Add install check for OpenMP{,-V}

Fix openmp buildInputs
Remove unused sys-devices requirement in ld test
2025-12-10 15:56:37 +01:00 · 2025-12-10 15:56:37 +01:00 · 2025-12-10 15:56:36 +01:00 · 2025-12-10 15:56:36 +01:00 · 2025-12-10 15:56:36 +01:00 · 2025-12-10 15:56:36 +01:00
53 changed files with 294 additions and 809 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1767634882,
-        "narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=",
+        "lastModified": 1764522689,
+        "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c",
+        "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
        "type": "github"
      },
      "original": {
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@@ -57,18 +57,6 @@
    };
  };

-  services.fail2ban = {
-    enable = true;
-    maxretry = 5;
-    bantime-increment = {
-      enable = true; # Double ban time on each attack
-      maxtime = "7d"; # Ban up to a week
-    };
-  };
-
-  # Disable SSH login with password, allow only keypair
-  services.openssh.settings.PasswordAuthentication = false;
-
  networking.firewall = {
    extraCommands = ''
      # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -24,7 +24,7 @@
      address = "10.0.40.40";
      prefixLength = 24;
    } ];
-    interfaces.ibs785.ipv4.addresses = [ {
+    interfaces.ibp5s0.ipv4.addresses = [ {
      address = "10.0.42.40";
      prefixLength = 24;
    } ];
--- a/m/common/base/env.nix
+++ b/m/common/base/env.nix
@@ -2,36 +2,11 @@

 {
  environment.systemPackages = with pkgs; [
-    cmake
-    ethtool
-    file
-    freeipmi
-    git
-    gnumake
-    home-manager
-    htop
-    ipmitool
-    ldns
-    lm_sensors
-    ncdu
-    nix-diff
-    nix-index
-    nix-output-monitor
-    nixfmt-tree
-    nixos-option
-    pciutils
-    perf
-    pv
-    ripgrep
-    tcpdump
-    tmux
-    tree
-    vim
-    wget
-
+    vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
+    nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
+    ncdu perf ldns pv
    # From jungle overlay
-    nixgen
-    osumb
+    osumb nixgen
  ];

  programs.direnv.enable = true;
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -139,7 +139,6 @@
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
        ];
-        shell = pkgs.zsh;
      };

      pmartin1 = {
@@ -194,32 +193,6 @@
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlRX7ZCnqtUJYCxKgWmgSrFCYuA2LHY96rVwqxXPl86 aaguirre@BSC-8488184117"
        ];
      };
-
-      emonteir = {
-        uid = 9656;
-        isNormalUser = true;
-        home = "/home/Computational/emonteir";
-        description = "Erwin Royson Monteiro";
-        group = "Computational";
-        hosts = [ "apex" "fox" ];
-        hashedPassword = "$6$0mU88zd3ZuK5NiJQ$DFWL5RMLH6esQM5UyhBCiiNryw4lDDmvJp7Usz3tmevnsiSJr6u0RsUKAnR/K8GRBFrV1.GocrgNjKjik5GY//";
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKZKot/Y3F5Wq9pQIXlCbyvQuVVeWMCsAC96Nd+LTcG erwin@Oreo"
-        ];
-      };
-
-      ssanzmar = {
-        uid = 9657;
-        isNormalUser = true;
-        home = "/home/Computational/ssanzmar";
-        description = "Sergio Sanz Martínez";
-        group = "Computational";
-        hosts = [ "apex" "fox" ];
-        hashedPassword = "$6$HUjNDJeJMmNQ6M64$laXSOZcXg6o4v2r8Jm8Xj9kmqw7veCY32po3TVDPRR4WlyxvOeqwoKr4NjlUlPPpKN55Oot3ZYHi.9iNXsH5E1";
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIELrsRRHXryrdA2ZBx5XmdGxL4DC5bmJydhBeTWQ0SQ sergio.sanz.martinez@estudiantat.upc.edu"
-        ];
-      };
    };

    groups = {
--- a/m/eudy/kernel/perf.nix
+++ b/m/eudy/kernel/perf.nix
@@ -1,6 +1,11 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:

 {
+  # add the perf tool
+  environment.systemPackages = with pkgs; [
+    config.boot.kernelPackages.perf
+  ];
+
  # allow non-root users to read tracing data from the kernel
  boot.kernel.sysctl."kernel.perf_event_paranoid" = -2;
  boot.kernel.sysctl."kernel.kptr_restrict" = 0;
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -45,7 +45,7 @@
      address = "10.0.40.7";
      prefixLength = 24;
    } ];
-    interfaces.ibs785.ipv4.addresses = [ {
+    interfaces.ibp5s0.ipv4.addresses = [ {
      address = "10.0.42.7";
      prefixLength = 24;
    } ];
--- a/m/hut/nginx.nix
+++ b/m/hut/nginx.nix
@@ -4,8 +4,8 @@ let
    name = "jungle-web";
    src = pkgs.fetchgit {
      url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
-      hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
+      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
    };
    buildInputs = [ pkgs.hugo ];
    buildPhase = ''
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -46,7 +46,7 @@
      address = "10.0.40.42";
      prefixLength = 24;
    } ];
-    interfaces.ibs785.ipv4.addresses = [ {
+    interfaces.ibp5s0.ipv4.addresses = [ {
      address = "10.0.42.42";
      prefixLength = 24;
    } ];
--- a/m/module/tc1-board.nix
+++ b/m/module/tc1-board.nix
@@ -1,27 +0,0 @@
-{ lib, pkgs, ... }:
-
-{
-  # Allow user access to FTDI USB device
-  services.udev.packages = lib.singleton (pkgs.writeTextFile {
-    # Needs to be < 73
-    name = "60-ftdi-tc1.rules";
-    text = ''
-      # Bus 003 Device 003: ID 0403:6011 Future Technology Devices International, Ltd FT4232H Quad HS USB-UART/FIFO IC
-      # Use := to make sure it doesn't get changed later
-      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6011", MODE:="0666"
-    '';
-    destination = "/etc/udev/rules.d/60-ftdi-tc1.rules";
-  });
-
-  # Allow access to USB for docker in GitLab runner
-  services.gitlab-runner = {
-    services.gitlab-bsc-docker = {
-      registrationFlags = [
-        # We need raw access to the USB port to reboot the board
-        "--docker-devices /dev/bus/usb/003/003"
-        # And TTY access for the serial port
-        "--docker-devices /dev/ttyUSB2"
-      ];
-    };
-  };
-}
--- a/m/owl1/configuration.nix
+++ b/m/owl1/configuration.nix
@@ -20,7 +20,7 @@
      address = "10.0.40.1";
      prefixLength = 24;
    } ];
-    interfaces.ibs785.ipv4.addresses = [ {
+    interfaces.ibp5s0.ipv4.addresses = [ {
      address = "10.0.42.1";
      prefixLength = 24;
    } ];
--- a/m/owl2/configuration.nix
+++ b/m/owl2/configuration.nix
@@ -21,7 +21,7 @@
      prefixLength = 24;
    } ];
    # Watch out! The OmniPath device is not in the same place here:
-    interfaces.ibs801.ipv4.addresses = [ {
+    interfaces.ibp129s0.ipv4.addresses = [ {
      address = "10.0.42.2";
      prefixLength = 24;
    } ];
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -16,7 +16,6 @@
    ../module/p.nix
    ../module/vpn-dac.nix
    ../module/hut-substituter.nix
-    ../module/tc1-board.nix
  ];

