargoHash = "sha256-YSC7osyBPwx+lo7P1ftI72mRWeQlDc2srRPzTFqVTxM=";
+
+  nativeBuildInputs = [
+    scdoc
+    installShellFiles
+  ];
+
+  buildInputs = [
+    pam
+  ];
+
+  postInstall = ''
+    for f in man/*; do
+      scdoc < "$f" > "$(sed 's/-\([0-9]\)\.scd$/.\1/' <<< "$f")"
+      rm "$f"
+    done
+    installManPage man/*
+  '';
+
+  meta = with lib; {
+    description = "Minimal and flexible login manager daemon";
+    longDescription = ''
+      greetd is a minimal and flexible login manager daemon
+      that makes no assumptions about what you want to launch.
+      Comes with agreety, a simple, text-based greeter.
+    '';
+    homepage = "https://kl.wtf/projects/greetd/";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/gtkgreet/default.nix b/pkgs/os-specific/linux/gtkgreet/default.nix
new file mode 100644
index 00000000000..7ab7c01475b
--- /dev/null
+++ b/pkgs/os-specific/linux/gtkgreet/default.nix
@@ -0,0 +1,50 @@
+{ stdenv
+, lib
+, fetchFromSourcehut
+, pkg-config
+, cmake
+, meson
+, ninja
+, gtk3
+, gtk-layer-shell
+, json_c
+, scdoc
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gtkgreet";
+  version = "0.7";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "ms+2FdtzzNlmlzNxFhu4cpX5H+5H+9ZOtZ0p8uVA3lo=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    cmake
+  ];
+
+  buildInputs = [
+    gtk3
+    gtk-layer-shell
+    json_c
+    scdoc
+  ];
+
+  mesonFlags = [
+    "-Dlayershell=enabled"
+  ];
+
+  meta = with lib; {
+    description = "GTK based greeter for greetd, to be run under cage or similar";
+    homepage = "https://git.sr.ht/~kennylevinsen/gtkgreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/guvcview/default.nix b/pkgs/os-specific/linux/guvcview/default.nix
index c241ac02a64..04eccaf0243 100644
--- a/pkgs/os-specific/linux/guvcview/default.nix
+++ b/pkgs/os-specific/linux/guvcview/default.nix
@@ -9,7 +9,7 @@
 , udev
 , libusb1
 , libv4l
-, alsaLib
+, alsa-lib
 , gsl
 , libpng
 , sfml
@@ -45,7 +45,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     SDL2
-    alsaLib
+    alsa-lib
     ffmpeg
     libusb1
     libv4l
diff --git a/pkgs/os-specific/linux/hal-flash/default.nix b/pkgs/os-specific/linux/hal-flash/default.nix
deleted file mode 100644
index 70dab152c72..00000000000
--- a/pkgs/os-specific/linux/hal-flash/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ lib, stdenv, fetchurl, autoconf, automake, dbus, glib, libtool, pkg-config, udisks2 }:
-
-stdenv.mkDerivation {
-  name = "hal-flash-0.3.3";
-
-  src = fetchurl {
-    url = "https://github.com/cshorler/hal-flash/archive/v0.3.3.tar.gz";
-    sha256 = "0dw9bx190mrh0dycw4rfvfmwwvh2sgypffr99nfnr36b38jrd6y6";
-  };
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ autoconf automake dbus glib libtool udisks2 ];
-
-  preConfigure = "libtoolize && aclocal && autoconf && automake --add-missing";
-
-  meta = with lib; {
-    homepage = "https://github.com/cshorler/hal-flash";
-    description = "libhal stub library to satisfy the Flash Player DRM requirements";
-    longDescription =
-      ''
-        Stub library based loosely upon libhal.[ch] from the hal-0.5.14
-        package.  Provides the minimum necessary functionality to enable
-        libflashplayer.so/libadobecp.so to play back DRM content.
-      '';
-    license = with licenses; [ afl21 gpl2 ];
-    maintainers = with maintainers; [ malyn ];
-    platforms = platforms.linux;
-  };
-}
diff --git a/pkgs/os-specific/linux/hdparm/default.nix b/pkgs/os-specific/linux/hdparm/default.nix
index ada0ddef233..300bb499f85 100644
--- a/pkgs/os-specific/linux/hdparm/default.nix
+++ b/pkgs/os-specific/linux/hdparm/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "hdparm";
-  version = "9.60";
+  version = "9.62";
 
   src = fetchurl {
     url = "mirror://sourceforge/hdparm/hdparm-${version}.tar.gz";
-    sha256 = "1k1mcv7naiacw1y6bdd1adnjfiq1kkx2ivsadjwmlkg4fff775w3";
+    sha256 = "sha256-LA+ddc2+2pKKJaEozT0LcSBEXsCRDAsp1MEDjtG+d38=";
   };
 
   preBuild = ''
diff --git a/pkgs/os-specific/linux/hid-nintendo/default.nix b/pkgs/os-specific/linux/hid-nintendo/default.nix
new file mode 100644
index 00000000000..321f96d0d36
--- /dev/null
+++ b/pkgs/os-specific/linux/hid-nintendo/default.nix
@@ -0,0 +1,38 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "hid-nintendo";
+  version = "3.1";
+
+  src = fetchFromGitHub {
+    owner = "nicman23";
+    repo = "dkms-hid-nintendo";
+    rev = version;
+    sha256 = "sha256-IanH3yHfkQhqtKvKD8lh+muc9yX8XJ5bfdy1Or8Vd5g=";
+  };
+
+  setSourceRoot = ''
+    export sourceRoot=$(pwd)/source/src
+  '';
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "-C"
+    "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "M=$(sourceRoot)"
+  ];
+
+  buildFlags = [ "modules" ];
+  installFlags = [ "INSTALL_MOD_PATH=${placeholder "out"}" ];
+  installTargets = [ "modules_install" ];
+
+  meta = with lib; {
+    description = "A Nintendo HID kernel module";
+    homepage = "https://github.com/nicman23/dkms-hid-nintendo";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.rencire ];
+    platforms = platforms.linux;
+    broken = versionOlder kernel.version "4.14";
+  };
+}
diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix
index 06b23bdf1f6..5d4edc4f7e7 100644
--- a/pkgs/os-specific/linux/hostapd/default.nix
+++ b/pkgs/os-specific/linux/hostapd/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, pkg-config, libnl, openssl, sqlite ? null }:
+{ lib, stdenv, fetchurl, fetchpatch, pkg-config, libnl, openssl, sqlite ? null }:
 
 stdenv.mkDerivation rec {
   pname = "hostapd";
@@ -43,6 +43,12 @@ stdenv.mkDerivation rec {
       url = "https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch";
       sha256 = "12npqp2skgrj934wwkqicgqksma0fxz09di29n1b5fm5i4njl8d8";
     })
+    # In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.
+    (fetchpatch {
+      name = "CVE-2021-30004.patch";
+      url = "https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15";
+      sha256 = "1gbhlz41x1ar1hppnb76pqxj6vimiypy7c4kq6h658637s4am3xg";
+    })
   ];
 
   outputs = [ "out" "man" ];
@@ -75,6 +81,7 @@ stdenv.mkDerivation rec {
     CONFIG_HS20=y
     CONFIG_ACS=y
     CONFIG_GETRANDOM=y
+    CONFIG_SAE=y
   '' + lib.optionalString (sqlite != null) ''
     CONFIG_SQLITE=y
   '';
diff --git a/pkgs/os-specific/linux/hwdata/default.nix b/pkgs/os-specific/linux/hwdata/default.nix
index 6cee603664d..f700bf035de 100644
--- a/pkgs/os-specific/linux/hwdata/default.nix
+++ b/pkgs/os-specific/linux/hwdata/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "hwdata";
-  version = "0.335";
+  version = "0.347";
 
   src = fetchFromGitHub {
     owner = "vcrhonek";
     repo = "hwdata";
     rev = "v${version}";
-    sha256 = "0f8ikwfrs6xd5sywypd9rq9cln8a0rf3vj6nm0adwzn1p8mgmrb2";
+    sha256 = "19kmz25zq6qqs67ppqhws4mh3qf6zrp55cpyxyw36q95yjdcqp21";
   };
 
   preConfigure = "patchShebangs ./configure";
@@ -19,12 +19,12 @@ stdenv.mkDerivation rec {
 
   outputHashMode = "recursive";
   outputHashAlgo = "sha256";
-  outputHash = "101lppd1805drwd038b4njr5czzjnqqxf3xlf6v3l22wfwr2cn3l";
+  outputHash = "0haaczd6pi9q2vdlvbwn7100sb87zsy64z94xhpbmlari4vzjmz0";
 
   meta = {
     homepage = "https://github.com/vcrhonek/hwdata";
     description = "Hardware Database, including Monitors, pci.ids, usb.ids, and video cards";
-    license = lib.licenses.gpl2;
-    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+    platforms = lib.platforms.all;
   };
 }
diff --git a/pkgs/os-specific/linux/hyperv-daemons/default.nix b/pkgs/os-specific/linux/hyperv-daemons/default.nix
index 2d7644e6bda..a659908a7a0 100644
--- a/pkgs/os-specific/linux/hyperv-daemons/default.nix
+++ b/pkgs/os-specific/linux/hyperv-daemons/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, lib, python, kernel, makeWrapper, writeText
-, gawk, iproute }:
+{ stdenv, lib, python2, python3, kernel, makeWrapper, writeText
+, gawk, iproute2 }:
 
 let
   libexec = "libexec/hypervkvpd";
@@ -9,6 +9,7 @@ let
     inherit (kernel) src version;
 
     nativeBuildInputs = [ makeWrapper ];
+    buildInputs = [ (if lib.versionOlder version "4.19" then python2 else python3) ];
 
     # as of 4.9 compilation will fail due to -Werror=format-security
     hardeningDisable = [ "format" ];
@@ -33,16 +34,12 @@ let
       install -Dm755 hv_get_dhcp_info.sh $out/${libexec}/hv_get_dhcp_info
       install -Dm755 hv_get_dns_info.sh  $out/${libexec}/hv_get_dns_info
 
-      # I don't know why this isn't being handled automatically by fixupPhase
-      substituteInPlace $out/bin/lsvmbus \
-        --replace '/usr/bin/env python' ${python.interpreter}
-
       runHook postInstall
     '';
 
     postFixup = ''
       wrapProgram $out/bin/hv_kvp_daemon \
-        --prefix PATH : $out/bin:${lib.makeBinPath [ gawk iproute ]}
+        --prefix PATH : $out/bin:${lib.makeBinPath [ gawk iproute2 ]}
     '';
   };
 
@@ -86,7 +83,7 @@ in stdenv.mkDerivation {
     Wants=hv-fcopy.service hv-kvp.service hv-vss.service
     EOF
 
-    for f in $lib/lib/systemd/system/* ; do
+    for f in $lib/lib/systemd/system/*.service ; do
       substituteInPlace $f --replace @out@ ${daemons}/bin
     done
 
diff --git a/pkgs/os-specific/linux/i2c-tools/default.nix b/pkgs/os-specific/linux/i2c-tools/default.nix
index 23bc89b7d1c..5c05ca6082e 100644
--- a/pkgs/os-specific/linux/i2c-tools/default.nix
+++ b/pkgs/os-specific/linux/i2c-tools/default.nix
@@ -1,12 +1,18 @@
-{ lib, stdenv, fetchurl, perl, read-edid }:
+{ lib
+, stdenv
+, fetchgit
+, perl
+, read-edid
+}:
 
 stdenv.mkDerivation rec {
   pname = "i2c-tools";
   version = "4.2";
 
-  src = fetchurl {
-    url = "https://www.kernel.org/pub/software/utils/i2c-tools/${pname}-${version}.tar.xz";
-    sha256 = "1mmc1n8awl3winyrp1rcxg94vjsx9dc1y7gj7y88blc2f2ydmwip";
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/i2c-tools/i2c-tools.git";
+    rev = "v${version}";
+    sha256 = "0vqrbp10klr7ylarr6cy1q7nafiqaky4iq5my5dqy101h93vg4pg";
   };
 
   buildInputs = [ perl ];
@@ -18,6 +24,8 @@ stdenv.mkDerivation rec {
 
   makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
+  outputs = [ "out" "man" ];
+
   postInstall = ''
     rm -rf $out/include # Installs include/linux/i2c-dev.h that conflics with kernel headers
   '';
@@ -25,7 +33,8 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Set of I2C tools for Linux";
     homepage = "https://i2c.wiki.kernel.org/index.php/I2C_Tools";
-    license = licenses.gpl2;
+    # library is LGPL 2.1 or later; "most tools" GPL 2 or later
+    license = with licenses; [ lgpl21Plus gpl2Plus ];
     maintainers = [ maintainers.dezgeg ];
     platforms = platforms.linux;
   };
diff --git a/pkgs/os-specific/linux/iio-sensor-proxy/default.nix b/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
index 971a1abffdd..5f44622c512 100644
--- a/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
+++ b/pkgs/os-specific/linux/iio-sensor-proxy/default.nix
@@ -1,15 +1,16 @@
-{ lib, stdenv, fetchFromGitHub, autoconf-archive, gettext, libtool, intltool, autoconf, automake
+{ lib, stdenv, fetchFromGitLab, autoconf-archive, gettext, libtool, intltool, autoconf, automake
 , glib, gtk3, gtk-doc, libgudev, pkg-config, systemd }:
 
 stdenv.mkDerivation rec {
   pname = "iio-sensor-proxy";
-  version = "2.8";
+  version = "3.0";
 
-  src = fetchFromGitHub {
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
     owner  = "hadess";
     repo   = pname;
     rev    = version;
-    sha256 = "07rzm1z2p6lh4iv5pyp0p2x5805m9gsh19kcsjls3fi25p3a2c00";
+    sha256 = "0ngbz1vkbjci3ml6p47jh6c6caipvbkm8mxrc8ayr6vc2p9l1g49";
   };
 
   configurePhase = ''
@@ -46,6 +47,5 @@ stdenv.mkDerivation rec {
     license = licenses.gpl3 ;
     maintainers = with maintainers; [ peterhoeg ];
     platforms = platforms.linux;
-    inherit version;
   };
 }
diff --git a/pkgs/os-specific/linux/iotop-c/default.nix b/pkgs/os-specific/linux/iotop-c/default.nix
new file mode 100644
index 00000000000..47cfa57fe81
--- /dev/null
+++ b/pkgs/os-specific/linux/iotop-c/default.nix
@@ -0,0 +1,31 @@
+{stdenv, fetchFromGitHub, lib, ncurses, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "iotop-c";
+  version = "1.17";
+
+  src = fetchFromGitHub {
+    owner = "Tomas-M";
+    repo = "iotop";
+    rev = "v${version}";
+    sha256 = "0hjy30155c3nijx3jgyn5kpj293632p0j6f3lf5acdfax1ynav86";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ ncurses ];
+  makeFlags = [ "DESTDIR=$(out)" "TARGET=iotop-c" ];
+
+  postInstall = ''
+    mv $out/usr/share/man/man8/{iotop,iotop-c}.8
+    ln -s $out/usr/sbin $out/bin
+    ln -s $out/usr/share $out/share
+  '';
+
+  meta = with lib; {
+    description = "iotop identifies processes that use high amount of input/output requests on your machine";
+    homepage = "https://github.com/Tomas-M/iotop";
+    maintainers = [ maintainers.arezvov ];
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/iotop/default.nix b/pkgs/os-specific/linux/iotop/default.nix
index 1924e326c1e..a91175aa59f 100644
--- a/pkgs/os-specific/linux/iotop/default.nix
+++ b/pkgs/os-specific/linux/iotop/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, python3Packages, fetchpatch }:
+{ lib, fetchurl, python3Packages, fetchpatch }:
 
 python3Packages.buildPythonApplication rec {
   name = "iotop-0.6";
diff --git a/pkgs/os-specific/linux/iproute/default.nix b/pkgs/os-specific/linux/iproute/default.nix
index afd495dd6d1..ea3c4d36958 100644
--- a/pkgs/os-specific/linux/iproute/default.nix
+++ b/pkgs/os-specific/linux/iproute/default.nix
@@ -5,11 +5,11 @@
 
 stdenv.mkDerivation rec {
   pname = "iproute2";
-  version = "5.10.0";
+  version = "5.13.0";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/net/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "1sakmhvh40gh4x55vzgy6cyvizqkhqalcfpvs6r0c14w62p38jm5";
+    sha256 = "sha256-cqLlN3TKyeZfe2F97rsgWfh+iWDW6XE+TXiM6pZvGzY=";
   };
 
   preConfigure = ''
diff --git a/pkgs/os-specific/linux/iproute/mptcp.nix b/pkgs/os-specific/linux/iproute/mptcp.nix
index 6505d1d80ee..12723213901 100644
--- a/pkgs/os-specific/linux/iproute/mptcp.nix
+++ b/pkgs/os-specific/linux/iproute/mptcp.nix
@@ -1,6 +1,6 @@
-{ lib, stdenv, iproute, fetchFromGitHub }:
+{ lib, iproute2, fetchFromGitHub }:
 
-iproute.overrideAttrs (oa: rec {
+iproute2.overrideAttrs (oa: rec {
   pname = "iproute_mptcp";
   version = "0.95";
 
diff --git a/pkgs/os-specific/linux/ipsec-tools/default.nix b/pkgs/os-specific/linux/ipsec-tools/default.nix
index 4e0ae7955be..33152cc51c1 100644
--- a/pkgs/os-specific/linux/ipsec-tools/default.nix
+++ b/pkgs/os-specific/linux/ipsec-tools/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, kerberos, pam }:
+{ lib, stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, libkrb5, pam }:
 
 # TODO: These tools are supposed to work under NetBSD and FreeBSD as
 # well, so I guess it's not appropriate to place this expression in
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
     sha256 = "0b9gfbz78k2nj0k7jdlm5kajig628ja9qm0z5yksiwz22s3v7dlf";
   };
 
-  buildInputs = [ readline openssl flex kerberos pam ];
+  buildInputs = [ readline openssl flex libkrb5 pam ];
 
   patches = [
     ./dont-create-localstatedir-during-install.patch
diff --git a/pkgs/os-specific/linux/ipset/default.nix b/pkgs/os-specific/linux/ipset/default.nix
index 220a08d993c..213ae45f48f 100644
--- a/pkgs/os-specific/linux/ipset/default.nix
+++ b/pkgs/os-specific/linux/ipset/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "ipset";
-  version = "7.9";
+  version = "7.11";
 
   src = fetchurl {
     url = "http://ipset.netfilter.org/${pname}-${version}.tar.bz2";
-    sha256 = "02mkp7vmsh609dcp02xi290sxmsgq2fsch3875dxkwfxkrl16p5p";
+    sha256 = "sha256-MVG6rTDx2eMXsqtPL1qnqfe03BH8+P5zrNDcC126v30=";
   };
 
   nativeBuildInputs = [ pkg-config ];
diff --git a/pkgs/os-specific/linux/iptables/default.nix b/pkgs/os-specific/linux/iptables/default.nix
index 82157ffa079..912d9078c94 100644
--- a/pkgs/os-specific/linux/iptables/default.nix
+++ b/pkgs/os-specific/linux/iptables/default.nix
@@ -6,12 +6,12 @@
 with lib;
 
 stdenv.mkDerivation rec {
-  version = "1.8.6";
+  version = "1.8.7";
   pname = "iptables";
 
   src = fetchurl {
     url = "https://www.netfilter.org/projects/${pname}/files/${pname}-${version}.tar.bz2";
-    sha256 = "0rvp0k8a72h2snrdx48cfn75bfa0ycrd2xl3kjysbymq7q6gxx50";
+    sha256 = "1w6qx3sxzkv80shk21f63rq41c84irpx68k62m2cv629n1mwj2f1";
   };
 
   nativeBuildInputs = [ pkg-config pruneLibtoolFiles flex bison ];
@@ -50,6 +50,5 @@ stdenv.mkDerivation rec {
     license = licenses.gpl2;
     downloadPage = "https://www.netfilter.org/projects/iptables/files/";
     updateWalker = true;
-    inherit version;
   };
 }
diff --git a/pkgs/os-specific/linux/iputils/default.nix b/pkgs/os-specific/linux/iputils/default.nix
index 0079aa79a22..495860ef576 100644
--- a/pkgs/os-specific/linux/iputils/default.nix
+++ b/pkgs/os-specific/linux/iputils/default.nix
@@ -1,12 +1,11 @@
-{ lib, stdenv, fetchFromGitHub, fetchpatch
+{ lib, stdenv, fetchFromGitHub
 , meson, ninja, pkg-config, gettext, libxslt, docbook_xsl_ns
 , libcap, libidn2
+, apparmorRulesFromClosure
 }:
 
-with lib;
-
 let
-  version = "20200821";
+  version = "20210202";
   sunAsIsLicense = {
     fullName = "AS-IS, SUN MICROSYSTEMS license";
     url = "https://github.com/iputils/iputils/blob/s${version}/rdisc.c";
@@ -18,17 +17,11 @@ in stdenv.mkDerivation rec {
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    rev = "s${version}";
-    sha256 = "1jhbcz75a4ij1myyyi110ma1d8d5hpm3scz9pyw7js6qym50xvh4";
+    rev = version;
+    sha256 = "08j2hfgnfh31vv9rn1ml7090j2lsvm9wdpdz13rz60rmyzrx9dq3";
   };
 
-  patches = [
-    # Proposed upstream patch to reduce dependency on systemd: https://github.com/iputils/iputils/pull/297
-    (fetchpatch {
-      url = "https://github.com/iputils/iputils/commit/13d6aefd57fd471ecad06e19073dcc44608dff5e.patch";
-      sha256 = "1n62zxmzp7hgz9qapbbpqv3fxqvc3qyd2a73jhp357x6by84kj49";
-    })
-  ];
+  outputs = ["out" "apparmor"];
 
   mesonFlags = [
     "-DBUILD_RARPD=true"
@@ -39,13 +32,33 @@ in stdenv.mkDerivation rec {
     "-DINSTALL_SYSTEMD_UNITS=true"
   ]
     # Disable idn usage w/musl (https://github.com/iputils/iputils/pull/111):
-    ++ optional stdenv.hostPlatform.isMusl "-DUSE_IDN=false";
+    ++ lib.optional stdenv.hostPlatform.isMusl "-DUSE_IDN=false";
 
   nativeBuildInputs = [ meson ninja pkg-config gettext libxslt.bin docbook_xsl_ns ];
   buildInputs = [ libcap ]
-    ++ optional (!stdenv.hostPlatform.isMusl) libidn2;
+    ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2;
+  postInstall = ''
+    mkdir $apparmor
+    cat >$apparmor/bin.ping <<EOF
+    include <tunables/global>
+    $out/bin/ping {
+      include <abstractions/base>
+      include <abstractions/consoles>
+      include <abstractions/nameservice>
+      include "${apparmorRulesFromClosure { name = "ping"; }
+       ([libcap] ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2)}"
+      include <local/bin.ping>
+      capability net_raw,
+      network inet raw,
+      network inet6 raw,
+      mr $out/bin/ping,
+      r $out/share/locale/**,
+      r @{PROC}/@{pid}/environ,
+    }
+    EOF
+  '';
 
-  meta = {
+  meta = with lib; {
     description = "A set of small useful utilities for Linux networking";
     inherit (src.meta) homepage;
     changelog = "https://github.com/iputils/iputils/releases/tag/s${version}";
diff --git a/pkgs/os-specific/linux/irqbalance/default.nix b/pkgs/os-specific/linux/irqbalance/default.nix
index 7cb05f7fe98..4b7a4527e2c 100644
--- a/pkgs/os-specific/linux/irqbalance/default.nix
+++ b/pkgs/os-specific/linux/irqbalance/default.nix
@@ -2,16 +2,17 @@
 
 stdenv.mkDerivation rec {
   pname = "irqbalance";
-  version = "1.7.0";
+  version = "1.8.0";
 
   src = fetchFromGitHub {
     owner = "irqbalance";
     repo = "irqbalance";
     rev = "v${version}";
-    sha256 = "1677ap6z4hvwga0vb8hrvpc0qggyarg9mlg11pxywz7mq94vdx19";
+    sha256 = "sha256-K+Nv6HqBZb0pwfNV127QDq+suaUD7TTV413S6j8NdUU=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config ];
+
   buildInputs = [ glib ncurses libcap_ng ];
 
   LDFLAGS = "-lncurses";
@@ -26,10 +27,12 @@ stdenv.mkDerivation rec {
         --replace ' $IRQBALANCE_ARGS' ""
     '';
 
-  meta = {
+  meta = with lib; {
     homepage = "https://github.com/Irqbalance/irqbalance";
+    changelog = "https://github.com/Irqbalance/irqbalance/releases/tag/v${version}";
     description = "A daemon to help balance the cpu load generated by interrupts across all of a systems cpus";
-    license = lib.licenses.gpl2;
-    platforms = lib.platforms.linux;
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ fortuneteller2k ];
   };
 }
diff --git a/pkgs/os-specific/linux/isgx/default.nix b/pkgs/os-specific/linux/isgx/default.nix
new file mode 100644
index 00000000000..3e551e55917
--- /dev/null
+++ b/pkgs/os-specific/linux/isgx/default.nix
@@ -0,0 +1,56 @@
+{ stdenv, lib, fetchFromGitHub, fetchpatch, kernel, kernelAtLeast }:
+
+stdenv.mkDerivation rec {
+  name = "isgx-${version}-${kernel.version}";
+  version = "2.11";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx-driver";
+    rev = "sgx_driver_${version}";
+    hash = "sha256-zZ0FgCx63LCNmvQ909O27v/o4+93gefhgEE/oDr/bHw=";
+  };
+
+  patches = [
+    # Fixes build with kernel >= 5.8
+    (fetchpatch {
+      url = "https://github.com/intel/linux-sgx-driver/commit/276c5c6a064d22358542f5e0aa96b1c0ace5d695.patch";
+      sha256 = "sha256-PmchqYENIbnJ51G/tkdap/g20LUrJEoQ4rDtqy6hj24=";
+    })
+    # Fixes detection with kernel >= 5.11
+    (fetchpatch {
+      url = "https://github.com/intel/linux-sgx-driver/commit/ed2c256929962db1a8805db53bed09bb8f2f4de3.patch";
+      sha256 = "sha256-MRbgS4U8FTCP1J1n+rhsvbXxKDytfl6B7YlT9Izq05U=";
+    })
+  ];
+
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+    install -D isgx.ko -t $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/intel/sgx
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Intel SGX Linux Driver";
+    longDescription = ''
+      The linux-sgx-driver project (isgx) hosts an out-of-tree driver
+      for the Linux* Intel(R) SGX software stack, which would be used
+      until the driver upstreaming process is complete (before 5.11.0).
+
+      It is used to support Enhanced Privacy Identification (EPID)
+      based attestation on the platforms without Flexible Launch Control.
+    '';
+    homepage = "https://github.com/intel/linux-sgx-driver";
+    license = with licenses; [ bsd3 /* OR */ gpl2Only ];
+    maintainers = with maintainers; [ oxalica ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix
index 11886e8e9c6..e0a1a566d77 100644
--- a/pkgs/os-specific/linux/iwd/default.nix
+++ b/pkgs/os-specific/linux/iwd/default.nix
@@ -1,6 +1,5 @@
 { lib, stdenv
 , fetchgit
-, fetchpatch
 , autoreconfHook
 , pkg-config
 , ell
@@ -13,12 +12,12 @@
 
 stdenv.mkDerivation rec {
   pname = "iwd";
-  version = "1.11";
+  version = "1.15";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
     rev = version;
-    sha256 = "0wnyg0f1swi7gvvgf5kzbiz44g2wscf5d5bp320iwyfwnlbqb1bn";
+    sha256 = "sha256-qGQDIzJfeBT9VLwr9Ci9vXcM0ZvFvjL2E9PcKoZ8E94=";
   };
 
   outputs = [ "out" "man" ]
@@ -58,6 +57,8 @@ stdenv.mkDerivation rec {
   ];
 
   postUnpack = ''
+    mkdir -p iwd/ell
+    ln -s ${ell.src}/ell/useful.h iwd/ell/useful.h
     patchShebangs .
   '';
 
@@ -88,8 +89,8 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     homepage = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
     description = "Wireless daemon for Linux";
-    license = licenses.lgpl21;
+    license = licenses.lgpl21Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ dtzWill fpletz ];
+    maintainers = with maintainers; [ dtzWill fpletz maxeaubrey ];
   };
 }
diff --git a/pkgs/os-specific/linux/joycond/default.nix b/pkgs/os-specific/linux/joycond/default.nix
new file mode 100644
index 00000000000..a203073b081
--- /dev/null
+++ b/pkgs/os-specific/linux/joycond/default.nix
@@ -0,0 +1,37 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, libevdev, udev }:
+
+stdenv.mkDerivation rec {
+  pname = "joycond";
+  version = "unstable-2021-03-27";
+
+  src = fetchFromGitHub {
+    owner = "DanielOgorchock";
+    repo = "joycond";
+    rev = "2d3f553060291f1bfee2e49fc2ca4a768b289df8";
+    sha256 = "0dpmwspll9ar3pxg9rgnh224934par8h8bixdz9i2pqqbc3dqib7";
+  };
+
+  nativeBuildInputs = [ cmake pkg-config ];
+  buildInputs = [ libevdev udev ];
+
+  # CMake has hardcoded install paths
+  installPhase = ''
+    mkdir -p $out/{bin,etc/{systemd/system,udev/rules.d},lib/modules-load.d}
+
+    cp ./joycond $out/bin
+    cp $src/udev/{89,72}-joycond.rules $out/etc/udev/rules.d
+    cp $src/systemd/joycond.service $out/etc/systemd/system
+    cp $src/systemd/joycond.conf $out/lib/modules-load.d
+
+    substituteInPlace $out/etc/systemd/system/joycond.service --replace \
+      "ExecStart=/usr/bin/joycond" "ExecStart=$out/bin/joycond"
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/DanielOgorchock/joycond";
+    description = "Userspace daemon to combine joy-cons from the hid-nintendo kernel driver";
+    license = licenses.gpl3Only;
+    maintainers = [ maintainers.ivar ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/kbd/default.nix b/pkgs/os-specific/linux/kbd/default.nix
index 2119c10b9cf..c7a59e59cab 100644
--- a/pkgs/os-specific/linux/kbd/default.nix
+++ b/pkgs/os-specific/linux/kbd/default.nix
@@ -1,15 +1,26 @@
-{ lib, stdenv, fetchurl, autoreconfHook,
-  gzip, bzip2, pkg-config, flex, check,
-  pam, coreutils
+{ lib
+, stdenv
+, fetchurl
+, nixosTests
+, autoreconfHook
+, pkg-config
+, flex
+, check
+, pam
+, coreutils
+, gzip
+, bzip2
+, xz
+, zstd
 }:
 
 stdenv.mkDerivation rec {
   pname = "kbd";
-  version = "2.0.4";
+  version = "2.4.0";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/kbd/${pname}-${version}.tar.xz";
-    sha256 = "124swm93dm4ca0pifgkrand3r9gvj3019d4zkfxsj9djpvv0mnaz";
+    sha256 = "17wvrqz2kk0w87idinhyvd31ih1dp7ldfl2yfx7ailygb0279w2m";
   };
 
   configureFlags = [
@@ -18,13 +29,8 @@ stdenv.mkDerivation rec {
     "--disable-nls"
   ];
 
-  patches = [ ./search-paths.patch ];
-
   postPatch =
     ''
-      # Add Neo keymap subdirectory
-      sed -i -e 's,^KEYMAPSUBDIRS *= *,&i386/neo ,' data/Makefile.am
-
       # Renaming keymaps with name clashes, because loadkeys just picks
       # the first keymap it sees. The clashing names lead to e.g.
       # "loadkeys no" defaulting to a norwegian dvorak map instead of
@@ -33,21 +39,16 @@ stdenv.mkDerivation rec {
       mv qwertz/cz{,-qwertz}.map
       mv olpc/es{,-olpc}.map
       mv olpc/pt{,-olpc}.map
-      mv dvorak/{no.map,dvorak-no.map}
       mv fgGIod/trf{,-fgGIod}.map
       mv colemak/{en-latin9,colemak}.map
       popd
 
-      # Fix the path to gzip/bzip2.
-      substituteInPlace src/libkeymap/findfile.c \
-        --replace gzip ${gzip}/bin/gzip \
-        --replace bzip2 ${bzip2.bin}/bin/bzip2 \
-
-      # We get a warning in armv5tel-linux and the fuloong2f, so we
-      # disable -Werror in it.
-      ${lib.optionalString (stdenv.isAarch32 || stdenv.hostPlatform.isMips) ''
-        sed -i s/-Werror// src/Makefile.am
-      ''}
+      # Fix paths to decompressors. Trailing space to avoid replacing `xz` in `".xz"`.
+      substituteInPlace src/libkbdfile/kbdfile.c \
+        --replace 'gzip '  '${gzip}/bin/gzip ' \
+        --replace 'bzip2 ' '${bzip2.bin}/bin/bzip2 ' \
+        --replace 'xz '    '${xz.bin}/bin/xz ' \
+        --replace 'zstd '  '${zstd.bin}/bin/zstd '
     '';
 
   postInstall = ''
@@ -57,16 +58,18 @@ stdenv.mkDerivation rec {
     done
   '';
 
-
   buildInputs = [ check pam ];
   nativeBuildInputs = [ autoreconfHook pkg-config flex ];
 
-  makeFlags = [ "setowner=" ];
+  passthru.tests = {
+    inherit (nixosTests) keymap kbd-setfont-decompress;
+  };
 
   meta = with lib; {
-    homepage = "ftp://ftp.altlinux.org/pub/people/legion/kbd/";
-    description = "Linux keyboard utilities and keyboard maps";
+    homepage = "https://kbd-project.org/";
+    description = "Linux keyboard tools and keyboard maps";
     platforms = platforms.linux;
     license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ davidak ];
   };
 }
diff --git a/pkgs/os-specific/linux/kbd/keymaps.nix b/pkgs/os-specific/linux/kbd/keymaps.nix
deleted file mode 100644
index b3d5fe1b63c..00000000000
--- a/pkgs/os-specific/linux/kbd/keymaps.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ stdenv, lib, fetchurl, gzip }:
-
-{
-  dvp = stdenv.mkDerivation rec {
-    pname = "dvp";
-    version = "1.2.1";
-
-    src = fetchurl {
-      url = "http://kaufmann.no/downloads/linux/dvp-${lib.replaceStrings ["."] ["_"] version}.map.gz";
-      sha256 = "0e859211cfe16a18a3b9cbf2ca3e280a23a79b4e40b60d8d01d0fde7336b6d50";
-    };
-
-    nativeBuildInputs = [ gzip ];
-
-    buildCommand = ''
-      mkdir -p $out/share/keymaps/i386/dvorak
-      gzip -c -d $src > $out/share/keymaps/i386/dvorak/dvp.map
-    '';
-  };
-
-  neo = stdenv.mkDerivation {
-    pname = "neo";
-    version = "2476";
-
-    src = fetchurl {
-      name = "neo.map";
-      url = "https://raw.githubusercontent.com/neo-layout/neo-layout/"
-          + "a0dee06fed824abfad658b7f10e6d907b270be0a/linux/console/neo.map";
-      sha256 = "19mfrd31vzpsjiwc7pshxm0b0sz5dd17xrz6k079cy4im1vf0r4g";
-    };
-
-    buildCommand = ''
-      install -D $src $out/share/keymaps/i386/neo/neo.map
-    '';
-  };
-}
diff --git a/pkgs/os-specific/linux/kbd/search-paths.patch b/pkgs/os-specific/linux/kbd/search-paths.patch
deleted file mode 100644
index c9405a56721..00000000000
--- a/pkgs/os-specific/linux/kbd/search-paths.patch
+++ /dev/null
@@ -1,71 +0,0 @@
---- a/src/libkeymap/analyze.l
-+++ b/src/libkeymap/analyze.l
-@@ -101,6 +101,9 @@ stack_pop(struct lk_ctx *ctx, void *scan
- static const char *const include_dirpath0[] = { "", 0 };
- static const char *const include_dirpath1[] = { "", "../include/", "../../include/", 0 };
- static const char *const include_dirpath3[] = {
-+ 	"/etc/kbd/" KEYMAPDIR "/include/",
-+ 	"/etc/kbd/" KEYMAPDIR "/i386/include/",
-+ 	"/etc/kbd/" KEYMAPDIR "/mac/include/",
- 	DATADIR "/" KEYMAPDIR "/include/",
- 	DATADIR "/" KEYMAPDIR "/i386/include/",
- 	DATADIR "/" KEYMAPDIR "/mac/include/", 0
---- a/src/loadkeys.c
-+++ b/src/loadkeys.c
-@@ -27,7 +27,7 @@
- #include "keymap.h"
- 
- static const char *progname         = NULL;
--static const char *const dirpath1[] = { "", DATADIR "/" KEYMAPDIR "/**", KERNDIR "/", 0 };
-+static const char *const dirpath1[] = { "", "/etc/kbd/" KEYMAPDIR "/**", DATADIR "/" KEYMAPDIR "/**", 0 };
- static const char *const suffixes[] = { "", ".kmap", ".map", 0 };
- 
- static void __attribute__((noreturn))
---- a/src/loadunimap.c
-+++ b/src/loadunimap.c
-@@ -30,7 +30,7 @@
- extern char *progname;
- extern int force;
- 
--static const char *const unidirpath[]  = { "", DATADIR "/" UNIMAPDIR "/", 0 };
-+static const char *const unidirpath[]  = { "", "/etc/kbd/" UNIMAPDIR "/", DATADIR "/" UNIMAPDIR "/", 0 };
- static const char *const unisuffixes[] = { "", ".uni", ".sfm", 0 };
- 
- #ifdef MAIN
---- a/src/mapscrn.c
-+++ b/src/mapscrn.c
-@@ -27,7 +27,7 @@ void loadnewmap(int fd, char *mfil);
- static int ctoi(char *);
- 
- /* search for the map file in these directories (with trailing /) */
--static const char *const mapdirpath[]  = { "", DATADIR "/" TRANSDIR "/", 0 };
-+static const char *const mapdirpath[]  = { "", "/etc/kbd/" TRANSDIR "/", DATADIR "/" TRANSDIR "/", 0 };
- static const char *const mapsuffixes[] = { "", ".trans", "_to_uni.trans", ".acm", 0 };
- 
- #ifdef MAIN
---- a/src/resizecons.c
-+++ b/src/resizecons.c
-@@ -101,7 +101,7 @@ static int vga_get_fontheight(void);
- static void vga_set_cursor(int, int);
- static void vga_set_verticaldisplayend_lowbyte(int);
- 
--const char *const dirpath[]  = { "", DATADIR "/" VIDEOMODEDIR "/", 0 };
-+const char *const dirpath[]  = { "", "/etc/kbd/" VIDEOMODEDIR "/", DATADIR "/" VIDEOMODEDIR "/", 0};
- const char *const suffixes[] = { "", 0 };
- 
- int main(int argc, char **argv)
---- a/src/setfont.c
-+++ b/src/setfont.c
-@@ -53,10 +53,10 @@ int force   = 0;
- int debug   = 0;
- 
- /* search for the font in these directories (with trailing /) */
--const char *const fontdirpath[]  = { "", DATADIR "/" FONTDIR "/", 0 };
-+const char *const fontdirpath[]  = { "", "/etc/kbd/" FONTDIR "/", DATADIR "/" FONTDIR "/", 0 };
- const char *const fontsuffixes[] = { "", ".psfu", ".psf", ".cp", ".fnt", 0 };
- /* hide partial fonts a bit - loading a single one is a bad idea */
--const char *const partfontdirpath[]  = { "", DATADIR "/" FONTDIR "/" PARTIALDIR "/", 0 };
-+const char *const partfontdirpath[]  = { "", "/etc/kbd/" FONTDIR "/" PARTIALDIR "/", DATADIR "/" FONTDIR "/" PARTIALDIR "/", 0 };
- const char *const partfontsuffixes[] = { "", 0 };
- 
- static inline int
diff --git a/pkgs/os-specific/linux/kernel-headers/default.nix b/pkgs/os-specific/linux/kernel-headers/default.nix
index d6ed7bccba3..9d727838b3f 100644
--- a/pkgs/os-specific/linux/kernel-headers/default.nix
+++ b/pkgs/os-specific/linux/kernel-headers/default.nix
@@ -1,4 +1,9 @@
-{ stdenvNoCC, lib, buildPackages, fetchurl, perl, elf-header }:
+{ stdenvNoCC, lib, buildPackages, fetchurl, perl, elf-header
+, bison ? null, flex ? null, python ? null, rsync ? null
+}:
+
+assert stdenvNoCC.hostPlatform.isAndroid ->
+  (flex != null && bison != null && python != null && rsync != null);
 
 let
   makeLinuxHeaders = { src, version, patches ? [] }: stdenvNoCC.mkDerivation {
@@ -13,7 +18,11 @@ let
     # We do this so we have a build->build, not build->host, C compiler.
     depsBuildBuild = [ buildPackages.stdenv.cc ];
     # `elf-header` is null when libc provides `elf.h`.
-    nativeBuildInputs = [ perl elf-header ];
+    nativeBuildInputs = [
+      perl elf-header
+    ] ++ lib.optionals stdenvNoCC.hostPlatform.isAndroid [
+      flex bison python rsync
+    ];
 
     extraIncludeDirs = lib.optional stdenvNoCC.hostPlatform.isPowerPC ["ppc"];
 
@@ -36,9 +45,12 @@ let
     # Skip clean on darwin, case-sensitivity issues.
     buildPhase = lib.optionalString (!stdenvNoCC.buildPlatform.isDarwin) ''
       make mrproper $makeFlags
-    '' + ''
+    '' + (if stdenvNoCC.hostPlatform.isAndroid then ''
+      make defconfig
+      make headers_install
+    '' else ''
       make headers $makeFlags
-    '';
+    '');
 
     checkPhase = ''
       make headers_check $makeFlags
@@ -69,12 +81,12 @@ let
 in {
   inherit makeLinuxHeaders;
 
-  linuxHeaders = let version = "5.10.4"; in
+  linuxHeaders = let version = "5.12"; in
     makeLinuxHeaders {
       inherit version;
       src = fetchurl {
         url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-        sha256 = "1v2nbpp21c3fkw23dgrrfznnnlvi0538kj8wrlb2m6g94rn3jklh";
+        sha256 = "sha256-fQ328r8jhNaNC9jh/j4HHWQ2Tc3GAC57XIfJLUj6w2Y=";
       };
       patches = [
          ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index b8bb91b3b72..355e653c8ea 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -12,7 +12,7 @@
 # Configuration
 { lib, stdenv, version
 
-, features ? { grsecurity = false; xen_dom0 = false; }
+, features ? {}
 }:
 
 with lib;
@@ -42,7 +42,7 @@ let
       TIMER_STATS               = whenOlder "4.11" yes;
       DEBUG_NX_TEST             = whenOlder "4.11" no;
       DEBUG_STACK_USAGE         = no;
-      DEBUG_STACKOVERFLOW       = mkIf (!features.grsecurity) (option no);
+      DEBUG_STACKOVERFLOW       = option no;
       RCU_TORTURE_TEST          = no;
       SCHEDSTATS                = no;
       DETECT_HUNG_TASK          = yes;
@@ -142,6 +142,9 @@ let
       IPV6_MROUTE_MULTIPLE_TABLES = yes;
       IPV6_PIMSM_V2               = yes;
       IPV6_FOU_TUNNEL             = whenAtLeast "4.7" module;
+      IPV6_SEG6_LWTUNNEL          = whenAtLeast "4.10" yes;
+      IPV6_SEG6_HMAC              = whenAtLeast "4.10" yes;
+      IPV6_SEG6_BPF               = whenAtLeast "4.18" yes;
       NET_CLS_BPF                 = whenAtLeast "4.4" module;
       NET_ACT_BPF                 = whenAtLeast "4.4" module;
       NET_SCHED                   = yes;
@@ -174,6 +177,8 @@ let
                                               (whenAtLeast "4.17" yes) ];
       NF_TABLES_NETDEV            = mkMerge [ (whenOlder "4.17" module)
                                               (whenAtLeast "4.17" yes) ];
+      NFT_REJECT_NETDEV           = whenAtLeast "5.11" module;
+
       # IP: Netfilter Configuration
       NF_TABLES_IPV4              = mkMerge [ (whenOlder "4.17" module)
                                               (whenAtLeast "4.17" yes) ];
@@ -191,16 +196,17 @@ let
       NET_DROP_MONITOR = yes;
 
       # needed for ss
-      INET_DIAG         = module;
-      INET_TCP_DIAG     = module;
-      INET_UDP_DIAG     = module;
-      INET_RAW_DIAG     = whenAtLeast "4.14" module;
-      INET_DIAG_DESTROY = whenAtLeast "4.9" yes;
+      # Use a lower priority to allow these options to be overridden in hardened/config.nix
+      INET_DIAG         = mkDefault module;
+      INET_TCP_DIAG     = mkDefault module;
+      INET_UDP_DIAG     = mkDefault module;
+      INET_RAW_DIAG     = whenAtLeast "4.14" (mkDefault module);
+      INET_DIAG_DESTROY = whenAtLeast "4.9" (mkDefault yes);
 
