unittest-cpp: init at 1.6.1

(cherry picked from commit 800a379cb3)
minisat: Fix build on Darwin
2026-01-13 03:22:53 +08:00 · 2017-03-22 14:45:15 +00:00 · 2016-12-09 19:58:56 +01:00 · 2016-12-09 16:09:59 +01:00 · 2016-12-09 16:09:53 +01:00 · 2016-06-20 18:50:34 +02:00
1165 changed files with 796603 additions and 25414 deletions
--- a/.version
+++ b/.version
@@ -1 +1 @@
-15.08
+15.09
--- a/README.md
+++ b/README.md
@@ -33,8 +33,10 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
 * [Continuous package builds for 14.12 release](https://hydra.nixos.org/jobset/nixos/release-14.12)
+* [Continuous package builds for 15.09 release](https://hydra.nixos.org/jobset/nixos/release-15.09)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
 * [Tests for 14.12 release](https://hydra.nixos.org/job/nixos/release-14.12/tested#tabs-constituents)
+* [Tests for 15.09 release](https://hydra.nixos.org/job/nixos/release-15.09/tested#tabs-constituents)

 Communication:

--- a/default.nix
+++ b/default.nix
@@ -1,6 +1,8 @@
-if ! builtins ? nixVersion || builtins.compareVersions "1.8" builtins.nixVersion == 1 then
+let requiredVersion = "1.8"; in

-  abort "This version of Nixpkgs requires Nix >= 1.8, please upgrade! See https://nixos.org/wiki/How_to_update_when_nix_is_too_old_to_evaluate_nixpkgs"
+if ! builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.nixVersion == 1 then
+
+  abort "This version of Nixpkgs requires Nix >= ${requiredVersion}, please upgrade! See https://nixos.org/wiki/How_to_update_when_Nix_is_too_old_to_evaluate_Nixpkgs"

 else

--- a/doc/functions.xml
+++ b/doc/functions.xml
@@ -236,6 +236,20 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
    <literal>runScript</literal> parameter, which is a command that would be
    executed inside the sandbox and passed all the command line arguments. It
    default to <literal>bash</literal>.
+  </para>
+  <para>
+    It also uses <literal>CHROOTENV_EXTRA_BINDS</literal> environment variable
+    for binding extra directories in the sandbox to outside places. The format of
+    the variable is <literal>/mnt=test-mnt:/data</literal>, where
+    <literal>/mnt</literal> would be mounted as <literal>/test-mnt</literal>
+    and <literal>/data</literal> would be mounted as <literal>/data</literal>.
+    <literal>extraBindMounts</literal> array argument to
+    <function>buildFHSUserEnv</function> function is prepended to this variable.
+    Latter entries take priority if defined several times -- i.e. in case of
+    <literal>/data=data1:/data=data2</literal> the actual bind path would be
+    <literal>/data2</literal>.
+  </para>
+  <para>
    One can create a simple environment using a <literal>shell.nix</literal>
    like that:
  </para>
@@ -248,7 +262,7 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
  targetPkgs = pkgs: (with pkgs;
    [ udev
      alsaLib
-    ]) ++ (with pkgs.xlibs;
+    ]) ++ (with pkgs.xorg;
    [ libX11
      libXcursor
      libXrandr
--- a/doc/haskell-users-guide.xml
+++ b/doc/haskell-users-guide.xml
@@ -11,14 +11,13 @@
    registered on
    <link xlink:href="http://hackage.haskell.org/">Hackage</link>, but
    strangely enough normal Nix package lookups don't seem to discover
-    any of them:
+    any of them, except for the default version of ghc, cabal-install, and stack:
  </para>
  <programlisting>
-$ nix-env -qa cabal-install
-error: selector ‘cabal-install’ matches no derivations
-
-$ nix-env -i ghc
-error: selector ‘ghc’ matches no derivations
+$ nix-env -i alex
+error: selector ‘alex’ matches no derivations
+$ nix-env -qa ghc
+ghc-7.10.2
 </programlisting>
  <para>
    The Haskell package set is not registered in the top-level namespace
@@ -95,7 +94,7 @@ $ nix-env -qaP coreutils
 nixos.coreutils  coreutils-8.23
 </programlisting>
  <para>
-    If your system responds like that (most NixOS installatios will),
+    If your system responds like that (most NixOS installations will),
    then the attribute path to <literal>haskellPackages</literal> is
    <literal>nixos.haskellPackages</literal>. Thus, if you want to
    use <literal>nix-env</literal> without giving an explicit
@@ -119,7 +118,7 @@ $ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A haskell.packages.ghc763
 </programlisting>
  <para>
    The name <literal>haskellPackages</literal> is really just a synonym
-    for <literal>haskell.packages.ghc7101</literal>, because we prefer
+    for <literal>haskell.packages.ghc7102</literal>, because we prefer
    that package set internally and recommend it to our users as their
    default choice, but ultimately you are free to compile your Haskell
    packages with any GHC version you please. The following command
@@ -134,7 +133,7 @@ haskell.compiler.ghc722         ghc-7.2.2
 haskell.compiler.ghc742         ghc-7.4.2
 haskell.compiler.ghc763         ghc-7.6.3
 haskell.compiler.ghc784         ghc-7.8.4
-haskell.compiler.ghc7101        ghc-7.10.1
+haskell.compiler.ghc7102        ghc-7.10.2
 haskell.compiler.ghcHEAD        ghc-7.11.20150402
 haskell.compiler.ghcNokinds     ghc-nokinds-7.11.20150704
 haskell.compiler.ghcjs          ghcjs-0.1.0
@@ -167,7 +166,7 @@ $ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.ghc haskellPackages
    <para>
      Instead of the default package set
      <literal>haskellPackages</literal>, you can also use the more
-      precise name <literal>haskell.compiler.ghc7101</literal>, which
+      precise name <literal>haskell.compiler.ghc7102</literal>, which
      has the advantage that it refers to the same GHC version
      regardless of what Nixpkgs considers &quot;default&quot; at any
      given time.
@@ -254,7 +253,7 @@ $ nix-shell -p haskell.compiler.ghc784 --command &quot;cabal configure&quot;
 $ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: [pkgs.mtl])&quot;

