Move /src to /subprojects

This will facilitate breaking up Nix into multiple packages for each
component with Meson.

.github/CODEOWNERS

@@ -11,16 +11,16 @@
 .github/CODEOWNERS @edolstra
 
 # Documentation of built-in functions
-src/libexpr/primops.cc @roberth @fricklerhandwerk
+subprojects/libexpr/primops.cc @roberth @fricklerhandwerk
 
 # Documentation of settings
-src/libexpr/eval-settings.hh @fricklerhandwerk
-src/libstore/globals.hh @fricklerhandwerk
+subprojects/libexpr/eval-settings.hh @fricklerhandwerk
+subprojects/libstore/globals.hh @fricklerhandwerk
 
 # Documentation
 doc/manual @fricklerhandwerk
 maintainers/*.md @fricklerhandwerk
-src/**/*.md @fricklerhandwerk
+subprojects/**/*.md @fricklerhandwerk
 
 # Libstore layer
-/src/libstore @ericson2314
+/subprojects/libstore @ericson2314

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,54 +1,36 @@
 ---
 name: Bug report
-about: Report unexpected or incorrect behaviour
+about: Create a report to help us improve
 title: ''
 labels: bug
 assignees: ''
 
 ---
 
-## Describe the bug
+**Describe the bug**
 
-<!--
-  A clear and concise description of what the bug is.
+A clear and concise description of what the bug is.
 
-  If you have a problem with a specific package or NixOS,
-  you probably want to file an issue at https://github.com/NixOS/nixpkgs/issues.
--->
+If you have a problem with a specific package or NixOS,
+you probably want to file an issue at https://github.com/NixOS/nixpkgs/issues. 
 
-## Steps To Reproduce
+**Steps To Reproduce**
 
-<!--
-  Example:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
 
-  1. Clone this repository: ...
-  2. Run `nix-... ...`
-  3. Observe unexpected behaviour
--->
+**Expected behavior**
 
-## Expected behavior
+A clear and concise description of what you expected to happen.
 
-<!-- A clear and concise description of what you expected to happen. -->
+**`nix-env --version` output**
 
-## Metadata
+**Additional context**
 
-<!-- Please insert the output of running `nix-env --version` below this line -->
+Add any other context about the problem here.
 
-## Additional context
-
-<!-- Add any other context about the problem here. -->
-
-## Checklist
-
-<!-- make sure this issue is not redundant or obsolete -->
-
-- [ ] checked [latest Nix manual] \([source])
-- [ ] checked [open bug issues and pull requests] for possible duplicates
-
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
-[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
-[open bug issues and pull requests]: https://github.com/NixOS/nix/labels/bug
-
----
+**Priorities**
 
 Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,39 +1,24 @@
 ---
 name: Feature request
-about: Suggest a new feature
+about: Suggest an idea for this project
 title: ''
 labels: feature
 assignees: ''
 
 ---
 
-## Is your feature request related to a problem?
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 
-<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
 
-## Proposed solution
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
 
-<!-- A clear and concise description of what you want to happen. -->
+**Additional context**
+Add any other context or screenshots about the feature request here.
 
-## Alternative solutions
-
-<!-- A clear and concise description of any alternative solutions or features you've considered. -->
-
-## Additional context
-
-<!-- Add any other context or screenshots about the feature request here. -->
-
-## Checklist
-
-<!-- make sure this issue is not redundant or obsolete -->
-
-- [ ] checked [latest Nix manual] \([source])
-- [ ] checked [open feature issues and pull requests] for possible duplicates
-
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
-[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
-[open feature issues and pull requests]: https://github.com/NixOS/nix/labels/feature
-
----
+**Priorities**
 
 Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/ISSUE_TEMPLATE/installer.md

@@ -23,25 +23,14 @@ assignees: ''
 
 <details><summary>Output</summary>
 
-<!-- paste console output inside the below code block -->
-
 ```log
 
+<!-- paste console output here and remove this comment -->
+
 ```
 
 </details>
 
-## Checklist
-
-<!-- make sure this issue is not redundant or obsolete -->
-
-- [ ] checked [latest Nix manual] \([source])
-- [ ] checked [open installer issues and pull requests] for possible duplicates
-
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
-[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
-[open installer issues and pull requests]: https://github.com/NixOS/nix/labels/installer
-
----
+## Priorities
 
 Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -23,9 +23,9 @@ assignees: ''
 - [ ] checked [open documentation issues and pull requests] for possible duplicates
 
 [latest Nix manual]: https://nixos.org/manual/nix/unstable/
-[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
+[source]: https://github.com/NixOS/nix/tree/master/doc/manual/src
 [open documentation issues and pull requests]: https://github.com/NixOS/nix/labels/documentation
 
----
+## Priorities
 
 Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/PULL_REQUEST_TEMPLATE.md

@@ -17,12 +17,10 @@ so you understand the process and the expectations.
 
 -->
 
-## Motivation
-
+# Motivation
 <!-- Briefly explain what the change is about and why it is desirable. -->
 
-## Context
-
+# Context
 <!-- Provide context. Reference open issues if available. -->
 
 <!-- Non-trivial change: Briefly outline the implementation strategy. -->
@@ -31,7 +29,7 @@ so you understand the process and the expectations.
 
 <!-- Large change: Provide instructions to reviewers how to read the diff. -->
 
----
+# Priorities and Process
 
 Add :+1: to [pull requests you find important](https://github.com/NixOS/nix/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc).
 

.github/labeler.yml

@@ -1,7 +1,7 @@
 "c api":
   - changed-files:
-    - any-glob-to-any-file: "src/lib*-c/**/*"
-    - any-glob-to-any-file: "src/*test*/**/nix_api_*"
+    - any-glob-to-any-file: "subprojects/lib*-c/**/*"
+    - any-glob-to-any-file: "test/unit/**/nix_api_*"
     - any-glob-to-any-file: "doc/external-api/**/*"
 
 "contributor-experience":
@@ -9,35 +9,35 @@
     - any-glob-to-any-file: "CONTRIBUTING.md"
     - any-glob-to-any-file: ".github/ISSUE_TEMPLATE/*"
     - any-glob-to-any-file: ".github/PULL_REQUEST_TEMPLATE.md"
-    - any-glob-to-any-file: "doc/manual/source/contributing/**"
+    - any-glob-to-any-file: "doc/manual/src/contributing/**"
 
 "documentation":
   - changed-files:
     - any-glob-to-any-file: "doc/manual/**/*"
-    - any-glob-to-any-file: "src/nix/**/*.md"
+    - any-glob-to-any-file: "subprojects/nix/**/*.md"
 
 "store":
   - changed-files:
-    - any-glob-to-any-file: "src/libstore/store-api.*"
-    - any-glob-to-any-file: "src/libstore/*-store.*"
+    - any-glob-to-any-file: "subprojects/libstore/store-api.*"
+    - any-glob-to-any-file: "subprojects/libstore/*-store.*"
 
 "fetching":
   - changed-files:
-    - any-glob-to-any-file: "src/libfetchers/**/*"
+    - any-glob-to-any-file: "subprojects/libfetchers/**/*"
 
 "repl":
   - changed-files:
-    - any-glob-to-any-file: "src/libcmd/repl.*"
-    - any-glob-to-any-file: "src/nix/repl.*"
+    - any-glob-to-any-file: "subprojects/libcmd/repl.*"
+    - any-glob-to-any-file: "subprojects/nix/repl.*"
 
 "new-cli":
   - changed-files:
-    - any-glob-to-any-file: "src/nix/**/*"
+    - any-glob-to-any-file: "subprojects/nix/**/*"
 
 "with-tests":
   - changed-files:
     # Unit tests
-    - any-glob-to-any-file: "src/*/tests/**/*"
+    - any-glob-to-any-file: "subprojects/*/tests/**/*"
     # Functional and integration tests
     - any-glob-to-any-file: "tests/functional/**/*"
 

.github/workflows/ci.yml

@@ -7,34 +7,14 @@ on:
 permissions: read-all
 
 jobs:
-  eval:
-    runs-on: ubuntu-24.04
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - uses: cachix/install-nix-action@v30
-    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
 
   tests:
+    needs: [check_secrets]
     strategy:
       fail-fast: false
       matrix:
-        include:
-          - scenario: on ubuntu
-            runs-on: ubuntu-24.04
-            system: x86_64-linux
-            os: linux
-          - scenario: on macos (aarch64)
-            runs-on: macos-14
-            system: aarch64-darwin
-            os: darwin
-          - scenario: on macos (x86_64)
-            runs-on: macos-14
-            system: x86_64-darwin
-            os: darwin
-    name: tests ${{ matrix.scenario }}
-    runs-on: ${{ matrix.runs-on }}
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
     timeout-minutes: 60
     steps:
     - uses: actions/checkout@v4
@@ -43,56 +23,103 @@ jobs:
     - uses: cachix/install-nix-action@v30
       with:
         # The sandbox would otherwise be disabled by default on Darwin
-        extra_nix_config: |
-          sandbox = true
-          max-jobs = 1
-          system = ${{ matrix.system }}
-    - uses: DeterminateSystems/magic-nix-cache-action@main
-    # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
-    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
-    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
-      if: matrix.os == 'linux'
-    - run: scripts/build-checks
-    - run: scripts/prepare-installer-for-github-actions
-    - name: Upload installer tarball
-      uses: actions/upload-artifact@v4
+        extra_nix_config: "sandbox = true"
+    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
+    - uses: cachix/cachix-action@v15
+      if: needs.check_secrets.outputs.cachix == 'true'
       with:
-        name: installer-${{matrix.os}}
-        path: out/*
+        name: '${{ env.CACHIX_NAME }}'
+        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - if: matrix.os == 'ubuntu-latest'
+      run: |
+        free -h
+        swapon --show
+        swap=$(swapon --show --noheadings | head -n 1 | awk '{print $1}')
+        echo "Found swap: $swap"
+        sudo swapoff $swap
+        # resize it (fallocate)
+        sudo fallocate -l 10G $swap
+        sudo mkswap $swap
+        sudo swapon $swap
+        free -h
+        (
+          while sleep 60; do
+            free -h
+          done
+        ) &
+    - run: nix --experimental-features 'nix-command flakes' flake check -L
+    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
+
+  # Steps to test CI automation in your own fork.
+  # Cachix:
+  # 1. Sign-up for https://www.cachix.org/
+  # 2. Create a cache for $githubuser-nix-install-tests
+  # 3. Create a cachix auth token and save it in https://github.com/$githubuser/nix/settings/secrets/actions in "Repository secrets" as CACHIX_AUTH_TOKEN
+  # Dockerhub:
+  # 1. Sign-up for https://hub.docker.com/
+  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
+  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
+  check_secrets:
+    permissions:
+      contents: none
+    name: Check Cachix and Docker secrets present for installer tests
+    runs-on: ubuntu-latest
+    outputs:
+      cachix: ${{ steps.secret.outputs.cachix }}
+      docker: ${{ steps.secret.outputs.docker }}
+    steps:
+      - name: Check for secrets
+        id: secret
+        env:
+          _CACHIX_SECRETS: ${{ secrets.CACHIX_SIGNING_KEY }}${{ secrets.CACHIX_AUTH_TOKEN }}
+          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          echo "::set-output name=cachix::${{ env._CACHIX_SECRETS != '' }}"
+          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
+
+  installer:
+    needs: [tests, check_secrets]
+    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
+    runs-on: ubuntu-latest
+    outputs:
+      installerURL: ${{ steps.prepare-installer.outputs.installerURL }}
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
+    - uses: cachix/install-nix-action@v30
+      with:
+        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
+    - uses: cachix/cachix-action@v15
+      with:
+        name: '${{ env.CACHIX_NAME }}'
+        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+        cachixArgs: '-v'
+    - id: prepare-installer
+      run: scripts/prepare-installer-for-github-actions
 
   installer_test:
-    needs: [tests]
+    needs: [installer, check_secrets]
+    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
     strategy:
       fail-fast: false
       matrix:
-        # No x86_64-darwin (yet?) because of poor performance and similarity to aarch64-darwin
-        include:
-          - scenario: on ubuntu
-            runs-on: ubuntu-24.04
-            os: linux
-          - scenario: on macos
-            runs-on: macos-14
-            os: darwin
-    name: installer test ${{ matrix.scenario }}
-    runs-on: ${{ matrix.runs-on }}
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v4
-    - name: Download installer tarball
-      uses: actions/download-artifact@v4
-      with:
-        name: installer-${{matrix.os}}
-        path: out
-    - name: Serving installer
-      id: serving_installer
-      run: ./scripts/serve-installer-for-github-actions
+    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
     - uses: cachix/install-nix-action@v30
       with:
-        install_url: 'http://localhost:8126/install'
-        install_options: "--tarball-url-prefix http://localhost:8126/"
+        install_url: '${{needs.installer.outputs.installerURL}}'
+        install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve"
     - run: sudo apt install fish zsh
-      if: matrix.os == 'linux'
+      if: matrix.os == 'ubuntu-latest'
     - run: brew install fish
-      if: matrix.os == 'darwin'
+      if: matrix.os == 'macos-latest'
     - run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval"
     - run: exec sh -c "nix-instantiate -E 'builtins.currentTime' --eval"
     - run: exec zsh -c "nix-instantiate -E 'builtins.currentTime' --eval"
@@ -100,50 +127,32 @@ jobs:
     - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
     - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"
 
-  # Steps to test CI automation in your own fork.
-  # 1. Sign-up for https://hub.docker.com/
-  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
-  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
-  check_secrets:
-    permissions:
-      contents: none
-    name: Check Docker secrets present for installer tests
-    runs-on: ubuntu-24.04
-    outputs:
-      docker: ${{ steps.secret.outputs.docker }}
-    steps:
-      - name: Check for secrets
-        id: secret
-        env:
-          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-        run: |
-          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
-
   docker_push_image:
-    needs: [tests, vm_tests, check_secrets]
+    needs: [check_secrets, tests]
     permissions:
       contents: read
       packages: write
     if: >-
-      needs.check_secrets.outputs.docker == 'true' &&
       github.event_name == 'push' &&
-      github.ref_name == 'master'
-    runs-on: ubuntu-24.04
+      github.ref_name == 'master' &&
+      needs.check_secrets.outputs.cachix == 'true' &&
+      needs.check_secrets.outputs.docker == 'true'
+    runs-on: ubuntu-latest
     steps:
-    - name: Check for secrets
-      id: secret
-      env:
-        _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-      run: |
-        echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - uses: cachix/install-nix-action@v30
       with:
         install_url: https://releases.nixos.org/nix/nix-2.20.3/install
-    - uses: DeterminateSystems/magic-nix-cache-action@main
+    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
     - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
+    - uses: cachix/cachix-action@v15
+      if: needs.check_secrets.outputs.cachix == 'true'
+      with:
+        name: '${{ env.CACHIX_NAME }}'
+        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
     - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
     - run: docker load -i ./result/image.tar.gz
     - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
@@ -180,22 +189,16 @@ jobs:
         docker push $IMAGE_ID:master
 
   vm_tests:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
-      - run: |
-          nix build -L \
-            .#hydraJobs.tests.functional_user \
-            .#hydraJobs.tests.githubFlakes \
-            .#hydraJobs.tests.nix-docker \
-            .#hydraJobs.tests.tarballFlakes \
-            ;
+      - run: nix build -L .#hydraJobs.tests.githubFlakes .#hydraJobs.tests.tarballFlakes .#hydraJobs.tests.functional_user
 
   flake_regressions:
     needs: vm_tests
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout nix
         uses: actions/checkout@v4
@@ -211,4 +214,4 @@ jobs:
           path: flake-regressions/tests
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
-      - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=25 flake-regressions/eval-all.sh
+      - run: nix build --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH scripts/flake-regressions.sh

.github/workflows/labels.yml

@@ -15,7 +15,7 @@ permissions:
 
 jobs:
   labels:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
     - uses: actions/labeler@v5

.gitignore

@@ -1,12 +1,113 @@
+Makefile.config
+perl/Makefile.config
+
+# /
+/aclocal.m4
+/autom4te.cache
+/precompiled-headers.h.gch
+/config.*
+/configure
+/stamp-h1
+/svn-revision
+/libtool
+/config/config.*
 # Default meson build dir
 /build
 
+# /doc/manual/
+/doc/manual/*.1
+/doc/manual/*.5
+/doc/manual/*.8
+/doc/manual/generated/*
+/doc/manual/nix.json
+/doc/manual/conf-file.json
+/doc/manual/language.json
+/doc/manual/xp-features.json
+/doc/manual/src/SUMMARY.md
+/doc/manual/src/SUMMARY-rl-next.md
+/doc/manual/src/store/types/*
+!/doc/manual/src/store/types/index.md.in
+/doc/manual/src/command-ref/new-cli
+/doc/manual/src/command-ref/conf-file.md
+/doc/manual/src/command-ref/experimental-features-shortlist.md
+/doc/manual/src/contributing/experimental-feature-descriptions.md
+/doc/manual/src/language/builtins.md
+/doc/manual/src/language/builtin-constants.md
+/doc/manual/src/release-notes/rl-next.md
+
+# /scripts/
+/scripts/nix-profile.sh
+/scripts/nix-profile-daemon.sh
+/scripts/nix-profile.fish
+/scripts/nix-profile-daemon.fish
+
+# /subprojects/libexpr/
+/subprojects/libexpr/lexer-tab.cc
+/subprojects/libexpr/lexer-tab.hh
+/subprojects/libexpr/parser-tab.cc
+/subprojects/libexpr/parser-tab.hh
+/subprojects/libexpr/parser-tab.output
+/subprojects/libexpr/nix.tbl
+/subprojects/libexpr/tests
+/tests/unit/libexpr/libnixexpr-tests
+
+# /subprojects/libfetchers
+/tests/unit/libfetchers/libnixfetchers-tests
+
+# /subprojects/libflake
+/tests/unit/libflake/libnixflake-tests
+
+# /subprojects/libstore/
+*.gen.*
+/subprojects/libstore/tests
+/tests/unit/libstore/libnixstore-tests
+
+# /subprojects/libutil/
+/subprojects/libutil/tests
+/tests/unit/libutil/libnixutil-tests
+
+/subprojects/nix/nix
+
+/subprojects/nix/generated-doc
+
+# /subprojects/nix-env/
+/subprojects/nix-env/nix-env
+
+# /subprojects/nix-instantiate/
+/subprojects/nix-instantiate/nix-instantiate
+
+# /subprojects/nix-store/
+/subprojects/nix-store/nix-store
+
+/subprojects/nix-prefetch-url/nix-prefetch-url
+
+/subprojects/nix-collect-garbage/nix-collect-garbage
+
+# /subprojects/nix-channel/
+/subprojects/nix-channel/nix-channel
+
+# /subprojects/nix-build/
+/subprojects/nix-build/nix-build
+
+/subprojects/nix-copy-closure/nix-copy-closure
+
+/subprojects/error-demo/error-demo
+
+/subprojects/build-remote/build-remote
+
 # /tests/functional/
+/tests/functional/test-tmp
 /tests/functional/common/subst-vars.sh
+/tests/functional/result*
 /tests/functional/restricted-innocent
+/tests/functional/shell
+/tests/functional/shell.drv
+/tests/functional/config.nix
+/tests/functional/ca/config.nix
+/tests/functional/dyn-drv/config.nix
+/tests/functional/repl-result-out
 /tests/functional/debugger-test-out
 /tests/functional/test-libstoreconsumer/test-libstoreconsumer
-/tests/functional/nix-shell
 
 # /tests/functional/lang/
 /tests/functional/lang/*.out
@@ -14,9 +115,27 @@
 /tests/functional/lang/*.err
 /tests/functional/lang/*.ast
 
+/perl/lib/Nix/Config.pm
+/perl/lib/Nix/Store.cc
+
+/misc/systemd/nix-daemon.service
+/misc/systemd/nix-daemon.socket
+/misc/systemd/nix-daemon.conf
+/misc/upstart/nix-daemon.conf
+
 outputs/
 
+*.a
+*.o
+*.o.tmp
+*.so
+*.dylib
+*.dll
+*.exe
+*.dep
 *~
+*.pc
+*.plist
 
 # GNU Global
 GPATH
@@ -31,6 +150,8 @@ GTAGS
 compile_commands.json
 *.compile_commands.json
 
+nix-rust/target
+
 result
 result-*
 
@@ -45,5 +166,3 @@ result-*
 
 # Mac OS
 .DS_Store
-
-flake-regressions

.mergify.yml

@@ -2,11 +2,13 @@ queue_rules:
   - name: default
     # all required tests need to go here
     merge_conditions:
-      - check-success=tests on macos
-      - check-success=tests on ubuntu
-      - check-success=installer test on macos
-      - check-success=installer test on ubuntu
+      - check-success=installer
+      - check-success=installer_test (macos-latest)
+      - check-success=installer_test (ubuntu-latest)
+      - check-success=tests (macos-latest)
+      - check-success=tests (ubuntu-latest)
       - check-success=vm_tests
+    merge_method: rebase
     batch_size: 5
 
 pull_request_rules:
@@ -27,7 +29,6 @@ pull_request_rules:
         branches:
           - 2.18-maintenance
         labels:
-          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.19
@@ -38,7 +39,6 @@ pull_request_rules:
         branches:
           - 2.19-maintenance
         labels:
-          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.20
@@ -49,7 +49,6 @@ pull_request_rules:
         branches:
           - 2.20-maintenance
         labels:
-          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.21
@@ -60,7 +59,6 @@ pull_request_rules:
         branches:
           - 2.21-maintenance
         labels:
-          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.22
@@ -71,7 +69,6 @@ pull_request_rules:
         branches:
           - 2.22-maintenance
         labels:
-          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.23
@@ -82,7 +79,6 @@ pull_request_rules:
         branches:
           - 2.23-maintenance
         labels:
-          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.24
@@ -93,27 +89,4 @@ pull_request_rules:
         branches:
           - "2.24-maintenance"
         labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.25
-    conditions:
-      - label=backport 2.25-maintenance
-    actions:
-      backport:
-        branches:
-          - "2.25-maintenance"
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.26
-    conditions:
-      - label=backport 2.26-maintenance
-    actions:
-      backport:
-        branches:
-          - "2.26-maintenance"
-        labels:
-          - automatic backport
           - merge-queue

.version

@@ -1 +1 @@
-2.27.0
+2.25.0

CONTRIBUTING.md

@@ -77,9 +77,9 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
    - [ ] Fixes an [idea approved](https://github.com/NixOS/nix/labels/idea%20approved) issue
    - [ ] Tests, as appropriate:
      - Functional tests – [`tests/functional/**.sh`](./tests/functional)
-     - Unit tests – [`src/*/tests`](./src/)
+     - Unit tests – [`tests/unit/*`](./tests/unit)
      - Integration tests – [`tests/nixos/*`](./tests/nixos)
-   - [ ] User documentation in the [manual](./doc/manual/source)
+   - [ ] User documentation in the [manual](./doc/manual/src)
    - [ ] API documentation in header files
    - [ ] Code and comments are self-explanatory
    - [ ] Commit message explains **why** the change was made
@@ -90,7 +90,7 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
 ## Making changes to the Nix manual
 
 The Nix reference manual is hosted on https://nixos.org/manual/nix.
-The underlying source files are located in [`doc/manual/source`](./doc/manual/source).
+The underlying source files are located in [`doc/manual/src`](./doc/manual/src).
 For small changes you can [use GitHub to edit these files](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files)
 For larger changes see the [Nix reference manual](https://nix.dev/manual/nix/development/development/contributing.html).
 

