Merge remote-tracking branch 'origin/master' into staging-next

Conflicts:
 pkgs/tools/networking/xh/default.nix

25 files changed, 360 insertions, 89 deletions

diff --git a/nixos/doc/manual/contributing-to-this-manual.chapter.md b/nixos/doc/manual/contributing-to-this-manual.chapter.md
new file mode 100644
index 0000000000000..26813d1042d69
--- /dev/null
+++ b/nixos/doc/manual/contributing-to-this-manual.chapter.md
@@ -0,0 +1,13 @@
+# Contributing to this manual {#chap-contributing}
+
+The DocBook and CommonMark sources of NixOS' manual are in the [nixos/doc/manual](https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual) subdirectory of the [Nixpkgs](https://github.com/NixOS/nixpkgs) repository.
+
+You can quickly check your edits with the following:
+
+```ShellSession
+$ cd /path/to/nixpkgs
+$ ./nixos/doc/manual/md-to-db.sh
+$ nix-build nixos/release.nix -A manual.x86_64-linux
+```
+
+If the build succeeds, the manual will be in `./result/share/doc/nixos/index.html`.
diff --git a/nixos/doc/manual/contributing-to-this-manual.xml b/nixos/doc/manual/contributing-to-this-manual.xml
deleted file mode 100644
index 137e04bb313b3..0000000000000
--- a/nixos/doc/manual/contributing-to-this-manual.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<chapter xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xml:id="chap-contributing">
- <title>Contributing to this manual</title>
- <para>
-  The DocBook sources of NixOS' manual are in the <filename
-xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual">
-nixos/doc/manual</filename> subdirectory of the <link
-xlink:href="https://github.com/NixOS/nixpkgs">Nixpkgs</link> repository.
- </para>
- <para>
-  You can quickly check your edits with the following:
- </para>
-<screen>
-<prompt>$ </prompt>cd /path/to/nixpkgs
-<prompt>$ </prompt>nix-build nixos/release.nix -A manual.x86_64-linux
-</screen>
- <para>
-  If the build succeeds, the manual will be in
-  <filename>./result/share/doc/nixos/index.html</filename>.
- </para>
-</chapter>
diff --git a/nixos/doc/manual/development/building-nixos.chapter.md b/nixos/doc/manual/development/building-nixos.chapter.md
new file mode 100644
index 0000000000000..699a75f411522
--- /dev/null
+++ b/nixos/doc/manual/development/building-nixos.chapter.md
@@ -0,0 +1,18 @@
+# Building Your Own NixOS CD {#sec-building-cd}
+Building a NixOS CD is as easy as configuring your own computer. The idea is to use another module which will replace your `configuration.nix` to configure the system that would be installed on the CD.
+
+Default CD/DVD configurations are available inside `nixos/modules/installer/cd-dvd`
+
+```ShellSession
+$ git clone https://github.com/NixOS/nixpkgs.git
+$ cd nixpkgs/nixos
+$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix
+```
+
+Before burning your CD/DVD, you can check the content of the image by mounting anywhere like suggested by the following command:
+
+```ShellSession
+# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
+```
+
+If you want to customize your NixOS CD in more detail, or generate other kinds of images, you might want to check out [nixos-generators](https://github.com/nix-community/nixos-generators). This can also be a good starting point when you want to use Nix to build a 'minimal' image that doesn't include a NixOS installation.
diff --git a/nixos/doc/manual/development/building-nixos.xml b/nixos/doc/manual/development/building-nixos.xml
deleted file mode 100644
index d58b6354d1d36..0000000000000
--- a/nixos/doc/manual/development/building-nixos.xml
+++ /dev/null
@@ -1,33 +0,0 @@
-<chapter xmlns="http://docbook.org/ns/docbook"
-        xmlns:xlink="http://www.w3.org/1999/xlink"
-        xmlns:xi="http://www.w3.org/2001/XInclude"
-        version="5.0"
-        xml:id="sec-building-cd">
- <title>Building Your Own NixOS CD</title>
- <para>
-  Building a NixOS CD is as easy as configuring your own computer. The idea is
-  to use another module which will replace your
-  <filename>configuration.nix</filename> to configure the system that would be
-  installed on the CD.
- </para>
- <para>
-  Default CD/DVD configurations are available inside
-  <filename>nixos/modules/installer/cd-dvd</filename>.
-<screen>