 [nix-shell:~]$ ghc-pkg list mtl
-/nix/store/zy79...-ghc-7.10.1/lib/ghc-7.10.1/package.conf.d:
+/nix/store/zy79...-ghc-7.10.2/lib/ghc-7.10.2/package.conf.d:
    mtl-2.2.1
 </programlisting>
    <para>
@@ -266,7 +265,7 @@ $ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: [pkgs.mtl])&quot;
 {
  packageOverrides = super: let self = super.pkgs; in
  {
-    myHaskellEnv = self.haskell.packages.ghc7101.ghcWithPackages
+    myHaskellEnv = self.haskell.packages.ghc7102.ghcWithPackages
                     (haskellPackages: with haskellPackages; [
                       # libraries
                       arrows async cgi criterion
@@ -281,7 +280,7 @@ $ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: [pkgs.mtl])&quot;
      <literal>nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA myHaskellEnv</literal>.
      If you'd like to switch that development environment to a
      different version of GHC, just replace the
-      <literal>ghc7101</literal> bit in the previous definition with the
+      <literal>ghc7102</literal> bit in the previous definition with the
      appropriate name. Of course, it's also possible to define any
      number of these development environments! (You can't install two
      of them into the same profile at the same time, though, because
@@ -296,11 +295,11 @@ $ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: [pkgs.mtl])&quot;
    <programlisting>
 $ cat $(type -p ghc)
 #! /nix/store/xlxj...-bash-4.3-p33/bin/bash -e
-export NIX_GHC=/nix/store/19sm...-ghc-7.10.1/bin/ghc
-export NIX_GHCPKG=/nix/store/19sm...-ghc-7.10.1/bin/ghc-pkg
-export NIX_GHC_DOCDIR=/nix/store/19sm...-ghc-7.10.1/share/doc/ghc/html
-export NIX_GHC_LIBDIR=/nix/store/19sm...-ghc-7.10.1/lib/ghc-7.10.1
-exec /nix/store/j50p...-ghc-7.10.1/bin/ghc &quot;-B$NIX_GHC_LIBDIR&quot; &quot;$@&quot;
+export NIX_GHC=/nix/store/19sm...-ghc-7.10.2/bin/ghc
+export NIX_GHCPKG=/nix/store/19sm...-ghc-7.10.2/bin/ghc-pkg
+export NIX_GHC_DOCDIR=/nix/store/19sm...-ghc-7.10.2/share/doc/ghc/html
+export NIX_GHC_LIBDIR=/nix/store/19sm...-ghc-7.10.2/lib/ghc-7.10.2
+exec /nix/store/j50p...-ghc-7.10.2/bin/ghc &quot;-B$NIX_GHC_LIBDIR&quot; &quot;$@&quot;
 </programlisting>
    <para>
      The variables <literal>$NIX_GHC</literal>,
@@ -354,6 +353,90 @@ if [ -e ~/.nix-profile/bin/ghc ]; then
 fi
 </programlisting>
  </section>
+  <section xml:id="how-to-install-a-compiler-with-indexes">
+    <title>How to install a compiler with libraries, hoogle and documentation indexes</title>
+    <para>
+      If you plan to use your environment for interactive programming,
+      not just compiling random Haskell code, you might want to
+      replace <literal>ghcWithPackages</literal> in all the listings
+      above with <literal>ghcWithHoogle</literal>.
+    </para>
+    <para>
+      This environment generator not only produces an environment with
+      GHC and all the specified libraries, but also generates a
+      <literal>hoogle</literal> and <literal>haddock</literal> indexes
+      for all the packages, and provides a wrapper script around
+      <literal>hoogle</literal> binary that uses all those things. A
+      precise name for this thing would be
+      "<literal>ghcWithPackagesAndHoogleAndDocumentationIndexes</literal>",
+      which is, regrettably, too long and scary.
+    </para>
+    <para>
+      For example, installing the following environment
+    </para>
+    <programlisting>
+{
+  packageOverrides = super: let self = super.pkgs; in
+  {
+    myHaskellEnv = self.haskellPackages.ghcWithHoogle
+                     (haskellPackages: with haskellPackages; [
+                       # libraries
+                       arrows async cgi criterion
+                       # tools
+                       cabal-install haskintex
+                     ]);
+  };
+}
+</programlisting>
+    <para>
+      allows one to browse module documentation index <link
+      xlink:href="https://downloads.haskell.org/~ghc/latest/docs/html/libraries/index.html">not
+      too dissimilar to this</link> for all the specified packages and
+      their dependencies by directing a browser of choice to
+      <literal>~/.nix-profiles/share/doc/hoogle/index.html</literal>
+      (or
+      <literal>/run/current-system/sw/share/doc/hoogle/index.html</literal>
+      in case you put it in
+      <literal>environment.systemPackages</literal> in NixOS).
+    </para>
+    <para>
+      After you've marveled enough at that try adding the following to
+      your <literal>~/.ghc/ghci.conf</literal>
+    </para>
+    <programlisting>
+:def hoogle \s -> return $ ":! hoogle search -cl --count=15 \"" ++ s ++ "\""
+:def doc \s -> return $ ":! hoogle search -cl --info \"" ++ s ++ "\""
+</programlisting>
+    <para>
+      and test it by typing into <literal>ghci</literal>:
+    </para>
+    <programlisting>
+:hoogle a -> a
+:doc a -> a
+</programlisting>
+    <para>
+      Be sure to note the links to <literal>haddock</literal> files in
+      the output. With any modern and properly configured terminal
+      emulator you can just click those links to navigate there.
+    </para>
+    <para>
+      Finally, you can run
+    </para>
+    <programlisting>
+hoogle server -p 8080
+</programlisting>
+    <para>
+      and navigate to <link xlink:href="http://localhost:8080/"/> for
+      your own local <link
+      xlink:href="https://www.haskell.org/hoogle/">Hoogle</link>.
+      Note, however, that Firefox and possibly other browsers disallow
+      navigation from <literal>http:</literal> to
+      <literal>file:</literal> URIs for security reasons, which might
+      be quite an inconvenience. See <link
+      xlink:href="http://kb.mozillazine.org/Links_to_local_pages_do_not_work">this
+      page</link> for workarounds.
+    </para>
+  </section>
  <section xml:id="how-to-create-ad-hoc-environments-for-nix-shell">
    <title>How to create ad hoc environments for
    <literal>nix-shell</literal></title>
@@ -371,7 +454,7 @@ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: with pkgs; [mtl pandoc
      <literal>shell.nix</literal> that looks like this:
    </para>
    <programlisting>
-{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7101&quot; }:
+{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7102&quot; }:
 let
  inherit (nixpkgs) pkgs;
  ghc = pkgs.haskell.packages.${compiler}.ghcWithPackages (ps: with ps; [
@@ -451,7 +534,7 @@ $ cabal2nix . &gt;foo.nix
      <literal>default.nix</literal>:
    </para>
    <programlisting>
-{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7101&quot; }:
+{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7102&quot; }:
 nixpkgs.pkgs.haskell.packages.${compiler}.callPackage ./foo.nix { }
 </programlisting>
    <para>
@@ -459,7 +542,7 @@ nixpkgs.pkgs.haskell.packages.${compiler}.callPackage ./foo.nix { }
      <literal>shell.nix</literal>:
    </para>
    <programlisting>
-{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7101&quot; }:
+{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7102&quot; }:
 (import ./default.nix { inherit nixpkgs compiler; }).env
 </programlisting>
    <para>
@@ -600,6 +683,12 @@ $ nix-shell &quot;&lt;nixpkgs&gt;&quot; -A haskellPackages.bar.env
  };
 }
 </programlisting>
+    <para>
+        Then, replace instances of <literal>haskellPackages</literal> in the
+        <literal>cabal2nix</literal>-generated <literal>default.nix</literal>
+        or <literal>shell.nix</literal> files with
+        <literal>profiledHaskellPackages</literal>.
+    </para>
  </section>
  <section xml:id="how-to-override-package-versions-in-a-compiler-specific-package-set">
    <title>How to override package versions in a compiler-specific
@@ -755,4 +844,69 @@ export NIX_CFLAGS_LINK=&quot;-L/usr/lib&quot;
  </section>
 </section>

