summary refs log tree commit diff
path: root/pkgs/servers
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/servers')
-rw-r--r--pkgs/servers/atlassian/jira.nix4
-rw-r--r--pkgs/servers/dns/bind/default.nix4
-rw-r--r--pkgs/servers/dns/coredns/default.nix17
-rw-r--r--pkgs/servers/dns/knot-resolver/default.nix4
-rw-r--r--pkgs/servers/http/apache-httpd/2.4.nix10
-rw-r--r--pkgs/servers/imgproxy/default.nix6
-rw-r--r--pkgs/servers/invidious/default.nix53
-rw-r--r--pkgs/servers/invidious/lsquic.nix20
-rw-r--r--pkgs/servers/invidious/shards.nix12
-rwxr-xr-xpkgs/servers/invidious/update.sh96
-rw-r--r--pkgs/servers/invidious/use-etc-ssl-certs.patch13
-rw-r--r--pkgs/servers/invidious/versions.json18
-rw-r--r--pkgs/servers/invidious/videojs.nix18
-rw-r--r--pkgs/servers/invidious/videojs.sh9
-rw-r--r--pkgs/servers/jackett/default.nix4
-rw-r--r--pkgs/servers/jackett/deps.nix8
-rw-r--r--pkgs/servers/libreddit/default.nix6
-rw-r--r--pkgs/servers/mastodon/default.nix4
-rw-r--r--pkgs/servers/mautrix-telegram/0002-Don-t-depend-on-pytest-runner.patch24
-rw-r--r--pkgs/servers/mautrix-telegram/default.nix13
-rw-r--r--pkgs/servers/mautrix-whatsapp/default.nix6
-rw-r--r--pkgs/servers/misc/virtiofsd/default.nix6
-rw-r--r--pkgs/servers/monitoring/grafana/default.nix6
-rw-r--r--pkgs/servers/monitoring/prometheus/apcupsd-exporter.nix8
-rw-r--r--pkgs/servers/monitoring/prometheus/wireguard-exporter.nix6
-rw-r--r--pkgs/servers/mpd/default.nix4
-rw-r--r--pkgs/servers/nats-server/default.nix6
-rw-r--r--pkgs/servers/nats-streaming-server/default.nix14
-rw-r--r--pkgs/servers/nextcloud/default.nix17
-rw-r--r--pkgs/servers/owncast/default.nix6
-rw-r--r--pkgs/servers/peertube/default.nix13
-rw-r--r--pkgs/servers/piping-server-rust/default.nix6
-rw-r--r--pkgs/servers/pleroma/default.nix31
-rw-r--r--pkgs/servers/sabnzbd/default.nix4
-rw-r--r--pkgs/servers/sql/materialize/default.nix11
-rw-r--r--pkgs/servers/sql/postgresql/ext/pgroonga.nix4
-rw-r--r--pkgs/servers/tailscale/default.nix4
-rw-r--r--pkgs/servers/unifi/default.nix4
-rw-r--r--pkgs/servers/web-apps/wordpress/default.nix4
39 files changed, 350 insertions, 153 deletions
diff --git a/pkgs/servers/atlassian/jira.nix b/pkgs/servers/atlassian/jira.nix
index 014fbedf643..7880c529c73 100644
--- a/pkgs/servers/atlassian/jira.nix
+++ b/pkgs/servers/atlassian/jira.nix
@@ -8,11 +8,11 @@
 
 stdenv.mkDerivation rec {
   pname = "atlassian-jira";
-  version = "8.21.0";
+  version = "8.22.0";
 
   src = fetchurl {
     url = "https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-${version}.tar.gz";
-    sha256 = "sha256-AJWEm6JBHINca9l0R6dILLMkPGzFVuVjOqD/4AaO5nI=";
+    sha256 = "sha256-swEq8g/A1Ok1P7JtceUDId7kG0GRtBPGblY09xt81Ys=";
   };
 
   buildPhase = ''
diff --git a/pkgs/servers/dns/bind/default.nix b/pkgs/servers/dns/bind/default.nix
index 2601266f4d7..81722805e27 100644
--- a/pkgs/servers/dns/bind/default.nix
+++ b/pkgs/servers/dns/bind/default.nix
@@ -9,11 +9,11 @@
 
 stdenv.mkDerivation rec {
   pname = "bind";
-  version = "9.18.0";
+  version = "9.18.1";
 
   src = fetchurl {
     url = "https://downloads.isc.org/isc/bind9/${version}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-VlJb9crwH9j9nZCRCIDMD4qQonqX0WkYfWUdTs8MQRw=";
+    sha256 = "sha256-V8ev2HFpTWFctN77HBvW7QIzUJQ9dFhBTbjUk+9WBCc=";
   };
 
   outputs = [ "out" "lib" "dev" "man" "dnsutils" "host" ];
diff --git a/pkgs/servers/dns/coredns/default.nix b/pkgs/servers/dns/coredns/default.nix
index 7e6347e9ba3..66298866dbc 100644
--- a/pkgs/servers/dns/coredns/default.nix
+++ b/pkgs/servers/dns/coredns/default.nix
@@ -2,23 +2,30 @@
 
 buildGoModule rec {
   pname = "coredns";
-  version = "1.9.0";
+  version = "1.9.1";
 
   src = fetchFromGitHub {
     owner = "coredns";
     repo = "coredns";
     rev = "v${version}";
-    sha256 = "sha256-8IYJxb+HssS2xTboBRo3lz9czklt/Sn098ATlDaO7Gs=";
+    sha256 = "sha256-1lJrbazEgsRHI10qIgA9KgglsxpnMIdxEWpu6RiJ0pQ=";
   };
 
-  vendorSha256 = "sha256-Vxs+k4WF55xwjgdlW/1NM4NWnYqj2EOLOONflj+BoY4=";
+  vendorSha256 = "sha256-ueEuduZ76FUs2wE8oiHGON9+s91jaHhS6gOKr7MNh8g=";
 
-  doCheck = false;
+  postPatch = ''
+    substituteInPlace test/file_cname_proxy_test.go \
+      --replace "TestZoneExternalCNAMELookupWithProxy" \
+                "SkipZoneExternalCNAMELookupWithProxy"
+
+    substituteInPlace test/readme_test.go \
+      --replace "TestReadme" "SkipReadme"
+  '';
 
   meta = with lib; {
     homepage = "https://coredns.io";
     description = "A DNS server that runs middleware";
     license = licenses.asl20;
-    maintainers = with maintainers; [ rushmorem rtreffer deltaevo ];
+    maintainers = with maintainers; [ rushmorem rtreffer deltaevo superherointj ];
   };
 }
diff --git a/pkgs/servers/dns/knot-resolver/default.nix b/pkgs/servers/dns/knot-resolver/default.nix
index 4d12a6d7172..d47b5a3e6a3 100644
--- a/pkgs/servers/dns/knot-resolver/default.nix
+++ b/pkgs/servers/dns/knot-resolver/default.nix
@@ -17,11 +17,11 @@ lua = luajitPackages;
 
 unwrapped = stdenv.mkDerivation rec {
   pname = "knot-resolver";
-  version = "5.4.4";
+  version = "5.5.0";
 
   src = fetchurl {
     url = "https://secure.nic.cz/files/knot-resolver/${pname}-${version}.tar.xz";
-    sha256 = "588964319e943679d391cc9c886d40ef858ecd9b33ae160023b4e2b5182b2cea";
+    sha256 = "4e6f48c74d955f143d603f6072670cb41ab9acdd95d4455d6e74b6908562c55a";
   };
 
   outputs = [ "out" "dev" ];
diff --git a/pkgs/servers/http/apache-httpd/2.4.nix b/pkgs/servers/http/apache-httpd/2.4.nix
index 56d66a2e99c..d72dcb9170b 100644
--- a/pkgs/servers/http/apache-httpd/2.4.nix
+++ b/pkgs/servers/http/apache-httpd/2.4.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, perl, zlib, apr, aprutil, pcre, libiconv, lynx
+{ lib, stdenv, fetchurl, perl, zlib, apr, aprutil, pcre2, libiconv, lynx, which
 , nixosTests
 , proxySupport ? true
 , sslSupport ? true, openssl
@@ -11,17 +11,19 @@
 
 stdenv.mkDerivation rec {
   pname = "apache-httpd";
-  version = "2.4.52";
+  version = "2.4.53";
 
   src = fetchurl {
     url = "mirror://apache/httpd/httpd-${version}.tar.bz2";
-    sha256 = "sha256-ASf33El+mYPpxRR0vtdeRWB/L4cKdnWobckK9tVy9ck=";
+    sha256 = "sha256-0LvREhpXtfKm/5LXuW+AUMWkXT8U2xGPZJedUlhY22M=";
   };
 
   # FIXME: -dev depends on -doc
   outputs = [ "out" "dev" "man" "doc" ];
   setOutputFlags = false; # it would move $out/modules, etc.
 
