btrfs-progs: 4.14.1 -> 4.15.1

(cherry picked from commit 11238ffbe1)
Signed-off-by: Domen Kožar <domen@dev.si>

.mention-bot

@@ -2,7 +2,8 @@
   "userBlacklist": [
     "civodul",
     "jhasse",
-    "shlevy"
+    "shlevy",
+    "bbenoist"
   ],
   "alwaysNotifyForPaths": [
     { "name": "FRidh", "files": ["pkgs/top-level/python-packages.nix", "pkgs/development/interpreters/python/*", "pkgs/development/python-modules/*" ] },

.travis.yml

@@ -18,3 +18,8 @@ matrix:
 env:
     global:
         - GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f
+
+notifications:
+    email:
+        on_success: never
+        on_failure: change

README.md

@@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 
 ```
 % git remote update channels
-% git rebase channels/nixos-16.09
+% git rebase channels/nixos-17.03
 ```
 
 For pull-requests, please rebase onto nixpkgs `master`.
@@ -32,9 +32,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
+* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
+* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents)
 
 Communication:
 

doc/configuration.xml

@@ -227,7 +227,7 @@ packages via <literal>packageOverrides</literal></title>
 
 <para>You can define a function called
 <varname>packageOverrides</varname> in your local
-<filename>~/.config/nixpkgs/config.nix</filename> to overide nix packages.  It
+<filename>~/.config/nixpkgs/config.nix</filename> to override nix packages.  It
 must be a function that takes pkgs as an argument and return modified
 set of packages.
 

doc/default.nix

@@ -68,6 +68,10 @@ pkgs.stdenv.mkDerivation {
       inputFile = ../pkgs/development/r-modules/README.md;
       outputFile = "languages-frameworks/r.xml";
     }
+  + toDocbook {
+      inputFile = ./languages-frameworks/rust.md;
+      outputFile = "./languages-frameworks/rust.xml";
+    }
   + toDocbook {
       inputFile = ./languages-frameworks/vim.md;
       outputFile = "./languages-frameworks/vim.xml";

doc/functions.xml

@@ -70,7 +70,7 @@
 
     <para>
       In the above example, the <varname>separateDebugInfo</varname> attribute is
-      overriden to be true, thus building debug info for
+      overridden to be true, thus building debug info for
       <varname>helloWithDebug</varname>, while all other attributes will be
       retained from the original <varname>hello</varname> package.
     </para>

doc/languages-frameworks/index.xml

@@ -27,6 +27,7 @@ such as Perl or Haskell.  These are described in this chapter.</para>
 <xi:include href="qt.xml" />
 <xi:include href="r.xml" /> <!-- generated from ../../pkgs/development/r-modules/README.md  -->
 <xi:include href="ruby.xml" />
+<xi:include href="rust.xml" />
 <xi:include href="texlive.xml" />
 <xi:include href="vim.xml" />
 

doc/languages-frameworks/python.md

@@ -3,7 +3,7 @@
 ## User Guide
 
 Several versions of Python are available on Nix as well as a high amount of
-packages. The default interpreter is CPython 3.5.
+packages. The default interpreter is CPython 2.7.
 
 ### Using Python
 
@@ -74,7 +74,6 @@ can do is write a simple Nix expression which sets up an environment for you,
 requiring you only to type `nix-shell`. Say we want to have Python 3.5, `numpy`
 and `toolz`, like before, in an environment. With a `shell.nix` file
 containing
-
 ```nix
 with import <nixpkgs> {};
 
@@ -101,22 +100,25 @@ On Nix all packages are built by functions. The main function in Nix for buildin
 Let's see how we would build the `toolz` package. According to [`python-packages.nix`](https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/python-packages.nix) `toolz` is build using
 
 ```nix
-toolz = buildPythonPackage rec{
-  name = "toolz-${version}";
-  version = "0.7.4";
+{ # ...
 
-  src = pkgs.fetchurl{
-    url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
-    sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
-  };
+  toolz = buildPythonPackage rec {
+    name = "toolz-${version}";
+    version = "0.7.4";
 
-  meta = {
-    homepage = "http://github.com/pytoolz/toolz/";
-    description = "List processing tools and functional utilities";
-    license = licenses.bsd3;
-    maintainers = with maintainers; [ fridh ];
+    src = pkgs.fetchurl {
+      url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
+      sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
+    };
+
+    meta = {
+      homepage = "http://github.com/pytoolz/toolz/";
+      description = "List processing tools and functional utilities";
+      license = licenses.bsd3;
+      maintainers = with maintainers; [ fridh ];
+    };
   };
-};
+}
 ```
 
 What happens here? The function `buildPythonPackage` is called and as argument
@@ -129,7 +131,7 @@ specify some (optional) [meta information](http://nixos.org/nixpkgs/manual/#chap
 
 The output of the function is a derivation, which is an attribute with the name
 `toolz` of the set `pythonPackages`. Actually, sets are created for all interpreter versions,
-so `python27Packages`, `python34Packages`, `python35Packages` and `pypyPackages`.
+so e.g. `python27Packages`, `python35Packages` and `pypyPackages`.
 
 The above example works when you're directly working on
 `pkgs/top-level/python-packages.nix` in the Nixpkgs repository. Often though,
@@ -143,7 +145,7 @@ pkgs.python35Packages.buildPythonPackage rec {
   name = "toolz-${version}";
   version = "0.8.0";
 
-  src = pkgs.fetchurl{
+  src = pkgs.fetchurl {
     url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
     sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
   };
@@ -174,7 +176,7 @@ with import <nixpkgs> {};
       name = "toolz-${version}";
       version = "0.8.0";
 
-      src = pkgs.fetchurl{
+      src = pkgs.fetchurl {
         url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
         sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
       };
@@ -215,25 +217,28 @@ The following example shows which arguments are given to `buildPythonPackage` in
 order to build [`datashape`](https://github.com/blaze/datashape).
 
 ```nix
-datashape = buildPythonPackage rec {
-  name = "datashape-${version}";
-  version = "0.4.7";
+{ # ...
 
-  src = pkgs.fetchurl {
-    url = "mirror://pypi/D/DataShape/${name}.tar.gz";
-    sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
+  datashape = buildPythonPackage rec {
+    name = "datashape-${version}";
+    version = "0.4.7";
+
+    src = pkgs.fetchurl {
+      url = "mirror://pypi/D/DataShape/${name}.tar.gz";
+      sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
+    };
+
+    buildInputs = with self; [ pytest ];
+    propagatedBuildInputs = with self; [ numpy multipledispatch dateutil ];
+
+    meta = {
+      homepage = https://github.com/ContinuumIO/datashape;
+      description = "A data description language";
+      license = licenses.bsd2;
+      maintainers = with maintainers; [ fridh ];
+    };
   };
-
-  buildInputs = with self; [ pytest ];
-  propagatedBuildInputs = with self; [ numpy multipledispatch dateutil ];
-
-  meta = {
-    homepage = https://github.com/ContinuumIO/datashape;
-    description = "A data description language";
-    license = licenses.bsd2;
-    maintainers = with maintainers; [ fridh ];
-  };
-};
+}
 ```
 
 We can see several runtime dependencies, `numpy`, `multipledispatch`, and
@@ -247,23 +252,26 @@ Python bindings to `libxml2` and `libxslt`. These libraries are only required
 when building the bindings and are therefore added as `buildInputs`.
 
 ```nix
-lxml = buildPythonPackage rec {
-  name = "lxml-3.4.4";
+{ # ...
 
-  src = pkgs.fetchurl {
-    url = "mirror://pypi/l/lxml/${name}.tar.gz";
-    sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
+  lxml = buildPythonPackage rec {
+    name = "lxml-3.4.4";
+
+    src = pkgs.fetchurl {
+      url = "mirror://pypi/l/lxml/${name}.tar.gz";
+      sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
+    };
+
+    buildInputs = with self; [ pkgs.libxml2 pkgs.libxslt ];
+
+    meta = {
+      description = "Pythonic binding for the libxml2 and libxslt libraries";
+      homepage = http://lxml.de;
+      license = licenses.bsd3;
+      maintainers = with maintainers; [ sjourdois ];
+    };
   };
-
-  buildInputs = with self; [ pkgs.libxml2 pkgs.libxslt ];
-
-  meta = {
-    description = "Pythonic binding for the libxml2 and libxslt libraries";
-    homepage = http://lxml.de;
-    license = licenses.bsd3;
-    maintainers = with maintainers; [ sjourdois ];
-  };
-};
+}
 ```
 
 In this example `lxml` and Nix are able to work out exactly where the relevant
@@ -277,33 +285,37 @@ find each of them in a different folder, and therefore we have to set `LDFLAGS`
 and `CFLAGS`.
 
 ```nix
-pyfftw = buildPythonPackage rec {
-  name = "pyfftw-${version}";
-  version = "0.9.2";
+{ # ...
 
-  src = pkgs.fetchurl {
-    url = "mirror://pypi/p/pyFFTW/pyFFTW-${version}.tar.gz";
-    sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
+  pyfftw = buildPythonPackage rec {
+    name = "pyfftw-${version}";
+    version = "0.9.2";
+
+    src = pkgs.fetchurl {
+      url = "mirror://pypi/p/pyFFTW/pyFFTW-${version}.tar.gz";
+      sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
+    };
+
+    buildInputs = [ pkgs.fftw pkgs.fftwFloat pkgs.fftwLongDouble];
+
+    propagatedBuildInputs = with self; [ numpy scipy ];
+
+    # Tests cannot import pyfftw. pyfftw works fine though.
+    doCheck = false;
+
+    preConfigure = ''
+      export LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
+      export CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
+    '';
+
+    meta = {
+      description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
+      homepage = http://hgomersall.github.com/pyFFTW/;
+      license = with licenses; [ bsd2 bsd3 ];
+      maintainer = with maintainers; [ fridh ];
+    };
   };
-
-  buildInputs = [ pkgs.fftw pkgs.fftwFloat pkgs.fftwLongDouble];
-
-  propagatedBuildInputs = with self; [ numpy scipy ];
-
-  # Tests cannot import pyfftw. pyfftw works fine though.
-  doCheck = false;
-
-  LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
-  CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
-  '';
-
-  meta = {
-    description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
-    homepage = http://hgomersall.github.com/pyFFTW/;
-    license = with licenses; [ bsd2 bsd3 ];
-    maintainer = with maintainers; [ fridh ];
-  };
-};
+}
 ```
 Note also the line `doCheck = false;`, we explicitly disabled running the test-suite.
 
@@ -316,10 +328,7 @@ That way, you can run updated code without having to reinstall after each and ev
 Development mode is also available. Let's see how you can use it.
 
 In the previous Nix expression the source was fetched from an url. We can also refer to a local source instead using
-
-```nix
-src = ./path/to/source/tree;
-```
+`src = ./path/to/source/tree;`
 
 If we create a `shell.nix` file which calls `buildPythonPackage`, and if `src`
 is a local source, and if the local source has a `setup.py`, then development
@@ -331,14 +340,14 @@ other packages we like to have in the environment, all specified with `propagate
 Indeed, we can just add any package we like to have in our environment to `propagatedBuildInputs`.
 
 ```nix
-with import <nixpkgs>;
+with import <nixpkgs> {};
 with pkgs.python35Packages;
 
 buildPythonPackage rec {
   name = "mypackage";
   src = ./path/to/package/source;
   propagatedBuildInputs = [ pytest numpy pkgs.libsndfile ];
-};
+}
 ```
 
 It is important to note that due to how development mode is implemented on Nix it is not possible to have multiple packages simultaneously in development mode.
@@ -371,7 +380,7 @@ buildPythonPackage rec {
   name = "toolz-${version}";
   version = "0.7.4";
 
-  src = pkgs.fetchurl{
+  src = pkgs.fetchurl {
     url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
     sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
   };
@@ -382,7 +391,7 @@ buildPythonPackage rec {
     license = licenses.bsd3;
     maintainers = with maintainers; [ fridh ];
   };
-};
+}
 ```
 
 It takes two arguments, `pkgs` and `buildPythonPackage`.
@@ -392,7 +401,10 @@ We now call this function using `callPackage` in the definition of our environme
 with import <nixpkgs> {};
 