+<section xml:id="other-resources">
+  <title>Other resources</title>
+  <itemizedlist>
+    <listitem>
+      <para>
+        The Youtube video
+        <link xlink:href="https://www.youtube.com/watch?v=BsBhi_r-OeE">Nix
+        Loves Haskell</link> provides an introduction into Haskell NG
+        aimed at beginners. The slides are available at
+        http://cryp.to/nixos-meetup-3-slides.pdf and also -- in a form
+        ready for cut &amp; paste -- at
+        https://github.com/NixOS/cabal2nix/blob/master/doc/nixos-meetup-3-slides.md.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        Another Youtube video is
+        <link xlink:href="https://www.youtube.com/watch?v=mQd3s57n_2Y">Escaping
+        Cabal Hell with Nix</link>, which discusses the subject of
+        Haskell development with Nix but also provides a basic
+        introduction to Nix as well, i.e. it's suitable for viewers with
+        almost no prior Nix experience.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        Oliver Charles wrote a very nice
+        <link xlink:href="http://wiki.ocharles.org.uk/Nix">Tutorial how to
+        develop Haskell packages with Nix</link>.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        The <emphasis>Journey into the Haskell NG
+        infrastructure</emphasis> series of postings describe the new
+        Haskell infrastructure in great detail:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            <link xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2015-January/015591.html">Part
+            1</link> explains the differences between the old and the
+            new code and gives instructions how to migrate to the new
+            setup.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <link xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2015-January/015608.html">Part
+            2</link> looks in-depth at how to tweak and configure your
+            setup by means of overrides.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <link xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2015-April/016912.html">Part
+            3</link> describes the infrastructure that keeps the
+            Haskell package set in Nixpkgs up-to-date.
+          </para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+  </itemizedlist>
+</section>
+
 </chapter>
--- a/doc/meta.xml
+++ b/doc/meta.xml
@@ -61,7 +61,7 @@ $ nix-env -qa hello --meta --json
                "i686-openbsd",
                "x86_64-openbsd"
            ],
-            "position": "/home/user/dev/nixpkgs/pkgs/applications/misc/hello/ex-2/default.nix:14"
+            "position": "/home/user/dev/nixpkgs/pkgs/applications/misc/hello/default.nix:14"
        },
        "name": "hello-2.9",
        "system": "x86_64-linux"
--- a/doc/quick-start.xml
+++ b/doc/quick-start.xml
@@ -56,7 +56,7 @@ $ git add pkgs/development/libraries/libfoo/default.nix</screen>

        <listitem>
          <para>GNU Hello: <link
-          xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/misc/hello/ex-2/default.nix"><filename>pkgs/applications/misc/hello/ex-2/default.nix</filename></link>.
+          xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/misc/hello/default.nix"><filename>pkgs/applications/misc/hello/default.nix</filename></link>.
          Trivial package, which specifies some <varname>meta</varname>
          attributes which is good practice.</para>
        </listitem>
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@@ -899,6 +899,34 @@ following:
    phase.</para></listitem>
  </varlistentry>

+  <varlistentry>
+    <term><varname>separateDebugInfo</varname></term>
+    <listitem><para>If set to <literal>true</literal>, the standard
+    environment will enable debug information in C/C++ builds. After
+    installation, the debug information will be separated from the
+    executables and stored in the output named
+    <literal>debug</literal>. (This output is enabled automatically;
+    you don’t need to set the <varname>outputs</varname> attribute
+    explicitly.) To be precise, the debug information is stored in
+    <filename><replaceable>debug</replaceable>/lib/debug/.build-id/<replaceable>XX</replaceable>/<replaceable>YYYY…</replaceable></filename>,
+    where <replaceable>XXYYYY…</replaceable> is the <replaceable>build
+    ID</replaceable> of the binary — a SHA-1 hash of the contents of
+    the binary. Debuggers like GDB use the build ID to look up the
+    separated debug information.</para>
+
+    <para>For example, with GDB, you can add
+
+<programlisting>
+set debug-file-directory ~/.nix-profile/lib/debug
+</programlisting>
+
+    to <filename>~/.gdbinit</filename>. GDB will then be able to find
+    debug information installed via <literal>nix-env
+    -i</literal>.</para>
+
+    </listitem>
+  </varlistentry>
+
 </variablelist>