HACKING.md

@@ -1 +1 @@
-doc/manual/source/development/building.md
+doc/manual/src/development/building.md

Makefile

@@ -0,0 +1,128 @@
+# External build directory support
+
+include mk/build-dir.mk
+
+-include $(buildprefix)Makefile.config
+clean-files += $(buildprefix)Makefile.config
+
+# List makefiles
+
+include mk/platform.mk
+
+ifeq ($(ENABLE_BUILD), yes)
+makefiles = \
+  mk/precompiled-headers.mk \
+  local.mk \
+  subprojects/libutil/local.mk \
+  subprojects/libstore/local.mk \
+  subprojects/libfetchers/local.mk \
+  subprojects/libmain/local.mk \
+  subprojects/libexpr/local.mk \
+  subprojects/libflake/local.mk \
+  subprojects/libcmd/local.mk \
+  subprojects/nix/local.mk \
+  subprojects/libutil-c/local.mk \
+  subprojects/libstore-c/local.mk \
+  subprojects/libexpr-c/local.mk
+
+ifdef HOST_UNIX
+makefiles += \
+  scripts/local.mk \
+  maintainers/local.mk \
+  misc/bash/local.mk \
+  misc/fish/local.mk \
+  misc/zsh/local.mk \
+  misc/systemd/local.mk \
+  misc/launchd/local.mk \
+  misc/upstart/local.mk
+endif
+endif
+
+ifeq ($(ENABLE_UNIT_TESTS), yes)
+makefiles += \
+  tests/unit/libutil/local.mk \
+  tests/unit/libutil-support/local.mk \
+  tests/unit/libstore/local.mk \
+  tests/unit/libstore-support/local.mk \
+  tests/unit/libfetchers/local.mk \
+  tests/unit/libexpr/local.mk \
+  tests/unit/libexpr-support/local.mk \
+  tests/unit/libflake/local.mk
+endif
+
+ifeq ($(ENABLE_FUNCTIONAL_TESTS), yes)
+ifdef HOST_UNIX
+makefiles += \
+  tests/functional/local.mk \
+  tests/functional/flakes/local.mk \
+  tests/functional/ca/local.mk \
+  tests/functional/git-hashing/local.mk \
+  tests/functional/dyn-drv/local.mk \
+  tests/functional/local-overlay-store/local.mk \
+  tests/functional/test-libstoreconsumer/local.mk \
+  tests/functional/plugins/local.mk
+endif
+endif
+
+# Some makefiles require access to built programs and must be included late.
+makefiles-late =
+
+ifeq ($(ENABLE_DOC_GEN), yes)
+makefiles-late += doc/manual/local.mk
+endif
+
+# Miscellaneous global Flags
+
+OPTIMIZE = 1
+
+ifeq ($(OPTIMIZE), 1)
+  GLOBAL_CXXFLAGS += -O3 $(CXXLTO)
+  GLOBAL_LDFLAGS += $(CXXLTO)
+else
+  GLOBAL_CXXFLAGS += -O0 -U_FORTIFY_SOURCE
+  unexport NIX_HARDENING_ENABLE
+endif
+
+ifdef HOST_WINDOWS
+  # Windows DLLs are stricter about symbol visibility than Unix shared
+  # objects --- see https://gcc.gnu.org/wiki/Visibility for details.
+  # This is a temporary sledgehammer to export everything like on Unix,
+  # and not detail with this yet.
+  #
+  # TODO do not do this, and instead do fine-grained export annotations.
+  GLOBAL_LDFLAGS += -Wl,--export-all-symbols
+endif
+
+GLOBAL_CXXFLAGS += -g -Wall -Wdeprecated-copy -Wignored-qualifiers -Wimplicit-fallthrough -Werror=unused-result -Werror=suggest-override -include $(buildprefix)config.h -std=c++2a -I subprojects
+
+# Include the main lib, causing rules to be defined
+
+include mk/lib.mk
+
+# Fallback stub rules for better UX when things are disabled
+#
+# These must be defined after  Otherwise the first rule
+# incorrectly becomes the default target.
+
+ifneq ($(ENABLE_UNIT_TESTS), yes)
+.PHONY: check
+check:
+	@echo "Unit tests are disabled. Configure without '--disable-unit-tests', or avoid calling 'make check'."
+	@exit 1
+endif
+
+ifneq ($(ENABLE_FUNCTIONAL_TESTS), yes)
+.PHONY: installcheck
+installcheck:
+	@echo "Functional tests are disabled. Configure without '--disable-functional-tests', or avoid calling 'make installcheck'."
+	@exit 1
+endif
+
+# Documentation fallback stub rules.
+
+ifneq ($(ENABLE_DOC_GEN), yes)
+.PHONY: manual-html manpages
+manual-html manpages:
+	@echo "Generated docs are disabled. Configure without '--disable-doc-gen', or avoid calling 'make manpages' and 'make manual-html'."
+	@exit 1
+endif

Makefile.config.in

@@ -0,0 +1,54 @@
+AR = @AR@
+BDW_GC_LIBS = @BDW_GC_LIBS@
+BOOST_LDFLAGS = @BOOST_LDFLAGS@
+BUILD_SHARED_LIBS = @BUILD_SHARED_LIBS@
+CC = @CC@
+CFLAGS = @CFLAGS@
+CXX = @CXX@
+CXXFLAGS = @CXXFLAGS@
+CXXLTO = @CXXLTO@
+EDITLINE_LIBS = @EDITLINE_LIBS@
+ENABLE_BUILD = @ENABLE_BUILD@
+ENABLE_DOC_GEN = @ENABLE_DOC_GEN@
+ENABLE_FUNCTIONAL_TESTS = @ENABLE_FUNCTIONAL_TESTS@
+ENABLE_S3 = @ENABLE_S3@
+ENABLE_UNIT_TESTS = @ENABLE_UNIT_TESTS@
+GTEST_LIBS = @GTEST_LIBS@
+HAVE_LIBCPUID = @HAVE_LIBCPUID@
+HAVE_SECCOMP = @HAVE_SECCOMP@
+HOST_OS = @host_os@
+INSTALL_UNIT_TESTS = @INSTALL_UNIT_TESTS@
+LDFLAGS = @LDFLAGS@
+LIBARCHIVE_LIBS = @LIBARCHIVE_LIBS@
+LIBBROTLI_LIBS = @LIBBROTLI_LIBS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
+LIBGIT2_LIBS = @LIBGIT2_LIBS@
+LIBSECCOMP_LIBS = @LIBSECCOMP_LIBS@
+LOWDOWN_LIBS = @LOWDOWN_LIBS@
+OPENSSL_LIBS = @OPENSSL_LIBS@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+SHELL = @bash@
+SODIUM_LIBS = @SODIUM_LIBS@
+SQLITE3_LIBS = @SQLITE3_LIBS@
+bash = @bash@
+bindir = @bindir@
+checkbindir = @checkbindir@
+checklibdir = @checklibdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+embedded_sandbox_shell = @embedded_sandbox_shell@
+exec_prefix = @exec_prefix@
+includedir = @includedir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localstatedir = @localstatedir@
+lsof = @lsof@
+mandir = @mandir@
+pkglibdir = $(libdir)/$(PACKAGE_NAME)
+prefix = @prefix@
+sandbox_shell = @sandbox_shell@
+storedir = @storedir@
+sysconfdir = @sysconfdir@
+system = @system@

build-utils-meson/diagnostics/meson.build

@@ -1,10 +1,3 @@
-# This is only conditional to work around
-# https://github.com/mesonbuild/meson/issues/13293. It should be
-# unconditional.
-if not (host_machine.system() == 'windows' and cxx.get_id() == 'gcc')
-  deps_private += dependency('threads')
-endif
-
 add_project_arguments(
   '-Wdeprecated-copy',
   '-Werror=suggest-override',

build-utils-meson/threads/meson.build

@@ -0,0 +1,6 @@
+# This is only conditional to work around
+# https://github.com/mesonbuild/meson/issues/13293. It should be
+# unconditional.
+if not (host_machine.system() == 'windows' and cxx.get_id() == 'gcc')
+  deps_private += dependency('threads')
+endif

config/install-sh

@@ -0,0 +1,527 @@
+#!/bin/sh
+# install - install a program, script, or datafile
+
+scriptversion=2011-11-20.07; # UTC
+
+# This originates from X11R5 (mit/util/scripts/install.sh), which was
+# later released in X11R6 (xc/config/util/install.sh) with the
+# following copyright and license.
+#
+# Copyright (C) 1994 X Consortium
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
+# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Except as contained in this notice, the name of the X Consortium shall not
+# be used in advertising or otherwise to promote the sale, use or other deal-
+# ings in this Software without prior written authorization from the X Consor-
+# tium.
+#
+#
+# FSF changes to this file are in the public domain.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# 'make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+
+nl='
+'
+IFS=" ""	$nl"
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit=${DOITPROG-}
+if test -z "$doit"; then
+  doit_exec=exec
+else
+  doit_exec=$doit
+fi
+
+# Put in absolute file names if you don't have them in your path;
+# or use environment vars.
+
+chgrpprog=${CHGRPPROG-chgrp}
+chmodprog=${CHMODPROG-chmod}
+chownprog=${CHOWNPROG-chown}
+cmpprog=${CMPPROG-cmp}
+cpprog=${CPPROG-cp}
+mkdirprog=${MKDIRPROG-mkdir}
+mvprog=${MVPROG-mv}
+rmprog=${RMPROG-rm}
+stripprog=${STRIPPROG-strip}
+
+posix_glob='?'
+initialize_posix_glob='
+  test "$posix_glob" != "?" || {
+    if (set -f) 2>/dev/null; then
+      posix_glob=
+    else
+      posix_glob=:
+    fi
+  }
+'
+
+posix_mkdir=
+
+# Desired mode of installed file.
+mode=0755
+
+chgrpcmd=
+chmodcmd=$chmodprog
+chowncmd=
+mvcmd=$mvprog
+rmcmd="$rmprog -f"
+stripcmd=
+
+src=
+dst=
+dir_arg=
+dst_arg=
+
+copy_on_change=false
+no_target_directory=
+
+usage="\
+Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
+   or: $0 [OPTION]... SRCFILES... DIRECTORY
+   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
+   or: $0 [OPTION]... -d DIRECTORIES...
+
+In the 1st form, copy SRCFILE to DSTFILE.
+In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
+In the 4th, create DIRECTORIES.
+
+Options:
+     --help     display this help and exit.
+     --version  display version info and exit.
+
+  -c            (ignored)
+  -C            install only if different (preserve the last data modification time)
+  -d            create directories instead of installing files.
+  -g GROUP      $chgrpprog installed files to GROUP.
+  -m MODE       $chmodprog installed files to MODE.
+  -o USER       $chownprog installed files to USER.
+  -s            $stripprog installed files.
+  -t DIRECTORY  install into DIRECTORY.
+  -T            report an error if DSTFILE is a directory.
+
+Environment variables override the default commands:
+  CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
+  RMPROG STRIPPROG
+"
+
+while test $# -ne 0; do
+  case $1 in
+    -c) ;;
+
+    -C) copy_on_change=true;;
+
+    -d) dir_arg=true;;
+
+    -g) chgrpcmd="$chgrpprog $2"
+	shift;;
+
+    --help) echo "$usage"; exit $?;;
+
+    -m) mode=$2
+	case $mode in
+	  *' '* | *'	'* | *'
+'*	  | *'*'* | *'?'* | *'['*)
+	    echo "$0: invalid mode: $mode" >&2
+	    exit 1;;
+	esac
+	shift;;
+
+    -o) chowncmd="$chownprog $2"
+	shift;;
+
+    -s) stripcmd=$stripprog;;
+
+    -t) dst_arg=$2
+	# Protect names problematic for 'test' and other utilities.
+	case $dst_arg in
+	  -* | [=\(\)!]) dst_arg=./$dst_arg;;
+	esac
+	shift;;
+
+    -T) no_target_directory=true;;
+
+    --version) echo "$0 $scriptversion"; exit $?;;
+
+    --)	shift
+	break;;
+
+    -*)	echo "$0: invalid option: $1" >&2
+	exit 1;;
+
+    *)  break;;
+  esac
+  shift
+done
+
+if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
+  # When -d is used, all remaining arguments are directories to create.
+  # When -t is used, the destination is already specified.
+  # Otherwise, the last argument is the destination.  Remove it from $@.
+  for arg
+  do
+    if test -n "$dst_arg"; then
+      # $@ is not empty: it contains at least $arg.
+      set fnord "$@" "$dst_arg"
+      shift # fnord
+    fi
+    shift # arg
+    dst_arg=$arg
+    # Protect names problematic for 'test' and other utilities.
+    case $dst_arg in
+      -* | [=\(\)!]) dst_arg=./$dst_arg;;
+    esac
+  done
+fi
+
+if test $# -eq 0; then
+  if test -z "$dir_arg"; then
+    echo "$0: no input file specified." >&2
+    exit 1
+  fi
+  # It's OK to call 'install-sh -d' without argument.
+  # This can happen when creating conditional directories.
+  exit 0
+fi
+
+if test -z "$dir_arg"; then
+  do_exit='(exit $ret); exit $ret'
+  trap "ret=129; $do_exit" 1
+  trap "ret=130; $do_exit" 2
+  trap "ret=141; $do_exit" 13
+  trap "ret=143; $do_exit" 15
+
+  # Set umask so as not to create temps with too-generous modes.
+  # However, 'strip' requires both read and write access to temps.
+  case $mode in
+    # Optimize common cases.
+    *644) cp_umask=133;;
+    *755) cp_umask=22;;
+
+    *[0-7])
+      if test -z "$stripcmd"; then
+	u_plus_rw=
+      else
+	u_plus_rw='% 200'
+      fi
+      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
+    *)
+      if test -z "$stripcmd"; then
+	u_plus_rw=
+      else
+	u_plus_rw=,u+rw
+      fi
+      cp_umask=$mode$u_plus_rw;;
+  esac
+fi
+
+for src
+do
+  # Protect names problematic for 'test' and other utilities.
+  case $src in
+    -* | [=\(\)!]) src=./$src;;
+  esac
+
+  if test -n "$dir_arg"; then
+    dst=$src
+    dstdir=$dst
+    test -d "$dstdir"
+    dstdir_status=$?
+  else
+
+    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
+    # might cause directories to be created, which would be especially bad
+    # if $src (and thus $dsttmp) contains '*'.
+    if test ! -f "$src" && test ! -d "$src"; then
+      echo "$0: $src does not exist." >&2
+      exit 1
+    fi
+
+    if test -z "$dst_arg"; then
+      echo "$0: no destination specified." >&2
+      exit 1
+    fi
+    dst=$dst_arg
+
+    # If destination is a directory, append the input filename; won't work
+    # if double slashes aren't ignored.
+    if test -d "$dst"; then
+      if test -n "$no_target_directory"; then
+	echo "$0: $dst_arg: Is a directory" >&2
+	exit 1
+      fi
+      dstdir=$dst
+      dst=$dstdir/`basename "$src"`
+      dstdir_status=0
+    else
+      # Prefer dirname, but fall back on a substitute if dirname fails.
+      dstdir=`
+	(dirname "$dst") 2>/dev/null ||
+	expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	     X"$dst" : 'X\(//\)[^/]' \| \
+	     X"$dst" : 'X\(//\)$' \| \
+	     X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
+	echo X"$dst" |
+	    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+		   s//\1/
+		   q
+		 }
+		 /^X\(\/\/\)[^/].*/{
+		   s//\1/
+		   q
+		 }
+		 /^X\(\/\/\)$/{
+		   s//\1/
+		   q
+		 }
+		 /^X\(\/\).*/{
+		   s//\1/
+		   q
+		 }
+		 s/.*/./; q'
+      `
+
+      test -d "$dstdir"
+      dstdir_status=$?
+    fi
+  fi
+
+  obsolete_mkdir_used=false
+
+  if test $dstdir_status != 0; then
+    case $posix_mkdir in
+      '')
+	# Create intermediate dirs using mode 755 as modified by the umask.
+	# This is like FreeBSD 'install' as of 1997-10-28.
+	umask=`umask`
+	case $stripcmd.$umask in
+	  # Optimize common cases.
+	  *[2367][2367]) mkdir_umask=$umask;;
+	  .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
+
+	  *[0-7])
+	    mkdir_umask=`expr $umask + 22 \
+	      - $umask % 100 % 40 + $umask % 20 \
+	      - $umask % 10 % 4 + $umask % 2
+	    `;;
+	  *) mkdir_umask=$umask,go-w;;
+	esac
+
+	# With -d, create the new directory with the user-specified mode.
+	# Otherwise, rely on $mkdir_umask.
+	if test -n "$dir_arg"; then
+	  mkdir_mode=-m$mode
+	else
+	  mkdir_mode=
+	fi
+
+	posix_mkdir=false
+	case $umask in
+	  *[123567][0-7][0-7])
+	    # POSIX mkdir -p sets u+wx bits regardless of umask, which
+	    # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
+	    ;;
+	  *)
+	    tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+	    trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+
+	    if (umask $mkdir_umask &&
+		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+	    then
+	      if test -z "$dir_arg" || {
+		   # Check for POSIX incompatibilities with -m.
+		   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+		   # other-writable bit of parent directory when it shouldn't.
+		   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+		   ls_ld_tmpdir=`ls -ld "$tmpdir"`
+		   case $ls_ld_tmpdir in
+		     d????-?r-*) different_mode=700;;
+		     d????-?--*) different_mode=755;;
+		     *) false;;
+		   esac &&
+		   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
+		     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+		     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
+		   }
+		 }
+	      then posix_mkdir=:
+	      fi
+	      rmdir "$tmpdir/d" "$tmpdir"
+	    else
+	      # Remove any dirs left behind by ancient mkdir implementations.
+	      rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+	    fi
+	    trap '' 0;;
+	esac;;
+    esac
+
+    if
+      $posix_mkdir && (
+	umask $mkdir_umask &&
+	$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
+      )
+    then :
+    else
+
+      # The umask is ridiculous, or mkdir does not conform to POSIX,
+      # or it failed possibly due to a race condition.  Create the
+      # directory the slow way, step by step, checking for races as we go.
+
+      case $dstdir in
+	/*) prefix='/';;
+	[-=\(\)!]*) prefix='./';;
+	*)  prefix='';;
+      esac
+
+      eval "$initialize_posix_glob"
+
+      oIFS=$IFS
+      IFS=/
+      $posix_glob set -f
+      set fnord $dstdir
+      shift
+      $posix_glob set +f
+      IFS=$oIFS
+
+      prefixes=
+
+      for d
+      do
+	test X"$d" = X && continue
+
+	prefix=$prefix$d
+	if test -d "$prefix"; then
+	  prefixes=
+	else
+	  if $posix_mkdir; then
+	    (umask=$mkdir_umask &&
+	     $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
+	    # Don't fail if two instances are running concurrently.
+	    test -d "$prefix" || exit 1
+	  else
+	    case $prefix in
+	      *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
+	      *) qprefix=$prefix;;
+	    esac
+	    prefixes="$prefixes '$qprefix'"
+	  fi
+	fi
+	prefix=$prefix/
+      done
+
+      if test -n "$prefixes"; then
+	# Don't fail if two instances are running concurrently.
+	(umask $mkdir_umask &&
+	 eval "\$doit_exec \$mkdirprog $prefixes") ||
+	  test -d "$dstdir" || exit 1
+	obsolete_mkdir_used=true
+      fi
+    fi
+  fi
+
+  if test -n "$dir_arg"; then
+    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
+    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
+    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
+      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
+  else
+
+    # Make a couple of temp file names in the proper directory.
+    dsttmp=$dstdir/_inst.$$_
+    rmtmp=$dstdir/_rm.$$_
+
+    # Trap to clean up those temp files at exit.
+    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
+
+    # Copy the file name to the temp name.
+    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
+
+    # and set any options; do chmod last to preserve setuid bits.
+    #
+    # If any of these fail, we abort the whole thing.  If we want to
+    # ignore errors from any of these, just make sure not to ignore
+    # errors from the above "$doit $cpprog $src $dsttmp" command.
+    #
+    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
+    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
+    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
+    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
+
+    # If -C, don't bother to copy if it wouldn't change the file.
+    if $copy_on_change &&
+       old=`LC_ALL=C ls -dlL "$dst"	2>/dev/null` &&
+       new=`LC_ALL=C ls -dlL "$dsttmp"	2>/dev/null` &&
+
+       eval "$initialize_posix_glob" &&
+       $posix_glob set -f &&
+       set X $old && old=:$2:$4:$5:$6 &&
+       set X $new && new=:$2:$4:$5:$6 &&
+       $posix_glob set +f &&
+
+       test "$old" = "$new" &&
+       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
+    then
+      rm -f "$dsttmp"
+    else
+      # Rename the file to the real destination.
+      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
+
+      # The rename failed, perhaps because mv can't rename something else
+      # to itself, or perhaps because mv is so ancient that it does not
+      # support -f.
+      {
+	# Now remove or move aside any old file at destination location.
+	# We try this two ways since rm can't unlink itself on some
+	# systems and the destination file might be busy for other
+	# reasons.  In this case, the final cleanup might fail but the new
+	# file should still install successfully.
+	{
+	  test ! -f "$dst" ||
+	  $doit $rmcmd -f "$dst" 2>/dev/null ||
+	  { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
+	    { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
+	  } ||
+	  { echo "$0: cannot unlink or rename $dst" >&2
+	    (exit 1); exit 1
+	  }
+	} &&
+
+	# Now rename the file to the real destination.
+	$doit $mvcmd "$dsttmp" "$dst"
+      }
+    fi || exit 1
+
+    trap '' 0
+  fi
+done
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:

configure.ac

@@ -0,0 +1,447 @@
+AC_INIT([nix],[m4_esyscmd(bash -c "echo -n $(cat ./.version)$VERSION_SUFFIX")])
+AC_CONFIG_MACRO_DIRS([m4])
+AC_CONFIG_SRCDIR(README.md)
+AC_CONFIG_AUX_DIR(config)
+
+AC_PROG_SED
+
+# Construct a Nix system name (like "i686-linux"):
+# https://www.gnu.org/software/autoconf/manual/html_node/Canonicalizing.html#index-AC_005fCANONICAL_005fHOST-1
+# The inital value is produced by the `config/config.guess` script:
+# upstream: https://git.savannah.gnu.org/cgit/config.git/tree/config.guess
+# It has the following form, which is not documented anywhere:
+# <cpu>-<vendor>-<os>[<version>][-<abi>]
+# If `./configure` is passed any of the `--host`, `--build`, `--target` options, the value comes from `config/config.sub` instead:
+# upstream: https://git.savannah.gnu.org/cgit/config.git/tree/config.sub
+AC_CANONICAL_HOST
+AC_MSG_CHECKING([for the canonical Nix system name])
+
+AC_ARG_WITH(system, AS_HELP_STRING([--with-system=SYSTEM],[Platform identifier (e.g., `i686-linux').]),
+  [system=$withval],
+  [case "$host_cpu" in
+     i*86)
+        machine_name="i686";;
+     amd64)
+        machine_name="x86_64";;
+     armv6|armv7)
+        machine_name="${host_cpu}l";;
+     *)
+        machine_name="$host_cpu";;
+   esac
+
+   case "$host_os" in
+     linux-gnu*|linux-musl*)
+        # For backward compatibility, strip the `-gnu' part.
+        system="$machine_name-linux";;
+     *)
+        # Strip the version number from names such as `gnu0.3',
+        # `darwin10.2.0', etc.
+        system="$machine_name-`echo $host_os | "$SED" -e's/@<:@0-9.@:>@*$//g'`";;
+   esac])
+
+AC_MSG_RESULT($system)
+AC_SUBST(system)
+AC_DEFINE_UNQUOTED(SYSTEM, ["$system"], [platform identifier ('cpu-os')])
+
+
+# State should be stored in /nix/var, unless the user overrides it explicitly.
+test "$localstatedir" = '${prefix}/var' && localstatedir=/nix/var
+
+# Assign a default value to C{,XX}FLAGS as the default configure script sets them
+# to -O2 otherwise, which we don't want to have hardcoded
+CFLAGS=${CFLAGS-""}
+CXXFLAGS=${CXXFLAGS-""}
+
+AC_PROG_CC
+AC_PROG_CXX
+AC_PROG_CPP
+
+AC_CHECK_TOOL([AR], [ar])
+
+# Use 64-bit file system calls so that we can support files > 2 GiB.
+AC_SYS_LARGEFILE
+
+
+# Solaris-specific stuff.
+case "$host_os" in
+  solaris*)
+    # Solaris requires -lsocket -lnsl for network functions
+    LDFLAGS="-lsocket -lnsl $LDFLAGS"
+    ;;
+esac
+
+
+ENSURE_NO_GCC_BUG_80431
+
+
+# Check for pubsetbuf.
+AC_MSG_CHECKING([for pubsetbuf])
+AC_LANG_PUSH(C++)
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <iostream>
+using namespace std;
+static char buf[1024];]],
+    [[cerr.rdbuf()->pubsetbuf(buf, sizeof(buf));]])],
+    [AC_MSG_RESULT(yes) AC_DEFINE(HAVE_PUBSETBUF, 1, [Whether pubsetbuf is available.])],
+    AC_MSG_RESULT(no))
+AC_LANG_POP(C++)
+
+
+AC_CHECK_FUNCS([statvfs pipe2 close_range])
+
+
+# Check for lutimes, optionally used for changing the mtime of
+# symlinks.
+AC_CHECK_FUNCS([lutimes])
+
+
+# Check whether the store optimiser can optimise symlinks.
+AC_MSG_CHECKING([whether it is possible to create a link to a symlink])
+ln -s bla tmp_link
+if ln tmp_link tmp_link2 2> /dev/null; then
+    AC_MSG_RESULT(yes)
+    AC_DEFINE(CAN_LINK_SYMLINK, 1, [Whether link() works on symlinks.])
+else
+    AC_MSG_RESULT(no)
+fi
+rm -f tmp_link tmp_link2
+
+
+# Check for <locale>.
+AC_LANG_PUSH(C++)
+AC_CHECK_HEADERS([locale])
+AC_LANG_POP(C++)
+
+
+AC_DEFUN([NEED_PROG],
+[
+AC_PATH_PROG($1, $2)
+if test -z "$$1"; then
+    AC_MSG_ERROR([$2 is required])
+fi
+])
+
+NEED_PROG(bash, bash)
+AC_PATH_PROG(flex, flex, false)
+AC_PATH_PROG(bison, bison, false)
+AC_PATH_PROG(dot, dot)
+AC_PATH_PROG(lsof, lsof, lsof)
+
+
+AC_SUBST(coreutils, [$(dirname $(type -p cat))])
+
+
+AC_ARG_WITH(store-dir, AS_HELP_STRING([--with-store-dir=PATH],[path of the Nix store (defaults to /nix/store)]),
+  storedir=$withval, storedir='/nix/store')
+AC_SUBST(storedir)
+
+
+# Running the functional tests without building Nix is useful for testing
+# different pre-built versions of Nix against each other.
+AC_ARG_ENABLE(build, AS_HELP_STRING([--disable-build],[Do not build nix]),
+  ENABLE_BUILD=$enableval, ENABLE_BUILD=yes)
+AC_SUBST(ENABLE_BUILD)
+
+# Building without unit tests is useful for bootstrapping with a smaller footprint
+# or running the tests in a separate derivation. Otherwise, we do compile and
+# run them.
+
+AC_ARG_ENABLE(unit-tests, AS_HELP_STRING([--disable-unit-tests],[Do not build the tests]),
+  ENABLE_UNIT_TESTS=$enableval, ENABLE_UNIT_TESTS=$ENABLE_BUILD)
+AC_SUBST(ENABLE_UNIT_TESTS)
+
+AS_IF(
+  [test "$ENABLE_BUILD" == "no" && test "$ENABLE_UNIT_TESTS" == "yes"],
+  [AC_MSG_ERROR([Cannot enable unit tests when building overall is disabled. Please do not pass '--enable-unit-tests' or do not pass '--disable-build'.])])
+
+AC_ARG_ENABLE(functional-tests, AS_HELP_STRING([--disable-functional-tests],[Do not build the tests]),
+  ENABLE_FUNCTIONAL_TESTS=$enableval, ENABLE_FUNCTIONAL_TESTS=yes)
+AC_SUBST(ENABLE_FUNCTIONAL_TESTS)
+
+# documentation generation switch
+AC_ARG_ENABLE(doc-gen, AS_HELP_STRING([--disable-doc-gen],[disable documentation generation]),
+  ENABLE_DOC_GEN=$enableval, ENABLE_DOC_GEN=$ENABLE_BUILD)
+AC_SUBST(ENABLE_DOC_GEN)
+
+AS_IF(
+  [test "$ENABLE_BUILD" == "no" && test "$ENABLE_DOC_GEN" == "yes"],
+  [AC_MSG_ERROR([Cannot enable generated docs when building overall is disabled. Please do not pass '--enable-doc-gen' or do not pass '--disable-build'.])])
+
+AS_IF(
+  [test "$ENABLE_FUNCTIONAL_TESTS" == "yes" || test "$ENABLE_DOC_GEN" == "yes"],
+  [NEED_PROG(jq, jq)])
+
+AS_IF([test "$ENABLE_BUILD" == "yes"],[
+
+# Look for boost, a required dependency.
+# Note that AX_BOOST_BASE only exports *CPP* BOOST_CPPFLAGS, no CXX flags,
+# and CPPFLAGS are not passed to the C++ compiler automatically.
+# Thus we append the returned CPPFLAGS to the CXXFLAGS here.
+AX_BOOST_BASE([1.66], [CXXFLAGS="$BOOST_CPPFLAGS $CXXFLAGS"], [AC_MSG_ERROR([Nix requires boost.])])
+# For unknown reasons, setting this directly in the ACTION-IF-FOUND above
+# ends up with LDFLAGS being empty, so we set it afterwards.
+LDFLAGS="$BOOST_LDFLAGS $LDFLAGS"
+
+# On some platforms, new-style atomics need a helper library
+AC_MSG_CHECKING(whether -latomic is needed)
+AC_LINK_IFELSE([AC_LANG_SOURCE([[
+#include <stdint.h>
+uint64_t v;
+int main() {
+    return (int)__atomic_load_n(&v, __ATOMIC_ACQUIRE);
+}]])], GCC_ATOMIC_BUILTINS_NEED_LIBATOMIC=no, GCC_ATOMIC_BUILTINS_NEED_LIBATOMIC=yes)
+AC_MSG_RESULT($GCC_ATOMIC_BUILTINS_NEED_LIBATOMIC)
+if test "x$GCC_ATOMIC_BUILTINS_NEED_LIBATOMIC" = xyes; then
+    LDFLAGS="-latomic $LDFLAGS"
+fi
+
+AC_ARG_ENABLE(install-unit-tests, AS_HELP_STRING([--enable-install-unit-tests],[Install the unit tests for running later (default no)]),
+  INSTALL_UNIT_TESTS=$enableval, INSTALL_UNIT_TESTS=no)
+AC_SUBST(INSTALL_UNIT_TESTS)
+
+AC_ARG_WITH(check-bin-dir, AS_HELP_STRING([--with-check-bin-dir=PATH],[path to install unit tests for running later (defaults to $libexecdir/nix)]),
+  checkbindir=$withval, checkbindir=$libexecdir/nix)
+AC_SUBST(checkbindir)
+
+AC_ARG_WITH(check-lib-dir, AS_HELP_STRING([--with-check-lib-dir=PATH],[path to install unit tests for running later (defaults to $libdir)]),
+  checklibdir=$withval, checklibdir=$libdir)
+AC_SUBST(checklibdir)
+
+# LTO is currently broken with clang for unknown reasons; ld segfaults in the llvm plugin
+AC_ARG_ENABLE(lto, AS_HELP_STRING([--enable-lto],[Enable LTO (only supported with GCC) [default=no]]),
+  lto=$enableval, lto=no)
+if test "$lto" = yes; then
+    if $CXX --version | grep -q GCC; then
+        AC_SUBST(CXXLTO, [-flto=jobserver])
+    else
+        echo "error: LTO is only supported with GCC at the moment" >&2
+        exit 1
+    fi
+else
+    AC_SUBST(CXXLTO, [""])
+fi
+
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_ENABLE(shared, AS_HELP_STRING([--enable-shared],[Build shared libraries for Nix [default=yes]]),
+  shared=$enableval, shared=yes)
+if test "$shared" = yes; then
+  AC_SUBST(BUILD_SHARED_LIBS, 1, [Whether to build shared libraries.])
+else
+  AC_SUBST(BUILD_SHARED_LIBS, 0, [Whether to build shared libraries.])
+  PKG_CONFIG="$PKG_CONFIG --static"
+fi
+
+# Look for OpenSSL, a required dependency. FIXME: this is only (maybe)
+# used by S3BinaryCacheStore.
+PKG_CHECK_MODULES([OPENSSL], [libcrypto >= 1.1.1], [CXXFLAGS="$OPENSSL_CFLAGS $CXXFLAGS"])
+
+
+# Look for libarchive.
+PKG_CHECK_MODULES([LIBARCHIVE], [libarchive >= 3.1.2], [CXXFLAGS="$LIBARCHIVE_CFLAGS $CXXFLAGS"])
+# Workaround until https://github.com/libarchive/libarchive/issues/1446 is fixed
+if test "$shared" != yes; then
+    LIBARCHIVE_LIBS+=' -lz'
+fi
+
+# Look for SQLite, a required dependency.
+PKG_CHECK_MODULES([SQLITE3], [sqlite3 >= 3.6.19], [CXXFLAGS="$SQLITE3_CFLAGS $CXXFLAGS"])
+
+# Look for libcurl, a required dependency.
+PKG_CHECK_MODULES([LIBCURL], [libcurl], [CXXFLAGS="$LIBCURL_CFLAGS $CXXFLAGS"])
+
+# Look for editline or readline, a required dependency.
+# The the libeditline.pc file was added only in libeditline >= 1.15.2,
+# see https://github.com/troglobit/editline/commit/0a8f2ef4203c3a4a4726b9dd1336869cd0da8607,
+# Older versions are no longer supported.
+AC_ARG_WITH(
+  [readline-flavor],
+  AS_HELP_STRING([--with-readline-flavor],[Which library to use for nice line editting with the Nix language REPL" [default=editline]]),
+  [readline_flavor=$withval],
+  [readline_flavor=editline])
+AS_CASE(["$readline_flavor"],
+  [editline], [
+    readline_flavor_pc=libeditline
+  ],
+  [readline], [
+    readline_flavor_pc=readline
+    AC_DEFINE([USE_READLINE], [1], [Use readline instead of editline])
+  ],
+  [AC_MSG_ERROR([bad value "$readline_flavor" for --with-readline-flavor, must be one of: editline, readline])])
+PKG_CHECK_MODULES([EDITLINE], [$readline_flavor_pc], [CXXFLAGS="$EDITLINE_CFLAGS $CXXFLAGS"])
+
+# Look for libsodium.
+PKG_CHECK_MODULES([SODIUM], [libsodium], [CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"])
+
+# Look for libbrotli{enc,dec}.
+PKG_CHECK_MODULES([LIBBROTLI], [libbrotlienc libbrotlidec], [CXXFLAGS="$LIBBROTLI_CFLAGS $CXXFLAGS"])
+
+# Look for libcpuid.
+have_libcpuid=
+if test "$machine_name" = "x86_64"; then
+    AC_ARG_ENABLE([cpuid],
+                  AS_HELP_STRING([--disable-cpuid], [Do not determine microarchitecture levels with libcpuid (relevant to x86_64 only)]))
+    if test "x$enable_cpuid" != "xno"; then
+      PKG_CHECK_MODULES([LIBCPUID], [libcpuid],
+        [CXXFLAGS="$LIBCPUID_CFLAGS $CXXFLAGS"
+         have_libcpuid=1
+         AC_DEFINE([HAVE_LIBCPUID], [1], [Use libcpuid])]
+      )
+    fi
+fi
+AC_SUBST(HAVE_LIBCPUID, [$have_libcpuid])
+
+
+# Look for libseccomp, required for Linux sandboxing.
+case "$host_os" in
+  linux*)
+    AC_ARG_ENABLE([seccomp-sandboxing],
+                  AS_HELP_STRING([--disable-seccomp-sandboxing],[Don't build support for seccomp sandboxing (only recommended if your arch doesn't support libseccomp yet!)
+                                ]))
+    if test "x$enable_seccomp_sandboxing" != "xno"; then
+      PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp],
+                        [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS" CFLAGS="$LIBSECCOMP_CFLAGS $CFLAGS"])
+      have_seccomp=1
+      AC_DEFINE([HAVE_SECCOMP], [1], [Whether seccomp is available and should be used for sandboxing.])
+      AC_COMPILE_IFELSE([
+        AC_LANG_SOURCE([[
+          #include <seccomp.h>
+          #ifndef __SNR_fchmodat2
+          # error "Missing support for fchmodat2"
+          #endif
+        ]])
+      ], [], [
+        echo "libseccomp is missing __SNR_fchmodat2. Please provide libseccomp 2.5.5 or later"
+        exit 1
+      ])
+    else
+      have_seccomp=
+    fi
+    ;;
+  *)
+    have_seccomp=
+    ;;
+esac
+AC_SUBST(HAVE_SECCOMP, [$have_seccomp])
+
+# Optional dependencies for better normalizing file system data
+AC_CHECK_HEADERS([sys/xattr.h])
+AS_IF([test "$ac_cv_header_sys_xattr_h" = "yes"],[
+  AC_CHECK_FUNCS([llistxattr lremovexattr])
+  AS_IF([test "$ac_cv_func_llistxattr" = "yes" && test "$ac_cv_func_lremovexattr" = "yes"],[
+    AC_DEFINE([HAVE_ACL_SUPPORT], [1], [Define if we can manipulate file system Access Control Lists])
+  ])
+])
+
+# Look for aws-cpp-sdk-s3.
+AC_LANG_PUSH(C++)
+AC_CHECK_HEADERS([aws/s3/S3Client.h],
+  [AC_DEFINE([ENABLE_S3], [1], [Whether to enable S3 support via aws-sdk-cpp.]) enable_s3=1],
+  [AC_DEFINE([ENABLE_S3], [0], [Whether to enable S3 support via aws-sdk-cpp.]) enable_s3=])
+AC_SUBST(ENABLE_S3, [$enable_s3])
+AC_LANG_POP(C++)
+
+
+# Whether to use the Boehm garbage collector.
+AC_ARG_ENABLE(gc, AS_HELP_STRING([--enable-gc],[enable garbage collection in the Nix expression evaluator (requires Boehm GC) [default=yes]]),
+  gc=$enableval, gc=yes)
+if test "$gc" = yes; then
+  PKG_CHECK_MODULES([BDW_GC], [bdw-gc])
+  CXXFLAGS="$BDW_GC_CFLAGS $CXXFLAGS"
+  AC_DEFINE(HAVE_BOEHMGC, 1, [Whether to use the Boehm garbage collector.])
+
+  # See `fixupBoehmStackPointer`, for the integration between Boehm GC
+  # and Boost coroutines.
+  old_CFLAGS="$CFLAGS"
+  # Temporary set `-pthread` just for the next check
+  CFLAGS="$CFLAGS -pthread"
+  AC_CHECK_FUNCS([pthread_attr_get_np pthread_getattr_np])
+  CFLAGS="$old_CFLAGS"
+fi
+
+AS_IF([test "$ENABLE_UNIT_TESTS" == "yes"],[
+
+# Look for gtest.
+PKG_CHECK_MODULES([GTEST], [gtest_main gmock_main])
+
+# Look for rapidcheck.
+PKG_CHECK_MODULES([RAPIDCHECK], [rapidcheck rapidcheck_gtest])
+
+])
+
+# Look for nlohmann/json.
+PKG_CHECK_MODULES([NLOHMANN_JSON], [nlohmann_json >= 3.9])
+
+
+# Look for lowdown library.
+AC_ARG_ENABLE([markdown], AS_HELP_STRING([--enable-markdown], [Enable Markdown rendering in the Nix binary (requires lowdown) [default=auto]]),
+  enable_markdown=$enableval, enable_markdown=auto)
+AS_CASE(["$enable_markdown"],
+  [yes | auto], [
+    PKG_CHECK_MODULES([LOWDOWN], [lowdown >= 0.9.0], [
+      CXXFLAGS="$LOWDOWN_CFLAGS $CXXFLAGS"
+      have_lowdown=1
+      AC_DEFINE(HAVE_LOWDOWN, 1, [Whether lowdown is available and should be used for Markdown rendering.])
+    ], [
+      AS_IF([test "x$enable_markdown" == "xyes"], [AC_MSG_ERROR([--enable-markdown was specified, but lowdown was not found.])])
+    ])
+  ],
+  [no], [have_lowdown=],
+  [AC_MSG_ERROR([bad value "$enable_markdown" for --enable-markdown, must be one of: yes, no, auto])])
+
+
+# Look for libgit2.
+PKG_CHECK_MODULES([LIBGIT2], [libgit2])
+
+
+# Look for toml11, a required dependency.
+AC_LANG_PUSH(C++)
+AC_CHECK_HEADER([toml.hpp], [], [AC_MSG_ERROR([toml11 is not found.])])
+AC_LANG_POP(C++)
+
+# Setuid installations.
+AC_CHECK_FUNCS([setresuid setreuid lchown])
+
+
+# Nice to have, but not essential.
+AC_CHECK_FUNCS([strsignal posix_fallocate sysconf])
+
+
+AC_ARG_WITH(sandbox-shell, AS_HELP_STRING([--with-sandbox-shell=PATH],[path of a statically-linked shell to use as /bin/sh in sandboxes]),
+  sandbox_shell=$withval)
+AC_SUBST(sandbox_shell)
+if test ${cross_compiling:-no} = no && ! test -z ${sandbox_shell+x}; then
+  AC_MSG_CHECKING([whether sandbox-shell has the standalone feature])
+  # busybox shell sometimes allows executing other busybox applets,
+  # even if they are not in the path, breaking our sandbox
+  if PATH= $sandbox_shell -c "busybox" 2>&1 | grep -qv "not found"; then
+    AC_MSG_RESULT(enabled)
+    AC_MSG_ERROR([Please disable busybox FEATURE_SH_STANDALONE])
+  else
+    AC_MSG_RESULT(disabled)
+  fi
+fi
+
+AC_ARG_ENABLE(embedded-sandbox-shell, AS_HELP_STRING([--enable-embedded-sandbox-shell],[include the sandbox shell in the Nix binary [default=no]]),
+  embedded_sandbox_shell=$enableval, embedded_sandbox_shell=no)
+AC_SUBST(embedded_sandbox_shell)
+if test "$embedded_sandbox_shell" = yes; then
+  AC_DEFINE(HAVE_EMBEDDED_SANDBOX_SHELL, 1, [Include the sandbox shell in the Nix binary.])
+fi
+
+])
+
+
+# Expand all variables in config.status.
+test "$prefix" = NONE && prefix=$ac_default_prefix
+test "$exec_prefix" = NONE && exec_prefix='${prefix}'
+for name in $ac_subst_vars; do
+    declare $name="$(eval echo "${!name}")"
+    declare $name="$(eval echo "${!name}")"
+    declare $name="$(eval echo "${!name}")"
+done
+
+rm -f Makefile.config
+
+AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_FILES([])
+AC_OUTPUT