-<prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs.git
-<prompt>$ </prompt>cd nixpkgs/nixos
-<prompt>$ </prompt>nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix</screen>
- </para>
- <para>
-  Before burning your CD/DVD, you can check the content of the image by
-  mounting anywhere like suggested by the following command:
-<screen>
-<prompt># </prompt>mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
- </para>
- <para>
- If you want to customize your NixOS CD in more detail, or generate other kinds
- of images, you might want to check out <link
- xlink:href="https://github.com/nix-community/nixos-generators">nixos-generators</link>. This can also be a good starting point when you want to use Nix to build a
- 'minimal' image that doesn't include a NixOS installation.
- </para>
-</chapter>
diff --git a/nixos/doc/manual/development/development.xml b/nixos/doc/manual/development/development.xml
index 43f511b3e96ba..78763a7350577 100644
--- a/nixos/doc/manual/development/development.xml
+++ b/nixos/doc/manual/development/development.xml
@@ -13,7 +13,7 @@
  <xi:include href="writing-modules.xml" />
  <xi:include href="building-parts.xml" />
  <xi:include href="writing-documentation.xml" />
- <xi:include href="building-nixos.xml" />
+ <xi:include href="../from_md/development/building-nixos.chapter.xml" />
  <xi:include href="nixos-tests.xml" />
  <xi:include href="testing-installer.xml" />
  <xi:include href="releases.xml" />
diff --git a/nixos/doc/manual/from_md/README.md b/nixos/doc/manual/from_md/README.md
new file mode 100644
index 0000000000000..cc6d08ca0a15a
--- /dev/null
+++ b/nixos/doc/manual/from_md/README.md
@@ -0,0 +1,5 @@
+This directory is temporarily needed while we transition the manual to CommonMark. It stores the output of the ../md-to-db.sh script that converts CommonMark files back to DocBook.
+
+We are choosing to convert the Markdown to DocBook at authoring time instead of manual building time, because we do not want the pandoc toolchain to become part of the NixOS closure.
+
+Do not edit the DocBook files inside this directory or its subdirectories. Instead, edit the corresponding .md file in the normal manual directories, and run ../md-to-db.sh to update the file here.
diff --git a/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml b/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml
new file mode 100644
index 0000000000000..a9b0c6a5eefa1
--- /dev/null
+++ b/nixos/doc/manual/from_md/contributing-to-this-manual.chapter.xml
@@ -0,0 +1,22 @@
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="chap-contributing">
+  <title>Contributing to this manual</title>
+  <para>
+    The DocBook and CommonMark sources of NixOS’ manual are in the
+    <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual">nixos/doc/manual</link>
+    subdirectory of the
+    <link xlink:href="https://github.com/NixOS/nixpkgs">Nixpkgs</link>
+    repository.
+  </para>
+  <para>
+    You can quickly check your edits with the following:
+  </para>
+  <programlisting>
+$ cd /path/to/nixpkgs
+$ ./nixos/doc/manual/md-to-db.sh
+$ nix-build nixos/release.nix -A manual.x86_64-linux
+</programlisting>
+  <para>
+    If the build succeeds, the manual will be in
+    <literal>./result/share/doc/nixos/index.html</literal>.
+  </para>
+</chapter>
diff --git a/nixos/doc/manual/from_md/development/building-nixos.chapter.xml b/nixos/doc/manual/from_md/development/building-nixos.chapter.xml
new file mode 100644
index 0000000000000..ceb744447dab7
--- /dev/null
+++ b/nixos/doc/manual/from_md/development/building-nixos.chapter.xml
@@ -0,0 +1,33 @@
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-building-cd">
+  <title>Building Your Own NixOS CD</title>
+  <para>
+    Building a NixOS CD is as easy as configuring your own computer. The
+    idea is to use another module which will replace your
+    <literal>configuration.nix</literal> to configure the system that
+    would be installed on the CD.
+  </para>
+  <para>
+    Default CD/DVD configurations are available inside
+    <literal>nixos/modules/installer/cd-dvd</literal>
+  </para>
+  <programlisting>
+$ git clone https://github.com/NixOS/nixpkgs.git
+$ cd nixpkgs/nixos
+$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix
+</programlisting>
+  <para>
+    Before burning your CD/DVD, you can check the content of the image
+    by mounting anywhere like suggested by the following command:
+  </para>
+  <programlisting>
+# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso&lt;/screen&gt;
+</programlisting>
+  <para>
+    If you want to customize your NixOS CD in more detail, or generate
+    other kinds of images, you might want to check out
+    <link xlink:href="https://github.com/nix-community/nixos-generators">nixos-generators</link>.
+    This can also be a good starting point when you want to use Nix to
+    build a <quote>minimal</quote> image that doesn’t include a NixOS
+    installation.
+  </para>
+</chapter>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
new file mode 100644
index 0000000000000..abcf3406aa34c
--- /dev/null
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -0,0 +1,15 @@
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="release-21.11">
+  <title>Release 21.11 (<quote>?</quote>, 2021.11/??)</title>
+  <para>
+    In addition to numerous new and upgraded packages, this release has
+    the following highlights:
+  </para>
+  <itemizedlist spacing="compact">
+    <listitem>
+      <para>
+        Support is planned until the end of April 2022, handing over to
+        22.05.
+      </para>
+    </listitem>
+  </itemizedlist>
+</section>
diff --git a/nixos/doc/manual/manual.xml b/nixos/doc/manual/manual.xml
index db9e7313831da..158b3507a58ea 100644
--- a/nixos/doc/manual/manual.xml
+++ b/nixos/doc/manual/manual.xml
@@ -19,6 +19,6 @@
   <xi:include href="./generated/options-db.xml"
                 xpointer="configuration-variable-list" />
  </appendix>
- <xi:include href="contributing-to-this-manual.xml" />
+ <xi:include href="./from_md/contributing-to-this-manual.chapter.xml" />
  <xi:include href="release-notes/release-notes.xml" />
 </book>
diff --git a/nixos/doc/manual/md-to-db.sh b/nixos/doc/manual/md-to-db.sh
new file mode 100755
index 0000000000000..fc4be7da22ba8
--- /dev/null
+++ b/nixos/doc/manual/md-to-db.sh
@@ -0,0 +1,33 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -I nixpkgs=channel:nixpkgs-unstable -i bash -p pandoc
+
+# This script is temporarily needed while we transition the manual to
+# CommonMark. It converts the .md files in the regular manual folder
+# into DocBook files in the from_md folder.
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+pushd $DIR
+
+OUT="$DIR/from_md"
+mapfile -t MD_FILES < <(find . -type f -regex '.*\.md$')
+
+for mf in ${MD_FILES[*]}; do
+  if [ "${mf: -11}" == ".section.md" ]; then
+    mkdir -p $(dirname "$OUT/$mf")
+    pandoc "$mf" -t docbook \
+      --extract-media=media \
+      -f markdown+smart \
+    | cat  > "$OUT/${mf%".section.md"}.section.xml"
+  fi
+
+  if [ "${mf: -11}" == ".chapter.md" ]; then
+    mkdir -p $(dirname "$OUT/$mf")
+    pandoc "$mf" -t docbook \
+      --top-level-division=chapter \
+      --extract-media=media \
+      -f markdown+smart \
+    | cat  > "$OUT/${mf%".chapter.md"}.chapter.xml"
+  fi
+done
+
+popd
diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml
index e083d51406c76..6d7899f6dcdb6 100644
--- a/nixos/doc/manual/release-notes/release-notes.xml
+++ b/nixos/doc/manual/release-notes/release-notes.xml
@@ -8,6 +8,7 @@
   This section lists the release notes for each stable version of NixOS and
   current unstable revision.
  </para>
+ <xi:include href="../from_md/release-notes/rl-2111.section.xml" />
  <xi:include href="rl-2105.xml" />
  <xi:include href="rl-2009.xml" />
  <xi:include href="rl-2003.xml" />
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
new file mode 100644
index 0000000000000..1499249148fb1
--- /dev/null
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -0,0 +1,5 @@
+# Release 21.11 (“?”, 2021.11/??) {#release-21.11}
+
+In addition to numerous new and upgraded packages, this release has the following highlights:
+
+* Support is planned until the end of April 2022, handing over to 22.05.
diff --git a/nixos/modules/hardware/xpadneo.nix b/nixos/modules/hardware/xpadneo.nix
index d504697e61fd9..dbc4ba2125604 100644
--- a/nixos/modules/hardware/xpadneo.nix
+++ b/nixos/modules/hardware/xpadneo.nix
@@ -24,6 +24,6 @@ in
   };
 