+  nativeBuildInputs = [ which ];
+
   buildInputs = [ perl ] ++
     lib.optional brotliSupport brotli ++
     lib.optional sslSupport openssl ++
@@ -42,7 +44,7 @@ stdenv.mkDerivation rec {
     "--with-apr=${apr.dev}"
     "--with-apr-util=${aprutil.dev}"
     "--with-z=${zlib.dev}"
-    "--with-pcre=${pcre.dev}"
+    "--with-pcre=${pcre2.dev}/bin/pcre2-config"
     "--disable-maintainer-mode"
     "--disable-debugger-mode"
     "--enable-mods-shared=all"
diff --git a/pkgs/servers/imgproxy/default.nix b/pkgs/servers/imgproxy/default.nix
index 2b7ed9e1c9c..b6dd99edfdd 100644
--- a/pkgs/servers/imgproxy/default.nix
+++ b/pkgs/servers/imgproxy/default.nix
@@ -3,16 +3,16 @@
 
 buildGoModule rec {
   pname = "imgproxy";
-  version = "3.3.1";
+  version = "3.3.2";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    sha256 = "sha256-GZYaFK6g26gbVa3sHwTZ4fNGMFWBWevqcfJc/3SC890=";
+    sha256 = "sha256-LJsiZeKgetFTqX58I82jDr8fIgYJCDVhb44yg8uc/8w=";
     rev = "v${version}";
   };
 
-  vendorSha256 = "sha256-uV5pnnvVYviw2LnceQUiTJXva3WI51pgW6IeZzVhULc=";
+  vendorSha256 = "sha256-088VEntNx3ZX2p6EiAZ6nSeWmM32XLAOmqXu2sd9QG4=";
 
   doCheck = false;
 
diff --git a/pkgs/servers/invidious/default.nix b/pkgs/servers/invidious/default.nix
index 7e939f51bc9..adcd694bad9 100644
--- a/pkgs/servers/invidious/default.nix
+++ b/pkgs/servers/invidious/default.nix
@@ -1,24 +1,27 @@
-{ lib, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl, sqlite, lsquic, nixosTests }:
+{ lib, stdenv, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl, shards, sqlite, lsquic, videojs, nixosTests }:
 let
-  # When updating, always update the following:
-  #  * the git revision
-  #  * the version attribute
-  #  * the source hash (sha256)
-  # If the shards.lock file changed, also the following:
-  #  * shards.nix (by running `crystal2nix` in invidious’ source tree)
-  #  * If the lsquic.cr dependency changed: lsquic in lsquic.nix (version, sha256)
-  #  * If the lsquic version changed: boringssl' in lsquic.nix (version, sha256)
-  rev = "21879da80d2dfa97e789a13b90e82e466c4854e3";
+  # All versions, revisions, and checksums are stored in ./versions.json.
+  # The update process is the following:
+  #   * pick the latest commit
+  #   * update .invidious.rev, .invidious.version, and .invidious.sha256
+  #   * prefetch the videojs dependencies with scripts/fetch-player-dependencies.cr
+  #     and update .videojs.sha256 (they are normally fetched during build
+  #     but nix's sandboxing does not allow that)
+  #   * if shard.lock changed
+  #     * recreate shards.nix by running crystal2nix
+  #     * update lsquic and boringssl if necessarry, lsquic.cr depends on
+  #       the same version of lsquic and lsquic requires the boringssl
+  #       commit mentioned in its README
+  versions = builtins.fromJSON (builtins.readFile ./versions.json);
 in
 crystal.buildCrystalPackage rec {
   pname = "invidious";
-  version = "unstable-2021-11-08";
+  inherit (versions.invidious) version;
 
   src = fetchFromGitHub {
     owner = "iv-org";
     repo = pname;
-    inherit rev;
-    sha256 = "0jvnwjdh2l0hxfvzim00r3zbs528bb93y1nk0bjrbbrcfv5cn5ss";
+    inherit (versions.invidious) rev sha256;
   };
 
   postPatch =
@@ -33,13 +36,15 @@ crystal.buildCrystalPackage rec {
       assetCommitTemplate = ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}'';
     in
     ''
+      for d in ${videojs}/*; do ln -s "$d" assets/videojs; done
+
       # Use the version metadata from the derivation instead of using git at
       # build-time
       substituteInPlace src/invidious.cr \
           --replace ${lib.escapeShellArg branchTemplate} '"master"' \
-          --replace ${lib.escapeShellArg commitTemplate} '"${lib.substring 0 7 rev}"' \
+          --replace ${lib.escapeShellArg commitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"' \
           --replace ${lib.escapeShellArg versionTemplate} '"${lib.replaceChars ["-"] ["."] (lib.substring 9 10 version)}"' \
-          --replace ${lib.escapeShellArg assetCommitTemplate} '"${lib.substring 0 7 rev}"'
+          --replace ${lib.escapeShellArg assetCommitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"'
 
       # Patch the assets and locales paths to be absolute
       substituteInPlace src/invidious.cr \
@@ -48,19 +53,22 @@ crystal.buildCrystalPackage rec {
           --replace 'File.read("locales/' 'File.read("${placeholder "out"}/share/invidious/locales/'
 
       # Reference sql initialisation/migration scripts by absolute path
-      substituteInPlace src/invidious/helpers/helpers.cr \
+      substituteInPlace src/invidious/database/base.cr \
             --replace 'config/sql' '${placeholder "out"}/share/invidious/config/sql'
 
-      substituteInPlace src/invidious/users.cr \
+      substituteInPlace src/invidious/user/captcha.cr \
           --replace 'Process.run(%(rsvg-convert' 'Process.run(%(${lib.getBin librsvg}/bin/rsvg-convert'
     '';
 
-  nativeBuildInputs = [ pkg-config ];
+  nativeBuildInputs = [ pkg-config shards ];
   buildInputs = [ libxml2 openssl sqlite ];
 
   format = "crystal";
   shardsFile = ./shards.nix;
-  crystalBinaries.invidious.src = "src/invidious.cr";
+  crystalBinaries.invidious = {
+    src = "src/invidious.cr";
+    options = [ "--release" "--progress" "--verbose" "--no-debug" "-Dskip_videojs_download" ];
+  };
 
   postConfigure = ''
     # lib includes nix store paths which can’t be patched, so the links have to
@@ -88,12 +96,17 @@ crystal.buildCrystalPackage rec {
     INVIDIOUS_CONFIG="database_url: sqlite3:///dev/null" $out/bin/invidious --help
   '';
 
