kibana: fix 4.6.0 for i686

(cherry picked from commit c3e57f3095)

.travis.yml

@@ -15,8 +15,6 @@ matrix:
         - os: osx
           osx_image: xcode7.3
           script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
-git:
-    depth: 1
 env:
     global:
         - GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f

README.md

@@ -15,12 +15,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-16.03` for the latest
+custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 
 ```
 % git remote update channels
-% git rebase channels/nixos-16.03
+% git rebase channels/nixos-16.09
 ```
 
 For pull-requests, please rebase onto nixpkgs `master`.
@@ -34,9 +34,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 16.03 release](https://hydra.nixos.org/jobset/nixos/release-16.03)
+* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 16.03 release](https://hydra.nixos.org/job/nixos/release-16.03/tested#tabs-constituents)
+* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
 
 Communication:
 

doc/languages-frameworks/go.xml

@@ -24,7 +24,7 @@ deis = buildGoPackage rec {
     sha256 = "1qv9lxqx7m18029lj8cw3k7jngvxs4iciwrypdy0gd2nnghc68sw";
   };
 
-  goDeps = ./deps.json; <co xml:id='ex-buildGoPackage-3' />
+  goDeps = ./deps.nix; <co xml:id='ex-buildGoPackage-3' />
 
   buildFlags = "--tags release"; <co xml:id='ex-buildGoPackage-4' />
 }
@@ -56,7 +56,9 @@ the following arguments are of special significance to the function:
   <callout arearefs='ex-buildGoPackage-3'>
     <para>
       <varname>goDeps</varname> is where the Go dependencies of a Go program are listed
-      in a JSON format described below.
+      as a list of package source identified by Go import path.
+      It could be imported as a separate <varname>deps.nix</varname> file for
+      readability. The dependency data structure is described below.
     </para>
   </callout>
 
@@ -70,23 +72,32 @@ the following arguments are of special significance to the function:
 
 </para>
 
-<para>The <varname>goDeps</varname> attribute should point to a JSON file that defines which Go libraries
-  are needed and should be included in <varname>GOPATH</varname> for <varname>buildPhase</varname>.
-
+<para>The <varname>goDeps</varname> attribute can be imported from a separate
+  <varname>nix</varname> file that defines which Go libraries are needed and should
+  be included in <varname>GOPATH</varname> for <varname>buildPhase</varname>.
 </para>
 
-<example xml:id='ex-goDeps'><title>deps.json</title>
+<example xml:id='ex-goDeps'><title>deps.nix</title>
 <programlisting>
 [ <co xml:id='ex-goDeps-1' />
-    {
-        "goPackagePath": "gopkg.in/yaml.v2", <co xml:id='ex-goDeps-2' />
-        "fetch": {
-          "type": "git", <co xml:id='ex-goDeps-3' />
-          "url": "https://gopkg.in/yaml.v2",
-          "rev": "a83829b6f1293c91addabc89d0571c246397bbf4",
-          "sha256": "1m4dsmk90sbi17571h6pld44zxz7jc4lrnl4f27dpd1l8g5xvjhh"
-        }
-    }
+  {
+    goPackagePath = "gopkg.in/yaml.v2"; <co xml:id='ex-goDeps-2' />
+    fetch = {
+      type = "git"; <co xml:id='ex-goDeps-3' />
+      url = "https://gopkg.in/yaml.v2";
+      rev = "a83829b6f1293c91addabc89d0571c246397bbf4";
+      sha256 = "1m4dsmk90sbi17571h6pld44zxz7jc4lrnl4f27dpd1l8g5xvjhh";
+    };
+  }
+  {
+    goPackagePath = "github.com/docopt/docopt-go";
+    fetch = {
+      type = "git";
+      url = "https://github.com/docopt/docopt-go";
+      rev = "784ddc588536785e7299f7272f39101f7faccc3f";
+      sha256 = "0wwz48jl9fvl1iknvn9dqr4gfy1qs03gxaikrxxp9gry6773v3sj";
+    };
+  }
 ]
 </programlisting>
 </example>

doc/languages-frameworks/python.md

@@ -481,7 +481,7 @@ and the aliases
 #### `buildPythonPackage` function
 
 The `buildPythonPackage` function is implemented in
-`pkgs/development/python-modules/generic/default.nix`
+`pkgs/development/interpreters/python/build-python-package.nix`
 
 and can be used as:
 
@@ -536,6 +536,7 @@ All parameters from `mkDerivation` function are still supported.
 * `installFlags`: A list of strings. Arguments to be passed to `pip install`. To pass options to `python setup.py install`, use `--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"].
 * `format`: Format of the source. Options are `setup` for when the source has a `setup.py` and `setuptools` is used to build a wheel, and `wheel` in case the source is already a binary wheel. The default value is `setup`.
 * `catchConflicts` If `true`, abort package build if a package name appears more than once in dependency tree. Default is `true`.
+* `checkInputs` Dependencies needed for running the `checkPhase`. These are added to `buildInputs` when `doCheck = true`.
 
 #### `buildPythonApplication` function
 

doc/multiple-output.xml

@@ -29,15 +29,15 @@
 
 <section><title>Using a split package</title>
   <para>In the Nix language the individual outputs can be reached explicitly as attributes, e.g. <varname>coreutils.info</varname>, but the typical case is just using packages as build inputs.</para>
-  <para>When a multiple-output derivation gets into a build input of another derivation, the first output is added (<varname>.dev</varname> by convention) and also <varname>propagatedBuildOutputs</varname> of that package which by default contain <varname>$outputBin</varname> and <varname>$outputLib</varname>. (See <xref linkend="multiple-output-file-type-groups" />.)</para>
+  <para>When a multiple-output derivation gets into a build input of another derivation, the <varname>dev</varname> output is added if it exists, otherwise the first output is added. In addition to that, <varname>propagatedBuildOutputs</varname> of that package which by default contain <varname>$outputBin</varname> and <varname>$outputLib</varname> are also added. (See <xref linkend="multiple-output-file-type-groups" />.)</para>
 </section>
 
 
 <section><title>Writing a split derivation</title>
   <para>Here you find how to write a derivation that produces multiple outputs.</para>
   <para>In nixpkgs there is a framework supporting multiple-output derivations. It tries to cover most cases by default behavior.  You can find the source separated in &lt;<filename>nixpkgs/pkgs/build-support/setup-hooks/multiple-outputs.sh</filename>&gt;; it's relatively well-readable.  The whole machinery is triggered by defining the <varname>outputs</varname> attribute to contain the list of desired output names (strings).</para>
-  <programlisting>outputs = [ "dev" "out" "bin" "doc" ];</programlisting>
-  <para>Often such a single line is enough.  For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output.  By convention, the first output should usually be <varname>dev</varname>; typically you also want to have the main <varname>out</varname> output, as it catches any files that didn't get elsewhere.</para>
+  <programlisting>outputs = [ "bin" "dev" "out" "doc" ];</programlisting>
+  <para>Often such a single line is enough.  For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output.  By convention, the first output should contain the executable programs provided by the package as that output is used by Nix in string conversions, allowing references to binaries like <literal>${pkgs.perl}/bin/perl</literal> to always work. Typically you also want to have the main <varname>out</varname> output, as it catches any files that didn't get elsewhere.</para>
 
   <note><para>There is a special handling of the <varname>debug</varname> output, described at <xref linkend="stdenv-separateDebugInfo" />.</para></note>
 
@@ -63,7 +63,7 @@
         </para></listitem></varlistentry>
       <varlistentry><term><varname>
         $outputDocdev</varname></term><listitem><para>
-        is for <emphasis>developer</emphasis> documentation.  Currently we count gtk-doc and man3 pages in there.  It goes to <varname>docdev</varname> or is removed (!) by default.  This is because e.g. gtk-doc tends to be rather large and completely unused by nixpkgs users.
+        is for <emphasis>developer</emphasis> documentation.  Currently we count gtk-doc and man3 pages in there.  It goes to <varname>devdoc</varname> or is removed (!) by default.  This is because e.g. gtk-doc tends to be rather large and completely unused by nixpkgs users.
         </para></listitem></varlistentry>
       <varlistentry><term><varname>
         $outputMan</varname></term><listitem><para>

lib/attrsets.nix

@@ -296,12 +296,17 @@ rec {
 
   /* Converts a store path to a fake derivation. */
   toDerivation = path:
-    let path' = builtins.storePath path; in
-    { type = "derivation";
-      name = builtins.unsafeDiscardStringContext (builtins.substring 33 (-1) (baseNameOf path'));
-      outPath = path';
-      outputs = [ "out" ];
-    };
+    let
+      path' = builtins.storePath path;
+      res =
+        { type = "derivation";
+          name = builtins.unsafeDiscardStringContext (builtins.substring 33 (-1) (baseNameOf path'));
+          outPath = path';
+          outputs = [ "out" ];
+          out = res;
+          outputName = "out";
+        };
+    in res;
 
 
   /* If `cond' is true, return the attribute set `as',
@@ -454,6 +459,8 @@ rec {
   getLib = getOutput "lib";
   getDev = getOutput "dev";
 
+  /* Pick the outputs of packages to place in buildInputs */
+  chooseDevOutputs = drvs: builtins.map getDev drvs;
 
   /*** deprecated stuff ***/
 

lib/maintainers.nix

@@ -97,6 +97,7 @@
   cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
   DamienCassou = "Damien Cassou <damien@cassou.me>";
   dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
+  danbst = "Danylo Hlynskyi <abcz2.uprola@gmail.com>";
   davidak = "David Kleuker <post@davidak.de>";
   davidrusu = "David Rusu <davidrusu.me@gmail.com>";
   dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";

nixos/doc/manual/release-notes/rl-1609.xml

@@ -4,7 +4,7 @@
          version="5.0"
          xml:id="sec-release-16.09">
 
-<title>Release 16.09 (“Flounder”, 2016/09/??)</title>
+<title>Release 16.09 (“Flounder”, 2016/09/30)</title>
 
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
@@ -12,28 +12,137 @@ has the following highlights: </para>
 <itemizedlist>
 
   <listitem>
-    <para>PXE "netboot" media has landed in <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14740" />.
-    See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
+    <para>Many NixOS configurations and Nix packages now use
+    significantly less disk space, thanks to the <link
+    xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
+    work on closure size reduction</link>. For example, the closure
+    size of a minimal NixOS container went down from ~424 MiB in 16.03
+    to ~212 MiB in 16.09, while the closure size of Firefox went from
+    ~651 MiB to ~259 MiB.</para>
   </listitem>
 
   <listitem>
-    <para>Xorg-server-1.18.*. If you choose <literal>"ati_unfree"</literal> driver,
-    1.17.* is still used due to ABI incompatibility.</para>
+    <para>To improve security, packages are now <link
+    xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
+    using various hardening features</link>. See the Nixpkgs manual
+    for more information.</para>
   </listitem>
+
+  <listitem>
+    <para>Support for PXE netboot.  See <xref
+    linkend="sec-booting-from-pxe" /> for documentation.</para>
+  </listitem>
+
+  <listitem>
+    <para>X.org server 1.18. If you use the
+    <literal>ati_unfree</literal> driver, 1.17 is still used due to an
+    ABI incompatibility.</para>
+  </listitem>
+
+  <listitem>
+    <para>This release is based on Glibc 2.24, GCC 5.4.0 and systemd
+    231. The default Linux kernel remains 4.4.</para>
+  </listitem>
+
 </itemizedlist>
 
 <para>The following new services were added since the last release:</para>
 
-  <itemizedlist>
-    <listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
-  </itemizedlist>
-
+<itemizedlist>
+  <listitem><para><literal>hardware/video/amdgpu.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/video/displaylink.nix</literal></para></listitem>
+  <listitem><para><literal>programs/info.nix</literal></para></listitem>
+  <listitem><para><literal>programs/mosh.nix</literal></para></listitem>
+  <listitem><para><literal>programs/spacefm.nix</literal></para></listitem>
+  <listitem><para><literal>programs/tmux.nix</literal></para></listitem>
+  <listitem><para><literal>programs/xonsh.nix</literal></para></listitem>
+  <listitem><para><literal>security/chromium-suid-sandbox.nix</literal></para></listitem>
+  <listitem><para><literal>security/hidepid.nix</literal></para></listitem>
+  <listitem><para><literal>services/audio/squeezelite.nix</literal></para></listitem>
+  <listitem><para><literal>services/backup/znapzend.nix</literal></para></listitem>
+  <listitem><para><literal>services/continuous-integration/buildkite-agent.nix</literal></para></listitem>
+  <listitem><para><literal>services/continuous-integration/hydra/default.nix</literal></para></listitem>
+  <listitem><para><literal>services/continuous-integration/gocd-agent/default.nix</literal></para></listitem>
+  <listitem><para><literal>services/continuous-integration/gocd-server/default.nix</literal></para></listitem>
+  <listitem><para><literal>services/development/hoogle.nix</literal></para></listitem>
+  <listitem><para><literal>services/editors/emacs.nix</literal></para></listitem>
+  <listitem><para><literal>services/games/factorio.nix</literal></para></listitem>
+  <listitem><para><literal>services/games/terraria.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/awstats.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/graylog.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/emby.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/mantisbt.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/nzbget.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/packagekit.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/sonarr.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/spice-vdagentd.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/taskserver</literal></para></listitem>
+  <listitem><para><literal>services/network-filesystems/tahoe.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/coturn.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/ferm.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/gdomap.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/libreswan.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/logmein-hamachi.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/mfi.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/mjpg-streamer.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/mosquitto.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/nntp-proxy.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/offlineimap.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/pptpd.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/sniproxy.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/smokeping.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/toxvpn.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/xl2tpd.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/zerobin.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/oauth2_proxy.nix</literal></para></listitem>
+  <listitem><para><literal>services/torrent/flexget.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/mattermost.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/tt-rss.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-servers/caddy.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-servers/lighttpd/inginious.nix</literal></para></listitem>
+  <listitem><para><literal>services/x11/compton.nix</literal></para></listitem>
+  <listitem><para><literal>services/x11/xbanish.nix</literal></para></listitem>
+  <listitem><para><literal>system/boot/loader/systemd-boot/systemd-boot.nix</literal></para></listitem>
+  <listitem><para><literal>system/boot/plymouth.nix</literal></para></listitem>
+  <listitem><para><literal>virtualisation/xe-guest-utilities.nix</literal></para></listitem>
+</itemizedlist>
 
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
 
 <itemizedlist>
 
+  <listitem>
+    <para>A large number of packages have been converted to use the multiple outputs feature
+      of Nix to greatly reduce the amount of required disk space, as
+      mentioned above. This may require changes
+      to any custom packages to make them build again; see the relevant chapter in the
+      Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions
+      related to multiple-output packages
+      <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link>
+      late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>Previous versions of Nixpkgs had support for all versions of the LTS
+    Haskell package set. That support has been dropped. The previously provided
+    <literal>haskell.packages.lts-x_y</literal> package sets still exist in
+    name to aviod breaking user code, but these package sets don't actually
+    contain the versions mandated by the corresponding LTS release. Instead,
+    our package set it loosely based on the latest available LTS release, i.e.
+    LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
+    drop those old names entirely. <link
+    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020585.html">The
+    motivation for this change</link> has been discussed at length on the
+    <literal>nix-dev</literal> mailing list and in <link
+    xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github issue
+    #14897</link>. Development strategies for Haskell hackers who want to rely
+    on Nix and NixOS have been described in <link
+    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020642.html">another
+    nix-dev article</link>.</para>
+  </listitem>
+
   <listitem>
     <para>Shell aliases for systemd sub-commands
     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
@@ -47,8 +156,27 @@ following incompatible changes:</para>
   </listitem>
 
   <listitem>
-    <para>Gitlab's maintainence script gitlab-runner was removed and split up into the more clearer
-      gitlab-run and gitlab-rake scripts because gitlab-runner is a component of Gitlab CI.</para>
+    <para>
+      <literal>/var/empty</literal> is now immutable. Activation script runs <command>chattr +i</command>
+      to forbid any modifications inside the folder. See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">
+      the pull request</link> for what bugs this caused.
+    </para>
+  </listitem>
+
+  <listitem>
+  <para>
+     Using packages compiled with older Wayland may yield an error "undefined reference to `wl_proxy_*`".
+     Please upgrade those packages and <link xlink:href="https://github.com/NixOS/nixpkgs/issues/16779">see bug report for more details.</link>
+  </para>
+  </listitem>
+
+  <listitem>
+    <para>Gitlab's maintainance script
+    <command>gitlab-runner</command> was removed and split up into the
+    more clearer <command>gitlab-run</command> and
+    <command>gitlab-rake</command> scripts, because
+    <command>gitlab-runner</command> is a component of Gitlab
+    CI.</para>
   </listitem>
 