default.nix

@@ -1,9 +1,10 @@
-(import (
-  let
-    lock = builtins.fromJSON (builtins.readFile ./flake.lock);
-  in
-  fetchTarball {
-    url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
-    sha256 = lock.nodes.flake-compat.locked.narHash;
-  }
-) { src = ./.; }).defaultNix
+(import
+  (
+    let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
+    fetchTarball {
+      url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+      sha256 = lock.nodes.flake-compat.locked.narHash;
+    }
+  )
+  { src = ./.; }
+).defaultNix

doc/manual/book.toml

@@ -1,6 +1,5 @@
 [book]
-title = "Nix @version@ Reference Manual"
-src = "source"
+title = "Nix Reference Manual"
 
 [output.html]
 additional-css = ["custom.css"]
@@ -8,7 +7,7 @@ additional-js = ["redirects.js"]
 edit-url-template = "https://github.com/NixOS/nix/tree/master/doc/manual/{path}"
 git-repository-url = "https://github.com/NixOS/nix"
 
-# Handles replacing @docroot@ with a path to ./source relative to that markdown file,
+# Handles replacing @docroot@ with a path to ./src relative to that markdown file,
 # {{#include handlebars}}, and the @generated@ syntax used within these. it mostly
 # but not entirely replaces the links preprocessor (which we cannot simply use due
 # to @generated@ files living in a different directory to make meson happy). we do

doc/manual/generate-builtins.nix

@@ -5,15 +5,7 @@ in
 
 builtinsInfo:
 let
-  showBuiltin =
-    name:
-    {
-      doc,
-      type ? null,
-      args ? [ ],
-      experimental-feature ? null,
-      impure-only ? false,
-    }:
+  showBuiltin = name: { doc, type ? null, args ? [ ], experimental-feature ? null, impure-only ? false }:
     let
       type' = optionalString (type != null) " (${type})";
 

doc/manual/generate-manpage.nix

@@ -32,13 +32,7 @@ let
 
   commandInfo = fromJSON commandDump;
 
-  showCommand =
-    {
-      command,
-      details,
-      filename,
-      toplevel,
-    }:
+  showCommand = { command, details, filename, toplevel }:
     let
 
       result = ''
@@ -62,27 +56,26 @@ let
         ${maybeOptions}
       '';
 
-      showSynopsis =
-        command: args:
+      showSynopsis = command: args:
         let
-          showArgument = arg: "*${arg.label}*" + optionalString (!arg ? arity) "...";
+          showArgument = arg: "*${arg.label}*" + optionalString (! arg ? arity) "...";
           arguments = concatStringsSep " " (map showArgument args);
-        in
-        ''
+        in ''
           `${command}` [*option*...] ${arguments}
         '';
 
-      maybeSubcommands = optionalString (details ? commands && details.commands != { }) ''
-        where *subcommand* is one of the following:
+      maybeSubcommands = optionalString (details ? commands && details.commands != {})
+        ''
+          where *subcommand* is one of the following:
 
-        ${subcommands}
-      '';
+          ${subcommands}
+        '';
 
-      subcommands = if length categories > 1 then listCategories else listSubcommands details.commands;
+      subcommands = if length categories > 1
+        then listCategories
+        else listSubcommands details.commands;
 
-      categories = sort (x: y: x.id < y.id) (
-        unique (map (cmd: cmd.category) (attrValues details.commands))
-      );
+      categories = sort (x: y: x.id < y.id) (unique (map (cmd: cmd.category) (attrValues details.commands)));
 
       listCategories = concatStrings (map showCategory categories);
 
@@ -106,39 +99,38 @@ let
 
             ${allStores}
           '';
-          index =
-            replaceStrings
-              [ "@store-types@" "./local-store.md" "./local-daemon-store.md" ]
-              [ storesOverview "#local-store" "#local-daemon-store" ]
-              details.doc;
+          index = replaceStrings
+            [ "@store-types@" "./local-store.md" "./local-daemon-store.md" ]
+            [ storesOverview "#local-store" "#local-daemon-store" ]
+            details.doc;
           storesOverview =
             let
-              showEntry = store: "- [${store.name}](#${store.slug})";
+              showEntry = store:
+                "- [${store.name}](#${store.slug})";
             in
             concatStringsSep "\n" (map showEntry storesList) + "\n";
           allStores = concatStringsSep "\n" (attrValues storePages);
-          storePages = listToAttrs (
-            map (s: {
-              name = s.filename;
-              value = s.page;
-            }) storesList
-          );
+          storePages = listToAttrs
+            (map (s: { name = s.filename; value = s.page; }) storesList);
           storesList = showStoreDocs {
             storeInfo = commandInfo.stores;
             inherit inlineHTML;
           };
-          hasInfix =
-            infix: content:
+          hasInfix = infix: content:
             builtins.stringLength content != builtins.stringLength (replaceStrings [ infix ] [ "" ] content);
         in
         optionalString (details ? doc) (
           # An alternate implementation with builtins.match stack overflowed on some systems.
-          if hasInfix "@store-types@" details.doc then help-stores else details.doc
+          if hasInfix "@store-types@" details.doc
+          then help-stores
+          else details.doc
         );
 
       maybeOptions =
         let
-          allVisibleOptions = filterAttrs (_: o: !o.hiddenCategory) (details.flags // toplevel.flags);
+          allVisibleOptions = filterAttrs
+            (_: o: ! o.hiddenCategory)
+            (details.flags // toplevel.flags);
         in
         optionalString (allVisibleOptions != { }) ''
           # Options
@@ -150,73 +142,55 @@ let
           > See [`man nix.conf`](@docroot@/command-ref/conf-file.md#command-line-flags) for overriding configuration settings with command line flags.
         '';
 
-      showOptions =
-        inlineHTML: allOptions:
+      showOptions = inlineHTML: allOptions:
         let
           showCategory = cat: opts: ''
             ${optionalString (cat != "") "## ${cat}"}
 
             ${concatStringsSep "\n" (attrValues (mapAttrs showOption opts))}
           '';
-          showOption =
-            name: option:
+          showOption = name: option:
             let
               result = trim ''
                 - ${item}
 
                   ${option.description}
               '';
-              item =
-                if inlineHTML then
-                  ''<span id="opt-${name}">[`--${name}`](#opt-${name})</span> ${shortName} ${labels}''
-                else
-                  "`--${name}` ${shortName} ${labels}";
-              shortName = optionalString (option ? shortName) ("/ `-${option.shortName}`");
-              labels = optionalString (option ? labels) (concatStringsSep " " (map (s: "*${s}*") option.labels));
-            in
-            result;
-          categories =
-            mapAttrs
-              # Convert each group from a list of key-value pairs back to an attrset
-              (_: listToAttrs)
-              (groupBy (cmd: cmd.value.category) (attrsToList allOptions));
-        in
-        concatStrings (attrValues (mapAttrs showCategory categories));
-    in
-    squash result;
+              item = if inlineHTML
+                then ''<span id="opt-${name}">[`--${name}`](#opt-${name})</span> ${shortName} ${labels}''
+                else "`--${name}` ${shortName} ${labels}";
+              shortName = optionalString
+                (option ? shortName)
+                ("/ `-${option.shortName}`");
+              labels = optionalString
+                (option ? labels)
+                (concatStringsSep " " (map (s: "*${s}*") option.labels));
+            in result;
+          categories = mapAttrs
+            # Convert each group from a list of key-value pairs back to an attrset
+            (_: listToAttrs)
+            (groupBy
+              (cmd: cmd.value.category)
+              (attrsToList allOptions));
+        in concatStrings (attrValues (mapAttrs showCategory categories));
+    in squash result;
 
   appendName = filename: name: (if filename == "nix" then "nix3" else filename) + "-" + name;
 
-  processCommand =
-    {
-      command,
-      details,
-      filename,
-      toplevel,
-    }:
+  processCommand = { command, details, filename, toplevel }:
     let
       cmd = {
         inherit command;
         name = filename + ".md";
-        value = showCommand {
-          inherit
-            command
-            details
-            filename
-            toplevel
-            ;
-        };
+        value = showCommand { inherit command details filename toplevel; };
       };
-      subcommand =
-        subCmd:
-        processCommand {
-          command = command + " " + subCmd;
-          details = details.commands.${subCmd};
-          filename = appendName filename subCmd;
-          inherit toplevel;
-        };
-    in
-    [ cmd ] ++ concatMap subcommand (attrNames details.commands or { });
+      subcommand = subCmd: processCommand {
+        command = command + " " + subCmd;
+        details = details.commands.${subCmd};
+        filename = appendName filename subCmd;
+        inherit toplevel;
+      };
+    in [ cmd ] ++ concatMap subcommand (attrNames details.commands or {});
 
   manpages = processCommand {
     command = "nix";
@@ -225,11 +199,9 @@ let
     toplevel = commandInfo.args;
   };
 
-  tableOfContents =
-    let
-      showEntry = page: "    - [${page.command}](command-ref/new-cli/${page.name})";
-    in
-    concatStringsSep "\n" (map showEntry manpages) + "\n";
+  tableOfContents = let
+    showEntry = page:
+      "    - [${page.command}](command-ref/new-cli/${page.name})";
+    in concatStringsSep "\n" (map showEntry manpages) + "\n";
 
-in
-(listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }
+in (listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }

doc/manual/generate-settings.nix

@@ -1,99 +1,67 @@
 let
-  inherit (builtins)
-    attrValues
-    concatStringsSep
-    isAttrs
-    isBool
-    mapAttrs
-    ;
-  inherit (import <nix/utils.nix>)
-    concatStrings
-    indent
-    optionalString
-    squash
-    ;
+  inherit (builtins) attrValues concatStringsSep isAttrs isBool mapAttrs;
+  inherit (import <nix/utils.nix>) concatStrings indent optionalString squash;
 in
 
 # `inlineHTML` is a hack to accommodate inconsistent output from `lowdown`
-{
-  prefix,
-  inlineHTML ? true,
-}:
-settingsInfo:
+{ prefix, inlineHTML ? true }: settingsInfo:
 
 let
 
-  showSetting =
-    prefix: setting:
-    {
-      description,
-      documentDefault,
-      defaultValue,
-      aliases,
-      value,
-      experimentalFeature,
-    }:
+  showSetting = prefix: setting: { description, documentDefault, defaultValue, aliases, value, experimentalFeature }:
     let
       result = squash ''
-        - ${item}
+          - ${item}
 
-        ${indent "  " body}
-      '';
-      item =
-        if inlineHTML then
-          ''<span id="${prefix}-${setting}">[`${setting}`](#${prefix}-${setting})</span>''
-        else
-          "`${setting}`";
+          ${indent "  " body}
+        '';
+      item = if inlineHTML
+        then ''<span id="${prefix}-${setting}">[`${setting}`](#${prefix}-${setting})</span>''
+        else "`${setting}`";
       # separate body to cleanly handle indentation
       body = ''
-        ${experimentalFeatureNote}
+          ${experimentalFeatureNote}
 
-        ${description}
+          ${description}
 
-        **Default:** ${showDefault documentDefault defaultValue}
+          **Default:** ${showDefault documentDefault defaultValue}
 
-        ${showAliases aliases}
-      '';
+          ${showAliases aliases}
+        '';
 
       experimentalFeatureNote = optionalString (experimentalFeature != null) ''
-        > **Warning**
-        >
-        > This setting is part of an
-        > [experimental feature](@docroot@/development/experimental-features.md).
-        >
-        > To change this setting, make sure the
-        > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
-        > is enabled.
-        > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
-        >
-        > ```
-        > extra-experimental-features = ${experimentalFeature}
-        > ${setting} = ...
-        > ```
-      '';
+          > **Warning**
+          >
+          > This setting is part of an
+          > [experimental feature](@docroot@/development/experimental-features.md).
+          >
+          > To change this setting, make sure the
+          > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
+          > is enabled.
+          > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
+          >
+          > ```
+          > extra-experimental-features = ${experimentalFeature}
+          > ${setting} = ...
+          > ```
+        '';
 
-      showDefault =
-        documentDefault: defaultValue:
+      showDefault = documentDefault: defaultValue:
         if documentDefault then
           # a StringMap value type is specified as a string, but
           # this shows the value type. The empty stringmap is `null` in
           # JSON, but that converts to `{ }` here.
-          if defaultValue == "" || defaultValue == [ ] || isAttrs defaultValue then
-            "*empty*"
-          else if isBool defaultValue then
-            if defaultValue then "`true`" else "`false`"
-          else
-            "`${toString defaultValue}`"
-        else
-          "*machine-specific*";
+          if defaultValue == "" || defaultValue == [] || isAttrs defaultValue
+            then "*empty*"
+            else if isBool defaultValue then
+              if defaultValue then "`true`" else "`false`"
+            else "`${toString defaultValue}`"
+        else "*machine-specific*";
 
-      showAliases =
-        aliases:
-        optionalString (aliases != [ ])
-          "**Deprecated alias:** ${(concatStringsSep ", " (map (s: "`${s}`") aliases))}";
+      showAliases = aliases:
+          optionalString (aliases != [])
+            "**Deprecated alias:** ${(concatStringsSep ", " (map (s: "`${s}`") aliases))}";
 
-    in
-    result;
+    in result;
 
-in
-concatStrings (attrValues (mapAttrs (showSetting prefix) settingsInfo))
+in concatStrings (attrValues (mapAttrs (showSetting prefix) settingsInfo))

doc/manual/generate-store-info.nix

@@ -1,20 +1,6 @@
 let
-  inherit (builtins)
-    attrNames
-    listToAttrs
-    concatStringsSep
-    readFile
-    replaceStrings
-    ;
-  inherit (import <nix/utils.nix>)
-    optionalString
-    filterAttrs
-    trim
-    squash
-    toLower
-    unique
-    indent
-    ;
+  inherit (builtins) attrNames listToAttrs concatStringsSep readFile replaceStrings;
+  inherit (import <nix/utils.nix>) optionalString filterAttrs trim squash toLower unique indent;
   showSettings = import <nix/generate-settings.nix>;
 in
 
@@ -28,13 +14,7 @@ in
 
 let
 
-  showStore =
-    { name, slug }:
-    {
-      settings,
-      doc,
-      experimentalFeature,
-    }:
+  showStore = { name, slug }: { settings, doc, experimentalFeature }:
     let
       result = squash ''
         # ${name}
@@ -45,10 +25,7 @@ let
 
         ## Settings
 
-        ${showSettings {
-          prefix = "store-${slug}";
-          inherit inlineHTML;
-        } settings}
+        ${showSettings { prefix = "store-${slug}"; inherit inlineHTML; } settings}
       '';
 
       experimentalFeatureNote = optionalString (experimentalFeature != null) ''
@@ -66,15 +43,15 @@ let
         > extra-experimental-features = ${experimentalFeature}
         > ```
       '';
-    in
-    result;
+    in result;
 
-  storesList = map (name: rec {
-    inherit name;
-    slug = replaceStrings [ " " ] [ "-" ] (toLower name);
-    filename = "${slug}.md";
-    page = showStore { inherit name slug; } storeInfo.${name};
-  }) (attrNames storeInfo);
+  storesList = map
+    (name: rec {
+      inherit name;
+      slug = replaceStrings [ " " ] [ "-" ] (toLower name);
+      filename = "${slug}.md";
+      page = showStore { inherit name slug; } storeInfo.${name};
+    })
+    (attrNames storeInfo);
 
-in
-storesList
+in storesList

doc/manual/generate-store-types.nix

@@ -1,11 +1,5 @@
 let
-  inherit (builtins)
-    attrNames
-    listToAttrs
-    concatStringsSep
-    readFile
-    replaceStrings
-    ;
+  inherit (builtins) attrNames listToAttrs concatStringsSep readFile replaceStrings;
   showSettings = import <nix/generate-settings.nix>;
   showStoreDocs = import <nix/generate-store-info.nix>;
 in
@@ -20,28 +14,26 @@ let
 
   index =
     let
-      showEntry = store: "- [${store.name}](./${store.filename})";
+      showEntry = store:
+        "- [${store.name}](./${store.filename})";
     in
     concatStringsSep "\n" (map showEntry storesList);
 
