treewide: Make exceptions cloneable

This is needed to make it possible to store exceptions in failed values
with each new rethrow getting a fresh copy of the exception object.

.clang-format

@@ -8,7 +8,7 @@ BraceWrapping:
   AfterUnion: true
   SplitEmptyRecord: false
 PointerAlignment: Middle
-FixNamespaceComments: false
+FixNamespaceComments: true
 SortIncludes: Never
 #IndentPPDirectives: BeforeHash
 SpaceAfterCStyleCast: true
@@ -32,3 +32,4 @@ IndentPPDirectives: AfterHash
 PPIndentWidth: 2
 BinPackArguments: false
 BreakBeforeTernaryOperators: true
+SeparateDefinitionBlocks: Always

.coderabbit.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+# Disable CodeRabbit auto-review to prevent verbose comments on PRs.
+# When enabled: false, CodeRabbit won't attempt reviews and won't post
+# "Review skipped" or other automated comments.
+reviews:
+  auto_review:
+    enabled: false
+  review_status: false
+  high_level_summary: false
+  poem: false
+  sequence_diagrams: false
+  changed_files_summary: false
+  tools:
+    github-checks:
+      enabled: false
+chat:
+  art: false
+  auto_reply: false

.git-blame-ignore-revs

@@ -0,0 +1,6 @@
+# bulk initial re-formatting with clang-format
+e4f62e46088919428a68bd8014201dc8e379fed7 # !autorebase ./maintainers/format.sh --until-stable
+# meson re-formatting
+385e2c3542c707d95e3784f7f6d623f67e77ab61 # !autorebase ./maintainers/format.sh --until-stable
+# nixfmt 1.0.0
+1d943f581908f35075a84a3d89c2eba3ff35067f # !autorebase ./maintainers/format.sh --until-stable

.github/ISSUE_TEMPLATE/bug_report.md

@@ -45,7 +45,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open bug issues and pull requests] for possible duplicates
 
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
+[latest Nix manual]: https://nix.dev/manual/nix/development/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open bug issues and pull requests]: https://github.com/NixOS/nix/labels/bug
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -30,7 +30,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open feature issues and pull requests] for possible duplicates
 
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
+[latest Nix manual]: https://nix.dev/manual/nix/development/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open feature issues and pull requests]: https://github.com/NixOS/nix/labels/feature
 

.github/ISSUE_TEMPLATE/installer.md

@@ -38,7 +38,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open installer issues and pull requests] for possible duplicates
 
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
+[latest Nix manual]: https://nix.dev/manual/nix/development/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open installer issues and pull requests]: https://github.com/NixOS/nix/labels/installer
 

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -22,7 +22,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open documentation issues and pull requests] for possible duplicates
 
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
+[latest Nix manual]: https://nix.dev/manual/nix/development/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open documentation issues and pull requests]: https://github.com/NixOS/nix/labels/documentation
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -15,6 +15,10 @@ so you understand the process and the expectations.
 - volunteering contributions effectively
 - how to get help and our review process.
 
+PR stuck in review? We have two Nix team meetings per week online that are open for everyone in a jitsi conference:
+
+- https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com
+
 -->
 
 ## Motivation

.github/actions/install-nix-action/action.yaml

@@ -0,0 +1,124 @@
+name: "Install Nix"
+description: "Helper action for installing Nix with support for dogfooding from master"
+inputs:
+  dogfood:
+    description: "Whether to use Nix installed from the latest artifact from master branch"
+    required: true # Be explicit about the fact that we are using unreleased artifacts
+  experimental-installer:
+    description: "Whether to use the experimental installer to install Nix"
+    default: false
+  experimental-installer-version:
+    description: "Version of the experimental installer to use. If `latest`, the newest artifact from the default branch is used."
+    # TODO: This should probably be pinned to a release after https://github.com/NixOS/experimental-nix-installer/pull/49 lands in one
+    default: "latest"
+  extra_nix_config:
+    description: "Gets appended to `/etc/nix/nix.conf` if passed."
+  install_url:
+    description: "URL of the Nix installer"
+    required: false
+    default: "https://releases.nixos.org/nix/nix-2.32.1/install"
+  tarball_url:
+    description: "URL of the Nix tarball to use with the experimental installer"
+    required: false
+  github_token:
+    description: "Github token"
+    required: true
+  use_cache:
+    description: "Whether to setup github actions cache (not implemented currently)"
+    default: false
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: "Download nix install artifact from master"
+      shell: bash
+      id: download-nix-installer
+      if: inputs.dogfood == 'true'
+      run: |
+        RUN_ID=$(gh run list --repo "$DOGFOOD_REPO" --workflow ci.yml --branch master --status success --json databaseId --jq ".[0].databaseId")
+
+        if [ "$RUNNER_OS" == "Linux" ]; then
+          INSTALLER_ARTIFACT="installer-linux"
+        elif [ "$RUNNER_OS" == "macOS" ]; then
+          INSTALLER_ARTIFACT="installer-darwin"
+        else
+          echo "::error ::Unsupported RUNNER_OS: $RUNNER_OS"
+          exit 1
+        fi
+
+        INSTALLER_DOWNLOAD_DIR="$GITHUB_WORKSPACE/$INSTALLER_ARTIFACT"
+        mkdir -p "$INSTALLER_DOWNLOAD_DIR"
+
+        gh run download "$RUN_ID" --repo "$DOGFOOD_REPO" -n "$INSTALLER_ARTIFACT" -D "$INSTALLER_DOWNLOAD_DIR"
+        echo "installer-path=file://$INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
+        TARBALL_PATH="$(find "$INSTALLER_DOWNLOAD_DIR" -name 'nix*.tar.xz' -print | head -n 1)"
+        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
+
+        echo "::notice ::Dogfooding Nix installer from master (https://github.com/$DOGFOOD_REPO/actions/runs/$RUN_ID)"
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+        DOGFOOD_REPO: "NixOS/nix"
+    - name: "Gather system info for experimental installer"
+      shell: bash
+      if: ${{ inputs.experimental-installer == 'true' }}
+      run: |
+        echo "::notice Using experimental installer from $EXPERIMENTAL_INSTALLER_REPO (https://github.com/$EXPERIMENTAL_INSTALLER_REPO)"
+
+        if [ "$RUNNER_OS" == "Linux" ]; then
+          EXPERIMENTAL_INSTALLER_SYSTEM="linux"
+          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
+        elif [ "$RUNNER_OS" == "macOS" ]; then
+          EXPERIMENTAL_INSTALLER_SYSTEM="darwin"
+          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
+        else
+          echo "::error ::Unsupported RUNNER_OS: $RUNNER_OS"
+          exit 1
+        fi
+
+        if [ "$RUNNER_ARCH" == "X64" ]; then
+          EXPERIMENTAL_INSTALLER_ARCH=x86_64
+          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
+        elif [ "$RUNNER_ARCH" == "ARM64" ]; then
+          EXPERIMENTAL_INSTALLER_ARCH=aarch64
+          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
+        else
+          echo "::error ::Unsupported RUNNER_ARCH: $RUNNER_ARCH"
+          exit 1
+        fi
+
+        echo "EXPERIMENTAL_INSTALLER_ARTIFACT=nix-installer-$EXPERIMENTAL_INSTALLER_ARCH-$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
+      env:
+        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
+    - name: "Download latest experimental installer"
+      shell: bash
+      id: download-latest-experimental-installer
+      if: ${{ inputs.experimental-installer == 'true' && inputs.experimental-installer-version == 'latest' }}
+      run: |
+        RUN_ID=$(gh run list --repo "$EXPERIMENTAL_INSTALLER_REPO" --workflow ci.yml --branch main --status success --json databaseId --jq ".[0].databaseId")
+
+        EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR="$GITHUB_WORKSPACE/$EXPERIMENTAL_INSTALLER_ARTIFACT"
+        mkdir -p "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
+
+        gh run download "$RUN_ID" --repo "$EXPERIMENTAL_INSTALLER_REPO" -n "$EXPERIMENTAL_INSTALLER_ARTIFACT" -D "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
+        # Executable permissions are lost in artifacts
+        find $EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR -type f -exec chmod +x {} +
+        echo "installer-path=$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
+    - uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31.5.1
+      if: ${{ inputs.experimental-installer != 'true' }}
+      with:
+        # Ternary operator in GHA: https://www.github.com/actions/runner/issues/409#issuecomment-752775072
+        install_url: ${{ inputs.dogfood == 'true' && format('{0}/install', steps.download-nix-installer.outputs.installer-path) || inputs.install_url }}
+        install_options: ${{ inputs.dogfood == 'true' && format('--tarball-url-prefix {0}', steps.download-nix-installer.outputs.installer-path) || '' }}
+        extra_nix_config: ${{ inputs.extra_nix_config }}
+    - uses: DeterminateSystems/nix-installer-action@786fff0690178f1234e4e1fe9b536e94f5433196 # v20
+      if: ${{ inputs.experimental-installer == 'true' }}
+      with:
+        diagnostic-endpoint: ""
+        # TODO: It'd be nice to use `artifacts.nixos.org` for both of these, maybe through an `/experimental-installer/latest` endpoint? or `/commit/<hash>`?
+        local-root: ${{ inputs.experimental-installer-version == 'latest' && steps.download-latest-experimental-installer.outputs.installer-path || '' }}
+        source-url: ${{ inputs.experimental-installer-version != 'latest' && 'https://artifacts.nixos.org/experimental-installer/tag/${{ inputs.experimental-installer-version }}/${{ env.EXPERIMENTAL_INSTALLER_ARTIFACT }}' || '' }}
+        nix-package-url: ${{ inputs.dogfood == 'true' && steps.download-nix-installer.outputs.tarball-path || (inputs.tarball_url || '') }}
+        extra-conf: ${{ inputs.extra_nix_config }}

.github/workflows/backport.yml

@@ -0,0 +1,37 @@
+name: Backport
+on:
+  pull_request_target:
+    types: [closed, labeled]
+permissions:
+  contents: read
+jobs:
+  backport:
+    name: Backport Pull Request
+    permissions:
+      # for korthout/backport-action
+      contents: write
+      pull-requests: write
+    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - name: Generate GitHub App token
+        id: generate-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.CI_APP_ID }}
+          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          # required to find all branches
+          fetch-depth: 0
+      - name: Create backport PRs
+        uses: korthout/backport-action@c656f5d5851037b2b38fb5db2691a03fa229e3b2 # v4.0.1
+        id: backport
+        with:
+          # Config README: https://github.com/korthout/backport-action#backport-action
+          github_token: ${{ steps.generate-token.outputs.token }}
+          github_workspace: ${{ github.workspace }}
+          auto_merge_enabled: true
+          pull_description: |-
+            Automatic backport to `${target_branch}`, triggered by a label in #${pull_number}.

.github/workflows/ci.yml

@@ -2,7 +2,21 @@ name: "CI"
 
 on:
   pull_request:
+  merge_group:
   push:
+    branches:
+      - master
+  workflow_dispatch:
+    inputs:
+      dogfood:
+        description: 'Use dogfood Nix build'
+        required: false
+        default: true
+        type: boolean
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 permissions: read-all
 
@@ -10,13 +24,43 @@ jobs:
   eval:
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
-    - uses: cachix/install-nix-action@v31
-    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
+    - uses: ./.github/actions/install-nix-action
+      with:
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        extra_nix_config:
+          experimental-features = nix-command flakes
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        use_cache: false
+    - run: nix flake show --all-systems --json
+
+  pre-commit-checks:
+    name: pre-commit checks
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - uses: ./.github/actions/install-nix-action
+        with:
+          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+          extra_nix_config: experimental-features = nix-command flakes
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - run: ./ci/gha/tests/pre-commit-checks
+
+  basic-checks:
+    name: aggregate basic checks
+    if: ${{ always() }}
+    runs-on: ubuntu-24.04
+    needs: [pre-commit-checks, eval]
+    steps:
+      - name: Exit with any errors
+        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
+        run: |
+          exit 1
 
   tests:
+    needs: basic-checks
     strategy:
       fail-fast: false
       matrix:
@@ -24,34 +68,74 @@ jobs:
           - scenario: on ubuntu
             runs-on: ubuntu-24.04
             os: linux
+            instrumented: false
+            primary: true
+            stdenv: stdenv
           - scenario: on macos
             runs-on: macos-14
             os: darwin
+            instrumented: false
+            primary: true
+            stdenv: stdenv
+          - scenario: on ubuntu (with sanitizers / coverage)
+            runs-on: ubuntu-24.04
+            os: linux
+            instrumented: true
+            primary: false
+            stdenv: clangStdenv
     name: tests ${{ matrix.scenario }}
     runs-on: ${{ matrix.runs-on }}
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
-    - uses: cachix/install-nix-action@v31
+    - uses: ./.github/actions/install-nix-action
       with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
         # The sandbox would otherwise be disabled by default on Darwin
-        extra_nix_config: |
-          sandbox = true
-          max-jobs = 1
-    - uses: DeterminateSystems/magic-nix-cache-action@main
+        extra_nix_config: "sandbox = true"
     # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
     # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
     - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
       if: matrix.os == 'linux'
-    - run: scripts/build-checks
-    - run: scripts/prepare-installer-for-github-actions
+    - name: Run component tests
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix componentTests -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}"
+    - name: Run VM tests
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix vmTests -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}"
+      if: ${{ matrix.os == 'linux' }}
+    - name: Run flake checks and prepare the installer tarball
+      run: |
+        ci/gha/tests/build-checks
+        ci/gha/tests/prepare-installer-for-github-actions
+      if: ${{ matrix.primary }}
+    - name: Collect code coverage
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix codeCoverage.coverageReports -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}" \
+          --out-link coverage-reports
+        cat coverage-reports/index.txt >> $GITHUB_STEP_SUMMARY
+      if: ${{ matrix.instrumented }}
+    - name: Upload coverage reports
+      uses: actions/upload-artifact@v6
+      with:
+        name: coverage-reports
+        path: coverage-reports/
+      if: ${{ matrix.instrumented }}
     - name: Upload installer tarball
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: installer-${{matrix.os}}
         path: out/*
+      if: ${{ matrix.primary }}
 
   installer_test:
     needs: [tests]
@@ -62,25 +146,46 @@ jobs:
           - scenario: on ubuntu
             runs-on: ubuntu-24.04
             os: linux
+            experimental-installer: false
           - scenario: on macos
             runs-on: macos-14
             os: darwin
+            experimental-installer: false
+          - scenario: on ubuntu (experimental)
+            runs-on: ubuntu-24.04
+            os: linux
+            experimental-installer: true
+          - scenario: on macos (experimental)
+            runs-on: macos-14
+            os: darwin
+            experimental-installer: true
     name: installer test ${{ matrix.scenario }}
     runs-on: ${{ matrix.runs-on }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Download installer tarball
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
       with:
         name: installer-${{matrix.os}}
         path: out
-    - name: Serving installer
-      id: serving_installer
-      run: ./scripts/serve-installer-for-github-actions
-    - uses: cachix/install-nix-action@v31
+    - name: Looking up the installer tarball URL
+      id: installer-tarball-url
+      run: |
+        echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
+        TARBALL_PATH="$(find "$GITHUB_WORKSPACE/out" -name 'nix*.tar.xz' -print | head -n 1)"
+        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
+    - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+      if: ${{ !matrix.experimental-installer }}
       with:
-        install_url: 'http://localhost:8126/install'
-        install_options: "--tarball-url-prefix http://localhost:8126/"
+        install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
+        install_options: ${{ format('--tarball-url-prefix {0}', steps.installer-tarball-url.outputs.installer-url) }}
+    - uses: ./.github/actions/install-nix-action
+      if: ${{ matrix.experimental-installer }}
+      with:
+        dogfood: false
+        experimental-installer: true
+        tarball_url: ${{ steps.installer-tarball-url.outputs.tarball-path }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
     - run: sudo apt install fish zsh
       if: matrix.os == 'linux'
     - run: brew install fish
@@ -92,115 +197,56 @@ jobs:
     - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
     - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"
 
-  # Steps to test CI automation in your own fork.
-  # 1. Sign-up for https://hub.docker.com/
-  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
-  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
-  check_secrets:
-    permissions:
-      contents: none
-    name: Check Docker secrets present for installer tests
-    runs-on: ubuntu-24.04
-    outputs:
-      docker: ${{ steps.secret.outputs.docker }}
-    steps:
-      - name: Check for secrets
-        id: secret
-        env:
-          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-        run: |
-          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
-
-  docker_push_image:
-    needs: [tests, vm_tests, check_secrets]
-    permissions:
-      contents: read
-      packages: write
-    if: >-
-      needs.check_secrets.outputs.docker == 'true' &&
-      github.event_name == 'push' &&
-      github.ref_name == 'master'
-    runs-on: ubuntu-24.04
-    steps:
-    - name: Check for secrets
-      id: secret
-      env:
-        _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-      run: |
-        echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - uses: cachix/install-nix-action@v31
-      with:
-        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
-    - uses: DeterminateSystems/magic-nix-cache-action@main
-    - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
-    - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
-    - run: docker load -i ./result/image.tar.gz
-    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
-    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
-    # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
-    #
-    # Push to Docker Hub first
-    - name: Login to Docker Hub
-      uses: docker/login-action@v3
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
-    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
-    # Push to GitHub Container Registry as well
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Push image
-      run: |
-        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix
-        # Change all uppercase to lowercase
-        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
-
-        docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
-        docker tag nix:$NIX_VERSION $IMAGE_ID:latest
-        docker push $IMAGE_ID:$NIX_VERSION
-        docker push $IMAGE_ID:latest
-        # deprecated 2024-02-24
-        docker tag nix:$NIX_VERSION $IMAGE_ID:master
-        docker push $IMAGE_ID:master
-
-  vm_tests:
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - run: |
-          nix build -L \
-            .#hydraJobs.tests.functional_user \
-            .#hydraJobs.tests.githubFlakes \
-            .#hydraJobs.tests.nix-docker \
-            .#hydraJobs.tests.tarballFlakes \
-            ;
-
   flake_regressions:
-    needs: vm_tests
+    needs: tests
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout nix
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Checkout flake-regressions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: NixOS/flake-regressions
           path: flake-regressions
       - name: Checkout flake-regressions-data
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: NixOS/flake-regressions-data
           path: flake-regressions/tests
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=25 flake-regressions/eval-all.sh
+      - name: Download installer tarball
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: installer-linux
+          path: out
+      - name: Looking up the installer tarball URL
+        id: installer-tarball-url
+        run: |
+          echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+        with:
+          install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
+          install_options: ${{ format('--tarball-url-prefix {0}', steps.installer-tarball-url.outputs.installer-url) }}
+      - name: Run flake regressions tests
+        run: MAX_FLAKES=25 flake-regressions/eval-all.sh
+
+  profile_build:
+    needs: tests
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    if: >-
+      github.event_name == 'push' &&
+      github.ref_name == 'master'
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+    - uses: ./.github/actions/install-nix-action
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        extra_nix_config: |
+          experimental-features = flakes nix-command ca-derivations impure-derivations
+          max-jobs = 1
+    - run: |
+        nix build -L --file ./ci/gha/profile-build buildTimeReport --out-link build-time-report.md
+        cat build-time-report.md >> $GITHUB_STEP_SUMMARY

.github/workflows/labels.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-24.04
     if: github.repository_owner == 'NixOS'
     steps:
-    - uses: actions/labeler@v5
+    - uses: actions/labeler@v6
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         sync-labels: false

.github/workflows/upload-release.yml

@@ -0,0 +1,80 @@
+name: Upload Release
+on:
+  workflow_dispatch:
+    inputs:
+      eval_id:
+        description: "Hydra evaluation ID"
+        required: true
+        type: number
+      is_latest:
+        description: "Mark as latest release"
+        required: false
+        type: boolean
+        default: false
+permissions:
+  contents: read
+  id-token: write
+  packages: write
+jobs:
+  release:
+    runs-on: ubuntu-24.04
+    environment: releases
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: ./.github/actions/install-nix-action
+        with:
+          dogfood: false # Use stable version
+          use_cache: false # Don't want any cache injection shenanigans
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+      - name: Set NIX_PATH from flake input
+        run: |
+          NIXPKGS_PATH=$(nix build --inputs-from .# nixpkgs#path --print-out-paths --no-link)
+          # Shebangs with perl have issues. Pin nixpkgs this way. nix shell should maybe
+          # get the same uberhack that nix-shell has to support it.
+          echo "NIX_PATH=nixpkgs=$NIXPKGS_PATH" >> "$GITHUB_ENV"
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        with:
+          role-to-assume: "arn:aws:iam::080433136561:role/nix-release"
+          role-session-name: nix-release-oidc-${{ github.run_id }}
+          aws-region: eu-west-1
+      - name: Disable containerd image store
+        run: |
+          # Docker 28+ defaults to the containerd image store, which
+          # pushes layers uncompressed instead of gzip. OCI clients
+          # that only support gzip (e.g. go-containerregistry) fail
+          # with "gzip: invalid header". Disabling the containerd
+          # snapshotter restores the classic storage driver, which
+          # preserves gzip-compressed layers through the
+          # `docker load` / `docker push` pipeline.
+          echo '{"features":{"containerd-snapshotter":false}}' | sudo tee /etc/docker/daemon.json > /dev/null
+          sudo systemctl restart docker
+      - name: Login to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload release
+        run: |
+          ./maintainers/upload-release.pl \
+            ${{ inputs.eval_id }} \
+            --skip-git
+        env:
+          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}
+      - name: Push to GHCR
+        run: |
+          DOCKER_OWNER="ghcr.io/$(echo '${{ github.repository_owner }}' | tr '[A-Z]' '[a-z]')/nix"
+          ./maintainers/upload-release.pl \
+            ${{ inputs.eval_id }} \
+            --skip-git \
+            --skip-s3 \
+            --docker-owner "$DOCKER_OWNER"
+        env:
+          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}

.gitignore

@@ -1,5 +1,7 @@
 # Default meson build dir
 /build
+# Meson creates this file too
+src/.wraplock
 
 # /tests/functional/
 /tests/functional/common/subst-vars.sh
@@ -47,3 +49,6 @@ result-*
 .DS_Store
 
 flake-regressions
+
+# direnv
+.direnv/

.mergify.yml

@@ -1,152 +0,0 @@
-queue_rules:
-  - name: default
-    # all required tests need to go here
-    merge_conditions:
-      - check-success=tests on macos
-      - check-success=tests on ubuntu
-      - check-success=installer test on macos
-      - check-success=installer test on ubuntu
-      - check-success=vm_tests
-    batch_size: 5
-
-pull_request_rules:
-  - name: merge using the merge queue
-    conditions:
-      - base~=master|.+-maintenance
-      - label~=merge-queue|dependencies
-    actions:
-      queue: {}
-
-# The rules below will first create backport pull requests and put those in a merge queue.
-
-  - name: backport patches to 2.18
-    conditions:
-      - label=backport 2.18-maintenance
-    actions:
-      backport:
-        branches:
-          - 2.18-maintenance
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.19
-    conditions:
-      - label=backport 2.19-maintenance
-    actions:
-      backport:
-        branches:
-          - 2.19-maintenance
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.20
-    conditions:
-      - label=backport 2.20-maintenance
-    actions:
-      backport:
-        branches:
-          - 2.20-maintenance
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.21
-    conditions:
-      - label=backport 2.21-maintenance
-    actions:
-      backport:
-        branches:
-          - 2.21-maintenance
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.22
-    conditions:
-      - label=backport 2.22-maintenance
-    actions:
-      backport:
-        branches:
-          - 2.22-maintenance
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.23
-    conditions:
-      - label=backport 2.23-maintenance
-    actions:
-      backport:
-        branches:
-          - 2.23-maintenance
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.24
-    conditions:
-      - label=backport 2.24-maintenance
-    actions:
-      backport:
-        branches:
-          - "2.24-maintenance"
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.25
-    conditions:
-      - label=backport 2.25-maintenance
-    actions:
-      backport:
-        branches:
-          - "2.25-maintenance"
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.26
-    conditions:
-      - label=backport 2.26-maintenance
-    actions:
-      backport:
-        branches:
-          - "2.26-maintenance"
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.27
-    conditions:
-      - label=backport 2.27-maintenance
-    actions:
-      backport:
-        branches:
-          - "2.27-maintenance"
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.28
-    conditions:
-      - label=backport 2.28-maintenance
-    actions:
-      backport:
-        branches:
-          - "2.28-maintenance"
-        labels:
-          - automatic backport
-          - merge-queue
-
-  - name: backport patches to 2.29
-    conditions:
-      - label=backport 2.29-maintenance
-    actions:
-      backport:
-        branches:
-          - "2.29-maintenance"
-        labels:
-          - automatic backport
-          - merge-queue

.version

@@ -1 +1 @@
-2.30.0
+2.34.0

CONTRIBUTING.md

@@ -89,11 +89,13 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
 
 ## Making changes to the Nix manual
 
-The Nix reference manual is hosted on https://nixos.org/manual/nix.
+The Nix reference manual is hosted on https://nix.dev/manual/nix.
 The underlying source files are located in [`doc/manual/source`](./doc/manual/source).
 For small changes you can [use GitHub to edit these files](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files)
 For larger changes see the [Nix reference manual](https://nix.dev/manual/nix/development/development/contributing.html).
 
+You're encouraged to add line breaks at semantic boundaries, per [sembr](https://sembr.org).
+
 ## Getting help
 
 Whenever you're stuck or do not know how to proceed, you can always ask for help.

COPYING

@@ -1,8 +1,8 @@
-		  GNU LESSER GENERAL PUBLIC LICENSE
-		       Version 2.1, February 1999
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 2.1, February 1999
 
  Copyright (C) 1991, 1999 Free Software Foundation, Inc.
- 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ <https://fsf.org/>
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
@@ -10,7 +10,7 @@
  as the successor of the GNU Library Public License, version 2, hence
  the version number 2.1.]
 
-			    Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -112,7 +112,7 @@ modification follow.  Pay close attention to the difference between a
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
 
-		  GNU LESSER GENERAL PUBLIC LICENSE
+                  GNU LESSER GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License Agreement applies to any software library or other
@@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
 on the Library (independent of the use of the Library in a tool for
 writing it).  Whether that is true depends on what the Library does
 and what the program that uses the Library does.
-  
+
   1. You may copy and distribute verbatim copies of the Library's
 complete source code as you receive it, in any medium, provided that
 you conspicuously and appropriately publish on each copy an
@@ -432,7 +432,7 @@ decision will be guided by the two goals of preserving the free status
 of all derivatives of our free software and of promoting the sharing
 and reuse of software generally.
 