   <listitem>
@@ -61,11 +189,44 @@ following incompatible changes:</para>
   <listitem>
     <para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
     because our presets were obsolete for some time. New presets are hardcoded
-    into freetype; one selects a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
+    into FreeType; you can select a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
     You can customize those presets via ordinary environment variables, using
     <literal>environment.variables</literal>.</para>
   </listitem>
 
+  <listitem>
+    <para>The <literal>audit</literal> service is no longer enabled by default.
+    Use <literal>security.audit.enable = true</literal> to explicitly enable it.</para>
+  </listitem>
+
+  <listitem>
+    <para>
+      <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the
+      kernel modules instead of the VirtualBox user space binaries.
+      If you want to reference the user space binaries, you have to use the new
+      <literal>pkgs.virtualbox</literal> instead.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para><literal>goPackages</literal> was replaced with separated Go
+    applications in appropriate <literal>nixpkgs</literal>
+    categories. Each Go package uses its own dependency set. There's
+    also a new <literal>go2nix</literal> tool introduced to generate a
+    Go package definition from its Go source automatically.</para>
+  </listitem>
+
+  <listitem>
+    <para><literal>services.mongodb.extraConfig</literal> configuration format
+    was changed to YAML.</para>
+  </listitem>
+
+  <listitem>
+    <para>
+      PHP has been upgraded to 7.0
+    </para>
+  </listitem>
+
 </itemizedlist>
 
 
@@ -81,6 +242,60 @@ following incompatible changes:</para>
   functionality.  See <xref linkend="sec-grsecurity" /> for documentation
   </para></listitem>
 
+  <listitem><para>Special filesystems, like <literal>/proc</literal>,
+  <literal>/run</literal> and others, now have the same mount options
+  as recommended by systemd and are unified across different places in
+  NixOS.  Mount options are updated during <command>nixos-rebuild
+  switch</command> if possible. One benefit from this is improved
+  security — most such filesystems are now mounted with
+  <literal>noexec</literal>, <literal>nodev</literal> and/or
+  <literal>nosuid</literal> options.</para></listitem>
+
+  <listitem><para>The reverse path filter was interfering with DHCPv4 server
+  operation in the past. An exception for DHCPv4 and a new option to log
+  packets that were dropped due to the reverse path filter was added
+  (<literal>networking.firewall.logReversePathDrops</literal>) for easier
+  debugging.</para></listitem>
+
+  <listitem><para>Containers configuration within
+  <literal>containers.&lt;name&gt;.config</literal> is <link
+  xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
+  properly typed and checked</link>. In particular, partial
+  configurations are merged correctly.</para></listitem>
+
+  <listitem>
+    <para>The directory container setuid wrapper programs,
+    <filename>/var/setuid-wrappers</filename>, <link
+    xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
+    updated atomically to prevent failures if the switch to a new
+    configuration is interrupted.</link></para>
+  </listitem>
+
+  <listitem>
+    <para><literal>services.xserver.startGnuPGAgent</literal>
+      has been removed due to GnuPG 2.1.x bump. See <link
+        xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
+        how to achieve similar behavior</link>. You might need to
+      <literal>pkill gpg-agent</literal> after the upgrade
+      to prevent a stale agent being in the way.
+    </para>
+  </listitem>
+
+  <listitem><para>
+    <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
+    Declarative users could share the uid due to the bug in
+    the script handling conflict resolution.
+    </link>
+  </para></listitem>
+
+  <listitem><para>
+    Gummi boot has been replaced using systemd-boot.
+  </para></listitem>
+
+  <listitem><para>
+    Hydra package and NixOS module were added for convenience.
+  </para></listitem>
+
 </itemizedlist>
 
 

nixos/lib/test-driver/Machine.pm

@@ -566,14 +566,25 @@ sub getWindowNames {
 }
 
 
+sub hasWindow {
+    my ($self, $regexp) = @_;
+    my @names = $self->getWindowNames;
+    foreach my $n (@names) {
+        if ($n =~ /$regexp/) {
+            $self->log("match '$n' on '$regexp'");
+            return 1;
+        } else {
+            $self->log("no match '$n' on '$regexp'");
+        }
+    }
+}
+
+
 sub waitForWindow {
     my ($self, $regexp) = @_;
     $self->nest("waiting for a window to appear", sub {
         retry sub {
-            my @names = $self->getWindowNames;
-            foreach my $n (@names) {
-                return 1 if $n =~ /$regexp/;
-            }
+            return $self->hasWindow($regexp)
         }
     });
 }

nixos/lib/testing.nix

@@ -157,9 +157,7 @@ rec {
         ${coreutils}/bin/mkdir -p $TMPDIR
         cd $TMPDIR
 
-        $origBuilder $origArgs
-
-        exit $?
+        exec $origBuilder $origArgs
       '';
 
       testScript = ''
@@ -172,9 +170,22 @@ rec {
       '';
 
       vmRunCommand = writeText "vm-run" ''
+        xchg=vm-state-client/xchg
         ${coreutils}/bin/mkdir $out
-        ${coreutils}/bin/mkdir -p vm-state-client/xchg
-        export > vm-state-client/xchg/saved-env
+        ${coreutils}/bin/mkdir -p $xchg
+
+        for i in $passAsFile; do
+          i2=''${i}Path
+          _basename=$(${coreutils}/bin/basename ''${!i2})
+          ${coreutils}/bin/cp ''${!i2} $xchg/$_basename
+          eval $i2=/tmp/xchg/$_basename
+          ${coreutils}/bin/ls -la $xchg
+        done
+
+        unset i i2 _basename
+        export | ${gnugrep}/bin/grep -v '^xchg=' > $xchg/saved-env
+        unset xchg
+
         export tests='${testScript}'
         ${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm
       ''; # */

nixos/modules/config/fonts/fonts.nix

@@ -11,18 +11,28 @@ with lib;
       # TODO: find another name for it.
       fonts = mkOption {
         type = types.listOf types.path;
+        default = [];
         example = literalExample "[ pkgs.dejavu_fonts ]";
         description = "List of primary font paths.";
       };
 
+      enableDefaultFonts = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable a basic set of fonts providing several font styles
+          and families and reasonable coverage of Unicode.
+        '';
+      };
+
     };
 
   };
 
   config = {
 
-    fonts.fonts =
-      [ pkgs.xorg.fontbhttf
+    fonts.fonts = mkIf config.fonts.enableDefaultFonts
+      [
         pkgs.xorg.fontbhlucidatypewriter100dpi
         pkgs.xorg.fontbhlucidatypewriter75dpi
         pkgs.dejavu_fonts

nixos/modules/config/swap.nix

@@ -54,6 +54,10 @@ let
           WARNING: Don't try to hibernate when you have at least one swap partition with
           this option enabled! We have no way to set the partition into which hibernation image
           is saved, so if your image ends up on an encrypted one you would lose it!
+
+          WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
+          when using randomEncryption as the UUIDs and labels will get erased on every boot when
+          the partition is encrypted. Best to use /dev/disk/by-partuuid/…
         '';
       };
 
@@ -72,7 +76,7 @@ let
     config = rec {
       device = mkIf options.label.isDefined
         "/dev/disk/by-label/${config.label}";
-      deviceName = escapeSystemdPath config.device;
+      deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);
       realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device;
     };
 
@@ -121,6 +125,8 @@ in
 
         createSwapDevice = sw:
           assert sw.device != "";
+          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid"  sw.device);
+          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device);
           let realDevice' = escapeSystemdPath sw.realDevice;
           in nameValuePair "mkswap-${sw.deviceName}"
           { description = "Initialisation of swap device ${sw.device}";

nixos/modules/config/system-path.nix

@@ -34,10 +34,10 @@ let
       config.programs.ssh.package
       pkgs.perl
       pkgs.procps
+      pkgs.rsync # used by nixos-install anyway
       pkgs.strace
       pkgs.su
       pkgs.time
-      pkgs.texinfoInteractive
       pkgs.utillinux
       pkgs.which # 88K size
     ];
@@ -76,7 +76,7 @@ in
       extraOutputsToInstall = mkOption {
         type = types.listOf types.str;
         default = [ ];
-        example = [ "doc" "info" "docdev" ];
+        example = [ "doc" "info" "devdoc" ];
         description = "List of additional package outputs to be symlinked into <filename>/run/current-system/sw</filename>.";
       };
 
@@ -104,7 +104,6 @@ in
         "/etc/xdg"
         "/etc/gtk-2.0"
         "/etc/gtk-3.0"
-        "/info"
         "/lib" # FIXME: remove and update debug-info.nix
         "/sbin"
         "/share/applications"
@@ -112,7 +111,6 @@ in
         "/share/doc"
         "/share/emacs"
         "/share/icons"
-        "/share/info"
         "/share/menus"
         "/share/mime"
         "/share/nano"

nixos/modules/hardware/opengl.nix

@@ -14,7 +14,7 @@ let
     name = "mesa-drivers+txc-${p.mesa_drivers.version}";
     paths =
       [ p.mesa_drivers
-        p.mesa_noglu # mainly for libGL
+        p.mesa_drivers.out # mainly for libGL
         (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
       ];
   };

nixos/modules/hardware/video/displaylink.nix

@@ -0,0 +1,61 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+
+  enabled = elem "displaylink" config.services.xserver.videoDrivers;
+
+  displaylink = config.boot.kernelPackages.displaylink;
+
+in
+
+{
+
+  config = mkIf enabled {
+
+    boot.extraModulePackages = [ displaylink ];
+
+    boot.kernelModules = [ "evdi" ];
+
+    # Those are taken from displaylink-installer.sh and from Arch Linux AUR package.
+
+    services.udev.extraRules = ''
+      ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="17e9", ATTR{bNumInterfaces}=="*5", TAG+="uaccess"
+    '';
+
+    powerManagement.powerDownCommands = ''
+      #flush any bytes in pipe
+      while read -n 1 -t 1 SUSPEND_RESULT < /tmp/PmMessagesPort_out; do : ; done;
+
+      #suspend DisplayLinkManager
+      echo "S" > /tmp/PmMessagesPort_in
+
+      #wait until suspend of DisplayLinkManager finish
+      read -n 1 -t 10 SUSPEND_RESULT < /tmp/PmMessagesPort_out
+    '';
+
+    powerManagement.resumeCommands = ''
+      #resume DisplayLinkManager
+      echo "R" > /tmp/PmMessagesPort_in
+    '';
+
+    systemd.services.displaylink = {
+      description = "DisplayLink Manager Service";
+      after = [ "display-manager.service" ];
+      wantedBy = [ "graphical.target" ];
+
+      serviceConfig = {
+        ExecStart = "${displaylink}/bin/DisplayLinkManager";
+        Restart = "always";
+        RestartSec = 5;
+      };
+
+      preStart = ''
+        mkdir -p /var/log/displaylink
+      '';
+    };
+
+  };
+
+}

nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix

@@ -107,4 +107,7 @@ with lib;
       '';
     };
 
+  # Disable large stuff that's not very useful on the installation CD.
+  services.xserver.desktopManager.kde4.enablePIM = false;
+
 }

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -0,0 +1,5 @@
+{
+  x86_64-linux = "/nix/store/i4mwf2gpvar7dqvlpp5m86llbq3ahbvb-nix-1.11.4";
+  i686-linux = "/nix/store/a3gjrbspb0q4hs3sv5g1y2nza43i8nzv-nix-1.11.4";
+  x86_64-darwin = "/nix/store/7v21yd3qpv0nclcy5cqr5njj9bril12s-nix-1.11.4";
+}

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -527,8 +527,11 @@ EOF
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
   # Define on which hard drive you want to install Grub.
-  # boot.loader.grub.device = "/dev/sda";
+  # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
 EOF
         }
 

nixos/modules/installer/tools/nixos-install.sh

@@ -92,14 +92,13 @@ fi
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
-mkdir -m 0755 -p $mountPoint/var/setuid-wrappers
+mkdir -m 0755 -p $mountPoint/var
 mkdir -m 0700 -p $mountPoint/root
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
 mount --rbind / $mountPoint/tmp/root
 mount -t tmpfs -o "mode=0755" none $mountPoint/run
-mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
 rm -rf $mountPoint/var/run
 ln -s /run $mountPoint/var/run
 for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
@@ -260,7 +259,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
 
 
 # Ask the user to set a root password.
-if [ -z "$noRootPasswd" ] && [ -x $mountPoint/var/setuid-wrappers/passwd ] && [ -t 0 ]; then
+if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then
     echo "setting root password..."
     chroot $mountPoint /var/setuid-wrappers/passwd
 fi

nixos/modules/installer/tools/nixos-rebuild.sh

@@ -261,9 +261,9 @@ fi
 prebuiltNix() {
     machine="$1"
     if [ "$machine" = x86_64 ]; then
-        echo /nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10
+        echo @nix_x86_64_linux@
     elif [[ "$machine" =~ i.86 ]]; then
-        echo /nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10
+        echo @nix_i686_linux@
     else
         echo "$0: unsupported platform"
         exit 1

nixos/modules/installer/tools/tools.nix

@@ -32,11 +32,15 @@ let
       "cp refs $out";
   };
 
-  nixos-rebuild = makeProg {
-    name = "nixos-rebuild";
-    src = ./nixos-rebuild.sh;
-    nix = config.nix.package.out;
-  };
+  nixos-rebuild =
+    let fallback = import ./nix-fallback-paths.nix; in
+    makeProg {
+      name = "nixos-rebuild";
+      src = ./nixos-rebuild.sh;
+      nix = config.nix.package.out;
+      nix_x86_64_linux = fallback.x86_64-linux;
+      nix_i686_linux = fallback.i686-linux;
+    };
 
   nixos-generate-config = makeProg {
     name = "nixos-generate-config";

nixos/modules/misc/ids.nix

@@ -120,7 +120,6 @@
       minidlna = 91;
       elasticsearch = 92;
       tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
-      #connman = 94; # unused
       firebird = 95;
       #keys = 96; # unused
       haproxy = 97;
@@ -181,7 +180,6 @@
       systemd-timesync = 154;
       liquidsoap = 155;
       etcd = 156;
-      docker-registry = 157;
       hbase = 158;
       opentsdb = 159;
       scollector = 160;
@@ -377,7 +375,6 @@
       minidlna = 91;
       elasticsearch = 92;
       #tcpcryptd = 93; # unused
-      connman = 94;
       firebird = 95;
       keys = 96;
       haproxy = 97;
@@ -436,7 +433,6 @@
       systemd-timesync = 154;
       liquidsoap = 155;
       #etcd = 156; # unused
-      #docker-registry = 157; # unused
       hbase = 158;
       opentsdb = 159;
       scollector = 160;

nixos/modules/misc/version.nix

@@ -78,7 +78,7 @@ in
     defaultChannel = mkOption {
       internal = true;
       type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-16.09;
       description = "Default NixOS channel to which the root user is subscribed.";
     };
 

nixos/modules/module-list.nix

@@ -40,6 +40,7 @@
   ./hardware/video/amdgpu.nix
   ./hardware/video/ati.nix
   ./hardware/video/bumblebee.nix
+  ./hardware/video/displaylink.nix
   ./hardware/video/nvidia.nix
   ./hardware/video/webcam/facetimehd.nix
   ./i18n/input-method/default.nix
@@ -66,8 +67,9 @@
   ./programs/command-not-found/command-not-found.nix
   ./programs/dconf.nix
   ./programs/environment.nix
-  ./programs/freetds.nix
   ./programs/fish.nix
+  ./programs/freetds.nix
+  ./programs/info.nix
   ./programs/kbdlight.nix
   ./programs/light.nix
   ./programs/man.nix
@@ -228,7 +230,6 @@
   ./services/misc/dictd.nix
   ./services/misc/dysnomia.nix
   ./services/misc/disnix.nix
-  ./services/misc/docker-registry.nix
   ./services/misc/emby.nix
   ./services/misc/etcd.nix
   ./services/misc/felix.nix
@@ -332,7 +333,6 @@
   ./services/networking/dnschain.nix
   ./services/networking/dnscrypt-proxy.nix
   ./services/networking/dnsmasq.nix
-  ./services/networking/docker-registry-server.nix
   ./services/networking/ejabberd.nix
   ./services/networking/fan.nix
   ./services/networking/ferm.nix