 </section>
--- a/lib/customisation.nix
+++ b/lib/customisation.nix
@@ -164,4 +164,23 @@ rec {
      drv' = (lib.head outputsList).value;
    in lib.deepSeq drv' drv';

+  /* Make a set of packages with a common scope. All packages called
+     with the provided `callPackage' will be evaluated with the same
+     arguments. Any package in the set may depend on any other. The
+     `override' function allows subsequent modification of the package
+     set in a consistent way, i.e. all packages in the set will be
+     called with the overridden packages. The package sets may be
+     hierarchical: the packages in the set are called with the scope
+     provided by `newScope' and the set provides a `newScope' attribute
+     which can form the parent scope for later package sets. */
+  makeScope = newScope: f:
+    let self = f self // {
+          newScope = scope: newScope (self // scope);
+          callPackage = self.newScope {};
+          override = g: makeScope newScope (self_:
+            let super = f self_;
+            in super // g super self_);
+        };
+    in self;
+
 }
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@@ -155,6 +155,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
    fullName = "GNU Free Documentation License v1.2";
  };

+  fdl13 = spdx {
+    spdxId = "GFDL-1.3";
+    fullName = "GNU Free Documentation License v1.2";
+  };
+
  free = {
    fullName = "Unspecified free software license";
  };
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@@ -7,6 +7,7 @@
     so it's easy to ping a package @maintainer.
  */

+  aaronschif = "Aaron Schif <aaronschif@gmail.com>";
  abaldeau = "Andreas Baldeau <andreas@baldeau.net>";
  abbradar = "Nikolay Amiantov <ab@fmap.me>";
  adev	   = "Adrien Devresse <adev@adev.name>";
@@ -14,6 +15,7 @@
  aflatter = "Alexander Flatter <flatter@fastmail.fm>";
  aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
  ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
+  akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
  akc = "Anders Claesson <akc@akc.is>";
  algorith = "Dries Van Daele <dries_van_daele@telenet.be>";
  all = "Nix Committers <nix-commits@lists.science.uu.nl>";
@@ -67,7 +69,7 @@
  couchemar = "Andrey Pavlov <couchemar@yandex.ru>";
  cstrahan = "Charles Strahan <charles.c.strahan@gmail.com>";
  cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
-  DamienCassou = "Damien Cassou <damien.cassou@gmail.com>";
+  DamienCassou = "Damien Cassou <damien@cassou.me>";
  davidrusu = "David Rusu <davidrusu.me@gmail.com>";
  dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";
  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
@@ -84,10 +86,11 @@
  eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
  eikek = "Eike Kettner <eike.kettner@posteo.de>";
  ellis = "Ellis Whitehead <nixos@ellisw.net>";
-  emery = "Emery Hemingway <emery@vfemail.net>";
+  ehmry = "Emery Hemingway <emery@vfemail.net>";
  epitrochoid = "Mabry Cervin <mpcervin@uncg.edu>";
  ericbmerritt = "Eric Merritt <eric@afiniate.com>";
  ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
+  exi = "Reno Reckling <nixos@reckling.org>";
  exlevan = "Alexey Levan <exlevan@gmail.com>";
  falsifian = "James Cook <james.cook@utoronto.ca>";
  flosse = "Markus Kohlhase <mail@markus-kohlhase.de>";
@@ -123,6 +126,7 @@
  jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
  jb55 = "William Casarin <bill@casarin.me>";
  jcumming = "Jack Cummings <jack@mudshark.org>";
+  jefdaj = "Jeffrey David Johnson <jefdaj@gmail.com>";
  jfb = "James Felix Black <james@yamtime.com>";
  jgeerds = "Jascha Geerds <jg@ekby.de>";
  jirkamarsik = "Jirka Marsik <jiri.marsik89@gmail.com>";
@@ -135,6 +139,7 @@
  jwilberding = "Jordan Wilberding <jwilberding@afiniate.com>";
  jzellner = "Jeff Zellner <jeffz@eml.cc>";
  kamilchm = "Kamil Chmielewski <kamil.chm@gmail.com>";
+  khumba = "Bryan Gardiner <bog@khumba.net>";
  kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
  koral = "Koral <koral@mailoo.org>";
  kovirobi = "Kovacsics Robert <kovirobi@gmail.com>";
@@ -150,6 +155,7 @@
  linus = "Linus Arver <linusarver@gmail.com>";
  lnl7 = "Daiderd Jordan <daiderd@gmail.com>";
  lovek323 = "Jason O'Conal <jason@oconal.id.au>";
+  lowfatcomputing = "Andreas Wagner <andreas.wagner@lowfatcomputing.org>";
  lsix = "Lancelot SIX <lsix@lancelotsix.com>";
  ludo = "Ludovic Courtès <ludo@gnu.org>";
  madjar = "Georges Dubus <georges.dubus@compiletoi.net>";
@@ -164,12 +170,14 @@
  mathnerd314 = "Mathnerd314 <mathnerd314.gph+hs@gmail.com>";
  matthiasbeyer = "Matthias Beyer <mail@beyermatthias.de>";
  mbakke = "Marius Bakke <ymse@tuta.io>";
+  mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
  meditans = "Carlo Nucera <meditans@gmail.com>";
  meisternu = "Matt Miemiec <meister@krutt.org>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
  mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
  mschristiansen = "Mikkel Christiansen <mikkel@rheosystems.com>";
  modulistic = "Pablo Costa <modulistic@gmail.com>";
+  mog = "Matthew O'Gorman <mog-lists@rldn.net>";
  mornfall = "Petr Ročkai <me@mornfall.net>";
  MP2E = "Cray Elliott <MP2E@archlinux.us>";
  msackman = "Matthew Sackman <matthew@wellquite.org>";
@@ -193,9 +201,10 @@
  pakhfn = "Fedor Pakhomov <pakhfn@gmail.com>";
  pashev = "Igor Pashev <pashev.igor@gmail.com>";
  pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
-  phausmann = "Philipp Hausmann <nix@314.ch>";
+  phile314 = "Philipp Hausmann <nix@314.ch>";
  philandstuff = "Philip Potter <philip.g.potter@gmail.com>";
  phreedom = "Evgeny Egorochkin <phreedom@yandex.ru>";
+  phunehehe = "Hoang Xuan Phu <phunehehe@gmail.com>";
  pierron = "Nicolas B. Pierron <nixos@nbp.name>";
  piotr = "Piotr Pietraszkiewicz <ppietrasa@gmail.com>";
  pjones = "Peter Jones <pjones@devalot.com>";
@@ -204,6 +213,7 @@
  pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
  pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
  prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
+  psibi = "Sibi <sibi@psibi.in>";
  pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
  puffnfresh = "Brian McKenna <brian@brianmckenna.org>";
  qknight = "Joachim Schiele <js@lastlog.de>";
@@ -238,6 +248,7 @@
  skeidel = "Sven Keidel <svenkeidel@gmail.com>";
  smironov = "Sergey Mironov <ierton@gmail.com>";
  spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
+  spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
  sprock = "Roger Mason <rmason@mun.ca>";
  spwhitt = "Spencer Whitt <sw@swhitt.me>";
  stephenmw = "Stephen Weinberg <stephen@q5comm.com>";
@@ -251,6 +262,7 @@
  theuni = "Christian Theune <ct@flyingcircus.io>";
  thoughtpolice = "Austin Seipp <aseipp@pobox.com>";
  titanous = "Jonathan Rudenberg <jonathan@titanous.com>";
+  tokudan = "Daniel Frank <git@danielfrank.net>";
  tomberek = "Thomas Bereknyei <tomberek@gmail.com>";
  travisbhartwell = "Travis B. Hartwell <nafai@travishartwell.net>";
  trino = "Hubert Mühlhans <muehlhans.hubert@ekodia.de>";
--- a/lib/strings.nix
+++ b/lib/strings.nix
@@ -185,9 +185,13 @@ rec {
  versionAtLeast = v1: v2: !versionOlder v1 v2;