   meta = {
-    maintainers = with maintainers; [ metadark ];
+    maintainers = with maintainers; [ kira-bruneau ];
   };
 }
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 33b4d01ebff73..aa4e2ccc46bce 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -238,6 +238,7 @@
   ./services/amqp/activemq/default.nix
   ./services/amqp/rabbitmq.nix
   ./services/audio/alsa.nix
+  ./services/audio/botamusique.nix
   ./services/audio/jack.nix
   ./services/audio/icecast.nix
   ./services/audio/jmusicbot.nix
diff --git a/nixos/modules/programs/bash/undistract-me.nix b/nixos/modules/programs/bash/undistract-me.nix
index 378144f598b56..0e6465e048a10 100644
--- a/nixos/modules/programs/bash/undistract-me.nix
+++ b/nixos/modules/programs/bash/undistract-me.nix
@@ -31,6 +31,6 @@ in
   };
 
   meta = {
-    maintainers = with maintainers; [ metadark ];
+    maintainers = with maintainers; [ kira-bruneau ];
   };
 }
diff --git a/nixos/modules/services/audio/botamusique.nix b/nixos/modules/services/audio/botamusique.nix
new file mode 100644
index 0000000000000..14614d2dd1613
--- /dev/null
+++ b/nixos/modules/services/audio/botamusique.nix
@@ -0,0 +1,114 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.botamusique;
+
+  format = pkgs.formats.ini {};
+  configFile = format.generate "botamusique.ini" cfg.settings;
+in
+{
+  meta.maintainers = with lib.maintainers; [ hexa ];
+
+  options.services.botamusique = {
+    enable = mkEnableOption "botamusique, a bot to play audio streams on mumble";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.botamusique;
+      description = "The botamusique package to use.";
+    };
+
+    settings = mkOption {
+      type = with types; submodule {
+        freeformType = format.type;
+        options = {
+          server.host = mkOption {
+            type = types.str;
+            default = "localhost";
+            example = "mumble.example.com";
+            description = "Hostname of the mumble server to connect to.";
+          };
+
+          server.port = mkOption {
+            type = types.port;
+            default = 64738;
+            description = "Port of the mumble server to connect to.";
+          };
+
+          bot.username = mkOption {
+            type = types.str;
+            default = "botamusique";
+            description = "Name the bot should appear with.";
+          };
+
+          bot.comment = mkOption {
+            type = types.str;
+            default = "Hi, I'm here to play radio, local music or youtube/soundcloud music. Have fun!";
+            description = "Comment displayed for the bot.";
+          };
+        };
+      };
+      default = {};
+      description = ''
+        Your <filename>configuration.ini</filename> as a Nix attribute set. Look up
+        possible options in the <link xlink:href="https://github.com/azlux/botamusique/blob/master/configuration.example.ini">configuration.example.ini</link>.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.botamusique = {
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      unitConfig.Documentation = "https://github.com/azlux/botamusique/wiki";
+
+      environment.HOME = "/var/lib/botamusique";
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/botamusique --config ${configFile}";
+        Restart = "always"; # the bot exits when the server connection is lost
+
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DynamicUser = true;
+        IPAddressDeny = [
+          "link-local"
+          "multicast"
+        ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        ProcSubset = "pid";
+        PrivateDevices = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        StateDirectory = "botamusique";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        UMask = "0077";
+        WorkingDirectory = "/var/lib/botamusique";
+      };
+    };
+  };
+}
diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
index e72e3fa59cf92..b764db1f14e4a 100644
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -197,14 +197,14 @@ in {
                ])) (attrValues cfg.commands);
         after = [ "zfs.target" ];
         serviceConfig = {
-          ExecStartPre = (map (pool: lib.escapeShellArgs [
-            "+/run/booted-system/sw/bin/zfs" "allow"
-            cfg.user "hold,send" pool
-          ]) (getPools "source")) ++
-          (map (pool: lib.escapeShellArgs [
-            "+/run/booted-system/sw/bin/zfs" "allow"
-            cfg.user "create,mount,receive,rollback" pool
-          ]) (getPools "target"));
+          ExecStartPre = let
+            allowCmd = permissions: pool: lib.escapeShellArgs [
+              "+/run/booted-system/sw/bin/zfs" "allow"
+              cfg.user (concatStringsSep "," permissions) pool
+            ];
+          in
+            (map (allowCmd [ "hold" "send" "snapshot" "destroy" ]) (getPools "source")) ++
+            (map (allowCmd [ "create" "mount" "receive" "rollback" ]) (getPools "target"));
           User = cfg.user;
           Group = cfg.group;
         };
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index 290b5af1d6061..dff587453042d 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -699,12 +699,12 @@ in {
     ];
 
