NixOS
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -190,6 +190,13 @@
      </listitem>
     </itemizedlist>
    </listitem>
+   <listitem>
+    <para>
+     <xref linkend="opt-services.blueman.enable"/> has been added.
+     If you previously had blueman installed via <option>environment.systemPackages</option> please
+     migrate to using the NixOS module, as this would result in an insufficiently configured blueman.
+    </para>
+   </listitem>
   </itemizedlist>
 
  </section>
@@ -563,6 +570,27 @@
        earlier version of NixOS.
      </para>
    </listitem>
+   <listitem>
+     <para>
+       Due to the short lifetime of non-LTS kernel releases package attributes like <literal>linux_5_1</literal>,
+       <literal>linux_5_2</literal> and <literal>linux_5_3</literal> have been removed to discourage dependence
+       on specific non-LTS kernel versions in stable NixOS releases.
+
+       Going forward, versioned attributes like <literal>linux_4_9</literal> will exist for LTS versions only.
+       Please use <literal>linux_latest</literal> or <literal>linux_testing</literal> if you depend on non-LTS
+       releases. Keep in mind that <literal>linux_latest</literal> and <literal>linux_testing</literal> will
+       change versions under the hood during the lifetime of a stable release and might include breaking changes.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       Because of the systemd upgrade,
+       some network interfaces might change their name. For details see
+       <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html#History">
+       upstream docs</link> or <link xlink:href="https://github.com/NixOS/nixpkgs/issues/71086">
+       our ticket</link>.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 

diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
@@ -651,7 +651,7 @@ in {
       "d ${cfg.statePath} 0750 ${cfg.user} ${cfg.group} -"
       "d ${cfg.statePath}/builds 0750 ${cfg.user} ${cfg.group} -"
       "d ${cfg.statePath}/config 0750 ${cfg.user} ${cfg.group} -"
-      "D ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -"
+      "d ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -"
       "d ${cfg.statePath}/db 0750 ${cfg.user} ${cfg.group} -"
       "d ${cfg.statePath}/log 0750 ${cfg.user} ${cfg.group} -"
       "d ${cfg.statePath}/repositories 2770 ${cfg.user} ${cfg.group} -"

diff --git a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
@@ -3,16 +3,34 @@
 with lib;
 
 let
+  logPrefix = "services.prometheus.exporter.blackbox";
   cfg = config.services.prometheus.exporters.blackbox;
 
-  checkConfig = file: pkgs.runCommand "checked-blackbox-exporter.conf" {
-    preferLocalBuild = true;
-    buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; } ''
-    ln -s ${file} $out
-    blackbox_exporter --config.check --config.file $out
-  '';
-in
-{
+  # This ensures that we can deal with string paths, path types and
+  # store-path strings with context.
+  coerceConfigFile = file:
+    if (builtins.isPath file) || (lib.isStorePath file) then
+      file
+    else
+      (lib.warn ''
+        ${logPrefix}: configuration file "${file}" is being copied to the nix-store.
+        If you would like to avoid that, please set enableConfigCheck to false.
+      '' /. + file);
+  checkConfigLocation = file:
+    if lib.hasPrefix "/tmp/" file then
+      throw
+      "${logPrefix}: configuration file must not reside within /tmp - it won't be visible to the systemd service."
+    else
+      true;
+  checkConfig = file:
+    pkgs.runCommand "checked-blackbox-exporter.conf" {
+      preferLocalBuild = true;
+      buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ];
+    } ''
+      ln -s ${coerceConfigFile file} $out
+      blackbox_exporter --config.check --config.file $out
+    '';
+in {
   port = 9115;
   extraOpts = {
     configFile = mkOption {
@@ -21,14 +39,29 @@ in
         Path to configuration file.
       '';
     };
+    enableConfigCheck = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to run a correctness check for the configuration file. This depends
+        on the configuration file residing in the nix-store. Paths passed as string will
+        be copied to the store.
+      '';
+    };
   };
-  serviceOpts = {
+
+  serviceOpts = let
+    adjustedConfigFile = if cfg.enableConfigCheck then
+      checkConfig cfg.configFile
+    else
+      checkConfigLocation cfg.configFile;
+  in {
     serviceConfig = {
       AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
       ExecStart = ''
         ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
           --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
-          --config.file ${checkConfig cfg.configFile} \
+          --config.file ${adjustedConfigFile} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
       ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
@@ -15,14 +15,15 @@ let
     networkmanager-openconnect
     networkmanager-openvpn
     networkmanager-vpnc
-    wpa_supplicant
-   ];
+  ] ++ optional (!enableIwd) wpa_supplicant;
 
   dynamicHostsEnabled =
     cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {};
 