-  # Get the version of the specified derivation, as specified in its
-  # ‘name’ attribute.
-  getVersion = drv: (builtins.parseDrvName drv.name).version;
+  # This function takes an argument that's either a derivation or a
+  # derivation's "name" attribute and extracts the version part from that
+  # argument. For example:
+  #
+  #    lib.getVersion "youtube-dl-2016.01.01" ==> "2016.01.01"
+  #    lib.getVersion pkgs.youtube-dl         ==> "2016.01.01"
+  getVersion = x: (builtins.parseDrvName (x.name or x)).version;


  # Extract name with version from URL. Ask for separator which is
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@@ -12,8 +12,46 @@ rec {
  and = x: y: x && y;
  mergeAttrs = x: y: x // y;

-  # Take a function and evaluate it with its own returned value.
-  fix = f: let result = f result; in result;
+  # Compute the fixed point of the given function `f`, which is usually an
+  # attribute set that expects its final, non-recursive representation as an
+  # argument:
+  #
+  #     f = self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; }
+  #
+  # Nix evaluates this recursion until all references to `self` have been
+  # resolved. At that point, the final result is returned and `f x = x` holds:
+  #
+  #     nix-repl> fix f
+  #     { bar = "bar"; foo = "foo"; foobar = "foobar"; }
+  #
+  # See https://en.wikipedia.org/wiki/Fixed-point_combinator for further
+  # details.
+  fix = f: let x = f x; in x;
+
+  # A variant of `fix` that records the original recursive attribute set in the
+  # result. This is useful in combination with the `extends` function to
+  # implement deep overriding. See pkgs/development/haskell-modules/default.nix
+  # for a concrete example.
+  fix' = f: let x = f x // { __unfix__ = f; }; in x;
+
+  # Modify the contents of an explicitly recursive attribute set in a way that
+  # honors `self`-references. This is accomplished with a function
+  #
+  #     g = self: super: { foo = super.foo + " + "; }
+  #
+  # that has access to the unmodified input (`super`) as well as the final
+  # non-recursive representation of the attribute set (`self`). `extends`
+  # differs from the native `//` operator insofar as that it's applied *before*
+  # references to `self` are resolved:
+  #
+  #     nix-repl> fix (extends g f)
+  #     { bar = "bar"; foo = "foo + "; foobar = "foo + bar"; }
+  #
+  # The name of the function is inspired by object-oriented inheritance, i.e.
+  # think of it as an infix operator `g extends f` that mimics the syntax from
+  # Java. It may seem counter-intuitive to have the "base class" as the second
+  # argument, but it's nice this way if several uses of `extends` are cascaded.
+  extends = f: rattrs: self: let super = rattrs self; in super // f self super;

  # Flip the order of the arguments of a binary function.
  flip = f: a: b: f b a;
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -213,11 +213,18 @@ rec {
        substSubModules = m: submodule m;
      };

-    enum = values: mkOptionType {
-      name = "one of ${concatStringsSep ", " values}";
-      check = flip elem values;
-      merge = mergeOneOption;
-    };
+    enum = values:
+      let
+        show = v:
+               if builtins.isString v then ''"${v}"''
+          else if builtins.isInt v then builtins.toString v
+          else ''<${builtins.typeOf v}>'';
+      in
+      mkOptionType {
+        name = "one of ${concatMapStringsSep ", " show values}";
+        check = flip elem values;
+        merge = mergeOneOption;
+      };

    either = t1: t2: mkOptionType {
      name = "${t1.name} or ${t2.name}";
--- a/maintainers/scripts/copy-tarballs.pl
+++ b/maintainers/scripts/copy-tarballs.pl
@@ -1,97 +1,151 @@
-#! /run/current-system/sw/bin/perl -w
+#! /usr/bin/env nix-shell
+#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 nixUnstable
+
+# This command uploads tarballs to tarballs.nixos.org, the
+# content-addressed cache used by fetchurl as a fallback for when
+# upstream tarballs disappear or change. Usage:
+#
+# 1) To upload a single file:
+#
+#    $ copy-tarballs.pl --file /path/to/tarball.tar.gz
+#
+# 2) To upload all files obtained via calls to fetchurl in a Nix derivation:
+#
+#    $ copy-tarballs.pl --expr '(import <nixpkgs> {}).hello'

 use strict;
-use XML::Simple;
+use warnings;
 use File::Basename;
 use File::Path;
-use File::Copy 'cp';
-use IPC::Open2;
+use JSON;
+use Net::Amazon::S3;
 use Nix::Store;