  # Select the this using the ID to avoid mismatches
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -27,7 +27,4 @@
      };
    };
  };
-
-  # Allow gitea user to send mail
-  users.users.gitea.extraGroups = [ "mail-robot" ];
 }
--- a/m/tent/gitlab-runner.nix
+++ b/m/tent/gitlab-runner.nix
@@ -43,7 +43,6 @@
        registrationFlags = [
          # Increase build log length to 64 MiB
          "--output-limit 65536"
-          "--docker-network-mode host"
        ];
        preBuildScript = pkgs.writeScript "setup-container" ''
          mkdir -p -m 0755 /nix/var/log/nix/drvs
--- a/m/tent/nginx.nix
+++ b/m/tent/nginx.nix
@@ -4,8 +4,8 @@ let
    name = "jungle-web";
    src = pkgs.fetchgit {
      url = "https://jungle.bsc.es/git/rarias/jungle-website.git";
-      rev = "5f18335d14126d2fef134c0cd441771436f7dfa1";
-      hash = "sha256-s9VBF91sQ7hg9+lrwNFPYgoXTTyXaQcAulCiGJgWERo=";
+      rev = "52abaf4d71652a9ef77a0b098db14ca33bffff4c";
+      hash = "sha256-/ul9GazbOrOkmlvSgDz/+2W+V+ir5725Y7mVLc3rb0M=";
    };
    buildInputs = [ pkgs.hugo ];
    buildPhase = ''
--- a/m/weasel/configuration.nix
+++ b/m/weasel/configuration.nix
@@ -25,7 +25,7 @@
      address = "10.0.40.6";
      prefixLength = 24;
    } ];
-    interfaces.ibs785.ipv4.addresses = [ {
+    interfaces.ibp5s0.ipv4.addresses = [ {
      address = "10.0.42.6";
      prefixLength = 24;
    } ];
--- a/overlay.nix
+++ b/overlay.nix
@@ -39,16 +39,9 @@ let
    nanos6Debug = final.nanos6.override { enableDebug = true; };
    nixtools = callPackage ./pkgs/nixtools/default.nix { };
    nixgen = callPackage ./pkgs/nixgen/default.nix { };
-    nix-portable = callPackage ./pkgs/nix-portable/default.nix {
-      busybox = final.pkgsStatic.busybox;
-      bwrap = final.pkgsStatic.bubblewrap;
-      gnutar = final.pkgsStatic.gnutar;
-      perl = final.pkgsBuildBuild.perl;
-      xz = final.pkgsStatic.xz;
-      zstd = final.pkgsStatic.zstd;
-      bashInteractive = final.pkgsStatic.bashInteractive;
-    };
-    nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
+    # Broken because of pkgsStatic.libcap
+    # See: https://github.com/NixOS/nixpkgs/pull/268791
+    #nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
    nodes = callPackage ./pkgs/nodes/default.nix { };
    nosv = callPackage ./pkgs/nosv/default.nix { };
    openmp = callPackage ./pkgs/llvm-ompss2/openmp.nix { monorepoSrc = final.clangOmpss2Unwrapped.src; version = final.clangOmpss2Unwrapped.version; };
@@ -56,6 +49,7 @@ let
    osumb = callPackage ./pkgs/osu/default.nix { };
    ovni = callPackage ./pkgs/ovni/default.nix { };
    ovniGit = final.ovni.override { useGit = true; };
+    papi = callPackage ./pkgs/papi/default.nix { papi = prev.papi; };
    paraverKernel = callPackage ./pkgs/paraver/kernel.nix { };
    prometheus-slurm-exporter = prev.callPackage ./pkgs/slurm-exporter/default.nix { };
    #pscom = callPackage ./pkgs/parastation/pscom.nix { }; # Unmaintaned
@@ -69,16 +63,6 @@ let
    tagaspi = callPackage ./pkgs/tagaspi/default.nix { };
    tampi = callPackage ./pkgs/tampi/default.nix { };
    upc-qaire-exporter = prev.callPackage ./pkgs/upc-qaire-exporter/default.nix { };
-    upx = prev.upx.overrideAttrs {
-      version = "5.1.0";
-      src = final.fetchFromGitHub {
-        owner = "upx";
-        repo = "upx";
-        tag = "v5.1.0";
-        fetchSubmodules = true;
-        hash = "sha256-FQtDHsbZ/JrgRLwc2Wd2F5ZcBdqrU0YIT9hGQ0k0D+w=";
-      };
-    };
    wxparaver = callPackage ./pkgs/paraver/default.nix { };
  };

--- a/pkgs/amd-uprof/default.nix
+++ b/pkgs/amd-uprof/default.nix
@@ -1,6 +1,8 @@
 { stdenv
 , lib
-, fetchurl
+, curl
+, cacert
+, runCommandLocal
 , autoPatchelfHook
 , elfutils
 , glib
@@ -24,23 +26,28 @@ let
  tarball = "AMDuProf_Linux_x64_${version}.tar.bz2";

  # NOTE: Remember to update the radare2 patch below if AMDuProfPcm changes.
-  src = fetchurl {
-    url = "https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}";
-    sha256 = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
-    curlOptsList = [
-      "-H" "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0"
-      "-H" "'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'"
-      "-H" "Accept-Language: en-US,en;q=0.5"
-      "-H" "Accept-Encoding: gzip, deflate, br, zstd"
-      "-H" "Referer: https://www.amd.com/"
-    ];
-  };
+  uprofSrc = runCommandLocal tarball {
+    nativeBuildInputs = [ curl ];
+    outputHash = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
+    SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt";
+  } ''
+    curl \
+    -o $out \
+    'https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}' \
+    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0' \
+    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
+    -H 'Accept-Language: en-US,en;q=0.5' \
+    -H 'Accept-Encoding: gzip, deflate, br, zstd' \
+    -H 'Referer: https://www.amd.com/' 2>&1 | tr '\r' '\n'
+  '';

 in
  stdenv.mkDerivation {
    pname = "AMD-uProf";
-    inherit src version;
+    inherit version;
+    src = uprofSrc;
    dontStrip = true;
+    strictDeps = true;
    phases = [ "installPhase" "fixupPhase" ];
    nativeBuildInputs = [ autoPatchelfHook radare2 ];
    buildInputs = [
--- a/pkgs/amd-uprof/driver.nix
+++ b/pkgs/amd-uprof/driver.nix
@@ -18,6 +18,7 @@ in stdenv.mkDerivation {
    set +x
  '';
  hardeningDisable = [ "pic" "format" ];
+  strictDeps = true;
  nativeBuildInputs = kernel.moduleBuildDependencies;
  patches = [ ./makefile.patch ./hrtimer.patch ./remove-wr-rdmsrq.patch ];
  makeFlags = [
--- a/pkgs/bench6/default.nix
+++ b/pkgs/bench6/default.nix
@@ -59,6 +59,7 @@ stdenv.mkDerivation rec {
  ];
  hardeningDisable = [ "all" ];
  dontStrip = true;
+  strictDeps = true;

  meta = {
    homepage = "https://gitlab.pm.bsc.es/rarias/bench6";
--- a/pkgs/bigotes/default.nix
+++ b/pkgs/bigotes/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation {
  };
  nativeBuildInputs = [ cmake ];

+  strictDeps = true;
+
  meta = {
    homepage = "https://github.com/rodarima/bigotes";
    description = "Versatile benchmark tool";
--- a/pkgs/cudainfo/default.nix
+++ b/pkgs/cudainfo/default.nix
@@ -10,11 +10,14 @@
 stdenv.mkDerivation (finalAttrs: {
  name = "cudainfo";
  src = ./.;
-  buildInputs = [
+  strictDeps = true;
+  nativeBuildInputs = [
    cudatoolkit # Required for nvcc
-    (lib.getOutput "static" cudaPackages.cuda_cudart) # Required for -lcudart_static
    autoAddDriverRunpath
  ];
+  buildInputs = [
+    (lib.getOutput "static" cudaPackages.cuda_cudart) # Required for -lcudart_static
+  ];
  installPhase = ''
    mkdir -p $out/bin
    cp -a cudainfo $out/bin
@@ -23,6 +26,7 @@ stdenv.mkDerivation (finalAttrs: {
    name = "cudainfo-test";
    requiredSystemFeatures = [ "cuda" ];
    dontBuild = true;
+    strictDeps = true;
    nativeCheckInputs = [
      finalAttrs.finalPackage # The cudainfo package from above
      strace # When it fails, it will show the trace
--- a/pkgs/extrae/default.nix
+++ b/pkgs/extrae/default.nix
@@ -20,7 +20,7 @@
 #, python3Packages
 , installShellFiles
 , symlinkJoin
-, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
+, enablePapi ? true
 }:

 let
--- a/pkgs/gpi-2/default.nix
+++ b/pkgs/gpi-2/default.nix
@@ -33,6 +33,7 @@ stdenv.mkDerivation rec {
  };

  enableParallelBuilding = true;
+  strictDeps = true;

  patches = [ ./rdma-core.patch ./max-mem.patch ];