+  enableIwd = cfg.wifi.backend == "iwd";
+
   # /var/lib/misc is for dnsmasq.leases.
-  stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc";
+  stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc /var/lib/NetworkManager-fortisslvpn";
 
   configFile = pkgs.writeText "NetworkManager.conf" ''
     [main]
@@ -48,6 +49,7 @@ let
 
     [device]
     wifi.scan-rand-mac-address=${if cfg.wifi.scanRandMacAddress then "yes" else "no"}
+    wifi.backend=${cfg.wifi.backend}
 
     ${cfg.extraConfig}
   '';
@@ -234,6 +236,15 @@ in {
       wifi = {
         macAddress = macAddressOpt;
 
+        backend = mkOption {
+          type = types.enum [ "wpa_supplicant" "iwd" ];
+          default = "wpa_supplicant";
+          description = ''
+            Specify the Wi-Fi backend used for the device.
+            Currently supported are <option>wpa_supplicant</option> or <option>iwd</option> (experimental).
+          '';
+        };
+
         powersave = mkOption {
           type = types.nullOr types.bool;
           default = null;
@@ -509,13 +520,14 @@ in {
       useDHCP = false;
       # use mkDefault to trigger the assertion about the conflict above
       wireless.enable = mkDefault false;
-    };
+    } // (mkIf cfg.enableStrongSwan {
+      networkmanager.packages = [ pkgs.networkmanager_strongswan ];
+    }) // (mkIf enableIwd {
+      wireless.iwd.enable = true;
+    });
 
     security.polkit.extraConfig = polkitConf;
 
-    networking.networkmanager.packages =
-      mkIf cfg.enableStrongSwan [ pkgs.networkmanager_strongswan ];
-
     services.dbus.packages =
       optional cfg.enableStrongSwan pkgs.strongswanNM ++ cfg.packages;
 

diff --git a/pkgs/applications/blockchains/pivx.nix b/pkgs/applications/blockchains/pivx.nix
@@ -1,5 +1,5 @@
-{ fetchFromGitHub, stdenv, pkgconfig, autoreconfHook
-, openssl, db48, boost, zlib, miniupnpc, gmp
+{ fetchFromGitHub, stdenv, pkgconfig, autoreconfHook, wrapQtAppsHook ? null
+, openssl_1_0_2, db48, boost, zlib, miniupnpc, gmp
 , qrencode, glib, protobuf, yasm, libevent
 , utillinux, qtbase ? null, qttools ? null
 , enableUpnp ? false
@@ -9,25 +9,26 @@
 
 with stdenv.lib;
 stdenv.mkDerivation rec {
-  pname = "pivx";
-  version = "3.2.0";
+  name = "pivx-${version}";
+  version = "3.4.0";
 
   src = fetchFromGitHub {
     owner = "PIVX-Project";
     repo= "PIVX";
     rev = "v${version}";
-    sha256 = "1sym6254vhq8qqpxq9qhy10m5167v7x93kqaj1gixc1vwwbxyazy";
+    sha256 = "1fqccdqhbwyvix0ihhbgg2w048i6bhfmazr36h2cn4j65n1fgmi2";
   };
 
-  nativeBuildInputs = [ pkgconfig autoreconfHook ];
-  buildInputs = [ glib gmp openssl db48 yasm boost zlib libevent miniupnpc protobuf utillinux ]
+  nativeBuildInputs = [ pkgconfig autoreconfHook ] ++ optionals withGui [ wrapQtAppsHook ];
+  buildInputs = [ glib gmp openssl_1_0_2 db48 yasm boost zlib libevent miniupnpc protobuf utillinux ]
                   ++ optionals withGui [ qtbase qttools qrencode ];
 
   configureFlags = [ "--with-boost-libdir=${boost.out}/lib" ]
                     ++ optional enableUpnp "--enable-upnp-default"
                     ++ optional disableWallet "--disable-wallet"
                     ++ optional disableDaemon "--disable-daemon"
                     ++ optionals withGui [ "--with-gui=yes"
+                                           "--with-unsupported-ssl" # TODO remove this ASAP
                                            "--with-qt-bindir=${qtbase.dev}/bin:${qttools.dev}/bin"
                                          ];
 
@@ -39,6 +40,11 @@ stdenv.mkDerivation rec {
     cp share/pixmaps/*128.png $out/share/icons/
   '';
 