 ( let
-    toolz = pkgs.callPackage ~/path/to/toolz/release.nix { pkgs=pkgs; buildPythonPackage=pkgs.python35Packages.buildPythonPackage; };
+    toolz = pkgs.callPackage /path/to/toolz/release.nix {
+      pkgs = pkgs;
+      buildPythonPackage = pkgs.python35Packages.buildPythonPackage;
+    };
   in pkgs.python35.withPackages (ps: [ ps.numpy toolz ])
 ).env
 ```
@@ -410,8 +422,8 @@ and in this case the `python35` interpreter is automatically used.
 
 ### Interpreters
 
-Versions 2.6, 2.7, 3.3, 3.4 and 3.5 of the CPython interpreter are available as respectively
-`python26`, `python27`, `python33`, `python34` and `python35`. The PyPy interpreter
+Versions 2.7, 3.3, 3.4, 3.5 and 3.6 of the CPython interpreter are available as
+respectively `python27`, `python33`, `python34`, `python35` and `python36`. The PyPy interpreter
 is available as `pypy`. The aliases `python2` and `python3` correspond to respectively `python27` and
 `python35`. The default interpreter, `python`, maps to `python2`.
 The Nix expressions for the interpreters can be found in
@@ -460,6 +472,7 @@ sets are
 * `pkgs.python33Packages`
 * `pkgs.python34Packages`
 * `pkgs.python35Packages`
+* `pkgs.python36Packages`
 * `pkgs.pypyPackages`
 
 and the aliases
@@ -474,22 +487,27 @@ The `buildPythonPackage` function is implemented in
 `pkgs/development/interpreters/python/build-python-package.nix`
 
 The following is an example:
+```nix
+{ # ...
 
-    twisted = buildPythonPackage {
-      name = "twisted-8.1.0";
+  twisted = buildPythonPackage {
+    name = "twisted-8.1.0";
 
-      src = pkgs.fetchurl {
-        url = http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2;
-        sha256 = "0q25zbr4xzknaghha72mq57kh53qw1bf8csgp63pm9sfi72qhirl";
-      };
+    src = pkgs.fetchurl {
+      url = http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2;
+      sha256 = "0q25zbr4xzknaghha72mq57kh53qw1bf8csgp63pm9sfi72qhirl";
+    };
 
-      propagatedBuildInputs = [ self.ZopeInterface ];
+    propagatedBuildInputs = [ self.ZopeInterface ];
 
-      meta = {
-        homepage = http://twistedmatrix.com/;
-        description = "Twisted, an event-driven networking engine written in Python";
-        license = stdenv.lib.licenses.mit; };
-      };
+    meta = {
+      homepage = http://twistedmatrix.com/;
+      description = "Twisted, an event-driven networking engine written in Python";
+      license = stdenv.lib.licenses.mit;
+    };
+  };
+}
+```
 
 The `buildPythonPackage` mainly does four things:
 
@@ -539,29 +557,32 @@ Because with an application we're not interested in multiple version the prefix
 Python environments can be created using the low-level `pkgs.buildEnv` function.
 This example shows how to create an environment that has the Pyramid Web Framework.
 Saving the following as `default.nix`
+```nix
+with import <nixpkgs> {};
 
-    with import <nixpkgs> {};
-
-    python.buildEnv.override {
-      extraLibs = [ pkgs.pythonPackages.pyramid ];
-      ignoreCollisions = true;
-    }
+python.buildEnv.override {
+  extraLibs = [ pkgs.pythonPackages.pyramid ];
+  ignoreCollisions = true;
+}
+```
 
 and running `nix-build` will create
-
-    /nix/store/cf1xhjwzmdki7fasgr4kz6di72ykicl5-python-2.7.8-env
+```
+/nix/store/cf1xhjwzmdki7fasgr4kz6di72ykicl5-python-2.7.8-env
+```
 
 with wrapped binaries in `bin/`.
 
 You can also use the `env` attribute to create local environments with needed
 packages installed. This is somewhat comparable to `virtualenv`. For example,
 running `nix-shell` with the following `shell.nix`
+```nix
+with import <nixpkgs> {};
 
-    with import <nixpkgs> {};
-
-    (python3.buildEnv.override {
-      extraLibs = with python3Packages; [ numpy requests2 ];
-    }).env
+(python3.buildEnv.override {
+  extraLibs = with python3Packages; [ numpy requests2 ];
+}).env
+```
 
 will drop you into a shell where Python will have the
 specified packages in its path.
@@ -576,34 +597,40 @@ specified packages in its path.
 #### python.withPackages function
 
 The `python.withPackages` function provides a simpler interface to the `python.buildEnv` functionality.
-It takes a function as an argument that is passed the set of python packages and returns the list 
+It takes a function as an argument that is passed the set of python packages and returns the list
 of the packages to be included in the environment. Using the `withPackages` function, the previous
 example for the Pyramid Web Framework environment can be written like this:
+```nix
+with import <nixpkgs> {};
 
-    with import <nixpkgs> {};
+python.withPackages (ps: [ps.pyramid])
+```
 
-    python.withPackages (ps: [ps.pyramid])
-
-`withPackages` passes the correct package set for the specific interpreter version as an 
+`withPackages` passes the correct package set for the specific interpreter version as an
 argument to the function. In the above example, `ps` equals `pythonPackages`.
 But you can also easily switch to using python3:
-    
-    with import <nixpkgs> {};
+```nix
+with import <nixpkgs> {};
 
-    python3.withPackages (ps: [ps.pyramid])
+python3.withPackages (ps: [ps.pyramid])
+```
 
 Now, `ps` is set to `python3Packages`, matching the version of the interpreter.
 
 As `python.withPackages` simply uses `python.buildEnv` under the hood, it also supports the `env`
 attribute. The `shell.nix` file from the previous section can thus be also written like this:
+```nix
+with import <nixpkgs> {};
 
-    with import <nixpkgs> {};
-
-    (python33.withPackages (ps: [ps.numpy ps.requests2])).env
+(python33.withPackages (ps: [ps.numpy ps.requests2])).env
+```
 
 In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
 such as `ignoreCollisions = true` or `postBuild`. If you need them, you have to use `python.buildEnv`.
 
+Python 2 namespace packages may provide `__init__.py` that collide. In that case `python.buildEnv` 
+should be used with `ignoreCollisions = true`.
+
 ### Development mode
 
 Development or editable mode is supported. To develop Python packages
@@ -613,22 +640,24 @@ install -e . --prefix $TMPDIR/`for the package.
 Warning: `shellPhase` is executed only if `setup.py` exists.
 
 Given a `default.nix`:
+```nix
+with import <nixpkgs> {};
 
-    with import <nixpkgs> {};
+buildPythonPackage { name = "myproject";
 
-    buildPythonPackage { name = "myproject";
+buildInputs = with pkgs.pythonPackages; [ pyramid ];
 
-    buildInputs = with pkgs.pythonPackages; [ pyramid ];
-
-    src = ./.; }
+src = ./.; }
+```
 
 Running `nix-shell` with no arguments should give you
 the environment in which the package would be built with
 `nix-build`.
 
 Shortcut to setup environments with C headers/libraries and python packages:
-
-    $ nix-shell -p pythonPackages.pyramid zlib libjpeg git
+```shell
+nix-shell -p pythonPackages.pyramid zlib libjpeg git
+```
 
 Note: There is a boolean value `lib.inNixShell` set to `true` if nix-shell is invoked.
 
@@ -641,6 +670,19 @@ community to help save time. No tool is preferred at the moment.
 - [pypi2nix](https://github.com/garbas/pypi2nix) by Rok Garbas
 - [pypi2nix](https://github.com/offlinehacker/pypi2nix) by Jaka Hudoklin
 
+### Deterministic builds
+
+Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
+Minor modifications had to be made to the interpreters in order to generate
+deterministic bytecode. This has security implications and is relevant for
+those using Python in a `nix-shell`.
+
+When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1.
+The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
+[PYTHONHASHSEED=0](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
+Both are also exported in `nix-shell`.
+
+
 ## FAQ
 
 ### How can I install a working Python environment?
@@ -663,7 +705,7 @@ with import <nixpkgs> {};
 pkgs.python35.withPackages (ps: with ps; [ numpy ipython ])
 ```
 and install it in your profile with
-```
+```shell
 nix-env -if build.nix
 ```
 Now you can use the Python interpreter, as well as the extra packages that you added to the environment.
@@ -671,15 +713,19 @@ Now you can use the Python interpreter, as well as the extra packages that you a
 #### Environment defined in `~/.nixpkgs/config.nix`
 
 If you prefer to, you could also add the environment as a package override to the Nixpkgs set.
-```
+```nix
+{ # ...
+
   packageOverrides = pkgs: with pkgs; {
     myEnv = python35.withPackages (ps: with ps; [ numpy ipython ]);
   };
+}
 ```
 and install it in your profile with
-```
+```shell
 nix-env -iA nixpkgs.myEnv
 ```
+
 We're installing using the attribute path and assume the channels is named `nixpkgs`.
 Note that I'm using the attribute path here.
 
@@ -688,9 +734,12 @@ Note that I'm using the attribute path here.
 For the sake of completeness, here's another example how to install the environment system-wide.
 
 ```nix
-environment.systemPackages = with pkgs; [
-  (python35.withPackages(ps: with ps; [ numpy ipython ]))
-];
+{ # ...
+
+  environment.systemPackages = with pkgs; [
+    (python35.withPackages(ps: with ps; [ numpy ipython ]))
+  ];
+}
 ```
 
 ### How to solve circular dependencies?
@@ -727,19 +776,18 @@ All packages in the Python package set will now use the updated `scipy` version.
 ```nix
 with import <nixpkgs> {};
 
-(
-let
-  packageOverrides = self: super: {
-    scipy = super.scipy_0_17;
-  };
-in (pkgs.python35.override {inherit packageOverrides;}).withPackages (ps: [ps.blaze])
+( let
+    packageOverrides = self: super: {
+      scipy = super.scipy_0_17;
+    };
+  in (pkgs.python35.override {inherit packageOverrides;}).withPackages (ps: [ps.blaze])
 ).env
 ```
 The requested package `blaze` depends on `pandas` which itself depends on `scipy`.
 
 If you want the whole of Nixpkgs to use your modifications, then you can use `overlays`
 as explained in this manual. In the following example we build a `inkscape` using a different version of `numpy`.
-```
+```nix
 let
   pkgs = import <nixpkgs> {};
   newpkgs = import pkgs.path { overlays = [ (pkgsself: pkgssuper: {
@@ -762,32 +810,32 @@ This is because files are included that depend on items in the Nix store which h
 The command `bdist_wheel` takes into account `SOURCE_DATE_EPOCH`, and `nix-shell` sets this to 1. By setting it to a value corresponding to 1980 or later, or by unsetting it, it is possible to build wheels.
 
 Use 1980 as timestamp:
-```
+```shell
 nix-shell --run "SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel"
 ```
 or the current time:
-```
+```shell
 nix-shell --run "SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel"
 ```
 or unset:
-```
+```shell
 nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"
 ```
 
 ### `install_data` / `data_files` problems
 
 If you get the following error:
-
-    could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
-    Permission denied
-
-This is a [known bug](https://github.com/pypa/setuptools/issues/130) in setuptools.
+```
+could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
+Permission denied
+```
+This is a [known bug](https://github.com/pypa/setuptools/issues/130) in `setuptools`.
 Setuptools `install_data` does not respect `--prefix`. An example of such package using the feature is `pkgs/tools/X11/xpra/default.nix`.
 As workaround install it as an extra `preInstall` step:
-
-    ${python.interpreter} setup.py install_data --install-dir=$out --root=$out
-    sed -i '/ = data\_files/d' setup.py
-
+```shell
+${python.interpreter} setup.py install_data --install-dir=$out --root=$out
+sed -i '/ = data\_files/d' setup.py
+```
 
 ###  Rationale of non-existent global site-packages
 
@@ -811,11 +859,11 @@ and install python modules through `pip` the traditional way.
 
 Create this `default.nix` file, together with a `requirements.txt` and simply execute `nix-shell`.
 
-```
+```nix
 with import <nixpkgs> {};
 with pkgs.python27Packages;
 