-			    NO WARRANTY
+                            NO WARRANTY
 
   15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
 WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
@@ -455,7 +455,7 @@ FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
 SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
 
-		     END OF TERMS AND CONDITIONS
+                     END OF TERMS AND CONDITIONS
 
            How to Apply These Terms to Your New Libraries
 
@@ -484,8 +484,7 @@ convey the exclusion of warranty; and each file should have at least the
     Lesser General Public License for more details.
 
     You should have received a copy of the GNU Lesser General Public
-    License along with this library; if not, write to the Free Software
-    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+    License along with this library; if not, see <https://www.gnu.org/licenses/>.
 
 Also add information on how to contact you by electronic and paper mail.
 
@@ -496,9 +495,7 @@ necessary.  Here is a sample; alter the names:
   Yoyodyne, Inc., hereby disclaims all copyright interest in the
   library `Frob' (a library for tweaking knobs) written by James Random Hacker.
 
-  <signature of Ty Coon>, 1 April 1990
-  Ty Coon, President of Vice
+  <signature of Moe Ghoul>, 1 April 1990
+  Moe Ghoul, President of Vice
 
 That's all there is to it!
-
-

ci/gha/profile-build/default.nix

@@ -0,0 +1,101 @@
+{
+  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
+  system ? builtins.currentSystem,
+  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
+}:
+
+let
+  inherit (pkgs) lib;
+
+  nixComponentsInstrumented =
+    (nixFlake.lib.makeComponents {
+      inherit pkgs;
+      getStdenv = p: p.clangStdenv;
+    }).overrideScope
+      (
+        _: _: {
+          mesonComponentOverrides = finalAttrs: prevAttrs: {
+            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "buildprofile" ];
+            nativeBuildInputs = [ pkgs.clangbuildanalyzer ] ++ prevAttrs.nativeBuildInputs or [ ];
+            __impure = true;
+
+            env = {
+              CFLAGS = "-ftime-trace";
+              CXXFLAGS = "-ftime-trace";
+            };
+
+            preBuild = ''
+              ClangBuildAnalyzer --start $PWD
+            '';
+
+            postBuild = ''
+              ClangBuildAnalyzer --stop $PWD $buildprofile
+            '';
+          };
+        }
+      );
+
+  componentsToProfile = {
+    "nix-util" = { };
+    "nix-util-c" = { };
+    "nix-util-test-support" = { };
+    "nix-util-tests" = { };
+    "nix-store" = { };
+    "nix-store-c" = { };
+    "nix-store-test-support" = { };
+    "nix-store-tests" = { };
+    "nix-fetchers" = { };
+    "nix-fetchers-c" = { };
+    "nix-fetchers-tests" = { };
+    "nix-expr" = { };
+    "nix-expr-c" = { };
+    "nix-expr-test-support" = { };
+    "nix-expr-tests" = { };
+    "nix-flake" = { };
+    "nix-flake-c" = { };
+    "nix-flake-tests" = { };
+    "nix-main" = { };
+    "nix-main-c" = { };
+    "nix-cmd" = { };
+    "nix-cli" = { };
+  };
+
+  componentDerivationsToProfile = builtins.intersectAttrs componentsToProfile nixComponentsInstrumented;
+  componentBuildProfiles = lib.mapAttrs (
+    n: v: lib.getOutput "buildprofile" v
+  ) componentDerivationsToProfile;
+
+  buildTimeReport =
+    pkgs.runCommand "build-time-report"
+      {
+        __impure = true;
+        __structuredAttrs = true;
+        nativeBuildInputs = [ pkgs.clangbuildanalyzer ];
+        inherit componentBuildProfiles;
+      }
+      ''
+        {
+          echo "# Build time performance profile for components:"
+          echo
+          echo "This reports the build profile collected via \`-ftime-trace\` for each component."
+          echo
+        } >> $out
+
+        for name in "''\${!componentBuildProfiles[@]}"; do
+          {
+            echo "<details><summary><strong>$name</strong></summary>"
+            echo
+            echo '````'
+            ClangBuildAnalyzer --analyze "''\${componentBuildProfiles[$name]}"
+            echo '````'
+            echo
+            echo "</details>"
+          } >> $out
+        done
+      '';
+in
+
+{
+  inherit buildTimeReport;
+  inherit componentDerivationsToProfile;
+}

ci/gha/tests/default.nix

@@ -0,0 +1,257 @@
+{
+  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
+  system ? builtins.currentSystem,
+  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
+  nixComponents ? (
+    nixFlake.lib.makeComponents {
+      inherit pkgs;
+      inherit getStdenv;
+    }
+  ),
+  getStdenv ? p: p.stdenv,
+  componentTestsPrefix ? "",
+  withSanitizers ? false,
+  withCoverage ? false,
+  ...
+}:
+
+let
+  inherit (pkgs) lib;
+  hydraJobs = nixFlake.hydraJobs;
+  packages' = nixFlake.packages.${system};
+  stdenv = (getStdenv pkgs);
+
+  collectCoverageLayer = finalAttrs: prevAttrs: {
+    env =
+      let
+        # https://clang.llvm.org/docs/SourceBasedCodeCoverage.html#the-code-coverage-workflow
+        coverageFlags = [
+          "-fprofile-instr-generate"
+          "-fcoverage-mapping"
+        ];
+      in
+      {
+        CFLAGS = toString coverageFlags;
+        CXXFLAGS = toString coverageFlags;
+      };
+
+    # Done in a pre-configure hook, because $NIX_BUILD_TOP needs to be substituted.
+    preConfigure = prevAttrs.preConfigure or "" + ''
+      mappingFlag=" -fcoverage-prefix-map=$NIX_BUILD_TOP/${finalAttrs.src.name}=${finalAttrs.src}"
+      CFLAGS+="$mappingFlag"
+      CXXFLAGS+="$mappingFlag"
+    '';
+  };
+
+  componentOverrides = (lib.optional withCoverage collectCoverageLayer);
+in
+
+rec {
+  nixComponentsInstrumented = nixComponents.overrideScope (
+    final: prev: {
+      withASan = withSanitizers;
+      withUBSan = withSanitizers;
+
+      nix-store-tests = prev.nix-store-tests.override { withBenchmarks = true; };
+      # Boehm is incompatible with ASAN.
+      nix-expr = prev.nix-expr.override { enableGC = !withSanitizers; };
+
+      mesonComponentOverrides = lib.composeManyExtensions componentOverrides;
+      # Unclear how to make Perl bindings work with a dynamically linked ASAN.
+      nix-perl-bindings = if withSanitizers then null else prev.nix-perl-bindings;
+    }
+  );
+
+  # Import NixOS tests using the instrumented components
+  nixosTests = import ../../../tests/nixos {
+    inherit lib pkgs;
+    nixComponents = nixComponentsInstrumented;
+    nixpkgs = nixFlake.inputs.nixpkgs;
+    inherit (nixFlake.inputs) nixpkgs-23-11;
+  };
+
+  /**
+    Top-level tests for the flake outputs, as they would be built by hydra.
+    These tests generally can't be overridden to run with sanitizers.
+  */
+  topLevel = {
+    installerScriptForGHA = hydraJobs.installerScriptForGHA.${system};
+    installTests = hydraJobs.installTests.${system};
+    nixpkgsLibTests = hydraJobs.tests.nixpkgsLibTests.${system};
+    rl-next = pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
+      LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${../../../doc/manual/rl-next} >$out
+    '';
+    repl-completion = pkgs.callPackage ../../../tests/repl-completion.nix { inherit (packages') nix; };
+
+    /**
+      Checks for our packaging expressions.
+      This shouldn't build anything significant; just check that things
+      (including derivations) are _set up_ correctly.
+    */
+    packaging-overriding =
+      let
+        nix = packages'.nix;
+      in
+      assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
+      if pkgs.stdenv.buildPlatform.isDarwin then
+        lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
+      else
+        # If this fails, something might be wrong with how we've wired the scope,
+        # or something could be broken in Nixpkgs.
+        pkgs.testers.testEqualContents {
+          assertion = "trivial patch does not change source contents";
+          expected = "${../../..}";
+          actual =
+            # Same for all components; nix-util is an arbitrary pick
+            (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
+        };
+  };
+
+  disable =
+    let
+      inherit (pkgs.stdenv) hostPlatform;
+    in
+    args@{
+      pkgName,
+      testName,
+      test,
+    }:
+    lib.any (b: b) [
+      # FIXME: Nix manual is impure and does not produce all settings on darwin
+      (hostPlatform.isDarwin && pkgName == "nix-manual" && testName == "linkcheck")
+    ];
+
+  componentTests =
+    (lib.concatMapAttrs (
+      pkgName: pkg:
+      lib.concatMapAttrs (
+        testName: test:
+        lib.optionalAttrs (!disable { inherit pkgName testName test; }) {
+          "${componentTestsPrefix}${pkgName}-${testName}" = test;
+        }
+      ) (pkg.tests or { })
+    ) nixComponentsInstrumented)
+    // lib.optionalAttrs (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) {
+      "${componentTestsPrefix}nix-functional-tests" = nixComponentsInstrumented.nix-functional-tests;
+      "${componentTestsPrefix}nix-json-schema-checks" = nixComponentsInstrumented.nix-json-schema-checks;
+    };
+
+  codeCoverage =
+    let
+      componentsTestsToProfile =
+        (builtins.mapAttrs (n: v: nixComponentsInstrumented.${n}.tests.run) {
+          "nix-util-tests" = { };
+          "nix-store-tests" = { };
+          "nix-fetchers-tests" = { };
+          "nix-expr-tests" = { };
+          "nix-flake-tests" = { };
+        })
+        // {
+          inherit (nixComponentsInstrumented) nix-functional-tests;
+        };
+
+      coverageProfileDrvs = lib.mapAttrs (
+        n: v:
+        v.overrideAttrs (
+          finalAttrs: prevAttrs: {
+            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "profraw" ];
+            env = {
+              LLVM_PROFILE_FILE = "${placeholder "profraw"}/%m";
+            };
+          }
+        )
+      ) componentsTestsToProfile;
+
+      coverageProfiles = lib.mapAttrsToList (n: v: lib.getOutput "profraw" v) coverageProfileDrvs;
+
+      mergedProfdata =
+        pkgs.runCommand "merged-profdata"
+          {
+            __structuredAttrs = true;
+            nativeBuildInputs = [ pkgs.llvmPackages.libllvm ];
+            inherit coverageProfiles;
+          }
+          ''
+            rawProfiles=()
+            for dir in "''\${coverageProfiles[@]}"; do
+              rawProfiles+=($dir/*)
+            done
+            llvm-profdata merge -sparse -output $out "''\${rawProfiles[@]}"
+          '';
+
+      coverageReports =
+        let
+          nixComponentDrvs = lib.filter (lib.isDerivation) (lib.attrValues nixComponentsInstrumented);
+        in
+        pkgs.runCommand "code-coverage-report"
+          {
+            nativeBuildInputs = [
+              pkgs.llvmPackages.libllvm
+              pkgs.jq
+            ];
+            __structuredAttrs = true;
+            nixComponents = nixComponentDrvs;
+          }
+          ''
+            # ${toString (lib.map (v: v.src) nixComponentDrvs)}
+
+            binaryFiles=()
+            for dir in "''\${nixComponents[@]}"; do
+              readarray -t filesInDir < <(find "$dir" -type f -executable)
+              binaryFiles+=("''\${filesInDir[@]}")
+            done
+
+            arguments=$(concatStringsSep " -object " binaryFiles)
+            llvm-cov show $arguments -instr-profile ${mergedProfdata} -output-dir $out -format=html
+
+            {
+              echo "# Code coverage summary (generated via \`llvm-cov\`):"
+              echo
+              echo '```'
+              llvm-cov report $arguments -instr-profile ${mergedProfdata} -format=text -use-color=false
+              echo '```'
+              echo
+            } >> $out/index.txt
+
+            llvm-cov export $arguments -instr-profile ${mergedProfdata} -format=text > $out/coverage.json
+
+            mkdir -p $out/nix-support
+
+            coverageTotals=$(jq ".data[0].totals" $out/coverage.json)
+
+            # Mostly inline from pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh [1],
+            # which we can't use here, because we rely on LLVM's infra for source code coverage collection.
+            # [1]: https://github.com/NixOS/nixpkgs/blob/67bb48c4c8e327417d6d5aa7e538244b209e852b/pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh#L16
+            declare -A metricsArray=(["lineCoverage"]="lines" ["functionCoverage"]="functions" ["branchCoverage"]="branches")
+
+            for metricName in "''\${!metricsArray[@]}"; do
+              key="''\${metricsArray[$metricName]}"
+              metric=$(echo "$coverageTotals" | jq ".$key.percent * 10 | round / 10")
+              echo "$metricName $metric %" >> $out/nix-support/hydra-metrics
+            done
+
+            echo "report coverage $out" >> $out/nix-support/hydra-build-products
+          '';
+    in
+    assert withCoverage;
+    assert stdenv.cc.isClang;
+    {
+      inherit coverageProfileDrvs mergedProfdata coverageReports;
+    };
+
+  vmTests = {
+    inherit (nixosTests) s3-binary-cache-store;
+  }
+  // lib.optionalAttrs (!withSanitizers && !withCoverage) {
+    # evalNixpkgs uses non-instrumented components from hydraJobs, so only run it
+    # when not testing with sanitizers to avoid rebuilding nix
+    inherit (hydraJobs.tests) evalNixpkgs;
+    # FIXME: CI times out when building vm tests instrumented
+    inherit (nixosTests)
+      functional_user
+      githubFlakes
+      nix-docker
+      tarballFlakes
+      ;
+  };
+}

ci/gha/tests/pre-commit-checks

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+system=$(nix eval --raw --impure --expr builtins.currentSystem)
+
+echo "::group::Running pre-commit checks"
+
+if nix build ".#checks.$system.pre-commit" -L; then
+    echo "::endgroup::"
+    exit 0
+fi
+
+echo "::error ::Changes do not pass pre-commit checks"
+
+cat <<EOF
+The code isn't formatted or doesn't pass lints. You can run pre-commit locally with:
+
+    nix develop -c ./maintainers/format.sh
+EOF
+
+echo "::endgroup::"
+
+exit 1

ci/gha/tests/wrapper.nix

@@ -0,0 +1,16 @@
+{
+  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
+  system ? builtins.currentSystem,
+  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
+  stdenv ? "stdenv",
+  componentTestsPrefix ? "",
+  withInstrumentation ? false,
+}@args:
+import ./. (
+  args
+  // {
+    getStdenv = p: p.${stdenv};
+    withSanitizers = withInstrumentation;
+    withCoverage = withInstrumentation;
+  }
+)

doc/manual/anchors.jq

@@ -3,7 +3,7 @@
 
 
 def transform_anchors_html:
-    . | gsub($empty_anchor_regex; "<a name=\"" + .anchor + "\"></a>")
+    . | gsub($empty_anchor_regex; "<a id=\"" + .anchor + "\"></a>")
       | gsub($anchor_regex; "<a href=\"#" + .anchor + "\" id=\"" + .anchor + "\">" + .text + "</a>");
 
 
@@ -24,8 +24,15 @@ def map_contents_recursively(transformer):
 def process_command:
     .[0] as $context |
     .[1] as $body |
-    $body + {
-        sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
-    };
+    # mdbook 0.5.x uses 'items' instead of 'sections'
+    if $body.items then
+        $body + {
+            items: $body.items | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
+        }
+    else
+        $body + {
+            sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
+        }
+    end;
 
 process_command

doc/manual/book.toml.in

@@ -7,6 +7,7 @@ additional-css = ["custom.css"]
 additional-js = ["redirects.js"]
 edit-url-template = "https://github.com/NixOS/nix/tree/master/doc/manual/{path}"
 git-repository-url = "https://github.com/NixOS/nix"
+mathjax-support = true
 
 # Handles replacing @docroot@ with a path to ./source relative to that markdown file,
 # {{#include handlebars}}, and the @generated@ syntax used within these. it mostly
@@ -23,12 +24,3 @@ renderers = ["html"]
 command = "jq --from-file ./anchors.jq"
 
 [output.markdown]
-
-[output.linkcheck]
-# no Internet during the build (in the sandbox)
-follow-web-links = false
-
-# mdbook-linkcheck does not understand [foo]{#bar} style links, resulting in
-# excessive "Potential incomplete link" warnings. No other kind of warning was
-# produced at the time of writing.
-warning-policy = "ignore"

doc/manual/expand-includes.py

@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+"""
+Standalone markdown preprocessor for manpage generation.
+
+Expands {{#include}} directives and handles @docroot@ references
+without requiring mdbook.
+"""
+
+from pathlib import Path
+import sys
+import argparse
+import re
+
+
+def expand_includes(
+    content: str,
+    current_file: Path,
+    source_root: Path,
+    generated_root: Path | None,
+    visited: set[Path] | None = None,
+) -> str:
+    """
+    Recursively expand {{#include path}} directives.
+
+    Args:
+        content: Markdown content to process
+        current_file: Path to the current file (for resolving relative includes)
+        source_root: Root of the source directory
+        generated_root: Root of generated files (for @generated@/ includes)
+        visited: Set of already-visited files (for cycle detection)
+    """
+    if visited is None:
+        visited = set()
+
+    # Track current file to detect cycles
+    visited.add(current_file.resolve())
+
+    lines = []
+    include_pattern = re.compile(r'^\s*\{\{#include\s+(.+?)\}\}\s*$')
+
+    for line in content.splitlines(keepends=True):
+        match = include_pattern.match(line)
+        if not match:
+            lines.append(line)
+            continue
+
+        # Found an include directive
+        include_path_str = match.group(1).strip()
+
+        # Resolve the include path
+        if include_path_str.startswith("@generated@/"):
+            # Generated file
+            if generated_root is None:
+                raise ValueError(
+                    f"Cannot resolve @generated@ path '{include_path_str}' "
+                    f"without --generated-root"
+                )
+            include_path = generated_root / include_path_str[12:]
+        else:
+            # Relative to current file
+            include_path = (current_file.parent / include_path_str).resolve()
+
+        # Check for cycles
+        if include_path.resolve() in visited:
+            raise RuntimeError(
+                f"Include cycle detected: {include_path} is already being processed"
+            )
+
+        # Check that file exists
+        if not include_path.exists():
+            raise FileNotFoundError(
+                f"Include file not found: {include_path_str}\n"
+                f"  Resolved to: {include_path}\n"
+                f"  From: {current_file}"
+            )
+
+        # Recursively expand the included file
+        included_content = include_path.read_text()
+        expanded = expand_includes(
+            included_content,
+            include_path,
+            source_root,
+            generated_root,
+            visited.copy(),  # Copy visited set for this branch
+        )
+        lines.append(expanded)
+        # Add newline if the included content doesn't end with one
+        if not expanded.endswith('\n'):
+            lines.append('\n')
+
+    return ''.join(lines)
+
+
+def resolve_docroot(content: str, current_file: Path, source_root: Path, docroot_url: str) -> str:
+    """
+    Replace @docroot@ with nix.dev URL and convert .md to .html.
+
+    For manpages, absolute URLs are more useful than relative paths since
+    manpages are viewed standalone. lowdown will display these as proper
+    references in the manpage output.
+    """
+    # Replace @docroot@ with the base URL
+    content = content.replace("@docroot@", docroot_url)
+
+    # Convert .md extensions to .html for web links
+    # Use lookahead to ensure that .md occurs before a fragment or a possible URL end.
+    content = re.sub(
+        r'(https://nix\.dev/[^)\s]*?)\.md(?=[#)\s]|$)',
+        r'\1.html',
+        content
+    )
+
+    return content
+
+
+def resolve_at_escapes(content: str) -> str:
+    """Replace @_at_ with @"""
+    return content.replace("@_at_", "@")
+
+
+def process_file(
+    input_file: Path,
+    source_root: Path,
+    generated_root: Path | None,
+    docroot_url: str,
+) -> str:
+    """Process a single markdown file."""
+    content = input_file.read_text()
+
+    # Expand includes
+    content = expand_includes(content, input_file, source_root, generated_root)
+
+    # Resolve @docroot@ references
+    content = resolve_docroot(content, input_file, source_root, docroot_url)
+
+    # Resolve @_at_ escapes
+    content = resolve_at_escapes(content)
+
+    return content
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Expand markdown includes for manpage generation",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  # Expand a manpage source file
+  %(prog)s \\
+    --source-root doc/manual/source \\
+    --generated-root build/doc/manual/source \\
+    doc/manual/source/command-ref/nix-store/query.md
+
+  # Pipe to lowdown for manpage generation
+  %(prog)s -s doc/manual/source -g build/doc/manual/source \\
+    doc/manual/source/command-ref/nix-env.md | \\
+    lowdown -sT man -M section=1 -o nix-env.1
+        """,
+    )
+    parser.add_argument(
+        "input_file",
+        type=Path,
+        help="Input markdown file to process",
+    )
+    parser.add_argument(
+        "-s", "--source-root",
+        type=Path,
+        required=True,
+        help="Root directory of markdown sources",
+    )
+    parser.add_argument(
+        "-g", "--generated-root",
+        type=Path,
+        help="Root directory of generated files (for @generated@/ includes)",
+    )
+    parser.add_argument(
+        "-o", "--output",
+        type=Path,
+        help="Output file (default: stdout)",
+    )
+    parser.add_argument(
+        "-u", "--doc-url",
+        type=str,
+        default="https://nix.dev/manual/nix/latest",
+        help="Base URL for documentation links (default: https://nix.dev/manual/nix/latest)",
+    )
+
+    args = parser.parse_args()
+
+    # Validate paths
+    if not args.input_file.exists():
+        print(f"Error: Input file not found: {args.input_file}", file=sys.stderr)
+        return 1
+
+    if not args.source_root.is_dir():
+        print(f"Error: Source root is not a directory: {args.source_root}", file=sys.stderr)
+        return 1
+
+    if args.generated_root and not args.generated_root.is_dir():
+        print(f"Error: Generated root is not a directory: {args.generated_root}", file=sys.stderr)
+        return 1
+
+    try:
+        # Process the file
+        output = process_file(args.input_file, args.source_root, args.generated_root, args.doc_url)
+
+        # Write output
+        if args.output:
+            args.output.write_text(output)
+        else:
+            print(output, end='')
+
+        return 0
+
+    except Exception as e:
+        print(f"Error processing {args.input_file}: {e}", file=sys.stderr)
+        import traceback
+        traceback.print_exc(file=sys.stderr)
+        return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())

doc/manual/generate-redirects.py

@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+"""Generate redirects.js from template and JSON data."""
+
+import sys
+
+template_path, json_path, output_path = sys.argv[1:]
+
+with open(json_path) as f:
+    json_content = f.read().rstrip()
+
+with open(template_path) as f:
+    template = f.read()
+
+with open(output_path, 'w') as f:
+    f.write(template.replace('@REDIRECTS_JSON@', json_content))

doc/manual/generate-store-types.nix

@@ -24,9 +24,9 @@ let
     in
     concatStringsSep "\n" (map showEntry storesList);
 
-  "index.md" =
-    replaceStrings [ "@store-types@" ] [ index ]
-      (readFile ./source/store/types/index.md.in);
+  "index.md" = replaceStrings [ "@store-types@" ] [ index ] (
+    readFile ./source/store/types/index.md.in
+  );
 
   tableOfContents =
     let

doc/manual/meson.build

@@ -1,50 +1,70 @@
-project('nix-manual',
+project(
+  'nix-manual',
   version : files('.version'),
   meson_version : '>= 1.1',
   license : 'LGPL-2.1-or-later',
 )
 
+# Compute documentation URL based on version and release type
+version = meson.project_version()
+official_release = get_option('official-release')
+
+if official_release
+  # For official releases, use versioned URL (dropping patch version)
+  version_parts = version.split('.')
+  major_minor = '@0@.@1@'.format(version_parts[0], version_parts[1])
+  doc_url = 'https://nix.dev/manual/nix/@0@'.format(major_minor)
+else
+  # For development builds, use /latest
+  doc_url = 'https://nix.dev/manual/nix/latest'
+endif
+
 nix = find_program('nix', native : true)
 
-mdbook = find_program('mdbook', native : true)
 bash = find_program('bash', native : true)
 
+# HTML manual dependencies (conditional)
+if get_option('html-manual')
+  mdbook = find_program('mdbook', native : true)
+endif
+
 pymod = import('python')
 python = pymod.find_installation('python3')
 
 nix_env_for_docs = {
-  'HOME': '/dummy',
-  'NIX_CONF_DIR': '/dummy',
-  'NIX_SSL_CERT_FILE': '/dummy/no-ca-bundle.crt',
-  'NIX_STATE_DIR': '/dummy',
-  'NIX_CONFIG': 'cores = 0',
+  'HOME' : '/dummy',
+  'NIX_CONF_DIR' : '/dummy',
+  'NIX_SSL_CERT_FILE' : '/dummy/no-ca-bundle.crt',
+  'NIX_STATE_DIR' : '/dummy',
+  'NIX_CONFIG' : 'cores = 0',
 }
 
-nix_for_docs = [nix, '--experimental-features', 'nix-command']
+nix_for_docs = [ nix, '--experimental-features', 'nix-command' ]
 nix_eval_for_docs_common = nix_for_docs + [
   'eval',
-  '-I', 'nix=' + meson.current_source_dir(),
+  '-I',
+  'nix=' + meson.current_source_dir(),
   '--store', 'dummy://',
   '--impure',
 ]
 nix_eval_for_docs = nix_eval_for_docs_common + '--raw'
 
 conf_file_json = custom_target(
-  command : nix_for_docs + ['config', 'show', '--json'],
+  command : nix_for_docs + [ 'config', 'show', '--json' ],
   capture : true,
   output : 'conf-file.json',
   env : nix_env_for_docs,
 )
 
 language_json = custom_target(
-  command: [nix, '__dump-language'],
+  command : [ nix, '__dump-language' ],
   output : 'language.json',
   capture : true,
   env : nix_env_for_docs,
 )
 
 nix3_cli_json = custom_target(
-  command : [nix, '__dump-cli'],
+  command : [ nix, '__dump-cli' ],
   capture : true,
   output : 'nix.json',
   env : nix_env_for_docs,
@@ -54,6 +74,24 @@ generate_manual_deps = files(
   'generate-deps.py',
 )
 
+# Generate redirects.js from template and JSON data
+redirects_js = custom_target(
+  'redirects.js',
+  command : [
+    python,
+    '@INPUT0@',
+    '@INPUT1@',
+    '@INPUT2@',
+    '@OUTPUT@',
+  ],
+  input : [
+    'generate-redirects.py',
+    'redirects.js.in',
+    'redirects.json',
+  ],
+  output : 'redirects.js',
+)
+
 # Generates types
 subdir('source/store')
 # Generates builtins.md and builtin-constants.md.
@@ -74,64 +112,79 @@ else
   nix_input = []
 endif
 
