gusb: fixed build, updated to 0.2.4

(cherry picked from commit 0ca664e996)

.version

@@ -1 +1 @@
-14.11
+14.12

README.md

@@ -1,10 +1,10 @@
-Nixpkgs is a collection of packages for [Nix](http://nixos.org/nix/) package
-manager. Nixpkgs also includes [NixOS](http://nixos.org/nixos/) linux distribution source code.
+Nixpkgs is a collection of packages for [Nix](https://nixos.org/nix/) package
+manager. Nixpkgs also includes [NixOS](https://nixos.org/nixos/) linux distribution source code.
 
-* [NixOS installation instructions](http://nixos.org/nixos/manual/#ch-installation)
-* [Manual (How to write packages for Nix)](http://nixos.org/nixpkgs/manual/)
-* [Manual (NixOS)](http://nixos.org/nixos/manual/)
-* [Continuous build](http://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Tests](http://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Mailing list](http://lists.science.uu.nl/mailman/listinfo/nix-dev)
+* [NixOS installation instructions](https://nixos.org/nixos/manual/#ch-installation)
+* [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
+* [Manual (NixOS)](https://nixos.org/nixos/manual/)
+* [Continuous build](https://hydra.nixos.org/jobset/nixos/trunk-combined)
+* [Tests](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
+* [Mailing list](https://lists.science.uu.nl/mailman/listinfo/nix-dev)
 * [IRC - #nixos on freenode.net](irc://irc.freenode.net/#nixos)

default.nix

@@ -1,6 +1,6 @@
 if ! builtins ? nixVersion || builtins.compareVersions "1.7" builtins.nixVersion == 1 then
 
-  abort "This version of Nixpkgs requires Nix >= 1.7, please upgrade!"
+  abort "This version of Nixpkgs requires Nix >= 1.7, please upgrade! See https://nixos.org/wiki/How_to_update_when_nix_is_too_old_to_evaluate_nixpkgs"
 
 else
 

lib/attrsets.nix

@@ -222,6 +222,16 @@ rec {
   isDerivation = x: isAttrs x && x ? type && x.type == "derivation";
 
 
+  /* Convert a store path to a fake derivation. */
+  toDerivation = path:
+    let path' = builtins.storePath path; in
+    { type = "derivation";
+      name = builtins.unsafeDiscardStringContext (builtins.substring 33 (-1) (baseNameOf path'));
+      outPath = path';
+      outputs = [ "out" ];
+    };
+
+
   /* If the Boolean `cond' is true, return the attribute set `as',
      otherwise an empty attribute set. */
   optionalAttrs = cond: as: if cond then as else {};

lib/maintainers.nix

@@ -17,6 +17,7 @@
   AndersonTorres = "Anderson Torres <torres.anderson.85@gmail.com>";
   andres = "Andres Loeh <ksnixos@andres-loeh.de>";
   antono = "Antono Vasiljev <self@antono.info>";
+  ardumont = "Antoine R. Dumont <eniotna.t@gmail.com>";
   aristid = "Aristid Breitkreuz <aristidb@gmail.com>";
   arobyn = "Alexei Robyn <shados@shados.net>";
   asppsa = "Alastair Pharo <asppsa@gmail.com>";
@@ -53,6 +54,7 @@
   dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
   doublec = "Chris Double <chris.double@double.co.nz>";
   ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
+  eduarrrd = "Eduard Bachmakov <e.bachmakov@gmail.com>";
   edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
   eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
   eikek = "Eike Kettner <eike.kettner@posteo.de>";
@@ -112,6 +114,7 @@
   nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
   nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
   notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
+  np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
   nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
   ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
   offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
@@ -151,6 +154,7 @@
   smironov = "Sergey Mironov <ierton@gmail.com>";
   sprock = "Roger Mason <rmason@mun.ca>";
   spwhitt = "Spencer Whitt <sw@swhitt.me>";
+  stephenmw = "Stephen Weinberg <stephen@q5comm.com>";
   sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
   tailhook = "Paul Colomiets <paul@colomiets.name>";
   thammers = "Tobias Hammerschmidt <jawr@gmx.de>";
@@ -176,6 +180,7 @@
   wjlroe = "William Roe <willroe@gmail.com>";
   wkennington = "William A. Kennington III <william@wkennington.com>";
   wmertens = "Wout Mertens <Wout.Mertens@gmail.com>";
+  wscott = "Wayne Scott <wsc9tt@gmail.com>";
   wyvie = "Elijah Rum <elijahrum@gmail.com>";
   yarr = "Dmitry V. <savraz@gmail.com>";
   z77z = "Marco Maggesi <maggesi@math.unifi.it>";

lib/options.nix

@@ -79,6 +79,7 @@ rec {
           declarations = filter (x: x != unknownModule) opt.declarations;
           internal = opt.internal or false;
           visible = opt.visible or true;
+          type = opt.type.name or null;
         }
         // (if opt ? example then { example = scrubOptionValue opt.example; } else {})
         // (if opt ? default then { default = scrubOptionValue opt.default; } else {})

lib/strings.nix

@@ -208,4 +208,8 @@ rec {
   # standard GNU Autoconf scripts.
   enableFeature = enable: feat: "--${if enable then "enable" else "disable"}-${feat}";
 
+
+  # Check whether a value is a store path.
+  isStorePath = x: builtins.substring 0 1 (toString x) == "/" && dirOf (builtins.toPath x) == (builtins.storeDir or "/nix/store");
+
 }

lib/types.nix

@@ -93,8 +93,10 @@ rec {
     # derivation is a reserved keyword.
     package = mkOptionType {
       name = "derivation";
-      check = isDerivation;
-      merge = mergeOneOption;
+      check = x: isDerivation x || isStorePath x;
+      merge = loc: defs:
+        let res = mergeOneOption loc defs;
+        in if isDerivation res then res else toDerivation res;
     };
 
     path = mkOptionType {

maintainers/docker/Dockerfile

@@ -1,7 +1,7 @@
 FROM busybox
 
 RUN dir=`mktemp -d` && trap 'rm -rf "$dir"' EXIT && \
-    wget -O- http://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2  | bzcat | tar x -C $dir && \
+    wget -O- https://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2  | bzcat | tar x -C $dir && \
     mkdir -m 0755 /nix && USER=root sh $dir/*/install && \
     echo ". /root/.nix-profile/etc/profile.d/nix.sh" >> /etc/profile
 

nixos/doc/manual/administration/control-groups.xml

@@ -58,12 +58,10 @@ controls memory allocation limits; by default, all processes are in
 the top-level cgroup, so any service or session can exhaust all
 available memory.  Per-cgroup memory limits can be specified in
 <filename>configuration.nix</filename>; for instance, to limit
-<literal>httpd.service</literal> to 512 MiB of RAM (excluding swap)
-and 640 MiB of RAM (including swap):
+<literal>httpd.service</literal> to 512 MiB of RAM (excluding swap):
 
 <programlisting>
 systemd.services.httpd.serviceConfig.MemoryLimit = "512M";
-systemd.services.httpd.serviceConfig.ControlGroupAttribute = [ "memory.memsw.limit_in_bytes 640M" ];
 </programlisting>
 
 </para>
@@ -72,4 +70,4 @@ systemd.services.httpd.serviceConfig.ControlGroupAttribute = [ "memory.memsw.lim
 continuously updated list of all cgroups with their CPU and memory
 usage.</para>
 
-</chapter>
+</chapter>

nixos/doc/manual/administration/network-problems.xml

@@ -12,9 +12,9 @@ pre-built binary.  That is, whenever a command like
 <command>nixos-rebuild</command> needs a path in the Nix store, Nix
 will try to download that path from the Internet rather than build it
 from source.  The default binary cache is
-<uri>http://cache.nixos.org/</uri>.  If this cache is unreachable, Nix
-operations may take a long time due to HTTP connection timeouts.  You
-can disable the use of the binary cache by adding <option>--option
+<uri>https://cache.nixos.org/</uri>.  If this cache is unreachable,
+Nix operations may take a long time due to HTTP connection timeouts.
+You can disable the use of the binary cache by adding <option>--option
 use-binary-caches false</option>, e.g.
 
 <screen>
@@ -30,4 +30,4 @@ $ nixos-rebuild switch --option binary-caches http://my-cache.example.org/
 
 </para>
 
-</section>
+</section>

nixos/doc/manual/configuration/network-manager.xml

@@ -10,7 +10,7 @@
 use NetworkManager. You can enable NetworkManager by setting:
 
 <programlisting>
-services.networkmanager.enable = true;
+networking.networkmanager.enable = true;
 </programlisting>
 
 some desktop managers (e.g., GNOME) enable NetworkManager
@@ -19,8 +19,8 @@ automatically for you.</para>
 <para>All users that should have permission to change network settings
 must belong to the <code>networkmanager</code> group.</para>
 
-<note><para><code>services.networkmanager</code> and
-<code>services.wireless</code> can not be enabled at the same time:
+<note><para><code>networking.networkmanager</code> and
+<code>networking.wireless</code> can not be enabled at the same time:
 you can still connect to the wireless networks using
 NetworkManager.</para></note>
 

nixos/doc/manual/default.nix

@@ -20,7 +20,8 @@ let
     declarations = map (fn: stripPrefix fn) opt.declarations;
   }
   // optionalAttrs (opt ? example) { example = substFunction opt.example; }
-  // optionalAttrs (opt ? default) { default = substFunction opt.default; });
+  // optionalAttrs (opt ? default) { default = substFunction opt.default; }
+  // optionalAttrs (opt ? type) { type = substFunction opt.type; });
 
   prefix = toString ../../..;
 

nixos/doc/manual/development/option-declarations.xml

@@ -106,6 +106,15 @@ options = {
     </listitem>
   </varlistentry>
 
+  <varlistentry>
+    <term><varname>types.package</varname></term>
+    <listitem>
+      <para>A derivation (such as <literal>pkgs.hello</literal>) or a
+      store path (such as
+      <filename>/nix/store/1ifi1cfbfs5iajmvwgrbmrnrw3a147h9-hello-2.10</filename>).</para>
+    </listitem>
+  </varlistentry>
+
   <varlistentry>
     <term><varname>types.listOf</varname> <replaceable>t</replaceable></term>
     <listitem>
@@ -138,4 +147,4 @@ You can also create new types using the function
 <varname>mkOptionType</varname>.  See
 <filename>lib/types.nix</filename> in Nixpkgs for details.</para>
 
-</section>
+</section>

nixos/doc/manual/development/sources.xml

@@ -50,8 +50,8 @@ Or, to base your local branch on the latest version available in the
 NixOS channel:
 
 <screen>
-$ curl -sI http://nixos.org/channels/nixos-unstable/ | grep Location
-Location: http://releases.nixos.org/nixos/unstable/nixos-14.10pre43986.acaf4a6/
+$ curl -sI https://nixos.org/channels/nixos-unstable/ | grep Location
+Location: https://releases.nixos.org/nixos/unstable/nixos-14.10pre43986.acaf4a6/
 
 $ git checkout -b local acaf4a6
 </screen>
@@ -92,4 +92,4 @@ to <command>nix-env</command>, as it will break after interpreting expressions
 in <filename>nixos/</filename> as packages.</para>
 -->
 
-</chapter>
+</chapter>

nixos/doc/manual/installation/upgrading.xml

@@ -14,8 +14,8 @@ been built.  These channels are:
 
 <itemizedlist>
   <listitem>
-    <para>Stable channels, such as <literal
-    xlink:href="http://nixos.org/channels/nixos-14.04">nixos-14.04</literal>.
+    <para><emphasis>Stable channels</emphasis>, such as <literal
+    xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
     These only get conservative bug fixes and package upgrades.  For
     instance, a channel update may cause the Linux kernel on your
     system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
@@ -23,26 +23,40 @@ been built.  These channels are:
     3.11.<replaceable>x</replaceable> (a major change that has the
     potential to break things).  Stable channels are generally
     maintained until the next stable branch is created.</para>
+    <para></para>
   </listitem>
   <listitem>
-    <para>The unstable channel, <literal
-    xlink:href="http://nixos.org/channels/nixos-unstable">nixos-unstable</literal>.
+    <para>The <emphasis>unstable channel</emphasis>, <literal
+    xlink:href="https://nixos.org/channels/nixos-unstable">nixos-unstable</literal>.
     This corresponds to NixOS’s main development branch, and may thus
     see radical changes between channel updates.  It’s not recommended
     for production systems.</para>
   </listitem>
+  <listitem>
+    <para><emphasis>Small channels</emphasis>, such as <literal
+    xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
+    or <literal
+    xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
+    are identical to the stable and unstable channels described above,
+    except that they contain fewer binary packages. This means they
+    get updated faster than the regular channels (for instance, when a
+    critical security patch is committed to NixOS’s source tree), but
+    may require more packages to be built from source than
+    usual. They’re mostly intended for server environments and as such
+    contain few GUI applications.</para>
+  </listitem>
 </itemizedlist>
 
 To see what channels are available, go to <link
-xlink:href="http://nixos.org/channels"/>.  (Note that the URIs of the
+xlink:href="https://nixos.org/channels"/>.  (Note that the URIs of the
 various channels redirect to a directory that contains the channel’s
 latest version and includes ISO images and VirtualBox
 appliances.)</para>
 
 <para>When you first install NixOS, you’re automatically subscribed to
 the NixOS channel that corresponds to your installation source.   For
-instance, if you installed from a 14.04 ISO, you will be subscribed to
-the <literal>nixos-14.04</literal> channel.  To see which NixOS
+instance, if you installed from a 14.12 ISO, you will be subscribed to
+the <literal>nixos-14.12</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 
 <screen>
@@ -53,20 +67,26 @@ nixos https://nixos.org/channels/nixos-unstable
 To switch to a different NixOS channel, do
 
 <screen>
-$ nix-channel --add http://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
+$ nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
 </screen>
 
 (Be sure to include the <literal>nixos</literal> parameter at the
-end.)  For instance, to use the NixOS 14.04 stable channel:
+end.)  For instance, to use the NixOS 14.12 stable channel:
 
 <screen>
-$ nix-channel --add http://nixos.org/channels/nixos-14.04 nixos
+$ nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
 </screen>
 
-But if you want to live on the bleeding edge:
+If you have a server, you may want to use the “small” channel instead:
 
 <screen>
-$ nix-channel --add http://nixos.org/channels/nixos-unstable nixos
+$ nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
+</screen>
+
+And if you want to live on the bleeding edge:
+
+<screen>
+$ nix-channel --add https://nixos.org/channels/nixos-unstable nixos
 </screen>
 
 </para>

nixos/doc/manual/man-nixos-install.xml

@@ -11,12 +11,29 @@
 
 <refnamediv>
   <refname><command>nixos-install</command></refname>
-  <refpurpose>install NixOS</refpurpose>
+  <refpurpose>install bootloader and NixOS</refpurpose>
 </refnamediv>
 
 <refsynopsisdiv>
   <cmdsynopsis>
     <command>nixos-install</command>
+    <arg>
+      <arg choice='plain'><option>-I</option></arg>
+      <replaceable>path</replaceable>
+    </arg>
+    <arg>
+      <arg choice='plain'><option>--root</option></arg>
+      <replaceable>root</replaceable>
+    </arg>
+    <arg>
+      <arg choice='plain'><option>--show-trace</option></arg>
+    </arg>
+    <arg>
+      <arg choice='plain'><option>--chroot</option></arg>
+    </arg>
+    <arg>
+      <arg choice='plain'><option>--help</option></arg>
+    </arg>
   </cmdsynopsis>
 </refsynopsisdiv>
 
@@ -55,6 +72,56 @@ it.</para>
 
 </refsection>
 
+<refsection><title>Options</title>
+
+<para>This command accepts the following options:</para>
+
+<variablelist>
+
+  <varlistentry>
+    <term><option>--root</option></term>
+    <listitem>
+      <para>Defaults to <filename>/mnt</filename>. If this option is given, treat the directory
+      <replaceable>root</replaceable> as the root of the NixOS installation.
+      </para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><option>-I</option></term>
+    <listitem>
+      <para>Add a path to the Nix expression search path. This option may be given multiple times.
+        See the NIX_PATH environment variable for information on the semantics of the Nix search path.
+        Paths added through <replaceable>-I</replaceable> take precedence over NIX_PATH.</para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><option>--show-trace</option></term>
+    <listitem>
+      <para>Causes Nix to print out a stack trace in case of Nix expression evaluation errors.</para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><option>--chroot</option></term>
+    <listitem>
+      <para>Chroot into given installation. Any additional arguments passed are going to be executed inside the chroot.
+      </para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><option>--help</option></term>
+    <listitem>
+      <para>Synonym for <command>man nixos-install</command>.</para>
+    </listitem>
+  </varlistentry>
+
+</variablelist>
+
+</refsection>
+
 
 <refsection><title>Examples</title>
 
@@ -72,6 +139,7 @@ $ mount /dev/sda1 /mnt
 $ nixos-generate-config --root /mnt
 $ # edit /mnt/etc/nixos/configuration.nix
 $ nixos-install
+$ reboot
 </screen>
 
 </para>

nixos/doc/manual/man-nixos-rebuild.xml

@@ -1,7 +1,7 @@
 <refentry xmlns="http://docbook.org/ns/docbook"
           xmlns:xlink="http://www.w3.org/1999/xlink"
           xmlns:xi="http://www.w3.org/2001/XInclude">
-  
+
 <refmeta>
   <refentrytitle><command>nixos-rebuild</command></refentrytitle>
   <manvolnum>8</manvolnum>
@@ -22,7 +22,8 @@
       <arg choice='plain'><option>boot</option></arg>
       <arg choice='plain'><option>test</option></arg>
       <arg choice='plain'><option>build</option></arg>
-      <arg choice='plain'><option>dry-run</option></arg>
+      <arg choice='plain'><option>dry-build</option></arg>
+      <arg choice='plain'><option>dry-activate</option></arg>
       <arg choice='plain'><option>build-vm</option></arg>
       <arg choice='plain'><option>build-vm-with-bootloader</option></arg>
     </group>
@@ -114,10 +115,22 @@ $ nix-build /path/to/nixpkgs/nixos -A system
   </varlistentry>
 