-stdenv.mkDerivation { 
+stdenv.mkDerivation {
   name = "impurePythonEnv";
   buildInputs = [
     # these packages are required for virtualenv and pip to work:
@@ -823,10 +871,10 @@ stdenv.mkDerivation {
     python27Full
     python27Packages.virtualenv
     python27Packages.pip
-    # the following packages are related to the dependencies of your python 
-    # project. 
-    # In this particular example the python modules listed in the 
-    # requirements.tx require the following packages to be installed locally 
+    # the following packages are related to the dependencies of your python
+    # project.
+    # In this particular example the python modules listed in the
+    # requirements.tx require the following packages to be installed locally
     # in order to compile any binary extensions they may require.
     #
     taglib
@@ -841,7 +889,7 @@ stdenv.mkDerivation {
   shellHook = ''
   # set SOURCE_DATE_EPOCH so that we can use python wheels
   SOURCE_DATE_EPOCH=$(date +%s)
-  virtualenv --no-setuptools venv 
+  virtualenv --no-setuptools venv
   export PATH=$PWD/venv/bin:$PATH
   pip install -r requirements.txt
   '';
@@ -849,10 +897,31 @@ stdenv.mkDerivation {
 ```
 
 Note that the `pip install` is an imperative action. So every time `nix-shell`
-is executed it will attempt to download the python modules listed in 
+is executed it will attempt to download the python modules listed in
 requirements.txt. However these will be cached locally within the `virtualenv`
 folder and not downloaded again.
 
+### How to override a Python package from `configuration.nix`?
+
+If you need to change a package's attribute(s) from `configuration.nix` you could do:
+
+```nix
+  nixpkgs.config.packageOverrides = superP: {
+    pythonPackages = superP.pythonPackages.override {
+      overrides = self: super: {
+        bepasty-server = super.bepasty-server.overrideAttrs ( oldAttrs: {
+          src = pkgs.fetchgit {
+            url = "https://github.com/bepasty/bepasty-server";
+            sha256 = "9ziqshmsf0rjvdhhca55sm0x8jz76fsf2q4rwh4m6lpcf8wr0nps";
+            rev = "e2516e8cf4f2afb5185337073607eb9e84a61d2d";
+          };
+        });
+      };
+    };
+  };
+```
+
+If you are using the `bepasty-server` package somewhere, for example in `systemPackages` or indirectly from `services.bepasty`, then a `nixos-rebuild switch` will rebuild the system but with the `bepasty-server` package using a different `src` attribute. This way one can modify `python` based software/libraries easily. Using `self` and `super` one can also alter dependencies (`buildInputs`) between the old state (`self`) and new state (`super`). 
 
 ## Contributing
 

doc/languages-frameworks/rust.md

@@ -0,0 +1,91 @@
+---
+title: Rust
+author: Matthias Beyer
+date: 2017-03-05
+---
+
+# User's Guide to the Rust Infrastructure
+
+To install the rust compiler and cargo put
+
+```
+rustStable.rustc
+rustStable.cargo
+```
+
+into the `environment.systemPackages` or bring them into scope with
+`nix-shell -p rustStable.rustc -p rustStable.cargo`.
+
+There are also `rustBeta` and `rustNightly` package sets available.
+These are not updated very regulary. For daily builds see
+[Using the Rust nightlies overlay](#using-the-rust-nightlies-overlay)
+
+## Packaging Rust applications
+
+Rust applications are packaged by using the `buildRustPackage` helper from `rustPlatform`:
+
+```
+with rustPlatform;
+
+buildRustPackage rec {
+  name = "ripgrep-${version}";
+  version = "0.4.0";
+
+  src = fetchFromGitHub {
+    owner = "BurntSushi";
+    repo = "ripgrep";
+    rev = "${version}";
+    sha256 = "0y5d1n6hkw85jb3rblcxqas2fp82h3nghssa4xqrhqnz25l799pj";
+  };
+
+  depsSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
+
+  meta = with stdenv.lib; {
+    description = "A utility that combines the usability of The Silver Searcher with the raw speed of grep";
+    homepage = https://github.com/BurntSushi/ripgrep;
+    license = with licenses; [ unlicense ];
+    maintainers = [ maintainers.tailhook ];
+    platforms = platforms.all;
+  };
+}
+```
+
+`buildRustPackage` requires a `depsSha256` attribute which is computed over
+all crate sources of this package. Currently it is obtained by inserting a
+fake checksum into the expression and building the package once. The correct
+checksum can be then take from the failed build.
+
+To install crates with nix there is also an experimental project called
+[nixcrates](https://github.com/fractalide/nixcrates).
+
+## Using the Rust nightlies overlay
+
+Mozilla provides an overlay for nixpkgs to bring a nightly version of Rust into scope.
+This overlay can _also_ be used to install recent unstable or stable versions
+of Rust, if desired.
+
+To use this overlay, clone
+[nixpkgs-mozilla](https://github.com/mozilla/nixpkgs-mozilla),
+and create a symbolic link to the file
+[rust-overlay.nix](https://github.com/mozilla/nixpkgs-mozilla/blob/master/rust-overlay.nix)
+in the `~/.config/nixpkgs/overlays` directory.
+
+    $ git clone https://github.com/mozilla/nixpkgs-mozilla.git
+    $ mkdir -p ~/.config/nixpkgs/overlays
+    $ ln -s $(pwd)/nixpkgs-mozilla/rust-overlay.nix ~/.config/nixpkgs/overlays/rust-overlay.nix
+
+The latest version can be installed with the following command:
+
+    $ nix-env -Ai nixos.rustChannels.stable.rust
+
+Or using the attribute with nix-shell:
+
+    $ nix-shell -p nixos.rustChannels.stable.rust
+
+To install the beta or nightly channel, "stable" should be substituted by
+"nightly" or "beta", or
+use the function provided by this overlay to pull a version based on a
+build date.
+
+The overlay automatically updates itself as it uses the same source as
+[rustup](https://www.rustup.rs/).

doc/multiple-output.xml

@@ -16,7 +16,6 @@
 
 <section><title>Installing a split package</title>
   <para>When installing a package via <varname>systemPackages</varname> or <command>nix-env</command> you have several options:</para>
-  <warning><para>Currently <command>nix-env</command> almost always installs all outputs until https://github.com/NixOS/nix/pull/815 gets merged.</para></warning>
   <itemizedlist>
     <listitem><para>You can install particular outputs explicitly, as each is available in the Nix language as an attribute of the package.  The <varname>outputs</varname> attribute contains a list of output names.</para></listitem>
     <listitem><para>You can let it use the default outputs.  These are handled by <varname>meta.outputsToInstall</varname> attribute that contains a list of output names.</para>

doc/overlays.xml

@@ -34,7 +34,7 @@ first one present is considered, and all the rest are ignored:
 
   <listitem>
 
-    <para>In the directory <filename>~/.nixpkgs/overlays/</filename>.</para>
+    <para>In the directory <filename>~/.config/nixpkgs/overlays/</filename>.</para>
   </listitem>
 
 </orderedlist>
@@ -50,7 +50,7 @@ the same recipe. In the case where overlays are loaded from a directory, they ar
 alphabetical order.</para>
 
 <para>To install an overlay using the last option, you can clone the overlay's repository and add
-a symbolic link to it in <filename>~/.nixpkgs/overlays/</filename> directory.</para>
+a symbolic link to it in <filename>~/.config/nixpkgs/overlays/</filename> directory.</para>
 
 </section>
 
@@ -78,7 +78,7 @@ self: super:
 <para>The first argument, usually named <varname>self</varname>, corresponds to the final package
 set. You should use this set for the dependencies of all packages specified in your
 overlay. For example, all the dependencies of <varname>rr</varname> in the example above come
-from <varname>self</varname>, as well as the overriden dependencies used in the
+from <varname>self</varname>, as well as the overridden dependencies used in the
 <varname>boost</varname> override.</para>
 
 <para>The second argument, usually named <varname>super</varname>,

doc/reviewing-contributions.xml

@@ -18,7 +18,7 @@
 <para>The high change rate of nixpkgs make any pull request that is open for 
   long enough subject to conflicts that will require extra work from the 
   submitter or the merger. Reviewing pull requests in a timely manner and being 
-  responsive to the comments is the key to avoid these. Github provides sort 
+  responsive to the comments is the key to avoid these. GitHub provides sort 
   filters that can be used to see the <link 
     xlink:href="https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc">most 
     recently</link> and the <link 

doc/stdenv.xml

@@ -1156,7 +1156,7 @@ makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello
             <term><option>--replace</option>
             <replaceable>s1</replaceable>
             <replaceable>s2</replaceable></term>
-            <listitem><para>Replace every occurence of the string
+            <listitem><para>Replace every occurrence of the string
             <replaceable>s1</replaceable> by
             <replaceable>s2</replaceable>.</para></listitem>
           </varlistentry>
@@ -1164,7 +1164,7 @@ makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello
           <varlistentry>
             <term><option>--subst-var</option>
             <replaceable>varName</replaceable></term>
-            <listitem><para>Replace every occurence of
+            <listitem><para>Replace every occurrence of
             <literal>@<replaceable>varName</replaceable>@</literal> by
             the contents of the environment variable
             <replaceable>varName</replaceable>.  This is useful for
@@ -1177,7 +1177,7 @@ makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello
             <term><option>--subst-var-by</option>
             <replaceable>varName</replaceable>
             <replaceable>s</replaceable></term>
-            <listitem><para>Replace every occurence of
+            <listitem><para>Replace every occurrence of
             <literal>@<replaceable>varName</replaceable>@</literal> by
             the string <replaceable>s</replaceable>.</para></listitem>
           </varlistentry>
@@ -1225,7 +1225,7 @@ substitute ./foo.in ./foo.out \
     <term><function>substituteAll</function>
     <replaceable>infile</replaceable>
     <replaceable>outfile</replaceable></term>
-    <listitem><para>Replaces every occurence of
+    <listitem><para>Replaces every occurrence of
     <literal>@<replaceable>varName</replaceable>@</literal>, where
     <replaceable>varName</replaceable> is any environment variable, in
     <replaceable>infile</replaceable>, writing the result to
@@ -1528,7 +1528,7 @@ bin/blib.a(bios_console.o): In function `bios_handle_cup':
     depends on such a format string, it will need to be worked around.
     </para>
 
-    <para>Addtionally, some warnings are enabled which might trigger build
+    <para>Additionally, some warnings are enabled which might trigger build
     failures if compiler warnings are treated as errors in the package build.
     In this case, set <option>NIX_CFLAGS_COMPILE</option> to
     <option>-Wno-error=warning-type</option>.</para>
@@ -1558,7 +1558,7 @@ fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute erro
     <term><varname>pic</varname></term>
     <listitem>
     <para>Adds the <option>-fPIC</option> compiler options. This options adds
-    support for position independant code in shared libraries and thus making
+    support for position independent code in shared libraries and thus making
     ASLR possible.</para>
     <para>Most notably, the Linux kernel, kernel modules and other code
     not running in an operating system environment like boot loaders won't

lib/default.nix

@@ -34,6 +34,9 @@ let
   sandbox = import ./sandbox.nix;
   fetchers = import ./fetchers.nix;
 
+  # Eval-time filesystem handling
+  filesystem = import ./filesystem.nix;
+
 in
   { inherit trivial
             attrsets lists strings stringsWithDeps
@@ -41,7 +44,7 @@ in
             modules options types
             licenses platforms systems
             debug generators misc
-            sandbox fetchers;
+            sandbox fetchers filesystem;
   }
   # !!! don't include everything at top-level; perhaps only the most
   # commonly used functions.

lib/filesystem.nix

@@ -0,0 +1,44 @@
+{ # haskellPathsInDir : Path -> Map String Path
+  # A map of all haskell packages defined in the given path,
+  # identified by having a cabal file with the same name as the
+  # directory itself.
+  haskellPathsInDir = root:
+    let # Files in the root
+        root-files = builtins.attrNames (builtins.readDir root);
+        # Files with their full paths
+        root-files-with-paths =
+          map (file:
+            { name = file; value = root + "/${file}"; }
+          ) root-files;
+        # Subdirectories of the root with a cabal file.
+        cabal-subdirs =
+          builtins.filter ({ name, value }:
+            builtins.pathExists (value + "/${name}.cabal")
+          ) root-files-with-paths;
+    in builtins.listToAttrs cabal-subdirs;
+  # locateDominatingFile :  RegExp
+  #                      -> Path
+  #                      -> Nullable { path : Path;
+  #                                    matches : [ MatchResults ];
+  #                                  }
+  # Find the first directory containing a file matching 'pattern'
+  # upward from a given 'file'.
+  # Returns 'null' if no directories contain a file matching 'pattern'.
+  locateDominatingFile = pattern: file:
+    let go = path:
+          let files = builtins.attrNames (builtins.readDir path);
+              matches = builtins.filter (match: match != null)
+                          (map (builtins.match pattern) files);
+          in
+            if builtins.length matches != 0
+              then { inherit path matches; }
+              else if path == /.
+                then null
+                else go (dirOf path);
+        parent = dirOf file;
+        isDir =
+          let base = baseNameOf file;
+              type = (builtins.readDir parent).${base} or null;
+          in file == /. || type == "directory";
+    in go (if isDir then file else parent);
+}

lib/maintainers.nix

@@ -59,7 +59,6 @@
   badi = "Badi' Abdul-Wahid <abdulwahidc@gmail.com>";
   balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
   Baughn = "Svein Ove Aas <sveina@gmail.com>";
-  bbenoist = "Baptist BENOIST <return_0@live.com>";
   bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
   bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
   bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
@@ -133,6 +132,7 @@
   dgonyeo = "Derek Gonyeo <derek@gonyeo.com>";
   dipinhora = "Dipin Hora <dipinhora+github@gmail.com>";
   dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
+  dmjio = "David Johnson <djohnson.m@gmail.com>";
   dochang = "Desmond O. Chang <dochang@gmail.com>";
   domenkozar = "Domen Kozar <domen@dev.si>";
   doublec = "Chris Double <chris.double@double.co.nz>";
@@ -277,6 +277,7 @@
   luispedro = "Luis Pedro Coelho <luis@luispedro.org>";
   lukego = "Luke Gorrie <luke@snabb.co>";
   lw = "Sergey Sofeychuk <lw@fmap.me>";
+  lyt = "Tim Liou <wheatdoge@gmail.com>";
   ma27 = "Maximilian Bosch <maximilian@mbosch.me>";
   madjar = "Georges Dubus <georges.dubus@compiletoi.net>";
   magnetophon = "Bart Brouns <bart@magnetophon.nl>";
@@ -352,6 +353,7 @@
   notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
   np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
   nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
+  xnwdd = "Guillermo NWDD <nwdd+nixos@no.team>";
   obadz = "obadz <obadz-nixos@obadz.com>";
   ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
   odi = "Oliver Dunkl <oliver.dunkl@gmail.com>";
@@ -387,6 +389,7 @@
   pjones = "Peter Jones <pjones@devalot.com>";
   pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
   plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
+  plumps = "Maksim Bronsky <maks.bronsky@web.de";
   pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
   pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
   polyrod = "Maurizio Di Pietro <dc1mdp@gmail.com>";
@@ -418,6 +421,7 @@
   retrry = "Tadas Barzdžius <retrry@gmail.com>";
   rick68 = "Wei-Ming Yang <rick68@gmail.com>";
   rickynils = "Rickard Nilsson <rickynils@gmail.com>";
+  ris = "Robert Scott <code@humanleg.org.uk>";
   rlupton20 = "Richard Lupton <richard.lupton@gmail.com>";
   rnhmjoj = "Michele Guerini Rocco <micheleguerinirocco@me.com>";
   rob = "Rob Vermaas <rob.vermaas@gmail.com>";
@@ -503,9 +507,10 @@
   tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
   twey = "James ‘Twey’ Kay <twey@twey.co.uk>";
   uralbash = "Svintsov Dmitry <root@uralbash.ru>";
-  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
+  #urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
   uwap = "uwap <me@uwap.name>";
   vandenoever = "Jos van den Oever <jos@vandenoever.info>";
+  vanschelven = "Klaas van Schelven <klaas@vanschelven.com>";
   vanzef = "Ivan Solyankin <vanzef@gmail.com>";
   vbgl = "Vincent Laporte <Vincent.Laporte@gmail.com>";
   vbmithr = "Vincent Bernardoff <vb@luminar.eu.org>";
@@ -532,6 +537,7 @@
   womfoo = "Kranium Gikos Mendoza <kranium@gikos.net>";
   wscott = "Wayne Scott <wsc9tt@gmail.com>";
   wyvie = "Elijah Rum <elijahrum@gmail.com>";
+  xvapx = "Marti Serra <marti.serra.coscollano@gmail.com>";
   xwvvvvwx = "David Terry <davidterry@posteo.de>";
   yarr = "Dmitry V. <savraz@gmail.com>";
   yochai = "Yochai <yochai@titat.info>";
@@ -545,4 +551,5 @@
   zohl = "Al Zohali <zohl@fmap.me>";
   zoomulator = "Kim Simmons <zoomulator@gmail.com>";
   zraexy = "David Mell <zraexy@gmail.com>";
+  zx2c4 = "Jason A. Donenfeld <Jason@zx2c4.com>";
 }

lib/trivial.nix

@@ -53,6 +53,15 @@ rec {
   # argument, but it's nice this way if several uses of `extends` are cascaded.
   extends = f: rattrs: self: let super = rattrs self; in super // f self super;
 
+  # Compose two extending functions of the type expected by 'extends'
+  # into one where changes made in the first are available in the
+  # 'super' of the second
+  composeExtensions =
+    f: g: self: super:
+      let fApplied = f self super;
+          super' = super // fApplied;
+      in fApplied // g self super';
+