       # enable multipath-tcp
       MPTCP           = whenAtLeast "5.6" yes;
       MPTCP_IPV6      = whenAtLeast "5.6" yes;
-      INET_MPTCP_DIAG = whenAtLeast "5.9" module;
+      INET_MPTCP_DIAG = whenAtLeast "5.9" (mkDefault module);
     };
 
     wireless = {
@@ -241,8 +247,9 @@ let
       # Allow specifying custom EDID on the kernel command line
       DRM_LOAD_EDID_FIRMWARE = yes;
       VGA_SWITCHEROO         = yes; # Hybrid graphics support
-      DRM_GMA600             = yes;
-      DRM_GMA3600            = yes;
+      DRM_GMA500             = whenAtLeast "5.12" module;
+      DRM_GMA600             = whenOlder "5.13" yes;
+      DRM_GMA3600            = whenOlder "5.12" yes;
       DRM_VMWGFX_FBCON       = yes;
       # necessary for amdgpu polaris support
       DRM_AMD_POWERPLAY = whenBetween "4.5" "4.9" yes;
@@ -252,6 +259,15 @@ let
       DRM_AMDGPU_CIK = whenAtLeast "4.9" yes;
       # Allow device firmware updates
       DRM_DP_AUX_CHARDEV = whenAtLeast "4.6" yes;
+      # amdgpu display core (DC) support
+      DRM_AMD_DC_DCN1_0 = whenBetween "4.15" "5.6" yes;
+      DRM_AMD_DC_PRE_VEGA = whenBetween "4.15" "4.18" yes;
+      DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes;
+      DRM_AMD_DC_DCN2_1 = whenBetween "5.4" "5.6" yes;
+      DRM_AMD_DC_DCN3_0 = whenBetween "5.9" "5.11" yes;
+      DRM_AMD_DC_DCN = whenAtLeast "5.11" yes;
+      DRM_AMD_DC_HDCP = whenAtLeast "5.5" yes;
+      DRM_AMD_DC_SI = whenAtLeast "5.10" yes;
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
       # Intel GVT-g graphics virtualization supports 64-bit only
       DRM_I915_GVT = whenAtLeast "4.16" yes;
@@ -276,21 +292,31 @@ let
       SND_SOC_SOF_TOPLEVEL              = yes;
       SND_SOC_SOF_ACPI                  = module;
       SND_SOC_SOF_PCI                   = module;
-      SND_SOC_SOF_APOLLOLAKE_SUPPORT    = yes;
-      SND_SOC_SOF_CANNONLAKE_SUPPORT    = yes;
-      SND_SOC_SOF_COFFEELAKE_SUPPORT    = yes;
+      SND_SOC_SOF_APOLLOLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_APOLLOLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_CANNONLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_CANNONLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COFFEELAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_COFFEELAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_COMETLAKE             = whenAtLeast "5.12" module;
       SND_SOC_SOF_COMETLAKE_H_SUPPORT   = whenOlder "5.8" yes;
-      SND_SOC_SOF_COMETLAKE_LP_SUPPORT  = yes;
-      SND_SOC_SOF_ELKHARTLAKE_SUPPORT   = yes;
-      SND_SOC_SOF_GEMINILAKE_SUPPORT    = yes;
+      SND_SOC_SOF_COMETLAKE_LP_SUPPORT  = whenOlder "5.12" yes;
+      SND_SOC_SOF_ELKHARTLAKE           = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ELKHARTLAKE_SUPPORT   = whenOlder "5.12" yes;
+      SND_SOC_SOF_GEMINILAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_GEMINILAKE_SUPPORT    = whenOlder "5.12" yes;
       SND_SOC_SOF_HDA_AUDIO_CODEC       = yes;
       SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
       SND_SOC_SOF_HDA_LINK              = yes;
-      SND_SOC_SOF_ICELAKE_SUPPORT       = yes;
+      SND_SOC_SOF_ICELAKE               = whenAtLeast "5.12" module;
+      SND_SOC_SOF_ICELAKE_SUPPORT       = whenOlder "5.12" yes;
       SND_SOC_SOF_INTEL_TOPLEVEL        = yes;
-      SND_SOC_SOF_JASPERLAKE_SUPPORT    = yes;
-      SND_SOC_SOF_MERRIFIELD_SUPPORT    = yes;
-      SND_SOC_SOF_TIGERLAKE_SUPPORT     = yes;
+      SND_SOC_SOF_JASPERLAKE            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_JASPERLAKE_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_MERRIFIELD            = whenAtLeast "5.12" module;
+      SND_SOC_SOF_MERRIFIELD_SUPPORT    = whenOlder "5.12" yes;
+      SND_SOC_SOF_TIGERLAKE             = whenAtLeast "5.12" module;
+      SND_SOC_SOF_TIGERLAKE_SUPPORT     = whenOlder "5.12" yes;
     };
 
     usb-serial = {
@@ -358,6 +384,7 @@ let
       F2FS_FS             = module;
       F2FS_FS_SECURITY    = option yes;
       F2FS_FS_ENCRYPTION  = option yes;
+      F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
       UDF_FS              = module;
 
       NFSD_PNFS              = whenBetween "4.0" "4.6" yes;
@@ -404,6 +431,8 @@ let
       NLS_ISO8859_1    = module; # VFAT default for the iocharset= mount option
 
       DEVTMPFS = yes;
+
+      UNICODE = whenAtLeast "5.2" yes; # Casefolding support for filesystems
     };
 
     security = {
@@ -414,13 +443,15 @@ let
       SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
       # Prevent processes from ptracing non-children processes
       SECURITY_YAMA                    = option yes;
-      DEVKMEM                          = mkIf (!features.grsecurity) no; # Disable /dev/kmem
+      DEVKMEM                          = whenOlder "5.13" no; # Disable /dev/kmem
 
       USER_NS                          = yes; # Support for user namespaces
 
       SECURITY_APPARMOR                = yes;
       DEFAULT_SECURITY_APPARMOR        = yes;
 
+      RANDOM_TRUST_CPU                 = whenAtLeast "4.19" yes; # allow RDRAND to seed the RNG
+
       MODULE_SIG            = no; # r13y, generates a random key during build and bakes it in
       # Depends on MODULE_SIG and only really helps when you sign your modules
       # and enforce signatures which we don't do by default.
@@ -492,7 +523,7 @@ let
     virtualisation = {
       PARAVIRT = option yes;
 
-      HYPERVISOR_GUEST = mkIf (!features.grsecurity) yes;
+      HYPERVISOR_GUEST = yes;
       PARAVIRT_SPINLOCKS  = option yes;
 
       KVM_APIC_ARCHITECTURE             = whenOlder "4.8" yes;
@@ -500,12 +531,12 @@ let
       KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; };
       KVM_DEVICE_ASSIGNMENT  = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; };
       KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0"  yes;
-      KVM_GUEST                         = mkIf (!features.grsecurity) yes;
+      KVM_GUEST                         = yes;
       KVM_MMIO                          = yes;
       KVM_VFIO                          = yes;
       KSM = yes;
       VIRT_DRIVERS = yes;
-      # We nneed 64 GB (PAE) support for Xen guest support
+      # We need 64 GB (PAE) support for Xen guest support
       HIGHMEM64G = { optional = true; tristate = mkIf (!stdenv.is64bit) "y";};
 
       VFIO_PCI_VGA = mkIf stdenv.is64bit yes;
@@ -516,13 +547,8 @@ let
       VBOXGUEST = option no;
       DRM_VBOXVIDEO = option no;
 
-    } // optionalAttrs (stdenv.isx86_64 || stdenv.isi686) ({
-      XEN = option yes;
-
-      # XXX: why isn't this in the xen-dom0 conditional section below?
-      XEN_DOM0 = option yes;
-
-    } // optionalAttrs features.xen_dom0 {
+      XEN                         = option yes;
+      XEN_DOM0                    = option yes;
       PCI_XEN                     = option yes;
       HVC_XEN                     = option yes;
       HVC_XEN_FRONTEND            = option yes;
@@ -541,7 +567,7 @@ let
       XEN_SELFBALLOONING          = option yes;
       XEN_STUB                    = option yes;
       XEN_TMEM                    = option yes;
-    });
+    };
 
     media = {
       MEDIA_DIGITAL_TV_SUPPORT = yes;
@@ -634,7 +660,12 @@ let
       XZ_DEC_TEST              = option no;
     };
 
-    criu = optionalAttrs (features.criu or false) ({
+    criu = if (versionAtLeast version "4.19") then {
+      # Unconditionally enabled, because it is required for CRIU and
+      # it provides the kcmp() system call that Mesa depends on.
+      CHECKPOINT_RESTORE  = yes;
+    } else optionalAttrs (features.criu or false) ({
+      # For older kernels, CHECKPOINT_RESTORE is hidden behind EXPERT.
       EXPERT              = yes;
       CHECKPOINT_RESTORE  = yes;
     } // optionalAttrs (features.criu_revert_expert or true) {
@@ -647,7 +678,14 @@ let
       DEBUG_MEMORY_INIT     = option yes;
     });
 
-    misc = {
+    misc = let
+      # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz.
+      # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
+      useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9";
+    in {
+      KERNEL_XZ            = mkIf (!useZstd) yes;
+      KERNEL_ZSTD          = mkIf useZstd yes;
+
       HID_BATTERY_STRENGTH = yes;
       # enabled by default in x86_64 but not arm64, so we do that here
       HIDRAW               = yes;
@@ -660,13 +698,9 @@ let
       THRUSTMASTER_FF    = yes;
       ZEROPLUS_FF        = yes;
 
-      MODULE_COMPRESS    = yes;
+      MODULE_COMPRESS    = whenOlder "5.13" yes;
       MODULE_COMPRESS_XZ = yes;
 
-      # use zstd for kernel compression if newer than 5.9, else xz.
-      KERNEL_XZ          = whenOlder "5.9" yes;
-      KERNEL_ZSTD        = whenAtLeast "5.9" yes;
-
       SYSVIPC            = yes;  # System-V IPC
 
       AIO                = yes;  # POSIX asynchronous I/O
@@ -676,7 +710,6 @@ let
       MD                 = yes;     # Device mapper (RAID, LVM, etc.)
 
       # Enable initrd support.
-      BLK_DEV_RAM       = yes;
       BLK_DEV_INITRD    = yes;
 
       PM_TRACE_RTC         = no; # Disable some expensive (?) features.
@@ -750,6 +783,8 @@ let
       MLX4_EN_VXLAN = whenOlder "4.8" yes;
       MLX5_CORE_EN       = option yes;
 
+      NVME_MULTIPATH = whenAtLeast "4.15" yes;
+
       PSI = whenAtLeast "4.20" yes;
 
       MODVERSIONS        = whenOlder "4.9" yes;
@@ -809,6 +844,7 @@ let
       PREEMPT_VOLUNTARY = yes;
 
       X86_AMD_PLATFORM_DEVICE = yes;
+      X86_PLATFORM_DRIVERS_DELL = whenAtLeast "5.12" yes;
 
     } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
       # Enable CPU/memory hotplug support
@@ -824,7 +860,7 @@ let
       # Bump the maximum number of CPUs to support systems like EC2 x1.*
       # instances and Xeon Phi.
       NR_CPUS = freeform "384";
-    } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
+    } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
       # Enables support for the Allwinner Display Engine 2.0
       SUN8I_DE2_CCU = whenAtLeast "4.13" yes;
 
@@ -836,6 +872,14 @@ let
       # The kernel command line will override a platform-specific configuration from its device tree.
       # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
       CMA_SIZE_MBYTES = freeform "32";
+
+      # Many ARM SBCs hand off a pre-configured framebuffer.
+      # This always can can be replaced by the actual native driver.
+      # Keeping it a built-in ensures it will be used if possible.
+      FB_SIMPLE = yes;
+
+    } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux") {
+      ARM_LPAE = yes;
     };
   };
 in
diff --git a/pkgs/os-specific/linux/kernel/export_kernel_fpu_functions_4_14.patch b/pkgs/os-specific/linux/kernel/export_kernel_fpu_functions_4_14.patch
deleted file mode 100644
index 205497aee2d..00000000000
--- a/pkgs/os-specific/linux/kernel/export_kernel_fpu_functions_4_14.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 245e0f743d814c9ff2d1c748175e321301eb16cf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
-Date: Thu, 2 May 2019 05:28:08 +0100
-Subject: [PATCH] x86/fpu: Export __kernel_fpu_{begin,end}()
-
-This partially undo commit:
-
-12209993  x86/fpu: Don't export __kernel_fpu_{begin,end}()
-
-We need this symbol in zfs for AES-NI/AVX support.
----
- arch/x86/include/asm/fpu/api.h | 2 ++
- arch/x86/kernel/fpu/core.c     | 6 ++++--
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h
-index b56d504af6545..7d53388d266ea 100644
---- a/arch/x86/include/asm/fpu/api.h
-+++ b/arch/x86/include/asm/fpu/api.h
-@@ -18,6 +18,8 @@
-  * If you intend to use the FPU in softirq you need to check first with
-  * irq_fpu_usable() if it is possible.
-  */
-+extern void __kernel_fpu_begin(void);
-+extern void __kernel_fpu_end(void);
- extern void kernel_fpu_begin(void);
- extern void kernel_fpu_end(void);
- extern bool irq_fpu_usable(void);
-diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
-index 2e5003fef51a9..2ea85b32421a0 100644
---- a/arch/x86/kernel/fpu/core.c
-+++ b/arch/x86/kernel/fpu/core.c
-@@ -93,7 +93,7 @@ bool irq_fpu_usable(void)
- }
- EXPORT_SYMBOL(irq_fpu_usable);
- 
--static void __kernel_fpu_begin(void)
-+void __kernel_fpu_begin(void)
- {
- 	struct fpu *fpu = &current->thread.fpu;
- 
-@@ -111,8 +111,9 @@ static void __kernel_fpu_begin(void)
- 		__cpu_invalidate_fpregs_state();
- 	}
- }
-+EXPORT_SYMBOL(__kernel_fpu_begin);
- 
--static void __kernel_fpu_end(void)
-+void __kernel_fpu_end(void)
- {
- 	struct fpu *fpu = &current->thread.fpu;
- 
-@@ -121,6 +122,7 @@ static void __kernel_fpu_end(void)
- 
- 	kernel_fpu_enable();
- }
-+EXPORT_SYMBOL(__kernel_fpu_end);
- 
- void kernel_fpu_begin(void)
- {
diff --git a/pkgs/os-specific/linux/kernel/export_kernel_fpu_functions_5_3.patch b/pkgs/os-specific/linux/kernel/export_kernel_fpu_functions_5_3.patch
deleted file mode 100644
index dc9ca64bdc1..00000000000
--- a/pkgs/os-specific/linux/kernel/export_kernel_fpu_functions_5_3.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 1e010beda2896bdf3082fb37a3e49f8ce20e04d8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
-Date: Thu, 2 May 2019 05:28:08 +0100
-Subject: [PATCH] x86/fpu: Export kernel_fpu_{begin,end}() with
- EXPORT_SYMBOL_GPL
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We need these symbols in zfs as the fpu implementation breaks userspace:
-
-https://github.com/zfsonlinux/zfs/issues/9346
-Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
----
- arch/x86/kernel/fpu/core.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
-index 12c70840980e..352538b3bb5d 100644
---- a/arch/x86/kernel/fpu/core.c
-+++ b/arch/x86/kernel/fpu/core.c
-@@ -102,7 +102,7 @@ void kernel_fpu_begin(void)
- 	}
- 	__cpu_invalidate_fpregs_state();
- }
--EXPORT_SYMBOL_GPL(kernel_fpu_begin);
-+EXPORT_SYMBOL(kernel_fpu_begin);
- 
- void kernel_fpu_end(void)
- {
-@@ -111,7 +111,7 @@ void kernel_fpu_end(void)
- 	this_cpu_write(in_kernel_fpu, false);
- 	preempt_enable();
- }
--EXPORT_SYMBOL_GPL(kernel_fpu_end);
-+EXPORT_SYMBOL(kernel_fpu_end);
- 
- /*
-  * Save the FPU state (mark it for reload if necessary):
--- 
-2.23.0
-
diff --git a/pkgs/os-specific/linux/kernel/generate-config.pl b/pkgs/os-specific/linux/kernel/generate-config.pl
index 6a2aec809a1..df807188f14 100644
--- a/pkgs/os-specific/linux/kernel/generate-config.pl
+++ b/pkgs/os-specific/linux/kernel/generate-config.pl
@@ -19,6 +19,7 @@ my $autoModules = $ENV{'AUTO_MODULES'};
 my $preferBuiltin = $ENV{'PREFER_BUILTIN'};
 my $ignoreConfigErrors = $ENV{'ignoreConfigErrors'};
 my $buildRoot = $ENV{'BUILD_ROOT'};
+my $makeFlags = $ENV{'MAKE_FLAGS'};
 $SIG{PIPE} = 'IGNORE';
 
 # Read the answers.
@@ -40,7 +41,7 @@ close ANSWERS;
 sub runConfig {
 
     # Run `make config'.
-    my $pid = open2(\*IN, \*OUT, "make -C $ENV{SRC} O=$buildRoot config SHELL=bash ARCH=$ENV{ARCH}");
+    my $pid = open2(\*IN, \*OUT, "make -C $ENV{SRC} O=$buildRoot config SHELL=bash ARCH=$ENV{ARCH} CC=$ENV{CC} HOSTCC=$ENV{HOSTCC} HOSTCXX=$ENV{HOSTCXX} $makeFlags");
 
     # Parse the output, look for questions and then send an
     # appropriate answer.
diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index cc7d1a52367..7f4f0f2d6bb 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@@ -21,6 +21,9 @@
 , # Legacy overrides to the intermediate kernel config, as string
   extraConfig ? ""
 
+  # Additional make flags passed to kbuild
+, extraMakeFlags ? []
+
 , # kernel intermediate config overrides, as a set
  structuredExtraConfig ? {}
 
@@ -46,7 +49,6 @@
                        stdenv.hostPlatform != stdenv.buildPlatform
 , extraMeta ? {}
 
-, isXen      ? features.xen_dom0 or false
 , isZen      ? false
 , isLibre    ? false
 , isHardened ? false
@@ -55,7 +57,7 @@
 , autoModules ? stdenv.hostPlatform.linux-kernel.autoModules
 , preferBuiltin ? stdenv.hostPlatform.linux-kernel.preferBuiltin or false
 , kernelArch ? stdenv.hostPlatform.linuxArch
-
+, kernelTests ? []
 , ...
 }:
 
@@ -73,8 +75,6 @@ let
     efiBootStub = true;
     needsCifsUtils = true;
     netfilterRPFilter = true;
-    grsecurity = false;
-    xen_dom0 = false;
     ia32Emulation = true;
   } // features) kernelPatches;
 
@@ -100,7 +100,7 @@ let
     in lib.concatStringsSep "\n" ([baseConfigStr] ++ configFromPatches);
 
   configfile = stdenv.mkDerivation {
-    inherit ignoreConfigErrors autoModules preferBuiltin kernelArch;
+    inherit ignoreConfigErrors autoModules preferBuiltin kernelArch extraMakeFlags;
     pname = "linux-config";
     inherit version;
 
@@ -119,6 +119,9 @@ let
     # e.g. "bzImage"
     kernelTarget = stdenv.hostPlatform.linux-kernel.target;
 
+    makeFlags = lib.optionals (stdenv.hostPlatform.linux-kernel ? makeFlags) stdenv.hostPlatform.linux-kernel.makeFlags
+      ++ extraMakeFlags;
+
     prePatch = kernel.prePatch + ''
       # Patch kconfig to print "###" after every question so that
       # generate-config.pl from the generic builder can answer them.
@@ -131,18 +134,25 @@ let
 
     buildPhase = ''
       export buildRoot="''${buildRoot:-build}"
+      export HOSTCC=$CC_FOR_BUILD
+      export HOSTCXX=$CXX_FOR_BUILD
+      export HOSTAR=$AR_FOR_BUILD
+      export HOSTLD=$LD_FOR_BUILD
 
       # Get a basic config file for later refinement with $generateConfig.
-      make -C .  O="$buildRoot" $kernelBaseConfig \
+      make $makeFlags \
+          -C . O="$buildRoot" $kernelBaseConfig \
           ARCH=$kernelArch \
-          HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc \
-          HOSTCXX=${buildPackages.stdenv.cc.targetPrefix}g++
+          HOSTCC=$HOSTCC HOSTCXX=$HOSTCXX HOSTAR=$HOSTAR HOSTLD=$HOSTLD \
+          CC=$CC OBJCOPY=$OBJCOPY OBJDUMP=$OBJDUMP READELF=$READELF \
+          $makeFlags
 
       # Create the config file.
       echo "generating kernel configuration..."
       ln -s "$kernelConfigPath" "$buildRoot/kernel-config"
       DEBUG=1 ARCH=$kernelArch KERNEL_CONFIG="$buildRoot/kernel-config" AUTO_MODULES=$autoModules \
-           PREFER_BUILTIN=$preferBuiltin BUILD_ROOT="$buildRoot" SRC=. perl -w $generateConfig
+        PREFER_BUILTIN=$preferBuiltin BUILD_ROOT="$buildRoot" SRC=. MAKE_FLAGS="$makeFlags" \
+        perl -w $generateConfig
     '';
 
     installPhase = "mv $buildRoot/.config $out";
@@ -150,7 +160,6 @@ let
     enableParallelBuilding = true;
 
     passthru = rec {
-
       module = import ../../../../nixos/modules/system/boot/kernel_config.nix;
       # used also in apache
       # { modules = [ { options = res.options; config = svc.config or svc; } ];
@@ -170,18 +179,20 @@ let
     };
   }; # end of configfile derivation
 
-  kernel = (callPackage ./manual-config.nix {}) {
-    inherit version modDirVersion src kernelPatches randstructSeed lib stdenv extraMeta configfile;
+  kernel = (callPackage ./manual-config.nix { inherit buildPackages;  }) {
+    inherit version modDirVersion src kernelPatches randstructSeed lib stdenv extraMakeFlags extraMeta configfile;
 
     config = { CONFIG_MODULES = "y"; CONFIG_FW_LOADER = "m"; };
   };
 
   passthru = {
     features = kernelFeatures;
-    inherit commonStructuredConfig isXen isZen isHardened isLibre;
+    inherit commonStructuredConfig structuredExtraConfig extraMakeFlags isZen isHardened isLibre modDirVersion;
+    isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
     kernelOlder = lib.versionOlder version;
     kernelAtLeast = lib.versionAtLeast version;
     passthru = kernel.passthru // (removeAttrs passthru [ "passthru" ]);
+    tests = kernelTests;
   };
 
 in lib.extendDerivation true passthru kernel
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index ffd710e632e..20f9f5aaa14 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -8,7 +8,7 @@
 #
 # See also <nixos/modules/profiles/hardened.nix>
 
-{ lib, stdenv, version }:
+{ lib, version }:
 
 with lib;
 with lib.kernel;
@@ -55,8 +55,8 @@ assert (versionAtLeast version "4.9");
 
   # Wipe higher-level memory allocations on free() with page_poison=1
   PAGE_POISONING           = yes;
-  PAGE_POISONING_NO_SANITY = yes;
-  PAGE_POISONING_ZERO      = yes;
+  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
+  PAGE_POISONING_ZERO      = whenOlder "5.11" yes;
 
   # Enable the SafeSetId LSM
   SECURITY_SAFESETID = whenAtLeast "5.1" yes;
@@ -65,7 +65,7 @@ assert (versionAtLeast version "4.9");
   PANIC_TIMEOUT = freeform "-1";
 
   GCC_PLUGINS = yes; # Enable gcc plugin options
-  # Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
+  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
   GCC_PLUGIN_LATENT_ENTROPY = yes;
 
   GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
@@ -79,8 +79,18 @@ assert (versionAtLeast version "4.9");
   PROC_KCORE         = no; # Exposes kernel text image layout
   INET_DIAG          = no; # Has been used for heap based attacks in the past
 
+  # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
+  # make them optional
+  INET_DIAG_DESTROY = option no;
+  INET_RAW_DIAG     = option no;
+  INET_TCP_DIAG     = option no;
+  INET_UDP_DIAG     = option no;
+  INET_MPTCP_DIAG   = option no;
+
   # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
   CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
   CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;
 
+  # Detect out-of-bound reads/writes and use-after-free
+  KFENCE = whenAtLeast "5.12" yes;
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 695477417aa..412e5041500 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -1,26 +1,32 @@
 {
     "4.14": {
         "extra": "-hardened1",
-        "name": "linux-hardened-4.14.217-hardened1.patch",
-        "sha256": "1hb5fa06xw9rn0f77lklrlhb6vajr1hjv64qxv5y03l7zqfsi7lx",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.217-hardened1/linux-hardened-4.14.217-hardened1.patch"
+        "name": "linux-hardened-4.14.240-hardened1.patch",
+        "sha256": "0j5zp0f8s4w3f60yam2spg3bx56bdjvv0mh632zlhchz8rdk5zs4",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.240-hardened1/linux-hardened-4.14.240-hardened1.patch"
     },
     "4.19": {
         "extra": "-hardened1",
-        "name": "linux-hardened-4.19.170-hardened1.patch",
-        "sha256": "0wx1bhkxyiqk6r51922dhv29jfkx6kfwk4w3z2rc8shpm6krdngv",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.170-hardened1/linux-hardened-4.19.170-hardened1.patch"
+        "name": "linux-hardened-4.19.198-hardened1.patch",
+        "sha256": "18c5j00xiwc0xn5klcrwazk6wvjiy3cixbfbrw4xj7zal9r5p6q9",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.198-hardened1/linux-hardened-4.19.198-hardened1.patch"
     },
     "5.10": {
         "extra": "-hardened1",
-        "name": "linux-hardened-5.10.10-hardened1.patch",
-        "sha256": "0hm8ng073lzqcj5khgpxvr775z0jns9y00qj8b0n63yq0klm2pqh",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.10-hardened1/linux-hardened-5.10.10-hardened1.patch"
+        "name": "linux-hardened-5.10.52-hardened1.patch",
+        "sha256": "062a32rb1g5xk1npiz9fa114k7g4x9pmygycn3alc0phngjmvr98",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.52-hardened1/linux-hardened-5.10.52-hardened1.patch"
+    },
+    "5.12": {
+        "extra": "-hardened1",
+        "name": "linux-hardened-5.12.19-hardened1.patch",
+        "sha256": "1nr3922gd6il69k5cpp9g3knpy6yjb6jsmpi9k4v02bkvypg86dc",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.12.19-hardened1/linux-hardened-5.12.19-hardened1.patch"
     },
     "5.4": {
         "extra": "-hardened1",
-        "name": "linux-hardened-5.4.92-hardened1.patch",
-        "sha256": "0qklpyrd20xsyrvw6ij8y337vjfnxlkyyvalzk96ngkvlfv5b7qh",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.92-hardened1/linux-hardened-5.4.92-hardened1.patch"
+        "name": "linux-hardened-5.4.134-hardened1.patch",
+        "sha256": "0iay6dxwd1vqj02ljf0ghncrqpr6b0gby90xiza8kkk8wnh3r9hh",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.134-hardened1/linux-hardened-5.4.134-hardened1.patch"
     }
 }
diff --git a/pkgs/os-specific/linux/kernel/linux-4.14.nix b/pkgs/os-specific/linux/kernel/linux-4.14.nix
index d1d9e94e2a6..ccecc433a4a 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.14.nix
@@ -1,9 +1,9 @@
-{ lib, stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
 with lib;
 
 buildLinux (args // rec {
-  version = "4.14.217";
+  version = "4.14.240";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "04adj8x7p1has4mh8ygxhqgwb1i08fz9izqw1y6xj5hh8cjnm8v2";
+    sha256 = "1k65qwzlnqnh9ym0n2fxpa8nk2qwvykwhwgaixk3b7ndzmr8b6c8";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_14 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.19.nix b/pkgs/os-specific/linux/kernel/linux-4.19.nix
index 2bc5321ea7f..4ed06ee2205 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.19.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix
@@ -1,9 +1,9 @@
-{ lib, stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
 with lib;
 
 buildLinux (args // rec {
-  version = "4.19.170";
+  version = "4.19.198";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0jjvwbxpfvmzj4z6gkd2mh3kz9vh8hsgsm0013866hzgz1j043fx";
+    sha256 = "13k0r6a4n8nbni64a18wqzy0pg4vn1zw2li78xrm78rqcrnah85y";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_19 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index 9c04ee72238..6c2595386e0 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -1,11 +1,14 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
+{ buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.4.253";
+  version = "4.4.276";
   extraMeta.branch = "4.4";
+  extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0nlqnfhrkaj2s582kc0wxqi0881hgp6l9z85qx4ckflc8jwrh7k6";
+    sha256 = "1hf9h5kr1ws2lvinzq6cv7aps8af1kx4q8j4bsk2vv4i2zvmfr7y";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_4 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix
index df298ade084..0dc5cfeae6e 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@@ -1,11 +1,14 @@
-{ stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
+{ buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.9.253";
+  version = "4.9.276";
   extraMeta.branch = "4.9";
+  extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "065w35vb0qp4fvnwmcx7f92inmx64f9r04zzwcwbs0826nl52nws";
+    sha256 = "16jp05jhmqcp8lawqga69gxn1acdkxsskn3a6wf0635863fky3hv";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_4_9 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.10.nix b/pkgs/os-specific/linux/kernel/linux-5.10.nix
index 0eaa148a49c..f59cca3e12f 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.10.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.10.nix
@@ -1,9 +1,9 @@
-{ lib, stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
 with lib;
 
 buildLinux (args // rec {
-  version = "5.10.10";
+  version = "5.10.52";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "06fvgkrn9127xw9kly6l4ws3yv80q8xfqdzaam92lljim5pqdvb0";
+    sha256 = "0ydf09wsg0pkjm9dk8y730ksg15p5rlbhq445zx8k191zah5g7kn";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_10 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.12.nix b/pkgs/os-specific/linux/kernel/linux-5.12.nix
new file mode 100644
index 00000000000..e1e7aec2ce2
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-5.12.nix
@@ -0,0 +1,20 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "5.12.19";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "0wscz736n13m833cd12lskn47r0b8ki4fhgpjnwga0jsab9iqf79";
+  };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_12 ];
+} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.13.nix b/pkgs/os-specific/linux/kernel/linux-5.13.nix
new file mode 100644
index 00000000000..dd97944de78
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-5.13.nix
@@ -0,0 +1,21 @@
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
+
+with lib;
+
+buildLinux (args // rec {
+  version = "5.13.5";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = versions.majorMinor version;
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+    sha256 = "0lqh7krxxnbrvr3w1kag92z9r4n9436fr6answjkjfbvw0z7q74m";
+  };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_13 ];
+} // (args.argsOverride or { }))
+
diff --git a/pkgs/os-specific/linux/kernel/linux-5.4.nix b/pkgs/os-specific/linux/kernel/linux-5.4.nix
index 0469b731b89..c4e08b685b5 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix
@@ -1,9 +1,9 @@
-{ lib, stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
 with lib;
 
 buildLinux (args // rec {
-  version = "5.4.92";
+  version = "5.4.134";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,8 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1zcl4dadyfrgmx6rh0ncy403rsqb1qs092m6zr6b3i14i3wpz4y0";
+    sha256 = "0haqw1w6f8p330ydbsl7iml1x0qqrv63az6921p2a70n88b8dyy9";
   };
+
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_5_4 ];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix b/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
index a272bd286f3..a64520ab893 100644
--- a/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-hardkernel-4.14.nix
@@ -1,4 +1,4 @@
-{ stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, libelf, util-linux, ... } @ args:
+{ buildPackages, fetchFromGitHub, perl, buildLinux, libelf, util-linux, ... } @ args:
 
 buildLinux (args // rec {
   version = "4.14.165-172";
diff --git a/pkgs/os-specific/linux/kernel/linux-libre.nix b/pkgs/os-specific/linux/kernel/linux-libre.nix
index a84828aa0c1..f02c1ad1250 100644
--- a/pkgs/os-specific/linux/kernel/linux-libre.nix
+++ b/pkgs/os-specific/linux/kernel/linux-libre.nix
@@ -1,8 +1,8 @@
 { stdenv, lib, fetchsvn, linux
 , scripts ? fetchsvn {
     url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
-    rev = "17812";
-    sha256 = "150rh6qakyfzr6afzchf7c05z0dvc39gj0rpfb4ggr7xqpzhxrcc";
+    rev = "18191";
+    sha256 = "0ggaccg7z540kh5if48v6sjy39xllzvznqx5srvrlycrs2r89iyr";
   }
 , ...
 }:
@@ -35,6 +35,8 @@ in linux.override {
       '';
     };
 
+    extraMeta.broken = true;
+
     passthru.updateScript = ./update-libre.sh;
 
     maintainers = [ lib.maintainers.qyliss ];
diff --git a/pkgs/os-specific/linux/kernel/linux-lqx.nix b/pkgs/os-specific/linux/kernel/linux-lqx.nix
index 35df8e99ddc..23a6b0b2d36 100644
--- a/pkgs/os-specific/linux/kernel/linux-lqx.nix
+++ b/pkgs/os-specific/linux/kernel/linux-lqx.nix
@@ -1,8 +1,8 @@
-{ lib, stdenv, fetchFromGitHub, buildLinux, linux_zen, ... } @ args:
+{ lib, fetchFromGitHub, buildLinux, linux_zen, ... } @ args:
 
 let
-  version = "5.10.9";
-  suffix = "lqx1";
+  version = "5.12.19";
+  suffix = "lqx2";
 in
 
 buildLinux (args // {
@@ -14,13 +14,13 @@ buildLinux (args // {
     owner = "zen-kernel";
     repo = "zen-kernel";
     rev = "v${version}-${suffix}";
-    sha256 = "1j0rz4j1br7kzg9zb5l2xz60ccr4iwjndxq3f4gml8s3fb4cpp6f";
+    sha256 = "sha256-r2DvKLlm1a1VuJwC81tRuRwCd6H21T3MsBAC3b9TUbs=";
   };
 
   extraMeta = {
-    branch = "5.10/master";
+    branch = "5.12/master";
     maintainers = with lib.maintainers; [ atemu ];
     description = linux_zen.meta.description + " (Same as linux_zen but less aggressive release schedule)";
   };
 
-} // (args.argsOverride or {}))
+} // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix b/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
index f7bca36481b..a6a8d4936d4 100644
--- a/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
+++ b/pkgs/os-specific/linux/kernel/linux-mptcp-95.nix
@@ -1,7 +1,7 @@
-{ lib, stdenv, buildPackages, fetchFromGitHub, perl, buildLinux, structuredExtraConfig ? {}, ... } @ args:
+{ lib, buildPackages, fetchFromGitHub, perl, buildLinux, structuredExtraConfig ? {}, ... } @ args:
 let
-  mptcpVersion = "0.95";
-  modDirVersion = "4.19.55";
+  mptcpVersion = "0.95.1";
+  modDirVersion = "4.19.126";
 in
 buildLinux ({
   version = "${modDirVersion}-mptcp_v${mptcpVersion}";
@@ -16,7 +16,7 @@ buildLinux ({
     owner = "multipath-tcp";
     repo = "mptcp";
     rev = "v${mptcpVersion}";
-    sha256 = "04a66iq5vsiz8mkpszfxmqknz7y4w3lsckrcz6q1syjpk0pdyiyw";
+    sha256 = "sha256-J9UXhkI49cq83EtojLHieRtp8fT3LXTJNIqb+mUwZdM=";
   };
 
   structuredExtraConfig = lib.mkMerge [
diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix
index 176c2180f35..8ccf46b402b 100644
--- a/pkgs/os-specific/linux/kernel/linux-rpi.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix
@@ -2,8 +2,8 @@
 
 let
   # NOTE: raspberrypifw & raspberryPiWirelessFirmware should be updated with this
-  modDirVersion = "5.4.79";
-  tag = "1.20201201";
+  modDirVersion = "5.10.17";
+  tag = "1.20210303";
 in
 lib.overrideDerivation (buildLinux (args // {
   version = "${modDirVersion}-${tag}";
@@ -13,7 +13,7 @@ lib.overrideDerivation (buildLinux (args // {
     owner = "raspberrypi";
     repo = "linux";
     rev = "raspberrypi-kernel_${tag}-1";
-    sha256 = "093p5kh5f27djkhbcw371w079lhhihvg3s4by3wzsd40di4fcgn9";
+    sha256 = "0ffsllayl18ka4mgp4rdy9h0da5gy1n6g0kfvinvzdzabb5wzvrx";
   };
 
   defconfig = {
@@ -23,15 +23,18 @@ lib.overrideDerivation (buildLinux (args // {
     "4" = "bcm2711_defconfig";
   }.${toString rpiVersion};
 
-  extraConfig = ''
-    # ../drivers/pci/controller/pcie-altera.c:679:8: error: too few arguments to function 'devm_of_pci_get_host_bridge_resources'
-    PCIE_ALTERA n
-  '';
-
   features = {
     efiBootStub = false;
   } // (args.features or {});
 
+  extraConfig = ''
+    # ../drivers/gpu/drm/ast/ast_mode.c:851:18: error: initialization of 'void (*)(struct drm_crtc *, struct drm_atomic_state *)' from incompatible pointer type 'void (*)(struct drm_crtc *, struct drm_crtc_state *)' [-Werror=incompatible-pointer-types]
+    #   851 |  .atomic_flush = ast_crtc_helper_atomic_flush,
+    #       |                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # ../drivers/gpu/drm/ast/ast_mode.c:851:18: note: (near initialization for 'ast_crtc_helper_funcs.atomic_flush')
+    DRM_AST n
+  '';
+
   extraMeta = if (rpiVersion < 3) then {
     platforms = with lib.platforms; [ arm ];
     hydraPlatforms = [];
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
index d733f0bdfa4..83b2fc05093 100644
--- a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "5.10.8-rt24"; # updated by ./update-rt.sh
+  version = "5.10.52-rt47"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -18,16 +18,16 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "1v83wm8xbhq1sgn7c84zi7l40vmd9k1gb653b686jp8n4na85z2w";
+    sha256 = "0ydf09wsg0pkjm9dk8y730ksg15p5rlbhq445zx8k191zah5g7kn";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "06fqwx9flcxzbjr9gb0d7v4hidypzz69r6p2mfzhqh7ii0p89f30";
+      sha256 = "1n71nbshma0gxyrifyymrd0wii1q0plj020amc0wdzzm27xs5k2k";
     };
-  }; in [ rt-patch ] ++ lib.remove rt-patch kernelPatches;
+  }; in [ rt-patch ] ++ kernelPatches;
 
   structuredExtraConfig = with lib.kernel; {
     PREEMPT_RT = yes;
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.6.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.11.nix
index 7c77454040d..5d1b14f1d0f 100644
--- a/pkgs/os-specific/linux/kernel/linux-rt-5.6.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.11.nix
@@ -6,24 +6,28 @@
 , ... } @ args:
 
 let
-  version = "5.6.19-rt12"; # updated by ./update-rt.sh
+  version = "5.11.4-rt11"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
   inherit version;
 
+  # modDirVersion needs a patch number, change X.Y-rtZ to X.Y.0-rtZ.
+  modDirVersion = if (builtins.match "[^.]*[.][^.]*-.*" version) == null then version
+    else lib.replaceStrings ["-"] [".0-"] version;
+
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "1s0yc1138sglbm4vyizl4r7hnc1l7nykdjp4063ad67yayr2ylv2";
+    sha256 = "1i8dfw83ndaylwji7lazfckk113plvnz7kh1yppbfg35r6przrc8";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "0ia8rx0615x0z2s4ppw1244crg7c5ak07c9n3wbnz7y8bk8hyxws";
+      sha256 = "1az6cn9jj3bnjgwzzrjy1adnrnn06p2vzsnc1iib4xhs0sfr27hc";
     };
-  }; in [ rt-patch ] ++ lib.remove rt-patch kernelPatches;
+  }; in [ rt-patch ] ++ kernelPatches;
 
   structuredExtraConfig = with lib.kernel; {
     PREEMPT_RT = yes;
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
index 25e3172b0f3..4c49dc9c42a 100644
--- a/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "5.4.84-rt47"; # updated by ./update-rt.sh
+  version = "5.4.129-rt61"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -14,16 +14,16 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "058mhczv6whjwxn7jjh1c6n5zrqjdnvbl2mp7jkfrg6frpvgr189";
+    sha256 = "1ps64gx85lmbriq445hd2hcv4g4b1d1cwf4r3nd90x6i2cj4c9j4";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "0nccxf9l9ycvb782f48zrbl59vi674qq7yjyaks97440pgyd1jg0";
+      sha256 = "0b3hp6a7afkjqd7an4hj423nq6flwzd42kjcyk4pifv5fx6c7pgq";
     };
-  }; in [ rt-patch ] ++ lib.remove rt-patch kernelPatches;
+  }; in [ rt-patch ] ++ kernelPatches;
 
   structuredExtraConfig = with lib.kernel; {
     PREEMPT_RT = yes;
diff --git a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
index 5f0f513ff45..a12633eb6d7 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing-bcachefs.nix
@@ -1,23 +1,33 @@
-{ lib, stdenv, buildPackages, fetchFromGitHub, fetchpatch, perl, buildLinux, ... } @ args:
+{ lib
+, fetchpatch
+, kernel
+, date ? "2021-07-08"
+, commit ? "3693b2ca83ff9eda49660b31299d2bebe3a1075f"
+, diffHash ? "1sfq3vwc2kxa761s292f2cqrm0vvqvkdx6drpyn5yaxwnapwidcw"
+, kernelPatches # must always be defined in bcachefs' all-packages.nix entry because it's also a top-level attribute supplied by callPackage
+, argsOverride ? {}
+, ...
+} @ args:
 
-buildLinux (args // {
-  version = "5.9.0-2020.11.20";
-  modDirVersion = "5.9.0";
+kernel.override ( args // {
 
-  src = fetchFromGitHub {
-    owner = "koverstreet";
-    repo = "bcachefs";
-    rev = "6a505b63ed3003faf5000f19fd08bbd477d93fbc";
-    sha256 = "1rf34gzv9npafp1c3i6lymk3b0gnqp4rb0wl33pw6yrpgnsry3cc";
-  };
+  argsOverride = {
+    version = "${kernel.version}-bcachefs-unstable-${date}";
+    extraMeta = {
+      branch = "master";
+      maintainers = with lib.maintainers; [ davidak chiiruno ];
+      platforms = [ "x86_64-linux" ];
+    };
+  } // argsOverride;
 
-  extraConfig = "BCACHEFS_FS m";
+  kernelPatches = [ {
+      name = "bcachefs-${commit}";
+      patch = fetchpatch {
+        name = "bcachefs-${commit}.diff";
+        url = "https://evilpiepirate.org/git/bcachefs.git/rawdiff/?id=${commit}&id2=v${lib.versions.majorMinor kernel.version}";
+        sha256 = diffHash;
+      };
+      extraConfig = "BCACHEFS_FS m";
+    } ] ++ kernelPatches;
 
-  extraMeta = {
-    branch = "master";
-    hydraPlatforms = []; # Should the testing kernels ever be built on Hydra?
-    maintainers = with lib.maintainers; [ davidak chiiruno ];
-    platforms = [ "x86_64-linux" ];
-  };
-
-} // (args.argsOverride or {}))
+})
diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix
index 98fafaadece..4e2ef7b4652 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -1,19 +1,21 @@
-{ lib, stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+{ lib, buildPackages, fetchurl, perl, buildLinux, nixosTests, modDirVersionArg ? null, ... } @ args:
 
 with lib;
 
 buildLinux (args // rec {
-  version = "5.11-rc3";
-  extraMeta.branch = "5.11";
+  version = "5.13-rc6";
+  extraMeta.branch = "5.12";
 
   # modDirVersion needs to be x.y.z, will always add .0
   modDirVersion = if (modDirVersionArg == null) then builtins.replaceStrings ["-"] [".0-"] version else modDirVersionArg;
 
   src = fetchurl {
     url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz";
-    sha256 = "15dfgvicp7s9xqaa3w8lmfffzyjsqrq1fa2gs1a8awzs5rxgsn61";
+    sha256 = "sha256-PunFd6tOsmrsPItp2QX4TEVxHnvvi1BMSwWio/DTlMU=";
   };
 
+  kernelTests = args.kernelTests or [ nixosTests.kernel-generic.linux_testing ];
+
   # Should the testing kernels ever be built on Hydra?
   extraMeta.hydraPlatforms = [];
 
diff --git a/pkgs/os-specific/linux/kernel/linux-xanmod.nix b/pkgs/os-specific/linux/kernel/linux-xanmod.nix
new file mode 100644
index 00000000000..758f6fd998a
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-xanmod.nix
@@ -0,0 +1,54 @@
+{ lib, stdenv, buildLinux, fetchFromGitHub, ... } @ args:
+
+let
+  version = "5.13.4";
+  suffix = "xanmod1-cacule";
+in
+buildLinux (args // rec {
+  inherit version;
+  modDirVersion = "${version}-${suffix}";
+
+  src = fetchFromGitHub {
+    owner = "xanmod";
+    repo = "linux";
+    rev = modDirVersion;
+    sha256 = "sha256-jSV5dL6myB4WeokYBwoBtQaOfLaUgvseYtReyjLGOhU=";
+  };
+
+  structuredExtraConfig = with lib.kernel; {
+    # Preemptive Full Tickless Kernel at 500Hz
+    PREEMPT_VOLUNTARY = lib.mkForce no;
+    PREEMPT = lib.mkForce yes;
+    NO_HZ_FULL = yes;
+    HZ_500 = yes;
+
+    # Google's Multigenerational LRU Framework
+    LRU_GEN = yes;
+    LRU_GEN_ENABLED = yes;
+
+    # Google's BBRv2 TCP congestion Control
+    TCP_CONG_BBR2 = yes;
+    DEFAULT_BBR2 = yes;
+
+    # FQ-PIE Packet Scheduling
+    NET_SCH_DEFAULT = yes;
+    DEFAULT_FQ_PIE = yes;
+
+    # Graysky's additional CPU optimizations
+    CC_OPTIMIZE_FOR_PERFORMANCE_O3 = yes;
+
+    # Android Ashmem and Binder IPC Driver as module for Anbox
+    ASHMEM = module;
+    ANDROID = yes;
+    ANDROID_BINDER_IPC = module;
+    ANDROID_BINDERFS = module;
+    ANDROID_BINDER_DEVICES = freeform "binder,hwbinder,vndbinder";
+  };
+
+  extraMeta = {
+    branch = "5.13-cacule";
+    maintainers = with lib.maintainers; [ fortuneteller2k ];
+    description = "Built with custom settings and new features built to provide a stable, responsive and smooth desktop experience";
+    broken = stdenv.isAarch64;
+  };
+} // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-zen.nix b/pkgs/os-specific/linux/kernel/linux-zen.nix
index aa73e7b8a3e..caf65508210 100644
--- a/pkgs/os-specific/linux/kernel/linux-zen.nix
+++ b/pkgs/os-specific/linux/kernel/linux-zen.nix
@@ -1,8 +1,8 @@
-{ lib, stdenv, fetchFromGitHub, buildLinux, ... } @ args:
+{ lib, fetchFromGitHub, buildLinux, ... } @ args:
 
 let
-  version = "5.10.9";
-  suffix = "zen1";
+  version = "5.12.19";
+  suffix = "zen2";
 in
 
 buildLinux (args // {
@@ -14,13 +14,13 @@ buildLinux (args // {
     owner = "zen-kernel";
     repo = "zen-kernel";
     rev = "v${version}-${suffix}";
-    sha256 = "0p7w2ib8aac0cx16fksr8870kmijw86hbzdkjsq1ww07ifnb4qir";
+    sha256 = "sha256-l+KIlaXoq/Nzf7mUom9DUjaAsn7UxeKGL6MbYN7mBZk=";
   };
 
   extraMeta = {
-    branch = "5.10/master";
+    branch = "5.12/master";
     maintainers = with lib.maintainers; [ atemu andresilva ];
     description = "Built using the best configuration and kernel sources for desktop, multimedia, and gaming workloads.";
   };
 