-  passthru.tests = { inherit (nixosTests) invidious; };
+  passthru = {
+    inherit lsquic;
+    tests = { inherit (nixosTests) invidious; };
+    updateScript = ./update.sh;
+  };
 
   meta = with lib; {
     description = "An open source alternative front-end to YouTube";
     homepage = "https://invidious.io/";
     license = licenses.agpl3;
     maintainers = with maintainers; [ infinisil sbruder ];
+    broken = stdenv.isDarwin && stdenv.isAarch64;
   };
 }
diff --git a/pkgs/servers/invidious/lsquic.nix b/pkgs/servers/invidious/lsquic.nix
index acc9b97ae5d..292d37ce6cd 100644
--- a/pkgs/servers/invidious/lsquic.nix
+++ b/pkgs/servers/invidious/lsquic.nix
@@ -1,24 +1,30 @@
 { lib, boringssl, stdenv, fetchgit, fetchFromGitHub, cmake, zlib, perl, libevent }:
 let
+  versions = builtins.fromJSON (builtins.readFile ./versions.json);
+
   # lsquic requires a specific boringssl version (noted in its README)
-  boringssl' = boringssl.overrideAttrs (old: rec {
-    version = "251b5169fd44345f455438312ec4e18ae07fd58c";
+  boringssl' = boringssl.overrideAttrs (old: {
+    version = versions.boringssl.rev;
     src = fetchgit {
       url = "https://boringssl.googlesource.com/boringssl";
-      rev = version;
-      sha256 = "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A=";
+      inherit (versions.boringssl) rev sha256;
     };
+
+    patches = [
+      # Use /etc/ssl/certs/ca-certificates.crt instead of /etc/ssl/cert.pem
+      ./use-etc-ssl-certs.patch
+    ];
   });
 in
 stdenv.mkDerivation rec {
   pname = "lsquic";
-  version = "2.18.1";
+  version = versions.lsquic.version;
 
   src = fetchFromGitHub {
     owner = "litespeedtech";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=";
+    inherit (versions.lsquic) sha256;
     fetchSubmodules = true;
   };
 
@@ -49,6 +55,8 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
+  passthru.boringssl = boringssl';
+
   meta = with lib; {
     description = "A library for QUIC and HTTP/3 (version for Invidious)";
     homepage = "https://github.com/litespeedtech/lsquic";
diff --git a/pkgs/servers/invidious/shards.nix b/pkgs/servers/invidious/shards.nix
index 778b34496a6..582a4083e7d 100644
--- a/pkgs/servers/invidious/shards.nix
+++ b/pkgs/servers/invidious/shards.nix
@@ -59,10 +59,22 @@
     rev = "v0.4.1";
     sha256 = "1l08cydkdidq9yyil1wl240hvk41iycv04jrg6nx5mkvzw4z1bzg";
   };
+  spectator = {
+    owner = "icy-arctic-fox";
+    repo = "spectator";
+    rev = "v0.10.4";
+    sha256 = "0rcxq2nbslvwrd8m9ajw6dzaw3hagxmkdy9s8p34cgnr4c9dijdq";
+  };
   sqlite3 = {
     owner = "crystal-lang";
     repo = "crystal-sqlite3";
     rev = "v0.18.0";
     sha256 = "03nnvpchhq9f9ywsm3pk2rrj4a3figw7xs96zdziwgr5znkz6x93";
   };
+  ameba = {
+    owner = "crystal-ameba";
+    repo = "ameba";
+    rev = "v0.14.3";
+    sha256 = "1cfr95xi6hsyxw1wlrh571hc775xhwmssk3k14i8b7dgbwfmm5x1";
+  };
 }
diff --git a/pkgs/servers/invidious/update.sh b/pkgs/servers/invidious/update.sh
new file mode 100755
index 00000000000..580d6136388
--- /dev/null
+++ b/pkgs/servers/invidious/update.sh
@@ -0,0 +1,96 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl crystal crystal2nix jq git moreutils nix nix-prefetch pkg-config
+git_url='https://github.com/iv-org/invidious.git'
+git_branch='master'
+git_dir='/var/tmp/invidious.git'
+pkg='invidious'
+
+set -euo pipefail
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+info() {
+    if [ -t 2 ]; then
+        set -- '\033[32m%s\033[39m\n' "$@"
+    else
+        set -- '%s\n' "$@"
+    fi
+    printf "$@" >&2
+}
+
+json_get() {
+    jq -r "$1" < 'versions.json'
+}
+
+json_set() {
+    jq --arg x "$2" "$1 = \$x" < 'versions.json' | sponge 'versions.json'
+}
+
+old_rev=$(json_get '.invidious.rev')
+old_version=$(json_get '.invidious.version')
+today=$(LANG=C date -u +'%Y-%m-%d')
+
+info "fetching $git_url..."
+if [ ! -d "$git_dir" ]; then
+    git init --initial-branch="$git_branch" "$git_dir"
+    git -C "$git_dir" remote add origin "$git_url"
+fi
+git -C "$git_dir" fetch origin "$git_branch"
+
+# use latest commit before today, we should not call the version *today*
+# because there might still be commits coming
+# use the day of the latest commit we picked as version
+new_rev=$(git -C "$git_dir" log -n 1 --format='format:%H' --before="${today}T00:00:00Z" "origin/$git_branch")
+new_version="unstable-$(git -C "$git_dir" log -n 1 --format='format:%cs' "$new_rev")"
+info "latest commit before $today: $new_rev"
+
+if [ "$new_rev" = "$old_rev" ]; then
+    info "$pkg is up-to-date."
+    exit
+fi
+
+json_set '.invidious.version' "$new_version"
+json_set '.invidious.rev' "$new_rev"
+new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "$pkg")
+json_set '.invidious.sha256' "$new_sha256"
+commit_msg="$pkg: $old_version -> $new_version"
+
+# fetch video.js dependencies
+info "Running scripts/fetch-player-dependencies.cr..."
+git -C "$git_dir" reset --hard "$new_rev"
+(cd "$git_dir" && crystal run scripts/fetch-player-dependencies.cr -- --minified)
+rm -f "$git_dir/assets/videojs/.gitignore"
+videojs_new_sha256=$(nix hash-path --type sha256 --base32 "$git_dir/assets/videojs")
+json_set '.videojs.sha256' "$videojs_new_sha256"
+
+if git -C "$git_dir" diff-tree --quiet "${old_rev}..${new_rev}" -- 'shard.lock'; then
+    info "shard.lock did not change since $old_rev."
+else
+    info "Updating shards.nix..."
+    crystal2nix -- "$git_dir/shard.lock"  # argv's index seems broken
+
+    lsquic_old_version=$(json_get '.lsquic.version')
+    # lsquic.cr's version tracks lsquic's, so lsquic must be updated to the
+    # version in the shards file
+    lsquic_new_version=$(nix eval --raw -f 'shards.nix' lsquic.rev \
+        | sed -e 's/^v//' -e 's/-[0-9]*$//')
+    if [ "$lsquic_old_version" != "$lsquic_new_version" ]; then
+        info "Updating lsquic to $lsquic_new_version..."
+        json_set '.lsquic.version' "$lsquic_new_version"
+        lsquic_new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "${pkg}.lsquic")
+        json_set '.lsquic.sha256' "$lsquic_new_sha256"
+
+        info "Updating boringssl..."
+        # lsquic specifies the boringssl commit it requires in its README
+        boringssl_new_rev=$(curl -LSsf "https://github.com/litespeedtech/lsquic/raw/v${lsquic_new_version}/README.md" \
+            | grep -Pom1 '(?<=^git checkout ).*')
+        json_set '.boringssl.rev' "$boringssl_new_rev"
+        boringssl_new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "${pkg}.lsquic.boringssl")
+        json_set '.boringssl.sha256' "$boringssl_new_sha256"
+        commit_msg="$commit_msg
+
+lsquic: $lsquic_old_version -> $lsquic_new_version"
+    fi
+fi
+
+git commit --verbose --message "$commit_msg" -- versions.json shards.nix
diff --git a/pkgs/servers/invidious/use-etc-ssl-certs.patch b/pkgs/servers/invidious/use-etc-ssl-certs.patch
new file mode 100644
index 00000000000..b60b0b1f1a1
--- /dev/null
+++ b/pkgs/servers/invidious/use-etc-ssl-certs.patch
@@ -0,0 +1,13 @@
+diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c
+index d2bc3e5c1..329580075 100644
+--- a/crypto/x509/x509_def.c
++++ b/crypto/x509/x509_def.c
+@@ -67,7 +67,7 @@
+ 
+ #define X509_CERT_AREA          OPENSSLDIR
+ #define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
++#define X509_CERT_FILE          "/etc/ssl/certs/ca-certificates.crt"
+ #define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
+ #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
diff --git a/pkgs/servers/invidious/versions.json b/pkgs/servers/invidious/versions.json
new file mode 100644
index 00000000000..cec068a09bf
--- /dev/null
+++ b/pkgs/servers/invidious/versions.json
@@ -0,0 +1,18 @@
+{
+  "boringssl": {
+    "rev": "251b5169fd44345f455438312ec4e18ae07fd58c",
+    "sha256": "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A="
+  },
+  "invidious": {
+    "rev": "ed265cfdcd131b9df5398d899cc5d7036a5b7846",
+    "sha256": "0hhnq4s0slwbgxra7gxapl7dcz60a7k71cndi4crqcikmazzac3b",
+    "version": "unstable-2022-03-16"
+  },
+  "lsquic": {
+    "sha256": "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=",
+    "version": "2.18.1"
+  },
+  "videojs": {
+    "sha256": "0b4vxd29kpvy60yhqm376r1872gds17s6wljqw0zlr16j762k50r"
+  }
+}
diff --git a/pkgs/servers/invidious/videojs.nix b/pkgs/servers/invidious/videojs.nix
new file mode 100644
index 00000000000..e4470793e51
--- /dev/null
+++ b/pkgs/servers/invidious/videojs.nix
@@ -0,0 +1,18 @@
+{ stdenvNoCC, cacert, crystal, openssl, pkg-config, invidious }:
+
+let
+  versions = builtins.fromJSON (builtins.readFile ./versions.json);
+in
+stdenvNoCC.mkDerivation {
+  name = "videojs";
+
+  inherit (invidious) src;
+
+  builder = ./videojs.sh;
+
+  nativeBuildInputs = [ cacert crystal openssl pkg-config ];
+
+  outputHashAlgo = "sha256";
+  outputHashMode = "recursive";
+  outputHash = versions.videojs.sha256;
+}
diff --git a/pkgs/servers/invidious/videojs.sh b/pkgs/servers/invidious/videojs.sh
new file mode 100644
index 00000000000..31609db14eb
--- /dev/null
+++ b/pkgs/servers/invidious/videojs.sh
@@ -0,0 +1,9 @@
+source $stdenv/setup
+
+unpackPhase
+cd source
+# this helper downloads the videojs files and checks their checksums
+# against videojs-dependencies.yml so it should be pure
+crystal run scripts/fetch-player-dependencies.cr -- --minified
+rm -f assets/videojs/.gitignore
+mv assets/videojs "$out"
diff --git a/pkgs/servers/jackett/default.nix b/pkgs/servers/jackett/default.nix
index 865c4490a04..69e891fe595 100644
--- a/pkgs/servers/jackett/default.nix
+++ b/pkgs/servers/jackett/default.nix
@@ -9,13 +9,13 @@
 