-my $myDir = dirname($0);
+# S3 setup.
+my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'} or die;
+my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'} or die;

-my $tarballsCache = $ENV{'NIX_TARBALLS_CACHE'} // "/tarballs";
+my $s3 = Net::Amazon::S3->new(
+    { aws_access_key_id     => $aws_access_key_id,
+      aws_secret_access_key => $aws_secret_access_key,
+      retry                 => 1,
+    });

-my $xml = `nix-instantiate --eval-only --xml --strict '<nixpkgs/maintainers/scripts/find-tarballs.nix>'`;
-die "$0: evaluation failed\n" if $? != 0;
+my $bucket = $s3->bucket("nixpkgs-tarballs") or die;

-my $data = XMLin($xml) or die;
-
-mkpath($tarballsCache);
-mkpath("$tarballsCache/md5");
-mkpath("$tarballsCache/sha1");
-mkpath("$tarballsCache/sha256");
-
-foreach my $file (@{$data->{list}->{attrs}}) {
-    my $url = $file->{attr}->{url}->{string}->{value};
-    my $algo = $file->{attr}->{type}->{string}->{value};
-    my $hash = $file->{attr}->{hash}->{string}->{value};
-
-    if ($url !~ /^http:/ && $url !~ /^https:/ && $url !~ /^ftp:/ && $url !~ /^mirror:/) {
-        print STDERR "skipping $url (unsupported scheme)\n";
-        next;
-    }
-
-    $url =~ /([^\/]+)$/;
-    my $fn = $1;
-
-    if (!defined $fn) {
-        print STDERR "skipping $url (no file name)\n";
-        next;
-    }
-
-    if ($fn =~ /[&?=%]/ || $fn =~ /^\./) {
-        print STDERR "skipping $url (bad character in file name)\n";
-        next;
-    }
-
-    if ($fn !~ /[a-zA-Z]/) {
-        print STDERR "skipping $url (no letter in file name)\n";
-        next;
-    }
-
-    if ($fn !~ /[0-9]/) {
-        print STDERR "skipping $url (no digit in file name)\n";
-        next;
-    }
-
-    if ($fn !~ /[-_\.]/) {
-        print STDERR "skipping $url (no dash/dot/underscore in file name)\n";
-        next;
-    }
-
-    my $dstPath = "$tarballsCache/$fn";
-
-    next if -e $dstPath;
-
-    print "downloading $url to $dstPath...\n";
-
-    next if $ENV{DRY_RUN};
-
-    $ENV{QUIET} = 1;
-    $ENV{PRINT_PATH} = 1;
-    my $fh;
-    my $pid = open($fh, "-|", "nix-prefetch-url", "--type", $algo, $url, $hash) or die;
-    waitpid($pid, 0) or die;
-    if ($? != 0) {
-        print STDERR "failed to fetch $url: $?\n";
-        next;
-    }
-    <$fh>; my $storePath = <$fh>; chomp $storePath;
-
-    die unless -e $storePath;
-
-    cp($storePath, $dstPath) or die;
-
-    my $md5 = hashFile("md5", 0, $storePath) or die;
-    symlink("../$fn", "$tarballsCache/md5/$md5");
-
-    my $sha1 = hashFile("sha1", 0, $storePath) or die;
-    symlink("../$fn", "$tarballsCache/sha1/$sha1");
-
-    my $sha256 = hashFile("sha256", 0, $storePath) or die;
-    symlink("../$fn", "$tarballsCache/sha256/$sha256");
-
-    $sha256 = hashFile("sha256", 1, $storePath) or die;
-    symlink("../$fn", "$tarballsCache/sha256/$sha256");
+sub alreadyMirrored {
+    my ($algo, $hash) = @_;
+    return defined $bucket->get_key("$algo/$hash");
+}
+
+sub uploadFile {
+    my ($fn, $name) = @_;
+
+    my $md5_16 = hashFile("md5", 0, $fn) or die;
+    my $sha1_16 = hashFile("sha1", 0, $fn) or die;
+    my $sha256_32 = hashFile("sha256", 1, $fn) or die;
+    my $sha256_16 = hashFile("sha256", 0, $fn) or die;
+    my $sha512_32 = hashFile("sha512", 1, $fn) or die;
+    my $sha512_16 = hashFile("sha512", 0, $fn) or die;
+
+    my $mainKey = "sha512/$sha512_16";
+
+    # Upload the file as sha512/<hash-in-base-16>.
+    print STDERR "uploading $fn to $mainKey...\n";
+    $bucket->add_key_filename($mainKey, $fn, { 'x-amz-meta-original-name' => $name })
+        or die "failed to upload $fn to $mainKey\n";
+
+    # Create redirects from the other hash types.
+    sub redirect {
+        my ($name, $dest) = @_;
+        #print STDERR "linking $name to $dest...\n";
+        $bucket->add_key($name, "", { 'x-amz-website-redirect-location' => "/" . $dest })
+            or die "failed to create redirect from $name to $dest\n";
+    }
+    redirect "md5/$md5_16", $mainKey;
+    redirect "sha1/$sha1_16", $mainKey;
+    redirect "sha256/$sha256_32", $mainKey;
+    redirect "sha256/$sha256_16", $mainKey;
+    redirect "sha512/$sha512_32", $mainKey;
+}
+
+my $op = shift @ARGV;
+
+if ($op eq "--file") {
+    my $res = 0;
+    foreach my $fn (@ARGV) {
+	eval {
+	    if (alreadyMirrored("sha512", hashFile("sha512", 0, $fn))) {
+		print STDERR "$fn is already mirrored\n";
+	    } else {
+		uploadFile($fn, basename $fn);
+	    }
+	};
+	if ($@) {
+	    warn "$@\n";
+	    $res = 1;
+	}
+    }
+    exit $res;
+}
+
+elsif ($op eq "--expr") {
+
+    # Evaluate find-tarballs.nix.
+    my $expr = $ARGV[0] // die "$0: --expr requires a Nix expression\n";
+    my $pid = open(JSON, "-|", "nix-instantiate", "--eval-only", "--json", "--strict",
+                   "<nixpkgs/maintainers/scripts/find-tarballs.nix>",
+                   "--arg", "expr", $expr);
+    my $stdout = <JSON>;
+    waitpid($pid, 0);
+    die "$0: evaluation failed\n" if $?;
+    close JSON;
+
+    my $fetches = decode_json($stdout);
+
+    print STDERR "evaluation returned ", scalar(@{$fetches}), " tarballs\n";
+
+    # Check every fetchurl call discovered by find-tarballs.nix.
+    my $mirrored = 0;
+    my $have = 0;
+    foreach my $fetch (@{$fetches}) {
+        my $url = $fetch->{url};
+        my $algo = $fetch->{type};
+        my $hash = $fetch->{hash};
+
+        if ($url !~ /^http:/ && $url !~ /^https:/ && $url !~ /^ftp:/ && $url !~ /^mirror:/) {
+            print STDERR "skipping $url (unsupported scheme)\n";
+            next;
+        }
+
+        if (alreadyMirrored($algo, $hash)) {
+            $have++;
+            next;
+        }
+
+        print STDERR "mirroring $url...\n";
+
+        next if $ENV{DRY_RUN};
+
+        # Download the file using nix-prefetch-url.
+        $ENV{QUIET} = 1;
+        $ENV{PRINT_PATH} = 1;
+        my $fh;
+        my $pid = open($fh, "-|", "nix-prefetch-url", "--type", $algo, $url, $hash) or die;
+        waitpid($pid, 0) or die;
+        if ($? != 0) {
+            print STDERR "failed to fetch $url: $?\n";
+            next;
+        }
+        <$fh>; my $storePath = <$fh>; chomp $storePath;
+
+        uploadFile($storePath, $url);
+        $mirrored++;
+    }
+
+    print STDERR "mirrored $mirrored files, already have $have files\n";
+}
+
+else {
+    die "Syntax: $0 --file FILENAMES... | --expr EXPR\n";
 }
--- a/maintainers/scripts/find-tarballs.nix
+++ b/maintainers/scripts/find-tarballs.nix
@@ -4,9 +4,11 @@
 with import ../.. { };
 with lib;