nixos/modules/profiles/minimal.nix

@@ -11,4 +11,7 @@ with lib;
   # This isn't perfect, but let's expect the user specifies an UTF-8 defaultLocale
   i18n.supportedLocales = [ (config.i18n.defaultLocale + "/UTF-8") ];
   services.nixosManual.enable = mkDefault false;
+
+  programs.man.enable = mkDefault false;
+  programs.info.enable = mkDefault false;
 }

nixos/modules/programs/info.nix

@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  options = {
+
+    programs.info.enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to enable info pages and the <command>info</command> command.
+      '';
+    };
+
+  };
+
+
+  config = mkIf config.programs.info.enable {
+
+    environment.systemPackages = [ pkgs.texinfoInteractive ];
+
+    environment.pathsToLink = [ "/info" "/share/info" ];
+
+    environment.extraOutputsToInstall = [ "info" ];
+
+  };
+
+}

nixos/modules/programs/shadow.nix

@@ -99,7 +99,6 @@ in
         groupdel = { rootOK = true; };
         login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
         chpasswd = { rootOK = true; };
-        chgpasswd = { rootOK = true; };
       };
 
     security.setuidPrograms = [ "su" "chfn" ]

nixos/modules/programs/ssh.nix

@@ -56,7 +56,6 @@ in
 
       setXAuthLocation = mkOption {
         type = types.bool;
-        default = config.services.xserver.enable;
         description = ''
           Whether to set the path to <command>xauth</command> for X11-forwarded connections.
           This causes a dependency on X11 packages.
@@ -165,6 +164,9 @@ in
 
   config = {
 
+    programs.ssh.setXAuthLocation =
+      mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11);
+
     assertions =
       [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
           message = "cannot enable X11 forwarding without setting XAuth location";

nixos/modules/programs/zsh/zsh.nix

@@ -99,9 +99,9 @@ in
 
       interactiveShellInit = ''
         # history defaults
-        export SAVEHIST=2000
-        export HISTSIZE=2000
-        export HISTFILE=$HOME/.zsh_history
+        SAVEHIST=2000
+        HISTSIZE=2000
+        HISTFILE=$HOME/.zsh_history
 
         setopt HIST_IGNORE_DUPS SHARE_HISTORY HIST_FCNTL_LOCK
 

nixos/modules/rename.nix

@@ -140,6 +140,9 @@ with lib;
     # fontconfig-ultimate
     (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
 
+    # murmur
+    (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
+
     # Options that are obsolete and have no replacement.
     (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
     (mkRemovedOptionModule [ "programs" "bash" "enable" ] "")
@@ -151,7 +154,7 @@ with lib;
     (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "")
     (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "")
     (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ]
-      "See the 16.03 release notes for more information.")
+      "See the 16.09 release notes for more information.")
     (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
     (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
   ];

nixos/modules/security/acme.nix

@@ -166,7 +166,8 @@ in
                           ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
                 acmeService = {
                   description = "Renew ACME Certificate for ${cert}";
-                  after = [ "network.target" ];
+                  after = [ "network.target" "network-online.target" ];
+                  wants = [ "network-online.target" ];
                   serviceConfig = {
                     Type = "oneshot";
                     SuccessExitStatus = [ "0" "1" ];

nixos/modules/security/audit.nix

@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.security.audit;
+  enabled = cfg.enable == "lock" || cfg.enable;
 
   failureModes = {
     silent = 0;
@@ -11,6 +12,13 @@ let
     panic  = 2;
   };
 
+  disableScript = pkgs.writeScript "audit-disable" ''
+    #!${pkgs.stdenv.shell} -eu
+    # Explicitly disable everything, as otherwise journald might start it.
+    auditctl -D
+    auditctl -e 0 -a task,never
+  '';
+
   # TODO: it seems like people like their rules to be somewhat secret, yet they will not be if
   # put in the store like this. At the same time, it doesn't feel like a huge deal and working
   # around that is a pain so I'm leaving it like this for now.
@@ -47,7 +55,7 @@ in {
     security.audit = {
       enable = mkOption {
         type        = types.enum [ false true "lock" ];
-        default     = true; # The kernel seems to enable it by default with no rules anyway
+        default     = false;
         description = ''
           Whether to enable the Linux audit system. The special `lock' value can be used to
           enable auditing and prevent disabling it until a restart. Be careful about locking
@@ -91,7 +99,7 @@ in {
     };
   };
 
-  config = mkIf (cfg.enable == "lock" || cfg.enable) {
+  config = {
     systemd.services.audit = {
       description = "Kernel Auditing";
       wantedBy = [ "basic.target" ];
@@ -103,8 +111,8 @@ in {
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-        ExecStart = "@${startScript} audit-start";
-        ExecStop  = "@${stopScript}  audit-stop";
+        ExecStart = "@${if enabled then startScript else disableScript} audit-start";
+        ExecStop  = "@${stopScript} audit-stop";
       };
     };
   };

nixos/modules/security/hidepid.nix

@@ -20,6 +20,6 @@ with lib;
   config = mkIf config.security.hideProcessInformation {
     users.groups.proc.gid = config.ids.gids.proc;
 
-    fileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
+    boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
   };
 }

nixos/modules/security/pam.nix

@@ -105,6 +105,16 @@ let
         '';
       };
 
+      setEnvironment = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether the service should set the environment variables
+          listed in <option>environment.sessionVariables</option>
+          using <literal>pam_env.so</literal>.
+        '';
+      };
+
       setLoginUid = mkOption {
         type = types.bool;
         description = ''
@@ -284,7 +294,9 @@ let
               "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
 
           # Session management.
-          session required pam_env.so envfile=${config.system.build.pamEnvironment}
+          ${optionalString cfg.setEnvironment ''
+            session required pam_env.so envfile=${config.system.build.pamEnvironment}
+          ''}
           session required pam_unix.so
           ${optionalString cfg.setLoginUid
               "session ${
@@ -477,6 +489,13 @@ in
         vlock = {};
         xlock = {};
         xscreensaver = {};
+
+        runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
+
+        /* FIXME: should runuser -l start a systemd session? Currently
+           it complains "Cannot create session: Already running in a
+           session". */
+        runuser-l = { rootOK = true; unixAuth = false; };
       };
 
   };

nixos/modules/security/rngd.nix

@@ -18,7 +18,7 @@ with lib;
   config = mkIf config.security.rngd.enable {
     services.udev.extraRules = ''
       KERNEL=="random", TAG+="systemd"
-      SUBSYSTEM=="cpu", ENV{MODALIAS}=="x86cpu:*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
+      SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
       KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
       ${if config.services.tcsd.enable then "" else ''KERNEL=="tpm0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"''}
     '';

nixos/modules/security/setuid-wrappers.nix

@@ -12,7 +12,7 @@ let
     installPhase = ''
       mkdir -p $out/bin
       cp ${./setuid-wrapper.c} setuid-wrapper.c
-      gcc -Wall -O2 -DWRAPPER_DIR=\"${wrapperDir}\" \
+      gcc -Wall -O2 -DWRAPPER_DIR=\"/run/setuid-wrapper-dirs\" \
           setuid-wrapper.c -o $out/bin/setuid-wrapper
     '';
   };
@@ -102,11 +102,11 @@ in
                 source=/nix/var/nix/profiles/default/bin/${program}
             fi
 
-            cp ${setuidWrapper}/bin/setuid-wrapper ${wrapperDir}/${program}
-            echo -n "$source" > ${wrapperDir}/${program}.real
-            chmod 0000 ${wrapperDir}/${program} # to prevent races
-            chown ${owner}.${group} ${wrapperDir}/${program}
-            chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${wrapperDir}/${program}
+            cp ${setuidWrapper}/bin/setuid-wrapper $wrapperDir/${program}
+            echo -n "$source" > $wrapperDir/${program}.real
+            chmod 0000 $wrapperDir/${program} # to prevent races
+            chown ${owner}.${group} $wrapperDir/${program}
+            chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
           '';
 
       in stringAfter [ "users" ]
@@ -115,9 +115,30 @@ in
           # programs to be wrapped.
           SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin
 
-          rm -f ${wrapperDir}/* # */
+          mkdir -p /run/setuid-wrapper-dirs
+          wrapperDir=$(mktemp --directory --tmpdir=/run/setuid-wrapper-dirs setuid-wrappers.XXXXXXXXXX)
+          chmod a+rx $wrapperDir
 
           ${concatMapStrings makeSetuidWrapper setuidPrograms}
+
+          if [ -L ${wrapperDir} ]; then
+            # Atomically replace the symlink
+            # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
+            old=$(readlink ${wrapperDir})
+            ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
+            mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
+            rm --force --recursive $old
+          elif [ -d ${wrapperDir} ]; then
+            # Compatibility with old state, just remove the folder and symlink
+            rm -f ${wrapperDir}/*
+            # if it happens to be a tmpfs
+            ${pkgs.utillinux}/bin/umount ${wrapperDir} || true
+            rm -d ${wrapperDir}
+            ln -d --symbolic $wrapperDir ${wrapperDir}
+          else
+            # For initial setup
+            ln --symbolic $wrapperDir ${wrapperDir}
+          fi
         '';
 
   };

nixos/modules/services/databases/influxdb.nix

@@ -66,16 +66,16 @@ let
       enabled = false;
     }];
 
-    collectd = {
+    collectd = [{
       enabled = false;
       typesdb = "${pkgs.collectd}/share/collectd/types.db";
       database = "collectd_db";
       port = 25826;
-    };
+    }];
 
-    opentsdb = {
+    opentsdb = [{
       enabled = false;
-    };
+    }];
 
     continuous_queries = {
       enabled = true;
@@ -171,6 +171,11 @@ in
         mkdir -m 0770 -p ${cfg.dataDir}
         if [ "$(id -u)" = 0 ]; then chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}; fi
       '';
+      postStart = mkBefore ''
+        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://127.0.0.1${toString configOptions.http.bind-address}'/ping; do
+          sleep 1;
+        done
+      '';
     };
 
     users.extraUsers = optional (cfg.user == "influxdb") {

nixos/modules/services/databases/mongodb.nix

@@ -12,13 +12,11 @@ let
 
   mongoCnf = pkgs.writeText "mongodb.conf"
   ''
-    bind_ip = ${cfg.bind_ip}
-    ${optionalString cfg.quiet "quiet = true"}
-    dbpath = ${cfg.dbpath}
-    syslog = true
-    fork = true
-    pidfilepath = ${cfg.pidFile}
-    ${optionalString (cfg.replSetName != "") "replSet = ${cfg.replSetName}"}
+    net.bindIp: ${cfg.bind_ip}
+    ${optionalString cfg.quiet "systemLog.quiet: true"}
+    systemLog.destination: syslog
+    storage.dbPath: ${cfg.dbpath}
+    ${optionalString (cfg.replSetName != "") "replication.replSetName: ${cfg.replSetName}"}
     ${cfg.extraConfig}
   '';
 
@@ -84,9 +82,9 @@ in
       extraConfig = mkOption {
         default = "";
         example = ''
-          nojournal = true
+          storage.journal.enabled: false
         '';
-        description = "MongoDB extra configuration";
+        description = "MongoDB extra configuration in YAML format";
       };
     };
 
@@ -112,7 +110,7 @@ in
         after = [ "network.target" ];
 
         serviceConfig = {
-          ExecStart = "${mongodb}/bin/mongod --quiet --config ${mongoCnf}";
+          ExecStart = "${mongodb}/bin/mongod --quiet --config ${mongoCnf} --fork --pidfilepath ${cfg.pidFile}";
           User = cfg.user;
           PIDFile = cfg.pidFile;
           Type = "forking";

nixos/modules/services/databases/postgresql.nix

@@ -11,12 +11,14 @@ let
     if cfg.extraPlugins == [] then pg
     else pkgs.buildEnv {
       name = "postgresql-and-plugins-${(builtins.parseDrvName pg.name).version}";
-      paths = [ pg ] ++ cfg.extraPlugins;
+      paths = [ pg pg.lib ] ++ cfg.extraPlugins;
+      buildInputs = [ pkgs.makeWrapper ];
       postBuild =
         ''
           mkdir -p $out/bin
           rm $out/bin/{pg_config,postgres,pg_ctl}
           cp --target-directory=$out/bin ${pg}/bin/{postgres,pg_config,pg_ctl}
+          wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib
         '';
     };
 

nixos/modules/services/misc/docker-registry.nix

@@ -1,81 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.dockerRegistry;
-
-in {
-  ###### interface
-
-  options.services.dockerRegistry = {
-    enable = mkOption {
-      description = "Whether to enable docker registry server.";
-      default = false;
-      type = types.bool;
-    };
-
-    listenAddress = mkOption {
-      description = "Docker registry host or ip to bind to.";
-      default = "127.0.0.1";
-      type = types.str;
-    };
-
-    port = mkOption {
-      description = "Docker registry port to bind to.";
-      default = 5000;
-      type = types.int;
-    };
-
-    storagePath = mkOption {
-      type = types.path;
-      default = "/var/lib/docker-registry";
-      description = "Docker registry storage path.";
-    };
-
-    extraConfig = mkOption {
-      description = ''
-        Docker extra registry configuration. See
-        <link xlink:href="https://github.com/docker/docker-registry/blob/master/config/config_sample.yml"/>
-      '';
-      default = {};
-      type = types.attrsOf types.str;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.docker-registry = {
-      description = "Docker Container Registry";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-
-      environment = {
-        REGISTRY_HOST = cfg.listenAddress;
-        REGISTRY_PORT = toString cfg.port;
-        GUNICORN_OPTS = "[--preload]"; # see https://github.com/docker/docker-registry#sqlalchemy
-        STORAGE_PATH = cfg.storagePath;
-      } // cfg.extraConfig;
-
-      serviceConfig = {
-        ExecStart = "${pkgs.pythonPackages.docker_registry}/bin/docker-registry";
-        User = "docker-registry";
-        Group = "docker";
-        PermissionsStartOnly = true;
-        WorkingDirectory = cfg.storagePath;
-      };
-
-      postStart = ''
-        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/'; do
-          sleep 1;
-        done
-      '';
-    };
-
-    users.extraGroups.docker.gid = mkDefault config.ids.gids.docker;
-    users.extraUsers.docker-registry = {
-      createHome = true;
-      home = cfg.storagePath;
-      uid = config.ids.uids.docker-registry;
-    };
-  };
-}

nixos/modules/services/misc/gitlab.nix

@@ -449,13 +449,15 @@ in {
         Group = cfg.group;
         TimeoutSec = "300";
         Restart = "on-failure";
+        WorkingDirectory = gitlabEnv.HOME;
         ExecStart =
           "${cfg.packages.gitlab-workhorse}/bin/gitlab-workhorse "
           + "-listenUmask 0 "
           + "-listenNetwork unix "
           + "-listenAddr /run/gitlab/gitlab-workhorse.socket "
           + "-authSocket ${gitlabSocket} "
-          + "-documentRoot ${cfg.packages.gitlab}/share/gitlab/public";
+          + "-documentRoot ${cfg.packages.gitlab}/share/gitlab/public "
+          + "-secretPath ${cfg.packages.gitlab}/share/gitlab/.gitlab_workhorse_secret";
       };
     };
 
@@ -525,17 +527,23 @@ in {
             psql postgres -c "CREATE ROLE gitlab WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
             ${config.services.postgresql.package}/bin/createdb --owner gitlab gitlab || true
             touch "${cfg.statePath}/db-created"
-
-            # The gitlab:setup task is horribly broken somehow, these two tasks will do the same for setting up the initial database
-            ${gitlab-rake}/bin/gitlab-rake db:migrate RAILS_ENV=production
-            ${gitlab-rake}/bin/gitlab-rake db:seed_fu RAILS_ENV=production \
-              GITLAB_ROOT_PASSWORD="${cfg.initialRootPassword}" GITLAB_ROOT_EMAIL="${cfg.initialRootEmail}";
           fi
         fi
 
