14 files changed, 397 insertions, 135 deletions
diff --git a/pkgs/tools/admin/bubblewrap/default.nix b/pkgs/tools/admin/bubblewrap/default.nix
index fda6113b59841..92a188b0cb61b 100644
--- a/pkgs/tools/admin/bubblewrap/default.nix
+++ b/pkgs/tools/admin/bubblewrap/default.nix
@@ -13,13 +13,13 @@
 
 stdenv.mkDerivation rec {
   pname = "bubblewrap";
-  version = "0.6.1";
+  version = "0.6.2";
 
   src = fetchFromGitHub {
     owner = "containers";
     repo = "bubblewrap";
     rev = "v${version}";
-    sha256 = "sha256-YmK/Tq9/JTJr5gLNKEH5t6TvvXlNSTDz5Ui7d3ewv2s=";
+    hash = "sha256-J+VFla3sWO+DfB2IxxrKzbiG+KWFJr9caf8sTHyWXY4=";
   };
 
   postPatch = ''
diff --git a/pkgs/tools/admin/salt/0001-Fix-Jinja2-3.1.0.patch b/pkgs/tools/admin/salt/0001-Fix-Jinja2-3.1.0.patch
new file mode 100644
index 0000000000000..bdcc82c708dfa
--- /dev/null
+++ b/pkgs/tools/admin/salt/0001-Fix-Jinja2-3.1.0.patch
@@ -0,0 +1,38 @@
+From 0a763a13ef55964395dff60283ececc16f957792 Mon Sep 17 00:00:00 2001
+From: Derek Kulinski <d@kulinski.us>
+Date: Sun, 8 May 2022 01:30:39 -0700
+Subject: [PATCH] Fix Jinja2 3.1.0
+
+---
+ salt/utils/jinja.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/salt/utils/jinja.py b/salt/utils/jinja.py
+index 0cb70bf64a..322c2f7f46 100644
+--- a/salt/utils/jinja.py
++++ b/salt/utils/jinja.py
+@@ -25,10 +25,11 @@ import salt.utils.json
+ import salt.utils.stringutils
+ import salt.utils.url
+ import salt.utils.yaml
+-from jinja2 import BaseLoader, Markup, TemplateNotFound, nodes
++from jinja2 import BaseLoader, TemplateNotFound, nodes
+ from jinja2.environment import TemplateModule
+ from jinja2.exceptions import TemplateRuntimeError
+ from jinja2.ext import Extension
++from markupsafe import Markup
+ from salt.exceptions import TemplateError
+ from salt.utils.decorators.jinja import jinja_filter, jinja_global, jinja_test
+ from salt.utils.odict import OrderedDict
+@@ -706,7 +707,7 @@ def method_call(obj, f_name, *f_args, **f_kwargs):
+     return getattr(obj, f_name, lambda *args, **kwargs: None)(*f_args, **f_kwargs)
+ 
+ 
+-@jinja2.contextfunction
++@jinja2.pass_context
+ def show_full_context(ctx):
+     return salt.utils.data.simple_types_filter(
+         {key: value for key, value in ctx.items()}
+-- 
+2.35.1
+
diff --git a/pkgs/tools/admin/salt/default.nix b/pkgs/tools/admin/salt/default.nix
index 774ea6c8cfa7a..b59bc46e9c2be 100644
--- a/pkgs/tools/admin/salt/default.nix
+++ b/pkgs/tools/admin/salt/default.nix
@@ -6,30 +6,16 @@
 , extraInputs ? []
 }:
 
-let
-  py = python3.override {
-    packageOverrides = self: super: {
-      # Incompatible with pyzmq 22
-      pyzmq = super.pyzmq.overridePythonAttrs (oldAttrs: rec {
-        version = "21.0.2";
-        src = oldAttrs.src.override {
-          inherit version;
-          sha256 = "CYwTxhmJE8KgaQI1+nTS5JFhdV9mtmO+rsiWUVVMx5w=";
-        };
-      });
-   };
-  };
-in
-py.pkgs.buildPythonApplication rec {
+python3.pkgs.buildPythonApplication rec {
   pname = "salt";
   version = "3004.1";
 
-  src = py.pkgs.fetchPypi {
+  src = python3.pkgs.fetchPypi {
     inherit pname version;
     hash = "sha256-fzRKJDJkik8HjapazMaNzf/hCVzqE+wh5QQTVg8Ewpg=";
   };
 