-  "index.md" =
-    replaceStrings [ "@store-types@" ] [ index ]
-      (readFile ./source/store/types/index.md.in);
+  "index.md" = replaceStrings
+    [ "@store-types@" ] [ index ]
+    (readFile ./src/store/types/index.md.in);
 
   tableOfContents =
     let
-      showEntry = store: "    - [${store.name}](store/types/${store.filename})";
+      showEntry = store:
+        "    - [${store.name}](store/types/${store.filename})";
     in
     concatStringsSep "\n" (map showEntry storesList) + "\n";
 
   "SUMMARY.md" = tableOfContents;
 
-  storePages = listToAttrs (
-    map (s: {
-      name = s.filename;
-      value = s.page;
-    }) storesList
-  );
+  storePages = listToAttrs
+    (map (s: { name = s.filename; value = s.page; }) storesList);
 
 in
 storePages // { inherit "index.md" "SUMMARY.md"; }

doc/manual/generate-xp-features-shortlist.nix

@@ -2,8 +2,8 @@ with builtins;
 with import <nix/utils.nix>;
 
 let
-  showExperimentalFeature = name: doc: ''
-    - [`${name}`](@docroot@/development/experimental-features.md#xp-feature-${name})
-  '';
-in
-xps: indent "  " (concatStrings (attrValues (mapAttrs showExperimentalFeature xps)))
+  showExperimentalFeature = name: doc:
+    ''
+      - [`${name}`](@docroot@/development/experimental-features.md#xp-feature-${name})
+    '';
+in xps: indent "  " (concatStrings (attrValues (mapAttrs showExperimentalFeature xps)))

doc/manual/generate-xp-features.nix

@@ -2,8 +2,7 @@ with builtins;
 with import <nix/utils.nix>;
 
 let
-  showExperimentalFeature =
-    name: doc:
+  showExperimentalFeature = name: doc:
     squash ''
       ## [`${name}`]{#xp-feature-${name}}
 

doc/manual/local.mk

@@ -0,0 +1,236 @@
+# The version of Nix used to generate the doc. Can also be
+# `$(nix_INSTALL_PATH)` or just `nix` (to grap ambient from the `PATH`),
+# if one prefers.
+doc_nix = $(nix_PATH)
+
+MANUAL_SRCS := \
+	$(call rwildcard, $(d)/src, *.md) \
+	$(call rwildcard, $(d)/src, */*.md)
+
+man-pages := $(foreach n, \
+	nix-env.1 nix-store.1 \
+	nix-build.1 nix-shell.1 nix-instantiate.1 \
+	nix-collect-garbage.1 \
+	nix-prefetch-url.1 nix-channel.1 \
+	nix-hash.1 nix-copy-closure.1 \
+	nix.conf.5 nix-daemon.8 \
+	nix-profiles.5 \
+, $(d)/$(n))
+
+# man pages for subcommands
+# convert from `$(d)/src/command-ref/nix-{1}/{2}.md` to `$(d)/nix-{1}-{2}.1`
+# FIXME: unify with how nix3-cli man pages are generated
+man-pages += $(foreach subcommand, \
+	$(filter-out %opt-common.md %env-common.md, $(wildcard $(d)/src/command-ref/nix-*/*.md)), \
+	$(d)/$(subst /,-,$(subst $(d)/src/command-ref/,,$(subst .md,.1,$(subcommand)))))
+
+clean-files += $(d)/*.1 $(d)/*.5 $(d)/*.8
+
+# Provide a dummy environment for nix, so that it will not access files outside the macOS sandbox.
+# Set cores to 0 because otherwise `nix config show` resolves the cores based on the current machine
+dummy-env = env -i \
+	HOME=/dummy \
+	NIX_CONF_DIR=/dummy \
+	NIX_SSL_CERT_FILE=/dummy/no-ca-bundle.crt \
+	NIX_STATE_DIR=/dummy \
+	NIX_CONFIG='cores = 0'
+
+nix-eval = $(dummy-env) $(doc_nix) eval --experimental-features nix-command -I nix=doc/manual --store dummy:// --impure --raw
+
+# re-implement mdBook's include directive to make it usable for terminal output and for proper @docroot@ substitution
+define process-includes
+	while read -r line; do \
+		set -euo pipefail; \
+		filename="$$(dirname $(1))/$$(sed 's/{{#include \(.*\)}}/\1/'<<< $$line)"; \
+		test -f "$$filename" || ( echo "#include-d file '$$filename' does not exist." >&2; exit 1; ); \
+		matchline="$$(sed 's|/|\\/|g' <<< $$line)"; \
+		sed -i "/$$matchline/r $$filename" $(2); \
+		sed -i "s/$$matchline//" $(2); \
+	done < <(grep '{{#include' $(1))
+endef
+
+$(d)/nix-env-%.1: $(d)/src/command-ref/nix-env/%.md
+	@printf "Title: %s\n\n" "$(subst nix-env-,nix-env --,$$(basename "$@" .1))" > $^.tmp
+	$(render-subcommand)
+
+$(d)/nix-store-%.1: $(d)/src/command-ref/nix-store/%.md
+	@printf -- 'Title: %s\n\n' "$(subst nix-store-,nix-store --,$$(basename "$@" .1))" > $^.tmp
+	$(render-subcommand)
+
+# FIXME: there surely is some more deduplication to be achieved here with even darker Make magic
+define render-subcommand
+  @cat $^ >> $^.tmp
+	@$(call process-includes,$^,$^.tmp)
+	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=1 $^.tmp -o $@
+	@# fix up `lowdown`'s automatic escaping of `--`
+	@# https://github.com/kristapsdz/lowdown/blob/edca6ce6d5336efb147321a43c47a698de41bb7c/entity.c#L202
+	@sed -i 's/\e\[u2013\]/--/' $@
+	@rm $^.tmp
+endef
+
+
+$(d)/%.1: $(d)/src/command-ref/%.md
+	@printf "Title: %s\n\n" "$$(basename $@ .1)" > $^.tmp
+	@cat $^ >> $^.tmp
+	@$(call process-includes,$^,$^.tmp)
+	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=1 $^.tmp -o $@
+	@rm $^.tmp
+
+$(d)/%.8: $(d)/src/command-ref/%.md
+	@printf "Title: %s\n\n" "$$(basename $@ .8)" > $^.tmp
+	@cat $^ >> $^.tmp
+	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=8 $^.tmp -o $@
+	@rm $^.tmp
+
+$(d)/nix.conf.5: $(d)/src/command-ref/conf-file.md
+	@printf "Title: %s\n\n" "$$(basename $@ .5)" > $^.tmp
+	@cat $^ >> $^.tmp
+	@$(call process-includes,$^,$^.tmp)
+	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=5 $^.tmp -o $@
+	@rm $^.tmp
+
+$(d)/nix-profiles.5: $(d)/src/command-ref/files/profiles.md
+	@printf "Title: %s\n\n" "$$(basename $@ .5)" > $^.tmp
+	@cat $^ >> $^.tmp
+	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=5 $^.tmp -o $@
+	@rm $^.tmp
+
+$(d)/src/SUMMARY.md: $(d)/src/SUMMARY.md.in $(d)/src/SUMMARY-rl-next.md $(d)/src/store/types $(d)/src/command-ref/new-cli $(d)/src/development/experimental-feature-descriptions.md
+	@cp $< $@
+	@$(call process-includes,$@,$@)
+
+$(d)/src/store/types: $(d)/nix.json $(d)/utils.nix $(d)/generate-store-info.nix  $(d)/generate-store-types.nix $(d)/src/store/types/index.md.in $(doc_nix)
+	@# FIXME: build out of tree!
+	@rm -rf $@.tmp
+	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-store-types.nix (builtins.fromJSON (builtins.readFile $<)).stores'
+	@# do not destroy existing contents
+	@mv $@.tmp/* $@/
+
+$(d)/src/command-ref/new-cli: $(d)/nix.json $(d)/utils.nix $(d)/generate-manpage.nix $(d)/generate-settings.nix $(d)/generate-store-info.nix $(doc_nix)
+	@rm -rf $@ $@.tmp
+	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-manpage.nix true (builtins.readFile $<)'
+	@mv $@.tmp $@
+
+$(d)/src/command-ref/conf-file.md: $(d)/conf-file.json $(d)/utils.nix $(d)/generate-settings.nix $(d)/src/command-ref/conf-file-prefix.md $(d)/src/command-ref/experimental-features-shortlist.md $(doc_nix)
+	@cat doc/manual/src/command-ref/conf-file-prefix.md > $@.tmp
+	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-settings.nix { prefix = "conf"; } (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp;
+	@mv $@.tmp $@
+
+$(d)/nix.json: $(doc_nix)
+	$(trace-gen) $(dummy-env) $(doc_nix) __dump-cli > $@.tmp
+	@mv $@.tmp $@
+
+$(d)/conf-file.json: $(doc_nix)
+	$(trace-gen) $(dummy-env) $(doc_nix) config show --json --experimental-features nix-command > $@.tmp
+	@mv $@.tmp $@
+
+$(d)/src/development/experimental-feature-descriptions.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features.nix $(doc_nix)
+	@rm -rf $@ $@.tmp
+	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-xp-features.nix (builtins.fromJSON (builtins.readFile $<))'
+	@mv $@.tmp $@
+
+$(d)/src/command-ref/experimental-features-shortlist.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features-shortlist.nix $(doc_nix)
+	@rm -rf $@ $@.tmp
+	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-xp-features-shortlist.nix (builtins.fromJSON (builtins.readFile $<))'
+	@mv $@.tmp $@
+
+$(d)/xp-features.json: $(doc_nix)
+	$(trace-gen) $(dummy-env) $(doc_nix) __dump-xp-features > $@.tmp
+	@mv $@.tmp $@
+
+$(d)/src/language/builtins.md: $(d)/language.json $(d)/generate-builtins.nix $(d)/src/language/builtins-prefix.md $(doc_nix)
+	@cat doc/manual/src/language/builtins-prefix.md > $@.tmp
+	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtins.nix (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp;
+	@cat doc/manual/src/language/builtins-suffix.md >> $@.tmp
+	@mv $@.tmp $@
+
+$(d)/language.json: $(doc_nix)
+	$(trace-gen) $(dummy-env) $(doc_nix) __dump-language > $@.tmp
+	@mv $@.tmp $@
+
+# Generate "Upcoming release" notes (or clear it and remove from menu)
+$(d)/src/release-notes/rl-next.md: $(d)/rl-next $(d)/rl-next/*
+	@if type -p changelog-d > /dev/null; then \
+		echo "  GEN   " $@; \
+		changelog-d doc/manual/rl-next > $@; \
+	else \
+		echo "  NULL  " $@; \
+		true > $@; \
+	fi
+
+$(d)/src/SUMMARY-rl-next.md: $(d)/src/release-notes/rl-next.md
+	$(trace-gen) true
+	@if [ -s $< ]; then \
+		echo '  - [Upcoming release](release-notes/rl-next.md)' > $@; \
+	else \
+	  true > $@; \
+	fi
+
+# Generate the HTML manual.
+.PHONY: manual-html
+manual-html: $(docdir)/manual/index.html
+
+# Open the built HTML manual in the default browser.
+manual-html-open: $(docdir)/manual/index.html
+	@echo "  OPEN  " $<; \
+	  xdg-open $< \
+		  || open $< \
+			|| { \
+		echo "Could not open the manual in a browser. Please open '$<'" >&2; \
+		false; \
+		}
+install: $(docdir)/manual/index.html
+
+# Generate 'nix' manpages.
+.PHONY: manpages
+manpages: $(mandir)/man1/nix3-manpages
+install: $(mandir)/man1/nix3-manpages
+man: doc/manual/generated/man1/nix3-manpages
+all: doc/manual/generated/man1/nix3-manpages
+
+# FIXME: unify with how the other man pages are generated.
+# this one works differently and does not use any of the amenities provided by `/mk/lib.mk`.
+$(mandir)/man1/nix3-manpages: doc/manual/generated/man1/nix3-manpages
+	@mkdir -p $(DESTDIR)$$(dirname $@)
+	$(trace-install) install -m 0644 $$(dirname $<)/* $(DESTDIR)$$(dirname $@)
+
+doc/manual/generated/man1/nix3-manpages: $(d)/src/command-ref/new-cli
+	@mkdir -p $(DESTDIR)$$(dirname $@)
+	$(trace-gen) for i in doc/manual/src/command-ref/new-cli/*.md; do \
+		name=$$(basename $$i .md); \
+		tmpFile=$$(mktemp); \
+		if [[ $$name = SUMMARY ]]; then continue; fi; \
+		printf "Title: %s\n\n" "$$name" > $$tmpFile; \
+		cat $$i >> $$tmpFile; \
+		lowdown -sT man --nroff-nolinks -M section=1 $$tmpFile -o $(DESTDIR)$$(dirname $@)/$$name.1; \
+		rm $$tmpFile; \
+	done
+	@touch $@
+
+# the `! -name 'documentation.md'` filter excludes the one place where
+# `@docroot@` is to be preserved for documenting the mechanism
+# FIXME: maybe contributing guides should live right next to the code
+# instead of in the manual
+$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/anchors.jq $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/store/types $(d)/src/command-ref/new-cli $(d)/src/development/experimental-feature-descriptions.md $(d)/src/command-ref/conf-file.md $(d)/src/language/builtins.md $(d)/src/release-notes/rl-next.md $(d)/src/figures $(d)/src/favicon.png $(d)/src/favicon.svg
+	$(trace-gen) \
+		tmp="$$(mktemp -d)"; \
+		cp -r doc/manual "$$tmp"; \
+		find "$$tmp" -name '*.md' | while read -r file; do \
+			$(call process-includes,$$file,$$file); \
+		done; \
+		find "$$tmp" -name '*.md' ! -name 'documentation.md' | while read -r file; do \
+			docroot="$$(realpath --relative-to="$$(dirname "$$file")" $$tmp/manual/src)"; \
+			sed -i "s,@docroot@,$$docroot,g" "$$file"; \
+		done; \
+		set -euo pipefail; \
+		( \
+		    cd "$$tmp/manual"; \
+		    RUST_LOG=warn \
+		        MDBOOK_SUBSTITUTE_SEARCH=$(d)/src \
+		        mdbook build -d $(DESTDIR)$(docdir)/manual.tmp 2>&1 \
+			    | { grep -Fv "because fragment resolution isn't implemented" || :; } \
+		); \
+		rm -rf "$$tmp/manual"
+	@rm -rf $(DESTDIR)$(docdir)/manual
+	@mv $(DESTDIR)$(docdir)/manual.tmp/html $(DESTDIR)$(docdir)/manual
+	@rm -rf $(DESTDIR)$(docdir)/manual.tmp

doc/manual/meson.build

@@ -55,16 +55,16 @@ generate_manual_deps = files(
 )
 
 # Generates types
-subdir('source/store')
+subdir('src/store')
 # Generates builtins.md and builtin-constants.md.
-subdir('source/language')
+subdir('src/language')
 # Generates new-cli pages, experimental-features-shortlist.md, and conf-file.md.
-subdir('source/command-ref')
+subdir('src/command-ref')
 # Generates experimental-feature-descriptions.md.
-subdir('source/development')
+subdir('src/development')
 # Generates rl-next-generated.md.
-subdir('source/release-notes')
-subdir('source')
+subdir('src/release-notes')
+subdir('src')
 
 # Hacky way to figure out if `nix` is an `ExternalProgram` or
 # `Exectuable`. Only the latter can occur in custom target input lists.
@@ -82,8 +82,7 @@ manual = custom_target(
     '-c',
     '''
         @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
-        @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
-        sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
+        @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/src/SUMMARY.md.in > @2@/src/SUMMARY.md
         rsync -r --include='*.md' @CURRENT_SOURCE_DIR@/ @2@/
         (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
         rm -rf @2@/manual
@@ -93,13 +92,12 @@ manual = custom_target(
       python.full_path(),
       mdbook.full_path(),
       meson.current_build_dir(),
-      meson.project_version(),
     ),
   ],
   input : [
     generate_manual_deps,
     'substitute.py',
-    'book.toml.in',
+    'book.toml',
     'anchors.jq',
     'custom.css',
     nix3_cli_files,
@@ -119,7 +117,7 @@ manual = custom_target(
   depfile : 'manual.d',
   env : {
     'RUST_LOG': 'info',
-    'MDBOOK_SUBSTITUTE_SEARCH': meson.current_build_dir() / 'source',
+    'MDBOOK_SUBSTITUTE_SEARCH': meson.current_build_dir() / 'src',
   },
 )
 manual_html = manual[0]
@@ -201,7 +199,6 @@ nix3_manpages = [
   'nix3-build',
   'nix3-bundle',
   'nix3-config',
-  'nix3-config-check',
   'nix3-config-show',
   'nix3-copy',
   'nix3-daemon',
@@ -209,8 +206,8 @@ nix3_manpages = [
   'nix3-derivation',
   'nix3-derivation-show',
   'nix3-develop',
+  #'nix3-doctor',
   'nix3-edit',
-  'nix3-env-shell',
   'nix3-eval',
   'nix3-flake-archive',
   'nix3-flake-check',
@@ -227,7 +224,6 @@ nix3_manpages = [
   'nix3-fmt',
   'nix3-hash-file',
   'nix3-hash',
-  'nix3-hash-convert',
   'nix3-hash-path',
   'nix3-hash-to-base16',
   'nix3-hash-to-base32',
@@ -242,7 +238,6 @@ nix3_manpages = [
   'nix3-nar-cat',
   'nix3-nar-dump-path',
   'nix3-nar-ls',
-  'nix3-nar-pack',
   'nix3-nar',
   'nix3-path-info',
   'nix3-print-dev-env',
@@ -265,7 +260,7 @@ nix3_manpages = [
   'nix3-repl',
   'nix3-run',
   'nix3-search',
-  'nix3-store-add',
+  #'nix3-shell',
   'nix3-store-add-file',
   'nix3-store-add-path',
   'nix3-store-cat',
@@ -275,7 +270,6 @@ nix3_manpages = [
   'nix3-store-diff-closures',
   'nix3-store-dump-path',
   'nix3-store-gc',
-  'nix3-store-info',
   'nix3-store-ls',
   'nix3-store-make-content-addressed',
   'nix3-store',

doc/manual/package.nix

@@ -1,20 +1,19 @@
-{
-  lib,
-  mkMesonDerivation,
+{ lib
+, mkMesonDerivation
 
-  meson,
-  ninja,
-  lowdown-unsandboxed,
-  mdbook,
-  mdbook-linkcheck,
-  jq,
-  python3,
-  rsync,
-  nix-cli,
+, meson
+, ninja
+, lowdown
+, mdbook
+, mdbook-linkcheck
+, jq
+, python3
+, rsync
+, nix-cli
 
-  # Configuration Options
+# Configuration Options
 
-  version,
+, version
 }:
 
 let
@@ -26,28 +25,24 @@ mkMesonDerivation (finalAttrs: {
   inherit version;
 
   workDir = ./.;
-  fileset =
-    fileset.difference
-      (fileset.unions [
-        ../../.version
-        # Too many different types of files to filter for now
-        ../../doc/manual
-        ./.
-      ])
-      # Do a blacklist instead
-      ../../doc/manual/package.nix;
+  fileset = fileset.difference
+    (fileset.unions [
+      ../../.version
+      # Too many different types of files to filter for now
+      ../../doc/manual
+      ./.
+    ])
+    # Do a blacklist instead
+    ../../doc/manual/package.nix;
 
   # TODO the man pages should probably be separate
-  outputs = [
-    "out"
-    "man"
-  ];
+  outputs = [ "out" "man" ];
 
   # Hack for sake of the dev shell
   passthru.externalNativeBuildInputs = [
     meson
     ninja
-    (lib.getBin lowdown-unsandboxed)
+    (lib.getBin lowdown)
     mdbook
     mdbook-linkcheck
     jq
@@ -59,10 +54,11 @@ mkMesonDerivation (finalAttrs: {
     nix-cli
   ];
 
-  preConfigure = ''
-    chmod u+w ./.version
-    echo ${finalAttrs.version} > ./.version
-  '';
+  preConfigure =
+    ''
+      chmod u+w ./.version
+      echo ${finalAttrs.version} > ./.version
+    '';
 
   postInstall = ''
     mkdir -p ''$out/nix-support

doc/manual/redirects.js

@@ -1,7 +1,7 @@
 // redirect rules for URL fragments (client-side) to prevent link rot.
 // this must be done on the client side, as web servers do not see the fragment part of the URL.
 // it will only work with JavaScript enabled in the browser, but this is the best we can do here.
-// see source/_redirects for path redirects (server-side)
+// see src/_redirects for path redirects (server-side)
 