-manual = custom_target(
-  'manual',
-  command : [
-    bash,
-    '-euo', 'pipefail',
-    '-c',
-    '''
-        @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
-        @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
-        sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
-        rsync -r --include='*.md' @CURRENT_SOURCE_DIR@/ @2@/
-        (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
-        rm -rf @2@/manual
-        mv @2@/html @2@/manual
-        find @2@/manual -iname meson.build -delete
-    '''.format(
-      python.full_path(),
-      mdbook.full_path(),
-      meson.current_build_dir(),
-      meson.project_version(),
-    ),
-  ],
-  input : [
-    generate_manual_deps,
-    'substitute.py',
-    'book.toml.in',
-    'anchors.jq',
-    'custom.css',
-    nix3_cli_files,
-    experimental_features_shortlist_md,
-    experimental_feature_descriptions_md,
-    types_dir,
-    conf_file_md,
-    builtins_md,
-    rl_next_generated,
-    summary_rl_next,
-    nix_input,
-  ],
-  output : [
+# HTML manual build (conditional)
+if get_option('html-manual')
+  manual = custom_target(
     'manual',
-    'markdown',
-  ],
-  depfile : 'manual.d',
-  env : {
-    'RUST_LOG': 'info',
-    'MDBOOK_SUBSTITUTE_SEARCH': meson.current_build_dir() / 'source',
-  },
-)
-manual_html = manual[0]
-manual_md = manual[1]
+    command : [
+      bash,
+      '-euo',
+      'pipefail',
+      '-c',
+      '''
+          @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
+          @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
+          sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
+          # Copy source to build directory, excluding the build directory itself
+          # (which is present when built as an individual component).
+          # Use tar with --dereference to copy symlink targets (e.g., JSON examples from tests).
+          (cd @CURRENT_SOURCE_DIR@ && find . -mindepth 1 -maxdepth 1 ! -name build | tar -c --dereference -T - -f -) | (cd @2@ && tar -xf -)
+          chmod -R u+w @2@
+          find @2@ -name '*.drv' -delete
+          (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
+          rm -rf @2@/manual
+          mv @2@/html @2@/manual
+          # Remove Mathjax 2.7, because we will actually use MathJax 3.x
+          find @2@/manual | grep .html | xargs sed -i -e '/2.7.1.MathJax.js/d'
+          find @2@/manual -iname meson.build -delete
+      '''.format(
+        python.full_path(),
+        mdbook.full_path(),
+        meson.current_build_dir(),
+        meson.project_version(),
+      ),
+    ],
+    input : [
+      generate_manual_deps,
+      'substitute.py',
+      'book.toml.in',
+      'anchors.jq',
+      'custom.css',
+      redirects_js,
+      nix3_cli_files,
+      experimental_features_shortlist_md,
+      experimental_feature_descriptions_md,
+      types_dir,
+      conf_file_md,
+      builtins_md,
+      rl_next_generated,
+      summary_rl_next,
+      json_schema_generated_files,
+      nix_input,
+    ],
+    output : [
+      'manual',
+      'markdown',
+    ],
+    depfile : 'manual.d',
+    build_by_default : true,
+    env : {
+      'RUST_LOG' : 'info',
+      'MDBOOK_SUBSTITUTE_SEARCH' : meson.current_build_dir() / 'source',
+    },
+  )
+  manual_html = manual[0]
+  manual_md = manual[1]
 
-install_subdir(
-  manual_html.full_path(),
-  install_dir : get_option('datadir') / 'doc/nix',
-)
+  install_subdir(
+    manual_html.full_path(),
+    install_dir : get_option('datadir') / 'doc/nix',
+  )
+endif
 
 nix_nested_manpages = [
-  [ 'nix-env',
+  [
+    'nix-env',
     [
       'delete-generations',
       'install',
@@ -146,7 +199,8 @@ nix_nested_manpages = [
       'upgrade',
     ],
   ],
-  [ 'nix-store',
+  [
+    'nix-store',
     [
       'add-fixed',
       'add',
@@ -172,6 +226,7 @@ nix_nested_manpages = [
   ],
 ]
 
+# Manpage generation (standalone, no mdbook dependency)
 foreach command : nix_nested_manpages
   foreach page : command[1]
     title = command[0] + ' --' + page
@@ -179,15 +234,19 @@ foreach command : nix_nested_manpages
     custom_target(
       command : [
         bash,
-        files('./render-manpage.sh'),
+        '@INPUT0@',
         '--out-no-smarty',
         title,
         section,
-        '@INPUT0@/command-ref' / command[0] / (page + '.md'),
+        meson.current_source_dir() / 'source',
+        meson.current_build_dir() / 'source',
+        doc_url,
+        meson.current_source_dir() / 'source/command-ref' / command[0] / (page + '.md'),
         '@OUTPUT0@',
       ],
       input : [
-        manual_md,
+        files('./render-manpage.sh'),
+        files('./expand-includes.py'),
         nix_input,
       ],
       output : command[0] + '-' + page + '.1',
@@ -246,11 +305,11 @@ nix3_manpages = [
   'nix3-nar',
   'nix3-path-info',
   'nix3-print-dev-env',
+  'nix3-profile',
+  'nix3-profile-add',
   'nix3-profile-diff-closures',
   'nix3-profile-history',
-  'nix3-profile-install',
   'nix3-profile-list',
-  'nix3-profile',
   'nix3-profile-remove',
   'nix3-profile-rollback',
   'nix3-profile-upgrade',
@@ -296,14 +355,21 @@ foreach page : nix3_manpages
     command : [
       bash,
       '@INPUT0@',
+      # Note: no --out-no-smarty flag (original behavior)
       page,
       section,
-      '@INPUT1@/command-ref/new-cli/@0@.md'.format(page),
+      meson.current_source_dir() / 'source',
+      meson.current_build_dir() / 'source',
+      doc_url,
+      meson.current_build_dir() / 'source/command-ref/new-cli/@0@.md'.format(
+        page,
+      ),
       '@OUTPUT@',
     ],
     input : [
       files('./render-manpage.sh'),
-      manual_md,
+      files('./expand-includes.py'),
+      nix3_cli_files,
       nix_input,
     ],
     output : page + '.1',
@@ -323,7 +389,12 @@ nix_manpages = [
   [ 'nix-channel', 1 ],
   [ 'nix-hash', 1 ],
   [ 'nix-copy-closure', 1 ],
-  [ 'nix.conf', 5, conf_file_md.full_path() ],
+  [
+    'nix.conf',
+    5,
+    conf_file_md.full_path(),
+    [ conf_file_md, experimental_features_shortlist_md ],
+  ],
   [ 'nix-daemon', 8 ],
   [ 'nix-profiles', 5, 'files/profiles.md' ],
 ]
@@ -335,19 +406,24 @@ foreach entry : nix_manpages
   # Therefore we use an optional third element of this array to override the name pattern
   md_file = entry.get(2, title + '.md')
   section = entry[1].to_string()
-  md_file_resolved = join_paths('@INPUT1@/command-ref/', md_file)
+  input_file = meson.current_source_dir() / 'source/command-ref' / md_file
+
   custom_target(
     command : [
       bash,
       '@INPUT0@',
+      # Note: no --out-no-smarty flag (original behavior)
       title,
       section,
-      md_file_resolved,
+      meson.current_source_dir() / 'source',
+      meson.current_build_dir() / 'source',
+      doc_url,
+      input_file,
       '@OUTPUT@',
     ],
     input : [
       files('./render-manpage.sh'),
-      manual_md,
+      files('./expand-includes.py'),
       entry.get(3, []),
       nix_input,
     ],

doc/manual/meson.options

@@ -0,0 +1,13 @@
+option(
+  'official-release',
+  type : 'boolean',
+  value : true,
+  description : 'Whether this is an official release build (affects documentation URLs)',
+)
+
+option(
+  'html-manual',
+  type : 'boolean',
+  value : true,
+  description : 'Whether to build the HTML manual (requires mdbook)',
+)

doc/manual/package.nix

@@ -1,22 +1,31 @@
 {
   lib,
+  callPackage,
   mkMesonDerivation,
+  runCommand,
 
   meson,
   ninja,
   lowdown-unsandboxed,
   mdbook,
-  mdbook-linkcheck,
   jq,
   python3,
-  rsync,
   nix-cli,
   changelog-d,
+  json-schema-for-humans,
   officialRelease,
 
   # Configuration Options
 
   version,
+  /**
+    Whether to build the HTML manual.
+    When false, only manpages are built, avoiding the mdbook dependency.
+  */
+  buildHtmlManual ? true,
+
+  # `tests` attribute
+  testers,
 }:
 
 let
@@ -32,6 +41,20 @@ mkMesonDerivation (finalAttrs: {
     fileset.difference
       (fileset.unions [
         ../../.version
+        # For example JSON
+        ../../src/libutil-tests/data/memory-source-accessor
+        ../../src/libutil-tests/data/hash
+        ../../src/libstore-tests/data/content-address
+        ../../src/libstore-tests/data/store-path
+        ../../src/libstore-tests/data/realisation
+        ../../src/libstore-tests/data/derivation
+        ../../src/libstore-tests/data/derived-path
+        ../../src/libstore-tests/data/path-info
+        ../../src/libstore-tests/data/nar-info
+        ../../src/libstore-tests/data/build-result
+        ../../src/libstore-tests/data/dummy-store
+        # For derivation examples referenced by symlinks in doc/manual/source/protocols/json/schema/
+        ../../tests/functional/derivation
         # Too many different types of files to filter for now
         ../../doc/manual
         ./.
@@ -40,33 +63,41 @@ mkMesonDerivation (finalAttrs: {
       ../../doc/manual/package.nix;
 
   # TODO the man pages should probably be separate
-  outputs = [
-    "out"
-    "man"
+  outputs =
+    if buildHtmlManual then
+      [
+        "out"
+        "man"
+      ]
+    else
+      [ "out" ]; # Only one output when HTML manual is disabled; use "out" for manpages
+
+  # When HTML manual is disabled, install manpages to "out" instead of "man"
+  mesonFlags = [
+    (lib.mesonBool "official-release" officialRelease)
+    (lib.mesonBool "html-manual" buildHtmlManual)
+  ]
+  ++ lib.optionals (!buildHtmlManual) [
+    "--mandir=${placeholder "out"}/share/man"
   ];
 
-  # Hack for sake of the dev shell
-  passthru.externalNativeBuildInputs =
-    [
-      meson
-      ninja
-      (lib.getBin lowdown-unsandboxed)
-      mdbook
-      mdbook-linkcheck
-      jq
-      python3
-      rsync
-      changelog-d
-    ]
-    ++ lib.optionals (!officialRelease) [
-      # When not an official release, we likely have changelog entries that have
-      # yet to be rendered.
-      # When released, these are rendered into a committed file to save a dependency.
-      changelog-d
-    ];
-
-  nativeBuildInputs = finalAttrs.passthru.externalNativeBuildInputs ++ [
+  nativeBuildInputs = [
     nix-cli
+    meson
+    ninja
+    (lib.getBin lowdown-unsandboxed)
+    jq
+    python3
+  ]
+  ++ lib.optionals buildHtmlManual [
+    mdbook
+    json-schema-for-humans
+  ]
+  ++ lib.optionals (!officialRelease && buildHtmlManual) [
+    # When not an official release, we likely have changelog entries that have
+    # yet to be rendered.
+    # When released, these are rendered into a committed file to save a dependency.
+    changelog-d
   ];
 
   preConfigure = ''
@@ -74,11 +105,49 @@ mkMesonDerivation (finalAttrs: {
     echo ${finalAttrs.version} > ./.version
   '';
 
-  postInstall = ''
+  postInstall = lib.optionalString buildHtmlManual ''
     mkdir -p ''$out/nix-support
     echo "doc manual ''$out/share/doc/nix/manual" >> ''$out/nix-support/hydra-build-products
   '';
 
+  passthru = lib.optionalAttrs buildHtmlManual {
+    /**
+      The root of the HTML manual.
+      E.g. "${nix-manual.site}/index.html" exists.
+    */
+
+    site = finalAttrs.finalPackage + "/share/doc/nix/manual";
+
+    tests =
+      let
+        redirect-targets = callPackage ./redirect-targets-html.nix { };
+      in
+      {
+        # https://nixos.org/manual/nixpkgs/stable/index.html#tester-lycheeLinkCheck
+        linkcheck = testers.lycheeLinkCheck {
+          site =
+            let
+              plain = finalAttrs.finalPackage.site;
+            in
+            runCommand "nix-manual-with-redirect-targets" { } ''
+              cp -r ${plain} $out
+              chmod -R u+w $out
+              cp ${redirect-targets}/redirect-targets.html $out/redirect-targets.html
+            '';
+          extraConfig = {
+            exclude = [
+              # Exclude auto-generated JSON schema documentation which has
+              # auto-generated fragment IDs that don't match the link references
+              ".*/protocols/json/.*\\.html"
+              # Exclude undocumented builtins
+              ".*/language/builtins\\.html#builtins-addErrorContext"
+              ".*/language/builtins\\.html#builtins-appendContext"
+            ];
+          };
+        };
+      };
+  };
+
   meta = {
     platforms = lib.platforms.all;
   };

doc/manual/redirect-targets-html.nix

@@ -0,0 +1,62 @@
+# Generates redirect-targets.html containing all redirect targets for link checking.
+# Used by: doc/manual/package.nix (passthru.tests.linkcheck)
+
+{
+  stdenv,
+  lib,
+  jq,
+}:
+
+stdenv.mkDerivation {
+  name = "redirect-targets-html";
+
+  src = lib.fileset.toSource {
+    root = ./.;
+    fileset = ./redirects.json;
+  };
+
+  nativeBuildInputs = [ jq ];
+
+  installPhase = ''
+    mkdir -p $out
+
+    {
+      echo '<!DOCTYPE html>'
+      echo '<html><head><title>Nix Manual Redirect Targets</title></head><body>'
+      echo '<h1>Redirect Targets to Check</h1>'
+      echo '<p>This document contains all redirect targets from the Nix manual.</p>'
+
+      echo '<h2>Client-side redirects (from redirects.json)</h2>'
+      echo '<ul>'
+
+      # Extract all redirects with their source pages to properly resolve relative paths
+      jq -r 'to_entries[] | .key as $page | .value | to_entries[] | "\($page)\t\(.value)"' \
+        redirects.json | while IFS=$'\t' read -r page target; do
+
+        page_dir=$(dirname "$page")
+
+        # Handle fragment-only targets (e.g., #primitives)
+        if [[ "$target" == \#* ]]; then
+          # Fragment is on the same page
+          resolved="$page$target"
+          echo "<li><a href=\"$resolved\">$resolved</a> (fragment on $page)</li>"
+          continue
+        fi
+
+        # Resolve relative path based on the source page location
+        resolved="$page_dir/$target"
+
+        echo "<li><a href=\"$resolved\">$resolved</a> (from $page)</li>"
+      done
+
+      echo '</ul>'
+      echo '</body></html>'
+    } > $out/redirect-targets.html
+
+    echo "Generated redirect targets document with $(grep -c '<li>' $out/redirect-targets.html) links"
+  '';
+
+  meta = {
+    description = "HTML document listing all Nix manual redirect targets for link checking";
+  };
+}