--- a/pkgs/intel-oneapi/2023.nix
+++ b/pkgs/intel-oneapi/2023.nix
@@ -128,6 +128,7 @@ let

    phases = [ "installPhase" "fixupPhase" ];
    dontStrip = true;
+    strictDeps = true;
    installPhase = ''
      mkdir -p $out/{bin,etc,lib,include}
      mkdir -p $out/share/man
@@ -179,6 +180,7 @@ let
    ];
    phases = [ "installPhase" "fixupPhase" ];
    dontStrip = true;
+    strictDeps = true;

    autoPatchelfIgnoreMissingDeps = [ "libhwloc.so.5" ];

@@ -222,6 +224,7 @@ let
    ];
    phases = [ "installPhase" "fixupPhase" ];
    dontStrip = true;
+    strictDeps = true;

    autoPatchelfIgnoreMissingDeps = [ "libsycl.so.6" ];

@@ -289,6 +292,7 @@ let
    phases = [ "installPhase" "fixupPhase" ];

    dontStrip = true;
+    strictDeps = true;

    installPhase = ''
      mkdir -p $out/{bin,lib,include}
@@ -377,6 +381,7 @@ let
    phases = [ "installPhase" "fixupPhase" ];

    dontStrip = true;
+    strictDeps = true;

    installPhase = ''
      mkdir -p $out/{bin,lib}
--- a/pkgs/llvm-ompss2/clang.nix
+++ b/pkgs/llvm-ompss2/clang.nix
@@ -48,6 +48,7 @@ in stdenv.mkDerivation {
  inherit (source) src version;

  enableParallelBuilding = true;
+  strictDeps = true;

  passthru = {
    CC = "clang";
--- a/pkgs/llvm-ompss2/openmp.nix
+++ b/pkgs/llvm-ompss2/openmp.nix
@@ -39,7 +39,9 @@ stdenv.mkDerivation rec {
    perl
    pkg-config
    python3
-  ] ++ lib.optionals enableNosv [
+  ];
+
+  buildInputs = lib.optionals enableNosv [
    nosv
  ] ++ lib.optionals enableOvni [
    ovni
@@ -54,6 +56,7 @@ stdenv.mkDerivation rec {
  dontStrip = enableDebug;

  separateDebugInfo = true;
+  strictDeps = true;

  cmakeFlags = [
    "-DLIBOMP_OMPD_SUPPORT=OFF"
@@ -71,6 +74,28 @@ stdenv.mkDerivation rec {
    rm -f $out/libllvmrt/libomp.*
  '';

+  doInstallCheck = true;
+  # There are not cmake flags to force nOS-V, it enables it when found through
+  # pkg-config. If enableNosv is set, but we fail to find it at build time,
+  # the build will succeed but won't use nOS-V (libompv won't be created).
+  # This is a sanity check to ensure that after install we have the proper
+  # files.
+  installCheckPhase =
+    if enableNosv then
+      ''
+        test -f $out/lib/libompv.so
+        test -f $out/libllvmrt/libompv.so
+        test ! -f $out/lib/libomp.so
+        test ! -f $out/libllvmrt/libomp.so
+      ''
+    else
+      ''
+        test -f $out/lib/libomp.so
+        test -f $out/libllvmrt/libomp.so
+        test ! -f $out/lib/libompv.so
+        test ! -f $out/libllvmrt/libompv.so
+      '';
+
  passthru = {
    inherit nosv;
  };
--- a/pkgs/lmbench/default.nix
+++ b/pkgs/lmbench/default.nix
@@ -27,6 +27,7 @@ stdenv.mkDerivation rec {
  hardeningDisable = [ "all" ];

  enableParallelBuilding = false;
+  strictDeps = true;

  preBuild = ''
    makeFlagsArray+=(
--- a/pkgs/meteocat-exporter/default.nix
+++ b/pkgs/meteocat-exporter/default.nix
@@ -9,6 +9,7 @@ python3Packages.buildPythonApplication {
  src = ./.;

  doCheck = false;
+  strictDeps = true;

  build-system = with python3Packages; [
    setuptools
--- a/pkgs/mpich/default.nix
+++ b/pkgs/mpich/default.nix
@@ -53,6 +53,7 @@ in mpich.overrideAttrs (old: {
  '';

  hardeningDisable = [ "all" ];
+  strictDeps = true;

  meta = old.meta // {
    maintainers = old.meta.maintainers ++ (with lib.maintainers.bsc; [ rarias ]);
--- a/pkgs/nanos6/check-papi-version-with-pkgconfig.patch
+++ b/pkgs/nanos6/check-papi-version-with-pkgconfig.patch
@@ -0,0 +1,67 @@
+diff --git a/m4/papi.m4 b/m4/papi.m4
+--- a/m4/papi.m4
+++ b/m4/papi.m4
+@@ -24,12 +24,13 @@ AC_DEFUN([AC_CHECK_PAPI],
+ 		else
+ 			PKG_CHECK_MODULES(
+ 				[papi],
+-				[papi],
+				[papi >= 5.6.0],
+ 				[
+ 					AC_MSG_CHECKING([the PAPI installation prefix])
+ 					AC_MSG_RESULT([retrieved from pkg-config])
+ 					papi_CPPFLAGS="${papi_CFLAGS}"
+ 					ac_use_papi=yes
+					ac_papi_version_correct=yes
+ 				], [
+ 					AC_MSG_CHECKING([the PAPI installation prefix])
+ 					AC_MSG_RESULT([not available])
+@@ -67,27 +68,29 @@ AC_DEFUN([AC_CHECK_PAPI],
+ 		fi
+ 
+ 		if test x"${ac_use_papi}" = x"yes" ; then
+-			if test x"${ac_cv_use_papi_prefix}" != x"" ; then
+-				papiBinary=${ac_cv_use_papi_prefix}/bin/papi_version
+-			else
+-				papiBinary=papi_version
+-			fi
+-			papiVersion=`$papiBinary | sed 's/[[^0-9.]]*\([[0-9.]]*\).*/\1/'`
+			if test x"${ac_papi_version_correct}" != x"yes" ; then
+				if test x"${ac_cv_use_papi_prefix}" != x"" ; then
+					papiBinary=${ac_cv_use_papi_prefix}/bin/papi_version
+				else
+					papiBinary=papi_version
+				fi
+				papiVersion=`$papiBinary | sed 's/[[^0-9.]]*\([[0-9.]]*\).*/\1/'`
+ 
+-			AX_COMPARE_VERSION(
+-				[[${papiVersion}]],
+-				[[ge]],
+-				[[5.6.0]],
+-				[[ac_papi_version_correct=yes]],
+-				[[ac_papi_version_correct=no]]
+-			)
+				AX_COMPARE_VERSION(
+					[[${papiVersion}]],
+					[[ge]],
+					[[5.6.0]],
+					[[ac_papi_version_correct=yes]],
+					[[ac_papi_version_correct=no]]
+				)
+ 
+-			if test x"${ac_papi_version_correct}" != x"yes" ; then
+-				AC_MSG_ERROR([PAPI version must be >= 5.6.0.])
+-				ac_use_papi=no
+-			else
+-				AC_MSG_CHECKING([if the PAPI version >= 5.6.0.])
+-				AC_MSG_RESULT([${ac_papi_version_correct}])
+				if test x"${ac_papi_version_correct}" != x"yes" ; then
+					AC_MSG_ERROR([PAPI version must be >= 5.6.0.])
+					ac_use_papi=no
+				else
+					AC_MSG_CHECKING([if the PAPI version >= 5.6.0.])
+					AC_MSG_RESULT([${ac_papi_version_correct}])
+				fi
+ 			fi
+ 		fi
+ 
--- a/pkgs/nanos6/default.nix
+++ b/pkgs/nanos6/default.nix
@@ -16,7 +16,7 @@
 , jemallocNanos6 ? null
 , cachelineBytes ? 64
 , enableGlibcxxDebug ? false
-, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
+, enablePapi ? true
 , useGit ? false
 , gitUrl ? "ssh://git@bscpm04.bsc.es/nanos6/nanos6"
 , gitBranch ? "master"
@@ -95,16 +95,15 @@ in
    dontStrip = enableDebug;
    separateDebugInfo = true;