 // redirects are declared as follows:
 // each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
@@ -346,9 +346,6 @@ const redirects = {
     "scoping-rules": "scoping.html",
     "string-literal": "string-literals.html",
   },
-  "language/derivations.md": {
-    "builder-execution": "store/drv/building.md#builder-execution",
-  },
   "installation/installing-binary.html": {
     "linux": "uninstall.html#linux",
     "macos": "uninstall.html#macos",
@@ -375,7 +372,6 @@ const redirects = {
   "glossary.html": {
     "gloss-local-store": "store/types/local-store.html",
     "gloss-chroot-store": "store/types/local-store.html",
-    "gloss-content-addressed-derivation": "#gloss-content-addressing-derivation",
   },
 };
 

doc/manual/rl-next/add-nix-state-home.md

@@ -0,0 +1,14 @@
+---
+synopsis: Use envvars NIX_CACHE_HOME, NIX_CONFIG_HOME, NIX_DATA_HOME, NIX_STATE_HOME if defined
+prs: [11351]
+---
+
+Added new environment variables:
+
+- `NIX_CACHE_HOME`
+- `NIX_CONFIG_HOME`
+- `NIX_DATA_HOME`
+- `NIX_STATE_HOME`
+
+Each, if defined, takes precedence over the corresponding [XDG environment variable](@docroot@/command-ref/env-common.md#xdg-base-directories).
+This provides more fine-grained control over where Nix looks for files, and allows to have a stand-alone Nix environment, which only uses files in a specific directory, and doesn't interfere with the user environment.

doc/manual/rl-next/ban-integer-overflow.md

@@ -0,0 +1,21 @@
+---
+synopsis: Define integer overflow in the Nix language as an error
+issues: [10968]
+prs: [11188]
+---
+
+Previously, integer overflow in the Nix language invoked C++ level signed overflow, which was undefined behaviour, but *usually* manifested as wrapping around on overflow.
+
+Since prior to the public release of Lix, Lix had C++ signed overflow defined to crash the process and nobody noticed this having accidentally removed overflow from the Nix language for three months until it was caught by fiddling around.
+Given the significant body of actual Nix code that has been evaluated by Lix in that time, it does not appear that nixpkgs or much of importance depends on integer overflow, so it appears safe to turn into an error.
+
+Some other overflows were fixed:
+- `builtins.fromJSON` of values greater than the maximum representable value in a signed 64-bit integer will generate an error.
+- `nixConfig` in flakes will no longer accept negative values for configuration options.
+
+Integer overflow now looks like the following:
+
+```
+$ nix eval --expr '9223372036854775807 + 1'
+error: integer overflow in adding 9223372036854775807 + 1
+```

doc/manual/rl-next/build-hook-default.md

@@ -0,0 +1,22 @@
+---
+synopsis: |-
+  The `build-hook` setting's default is less useful when using `libnixstore` as a library
+prs:
+- 11178
+---
+
+*This is an obscure issue that only affects usage of the `libnixstore` library outside of the Nix executable.*
+
+As part the ongoing [rewrite of the build system](https://github.com/NixOS/nix/issues/2503) to use [Meson](https://mesonbuild.com/), we are also switching to packaging individual Nix components separately (and building them in separate derivations).
+This means that when building `libnixstore` we do not know where the Nix binaries will be installed --- `libnixstore` doesn't know about downstream consumers like the Nix binaries at all.
+
+*This is also unrelated to the _`post`_-`build-hook`*, which is often used for pushing to a cache.*
+
+This has a small adverse affect on remote building --- the `build-remote` executable that is specified from the [`build-hook`](@docroot@/command-ref/conf-file.md#conf-build-hook) setting will not be gotten from the (presumed) installation location, but instead looked up on the `PATH`.
+This means that other applications linking `libnixstore` that wish to use remote building must arrange for the `nix` command to be on the PATH (or manually overriding `build-hook`) in order for that to work.
+
+Long term we don't envision this being a downside, because we plan to [get rid of `build-remote` and the build hook setting entirely](https://github.com/NixOS/nix/issues/1221).
+There should simply be no need to have an extra, intermediate layer of remote-procedure-calling when we want to connect to a remote builder.
+The build hook protocol did in principle support custom ways of remote building, but that can also be accomplished with a custom service for the ssh or daemon/ssh-ng protocols, or with a custom [store type](@docroot@/store/types/index.md) i.e. `Store` subclass. <!-- we normally don't mention classes, but consider that this release note is about a library use case -->
+
+The Perl bindings no longer expose `getBinDir` either, since the underlying C++ libraries those bindings wrap no longer know the location of installed binaries as described above.

doc/manual/rl-next/curl-cloexec.md

@@ -1,10 +0,0 @@
----
-synopsis: Set FD_CLOEXEC on sockets created by curl
-issues: []
-prs: [12439]
----
-
-
-Curl creates sockets without setting FD_CLOEXEC/SOCK_CLOEXEC, this can cause connections to remain open forever when using commands like `nix shell`
-
-This change sets the FD_CLOEXEC flag using a CURLOPT_SOCKOPTFUNCTION callback.

doc/manual/rl-next/filesystem-errors.md

@@ -0,0 +1,14 @@
+---
+synopsis: wrap filesystem exceptions more correctly
+issues: []
+prs: [11378]
+---
+
+
+With the switch to `std::filesystem` in different places, Nix started to throw `std::filesystem::filesystem_error` in many places instead of its own exceptions.
+
+This lead to no longer generating error traces, for example when listing a non-existing directory, and can also lead to crashes inside the Nix REPL.
+
+This version catches these types of exception correctly and wrap them into Nix's own exeception type.
+
+Author: [**@Mic92**](https://github.com/Mic92)

doc/manual/rl-next/fsync-store-paths.md

@@ -0,0 +1,9 @@
+---
+synopsis: Add setting `fsync-store-paths`
+issues: [1218]
+prs: [7126]
+---
+
+Nix now has a setting `fsync-store-paths` that ensures that new store paths are durably written to disk before they are registered as "valid" in Nix's database. This can prevent Nix store corruption if the system crashes or there is a power loss. This setting defaults to `false`.
+
+Author: [**@squalus**](https://github.com/squalus)

doc/manual/rl-next/git-lfs-support.md

@@ -1,18 +0,0 @@
----
-synopsis: "Git LFS support"
-prs: [10153, 12468]
----
-
-The Git fetcher now supports Large File Storage (LFS). This can be enabled by passing the attribute `lfs = true` to the fetcher, e.g.
-```console
-nix flake prefetch 'git+ssh://git@github.com/Apress/repo-with-large-file-storage.git?lfs=1'
-```
-
-A flake can also declare that it requires lfs to be enabled:
-```
-{
-  inputs.self.lfs = true;
-}
-```
-
-Author: [**@b-camacho**](https://github.com/b-camacho), [**@kip93**](https://github.com/kip93)

doc/manual/rl-next/nix-flake-show-description.md

@@ -0,0 +1,25 @@
+---
+synopsis: Show package descriptions with `nix flake show`
+issues: [10977]
+prs: [10980]
+---
+
+`nix flake show` will now display a package's `meta.description` if it exists. If the description does not fit in the terminal it will be truncated to fit the terminal width. If the size of the terminal width is unknown the description will be capped at 80 characters.
+
+```
+$ nix flake show
+└───packages
+    └───x86_64-linux
+        ├───builderImage: package 'docker-image-ara-builder-image.tar.gz' - 'Docker image hosting the nix build environment'
+        └───runnerImage: package 'docker-image-gitlab-runner.tar.gz' - 'Docker image hosting the gitlab-runner executable'
+```
+
+In a narrower terminal:
+
+```
+$ nix flake show
+└───packages
+    └───x86_64-linux
+        ├───builderImage: package 'docker-image-ara-builder-image.tar.gz' - 'Docker image hosting the nix b...
+        └───runnerImage: package 'docker-image-gitlab-runner.tar.gz' - 'Docker image hosting the gitlab-run...
+```

doc/manual/rl-next/nix-fmt-default-argument.md

@@ -0,0 +1,17 @@
+---
+synopsis: Removing the default argument passed to the `nix fmt` formatter
+issues: []
+prs: [11438]
+---
+
+The underlying formatter no longer receives the ". " default argument when `nix fmt` is called with no arguments.
+
+This change was necessary as the formatter wasn't able to distinguish between
+a user wanting to format the current folder with `nix fmt .` or the generic
+`nix fmt`.
+
+The default behaviour is now the responsibility of the formatter itself, and
+allows tools such as treefmt to format the whole tree instead of only the
+current directory and below.
+
+Author: [**@zimbatm**](https://github.com/zimbatm)

doc/manual/rl-next/no-flake-substitution.md

@@ -0,0 +1,8 @@
+---
+synopsis: Flakes are no longer substituted
+prs: [10612]
+---
+
+Nix will no longer attempt to substitute the source code of flakes from a binary cache. This functionality was broken because it could lead to different evaluation results depending on whether the flake was available in the binary cache, or even depending on whether the flake was already in the local store.
+
+Author: [**@edolstra**](https://github.com/edolstra)

doc/manual/rl-next/self-submodules-attr.md

@@ -1,12 +0,0 @@
----
-synopsis: "`inputs.self.submodules` flake attribute"
-prs: [12421]
----
-
-Flakes in Git repositories can now declare that they need Git submodules to be enabled:
-```
-{
-  inputs.self.submodules = true;
-}
-```
-Thus, it's no longer needed for the caller of the flake to pass `submodules = true`.

doc/manual/rl-next/verify-tls.md

@@ -0,0 +1,8 @@
+---
+synopsis: "`<nix/fetchurl.nix>` uses TLS verification"
+prs: [11585]
+---
+
+Previously `<nix/fetchurl.nix>` did not do TLS verification. This was because the Nix sandbox in the past did not have access to TLS certificates, and Nix checks the hash of the fetched file anyway. However, this can expose authentication data from `netrc` and URLs to man-in-the-middle attackers. In addition, Nix now in some cases (such as when using impure derivations) does *not* check the hash. Therefore we have now enabled TLS verification. This means that downloads by `<nix/fetchurl.nix>` will now fail if you're fetching from a HTTPS server that does not have a valid certificate.
+
+`<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue.

doc/manual/source/advanced-topics/distributed-builds.md

@@ -1,108 +0,0 @@
-# Remote Builds
-
-A local Nix installation can forward Nix builds to other machines,
-this allows multiple builds to be performed in parallel.
-
-Remote builds also allow Nix to perform multi-platform builds in a
-semi-transparent way. For example, if you perform a build for a
-`x86_64-darwin` on an `i686-linux` machine, Nix can automatically
-forward the build to a `x86_64-darwin` machine, if one is available.
-
-## Requirements
-
-For a local machine to forward a build to a remote machine, the remote machine must:
-
-- Have Nix installed
-- Be running an SSH server, e.g. `sshd`
-- Be accessible via SSH from the local machine over the network
-- Have the local machine's public SSH key in `/etc/ssh/authorized_keys.d/<username>`
-- Have the username of the SSH user in the `trusted-users` setting in `nix.conf`
-
-## Testing
-
-To test connecting to a remote Nix instance (in this case `mac`), run:
-
-```console
-nix store info --store ssh://username@mac
-```
-
-To specify an SSH identity file as part of the remote store URI add a
-query paramater, e.g.
-
-```console
-nix store info --store ssh://username@mac?ssh-key=/home/alice/my-key
-```
-
-Since builds should be non-interactive, the key should not have a
-passphrase. Alternatively, you can load identities ahead of time into
-`ssh-agent` or `gpg-agent`.
-
-In a multi-user installation (default), builds are executed by the Nix
-Daemon. The Nix Daemon cannot prompt for a passphrase via the terminal
-or `ssh-agent`, so the SSH key must not have a passphrase.
-
-In addition, the Nix Daemon's user (typically root) needs to have SSH
-access to the remote builder.
-
-Access can be verified by running `sudo su`, and then validating SSH
-access, e.g. by running `ssh mac`. SSH identity files for root users
-are usually stored in `/root/.ssh/` (Linux) or `/var/root/.ssh` (MacOS).
-
-If you get the error
-
-```console
-bash: nix: command not found
-error: cannot connect to 'mac'
-```
-
-then you need to ensure that the `PATH` of non-interactive login shells
-contains Nix.
-
-The [list of remote build machines](@docroot@/command-ref/conf-file.md#conf-builders) can be specified on the command line or in the Nix configuration file.
-For example, the following command allows you to build a derivation for `x86_64-darwin` on a Linux machine:
-
-```console
-uname
-```
-
-```console
-Linux
-```
-
-```console
-nix build --impure \
- --expr '(with import <nixpkgs> { system = "x86_64-darwin"; }; runCommand "foo" {} "uname > $out")' \
- --builders 'ssh://mac x86_64-darwin'
-```
-
-```console
-[1/0/1 built, 0.0 MiB DL] building foo on ssh://mac
-```
-
-```console
-cat ./result
-```
-
-```console
-Darwin
-```
-
-It is possible to specify multiple build machines separated by a semicolon or a newline, e.g.
-
-```console
-  --builders 'ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd'
-```
-
-Remote build machines can also be configured in [`nix.conf`](@docroot@/command-ref/conf-file.md), e.g.
-
-    builders = ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd
-
-After making changes to `nix.conf`, restart the Nix daemon for changes to take effect.
-
-Finally, remote build machines can be configured in a separate configuration
-file included in `builders` via the syntax `@/path/to/file`. For example,
-
-    builders = @/etc/nix/machines
-
-causes the list of machines in `/etc/nix/machines` to be included.
-(This is the default.)

doc/manual/source/development/debugging.md

@@ -1,73 +0,0 @@
-# Debugging Nix
-
-This section shows how to build and debug Nix with debug symbols enabled.
-
-Additionally, see [Testing Nix](./testing.md) for further instructions on how to debug Nix in the context of a unit test or functional test.
-
-## Building Nix with Debug Symbols
-
-In the development shell, set the `mesonBuildType` environment variable to `debug` before configuring the build:
-
-```console
-[nix-shell]$ export mesonBuildType=debugoptimized
-```
-
-Then, proceed to build Nix as described in [Building Nix](./building.md).
-This will build Nix with debug symbols, which are essential for effective debugging.
-
-It is also possible to build without debugging for faster build:
-
-```console
-[nix-shell]$ NIX_HARDENING_ENABLE=$(printLines $NIX_HARDENING_ENABLE | grep -v fortify)
-[nix-shell]$ export mesonBuildType=debug
-```
-
-(The first line is needed because `fortify` hardening requires at least some optimization.)
-
-## Debugging the Nix Binary
-
-Obtain your preferred debugger within the development shell:
-
-```console
-[nix-shell]$ nix-shell -p gdb
-```
-
-On macOS, use `lldb`:
-
-```console
-[nix-shell]$ nix-shell -p lldb
-```
-
-### Launching the Debugger
-
-To debug the Nix binary, run:
-
-```console
-[nix-shell]$ gdb --args ../outputs/out/bin/nix
-```
-
-On macOS, use `lldb`:
-
-```console
-[nix-shell]$ lldb -- ../outputs/out/bin/nix
-```
-
-### Using the Debugger
-
-Inside the debugger, you can set breakpoints, run the program, and inspect variables.
-
-```gdb
-(gdb) break main
-(gdb) run <arguments>
-```
-
-Refer to the [GDB Documentation](https://www.gnu.org/software/gdb/documentation/) for comprehensive usage instructions.
-
-On macOS, use `lldb`:
-
-```lldb
-(lldb) breakpoint set --name main
-(lldb) process launch -- <arguments>
-```
-
-Refer to the [LLDB Tutorial](https://lldb.llvm.org/use/tutorial.html) for comprehensive usage instructions.

doc/manual/source/protocols/derivation-aterm.md

@@ -1,38 +0,0 @@
-# Derivation "ATerm" file format
-
-For historical reasons, [store derivations][store derivation] are stored on-disk in [ATerm](https://homepages.cwi.nl/~daybuild/daily-books/technology/aterm-guide/aterm-guide.html) format.
-
-## The ATerm format used
-
-Derivations are serialised in one of the following formats:
-
-- ```
-  Derive(...)
-  ```
-
-  For all stable derivations.
-
-- ```
-  DrvWithVersion(<version-string>, ...)
-  ```
-
-  The only `version-string`s that are in use today are for [experimental features](@docroot@/development/experimental-features.md):
-
-  - `"xp-dyn-drv"` for the [`dynamic-derivations`](@docroot@/development/experimental-features.md#xp-feature-dynamic-derivations) experimental feature.
-
-## Use for encoding to store object
-
-When derivation is encoded to a [store object] we make the following choices:
-
-- The store path name is the derivation name with `.drv` suffixed at the end
-
-  Indeed, the ATerm format above does *not* contain the name of the derivation, on the assumption that a store path will also be provided out-of-band.
-
-- The derivation is content-addressed using the ["Text" method] of content-addressing derivations
-
-Currently we always encode derivations to store object using the ATerm format (and the previous two choices),
-but we reserve the option to encode new sorts of derivations differently in the future.
-
-[store derivation]: @docroot@/glossary.md#gloss-store-derivation
-[store object]: @docroot@/glossary.md#gloss-store-object
-["Text" method]: @docroot@/store/store-object/content-address.md#method-text