+        # enable required pg_trgm extension for gitlab
+        psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"
         # Always do the db migrations just to be sure the database is up-to-date
         ${gitlab-rake}/bin/gitlab-rake db:migrate RAILS_ENV=production
 
+        # The gitlab:setup task is horribly broken somehow, the db:migrate
+        # task above and the db:seed_fu below will do the same for setting
+        # up the initial database
+        if ! test -e "${cfg.statePath}/db-seeded"; then
+          ${gitlab-rake}/bin/gitlab-rake db:seed_fu RAILS_ENV=production \
+            GITLAB_ROOT_PASSWORD="${cfg.initialRootPassword}" GITLAB_ROOT_EMAIL="${cfg.initialRootEmail}"
+          touch "${cfg.statePath}/db-seeded"
+        fi
+
         # Change permissions in the last step because some of the
         # intermediary scripts like to create directories as root.
         chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}

nixos/modules/services/monitoring/cadvisor.nix

@@ -90,6 +90,7 @@ in {
             ${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
           ''}
         '';
+        TimeoutStartSec=300;
       };
     };
 

nixos/modules/services/network-filesystems/samba.nix

@@ -56,6 +56,7 @@ let
       serviceConfig = {
         ExecStart = "${samba}/sbin/${appName} ${args}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        Type = "notify";
       };
 
       restartTriggers = [ configFile ];
@@ -167,12 +168,12 @@ in
         type = types.attrsOf (types.attrsOf types.unspecified);
         example =
           { public =
-             { path = "/srv/public";
-               "read only" = true;
-               browseable = "yes";
-               "guest ok" = "yes";
-                comment = "Public samba share.";
-             };
+            { path = "/srv/public";
+              "read only" = true;
+              browseable = "yes";
+              "guest ok" = "yes";
+              comment = "Public samba share.";
+            };
           };
       };
 

nixos/modules/services/networking/avahi-daemon.nix

@@ -75,7 +75,8 @@ in
       };
 
       browseDomains = mkOption {
-        default = [ "0pointer.de" "zeroconf.org" ];
+        default = [ ];
+        example = [ "0pointer.de" "zeroconf.org" ];
         description = ''
           List of non-local DNS domains to be browsed.
         '';

nixos/modules/services/networking/docker-registry-server.nix

@@ -1,98 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.nodeDockerRegistry;
-
-in {
-  options.services.nodeDockerRegistry = {
-    enable = mkEnableOption "docker registry service";
-
-    port = mkOption {
-      description = "Docker registry listening port.";
-      default = 8080;
-      type = types.int;
-    };
-
-    users = mkOption {
-      description = "Docker registry list of users.";
-      default = [];
-      options = [{
-        user = mkOption {
-          description = "Docker registry user username.";
-          type = types.str;
-        };
-
-        pass = mkOption {
-          description = "Docker registry user password.";
-          type = types.str;
-        };
-      }];
-      type = types.listOf types.optionSet;
-    };
-
-    onTag = mkOption {
-      description = "Docker registry hook triggered when an image is tagged.";
-      default = "";
-      type = types.str;
-    };
-
-    onImage = mkOption {
-      description = "Docker registry hook triggered when an image metadata is uploaded.";
-      default = "";
-      type = types.str;
-    };
-
-    onLayer = mkOption {
-      description = "Docker registry hook triggered when an when an image layer is uploaded.";
-      default = "";
-      type = types.str;
-    };
-
-    onVerify = mkOption {
-      description = "Docker registry hook triggered when an image layer+metadata has been verified.";
-      default = "";
-      type = types.str;
-    };
-
-    onIndex = mkOption {
-      description = "Docker registry hook triggered when an when an image file system data has been indexed.";
-      default = "";
-      type = types.str;
-    };
-
-    dataDir = mkOption {
-      description = "Docker registry data directory";
-      default = "/var/lib/docker-registry";
-      type = types.path;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.docker-registry-server = {
-      description = "Docker Registry Service.";
-      wantedBy = ["multi-user.target"];
-      after = ["network.target"];
-      script = ''
-        ${pkgs.nodePackages.docker-registry-server}/bin/docker-registry-server \
-          --dir ${cfg.dataDir} \
-          --port ${toString cfg.port} \
-          ${concatMapStringsSep " " (u: "--user ${u.user}:${u.pass}") cfg.users} \
-          ${optionalString (cfg.onTag != "") "--on-tag '${cfg.onTag}'"} \
-          ${optionalString (cfg.onImage != "") "--on-image '${cfg.onImage}'"} \
-          ${optionalString (cfg.onVerify != "") "--on-verify '${cfg.onVerify}'"} \
-          ${optionalString (cfg.onIndex != "") "--on-index '${cfg.onIndex}'"}
-      '';
-
-      serviceConfig.User = "docker-registry";
-    };
-
-    users.extraUsers.docker-registry = {
-      uid = config.ids.uids.docker-registry;
-      description = "Docker registry user";
-      createHome = true;
-      home = cfg.dataDir;
-    };
-  };
-}

nixos/modules/services/networking/firewall.nix

@@ -490,7 +490,8 @@ in
 
     systemd.services.firewall = {
       description = "Firewall";
-      wantedBy = [ "network-pre.target" ];
+      wantedBy = [ "multi-user.target" "sysinit.target" ];
+      wants = [ "network-pre.target" ];
       before = [ "network-pre.target" ];
       after = [ "systemd-modules-load.service" ];
 

nixos/modules/services/networking/mjpg-streamer.nix

@@ -59,8 +59,12 @@ in {
       description = "mjpg-streamer webcam streamer";
       wantedBy = [ "multi-user.target" ];
 
-      serviceConfig.User = cfg.user;
-      serviceConfig.Group = cfg.group;
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        Restart = "on-failure";
+        RestartSec = 1;
+      };
 
       script = ''
         IPLUGIN="${cfg.inputPlugin}"

nixos/modules/services/networking/murmur.nix

@@ -15,7 +15,7 @@ let
     logfile=/var/log/murmur/murmurd.log
     pidfile=${cfg.pidfile}
 
-    welcome="${cfg.welcome}"
+    welcometext="${cfg.welcometext}"
     port=${toString cfg.port}
 
     ${if cfg.hostName == "" then "" else "host="+cfg.hostName}
@@ -84,7 +84,7 @@ in
         description = "Path to PID file for Murmur daemon.";
       };
 
-      welcome = mkOption {
+      welcometext = mkOption {
         type = types.str;
         default = "";
         description = "Welcome message for connected clients.";

nixos/modules/services/networking/ssh/sshd.nix

@@ -85,7 +85,7 @@ in
 
       forwardX11 = mkOption {
         type = types.bool;
-        default = cfgc.setXAuthLocation;
+        default = false;
         description = ''
           Whether to allow X11 connections to be forwarded.
         '';
@@ -227,6 +227,8 @@ in
 
   config = mkIf cfg.enable {
 
+    programs.ssh.setXAuthLocation = mkForce cfg.forwardX11;
+
     users.extraUsers.sshd =
       { isSystemUser = true;
         description = "SSH privilege separation user";

nixos/modules/services/networking/supplicant.nix

@@ -34,7 +34,7 @@ let
       '';
     in
       { description = "Supplicant ${iface}${optionalString (iface=="WLAN"||iface=="LAN") " %I"}";
-        wantedBy = [ "network.target" ];
+        wantedBy = [ "network.target" ] ++ deps;
         bindsTo = deps;
         after = deps;
         before = [ "network.target" ];

nixos/modules/services/networking/unbound.nix

@@ -43,14 +43,10 @@ in
   options = {
     services.unbound = {
 
-      enable = mkOption {
-        default = false;
-        type = types.bool;
-        description = "Whether to enable the Unbound domain name server.";
-      };
+      enable = mkEnableOption "Unbound domain name server";
 
       allowedAccess = mkOption {
-        default = ["127.0.0.0/24"];
+        default = [ "127.0.0.0/24" ];
         type = types.listOf types.str;
         description = "What networks are allowed to use unbound as a resolver.";
       };
@@ -97,7 +93,7 @@ in
     };
 
     systemd.services.unbound = {
-      description="Unbound recursive Domain Name Server";
+      description = "Unbound recursive Domain Name Server";
       after = [ "network.target" ];
       before = [ "nss-lookup.target" ];
       wants = [" nss-lookup.target" ];

nixos/modules/services/networking/zerotierone.nix

@@ -7,11 +7,19 @@ let
 in
 {
   options.services.zerotierone.enable = mkEnableOption "ZeroTierOne";
-  
+  options.services.zerotierone.package = mkOption {
+    default = pkgs.zerotierone;
+    defaultText = "pkgs.zerotierone";
+    type = types.package;
+    description = ''
+      ZeroTier One package to use.
+    '';
+  };
+
   config = mkIf cfg.enable {
     systemd.services.zerotierone = {
       description = "ZeroTierOne";
-      path = [ pkgs.zerotierone ];
+      path = [ cfg.package ];
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       preStart =
@@ -21,7 +29,7 @@ in
         chown -R root:root /var/lib/zerotier-one
         '';
       serviceConfig = {
-        ExecStart = "${pkgs.zerotierone}/bin/zerotier-one";
+        ExecStart = "${cfg.package}/bin/zerotier-one";
         Restart = "always";
         KillMode = "process";
       };
@@ -30,6 +38,6 @@ in
     # ZeroTier does not issue DHCP leases, but some strangers might...
     networking.dhcpcd.denyInterfaces = [ "zt0" ];
 
-    environment.systemPackages = [ pkgs.zerotierone ];
+    environment.systemPackages = [ cfg.package ];
   };
 }

nixos/modules/services/system/dbus.nix

@@ -8,7 +8,7 @@ let
 
   cfg = config.services.dbus;
 
-  homeDir = "/var/run/dbus";
+  homeDir = "/run/dbus";
 
   systemExtraxml = concatStrings (flip concatMap cfg.packages (d: [
     "<servicedir>${d}/share/dbus-1/system-services</servicedir>"
@@ -20,6 +20,8 @@ let
     "<includedir>${d}/etc/dbus-1/session.d</includedir>"
   ]));
 
+  daemonArgs = "--address=systemd: --nofork --nopidfile --systemd-activation";
+
   configDir = pkgs.stdenv.mkDerivation {
     name = "dbus-conf";
 
@@ -29,6 +31,14 @@ let
     buildCommand = ''
       mkdir -p $out
 
+      cp ${pkgs.dbus.out}/share/dbus-1/{system,session}.conf $out
+
+      # avoid circular includes
+      sed -ri 's@(<include ignore_missing="yes">/etc/dbus-1/(system|session)\.conf</include>)@<!-- \1 -->@g' $out/{system,session}.conf
+
+      # include by full path
+      sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf
+
       sed '${./dbus-system-local.conf.in}' \
         -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
         -e 's,@extra@,${systemExtraxml},' \
@@ -75,16 +85,21 @@ in
         '';
       };
 
+      socketActivated = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Make the user instance socket activated.
+        '';
+      };
     };
-
   };
 
-
   ###### implementation
 
   config = mkIf cfg.enable {
 
-    environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus_tools ];
+    environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus ];
 
     environment.etc = singleton
       { source = configDir;
@@ -104,7 +119,7 @@ in
 
     security.setuidOwners = singleton
       { program = "dbus-daemon-launch-helper";
-        source = "${pkgs.dbus_daemon.out}/libexec/dbus-daemon-launch-helper";
+        source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper";
         owner = "root";
         group = "messagebus";
         setuid = true;
@@ -117,13 +132,29 @@ in
       config.system.path
     ];
 
-    # Don't restart dbus-daemon. Bad things tend to happen if we do.
-    systemd.services.dbus.reloadIfChanged = true;
+    systemd.services.dbus = {
+      # Don't restart dbus-daemon. Bad things tend to happen if we do.
+      reloadIfChanged = true;
+      restartTriggers = [ configDir ];
+      serviceConfig.ExecStart = [
+        ""
+        "${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=${configDir}/system.conf ${daemonArgs}"
+      ];
+    };
 
-    systemd.services.dbus.restartTriggers = [ configDir ];
+    systemd.user = {
+      services.dbus = {
+        # Don't restart dbus-daemon. Bad things tend to happen if we do.
+        reloadIfChanged = true;
+        restartTriggers = [ configDir ];
+        serviceConfig.ExecStart = [
+          ""
+          "${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=${configDir}/session.conf ${daemonArgs}"
+        ];
+      };
+      sockets.dbus.wantedBy = mkIf cfg.socketActivated [ "sockets.target" ];
+    };
 
     environment.pathsToLink = [ "/etc/dbus-1" "/share/dbus-1" ];
-
   };
-
 }

nixos/modules/services/web-servers/apache-httpd/mediawiki.nix

@@ -83,11 +83,11 @@ let
 
   # Unpack Mediawiki and put the config file in its root directory.
   mediawikiRoot = pkgs.stdenv.mkDerivation rec {
-    name= "mediawiki-1.23.13";
+    name= "mediawiki-1.27.1";
 
     src = pkgs.fetchurl {
-      url = "http://download.wikimedia.org/mediawiki/1.23/${name}.tar.gz";
-      sha256 = "168wpf53n4ksj2g5q5r0hxapx6238dvsfng5ff9ixk6axsn0j5d0";
+      url = "http://download.wikimedia.org/mediawiki/1.27/${name}.tar.gz";
+      sha256 = "0sm3ymz93qragbwhzzbwq7f127mbj29inv0afg2z6p32jb1pd9h8";
     };
 
     skins = config.skins;

nixos/modules/services/web-servers/apache-httpd/moodle.nix

@@ -63,6 +63,10 @@ let
         cp -r * $out
         cp ${moodleConfig} $out/config.php
       '';
+    # Marked as broken due to needing an update for security issues.
+    # See: https://github.com/NixOS/nixpkgs/issues/18856
+    meta.broken = true;
+
   };
 
 in

nixos/modules/services/web-servers/apache-httpd/wordpress.nix

@@ -5,7 +5,8 @@ with lib;
 
 let
 
-  version = "4.3.1";
+  # Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix
+  version = "4.6.1";
   fullversion = "${version}";
 
   # Our bare-bones wp-config.php file using the above settings
@@ -74,7 +75,7 @@ let
       owner = "WordPress";
       repo = "WordPress";
       rev = "${fullversion}";
-      sha256 = "1rk10vcv4z9p04hfzc0wkbilrgx7m9ssyr6c3w6vw3vl1bcgqxza";
+      sha256 = "0n82xgjg1ry2p73hhgpslnkdzrma5n6hxxq76s7qskkzj0qjfvpn";
     };
     installPhase = ''
       mkdir -p $out
@@ -98,7 +99,7 @@ let
       # symlink additional plugin(s)
       ${concatMapStrings (plugin: "ln -s ${plugin} $out/wp-content/plugins/${plugin.name}\n") (config.plugins) }
 
-      # symlink additional translation(s) 
+      # symlink additional translation(s)
       mkdir -p $out/wp-content/languages
       ${concatMapStrings (language: "ln -s ${language}/*.mo ${language}/*.po $out/wp-content/languages/\n") (selectedLanguages) }
     '';
@@ -123,7 +124,7 @@ in
   options = {
     dbHost = mkOption {
       default = "localhost";
-      description = "The location of the database server.";  
+      description = "The location of the database server.";
       example = "localhost";
     };
     dbName = mkOption {
@@ -253,7 +254,7 @@ in
       done
       ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
       ${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'
-    else 
+    else
       echo "Good, no need to do anything database related."
     fi
   '';

nixos/modules/services/web-servers/nginx/default.nix

@@ -114,17 +114,18 @@ let
         port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
         listenString = toString port + optionalString ssl " ssl http2"
           + optionalString vhost.default " default";
-        acmeLocation = optionalString vhost.enableACME ''
+        acmeLocation = optionalString vhost.enableACME (''
           location /.well-known/acme-challenge {
-            try_files $uri @acme-fallback;
+            ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
             root ${vhost.acmeRoot};
             auth_basic off;
           }
+        '' + (optionalString (vhost.acmeFallbackHost != null) ''
           location @acme-fallback {
             auth_basic off;
             proxy_pass http://${vhost.acmeFallbackHost};
           }
-        '';
+        ''));
       in ''
         ${optionalString vhost.forceSSL ''
           server {

nixos/modules/services/web-servers/nginx/vhost-options.nix

@@ -39,8 +39,8 @@ with lib;
     };
 
     acmeFallbackHost = mkOption {
-      type = types.str;
-      default = "0.0.0.0";
+      type = types.nullOr types.str;
+      default = null;
       description = ''
         Host which to proxy requests to if acme challenge is not found. Useful
         if you want multiple hosts to be able to verify the same domain name.