doc/manual/redirects.js

@@ -1,460 +0,0 @@
-// redirect rules for URL fragments (client-side) to prevent link rot.
-// this must be done on the client side, as web servers do not see the fragment part of the URL.
-// it will only work with JavaScript enabled in the browser, but this is the best we can do here.
-// see source/_redirects for path redirects (server-side)
-
-// redirects are declared as follows:
-// each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
-//
-//     IMPORTANT: it must specify the full path with file name and suffix
-//
-// each entry is itself a set of key-value pairs, where
-// - keys are anchors on the matched path.
-// - values are redirection targets relative to the current path.
-
-const redirects = {
- "index.html": {
-    "part-advanced-topics": "advanced-topics/index.html",
-    "chap-tuning-cores-and-jobs": "advanced-topics/cores-vs-jobs.html",
-    "chap-diff-hook": "advanced-topics/diff-hook.html",
-    "check-dirs-are-unregistered": "advanced-topics/diff-hook.html#check-dirs-are-unregistered",
-    "chap-distributed-builds": "command-ref/conf-file.html#conf-builders",
-    "chap-post-build-hook": "advanced-topics/post-build-hook.html",
-    "chap-post-build-hook-caveats": "advanced-topics/post-build-hook.html#implementation-caveats",
-    "chap-writing-nix-expressions": "language/index.html",
-    "part-command-ref": "command-ref/index.html",
-    "conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
-    "conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
-    "conf-allowed-uris": "command-ref/conf-file.html#conf-allowed-uris",
-    "conf-allowed-users": "command-ref/conf-file.html#conf-allowed-users",
-    "conf-auto-optimise-store": "command-ref/conf-file.html#conf-auto-optimise-store",
-    "conf-binary-cache-public-keys": "command-ref/conf-file.html#conf-binary-cache-public-keys",
-    "conf-binary-caches": "command-ref/conf-file.html#conf-binary-caches",
-    "conf-build-compress-log": "command-ref/conf-file.html#conf-build-compress-log",
-    "conf-build-cores": "command-ref/conf-file.html#conf-build-cores",
-    "conf-build-extra-chroot-dirs": "command-ref/conf-file.html#conf-build-extra-chroot-dirs",
-    "conf-build-extra-sandbox-paths": "command-ref/conf-file.html#conf-build-extra-sandbox-paths",
-    "conf-build-fallback": "command-ref/conf-file.html#conf-build-fallback",
-    "conf-build-max-jobs": "command-ref/conf-file.html#conf-build-max-jobs",
-    "conf-build-max-log-size": "command-ref/conf-file.html#conf-build-max-log-size",
-    "conf-build-max-silent-time": "command-ref/conf-file.html#conf-build-max-silent-time",
-    "conf-build-timeout": "command-ref/conf-file.html#conf-build-timeout",
-    "conf-build-use-chroot": "command-ref/conf-file.html#conf-build-use-chroot",
-    "conf-build-use-sandbox": "command-ref/conf-file.html#conf-build-use-sandbox",
-    "conf-build-use-substitutes": "command-ref/conf-file.html#conf-build-use-substitutes",
-    "conf-build-users-group": "command-ref/conf-file.html#conf-build-users-group",
-    "conf-builders": "command-ref/conf-file.html#conf-builders",
-    "conf-builders-use-substitutes": "command-ref/conf-file.html#conf-builders-use-substitutes",
-    "conf-compress-build-log": "command-ref/conf-file.html#conf-compress-build-log",
-    "conf-connect-timeout": "command-ref/conf-file.html#conf-connect-timeout",
-    "conf-cores": "command-ref/conf-file.html#conf-cores",
-    "conf-diff-hook": "command-ref/conf-file.html#conf-diff-hook",
-    "conf-env-keep-derivations": "command-ref/conf-file.html#conf-env-keep-derivations",
-    "conf-extra-binary-caches": "command-ref/conf-file.html#conf-extra-binary-caches",
-    "conf-extra-platforms": "command-ref/conf-file.html#conf-extra-platforms",
-    "conf-extra-sandbox-paths": "command-ref/conf-file.html#conf-extra-sandbox-paths",
-    "conf-extra-substituters": "command-ref/conf-file.html#conf-extra-substituters",
-    "conf-fallback": "command-ref/conf-file.html#conf-fallback",
-    "conf-fsync-metadata": "command-ref/conf-file.html#conf-fsync-metadata",
-    "conf-gc-keep-derivations": "command-ref/conf-file.html#conf-gc-keep-derivations",
-    "conf-gc-keep-outputs": "command-ref/conf-file.html#conf-gc-keep-outputs",
-    "conf-hashed-mirrors": "command-ref/conf-file.html#conf-hashed-mirrors",
-    "conf-http-connections": "command-ref/conf-file.html#conf-http-connections",
-    "conf-keep-build-log": "command-ref/conf-file.html#conf-keep-build-log",
-    "conf-keep-derivations": "command-ref/conf-file.html#conf-keep-derivations",
-    "conf-keep-env-derivations": "command-ref/conf-file.html#conf-keep-env-derivations",
-    "conf-keep-outputs": "command-ref/conf-file.html#conf-keep-outputs",
-    "conf-max-build-log-size": "command-ref/conf-file.html#conf-max-build-log-size",
-    "conf-max-free": "command-ref/conf-file.html#conf-max-free",
-    "conf-max-jobs": "command-ref/conf-file.html#conf-max-jobs",
-    "conf-max-silent-time": "command-ref/conf-file.html#conf-max-silent-time",
-    "conf-min-free": "command-ref/conf-file.html#conf-min-free",
-    "conf-narinfo-cache-negative-ttl": "command-ref/conf-file.html#conf-narinfo-cache-negative-ttl",
-    "conf-narinfo-cache-positive-ttl": "command-ref/conf-file.html#conf-narinfo-cache-positive-ttl",
-    "conf-netrc-file": "command-ref/conf-file.html#conf-netrc-file",
-    "conf-plugin-files": "command-ref/conf-file.html#conf-plugin-files",
-    "conf-post-build-hook": "command-ref/conf-file.html#conf-post-build-hook",
-    "conf-pre-build-hook": "command-ref/conf-file.html#conf-pre-build-hook",
-    "conf-require-sigs": "command-ref/conf-file.html#conf-require-sigs",
-    "conf-restrict-eval": "command-ref/conf-file.html#conf-restrict-eval",
-    "conf-run-diff-hook": "command-ref/conf-file.html#conf-run-diff-hook",
-    "conf-sandbox": "command-ref/conf-file.html#conf-sandbox",
-    "conf-sandbox-dev-shm-size": "command-ref/conf-file.html#conf-sandbox-dev-shm-size",
-    "conf-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
-    "conf-secret-key-files": "command-ref/conf-file.html#conf-secret-key-files",
-    "conf-show-trace": "command-ref/conf-file.html#conf-show-trace",
-    "conf-stalled-download-timeout": "command-ref/conf-file.html#conf-stalled-download-timeout",
-    "conf-substitute": "command-ref/conf-file.html#conf-substitute",
-    "conf-substituters": "command-ref/conf-file.html#conf-substituters",
-    "conf-system": "command-ref/conf-file.html#conf-system",
-    "conf-system-features": "command-ref/conf-file.html#conf-system-features",
-    "conf-tarball-ttl": "command-ref/conf-file.html#conf-tarball-ttl",
-    "conf-timeout": "command-ref/conf-file.html#conf-timeout",
-    "conf-trace-function-calls": "command-ref/conf-file.html#conf-trace-function-calls",
-    "conf-trusted-binary-caches": "command-ref/conf-file.html#conf-trusted-binary-caches",
-    "conf-trusted-public-keys": "command-ref/conf-file.html#conf-trusted-public-keys",
-    "conf-trusted-substituters": "command-ref/conf-file.html#conf-trusted-substituters",
-    "conf-trusted-users": "command-ref/conf-file.html#conf-trusted-users",
-    "extra-sandbox-paths": "command-ref/conf-file.html#extra-sandbox-paths",
-    "sec-conf-file": "command-ref/conf-file.html",
-    "env-NIX_PATH": "command-ref/env-common.html#env-NIX_PATH",
-    "env-common": "command-ref/env-common.html",
-    "envar-remote": "command-ref/env-common.html#env-NIX_REMOTE",
-    "sec-common-env": "command-ref/env-common.html",
-    "ch-files": "command-ref/files.html",
-    "ch-main-commands": "command-ref/main-commands.html",
-    "opt-out-link": "command-ref/nix-build.html#opt-out-link",
-    "sec-nix-build": "command-ref/nix-build.html",
-    "sec-nix-channel": "command-ref/nix-channel.html",
-    "sec-nix-collect-garbage": "command-ref/nix-collect-garbage.html",
-    "sec-nix-copy-closure": "command-ref/nix-copy-closure.html",
-    "sec-nix-daemon": "command-ref/nix-daemon.html",
-    "refsec-nix-env-install-examples": "command-ref/nix-env.html#examples",
-    "rsec-nix-env-install": "command-ref/nix-env.html#operation---install",
-    "rsec-nix-env-set": "command-ref/nix-env.html#operation---set",
-    "rsec-nix-env-set-flag": "command-ref/nix-env.html#operation---set-flag",
-    "rsec-nix-env-upgrade": "command-ref/nix-env.html#operation---upgrade",
-    "sec-nix-env": "command-ref/nix-env.html",
-    "ssec-version-comparisons": "command-ref/nix-env.html#versions",
-    "sec-nix-hash": "command-ref/nix-hash.html",
-    "sec-nix-instantiate": "command-ref/nix-instantiate.html",
-    "sec-nix-prefetch-url": "command-ref/nix-prefetch-url.html",
-    "sec-nix-shell": "command-ref/nix-shell.html",
-    "ssec-nix-shell-shebang": "command-ref/nix-shell.html#use-as-a--interpreter",
-    "nixref-queries": "command-ref/nix-store.html#queries",
-    "opt-add-root": "command-ref/nix-store.html#opt-add-root",
-    "refsec-nix-store-dump": "command-ref/nix-store.html#operation---dump",
-    "refsec-nix-store-export": "command-ref/nix-store.html#operation---export",
-    "refsec-nix-store-import": "command-ref/nix-store.html#operation---import",
-    "refsec-nix-store-query": "command-ref/nix-store.html#operation---query",
-    "refsec-nix-store-verify": "command-ref/nix-store.html#operation---verify",
-    "rsec-nix-store-gc": "command-ref/nix-store.html#operation---gc",
-    "rsec-nix-store-generate-binary-cache-key": "command-ref/nix-store.html#operation---generate-binary-cache-key",
-    "rsec-nix-store-realise": "command-ref/nix-store.html#operation---realise",
-    "rsec-nix-store-serve": "command-ref/nix-store.html#operation---serve",
-    "sec-nix-store": "command-ref/nix-store.html",
-    "opt-I": "command-ref/opt-common.html#opt-I",
-    "opt-attr": "command-ref/opt-common.html#opt-attr",
-    "opt-common": "command-ref/opt-common.html",
-    "opt-cores": "command-ref/opt-common.html#opt-cores",
-    "opt-log-format": "command-ref/opt-common.html#opt-log-format",
-    "opt-max-jobs": "command-ref/opt-common.html#opt-max-jobs",
-    "opt-max-silent-time": "command-ref/opt-common.html#opt-max-silent-time",
-    "opt-timeout": "command-ref/opt-common.html#opt-timeout",
-    "sec-common-options": "command-ref/opt-common.html",
-    "ch-utilities": "command-ref/utilities.html",
-    "chap-hacking": "development/building.html",
-    "adv-attr-allowSubstitutes": "language/advanced-attributes.html#adv-attr-allowSubstitutes",
-    "adv-attr-allowedReferences": "language/advanced-attributes.html#adv-attr-allowedReferences",
-    "adv-attr-allowedRequisites": "language/advanced-attributes.html#adv-attr-allowedRequisites",
-    "adv-attr-disallowedReferences": "language/advanced-attributes.html#adv-attr-disallowedReferences",
-    "adv-attr-disallowedRequisites": "language/advanced-attributes.html#adv-attr-disallowedRequisites",
-    "adv-attr-exportReferencesGraph": "language/advanced-attributes.html#adv-attr-exportReferencesGraph",
-    "adv-attr-impureEnvVars": "language/advanced-attributes.html#adv-attr-impureEnvVars",
-    "adv-attr-outputHash": "language/advanced-attributes.html#adv-attr-outputHash",
-    "adv-attr-outputHashAlgo": "language/advanced-attributes.html#adv-attr-outputHashAlgo",
-    "adv-attr-outputHashMode": "language/advanced-attributes.html#adv-attr-outputHashMode",
-    "adv-attr-passAsFile": "language/advanced-attributes.html#adv-attr-passAsFile",
-    "adv-attr-preferLocalBuild": "language/advanced-attributes.html#adv-attr-preferLocalBuild",
-    "fixed-output-drvs": "language/advanced-attributes.html#adv-attr-outputHash",
-    "sec-advanced-attributes": "language/advanced-attributes.html",
-    "builtin-abort": "language/builtins.html#builtins-abort",
-    "builtin-add": "language/builtins.html#builtins-add",
-    "builtin-all": "language/builtins.html#builtins-all",
-    "builtin-any": "language/builtins.html#builtins-any",
-    "builtin-attrNames": "language/builtins.html#builtins-attrNames",
-    "builtin-attrValues": "language/builtins.html#builtins-attrValues",
-    "builtin-baseNameOf": "language/builtins.html#builtins-baseNameOf",
-    "builtin-bitAnd": "language/builtins.html#builtins-bitAnd",
-    "builtin-bitOr": "language/builtins.html#builtins-bitOr",
-    "builtin-bitXor": "language/builtins.html#builtins-bitXor",
-    "builtin-builtins": "language/builtins.html#builtins-builtins",
-    "builtin-compareVersions": "language/builtins.html#builtins-compareVersions",
-    "builtin-concatLists": "language/builtins.html#builtins-concatLists",
-    "builtin-concatStringsSep": "language/builtins.html#builtins-concatStringsSep",
-    "builtin-currentSystem": "language/builtins.html#builtins-currentSystem",
-    "builtin-deepSeq": "language/builtins.html#builtins-deepSeq",
-    "builtin-derivation": "language/builtins.html#builtins-derivation",
-    "builtin-dirOf": "language/builtins.html#builtins-dirOf",
-    "builtin-div": "language/builtins.html#builtins-div",
-    "builtin-elem": "language/builtins.html#builtins-elem",
-    "builtin-elemAt": "language/builtins.html#builtins-elemAt",
-    "builtin-fetchGit": "language/builtins.html#builtins-fetchGit",
-    "builtin-fetchTarball": "language/builtins.html#builtins-fetchTarball",
-    "builtin-fetchurl": "language/builtins.html#builtins-fetchurl",
-    "builtin-filterSource": "language/builtins.html#builtins-filterSource",
-    "builtin-foldl-prime": "language/builtins.html#builtins-foldl-prime",
-    "builtin-fromJSON": "language/builtins.html#builtins-fromJSON",
-    "builtin-functionArgs": "language/builtins.html#builtins-functionArgs",
-    "builtin-genList": "language/builtins.html#builtins-genList",
-    "builtin-getAttr": "language/builtins.html#builtins-getAttr",
-    "builtin-getEnv": "language/builtins.html#builtins-getEnv",
-    "builtin-hasAttr": "language/builtins.html#builtins-hasAttr",
-    "builtin-hashFile": "language/builtins.html#builtins-hashFile",
-    "builtin-hashString": "language/builtins.html#builtins-hashString",
-    "builtin-head": "language/builtins.html#builtins-head",
-    "builtin-import": "language/builtins.html#builtins-import",
-    "builtin-intersectAttrs": "language/builtins.html#builtins-intersectAttrs",
-    "builtin-isAttrs": "language/builtins.html#builtins-isAttrs",
-    "builtin-isBool": "language/builtins.html#builtins-isBool",
-    "builtin-isFloat": "language/builtins.html#builtins-isFloat",
-    "builtin-isFunction": "language/builtins.html#builtins-isFunction",
-    "builtin-isInt": "language/builtins.html#builtins-isInt",
-    "builtin-isList": "language/builtins.html#builtins-isList",
-    "builtin-isNull": "language/builtins.html#builtins-isNull",
-    "builtin-isString": "language/builtins.html#builtins-isString",
-    "builtin-length": "language/builtins.html#builtins-length",
-    "builtin-lessThan": "language/builtins.html#builtins-lessThan",
-    "builtin-listToAttrs": "language/builtins.html#builtins-listToAttrs",
-    "builtin-map": "language/builtins.html#builtins-map",
-    "builtin-match": "language/builtins.html#builtins-match",
-    "builtin-mul": "language/builtins.html#builtins-mul",
-    "builtin-parseDrvName": "language/builtins.html#builtins-parseDrvName",
-    "builtin-path": "language/builtins.html#builtins-path",
-    "builtin-pathExists": "language/builtins.html#builtins-pathExists",
-    "builtin-placeholder": "language/builtins.html#builtins-placeholder",
-    "builtin-readDir": "language/builtins.html#builtins-readDir",
-    "builtin-readFile": "language/builtins.html#builtins-readFile",
-    "builtin-removeAttrs": "language/builtins.html#builtins-removeAttrs",
-    "builtin-replaceStrings": "language/builtins.html#builtins-replaceStrings",
-    "builtin-seq": "language/builtins.html#builtins-seq",
-    "builtin-sort": "language/builtins.html#builtins-sort",
-    "builtin-split": "language/builtins.html#builtins-split",
-    "builtin-splitVersion": "language/builtins.html#builtins-splitVersion",
-    "builtin-stringLength": "language/builtins.html#builtins-stringLength",
-    "builtin-sub": "language/builtins.html#builtins-sub",
-    "builtin-substring": "language/builtins.html#builtins-substring",
-    "builtin-tail": "language/builtins.html#builtins-tail",
-    "builtin-throw": "language/builtins.html#builtins-throw",
-    "builtin-toFile": "language/builtins.html#builtins-toFile",
-    "builtin-toJSON": "language/builtins.html#builtins-toJSON",
-    "builtin-toPath": "language/builtins.html#builtins-toPath",
-    "builtin-toString": "language/builtins.html#builtins-toString",
-    "builtin-toXML": "language/builtins.html#builtins-toXML",
-    "builtin-trace": "language/builtins.html#builtins-trace",
-    "builtin-tryEval": "language/builtins.html#builtins-tryEval",
-    "builtin-typeOf": "language/builtins.html#builtins-typeOf",
-    "ssec-builtins": "language/builtins.html",
-    "attr-system": "language/derivations.html#attr-system",
-    "ssec-derivation": "language/derivations.html",
-    "ch-expression-language": "language/index.html",
-    "sec-constructs": "language/syntax.html",
-    "sect-let-language": "language/syntax.html#let-expressions",
-    "ss-functions": "language/syntax.html#functions",
-    "sec-language-operators": "language/operators.html",
-    "table-operators": "language/operators.html",
-    "ssec-values": "language/types.html",
-    "gloss-closure": "glossary.html#gloss-closure",
-    "gloss-derivation": "glossary.html#gloss-derivation",
-    "gloss-deriver": "glossary.html#gloss-deriver",
-    "gloss-nar": "glossary.html#gloss-nar",
-    "gloss-output-path": "glossary.html#gloss-output-path",
-    "gloss-profile": "glossary.html#gloss-profile",
-    "gloss-reachable": "glossary.html#gloss-reachable",
-    "gloss-reference": "glossary.html#gloss-reference",
-    "gloss-substitute": "glossary.html#gloss-substitute",
-    "gloss-user-env": "glossary.html#gloss-user-env",
-    "gloss-validity": "glossary.html#gloss-validity",
-    "part-glossary": "glossary.html",
-    "sec-building-source": "installation/building-source.html",
-    "ch-env-variables": "installation/env-variables.html",
-    "sec-installer-proxy-settings": "installation/env-variables.html#proxy-environment-variables",
-    "sec-nix-ssl-cert-file": "installation/env-variables.html#nix_ssl_cert_file",
-    "sec-nix-ssl-cert-file-with-nix-daemon-and-macos": "installation/env-variables.html#nix_ssl_cert_file-with-macos-and-the-nix-daemon",
-    "chap-installation": "installation/index.html",
-    "ch-installing-binary": "installation/installing-binary.html",
-    "sect-macos-installation": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-change-store-prefix": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-encrypted-volume": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-recommended-notes": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-symlink": "installation/installing-binary.html#macos-installation",
-    "sect-multi-user-installation": "installation/installing-binary.html#multi-user-installation",
-    "sect-nix-install-binary-tarball": "installation/installing-binary.html#installing-from-a-binary-tarball",
-    "sect-nix-install-pinned-version-url": "installation/installing-binary.html#installing-a-pinned-nix-version-from-a-url",
-    "sect-single-user-installation": "installation/installing-binary.html#single-user-installation",
-    "ch-installing-source": "installation/installing-source.html",
-    "ssec-multi-user": "installation/multi-user.html",
-    "ch-nix-security": "installation/nix-security.html",
-    "sec-obtaining-source": "installation/obtaining-source.html",
-    "sec-prerequisites-source": "installation/prerequisites-source.html",
-    "sec-single-user": "installation/single-user.html",
-    "ch-supported-platforms": "installation/supported-platforms.html",
-    "ch-upgrading-nix": "installation/upgrading.html",
-    "ch-about-nix": "introduction.html",
-    "chap-introduction": "introduction.html",
-    "ch-basic-package-mgmt": "package-management/basic-package-mgmt.html",
-    "ssec-binary-cache-substituter": "package-management/binary-cache-substituter.html",
-    "sec-channels": "command-ref/nix-channel.html",
-    "ssec-copy-closure": "command-ref/nix-copy-closure.html",
-    "sec-garbage-collection": "package-management/garbage-collection.html",
-    "ssec-gc-roots": "package-management/garbage-collector-roots.html",
-    "chap-package-management": "package-management/index.html",
-    "sec-profiles": "package-management/profiles.html",
-    "ssec-s3-substituter": "store/types/s3-substituter.html",
-    "ssec-s3-substituter-anonymous-reads": "store/types/s3-substituter.html#anonymous-reads-to-your-s3-compatible-binary-cache",
-    "ssec-s3-substituter-authenticated-reads": "store/types/s3-substituter.html#authenticated-reads-to-your-s3-binary-cache",
-    "ssec-s3-substituter-authenticated-writes": "store/types/s3-substituter.html#authenticated-writes-to-your-s3-compatible-binary-cache",
-    "sec-sharing-packages": "package-management/sharing-packages.html",
-    "ssec-ssh-substituter": "package-management/ssh-substituter.html",
-    "chap-quick-start": "quick-start.html",
-    "sec-relnotes": "release-notes/index.html",
-    "ch-relnotes-0.10.1": "release-notes/rl-0.10.1.html",
-    "ch-relnotes-0.10": "release-notes/rl-0.10.html",
-    "ssec-relnotes-0.11": "release-notes/rl-0.11.html",
-    "ssec-relnotes-0.12": "release-notes/rl-0.12.html",
-    "ssec-relnotes-0.13": "release-notes/rl-0.13.html",
-    "ssec-relnotes-0.14": "release-notes/rl-0.14.html",
-    "ssec-relnotes-0.15": "release-notes/rl-0.15.html",
-    "ssec-relnotes-0.16": "release-notes/rl-0.16.html",
-    "ch-relnotes-0.5": "release-notes/rl-0.5.html",
-    "ch-relnotes-0.6": "release-notes/rl-0.6.html",
-    "ch-relnotes-0.7": "release-notes/rl-0.7.html",
-    "ch-relnotes-0.8.1": "release-notes/rl-0.8.1.html",
-    "ch-relnotes-0.8": "release-notes/rl-0.8.html",
-    "ch-relnotes-0.9.1": "release-notes/rl-0.9.1.html",
-    "ch-relnotes-0.9.2": "release-notes/rl-0.9.2.html",
-    "ch-relnotes-0.9": "release-notes/rl-0.9.html",
-    "ssec-relnotes-1.0": "release-notes/rl-1.0.html",
-    "ssec-relnotes-1.1": "release-notes/rl-1.1.html",
-    "ssec-relnotes-1.10": "release-notes/rl-1.10.html",
-    "ssec-relnotes-1.11.10": "release-notes/rl-1.11.10.html",
-    "ssec-relnotes-1.11": "release-notes/rl-1.11.html",
-    "ssec-relnotes-1.2": "release-notes/rl-1.2.html",
-    "ssec-relnotes-1.3": "release-notes/rl-1.3.html",
-    "ssec-relnotes-1.4": "release-notes/rl-1.4.html",
-    "ssec-relnotes-1.5.1": "release-notes/rl-1.5.1.html",
-    "ssec-relnotes-1.5.2": "release-notes/rl-1.5.2.html",
-    "ssec-relnotes-1.5": "release-notes/rl-1.5.html",
-    "ssec-relnotes-1.6.1": "release-notes/rl-1.6.1.html",
-    "ssec-relnotes-1.6.0": "release-notes/rl-1.6.html",
-    "ssec-relnotes-1.7": "release-notes/rl-1.7.html",
-    "ssec-relnotes-1.8": "release-notes/rl-1.8.html",
-    "ssec-relnotes-1.9": "release-notes/rl-1.9.html",
-    "ssec-relnotes-2.0": "release-notes/rl-2.0.html",
-    "ssec-relnotes-2.1": "release-notes/rl-2.1.html",
-    "ssec-relnotes-2.2": "release-notes/rl-2.2.html",
-    "ssec-relnotes-2.3": "release-notes/rl-2.3.html",
-  },
-  "language/types.html": {
-    "simple-values": "#primitives",
-    "lists": "#list",
-    "strings": "#string",
-    "attribute-sets": "#attribute-set",
-    "type-number": "#type-int",
-  },
-  "language/syntax.html": {
-    "scoping-rules": "scoping.html",
-    "string-literal": "string-literals.html",
-  },
-  "language/derivations.md": {
-    "builder-execution": "store/drv/building.md#builder-execution",
-  },
-  "installation/installing-binary.html": {
-    "linux": "uninstall.html#linux",
-    "macos": "uninstall.html#macos",
-    "uninstalling": "uninstall.html",
-  },
-  "development/building.html": {
-    "nix-with-flakes": "#building-nix-with-flakes",
-    "classic-nix": "#building-nix",
-    "running-tests": "testing.html#running-tests",
-    "unit-tests": "testing.html#unit-tests",
-    "functional-tests": "testing.html#functional-tests",
-    "debugging-failing-functional-tests": "testing.html#debugging-failing-functional-tests",
-    "integration-tests": "testing.html#integration-tests",
-    "installer-tests": "testing.html#installer-tests",
-    "one-time-setup": "testing.html#one-time-setup",
-    "using-the-ci-generated-installer-for-manual-testing": "testing.html#using-the-ci-generated-installer-for-manual-testing",
-    "characterization-testing": "testing.html#characterisation-testing-unit",
-    "add-a-release-note": "contributing.html#add-a-release-note",
-    "add-an-entry": "contributing.html#add-an-entry",
-    "build-process": "contributing.html#build-process",
-    "reverting": "contributing.html#reverting",
-    "branches": "contributing.html#branches",
-  },
-  "glossary.html": {
-    "gloss-local-store": "store/types/local-store.html",
-    "package-attribute-set": "#package",
-    "gloss-chroot-store": "store/types/local-store.html",
-    "gloss-content-addressed-derivation": "#gloss-content-addressing-derivation",
-  },
-};
-
-// the following code matches the current page's URL against the set of redirects.
-//
-// it is written to minimize the latency between page load and redirect.
-// therefore we avoid function calls, copying data, and unnecessary loops.
-// IMPORTANT: we use stateful array operations and their order matters!
-//
-// matching URLs is more involved than it should be:
-//
-// 1. `document.location.pathname` can have an arbitrary prefix.
-//
-// 2. `path_to_root` is set by mdBook. it consists only of `../`s and
-//    determines the depth of `<path>` relative to the prefix:
-//
-//          `document.location.pathname`
-//        |------------------------------|
-//        /<prefix>/<path>/[<file>[.html]][#<anchor>]
-//                  |----|
-//              `path_to_root` has same number of path segments
-//
-//    source: https://phaiax.github.io/mdBook/format/theme/index-hbs.html#data
-//
-// 3. the following paths are equivalent:
-//
-//        /foo/bar/
-//        /foo/bar/index.html
-//        /foo/bar/index
-//
-//  4. the following paths are also equivalent:
-//
-//        /foo/bar/baz
-//        /foo/bar/baz.html
-//
-
-let segments = document.location.pathname.split('/');
-
-let file = segments.pop();
-
-// normalize file name
-if (file === '') { file = "index.html"; }
-else if (!file.endsWith('.html')) { file = file + '.html'; }
-
-segments.push(file);
-
-// use `path_to_root` to discern prefix from path.
-const depth = path_to_root.split('/').length;
-
-// remove segments containing prefix. the following works because
-// 1. the original `document.location.pathname` is absolute,
-//    hence first element of `segments` is always empty.
-// 2. last element of splitting `path_to_root` is also always empty.
-// 3. last element of `segments` is the file name.
-//
-// visual example:
-//
-//     '/foo/bar/baz.html'.split('/') -> [ '', 'foo', 'bar', 'baz.html' ]
-//          '../'.split('/')          -> [ '..', '' ]
-//
-// the following operations will then result in
-//
-//     path = 'bar/baz.html'
-//
-segments.splice(0, segments.length - depth);
-const path = segments.join('/');
-
-// anchor starts with the hash character (`#`),
-// but our redirect declarations don't, so we strip it.
-// example:
-//     document.location.hash -> '#foo'
-//     document.location.hash.substring(1) -> 'foo'
-const anchor = document.location.hash.substring(1);
-
-const redirect = redirects[path];
-if (redirect) {
-  const target = redirect[anchor];
-  if (target) {
-    document.location.href = target;
-  }
-}

doc/manual/redirects.js.in

@@ -0,0 +1,94 @@
+// redirect rules for URL fragments (client-side) to prevent link rot.
+// this must be done on the client side, as web servers do not see the fragment part of the URL.
+// it will only work with JavaScript enabled in the browser, but this is the best we can do here.
+// see source/_redirects for path redirects (server-side)
+
+// redirects are declared as follows:
+// each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
+//
+//     IMPORTANT: it must specify the full path with file name and suffix
+//
+// each entry is itself a set of key-value pairs, where
+// - keys are anchors on the matched path.
+// - values are redirection targets relative to the current path.
+
+const redirects = @REDIRECTS_JSON@;
+
+// the following code matches the current page's URL against the set of redirects.
+//
+// it is written to minimize the latency between page load and redirect.
+// therefore we avoid function calls, copying data, and unnecessary loops.
+// IMPORTANT: we use stateful array operations and their order matters!
+//
+// matching URLs is more involved than it should be:
+//
+// 1. `document.location.pathname` can have an arbitrary prefix.
+//
+// 2. `path_to_root` is set by mdBook. it consists only of `../`s and
+//    determines the depth of `<path>` relative to the prefix:
+//
+//          `document.location.pathname`
+//        |------------------------------|
+//        /<prefix>/<path>/[<file>[.html]][#<anchor>]
+//                  |----|
+//              `path_to_root` has same number of path segments
+//
+//    source: https://phaiax.github.io/mdBook/format/theme/index-hbs.html#data
+//
+// 3. the following paths are equivalent:
+//
+//        /foo/bar/
+//        /foo/bar/index.html
+//        /foo/bar/index
+//
+//  4. the following paths are also equivalent:
+//
+//        /foo/bar/baz
+//        /foo/bar/baz.html
+//
+
+let segments = document.location.pathname.split('/');
+
+let file = segments.pop();
+
+// normalize file name
+if (file === '') { file = "index.html"; }
+else if (!file.endsWith('.html')) { file = file + '.html'; }
+
+segments.push(file);
+
+// use `path_to_root` to discern prefix from path.
+const depth = path_to_root.split('/').length;
+
+// remove segments containing prefix. the following works because
+// 1. the original `document.location.pathname` is absolute,
+//    hence first element of `segments` is always empty.
+// 2. last element of splitting `path_to_root` is also always empty.
+// 3. last element of `segments` is the file name.
+//
+// visual example:
+//
+//     '/foo/bar/baz.html'.split('/') -> [ '', 'foo', 'bar', 'baz.html' ]
+//          '../'.split('/')          -> [ '..', '' ]
+//
+// the following operations will then result in
+//
+//     path = 'bar/baz.html'
+//
+segments.splice(0, segments.length - depth);
+const path = segments.join('/');
+
+// anchor starts with the hash character (`#`),
+// but our redirect declarations don't, so we strip it.
+// example:
+//     document.location.hash -> '#foo'
+//     document.location.hash.substring(1) -> 'foo'
+const anchor = document.location.hash.substring(1);
+
+const redirect = redirects[path];
+if (redirect) {
+  const target = redirect[anchor];
+  if (target) {
+    document.location.href = target;
+  }
+}