   # Create an overridable, recursive attribute set. For example:
   #
   #     nix-repl> obj = makeExtensible (self: { })

maintainers/scripts/hydra-eval-failures.py

@@ -5,6 +5,7 @@
 
 import subprocess
 import json
+import sys
 
 import click
 import requests
@@ -47,8 +48,8 @@ def get_maintainers(attr_name):
 @click.command()
 @click.option(
     '--jobset',
-    default="nixos/release-16.09",
-    help='Hydra project like nixos/release-16.09')
+    default="nixos/release-17.03",
+    help='Hydra project like nixos/release-17.03')
 def cli(jobset):
     """
     Given a Hydra project, inspect latest evaluation
@@ -75,12 +76,16 @@ def cli(jobset):
         a = pq(tr)('a')[1]
         print "- [ ] [{}]({})".format(a.text, a.get('href'))
 
+        sys.stdout.flush()
+
         maintainers = get_maintainers(a.text)
         if maintainers:
             print "  - maintainers: {}".format(", ".join(map(lambda u: '@' + u, maintainers)))
         # TODO: print last three persons that touched this file
         # TODO: pinpoint the diff that broke this build, or maybe it's transient or maybe it never worked?
 
+        sys.stdout.flush()
+
 
 if __name__ == "__main__":
     try:

nixos/default.nix

@@ -37,7 +37,4 @@ in
   vm = vmConfig.system.build.vm;
 
   vmWithBootLoader = vmWithBootLoaderConfig.system.build.vm;
-
-  # The following are used by nixos-rebuild.
-  nixFallback = pkgs.nixUnstable.out;
 }

nixos/doc/manual/administration/imperative-containers.xml

@@ -55,7 +55,7 @@ Thus, if something went wrong, you can get status info using
 
 </para>
 
-<para>If the container has started succesfully, you can log in as
+<para>If the container has started successfully, you can log in as
 root using the <command>root-login</command> operation:
 
 <screen>

nixos/doc/manual/configuration/file-systems.xml

@@ -35,6 +35,12 @@ or <literal>ext4</literal>, then it’s best to specify
 <option>fsType</option> to ensure that the kernel module is
 available.</para>
 
+<note><para>System startup will fail if any of the filesystems fails to mount,
+dropping you to the emergency shell.
+You can make a mount asynchronous and non-critical by adding
+<literal>options = [ "nofail" ];</literal>.
+</para></note>
+
 <xi:include href="luks-file-systems.xml" />
 
 </chapter>

nixos/doc/manual/configuration/modularity.xml

@@ -37,7 +37,7 @@ latter might look like this:
 
 { services.xserver.enable = true;
   services.xserver.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.kde5.enable = true;
+  services.xserver.desktopManager.plasma5.enable = true;
 }
 </programlisting>
 

nixos/doc/manual/configuration/x-windows.xml

@@ -25,7 +25,7 @@ Otherwise, you can only log into a plain undecorated
 <command>xterm</command> window.  Thus you should pick one or more of
 the following lines:
 <programlisting>
-services.xserver.desktopManager.kde5.enable = true;
+services.xserver.desktopManager.plasma5.enable = true;
 services.xserver.desktopManager.xfce.enable = true;
 services.xserver.desktopManager.gnome3.enable = true;
 services.xserver.windowManager.xmonad.enable = true;

nixos/doc/manual/configuration/xfce.xml

@@ -9,10 +9,10 @@
     <para>
         To enable the Xfce Desktop Environment, set
         <programlisting>
-            services.xserver.desktopManager = {
-                xfce.enable = true;
-                default = "xfce";
-            };
+services.xserver.desktopManager = {
+    xfce.enable = true;
+    default = "xfce";
+};
         </programlisting>
     </para>
 
@@ -20,13 +20,13 @@
         Optionally, <emphasis>compton</emphasis>
         can be enabled for nice graphical effects, some example settings:
         <programlisting>
-            services.compton = {
-              enable          = true;
-              fade            = true;
-              inactiveOpacity = "0.9";
-              shadow          = true;
-              fadeDelta       = 4;
-            };
+services.compton = {
+  enable          = true;
+  fade            = true;
+  inactiveOpacity = "0.9";
+  shadow          = true;
+  fadeDelta       = 4;
+};
         </programlisting>
     </para>
 
@@ -34,16 +34,16 @@
         Some Xfce programs are not installed automatically.
         To install them manually (system wide), put them into your
         <literal>environment.systemPackages</literal>.
-	</para>
+    </para>
 
     <para>
-		NixOS’s default <emphasis>display manager</emphasis>is SLiM.
-		(DM is the program that provides a graphical login prompt
-		 and manages the X server.)
-	   	You can, for example, select KDE’s
+        NixOS’s default <emphasis>display manager</emphasis> is SLiM.
+        (DM is the program that provides a graphical login prompt
+         and manages the X server.)
+        You can, for example, select KDE’s
         <command>sddm</command> instead:
         <programlisting>
-            services.xserver.displayManager.sddm.enable = true;
+services.xserver.displayManager.sddm.enable = true;
         </programlisting>
     </para>
 
@@ -55,7 +55,7 @@
             <emphasis>Thunar</emphasis>
             volume support, put
             <programlisting>
-                services.xserver.desktopManager.xfce.enable = true;
+services.xserver.desktopManager.xfce.enable = true;
             </programlisting>
             into your <emphasis>configuration.nix</emphasis>.
         </para>
@@ -84,10 +84,10 @@
             Thunar and/or the desktop takes time to show up.
 
             Thunar will spit out this kind of message on start
-            (look at journalctl --user -b).
+            (look at <command>journalctl --user -b</command>).
 
             <programlisting>
-                Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
+Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
             </programlisting>
 
             This is caused by some needed GNOME services not running.
@@ -95,7 +95,7 @@
             the Advanced tab of the Session and Startup settings panel.
             Alternatively, you can run this command to do the same thing.
             <programlisting>
-                $ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
+$ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
             </programlisting>
             A log-out and re-log will be needed for this to take effect.
         </para>

nixos/doc/manual/development/building-nixos.xml

@@ -12,12 +12,12 @@ your <filename>configuration.nix</filename> to configure the system that
 would be installed on the CD.</para>
 
 <para>Default CD/DVD configurations are available
-inside <filename>nixos/modules/installer/cd-dvd</filename>.  To build them
-you have to set <envar>NIXOS_CONFIG</envar> before
-running <command>nix-build</command> to build the ISO.
+inside <filename>nixos/modules/installer/cd-dvd</filename>.
 
 <screen>
-$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix</screen>
+$ git clone https://github.com/NixOS/nixpkgs.git
+$ cd nixpkgs/nixos
+$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix</screen>
 
 </para>
 

nixos/doc/manual/development/option-declarations.xml

@@ -95,7 +95,7 @@ options = {
   </itemizedlist>
   </para>
 
-  <para>Both approachs have problems.</para>
+  <para>Both approaches have problems.</para>
 
   <para>Making backends independent can quickly become hard to manage. For
     display managers, there can be only one enabled at a time, but the type

nixos/doc/manual/development/option-types.xml

@@ -282,7 +282,7 @@ config.mod.two = { foo = 2; bar = "two"; };</screen></example>
 <screen>
 byte = mkOption {
   description = "An integer between 0 and 255.";
-  type = addCheck (x: x &gt;= 0 &amp;&amp; x &lt;= 255) types.int;
+  type = addCheck types.int (x: x &gt;= 0 &amp;&amp; x &lt;= 255);
 };</screen></example>
 
 <example xml:id='ex-extending-type-check-2'><title>Overriding a type 
@@ -386,7 +386,7 @@ code before creating a new type.</para>
     <listitem><para>For composed types that can take a submodule as type 
         parameter, this function can be used to substitute the parameter of a 
         submodule type. It takes a module as parameter and return the type with 
-        the submodule options substituted. It is usally defined as a type 
+        the submodule options substituted. It is usually defined as a type 
         function call with a recursive call to 
         <literal>substSubModules</literal>, e.g for a type 
         <literal>composedType</literal> that take an <literal>elemtype</literal> 

nixos/doc/manual/development/sources.xml

@@ -27,8 +27,8 @@ a subdirectory of the Nixpkgs repository.) The remote
 <literal>channels</literal> refers to a read-only repository that
 tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/>
 for more information about channels). Thus, the Git branch
-<literal>channels/nixos-14.12</literal> will contain the latest built
-and tested version available in the <literal>nixos-14.12</literal>
+<literal>channels/nixos-17.03</literal> will contain the latest built
+and tested version available in the <literal>nixos-17.03</literal>
 channel.</para>
 
 <para>It’s often inconvenient to develop directly on the master
@@ -39,9 +39,9 @@ branch based on your current NixOS version:
 
 <screen>
 $ nixos-version
-14.04.273.ea1952b (Baboon)
+17.09pre104379.6e0b727 (Hummingbird)
 
-$ git checkout -b local ea1952b
+$ git checkout -b local e3938c8
 </screen>
 
 Or, to base your local branch on the latest version available in a
@@ -49,17 +49,17 @@ NixOS channel:
 
 <screen>
 $ git remote update channels
-$ git checkout -b local channels/nixos-14.12
+$ git checkout -b local channels/nixos-17.03
 </screen>
 
-(Replace <literal>nixos-14.12</literal> with the name of the channel
+(Replace <literal>nixos-17.03</literal> with the name of the channel
 you want to use.) You can use <command>git merge</command> or
 <command>git rebase</command> to keep your local branch in sync with
 the channel, e.g.
 
 <screen>
 $ git remote update channels
-$ git merge channels/nixos-14.12
+$ git merge channels/nixos-17.03
 </screen>
 
 You can use <command>git cherry-pick</command> to copy commits from

nixos/doc/manual/installation/installing-usb.xml

@@ -11,7 +11,9 @@ a USB stick. You can use the <command>dd</command> utility to write the image:
 <command>dd if=<replaceable>path-to-image</replaceable>
 of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
 correct drive; you can use the <command>lsblk</command> command to get a list of
-block devices.</para>
+block devices. If you're on OS X you can run <command>diskutil list</command>
+to see the list of devices; the device you'll use for the USB must be ejected
+before writing the image.</para>
 
 <para>The <command>dd</command> utility will write the image verbatim to the drive,
 making it the recommended option for both UEFI and non-UEFI installations. For

nixos/doc/manual/installation/upgrading.xml

@@ -15,12 +15,12 @@ been built.  These channels are:
 <itemizedlist>
   <listitem>
     <para><emphasis>Stable channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
+    xlink:href="https://nixos.org/channels/nixos-17.03">nixos-17.03</literal>.
     These only get conservative bug fixes and package upgrades.  For
     instance, a channel update may cause the Linux kernel on your
-    system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
-    not from 3.4.<replaceable>x</replaceable> to
-    3.11.<replaceable>x</replaceable> (a major change that has the
+    system to be upgraded from 4.9.16 to 4.9.17 (a minor bug fix), but
+    not from 4.9.<replaceable>x</replaceable> to
+    4.11.<replaceable>x</replaceable> (a major change that has the
     potential to break things).  Stable channels are generally
     maintained until the next stable branch is created.</para>
     <para></para>
@@ -34,7 +34,7 @@ been built.  These channels are:
   </listitem>
   <listitem>
     <para><emphasis>Small channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
+    xlink:href="https://nixos.org/channels/nixos-17.03-small">nixos-17.03-small</literal>
     or <literal
     xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
     are identical to the stable and unstable channels described above,
@@ -55,8 +55,8 @@ appliances.)</para>
 
 <para>When you first install NixOS, you’re automatically subscribed to
 the NixOS channel that corresponds to your installation source.   For
-instance, if you installed from a 14.12 ISO, you will be subscribed to
-the <literal>nixos-14.12</literal> channel.  To see which NixOS
+instance, if you installed from a 17.03 ISO, you will be subscribed to
+the <literal>nixos-17.03</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 
 <screen>
@@ -71,16 +71,16 @@ To switch to a different NixOS channel, do
 </screen>
 
 (Be sure to include the <literal>nixos</literal> parameter at the
-end.)  For instance, to use the NixOS 14.12 stable channel:
+end.)  For instance, to use the NixOS 17.03 stable channel:
 
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
 </screen>
 
 If you have a server, you may want to use the “small” channel instead:
 
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
 </screen>
 
 And if you want to live on the bleeding edge:
@@ -130,7 +130,7 @@ runs, see <command>systemctl list-timers</command>.)  You can also
 specify a channel explicitly, e.g.
 
 <programlisting>
-system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-17.03;
 </programlisting>
 
 </para>

nixos/doc/manual/release-notes/rl-1509.xml

@@ -342,7 +342,7 @@ nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc
 
 <listitem>
   <para>
-    Python 2.6 has been marked as broken (as it no longer recieves
+    Python 2.6 has been marked as broken (as it no longer receives
     security updates from upstream).
   </para>
 </listitem>

nixos/doc/manual/release-notes/rl-1603.xml

@@ -362,7 +362,7 @@ services.syncthing = {
   <listitem>
     <para>
       <literal>networking.firewall.allowPing</literal> is now enabled by
-      default. Users are encourarged to configure an approiate rate limit for
+      default. Users are encouraged to configure an appropriate rate limit for
       their machines using the Kernel interface at
       <filename>/proc/sys/net/ipv4/icmp_ratelimit</filename> and
       <filename>/proc/sys/net/ipv6/icmp/ratelimit</filename> or using the

nixos/doc/manual/release-notes/rl-1703.xml

@@ -4,7 +4,15 @@
          version="5.0"
          xml:id="sec-release-17.03">
 
-<title>Release 17.03 (“XXX”, 2017/03/??)</title>
+<title>Release 17.03 (“Gorilla”, 2017/03/31)</title>
+
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.03-highlights">
+
+<title>Highlights</title>
 
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
@@ -16,19 +24,40 @@ has the following highlights: </para>
     manual</link> for more information.</para>
   </listitem>
 
+  <listitem>
+    <para>This release is based on Glibc 2.25, GCC 5.4.0 and systemd
+    232. The default Linux kernel is 4.9 and Nix is at 1.11.8.</para>
+  </listitem>
+
+  <listitem>
+    <para>The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed</para>
+  </listitem>
+
   <listitem>
     <para>The setuid wrapper functionality now supports setting
     capabilities.</para>
   </listitem>
 
   <listitem>
-    <para>X.org server uses branch 1.19.  Due to ABI incompatibilities,
+    <para>X.org server uses branch 1.19. Due to ABI incompatibilities,
       <literal>ati_unfree</literal> keeps forcing 1.17
       and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
   </listitem>
 
   <listitem>
-    <para>PHP now defaults to PHP 7.1</para>
+    <para>
+      Cross compilation has been rewritten. See the nixpkgs manual for
+      details. The most obvious breaking change is that in derivations there is no
+      <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now
+      cross by default, not native.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>The <literal>overridePackages</literal> function has been rewritten
+    to be replaced by <link
+    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
+    overlays</link></para>
   </listitem>
 
   <listitem>
@@ -38,16 +67,115 @@ has the following highlights: </para>
     manual</link> for more information.</para>
   </listitem>
 
+  <listitem>
+    <para>PHP now defaults to PHP 7.1</para>
+  </listitem>
+
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.03-new-services">
+
+<title>New Services</title>
+
 <para>The following new services were added since the last release:</para>
 
 <itemizedlist>
-  <listitem>
-    <para></para>
-  </listitem>
+  <listitem><para><literal>hardware/ckb.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/mcelog.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/usb-wwan.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/video/capture/mwprocapture.nix</literal></para></listitem>
+  <listitem><para><literal>programs/adb.nix</literal></para></listitem>
+  <listitem><para><literal>programs/chromium.nix</literal></para></listitem>
+  <listitem><para><literal>programs/gphoto2.nix</literal></para></listitem>
+  <listitem><para><literal>programs/java.nix</literal></para></listitem>
+  <listitem><para><literal>programs/mtr.nix</literal></para></listitem>
+  <listitem><para><literal>programs/oblogout.nix</literal></para></listitem>
+  <listitem><para><literal>programs/vim.nix</literal></para></listitem>
+  <listitem><para><literal>programs/wireshark.nix</literal></para></listitem>
+  <listitem><para><literal>security/dhparams.nix</literal></para></listitem>
+  <listitem><para><literal>services/audio/ympd.nix</literal></para></listitem>
+  <listitem><para><literal>services/computing/boinc/client.nix</literal></para></listitem>
+  <listitem><para><literal>services/continuous-integration/buildbot/master.nix</literal></para></listitem>
+  <listitem><para><literal>services/continuous-integration/buildbot/worker.nix</literal></para></listitem>
+  <listitem><para><literal>services/continuous-integration/gitlab-runner.nix</literal></para></listitem>
+  <listitem><para><literal>services/databases/riak-cs.nix</literal></para></listitem>
+  <listitem><para><literal>services/databases/stanchion.nix</literal></para></listitem>