nixos/modules/services/web-servers/tomcat.nix

@@ -10,6 +10,10 @@ in
 
 {
 
+  meta = {
+    maintainers = with maintainers; [ danbst ];
+  };
+
   ###### interface
 
   options = {
@@ -74,8 +78,8 @@ in
 
       webapps = mkOption {
         type = types.listOf types.package;
-        default = [ tomcat ];
-        defaultText = "[ tomcat ]";
+        default = [ tomcat.webapps ];
+        defaultText = "[ tomcat.webapps ]";
         description = "List containing WAR files or directories with WAR files which are web applications to be deployed on Tomcat";
       };
 

nixos/modules/services/x11/desktop-managers/kde4.nix

@@ -14,7 +14,7 @@ let
   # files), segfault sometimes and consume significant resources.
   # They can be re-enabled in the KDE System Settings under "Desktop
   # Search".
-  nepomukConfig = pkgs.writeTextFile
+  disableNepomuk = pkgs.writeTextFile
     { name = "nepomuk-config";
       destination = "/share/config/nepomukserverrc";
       text =
@@ -70,6 +70,18 @@ in
         type = types.package;
         description = "Custom kde-workspace, used for NixOS rebranding.";
       };
+
+      enablePIM = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether to enable PIM support. Note that enabling this pulls in Akonadi and MariaDB as dependencies.";
+      };
+
+      enableNepomuk = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable Nepomuk (deprecated).";
+      };
     };
   };
 
@@ -138,7 +150,6 @@ in
 
           pkgs.kde4.kde_wallpapers # contains kdm's default background
           pkgs.kde4.oxygen_icons
-          pkgs.virtuoso # to enable Nepomuk to find Virtuoso
 
           # Starts KDE's Polkit authentication agent.
           pkgs.kde4.polkit_kde_agent
@@ -149,20 +160,26 @@ in
           xorg.xmessage # so that startkde can show error messages
           xorg.xset # used by startkde, non-essential
           xorg.xauth # used by kdesu
-          pkgs.shared_desktop_ontologies # used by nepomuk
-          pkgs.strigi # used by nepomuk
+        ]
+      ++ optionals cfg.enablePIM
+        [ pkgs.kde4.kdepim_runtime
           pkgs.kde4.akonadi
           pkgs.mysql # used by akonadi
-          pkgs.kde4.kdepim_runtime
         ]
-      ++ lib.optional config.hardware.pulseaudio.enable pkgs.kde4.kmix  # Perhaps this should always be enabled
-      ++ lib.optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil
-      ++ lib.optional config.networking.networkmanager.enable pkgs.kde4.plasma-nm
-      ++ [ nepomukConfig ] ++ phononBackendPackages;
+      ++ (if cfg.enableNepomuk then
+        [ pkgs.shared_desktop_ontologies # used by nepomuk
+          pkgs.strigi # used by nepomuk
+          pkgs.virtuoso # to enable Nepomuk to find Virtuoso
+        ] else
+        [ disableNepomuk ])
+      ++ optional config.hardware.pulseaudio.enable pkgs.kde4.kmix  # Perhaps this should always be enabled
+      ++ optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil
+      ++ optional config.networking.networkmanager.enable pkgs.kde4.plasma-nm
+      ++ phononBackendPackages;
 
     environment.pathsToLink = [ "/share" ];
 
-    environment.profileRelativeEnvVars = mkIf (lib.elem "gstreamer" cfg.phononBackends) {
+    environment.profileRelativeEnvVars = mkIf (elem "gstreamer" cfg.phononBackends) {
       GST_PLUGIN_SYSTEM_PATH = [ "/lib/gstreamer-0.10" ];
     };
 

nixos/modules/services/x11/desktop-managers/xfce.nix

@@ -69,7 +69,7 @@ in
     services.xserver.updateDbusEnvironment = true;
 
     environment.systemPackages =
-      [ pkgs.gtk # To get GTK+'s themes.
+      [ pkgs.gtk.out # To get GTK+'s themes and gtk-update-icon-cache
         pkgs.hicolor_icon_theme
         pkgs.tango-icon-theme
         pkgs.shared_mime_info
@@ -100,6 +100,7 @@ in
         pkgs.xfce.tumbler       # found via dbus
       ]
       ++ optional config.powerManagement.enable pkgs.xfce.xfce4_power_manager
+      ++ optional config.networking.networkmanager.enable pkgs.networkmanagerapplet
       ++ optionals (!cfg.noDesktop)
          [ pkgs.xfce.xfce4panel
            pkgs.xfce.xfdesktop

nixos/modules/services/x11/display-managers/default.nix

@@ -134,13 +134,8 @@ let
         (*) echo "$0: Desktop manager '$desktopManager' not found.";;
       esac
 
-      # FIXME: gdbus should not be in glib.dev!
-      ${optionalString (cfg.startDbusSession && cfg.updateDbusEnvironment) ''
-        ${pkgs.glib.dev}/bin/gdbus call --session \
-          --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus \
-          --method org.freedesktop.DBus.UpdateActivationEnvironment \
-          "{$(env | ${pkgs.gnused}/bin/sed "s/'/\\\\'/g; s/\([^=]*\)=\(.*\)/'\1':'\2'/" \
-                  | ${pkgs.coreutils}/bin/paste -sd,)}"
+      ${optionalString cfg.updateDbusEnvironment ''
+        ${lib.getBin pkgs.dbus}/bin/dbus-update-activation-environment --systemd --all
       ''}
 
       test -n "$waitPID" && wait "$waitPID"

nixos/modules/services/x11/xserver.nix

@@ -654,6 +654,8 @@ in
         ${xrandrMonitorSections}
       '';
 
+    fonts.enableDefaultFonts = mkDefault true;
+
   };
 
 }

nixos/modules/system/activation/activation-script.nix

@@ -12,11 +12,13 @@ let
     '';
   });
 
-  path = map getBin
-    [ pkgs.coreutils pkgs.gnugrep pkgs.findutils
-      pkgs.glibc # needed for getent
-      pkgs.shadow
-      pkgs.nettools # needed for hostname
+  path = with pkgs; map getBin
+    [ coreutils
+      gnugrep
+      findutils
+      glibc # needed for getent
+      shadow
+      nettools # needed for hostname
     ];
 
 in
@@ -137,8 +139,13 @@ in
 
         mkdir -m 1777 -p /var/tmp
 
-        # Empty, read-only home directory of many system accounts.
-        mkdir -m 0555 -p /var/empty
+        # Empty, immutable home directory of many system accounts.
+        mkdir -p /var/empty
+        # Make sure it's really empty
+        ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
+        find /var/empty -mindepth 1 -delete
+        chmod 0555 /var/empty
+        ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
       '';
 
     system.activationScripts.usrbinenv = if config.environment.usrbinenv != null

nixos/modules/system/activation/switch-to-configuration.pl

@@ -213,33 +213,30 @@ while (my ($unit, $state) = each %{$activePrev}) {
                 elsif (!boolIsTrue($unitInfo->{'X-RestartIfChanged'} // "yes") || boolIsTrue($unitInfo->{'RefuseManualStop'} // "no") ) {
                     $unitsToSkip{$unit} = 1;
                 } else {
-                    # If this unit is socket-activated, then stop the
-                    # socket unit(s) as well, and restart the
-                    # socket(s) instead of the service.
-                    my $socketActivated = 0;
-                    if ($unit =~ /\.service$/) {
-                        my @sockets = split / /, ($unitInfo->{Sockets} // "");
-                        if (scalar @sockets == 0) {
-                            @sockets = ("$baseName.socket");
-                        }
-                        foreach my $socket (@sockets) {
-                            if (defined $activePrev->{$socket}) {
-                                $unitsToStop{$unit} = 1;
-                                $unitsToStart{$unit} = 1;
-                                recordUnit($startListFile, $socket);
-                                $socketActivated = 1;
-                            }
-                        }
-                    }
-
                     if (!boolIsTrue($unitInfo->{'X-StopIfChanged'} // "yes")) {
-
                         # This unit should be restarted instead of
                         # stopped and started.
                         $unitsToRestart{$unit} = 1;
                         recordUnit($restartListFile, $unit);
-
                     } else {
+                        # If this unit is socket-activated, then stop the
+                        # socket unit(s) as well, and restart the
+                        # socket(s) instead of the service.
+                        my $socketActivated = 0;
+                        if ($unit =~ /\.service$/) {
+                            my @sockets = split / /, ($unitInfo->{Sockets} // "");
+                            if (scalar @sockets == 0) {
+                                @sockets = ("$baseName.socket");
+                            }
+                            foreach my $socket (@sockets) {
+                                if (defined $activePrev->{$socket}) {
+                                    $unitsToStop{$socket} = 1;
+                                    $unitsToStart{$socket} = 1;
+                                    recordUnit($startListFile, $socket);
+                                    $socketActivated = 1;
+                                }
+                            }
+                        }
 
                         # If the unit is not socket-activated, record
                         # that this unit needs to be started below.
@@ -251,7 +248,6 @@ while (my ($unit, $state) = each %{$activePrev}) {
                         }
 
                         $unitsToStop{$unit} = 1;
-
                     }
                 }
             }

nixos/modules/system/activation/top-level.nix

@@ -98,7 +98,7 @@ let
   # `switch-to-configuration' that activates the configuration and
   # makes it bootable.
   baseSystem = showWarnings (
-    if [] == failed then pkgs.stdenv.mkDerivation {
+    if [] == failed then pkgs.stdenvNoCC.mkDerivation {
       name = let hn = config.networking.hostName;
                  nn = if (hn != "") then hn else "unnamed";
           in "nixos-system-${nn}-${config.system.nixosLabel}";

nixos/modules/system/boot/kernel.nix

@@ -203,6 +203,12 @@ in
         # Misc. stuff.
         "pcips2" "atkbd"
 
+        # Temporary fix for https://github.com/NixOS/nixpkgs/issues/18451
+        # Remove as soon as upstream gets fixed - marking it:
+        # TODO
+        # FIXME
+        "i8042"
+
         # To wait for SCSI devices to appear.
         "scsi_wait_scan"
 

nixos/modules/system/boot/loader/grub/grub.nix

@@ -55,7 +55,7 @@ let
       inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries
         extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
-        default fsIdentifier efiSupport gfxmodeEfi gfxmodeBios;
+        default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios;
       path = (makeBinPath ([
         pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
         pkgs.utillinux ] ++ (if cfg.efiSupport && (cfg.version == 2) then [pkgs.efibootmgr ] else [])
@@ -357,6 +357,44 @@ in
         '';
       };
 
+      efiInstallAsRemovable = mkOption {
+        default = false;
+        example = true;
+        type = types.bool;
+        description = ''
+          Whether to invoke <literal>grub-install</literal> with
+          <literal>--removable</literal>.</para>
+
+          <para>Unless you turn this on, GRUB will install itself somewhere in
+          <literal>boot.loader.efi.efiSysMountPoint</literal> (exactly where
+          depends on other config variables). If you've set
+          <literal>boot.loader.efi.canTouchEfiVariables</literal> *AND* you
+          are currently booted in UEFI mode, then GRUB will use
+          <literal>efibootmgr</literal> to modify the boot order in the
+          EFI variables of your firmware to include this location. If you are
+          *not* booted in UEFI mode at the time GRUB is being installed, the
+          NVRAM will not be modified, and your system will not find GRUB at
+          boot time. However, GRUB will still return success so you may miss
+          the warning that gets printed ("<literal>efibootmgr: EFI variables
+          are not supported on this system.</literal>").</para>
+
+          <para>If you turn this feature on, GRUB will install itself in a
+          special location within <literal>efiSysMountPoint</literal> (namely
+          <literal>EFI/boot/boot$arch.efi</literal>) which the firmwares
+          are hardcoded to try first, regardless of NVRAM EFI variables.</para>
+
+          <para>To summarize, turn this on if:
+          <itemizedlist>
+            <listitem><para>You are installing NixOS and want it to boot in UEFI mode,
+            but you are currently booted in legacy mode</para></listitem>
+            <listitem><para>You want to make a drive that will boot regardless of
+            the NVRAM state of the computer (like a USB "removable" drive)</para></listitem>
+            <listitem><para>You simply dislike the idea of depending on NVRAM
+            state to make your drive bootable</para></listitem>
+          </itemizedlist>
+        '';
+      };
+
       enableCryptodisk = mkOption {
         default = false;
         type = types.bool;
@@ -425,13 +463,20 @@ in
         { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; }
       ];
 
-      system.build.installBootLoader = pkgs.writeScript "install-grub.sh" (''
+      system.build.installBootLoader =
+        let
+          install-grub-pl = pkgs.substituteAll {
+            src = ./install-grub.pl;
+            inherit (pkgs) utillinux;
+            btrfsprogs = pkgs.btrfs-progs;
+          };
+        in pkgs.writeScript "install-grub.sh" (''
         #!${pkgs.stdenv.shell}
         set -e
         export PERL5LIB=${makePerlPath (with pkgs.perlPackages; [ FileSlurp XMLLibXML XMLSAX ListCompare ])}
         ${optionalString cfg.enableCryptodisk "export GRUB_ENABLE_CRYPTODISK=y"}
       '' + flip concatMapStrings cfg.mirroredBoots (args: ''
-        ${pkgs.perl}/bin/perl ${./install-grub.pl} ${grubConfig args} $@
+        ${pkgs.perl}/bin/perl ${install-grub-pl} ${grubConfig args} $@
       ''));
 
       system.build.grub = grub;
@@ -477,6 +522,14 @@ in
           assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated";
           message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'.";
         }
+        {
+          assertion = cfg.efiInstallAsRemovable -> cfg.efiSupport;
+          message = "If you wish to to use boot.loader.grub.efiInstallAsRemovable, then turn on boot.loader.grub.efiSupport";
+        }
+        {
+          assertion = cfg.efiInstallAsRemovable -> !config.boot.loader.efi.canTouchEfiVariables;
+          message = "If you wish to to use boot.loader.grub.efiInstallAsRemovable, then turn off boot.loader.efi.canTouchEfiVariables";
+        }
       ] ++ flip concatMap cfg.mirroredBoots (args: [
         {
           assertion = args.devices != [ ];

nixos/modules/system/boot/loader/grub/install-grub.pl

@@ -12,8 +12,10 @@ require List::Compare;
 use POSIX;
 use Cwd;
 
+# system.build.toplevel path
 my $defaultConfig = $ARGV[1] or die;
 
+# Grub config XML generated by grubConfig function in grub.nix
 my $dom = XML::LibXML->load_xml(location => $ARGV[0]);
 
 sub get { my ($name) = @_; return $dom->findvalue("/expr/attrs/attr[\@name = '$name']/*/\@value"); }
@@ -58,6 +60,7 @@ my $grubTargetEfi = get("grubTargetEfi");
 my $bootPath = get("bootPath");
 my $storePath = get("storePath");
 my $canTouchEfiVariables = get("canTouchEfiVariables");
+my $efiInstallAsRemovable = get("efiInstallAsRemovable");
 my $efiSysMountPoint = get("efiSysMountPoint");
 my $gfxmodeEfi = get("gfxmodeEfi");
 my $gfxmodeBios = get("gfxmodeBios");
@@ -97,6 +100,8 @@ sub PathInMount {
     }
     return 1;
 }
+
+# Figure out what filesystem is used for the directory with init/initrd/kernel files
 sub GetFs {
     my ($dir) = @_;
     my $bestFs = Fs->new(device => "", type => "", mount => "");
@@ -136,7 +141,10 @@ my $driveid = 1;
 sub GrubFs {
     my ($dir) = @_;
     my $fs = GetFs($dir);
-    my $path = "/" . substr($dir, length($fs->mount));
+    my $path = substr($dir, length($fs->mount));
+    if (substr($path, 0, 1) ne "/") {
+      $path = "/$path";
+    }
     my $search = "";
 
     if ($grubVersion > 1) {
@@ -169,7 +177,7 @@ sub GrubFs {
                 $search = $types{$fsIdentifier} . ' ';
 