doc/manual/source/release-notes/rl-2.25.md

@@ -1,144 +0,0 @@
-# Release 2.25.0 (2024-11-07)
-
-- New environment variables to override XDG locations [#11351](https://github.com/NixOS/nix/pull/11351)
-
-  Added new environment variables:
-
-  - `NIX_CACHE_HOME`
-  - `NIX_CONFIG_HOME`
-  - `NIX_DATA_HOME`
-  - `NIX_STATE_HOME`
-
-  Each, if defined, takes precedence over the corresponding [XDG environment variable](@docroot@/command-ref/env-common.md#xdg-base-directories).
-  This provides more fine-grained control over where Nix looks for files. It allows having a stand-alone Nix environment that only uses files in a specific directory and that doesn't interfere with the user environment.
-
-- Define integer overflow in the Nix language as an error [#10968](https://github.com/NixOS/nix/issues/10968) [#11188](https://github.com/NixOS/nix/pull/11188)
-
-  Previously, integer overflow in the Nix language invoked C++ level signed overflow, which manifested as wrapping around on overflow. It now looks like this:
-
-  ```
-  $ nix eval --expr '9223372036854775807 + 1'
-  error: integer overflow in adding 9223372036854775807 + 1
-  ```
-
-  Some other overflows were fixed:
-  - `builtins.fromJSON` of values greater than the maximum representable value in a signed 64-bit integer will generate an error.
-  - `nixConfig` in flakes will no longer accept negative values for configuration options.
-
-- The `build-hook` setting no longer has a useful default when using `libnixstore` as a library [#11178](https://github.com/NixOS/nix/pull/11178)
-
-  *This is an obscure issue that only affects usage of the `libnixstore` library outside of the Nix executable. It is unrelated to the `post-build-hook` settings, which is often used for pushing to a cache.*
-
-  As part the ongoing [rewrite of the build system](https://github.com/NixOS/nix/issues/2503) to use [Meson](https://mesonbuild.com/), we are also switching to packaging individual Nix components separately (and building them in separate derivations).
-  This means that when building `libnixstore` we do not know where the Nix binaries will be installed --- `libnixstore` doesn't know about downstream consumers like the Nix binaries at all.
-
-  This has a small adverse affect on remote building --- the `build-remote` executable that is specified from the [`build-hook`](@docroot@/command-ref/conf-file.md#conf-build-hook) setting will not be gotten from the (presumed) installation location, but instead looked up on the `PATH`.
-  This means that other applications linking `libnixstore` that wish to use remote building must arrange for the `nix` command to be on the PATH (or manually overriding `build-hook`) in order for that to work.
-
-  Long term we don't envision this being a downside, because we plan to [get rid of `build-remote` and the build hook setting entirely](https://github.com/NixOS/nix/issues/1221).
-  There should simply be no need to have an extra, intermediate layer of remote-procedure-calling when we want to connect to a remote builder.
-  The build hook protocol did in principle support custom ways of remote building, but that can also be accomplished with a custom service for the ssh or daemon/ssh-ng protocols, or with a custom [store type](@docroot@/store/types/index.md) i.e. `Store` subclass. <!-- we normally don't mention classes, but consider that this release note is about a library use case -->
-
-  The Perl bindings no longer expose `getBinDir` either, since the underlying C++ libraries those bindings wrap no longer know the location of installed binaries as described above.
-
-- Wrap filesystem exceptions more correctly [#11378](https://github.com/NixOS/nix/pull/11378)
-
-  With the switch to `std::filesystem` in different places, Nix started to throw `std::filesystem::filesystem_error` in many places instead of its own exceptions.
-  As a result, Nix no longer generated error traces when (for example) listing a non-existing directory. It could also lead to crashes inside the Nix REPL.
-
-  This version catches these types of exception correctly and wraps them into Nix's own exception type.
-
-  Author: [**@Mic92**](https://github.com/Mic92)
-
-- Add setting `fsync-store-paths` [#1218](https://github.com/NixOS/nix/issues/1218) [#7126](https://github.com/NixOS/nix/pull/7126)
-
-  Nix now has a setting `fsync-store-paths` that ensures that new store paths are durably written to disk before they are registered as "valid" in Nix's database. This can prevent Nix store corruption if the system crashes or there is a power loss. This setting defaults to `false`.
-
-  Author: [**@squalus**](https://github.com/squalus)
-
-- Removing the default argument passed to the `nix fmt` formatter [#11438](https://github.com/NixOS/nix/pull/11438)
-
-  The underlying formatter no longer receives the "." default argument when `nix fmt` is called with no arguments.
-
-  This change was necessary as the formatter wasn't able to distinguish between
-  a user wanting to format the current folder with `nix fmt .` or the generic
-  `nix fmt`.
-
-  The default behavior is now the responsibility of the formatter itself, and
-  allows tools such as `treefmt` to format the whole tree instead of only the
-  current directory and below.
-
-  Author: [**@zimbatm**](https://github.com/zimbatm)
-
-- `<nix/fetchurl.nix>` uses TLS verification [#11585](https://github.com/NixOS/nix/pull/11585)
-
-  Previously `<nix/fetchurl.nix>` did not do TLS verification. This was because the Nix sandbox in the past did not have access to TLS certificates, and Nix checks the hash of the fetched file anyway. However, this can expose authentication data from `netrc` and URLs to man-in-the-middle attackers. In addition, Nix now in some cases (such as when using impure derivations) does *not* check the hash. Therefore we have now enabled TLS verification. This means that downloads by `<nix/fetchurl.nix>` will now fail if you're fetching from a HTTPS server that does not have a valid certificate.
-
-  `<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue.
-
-
-# Contributors
-
-This release was made possible by the following 58 contributors:
-
-- 1444 [**(@0x5a4)**](https://github.com/0x5a4)
-- Adrian Hesketh [**(@a-h)**](https://github.com/a-h)
-- Aleksana [**(@Aleksanaa)**](https://github.com/Aleksanaa)
-- Alyssa Ross [**(@alyssais)**](https://github.com/alyssais)
-- Andrew Marshall [**(@amarshall)**](https://github.com/amarshall)
-- Artemis Tosini [**(@artemist)**](https://github.com/artemist)
-- Artturin [**(@Artturin)**](https://github.com/Artturin)
-- Bjørn Forsman [**(@bjornfor)**](https://github.com/bjornfor)
-- Brian McGee [**(@brianmcgee)**](https://github.com/brianmcgee)
-- Brian McKenna [**(@puffnfresh)**](https://github.com/puffnfresh)
-- Bryan Honof [**(@bryanhonof)**](https://github.com/bryanhonof)
-- Cole Helbling [**(@cole-h)**](https://github.com/cole-h)
-- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra)
-- Eman Resu [**(@llakala)**](https://github.com/llakala)
-- Emery Hemingway [**(@ehmry)**](https://github.com/ehmry)
-- Emil Petersen [**(@leetemil)**](https://github.com/leetemil)
-- Emily [**(@emilazy)**](https://github.com/emilazy)
-- Geoffrey Thomas [**(@geofft)**](https://github.com/geofft)
-- Gerg-L [**(@Gerg-L)**](https://github.com/Gerg-L)
-- Ivan Tkachev
-- Jacek Galowicz [**(@tfc)**](https://github.com/tfc)
-- Jan Hrcek [**(@jhrcek)**](https://github.com/jhrcek)
-- Jason Yundt [**(@Jayman2000)**](https://github.com/Jayman2000)
-- Jeremy Kerfs [**(@jkerfs)**](https://github.com/jkerfs)
-- Jeremy Kolb [**(@kjeremy)**](https://github.com/kjeremy)
-- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
-- Jonas Chevalier [**(@zimbatm)**](https://github.com/zimbatm)
-- Jordan Justen [**(@jljusten)**](https://github.com/jljusten)
-- Josh Heinrichs [**(@joshheinrichs-shopify)**](https://github.com/joshheinrichs-shopify)
-- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92)
-- Kevin Cox [**(@kevincox)**](https://github.com/kevincox)
-- Michael Gallagher [**(@mjgallag)**](https://github.com/mjgallag)
-- Michael [**(@michaelvanstraten)**](https://github.com/michaelvanstraten)
-- Nikodem Rabuliński [**(@nrabulinski)**](https://github.com/nrabulinski)
-- Noam Yorav-Raphael [**(@noamraph)**](https://github.com/noamraph)
-- Onni Hakala [**(@onnimonni)**](https://github.com/onnimonni)
-- Parker Hoyes [**(@parkerhoyes)**](https://github.com/parkerhoyes)
-- Philipp Otterbein
-- Pol Dellaiera [**(@drupol)**](https://github.com/drupol)
-- Robert Hensing [**(@roberth)**](https://github.com/roberth)
-- Ryan Hendrickson [**(@rhendric)**](https://github.com/rhendric)
-- Sandro [**(@SuperSandro2000)**](https://github.com/SuperSandro2000)
-- Seggy Umboh [**(@secobarbital)**](https://github.com/secobarbital)
-- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium)
-- Shivaraj B H [**(@shivaraj-bh)**](https://github.com/shivaraj-bh)
-- Siddhant Kumar [**(@siddhantk232)**](https://github.com/siddhantk232)
-- Tim [**(@Jaculabilis)**](https://github.com/Jaculabilis)
-- Tom Bereknyei
-- Travis A. Everett [**(@abathur)**](https://github.com/abathur)
-- Valentin Gagarin [**(@fricklerhandwerk)**](https://github.com/fricklerhandwerk)
-- Vinayak Kaushik [**(@VinayakKaushikDH)**](https://github.com/VinayakKaushikDH)
-- Yann Hamdaoui [**(@yannham)**](https://github.com/yannham)
-- Yuriy Taraday [**(@YorikSar)**](https://github.com/YorikSar)
-- bryango [**(@bryango)**](https://github.com/bryango)
-- emhamm [**(@emhamm)**](https://github.com/emhamm)
-- jade [**(@lf-)**](https://github.com/lf-)
-- kenji [**(@a-kenji)**](https://github.com/a-kenji)
-- pennae [**(@pennae)**](https://github.com/pennae)
-- puckipedia [**(@puckipedia)**](https://github.com/puckipedia)
-- squalus [**(@squalus)**](https://github.com/squalus)
-- tomberek [**(@tomberek)**](https://github.com/tomberek)

doc/manual/source/release-notes/rl-2.26.md

@@ -1,128 +0,0 @@
-# Release 2.26.0 (2025-01-22)
-
-- Support for relative path inputs [#10089](https://github.com/NixOS/nix/pull/10089)
-
-  Flakes can now refer to other flakes in the same repository using relative paths, e.g.
-  ```nix
-  inputs.foo.url = "path:./foo";
-  ```
-  uses the flake in the `foo` subdirectory of the referring flake. For more information, see the documentation on [the `path` flake input type](@docroot@/command-ref/new-cli/nix3-flake.md#path-fetcher).
-
-  This feature required a change to the lock file format. Previous Nix versions will not be able to use lock files that have locks for relative path inputs in them.
-
-- Flake lock file generation now ignores local registries [#12019](https://github.com/NixOS/nix/pull/12019)
-
-  When resolving indirect flake references like `nixpkgs` in `flake.nix` files, Nix will no longer use the system and user flake registries. It will only use the global flake registry and overrides given on the command line via `--override-flake`.
-
-  This avoids accidents where users have local registry overrides that map `nixpkgs` to a `path:` flake in the local file system, which then end up in committed lock files pushed to other users.
-
-  In the future, we may remove the use of the registry during lock file generation altogether. It's better to explicitly specify the URL of a flake input. For example, instead of
-  ```nix
-  {
-    outputs = { self, nixpkgs }: { ... };
-  }
-  ```
-  write
-  ```nix
-  {
-    inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
-    outputs = { self, nixpkgs }: { ... };
-  }
-  ```
-
-- `nix copy` supports `--profile` and `--out-link` [#11657](https://github.com/NixOS/nix/pull/11657)
-
-  The `nix copy` command now has flags `--profile` and `--out-link`, similar to `nix build`. `--profile` makes a profile point to the
-  top-level store path, while `--out-link` create symlinks to the top-level store paths.
-
-  For example, when updating the local NixOS system profile from a NixOS system closure on a remote machine, instead of
-  ```
-  # nix copy --from ssh://server $path
-  # nix build --profile /nix/var/nix/profiles/system $path
-  ```
-  you can now do
-  ```
-  # nix copy --from ssh://server --profile /nix/var/nix/profiles/system $path
-  ```
-  The advantage is that this avoids a time window where *path* is not a garbage collector root, and so could be deleted by a concurrent `nix store gc` process.
-
-- `nix-instantiate --eval` now supports `--raw` [#12119](https://github.com/NixOS/nix/pull/12119)
-
-  The `nix-instantiate --eval` command now supports a `--raw` flag, when used
-  the evaluation result must be a string, which is printed verbatim without
-  quotation marks or escaping.
-
-- Improved `NIX_SSHOPTS` parsing for better SSH option handling [#5181](https://github.com/NixOS/nix/issues/5181) [#12020](https://github.com/NixOS/nix/pull/12020)
-
-  The parsing of the `NIX_SSHOPTS` environment variable has been improved to handle spaces and quotes correctly.
-  Previously, incorrectly split SSH options could cause failures in commands like `nix-copy-closure`,
-  especially when using complex SSH invocations such as `-o ProxyCommand="ssh -W %h:%p ..."`.
-
-  This change introduces a `shellSplitString` function to ensure
-  that `NIX_SSHOPTS` is parsed in a manner consistent with shell
-  behavior, addressing common parsing errors.
-
-  For example, the following now works as expected:
-
-  ```bash
-  export NIX_SSHOPTS='-o ProxyCommand="ssh -W %h:%p ..."'
-  ```
-
-  This update improves the reliability of SSH-related operations using `NIX_SSHOPTS` across Nix CLIs.
-
-- Nix is now built using Meson
-
-  As proposed in [RFC 132](https://github.com/NixOS/rfcs/pull/132), Nix's build system now uses Meson/Ninja. The old Make-based build system has been removed.
-
-- Evaluation caching now works for dirty Git workdirs [#11992](https://github.com/NixOS/nix/pull/11992)
-
-# Contributors
-
-This release was made possible by the following 45 contributors:
-
-- Anatoli Babenia [**(@abitrolly)**](https://github.com/abitrolly)
-- Domagoj Mišković [**(@allrealmsoflife)**](https://github.com/allrealmsoflife)
-- Yaroslav Bolyukin [**(@CertainLach)**](https://github.com/CertainLach)
-- bryango [**(@bryango)**](https://github.com/bryango)
-- tomberek [**(@tomberek)**](https://github.com/tomberek)
-- Matej Urbas [**(@mupdt)**](https://github.com/mupdt)
-- elikoga [**(@elikoga)**](https://github.com/elikoga)
-- wh0 [**(@wh0)**](https://github.com/wh0)
-- Félix [**(@picnoir)**](https://github.com/picnoir)
-- Valentin Gagarin [**(@fricklerhandwerk)**](https://github.com/fricklerhandwerk)
-- Gavin John [**(@Pandapip1)**](https://github.com/Pandapip1)
-- Travis A. Everett [**(@abathur)**](https://github.com/abathur)
-- Vladimir Panteleev [**(@CyberShadow)**](https://github.com/CyberShadow)
-- Ilja [**(@suruaku)**](https://github.com/suruaku)
-- Jason Yundt [**(@Jayman2000)**](https://github.com/Jayman2000)
-- Mike Kusold [**(@kusold)**](https://github.com/kusold)
-- Andy Hamon [**(@andrewhamon)**](https://github.com/andrewhamon)
-- Brian McKenna [**(@puffnfresh)**](https://github.com/puffnfresh)
-- Greg Curtis [**(@gcurtis)**](https://github.com/gcurtis)
-- Andrew Poelstra [**(@apoelstra)**](https://github.com/apoelstra)
-- Linus Heckemann [**(@lheckemann)**](https://github.com/lheckemann)
-- Tristan Ross [**(@RossComputerGuy)**](https://github.com/RossComputerGuy)
-- Dominique Martinet [**(@martinetd)**](https://github.com/martinetd)
-- h0nIg [**(@h0nIg)**](https://github.com/h0nIg)
-- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra)
-- Shahar "Dawn" Or [**(@mightyiam)**](https://github.com/mightyiam)
-- NAHO [**(@trueNAHO)**](https://github.com/trueNAHO)
-- Ryan Hendrickson [**(@rhendric)**](https://github.com/rhendric)
-- the-sun-will-rise-tomorrow [**(@the-sun-will-rise-tomorrow)**](https://github.com/the-sun-will-rise-tomorrow)
-- Connor Baker [**(@ConnorBaker)**](https://github.com/ConnorBaker)
-- Cole Helbling [**(@cole-h)**](https://github.com/cole-h)
-- Jack Wilsdon [**(@jackwilsdon)**](https://github.com/jackwilsdon)
-- ‮rekcäH nitraM‮ [**(@dwt)**](https://github.com/dwt)
-- Martin Fischer [**(@not-my-profile)**](https://github.com/not-my-profile)
-- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
-- Graham Christensen [**(@grahamc)**](https://github.com/grahamc)
-- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium)
-- Siddarth Kumar [**(@siddarthkay)**](https://github.com/siddarthkay)
-- Sergei Trofimovich [**(@trofi)**](https://github.com/trofi)
-- Robert Hensing [**(@roberth)**](https://github.com/roberth)
-- Mutsuha Asada [**(@momeemt)**](https://github.com/momeemt)
-- Parker Jones [**(@knotapun)**](https://github.com/knotapun)
-- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92)
-- dbdr [**(@dbdr)**](https://github.com/dbdr)
-- myclevorname [**(@myclevorname)**](https://github.com/myclevorname)
-- Philipp Otterbein

doc/manual/source/store/building.md

@@ -1,97 +0,0 @@
-# Building
-
-## Normalizing derivation inputs
-
-- Each input must be [realised] prior to building the derivation in question.
-
-[realised]: @docroot@/glossary.md#gloss-realise
-
-- Once this is done, the derivation is *normalized*, replacing each input deriving path with its store path, which we now know from realising the input.
-
-## Builder Execution
-
-The [`builder`](./drv.md#builder) is executed as follows:
-
-- A temporary directory is created under the directory specified by
-  `TMPDIR` (default `/tmp`) where the build will take place. The
-  current directory is changed to this directory.
-
-- The environment is cleared and set to the derivation attributes, as
-  specified above.
-
-- In addition, the following variables are set:
-
-  - `NIX_BUILD_TOP` contains the path of the temporary directory for
-    this build.
-
-  - Also, `TMPDIR`, `TEMPDIR`, `TMP`, `TEMP` are set to point to the
-    temporary directory. This is to prevent the builder from
-    accidentally writing temporary files anywhere else. Doing so
-    might cause interference by other processes.
-
-  - `PATH` is set to `/path-not-set` to prevent shells from
-    initialising it to their built-in default value.
-
-  - `HOME` is set to `/homeless-shelter` to prevent programs from
-    using `/etc/passwd` or the like to find the user's home
-    directory, which could cause impurity. Usually, when `HOME` is
-    set, it is used as the location of the home directory, even if
-    it points to a non-existent path.
-
-  - `NIX_STORE` is set to the path of the top-level Nix store
-    directory (typically, `/nix/store`).
-
-  - `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
-    is set to `true` for the derivation. A detailed explanation of this
-    behavior can be found in the
-    [section about structured attrs](@docroot@/language/advanced-attributes.md#adv-attr-structuredAttrs).
-
-  - For each output declared in `outputs`, the corresponding
-    environment variable is set to point to the intended path in the
-    Nix store for that output. Each output path is a concatenation
-    of the cryptographic hash of all build inputs, the `name`
-    attribute and the output name. (The output name is omitted if
-    it’s `out`.)
-
-- If an output path already exists, it is removed. Also, locks are
-  acquired to prevent multiple Nix instances from performing the same
-  build at the same time.
-
-- A log of the combined standard output and error is written to
-  `/nix/var/log/nix`.
-
-- The builder is executed with the arguments specified by the
-  attribute `args`. If it exits with exit code 0, it is considered to
-  have succeeded.
-
-- The temporary directory is removed (unless the `-K` option was
-  specified).
-
-## Processing outputs
-
-If the builder exited successfully, the following steps happen in order to turn the output directories left behind by the builder into proper store objects:
-
-- **Normalize the file permissions**
-
-  Nix sets the last-modified timestamp on all files
-  in the build result to 1 (00:00:01 1/1/1970 UTC), sets the group to
-  the default group, and sets the mode of the file to 0444 or 0555
-  (i.e., read-only, with execute permission enabled if the file was
-  originally executable). Any possible `setuid` and `setgid`
-  bits are cleared.
-
-  > **Note**
-  >
-  > Setuid and setgid programs are not currently supported by Nix.
-  > This is because the Nix archives used in deployment have no concept of ownership information,
-  > and because it makes the build result dependent on the user performing the build.
-
-- **Calculate the references**
-
-  Nix scans each output path for
-  references to input paths by looking for the hash parts of the input
-  paths. Since these are potential runtime dependencies, Nix registers
-  them as dependencies of the output paths.
-
-  Nix also scans for references to other outputs' paths in the same way, because outputs are allowed to refer to each other.
-  If the outputs' references to each other form a cycle, this is an error, because the references of store objects much be acyclic.