+    strictDeps = true;
+    patches = [ ./check-papi-version-with-pkgconfig.patch ];
+
    nativeBuildInputs = [
      autoconf
      automake
      libtool
      pkg-config
-
-      # TODO: papi_version is needed for configure:
-      # ./configure: line 27378: papi_version: command not found
-      # This probably breaks cross-compilation
-    ] ++ lib.optionals enablePapi [ papi ];
+    ];

    buildInputs = [
      boost
--- a/pkgs/nanos6/jemalloc.nix
+++ b/pkgs/nanos6/jemalloc.nix
@@ -5,7 +5,6 @@ jemalloc.overrideAttrs (old: {
    "--with-jemalloc-prefix=nanos6_je_"
    "--enable-stats"
  ];
-  enableParallelBuilding = true;
  hardeningDisable = [ "all" ];
  meta = old.meta // {
    description = old.meta.description + " (for Nanos6)";
--- a/pkgs/nix-portable/default.nix
+++ b/pkgs/nix-portable/default.nix
@@ -1,645 +0,0 @@
-with builtins;
-{
-  bwrap,
-  nix,
-  unzip,
-  zip,
-  unixtools,
-  stdenv,
-  buildPackages,
-  upx,
-
-  bootstrapPrograms ? [
-    "gitMinimal"
-    "netcat-openbsd"
-    "openssh"
-    "bashInteractive"
-  ],
-
-  busybox,
-  cacert ? pkgs.cacert,
-  compression ? "zstd -19 -T0",
-  gnutar ? pkgs.pkgsStatic.gnutar,
-  lib ? pkgs.lib,
-  perl ? pkgs.perl,
-  pkgs ? import <nixpkgs> {},
-  xz ? pkgs.pkgsStatic.xz,
-  zstd ? pkgs.pkgsStatic.zstd,
-  nixStatic,
-  # hardcode executable to run. Useful when creating a bundle.
-  bundledPackage ? null,
-  ...
-}@inp:
-with lib;
-let
-
-  pname =
-    if bundledPackage == null
-    then "nix-portable"
-    else lib.getName bundledPackage;
-
-  bundledExe = lib.getExe bundledPackage;
-
-  nixpkgsSrc = pkgs.path;
-
-  maketar = targets:
-    let
-      closureInfo = buildPackages.closureInfo { rootPaths = targets; };
-    in
-    stdenv.mkDerivation {
-      name = "nix-portable-store-tarball";
-      nativeBuildInputs = [ perl pkgs.zstd ];
-      exportReferencesGraph = map (x: [("closure-" + baseNameOf x) x]) targets;
-      buildCommand = ''
-        storePaths=$(cat ${closureInfo}/store-paths)
-        mkdir $out
-        echo $storePaths > $out/index
-        cp -r ${closureInfo} $out/closureInfo
-
-        tar -cf - \
-          --owner=0 --group=0 --mode=u+rw,uga+r \
-          --hard-dereference \
-          $storePaths | ${compression} > $out/tar
-      '';
-    };
-
-  packStaticBin = binPath: let
-      binName = (last (splitString "/" binPath)); in
-    pkgs.runCommand
-    binName
-    { nativeBuildInputs = [ upx ]; }
-    ''
-      mkdir -p $out/bin
-      theBinPath=${binPath}
-
-      if [[ -L "$theBinPath" ]]; then
-        theBinPath=$(readlink -f "$theBinPath")
-      fi
-
-      upx -9 -o $out/bin/${binName} $theBinPath
-    '';
-
-  installBin = pkg: bin: ''
-    unzip -qqoj "\$self" ${ lib.removePrefix "/" "${pkg}/bin/${bin}"} -d \$dir/bin
-    chmod +wx \$dir/bin/${bin};
-  '';
-
-  installDynamic = pkgname: let
-    out = pkgs.${pkgname}.out;
-  in ''
-    if [ ! -e \$store${lib.removePrefix "/nix/store" pkgs.${pkgname}.out} ] ; then
-      debug "Installing ${pkgname}"
-      \$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix build --impure --no-link --expr "
-        (import ${nixpkgsSrc} {}).${pkgname}.out
-      "
-    else
-      debug "${pkgname} already installed"
-    fi
-
-    export PATH="${out}/bin:\$PATH"
-  '';
-
-  caBundleZstd = pkgs.runCommand "cacerts" {
-    nativeBuildInputs = [ pkgs.zstd ];
-  } "cat ${cacert}/etc/ssl/certs/ca-bundle.crt | zstd -19 > $out";
-
-  bwrap = packStaticBin "${inp.bwrap}/bin/bwrap";
-  nixStatic = packStaticBin "${inp.nixStatic}/bin/nix";
-  zstd = packStaticBin "${inp.zstd}/bin/zstd";
-
-  # the default nix store contents to extract when first used
-  storeTar = maketar ([ cacert nix nixpkgsSrc ] ++ lib.optional (bundledPackage != null) bundledPackage);
-
-
-  # The runtime script which unpacks the necessary files to $HOME/.nix-portable
-  # and then executes nix via bwrap
-  # Some shell expressions will be evaluated at build time and some at run time.
-  # Variables/expressions escaped via `\$` will be evaluated at run time
-  runtimeScript = ''
-    #!/usr/bin/env bash
-
-    set -eo pipefail
-
-    start=\$(date +%s%N)  # start time in nanoseconds
-
-    # dump environment on exit if debug is enabled
-    if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
-      trap "declare -p > \''${TMPDIR:-/tmp}/np_env" EXIT
-    fi
-
-    set -e
-    if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 2 ]; then
-      set -x
-    fi
-
-    # &3 is our error out which we either forward to &2 or to /dev/null
-    # depending on the setting
-    if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
-      debug(){
-        echo \$@ || true
-      }
-      exec 3>&2
-    else
-      debug(){
-        true
-      }
-      exec 3>/dev/null
-    fi
-
-    # to reference this script's file
-    self="\$(realpath \''${BASH_SOURCE[0]})"
-
-    # fingerprint will be inserted by builder
-    fingerprint="_FINGERPRINT_PLACEHOLDER_"
-
-    # user specified location for program files and nix store
-    [ -z "\$NP_LOCATION" ] && NP_LOCATION="\$HOME"
-    NP_LOCATION="\$(readlink -f "\$NP_LOCATION")"
-    dir="\$NP_LOCATION/.nix-portable"
-
-    # Create NP_LOCATION and remove sgid bit
-    mkdir -p \$dir
-    if [ ! -z "\$BSC_MACHINE" ]; then
-      # Attempt to avoid issues with sgid folders
-      chmod g-s \$dir
-      chgrp bsc \$dir
-    fi
-
-    store="\$dir/nix/store"
-    # create /nix/var/nix to prevent nix from falling back to chroot store.
-    mkdir -p \$dir/{bin,nix/var/nix,nix/store}
-
-    # create minimal drv file for nix to spawn a nix shell
-    echo 'builtins.derivation {name="foo"; builder="/bin/sh"; args = ["-c" "echo hello \> \\\$out"]; system=builtins.currentSystem;}' > "\$dir/mini-drv.nix"
-
-    # the fingerprint being present inside a file indicates that
-    # this version of nix-portable has already been initialized
-    if test -e \$dir/conf/fingerprint && [ "\$(cat \$dir/conf/fingerprint)" == "\$fingerprint" ]; then
-      newNPVersion=false
-    else
-      newNPVersion=true
-    fi
-
-    # Nix portable ships its own nix.conf
-    export NIX_CONF_DIR=\$dir/conf/
-
-    NP_CONF_SANDBOX=\''${NP_CONF_SANDBOX:-false}
-    NP_CONF_STORE=\''${NP_CONF_STORE:-auto}
-
-
-    recreate_nix_conf(){
-      mkdir -p "\$NIX_CONF_DIR"
-      rm -f "\$NIX_CONF_DIR/nix.conf"
-
-      # static config
-      echo "build-users-group = " >> \$dir/conf/nix.conf
-      echo "experimental-features = nix-command flakes" >> \$dir/conf/nix.conf
-      echo "ignored-acls = security.selinux system.nfs4_acl" >> \$dir/conf/nix.conf
-      echo "sandbox-paths = /bin/sh=\$dir/busybox/bin/busybox" >> \$dir/conf/nix.conf
-      echo "extra-substituters = https://jungle.bsc.es/cache">> \$dir/conf/nix.conf
-      echo "extra-trusted-public-keys = jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" >> \$dir/conf/nix.conf
-
-      echo "extra-system-features = sys-devices" >> \$dir/conf/nix.conf
-      echo "extra-sandbox-paths = /sys/devices/system/cpu=/sys/devices/system/cpu /sys/devices/system/node=/sys/devices/system/node" >> \$dir/conf/nix.conf
-      echo "extra-trusted-users = @bsc" >> \$dir/conf/nix.conf
-
-
-      # configurable config
-      echo "sandbox = \$NP_CONF_SANDBOX" >> \$dir/conf/nix.conf
-      echo "store = \$NP_CONF_STORE" >> \$dir/conf/nix.conf
-    }
-
-
-    ### install files
-
-    PATH_OLD="\$PATH"
-
-    # as soon as busybox is unpacked, restrict PATH to busybox to ensure reproducibility of this script
-    # only unpack binaries if necessary
-    if [ "\$newNPVersion" == "false" ]; then
-
-      debug "binaries already installed"
-      # our busybox does not run on termux, therefore we suffix the PATH only on termux
-      export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