                 # Based on the type pull in the identifier from the system
-                my ($status, @devInfo) = runCommand("blkid -o export @{[$fs->device]}");
+                my ($status, @devInfo) = runCommand("@utillinux@/bin/blkid -o export @{[$fs->device]}");
                 if ($status != 0) {
                     die "Failed to get blkid info for @{[$fs->mount]} on @{[$fs->device]}";
                 }
@@ -182,7 +190,7 @@ sub GrubFs {
 
             # BTRFS is a special case in that we need to fix the referrenced path based on subvolumes
             if ($fs->type eq 'btrfs') {
-                my ($status, @id_info) = runCommand("btrfs subvol show @{[$fs->mount]}");
+                my ($status, @id_info) = runCommand("@btrfsprogs@/bin/btrfs subvol show @{[$fs->mount]}");
                 if ($status != 0) {
                     die "Failed to retrieve subvolume info for @{[$fs->mount]}\n";
                 }
@@ -190,7 +198,7 @@ sub GrubFs {
                 if ($#ids > 0) {
                     die "Btrfs subvol name for @{[$fs->device]} listed multiple times in mount\n"
                 } elsif ($#ids == 0) {
-                    my ($status, @path_info) = runCommand("btrfs subvol list @{[$fs->mount]}");
+                    my ($status, @path_info) = runCommand("@btrfsprogs@/bin/btrfs subvol list @{[$fs->mount]}");
                     if ($status != 0) {
                         die "Failed to find @{[$fs->mount]} subvolume id from btrfs\n";
                     }
@@ -537,13 +545,15 @@ if (($requireNewInstall != 0) && ($efiTarget eq "no" || $efiTarget eq "both")) {
 # install EFI GRUB
 if (($requireNewInstall != 0) && ($efiTarget eq "only" || $efiTarget eq "both")) {
     print STDERR "installing the GRUB $grubVersion EFI boot loader into $efiSysMountPoint...\n";
+    my @command = ("$grubEfi/sbin/grub-install", "--recheck", "--target=$grubTargetEfi", "--boot-directory=$bootPath", "--efi-directory=$efiSysMountPoint");
     if ($canTouchEfiVariables eq "true") {
-        system("$grubEfi/sbin/grub-install", "--recheck", "--target=$grubTargetEfi", "--boot-directory=$bootPath", "--efi-directory=$efiSysMountPoint", "--bootloader-id=$bootloaderId") == 0
-                or die "$0: installation of GRUB EFI into $efiSysMountPoint failed\n";
+        push @command, "--bootloader-id=$bootloaderId";
     } else {
-        system("$grubEfi/sbin/grub-install", "--recheck", "--target=$grubTargetEfi", "--boot-directory=$bootPath", "--efi-directory=$efiSysMountPoint", "--no-nvram") == 0
-                or die "$0: installation of GRUB EFI into $efiSysMountPoint failed\n";
+        push @command, "--no-nvram";
+        push @command, "--removable" if $efiInstallAsRemovable eq "true";
     }
+
+    (system @command) == 0 or die "$0: installation of GRUB EFI into $efiSysMountPoint failed\n";
 }
 
 

nixos/modules/system/boot/stage-1.nix

@@ -198,9 +198,10 @@ let
       preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules;
 
     resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}")
-                    (filter (sd: (sd ? label || hasPrefix "/dev/" sd.device) && !sd.randomEncryption 
-                    # Don't include zram devices
-                    && !(hasPrefix "/dev/zram" sd.device)) config.swapDevices);
+                    (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption
+                             # Don't include zram devices
+                             && !(hasPrefix "/dev/zram" sd.device)
+                            ) config.swapDevices);
 
     fsInfo =
       let f = fs: [ fs.mountPoint (if fs.device != null then fs.device else "/dev/disk/by-label/${fs.label}") fs.fsType (builtins.concatStringsSep "," fs.options) ];

nixos/modules/system/boot/stage-2-init.sh

@@ -29,7 +29,7 @@ setPath "@path@"
 # Normally, stage 1 mounts the root filesystem read/writable.
 # However, in some environments, stage 2 is executed directly, and the
 # root is read-only.  So make it writable here.
-if [ "$container" != systemd-nspawn ]; then
+if [ -z "$container" ]; then
     mount -n -o remount,rw none /
 fi
 
@@ -141,13 +141,6 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then
     cat /etc/resolv.conf | resolvconf -m 1000 -a host
 fi
 
-
-# Create /var/setuid-wrappers as a tmpfs.
-rm -rf /var/setuid-wrappers
-mkdir -m 0755 -p /var/setuid-wrappers
-mount -t tmpfs -o "mode=0755" tmpfs /var/setuid-wrappers
-
-
 # Log the script output to /dev/kmsg or /run/log/stage-2-init.log.
 # Only at this point are all the necessary prerequisites ready for these commands.
 exec {logOutFd}>&1 {logErrFd}>&2

nixos/modules/system/boot/systemd-unit-options.nix

@@ -309,7 +309,7 @@ in rec {
     };
 
     startAt = mkOption {
-      type = types.str;
+      type = with types; either str (listOf str);
       default = "";
       example = "Sun 14:00:00";
       description = ''

nixos/modules/system/boot/systemd.nix

@@ -803,6 +803,8 @@ in
     systemd.services.systemd-user-sessions.restartIfChanged = false; # Restart kills all active sessions.
     systemd.services.systemd-logind.restartTriggers = [ config.environment.etc."systemd/logind.conf".source ];
     systemd.services.systemd-logind.stopIfChanged = false;
+    systemd.services.systemd-journald.restartTriggers = [ config.environment.etc."systemd/journald.conf".source ];
+    systemd.services.systemd-journald.stopIfChanged = false;
     systemd.targets.local-fs.unitConfig.X-StopOnReconfiguration = true;
     systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true;
     systemd.services.systemd-binfmt.wants = [ "proc-sys-fs-binfmt_misc.automount" ];

nixos/modules/system/etc/etc.nix

@@ -8,7 +8,7 @@ let
 
   etc' = filter (f: f.enable) (attrValues config.environment.etc);
 
-  etc = pkgs.stdenv.mkDerivation {
+  etc = pkgs.stdenvNoCC.mkDerivation {
     name = "etc";
 
     builder = ./make-etc.sh;

nixos/modules/tasks/filesystems.nix

@@ -20,7 +20,7 @@ let
 
   specialFSTypes = [ "proc" "sysfs" "tmpfs" "devtmpfs" "devpts" ];
 
-  fileSystemOpts = { name, config, ... }: {
+  coreFileSystemOpts = { name, config, ... }: {
 
     options = {
 
@@ -37,13 +37,6 @@ let
         description = "Location of the device.";
       };
 
-      label = mkOption {
-        default = null;
-        example = "root-partition";
-        type = types.nullOr types.str;
-        description = "Label of the device (if any).";
-      };
-
       fsType = mkOption {
         default = "auto";
         example = "ext3";
@@ -55,12 +48,28 @@ let
         default = [ "defaults" ];
         example = [ "data=journal" ];
         description = "Options used to mount the file system.";
-      } // (if versionAtLeast lib.nixpkgsVersion "16.09" then {
         type = types.listOf types.str;
-      } else {
-        type = types.either types.commas (types.listOf types.str);
-        apply = x: if isList x then x else lib.strings.splitString "," (builtins.trace "warning: passing a comma-separated string for filesystem options is deprecated; use a list of strings instead. This will become a hard error in 16.09." x);
-      });
+      };
+
+    };
+
+    config = {
+      mountPoint = mkDefault name;
+      device = mkIf (elem config.fsType specialFSTypes) (mkDefault config.fsType);
+    };
+
+  };
+
+  fileSystemOpts = { config, ... }: {
+
+    options = {
+
+      label = mkOption {
+        default = null;
+        example = "root-partition";
+        type = types.nullOr types.str;
+        description = "Label of the device (if any).";
+      };
 
       autoFormat = mkOption {
         default = false;
@@ -99,22 +108,9 @@ let
         description = "Disable running fsck on this filesystem.";
       };
 
-      early = mkOption {
-        default = false;
-        type = types.bool;
-        internal = true;
-        description = ''
-	  Mount this filesystem very early during boot. At the moment of
-	  mounting no disks are exposed, so this option is primarily for
-          special file systems.
-        '';
-      };
-
     };
 
     config = {
-      mountPoint = mkDefault name;
-      device = mkIf (elem config.fsType specialFSTypes) (mkDefault config.fsType);
       options = mkIf config.autoResize [ "x-nixos.autoresize" ];
 
       # -F needed to allow bare block device without partitions
@@ -151,7 +147,7 @@ in
           "/bigdisk".label = "bigdisk";
         }
       '';
-      type = types.loaOf (types.submodule fileSystemOpts);
+      type = types.loaOf (types.submodule [coreFileSystemOpts fileSystemOpts]);
       description = ''
         The file systems to be mounted.  It must include an entry for
         the root directory (<literal>mountPoint = "/"</literal>).  Each
@@ -183,6 +179,15 @@ in
       description = "Names of supported filesystem types.";
     };
 
+    boot.specialFileSystems = mkOption {
+      default = {};
+      type = types.loaOf (types.submodule coreFileSystemOpts);
+      internal = true;
+      description = ''
+        Special filesystems that are mounted very early during boot.
+      '';
+    };
+
   };
 
 
@@ -196,14 +201,11 @@ in
       { assertion = ! (fileSystems' ? "cycle");
         message = "The ‘fileSystems’ option can't be topologically sorted: mountpoint dependency path ${ls " -> " fileSystems'.cycle} loops to ${ls ", " fileSystems'.loops}";
       }
-      { assertion = all (x: !x.early || (x.label == null && !x.autoFormat && !x.autoResize)) fileSystems;
-        message = "Early filesystems don't support mounting by label, auto formatting and resizing";
-      }
     ];
 
     # Export for use in other modules
     system.build.fileSystems = fileSystems;
-    system.build.earlyMountScript = makeSpecialMounts (filter (fs: fs.early) fileSystems);
+    system.build.earlyMountScript = makeSpecialMounts (toposort fsBefore (attrValues config.boot.specialFileSystems)).result;
 
     boot.supportedFilesystems = map (fs: fs.fsType) fileSystems;
 
@@ -234,7 +236,7 @@ in
             + " " + (if skipCheck fs then "0" else
                      if fs.mountPoint == "/" then "1" else "2")
             + "\n"
-        ) (filter (fs: !fs.early) fileSystems)}
+        ) fileSystems}
 
         # Swap devices.
         ${flip concatMapStrings config.swapDevices (sw:
@@ -256,7 +258,7 @@ in
           let
             mountPoint' = "${escapeSystemdPath fs.mountPoint}.mount";
             device'  = escapeSystemdPath fs.device;
-            device'' = "${device}.device";
+            device'' = "${device'}.device";
           in nameValuePair "mkfs-${device'}"
           { description = "Initialisation of Filesystem ${fs.device}";
             wantedBy = [ mountPoint' ];
@@ -282,13 +284,17 @@ in
       in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems));
 
     # Sync mount options with systemd's src/core/mount-setup.c: mount_table.
-    fileSystems = mapAttrs (n: fs: fs // { early = true; }) {
+    boot.specialFileSystems = {
       "/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; };
-      "/sys" = { fsType = "sysfs"; options = [ "nosuid" "noexec" "nodev" ]; };
-      "/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
+      "/run" = { fsType = "tmpfs"; options = [ "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
       "/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
       "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
       "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };
+    } // optionalAttrs (!config.boot.isContainer) {
+      # systemd-nspawn populates /sys by itself, and remounting it causes all
+      # kinds of weird issues (most noticeably, waiting for host disk device
+      # nodes).
+      "/sys" = { fsType = "sysfs"; options = [ "nosuid" "noexec" "nodev" ]; };
     };
 
   };

nixos/modules/tasks/filesystems/nfs.nix

@@ -38,15 +38,17 @@ in
         default = null;
         example = 4000;
         description = ''
-          Use fixed port for rpc.statd, useful if NFS server is behind firewall.
+          Use a fixed port for <command>rpc.statd</command>. This is
+          useful if the NFS server is behind a firewall.
         '';
       };
       lockdPort = mkOption {
         default = null;
         example = 4001;
         description = ''
-          Use fixed port for NFS lock manager kernel module (lockd/nlockmgr),
-          useful if NFS server is behind firewall.
+          Use a fixed port for the NFS lock manager kernel module
+          (<literal>lockd/nlockmgr</literal>).  This is useful if the
+          NFS server is behind a firewall.
         '';
       };
     };
@@ -68,13 +70,16 @@ in
 
     boot.initrd.kernelModules = mkIf inInitrd [ "nfs" ];
 
+    # FIXME: should use upstream units from nfs-utils.
+
     systemd.services.statd =
       { description = "NFSv3 Network Status Monitor";
 
         path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
 
-        wantedBy = [ "remote-fs-pre.target" ];
+        wants = [ "remote-fs-pre.target" ];
         before = [ "remote-fs-pre.target" ];
+        wantedBy = [ "remote-fs.target" ];
         requires = [ "basic.target" "rpcbind.service" ];
         after = [ "basic.target" "rpcbind.service" ];
 
@@ -100,8 +105,9 @@ in
 
         path = [ pkgs.sysvtools pkgs.utillinux ];
 
-        wantedBy = [ "remote-fs-pre.target" ];
+        wants = [ "remote-fs-pre.target" ];
         before = [ "remote-fs-pre.target" ];
+        wantedBy = [ "remote-fs.target" ];
         requires = [ "rpcbind.service" ];
         after = [ "rpcbind.service" ];
 

nixos/modules/tasks/network-interfaces.nix

@@ -391,7 +391,7 @@ in
     };
 
     networking.localCommands = mkOption {
-      type = types.str;
+      type = types.lines;
       default = "";
       example = "text=anything; echo You can put $text here.";
       description = ''

nixos/modules/virtualisation/brightbox-image.nix

@@ -20,7 +20,7 @@ in
 
           postVM =
             ''
-              PATH=$PATH:${stdenv.lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]}
+              PATH=$PATH:${lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]}
               pushd $out
               ${pkgs.qemu_kvm}/bin/qemu-img convert -c -O qcow2 $diskImageBase nixos.qcow2
               rm $diskImageBase

nixos/modules/virtualisation/containers.nix

@@ -12,21 +12,21 @@ let
         ''
         echo "Bringing ${name} up"
         ip link set dev ${name} up
-        ${optionalString (cfg . "localAddress" or null != null) ''
+        ${optionalString (cfg.localAddress != null) ''
           echo "Setting ip for ${name}"
-          ip addr add ${cfg . "localAddress"} dev ${name}
+          ip addr add ${cfg.localAddress} dev ${name}
         ''}
-        ${optionalString (cfg . "localAddress6" or null != null) ''
+        ${optionalString (cfg.localAddress6 != null) ''
           echo "Setting ip6 for ${name}"
-          ip -6 addr add ${cfg . "localAddress6"} dev ${name}
+          ip -6 addr add ${cfg.localAddress6} dev ${name}
         ''}
-        ${optionalString (cfg . "hostAddress" or null != null) ''
+        ${optionalString (cfg.hostAddress != null) ''
           echo "Setting route to host for ${name}"
-          ip route add ${cfg . "hostAddress"} dev ${name}
+          ip route add ${cfg.hostAddress} dev ${name}
         ''}
-        ${optionalString (cfg . "hostAddress6" or null != null) ''
+        ${optionalString (cfg.hostAddress6 != null) ''
           echo "Setting route6 to host for ${name}"
-          ip -6 route add ${cfg . "hostAddress6"} dev ${name}
+          ip -6 route add ${cfg.hostAddress6} dev ${name}
         ''}
         ''
         );
@@ -56,9 +56,7 @@ let
             ip -6 route add default via $HOST_ADDRESS6
           fi
 
-          ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg . "extraVeths" or {})}
-          ip a
-          ip r
+          ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)}
         fi
 
         # Start the regular stage 1 script.
@@ -67,7 +65,8 @@ let
     );
 
   nspawnExtraVethArgs = (name: cfg: "--network-veth-extra=${name}");
-  startScript = (cfg:
+
+  startScript = cfg:
     ''
       mkdir -p -m 0755 "$root/etc" "$root/var/lib"
       mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers
@@ -92,11 +91,7 @@ let
         fi
       fi
 