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/test_pivx
+  '';
+
   meta = with stdenv.lib; {
     description = "An open source crypto-currency focused on fast private transactions";
     longDescription = ''
@@ -50,12 +56,9 @@ stdenv.mkDerivation rec {
     homepage = https://www.dash.org;
     maintainers = with maintainers; [ wucke13 ];
     platforms = platforms.unix;
-
+    # TODO
     # upstream doesn't support newer openssl versions
     # https://github.com/PIVX-Project/PIVX/issues/748
-    # "Your system is most probably using openssl 1.1 which is not the
-    # officialy supported version. Either use 1.0.1 or run again configure
-    # with the given option."
-    broken = true;
+    # openssl_1_0_2 should be replaced with openssl ASAP
   };
 }
diff --git a/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix b/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix
@@ -376,7 +376,11 @@ stdenv.mkDerivation rec {
     cp $desktopItem/share/applications"/"* $out/share/applications
     sed -i $out/share/applications/torbrowser.desktop \
         -e "s,Exec=.*,Exec=$out/bin/tor-browser," \
-        -e "s,Icon=.*,Icon=web-browser,"
+        -e "s,Icon=.*,Icon=tor-browser,"
+    for i in 16 32 48 64 128; do
+      mkdir -p $out/share/icons/hicolor/''${i}x''${i}/apps/
+      ln -s $out/share/tor-browser/browser/chrome/icons/default/default$i.png $out/share/icons/hicolor/''${i}x''${i}/apps/tor-browser.png
+    done
 
     # Check installed apps
     echo "Checking bundled Tor ..."

diff --git a/pkgs/applications/networking/sync/rsync/rrsync.nix b/pkgs/applications/networking/sync/rsync/rrsync.nix
@@ -8,8 +8,7 @@ stdenv.mkDerivation {
 
   src = base.src;
 
-  buildInputs = [ rsync ];
-  nativeBuildInputs = [perl];
+  buildInputs = [ rsync perl ];
 
   # Skip configure and build phases.
   # We just want something from the support directory

diff --git a/pkgs/applications/video/kazam/default.nix b/pkgs/applications/video/kazam/default.nix
@@ -1,5 +1,6 @@
 { stdenv, fetchurl, substituteAll, python3, gst_all_1, wrapGAppsHook, gobject-introspection
-, gtk3, libwnck3, keybinder3, intltool, libcanberra-gtk3, libappindicator-gtk3, libpulseaudio }:
+, gtk3, libwnck3, keybinder3, intltool, libcanberra-gtk3, libappindicator-gtk3, libpulseaudio
+, fetchpatch }:
 
 python3.pkgs.buildPythonApplication rec {
   name = "kazam-${version}";
@@ -18,6 +19,9 @@ python3.pkgs.buildPythonApplication rec {
   ];
 
   propagatedBuildInputs = with python3.pkgs; [ pygobject3 pyxdg pycairo dbus-python ];
+
+  # workaround https://github.com/NixOS/nixpkgs/issues/56943
+  strictDeps = false;
 
   patches = [
     # Fix paths
@@ -26,10 +30,10 @@ python3.pkgs.buildPythonApplication rec {
       libcanberra = libcanberra-gtk3;
       inherit libpulseaudio;
     })
-    # Fix compability with Python 3.4
-    (fetchurl {
-      url = https://sources.debian.org/data/main/k/kazam/1.4.5-2/debian/patches/configparser_api_changes.patch;
-      sha256 = "0yvmipnh98s7y07cp1f113l0qqfw65k13an96byq707z3ymv1c2h";
+    # https://github.com/hzbd/kazam/pull/21
+    (fetchpatch {
+      url = https://github.com/hzbd/kazam/commit/37e53a5aa61f4223a9ea03ceeda26eeba2b9d37b.patch;
+      sha256 = "1q5dpmdm6cvgzw8xa7bwclnqa05xc73ja1lszwmwv5glyik0fk4z";
     })
   ];
 

diff --git a/pkgs/development/compilers/go/1.12.nix b/pkgs/development/compilers/go/1.12.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, tzdata, iana-etc, runCommand
+{ stdenv, fetchurl, tzdata, iana-etc, runCommand
 , perl, which, pkgconfig, patch, procps, pcre, cacert, Security, Foundation
 , mailcap, runtimeShell
 , buildPackages, pkgsTargetTarget
@@ -96,6 +96,12 @@ stdenv.mkDerivation rec {
     # Disable cgo lookup tests not works, they depend on resolver
     rm src/net/cgo_unix_test.go
 
