treewide: Make exceptions cloneable

This is needed to make it possible to store exceptions in failed values
with each new rethrow getting a fresh copy of the exception object.

.clang-format

@@ -8,7 +8,7 @@ BraceWrapping:
   AfterUnion: true
   SplitEmptyRecord: false
 PointerAlignment: Middle
-FixNamespaceComments: false
+FixNamespaceComments: true
 SortIncludes: Never
 #IndentPPDirectives: BeforeHash
 SpaceAfterCStyleCast: true
@@ -32,3 +32,4 @@ IndentPPDirectives: AfterHash
 PPIndentWidth: 2
 BinPackArguments: false
 BreakBeforeTernaryOperators: true
+SeparateDefinitionBlocks: Always

.coderabbit.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+# Disable CodeRabbit auto-review to prevent verbose comments on PRs.
+# When enabled: false, CodeRabbit won't attempt reviews and won't post
+# "Review skipped" or other automated comments.
+reviews:
+  auto_review:
+    enabled: false
+  review_status: false
+  high_level_summary: false
+  poem: false
+  sequence_diagrams: false
+  changed_files_summary: false
+  tools:
+    github-checks:
+      enabled: false
+chat:
+  art: false
+  auto_reply: false

.git-blame-ignore-revs

@@ -0,0 +1,6 @@
+# bulk initial re-formatting with clang-format
+e4f62e46088919428a68bd8014201dc8e379fed7 # !autorebase ./maintainers/format.sh --until-stable
+# meson re-formatting
+385e2c3542c707d95e3784f7f6d623f67e77ab61 # !autorebase ./maintainers/format.sh --until-stable
+# nixfmt 1.0.0
+1d943f581908f35075a84a3d89c2eba3ff35067f # !autorebase ./maintainers/format.sh --until-stable

.github/CODEOWNERS

@@ -11,16 +11,7 @@
 .github/CODEOWNERS @edolstra
 
 # Documentation of built-in functions
-src/libexpr/primops.cc @roberth @fricklerhandwerk
-
-# Documentation of settings
-src/libexpr/eval-settings.hh @fricklerhandwerk
-src/libstore/globals.hh @fricklerhandwerk
-
-# Documentation
-doc/manual @fricklerhandwerk
-maintainers/*.md @fricklerhandwerk
-src/**/*.md @fricklerhandwerk
+src/libexpr/primops.cc @roberth
 
 # Libstore layer
 /src/libstore @ericson2314

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,36 +1,54 @@
 ---
 name: Bug report
-about: Create a report to help us improve
+about: Report unexpected or incorrect behaviour
 title: ''
 labels: bug
 assignees: ''
 
 ---
 
-**Describe the bug**
+## Describe the bug
 
-A clear and concise description of what the bug is.
+<!--
+  A clear and concise description of what the bug is.
 
-If you have a problem with a specific package or NixOS,
-you probably want to file an issue at https://github.com/NixOS/nixpkgs/issues. 
+  If you have a problem with a specific package or NixOS,
+  you probably want to file an issue at https://github.com/NixOS/nixpkgs/issues.
+-->
 
-**Steps To Reproduce**
+## Steps To Reproduce
 
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
+<!--
+  Example:
 
-**Expected behavior**
+  1. Clone this repository: ...
+  2. Run `nix-... ...`
+  3. Observe unexpected behaviour
+-->
 
-A clear and concise description of what you expected to happen.
+## Expected behavior
 
-**`nix-env --version` output**
+<!-- A clear and concise description of what you expected to happen. -->
 
-**Additional context**
+## Metadata
 
-Add any other context about the problem here.
+<!-- Please insert the output of running `nix-env --version` below this line -->
 
-**Priorities**
+## Additional context
+
+<!-- Add any other context about the problem here. -->
+
+## Checklist
+
+<!-- make sure this issue is not redundant or obsolete -->
+
+- [ ] checked [latest Nix manual] \([source])
+- [ ] checked [open bug issues and pull requests] for possible duplicates
+
+[latest Nix manual]: https://nix.dev/manual/nix/development/
+[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
+[open bug issues and pull requests]: https://github.com/NixOS/nix/labels/bug
+
+---
 
 Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,24 +1,39 @@
 ---
 name: Feature request
-about: Suggest an idea for this project
+about: Suggest a new feature
 title: ''
 labels: feature
 assignees: ''
 
 ---
 
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+## Is your feature request related to a problem?
 
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
 
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
+## Proposed solution
 
-**Additional context**
-Add any other context or screenshots about the feature request here.
+<!-- A clear and concise description of what you want to happen. -->
 
-**Priorities**
+## Alternative solutions
+
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
+
+## Additional context
+
+<!-- Add any other context or screenshots about the feature request here. -->
+
+## Checklist
+
+<!-- make sure this issue is not redundant or obsolete -->
+
+- [ ] checked [latest Nix manual] \([source])
+- [ ] checked [open feature issues and pull requests] for possible duplicates
+
+[latest Nix manual]: https://nix.dev/manual/nix/development/
+[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
+[open feature issues and pull requests]: https://github.com/NixOS/nix/labels/feature
+
+---
 
 Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/ISSUE_TEMPLATE/installer.md

@@ -23,14 +23,25 @@ assignees: ''
 