-} // (args.argsOverride or {}))
+} // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 2fc63322f5b..77add0aef53 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -1,5 +1,5 @@
 { lib, buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl
-, libelf, cpio, elfutils, zstd, gawk
+, libelf, cpio, elfutils, zstd, gawk, python3Minimal
 , writeTextFile
 }:
 
@@ -19,6 +19,8 @@ in {
   stdenv,
   # The kernel version
   version,
+  # Additional kernel make flags
+  extraMakeFlags ? [],
   # The version of the kernel module directory
   modDirVersion ? version,
   # The kernel source (tarball, git checkout, etc.)
@@ -37,7 +39,6 @@ in {
   extraMeta ? {},
 
   # for module compatibility
-  isXen      ? features.xen_dom0 or false,
   isZen      ? false,
   isLibre    ? false,
   isHardened ? false,
@@ -94,7 +95,8 @@ let
       passthru = {
         inherit version modDirVersion config kernelPatches configfile
           moduleBuildDependencies stdenv;
-        inherit isXen isZen isHardened isLibre;
+        inherit isZen isHardened isLibre;
+        isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
         kernelOlder = lib.versionOlder version;
         kernelAtLeast = lib.versionAtLeast version;
       };
@@ -119,9 +121,9 @@ let
         # This way kernels can be bit-by-bit reproducible depending on settings
         # (e.g. MODULE_SIG and SECURITY_LOCKDOWN_LSM need to be disabled).
         # See also https://kernelnewbies.org/BuildId
-        sed -i Makefile -e 's|--build-id|--build-id=none|'
+        sed -i Makefile -e 's|--build-id=[^ ]*|--build-id=none|'
 
-        patchShebangs scripts/ld-version.sh
+        patchShebangs scripts
       '';
 
       postPatch = ''
@@ -173,7 +175,9 @@ let
         "KBUILD_BUILD_VERSION=1-NixOS"
         kernelConf.target
         "vmlinux"  # for "perf" and things like that
-      ] ++ optional isModular "modules";
+      ]
+      ++ optional isModular "modules"
+      ++ extraMakeFlags;
 
       installFlags = [
         "INSTALLKERNEL=${installkernel}"
@@ -285,7 +289,7 @@ let
             " (with patches: "
             + lib.concatStringsSep ", " (map (x: x.name) kernelPatches)
             + ")");
-        license = lib.licenses.gpl2;
+        license = lib.licenses.gpl2Only;
         homepage = "https://www.kernel.org/";
         repositories.git = "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git";
         maintainers = [
@@ -307,7 +311,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.linux-kernel kernelPat
   enableParallelBuilding = true;
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr gawk zstd ]
+  nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr gawk zstd python3Minimal ]
       ++ optional  (stdenv.hostPlatform.linux-kernel.target == "uImage") buildPackages.ubootTools
       ++ optional  (lib.versionAtLeast version "4.14" && lib.versionOlder version "5.8") libelf
       # Removed util-linuxMinimal since it should not be a dependency.
@@ -325,7 +329,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.linux-kernel kernelPat
     "ARCH=${stdenv.hostPlatform.linuxArch}"
   ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) [
     "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
-  ];
+  ] ++ extraMakeFlags;
 
   karch = stdenv.hostPlatform.linuxArch;
 })
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index e7667bf1bc2..f41cedca0f6 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -1,6 +1,19 @@
 { lib, fetchpatch, fetchurl }:
 
 {
+  ath_regd_optional = rec {
+    name = "ath_regd_optional";
+    patch = fetchpatch {
+      name = name + ".patch";
+      url = "https://github.com/openwrt/openwrt/raw/ed2015c38617ed6624471e77f27fbb0c58c8c660/package/kernel/mac80211/patches/ath/402-ath_regd_optional.patch";
+      sha256 = "1ssDXSweHhF+pMZyd6kSrzeW60eb6MO6tlf0il17RC0=";
+      postFetch = ''
+        sed -i 's/CPTCFG_/CONFIG_/g' $out
+        sed -i '/--- a\/local-symbols/,$d' $out
+      '';
+    };
+  };
+
   bridge_stp_helper =
     { name = "bridge-stp-helper";
       patch = ./bridge-stp-helper.patch;
@@ -79,17 +92,6 @@
       patch = ./rtl8761b-support.patch;
     };
 
-  export_kernel_fpu_functions = {
-    "4.14" = {
-      name = "export_kernel_fpu_functions";
-      patch = ./export_kernel_fpu_functions_4_14.patch;
-    };
-    "5.3" = {
-      name = "export_kernel_fpu_functions";
-      patch = ./export_kernel_fpu_functions_5_3.patch;
-    };
-  };
-
   export-rt-sched-migrate = {
     name = "export-rt-sched-migrate";
     patch = ./export-rt-sched-migrate.patch;
diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix
index b28e1659083..b58bca352e6 100644
--- a/pkgs/os-specific/linux/kernel/perf.nix
+++ b/pkgs/os-specific/linux/kernel/perf.nix
@@ -1,12 +1,14 @@
 { lib, stdenv, kernel, elfutils, python2, python3, perl, newt, slang, asciidoc, xmlto, makeWrapper
 , docbook_xsl, docbook_xml_dtd_45, libxslt, flex, bison, pkg-config, libunwind, binutils
 , libiberty, audit, libbfd, libopcodes, openssl, systemtap, numactl
-, zlib, withGtk ? false, gtk2 ? null
+, zlib
+, withGtk ? false, gtk2
+, withZstd ? true, zstd
+, withLibcap ? true, libcap
 }:
 
 with lib;
 
-assert withGtk -> gtk2 != null;
 assert versionAtLeast kernel.version "3.12";
 
 stdenv.mkDerivation {
@@ -42,7 +44,9 @@ stdenv.mkDerivation {
     elfutils newt slang libunwind libbfd zlib openssl systemtap.stapBuild numactl
     libopcodes python3 perl
   ] ++ lib.optional withGtk gtk2
-    ++ (if (versionAtLeast kernel.version "4.19") then [ python3 ] else [ python2 ]);
+    ++ (if (versionAtLeast kernel.version "4.19") then [ python3 ] else [ python2 ])
+    ++ lib.optional withZstd zstd
+    ++ lib.optional withLibcap libcap;
 
   # Note: we don't add elfutils to buildInputs, since it provides a
   # bad `ld' and other stuff.
@@ -55,7 +59,7 @@ stdenv.mkDerivation {
   ];
 
   postPatch = ''
-    patchShebangs scripts/bpf_helpers_doc.py
+    patchShebangs scripts
   '';
 
   doCheck = false; # requires "sparse"
@@ -74,5 +78,6 @@ stdenv.mkDerivation {
     description = "Linux tools to profile with performance counters";
     maintainers = with lib.maintainers; [viric];
     platforms = with lib.platforms; linux;
+    broken = kernel.kernelOlder "5";
   };
 }
diff --git a/pkgs/os-specific/linux/kernel/update-rt.sh b/pkgs/os-specific/linux/kernel/update-rt.sh
index 4cbd45524a8..ccb01793342 100755
--- a/pkgs/os-specific/linux/kernel/update-rt.sh
+++ b/pkgs/os-specific/linux/kernel/update-rt.sh
@@ -36,7 +36,9 @@ file-version() {
 latest-rt-version() {
     branch="$1" # e.g. 5.4
     curl -sL "$mirror/projects/rt/$branch/sha256sums.asc" |
-        sed -ne '/.patch.xz/ { s/.*patch-\(.*\).patch.xz/\1/; p; q }'
+        sed -ne '/.patch.xz/ { s/.*patch-\(.*\).patch.xz/\1/p}' |
+        grep -v '\-rc' |
+        tail -n 1
 }
 
 update-if-needed() {
diff --git a/pkgs/os-specific/linux/kinect-audio-setup/default.nix b/pkgs/os-specific/linux/kinect-audio-setup/default.nix
new file mode 100644
index 00000000000..94ae4806cf2
--- /dev/null
+++ b/pkgs/os-specific/linux/kinect-audio-setup/default.nix
@@ -0,0 +1,91 @@
+{ lib
+, stdenv
+, fetchgit
+, requireFile
+, pkg-config
+, libusb1
+, p7zip
+}:
+
+let
+  # The last known good firmware package to have been tested
+  # by the upstream projet.
+  # The firmware URL is hardcoded in the upstream project's installation script
+  firmwareUrl = "https://download.microsoft.com/download/F/9/9/F99791F2-D5BE-478A-B77A-830AD14950C3/KinectSDK-v1.0-beta2-x86.msi";
+  # The original URL "https://research.microsoft.com/en-us/um/legal/kinectsdk-tou_noncommercial.htm"
+  # redirects to the following url:
+  licenseUrl = "https://www.microsoft.com/en-us/legal/terms-of-use";
+in
+stdenv.mkDerivation rec {
+  pname = "kinect-audio-setup";
+
+  # On update: Make sure that the `firmwareURL` is still in sync with upstream.
+  # If the project structure hasn't changed you can find the URL in the
+  # `kinect_fetch_fw` file in the project source.
+  version = "0.5";
+
+  # This is an MSI or CAB file
+  FIRMWARE = requireFile rec {
+    name = "UACFirmware";
+    sha256 = "08a2vpgd061cmc6h3h8i6qj3sjvjr1fwcnwccwywqypz3icn8xw1";
+    message = ''
+      In order to install the Kinect Audio Firmware, you need to download the
+      non-redistributable firmware from Microsoft.
+      The firmware is available at ${firmwareUrl} and the license at ${licenseUrl} .
+      Save the file as UACFirmware and use "nix-prefetch-url file://\$PWD/UACFirmware" to
+      add it to the Nix store.
+    '';
+  };
+
+  src = fetchgit {
+    url = "git://git.ao2.it/kinect-audio-setup.git";
+    rev = "v${version}";
+    sha256 = "sha256-bFwmWh822KvFwP/0Gu097nF5K2uCwCLMB1RtP7k+Zt0=";
+  };
+
+  # These patches are not upstream because the project has seen no
+  # activity since 2016
+  patches = [
+    ./libusb-1-import-path.patch
+    ./udev-rules-extra-devices.patch
+  ];
+
+  nativeBuildInputs = [ p7zip libusb1 pkg-config ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+    "DESTDIR=$(out)"
+    "FIRMWARE_PATH=$(out)/lib/firmware/UACFirmware"
+    "LOADER_PATH=$(out)/libexec/kinect_upload_fw"
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+    make -C kinect_upload_fw kinect_upload_fw $makeFlags "''${makeFlagsArray[@]}"
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/libexec/ $out/lib/firmware $out/lib/udev/rules.d
+
+    install -Dm755 kinect_upload_fw/kinect_upload_fw $out/libexec/
+
+    # 7z extract "assume yes on all queries" "only extract/keep files/directories matching UACFIRMWARE.* recursively"
+    7z e -y -r "${FIRMWARE}" "UACFirmware.*" >/dev/null
+    # The filename is bound to change with the Firmware SDK
+    mv UACFirmware.* $out/lib/firmware/UACFirmware
+
+    make install_udev_rules $makeFlags "''${makeFlagsArray[@]}"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Tools to enable audio input from the Microsoft Kinect sensor device";
+    homepage = "https://git.ao2.it/kinect-audio-setup.git";
+    maintainers = with maintainers; [ berbiche ];
+    platforms = platforms.linux;
+    license = licenses.unfree;
+  };
+}
diff --git a/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch b/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch
new file mode 100644
index 00000000000..a0c5ad99f9f
--- /dev/null
+++ b/pkgs/os-specific/linux/kinect-audio-setup/libusb-1-import-path.patch
@@ -0,0 +1,23 @@
+commit 02fd6c4355809e1bff7c66d478e88f30bedde13b
+Author: Nicolas Berbiche <nicolas@normie.dev>
+Date:   Wed May 5 23:14:56 2021 -0400
+
+    fix libusb include for Linux
+
+diff --git a/kinect_upload_fw/kinect_upload_fw.c b/kinect_upload_fw/kinect_upload_fw.c
+index 1bd4102..351c94f 100644
+--- a/kinect_upload_fw/kinect_upload_fw.c
++++ b/kinect_upload_fw/kinect_upload_fw.c
+@@ -35,7 +35,12 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <errno.h>
++
++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(_WIN32)
+ #include <libusb.h>
++#else
++#include <libusb-1.0/libusb.h>
++#endif
+ 
+ #include "endian.h"
+ 
diff --git a/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch b/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch
new file mode 100644
index 00000000000..d58b970c7c0
--- /dev/null
+++ b/pkgs/os-specific/linux/kinect-audio-setup/udev-rules-extra-devices.patch
@@ -0,0 +1,15 @@
+commit afaaa77b0a03811f86428cf264397b60dd795549
+Author: Nicolas Berbiche <nicolas@normie.dev>
+Date:   Thu May 6 00:10:37 2021 -0400
+
+    Add support for other Kinect device in udev
+
+diff --git a/contrib/55-kinect_audio.rules.in b/contrib/55-kinect_audio.rules.in
+index 25ea713..9e1b69f 100644
+--- a/contrib/55-kinect_audio.rules.in
++++ b/contrib/55-kinect_audio.rules.in
+@@ -1,2 +1,4 @@
+ # Rule to load the Kinect UAC firmware on the "generic" usb device
+ ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="02ad", RUN+="@LOADER_PATH@ @FIRMWARE_PATH@"
++# Rule to load the Kinect UAC firmware on another supported device
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="045e", ATTRS{idProduct}=="02bb", RUN+="@LOADER_PATH@ @FIRMWARE_PATH@"
diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix
index dc96f3b6a62..522a74dea01 100644
--- a/pkgs/os-specific/linux/klibc/default.nix
+++ b/pkgs/os-specific/linux/klibc/default.nix
@@ -9,11 +9,11 @@ in
 
 stdenv.mkDerivation rec {
   pname = "klibc";
-  version = "2.0.8";
+  version = "2.0.9";
 
   src = fetchurl {
     url = "mirror://kernel/linux/libs/klibc/2.0/klibc-${version}.tar.xz";
-    sha256 = "0dmlkhnn5q8fc6rkzsisir4chkzmmiq6xkjmvyvf0g7yihwz2j2f";
+    sha256 = "sha256-bcynCJEzINJjCfBbDCv2gHG/EbPa3MTmx9kjg3/CPuE=";
   };
 
   patches = [ ./no-reinstall-kernel-headers.patch ];
diff --git a/pkgs/os-specific/linux/kmod/darwin.patch b/pkgs/os-specific/linux/kmod/darwin.patch
index 69dbf479f9f..e112e691525 100644
--- a/pkgs/os-specific/linux/kmod/darwin.patch
+++ b/pkgs/os-specific/linux/kmod/darwin.patch
@@ -121,3 +121,15 @@ index fd2028d..ecb0141 100644
  	if (!cwd)
  		return NULL;
  
+--- a/shared/util.h	2018-01-31 18:10:59.000000000 +0100
++++ b/shared/util.h	2020-12-28 19:48:21.000000000 +0100
+@@ -7,6 +7,9 @@
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#ifdef __APPLE__
++#include <libgen.h>
++#endif
+ 
+ #include <shared/macro.h>
+ 
diff --git a/pkgs/os-specific/linux/kvmfr/default.nix b/pkgs/os-specific/linux/kvmfr/default.nix
new file mode 100644
index 00000000000..a7949c85c2e
--- /dev/null
+++ b/pkgs/os-specific/linux/kvmfr/default.nix
@@ -0,0 +1,32 @@
+{ lib, stdenv, fetchFromGitHub, kernel, kmod, looking-glass-client }:
+
+stdenv.mkDerivation rec {
+  pname = "kvmfr";
+  version = looking-glass-client.version;
+
+  src = looking-glass-client.src;
+  sourceRoot = "source/module";
+  hardeningDisable = [ "pic" "format" ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  makeFlags = [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D kvmfr.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/misc/"
+  '';
+
+  meta = with lib; {
+    description = "Optional kernel module for LookingGlass";
+    longDescription = ''
+      This kernel module implements a basic interface to the IVSHMEM device for LookingGlass when using LookingGlass in VM->VM mode
+      Additionally, in VM->host mode, it can be used to generate a shared memory device on the host machine that supports dmabuf
+    '';
+    homepage = "https://github.com/gnif/LookingGlass";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ j-brn ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/os-specific/linux/libaio/default.nix b/pkgs/os-specific/linux/libaio/default.nix
index 8cbc8466a91..046bba5dda0 100644
--- a/pkgs/os-specific/linux/libaio/default.nix
+++ b/pkgs/os-specific/linux/libaio/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
 
   makeFlags = [
     "prefix=${placeholder "out"}"
-  ];
+  ] ++ lib.optional stdenv.hostPlatform.isStatic "ENABLE_SHARED=0";
 
   hardeningDisable = lib.optional (stdenv.isi686) "stackprotector";
 
diff --git a/pkgs/os-specific/linux/libcap-ng/default.nix b/pkgs/os-specific/linux/libcap-ng/default.nix
index f8f9b5b80ba..615f376d79d 100644
--- a/pkgs/os-specific/linux/libcap-ng/default.nix
+++ b/pkgs/os-specific/linux/libcap-ng/default.nix
@@ -6,11 +6,11 @@ stdenv.mkDerivation rec {
   pname = "libcap-ng";
   # When updating make sure to test that the version with
   # all of the python bindings still works
-  version = "0.8";
+  version = "0.8.2";
 
   src = fetchurl {
     url = "${meta.homepage}/${pname}-${version}.tar.gz";
-    sha256 = "08cy59iassiwbmfxa5v0kb374r80290vv32f5q1mnip11av26kgi";
+    sha256 = "1sasp1n154aqy9fz0knlb966svm7xg1zjhg1vr4q839bgjvq7h2j";
   };
 
   nativeBuildInputs = [ swig ];
diff --git a/pkgs/os-specific/linux/libcap/default.nix b/pkgs/os-specific/linux/libcap/default.nix
index 4c4238a7e0e..47fa7c05e79 100644
--- a/pkgs/os-specific/linux/libcap/default.nix
+++ b/pkgs/os-specific/linux/libcap/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, buildPackages, fetchurl, attr, perl
+{ stdenv, lib, buildPackages, fetchurl, attr, perl, runtimeShell
 , usePam ? !isStatic, pam ? null
 , isStatic ? stdenv.hostPlatform.isStatic
 }:
@@ -7,15 +7,13 @@ assert usePam -> pam != null;
 
 stdenv.mkDerivation rec {
   pname = "libcap";
-  version = "2.44";
+  version = "2.48";
 
   src = fetchurl {
     url = "mirror://kernel/linux/libs/security/linux-privs/libcap2/${pname}-${version}.tar.xz";
-    sha256 = "1qf80lifygbnxwvqjf8jz5j24n6fqqx4ixnkbf76xs2vrmcq664j";
+    sha256 = "sha256-TelZDuCah8KC1Vhzf/tbYXXMv9JtWArdEN9E0PBH9sI=";
   };
 
-  patches = lib.optional isStatic ./no-shared-lib.patch;
-
   outputs = [ "out" "dev" "lib" "man" "doc" ]
     ++ lib.optional usePam "pam";
 
@@ -31,14 +29,11 @@ stdenv.mkDerivation rec {
     "PAM_CAP=${if usePam then "yes" else "no"}"
     "BUILD_CC=$(CC_FOR_BUILD)"
     "CC:=$(CC)"
-  ];
+  ] ++ lib.optional isStatic "SHARED=no";
 
   prePatch = ''
-    # use relative bash path
-    substituteInPlace progs/capsh.c --replace "/bin/bash" "bash"
-
-    # ensure capsh can find bash in $PATH
-    substituteInPlace progs/capsh.c --replace execve execvpe
+    # use full path to bash
+    substituteInPlace progs/capsh.c --replace "/bin/bash" "${runtimeShell}"
 
     # set prefixes
     substituteInPlace Make.Rules \
diff --git a/pkgs/os-specific/linux/libcap/no-shared-lib.patch b/pkgs/os-specific/linux/libcap/no-shared-lib.patch
deleted file mode 100644
index 73dc7de063d..00000000000
--- a/pkgs/os-specific/linux/libcap/no-shared-lib.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/libcap/Makefile b/libcap/Makefile
-index de6a28d..7e4d8ac 100644
---- a/libcap/Makefile
-+++ b/libcap/Makefile
-@@ -22,7 +22,7 @@ MAJLIBNAME=$(LIBNAME).$(VERSION)
- MINLIBNAME=$(MAJLIBNAME).$(MINOR)
- GPERF_OUTPUT = _caps_output.gperf
- 
--all: $(MINLIBNAME) $(STACAPLIBNAME) pcs $(STAPSXLIBNAME)
-+all: $(STACAPLIBNAME) pcs $(STAPSXLIBNAME)
- 
- pcs: libcap.pc libpsx.pc
- 
-@@ -93,7 +93,7 @@ cap_test: cap_test.c libcap.h
- test: cap_test
- 	./cap_test
- 
--install: install-static install-shared
-+install: install-static
- 
- install-static: install-static-cap install-static-psx
- 
diff --git a/pkgs/os-specific/linux/libcgroup/default.nix b/pkgs/os-specific/linux/libcgroup/default.nix
index b43d70f21bb..6d6a8e7c21e 100644
--- a/pkgs/os-specific/linux/libcgroup/default.nix
+++ b/pkgs/os-specific/linux/libcgroup/default.nix
@@ -1,26 +1,21 @@
-{ lib, stdenv, fetchurl, fetchpatch, pam, yacc, flex }:
+{ lib, stdenv, fetchFromGitHub, pam, bison, flex, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   pname = "libcgroup";
-  version = "0.41";
+  version = "0.42.2";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/libcg/${pname}-${version}.tar.bz2";
-    sha256 = "0lgvyq37gq84sk30sg18admxaj0j0p5dq3bl6g74a1ppgvf8pqz4";
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1h8s70lm6g7r0wj7j3xgj2g3j9fifvsy2pna6w0j3i5hh42qfms4";
   };
 
-  buildInputs = [ pam yacc flex ];
-
-  patches = [
-    (fetchpatch {
-      name = "CVE-2018-14348.patch";
-      url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/libcgroup/files/libcgroup-0.41-remove-umask.patch?id=33e9f4c81de754bbf76b893ea1133ed023f2a0e5";
-      sha256 = "1x0x29ld0cgmfwq4qy13s6d5c8sym1frfh1j2q47d8gfw6qaxka5";
-    })
-  ];
+  buildInputs = [ pam bison flex ];
+  nativeBuildInputs = [ autoreconfHook ];
 
   postPatch = ''
-    substituteInPlace src/tools/Makefile.in \
+    substituteInPlace src/tools/Makefile.am \
       --replace 'chmod u+s' 'chmod +x'
   '';
 
diff --git a/pkgs/os-specific/linux/libfabric/default.nix b/pkgs/os-specific/linux/libfabric/default.nix
index b1f9bada315..9a1e44f6af9 100644
--- a/pkgs/os-specific/linux/libfabric/default.nix
+++ b/pkgs/os-specific/linux/libfabric/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   pname = "libfabric";
-  version = "1.11.1";
+  version = "1.12.1";
 
   enableParallelBuilding = true;
 
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
     owner = "ofiwg";
     repo = pname;
     rev = "v${version}";
-    sha256 = "17qq96mlfhbkbmsvbazhxzkjnh6x37xlh3r0ngp0rfqbl05z2pcr";
+    sha256 = "sha256-J2PoDwjPWYpagX4M2k9E1xitBzgRUZzwX9Gf00H+Tdc=";
   };
 
   nativeBuildInputs = [ pkg-config autoreconfHook ] ;
diff --git a/pkgs/os-specific/linux/libnl/default.nix b/pkgs/os-specific/linux/libnl/default.nix
index b7d08344e40..d6604f9e15b 100644
--- a/pkgs/os-specific/linux/libnl/default.nix
+++ b/pkgs/os-specific/linux/libnl/default.nix
@@ -1,5 +1,5 @@
 { stdenv, file, lib, fetchFromGitHub, autoreconfHook, bison, flex, pkg-config
-, pythonSupport ? false, swig ? null, python}:
+, pythonSupport ? false, swig ? null, python ? null}:
 
 stdenv.mkDerivation rec {
   pname = "libnl";
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
 
   postBuild = lib.optionalString (pythonSupport) ''
       cd python
-      ${python}/bin/python setup.py install --prefix=../pythonlib
+      ${python.interpreter} setup.py install --prefix=../pythonlib
       cd -
   '';
 
@@ -34,7 +34,6 @@ stdenv.mkDerivation rec {
   };
 
   meta = with lib; {
-    inherit version;
     homepage = "http://www.infradead.org/~tgr/libnl/";
     description = "Linux Netlink interface library suite";
     license = licenses.lgpl21;
diff --git a/pkgs/os-specific/linux/libratbag/default.nix b/pkgs/os-specific/linux/libratbag/default.nix
index 14773d69440..a264c454487 100644
--- a/pkgs/os-specific/linux/libratbag/default.nix
+++ b/pkgs/os-specific/linux/libratbag/default.nix
@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libratbag";
-  version = "0.15";
+  version = "0.16";
 
   src = fetchFromGitHub {
     owner  = "libratbag";
     repo   = "libratbag";
     rev    = "v${version}";
-    sha256 = "0z6ps5aqwjmbdvahs80fh9cdgcvp4q4w3kfycmzv4kzgzihjki7b";
+    sha256 = "sha256-wJLG0Gxm1RWwW5SCGoa2QscU1VC0r93KZfEMNVg3Tko=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/os-specific/linux/libselinux/default.nix b/pkgs/os-specific/linux/libselinux/default.nix
index 6582c6d8e8d..fbf7e4bd995 100644
--- a/pkgs/os-specific/linux/libselinux/default.nix
+++ b/pkgs/os-specific/linux/libselinux/default.nix
@@ -35,15 +35,21 @@ stdenv.mkDerivation rec {
     "MAN3DIR=$(man)/share/man/man3"
     "MAN5DIR=$(man)/share/man/man5"
     "MAN8DIR=$(man)/share/man/man8"
-    "PYTHON=${python3.pythonForBuild}/bin/python"
-    "PYTHONLIBDIR=$(py)/${python3.sitePackages}"
     "SBINDIR=$(bin)/sbin"
     "SHLIBDIR=$(out)/lib"
 
     "LIBSEPOLA=${lib.getLib libsepol}/lib/libsepol.a"
+  ] ++ optionals enablePython [
+    "PYTHON=${python3.pythonForBuild.interpreter}"
+    "PYTHONLIBDIR=$(py)/${python3.sitePackages}"
   ];
 
-  preInstall = ''
+  postPatch = lib.optionalString stdenv.hostPlatform.isMusl ''
+    substituteInPlace src/procattr.c \
+      --replace "#include <unistd.h>" ""
+  '';
+
+  preInstall = optionalString enablePython ''
     mkdir -p $py/${python3.sitePackages}/selinux
   '';
 
diff --git a/pkgs/os-specific/linux/libsemanage/default.nix b/pkgs/os-specific/linux/libsemanage/default.nix
index d7255ac4587..11a6f2755d4 100644
--- a/pkgs/os-specific/linux/libsemanage/default.nix
+++ b/pkgs/os-specific/linux/libsemanage/default.nix
@@ -30,6 +30,16 @@ stdenv.mkDerivation rec {
     "DEFAULT_SEMANAGE_CONF_LOCATION=$(out)/etc/selinux/semanage.conf"
   ];
 
+  # The following turns the 'clobbered' error into a warning
+  # which should fix the following error:
+  #
+  # semanage_store.c: In function 'semanage_exec_prog':
+  # semanage_store.c:1278:6: error: variable 'i' might be clobbered by 'longjmp' or 'vfork' [8;;https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wclobbered-Werror=clobbered8;;]
+  #  1278 |  int i;
+  #       |      ^
+  # cc1: all warnings being treated as errors
+  NIX_CFLAGS_COMPILE = [ "-Wno-error=clobbered" ];
+
   installTargets = [ "install" ] ++ optionals enablePython [ "install-pywrap" ];
 
   meta = removeAttrs libsepol.meta ["outputsToInstall"] // {
diff --git a/pkgs/os-specific/linux/libsepol/default.nix b/pkgs/os-specific/linux/libsepol/default.nix
index 12a94d6fc42..732ad88c70d 100644
--- a/pkgs/os-specific/linux/libsepol/default.nix
+++ b/pkgs/os-specific/linux/libsepol/default.nix
@@ -13,6 +13,11 @@ stdenv.mkDerivation rec {
     sha256 = "0ygb6dh5lng91xs6xiqf5v0nxa68qmjc787p0s5h9w89364f2yjv";
   };
 
+  postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
+    substituteInPlace src/Makefile --replace 'all: $(LIBA) $(LIBSO)' 'all: $(LIBA)'
+    sed -i $'/^\t.*LIBSO/d' src/Makefile
+  '';
+
   nativeBuildInputs = [ flex ];
 
   makeFlags = [
@@ -34,6 +39,6 @@ stdenv.mkDerivation rec {
     homepage = "http://userspace.selinuxproject.org";
     platforms = platforms.linux;
     maintainers = [ maintainers.phreedom ];
-    license = lib.licenses.gpl2;
+    license = lib.licenses.gpl2Plus;
   };
 }
diff --git a/pkgs/os-specific/linux/libvolume_id/default.nix b/pkgs/os-specific/linux/libvolume_id/default.nix
index f6b76066863..87b7d33c5d8 100644
--- a/pkgs/os-specific/linux/libvolume_id/default.nix
+++ b/pkgs/os-specific/linux/libvolume_id/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
   };
 
   preBuild = "
-    makeFlagsArray=(prefix=$out E=echo RANLIB=ranlib INSTALL='install -c')
+    makeFlagsArray=(prefix=$out E=echo RANLIB=${stdenv.cc.targetPrefix}ranlib INSTALL='install -c')
   ";
 
   # Work around a broken Makefile.
diff --git a/pkgs/os-specific/linux/linuxptp/default.nix b/pkgs/os-specific/linux/linuxptp/default.nix
index c9de5f874a3..4c14d2ecae3 100644
--- a/pkgs/os-specific/linux/linuxptp/default.nix
+++ b/pkgs/os-specific/linux/linuxptp/default.nix
@@ -3,11 +3,11 @@
 
 stdenv.mkDerivation rec {
   pname = "linuxptp";
-  version = "3.1";
+  version = "3.1.1";
 
   src = fetchurl {
     url = "mirror://sourceforge/linuxptp/${pname}-${version}.tgz";
-    sha256 = "0zff502w3nlycgv2ad8cy8nd0hqf34kzpzcygi7prp0lrw8mp3zm";
+    sha256 = "1nf0w4xyzg884v8blb81zkk6q8p6zbiq9lx61jdqwbbzkdgqbmll";
   };
 
   postPatch = ''
@@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
     description = "Implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux";
     homepage = "http://linuxptp.sourceforge.net/";
     maintainers = [ maintainers.markuskowa ];
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/lm-sensors/default.nix b/pkgs/os-specific/linux/lm-sensors/default.nix
index 915609e8868..21324a5d6ce 100644
--- a/pkgs/os-specific/linux/lm-sensors/default.nix
+++ b/pkgs/os-specific/linux/lm-sensors/default.nix
@@ -20,16 +20,21 @@ stdenv.mkDerivation rec {
 
   makeFlags = [
     "PREFIX=${placeholder "out"}"
-    "ETCDIR=${placeholder "out"}/etc"
     "CC=${stdenv.cc.targetPrefix}cc"
     "AR=${stdenv.cc.targetPrefix}ar"
   ] ++ lib.optional sensord "PROG_EXTRA=sensord";
 
+  installFlags = [
+    "ETCDIR=${placeholder "out"}/etc"
+  ];
+
   meta = with lib; {
     homepage = "https://hwmon.wiki.kernel.org/lm_sensors";
     changelog = "https://raw.githubusercontent.com/lm-sensors/lm-sensors/V${dashedVersion}/CHANGES";
     description = "Tools for reading hardware sensors";
     license = with licenses; [ lgpl21Plus gpl2Plus ];
+    maintainers = with maintainers; [ pengmeiyu ];
     platforms = platforms.linux;
+    mainProgram = "sensors";
   };
 }
diff --git a/pkgs/os-specific/linux/logitech-udev-rules/default.nix b/pkgs/os-specific/linux/logitech-udev-rules/default.nix
index fde75fdcd65..0b0e9e8f203 100644
--- a/pkgs/os-specific/linux/logitech-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/logitech-udev-rules/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
   inherit (solaar) version;
 
   buildCommand = ''
-    install -Dm644 -t $out/etc/udev/rules.d ${solaar.src}/rules.d/*.rules
+    install -Dm444 -t $out/etc/udev/rules.d ${solaar.src}/rules.d/*.rules
   '';
 
   meta = with lib; {
diff --git a/pkgs/os-specific/linux/lsiutil/default.nix b/pkgs/os-specific/linux/lsiutil/default.nix
index 4cb70faee96..f88cdcda523 100644
--- a/pkgs/os-specific/linux/lsiutil/default.nix
+++ b/pkgs/os-specific/linux/lsiutil/default.nix
@@ -1,41 +1,44 @@
-{ lib, stdenv, fetchurl, unzip }:
+{ lib
+, stdenv
+, fetchurl
+, kmod
+, coreutils
+}:
 
-let
-
-  version = "1.60";
+stdenv.mkDerivation rec {
+  pname = "lsiutil";
+  version = "1.72";
 
   src = fetchurl {
-    name = "lsiutil-${version}.zip";
-    url = "http://www.lsi.com/DistributionSystem/AssetDocument/support/downloads/hbas/fibre_channel/hardware_drivers/LSIUtil%20Kit_${version}.zip";
-    sha256 = "1d4337faa56e24f7d98db87b9de94d6e2c17ab671f4e301b93833eea08b9e426";
+    url = "https://github.com/exactassembly/meta-xa-stm/raw/f96cf6e13f3c9c980f5651510dd96279b9b2af4f/recipes-support/lsiutil/files/lsiutil-${version}.tar.gz";
+    sha256 = "sha256-aTi+EogY1aDWYq3anjRkjz1mzINVfUPQbOPHthxrvS4=";
   };
 
-in
-
-stdenv.mkDerivation {
-  pname = "lsiutils";
-  inherit version;
+  buildPhase = ''
+    runHook preBuild
 
-  srcs = [ src "Source/lsiutil.tar.gz" ];
+    substituteInPlace lsiutil.c \
+      --replace /sbin/modprobe "${kmod}/bin/modprobe" \
+      --replace /bin/mknod "${coreutils}/bin/mknod"
+    gcc -Wall -O lsiutil.c -o lsiutil
 
-  buildInputs = [ unzip ];
+    runHook postBuild
+  '';
 
-  sourceRoot = "lsiutil";
+  installPhase = ''
+    runHook preInstall
 
-  preBuild =
-    ''
-      mkdir -p $out/bin
-      substituteInPlace Makefile --replace /usr/bin $out/bin
-      substituteInPlace lsiutil.c \
-        --replace /sbin/modprobe modprobe \
-        --replace /bin/mknod $(type -P mknod)
-    '';
+    mkdir -p "$out/bin"
+    install -Dm755 lsiutil "$out/bin/lsiutil"
 
-  installPhase = "true";
+    runHook postInstall
+  '';
 
-  meta = {
-    homepage = "http://www.lsi.com/";
-    description = "LSI Logic Fusion MPT command line management tool";
-    license = lib.licenses.unfree;
+  meta = with lib; {
+    homepage = "https://github.com/exactassembly/meta-xa-stm/tree/master/recipes-support/lsiutil/files";
+    description = "Configuration utility for MPT adapters (FC, SCSI, and SAS/SATA)";
+    license = licenses.unfree;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ Luflosi ];
   };
 }
diff --git a/pkgs/os-specific/linux/lsscsi/default.nix b/pkgs/os-specific/linux/lsscsi/default.nix
index 90c0361bce3..6286735b758 100644
--- a/pkgs/os-specific/linux/lsscsi/default.nix
+++ b/pkgs/os-specific/linux/lsscsi/default.nix
@@ -1,11 +1,11 @@
 { lib, stdenv, fetchurl }:
 
 stdenv.mkDerivation {
-  name = "lsscsi-0.31";
+  name = "lsscsi-0.32";
 
   src = fetchurl {
-    url = "http://sg.danny.cz/scsi/lsscsi-0.31.tgz";
-    sha256 = "1jpk15y9vqjb1lcj4pdzygpg0jf0lja7azjldpywc0s805rikgqj";
+    url = "http://sg.danny.cz/scsi/lsscsi-0.32.tgz";
+    sha256 = "sha256-CoAOnpTcoqtwLWXXJ3eujK4Hjj100Ly+1kughJ6AKaE=";
   };
 
   preConfigure = ''
diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix
index 8e20ffda346..7f4036c775f 100644
--- a/pkgs/os-specific/linux/lttng-modules/default.nix
+++ b/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -1,13 +1,12 @@
 { lib, stdenv, fetchurl, kernel }:
 
 stdenv.mkDerivation rec {
-  pname = "lttng-modules-${version}";
-  name = "${pname}-${kernel.version}";
-  version = "2.10.5";
+  pname = "lttng-modules-${kernel.version}";
+  version = "2.12.6";
 
   src = fetchurl {
     url = "https://lttng.org/files/lttng-modules/lttng-modules-${version}.tar.bz2";
-    sha256 = "07rs01zwr4bmjamplix5qz1c6mb6wdawb68vyn0w6wx68ppbpnxq";
+    sha256 = "sha256-lawqLPkthdI/+9rKah7A18FnIR0eD7hQq5AASj9HXqo=";
   };
 
   buildInputs = kernel.moduleBuildDependencies;
@@ -28,11 +27,8 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Linux kernel modules for LTTng tracing";
     homepage = "https://lttng.org/";
-    license = with licenses; [ lgpl21 gpl2 mit ];
+    license = with licenses; [ lgpl21Only gpl2Only mit ];
     platforms = platforms.linux;
     maintainers = [ maintainers.bjornfor ];
-    broken = builtins.compareVersions kernel.version "3.18" == -1
-      || builtins.compareVersions kernel.version "4.16" == 1;
   };
-
 }
diff --git a/pkgs/os-specific/linux/lvm2/default.nix b/pkgs/os-specific/linux/lvm2/default.nix
index 76a74299ae5..d822ceed714 100644
--- a/pkgs/os-specific/linux/lvm2/default.nix
+++ b/pkgs/os-specific/linux/lvm2/default.nix
@@ -16,11 +16,11 @@ assert enableDmeventd -> enableCmdlib;
 
 stdenv.mkDerivation rec {
   pname = "lvm2" + lib.optionalString enableDmeventd "with-dmeventd";
-  version = "2.03.10";
+  version = "2.03.12";
 
   src = fetchurl {
     url = "https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz";
-    sha256 = "1l0fkn9abrgk5mfn6jfh9qhdr86b59l1c5pk6lp8jh0491d69las";
+    sha256 = "1shczwfd0888dchjiaqzd48ampm6f8y0ngsqd99fy4nxlbr5q1vn";
   };
 
   nativeBuildInputs = [ pkg-config ];
diff --git a/pkgs/os-specific/linux/lxc/default.nix b/pkgs/os-specific/linux/lxc/default.nix
index e6bdd70b915..e10af3abf92 100644
--- a/pkgs/os-specific/linux/lxc/default.nix
+++ b/pkgs/os-specific/linux/lxc/default.nix
@@ -9,11 +9,11 @@
 with lib;
 stdenv.mkDerivation rec {
   pname = "lxc";
-  version = "4.0.6";
+  version = "4.0.10";
 
   src = fetchurl {
     url = "https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz";
-    sha256 = "0qz4l7mlhq7hx53q606qgvkyzyr01glsw290v8ppzvxn1fydlrci";
+    sha256 = "1sgsic9dzj3wv2k5bx2vhcgappivhp1glkqfc2yrgr6jas052351";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/os-specific/linux/lxcfs/default.nix b/pkgs/os-specific/linux/lxcfs/default.nix
index ab148af72f2..3ed80269d3a 100644
--- a/pkgs/os-specific/linux/lxcfs/default.nix
+++ b/pkgs/os-specific/linux/lxcfs/default.nix
@@ -5,17 +5,17 @@
 with lib;
 stdenv.mkDerivation rec {
   pname = "lxcfs";
-  version = "4.0.7";
+  version = "4.0.9";
 
   src = fetchFromGitHub {
     owner = "lxc";
     repo = "lxcfs";
     rev = "lxcfs-${version}";
-    sha256 = "sha256-gC1Q+kG/oKfYvuHVKstpRWfL/thsemULrimPrV/eeaI=";
+    sha256 = "0zx58lair8hwi4bxm5h7i8n1j5fcdgw5cr6f4wk9qhks0sr5dip5";
   };
 
-  nativeBuildInputs = [ pkg-config help2man autoreconfHook ];
-  buildInputs = [ fuse makeWrapper ];
+  nativeBuildInputs = [ pkg-config help2man autoreconfHook makeWrapper ];
+  buildInputs = [ fuse ];
 
   preConfigure = lib.optionalString enableDebugBuild ''
     sed -i 's,#AM_CFLAGS += -DDEBUG,AM_CFLAGS += -DDEBUG,' Makefile.am
diff --git a/pkgs/os-specific/linux/macchanger/default.nix b/pkgs/os-specific/linux/macchanger/default.nix
index 5c3646f7b3c..1c516707049 100644
--- a/pkgs/os-specific/linux/macchanger/default.nix
+++ b/pkgs/os-specific/linux/macchanger/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, texinfo }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, texinfo }:
 
 stdenv.mkDerivation rec {
   pname = "macchanger";
@@ -11,15 +11,38 @@ stdenv.mkDerivation rec {
     sha256 = "1hypx6sxhd2b1nsxj314hpkhj7q4x9p2kfaaf20rjkkkig0nck9r";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/02-fix_usage_message.patch";
+      sha256 = "0pxljmq0l0znylbhms09i19qwil74gm8gx3xx2ffx00dajaizj18";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/06-update_OUI_list.patch";
+      sha256 = "04kbd784z9nwkjva5ckkvb0yb3pim9valb1viywn1yyh577d0y7w";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/08-fix_random_MAC_choice.patch";
+      sha256 = "1vz3appxxsdf1imzrn57amazfwlbrvx6g78b6n88aqgwzy5dm34d";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/check-random-device-read-errors.patch";
+      sha256 = "0pra6qnk39crjlidspg3l6hpaqiw43cypahx793l59mqn956cngc";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.org/data/main/m/macchanger/1.7.0-5.3/debian/patches/verify-changed-MAC.patch";
+      sha256 = "0vjhf2fnj1hlghjl821p6idrfc8hmd4lgps5lf1l68ylqvwjw0zj";
+    })
+  ];
+
   nativeBuildInputs = [ autoreconfHook texinfo ];
 
   outputs = [ "out" "info" ];
 
   meta = with lib; {
     description = "A utility for viewing/manipulating the MAC address of network interfaces";
-    maintainers = with maintainers; [ joachifm ma27 ];
+    maintainers = with maintainers; [ joachifm ma27 dotlambda ];
     license = licenses.gpl2Plus;
-    homepage = "https://www.gnu.org/software/macchanger";
+    homepage = "https://github.com/alobbs/macchanger";
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix b/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix
new file mode 100644
index 00000000000..070b4a6207e
--- /dev/null
+++ b/pkgs/os-specific/linux/mbp-modules/mbp2018-bridge-drv/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, kernel, fetchFromGitHub, }:
+
+stdenv.mkDerivation rec {
+  pname = "mbp2018-bridge-drv";
+  version = "2020-01-31";
+
+  src = fetchFromGitHub {
+    owner = "MCMrARM";
+    repo = "mbp2018-bridge-drv";
+    rev = "b43fcc069da73e051072fde24af4014c9c487286";
+    sha256 = "sha256-o6yGiR+Y5SnX1johdi7fQWP5ts7HdDMqeju75UOhgik=";
+  };
+
+  buildPhase = ''
+    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \
+      -j$NIX_BUILD_CORES M=$(pwd) modules
+  '';
+
+  installPhase = ''
+    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build  \
+      INSTALL_MOD_PATH=$out M=$(pwd) modules_install
+  '';
+
+  meta = with lib; {
+    description = "A driver for MacBook models 2018 and newer, which makes the keyboard, mouse and audio output work.";
+    longDescription = ''
+      A driver for MacBook models 2018 and newer, implementing the VHCI (required for mouse/keyboard/etc.) and audio functionality.
+    '';
+    homepage = "https://github.com/MCMrARM/mbp2018-bridge-drv";
+    license = lib.licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = [ lib.maintainers.hlolli ];
+    broken = kernel.kernelOlder "5.4";
+  };
+}
diff --git a/pkgs/os-specific/linux/mcelog/default.nix b/pkgs/os-specific/linux/mcelog/default.nix
index de2c1afb065..b20632be334 100644
--- a/pkgs/os-specific/linux/mcelog/default.nix
+++ b/pkgs/os-specific/linux/mcelog/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "mcelog";
-  version = "173";
+  version = "175";
 
   src = fetchFromGitHub {
     owner  = "andikleen";
     repo   = "mcelog";
     rev    = "v${version}";
-    sha256 = "1ili11kqacn6jkjpk11vhycgygdl92mymgb1sx22lcwq2x0d248m";
+    sha256 = "sha256-Xzbck/nRdTR9H5o2XVFlFdNLz2ve65KEcefKAKe0eW8=";
   };
 
   postPatch = ''
diff --git a/pkgs/os-specific/linux/mdevd/default.nix b/pkgs/os-specific/linux/mdevd/default.nix
new file mode 100644
index 00000000000..58299ba5e87
--- /dev/null
+++ b/pkgs/os-specific/linux/mdevd/default.nix
@@ -0,0 +1,28 @@
+{ lib, skawarePackages }:
+
+with skawarePackages;
+
+buildPackage {
+  pname = "mdevd";
+  version = "0.1.4.0";
+  sha256 = "1lnwk7qa6x7iia0v12i2jckg42ypi35hk3sa7cjm23ngnhiv5lzz";
+
+  description = "mdev-compatible Linux hotplug manager daemon";
+  platforms = lib.platforms.linux;
+
+  outputs = [ "bin" "out" "dev" "doc" ];
+
+  configureFlags = [
+    "--with-sysdeps=${skalibs.lib}/lib/skalibs/sysdeps"
+    "--with-include=${skalibs.dev}/include"
+    "--with-lib=${skalibs.lib}/lib"
+  ];
+
+  postInstall = ''
+    # remove all mdevd executables from build directory
+    rm $(find -type f -mindepth 1 -maxdepth 1 -executable)
+
+    mv doc $doc/share/doc/mdevd/html
+    mv examples $doc/share/doc/mdevd/examples
+  '';
+}
diff --git a/pkgs/os-specific/linux/microcode/intel.nix b/pkgs/os-specific/linux/microcode/intel.nix
index d6d04f12f88..f8bb7c67d8e 100644
--- a/pkgs/os-specific/linux/microcode/intel.nix
+++ b/pkgs/os-specific/linux/microcode/intel.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "microcode-intel";
-  version = "20201118";
+  version = "20210608";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "Intel-Linux-Processor-Microcode-Data-Files";
     rev = "microcode-${version}";
-    sha256 = "1xs3f2rbfqnpz9qs7a1kl363qdyb8fybmmyd37v573clqf7l4lgg";
+    sha256 = "08nk353z2lcqsjbm2qdsfapfgrvlfw0rj7r9scr9pllzkjj5n9x3";
   };
 
   nativeBuildInputs = [ iucode-tool libarchive ];
diff --git a/pkgs/os-specific/linux/miraclecast/default.nix b/pkgs/os-specific/linux/miraclecast/default.nix
index 8545d31c71a..b5efaa40afe 100644
--- a/pkgs/os-specific/linux/miraclecast/default.nix
+++ b/pkgs/os-specific/linux/miraclecast/default.nix
@@ -16,8 +16,6 @@ stdenv.mkDerivation {
 
   buildInputs = [ glib pcre readline systemd udev ];
 