 buildDotnetModule rec {
   pname = "jackett";
-  version = "0.20.671";
+  version = "0.20.709";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    sha256 = "AoOaBryZHkqp5SabfKeW5E1YoJCwGhg2luK8SQvabow=";
+    sha256 = "Gx1VHjs37XBcvw20pQNrA/meLuVmogdGIzroRXvTv5Q=";
   };
 
   projectFile = "src/Jackett.Server/Jackett.Server.csproj";
diff --git a/pkgs/servers/jackett/deps.nix b/pkgs/servers/jackett/deps.nix
index 3b0fb8cb78b..022c604d0a9 100644
--- a/pkgs/servers/jackett/deps.nix
+++ b/pkgs/servers/jackett/deps.nix
@@ -152,6 +152,9 @@
   (fetchNuGet { pname = "Microsoft.Extensions.Primitives"; version = "5.0.0"; sha256 = "0swqcknyh87ns82w539z1mvy804pfwhgzs97cr3nwqk6g5s42gd6"; })
   (fetchNuGet { pname = "Microsoft.Extensions.Primitives"; version = "6.0.0"; sha256 = "1kjiw6s4yfz9gm7mx3wkhp06ghnbs95icj9hi505shz9rjrg42q2"; })
   (fetchNuGet { pname = "Microsoft.Extensions.WebEncoders"; version = "2.2.0"; sha256 = "1mhnichccw6mjf37d38q2i1kr7qp485m7apa1b872ji0q16yy1y3"; })
+  (fetchNuGet { pname = "Microsoft.Net.Http.Headers"; version = "2.1.0"; sha256 = "1a02bll0flsin9grd3jxbi76ycl42qamynalbp7qbqcsprabw3ai"; })
+  (fetchNuGet { pname = "Microsoft.Net.Http.Headers"; version = "2.2.0"; sha256 = "0w6lrk9z67bcirq2cj2ldfhnizc6id77ba6i30hjzgqjlyhh1gx5"; })
+  (fetchNuGet { pname = "Microsoft.NET.Test.Sdk"; version = "17.0.0"; sha256 = "0bknyf5kig5icwjxls7pcn51x2b2qf91dz9qv67fl70v6cczaz2r"; })
   (fetchNuGet { pname = "Microsoft.NETCore.Platforms"; version = "1.0.1"; sha256 = "01al6cfxp68dscl15z7rxfw9zvhm64dncsw09a1vmdkacsa2v6lr"; })
   (fetchNuGet { pname = "Microsoft.NETCore.Platforms"; version = "1.1.0"; sha256 = "08vh1r12g6ykjygq5d3vq09zylgb84l63k49jc4v8faw9g93iqqm"; })
   (fetchNuGet { pname = "Microsoft.NETCore.Platforms"; version = "5.0.0"; sha256 = "0mwpwdflidzgzfx2dlpkvvnkgkr2ayaf0s80737h4wa35gaj11rc"; })
@@ -159,9 +162,6 @@
   (fetchNuGet { pname = "Microsoft.NETCore.Targets"; version = "1.1.0"; sha256 = "193xwf33fbm0ni3idxzbr5fdq3i2dlfgihsac9jj7whj0gd902nh"; })
   (fetchNuGet { pname = "Microsoft.NETFramework.ReferenceAssemblies"; version = "1.0.0"; sha256 = "0na724xhvqm63vq9y18fl9jw9q2v99bdwr353378s5fsi11qzxp9"; })
   (fetchNuGet { pname = "Microsoft.NETFramework.ReferenceAssemblies.net461"; version = "1.0.0"; sha256 = "00vkn4c6i0rn1l9pv912y0wgb9h6ks76qah8hvk441nari8fqbm1"; })
-  (fetchNuGet { pname = "Microsoft.Net.Http.Headers"; version = "2.1.0"; sha256 = "1a02bll0flsin9grd3jxbi76ycl42qamynalbp7qbqcsprabw3ai"; })
-  (fetchNuGet { pname = "Microsoft.Net.Http.Headers"; version = "2.2.0"; sha256 = "0w6lrk9z67bcirq2cj2ldfhnizc6id77ba6i30hjzgqjlyhh1gx5"; })
-  (fetchNuGet { pname = "Microsoft.NET.Test.Sdk"; version = "17.0.0"; sha256 = "0bknyf5kig5icwjxls7pcn51x2b2qf91dz9qv67fl70v6cczaz2r"; })
   (fetchNuGet { pname = "Microsoft.TestPlatform.ObjectModel"; version = "17.0.0"; sha256 = "1bh5scbvl6ndldqv20sl34h4y257irm9ziv2wyfc3hka6912fhn7"; })
   (fetchNuGet { pname = "Microsoft.TestPlatform.TestHost"; version = "17.0.0"; sha256 = "06mn31cgpp7d8lwdyjanh89prc66j37dchn74vrd9s588rq0y70r"; })
   (fetchNuGet { pname = "Microsoft.Win32.Primitives"; version = "4.3.0"; sha256 = "0j0c1wj4ndj21zsgivsc24whiya605603kxrbiw6wkfdync464wq"; })
@@ -185,8 +185,8 @@
   (fetchNuGet { pname = "NLog.Web.AspNetCore"; version = "4.14.0"; sha256 = "1q2v44inp4xjynncxpv432k2qjkfara1bpipmv3p3in0yv14l3wg"; })
   (fetchNuGet { pname = "NuGet.Frameworks"; version = "5.0.0"; sha256 = "18ijvmj13cwjdrrm52c8fpq021531zaz4mj4b4zapxaqzzxf2qjr"; })
   (fetchNuGet { pname = "NUnit"; version = "3.13.2"; sha256 = "00bkjgarkwbj497da9d7lajala1ns67h1kx53w4bapwkf32jlcvn"; })
-  (fetchNuGet { pname = "NUnit3TestAdapter"; version = "4.1.0"; sha256 = "1z5g15npmsjszhfmkrdmp4ds7jpxzhxblss2rjl5mfn5sihy4cww"; })
   (fetchNuGet { pname = "NUnit.ConsoleRunner"; version = "3.12.0"; sha256 = "00ihk6i3wzqndrn6yyh1csh4b3h226x5kwdp3716p75p4nljs1ik"; })
+  (fetchNuGet { pname = "NUnit3TestAdapter"; version = "4.1.0"; sha256 = "1z5g15npmsjszhfmkrdmp4ds7jpxzhxblss2rjl5mfn5sihy4cww"; })
   (fetchNuGet { pname = "Polly"; version = "7.2.2"; sha256 = "0s15n5zwj44i6sw3v40ca8l6j0ijydxcakvad49j52rp49iwrmkn"; })
   (fetchNuGet { pname = "runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl"; version = "4.3.0"; sha256 = "16rnxzpk5dpbbl1x354yrlsbvwylrq456xzpsha1n9y3glnhyx9d"; })
   (fetchNuGet { pname = "runtime.fedora.23-x64.runtime.native.System.Security.Cryptography.OpenSsl"; version = "4.3.0"; sha256 = "0hkg03sgm2wyq8nqk6dbm9jh5vcq57ry42lkqdmfklrw89lsmr59"; })
diff --git a/pkgs/servers/libreddit/default.nix b/pkgs/servers/libreddit/default.nix
index 121eeb991f9..7724c4cf381 100644
--- a/pkgs/servers/libreddit/default.nix
+++ b/pkgs/servers/libreddit/default.nix
@@ -8,16 +8,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "libreddit";
-  version = "0.21.7";
+  version = "0.22.1";
 