 <details><summary>Output</summary>
 
-```log
+<!-- paste console output inside the below code block -->
 
-<!-- paste console output here and remove this comment -->
+```log
 
 ```
 
 </details>
 
-## Priorities
+## Checklist
+
+<!-- make sure this issue is not redundant or obsolete -->
+
+- [ ] checked [latest Nix manual] \([source])
+- [ ] checked [open installer issues and pull requests] for possible duplicates
+
+[latest Nix manual]: https://nix.dev/manual/nix/development/
+[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
+[open installer issues and pull requests]: https://github.com/NixOS/nix/labels/installer
+
+---
 
 Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -22,10 +22,10 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open documentation issues and pull requests] for possible duplicates
 
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
-[source]: https://github.com/NixOS/nix/tree/master/doc/manual/src
+[latest Nix manual]: https://nix.dev/manual/nix/development/
+[source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open documentation issues and pull requests]: https://github.com/NixOS/nix/labels/documentation
 
-## Priorities
+---
 
 Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,7 +1,32 @@
-# Motivation
+<!--
+
+IMPORTANT
+
+Nix is a non-trivial project, so for your contribution to be successful,
+it really is important to follow the contributing guidelines:
+
+https://github.com/NixOS/nix/blob/master/CONTRIBUTING.md
+
+Even if you've contributed to open source before, take a moment to read it,
+so you understand the process and the expectations.
+
+- what information to include in commit messages
+- proper attribution
+- volunteering contributions effectively
+- how to get help and our review process.
+
+PR stuck in review? We have two Nix team meetings per week online that are open for everyone in a jitsi conference:
+
+- https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com
+
+-->
+
+## Motivation
+
 <!-- Briefly explain what the change is about and why it is desirable. -->
 
-# Context
+## Context
+
 <!-- Provide context. Reference open issues if available. -->
 
 <!-- Non-trivial change: Briefly outline the implementation strategy. -->
@@ -10,7 +35,7 @@
 
 <!-- Large change: Provide instructions to reviewers how to read the diff. -->
 
-# Priorities and Process
+---
 
 Add :+1: to [pull requests you find important](https://github.com/NixOS/nix/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc).
 

.github/STALE-BOT.md

@@ -3,7 +3,7 @@
 - Thanks for your contribution!
 - To remove the stale label, just leave a new comment.
 - _How to find the right people to ping?_ → [`git blame`](https://git-scm.com/docs/git-blame) to the rescue! (or GitHub's history and blame buttons.)
-- You can always ask for help on [our Discourse Forum](https://discourse.nixos.org/) or on [Matrix - #nix:nixos.org](https://matrix.to/#/#nix:nixos.org).
+- You can always ask for help on [our Discourse Forum](https://discourse.nixos.org/) or on [Matrix - #users:nixos.org](https://matrix.to/#/#users:nixos.org).
 
 ## Suggestions for PRs
 

.github/actions/install-nix-action/action.yaml

@@ -0,0 +1,124 @@
+name: "Install Nix"
+description: "Helper action for installing Nix with support for dogfooding from master"
+inputs:
+  dogfood:
+    description: "Whether to use Nix installed from the latest artifact from master branch"
+    required: true # Be explicit about the fact that we are using unreleased artifacts
+  experimental-installer:
+    description: "Whether to use the experimental installer to install Nix"
+    default: false
+  experimental-installer-version:
+    description: "Version of the experimental installer to use. If `latest`, the newest artifact from the default branch is used."
+    # TODO: This should probably be pinned to a release after https://github.com/NixOS/experimental-nix-installer/pull/49 lands in one
+    default: "latest"
+  extra_nix_config:
+    description: "Gets appended to `/etc/nix/nix.conf` if passed."
+  install_url:
+    description: "URL of the Nix installer"
+    required: false
+    default: "https://releases.nixos.org/nix/nix-2.32.1/install"
+  tarball_url:
+    description: "URL of the Nix tarball to use with the experimental installer"
+    required: false
+  github_token:
+    description: "Github token"
+    required: true
+  use_cache:
+    description: "Whether to setup github actions cache (not implemented currently)"
+    default: false
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: "Download nix install artifact from master"
+      shell: bash
+      id: download-nix-installer
+      if: inputs.dogfood == 'true'
+      run: |
+        RUN_ID=$(gh run list --repo "$DOGFOOD_REPO" --workflow ci.yml --branch master --status success --json databaseId --jq ".[0].databaseId")
+
+        if [ "$RUNNER_OS" == "Linux" ]; then
+          INSTALLER_ARTIFACT="installer-linux"
+        elif [ "$RUNNER_OS" == "macOS" ]; then
+          INSTALLER_ARTIFACT="installer-darwin"
+        else
+          echo "::error ::Unsupported RUNNER_OS: $RUNNER_OS"
+          exit 1
+        fi
+
+        INSTALLER_DOWNLOAD_DIR="$GITHUB_WORKSPACE/$INSTALLER_ARTIFACT"
+        mkdir -p "$INSTALLER_DOWNLOAD_DIR"
+
+        gh run download "$RUN_ID" --repo "$DOGFOOD_REPO" -n "$INSTALLER_ARTIFACT" -D "$INSTALLER_DOWNLOAD_DIR"
+        echo "installer-path=file://$INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
+        TARBALL_PATH="$(find "$INSTALLER_DOWNLOAD_DIR" -name 'nix*.tar.xz' -print | head -n 1)"
+        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
+
+        echo "::notice ::Dogfooding Nix installer from master (https://github.com/$DOGFOOD_REPO/actions/runs/$RUN_ID)"
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+        DOGFOOD_REPO: "NixOS/nix"
+    - name: "Gather system info for experimental installer"
+      shell: bash
+      if: ${{ inputs.experimental-installer == 'true' }}
+      run: |
+        echo "::notice Using experimental installer from $EXPERIMENTAL_INSTALLER_REPO (https://github.com/$EXPERIMENTAL_INSTALLER_REPO)"
+
+        if [ "$RUNNER_OS" == "Linux" ]; then
+          EXPERIMENTAL_INSTALLER_SYSTEM="linux"
+          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
+        elif [ "$RUNNER_OS" == "macOS" ]; then
+          EXPERIMENTAL_INSTALLER_SYSTEM="darwin"
+          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
+        else
+          echo "::error ::Unsupported RUNNER_OS: $RUNNER_OS"
+          exit 1
+        fi
+
+        if [ "$RUNNER_ARCH" == "X64" ]; then
+          EXPERIMENTAL_INSTALLER_ARCH=x86_64
+          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
+        elif [ "$RUNNER_ARCH" == "ARM64" ]; then
+          EXPERIMENTAL_INSTALLER_ARCH=aarch64
+          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
+        else
+          echo "::error ::Unsupported RUNNER_ARCH: $RUNNER_ARCH"
+          exit 1
+        fi
+
+        echo "EXPERIMENTAL_INSTALLER_ARTIFACT=nix-installer-$EXPERIMENTAL_INSTALLER_ARCH-$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
+      env:
+        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
+    - name: "Download latest experimental installer"
+      shell: bash
+      id: download-latest-experimental-installer
+      if: ${{ inputs.experimental-installer == 'true' && inputs.experimental-installer-version == 'latest' }}
+      run: |
+        RUN_ID=$(gh run list --repo "$EXPERIMENTAL_INSTALLER_REPO" --workflow ci.yml --branch main --status success --json databaseId --jq ".[0].databaseId")
+
+        EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR="$GITHUB_WORKSPACE/$EXPERIMENTAL_INSTALLER_ARTIFACT"
+        mkdir -p "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
+
+        gh run download "$RUN_ID" --repo "$EXPERIMENTAL_INSTALLER_REPO" -n "$EXPERIMENTAL_INSTALLER_ARTIFACT" -D "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
+        # Executable permissions are lost in artifacts
+        find $EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR -type f -exec chmod +x {} +
+        echo "installer-path=$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
+    - uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31.5.1
+      if: ${{ inputs.experimental-installer != 'true' }}
+      with:
+        # Ternary operator in GHA: https://www.github.com/actions/runner/issues/409#issuecomment-752775072
+        install_url: ${{ inputs.dogfood == 'true' && format('{0}/install', steps.download-nix-installer.outputs.installer-path) || inputs.install_url }}
+        install_options: ${{ inputs.dogfood == 'true' && format('--tarball-url-prefix {0}', steps.download-nix-installer.outputs.installer-path) || '' }}
+        extra_nix_config: ${{ inputs.extra_nix_config }}
+    - uses: DeterminateSystems/nix-installer-action@786fff0690178f1234e4e1fe9b536e94f5433196 # v20
+      if: ${{ inputs.experimental-installer == 'true' }}
+      with:
+        diagnostic-endpoint: ""
+        # TODO: It'd be nice to use `artifacts.nixos.org` for both of these, maybe through an `/experimental-installer/latest` endpoint? or `/commit/<hash>`?
+        local-root: ${{ inputs.experimental-installer-version == 'latest' && steps.download-latest-experimental-installer.outputs.installer-path || '' }}
+        source-url: ${{ inputs.experimental-installer-version != 'latest' && 'https://artifacts.nixos.org/experimental-installer/tag/${{ inputs.experimental-installer-version }}/${{ env.EXPERIMENTAL_INSTALLER_ARTIFACT }}' || '' }}
+        nix-package-url: ${{ inputs.dogfood == 'true' && steps.download-nix-installer.outputs.tarball-path || (inputs.tarball_url || '') }}
+        extra-conf: ${{ inputs.extra_nix_config }}

.github/labeler.yml

@@ -1,7 +1,7 @@
 "c api":
   - changed-files:
     - any-glob-to-any-file: "src/lib*-c/**/*"
-    - any-glob-to-any-file: "test/unit/**/nix_api_*"
+    - any-glob-to-any-file: "src/*test*/**/nix_api_*"
     - any-glob-to-any-file: "doc/external-api/**/*"
 
 "contributor-experience":
@@ -9,7 +9,7 @@
     - any-glob-to-any-file: "CONTRIBUTING.md"
     - any-glob-to-any-file: ".github/ISSUE_TEMPLATE/*"
     - any-glob-to-any-file: ".github/PULL_REQUEST_TEMPLATE.md"
-    - any-glob-to-any-file: "doc/manual/src/contributing/**"
+    - any-glob-to-any-file: "doc/manual/source/contributing/**"
 
 "documentation":
   - changed-files:

.github/workflows/backport.yml

@@ -8,25 +8,30 @@ jobs:
   backport:
     name: Backport Pull Request
     permissions:
-      # for zeebe-io/backport-action
+      # for korthout/backport-action
       contents: write
       pull-requests: write
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v4
+      - name: Generate GitHub App token
+        id: generate-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.CI_APP_ID }}
+          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           # required to find all branches
           fetch-depth: 0
       - name: Create backport PRs
-        # should be kept in sync with `version`
-        uses: zeebe-io/backport-action@v3.0.2
+        uses: korthout/backport-action@c656f5d5851037b2b38fb5db2691a03fa229e3b2 # v4.0.1
+        id: backport
         with:
-          # Config README: https://github.com/zeebe-io/backport-action#backport-action
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          # Config README: https://github.com/korthout/backport-action#backport-action
+          github_token: ${{ steps.generate-token.outputs.token }}
           github_workspace: ${{ github.workspace }}
+          auto_merge_enabled: true
           pull_description: |-
             Automatic backport to `${target_branch}`, triggered by a label in #${pull_number}.
-          # should be kept in sync with `uses`
-          version: v0.0.5

.github/workflows/ci.yml

@@ -2,123 +2,194 @@ name: "CI"
 
 on:
   pull_request:
+  merge_group:
   push:
+    branches:
+      - master
+  workflow_dispatch:
+    inputs:
+      dogfood:
+        description: 'Use dogfood Nix build'
+        required: false
+        default: true
+        type: boolean
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 permissions: read-all
 
 jobs:
+  eval:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+    - uses: ./.github/actions/install-nix-action
+      with:
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        extra_nix_config:
+          experimental-features = nix-command flakes
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        use_cache: false
+    - run: nix flake show --all-systems --json
+
+  pre-commit-checks:
+    name: pre-commit checks
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - uses: ./.github/actions/install-nix-action
+        with:
+          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+          extra_nix_config: experimental-features = nix-command flakes
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - run: ./ci/gha/tests/pre-commit-checks
+
+  basic-checks:
+    name: aggregate basic checks
+    if: ${{ always() }}
+    runs-on: ubuntu-24.04
+    needs: [pre-commit-checks, eval]
+    steps:
+      - name: Exit with any errors
+        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
+        run: |
+          exit 1
 
   tests:
-    needs: [check_secrets]
+    needs: basic-checks
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
+        include:
+          - scenario: on ubuntu
+            runs-on: ubuntu-24.04
+            os: linux
+            instrumented: false
+            primary: true
+            stdenv: stdenv
+          - scenario: on macos
+            runs-on: macos-14
+            os: darwin
+            instrumented: false
+            primary: true
+            stdenv: stdenv
+          - scenario: on ubuntu (with sanitizers / coverage)
+            runs-on: ubuntu-24.04
+            os: linux
+            instrumented: true
+            primary: false
+            stdenv: clangStdenv
+    name: tests ${{ matrix.scenario }}
+    runs-on: ${{ matrix.runs-on }}
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
-    - uses: cachix/install-nix-action@V27
+    - uses: ./.github/actions/install-nix-action
       with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
         # The sandbox would otherwise be disabled by default on Darwin
         extra_nix_config: "sandbox = true"
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/cachix-action@v15
-      if: needs.check_secrets.outputs.cachix == 'true'
-      with:
-        name: '${{ env.CACHIX_NAME }}'
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-    - if: matrix.os == 'ubuntu-latest'
+    # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
+    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+      if: matrix.os == 'linux'
+    - name: Run component tests
       run: |
-        free -h
-        swapon --show
-        swap=$(swapon --show --noheadings | head -n 1 | awk '{print $1}')
-        echo "Found swap: $swap"
-        sudo swapoff $swap
-        # resize it (fallocate)
-        sudo fallocate -l 10G $swap
-        sudo mkswap $swap
-        sudo swapon $swap
-        free -h
-        (
-          while sleep 60; do
-            free -h
-          done
-        ) &
-    - run: nix --experimental-features 'nix-command flakes' flake check -L
-
-  # Steps to test CI automation in your own fork.
-  # Cachix:
-  # 1. Sign-up for https://www.cachix.org/
-  # 2. Create a cache for $githubuser-nix-install-tests
-  # 3. Create a cachix auth token and save it in https://github.com/$githubuser/nix/settings/secrets/actions in "Repository secrets" as CACHIX_AUTH_TOKEN
-  # Dockerhub:
-  # 1. Sign-up for https://hub.docker.com/
-  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
-  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
-  check_secrets:
-    permissions:
-      contents: none
-    name: Check Cachix and Docker secrets present for installer tests
-    runs-on: ubuntu-latest
-    outputs:
-      cachix: ${{ steps.secret.outputs.cachix }}
-      docker: ${{ steps.secret.outputs.docker }}
-    steps:
-      - name: Check for secrets
-        id: secret
-        env:
-          _CACHIX_SECRETS: ${{ secrets.CACHIX_SIGNING_KEY }}${{ secrets.CACHIX_AUTH_TOKEN }}
-          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-        run: |
-          echo "::set-output name=cachix::${{ env._CACHIX_SECRETS != '' }}"
-          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
-
-  installer:
-    needs: [tests, check_secrets]
-    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
-    runs-on: ubuntu-latest
-    outputs:
-      installerURL: ${{ steps.prepare-installer.outputs.installerURL }}
-    steps:
-    - uses: actions/checkout@v4
+        nix build --file ci/gha/tests/wrapper.nix componentTests -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}"
+    - name: Run VM tests
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix vmTests -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}"
+      if: ${{ matrix.os == 'linux' }}
+    - name: Run flake checks and prepare the installer tarball
+      run: |
+        ci/gha/tests/build-checks
+        ci/gha/tests/prepare-installer-for-github-actions
+      if: ${{ matrix.primary }}
+    - name: Collect code coverage
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix codeCoverage.coverageReports -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}" \
+          --out-link coverage-reports
+        cat coverage-reports/index.txt >> $GITHUB_STEP_SUMMARY
+      if: ${{ matrix.instrumented }}
+    - name: Upload coverage reports
+      uses: actions/upload-artifact@v6
       with:
-        fetch-depth: 0
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@V27
+        name: coverage-reports
+        path: coverage-reports/
+      if: ${{ matrix.instrumented }}
+    - name: Upload installer tarball
+      uses: actions/upload-artifact@v6
       with:
-        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
-    - uses: cachix/cachix-action@v15
-      with:
-        name: '${{ env.CACHIX_NAME }}'
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-        cachixArgs: '-v'
-    - id: prepare-installer
-      run: scripts/prepare-installer-for-github-actions
+        name: installer-${{matrix.os}}
+        path: out/*
+      if: ${{ matrix.primary }}
 
   installer_test:
-    needs: [installer, check_secrets]
-    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
+    needs: [tests]
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
+        include:
+          - scenario: on ubuntu
+            runs-on: ubuntu-24.04
+            os: linux
+            experimental-installer: false
+          - scenario: on macos
+            runs-on: macos-14
+            os: darwin
+            experimental-installer: false
+          - scenario: on ubuntu (experimental)
+            runs-on: ubuntu-24.04
+            os: linux
+            experimental-installer: true
+          - scenario: on macos (experimental)
+            runs-on: macos-14
+            os: darwin
+            experimental-installer: true
+    name: installer test ${{ matrix.scenario }}
+    runs-on: ${{ matrix.runs-on }}
     steps:
-    - uses: actions/checkout@v4
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@V27
+    - uses: actions/checkout@v6
+    - name: Download installer tarball
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
       with:
-        install_url: '${{needs.installer.outputs.installerURL}}'
-        install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve"
+        name: installer-${{matrix.os}}
+        path: out
+    - name: Looking up the installer tarball URL
+      id: installer-tarball-url
+      run: |
+        echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
+        TARBALL_PATH="$(find "$GITHUB_WORKSPACE/out" -name 'nix*.tar.xz' -print | head -n 1)"
+        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
+    - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+      if: ${{ !matrix.experimental-installer }}
+      with:
+        install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
+        install_options: ${{ format('--tarball-url-prefix {0}', steps.installer-tarball-url.outputs.installer-url) }}
+    - uses: ./.github/actions/install-nix-action
+      if: ${{ matrix.experimental-installer }}
+      with:
+        dogfood: false
+        experimental-installer: true
+        tarball_url: ${{ steps.installer-tarball-url.outputs.tarball-path }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
     - run: sudo apt install fish zsh
-      if: matrix.os == 'ubuntu-latest'
+      if: matrix.os == 'linux'
     - run: brew install fish
-      if: matrix.os == 'macos-latest'
+      if: matrix.os == 'darwin'
     - run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval"
     - run: exec sh -c "nix-instantiate -E 'builtins.currentTime' --eval"
     - run: exec zsh -c "nix-instantiate -E 'builtins.currentTime' --eval"
@@ -126,105 +197,56 @@ jobs:
     - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
     - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"
 
-  docker_push_image:
-    needs: [check_secrets, tests]
-    permissions:
-      contents: read
-      packages: write
-    if: >-
-      github.event_name == 'push' &&
-      github.ref_name == 'master' &&
-      needs.check_secrets.outputs.cachix == 'true' &&
-      needs.check_secrets.outputs.docker == 'true'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - uses: cachix/install-nix-action@V27
-      with:
-        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#default.version | tr -d \")" >> $GITHUB_ENV
-    - uses: cachix/cachix-action@v15
-      if: needs.check_secrets.outputs.cachix == 'true'
-      with:
-        name: '${{ env.CACHIX_NAME }}'
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-    - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
-    - run: docker load -i ./result/image.tar.gz
-    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
-    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
-    # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
-    #
-    # Push to Docker Hub first
-    - name: Login to Docker Hub
-      uses: docker/login-action@v3
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
-    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
-    # Push to GitHub Container Registry as well
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Push image
-      run: |
-        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix
-        # Change all uppercase to lowercase
-        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
-
-        docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
-        docker tag nix:$NIX_VERSION $IMAGE_ID:latest
-        docker push $IMAGE_ID:$NIX_VERSION
-        docker push $IMAGE_ID:latest
-        # deprecated 2024-02-24
-        docker tag nix:$NIX_VERSION $IMAGE_ID:master
-        docker push $IMAGE_ID:master
-
-  vm_tests:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - run: nix build -L .#hydraJobs.tests.githubFlakes .#hydraJobs.tests.tarballFlakes .#hydraJobs.tests.functional_user
-
-  meson_build:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      # Only meson packages that don't have a tests.run derivation.
-      # Those that have it are already built and tested as part of nix flake check.
-      - run: nix build -L .#hydraJobs.build.{nix-cmd,nix-main}.$(nix-instantiate --eval --expr builtins.currentSystem | sed -e 's/"//g')
-
   flake_regressions:
-    needs: vm_tests
-    runs-on: ubuntu-22.04
+    needs: tests
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout nix
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Checkout flake-regressions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: NixOS/flake-regressions
           path: flake-regressions
       - name: Checkout flake-regressions-data
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: NixOS/flake-regressions-data
           path: flake-regressions/tests
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - run: nix build --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH scripts/flake-regressions.sh
+      - name: Download installer tarball
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: installer-linux
+          path: out
+      - name: Looking up the installer tarball URL
+        id: installer-tarball-url
+        run: |
+          echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+        with:
+          install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
+          install_options: ${{ format('--tarball-url-prefix {0}', steps.installer-tarball-url.outputs.installer-url) }}
+      - name: Run flake regressions tests
+        run: MAX_FLAKES=25 flake-regressions/eval-all.sh
+
+  profile_build:
+    needs: tests
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    if: >-
+      github.event_name == 'push' &&
+      github.ref_name == 'master'
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+    - uses: ./.github/actions/install-nix-action
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        extra_nix_config: |
+          experimental-features = flakes nix-command ca-derivations impure-derivations
+          max-jobs = 1
+    - run: |
+        nix build -L --file ./ci/gha/profile-build buildTimeReport --out-link build-time-report.md
+        cat build-time-report.md >> $GITHUB_STEP_SUMMARY

.github/workflows/labels.yml

@@ -15,10 +15,10 @@ permissions:
 
 jobs:
   labels:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: github.repository_owner == 'NixOS'
     steps:
-    - uses: actions/labeler@v5
+    - uses: actions/labeler@v6
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         sync-labels: false

.github/workflows/upload-release.yml

@@ -0,0 +1,80 @@
+name: Upload Release
+on:
+  workflow_dispatch:
+    inputs:
+      eval_id:
+        description: "Hydra evaluation ID"
+        required: true
+        type: number
+      is_latest:
+        description: "Mark as latest release"
+        required: false
+        type: boolean
+        default: false
+permissions:
+  contents: read
+  id-token: write
+  packages: write
+jobs:
+  release:
+    runs-on: ubuntu-24.04
+    environment: releases
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: ./.github/actions/install-nix-action
+        with:
+          dogfood: false # Use stable version
+          use_cache: false # Don't want any cache injection shenanigans
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+      - name: Set NIX_PATH from flake input
+        run: |
+          NIXPKGS_PATH=$(nix build --inputs-from .# nixpkgs#path --print-out-paths --no-link)
+          # Shebangs with perl have issues. Pin nixpkgs this way. nix shell should maybe
+          # get the same uberhack that nix-shell has to support it.
+          echo "NIX_PATH=nixpkgs=$NIXPKGS_PATH" >> "$GITHUB_ENV"
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        with:
+          role-to-assume: "arn:aws:iam::080433136561:role/nix-release"
+          role-session-name: nix-release-oidc-${{ github.run_id }}
+          aws-region: eu-west-1
+      - name: Disable containerd image store
+        run: |
+          # Docker 28+ defaults to the containerd image store, which
+          # pushes layers uncompressed instead of gzip. OCI clients
+          # that only support gzip (e.g. go-containerregistry) fail
+          # with "gzip: invalid header". Disabling the containerd
+          # snapshotter restores the classic storage driver, which
+          # preserves gzip-compressed layers through the
+          # `docker load` / `docker push` pipeline.
+          echo '{"features":{"containerd-snapshotter":false}}' | sudo tee /etc/docker/daemon.json > /dev/null
+          sudo systemctl restart docker
+      - name: Login to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload release
+        run: |
+          ./maintainers/upload-release.pl \
+            ${{ inputs.eval_id }} \
+            --skip-git
+        env:
+          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}
+      - name: Push to GHCR
+        run: |
+          DOCKER_OWNER="ghcr.io/$(echo '${{ github.repository_owner }}' | tr '[A-Z]' '[a-z]')/nix"
+          ./maintainers/upload-release.pl \
+            ${{ inputs.eval_id }} \
+            --skip-git \
+            --skip-s3 \
+            --docker-owner "$DOCKER_OWNER"
+        env:
+          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}

.gitignore

@@ -1,113 +1,14 @@
-Makefile.config
-perl/Makefile.config
-
-# /
-/aclocal.m4
-/autom4te.cache
-/precompiled-headers.h.gch
-/config.*
-/configure
-/stamp-h1
-/svn-revision
-/libtool
-/config/config.*
 # Default meson build dir
 /build
-
-# /doc/manual/
-/doc/manual/*.1
-/doc/manual/*.5
-/doc/manual/*.8
-/doc/manual/generated/*
-/doc/manual/nix.json
-/doc/manual/conf-file.json
-/doc/manual/language.json
-/doc/manual/xp-features.json
-/doc/manual/src/SUMMARY.md
-/doc/manual/src/SUMMARY-rl-next.md
-/doc/manual/src/store/types/*
-!/doc/manual/src/store/types/index.md.in
-/doc/manual/src/command-ref/new-cli
-/doc/manual/src/command-ref/conf-file.md
-/doc/manual/src/command-ref/experimental-features-shortlist.md
-/doc/manual/src/contributing/experimental-feature-descriptions.md
-/doc/manual/src/language/builtins.md
-/doc/manual/src/language/builtin-constants.md
-/doc/manual/src/release-notes/rl-next.md
-
-# /scripts/
-/scripts/nix-profile.sh
-/scripts/nix-profile-daemon.sh
-/scripts/nix-profile.fish
-/scripts/nix-profile-daemon.fish
-
-# /src/libexpr/
-/src/libexpr/lexer-tab.cc
-/src/libexpr/lexer-tab.hh
-/src/libexpr/parser-tab.cc
-/src/libexpr/parser-tab.hh
-/src/libexpr/parser-tab.output
-/src/libexpr/nix.tbl
-/src/libexpr/tests
-/tests/unit/libexpr/libnixexpr-tests
-
-# /src/libfetchers
-/tests/unit/libfetchers/libnixfetchers-tests
-
-# /src/libflake
-/tests/unit/libflake/libnixflake-tests
-
-# /src/libstore/
-*.gen.*
-/src/libstore/tests
-/tests/unit/libstore/libnixstore-tests
-
-# /src/libutil/
-/src/libutil/tests
-/tests/unit/libutil/libnixutil-tests
-
-/src/nix/nix
-
-/src/nix/generated-doc
-
-# /src/nix-env/
-/src/nix-env/nix-env
-
-# /src/nix-instantiate/
-/src/nix-instantiate/nix-instantiate
-
-# /src/nix-store/
-/src/nix-store/nix-store
-
-/src/nix-prefetch-url/nix-prefetch-url
-
-/src/nix-collect-garbage/nix-collect-garbage
-
-# /src/nix-channel/
-/src/nix-channel/nix-channel
-
-# /src/nix-build/
-/src/nix-build/nix-build
-
-/src/nix-copy-closure/nix-copy-closure
-
-/src/error-demo/error-demo
-
-/src/build-remote/build-remote
+# Meson creates this file too
+src/.wraplock
 
 # /tests/functional/
-/tests/functional/test-tmp
 /tests/functional/common/subst-vars.sh
-/tests/functional/result*
 /tests/functional/restricted-innocent
-/tests/functional/shell
-/tests/functional/shell.drv
-/tests/functional/config.nix
-/tests/functional/ca/config.nix
-/tests/functional/dyn-drv/config.nix
-/tests/functional/repl-result-out
 /tests/functional/debugger-test-out
 /tests/functional/test-libstoreconsumer/test-libstoreconsumer
+/tests/functional/nix-shell
 
 # /tests/functional/lang/
 /tests/functional/lang/*.out
@@ -115,27 +16,9 @@ perl/Makefile.config
 /tests/functional/lang/*.err
 /tests/functional/lang/*.ast
 
-/perl/lib/Nix/Config.pm
-/perl/lib/Nix/Store.cc
+/outputs
 
-/misc/systemd/nix-daemon.service
-/misc/systemd/nix-daemon.socket
-/misc/systemd/nix-daemon.conf
-/misc/upstart/nix-daemon.conf
-
-outputs/
-
-*.a
-*.o
-*.o.tmp
-*.so
-*.dylib
-*.dll
-*.exe
-*.dep
 *~
-*.pc
-*.plist
 
 # GNU Global
 GPATH
@@ -150,8 +33,6 @@ GTAGS
 compile_commands.json
 *.compile_commands.json
 
-nix-rust/target
-
 result
 result-*
 
@@ -166,3 +47,8 @@ result-*
 
 # Mac OS
 .DS_Store
+
+flake-regressions
+
+# direnv
+.direnv/

.version

@@ -1 +1 @@
-2.25.0
+2.34.0

CONTRIBUTING.md

@@ -52,6 +52,20 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
 
      Link related issues to inform interested parties and future contributors about your change.
      If your pull request closes one or multiple issues, mention that in the description using `Closes: #<number>`, as it will then happen automatically when your change is merged.
+   * Credit original authors when you're reusing or building on their work.
+   * Link to relevant changes in other projects, so that others can understand the full context of the change in the future when you or someone else will change or troubleshoot the code.
+     This is especially important when your change is based on work done in other repositories.
+
+     Example:
+     ```
+     This is based on the work of @user in <url>.
+     This solution took inspiration from <url>.
+
+     Co-authored-by: User Name <user@example.com>
+     ```
+
+     When cherry-picking from a different repository, use the `-x` flag, and then amend the commits to turn the hashes into URLs.
+
    * Make sure to have [a clean history of commits on your branch by using rebase](https://www.digitalocean.com/community/tutorials/how-to-rebase-and-update-a-pull-request).
    * [Mark the pull request as draft](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request) if you're not done with the changes.
 
@@ -65,7 +79,7 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
      - Functional tests – [`tests/functional/**.sh`](./tests/functional)
      - Unit tests – [`src/*/tests`](./src/)
      - Integration tests – [`tests/nixos/*`](./tests/nixos)
-   - [ ] User documentation in the [manual](./doc/manual/src)
+   - [ ] User documentation in the [manual](./doc/manual/source)
    - [ ] API documentation in header files
    - [ ] Code and comments are self-explanatory
    - [ ] Commit message explains **why** the change was made
@@ -75,12 +89,14 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
 
 ## Making changes to the Nix manual
 
-The Nix reference manual is hosted on https://nixos.org/manual/nix.
-The underlying source files are located in [`doc/manual/src`](./doc/manual/src).
+The Nix reference manual is hosted on https://nix.dev/manual/nix.
+The underlying source files are located in [`doc/manual/source`](./doc/manual/source).
 For small changes you can [use GitHub to edit these files](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files)
 For larger changes see the [Nix reference manual](https://nix.dev/manual/nix/development/development/contributing.html).
 
+You're encouraged to add line breaks at semantic boundaries, per [sembr](https://sembr.org).
+
 ## Getting help
 
 Whenever you're stuck or do not know how to proceed, you can always ask for help.
-The appropriate channels to do so can be found on the [NixOS Community](https://nixos.org/community/) page.
+We invite you to use our [Matrix room](https://matrix.to/#/#nix-dev:nixos.org) to ask questions.

COPYING

@@ -1,8 +1,8 @@
-		  GNU LESSER GENERAL PUBLIC LICENSE
-		       Version 2.1, February 1999
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 2.1, February 1999
 
  Copyright (C) 1991, 1999 Free Software Foundation, Inc.
- 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ <https://fsf.org/>
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
@@ -10,7 +10,7 @@
  as the successor of the GNU Library Public License, version 2, hence
  the version number 2.1.]
 
-			    Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -112,7 +112,7 @@ modification follow.  Pay close attention to the difference between a
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
 
-		  GNU LESSER GENERAL PUBLIC LICENSE
+                  GNU LESSER GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License Agreement applies to any software library or other
@@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
 on the Library (independent of the use of the Library in a tool for
 writing it).  Whether that is true depends on what the Library does
 and what the program that uses the Library does.
-  
+
   1. You may copy and distribute verbatim copies of the Library's
 complete source code as you receive it, in any medium, provided that
 you conspicuously and appropriately publish on each copy an
@@ -432,7 +432,7 @@ decision will be guided by the two goals of preserving the free status
 of all derivatives of our free software and of promoting the sharing
 and reuse of software generally.
 
-			    NO WARRANTY
+                            NO WARRANTY
 
   15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
 WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
@@ -455,7 +455,7 @@ FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
 SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
 
-		     END OF TERMS AND CONDITIONS
+                     END OF TERMS AND CONDITIONS
 
            How to Apply These Terms to Your New Libraries
 
@@ -484,8 +484,7 @@ convey the exclusion of warranty; and each file should have at least the
     Lesser General Public License for more details.
 
     You should have received a copy of the GNU Lesser General Public
-    License along with this library; if not, write to the Free Software
-    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+    License along with this library; if not, see <https://www.gnu.org/licenses/>.
 
 Also add information on how to contact you by electronic and paper mail.
 
@@ -496,9 +495,7 @@ necessary.  Here is a sample; alter the names:
   Yoyodyne, Inc., hereby disclaims all copyright interest in the
   library `Frob' (a library for tweaking knobs) written by James Random Hacker.
 
-  <signature of Ty Coon>, 1 April 1990
-  Ty Coon, President of Vice
+  <signature of Moe Ghoul>, 1 April 1990
+  Moe Ghoul, President of Vice
 
 That's all there is to it!
-
-

HACKING.md

@@ -0,0 +1 @@
+doc/manual/source/development/building.md

Makefile

@@ -1,128 +0,0 @@
-# External build directory support
-
-include mk/build-dir.mk
-
--include $(buildprefix)Makefile.config
-clean-files += $(buildprefix)Makefile.config
-
-# List makefiles
-
-include mk/platform.mk
-
-ifeq ($(ENABLE_BUILD), yes)
-makefiles = \
-  mk/precompiled-headers.mk \
-  local.mk \
-  src/libutil/local.mk \
-  src/libstore/local.mk \
-  src/libfetchers/local.mk \
-  src/libmain/local.mk \
-  src/libexpr/local.mk \
-  src/libflake/local.mk \
-  src/libcmd/local.mk \
-  src/nix/local.mk \
-  src/libutil-c/local.mk \
-  src/libstore-c/local.mk \
-  src/libexpr-c/local.mk
-
-ifdef HOST_UNIX
-makefiles += \
-  scripts/local.mk \
-  maintainers/local.mk \
-  misc/bash/local.mk \
-  misc/fish/local.mk \
-  misc/zsh/local.mk \
-  misc/systemd/local.mk \
-  misc/launchd/local.mk \
-  misc/upstart/local.mk
-endif
-endif
-
-ifeq ($(ENABLE_UNIT_TESTS), yes)
-makefiles += \
-  tests/unit/libutil/local.mk \
-  tests/unit/libutil-support/local.mk \
-  tests/unit/libstore/local.mk \
-  tests/unit/libstore-support/local.mk \
-  tests/unit/libfetchers/local.mk \
-  tests/unit/libexpr/local.mk \
-  tests/unit/libexpr-support/local.mk \
-  tests/unit/libflake/local.mk
-endif
-
-ifeq ($(ENABLE_FUNCTIONAL_TESTS), yes)
-ifdef HOST_UNIX
-makefiles += \
-  tests/functional/local.mk \
-  tests/functional/flakes/local.mk \
-  tests/functional/ca/local.mk \