doc/manual/source/store/drv.md

@@ -1,310 +0,0 @@
-# Store Derivation and Deriving Path
-
-Besides functioning as a [content addressed store] the Nix store layer works as a [build system].
-Other system (like Git or IPFS) also store and transfer immutable data, but they don't concern themselves with *how* that data was created.
-
-This is where Nix distinguishes itself.
-*Derivations* represent individual build steps, and *deriving paths* are needed to refer to the *outputs* of those build steps before they are built.
-<!-- The two concepts need to be introduced together because, as described below, each depends on the other. -->
-
-## Store Derivation {#store-derivation}
-
-A derivation is a specification for running an executable on precisely defined input files to repeatably produce output files at uniquely determined file system paths.
-
-A derivation consists of:
-
- - A name
-
- - A set of [*inputs*][inputs], a set of [deriving paths][deriving path]
-
- - A map of [*outputs*][outputs], from names to other data
-
- - The ["system" type][system] (e.g. `x86_64-linux`) where the executable is to run.
-
- - The [process creation fields]: to spawn the arbitrary process which will perform the build step.
-
-[store derivation]: #store-derivation
-[inputs]: #inputs
-[input]: #inputs
-[outputs]: #outputs
-[output]: #outputs
-[process creation fields]: #process-creation-fields
-[builder]: #builder
-[args]: #args
-[env]: #env
-[system]: #system
-
-### Referencing derivations {#derivation-path}
-
-Derivations are always referred to by the [store path] of the store object they are encoded to.
-See the [encoding section](#derivation-encoding) for more details on how this encoding works, and thus what exactly what store path we would end up with for a given derivation.
-
-The store path of the store object which encodes a derivation is often called a *derivation path* for brevity.
-
-## Deriving path {#deriving-path}
-
-Deriving paths are a way to refer to [store objects][store object] that may or may not yet be [realised][realise].
-There are two forms:
-
-- [*constant*]{#deriving-path-constant}: just a [store path].
-  It can be made [valid][validity] by copying it into the store: from the evaluator, command line interface or another store.
-
-- [*output*]{#deriving-path-output}: a pair of a [store path] to a [store derivation] and an [output] name.
-
-In pseudo code:
-
-```typescript
-type OutputName = String;
-
-type ConstantPath = {
-  path: StorePath;
-};
-
-type OutputPath = {
-  drvPath: StorePath;
-  output: OutputName;
-};
-
-type DerivingPath = ConstantPath | OutputPath;
-```
-
-Deriving paths are necessary because, in general and particularly for [content-addressing derivations][content-addressing derivation], the [store path] of an [output] is not known in advance.
-We can use an output deriving path to refer to such an out, instead of the store path which we do not yet know.
-
-[deriving path]: #deriving-path
-[validity]: @docroot@/glossary.md#gloss-validity
-
-## Parts of a derivation
-
-A derivation is constructed from the parts documented in the following subsections.
-
-### Inputs {#inputs}
-
-The inputs are a set of [deriving paths][deriving path], refering to all store objects needed in order to perform this build step.
-
-The [process creation fields] will presumably include many [store paths][store path]:
-
- - The path to the executable normally starts with a store path
- - The arguments and environment variables likely contain many other store paths.
-
-But rather than somehow scanning all the other fields for inputs, Nix requires that all inputs be explicitly collected in the inputs field. It is instead the responsibility of the creator of a derivation (e.g. the evaluator) to  ensure that every store object referenced in another field (e.g. referenced by store path) is included in this inputs field.
-
-### Outputs {#outputs}
-
-The outputs are the derivations are the [store objects][store object] it is obligated to produce.
-
-Outputs are assigned names, and also consistent of other information based on the type of derivation.
-
-Output names can be any string which is also a valid [store path] name.
-The store path of the output store object (also called an [output path] for short), has a name based on the derivation name and the output name.
-In the general case, store paths have name `derivationName + "-" + outputName`.
-However, an output named "out" has a store path with name is just the derivation name.
-This is to allow derivations with a single output to avoid a superfluous `"-${outputName}"` in their single output's name when no disambiguation is needed.
-
-> **Example**
->
-> A derivation is named `hello`, and has two outputs, `out`, and `dev`
->
-> - The derivation's path will be: `/nix/store/<hash>-hello.drv`.
->
-> - The store path of `out` will be: `/nix/store/<hash>-hello`.
->
-> - The store path of `dev` will be: `/nix/store/<hash>-hello-dev`.
-
-### System {#system}
-
-The system type on which the [`builder`](#attr-builder) executable is meant to be run.
-
-A necessary condition for Nix to schedule a given derivation on some Nix instance is for the "system" of that derivation to match that instance's [`system` configuration option].
-
-By putting the `system` in each derivation, Nix allows *heterogenous* build plans, where not all steps can be run on the same machine or same sort of machine.
-Nix can schedule builds such that it automatically builds on other platforms by [forwarding build requests](@docroot@/advanced-topics/distributed-builds.md) to other Nix instances.
-
-[`system` configuration option]: @docroot@/command-ref/conf-file.md#conf-system
-
-[content-addressing derivation]: @docroot@/glossary.md#gloss-content-addressing-derivation
-[realise]: @docroot@/glossary.md#gloss-realise
-[store object]: @docroot@/store/store-object.md
-[store path]: @docroot@/store/store-path.md
-
-### Process creation fields {#process-creation-fields}
-
-These are the three fields which describe how to spawn the process which (along with any of its own child processes) will perform the build.
-You may note that this has everything needed for an `execve` system call.
-
-#### Builder {#builder}
-
-This is the path to an executable that will perform the build and produce the [outputs].
-
-#### Arguments {#args}
-
-Command-line arguments to be passed to the [`builder`](#builder) executable.
-
-Note that these are the arguments after the first argument.
-The first argument passed to the `builder` will be the value of `builder`, as per the usual convention on Unix.
-See [Wikipedia](https://en.wikipedia.org/wiki/Argv) for details.
-
-#### Environment Variables {#env}
-
-Environment variables which will be passed to the [builder](#builder) executable.
-
-### Placeholders
-
-Placeholders are opaque values used within the [process creation fields] to [store objects] for which we don't yet know [store path]s.
-They are strings in the form `/<hash>` that are embedded anywhere within the strings of those fields, and we are [considering](https://github.com/NixOS/nix/issues/12361) to add store-path-like placeholders.
-
-> **Note**
->
-> Output Deriving Path exist to solve the same problem as placeholders --- that is, referring to store objects for which we don't yet know a store path.
-> They also have a string syntax with `^`, [described in the encoding section](#deriving-path-encoding).
-> We could use that syntax instead of `/<hash>` for placeholders, but its human-legibility would cause problems.
-
-There are two types of placeholder, corresponding to the two cases where this problem arises:
-
-- [Output placeholder]{#output-placeholder}:
-
-  This is a placeholder for a derivation's own output.
-
-- [Input placeholder]{#input-placeholder}:
-
-  This is a placeholder to a derivation's non-constant [input],
-  i.e. an input that is an [output derived path].
-
-> **Explanation**
->
-> In general, we need to realise [realise] a [store object] in order to be sure to have a store object for it.
-> But for these two cases this is either impossible or impractical:
->
-> - In the output case this is impossible:
->
->   We cannot build the output until we have a correct derivation, and we cannot have a correct derivation (without using placeholders) until we have the output path.
->
-> - In the input case this is impractical:
->
->   If we always build a dependency first, and then refer to its output by store path, we would lose the ability for a derivation graph to describe an entire build plan consisting of multiple build steps.
-
-## Encoding
-
-### Derivation {#derivation-encoding}
-
-There are two formats, documented separately:
-
-- The legacy ["ATerm" format](@docroot@/protocols/derivation-aterm.md)
-
-- The experimental, currently under development and changing [JSON format](@docroot@/protocols/json/derivation.md)
-
-Every derivation has a canonical choice of encoding used to serialize it to a store object.
-This ensures that there is a canonical [store path] used to refer to the derivation, as described in [Referencing derivations](#derivation-path).
-
-> **Note**
->
-> Currently, the canonical encoding for every derivation is the "ATerm" format,
-> but this is subject to change for types derivations which are not yet stable.
-
-Regardless of the format used, when serializing a derivation to a store object, that store object will be content-addressed.
-
-In the common case, the inputs to store objects are either:
-
- - [constant deriving paths](#deriving-path-constant) for content-addressed source objects, which are "initial inputs" rather than the outputs of some other derivation
-
- - the outputs of other derivations
-
-If those other derivations *also* abide by this common case (and likewise for transitive inputs), then the entire closure of the serialized derivation will be content-addressed.
-
-### Deriving Path {#deriving-path-encoding}
-
-- *constant*
-
-  Constant deriving paths are encoded simply as the underlying store path is.
-  Thus, we see that every encoded store path is also a valid encoded (constant) deriving path.
-
-- *output*
-
-  Output deriving paths are encoded by
-
-  - encoding of a store path referring to a derivation
-
-  - a `^` separator (or `!` in some legacy contexts)
-
-  - the name of an output of the previously referred derivation
-
-  > **Example**
-  >
-  > ```
-  > /nix/store/lxrn8v5aamkikg6agxwdqd1jz7746wz4-firefox-98.0.2.drv^out
-  > ```
-  >
-  > This parses like so:
-  >
-  > ```
-  > /nix/store/lxrn8v5aamkikg6agxwdqd1jz7746wz4-firefox-98.0.2.drv^out
-  > |------------------------------------------------------------| |-|
-  > store path (usual encoding)                                    output name
-  >                                                           |--|
-  >                                                           note the ".drv"
-  > ```
-
-## Extending the model to be higher-order
-
-**Experimental feature**: [`dynamic-derivations`](@docroot@/development/experimental-features.md#xp-feature-dynamic-derivations)
-
-So far, we have used store paths to refer to derivations.
-That works because we've implicitly assumed that all derivations are created *statically* --- created by some mechanism out of band, and then manually inserted into the store.
-But what if derivations could also be created dynamically within Nix?
-In other words, what if derivations could be the outputs of other derivations?
-
-:::{.note}
-In the parlance of "Build Systems à la carte", we are generalizing the Nix store layer to be a "Monadic" instead of "Applicative" build system.
-:::
-
-How should we refer to such derivations?
-A deriving path works, the same as how we refer to other derivation outputs.
-But what about a dynamic derivations output?
-(i.e. how do we refer to the output of an output of a derivation?)
-For that we need to generalize the definition of deriving path, replacing the store path used to refer to the derivation with a nested deriving path:
-
-```diff
- type OutputPath = {
--  drvPath: StorePath;
-+  drvPath: DerivingPath;
-   output: OutputName;
- };
-```
-
-Now, the `drvPath` field of `OutputPath` is itself a `DerivingPath` instead of a `StorePath`.
-
-With that change, here is updated definition:
-
-```typescript
-type OutputName = String;
-
-type ConstantPath = {
-  path: StorePath;
-};
-
-type OutputPath = {
-  drvPath: DerivingPath;
-  output: OutputName;
-};
-
-type DerivingPath = ConstantPath | OutputPath;
-```
-
-Under this extended model, `DerivingPath`s are thus inductively built up from a root `ConstantPath`, wrapped with zero or more outer `OutputPath`s.
-
-### Encoding {#deriving-path-encoding}
-
-The encoding is adjusted in the natural way, encoding the `drv` field recursively using the same deriving path encoding.
-The result of this is that it is possible to have a chain of `^<output-name>` at the end of the final string, as opposed to just a single one.
-
-> **Example**
->
-> ```
-> /nix/store/lxrn8v5aamkikg6agxwdqd1jz7746wz4-firefox-98.0.2.drv^foo.drv^bar.drv^out
-> |----------------------------------------------------------------------------| |-|
-> inner deriving path (usual encoding)                                           output name
-> |--------------------------------------------------------------------| |-----|
-> even more inner deriving path (usual encoding)                         output name
-> |------------------------------------------------------------| |-----|
-> innermost constant store path (usual encoding)                 output name
-> ```

doc/manual/src/SUMMARY.md.in

@@ -22,8 +22,6 @@
   - [Store Object](store/store-object.md)
     - [Content-Addressing Store Objects](store/store-object/content-address.md)
   - [Store Path](store/store-path.md)
-  - [Store Derivation and Deriving Path](store/drv.md)
-  - [Building](store/building.md)
   - [Store Types](store/types/index.md)
 {{#include ./store/types/SUMMARY.md}}
 - [Nix Language](language/index.md)
@@ -123,7 +121,6 @@
 - [Development](development/index.md)
   - [Building](development/building.md)
   - [Testing](development/testing.md)
-  - [Debugging](development/debugging.md)
   - [Documentation](development/documentation.md)
   - [CLI guideline](development/cli-guideline.md)
   - [JSON guideline](development/json-guideline.md)
@@ -132,8 +129,6 @@
   - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
-  - [Release 2.26 (2025-01-22)](release-notes/rl-2.26.md)
-  - [Release 2.25 (2024-11-07)](release-notes/rl-2.25.md)
   - [Release 2.24 (2024-07-31)](release-notes/rl-2.24.md)
   - [Release 2.23 (2024-06-03)](release-notes/rl-2.23.md)
   - [Release 2.22 (2024-04-23)](release-notes/rl-2.22.md)

doc/manual/src/advanced-topics/distributed-builds.md

@@ -0,0 +1,71 @@
+# Remote Builds
+
+Nix supports remote builds, where a local Nix installation can forward
+Nix builds to other machines. This allows multiple builds to be
+performed in parallel and allows Nix to perform multi-platform builds in
+a semi-transparent way. For instance, if you perform a build for a
+`x86_64-darwin` on an `i686-linux` machine, Nix can automatically
+forward the build to a `x86_64-darwin` machine, if available.
+
+To forward a build to a remote machine, it’s required that the remote
+machine is accessible via SSH and that it has Nix installed. You can
+test whether connecting to the remote Nix instance works, e.g.
+
+```console
+$ nix store ping --store ssh://mac
+```
+
+will try to connect to the machine named `mac`. It is possible to
+specify an SSH identity file as part of the remote store URI, e.g.
+
+```console
+$ nix store ping --store ssh://mac?ssh-key=/home/alice/my-key
+```
+
+Since builds should be non-interactive, the key should not have a
+passphrase. Alternatively, you can load identities ahead of time into
+`ssh-agent` or `gpg-agent`.
+
+If you get the error
+
+```console
+bash: nix-store: command not found
+error: cannot connect to 'mac'
+```
+
+then you need to ensure that the `PATH` of non-interactive login shells
+contains Nix.
+
+The [list of remote build machines](@docroot@/command-ref/conf-file.md#conf-builders) can be specified on the command line or in the Nix configuration file.
+For example, the following command allows you to build a derivation for `x86_64-darwin` on a Linux machine:
+
+```console
+$ uname
+Linux
+
+$ nix build --impure \
+  --expr '(with import <nixpkgs> { system = "x86_64-darwin"; }; runCommand "foo" {} "uname > $out")' \
+  --builders 'ssh://mac x86_64-darwin'
+[1/0/1 built, 0.0 MiB DL] building foo on ssh://mac
+
+$ cat ./result
+Darwin
+```
+
+It is possible to specify multiple build machines separated by a semicolon or a newline, e.g.
+
+```console
+  --builders 'ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd'
+```
+
+Remote build machines can also be configured in [`nix.conf`](@docroot@/command-ref/conf-file.md), e.g.
+
+    builders = ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd
+
+Finally, remote build machines can be configured in a separate configuration
+file included in `builders` via the syntax `@/path/to/file`. For example,
+
+    builders = @/etc/nix/machines
+
+causes the list of machines in `/etc/nix/machines` to be included.
+(This is the default.)

doc/manual/src/architecture/architecture.md

@@ -69,7 +69,7 @@ It can also execute build plans to produce new data, which are made available to
 A build plan itself is a series of *build tasks*, together with their build inputs.
 
 > **Important**
-> A build task in Nix is called [store derivation](@docroot@/glossary.md#gloss-store-derivation).
+> A build task in Nix is called [derivation](@docroot@/glossary.md#gloss-derivation).
 
 Each build task has a special build input executed as *build instructions* in order to perform the build.
 The result of a build task can be input to another build task.

doc/manual/src/command-ref/nix-collect-garbage.md

@@ -36,7 +36,7 @@ Instead, it looks in a few locations, and acts on all profiles it finds there:
    >
    > Not stable; subject to change
    >
-   > Do not rely on this functionality; it just exists for migration purposes and may change in the future.
+   > Do not rely on this functionality; it just exists for migration purposes and is may change in the future.
    > These deprecated paths remain a private implementation detail of Nix.
 
    `$NIX_STATE_DIR/profiles` and `$NIX_STATE_DIR/profiles/per-user`.
@@ -62,15 +62,6 @@ These options are for deleting old [profiles] prior to deleting unreachable [sto
   This is the equivalent of invoking [`nix-env --delete-generations <period>`](@docroot@/command-ref/nix-env/delete-generations.md#generations-time) on each found profile.
   See the documentation of that command for additional information about the *period* argument.
 
-  - <span id="opt-max-freed">[`--max-freed`](#opt-max-freed)</span> *bytes*
-
-<!-- duplication from https://github.com/NixOS/nix/blob/442a2623e48357ff72c77bb11cf2cf06d94d2f90/doc/manual/source/command-ref/nix-store/gc.md?plain=1#L39-L44 -->
-
-  Keep deleting paths until at least *bytes* bytes have been deleted,
-  then stop. The argument *bytes* can be followed by the
-  multiplicative suffix `K`, `M`, `G` or `T`, denoting KiB, MiB, GiB
-  or TiB units.
-  
 {{#include ./opt-common.md}}
 
 {{#include ./env-common.md}}

doc/manual/src/command-ref/nix-copy-closure.md

@@ -84,7 +84,7 @@ When using public key authentication, you can avoid typing the passphrase with `
 > Copy GNU Hello from a remote machine using a known store path, and run it:
 >
 > ```shell-session
-> $ storePath="$(nix-instantiate --eval --raw '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello.outPath)"
+> $ storePath="$(nix-instantiate --eval '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello.outPath | tr -d '"')"
 > $ nix-copy-closure --from alice@itchy.example.org "$storePath"
 > $ "$storePath"/bin/hello
 > Hello, world!

doc/manual/src/command-ref/nix-env/install.md

@@ -11,7 +11,6 @@
   [`--from-profile` *path*]
   [`--preserve-installed` | `-P`]
   [`--remove-all` | `-r`]
-  [`--priority` *priority*]
 
 # Description
 
@@ -22,11 +21,11 @@ It is based on the current generation of the active [profile](@docroot@/command-
 
 The arguments *args* map to store paths in a number of possible ways:
 
-- By default, *args* is a set of names denoting derivations in the [default Nix expression].
+- By default, *args* is a set of [derivation] names denoting derivations in the [default Nix expression].
   These are [realised], and the resulting output paths are installed.
   Currently installed derivations with a name equal to the name of a derivation being added are removed unless the option `--preserve-installed` is specified.
 
-  [derivation expression]: @docroot@/glossary.md#gloss-derivation-expression
+  [derivation]: @docroot@/glossary.md#gloss-derivation
   [default Nix expression]: @docroot@/command-ref/files/default-nix-expression.md
   [realised]: @docroot@/glossary.md#gloss-realise
 
@@ -62,15 +61,11 @@ The arguments *args* map to store paths in a number of possible ways:
   The derivations returned by those function calls are installed.
   This allows derivations to be specified in an unambiguous way, which is necessary if there are multiple derivations with the same name.
 
-- If `--priority` *priority* is given, the priority of the derivations being installed is set to *priority*.
-  This can be used to override the priority of the derivations being installed.
-  This is useful if *args* are [store paths], which don't have any priority information.
+- If *args* are [store derivations](@docroot@/glossary.md#gloss-store-derivation), then these are [realised], and the resulting output paths are installed.
 
-- If *args* are [store paths] that point to [store derivations][store derivation], then those store derivations are [realised], and the resulting output paths are installed.
+- If *args* are [store paths] that are not store derivations, then these are [realised] and installed.
 
-- If *args* are [store paths] that do not point to store derivations, then these are [realised] and installed.
-
-- By default all [outputs](@docroot@/language/derivations.md#attr-outputs) are installed for each [store derivation].
+- By default all [outputs](@docroot@/language/derivations.md#attr-outputs) are installed for each [derivation].
   This can be overridden by adding a `meta.outputsToInstall` attribute on the derivation listing a subset of the output names.
 
   Example:
@@ -122,8 +117,6 @@ The arguments *args* map to store paths in a number of possible ways:
   manifest.nix
   ```
 
-[store derivation]: @docroot@/glossary.md#gloss-store-derivation
-
 # Options
 
 - `--prebuilt-only` / `-b`
@@ -242,3 +235,4 @@ channel:
 ```console
 $ nix-env --file https://github.com/NixOS/nixpkgs/archive/nixos-14.12.tar.gz --install --attr firefox
 ```
+

doc/manual/src/command-ref/nix-env/query.md

@@ -125,10 +125,7 @@ derivation is shown unless `--no-name` is specified.
 
   - `--drv-path`
 
-    Print the [store path] to the [store derivation].
-
-    [store path]: @docroot@/glossary.md#gloss-store-path
-    [store derivation]: @docroot@/glossary.md#gloss-derivation
+    Print the path of the [store derivation](@docroot@/glossary.md#gloss-store-derivation).
 
   - `--out-path`
 

doc/manual/src/command-ref/nix-hash.md

@@ -67,7 +67,7 @@ md5sum`.
 - `--type` *hashAlgo*
 
   Use the specified cryptographic hash algorithm, which can be one of
-  `blake3`, `md5`, `sha1`, `sha256`, and `sha512`.
+  `md5`, `sha1`, `sha256`, and `sha512`.
 
 - `--to-base16`
 

doc/manual/src/command-ref/nix-instantiate.md

@@ -5,7 +5,7 @@
 # Synopsis
 
 `nix-instantiate`
-  [`--parse` | `--eval` [`--strict`] [`--raw` | `--json` | `--xml`] ]
+  [`--parse` | `--eval` [`--strict`] [`--json`] [`--xml`] ]
   [`--read-write-mode`]
   [`--arg` *name* *value*]
   [{`--attr`| `-A`} *attrPath*]
@@ -42,8 +42,8 @@ standard input.
 - `--eval`
 
   Just parse and evaluate the input files, and print the resulting
-  values on standard output.
-  Store derivations are not serialized and written to the store, but instead just hashed and discarded.
+  values on standard output. No instantiation of store derivations
+  takes place.
 
   > **Warning**
   >
@@ -102,11 +102,6 @@ standard input.
   > This option can cause non-termination, because lazy data
   > structures can be infinitely large.
 
-- `--raw`
-
-  When used with `--eval`, the evaluation result must be a string,
-  which is printed verbatim, without quoting, escaping or trailing newline.
-
 - `--json`
 
   When used with `--eval`, print the resulting value as an JSON

doc/manual/src/command-ref/nix-prefetch-url.md

@@ -42,7 +42,7 @@ the path of the downloaded file in the Nix store is also printed.
 - `--type` *hashAlgo*
 
   Use the specified cryptographic hash algorithm,
-  which can be one of `blake3`, `md5`, `sha1`, `sha256`, and `sha512`.
+  which can be one of `md5`, `sha1`, `sha256`, and `sha512`.
   The default is `sha256`.
 
 - `--print-path`