     users.users.matrix-synapse = {
-        group = "matrix-synapse";
-        home = cfg.dataDir;
-        createHome = true;
-        shell = "${pkgs.bash}/bin/bash";
-        uid = config.ids.uids.matrix-synapse;
-      };
+      group = "matrix-synapse";
+      home = cfg.dataDir;
+      createHome = true;
+      shell = "${pkgs.bash}/bin/bash";
+      uid = config.ids.uids.matrix-synapse;
+    };
 
     users.groups.matrix-synapse = {
       gid = config.ids.gids.matrix-synapse;
@@ -726,6 +726,10 @@ in {
         User = "matrix-synapse";
         Group = "matrix-synapse";
         WorkingDirectory = cfg.dataDir;
+        ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" ''
+          chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key
+          chmod 0600 ${cfg.dataDir}/homeserver.signing.key
+        '')) ];
         ExecStart = ''
           ${cfg.package}/bin/homeserver \
             ${ concatMapStringsSep "\n  " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
@@ -733,6 +737,7 @@ in {
         '';
         ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
         Restart = "on-failure";
+        UMask = "0077";
       };
     };
   };
diff --git a/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixos/modules/services/x11/desktop-managers/cinnamon.nix
index 43220e3c5952c..101c64c7b3edf 100644
--- a/nixos/modules/services/x11/desktop-managers/cinnamon.nix
+++ b/nixos/modules/services/x11/desktop-managers/cinnamon.nix
@@ -128,6 +128,7 @@ in
         cinnamon-session
         cinnamon-desktop
         cinnamon-menus
+        cinnamon-translations
 
         # utils needed by some scripts
         killall
@@ -137,6 +138,9 @@ in
         # cinnamon-killer-daemon: provided by cinnamon-common
         gnome.networkmanagerapplet # session requirement - also nm-applet not needed
 
+        # For a polkit authentication agent
+        polkit_gnome
+
         # packages
         nemo
         cinnamon-control-center
diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix
index 693179e485294..b6be524aea663 100644
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -316,6 +316,7 @@ in
         ++ lib.optionals config.hardware.bluetooth.enable [ bluedevil bluez-qt pkgs.openobex pkgs.obexftp ]
         ++ lib.optional config.networking.networkmanager.enable plasma-nm
         ++ lib.optional config.hardware.pulseaudio.enable plasma-pa
+        ++ lib.optional config.services.pipewire.pulse.enable plasma-pa
         ++ lib.optional config.powerManagement.enable powerdevil
         ++ lib.optional config.services.colord.enable pkgs.colord-kde
         ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ]
diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix
index a158509a77ace..f3f318412df1b 100644
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -428,7 +428,7 @@ let
       extraVeths = {};
       additionalCapabilities = [];
       ephemeral = false;
-      timeoutStartSec = "15s";
+      timeoutStartSec = "1min";
       allowedDevices = [];
       hostAddress = null;
       hostAddress6 = null;
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 4ada4a5de8048..99393e5b18421 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -47,6 +47,7 @@ in
   boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64
   boot-stage1 = handleTest ./boot-stage1.nix {};
   borgbackup = handleTest ./borgbackup.nix {};
+  botamusique = handleTest ./botamusique.nix {};
   buildbot = handleTest ./buildbot.nix {};
   buildkite-agents = handleTest ./buildkite-agents.nix {};
   caddy = handleTest ./caddy.nix {};
diff --git a/nixos/tests/botamusique.nix b/nixos/tests/botamusique.nix
new file mode 100644
index 0000000000000..ccb105dc142f2
--- /dev/null
+++ b/nixos/tests/botamusique.nix
@@ -0,0 +1,47 @@
+import ./make-test-python.nix ({ pkgs, lib, ...} :
+
+{
+  name = "botamusique";
+  meta.maintainers = with lib.maintainers; [ hexa ];
+
+  nodes = {
+    machine = { config, ... }: {
+      services.murmur = {
+        enable = true;
+        registerName = "NixOS tests";
+      };
+
+      services.botamusique = {
+        enable = true;
+        settings = {
+          server = {
+            channel = "NixOS tests";
+          };
+          bot = {
+            version = false;
+            auto_check_update = false;
+          };
+        };
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    machine.wait_for_unit("murmur.service")
+    machine.wait_for_unit("botamusique.service")
+
+    machine.sleep(10)
+
+    machine.wait_until_succeeds(
+        "journalctl -u murmur.service -e | grep -q '<1:botamusique(-1)> Authenticated'"
+    )
+
+    with subtest("Check systemd hardening"):
+        output = machine.execute("systemctl show botamusique.service")[1]
+        machine.log(output)
+        output = machine.execute("systemd-analyze security botamusique.service")[1]
+        machine.log(output)
+  '';
+})
diff --git a/nixos/tests/sanoid.nix b/nixos/tests/sanoid.nix
index da6d4c9ffe828..c691bfc08ef72 100644
--- a/nixos/tests/sanoid.nix
+++ b/nixos/tests/sanoid.nix
@@ -33,14 +33,22 @@ in {
 