   <varlistentry>
-    <term><option>dry-run</option></term>
+    <term><option>dry-build</option></term>
     <listitem>
-      <para>Simply show what store paths would be built or downloaded
-      by any of the operations above.</para>
+      <para>Show what store paths would be built or downloaded by any
+      of the operations above, but otherwise do nothing.</para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><option>dry-activate</option></term>
+    <listitem>
+      <para>Build the new configuration, but instead of activating it,
+      show what changes would be performed by the activation (i.e. by
+      <command>nixos-rebuild test</command>). For
+      instance, this command will print which systemd units would be
+      restarted. The list of changes is not guaranteed to be
+      complete.</para>
     </listitem>
   </varlistentry>
 

nixos/doc/manual/man-pages.xml

@@ -15,7 +15,7 @@
     </author>
 
     <copyright>
-      <year>2007-2013</year>
+      <year>2007-2015</year>
       <holder>Eelco Dolstra</holder>
     </copyright>
 

nixos/doc/manual/manual.xml

@@ -32,6 +32,7 @@
   <xi:include href="configuration/configuration.xml" />
   <xi:include href="administration/running.xml" />
   <!-- <xi:include href="userconfiguration.xml" /> -->
+  <xi:include href="development/development.xml" />
   <xi:include href="release-notes/release-notes.xml" />
 
   <appendix xml:id="ch-options">

nixos/doc/manual/options-to-docbook.xsl

@@ -34,6 +34,14 @@
                                select="attr[@name = 'description']/string/@value" />
                </para>
 
+               <xsl:if test="attr[@name = 'type']">
+                 <para>
+                   <emphasis>Type:</emphasis>
+                   <xsl:text> </xsl:text>
+                   <xsl:apply-templates select="attr[@name = 'type']" mode="top" />
+                 </para>
+               </xsl:if>
+
                <xsl:if test="attr[@name = 'default']">
                  <para>
                    <emphasis>Default:</emphasis>

nixos/doc/manual/release-notes/release-notes.xml

@@ -10,7 +10,7 @@
 <para>This section lists the release notes for each stable version of NixOS.</para>
 </partintro>
 
-<xi:include href="rl-1411.xml" />
+<xi:include href="rl-1412.xml" />
 <xi:include href="rl-1404.xml" />
 <xi:include href="rl-1310.xml" />
 

nixos/doc/manual/release-notes/rl-1411.xml

@@ -1,37 +0,0 @@
-<chapter xmlns="http://docbook.org/ns/docbook"
-        xmlns:xlink="http://www.w3.org/1999/xlink"
-        xmlns:xi="http://www.w3.org/2001/XInclude"
-        version="5.0"
-        xml:id="sec-release-14.11">
-
-<title>Release 14.11 (“Caterpillar”, 2014/11/??)</title>
-
-<para>When upgrading from a previous release, please be aware of the
-following incompatible changes:
-
-<itemizedlist>
-
-  <listitem><para>The default version of Apache httpd is now 2.4. If
-  you use the <option>extraConfig</option> option to pass literal
-  Apache configuration text, you may need to update it — see <link
-  xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s
-  documentation</link> for details. If you wish to continue to use
-  httpd 2.2, add the following line to your NixOS configuration:
-
-<programlisting>
-services.httpd.package = pkgs.apacheHttpd_2_2;
-</programlisting>
-
-  </para></listitem>
-
-  <listitem><para>The host side of a container virtual Ethernet pair
-  is now called <literal>ve-<replaceable>container-name</replaceable></literal>
-  rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem>
-
-  <listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem>
-
-</itemizedlist>
-
-</para>
-
-</chapter>

nixos/doc/manual/release-notes/rl-1412.xml

@@ -0,0 +1,177 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+        xmlns:xlink="http://www.w3.org/1999/xlink"
+        xmlns:xi="http://www.w3.org/2001/XInclude"
+        version="5.0"
+        xml:id="sec-release-14.12">
+
+<title>Release 14.12 (“Caterpillar”, 2014/12/30)</title>
+
+<para>In addition to numerous new and upgraded packages, this release has the following highlights:
+
+<itemizedlist>
+
+<listitem><para>Systemd has been updated to version 217, which has numerous
+<link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements.</link></para></listitem>
+
+<listitem><para><link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165">
+Nix has been updated to 1.8.</link></para></listitem>
+
+<listitem><para>NixOS is now based on Glibc 2.20.</para></listitem>
+
+<listitem><para>KDE has been updated to 4.14.</para></listitem>
+
+<listitem><para>The default Linux kernel has been updated to 3.14.</para></listitem>
+
+<listitem><para>If <option>users.mutableUsers</option> is enabled (the
+default), changes made to the declaration of a user or group will be
+correctly realised when running <command>nixos-rebuild</command>. For
+instance, removing a user specification from
+<filename>configuration.nix</filename> will cause the actual user
+account to be deleted. If <option>users.mutableUsers</option> is
+disabled, it is no longer necessary to specify UIDs or GIDs; if
+omitted, they are allocated dynamically.</para></listitem>
+
+</itemizedlist></para>
+
+<para>Following new services were added since the last release:
+
+<itemizedlist>
+<listitem><para><literal>atftpd</literal></para></listitem>
+<listitem><para><literal>bosun</literal></para></listitem>
+<listitem><para><literal>bspwm</literal></para></listitem>
+<listitem><para><literal>chronos</literal></para></listitem>
+<listitem><para><literal>collectd</literal></para></listitem>
+<listitem><para><literal>consul</literal></para></listitem>
+<listitem><para><literal>cpuminer-cryptonight</literal></para></listitem>
+<listitem><para><literal>crashplan</literal></para></listitem>
+<listitem><para><literal>dnscrypt-proxy</literal></para></listitem>
+<listitem><para><literal>docker-registry</literal></para></listitem>
+<listitem><para><literal>docker</literal></para></listitem>
+<listitem><para><literal>etcd</literal></para></listitem>
+<listitem><para><literal>fail2ban</literal></para></listitem>
+<listitem><para><literal>fcgiwrap</literal></para></listitem>
+<listitem><para><literal>fleet</literal></para></listitem>
+<listitem><para><literal>fluxbox</literal></para></listitem>
+<listitem><para><literal>gdm</literal></para></listitem>
+<listitem><para><literal>geoclue2</literal></para></listitem>
+<listitem><para><literal>gitlab</literal></para></listitem>
+<listitem><para><literal>gitolite</literal></para></listitem>
+<listitem><para><literal>gnome3.gnome-documents</literal></para></listitem>
+<listitem><para><literal>gnome3.gnome-online-miners</literal></para></listitem>
+<listitem><para><literal>gnome3.gvfs</literal></para></listitem>
+<listitem><para><literal>gnome3.seahorse</literal></para></listitem>
+<listitem><para><literal>hbase</literal></para></listitem>
+<listitem><para><literal>i2pd</literal></para></listitem>
+<listitem><para><literal>influxdb</literal></para></listitem>
+<listitem><para><literal>kubernetes</literal></para></listitem>
+<listitem><para><literal>liquidsoap</literal></para></listitem>
+<listitem><para><literal>lxc</literal></para></listitem>
+<listitem><para><literal>mailpile</literal></para></listitem>
+<listitem><para><literal>mesos</literal></para></listitem>
+<listitem><para><literal>mlmmj</literal></para></listitem>
+<listitem><para><literal>monetdb</literal></para></listitem>
+<listitem><para><literal>mopidy</literal></para></listitem>
+<listitem><para><literal>neo4j</literal></para></listitem>
+<listitem><para><literal>nsd</literal></para></listitem>
+<listitem><para><literal>openntpd</literal></para></listitem>
+<listitem><para><literal>opentsdb</literal></para></listitem>
+<listitem><para><literal>openvswitch</literal></para></listitem>
+<listitem><para><literal>parallels-guest</literal></para></listitem>
+<listitem><para><literal>peerflix</literal></para></listitem>
+<listitem><para><literal>phd</literal></para></listitem>
+<listitem><para><literal>polipo</literal></para></listitem>
+<listitem><para><literal>prosody</literal></para></listitem>
+<listitem><para><literal>radicale</literal></para></listitem>
+<listitem><para><literal>redmine</literal></para></listitem>
+<listitem><para><literal>riemann</literal></para></listitem>
+<listitem><para><literal>scollector</literal></para></listitem>
+<listitem><para><literal>seeks</literal></para></listitem>
+<listitem><para><literal>siproxd</literal></para></listitem>
+<listitem><para><literal>strongswan</literal></para></listitem>
+<listitem><para><literal>tcsd</literal></para></listitem>
+<listitem><para><literal>teamspeak3</literal></para></listitem>
+<listitem><para><literal>thermald</literal></para></listitem>
+<listitem><para><literal>torque/mrom</literal></para></listitem>
+<listitem><para><literal>torque/server</literal></para></listitem>
+<listitem><para><literal>uhub</literal></para></listitem>
+<listitem><para><literal>unifi</literal></para></listitem>
+<listitem><para><literal>znc</literal></para></listitem>
+<listitem><para><literal>zookeeper</literal></para></listitem>
+</itemizedlist>
+</para>
+
+<para>When upgrading from a previous release, please be aware of the
+following incompatible changes:
+
+<itemizedlist>
+
+<listitem><para>The default version of Apache httpd is now 2.4. If
+you use the <option>extraConfig</option> option to pass literal
+Apache configuration text, you may need to update it — see <link
+xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s
+documentation</link> for details. If you wish to continue to use
+httpd 2.2, add the following line to your NixOS configuration:
+
+<programlisting>
+services.httpd.package = pkgs.apacheHttpd_2_2;
+</programlisting>
+
+</para></listitem>
+
+<listitem><para>PHP 5.3 has been removed because it is no longer
+supported by the PHP project. A <link
+xlink:href="http://php.net/migration54">migration guide</link> is
+available.</para></listitem>
+
+<listitem><para>The host side of a container virtual Ethernet pair
+is now called <literal>ve-<replaceable>container-name</replaceable></literal>
+rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem>
+
+<listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem>
+
+<listitem><para>VirtualBox has been upgraded to 4.3.20 release. Users
+may be required to run <command>rm -rf /tmp/.vbox*</command>. The line
+<literal>imports = [ &lt;nixpkgs/nixos/modules/programs/virtualbox.nix&gt; ]</literal> is
+no longer necessary, use <literal>services.virtualboxHost.enable =
+true</literal> instead.
+</para>
+<para>Also, hardening mode is now enabled by default, which means that unless you want to use
+USB support, you no longer need to be a member of the <literal>vboxusers</literal> group.
+</para></listitem>
+
+<listitem><para>Chromium has been updated to 39.0.2171.65. <option>enablePepperPDF</option> is now enabled by default.
+<literal>chromium*Wrapper</literal> packages no longer exist, because upstream removed NSAPI support.
+<literal>chromium-stable</literal> has been renamed to <literal>chromium</literal>.
+</para></listitem>
+
+<listitem><para>Python packaging documentation is now part of nixpkgs manual. To override
+the python packages available to a custom python you now use <literal>pkgs.pythonFull.buildEnv.override</literal>
+instead of <literal>pkgs.pythonFull.override</literal>.
+</para></listitem>
+
+<listitem><para><literal>boot.resumeDevice = "8:6"</literal> is no longer supported. Most users will
+want to leave it undefined, which takes the swap partitions automatically. There is an evaluation
+assertion to ensure that the string starts with a slash.
+</para></listitem>
+
+<listitem><para>The system-wide default timezone for NixOS installations
+changed from <literal>CET</literal> to <literal>UTC</literal>. To choose
+a different timezone for your system, configure
+<literal>time.timeZone</literal> in
+<literal>configuration.nix</literal>. A fairly complete list of possible
+values for that setting is available at <link
+xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>.</para></listitem>
+
+<listitem><para>GNU screen has been updated to 4.2.1, which breaks
+the ability to connect to sessions created by older versions of
+screen.</para></listitem>
+
+<listitem><para>The Intel GPU driver was updated to the 3.x prerelease
+version (used by most distributions) and supports DRI3
+now.</para></listitem>
+
+</itemizedlist>
+
+</para>
+
+</chapter>

nixos/lib/eval-config.nix

@@ -11,15 +11,16 @@
 , prefix ? []
 }:
 
-let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system; in
-
-rec {
+let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system;
+    extraModules = let e = builtins.getEnv "NIXOS_EXTRA_MODULE_PATH";
+                   in if e == "" then [] else [(import (builtins.toPath e))];
+in rec {
 
   # Merge the option definitions in all modules, forming the full
   # system configuration.
   inherit (pkgs.lib.evalModules {
     inherit prefix;
-    modules = modules ++ baseModules;
+    modules = modules ++ extraModules ++ baseModules;
     args = extraArgs;
     check = check && options.environment.checkConfigurationOptions.value;
   }) config options;

nixos/lib/testing.nix

@@ -47,7 +47,7 @@ rec {
         ''
           mkdir -p $out/nix-support
 
-          LOGFILE=$out/log.xml tests='eval $ENV{testScript}; die $@ if $@;' ${driver}/bin/nixos-test-driver || failed=1
+          LOGFILE=$out/log.xml tests='eval $ENV{testScript}; die $@ if $@;' ${driver}/bin/nixos-test-driver
 
           # Generate a pretty-printed log.
           xsltproc --output $out/log.html ${./test-driver/log2html.xsl} $out/log.xml
@@ -63,8 +63,6 @@ rec {
             mkdir -p $out/coverage-data
             mv $i $out/coverage-data/$(dirname $(dirname $i))
           done
-
-          [ -z "$failed" ] || touch $out/nix-support/failed
         ''; # */
     };
 

nixos/maintainers/scripts/ec2/create-ebs-amis.py

@@ -12,7 +12,7 @@ from nixops.statefile import StateFile, get_default_state_file
 
 parser = argparse.ArgumentParser(description='Create an EBS-backed NixOS AMI')
 parser.add_argument('--region', dest='region', required=True, help='EC2 region to create the image in')
-parser.add_argument('--channel', dest='channel', default="13.10", help='Channel to use')
+parser.add_argument('--channel', dest='channel', default="14.12", help='Channel to use')
 parser.add_argument('--keep', dest='keep', action='store_true', help='Keep NixOps machine after use')
 parser.add_argument('--hvm', dest='hvm', action='store_true', help='Create HVM image')
 parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair used for HVM instance creation', default="rob")
@@ -34,13 +34,13 @@ ebs_size = 20
 # Start a NixOS machine in the given region.
 f = open("ebs-creator-config.nix", "w")
 f.write('''{{
-  resources.ec2KeyPairs.keypair.accessKeyId = "logicblox-dev";
+  resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos";
   resources.ec2KeyPairs.keypair.region = "{0}";
 
   machine =
     {{ pkgs, ... }}:
     {{
-      deployment.ec2.accessKeyId = "logicblox-dev";
+      deployment.ec2.accessKeyId = "lb-nixos";
       deployment.ec2.region = "{0}";
       deployment.ec2.blockDeviceMapping."/dev/xvdg".size = pkgs.lib.mkOverride 10 {1};
     }};
@@ -54,7 +54,7 @@ try:
 except Exception:
     depl = db.create_deployment()
     depl.name = "ebs-creator"
-depl.auto_response = "y"
+depl.logger.set_autoresponse("y")
 depl.nix_exprs = [os.path.abspath("./ebs-creator.nix"), os.path.abspath("./ebs-creator-config.nix")]
 if not args.keep: depl.destroy_resources()
 depl.deploy(allow_reboot=True)
@@ -75,7 +75,7 @@ m.run_command("mount {0} /mnt".format(device))
 m.run_command("touch /mnt/.ebs")
 m.run_command("mkdir -p /mnt/etc/nixos")
 
-m.run_command("nix-channel --add http://nixos.org/channels/nixos-{} nixos".format(args.channel))
+m.run_command("nix-channel --add https://nixos.org/channels/nixos-{} nixos".format(args.channel))
 m.run_command("nix-channel --update")
 
 version = m.run_command("nix-instantiate --eval-only -A lib.nixpkgsVersion '<nixpkgs>'", capture_stdout=True).split(' ')[0].replace('"','').strip()
@@ -140,6 +140,7 @@ common_args = dict(
         )
 if not args.hvm:
     common_args['kernel_id']=aki.id
+
 ami_id = m._conn.register_image(**common_args)
 
 print >> sys.stderr, "registered AMI {0}".format(ami_id)
@@ -161,16 +162,16 @@ f.write(
     {{
       network.description = "NixOS EBS test";
 
-      resources.ec2KeyPairs.keypair.accessKeyId = "logicblox-dev";
+      resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos";
       resources.ec2KeyPairs.keypair.region = "{0}";
 
       machine = {{ config, pkgs, resources, ... }}: {{
         deployment.targetEnv = "ec2";
-        deployment.ec2.accessKeyId = "logicblox-dev";
+        deployment.ec2.accessKeyId = "lb-nixos";
         deployment.ec2.region = "{0}";
         deployment.ec2.instanceType = "{2}";
         deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
-        deployment.ec2.securityGroups = [ "admin" ];
+        deployment.ec2.securityGroups = [ "public-ssh" ];
         deployment.ec2.ami = "{1}";
       }};
     }}
@@ -185,23 +186,31 @@ test_depl.deploy(create_only=True)
 test_depl.machines['machine'].run_command("nixos-version")
 
 # Log the AMI ID.
-f = open("{0}.{1}.ami-id".format(args.region, image_type), "w")
-f.write("{0}".format(ami_id))
-f.close()
+f = open("ec2-amis.nix".format(args.region, image_type), "w")
+f.write("{\n")
 
 for dest in [ 'us-east-1', 'us-west-1', 'us-west-2', 'eu-west-1', 'eu-central-1', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'sa-east-1']:
+    copy_image = None
     if args.region != dest:
-        print >> sys.stderr, "copying image from region {0} to {1}".format(args.region, dest)
-        conn = boto.ec2.connect_to_region(dest)
-        copy_image = conn.copy_image(args.region, ami_id, ami_name, description=None, client_token=None)
+        try:
+            print >> sys.stderr, "copying image from region {0} to {1}".format(args.region, dest)
+            conn = boto.ec2.connect_to_region(dest)
+            copy_image = conn.copy_image(args.region, ami_id, ami_name, description=None, client_token=None)
+        except :
+            print >> sys.stderr, "FAILED!"
 