-  propagatedBuildInputs = with py.pkgs; [
+  propagatedBuildInputs = with python3.pkgs; [
     distro
     jinja2
     markupsafe
@@ -39,18 +25,46 @@ py.pkgs.buildPythonApplication rec {
     pyyaml
     pyzmq
     requests
-    tornado
   ] ++ extraInputs;
 
-  patches = [ ./fix-libcrypto-loading.patch ];
+  patches = [
+    ./fix-libcrypto-loading.patch
+
+    # Bug in 3004.1: https://github.com/saltstack/salt/pull/61856
+    ./0001-Fix-Jinja2-3.1.0.patch
+  ];
 
   postPatch = ''
     substituteInPlace "salt/utils/rsax931.py" \
       --subst-var-by "libcrypto" "${lib.getLib openssl}/lib/libcrypto.so"
     substituteInPlace requirements/base.txt \
       --replace contextvars ""
+
+    # Don't require optional dependencies on Darwin, let's use
+    # `extraInputs` like on any other platform
+    echo -n > "requirements/darwin.txt"
+
+    # Bug in 3004.1: https://github.com/saltstack/salt/pull/61839
+    substituteInPlace "salt/utils/entrypoints.py" \
+      --replace 'if sys.version_info >= (3, 10):' 'if False:'
+
+    # Bug in 3004.1: https://github.com/saltstack/salt/issues/61865
+    substituteInPlace "salt/transport/tcp.py" \
+      --replace 'payload = self.pack_publish(package)' 'package = self.pack_publish(package)'
+
+    # 3004.1: requirement of pyzmq was restricted to <22.0.0; looks like that req was incorrect
+    # https://github.com/saltstack/salt/commit/070597e525bb7d56ffadede1aede325dfb1b73a4
+    # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259279
+    # https://github.com/saltstack/salt/pull/61163
+    substituteInPlace "requirements/zeromq.txt" \
+      --replace 'pyzmq<=20.0.0 ; python_version < "3.6"' "" \
+      --replace 'pyzmq>=17.0.0,<22.0.0 ; python_version < "3.9"' 'pyzmq>=17.0.0 ; python_version < "3.9"' \
+      --replace 'pyzmq>19.0.2,<22.0.0 ; python_version >= "3.9"' 'pyzmq>19.0.2 ; python_version >= "3.9"'
   '';
 
+  # Don't use fixed dependencies on Darwin
+  USE_STATIC_REQUIREMENTS = "0";
+
   # The tests fail due to socket path length limits at the very least;
   # possibly there are more issues but I didn't leave the test suite running
   # as is it rather long.
diff --git a/pkgs/tools/backup/zbackup/default.nix b/pkgs/tools/backup/zbackup/default.nix
index ee5cc6fd89e90..9b618ccec5051 100644
--- a/pkgs/tools/backup/zbackup/default.nix
+++ b/pkgs/tools/backup/zbackup/default.nix
@@ -20,6 +20,10 @@ stdenv.mkDerivation rec {
     ./protobuf-api-change.patch
   ];
 
+  # zbackup uses dynamic exception specifications which are not
+  # allowed in C++17
+  NIX_CFLAGS_COMPILE = [ "--std=c++14" ];
+
   buildInputs = [ zlib openssl protobuf lzo libunwind ];
   nativeBuildInputs = [ cmake protobufc ];
 
diff --git a/pkgs/tools/misc/bat/default.nix b/pkgs/tools/misc/bat/default.nix
index 558bd4bad3f63..e886616b70795 100644
--- a/pkgs/tools/misc/bat/default.nix
+++ b/pkgs/tools/misc/bat/default.nix
@@ -12,15 +12,15 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "bat";
-  version = "0.20.0";
+  version = "0.21.0";
 
   src = fetchFromGitHub {
     owner = "sharkdp";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-U+EHOZntZsHfvLapLpbiIKXSm8Qc1BRqCTR/AFe6yfQ=";
+    sha256 = "sha256-eCk0oOHGZNqgqz+JJfIhjWdLgBTpBig+mggi1c3EUDk=";
   };
-  cargoSha256 = "sha256-eSBcrKjgCz8mApLJnpNyWVC8pQVUX8dPiYJDIK470U8=";
+  cargoSha256 = "sha256-kYZxtiK9hnHBOMvRoHZK5kyXO9cg/gHBYuaITqKUpbE=";
 
   nativeBuildInputs = [ pkg-config installShellFiles makeWrapper ];
 