           autosnap = true;
         };
-        datasets."pool/test".useTemplate = [ "test" ];
+        datasets."pool/sanoid".useTemplate = [ "test" ];
+        extraArgs = [ "--verbose" ];
       };
 
       services.syncoid = {
         enable = true;
         sshKey = "/var/lib/syncoid/id_ecdsa";
-        commonArgs = [ "--no-sync-snap" ];
-        commands."pool/test".target = "root@target:pool/test";
+        commands = {
+          # Sync snapshot taken by sanoid
+          "pool/sanoid" = {
+            target = "root@target:pool/sanoid";
+            extraArgs = [ "--no-sync-snap" ];
+          };
+          # Take snapshot and sync
+          "pool/syncoid".target = "root@target:pool/syncoid";
+        };
       };
     };
     target = { ... }: {
@@ -54,18 +62,19 @@ in {
 
   testScript = ''
     source.succeed(
-        "mkdir /tmp/mnt",
+        "mkdir /mnt",
         "parted --script /dev/vdb -- mklabel msdos mkpart primary 1024M -1s",
         "udevadm settle",
-        "zpool create pool /dev/vdb1",
-        "zfs create -o mountpoint=legacy pool/test",
-        "mount -t zfs pool/test /tmp/mnt",
+        "zpool create pool -R /mnt /dev/vdb1",
+        "zfs create pool/sanoid",
+        "zfs create pool/syncoid",
         "udevadm settle",
     )
     target.succeed(
+        "mkdir /mnt",
         "parted --script /dev/vdb -- mklabel msdos mkpart primary 1024M -1s",
         "udevadm settle",
-        "zpool create pool /dev/vdb1",
+        "zpool create pool -R /mnt /dev/vdb1",
         "udevadm settle",
     )
 
@@ -76,16 +85,15 @@ in {
         "chown -R syncoid:syncoid /var/lib/syncoid/",
     )
 
-    source.succeed("touch /tmp/mnt/test.txt")
+    # Take snapshot with sanoid
+    source.succeed("touch /mnt/pool/sanoid/test.txt")
     source.systemctl("start --wait sanoid.service")
 
+    # Sync snapshots
     target.wait_for_open_port(22)
+    source.succeed("touch /mnt/pool/syncoid/test.txt")
     source.systemctl("start --wait syncoid.service")
-    target.succeed(
-        "mkdir /tmp/mnt",
-        "zfs set mountpoint=legacy pool/test",
-        "mount -t zfs pool/test /tmp/mnt",
-    )
-    target.succeed("cat /tmp/mnt/test.txt")
+    target.succeed("cat /mnt/pool/sanoid/test.txt")
+    target.succeed("cat /mnt/pool/syncoid/test.txt")
   '';
 })