-  enableParallelBuilding = true;
-
   mesonFlags = [
     "-Drely-udev=true"
     "-Dbuild-tests=true"
diff --git a/pkgs/os-specific/linux/mmc-utils/default.nix b/pkgs/os-specific/linux/mmc-utils/default.nix
index aff847c20ff..7430182e5d2 100644
--- a/pkgs/os-specific/linux/mmc-utils/default.nix
+++ b/pkgs/os-specific/linux/mmc-utils/default.nix
@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation {
   pname = "mmc-utils";
-  version = "2019-10-04";
+  version = "2021-05-11";
 
   src = fetchgit {
     url = "git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc-utils.git";
-    rev = "73d6c59af8d1bcedf5de4aa1f5d5b7f765f545f5";
-    sha256 = "18a7qm86gavg15gv4h6xfnapgq24v4dyvhwfp53lkssxyhjbli0z";
+    rev = "43282e80e174cc73b09b81a4d17cb3a7b4dc5cfc";
+    sha256 = "0l06ahmprqshh75pkdpagb8fgnp2bwn8q8hwp1yl3laww2ghm8i5";
   };
 
   makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" ];
diff --git a/pkgs/os-specific/linux/msr-tools/default.nix b/pkgs/os-specific/linux/msr-tools/default.nix
index 67356719ffd..1e6a55a4d65 100644
--- a/pkgs/os-specific/linux/msr-tools/default.nix
+++ b/pkgs/os-specific/linux/msr-tools/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "07hxmddg0l31kjfmaq84ni142lbbvgq6391r8bd79wpm819pnigr";
   };
 
-  buildInputs = [ unzip ];
+  nativeBuildInputs = [ unzip ];
 
   preInstall = ''
     mkdir -p $out/bin
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix
index 4784abc6c28..24149805723 100644
--- a/pkgs/os-specific/linux/multipath-tools/default.nix
+++ b/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, pkg-config, perl, lvm2, libaio, gzip, readline, systemd, liburcu, json_c }:
+{ lib, stdenv, fetchurl, pkg-config, perl, lvm2, libaio, gzip, readline, systemd, liburcu, json_c, kmod }:
 
 stdenv.mkDerivation rec {
   pname = "multipath-tools";
@@ -16,7 +16,13 @@ stdenv.mkDerivation rec {
   ];
 
   postPatch = ''
-    substituteInPlace libmultipath/Makefile --replace /usr/include/libdevmapper.h ${lib.getDev lvm2}/include/libdevmapper.h
+    substituteInPlace libmultipath/Makefile \
+      --replace /usr/include/libdevmapper.h ${lib.getDev lvm2}/include/libdevmapper.h
+
+    substituteInPlace multipathd/multipathd.service \
+      --replace /sbin/modprobe ${lib.getBin kmod}/sbin/modprobe \
+      --replace /sbin/multipathd "$out/bin/multipathd"
+
     sed -i -re '
       s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'",
     ' libmultipath/defaults.h
diff --git a/pkgs/os-specific/linux/musl-fts/default.nix b/pkgs/os-specific/linux/musl-fts/default.nix
new file mode 100644
index 00000000000..cdb1cca47c6
--- /dev/null
+++ b/pkgs/os-specific/linux/musl-fts/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "musl-fts";
+  version = "1.2.7";
+
+  src = fetchFromGitHub {
+    owner = "void-linux";
+    repo = "musl-fts";
+    rev = "v${version}";
+    sha256 = "Azw5qrz6OKDcpYydE6jXzVxSM5A8oYWAztrHr+O/DOE=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/void-linux/musl-fts";
+    description = "An implementation of fts(3) for musl-libc";
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+    maintainers = [ maintainers.pjjw ];
+  };
+}
diff --git a/pkgs/os-specific/linux/musl-obstack/default.nix b/pkgs/os-specific/linux/musl-obstack/default.nix
new file mode 100644
index 00000000000..f7682d37efd
--- /dev/null
+++ b/pkgs/os-specific/linux/musl-obstack/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config }:
+
+stdenv.mkDerivation rec {
+  pname = "musl-obstack";
+  version = "1.2.2";
+
+  src = fetchFromGitHub {
+    owner = "void-linux";
+    repo = "musl-obstack";
+    rev = "v${version}";
+    sha256 = "v0RTnrqAmJfOeGsJFc04lqFR8QZhYiLyvy8oRYiuC80=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
+
+  enableParallelBuilding = true;
+
+  meta = with lib; {
+    homepage = "https://github.com/void-linux/musl-obstack";
+    description =
+      "An extraction of the obstack functions and macros from GNU libiberty for use with musl-libc";
+    platforms = platforms.linux;
+    license = licenses.lgpl21Plus;
+    maintainers = [ maintainers.pjjw ];
+  };
+}
diff --git a/pkgs/os-specific/linux/musl/default.nix b/pkgs/os-specific/linux/musl/default.nix
index 63d8114ac77..ae175a36324 100644
--- a/pkgs/os-specific/linux/musl/default.nix
+++ b/pkgs/os-specific/linux/musl/default.nix
@@ -16,6 +16,11 @@ let
     sha256 = "14igk6k00bnpfw660qhswagyhvr0gfqg4q55dxvaaq7ikfkrir71";
   };
 
+  stack_chk_fail_local_c = fetchurl {
+    url = "https://git.alpinelinux.org/aports/plain/main/musl/__stack_chk_fail_local.c?h=3.10-stable";
+    sha256 = "1nhkzzy9pklgjcq2yg89d3l18jif331srd3z3vhy5qwxl1spv6i9";
+  };
+
   # iconv tool, implemented by musl author.
   # Original: http://git.etalabs.net/cgit/noxcuse/plain/src/iconv.c?id=02d288d89683e99fd18fe9f54d4e731a6c474a4f
   # We use copy from Alpine which fixes error messages, see:
@@ -35,11 +40,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "musl";
-  version = "1.2.1";
+  version = "1.2.2";
 
   src = fetchurl {
-    url    = "https://www.musl-libc.org/releases/${pname}-${version}.tar.gz";
-    sha256 = "0jz8fzwgvfyjgxjbpw35ixdglp2apqjvp8m386f6yr4zacc6xbv8";
+    url    = "https://musl.libc.org/releases/${pname}-${version}.tar.gz";
+    sha256 = "1p8r6bac64y98ln0wzmnixysckq3crca69ys7p16sy9d04i975lv";
   };
 
   enableParallelBuilding = true;
@@ -62,12 +67,6 @@ stdenv.mkDerivation rec {
       url = "https://raw.githubusercontent.com/openwrt/openwrt/87606e25afac6776d1bbc67ed284434ec5a832b4/toolchain/musl/patches/300-relative.patch";
       sha256 = "0hfadrycb60sm6hb6by4ycgaqc9sgrhh42k39v8xpmcvdzxrsq2n";
     })
-    # wcsnrtombs destination buffer overflow, remove >= 1.2.2
-    (fetchurl {
-      name = "CVE-2020-28928.patch";
-      url = "https://www.openwall.com/lists/oss-security/2020/11/20/4/1";
-      sha256 = "077n2p165504nz9di6n8y5421591r3lsbcxgih8z26l6mvkhcs2h";
-    })
   ];
   CFLAGS = [ "-fstack-protector-strong" ]
     ++ lib.optional stdenv.hostPlatform.isPower "-mlong-double-64";
@@ -87,6 +86,16 @@ stdenv.mkDerivation rec {
 
   NIX_DONT_SET_RPATH = true;
 
+  preBuild = ''
+    ${if (stdenv.targetPlatform.libc == "musl" && stdenv.targetPlatform.isx86_32) then
+    "# the -x c flag is required since the file extension confuses gcc
+    # that detect the file as a linker script.
+    $CC -x c -c ${stack_chk_fail_local_c} -o __stack_chk_fail_local.o
+    $AR r libssp_nonshared.a __stack_chk_fail_local.o"
+      else ""
+    }
+  '';
+
   postInstall = ''
     # Not sure why, but link in all but scsi directory as that's what uclibc/glibc do.
     # Apparently glibc provides scsi itself?
@@ -96,6 +105,13 @@ stdenv.mkDerivation rec {
     $STRIP -S $out/lib/libc.a
     mkdir -p $out/bin
 
+
+    ${if (stdenv.targetPlatform.libc == "musl" && stdenv.targetPlatform.isx86_32) then
+      "install -D libssp_nonshared.a $out/lib/libssp_nonshared.a
+      $STRIP -S $out/lib/libssp_nonshared.a"
+      else ""
+    }
+
     # Create 'ldd' symlink, builtin
     ln -rs $out/lib/libc.so $out/bin/ldd
 
@@ -127,7 +143,8 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     description = "An efficient, small, quality libc implementation";
-    homepage    = "http://www.musl-libc.org";
+    homepage    = "https://musl.libc.org/";
+    changelog   = "https://git.musl-libc.org/cgit/musl/tree/WHATSNEW?h=v${version}";
     license     = licenses.mit;
     platforms   = platforms.linux;
     maintainers = with maintainers; [ thoughtpolice dtzWill ];
diff --git a/pkgs/os-specific/linux/mwprocapture/default.nix b/pkgs/os-specific/linux/mwprocapture/default.nix
index c21cf2bb648..ca5b82b8785 100644
--- a/pkgs/os-specific/linux/mwprocapture/default.nix
+++ b/pkgs/os-specific/linux/mwprocapture/default.nix
@@ -1,28 +1,25 @@
-{ lib, stdenv, fetchurl, kernel, alsaLib }:
+{ lib, stdenv, fetchurl, kernel, alsa-lib }:
 
 with lib;
 
-# The Magewell Pro Capture drivers are not supported for kernels older than 3.2
-assert versionAtLeast kernel.version "3.2.0";
-
 let
   bits =
   if stdenv.is64bit then "64"
   else "32";
 
-  libpath = makeLibraryPath [ stdenv.cc.cc stdenv.glibc alsaLib ];
+  libpath = makeLibraryPath [ stdenv.cc.cc stdenv.glibc alsa-lib ];
 
 in
 stdenv.mkDerivation rec {
-  name = "mwprocapture-1.2.${version}-${kernel.version}";
-  version = "4177";
+  name = "mwprocapture-1.3.0.${version}-${kernel.version}";
+  version = "4236";
 
   src = fetchurl {
-    url = "http://www.magewell.com/files/drivers/ProCaptureForLinux_${version}.tar.gz";
-    sha256 = "1nf51w9yixpvr767k49sfdb9n9rv5qc72f5yki1mkghbmabw7vys";
+    url = "https://www.magewell.com/files/drivers/ProCaptureForLinux_${version}.tar.gz";
+    sha256 = "1mfgj84km276sq5i8dny1vqp2ycqpvgplrmpbqwnk230d0w3qs74";
   };
 
-  nativeBuildInputs = [ kernel.moduleBuildDependencies ];
+  nativeBuildInputs = kernel.moduleBuildDependencies;
 
   preConfigure =
   ''
@@ -63,5 +60,6 @@ stdenv.mkDerivation rec {
     license = licenses.unfreeRedistributable;
     maintainers = with maintainers; [ MP2E ];
     platforms = platforms.linux;
+    broken = kernel.kernelOlder "3.2.0";
   };
 }
diff --git a/pkgs/os-specific/linux/mxu11x0/default.nix b/pkgs/os-specific/linux/mxu11x0/default.nix
index ac9f27e2e6b..3498625be75 100644
--- a/pkgs/os-specific/linux/mxu11x0/default.nix
+++ b/pkgs/os-specific/linux/mxu11x0/default.nix
@@ -32,5 +32,6 @@ stdenv.mkDerivation {
     license = licenses.gpl2Plus;
     maintainers = with maintainers; [ uralbash ];
     platforms = platforms.linux;
+    broken = kernel.kernelAtLeast "5.4";
   };
 }
diff --git a/pkgs/os-specific/linux/net-tools/default.nix b/pkgs/os-specific/linux/net-tools/default.nix
index 461a65c007b..c9410c27df9 100644
--- a/pkgs/os-specific/linux/net-tools/default.nix
+++ b/pkgs/os-specific/linux/net-tools/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "net-tools";
-  version = "1.60_p20180626073013";
+  version = "2.10";
 
   src = fetchurl {
     url = "mirror://gentoo/distfiles/${pname}-${version}.tar.xz";
-    sha256 = "0mzsjjmz5kn676w2glmxwwd8bj0xy9dhhn21aplb435b767045q4";
+    sha256 = "sha256-smJDWlJB6Jv6UcPKvVEzdTlS96e3uT8y4Iy52W9YDWk=";
   };
 
   preBuild =
diff --git a/pkgs/os-specific/linux/net-tools/mptcp.nix b/pkgs/os-specific/linux/net-tools/mptcp.nix
index a9f99874367..577b7c25311 100644
--- a/pkgs/os-specific/linux/net-tools/mptcp.nix
+++ b/pkgs/os-specific/linux/net-tools/mptcp.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, nettools, fetchFromGitHub  }:
+{ lib, nettools, fetchFromGitHub  }:
 
 nettools.overrideAttrs(oa: rec {
   name = "net-tools-mptcp";
diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix
index fb0a4eb7188..28f989929a4 100644
--- a/pkgs/os-specific/linux/netatop/default.nix
+++ b/pkgs/os-specific/linux/netatop/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, kernel, zlib }:
+{ lib, stdenv, fetchurl, kernel, kmod, zlib }:
 
 let
   version = "3.1";
@@ -12,10 +12,16 @@ stdenv.mkDerivation {
     sha256 = "0qjw8glfdmngfvbn1w63q128vxdz2jlabw13y140ga9i5ibl6vvk";
   };
 
-  buildInputs = [ zlib ];
+  buildInputs = [ kmod zlib ];
 
   hardeningDisable = [ "pic" ];
 
+  patches = [
+    # fix paths in netatop.service
+    ./fix-paths.patch
+    # Specify PIDFile in /run, not /var/run to silence systemd warning
+    ./netatop.service.patch
+  ];
   preConfigure = ''
     patchShebangs mkversion
     sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \
@@ -24,12 +30,14 @@ stdenv.mkDerivation {
         -e s,/usr,$out, \
         -e /init.d/d \
         -e /depmod/d \
-        -e /netatop.service/d \
+        -e s,/lib/systemd,$out/lib/systemd, \
         Makefile
+
+    kmod=${kmod} substituteAllInPlace netatop.service
   '';
 
   preInstall = ''
-    mkdir -p $out/bin $out/sbin $out/share/man/man{4,8}
+    mkdir -p $out/lib/systemd/system $out/bin $out/sbin $out/share/man/man{4,8}
     mkdir -p $out/lib/modules/${kernel.modDirVersion}/extra
   '';
 
@@ -38,6 +46,6 @@ stdenv.mkDerivation {
     homepage = "https://www.atoptool.nl/downloadnetatop.php";
     license = lib.licenses.gpl2;
     platforms = lib.platforms.linux;
-    maintainers = with lib.maintainers; [viric];
+    maintainers = with lib.maintainers; [ viric ];
   };
 }
diff --git a/pkgs/os-specific/linux/netatop/fix-paths.patch b/pkgs/os-specific/linux/netatop/fix-paths.patch
new file mode 100644
index 00000000000..0e71c4efdd3
--- /dev/null
+++ b/pkgs/os-specific/linux/netatop/fix-paths.patch
@@ -0,0 +1,11 @@
+--- a/netatop.service
++++ b/netatop.service
+@@ -8,5 +8,5 @@
+ Type=oneshot
+-ExecStartPre=/sbin/modprobe netatop
+-ExecStart=/usr/sbin/netatopd
+-ExecStopPost=/sbin/rmmod netatop
++ExecStartPre=@kmod@/bin/modprobe netatop
++ExecStart=@out@/bin/netatopd
++ExecStopPost=@kmod@/bin/rmmod netatop
+ PIDFile=/var/run/netatop.pid
diff --git a/pkgs/os-specific/linux/netatop/netatop.service.patch b/pkgs/os-specific/linux/netatop/netatop.service.patch
new file mode 100644
index 00000000000..c7c798ee06b
--- /dev/null
+++ b/pkgs/os-specific/linux/netatop/netatop.service.patch
@@ -0,0 +1,7 @@
+--- a/netatop.service
++++ b/netatop.service
+@@ -11,3 +11,3 @@
+ ExecStopPost=@kmod@/bin/rmmod netatop
+-PIDFile=/var/run/netatop.pid
++PIDFile=/run/netatop.pid
+ RemainAfterExit=yes
diff --git a/pkgs/os-specific/linux/nfs-utils/default.nix b/pkgs/os-specific/linux/nfs-utils/default.nix
index c2d2996c54d..7b5f6e72001 100644
--- a/pkgs/os-specific/linux/nfs-utils/default.nix
+++ b/pkgs/os-specific/linux/nfs-utils/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, fetchpatch, lib, pkg-config, util-linux, libcap, libtirpc, libevent
-, sqlite, kerberos, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers
+, sqlite, libkrb5, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers
 , python3, buildPackages, nixosTests, rpcsvc-proto
 , enablePython ? true
 }:
@@ -25,7 +25,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     libtirpc libcap libevent sqlite lvm2
-    libuuid keyutils kerberos tcp_wrappers
+    libuuid keyutils libkrb5 tcp_wrappers
   ] ++ lib.optional enablePython python3;
 
   enableParallelBuilding = true;
@@ -33,15 +33,15 @@ stdenv.mkDerivation rec {
   preConfigure =
     ''
       substituteInPlace configure \
-        --replace '$dir/include/gssapi' ${lib.getDev kerberos}/include/gssapi \
-        --replace '$dir/bin/krb5-config' ${lib.getDev kerberos}/bin/krb5-config
+        --replace '$dir/include/gssapi' ${lib.getDev libkrb5}/include/gssapi \
+        --replace '$dir/bin/krb5-config' ${lib.getDev libkrb5}/bin/krb5-config
     '';
 
   configureFlags =
     [ "--enable-gss"
       "--enable-svcgss"
       "--with-statedir=/var/lib/nfs"
-      "--with-krb5=${lib.getLib kerberos}"
+      "--with-krb5=${lib.getLib libkrb5}"
       "--with-systemd=${placeholder "out"}/etc/systemd/system"
       "--enable-libmount-mount"
       "--with-pluginpath=${placeholder "lib"}/lib/libnfsidmap" # this installs libnfsidmap
@@ -106,7 +106,7 @@ stdenv.mkDerivation rec {
   # https://bugzilla.kernel.org/show_bug.cgi?id=203793
   doCheck = false;
 
-  disallowedReferences = [ (lib.getDev kerberos) ];
+  disallowedReferences = [ (lib.getDev libkrb5) ];
 
   passthru.tests = {
     nfs3-simple = nixosTests.nfs3.simple;
diff --git a/pkgs/os-specific/linux/nftables/default.nix b/pkgs/os-specific/linux/nftables/default.nix
index 115c12ec5e4..f5fdee14c15 100644
--- a/pkgs/os-specific/linux/nftables/default.nix
+++ b/pkgs/os-specific/linux/nftables/default.nix
@@ -10,12 +10,12 @@
 with lib;
 
 stdenv.mkDerivation rec {
-  version = "0.9.7";
+  version = "0.9.9";
   pname = "nftables";
 
   src = fetchurl {
     url = "https://netfilter.org/projects/nftables/files/${pname}-${version}.tar.bz2";
-    sha256 = "1c1c2475nifncv0ng8z77h2dpanlsx0bhqm15k00jb3a6a68lszy";
+    sha256 = "1d7iwc8xlyfsbgn6qx1sdfcq7jhpl8wpfj39hcd06y8dzp3jvvvn";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/os-specific/linux/nixos-rebuild/default.nix b/pkgs/os-specific/linux/nixos-rebuild/default.nix
index 9fb7e366465..b317c5a1fbf 100644
--- a/pkgs/os-specific/linux/nixos-rebuild/default.nix
+++ b/pkgs/os-specific/linux/nixos-rebuild/default.nix
@@ -18,5 +18,6 @@ substituteAll {
   inherit runtimeShell nix;
   nix_x86_64_linux = fallback.x86_64-linux;
   nix_i686_linux = fallback.i686-linux;
+  nix_aarch64_linux = fallback.aarch64-linux;
   path = lib.makeBinPath [ coreutils jq gnused gnugrep ];
 }
diff --git a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
index e452e24d263..69e0dee1d20 100644..100755
--- a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
+++ b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
@@ -24,7 +24,6 @@ fast=
 rollback=
 upgrade=
 upgrade_all=
-repair=
 profile=/nix/var/nix/profiles/system
 buildHost=
 targetHost=
@@ -60,15 +59,11 @@ while [ "$#" -gt 0 ]; do
         upgrade=1
         upgrade_all=1
         ;;
-      --repair)
-        repair=1
-        extraBuildFlags+=("$i")
-        ;;
       --max-jobs|-j|--cores|-I|--builders)
         j="$1"; shift 1
         extraBuildFlags+=("$i" "$j")
         ;;
-      --show-trace|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*|-L|--refresh|--no-net|--impure)
+      --show-trace|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*|-L|--refresh|--no-net|--offline|--impure)
         extraBuildFlags+=("$i")
         ;;
       --option)
@@ -79,7 +74,6 @@ while [ "$#" -gt 0 ]; do
       --fast)
         buildNix=
         fast=1
-        extraBuildFlags+=(--show-trace)
         ;;
       --profile-name|-p)
         if [ -z "$1" ]; then
@@ -105,7 +99,7 @@ while [ "$#" -gt 0 ]; do
         ;;
       --flake)
         flake="$1"
-        flakeFlags=(--experimental-features 'nix-command flakes')
+        flakeFlags=(--extra-experimental-features 'nix-command flakes')
         shift 1
         ;;
       --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file)
@@ -145,7 +139,7 @@ buildHostCmd() {
     if [ -z "$buildHost" ]; then
         "$@"
     elif [ -n "$remoteNix" ]; then
-        ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "${maybeSudo[@]}" "$@"
+        ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" env PATH="$remoteNix":'$PATH' "$@"
     else
         ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" "$@"
     fi
@@ -177,6 +171,7 @@ nixBuild() {
     else
         local instArgs=()
         local buildArgs=()
+        local drv=
 
         while [ "$#" -gt 0 ]; do
             local i="$1"; shift 1
@@ -203,7 +198,7 @@ nixBuild() {
             esac
         done
 
-        local drv="$(nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")"
+        drv="$(nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")"
         if [ -a "$drv" ]; then
             NIX_SSHOPTS=$SSHOPTS nix-copy-closure --to "$buildHost" "$drv"
             buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
@@ -214,6 +209,54 @@ nixBuild() {
   fi
 }
 
+nixFlakeBuild() {
+    if [[ -z "$buildHost" && -z "$targetHost" ]] &&
+       ! [ "$action" = switch -o "$action" = boot ]
+    then
+        nix "${flakeFlags[@]}" build "$@"
+        readlink -f ./result
+    elif [ -z "$buildHost" ]; then
+        nix "${flakeFlags[@]}" build "$@" --out-link "${tmpDir}/result"
+        readlink -f "${tmpDir}/result"
+    else
+        local attr="$1"
+        shift 1
+        local evalArgs=()
+        local buildArgs=()
+        local drv=
+
+        while [ "$#" -gt 0 ]; do
+            local i="$1"; shift 1
+            case "$i" in
+              --recreate-lock-file|--no-update-lock-file|--no-write-lock-file|--no-registries|--commit-lock-file)
+                evalArgs+=("$i")
+                ;;
+              --update-input)
+                local j="$1"; shift 1
+                evalArgs+=("$i" "$j")
+                ;;
+              --override-input)
+                local j="$1"; shift 1
+                local k="$1"; shift 1
+                evalArgs+=("$i" "$j" "$k")
+                ;;
+              *)
+                buildArgs+=("$i")
+                ;;
+            esac
+        done
+
+        drv="$(nix "${flakeFlags[@]}" eval --raw "${attr}.drvPath" "${evalArgs[@]}" "${extraBuildFlags[@]}")"
+        if [ -a "$drv" ]; then
+            NIX_SSHOPTS=$SSHOPTS nix "${flakeFlags[@]}" copy --derivation --to "ssh://$buildHost" "$drv"
+            buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
+        else
+            echo "nix eval failed"
+            exit 1
+        fi
+    fi
+}
+
 
 if [ -z "$action" ]; then showSyntax; fi
 
@@ -270,7 +313,7 @@ fi
 if [[ -z $_NIXOS_REBUILD_REEXEC && -n $canRun && -z $fast && -z $flake ]]; then
     if p=$(nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
         export _NIXOS_REBUILD_REEXEC=1
-        exec $p/bin/nixos-rebuild "${origArgs[@]}"
+        exec "$p/bin/nixos-rebuild" "${origArgs[@]}"
         exit 1
     fi
 fi
@@ -295,7 +338,7 @@ fi
 
 # Resolve the flake.
 if [[ -n $flake ]]; then
-    flake=$(nix "${flakeFlags[@]}" flake info --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url)
+    flake=$(nix "${flakeFlags[@]}" flake metadata --json "${extraBuildFlags[@]}" "${lockFlags[@]}" -- "$flake" | jq -r .url)
 fi
 
 # Find configuration.nix and open editor instead of building.
@@ -325,20 +368,6 @@ cleanup() {
 trap cleanup EXIT
 
 
-
-# If the Nix daemon is running, then use it.  This allows us to use
-# the latest Nix from Nixpkgs (below) for expression evaluation, while
-# still using the old Nix (via the daemon) for actual store access.
-# This matters if the new Nix in Nixpkgs has a schema change.  It
-# would upgrade the schema, which should only happen once we actually
-# switch to the new configuration.
-# If --repair is given, don't try to use the Nix daemon, because the
-# flag can only be used directly.
-if [ -z "$repair" ] && systemctl show nix-daemon.socket nix-daemon.service | grep -q ActiveState=active; then
-    export NIX_REMOTE=${NIX_REMOTE-daemon}
-fi
-
-
 # First build Nix, since NixOS may require a newer version than the
 # current one.
 if [ -n "$rollback" -o "$action" = dry-build ]; then
@@ -359,20 +388,20 @@ prebuiltNix() {
         echo @nix_x86_64_linux@
     elif [[ "$machine" =~ i.86 ]]; then
         echo @nix_i686_linux@
+    elif [[ "$machine" = aarch64 ]]; then
+        echo @nix_aarch64_linux@
     else
         echo "$0: unsupported platform"
         exit 1
     fi
 }
 
-remotePATH=
-
 if [[ -n $buildNix && -z $flake ]]; then
     echo "building Nix..." >&2
     nixDrv=
-    if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
-        if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
-            if ! nixStorePath="$(nix-instantiate --eval '<nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix>' -A $(nixSystem) | sed -e 's/^"//' -e 's/"$//')"; then
+    if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root "$tmpDir/nix.drv" --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
+        if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root "$tmpDir/nix.drv" --indirect -A nix "${extraBuildFlags[@]}")"; then
+            if ! nixStorePath="$(nix-instantiate --eval '<nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix>' -A "$(nixSystem)" | sed -e 's/^"//' -e 's/"$//')"; then
                 nixStorePath="$(prebuiltNix "$(uname -m)")"
             fi
             if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
@@ -380,11 +409,11 @@ if [[ -n $buildNix && -z $flake ]]; then
                 echo "warning: don't know how to get latest Nix" >&2
             fi
             # Older version of nix-store -r don't support --add-root.
-            [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
+            [ -e "$tmpDir/nix" ] || ln -sf "$nixStorePath" "$tmpDir/nix"
             if [ -n "$buildHost" ]; then
                 remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
                 remoteNix="$remoteNixStorePath/bin"
-                if ! buildHostCmd nix-store -r $remoteNixStorePath \
+                if ! buildHostCmd nix-store -r "$remoteNixStorePath" \
                   --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
                     remoteNix=
                     echo "warning: don't know how to get latest Nix" >&2
@@ -393,7 +422,7 @@ if [[ -n $buildNix && -z $flake ]]; then
         fi
     fi
     if [ -a "$nixDrv" ]; then
-        nix-store -r "$nixDrv"'!'"out" --add-root $tmpDir/nix --indirect >/dev/null
+        nix-store -r "$nixDrv"'!'"out" --add-root "$tmpDir/nix" --indirect >/dev/null
         if [ -n "$buildHost" ]; then
             nix-copy-closure --to "$buildHost" "$nixDrv"
             # The nix build produces multiple outputs, we add them all to the remote path
@@ -410,7 +439,7 @@ fi
 # nixos-version shows something useful).
 if [[ -n $canRun && -z $flake ]]; then
     if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then
-        suffix=$($SHELL $nixpkgs/nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}" || true)
+        suffix=$($SHELL "$nixpkgs/nixos/modules/installer/tools/get-version-suffix" "${extraBuildFlags[@]}" || true)
         if [ -n "$suffix" ]; then
             echo -n "$suffix" > "$nixpkgs/.version-suffix" || true
         fi
@@ -432,10 +461,7 @@ if [ -z "$rollback" ]; then
         if [[ -z $flake ]]; then
             pathToConfig="$(nixBuild '<nixpkgs/nixos>' --no-out-link -A system "${extraBuildFlags[@]}")"
         else
-            outLink=$tmpDir/result
-            nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.toplevel" \
-              "${extraBuildFlags[@]}" "${lockFlags[@]}" --out-link $outLink
-            pathToConfig="$(readlink -f $outLink)"
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
         fi
         copyToTarget "$pathToConfig"
         targetHostCmd nix-env -p "$profile" --set "$pathToConfig"
@@ -443,24 +469,19 @@ if [ -z "$rollback" ]; then
         if [[ -z $flake ]]; then
             pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}")"
         else
-            nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}"
-            pathToConfig="$(readlink -f ./result)"
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.toplevel" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
         fi
     elif [ "$action" = build-vm ]; then
         if [[ -z $flake ]]; then
             pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vm -k "${extraBuildFlags[@]}")"
         else
-            nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.vm" \
-              "${extraBuildFlags[@]}" "${lockFlags[@]}"
-            pathToConfig="$(readlink -f ./result)"
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.vm" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
         fi
     elif [ "$action" = build-vm-with-bootloader ]; then
         if [[ -z $flake ]]; then
             pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vmWithBootLoader -k "${extraBuildFlags[@]}")"
         else
-            nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.vmWithBootLoader" \
-              "${extraBuildFlags[@]}" "${lockFlags[@]}"
-            pathToConfig="$(readlink -f ./result)"
+            pathToConfig="$(nixFlakeBuild "$flake#$flakeAttr.config.system.build.vmWithBootLoader" "${extraBuildFlags[@]}" "${lockFlags[@]}")"
         fi
     else
         showSyntax
@@ -491,7 +512,7 @@ fi
 # If we're not just building, then make the new configuration the boot
 # default and/or activate it now.
 if [ "$action" = switch -o "$action" = boot -o "$action" = test -o "$action" = dry-activate ]; then
-    if ! targetHostCmd $pathToConfig/bin/switch-to-configuration "$action"; then
+    if ! targetHostCmd "$pathToConfig/bin/switch-to-configuration" "$action"; then
         echo "warning: error(s) occurred while switching to the new configuration" >&2
         exit 1
     fi
diff --git a/pkgs/os-specific/linux/numactl/default.nix b/pkgs/os-specific/linux/numactl/default.nix
index d796bf579f1..2f8a4feb030 100644
--- a/pkgs/os-specific/linux/numactl/default.nix
+++ b/pkgs/os-specific/linux/numactl/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
     patchShebangs test
   '';
 
+  LDFLAGS = lib.optionalString stdenv.hostPlatform.isRiscV "-latomic";
+
   # You probably shouldn't ever run these! They will reconfigure Linux
   # NUMA settings, which on my build machine makes the rest of package
   # building ~5% slower until reboot. Ugh!
@@ -26,6 +28,6 @@ stdenv.mkDerivation rec {
     description = "Library and tools for non-uniform memory access (NUMA) machines";
     homepage = "https://github.com/numactl/numactl";
     license = with licenses; [ gpl2 lgpl21 ]; # libnuma is lgpl21
-    platforms = [ "i686-linux" "x86_64-linux" "aarch64-linux" ];
+    platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index cab5fe15e66..21d5a871f4e 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -24,6 +24,6 @@ stdenv.mkDerivation rec {
     homepage = "https://fedoraproject.org/wiki/Features/numad";
     license = licenses.lgpl21;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ domenkozar ];
+    maintainers = with maintainers; [ ];
   };
 }
diff --git a/pkgs/os-specific/linux/nvidia-x11/builder.sh b/pkgs/os-specific/linux/nvidia-x11/builder.sh
index 5baa4aa51e5..e6ad62b1128 100755
--- a/pkgs/os-specific/linux/nvidia-x11/builder.sh
+++ b/pkgs/os-specific/linux/nvidia-x11/builder.sh
@@ -20,7 +20,7 @@ buildPhase() {
         sysSrc=$(echo $kernel/lib/modules/$kernelVersion/source)
         sysOut=$(echo $kernel/lib/modules/$kernelVersion/build)
         unset src # used by the nv makefile
-        make SYSSRC=$sysSrc SYSOUT=$sysOut module -j$NIX_BUILD_CORES
+        make IGNORE_PREEMPT_RT_PRESENCE=1 NV_BUILD_SUPPORTS_HMM=1 SYSSRC=$sysSrc SYSOUT=$sysOut module -j$NIX_BUILD_CORES
 
         cd ..
     fi
diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix
index 004858964a7..2cf9cddef4d 100644
--- a/pkgs/os-specific/linux/nvidia-x11/default.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -1,39 +1,36 @@
-{ lib, callPackage, fetchpatch, fetchurl, stdenv }:
+{ lib, callPackage, fetchpatch, fetchurl, stdenv, pkgsi686Linux }:
 
 let
-
-generic = args:
-if ((!lib.versionOlder args.version "391")
+  generic = args: let
+    imported = import ./generic.nix args;
+  in if ((!lib.versionOlder args.version "391")
     && stdenv.hostPlatform.system != "x86_64-linux") then null
-  else callPackage (import ./generic.nix args) { };
+  else callPackage imported {
+    lib32 = (pkgsi686Linux.callPackage imported {
+      libsOnly = true;
+      kernel = null;
+    }).out;
+  };
+
   kernel = callPackage # a hacky way of extracting parameters from callPackage
     ({ kernel, libsOnly ? false }: if libsOnly then { } else kernel) { };
-
-  maybePatch_drm_legacy =
-    lib.optional (lib.versionOlder "4.14" (kernel.version or "0"))
-      (fetchurl {
-        url = "https://raw.githubusercontent.com/MilhouseVH/LibreELEC.tv/b5d2d6a1"
-            + "/packages/x11/driver/xf86-video-nvidia-legacy/patches/"
-            + "xf86-video-nvidia-legacy-0010-kernel-4.14.patch";
-        sha256 = "18clfpw03g8dxm61bmdkmccyaxir3gnq451z6xqa2ilm3j820aa5";
-      });
 in
 rec {
   # Policy: use the highest stable version as the default (on our master).
   stable = if stdenv.hostPlatform.system == "x86_64-linux"
     then generic {
-      version = "460.32.03";
-      sha256_64bit = "0qb0f8djys55b7qgvpbwafw5lkwvmcslqz3i2kr3jm354gy248ag";
-      settingsSha256 = "0mfkw0s4gy1dx671cp1kbpkpkf9c4271w5dz0ykiacz22simi83l";
-      persistencedSha256 = "1zrnmwlwqg3pgy1jvldy9iv994wr823rl7vjr1kqnngdmn7bflxl";
+      version = "460.73.01";
+      sha256_64bit = "120ymf59l6nipczszf82lrm2p4ihhqyv2pfwwfg9wy96vqcckc8i";
+      settingsSha256 = "08jh7g34p9yxv5fh1cw0r2pjx65ryiv3w2lk1qg0gxn2r7xypkx0";
+      persistencedSha256 = "040gx4wqp3hxcfb4aba4sl7b01ixr5slhzw0xldwcqlmhpwqphi5";
     }
     else legacy_390;
 
   beta = generic {
-    version = "460.27.04";
-    sha256_64bit = "plTqtc5QZQwM0f3MeMZV0N5XOiuSXCCDklL/qyy8HM8=";
-    settingsSha256 = "hU9J0VSrLXs7N14zq6U5LbBLZXEIyTfih/Bj6eFcMf0=";
-    persistencedSha256 = "PmqhoPskqhJe2FxMrQh9zX1BWQCR2kkfDwvA89+XALA=";
+    version = "470.42.01";
+    sha256_64bit = "04w9nmi3vyww07pmgbd2r1x37s5p6xiy4qg9s06a1kjwzpm59xfd";
+    settingsSha256 = "Ohbkm7j0/V0kzcxfsHujBkrdnaefneoLutf2Rju2hIQ=";
+    persistencedSha256 = "1gfj4ffkidbhgjzdi6sv2sngdcb27w7b0rvfnj129rs36mcxy02j";
   };
 
   # Vulkan developer beta driver
@@ -50,11 +47,11 @@ rec {
 
   # Last one supporting x86
   legacy_390 = generic {
-    version = "390.138";
-    sha256_32bit = "0y3qjygl0kfz9qs0rp9scn1k3l8ym9dib7wpkyh5gs4klcip7xkv";
-    sha256_64bit = "0rnnb5l4i8s76vlg6yvlrxhm2x9wdqw7k5hgf4fyaa3cr3k1kysz";
-    settingsSha256 = "0ad6hwl56nvbdv9g85lw7ywadqvc2gaq9x6d2vjcia9kg4vrmfqx";
-    persistencedSha256 = "15jciyq6i3pz1g67xzqlwmc62v3xswzhjcqmfcdndvlvhcibsimr";
+    version = "390.143";
+    sha256_32bit = "AelrdTTeo/3+ZdXK0iniZDB8gJUkeZQtNoRm25z+bQY=";
+    sha256_64bit = "tyKqcPM71ErK8ZZHLPtxmgrWzv6tfEmxBRveCSwTlO8=";
+    settingsSha256 = "EJPXZbxZS1CMENAYk9dCAIsHsRTXJpj473+JLuhGkWI=";
+    persistencedSha256 = "FtlPF3jCNr18NnImTmr8zJsaK9wbj/aWZ9LwoLr5SeE=";
   };
 
   legacy_340 = generic {
@@ -67,32 +64,4 @@ rec {
 
     patches = [ ./vm_operations_struct-fault.patch ];
   };
-
-  legacy_304 = generic {
-    version = "304.137";
-    sha256_32bit = "1y34c2gvmmacxk2c72d4hsysszncgfndc4s1nzldy2q9qagkg66a";
-    sha256_64bit = "1qp3jv6279k83k3z96p6vg3dd35y9bhmlyyyrkii7sib7bdmc7zb";
-    settingsSha256 = "129f0j0hxzjd7g67qwxn463rxp295fsq8lycwm6272qykmab46cj";
-    persistencedSha256 = null;
-    useGLVND = false;
-    useProfiles = false;
-    settings32Bit = true;
-
-    prePatch = let
-      debPatches = fetchurl {
-        url = "mirror://debian/pool/non-free/n/nvidia-graphics-drivers-legacy-304xx/"
-            + "nvidia-graphics-drivers-legacy-304xx_304.137-5.debian.tar.xz";
-        sha256 = "0n8512mfcnvklfbg8gv4lzbkm3z6nncwj6ix2b8ngdkmc04f3b6l";
-      };
-      prefix = "debian/module/debian/patches";
-      applyPatches = pnames: if pnames == [] then null else
-        ''
-          tar xf '${debPatches}'
-          sed 's|^\([+-]\{3\} [ab]\)/|\1/kernel/|' -i ${prefix}/*.patch
-          patches="$patches ${lib.concatMapStringsSep " " (pname: "${prefix}/${pname}.patch") pnames}"
-        '';
-    in applyPatches [ "fix-typos" ];
-    patches = maybePatch_drm_legacy;
-    broken = lib.versionAtLeast kernel.version "4.18";
-  };
 }
diff --git a/pkgs/os-specific/linux/nvidia-x11/generic.nix b/pkgs/os-specific/linux/nvidia-x11/generic.nix
index 2543da74ca6..2d325ab3d56 100644
--- a/pkgs/os-specific/linux/nvidia-x11/generic.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/generic.nix
@@ -25,6 +25,8 @@
 , # don't include the bundled 32-bit libraries on 64-bit platforms,
   # even if it’s in downloaded binary
   disable32Bit ? false
+  # 32 bit libs only version of this package
+, lib32 ? null
 }:
 
 with lib;
@@ -49,7 +51,7 @@ let
     src =
       if stdenv.hostPlatform.system == "x86_64-linux" then
         fetchurl {
-          url = args.url or "https://download.nvidia.com/XFree86/Linux-x86_64/${version}/NVIDIA-Linux-x86_64-${version}${pkgSuffix}.run";
+          url = args.url or "https://us.download.nvidia.com/XFree86/Linux-x86_64/${version}/NVIDIA-Linux-x86_64-${version}${pkgSuffix}.run";
           sha256 = sha256_64bit;
         }
       else if stdenv.hostPlatform.system == "i686-linux" then
@@ -93,6 +95,8 @@ let
       };
       persistenced = mapNullable (hash: callPackage (import ./persistenced.nix self hash) { }) persistencedSha256;
       inherit persistencedVersion settingsVersion;
+    } // optionalAttrs (!i686bundled) {
+      inherit lib32;
     };
 
     meta = with lib; {
diff --git a/pkgs/os-specific/linux/nvme-cli/default.nix b/pkgs/os-specific/linux/nvme-cli/default.nix
index b848a868274..3a306508488 100644
--- a/pkgs/os-specific/linux/nvme-cli/default.nix
+++ b/pkgs/os-specific/linux/nvme-cli/default.nix
@@ -1,17 +1,20 @@
-{ lib, stdenv, fetchFromGitHub, pkg-config }:
+{ lib, stdenv, fetchFromGitHub, pkg-config
+, libuuid
+}:
 
 stdenv.mkDerivation rec {
   pname = "nvme-cli";
-  version = "1.13";
+  version = "1.14";
 
   src = fetchFromGitHub {
     owner = "linux-nvme";
     repo = "nvme-cli";
     rev = "v${version}";
-    sha256 = "1d538kp841bjh8h8d9q7inqz56rdcwb3m78zfx8607ddykv7wcqb";
+    sha256 = "0dpadz945482srqpsbfx1bh7rc499fgpyzz1flhk9g9xjbpapkzc";
   };
 
   nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libuuid ];
 
   makeFlags = [ "DESTDIR=$(out)" "PREFIX=" ];
 
@@ -32,6 +35,6 @@ stdenv.mkDerivation rec {
     '';
     license = licenses.gpl2Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ primeos tavyc ];
+    maintainers = with maintainers; [ mic92 ];
   };
 }
diff --git a/pkgs/os-specific/linux/nvmet-cli/default.nix b/pkgs/os-specific/linux/nvmet-cli/default.nix
new file mode 100644
index 00000000000..4196efeae67
--- /dev/null
+++ b/pkgs/os-specific/linux/nvmet-cli/default.nix
@@ -0,0 +1,25 @@
+{ lib, python3Packages, fetchurl }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "nvmet-cli";
+  version = "0.7";
+
+  src = fetchurl {
+    url = "ftp://ftp.infradead.org/pub/nvmetcli/nvmetcli-${version}.tar.gz";
+    sha256 = "051y1b9w46azy35118154c353v3mhjkdzh6h59brdgn5054hayj2";
+  };
+
+  buildInputs = with python3Packages; [ nose2 ];
+
+  propagatedBuildInputs = with python3Packages; [ configshell ];
+
+  # This package requires the `nvmet` kernel module to be loaded for tests.
+  doCheck = false;
+
+  meta = with lib; {
+    description = "NVMe target CLI";
+    license = licenses.asl20;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ hoverbear ];
+  };
+}
diff --git a/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix b/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix
index c74810d24d5..511dd162785 100644
--- a/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix
+++ b/pkgs/os-specific/linux/oci-seccomp-bpf-hook/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv
+{ lib
 , buildGoModule
 , fetchFromGitHub
 , go-md2man
@@ -10,15 +10,14 @@
 
 buildGoModule rec {
   pname = "oci-seccomp-bpf-hook";
-  version = "1.2.0";
+  version = "1.2.3";
   src = fetchFromGitHub {
     owner = "containers";
     repo = "oci-seccomp-bpf-hook";
     rev = "v${version}";
-    sha256 = "143x4daixzhhhpli1l14r7dr7dn3q42w8dddr16jzhhwighsirqw";
+    sha256 = "sha256-EKD6tkdQCPlVlb9ScvRwDxYAtbbv9PIqBHH6SvtPDsE=";
   };
   vendorSha256 = null;
-  doCheck = false;
 
   outputs = [ "out" "man" ];
   nativeBuildInputs = [
@@ -31,6 +30,10 @@ buildGoModule rec {
     libseccomp
   ];
 