-  tests/functional/git-hashing/local.mk \
-  tests/functional/dyn-drv/local.mk \
-  tests/functional/local-overlay-store/local.mk \
-  tests/functional/test-libstoreconsumer/local.mk \
-  tests/functional/plugins/local.mk
-endif
-endif
-
-# Some makefiles require access to built programs and must be included late.
-makefiles-late =
-
-ifeq ($(ENABLE_DOC_GEN), yes)
-makefiles-late += doc/manual/local.mk
-endif
-
-# Miscellaneous global Flags
-
-OPTIMIZE = 1
-
-ifeq ($(OPTIMIZE), 1)
-  GLOBAL_CXXFLAGS += -O3 $(CXXLTO)
-  GLOBAL_LDFLAGS += $(CXXLTO)
-else
-  GLOBAL_CXXFLAGS += -O0 -U_FORTIFY_SOURCE
-  unexport NIX_HARDENING_ENABLE
-endif
-
-ifdef HOST_WINDOWS
-  # Windows DLLs are stricter about symbol visibility than Unix shared
-  # objects --- see https://gcc.gnu.org/wiki/Visibility for details.
-  # This is a temporary sledgehammer to export everything like on Unix,
-  # and not detail with this yet.
-  #
-  # TODO do not do this, and instead do fine-grained export annotations.
-  GLOBAL_LDFLAGS += -Wl,--export-all-symbols
-endif
-
-GLOBAL_CXXFLAGS += -g -Wall -Wdeprecated-copy -Wignored-qualifiers -Wimplicit-fallthrough -Werror=unused-result -Werror=suggest-override -include $(buildprefix)config.h -std=c++2a -I src
-
-# Include the main lib, causing rules to be defined
-
-include mk/lib.mk
-
-# Fallback stub rules for better UX when things are disabled
-#
-# These must be defined after `mk/lib.mk`. Otherwise the first rule
-# incorrectly becomes the default target.
-
-ifneq ($(ENABLE_UNIT_TESTS), yes)
-.PHONY: check
-check:
-	@echo "Unit tests are disabled. Configure without '--disable-unit-tests', or avoid calling 'make check'."
-	@exit 1
-endif
-
-ifneq ($(ENABLE_FUNCTIONAL_TESTS), yes)
-.PHONY: installcheck
-installcheck:
-	@echo "Functional tests are disabled. Configure without '--disable-functional-tests', or avoid calling 'make installcheck'."
-	@exit 1
-endif
-
-# Documentation fallback stub rules.
-
-ifneq ($(ENABLE_DOC_GEN), yes)
-.PHONY: manual-html manpages
-manual-html manpages:
-	@echo "Generated docs are disabled. Configure without '--disable-doc-gen', or avoid calling 'make manpages' and 'make manual-html'."
-	@exit 1
-endif

Makefile.config.in

@@ -1,54 +0,0 @@
-AR = @AR@
-BDW_GC_LIBS = @BDW_GC_LIBS@
-BOOST_LDFLAGS = @BOOST_LDFLAGS@
-BUILD_SHARED_LIBS = @BUILD_SHARED_LIBS@
-CC = @CC@
-CFLAGS = @CFLAGS@
-CXX = @CXX@
-CXXFLAGS = @CXXFLAGS@
-CXXLTO = @CXXLTO@
-EDITLINE_LIBS = @EDITLINE_LIBS@
-ENABLE_BUILD = @ENABLE_BUILD@
-ENABLE_DOC_GEN = @ENABLE_DOC_GEN@
-ENABLE_FUNCTIONAL_TESTS = @ENABLE_FUNCTIONAL_TESTS@
-ENABLE_S3 = @ENABLE_S3@
-ENABLE_UNIT_TESTS = @ENABLE_UNIT_TESTS@
-GTEST_LIBS = @GTEST_LIBS@
-HAVE_LIBCPUID = @HAVE_LIBCPUID@
-HAVE_SECCOMP = @HAVE_SECCOMP@
-HOST_OS = @host_os@
-INSTALL_UNIT_TESTS = @INSTALL_UNIT_TESTS@
-LDFLAGS = @LDFLAGS@
-LIBARCHIVE_LIBS = @LIBARCHIVE_LIBS@
-LIBBROTLI_LIBS = @LIBBROTLI_LIBS@
-LIBCURL_LIBS = @LIBCURL_LIBS@
-LIBGIT2_LIBS = @LIBGIT2_LIBS@
-LIBSECCOMP_LIBS = @LIBSECCOMP_LIBS@
-LOWDOWN_LIBS = @LOWDOWN_LIBS@
-OPENSSL_LIBS = @OPENSSL_LIBS@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-SHELL = @bash@
-SODIUM_LIBS = @SODIUM_LIBS@
-SQLITE3_LIBS = @SQLITE3_LIBS@
-bash = @bash@
-bindir = @bindir@
-checkbindir = @checkbindir@
-checklibdir = @checklibdir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-embedded_sandbox_shell = @embedded_sandbox_shell@
-exec_prefix = @exec_prefix@
-includedir = @includedir@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localstatedir = @localstatedir@
-lsof = @lsof@
-mandir = @mandir@
-pkglibdir = $(libdir)/$(PACKAGE_NAME)
-prefix = @prefix@
-sandbox_shell = @sandbox_shell@
-storedir = @storedir@
-sysconfdir = @sysconfdir@
-system = @system@

README.md

@@ -1,7 +1,7 @@
 # Nix
 
 [![Open Collective supporters](https://opencollective.com/nixos/tiers/supporter/badge.svg?label=Supporters&color=brightgreen)](https://opencollective.com/nixos)
-[![Test](https://github.com/NixOS/nix/workflows/Test/badge.svg)](https://github.com/NixOS/nix/actions)
+[![CI](https://github.com/NixOS/nix/workflows/CI/badge.svg)](https://github.com/NixOS/nix/actions/workflows/ci.yml)
 
 Nix is a powerful package manager for Linux and other Unix systems that makes package
 management reliable and reproducible. Please refer to the [Nix manual](https://nix.dev/reference/nix-manual)
@@ -15,7 +15,7 @@ Full reference documentation can be found in the [Nix manual](https://nix.dev/re
 
 ## Building and developing
 
-Follow instructions in the Nix reference manual to [set up a development environment and build Nix from source](https://nix.dev/manual/nix/development/building.html).
+Follow instructions in the Nix reference manual to [set up a development environment and build Nix from source](https://nix.dev/manual/nix/development/development/building.html).
 
 ## Contributing
 
@@ -31,7 +31,7 @@ Today, a world-wide developer community contributes to Nix and the ecosystem tha
 - [Nixpkgs](https://github.com/NixOS/nixpkgs) is [the largest, most up-to-date free software repository in the world](https://repology.org/repositories/graphs)
 - [NixOS](https://github.com/NixOS/nixpkgs/tree/master/nixos) is a Linux distribution that can be configured fully declaratively
 - [Discourse](https://discourse.nixos.org/)
-- [Matrix](https://matrix.to/#/#nix:nixos.org)
+- Matrix: [#users:nixos.org](https://matrix.to/#/#users:nixos.org) for user support and [#nix-dev:nixos.org](https://matrix.to/#/#nix-dev:nixos.org) for development
 
 ## License
 

build-utils-meson/diagnostics/meson.build

@@ -1,11 +0,0 @@
-add_project_arguments(
-  '-Wdeprecated-copy',
-  '-Werror=suggest-override',
-  '-Werror=switch',
-  '-Werror=switch-enum',
-  '-Werror=unused-result',
-  '-Wignored-qualifiers',
-  '-Wimplicit-fallthrough',
-  '-Wno-deprecated-declarations',
-  language : 'cpp',
-)

build-utils-meson/export/meson.build

@@ -1,30 +0,0 @@
-requires_private = []
-foreach dep : deps_private_subproject
-  requires_private  += dep.name()
-endforeach
-requires_private += deps_private
-
-requires_public  = []
-foreach dep : deps_public_subproject
-  requires_public  += dep.name()
-endforeach
-requires_public += deps_public
-
-import('pkgconfig').generate(
-  this_library,
-  filebase : meson.project_name(),
-  name : 'Nix',
-  description : 'Nix Package Manager',
-  subdirs : ['nix'],
-  extra_cflags : ['-std=c++2a'],
-  requires : requires_public,
-  requires_private : requires_private,
-  libraries_private : libraries_private,
-)
-
-meson.override_dependency(meson.project_name(), declare_dependency(
-  include_directories : include_dirs,
-  link_with : this_library,
-  compile_args : ['-std=c++2a'],
-  dependencies : deps_public_subproject + deps_public,
-))

build-utils-meson/generate-header/meson.build

@@ -1,7 +0,0 @@
-bash = find_program('bash', native: true)
-
-gen_header = generator(
-  bash,
-  arguments : [ '-c', '{ echo \'R"__NIX_STR(\' && cat @INPUT@ && echo \')__NIX_STR"\'; } > "$1"', '_ignored_argv0', '@OUTPUT@' ],
-  output : '@PLAINNAME@.gen.hh',
-)

build-utils-meson/threads/meson.build

@@ -1,6 +0,0 @@
-# This is only conditional to work around
-# https://github.com/mesonbuild/meson/issues/13293. It should be
-# unconditional.
-if not (host_machine.system() == 'windows' and cxx.get_id() == 'gcc')
-  deps_private += dependency('threads')
-endif

ci/gha/profile-build/default.nix

@@ -0,0 +1,101 @@
+{
+  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
+  system ? builtins.currentSystem,
+  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
+}:
+
+let
+  inherit (pkgs) lib;
+
+  nixComponentsInstrumented =
+    (nixFlake.lib.makeComponents {
+      inherit pkgs;
+      getStdenv = p: p.clangStdenv;
+    }).overrideScope
+      (
+        _: _: {
+          mesonComponentOverrides = finalAttrs: prevAttrs: {
+            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "buildprofile" ];
+            nativeBuildInputs = [ pkgs.clangbuildanalyzer ] ++ prevAttrs.nativeBuildInputs or [ ];
+            __impure = true;
+
+            env = {
+              CFLAGS = "-ftime-trace";
+              CXXFLAGS = "-ftime-trace";
+            };
+
+            preBuild = ''
+              ClangBuildAnalyzer --start $PWD
+            '';
+
+            postBuild = ''
+              ClangBuildAnalyzer --stop $PWD $buildprofile
+            '';
+          };
+        }
+      );
+
+  componentsToProfile = {
+    "nix-util" = { };
+    "nix-util-c" = { };
+    "nix-util-test-support" = { };
+    "nix-util-tests" = { };
+    "nix-store" = { };
+    "nix-store-c" = { };
+    "nix-store-test-support" = { };
+    "nix-store-tests" = { };
+    "nix-fetchers" = { };
+    "nix-fetchers-c" = { };
+    "nix-fetchers-tests" = { };
+    "nix-expr" = { };
+    "nix-expr-c" = { };
+    "nix-expr-test-support" = { };
+    "nix-expr-tests" = { };
+    "nix-flake" = { };
+    "nix-flake-c" = { };
+    "nix-flake-tests" = { };
+    "nix-main" = { };
+    "nix-main-c" = { };
+    "nix-cmd" = { };
+    "nix-cli" = { };
+  };
+
+  componentDerivationsToProfile = builtins.intersectAttrs componentsToProfile nixComponentsInstrumented;
+  componentBuildProfiles = lib.mapAttrs (
+    n: v: lib.getOutput "buildprofile" v
+  ) componentDerivationsToProfile;
+
+  buildTimeReport =
+    pkgs.runCommand "build-time-report"
+      {
+        __impure = true;
+        __structuredAttrs = true;
+        nativeBuildInputs = [ pkgs.clangbuildanalyzer ];
+        inherit componentBuildProfiles;
+      }
+      ''
+        {
+          echo "# Build time performance profile for components:"
+          echo
+          echo "This reports the build profile collected via \`-ftime-trace\` for each component."
+          echo
+        } >> $out
+
+        for name in "''\${!componentBuildProfiles[@]}"; do
+          {
+            echo "<details><summary><strong>$name</strong></summary>"
+            echo
+            echo '````'
+            ClangBuildAnalyzer --analyze "''\${componentBuildProfiles[$name]}"
+            echo '````'
+            echo
+            echo "</details>"
+          } >> $out
+        done
+      '';
+in
+
+{
+  inherit buildTimeReport;
+  inherit componentDerivationsToProfile;
+}

ci/gha/tests/build-checks

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+system=$(nix eval --raw --impure --expr builtins.currentSystem)
+nix eval --json ".#checks.$system" --apply builtins.attrNames | \
+  jq -r '.[]' | \
+  xargs -P0 -I '{}' sh -c "nix build -L .#checks.$system.{} || { echo 'FAILED: \033[0;31mnix build -L .#checks.$system.{}\\033[0m'; kill 0; }"

ci/gha/tests/default.nix

@@ -0,0 +1,257 @@
+{
+  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
+  system ? builtins.currentSystem,
+  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
+  nixComponents ? (
+    nixFlake.lib.makeComponents {
+      inherit pkgs;
+      inherit getStdenv;
+    }
+  ),
+  getStdenv ? p: p.stdenv,
+  componentTestsPrefix ? "",
+  withSanitizers ? false,
+  withCoverage ? false,
+  ...
+}:
+
+let
+  inherit (pkgs) lib;
+  hydraJobs = nixFlake.hydraJobs;
+  packages' = nixFlake.packages.${system};
+  stdenv = (getStdenv pkgs);
+
+  collectCoverageLayer = finalAttrs: prevAttrs: {
+    env =
+      let
+        # https://clang.llvm.org/docs/SourceBasedCodeCoverage.html#the-code-coverage-workflow
+        coverageFlags = [
+          "-fprofile-instr-generate"
+          "-fcoverage-mapping"
+        ];
+      in
+      {
+        CFLAGS = toString coverageFlags;
+        CXXFLAGS = toString coverageFlags;
+      };
+
+    # Done in a pre-configure hook, because $NIX_BUILD_TOP needs to be substituted.
+    preConfigure = prevAttrs.preConfigure or "" + ''
+      mappingFlag=" -fcoverage-prefix-map=$NIX_BUILD_TOP/${finalAttrs.src.name}=${finalAttrs.src}"
+      CFLAGS+="$mappingFlag"
+      CXXFLAGS+="$mappingFlag"
+    '';
+  };
+
+  componentOverrides = (lib.optional withCoverage collectCoverageLayer);
+in
+
+rec {
+  nixComponentsInstrumented = nixComponents.overrideScope (
+    final: prev: {
+      withASan = withSanitizers;
+      withUBSan = withSanitizers;
+
+      nix-store-tests = prev.nix-store-tests.override { withBenchmarks = true; };
+      # Boehm is incompatible with ASAN.
+      nix-expr = prev.nix-expr.override { enableGC = !withSanitizers; };
+
+      mesonComponentOverrides = lib.composeManyExtensions componentOverrides;
+      # Unclear how to make Perl bindings work with a dynamically linked ASAN.
+      nix-perl-bindings = if withSanitizers then null else prev.nix-perl-bindings;
+    }
+  );
+
+  # Import NixOS tests using the instrumented components
+  nixosTests = import ../../../tests/nixos {
+    inherit lib pkgs;
+    nixComponents = nixComponentsInstrumented;
+    nixpkgs = nixFlake.inputs.nixpkgs;
+    inherit (nixFlake.inputs) nixpkgs-23-11;
+  };
+
+  /**
+    Top-level tests for the flake outputs, as they would be built by hydra.
+    These tests generally can't be overridden to run with sanitizers.
+  */
+  topLevel = {
+    installerScriptForGHA = hydraJobs.installerScriptForGHA.${system};
+    installTests = hydraJobs.installTests.${system};
+    nixpkgsLibTests = hydraJobs.tests.nixpkgsLibTests.${system};
+    rl-next = pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
+      LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${../../../doc/manual/rl-next} >$out
+    '';
+    repl-completion = pkgs.callPackage ../../../tests/repl-completion.nix { inherit (packages') nix; };
+
+    /**
+      Checks for our packaging expressions.
+      This shouldn't build anything significant; just check that things
+      (including derivations) are _set up_ correctly.
+    */
+    packaging-overriding =
+      let
+        nix = packages'.nix;
+      in
+      assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
+      if pkgs.stdenv.buildPlatform.isDarwin then
+        lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
+      else
+        # If this fails, something might be wrong with how we've wired the scope,
+        # or something could be broken in Nixpkgs.
+        pkgs.testers.testEqualContents {
+          assertion = "trivial patch does not change source contents";
+          expected = "${../../..}";
+          actual =
+            # Same for all components; nix-util is an arbitrary pick
+            (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
+        };
+  };
+
+  disable =
+    let
+      inherit (pkgs.stdenv) hostPlatform;
+    in
+    args@{
+      pkgName,
+      testName,
+      test,
+    }:
+    lib.any (b: b) [
+      # FIXME: Nix manual is impure and does not produce all settings on darwin
+      (hostPlatform.isDarwin && pkgName == "nix-manual" && testName == "linkcheck")
+    ];
+
+  componentTests =
+    (lib.concatMapAttrs (
+      pkgName: pkg:
+      lib.concatMapAttrs (
+        testName: test:
+        lib.optionalAttrs (!disable { inherit pkgName testName test; }) {
+          "${componentTestsPrefix}${pkgName}-${testName}" = test;
+        }
+      ) (pkg.tests or { })
+    ) nixComponentsInstrumented)
+    // lib.optionalAttrs (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) {
+      "${componentTestsPrefix}nix-functional-tests" = nixComponentsInstrumented.nix-functional-tests;
+      "${componentTestsPrefix}nix-json-schema-checks" = nixComponentsInstrumented.nix-json-schema-checks;
+    };
+
+  codeCoverage =
+    let
+      componentsTestsToProfile =
+        (builtins.mapAttrs (n: v: nixComponentsInstrumented.${n}.tests.run) {
+          "nix-util-tests" = { };
+          "nix-store-tests" = { };
+          "nix-fetchers-tests" = { };
+          "nix-expr-tests" = { };
+          "nix-flake-tests" = { };
+        })
+        // {
+          inherit (nixComponentsInstrumented) nix-functional-tests;
+        };
+
+      coverageProfileDrvs = lib.mapAttrs (
+        n: v:
+        v.overrideAttrs (
+          finalAttrs: prevAttrs: {
+            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "profraw" ];
+            env = {
+              LLVM_PROFILE_FILE = "${placeholder "profraw"}/%m";
+            };
+          }
+        )
+      ) componentsTestsToProfile;
+
+      coverageProfiles = lib.mapAttrsToList (n: v: lib.getOutput "profraw" v) coverageProfileDrvs;
+
+      mergedProfdata =
+        pkgs.runCommand "merged-profdata"
+          {
+            __structuredAttrs = true;
+            nativeBuildInputs = [ pkgs.llvmPackages.libllvm ];
+            inherit coverageProfiles;
+          }
+          ''
+            rawProfiles=()
+            for dir in "''\${coverageProfiles[@]}"; do
+              rawProfiles+=($dir/*)
+            done
+            llvm-profdata merge -sparse -output $out "''\${rawProfiles[@]}"
+          '';
+
+      coverageReports =
+        let
+          nixComponentDrvs = lib.filter (lib.isDerivation) (lib.attrValues nixComponentsInstrumented);
+        in
+        pkgs.runCommand "code-coverage-report"
+          {
+            nativeBuildInputs = [
+              pkgs.llvmPackages.libllvm
+              pkgs.jq
+            ];
+            __structuredAttrs = true;
+            nixComponents = nixComponentDrvs;
+          }
+          ''
+            # ${toString (lib.map (v: v.src) nixComponentDrvs)}
+
+            binaryFiles=()
+            for dir in "''\${nixComponents[@]}"; do
+              readarray -t filesInDir < <(find "$dir" -type f -executable)
+              binaryFiles+=("''\${filesInDir[@]}")
+            done
+
+            arguments=$(concatStringsSep " -object " binaryFiles)
+            llvm-cov show $arguments -instr-profile ${mergedProfdata} -output-dir $out -format=html
+
+            {
+              echo "# Code coverage summary (generated via \`llvm-cov\`):"
+              echo
+              echo '```'
+              llvm-cov report $arguments -instr-profile ${mergedProfdata} -format=text -use-color=false
+              echo '```'
+              echo
+            } >> $out/index.txt
+
+            llvm-cov export $arguments -instr-profile ${mergedProfdata} -format=text > $out/coverage.json
+
+            mkdir -p $out/nix-support
+
+            coverageTotals=$(jq ".data[0].totals" $out/coverage.json)
+
+            # Mostly inline from pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh [1],
+            # which we can't use here, because we rely on LLVM's infra for source code coverage collection.
+            # [1]: https://github.com/NixOS/nixpkgs/blob/67bb48c4c8e327417d6d5aa7e538244b209e852b/pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh#L16
+            declare -A metricsArray=(["lineCoverage"]="lines" ["functionCoverage"]="functions" ["branchCoverage"]="branches")
+
+            for metricName in "''\${!metricsArray[@]}"; do
+              key="''\${metricsArray[$metricName]}"
+              metric=$(echo "$coverageTotals" | jq ".$key.percent * 10 | round / 10")
+              echo "$metricName $metric %" >> $out/nix-support/hydra-metrics
+            done
+
+            echo "report coverage $out" >> $out/nix-support/hydra-build-products
+          '';
+    in
+    assert withCoverage;
+    assert stdenv.cc.isClang;
+    {
+      inherit coverageProfileDrvs mergedProfdata coverageReports;
+    };
+
+  vmTests = {
+    inherit (nixosTests) s3-binary-cache-store;
+  }
+  // lib.optionalAttrs (!withSanitizers && !withCoverage) {
+    # evalNixpkgs uses non-instrumented components from hydraJobs, so only run it
+    # when not testing with sanitizers to avoid rebuilding nix
+    inherit (hydraJobs.tests) evalNixpkgs;
+    # FIXME: CI times out when building vm tests instrumented
+    inherit (nixosTests)
+      functional_user
+      githubFlakes
+      nix-docker
+      tarballFlakes
+      ;
+  };
+}

ci/gha/tests/pre-commit-checks

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+system=$(nix eval --raw --impure --expr builtins.currentSystem)
+
+echo "::group::Running pre-commit checks"
+
+if nix build ".#checks.$system.pre-commit" -L; then
+    echo "::endgroup::"
+    exit 0
+fi
+
+echo "::error ::Changes do not pass pre-commit checks"
+
+cat <<EOF
+The code isn't formatted or doesn't pass lints. You can run pre-commit locally with:
+
+    nix develop -c ./maintainers/format.sh
+EOF
+
+echo "::endgroup::"
+
+exit 1

ci/gha/tests/prepare-installer-for-github-actions

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+nix build -L ".#installerScriptForGHA" ".#binaryTarball"
+
+mkdir -p out
+cp ./result/install "out/install"
+name="$(basename "$(realpath ./result-1)")"
+# everything before the first dash
+cp -r ./result-1 "out/${name%%-*}"

ci/gha/tests/wrapper.nix

@@ -0,0 +1,16 @@
+{
+  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
+  system ? builtins.currentSystem,
+  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
+  stdenv ? "stdenv",
+  componentTestsPrefix ? "",
+  withInstrumentation ? false,
+}@args:
+import ./. (
+  args
+  // {
+    getStdenv = p: p.${stdenv};
+    withSanitizers = withInstrumentation;
+    withCoverage = withInstrumentation;
+  }
+)

config/install-sh

@@ -1,527 +0,0 @@
-#!/bin/sh
-# install - install a program, script, or datafile
-
-scriptversion=2011-11-20.07; # UTC
-
-# This originates from X11R5 (mit/util/scripts/install.sh), which was
-# later released in X11R6 (xc/config/util/install.sh) with the
-# following copyright and license.
-#
-# Copyright (C) 1994 X Consortium
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to
-# deal in the Software without restriction, including without limitation the
-# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-# sell copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
-# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
-# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
-# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-# Except as contained in this notice, the name of the X Consortium shall not
-# be used in advertising or otherwise to promote the sale, use or other deal-
-# ings in this Software without prior written authorization from the X Consor-
-# tium.
-#
-#
-# FSF changes to this file are in the public domain.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# 'make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch.
-
-nl='
-'
-IFS=" ""	$nl"
-
-# set DOITPROG to echo to test this script
-
-# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit=${DOITPROG-}
-if test -z "$doit"; then
-  doit_exec=exec
-else
-  doit_exec=$doit
-fi
-
-# Put in absolute file names if you don't have them in your path;
-# or use environment vars.
-
-chgrpprog=${CHGRPPROG-chgrp}
-chmodprog=${CHMODPROG-chmod}
-chownprog=${CHOWNPROG-chown}
-cmpprog=${CMPPROG-cmp}
-cpprog=${CPPROG-cp}
-mkdirprog=${MKDIRPROG-mkdir}
-mvprog=${MVPROG-mv}
-rmprog=${RMPROG-rm}
-stripprog=${STRIPPROG-strip}
-
-posix_glob='?'
-initialize_posix_glob='
-  test "$posix_glob" != "?" || {
-    if (set -f) 2>/dev/null; then
-      posix_glob=
-    else
-      posix_glob=:
-    fi
-  }
-'
-
-posix_mkdir=
-
-# Desired mode of installed file.
-mode=0755
-
-chgrpcmd=
-chmodcmd=$chmodprog
-chowncmd=
-mvcmd=$mvprog
-rmcmd="$rmprog -f"
-stripcmd=
-
-src=
-dst=
-dir_arg=
-dst_arg=
-
-copy_on_change=false
-no_target_directory=
-
-usage="\
-Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
-   or: $0 [OPTION]... SRCFILES... DIRECTORY
-   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
-   or: $0 [OPTION]... -d DIRECTORIES...
-
-In the 1st form, copy SRCFILE to DSTFILE.
-In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
-In the 4th, create DIRECTORIES.
-
-Options:
-     --help     display this help and exit.
-     --version  display version info and exit.
-
-  -c            (ignored)
-  -C            install only if different (preserve the last data modification time)
-  -d            create directories instead of installing files.
-  -g GROUP      $chgrpprog installed files to GROUP.
-  -m MODE       $chmodprog installed files to MODE.
-  -o USER       $chownprog installed files to USER.
-  -s            $stripprog installed files.
-  -t DIRECTORY  install into DIRECTORY.
-  -T            report an error if DSTFILE is a directory.
-
-Environment variables override the default commands:
-  CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
-  RMPROG STRIPPROG
-"
-
-while test $# -ne 0; do
-  case $1 in
-    -c) ;;
-
-    -C) copy_on_change=true;;
-
-    -d) dir_arg=true;;
-
-    -g) chgrpcmd="$chgrpprog $2"
-	shift;;
-
-    --help) echo "$usage"; exit $?;;
-
-    -m) mode=$2
-	case $mode in
-	  *' '* | *'	'* | *'
-'*	  | *'*'* | *'?'* | *'['*)
-	    echo "$0: invalid mode: $mode" >&2
-	    exit 1;;
-	esac
-	shift;;
-
-    -o) chowncmd="$chownprog $2"
-	shift;;
-
-    -s) stripcmd=$stripprog;;
-
-    -t) dst_arg=$2
-	# Protect names problematic for 'test' and other utilities.
-	case $dst_arg in
-	  -* | [=\(\)!]) dst_arg=./$dst_arg;;
-	esac
-	shift;;
-
-    -T) no_target_directory=true;;
-
-    --version) echo "$0 $scriptversion"; exit $?;;
-
-    --)	shift
-	break;;
-
-    -*)	echo "$0: invalid option: $1" >&2
-	exit 1;;
-
-    *)  break;;
-  esac
-  shift
-done
-
-if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
-  # When -d is used, all remaining arguments are directories to create.
-  # When -t is used, the destination is already specified.
-  # Otherwise, the last argument is the destination.  Remove it from $@.
-  for arg
-  do
-    if test -n "$dst_arg"; then
-      # $@ is not empty: it contains at least $arg.
-      set fnord "$@" "$dst_arg"
-      shift # fnord
-    fi
-    shift # arg
-    dst_arg=$arg
-    # Protect names problematic for 'test' and other utilities.
-    case $dst_arg in
-      -* | [=\(\)!]) dst_arg=./$dst_arg;;
-    esac
-  done
-fi
-
-if test $# -eq 0; then
-  if test -z "$dir_arg"; then
-    echo "$0: no input file specified." >&2
-    exit 1
-  fi
-  # It's OK to call 'install-sh -d' without argument.
-  # This can happen when creating conditional directories.
-  exit 0
-fi
-
-if test -z "$dir_arg"; then
-  do_exit='(exit $ret); exit $ret'
-  trap "ret=129; $do_exit" 1
-  trap "ret=130; $do_exit" 2
-  trap "ret=141; $do_exit" 13
-  trap "ret=143; $do_exit" 15
-
-  # Set umask so as not to create temps with too-generous modes.
-  # However, 'strip' requires both read and write access to temps.
-  case $mode in
-    # Optimize common cases.
-    *644) cp_umask=133;;
-    *755) cp_umask=22;;
-
-    *[0-7])
-      if test -z "$stripcmd"; then
-	u_plus_rw=
-      else
-	u_plus_rw='% 200'
-      fi
-      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
-    *)
-      if test -z "$stripcmd"; then
-	u_plus_rw=
-      else
-	u_plus_rw=,u+rw
-      fi
-      cp_umask=$mode$u_plus_rw;;
-  esac
-fi
-
-for src
-do
-  # Protect names problematic for 'test' and other utilities.
-  case $src in
-    -* | [=\(\)!]) src=./$src;;
-  esac
-
-  if test -n "$dir_arg"; then
-    dst=$src
-    dstdir=$dst
-    test -d "$dstdir"
-    dstdir_status=$?
-  else
-
-    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
-    # might cause directories to be created, which would be especially bad
-    # if $src (and thus $dsttmp) contains '*'.
-    if test ! -f "$src" && test ! -d "$src"; then
-      echo "$0: $src does not exist." >&2
-      exit 1
-    fi
-
-    if test -z "$dst_arg"; then
-      echo "$0: no destination specified." >&2
-      exit 1
-    fi
-    dst=$dst_arg
-
-    # If destination is a directory, append the input filename; won't work
-    # if double slashes aren't ignored.
-    if test -d "$dst"; then
-      if test -n "$no_target_directory"; then
-	echo "$0: $dst_arg: Is a directory" >&2
-	exit 1
-      fi
-      dstdir=$dst
-      dst=$dstdir/`basename "$src"`
-      dstdir_status=0
-    else
-      # Prefer dirname, but fall back on a substitute if dirname fails.
-      dstdir=`
-	(dirname "$dst") 2>/dev/null ||
-	expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	     X"$dst" : 'X\(//\)[^/]' \| \
-	     X"$dst" : 'X\(//\)$' \| \
-	     X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
-	echo X"$dst" |
-	    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-		   s//\1/
-		   q
-		 }
-		 /^X\(\/\/\)[^/].*/{
-		   s//\1/
-		   q
-		 }
-		 /^X\(\/\/\)$/{
-		   s//\1/
-		   q
-		 }
-		 /^X\(\/\).*/{
-		   s//\1/
-		   q
-		 }
-		 s/.*/./; q'
-      `
-
-      test -d "$dstdir"
-      dstdir_status=$?
-    fi
-  fi
-
-  obsolete_mkdir_used=false
-
-  if test $dstdir_status != 0; then
-    case $posix_mkdir in
-      '')
-	# Create intermediate dirs using mode 755 as modified by the umask.
-	# This is like FreeBSD 'install' as of 1997-10-28.
-	umask=`umask`
-	case $stripcmd.$umask in
-	  # Optimize common cases.
-	  *[2367][2367]) mkdir_umask=$umask;;
-	  .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
-
-	  *[0-7])
-	    mkdir_umask=`expr $umask + 22 \
-	      - $umask % 100 % 40 + $umask % 20 \
-	      - $umask % 10 % 4 + $umask % 2
-	    `;;
-	  *) mkdir_umask=$umask,go-w;;
-	esac
-
-	# With -d, create the new directory with the user-specified mode.
-	# Otherwise, rely on $mkdir_umask.
-	if test -n "$dir_arg"; then
-	  mkdir_mode=-m$mode
-	else
-	  mkdir_mode=
-	fi
-
-	posix_mkdir=false
-	case $umask in
-	  *[123567][0-7][0-7])
-	    # POSIX mkdir -p sets u+wx bits regardless of umask, which
-	    # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
-	    ;;
-	  *)
-	    tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
-	    trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
-
-	    if (umask $mkdir_umask &&
-		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
-	    then
-	      if test -z "$dir_arg" || {
-		   # Check for POSIX incompatibilities with -m.
-		   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
-		   # other-writable bit of parent directory when it shouldn't.
-		   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
-		   ls_ld_tmpdir=`ls -ld "$tmpdir"`
-		   case $ls_ld_tmpdir in
-		     d????-?r-*) different_mode=700;;
-		     d????-?--*) different_mode=755;;
-		     *) false;;
-		   esac &&
-		   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
-		     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
-		     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
-		   }
-		 }
-	      then posix_mkdir=:
-	      fi
-	      rmdir "$tmpdir/d" "$tmpdir"
-	    else
-	      # Remove any dirs left behind by ancient mkdir implementations.
-	      rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
-	    fi
-	    trap '' 0;;
-	esac;;
-    esac
-
-    if
-      $posix_mkdir && (
-	umask $mkdir_umask &&
-	$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
-      )
-    then :
-    else
-
-      # The umask is ridiculous, or mkdir does not conform to POSIX,
-      # or it failed possibly due to a race condition.  Create the
-      # directory the slow way, step by step, checking for races as we go.
-
-      case $dstdir in
-	/*) prefix='/';;
-	[-=\(\)!]*) prefix='./';;
-	*)  prefix='';;
-      esac
-
-      eval "$initialize_posix_glob"
-
-      oIFS=$IFS
-      IFS=/
-      $posix_glob set -f
-      set fnord $dstdir
-      shift
-      $posix_glob set +f
-      IFS=$oIFS
-
-      prefixes=
-
-      for d
-      do
-	test X"$d" = X && continue
-
-	prefix=$prefix$d
-	if test -d "$prefix"; then
-	  prefixes=
-	else
-	  if $posix_mkdir; then
-	    (umask=$mkdir_umask &&
-	     $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
-	    # Don't fail if two instances are running concurrently.
-	    test -d "$prefix" || exit 1
-	  else
-	    case $prefix in
-	      *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
-	      *) qprefix=$prefix;;
-	    esac
-	    prefixes="$prefixes '$qprefix'"
-	  fi
-	fi
-	prefix=$prefix/
-      done
-
-      if test -n "$prefixes"; then
-	# Don't fail if two instances are running concurrently.
-	(umask $mkdir_umask &&
-	 eval "\$doit_exec \$mkdirprog $prefixes") ||
-	  test -d "$dstdir" || exit 1
-	obsolete_mkdir_used=true
-      fi
-    fi
-  fi
-
-  if test -n "$dir_arg"; then
-    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
-    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
-    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
-      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
-  else
-
-    # Make a couple of temp file names in the proper directory.
-    dsttmp=$dstdir/_inst.$$_
-    rmtmp=$dstdir/_rm.$$_
-
-    # Trap to clean up those temp files at exit.
-    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
-
-    # Copy the file name to the temp name.
-    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
-
-    # and set any options; do chmod last to preserve setuid bits.
-    #
-    # If any of these fail, we abort the whole thing.  If we want to
-    # ignore errors from any of these, just make sure not to ignore
-    # errors from the above "$doit $cpprog $src $dsttmp" command.
-    #
-    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
-    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
-    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
-    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
-
-    # If -C, don't bother to copy if it wouldn't change the file.
-    if $copy_on_change &&
-       old=`LC_ALL=C ls -dlL "$dst"	2>/dev/null` &&
-       new=`LC_ALL=C ls -dlL "$dsttmp"	2>/dev/null` &&
-
-       eval "$initialize_posix_glob" &&
-       $posix_glob set -f &&
-       set X $old && old=:$2:$4:$5:$6 &&
-       set X $new && new=:$2:$4:$5:$6 &&
-       $posix_glob set +f &&
-
-       test "$old" = "$new" &&
-       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
-    then
-      rm -f "$dsttmp"
-    else
-      # Rename the file to the real destination.
-      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
-
-      # The rename failed, perhaps because mv can't rename something else
-      # to itself, or perhaps because mv is so ancient that it does not
-      # support -f.
-      {
-	# Now remove or move aside any old file at destination location.
-	# We try this two ways since rm can't unlink itself on some
-	# systems and the destination file might be busy for other
-	# reasons.  In this case, the final cleanup might fail but the new
-	# file should still install successfully.
-	{
-	  test ! -f "$dst" ||
-	  $doit $rmcmd -f "$dst" 2>/dev/null ||
-	  { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
-	    { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
-	  } ||
-	  { echo "$0: cannot unlink or rename $dst" >&2
-	    (exit 1); exit 1
-	  }
-	} &&
-
-	# Now rename the file to the real destination.
-	$doit $mvcmd "$dsttmp" "$dst"
-      }
-    fi || exit 1
-
-    trap '' 0
-  fi
-done
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
-# time-stamp-end: "; # UTC"
-# End:

configure.ac

@@ -1,447 +0,0 @@
-AC_INIT([nix],[m4_esyscmd(bash -c "echo -n $(cat ./.version)$VERSION_SUFFIX")])
-AC_CONFIG_MACRO_DIRS([m4])
-AC_CONFIG_SRCDIR(README.md)
-AC_CONFIG_AUX_DIR(config)
-
-AC_PROG_SED
-
-# Construct a Nix system name (like "i686-linux"):
-# https://www.gnu.org/software/autoconf/manual/html_node/Canonicalizing.html#index-AC_005fCANONICAL_005fHOST-1
-# The inital value is produced by the `config/config.guess` script:
-# upstream: https://git.savannah.gnu.org/cgit/config.git/tree/config.guess
-# It has the following form, which is not documented anywhere:
-# <cpu>-<vendor>-<os>[<version>][-<abi>]
-# If `./configure` is passed any of the `--host`, `--build`, `--target` options, the value comes from `config/config.sub` instead:
-# upstream: https://git.savannah.gnu.org/cgit/config.git/tree/config.sub
-AC_CANONICAL_HOST
-AC_MSG_CHECKING([for the canonical Nix system name])
-
-AC_ARG_WITH(system, AS_HELP_STRING([--with-system=SYSTEM],[Platform identifier (e.g., `i686-linux').]),
-  [system=$withval],
-  [case "$host_cpu" in
-     i*86)
-        machine_name="i686";;
-     amd64)
-        machine_name="x86_64";;
-     armv6|armv7)
-        machine_name="${host_cpu}l";;
-     *)
-        machine_name="$host_cpu";;
-   esac
-
-   case "$host_os" in
-     linux-gnu*|linux-musl*)
-        # For backward compatibility, strip the `-gnu' part.
-        system="$machine_name-linux";;
-     *)
-        # Strip the version number from names such as `gnu0.3',
-        # `darwin10.2.0', etc.
-        system="$machine_name-`echo $host_os | "$SED" -e's/@<:@0-9.@:>@*$//g'`";;
-   esac])
-
-AC_MSG_RESULT($system)
-AC_SUBST(system)
-AC_DEFINE_UNQUOTED(SYSTEM, ["$system"], [platform identifier ('cpu-os')])
-
-
-# State should be stored in /nix/var, unless the user overrides it explicitly.
-test "$localstatedir" = '${prefix}/var' && localstatedir=/nix/var
-
-# Assign a default value to C{,XX}FLAGS as the default configure script sets them
-# to -O2 otherwise, which we don't want to have hardcoded
-CFLAGS=${CFLAGS-""}
-CXXFLAGS=${CXXFLAGS-""}
-
-AC_PROG_CC
-AC_PROG_CXX
-AC_PROG_CPP
-
-AC_CHECK_TOOL([AR], [ar])
-
-# Use 64-bit file system calls so that we can support files > 2 GiB.
-AC_SYS_LARGEFILE
-
-
-# Solaris-specific stuff.
-case "$host_os" in
-  solaris*)
-    # Solaris requires -lsocket -lnsl for network functions
-    LDFLAGS="-lsocket -lnsl $LDFLAGS"
-    ;;
-esac
-
-
-ENSURE_NO_GCC_BUG_80431
-
-
-# Check for pubsetbuf.
-AC_MSG_CHECKING([for pubsetbuf])
-AC_LANG_PUSH(C++)
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <iostream>
-using namespace std;
-static char buf[1024];]],
-    [[cerr.rdbuf()->pubsetbuf(buf, sizeof(buf));]])],
-    [AC_MSG_RESULT(yes) AC_DEFINE(HAVE_PUBSETBUF, 1, [Whether pubsetbuf is available.])],
-    AC_MSG_RESULT(no))
-AC_LANG_POP(C++)
-
-
-AC_CHECK_FUNCS([statvfs pipe2])
-
-
-# Check for lutimes, optionally used for changing the mtime of
-# symlinks.
-AC_CHECK_FUNCS([lutimes])
-
-
-# Check whether the store optimiser can optimise symlinks.
-AC_MSG_CHECKING([whether it is possible to create a link to a symlink])
-ln -s bla tmp_link
-if ln tmp_link tmp_link2 2> /dev/null; then
-    AC_MSG_RESULT(yes)
-    AC_DEFINE(CAN_LINK_SYMLINK, 1, [Whether link() works on symlinks.])
-else
-    AC_MSG_RESULT(no)
-fi
-rm -f tmp_link tmp_link2
-
-
-# Check for <locale>.
-AC_LANG_PUSH(C++)
-AC_CHECK_HEADERS([locale])
-AC_LANG_POP(C++)
-
-
-AC_DEFUN([NEED_PROG],
-[
-AC_PATH_PROG($1, $2)
-if test -z "$$1"; then
-    AC_MSG_ERROR([$2 is required])
-fi
-])
-
-NEED_PROG(bash, bash)
-AC_PATH_PROG(flex, flex, false)
-AC_PATH_PROG(bison, bison, false)
-AC_PATH_PROG(dot, dot)
-AC_PATH_PROG(lsof, lsof, lsof)
-
-
-AC_SUBST(coreutils, [$(dirname $(type -p cat))])
-
-
-AC_ARG_WITH(store-dir, AS_HELP_STRING([--with-store-dir=PATH],[path of the Nix store (defaults to /nix/store)]),
-  storedir=$withval, storedir='/nix/store')
-AC_SUBST(storedir)
-
-
-# Running the functional tests without building Nix is useful for testing
-# different pre-built versions of Nix against each other.
-AC_ARG_ENABLE(build, AS_HELP_STRING([--disable-build],[Do not build nix]),
-  ENABLE_BUILD=$enableval, ENABLE_BUILD=yes)
-AC_SUBST(ENABLE_BUILD)
-
-# Building without unit tests is useful for bootstrapping with a smaller footprint
-# or running the tests in a separate derivation. Otherwise, we do compile and
-# run them.
-
-AC_ARG_ENABLE(unit-tests, AS_HELP_STRING([--disable-unit-tests],[Do not build the tests]),
-  ENABLE_UNIT_TESTS=$enableval, ENABLE_UNIT_TESTS=$ENABLE_BUILD)