+  <listitem><para><literal>services/desktops/gnome3/gnome-terminal-server.nix</literal></para></listitem>
+  <listitem><para><literal>services/editors/infinoted.nix</literal></para></listitem>
+  <listitem><para><literal>services/hardware/illum.nix</literal></para></listitem>
+  <listitem><para><literal>services/hardware/trezord.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/journalbeat.nix</literal></para></listitem>
+  <listitem><para><literal>services/mail/offlineimap.nix</literal></para></listitem>
+  <listitem><para><literal>services/mail/postgrey.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/couchpotato.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/docker-registry.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/errbot.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/geoip-updater.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/gogs.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/leaps.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/nix-optimise.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/ssm-agent.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/sssd.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/arbtt.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/netdata.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/default.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/alertmanager.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/blackbox-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/json-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/nginx-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/node-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/snmp-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/unifi-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/varnish-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/sysstat.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/telegraf.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/vnstat.nix</literal></para></listitem>
+  <listitem><para><literal>services/network-filesystems/cachefilesd.nix</literal></para></listitem>
+  <listitem><para><literal>services/network-filesystems/glusterfs.nix</literal></para></listitem>
+  <listitem><para><literal>services/network-filesystems/ipfs.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/dante.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/dnscrypt-wrapper.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/fakeroute.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/flannel.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/htpdate.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/miredo.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/nftables.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/powerdns.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/pdns-recursor.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/quagga.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/redsocks.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/wireguard.nix</literal></para></listitem>
+  <listitem><para><literal>services/system/cgmanager.nix</literal></para></listitem>
+  <listitem><para><literal>services/torrent/opentracker.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/atlassian/confluence.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/atlassian/crowd.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/atlassian/jira.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/frab.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/nixbot.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/selfoss.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/quassel-webserver.nix</literal></para></listitem>
+  <listitem><para><literal>services/x11/unclutter-xfixes.nix</literal></para></listitem>
+  <listitem><para><literal>services/x11/urxvtd.nix</literal></para></listitem>
+  <listitem><para><literal>system/boot/systemd-nspawn.nix</literal></para></listitem>
+  <listitem><para><literal>virtualisation/ecs-agent.nix</literal></para></listitem>
+  <listitem><para><literal>virtualisation/lxcfs.nix</literal></para></listitem>
+  <listitem><para><literal>virtualisation/openstack/keystone.nix</literal></para></listitem>
+  <listitem><para><literal>virtualisation/openstack/glance.nix</literal></para></listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.03-incompatibilities">
+
+<title>Backward Incompatibilities</title>
 
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
@@ -55,10 +183,8 @@ following incompatible changes:</para>
 <itemizedlist>
   <listitem>
     <para>
-      Cross compilation has been rewritten. See the nixpkgs manual for
-      details. The most obvious breaking change is that derivations absent a
-      <literal>.nativeDrv</literal> or <literal>.crossDrv</literal> are now
-      cross by default, not native.
+      Derivations have no <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> 
+      and are now cross by default, not native.
     </para>
   </listitem>
 
@@ -95,15 +221,6 @@ following incompatible changes:</para>
     </para>
   </listitem>
 
-  <listitem>
-    <para>
-      The Yama LSM is now enabled by default in the kernel,
-      which prevents ptracing non-child processes.
-      This means you will not be able to attach gdb to an existing process,
-      but will need to start that process from gdb (so it is a child).
-    </para>
-  </listitem>
-
   <listitem>
     <para>
       The <literal>stripHash</literal> bash function in <literal>stdenv</literal>
@@ -183,7 +300,7 @@ following incompatible changes:</para>
     <para><literal>overridePackages</literal> function no longer exists.
     It is replaced by <link
     xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
-    overlays</link>.  For example, the following code:
+    overlays</link>. For example, the following code:
 
 <programlisting>
   let
@@ -228,7 +345,7 @@ following incompatible changes:</para>
   <listitem>
     <para>
     Iputils no longer provide ping6 and traceroute6. The functionality of
-    these tools have been integrated into ping and traceroute respectively. To
+    these tools has been integrated into ping and traceroute respectively. To
     enforce an address family the new flags <literal>-4</literal> and
     <literal>-6</literal> have been added. One notable incompatibility is that
     specifying an interface (for link-local IPv6 for instance) is no longer done
@@ -237,10 +354,60 @@ following incompatible changes:</para>
     </para>
   </listitem>
 
+  <listitem>
+    <para>
+      The socket handling of the <literal>services.rmilter</literal> module
+      has been fixed and refactored. As rmilter doesn't support binding to
+      more than one socket, the options <literal>bindUnixSockets</literal>
+      and <literal>bindInetSockets</literal> have been replaced by
+      <literal>services.rmilter.bindSocket.*</literal>. The default is still
+      a unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to
+      the options documentation for more information.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      The <literal>fetch*</literal> functions no longer support md5,
+      please use sha256 instead.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      The dnscrypt-proxy module interface has been streamlined around the
+      <option>extraArgs</option> option. Where possible, legacy option
+      declarations are mapped to <option>extraArgs</option> but will emit
+      warnings. The <option>resolverList</option> has been outright
+      removed: to use an unlisted resolver, use the
+      <option>customResolver</option> option.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      torbrowser now stores local state under
+      <filename>~/.local/share/tor-browser</filename> by default. Any
+      browser profile data from the old location,
+      <filename>~/.torbrowser4</filename>, must be migrated manually.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
+    </para>
+  </listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.03-notable-changes">
 
-<para>Other notable improvements:</para>
+<title>Other Notable Changes</title>
 
 <itemizedlist>
 
@@ -261,7 +428,87 @@ following incompatible changes:</para>
     </para>
   </listitem>
 
+  <listitem>
+    <para>Python 2.6 interpreter and package set have been removed.</para>
+  </listitem>
+
+  <listitem>
+    <para>
+      The Python 2.7 interpreter does not use modules anymore. Instead, all
+      CPython interpreters now include the whole standard library except for `tkinter`,
+      which is available in the Python package set.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
+      Minor modifications had to be made to the interpreters in order to generate
+      deterministic bytecode. This has security implications and is relevant for
+      those using Python in a <literal>nix-shell</literal>. See the Nixpkgs manual
+      for details.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      The Python package sets now use a fixed-point combinator and the sets are
+      available as attributes of the interpreters.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      The Python function <literal>buildPythonPackage</literal> has been improved and can be
+      used to build from Setuptools source, Flit source, and precompiled Wheels.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      When adding new or updating current Python libraries, the expressions should be put
+      in separate files in <literal>pkgs/development/python-modules</literal> and
+      called from <literal>python-packages.nix</literal>.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      The dnscrypt-proxy service supports synchronizing the list of public
+      resolvers without working DNS resolution. This fixes issues caused by the
+      resolver list becoming outdated. It also improves the viability of
+      DNSCrypt only configurations.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      Containers using bridged networking no longer lose their connection after
+      changes to the host networking.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      ZFS supports pool auto scrubbing.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      The bind DNS utilities (e.g. dig) have been split into their own output and
+      are now also available in <literal>pkgs.dnsutils</literal> and it is no longer
+      necessary to pull in all of <literal>bind</literal> to use them.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      Per-user configuration was moved from <filename>~/.nixpkgs</filename> to
+      <filename>~/.config/nixpkgs</filename>. The former is still valid for
+      <filename>config.nix</filename> for backwards compatibility.
+    </para>
+  </listitem>
 </itemizedlist>
-
-
+</section>
 </section>

nixos/lib/test-driver/test-driver.pl

@@ -35,7 +35,7 @@ foreach my $vlan (split / /, $ENV{VLANS} || "") {
     if ($pid == 0) {
         dup2(fileno($pty->slave), 0);
         dup2(fileno($stdoutW), 1);
-        exec "vde_switch -s $socket" or _exit(1);
+        exec "vde_switch -s $socket --dirmode 0700" or _exit(1);
     }
     close $stdoutW;
     print $pty "version\n";

nixos/lib/testing.nix

@@ -108,16 +108,16 @@ rec {
           mkdir -p $out/bin
           echo "$testScript" > $out/test-script
           ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
-          vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
+          vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
           wrapProgram $out/bin/nixos-test-driver \
-            --add-flags "$vms" \
+            --add-flags "''${vms[*]}" \
             ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
             --run "testScript=\"\$(cat $out/test-script)\"" \
             --set testScript '$testScript' \
             --set VLANS '${toString vlans}'
           ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
           wrapProgram $out/bin/nixos-run-vms \
-            --add-flags "$vms" \
+            --add-flags "''${vms[*]}" \
             ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
             --set tests 'startAll; joinAll;' \
             --set VLANS '${toString vlans}' \

nixos/modules/config/i18n.nix

@@ -37,7 +37,7 @@ in
           <literal>"all"</literal> means that all locales supported by
           Glibc will be installed.  A full list of supported locales
           can be found at <link
-          xlink:href="http://sourceware.org/cgi-bin/cvsweb.cgi/libc/localedata/SUPPORTED?cvsroot=glibc"/>.
+          xlink:href="https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED"/>.
         '';
       };
 

nixos/modules/config/ldap.nix

@@ -19,7 +19,6 @@ let
       bind_policy ${config.users.ldap.bind.policy}
       ${optionalString config.users.ldap.useTLS ''
         ssl start_tls
-        tls_checkpeer no
       ''}
       ${optionalString (config.users.ldap.bind.distinguishedName != "") ''
         binddn ${config.users.ldap.bind.distinguishedName}

nixos/modules/config/pulseaudio.nix

@@ -274,6 +274,8 @@ in {
           RestartSec = "500ms";
         };
       };
+
+      environment.variables.PULSE_COOKIE = "${stateDir}/.config/pulse/cookie";
     })
   ];
 

nixos/modules/config/sysctl.nix

@@ -64,5 +64,9 @@ in
     # Removed under grsecurity.
     boot.kernel.sysctl."kernel.kptr_restrict" =
       if (config.boot.kernelPackages.kernel.features.grsecurity or false) then null else 1;
+
+    # Disable YAMA by default to allow easy debugging.
+    boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
+
   };
 }

nixos/modules/config/update-users-groups.pl

@@ -177,7 +177,7 @@ foreach my $u (@{$spec->{users}}) {
     }
 
     # Create a home directory.
-    if ($u->{createHome} && ! -e $u->{home}) {
+    if ($u->{createHome}) {
         make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
         chown $u->{uid}, $u->{gid}, $u->{home};
     }

nixos/modules/hardware/all-firmware.nix

@@ -2,7 +2,9 @@
 
 with lib;
 
-{
+let
+  cfg = config.hardware;
+in {
 
   ###### interface
 
@@ -12,7 +14,16 @@ with lib;
       default = false;
       type = types.bool;
       description = ''
-        Turn on this option if you want to enable all the firmware shipped in linux-firmware.
+        Turn on this option if you want to enable all the firmware.
+      '';
+    };
+
+    hardware.enableRedistributableFirmware = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Turn on this option if you want to enable all the firmware with a license allowing redistribution.
+        (i.e. free firmware and <literal>firmware-linux-nonfree</literal>)
       '';
     };
 
@@ -21,12 +32,26 @@ with lib;
 
   ###### implementation
 
-  config = mkIf config.hardware.enableAllFirmware {
-    hardware.firmware = with pkgs; [
-      firmwareLinuxNonfree
-      intel2200BGFirmware
-      rtl8723bs-firmware
-    ];
-  };
-
+  config = mkMerge [
+    (mkIf (cfg.enableAllFirmware || cfg.enableRedistributableFirmware) {
+      hardware.firmware = with pkgs; [
+        firmwareLinuxNonfree
+        intel2200BGFirmware
+        rtl8723bs-firmware
+      ];
+    })
+    (mkIf cfg.enableAllFirmware {
+      assertions = [{
+        assertion = !cfg.enableAllFirmware || (config.nixpkgs.config.allowUnfree or false);
+        message = ''
+          the list of hardware.enableAllFirmware contains non-redistributable licensed firmware files.
+            This requires nixpkgs.config.allowUnfree to be true.
+            An alternative is to use the hardware.enableRedistributableFirmware option.
+        '';
+      }];
+      hardware.firmware = with pkgs; [
+        broadcom-bt-firmware
+      ];
+    })
+  ];
 }

nixos/modules/hardware/network/broadcom-43xx.nix

@@ -1,3 +1,3 @@
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/hardware/network/intel-2030.nix

@@ -1,3 +1,3 @@
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/hardware/network/intel-2100bg.nix

@@ -23,7 +23,7 @@
 
   config = lib.mkIf config.networking.enableIntel2100BGFirmware {
 
-    hardware.enableAllFirmware = true;
+    hardware.enableRedistributableFirmware = true;
 
   };
 

nixos/modules/hardware/network/intel-3945abg.nix

@@ -22,7 +22,7 @@
 
   config = lib.mkIf config.networking.enableIntel3945ABGFirmware {
 
-    hardware.enableAllFirmware = true;
+    hardware.enableRedistributableFirmware = true;
 
   };
 

nixos/modules/hardware/network/intel-4965agn.nix

@@ -1,3 +1,3 @@
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/hardware/network/intel-5000.nix

@@ -1,3 +1,3 @@
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/hardware/network/intel-5150.nix

@@ -1,3 +1,3 @@
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/hardware/network/intel-6000.nix

@@ -1,3 +1,3 @@
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/hardware/network/intel-6000g2a.nix

@@ -1,3 +1,3 @@
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/hardware/network/intel-6000g2b.nix

@@ -1,3 +1,3 @@
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/hardware/network/ralink.nix

@@ -20,7 +20,7 @@
   ###### implementation
 
   config = lib.mkIf config.networking.enableRalinkFirmware {
-    hardware.enableAllFirmware = true;
+    hardware.enableRedistributableFirmware = true;
   };
 
 }

nixos/modules/hardware/network/rtl8192c.nix

@@ -20,7 +20,7 @@
   ###### implementation
 
   config = lib.mkIf config.networking.enableRTL8192cFirmware {
-    hardware.enableAllFirmware = true;
+    hardware.enableRedistributableFirmware = true;
   };
 
 }

nixos/modules/hardware/video/displaylink.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -6,7 +6,11 @@ let
 
   enabled = elem "displaylink" config.services.xserver.videoDrivers;
 
-  displaylink = config.boot.kernelPackages.displaylink;
+  evdi = config.boot.kernelPackages.evdi;
+
+  displaylink = pkgs.displaylink.override {
+    inherit evdi;
+  };
 
 in
 
@@ -14,15 +18,11 @@ in
 
   config = mkIf enabled {
 
-    boot.extraModulePackages = [ displaylink ];
-
-    boot.kernelModules = [ "evdi" ];
+    boot.extraModulePackages = [ evdi ];
 
     # Those are taken from displaylink-installer.sh and from Arch Linux AUR package.
 