-      ${if cfg . "extraVeths" or null != null then
-        ''extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg . "extraVeths" or {})}"''
-        else
-          ''# No extra veth pairs to create''
-      }
+      extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}"
 
       for iface in $INTERFACES; do
         extraFlags+=" --network-interface=$iface"
@@ -135,10 +130,9 @@ let
         --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
         --setenv PATH="$PATH" \
         ${containerInit cfg} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init"
-    ''
-    );
+    '';
 
-  preStartScript = (cfg:
+  preStartScript = cfg:
     ''
       # Clean up existing machined registration and interfaces.
       machinectl terminate "$INSTANCE" 2> /dev/null || true
@@ -151,45 +145,43 @@ let
       ${concatStringsSep "\n" (
         mapAttrsToList (name: cfg:
           ''ip link del dev ${name} 2> /dev/null || true ''
-        ) cfg . "extraVeths" or {}
+        ) cfg.extraVeths
       )}
-   ''
-    );
+   '';
+
   postStartScript = (cfg:
     let
-      ipcall = (cfg: ipcmd: variable: attribute:
-        if cfg . attribute or null == null then
+      ipcall = cfg: ipcmd: variable: attribute:
+        if cfg.${attribute} == null then
           ''
             if [ -n "${variable}" ]; then
               ${ipcmd} add ${variable} dev $ifaceHost
             fi
           ''
         else
-          ''${ipcmd} add ${cfg . attribute} dev $ifaceHost''
-        );
-      renderExtraVeth = (name: cfg:
-        if cfg . "hostBridge" or null != null then
+          ''${ipcmd} add ${cfg.${attribute}} dev $ifaceHost'';
+      renderExtraVeth = name: cfg:
+        if cfg.hostBridge != null then
           ''
             # Add ${name} to bridge ${cfg.hostBridge}
             ip link set dev ${name} master ${cfg.hostBridge} up
           ''
         else
           ''
-          # Set IPs and routes for ${name}
-          ${optionalString (cfg . "hostAddress" or null != null) ''
-            ip addr add ${cfg . "hostAddress"} dev ${name}
-          ''}
-          ${optionalString (cfg . "hostAddress6" or null != null) ''
-            ip -6 addr add ${cfg . "hostAddress6"} dev ${name}
-          ''}
-          ${optionalString (cfg . "localAddress" or null != null) ''
-            ip route add ${cfg . "localAddress"} dev ${name}
-          ''}
-          ${optionalString (cfg . "localAddress6" or null != null) ''
-            ip -6 route add ${cfg . "localAddress6"} dev ${name}
-          ''}
-          ''
-        );
+            # Set IPs and routes for ${name}
+            ${optionalString (cfg.hostAddress != null) ''
+              ip addr add ${cfg.hostAddress} dev ${name}
+            ''}
+            ${optionalString (cfg.hostAddress6 != null) ''
+              ip -6 addr add ${cfg.hostAddress6} dev ${name}
+            ''}
+            ${optionalString (cfg.localAddress != null) ''
+              ip route add ${cfg.localAddress} dev ${name}
+            ''}
+            ${optionalString (cfg.localAddress6 != null) ''
+              ip -6 route add ${cfg.localAddress6} dev ${name}
+            ''}
+          '';
     in
       ''
         if [ "$PRIVATE_NETWORK" = 1 ]; then
@@ -202,7 +194,7 @@ let
             ${ipcall cfg "ip route" "$LOCAL_ADDRESS" "localAddress"}
             ${ipcall cfg "ip -6 route" "$LOCAL_ADDRESS6" "localAddress6"}
           fi
-          ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg . "extraVeths" or {})}
+          ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)}
         fi
 
         # Get the leader PID so that we can signal it in
@@ -307,6 +299,15 @@ let
 
   };
 
+  dummyConfig =
+    {
+      extraVeths = {};
+      hostAddress = null;
+      hostAddress6 = null;
+      localAddress = null;
+      localAddress6 = null;
+    };
+
 in
 
 {
@@ -451,7 +452,7 @@ in
         containers.  Each container appears as a service
         <literal>container-<replaceable>name</replaceable></literal>
         on the host system, allowing it to be started and stopped via
-        <command>systemctl</command> .
+        <command>systemctl</command>.
       '';
     };
 
@@ -470,11 +471,11 @@ in
       environment.INSTANCE = "%i";
       environment.root = "/var/lib/containers/%i";
 
-      preStart = preStartScript {};
+      preStart = preStartScript dummyConfig;
 
-      script = startScript {};
+      script = startScript dummyConfig;
 
-      postStart = postStartScript {};
+      postStart = postStartScript dummyConfig;
 
       preStop =
         ''

nixos/modules/virtualisation/docker.nix

@@ -40,13 +40,25 @@ in
       };
     storageDriver =
       mkOption {
-        type = types.enum ["aufs" "btrfs" "devicemapper" "overlay" "zfs"];
-        default = "devicemapper";
+        type = types.nullOr (types.enum ["aufs" "btrfs" "devicemapper" "overlay" "overlay2" "zfs"]);
+        default = null;
         description =
           ''
-            This option determines which Docker storage driver to use.
+            This option determines which Docker storage driver to use. By default
+            it let's docker automatically choose preferred storage driver.
           '';
       };
+
+    logDriver =
+      mkOption {
+        type = types.enum ["none" "json-file" "syslog" "journald" "gelf" "fluentd" "awslogs" "splunk" "etwlogs" "gcplogs"];
+        default = "journald";
+        description =
+          ''
+            This option determines which Docker log driver to use.
+          '';
+      };
+
     extraOptions =
       mkOption {
         type = types.separatedString " ";
@@ -88,7 +100,12 @@ in
         after = [ "network.target" ] ++ (optional cfg.socketActivation "docker.socket") ;
         requires = optional cfg.socketActivation "docker.socket";
         serviceConfig = {
-          ExecStart = "${pkgs.docker}/bin/docker daemon --group=docker --storage-driver=${cfg.storageDriver} ${optionalString cfg.socketActivation "--host=fd://"} ${cfg.extraOptions}";
+          ExecStart = ''${pkgs.docker}/bin/dockerd \
+            --group=docker --log-driver=${cfg.logDriver} \
+            ${optionalString (cfg.storageDriver != null) "--storage-driver=${cfg.storageDriver}"} \
+            ${optionalString cfg.socketActivation "--host=fd://"} \
+            ${cfg.extraOptions}
+          '';
           #  I'm not sure if that limits aren't too high, but it's what
           #  goes in config bundled with docker itself
           LimitNOFILE = 1048576;

nixos/modules/virtualisation/virtualbox-host.nix

@@ -4,8 +4,13 @@ with lib;
 
 let
   cfg = config.virtualisation.virtualbox.host;
-  virtualbox = config.boot.kernelPackages.virtualbox.override {
-    inherit (cfg) enableHardening;
+
+  virtualbox = pkgs.virtualbox.override {
+    inherit (cfg) enableHardening headless;
+  };
+
+  kernelModules = config.boot.kernelPackages.virtualbox.override {
+    inherit virtualbox;
   };
 
 in
@@ -47,11 +52,20 @@ in
         </para></important>
       '';
     };
+
+    headless = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers
+        and when virtual machines are controlled only via SSH.
+      '';
+    };
   };
 
   config = mkIf cfg.enable (mkMerge [{
     boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
-    boot.extraModulePackages = [ virtualbox ];
+    boot.extraModulePackages = [ kernelModules ];
     environment.systemPackages = [ virtualbox ];
 
     security.setuidOwners = let

nixos/modules/virtualisation/virtualbox-image.nix

@@ -34,7 +34,7 @@ in {
       postVM =
         ''
           export HOME=$PWD
-          export PATH=${pkgs.linuxPackages.virtualbox}/bin:$PATH
+          export PATH=${pkgs.virtualbox}/bin:$PATH
 
           echo "creating VirtualBox pass-through disk wrapper (no copying invovled)..."
           VBoxManage internalcommands createrawvmdk -filename disk.vmdk -rawdisk $diskImage

nixos/release-combined.nix

@@ -73,6 +73,7 @@ in rec {
         (all nixos.tests.ipv6)
         (all nixos.tests.i3wm)
         (all nixos.tests.kde4)
+        (all nixos.tests.kde5)
         #(all nixos.tests.lightdm)
         (all nixos.tests.login)
         (all nixos.tests.misc)
@@ -88,6 +89,7 @@ in rec {
         (all nixos.tests.networking.scripted.sit)
         (all nixos.tests.networking.scripted.vlan)
         (all nixos.tests.nfs3)
+        (all nixos.tests.nfs4)
         (all nixos.tests.openssh)
         (all nixos.tests.printing)
         (all nixos.tests.proxy)

nixos/release.nix

@@ -9,7 +9,7 @@ let
 
   version = fileContents ../.version;
   versionSuffix =
-    (if stableBranch then "." else "pre") + "${toString nixpkgs.revCount}.${nixpkgs.shortRev}";
+    (if stableBranch then "." else "beta") + "${toString (nixpkgs.revCount - 90538)}.${nixpkgs.shortRev}";
 
   forAllSystems = genAttrs supportedSystems;
 
@@ -228,12 +228,12 @@ in rec {
   tests.containers-imperative = callTest tests/containers-imperative.nix {};
   tests.containers-extra_veth = callTest tests/containers-extra_veth.nix {};
   tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; });
-  tests.dockerRegistry = hydraJob (import tests/docker-registry.nix { system = "x86_64-linux"; });
   tests.dnscrypt-proxy = callTest tests/dnscrypt-proxy.nix { system = "x86_64-linux"; };
   tests.ecryptfs = callTest tests/ecryptfs.nix {};
   tests.etcd = hydraJob (import tests/etcd.nix { system = "x86_64-linux"; });
   tests.ec2-nixops = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-nixops;
   tests.ec2-config = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-config;
+  tests.ferm = callTest tests/ferm.nix {};
   tests.firefox = callTest tests/firefox.nix {};
   tests.firewall = callTest tests/firewall.nix {};
   tests.fleet = hydraJob (import tests/fleet.nix { system = "x86_64-linux"; });
@@ -250,6 +250,7 @@ in rec {
   tests.ipv6 = callTest tests/ipv6.nix {};
   tests.jenkins = callTest tests/jenkins.nix {};
   tests.kde4 = callTest tests/kde4.nix {};
+  tests.kde5 = callTest tests/kde5.nix {};
   tests.keymap = callSubTests tests/keymap.nix {};
   tests.initrdNetwork = callTest tests/initrd-network.nix {};
   tests.kubernetes = hydraJob (import tests/kubernetes.nix { system = "x86_64-linux"; });
@@ -259,6 +260,7 @@ in rec {
   #tests.logstash = callTest tests/logstash.nix {};
   tests.mathics = callTest tests/mathics.nix {};
   tests.misc = callTest tests/misc.nix {};
+  tests.mongodb = callTest tests/mongodb.nix {};
   tests.mumble = callTest tests/mumble.nix {};
   tests.munin = callTest tests/munin.nix {};
   tests.mysql = callTest tests/mysql.nix {};
@@ -273,7 +275,7 @@ in rec {
   tests.nfs4 = callTest tests/nfs.nix { version = 4; };
   tests.nsd = callTest tests/nsd.nix {};
   tests.openssh = callTest tests/openssh.nix {};
-  tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; });
+  #tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; });
   tests.peerflix = callTest tests/peerflix.nix {};
   tests.postgresql = callTest tests/postgresql.nix {};
   tests.printing = callTest tests/printing.nix {};
@@ -281,8 +283,8 @@ in rec {
   tests.pumpio = callTest tests/pump.io.nix {};
   tests.quake3 = callTest tests/quake3.nix {};
   tests.runInMachine = callTest tests/run-in-machine.nix {};
+  tests.samba = callTest tests/samba.nix {};
   tests.sddm = callTest tests/sddm.nix {};
-  tests.sddm-kde5 = callTest tests/sddm-kde5.nix {};
   tests.simple = callTest tests/simple.nix {};
   tests.smokeping = callTest tests/smokeping.nix {};
   tests.taskserver = callTest tests/taskserver.nix {};

nixos/tests/avahi.nix

@@ -28,6 +28,8 @@ import ./make-test.nix ({ pkgs, ... } : {
        # mDNS.
        $one->waitForUnit("network.target");
        $two->waitForUnit("network.target");
+       $one->waitForUnit("avahi-daemon.service");
+       $two->waitForUnit("avahi-daemon.service");
 
        $one->succeed("avahi-resolve-host-name one.local | tee out >&2");
        $one->succeed("test \"`cut -f1 < out`\" = one.local");

nixos/tests/blivet.nix

@@ -69,6 +69,7 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.pythonPackages; rec {
     sed -i \
       -e '1i import tempfile' \
       -e 's|_STORE_FILE_PATH = .*|_STORE_FILE_PATH = tempfile.gettempdir()|' \
+      -e 's|DEFAULT_STORE_SIZE = .*|DEFAULT_STORE_SIZE = 409600|' \
       tests/loopbackedtestcase.py
 
     PYTHONPATH=".:$(< "${pkgs.stdenv.mkDerivation {

nixos/tests/cadvisor.nix

@@ -13,10 +13,6 @@ import ./make-test.nix ({ pkgs, ... } : {
       services.cadvisor.enable = true;
       services.cadvisor.storageDriver = "influxdb";
       services.influxdb.enable = true;
-      systemd.services.influxdb.postStart = mkAfter ''
-        ${pkgs.curl.bin}/bin/curl -X POST 'http://localhost:8086/db?u=root&p=root' \
-          -d '{"name": "root"}'
-      '';
     };
   };
 
@@ -27,6 +23,12 @@ import ./make-test.nix ({ pkgs, ... } : {
       $machine->succeed("curl http://localhost:8080/containers/");
 
       $influxdb->waitForUnit("influxdb.service");
+
+      # create influxdb database
+      $influxdb->succeed(q~
+        curl -XPOST http://localhost:8086/query --data-urlencode "q=CREATE DATABASE root"
+      ~);
+
       $influxdb->waitForUnit("cadvisor.service");
       $influxdb->succeed("curl http://localhost:8080/containers/");
     '';

nixos/tests/docker-registry.nix

@@ -1,43 +0,0 @@
-# This test runs docker-registry and check if it works
-
-import ./make-test.nix ({ pkgs, ...} : {
-  name = "docker-registry";
-  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ offline ];
-  };
-
-  nodes = {
-    registry = { config, pkgs, ... }: {
-      services.dockerRegistry.enable = true;
-      services.dockerRegistry.port = 8080;
-      services.dockerRegistry.host = "0.0.0.0";
-      networking.firewall.allowedTCPPorts = [ 8080 ];
-    };
-
-    client1 = { config, pkgs, ...}: {
-      virtualisation.docker.enable = true;
-      virtualisation.docker.extraOptions = "--insecure-registry registry:8080";
-    };
-
-    client2 = { config, pkgs, ...}: {
-      virtualisation.docker.enable = true;
-      virtualisation.docker.extraOptions = "--insecure-registry registry:8080";
-    };
-  };
-
-  testScript = ''
-    $client1->start();
-    $client1->waitForUnit("docker.service");
-    $client1->succeed("tar cv --files-from /dev/null | docker import - scratch");
-    $client1->succeed("docker tag scratch registry:8080/scratch");
-
-    $registry->start();
-    $registry->waitForUnit("docker-registry.service");
-    $client1->succeed("docker push registry:8080/scratch");
-
-    $client2->start();
-    $client2->waitForUnit("docker.service");
-    $client2->succeed("docker pull registry:8080/scratch");
-    $client2->succeed("docker images | grep scratch");
-  '';
-})

nixos/tests/docker.nix

@@ -11,9 +11,6 @@ import ./make-test.nix ({ pkgs, ...} : {
       { config, pkgs, ... }:
         {
           virtualisation.docker.enable = true;
-          # FIXME: The default "devicemapper" storageDriver fails in NixOS VM
-          # tests.
-          virtualisation.docker.storageDriver = "overlay";
         };
     };
 

nixos/tests/ferm.nix

@@ -0,0 +1,72 @@
+
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "ferm";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ mic92 ];
+  };
+
+  nodes =
+    { client =
+        { config, pkgs, ... }:
+        with pkgs.lib;
+        {
+          networking = {
+            interfaces.eth1.ip6 = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
+            interfaces.eth1.ip4 = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
+          };
+      };
+      server =
+        { config, pkgs, ... }:
+        with pkgs.lib;
+        {
+          networking = {
+            interfaces.eth1.ip6 = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
+            interfaces.eth1.ip4 = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
+          };
+
+          services = {
+            ferm.enable = true;
+            ferm.config = ''
+              domain (ip ip6) table filter chain INPUT {
+                interface lo ACCEPT;
+                proto tcp dport 8080 REJECT reject-with tcp-reset;
+              }
+            '';
+            nginx.enable = true;
+            nginx.httpConfig = ''
+              server {
+                listen 80;
+                listen [::]:80;
+                listen 8080;
+                listen [::]:8080;
+
+                location /status { stub_status on; }
+              }
+            '';
+          };
+        };
+    };
+
+  testScript =
+    ''
+      startAll;
+
+      $client->waitForUnit("network.target");
+      $server->waitForUnit("ferm.service");
+      $server->waitForUnit("nginx.service");
+      $server->waitUntilSucceeds("ss -ntl | grep -q 80");
+
+      subtest "port 80 is allowed", sub {
+          $client->succeed("curl --fail -g http://192.168.1.1:80/status");
+          $client->succeed("curl --fail -g http://[fd00::1]:80/status");
+      };
+
+      subtest "port 8080 is not allowed", sub {
+          $server->succeed("curl --fail -g http://192.168.1.1:8080/status");
+          $server->succeed("curl --fail -g http://[fd00::1]:8080/status");
+
+          $client->fail("curl --fail -g http://192.168.1.1:8080/status");
+          $client->fail("curl --fail -g http://[fd00::1]:8080/status");
+      };
+    '';
+})

nixos/tests/influxdb.nix

@@ -17,23 +17,17 @@ import ./make-test.nix ({ pkgs, ...} : {
   
     $one->waitForUnit("influxdb.service");
 