-AC_SUBST(ENABLE_UNIT_TESTS)
-
-AS_IF(
-  [test "$ENABLE_BUILD" == "no" && test "$ENABLE_UNIT_TESTS" == "yes"],
-  [AC_MSG_ERROR([Cannot enable unit tests when building overall is disabled. Please do not pass '--enable-unit-tests' or do not pass '--disable-build'.])])
-
-AC_ARG_ENABLE(functional-tests, AS_HELP_STRING([--disable-functional-tests],[Do not build the tests]),
-  ENABLE_FUNCTIONAL_TESTS=$enableval, ENABLE_FUNCTIONAL_TESTS=yes)
-AC_SUBST(ENABLE_FUNCTIONAL_TESTS)
-
-# documentation generation switch
-AC_ARG_ENABLE(doc-gen, AS_HELP_STRING([--disable-doc-gen],[disable documentation generation]),
-  ENABLE_DOC_GEN=$enableval, ENABLE_DOC_GEN=$ENABLE_BUILD)
-AC_SUBST(ENABLE_DOC_GEN)
-
-AS_IF(
-  [test "$ENABLE_BUILD" == "no" && test "$ENABLE_DOC_GEN" == "yes"],
-  [AC_MSG_ERROR([Cannot enable generated docs when building overall is disabled. Please do not pass '--enable-doc-gen' or do not pass '--disable-build'.])])
-
-AS_IF(
-  [test "$ENABLE_FUNCTIONAL_TESTS" == "yes" || test "$ENABLE_DOC_GEN" == "yes"],
-  [NEED_PROG(jq, jq)])
-
-AS_IF([test "$ENABLE_BUILD" == "yes"],[
-
-# Look for boost, a required dependency.
-# Note that AX_BOOST_BASE only exports *CPP* BOOST_CPPFLAGS, no CXX flags,
-# and CPPFLAGS are not passed to the C++ compiler automatically.
-# Thus we append the returned CPPFLAGS to the CXXFLAGS here.
-AX_BOOST_BASE([1.66], [CXXFLAGS="$BOOST_CPPFLAGS $CXXFLAGS"], [AC_MSG_ERROR([Nix requires boost.])])
-# For unknown reasons, setting this directly in the ACTION-IF-FOUND above
-# ends up with LDFLAGS being empty, so we set it afterwards.
-LDFLAGS="$BOOST_LDFLAGS $LDFLAGS"
-
-# On some platforms, new-style atomics need a helper library
-AC_MSG_CHECKING(whether -latomic is needed)
-AC_LINK_IFELSE([AC_LANG_SOURCE([[
-#include <stdint.h>
-uint64_t v;
-int main() {
-    return (int)__atomic_load_n(&v, __ATOMIC_ACQUIRE);
-}]])], GCC_ATOMIC_BUILTINS_NEED_LIBATOMIC=no, GCC_ATOMIC_BUILTINS_NEED_LIBATOMIC=yes)
-AC_MSG_RESULT($GCC_ATOMIC_BUILTINS_NEED_LIBATOMIC)
-if test "x$GCC_ATOMIC_BUILTINS_NEED_LIBATOMIC" = xyes; then
-    LDFLAGS="-latomic $LDFLAGS"
-fi
-
-AC_ARG_ENABLE(install-unit-tests, AS_HELP_STRING([--enable-install-unit-tests],[Install the unit tests for running later (default no)]),
-  INSTALL_UNIT_TESTS=$enableval, INSTALL_UNIT_TESTS=no)
-AC_SUBST(INSTALL_UNIT_TESTS)
-
-AC_ARG_WITH(check-bin-dir, AS_HELP_STRING([--with-check-bin-dir=PATH],[path to install unit tests for running later (defaults to $libexecdir/nix)]),
-  checkbindir=$withval, checkbindir=$libexecdir/nix)
-AC_SUBST(checkbindir)
-
-AC_ARG_WITH(check-lib-dir, AS_HELP_STRING([--with-check-lib-dir=PATH],[path to install unit tests for running later (defaults to $libdir)]),
-  checklibdir=$withval, checklibdir=$libdir)
-AC_SUBST(checklibdir)
-
-# LTO is currently broken with clang for unknown reasons; ld segfaults in the llvm plugin
-AC_ARG_ENABLE(lto, AS_HELP_STRING([--enable-lto],[Enable LTO (only supported with GCC) [default=no]]),
-  lto=$enableval, lto=no)
-if test "$lto" = yes; then
-    if $CXX --version | grep -q GCC; then
-        AC_SUBST(CXXLTO, [-flto=jobserver])
-    else
-        echo "error: LTO is only supported with GCC at the moment" >&2
-        exit 1
-    fi
-else
-    AC_SUBST(CXXLTO, [""])
-fi
-
-PKG_PROG_PKG_CONFIG
-
-AC_ARG_ENABLE(shared, AS_HELP_STRING([--enable-shared],[Build shared libraries for Nix [default=yes]]),
-  shared=$enableval, shared=yes)
-if test "$shared" = yes; then
-  AC_SUBST(BUILD_SHARED_LIBS, 1, [Whether to build shared libraries.])
-else
-  AC_SUBST(BUILD_SHARED_LIBS, 0, [Whether to build shared libraries.])
-  PKG_CONFIG="$PKG_CONFIG --static"
-fi
-
-# Look for OpenSSL, a required dependency. FIXME: this is only (maybe)
-# used by S3BinaryCacheStore.
-PKG_CHECK_MODULES([OPENSSL], [libcrypto >= 1.1.1], [CXXFLAGS="$OPENSSL_CFLAGS $CXXFLAGS"])
-
-
-# Look for libarchive.
-PKG_CHECK_MODULES([LIBARCHIVE], [libarchive >= 3.1.2], [CXXFLAGS="$LIBARCHIVE_CFLAGS $CXXFLAGS"])
-# Workaround until https://github.com/libarchive/libarchive/issues/1446 is fixed
-if test "$shared" != yes; then
-    LIBARCHIVE_LIBS+=' -lz'
-fi
-
-# Look for SQLite, a required dependency.
-PKG_CHECK_MODULES([SQLITE3], [sqlite3 >= 3.6.19], [CXXFLAGS="$SQLITE3_CFLAGS $CXXFLAGS"])
-
-# Look for libcurl, a required dependency.
-PKG_CHECK_MODULES([LIBCURL], [libcurl], [CXXFLAGS="$LIBCURL_CFLAGS $CXXFLAGS"])
-
-# Look for editline or readline, a required dependency.
-# The the libeditline.pc file was added only in libeditline >= 1.15.2,
-# see https://github.com/troglobit/editline/commit/0a8f2ef4203c3a4a4726b9dd1336869cd0da8607,
-# Older versions are no longer supported.
-AC_ARG_WITH(
-  [readline-flavor],
-  AS_HELP_STRING([--with-readline-flavor],[Which library to use for nice line editting with the Nix language REPL" [default=editline]]),
-  [readline_flavor=$withval],
-  [readline_flavor=editline])
-AS_CASE(["$readline_flavor"],
-  [editline], [
-    readline_flavor_pc=libeditline
-  ],
-  [readline], [
-    readline_flavor_pc=readline
-    AC_DEFINE([USE_READLINE], [1], [Use readline instead of editline])
-  ],
-  [AC_MSG_ERROR([bad value "$readline_flavor" for --with-readline-flavor, must be one of: editline, readline])])
-PKG_CHECK_MODULES([EDITLINE], [$readline_flavor_pc], [CXXFLAGS="$EDITLINE_CFLAGS $CXXFLAGS"])
-
-# Look for libsodium.
-PKG_CHECK_MODULES([SODIUM], [libsodium], [CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"])
-
-# Look for libbrotli{enc,dec}.
-PKG_CHECK_MODULES([LIBBROTLI], [libbrotlienc libbrotlidec], [CXXFLAGS="$LIBBROTLI_CFLAGS $CXXFLAGS"])
-
-# Look for libcpuid.
-have_libcpuid=
-if test "$machine_name" = "x86_64"; then
-    AC_ARG_ENABLE([cpuid],
-                  AS_HELP_STRING([--disable-cpuid], [Do not determine microarchitecture levels with libcpuid (relevant to x86_64 only)]))
-    if test "x$enable_cpuid" != "xno"; then
-      PKG_CHECK_MODULES([LIBCPUID], [libcpuid],
-        [CXXFLAGS="$LIBCPUID_CFLAGS $CXXFLAGS"
-         have_libcpuid=1
-         AC_DEFINE([HAVE_LIBCPUID], [1], [Use libcpuid])]
-      )
-    fi
-fi
-AC_SUBST(HAVE_LIBCPUID, [$have_libcpuid])
-
-
-# Look for libseccomp, required for Linux sandboxing.
-case "$host_os" in
-  linux*)
-    AC_ARG_ENABLE([seccomp-sandboxing],
-                  AS_HELP_STRING([--disable-seccomp-sandboxing],[Don't build support for seccomp sandboxing (only recommended if your arch doesn't support libseccomp yet!)
-                                ]))
-    if test "x$enable_seccomp_sandboxing" != "xno"; then
-      PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp],
-                        [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS" CFLAGS="$LIBSECCOMP_CFLAGS $CFLAGS"])
-      have_seccomp=1
-      AC_DEFINE([HAVE_SECCOMP], [1], [Whether seccomp is available and should be used for sandboxing.])
-      AC_COMPILE_IFELSE([
-        AC_LANG_SOURCE([[
-          #include <seccomp.h>
-          #ifndef __SNR_fchmodat2
-          # error "Missing support for fchmodat2"
-          #endif
-        ]])
-      ], [], [
-        echo "libseccomp is missing __SNR_fchmodat2. Please provide libseccomp 2.5.5 or later"
-        exit 1
-      ])
-    else
-      have_seccomp=
-    fi
-    ;;
-  *)
-    have_seccomp=
-    ;;
-esac
-AC_SUBST(HAVE_SECCOMP, [$have_seccomp])
-
-# Optional dependencies for better normalizing file system data
-AC_CHECK_HEADERS([sys/xattr.h])
-AS_IF([test "$ac_cv_header_sys_xattr_h" = "yes"],[
-  AC_CHECK_FUNCS([llistxattr lremovexattr])
-  AS_IF([test "$ac_cv_func_llistxattr" = "yes" && test "$ac_cv_func_lremovexattr" = "yes"],[
-    AC_DEFINE([HAVE_ACL_SUPPORT], [1], [Define if we can manipulate file system Access Control Lists])
-  ])
-])
-
-# Look for aws-cpp-sdk-s3.
-AC_LANG_PUSH(C++)
-AC_CHECK_HEADERS([aws/s3/S3Client.h],
-  [AC_DEFINE([ENABLE_S3], [1], [Whether to enable S3 support via aws-sdk-cpp.]) enable_s3=1],
-  [AC_DEFINE([ENABLE_S3], [0], [Whether to enable S3 support via aws-sdk-cpp.]) enable_s3=])
-AC_SUBST(ENABLE_S3, [$enable_s3])
-AC_LANG_POP(C++)
-
-
-# Whether to use the Boehm garbage collector.
-AC_ARG_ENABLE(gc, AS_HELP_STRING([--enable-gc],[enable garbage collection in the Nix expression evaluator (requires Boehm GC) [default=yes]]),
-  gc=$enableval, gc=yes)
-if test "$gc" = yes; then
-  PKG_CHECK_MODULES([BDW_GC], [bdw-gc])
-  CXXFLAGS="$BDW_GC_CFLAGS $CXXFLAGS"
-  AC_DEFINE(HAVE_BOEHMGC, 1, [Whether to use the Boehm garbage collector.])
-
-  # See `fixupBoehmStackPointer`, for the integration between Boehm GC
-  # and Boost coroutines.
-  old_CFLAGS="$CFLAGS"
-  # Temporary set `-pthread` just for the next check
-  CFLAGS="$CFLAGS -pthread"
-  AC_CHECK_FUNCS([pthread_attr_get_np pthread_getattr_np])
-  CFLAGS="$old_CFLAGS"
-fi
-
-AS_IF([test "$ENABLE_UNIT_TESTS" == "yes"],[
-
-# Look for gtest.
-PKG_CHECK_MODULES([GTEST], [gtest_main gmock_main])
-
-# Look for rapidcheck.
-PKG_CHECK_MODULES([RAPIDCHECK], [rapidcheck rapidcheck_gtest])
-
-])
-
-# Look for nlohmann/json.
-PKG_CHECK_MODULES([NLOHMANN_JSON], [nlohmann_json >= 3.9])
-
-
-# Look for lowdown library.
-AC_ARG_ENABLE([markdown], AS_HELP_STRING([--enable-markdown], [Enable Markdown rendering in the Nix binary (requires lowdown) [default=auto]]),
-  enable_markdown=$enableval, enable_markdown=auto)
-AS_CASE(["$enable_markdown"],
-  [yes | auto], [
-    PKG_CHECK_MODULES([LOWDOWN], [lowdown >= 0.9.0], [
-      CXXFLAGS="$LOWDOWN_CFLAGS $CXXFLAGS"
-      have_lowdown=1
-      AC_DEFINE(HAVE_LOWDOWN, 1, [Whether lowdown is available and should be used for Markdown rendering.])
-    ], [
-      AS_IF([test "x$enable_markdown" == "xyes"], [AC_MSG_ERROR([--enable-markdown was specified, but lowdown was not found.])])
-    ])
-  ],
-  [no], [have_lowdown=],
-  [AC_MSG_ERROR([bad value "$enable_markdown" for --enable-markdown, must be one of: yes, no, auto])])
-
-
-# Look for libgit2.
-PKG_CHECK_MODULES([LIBGIT2], [libgit2])
-
-
-# Look for toml11, a required dependency.
-AC_LANG_PUSH(C++)
-AC_CHECK_HEADER([toml.hpp], [], [AC_MSG_ERROR([toml11 is not found.])])
-AC_LANG_POP(C++)
-
-# Setuid installations.
-AC_CHECK_FUNCS([setresuid setreuid lchown])
-
-
-# Nice to have, but not essential.
-AC_CHECK_FUNCS([strsignal posix_fallocate sysconf])
-
-
-AC_ARG_WITH(sandbox-shell, AS_HELP_STRING([--with-sandbox-shell=PATH],[path of a statically-linked shell to use as /bin/sh in sandboxes]),
-  sandbox_shell=$withval)
-AC_SUBST(sandbox_shell)
-if test ${cross_compiling:-no} = no && ! test -z ${sandbox_shell+x}; then
-  AC_MSG_CHECKING([whether sandbox-shell has the standalone feature])
-  # busybox shell sometimes allows executing other busybox applets,
-  # even if they are not in the path, breaking our sandbox
-  if PATH= $sandbox_shell -c "busybox" 2>&1 | grep -qv "not found"; then
-    AC_MSG_RESULT(enabled)
-    AC_MSG_ERROR([Please disable busybox FEATURE_SH_STANDALONE])
-  else
-    AC_MSG_RESULT(disabled)
-  fi
-fi
-
-AC_ARG_ENABLE(embedded-sandbox-shell, AS_HELP_STRING([--enable-embedded-sandbox-shell],[include the sandbox shell in the Nix binary [default=no]]),
-  embedded_sandbox_shell=$enableval, embedded_sandbox_shell=no)
-AC_SUBST(embedded_sandbox_shell)
-if test "$embedded_sandbox_shell" = yes; then
-  AC_DEFINE(HAVE_EMBEDDED_SANDBOX_SHELL, 1, [Include the sandbox shell in the Nix binary.])
-fi
-
-])
-
-
-# Expand all variables in config.status.
-test "$prefix" = NONE && prefix=$ac_default_prefix
-test "$exec_prefix" = NONE && exec_prefix='${prefix}'
-for name in $ac_subst_vars; do
-    declare $name="$(eval echo "${!name}")"
-    declare $name="$(eval echo "${!name}")"
-    declare $name="$(eval echo "${!name}")"
-done
-
-rm -f Makefile.config
-
-AC_CONFIG_HEADERS([config.h])
-AC_CONFIG_FILES([])
-AC_OUTPUT

default.nix

@@ -1,10 +1,9 @@
-(import
-  (
-    let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
-    fetchTarball {
-      url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
-      sha256 = lock.nodes.flake-compat.locked.narHash;
-    }
-  )
-  { src = ./.; }
-).defaultNix
+(import (
+  let
+    lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+  in
+  fetchTarball {
+    url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+    sha256 = lock.nodes.flake-compat.locked.narHash;
+  }
+) { src = ./.; }).defaultNix

doc/manual/.version

@@ -0,0 +1 @@
+../../.version

doc/manual/anchors.jq

@@ -3,7 +3,7 @@
 
 
 def transform_anchors_html:
-    . | gsub($empty_anchor_regex; "<a name=\"" + .anchor + "\"></a>")
+    . | gsub($empty_anchor_regex; "<a id=\"" + .anchor + "\"></a>")
       | gsub($anchor_regex; "<a href=\"#" + .anchor + "\" id=\"" + .anchor + "\">" + .text + "</a>");
 
 
@@ -24,8 +24,15 @@ def map_contents_recursively(transformer):
 def process_command:
     .[0] as $context |
     .[1] as $body |
-    $body + {
-        sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
-    };
+    # mdbook 0.5.x uses 'items' instead of 'sections'
+    if $body.items then
+        $body + {
+            items: $body.items | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
+        }
+    else
+        $body + {
+            sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
+        }
+    end;
 
 process_command

doc/manual/book.toml

@@ -1,21 +0,0 @@
-[book]
-title = "Nix Reference Manual"
-
-[output.html]
-additional-css = ["custom.css"]
-additional-js = ["redirects.js"]
-edit-url-template = "https://github.com/NixOS/nix/tree/master/doc/manual/{path}"
-git-repository-url = "https://github.com/NixOS/nix"
-
-[preprocessor.anchors]
-renderers = ["html"]
-command = "jq --from-file doc/manual/anchors.jq"
-
-[output.linkcheck]
-# no Internet during the build (in the sandbox)
-follow-web-links = false
-
-# mdbook-linkcheck does not understand [foo]{#bar} style links, resulting in
-# excessive "Potential incomplete link" warnings. No other kind of warning was
-# produced at the time of writing.
-warning-policy = "ignore"

doc/manual/book.toml.in

@@ -0,0 +1,26 @@
+[book]
+title = "Nix @version@ Reference Manual"
+src = "source"
+
+[output.html]
+additional-css = ["custom.css"]
+additional-js = ["redirects.js"]
+edit-url-template = "https://github.com/NixOS/nix/tree/master/doc/manual/{path}"
+git-repository-url = "https://github.com/NixOS/nix"
+mathjax-support = true
+
+# Handles replacing @docroot@ with a path to ./source relative to that markdown file,
+# {{#include handlebars}}, and the @generated@ syntax used within these. it mostly
+# but not entirely replaces the links preprocessor (which we cannot simply use due
+# to @generated@ files living in a different directory to make meson happy). we do
+# not want to disable the links preprocessor entirely though because that requires
+# disabling *all* built-in preprocessors and selectively reenabling those we want.
+[preprocessor.substitute]
+command = "python3 ./substitute.py"
+before = ["anchors", "links"]
+
+[preprocessor.anchors]
+renderers = ["html"]
+command = "jq --from-file ./anchors.jq"
+
+[output.markdown]

doc/manual/custom.css

@@ -12,8 +12,8 @@ h1.menu-title::before {
 }
 
 
-h1.menu-title {
-  padding: 0.5em;
+.menu-bar {
+  padding: 0.5em 0em;
 }
 
 .sidebar .sidebar-scrollbox {

doc/manual/expand-includes.py

@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+"""
+Standalone markdown preprocessor for manpage generation.
+
+Expands {{#include}} directives and handles @docroot@ references
+without requiring mdbook.
+"""
+
+from pathlib import Path
+import sys
+import argparse
+import re
+
+
+def expand_includes(
+    content: str,
+    current_file: Path,
+    source_root: Path,
+    generated_root: Path | None,
+    visited: set[Path] | None = None,
+) -> str:
+    """
+    Recursively expand {{#include path}} directives.
+
+    Args:
+        content: Markdown content to process
+        current_file: Path to the current file (for resolving relative includes)
+        source_root: Root of the source directory
+        generated_root: Root of generated files (for @generated@/ includes)
+        visited: Set of already-visited files (for cycle detection)
+    """
+    if visited is None:
+        visited = set()
+
+    # Track current file to detect cycles
+    visited.add(current_file.resolve())
+
+    lines = []
+    include_pattern = re.compile(r'^\s*\{\{#include\s+(.+?)\}\}\s*$')
+
+    for line in content.splitlines(keepends=True):
+        match = include_pattern.match(line)
+        if not match:
+            lines.append(line)
+            continue
+
+        # Found an include directive
+        include_path_str = match.group(1).strip()
+
+        # Resolve the include path
+        if include_path_str.startswith("@generated@/"):
+            # Generated file
+            if generated_root is None:
+                raise ValueError(
+                    f"Cannot resolve @generated@ path '{include_path_str}' "
+                    f"without --generated-root"
+                )
+            include_path = generated_root / include_path_str[12:]
+        else:
+            # Relative to current file
+            include_path = (current_file.parent / include_path_str).resolve()
+
+        # Check for cycles
+        if include_path.resolve() in visited:
+            raise RuntimeError(
+                f"Include cycle detected: {include_path} is already being processed"
+            )
+
+        # Check that file exists
+        if not include_path.exists():
+            raise FileNotFoundError(
+                f"Include file not found: {include_path_str}\n"
+                f"  Resolved to: {include_path}\n"
+                f"  From: {current_file}"
+            )
+
+        # Recursively expand the included file
+        included_content = include_path.read_text()
+        expanded = expand_includes(
+            included_content,
+            include_path,
+            source_root,
+            generated_root,
+            visited.copy(),  # Copy visited set for this branch
+        )
+        lines.append(expanded)
+        # Add newline if the included content doesn't end with one
+        if not expanded.endswith('\n'):
+            lines.append('\n')
+
+    return ''.join(lines)
+
+
+def resolve_docroot(content: str, current_file: Path, source_root: Path, docroot_url: str) -> str:
+    """
+    Replace @docroot@ with nix.dev URL and convert .md to .html.
+
+    For manpages, absolute URLs are more useful than relative paths since
+    manpages are viewed standalone. lowdown will display these as proper
+    references in the manpage output.
+    """
+    # Replace @docroot@ with the base URL
+    content = content.replace("@docroot@", docroot_url)
+
+    # Convert .md extensions to .html for web links
+    # Use lookahead to ensure that .md occurs before a fragment or a possible URL end.
+    content = re.sub(
+        r'(https://nix\.dev/[^)\s]*?)\.md(?=[#)\s]|$)',
+        r'\1.html',
+        content
+    )
+
+    return content
+
+
+def resolve_at_escapes(content: str) -> str:
+    """Replace @_at_ with @"""
+    return content.replace("@_at_", "@")
+
+
+def process_file(
+    input_file: Path,
+    source_root: Path,
+    generated_root: Path | None,
+    docroot_url: str,
+) -> str:
+    """Process a single markdown file."""
+    content = input_file.read_text()
+
+    # Expand includes
+    content = expand_includes(content, input_file, source_root, generated_root)
+
+    # Resolve @docroot@ references
+    content = resolve_docroot(content, input_file, source_root, docroot_url)
+
+    # Resolve @_at_ escapes
+    content = resolve_at_escapes(content)
+
+    return content
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Expand markdown includes for manpage generation",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  # Expand a manpage source file
+  %(prog)s \\
+    --source-root doc/manual/source \\
+    --generated-root build/doc/manual/source \\
+    doc/manual/source/command-ref/nix-store/query.md
+
+  # Pipe to lowdown for manpage generation
+  %(prog)s -s doc/manual/source -g build/doc/manual/source \\
+    doc/manual/source/command-ref/nix-env.md | \\
+    lowdown -sT man -M section=1 -o nix-env.1
+        """,
+    )
+    parser.add_argument(
+        "input_file",
+        type=Path,
+        help="Input markdown file to process",
+    )
+    parser.add_argument(
+        "-s", "--source-root",
+        type=Path,
+        required=True,
+        help="Root directory of markdown sources",
+    )
+    parser.add_argument(
+        "-g", "--generated-root",
+        type=Path,
+        help="Root directory of generated files (for @generated@/ includes)",
+    )
+    parser.add_argument(
+        "-o", "--output",
+        type=Path,
+        help="Output file (default: stdout)",
+    )
+    parser.add_argument(
+        "-u", "--doc-url",
+        type=str,
+        default="https://nix.dev/manual/nix/latest",
+        help="Base URL for documentation links (default: https://nix.dev/manual/nix/latest)",
+    )
+
+    args = parser.parse_args()
+
+    # Validate paths
+    if not args.input_file.exists():
+        print(f"Error: Input file not found: {args.input_file}", file=sys.stderr)
+        return 1
+
+    if not args.source_root.is_dir():
+        print(f"Error: Source root is not a directory: {args.source_root}", file=sys.stderr)
+        return 1
+
+    if args.generated_root and not args.generated_root.is_dir():
+        print(f"Error: Generated root is not a directory: {args.generated_root}", file=sys.stderr)
+        return 1
+
+    try:
+        # Process the file
+        output = process_file(args.input_file, args.source_root, args.generated_root, args.doc_url)
+
+        # Write output
+        if args.output:
+            args.output.write_text(output)
+        else:
+            print(output, end='')
+
+        return 0
+
+    except Exception as e:
+        print(f"Error processing {args.input_file}: {e}", file=sys.stderr)
+        import traceback
+        traceback.print_exc(file=sys.stderr)
+        return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())

doc/manual/generate-builtins.nix

@@ -5,7 +5,15 @@ in
 
 builtinsInfo:
 let
-  showBuiltin = name: { doc, type ? null, args ? [ ], experimental-feature ? null, impure-only ? false }:
+  showBuiltin =
+    name:
+    {
+      doc,
+      type ? null,
+      args ? [ ],
+      experimental-feature ? null,
+      impure-only ? false,
+    }:
     let
       type' = optionalString (type != null) " (${type})";
 

doc/manual/generate-deps.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+
+import glob
+import sys
+
+# meson expects makefile-style dependency declarations, i.e.
+#
+#   target: dependency...
+#
+# meson seems to pass depfiles straight on to ninja even though
+# it also parses the file itself (or at least has code to do so
+# in its tree), so we must live by ninja's rules: only slashes,
+# spaces and octothorpes can be escaped, anything else is taken
+# literally. since the rules for these aren't even the same for
+# all three we will just fail when we encounter any of them (if
+# asserts are off for some reason the depfile will likely point
+# to nonexistent paths, making everything phony and thus fine.)
+for path in glob.glob(sys.argv[1] + '/**', recursive=True):
+    assert '\\' not in path
+    assert ' ' not in path
+    assert '#' not in path
+    print("ignored:", path)

doc/manual/generate-manpage.nix

@@ -32,7 +32,13 @@ let
 
   commandInfo = fromJSON commandDump;
 
-  showCommand = { command, details, filename, toplevel }:
+  showCommand =
+    {
+      command,
+      details,
+      filename,
+      toplevel,
+    }:
     let
 
       result = ''
@@ -56,26 +62,27 @@ let
         ${maybeOptions}
       '';
 
-      showSynopsis = command: args:
+      showSynopsis =
+        command: args:
         let
-          showArgument = arg: "*${arg.label}*" + optionalString (! arg ? arity) "...";
+          showArgument = arg: "*${arg.label}*" + optionalString (!arg ? arity) "...";
           arguments = concatStringsSep " " (map showArgument args);
-        in ''
+        in
+        ''
           `${command}` [*option*...] ${arguments}
         '';
 
-      maybeSubcommands = optionalString (details ? commands && details.commands != {})
-        ''
-          where *subcommand* is one of the following:
+      maybeSubcommands = optionalString (details ? commands && details.commands != { }) ''
+        where *subcommand* is one of the following:
 
-          ${subcommands}
-        '';
+        ${subcommands}
+      '';
 
-      subcommands = if length categories > 1
-        then listCategories
-        else listSubcommands details.commands;
+      subcommands = if length categories > 1 then listCategories else listSubcommands details.commands;
 
-      categories = sort (x: y: x.id < y.id) (unique (map (cmd: cmd.category) (attrValues details.commands)));
+      categories = sort (x: y: x.id < y.id) (
+        unique (map (cmd: cmd.category) (attrValues details.commands))
+      );
 
       listCategories = concatStrings (map showCategory categories);
 
@@ -99,38 +106,39 @@ let
 
             ${allStores}
           '';
-          index = replaceStrings
-            [ "@store-types@" "./local-store.md" "./local-daemon-store.md" ]
-            [ storesOverview "#local-store" "#local-daemon-store" ]
-            details.doc;
+          index =
+            replaceStrings
+              [ "@store-types@" "./local-store.md" "./local-daemon-store.md" ]
+              [ storesOverview "#local-store" "#local-daemon-store" ]
+              details.doc;
           storesOverview =
             let
-              showEntry = store:
-                "- [${store.name}](#${store.slug})";
+              showEntry = store: "- [${store.name}](#${store.slug})";
             in
             concatStringsSep "\n" (map showEntry storesList) + "\n";
           allStores = concatStringsSep "\n" (attrValues storePages);
-          storePages = listToAttrs
-            (map (s: { name = s.filename; value = s.page; }) storesList);
+          storePages = listToAttrs (
+            map (s: {
+              name = s.filename;
+              value = s.page;
+            }) storesList
+          );
           storesList = showStoreDocs {
             storeInfo = commandInfo.stores;
             inherit inlineHTML;
           };
-          hasInfix = infix: content:
+          hasInfix =
+            infix: content:
             builtins.stringLength content != builtins.stringLength (replaceStrings [ infix ] [ "" ] content);
         in
         optionalString (details ? doc) (
           # An alternate implementation with builtins.match stack overflowed on some systems.
-          if hasInfix "@store-types@" details.doc
-          then help-stores
-          else details.doc
+          if hasInfix "@store-types@" details.doc then help-stores else details.doc
         );
 
       maybeOptions =
         let
-          allVisibleOptions = filterAttrs
-            (_: o: ! o.hiddenCategory)
-            (details.flags // toplevel.flags);
+          allVisibleOptions = filterAttrs (_: o: !o.hiddenCategory) (details.flags // toplevel.flags);
         in
         optionalString (allVisibleOptions != { }) ''
           # Options
@@ -142,55 +150,73 @@ let
           > See [`man nix.conf`](@docroot@/command-ref/conf-file.md#command-line-flags) for overriding configuration settings with command line flags.
         '';
 
-      showOptions = inlineHTML: allOptions:
+      showOptions =
+        inlineHTML: allOptions:
         let
           showCategory = cat: opts: ''
             ${optionalString (cat != "") "## ${cat}"}
 
             ${concatStringsSep "\n" (attrValues (mapAttrs showOption opts))}
           '';
-          showOption = name: option:
+          showOption =
+            name: option:
             let
               result = trim ''
                 - ${item}
 
                   ${option.description}
               '';
-              item = if inlineHTML
-                then ''<span id="opt-${name}">[`--${name}`](#opt-${name})</span> ${shortName} ${labels}''
-                else "`--${name}` ${shortName} ${labels}";
-              shortName = optionalString
-                (option ? shortName)
-                ("/ `-${option.shortName}`");
-              labels = optionalString
-                (option ? labels)
-                (concatStringsSep " " (map (s: "*${s}*") option.labels));
-            in result;
-          categories = mapAttrs
-            # Convert each group from a list of key-value pairs back to an attrset
-            (_: listToAttrs)
-            (groupBy
-              (cmd: cmd.value.category)
-              (attrsToList allOptions));
-        in concatStrings (attrValues (mapAttrs showCategory categories));
-    in squash result;
+              item =
+                if inlineHTML then
+                  ''<span id="opt-${name}">[`--${name}`](#opt-${name})</span> ${shortName} ${labels}''
+                else
+                  "`--${name}` ${shortName} ${labels}";
+              shortName = optionalString (option ? shortName) ("/ `-${option.shortName}`");
+              labels = optionalString (option ? labels) (concatStringsSep " " (map (s: "*${s}*") option.labels));
+            in
+            result;
+          categories =
+            mapAttrs
+              # Convert each group from a list of key-value pairs back to an attrset
+              (_: listToAttrs)
+              (groupBy (cmd: cmd.value.category) (attrsToList allOptions));
+        in
+        concatStrings (attrValues (mapAttrs showCategory categories));
+    in
+    squash result;
 
   appendName = filename: name: (if filename == "nix" then "nix3" else filename) + "-" + name;
 
-  processCommand = { command, details, filename, toplevel }:
+  processCommand =
+    {
+      command,
+      details,
+      filename,
+      toplevel,
+    }:
     let
       cmd = {
         inherit command;
         name = filename + ".md";
-        value = showCommand { inherit command details filename toplevel; };
+        value = showCommand {
+          inherit
+            command
+            details
+            filename
+            toplevel
+            ;
+        };
       };
-      subcommand = subCmd: processCommand {
-        command = command + " " + subCmd;
-        details = details.commands.${subCmd};
-        filename = appendName filename subCmd;
-        inherit toplevel;
-      };
-    in [ cmd ] ++ concatMap subcommand (attrNames details.commands or {});
+      subcommand =
+        subCmd:
+        processCommand {
+          command = command + " " + subCmd;
+          details = details.commands.${subCmd};
+          filename = appendName filename subCmd;
+          inherit toplevel;
+        };
+    in
+    [ cmd ] ++ concatMap subcommand (attrNames details.commands or { });
 
   manpages = processCommand {
     command = "nix";
@@ -199,9 +225,11 @@ let
     toplevel = commandInfo.args;
   };
 
-  tableOfContents = let
-    showEntry = page:
-      "    - [${page.command}](command-ref/new-cli/${page.name})";
-    in concatStringsSep "\n" (map showEntry manpages) + "\n";
+  tableOfContents =
+    let
+      showEntry = page: "    - [${page.command}](command-ref/new-cli/${page.name})";
+    in
+    concatStringsSep "\n" (map showEntry manpages) + "\n";
 
-in (listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }
+in
+(listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }

doc/manual/generate-redirects.py

@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+"""Generate redirects.js from template and JSON data."""
+
+import sys
+
+template_path, json_path, output_path = sys.argv[1:]
+
+with open(json_path) as f:
+    json_content = f.read().rstrip()
+
+with open(template_path) as f:
+    template = f.read()
+
+with open(output_path, 'w') as f:
+    f.write(template.replace('@REDIRECTS_JSON@', json_content))

doc/manual/generate-settings.nix

@@ -1,67 +1,99 @@
 let
-  inherit (builtins) attrValues concatStringsSep isAttrs isBool mapAttrs;
-  inherit (import <nix/utils.nix>) concatStrings indent optionalString squash;
+  inherit (builtins)
+    attrValues
+    concatStringsSep
+    isAttrs
+    isBool
+    mapAttrs
+    ;
+  inherit (import <nix/utils.nix>)
+    concatStrings
+    indent
+    optionalString
+    squash
+    ;
 in
 
 # `inlineHTML` is a hack to accommodate inconsistent output from `lowdown`
-{ prefix, inlineHTML ? true }: settingsInfo:
+{
+  prefix,
+  inlineHTML ? true,
+}:
+settingsInfo:
 
 let
 
-  showSetting = prefix: setting: { description, documentDefault, defaultValue, aliases, value, experimentalFeature }:
+  showSetting =
+    prefix: setting:
+    {
+      description,
+      documentDefault,
+      defaultValue,
+      aliases,
+      value,
+      experimentalFeature,
+    }:
     let
       result = squash ''
-          - ${item}
+        - ${item}
 
-          ${indent "  " body}
-        '';
-      item = if inlineHTML
-        then ''<span id="${prefix}-${setting}">[`${setting}`](#${prefix}-${setting})</span>''
-        else "`${setting}`";
+        ${indent "  " body}
+      '';
+      item =
+        if inlineHTML then
+          ''<span id="${prefix}-${setting}">[`${setting}`](#${prefix}-${setting})</span>''
+        else
+          "`${setting}`";
       # separate body to cleanly handle indentation
       body = ''
-          ${experimentalFeatureNote}
+        ${experimentalFeatureNote}
 
-          ${description}
+        ${description}
 
-          **Default:** ${showDefault documentDefault defaultValue}
+        **Default:** ${showDefault documentDefault defaultValue}
 
-          ${showAliases aliases}
-        '';
+        ${showAliases aliases}
+      '';
 
       experimentalFeatureNote = optionalString (experimentalFeature != null) ''
-          > **Warning**
-          >
-          > This setting is part of an
-          > [experimental feature](@docroot@/development/experimental-features.md).
-          >
-          > To change this setting, make sure the
-          > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
-          > is enabled.
-          > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
-          >
-          > ```
-          > extra-experimental-features = ${experimentalFeature}
-          > ${setting} = ...
-          > ```
-        '';
+        > **Warning**
+        >
+        > This setting is part of an
+        > [experimental feature](@docroot@/development/experimental-features.md).
+        >
+        > To change this setting, make sure the
+        > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
+        > is enabled.
+        > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
+        >
+        > ```
+        > extra-experimental-features = ${experimentalFeature}
+        > ${setting} = ...
+        > ```
+      '';
 
-      showDefault = documentDefault: defaultValue:
+      showDefault =
+        documentDefault: defaultValue:
         if documentDefault then
           # a StringMap value type is specified as a string, but
           # this shows the value type. The empty stringmap is `null` in
           # JSON, but that converts to `{ }` here.
-          if defaultValue == "" || defaultValue == [] || isAttrs defaultValue
-            then "*empty*"
-            else if isBool defaultValue then
-              if defaultValue then "`true`" else "`false`"
-            else "`${toString defaultValue}`"
-        else "*machine-specific*";
+          if defaultValue == "" || defaultValue == [ ] || isAttrs defaultValue then
+            "*empty*"
+          else if isBool defaultValue then
+            if defaultValue then "`true`" else "`false`"
+          else
+            "`${toString defaultValue}`"
+        else
+          "*machine-specific*";
 
-      showAliases = aliases:
-          optionalString (aliases != [])
-            "**Deprecated alias:** ${(concatStringsSep ", " (map (s: "`${s}`") aliases))}";
+      showAliases =
+        aliases:
+        optionalString (aliases != [ ])
+          "**Deprecated alias:** ${(concatStringsSep ", " (map (s: "`${s}`") aliases))}";
 
-    in result;
+    in
+    result;
 
-in concatStrings (attrValues (mapAttrs (showSetting prefix) settingsInfo))
+in
+concatStrings (attrValues (mapAttrs (showSetting prefix) settingsInfo))

doc/manual/generate-store-info.nix

@@ -1,6 +1,20 @@
 let
-  inherit (builtins) attrNames listToAttrs concatStringsSep readFile replaceStrings;
-  inherit (import <nix/utils.nix>) optionalString filterAttrs trim squash toLower unique indent;
+  inherit (builtins)
+    attrNames
+    listToAttrs
+    concatStringsSep
+    readFile
+    replaceStrings
+    ;
+  inherit (import <nix/utils.nix>)
+    optionalString
+    filterAttrs
+    trim
+    squash
+    toLower
+    unique
+    indent
+    ;
   showSettings = import <nix/generate-settings.nix>;
 in
 
@@ -14,7 +28,14 @@ in
 
 let
 
-  showStore = { name, slug }: { settings, doc, experimentalFeature }:
+  showStore =
+    { name, slug }:
+    {
+      settings,
+      doc,
+      uri-schemes,
+      experimentalFeature,
+    }:
     let
       result = squash ''
         # ${name}
@@ -25,7 +46,10 @@ let
 
         ## Settings
 
-        ${showSettings { prefix = "store-${slug}"; inherit inlineHTML; } settings}
+        ${showSettings {
+          prefix = "store-${slug}";
+          inherit inlineHTML;
+        } settings}
       '';
 
       experimentalFeatureNote = optionalString (experimentalFeature != null) ''
@@ -43,15 +67,15 @@ let
         > extra-experimental-features = ${experimentalFeature}
         > ```
       '';
-    in result;
+    in
+    result;
 
-  storesList = map
-    (name: rec {
-      inherit name;
-      slug = replaceStrings [ " " ] [ "-" ] (toLower name);
-      filename = "${slug}.md";
-      page = showStore { inherit name slug; } storeInfo.${name};
-    })
-    (attrNames storeInfo);
+  storesList = map (name: rec {
+    inherit name;
+    slug = replaceStrings [ " " ] [ "-" ] (toLower name);
+    filename = "${slug}.md";
+    page = showStore { inherit name slug; } storeInfo.${name};
+  }) (attrNames storeInfo);
 
-in storesList
+in
+storesList

doc/manual/generate-store-types.nix

@@ -1,5 +1,11 @@
 let
-  inherit (builtins) attrNames listToAttrs concatStringsSep readFile replaceStrings;
+  inherit (builtins)
+    attrNames
+    listToAttrs
+    concatStringsSep
+    readFile
+    replaceStrings
+    ;
   showSettings = import <nix/generate-settings.nix>;
   showStoreDocs = import <nix/generate-store-info.nix>;
 in
@@ -14,26 +20,28 @@ let
 
   index =
     let
-      showEntry = store:
-        "- [${store.name}](./${store.filename})";
+      showEntry = store: "- [${store.name}](./${store.filename})";
     in
     concatStringsSep "\n" (map showEntry storesList);
 
-  "index.md" = replaceStrings
-    [ "@store-types@" ] [ index ]
-    (readFile ./src/store/types/index.md.in);
+  "index.md" = replaceStrings [ "@store-types@" ] [ index ] (
+    readFile ./source/store/types/index.md.in
+  );
 
   tableOfContents =
     let
-      showEntry = store:
-        "    - [${store.name}](store/types/${store.filename})";
+      showEntry = store: "    - [${store.name}](store/types/${store.filename})";