   src = fetchFromGitHub {
     owner = "spikecodes";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-pALPhSoamsU5xEbSoXFe+Cikl16gxTXccUATMkYB97M=";
+    sha256 = "sha256-k6GAxEGmDzC6nUCMYXahw/MTQanpZw8UMBVPCA4zSTs=";
   };
 
-  cargoSha256 = "sha256-/P8wyFPCcCoGINtJ0qom3xLlkunH6xZPd7/7ynXmTy4=";
+  cargoSha256 = "sha256-K31z5j/pBN84Egrfwe4/V3hpbIrlzn6ppFFNWFXFVcc=";
 
   buildInputs = lib.optional stdenv.isDarwin Security;
 
diff --git a/pkgs/servers/mastodon/default.nix b/pkgs/servers/mastodon/default.nix
index a173c594c6b..9173f72eecc 100644
--- a/pkgs/servers/mastodon/default.nix
+++ b/pkgs/servers/mastodon/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, nodejs-slim, mkYarnPackage, fetchFromGitHub, fetchpatch, bundlerEnv
+{ lib, stdenv, nodejs-slim, mkYarnPackage, fetchFromGitHub, fetchpatch, bundlerEnv, nixosTests
 , yarn, callPackage, imagemagick, ffmpeg, file, ruby_3_0, writeShellScript
 
   # Allow building a fork or custom version of Mastodon:
@@ -119,6 +119,8 @@ stdenv.mkDerivation rec {
     ln -s ${run-streaming} $out/run-streaming.sh
   '';
 
+  passthru.tests.mastodon = nixosTests.mastodon;
+
   meta = with lib; {
     description = "Self-hosted, globally interconnected microblogging software based on ActivityPub";
     homepage = "https://joinmastodon.org";
diff --git a/pkgs/servers/mautrix-telegram/0002-Don-t-depend-on-pytest-runner.patch b/pkgs/servers/mautrix-telegram/0002-Don-t-depend-on-pytest-runner.patch
deleted file mode 100644
index f1ec3e622cf..00000000000
--- a/pkgs/servers/mautrix-telegram/0002-Don-t-depend-on-pytest-runner.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From eb39954acf73096d65ba1e9575cbeb3d4307d5df Mon Sep 17 00:00:00 2001
-From: Maximilian Bosch <maximilian@mbosch.me>
-Date: Sun, 29 Nov 2020 20:55:17 +0100
-Subject: [PATCH 2/2] Don't depend on pytest-runner
-
----
- setup.py | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/setup.py b/setup.py
-index 95dbf89..89ea2a7 100644
---- a/setup.py
-+++ b/setup.py
-@@ -57,7 +57,6 @@ setuptools.setup(
-         ]
-     },
- 
--    setup_requires=["pytest-runner"],
-     tests_require=["pytest", "pytest-asyncio", "pytest-mock"],
- 
-     classifiers=[
--- 
-2.28.0
-
diff --git a/pkgs/servers/mautrix-telegram/default.nix b/pkgs/servers/mautrix-telegram/default.nix
index 267f89182fb..e96427f30f3 100644
--- a/pkgs/servers/mautrix-telegram/default.nix
+++ b/pkgs/servers/mautrix-telegram/default.nix
@@ -6,11 +6,11 @@ let
   python = python3.override {
     packageOverrides = self: super: {
       tulir-telethon = self.telethon.overridePythonAttrs (oldAttrs: rec {
-        version = "1.25.0a3";
+        version = "1.25.0a5";
         pname = "tulir-telethon";
         src = oldAttrs.src.override {
           inherit pname version;
-          sha256 = "sha256-/kau9Q2+7giVx52tmjvYIbcDcY1/om31X9BlRvZipuk=";
+          sha256 = "sha256-WFiWczuw6eVVid2Z1LsnGE6BCEhqeCuiQ/p0d2Ahbi8=";
         };
       });
     };
@@ -25,22 +25,17 @@ let
 
 in python.pkgs.buildPythonPackage rec {
   pname = "mautrix-telegram";
-  version = "0.11.1";
+  version = "0.11.2";
   disabled = python.pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "mautrix";
     repo = "telegram";
     rev = "v${version}";
-    sha256 = "sha256-Df+v1Q+5Iaa9GKcwIabMKjJwmVd5Qub8M54jEEiAPFc=";
+    sha256 = "sha256-ZECTHAP5l9tAk9Ies8XuPpH9jqYDJSRSHVKz1lA6Sjg=";
   };
 
   patches = [ ./0001-Re-add-entrypoint.patch ];
-  postPatch = ''
-    substituteInPlace requirements.txt \
-      --replace "telethon>=1.22,<1.23" "telethon"
-  '';
-
 
   propagatedBuildInputs = with python.pkgs; ([
     Mako
diff --git a/pkgs/servers/mautrix-whatsapp/default.nix b/pkgs/servers/mautrix-whatsapp/default.nix
index 92f6d1f15ac..e26743b9edf 100644
--- a/pkgs/servers/mautrix-whatsapp/default.nix
+++ b/pkgs/servers/mautrix-whatsapp/default.nix
@@ -2,18 +2,18 @@
 
 buildGoModule rec {
   pname = "mautrix-whatsapp";
-  version = "0.2.4";
+  version = "0.3.0";
 
   src = fetchFromGitHub {
     owner = "mautrix";
     repo = "whatsapp";
     rev = "v${version}";
-    sha256 = "lBAnMrU292URrZIxPvPIAO50GAFvvZHfUjKMYxZwGb8=";
+    sha256 = "M44APMnpQU+9TTJu4NF528o0JvGvWja4H7XUcAHtxrA=";
   };
 
   buildInputs = [ olm ];
 