         # Log the AMI ID.
-        f = open("{0}.{1}.ami-id".format(dest, image_type), "w")
-        f.write("{0}".format(copy_image.image_id))
-        f.close()
+        if copy_image != None:
+            f.write('  "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,dest,"hvm" if args.hvm else "ebs",copy_image.image_id))
+    else:
+        f.write('  "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,args.region,"hvm" if args.hvm else "ebs",ami_id))
 
 
+f.write("}\n")
+f.close()
+
 if not args.keep:
+    test_depl.logger.set_autoresponse("y")
     test_depl.destroy_resources()
     test_depl.delete()
 

nixos/maintainers/scripts/ec2/create-s3-amis.sh

@@ -31,17 +31,22 @@ buildAndUploadFor() {
             -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" --location "$s3location" \
             --url http://s3.amazonaws.com
 
-        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.03-$arch*" --region "$region" | cut -f 2)
+        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
         echo "using PV-GRUB kernel $kernel"
 
-        ami=$(ec2-register "$bucket/nixos.img.manifest.xml" -n "$name" -d "NixOS $system r$revision" \
+        ami=$(ec2-register "$bucket/nixos.img.manifest.xml" -n "$name" -d "NixOS $system r$revision" -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY" \
             --region "$region" --kernel "$kernel" | cut -f 2)
 
         echo "AMI ID is $ami"
 
-        echo $ami >> $region.s3.ami-id
+        echo "  \"14.12\".\"$region\".s3 = \"$ami\";" >> ec2-amis.nix
 
-        ec2-modify-image-attribute --region "$region" "$ami" -l -a all
+        ec2-modify-image-attribute --region "$region" "$ami" -l -a all -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY"
+
+        for cp_region in us-east-1 us-west-1 us-west-2 eu-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do
+          new_ami=$(aws ec2 copy-image --source-image-id $ami --source-region $region --region $cp_region --name "$name" | json ImageId)
+          echo "  \"14.12\".\"$cp_region\".s3 = \"$new_ami\";" >> ec2-amis.nix  
+        done
     done
 }
 

nixos/maintainers/scripts/ec2/ebs-creator.nix

@@ -5,10 +5,9 @@
     { config, pkgs, resources, ... }:
     { deployment.targetEnv = "ec2";
       deployment.ec2.instanceType = "c3.large";
-      deployment.ec2.securityGroups = [ "admin" ];
+      deployment.ec2.securityGroups = [ "public-ssh" ];
       deployment.ec2.ebsBoot = false;
       deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
-      deployment.ec2.zone = "us-east-1e";
       environment.systemPackages = [ pkgs.parted ];
     };
 }

nixos/maintainers/scripts/gce/create-gce.sh

@@ -1,6 +1,6 @@
 #! /bin/sh -e
 
-BUCKET_NAME=${BUCKET_NAME:-nixos}
+BUCKET_NAME=${BUCKET_NAME:-nixos-images}
 export NIX_PATH=nixpkgs=../../../..
 export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/google-compute-image.nix
 export TIMESTAMP=$(date +%Y%m%d%H%M)

nixos/modules/config/fonts/fontconfig-ultimate.nix

@@ -122,7 +122,7 @@ in
           <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
           <fontconfig>
 
-            ${optionalString ultimate.allowBitmaps ''
+            ${optionalString (!ultimate.allowBitmaps) ''
             <!-- Reject bitmap fonts -->
             <selectfont>
               <rejectfont>

nixos/modules/config/fonts/fontconfig.nix

@@ -204,7 +204,7 @@ with lib;
             ${optionalString (fontconfig.dpi != 0) ''
             <match target="pattern">
               <edit name="dpi" mode="assign">
-                <double>${fontconfig.dpi}</double>
+                <double>${toString fontconfig.dpi}</double>
               </edit>
             </match>
             ''}

nixos/modules/config/update-users-groups.pl

@@ -174,12 +174,12 @@ foreach my $u (@{$spec->{users}}) {
         } elsif (defined $u->{initialHashedPassword}) {
             $u->{hashedPassword} = $u->{initialHashedPassword};
         }
+    }
 
-        # Create a home directory.
-        if ($u->{createHome}) {
-            make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
-            chown $u->{uid}, $u->{gid}, $u->{home};
-        }
+    # Create a home directory.
+    if ($u->{createHome} && ! -e $u->{home}) {
+        make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
+        chown $u->{uid}, $u->{gid}, $u->{home};
     }
 
     if (defined $u->{passwordFile}) {

nixos/modules/config/users-groups.nix

@@ -25,6 +25,11 @@ let
     options.
   '';
 
+  hashedPasswordDescription = ''
+    To generate hashed password install <literal>mkpassword</literal>
+    package and run <literal>mkpasswd -m sha-512</literal>.
+  '';
+
   userOpts = { name, config, ... }: {
 
     options = {
@@ -165,6 +170,7 @@ let
         description = ''
           Specifies the hashed password for the user.
           ${passwordDescription}
+          ${hashedPasswordDescription}
         '';
       };
 
@@ -202,6 +208,8 @@ let
           password can be changed subsequently using the
           <command>passwd</command> command. Otherwise, it's
           equivalent to setting the <option>password</option> option.
+
+          ${hashedPasswordDescription}
         '';
       };
 
@@ -366,21 +374,24 @@ in {
       type = types.bool;
       default = true;
       description = ''
-        If true, you are free to add new users and groups to the system
+        If set to <literal>true</literal>, you are free to add new users and groups to the system
         with the ordinary <literal>useradd</literal> and
         <literal>groupadd</literal> commands. On system activation, the
         existing contents of the <literal>/etc/passwd</literal> and
         <literal>/etc/group</literal> files will be merged with the
         contents generated from the <literal>users.extraUsers</literal> and
-        <literal>users.extraGroups</literal> options. If
-        <literal>mutableUsers</literal> is false, the contents of the user and
-        group files will simply be replaced on system activation. This also
-        holds for the user passwords; if this option is false, all changed
-        passwords will be reset according to the
-        <literal>users.extraUsers</literal> configuration on activation. If
-        this option is true, the initial password for a user will be set
+        <literal>users.extraGroups</literal> options.
+        The initial password for a user will be set
         according to <literal>users.extraUsers</literal>, but existing passwords
         will not be changed.
+
+        <warning><para>
+        If set to <literal>false</literal>, the contents of the user and
+        group files will simply be replaced on system activation. This also
+        holds for the user passwords; all changed
+        passwords will be reset according to the
+        <literal>users.extraUsers</literal> configuration on activation.
+        </para></warning>
       '';
     };
 
@@ -478,6 +489,7 @@ in {
       utmp.gid = ids.gids.utmp;
       adm.gid = ids.gids.adm;
       grsecurity.gid = ids.gids.grsecurity;
+      input.gid = ids.gids.input;
     };
 
     system.activationScripts.users = stringAfter [ "etc" ]

nixos/modules/hardware/opengl.nix

@@ -16,7 +16,6 @@ let
       [ p.mesa_drivers
         p.mesa_noglu # mainly for libGL
         (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
-        p.udev
       ];
   };
 

nixos/modules/hardware/video/nvidia.nix

@@ -11,20 +11,21 @@ let
   # FIXME: should introduce an option like
   # ‘hardware.video.nvidia.package’ for overriding the default NVIDIA
   # driver.
-  enabled = elem "nvidia" drivers || elem "nvidiaLegacy173" drivers
-    || elem "nvidiaLegacy304" drivers || elem "nvidiaLegacy340" drivers;
-
-  nvidia_x11 =
+  nvidiaForKernel = kernelPackages:
     if elem "nvidia" drivers then
-      config.boot.kernelPackages.nvidia_x11
+      kernelPackages.nvidia_x11
     else if elem "nvidiaLegacy173" drivers then
-      config.boot.kernelPackages.nvidia_x11_legacy173
+      kernelPackages.nvidia_x11_legacy173
     else if elem "nvidiaLegacy304" drivers then
-      config.boot.kernelPackages.nvidia_x11_legacy304
+      kernelPackages.nvidia_x11_legacy304
     else if elem "nvidiaLegacy340" drivers then
-      config.boot.kernelPackages.nvidia_x11_legacy340
-    else throw "impossible";
+      kernelPackages.nvidia_x11_legacy340
+    else null;
 
+  nvidia_x11 = nvidiaForKernel config.boot.kernelPackages;
+  nvidia_libs32 = (nvidiaForKernel pkgs_i686.linuxPackages).override { libsOnly = true; kernel = null; };
+
+  enabled = nvidia_x11 != null;
 in
 
 {
@@ -40,12 +41,21 @@ in
       '';
 
     hardware.opengl.package = nvidia_x11;
-    hardware.opengl.package32 = pkgs_i686.linuxPackages.nvidia_x11.override { libsOnly = true; kernel = null; };
+    hardware.opengl.package32 = nvidia_libs32;
 
     environment.systemPackages = [ nvidia_x11 ];
 
     boot.extraModulePackages = [ nvidia_x11 ];
 
+    # nvidia-uvm is required by CUDA applications.
+    boot.kernelModules = [ "nvidia-uvm" ];
+
+    # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
+    services.udev.extraRules =
+      ''
+        KERNEL=="nvidia_uvm", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia-uvm c $(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 0'"
+      '';
+
     boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ];
 
     services.acpid.enable = true;

nixos/modules/installer/cd-dvd/system-tarball-pc-readme.txt

@@ -80,7 +80,7 @@ had booted this nixos. Run:
 *  `grep local-cmds run/current-system/init`
 
 Then you can proceed normally subscribing to a nixos channel:
-  nix-channel --add http://nixos.org/channels/nixos-unstable
+  nix-channel --add https://nixos.org/channels/nixos-unstable
   nix-channel --update
 
 Testing:

nixos/modules/installer/tools/nixos-install.sh

@@ -30,8 +30,7 @@ while [ "$#" -gt 0 ]; do
     case "$i" in
         -I)
             given_path="$1"; shift 1
-            absolute_path=$(readlink -m $given_path)
-            extraBuildFlags+=("$i" "/mnt$absolute_path")
+            extraBuildFlags+=("$i" "$given_path")
             ;;
         --root)
             mountPoint="$1"; shift 1
@@ -78,6 +77,7 @@ mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/et
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
 mkdir -m 0755 -p $mountPoint/var/setuid-wrappers
+mkdir -m 0700 -p $mountPoint/root
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
@@ -89,6 +89,12 @@ ln -s /run $mountPoint/var/run
 rm -f $mountPoint/etc/{resolv.conf,hosts}
 cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/
 
+if [ -e "$SSL_CERT_FILE" ]; then
+    cp -Lf "$SSL_CERT_FILE" "$mountPoint/tmp/ca-cert.crt"
+    export SSL_CERT_FILE=/tmp/ca-cert.crt
+    # For Nix 1.7
+    export CURL_CA_BUNDLE=/tmp/ca-cert.crt
+fi
 
 if [ -n "$runChroot" ]; then
     if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
@@ -244,7 +250,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
 
 
 # Ask the user to set a root password.
-if [ -t 0 ] ; then
+if [ "$(chroot $mountPoint nix-instantiate --eval '<nixos>' -A config.users.mutableUsers)" = true ] && [ -t 0 ] ; then
     echo "setting root password..."
     chroot $mountPoint /var/setuid-wrappers/passwd
 fi

nixos/modules/installer/tools/nixos-rebuild.sh

@@ -26,7 +26,8 @@ while [ "$#" -gt 0 ]; do
       --help)
         showSyntax
         ;;
-      switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader)
+      switch|boot|test|build|dry-build|dry-run|dry-activate|build-vm|build-vm-with-bootloader)
+        if [ "$i" = dry-run ]; then i=dry-build; fi
         action="$i"
         ;;
       --install-grub)
@@ -137,7 +138,7 @@ fi
 
 # First build Nix, since NixOS may require a newer version than the
 # current one.
-if [ -n "$rollback" -o "$action" = dry-run ]; then
+if [ -n "$rollback" -o "$action" = dry-build ]; then
     buildNix=
 fi
 
@@ -148,15 +149,15 @@ if [ -n "$buildNix" ]; then
             if ! nix-build '<nixpkgs>' -A nix -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
                 machine="$(uname -m)"
                 if [ "$machine" = x86_64 ]; then
-                    nixStorePath=/nix/store/d34q3q2zj9nriq4ifhn3dnnngqvinjb3-nix-1.7
+                    nixStorePath=/nix/store/ffig6yaggbh12dh9y5pnf1grf5lqyipz-nix-1.8
                 elif [[ "$machine" =~ i.86 ]]; then
-                    nixStorePath=/nix/store/qlah0darpcn6sf3lr2226rl04l1gn4xz-nix-1.7
+                    nixStorePath=/nix/store/lglhfp4mimfa5wzjjf1kqz6f5wlsj2mn-nix-1.8
                 else
                     echo "$0: unsupported platform"
                     exit 1
                 fi
                 if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
-                    --option extra-binary-caches http://cache.nixos.org/; then
+                    --option extra-binary-caches https://cache.nixos.org/; then
                     echo "warning: don't know how to get latest Nix" >&2
                 fi
                 # Older version of nix-store -r don't support --add-root.
@@ -180,7 +181,7 @@ if [ -n "$canRun" ]; then
 fi
 
 
-if [ "$action" = dry-run ]; then
+if [ "$action" = dry-build ]; then
     extraBuildFlags+=(--dry-run)
 fi
 
@@ -193,7 +194,7 @@ if [ -z "$rollback" ]; then
     if [ "$action" = switch -o "$action" = boot ]; then
         nix-env "${extraBuildFlags[@]}" -p "$profile" -f '<nixpkgs/nixos>' --set -A system
         pathToConfig="$profile"
-    elif [ "$action" = test -o "$action" = build -o "$action" = dry-run ]; then
+    elif [ "$action" = test -o "$action" = build -o "$action" = dry-build -o "$action" = dry-activate ]; then
         nix-build '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}" > /dev/null
         pathToConfig=./result
     elif [ "$action" = build-vm ]; then
@@ -224,7 +225,7 @@ fi
 
 # If we're not just building, then make the new configuration the boot
 # default and/or activate it now.
-if [ "$action" = switch -o "$action" = boot -o "$action" = test ]; then
+if [ "$action" = switch -o "$action" = boot -o "$action" = test -o "$action" = dry-activate ]; then
     if ! $pathToConfig/bin/switch-to-configuration "$action"; then
         echo "warning: error(s) occured while switching to the new configuration" >&2
         exit 1

nixos/modules/misc/ids.nix

@@ -172,6 +172,7 @@
       kubernetes = 162;
       peerflix = 163;
       chronos = 164;
+      gitlab = 165;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -308,6 +309,8 @@
       bosun = 157;
       kubernetes = 158;
       fleet = 159;
+      gitlab = 160;
+      input = 174;
 
       # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
 

nixos/modules/misc/version.nix

@@ -33,7 +33,7 @@ with lib;
     system.defaultChannel = mkOption {
       internal = true;
       type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-14.12;
       description = "Default NixOS channel to which the root user is subscribed.";
     };
 

nixos/modules/module-list.nix

@@ -102,6 +102,8 @@
   ./services/backup/rsnapshot.nix
   ./services/backup/sitecopy-backup.nix
   ./services/backup/tarsnap.nix
+  ./services/cluster/fleet.nix
+  ./services/cluster/kubernetes.nix
   ./services/computing/torque/server.nix
   ./services/computing/torque/mom.nix
   ./services/continuous-integration/jenkins/default.nix
@@ -174,6 +176,7 @@
   ./services/misc/etcd.nix
   ./services/misc/felix.nix
   ./services/misc/folding-at-home.nix
+  ./services/misc/gitlab.nix
   ./services/misc/gitolite.nix
   ./services/misc/gpsd.nix
   ./services/misc/mesos-master.nix
@@ -303,6 +306,7 @@
   ./services/security/fprot.nix
   ./services/security/frandom.nix
   ./services/security/haveged.nix
+  ./services/security/torify.nix
   ./services/security/tor.nix
   ./services/security/torsocks.nix
   ./services/system/dbus.nix
@@ -400,11 +404,9 @@
   ./virtualisation/container-config.nix
   ./virtualisation/containers.nix
   ./virtualisation/docker.nix
-  ./virtualisation/fleet.nix
-  ./virtualisation/kubernetes.nix
   ./virtualisation/libvirtd.nix
   ./virtualisation/lxc.nix
-  #./virtualisation/nova.nix
+  ./virtualisation/amazon-options.nix
   ./virtualisation/openvswitch.nix
   ./virtualisation/parallels-guest.nix
   ./virtualisation/virtualbox-guest.nix

nixos/modules/programs/bash/bash.nix

@@ -105,7 +105,7 @@ in
       };
 
       enableCompletion = mkOption {
-        default = true;
+        default = false;
         description = ''
           Enable Bash completion for all interactive bash shells.
         '';

nixos/modules/programs/shell.nix

@@ -53,7 +53,7 @@ in
           # Set up a default Nix expression from which to install stuff.
           if [ ! -e $HOME/.nix-defexpr -o -L $HOME/.nix-defexpr ]; then
               rm -f $HOME/.nix-defexpr
-              mkdir $HOME/.nix-defexpr
+              mkdir -p $HOME/.nix-defexpr
               if [ "$USER" != root ]; then
                   ln -s /nix/var/nix/profiles/per-user/root/channels $HOME/.nix-defexpr/channels_root
               fi

nixos/modules/programs/ssh.nix

@@ -61,7 +61,8 @@ in
 
       agentTimeout = mkOption {
         type = types.nullOr types.string;
-        default = "1h";
+        default = null;
+        example = "1h";
         description = ''
           How long to keep the private keys in memory. Use null to keep them forever.
         '';

nixos/modules/programs/virtualbox-host.nix

@@ -3,34 +3,74 @@
 with lib;
 
 let
-  virtualbox = config.boot.kernelPackages.virtualbox;
+  cfg = config.services.virtualboxHost;
+  virtualbox = config.boot.kernelPackages.virtualbox.override {
+    inherit (cfg) enableHardening;
+  };
+
 in
 
 {
-  options = {
-    services.virtualboxHost.enable = mkEnableOption "VirtualBox Host support";
+  options.services.virtualboxHost = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable host-side support for VirtualBox.
+
+        <note><para>
+          In order to pass USB devices from the host to the guests, the user
+          needs to be in the <literal>vboxusers</literal> group.
+        </para></note>
+      '';
+    };
+
+    addNetworkInterface = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Automatically set up a vboxnet0 host-only network interface.
+      '';
+    };
+
+    enableHardening = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Enable hardened VirtualBox, which ensures that only the binaries in the
+        system path get access to the devices exposed by the kernel modules
+        instead of all users in the vboxusers group.
+
+        <important><para>
+          Disabling this can put your system's security at risk, as local users
+          in the vboxusers group can tamper with the VirtualBox device files.
+        </para></important>
+      '';
+    };
   };
 
-  config = mkIf config.services.virtualboxHost.enable {
+  config = mkIf cfg.enable (mkMerge [{
     boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
     boot.extraModulePackages = [ virtualbox ];
     environment.systemPackages = [ virtualbox ];
 
     security.setuidOwners = let
-      mkVboxStub = program: {
+      mkSuid = program: {
         inherit program;
+        source = "${virtualbox}/libexec/virtualbox/${program}";
         owner = "root";
         group = "vboxusers";
         setuid = true;
       };
-    in map mkVboxStub [
-      "VBoxBFE"
-      "VBoxBalloonCtrl"
+    in mkIf cfg.enableHardening (map mkSuid [
       "VBoxHeadless"
-      "VBoxManage"
+      "VBoxNetAdpCtl"
+      "VBoxNetDHCP"
+      "VBoxNetNAT"
       "VBoxSDL"
+      "VBoxVolInfo"
       "VirtualBox"
-    ];
+    ]);
 
     users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
 
@@ -46,7 +86,7 @@ in
       '';
 
     # Since we lack the right setuid binaries, set up a host-only network by default.
-
+  } (mkIf cfg.addNetworkInterface {
     systemd.services."vboxnet0" =
       { description = "VirtualBox vboxnet0 Interface";
         requires = [ "dev-vboxnetctl.device" ];
@@ -55,10 +95,13 @@ in
         path = [ virtualbox ];
         serviceConfig.RemainAfterExit = true;
         serviceConfig.Type = "oneshot";
+        serviceConfig.PrivateTmp = true;
+        environment.VBOX_USER_HOME = "/tmp";
         script =
           ''
             if ! [ -e /sys/class/net/vboxnet0 ]; then
               VBoxManage hostonlyif create
+              cat /tmp/VBoxSVC.log >&2
             fi
           '';
         postStop =
@@ -68,5 +111,5 @@ in
       };
 
     networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ];
-  };
+  })]);
 }

nixos/modules/rename.nix

@@ -33,7 +33,8 @@ let
   zipModules = list:
     zipAttrsWith (n: v:
       if tail v != [] then
-        if n == "_type" then (head v)
+        if all (o: isAttrs o && o ? _type) v then mkMerge v
+        else if n == "_type" then head v
         else if n == "warnings" then concatLists v
         else if n == "description" || n == "apply" then
           abort "Cannot rename an option to multiple options."
@@ -115,8 +116,8 @@ in zipModules ([]
 ++ obsolete [ "nix" "proxy" ] [ "networking" "proxy" "default" ]
 
 # KDE
-++ deprecated [ "kde" "extraPackages" ] [ "environment" "kdePackages" ]
-# ++ obsolete [ "environment" "kdePackages" ] [ "environment" "systemPackages" ] # !!! doesn't work!
+++ deprecated [ "kde" "extraPackages" ] [ "environment" "systemPackages" ]
+++ obsolete [ "environment" "kdePackages" ] [ "environment" "systemPackages" ]
 
 # Multiple efi bootloaders now
 ++ obsolete [ "boot" "loader" "efi" "efibootmgr" "enable" ] [ "boot" "loader" "efi" "canTouchEfiVariables" ]

nixos/modules/security/ca.nix

@@ -2,15 +2,66 @@
 
 with lib;
 
+let
+
+  caBundle = pkgs.runCommand "ca-bundle.crt"
+    { files =
+        config.security.pki.certificateFiles ++
+        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
+     }
+    ''
+      cat $files > $out
+    '';
+
+in
+
 {
 
+  options = {
+
+    security.pki.certificateFiles = mkOption {
+      type = types.listOf types.path;
+      default = [];
+      example = literalExample "[ \"\${pkgs.cacert}/etc/ca-bundle.crt\" ]";
+      description = ''
+        A list of files containing trusted root certificates in PEM
+        format. These are concatenated to form
+        <filename>/etc/ssl/certs/ca-bundle.crt</filename>, which is
+        used by many programs that use OpenSSL, such as
+        <command>curl</command> and <command>git</command>.
+      '';
+    };
+
+    security.pki.certificates = mkOption {
+      type = types.listOf types.string;
+      default = [];
+      example = singleton ''
+        NixOS.org
+        =========
+        -----BEGIN CERTIFICATE-----
+        MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
+        TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
+        ...
+        -----END CERTIFICATE-----
+      '';
+      description = ''
+        A list of trusted root certificates in PEM format.
+      '';
+    };
+
+  };
+
   config = {
 
-    environment.etc =
-      [ { source = "${pkgs.cacert}/etc/ca-bundle.crt";
-          target = "ssl/certs/ca-bundle.crt";
-        }
-      ];
+    security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ca-bundle.crt" ];
+
+    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
+
+    # CentOS/Fedora compatibility.
+    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
+
+    # Debian/Ubuntu/Arch/Gentoo compatibility.
+    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
 
     environment.sessionVariables =
       { SSL_CERT_FILE          = "/etc/ssl/certs/ca-bundle.crt";

nixos/modules/security/duosec.nix

@@ -110,7 +110,7 @@ in
         default = false;
         description = ''
           Print the contents of <literal>/etc/motd</literal> to screen
-          after a succesful login.
+          after a successful login.
         '';
       };
 
@@ -145,7 +145,7 @@ in
 
           When $DUO_PASSCODE is non-empty, it will override
           autopush. The SSH client will need SendEnv DUO_PASSCODE in
-          its configuration, and the SSH server will similarily need
+          its configuration, and the SSH server will similarly need
           AcceptEnv DUO_PASSCODE.
         '';
       };

nixos/modules/security/pam.nix

@@ -54,6 +54,14 @@ let
         '';
       };
 
+      oathAuth = mkOption {
+        default = config.security.pam.enableOATH;
+        type = types.bool;
+        description = ''
+          If set, the OATH Toolkit will be used.
+        '';
+      };
+
       sshAgentAuth = mkOption {
         default = false;
         type = types.bool;
@@ -185,6 +193,8 @@ let
               "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
           ${optionalString cfg.otpwAuth
               "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
+          ${optionalString cfg.oathAuth
+              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
           ${optionalString config.users.ldap.enable
               "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
           ${optionalString config.krb5.enable ''
@@ -220,6 +230,8 @@ let
               "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
           ${optionalString cfg.otpwAuth
               "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
+          ${optionalString cfg.oathAuth
+              "session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
           ${optionalString cfg.startSession
               "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
           ${optionalString cfg.forwardXAuth
@@ -317,6 +329,13 @@ in
       '';
     };
 
+    security.pam.enableOATH = mkOption {
+      default = false;
+      description = ''
+        Enable the OATH (one-time password) PAM module.
+      '';
+    };
+
     users.motd = mkOption {
       default = null;
       example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
@@ -336,7 +355,8 @@ in
       [ pkgs.pam ]
       ++ optional config.users.ldap.enable pam_ldap
       ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
-      ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ];
+      ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
+      ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ];
 
     environment.etc =
       mapAttrsToList (n: v: makePAMService v) config.security.pam.services;

nixos/modules/security/sudo.nix

@@ -64,7 +64,7 @@ in
     security.sudo.configFile =
       ''
         # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
-        # and security.sudo.extraConfig instead.
+        # or ‘security.sudo.extraConfig’ instead.
 
         # Environment variables to keep for root and %wheel.
         Defaults:root,%wheel env_keep+=TERMINFO_DIRS
@@ -90,11 +90,10 @@ in
     environment.etc = singleton
       { source =
           pkgs.runCommand "sudoers"
-	  {src = pkgs.writeText "sudoers-in" cfg.configFile; }
+          { src = pkgs.writeText "sudoers-in" cfg.configFile; }
           # Make sure that the sudoers file is syntactically valid.
           # (currently disabled - NIXOS-66)
-          "${pkgs.sudo}/sbin/visudo -f $src -c &&
-	      cp $src $out";
+          "${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
         target = "sudoers";
         mode = "0440";
       };

nixos/modules/services/cluster/fleet.nix

@@ -3,12 +3,12 @@
 with lib;
 
 let
-  cfg = config.virtualisation.fleet;
+  cfg = config.services.fleet;
 
 in {
 
   ##### Interface
-  options.virtualisation.fleet = {
+  options.services.fleet = {
     enable = mkOption {
       type = types.bool;
       default = false;

nixos/modules/services/cluster/kubernetes.nix

@@ -3,13 +3,13 @@
 with lib;
 
 let
-  cfg = config.virtualisation.kubernetes;
+  cfg = config.services.kubernetes;
 
 in {
 
   ###### interface
 
-  options.virtualisation.kubernetes = {
+  options.services.kubernetes = {
     package = mkOption {
       description = "Kubernetes package to use.";
       type = types.package;
@@ -420,15 +420,15 @@ in {
     })
 
     (mkIf (any (el: el == "master") cfg.roles) {
-      virtualisation.kubernetes.apiserver.enable = mkDefault true;
-      virtualisation.kubernetes.scheduler.enable = mkDefault true;
-      virtualisation.kubernetes.controllerManager.enable = mkDefault true;
+      services.kubernetes.apiserver.enable = mkDefault true;
+      services.kubernetes.scheduler.enable = mkDefault true;
+      services.kubernetes.controllerManager.enable = mkDefault true;
     })
 
     (mkIf (any (el: el == "node") cfg.roles) {
       virtualisation.docker.enable = mkDefault true;
-      virtualisation.kubernetes.kubelet.enable = mkDefault true;
-      virtualisation.kubernetes.proxy.enable = mkDefault true;
+      services.kubernetes.kubelet.enable = mkDefault true;
+      services.kubernetes.proxy.enable = mkDefault true;
     })
 
     (mkIf (any (el: el == "node" || el == "master") cfg.roles) {
@@ -442,7 +442,7 @@ in {
         cfg.kubelet.enable ||
         cfg.proxy.enable
     ) {
-      virtualisation.kubernetes.package = mkDefault pkgs.kubernetes; 
+      services.kubernetes.package = mkDefault pkgs.kubernetes;
 
       environment.systemPackages = [ cfg.package ];
 

nixos/modules/services/desktops/gnome3/gvfs.nix

@@ -1,6 +1,6 @@
 # gvfs backends
 
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -37,6 +37,8 @@ in
 
     services.dbus.packages = [ gnome3.gvfs ];
 
+    services.udev.packages = [ pkgs.libmtp ];
+
   };
 
 }

nixos/modules/services/hardware/udev.nix

@@ -236,7 +236,10 @@ in
 
     system.activationScripts.udevd =
       ''
-        echo "" > /proc/sys/kernel/hotplug
+        # The deprecated hotplug uevent helper is not used anymore
+        if [ -e /proc/sys/kernel/hotplug ]; then
+          echo "" > /proc/sys/kernel/hotplug
+        fi
 
         # Regenerate the hardware database /var/lib/udev/hwdb.bin
         # whenever systemd changes.

nixos/modules/services/mail/mlmmj.nix

@@ -90,7 +90,7 @@ in
       enable = true;
       recipientDelimiter= "+";
       extraMasterConf = ''
-        mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-recieve -F -L ${spoolDir}/$nextHop
+        mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L ${spoolDir}/$nextHop
       '';
 
       extraAliases = concatMapStrings (alias cfg.listDomain) cfg.mailLists;

nixos/modules/services/mail/postfix.nix

@@ -380,6 +380,7 @@ in
             ${pkgs.coreutils}/bin/chmod -R ug+rwX /var/postfix/queue
             ${pkgs.coreutils}/bin/chown root:root /var/spool/mail
             ${pkgs.coreutils}/bin/chmod a+rwxt /var/spool/mail
+            ${pkgs.coreutils}/bin/ln -sf /var/spool/mail /var/mail
 