doc/manual/redirects.json

@@ -0,0 +1,372 @@
+{
+    "index.html": {
+        "part-advanced-topics": "advanced-topics/index.html",
+        "chap-tuning-cores-and-jobs": "advanced-topics/cores-vs-jobs.html",
+        "chap-diff-hook": "advanced-topics/diff-hook.html",
+        "check-dirs-are-unregistered": "advanced-topics/diff-hook.html#check-dirs-are-unregistered",
+        "chap-distributed-builds": "command-ref/conf-file.html#conf-builders",
+        "chap-post-build-hook": "advanced-topics/post-build-hook.html",
+        "chap-post-build-hook-caveats": "advanced-topics/post-build-hook.html#implementation-caveats",
+        "chap-writing-nix-expressions": "language/index.html",
+        "part-command-ref": "command-ref/index.html",
+        "conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
+        "conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
+        "conf-allowed-uris": "command-ref/conf-file.html#conf-allowed-uris",
+        "conf-allowed-users": "command-ref/conf-file.html#conf-allowed-users",
+        "conf-auto-optimise-store": "command-ref/conf-file.html#conf-auto-optimise-store",
+        "conf-binary-cache-public-keys": "command-ref/conf-file.html#conf-trusted-public-keys",
+        "conf-binary-caches": "command-ref/conf-file.html#conf-substituters",
+        "conf-build-compress-log": "command-ref/conf-file.html#conf-compress-build-log",
+        "conf-build-cores": "command-ref/conf-file.html#conf-cores",
+        "conf-build-extra-chroot-dirs": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-build-extra-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-build-fallback": "command-ref/conf-file.html#conf-fallback",
+        "conf-build-max-jobs": "command-ref/conf-file.html#conf-max-jobs",
+        "conf-build-max-log-size": "command-ref/conf-file.html#conf-max-build-log-size",
+        "conf-build-max-silent-time": "command-ref/conf-file.html#conf-max-silent-time",
+        "conf-build-timeout": "command-ref/conf-file.html#conf-timeout",
+        "conf-build-use-chroot": "command-ref/conf-file.html#conf-sandbox",
+        "conf-build-use-sandbox": "command-ref/conf-file.html#conf-sandbox",
+        "conf-build-use-substitutes": "command-ref/conf-file.html#conf-substitute",
+        "conf-build-users-group": "command-ref/conf-file.html#conf-build-users-group",
+        "conf-builders": "command-ref/conf-file.html#conf-builders",
+        "conf-builders-use-substitutes": "command-ref/conf-file.html#conf-builders-use-substitutes",
+        "conf-compress-build-log": "command-ref/conf-file.html#conf-compress-build-log",
+        "conf-connect-timeout": "command-ref/conf-file.html#conf-connect-timeout",
+        "conf-cores": "command-ref/conf-file.html#conf-cores",
+        "conf-diff-hook": "command-ref/conf-file.html#conf-diff-hook",
+        "conf-env-keep-derivations": "command-ref/conf-file.html#conf-keep-env-derivations",
+        "conf-extra-binary-caches": "command-ref/conf-file.html#conf-substituters",
+        "conf-extra-platforms": "command-ref/conf-file.html#conf-extra-platforms",
+        "conf-extra-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-extra-substituters": "command-ref/conf-file.html#conf-substituters",
+        "conf-fallback": "command-ref/conf-file.html#conf-fallback",
+        "conf-fsync-metadata": "command-ref/conf-file.html#conf-fsync-metadata",
+        "conf-gc-keep-derivations": "command-ref/conf-file.html#conf-keep-derivations",
+        "conf-gc-keep-outputs": "command-ref/conf-file.html#conf-keep-outputs",
+        "conf-hashed-mirrors": "command-ref/conf-file.html#conf-hashed-mirrors",
+        "conf-http-connections": "command-ref/conf-file.html#conf-http-connections",
+        "conf-keep-build-log": "command-ref/conf-file.html#conf-keep-build-log",
+        "conf-keep-derivations": "command-ref/conf-file.html#conf-keep-derivations",
+        "conf-keep-env-derivations": "command-ref/conf-file.html#conf-keep-env-derivations",
+        "conf-keep-outputs": "command-ref/conf-file.html#conf-keep-outputs",
+        "conf-max-build-log-size": "command-ref/conf-file.html#conf-max-build-log-size",
+        "conf-max-free": "command-ref/conf-file.html#conf-max-free",
+        "conf-max-jobs": "command-ref/conf-file.html#conf-max-jobs",
+        "conf-max-silent-time": "command-ref/conf-file.html#conf-max-silent-time",
+        "conf-min-free": "command-ref/conf-file.html#conf-min-free",
+        "conf-narinfo-cache-negative-ttl": "command-ref/conf-file.html#conf-narinfo-cache-negative-ttl",
+        "conf-narinfo-cache-positive-ttl": "command-ref/conf-file.html#conf-narinfo-cache-positive-ttl",
+        "conf-netrc-file": "command-ref/conf-file.html#conf-netrc-file",
+        "conf-plugin-files": "command-ref/conf-file.html#conf-plugin-files",
+        "conf-post-build-hook": "command-ref/conf-file.html#conf-post-build-hook",
+        "conf-pre-build-hook": "command-ref/conf-file.html#conf-pre-build-hook",
+        "conf-require-sigs": "command-ref/conf-file.html#conf-require-sigs",
+        "conf-restrict-eval": "command-ref/conf-file.html#conf-restrict-eval",
+        "conf-run-diff-hook": "command-ref/conf-file.html#conf-run-diff-hook",
+        "conf-sandbox": "command-ref/conf-file.html#conf-sandbox",
+        "conf-sandbox-dev-shm-size": "command-ref/conf-file.html#conf-sandbox-dev-shm-size",
+        "conf-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-secret-key-files": "command-ref/conf-file.html#conf-secret-key-files",
+        "conf-show-trace": "command-ref/conf-file.html#conf-show-trace",
+        "conf-stalled-download-timeout": "command-ref/conf-file.html#conf-stalled-download-timeout",
+        "conf-substitute": "command-ref/conf-file.html#conf-substitute",
+        "conf-substituters": "command-ref/conf-file.html#conf-substituters",
+        "conf-system": "command-ref/conf-file.html#conf-system",
+        "conf-system-features": "command-ref/conf-file.html#conf-system-features",
+        "conf-tarball-ttl": "command-ref/conf-file.html#conf-tarball-ttl",
+        "conf-timeout": "command-ref/conf-file.html#conf-timeout",
+        "conf-trace-function-calls": "command-ref/conf-file.html#conf-trace-function-calls",
+        "conf-trusted-binary-caches": "command-ref/conf-file.html#conf-trusted-substituters",
+        "conf-trusted-public-keys": "command-ref/conf-file.html#conf-trusted-public-keys",
+        "conf-trusted-substituters": "command-ref/conf-file.html#conf-trusted-substituters",
+        "conf-trusted-users": "command-ref/conf-file.html#conf-trusted-users",
+        "extra-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "sec-conf-file": "command-ref/conf-file.html",
+        "env-NIX_PATH": "command-ref/env-common.html#env-NIX_PATH",
+        "env-common": "command-ref/env-common.html",
+        "envar-remote": "command-ref/env-common.html#env-NIX_REMOTE",
+        "sec-common-env": "command-ref/env-common.html",
+        "ch-files": "command-ref/files.html",
+        "ch-main-commands": "command-ref/main-commands.html",
+        "opt-out-link": "command-ref/nix-build.html#opt-out-link",
+        "sec-nix-build": "command-ref/nix-build.html",
+        "sec-nix-channel": "command-ref/nix-channel.html",
+        "sec-nix-collect-garbage": "command-ref/nix-collect-garbage.html",
+        "sec-nix-copy-closure": "command-ref/nix-copy-closure.html",
+        "sec-nix-daemon": "command-ref/nix-daemon.html",
+        "refsec-nix-env-install-examples": "command-ref/nix-env/install.html#examples",
+        "rsec-nix-env-install": "command-ref/nix-env/install.html",
+        "rsec-nix-env-set": "command-ref/nix-env/set.html",
+        "rsec-nix-env-set-flag": "command-ref/nix-env/set-flag.html",
+        "rsec-nix-env-upgrade": "command-ref/nix-env/upgrade.html",
+        "sec-nix-env": "command-ref/nix-env.html",
+        "ssec-version-comparisons": "command-ref/nix-env.html#selectors",
+        "sec-nix-hash": "command-ref/nix-hash.html",
+        "sec-nix-instantiate": "command-ref/nix-instantiate.html",
+        "sec-nix-prefetch-url": "command-ref/nix-prefetch-url.html",
+        "sec-nix-shell": "command-ref/nix-shell.html",
+        "ssec-nix-shell-shebang": "command-ref/nix-shell.html#use-as-a--interpreter",
+        "nixref-queries": "command-ref/nix-store/query.html#queries",
+        "opt-add-root": "command-ref/nix-store/query.html#opt-add-root",
+        "refsec-nix-store-dump": "command-ref/nix-store/dump.html",
+        "refsec-nix-store-export": "command-ref/nix-store/export.html",
+        "refsec-nix-store-import": "command-ref/nix-store/import.html",
+        "refsec-nix-store-query": "command-ref/nix-store/query.html",
+        "refsec-nix-store-verify": "command-ref/nix-store/verify.html",
+        "rsec-nix-store-gc": "command-ref/nix-store/gc.html",
+        "rsec-nix-store-generate-binary-cache-key": "command-ref/nix-store/generate-binary-cache-key.html",
+        "rsec-nix-store-realise": "command-ref/nix-store/realise.html",
+        "rsec-nix-store-serve": "command-ref/nix-store/serve.html",
+        "sec-nix-store": "command-ref/nix-store.html",
+        "opt-I": "command-ref/opt-common.html#opt-I",
+        "opt-attr": "command-ref/opt-common.html#opt-attr",
+        "opt-common": "command-ref/opt-common.html",
+        "opt-cores": "command-ref/opt-common.html#opt-cores",
+        "opt-log-format": "command-ref/opt-common.html#opt-log-format",
+        "opt-max-jobs": "command-ref/opt-common.html#opt-max-jobs",
+        "opt-max-silent-time": "command-ref/opt-common.html#opt-max-silent-time",
+        "opt-timeout": "command-ref/opt-common.html#opt-timeout",
+        "sec-common-options": "command-ref/opt-common.html",
+        "ch-utilities": "command-ref/utilities.html",
+        "chap-hacking": "development/building.html",
+        "adv-attr-allowSubstitutes": "language/advanced-attributes.html#adv-attr-allowSubstitutes",
+        "adv-attr-allowedReferences": "language/advanced-attributes.html#adv-attr-allowedReferences",
+        "adv-attr-allowedRequisites": "language/advanced-attributes.html#adv-attr-allowedRequisites",
+        "adv-attr-disallowedReferences": "language/advanced-attributes.html#adv-attr-disallowedReferences",
+        "adv-attr-disallowedRequisites": "language/advanced-attributes.html#adv-attr-disallowedRequisites",
+        "adv-attr-exportReferencesGraph": "language/advanced-attributes.html#adv-attr-exportReferencesGraph",
+        "adv-attr-impureEnvVars": "language/advanced-attributes.html#adv-attr-impureEnvVars",
+        "adv-attr-outputHash": "language/advanced-attributes.html#adv-attr-outputHash",
+        "adv-attr-outputHashAlgo": "language/advanced-attributes.html#adv-attr-outputHashAlgo",
+        "adv-attr-outputHashMode": "language/advanced-attributes.html#adv-attr-outputHashMode",
+        "adv-attr-passAsFile": "language/advanced-attributes.html#adv-attr-passAsFile",
+        "adv-attr-preferLocalBuild": "language/advanced-attributes.html#adv-attr-preferLocalBuild",
+        "fixed-output-drvs": "language/advanced-attributes.html#adv-attr-outputHash",
+        "sec-advanced-attributes": "language/advanced-attributes.html",
+        "builtin-abort": "language/builtins.html#builtins-abort",
+        "builtin-add": "language/builtins.html#builtins-add",
+        "builtin-all": "language/builtins.html#builtins-all",
+        "builtin-any": "language/builtins.html#builtins-any",
+        "builtin-attrNames": "language/builtins.html#builtins-attrNames",
+        "builtin-attrValues": "language/builtins.html#builtins-attrValues",
+        "builtin-baseNameOf": "language/builtins.html#builtins-baseNameOf",
+        "builtin-bitAnd": "language/builtins.html#builtins-bitAnd",
+        "builtin-bitOr": "language/builtins.html#builtins-bitOr",
+        "builtin-bitXor": "language/builtins.html#builtins-bitXor",
+        "builtin-builtins": "language/builtins.html#builtins-builtins",
+        "builtin-compareVersions": "language/builtins.html#builtins-compareVersions",
+        "builtin-concatLists": "language/builtins.html#builtins-concatLists",
+        "builtin-concatStringsSep": "language/builtins.html#builtins-concatStringsSep",
+        "builtin-currentSystem": "language/builtins.html#builtins-currentSystem",
+        "builtin-deepSeq": "language/builtins.html#builtins-deepSeq",
+        "builtin-derivation": "language/builtins.html#builtins-derivation",
+        "builtin-dirOf": "language/builtins.html#builtins-dirOf",
+        "builtin-div": "language/builtins.html#builtins-div",
+        "builtin-elem": "language/builtins.html#builtins-elem",
+        "builtin-elemAt": "language/builtins.html#builtins-elemAt",
+        "builtin-fetchGit": "language/builtins.html#builtins-fetchGit",
+        "builtin-fetchTarball": "language/builtins.html#builtins-fetchTarball",
+        "builtin-fetchurl": "language/builtins.html#builtins-fetchurl",
+        "builtin-filterSource": "language/builtins.html#builtins-filterSource",
+        "builtin-foldl-prime": "language/builtins.html#builtins-foldl'",
+        "builtin-fromJSON": "language/builtins.html#builtins-fromJSON",
+        "builtin-functionArgs": "language/builtins.html#builtins-functionArgs",
+        "builtin-genList": "language/builtins.html#builtins-genList",
+        "builtin-getAttr": "language/builtins.html#builtins-getAttr",
+        "builtin-getEnv": "language/builtins.html#builtins-getEnv",
+        "builtin-hasAttr": "language/builtins.html#builtins-hasAttr",
+        "builtin-hashFile": "language/builtins.html#builtins-hashFile",
+        "builtin-hashString": "language/builtins.html#builtins-hashString",
+        "builtin-head": "language/builtins.html#builtins-head",
+        "builtin-import": "language/builtins.html#builtins-import",
+        "builtin-intersectAttrs": "language/builtins.html#builtins-intersectAttrs",
+        "builtin-isAttrs": "language/builtins.html#builtins-isAttrs",
+        "builtin-isBool": "language/builtins.html#builtins-isBool",
+        "builtin-isFloat": "language/builtins.html#builtins-isFloat",
+        "builtin-isFunction": "language/builtins.html#builtins-isFunction",
+        "builtin-isInt": "language/builtins.html#builtins-isInt",
+        "builtin-isList": "language/builtins.html#builtins-isList",
+        "builtin-isNull": "language/builtins.html#builtins-isNull",
+        "builtin-isString": "language/builtins.html#builtins-isString",
+        "builtin-length": "language/builtins.html#builtins-length",
+        "builtin-lessThan": "language/builtins.html#builtins-lessThan",
+        "builtin-listToAttrs": "language/builtins.html#builtins-listToAttrs",
+        "builtin-map": "language/builtins.html#builtins-map",
+        "builtin-match": "language/builtins.html#builtins-match",
+        "builtin-mul": "language/builtins.html#builtins-mul",
+        "builtin-parseDrvName": "language/builtins.html#builtins-parseDrvName",
+        "builtin-path": "language/builtins.html#builtins-path",
+        "builtin-pathExists": "language/builtins.html#builtins-pathExists",
+        "builtin-placeholder": "language/builtins.html#builtins-placeholder",
+        "builtin-readDir": "language/builtins.html#builtins-readDir",
+        "builtin-readFile": "language/builtins.html#builtins-readFile",
+        "builtin-removeAttrs": "language/builtins.html#builtins-removeAttrs",
+        "builtin-replaceStrings": "language/builtins.html#builtins-replaceStrings",
+        "builtin-seq": "language/builtins.html#builtins-seq",
+        "builtin-sort": "language/builtins.html#builtins-sort",
+        "builtin-split": "language/builtins.html#builtins-split",
+        "builtin-splitVersion": "language/builtins.html#builtins-splitVersion",
+        "builtin-stringLength": "language/builtins.html#builtins-stringLength",
+        "builtin-sub": "language/builtins.html#builtins-sub",
+        "builtin-substring": "language/builtins.html#builtins-substring",
+        "builtin-tail": "language/builtins.html#builtins-tail",
+        "builtin-throw": "language/builtins.html#builtins-throw",
+        "builtin-toFile": "language/builtins.html#builtins-toFile",
+        "builtin-toJSON": "language/builtins.html#builtins-toJSON",
+        "builtin-toPath": "language/builtins.html#builtins-toPath",
+        "builtin-toString": "language/builtins.html#builtins-toString",
+        "builtin-toXML": "language/builtins.html#builtins-toXML",
+        "builtin-trace": "language/builtins.html#builtins-trace",
+        "builtin-tryEval": "language/builtins.html#builtins-tryEval",
+        "builtin-typeOf": "language/builtins.html#builtins-typeOf",
+        "ssec-builtins": "language/builtins.html",
+        "attr-system": "language/derivations.html#attr-system",
+        "ssec-derivation": "language/derivations.html",
+        "ch-expression-language": "language/index.html",
+        "sec-constructs": "language/syntax.html",
+        "sect-let-language": "language/syntax.html#let-expressions",
+        "ss-functions": "language/syntax.html#functions",
+        "sec-language-operators": "language/operators.html",
+        "table-operators": "language/operators.html",
+        "ssec-values": "language/types.html",
+        "gloss-closure": "glossary.html#gloss-closure",
+        "gloss-derivation": "glossary.html#gloss-derivation",
+        "gloss-deriver": "glossary.html#gloss-deriver",
+        "gloss-nar": "glossary.html#gloss-nar",
+        "gloss-output-path": "glossary.html#gloss-output-path",
+        "gloss-profile": "glossary.html#gloss-profile",
+        "gloss-reachable": "glossary.html#gloss-reachable",
+        "gloss-reference": "glossary.html#gloss-reference",
+        "gloss-substitute": "glossary.html#gloss-substitute",
+        "gloss-user-env": "glossary.html#gloss-user-env",
+        "gloss-validity": "glossary.html#gloss-validity",
+        "part-glossary": "glossary.html",
+        "sec-building-source": "installation/building-source.html",
+        "ch-env-variables": "installation/env-variables.html",
+        "sec-installer-proxy-settings": "installation/env-variables.html#proxy-environment-variables",
+        "sec-nix-ssl-cert-file": "installation/env-variables.html#nix_ssl_cert_file",
+        "sec-nix-ssl-cert-file-with-nix-daemon-and-macos": "installation/env-variables.html#nix_ssl_cert_file",
+        "chap-installation": "installation/index.html",
+        "ch-installing-binary": "installation/installing-binary.html",
+        "sect-macos-installation": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-change-store-prefix": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-encrypted-volume": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-recommended-notes": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-symlink": "installation/installing-binary.html#macos-installation",
+        "sect-multi-user-installation": "installation/installing-binary.html#multi-user-installation",
+        "sect-nix-install-binary-tarball": "installation/installing-binary.html#installing-from-a-binary-tarball",
+        "sect-nix-install-pinned-version-url":
+            "installation/installing-binary.html#installing-a-pinned-nix-version-from-a-url",
+        "sect-single-user-installation": "installation/installing-binary.html#single-user-installation",
+        "ch-installing-source": "installation/installing-source.html",
+        "ssec-multi-user": "installation/multi-user.html",
+        "ch-nix-security": "installation/nix-security.html",
+        "sec-obtaining-source": "installation/obtaining-source.html",
+        "sec-prerequisites-source": "installation/prerequisites-source.html",
+        "sec-single-user": "installation/single-user.html",
+        "ch-supported-platforms": "installation/supported-platforms.html",
+        "ch-upgrading-nix": "installation/upgrading.html",
+        "ch-about-nix": "introduction.html",
+        "chap-introduction": "introduction.html",
+        "ch-basic-package-mgmt": "package-management/index.html",
+        "ssec-binary-cache-substituter": "package-management/binary-cache-substituter.html",
+        "sec-channels": "command-ref/nix-channel.html",
+        "ssec-copy-closure": "command-ref/nix-copy-closure.html",
+        "sec-garbage-collection": "package-management/garbage-collection.html",
+        "ssec-gc-roots": "package-management/garbage-collector-roots.html",
+        "chap-package-management": "package-management/index.html",
+        "sec-profiles": "package-management/profiles.html",
+        "ssec-s3-substituter": "store/types/s3-binary-cache-store.html",
+        "ssec-s3-substituter-anonymous-reads":
+            "store/types/s3-binary-cache-store.html#anonymous-reads-to-your-s3-compatible-binary-cache",
+        "ssec-s3-substituter-authenticated-reads":
+            "store/types/s3-binary-cache-store.html#authenticated-reads-to-your-s3-binary-cache",
+        "ssec-s3-substituter-authenticated-writes":
+            "store/types/s3-binary-cache-store.html#authenticated-writes-to-your-s3-compatible-binary-cache",
+        "sec-sharing-packages": "package-management/sharing-packages.html",
+        "ssec-ssh-substituter": "package-management/ssh-substituter.html",
+        "chap-quick-start": "quick-start.html",
+        "sec-relnotes": "release-notes/index.html",
+        "ch-relnotes-0.10.1": "release-notes/rl-0.10.1.html",
+        "ch-relnotes-0.10": "release-notes/rl-0.10.html",
+        "ssec-relnotes-0.11": "release-notes/rl-0.11.html",
+        "ssec-relnotes-0.12": "release-notes/rl-0.12.html",
+        "ssec-relnotes-0.13": "release-notes/rl-0.13.html",
+        "ssec-relnotes-0.14": "release-notes/rl-0.14.html",
+        "ssec-relnotes-0.15": "release-notes/rl-0.15.html",
+        "ssec-relnotes-0.16": "release-notes/rl-0.16.html",
+        "ch-relnotes-0.5": "release-notes/rl-0.5.html",
+        "ch-relnotes-0.6": "release-notes/rl-0.6.html",
+        "ch-relnotes-0.7": "release-notes/rl-0.7.html",
+        "ch-relnotes-0.8.1": "release-notes/rl-0.8.1.html",
+        "ch-relnotes-0.8": "release-notes/rl-0.8.html",
+        "ch-relnotes-0.9.1": "release-notes/rl-0.9.1.html",
+        "ch-relnotes-0.9.2": "release-notes/rl-0.9.2.html",
+        "ch-relnotes-0.9": "release-notes/rl-0.9.html",
+        "ssec-relnotes-1.0": "release-notes/rl-1.0.html",
+        "ssec-relnotes-1.1": "release-notes/rl-1.1.html",
+        "ssec-relnotes-1.10": "release-notes/rl-1.10.html",
+        "ssec-relnotes-1.11.10": "release-notes/rl-1.11.10.html",
+        "ssec-relnotes-1.11": "release-notes/rl-1.11.html",
+        "ssec-relnotes-1.2": "release-notes/rl-1.2.html",
+        "ssec-relnotes-1.3": "release-notes/rl-1.3.html",
+        "ssec-relnotes-1.4": "release-notes/rl-1.4.html",
+        "ssec-relnotes-1.5.1": "release-notes/rl-1.5.html",
+        "ssec-relnotes-1.5.2": "release-notes/rl-1.5.2.html",
+        "ssec-relnotes-1.5": "release-notes/rl-1.5.html",
+        "ssec-relnotes-1.6.1": "release-notes/rl-1.6.1.html",
+        "ssec-relnotes-1.6.0": "release-notes/rl-1.6.html",
+        "ssec-relnotes-1.7": "release-notes/rl-1.7.html",
+        "ssec-relnotes-1.8": "release-notes/rl-1.8.html",
+        "ssec-relnotes-1.9": "release-notes/rl-1.9.html",
+        "ssec-relnotes-2.0": "release-notes/rl-2.0.html",
+        "ssec-relnotes-2.1": "release-notes/rl-2.1.html",
+        "ssec-relnotes-2.2": "release-notes/rl-2.2.html",
+        "ssec-relnotes-2.3": "release-notes/rl-2.3.html"
+    },
+    "language/types.html": {
+        "simple-values": "#primitives",
+        "lists": "#type-list",
+        "strings": "#type-string",
+        "attribute-sets": "#type-attrs",
+        "type-number": "#type-int"
+    },
+    "language/syntax.html": {
+        "scoping-rules": "scope.html",
+        "string-literal": "string-literals.html"
+    },
+    "language/derivations.html": {
+        "builder-execution": "../store/building.html#builder-execution"
+    },
+    "installation/installing-binary.html": {
+        "linux": "uninstall.html#linux",
+        "macos": "uninstall.html#macos",
+        "uninstalling": "uninstall.html"
+    },
+    "development/building.html": {
+        "nix-with-flakes": "#building-nix-with-flakes",
+        "classic-nix": "#building-nix",
+        "running-tests": "testing.html#running-tests",
+        "unit-tests": "testing.html#unit-tests",
+        "functional-tests": "testing.html#functional-tests",
+        "debugging-failing-functional-tests": "testing.html#debugging-failing-functional-tests",
+        "integration-tests": "testing.html#integration-tests",
+        "installer-tests": "testing.html#installer-tests",
+        "one-time-setup": "testing.html#one-time-setup",
+        "using-the-ci-generated-installer-for-manual-testing":
+            "testing.html#using-the-ci-generated-installer-for-manual-testing",
+        "characterization-testing": "testing.html#characterisation-testing-unit",
+        "add-a-release-note": "contributing.html#add-a-release-note",
+        "add-an-entry": "contributing.html#add-an-entry",
+        "build-process": "contributing.html#build-process",
+        "reverting": "contributing.html#reverting",
+        "branches": "contributing.html#branches"
+    },
+    "glossary.html": {
+        "gloss-local-store": "store/types/local-store.html",
+        "package-attribute-set": "#package",
+        "gloss-chroot-store": "store/types/local-store.html",
+        "gloss-content-addressed-derivation": "#gloss-content-addressing-derivation"
+    }
+}

doc/manual/render-manpage.sh

@@ -1,25 +1,55 @@
 #!/usr/bin/env bash
+#
+# Standalone manpage renderer that doesn't require mdbook.
+# Uses expand-includes.py to preprocess markdown, then lowdown to generate manpages.
 
 set -euo pipefail
 
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
 lowdown_args=
 
+# Optional --out-no-smarty flag for compatibility with nix_nested_manpages
 if [ "$1" = --out-no-smarty ]; then
     lowdown_args=--out-no-smarty
     shift
 fi
 
-[ "$#" = 4 ] || {
-    echo "wrong number of args passed" >&2
+[ "$#" = 7 ] || {
+    cat >&2 <<EOF
+Usage: $0 [--out-no-smarty] <title> <section> <source-root> <generated-root> <doc-url> <infile> <outfile>
+
+Arguments:
+  title           - Manpage title (e.g., "nix-env --install")
+  section         - Manpage section number (1, 5, 8, etc.)
+  source-root     - Root directory of markdown sources
+  generated-root  - Root directory of generated markdown files
+  doc-url         - Base URL for documentation links
+  infile          - Input markdown file (relative to build directory)
+  outfile         - Output manpage file
+
+Examples:
+  $0 "nix-store --query" 1 doc/manual/source build/doc/manual/source \\
+     https://nix.dev/manual/nix/latest \\
+     build/doc/manual/source/command-ref/nix-store/query.md nix-store-query.1
+EOF
     exit 1
 }
 
 title="$1"
 section="$2"
-infile="$3"
-outfile="$4"
+source_root="$3"
+generated_root="$4"
+doc_url="$5"
+infile="$6"
+outfile="$7"
 
+# Expand includes and pipe to lowdown
 (
     printf "Title: %s\n\n" "$title"
-    cat "$infile"
+    python3 "$script_dir/expand-includes.py" \
+        --source-root "$source_root" \
+        --generated-root "$generated_root" \
+        --doc-url "$doc_url" \
+        "$infile"
 ) | lowdown -sT man --nroff-nolinks $lowdown_args -M section="$section" -o "$outfile"

doc/manual/rl-next/beta-installer

@@ -0,0 +1,29 @@
+---
+synopsis: "Rust nix-installer in beta"
+prs: []
+---
+
+The Rust-based rewrite of the Nix installer is now in beta.
+We'd love help testing it out!
+
+To test out the new installer, run:
+```
+curl -sSfL https://artifacts.nixos.org/nix-installer | sh -s -- install
+```
+
+This installer can be run even when you have an existing, script-based Nix installation without any adjustments.
+
+This new installer also comes with the ability to uninstall your Nix installation; run:
+```
+/nix/nix-installer uninstall
+```
+
+This will get rid of your entire Nix installation (even if you installed over an existing, script-based installation).
+
+This installer is a modified version of the [Determinate Nix Installer](https://github.com/DeterminateSystems/nix-installer) by Determinate Systems.
+Thanks to Determinate Systems for all the investment they've put into the installer.
+
+Source for the installer is in https://github.com/NixOS/nix-installer.
+Report any issues in that repo.
+
+For CI usage, a GitHub Action to install Nix using this installer is available at https://github.com/NixOS/nix-installer-action.

doc/manual/rl-next/c-api-new-store-methods.md

@@ -0,0 +1,9 @@
+---
+synopsis: "C API: New store API methods"
+prs: [14766]
+---
+
+The C API now includes additional methods:
+
+- `nix_store_query_path_from_hash_part()` - Get the full store path given its hash part
+- `nix_store_copy_path()` - Copy a single store path between two stores, allows repairs and configuring signature checking

doc/manual/rl-next/ignore-gc-delete-failure.md

@@ -0,0 +1,10 @@
+---
+synopsis: "New setting `ignore-gc-delete-failure` for local stores"
+prs: [15054]
+---
+
+A new local store setting [`ignore-gc-delete-failure`](@docroot@/store/types/local-store.md#store-local-store-ignore-gc-delete-failure) has been added.
+When enabled, garbage collection will log warnings instead of failing when it cannot delete store paths.
+This is useful when running Nix as an unprivileged user that may not have write access to all paths in the store.
+
+This setting is experimental and requires the [`local-overlay-store`](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store) experimental feature.

doc/manual/rl-next/mtls-substituter.md

@@ -0,0 +1,15 @@
+---
+synopsis: Support HTTPS binary caches using mTLS (client certificate) authentication
+issues: [13002]
+prs: [13030]
+---
+
+Added support for `tls-certificate` and `tls-private-key` options in substituter URLs.
+
+Example:
+
+```
+https://substituter.invalid?tls-certificate=/path/to/cert.pem&tls-private-key=/path/to/key.pem
+```
+
+When these options are configured, Nix will use this certificate/private key pair to authenticate to the server.

doc/manual/rl-next/outpath-and-sourceinfo-fixes.md

@@ -1,17 +0,0 @@
----
-synopsis: Non-flake inputs now contain a `sourceInfo` attribute
-issues: 13164
-prs: 13170
----
-
-Flakes have always a `sourceInfo` attribute which describes the source of the flake.
-The `sourceInfo.outPath` is often identical to the flake's `outPath`, however it can differ when the flake is located in a subdirectory of its source.
-
-Non-flake inputs (i.e. inputs with `flake = false`) can also be located at some path _within_ a wider source.
-This usually happens when defining a relative path input within the same source as the parent flake, e.g. `inputs.foo.url = ./some-file.nix`.
-Such relative inputs will now inherit their parent's `sourceInfo`.
-
-This also means it is now possible to use `?dir=subdir` on non-flake inputs.
-
-This iterates on the work done in 2.26 to improve relative path support ([#10089](https://github.com/NixOS/nix/pull/10089)),
-and resolves a regression introduced in 2.28 relating to nested relative path inputs ([#13164](https://github.com/NixOS/nix/issues/13164)).