diff --git a/pkgs/tools/misc/dotter/default.nix b/pkgs/tools/misc/dotter/default.nix
index 5ca26be420ea7..67401b4d85b8e 100644
--- a/pkgs/tools/misc/dotter/default.nix
+++ b/pkgs/tools/misc/dotter/default.nix
@@ -1,4 +1,4 @@
-{ lib, fetchFromGitHub, rustPlatform, which }:
+{ lib, stdenv, fetchFromGitHub, rustPlatform, CoreServices, which }:
 
 rustPlatform.buildRustPackage rec {
   pname = "dotter";
@@ -13,6 +13,8 @@ rustPlatform.buildRustPackage rec {
 
   cargoHash = "sha256-JpMEC2HjAQLQiXHSE6L0HBDc0vLhd465wDK2+35aBXA=";
 
+  buildInputs = lib.optionals stdenv.isDarwin [ CoreServices ];
+
   checkInputs = [ which ];
 
   meta = with lib; {
diff --git a/pkgs/tools/misc/esptool/default.nix b/pkgs/tools/misc/esptool/default.nix
index e1ec37063deaf..b4439363d4ada 100644
--- a/pkgs/tools/misc/esptool/default.nix
+++ b/pkgs/tools/misc/esptool/default.nix
@@ -2,19 +2,27 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "esptool";
-  version = "3.3";
+  version = "3.3.1";
 
   src = fetchFromGitHub {
     owner = "espressif";
     repo = "esptool";
     rev = "v${version}";
-    sha256 = "sha256-CmGie+M3AboOk8X+LkRhIxTRQZgDlklouzmz8kiIZuI=";
+    hash = "sha256-9WmiLji7Zoad5WIzgkpvkI9t96sfdkCtFh6zqVxF7qo=";
   };
 
-  checkInputs = with python3.pkgs;
-    [ flake8 flake8-future-import flake8-import-order openssl ];
-  propagatedBuildInputs = with python3.pkgs;
-    [ pyserial pyaes ecdsa reedsolo bitstring cryptography ];
+  postPatch = ''
+    substituteInPlace test/test_imagegen.py \
+      --replace "sys.executable, ESPTOOL_PY" "ESPTOOL_PY"
+  '';
+
+  propagatedBuildInputs = with python3.pkgs; [
+    bitstring
+    cryptography
+    ecdsa
+    pyserial
+    reedsolo
+  ];
 
   # wrapPythonPrograms will overwrite esptool.py with a bash script,
   # but espefuse.py tries to import it. Since we don't add any binary paths,
@@ -28,6 +36,23 @@ python3.pkgs.buildPythonApplication rec {
     done
   '';
 