-    services.udev.extraRules = ''
-      ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="17e9", ATTR{bNumInterfaces}=="*5", TAG+="uaccess"
-    '';
+    services.udev.packages = [ displaylink ];
 
     powerManagement.powerDownCommands = ''
       #flush any bytes in pipe
@@ -32,7 +32,10 @@ in
       echo "S" > /tmp/PmMessagesPort_in
 
       #wait until suspend of DisplayLinkManager finish
-      read -n 1 -t 10 SUSPEND_RESULT < /tmp/PmMessagesPort_out
+      if [ -f /tmp/PmMessagesPort_out ]; then
+        #wait until suspend of DisplayLinkManager finish
+        read -n 1 -t 10 SUSPEND_RESULT < /tmp/PmMessagesPort_out
+      fi
     '';
 
     powerManagement.resumeCommands = ''
@@ -40,10 +43,11 @@ in
       echo "R" > /tmp/PmMessagesPort_in
     '';
 
-    systemd.services.displaylink = {
+    systemd.services.dlm = {
       description = "DisplayLink Manager Service";
       after = [ "display-manager.service" ];
-      wantedBy = [ "graphical.target" ];
+      conflicts = [ "getty@tty7.service" ];
+      path = [ pkgs.kmod ];
 
       serviceConfig = {
         ExecStart = "${displaylink}/bin/DisplayLinkManager";
@@ -53,6 +57,7 @@ in
 
       preStart = ''
         mkdir -p /var/log/displaylink
+        modprobe evdi
       '';
     };
 

nixos/modules/hardware/video/nvidia.nix

@@ -28,7 +28,7 @@ let
   nvidia_libs32 = (nvidiaForKernel pkgs_i686.linuxPackages).override { libsOnly = true; kernel = null; };
 
   nvidiaPackage = nvidia: pkgs:
-    if !nvidia.useGLVND then nvidia
+    if !nvidia.useGLVND then nvidia.out
     else pkgs.buildEnv {
       name = "nvidia-libs";
       paths = [ pkgs.libglvnd nvidia.out ];
@@ -56,7 +56,8 @@ in
     hardware.opengl.package = nvidiaPackage nvidia_x11 pkgs;
     hardware.opengl.package32 = nvidiaPackage nvidia_libs32 pkgs_i686;
 
-    environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings nvidia_x11.persistenced ];
+    environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings ]
+      ++ lib.filter (p: p != null) [ nvidia_x11.persistenced ];
 
     boot.extraModulePackages = [ nvidia_x11.bin ];
 

nixos/modules/hardware/video/radeon.nix

@@ -1,3 +1,3 @@
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix

@@ -18,7 +18,7 @@ with lib;
       autoLogin = true;
     };
 
-    desktopManager.kde5 = {
+    desktopManager.plasma5 = {
       enable = true;
       enableQt4Support = false;
     };
@@ -66,7 +66,7 @@ with lib;
   in ''
     mkdir -p /root/Desktop
     ln -sfT ${desktopFile} /root/Desktop/nixos-manual.desktop
-    ln -sfT ${pkgs.kdeApplications.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
+    ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
     ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
   '';
 

nixos/modules/installer/cd-dvd/iso-image.nix

@@ -172,7 +172,6 @@ in
 
     isoImage.includeSystemBuildDependencies = mkOption {
       default = false;
-      example = true;
       description = ''
         Set this option to include all the needed sources etc in the
         image. It significantly increases image size. Use that when
@@ -280,7 +279,7 @@ in
         options = [ "allow_other" "cow" "nonempty" "chroot=/mnt-root" "max_files=32768" "hide_meta_files" "dirs=/nix/.rw-store=rw:/nix/.ro-store=ro" ];
       };
 
-    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "usb-storage" ];
+    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "usb-storage" "uas" ];
 
     boot.blacklistedKernelModules = [ "nouveau" ];
 

nixos/modules/installer/scan/not-detected.nix

@@ -5,5 +5,5 @@
 with lib;
 
 {
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 }

nixos/modules/installer/tools/auto-upgrade.nix

@@ -48,7 +48,7 @@ let cfg = config.system.autoUpgrade; in
         description = ''
           Specification (in the format described by
           <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
           which the update will occur.
         '';
       };

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,5 +1,5 @@
 {
-  x86_64-linux = "/nix/store/4ssykr786d0wp7y6m4xd4qwqs4nrry1z-nix-1.11.7";
-  i686-linux = "/nix/store/61ggxx2072y2g877m01asy0lsn7xpn06-nix-1.11.7";
-  x86_64-darwin = "/nix/store/pxf5ri5kdbfqkhd10sw4lpj8sn385ks5-nix-1.11.7";
+  x86_64-linux = "/nix/store/xrqssm90gsrnqdn79rpfcs6dwx8597d2-nix-1.11.14";
+  i686-linux = "/nix/store/3vjphivqs2iy6m9yb3bd80nd3518510k-nix-1.11.14";
+  x86_64-darwin = "/nix/store/4j9jacx8mjd4jlj53wvymyhxq7dqyj5d-nix-1.11.14";
 }

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -607,7 +607,7 @@ $bootLoaderConfig
 
   # Enable the KDE Desktop Environment.
   # services.xserver.displayManager.sddm.enable = true;
-  # services.xserver.desktopManager.kde5.enable = true;
+  # services.xserver.desktopManager.plasma5.enable = true;
 
   # Define a user account. Don't forget to set a password with ‘passwd’.
   # users.extraUsers.guest = {

nixos/modules/installer/tools/nixos-rebuild.sh

@@ -278,24 +278,22 @@ if [ -n "$buildNix" ]; then
     echo "building Nix..." >&2
     nixDrv=
     if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
-        if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then
-            if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
-                nixStorePath="$(prebuiltNix "$(uname -m)")"
-                if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
-                    --option extra-binary-caches https://cache.nixos.org/; then
+        if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
+            nixStorePath="$(prebuiltNix "$(uname -m)")"
+            if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
+                --option extra-binary-caches https://cache.nixos.org/; then
+                echo "warning: don't know how to get latest Nix" >&2
+            fi
+            # Older version of nix-store -r don't support --add-root.
+            [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
+            if [ -n "$buildHost" ]; then
+                remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
+                remoteNix="$remoteNixStorePath/bin"
+                if ! buildHostCmd nix-store -r $remoteNixStorePath \
+                  --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
+                    remoteNix=
                     echo "warning: don't know how to get latest Nix" >&2
                 fi
-                # Older version of nix-store -r don't support --add-root.
-                [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
-                if [ -n "$buildHost" ]; then
-                    remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
-                    remoteNix="$remoteNixStorePath/bin"
-                    if ! buildHostCmd nix-store -r $remoteNixStorePath \
-                      --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
-                        remoteNix=
-                        echo "warning: don't know how to get latest Nix" >&2
-                    fi
-                fi
             fi
         fi
     fi

nixos/modules/misc/ids.nix

@@ -288,6 +288,8 @@
       kresd = 270;
       rpc = 271;
       geoip = 272;
+      fcron = 273;
+      rslsync = 279;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -545,6 +547,8 @@
       kresd = 270;
       #rpc = 271; # unused
       #geoip = 272; # unused
+      fcron = 273;
+      rslsync = 279;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/misc/locate.nix

@@ -104,13 +104,13 @@ in {
     users.extraGroups = mkIf isMLocate { mlocate = {}; };
 
     security.wrappers = mkIf isMLocate {
-      mlocate = {
+      locate = {
         group = "mlocate";
         owner = "root";
         permissions = "u+rx,g+x,o+x";
         setgid = true;
         setuid = false;
-        program = "locate";
+        source = "${cfg.locate}/bin/locate";
       };
     };
 
@@ -131,9 +131,9 @@ in {
         path = mkIf (!isMLocate) [ pkgs.su ];
         script =
           ''
-            install -m ${if isMLocate then "0750" else "0755"} -o root -g ${if isMLocate then "mlocate" else "root"} -d $(dirname ${cfg.output})
+            mkdir -m 0755 -p ${dirOf cfg.output}
             exec ${cfg.locate}/bin/updatedb \
-              ${optionalString (cfg.localuser != null) ''--localuser=${cfg.localuser}''} \
+              ${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \
               --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
           '';
         environment = {

nixos/modules/misc/version.nix

@@ -78,7 +78,7 @@ in
     defaultChannel = mkOption {
       internal = true;
       type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-17.03;
       description = "Default NixOS channel to which the root user is subscribed.";
     };
 

nixos/modules/module-list.nix

@@ -99,7 +99,9 @@
   ./programs/wvdial.nix
   ./programs/xfs_quota.nix
   ./programs/xonsh.nix
+  ./programs/zsh/oh-my-zsh.nix
   ./programs/zsh/zsh.nix
+  ./programs/zsh/zsh-syntax-highlighting.nix
   ./rename.nix
   ./security/acme.nix
   ./security/apparmor.nix
@@ -136,7 +138,6 @@
   ./services/backup/mysql-backup.nix
   ./services/backup/postgresql-backup.nix
   ./services/backup/rsnapshot.nix
-  ./services/backup/sitecopy-backup.nix
   ./services/backup/tarsnap.nix
   ./services/backup/znapzend.nix
   ./services/cluster/fleet.nix
@@ -315,7 +316,7 @@
   ./services/monitoring/cadvisor.nix
   ./services/monitoring/collectd.nix
   ./services/monitoring/das_watchdog.nix
-  ./services/monitoring/dd-agent.nix
+  ./services/monitoring/dd-agent/dd-agent.nix
   ./services/monitoring/grafana.nix
   ./services/monitoring/graphite.nix
   ./services/monitoring/hdaps.nix
@@ -332,6 +333,7 @@
   ./services/monitoring/prometheus/nginx-exporter.nix
   ./services/monitoring/prometheus/node-exporter.nix
   ./services/monitoring/prometheus/snmp-exporter.nix
+  ./services/monitoring/prometheus/unifi-exporter.nix
   ./services/monitoring/prometheus/varnish-exporter.nix
   ./services/monitoring/riemann.nix
   ./services/monitoring/riemann-dash.nix
@@ -449,13 +451,14 @@
   ./services/networking/prayer.nix
   ./services/networking/privoxy.nix
   ./services/networking/prosody.nix
-  ./services/networking/quagga.nix
+  # ./services/networking/quagga.nix
   ./services/networking/quassel.nix
   ./services/networking/racoon.nix
   ./services/networking/radicale.nix
   ./services/networking/radvd.nix
   ./services/networking/rdnssd.nix
   ./services/networking/redsocks.nix
+  ./services/networking/resilio.nix
   ./services/networking/rpcbind.nix
   ./services/networking/sabnzbd.nix
   ./services/networking/searx.nix

nixos/modules/profiles/all-hardware.nix

@@ -50,7 +50,7 @@
     ];
 
   # Include lots of firmware.
-  hardware.enableAllFirmware = true;
+  hardware.enableRedistributableFirmware = true;
 
   imports =
     [ ../hardware/network/zydas-zd1211.nix ];

nixos/modules/profiles/graphical.nix

@@ -1,5 +1,5 @@
-# This module defines a NixOS configuration that contains X11 and
-# KDE 4.  It's used by the graphical installation CD.
+# This module defines a NixOS configuration with the Plasma 5 desktop.
+# It's used by the graphical installation CD.
 
 { config, pkgs, ... }:
 
@@ -7,7 +7,7 @@
   services.xserver = {
     enable = true;
     displayManager.sddm.enable = true;
-    desktopManager.kde5.enable = true;
+    desktopManager.plasma5.enable = true;
     synaptics.enable = true; # for touchpad support on many laptops
   };
 

nixos/modules/programs/adb.nix

@@ -10,7 +10,6 @@ with lib;
     programs.adb = {
       enable = mkOption {
         default = false;
-        example = true;
         type = types.bool;
         description = ''
           Whether to configure system to use Android Debug Bridge (adb).

nixos/modules/programs/fish.nix

@@ -27,6 +27,30 @@ in
         '';
         type = types.bool;
       };
+      
+      vendor.config.enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether fish should source configuration snippets provided by other packages.
+        '';
+      };
+
+      vendor.completions.enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether fish should use completion files provided by other packages.
+        '';
+      };
+      
+      vendor.functions.enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether fish should autoload fish functions provided by other packages.
+        '';
+      };
 
       shellAliases = mkOption {
         default = config.environment.shellAliases;
@@ -79,31 +103,74 @@ in
     environment.etc."fish/foreign-env/loginShellInit".text = cfge.loginShellInit;
     environment.etc."fish/foreign-env/interactiveShellInit".text = cfge.interactiveShellInit;
 
+    environment.etc."fish/nixos-env-preinit.fish".text = ''
+      # This happens before $__fish_datadir/config.fish sets fish_function_path, so it is currently
+      # unset. We set it and then completely erase it, leaving its configuration to $__fish_datadir/config.fish
+      set fish_function_path ${pkgs.fish-foreign-env}/share/fish-foreign-env/functions $__fish_datadir/functions
+      
+      # source the NixOS environment config
+      fenv source ${config.system.build.setEnvironment}
+
+      # clear fish_function_path so that it will be correctly set when we return to $__fish_datadir/config.fish
+      set -e fish_function_path
+    '';
+
     environment.etc."fish/config.fish".text = ''
       # /etc/fish/config.fish: DO NOT EDIT -- this file has been generated automatically.
 
-      set fish_function_path $fish_function_path ${pkgs.fish-foreign-env}/share/fish-foreign-env/functions
+      # if we haven't sourced the general config, do it
+      if not set -q __fish_nixos_general_config_sourced
+        set fish_function_path ${pkgs.fish-foreign-env}/share/fish-foreign-env/functions $fish_function_path
+        fenv source /etc/fish/foreign-env/shellInit > /dev/null
+        set -e fish_function_path[1]
+        
+        ${cfg.shellInit}
 
-      fenv source ${config.system.build.setEnvironment} > /dev/null ^&1
-      fenv source /etc/fish/foreign-env/shellInit > /dev/null
-
-      ${cfg.shellInit}
-
-      if status --is-login
-        fenv source /etc/fish/foreign-env/loginShellInit > /dev/null
-        ${cfg.loginShellInit}
+        # and leave a note so we don't source this config section again from
+        # this very shell (children will source the general config anew)
+        set -g __fish_nixos_general_config_sourced 1
       end
 
-      if status --is-interactive
+      # if we haven't sourced the login config, do it
+      status --is-login; and not set -q __fish_nixos_login_config_sourced
+      and begin
+        set fish_function_path ${pkgs.fish-foreign-env}/share/fish-foreign-env/functions $fish_function_path
+        fenv source /etc/fish/foreign-env/loginShellInit > /dev/null
+        set -e fish_function_path[1]
+        
+        ${cfg.loginShellInit}
+
+        # and leave a note so we don't source this config section again from
+        # this very shell (children will source the general config anew)
+        set -g __fish_nixos_login_config_sourced 1
+      end
+
+      # if we haven't sourced the interactive config, do it
+      status --is-interactive; and not set -q __fish_nixos_interactive_config_sourced
+      and begin
         ${fishAliases}
+        
+
+        set fish_function_path ${pkgs.fish-foreign-env}/share/fish-foreign-env/functions $fish_function_path
         fenv source /etc/fish/foreign-env/interactiveShellInit > /dev/null
+        set -e fish_function_path[1]
+        
+        ${cfg.promptInit}
         ${cfg.interactiveShellInit}
+
+        # and leave a note so we don't source this config section again from
+        # this very shell (children will source the general config anew,
+        # allowing configuration changes in, e.g, aliases, to propagate)
+        set -g __fish_nixos_interactive_config_sourced 1
       end
     '';
 
     # include programs that bring their own completions
-    environment.pathsToLink = [ "/share/fish/vendor_completions.d" ];
-
+    environment.pathsToLink = []
+      ++ optional cfg.vendor.config.enable "/share/fish/vendor_conf.d"
+      ++ optional cfg.vendor.completions.enable "/share/fish/vendor_completions.d"
+      ++ optional cfg.vendor.functions.enable "/share/fish/vendor_functions.d";
+    
     environment.systemPackages = [ pkgs.fish ];
 
     environment.shells = [

nixos/modules/programs/gphoto2.nix

@@ -10,7 +10,6 @@ with lib;
     programs.gphoto2 = {
       enable = mkOption {
         default = false;
-        example = true;
         type = types.bool;
         description = ''
           Whether to configure system to use gphoto2.

nixos/modules/programs/mosh.nix

@@ -14,7 +14,6 @@ in
         Whether to enable mosh. Note, this will open ports in your firewall!
       '';
       default = false;
-      example = true;
       type = lib.types.bool;
     };
   };

nixos/modules/programs/ssmtp.nix

@@ -22,7 +22,6 @@ in
       directDelivery = mkOption {
         type = types.bool;
         default = false;
-        example = true;
         description = ''
           Use the trivial Mail Transfer Agent (MTA)
           <command>ssmtp</command> package to allow programs to send
@@ -65,7 +64,6 @@ in
       useTLS = mkOption {
         type = types.bool;
         default = false;
-        example = true;
         description = ''
           Whether TLS should be used to connect to the default mail
           server.
@@ -75,7 +73,6 @@ in
       useSTARTTLS = mkOption {
         type = types.bool;
         default = false;
-        example = true;
         description = ''
           Whether the STARTTLS should be used to connect to the default
           mail server.  (This is needed for TLS-capable mail servers

nixos/modules/programs/tmux.nix

@@ -65,7 +65,6 @@ in {
 
       aggressiveResize = mkOption {
         default = false;
-        example = true;
         type = types.bool;
         description = ''
           Resize the window to the size of the smallest session for which it is the current window.
@@ -81,14 +80,12 @@ in {
 
       clock24 = mkOption {
         default = false;