-
-    else
-
-      debug "installing files"
-
-      mkdir -p \$dir/emptyroot
-
-      # install busybox
-      mkdir -p \$dir/busybox/bin
-      (base64 -d> "\$dir/busybox/bin/busybox" && chmod +x "\$dir/busybox/bin/busybox") << END
-    $(cat ${busybox}/bin/busybox | base64)
-    END
-      busyBins="${toString (attrNames (filterAttrs (d: type: type == "symlink") (readDir "${inp.busybox}/bin")))}"
-      for bin in \$busyBins; do
-        [ ! -e "\$dir/busybox/bin/\$bin" ] && ln -s busybox "\$dir/busybox/bin/\$bin"
-      done
-
-      # our busybox does not run on termux, therefore we suffix the PATH only on termux
-      export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
-
-      # install other binaries
-      ${installBin zstd "zstd"}
-      ${installBin bwrap "bwrap"}
-      ${installBin nixStatic "nix"}
-
-      # install ssl cert bundle
-      unzip -poj "\$self" ${ lib.removePrefix "/" "${caBundleZstd}"} | \$dir/bin/zstd -d > \$dir/ca-bundle.crt
-
-      recreate_nix_conf
-    fi
-
-    # Override $SHELL with nix bashInteractive
-    export SHELL="${pkgs.bashInteractive.out}/bin/bash"
-    export PS1="\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
-
-    # unset bash function aliases
-    unset -f which ml module
-
-    ### setup SSL
-    # find ssl certs or use from nixpkgs
-    debug "figuring out ssl certs"
-    if [ -z "\$SSL_CERT_FILE" ]; then
-      debug "SSL_CERT_FILE not defined. trying to find certs automatically"
-      if [ -e /etc/ssl/certs/ca-bundle.crt ]; then
-        export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-bundle.crt)
-        debug "found /etc/ssl/certs/ca-bundle.crt with real path \$SSL_CERT_FILE"
-      elif [ -e /etc/ssl/certs/ca-certificates.crt ]; then
-        export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-certificates.crt)
-        debug "found /etc/ssl/certs/ca-certificates.crt with real path \$SSL_CERT_FILE"
-      elif [ ! -e /etc/ssl/certs ]; then
-        debug "/etc/ssl/certs does not exist. Will use certs from nixpkgs."
-        export SSL_CERT_FILE=\$dir/ca-bundle.crt
-      else
-        debug "certs seem to reside in /etc/ssl/certs. No need to set up anything"
-      fi
-    fi
-    if [ -n "\$SSL_CERT_FILE" ]; then
-      sslBind="\$(realpath \$SSL_CERT_FILE) \$dir/ca-bundle.crt"
-      export SSL_CERT_FILE="\$dir/ca-bundle.crt"
-    else
-      sslBind="/etc/ssl /etc/ssl"
-    fi
-
-    if [ -n "\$NP_GIT" ]; then
-      echo "WARN: NP_GIT is not supported, using nix version instead"
-    fi
-
-
-
-    storePathOfFile(){
-      file=\$(realpath \$1)
-      sPath="\$(echo \$file | awk -F "/" 'BEGIN{OFS="/";}{print \$2,\$3,\$4}')"
-      echo "/\$sPath"
-    }
-
-
-    collectBinds(){
-      pathsTopLevel="/boot /run /sys \$PWD /gpfs /tmp /scratch"
-
-      toBind=""
-      for p in \$pathsTopLevel; do
-        if [ -e "\$p" ]; then
-          real=\$(realpath \$p)
-          if [ -e "\$real" ]; then
-            if [[ "\$real" == /nix/store/* ]]; then
-              storePath=\$(storePathOfFile \$real)
-              toBind="\$toBind \$storePath \$storePath"
-            else
-              toBind="\$toBind \$real \$p"
-            fi
-          fi
-        fi
-      done
-
-
-      # TODO: add /var/run/dbus/system_bus_socket
-      paths="/etc/host.conf /etc/hosts /etc/hosts.equiv /etc/mtab /etc/netgroup /etc/networks /etc/passwd /etc/group /etc/nsswitch.conf /etc/resolv.conf /etc/localtime \$HOME"
-
-      for p in \$paths; do
-        if [ -e "\$p" ]; then
-          real=\$(realpath \$p)
-          if [ -e "\$real" ]; then
-            if [[ "\$real" == /nix/store/* ]]; then
-              storePath=\$(storePathOfFile \$real)
-              toBind="\$toBind \$storePath \$storePath"
-            else
-              toBind="\$toBind \$real \$real"
-            fi
-          fi
-        fi
-      done
-
-      # provide /bin/sh via the shipped busybox
-      toBind="\$toBind \$dir/busybox/bin/busybox /bin/sh"
-      toBind="\$toBind \$dir/busybox/bin/busybox /usr/bin/env"
-
-      # on termux, make sure termux packages still work inside the nix-portable environment
-      if [ -n "\$TERMUX_VERSION" ]; then
-        # binds required so termux native packages still run inside the nix-portable sandbox
-        # TODO: this doesn't quite work yet. debug and fix
-        toBind="\$toBind /system/lib64/libc.so /system/lib64/libc.so"
-        toBind="\$toBind /system/lib64/ld-android.so /system/lib64/ld-android.so"
-        toBind="\$toBind /system/lib64/libdl.so /system/lib64/libdl.so"
-        toBind="\$toBind /system/bin /system/bin"
-        toBind="\$toBind /system/lib64 /system/lib64"
-        toBind="\$toBind /apex/com.android.runtime/bin /apex/com.android.runtime/bin"
-        toBind="\$toBind /linkerconfig/ld.config.txt /linkerconfig/ld.config.txt"
-        toBind="\$toBind \$dir/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt"
-        toBind="\$toBind \$(realpath \$HOME/../usr/etc/resolv.conf) /etc/resolv.conf"
-      fi
-
-    }
-
-
-    makeBindArgs(){
-      arg=\$1; shift
-      sep=\$1; shift
-      binds=""
-      while :; do
-        if [ -n "\$1" ]; then
-          from="\$1"; shift
-          to="\$1"; shift || { echo "no bind destination provided for \$from!"; exit 3; }
-          binds="\$binds \$arg \$from\$sep\$to";
-        else
-          break
-        fi
-      done
-    }
-
-
-
-    ### select container runtime
-    debug "figuring out which runtime to use"
-    [ -z "\$NP_BWRAP" ] && NP_BWRAP=\$dir/bin/bwrap
-    debug "bwrap executable: \$NP_BWRAP"
-    [ -z "\$NP_NIX" ] && NP_NIX=\$dir/bin/nix
-    debug "nix executable: \$NP_NIX"
-    debug "testing all available runtimes..."
-    if [ -z "\$NP_RUNTIME" ]; then
-      # read last automatic selected runtime from disk
-      if [ "\$newNPVersion" == "true" ]; then
-        debug "removing cached auto selected runtime"
-        rm -f "\$dir/conf/last_auto_runtime"
-      fi
-      if [ -f "\$dir/conf/last_auto_runtime" ]; then
-        last_auto_runtime="\$(cat "\$dir/conf/last_auto_runtime")"
-      else
-        last_auto_runtime=
-      fi
-      debug "last auto selected runtime: \$last_auto_runtime"
-      if [ "\$last_auto_runtime" != "" ]; then
-        NP_RUNTIME="\$last_auto_runtime"
-      # check if nix --store works
-      elif \\
-          debug "testing nix --store" \\
-          && mkdir -p \$dir/tmp/ \\
-          && touch \$dir/tmp/testfile \\
-          && "\$NP_NIX" --store "\$dir/tmp/__store" shell -f "\$dir/mini-drv.nix" -c "\$dir/bin/nix" store add-file --store "\$dir/tmp/__store" "\$dir/tmp/testfile" >/dev/null 2>&3; then
-        chmod -R +w \$dir/tmp/__store
-        rm -r \$dir/tmp/__store
-        debug "nix --store works on this system -> will use nix as runtime"
-        NP_RUNTIME=nix
-      # check if bwrap works properly
-      elif \\
-          debug "nix --store failed -> testing bwrap" \\
-          && \$NP_BWRAP --bind \$dir/emptyroot / --bind \$dir/ /nix --bind \$dir/busybox/bin/busybox "\$dir/true" "\$dir/true" 2>&3 ; then
-        debug "bwrap seems to work on this system -> will use bwrap"
-        NP_RUNTIME=bwrap
-      else
-        debug "bwrap doesn't work on this system -> will use proot"
-        NP_RUNTIME=proot
-      fi
-      echo -n "\$NP_RUNTIME" > "\$dir/conf/last_auto_runtime"
-    else
-      debug "runtime selected via NP_RUNTIME: \$NP_RUNTIME"
-    fi
-    debug "NP_RUNTIME: \$NP_RUNTIME"
-    if [ "\$NP_RUNTIME" == "nix" ]; then
-      run="\$NP_NIX shell -f \$dir/mini-drv.nix -c"
-      export PATH="\$PATH:\$store${lib.removePrefix "/nix/store" nix}/bin"
-      NP_CONF_STORE="\$dir"
-      recreate_nix_conf
-    elif [ "\$NP_RUNTIME" == "bwrap" ]; then
-      collectBinds