     in
     concatStringsSep "\n" (map showEntry storesList) + "\n";
 
   "SUMMARY.md" = tableOfContents;
 
-  storePages = listToAttrs
-    (map (s: { name = s.filename; value = s.page; }) storesList);
+  storePages = listToAttrs (
+    map (s: {
+      name = s.filename;
+      value = s.page;
+    }) storesList
+  );
 
 in
 storePages // { inherit "index.md" "SUMMARY.md"; }

doc/manual/generate-xp-features-shortlist.nix

@@ -2,8 +2,8 @@ with builtins;
 with import <nix/utils.nix>;
 
 let
-  showExperimentalFeature = name: doc:
-    ''
-      - [`${name}`](@docroot@/development/experimental-features.md#xp-feature-${name})
-    '';
-in xps: indent "  " (concatStrings (attrValues (mapAttrs showExperimentalFeature xps)))
+  showExperimentalFeature = name: doc: ''
+    - [`${name}`](@docroot@/development/experimental-features.md#xp-feature-${name})
+  '';
+in
+xps: indent "  " (concatStrings (attrValues (mapAttrs showExperimentalFeature xps)))

doc/manual/generate-xp-features.nix

@@ -2,7 +2,8 @@ with builtins;
 with import <nix/utils.nix>;
 
 let
-  showExperimentalFeature = name: doc:
+  showExperimentalFeature =
+    name: doc:
     squash ''
       ## [`${name}`]{#xp-feature-${name}}
 

doc/manual/local.mk

@@ -1,231 +0,0 @@
-# The version of Nix used to generate the doc. Can also be
-# `$(nix_INSTALL_PATH)` or just `nix` (to grap ambient from the `PATH`),
-# if one prefers.
-doc_nix = $(nix_PATH)
-
-MANUAL_SRCS := \
-	$(call rwildcard, $(d)/src, *.md) \
-	$(call rwildcard, $(d)/src, */*.md)
-
-man-pages := $(foreach n, \
-	nix-env.1 nix-store.1 \
-	nix-build.1 nix-shell.1 nix-instantiate.1 \
-	nix-collect-garbage.1 \
-	nix-prefetch-url.1 nix-channel.1 \
-	nix-hash.1 nix-copy-closure.1 \
-	nix.conf.5 nix-daemon.8 \
-	nix-profiles.5 \
-, $(d)/$(n))
-
-# man pages for subcommands
-# convert from `$(d)/src/command-ref/nix-{1}/{2}.md` to `$(d)/nix-{1}-{2}.1`
-# FIXME: unify with how nix3-cli man pages are generated
-man-pages += $(foreach subcommand, \
-	$(filter-out %opt-common.md %env-common.md, $(wildcard $(d)/src/command-ref/nix-*/*.md)), \
-	$(d)/$(subst /,-,$(subst $(d)/src/command-ref/,,$(subst .md,.1,$(subcommand)))))
-
-clean-files += $(d)/*.1 $(d)/*.5 $(d)/*.8
-
-# Provide a dummy environment for nix, so that it will not access files outside the macOS sandbox.
-# Set cores to 0 because otherwise `nix config show` resolves the cores based on the current machine
-dummy-env = env -i \
-	HOME=/dummy \
-	NIX_CONF_DIR=/dummy \
-	NIX_SSL_CERT_FILE=/dummy/no-ca-bundle.crt \
-	NIX_STATE_DIR=/dummy \
-	NIX_CONFIG='cores = 0'
-
-nix-eval = $(dummy-env) $(doc_nix) eval --experimental-features nix-command -I nix=doc/manual --store dummy:// --impure --raw
-
-# re-implement mdBook's include directive to make it usable for terminal output and for proper @docroot@ substitution
-define process-includes
-	while read -r line; do \
-		set -euo pipefail; \
-		filename="$$(dirname $(1))/$$(sed 's/{{#include \(.*\)}}/\1/'<<< $$line)"; \
-		test -f "$$filename" || ( echo "#include-d file '$$filename' does not exist." >&2; exit 1; ); \
-		matchline="$$(sed 's|/|\\/|g' <<< $$line)"; \
-		sed -i "/$$matchline/r $$filename" $(2); \
-		sed -i "s/$$matchline//" $(2); \
-	done < <(grep '{{#include' $(1))
-endef
-
-$(d)/nix-env-%.1: $(d)/src/command-ref/nix-env/%.md
-	@printf "Title: %s\n\n" "$(subst nix-env-,nix-env --,$$(basename "$@" .1))" > $^.tmp
-	$(render-subcommand)
-
-$(d)/nix-store-%.1: $(d)/src/command-ref/nix-store/%.md
-	@printf -- 'Title: %s\n\n' "$(subst nix-store-,nix-store --,$$(basename "$@" .1))" > $^.tmp
-	$(render-subcommand)
-
-# FIXME: there surely is some more deduplication to be achieved here with even darker Make magic
-define render-subcommand
-  @cat $^ >> $^.tmp
-	@$(call process-includes,$^,$^.tmp)
-	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=1 $^.tmp -o $@
-	@# fix up `lowdown`'s automatic escaping of `--`
-	@# https://github.com/kristapsdz/lowdown/blob/edca6ce6d5336efb147321a43c47a698de41bb7c/entity.c#L202
-	@sed -i 's/\e\[u2013\]/--/' $@
-	@rm $^.tmp
-endef
-
-
-$(d)/%.1: $(d)/src/command-ref/%.md
-	@printf "Title: %s\n\n" "$$(basename $@ .1)" > $^.tmp
-	@cat $^ >> $^.tmp
-	@$(call process-includes,$^,$^.tmp)
-	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=1 $^.tmp -o $@
-	@rm $^.tmp
-
-$(d)/%.8: $(d)/src/command-ref/%.md
-	@printf "Title: %s\n\n" "$$(basename $@ .8)" > $^.tmp
-	@cat $^ >> $^.tmp
-	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=8 $^.tmp -o $@
-	@rm $^.tmp
-
-$(d)/nix.conf.5: $(d)/src/command-ref/conf-file.md
-	@printf "Title: %s\n\n" "$$(basename $@ .5)" > $^.tmp
-	@cat $^ >> $^.tmp
-	@$(call process-includes,$^,$^.tmp)
-	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=5 $^.tmp -o $@
-	@rm $^.tmp
-
-$(d)/nix-profiles.5: $(d)/src/command-ref/files/profiles.md
-	@printf "Title: %s\n\n" "$$(basename $@ .5)" > $^.tmp
-	@cat $^ >> $^.tmp
-	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=5 $^.tmp -o $@
-	@rm $^.tmp
-
-$(d)/src/SUMMARY.md: $(d)/src/SUMMARY.md.in $(d)/src/SUMMARY-rl-next.md $(d)/src/store/types $(d)/src/command-ref/new-cli $(d)/src/development/experimental-feature-descriptions.md
-	@cp $< $@
-	@$(call process-includes,$@,$@)
-
-$(d)/src/store/types: $(d)/nix.json $(d)/utils.nix $(d)/generate-store-info.nix  $(d)/generate-store-types.nix $(d)/src/store/types/index.md.in $(doc_nix)
-	@# FIXME: build out of tree!
-	@rm -rf $@.tmp
-	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-store-types.nix (builtins.fromJSON (builtins.readFile $<)).stores'
-	@# do not destroy existing contents
-	@mv $@.tmp/* $@/
-
-$(d)/src/command-ref/new-cli: $(d)/nix.json $(d)/utils.nix $(d)/generate-manpage.nix $(d)/generate-settings.nix $(d)/generate-store-info.nix $(doc_nix)
-	@rm -rf $@ $@.tmp
-	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-manpage.nix true (builtins.readFile $<)'
-	@mv $@.tmp $@
-
-$(d)/src/command-ref/conf-file.md: $(d)/conf-file.json $(d)/utils.nix $(d)/generate-settings.nix $(d)/src/command-ref/conf-file-prefix.md $(d)/src/command-ref/experimental-features-shortlist.md $(doc_nix)
-	@cat doc/manual/src/command-ref/conf-file-prefix.md > $@.tmp
-	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-settings.nix { prefix = "conf"; } (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp;
-	@mv $@.tmp $@
-
-$(d)/nix.json: $(doc_nix)
-	$(trace-gen) $(dummy-env) $(doc_nix) __dump-cli > $@.tmp
-	@mv $@.tmp $@
-
-$(d)/conf-file.json: $(doc_nix)
-	$(trace-gen) $(dummy-env) $(doc_nix) config show --json --experimental-features nix-command > $@.tmp
-	@mv $@.tmp $@
-
-$(d)/src/development/experimental-feature-descriptions.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features.nix $(doc_nix)
-	@rm -rf $@ $@.tmp
-	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-xp-features.nix (builtins.fromJSON (builtins.readFile $<))'
-	@mv $@.tmp $@
-
-$(d)/src/command-ref/experimental-features-shortlist.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features-shortlist.nix $(doc_nix)
-	@rm -rf $@ $@.tmp
-	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-xp-features-shortlist.nix (builtins.fromJSON (builtins.readFile $<))'
-	@mv $@.tmp $@
-
-$(d)/xp-features.json: $(doc_nix)
-	$(trace-gen) $(dummy-env) $(doc_nix) __dump-xp-features > $@.tmp
-	@mv $@.tmp $@
-
-$(d)/src/language/builtins.md: $(d)/language.json $(d)/generate-builtins.nix $(d)/src/language/builtins-prefix.md $(doc_nix)
-	@cat doc/manual/src/language/builtins-prefix.md > $@.tmp
-	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtins.nix (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp;
-	@cat doc/manual/src/language/builtins-suffix.md >> $@.tmp
-	@mv $@.tmp $@
-
-$(d)/language.json: $(doc_nix)
-	$(trace-gen) $(dummy-env) $(doc_nix) __dump-language > $@.tmp
-	@mv $@.tmp $@
-
-# Generate "Upcoming release" notes (or clear it and remove from menu)
-$(d)/src/release-notes/rl-next.md: $(d)/rl-next $(d)/rl-next/*
-	@if type -p changelog-d > /dev/null; then \
-		echo "  GEN   " $@; \
-		changelog-d doc/manual/rl-next > $@; \
-	else \
-		echo "  NULL  " $@; \
-		true > $@; \
-	fi
-
-$(d)/src/SUMMARY-rl-next.md: $(d)/src/release-notes/rl-next.md
-	$(trace-gen) true
-	@if [ -s $< ]; then \
-		echo '  - [Upcoming release](release-notes/rl-next.md)' > $@; \
-	else \
-	  true > $@; \
-	fi
-
-# Generate the HTML manual.
-.PHONY: manual-html
-manual-html: $(docdir)/manual/index.html
-
-# Open the built HTML manual in the default browser.
-manual-html-open: $(docdir)/manual/index.html
-	@echo "  OPEN  " $<; \
-	  xdg-open $< \
-		  || open $< \
-			|| { \
-		echo "Could not open the manual in a browser. Please open '$<'" >&2; \
-		false; \
-		}
-install: $(docdir)/manual/index.html
-
-# Generate 'nix' manpages.
-.PHONY: manpages
-manpages: $(mandir)/man1/nix3-manpages
-install: $(mandir)/man1/nix3-manpages
-man: doc/manual/generated/man1/nix3-manpages
-all: doc/manual/generated/man1/nix3-manpages
-
-# FIXME: unify with how the other man pages are generated.
-# this one works differently and does not use any of the amenities provided by `/mk/lib.mk`.
-$(mandir)/man1/nix3-manpages: doc/manual/generated/man1/nix3-manpages
-	@mkdir -p $(DESTDIR)$$(dirname $@)
-	$(trace-install) install -m 0644 $$(dirname $<)/* $(DESTDIR)$$(dirname $@)
-
-doc/manual/generated/man1/nix3-manpages: $(d)/src/command-ref/new-cli
-	@mkdir -p $(DESTDIR)$$(dirname $@)
-	$(trace-gen) for i in doc/manual/src/command-ref/new-cli/*.md; do \
-		name=$$(basename $$i .md); \
-		tmpFile=$$(mktemp); \
-		if [[ $$name = SUMMARY ]]; then continue; fi; \
-		printf "Title: %s\n\n" "$$name" > $$tmpFile; \
-		cat $$i >> $$tmpFile; \
-		lowdown -sT man --nroff-nolinks -M section=1 $$tmpFile -o $(DESTDIR)$$(dirname $@)/$$name.1; \
-		rm $$tmpFile; \
-	done
-	@touch $@
-
-# the `! -name 'documentation.md'` filter excludes the one place where
-# `@docroot@` is to be preserved for documenting the mechanism
-# FIXME: maybe contributing guides should live right next to the code
-# instead of in the manual
-$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/anchors.jq $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/store/types $(d)/src/command-ref/new-cli $(d)/src/development/experimental-feature-descriptions.md $(d)/src/command-ref/conf-file.md $(d)/src/language/builtins.md $(d)/src/release-notes/rl-next.md $(d)/src/figures $(d)/src/favicon.png $(d)/src/favicon.svg
-	$(trace-gen) \
-		tmp="$$(mktemp -d)"; \
-		cp -r doc/manual "$$tmp"; \
-		find "$$tmp" -name '*.md' | while read -r file; do \
-			$(call process-includes,$$file,$$file); \
-		done; \
-		find "$$tmp" -name '*.md' ! -name 'documentation.md' | while read -r file; do \
-			docroot="$$(realpath --relative-to="$$(dirname "$$file")" $$tmp/manual/src)"; \
-			sed -i "s,@docroot@,$$docroot,g" "$$file"; \
-		done; \
-		set -euo pipefail; \
-		RUST_LOG=warn mdbook build "$$tmp/manual" -d $(DESTDIR)$(docdir)/manual.tmp 2>&1 \
-			| { grep -Fv "because fragment resolution isn't implemented" || :; }; \
-		rm -rf "$$tmp/manual"
-	@rm -rf $(DESTDIR)$(docdir)/manual
-	@mv $(DESTDIR)$(docdir)/manual.tmp/html $(DESTDIR)$(docdir)/manual
-	@rm -rf $(DESTDIR)$(docdir)/manual.tmp

doc/manual/meson.build

@@ -0,0 +1,434 @@
+project(
+  'nix-manual',
+  version : files('.version'),
+  meson_version : '>= 1.1',
+  license : 'LGPL-2.1-or-later',
+)
+
+# Compute documentation URL based on version and release type
+version = meson.project_version()
+official_release = get_option('official-release')
+
+if official_release
+  # For official releases, use versioned URL (dropping patch version)
+  version_parts = version.split('.')
+  major_minor = '@0@.@1@'.format(version_parts[0], version_parts[1])
+  doc_url = 'https://nix.dev/manual/nix/@0@'.format(major_minor)
+else
+  # For development builds, use /latest
+  doc_url = 'https://nix.dev/manual/nix/latest'
+endif
+
+nix = find_program('nix', native : true)
+
+bash = find_program('bash', native : true)
+
+# HTML manual dependencies (conditional)
+if get_option('html-manual')
+  mdbook = find_program('mdbook', native : true)
+endif
+
+pymod = import('python')
+python = pymod.find_installation('python3')
+
+nix_env_for_docs = {
+  'HOME' : '/dummy',
+  'NIX_CONF_DIR' : '/dummy',
+  'NIX_SSL_CERT_FILE' : '/dummy/no-ca-bundle.crt',
+  'NIX_STATE_DIR' : '/dummy',
+  'NIX_CONFIG' : 'cores = 0',
+}
+
+nix_for_docs = [ nix, '--experimental-features', 'nix-command' ]
+nix_eval_for_docs_common = nix_for_docs + [
+  'eval',
+  '-I',
+  'nix=' + meson.current_source_dir(),
+  '--store', 'dummy://',
+  '--impure',
+]
+nix_eval_for_docs = nix_eval_for_docs_common + '--raw'
+
+conf_file_json = custom_target(
+  command : nix_for_docs + [ 'config', 'show', '--json' ],
+  capture : true,
+  output : 'conf-file.json',
+  env : nix_env_for_docs,
+)
+
+language_json = custom_target(
+  command : [ nix, '__dump-language' ],
+  output : 'language.json',
+  capture : true,
+  env : nix_env_for_docs,
+)
+
+nix3_cli_json = custom_target(
+  command : [ nix, '__dump-cli' ],
+  capture : true,
+  output : 'nix.json',
+  env : nix_env_for_docs,
+)
+
+generate_manual_deps = files(
+  'generate-deps.py',
+)
+
+# Generate redirects.js from template and JSON data
+redirects_js = custom_target(
+  'redirects.js',
+  command : [
+    python,
+    '@INPUT0@',
+    '@INPUT1@',
+    '@INPUT2@',
+    '@OUTPUT@',
+  ],
+  input : [
+    'generate-redirects.py',
+    'redirects.js.in',
+    'redirects.json',
+  ],
+  output : 'redirects.js',
+)
+
+# Generates types
+subdir('source/store')
+# Generates builtins.md and builtin-constants.md.
+subdir('source/language')
+# Generates new-cli pages, experimental-features-shortlist.md, and conf-file.md.
+subdir('source/command-ref')
+# Generates experimental-feature-descriptions.md.
+subdir('source/development')
+# Generates rl-next-generated.md.
+subdir('source/release-notes')
+subdir('source')
+
+# Hacky way to figure out if `nix` is an `ExternalProgram` or
+# `Executable`. Only the latter can occur in custom target input lists.
+if nix.full_path().startswith(meson.build_root())
+  nix_input = nix
+else
+  nix_input = []
+endif
+
+# HTML manual build (conditional)
+if get_option('html-manual')
+  manual = custom_target(
+    'manual',
+    command : [
+      bash,
+      '-euo',
+      'pipefail',
+      '-c',
+      '''
+          @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
+          @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
+          sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
+          # Copy source to build directory, excluding the build directory itself
+          # (which is present when built as an individual component).
+          # Use tar with --dereference to copy symlink targets (e.g., JSON examples from tests).
+          (cd @CURRENT_SOURCE_DIR@ && find . -mindepth 1 -maxdepth 1 ! -name build | tar -c --dereference -T - -f -) | (cd @2@ && tar -xf -)
+          chmod -R u+w @2@
+          find @2@ -name '*.drv' -delete
+          (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
+          rm -rf @2@/manual
+          mv @2@/html @2@/manual
+          # Remove Mathjax 2.7, because we will actually use MathJax 3.x
+          find @2@/manual | grep .html | xargs sed -i -e '/2.7.1.MathJax.js/d'
+          find @2@/manual -iname meson.build -delete
+      '''.format(
+        python.full_path(),
+        mdbook.full_path(),
+        meson.current_build_dir(),
+        meson.project_version(),
+      ),
+    ],
+    input : [
+      generate_manual_deps,
+      'substitute.py',
+      'book.toml.in',
+      'anchors.jq',
+      'custom.css',
+      redirects_js,
+      nix3_cli_files,
+      experimental_features_shortlist_md,
+      experimental_feature_descriptions_md,
+      types_dir,
+      conf_file_md,
+      builtins_md,
+      rl_next_generated,
+      summary_rl_next,
+      json_schema_generated_files,
+      nix_input,
+    ],
+    output : [
+      'manual',
+      'markdown',
+    ],
+    depfile : 'manual.d',
+    build_by_default : true,
+    env : {
+      'RUST_LOG' : 'info',
+      'MDBOOK_SUBSTITUTE_SEARCH' : meson.current_build_dir() / 'source',
+    },
+  )
+  manual_html = manual[0]
+  manual_md = manual[1]
+
+  install_subdir(
+    manual_html.full_path(),
+    install_dir : get_option('datadir') / 'doc/nix',
+  )
+endif
+
+nix_nested_manpages = [
+  [
+    'nix-env',
+    [
+      'delete-generations',
+      'install',
+      'list-generations',
+      'query',
+      'rollback',
+      'set-flag',
+      'set',
+      'switch-generation',
+      'switch-profile',
+      'uninstall',
+      'upgrade',
+    ],
+  ],
+  [
+    'nix-store',
+    [
+      'add-fixed',
+      'add',
+      'delete',
+      'dump-db',
+      'dump',
+      'export',
+      'gc',
+      'generate-binary-cache-key',
+      'import',
+      'load-db',
+      'optimise',
+      'print-env',
+      'query',
+      'read-log',
+      'realise',
+      'repair-path',
+      'restore',
+      'serve',
+      'verify',
+      'verify-path',
+    ],
+  ],
+]
+
+# Manpage generation (standalone, no mdbook dependency)
+foreach command : nix_nested_manpages
+  foreach page : command[1]
+    title = command[0] + ' --' + page
+    section = '1'
+    custom_target(
+      command : [
+        bash,
+        '@INPUT0@',
+        '--out-no-smarty',
+        title,
+        section,
+        meson.current_source_dir() / 'source',
+        meson.current_build_dir() / 'source',
+        doc_url,
+        meson.current_source_dir() / 'source/command-ref' / command[0] / (page + '.md'),
+        '@OUTPUT0@',
+      ],
+      input : [
+        files('./render-manpage.sh'),
+        files('./expand-includes.py'),
+        nix_input,
+      ],
+      output : command[0] + '-' + page + '.1',
+      install : true,
+      install_dir : get_option('mandir') / 'man1',
+    )
+  endforeach
+endforeach
+
+nix3_manpages = [
+  'nix3-build',
+  'nix3-bundle',
+  'nix3-config',
+  'nix3-config-check',
+  'nix3-config-show',
+  'nix3-copy',
+  'nix3-daemon',
+  'nix3-derivation-add',
+  'nix3-derivation',
+  'nix3-derivation-show',
+  'nix3-develop',
+  'nix3-edit',
+  'nix3-env-shell',
+  'nix3-eval',
+  'nix3-flake-archive',
+  'nix3-flake-check',
+  'nix3-flake-clone',
+  'nix3-flake-info',
+  'nix3-flake-init',
+  'nix3-flake-lock',
+  'nix3-flake',
+  'nix3-flake-metadata',
+  'nix3-flake-new',
+  'nix3-flake-prefetch',
+  'nix3-flake-show',
+  'nix3-flake-update',
+  'nix3-fmt',
+  'nix3-hash-file',
+  'nix3-hash',
+  'nix3-hash-convert',
+  'nix3-hash-path',
+  'nix3-hash-to-base16',
+  'nix3-hash-to-base32',
+  'nix3-hash-to-base64',
+  'nix3-hash-to-sri',
+  'nix3-help',
+  'nix3-help-stores',
+  'nix3-key-convert-secret-to-public',
+  'nix3-key-generate-secret',
+  'nix3-key',
+  'nix3-log',
+  'nix3-nar-cat',
+  'nix3-nar-dump-path',
+  'nix3-nar-ls',
+  'nix3-nar-pack',
+  'nix3-nar',
+  'nix3-path-info',
+  'nix3-print-dev-env',
+  'nix3-profile',
+  'nix3-profile-add',
+  'nix3-profile-diff-closures',
+  'nix3-profile-history',
+  'nix3-profile-list',
+  'nix3-profile-remove',
+  'nix3-profile-rollback',
+  'nix3-profile-upgrade',
+  'nix3-profile-wipe-history',
+  'nix3-realisation-info',
+  'nix3-realisation',
+  'nix3-registry-add',
+  'nix3-registry-list',
+  'nix3-registry',
+  'nix3-registry-pin',
+  'nix3-registry-remove',
+  'nix3-repl',
+  'nix3-run',
+  'nix3-search',
+  'nix3-store-add',
+  'nix3-store-add-file',
+  'nix3-store-add-path',
+  'nix3-store-cat',
+  'nix3-store-copy-log',
+  'nix3-store-copy-sigs',
+  'nix3-store-delete',
+  'nix3-store-diff-closures',
+  'nix3-store-dump-path',
+  'nix3-store-gc',
+  'nix3-store-info',
+  'nix3-store-ls',
+  'nix3-store-make-content-addressed',
+  'nix3-store',
+  'nix3-store-optimise',
+  'nix3-store-path-from-hash-part',
+  'nix3-store-prefetch-file',
+  'nix3-store-repair',
+  'nix3-store-sign',
+  'nix3-store-verify',
+  'nix3-upgrade-nix',
+  'nix3-why-depends',
+  'nix',
+]
+
+foreach page : nix3_manpages
+  section = '1'
+  custom_target(
+    command : [
+      bash,
+      '@INPUT0@',
+      # Note: no --out-no-smarty flag (original behavior)
+      page,
+      section,
+      meson.current_source_dir() / 'source',
+      meson.current_build_dir() / 'source',
+      doc_url,
+      meson.current_build_dir() / 'source/command-ref/new-cli/@0@.md'.format(
+        page,
+      ),
+      '@OUTPUT@',
+    ],
+    input : [
+      files('./render-manpage.sh'),
+      files('./expand-includes.py'),
+      nix3_cli_files,
+      nix_input,
+    ],
+    output : page + '.1',
+    install : true,
+    install_dir : get_option('mandir') / 'man1',
+  )
+endforeach
+
+nix_manpages = [
+  [ 'nix-env', 1 ],
+  [ 'nix-store', 1 ],
+  [ 'nix-build', 1 ],
+  [ 'nix-shell', 1 ],
+  [ 'nix-instantiate', 1 ],
+  [ 'nix-collect-garbage', 1 ],
+  [ 'nix-prefetch-url', 1 ],
+  [ 'nix-channel', 1 ],
+  [ 'nix-hash', 1 ],
+  [ 'nix-copy-closure', 1 ],
+  [
+    'nix.conf',
+    5,
+    conf_file_md.full_path(),
+    [ conf_file_md, experimental_features_shortlist_md ],
+  ],
+  [ 'nix-daemon', 8 ],
+  [ 'nix-profiles', 5, 'files/profiles.md' ],
+]
+
+foreach entry : nix_manpages
+  title = entry[0]
+  # nix.conf.5 and nix-profiles.5 are based off of conf-file.md and files/profiles.md,
+  # rather than a stem identical to its mdbook source.
+  # Therefore we use an optional third element of this array to override the name pattern
+  md_file = entry.get(2, title + '.md')
+  section = entry[1].to_string()
+  input_file = meson.current_source_dir() / 'source/command-ref' / md_file
+
+  custom_target(
+    command : [
+      bash,
+      '@INPUT0@',
+      # Note: no --out-no-smarty flag (original behavior)
+      title,
+      section,
+      meson.current_source_dir() / 'source',
+      meson.current_build_dir() / 'source',
+      doc_url,
+      input_file,
+      '@OUTPUT@',
+    ],
+    input : [
+      files('./render-manpage.sh'),
+      files('./expand-includes.py'),
+      entry.get(3, []),
+      nix_input,
+    ],
+    output : '@0@.@1@'.format(entry[0], entry[1]),
+    install : true,
+    install_dir : get_option('mandir') / 'man@0@'.format(entry[1]),
+  )
+endforeach

doc/manual/meson.options

@@ -0,0 +1,13 @@
+option(
+  'official-release',
+  type : 'boolean',
+  value : true,
+  description : 'Whether this is an official release build (affects documentation URLs)',
+)
+
+option(
+  'html-manual',
+  type : 'boolean',
+  value : true,
+  description : 'Whether to build the HTML manual (requires mdbook)',
+)

doc/manual/package.nix

@@ -0,0 +1,154 @@
+{
+  lib,
+  callPackage,
+  mkMesonDerivation,
+  runCommand,
+
+  meson,
+  ninja,
+  lowdown-unsandboxed,
+  mdbook,
+  jq,
+  python3,
+  nix-cli,
+  changelog-d,
+  json-schema-for-humans,
+  officialRelease,
+
+  # Configuration Options
+
+  version,
+  /**
+    Whether to build the HTML manual.
+    When false, only manpages are built, avoiding the mdbook dependency.
+  */
+  buildHtmlManual ? true,
+
+  # `tests` attribute
+  testers,
+}:
+
+let
+  inherit (lib) fileset;
+in
+
+mkMesonDerivation (finalAttrs: {
+  pname = "nix-manual";
+  inherit version;
+
+  workDir = ./.;
+  fileset =
+    fileset.difference
+      (fileset.unions [
+        ../../.version
+        # For example JSON
+        ../../src/libutil-tests/data/memory-source-accessor
+        ../../src/libutil-tests/data/hash
+        ../../src/libstore-tests/data/content-address
+        ../../src/libstore-tests/data/store-path
+        ../../src/libstore-tests/data/realisation
+        ../../src/libstore-tests/data/derivation
+        ../../src/libstore-tests/data/derived-path
+        ../../src/libstore-tests/data/path-info
+        ../../src/libstore-tests/data/nar-info
+        ../../src/libstore-tests/data/build-result
+        ../../src/libstore-tests/data/dummy-store
+        # For derivation examples referenced by symlinks in doc/manual/source/protocols/json/schema/
+        ../../tests/functional/derivation
+        # Too many different types of files to filter for now
+        ../../doc/manual
+        ./.
+      ])
+      # Do a blacklist instead
+      ../../doc/manual/package.nix;
+
+  # TODO the man pages should probably be separate
+  outputs =
+    if buildHtmlManual then
+      [
+        "out"
+        "man"
+      ]
+    else
+      [ "out" ]; # Only one output when HTML manual is disabled; use "out" for manpages
+
+  # When HTML manual is disabled, install manpages to "out" instead of "man"
+  mesonFlags = [
+    (lib.mesonBool "official-release" officialRelease)
+    (lib.mesonBool "html-manual" buildHtmlManual)
+  ]
+  ++ lib.optionals (!buildHtmlManual) [
+    "--mandir=${placeholder "out"}/share/man"
+  ];
+
+  nativeBuildInputs = [
+    nix-cli
+    meson
+    ninja
+    (lib.getBin lowdown-unsandboxed)
+    jq
+    python3
+  ]
+  ++ lib.optionals buildHtmlManual [
+    mdbook
+    json-schema-for-humans
+  ]
+  ++ lib.optionals (!officialRelease && buildHtmlManual) [
+    # When not an official release, we likely have changelog entries that have
+    # yet to be rendered.
+    # When released, these are rendered into a committed file to save a dependency.
+    changelog-d
+  ];
+
+  preConfigure = ''
+    chmod u+w ./.version
+    echo ${finalAttrs.version} > ./.version
+  '';
+
+  postInstall = lib.optionalString buildHtmlManual ''
+    mkdir -p ''$out/nix-support
+    echo "doc manual ''$out/share/doc/nix/manual" >> ''$out/nix-support/hydra-build-products
+  '';
+
+  passthru = lib.optionalAttrs buildHtmlManual {
+    /**
+      The root of the HTML manual.
+      E.g. "${nix-manual.site}/index.html" exists.
+    */
+
+    site = finalAttrs.finalPackage + "/share/doc/nix/manual";
+
+    tests =
+      let
+        redirect-targets = callPackage ./redirect-targets-html.nix { };
+      in
+      {
+        # https://nixos.org/manual/nixpkgs/stable/index.html#tester-lycheeLinkCheck
+        linkcheck = testers.lycheeLinkCheck {
+          site =
+            let
+              plain = finalAttrs.finalPackage.site;
+            in
+            runCommand "nix-manual-with-redirect-targets" { } ''
+              cp -r ${plain} $out
+              chmod -R u+w $out
+              cp ${redirect-targets}/redirect-targets.html $out/redirect-targets.html
+            '';
+          extraConfig = {
+            exclude = [
+              # Exclude auto-generated JSON schema documentation which has
+              # auto-generated fragment IDs that don't match the link references
+              ".*/protocols/json/.*\\.html"
+              # Exclude undocumented builtins
+              ".*/language/builtins\\.html#builtins-addErrorContext"
+              ".*/language/builtins\\.html#builtins-appendContext"
+            ];
+          };
+        };
+      };
+  };
+
+  meta = {
+    platforms = lib.platforms.all;
+  };
+})

doc/manual/redirect-targets-html.nix

@@ -0,0 +1,62 @@
+# Generates redirect-targets.html containing all redirect targets for link checking.
+# Used by: doc/manual/package.nix (passthru.tests.linkcheck)
+
+{
+  stdenv,
+  lib,
+  jq,
+}:
+
+stdenv.mkDerivation {
+  name = "redirect-targets-html";
+
+  src = lib.fileset.toSource {
+    root = ./.;
+    fileset = ./redirects.json;
+  };
+
+  nativeBuildInputs = [ jq ];
+
+  installPhase = ''
+    mkdir -p $out
+
+    {
+      echo '<!DOCTYPE html>'
+      echo '<html><head><title>Nix Manual Redirect Targets</title></head><body>'
+      echo '<h1>Redirect Targets to Check</h1>'
+      echo '<p>This document contains all redirect targets from the Nix manual.</p>'
+
+      echo '<h2>Client-side redirects (from redirects.json)</h2>'
+      echo '<ul>'
+
+      # Extract all redirects with their source pages to properly resolve relative paths
+      jq -r 'to_entries[] | .key as $page | .value | to_entries[] | "\($page)\t\(.value)"' \
+        redirects.json | while IFS=$'\t' read -r page target; do
+
+        page_dir=$(dirname "$page")
+
+        # Handle fragment-only targets (e.g., #primitives)
+        if [[ "$target" == \#* ]]; then
+          # Fragment is on the same page
+          resolved="$page$target"
+          echo "<li><a href=\"$resolved\">$resolved</a> (fragment on $page)</li>"
+          continue
+        fi
+
+        # Resolve relative path based on the source page location
+        resolved="$page_dir/$target"
+
+        echo "<li><a href=\"$resolved\">$resolved</a> (from $page)</li>"
+      done
+
+      echo '</ul>'
+      echo '</body></html>'
+    } > $out/redirect-targets.html
+
+    echo "Generated redirect targets document with $(grep -c '<li>' $out/redirect-targets.html) links"
+  '';
+
+  meta = {
+    description = "HTML document listing all Nix manual redirect targets for link checking";
+  };
+}

doc/manual/redirects.js

@@ -1,455 +0,0 @@
-// redirect rules for URL fragments (client-side) to prevent link rot.
-// this must be done on the client side, as web servers do not see the fragment part of the URL.
-// it will only work with JavaScript enabled in the browser, but this is the best we can do here.
-// see src/_redirects for path redirects (server-side)
-
-// redirects are declared as follows:
-// each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
-//
-//     IMPORTANT: it must specify the full path with file name and suffix
-//
-// each entry is itself a set of key-value pairs, where
-// - keys are anchors on the matched path.
-// - values are redirection targets relative to the current path.
-
-const redirects = {
- "index.html": {
-    "part-advanced-topics": "advanced-topics/index.html",
-    "chap-tuning-cores-and-jobs": "advanced-topics/cores-vs-jobs.html",
-    "chap-diff-hook": "advanced-topics/diff-hook.html",
-    "check-dirs-are-unregistered": "advanced-topics/diff-hook.html#check-dirs-are-unregistered",
-    "chap-distributed-builds": "command-ref/conf-file.html#conf-builders",
-    "chap-post-build-hook": "advanced-topics/post-build-hook.html",
-    "chap-post-build-hook-caveats": "advanced-topics/post-build-hook.html#implementation-caveats",
-    "chap-writing-nix-expressions": "language/index.html",
-    "part-command-ref": "command-ref/index.html",
-    "conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
-    "conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
-    "conf-allowed-uris": "command-ref/conf-file.html#conf-allowed-uris",
-    "conf-allowed-users": "command-ref/conf-file.html#conf-allowed-users",
-    "conf-auto-optimise-store": "command-ref/conf-file.html#conf-auto-optimise-store",
-    "conf-binary-cache-public-keys": "command-ref/conf-file.html#conf-binary-cache-public-keys",
-    "conf-binary-caches": "command-ref/conf-file.html#conf-binary-caches",
-    "conf-build-compress-log": "command-ref/conf-file.html#conf-build-compress-log",
-    "conf-build-cores": "command-ref/conf-file.html#conf-build-cores",
-    "conf-build-extra-chroot-dirs": "command-ref/conf-file.html#conf-build-extra-chroot-dirs",
-    "conf-build-extra-sandbox-paths": "command-ref/conf-file.html#conf-build-extra-sandbox-paths",
-    "conf-build-fallback": "command-ref/conf-file.html#conf-build-fallback",
-    "conf-build-max-jobs": "command-ref/conf-file.html#conf-build-max-jobs",
-    "conf-build-max-log-size": "command-ref/conf-file.html#conf-build-max-log-size",
-    "conf-build-max-silent-time": "command-ref/conf-file.html#conf-build-max-silent-time",
-    "conf-build-timeout": "command-ref/conf-file.html#conf-build-timeout",
-    "conf-build-use-chroot": "command-ref/conf-file.html#conf-build-use-chroot",
-    "conf-build-use-sandbox": "command-ref/conf-file.html#conf-build-use-sandbox",
-    "conf-build-use-substitutes": "command-ref/conf-file.html#conf-build-use-substitutes",
-    "conf-build-users-group": "command-ref/conf-file.html#conf-build-users-group",
-    "conf-builders": "command-ref/conf-file.html#conf-builders",
-    "conf-builders-use-substitutes": "command-ref/conf-file.html#conf-builders-use-substitutes",
-    "conf-compress-build-log": "command-ref/conf-file.html#conf-compress-build-log",
-    "conf-connect-timeout": "command-ref/conf-file.html#conf-connect-timeout",
-    "conf-cores": "command-ref/conf-file.html#conf-cores",
-    "conf-diff-hook": "command-ref/conf-file.html#conf-diff-hook",
-    "conf-env-keep-derivations": "command-ref/conf-file.html#conf-env-keep-derivations",
-    "conf-extra-binary-caches": "command-ref/conf-file.html#conf-extra-binary-caches",
-    "conf-extra-platforms": "command-ref/conf-file.html#conf-extra-platforms",
-    "conf-extra-sandbox-paths": "command-ref/conf-file.html#conf-extra-sandbox-paths",
-    "conf-extra-substituters": "command-ref/conf-file.html#conf-extra-substituters",
-    "conf-fallback": "command-ref/conf-file.html#conf-fallback",
-    "conf-fsync-metadata": "command-ref/conf-file.html#conf-fsync-metadata",
-    "conf-gc-keep-derivations": "command-ref/conf-file.html#conf-gc-keep-derivations",
-    "conf-gc-keep-outputs": "command-ref/conf-file.html#conf-gc-keep-outputs",
-    "conf-hashed-mirrors": "command-ref/conf-file.html#conf-hashed-mirrors",
-    "conf-http-connections": "command-ref/conf-file.html#conf-http-connections",
-    "conf-keep-build-log": "command-ref/conf-file.html#conf-keep-build-log",
-    "conf-keep-derivations": "command-ref/conf-file.html#conf-keep-derivations",
-    "conf-keep-env-derivations": "command-ref/conf-file.html#conf-keep-env-derivations",
-    "conf-keep-outputs": "command-ref/conf-file.html#conf-keep-outputs",
-    "conf-max-build-log-size": "command-ref/conf-file.html#conf-max-build-log-size",
-    "conf-max-free": "command-ref/conf-file.html#conf-max-free",
-    "conf-max-jobs": "command-ref/conf-file.html#conf-max-jobs",
-    "conf-max-silent-time": "command-ref/conf-file.html#conf-max-silent-time",
-    "conf-min-free": "command-ref/conf-file.html#conf-min-free",
-    "conf-narinfo-cache-negative-ttl": "command-ref/conf-file.html#conf-narinfo-cache-negative-ttl",
-    "conf-narinfo-cache-positive-ttl": "command-ref/conf-file.html#conf-narinfo-cache-positive-ttl",
-    "conf-netrc-file": "command-ref/conf-file.html#conf-netrc-file",
-    "conf-plugin-files": "command-ref/conf-file.html#conf-plugin-files",
-    "conf-post-build-hook": "command-ref/conf-file.html#conf-post-build-hook",
-    "conf-pre-build-hook": "command-ref/conf-file.html#conf-pre-build-hook",
-    "conf-require-sigs": "command-ref/conf-file.html#conf-require-sigs",
-    "conf-restrict-eval": "command-ref/conf-file.html#conf-restrict-eval",
-    "conf-run-diff-hook": "command-ref/conf-file.html#conf-run-diff-hook",
-    "conf-sandbox": "command-ref/conf-file.html#conf-sandbox",
-    "conf-sandbox-dev-shm-size": "command-ref/conf-file.html#conf-sandbox-dev-shm-size",
-    "conf-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
-    "conf-secret-key-files": "command-ref/conf-file.html#conf-secret-key-files",
-    "conf-show-trace": "command-ref/conf-file.html#conf-show-trace",
-    "conf-stalled-download-timeout": "command-ref/conf-file.html#conf-stalled-download-timeout",
-    "conf-substitute": "command-ref/conf-file.html#conf-substitute",
-    "conf-substituters": "command-ref/conf-file.html#conf-substituters",
-    "conf-system": "command-ref/conf-file.html#conf-system",
-    "conf-system-features": "command-ref/conf-file.html#conf-system-features",
-    "conf-tarball-ttl": "command-ref/conf-file.html#conf-tarball-ttl",
-    "conf-timeout": "command-ref/conf-file.html#conf-timeout",
-    "conf-trace-function-calls": "command-ref/conf-file.html#conf-trace-function-calls",
-    "conf-trusted-binary-caches": "command-ref/conf-file.html#conf-trusted-binary-caches",
-    "conf-trusted-public-keys": "command-ref/conf-file.html#conf-trusted-public-keys",
-    "conf-trusted-substituters": "command-ref/conf-file.html#conf-trusted-substituters",
-    "conf-trusted-users": "command-ref/conf-file.html#conf-trusted-users",
-    "extra-sandbox-paths": "command-ref/conf-file.html#extra-sandbox-paths",
-    "sec-conf-file": "command-ref/conf-file.html",
-    "env-NIX_PATH": "command-ref/env-common.html#env-NIX_PATH",
-    "env-common": "command-ref/env-common.html",
-    "envar-remote": "command-ref/env-common.html#env-NIX_REMOTE",
-    "sec-common-env": "command-ref/env-common.html",
-    "ch-files": "command-ref/files.html",
-    "ch-main-commands": "command-ref/main-commands.html",
-    "opt-out-link": "command-ref/nix-build.html#opt-out-link",
-    "sec-nix-build": "command-ref/nix-build.html",
-    "sec-nix-channel": "command-ref/nix-channel.html",
-    "sec-nix-collect-garbage": "command-ref/nix-collect-garbage.html",
-    "sec-nix-copy-closure": "command-ref/nix-copy-closure.html",
-    "sec-nix-daemon": "command-ref/nix-daemon.html",
-    "refsec-nix-env-install-examples": "command-ref/nix-env.html#examples",
-    "rsec-nix-env-install": "command-ref/nix-env.html#operation---install",
-    "rsec-nix-env-set": "command-ref/nix-env.html#operation---set",
-    "rsec-nix-env-set-flag": "command-ref/nix-env.html#operation---set-flag",
-    "rsec-nix-env-upgrade": "command-ref/nix-env.html#operation---upgrade",
-    "sec-nix-env": "command-ref/nix-env.html",
-    "ssec-version-comparisons": "command-ref/nix-env.html#versions",
-    "sec-nix-hash": "command-ref/nix-hash.html",
-    "sec-nix-instantiate": "command-ref/nix-instantiate.html",
-    "sec-nix-prefetch-url": "command-ref/nix-prefetch-url.html",
-    "sec-nix-shell": "command-ref/nix-shell.html",
-    "ssec-nix-shell-shebang": "command-ref/nix-shell.html#use-as-a--interpreter",
-    "nixref-queries": "command-ref/nix-store.html#queries",
-    "opt-add-root": "command-ref/nix-store.html#opt-add-root",
-    "refsec-nix-store-dump": "command-ref/nix-store.html#operation---dump",
-    "refsec-nix-store-export": "command-ref/nix-store.html#operation---export",
-    "refsec-nix-store-import": "command-ref/nix-store.html#operation---import",
-    "refsec-nix-store-query": "command-ref/nix-store.html#operation---query",
-    "refsec-nix-store-verify": "command-ref/nix-store.html#operation---verify",
-    "rsec-nix-store-gc": "command-ref/nix-store.html#operation---gc",
-    "rsec-nix-store-generate-binary-cache-key": "command-ref/nix-store.html#operation---generate-binary-cache-key",
-    "rsec-nix-store-realise": "command-ref/nix-store.html#operation---realise",
-    "rsec-nix-store-serve": "command-ref/nix-store.html#operation---serve",
-    "sec-nix-store": "command-ref/nix-store.html",
-    "opt-I": "command-ref/opt-common.html#opt-I",
-    "opt-attr": "command-ref/opt-common.html#opt-attr",
-    "opt-common": "command-ref/opt-common.html",
-    "opt-cores": "command-ref/opt-common.html#opt-cores",
-    "opt-log-format": "command-ref/opt-common.html#opt-log-format",
-    "opt-max-jobs": "command-ref/opt-common.html#opt-max-jobs",
-    "opt-max-silent-time": "command-ref/opt-common.html#opt-max-silent-time",
-    "opt-timeout": "command-ref/opt-common.html#opt-timeout",
-    "sec-common-options": "command-ref/opt-common.html",
-    "ch-utilities": "command-ref/utilities.html",
-    "chap-hacking": "development/building.html",
-    "adv-attr-allowSubstitutes": "language/advanced-attributes.html#adv-attr-allowSubstitutes",