-  vendorSha256 = "KiNABUZ92gYprTdNAKKMjygr0BzQGVYVPRPMxvYi1VQ=";
+  vendorSha256 = "o3KTcnMd6Tqt9QIfW29wvN8POIFThNg8AdeGDF5wbVc=";
 
   doCheck = false;
 
diff --git a/pkgs/servers/misc/virtiofsd/default.nix b/pkgs/servers/misc/virtiofsd/default.nix
index 6d5ebbb76c0..d8ae7ca61d9 100644
--- a/pkgs/servers/misc/virtiofsd/default.nix
+++ b/pkgs/servers/misc/virtiofsd/default.nix
@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "virtiofsd";
-  version = "1.0.0";
+  version = "1.1.0";
 
   src = fetchFromGitLab {
     owner = "virtio-fs";
     repo = "virtiofsd";
     rev = "v${version}";
-    sha256 = "010xf482qip91mv91wy9zjdsq0gfg1fd6iclrcry0nfnwlbigbwd";
+    sha256 = "sha256-WB0zu2M/5enBOoOUUSXnNAkbsA+JzDgtoLncE1YcDLs=";
   };
 
-  cargoSha256 = "0bfvqbmvkf17slra5k0nnva6j6w07769k226qnbzb3947zf4x2ga";
+  cargoSha256 = "sha256-uRPmZE/xc0yeurBZ4rnrZua5d4lbPwStMUacFgbquuk=";
 
   buildInputs = [ libcap_ng libseccomp ];
 
diff --git a/pkgs/servers/monitoring/grafana/default.nix b/pkgs/servers/monitoring/grafana/default.nix
index bc669bbf502..2b3ae9f64de 100644
--- a/pkgs/servers/monitoring/grafana/default.nix
+++ b/pkgs/servers/monitoring/grafana/default.nix
@@ -2,7 +2,7 @@
 
 buildGoModule rec {
   pname = "grafana";
-  version = "8.4.3";
+  version = "8.4.4";
 
   excludedPackages = "\\(alert_webhook_listener\\|clean-swagger\\|release_publisher\\|slow_proxy\\|slow_proxy_mac\\|macaron\\)";
 
@@ -10,12 +10,12 @@ buildGoModule rec {
     rev = "v${version}";
     owner = "grafana";
     repo = "grafana";
-    sha256 = "sha256-+d4pcuNLbM2PY1rFpnIjoakpr63kMqI/SjpTRZecRXw=";
+    sha256 = "sha256-WLmmf2GlP7axuYj0TLJlDwe1k/9xNQbLvAggG+AshKg=";
   };
 
   srcStatic = fetchurl {
     url = "https://dl.grafana.com/oss/release/grafana-${version}.linux-amd64.tar.gz";
-    sha256 = "sha256-l3GPSUci812KbHKMXHtS4OlvYyuKlBOeQCLtLvvkhzI=";
+    sha256 = "sha256-eH6L7X1WvvL+9+R9FrpvVMxVJYcrHicaLkH2LUJs3AQ=";
   };
 
   vendorSha256 = "sha256-RugV5cHlpR739CA1C/7FkXasvkv18m7pPsK6mxfSkC0=";
diff --git a/pkgs/servers/monitoring/prometheus/apcupsd-exporter.nix b/pkgs/servers/monitoring/prometheus/apcupsd-exporter.nix
index 64105c9c58f..c2f90322850 100644
--- a/pkgs/servers/monitoring/prometheus/apcupsd-exporter.nix
+++ b/pkgs/servers/monitoring/prometheus/apcupsd-exporter.nix
@@ -2,18 +2,16 @@
 
 buildGoModule rec {
   pname = "apcupsd-exporter";
-  version = "0.2.0";
+  version = "0.3.0";
 
   src = fetchFromGitHub {
     owner = "mdlayher";
     repo = "apcupsd_exporter";
     rev = "v${version}";
-    sha256 = "0gjj23qdjs7rqimq95rbfw43m4l6g73j840svxjlmpd1vzzz2v2q";
+    sha256 = "sha256-c0LsUqpJbmWQmbmSGdEy7Bbk20my6iWNLeqtU5BjYlw=";
   };
 
-  vendorSha256 = "09x8y8pmgfn897hvnk122ry460y12b8a7y5fafri5wn9vxab9r82";
-
-  doCheck = false;
+  vendorSha256 = "sha256-bvLwHLviIAGmxYY1O0wFDWAMginEUklicrbjIbbPuUw=";
 
   passthru.tests = { inherit (nixosTests.prometheus-exporters) apcupsd; };
 
diff --git a/pkgs/servers/monitoring/prometheus/wireguard-exporter.nix b/pkgs/servers/monitoring/prometheus/wireguard-exporter.nix
index 1dbb3179627..61cf36f882d 100644
--- a/pkgs/servers/monitoring/prometheus/wireguard-exporter.nix
+++ b/pkgs/servers/monitoring/prometheus/wireguard-exporter.nix
@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "wireguard-exporter";
-  version = "3.5.0";
+  version = "3.6.2";
 
   src = fetchFromGitHub {
     owner = "MindFlavor";
     repo = "prometheus_wireguard_exporter";
     rev = version;
-    sha256 = "sha256-LHhqQ0p2qt6ZAdkpY1SEAcGXH47TPhHvlDv+eL8GC58=";
+    sha256 = "sha256-eVGyBynKZLGlsaLwUOx7cJWdRHl65S0Wk1K5c9T8ysQ=";
   };
 
-  cargoSha256 = "sha256-lNFsO7FSmH1+DLM7ID0vn6234qTdtUoaLSnqKcbHoXE=";
+  cargoSha256 = "sha256-JbFoaMTs6TPYq2qgBkT7WX1itMXohgcWbC1UvaXOi8o=";
 
   buildInputs = lib.optionals stdenv.isDarwin [ libiconv Security ];
 
diff --git a/pkgs/servers/mpd/default.nix b/pkgs/servers/mpd/default.nix
index 8eb78270377..c83d6e3e1fb 100644
--- a/pkgs/servers/mpd/default.nix
+++ b/pkgs/servers/mpd/default.nix
@@ -116,13 +116,13 @@ let
 
     in stdenv.mkDerivation rec {
       pname = "mpd";
-      version = "0.23.5";
+      version = "0.23.6";
 
       src = fetchFromGitHub {
         owner  = "MusicPlayerDaemon";
         repo   = "MPD";
         rev    = "v${version}";
-        sha256 = "sha256-zsxh/rUJtcuke0zYBrh225Qd6RKo1SiFDbMmROdkyjI=";
+        sha256 = "sha256-pVIbaCg3qDw7bjhLQHz6Rr3m498LeKNQVhRk4m5tpVQ=";
       };
 
       buildInputs = [
diff --git a/pkgs/servers/nats-server/default.nix b/pkgs/servers/nats-server/default.nix
index 695480a05c9..7b6b1238d4d 100644
--- a/pkgs/servers/nats-server/default.nix
+++ b/pkgs/servers/nats-server/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname   = "nats-server";
-  version = "2.7.2";
+  version = "2.7.4";
 
   src = fetchFromGitHub {
     rev    = "v${version}";
     owner  = "nats-io";
     repo   = pname;
-    sha256 = "0w4hjz1x6zwcxhnd1y3874agyn8nsdra4fky6kc2rrfikjcw003y";
+    sha256 = "sha256-lMwFh+njzQr1hOJFbO3LnPdBK7U4XmX4F/6MlIRILlU=";
   };
 