             ln -sf "${pkgs.postfix}/share/postfix/conf/"* /var/postfix/conf
 

nixos/modules/services/misc/defaultUnicornConfig.rb

@@ -0,0 +1,206 @@
+# The following was taken from github.com/crohr/syslogger and is BSD
+# licensed.
+require 'syslog'
+require 'logger'
+require 'thread'
+
+class Syslogger
+
+  VERSION = "1.6.0"
+
+  attr_reader :level, :ident, :options, :facility, :max_octets
+  attr_accessor :formatter
+
+  MAPPING = {
+    Logger::DEBUG => Syslog::LOG_DEBUG,
+    Logger::INFO => Syslog::LOG_INFO,
+    Logger::WARN => Syslog::LOG_WARNING,
+    Logger::ERROR => Syslog::LOG_ERR,
+    Logger::FATAL => Syslog::LOG_CRIT,
+    Logger::UNKNOWN => Syslog::LOG_ALERT
+  }
+
+  #
+  # Initializes default options for the logger
+  # <tt>ident</tt>:: the name of your program [default=$0].
+  # <tt>options</tt>::  syslog options [default=<tt>Syslog::LOG_PID | Syslog::LOG_CONS</tt>].
+  #                     Correct values are:
+  #                       LOG_CONS    : writes the message on the console if an error occurs when sending the message;
+  #                       LOG_NDELAY  : no delay before sending the message;
+  #                       LOG_PERROR  : messages will also be written on STDERR;
+  #                       LOG_PID     : adds the process number to the message (just after the program name)
+  # <tt>facility</tt>:: the syslog facility [default=nil] Correct values include:
+  #                       Syslog::LOG_DAEMON
+  #                       Syslog::LOG_USER
+  #                       Syslog::LOG_SYSLOG
+  #                       Syslog::LOG_LOCAL2
+  #                       Syslog::LOG_NEWS
+  #                       etc.
+  #
+  # Usage:
+  #   logger = Syslogger.new("my_app", Syslog::LOG_PID | Syslog::LOG_CONS, Syslog::LOG_LOCAL0)
+  #   logger.level = Logger::INFO # use Logger levels
+  #   logger.warn "warning message"
+  #   logger.debug "debug message"
+  #
+  def initialize(ident = $0, options = Syslog::LOG_PID | Syslog::LOG_CONS, facility = nil)
+    @ident = ident
+    @options = options || (Syslog::LOG_PID | Syslog::LOG_CONS)
+    @facility = facility
+    @level = Logger::INFO
+    @mutex = Mutex.new
+    @formatter = Logger::Formatter.new
+  end
+
+  %w{debug info warn error fatal unknown}.each do |logger_method|
+    # Accepting *args as message could be nil.
+    #  Default params not supported in ruby 1.8.7
+    define_method logger_method.to_sym do |*args, &block|
+      return true if @level > Logger.const_get(logger_method.upcase)
+      message = args.first || block && block.call
+      add(Logger.const_get(logger_method.upcase), message)
+    end
+
+    unless logger_method == 'unknown'
+      define_method "#{logger_method}?".to_sym do
+        @level <= Logger.const_get(logger_method.upcase)
+      end
+    end
+  end
+
+  # Log a message at the Logger::INFO level. Useful for use with Rack::CommonLogger
+  def write(msg)
+    add(Logger::INFO, msg)
+  end
+
+  # Logs a message at the Logger::INFO level.
+  def <<(msg)
+    add(Logger::INFO, msg)
+  end
+
+  # Low level method to add a message.
+  # +severity+::  the level of the message. One of Logger::DEBUG, Logger::INFO, Logger::WARN, Logger::ERROR, Logger::FATAL, Logger::UNKNOWN
+  # +message+:: the message string.
+  #             If nil, the method will call the block and use the result as the message string.
+  #             If both are nil or no block is given, it will use the progname as per the behaviour of both the standard Ruby logger, and the Rails BufferedLogger.
+  # +progname+:: optionally, overwrite the program name that appears in the log message.
+  def add(severity, message = nil, progname = nil, &block)
+    if message.nil? && block.nil? && !progname.nil?
+      message, progname = progname, nil
+    end
+    progname ||= @ident
+
+    @mutex.synchronize do
+      Syslog.open(progname, @options, @facility) do |s|
+        s.mask = Syslog::LOG_UPTO(MAPPING[@level])
+        communication = clean(message || block && block.call)
+        if self.max_octets
+          buffer = "#{tags_text}"
+          communication.bytes do |byte|
+            buffer.concat(byte)
+            # if the last byte we added is potentially part of an escape, we'll go ahead and add another byte
+            if buffer.bytesize >= self.max_octets && !['%'.ord,'\\'.ord].include?(byte)
+              s.log(MAPPING[severity],buffer)
+              buffer = ""
+            end
+          end
+          s.log(MAPPING[severity],buffer) unless buffer.empty?
+        else
+          s.log(MAPPING[severity],"#{tags_text}#{communication}")
+        end
+      end
+    end
+  end
+
+  # Set the max octets of the messages written to the log
+  def max_octets=(max_octets)
+    @max_octets = max_octets
+  end
+
+  # Sets the minimum level for messages to be written in the log.
+  # +level+:: one of <tt>Logger::DEBUG</tt>, <tt>Logger::INFO</tt>, <tt>Logger::WARN</tt>, <tt>Logger::ERROR</tt>, <tt>Logger::FATAL</tt>, <tt>Logger::UNKNOWN</tt>
+  def level=(level)
+    level = Logger.const_get(level.to_s.upcase) if level.is_a?(Symbol)
+
+    unless level.is_a?(Fixnum)
+      raise ArgumentError.new("Invalid logger level `#{level.inspect}`")
+    end
+
+    @level = level
+  end
+
+  # Sets the ident string passed along to Syslog
+  def ident=(ident)
+    @ident = ident
+  end
+
+  # Tagging code borrowed from ActiveSupport gem
+  def tagged(*tags)
+    new_tags = push_tags(*tags)
+    yield self
+  ensure
+    pop_tags(new_tags.size)
+  end
+
+  def push_tags(*tags)
+    tags.flatten.reject{ |i| i.respond_to?(:empty?) ? i.empty? : !i }.tap do |new_tags|
+      current_tags.concat new_tags
+    end
+  end
+
+  def pop_tags(size = 1)
+    current_tags.pop size
+  end
+
+  def clear_tags!
+    current_tags.clear
+  end
+
+  protected
+
+  # Borrowed from SyslogLogger.
+  def clean(message)
+    message = message.to_s.dup
+    message.strip! # remove whitespace
+    message.gsub!(/\n/, '\\n') # escape newlines
+    message.gsub!(/%/, '%%') # syslog(3) freaks on % (printf)
+    message.gsub!(/\e\[[^m]*m/, '') # remove useless ansi color codes
+    message
+  end
+
+  private
+
+  def tags_text
+    tags = current_tags
+    if tags.any?
+      tags.collect { |tag| "[#{tag}] " }.join
+    end
+  end
+
+  def current_tags
+    Thread.current[:syslogger_tagged_logging_tags] ||= []
+  end
+end
+
+worker_processes 2
+working_directory ENV["GITLAB_PATH"]
+pid ENV["UNICORN_PATH"] + "/tmp/pids/unicorn.pid"
+
+listen ENV["UNICORN_PATH"] + "/tmp/sockets/gitlab.socket", :backlog => 1024
+listen "127.0.0.1:8080", :tcp_nopush => true
+
+timeout 60
+
+logger Syslogger.new
+
+preload_app true
+
+GC.respond_to?(:copy_on_write_friendly=) and
+  GC.copy_on_write_friendly = true
+
+check_client_connection false
+
+after_fork do |server, worker|
+  defined?(ActiveRecord::Base) and
+    ActiveRecord::Base.establish_connection
+end

nixos/modules/services/misc/disnix.nix

@@ -132,7 +132,7 @@ in
 
           restartIfChanged = false;
           
-          path = [ pkgs.nix pkgs.disnix dysnomia ];
+          path = [ pkgs.nix pkgs.disnix dysnomia "/run/current-system/sw" ];
           
           environment = {
             HOME = "/root";

nixos/modules/services/misc/gitlab.nix

@@ -0,0 +1,295 @@
+{ config, lib, pkgs, ... }:
+
+# TODO: support non-postgresql
+
+with lib;
+
+let
+  cfg = config.services.gitlab;
+
+  ruby = pkgs.ruby;
+  rubyLibs = pkgs.rubyLibs;
+
+  databaseYml = ''
+    production:
+      adapter: postgresql
+      database: ${cfg.databaseName}
+      host: ${cfg.databaseHost}
+      password: ${cfg.databasePassword}
+      username: ${cfg.databaseUsername}
+      encoding: utf8
+  '';
+  gitlabShellYml = ''
+    user: gitlab
+    gitlab_url: "http://${cfg.host}:${toString cfg.port}/"
+    http_settings:
+      self_signed_cert: false
+    repos_path: "${cfg.stateDir}/repositories"
+    log_file: "${cfg.stateDir}/log/gitlab-shell.log"
+    redis:
+      bin: ${pkgs.redis}/bin/redis-cli
+      host: 127.0.0.1
+      port: 6379
+      database: 0
+      namespace: resque:gitlab
+  '';
+
+  unicornConfig = builtins.readFile ./defaultUnicornConfig.rb;
+
+  gitlab-runner = pkgs.stdenv.mkDerivation rec {
+    name = "gitlab-runner";
+    buildInputs = [ pkgs.gitlab pkgs.rubyLibs.bundler pkgs.makeWrapper ];
+    phases = "installPhase fixupPhase";
+    buildPhase = "";
+    installPhase = ''
+      mkdir -p $out/bin
+      makeWrapper ${rubyLibs.bundler}/bin/bundle $out/bin/gitlab-runner\
+          --set RAKEOPT '"-f ${pkgs.gitlab}/share/gitlab/Rakefile"'\
+          --set UNICORN_PATH "${cfg.stateDir}/"\
+          --set GITLAB_PATH "${pkgs.gitlab}/share/gitlab/"\
+          --set GITLAB_APPLICATION_LOG_PATH "${cfg.stateDir}/log/application.log"\
+          --set GITLAB_SATELLITES_PATH "${cfg.stateDir}/satellites"\
+          --set GITLAB_SHELL_PATH "${pkgs.gitlab-shell}"\
+          --set GITLAB_REPOSITORIES_PATH "${cfg.stateDir}/repositories"\
+          --set GITLAB_SHELL_HOOKS_PATH "${cfg.stateDir}/shell/hooks"\
+          --set BUNDLE_GEMFILE "${pkgs.gitlab}/share/gitlab/Gemfile"\
+          --set GITLAB_EMAIL_FROM "${cfg.emailFrom}"\
+          --set GITLAB_SHELL_CONFIG_PATH "${cfg.stateDir}/shell/config.yml"\
+          --set GITLAB_SHELL_SECRET_PATH "${cfg.stateDir}/config/gitlab_shell_secret"\
+          --set GITLAB_HOST "${cfg.host}"\
+          --set GITLAB_PORT "${toString cfg.port}"\
+          --set GITLAB_BACKUP_PATH"${cfg.backupPath}"\
+          --set RAILS_ENV "production"
+    '';
+  };
+
+in {
+
+  options = {
+    services.gitlab = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable the gitlab service.
+        '';
+      };
+
+      satelliteDir = mkOption {
+        type = types.str;
+        default = "/var/gitlab/git-satellites";
+        description = "Gitlab directory to store checked out git trees requires for operation.";
+      };
+
+      stateDir = mkOption {
+        type = types.str;
+        default = "/var/gitlab/state";
+        description = "Gitlab state directory, logs are stored here.";
+      };
+
+      backupPath = mkOption {
+        type = types.str;
+        default = cfg.stateDir + "/backup";
+        description = "Gitlab path for backups.";
+      };
+
+      databaseHost = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = "Gitlab database hostname.";
+      };
+
+      databasePassword = mkOption {
+        type = types.str;
+        default = "";
+        description = "Gitlab database user password.";
+      };
+
+      databaseName = mkOption {
+        type = types.str;
+        default = "gitlab";
+        description = "Gitlab database name.";
+      };
+
+      databaseUsername = mkOption {
+        type = types.str;
+        default = "gitlab";
+        description = "Gitlab database user.";
+      };
+
+      emailFrom = mkOption {
+        type = types.str;
+        default = "example@example.org";
+        description = "The source address for emails sent by gitlab.";
+      };
+
+      host = mkOption {
+        type = types.str;
+        default = config.networking.hostName;
+        description = "Gitlab host name. Used e.g. for copy-paste URLs.";
+      };
+
+      port = mkOption {
+        type = types.int;
+        default = 8080;
+        description = "Gitlab server listening port.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [ gitlab-runner pkgs.gitlab-shell ];
+
+    assertions = [
+      { assertion = cfg.databasePassword != "";
+        message = "databasePassword must be set";
+      }
+    ];
+
+    # Redis is required for the sidekiq queue runner.
+    services.redis.enable = mkDefault true;
+    # We use postgres as the main data store.
+    services.postgresql.enable = mkDefault true;
+    services.postgresql.package = mkDefault pkgs.postgresql;
+    # Use postfix to send out mails.
+    services.postfix.enable = mkDefault true;
+
+    users.extraUsers = [
+      { name = "gitlab";
+        group = "gitlab";
+        home = "${cfg.stateDir}/home";
+        shell = "${pkgs.bash}/bin/bash";
+        uid = config.ids.uids.gitlab;
+      } ];
+
+    users.extraGroups = [
+      { name = "gitlab";
+        gid = config.ids.gids.gitlab;
+      } ];
+
+    systemd.services.gitlab-sidekiq = {
+      after = [ "network.target" "redis.service" ];
+      wantedBy = [ "multi-user.target" ];
+      environment.HOME = "${cfg.stateDir}/home";
+      environment.UNICORN_PATH = "${cfg.stateDir}/";
+      environment.GITLAB_PATH = "${pkgs.gitlab}/share/gitlab/";
+      environment.GITLAB_APPLICATION_LOG_PATH = "${cfg.stateDir}/log/application.log";
+      environment.GITLAB_SATELLITES_PATH = "${cfg.stateDir}/satellites";
+      environment.GITLAB_SHELL_PATH = "${pkgs.gitlab-shell}";
+      environment.GITLAB_REPOSITORIES_PATH = "${cfg.stateDir}/repositories";
+      environment.GITLAB_SHELL_HOOKS_PATH = "${cfg.stateDir}/shell/hooks";
+      environment.BUNDLE_GEMFILE = "${pkgs.gitlab}/share/gitlab/Gemfile";
+      environment.GITLAB_EMAIL_FROM = "${cfg.emailFrom}";
+      environment.GITLAB_SHELL_CONFIG_PATH = "${cfg.stateDir}/shell/config.yml";
+      environment.GITLAB_SHELL_SECRET_PATH = "${cfg.stateDir}/config/gitlab_shell_secret";
+      environment.GITLAB_HOST = "${cfg.host}";
+      environment.GITLAB_PORT = "${toString cfg.port}";
+      environment.GITLAB_DATABASE_HOST = "${cfg.databaseHost}";
+      environment.GITLAB_DATABASE_PASSWORD = "${cfg.databasePassword}";
+      environment.RAILS_ENV = "production";
+      path = with pkgs; [
+        config.services.postgresql.package
+        gitAndTools.git
+        ruby
+        openssh
+        nodejs
+      ];
+      serviceConfig = {
+        Type = "simple";
+        User = "gitlab";
+        Group = "gitlab";
+        TimeoutSec = "300";
+        WorkingDirectory = "${pkgs.gitlab}/share/gitlab";
+        ExecStart="${rubyLibs.bundler}/bin/bundle exec \"sidekiq -q post_receive -q mailer -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -e production -P ${cfg.stateDir}/tmp/sidekiq.pid\"";
+      };
+    };
+
+    systemd.services.gitlab = {
+      after = [ "network.target" "postgresql.service" "redis.service" ];
+      wantedBy = [ "multi-user.target" ];
+      environment.HOME = "${cfg.stateDir}/home";
+      environment.UNICORN_PATH = "${cfg.stateDir}/";
+      environment.GITLAB_PATH = "${pkgs.gitlab}/share/gitlab/";
+      environment.GITLAB_APPLICATION_LOG_PATH = "${cfg.stateDir}/log/application.log";
+      environment.GITLAB_SATELLITES_PATH = "${cfg.stateDir}/satellites";
+      environment.GITLAB_SHELL_PATH = "${pkgs.gitlab-shell}";
+      environment.GITLAB_REPOSITORIES_PATH = "${cfg.stateDir}/repositories";
+      environment.GITLAB_SHELL_HOOKS_PATH = "${cfg.stateDir}/shell/hooks";
+      environment.BUNDLE_GEMFILE = "${pkgs.gitlab}/share/gitlab/Gemfile";
+      environment.GITLAB_EMAIL_FROM = "${cfg.emailFrom}";
+      environment.GITLAB_HOST = "${cfg.host}";
+      environment.GITLAB_PORT = "${toString cfg.port}";
+      environment.GITLAB_DATABASE_HOST = "${cfg.databaseHost}";
+      environment.GITLAB_DATABASE_PASSWORD = "${cfg.databasePassword}";
+      environment.RAILS_ENV = "production";
+      path = with pkgs; [
+        config.services.postgresql.package
+        gitAndTools.git
+        ruby
+        openssh
+        nodejs
+      ];
+      preStart = ''
+        # TODO: use env vars
+        mkdir -p ${cfg.stateDir}
+        mkdir -p ${cfg.stateDir}/log
+        mkdir -p ${cfg.stateDir}/satellites
+        mkdir -p ${cfg.stateDir}/repositories
+        mkdir -p ${cfg.stateDir}/shell/hooks
+        mkdir -p ${cfg.stateDir}/tmp/pids
+        mkdir -p ${cfg.stateDir}/tmp/sockets
+        rm -rf ${cfg.stateDir}/config
+        mkdir -p ${cfg.stateDir}/config
+        # TODO: What exactly is gitlab-shell doing with the secret?
+        head -c 20 /dev/urandom > ${cfg.stateDir}/config/gitlab_shell_secret
+        mkdir -p ${cfg.stateDir}/home/.ssh
+        touch ${cfg.stateDir}/home/.ssh/authorized_keys
+
+        cp -rf ${pkgs.gitlab}/share/gitlab/config ${cfg.stateDir}/
+        cp ${pkgs.gitlab}/share/gitlab/VERSION ${cfg.stateDir}/VERSION
+
+        ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.stateDir}/config/database.yml
+        ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.stateDir}/config/unicorn.rb
+
+        chown -R gitlab:gitlab ${cfg.stateDir}/
+        chmod -R 755 ${cfg.stateDir}/
+
+        if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
+          if ! test -e "${cfg.stateDir}/db-created"; then
+            psql postgres -c "CREATE ROLE gitlab WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
+            ${config.services.postgresql.package}/bin/createdb --owner gitlab gitlab || true
+            touch "${cfg.stateDir}/db-created"
+
+            # force=yes disables the manual-interaction yes/no prompt
+            # which breaks without an stdin.
+            force=yes ${rubyLibs.bundler}/bin/bundle exec rake -f ${pkgs.gitlab}/share/gitlab/Rakefile gitlab:setup RAILS_ENV=production
+          fi
+        fi
+
+      # Install the shell required to push repositories
+      ln -fs ${pkgs.writeText "config.yml" gitlabShellYml} ${cfg.stateDir}/shell/config.yml
+      export GITLAB_SHELL_CONFIG_PATH=""${cfg.stateDir}/shell/config.yml
+      ${pkgs.gitlab-shell}/bin/install
+
+      # Change permissions in the last step because some of the
+      # intermediary scripts like to create directories as root.
+      chown -R gitlab:gitlab ${cfg.stateDir}/
+      chmod -R 755 ${cfg.stateDir}/
+      '';
+
+      serviceConfig = {
+        PermissionsStartOnly = true; # preStart must be run as root
+        Type = "simple";
+        User = "gitlab";
+        Group = "gitlab";
+        TimeoutSec = "300";
+        WorkingDirectory = "${pkgs.gitlab}/share/gitlab";
+        ExecStart="${rubyLibs.bundler}/bin/bundle exec \"unicorn -c ${cfg.stateDir}/config/unicorn.rb -E production\"";
+      };
+
+    };
+
+  };
+
+}

nixos/modules/services/misc/nix-daemon.nix

@@ -41,6 +41,8 @@ let
         build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths)
         binary-caches = ${toString cfg.binaryCaches}
         trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
+        trusted-users = ${toString cfg.trustedUsers}
+        allowed-users = ${toString cfg.allowedUsers}
         $extraOptions
         END
       '';
@@ -82,9 +84,10 @@ in
         description = ''
           This option defines the maximum number of concurrent tasks during
           one build. It affects, e.g., -j option for make. The default is 1.
-          Some builds may become non-deterministic with this option; use with
-          care! Packages will only be affected if enableParallelBuilding is
-          set for them.
+          The special value 0 means that the builder should use all
+          available CPU cores in the system. Some builds may become
+          non-deterministic with this option; use with care! Packages will
+          only be affected if enableParallelBuilding is set for them.
         '';
       };
 