-        example = true;
         type = types.bool;
         description = "Use 24 hour clock.";
       };
 
       customPaneNavigationAndResize = mkOption {
         default = false;
-        example = true;
         type = types.bool;
         description = "Override the hjkl and HJKL bindings for pane navigation and resizing in VI mode.";
       };
@@ -124,14 +121,12 @@ in {
 
       newSession = mkOption {
         default = false;
-        example = true;
         type = types.bool;
         description = "Automatically spawn a session if trying to attach and none are running.";
       };
 
       reverseSplit = mkOption {
         default = false;
-        example = true;
         type = types.bool;
         description = "Reverse the window split shortcuts.";
       };

nixos/modules/programs/venus.nix

@@ -45,7 +45,7 @@ in
         description = ''
           Specification (in the format described by
           <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
           which the Venus will collect feeds.
         '';
       };

nixos/modules/programs/vim.nix

@@ -9,7 +9,6 @@ in {
     defaultEditor = mkOption {
       type = types.bool;
       default = false;
-      example = true;
       description = ''
         When enabled, installs vim and configures vim to be the default editor
         using the EDITOR environment variable.

nixos/modules/programs/zsh/oh-my-zsh.nix

@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.zsh.ohMyZsh;
+in
+  {
+    options = {
+      programs.zsh.ohMyZsh = {
+        enable = mkOption {
+          default = false;
+          description = ''
+            Enable oh-my-zsh.
+          '';
+        };
+
+        plugins = mkOption {
+          default = [];
+          type = types.listOf(types.str);
+          description = ''
+            List of oh-my-zsh plugins
+          '';
+        };
+
+        custom = mkOption {
+          default = "";
+          type = types.str;
+          description = ''
+            Path to a custom oh-my-zsh package to override config of oh-my-zsh.
+          '';
+        };
+
+        theme = mkOption {
+          default = "";
+          type = types.str;
+          description = ''
+            Name of the theme to be used by oh-my-zsh.
+          '';
+        };
+      };
+    };
+
+    config = mkIf cfg.enable {
+      environment.systemPackages = with pkgs; [ oh-my-zsh ];
+
+      programs.zsh.interactiveShellInit = with pkgs; with builtins; ''
+        # oh-my-zsh configuration generated by NixOS
+        export ZSH=${oh-my-zsh}/share/oh-my-zsh
+
+        ${optionalString (length(cfg.plugins) > 0)
+          "plugins=(${concatStringsSep " " cfg.plugins})"
+        }
+
+        ${optionalString (stringLength(cfg.custom) > 0)
+          "ZSH_CUSTOM=\"${cfg.custom}\""
+        }
+
+        ${optionalString (stringLength(cfg.theme) > 0)
+          "ZSH_THEME=\"${cfg.theme}\""
+        }
+
+        source $ZSH/oh-my-zsh.sh
+      '';
+    };
+  }

nixos/modules/programs/zsh/zsh-syntax-highlighting.nix

@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.zsh.syntaxHighlighting;
+in
+  {
+    options = {
+      programs.zsh.syntaxHighlighting = {
+        enable = mkEnableOption "zsh-syntax-highlighting";
+
+        highlighters = mkOption {
+          default = [ "main" ];
+
+          # https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
+          type = types.listOf(types.enum([
+            "main"
+            "brackets"
+            "pattern"
+            "cursor"
+            "root"
+            "line"
+          ]));
+
+          description = ''
+            Specifies the highlighters to be used by zsh-syntax-highlighting.
+
+            The following defined options can be found here:
+            https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
+          '';
+        };
+
+        patterns = mkOption {
+          default = {};
+          type = types.attrsOf types.string;
+
+          example = literalExample ''
+            {
+              "rm -rf *" = "fg=white,bold,bg=red";
+            }
+          '';
+
+          description = ''
+            Specifies custom patterns to be highlighted by zsh-syntax-highlighting.
+
+            Please refer to the docs for more information about the usage:
+            https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/pattern.md
+          '';
+        };
+      };
+    };
+
+    config = mkIf cfg.enable {
+      environment.systemPackages = with pkgs; [ zsh-syntax-highlighting ];
+
+      programs.zsh.interactiveShellInit = with pkgs; with builtins; ''
+        source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+
+        ${optionalString (length(cfg.highlighters) > 0)
+          "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})"
+        }
+
+        ${let
+            n = attrNames cfg.patterns;
+          in
+            optionalString (length(n) > 0)
+              (assert(elem "pattern" cfg.highlighters); (foldl (
+                a: b:
+                  ''
+                    ${a}
+                    ZSH_HIGHLIGHT_PATTERNS+=('${b}' '${attrByPath [b] "" cfg.patterns}')
+                  ''
+              ) "") n)
+        }
+      '';
+    };
+  }

nixos/modules/programs/zsh/zsh.nix

@@ -84,14 +84,6 @@ in
         type = types.bool;
       };
 
-      enableSyntaxHighlighting = mkOption {
-        default = false;
-        description = ''
-          Enable zsh-syntax-highlighting
-        '';
-        type = types.bool;
-      };
-      
       enableAutosuggestions = mkOption {
         default = false;
         description = ''
@@ -130,10 +122,6 @@ in
 
         ${if cfg.enableCompletion then "autoload -U compinit && compinit" else ""}
 
-        ${optionalString (cfg.enableSyntaxHighlighting)
-          "source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
-        }
-
         ${optionalString (cfg.enableAutosuggestions)
           "source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh"
         }
@@ -143,7 +131,6 @@ in
 
         ${cfge.interactiveShellInit}
 
-
         HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help"
       '';
 
@@ -206,8 +193,7 @@ in
     environment.etc."zinputrc".source = ./zinputrc;
 
     environment.systemPackages = [ pkgs.zsh ]
-      ++ optional cfg.enableCompletion pkgs.nix-zsh-completions
-      ++ optional cfg.enableSyntaxHighlighting pkgs.zsh-syntax-highlighting;
+      ++ optional cfg.enableCompletion pkgs.nix-zsh-completions;
 
     environment.pathsToLink = optional cfg.enableCompletion "/share/zsh";
 

nixos/modules/rename.nix

@@ -103,9 +103,6 @@ with lib;
     (mkRenamedOptionModule [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
     (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
 
-    # DNSCrypt-proxy
-    (mkRenamedOptionModule [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ])
-
     (mkRenamedOptionModule [ "services" "hostapd" "extraCfg" ] [ "services" "hostapd" "extraConfig" ])
 
     # Enlightenment
@@ -195,5 +192,17 @@ with lib;
       "See the 16.09 release notes for more information.")
     (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
     (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
+    (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ]
+      "Set the option `services.xserver.displayManager.sddm.package' instead.")
+
+    # ZSH
+    (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
+    (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
+    (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ])
+    (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ])
+    (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ])
+    (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ])
+    (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ])
+    (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ])
   ];
 }

nixos/modules/security/acme.nix

@@ -13,12 +13,18 @@ let
         description = ''
           Where the webroot of the HTTP vhost is located.
           <filename>.well-known/acme-challenge/</filename> directory
-          will be created automatically if it doesn't exist.
+          will be created below the webroot if it doesn't exist.
           <literal>http://example.org/.well-known/acme-challenge/</literal> must also
           be available (notice unencrypted HTTP).
         '';
       };
 
+      domain = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Domain to fetch certificate for (defaults to the entry name)";
+      };
+
       email = mkOption {
         type = types.nullOr types.str;
         default = null;
@@ -40,7 +46,10 @@ let
       allowKeysForGroup = mkOption {
         type = types.bool;
         default = false;
-        description = "Give read permissions to the specified group to read SSL private certificates.";
+        description = ''
+          Give read permissions to the specified group
+          (<option>security.acme.group</option>) to read SSL private certificates.
+        '';
       };
 
       postRun = mkOption {
@@ -59,21 +68,24 @@ let
           "cert.der" "cert.pem" "chain.pem" "external.sh"
           "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
         ]);
-        default = [ "fullchain.pem" "key.pem" "account_key.json" ];
+        default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
         description = ''
           Plugins to enable. With default settings simp_le will
-          store public certificate bundle in <filename>fullchain.pem</filename>
-          and private key in <filename>key.pem</filename> in its state directory.
+          store public certificate bundle in <filename>fullchain.pem</filename>,
+          private key in <filename>key.pem</filename> and those two previous
+          files combined in <filename>full.pem</filename> in its state directory.
         '';
       };
 
       extraDomains = mkOption {
         type = types.attrsOf (types.nullOr types.str);
         default = {};
-        example = {
-          "example.org" = "/srv/http/nginx";
-          "mydomain.org" = null;
-        };
+        example = literalExample ''
+          {
+            "example.org" = "/srv/http/nginx";
+            "mydomain.org" = null;
+          }
+        '';
         description = ''
           Extra domain names for which certificates are to be issued, with their
           own server roots if needed.
@@ -110,7 +122,7 @@ in
         description = ''
           Systemd calendar expression when to check for renewal. See
           <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>.
+          <manvolnum>7</manvolnum></citerefentry>.
         '';
       };
 
@@ -133,17 +145,19 @@ in
         description = ''
           Attribute set of certificates to get signed and renewed.
         '';
-        example = {
-          "example.com" = {
-            webroot = "/var/www/challenges/";
-            email = "foo@example.com";
-            extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
-          };
-          "bar.example.com" = {
-            webroot = "/var/www/challenges/";
-            email = "bar@example.com";
-          };
-        };
+        example = literalExample ''
+          {
+            "example.com" = {
+              webroot = "/var/www/challenges/";
+              email = "foo@example.com";
+              extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
+            };
+            "bar.example.com" = {
+              webroot = "/var/www/challenges/";
+              email = "bar@example.com";
+            };
+          }
+        '';
       };
     };
   };
@@ -157,9 +171,10 @@ in
           servicesLists = mapAttrsToList certToServices cfg.certs;
           certToServices = cert: data:
               let
+                domain = if data.domain != null then data.domain else cert;
                 cpath = "${cfg.directory}/${cert}";
                 rights = if data.allowKeysForGroup then "750" else "700";
-                cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
+                cmdline = [ "-v" "-d" domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
                           ++ optionals (data.email != null) [ "--email" data.email ]
                           ++ concatMap (p: [ "-f" p ]) data.plugins
                           ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
@@ -178,7 +193,7 @@ in
                   path = [ pkgs.simp_le ];
                   preStart = ''
                     mkdir -p '${cfg.directory}'
-                    chown '${data.user}:${data.group}' '${cfg.directory}'
+                    chown -R '${data.user}:${data.group}' '${cfg.directory}'
                     if [ ! -d '${cpath}' ]; then
                       mkdir '${cpath}'
                     fi
@@ -228,6 +243,9 @@ in
                       mv $workdir/server.key ${cpath}/key.pem
                       mv $workdir/server.crt ${cpath}/fullchain.pem
 
+                      # Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates)
+                      cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem"
+
                       # Clean up working directory
                       rm $workdir/server.csr
                       rm $workdir/server.pass.key
@@ -237,6 +255,8 @@ in
                       chown '${data.user}:${data.group}' '${cpath}/key.pem'
                       chmod ${rights} '${cpath}/fullchain.pem'
                       chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
+                      chmod ${rights} '${cpath}/full.pem'
+                      chown '${data.user}:${data.group}' '${cpath}/full.pem'
                     '';
                   serviceConfig = {
                     Type = "oneshot";
@@ -265,15 +285,14 @@ in
                 )
               );
           servicesAttr = listToAttrs services;
-          nginxAttr = {
-            nginx = {
-              after = [ "acme-selfsigned-certificates.target" ];
-              wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
-            };
+          injectServiceDep = {
+            after = [ "acme-selfsigned-certificates.target" ];
+            wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
           };
         in
           servicesAttr //
-          (if config.services.nginx.enable then nginxAttr else {});
+          (if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) //
+          (if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {});
 
       systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
         ("acme-${cert}")

nixos/modules/security/dhparams.nix

@@ -19,6 +19,12 @@ in
             Note: The name of the DH params is taken as being the name of the
             service it serves: the params will be generated before the said
             service is started.
+
+            Warning: If you are removing all dhparams from this list, you have
+            to leave security.dhparams.enable for at least one activation in
+            order to have them be cleaned up. This also means if you rollback to
+            a version without any dhparams the existing ones won't be cleaned
+            up.
           '';
         type = with types; attrsOf int;
         default = {};
@@ -34,57 +40,68 @@ in
         type = types.str;
         default = "/var/lib/dhparams";
       };
+
+      enable = mkOption {
+        description =
+          ''
+            Whether to generate new DH params and clean up old DH params.
+          '';
+        default = false;
+        type = types.bool;
+      };
     };
   };
 
-  config.systemd.services = {
-    dhparams-init = {
-      description = "Cleanup old Diffie-Hellman parameters";
-      wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
-      serviceConfig.Type = "oneshot";
-      script =
-        # Create directory
-        ''
-          if [ ! -d ${cfg.path} ]; then
-            mkdir -p ${cfg.path}
-          fi
-        '' +
-        # Remove old dhparams
-        ''
-          for file in ${cfg.path}/*; do
-            if [ ! -f "$file" ]; then
-              continue
+  config = mkIf cfg.enable {
+    systemd.services = {
+      dhparams-init = {
+        description = "Cleanup old Diffie-Hellman parameters";
+        wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
+        serviceConfig.Type = "oneshot";
+        script =
+          # Create directory
+          ''
+            if [ ! -d ${cfg.path} ]; then
+              mkdir -p ${cfg.path}
             fi
-        '' + concatStrings (mapAttrsToList (name: value:
-        ''
-            if [ "$file" == "${cfg.path}/${name}.pem" ] && \
-                ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
-              continue
-            fi
-        ''
-        ) cfg.params) +
-        ''
-            rm $file
-          done
+          '' +
+          # Remove old dhparams
+          ''
+            for file in ${cfg.path}/*; do
+              if [ ! -f "$file" ]; then
+                continue
+              fi
+          '' + concatStrings (mapAttrsToList (name: value:
+          ''
+              if [ "$file" == "${cfg.path}/${name}.pem" ] && \
+                  ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
+                continue
+              fi
+          ''
+          ) cfg.params) +
+          ''
+              rm $file
+            done
 
-          # TODO: Ideally this would be removing the *former* cfg.path, though this
-          # does not seem really important
-          rmdir -p --ignore-fail-on-non-empty ${cfg.path}
-        '';
-    };
-  } //
-    mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
-      description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
-      after = [ "dhparams-init.service" ];
-      before = [ "${name}.service" ];
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig.Type = "oneshot";
-      script =
-        ''
-          mkdir -p ${cfg.path}
-          if [ ! -f ${cfg.path}/${name}.pem ]; then
-            ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
-          fi
-        '';
-    }) cfg.params;
+            # TODO: Ideally this would be removing the *former* cfg.path, though this