-      makeBindArgs --bind " " \$toBind \$sslBind
-      run="\$NP_BWRAP \$BWRAP_ARGS \\
-        --bind \$dir/emptyroot /\\
-        --dev-bind /dev /dev\\
-        --proc /proc\\
-        --bind \$dir/nix /nix\\
-        \$binds"
-        # --bind \$dir/busybox/bin/busybox /bin/sh\\
-    else
-      echo "\$NP_RUNTIME not available"
-      exit 1
-    fi
-    debug "base command will be: \$run"
-
-
-
-    ### setup environment
-    export NIX_PATH="\$dir/channels:nixpkgs=\$dir/channels/nixpkgs"
-    mkdir -p \$dir/channels
-    [ -h \$dir/channels/nixpkgs ] || ln -s ${nixpkgsSrc} \$dir/channels/nixpkgs
-
-
-    ### install nix store
-    # Install all the nix store paths necessary for the current nix-portable version
-    # We only unpack missing store paths from the tar archive.
-    index="$(cat ${storeTar}/index)"
-
-    export missing=\$(
-      for path in \$index; do
-        basepath=\$(basename \$path)
-        if [ ! -e \$store/\$basepath ]; then
-          echo "nix/store/\$basepath"
-        fi
-      done
-    )
-
-    if [ -n "\$missing" ]; then
-      debug "extracting missing store paths"
-      (
-        mkdir -p \$dir/tmp \$store/
-        rm -rf \$dir/tmp/*
-        cd \$dir/tmp
-        unzip -qqp "\$self" ${ lib.removePrefix "/" "${storeTar}/tar"} \
-          | \$dir/bin/zstd -d \
-          | tar -x \$missing --strip-components 2
-        mv \$dir/tmp/* \$store/
-      )
-      rm -rf \$dir/tmp
-    fi
-
-    if [ -n "\$missing" ]; then
-      debug "registering new store paths to DB"
-      reg="$(cat ${storeTar}/closureInfo/registration)"
-      cmd="\$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix-store --load-db"
-      debug "running command: \$cmd"
-      echo "\$reg" | \$cmd
-    fi
-
-
-    ### select executable
-    # the executable can either be selected by
-    # - executing './nix-portable BIN_NAME',
-    # - symlinking to nix-portable, in which case the name of the symlink selects the nix executable
-    # Alternatively the executable can be hardcoded by specifying the argument 'executable' of nix-portable's default.nix file.
-    executable="${if bundledPackage == null then "" else bundledExe}"
-    if [ "\$executable" != "" ]; then
-      bin="\$executable"
-      debug "executable is hardcoded to: \$bin"
-
-    elif [[ "\$(basename \$0)" == nix-portable* ]]; then\
-      if [ -z "\$1" ]; then
-        echo "Error: please specify the nix binary to execute"
-        echo "Alternatively symlink against \$0"
-        exit 1
-      elif [ "\$1" == "debug" ]; then
-        bin="\$(which \$2)"
-        shift; shift
-      else
-        bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$1"
-        shift
-      fi
-    # for binary selection via symlink
-    else
-      bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$(basename \$0)"
-    fi
-
-
-
-    ### check which runtime has been used previously
-    if [ -f "\$dir/conf/last_runtime" ]; then
-      lastRuntime=\$(cat "\$dir/conf/last_runtime")
-    else
-      lastRuntime=
-    fi
-
-
-
-    ### check if nix is functional with or without sandbox
-    # sandbox-fallback is not reliable: https://github.com/NixOS/nix/issues/4719
-    if [ "\$newNPVersion" == "true" ] || [ "\$lastRuntime" != "\$NP_RUNTIME" ]; then
-      nixBin="\$(dirname \$bin)/nix"
-      debug "Testing if nix can build stuff without sandbox"
-      if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox false >&3 2>&3; then
-        echo "Fatal error: nix is unable to build packages"
-        exit 1
-      fi
-
-      debug "Testing if nix sandbox is functional"
-      if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox true >&3 2>&3; then
-        debug "Sandbox doesn't work -> disabling sandbox"
-        NP_CONF_SANDBOX=false
-        recreate_nix_conf
-      else
-        debug "Sandboxed builds work -> enabling sandbox"
-        NP_CONF_SANDBOX=true
-        recreate_nix_conf
-      fi
-
-    fi
-
-
-    ### save fingerprint and lastRuntime
-    if [ "\$newNPVersion" == "true" ]; then
-      echo -n "\$fingerprint" > "\$dir/conf/fingerprint"
-    fi
-    if [ "\$lastRuntime" != \$NP_RUNTIME ]; then
-      echo -n \$NP_RUNTIME > "\$dir/conf/last_runtime"
-    fi
-
-
-
-    ### set PATH
-    export PATH="\$dir/busybox/bin"
-    export PATH="\$PATH:\$store${lib.removePrefix "/nix/store" nix}/bin"
-
-    ### install programs via nix
-    ${concatMapStringsSep "\n" installDynamic bootstrapPrograms}
-
-    ### print elapsed time
-    end=\$(date +%s%N)  # end time in nanoseconds
-    # time elapsed in millis with two decimal places
-
-    # print stats about initialization time of nix-portable
-    # skipt for termux, as it doesn't have bc installed
-    if [ -z "\$TERMUX_VERSION" ]; then
-      elapsed=\$(echo "scale=2; (\$end - \$start)/1000000" | bc)
-      debug "Time to initialize nix-portable: \$elapsed millis"
-    fi
-
-
-    ### run commands
-    [ -z "\$NP_RUN" ] && NP_RUN="\$run"
-    cmd="\$NP_RUN \$bin \$@"
-    debug "running command: \$cmd"
-    exec \$NP_RUN \$bin "\$@"
-    exit
-  '';
-
-  runtimeScriptEscaped = replaceStrings ["\""] ["\\\""] runtimeScript;
-
-  nixPortable = pkgs.runCommand pname {
-    nativeBuildInputs = [unixtools.xxd unzip pkgs.zip];
-
-    meta = {
-      homepage = "https://github.com/DavHau/nix-portable";
-      description = "Nix - Static, Permissionless, Installation-free, Pre-configured for mn5";
-      maintainers = with lib.maintainers.bsc; [ abonerib ];
-      platforms = lib.platforms.linux;
-      license = lib.licenses.mit;
-    };
-  } ''
-    mkdir -p $out/bin
-    echo "${runtimeScriptEscaped}" > $out/bin/nix-portable.zip
-    xxd $out/bin/nix-portable.zip | tail
-
-    sizeA=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
-    echo 504b 0304 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
-    echo 0000 0000 0000 0000 0000 0200 0000 4242 | xxd -r -p >> $out/bin/nix-portable.zip
-
-    sizeB=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
-    echo 504b 0102 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
-    echo 0000 0000 0000 0000 0000 0000 0200 0000 | xxd -r -p >> $out/bin/nix-portable.zip
-    echo 0000 0000 0000 0000 0000 $sizeA 4242 | xxd -r -p >> $out/bin/nix-portable.zip
-
-    echo 504b 0506 0000 0000 0000 0100 3000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
-    echo $sizeB 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
-
-    unzip -vl $out/bin/nix-portable.zip
-
-    zip="zip -0"
-    $zip $out/bin/nix-portable.zip ${bwrap}/bin/bwrap
-    $zip $out/bin/nix-portable.zip ${nixStatic}/bin/nix
-    $zip $out/bin/nix-portable.zip ${zstd}/bin/zstd
-    $zip $out/bin/nix-portable.zip ${storeTar}/tar
-    $zip $out/bin/nix-portable.zip ${caBundleZstd}
-
-    # create fingerprint
-    fp=$(sha256sum $out/bin/nix-portable.zip | cut -d " "  -f 1)
-    sed -i "s/_FINGERPRINT_PLACEHOLDER_/$fp/g" $out/bin/nix-portable.zip
-    # fix broken zip header due to manual modification
-    zip -F $out/bin/nix-portable.zip --out $out/bin/nix-portable-fixed.zip
-
-    rm $out/bin/nix-portable.zip
-    executable=${if bundledPackage == null then "" else bundledExe}
-    if [ "$executable" == "" ]; then
-      target="$out/bin/nix-portable"
-    else
-      target="$out/bin/$(basename "$executable")"
-    fi
-    mv $out/bin/nix-portable-fixed.zip "$target"
-    chmod +x "$target"
-  '';
-in
-nixPortable.overrideAttrs (prev: {
-  passthru = (prev.passthru or {}) // {
-    inherit bwrap;
-  };
-})
--- a/pkgs/nix-wrap/default.nix
+++ b/pkgs/nix-wrap/default.nix
@@ -14,7 +14,7 @@ let
  nixConfDir = "share";
  nix_wrap_sh = writeText "nix-wrap.sh" ''
    #!/usr/bin/env bash
-
+    #
    busybox_bin="${nixPrefix}${busybox}/bin"
    bubblewrap_bin="${nixPrefix}/${bubblewrap}/bin"