-    # Check if admin interface is avalible
-    $one->waitUntilSucceeds("curl -f 127.0.0.1:8083");
-
     # create database
     $one->succeed(q~
-      curl -X POST 'http://localhost:8086/db?u=root&p=root' \
-        -d '{"name": "test"}'
+      curl -XPOST http://localhost:8086/query --data-urlencode "q=CREATE DATABASE test"
     ~);
 
     # write some points and run simple query
     $one->succeed(q~
-      curl -X POST 'http://localhost:8086/db/test/series?u=root&p=root' \
-        -d '[{"name":"foo","columns":["val"],"points":[[6666]]}]'
+      curl -XPOST 'http://localhost:8086/write?db=test' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'
     ~);
     $one->succeed(q~
-      curl -G 'http://localhost:8086/db/test/series?u=root&p=root' \
-        --data-urlencode 'q=select * from foo limit 1' | grep 6666
+      curl -GET 'http://localhost:8086/query' --data-urlencode "db=test" --data-urlencode "q=SELECT \"value\" FROM \"cpu_load_short\" WHERE \"region\"='us-west'"  | grep "0\.64"
     ~);
   '';
 })

nixos/tests/kde5.nix

@@ -1,7 +1,7 @@
 import ./make-test.nix ({ pkgs, ...} :
 
 {
-  name = "sddm";
+  name = "kde5";
   meta = with pkgs.stdenv.lib.maintainers; {
     maintainers = [ ttuegel ];
   };
@@ -24,29 +24,26 @@ import ./make-test.nix ({ pkgs, ...} :
 
   testScript = { nodes, ... }:
   let xdo = "${pkgs.xdotool}/bin/xdotool"; in
-   ''     
-    sub krunner {
-      my ($win,) = @_;
-      $machine->execute("${xdo} key Alt+F2 sleep 1 type $win");
-      $machine->execute("${xdo} search --sync --onlyvisible --class krunner sleep 5 key Return");
-    }
+   ''
+    startAll;
+
+    $machine->waitForFile("/home/alice/.Xauthority");
+    $machine->succeed("xauth merge ~alice/.Xauthority");
 
     $machine->waitUntilSucceeds("pgrep plasmashell");
-    $machine->succeed("xauth merge ~alice/.Xauthority");    
-    $machine->waitForWindow(qr/Desktop.*/);
+    $machine->waitForWindow("^Desktop ");
 
     # Check that logging in has given the user ownership of devices.
     $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
-    
-    krunner("dolphin");
-    $machine->waitForWindow(qr/.*Dolphin/);
-    
-    krunner("konsole");
-    $machine->waitForWindow(qr/.*Konsole/);
-    
-    krunner("systemsettings5");
-    $machine->waitForWindow(qr/.*Settings/);
-    $machine->sleep(20);
+
+    $machine->execute("su - alice -c 'DISPLAY=:0.0 dolphin &'");
+    $machine->waitForWindow(" Dolphin");
+
+    $machine->execute("su - alice -c 'DISPLAY=:0.0 konsole &'");
+    $machine->waitForWindow("Konsole");
+
+    $machine->execute("su - alice -c 'DISPLAY=:0.0 systemsettings5 &'");
+    $machine->waitForWindow("Settings");
 
     $machine->execute("${xdo} key Alt+F1 sleep 10");
     $machine->screenshot("screen");

nixos/tests/mongodb.nix

@@ -0,0 +1,34 @@
+# This test start mongodb, runs a query using mongo shell
+
+import ./make-test.nix ({ pkgs, ...} : let
+  testQuery = pkgs.writeScript "nixtest.js" ''
+    db.greetings.insert({ "greeting": "hello" });
+    print(db.greetings.findOne().greeting);
+  '';
+in {
+  name = "mongodb";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ bluescreen303 offline wkennington cstrahan rvl ];
+  };
+
+  nodes = {
+    one =
+      { config, pkgs, ... }:
+        {
+          services = {
+           mongodb.enable = true;
+           mongodb.extraConfig = ''
+             # Allow starting engine with only a small virtual disk
+             storage.journal.enabled: false
+             storage.mmapv1.smallFiles: true
+           '';
+          };
+        };
+    };
+
+  testScript = ''
+    startAll;
+    $one->waitForUnit("mongodb.service");
+    $one->succeed("mongo nixtest ${testQuery}") =~ /hello/ or die;
+  '';
+})

nixos/tests/mumble.nix

@@ -33,23 +33,69 @@ in
     $client1->execute("mumble mumble://client1\@server/test &");
     $client2->execute("mumble mumble://client2\@server/test &");
 
-    # cancel client audio configuration
-    $client1->waitForWindow(qr/Audio Tuning Wizard/);
-    $client2->waitForWindow(qr/Audio Tuning Wizard/);
-    $client1->sendKeys("esc");
-    $client2->sendKeys("esc");
+    sub retry {
+        my ($coderef) = @_;
+        my $n;
+        for ($n = 0; $n < 900; $n++) {
+            return if &$coderef;
+            sleep 1;
+        }
+        die "action timed out after $n seconds";
+    }
 
-    # cancel client cert configuration
-    $client1->waitForWindow(qr/Certificate Management/);
-    $client2->waitForWindow(qr/Certificate Management/);
-    $client1->sendKeys("esc");
-    $client2->sendKeys("esc");
+    my @clients = ($client1, $client2);
+    foreach my $cl (@clients) {
+        # cancel client audio configuration
+        my $audiore = qr/Audio Tuning Wizard/;
+        $cl->waitForWindow($audiore);
+        $cl->sleep(5);
+        $cl->nest("Cancel Audio Tuning Wizard", sub {
+          my $c = 0;
+          retry(sub {
+            return 1 if !$cl->hasWindow($audiore);
+            if ($c % 2 > 0) {
+              $cl->sendKeys("alt-tab");
+              $cl->sleep(5);
+            }
+            $cl->sendKeys("esc");
+            $c++;
+          });
+        });
 
-    # accept server certificate
-    $client1->waitForWindow(qr/^Mumble$/);
-    $client2->waitForWindow(qr/^Mumble$/);
-    $client1->sendChars("y");
-    $client2->sendChars("y");
+        # cancel client cert configuration
+        my $certre = qr/Certificate Management/;
+        $cl->waitForWindow($certre);
+        $cl->sleep(5);
+        $cl->nest("Cancel Certificate Management", sub {
+          my $c = 0;
+          retry(sub {
+            return 1 if !$cl->hasWindow($certre);
+            if ($c % 2 > 0) {
+              $cl->sendKeys("alt-tab");
+              $cl->sleep(5);
+            }
+            $cl->sendKeys("esc");
+            $c++;
+          });
+        });
+
+        # accept server certificate
+        my $acceptre = qr/^Mumble$/;
+        $cl->waitForWindow($acceptre);
+        $cl->sleep(5);
+        $cl->nest("Accept Server Certificate", sub {
+          my $c = 0;
+          retry(sub {
+            return 1 if !$cl->hasWindow($acceptre);
+            if ($c % 2 > 0) {
+              $cl->sendKeys("alt-tab");
+              $cl->sleep(5);
+            }
+            $cl->sendChars("y");
+            $c++;
+          });
+        });
+    }
 
     # Find clients in logs
     $server->waitUntilSucceeds("grep -q 'client1' /var/log/murmur/murmurd.log");

nixos/tests/postgis.nix

@@ -0,0 +1,30 @@
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "postgis";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ lsix ];
+  };
+
+  nodes = {
+    master =
+      { pkgs, config, ... }:
+
+      {
+        services.postgresql = let mypg = pkgs.postgresql95; in {
+            enable = true;
+            package = mypg;
+            extraPlugins = [ (pkgs.postgis.override { postgresql = mypg; }).v_2_2_1 ];
+            initialScript =  pkgs.writeText "postgresql-init.sql"
+          ''
+          CREATE ROLE postgres WITH superuser login createdb;
+          '';
+          };
+      };
+  };
+
+  testScript = ''
+    startAll;
+    $master->waitForUnit("postgresql");
+    $master->sleep(10); # Hopefully this is long enough!!
+    $master->succeed("sudo -u postgres psql -c 'CREATE EXTENSION postgis;'");
+  '';
+})

nixos/tests/pump.io.nix

@@ -77,11 +77,11 @@ in {
            }; };
            mongodb.enable = true;
            mongodb.extraConfig = ''
-             nojournal = true
+             storage.journal.enabled: false
            '';
           };
           systemd.services.mongodb.unitConfig.Before = "pump.io.service";
-          systemd.services.mongodb.unitConfig.RequiredBy = "pump.io.service";
+          systemd.services."pump.io".unitConfig.Requires = "mongodb.service";
         };
     };
 

nixos/tests/samba.nix

@@ -0,0 +1,48 @@
+import ./make-test.nix ({ pkgs, ... }:
+
+{
+  name = "samba";
+
+  meta.maintainers = [ pkgs.lib.maintainers.eelco ];
+
+  nodes =
+    { client =
+        { config, pkgs, ... }:
+        { fileSystems = pkgs.lib.mkVMOverride
+            { "/public" = {
+                fsType = "cifs";
+                device = "//server/public";
+                options = [ "guest" ];
+              };
+            };
+        };
+
+      server =
+        { config, pkgs, ... }:
+        { services.samba.enable = true;
+          services.samba.shares.public =
+            { path = "/public";
+              "read only" = true;
+              browseable = "yes";
+              "guest ok" = "yes";
+              comment = "Public samba share.";
+            };
+          networking.firewall.allowedTCPPorts = [ 139 445 ];
+          networking.firewall.allowedUDPPorts = [ 137 138 ];
+        };
+    };
+
+  # client# [    4.542997] mount[777]: sh: systemd-ask-password: command not found
+
+  testScript =
+    ''
+      $server->start;
+      $server->waitForUnit("samba-smbd");
+      $server->waitForUnit("samba-nmbd");
+      $server->succeed("mkdir -p /public; echo bar > /public/foo");
+
+      $client->start;
+      $client->waitForUnit("network.target");
+      $client->succeed("[[ \$(cat /public/foo) = bar ]]");
+    '';
+})

nixos/tests/tomcat.nix

@@ -23,9 +23,8 @@ import ./make-test.nix ({ pkgs, ...} : {
     startAll;
 
     $server->waitForUnit("tomcat");
-    $server->sleep(30); # Dirty, but it takes a while before Tomcat handles to requests properly
     $client->waitForUnit("network.target");
-    $client->succeed("curl --fail http://server/examples/servlets/servlet/HelloWorldExample");
-    $client->succeed("curl --fail http://server/examples/jsp/jsp2/simpletag/hello.jsp");
+    $client->waitUntilSucceeds("curl --fail http://server/examples/servlets/servlet/HelloWorldExample");
+    $client->waitUntilSucceeds("curl --fail http://server/examples/jsp/jsp2/simpletag/hello.jsp");
   '';
 })

nixos/tests/virtualbox.nix

@@ -144,6 +144,7 @@ let
       "--uart1 0x3F8 4"
       "--uartmode1 client /run/virtualbox-log-${name}.sock"
       "--memory 768"
+      "--audio none"
     ] ++ (attrs.vmFlags or []));
 
     controllerFlags = mkFlags [
@@ -273,9 +274,12 @@ let
 
       sub shutdownVM_${name} {
         $machine->succeed(ru "touch ${sharePath}/shutdown");
-        $machine->waitUntilSucceeds(
-          "test ! -e ${sharePath}/shutdown ".
-          "  -a ! -e ${sharePath}/boot-done"
+        $machine->execute(
+          'set -e; i=0; '.
+          'while test -e ${sharePath}/shutdown '.
+          '        -o -e ${sharePath}/boot-done; do '.
+          'sleep 1; i=$(($i + 1)); [ $i -le 3600 ]; '.
+          'done'
         );
         waitForShutdown_${name};
       }
@@ -314,6 +318,9 @@ let
 
     test2.vmFlags = hostonlyVMFlags;
     test2.vmScript = dhcpScript;
+
+    headless.virtualisation.virtualbox.headless = true;
+    headless.services.xserver.enable = false;
   };
 
   mkVBoxTest = name: testScript: makeTest {
@@ -383,6 +390,7 @@ in mapAttrs mkVBoxTest {
     $machine->sendKeys("ctrl-q");
     $machine->sleep(5);
     $machine->screenshot("gui_manager_stopped");
+    destroyVM_simple;
   '';
 
   simple-cli = ''
@@ -400,6 +408,16 @@ in mapAttrs mkVBoxTest {
     });
 
     shutdownVM_simple;
+    destroyVM_simple;
+  '';
+
+  headless = ''
+    createVM_headless;
+    $machine->succeed(ru("VBoxHeadless --startvm headless & disown %1"));
+    waitForStartup_headless;
+    waitForVMBoot_headless;
+    shutdownVM_headless;
+    destroyVM_headless;
   '';
 
   host-usb-permissions = ''

nixos/tests/wordpress.nix

@@ -0,0 +1,60 @@
+import ./make-test.nix ({ pkgs, ... }:
+
+{
+  name = "wordpress";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ grahamc ]; # under duress!
+  };
+
+  nodes =
+    { web =
+        { config, pkgs, ... }:
+        {
+          services.mysql.enable = true;
+          services.mysql.package = pkgs.mysql;
+          services.mysql.initialScript = pkgs.writeText "start.sql" ''
+            CREATE DATABASE wordpress;
+	    CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'wordpress';
+            GRANT ALL on wordpress.* TO 'wordpress'@'localhost';
+          '';
+
+          services.httpd = {
+            enable = true;
+            logPerVirtualHost = true;
+            adminAddr="js@lastlog.de";
+            extraModules = [
+              { name = "php7"; path = "${pkgs.php}/modules/libphp7.so"; }
+            ];
+
+            virtualHosts = [
+              {
+                hostName = "wordpress";
+                extraSubservices =
+                  [
+                    {
+                      serviceType = "wordpress";
+                      dbPassword = "wordpress";
+                      wordpressUploads = "/data/uploads";
+                      languages = [ "de_DE" "en_GB" ];
+                    }
+                  ];
+              }
+            ];
+          };
+        };
+    };
+
+  testScript =
+    { nodes, ... }:
+    ''
+      startAll;
+
+      $web->waitForUnit("mysql");
+      $web->waitForUnit("httpd");
+
+      $web->succeed("curl -L 127.0.0.1:80 | grep 'Welcome to the famous'");
+
+
+    '';
+
+})