-    "adv-attr-allowedReferences": "language/advanced-attributes.html#adv-attr-allowedReferences",
-    "adv-attr-allowedRequisites": "language/advanced-attributes.html#adv-attr-allowedRequisites",
-    "adv-attr-disallowedReferences": "language/advanced-attributes.html#adv-attr-disallowedReferences",
-    "adv-attr-disallowedRequisites": "language/advanced-attributes.html#adv-attr-disallowedRequisites",
-    "adv-attr-exportReferencesGraph": "language/advanced-attributes.html#adv-attr-exportReferencesGraph",
-    "adv-attr-impureEnvVars": "language/advanced-attributes.html#adv-attr-impureEnvVars",
-    "adv-attr-outputHash": "language/advanced-attributes.html#adv-attr-outputHash",
-    "adv-attr-outputHashAlgo": "language/advanced-attributes.html#adv-attr-outputHashAlgo",
-    "adv-attr-outputHashMode": "language/advanced-attributes.html#adv-attr-outputHashMode",
-    "adv-attr-passAsFile": "language/advanced-attributes.html#adv-attr-passAsFile",
-    "adv-attr-preferLocalBuild": "language/advanced-attributes.html#adv-attr-preferLocalBuild",
-    "fixed-output-drvs": "language/advanced-attributes.html#adv-attr-outputHash",
-    "sec-advanced-attributes": "language/advanced-attributes.html",
-    "builtin-abort": "language/builtins.html#builtins-abort",
-    "builtin-add": "language/builtins.html#builtins-add",
-    "builtin-all": "language/builtins.html#builtins-all",
-    "builtin-any": "language/builtins.html#builtins-any",
-    "builtin-attrNames": "language/builtins.html#builtins-attrNames",
-    "builtin-attrValues": "language/builtins.html#builtins-attrValues",
-    "builtin-baseNameOf": "language/builtins.html#builtins-baseNameOf",
-    "builtin-bitAnd": "language/builtins.html#builtins-bitAnd",
-    "builtin-bitOr": "language/builtins.html#builtins-bitOr",
-    "builtin-bitXor": "language/builtins.html#builtins-bitXor",
-    "builtin-builtins": "language/builtins.html#builtins-builtins",
-    "builtin-compareVersions": "language/builtins.html#builtins-compareVersions",
-    "builtin-concatLists": "language/builtins.html#builtins-concatLists",
-    "builtin-concatStringsSep": "language/builtins.html#builtins-concatStringsSep",
-    "builtin-currentSystem": "language/builtins.html#builtins-currentSystem",
-    "builtin-deepSeq": "language/builtins.html#builtins-deepSeq",
-    "builtin-derivation": "language/builtins.html#builtins-derivation",
-    "builtin-dirOf": "language/builtins.html#builtins-dirOf",
-    "builtin-div": "language/builtins.html#builtins-div",
-    "builtin-elem": "language/builtins.html#builtins-elem",
-    "builtin-elemAt": "language/builtins.html#builtins-elemAt",
-    "builtin-fetchGit": "language/builtins.html#builtins-fetchGit",
-    "builtin-fetchTarball": "language/builtins.html#builtins-fetchTarball",
-    "builtin-fetchurl": "language/builtins.html#builtins-fetchurl",
-    "builtin-filterSource": "language/builtins.html#builtins-filterSource",
-    "builtin-foldl-prime": "language/builtins.html#builtins-foldl-prime",
-    "builtin-fromJSON": "language/builtins.html#builtins-fromJSON",
-    "builtin-functionArgs": "language/builtins.html#builtins-functionArgs",
-    "builtin-genList": "language/builtins.html#builtins-genList",
-    "builtin-getAttr": "language/builtins.html#builtins-getAttr",
-    "builtin-getEnv": "language/builtins.html#builtins-getEnv",
-    "builtin-hasAttr": "language/builtins.html#builtins-hasAttr",
-    "builtin-hashFile": "language/builtins.html#builtins-hashFile",
-    "builtin-hashString": "language/builtins.html#builtins-hashString",
-    "builtin-head": "language/builtins.html#builtins-head",
-    "builtin-import": "language/builtins.html#builtins-import",
-    "builtin-intersectAttrs": "language/builtins.html#builtins-intersectAttrs",
-    "builtin-isAttrs": "language/builtins.html#builtins-isAttrs",
-    "builtin-isBool": "language/builtins.html#builtins-isBool",
-    "builtin-isFloat": "language/builtins.html#builtins-isFloat",
-    "builtin-isFunction": "language/builtins.html#builtins-isFunction",
-    "builtin-isInt": "language/builtins.html#builtins-isInt",
-    "builtin-isList": "language/builtins.html#builtins-isList",
-    "builtin-isNull": "language/builtins.html#builtins-isNull",
-    "builtin-isString": "language/builtins.html#builtins-isString",
-    "builtin-length": "language/builtins.html#builtins-length",
-    "builtin-lessThan": "language/builtins.html#builtins-lessThan",
-    "builtin-listToAttrs": "language/builtins.html#builtins-listToAttrs",
-    "builtin-map": "language/builtins.html#builtins-map",
-    "builtin-match": "language/builtins.html#builtins-match",
-    "builtin-mul": "language/builtins.html#builtins-mul",
-    "builtin-parseDrvName": "language/builtins.html#builtins-parseDrvName",
-    "builtin-path": "language/builtins.html#builtins-path",
-    "builtin-pathExists": "language/builtins.html#builtins-pathExists",
-    "builtin-placeholder": "language/builtins.html#builtins-placeholder",
-    "builtin-readDir": "language/builtins.html#builtins-readDir",
-    "builtin-readFile": "language/builtins.html#builtins-readFile",
-    "builtin-removeAttrs": "language/builtins.html#builtins-removeAttrs",
-    "builtin-replaceStrings": "language/builtins.html#builtins-replaceStrings",
-    "builtin-seq": "language/builtins.html#builtins-seq",
-    "builtin-sort": "language/builtins.html#builtins-sort",
-    "builtin-split": "language/builtins.html#builtins-split",
-    "builtin-splitVersion": "language/builtins.html#builtins-splitVersion",
-    "builtin-stringLength": "language/builtins.html#builtins-stringLength",
-    "builtin-sub": "language/builtins.html#builtins-sub",
-    "builtin-substring": "language/builtins.html#builtins-substring",
-    "builtin-tail": "language/builtins.html#builtins-tail",
-    "builtin-throw": "language/builtins.html#builtins-throw",
-    "builtin-toFile": "language/builtins.html#builtins-toFile",
-    "builtin-toJSON": "language/builtins.html#builtins-toJSON",
-    "builtin-toPath": "language/builtins.html#builtins-toPath",
-    "builtin-toString": "language/builtins.html#builtins-toString",
-    "builtin-toXML": "language/builtins.html#builtins-toXML",
-    "builtin-trace": "language/builtins.html#builtins-trace",
-    "builtin-tryEval": "language/builtins.html#builtins-tryEval",
-    "builtin-typeOf": "language/builtins.html#builtins-typeOf",
-    "ssec-builtins": "language/builtins.html",
-    "attr-system": "language/derivations.html#attr-system",
-    "ssec-derivation": "language/derivations.html",
-    "ch-expression-language": "language/index.html",
-    "sec-constructs": "language/syntax.html",
-    "sect-let-language": "language/syntax.html#let-expressions",
-    "ss-functions": "language/syntax.html#functions",
-    "sec-language-operators": "language/operators.html",
-    "table-operators": "language/operators.html",
-    "ssec-values": "language/types.html",
-    "gloss-closure": "glossary.html#gloss-closure",
-    "gloss-derivation": "glossary.html#gloss-derivation",
-    "gloss-deriver": "glossary.html#gloss-deriver",
-    "gloss-nar": "glossary.html#gloss-nar",
-    "gloss-output-path": "glossary.html#gloss-output-path",
-    "gloss-profile": "glossary.html#gloss-profile",
-    "gloss-reachable": "glossary.html#gloss-reachable",
-    "gloss-reference": "glossary.html#gloss-reference",
-    "gloss-substitute": "glossary.html#gloss-substitute",
-    "gloss-user-env": "glossary.html#gloss-user-env",
-    "gloss-validity": "glossary.html#gloss-validity",
-    "part-glossary": "glossary.html",
-    "sec-building-source": "installation/building-source.html",
-    "ch-env-variables": "installation/env-variables.html",
-    "sec-installer-proxy-settings": "installation/env-variables.html#proxy-environment-variables",
-    "sec-nix-ssl-cert-file": "installation/env-variables.html#nix_ssl_cert_file",
-    "sec-nix-ssl-cert-file-with-nix-daemon-and-macos": "installation/env-variables.html#nix_ssl_cert_file-with-macos-and-the-nix-daemon",
-    "chap-installation": "installation/index.html",
-    "ch-installing-binary": "installation/installing-binary.html",
-    "sect-macos-installation": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-change-store-prefix": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-encrypted-volume": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-recommended-notes": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-symlink": "installation/installing-binary.html#macos-installation",
-    "sect-multi-user-installation": "installation/installing-binary.html#multi-user-installation",
-    "sect-nix-install-binary-tarball": "installation/installing-binary.html#installing-from-a-binary-tarball",
-    "sect-nix-install-pinned-version-url": "installation/installing-binary.html#installing-a-pinned-nix-version-from-a-url",
-    "sect-single-user-installation": "installation/installing-binary.html#single-user-installation",
-    "ch-installing-source": "installation/installing-source.html",
-    "ssec-multi-user": "installation/multi-user.html",
-    "ch-nix-security": "installation/nix-security.html",
-    "sec-obtaining-source": "installation/obtaining-source.html",
-    "sec-prerequisites-source": "installation/prerequisites-source.html",
-    "sec-single-user": "installation/single-user.html",
-    "ch-supported-platforms": "installation/supported-platforms.html",
-    "ch-upgrading-nix": "installation/upgrading.html",
-    "ch-about-nix": "introduction.html",
-    "chap-introduction": "introduction.html",
-    "ch-basic-package-mgmt": "package-management/basic-package-mgmt.html",
-    "ssec-binary-cache-substituter": "package-management/binary-cache-substituter.html",
-    "sec-channels": "command-ref/nix-channel.html",
-    "ssec-copy-closure": "command-ref/nix-copy-closure.html",
-    "sec-garbage-collection": "package-management/garbage-collection.html",
-    "ssec-gc-roots": "package-management/garbage-collector-roots.html",
-    "chap-package-management": "package-management/index.html",
-    "sec-profiles": "package-management/profiles.html",
-    "ssec-s3-substituter": "store/types/s3-substituter.html",
-    "ssec-s3-substituter-anonymous-reads": "store/types/s3-substituter.html#anonymous-reads-to-your-s3-compatible-binary-cache",
-    "ssec-s3-substituter-authenticated-reads": "store/types/s3-substituter.html#authenticated-reads-to-your-s3-binary-cache",
-    "ssec-s3-substituter-authenticated-writes": "store/types/s3-substituter.html#authenticated-writes-to-your-s3-compatible-binary-cache",
-    "sec-sharing-packages": "package-management/sharing-packages.html",
-    "ssec-ssh-substituter": "package-management/ssh-substituter.html",
-    "chap-quick-start": "quick-start.html",
-    "sec-relnotes": "release-notes/index.html",
-    "ch-relnotes-0.10.1": "release-notes/rl-0.10.1.html",
-    "ch-relnotes-0.10": "release-notes/rl-0.10.html",
-    "ssec-relnotes-0.11": "release-notes/rl-0.11.html",
-    "ssec-relnotes-0.12": "release-notes/rl-0.12.html",
-    "ssec-relnotes-0.13": "release-notes/rl-0.13.html",
-    "ssec-relnotes-0.14": "release-notes/rl-0.14.html",
-    "ssec-relnotes-0.15": "release-notes/rl-0.15.html",
-    "ssec-relnotes-0.16": "release-notes/rl-0.16.html",
-    "ch-relnotes-0.5": "release-notes/rl-0.5.html",
-    "ch-relnotes-0.6": "release-notes/rl-0.6.html",
-    "ch-relnotes-0.7": "release-notes/rl-0.7.html",
-    "ch-relnotes-0.8.1": "release-notes/rl-0.8.1.html",
-    "ch-relnotes-0.8": "release-notes/rl-0.8.html",
-    "ch-relnotes-0.9.1": "release-notes/rl-0.9.1.html",
-    "ch-relnotes-0.9.2": "release-notes/rl-0.9.2.html",
-    "ch-relnotes-0.9": "release-notes/rl-0.9.html",
-    "ssec-relnotes-1.0": "release-notes/rl-1.0.html",
-    "ssec-relnotes-1.1": "release-notes/rl-1.1.html",
-    "ssec-relnotes-1.10": "release-notes/rl-1.10.html",
-    "ssec-relnotes-1.11.10": "release-notes/rl-1.11.10.html",
-    "ssec-relnotes-1.11": "release-notes/rl-1.11.html",
-    "ssec-relnotes-1.2": "release-notes/rl-1.2.html",
-    "ssec-relnotes-1.3": "release-notes/rl-1.3.html",
-    "ssec-relnotes-1.4": "release-notes/rl-1.4.html",
-    "ssec-relnotes-1.5.1": "release-notes/rl-1.5.1.html",
-    "ssec-relnotes-1.5.2": "release-notes/rl-1.5.2.html",
-    "ssec-relnotes-1.5": "release-notes/rl-1.5.html",
-    "ssec-relnotes-1.6.1": "release-notes/rl-1.6.1.html",
-    "ssec-relnotes-1.6.0": "release-notes/rl-1.6.html",
-    "ssec-relnotes-1.7": "release-notes/rl-1.7.html",
-    "ssec-relnotes-1.8": "release-notes/rl-1.8.html",
-    "ssec-relnotes-1.9": "release-notes/rl-1.9.html",
-    "ssec-relnotes-2.0": "release-notes/rl-2.0.html",
-    "ssec-relnotes-2.1": "release-notes/rl-2.1.html",
-    "ssec-relnotes-2.2": "release-notes/rl-2.2.html",
-    "ssec-relnotes-2.3": "release-notes/rl-2.3.html",
-  },
-  "language/types.html": {
-    "simple-values": "#primitives",
-    "lists": "#list",
-    "strings": "#string",
-    "attribute-sets": "#attribute-set",
-    "type-number": "#type-int",
-  },
-  "language/syntax.html": {
-    "scoping-rules": "scoping.html",
-    "string-literal": "string-literals.html",
-  },
-  "installation/installing-binary.html": {
-    "linux": "uninstall.html#linux",
-    "macos": "uninstall.html#macos",
-    "uninstalling": "uninstall.html",
-  },
-  "development/building.html": {
-    "nix-with-flakes": "#building-nix-with-flakes",
-    "classic-nix": "#building-nix",
-    "running-tests": "testing.html#running-tests",
-    "unit-tests": "testing.html#unit-tests",
-    "functional-tests": "testing.html#functional-tests",
-    "debugging-failing-functional-tests": "testing.html#debugging-failing-functional-tests",
-    "integration-tests": "testing.html#integration-tests",
-    "installer-tests": "testing.html#installer-tests",
-    "one-time-setup": "testing.html#one-time-setup",
-    "using-the-ci-generated-installer-for-manual-testing": "testing.html#using-the-ci-generated-installer-for-manual-testing",
-    "characterization-testing": "testing.html#characterisation-testing-unit",
-    "add-a-release-note": "contributing.html#add-a-release-note",
-    "add-an-entry": "contributing.html#add-an-entry",
-    "build-process": "contributing.html#build-process",
-    "reverting": "contributing.html#reverting",
-    "branches": "contributing.html#branches",
-  },
-  "glossary.html": {
-    "gloss-local-store": "store/types/local-store.html",
-    "gloss-chroot-store": "store/types/local-store.html",
-  },
-};
-
-// the following code matches the current page's URL against the set of redirects.
-//
-// it is written to minimize the latency between page load and redirect.
-// therefore we avoid function calls, copying data, and unnecessary loops.
-// IMPORTANT: we use stateful array operations and their order matters!
-//
-// matching URLs is more involved than it should be:
-//
-// 1. `document.location.pathname` can have an arbitrary prefix.
-//
-// 2. `path_to_root` is set by mdBook. it consists only of `../`s and
-//    determines the depth of `<path>` relative to the prefix:
-//
-//          `document.location.pathname`
-//        |------------------------------|
-//        /<prefix>/<path>/[<file>[.html]][#<anchor>]
-//                  |----|
-//              `path_to_root` has same number of path segments
-//
-//    source: https://phaiax.github.io/mdBook/format/theme/index-hbs.html#data
-//
-// 3. the following paths are equivalent:
-//
-//        /foo/bar/
-//        /foo/bar/index.html
-//        /foo/bar/index
-//
-//  4. the following paths are also equivalent:
-//
-//        /foo/bar/baz
-//        /foo/bar/baz.html
-//
-
-let segments = document.location.pathname.split('/');
-
-let file = segments.pop();
-
-// normalize file name
-if (file === '') { file = "index.html"; }
-else if (!file.endsWith('.html')) { file = file + '.html'; }
-
-segments.push(file);
-
-// use `path_to_root` to discern prefix from path.
-const depth = path_to_root.split('/').length;
-
-// remove segments containing prefix. the following works because
-// 1. the original `document.location.pathname` is absolute,
-//    hence first element of `segments` is always empty.
-// 2. last element of splitting `path_to_root` is also always empty.
-// 3. last element of `segments` is the file name.
-//
-// visual example:
-//
-//     '/foo/bar/baz.html'.split('/') -> [ '', 'foo', 'bar', 'baz.html' ]
-//          '../'.split('/')          -> [ '..', '' ]
-//
-// the following operations will then result in
-//
-//     path = 'bar/baz.html'
-//
-segments.splice(0, segments.length - depth);
-const path = segments.join('/');
-
-// anchor starts with the hash character (`#`),
-// but our redirect declarations don't, so we strip it.
-// example:
-//     document.location.hash -> '#foo'
-//     document.location.hash.substring(1) -> 'foo'
-const anchor = document.location.hash.substring(1);
-
-const redirect = redirects[path];
-if (redirect) {
-  const target = redirect[anchor];
-  if (target) {
-    document.location.href = target;
-  }
-}

doc/manual/redirects.js.in

@@ -0,0 +1,94 @@
+// redirect rules for URL fragments (client-side) to prevent link rot.
+// this must be done on the client side, as web servers do not see the fragment part of the URL.
+// it will only work with JavaScript enabled in the browser, but this is the best we can do here.
+// see source/_redirects for path redirects (server-side)
+
+// redirects are declared as follows:
+// each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
+//
+//     IMPORTANT: it must specify the full path with file name and suffix
+//
+// each entry is itself a set of key-value pairs, where
+// - keys are anchors on the matched path.
+// - values are redirection targets relative to the current path.
+
+const redirects = @REDIRECTS_JSON@;
+
+// the following code matches the current page's URL against the set of redirects.
+//
+// it is written to minimize the latency between page load and redirect.
+// therefore we avoid function calls, copying data, and unnecessary loops.
+// IMPORTANT: we use stateful array operations and their order matters!
+//
+// matching URLs is more involved than it should be:
+//
+// 1. `document.location.pathname` can have an arbitrary prefix.
+//
+// 2. `path_to_root` is set by mdBook. it consists only of `../`s and
+//    determines the depth of `<path>` relative to the prefix:
+//
+//          `document.location.pathname`
+//        |------------------------------|
+//        /<prefix>/<path>/[<file>[.html]][#<anchor>]
+//                  |----|
+//              `path_to_root` has same number of path segments
+//
+//    source: https://phaiax.github.io/mdBook/format/theme/index-hbs.html#data
+//
+// 3. the following paths are equivalent:
+//
+//        /foo/bar/
+//        /foo/bar/index.html
+//        /foo/bar/index
+//
+//  4. the following paths are also equivalent:
+//
+//        /foo/bar/baz
+//        /foo/bar/baz.html
+//
+
+let segments = document.location.pathname.split('/');
+
+let file = segments.pop();
+
+// normalize file name
+if (file === '') { file = "index.html"; }
+else if (!file.endsWith('.html')) { file = file + '.html'; }
+
+segments.push(file);
+
+// use `path_to_root` to discern prefix from path.
+const depth = path_to_root.split('/').length;
+
+// remove segments containing prefix. the following works because
+// 1. the original `document.location.pathname` is absolute,
+//    hence first element of `segments` is always empty.
+// 2. last element of splitting `path_to_root` is also always empty.
+// 3. last element of `segments` is the file name.
+//
+// visual example:
+//
+//     '/foo/bar/baz.html'.split('/') -> [ '', 'foo', 'bar', 'baz.html' ]
+//          '../'.split('/')          -> [ '..', '' ]
+//
+// the following operations will then result in
+//
+//     path = 'bar/baz.html'
+//
+segments.splice(0, segments.length - depth);
+const path = segments.join('/');
+
+// anchor starts with the hash character (`#`),
+// but our redirect declarations don't, so we strip it.
+// example:
+//     document.location.hash -> '#foo'
+//     document.location.hash.substring(1) -> 'foo'
+const anchor = document.location.hash.substring(1);
+
+const redirect = redirects[path];
+if (redirect) {
+  const target = redirect[anchor];
+  if (target) {
+    document.location.href = target;
+  }
+}

doc/manual/redirects.json

@@ -0,0 +1,372 @@
+{
+    "index.html": {
+        "part-advanced-topics": "advanced-topics/index.html",
+        "chap-tuning-cores-and-jobs": "advanced-topics/cores-vs-jobs.html",
+        "chap-diff-hook": "advanced-topics/diff-hook.html",
+        "check-dirs-are-unregistered": "advanced-topics/diff-hook.html#check-dirs-are-unregistered",
+        "chap-distributed-builds": "command-ref/conf-file.html#conf-builders",
+        "chap-post-build-hook": "advanced-topics/post-build-hook.html",
+        "chap-post-build-hook-caveats": "advanced-topics/post-build-hook.html#implementation-caveats",
+        "chap-writing-nix-expressions": "language/index.html",
+        "part-command-ref": "command-ref/index.html",
+        "conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
+        "conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
+        "conf-allowed-uris": "command-ref/conf-file.html#conf-allowed-uris",
+        "conf-allowed-users": "command-ref/conf-file.html#conf-allowed-users",
+        "conf-auto-optimise-store": "command-ref/conf-file.html#conf-auto-optimise-store",
+        "conf-binary-cache-public-keys": "command-ref/conf-file.html#conf-trusted-public-keys",
+        "conf-binary-caches": "command-ref/conf-file.html#conf-substituters",
+        "conf-build-compress-log": "command-ref/conf-file.html#conf-compress-build-log",
+        "conf-build-cores": "command-ref/conf-file.html#conf-cores",
+        "conf-build-extra-chroot-dirs": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-build-extra-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-build-fallback": "command-ref/conf-file.html#conf-fallback",
+        "conf-build-max-jobs": "command-ref/conf-file.html#conf-max-jobs",
+        "conf-build-max-log-size": "command-ref/conf-file.html#conf-max-build-log-size",
+        "conf-build-max-silent-time": "command-ref/conf-file.html#conf-max-silent-time",
+        "conf-build-timeout": "command-ref/conf-file.html#conf-timeout",
+        "conf-build-use-chroot": "command-ref/conf-file.html#conf-sandbox",
+        "conf-build-use-sandbox": "command-ref/conf-file.html#conf-sandbox",
+        "conf-build-use-substitutes": "command-ref/conf-file.html#conf-substitute",
+        "conf-build-users-group": "command-ref/conf-file.html#conf-build-users-group",
+        "conf-builders": "command-ref/conf-file.html#conf-builders",
+        "conf-builders-use-substitutes": "command-ref/conf-file.html#conf-builders-use-substitutes",
+        "conf-compress-build-log": "command-ref/conf-file.html#conf-compress-build-log",
+        "conf-connect-timeout": "command-ref/conf-file.html#conf-connect-timeout",
+        "conf-cores": "command-ref/conf-file.html#conf-cores",
+        "conf-diff-hook": "command-ref/conf-file.html#conf-diff-hook",
+        "conf-env-keep-derivations": "command-ref/conf-file.html#conf-keep-env-derivations",
+        "conf-extra-binary-caches": "command-ref/conf-file.html#conf-substituters",
+        "conf-extra-platforms": "command-ref/conf-file.html#conf-extra-platforms",
+        "conf-extra-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-extra-substituters": "command-ref/conf-file.html#conf-substituters",
+        "conf-fallback": "command-ref/conf-file.html#conf-fallback",
+        "conf-fsync-metadata": "command-ref/conf-file.html#conf-fsync-metadata",
+        "conf-gc-keep-derivations": "command-ref/conf-file.html#conf-keep-derivations",
+        "conf-gc-keep-outputs": "command-ref/conf-file.html#conf-keep-outputs",
+        "conf-hashed-mirrors": "command-ref/conf-file.html#conf-hashed-mirrors",
+        "conf-http-connections": "command-ref/conf-file.html#conf-http-connections",
+        "conf-keep-build-log": "command-ref/conf-file.html#conf-keep-build-log",
+        "conf-keep-derivations": "command-ref/conf-file.html#conf-keep-derivations",
+        "conf-keep-env-derivations": "command-ref/conf-file.html#conf-keep-env-derivations",
+        "conf-keep-outputs": "command-ref/conf-file.html#conf-keep-outputs",
+        "conf-max-build-log-size": "command-ref/conf-file.html#conf-max-build-log-size",
+        "conf-max-free": "command-ref/conf-file.html#conf-max-free",
+        "conf-max-jobs": "command-ref/conf-file.html#conf-max-jobs",
+        "conf-max-silent-time": "command-ref/conf-file.html#conf-max-silent-time",
+        "conf-min-free": "command-ref/conf-file.html#conf-min-free",
+        "conf-narinfo-cache-negative-ttl": "command-ref/conf-file.html#conf-narinfo-cache-negative-ttl",
+        "conf-narinfo-cache-positive-ttl": "command-ref/conf-file.html#conf-narinfo-cache-positive-ttl",
+        "conf-netrc-file": "command-ref/conf-file.html#conf-netrc-file",
+        "conf-plugin-files": "command-ref/conf-file.html#conf-plugin-files",
+        "conf-post-build-hook": "command-ref/conf-file.html#conf-post-build-hook",
+        "conf-pre-build-hook": "command-ref/conf-file.html#conf-pre-build-hook",
+        "conf-require-sigs": "command-ref/conf-file.html#conf-require-sigs",
+        "conf-restrict-eval": "command-ref/conf-file.html#conf-restrict-eval",
+        "conf-run-diff-hook": "command-ref/conf-file.html#conf-run-diff-hook",
+        "conf-sandbox": "command-ref/conf-file.html#conf-sandbox",
+        "conf-sandbox-dev-shm-size": "command-ref/conf-file.html#conf-sandbox-dev-shm-size",
+        "conf-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-secret-key-files": "command-ref/conf-file.html#conf-secret-key-files",
+        "conf-show-trace": "command-ref/conf-file.html#conf-show-trace",
+        "conf-stalled-download-timeout": "command-ref/conf-file.html#conf-stalled-download-timeout",
+        "conf-substitute": "command-ref/conf-file.html#conf-substitute",
+        "conf-substituters": "command-ref/conf-file.html#conf-substituters",
+        "conf-system": "command-ref/conf-file.html#conf-system",
+        "conf-system-features": "command-ref/conf-file.html#conf-system-features",
+        "conf-tarball-ttl": "command-ref/conf-file.html#conf-tarball-ttl",
+        "conf-timeout": "command-ref/conf-file.html#conf-timeout",
+        "conf-trace-function-calls": "command-ref/conf-file.html#conf-trace-function-calls",
+        "conf-trusted-binary-caches": "command-ref/conf-file.html#conf-trusted-substituters",
+        "conf-trusted-public-keys": "command-ref/conf-file.html#conf-trusted-public-keys",
+        "conf-trusted-substituters": "command-ref/conf-file.html#conf-trusted-substituters",
+        "conf-trusted-users": "command-ref/conf-file.html#conf-trusted-users",
+        "extra-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "sec-conf-file": "command-ref/conf-file.html",
+        "env-NIX_PATH": "command-ref/env-common.html#env-NIX_PATH",
+        "env-common": "command-ref/env-common.html",
+        "envar-remote": "command-ref/env-common.html#env-NIX_REMOTE",
+        "sec-common-env": "command-ref/env-common.html",
+        "ch-files": "command-ref/files.html",
+        "ch-main-commands": "command-ref/main-commands.html",
+        "opt-out-link": "command-ref/nix-build.html#opt-out-link",
+        "sec-nix-build": "command-ref/nix-build.html",
+        "sec-nix-channel": "command-ref/nix-channel.html",
+        "sec-nix-collect-garbage": "command-ref/nix-collect-garbage.html",
+        "sec-nix-copy-closure": "command-ref/nix-copy-closure.html",
+        "sec-nix-daemon": "command-ref/nix-daemon.html",
+        "refsec-nix-env-install-examples": "command-ref/nix-env/install.html#examples",
+        "rsec-nix-env-install": "command-ref/nix-env/install.html",
+        "rsec-nix-env-set": "command-ref/nix-env/set.html",
+        "rsec-nix-env-set-flag": "command-ref/nix-env/set-flag.html",
+        "rsec-nix-env-upgrade": "command-ref/nix-env/upgrade.html",
+        "sec-nix-env": "command-ref/nix-env.html",
+        "ssec-version-comparisons": "command-ref/nix-env.html#selectors",
+        "sec-nix-hash": "command-ref/nix-hash.html",
+        "sec-nix-instantiate": "command-ref/nix-instantiate.html",
+        "sec-nix-prefetch-url": "command-ref/nix-prefetch-url.html",
+        "sec-nix-shell": "command-ref/nix-shell.html",
+        "ssec-nix-shell-shebang": "command-ref/nix-shell.html#use-as-a--interpreter",
+        "nixref-queries": "command-ref/nix-store/query.html#queries",
+        "opt-add-root": "command-ref/nix-store/query.html#opt-add-root",
+        "refsec-nix-store-dump": "command-ref/nix-store/dump.html",
+        "refsec-nix-store-export": "command-ref/nix-store/export.html",
+        "refsec-nix-store-import": "command-ref/nix-store/import.html",
+        "refsec-nix-store-query": "command-ref/nix-store/query.html",
+        "refsec-nix-store-verify": "command-ref/nix-store/verify.html",
+        "rsec-nix-store-gc": "command-ref/nix-store/gc.html",
+        "rsec-nix-store-generate-binary-cache-key": "command-ref/nix-store/generate-binary-cache-key.html",
+        "rsec-nix-store-realise": "command-ref/nix-store/realise.html",
+        "rsec-nix-store-serve": "command-ref/nix-store/serve.html",
+        "sec-nix-store": "command-ref/nix-store.html",
+        "opt-I": "command-ref/opt-common.html#opt-I",
+        "opt-attr": "command-ref/opt-common.html#opt-attr",
+        "opt-common": "command-ref/opt-common.html",
+        "opt-cores": "command-ref/opt-common.html#opt-cores",
+        "opt-log-format": "command-ref/opt-common.html#opt-log-format",
+        "opt-max-jobs": "command-ref/opt-common.html#opt-max-jobs",
+        "opt-max-silent-time": "command-ref/opt-common.html#opt-max-silent-time",
+        "opt-timeout": "command-ref/opt-common.html#opt-timeout",
+        "sec-common-options": "command-ref/opt-common.html",
+        "ch-utilities": "command-ref/utilities.html",
+        "chap-hacking": "development/building.html",
+        "adv-attr-allowSubstitutes": "language/advanced-attributes.html#adv-attr-allowSubstitutes",
+        "adv-attr-allowedReferences": "language/advanced-attributes.html#adv-attr-allowedReferences",
+        "adv-attr-allowedRequisites": "language/advanced-attributes.html#adv-attr-allowedRequisites",
+        "adv-attr-disallowedReferences": "language/advanced-attributes.html#adv-attr-disallowedReferences",
+        "adv-attr-disallowedRequisites": "language/advanced-attributes.html#adv-attr-disallowedRequisites",
+        "adv-attr-exportReferencesGraph": "language/advanced-attributes.html#adv-attr-exportReferencesGraph",
+        "adv-attr-impureEnvVars": "language/advanced-attributes.html#adv-attr-impureEnvVars",
+        "adv-attr-outputHash": "language/advanced-attributes.html#adv-attr-outputHash",
+        "adv-attr-outputHashAlgo": "language/advanced-attributes.html#adv-attr-outputHashAlgo",
+        "adv-attr-outputHashMode": "language/advanced-attributes.html#adv-attr-outputHashMode",
+        "adv-attr-passAsFile": "language/advanced-attributes.html#adv-attr-passAsFile",
+        "adv-attr-preferLocalBuild": "language/advanced-attributes.html#adv-attr-preferLocalBuild",
+        "fixed-output-drvs": "language/advanced-attributes.html#adv-attr-outputHash",
+        "sec-advanced-attributes": "language/advanced-attributes.html",
+        "builtin-abort": "language/builtins.html#builtins-abort",
+        "builtin-add": "language/builtins.html#builtins-add",
+        "builtin-all": "language/builtins.html#builtins-all",
+        "builtin-any": "language/builtins.html#builtins-any",
+        "builtin-attrNames": "language/builtins.html#builtins-attrNames",
+        "builtin-attrValues": "language/builtins.html#builtins-attrValues",
+        "builtin-baseNameOf": "language/builtins.html#builtins-baseNameOf",
+        "builtin-bitAnd": "language/builtins.html#builtins-bitAnd",
+        "builtin-bitOr": "language/builtins.html#builtins-bitOr",
+        "builtin-bitXor": "language/builtins.html#builtins-bitXor",
+        "builtin-builtins": "language/builtins.html#builtins-builtins",
+        "builtin-compareVersions": "language/builtins.html#builtins-compareVersions",
+        "builtin-concatLists": "language/builtins.html#builtins-concatLists",
+        "builtin-concatStringsSep": "language/builtins.html#builtins-concatStringsSep",
+        "builtin-currentSystem": "language/builtins.html#builtins-currentSystem",
+        "builtin-deepSeq": "language/builtins.html#builtins-deepSeq",
+        "builtin-derivation": "language/builtins.html#builtins-derivation",
+        "builtin-dirOf": "language/builtins.html#builtins-dirOf",
+        "builtin-div": "language/builtins.html#builtins-div",
+        "builtin-elem": "language/builtins.html#builtins-elem",
+        "builtin-elemAt": "language/builtins.html#builtins-elemAt",
+        "builtin-fetchGit": "language/builtins.html#builtins-fetchGit",
+        "builtin-fetchTarball": "language/builtins.html#builtins-fetchTarball",
+        "builtin-fetchurl": "language/builtins.html#builtins-fetchurl",
+        "builtin-filterSource": "language/builtins.html#builtins-filterSource",
+        "builtin-foldl-prime": "language/builtins.html#builtins-foldl'",
+        "builtin-fromJSON": "language/builtins.html#builtins-fromJSON",
+        "builtin-functionArgs": "language/builtins.html#builtins-functionArgs",
+        "builtin-genList": "language/builtins.html#builtins-genList",
+        "builtin-getAttr": "language/builtins.html#builtins-getAttr",
+        "builtin-getEnv": "language/builtins.html#builtins-getEnv",
+        "builtin-hasAttr": "language/builtins.html#builtins-hasAttr",
+        "builtin-hashFile": "language/builtins.html#builtins-hashFile",
+        "builtin-hashString": "language/builtins.html#builtins-hashString",
+        "builtin-head": "language/builtins.html#builtins-head",
+        "builtin-import": "language/builtins.html#builtins-import",
+        "builtin-intersectAttrs": "language/builtins.html#builtins-intersectAttrs",
+        "builtin-isAttrs": "language/builtins.html#builtins-isAttrs",
+        "builtin-isBool": "language/builtins.html#builtins-isBool",
+        "builtin-isFloat": "language/builtins.html#builtins-isFloat",
+        "builtin-isFunction": "language/builtins.html#builtins-isFunction",
+        "builtin-isInt": "language/builtins.html#builtins-isInt",
+        "builtin-isList": "language/builtins.html#builtins-isList",
+        "builtin-isNull": "language/builtins.html#builtins-isNull",
+        "builtin-isString": "language/builtins.html#builtins-isString",
+        "builtin-length": "language/builtins.html#builtins-length",
+        "builtin-lessThan": "language/builtins.html#builtins-lessThan",
+        "builtin-listToAttrs": "language/builtins.html#builtins-listToAttrs",
+        "builtin-map": "language/builtins.html#builtins-map",
+        "builtin-match": "language/builtins.html#builtins-match",
+        "builtin-mul": "language/builtins.html#builtins-mul",
+        "builtin-parseDrvName": "language/builtins.html#builtins-parseDrvName",
+        "builtin-path": "language/builtins.html#builtins-path",
+        "builtin-pathExists": "language/builtins.html#builtins-pathExists",
+        "builtin-placeholder": "language/builtins.html#builtins-placeholder",
+        "builtin-readDir": "language/builtins.html#builtins-readDir",
+        "builtin-readFile": "language/builtins.html#builtins-readFile",
+        "builtin-removeAttrs": "language/builtins.html#builtins-removeAttrs",
+        "builtin-replaceStrings": "language/builtins.html#builtins-replaceStrings",
+        "builtin-seq": "language/builtins.html#builtins-seq",
+        "builtin-sort": "language/builtins.html#builtins-sort",
+        "builtin-split": "language/builtins.html#builtins-split",
+        "builtin-splitVersion": "language/builtins.html#builtins-splitVersion",
+        "builtin-stringLength": "language/builtins.html#builtins-stringLength",
+        "builtin-sub": "language/builtins.html#builtins-sub",
+        "builtin-substring": "language/builtins.html#builtins-substring",
+        "builtin-tail": "language/builtins.html#builtins-tail",
+        "builtin-throw": "language/builtins.html#builtins-throw",
+        "builtin-toFile": "language/builtins.html#builtins-toFile",
+        "builtin-toJSON": "language/builtins.html#builtins-toJSON",
+        "builtin-toPath": "language/builtins.html#builtins-toPath",
+        "builtin-toString": "language/builtins.html#builtins-toString",
+        "builtin-toXML": "language/builtins.html#builtins-toXML",
+        "builtin-trace": "language/builtins.html#builtins-trace",
+        "builtin-tryEval": "language/builtins.html#builtins-tryEval",
+        "builtin-typeOf": "language/builtins.html#builtins-typeOf",
+        "ssec-builtins": "language/builtins.html",
+        "attr-system": "language/derivations.html#attr-system",
+        "ssec-derivation": "language/derivations.html",
+        "ch-expression-language": "language/index.html",
+        "sec-constructs": "language/syntax.html",
+        "sect-let-language": "language/syntax.html#let-expressions",
+        "ss-functions": "language/syntax.html#functions",
+        "sec-language-operators": "language/operators.html",
+        "table-operators": "language/operators.html",
+        "ssec-values": "language/types.html",
+        "gloss-closure": "glossary.html#gloss-closure",
+        "gloss-derivation": "glossary.html#gloss-derivation",
+        "gloss-deriver": "glossary.html#gloss-deriver",
+        "gloss-nar": "glossary.html#gloss-nar",
+        "gloss-output-path": "glossary.html#gloss-output-path",
+        "gloss-profile": "glossary.html#gloss-profile",
+        "gloss-reachable": "glossary.html#gloss-reachable",
+        "gloss-reference": "glossary.html#gloss-reference",
+        "gloss-substitute": "glossary.html#gloss-substitute",
+        "gloss-user-env": "glossary.html#gloss-user-env",
+        "gloss-validity": "glossary.html#gloss-validity",
+        "part-glossary": "glossary.html",
+        "sec-building-source": "installation/building-source.html",
+        "ch-env-variables": "installation/env-variables.html",
+        "sec-installer-proxy-settings": "installation/env-variables.html#proxy-environment-variables",
+        "sec-nix-ssl-cert-file": "installation/env-variables.html#nix_ssl_cert_file",
+        "sec-nix-ssl-cert-file-with-nix-daemon-and-macos": "installation/env-variables.html#nix_ssl_cert_file",
+        "chap-installation": "installation/index.html",
+        "ch-installing-binary": "installation/installing-binary.html",
+        "sect-macos-installation": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-change-store-prefix": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-encrypted-volume": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-recommended-notes": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-symlink": "installation/installing-binary.html#macos-installation",