+  checkPhase = ''
+    go test -v ./...
+  '';
+
   buildPhase = ''
     make
   '';
@@ -53,6 +56,5 @@ buildGoModule rec {
     license = licenses.asl20;
     maintainers = with maintainers; [ saschagrunert ];
     platforms = platforms.linux;
-    badPlatforms = [ "aarch64-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/odp-dpdk/default.nix b/pkgs/os-specific/linux/odp-dpdk/default.nix
index b5610d35dde..66b39b2c89e 100644
--- a/pkgs/os-specific/linux/odp-dpdk/default.nix
+++ b/pkgs/os-specific/linux/odp-dpdk/default.nix
@@ -1,21 +1,24 @@
 { lib, stdenv, fetchurl, autoreconfHook, pkg-config
-, dpdk, libconfig, libpcap, numactl, openssl, zlib, libbsd, libelf, jansson
+, dpdk, libbpf, libconfig, libpcap, numactl, openssl, zlib, libbsd, libelf, jansson
 }: let
-  dpdk_18_11 = dpdk.overrideAttrs (old: rec {
-    version = "18.11.5";
+  dpdk_19_11 = dpdk.overrideAttrs (old: rec {
+    version = "19.11";
     src = fetchurl {
       url = "https://fast.dpdk.org/rel/dpdk-${version}.tar.xz";
-      sha256 = "1n6nfaj7703l19jcw540lm8avni48hj9q1rq4mfp8b8gd4zjprj0";
+      sha256 = "sha256-RnEzlohDZ3uxwna7dKNFiqfAAswh4pXFHjvWVJexEqs=";
     };
+    mesonFlags = old.mesonFlags ++ [
+      "-Denable_docs=false"
+    ];
   });
 
 in stdenv.mkDerivation rec {
   pname = "odp-dpdk";
-  version = "1.22.0.0_DPDK_18.11";
+  version = "1.30.1.0_DPDK_19.11";
 
   src = fetchurl {
     url = "https://git.linaro.org/lng/odp-dpdk.git/snapshot/${pname}-${version}.tar.gz";
-    sha256 = "1m8xhmfjqlj2gkkigq5ka3yh0xgzrcpfpaxp1pnh8d1g99094vbx";
+    sha256 = "sha256-R3PsqQiHlHPzIYYWTVEC7Ikg3KR5I0jWGgftDA9Jj1o=";
   };
 
   nativeBuildInputs = [
@@ -23,7 +26,7 @@ in stdenv.mkDerivation rec {
     pkg-config
   ];
   buildInputs = [
-    dpdk_18_11
+    dpdk_19_11
     libconfig
     libpcap
     numactl
@@ -32,19 +35,9 @@ in stdenv.mkDerivation rec {
     libbsd
     libelf
     jansson
+    libbpf
   ];
 
-  NIX_CFLAGS_COMPILE = [ "-Wno-error=address-of-packed-member" ];
-
-  # for some reason, /build/odp-dpdk-1.22.0.0_DPDK_18.11/lib/.libs ends up in all binaries,
-  # while it should be $out/lib instead.
-  # prepend rpath with the proper location, the /build will get removed during rpath shrinking
-  preFixup = ''
-    for prog in $out/bin/*; do
-      patchelf --set-rpath $out/lib:`patchelf --print-rpath $prog` $prog
-    done
-  '';
-
   # binaries will segfault otherwise
   dontStrip = true;
 
diff --git a/pkgs/os-specific/linux/ofp/default.nix b/pkgs/os-specific/linux/ofp/default.nix
deleted file mode 100644
index 5defafeba80..00000000000
--- a/pkgs/os-specific/linux/ofp/default.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, pkg-config, autoreconfHook
-, openssl, libpcap, odp-dpdk, dpdk
-}:
-
-stdenv.mkDerivation rec {
-  pname = "ofp";
-  version = "2.0.0";
-
-  src = fetchFromGitHub {
-    owner = "OpenFastPath";
-    repo = "ofp";
-    rev = version;
-    sha256 = "05902593fycgkwzk5g7wzgk0k40nrrgybplkdka3rqnlj6aydhqf";
-  };
-
-  nativeBuildInputs = [ pkg-config autoreconfHook ];
-  buildInputs = [ openssl libpcap odp-dpdk dpdk ];
-
-  dontDisableStatic = true;
-
-  postPatch = ''
-    substituteInPlace configure.ac --replace m4_esyscmd m4_esyscmd_s
-    substituteInPlace scripts/git_hash.sh --replace /bin/bash ${stdenv.shell}
-    echo ${version} > .scmversion
-  '';
-
-  configureFlags = [
-    "--with-odp=${odp-dpdk}"
-    "--with-odp-lib=odp-dpdk"
-    "--disable-shared"
-  ];
-
-  meta = with lib; {
-    description = "High performance TCP/IP stack";
-    homepage = "http://www.openfastpath.org";
-    license = licenses.bsd3;
-    platforms =  [ "x86_64-linux" ];
-    maintainers = [ maintainers.abuibrahim ];
-    broken = true;
-  };
-}
diff --git a/pkgs/os-specific/linux/open-iscsi/default.nix b/pkgs/os-specific/linux/open-iscsi/default.nix
index 5894d4f506e..0640316b627 100644
--- a/pkgs/os-specific/linux/open-iscsi/default.nix
+++ b/pkgs/os-specific/linux/open-iscsi/default.nix
@@ -1,19 +1,19 @@
 { lib, stdenv, fetchFromGitHub, automake, autoconf, libtool, gettext
-, util-linux, openisns, openssl, kmod, perl, systemd, pkgconf
+, util-linux, open-isns, openssl, kmod, perl, systemd, pkgconf
 }:
 
 stdenv.mkDerivation rec {
   pname = "open-iscsi";
-  version = "2.1.3";
+  version = "2.1.4";
 
   nativeBuildInputs = [ autoconf automake gettext libtool perl pkgconf ];
-  buildInputs = [ kmod openisns.lib openssl systemd util-linux ];
+  buildInputs = [ kmod open-isns.lib openssl systemd util-linux ];
 
   src = fetchFromGitHub {
     owner = "open-iscsi";
     repo = "open-iscsi";
     rev = version;
-    sha256 = "14rcf4xmrmz522z57sm8bb3mn79dqsdwz84rl6id84fgjbwbsp6b";
+    sha256 = "sha256-HnvLLwxOnu7Oiige6A6zk9NmAI2ImcILp9eCfbdGiyI=";
   };
 
   DESTDIR = "$(out)";
diff --git a/pkgs/os-specific/linux/open-isns/default.nix b/pkgs/os-specific/linux/open-isns/default.nix
index 71cee65602c..3f939024a48 100644
--- a/pkgs/os-specific/linux/open-isns/default.nix
+++ b/pkgs/os-specific/linux/open-isns/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "open-isns";
-  version = "0.99";
+  version = "0.101";
 
   src = fetchFromGitHub {
-    owner = "gonzoleeman";
+    owner = "open-iscsi";
     repo = "open-isns";
     rev = "v${version}";
-    sha256 = "0m294aiv80rkihacw5094093pc0kd5bkbxqgs6i32jsglxy33hvf";
+    sha256 = "1g7kp1j2f8afsach6sbl4k05ybz1yz2s8yg073bv4gnv48gyxb2p";
   };
 
   propagatedBuildInputs = [ openssl ];
@@ -20,10 +20,11 @@ stdenv.mkDerivation rec {
   installFlags = [ "etcdir=$(out)/etc" "vardir=$(out)/var/lib/isns" ];
   installTargets = [ "install" "install_hdrs" "install_lib" ];
 
-  meta = {
+  meta = with lib; {
     description = "iSNS server and client for Linux";
-    license = lib.licenses.lgpl21;
-    homepage = "https://github.com/gonzoleeman/open-isns";
-    platforms = lib.platforms.linux;
+    license = licenses.lgpl21Only;
+    homepage = "https://github.com/open-iscsi/open-isns";
+    platforms = platforms.linux;
+    maintainers = [ maintainers.markuskowa ];
   };
 }
diff --git a/pkgs/os-specific/linux/openrazer/driver.nix b/pkgs/os-specific/linux/openrazer/driver.nix
index 32c99a8be13..07113e62862 100644
--- a/pkgs/os-specific/linux/openrazer/driver.nix
+++ b/pkgs/os-specific/linux/openrazer/driver.nix
@@ -7,10 +7,11 @@
 }:
 
 let
-  common = import ../../../development/python-modules/openrazer/common.nix { inherit lib stdenv fetchFromGitHub; };
+  common = import ../../../development/python-modules/openrazer/common.nix { inherit lib fetchFromGitHub; };
 in
 stdenv.mkDerivation (common // {
-  name = "openrazer-${common.version}-${kernel.version}";
+  pname = "openrazer";
+  version = "${common.version}-${kernel.version}";
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
 
@@ -19,6 +20,8 @@ stdenv.mkDerivation (common // {
   ];
 
   installPhase = ''
+    runHook preInstall
+
     binDir="$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/hid"
     mkdir -p "$binDir"
     cp -v driver/*.ko "$binDir"
@@ -32,9 +35,12 @@ stdenv.mkDerivation (common // {
       --replace /usr/bin/logger ${util-linux}/bin/logger \
       --replace chgrp ${coreutils}/bin/chgrp \
       --replace "PATH='/sbin:/bin:/usr/sbin:/usr/bin'" ""
+
+    runHook postInstall
   '';
 
   meta = common.meta // {
     description = "An entirely open source Linux driver that allows you to manage your Razer peripherals on GNU/Linux";
+    broken = kernel.kernelOlder "4.19";
   };
 })
diff --git a/pkgs/os-specific/linux/openvswitch/default.nix b/pkgs/os-specific/linux/openvswitch/default.nix
index cbd1bbdf763..5faccc14ce7 100644
--- a/pkgs/os-specific/linux/openvswitch/default.nix
+++ b/pkgs/os-specific/linux/openvswitch/default.nix
@@ -8,18 +8,18 @@ let
   _kernel = kernel;
   pythonEnv = python3.withPackages (ps: with ps; [ six ]);
 in stdenv.mkDerivation rec {
-  version = "2.14.0";
+  version = "2.14.2";
   pname = "openvswitch";
 
   src = fetchurl {
     url = "https://www.openvswitch.org/releases/${pname}-${version}.tar.gz";
-    sha256 = "0q52k6mq1jfsv0ix55mjd5ljlalhklhqfrma3l61dzhgihmfawa1";
+    sha256 = "sha256-ZfQg+VTiUNiV+y2yKhMuHLVgvF4rkFHoNFETSBCOWXo=";
   };
 
   kernel = optional (_kernel != null) _kernel.dev;
 
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ makeWrapper util-linux openssl libcap_ng pythonEnv
+  nativeBuildInputs = [ pkg-config makeWrapper ];
+  buildInputs = [ util-linux openssl libcap_ng pythonEnv
                   perl procps which ];
 
   configureFlags = [
diff --git a/pkgs/os-specific/linux/openvswitch/lts.nix b/pkgs/os-specific/linux/openvswitch/lts.nix
index ddb5eff9723..15c6c05b061 100644
--- a/pkgs/os-specific/linux/openvswitch/lts.nix
+++ b/pkgs/os-specific/linux/openvswitch/lts.nix
@@ -1,5 +1,5 @@
 { lib, stdenv, fetchurl, makeWrapper, pkg-config, util-linux, which
-, procps, libcap_ng, openssl, python2, iproute , perl
+, procps, libcap_ng, openssl, python2, perl
 , automake, autoconf, libtool, kernel ? null }:
 
 with lib;
@@ -7,21 +7,20 @@ with lib;
 let
   _kernel = kernel;
 in stdenv.mkDerivation rec {
-  version = "2.5.9";
+  version = "2.5.12";
   pname = "openvswitch";
 
   src = fetchurl {
     url = "https://www.openvswitch.org/releases/${pname}-${version}.tar.gz";
-    sha256 = "0iv0ncwl6s4qyyb655yj5xvqrjr1zbymmab96q259wa09xnyw7b7";
+    sha256 = "0a8wa1lj5p28x3vq0yaxjhqmppp4hvds6hhm0j3czpp8mc09fsfq";
   };
 
   patches = [ ./patches/lts-ssl.patch ];
 
   kernel = optional (_kernel != null) _kernel.dev;
 
-  nativeBuildInputs = [ autoconf libtool automake pkg-config  ];
-  buildInputs = [ makeWrapper util-linux openssl libcap_ng python2
-                  perl procps which ];
+  nativeBuildInputs = [ autoconf libtool automake pkg-config makeWrapper ];
+  buildInputs = [ util-linux openssl libcap_ng python2 perl procps which ];
 
   preConfigure = "./boot.sh";
 
diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix
index 42b7ea91092..fb993699494 100644
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -1,5 +1,6 @@
-{ lib, stdenv, buildPackages, fetchurl, fetchpatch, flex, cracklib, db4
+{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext
 , nixosTests
+, withLibxcrypt ? false, libxcrypt
 }:
 
 stdenv.mkDerivation rec {
@@ -11,23 +12,14 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-IB1AcwsRNbGzzeoJ8sKKxjTXMYHM0Bcs7d7jZJxXkvw=";
   };
 
-  patches = lib.optionals (stdenv.hostPlatform.libc == "musl") [
-    (fetchpatch {
-      url = "https://git.alpinelinux.org/aports/plain/main/linux-pam/fix-compat.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc";
-      sha256 = "1h5yp5h2mqp1fcwiwwklyfpa69a3i03ya32pivs60fd7g5bqa7sf";
-    })
-    (fetchpatch {
-      url = "https://git.alpinelinux.org/aports/plain/main/linux-pam/libpam-fix-build-with-eglibc-2.16.patch?id=05a62bda8ec255d7049a2bd4cf0fdc4b32bdb2cc";
-      sha256 = "1ib6shhvgzinjsc603k2x1lxh9dic6qq449fnk110gc359m23j81";
-    })
-  ];
-
   outputs = [ "out" "doc" "man" /* "modules" */ ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = [ flex ];
+  nativeBuildInputs = [ flex ]
+    ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
 
-  buildInputs = [ cracklib db4 ];
+  buildInputs = [ cracklib db4 ]
+    ++ lib.optional withLibxcrypt libxcrypt;
 
   enableParallelBuilding = true;
 
diff --git a/pkgs/os-specific/linux/pam_gnupg/default.nix b/pkgs/os-specific/linux/pam_gnupg/default.nix
index 6ffc6050055..ffb397334c1 100644
--- a/pkgs/os-specific/linux/pam_gnupg/default.nix
+++ b/pkgs/os-specific/linux/pam_gnupg/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "pam_gnupg";
-  version = "0.2";
+  version = "0.3";
 
   src = fetchFromGitHub {
     owner = "cruegge";
     repo = "pam-gnupg";
     rev = "v${version}";
-    sha256 = "1d8046clv7r3bl77dbpza4f1zlkjffvdczbb5bci3prz7dyfrwsz";
+    sha256 = "sha256-NDl6MsvIDAXkaLqXt7Wa0T7aulT31P5Z/d/Vb+ILya0=";
   };
 
   configureFlags = [
diff --git a/pkgs/os-specific/linux/pam_krb5/default.nix b/pkgs/os-specific/linux/pam_krb5/default.nix
index 8abfe5fee9d..cb04fa5b424 100644
--- a/pkgs/os-specific/linux/pam_krb5/default.nix
+++ b/pkgs/os-specific/linux/pam_krb5/default.nix
@@ -1,14 +1,14 @@
-{ lib, stdenv, fetchurl, pam, kerberos }:
+{ lib, stdenv, fetchurl, pam, libkrb5 }:
 
 stdenv.mkDerivation rec {
-  name = "pam-krb5-4.9";
+  name = "pam-krb5-4.10";
 
   src = fetchurl {
     url = "https://archives.eyrie.org/software/kerberos/${name}.tar.gz";
-    sha256 = "0kzz6mjkzw571pkv684vyczhl874f6p7lih3dj7s764gxdxnv4y5";
+    sha256 = "09wzxd5zrj5bzqpb01qf148npj5k8hmd2bx2ij1qsy40hdxqyq79";
   };
 
-  buildInputs = [ pam kerberos ];
+  buildInputs = [ pam libkrb5 ];
 
   meta = with lib; {
     homepage = "https://www.eyrie.org/~eagle/software/pam-krb5/";
diff --git a/pkgs/os-specific/linux/pam_mount/default.nix b/pkgs/os-specific/linux/pam_mount/default.nix
index 7f26ae80ed6..5e4e15c364b 100644
--- a/pkgs/os-specific/linux/pam_mount/default.nix
+++ b/pkgs/os-specific/linux/pam_mount/default.nix
@@ -2,16 +2,15 @@
 
 stdenv.mkDerivation rec {
   pname = "pam_mount";
-  version = "2.16";
+  version = "2.17";
 
   src = fetchurl {
-    url = "mirror://sourceforge/pam-mount/pam_mount/${version}/${pname}-${version}.tar.xz";
-    sha256 = "1rvi4irb7ylsbhvx1cr6islm2xxw1a4b19q6z4a9864ndkm0f0mf";
+    url = "mirror://sourceforge/pam-mount/pam_mount/${pname}-${version}.tar.xz";
+    sha256 = "1q2n6a2ah6nghdn8i6ad2wj247njwb5nx48cggxknaa6lqxylidy";
   };
 
   patches = [
     ./insert_utillinux_path_hooks.patch
-    ./support_luks2.patch
   ];
 
   postPatch = ''
@@ -31,7 +30,6 @@ stdenv.mkDerivation rec {
     "--sbindir=${placeholder "out"}/bin"
     "--sysconfdir=${placeholder "out"}/etc"
     "--with-slibdir=${placeholder "out"}/lib"
-    "--with-ssbindir=${placeholder "out"}/bin"
   ];
 
   postInstall = ''
diff --git a/pkgs/os-specific/linux/pam_mount/support_luks2.patch b/pkgs/os-specific/linux/pam_mount/support_luks2.patch
deleted file mode 100644
index 0b8557f1bae..00000000000
--- a/pkgs/os-specific/linux/pam_mount/support_luks2.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-commit d4434c05e7c0cf05d87089404cfa2deedc60811a
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Mon Oct 29 16:47:40 2018 +0100
-
-    crypto: Add support for LUKS2
-    
-    Cryptsetup version 2.0 added support for LUKS2.
-    This patch adds support for mounting LUKS2 volumes with
-    pam_mount.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/src/crypto-dmc.c b/src/crypto-dmc.c
-index d0ab6ca..abd0358 100644
---- a/src/crypto-dmc.c
-+++ b/src/crypto-dmc.c
-@@ -21,6 +21,12 @@
- #include "libcryptmount.h"
- #include "pam_mount.h"
- 
-+#ifndef CRYPT_LUKS
-+	#define CRYPT_LUKS	NULL /* Passing NULL to crypt_load will
-+					default to LUKS(1) on older
-+					libcryptsetup versions. */
-+#endif
-+
- /**
-  * dmc_is_luks - check if @path points to a LUKS volume (cf. normal dm-crypt)
-  * @path:	path to the crypto container
-@@ -48,7 +54,7 @@ EXPORT_SYMBOL int ehd_is_luks(const char *path, bool blkdev)
- 
- 	ret = crypt_init(&cd, device);
- 	if (ret == 0) {
--		ret = crypt_load(cd, CRYPT_LUKS1, NULL);
-+		ret = crypt_load(cd, CRYPT_LUKS, NULL);
- 		if (ret == -EINVAL)
- 			ret = false;
- 		else if (ret == 0)
-@@ -106,7 +112,7 @@ static bool dmc_run(const struct ehd_mount_request *req,
- #endif
- 	}
- 
--	ret = crypt_load(cd, CRYPT_LUKS1, NULL);
-+	ret = crypt_load(cd, CRYPT_LUKS, NULL);
- 	if (ret == 0) {
- 		ret = crypt_activate_by_passphrase(cd, mt->crypto_name,
- 		      CRYPT_ANY_SLOT, req->key_data, req->key_size, flags);
diff --git a/pkgs/os-specific/linux/pam_u2f/default.nix b/pkgs/os-specific/linux/pam_u2f/default.nix
index 760af73fecd..30a55f2b9c0 100644
--- a/pkgs/os-specific/linux/pam_u2f/default.nix
+++ b/pkgs/os-specific/linux/pam_u2f/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "pam_u2f";
-  version = "1.1.0";
+  version = "1.1.1";
 
   src     = fetchurl {
     url = "https://developers.yubico.com/pam-u2f/Releases/${pname}-${version}.tar.gz";
-    sha256 = "01fwbrfnjkv93vvqm54jywdcxa1p7d4r32azicwnx75nxfbbzhqd";
+    sha256 = "12p3pkrp32vzpg7707cgx8zgvgj8iqwhy39sm761k7plqi027mmp";
   };
 
   nativeBuildInputs = [ pkg-config ];
@@ -16,6 +16,14 @@ stdenv.mkDerivation rec {
     configureFlagsArray+=("--with-pam-dir=$out/lib/security")
   '';
 
+  # a no-op makefile to prevent building the fuzz targets
+  postConfigure = ''
+    cat > fuzz/Makefile <<EOF
+    all:
+    install:
+    EOF
+  '';
+
   meta = with lib; {
     homepage = "https://developers.yubico.com/pam-u2f/";
     description = "A PAM module for allowing authentication with a U2F device";
diff --git a/pkgs/os-specific/linux/pax-utils/default.nix b/pkgs/os-specific/linux/pax-utils/default.nix
index f69b2bd7fce..40159cd2acd 100644
--- a/pkgs/os-specific/linux/pax-utils/default.nix
+++ b/pkgs/os-specific/linux/pax-utils/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "pax-utils";
-  version = "1.2.6";
+  version = "1.2.8";
 
   src = fetchurl {
     url = "http://distfiles.gentoo.org/distfiles/${pname}-${version}.tar.xz";
-    sha256 = "08bzvgv1z3371sqf7zlm9i0b1y3wdymj2dqdvzvf192k3nix4hlp";
+    sha256 = "sha256-urTIhG4dLMNmnPqSMdIdszWEHX1Y+eGc0Jn+bOYmsVc=";
   };
 
   makeFlags = [ "PREFIX=$(out)" ];
diff --git a/pkgs/os-specific/linux/pcm/default.nix b/pkgs/os-specific/linux/pcm/default.nix
index f791661d2ef..c0b8b59ebb5 100644
--- a/pkgs/os-specific/linux/pcm/default.nix
+++ b/pkgs/os-specific/linux/pcm/default.nix
@@ -1,14 +1,14 @@
 { lib, stdenv, fetchFromGitHub }:
 
 stdenv.mkDerivation rec {
-  version = "202011";
+  version = "202101";
   pname = "pcm";
 
   src = fetchFromGitHub {
     owner = "opcm";
     repo = "pcm";
     rev = version;
-    sha256 = "09p8drp9xvvs5bahgnr9xx6987fryz27xs2zaf1mr7a9wsh5j912";
+    sha256 = "sha256-xiC9XDuFcAzD2lVuzBWUvHy1Z1shEXM2KPFabKvgh1Y=";
   };
 
   installPhase = ''
diff --git a/pkgs/os-specific/linux/pcmciautils/default.nix b/pkgs/os-specific/linux/pcmciautils/default.nix
index ff3100cbb22..a4da6be691e 100644
--- a/pkgs/os-specific/linux/pcmciautils/default.nix
+++ b/pkgs/os-specific/linux/pcmciautils/default.nix
@@ -1,5 +1,5 @@
 { config, lib, stdenv, fetchurl
-, yacc, flex
+, bison, flex
 , sysfsutils, kmod, udev
 , firmware   ? config.pcmciaUtils.firmware or [] # Special pcmcia cards.
 , configOpts ? config.pcmciaUtils.config or null # Special hardware (map memory & port & irq)
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
     sha256 = "0sfm3w2n73kl5w7gb1m6q8gy5k4rgwvzz79n6yhs9w3sag3ix8sk";
   };
 
-  buildInputs = [udev yacc sysfsutils kmod flex];
+  buildInputs = [udev bison sysfsutils kmod flex];
 
   patchPhase = ''
     sed -i "
diff --git a/pkgs/os-specific/linux/piper/default.nix b/pkgs/os-specific/linux/piper/default.nix
index 1ef304c617f..5edcd263f0d 100644
--- a/pkgs/os-specific/linux/piper/default.nix
+++ b/pkgs/os-specific/linux/piper/default.nix
@@ -1,5 +1,5 @@
-{ lib, stdenv, meson, ninja, pkg-config, gettext, fetchFromGitHub, python3
-, wrapGAppsHook, gtk3, glib, desktop-file-utils, appstream-glib, gnome3
+{ lib, meson, ninja, pkg-config, gettext, fetchFromGitHub, python3
+, wrapGAppsHook, gtk3, glib, desktop-file-utils, appstream-glib, gnome
 , gobject-introspection }:
 
 python3.pkgs.buildPythonApplication rec {
@@ -17,7 +17,7 @@ python3.pkgs.buildPythonApplication rec {
 
   nativeBuildInputs = [ meson ninja gettext pkg-config wrapGAppsHook desktop-file-utils appstream-glib gobject-introspection ];
   buildInputs = [
-    gtk3 glib gnome3.adwaita-icon-theme python3
+    gtk3 glib gnome.adwaita-icon-theme python3
   ];
   propagatedBuildInputs = with python3.pkgs; [ lxml evdev pygobject3 ] ++ [
     gobject-introspection # fixes https://github.com/NixOS/nixpkgs/issues/56943 for now
diff --git a/pkgs/os-specific/linux/pipework/default.nix b/pkgs/os-specific/linux/pipework/default.nix
index 14d1eb85998..33192392888 100644
--- a/pkgs/os-specific/linux/pipework/default.nix
+++ b/pkgs/os-specific/linux/pipework/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, fetchFromGitHub, makeWrapper
-, bridge-utils, iproute, lxc, openvswitch, docker, busybox, dhcpcd, dhcp
+, bridge-utils, iproute2, lxc, openvswitch, docker, busybox, dhcpcd, dhcp
 }:
 
 stdenv.mkDerivation {
@@ -11,11 +11,11 @@ stdenv.mkDerivation {
     rev = "ae42f1b5fef82b3bc23fe93c95c345e7af65fef3";
     sha256 = "0c342m0bpq6ranr7dsxk9qi5mg3j5aw9wv85ql8gprdb2pz59qy8";
   };
-  buildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ makeWrapper ];
   installPhase = ''
     install -D pipework $out/bin/pipework
     wrapProgram $out/bin/pipework --prefix PATH : \
-      ${lib.makeBinPath [ bridge-utils iproute lxc openvswitch docker busybox dhcpcd dhcp ]};
+      ${lib.makeBinPath [ bridge-utils iproute2 lxc openvswitch docker busybox dhcpcd dhcp ]};
   '';
   meta = with lib; {
     description = "Software-Defined Networking tools for LXC";
diff --git a/pkgs/os-specific/linux/pktgen/configure.patch b/pkgs/os-specific/linux/pktgen/configure.patch
deleted file mode 100644
index b4933313a51..00000000000
--- a/pkgs/os-specific/linux/pktgen/configure.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-1. librte_process_info does not exist.
-2. lua5.3 library is liblua.
-3. app/meson.build uses undeclared drivers_install_subdir.
---- a/lib/common/meson.build
-+++ b/lib/common/meson.build
-@@ -34,1 +34,1 @@
--libs = ['eal', 'kvargs', 'cmdline', 'process_info']
-+libs = ['eal', 'kvargs', 'cmdline']
---- a/lib/lua/meson.build
-+++ b/lib/lua/meson.build
-@@ -31 +31 @@ endforeach
--ext_deps += cc.find_library('lua5.3', required: true)
-+ext_deps += cc.find_library('lua', required: true)
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -0,0 +1,1 @@
-+option('drivers_install_subdir', type: 'string', value: '')
diff --git a/pkgs/os-specific/linux/pktgen/default.nix b/pkgs/os-specific/linux/pktgen/default.nix
index 47ca709c44b..5a1a56ab691 100644
--- a/pkgs/os-specific/linux/pktgen/default.nix
+++ b/pkgs/os-specific/linux/pktgen/default.nix
@@ -1,29 +1,33 @@
-{ stdenv, lib, fetchurl, meson, ninja, pkg-config
+{ stdenv, lib, fetchFromGitHub, meson, ninja, pkg-config
 , dpdk, libbsd, libpcap, lua5_3, numactl, util-linux
 , gtk2, which, withGtk ? false
 }:
 
 stdenv.mkDerivation rec {
   pname = "pktgen";
-  version = "19.12.0";
+  version = "21.05.0";
 
-  src = fetchurl {
-    url = "http://dpdk.org/browse/apps/pktgen-dpdk/snapshot/${pname}-${version}.tar.xz";
-    sha256 = "1clfviz1qa4hysslcg6i29vsxwl9f6j1y7zf9wwx9br3yq08x956";
+  src = fetchFromGitHub {
+    owner = "pktgen";
+    repo = "Pktgen-DPDK";
+    rev = "pktgen-${version}";
+    sha256 = "sha256-7lLDtbd14olEHO+1BuI6KTEUNRM/zAyRXau/OZbYbGA=";
   };
 
   nativeBuildInputs = [ meson ninja pkg-config ];
 
-  buildInputs =
-    [ dpdk libbsd libpcap lua5_3 numactl which ]
-    ++ lib.optionals withGtk [gtk2];
+  buildInputs = [
+    dpdk libbsd libpcap lua5_3 numactl which
+  ] ++ lib.optionals withGtk [
+    gtk2
+  ];
 
   RTE_SDK = dpdk;
   GUI = lib.optionalString withGtk "true";
 
   NIX_CFLAGS_COMPILE = "-msse3";
-
-  patches = [ ./configure.patch ];
+  # requires symbols from this file
+  NIX_LDFLAGS = "-lrte_net_bond";
 
   postPatch = ''
     substituteInPlace lib/common/lscpu.h --replace /usr/bin/lscpu ${util-linux}/bin/lscpu
diff --git a/pkgs/os-specific/linux/ply/default.nix b/pkgs/os-specific/linux/ply/default.nix
index 2844badc730..e62716e4796 100644
--- a/pkgs/os-specific/linux/ply/default.nix
+++ b/pkgs/os-specific/linux/ply/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, kernel, fetchFromGitHub, autoreconfHook, yacc, flex, p7zip, rsync }:
+{ lib, stdenv, kernel, fetchFromGitHub, autoreconfHook, bison, flex, p7zip, rsync }:
 
 assert kernel != null -> lib.versionAtLeast kernel.version "4.0";
 
@@ -7,7 +7,7 @@ let
 in stdenv.mkDerivation {
   pname = "ply";
   inherit version;
-  nativeBuildInputs = [ autoreconfHook flex yacc p7zip rsync ];
+  nativeBuildInputs = [ autoreconfHook flex bison p7zip rsync ];
 
   src = fetchFromGitHub {
     owner = "iovisor";
diff --git a/pkgs/os-specific/linux/plymouth/default.nix b/pkgs/os-specific/linux/plymouth/default.nix
index c167b202c8d..8cb2a00987e 100644
--- a/pkgs/os-specific/linux/plymouth/default.nix
+++ b/pkgs/os-specific/linux/plymouth/default.nix
@@ -1,64 +1,111 @@
-{ stdenv, fetchurl, autoreconfHook, pkg-config, libxslt, docbook_xsl
-, gtk3, udev, systemd, lib
+{ lib
+, stdenv
+, fetchpatch
+, fetchFromGitLab
+, pkg-config
+, autoreconfHook
+, libxslt
+, docbook-xsl-nons
+, gettext
+, gtk3
+, systemd
+, pango
+, cairo
+, libdrm
 }:
 
 stdenv.mkDerivation rec {
-  pname = "plymouth";
-  version = "0.9.4";
+  pname = "plymouth-unstable";
+  version = "2020-12-07";
 
-  src = fetchurl {
-    url = "https://www.freedesktop.org/software/plymouth/releases/${pname}-${version}.tar.xz";
-    sha256 = "0l8kg7b2vfxgz9gnrn0v2w4jvysj2cirp0nxads5sy05397pl6aa";
+  outputs = [
+    "out"
+    "dev"
+  ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "plymouth";
+    repo = "plymouth";
+    rev = "c4ced2a2d70edea7fbb95274aa1d01d95928df1b";
+    sha256 = "7CPuKMA0fTt8DBsaA4Td74kHT/O7PW8N3awP04nUnOI=";
   };
 
   nativeBuildInputs = [
-    autoreconfHook pkg-config libxslt docbook_xsl
+    autoreconfHook
+    docbook-xsl-nons
+    gettext
+    libxslt
+    pkg-config
   ];
 
   buildInputs = [
-    gtk3 udev systemd
+    cairo
+    gtk3
+    libdrm
+    pango
+    systemd
+  ];
+
+  patches = [
+    # KillMode=none is deprecated
+    # https://gitlab.freedesktop.org/plymouth/plymouth/-/issues/123
+    (fetchpatch {
+      url = "https://gitlab.freedesktop.org/plymouth/plymouth/-/commit/b406b0895a95949db2adfedaeda451f36f2b51c3.patch";
+      sha256 = "/UBImNuFO0G/oxlttjGIXon8YXMXlc9XU8uVuR9QuxY=";
+    })
   ];
 
   postPatch = ''
     sed -i \
-      -e "s#\$(\$PKG_CONFIG --variable=systemdsystemunitdir systemd)#$out/etc/systemd/system#g" \
       -e "s#plymouthplugindir=.*#plymouthplugindir=/etc/plymouth/plugins/#" \
       -e "s#plymouththemedir=.*#plymouththemedir=/etc/plymouth/themes#" \
       -e "s#plymouthpolicydir=.*#plymouthpolicydir=/etc/plymouth/#" \
+      -e "s#plymouthconfdir=.*#plymouthconfdir=/etc/plymouth/#" \
       configure.ac
   '';
 
+  configurePlatforms = [ "host" ];
+
   configureFlags = [
-    "--sysconfdir=/etc"
-    "--with-systemdunitdir=${placeholder "out"}/etc/systemd/system"
+    "--enable-documentation"
+    "--enable-drm"
+    "--enable-gtk"
+    "--enable-pango"
+    "--enable-systemd-integration"
+    "--enable-tracing"
     "--localstatedir=/var"
-    "--with-logo=/etc/plymouth/logo.png"
+    "--sysconfdir=/etc"
     "--with-background-color=0x000000"
-    "--with-background-start-color-stop=0x000000"
     "--with-background-end-color-stop=0x000000"
+    "--with-background-start-color-stop=0x000000"
+    "--with-logo=/etc/plymouth/logo.png"
     "--with-release-file=/etc/os-release"
-    "--without-system-root-install"
+    "--with-runtimedir=/run"
+    "--with-systemdunitdir=${placeholder "out"}/etc/systemd/system"
     "--without-rhgb-compat-link"
-    "--enable-tracing"
-    "--enable-systemd-integration"
-    "--enable-pango"
-    "--enable-gdm-transition"
-    "--enable-gtk"
+    "--without-system-root-install"
     "ac_cv_path_SYSTEMD_ASK_PASSWORD_AGENT=${lib.getBin systemd}/bin/systemd-tty-ask-password-agent"
   ];
 
-  configurePlatforms = [ "host" ];
-
   installFlags = [
-    "plymouthd_defaultsdir=$(out)/share/plymouth"
-    "plymouthd_confdir=$(out)/etc/plymouth"
+    "localstatedir=\${TMPDIR}"
+    "plymouthd_confdir=${placeholder "out"}/etc/plymouth"
+    "plymouthd_defaultsdir=${placeholder "out"}/share/plymouth"
+    "sysconfdir=${placeholder "out"}/etc"
   ];
 
+  postInstall = ''
+    # Makes a symlink to /usr/share/pixmaps/system-logo-white.png
+    # We'll handle it in the nixos module.
+    rm $out/share/plymouth/themes/spinfinity/header-image.png
+  '';
+
   meta = with lib; {
-    homepage = "http://www.freedesktop.org/wiki/Software/Plymouth";
-    description = "A graphical boot animation";
-    license = licenses.gpl2;
-    maintainers = [ maintainers.goibhniu ];
+    homepage = "https://www.freedesktop.org/wiki/Software/Plymouth/";
+    description = "Boot splash and boot logger";
+    license = licenses.gpl2Plus;
+    maintainers = [ maintainers.goibhniu teams.gnome.members ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/pommed-light/default.nix b/pkgs/os-specific/linux/pommed-light/default.nix
index 9e9cf149fef..0797656f653 100644
--- a/pkgs/os-specific/linux/pommed-light/default.nix
+++ b/pkgs/os-specific/linux/pommed-light/default.nix
@@ -2,7 +2,7 @@
 , fetchFromGitHub
 , pciutils
 , libconfuse
-, alsaLib
+, alsa-lib
 , audiofile
 , pkg-config
 , zlib
@@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
   buildInputs = [
     pciutils
     libconfuse
-    alsaLib
+    alsa-lib
     audiofile
     zlib
     eject
diff --git a/pkgs/os-specific/linux/power-profiles-daemon/default.nix b/pkgs/os-specific/linux/power-profiles-daemon/default.nix
new file mode 100644
index 00000000000..03267b8e9ae
--- /dev/null
+++ b/pkgs/os-specific/linux/power-profiles-daemon/default.nix
@@ -0,0 +1,68 @@
+{ stdenv
+, lib
+, pkg-config
+, meson
+, ninja
+, fetchFromGitLab
+, libgudev
+, glib
+, gobject-introspection
+, gettext
+, gtk-doc
+, docbook-xsl-nons
+, docbook_xml_dtd_412
+, libxml2
+, libxslt
+, upower
+, systemd
+, python3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "power-profiles-daemon";
+  version = "0.8.1";
+
+  outputs = [ "out" "devdoc" ];
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "hadess";
+    repo = "power-profiles-daemon";
+    rev = version;
+    sha256 = "sha256-OnCUr7KWVPpYGDseBUcJD/PdOobvFnyNA97NhnKbTKY=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    meson
+    ninja
+    gettext
+    gtk-doc
+    docbook-xsl-nons
+    docbook_xml_dtd_412
+    libxml2 # for xmllint for stripping GResources
+    libxslt # for xsltproc for building docs
+    gobject-introspection
+  ];
+
+  buildInputs = [
+    libgudev
+    systemd
+    upower
+    glib
+    (python3.withPackages (ps: with ps; [ ps.pygobject3 ])) # for cli tool
+  ];
+
+  mesonFlags = [
+    "-Dsystemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
+    "-Dgtk_doc=true"
+  ];
+
+  meta = with lib; {
+    homepage = "https://gitlab.freedesktop.org/hadess/power-profiles-daemon";
+    description = "Makes user-selected power profiles handling available over D-Bus";
+    platforms = platforms.linux;
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ mvnetbiz ];
+  };
+}
diff --git a/pkgs/os-specific/linux/powercap/default.nix b/pkgs/os-specific/linux/powercap/default.nix
new file mode 100644
index 00000000000..ad9de9f75d5
--- /dev/null
+++ b/pkgs/os-specific/linux/powercap/default.nix
@@ -0,0 +1,26 @@
+{ lib, stdenv, fetchFromGitHub, cmake }:
+
+stdenv.mkDerivation rec {
+  pname = "powercap";
+  version = "0.3.1";
+
+  src = fetchFromGitHub {
+    owner = "powercap";
+    repo = "powercap";
+    rev = "v${version}";
+    sha256 = "0f1sg1zsskcfralg9khwq7lmz25gvnyknza3bb0hmh1a9lw0jhdn";
+  };
+
+  nativeBuildInputs = [ cmake ];
+
+  cmakeFlags = [
+    "-DBUILD_SHARED_LIBS=On"
+  ];
+
+  meta = with lib; {
+    description = "Tools and library to read/write to the Linux power capping framework (sysfs interface)";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ rowanG077 ];
+  };
+}
diff --git a/pkgs/os-specific/linux/powerstat/default.nix b/pkgs/os-specific/linux/powerstat/default.nix
index 12a92c36c69..f80b7425cd4 100644
--- a/pkgs/os-specific/linux/powerstat/default.nix
+++ b/pkgs/os-specific/linux/powerstat/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "powerstat";
-  version = "0.02.24";
+  version = "0.02.25";
 
   src = fetchurl {
     url = "https://kernel.ubuntu.com/~cking/tarballs/${pname}/${pname}-${version}.tar.gz";
-    sha256 = "0yrc1xi9flxn2mvmzp0b0vd0md5z4p8fd4y8bszc67xy12qiqy0j";
+    sha256 = "sha256-C6MCOXnElDI69QkLKd2X2SLved8cRCN0Q6BhUvvqsTY=";
   };
 
   installFlags = [ "DESTDIR=${placeholder "out"}" ];
diff --git a/pkgs/os-specific/linux/procps-ng/default.nix b/pkgs/os-specific/linux/procps-ng/default.nix
index 9f12ab69539..1d19d915117 100644
--- a/pkgs/os-specific/linux/procps-ng/default.nix
+++ b/pkgs/os-specific/linux/procps-ng/default.nix
@@ -1,14 +1,19 @@
-{ lib, stdenv, fetchurl, fetchpatch, ncurses, pkg-config
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, ncurses
+, pkg-config
 
-# `ps` with systemd support is able to properly report different
-# attributes like unit name, so we want to have it on linux.
+  # `ps` with systemd support is able to properly report different
+  # attributes like unit name, so we want to have it on linux.
 , withSystemd ? stdenv.isLinux
-, systemd ? null
+, systemd
 
-# procps is mostly Linux-only. Most commands require a running Linux
-# system (or very similar like that found in Cygwin). The one
-# exception is ‘watch’ which is portable enough to run on pretty much
-# any UNIX-compatible system.
+  # procps is mostly Linux-only. Most commands require a running Linux
+  # system (or very similar like that found in Cygwin). The one
+  # exception is ‘watch’ which is portable enough to run on pretty much
+  # any UNIX-compatible system.
 , watchOnly ? !(stdenv.isLinux || stdenv.isCygwin)
 }:
 
@@ -35,28 +40,29 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkg-config ];
 
   makeFlags = [ "usrbin_execdir=$(out)/bin" ]
-    ++ lib.optionals watchOnly [ "watch" "PKG_LDFLAGS="];
+    ++ lib.optionals watchOnly [ "watch" "PKG_LDFLAGS=" ];
 
   enableParallelBuilding = true;
 
   # Too red
   configureFlags = [ "--disable-modern-top" ]
     ++ lib.optional withSystemd "--with-systemd"
-    ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform)
-    [ "ac_cv_func_malloc_0_nonnull=yes"
-      "ac_cv_func_realloc_0_nonnull=yes" ];
+    ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    "ac_cv_func_malloc_0_nonnull=yes"
+    "ac_cv_func_realloc_0_nonnull=yes"
+  ];
 
-  installPhase = if watchOnly then ''
+  installPhase = lib.optionalString watchOnly ''
     install -m 0755 -D watch $out/bin/watch
     install -m 0644 -D watch.1 $out/share/man/man1/watch.1
-  '' else null;
+  '';
 
-  meta = {
+  meta = with lib; {
     homepage = "https://gitlab.com/procps-ng/procps";
     description = "Utilities that give information about processes using the /proc filesystem";
     priority = 11; # less than coreutils, which also provides "kill" and "uptime"
-    license = lib.licenses.gpl2;
-    platforms = lib.platforms.unix;
-    maintainers = [ lib.maintainers.typetetris ];
+    license = licenses.gpl2;
+    platforms = platforms.unix;
+    maintainers = [ maintainers.typetetris ];
   };
 }
diff --git a/pkgs/os-specific/linux/psmisc/default.nix b/pkgs/os-specific/linux/psmisc/default.nix
index 0902ce3d612..4cf3e1f7dd1 100644
--- a/pkgs/os-specific/linux/psmisc/default.nix
+++ b/pkgs/os-specific/linux/psmisc/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "psmisc";
-  version = "23.3";
+  version = "23.4";
 
   src = fetchFromGitLab {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    sha256 = "1132xvrldv0dar2mf221mv5kvajq0v6yrq8k3nl0wslnh5baa0r0";
+    sha256 = "sha256-s7omgtsNooYqhr4JUTZ6WCtPaZVC1ujJGz6KxUBWIs8=";
   };
 
   nativeBuildInputs = [ autoconf automake gettext ];
diff --git a/pkgs/os-specific/linux/radeontop/default.nix b/pkgs/os-specific/linux/radeontop/default.nix
index e6aa07e6cd1..b172fad6adc 100644
--- a/pkgs/os-specific/linux/radeontop/default.nix
+++ b/pkgs/os-specific/linux/radeontop/default.nix
@@ -40,6 +40,5 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/clbr/radeontop";
     platforms = platforms.linux;
     license = licenses.gpl3;
-    maintainers = with maintainers; [ rycee ];
   };
 }
diff --git a/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix b/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix
index ee5ead73bc1..5113d3c1070 100644
--- a/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix
+++ b/pkgs/os-specific/linux/raspberrypi-eeprom/default.nix
@@ -1,15 +1,15 @@
 { stdenvNoCC, lib, fetchFromGitHub, makeWrapper
 , python3, binutils-unwrapped, findutils, kmod, pciutils, libraspberrypi
 }:
-stdenvNoCC.mkDerivation {
+stdenvNoCC.mkDerivation rec {
   pname = "raspberrypi-eeprom";
-  version = "2020-12-11";
+  version = "2021.04.29-138a1";
 
   src = fetchFromGitHub {
     owner = "raspberrypi";
     repo = "rpi-eeprom";
-    rev = "54a9796abbee59067bff9da6b90c1014178f2c21";
-    sha256 = "0yp7bn444n6yisp4hiblrm00rrvrf213amzb4sh96mlb5nhxspqk";
+    rev = "v${version}";
+    sha256 = "sha256-nzAMPa4gqCAcROFa7z34IoMA3aoMHX9fYCsPFde9dac=";
   };
 
   buildInputs = [ python3 ];
@@ -19,7 +19,7 @@ stdenvNoCC.mkDerivation {
     # Don't try to verify md5 signatures from /var/lib/dpkg and
     # fix path to the configuration.
     substituteInPlace rpi-eeprom-update \
-      --replace 'IGNORE_DPKG_CHECKSUMS=$LOCAL_MODE' 'IGNORE_DPKG_CHECKSUMS=1' \
+      --replace 'IGNORE_DPKG_CHECKSUMS=''${LOCAL_MODE}' 'IGNORE_DPKG_CHECKSUMS=1' \
       --replace '/etc/default' '/etc'
   '';
 