@@ -69,6 +69,7 @@ stdenv.mkDerivation rec {
  name = "nix-wrap";
  buildInputs = [
    bashInteractive
+    busybox
    nix
  ];
  src = null;
@@ -91,6 +92,7 @@ stdenv.mkDerivation rec {
    homepage = null;
    description = "nix bubblewrap wrapper";
    maintainers = [ ];
+    broken = true;
    platforms = lib.platforms.linux;
    license = lib.licenses.mit;
  };
--- a/pkgs/nixgen/default.nix
+++ b/pkgs/nixgen/default.nix
@@ -8,6 +8,7 @@ stdenv.mkDerivation {
  version = "0.0.1";
  src = ./nixgen;
  dontUnpack = true;
+  strictDeps = true;
  phases = [ "installPhase" ];
  installPhase = ''
    mkdir -p $out/bin
--- a/pkgs/nixtools/default.nix
+++ b/pkgs/nixtools/default.nix
@@ -16,6 +16,7 @@ stdenv.mkDerivation rec {
  makeFlags = [ "DESTDIR=$(out)" ];
  preBuild = "env";
  dontPatchShebangs = true;
+  strictDeps = true;

  meta = {
    homepage = "https://gitlab.pm.bsc.es/rarias/nixtools";
--- a/pkgs/nodes/default.nix
+++ b/pkgs/nodes/default.nix
@@ -48,6 +48,7 @@ in
    enableParallelBuilding = true;
    dontStrip = true;
    separateDebugInfo = true;
+    strictDeps = true;

    configureFlags = [
      "--with-nosv=${nosv}"
--- a/pkgs/nosv/check-papi-version-with-pkgconfig.patch
+++ b/pkgs/nosv/check-papi-version-with-pkgconfig.patch
@@ -0,0 +1,68 @@
+diff --git a/m4/papi.m4 b/m4/papi.m4
+index de905848..fa3db9a1 100644
+--- a/m4/papi.m4
+++ b/m4/papi.m4
+@@ -24,12 +24,13 @@ AC_DEFUN([AC_CHECK_PAPI],
+ 		else
+ 			PKG_CHECK_MODULES(
+ 				[papi],
+-				[papi],
+				[papi >= 5.6.0],
+ 				[
+ 					AC_MSG_CHECKING([the PAPI installation prefix])
+ 					AC_MSG_RESULT([retrieved from pkg-config])
+ 					papi_CFLAGS="${papi_CFLAGS}"
+ 					ac_use_papi=yes
+					ac_papi_version_correct=yes
+ 				], [
+ 					AC_MSG_CHECKING([the PAPI installation prefix])
+ 					AC_MSG_RESULT([not available])
+@@ -67,27 +68,29 @@ AC_DEFUN([AC_CHECK_PAPI],
+ 		fi
+ 
+ 		if test x"${ac_use_papi}" = x"yes" ; then
+-			if test x"${ac_cv_use_papi_prefix}" != x"" ; then
+-				papiBinary=${ac_cv_use_papi_prefix}/bin/papi_version
+-			else
+-				papiBinary=papi_version
+-			fi
+-			papiVersion=`$papiBinary | sed 's/[[^0-9.]]*\([[0-9.]]*\).*/\1/'`
+			if test x"${ac_papi_version_correct}" != x"yes" ; then
+				if test x"${ac_cv_use_papi_prefix}" != x"" ; then
+					papiBinary=${ac_cv_use_papi_prefix}/bin/papi_version
+				else
+					papiBinary=papi_version
+				fi
+				papiVersion=`$papiBinary | sed 's/[[^0-9.]]*\([[0-9.]]*\).*/\1/'`
+ 
+-			AX_COMPARE_VERSION(
+-				[[${papiVersion}]],
+-				[[ge]],
+-				[[5.6.0]],
+-				[[ac_papi_version_correct=yes]],
+-				[[ac_papi_version_correct=no]]
+-			)
+				AX_COMPARE_VERSION(
+					[[${papiVersion}]],
+					[[ge]],
+					[[5.6.0]],
+					[[ac_papi_version_correct=yes]],
+					[[ac_papi_version_correct=no]]
+				)
+ 
+-			if test x"${ac_papi_version_correct}" != x"yes" ; then
+-				AC_MSG_ERROR([PAPI version must be >= 5.6.0.])
+-				ac_use_papi=no
+-			else
+-				AC_MSG_CHECKING([if the PAPI version >= 5.6.0.])
+-				AC_MSG_RESULT([${ac_papi_version_correct}])
+				if test x"${ac_papi_version_correct}" != x"yes" ; then
+					AC_MSG_ERROR([PAPI version must be >= 5.6.0.])
+					ac_use_papi=no
+				else
+					AC_MSG_CHECKING([if the PAPI version >= 5.6.0.])
+					AC_MSG_RESULT([${ac_papi_version_correct}])
+				fi
+ 			fi
+ 		fi
+ 
--- a/pkgs/nosv/default.nix
+++ b/pkgs/nosv/default.nix
@@ -7,7 +7,7 @@
 , numactl
 , hwloc
 , papi
-, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
+, enablePapi ? true
 , cacheline ? 64 # bits
 , ovni ? null
 , useGit ? false
@@ -40,12 +40,14 @@ let

  source = if (useGit) then git else release;
 in
-  stdenv.mkDerivation rec {
+  stdenv.mkDerivation {
    pname = "nosv";
    inherit (source) src version;
    hardeningDisable = [ "all" ];
    dontStrip = true;
    separateDebugInfo = true;
+    strictDeps = true;
+    patches = [ ./check-papi-version-with-pkgconfig.patch ];
    configureFlags = [
      "--with-ovni=${ovni}"
      "CACHELINE_WIDTH=${toString cacheline}"
--- a/pkgs/osu/default.nix
+++ b/pkgs/osu/default.nix
@@ -24,6 +24,7 @@ stdenv.mkDerivation rec {