+{ expr ? removeAttrs (import ../../pkgs/top-level/release.nix { }) [ "tarball" "unstable" ] }:
+
 let

-  root = removeAttrs (import ../../pkgs/top-level/release.nix { }) [ "tarball" "unstable" ];
+  root = expr;

  uniqueUrls = map (x: x.file) (genericClosure {
    startSet = map (file: { key = file.url; inherit file; }) urls;
@@ -15,7 +17,10 @@ let

  urls = map (drv: { url = head drv.urls; hash = drv.outputHash; type = drv.outputHashAlgo; }) fetchurlDependencies;

-  fetchurlDependencies = filter (drv: drv.outputHash or "" != "" && drv ? urls) dependencies;
+  fetchurlDependencies =
+    filter
+      (drv: drv.outputHash or "" != "" && drv.outputHashMode == "flat" && drv.postFetch or "" == "" && drv ? urls)
+      dependencies;

  dependencies = map (x: x.value) (genericClosure {
    startSet = map keyDrv (derivationsIn' root);
--- a/nixos/doc/manual/configuration/x-windows.xml
+++ b/nixos/doc/manual/configuration/x-windows.xml
@@ -61,6 +61,12 @@ by default because it’s not free software.  You can enable it as follows:
 <programlisting>
 services.xserver.videoDrivers = [ "nvidia" ];
 </programlisting>
+Or if you have an older card, you may have to use one of the legacy drivers:
+<programlisting>
+services.xserver.videoDrivers = [ "nvidiaLegacy340" ];
+services.xserver.videoDrivers = [ "nvidiaLegacy304" ];
+services.xserver.videoDrivers = [ "nvidiaLegacy173" ];
+</programlisting>
 You may need to reboot after enabling this driver to prevent a clash
 with other kernel modules.</para>

--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@@ -31,10 +31,8 @@ let
    else
      fn;

-  # Convert the list of options into an XML file.  The builtin
-  # unsafeDiscardStringContext is used to prevent the realisation of
-  # the store paths which are used in options definitions.
-  optionsXML = builtins.toFile "options.xml" (builtins.unsafeDiscardStringContext (builtins.toXML optionsList'));
+  # Convert the list of options into an XML file.
+  optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList');

  optionsDocBook = runCommand "options-db.xml" {} ''
    optionsXML=${optionsXML}
@@ -139,6 +137,8 @@ in rec {
    ''; # */

    meta.description = "The NixOS manual in HTML format";
+
+    allowedReferences = ["out"];
  };

  manualPDF = stdenv.mkDerivation {
@@ -190,6 +190,8 @@ in rec {
        ${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \
        ./man-pages.xml
    '';
+
+    allowedReferences = ["out"];
  };

 }
--- a/nixos/doc/manual/installation/upgrading.xml
+++ b/nixos/doc/manual/installation/upgrading.xml
@@ -107,4 +107,30 @@ newer Nix version, which may involve an upgrade of Nix’s database
 schema.  This cannot be undone easily, so in that case you will not be
 able to go back to your original channel.</para></warning>