@@ -28,7 +28,6 @@ stdenvNoCC.mkDerivation {
 
     cp rpi-eeprom-config rpi-eeprom-update $out/bin
     cp -r firmware/{beta,critical,old,stable} $out/share/rpi-eeprom
-    cp -r firmware/vl805 $out/bin
   '';
 
   fixupPhase = ''
diff --git a/pkgs/os-specific/linux/rdma-core/default.nix b/pkgs/os-specific/linux/rdma-core/default.nix
index b001ce966a9..25a8f3bdafa 100644
--- a/pkgs/os-specific/linux/rdma-core/default.nix
+++ b/pkgs/os-specific/linux/rdma-core/default.nix
@@ -1,10 +1,9 @@
 { lib, stdenv, fetchFromGitHub, cmake, pkg-config, docutils
-, pandoc, ethtool, iproute, libnl, udev, python, perl
-, makeWrapper
+, pandoc, ethtool, iproute2, libnl, udev, python3, perl
 } :
 
 let
-  version = "33.0";
+  version = "35.0";
 
 in stdenv.mkDerivation {
   pname = "rdma-core";
@@ -14,11 +13,11 @@ in stdenv.mkDerivation {
     owner = "linux-rdma";
     repo = "rdma-core";
     rev = "v${version}";
-    sha256 = "04q4z95nxxxjc674qnbwn19bv18nl3x7xwp6aql17h1cw3gdmhw4";
+    sha256 = "0ra0m1s0029qgcq0li7md6pkri7pcc4iy3cd6jrrqs9c6n1clnnd";
   };
 
-  nativeBuildInputs = [ cmake pkg-config pandoc docutils makeWrapper ];
-  buildInputs = [ libnl ethtool iproute udev python perl ];
+  nativeBuildInputs = [ cmake pkg-config pandoc docutils ];
+  buildInputs = [ libnl ethtool iproute2 udev python3 perl ];
 
   cmakeFlags = [
     "-DCMAKE_INSTALL_RUNDIR=/run"
@@ -39,14 +38,15 @@ in stdenv.mkDerivation {
   postFixup = ''
     for pls in $out/bin/{ibfindnodesusing.pl,ibidsverify.pl}; do
       echo "wrapping $pls"
-      wrapProgram $pls --prefix PERL5LIB : "$out/${perl.libPrefix}"
+      substituteInPlace $pls --replace \
+        "${perl}/bin/perl" "${perl}/bin/perl -I $out/${perl.libPrefix}"
     done
   '';
 
   meta = with lib; {
     description = "RDMA Core Userspace Libraries and Daemons";
     homepage = "https://github.com/linux-rdma/rdma-core";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
     maintainers = with maintainers; [ markuskowa ];
   };
diff --git a/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix b/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix
new file mode 100644
index 00000000000..93a91f0447a
--- /dev/null
+++ b/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix
@@ -0,0 +1,39 @@
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
+
+stdenv.mkDerivation {
+  pname = "rtl8188eus-aircrack";
+  version = "${kernel.version}-unstable-2021-05-04";
+
+  src = fetchFromGitHub {
+    owner = "aircrack-ng";
+    repo = "rtl8188eus";
+    rev = "6146193406b62e942d13d4d43580ed94ac70c218";
+    sha256 = "sha256-85STELbFB7QmTaM8GvJNlWvAg6KPAXeYRiMb4cGA6RY=";
+  };
+
+  nativeBuildInputs = [ bc ];
+
+  buildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  prePatch = ''
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  preInstall = ''
+    mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+  '';
+
+  meta = with lib; {
+    description = "RealTek RTL8188eus WiFi driver with monitor mode & frame injection support";
+    homepage = "https://github.com/aircrack-ng/rtl8188eus";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fortuneteller2k ];
+    broken = kernel.isHardened;
+  };
+}
diff --git a/pkgs/os-specific/linux/rtl8192eu/default.nix b/pkgs/os-specific/linux/rtl8192eu/default.nix
index d921eb71b0e..b66a56a8f8b 100644
--- a/pkgs/os-specific/linux/rtl8192eu/default.nix
+++ b/pkgs/os-specific/linux/rtl8192eu/default.nix
@@ -5,37 +5,40 @@ with lib;
 let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtl8192eu";
 
 in stdenv.mkDerivation rec {
-  name = "rtl8192eu-${kernel.version}-${version}";
-  version = "4.4.1.20200620";
+  pname = "rtl8192eu";
+  version = "${kernel.version}-4.4.1.20210403";
 
   src = fetchFromGitHub {
     owner = "Mange";
     repo = "rtl8192eu-linux-driver";
-    rev = "925ac2be34dd608a7ca42daebf9713f0c1bcec74";
-    sha256 = "159vg0scq47wnn600karpgzx3naaiyl1rg8608c8d28nhm62gvjz";
+    rev = "ab35c7e9672f37d75b7559758c99f6d027607687";
+    sha256 = "sha256-sTIaye4oWNYEnNuXlrTLobaFKXzBLsfJXdJuc10EdJI=";
   };
 
   hardeningDisable = [ "pic" ];
 
-  nativeBuildInputs = kernel.moduleBuildDependencies;
-
-  buildInputs = [ bc ];
+  nativeBuildInputs = kernel.moduleBuildDependencies ++ [ bc ];
 
   makeFlags = [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
 
   enableParallelBuilding = true;
 
   installPhase = ''
+    runHook preInstall
+
     mkdir -p ${modDestDir}
     find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
     find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
   '';
 
-  meta = {
+  meta = with lib; {
     description = "Realtek rtl8192eu driver";
     homepage = "https://github.com/Mange/rtl8192eu-linux-driver";
-    license = lib.licenses.gpl2;
-    platforms = lib.platforms.linux;
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    broken = stdenv.hostPlatform.isAarch64;
     maintainers = with maintainers; [ troydm ];
   };
 }
diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix
index 68a88fb6778..43396a99b96 100644
--- a/pkgs/os-specific/linux/rtl8812au/default.nix
+++ b/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -1,26 +1,28 @@
 { lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
 
 stdenv.mkDerivation rec {
-  name = "rtl8812au-${kernel.version}-${version}";
-  version = "5.6.4.2_35491.20200702";
+  pname = "rtl8812au";
+  version = "${kernel.version}-5.9.3.2.20210427";
 
   src = fetchFromGitHub {
     owner = "gordboy";
-    repo = "rtl8812au-5.6.4.2";
-    rev = "3110ad65d0f03532bd97b1017cae67ca86dd34f6";
-    sha256 = "0p0cv67dfr41npxn0c1frr0k9wiv0pdbvlzlmclgixn39xc6n5qz";
+    repo = "rtl8812au-5.9.3.2";
+    rev = "6ef5d8fcdb0b94b7490a9a38353877708fca2cd4";
+    sha256 = "sha256-czExf4z0nf7XEJ1YnRSB3CrGV6NTmUKDiZjLmrh6Hwo=";
   };
 
   nativeBuildInputs = [ bc nukeReferences ];
+
   buildInputs = kernel.moduleBuildDependencies;
 
   hardeningDisable = [ "pic" "format" ];
 
   prePatch = ''
-    substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/"
-    substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}"
-    substituteInPlace ./Makefile --replace /sbin/depmod \#
-    substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
+    substituteInPlace ./Makefile \
+      --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
+      --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
+      --replace /sbin/depmod \# \
+      --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
 
   makeFlags = [
@@ -42,9 +44,10 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod";
-    homepage = "https://github.com/gordboy/rtl8812au-5.6.4.2";
-    license = licenses.gpl2;
+    homepage = "https://github.com/gordboy/rtl8812au-5.9.3.2";
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ danielfullmer ];
+    maintainers = with maintainers; [ fortuneteller2k ];
+    broken = kernel.kernelOlder "4.10" || kernel.isHardened;
   };
 }
diff --git a/pkgs/os-specific/linux/rtl8814au/default.nix b/pkgs/os-specific/linux/rtl8814au/default.nix
index a710ef34e95..2b0fb9622a4 100644
--- a/pkgs/os-specific/linux/rtl8814au/default.nix
+++ b/pkgs/os-specific/linux/rtl8814au/default.nix
@@ -1,14 +1,14 @@
 { lib, stdenv, fetchFromGitHub, kernel }:
 
-stdenv.mkDerivation rec {
-  name = "rtl8814au-${kernel.version}-${version}";
-  version = "4.3.21";
+stdenv.mkDerivation {
+  pname = "rtl8814au";
+  version = "${kernel.version}-unstable-2021-05-18";
 
   src = fetchFromGitHub {
-    owner = "zebulon2";
-    repo = "rtl8814au";
-    rev = "a58c56a5a6cb99ffb872f07cb67b68197911854f";
-    sha256 = "1ffm67da183nz009gm5v9w1bab081hrm113kk8knl9s5qbqnn13q";
+    owner = "morrownr";
+    repo = "8814au";
+    rev = "388786c864f9b1437fc4d934b1eccf6d7f1e1355";
+    sha256 = "sha256-2EnheODPFWTGN/fz45LWRSOGeV6pTENEUrehahj+PJ4=";
   };
 
   buildInputs = kernel.moduleBuildDependencies;
@@ -31,9 +31,8 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     description = "Realtek 8814AU USB WiFi driver";
-    homepage = "https://github.com/zebulon2/rtl8814au";
-    license = licenses.gpl2;
+    homepage = "https://github.com/morrownr/8814au";
+    license = licenses.gpl2Only;
     maintainers = [ maintainers.lassulus ];
-    platforms = [ "x86_64-linux" "i686-linux" ];
   };
 }
diff --git a/pkgs/os-specific/linux/rtl8821au/default.nix b/pkgs/os-specific/linux/rtl8821au/default.nix
index 908220a1f28..08e097b0d5f 100644
--- a/pkgs/os-specific/linux/rtl8821au/default.nix
+++ b/pkgs/os-specific/linux/rtl8821au/default.nix
@@ -1,14 +1,14 @@
 { lib, stdenv, fetchFromGitHub, kernel, bc, nukeReferences }:
 
 stdenv.mkDerivation rec {
-  name = "rtl8821au-${kernel.version}-${version}";
-  version = "5.1.5+41";
+  pname = "rtl8821au";
+  version = "${kernel.version}-unstable-2021-05-18";
 
   src = fetchFromGitHub {
-    owner = "zebulon2";
-    repo = "rtl8812au";
-    rev = "ecd3494c327c54110d21346ca335ef9e351cb0be";
-    sha256 = "1kmdxgbh0s0v9809kdsi39p0jbm5cf10ivy40h8qj9hn70g1gw8q";
+    owner = "morrownr";
+    repo = "8821au";
+    rev = "6f6a9d5772bb2b75f18374c01c82c6b3e8e3244d";
+    sha256 = "sha256-RqtLR3sNcLXhUrNloSTRKubL1SVwzbVe73AsBYYSXNE=";
   };
 
   nativeBuildInputs = [ bc nukeReferences ];
@@ -35,9 +35,9 @@ stdenv.mkDerivation rec {
   '';
 
   meta = with lib; {
-    description = "rtl8821AU, rtl8812AU and rtl8811AU chipset driver with firmware";
-    homepage = "https://github.com/zebulon2/rtl8812au";
-    license = licenses.gpl2;
+    description = "rtl8821AU and rtl8812AU chipset driver with firmware";
+    homepage = "https://github.com/morrownr/8821au";
+    license = licenses.gpl2Only;
     platforms = [ "x86_64-linux" "i686-linux" ];
     maintainers = with maintainers; [ plchldr ];
   };
diff --git a/pkgs/os-specific/linux/rtl8821ce/default.nix b/pkgs/os-specific/linux/rtl8821ce/default.nix
index 81c129fae3e..b4def6f001c 100644
--- a/pkgs/os-specific/linux/rtl8821ce/default.nix
+++ b/pkgs/os-specific/linux/rtl8821ce/default.nix
@@ -1,13 +1,14 @@
 { lib, stdenv, fetchFromGitHub, kernel, bc }:
+
 stdenv.mkDerivation rec {
-  name = "rtl8821ce-${kernel.version}-${version}";
-  version = "5.5.2_34066.20200325";
+  pname = "rtl8821ce";
+  version = "${kernel.version}-unstable-2021-05-28";
 
   src = fetchFromGitHub {
     owner = "tomaspinho";
     repo = "rtl8821ce";
-    rev = "8d7edbe6a78fd79cfab85d599dad9dc34138abd1";
-    sha256 = "1hsf8lqjnkrkvk0gps8yb3lx72mvws6xbgkbdmgdkz7qdxmha8bp";
+    rev = "f93db734666f75ebf65e44ceb943c19b598b1647";
+    sha256 = "sha256-cqXV52U+6Jl9Jje1nEOYDvmH4rgA1QdrwNCfYeul3hU=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -30,8 +31,9 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Realtek rtl8821ce driver";
     homepage = "https://github.com/tomaspinho/rtl8821ce";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ hhm samuelgrf ];
+    broken = stdenv.isAarch64;
+    maintainers = with maintainers; [ hhm ];
   };
 }
diff --git a/pkgs/os-specific/linux/rtl8821cu/default.nix b/pkgs/os-specific/linux/rtl8821cu/default.nix
index 20bb590895b..556fd793915 100644
--- a/pkgs/os-specific/linux/rtl8821cu/default.nix
+++ b/pkgs/os-specific/linux/rtl8821cu/default.nix
@@ -1,13 +1,14 @@
 { lib, stdenv, fetchFromGitHub, kernel, bc }:
+
 stdenv.mkDerivation rec {
-  name = "rtl8821cu-${kernel.version}-${version}";
-  version = "unstable-2020-12-21";
+  pname = "rtl8821cu";
+  version = "${kernel.version}-unstable-2021-05-19";
 
   src = fetchFromGitHub {
-    owner = "brektrou";
-    repo = "rtl8821cu";
-    rev = "428a0820487418ec69c0edb91726d1cf19763b1e";
-    sha256 = "1ccl94727yq7gzn37ky91k0736cambgnkaa37r2f2hinpl9qdd8q";
+    owner = "morrownr";
+    repo = "8821cu";
+    rev = "2430c354c9b15fa6193a263c99ce57211d50c66f";
+    sha256 = "sha256-PkrpwebZYh/hBukqDQf6pxfbkVyA+CpYtte5pmzgLtw=";
   };
 
   hardeningDisable = [ "pic" ];
@@ -29,8 +30,8 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     description = "Realtek rtl8821cu driver";
-    homepage = "https://github.com/brektrou/rtl8821CU";
-    license = licenses.gpl2;
+    homepage = "https://github.com/morrownr/8821cu";
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
     maintainers = [ maintainers.contrun ];
   };
diff --git a/pkgs/os-specific/linux/rtl88x2bu/default.nix b/pkgs/os-specific/linux/rtl88x2bu/default.nix
index fb94b14d9ea..4b194bb2f33 100644
--- a/pkgs/os-specific/linux/rtl88x2bu/default.nix
+++ b/pkgs/os-specific/linux/rtl88x2bu/default.nix
@@ -1,30 +1,22 @@
-{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel, bc }:
+{ lib, stdenv, fetchFromGitHub, kernel, bc }:
 
 stdenv.mkDerivation rec {
-  name = "rtl88x2bu-${kernel.version}-${version}";
-  version = "unstable-2020-08-20";
+  pname = "rtl88x2bu";
+  version = "${kernel.version}-unstable-2021-05-18";
 
   src = fetchFromGitHub {
-    owner = "cilynx";
-    repo = "rtl88x2BU";
-    rev = "a1c53f43fb9995fbe3ad26567079d6384626d350";
-    sha256 = "1cby66jg511zxs1i535mflafhryla9764mnrzacxppimxpancv3s";
+    owner = "morrownr";
+    repo = "88x2bu";
+    rev = "80b03962e33f86f99e898305d8d597140503de03";
+    sha256 = "sha256-C7XOpKgwxM9UbfW3wHteInTmAUM3FFqN1MHMKxP8gBA=";
   };
 
-  patches = [
-    # https://github.com/cilynx/rtl88x2bu/pull/58
-    (fetchpatch {
-      url = "https://github.com/cilynx/rtl88x2bu/pull/58.patch";
-      sha256 = "0md9cv61nx85pk3v60y9wviyb9fgj54q9m26wiv3dc7smr70h8l6";
-    })
-  ];
-
   hardeningDisable = [ "pic" ];
 
   nativeBuildInputs = [ bc ];
   buildInputs = kernel.moduleBuildDependencies;
 
-  prePatch = ''
+ prePatch = ''
     substituteInPlace ./Makefile \
       --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
       --replace '$(shell uname -r)' "${kernel.modDirVersion}" \
@@ -38,8 +30,8 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     description = "Realtek rtl88x2bu driver";
-    homepage = "https://github.com/cilynx/rtl88x2bu";
-    license = licenses.gpl2;
+    homepage = "https://github.com/morrownr/88x2bu";
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
     maintainers = [ maintainers.ralith ];
   };
diff --git a/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix b/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
index c37c9502d2d..d65a601fd9e 100644
--- a/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
+++ b/pkgs/os-specific/linux/rtl88xxau-aircrack/default.nix
@@ -1,15 +1,17 @@
-{ lib, stdenv, fetchFromGitHub, kernel }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel }:
 
+let
+  rev = "3a64331a1c809bbbc21eca63b825970f213ec5ac";
+in
 stdenv.mkDerivation rec {
-  name = "rtl88xxau-aircrack-${kernel.version}-${version}";
-  rev = "fc0194c1d90453bf4943089ca237159ef19a7374";
-  version = "${builtins.substring 0 6 rev}";
+  pname = "rtl88xxau-aircrack";
+  version = "${kernel.version}-${builtins.substring 0 6 rev}";
 
   src = fetchFromGitHub {
     owner = "aircrack-ng";
     repo = "rtl8812au";
     inherit rev;
-    sha256 = "0hf7mrvxaskc6qcjar5w81y9xc7s2rlsxp34achyqly2hjg7fgmy";
+    sha256 = "sha256-goaN80imfCeUwiHokJd10CFKskE3iL5BO/xOQk6PtHE=";
   };
 
   buildInputs = kernel.moduleBuildDependencies;
@@ -18,6 +20,14 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types";
 
+  # Fix build for 5.12 kernels
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/aircrack-ng/rtl8812au/commit/9b4c60a89c2a55f36454b950a86246b6b86a9681.patch";
+      sha256 = "sha256-HPhTLstqAePF3H6WeM9Fu4/8UjNL+9xl4L8xq3NOWuM=";
+    })
+  ];
+
   prePatch = ''
     substituteInPlace ./Makefile \
       --replace /lib/modules/ "${kernel.dev}/lib/modules/" \
@@ -33,7 +43,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Aircrack-ng kernel module for Realtek 88XXau network cards\n(8811au, 8812au, 8814au and 8821au chipsets) with monitor mode and injection support.";
     homepage = "https://github.com/aircrack-ng/rtl8812au";
-    license = licenses.gpl2;
+    license = licenses.gpl2Only;
     maintainers = [ maintainers.jethro ];
     platforms = [ "x86_64-linux" "i686-linux" ];
   };
diff --git a/pkgs/os-specific/linux/rtlwifi_new/default.nix b/pkgs/os-specific/linux/rtlwifi_new/default.nix
deleted file mode 100644
index ef71cd82541..00000000000
--- a/pkgs/os-specific/linux/rtlwifi_new/default.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ stdenv, lib, fetchFromGitHub, kernel }:
-
-with lib;
-
-let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtlwifi";
-
-in stdenv.mkDerivation rec {
-  pname = "rtlwifi_new";
-  version = "2019-08-21";
-  # When updating see https://github.com/lwfinger/rtl8723be/issues/17#issuecomment-657326751
-
-  src = fetchFromGitHub {
-    owner = "rtlwifi-linux";
-    repo = "rtlwifi_new";
-    rev = "a108e3de87c2ed30b71c3c4595b79ab7a2f9e348";
-    sha256 = "15kjs9i9vvmn1cdzccd5cljf3m45r4ssm65klkj2fdkf3kljj38k";
-  };
-
-  hardeningDisable = [ "pic" "format" ];
-
-  nativeBuildInputs = kernel.moduleBuildDependencies;
-
-  makeFlags = [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
-
-  enableParallelBuilding = true;
-
-  installPhase = ''
-    mkdir -p ${modDestDir}
-    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
-    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
-  '';
-
-  meta = {
-    description = "The newest Realtek rtlwifi codes";
-    inherit (src.meta) homepage;
-    license = lib.licenses.gpl2;
-    platforms = with platforms; linux;
-    maintainers = with maintainers; [ tvorog ];
-    priority = -1;
-  };
-}
diff --git a/pkgs/os-specific/linux/rtw88/default.nix b/pkgs/os-specific/linux/rtw88/default.nix
new file mode 100644
index 00000000000..42302351240
--- /dev/null
+++ b/pkgs/os-specific/linux/rtw88/default.nix
@@ -0,0 +1,40 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+let
+  modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtw88";
+in
+stdenv.mkDerivation {
+  pname = "rtw88";
+  version = "unstable-2021-04-19";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtw88";
+    rev = "0f3cc6a5973bc386d9cb542fc85a6ba027edff5d";
+    hash = "sha256-PRzWXC1lre8gt1GfVdnaG836f5YK57P9a8tG20yef0w=";
+  };
+
+  makeFlags = [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "The newest Realtek rtlwifi codes";
+    homepage = "https://github.com/lwfinger/rtw88";
+    license = with licenses; [ bsd3 gpl2Only ];
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "4.14";
+    priority = -1;
+  };
+}
diff --git a/pkgs/os-specific/linux/rtw89/default.nix b/pkgs/os-specific/linux/rtw89/default.nix
new file mode 100644
index 00000000000..86ca72c537c
--- /dev/null
+++ b/pkgs/os-specific/linux/rtw89/default.nix
@@ -0,0 +1,40 @@
+{ stdenv, lib, fetchFromGitHub, kernel }:
+
+let
+  modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/rtw89";
+in
+stdenv.mkDerivation {
+  pname = "rtw89";
+  version = "unstable-2021-07-03";
+
+  src = fetchFromGitHub {
+    owner = "lwfinger";
+    repo = "rtw89";
+    rev = "cebafc6dc839e66c725b92c0fabf131bc908f607";
+    sha256 = "1vw67a423gajpzd5d51bxnja1qpppx9x5ii2vcfkj6cbnqwr83af";
+  };
+
+  makeFlags = [ "KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p ${modDestDir}
+    find . -name '*.ko' -exec cp --parents {} ${modDestDir} \;
+    find ${modDestDir} -name '*.ko' -exec xz -f {} \;
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = " Driver for Realtek 8852AE, an 802.11ax device";
+    homepage = "https://github.com/lwfinger/rtw89";
+    license = with licenses; [ gpl2Only ];
+    maintainers = with maintainers; [ tvorog ];
+    platforms = platforms.linux;
+    broken = kernel.kernelOlder "5.4";
+    priority = -1;
+  };
+}
diff --git a/pkgs/os-specific/linux/ryzenadj/default.nix b/pkgs/os-specific/linux/ryzenadj/default.nix
new file mode 100644
index 00000000000..e50cb7e8d53
--- /dev/null
+++ b/pkgs/os-specific/linux/ryzenadj/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub, pciutils, cmake }:
+stdenv.mkDerivation rec {
+  pname = "ryzenadj";
+  version = "0.8.2";
+
+  src = fetchFromGitHub {
+    owner = "FlyGoat";
+    repo = "RyzenAdj";
+    rev = "v${version}";
+    sha256 = "182l9nchlpl4yr568n86086glkr607rif92wnwc7v3aym62ch6ld";
+  };
+
+  nativeBuildInputs = [ pciutils cmake ];
+
+  installPhase = ''
+    install -D libryzenadj.so $out/lib/libryzenadj.so
+    install -D ryzenadj $out/bin/ryzenadj
+  '';
+
+  meta = with lib; {
+    description = "Adjust power management settings for Ryzen Mobile Processors.";
+    homepage = "https://github.com/FlyGoat/RyzenAdj";
+    license = licenses.lgpl3Only;
+    maintainers = with maintainers; [ asbachb ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
diff --git a/pkgs/os-specific/linux/s6-linux-init/default.nix b/pkgs/os-specific/linux/s6-linux-init/default.nix
index 2fb6c9441ed..5d6941259e1 100644
--- a/pkgs/os-specific/linux/s6-linux-init/default.nix
+++ b/pkgs/os-specific/linux/s6-linux-init/default.nix
@@ -1,11 +1,11 @@
-{ lib, stdenv, skawarePackages }:
+{ lib, skawarePackages }:
 
 with skawarePackages;
 
 buildPackage {
   pname = "s6-linux-init";
-  version = "1.0.6.0";
-  sha256 = "0kzif3dqhm7h4h7c6npzdbcy7w756222g8ysw116fgb8j385dr6w";
+  version = "1.0.6.2";
+  sha256 = "06xcmn2a89fvng056lcnnyrl2ak0y7cblkc90lj9a2liyhawy9dr";
 
   description = "A set of minimalistic tools used to create a s6-based init system, including a /sbin/init binary, on a Linux kernel";
   platforms = lib.platforms.linux;
diff --git a/pkgs/os-specific/linux/s6-linux-utils/default.nix b/pkgs/os-specific/linux/s6-linux-utils/default.nix
index 209f596d273..3596ab23e72 100644
--- a/pkgs/os-specific/linux/s6-linux-utils/default.nix
+++ b/pkgs/os-specific/linux/s6-linux-utils/default.nix
@@ -1,11 +1,11 @@
-{ lib, stdenv, skawarePackages }:
+{ lib, skawarePackages }:
 
 with skawarePackages;
 
 buildPackage {
   pname = "s6-linux-utils";
-  version = "2.5.1.4";
-  sha256 = "02gxzc9igid2kf2rvm3v6kc9806mpjmdq7cpanv4cml0ip68vbfq";
+  version = "2.5.1.5";
+  sha256 = "1fj5ldlrc6bx40pphg29rp3byd6fal6869v85kw86c2kdgrxn063";
 
   description = "A set of minimalistic Linux-specific system utilities";
   platforms = lib.platforms.linux;
diff --git a/pkgs/os-specific/linux/sd-switch/default.nix b/pkgs/os-specific/linux/sd-switch/default.nix
index 026488a24de..987f32664c1 100644
--- a/pkgs/os-specific/linux/sd-switch/default.nix
+++ b/pkgs/os-specific/linux/sd-switch/default.nix
@@ -1,17 +1,17 @@
-{ lib, stdenv, fetchFromGitLab, rustPlatform, pkg-config, dbus }:
+{ lib, fetchFromGitLab, rustPlatform, pkg-config, dbus }:
 
 rustPlatform.buildRustPackage rec {
   pname = "sd-switch";
-  version = "0.2.0";
+  version = "0.2.3";
 
   src = fetchFromGitLab {
     owner = "rycee";
     repo = pname;
     rev = version;
-    sha256 = "1bhks4ma3sn95bsszs6lj9cwfr8zgmja0hqfp8xr5iq77ww2p6k3";
+    sha256 = "12h2d7v7pdz7b0hrna64561kf35nbpwb2kzxa791xk8raxc2b72k";
   };
 
-  cargoSha256 = "0lskxakzh3yji0rzk8jcfz1sv4j19b5kmdsaj7401m5w84s1cbjw";
+  cargoSha256 = "12ny3cir2nxzrmf4vwq6sgc35dbpq88hav53xqdp44rigdf4vzbs";
 
   nativeBuildInputs = [ pkg-config ];
   buildInputs = [ dbus ];
diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix
index bcdb622866b..842a525353d 100644
--- a/pkgs/os-specific/linux/setools/default.nix
+++ b/pkgs/os-specific/linux/setools/default.nix
@@ -1,5 +1,6 @@
-{ lib, stdenv, fetchFromGitHub, python3
+{ lib, fetchFromGitHub, python3
 , libsepol, libselinux, checkpolicy
+, fetchpatch
 , withGraphics ? false
 }:
 
@@ -17,6 +18,13 @@ buildPythonApplication rec {
     sha256 = "0vr20bi8w147z5lclqz1l0j1b34137zg2r04pkafkgqqk7qbyjk6";
   };
 
+  patches = [
+    (fetchpatch { # included in 4.4.0
+      url = "https://github.com/SELinuxProject/setools/commit/f1b4a5d375be05fbccedb258c940d771bff8e524.diff";
+      sha256 = "1r38s6i4i6bdr2zdp5wcg1yifpf3pd018c73a511mgynyg7d11xy";
+    })
+  ];
+
   nativeBuildInputs = [ cython ];
   buildInputs = [ libsepol ];
   propagatedBuildInputs = [ enum34 libselinux networkx ]
diff --git a/pkgs/os-specific/linux/seturgent/default.nix b/pkgs/os-specific/linux/seturgent/default.nix
index a2ffcae3d6b..2e9e445eddc 100644
--- a/pkgs/os-specific/linux/seturgent/default.nix
+++ b/pkgs/os-specific/linux/seturgent/default.nix
@@ -8,8 +8,9 @@ stdenv.mkDerivation {
     sha256 = "0q1sr6aljkw2jr9b4xxzbc01qvnd5vk3pxrypif9yd8xjw4wqwri";
   };
 
+  nativeBuildInputs = [ unzip ];
   buildInputs = [
-    libX11 xorgproto unzip
+    libX11 xorgproto
   ];
 
   installPhase = ''
diff --git a/pkgs/os-specific/linux/shadow/default.nix b/pkgs/os-specific/linux/shadow/default.nix
index 0ff6fa1f341..e20023b2b6e 100644
--- a/pkgs/os-specific/linux/shadow/default.nix
+++ b/pkgs/os-specific/linux/shadow/default.nix
@@ -1,5 +1,5 @@
 { lib, stdenv, nixosTests, fetchpatch, fetchFromGitHub, autoreconfHook, libxslt
-, libxml2 , docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison
+, libxml2 , docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison, runtimeShell
 , pam ? null, glibcCross ? null
 }:
 
@@ -38,8 +38,11 @@ stdenv.mkDerivation rec {
       # Obtain XML resources from XML catalog (patch adapted from gtk-doc)
       ./respect-xml-catalog-files-var.patch
       dots_in_usernames
+      ./runtime-shell.patch
     ];
 
+  RUNTIME_SHELL = runtimeShell;
+
   # The nix daemon often forbids even creating set[ug]id files.
   postPatch =
     ''sed 's/^\(s[ug]idperms\) = [0-9]755/\1 = 0755/' -i src/Makefile.am
@@ -77,6 +80,8 @@ stdenv.mkDerivation rec {
       mv $out/bin/su $su/bin
     '';
 
+  disallowedReferences = lib.optional (stdenv.buildPlatform != stdenv.hostPlatform) stdenv.shellPackage;
+
   meta = with lib; {
     homepage = "https://github.com/shadow-maint";
     description = "Suite containing authentication-related tools such as passwd and su";
diff --git a/pkgs/os-specific/linux/shadow/runtime-shell.patch b/pkgs/os-specific/linux/shadow/runtime-shell.patch
new file mode 100644
index 00000000000..0b2e68e330e
--- /dev/null
+++ b/pkgs/os-specific/linux/shadow/runtime-shell.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index e4c6aaec..03883ad7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -682,7 +682,7 @@ if test "$enable_utmpx" = "yes"; then
+ 	          [Define if utmpx should be used])
+ fi
+ 
+-AC_DEFINE_UNQUOTED(SHELL, ["$SHELL"], [The default shell.])
++AC_DEFINE_UNQUOTED(SHELL, ["$RUNTIME_SHELL"], [The runtime shell.])
+ 
+ AM_GNU_GETTEXT_VERSION(0.16)
+ AM_GNU_GETTEXT([external], [need-ngettext])
diff --git a/pkgs/os-specific/linux/speedometer/default.nix b/pkgs/os-specific/linux/speedometer/default.nix
index e4d374b0c41..2801334688b 100644
--- a/pkgs/os-specific/linux/speedometer/default.nix
+++ b/pkgs/os-specific/linux/speedometer/default.nix
@@ -5,7 +5,7 @@ pythonPackages.buildPythonApplication rec {
   version = "2.8";
 
   src = fetchurl {
-    url = "http://excess.org/speedometer/speedometer-${version}.tar.gz";
+    url = "https://excess.org/speedometer/speedometer-${version}.tar.gz";
     sha256 = "060bikv3gwr203jbdmvawsfhc0yq0bg1m42dk8czx1nqvwvgv6fm";
   };
 
@@ -18,7 +18,7 @@ pythonPackages.buildPythonApplication rec {
 
   meta = with lib; {
     description = "Measure and display the rate of data across a network connection or data being stored in a file";
-    homepage = "http://excess.org/speedometer/";
+    homepage = "https://excess.org/speedometer/";
     license = licenses.lgpl21Plus;
     platforms = platforms.linux;
     maintainers = with maintainers; [ Baughn ];
diff --git a/pkgs/os-specific/linux/sssd/default.nix b/pkgs/os-specific/linux/sssd/default.nix
index 2973b87210b..94b1a6d799d 100644
--- a/pkgs/os-specific/linux/sssd/default.nix
+++ b/pkgs/os-specific/linux/sssd/default.nix
@@ -1,7 +1,7 @@
-{ lib, stdenv, fetchurl, fetchpatch, glibc, augeas, dnsutils, c-ares, curl,
+{ lib, stdenv, fetchFromGitHub, autoreconfHook, fetchpatch, glibc, augeas, dnsutils, c-ares, curl,
   cyrus_sasl, ding-libs, libnl, libunistring, nss, samba, nfs-utils, doxygen,
   python, python3, pam, popt, talloc, tdb, tevent, pkg-config, ldb, openldap,
-  pcre, kerberos, cifs-utils, glib, keyutils, dbus, fakeroot, libxslt, libxml2,
+  pcre, libkrb5, cifs-utils, glib, keyutils, dbus, fakeroot, libxslt, libxml2,
   libuuid, ldap, systemd, nspr, check, cmocka, uid_wrapper,
   nss_wrapper, ncurses, Po4a, http-parser, jansson,
   docbook_xsl, docbook_xml_dtd_44,
@@ -12,11 +12,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "sssd";
-  version = "1.16.4";
+  version = "1.16.5";
 
-  src = fetchurl {
-    url = "https://fedorahosted.org/released/sssd/${pname}-${version}.tar.gz";
-    sha256 = "0ngr7cgimyjc6flqkm7psxagp1m4jlzpqkn28pliifbmdg6i5ckb";
+  src = fetchFromGitHub {
+    owner = "SSSD";
+    repo = pname;
+    rev = "${pname}-${lib.replaceStrings ["."] ["_"] version}";
+    sha256 = "0zbs04lkjbp7y92anmafl7gzamcnq1f147p13hc4byyvjk9rg6f7";
   };
   patches = [
     # Fix build failure against samba 4.12.0rc1
@@ -60,9 +62,10 @@ stdenv.mkDerivation rec {
   '';
 
   enableParallelBuilding = true;
+  nativeBuildInputs = [ autoreconfHook pkg-config doxygen ];
   buildInputs = [ augeas dnsutils c-ares curl cyrus_sasl ding-libs libnl libunistring nss
-                  samba nfs-utils doxygen python python3 popt
-                  talloc tdb tevent pkg-config ldb pam openldap pcre kerberos
+                  samba nfs-utils python python3 popt
+                  talloc tdb tevent ldb pam openldap pcre libkrb5
                   cifs-utils glib keyutils dbus fakeroot libxslt libxml2
                   libuuid ldap systemd nspr check cmocka uid_wrapper
                   nss_wrapper ncurses Po4a http-parser jansson ];
@@ -95,8 +98,9 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     description = "System Security Services Daemon";
-    homepage = "https://fedorahosted.org/sssd/";
-    license = licenses.gpl3;
+    homepage = "https://sssd.io/";
+    changelog = "https://sssd.io/release-notes/sssd-${version}.html";
+    license = licenses.gpl3Plus;
     platforms = platforms.linux;
     maintainers = [ maintainers.e-user ];
   };
diff --git a/pkgs/os-specific/linux/swapview/default.nix b/pkgs/os-specific/linux/swapview/default.nix
index c88c8757db3..8eb45550105 100644
--- a/pkgs/os-specific/linux/swapview/default.nix
+++ b/pkgs/os-specific/linux/swapview/default.nix
@@ -11,7 +11,7 @@ rustPlatform.buildRustPackage rec {
     sha256 = "0339biydk997j5r72vzp7djwkscsz89xr3936nshv23fmxjh2rzj";
   };
 
-  cargoSha256 = "0z99pqd41y8cci3yvwsnm5zbq7pzli62z8qqqghmz1hcq5pb5q7g";
+  cargoSha256 = "03yi6bsjjnl8hznxr1nrnxx5lrqb574625j2lkxqbl9vrg9mswdz";
 
   meta = with lib; {
     description = "A simple program to view processes' swap usage on Linux";
diff --git a/pkgs/os-specific/linux/switcheroo-control/default.nix b/pkgs/os-specific/linux/switcheroo-control/default.nix
new file mode 100644
index 00000000000..38945c70622
--- /dev/null
+++ b/pkgs/os-specific/linux/switcheroo-control/default.nix
@@ -0,0 +1,58 @@
+{ lib
+, ninja
+, meson
+, fetchFromGitLab
+, systemd
+, libgudev
+, pkg-config
+, glib
+, python3
+, gobject-introspection
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "switcheroo-control";
+  version = "2.3";
+
+  format = "other";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.freedesktop.org";
+    owner = "hadess";
+    repo = pname;
+    rev = version;
+    hash = "sha256-1Pze2TJ9mggfcpiLFwJ7/9WhsdJx4G3GoA7+Z47shuc=";
+  };
+
+  nativeBuildInputs = [
+    ninja
+    meson
+    pkg-config
+
+    # needed for glib-compile-resources
+    glib
+  ];
+
+  buildInputs = [
+    systemd
+    libgudev
+  ];
+
+  propagatedBuildInputs = [
+    python3.pkgs.pygobject3
+  ];
+
+  mesonFlags = [
+    "-Dsystemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
+    "-Dhwdbdir=${placeholder "out"}/etc/udev/hwdb.d"
+  ];
+
+  meta = with lib; {
+    description = "D-Bus service to check the availability of dual-GPU";
+    homepage = "https://gitlab.freedesktop.org/hadess/switcheroo-control/";
+    changelog = "https://gitlab.freedesktop.org/hadess/switcheroo-control/-/blob/${version}/NEWS";
+    license = licenses.gpl3Plus;
+    maintainers = [ ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index ecbd23e117f..23e78dd848e 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -1,5 +1,5 @@
 { lib, stdenv, fetchFromGitHub, cmake, kernel, installShellFiles
-, luajit, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl, jq, gcc, elfutils, tbb, c-ares, protobuf, grpc
+, luajit, ncurses, perl, jsoncpp, libb64, openssl, curl, jq, gcc, elfutils, tbb, protobuf, grpc
 }:
 
 with lib;
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ cmake perl installShellFiles ];
   buildInputs = [
-    zlib luajit ncurses jsoncpp libb64 openssl curl jq gcc elfutils tbb c-ares protobuf grpc
+    luajit ncurses jsoncpp libb64 openssl curl jq gcc elfutils tbb protobuf grpc
   ] ++ optionals (kernel != null) kernel.moduleBuildDependencies;
 
   hardeningDisable = [ "pic" ];
diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix
index 1b2415dd805..4ca7f50b7d1 100644
--- a/pkgs/os-specific/linux/syslinux/default.nix
+++ b/pkgs/os-specific/linux/syslinux/default.nix
@@ -23,12 +23,12 @@ stdenv.mkDerivation {
       sha256 = "06ifgzbpjj4picpj17zgprsfi501zf4pp85qjjgn29i5rs291zni";
     })
     (fetchurl {
-      url = "https://git.archlinux.org/svntogit/packages.git/plain/trunk/0005-gnu-efi-version-compatibility.patch?id=821c3da473d1399d930d5b4a086e46a4179eaa45";
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/821c3da473d1399d930d5b4a086e46a4179eaa45/trunk/0005-gnu-efi-version-compatibility.patch";
       name = "0005-gnu-efi-version-compatibility.patch";
       sha256 = "1mz2idg8cwn0mvd3jixxynhkn7rhmi5fp8cc8zznh5f0ysfra446";
     })
     (fetchurl {
-      url = "https://git.archlinux.org/svntogit/packages.git/plain/trunk/0025-reproducible-build.patch?id=821c3da473d1399d930d5b4a086e46a4179eaa45";
+      url = "https://raw.githubusercontent.com/archlinux/svntogit-packages/821c3da473d1399d930d5b4a086e46a4179eaa45/trunk/0025-reproducible-build.patch";
       name = "0025-reproducible-build.patch";
       sha256 = "0qk6wc6z3648828y3961pn4pi7xhd20a6fqn6z1mnj22bbvzcxls";
     })
@@ -63,8 +63,8 @@ stdenv.mkDerivation {
     touch gnu-efi/inc/ia32/gnu/stubs-32.h
   '';
 
-  nativeBuildInputs = [ nasm perl python3 ];
-  buildInputs = [ libuuid makeWrapper ];
+  nativeBuildInputs = [ nasm perl python3 makeWrapper ];
+  buildInputs = [ libuuid ];
 
   enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...'
   hardeningDisable = [ "pic" "stackprotector" "fortify" ];
diff --git a/pkgs/os-specific/linux/sysstat/default.nix b/pkgs/os-specific/linux/sysstat/default.nix
index 2d54223edb5..2eff999ac7c 100644
--- a/pkgs/os-specific/linux/sysstat/default.nix
+++ b/pkgs/os-specific/linux/sysstat/default.nix
@@ -1,11 +1,11 @@
 { lib, stdenv, fetchurl, gettext, bzip2 }:
 
 stdenv.mkDerivation rec {
-  name = "sysstat-12.3.2";
+  name = "sysstat-12.4.3";
 
   src = fetchurl {
     url = "http://pagesperso-orange.fr/sebastien.godard/${name}.tar.xz";
-    sha256 = "0gaas16q2f7qmrv4sbqk2l2mrc7yr64s33bzw4094p59fkylm7k4";
+    sha256 = "sha256-rkMkMfRarLyrrPu+Ep4lBeIVyvqc6ZbXVQxgkaRvC/0=";
   };
 
   buildInputs = [ gettext ];
diff --git a/pkgs/os-specific/linux/system76-power/default.nix b/pkgs/os-specific/linux/system76-power/default.nix
new file mode 100644
index 00000000000..fbc26ca8719
--- /dev/null
+++ b/pkgs/os-specific/linux/system76-power/default.nix
@@ -0,0 +1,30 @@
+{ pkg-config, libusb1, dbus, lib, rustPlatform, fetchFromGitHub }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "system76-power";
+  version = "1.1.16";
+
+  src = fetchFromGitHub {
+    owner = "pop-os";
+    repo = "system76-power";
+    rev = version;
+    sha256 = "sha256-OtrhvUkNNgg6KlrqjwiBKL4zuQZBWevb0xgtSlEW2rQ=";
+  };
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ dbus libusb1 ];
+
+  cargoSha256 = "sha256-ImACDbnUbwc0ZXgF3xxzes8+vUjt76B1xxgqzhgAYX4=";
+
+  postInstall = ''
+    install -D -m 0644 data/system76-power.conf $out/etc/dbus-1/system.d/system76-power.conf
+  '';
+
+  meta = with lib; {
+    description = "System76 Power Management";
+    homepage = "https://github.com/pop-os/system76-power";
+    license = licenses.gpl3Plus;
+    platforms = [ "i686-linux" "x86_64-linux" ];
+    maintainers = [ maintainers.jwoudenberg ];
+  };
+}
diff --git a/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch b/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
index b3b241b570a..ac2d0018160 100644
--- a/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
+++ b/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
@@ -1,7 +1,7 @@
-From dd2ec741aaa7c587eb7719bbf4b305fe28168b77 Mon Sep 17 00:00:00 2001
+From 2f4a5e9c9ef1cd57662e8bd4c24e1029a00d55b5 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 8 Jan 2013 15:46:30 +0100
-Subject: [PATCH 01/18] Start device units for uninitialised encrypted devices
+Subject: [PATCH 01/19] Start device units for uninitialised encrypted devices
 
 This is necessary because the NixOS service that initialises the
 filesystem depends on the appearance of the device unit.  Also, this
@@ -13,7 +13,7 @@ unit.  (However, this ignores the fsck unit, so it's not perfect...)
  1 file changed, 4 deletions(-)
 
 diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
-index d2f595d18e..941a7c1ba3 100644
+index 7c22eefdb7..e3a55e00b5 100644
 --- a/rules.d/99-systemd.rules.in
 +++ b/rules.d/99-systemd.rules.in
 @@ -17,10 +17,6 @@ SUBSYSTEM=="ubi", TAG+="systemd"
@@ -28,5 +28,5 @@ index d2f595d18e..941a7c1ba3 100644
  SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}!="crypto_LUKS", SYMLINK+="gpt-auto-root"
  SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}=="crypto_LUKS", SYMLINK+="gpt-auto-root-luks"
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch b/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
index 1f3a1b64684..f54430f764e 100644
--- a/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
+++ b/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
@@ -1,7 +1,7 @@
-From ab3dab997695db5346f8efbf8566ac96612f0c6e Mon Sep 17 00:00:00 2001
+From 4e96b2e074c4a4f4ce900409872ce2f86704ee5b Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Fri, 12 Apr 2013 13:16:57 +0200
-Subject: [PATCH 02/18] Don't try to unmount /nix or /nix/store
+Subject: [PATCH 02/19] Don't try to unmount /nix or /nix/store
 
 They'll still be remounted read-only.
 