+    # Disable TestGcSys because it's flakey in our tests, but the failure is not
+    # reproducible by multiple people in other environments.
+    # See https://github.com/NixOS/nixpkgs/issues/68361#issuecomment-537849272 and following
+    # NOTE: Try re-enabling for releases newer than 1.12.9
+    sed -i '/TestGcSys/areturn' src/runtime/gc_test.go
+
   '' + optionalString stdenv.isLinux ''
     sed -i 's,/usr/share/zoneinfo/,${tzdata}/share/zoneinfo/,' src/time/zoneinfo_unix.go
   '' + optionalString stdenv.isAarch32 ''
@@ -137,11 +143,6 @@ stdenv.mkDerivation rec {
     ./skip-nohup-tests.patch
     # breaks under load: https://github.com/golang/go/issues/25628
     ./skip-test-extra-files-on-386.patch
-    (fetchpatch { # probably included in >= 1.12.10
-      url = "https://github.com/golang/go/commit/aae0b5b0b.diff";
-      name = "TestGcSys-too-much-memory.diff";
-      sha256 = "1bl9d2pl6n99n9g65cq91sygmp1iva5rmrxbprwn4xd0ql36psa8";
-    })
   ];
 
   postPatch = ''

diff --git a/pkgs/development/haskell-modules/configuration-ghc-8.8.x.nix b/pkgs/development/haskell-modules/configuration-ghc-8.8.x.nix
@@ -70,11 +70,10 @@ self: super: {
       sha256 = "1p1pinca33vd10iy7hl20c1fc99vharcgcai6z3ngqbq50k2pd3q";
     };
   };
-  vector-th-unbox = appendPatch super.vector-th-unbox (pkgs.fetchpatch {
+  vector-th-unbox = appendPatch (doJailbreak super.vector-th-unbox) (pkgs.fetchpatch {
     url = "https://raw.githubusercontent.com/hvr/head.hackage/master/patches/vector-th-unbox-0.2.1.6.patch";
     sha256 = "0169yf9ms1g5mmkc5l6hpffzm34zdrqdng4df02nbdmfgba45h19";
   });
-  cabal-doctest = super.cabal-doctest_1_0_7;
   regex-base = overrideCabal (appendPatch super.regex-base (pkgs.fetchpatch {
     url = "https://raw.githubusercontent.com/hvr/head.hackage/master/patches/regex-base-0.93.2.patch";
     sha256 = "01d1plrdx6hcspwn2h6y9pyi5366qk926vb5cl5qcl6x4m23l6y1";
@@ -85,7 +84,7 @@ self: super: {
     url = "https://raw.githubusercontent.com/hvr/head.hackage/master/patches/regex-posix-0.95.2.patch";
     sha256 = "006yli58jpqp786zm1xlncjsilc38iv3a09r4pv94l587sdzasd2";
   });
-  haskell-src-exts = appendPatch super.haskell-src-exts (pkgs.fetchpatch {
+  haskell-src-exts = appendPatch (doJailbreak super.haskell-src-exts) (pkgs.fetchpatch {
     url = "https://raw.githubusercontent.com/hvr/head.hackage/master/patches/haskell-src-exts-1.21.0.patch";
     sha256 = "0alb28hcsp774c9s73dgrajcb44vgv1xqfg2n5a9y2bpyngqscs3";
   });
@@ -122,7 +121,7 @@ self: super: {
     url = "https://raw.githubusercontent.com/hvr/head.hackage/master/patches/shakespeare-2.0.20.patch";
     sha256 = "1dgx41ylahj4wk8r422aik0d7qdpawdga4gqz905nvlnhqjla58y";
   });
-  socks = appendPatch super.socks (pkgs.fetchpatch {
+  socks = appendPatch (doJailbreak super.socks) (pkgs.fetchpatch {
     url = "https://raw.githubusercontent.com/hvr/head.hackage/master/patches/socks-0.6.0.patch";
     sha256 = "1dsqmx0sw62x4glh43c0sbizd2y00v5xybiqadn96v6pmfrap5cp";
   });
@@ -159,7 +158,6 @@ self: super: {
     '';
   });
   system-fileio = doJailbreak super.system-fileio;
-  yaml = self.yaml_0_11_1_2;
   haskell-src-meta = appendPatch (dontCheck (doJailbreak super.haskell-src-meta)) (pkgs.fetchpatch {
     url = "https://gitlab.haskell.org/ghc/head.hackage/raw/8be3fb8a6779d0317066d501a3b9dffdf6bb06b0/patches/haskell-src-meta-0.8.2.patch";
     sha256 = "146im1amywyl29kcldvgrxpwj22lrpzxysl7vc8rmn3hrq130dyc";
@@ -169,4 +167,9 @@ self: super: {
     sha256 = "0a3159rnaw6shjzdm46799crd4pxh33s23qy51xa7z6nv5q8wsb5";
   });
   tls = self.tls_1_5_1;
+  alex = appendPatch (super.alex) (pkgs.fetchpatch {
+    url = "https://github.com/simonmar/alex/commit/deaae6eddef5186bfd0e42e2c3ced39e26afa4d6.patch";
+    sha256 = "1v40gmnw4lqyk271wngdwz8whpfdhmza58srbkka8icwwwrck3l5";
+  });
+  connection = doJailbreak super.connection;
 }