+        "sect-multi-user-installation": "installation/installing-binary.html#multi-user-installation",
+        "sect-nix-install-binary-tarball": "installation/installing-binary.html#installing-from-a-binary-tarball",
+        "sect-nix-install-pinned-version-url":
+            "installation/installing-binary.html#installing-a-pinned-nix-version-from-a-url",
+        "sect-single-user-installation": "installation/installing-binary.html#single-user-installation",
+        "ch-installing-source": "installation/installing-source.html",
+        "ssec-multi-user": "installation/multi-user.html",
+        "ch-nix-security": "installation/nix-security.html",
+        "sec-obtaining-source": "installation/obtaining-source.html",
+        "sec-prerequisites-source": "installation/prerequisites-source.html",
+        "sec-single-user": "installation/single-user.html",
+        "ch-supported-platforms": "installation/supported-platforms.html",
+        "ch-upgrading-nix": "installation/upgrading.html",
+        "ch-about-nix": "introduction.html",
+        "chap-introduction": "introduction.html",
+        "ch-basic-package-mgmt": "package-management/index.html",
+        "ssec-binary-cache-substituter": "package-management/binary-cache-substituter.html",
+        "sec-channels": "command-ref/nix-channel.html",
+        "ssec-copy-closure": "command-ref/nix-copy-closure.html",
+        "sec-garbage-collection": "package-management/garbage-collection.html",
+        "ssec-gc-roots": "package-management/garbage-collector-roots.html",
+        "chap-package-management": "package-management/index.html",
+        "sec-profiles": "package-management/profiles.html",
+        "ssec-s3-substituter": "store/types/s3-binary-cache-store.html",
+        "ssec-s3-substituter-anonymous-reads":
+            "store/types/s3-binary-cache-store.html#anonymous-reads-to-your-s3-compatible-binary-cache",
+        "ssec-s3-substituter-authenticated-reads":
+            "store/types/s3-binary-cache-store.html#authenticated-reads-to-your-s3-binary-cache",
+        "ssec-s3-substituter-authenticated-writes":
+            "store/types/s3-binary-cache-store.html#authenticated-writes-to-your-s3-compatible-binary-cache",
+        "sec-sharing-packages": "package-management/sharing-packages.html",
+        "ssec-ssh-substituter": "package-management/ssh-substituter.html",
+        "chap-quick-start": "quick-start.html",
+        "sec-relnotes": "release-notes/index.html",
+        "ch-relnotes-0.10.1": "release-notes/rl-0.10.1.html",
+        "ch-relnotes-0.10": "release-notes/rl-0.10.html",
+        "ssec-relnotes-0.11": "release-notes/rl-0.11.html",
+        "ssec-relnotes-0.12": "release-notes/rl-0.12.html",
+        "ssec-relnotes-0.13": "release-notes/rl-0.13.html",
+        "ssec-relnotes-0.14": "release-notes/rl-0.14.html",
+        "ssec-relnotes-0.15": "release-notes/rl-0.15.html",
+        "ssec-relnotes-0.16": "release-notes/rl-0.16.html",
+        "ch-relnotes-0.5": "release-notes/rl-0.5.html",
+        "ch-relnotes-0.6": "release-notes/rl-0.6.html",
+        "ch-relnotes-0.7": "release-notes/rl-0.7.html",
+        "ch-relnotes-0.8.1": "release-notes/rl-0.8.1.html",
+        "ch-relnotes-0.8": "release-notes/rl-0.8.html",
+        "ch-relnotes-0.9.1": "release-notes/rl-0.9.1.html",
+        "ch-relnotes-0.9.2": "release-notes/rl-0.9.2.html",
+        "ch-relnotes-0.9": "release-notes/rl-0.9.html",
+        "ssec-relnotes-1.0": "release-notes/rl-1.0.html",
+        "ssec-relnotes-1.1": "release-notes/rl-1.1.html",
+        "ssec-relnotes-1.10": "release-notes/rl-1.10.html",
+        "ssec-relnotes-1.11.10": "release-notes/rl-1.11.10.html",
+        "ssec-relnotes-1.11": "release-notes/rl-1.11.html",
+        "ssec-relnotes-1.2": "release-notes/rl-1.2.html",
+        "ssec-relnotes-1.3": "release-notes/rl-1.3.html",
+        "ssec-relnotes-1.4": "release-notes/rl-1.4.html",
+        "ssec-relnotes-1.5.1": "release-notes/rl-1.5.html",
+        "ssec-relnotes-1.5.2": "release-notes/rl-1.5.2.html",
+        "ssec-relnotes-1.5": "release-notes/rl-1.5.html",
+        "ssec-relnotes-1.6.1": "release-notes/rl-1.6.1.html",
+        "ssec-relnotes-1.6.0": "release-notes/rl-1.6.html",
+        "ssec-relnotes-1.7": "release-notes/rl-1.7.html",
+        "ssec-relnotes-1.8": "release-notes/rl-1.8.html",
+        "ssec-relnotes-1.9": "release-notes/rl-1.9.html",
+        "ssec-relnotes-2.0": "release-notes/rl-2.0.html",
+        "ssec-relnotes-2.1": "release-notes/rl-2.1.html",
+        "ssec-relnotes-2.2": "release-notes/rl-2.2.html",
+        "ssec-relnotes-2.3": "release-notes/rl-2.3.html"
+    },
+    "language/types.html": {
+        "simple-values": "#primitives",
+        "lists": "#type-list",
+        "strings": "#type-string",
+        "attribute-sets": "#type-attrs",
+        "type-number": "#type-int"
+    },
+    "language/syntax.html": {
+        "scoping-rules": "scope.html",
+        "string-literal": "string-literals.html"
+    },
+    "language/derivations.html": {
+        "builder-execution": "../store/building.html#builder-execution"
+    },
+    "installation/installing-binary.html": {
+        "linux": "uninstall.html#linux",
+        "macos": "uninstall.html#macos",
+        "uninstalling": "uninstall.html"
+    },
+    "development/building.html": {
+        "nix-with-flakes": "#building-nix-with-flakes",
+        "classic-nix": "#building-nix",
+        "running-tests": "testing.html#running-tests",
+        "unit-tests": "testing.html#unit-tests",
+        "functional-tests": "testing.html#functional-tests",
+        "debugging-failing-functional-tests": "testing.html#debugging-failing-functional-tests",
+        "integration-tests": "testing.html#integration-tests",
+        "installer-tests": "testing.html#installer-tests",
+        "one-time-setup": "testing.html#one-time-setup",
+        "using-the-ci-generated-installer-for-manual-testing":
+            "testing.html#using-the-ci-generated-installer-for-manual-testing",
+        "characterization-testing": "testing.html#characterisation-testing-unit",
+        "add-a-release-note": "contributing.html#add-a-release-note",
+        "add-an-entry": "contributing.html#add-an-entry",
+        "build-process": "contributing.html#build-process",
+        "reverting": "contributing.html#reverting",
+        "branches": "contributing.html#branches"
+    },
+    "glossary.html": {
+        "gloss-local-store": "store/types/local-store.html",
+        "package-attribute-set": "#package",
+        "gloss-chroot-store": "store/types/local-store.html",
+        "gloss-content-addressed-derivation": "#gloss-content-addressing-derivation"
+    }
+}

doc/manual/remove_before_wrapper.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+
+import os
+import subprocess
+import sys
+import shutil
+import typing as t
+
+def main():
+    if len(sys.argv) < 4 or '--' not in sys.argv:
+        print("Usage: remove-before-wrapper <output> -- <nix command...>")
+        sys.exit(1)
+
+    # Extract the parts
+    output: str = sys.argv[1]
+    nix_command_idx: int = sys.argv.index('--') + 1
+    nix_command: t.List[str] = sys.argv[nix_command_idx:]
+
+    output_temp: str = output + '.tmp'
+
+    # Remove the output and temp output in case they exist
+    shutil.rmtree(output, ignore_errors=True)
+    shutil.rmtree(output_temp, ignore_errors=True)
+
+    # Execute nix command with `--write-to` tempary output
+    nix_command_write_to = nix_command + ['--write-to', output_temp]
+    subprocess.run(nix_command_write_to, check=True)
+
+    # Move the temporary output to the intended location
+    os.rename(output_temp, output)
+
+if __name__ == "__main__":
+    main()

doc/manual/render-manpage.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+#
+# Standalone manpage renderer that doesn't require mdbook.
+# Uses expand-includes.py to preprocess markdown, then lowdown to generate manpages.
+
+set -euo pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+lowdown_args=
+
+# Optional --out-no-smarty flag for compatibility with nix_nested_manpages
+if [ "$1" = --out-no-smarty ]; then
+    lowdown_args=--out-no-smarty
+    shift
+fi
+
+[ "$#" = 7 ] || {
+    cat >&2 <<EOF
+Usage: $0 [--out-no-smarty] <title> <section> <source-root> <generated-root> <doc-url> <infile> <outfile>
+
+Arguments:
+  title           - Manpage title (e.g., "nix-env --install")
+  section         - Manpage section number (1, 5, 8, etc.)
+  source-root     - Root directory of markdown sources
+  generated-root  - Root directory of generated markdown files
+  doc-url         - Base URL for documentation links
+  infile          - Input markdown file (relative to build directory)
+  outfile         - Output manpage file
+
+Examples:
+  $0 "nix-store --query" 1 doc/manual/source build/doc/manual/source \\
+     https://nix.dev/manual/nix/latest \\
+     build/doc/manual/source/command-ref/nix-store/query.md nix-store-query.1
+EOF
+    exit 1
+}
+
+title="$1"
+section="$2"
+source_root="$3"
+generated_root="$4"
+doc_url="$5"
+infile="$6"
+outfile="$7"
+
+# Expand includes and pipe to lowdown
+(
+    printf "Title: %s\n\n" "$title"
+    python3 "$script_dir/expand-includes.py" \
+        --source-root "$source_root" \
+        --generated-root "$generated_root" \
+        --doc-url "$doc_url" \
+        "$infile"
+) | lowdown -sT man --nroff-nolinks $lowdown_args -M section="$section" -o "$outfile"

doc/manual/rl-next/ban-integer-overflow.md

@@ -1,21 +0,0 @@
----
-synopsis: Define integer overflow in the Nix language as an error
-issues: [10968]
-prs: [11188]
----
-
-Previously, integer overflow in the Nix language invoked C++ level signed overflow, which was undefined behaviour, but *usually* manifested as wrapping around on overflow.
-
-Since prior to the public release of Lix, Lix had C++ signed overflow defined to crash the process and nobody noticed this having accidentally removed overflow from the Nix language for three months until it was caught by fiddling around.
-Given the significant body of actual Nix code that has been evaluated by Lix in that time, it does not appear that nixpkgs or much of importance depends on integer overflow, so it appears safe to turn into an error.
-
-Some other overflows were fixed:
-- `builtins.fromJSON` of values greater than the maximum representable value in a signed 64-bit integer will generate an error.
-- `nixConfig` in flakes will no longer accept negative values for configuration options.
-
-Integer overflow now looks like the following:
-
-```
-$ nix eval --expr '9223372036854775807 + 1'
-error: integer overflow in adding 9223372036854775807 + 1
-```

doc/manual/rl-next/beta-installer

@@ -0,0 +1,29 @@
+---
+synopsis: "Rust nix-installer in beta"
+prs: []
+---
+
+The Rust-based rewrite of the Nix installer is now in beta.
+We'd love help testing it out!
+
+To test out the new installer, run:
+```
+curl -sSfL https://artifacts.nixos.org/nix-installer | sh -s -- install
+```
+
+This installer can be run even when you have an existing, script-based Nix installation without any adjustments.
+
+This new installer also comes with the ability to uninstall your Nix installation; run:
+```
+/nix/nix-installer uninstall
+```
+
+This will get rid of your entire Nix installation (even if you installed over an existing, script-based installation).
+
+This installer is a modified version of the [Determinate Nix Installer](https://github.com/DeterminateSystems/nix-installer) by Determinate Systems.
+Thanks to Determinate Systems for all the investment they've put into the installer.
+
+Source for the installer is in https://github.com/NixOS/nix-installer.
+Report any issues in that repo.
+
+For CI usage, a GitHub Action to install Nix using this installer is available at https://github.com/NixOS/nix-installer-action.

doc/manual/rl-next/build-hook-default.md

@@ -1,22 +0,0 @@
----
-synopsis: |-
-  The `build-hook` setting's default is less useful when using `libnixstore` as a library
-prs:
-- 11178
----
-
-*This is an obscure issue that only affects usage of the `libnixstore` library outside of the Nix executable.*
-
-As part the ongoing [rewrite of the build system](https://github.com/NixOS/nix/issues/2503) to use [Meson](https://mesonbuild.com/), we are also switching to packaging individual Nix components separately (and building them in separate derivations).
-This means that when building `libnixstore` we do not know where the Nix binaries will be installed --- `libnixstore` doesn't know about downstream consumers like the Nix binaries at all.
-
-*This is also unrelated to the _`post`_-`build-hook`*, which is often used for pushing to a cache.*
-
-This has a small adverse affect on remote building --- the `build-remote` executable that is specified from the [`build-hook`](@docroot@/command-ref/conf-file.md#conf-build-hook) setting will not be gotten from the (presumed) installation location, but instead looked up on the `PATH`.
-This means that other applications linking `libnixstore` that wish to use remote building must arrange for the `nix` command to be on the PATH (or manually overriding `build-hook`) in order for that to work.
-
-Long term we don't envision this being a downside, because we plan to [get rid of `build-remote` and the build hook setting entirely](https://github.com/NixOS/nix/issues/1221).
-There is simply no need to add a second layer of remote-procedure-calling when we want to connect to a remote builder.
-The build hook protocol did in principle support custom ways of remote building, but that can also be accomplished with a custom service for the ssh or daemon/ssh-ng protocols, or with a custom [store type](@docroot@/store/types/) i.e. `Store` subclass. <!-- we normally don't mention classes, but consider that this release note is about a library use case -->
-
-The Perl bindings no longer expose `getBinDir` either, since they libraries those bindings wrap no longer know the location of installed binaries as described above.

doc/manual/rl-next/c-api-new-store-methods.md

@@ -0,0 +1,9 @@
+---
+synopsis: "C API: New store API methods"
+prs: [14766]
+---
+
+The C API now includes additional methods:
+
+- `nix_store_query_path_from_hash_part()` - Get the full store path given its hash part
+- `nix_store_copy_path()` - Copy a single store path between two stores, allows repairs and configuring signature checking

doc/manual/rl-next/ignore-gc-delete-failure.md

@@ -0,0 +1,10 @@
+---
+synopsis: "New setting `ignore-gc-delete-failure` for local stores"
+prs: [15054]
+---
+
+A new local store setting [`ignore-gc-delete-failure`](@docroot@/store/types/local-store.md#store-local-store-ignore-gc-delete-failure) has been added.
+When enabled, garbage collection will log warnings instead of failing when it cannot delete store paths.
+This is useful when running Nix as an unprivileged user that may not have write access to all paths in the store.
+
+This setting is experimental and requires the [`local-overlay-store`](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store) experimental feature.

doc/manual/rl-next/mtls-substituter.md

@@ -0,0 +1,15 @@
+---
+synopsis: Support HTTPS binary caches using mTLS (client certificate) authentication
+issues: [13002]
+prs: [13030]
+---
+
+Added support for `tls-certificate` and `tls-private-key` options in substituter URLs.
+
+Example:
+
+```
+https://substituter.invalid?tls-certificate=/path/to/cert.pem&tls-private-key=/path/to/key.pem
+```
+
+When these options are configured, Nix will use this certificate/private key pair to authenticate to the server.

doc/manual/rl-next/roots-daemon.md

@@ -0,0 +1,11 @@
+---
+synopsis: New command `nix store roots-daemon` for serving GC roots
+prs: [15143]
+---
+
+New command [`nix store roots-daemon`](@docroot@/command-ref/new-cli/nix3-store-roots-daemon.md) runs a daemon that serves garbage collector roots over a Unix domain socket.
+It enables the garbage collector to discover runtime roots when the main Nix daemon doesn't have `CAP_SYS_PTRACE` capability and therefore cannot scan `/proc`.
+
+The garbage collector can be configured to use this daemon via the [`use-roots-daemon`](@docroot@/store/types/local-store.md#store-experimental-option-use-roots-daemon) store setting.
+
+This feature requires the [`local-overlay-store` experimental feature](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store).

doc/manual/rl-next/s3-virtual-hosted-style.md

@@ -0,0 +1,32 @@
+---
+synopsis: S3 binary caches now use virtual-hosted-style addressing by default
+issues: [15208]
+---
+
+S3 binary caches now use virtual-hosted-style URLs
+(`https://bucket.s3.region.amazonaws.com/key`) instead of path-style URLs
+(`https://s3.region.amazonaws.com/bucket/key`) when connecting to standard AWS
+S3 endpoints. This enables HTTP/2 multiplexing and fixes TCP connection
+exhaustion (TIME_WAIT socket accumulation) under high-concurrency workloads.
+
+A new `addressing-style` store option controls this behavior:
+
+- `auto` (default): virtual-hosted-style for standard AWS endpoints, path-style
+  for custom endpoints.
+- `path`: forces path-style addressing (deprecated by AWS).
+- `virtual`: forces virtual-hosted-style addressing (bucket names must not
+  contain dots).
+
+Bucket names containing dots (e.g., `my.bucket.name`) automatically fall back
+to path-style addressing in `auto` mode, because dotted names create
+multi-level subdomains that break TLS wildcard certificate validation.
+
+Example using path-style for backwards compatibility:
+
+```
+s3://my-bucket/key?region=us-east-1&addressing-style=path
+```
+
+Additionally, TCP keep-alive is now enabled on all HTTP connections, preventing
+idle connections from being silently dropped by intermediate network devices
+(NATs, firewalls, load balancers).

doc/manual/source/SUMMARY.md.in

@@ -22,12 +22,22 @@
   - [Store Object](store/store-object.md)
     - [Content-Addressing Store Objects](store/store-object/content-address.md)
   - [Store Path](store/store-path.md)
+  - [Store Derivation and Deriving Path](store/derivation/index.md)
+    - [Derivation Outputs and Types of Derivations](store/derivation/outputs/index.md)
+      - [Content-addressing derivation outputs](store/derivation/outputs/content-address.md)
+      - [Input-addressing derivation outputs](store/derivation/outputs/input-address.md)
+  - [Build Trace](store/build-trace.md)
+  - [Derivation Resolution](store/resolution.md)
+  - [Building](store/building.md)
+  - [Secrets](store/secrets.md)
   - [Store Types](store/types/index.md)
 {{#include ./store/types/SUMMARY.md}}
+  - [Appendix: Math notation](store/math-notation.md)
 - [Nix Language](language/index.md)
   - [Data Types](language/types.md)
     - [String context](language/string-context.md)
   - [Syntax and semantics](language/syntax.md)
+    - [Evaluation](language/evaluation.md)
     - [Variables](language/variables.md)
     - [String literals](language/string-literals.md)
     - [Identifiers](language/identifiers.md)
@@ -51,6 +61,7 @@
   - [Tuning Cores and Jobs](advanced-topics/cores-vs-jobs.md)
   - [Verifying Build Reproducibility](advanced-topics/diff-hook.md)
   - [Using the `post-build-hook`](advanced-topics/post-build-hook.md)
+  - [Evaluation profiler](advanced-topics/eval-profiler.md)
 - [Command Reference](command-ref/index.md)
   - [Common Options](command-ref/opt-common.md)
   - [Common Environment Variables](command-ref/env-common.md)
@@ -110,17 +121,30 @@
 - [Architecture and Design](architecture/architecture.md)
 - [Formats and Protocols](protocols/index.md)
   - [JSON Formats](protocols/json/index.md)
+    - [File System Object](protocols/json/file-system-object.md)
+    - [Hash](protocols/json/hash.md)
+    - [Content Address](protocols/json/content-address.md)
+    - [Store Path](protocols/json/store-path.md)
     - [Store Object Info](protocols/json/store-object-info.md)
-    - [Derivation](protocols/json/derivation.md)
+    - [Derivation](protocols/json/derivation/index.md)
+      - [Derivation Options](protocols/json/derivation/options.md)
+    - [Deriving Path](protocols/json/deriving-path.md)
+    - [Build Trace Entry](protocols/json/build-trace-entry.md)
+    - [Build Result](protocols/json/build-result.md)
+    - [Store](protocols/json/store.md)
   - [Serving Tarball Flakes](protocols/tarball-fetcher.md)
   - [Store Path Specification](protocols/store-path.md)
-  - [Nix Archive (NAR) Format](protocols/nix-archive.md)
+  - [Nix Archive (NAR) Format](protocols/nix-archive/index.md)
+  - [Nix Cache Info Format](protocols/nix-cache-info.md)
   - [Derivation "ATerm" file format](protocols/derivation-aterm.md)
+  - [Nix32 Encoding](protocols/nix32.md)
 - [C API](c-api.md)
 - [Glossary](glossary.md)
 - [Development](development/index.md)
   - [Building](development/building.md)
   - [Testing](development/testing.md)
+  - [Benchmarking](development/benchmarking.md)
+  - [Debugging](development/debugging.md)
   - [Documentation](development/documentation.md)
   - [CLI guideline](development/cli-guideline.md)
   - [JSON guideline](development/json-guideline.md)
@@ -129,6 +153,15 @@
   - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
+  - [Release 2.33 (2025-12-09)](release-notes/rl-2.33.md)
+  - [Release 2.32 (2025-10-06)](release-notes/rl-2.32.md)
+  - [Release 2.31 (2025-08-21)](release-notes/rl-2.31.md)
+  - [Release 2.30 (2025-07-07)](release-notes/rl-2.30.md)
+  - [Release 2.29 (2025-05-14)](release-notes/rl-2.29.md)
+  - [Release 2.28 (2025-04-02)](release-notes/rl-2.28.md)
+  - [Release 2.27 (2025-03-03)](release-notes/rl-2.27.md)
+  - [Release 2.26 (2025-01-22)](release-notes/rl-2.26.md)
+  - [Release 2.25 (2024-11-07)](release-notes/rl-2.25.md)
   - [Release 2.24 (2024-07-31)](release-notes/rl-2.24.md)
   - [Release 2.23 (2024-06-03)](release-notes/rl-2.23.md)
   - [Release 2.22 (2024-04-23)](release-notes/rl-2.22.md)

doc/manual/source/advanced-topics/distributed-builds.md

@@ -0,0 +1,110 @@
+# Remote Builds
+
+A local Nix installation can forward Nix builds to other machines,
+this allows multiple builds to be performed in parallel.
+
+Remote builds also allow Nix to perform multi-platform builds in a
+semi-transparent way. For example, if you perform a build for a
+`x86_64-darwin` on an `i686-linux` machine, Nix can automatically
+forward the build to a `x86_64-darwin` machine, if one is available.
+
+## Requirements
+
+For a local machine to forward a build to a remote machine, the remote machine must:
+
+- Have Nix installed
+- Be running an SSH server, e.g. `sshd`
+- Be accessible via SSH from the local machine over the network
+- Have the local machine's public SSH key in `/etc/ssh/authorized_keys.d/<username>`
+- Have the username of the SSH user in the `trusted-users` setting in `nix.conf`
+
+## Testing
+
+To test connecting to a remote [Nix instance] (in this case `mac`), run:
+
+```console
+nix store info --store ssh://username@mac
+```
+
+To specify an SSH identity file as part of the remote store URI add a
+query parameter, e.g.
+
+```console
+nix store info --store ssh://username@mac?ssh-key=/home/alice/my-key
+```
+
+Since builds should be non-interactive, the key should not have a
+passphrase. Alternatively, you can load identities ahead of time into
+`ssh-agent` or `gpg-agent`.
+
+In a multi-user installation (default), builds are executed by the Nix
+Daemon. The Nix Daemon cannot prompt for a passphrase via the terminal
+or `ssh-agent`, so the SSH key must not have a passphrase.
+
+In addition, the Nix Daemon's user (typically root) needs to have SSH
+access to the remote builder.
+
+Access can be verified by running `sudo su`, and then validating SSH
+access, e.g. by running `ssh mac`. SSH identity files for root users
+are usually stored in `/root/.ssh/` (Linux) or `/var/root/.ssh` (MacOS).
+
+If you get the error
+
+```console
+bash: nix: command not found
+error: cannot connect to 'mac'
+```
+
+then you need to ensure that the `PATH` of non-interactive login shells
+contains Nix.
+
+The [list of remote build machines](@docroot@/command-ref/conf-file.md#conf-builders) can be specified on the command line or in the Nix configuration file.
+For example, the following command allows you to build a derivation for `x86_64-darwin` on a Linux machine:
+
+```console
+uname
+```
+
+```console
+Linux
+```
+
+```console
+nix build --impure \
+ --expr '(with import <nixpkgs> { system = "x86_64-darwin"; }; runCommand "foo" {} "uname > $out")' \
+ --builders 'ssh://mac x86_64-darwin'
+```
+
+```console
+[1/0/1 built, 0.0 MiB DL] building foo on ssh://mac
+```
+
+```console
+cat ./result
+```
+
+```console
+Darwin
+```
+
+It is possible to specify multiple build machines separated by a semicolon or a newline, e.g.
+
+```console
+  --builders 'ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd'
+```
+
+Remote build machines can also be configured in [`nix.conf`](@docroot@/command-ref/conf-file.md), e.g.
+
+    builders = ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd
+
+After making changes to `nix.conf`, restart the Nix daemon for changes to take effect.
+
+Finally, remote build machines can be configured in a separate configuration
+file included in `builders` via the syntax `@/path/to/file`. For example,
+
+    builders = @/etc/nix/machines
+
+causes the list of machines in `/etc/nix/machines` to be included.
+(This is the default.)
+
+[Nix instance]: @docroot@/glossary.md#gloss-nix-instance

doc/manual/source/advanced-topics/eval-profiler.md

@@ -0,0 +1,33 @@
+# Using the `eval-profiler`
+
+Nix evaluator supports [evaluation](@docroot@/language/evaluation.md)
+[profiling](<https://en.wikipedia.org/wiki/Profiling_(computer_programming)>)
+compatible with `flamegraph.pl`. The profiler samples the nix
+function call stack at regular intervals. It can be enabled with the
+[`eval-profiler`](@docroot@/command-ref/conf-file.md#conf-eval-profiler)
+setting:
+
+```console
+$ nix-instantiate "<nixpkgs>" -A hello --eval-profiler flamegraph
+```
+
+Stack sampling frequency and the output file path can be configured with
+[`eval-profile-file`](@docroot@/command-ref/conf-file.md#conf-eval-profile-file)
+and [`eval-profiler-frequency`](@docroot@/command-ref/conf-file.md#conf-eval-profiler-frequency).
+By default the collected profile is saved to `nix.profile` file in the current working directory.
+
+The collected profile can be directly consumed by `flamegraph.pl`:
+
+```console
+$ flamegraph.pl nix.profile > flamegraph.svg
+```
+
+The line information in the profile contains the location of the [call
+site](https://en.wikipedia.org/wiki/Call_site) position and the name of the
+function being called (when available). For example:
+
+```
+/nix/store/2q71fdvr4h33g9832hiriwnf20fn630l-source/pkgs/top-level/default.nix:167:5:primop import
+```
+
+Here `import` primop is called at `/nix/store/2q71fdvr4h33g9832hiriwnf20fn630l-source/pkgs/top-level/default.nix:167:5`.

doc/manual/source/architecture/architecture.md

@@ -22,9 +22,9 @@ The following [concept map] shows its main components (rectangles), the objects
            |                   |
 +----------|-------------------|--------------------------------+
 | Nix      |                   V                                |
-|          |      +-------------------------+                   |
-|          |      | commmand line interface |------.            |
-|          |      +-------------------------+      |            |
+|          |       +------------------------+                   |
+|          |       | command line interface |------.            |
+|          |       +------------------------+      |            |
 |          |                   |                   |            |
 |    evaluated by            calls              manages         |
 |          |                   |                   |            |
@@ -69,7 +69,7 @@ It can also execute build plans to produce new data, which are made available to
 A build plan itself is a series of *build tasks*, together with their build inputs.
 
 > **Important**
-> A build task in Nix is called [derivation](@docroot@/glossary.md#gloss-derivation).
+> A build task in Nix is called [store derivation](@docroot@/glossary.md#gloss-store-derivation).
 
 Each build task has a special build input executed as *build instructions* in order to perform the build.
 The result of a build task can be input to another build task.

doc/manual/source/command-ref/env-common.md

@@ -57,11 +57,6 @@ Most Nix commands interpret the following environment variables:
 
   Overrides the location of the Nix store (default `prefix/store`).
 
-- <span id="env-NIX_DATA_DIR">[`NIX_DATA_DIR`](#env-NIX_DATA_DIR)</span>
-
-  Overrides the location of the Nix static data directory (default
-  `prefix/share`).
-
 - <span id="env-NIX_LOG_DIR">[`NIX_LOG_DIR`](#env-NIX_LOG_DIR)</span>
 
   Overrides the location of the Nix log directory (default
@@ -75,7 +70,7 @@ Most Nix commands interpret the following environment variables:
 - <span id="env-NIX_CONF_DIR">[`NIX_CONF_DIR`](#env-NIX_CONF_DIR)</span>
 
   Overrides the location of the system Nix configuration directory
-  (default `prefix/etc/nix`).
+  (default `sysconfdir/nix`, i.e. `/etc/nix` on most systems).
 
 - <span id="env-NIX_CONFIG">[`NIX_CONFIG`](#env-NIX_CONFIG)</span>
 
@@ -138,6 +133,19 @@ The following environment variables are used to determine locations of various s
 - [`XDG_STATE_HOME`]{#env-XDG_STATE_HOME} (default `~/.local/state`)
 - [`XDG_CACHE_HOME`]{#env-XDG_CACHE_HOME} (default `~/.cache`)
 
-
 [XDG Base Directory Specification]: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
 [`use-xdg-base-directories`]: @docroot@/command-ref/conf-file.md#conf-use-xdg-base-directories
+
+In addition, setting the following environment variables overrides the XDG base directories:
+
+- [`NIX_CONFIG_HOME`]{#env-NIX_CONFIG_HOME} (default `$XDG_CONFIG_HOME/nix`)
+- [`NIX_STATE_HOME`]{#env-NIX_STATE_HOME} (default `$XDG_STATE_HOME/nix`)
+- [`NIX_CACHE_HOME`]{#env-NIX_CACHE_HOME} (default `$XDG_CACHE_HOME/nix`)
+
+When [`use-xdg-base-directories`] is enabled, the configuration directory is:
+
+1. `$NIX_CONFIG_HOME`, if it is defined
+2. Otherwise, `$XDG_CONFIG_HOME/nix`, if `XDG_CONFIG_HOME` is defined
+3. Otherwise, `~/.config/nix`.
+
+Likewise for the state and cache directories.

doc/manual/source/command-ref/files/default-nix-expression.md

@@ -1,6 +1,6 @@
 ## Default Nix expression
 
-The source for the default [Nix expressions](@docroot@/language/index.md) used by [`nix-env`]:
+The source for the [Nix expressions](@docroot@/glossary.md#gloss-nix-expression) used by [`nix-env`] by default:
 
 - `~/.nix-defexpr`
 - `$XDG_STATE_HOME/nix/defexpr` if [`use-xdg-base-directories`] is set to `true`.
@@ -18,35 +18,37 @@ Then, the resulting expression is interpreted like this:
 - If the expression is an attribute set, it is used as the default Nix expression.
 - If the expression is a function, an empty set is passed as argument and the return value is used as the default Nix expression.
 
-
-For example, if the default expression contains two files, `foo.nix` and `bar.nix`, then the default Nix expression will be equivalent to
-
-```nix
-{
-  foo = import ~/.nix-defexpr/foo.nix;
-  bar = import ~/.nix-defexpr/bar.nix;
-}
-```
+> **Example**
+>
+> If the default expression contains two files, `foo.nix` and `bar.nix`, then the default Nix expression will be equivalent to
+>
+> ```nix
+> {
+>   foo = import ~/.nix-defexpr/foo.nix;
+>   bar = import ~/.nix-defexpr/bar.nix;
+> }
+> ```
 
 The file [`manifest.nix`](@docroot@/command-ref/files/manifest.nix.md) is always ignored.
 
-The command [`nix-channel`] places a symlink to the user's current [channels profile](@docroot@/command-ref/files/channels.md) in this directory.
+The command [`nix-channel`] places a symlink to the current user's [channels] in this directory, the [user channel link](#user-channel-link).
 This makes all subscribed channels available as attributes in the default expression.
 
 ## User channel link
 
-A symlink that ensures that [`nix-env`] can find your channels:
+A symlink that ensures that [`nix-env`] can find the current user's [channels]:
 
 - `~/.nix-defexpr/channels`
-- `$XDG_STATE_HOME/defexpr/channels` if [`use-xdg-base-directories`] is set to `true`.
+- `$XDG_STATE_HOME/nix/defexpr/channels` if [`use-xdg-base-directories`] is set to `true`.
 
 This symlink points to:
 
-- `$XDG_STATE_HOME/profiles/channels` for regular users
+- `$XDG_STATE_HOME/nix/profiles/channels` for regular users
 - `$NIX_STATE_DIR/profiles/per-user/root/channels` for `root`
 
-In a multi-user installation, you may also have `~/.nix-defexpr/channels_root`, which links to the channels of the root user.[`nix-env`]: ../nix-env.md
+In a multi-user installation, you may also have `~/.nix-defexpr/channels_root`, which links to the channels of the root user.
 
-[`nix-env`]: @docroot@/command-ref/nix-env.md
 [`nix-channel`]: @docroot@/command-ref/nix-channel.md
+[`nix-env`]: @docroot@/command-ref/nix-env.md
 [`use-xdg-base-directories`]: @docroot@/command-ref/conf-file.md#conf-use-xdg-base-directories
+[channels]: @docroot@/command-ref/files/channels.md

doc/manual/source/command-ref/files/manifest.nix.md

@@ -114,9 +114,9 @@ Here is an example of how this file might look like after installing `hello` fro
   };
   name = "hello-2.12.1";
   out = {
-    outPath = "/nix/store/260q5867crm1xjs4khgqpl6vr9kywql1-hello-2.12.1";
+    outPath = "/nix/store/src1vzij2z0slnakrsbpqpk20389z0k6-hello-2.12.1";
   };
-  outPath = "/nix/store/260q5867crm1xjs4khgqpl6vr9kywql1-hello-2.12.1";
+  outPath = "/nix/store/src1vzij2z0slnakrsbpqpk20389z0k6-hello-2.12.1";
   outputs = [ "out" ];
   system = "x86_64-linux";
   type = "derivation";

doc/manual/source/command-ref/files/profiles.md

@@ -37,13 +37,13 @@ dr-xr-xr-x 4 root root 4096 Jan  1  1970 share
 
 /home/eelco/.local/state/nix/profiles/profile-7-link/bin:
 total 20
-lrwxrwxrwx 5 root root 79 Jan  1  1970 chromium -> /nix/store/ijm5k0zqisvkdwjkc77mb9qzb35xfi4m-chromium-86.0.4240.111/bin/chromium
+lrwxrwxrwx 5 root root 79 Jan  1  1970 chromium -> /nix/store/cyxny9d1zjb9l9103fr6j6kavp3bqjxf-chromium-86.0.4240.111/bin/chromium
 lrwxrwxrwx 7 root root 87 Jan  1  1970 spotify -> /nix/store/w9182874m1bl56smps3m5zjj36jhp3rn-spotify-1.1.26.501.gbe11e53b-15/bin/spotify
 lrwxrwxrwx 3 root root 79 Jan  1  1970 zoom-us -> /nix/store/wbhg2ga8f3h87s9h5k0slxk0m81m4cxl-zoom-us-5.3.469451.0927/bin/zoom-us
 
 /home/eelco/.local/state/nix/profiles/profile-7-link/share/applications:
 total 12
-lrwxrwxrwx 4 root root 120 Jan  1  1970 chromium-browser.desktop -> /nix/store/4cf803y4vzfm3gyk3vzhzb2327v0kl8a-chromium-unwrapped-86.0.4240.111/share/applications/chromium-browser.desktop
+lrwxrwxrwx 4 root root 120 Jan  1  1970 chromium-browser.desktop -> /nix/store/sqzyx2l85i6j2a77pnyvglh3bvzwmjjp-chromium-unwrapped-86.0.4240.111/share/applications/chromium-browser.desktop
 lrwxrwxrwx 7 root root 110 Jan  1  1970 spotify.desktop -> /nix/store/w9182874m1bl56smps3m5zjj36jhp3rn-spotify-1.1.26.501.gbe11e53b-15/share/applications/spotify.desktop
 lrwxrwxrwx 3 root root 107 Jan  1  1970 us.zoom.Zoom.desktop -> /nix/store/wbhg2ga8f3h87s9h5k0slxk0m81m4cxl-zoom-us-5.3.469451.0927/share/applications/us.zoom.Zoom.desktop
 

doc/manual/source/command-ref/meson.build

@@ -0,0 +1,56 @@
+xp_features_json = custom_target(
+  command : [ nix, '__dump-xp-features' ],
+  capture : true,
+  output : 'xp-features.json',
+  env : nix_env_for_docs,
+)
+
+experimental_features_shortlist_md = custom_target(
+  command : nix_eval_for_docs + [
+    '--expr', 'import @INPUT0@ (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+  ],
+  input : [
+    '../../generate-xp-features-shortlist.nix',
+    xp_features_json,
+  ],
+  output : 'experimental-features-shortlist.md',
+  capture : true,
+  env : nix_env_for_docs,
+)
+
+nix3_cli_files = custom_target(
+  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
+    '--expr', 'import @INPUT1@ true (builtins.readFile ./@INPUT2@)',
+  ],
+  input : [
+    '../../remove_before_wrapper.py',
+    '../../generate-manpage.nix',
+    nix3_cli_json,
+  ],
+  output : 'new-cli',
+  env : nix_env_for_docs,
+)
+
+conf_file_md_body = custom_target(
+  command : [
+    nix_eval_for_docs,
+    '--expr', 'import @INPUT0@ { prefix = "conf"; } (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+  ],
+  capture : true,
+  input : [
+    '../../generate-settings.nix',
+    conf_file_json,
+  ],
+  output : 'conf-file.body.md',
+  env : nix_env_for_docs,
+)
+
+conf_file_md = custom_target(
+  command : [ 'cat', '@INPUT0@', '@INPUT1@' ],
+  capture : true,
+  input : [
+    'conf-file-prefix.md',
+    conf_file_md_body,
+  ],
+  output : 'conf-file.md',
+)

doc/manual/source/command-ref/nix-build.md

@@ -36,7 +36,7 @@ to a temporary location. The tarball must include a single top-level
 directory containing at least a file named `default.nix`.
 
 `nix-build` is essentially a wrapper around
-[`nix-instantiate`](nix-instantiate.md) (to translate a high-level Nix
+[`nix-instantiate`](./nix-instantiate.md) (to translate a high-level Nix
 expression to a low-level [store derivation]) and [`nix-store
 --realise`](@docroot@/command-ref/nix-store/realise.md) (to build the store
 derivation).
@@ -52,8 +52,8 @@ derivation).
 # Options
 
 All options not listed here are passed to
-[`nix-store --realise`](nix-store/realise.md),
-except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](nix-instantiate.md).
+[`nix-store --realise`](./nix-store/realise.md),
+except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](./nix-instantiate.md).
 
 - <span id="opt-no-out-link">[`--no-out-link`](#opt-no-out-link)<span>
 

doc/manual/source/command-ref/nix-channel.md

@@ -11,10 +11,10 @@
 Channels are a mechanism for referencing remote Nix expressions and conveniently retrieving their latest version.
 
 The moving parts of channels are:
-- The official channels listed at <https://nixos.org/channels>
+- The official channels listed at <https://channels.nixos.org>
 - The user-specific list of [subscribed channels](#subscribed-channels)
 - The [downloaded channel contents](#channels)
-- The [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path), set with the [`-I` option](#opt-i) or the [`NIX_PATH` environment variable](#env-NIX_PATH)
+- The [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path), set with the [`-I` option](#opt-I) or the [`NIX_PATH` environment variable](#env-NIX_PATH)
 
 > **Note**
 >
@@ -53,6 +53,11 @@ This command has the following operations:
   Download the Nix expressions of subscribed channels and create a new generation.
   Update all channels if none is specified, and only those included in *names* otherwise.
 
+  > **Note**
+  >
+  > Downloaded channel contents are cached.
+  > Use `--tarball-ttl` or the [`tarball-ttl` configuration option](@docroot@/command-ref/conf-file.md#conf-tarball-ttl) to change the validity period of cached downloads.
+
 - `--list-generations`
 
   Prints a list of all the current existing generations for the
@@ -83,9 +88,9 @@ This command has the following operations:
 Subscribe to the Nixpkgs channel and run `hello` from the GNU Hello package:
 