@@ -38,5 +38,5 @@ index 3a72a13e1a..541320dc9d 100644
                  || path_equal(path, "/usr")
  #endif
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
index 56f52b9971e..37caffb97d7 100644
--- a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
+++ b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
@@ -1,7 +1,7 @@
-From 3581f8f30270e6340c671a640fe551e954715f8e Mon Sep 17 00:00:00 2001
+From 3d1b2e56a6ed6cc86a64f6f89765a2900e576402 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Wed, 16 Apr 2014 10:59:28 +0200
-Subject: [PATCH 03/18] Fix NixOS containers
+Subject: [PATCH 03/19] Fix NixOS containers
 
 In NixOS containers, the init script is bind-mounted into the
 container, so checking early whether it exists will fail.
@@ -10,10 +10,10 @@ container, so checking early whether it exists will fail.
  1 file changed, 2 insertions(+)
 
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index 0842731c18..f790853104 100644
+index 7515380fcd..14f8a82eb8 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -5319,6 +5319,7 @@ static int run(int argc, char *argv[]) {
+@@ -5323,6 +5323,7 @@ static int run(int argc, char *argv[]) {
                                  goto finish;
                          }
                  } else {
@@ -21,7 +21,7 @@ index 0842731c18..f790853104 100644
                          const char *p, *q;
  
                          if (arg_pivot_root_new)
-@@ -5333,6 +5334,7 @@ static int run(int argc, char *argv[]) {
+@@ -5337,6 +5338,7 @@ static int run(int argc, char *argv[]) {
                                  r = -EINVAL;
                                  goto finish;
                          }
@@ -30,5 +30,5 @@ index 0842731c18..f790853104 100644
  
          } else {
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch b/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
index 4d3729556d6..2f14a9d6a7e 100644
--- a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
+++ b/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
@@ -1,17 +1,17 @@
-From 12b63d8c1d2ca85d9bb7ea07e8eb5e623e1b58e9 Mon Sep 17 00:00:00 2001
+From 3a721cf70e952e933ef5374006bbb11a3a0ad36a Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Thu, 1 May 2014 14:10:10 +0200
-Subject: [PATCH 04/18] Look for fsck in the right place
+Subject: [PATCH 04/19] Look for fsck in the right place
 
 ---
  src/fsck/fsck.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c
-index 04752fe9dc..ad0ccf91c0 100644
+index 510689f3b7..25cab5acae 100644
 --- a/src/fsck/fsck.c
 +++ b/src/fsck/fsck.c
-@@ -369,7 +369,7 @@ static int run(int argc, char *argv[]) {
+@@ -368,7 +368,7 @@ static int run(int argc, char *argv[]) {
                  } else
                          dash_c[0] = 0;
  
@@ -21,5 +21,5 @@ index 04752fe9dc..ad0ccf91c0 100644
                  cmdline[i++] = "-T";
  
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch b/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
index 476ebe06e70..0acccacd613 100644
--- a/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
+++ b/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
@@ -1,24 +1,23 @@
-From 6ede8baac88aba769030f5bc5f5b2070098c7428 Mon Sep 17 00:00:00 2001
+From 8b7f881cf22e98e907506f4c403b9e304e332bf9 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Fri, 19 Dec 2014 14:46:17 +0100
-Subject: [PATCH 05/18] Add some NixOS-specific unit directories
+Subject: [PATCH 05/19] Add some NixOS-specific unit directories
 
-Look in `/nix/var/nix/profiles/default/lib/systemd` for units provided
-by packages installed into the default profile via
-`nix-env -iA nixos.$package`, and into `/etc/systemd-mutable/system` for
-persistent, mutable units (used for Dysnomia).
+Look in `/nix/var/nix/profiles/default/lib/systemd/{system,user}` for
+units provided by packages installed into the default profile via
+`nix-env -iA nixos.$package`.
 
 Also, remove /usr and /lib as these don't exist on NixOS.
 ---
- src/basic/path-lookup.c | 20 +++++---------------
+ src/basic/path-lookup.c | 17 ++---------------
  src/core/systemd.pc.in  |  5 +++--
- 2 files changed, 8 insertions(+), 17 deletions(-)
+ 2 files changed, 5 insertions(+), 17 deletions(-)
 
 diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c
-index 96b82170d0..b9fbed5c61 100644
+index 96b82170d0..bf66bd6b77 100644
 --- a/src/basic/path-lookup.c
 +++ b/src/basic/path-lookup.c
-@@ -94,17 +94,14 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
+@@ -94,11 +94,7 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
  }
  
  static const char* const user_data_unit_paths[] = {
@@ -30,18 +29,10 @@ index 96b82170d0..b9fbed5c61 100644
          NULL
  };
  
- static const char* const user_config_unit_paths[] = {
-         USER_CONFIG_UNIT_DIR,
-         "/etc/systemd/user",
-+        "/etc/systemd-mutable/user",
-         NULL
- };
- 
-@@ -616,15 +613,14 @@ int lookup_paths_init(
+@@ -616,15 +612,13 @@ int lookup_paths_init(
                                          persistent_config,
                                          SYSTEM_CONFIG_UNIT_DIR,
                                          "/etc/systemd/system",
-+                                        "/etc/systemd-mutable/system",
 +                                        "/nix/var/nix/profiles/default/lib/systemd/system",
                                          STRV_IFNOTNULL(persistent_attached),
                                          runtime_config,
@@ -55,11 +46,10 @@ index 96b82170d0..b9fbed5c61 100644
                                          STRV_IFNOTNULL(generator_late));
                          break;
  
-@@ -640,14 +636,12 @@ int lookup_paths_init(
+@@ -640,14 +634,11 @@ int lookup_paths_init(
                                          persistent_config,
                                          USER_CONFIG_UNIT_DIR,
                                          "/etc/systemd/user",
-+                                        "/etc/systemd-mutable/user",
 +                                        "/nix/var/nix/profiles/default/lib/systemd/user",
                                          runtime_config,
                                          "/run/systemd/user",
@@ -72,7 +62,7 @@ index 96b82170d0..b9fbed5c61 100644
                                          STRV_IFNOTNULL(generator_late));
                          break;
  
-@@ -797,7 +791,6 @@ char **generator_binary_paths(UnitFileScope scope) {
+@@ -797,7 +788,6 @@ char **generator_binary_paths(UnitFileScope scope) {
                  case UNIT_FILE_SYSTEM:
                          add = strv_new("/run/systemd/system-generators",
                                         "/etc/systemd/system-generators",
@@ -80,7 +70,7 @@ index 96b82170d0..b9fbed5c61 100644
                                         SYSTEM_GENERATOR_DIR);
                          break;
  
-@@ -805,7 +798,6 @@ char **generator_binary_paths(UnitFileScope scope) {
+@@ -805,7 +795,6 @@ char **generator_binary_paths(UnitFileScope scope) {
                  case UNIT_FILE_USER:
                          add = strv_new("/run/systemd/user-generators",
                                         "/etc/systemd/user-generators",
@@ -88,7 +78,7 @@ index 96b82170d0..b9fbed5c61 100644
                                         USER_GENERATOR_DIR);
                          break;
  
-@@ -844,12 +836,10 @@ char **env_generator_binary_paths(bool is_system) {
+@@ -844,12 +833,10 @@ char **env_generator_binary_paths(bool is_system) {
                  if (is_system)
                          add = strv_new("/run/systemd/system-environment-generators",
                                          "/etc/systemd/system-environment-generators",
@@ -102,7 +92,7 @@ index 96b82170d0..b9fbed5c61 100644
  
                  if (!add)
 diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
-index f2c045511d..ccb382e421 100644
+index b5cc8f94a5..a701cd05f8 100644
 --- a/src/core/systemd.pc.in
 +++ b/src/core/systemd.pc.in
 @@ -38,10 +38,11 @@ systemdsystemconfdir=${systemd_system_conf_dir}
@@ -110,15 +100,15 @@ index f2c045511d..ccb382e421 100644
  systemduserconfdir=${systemd_user_conf_dir}
  
 -systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/run/systemd/system:/usr/local/lib/systemd/system:${systemd_system_unit_dir}:/usr/lib/systemd/system:/lib/systemd/system
-+systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/etc/systemd-mutable/system:/nix/var/nix/profiles/default/lib/systemd/system:/run/systemd/system:${systemdsystemunitdir}
++systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/nix/var/nix/profiles/default/lib/systemd/system:/run/systemd/system:${systemdsystemunitdir}
  systemdsystemunitpath=${systemd_system_unit_path}
  
 -systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/run/systemd/user:/usr/local/lib/systemd/user:/usr/local/share/systemd/user:${systemd_user_unit_dir}:/usr/lib/systemd/user:/usr/share/systemd/user
-+systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/etc/systemd-mutable/user:/nix/var/nix/profiles/default/lib/systemd/user:/run/systemd/user:${systemduserunitdir}
++systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/nix/var/nix/profiles/default/lib/systemd/user:/run/systemd/user:${systemduserunitdir}
 +
  systemduserunitpath=${systemd_user_unit_path}
  
  systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
index 99e68c37c20..bda27ac1762 100644
--- a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
+++ b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
@@ -1,7 +1,7 @@
-From 3aeb3a10c4a7ad387b004bf41efbd171913bcca9 Mon Sep 17 00:00:00 2001
+From 7a6529ee27028860b93bc539e8bbf3f2374d712f Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Mon, 11 May 2015 15:39:38 +0200
-Subject: [PATCH 06/18] Get rid of a useless message in user sessions
+Subject: [PATCH 06/19] Get rid of a useless message in user sessions
 
 Namely lots of variants of
 
@@ -27,5 +27,5 @@ index 45a417a090..8af3cb08d6 100644
          /* A unit we need to run is gone. Sniff. Let's stop this. */
          r = manager_add_job(u->manager, JOB_STOP, u, JOB_FAIL, NULL, &error, NULL);
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
index aeb734f94df..d51e1c0f566 100644
--- a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
+++ b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
@@ -1,7 +1,7 @@
-From a1454e8edb7a1a87093808dc7db540232147df3d Mon Sep 17 00:00:00 2001
+From 5580303956ca7d8eb431d23c2af0030c9cc0e6e9 Mon Sep 17 00:00:00 2001
 From: Gabriel Ebner <gebner@gebner.org>
 Date: Sun, 6 Dec 2015 14:26:36 +0100
-Subject: [PATCH 07/18] hostnamed, localed, timedated: disable methods that
+Subject: [PATCH 07/19] hostnamed, localed, timedated: disable methods that
  change system settings.
 
 ---
@@ -69,7 +69,7 @@ index 736dacdee9..53e0ee935e 100644
          model = empty_to_null(model);
          variant = empty_to_null(variant);
 diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
-index 8bfcfd5cdc..a0ee03f134 100644
+index 76fe04900d..e87c4c8919 100644
 --- a/src/timedate/timedated.c
 +++ b/src/timedate/timedated.c
 @@ -646,6 +646,10 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
@@ -90,10 +90,10 @@ index 8bfcfd5cdc..a0ee03f134 100644
 +        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
 +            "Changing system settings via systemd is not supported on NixOS.");
 +
-         if (lrtc == c->local_rtc)
+         if (lrtc == c->local_rtc && !fix_system)
                  return sd_bus_reply_method_return(m, NULL);
  
-@@ -905,6 +912,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
+@@ -907,6 +914,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
          if (r < 0)
                  return r;
  
@@ -104,5 +104,5 @@ index 8bfcfd5cdc..a0ee03f134 100644
          if (r < 0)
                  return r;
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
index 0da52477bb3..2b1c02b233c 100644
--- a/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
+++ b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
@@ -1,7 +1,7 @@
-From 27680c555713e36d16198fc5f60b0f85e0777d30 Mon Sep 17 00:00:00 2001
+From 874698425f6d68fc0d662cb17c7c29e0af3e8c25 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Thu, 7 Jul 2016 02:47:13 +0300
-Subject: [PATCH 08/18] Fix hwdb paths
+Subject: [PATCH 08/19] Fix hwdb paths
 
 Patch by vcunat.
 ---
@@ -28,5 +28,5 @@ index cb3c77ce96..7b8c80071f 100644
  _public_ int sd_hwdb_new(sd_hwdb **ret) {
          _cleanup_(sd_hwdb_unrefp) sd_hwdb *hwdb = NULL;
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
index 2b05cea435c..a1e8ec963c7 100644
--- a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
+++ b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
@@ -1,7 +1,7 @@
-From b423ce2560bd380abd80796a890454d95cd8926c Mon Sep 17 00:00:00 2001
+From 367d0dad3d1853048569e315931cb8a27e16a098 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Tue, 11 Oct 2016 13:12:08 +0300
-Subject: [PATCH 09/18] Change /usr/share/zoneinfo to /etc/zoneinfo
+Subject: [PATCH 09/19] Change /usr/share/zoneinfo to /etc/zoneinfo
 
 NixOS uses this path.
 ---
@@ -13,7 +13,7 @@ NixOS uses this path.
  5 files changed, 12 insertions(+), 12 deletions(-)
 
 diff --git a/man/localtime.xml b/man/localtime.xml
-index 73c1b8e5a3..4ab4276283 100644
+index e486474c44..5f373d0723 100644
 --- a/man/localtime.xml
 +++ b/man/localtime.xml
 @@ -20,7 +20,7 @@
@@ -79,7 +79,7 @@ index 742b43f9fc..f2cb121816 100644
          (void) mkdir_parents(etc_localtime, 0755);
          if (symlink(e, etc_localtime) < 0)
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index f790853104..74b51f4d28 100644
+index 14f8a82eb8..8632dadec6 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
 @@ -1810,8 +1810,8 @@ static int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t u
@@ -94,7 +94,7 @@ index f790853104..74b51f4d28 100644
  
  static bool etc_writable(void) {
 diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
-index a0ee03f134..9ecacad25e 100644
+index e87c4c8919..964a40ba81 100644
 --- a/src/timedate/timedated.c
 +++ b/src/timedate/timedated.c
 @@ -269,7 +269,7 @@ static int context_read_data(Context *c) {
@@ -128,5 +128,5 @@ index a0ee03f134..9ecacad25e 100644
                          return -ENOMEM;
  
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
index 1d17bc4cf77..334156495fc 100644
--- a/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
+++ b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
@@ -1,7 +1,7 @@
-From aff592e0bf9a911e7f44ce07b66517c38456b627 Mon Sep 17 00:00:00 2001
+From bf285fe7e12bd22f95c14bcefbb5008888c32bfa Mon Sep 17 00:00:00 2001
 From: Imuli <i@imu.li>
 Date: Wed, 19 Oct 2016 08:46:47 -0400
-Subject: [PATCH 10/18] localectl: use /etc/X11/xkb for list-x11-*
+Subject: [PATCH 10/19] localectl: use /etc/X11/xkb for list-x11-*
 
 NixOS has an option to link the xkb data files to /etc/X11, but not to
 /usr/share/X11.
@@ -23,5 +23,5 @@ index 7d2e887660..91c5139eed 100644
                  return log_error_errno(errno, "Failed to open keyboard mapping list. %m");
  
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
index 8c185c52a27..902018ee4b9 100644
--- a/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
+++ b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
@@ -1,17 +1,17 @@
-From d410a7a6d1bb0fe730c3ef690676232bfaa49f85 Mon Sep 17 00:00:00 2001
+From 293b19c5fdbda1b4ee579a7e8ba12f024a6f34c9 Mon Sep 17 00:00:00 2001
 From: Franz Pletz <fpletz@fnordicwalking.de>
 Date: Sun, 11 Feb 2018 04:37:44 +0100
-Subject: [PATCH 11/18] build: don't create statedir and don't touch prefixdir
+Subject: [PATCH 11/19] build: don't create statedir and don't touch prefixdir
 
 ---
  meson.build | 3 ---
  1 file changed, 3 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index f406d595e6..f05f579816 100644
+index 580964c3fa..f99d4f3ab5 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -3517,9 +3517,6 @@ install_data('LICENSE.GPL2',
+@@ -3518,9 +3518,6 @@ install_data('LICENSE.GPL2',
               'src/libsystemd/sd-bus/GVARIANT-SERIALIZATION',
               install_dir : docdir)
  
@@ -22,5 +22,5 @@ index f406d595e6..f05f579816 100644
  
  check_help = find_program('tools/check-help.sh')
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch b/pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch
index 00d085d8a70..05fce10e856 100644
--- a/pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch
+++ b/pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch
@@ -1,7 +1,7 @@
-From a569dc0bdb43edb79e338c897f06de2dfa81cfc7 Mon Sep 17 00:00:00 2001
+From 63777e7f690b67952bf4571f8e09e5d8e769d3c0 Mon Sep 17 00:00:00 2001
 From: Andreas Rammhold <andreas@rammhold.de>
 Date: Fri, 2 Nov 2018 21:15:42 +0100
-Subject: [PATCH 12/18] inherit systemd environment when calling generators.
+Subject: [PATCH 12/19] inherit systemd environment when calling generators.
 
 Systemd generators need access to the environment configured in
 stage-2-init.sh since it schedules fsck and mkfs executions based on
@@ -16,10 +16,10 @@ executables that are being called from managers.
  1 file changed, 8 insertions(+), 3 deletions(-)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 1f1450b97c..26b9e41d78 100644
+index 6858950107..07a599ede7 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -4111,9 +4111,14 @@ static int manager_run_generators(Manager *m) {
+@@ -4142,9 +4142,14 @@ static int manager_run_generators(Manager *m) {
          argv[4] = NULL;
  
          RUN_WITH_UMASK(0022)
@@ -38,5 +38,5 @@ index 1f1450b97c..26b9e41d78 100644
  
  finish:
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch b/pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch
index 51fc4cc30d7..b9bab2d387e 100644
--- a/pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch
+++ b/pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch
@@ -1,7 +1,7 @@
-From d36d688e32b8f2368499af091c67a7825fadf5ad Mon Sep 17 00:00:00 2001
+From 561dc3b864d96753b5dc448e6e1a80460d5f0bc4 Mon Sep 17 00:00:00 2001
 From: Andreas Rammhold <andreas@rammhold.de>
 Date: Thu, 9 May 2019 11:15:22 +0200
-Subject: [PATCH 13/18] add rootprefix to lookup dir paths
+Subject: [PATCH 13/19] add rootprefix to lookup dir paths
 
 systemd does not longer use the UDEVLIBEXEC directory as root for
 discovery default udev rules. By adding `$out/lib` to the lookup paths
@@ -34,5 +34,5 @@ index 2e60abb4f1..732ec51d36 100644
  #define CONF_PATHS(n)                           \
          CONF_PATHS_USR(n)                       \
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch b/pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
index 57499d1feec..c737b61e749 100644
--- a/pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+++ b/pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
@@ -1,7 +1,7 @@
-From c02b7eb62e46145ec5b544ebd9338c29b9b8f32c Mon Sep 17 00:00:00 2001
+From 8f619304804b02f4e9d7a340ca90359f96adc6e8 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Thu, 25 Jul 2019 20:45:55 +0300
-Subject: [PATCH 14/18] systemd-shutdown: execute scripts in
+Subject: [PATCH 14/19] systemd-shutdown: execute scripts in
  /etc/systemd/system-shutdown
 
 This is needed for NixOS to use such scripts as systemd directory is immutable.
@@ -23,5 +23,5 @@ index 0d07865542..26d974ef73 100644
          /* The log target defaults to console, but the original systemd process will pass its log target in through a
           * command line argument, which will override this default. Also, ensure we'll never log to the journal or
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch b/pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
index fa72b66911a..3059216f7c5 100644
--- a/pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+++ b/pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
@@ -1,7 +1,7 @@
-From f01b73709d68d4581ad561fbb20c59f895132a99 Mon Sep 17 00:00:00 2001
+From 577b11afe38fc185d785ca8f125f518a4eb21a00 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Thu, 25 Jul 2019 20:46:58 +0300
-Subject: [PATCH 15/18] systemd-sleep: execute scripts in
+Subject: [PATCH 15/19] systemd-sleep: execute scripts in
  /etc/systemd/system-sleep
 
 This is needed for NixOS to use such scripts as systemd directory is immutable.
@@ -22,5 +22,5 @@ index 39ab554290..880ac7ccb0 100644
          };
  
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch b/pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
index 887864baec3..ad19d910e1e 100644
--- a/pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
+++ b/pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
@@ -1,7 +1,7 @@
-From 3db343c08a09a0009da049f37e3f981519eac62f Mon Sep 17 00:00:00 2001
+From ba19f629c1806ca2d2ab58154e45bce4ae4a3f0c Mon Sep 17 00:00:00 2001
 From: Florian Klink <flokli@flokli.de>
 Date: Sat, 7 Mar 2020 22:40:27 +0100
-Subject: [PATCH 16/18] kmod-static-nodes.service: Update ConditionFileNotEmpty
+Subject: [PATCH 16/19] kmod-static-nodes.service: Update ConditionFileNotEmpty
 
 On NixOS, kernel modules of the currently booted systems are located at
 /run/booted-system/kernel-modules/lib/modules/%v/, not /lib/modules/%v/.
@@ -23,5 +23,5 @@ index f4170d6a99..9a6a591bea 100644
  [Service]
  Type=oneshot
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch b/pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
index ad92291c258..585a0aa112e 100644
--- a/pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+++ b/pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
@@ -1,7 +1,7 @@
-From 6f0e9a60dcd2160bcab01366bd521630f6f5dc76 Mon Sep 17 00:00:00 2001
+From c639f311bd27c2bff62a22c34bc92613aaf77587 Mon Sep 17 00:00:00 2001
 From: Florian Klink <flokli@flokli.de>
 Date: Sun, 8 Mar 2020 01:05:54 +0100
-Subject: [PATCH 17/18] path-util.h: add placeholder for DEFAULT_PATH_NORMAL
+Subject: [PATCH 17/19] path-util.h: add placeholder for DEFAULT_PATH_NORMAL
 
 This will be the $PATH used to lookup ExecStart= etc. options, which
 systemd itself uses extensively.
@@ -29,5 +29,5 @@ index d613709f0b..5cced4c115 100644
  #if HAVE_SPLIT_USR
  #  define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch b/pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch
index 52a749a16b6..f634e74e663 100644
--- a/pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch
+++ b/pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch
@@ -1,7 +1,7 @@
-From 120b53a3279ba098ee8e5a346b39cb2b7ef4a106 Mon Sep 17 00:00:00 2001
+From ebb37f81c28aaa80acd9187a7d77dcb3cb3828db Mon Sep 17 00:00:00 2001
 From: Thomas Tuegel <ttuegel@mailbox.org>
 Date: Mon, 26 Oct 2020 21:21:38 +0100
-Subject: [PATCH 18/18] logind-seat-debus: show CanMultiSession again
+Subject: [PATCH 18/19] logind-seat-debus: show CanMultiSession again
 
 Fixes the "switch user" function in Plasma < 5.20.
 ---
@@ -22,5 +22,5 @@ index a60ed2d3c2..69b6271075 100644
          SD_BUS_PROPERTY("CanGraphical", "b", property_get_can_graphical, 0, SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
          SD_BUS_PROPERTY("Sessions", "a(so)", property_get_sessions, 0, 0),
 -- 
-2.29.2
+2.30.1
 
diff --git a/pkgs/os-specific/linux/systemd/0019-Revert-pkg-config-prefix-is-not-really-configurable-.patch b/pkgs/os-specific/linux/systemd/0019-Revert-pkg-config-prefix-is-not-really-configurable-.patch
deleted file mode 100644
index 11e61959328..00000000000
--- a/pkgs/os-specific/linux/systemd/0019-Revert-pkg-config-prefix-is-not-really-configurable-.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From cd5b1075499b8498d9c700a317ad11a3199c447a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
-Date: Sun, 6 Dec 2020 08:34:19 +0100
-Subject: [PATCH 19/19] Revert "pkg-config: prefix is not really configurable,
- don't pretend it was"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit 6e65df89c348242dbd10036abc7dd5e8181cf733.
-
-Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
----
- src/core/systemd.pc.in | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
-index ccb382e421..8a35e53a4a 100644
---- a/src/core/systemd.pc.in
-+++ b/src/core/systemd.pc.in
-@@ -11,7 +11,7 @@
- # considered deprecated (though there is no plan to remove them). New names
- # shall have underscores.
- 
--prefix=/usr
-+prefix=@prefix@
- root_prefix=@rootprefix_noslash@
- rootprefix=${root_prefix}
- sysconf_dir=@sysconfdir@
-@@ -26,10 +26,10 @@ systemdsystemunitdir=${systemd_system_unit_dir}
- systemd_system_preset_dir=${rootprefix}/lib/systemd/system-preset
- systemdsystempresetdir=${systemd_system_preset_dir}
- 
--systemd_user_unit_dir=/usr/lib/systemd/user
-+systemd_user_unit_dir=${prefix}/lib/systemd/user
- systemduserunitdir=${systemd_user_unit_dir}
- 
--systemd_user_preset_dir=/usr/lib/systemd/user-preset
-+systemd_user_preset_dir=${prefix}/lib/systemd/user-preset
- systemduserpresetdir=${systemd_user_preset_dir}
- 
- systemd_system_conf_dir=${sysconfdir}/systemd/system
-@@ -48,7 +48,7 @@ systemduserunitpath=${systemd_user_unit_path}
- systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
- systemdsystemgeneratordir=${systemd_system_generator_dir}
- 
--systemd_user_generator_dir=/usr/lib/systemd/user-generators
-+systemd_user_generator_dir=${prefix}/lib/systemd/user-generators
- systemdusergeneratordir=${systemd_user_generator_dir}
- 
- systemd_system_generator_path=/run/systemd/system-generators:/etc/systemd/system-generators:/usr/local/lib/systemd/system-generators:${systemd_system_generator_dir}
-@@ -63,7 +63,7 @@ systemdsleepdir=${systemd_sleep_dir}
- systemd_shutdown_dir=${root_prefix}/lib/systemd/system-shutdown
- systemdshutdowndir=${systemd_shutdown_dir}
- 
--tmpfiles_dir=/usr/lib/tmpfiles.d
-+tmpfiles_dir=${prefix}/lib/tmpfiles.d
- tmpfilesdir=${tmpfiles_dir}
- 
- sysusers_dir=${rootprefix}/lib/sysusers.d
-@@ -78,7 +78,7 @@ binfmtdir=${binfmt_dir}
- modules_load_dir=${rootprefix}/lib/modules-load.d
- modulesloaddir=${modules_load_dir}
- 
--catalog_dir=/usr/lib/systemd/catalog
-+catalog_dir=${prefix}/lib/systemd/catalog
- catalogdir=${catalog_dir}
- 
- system_uid_max=@SYSTEM_UID_MAX@
--- 
-2.29.2
-
diff --git a/pkgs/os-specific/linux/systemd/0019-pkg-config-derive-prefix-from-prefix.patch b/pkgs/os-specific/linux/systemd/0019-pkg-config-derive-prefix-from-prefix.patch
new file mode 100644
index 00000000000..2d93cdef9a3
--- /dev/null
+++ b/pkgs/os-specific/linux/systemd/0019-pkg-config-derive-prefix-from-prefix.patch
@@ -0,0 +1,33 @@
+From 5439a516995f9fd57fc91c2cdd016bb18f31aadf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Sun, 6 Dec 2020 08:34:19 +0100
+Subject: [PATCH 19/19] pkg-config: derive prefix from --prefix
+
+Point prefix to the one configured, instead of `/usr` `systemd` has limited
+support for making the pkgconfig prefix overridable, and interpolates those
+values later down.
+
+So we only need to patch this one value to get the correct paths.
+See systemd/systemd@bc4e6e27922a2873985ab9367d79fb099f70b505 for details.
+
+Co-Authored-By: Florian Klink <flokli@flokli.de>
+---
+ src/core/systemd.pc.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
+index a701cd05f8..85d6911bdf 100644
+--- a/src/core/systemd.pc.in
++++ b/src/core/systemd.pc.in
+@@ -11,7 +11,7 @@
+ # considered deprecated (though there is no plan to remove them). New names
+ # shall have underscores.
+ 
+-prefix=/usr
++prefix=@prefix@
+ root_prefix=@rootprefix_noslash@
+ rootprefix=${root_prefix}
+ sysconf_dir=@sysconfdir@
+-- 
+2.30.1
+
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 421fc5986af..a33bb3c1a1d 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -1,3 +1,5 @@
+# NOTE: Make sure to (re-)format this file on changes with `nixpkgs-fmt`!
+
 { stdenv
 , lib
 , fetchFromGitHub
@@ -49,9 +51,9 @@
 , iptables
 , withSelinux ? false
 , libselinux
-, withLibseccomp ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) libseccomp.meta.platforms
+, withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp
 , libseccomp
-, withKexectools ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) kexectools.meta.platforms
+, withKexectools ? lib.meta.availableOn stdenv.hostPlatform kexectools
 , kexectools
 , bashInteractive
 , libmicrohttpd
@@ -111,7 +113,7 @@ assert withCryptsetup ->
 let
   wantCurl = withRemote || withImportd;
 
-  version = "247.2";
+  version = "247.6";
 in
 stdenv.mkDerivation {
   inherit version pname;
@@ -122,12 +124,12 @@ stdenv.mkDerivation {
     owner = "systemd";
     repo = "systemd-stable";
     rev = "v${version}";
-    sha256 = "091pwrvxz3gcf80shlp28d6l4gvjzc6pb61v4mwxmk9d71qaq7ry";
+    sha256 = "sha256-7XYEq3Qw25suwjbtPzx9lVPHUu9ZY/1bADXl2wQbkJc=";
   };
 
   # If these need to be regenerated, `git am path/to/00*.patch` them into a
   # systemd worktree, rebase to the more recent systemd version, and export the
-  # patches again via `git format-patch v${version}`.
+  # patches again via `git -c format.signoff=false format-patch v${version}`.
   # Use `find . -name "*.patch" | sort` to get an up-to-date listing of all patches
   patches = [
     ./0001-Start-device-units-for-uninitialised-encrypted-devic.patch
@@ -148,7 +150,20 @@ stdenv.mkDerivation {
     ./0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
     ./0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
     ./0018-logind-seat-debus-show-CanMultiSession-again.patch
-    ./0019-Revert-pkg-config-prefix-is-not-really-configurable-.patch
+    ./0019-pkg-config-derive-prefix-from-prefix.patch
+
+    # Fix -Werror=format.
+    (fetchpatch {
+      url = "https://github.com/systemd/systemd/commit/ab1aa6368a883bce88e3162fee2bea14aacedf23.patch";
+      sha256 = "1b280l5jrjsg8qhsang199mpqjhkpix4c8bm3blknjnq9iv43add";
+    })
+
+    # Fix CVE-2021-33910, disclosed 2021-07-20
+    (fetchpatch {
+      name = "CVE-2021-33910.patch";
+      url = "https://github.com/systemd/systemd/commit/441e0115646d54f080e5c3bb0ba477c892861ab9.patch";
+      sha256 = "1g1lk95igaadg67kah9bpi4zsc01rg398sd1247ghjsvl5hxn4v4";
+    })
   ];
 
   postPatch = ''
@@ -160,83 +175,87 @@ stdenv.mkDerivation {
       --replace \
       "find_program('objcopy'" \
       "find_program('${stdenv.cc.bintools.targetPrefix}objcopy'"
-  '' + (let
-
-    # The folllowing dlopen patches ensure that all the features that are
-    # implemented via dlopen(3) are available (or explicitly deactivated) by
-    # pointing dlopen to the absolute store path instead of relying on the
-    # linkers runtime lookup code.
-    #
-    # All of the dlopen calls have to be handled. When new ones are introduced
-    # by upstream (or one of our patches) they must be explicitly declared,
-    # otherwise the build will fail.
-    #
-    # As of systemd version 247 we've seen a few errors like `libpcre2.… not
-    # found` when using e.g. --grep with journalctl. Those errors should
-    # become less unexpected now.
-    #
-    # There are generally two classes of dlopen(3) calls. Those that we want to
-    # support and those that should be deactivated / unsupported. This change
-    # enforces that we handle all dlopen calls explicitly. Meaning: There is
-    # not a single dlopen call in the source code tree that we did not
-    # explicitly handle.
-    #
-    # In order to do this we introduced a list of attributes that maps from
-    # shared object name to the package that contains them. The package can be
-    # null meaning the reference should be nuked and the shared object will
-    # never be loadable during runtime (because it points at an invalid store
-    # path location).
-    #
-    # To get a list of dynamically loaded libraries issue something like
-    # `grep -ri 'dlopen("lib' $src` and update the below list.
-    dlopenLibs = [
-      # We did never provide support for libxkbcommon & qrencode
-      { name = "libxkbcommon.so.0"; pkg = null; }
-      { name = "libqrencode.so.4"; pkg = null; }
-
-      # We did not provide libpwquality before so it is safe to disable it for
-      # now.
-      { name = "libpwquality.so.1"; pkg = null; }
-
-      # Only include cryptsetup if it is enabled. We might not be able to
-      # provide it during "bootstrap" in e.g. the minimal systemd build as
-      # cryptsetup has udev (aka systemd) in it's dependencies.
-      { name = "libcryptsetup.so.12"; pkg = if withCryptsetup then cryptsetup else null; }
-
-      # We are using libidn2 so we only provide that and ignore the others.
-      # Systemd does this decision during configure time and uses ifdef's to
-      # enable specific branches. We can safely ignore (nuke) the libidn "v1"
-      # libraries.
-      { name = "libidn2.so.0"; pkg = libidn2; }
-      { name = "libidn.so.12"; pkg = null; }
-      { name = "libidn.so.11"; pkg = null; }
-
-      # journalctl --grep requires libpcre so lets provide it
-      { name = "libpcre2-8.so.0"; pkg = pcre2; }
-    ];
-
-    patchDlOpen = dl: let
-      library = "${lib.makeLibraryPath [dl.pkg]}/${dl.name}";
-    in if dl.pkg == null then ''
-      # remove the dependency on the library by replacing it with an invalid path
-      for file in $(grep -lr 'dlopen("${dl.name}"' src); do
-        echo "patching dlopen(\"${dl.name}\", …) in $file to an invalid store path ("/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}")…"
-        substituteInPlace "$file" --replace 'dlopen("${dl.name}"' 'dlopen("/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}"'
-      done
-    '' else ''
-      # ensure that the library we provide actually exists
-      if ! [ -e ${library} ]; then
-        echo 'The shared library `${library}` does not exist but was given as subtitute for `${dl.name}`'
-        exit 1
-      fi
-      # make the path to the dependency explicit
-      for file in $(grep -lr 'dlopen("${dl.name}"' src); do
-        echo "patching dlopen(\"${dl.name}\", …) in $file to ${library}…"
-        substituteInPlace "$file" --replace 'dlopen("${dl.name}"' 'dlopen("${library}"'
-      done
-    '';
-  in # patch all the dlopen calls to contain absolute paths to the libraries
-  lib.concatMapStringsSep "\n" patchDlOpen dlopenLibs)
+  '' + (
+    let
+      # The folllowing dlopen patches ensure that all the features that are
+      # implemented via dlopen(3) are available (or explicitly deactivated) by
+      # pointing dlopen to the absolute store path instead of relying on the
+      # linkers runtime lookup code.
+      #
+      # All of the dlopen calls have to be handled. When new ones are introduced
+      # by upstream (or one of our patches) they must be explicitly declared,
+      # otherwise the build will fail.
+      #
+      # As of systemd version 247 we've seen a few errors like `libpcre2.… not
+      # found` when using e.g. --grep with journalctl. Those errors should
+      # become less unexpected now.
+      #
+      # There are generally two classes of dlopen(3) calls. Those that we want to
+      # support and those that should be deactivated / unsupported. This change
+      # enforces that we handle all dlopen calls explicitly. Meaning: There is
+      # not a single dlopen call in the source code tree that we did not
+      # explicitly handle.
+      #
+      # In order to do this we introduced a list of attributes that maps from
+      # shared object name to the package that contains them. The package can be
+      # null meaning the reference should be nuked and the shared object will
+      # never be loadable during runtime (because it points at an invalid store
+      # path location).
+      #
+      # To get a list of dynamically loaded libraries issue something like
+      # `grep -ri 'dlopen("lib' $src` and update the below list.
+      dlopenLibs = [
+        # We did never provide support for libxkbcommon & qrencode
+        { name = "libxkbcommon.so.0"; pkg = null; }
+        { name = "libqrencode.so.4"; pkg = null; }
+
+        # We did not provide libpwquality before so it is safe to disable it for
+        # now.
+        { name = "libpwquality.so.1"; pkg = null; }
+
+        # Only include cryptsetup if it is enabled. We might not be able to
+        # provide it during "bootstrap" in e.g. the minimal systemd build as
+        # cryptsetup has udev (aka systemd) in it's dependencies.
+        { name = "libcryptsetup.so.12"; pkg = if withCryptsetup then cryptsetup else null; }
+
+        # We are using libidn2 so we only provide that and ignore the others.
+        # Systemd does this decision during configure time and uses ifdef's to
+        # enable specific branches. We can safely ignore (nuke) the libidn "v1"
+        # libraries.
+        { name = "libidn2.so.0"; pkg = libidn2; }
+        { name = "libidn.so.12"; pkg = null; }
+        { name = "libidn.so.11"; pkg = null; }
+
+        # journalctl --grep requires libpcre so lets provide it
+        { name = "libpcre2-8.so.0"; pkg = pcre2; }
+      ];
+
+      patchDlOpen = dl:
+        let
+          library = "${lib.makeLibraryPath [ dl.pkg ]}/${dl.name}";
+        in
+        if dl.pkg == null then ''
+          # remove the dependency on the library by replacing it with an invalid path
+          for file in $(grep -lr 'dlopen("${dl.name}"' src); do
+            echo "patching dlopen(\"${dl.name}\", …) in $file to an invalid store path ("/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}")…"
+            substituteInPlace "$file" --replace 'dlopen("${dl.name}"' 'dlopen("/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-not-implemented/${dl.name}"'
+          done
+        '' else ''
+          # ensure that the library we provide actually exists
+          if ! [ -e ${library} ]; then
+            echo 'The shared library `${library}` does not exist but was given as subtitute for `${dl.name}`'
+            exit 1
+          fi
+          # make the path to the dependency explicit
+          for file in $(grep -lr 'dlopen("${dl.name}"' src); do
+            echo "patching dlopen(\"${dl.name}\", …) in $file to ${library}…"
+            substituteInPlace "$file" --replace 'dlopen("${dl.name}"' 'dlopen("${library}"'
+          done
+        '';
+    in
+    # patch all the dlopen calls to contain absolute paths to the libraries
+    lib.concatMapStringsSep "\n" patchDlOpen dlopenLibs
+  )
   # finally ensure that there are no left-over dlopen calls that we didn't handle
   + ''
     if grep -qr 'dlopen("[^/]' src; then
@@ -409,6 +428,7 @@ stdenv.mkDerivation {
       src/shared/generator.c \
       src/shutdown/shutdown.c \
       units/emergency.service.in \
+      units/modprobe@.service \
       units/rescue.service.in \
       units/systemd-logind.service.in \
       units/systemd-nspawn@.service.in; \
@@ -501,8 +521,6 @@ stdenv.mkDerivation {
     rm -rf $out/share/doc
   '';
 
-  enableParallelBuilding = true;
-
   # The interface version prevents NixOS from switching to an
   # incompatible systemd at runtime.  (Switching across reboots is
   # fine, of course.)  It should be increased whenever systemd changes
diff --git a/pkgs/os-specific/linux/targetcli/default.nix b/pkgs/os-specific/linux/targetcli/default.nix
index ba1c063cc05..f08ac284f23 100644
--- a/pkgs/os-specific/linux/targetcli/default.nix
+++ b/pkgs/os-specific/linux/targetcli/default.nix
@@ -1,14 +1,14 @@
-{ lib, stdenv, python3, fetchFromGitHub }:
+{ lib, python3, fetchFromGitHub }:
 
 python3.pkgs.buildPythonApplication rec {
   pname = "targetcli";
-  version = "2.1.53";
+  version = "2.1.54";
 
   src = fetchFromGitHub {
     owner = "open-iscsi";
     repo = "${pname}-fb";
     rev = "v${version}";
-    sha256 = "1qrq7y5hnghzbxgrxgl153n8jlhw31kqjbr93jsvlvhz5b3ci750";
+    sha256 = "1kbbvx0lba96ynr5iwws9jpi319m4rzph4bmcj7yfb37k8mi161v";
   };
 
   propagatedBuildInputs = with python3.pkgs; [ configshell rtslib ];
diff --git a/pkgs/os-specific/linux/teck-udev-rules/default.nix b/pkgs/os-specific/linux/teck-udev-rules/default.nix
new file mode 100644
index 00000000000..eec5eac344e
--- /dev/null
+++ b/pkgs/os-specific/linux/teck-udev-rules/default.nix
@@ -0,0 +1,22 @@
+{ lib, stdenv, teck-programmer }:
+
+stdenv.mkDerivation {
+  pname = "teck-udev-rules";
+  version = lib.getVersion teck-programmer;
+
+  inherit (teck-programmer) src;
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    install 40-teck.rules -D -t $out/etc/udev/rules.d/
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "udev rules for TECK keyboards";
+    inherit (teck-programmer.meta) license;
+    maintainers = [ lib.maintainers.lourkeur ];
+  };
+}
diff --git a/pkgs/os-specific/linux/tiscamera/default.nix b/pkgs/os-specific/linux/tiscamera/default.nix
index f9196fc1686..38bc7c3eaff 100644
--- a/pkgs/os-specific/linux/tiscamera/default.nix
+++ b/pkgs/os-specific/linux/tiscamera/default.nix
@@ -14,24 +14,27 @@
 , libunwind
 , elfutils
 , orc
-, python3
+, python3Packages
 , libuuid
+, wrapGAppsHook
 }:
 
 stdenv.mkDerivation rec {
   pname = "tiscamera";
-  version = "0.11.1";
+  version = "0.13.1";
 
   src = fetchFromGitHub {
     owner = "TheImagingSource";
     repo = pname;
     rev = "v-${pname}-${version}";
-    sha256 = "07vp6khgl6qd3a4519dmx1s5bfw7pld793p50pjn29fqh91fm93g";
+    sha256 = "0hpy9yhc4mn6w8gvzwif703smmcys0j2jqbz2xfghqxcyb0ykplj";
   };
 
   nativeBuildInputs = [
     cmake
     pkg-config
+    python3Packages.wrapPython
+    wrapGAppsHook
   ];
 
   buildInputs = [
@@ -47,33 +50,43 @@ stdenv.mkDerivation rec {
     libunwind
     elfutils
     orc
-    python3
     libuuid
+    python3Packages.python
+    python3Packages.pyqt5
   ];
 
+  pythonPath = with python3Packages; [ pyqt5 pygobject3 ];
+
+  propagatedBuildInputs = pythonPath;
+
   cmakeFlags = [
     "-DBUILD_ARAVIS=OFF" # For GigE support. Won't need it as our camera is usb.
     "-DBUILD_GST_1_0=ON"
     "-DBUILD_TOOLS=ON"
     "-DBUILD_V4L2=ON"
     "-DBUILD_LIBUSB=ON"
+    "-DBUILD_TESTS=ON"
     "-DTCAM_INSTALL_UDEV=${placeholder "out"}/lib/udev/rules.d"
     "-DTCAM_INSTALL_UVCDYNCTRL=${placeholder "out"}/share/uvcdynctrl/data/199e"
     "-DTCAM_INSTALL_GST_1_0=${placeholder "out"}/lib/gstreamer-1.0"
     "-DTCAM_INSTALL_GIR=${placeholder "out"}/share/gir-1.0"
     "-DTCAM_INSTALL_TYPELIB=${placeholder "out"}/lib/girepository-1.0"
     "-DTCAM_INSTALL_SYSTEMD=${placeholder "out"}/etc/systemd/system"
+    "-DTCAM_INSTALL_PYTHON3_MODULES=${placeholder "out"}/lib/${python3Packages.python.libPrefix}/site-packages"
+    "-DGSTREAMER_1.0_INCLUDEDIR=${placeholder "out"}/include/gstreamer-1.0"
     # There are gobject introspection commands launched as part of the build. Those have a runtime
     # dependency on `libtcam` (which itself is built as part of this build). In order to allow
     # that, we set the dynamic linker's path to point on the build time location of the library.
     "-DCMAKE_SKIP_BUILD_RPATH=OFF"
   ];
 
-  postPatch = ''
-    substituteInPlace ./src/BackendLoader.cpp \
-      --replace '"libtcam-v4l2.so"' "\"$out/lib/tcam-0/libtcam-v4l2.so\"" \
-      --replace '"libtcam-aravis.so"' "\"$out/lib/tcam-0/libtcam-aravis.so\"" \
-      --replace '"libtcam-libusb.so"' "\"$out/lib/tcam-0/libtcam-libusb.so\""
+  doCheck = true;
+
+  # gstreamer tests requires, besides gst-plugins-bad, plugins installed by this expression.
+  checkPhase = "ctest --force-new-ctest-process -E gstreamer";
+
+  postFixup = ''
+    wrapPythonPrograms "$out $pythonPath"
   '';
 
   meta = with lib; {
diff --git a/pkgs/os-specific/linux/trace-cmd/default.nix b/pkgs/os-specific/linux/trace-cmd/default.nix
index 27dbc6f583a..0a7860c0238 100644
--- a/pkgs/os-specific/linux/trace-cmd/default.nix
+++ b/pkgs/os-specific/linux/trace-cmd/default.nix
@@ -1,9 +1,13 @@
 { lib, stdenv, fetchgit, asciidoc, docbook_xsl, libxslt }:
-stdenv.mkDerivation {
+stdenv.mkDerivation rec {
   pname = "trace-cmd";
-  version = "2.9-dev";
+  version = "2.9.1";
 
-  src = fetchgit (import ./src.nix);
+  src = fetchgit {
+    url    = "git://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/";
+    rev    = "trace-cmd-v${version}";
+    sha256 = "19c63a0qmcppm1456qf4k6a0d1agcvpa6jnbzrdcyc520yax6khw";
+  };
 
   patches = [ ./fix-Makefiles.patch ];
 
diff --git a/pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch b/pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch
index db194e16fdb..1e783999af6 100644
--- a/pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch
+++ b/pkgs/os-specific/linux/trace-cmd/fix-Makefiles.patch
@@ -1,30 +1,30 @@
 diff --git a/Makefile b/Makefile
-index bbdf15e..deb8ef7 100644
+index b034042..b8a06bc 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -288,7 +288,7 @@ libtraceevent.a: $(LIBTRACEEVENT_STATIC)
- libtracecmd.a: $(LIBTRACECMD_STATIC)
- libtracecmd.so: $(LIBTRACECMD_SHARED)
+@@ -338,6 +338,7 @@ libtracefs.a: $(LIBTRACEFS_STATIC)
+ libtracefs.so: $(LIBTRACEFS_SHARED)
  
--libs: $(LIBTRACECMD_SHARED) $(LIBTRACEEVENT_SHARED)
-+libs: $(LIBTRACECMD_SHARED) $(LIBTRACEEVENT_SHARED) $(LIBTRACECMD_STATIC) $(LIBTRACEEVENT_STATIC)
+ libs: $(LIBTRACECMD_SHARED) $(LIBTRACEEVENT_SHARED) $(LIBTRACEFS_SHARED)
++libs: $(LIBTRACECMD_STATIC) $(LIBTRACEEVENT_STATIC) $(LIBTRACEFS_STATIC)
  