+  checkInputs = with python3.pkgs; [
+    pyelftools
+  ];
+
+  # tests mentioned in `.github/workflows/test_esptool.yml`
+  checkPhase = ''
+    runHook preCheck
+
+    export ESPTOOL_PY=$out/bin/esptool.py
+    ${python3.interpreter} test/test_imagegen.py
+    ${python3.interpreter} test/test_espsecure.py
+    ${python3.interpreter} test/test_merge_bin.py
+    ${python3.interpreter} test/test_modules.py
+
+    runHook postCheck
+  '';
+
   meta = with lib; {
     description = "ESP8266 and ESP32 serial bootloader utility";
     homepage = "https://github.com/espressif/esptool";
diff --git a/pkgs/tools/misc/nb/default.nix b/pkgs/tools/misc/nb/default.nix
new file mode 100644
index 0000000000000..422e315fc9a64
--- /dev/null
+++ b/pkgs/tools/misc/nb/default.nix
@@ -0,0 +1,67 @@
+{ stdenv, lib, fetchFromGitHub, installShellFiles }:
+
+stdenv.mkDerivation rec {
+  pname = "nb";
+  version = "6.10.1";
+
+  src = fetchFromGitHub {
+    owner = "xwmx";
+    repo = "nb";
+    rev = version;
+    sha256 = "00c0k12yc2vqx0am1mhcjbn7fh3dab2zixslyh1smzcww275rk59";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/bin/
+    mv nb $out/bin/
+    runHook postInstall
+  '';
+
+  postInstall = ''
+    installShellCompletion etc/nb-completion.{bash,zsh}
+  '';
+
+  meta = with lib; {
+    description = "A command line note-taking, bookmarking, archiving, and knowledge base application";
+    longDescription = ''
+      `nb` creates notes in text-based formats like Markdown, Emacs Org mode,
+      and LaTeX, can work with files in any format, can import and export notes
+      to many document formats, and can create private, password-protected
+      encrypted notes and bookmarks. With `nb`, you can write notes using Vim,
+      Emacs, VS Code, Sublime Text, and any other text editor you like. `nb`
+      works in any standard Linux / Unix environment, including macOS and
+      Windows via WSL. Optional dependencies can be installed to enhance
+      functionality, but `nb` works great without them.
+
+      `nb` is also a powerful text-based CLI bookmarking system. Page
+      information is automatically downloaded, compiled, and saved into normal
+      Markdown documents made for humans, so bookmarks are easy to edit just
+      like any other note.
+
+      `nb` uses Git in the background to automatically record changes and sync
+      notebooks with remote repositories. `nb` can also be configured to sync
+      notebooks using a general purpose syncing utility like Dropbox so notes
+      can be edited in other apps on any device.
+
+      `nb` is designed to be portable, future-focused, and vendor independent,
+      providing a full-featured and intuitive experience within a highly
+      composable user-centric text interface. The entire program is a single
+      well-tested shell script that can be installed, copied, or curled almost
+      anywhere and just work, using progressive enhancement for various
+      experience improvements in more capable environments. `nb` works great
+      whether you have one notebook with just a few notes or dozens of
+      notebooks containing thousands of notes, bookmarks, and other items. `nb`
+      makes it easy to incorporate other tools, writing apps, and workflows.
+      `nb` can be used a little, a lot, once in a while, or for just a subset
+      of features. `nb` is flexible.
+    '';
+    homepage = "https://xwmx.github.io/nb/";
+    license = licenses.agpl3Plus;
+    maintainers = [ maintainers.toonn ];
+    platforms = platforms.all;
+  };
+}
diff --git a/pkgs/tools/networking/aircrack-ng/default.nix b/pkgs/tools/networking/aircrack-ng/default.nix
index f836fdf052f9b..b4cab28e3ebdf 100644
--- a/pkgs/tools/networking/aircrack-ng/default.nix
+++ b/pkgs/tools/networking/aircrack-ng/default.nix
@@ -4,11 +4,11 @@
 
 stdenv.mkDerivation rec {
   pname = "aircrack-ng";
-  version = "1.6";
+  version = "1.7";
 
   src = fetchurl {
     url = "https://download.aircrack-ng.org/aircrack-ng-${version}.tar.gz";
-    sha256 = "0ix2k64qg7x3w0bzdsbk1m50kcpq1ws59g3zkwiafvpwdr4gs2sg";
+    sha256 = "1hsq1gwmafka4bahs6rc8p98yi542h9a502h64bjlygpr3ih99q5";
   };
 