 ```console
-$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+$ nix-channel --add https://channels.nixos.org/nixpkgs-unstable
 $ nix-channel --list
-nixpkgs https://nixos.org/channels/nixpkgs
+nixpkgs https://channels.nixos.org/nixpkgs
 $ nix-channel --update
 $ nix-shell -p hello --run hello
 hello

doc/manual/source/command-ref/nix-collect-garbage.md

@@ -36,7 +36,7 @@ Instead, it looks in a few locations, and acts on all profiles it finds there:
    >
    > Not stable; subject to change
    >
-   > Do not rely on this functionality; it just exists for migration purposes and is may change in the future.
+   > Do not rely on this functionality; it just exists for migration purposes and may change in the future.
    > These deprecated paths remain a private implementation detail of Nix.
 
    `$NIX_STATE_DIR/profiles` and `$NIX_STATE_DIR/profiles/per-user`.
@@ -62,6 +62,15 @@ These options are for deleting old [profiles] prior to deleting unreachable [sto
   This is the equivalent of invoking [`nix-env --delete-generations <period>`](@docroot@/command-ref/nix-env/delete-generations.md#generations-time) on each found profile.
   See the documentation of that command for additional information about the *period* argument.
 
+  - <span id="opt-max-freed">[`--max-freed`](#opt-max-freed)</span> *bytes*
+
+<!-- duplication from https://github.com/NixOS/nix/blob/442a2623e48357ff72c77bb11cf2cf06d94d2f90/doc/manual/source/command-ref/nix-store/gc.md?plain=1#L39-L44 -->
+
+  Keep deleting paths until at least *bytes* bytes have been deleted,
+  then stop. The argument *bytes* can be followed by the
+  multiplicative suffix `K`, `M`, `G` or `T`, denoting KiB, MiB, GiB
+  or TiB units.
+  
 {{#include ./opt-common.md}}
 
 {{#include ./env-common.md}}

doc/manual/source/command-ref/nix-copy-closure.md

@@ -72,11 +72,11 @@ When using public key authentication, you can avoid typing the passphrase with `
 > $ storePath="$(nix-build '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello --no-out-link)"
 > $ nix-copy-closure --to alice@itchy.example.org "$storePath"
 > copying 5 paths...
-> copying path '/nix/store/nrwkk6ak3rgkrxbqhsscb01jpzmslf2r-xgcc-13.2.0-libgcc' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/gm61h1y42pqyl6178g90x8zm22n6pyy5-libunistring-1.1' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/ddfzjdykw67s20c35i7a6624by3iz5jv-libidn2-2.3.7' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/apab5i73dqa09wx0q27b6fbhd1r18ihl-glibc-2.39-31' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/g1n2vryg06amvcc1avb2mcq36faly0mh-hello-2.12.1' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/h6q8sqsqfbd3252f9gixqn3z282wds7m-xgcc-13.2.0-libgcc' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/imnwvn96lw355giswsk36hx105j4wnpj-libunistring-1.1' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/85301indj7scg34spnfczkz72jgv8wa9-libidn2-2.3.7' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/ypwfsaljwhzw9iffiysxmxnhjj8v7np0-glibc-2.39-31' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/0dklv59zppdsqdvgf0qdvjgzcs5wbwxa-hello-2.12.1' to 'ssh://alice@itchy.example.org'...
 > ```
 
 > **Example**
@@ -84,7 +84,7 @@ When using public key authentication, you can avoid typing the passphrase with `
 > Copy GNU Hello from a remote machine using a known store path, and run it:
 >
 > ```shell-session
-> $ storePath="$(nix-instantiate --eval '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello.outPath | tr -d '"')"
+> $ storePath="$(nix-instantiate --eval --raw '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello.outPath)"
 > $ nix-copy-closure --from alice@itchy.example.org "$storePath"
 > $ "$storePath"/bin/hello
 > Hello, world!

doc/manual/source/command-ref/nix-env.md

@@ -62,7 +62,7 @@ These pages can be viewed offline:
 
 Several operations, such as [`nix-env --query`](./nix-env/query.md) and [`nix-env --install`](./nix-env/install.md), take a list of *arguments* that specify the packages on which to operate.
 
-Packages are identified based on a `name` part and a `version` part of a [symbolic derivation name](@docroot@/language/derivations.md#attr-names):
+Packages are identified based on a `name` part and a `version` part of a [symbolic derivation name](@docroot@/language/derivations.md#attr-name):
 
 - `name`: Everything up to but not including the first dash (`-`) that is *not* followed by a letter.
 - `version`: The rest, excluding the separating dash.

doc/manual/source/command-ref/nix-env/delete-generations.md

@@ -27,7 +27,7 @@ This operation deletes the specified generations of the current profile.
   >
   > Older *and newer* generations will be deleted by this operation.
   >
-  > One might expect this to just delete older generations than the curent one, but that is only true if the current generation is also the latest.
+  > One might expect this to just delete older generations than the current one, but that is only true if the current generation is also the latest.
   > Because one can roll back to a previous generation, it is possible to have generations newer than the current one.
   > They will also be deleted.