- plugins: force $(obj)/lib/traceevent/plugins/traceevent_plugin_dir $(obj)/lib/traceevent/plugins/trace_python_dir
- 	$(Q)$(MAKE) -C $(src)/lib/traceevent/plugins
-@@ -344,6 +344,8 @@ install_gui: install_cmd gui
- install_libs: libs
+ test: force $(LIBTRACEEVENT_STATIC) $(LIBTRACEFS_STATIC) $(LIBTRACECMD_STATIC)
+ ifneq ($(CUNIT_INSTALLED),1)
+@@ -414,6 +415,9 @@ install_libs: libs
  	$(Q)$(call do_install,$(LIBTRACECMD_SHARED),$(libdir_SQ)/trace-cmd)
  	$(Q)$(call do_install,$(LIBTRACEEVENT_SHARED),$(libdir_SQ)/traceevent)
+ 	$(Q)$(call do_install,$(LIBTRACEFS_SHARED),$(libdir_SQ)/tracefs)
 +	$(Q)$(call do_install,$(LIBTRACECMD_STATIC),$(libdir_SQ)/trace-cmd)
 +	$(Q)$(call do_install,$(LIBTRACEEVENT_STATIC),$(libdir_SQ)/traceevent)
++	$(Q)$(call do_install,$(LIBTRACEFS_STATIC),$(libdir_SQ)/tracefs)
  	$(Q)$(call do_install,$(src)/include/traceevent/event-parse.h,$(includedir_SQ)/traceevent)
  	$(Q)$(call do_install,$(src)/include/traceevent/trace-seq.h,$(includedir_SQ)/traceevent)
  	$(Q)$(call do_install,$(src)/include/trace-cmd/trace-cmd.h,$(includedir_SQ)/trace-cmd)
 diff --git a/kernel-shark/src/CMakeLists.txt b/kernel-shark/src/CMakeLists.txt
-index e20a030..7fce165 100644
+index 457c100..687e150 100644
 --- a/kernel-shark/src/CMakeLists.txt
 +++ b/kernel-shark/src/CMakeLists.txt
-@@ -93,7 +93,7 @@ if (Qt5Widgets_FOUND AND Qt5Network_FOUND)
+@@ -92,7 +92,7 @@ if (Qt5Widgets_FOUND AND Qt5Network_FOUND)
              DESTINATION ${_INSTALL_PREFIX}/share/icons/${KS_APP_NAME})
  
      install(FILES "${KS_DIR}/org.freedesktop.kshark-record.policy"
diff --git a/pkgs/os-specific/linux/trace-cmd/kernelshark.nix b/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
index 4db4d64bc93..45d984c7863 100644
--- a/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
+++ b/pkgs/os-specific/linux/trace-cmd/kernelshark.nix
@@ -1,9 +1,13 @@
-{ lib, stdenv, mkDerivation, fetchgit, qtbase, cmake, asciidoc, docbook_xsl, json_c, mesa_glu, freeglut, trace-cmd, pkg-config }:
-mkDerivation {
+{ lib, mkDerivation, fetchgit, qtbase, cmake, asciidoc, docbook_xsl, json_c, mesa_glu, freeglut, trace-cmd, pkg-config }:
+mkDerivation rec {
   pname = "kernelshark";
-  version = "1.1.0";
+  version = "1.2";
 
-  src = fetchgit (import ./src.nix);
+  src = fetchgit {
+    url    = "git://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/";
+    rev    = "kernelshark-v${version}";
+    sha256 = "0wzzm2imk9n94v96v6sbvbff6j47lz4qj0snhiyv3nj3slg0anvh";
+  };
 
   patches = [ ./fix-Makefiles.patch ];
 
@@ -21,6 +25,7 @@ mkDerivation {
     "-DTRACECMD_INCLUDE_DIR=${trace-cmd.dev}/include"
     "-DTRACECMD_LIBRARY=${trace-cmd.lib}/lib/trace-cmd/libtracecmd.a"
     "-DTRACEEVENT_LIBRARY=${trace-cmd.lib}/lib/traceevent/libtraceevent.a"
+    "-DTRACEFS_LIBRARY=${trace-cmd.lib}/lib/tracefs/libtracefs.a"
   ];
 
   preInstall = ''
diff --git a/pkgs/os-specific/linux/trace-cmd/src.nix b/pkgs/os-specific/linux/trace-cmd/src.nix
deleted file mode 100644
index 47c1b82fdd4..00000000000
--- a/pkgs/os-specific/linux/trace-cmd/src.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  url    = "git://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/";
-  rev    = "ab370b78b9278fe16657742d46cb95c0a65b47d5"; # branch: kernelshark-v1.1
-  sha256 = "0qngwc4qgadrkwlwpz73f12prdkx94kl0bg7g9hib95ipvsdmk1c";
-}
diff --git a/pkgs/os-specific/linux/tuigreet/default.nix b/pkgs/os-specific/linux/tuigreet/default.nix
new file mode 100644
index 00000000000..89dfe85c082
--- /dev/null
+++ b/pkgs/os-specific/linux/tuigreet/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "tuigreet";
+  version = "0.5.0";
+
+  src = fetchFromGitHub {
+    owner = "apognu";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-Ip/GhpHgTgWFyCdujcCni1CLFDDirUbJuzCj8QiUsFc=";
+  };
+
+  cargoSha256 = "sha256-G/E/2wjeSY57bQJgrZYUA1sWUwtk5mRavmLwy1EgHRM=";
+
+  meta = with lib; {
+    description = "Graphical console greter for greetd";
+    homepage = "https://github.com/apognu/tuigreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/tuna/default.nix b/pkgs/os-specific/linux/tuna/default.nix
new file mode 100644
index 00000000000..0e621a24f08
--- /dev/null
+++ b/pkgs/os-specific/linux/tuna/default.nix
@@ -0,0 +1,62 @@
+{ lib
+, buildPythonApplication
+, fetchgit
+, pygobject3
+, pytestCheckHook
+, gdk-pixbuf
+, glib
+, gobject-introspection
+, gtk3
+, python-linux-procfs
+, python-ethtool
+, wrapGAppsHook
+}:
+
+buildPythonApplication rec {
+  pname = "tuna";
+  version = "0.15";
+
+  src = fetchgit {
+    url = "https://git.kernel.org/pub/scm/utils/${pname}/${pname}.git";
+    rev = "v${version}";
+    sha256 = "sha256-lRHlbdCQ0NcjcWgLvCze67kN8NsK0f5RmKfPbkHhk78=";
+  };
+
+  patchPhase = ''
+    mv tuna-cmd.py tuna/cmd.py
+
+    substituteInPlace setup.py \
+      --replace 'packages = ["tuna", "tuna/gui"],' \
+                'packages = ["tuna", "tuna/gui"], entry_points={"console_scripts":["tuna=tuna.cmd:main"]},'
+
+    substituteInPlace tuna/tuna_gui.py \
+      --replace "self.binpath + 'pkexec'" "'/run/wrappers/bin/pkexec'" \
+      --replace 'tuna_glade_dirs = [".", "tuna", "/usr/share/tuna"]' "tuna_glade_dirs = [ \"$out/share/tuna\" ]"
+  '';
+
+  nativeBuildInputs = [
+    glib.dev
+    gobject-introspection
+    gtk3
+    wrapGAppsHook
+  ];
+
+  propagatedBuildInputs = [ pygobject3 python-linux-procfs python-ethtool ];
+
+  postInstall = ''
+    mkdir -p $out/share/tuna
+    cp tuna/tuna_gui.glade $out/share/tuna/
+  '';
+
+  # contains no tests
+  doCheck = false;
+  pythonImportsCheck = [ "tuna" ];
+
+  meta = with lib; {
+    description = "Thread and IRQ affinity setting GUI and cmd line tool";
+    homepage = "https://git.kernel.org/pub/scm/utils/tuna/tuna.git";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ elohmeier ];
+  };
+}
diff --git a/pkgs/os-specific/linux/tuxedo-keyboard/default.nix b/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
index 3187ba6d4db..17f8b3a28c4 100644
--- a/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
+++ b/pkgs/os-specific/linux/tuxedo-keyboard/default.nix
@@ -1,16 +1,18 @@
-{ lib, stdenv, fetchFromGitHub, kernel, kmod }:
+{ lib, stdenv, fetchFromGitHub, kernel, linuxHeaders }:
 
 stdenv.mkDerivation rec {
   pname = "tuxedo-keyboard-${kernel.version}";
-  version = "2019-08-26";
+  version = "3.0.7";
 
   src = fetchFromGitHub {
     owner = "tuxedocomputers";
     repo = "tuxedo-keyboard";
-    rev = "d65e76e84cfd8169591fc2a0a7c9219fa19da1b5";
-    sha256 = "1s48qpwybwh5pwqas2d1v2a7x4r97sm4hr9i4902r1d7h384bv17";
+    rev = "v${version}";
+    sha256 = "sha256-JloLwfJfDdVowx1hOehjxPbnaKBCAMn7SZe09SE03HU=";
   };
 
+  buildInputs = [ linuxHeaders ];
+
   makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
 
   installPhase = ''
@@ -21,8 +23,9 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Full color keyboard driver for tuxedo computers laptops";
     homepage = "https://github.com/tuxedocomputers/tuxedo-keyboard/";
-    license = licenses.gpl2;
+    license = licenses.gpl3Plus;
     platforms = platforms.linux;
+    broken = stdenv.isAarch64;
     maintainers = [ maintainers.blanky0230 ];
   };
 }
diff --git a/pkgs/os-specific/linux/uclibc/default.nix b/pkgs/os-specific/linux/uclibc/default.nix
index 7508e1faf15..8dc0d4613f4 100644
--- a/pkgs/os-specific/linux/uclibc/default.nix
+++ b/pkgs/os-specific/linux/uclibc/default.nix
@@ -48,7 +48,7 @@ let
     UCLIBC_HAS_FPU n
   '';
 
-  version = "1.0.34";
+  version = "1.0.37";
 in
 
 stdenv.mkDerivation {
@@ -58,7 +58,7 @@ stdenv.mkDerivation {
   src = fetchurl {
     url = "https://downloads.uclibc-ng.org/releases/${version}/uClibc-ng-${version}.tar.bz2";
     # from "${url}.sha256";
-    sha256 = "025z0072inw1ibnrlwckslp9iayl9c35ysf0h7jjrxlzslzp4yjg";
+    sha256 = "sha256-wThkkRBA42CskGC8kUlgmxk88Qy2Z8qRfLqD6kP8JY0=";
   };
 
   # 'ftw' needed to build acl, a coreutils dependency
diff --git a/pkgs/os-specific/linux/undervolt/default.nix b/pkgs/os-specific/linux/undervolt/default.nix
index 5f4ffb50c07..cc9fb737465 100644
--- a/pkgs/os-specific/linux/undervolt/default.nix
+++ b/pkgs/os-specific/linux/undervolt/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, python3Packages }:
+{ lib, fetchFromGitHub, python3Packages }:
 
 python3Packages.buildPythonApplication rec {
   version = "0.3.0";
diff --git a/pkgs/os-specific/linux/usbip/default.nix b/pkgs/os-specific/linux/usbip/default.nix
index 923eab71b7a..43c22a8fd12 100644
--- a/pkgs/os-specific/linux/usbip/default.nix
+++ b/pkgs/os-specific/linux/usbip/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, kernel, udev, autoconf, automake, libtool, kernelOlder }:
+{ lib, stdenv, kernel, udev, autoconf, automake, libtool, hwdata, kernelOlder }:
 
 stdenv.mkDerivation {
   name = "usbip-${kernel.name}";
@@ -22,10 +22,12 @@ stdenv.mkDerivation {
     ./autogen.sh
   '';
 
+  configureFlags = [ "--with-usbids-dir=${hwdata}/share/hwdata/" ];
+
   meta = with lib; {
     homepage = "https://github.com/torvalds/linux/tree/master/tools/usb/usbip";
     description = "allows to pass USB device from server to client over the network";
-    license = licenses.gpl2;
+    license = with licenses; [ gpl2Only gpl2Plus ];
     platforms = platforms.linux;
     broken = kernelOlder "4.10";
   };
diff --git a/pkgs/os-specific/linux/usbutils/default.nix b/pkgs/os-specific/linux/usbutils/default.nix
index 9e298697d4b..fba025b29d9 100644
--- a/pkgs/os-specific/linux/usbutils/default.nix
+++ b/pkgs/os-specific/linux/usbutils/default.nix
@@ -1,11 +1,11 @@
 { lib, stdenv, fetchurl, substituteAll, autoreconfHook, pkg-config, libusb1, hwdata , python3 }:
 
 stdenv.mkDerivation rec {
-  name = "usbutils-012";
+  name = "usbutils-013";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/usb/usbutils/${name}.tar.xz";
-    sha256 = "0iiy0q7fzikavmdsjsb0sl9kp3gfh701qwyjjccvqh0qz4jlcqw8";
+    sha256 = "0f0klk6d3hmbpf6p4dcwa1qjzblmkhbxs1wsw87aidvqri7lj8wy";
   };
 
   patches = [
diff --git a/pkgs/os-specific/linux/usbutils/fix-paths.patch b/pkgs/os-specific/linux/usbutils/fix-paths.patch
index d75c68505ef..ef63a41e726 100644
--- a/pkgs/os-specific/linux/usbutils/fix-paths.patch
+++ b/pkgs/os-specific/linux/usbutils/fix-paths.patch
@@ -1,7 +1,7 @@
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -51,11 +51,11 @@
- 	usbreset.c
+@@ -61,7 +61,7 @@ EXTRA_DIST = \
+ 	LICENSES/GPL-3.0-only.txt
  
  lsusb.py: $(srcdir)/lsusb.py.in
 -	sed 's|VERSION|$(VERSION)|g;s|@usbids@|$(datadir)/usb.ids|g' $< >$@
@@ -9,8 +9,3 @@
  	chmod 755 $@
  
  lsusb.8: $(srcdir)/lsusb.8.in
--	sed 's|VERSION|$(VERSION)|g;s|@usbids@|$(datadir)/usb.ids|g' $< >$@
-+	sed 's|VERSION|$(VERSION)|g;s|@usbids@|@hwdata@/share/hwdata/usb.ids|g' $< >$@
- 
- usb-devices.1: $(srcdir)/usb-devices.1.in
- 	sed 's|VERSION|$(VERSION)|g' $< >$@
diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix
index d7629f0df04..73f321f2631 100644
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@@ -1,22 +1,17 @@
-{ lib, stdenv, fetchurl, fetchpatch, pkg-config, zlib, shadow
+{ lib, stdenv, fetchurl, pkg-config, zlib, shadow, libcap_ng
 , ncurses ? null, perl ? null, pam, systemd ? null, minimal ? false }:
 
 stdenv.mkDerivation rec {
   pname = "util-linux";
-  version = "2.36.1";
+  version = "2.36.2";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "1vbyydl1b13lx73di4bhc4br9ih24hcqv7bky0kyrn1c2x1c5yh9";
+    sha256 = "0psc0asjp1rmfx1j7468zfnk9nphlphybw2n8dcl74v8v2lnnlgp";
   };
 
   patches = [
     ./rtcwake-search-PATH-for-shutdown.patch
-    # Remove patch below in 2.36.2, see https://github.com/karelzak/util-linux/issues/1193
-    (fetchpatch {
-      url = "https://github.com/karelzak/util-linux/commit/52f730e47869ce630fafb24fd46f755dc7ffc691.patch";
-      sha256 = "1fz3p9127lfvmrdj1j1s8jds0jjz2dzkvmia66555ihv7hcfajbg";
-    })
   ];
 
   outputs = [ "bin" "dev" "out" "man" ];
@@ -57,7 +52,7 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkg-config ];
   buildInputs =
-    [ zlib pam ]
+    [ zlib pam libcap_ng ]
     ++ lib.filter (p: p != null) [ ncurses systemd perl ];
 
   doCheck = false; # "For development purpose only. Don't execute on production system!"
@@ -71,7 +66,9 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     homepage = "https://www.kernel.org/pub/linux/utils/util-linux/";
     description = "A set of system utilities for Linux";
-    license = licenses.gpl2; # also contains parts under more permissive licenses
+    changelog = "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v${lib.versions.majorMinor version}/v${version}-ReleaseNotes";
+    # https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/tree/README.licensing
+    license = with licenses; [ gpl2Only gpl2Plus gpl3Plus lgpl21Plus bsd3 bsdOriginalUC publicDomain ];
     platforms = platforms.linux;
     priority = 6; # lower priority than coreutils ("kill") and shadow ("login" etc.) packages
   };
diff --git a/pkgs/os-specific/linux/v4l-utils/default.nix b/pkgs/os-specific/linux/v4l-utils/default.nix
index 81a5f74c42f..90a052fdef9 100644
--- a/pkgs/os-specific/linux/v4l-utils/default.nix
+++ b/pkgs/os-specific/linux/v4l-utils/default.nix
@@ -1,7 +1,7 @@
 { stdenv, lib, fetchurl, pkg-config, perl
 , libjpeg, udev
 , withUtils ? true
-, withGUI ? true, alsaLib, libX11, qtbase, libGLU, wrapQtAppsHook
+, withGUI ? true, alsa-lib, libX11, qtbase, libGLU, wrapQtAppsHook
 }:
 
 # See libv4l in all-packages.nix for the libs only (overrides alsa, libX11 & QT)
@@ -35,7 +35,7 @@ in stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkg-config perl ] ++ lib.optional withQt wrapQtAppsHook;
 
-  buildInputs = [ udev ] ++ lib.optionals withQt [ alsaLib libX11 qtbase libGLU ];
+  buildInputs = [ udev ] ++ lib.optionals withQt [ alsa-lib libX11 qtbase libGLU ];
 
   propagatedBuildInputs = [ libjpeg ];
 
diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix
index 5e0125da00a..53f37e805fa 100644
--- a/pkgs/os-specific/linux/v4l2loopback/default.nix
+++ b/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -1,14 +1,14 @@
 { lib, stdenv, fetchFromGitHub, kernel, kmod }:
 
 stdenv.mkDerivation rec {
-  name = "v4l2loopback-${version}-${kernel.version}";
-  version = "0.12.5";
+  pname = "v4l2loopback";
+  version = "unstable-2020-04-22-${kernel.version}";
 
   src = fetchFromGitHub {
     owner = "umlaeute";
     repo = "v4l2loopback";
-    rev = "v${version}";
-    sha256 = "1qi4l6yam8nrlmc3zwkrz9vph0xsj1cgmkqci4652mbpbzigg7vn";
+    rev = "d26e624b4ead762d34152f9f825b3a51fb92fb9c";
+    sha256 = "sha256-OA45vmuVieoL7J83D3TD5qi3SBsiqi0kiQn4i1K6dVE=";
   };
 
   hardeningDisable = [ "format" "pic" ];
@@ -20,6 +20,7 @@ stdenv.mkDerivation rec {
   '';
 
   nativeBuildInputs = kernel.moduleBuildDependencies;
+
   buildInputs = [ kmod ];
 
   makeFlags = [
@@ -30,8 +31,8 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "A kernel module to create V4L2 loopback devices";
     homepage = "https://github.com/umlaeute/v4l2loopback";
-    license = licenses.gpl2;
-    maintainers = [ maintainers.domenkozar ];
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ fortuneteller2k ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/veikk-linux-driver/default.nix b/pkgs/os-specific/linux/veikk-linux-driver/default.nix
new file mode 100644
index 00000000000..a1019d7b7fd
--- /dev/null
+++ b/pkgs/os-specific/linux/veikk-linux-driver/default.nix
@@ -0,0 +1,35 @@
+{ lib, stdenv, fetchFromGitHub, kernel }:
+
+stdenv.mkDerivation rec {
+  pname = "veikk-linux-driver";
+  version = "2.0";
+
+  src = fetchFromGitHub {
+    owner = "jlam55555";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "11mg74ds58jwvdmi3i7c4chxs6v9g09r9ll22pc2kbxjdnrp8zrn";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  buildInputs = [ kernel ];
+
+  buildPhase = ''
+    make BUILD_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build
+  '';
+
+  installPhase = ''
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/veikk
+    install -Dm755 veikk.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/veikk
+  '';
+
+  meta = with lib; {
+    description = "Linux driver for VEIKK-brand digitizers";
+    homepage = "https://github.com/jlam55555/veikk-linux-driver/";
+    license = licenses.gpl2Only;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ nicbk ];
+    broken = kernel.kernelOlder "4.19";
+  };
+}
diff --git a/pkgs/os-specific/linux/vendor-reset/default.nix b/pkgs/os-specific/linux/vendor-reset/default.nix
new file mode 100644
index 00000000000..8f1bde7ecbd
--- /dev/null
+++ b/pkgs/os-specific/linux/vendor-reset/default.nix
@@ -0,0 +1,35 @@
+{ stdenv, fetchFromGitHub, kernel, lib }:
+
+stdenv.mkDerivation rec {
+  name = "vendor-reset-${version}-${kernel.version}";
+  version = "unstable-2021-02-16";
+
+  src = fetchFromGitHub {
+    owner = "gnif";
+    repo = "vendor-reset";
+    rev = "225a49a40941e350899e456366265cf82b87ad25";
+    sha256 = "sha256-xa7P7+mRk4FVgi+YYCcsFLfyNqPmXvy3xhGoTDVqPxw=";
+  };
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+
+  hardeningDisable = [ "pic" ];
+
+  makeFlags = [
+    "KVER=${kernel.modDirVersion}"
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D vendor-reset.ko -t "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/misc/"
+  '';
+
+  meta = with lib; {
+    description = "Linux kernel vendor specific hardware reset module";
+    homepage = "https://github.com/gnif/vendor-reset";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ wedens ];
+    platforms = [ "x86_64-linux" ];
+    broken = kernel.kernelOlder "4.19";
+  };
+}
diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix
index 41ab1a0f539..e183b4ac5d4 100644
--- a/pkgs/os-specific/linux/wireguard/default.nix
+++ b/pkgs/os-specific/linux/wireguard/default.nix
@@ -7,11 +7,11 @@ assert lib.versionOlder kernel.version "5.6";
 
 stdenv.mkDerivation rec {
   pname = "wireguard";
-  version = "1.0.20201221";
+  version = "1.0.20210606";
 
   src = fetchzip {
     url = "https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${version}.tar.xz";
-    sha256 = "sha256-8RPJEk+6NaJP3LNZYEncLlkdrw2jHxNekKwEr+YpHeQ=";
+    sha256 = "sha256-ha7x6+41oPRRhuRwEb1ojRWLF1dlEMoJtqXrzRKQ408=";
   };
 
   hardeningDisable = [ "pic" ];
diff --git a/pkgs/os-specific/linux/wlgreet/default.nix b/pkgs/os-specific/linux/wlgreet/default.nix
new file mode 100644
index 00000000000..4758945e41a
--- /dev/null
+++ b/pkgs/os-specific/linux/wlgreet/default.nix
@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromSourcehut
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "wlgreet";
+  version = "0.3";
+
+  src = fetchFromSourcehut {
+    owner = "~kennylevinsen";
+    repo = pname;
+    rev = version;
+    sha256 = "0n0lzg3y1z5s9s6kfkdj5q8w67bqpw08hqfccc5kz0ninzy9j0cc";
+  };
+
+  cargoSha256 = "1lwy8xmkl9n3fj3wlf80wp728nn9p5rjnbgmm2cbpqxklcgbmxhm";
+
+  meta = with lib; {
+    description = "Raw wayland greeter for greetd, to be run under sway or similar";
+    homepage = "https://git.sr.ht/~kennylevinsen/wlgreet";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ luc65r ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/wooting-udev-rules/default.nix b/pkgs/os-specific/linux/wooting-udev-rules/default.nix
index 75924ad02a7..f1ae2069235 100644
--- a/pkgs/os-specific/linux/wooting-udev-rules/default.nix
+++ b/pkgs/os-specific/linux/wooting-udev-rules/default.nix
@@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
   # Source: https://wooting.helpscoutdocs.com/article/68-wootility-configuring-device-access-for-wootility-under-linux-udev-rules
   src = [ ./wooting.rules ];
 
-  unpackPhase = ":";
+  dontUnpack = true;
 
   installPhase = ''
     install -Dpm644 $src $out/lib/udev/rules.d/70-wooting.rules
diff --git a/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch b/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
new file mode 100644
index 00000000000..d459de8a7f3
--- /dev/null
+++ b/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
@@ -0,0 +1,130 @@
+From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch <maximilian@mbosch.me>
+Date: Fri, 19 Feb 2021 19:44:21 +0100
+Subject: [PATCH] Implement read-only mode for ssids
+
+With this change it's possible to define `network=`-sections in a second
+config file specified via `-I` without having changes written to
+`/etc/wpa_supplicant.conf`.
+
+This is helpful on e.g. NixOS to allow both declarative (i.e. read-only)
+and imperative (i.e. mutable) networks.
+---
+ wpa_supplicant/config.h         | 2 +-
+ wpa_supplicant/config_file.c    | 5 +++--
+ wpa_supplicant/config_none.c    | 2 +-
+ wpa_supplicant/config_ssid.h    | 2 ++
+ wpa_supplicant/wpa_supplicant.c | 8 ++++----
+ 5 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
+index 6a297ecfe..adaf4d398 100644
+--- a/wpa_supplicant/config.h
++++ b/wpa_supplicant/config.h
+@@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var);
+  *
+  * Each configuration backend needs to implement this function.
+  */
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp);
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro);
+ 
+ /**
+  * wpa_config_write - Write or update configuration data
+diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
+index 77c326df5..d5ed051b9 100644
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f,
+ #endif /* CONFIG_NO_CONFIG_BLOBS */
+ 
+ 
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
+ {
+ 	FILE *f;
+ 	char buf[512], *pos;
+@@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+ 	while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) {
+ 		if (os_strcmp(pos, "network={") == 0) {
+ 			ssid = wpa_config_read_network(f, &line, id++);
++			ssid->ro = ro;
+ 			if (ssid == NULL) {
+ 				wpa_printf(MSG_ERROR, "Line %d: failed to "
+ 					   "parse network block.", line);
+@@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config)
+ 	}
+ 
+ 	for (ssid = config->ssid; ssid; ssid = ssid->next) {
+-		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary)
++		if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro)
+ 			continue; /* do not save temporary networks */
+ 		if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
+ 		    !ssid->passphrase)
+diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c
+index 2aac28fa3..02191b425 100644
+--- a/wpa_supplicant/config_none.c
++++ b/wpa_supplicant/config_none.c
+@@ -17,7 +17,7 @@
+ #include "base64.h"
+ 
+ 
+-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
++struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
+ {
+ 	struct wpa_config *config;
+ 
+diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
+index d5c5c00a9..fd80c079c 100644
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -93,6 +93,8 @@ struct wpa_ssid {
+ 	 */
+ 	int id;
+ 
++	int ro;
++
+ 	/**
+ 	 * priority - Priority group
+ 	 *
+diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
+index 911d79d17..cb0cb99b1 100644
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
+ 
+ 	if (wpa_s->confname == NULL)
+ 		return -1;
+-	conf = wpa_config_read(wpa_s->confname, NULL);
++	conf = wpa_config_read(wpa_s->confname, NULL, 0);
+ 	if (conf == NULL) {
+ 		wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration "
+ 			"file '%s' - exiting", wpa_s->confname);
+ 		return -1;
+ 	}
+ 	if (wpa_s->confanother &&
+-	    !wpa_config_read(wpa_s->confanother, conf)) {
++	    !wpa_config_read(wpa_s->confanother, conf, 1)) {
+ 		wpa_msg(wpa_s, MSG_ERROR,
+ 			"Failed to parse the configuration file '%s' - exiting",
+ 			wpa_s->confanother);
+@@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
+ #else /* CONFIG_BACKEND_FILE */
+ 		wpa_s->confname = os_strdup(iface->confname);
+ #endif /* CONFIG_BACKEND_FILE */
+-		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL);
++		wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0);
+ 		if (wpa_s->conf == NULL) {
+ 			wpa_printf(MSG_ERROR, "Failed to read or parse "
+ 				   "configuration '%s'.", wpa_s->confname);
+@@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
+ 		}
+ 		wpa_s->confanother = os_rel2abs_path(iface->confanother);
+ 		if (wpa_s->confanother &&
+-		    !wpa_config_read(wpa_s->confanother, wpa_s->conf)) {
++		    !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) {
+ 			wpa_printf(MSG_ERROR,
+ 				   "Failed to read or parse configuration '%s'.",
+ 				   wpa_s->confanother);
+-- 
+2.29.2
+
diff --git a/pkgs/os-specific/linux/wpa_supplicant/default.nix b/pkgs/os-specific/linux/wpa_supplicant/default.nix
index 32b61b02bee..1dbe281e096 100644
--- a/pkgs/os-specific/linux/wpa_supplicant/default.nix
+++ b/pkgs/os-specific/linux/wpa_supplicant/default.nix
@@ -1,5 +1,8 @@
-{ lib, stdenv, fetchurl, openssl, pkg-config, libnl
-, dbus, readline ? null, pcsclite ? null
+{ lib, stdenv, fetchurl, fetchpatch, openssl, pkg-config, libnl
+, withDbus ? true, dbus
+, withReadline ? true, readline
+, withPcsclite ? true, pcsclite
+, readOnlyModeSSIDs ? false
 }:
 
 with lib;
@@ -19,6 +22,33 @@ stdenv.mkDerivation rec {
       url = "https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch";
       sha256 = "15xjyy7crb557wxpx898b5lnyblxghlij0xby5lmj9hpwwss34dz";
     })
+    (fetchpatch {
+      # Expose OWE key management capability over DBus, remove >= 2.10
+      name = "dbus-Export-OWE-capability-and-OWE-BSS-key_mgmt.patch";
+      url = "https://w1.fi/cgit/hostap/patch/?id=7800725afb27397f7d6033d4969e2aeb61af4737";
+      sha256 = "0c1la7inf4m5y9gzdjjdnhpkx32pm8vi6m5knih8p77q4mbrdgg8";
+    })
+    # P2P: Fix copying of secondary device types for P2P group client (https://w1.fi/security/2020-2/)
+    (fetchurl {
+      name = "CVE-2021-0326.patch";
+      url = "https://w1.fi/security/2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch";
+      sha256 = "19f4hx0p547mdx8y8arb3vclwyy4w9c8a6a40ryj7q33730mrmn4";
+    })
+    # P2P: Fix a corner case in peer addition based on PD Request (https://w1.fi/security/2021-1/)
+    (fetchurl {
+      name = "CVE-2021-27803.patch";
+      url = "https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch";
+      sha256 = "04cnds7hmbqc44jasabjvrdnh66i5hwvk2h2m5z94pmgbzncyh3z";
+    })
+    # In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.
+    (fetchpatch {
+      name = "CVE-2021-30004.patch";
+      url = "https://w1.fi/cgit/hostap/patch/?id=a0541334a6394f8237a4393b7372693cd7e96f15";
+      sha256 = "1gbhlz41x1ar1hppnb76pqxj6vimiypy7c4kq6h658637s4am3xg";
+    })
+  ] ++ lib.optionals readOnlyModeSSIDs [
+    # Allow read-only networks
+    ./0001-Implement-read-only-mode-for-ssids.patch
   ];
 
   # TODO: Patch epoll so that the dbus actually responds
@@ -32,6 +62,7 @@ stdenv.mkDerivation rec {
     CONFIG_EAP_SAKE=y
     CONFIG_EAP_GPSK=y
     CONFIG_EAP_GPSK_SHA256=y
+    CONFIG_OWE=y
     CONFIG_WPS=y
     CONFIG_WPS_ER=y
     CONFIG_WPS_NFS=y
@@ -56,16 +87,17 @@ stdenv.mkDerivation rec {
     CONFIG_P2P=y
     CONFIG_TDLS=y
     CONFIG_BGSCAN_SIMPLE=y
-  '' + optionalString (pcsclite != null) ''
+    CONFIG_BGSCAN_LEARN=y
+  '' + optionalString withPcsclite ''
     CONFIG_EAP_SIM=y
     CONFIG_EAP_AKA=y
     CONFIG_EAP_AKA_PRIME=y
     CONFIG_PCSC=y
-  '' + optionalString (dbus != null) ''
+  '' + optionalString withDbus ''
     CONFIG_CTRL_IFACE_DBUS=y
     CONFIG_CTRL_IFACE_DBUS_NEW=y
     CONFIG_CTRL_IFACE_DBUS_INTRO=y
-  '' + (if readline != null then ''
+  '' + (if withReadline then ''
     CONFIG_READLINE=y
   '' else ''
     CONFIG_WPA_CLI_EDIT=y
@@ -82,10 +114,13 @@ stdenv.mkDerivation rec {
     substituteInPlace Makefile --replace /usr/local $out
     export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE \
       -I$(echo "${lib.getDev libnl}"/include/libnl*/) \
-      -I${lib.getDev pcsclite}/include/PCSC/"
+      ${optionalString withPcsclite "-I${lib.getDev pcsclite}/include/PCSC/"}"
   '';
 
-  buildInputs = [ openssl libnl dbus readline pcsclite ];
+  buildInputs = [ openssl libnl ]
+    ++ optional withDbus dbus
+    ++ optional withReadline readline
+    ++ optional withPcsclite pcsclite;
 
   nativeBuildInputs = [ pkg-config ];
 
@@ -105,10 +140,10 @@ stdenv.mkDerivation rec {
   '';
 
   meta = with lib; {
-    homepage = "https://hostap.epitest.fi/wpa_supplicant/";
+    homepage = "https://w1.fi/wpa_supplicant/";
     description = "A tool for connecting to WPA and WPA2-protected wireless networks";
     license = licenses.bsd3;
-    maintainers = with maintainers; [ marcweber ];
+    maintainers = with maintainers; [ marcweber ma27 ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/wpa_supplicant/gui.nix b/pkgs/os-specific/linux/wpa_supplicant/gui.nix
index ab1cece0f33..d2d59ba21a5 100644
--- a/pkgs/os-specific/linux/wpa_supplicant/gui.nix
+++ b/pkgs/os-specific/linux/wpa_supplicant/gui.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, mkDerivation, fetchpatch, qtbase, qmake, inkscape, imagemagick, wpa_supplicant }:
+{ lib, mkDerivation, fetchpatch, qtbase, qmake, inkscape, imagemagick, wpa_supplicant }:
 
 mkDerivation {
   name = "wpa_gui-${wpa_supplicant.version}";
diff --git a/pkgs/os-specific/linux/xf86-input-wacom/default.nix b/pkgs/os-specific/linux/xf86-input-wacom/default.nix
index e404ac72f5c..4ebc4ed7663 100644
--- a/pkgs/os-specific/linux/xf86-input-wacom/default.nix
+++ b/pkgs/os-specific/linux/xf86-input-wacom/default.nix
@@ -1,31 +1,61 @@
-{ lib, stdenv, fetchurl
-, xorgproto, libX11, libXext, libXi, libXrandr, libXrender
-, ncurses, pkg-config, xorgserver, udev, libXinerama, pixman }:
+{ lib
+, stdenv
+, autoreconfHook
+, fetchFromGitHub
+, xorgproto
+, libX11
+, libXext
+, libXi
+, libXinerama
+, libXrandr
+, libXrender
+, ncurses
+, pixman
+, pkg-config
+, udev
+, utilmacros
+, xorgserver
+}:
 
 stdenv.mkDerivation rec {
-  name = "xf86-input-wacom-0.36.0";
+  pname = "xf86-input-wacom";
+  version = "0.40.0";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/linuxwacom/${name}.tar.bz2";
-    sha256 = "1xi39hl8ddgj9m7m2k2ll2r3wh0k0aq45fvrsv43651bhz9cbrza";
+  src = fetchFromGitHub {
+    owner = "linuxwacom";
+    repo = pname;
+    rev = "${pname}-${version}";
+    sha256 = "sha256-0U4pAB5vsIlBewCBqQ4SLHDrwqtr9nh7knZpXZMkzck=";
   };
 
-  buildInputs = [ xorgproto libX11 libXext libXi libXrandr libXrender
-    ncurses pkg-config xorgserver udev libXinerama pixman ];
+  nativeBuildInputs = [ autoreconfHook pkg-config ];
 
-  preConfigure = ''
-    mkdir -p $out/share/X11/xorg.conf.d
-    configureFlags="--with-xorg-module-dir=$out/lib/xorg/modules
-    --with-sdkdir=$out/include/xorg --with-xorg-conf-dir=$out/share/X11/xorg.conf.d"
-  '';
+  buildInputs = [
+    libX11
+    libXext
+    libXi
+    libXinerama
+    libXrandr
+    libXrender
+    ncurses
+    udev
+    utilmacros
+    pixman
+    xorgproto
+    xorgserver
+  ];
 
-  CFLAGS = "-I${pixman}/include/pixman-1";
+  configureFlags = [
+    "--with-xorg-module-dir=${placeholder "out"}/lib/xorg/modules"
+    "--with-sdkdir=${placeholder "out"}/include/xorg"
+    "--with-xorg-conf-dir=${placeholder "out"}/share/X11/xorg.conf.d"
+  ];
 
   meta = with lib; {
-    maintainers = [ maintainers.goibhniu ];
+    maintainers = with maintainers; [ goibhniu fortuneteller2k ];
     description = "Wacom digitizer driver for X11";
     homepage = "http://linuxwacom.sourceforge.net";
-    license = licenses.gpl2;
-    platforms = platforms.linux; # Probably, works with other unices as well
+    license = licenses.gpl2Only;
+    platforms = platforms.linux; # Probably, works with other unixes as well
   };
 }
diff --git a/pkgs/os-specific/linux/xmm7360-pci/default.nix b/pkgs/os-specific/linux/xmm7360-pci/default.nix
new file mode 100644
index 00000000000..115299ff50b
--- /dev/null
+++ b/pkgs/os-specific/linux/xmm7360-pci/default.nix
@@ -0,0 +1,28 @@
+{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel, perl, bc, breakpointHook }:
+
+stdenv.mkDerivation rec {
+  pname = "xmm7360-pci";
+  version = "unstable-2021-07-19";
+
+  src = fetchFromGitHub {
+    owner = "xmm7360";
+    repo = "xmm7360-pci";
+    rev = "7086b80bb609180b1b89fb478751e5e8414ab64f";
+    sha256 = "1wdb0phqg9rj9g9ycqdya0m7lx24kzjlh25yw0ifp898ddxrrr0c";
+  };
+
+  makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  INSTALL_MOD_PATH = placeholder "out";
+  installFlags = [ "DEPMOD=true" ];
+
+  meta = with lib; {
+    homepage = "https://github.com/xmm7360/xmm7360-pci";
+    description = "PCI driver for Fibocom L850-GL modem based on Intel XMM7360 modem";
+    downloadPage = "https://github.com/xmm7360/xmm7360-pci";
+    license = licenses.isc;
+    maintainers = with maintainers; [ flokli hexa ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/os-specific/linux/xpadneo/default.nix b/pkgs/os-specific/linux/xpadneo/default.nix
index e0e2bcc21d9..c1874877620 100644
--- a/pkgs/os-specific/linux/xpadneo/default.nix
+++ b/pkgs/os-specific/linux/xpadneo/default.nix
@@ -2,25 +2,19 @@
 
 stdenv.mkDerivation rec {
   pname = "xpadneo";
-  version = "0.8.4";
+  version = "0.9.1";
 
   src = fetchFromGitHub {
     owner = "atar-axis";
     repo = pname;
     rev = "v${version}";
-    sha256 = "113xa2mxs2hc4fpjdk3jhhchy81kli6jxdd6vib7zz61n10cjb85";
+    hash = "sha256-VUcS4OzvPj0o627ZWIOBqEAQJ4JuMCMjgaZoMkL/IHc=";
   };
 
   setSourceRoot = ''
     export sourceRoot=$(pwd)/source/hid-xpadneo/src
   '';
 
-  postPatch = ''
-    # Set kernel module version
-    substituteInPlace hid-xpadneo.c \
-      --subst-var-by DO_NOT_CHANGE ${version}
-  '';
-
   nativeBuildInputs = kernel.moduleBuildDependencies;
   buildInputs = [ bluez ];
 
@@ -28,6 +22,7 @@ stdenv.mkDerivation rec {
     "-C"
     "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
     "M=$(sourceRoot)"
+    "VERSION=${version}"
   ];
 
   buildFlags = [ "modules" ];
@@ -38,7 +33,7 @@ stdenv.mkDerivation rec {
     description = "Advanced Linux driver for Xbox One wireless controllers";
     homepage = "https://atar-axis.github.io/xpadneo";
     license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ metadark ];
+    maintainers = with maintainers; [ kira-bruneau ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix
index 86deebb5014..7784aa8e03f 100644
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@@ -1,15 +1,15 @@
-{ lib, stdenv, fetchFromGitHub, fetchpatch
+{ lib, stdenv, fetchFromGitHub
 , autoreconfHook269, util-linux, nukeReferences, coreutils
-, perl, buildPackages
+, perl, nixosTests
 , configFile ? "all"
 
 # Userspace dependencies
 , zlib, libuuid, python3, attr, openssl
 , libtirpc
-, nfs-utils
+, nfs-utils, samba
 , gawk, gnugrep, gnused, systemd
-, smartmontools, sysstat, sudo
-, pkg-config
+, smartmontools, enableMail ? false
+, sysstat, pkg-config
 
 # Kernel dependencies
 , kernel ? null
@@ -18,6 +18,8 @@
 
 with lib;
 let
+  smartmon = smartmontools.override { inherit enableMail; };
+
   buildKernel = any (n: n == configFile) [ "kernel" "all" ];
   buildUser = any (n: n == configFile) [ "user" "all" ];
 
@@ -26,7 +28,7 @@ let
     , extraPatches ? []
     , rev ? "zfs-${version}"
     , isUnstable ? false
-    , incompatibleKernelVersion ? null }:
+    , kernelCompatible ? null }:
 
     stdenv.mkDerivation {
       name = "zfs-${configFile}-${version}${optionalString buildKernel "-${kernel.version}"}";
@@ -53,6 +55,7 @@ let
           # And if it's enabled by default, only change that if we explicitly disable python to remove python from the closure
           nfs-utils.override (old: { enablePython = old.enablePython or true && enablePython; })
         }/bin/exportfs"
+        substituteInPlace ./lib/libshare/smb.h        --replace "/usr/bin/net"            "${samba}/bin/net"
         substituteInPlace ./config/user-systemd.m4    --replace "/usr/lib/modules-load.d" "$out/etc/modules-load.d"
         substituteInPlace ./config/zfs-build.m4       --replace "\$sysconfdir/init.d"     "$out/etc/init.d" \
                                                       --replace "/etc/default"            "$out/etc/default"
@@ -148,14 +151,26 @@ let
       '';
 
       postFixup = let
-        path = "PATH=${makeBinPath [ coreutils gawk gnused gnugrep util-linux smartmontools sysstat ]}:$PATH";
+        path = "PATH=${makeBinPath [ coreutils gawk gnused gnugrep util-linux smartmon sysstat ]}:$PATH";
       in ''
         for i in $out/libexec/zfs/zpool.d/*; do
           sed -i '2i${path}' $i
         done
       '';
 
-      outputs = [ "out" ] ++ optionals buildUser [ "lib" "dev" ];
+      outputs = [ "out" ] ++ optionals buildUser [ "dev" ];
+
+      passthru = {
+        inherit enableMail;
+
+        tests =
+          if isUnstable then [
+            nixosTests.zfs.unstable
+          ] else [
+            nixosTests.zfs.installer
+            nixosTests.zfs.stable
+          ];
+      };
 
       meta = {
         description = "ZFS Filesystem Linux Kernel module";
@@ -165,16 +180,13 @@ let
           snapshotting, cloning, block devices, deduplication, and more.
         '';
         homepage = "https://github.com/openzfs/zfs";
+        changelog = "https://github.com/openzfs/zfs/releases/tag/zfs-${version}";
         license = licenses.cddl;
         platforms = platforms.linux;
         maintainers = with maintainers; [ hmenke jcumming jonringer wizeman fpletz globin mic92 ];
-        broken = if
-          buildKernel && (incompatibleKernelVersion != null) && versionAtLeast kernel.version incompatibleKernelVersion
-          then builtins.trace ''
-            Linux v${kernel.version} is not yet supported by zfsonlinux v${version}.
-            ${lib.optionalString (!isUnstable) "Try zfsUnstable or set the NixOS option boot.zfs.enableUnstable."}
-          '' true
-          else false;
+        # If your Linux kernel version is not yet supported by zfs, try zfsUnstable.
+        # On NixOS set the option boot.zfs.enableUnstable.
+        broken = buildKernel && (kernelCompatible != null) && !kernelCompatible;
       };
     };
 in {
@@ -182,26 +194,24 @@ in {
   # ./nixos/modules/tasks/filesystems/zfs.nix needs
   # to be adapted
   zfsStable = common {
-    # comment/uncomment if breaking kernel versions are known
-    # incompatibleKernelVersion = "4.20";
+    # check the release notes for compatible kernels
+    kernelCompatible = kernel.kernelAtLeast "3.10" && kernel.kernelOlder "5.14";
 
     # this package should point to the latest release.
-    version = "2.0.1";
-
-    sha256 = "0wmw823ildwm9rcfyk22pvzg100yhps3y9hfjlrpspfd1hhkbp0d";
+    version = "2.1.0";
 
-    extraPatches = [ ];
+    sha256 = "sha256-YdY4SStXZGBBdAHdM3R/unco7ztxI3s0/buPSNSeh5o=";
   };
 
   zfsUnstable = common {
-    # comment/uncomment if breaking kernel versions are known
-    # incompatibleKernelVersion = "4.19";
+    # check the release notes for compatible kernels
+    kernelCompatible = kernel.kernelAtLeast "3.10" && kernel.kernelOlder "5.14";
 
     # this package should point to a version / git revision compatible with the latest kernel release
-    version = "2.0.1";
+    version = "2.1.0";
 
-    sha256 = "0wmw823ildwm9rcfyk22pvzg100yhps3y9hfjlrpspfd1hhkbp0d";
+    sha256 = "sha256-YdY4SStXZGBBdAHdM3R/unco7ztxI3s0/buPSNSeh5o=";
 
-    extraPatches = [ ];
+    isUnstable = true;
   };
 }