@@ -225,7 +228,7 @@ in
 
       binaryCaches = mkOption {
         type = types.listOf types.str;
-        default = [ http://cache.nixos.org/ ];
+        default = [ https://cache.nixos.org/ ];
         description = ''
           List of binary cache URLs used to obtain pre-built binaries
           of Nix packages.
@@ -244,6 +247,36 @@ in
         '';
       };
 
+      trustedUsers = mkOption {
+        type = types.listOf types.str;
+        default = [ "root" ];
+        example = [ "root" "alice" "@wheel" ];
+        description = ''
+          A list of names of users that have additional rights when
+          connecting to the Nix daemon, such as the ability to specify
+          additional binary caches, or to import unsigned NARs. You
+          can also specify groups by prefixing them with
+          <literal>@</literal>; for instance,
+          <literal>@wheel</literal> means all users in the wheel
+          group.
+        '';
+      };
+
+      allowedUsers = mkOption {
+        type = types.listOf types.str;
+        default = [ "*" ];
+        example = [ "@wheel" "@builders" "alice" "bob" ];
+        description = ''
+          A list of names of users (separated by whitespace) that are
+          allowed to connect to the Nix daemon. As with
+          <option>nix.trustedUsers</option>, you can specify groups by
+          prefixing them with <literal>@</literal>. Also, you can
+          allow all users by specifying <literal>*</literal>. The
+          default is <literal>*</literal>. Note that trusted users are
+          always allowed to connect.
+        '';
+      };
+
     };
 
   };

nixos/modules/services/monitoring/dd-agent.nix

@@ -23,6 +23,7 @@ let
     # proxy_password: password
 
     # tags: mytag0, mytag1
+    ${optionalString (cfg.tags != null ) "tags: ${concatStringsSep "," cfg.tags }"}
 
     # collect_ec2_tags: no
     # recent_point_threshold: 30
@@ -80,6 +81,13 @@ in {
       type = types.str;
     };
 
+    tags = mkOption {
+      description = "The tags to mark this Datadog agent";
+      example = [ "test" "service" ];
+      default = null;
+      type = types.nullOr (types.listOf types.str);
+    };
+
     hostname = mkOption {
       description = "The hostname to show in the Datadog dashboard (optional)";
       default = null;
@@ -140,6 +148,7 @@ in {
         Restart = "always";
         RestartSec = 2;
       };
+      environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
       restartTriggers = [ pkgs.dd-agent ddConf postgresqlConfig nginxConfig ];
     };
 

nixos/modules/services/monitoring/munin.nix

@@ -34,7 +34,7 @@ let
         cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
 
         wrapProgram $file \
-          --set PATH "/run/current-system/sw/bin:/run/current-system/sw/sbin" \
+          --set PATH "/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin" \
           --set MUNIN_LIBDIR "${pkgs.munin}/lib" \
           --set MUNIN_PLUGSTATE "/var/run/munin"
 
@@ -194,7 +194,7 @@ in
 
         mkdir -p /etc/munin/plugins
         rm -rf /etc/munin/plugins/*
-        PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
+        PATH="/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
       '';
       serviceConfig = {
         ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";

nixos/modules/services/monitoring/scollector.nix

@@ -20,6 +20,10 @@ let
           cfg.collectors)}
     '';
 
+  cmdLineOpts = concatStringsSep " " (
+    [ "-h=${cfg.bosunHost}" "-c=${collectors}" ] ++ cfg.extraOpts
+  );
+
 in {
 
   options = {
@@ -69,7 +73,7 @@ in {
       };
 
       collectors = mkOption {
-        type = types.attrs;
+        type = with types; attrsOf (listOf path);
         default = {};
         example = literalExample "{ 0 = [ \"\${postgresStats}/bin/collect-stats\" ]; }";
         description = ''
@@ -79,6 +83,15 @@ in {
         '';
       };
 
+      extraOpts = mkOption {
+        type = with types; listOf str;
+        default = [];
+        example = [ "-d" ];
+        description = ''
+          Extra scollector command line options
+        '';
+      };
+
     };
 
   };
@@ -95,9 +108,7 @@ in {
         PermissionsStartOnly = true;
         User = cfg.user;
         Group = cfg.group;
-        ExecStart = ''
-          ${cfg.package}/bin/scollector -h=${cfg.bosunHost} -c=${collectors}
-        '';
+        ExecStart = "${cfg.package}/bin/scollector ${cmdLineOpts}";
       };
     };
 

nixos/modules/services/monitoring/statsd.nix

@@ -53,7 +53,7 @@ in
     };
 
     mgmt_address = mkOption {
-      description = "Address to run managment TCP interface on";
+      description = "Address to run management TCP interface on";
       default = "127.0.0.1";
       type = types.str;
     };
@@ -65,7 +65,7 @@ in
     };
 
     backends = mkOption {
-      description = "List of backends statsd will use for data persistance";
+      description = "List of backends statsd will use for data persistence";
       default = ["graphite"];
       example = ["graphite" pkgs.nodePackages."statsd-influxdb-backend"];
       type = types.listOf (types.either types.str types.package);

nixos/modules/services/network-filesystems/nfsd.nix

@@ -61,7 +61,7 @@ in
           default = null;
           example = 4002;
           description = ''
-            Use fixed port for rpc.mountd, usefull if server is behind firewall.
+            Use fixed port for rpc.mountd, useful if server is behind firewall.
           '';
         };
 

nixos/modules/services/networking/dnsmasq.nix

@@ -28,6 +28,7 @@ in
     services.dnsmasq = {
 
       enable = mkOption {
+        type = types.bool;
         default = false;
         description = ''
           Whether to run dnsmasq.
@@ -35,14 +36,16 @@ in
       };
 
       resolveLocalQueries = mkOption {
+        type = types.bool;
         default = true;
         description = ''
           Whether dnsmasq should resolve local queries (i.e. add 127.0.0.1 to
-          /etc/resolv.conf)
+          /etc/resolv.conf).
         '';
       };
 
       servers = mkOption {
+        type = types.listOf types.string;
         default = [];
         example = [ "8.8.8.8" "8.8.4.4" ];
         description = ''
@@ -51,11 +54,11 @@ in
       };
 
       extraConfig = mkOption {
-        type = types.string;
+        type = types.lines;
         default = "";
         description = ''
           Extra configuration directives that should be added to
-          <literal>dnsmasq.conf</literal>
+          <literal>dnsmasq.conf</literal>.
         '';
       };
 
@@ -81,8 +84,8 @@ in
       };
 
     systemd.services.dnsmasq = {
-        description = "dnsmasq daemon";
-        after = [ "network.target" "systemd-resolved.conf" ];
+        description = "Dnsmasq Daemon";
+        after = [ "network.target" "systemd-resolved.service" ];
         wantedBy = [ "multi-user.target" ];
         path = [ dnsmasq ];
         preStart = ''

nixos/modules/services/networking/i2pd.nix

@@ -142,7 +142,7 @@ in
           type = types.int;
           default = 80;
           description = ''
-            Port to forward incoming trafic to. 80 by default.
+            Port to forward incoming traffic to. 80 by default.
           '';
         };
         keyFile = mkOption {
@@ -195,4 +195,4 @@ in
     };
   };
 }
-#
+#

nixos/modules/services/networking/minidlna.nix

@@ -97,7 +97,7 @@ in
             Type = "forking";
             PIDFile = "/run/minidlna/pid";
             ExecStart =
-              "@${pkgs.minidlna}/sbin/minidlna minidlna -P /run/minidlna/pid" +
+              "@${pkgs.minidlna}/sbin/minidlnad minidlnad -P /run/minidlna/pid" +
               " -f ${pkgs.writeText "minidlna.conf" cfg.config}";
           };
       };

nixos/modules/services/networking/networkmanager.nix

@@ -194,7 +194,7 @@ in {
     };
 
     powerManagement.resumeCommands = ''
-      Systemctl restart network-manager
+      ${config.systemd.package}/bin/systemctl restart network-manager
     '';
 
     security.polkit.extraConfig = polkitConf;

nixos/modules/services/networking/ntpd.nix

@@ -11,19 +11,15 @@ let
   ntpUser = "ntp";
 
   configFile = pkgs.writeText "ntp.conf" ''
-    # Keep the drift file in ${stateDir}/ntp.drift.  However, since we
-    # chroot to ${stateDir}, we have to specify it as /ntp.drift.
-    driftfile /ntp.drift
+    driftfile ${stateDir}/ntp.drift
 
-    restrict default kod nomodify notrap nopeer noquery
-    restrict -6 default kod nomodify notrap nopeer noquery
     restrict 127.0.0.1
     restrict -6 ::1
 
     ${toString (map (server: "server " + server + " iburst\n") config.services.ntp.servers)}
   '';
 
-  ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup -i ${stateDir}";
+  ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup";
 
 in
 
@@ -64,7 +60,7 @@ in
 
   config = mkIf config.services.ntp.enable {
 
-    # Make tools such as ntpq available in the system path
+    # Make tools such as ntpq available in the system path.
     environment.systemPackages = [ pkgs.ntp ];
 
     users.extraUsers = singleton
@@ -74,20 +70,21 @@ in
         home = stateDir;
       };
 
-    jobs.ntpd =
+    systemd.services.ntpd =
       { description = "NTP Daemon";
 
         wantedBy = [ "multi-user.target" ];
 
-        path = [ ntp ];
-
         preStart =
           ''
             mkdir -m 0755 -p ${stateDir}
             chown ${ntpUser} ${stateDir}
           '';
 
-        exec = "ntpd -g -n ${ntpFlags}";
+        serviceConfig = {
+          ExecStart = "@${ntp}/bin/ntpd ntpd -g ${ntpFlags}";
+          Type = "forking";
+        };
       };
 
   };

nixos/modules/services/networking/ssh/sshd.nix

@@ -17,13 +17,11 @@ let
 
   knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
 
-  knownHostsFile = pkgs.runCommand "ssh_known_hosts" {} ''
-    touch "$out"
-    ${flip concatMapStrings knownHosts (h: ''
-      pubkeyfile=${builtins.toFile "host.pub" (if h.publicKey == null then readFile h.publicKeyFile else h.publicKey)}
-      ${pkgs.gnused}/bin/sed 's/^/${concatStringsSep "," h.hostNames} /' $pubkeyfile >> "$out"
-    '')}
-  '';
+  knownHostsText = flip (concatMapStringsSep "\n") knownHosts
+    (h:
+      concatStringsSep "," h.hostNames + " "
+      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+    );
 
   userOptions = {
 
@@ -277,6 +275,16 @@ in
         };
       };
 
+      moduliFile = mkOption {
+        example = "services.openssh.moduliFile = /etc/my-local-ssh-moduli;";
+        type = types.path;
+        description = ''
+          Path to <literal>moduli</literal> file to install in
+          <literal>/etc/ssh/moduli</literal>. If this option is unset, then
+          the <literal>moduli</literal> file shipped with OpenSSH will be used.
+        '';
+      };
+
     };
 
     users.extraUsers = mkOption {
@@ -297,11 +305,13 @@ in
         home = "/var/empty";
       };
 
+    services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
+
     environment.etc = authKeysFiles ++ [
-      { source = "${cfgc.package}/etc/ssh/moduli";
+      { source = cfg.moduliFile;
         target = "ssh/moduli";
       }
-      { source = knownHostsFile;
+      { text = knownHostsText;
         target = "ssh/ssh_known_hosts";
       }
     ];

nixos/modules/services/networking/strongswan.nix

@@ -118,7 +118,7 @@ in
     systemd.services.strongswan = {
       description = "strongSwan IPSec Service";
       wantedBy = [ "multi-user.target" ];
-      path = with pkgs; [ kmod ]; # XXX Linux
+      path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
       wants = [ "keys.target" ];
       after = [ "network.target" "keys.target" ];
       environment = {

nixos/modules/services/networking/tcpcrypt.nix

@@ -44,6 +44,8 @@ in
       path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ];
 
       preStart = ''
+        mkdir -p /var/run/tcpcryptd
+        chown tcpcryptd /var/run/tcpcryptd
         sysctl -n net.ipv4.tcp_ecn >/run/pre-tcpcrypt-ecn-state
         sysctl -w net.ipv4.tcp_ecn=0
 

nixos/modules/services/networking/tftpd.nix

@@ -9,16 +9,18 @@ with lib;
   options = {
 
     services.tftpd.enable = mkOption {
+      type = types.bool;
       default = false;
       description = ''
-        Whether to enable the anonymous FTP user.
+        Whether to enable tftpd, a Trivial File Transfer Protocol server.
       '';
     };
 
     services.tftpd.path = mkOption {
+      type = types.path;
       default = "/home/tftp";
       description = ''
-        Where the tftp server files are stored
+        Where the tftp server files are stored.
       '';
     };
 

nixos/modules/services/printing/cupsd.nix

@@ -11,20 +11,16 @@ let
   additionalBackends = pkgs.runCommand "additional-cups-backends" { }
     ''
       mkdir -p $out
-      if [ ! -e ${pkgs.cups}/lib/cups/backend/smb ]; then
+      if [ ! -e ${cups}/lib/cups/backend/smb ]; then
         mkdir -p $out/lib/cups/backend
         ln -sv ${pkgs.samba}/bin/smbspool $out/lib/cups/backend/smb
       fi
 
       # Provide support for printing via HTTPS.
-      if [ ! -e ${pkgs.cups}/lib/cups/backend/https ]; then
+      if [ ! -e ${cups}/lib/cups/backend/https ]; then
         mkdir -p $out/lib/cups/backend
-        ln -sv ${pkgs.cups}/lib/cups/backend/ipp $out/lib/cups/backend/https
+        ln -sv ${cups}/lib/cups/backend/ipp $out/lib/cups/backend/https
       fi
-
-      # Import filter configuration from Ghostscript.
-      mkdir -p $out/share/cups/mime/
-      ln -v -s "${pkgs.ghostscript}/etc/cups/"* $out/share/cups/mime/
     '';
 
   # Here we can enable additional backends, filters, etc. that are not
@@ -90,6 +86,15 @@ in
         '';
       };
 
+      cupsFilesConf = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          The contents of the configuration file of the CUPS daemon
+          (<filename>cups-files.conf</filename>).
+        '';
+      };
+
       extraConf = mkOption {
         type = types.lines;
         default = "";
@@ -153,13 +158,9 @@ in
 
     environment.systemPackages = [ cups ];
 
-    environment.variables.CUPS_SERVERROOT = "/etc/cups";
-
-    environment.etc = [
-      { source = pkgs.writeText "client.conf" cfg.clientConf;
-        target = "cups/client.conf";
-      }
-    ];
+    environment.etc."cups/client.conf".text = cfg.clientConf;
+    environment.etc."cups/cups-files.conf".text = cfg.cupsFilesConf;
+    environment.etc."cups/cupsd.conf".text = cfg.cupsdConf;
 
     services.dbus.packages = [ cups ];
 
@@ -186,35 +187,26 @@ in
           '';
 
         serviceConfig.Type = "forking";
-        serviceConfig.ExecStart = "@${cups}/sbin/cupsd cupsd -c ${pkgs.writeText "cupsd.conf" cfg.cupsdConf}";
+        serviceConfig.ExecStart = "@${cups}/sbin/cupsd cupsd";
+
+        restartTriggers =
+          [ config.environment.etc."cups/cups-files.conf".source
+            config.environment.etc."cups/cupsd.conf".source
+          ];
       };
 
     services.printing.drivers =
-      [ pkgs.cups pkgs.ghostscript pkgs.cups_filters additionalBackends
+      [ cups pkgs.ghostscript pkgs.cups_filters additionalBackends
         pkgs.perl pkgs.coreutils pkgs.gnused pkgs.bc pkgs.gawk pkgs.gnugrep
       ];
 
-    services.printing.cupsdConf =
+    services.printing.cupsFilesConf =
       ''
-        LogLevel info
-
         SystemGroup root wheel
 
-        ${concatMapStrings (addr: ''
-          Listen ${addr}
-        '') cfg.listenAddresses}
-        Listen /var/run/cups/cups.sock
-
-        # Note: we can't use ${cups}/etc/cups as the ServerRoot, since
-        # CUPS will write in the ServerRoot when e.g. adding new printers
-        # through the web interface.
-        ServerRoot /etc/cups
-
         ServerBin ${bindir}/lib/cups
         DataDir ${bindir}/share/cups
 
-        SetEnv PATH ${bindir}/lib/cups/filter:${bindir}/bin:${bindir}/sbin
-
         AccessLog syslog
         ErrorLog syslog
         PageLog syslog
@@ -227,6 +219,18 @@ in
         # these programs to run as `lp' as well.
         User cups
         Group lp
+      '';
+
+    services.printing.cupsdConf =
+      ''
+        LogLevel info
+
+        ${concatMapStrings (addr: ''
+          Listen ${addr}
+        '') cfg.listenAddresses}
+        Listen /var/run/cups/cups.sock
+
+        SetEnv PATH ${bindir}/lib/cups/filter:${bindir}/bin:${bindir}/sbin
 
         Browsing On
         BrowseOrder allow,deny
@@ -272,6 +276,7 @@ in
             Order deny,allow
           </Limit>
         </Policy>
+
         ${cfg.extraConf}
       '';
 

nixos/modules/services/scheduling/cron.nix

@@ -97,12 +97,10 @@ in
 
     environment.systemPackages = [ cronNixosPkg ];
 
-    jobs.cron =
+    systemd.services.cron =
       { description = "Cron Daemon";
 