   nativeBuildInputs = [ pkg-config makeWrapper autoreconfHook ];
diff --git a/pkgs/tools/networking/httpie/default.nix b/pkgs/tools/networking/httpie/default.nix
deleted file mode 100644
index a6c6ddfe5bba9..0000000000000
--- a/pkgs/tools/networking/httpie/default.nix
+++ /dev/null
@@ -1,80 +0,0 @@
-{ lib
-, fetchFromGitHub
-, installShellFiles
-, python3
-, pandoc
-}:
-
-python3.pkgs.buildPythonApplication rec {
-  pname = "httpie";
-  version = "3.1.0";
-  format = "setuptools";
-
-  src = fetchFromGitHub {
-    owner = "httpie";
-    repo = "httpie";
-    rev = version;
-    hash = "sha256-x7Zucb2i8D4Xbn77eBzSxOAcc2fGg5MFKFiyJhytQ0s=";
-  };
-
-  nativeBuildInputs = [
-    installShellFiles
-    pandoc
-  ];
-
-  propagatedBuildInputs = with python3.pkgs; [
-    charset-normalizer
-    defusedxml
-    multidict
-    pygments
-    requests
-    requests-toolbelt
-    setuptools
-  ];
-
-  checkInputs = with python3.pkgs; [
-    mock
-    pytest
-    pytest-httpbin
-    pytest-lazy-fixture
-    pytestCheckHook
-    responses
-  ];
-
-  postInstall = ''
-    # install completions
-    installShellCompletion --bash \
-      --name http.bash extras/httpie-completion.bash
-    installShellCompletion --fish \
-      --name http.fish extras/httpie-completion.fish
-
-    # convert the docs/README.md file
-    pandoc --standalone -f markdown -t man docs/README.md -o docs/http.1
-    installManPage docs/http.1
-  '';
-
-  pytestFlagsArray = [
-    "httpie"
-    "tests"
-  ];
-
-  disabledTests = [
-    "test_chunked"
-    "test_verbose_chunked"
-    "test_multipart_chunked"
-    "test_request_body_from_file_by_path_chunked"
-    # Part of doctest
-    "httpie.encoding.detect_encoding"
-  ];
-
-  pythonImportsCheck = [
-    "httpie"
-  ];
-
-  meta = with lib; {
-    description = "A command line HTTP client whose goal is to make CLI human-friendly";
-    homepage = "https://httpie.org/";
-    license = licenses.bsd3;
-    maintainers = with maintainers; [ antono relrod schneefux SuperSandro2000 ];
-  };
-}
diff --git a/pkgs/tools/networking/httpie/strip-venv.patch b/pkgs/tools/networking/httpie/strip-venv.patch
deleted file mode 100644
index 9cfddbfdf78f4..0000000000000
--- a/pkgs/tools/networking/httpie/strip-venv.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/tests/test_docs.py b/tests/test_docs.py
-index 340e64d..a6b4dc9 100644
---- a/tests/test_docs.py
-+++ b/tests/test_docs.py
-@@ -42,15 +42,10 @@ assert filenames
- # HACK: hardcoded paths, venv should be irrelevant, etc.
- # TODO: simplify by using the Python API instead of a subprocess
- #       then we wont’t need the paths.
--VENV_BIN = Path(__file__).parent.parent / 'venv/bin'
--VENV_PYTHON = VENV_BIN / 'python'
--VENV_RST2PSEUDOXML = VENV_BIN / 'rst2pseudoxml.py'
-+VENV_PYTHON = 'python'
-+VENV_RST2PSEUDOXML = 'rst2pseudoxml.py'
- 
- 
--@pytest.mark.skipif(
--    not VENV_RST2PSEUDOXML.exists(),
--    reason='docutils not installed',
--)
- @pytest.mark.parametrize('filename', filenames)
- def test_rst_file_syntax(filename):
-     p = subprocess.Popen(
diff --git a/pkgs/tools/security/yubihsm-connector/default.nix b/pkgs/tools/security/yubihsm-connector/default.nix
new file mode 100644
index 0000000000000..24371f8a983e3
--- /dev/null
+++ b/pkgs/tools/security/yubihsm-connector/default.nix
@@ -0,0 +1,40 @@
+{ lib, libusb1, buildGoModule, fetchFromGitHub, pkg-config }:
+
+buildGoModule rec {
+  pname = "yubihsm-connector";
+  version = "3.0.2";
+
+  src = fetchFromGitHub {
+    owner = "Yubico";
+    repo = "yubihsm-connector";
+    rev = version;
+    sha256 = "FQ64tSZN55QpXjMZITzlWOPTKSgnoCpkRngQUQHVavc=";
+  };
+
+  vendorSha256 = "kVBzdJk/1LvjdUtLqHAw9ZxDfCo3mBWVMYG/nQXpDrk=";
+
+  patches = [
+    # Awaiting a new release to fix the upstream lockfile
+    # https://github.com/Yubico/yubihsm-connector/issues/36
+    ./lockfile-fix.patch
+  ];
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    libusb1
+  ];
+
+  preBuild = ''
+    go generate
+  '';
+
+  meta = with lib; {
+    description = "yubihsm-connector performs the communication between the YubiHSM 2 and applications that use it";
+    homepage = "https://developers.yubico.com/yubihsm-connector/";
+    maintainers = with maintainers; [ matthewcroughan ];
+    license = licenses.asl20;
+  };
+}
diff --git a/pkgs/tools/security/yubihsm-connector/lockfile-fix.patch b/pkgs/tools/security/yubihsm-connector/lockfile-fix.patch
new file mode 100644
index 0000000000000..96fdb0ec64b8a
--- /dev/null
+++ b/pkgs/tools/security/yubihsm-connector/lockfile-fix.patch
@@ -0,0 +1,115 @@
+diff --git a/go.mod b/go.mod
+index ac22dc6..0ef56b2 100644
+--- a/go.mod
++++ b/go.mod
+@@ -1,21 +1,32 @@
+ module github.com/Yubico/yubihsm-connector
+
++go 1.17
++
+ require (
+ 	github.com/google/gousb v1.1.0
+ 	github.com/google/uuid v1.1.1
+ 	github.com/kardianos/service v1.0.0
++	github.com/notdpate/evloghook v0.0.0-20180503050227-f202fa6c9ebb
++	github.com/sirupsen/logrus v1.4.2
++	github.com/spf13/cobra v0.0.5
++	github.com/spf13/viper v1.4.0
++	gopkg.in/yaml.v2 v2.2.2
++)
++
++require (
++	github.com/fsnotify/fsnotify v1.4.7 // indirect
++	github.com/hashicorp/hcl v1.0.0 // indirect