+            # does not seem really important as changes to it are quite unlikely
+            rmdir --ignore-fail-on-non-empty ${cfg.path}
+          '';
+      };
+    } //
+      mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
+        description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
+        after = [ "dhparams-init.service" ];
+        before = [ "${name}.service" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig.Type = "oneshot";
+        script =
+          ''
+            mkdir -p ${cfg.path}
+            if [ ! -f ${cfg.path}/${name}.pem ]; then
+              ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
+            fi
+          '';
+      }) cfg.params;
+  };
 }

nixos/modules/security/grsecurity.nix

@@ -13,7 +13,7 @@ in
 
 {
   meta = {
-    maintainers = with maintainers; [ joachifm ];
+    maintainers = with maintainers; [ ];
     doc = ./grsecurity.xml;
   };
 
@@ -21,7 +21,6 @@ in
 
     enable = mkOption {
       type = types.bool;
-      example = true;
       default = false;
       description = ''
         Enable grsecurity/PaX.
@@ -30,7 +29,6 @@ in
 
     lockTunables = mkOption {
       type = types.bool;
-      example = false;
       default = true;
       description = ''
         Whether to automatically lock grsecurity tunables
@@ -43,7 +41,6 @@ in
 
     disableEfiRuntimeServices = mkOption {
       type = types.bool;
-      example = false;
       default = true;
       description = ''
         Whether to disable access to EFI runtime services.  Enabling EFI runtime

nixos/modules/security/grsecurity.xml

@@ -26,9 +26,11 @@
     <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
     Linux wiki page on grsecurity</link>.
 
-    <note><para>grsecurity/PaX is only available for the latest linux -stable
-    kernel; patches against older kernels are available from upstream only for
-    a fee.</para></note>
+    <warning><para>Upstream has ceased free support for grsecurity/PaX.  See
+    <link xlink:href="https://grsecurity.net/passing_the_baton.php">
+    the announcement</link> for more information.  Consequently, NixOS
+    support for grsecurity/PaX also must cease.  Enabling this module will
+    result in a build error.</para></warning>
     <note><para>We standardise on a desktop oriented configuration primarily due
     to lack of resources.  The grsecurity/PaX configuration state space is huge
     and each configuration requires quite a bit of testing to ensure that the
@@ -214,8 +216,8 @@
             GRKERNSEC_CONFIG_SERVER y
             GRKERNSEC_CONFIG_SECURITY y
           '';
-          };
-      }
+        };
+      };
     </programlisting>
   </para>
 
@@ -312,7 +314,7 @@
       Overflows in boot critical code (e.g., the root filesystem module) can
       render the system unbootable.  Work around by setting
       <programlisting>
-        boot.kernel.kernelParams = [ "pax_size_overflow_report_only" ];
+        boot.kernelParams = [ "pax_size_overflow_report_only" ];
       </programlisting>
     </para></listitem>
 

nixos/modules/security/wrappers/default.nix

@@ -80,8 +80,8 @@ let
                     group = "root";
                   } // s)
           else if 
-             (s ? "setuid"  && s.setuid  == true) ||
-             (s ? "setguid" && s.setguid == true) ||
+             (s ? "setuid" && s.setuid) ||
+             (s ? "setgid" && s.setgid) ||
              (s ? "permissions")
           then mkSetuidProgram s
           else mkSetuidProgram
@@ -179,21 +179,31 @@ in
 
           # Remove the old /var/setuid-wrappers path from the system...
           #
-          # TODO: this is only necessary for ugprades 16.09 => 17.x;
+          # TODO: this is only necessary for upgrades 16.09 => 17.x;
           # this conditional removal block needs to be removed after
           # the release.
           if [ -d /var/setuid-wrappers ]; then
             rm -rf /var/setuid-wrappers
+            ln -s /run/wrappers/bin /var/setuid-wrappers
           fi
 
           # Remove the old /run/setuid-wrappers-dir path from the
           # system as well...
           #
-          # TODO: this is only necessary for ugprades 16.09 => 17.x;
+          # TODO: this is only necessary for upgrades 16.09 => 17.x;
           # this conditional removal block needs to be removed after
           # the release.
           if [ -d /run/setuid-wrapper-dirs ]; then
             rm -rf /run/setuid-wrapper-dirs
+            ln -s /run/wrappers/bin /run/setuid-wrapper-dirs
+          fi
+
+          # TODO: this is only necessary for upgrades 16.09 => 17.x;
+          # this conditional removal block needs to be removed after
+          # the release.
+          if readlink -f /run/booted-system | grep nixos-17 > /dev/null; then
+            rm -rf /run/setuid-wrapper-dirs
+            rm -rf /var/setuid-wrappers
           fi
 
           # We want to place the tmpdirs for the wrappers to the parent dir.

nixos/modules/services/backup/rsnapshot.nix

@@ -26,7 +26,6 @@ in
       enableManualRsnapshot = mkOption {
         description = "Whether to enable manual usage of the rsnapshot command with this module.";
         default = true;
-        example = false;
         type = types.bool;
       };
 

nixos/modules/services/backup/sitecopy-backup.nix

@@ -1,106 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  inherit (pkgs) sitecopy;
-
-  stateDir = "/var/spool/sitecopy";
-
-  sitecopyCron = backup : ''
-    ${if backup ? period then backup.period else config.services.sitecopy.period} root ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${backup.name}.conf --update ${backup.name} >> /var/log/sitecopy.log 2>&1
-  '';
-in
-
-{
-
-  options = {
-
-    services.sitecopy = {
-
-      enable = mkOption {
-        default = false;
-        description = ''
-          Whether to enable <command>sitecopy</command> backups of specified
-          directories.
-        '';
-      };
-
-      period = mkOption {
-        default = "15 04 * * *";
-        description = ''
-          This option defines (in the format used by <command>cron</command>)
-          when the <command>sitecopy</command> backups are to be run.
-          The default is to update at 04:15 (at night) every day.
-        '';
-      };
-
-      backups = mkOption {
-        example = [
-          { name = "test";
-            local = "/tmp/backup";
-            remote = "/staff-groups/ewi/st/strategoxt/backup/test";
-            server = "webdata.tudelft.nl";
-            protocol = "webdav";
-            https = true ;
-            symlinks = "maintain" ;
-          }
-        ];
-        default = [];
-        description = ''
-           List of attribute sets describing the backups.
-
-           Username/password are extracted from
-           <filename>${stateDir}/sitecopy.secrets</filename> at activation
-           time. The secrets file lines should have the following structure:
-           <screen>
-             server username password
-           </screen>
-        '';
-      };
-
-    };
-
-  };
-
-  config = mkIf config.services.sitecopy.enable {
-    environment.systemPackages = [ sitecopy ];
-
-    services.cron.systemCronJobs = map sitecopyCron config.services.sitecopy.backups;
-
-    system.activationScripts.sitecopyBackup = stringAfter [ "stdio" "users" ]
-      ''
-        mkdir -m 0700 -p ${stateDir}
-        chown root ${stateDir}
-        touch ${stateDir}/sitecopy.secrets
-        chown root ${stateDir}/sitecopy.secrets
-
-        ${lib.concatStrings (map ( b: ''
-            unset secrets
-            unset secret
-            secrets=`grep '^${b.server}' ${stateDir}/sitecopy.secrets | head -1`
-            secret=($secrets)
-            cat > ${stateDir}/${b.name}.conf << EOF
-              site ${b.name}
-              server ${b.server}
-              protocol ${b.protocol}
-              username ''${secret[1]}
-              password ''${secret[2]}
-              local ${b.local}
-              remote ${b.remote}
-              symlinks ${b.symlinks}
-              ${if b.https then "http secure" else ""}
-            EOF
-            chmod 0600 ${stateDir}/${b.name}.conf
-            if ! test -e ${stateDir}/${b.name} ; then
-              echo " * Initializing sitecopy '${b.name}'"
-              ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${b.name}.conf --initialize ${b.name}
-            else
-              echo " * Sitecopy '${b.name}' already initialized"
-            fi
-          '' ) config.services.sitecopy.backups
-        )}
-      '';
-  };
-
-}

nixos/modules/services/cluster/kubernetes.nix

@@ -40,7 +40,7 @@ let
   });
 
   policyFile = pkgs.writeText "kube-policy"
-    concatStringsSep "\n" (map (builtins.toJSON cfg.apiserver.authorizationPolicy));
+    (concatStringsSep "\n" (map builtins.toJSON cfg.apiserver.authorizationPolicy));
 
   cniConfig = pkgs.buildEnv {
     name = "kubernetes-cni-config";
@@ -76,6 +76,7 @@ in {
       description = "Kubernetes package to use.";
       type = types.package;
       default = pkgs.kubernetes;
+      defaultText = "pkgs.kubernetes";
     };
 
     verbose = mkOption {

nixos/modules/services/computing/boinc/client.nix

@@ -12,7 +12,6 @@ in
       enable = mkOption {
         type = types.bool;
         default = false;
-        example = true;
         description = ''
           Whether to enable the BOINC distributed computing client. If this
           option is set to true, the boinc_client daemon will be run as a
@@ -41,7 +40,6 @@ in
       allowRemoteGuiRpc = mkOption {
         type = types.bool;
         default = false;
-        example = true;
         description = ''
           If set to true, any remote host can connect to and control this BOINC
           client (subject to password authentication). If instead set to false,

nixos/modules/services/continuous-integration/buildbot/master.nix

@@ -66,7 +66,7 @@ in {
       };
 
       masterCfg = mkOption {
-        type = types.str;
+        type = types.nullOr types.str;
         description = ''
           Optionally pass raw master.cfg file as string.
           Other options in this configuration will be ignored.
@@ -183,16 +183,17 @@ in {
       package = mkOption {
         type = types.package;
         default = pkgs.buildbot-ui;
+        defaultText = "pkgs.buildbot-ui";
         description = ''
           Package to use for buildbot.
           <literal>buildbot-full</literal> is required in order to use local workers.
         '';
-        example = pkgs.buildbot-full;
+        example = literalExample "pkgs.buildbot-full";
       };
 
       packages = mkOption {
         default = [ ];
-        example = [ pkgs.git ];
+        example = literalExample "[ pkgs.git ]";
         type = types.listOf types.package;
         description = "Packages to add to PATH for the buildbot process.";
       };

nixos/modules/services/continuous-integration/buildbot/worker.nix

@@ -68,13 +68,14 @@ in {
       package = mkOption {
         type = types.package;
         default = pkgs.buildbot-worker;
+        defaultText = "pkgs.buildbot-worker";
         description = "Package to use for buildbot worker.";
-        example = pkgs.buildbot-worker;
+        example = literalExample "pkgs.buildbot-worker";
       };
 
       packages = mkOption {
         default = [ ];
-        example = [ pkgs.git ];
+        example = literalExample "[ pkgs.git ]";
         type = types.listOf types.package;
         description = "Packages to add to PATH for the buildbot process.";
       };

nixos/modules/services/continuous-integration/hydra/default.nix

@@ -233,6 +233,7 @@ in
           hydra_logo ${cfg.logo}
         ''}
         gc_roots_dir ${cfg.gcRootsDir}
+        use-substitutes = ${if cfg.useSubstitutes then "1" else "0"}
       '';
 
     environment.systemPackages = [ cfg.package ];
@@ -307,6 +308,7 @@ in
         requires = [ "hydra-init.service" ];
         after = [ "hydra-init.service" ];
         environment = serverEnv;
+        restartTriggers = [ hydraConf ];
         serviceConfig =
           { ExecStart =
               "@${cfg.package}/bin/hydra-server hydra-server -f -h '${cfg.listenHost}' "
@@ -323,6 +325,7 @@ in
         requires = [ "hydra-init.service" ];
         after = [ "hydra-init.service" "network.target" ];
         path = [ cfg.package pkgs.nettools pkgs.openssh pkgs.bzip2 config.nix.package ];
+        restartTriggers = [ hydraConf ];
         environment = env // {
           PGPASSFILE = "${baseDir}/pgpass-queue-runner"; # grrr
           IN_SYSTEMD = "1"; # to get log severity levels
@@ -343,7 +346,8 @@ in
       { wantedBy = [ "multi-user.target" ];
         requires = [ "hydra-init.service" ];
         after = [ "hydra-init.service" "network.target" ];
-        path = [ cfg.package pkgs.nettools ];
+        path = with pkgs; [ cfg.package nettools jq ];
+        restartTriggers = [ hydraConf ];
         environment = env;
         serviceConfig =
           { ExecStart = "@${cfg.package}/bin/hydra-evaluator hydra-evaluator";

nixos/modules/services/databases/cassandra.nix

@@ -310,7 +310,6 @@ in {
     autoBootstrap = mkOption {
       description = "It makes new (non-seed) nodes automatically migrate the right data to themselves.";
       default = true;
-      example = true;
       type = types.bool;
     };
     streamingSocketTimoutInMS = mkOption {

nixos/modules/services/databases/neo4j.nix

@@ -27,9 +27,7 @@ let
     ''}
     dbms.shell.enabled=true
     ${cfg.extraServerConfig}
-  '';
 
-  wrapperConfig = pkgs.writeText "neo4j-wrapper.conf" ''
     # Default JVM parameters from neo4j.conf
     dbms.jvm.additional=-XX:+UseG1GC
     dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
@@ -130,16 +128,16 @@ in {
         ExecStart = "${cfg.package}/bin/neo4j console";
         User = "neo4j";
         PermissionsStartOnly = true;
+        LimitNOFILE = 40000;
       };
       preStart = ''
         mkdir -m 0700 -p ${cfg.dataDir}/{data/graph.db,conf,logs}
         ln -fs ${serverConfig} ${cfg.dataDir}/conf/neo4j.conf
-        ln -fs ${wrapperConfig} ${cfg.dataDir}/conf/neo4j-wrapper.conf
         if [ "$(id -u)" = 0 ]; then chown -R neo4j ${cfg.dataDir}; fi
       '';
     };
 
-    environment.systemPackages = [ pkgs.neo4j ];
+    environment.systemPackages = [ cfg.package ];
 
     users.extraUsers = singleton {
       name = "neo4j";

nixos/modules/services/databases/openldap.nix

@@ -25,7 +25,6 @@ in
         description = "
           Whether to enable the ldap server.
         ";
-        example = true;
       };
 
       user = mkOption {
@@ -68,10 +67,10 @@ in
         ";
         example = literalExample ''
             '''
-            include ${pkgs.openldap.out}/etc/openldap/schema/core.schema
-            include ${pkgs.openldap.out}/etc/openldap/schema/cosine.schema
-            include ${pkgs.openldap.out}/etc/openldap/schema/inetorgperson.schema
-            include ${pkgs.openldap.out}/etc/openldap/schema/nis.schema
+            include ${pkgs.openldap.out}/etc/schema/core.schema
+            include ${pkgs.openldap.out}/etc/schema/cosine.schema
+            include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema
+            include ${pkgs.openldap.out}/etc/schema/nis.schema
 
             database bdb 
             suffix dc=example,dc=org 

nixos/modules/services/editors/emacs.nix

@@ -21,7 +21,6 @@ in {
     enable = mkOption {
       type = types.bool;
       default = false;
-      example = true;
       description = ''
         Whether to enable a user service for the Emacs daemon. Use <literal>emacsclient</literal> to connect to the
         daemon. If <literal>true</literal>, <varname>services.emacs.install</varname> is
@@ -32,7 +31,6 @@ in {
     install = mkOption {
       type = types.bool;
       default = false;
-      example = true;
       description = ''
         Whether to install a user service for the Emacs daemon. Once
         the service is started, use emacsclient to connect to the
@@ -57,7 +55,6 @@ in {
     defaultEditor = mkOption {
       type = types.bool;
       default = false;
-      example = true;
       description = ''
         When enabled, configures emacsclient to be the default editor
         using the EDITOR environment variable.

nixos/modules/services/games/factorio.nix

@@ -39,7 +39,7 @@ let
     admins = [];
   };
   serverSettingsFile = pkgs.writeText "server-settings.json" (builtins.toJSON (filterAttrsRecursive (n: v: v != null) serverSettings));
-  modDir = pkgs.factorio-mkModDirDrv cfg.mods;
+  modDir = pkgs.factorio-utils.mkModDirDrv cfg.mods;
 in
 {
   options = {

nixos/modules/services/hardware/tlp.nix

@@ -57,7 +57,12 @@ in
     powerManagement.scsiLinkPolicy = null;
     powerManagement.cpuFreqGovernor = null;
 
+    systemd.sockets."systemd-rfkill".enable = false;
+
     systemd.services = {
+      "systemd-rfkill@".enable = false;
+      "systemd-rfkill".enable = false;
+
       tlp = {
         description = "TLP system startup/shutdown";
 

nixos/modules/services/hardware/udev.nix

@@ -35,6 +35,7 @@ let
   udevRules = pkgs.runCommand "udev-rules"
     { preferLocalBuild = true;
       allowSubstitutes = false;
+      packages = unique (map toString cfg.packages);
     }
     ''
       mkdir -p $out
@@ -45,7 +46,7 @@ let
       echo 'ENV{PATH}="${udevPath}/bin:${udevPath}/sbin"' > $out/00-path.rules
 
       # Add the udev rules from other packages.
-      for i in ${toString cfg.packages}; do
+      for i in $packages; do
         echo "Adding rules for package $i"
         for j in $i/{etc,lib}/udev/rules.d/*; do
           echo "Copying $j to $out/$(basename $j)"
@@ -132,10 +133,11 @@ let
   hwdbBin = pkgs.runCommand "hwdb.bin"
     { preferLocalBuild = true;
       allowSubstitutes = false;
+      packages = unique (map toString ([udev] ++ cfg.packages));
     }
     ''
       mkdir -p etc/udev/hwdb.d
-      for i in ${toString ([udev] ++ cfg.packages)}; do
+      for i in $packages; do
         echo "Adding hwdb files for package $i"
         for j in $i/{etc,lib}/udev/hwdb.d/*; do
           ln -s $j etc/udev/hwdb.d/$(basename $j)