doc/manual/rl-next/revert-77.md

@@ -1,17 +0,0 @@
----
-synopsis: Revert incomplete closure mixed download and build feature
-issues: [77, 12628]
-prs: [13176]
----
-
-Since Nix 1.3 (299141ecbd08bae17013226dbeae71e842b4fdd7 in 2013) Nix has attempted to mix together upstream fresh builds and downstream substitutions when remote substuters contain an "incomplete closure" (have some store objects, but not the store objects they reference).
-This feature is now removed.
-
-Worst case, removing this feature could cause more building downstream, but it should not cause outright failures, since this is not happening for opaque store objects that we don't know how to build if we decide not to substitute.
-In practice, however, we doubt even the more building is very likely to happen.
-Remote stores that are missing dependencies in arbitrary ways (e.g. corruption) don't seem to be very common.
-
-On the contrary, when remote stores fail to implement the [closure property](@docroot@/store/store-object.md#closure-property), it is usually an *intentional* choice on the part of the remote store, because it wishes to serve as an "overlay" store over another store, such as `https://cache.nixos.org`.
-If an "incomplete closure" is encountered in that situation, the right fix is not to do some sort of "franken-building" as this feature implemented, but instead to make sure both substituters are enabled in the settings.
-
-(In the future, we should make it easier for remote stores to indicate this to clients, to catch settings that won't work in general before a missing dependency is actually encountered.)

doc/manual/rl-next/roots-daemon.md

@@ -0,0 +1,11 @@
+---
+synopsis: New command `nix store roots-daemon` for serving GC roots
+prs: [15143]
+---
+
+New command [`nix store roots-daemon`](@docroot@/command-ref/new-cli/nix3-store-roots-daemon.md) runs a daemon that serves garbage collector roots over a Unix domain socket.
+It enables the garbage collector to discover runtime roots when the main Nix daemon doesn't have `CAP_SYS_PTRACE` capability and therefore cannot scan `/proc`.
+
+The garbage collector can be configured to use this daemon via the [`use-roots-daemon`](@docroot@/store/types/local-store.md#store-experimental-option-use-roots-daemon) store setting.
+
+This feature requires the [`local-overlay-store` experimental feature](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store).

doc/manual/rl-next/s3-virtual-hosted-style.md

@@ -0,0 +1,32 @@
+---
+synopsis: S3 binary caches now use virtual-hosted-style addressing by default
+issues: [15208]
+---
+
+S3 binary caches now use virtual-hosted-style URLs
+(`https://bucket.s3.region.amazonaws.com/key`) instead of path-style URLs
+(`https://s3.region.amazonaws.com/bucket/key`) when connecting to standard AWS
+S3 endpoints. This enables HTTP/2 multiplexing and fixes TCP connection
+exhaustion (TIME_WAIT socket accumulation) under high-concurrency workloads.
+
+A new `addressing-style` store option controls this behavior:
+
+- `auto` (default): virtual-hosted-style for standard AWS endpoints, path-style
+  for custom endpoints.
+- `path`: forces path-style addressing (deprecated by AWS).
+- `virtual`: forces virtual-hosted-style addressing (bucket names must not
+  contain dots).
+
+Bucket names containing dots (e.g., `my.bucket.name`) automatically fall back
+to path-style addressing in `auto` mode, because dotted names create
+multi-level subdomains that break TLS wildcard certificate validation.
+
+Example using path-style for backwards compatibility:
+
+```
+s3://my-bucket/key?region=us-east-1&addressing-style=path
+```
+
+Additionally, TCP keep-alive is now enabled on all HTTP connections, preventing
+idle connections from being silently dropped by intermediate network devices
+(NATs, firewalls, load balancers).

doc/manual/source/SUMMARY.md.in

@@ -26,9 +26,13 @@
     - [Derivation Outputs and Types of Derivations](store/derivation/outputs/index.md)
       - [Content-addressing derivation outputs](store/derivation/outputs/content-address.md)
       - [Input-addressing derivation outputs](store/derivation/outputs/input-address.md)
+  - [Build Trace](store/build-trace.md)
+  - [Derivation Resolution](store/resolution.md)
   - [Building](store/building.md)
+  - [Secrets](store/secrets.md)
   - [Store Types](store/types/index.md)
 {{#include ./store/types/SUMMARY.md}}
+  - [Appendix: Math notation](store/math-notation.md)
 - [Nix Language](language/index.md)
   - [Data Types](language/types.md)
     - [String context](language/string-context.md)
@@ -57,6 +61,7 @@
   - [Tuning Cores and Jobs](advanced-topics/cores-vs-jobs.md)
   - [Verifying Build Reproducibility](advanced-topics/diff-hook.md)
   - [Using the `post-build-hook`](advanced-topics/post-build-hook.md)
+  - [Evaluation profiler](advanced-topics/eval-profiler.md)
 - [Command Reference](command-ref/index.md)
   - [Common Options](command-ref/opt-common.md)
   - [Common Environment Variables](command-ref/env-common.md)
@@ -116,17 +121,29 @@
 - [Architecture and Design](architecture/architecture.md)
 - [Formats and Protocols](protocols/index.md)
   - [JSON Formats](protocols/json/index.md)
+    - [File System Object](protocols/json/file-system-object.md)
+    - [Hash](protocols/json/hash.md)
+    - [Content Address](protocols/json/content-address.md)
+    - [Store Path](protocols/json/store-path.md)
     - [Store Object Info](protocols/json/store-object-info.md)
-    - [Derivation](protocols/json/derivation.md)
+    - [Derivation](protocols/json/derivation/index.md)
+      - [Derivation Options](protocols/json/derivation/options.md)
+    - [Deriving Path](protocols/json/deriving-path.md)
+    - [Build Trace Entry](protocols/json/build-trace-entry.md)
+    - [Build Result](protocols/json/build-result.md)
+    - [Store](protocols/json/store.md)
   - [Serving Tarball Flakes](protocols/tarball-fetcher.md)
   - [Store Path Specification](protocols/store-path.md)
-  - [Nix Archive (NAR) Format](protocols/nix-archive.md)
+  - [Nix Archive (NAR) Format](protocols/nix-archive/index.md)
+  - [Nix Cache Info Format](protocols/nix-cache-info.md)
   - [Derivation "ATerm" file format](protocols/derivation-aterm.md)
+  - [Nix32 Encoding](protocols/nix32.md)
 - [C API](c-api.md)
 - [Glossary](glossary.md)
 - [Development](development/index.md)
   - [Building](development/building.md)
   - [Testing](development/testing.md)
+  - [Benchmarking](development/benchmarking.md)
   - [Debugging](development/debugging.md)
   - [Documentation](development/documentation.md)
   - [CLI guideline](development/cli-guideline.md)
@@ -136,6 +153,10 @@
   - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
+  - [Release 2.33 (2025-12-09)](release-notes/rl-2.33.md)
+  - [Release 2.32 (2025-10-06)](release-notes/rl-2.32.md)
+  - [Release 2.31 (2025-08-21)](release-notes/rl-2.31.md)
+  - [Release 2.30 (2025-07-07)](release-notes/rl-2.30.md)
   - [Release 2.29 (2025-05-14)](release-notes/rl-2.29.md)
   - [Release 2.28 (2025-04-02)](release-notes/rl-2.28.md)
   - [Release 2.27 (2025-03-03)](release-notes/rl-2.27.md)

doc/manual/source/advanced-topics/eval-profiler.md

@@ -0,0 +1,33 @@
+# Using the `eval-profiler`
+
+Nix evaluator supports [evaluation](@docroot@/language/evaluation.md)
+[profiling](<https://en.wikipedia.org/wiki/Profiling_(computer_programming)>)
+compatible with `flamegraph.pl`. The profiler samples the nix
+function call stack at regular intervals. It can be enabled with the
+[`eval-profiler`](@docroot@/command-ref/conf-file.md#conf-eval-profiler)
+setting:
+
+```console
+$ nix-instantiate "<nixpkgs>" -A hello --eval-profiler flamegraph
+```
+
+Stack sampling frequency and the output file path can be configured with
+[`eval-profile-file`](@docroot@/command-ref/conf-file.md#conf-eval-profile-file)
+and [`eval-profiler-frequency`](@docroot@/command-ref/conf-file.md#conf-eval-profiler-frequency).
+By default the collected profile is saved to `nix.profile` file in the current working directory.
+
+The collected profile can be directly consumed by `flamegraph.pl`:
+
+```console
+$ flamegraph.pl nix.profile > flamegraph.svg
+```
+
+The line information in the profile contains the location of the [call
+site](https://en.wikipedia.org/wiki/Call_site) position and the name of the
+function being called (when available). For example:
+
+```
+/nix/store/2q71fdvr4h33g9832hiriwnf20fn630l-source/pkgs/top-level/default.nix:167:5:primop import
+```
+
+Here `import` primop is called at `/nix/store/2q71fdvr4h33g9832hiriwnf20fn630l-source/pkgs/top-level/default.nix:167:5`.

doc/manual/source/command-ref/env-common.md

@@ -57,11 +57,6 @@ Most Nix commands interpret the following environment variables:
 
   Overrides the location of the Nix store (default `prefix/store`).
 
-- <span id="env-NIX_DATA_DIR">[`NIX_DATA_DIR`](#env-NIX_DATA_DIR)</span>
-
-  Overrides the location of the Nix static data directory (default
-  `prefix/share`).
-
 - <span id="env-NIX_LOG_DIR">[`NIX_LOG_DIR`](#env-NIX_LOG_DIR)</span>
 
   Overrides the location of the Nix log directory (default
@@ -75,7 +70,7 @@ Most Nix commands interpret the following environment variables:
 - <span id="env-NIX_CONF_DIR">[`NIX_CONF_DIR`](#env-NIX_CONF_DIR)</span>
 
   Overrides the location of the system Nix configuration directory
-  (default `prefix/etc/nix`).
+  (default `sysconfdir/nix`, i.e. `/etc/nix` on most systems).
 
 - <span id="env-NIX_CONFIG">[`NIX_CONFIG`](#env-NIX_CONFIG)</span>
 

doc/manual/source/command-ref/files/default-nix-expression.md

@@ -39,11 +39,11 @@ This makes all subscribed channels available as attributes in the default expres
 A symlink that ensures that [`nix-env`] can find the current user's [channels]:
 
 - `~/.nix-defexpr/channels`
-- `$XDG_STATE_HOME/defexpr/channels` if [`use-xdg-base-directories`] is set to `true`.
+- `$XDG_STATE_HOME/nix/defexpr/channels` if [`use-xdg-base-directories`] is set to `true`.
 
 This symlink points to:
 
-- `$XDG_STATE_HOME/profiles/channels` for regular users
+- `$XDG_STATE_HOME/nix/profiles/channels` for regular users
 - `$NIX_STATE_DIR/profiles/per-user/root/channels` for `root`
 
 In a multi-user installation, you may also have `~/.nix-defexpr/channels_root`, which links to the channels of the root user.

doc/manual/source/command-ref/files/manifest.nix.md

@@ -114,9 +114,9 @@ Here is an example of how this file might look like after installing `hello` fro
   };
   name = "hello-2.12.1";
   out = {
-    outPath = "/nix/store/260q5867crm1xjs4khgqpl6vr9kywql1-hello-2.12.1";
+    outPath = "/nix/store/src1vzij2z0slnakrsbpqpk20389z0k6-hello-2.12.1";
   };
-  outPath = "/nix/store/260q5867crm1xjs4khgqpl6vr9kywql1-hello-2.12.1";
+  outPath = "/nix/store/src1vzij2z0slnakrsbpqpk20389z0k6-hello-2.12.1";
   outputs = [ "out" ];
   system = "x86_64-linux";
   type = "derivation";

doc/manual/source/command-ref/files/profiles.md

@@ -37,13 +37,13 @@ dr-xr-xr-x 4 root root 4096 Jan  1  1970 share
 
 /home/eelco/.local/state/nix/profiles/profile-7-link/bin:
 total 20
-lrwxrwxrwx 5 root root 79 Jan  1  1970 chromium -> /nix/store/ijm5k0zqisvkdwjkc77mb9qzb35xfi4m-chromium-86.0.4240.111/bin/chromium
+lrwxrwxrwx 5 root root 79 Jan  1  1970 chromium -> /nix/store/cyxny9d1zjb9l9103fr6j6kavp3bqjxf-chromium-86.0.4240.111/bin/chromium
 lrwxrwxrwx 7 root root 87 Jan  1  1970 spotify -> /nix/store/w9182874m1bl56smps3m5zjj36jhp3rn-spotify-1.1.26.501.gbe11e53b-15/bin/spotify
 lrwxrwxrwx 3 root root 79 Jan  1  1970 zoom-us -> /nix/store/wbhg2ga8f3h87s9h5k0slxk0m81m4cxl-zoom-us-5.3.469451.0927/bin/zoom-us
 
 /home/eelco/.local/state/nix/profiles/profile-7-link/share/applications:
 total 12
-lrwxrwxrwx 4 root root 120 Jan  1  1970 chromium-browser.desktop -> /nix/store/4cf803y4vzfm3gyk3vzhzb2327v0kl8a-chromium-unwrapped-86.0.4240.111/share/applications/chromium-browser.desktop
+lrwxrwxrwx 4 root root 120 Jan  1  1970 chromium-browser.desktop -> /nix/store/sqzyx2l85i6j2a77pnyvglh3bvzwmjjp-chromium-unwrapped-86.0.4240.111/share/applications/chromium-browser.desktop
 lrwxrwxrwx 7 root root 110 Jan  1  1970 spotify.desktop -> /nix/store/w9182874m1bl56smps3m5zjj36jhp3rn-spotify-1.1.26.501.gbe11e53b-15/share/applications/spotify.desktop
 lrwxrwxrwx 3 root root 107 Jan  1  1970 us.zoom.Zoom.desktop -> /nix/store/wbhg2ga8f3h87s9h5k0slxk0m81m4cxl-zoom-us-5.3.469451.0927/share/applications/us.zoom.Zoom.desktop
 

doc/manual/source/command-ref/meson.build

@@ -1,13 +1,13 @@
 xp_features_json = custom_target(
-  command : [nix, '__dump-xp-features'],
+  command : [ nix, '__dump-xp-features' ],
   capture : true,
   output : 'xp-features.json',
+  env : nix_env_for_docs,
 )
 
 experimental_features_shortlist_md = custom_target(
   command : nix_eval_for_docs + [
-    '--expr',
-    'import @INPUT0@ (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+    '--expr', 'import @INPUT0@ (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
   ],
   input : [
     '../../generate-xp-features-shortlist.nix',
@@ -19,14 +19,8 @@ experimental_features_shortlist_md = custom_target(
 )
 
 nix3_cli_files = custom_target(
-  command : [
-    python.full_path(),
-    '@INPUT0@',
-    '@OUTPUT@',
-    '--'
-  ] + nix_eval_for_docs + [
-    '--expr',
-    'import @INPUT1@ true (builtins.readFile ./@INPUT2@)',
+  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
+    '--expr', 'import @INPUT1@ true (builtins.readFile ./@INPUT2@)',
   ],
   input : [
     '../../remove_before_wrapper.py',
@@ -40,8 +34,7 @@ nix3_cli_files = custom_target(
 conf_file_md_body = custom_target(
   command : [
     nix_eval_for_docs,
-    '--expr',
-    'import @INPUT0@ { prefix = "conf"; } (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+    '--expr', 'import @INPUT0@ { prefix = "conf"; } (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
   ],
   capture : true,
   input : [

doc/manual/source/command-ref/nix-build.md

@@ -36,7 +36,7 @@ to a temporary location. The tarball must include a single top-level
 directory containing at least a file named `default.nix`.
 
 `nix-build` is essentially a wrapper around
-[`nix-instantiate`](nix-instantiate.md) (to translate a high-level Nix
+[`nix-instantiate`](./nix-instantiate.md) (to translate a high-level Nix
 expression to a low-level [store derivation]) and [`nix-store
 --realise`](@docroot@/command-ref/nix-store/realise.md) (to build the store
 derivation).
@@ -52,8 +52,8 @@ derivation).
 # Options
 
 All options not listed here are passed to
-[`nix-store --realise`](nix-store/realise.md),
-except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](nix-instantiate.md).
+[`nix-store --realise`](./nix-store/realise.md),
+except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](./nix-instantiate.md).
 
 - <span id="opt-no-out-link">[`--no-out-link`](#opt-no-out-link)<span>
 

doc/manual/source/command-ref/nix-channel.md

@@ -11,10 +11,10 @@
 Channels are a mechanism for referencing remote Nix expressions and conveniently retrieving their latest version.
 
 The moving parts of channels are:
-- The official channels listed at <https://nixos.org/channels>
+- The official channels listed at <https://channels.nixos.org>
 - The user-specific list of [subscribed channels](#subscribed-channels)
 - The [downloaded channel contents](#channels)
-- The [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path), set with the [`-I` option](#opt-i) or the [`NIX_PATH` environment variable](#env-NIX_PATH)
+- The [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path), set with the [`-I` option](#opt-I) or the [`NIX_PATH` environment variable](#env-NIX_PATH)
 
 > **Note**
 >
@@ -53,6 +53,11 @@ This command has the following operations:
   Download the Nix expressions of subscribed channels and create a new generation.
   Update all channels if none is specified, and only those included in *names* otherwise.
 
+  > **Note**
+  >
+  > Downloaded channel contents are cached.
+  > Use `--tarball-ttl` or the [`tarball-ttl` configuration option](@docroot@/command-ref/conf-file.md#conf-tarball-ttl) to change the validity period of cached downloads.
+
 - `--list-generations`
 
   Prints a list of all the current existing generations for the
@@ -83,9 +88,9 @@ This command has the following operations:
 Subscribe to the Nixpkgs channel and run `hello` from the GNU Hello package:
 
 ```console
-$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+$ nix-channel --add https://channels.nixos.org/nixpkgs-unstable
 $ nix-channel --list
-nixpkgs https://nixos.org/channels/nixpkgs
+nixpkgs https://channels.nixos.org/nixpkgs
 $ nix-channel --update
 $ nix-shell -p hello --run hello
 hello

doc/manual/source/command-ref/nix-copy-closure.md

@@ -72,11 +72,11 @@ When using public key authentication, you can avoid typing the passphrase with `
 > $ storePath="$(nix-build '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello --no-out-link)"
 > $ nix-copy-closure --to alice@itchy.example.org "$storePath"
 > copying 5 paths...
-> copying path '/nix/store/nrwkk6ak3rgkrxbqhsscb01jpzmslf2r-xgcc-13.2.0-libgcc' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/gm61h1y42pqyl6178g90x8zm22n6pyy5-libunistring-1.1' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/ddfzjdykw67s20c35i7a6624by3iz5jv-libidn2-2.3.7' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/apab5i73dqa09wx0q27b6fbhd1r18ihl-glibc-2.39-31' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/g1n2vryg06amvcc1avb2mcq36faly0mh-hello-2.12.1' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/h6q8sqsqfbd3252f9gixqn3z282wds7m-xgcc-13.2.0-libgcc' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/imnwvn96lw355giswsk36hx105j4wnpj-libunistring-1.1' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/85301indj7scg34spnfczkz72jgv8wa9-libidn2-2.3.7' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/ypwfsaljwhzw9iffiysxmxnhjj8v7np0-glibc-2.39-31' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/0dklv59zppdsqdvgf0qdvjgzcs5wbwxa-hello-2.12.1' to 'ssh://alice@itchy.example.org'...
 > ```
 
 > **Example**

doc/manual/source/command-ref/nix-env/install.md

@@ -204,7 +204,7 @@ To install a specific [store derivation] (typically created by
 `nix-instantiate`):
 
 ```console
-$ nix-env --install /nix/store/fibjb1bfbpm5mrsxc4mh2d8n37sxh91i-gcc-3.4.3.drv
+$ nix-env --install /nix/store/8la6y31fmm6i4wfmby6avly1wf718xnj-gcc-3.4.3.drv
 ```
 
 To install a specific output path:
@@ -232,7 +232,7 @@ $ nix-env --file '<nixpkgs>' --install --attr hello --dry-run
 (dry run; not doing anything)
 installing ‘hello-2.10’
 this path will be fetched (0.04 MiB download, 0.19 MiB unpacked):
-  /nix/store/wkhdf9jinag5750mqlax6z2zbwhqb76n-hello-2.10
+  /nix/store/ikwkxz4wwlp2g1428n7dy729cg1d9hin-hello-2.10
   ...
 ```
 

doc/manual/source/command-ref/nix-env/upgrade.md

@@ -22,7 +22,7 @@ left untouched; this is not an error. It is also not an error if an
 element of *args* matches no installed derivations.
 
 For a description of how *args* is mapped to a set of store paths, see
-[`--install`](#operation---install). If *args* describes multiple
+[`--install`](./install.md). If *args* describes multiple
 store paths with the same symbolic name, only the one with the highest
 version is installed.
 

doc/manual/source/command-ref/nix-hash.md

@@ -34,7 +34,7 @@ md5sum`.
   Print the cryptographic hash of the contents of each regular file *path*.
   That is, instead of computing
   the hash of the [Nix Archive (NAR)](@docroot@/store/file-system-object/content-address.md#serial-nix-archive) of *path*,
-  just [directly hash]((@docroot@/store/file-system-object/content-address.md#serial-flat) *path* as is.
+  just [directly hash](@docroot@/store/file-system-object/content-address.md#serial-flat) *path* as is.
   This requires *path* to resolve to a regular file rather than directory.
   The result is identical to that produced by the GNU commands
   `md5sum` and `sha1sum`.

doc/manual/source/command-ref/nix-instantiate.md

@@ -32,7 +32,7 @@ standard input.
 
 - `--add-root` *path*
 
-  See the [corresponding option](nix-store.md) in `nix-store`.
+  See the [corresponding option](./nix-store.md) in `nix-store`.
 
 - `--parse`
 

doc/manual/source/command-ref/nix-prefetch-url.md

@@ -76,7 +76,7 @@ $ nix-prefetch-url ftp://ftp.gnu.org/pub/gnu/hello/hello-2.10.tar.gz
 ```console
 $ nix-prefetch-url --print-path mirror://gnu/hello/hello-2.10.tar.gz
 0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i
-/nix/store/3x7dwzq014bblazs7kq20p9hyzz0qh8g-hello-2.10.tar.gz
+/nix/store/8alrpdaasjd1x6g1fczchmzbpqm936a3-hello-2.10.tar.gz
 ```
 
 ```console

doc/manual/source/command-ref/nix-shell.md

@@ -19,7 +19,7 @@
 
 This man page describes the command `nix-shell`, which is distinct from `nix
 shell`. For documentation on the latter, run `nix shell --help` or see `man
-nix3-shell`.
+nix3-env-shell`.
 
 # Description
 

doc/manual/source/command-ref/nix-store/add-fixed.md

@@ -34,6 +34,6 @@ This operation has the following options:
 
 ```console
 $ nix-store --add-fixed sha256 ./hello-2.10.tar.gz
-/nix/store/3x7dwzq014bblazs7kq20p9hyzz0qh8g-hello-2.10.tar.gz
+/nix/store/8alrpdaasjd1x6g1fczchmzbpqm936a3-hello-2.10.tar.gz
 ```
 

doc/manual/source/command-ref/nix-store/delete.md

@@ -27,7 +27,7 @@ paths in the store that refer to it (i.e., depend on it).
 # Example
 
 ```console
-$ nix-store --delete /nix/store/zq0h41l75vlb4z45kzgjjmsjxvcv1qk7-mesa-6.4
+$ nix-store --delete /nix/store/gjak3al7lj61x4gj6rln4f5pc5v0f67n-mesa-6.4
 0 bytes freed (0.00 MiB)
-error: cannot delete path `/nix/store/zq0h41l75vlb4z45kzgjjmsjxvcv1qk7-mesa-6.4' since it is still alive
+error: cannot delete path `/nix/store/gjak3al7lj61x4gj6rln4f5pc5v0f67n-mesa-6.4' since it is still alive
 ```

doc/manual/source/command-ref/nix-store/gc.md

@@ -48,8 +48,7 @@ The behaviour of the collector is also influenced by the
 configuration file.
 
 By default, the collector prints the total number of freed bytes when it
-finishes (or when it is interrupted). With `--print-dead`, it prints the
-number of bytes that would be freed.
+finishes (or when it is interrupted).
 
 {{#include ./opt-common.md}}
 

doc/manual/source/command-ref/nix-store/query.md

@@ -184,9 +184,9 @@ Print the build-time dependencies of `svn`:
 
 ```console
 $ nix-store --query --requisites $(nix-store --query --deriver $(which svn))
-/nix/store/02iizgn86m42q905rddvg4ja975bk2i4-grep-2.5.1.tar.bz2.drv
-/nix/store/07a2bzxmzwz5hp58nf03pahrv2ygwgs3-gcc-wrapper.sh
-/nix/store/0ma7c9wsbaxahwwl04gbw3fcd806ski4-glibc-2.3.4.drv
+/nix/store/y6qa66l9h0pw161crnlk6y16rdrcljx4-grep-2.5.1.tar.bz2.drv
+/nix/store/z716h753s97jhnzvfank2srqbljswpgm-gcc-wrapper.sh
+/nix/store/f39x0q73rjdyvzm93y9wrkfr6x39lb7f-glibc-2.3.4.drv
 ... lots of other paths ...
 ```
 
@@ -199,10 +199,10 @@ Show the build-time dependencies as a tree:
 ```console
 $ nix-store --query --tree $(nix-store --query --deriver $(which svn))
 /nix/store/7i5082kfb6yjbqdbiwdhhza0am2xvh6c-subversion-1.1.4.drv
-+---/nix/store/d8afh10z72n8l1cr5w42366abiblgn54-builder.sh
-+---/nix/store/fmzxmpjx2lh849ph0l36snfj9zdibw67-bash-3.0.drv
-|   +---/nix/store/570hmhmx3v57605cqg9yfvvyh0nnb8k8-bash
-|   +---/nix/store/p3srsbd8dx44v2pg6nbnszab5mcwx03v-builder.sh
++---/nix/store/vxnmkc8l8d2ijjha4xwhkfgx9vvc3q4c-builder.sh
++---/nix/store/rn9776dy82n5qrgz7xbcl1iw4vfkcrkk-bash-3.0.drv
+|   +---/nix/store/x9j20hz6bln1crzn55qifk0bbsm8v5ac-bash
+|   +---/nix/store/ajnn1mcm45wjvn0rlc22gvx2cwhjnazx-builder.sh
 ...
 ```
 

doc/manual/source/command-ref/nix-store/realise.md

@@ -76,7 +76,7 @@ This operation is typically used to build [store derivation]s produced by
 