++	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+ 	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
+ 	github.com/magiconair/properties v1.8.1 // indirect
+-	github.com/notdpate/evloghook v0.0.0-20180503050227-f202fa6c9ebb
++	github.com/mitchellh/mapstructure v1.1.2 // indirect
+ 	github.com/pelletier/go-toml v1.4.0 // indirect
+-	github.com/sirupsen/logrus v1.4.2
+ 	github.com/spf13/afero v1.2.2 // indirect
+-	github.com/spf13/cobra v0.0.5
++	github.com/spf13/cast v1.3.0 // indirect
+ 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+-	github.com/spf13/viper v1.4.0
++	github.com/spf13/pflag v1.0.3 // indirect
+ 	github.com/stretchr/testify v1.4.0 // indirect
+ 	golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3 // indirect
+ 	golang.org/x/text v0.3.2 // indirect
+ 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+-	gopkg.in/yaml.v2 v2.2.2
+ )
+diff --git a/go.sum b/go.sum
+index 71df42d..8d977ff 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1,4 +1,5 @@
+ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
++github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+ github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+@@ -16,6 +17,7 @@ github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7
+ github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+ github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
++github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+ github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+@@ -45,6 +47,7 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
+ github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
+ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
++github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
+ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+ github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+@@ -53,10 +56,13 @@ github.com/kardianos/service v1.0.0/go.mod h1:8CzDhVuCuugtsHyZoTvsOBuvonN/UDBvl0
+ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
++github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
+ github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
++github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
++github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+ github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+ github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4=
+@@ -66,12 +72,14 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
+ github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
+ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
++github.com/notdpate/evloghook v0.0.0-20180503050227-f202fa6c9ebb h1:GFmMJZvdCkRfbfo07+lUKrB+jh2cJ+a2l6qD/3hxZ6M=
+ github.com/notdpate/evloghook v0.0.0-20180503050227-f202fa6c9ebb/go.mod h1:ukoRZyzBppMQypxM7KqEvHc4DB5uNW6NXFp1sVeXamM=
+ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+ github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+ github.com/pelletier/go-toml v1.4.0 h1:u3Z1r+oOXJIkxqw34zVhyPgjBsm6X2wn21NWs/HfSeg=
+ github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo=
+ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
++github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+ github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+@@ -107,6 +115,7 @@ github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/y
+ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
++github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+ github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
+@@ -156,6 +165,7 @@ google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ij
+ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
++gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+ gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
+ gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
+
+
diff --git a/pkgs/tools/security/yubihsm-shell/default.nix b/pkgs/tools/security/yubihsm-shell/default.nix
new file mode 100644
index 0000000000000..06a1452400de5
--- /dev/null
+++ b/pkgs/tools/security/yubihsm-shell/default.nix
@@ -0,0 +1,59 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, openssl
+, libusb1
+, libedit
+, curl
+, gengetopt
+, pkg-config
+, pcsclite
+, help2man
+}:
+
+stdenv.mkDerivation rec {
+  pname = "yubihsm-shell";
+  version = "2.3.1";
+
+  src = fetchFromGitHub {
+    owner = "Yubico";
+    repo = "yubihsm-shell";
+    rev = version;
+    sha256 = "D0kXiwc+i6mKA4oHuHjgXUmLMsmY5o/VI+1aCWtNjC0=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    cmake
+    help2man
+    gengetopt
+  ];
+
+  buildInputs = [
+    libusb1
+    libedit
+    curl
+    pcsclite
+    openssl
+  ];
+
+  cmakeFlags = [
+    # help2man fails without this
+    "-DCMAKE_SKIP_BUILD_RPATH=OFF"
+  ];
+
+  postPatch = ''
+    # Can't find libyubihsm at runtime because of dlopen() in C code
+    substituteInPlace lib/yubihsm.c \
+      --replace "libyubihsm_usb.so" "$out/lib/libyubihsm_usb.so" \
+      --replace "libyubihsm_http.so" "$out/lib/libyubihsm_http.so"
+  '';
+
+  meta = with lib; {
+    description = "yubihsm-shell and libyubihsm";
+    homepage = "https://github.com/Yubico/yubihsm-shell";
+    maintainers = with maintainers; [ matthewcroughan ];
+    license = licenses.asl20;
+  };
+}