-        startOn = "startup";
-
-        path = [ cronNixosPkg ];
+        wantedBy = [ "multi-user.target" ];
 
         preStart =
           ''
@@ -119,7 +117,8 @@ in
             fi
           '';
 
-        exec = "cron -n";
+        restartTriggers = [ config.environment.etc.localtime.source ];
+        serviceConfig.ExecStart = "${cronNixosPkg}/bin/cron -n";
       };
 
   };

nixos/modules/services/security/tor.nix

@@ -17,7 +17,8 @@ let
   ''
   # Client connection config
   + optionalString cfg.client.enable  ''
-    SOCKSPort ${cfg.client.socksListenAddress}
+    SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
+    SOCKSPort ${cfg.client.socksListenAddressFaster}
     ${opt "SocksPolicy" cfg.client.socksPolicy}
   ''
   # Relay config
@@ -93,10 +94,23 @@ in
           example = "192.168.0.1:9100";
           description = ''
             Bind to this address to listen for connections from
-            Socks-speaking applications.
+            Socks-speaking applications. Provides strong circuit
+            isolation, separate circuit per IP address.
           '';
         };
 
+        socksListenAddressFaster = mkOption {
+          type = types.str;
+          default = "127.0.0.1:9063";
+          example = "192.168.0.1:9101";
+          description = ''
+            Bind to this address to listen for connections from
+            Socks-speaking applications. Same as socksListenAddress
+            but uses weaker circuit isolation to provide performance
+            suitable for a web browser.
+           '';
+         };
+
         socksPolicy = mkOption {
           type = types.nullOr types.str;
           default = null;
@@ -108,6 +122,22 @@ in
             SocksListenAddress.
           '';
         };
+
+        privoxy.enable = mkOption {
+          default = true;
+          description = ''
+            Whether to enable and configure the system Privoxy to use Tor's
+            faster port, suitable for HTTP.
+
+            To have anonymity, protocols need to be scrubbed of identifying
+            information, and this can be accomplished for HTTP by Privoxy.
+
+            Privoxy can also be useful for KDE torification. A good setup would be:
+            setting SOCKS proxy to the default Tor port, providing maximum
+            circuit isolation where possible; and setting HTTP proxy to Privoxy
+            to route HTTP traffic over faster, but less isolated port.
+          '';
+        };
       };
 
       relay = {
@@ -322,5 +352,16 @@ in
       };
 
     environment.systemPackages = [ pkgs.tor ];
+
+    services.privoxy = mkIf (cfg.client.enable && cfg.client.privoxy.enable) {
+      enable = true;
+      extraConfig = ''
+        forward-socks4a / ${cfg.client.socksListenAddressFaster} .
+        toggle  1
+        enable-remote-toggle 0
+        enable-edit-actions 0
+        enable-remote-http-toggle 0
+      '';
+    };
   };
 }

nixos/modules/services/security/torify.nix

@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+
+  cfg = config.services.tor;
+
+  torify = pkgs.writeTextFile {
+    name = "tsocks";
+    text = ''
+        #!${pkgs.stdenv.shell}
+        TSOCKS_CONF_FILE=${pkgs.writeText "tsocks.conf" cfg.tsocks.config} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" "$@"
+    '';
+    executable = true;
+    destination = "/bin/tsocks";
+  };
+
+in
+
+{
+
+  ###### interface
+  
+  options = {
+  
+    services.tor.tsocks = {
+
+      enable = mkOption {
+        default = cfg.enable && cfg.client.enable;
+        description = ''
+          Whether to build tsocks wrapper script to relay application traffic via TOR.
+        '';
+      };
+
+      server = mkOption {
+        default = "localhost:9050";
+        example = "192.168.0.20";
+        description = ''
+          IP address of TOR client to use.
+        '';
+      };
+
+      config = mkOption {
+        default = "";
+        description = ''
+          Extra configuration. Contents will be added verbatim to TSocks
+          configuration file.
+        '';
+      };
+
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.tsocks.enable {
+
+    environment.systemPackages = [ torify ];  # expose it to the users
+
+    services.tor.tsocks.config = ''
+      server = ${toString(head (splitString ":" cfg.tsocks.server))}
+      server_port = ${toString(tail (splitString ":" cfg.tsocks.server))}
+
+      local = 127.0.0.0/255.128.0.0
+      local = 127.128.0.0/255.192.0.0
+    '';
+  };
+
+}

nixos/modules/services/security/torsocks.nix

@@ -6,9 +6,9 @@ let
   cfg = config.services.tor.torsocks;
   optionalNullStr = b: v: optionalString (b != null) v;
 
-  configFile = ''
-    TorAddress ${toString (head (splitString ":" cfg.server))}
-    TorPort    ${toString (tail (splitString ":" cfg.server))}
+  configFile = server: ''
+    TorAddress ${toString (head (splitString ":" server))}
+    TorPort    ${toString (tail (splitString ":" server))}
 
     OnionAddrRange ${cfg.onionAddrRange}
 
@@ -19,13 +19,24 @@ let
 
     AllowInbound ${if cfg.allowInbound then "1" else "0"}
   '';
+
+  wrapTorsocks = name: server: pkgs.writeTextFile {
+    name = name;
+    text = ''
+        #!${pkgs.stdenv.shell}
+        TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (configFile server)} ${pkgs.torsocks}/bin/torsocks "$@"
+    '';
+    executable = true;
+    destination = "/bin/${name}";
+  };
+
 in
 {
   options = {
     services.tor.torsocks = {
       enable = mkOption {
         type        = types.bool;
-        default     = false;
+        default     = config.services.tor.enable && config.services.tor.client.enable;
         description = ''
           Whether to build <literal>/etc/tor/torsocks.conf</literal>
           containing the specified global torsocks configuration.
@@ -42,6 +53,16 @@ in
         '';
       };
 
+      fasterServer = mkOption {
+        type    = types.str;
+        default = "127.0.0.1:9063";
+        example = "192.168.0.20:1234";
+        description = ''
+          IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP.
+          Currently, hostnames are NOT supported by torsocks.
+        '';
+      };
+
       onionAddrRange = mkOption {
         type    = types.str;
         default = "127.42.42.0/24";
@@ -89,10 +110,10 @@ in
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.torsocks ];
+    environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ];
 
     environment.etc =
-      [ { source = pkgs.writeText "torsocks.conf" configFile;
+      [ { source = pkgs.writeText "torsocks.conf" (configFile cfg.server);
           target = "tor/torsocks.conf";
         }
       ];

nixos/modules/services/system/dbus.nix

@@ -130,6 +130,11 @@ in
         config.system.path
       ];
 
+    # Don't restart dbus-daemon. Bad things tend to happen if we do.
+    systemd.services.dbus.reloadIfChanged = true;
+
+    systemd.services.dbus.restartTriggers = [ configDir ];
+
     environment.pathsToLink = [ "/etc/dbus-1" "/share/dbus-1" ];
 
   };

nixos/modules/services/web-servers/apache-httpd/default.nix

@@ -98,9 +98,6 @@ let
       # Authorization: is the user allowed access?
       "authz_user" "authz_groupfile" "authz_host"
 
-      # For compatibility with old configurations, the new module mod_access_compat is provided.
-      (if version24 then "access_compat" else "")
-
       # Other modules.
       "ext_filter" "include" "log_config" "env" "mime_magic"
       "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
@@ -115,6 +112,8 @@ let
       "cache" "cache_disk"
       "slotmem_shm"
       "socache_shmcb"
+      # For compatibility with old configurations, the new module mod_access_compat is provided.
+      "access_compat"
     ]
     ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
     ++ optional enableSSL "ssl"
@@ -229,6 +228,9 @@ let
     ${if cfg.sslServerCert != null then ''
       SSLCertificateFile ${cfg.sslServerCert}
       SSLCertificateKeyFile ${cfg.sslServerKey}
+      ${if cfg.sslServerChain != null then ''
+        SSLCertificateChainFile ${cfg.sslServerChain}
+      '' else ""}
     '' else ""}
 
     ${if cfg.enableSSL then ''

nixos/modules/services/web-servers/apache-httpd/per-server-options.nix

@@ -56,6 +56,13 @@ with lib;
     description = "Path to server SSL certificate key.";
   };
 
+  sslServerChain = mkOption {
+    type = types.nullOr types.path;
+    default = null;
+    example = "/var/ca.pem";
+    description = "Path to server SSL extra chain file.";
+  };
+
   adminAddr = mkOption ({
     type = types.nullOr types.str;
     example = "admin@example.org";

nixos/modules/services/web-servers/zope2.nix

@@ -24,7 +24,7 @@ let
       http_address = mkOption {
         default = "localhost:8080";
         type = types.string;
-        description = "Give a port and adress for the HTTP server.";
+        description = "Give a port and address for the HTTP server.";
       };
 
       user = mkOption {

nixos/modules/services/x11/desktop-managers/kde4.nix

@@ -70,14 +70,6 @@ in
         description = "Custom kde-workspace, used for NixOS rebranding.";
       };
     };
-
-    environment.kdePackages = mkOption {
-      default = [];
-      example = literalExample "[ pkgs.kde4.kdesdk ]";
-      type = types.listOf types.package;
-      description = "This option is obsolete.  Please use <option>environment.systemPackages</option> instead.";
-    };
-
   };
 
 

nixos/modules/services/x11/display-managers/default.nix

@@ -25,7 +25,7 @@ let
 
   fontconfig = config.fonts.fontconfig;
   xresourcesXft = pkgs.writeText "Xresources-Xft" ''
-    ${optionalString (fontconfig.dpi != 0) ''Xft.dpi: ${fontconfig.dpi}''}
+    ${optionalString (fontconfig.dpi != 0) ''Xft.dpi: ${toString fontconfig.dpi}''}
     Xft.antialias: ${if fontconfig.antialias then "1" else "0"}
     Xft.rgba: ${fontconfig.subpixel.rgba}
     Xft.lcdfilter: lcd${fontconfig.subpixel.lcdfilter}
@@ -189,7 +189,7 @@ in
       xserverArgs = mkOption {
         type = types.listOf types.str;
         default = [];
-        example = [ "-ac" "-logverbose" "-nolisten tcp" ];
+        example = [ "-ac" "-logverbose" "-verbose" "-nolisten tcp" ];
         description = "List of arguments for the X server.";
         apply = toString;
       };

nixos/modules/services/x11/xserver.nix

@@ -483,8 +483,6 @@ in
 
     services.xserver.displayManager.xserverArgs =
       [ "-ac"
-        "-logverbose"
-        "-verbose"
         "-terminate"
         "-logfile" "/var/log/X.${toString cfg.display}.log"
         "-config ${configFile}"

nixos/modules/system/activation/switch-to-configuration.pl

@@ -9,19 +9,21 @@ use Cwd 'abs_path';
 
 my $out = "@out@";
 
+# To be robust against interruption, record what units need to be started etc.
 my $startListFile = "/run/systemd/start-list";
 my $restartListFile = "/run/systemd/restart-list";
 my $reloadListFile = "/run/systemd/reload-list";
 
 my $action = shift @ARGV;
 
-if (!defined $action || ($action ne "switch" && $action ne "boot" && $action ne "test")) {
+if (!defined $action || ($action ne "switch" && $action ne "boot" && $action ne "test" && $action ne "dry-activate")) {
     print STDERR <<EOF;
 Usage: $0 [switch|boot|test]
 
-switch: make the configuration the boot default and activate now
-boot:   make the configuration the boot default
-test:   activate the configuration, but don\'t make it the boot default
+switch:       make the configuration the boot default and activate now
+boot:         make the configuration the boot default
+test:         activate the configuration, but don\'t make it the boot default
+dry-activate: show what would be done if this configuration were activated
 EOF
     exit 1;
 }
@@ -56,8 +58,6 @@ EOF
     exit 100;
 }
 
-syslog(LOG_NOTICE, "switching to system configuration $out");
-
 # Ignore SIGHUP so that we're not killed if we're running on (say)
 # virtual console 1 and we restart the "tty1" unit.
 $SIG{PIPE} = "IGNORE";
@@ -116,6 +116,11 @@ sub boolIsTrue {
     return $s eq "yes" || $s eq "true";
 }
 
+sub recordUnit {
+    my ($fn, $unit) = @_;
+    write_file($fn, { append => 1 }, "$unit\n") if $action ne "dry-activate";
+}
+
 # As a fingerprint for determining whether a unit has changed, we use
 # its absolute path. If it has an override file, we append *its*
 # absolute path as well.
@@ -124,9 +129,20 @@ sub fingerprintUnit {
     return abs_path($s) . (-f "${s}.d/overrides.conf" ? " " . abs_path "${s}.d/overrides.conf" : "");
 }
 
-# Stop all services that no longer exist or have changed in the new
-# configuration.
-my (@unitsToStop, @unitsToSkip);
+# Figure out what units need to be stopped, started, restarted or reloaded.
+my (%unitsToStop, %unitsToSkip, %unitsToStart, %unitsToRestart, %unitsToReload);
+
+my %unitsToFilter; # units not shown
+
+$unitsToStart{$_} = 1 foreach
+    split('\n', read_file($startListFile, err_mode => 'quiet') // "");
+
+$unitsToRestart{$_} = 1 foreach
+    split('\n', read_file($restartListFile, err_mode => 'quiet') // "");
+
+$unitsToReload{$_} = 1 foreach
+    split '\n', read_file($reloadListFile, err_mode => 'quiet') // "";
+
 my $activePrev = getActiveUnits;
 while (my ($unit, $state) = each %{$activePrev}) {
     my $baseUnit = $unit;
@@ -141,7 +157,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
 
     if (-e $prevUnitFile && ($state->{state} eq "active" || $state->{state} eq "activating")) {
         if (! -e $newUnitFile || abs_path($newUnitFile) eq "/dev/null") {
-            push @unitsToStop, $unit;
+            $unitsToStop{$unit} = 1;
         }
 
         elsif ($unit =~ /\.target$/) {
@@ -155,7 +171,10 @@ while (my ($unit, $state) = each %{$activePrev}) {
             # should not be the case.  Just ignore it.
             if ($unit ne "suspend.target" && $unit ne "hibernate.target" && $unit ne "hybrid-sleep.target") {
                 unless (boolIsTrue($unitInfo->{'RefuseManualStart'} // "no")) {
-                    write_file($startListFile, { append => 1 }, "$unit\n");
+                    $unitsToStart{$unit} = 1;
+                    recordUnit($startListFile, $unit);
+                    # Don't spam the user with target units that always get started.
+                    $unitsToFilter{$unit} = 1;
                 }
             }
 
@@ -171,7 +190,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
             # (unless there is a PartOf dependency), so this is just a
             # bookkeeping thing to get systemd to do the right thing.
             if (boolIsTrue($unitInfo->{'X-StopOnReconfiguration'} // "no")) {
-                push @unitsToStop, $unit;
+                $unitsToStop{$unit} = 1;
             }
         }
 
@@ -180,16 +199,18 @@ while (my ($unit, $state) = each %{$activePrev}) {
                 # Do nothing.  These cannot be restarted directly.
             } elsif ($unit =~ /\.mount$/) {
                 # Reload the changed mount unit to force a remount.
-                write_file($reloadListFile, { append => 1 }, "$unit\n");
-            } elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/) {
+                $unitsToReload{$unit} = 1;
+                recordUnit($reloadListFile, $unit);
+            } elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/ || $unit =~ /\.slice$/) {
                 # FIXME: do something?
             } else {
                 my $unitInfo = parseUnit($newUnitFile);
                 if (boolIsTrue($unitInfo->{'X-ReloadIfChanged'} // "no")) {
-                    write_file($reloadListFile, { append => 1 }, "$unit\n");
+                    $unitsToReload{$unit} = 1;
+                    recordUnit($reloadListFile, $unit);
                 }
                 elsif (!boolIsTrue($unitInfo->{'X-RestartIfChanged'} // "yes") || boolIsTrue($unitInfo->{'RefuseManualStop'} // "no") ) {
-                    push @unitsToSkip, $unit;
+                    $unitsToSkip{$unit} = 1;
                 } else {
                     # If this unit is socket-activated, then stop the
                     # socket unit(s) as well, and restart the
@@ -202,8 +223,9 @@ while (my ($unit, $state) = each %{$activePrev}) {
                         }
                         foreach my $socket (@sockets) {
                             if (defined $activePrev->{$socket}) {
-                                push @unitsToStop, $socket;
-                                write_file($startListFile, { append => 1 }, "$socket\n");
+                                $unitsToStop{$unit} = 1;
+                                $unitsToStart{$unit} = 1;
+                                recordUnit($startListFile, $socket);
                                 $socketActivated = 1;
                             }
                         }
@@ -213,7 +235,8 @@ while (my ($unit, $state) = each %{$activePrev}) {
 
                         # This unit should be restarted instead of
                         # stopped and started.
-                        write_file($restartListFile, { append => 1 }, "$unit\n");
+                        $unitsToRestart{$unit} = 1;
+                        recordUnit($restartListFile, $unit);
 
                     } else {
 
@@ -222,10 +245,11 @@ while (my ($unit, $state) = each %{$activePrev}) {
                         # We write this to a file to ensure that the
                         # service gets restarted if we're interrupted.
                         if (!$socketActivated) {
-                            write_file($startListFile, { append => 1 }, "$unit\n");
+                            $unitsToStart{$unit} = 1;
+                            recordUnit($startListFile, $unit);
                         }
 
-                        push @unitsToStop, $unit;
+                        $unitsToStop{$unit} = 1;
 