 ```console
 $ nix-store --realise $(nix-instantiate ./test.nix)
-/nix/store/31axcgrlbfsxzmfff1gyj1bf62hvkby2-aterm-2.3.1
+/nix/store/6gwmy5jcnwdlz6aqqhksz863f1l8xc2w-aterm-2.3.1
 ```
 
 This is essentially what [`nix-build`](@docroot@/command-ref/nix-build.md) does.

doc/manual/source/development/benchmarking.md

@@ -0,0 +1,187 @@
+# Running Benchmarks
+
+This guide explains how to build and run performance benchmarks in the Nix codebase.
+
+## Overview
+
+Nix uses the [Google Benchmark](https://github.com/google/benchmark) framework for performance testing. Benchmarks help measure and track the performance of critical operations like derivation parsing.
+
+## Building Benchmarks
+
+Benchmarks are disabled by default and must be explicitly enabled during the build configuration. For accurate results, use a debug-optimized release build.
+
+### Development Environment Setup
+
+First, enter the development shell which includes the necessary dependencies:
+
+```bash
+nix develop .#native-ccacheStdenv
+```
+
+### Configure Build with Benchmarks
+
+From the project root, configure the build with benchmarks enabled and optimization:
+
+```bash
+cd build
+meson configure -Dbenchmarks=true -Dbuildtype=debugoptimized
+```
+
+The `debugoptimized` build type provides:
+- Compiler optimizations for realistic performance measurements
+- Debug symbols for profiling and analysis
+- Balance between performance and debuggability
+
+### Build the Benchmarks
+
+Build the project including benchmarks:
+
+```bash
+ninja
+```
+
+This will create benchmark executables in the build directory. Currently available:
+- `build/src/libstore-tests/nix-store-benchmarks` - Store-related performance benchmarks
+
+Additional benchmark executables will be created as more benchmarks are added to the codebase.
+
+## Running Benchmarks
+
+### Basic Usage
+
+Run benchmark executables directly. For example, to run store benchmarks:
+
+```bash
+./build/src/libstore-tests/nix-store-benchmarks
+```
+
+As more benchmark executables are added, run them similarly from their respective build directories.
+
+### Filtering Benchmarks
+
+Run specific benchmarks using regex patterns:
+
+```bash
+# Run only derivation parser benchmarks
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_filter="derivation.*"
+
+# Run only benchmarks for hello.drv
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_filter=".*hello.*"
+```
+
+### Output Formats
+
+Generate benchmark results in different formats:
+
+```bash
+# JSON output
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=json > results.json
+
+# CSV output
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=csv > results.csv
+```
+
+### Advanced Options
+
+```bash
+# Run benchmarks multiple times for better statistics
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_repetitions=10
+
+# Set minimum benchmark time (useful for micro-benchmarks)
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_min_time=2
+
+# Compare against baseline
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_baseline=baseline.json
+
+# Display time in custom units
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_time_unit=ms
+```
+
+## Writing New Benchmarks
+
+To add new benchmarks:
+
+1. Create a new `.cc` file in the appropriate `*-tests` directory
+2. Include the benchmark header:
+   ```cpp
+   #include <benchmark/benchmark.h>
+   ```
+
+3. Write benchmark functions:
+   ```cpp
+   static void BM_YourBenchmark(benchmark::State & state)
+   {
+       // Setup code here
+
+       for (auto _ : state) {
+           // Code to benchmark
+       }
+   }
+   BENCHMARK(BM_YourBenchmark);
+   ```
+
+4. Add the file to the corresponding `meson.build`:
+   ```meson
+   benchmarks_sources = files(
+       'your-benchmark.cc',
+       # existing benchmarks...
+   )
+   ```
+
+## Profiling with Benchmarks
+
+For deeper performance analysis, combine benchmarks with profiling tools:
+
+```bash
+# Using Linux perf
+perf record ./build/src/libstore-tests/nix-store-benchmarks
+perf report
+```
+
+### Using Valgrind Callgrind
+
+Valgrind's callgrind tool provides detailed profiling information that can be visualized with kcachegrind:
+
+```bash
+# Profile with callgrind
+valgrind --tool=callgrind ./build/src/libstore-tests/nix-store-benchmarks
+
+# Visualize the results with kcachegrind
+kcachegrind callgrind.out.*
+```
+
+This provides:
+- Function call graphs
+- Instruction-level profiling
+- Source code annotation
+- Interactive visualization of performance bottlenecks
+
+## Continuous Performance Testing
+
+```bash
+# Save baseline results
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=json > baseline.json
+
+# Compare against baseline in CI
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_baseline=baseline.json
+```
+
+## Troubleshooting
+
+### Benchmarks not building
+
+Ensure benchmarks are enabled:
+```bash
+meson configure build | grep benchmarks
+# Should show: benchmarks true
+```
+
+### Inconsistent results
+
+- Ensure your system is not under heavy load
+- Disable CPU frequency scaling for consistent results
+- Run benchmarks multiple times with `--benchmark_repetitions`
+
+## See Also
+
+- [Google Benchmark documentation](https://github.com/google/benchmark/blob/main/docs/user_guide.md)

doc/manual/source/development/building.md

@@ -3,6 +3,10 @@
 This section provides some notes on how to start hacking on Nix.
 To get the latest version of Nix from GitHub:
 
+> **Note**
+>
+> When checking out the repo on Windows, make sure you have the git setting `core.symlinks` enabled, before cloning, as there are symlinks in the repo.
+
 ```console
 $ git clone https://github.com/NixOS/nix.git
 $ cd nix
@@ -23,7 +27,7 @@ $ nix-shell
 To get a shell with one of the other [supported compilation environments](#compilation-environments):
 
 ```console
-$ nix-shell --attr devShells.x86_64-linux.native-clangStdenvPackages
+$ nix-shell --attr devShells.x86_64-linux.native-clangStdenv
 ```
 
 > **Note**
@@ -34,7 +38,7 @@ $ nix-shell --attr devShells.x86_64-linux.native-clangStdenvPackages
 To build Nix itself in this shell:
 
 ```console
-[nix-shell]$ mesonFlags+=" --prefix=$(pwd)/outputs/out"
+[nix-shell]$ out="$(pwd)/outputs/out" dev=$out debug=$out mesonFlags+=" --prefix=${out}"
 [nix-shell]$ dontAddPrefix=1 configurePhase
 [nix-shell]$ buildPhase
 ```
@@ -66,7 +70,7 @@ You can also build Nix for one of the [supported platforms](#platforms).
 This section assumes you are using Nix with the [`flakes`] and [`nix-command`] experimental features enabled.
 
 [`flakes`]: @docroot@/development/experimental-features.md#xp-feature-flakes
-[`nix-command`]: @docroot@/development/experimental-features.md#xp-nix-command
+[`nix-command`]: @docroot@/development/experimental-features.md#xp-feature-nix-command
 
 To build all dependencies and start a shell in which all environment variables are set up so that those dependencies can be found:
 
@@ -215,14 +219,18 @@ nix build .#nix-everything-x86_64-w64-mingw32
 
 For historic reasons and backward-compatibility, some CPU and OS identifiers are translated as follows:
 
-| `config.guess`             | Nix                 |
-|----------------------------|---------------------|
-| `amd64`                    | `x86_64`            |
-| `i*86`                     | `i686`              |
-| `arm6`                     | `arm6l`             |
-| `arm7`                     | `arm7l`             |
-| `linux-gnu*`               | `linux`             |
-| `linux-musl*`              | `linux`             |
+| `host_machine.cpu_family()` | `host_machine.endian()` | Nix                 |
+|-----------------------------|-------------------------|---------------------|
+| `x86`                       |                         | `i686`              |
+| `arm`                       |                         | `host_machine.cpu()`|
+| `ppc`                       | `little`                | `powerpcle`         |
+| `ppc64`                     | `little`                | `powerpc64le`       |
+| `ppc`                       | `big`                   | `powerpc`           |
+| `ppc64`                     | `big`                   | `powerpc64`         |
+| `mips`                      | `little`                | `mipsel`            |
+| `mips64`                    | `little`                | `mips64el`          |
+| `mips`                      | `big`                   | `mips`              |
+| `mips64`                    | `big`                   | `mips64`            |
 
 ## Compilation environments
 
@@ -252,7 +260,7 @@ You can use any of the other supported environments in place of `nix-cli-ccacheS
 ## Editor integration
 
 The `clangd` LSP server is installed by default on the `clang`-based `devShell`s.
-See [supported compilation environments](#compilation-environments) and instructions how to set up a shell [with flakes](#nix-with-flakes) or in [classic Nix](#classic-nix).
+See [supported compilation environments](#compilation-environments) and instructions how to set up a shell [with flakes](#building-nix-with-flakes) or in [classic Nix](#building-nix).
 
 To use the LSP with your editor, you will want a `compile_commands.json` file telling `clangd` how we are compiling the code.
 Meson's configure always produces this inside the build directory.

doc/manual/source/development/debugging.md

@@ -6,16 +6,9 @@ Additionally, see [Testing Nix](./testing.md) for further instructions on how to
 
 ## Building Nix with Debug Symbols
 
-In the development shell, set the `mesonBuildType` environment variable to `debug` before configuring the build:
+In the development shell, `mesonBuildType` is set automatically to `debugoptimized`. This builds Nix with debug symbols, which are essential for effective debugging.
 
-```console
-[nix-shell]$ export mesonBuildType=debugoptimized
-```
-
-Then, proceed to build Nix as described in [Building Nix](./building.md).
-This will build Nix with debug symbols, which are essential for effective debugging.
-
-It is also possible to build without debugging for faster build:
+It is also possible to build without optimization for faster build:
 
 ```console
 [nix-shell]$ NIX_HARDENING_ENABLE=$(printLines $NIX_HARDENING_ENABLE | grep -v fortify)
@@ -24,6 +17,19 @@ It is also possible to build without debugging for faster build:
 
 (The first line is needed because `fortify` hardening requires at least some optimization.)
 
+## Building Nix with sanitizers
+
+Nix can be built with [Address](https://clang.llvm.org/docs/AddressSanitizer.html) and
+[UB](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html) sanitizers using LLVM
+or GCC. This is useful when debugging memory corruption issues.
+
+```console
+[nix-shell]$ export mesonBuildType=debugoptimized
+[nix-shell]$ appendToVar mesonFlags "-Dlibexpr:gc=disabled" # Disable Boehm
+[nix-shell]$ appendToVar mesonFlags "-Dbindings=false" # Disable nix-perl
+[nix-shell]$ appendToVar mesonFlags "-Db_sanitize=address,undefined"
+```
+
 ## Debugging the Nix Binary
 
 Obtain your preferred debugger within the development shell:

doc/manual/source/development/documentation.md

@@ -25,20 +25,31 @@ nix build .#nix-manual
 and open `./result/share/doc/nix/manual/index.html`.
 
 
-To build the manual incrementally, [enter the development shell](./building.md) and run:
+To build the manual incrementally, [enter the development shell](./building.md) and configure with `doc-gen` enabled:
+
+**If using interactive `nix develop`:**
 
 ```console
-make manual-html-open -j $NIX_BUILD_CORES
+$ nix develop
+$ mesonFlags="$mesonFlags -Ddoc-gen=true" mesonConfigurePhase
 ```
 
-In order to reflect changes to the [Makefile for the manual], clear all generated files before re-building:
-
-[Makefile for the manual]: https://github.com/NixOS/nix/blob/master/doc/manual/local.mk
+**If using direnv:**
 
 ```console
-rm $(git ls-files doc/manual/ -o | grep -F '.md') && rmdir doc/manual/source/command-ref/new-cli && make manual-html -j $NIX_BUILD_CORES
+$ direnv allow
+$ bash -c 'source $stdenv/setup && mesonFlags="$mesonFlags -Ddoc-gen=true" mesonConfigurePhase'
 ```
 
+Then build the manual:
+
+```console
+$ cd build
+$ meson compile manual
+```
+
+The HTML manual will be generated at `build/src/nix-manual/manual/index.html`.
+
 ## Style guide
 
 The goal of this style guide is to make it such that
@@ -229,3 +240,9 @@ $ configurePhase
 $ ninja src/external-api-docs/html
 $ xdg-open src/external-api-docs/html/index.html
 ```
+
+If you use direnv, or otherwise want to run `configurePhase` in a transient shell, use:
+
+```bash
+nix-shell -A devShells.x86_64-linux.native-clangStdenv --command 'appendToVar mesonFlags "-Ddoc-gen=true"; mesonConfigurePhase'
+```

doc/manual/source/development/meson.build

@@ -1,12 +1,12 @@
 experimental_feature_descriptions_md = custom_target(
   command : nix_eval_for_docs + [
-    '--expr',
-    'import @INPUT0@ (builtins.fromJSON (builtins.readFile @INPUT1@))',
+    '--expr', 'import @INPUT0@ (builtins.fromJSON (builtins.readFile @INPUT1@))',
   ],
   input : [
     '../../generate-xp-features.nix',
     xp_features_json,
   ],
   capture : true,
+  env : nix_env_for_docs,
   output : 'experimental-feature-descriptions.md',
 )

doc/manual/source/development/testing.md

@@ -119,7 +119,7 @@ This will:
 
 3. Stop the program when the test fails, allowing the user to then issue arbitrary commands to GDB.
 
-### Characterisation testing { #characaterisation-testing-unit }
+### Characterisation testing { #characterisation-testing-unit }
 
 See [functional characterisation testing](#characterisation-testing-functional) for a broader discussion of characterisation testing.
 
@@ -137,6 +137,12 @@ $ _NIX_TEST_ACCEPT=1 meson test nix-store-tests -v
 will regenerate the "golden master" expected result for the `libnixstore` characterisation tests.
 The characterisation tests will mark themselves "skipped" since they regenerated the expected result instead of actually testing anything.
 
+### JSON Schema testing
+
+In `doc/manual/source/protocols/json/` we have a number of manual pages generated from [JSON Schema](https://json-schema.org/).
+That JSON schema is tested against the JSON file test data used in [characterisation tests](#characterisation-testing-unit ) for JSON (de)serialization, in `src/json-schema-checks`.
+Between the JSON (de)serialization testing, and this testing of the same data against the schema, we make sure that the manual, the implementation, and a machine-readable schema are are all in sync.
+
 ### Unit test support libraries
 
 There are headers and code which are not just used to test the library in question, but also downstream libraries.

doc/manual/source/glossary.md

@@ -31,9 +31,22 @@
 
   The industry term for storage and retrieval systems using [content addressing](#gloss-content-address). A Nix store also has [input addressing](#gloss-input-addressed-store-object), and metadata.
 
+- [derivation]{#gloss-derivation}
+
+  A derivation can be thought of as a [pure function](https://en.wikipedia.org/wiki/Pure_function) that produces new [store objects][store object] from existing store objects.
+
+  Derivations are implemented as [operating system processes that run in a sandbox](@docroot@/store/building.md#builder-execution).
+  This sandbox by default only allows reading from store objects specified as inputs, and only allows writing to designated [outputs][output] to be [captured as store objects](@docroot@/store/building.md#processing-outputs).
+
+  A derivation is typically specified as a [derivation expression] in the [Nix language], and [instantiated][instantiate] to a [store derivation].
+  There are multiple ways of obtaining store objects from store derivatons, collectively called [realisation][realise].
+
+  [derivation]: #gloss-derivation
+
 - [store derivation]{#gloss-store-derivation}
 
-  A single build task.
+  A [derivation] represented as a [store object].
+
   See [Store Derivation](@docroot@/store/derivation/index.md#store-derivation) for details.
 
   [store derivation]: #gloss-store-derivation
@@ -57,10 +70,7 @@
 
 - [derivation expression]{#gloss-derivation-expression}
 
-  A description of a [store derivation] in the Nix language.
-  The output(s) of a derivation are store objects.
-  Derivations are typically specified in Nix expressions using the [`derivation` primitive](./language/derivations.md).
-  These are translated into store layer *derivations* (implicitly by `nix-env` and `nix-build`, or explicitly by `nix-instantiate`).
+  A description of a [store derivation] using the [`derivation` primitive](./language/derivations.md) in the [Nix language].
 
   [derivation expression]: #gloss-derivation-expression
 
@@ -126,7 +136,7 @@
 
   > **Example**
   >
-  > `/nix/store/a040m110amc4h71lds2jmr8qrkj2jhxd-git-2.38.1`
+  > `/nix/store/jf6gn2dzna4nmsfbdxsd7kwhsk6gnnlr-git-2.38.1`
 
   See [Store Path](@docroot@/store/store-path.md) for details.
 
@@ -198,7 +208,7 @@
 
 - [impure derivation]{#gloss-impure-derivation}
 
-  [An experimental feature](#@docroot@/development/experimental-features.md#xp-feature-impure-derivations) that allows derivations to be explicitly marked as impure,
+  [An experimental feature](@docroot@/development/experimental-features.md#xp-feature-impure-derivations) that allows derivations to be explicitly marked as impure,
   so that they are always rebuilt, and their outputs not reused by subsequent calls to realise them.
 
 - [Nix database]{#gloss-nix-database}
@@ -269,7 +279,7 @@
 
   See [References](@docroot@/store/store-object.md#references) for details.
 
-- [referrer]{#gloss-reference}
+- [referrer]{#gloss-referrer}
 
   A reversed edge from one [store object] to another.
 
@@ -357,8 +367,8 @@
 
   Nix represents files as [file system objects][file system object], and how they belong together is encoded as [references][reference] between [store objects][store object] that contain these file system objects.
 
-  The [Nix language] allows denoting packages in terms of [attribute sets](@docroot@/language/types.md#attribute-set) containing:
-  - attributes that refer to the files of a package, typically in the form of [derivation outputs](#output),
+  The [Nix language] allows denoting packages in terms of [attribute sets](@docroot@/language/types.md#type-attrs) containing:
+  - attributes that refer to the files of a package, typically in the form of [derivation outputs](#gloss-output),
   - attributes with metadata, such as information about how the package is supposed to be used.
 
   The exact shape of these attribute sets is up to convention.
@@ -373,7 +383,7 @@
 
   [string]: ./language/types.md#type-string
   [path]: ./language/types.md#type-path
-  [attribute name]: ./language/types.md#attribute-set
+  [attribute name]: ./language/types.md#type-attrs
 
 - [base directory]{#gloss-base-directory}
 

doc/manual/source/installation/building-source.md

@@ -6,14 +6,23 @@ It is broken up into multiple Meson packages, which are optionally combined in a
 There are no mandatory extra steps to the building process:
 generic Meson installation instructions like [this](https://mesonbuild.com/Quick-guide.html#using-meson-as-a-distro-packager) should work.
 
-The installation path can be specified by passing the `-Dprefix=prefix`
-to `configure`. The default installation directory is `/usr/local`. You
+```bash
+git clone https://github.com/NixOS/nix.git
+cd nix
+meson setup build
+cd build
+ninja
+(sudo) ninja install
+```
+
+The installation path can be specified by passing `-Dprefix=prefix`
+to `meson setup build`. The default installation directory is `/usr/local`. You
 can change this to any location you like. You must have write permission
 to the *prefix* path.
 
 Nix keeps its *store* (the place where packages are stored) in
 `/nix/store` by default. This can be changed using
-`-Dstore-dir=path`.
+`-Dlibstore:store-dir=path`.
 
 > **Warning**
 >

doc/manual/source/installation/installing-binary.md

@@ -25,7 +25,7 @@ This performs the default type of installation for your platform:
 
 We recommend the multi-user installation if it supports your platform and you can authenticate with `sudo`.
 
-The installer can configured with various command line arguments and environment variables.
+The installer can be configured with various command line arguments and environment variables.
 To show available command line flags:
 
 ```console

doc/manual/source/installation/installing-docker.md

@@ -3,19 +3,21 @@
 To run the latest stable release of Nix with Docker run the following command:
 
 ```console
-$ docker run -ti ghcr.io/nixos/nix
-Unable to find image 'ghcr.io/nixos/nix:latest' locally
-latest: Pulling from ghcr.io/nixos/nix
+$ docker run -ti docker.io/nixos/nix
+Unable to find image 'docker.io/nixos/nix:latest' locally
+latest: Pulling from docker.io/nixos/nix
 5843afab3874: Pull complete
 b52bf13f109c: Pull complete
 1e2415612aa3: Pull complete
 Digest: sha256:27f6e7f60227e959ee7ece361f75d4844a40e1cc6878b6868fe30140420031ff
-Status: Downloaded newer image for ghcr.io/nixos/nix:latest
+Status: Downloaded newer image for docker.io/nixos/nix:latest
 35ca4ada6e96:/# nix --version
 nix (Nix) 2.3.12
 35ca4ada6e96:/# exit
 ```
 
+> If you want the latest pre-release you can use ghcr.io/nixos/nix and view them at https://github.com/nixos/nix/pkgs/container/nix
+
 # What is included in Nix's Docker image?
 
 The official Docker image is created using `pkgs.dockerTools.buildLayeredImage`

doc/manual/source/installation/prerequisites-source.md

@@ -10,7 +10,7 @@
   - Bash Shell. The `./configure` script relies on bashisms, so Bash is
     required.
 
-  - A version of GCC or Clang that supports C++20.
+  - A version of GCC or Clang that supports C++23.
 
   - `pkg-config` to locate dependencies. If your distribution does not
     provide it, you can get it from

doc/manual/source/installation/uninstall.md

@@ -41,6 +41,38 @@ There may also be references to Nix in
 
 which you may remove.
 
+### FreeBSD
+
+1. Stop and remove the Nix daemon service:
+
+   ```console
+   sudo service nix-daemon stop
+   sudo rm -f /usr/local/etc/rc.d/nix-daemon
+   sudo sysrc -x nix_daemon_enable
+   ```
+
+2. Remove files created by Nix:
+
+   ```console
+   sudo rm -rf /etc/nix /usr/local/etc/profile.d/nix.sh /nix ~root/.nix-channels ~root/.nix-defexpr ~root/.nix-profile ~root/.cache/nix
+   ```
+
+3. Remove build users and their group:
+
+   ```console
+   for i in $(seq 1 32); do
+     sudo pw userdel nixbld$i
+   done
+   sudo pw groupdel nixbld
+   ```
+
+4. There may also be references to Nix in:
+   - `/usr/local/etc/bashrc`
+   - `/usr/local/etc/zshrc`
+   - Shell configuration files in users' home directories
+
+   which you may remove.
+
 ### macOS
 
 > **Updating to macOS 15 Sequoia**

doc/manual/source/introduction.md

@@ -8,7 +8,7 @@ stores packages in the _Nix store_, usually the directory
 `/nix/store`, where each package has its own unique subdirectory such
 as
 
-    /nix/store/b6gvzjyb2pg0kjfwrjmg1vfhh54ad73z-firefox-33.1/
+    /nix/store/q06x3jll2yfzckz2bzqak089p43ixkkq-firefox-33.1/
 
 where `b6gvzjyb2pg0…` is a unique identifier for the package that
 captures all its dependencies (it’s a cryptographic hash of the

doc/manual/source/language/advanced-attributes.md

@@ -53,23 +53,13 @@ Derivations can declare some infrequently used optional attributes.
 
   - [`__structuredAttrs`]{#adv-attr-structuredAttrs}\
     If the special attribute `__structuredAttrs` is set to `true`, the other derivation
-    attributes are serialised into a file in JSON format. The environment variable
-    `NIX_ATTRS_JSON_FILE` points to the exact location of that file both in a build
-    and a [`nix-shell`](../command-ref/nix-shell.md). This obviates the need for
-    [`passAsFile`](#adv-attr-passAsFile) since JSON files have no size restrictions,
-    unlike process environments.
+    attributes are serialised into a file in JSON format.
 
-    It also makes it possible to tweak derivation settings in a structured way; see
-    [`outputChecks`](#adv-attr-outputChecks) for example.
+    This obviates the need for [`passAsFile`](#adv-attr-passAsFile) since JSON files have no size restrictions, unlike process environments.
+    It also makes it possible to tweak derivation settings in a structured way;
+    see [`outputChecks`](#adv-attr-outputChecks) for example.
 
-    As a convenience to Bash builders,
-    Nix writes a script that initialises shell variables
-    corresponding to all attributes that are representable in Bash. The
-    environment variable `NIX_ATTRS_SH_FILE` points to the exact
-    location of the script, both in a build and a
-    [`nix-shell`](../command-ref/nix-shell.md). This includes non-nested
-    (associative) arrays. For example, the attribute `hardening.format = true`
-    ends up as the Bash associative array element `${hardening[format]}`.
+    See the [corresponding section in the derivation page](@docroot@/store/derivation/index.md#structured-attrs) for further details.
 
     > **Warning**
     >
@@ -170,7 +160,6 @@ See the [corresponding section in the derivation output page](@docroot@/store/de
 ## Other output modifications
 
   - [`unsafeDiscardReferences`]{#adv-attr-unsafeDiscardReferences}\
-
     When using [structured attributes](#adv-attr-structuredAttrs), the
     attribute `unsafeDiscardReferences` is an attribute set with a boolean value for each output name.
     If set to `true`, it disables scanning the output for runtime dependencies.
@@ -205,7 +194,6 @@ See the [corresponding section in the derivation output page](@docroot@/store/de
     [`builder`]: ./derivations.md#attr-builder
 
 - [`requiredSystemFeatures`]{#adv-attr-requiredSystemFeatures}\
-
   If a derivation has the `requiredSystemFeatures` attribute, then Nix will only build it on a machine that has the corresponding features set in its [`system-features` configuration](@docroot@/command-ref/conf-file.md#conf-system-features).
 
   For example, setting
@@ -345,12 +333,12 @@ Here is more information on the `output*` attributes, and what values they may b
 
     `outputHashAlgo` can only be `null` when `outputHash` follows the SRI format, because in that case the choice of hash algorithm is determined by `outputHash`.
 
-  - [`outputHash`]{#adv-attr-outputHashAlgo}; [`outputHash`]{#adv-attr-outputHashMode}
+  - [`outputHash`]{#adv-attr-outputHash}
 
     This will specify the output hash of the single output of a [fixed-output derivation].
 
     The `outputHash` attribute must be a string containing the hash in either hexadecimal or "nix32" encoding, or following the format for integrity metadata as defined by [SRI](https://www.w3.org/TR/SRI/).
-    The "nix32" encoding is an adaptation of base-32 encoding.
+    The ["nix32" encoding](@docroot@/protocols/nix32.md) is Nix's variant of base-32 encoding.
 
     > **Note**
     >

doc/manual/source/language/builtins-prefix.md

@@ -5,12 +5,28 @@ All built-ins are available through the global [`builtins`](#builtins-builtins)
 
 Some built-ins are also exposed directly in the global scope:
 
-<!-- TODO(@rhendric, #10970): this list is incomplete -->
-
 - [`derivation`](#builtins-derivation)
-- [`import`](#builtins-import)
+- `derivationStrict`
 - [`abort`](#builtins-abort)
+- [`baseNameOf`](#builtins-baseNameOf)
+- [`break`](#builtins-break)
+- [`dirOf`](#builtins-dirOf)
+- [`false`](#builtins-false)
+- [`fetchGit`](#builtins-fetchGit)
+- `fetchMercurial`
+- [`fetchTarball`](#builtins-fetchTarball)
+- [`fetchTree`](#builtins-fetchTree)
+- [`fromTOML`](#builtins-fromTOML)
+- [`import`](#builtins-import)
+- [`isNull`](#builtins-isNull)
+- [`map`](#builtins-map)
+- [`null`](#builtins-null)
+- [`placeholder`](#builtins-placeholder)
+- [`removeAttrs`](#builtins-removeAttrs)
+- [`scopedImport`](#builtins-scopedImport)
 - [`throw`](#builtins-throw)
+- [`toString`](#builtins-toString)
+- [`true`](#builtins-true)
 
 <dl>
   <dt id="builtins-derivation"><a href="#builtins-derivation"><code>derivation <var>attrs</var></code></a></dt>

doc/manual/source/language/derivations.md

@@ -16,7 +16,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 - [`name`]{#attr-name} ([String](@docroot@/language/types.md#type-string))
 
   A symbolic name for the derivation.
-  See [derivation outputs](@docroot@/store/derivation/index.md#outputs) for what this is affects.
+  See [derivation outputs](@docroot@/store/derivation/outputs/index.md#outputs) for what this is affects.
 
   [store path]: @docroot@/store/store-path.md
 

doc/manual/source/language/evaluation.md

@@ -74,4 +74,48 @@ in f { x = throw "error"; y = throw "error"; }
 => "ok"
 ```
 