  doCheck = true;
  enableParallelBuilding = true;
+  strictDeps = true;
  nativeBuildInputs = [ mpiAll ];
  buildInputs = [ mpiAll ];
  hardeningDisable = [ "all" ];
--- a/pkgs/ovni/default.nix
+++ b/pkgs/ovni/default.nix
@@ -40,6 +40,7 @@ in
    inherit (source) src version;
    dontStrip = true;
    separateDebugInfo = true;
+    strictDeps = true;
    postPatch = ''
      patchShebangs --build test/
    '';
--- a/pkgs/papi/default.nix
+++ b/pkgs/papi/default.nix
@@ -0,0 +1,22 @@
+{
+  stdenv,
+  papi,
+}:
+
+if stdenv.hostPlatform == stdenv.buildPlatform then
+  papi
+else
+  papi.overrideAttrs (old: {
+    configureFlags = (old.configureFlags or [ ]) ++ [
+      "--enable-perf_event_uncore=no"
+      "--with-sysdetect=no"
+      "--with-ffsll"
+      "--with-tls=__thread"
+      "--with-virtualtimer=clock_thread_cputime_id"
+      "--with-walltimer=clock_realtime"
+      "--with-perf-events"
+      "--with-CPU=${stdenv.hostPlatform.uname.processor}"
+      "--with-arch=${stdenv.hostPlatform.uname.processor}"
+    ];
+    patches = (old.patches or [ ]) ++ [ ./fix-ar-cross.patch ];
+  })
--- a/pkgs/papi/fix-ar-cross.patch
+++ b/pkgs/papi/fix-ar-cross.patch
@@ -0,0 +1,19 @@
+diff --git a/sde_lib/Makefile b/sde_lib/Makefile
+index 8518f92..90a9953 100644
+--- a/sde_lib/Makefile
+++ b/sde_lib/Makefile
+@@ -1,4 +1,5 @@
+ CC ?= gcc
+AR ?= ar
+ SDE_INC = -I. -I..
+ SDE_LD = -ldl -pthread
+ CFLAGS += -Wextra -Wall -O2
+@@ -18,7 +19,7 @@ dynamic: $(DOBJS)
+ 	rm -f *_d.o
+ 
+ static: $(SOBJS)
+-	ar rs libsde.a $(SOBJS)
+	$(AR) rs libsde.a $(SOBJS)
+ 	rm -f *_s.o
+ 
+ clean:
--- a/pkgs/paraver/default.nix
+++ b/pkgs/paraver/default.nix
@@ -47,6 +47,7 @@ stdenv.mkDerivation rec {

  dontStrip = true;
  enableParallelBuilding = true;
+  strictDeps = true;

  preConfigure = ''
    export CFLAGS="-O3"
--- a/pkgs/paraver/kernel.nix
+++ b/pkgs/paraver/kernel.nix
@@ -34,6 +34,7 @@ stdenv.mkDerivation rec {
  enableParallelBuilding = true;

  dontStrip = true;
+  strictDeps = true;

  preConfigure = ''
    export CFLAGS="-O3 -DPARALLEL_ENABLED"
--- a/pkgs/slurm-exporter/default.nix
+++ b/pkgs/slurm-exporter/default.nix
@@ -13,6 +13,7 @@ buildGoModule rec {

  vendorHash = "sha256-A1dd9T9SIEHDCiVT2UwV6T02BSLh9ej6LC/2l54hgwI=";
  doCheck = false;
+  strictDeps = true;

  meta = with lib; {
    description = "Prometheus SLURM Exporter";
--- a/pkgs/sonar/default.nix
+++ b/pkgs/sonar/default.nix
@@ -18,6 +18,7 @@ stdenv.mkDerivation rec {
  };
  hardeningDisable = [ "all" ];
  dontStrip = true;
+  strictDeps = true;
  configureFlags = [ "--with-ovni=${ovni}" ];

  nativeBuildInputs = [
--- a/pkgs/tagaspi/default.nix
+++ b/pkgs/tagaspi/default.nix
@@ -17,6 +17,7 @@ stdenv.mkDerivation rec {
  pname = "tagaspi";
  enableParallelBuilding = true;
  separateDebugInfo = true;
+  strictDeps = true;

  version = "2.0";
  src = fetchFromGitHub {
--- a/pkgs/tampi/default.nix
+++ b/pkgs/tampi/default.nix
@@ -45,6 +45,7 @@ in stdenv.mkDerivation {
  inherit (source) src version;
  enableParallelBuilding = true;
  separateDebugInfo = true;
+  strictDeps = true;

  nativeBuildInputs = [
    autoconf
--- a/pkgs/upc-qaire-exporter/default.nix
+++ b/pkgs/upc-qaire-exporter/default.nix
@@ -9,6 +9,7 @@ python3Packages.buildPythonApplication {
  src = ./.;

  doCheck = false;
+  strictDeps = true;

  build-system = with python3Packages; [
    setuptools
--- a/test/compilers/clang-openmp-ld.nix
+++ b/test/compilers/clang-openmp-ld.nix
@@ -23,9 +23,6 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;

-  # nOS-V requires access to /sys/devices to request NUMA information
-  requiredSystemFeatures = [ "sys-devices" ];
-
  buildInputs = [ openmp ];

  buildPhase = ''
Author	SHA1	Message	Date
Aleix Boné	a0f2e2639b	Add install check for OpenMP{,-V}	2025-12-10 15:56:37 +01:00
Aleix Boné	bda1f10dd7	Fix openmp buildInputs	2025-12-10 15:56:37 +01:00
Aleix Boné	734b3f0450	Remove unused sys-devices requirement in ld test	2025-12-10 15:56:36 +01:00
Aleix Boné	109ec07800	Enable papi when cross-compiling	2025-12-10 15:56:36 +01:00
Aleix Boné	881a08dd37	Fix papi cross compilation	2025-12-10 15:56:36 +01:00
Aleix Boné	fad79643fa	Use pkg-config instead of papi_version_check	2025-12-10 15:56:36 +01:00
Aleix Boné	1e36c3b204	Fix cudainfo buildInputs	2025-12-10 15:56:33 +01:00
Aleix Boné	972518c2d8	Set strictDeps to true on all our packages	2025-12-10 15:56:33 +01:00
Aleix Boné	ee9af71da0	Remove conflicting definitions in amd-uprof-driver See: https://lkml.org/lkml/2025/4/9/1709	2025-12-10 14:34:53 +01:00
Aleix Boné	1d3bda33a0	Mark mcxx as broken and remove from package list	2025-12-03 10:15:17 +01:00
Aleix Boné	87bf095dae	Fix moved package linuxPackages.perf is now perf	2025-12-03 10:15:17 +01:00
Aleix Boné	2264e15102	Fix replaced nixseparatedebuginfod nixseparatedebuginfod has been replaced by nixseparatedebuginfod2	2025-12-03 10:15:17 +01:00
Aleix Boné	209f8a582e	Use standard gcc for intel packages This reverts `26f52aa27d`	2025-12-03 10:15:16 +01:00
Aleix Boné	1457d85f4c	Fix renamed option watchdog.runtimeTime The option 'systemd.watchdog.runtimeTime' has been renamed to 'systemd.settings.Manager.RuntimeWatchdogSec'.	2025-12-02 17:53:14 +01:00
Aleix Boné	ad812ea32d	Replace wrapGAppsHook with wrapGAppsHook3	2025-12-02 17:53:13 +01:00
Aleix Boné	5bc928c407	Fix changed cudaPackages.cuda_cudart output See: https://github.com/NixOS/nixpkgs/pull/437723	2025-12-02 17:53:13 +01:00
Aleix Boné	eb9358abab	Set pyproject=true in buildPythonApplication The buildPythonPackage and buildPythonApplication functions now require an explicit format attribute. Previously the default format used setuptools and called setup.py from the source tree, which is deprecated. The modern alternative is to configure pyproject = true with build-system = [ setuptools ].	2025-12-02 17:53:13 +01:00
Aleix Boné	d2025d35d9	Fix renamed llvm bintools Moved from llvmPackages_latest.tools.bintools to llvmPackages_latest.bintools	2025-12-02 17:53:13 +01:00
Aleix Boné	6e089344da	Upgrade nixpkgs to 25.11	2025-12-02 17:53:13 +01:00