                     }
                 }
@@ -268,14 +292,16 @@ foreach my $mountPoint (keys %$prevFss) {
     my $unit = pathToUnitName($mountPoint) . ".mount";
     if (!defined $new) {
         # Filesystem entry disappeared, so unmount it.
-        push @unitsToStop, $unit;
+        $unitsToStop{$unit} = 1;
     } elsif ($prev->{fsType} ne $new->{fsType} || $prev->{device} ne $new->{device}) {
         # Filesystem type or device changed, so unmount and mount it.
-        write_file($startListFile, { append => 1 }, "$unit\n");
-        push @unitsToStop, $unit;
+        $unitsToStop{$unit} = 1;
+        $unitsToStart{$unit} = 1;
+        recordUnit($startListFile, $unit);
     } elsif ($prev->{options} ne $new->{options}) {
         # Mount options changes, so remount it.
-        write_file($reloadListFile, { append => 1 }, "$unit\n");
+        $unitsToReload{$unit} = 1;
+        recordUnit($reloadListFile, $unit);
     }
 }
 
@@ -294,14 +320,51 @@ foreach my $device (keys %$prevSwaps) {
     # FIXME: update swap options (i.e. its priority).
 }
 
-if (scalar @unitsToStop > 0) {
-    @unitsToStop = unique(@unitsToStop);
-    print STDERR "stopping the following units: ", join(", ", sort(@unitsToStop)), "\n";
-    system("systemctl", "stop", "--", @unitsToStop); # FIXME: ignore errors?
+
+# Should we have systemd re-exec itself?
+my $restartSystemd = abs_path("/proc/1/exe") ne abs_path("@systemd@/lib/systemd/systemd");
+
+
+sub filterUnits {
+    my ($units) = @_;
+    my @res;
+    foreach my $unit (sort(keys %{$units})) {
+        push @res, $unit if !defined $unitsToFilter{$unit};
+    }
+    return @res;
 }
 
-print STDERR "NOT restarting the following units: ", join(", ", sort(@unitsToSkip)), "\n"
-    if scalar @unitsToSkip > 0;
+my @unitsToStopFiltered = filterUnits(\%unitsToStop);
+my @unitsToStartFiltered = filterUnits(\%unitsToStart);
+
+
+# Show dry-run actions.
+if ($action eq "dry-activate") {
+    print STDERR "would stop the following units: ", join(", ", @unitsToStopFiltered), "\n"
+        if scalar @unitsToStopFiltered > 0;
+    print STDERR "would NOT stop the following changed units: ", join(", ", sort(keys %unitsToSkip)), "\n"
+        if scalar(keys %unitsToSkip) > 0;
+    print STDERR "would restart systemd\n" if $restartSystemd;
+    print STDERR "would restart the following units: ", join(", ", sort(keys %unitsToRestart)), "\n"
+        if scalar(keys %unitsToRestart) > 0;
+    print STDERR "would start the following units: ", join(", ", @unitsToStartFiltered), "\n"
+        if scalar @unitsToStartFiltered;
+    print STDERR "would reload the following units: ", join(", ", sort(keys %unitsToReload)), "\n"
+        if scalar(keys %unitsToReload) > 0;
+    exit 0;
+}
+
+
+syslog(LOG_NOTICE, "switching to system configuration $out");
+
+if (scalar (keys %unitsToStop) > 0) {
+    print STDERR "stopping the following units: ", join(", ", @unitsToStopFiltered), "\n"
+        if scalar @unitsToStopFiltered;
+    system("systemctl", "stop", "--", sort(keys %unitsToStop)); # FIXME: ignore errors?
+}
+
+print STDERR "NOT restarting the following changed units: ", join(", ", sort(keys %unitsToSkip)), "\n"
+    if scalar(keys %unitsToSkip) > 0;
 
 # Activate the new configuration (i.e., update /etc, make accounts,
 # and so on).
@@ -310,7 +373,7 @@ print STDERR "activating the configuration...\n";
 system("$out/activate", "$out") == 0 or $res = 2;
 
 # Restart systemd if necessary.
-if (abs_path("/proc/1/exe") ne abs_path("@systemd@/lib/systemd/systemd")) {
+if ($restartSystemd) {
     print STDERR "restarting systemd...\n";
     system("@systemd@/bin/systemctl", "daemon-reexec") == 0 or $res = 2;
 }
@@ -321,16 +384,19 @@ system("@systemd@/bin/systemctl", "reset-failed");
 # Make systemd reload its units.
 system("@systemd@/bin/systemctl", "daemon-reload") == 0 or $res = 3;
 
-# Signal dbus to reload its configuration before starting other units.
-# Other units may rely on newly installed policy files under /etc/dbus-1
-system("@systemd@/bin/systemctl", "reload", "dbus.service");
+# Reload units that need it. This includes remounting changed mount
+# units.
+if (scalar(keys %unitsToReload) > 0) {
+    print STDERR "reloading the following units: ", join(", ", sort(keys %unitsToReload)), "\n";
+    system("@systemd@/bin/systemctl", "reload", "--", sort(keys %unitsToReload)) == 0 or $res = 4;
+    unlink($reloadListFile);
+}
 
 # Restart changed services (those that have to be restarted rather
 # than stopped and started).
-my @restart = unique(split('\n', read_file($restartListFile, err_mode => 'quiet') // ""));
-if (scalar @restart > 0) {
-    print STDERR "restarting the following units: ", join(", ", sort(@restart)), "\n";
-    system("@systemd@/bin/systemctl", "restart", "--", @restart) == 0 or $res = 4;
+if (scalar(keys %unitsToRestart) > 0) {
+    print STDERR "restarting the following units: ", join(", ", sort(keys %unitsToRestart)), "\n";
+    system("@systemd@/bin/systemctl", "restart", "--", sort(keys %unitsToRestart)) == 0 or $res = 4;
     unlink($restartListFile);
 }
 
@@ -340,20 +406,11 @@ if (scalar @restart > 0) {
 # that are symlinks to other units.  We shouldn't start both at the
 # same time because we'll get a "Failed to add path to set" error from
 # systemd.
-my @start = unique("default.target", "timers.target", "sockets.target", split('\n', read_file($startListFile, err_mode => 'quiet') // ""));
-print STDERR "starting the following units: ", join(", ", sort(@start)), "\n";
-system("@systemd@/bin/systemctl", "start", "--", @start) == 0 or $res = 4;
+print STDERR "starting the following units: ", join(", ", @unitsToStartFiltered), "\n"
+    if scalar @unitsToStartFiltered;
+system("@systemd@/bin/systemctl", "start", "--", sort(keys %unitsToStart)) == 0 or $res = 4;
 unlink($startListFile);
 
-# Reload units that need it.  This includes remounting changed mount
-# units.
-my @reload = unique(split '\n', read_file($reloadListFile, err_mode => 'quiet') // "");
-if (scalar @reload > 0) {
-    print STDERR "reloading the following units: ", join(", ", sort(@reload)), "\n";
-    system("@systemd@/bin/systemctl", "reload", "--", @reload) == 0 or $res = 4;
-    unlink($reloadListFile);
-}
-
 
 # Print failed and new units.
 my (@failed, @new, @restarting);

nixos/modules/system/activation/top-level.nix

@@ -88,7 +88,7 @@ let
 
   failed = map (x: x.message) (filter (x: !x.assertion) config.assertions);
 
-  showWarnings = res: fold (w: x: builtins.trace "^[[1;31mwarning: ${w}^[[0m" x) res config.warnings;
+  showWarnings = res: fold (w: x: builtins.trace "warning: ${w}" x) res config.warnings;
 
   # Putting it all together.  This builds a store path containing
   # symlinks to the various parts of the built configuration (the

nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py

@@ -63,7 +63,8 @@ def get_generations(profile):
         "@nix@/bin/nix-env",
         "--list-generations",
         "-p",
-        "/nix/var/nix/profiles/%s" % (profile)
+        "/nix/var/nix/profiles/%s" % (profile),
+        "--option", "build-users-group", ""
         ])
     gen_lines = gen_list.split('\n')
     gen_lines.pop()

nixos/modules/system/boot/modprobe.nix

@@ -94,7 +94,7 @@ with lib;
         echo ${config.system.sbin.modprobe}/sbin/modprobe > /proc/sys/kernel/modprobe
       '';
 
-    environment.variables.MODULE_DIR = "/run/current-system/kernel-modules/lib/modules";
+    environment.sessionVariables.MODULE_DIR = "/run/current-system/kernel-modules/lib/modules";
 
   };
 

nixos/modules/system/boot/stage-1-init.sh

@@ -56,9 +56,10 @@ echo
 
 
 # Mount special file systems.
-mkdir -p /etc
+mkdir -p /etc/udev
 touch /etc/fstab # to shut up mount
 touch /etc/mtab # to shut up mke2fs
+touch /etc/udev/hwdb.bin # to shut up udeev
 touch /etc/initrd-release
 mkdir -p /proc
 mount -t proc proc /proc
@@ -174,20 +175,24 @@ fi
 if test -e /sys/power/resume -a -e /sys/power/disk; then
     if test -n "@resumeDevice@"; then
         resumeDev="@resumeDevice@"
+        resumeInfo="$(udevadm info -q property "$resumeDev" )"
     else
         for sd in @resumeDevices@; do
             # Try to detect resume device. According to Ubuntu bug:
             # https://bugs.launchpad.net/ubuntu/+source/pm-utils/+bug/923326/comments/1
             # When there are multiple swap devices, we can't know where will hibernate
             # image reside. We can check all of them for swsuspend blkid.
-            if [ "$(udevadm info -q property "$sd" | sed -n 's/^ID_FS_TYPE=//p')" = "swsuspend" ]; then
+            resumeInfo="$(udevadm info -q property "$sd" )"
+            if [ "$(echo "$resumeInfo" | sed -n 's/^ID_FS_TYPE=//p')" = "swsuspend" ]; then
                 resumeDev="$sd"
                 break
             fi
         done
     fi
-    if test -n "$resumeDev"; then
-        readlink -f "$resumeDev" > /sys/power/resume 2> /dev/null || echo "failed to resume..."
+    if test -e "$resumeDev"; then
+        resumeMajor="$(echo "$resumeInfo" | sed -n 's/^MAJOR=//p')"
+        resumeMinor="$(echo "$resumeInfo" | sed -n 's/^MINOR=//p')"
+        echo "$resumeMajor:$resumeMinor" > /sys/power/resume 2> /dev/null || echo "failed to resume..."
     fi
 fi
 
@@ -215,6 +220,9 @@ checkFS() {
     # Don't check resilient COWs as they validate the fs structures at mount time
     if [ "$fsType" = btrfs -o "$fsType" = zfs ]; then return 0; fi
 
+    # Skip fsck for inherently readonly filesystems.
+    if [ "$fsType" = squashfs ]; then return 0; fi
+
     # If we couldn't figure out the FS type, then skip fsck.
     if [ "$fsType" = auto ]; then
         echo 'cannot check filesystem with type "auto"!'

nixos/modules/system/boot/stage-1.nix

@@ -240,8 +240,9 @@ in
       example = "/dev/sda3";
       description = ''
         Device for manual resume attempt during boot. This should be used primarily
-        if you want to resume from file. Specify here the device where the file
-        resides. You should also use <varname>boot.kernelParams</varname> to specify
+        if you want to resume from file. If left empty, the swap partitions are used.
+        Specify here the device where the file resides.
+        You should also use <varname>boot.kernelParams</varname> to specify
         <literal><replaceable>resume_offset</replaceable></literal>.
       '';
     };
@@ -355,10 +356,17 @@ in
 
   config = mkIf (!config.boot.isContainer) {
 
-    assertions = singleton
+    assertions = [
       { assertion = any (fs: fs.mountPoint == "/") (attrValues config.fileSystems);
         message = "The ‘fileSystems’ option does not specify your root file system.";
-      };
+      }
+      { assertion = let inherit (config.boot) resumeDevice; in
+          resumeDevice == "" || builtins.substring 0 1 resumeDevice == "/";
+        message = "boot.resumeDevice has to be an absolute path."
+          + " Old \"x:y\" style is no longer supported.";
+      }
+    ];
+
 
     system.build.bootStage1 = bootStage1;
     system.build.initialRamdisk = initialRamdisk;

nixos/modules/system/boot/stage-2-init.sh

@@ -50,8 +50,10 @@ echo "booting system configuration $systemConfig" > /dev/kmsg
 # Make /nix/store a read-only bind mount to enforce immutability of
 # the Nix store.  Note that we can't use "chown root:nixbld" here
 # because users/groups might not exist yet.
-chown 0:30000 /nix/store
-chmod 1775 /nix/store
+# Silence chown/chmod to fail gracefully on a readonly filesystem
+# like squashfs.
+chown -f 0:30000 /nix/store
+chmod -f 1775 /nix/store
 if [ -n "@readOnlyStore@" ]; then
     if ! readonly-mountpoint /nix/store; then
         mount --bind /nix/store /nix/store
@@ -91,6 +93,7 @@ mkdir -m 01777 -p /tmp
 mkdir -m 0755 -p /var /var/log /var/lib /var/db
 mkdir -m 0755 -p /nix/var
 mkdir -m 0700 -p /root
+chmod 0700 /root
 mkdir -m 0755 -p /bin # for the /bin/sh symlink
 mkdir -m 0755 -p /home
 mkdir -m 0755 -p /etc/nixos

nixos/modules/system/boot/systemd.nix

@@ -695,21 +695,21 @@ in
       default = {};
       type = types.attrsOf types.optionSet;
       options = [ linkOptions ];
-      description = "Definiton of systemd network links.";
+      description = "Definition of systemd network links.";
     };
 
     systemd.network.netdevs = mkOption {
       default = {};
       type = types.attrsOf types.optionSet;
       options = [ netdevOptions ];
-      description = "Definiton of systemd network devices.";
+      description = "Definition of systemd network devices.";
     };
 
     systemd.network.networks = mkOption {
       default = {};
       type = types.attrsOf types.optionSet;
       options = [ networkOptions networkConfig ];
-      description = "Definiton of systemd networks.";
+      description = "Definition of systemd networks.";
     };
 
     systemd.network.units = mkOption {
@@ -858,6 +858,13 @@ in
       description = "Definition of systemd per-user service units.";
     };
 
+    systemd.user.timers = mkOption {
+      default = {};
+      type = types.attrsOf types.optionSet;
+      options = [ timerOptions unitConfig ];
+      description = "Definition of systemd per-user timer units.";
+    };
+
     systemd.user.sockets = mkOption {
       default = {};
       type = types.attrsOf types.optionSet;
@@ -978,8 +985,9 @@ in
       // mapAttrs' (n: v: nameValuePair "${n}.network" (networkToUnit n v)) cfg.network.networks;
 
     systemd.user.units =
-      mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.user.services
-      // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.user.sockets;
+         mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.user.services
+      // mapAttrs' (n: v: nameValuePair "${n}.socket"  (socketToUnit  n v)) cfg.user.sockets
+      // mapAttrs' (n: v: nameValuePair "${n}.timer"   (timerToUnit   n v)) cfg.user.timers;
 
     system.requiredKernelConfig = map config.lib.kernelConfig.isEnabled
       [ "DEVTMPFS" "CGROUPS" "INOTIFY_USER" "SIGNALFD" "TIMERFD" "EPOLL" "NET"

nixos/modules/tasks/filesystems/nfs.nix

@@ -38,7 +38,7 @@ in
         default = null;
         example = 4000;
         description = ''
-          Use fixed port for rpc.statd, usefull if NFS server is behind firewall.
+          Use fixed port for rpc.statd, useful if NFS server is behind firewall.
         '';
       };
       lockdPort = mkOption {
@@ -46,7 +46,7 @@ in
         example = 4001;
         description = ''
           Use fixed port for NFS lock manager kernel module (lockd/nlockmgr),
-          usefull if NFS server is behind firewall.
+          useful if NFS server is behind firewall.
         '';
       };
     };

nixos/modules/tasks/network-interfaces-scripted.nix

@@ -101,7 +101,7 @@ in
             ips = interfaceIps i;
           in
           nameValuePair "network-addresses-${i.name}"
-          { description = "Addresss configuration of ${i.name}";
+          { description = "Address configuration of ${i.name}";
             wantedBy = [ "network-interfaces.target" ];
             before = [ "network-interfaces.target" ];
             bindsTo = [ (subsystemDevice i.name) ];

nixos/modules/testing/test-instrumentation.nix

@@ -38,6 +38,11 @@ let kernel = config.boot.kernelPackages.kernel; in
     systemd.services."serial-getty@ttyS0".enable = false;
     systemd.services."serial-getty@hvc0".enable = false;
 
+    # Don't use a pager when executing backdoor actions. Because we
+    # use a tty, commands like systemctl or nix-store get confused
+    # into thinking they're running interactively.
+    environment.variables.PAGER = "";
+
     boot.initrd.postDeviceCommands =
       ''
         # Using acpi_pm as a clock source causes the guest clock to

nixos/modules/virtualisation/amazon-image.nix

@@ -7,17 +7,6 @@ in
 {
   imports = [ ../profiles/headless.nix ./ec2-data.nix ];
 
-  options = {
-    ec2 = {
-      hvm = mkOption {
-        default = false;
-        description = ''
-          Whether the EC2 instance is a HVM instance.
-        '';
-      };
-    };
-  };
-
   config = {
     system.build.amazonImage =
       pkgs.vmTools.runInLinuxVM (

nixos/modules/virtualisation/amazon-options.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+{
+  options = {
+    ec2 = {
+      hvm = lib.mkOption {
+        default = false;
+        internal = true;
+        description = ''
+          Whether the EC2 instance is a HVM instance.
+        '';
+      };
+    };
+  };
+
+  config = {};
+}