+## Evaluation order
+
+The order in which expressions are evaluated is generally unspecified, because it does not affect successful evaluation outcomes.
+This allows more freedom for the evaluator to evolve and to evaluate efficiently.
+
+Data dependencies naturally impose some ordering constraints: a value cannot be used before it is computed.
+Beyond these constraints, the evaluator is free to choose any order.
+
+The order in which side effects such as [`builtins.trace`](@docroot@/language/builtins.md#builtins-trace) output occurs is not defined, but may be expected to follow data dependencies. <!-- we may want to be more specific about this. -->
+
+In a lazy language, evaluation order is often opposite to expectations from strict languages.
+For example, in `let wrap = x: { wrapped = x; }; in wrap (1 + 2)`, the function body produces a result (`{ wrapped = ...; }`) *before* evaluating `x`.
+
+## Infinite recursion and stack overflow
+
+During evaluation, two types of errors can occur when expressions reference themselves or call functions too deeply:
+
+### Infinite recursion
+
+This error occurs when a value depends on itself through a cycle, making it impossible to compute.
+
+```nix
+let x = x; in x
+=> error: infinite recursion encountered
+```
+
+Infinite recursion happens at the value level when evaluating an expression requires evaluating the same expression again.
+
+Despite the name, infinite recursion is cheap to compute and does not involve a stack overflow.
+The cycle is finite and fairly easy to detect.
+
+### Stack overflow
+
+This error occurs when the call depth exceeds the maximum allowed limit.
+
+```nix
+let f = x: f (x + 1);
+in f 0
+=> error: stack overflow; max-call-depth exceeded
+```
+
+Stack overflow happens when too many function calls are nested without returning.
+The maximum call depth is controlled by the [`max-call-depth` setting](@docroot@/command-ref/conf-file.md#conf-max-call-depth).
+
 [C API]: @docroot@/c-api.md

doc/manual/source/language/identifiers.md

@@ -16,7 +16,7 @@ An *identifier* is an [ASCII](https://en.wikipedia.org/wiki/ASCII) character seq
 
 # Names
 
-A *name* can be written as an [identifier](#identifier) or a [string literal](./string-literals.md).
+A *name* can be written as an [identifier](#identifiers) or a [string literal](./string-literals.md).
 
 > **Syntax**
 >

doc/manual/source/language/index.md

@@ -1,6 +1,6 @@
 # Nix Language
 
-The Nix language is designed for conveniently creating and composing *derivations* – precise descriptions of how contents of existing files are used to derive new files.
+The Nix language is designed for conveniently creating and composing [derivations](@docroot@/glossary.md#gloss-derivation) – precise descriptions of how contents of existing files are used to derive new files.
 
 > **Tip**
 >
@@ -137,7 +137,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   [Booleans](@docroot@/language/types.md#type-boolean)
+   [Booleans](@docroot@/language/types.md#type-bool)
 
   </td>
  </tr>
@@ -245,7 +245,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   An [attribute set](@docroot@/language/types.md#attribute-set) with attributes named `x` and `y`
+   An [attribute set](@docroot@/language/types.md#type-attrs) with attributes named `x` and `y`
 
   </td>
  </tr>
@@ -285,7 +285,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   [Lists](@docroot@/language/types.md#list) with three elements.
+   [Lists](@docroot@/language/types.md#type-list) with three elements.
 
   </td>
  </tr>
@@ -369,7 +369,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   [Attribute selection](@docroot@/language/types.md#attribute-set) (evaluates to `1`)
+   [Attribute selection](@docroot@/language/types.md#type-attrs) (evaluates to `1`)
 
   </td>
  </tr>
@@ -381,7 +381,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   [Attribute selection](@docroot@/language/types.md#attribute-set) with default (evaluates to `3`)
+   [Attribute selection](@docroot@/language/types.md#type-attrs) with default (evaluates to `3`)
 
   </td>
  </tr>

doc/manual/source/language/meson.build

@@ -1,19 +1,13 @@
 builtins_md = custom_target(
-  command : [
-    python.full_path(),
-    '@INPUT0@',
-    '@OUTPUT@',
-    '--'
-  ] + nix_eval_for_docs + [
-    '--expr',
-    '(builtins.readFile @INPUT3@) + import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)) + (builtins.readFile @INPUT4@)',
+  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
+    '--expr', '(builtins.readFile @INPUT3@) + import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)) + (builtins.readFile @INPUT4@)',
   ],
   input : [
     '../../remove_before_wrapper.py',
     '../../generate-builtins.nix',
     language_json,
     'builtins-prefix.md',
-    'builtins-suffix.md'
+    'builtins-suffix.md',
   ],
   output : 'builtins.md',
   env : nix_env_for_docs,

doc/manual/source/language/operators.md

@@ -23,8 +23,8 @@
 | [Greater than or equal to][Comparison] | *expr* `>=` *expr*                         | none          | 10         |
 | [Equality]                             | *expr* `==` *expr*                         | none          | 11         |
 | Inequality                             | *expr* `!=` *expr*                         | none          | 11         |
-| Logical conjunction (`AND`)            | *bool* `&&` *bool*                         | left          | 12         |
-| Logical disjunction (`OR`)             | *bool* <code>\|\|</code> *bool*            | left          | 13         |
+| [Logical conjunction] (`AND`)          | *bool* `&&` *bool*                         | left          | [12](#precedence-and-disjunctive-normal-form)         |
+| [Logical disjunction] (`OR`)           | *bool* <code>\|\|</code> *bool*            | left          | [13](#precedence-and-disjunctive-normal-form)         |
 | [Logical implication]                  | *bool* `->` *bool*                         | right         | 14         |
 | [Pipe operator] (experimental)         | *expr* `\|>` *func*                        | left          | 15         |
 | [Pipe operator] (experimental)         | *func* `<\|` *expr*                        | right         | 15         |
@@ -162,6 +162,9 @@ Update [attribute set] *attrset1* with names and values from *attrset2*.
 The returned attribute set will have all of the attributes in *attrset1* and *attrset2*.
 If an attribute name is present in both, the attribute value from the latter is taken.
 
+This operator is [strict](@docroot@/language/evaluation.md#strictness) in both *attrset1* and *attrset2*.
+That means that both arguments are evaluated to [weak head normal form](@docroot@/language/evaluation.md#values), so the attribute sets themselves are evaluated, but their attribute values are not evaluated.
+
 [Update]: #update
 
 ## Comparison
@@ -185,18 +188,95 @@ All comparison operators are implemented in terms of `<`, and the following equi
 
 ## Equality
 
-- [Attribute sets][attribute set] and [lists][list] are compared recursively, and therefore are fully evaluated.
-- Comparison of [functions][function] always returns `false`.
+- [Attribute sets][attribute set] are compared first by attribute names and then by items until a difference is found.
+- [Lists][list] are compared first by length and then by items until a difference is found.
+- Comparison of distinct [functions][function] returns `false`, but identical functions may be subject to [value identity optimization](#value-identity-optimization).
 - Numbers are type-compatible, see [arithmetic] operators.
 - Floating point numbers only differ up to a limited precision.
 
+The `==` operator is [strict](@docroot@/language/evaluation.md#strictness) in both arguments; when comparing composite types ([attribute sets][attribute set] and [lists][list]), it is partially strict in their contained values: they are evaluated until a difference is found. <!-- this is woefully underspecified, affecting which expressions evaluate correctly; not just "ordering" or error messages. -->
+
+### Value identity optimization
+
+Nix performs equality comparisons of nested values by pointer equality or more abstractly, _identity_.
+Nix semantics ideally do not assign a unique identity to values as they are created, but equality is an exception to this rule.
+The disputable benefit of this is that it is more efficient, and it allows cyclical structures to be compared, e.g. `let x = { x = x; }; in x == x` evaluates to `true`.
+However, as a consequence, it makes a function equal to itself when the comparison is made in a list or attribute set, in contradiction to a simple direct comparison.
+
 [function]: ./syntax.md#functions
 
 [Equality]: #equality
 
+## Logical conjunction
+
+> **Syntax**
+>
+> *bool1* `&&` *bool2*
+
+Logical AND. Equivalent to `if` *bool1* `then` *bool2* `else false`.
+
+This operator is [strict](@docroot@/language/evaluation.md#strictness) in *bool1*, but only evaluates *bool2* if *bool1* is `true`.
+
+> **Example**
+>
+> ```nix
+> true && false
+> => false
+>
+> false && throw "never evaluated"
+> => false
+> ```
+
+[Logical conjunction]: #logical-conjunction
+
+## Logical disjunction
+
+> **Syntax**
+>
+> *bool1* `||` *bool2*
+
+Logical OR. Equivalent to `if` *bool1* `then true` `else` *bool2*.
+
+This operator is [strict](@docroot@/language/evaluation.md#strictness) in *bool1*, but only evaluates *bool2* if *bool1* is `false`.
+
+> **Example**
+>
+> ```nix
+> true || false
+> => true
+>
+> true || throw "never evaluated"
+> => true
+> ```
+
+[Logical disjunction]: #logical-disjunction
+
+### Precedence and disjunctive normal form
+
+The precedence of `&&` and `||` aligns with disjunctive normal form.
+Without parentheses, an expression describes multiple "permissible situations" (connected by `||`), where each situation consists of multiple simultaneous conditions (connected by `&&`).
+
+For example, `A || B && C || D && E` is parsed as `A || (B && C) || (D && E)`, describing three permissible situations: A holds, or both B and C hold, or both D and E hold.
+
 ## Logical implication
 
-Equivalent to `!`*b1* `||` *b2*.
+> **Syntax**
+>
+> *bool1* `->` *bool2*
+
+Logical implication. Equivalent to `!`*bool1* `||` *bool2* (or `if` *bool1* `then` *bool2* `else true`).
+
+This operator is [strict](@docroot@/language/evaluation.md#strictness) in *bool1*, but only evaluates *bool2* if *bool1* is `true`.
+
+> **Example**
+>
+> ```nix
+> true -> false
+> => false
+>
+> false -> throw "never evaluated"
+> => true
+> ```
 
 [Logical implication]: #logical-implication
 

doc/manual/source/language/string-context.md

@@ -34,12 +34,12 @@ String context elements come in different forms:
     > [`builtins.storePath`] creates a string with a single constant string context element:
     >
     > ```nix
-    > builtins.getContext (builtins.storePath "/nix/store/wkhdf9jinag5750mqlax6z2zbwhqb76n-hello-2.10")
+    > builtins.getContext (builtins.storePath "/nix/store/ikwkxz4wwlp2g1428n7dy729cg1d9hin-hello-2.10")
     > ```
     > evaluates to
     > ```nix
     > {
-    >   "/nix/store/wkhdf9jinag5750mqlax6z2zbwhqb76n-hello-2.10" = {
+    >   "/nix/store/ikwkxz4wwlp2g1428n7dy729cg1d9hin-hello-2.10" = {
     >     path = true;
     >   };
     > }
@@ -111,7 +111,7 @@ It creates an [attribute set] representing the string context, which can be insp
 
 [`builtins.hasContext`]: ./builtins.md#builtins-hasContext
 [`builtins.getContext`]: ./builtins.md#builtins-getContext
-[attribute set]: ./types.md#attribute-set
+[attribute set]: ./types.md#type-attrs
 
 ## Clearing string contexts
 

doc/manual/source/language/string-interpolation.md

@@ -6,7 +6,7 @@ Such a construct is called *interpolated string*, and the expression inside is a
 
 [string]: ./types.md#type-string
 [path]: ./types.md#type-path
-[attribute set]: ./types.md#attribute-set
+[attribute set]: ./types.md#type-attrs
 
 > **Syntax**
 >
@@ -181,7 +181,7 @@ A derivation interpolates to the [store path] of its first [output](./derivation
 > "${pkgs.hello}"
 > ```
 >
->     "/nix/store/4xpfqf29z4m8vbhrqcz064wfmb46w5r7-hello-2.12.1"
+>     "/nix/store/qnlr7906z0mrl2syrkdbpicffq02nw07-hello-2.12.1"
 
 An attribute set interpolates to the return value of the function in the `__toString` applied to the attribute set itself.
 

doc/manual/source/language/syntax.md

@@ -51,7 +51,8 @@ See [String literals](string-literals.md).
 
   Path literals can also include [string interpolation], besides being [interpolated into other expressions].
 
-  [interpolated into other expressions]: ./string-interpolation.md#interpolated-expressions
+  [string interpolation]: ./string-interpolation.md
+  [interpolated into other expressions]: ./string-interpolation.md#interpolated-expression
 
   At least one slash (`/`) must appear *before* any interpolated expression for the result to be recognized as a path.
 
@@ -225,8 +226,8 @@ passed in first , e.g.,
 
 ```nix
 let add = { __functor = self: x: x + self.x; };
-    inc = add // { x = 1; };
-in inc 1
+    inc = add // { x = 1; }; # inc is { x = 1; __functor = (...) }
+in inc 1 # equivalent of `add.__functor add 1` i.e. `1 + self.x`
 ```
 
 evaluates to `2`. This can be used to attach metadata to a function
@@ -235,7 +236,7 @@ of object-oriented programming, for example.
 
 ## Recursive sets
 
-Recursive sets are like normal [attribute sets](./types.md#attribute-set), but the attributes can refer to each other.
+Recursive sets are like normal [attribute sets](./types.md#type-attrs), but the attributes can refer to each other.
 
 > *rec-attrset* = `rec {` [ *name* `=` *expr* `;` `]`... `}`
 
@@ -272,7 +273,7 @@ will crash with an `infinite recursion encountered` error message.
 
 A let-expression allows you to define local variables for an expression.
 
-> *let-in* = `let` [ *identifier* = *expr* ]... `in` *expr*
+> *let-in* = `let` [ *identifier* = *expr* `;` ]... `in` *expr*
 
 Example:
 
@@ -285,9 +286,30 @@ in x + y
 
 This evaluates to `"foobar"`.
 
+There is also another, older, syntax for let expressions that should not be used in new code:
+
+> *let* = `let` `{` *identifier* = *expr* `;` [ *identifier* = *expr* `;`]...  `}`
+
+In this form, the attribute set between the `{` `}` is recursive.
+
+One of the attributes must have the special name `body`,
+which is the result of the expression.
+
+Example:
+
+```nix
+let {
+  foo = bar;
+  bar = "baz";
+  body = foo;
+}
+```
+
+This evaluates to "baz".
+
 ## Inheriting attributes
 
-When defining an [attribute set](./types.md#attribute-set) or in a [let-expression](#let-expressions) it is often convenient to copy variables from the surrounding lexical scope (e.g., when you want to propagate attributes).
+When defining an [attribute set](./types.md#type-attrs) or in a [let-expression](#let-expressions) it is often convenient to copy variables from the surrounding lexical scope (e.g., when you want to propagate attributes).
 This can be shortened using the `inherit` keyword.
 
 Example:

doc/manual/source/meson.build

@@ -1,7 +1,11 @@
+# Process JSON schema documentation
+subdir('protocols')
+
 summary_rl_next = custom_target(
   command : [
     bash,
-    '-euo', 'pipefail',
+    '-euo',
+    'pipefail',
     '-c',
     '''
       if [ -e "@INPUT@" ]; then
@@ -12,6 +16,6 @@ summary_rl_next = custom_target(
   input : [
     rl_next_generated,
   ],
-  capture: true,
+  capture : true,
   output : 'SUMMARY-rl-next.md',
 )

doc/manual/source/package-management/binary-cache-substituter.md

@@ -19,17 +19,16 @@ whatever port you like:
 $ nix-serve -p 8080
 ```
 
-To check whether it works, try the following on the client:
+To check whether it works, try fetching the [`nix-cache-info`](@docroot@/protocols/nix-cache-info.md) file on the client:
 
 ```console
 $ curl http://avalon:8080/nix-cache-info
+StoreDir: /nix/store
+WantMassQuery: 1
+Priority: 30
 ```
 
-which should print something like:
-
-    StoreDir: /nix/store
-    WantMassQuery: 1
-    Priority: 30
+When writing to a binary cache (e.g., with [`nix copy`](@docroot@/command-ref/new-cli/nix3-copy.md)), Nix creates [`nix-cache-info`](@docroot@/protocols/nix-cache-info.md) automatically if it doesn't exist.
 
 On the client side, you can tell Nix to use your binary cache using
 `--substituters`, e.g.:

doc/manual/source/package-management/garbage-collector-roots.md

@@ -12,7 +12,7 @@ $ ln -s /nix/store/d718ef...-foo /nix/var/nix/gcroots/bar
 That is, after this command, the garbage collector will not remove
 `/nix/store/d718ef...-foo` or any of its dependencies.
 
-Subdirectories of `prefix/nix/var/nix/gcroots` are also searched for
-symlinks. Symlinks to non-store paths are followed and searched for
-roots, but symlinks to non-store paths *inside* the paths reached in
-that way are not followed to prevent infinite recursion.
+Subdirectories of `prefix/nix/var/nix/gcroots` are searched
+recursively. Symlinks to store paths count as roots. Symlinks to
+non-store paths are ignored, unless the non-store path is itself a
+symlink to a store path.

doc/manual/source/protocols/derivation-aterm.md

@@ -1,6 +1,8 @@
 # Derivation "ATerm" file format
 
-For historical reasons, [store derivations][store derivation] are stored on-disk in [ATerm](https://homepages.cwi.nl/~daybuild/daily-books/technology/aterm-guide/aterm-guide.html) format.
+For historical reasons, [store derivations][store derivation] are stored on-disk in "Annotated Term" (ATerm) format
+([guide](https://homepages.cwi.nl/~daybuild/daily-books/technology/aterm-guide/aterm-guide.html),
+[paper](https://doi.org/10.1002/(SICI)1097-024X(200003)30:3%3C259::AID-SPE298%3E3.0.CO;2-Y)).
 
 ## The ATerm format used
 

doc/manual/source/protocols/json/build-result.md

@@ -0,0 +1,21 @@
+{{#include build-result-v1-fixed.md}}
+
+## Examples
+
+### Successful build
+
+```json
+{{#include schema/build-result-v1/success.json}}
+```
+
+### Failed build (output rejected)
+
+```json
+{{#include schema/build-result-v1/output-rejected.json}}
+```
+
+### Failed build (non-deterministic)
+
+```json
+{{#include schema/build-result-v1/not-deterministic.json}}
+```

doc/manual/source/protocols/json/build-trace-entry.md

@@ -0,0 +1,21 @@
+{{#include build-trace-entry-v2-fixed.md}}
+
+## Examples
+
+### Simple build trace entry
+
+```json
+{{#include schema/build-trace-entry-v2/simple.json}}
+```
+
+### Build trace entry with signature
+
+```json
+{{#include schema/build-trace-entry-v2/with-signature.json}}
+```
+
+<!--
+## Raw Schema
+
+[JSON Schema for Build Trace Entry v1](schema/build-trace-entry-v2.json)
+-->

doc/manual/source/protocols/json/content-address.md

@@ -0,0 +1,21 @@
+{{#include content-address-v1-fixed.md}}
+
+## Examples
+
+### [Text](@docroot@/store/store-object/content-address.html#method-text) method
+
+```json
+{{#include schema/content-address-v1/text.json}}
+```
+
+### [Nix Archive](@docroot@/store/store-object/content-address.html#method-nix-archive) method
+
+```json
+{{#include schema/content-address-v1/nar.json}}
+```
+
+<!-- need to convert YAML to JSON first
+## Raw Schema
+
+[JSON Schema for Hash v1](schema/content-address-v1.json)
+-->

doc/manual/source/protocols/json/derivation.md

@@ -1,93 +0,0 @@
-# Derivation JSON Format
-
-> **Warning**
->
-> This JSON format is currently
-> [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
-> and subject to change.
-
-The JSON serialization of a
-[derivations](@docroot@/glossary.md#gloss-store-derivation)
-is a JSON object with the following fields:
-
-* `name`:
-  The name of the derivation.
-  This is used when calculating the store paths of the derivation's outputs.
-
-* `outputs`:
-  Information about the output paths of the derivation.
-  This is a JSON object with one member per output, where the key is the output name and the value is a JSON object with these fields:
-
-  * `path`:
-    The output path, if it is known in advanced.
-    Otherwise, `null`.
-
-
-  * `method`:
-    For an output which will be [content addressed], a string representing the [method](@docroot@/store/store-object/content-address.md) of content addressing that is chosen.
-    Valid method strings are:
-
-    - [`flat`](@docroot@/store/store-object/content-address.md#method-flat)
-    - [`nar`](@docroot@/store/store-object/content-address.md#method-nix-archive)
-    - [`text`](@docroot@/store/store-object/content-address.md#method-text)
-    - [`git`](@docroot@/store/store-object/content-address.md#method-git)
-
-    Otherwise, `null`.
-
-  * `hashAlgo`:
-    For an output which will be [content addressed], the name of the hash algorithm used.
-    Valid algorithm strings are:
-
-    - `blake3`
-    - `md5`
-    - `sha1`
-    - `sha256`
-    - `sha512`
-
-  * `hash`:
-    For fixed-output derivations, the expected content hash in base-16.
-
-  > **Example**
-  >
-  > ```json
-  > "outputs": {
-  >   "out": {
-  >     "path": "/nix/store/2543j7c6jn75blc3drf4g5vhb1rhdq29-source",
-  >     "method": "nar",
-  >     "hashAlgo": "sha256",
-  >     "hash": "6fc80dcc62179dbc12fc0b5881275898f93444833d21b89dfe5f7fbcbb1d0d62"
-  >   }
-  > }
-  > ```
-
-* `inputSrcs`:
-  A list of store paths on which this derivation depends.
-
-* `inputDrvs`:
-  A JSON object specifying the derivations on which this derivation depends, and what outputs of those derivations.
-
-  > **Example**
-  >
-  > ```json
-  > "inputDrvs": {
-  >   "/nix/store/6lkh5yi7nlb7l6dr8fljlli5zfd9hq58-curl-7.73.0.drv": ["dev"],
-  >   "/nix/store/fn3kgnfzl5dzym26j8g907gq3kbm8bfh-unzip-6.0.drv": ["out"]
-  > }
-  > ```
-
-  specifies that this derivation depends on the `dev` output of `curl`, and the `out` output of `unzip`.
-
-* `system`:
-  The system type on which this derivation is to be built
-  (e.g. `x86_64-linux`).
-
-* `builder`:
-  The absolute path of the program to be executed to run the build.
-  Typically this is the `bash` shell
-  (e.g. `/nix/store/r3j288vpmczbl500w6zz89gyfa4nr0b1-bash-4.4-p23/bin/bash`).
-
-* `args`:
-  The command-line arguments passed to the `builder`.
-
-* `env`:
-  The environment passed to the `builder`.

doc/manual/source/protocols/json/derivation/index.md

@@ -0,0 +1,7 @@
+{{#include ../derivation-v4-fixed.md}}
+
+<!-- need to convert YAML to JSON first
+## Raw Schema
+
+[JSON Schema for Derivation v4](schema/derivation-v4.json)
+-->

doc/manual/source/protocols/json/derivation/options.md

@@ -0,0 +1,49 @@
+{{#include ../derivation-options-v1-fixed.md}}
+
+## Examples
+
+### Input-addressed derivations
+
+#### Default options
+
+```json
+{{#include ../schema/derivation-options-v1/ia/derivation-options/defaults.json}}
+```
+
+#### All options set
+
+```json
+{{#include ../schema/derivation-options-v1/ia/derivation-options/all_set.json}}
+```
+
+#### Default options (structured attributes)
+
+```json
+{{#include ../schema/derivation-options-v1/ia/derivation-options/structuredAttrs_defaults.json}}
+```
+
+#### All options set (structured attributes)
+
+```json
+{{#include ../schema/derivation-options-v1/ia/derivation-options/structuredAttrs_all_set.json}}
+```
+
+### Content-addressed derivations
+
+#### All options set
+
+```json
+{{#include ../schema/derivation-options-v1/ca/derivation-options/all_set.json}}
+```
+
+#### All options set (structured attributes)
+
+```json
+{{#include ../schema/derivation-options-v1/ca/derivation-options/structuredAttrs_all_set.json}}
+```
+
+<!-- need to convert YAML to JSON first
+## Raw Schema
+
+[JSON Schema for Derivation Options v1](schema/derivation-options-v1.json)
+-->