-  vendorSha256 = "1gvvjwx1g8mhcqi3ssb3k5ylkz0afpmnf6h2zfny9rc4dk2cp2dy";
+  vendorSha256 = "sha256-EEOvDOqMbqfB0S3Nf7RQMKGSZX802eqa3eGaNjUHxQ4=";
 
   doCheck = false;
 
diff --git a/pkgs/servers/nats-streaming-server/default.nix b/pkgs/servers/nats-streaming-server/default.nix
index 4d6fdbda636..247f9d84007 100644
--- a/pkgs/servers/nats-streaming-server/default.nix
+++ b/pkgs/servers/nats-streaming-server/default.nix
@@ -1,19 +1,23 @@
-{  buildGoPackage, fetchFromGitHub, lib  }:
+{ buildGoModule, fetchFromGitHub, lib  }:
 
 with lib;
 
-buildGoPackage rec {
+buildGoModule rec {
   pname   = "nats-streaming-server";
-  version = "0.23.0";
-  goPackagePath = "github.com/nats-io/${pname}";
+  version = "0.24.3";
 
   src = fetchFromGitHub {
     rev    = "v${version}";
     owner  = "nats-io";
     repo   = pname;
-    sha256 = "sha256-Uol1A4+0V4dUQ7Qw0qRUWHzFBugVDYSulDGTJZ4a+ts=";
+    sha256 = "sha256-vpDOiFuxLpqor+9SztdZrJvwC8QGwt5+df4R2OTcxlA=";
   };
 
+  vendorSha256 = "sha256:1m783cq20xlv5aglf252g5127r5ilfq4fqj00vim38v271511hmy";
+
+  # tests fail and ask to `go install`
+  doCheck = false;
+
   meta = {
     description = "NATS Streaming System Server";
     license = licenses.asl20;
diff --git a/pkgs/servers/nextcloud/default.nix b/pkgs/servers/nextcloud/default.nix
index 735bfdeafb1..d9a4465a10a 100644
--- a/pkgs/servers/nextcloud/default.nix
+++ b/pkgs/servers/nextcloud/default.nix
@@ -33,23 +33,18 @@ let
     };
   };
 in {
-  nextcloud20 = throw ''
-    Nextcloud v20 has been removed from `nixpkgs` as the support for it was dropped
-    by upstream in 2021-10. Please upgrade to at least Nextcloud v21 by declaring
+  nextcloud21 = throw ''
+    Nextcloud v21 has been removed from `nixpkgs` as the support for it was dropped
+    by upstream in 2022-02. Please upgrade to at least Nextcloud v22 by declaring
 
-        services.nextcloud.package = pkgs.nextcloud21;
+        services.nextcloud.package = pkgs.nextcloud22;
 
     in your NixOS config.
 
-    WARNING: if you were on Nextcloud 19 on NixOS 21.05 you have to upgrade to Nextcloud 20
-    first on 21.05 because Nextcloud doesn't support upgrades accross multiple major versions!
+    WARNING: if you were on Nextcloud 20 on NixOS 21.11 you have to upgrade to Nextcloud 21
+    first on 21.11 because Nextcloud doesn't support upgrades accross multiple major versions!
   '';
 
-  nextcloud21 = generic {
-    version = "21.0.9";
-    sha256 = "sha256-p6bvgTXmmjGN3TRQpG88f3YPksh0QzWG9j9KnEjcrqE=";
-  };
-
   nextcloud22 = generic {
     version = "22.2.5";
     sha256 = "sha256-gb5N0u5tu4/nI2xIpjXwm2hiSDCrBhIDyN6gKGOsdS8=";
diff --git a/pkgs/servers/owncast/default.nix b/pkgs/servers/owncast/default.nix
index 68591f45823..774f51bc0f6 100644
--- a/pkgs/servers/owncast/default.nix
+++ b/pkgs/servers/owncast/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "owncast";
-  version = "0.0.10";
+  version = "0.0.11";
 
   src = fetchFromGitHub {
     owner = "owncast";
     repo = "owncast";
     rev = "v${version}";
-    sha256 = "sha256-OcolQ4KnZbSgS1dpphbCML40jlheKAxbac7rjRul6Oc=";
+    sha256 = "sha256-SVe7CH+qx3hFZ/cay6Hh5+vx0ncHACiNSM6k7fCDH18=";
   };
 
-  vendorSha256 = "sha256-NARHYeOVT7sxfL1BdJc/CPCgHNZzjWE7kACJvrEC71Y=";
+  vendorSha256 = "sha256-19FTfUCG1omk5y1HC2yb7/0CM2x6k5BGSM+sZwlKrxY=";
 
   propagatedBuildInputs = [ ffmpeg ];
 
diff --git a/pkgs/servers/peertube/default.nix b/pkgs/servers/peertube/default.nix
index 9961e9d581a..558c21c6cd1 100644
--- a/pkgs/servers/peertube/default.nix
+++ b/pkgs/servers/peertube/default.nix
@@ -6,13 +6,13 @@ let
     if stdenv.hostPlatform.system == "x86_64-linux" then "linux-x64"
     else throw "Unsupported architecture: ${stdenv.hostPlatform.system}";
 
-  version = "4.1.0";
+  version = "4.1.1";
 
   source = fetchFromGitHub {
     owner = "Chocobozzz";
     repo = "PeerTube";
     rev = "v${version}";
-    sha256 = "sha256-gW/dzWns6wK3zzNjbW19HrV2jqzjdXR5uMMNXL4Xfdw=";
+    sha256 = "sha256-yBRontvkcVU3BNUIB6WfH2a5blU9u3CNyHrou16h42s=";
   };
 
   yarnOfflineCacheServer = fetchYarnDeps {
@@ -27,7 +27,7 @@ let
 
   yarnOfflineCacheClient = fetchYarnDeps {
     yarnLock = "${source}/client/yarn.lock";
-    sha256 = "sha256-wniMvtz7i3I4pn9xyzfNi1k7gQuzDl1GmEO8LqPBMKg=";
+    sha256 = "sha256-cBa0lNq9JsYi34EJzl0pPbDXSYL9a8g6MmiL6Ge65ms=";
   };
 
   bcrypt_version = "5.0.1";
@@ -75,10 +75,15 @@ in stdenv.mkDerivation rec {
     cd ~
 
     # Build PeerTube server
-    npm run build:server
+    npm run tsc -- --build ./tsconfig.json
+    npm run resolve-tspaths:server
+    cp -r "./server/static" "./server/assets" "./dist/server"
+    cp -r "./server/lib/emails" "./dist/server/lib"
 
     # Build PeerTube tools
+    cp -r "./server/tools/node_modules" "./dist/server/tools"
     npm run tsc -- --build ./server/tools/tsconfig.json
+    npm run resolve-tspaths:cli
 
     # Build PeerTube client
     npm run build:client
diff --git a/pkgs/servers/piping-server-rust/default.nix b/pkgs/servers/piping-server-rust/default.nix
index 7cf9442f13b..8885179de4d 100644
--- a/pkgs/servers/piping-server-rust/default.nix
+++ b/pkgs/servers/piping-server-rust/default.nix
@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "piping-server-rust";
-  version = "0.12.0";
+  version = "0.12.1";
 
   src = fetchFromGitHub {
     owner = "nwtgck";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-eDO2y/4660IAcD9vf1Vt6t3nv3Rc+zCRRFBbW/FeKIw=";
+    sha256 = "sha256-L15ofIM5a/qoJHGXmkuTsmQLLmERG/PxAJ4+z1nn7w4=";
   };
 
-  cargoSha256 = "sha256-U68R543l28osPe0DjuERqB/G6ur/BZDpWMZIO9RObaM=";
+  cargoSha256 = "sha256-CcIM7T7P4LbPxPK1ZqoJRP0IsLMEwMZg9DcuRu0aJHM=";
 
   buildInputs = lib.optionals stdenv.isDarwin [ CoreServices Security ];
 
diff --git a/pkgs/servers/pleroma/default.nix b/pkgs/servers/pleroma/default.nix
index ec7de2ac57c..dd4025a76c0 100644
--- a/pkgs/servers/pleroma/default.nix
+++ b/pkgs/servers/pleroma/default.nix
@@ -1,7 +1,8 @@
 { lib, beamPackages
 , fetchFromGitHub, fetchFromGitLab
-, file, cmake
+, file, cmake, bash
 , nixosTests, writeText
+, cookieFile ? null
 , ...
 }:
 
@@ -17,6 +18,34 @@ beamPackages.mixRelease rec {
     sha256 = "sha256-RcqqNNNCR4cxETUCyjChkpq+cQ1QzNOHHzdqBLtOc6g=";
   };
 
+  preFixup = if (cookieFile != null) then ''
+    # There's no way to use a subprocess to cat the content of the
+    # file cookie using wrapProgram: it gets escaped (by design) with
+    # a pair of backticks :(
+    # We have to come up with our own custom wrapper to do this.
+    function wrapWithCookie () {
+        local hidden
+        hidden="$(dirname "$1")/.$(basename "$1")"-wrapped
+        while [ -e "$hidden" ]; do
+            hidden="''${hidden}_"
+        done
+        mv "$1" "''${hidden}"
+
+        cat > "$1" << EOF
+    #!${bash}/bin/bash
+    export RELEASE_COOKIE="\$(cat "${cookieFile}")"
+    exec -a "\$0" "''${hidden}" "\$@"
+    EOF
+        chmod +x "$1"
+    }
+
+    for f in "$out"/bin/*; do
+        if [[ -x "$f" ]]; then
+            wrapWithCookie "$f"
+        fi
+    done
+  '' else "";
+
   mixNixDeps = import ./mix.nix {
     inherit beamPackages lib;
     overrides = (final: prev: {
diff --git a/pkgs/servers/sabnzbd/default.nix b/pkgs/servers/sabnzbd/default.nix
index 764c61356f3..5f12ae0ee95 100644
--- a/pkgs/servers/sabnzbd/default.nix
+++ b/pkgs/servers/sabnzbd/default.nix
@@ -24,14 +24,14 @@ let
   ]);
   path = lib.makeBinPath [ par2cmdline unrar unzip p7zip ];
 in stdenv.mkDerivation rec {
-  version = "3.5.2";
+  version = "3.5.3";
   pname = "sabnzbd";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = version;
-    sha256 = "sha256-dGmZxnrxuUj6HwFI5QkSy9FnGYQpsNPFbUKXoJWpDfM=";
+    sha256 = "sha256-pdYTTahdn9YVFreU5KhMGlUzQxHviN5G4TxWKKRBxOc=";
   };
 
   nativeBuildInputs = [ makeWrapper ];
diff --git a/pkgs/servers/sql/materialize/default.nix b/pkgs/servers/sql/materialize/default.nix
index ce91c322af1..9dcfb8fe3e5 100644
--- a/pkgs/servers/sql/materialize/default.nix
+++ b/pkgs/servers/sql/materialize/default.nix
@@ -40,17 +40,17 @@ let
 in
 rustPlatform.buildRustPackage rec {
   pname = "materialize";
-  version = "0.15.0";
-  MZ_DEV_BUILD_SHA = "f79f63205649d6011822893c5b55396b2bef7b0b";
+  version = "0.17.0";
+  MZ_DEV_BUILD_SHA = "9f8cf75b461d288335cb6a7a73aaa670bab4a466";
 
   src = fetchFromGitHub {
     owner = "MaterializeInc";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-/A6+0fehBa8XEB8P8QUV5Lsl9Lwfz4FhQLgotvBG1Gw=";
+    hash = "sha256-wKYU5S77VoOX7UA9/d21Puz9NYs/om08eNM69/m3Orc=";
   };
 
-  cargoHash = "sha256-NJvAIy9b39HWJaG860Mlf3WasanUnz+Nq39k4WpddB0=";
+  cargoHash = "sha256-GTkn/fUprkpsDeQxtzdmS7Fub9QODO5/4nh9ERswOY0=";
 
   nativeBuildInputs = [ cmake perl pkg-config ]
     # Provides the mig command used by the krb5-src build script
@@ -71,9 +71,6 @@ rustPlatform.buildRustPackage rec {
     "--skip test_client_subject_and_references"
     "--skip test_no_block"
     "--skip test_safe_mode"
-    # this test is broken on 0.15.0
-    # TODO: re-add it in a subsequent release
-    "--skip test_threads"
     "--skip test_tls"
   ];
 
diff --git a/pkgs/servers/sql/postgresql/ext/pgroonga.nix b/pkgs/servers/sql/postgresql/ext/pgroonga.nix
index c0d05fc1769..d4085b00ec5 100644
--- a/pkgs/servers/sql/postgresql/ext/pgroonga.nix
+++ b/pkgs/servers/sql/postgresql/ext/pgroonga.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "pgroonga";
-  version = "2.3.4";
+  version = "2.3.5";
 
   src = fetchurl {
     url = "https://packages.groonga.org/source/${pname}/${pname}-${version}.tar.gz";
-    sha256 = "sha256-XE669KfHEyY5TghMUC0GcIqdPTsdAs04pA/t84k+i2E=";
+    sha256 = "sha256-Auw9dBS2JVvnsJM00PCfLeDl1M+HOYJRCbD0Bro6dlg=";
   };
 
   nativeBuildInputs = [ pkg-config ];
diff --git a/pkgs/servers/tailscale/default.nix b/pkgs/servers/tailscale/default.nix
index 8decb2f4d29..7c7bb84e15b 100644
--- a/pkgs/servers/tailscale/default.nix
+++ b/pkgs/servers/tailscale/default.nix
@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "tailscale";
-  version = "1.22.1";
+  version = "1.22.2";
 
   src = fetchFromGitHub {
     owner = "tailscale";
     repo = "tailscale";
     rev = "v${version}";
-    sha256 = "sha256-VUML5GwHrRYPd9lnOZuMA3T1SfdC0rVLP5m1yf+SA0A=";
+    sha256 = "sha256-W4BcUDMxUZKFXueSI/Xlml17Jabi/hnnOyXgitao76A=";
   };
 
   nativeBuildInputs = lib.optionals stdenv.isLinux [ makeWrapper ];
diff --git a/pkgs/servers/unifi/default.nix b/pkgs/servers/unifi/default.nix
index 4902123181d..ea4ef814195 100644
--- a/pkgs/servers/unifi/default.nix
+++ b/pkgs/servers/unifi/default.nix
@@ -65,7 +65,7 @@ in rec {
   };
 
   unifi7 = generic {
-    version = "7.0.20-894288bd9b";
-    sha256 = "sha256-lDSU4D159svqkv+e61v/RWIyw0KOrF8X0nNpo9eQe50=";
+    version = "7.0.23";
+    sha256 = "1y2z02blgbqa6xvwjrvzx6mfwbbbmmv50rq409rsg1hkkzispxmw";
   };
 }
diff --git a/pkgs/servers/web-apps/wordpress/default.nix b/pkgs/servers/web-apps/wordpress/default.nix
index 343a1c345c6..1e6b40865ee 100644
--- a/pkgs/servers/web-apps/wordpress/default.nix
+++ b/pkgs/servers/web-apps/wordpress/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "wordpress";
-  version = "5.9";
+  version = "5.9.2";
 
   src = fetchurl {
     url = "https://wordpress.org/${pname}-${version}.tar.gz";
-    sha256 = "sha256-RVg45GvS0wqEka6b0lv3Acgu1p28fImAbioTCGjG/7c=";
+    sha256 = "sha256-d2Xy3SpWzpIHmXh8x5BKWF9jNlvKK6D3uwbqIGDGn4s=";
   };
 
   installPhase = ''
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-21 01:18:21 +0000