+
+<section><title>Automatic Upgrades</title>
+
+<para>You can keep a NixOS system up-to-date automatically by adding
+the following to <filename>configuration.nix</filename>:
+
+<programlisting>
+system.autoUpgrade.enable = true;
+</programlisting>
+
+This enables a periodically executed systemd service named
+<literal>nixos-upgrade.service</literal>. It runs
+<command>nixos-rebuild switch --upgrade</command> to upgrade NixOS to
+the latest version in the current channel. (To see when the service
+runs, see <command>systemctl list-timers</command>.)  You can also
+specify a channel explicitly, e.g.
+
+<programlisting>
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
+</programlisting>
+
+</para>
+
+</section>
+
+
 </chapter>
--- a/nixos/doc/manual/release-notes/release-notes.xml
+++ b/nixos/doc/manual/release-notes/release-notes.xml
@@ -9,7 +9,7 @@
 <para>This section lists the release notes for each stable version of NixOS
 and current unstable revision.</para>

-<xi:include href="rl-unstable.xml" />
+<xi:include href="rl-1509.xml" />
 <xi:include href="rl-1412.xml" />
 <xi:include href="rl-1404.xml" />
 <xi:include href="rl-1310.xml" />
--- a/nixos/doc/manual/release-notes/rl-1509.xml
+++ b/nixos/doc/manual/release-notes/rl-1509.xml
@@ -0,0 +1,491 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-15.09">
+
+<title>Release 15.09 (“Dingo”, 2015/09/30)</title>
+
+<para>In addition to numerous new and upgraded packages, this release
+has the following highlights:</para>
+
+<itemizedlist>
+
+  <listitem>
+    <para>Gnome has been upgraded to 3.16.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>Xfce has been upgraded to 4.12.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>KDE 5 has been upgraded to KDE Frameworks 5.10,
+      Plasma 5.3.2 and Applications 15.04.3.
+      KDE 4 has been updated to kdelibs-4.14.10.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>E19 has been upgraded to 0.16.8.15.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>The <link xlink:href="http://haskell.org/">Haskell</link>
+    packages infrastructure has been re-designed from the ground up
+    (&quot;Haskell NG&quot;). NixOS now distributes the latest version
+    of every single package registered on <link
+    xlink:href="http://hackage.haskell.org/">Hackage</link> -- well in
+    excess of 8,000 Haskell packages. Detailed instructions on how to
+    use that infrastructure can be found in the <link
+    xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+    Guide to the Haskell Infrastructure</link>. Users migrating from an
+    earlier release may find helpful information below, in the list of
+    backwards-incompatible changes. Furthermore, we distribute 51(!)
+    additional Haskell package sets that provide every single <link
+    xlink:href="http://www.stackage.org/">LTS Haskell</link> release
+    since version 0.0 as well as the most recent <link
+    xlink:href="http://www.stackage.org/">Stackage Nightly</link>
+    snapshot. The announcement <link
+    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2015-September/018138.html">&quot;Full
+    Stackage Support in Nixpkgs&quot;</link> gives additional
+    details.</para>
+  </listitem>
+
+  <listitem>
+    <para>Nix has been updated to version 1.10, which among other
+    improvements enables cryptographic signatures on binary caches for
+    improved security.</para>
+  </listitem>
+
+  <listitem>
+    <para>You can now keep your NixOS system up to date automatically
+    by setting
+
+<programlisting>
+system.autoUpgrade.enable = true;
+</programlisting>
+
+    This will cause the system to periodically check for updates in
+    your current channel and run <command>nixos-rebuild</command>.</para>
+  </listitem>
+
+  <listitem>
+    <para>This release is based on Glibc 2.21, GCC 4.9 and Linux
+    3.18.</para>
+  </listitem>
+
+</itemizedlist>
+
+
+  <para>Following new services were added since the last release:
+
+  <itemizedlist>
+    <listitem><para><literal>services/mail/exim.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/apache-kafka.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/canto-daemon.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/confd.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/devmon.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/gitit.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/ihaskell.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/mbpfan.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/mediatomb.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/mwlib.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/parsoid.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/plex.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/ripple-rest.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/ripple-data-api.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/subsonic.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/sundtek.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/cadvisor.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/das_watchdog.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/grafana.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/riemann-tools.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/teamviewer.nix</literal></para></listitem>
+    <listitem><para><literal>services/network-filesystems/u9fs.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/aiccu.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/asterisk.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/bird.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/charybdis.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/docker-registry-server.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/fan.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/firefox/sync-server.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/gateone.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/heyefi.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/i2p.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/lambdabot.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/mstpd.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/nix-serve.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/nylon.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/racoon.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/skydns.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/shout.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/softether.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/sslh.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/tinc.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/tlsdated.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/tox-bootstrapd.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/tvheadend.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/zerotierone.nix</literal></para></listitem>
+    <listitem><para><literal>services/scheduling/marathon.nix</literal></para></listitem>
+    <listitem><para><literal>services/security/fprintd.nix</literal></para></listitem>
+    <listitem><para><literal>services/security/hologram.nix</literal></para></listitem>
+    <listitem><para><literal>services/security/munge.nix</literal></para></listitem>
+    <listitem><para><literal>services/system/cloud-init.nix</literal></para></listitem>
+    <listitem><para><literal>services/web-servers/shellinabox.nix</literal></para></listitem>
+    <listitem><para><literal>services/web-servers/uwsgi.nix</literal></para></listitem>
+    <listitem><para><literal>services/x11/unclutter.nix</literal></para></listitem>
+    <listitem><para><literal>services/x11/display-managers/sddm.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/coredump.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/loader/loader.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/loader/generic-extlinux-compatible</literal></para></listitem>
+    <listitem><para><literal>system/boot/networkd.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/resolved.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/timesyncd.nix</literal></para></listitem>
+    <listitem><para><literal>tasks/filesystems/exfat.nix</literal></para></listitem>
+    <listitem><para><literal>tasks/filesystems/ntfs.nix</literal></para></listitem>
+    <listitem><para><literal>tasks/filesystems/vboxsf.nix</literal></para></listitem>
+    <listitem><para><literal>virtualisation/virtualbox-host.nix</literal></para></listitem>
+    <listitem><para><literal>virtualisation/vmware-guest.nix</literal></para></listitem>
+    <listitem><para><literal>virtualisation/xen-dom0.nix</literal></para></listitem>
+  </itemizedlist>
+  </para>
+
+
+<para>When upgrading from a previous release, please be aware of the
+following incompatible changes:
+
+<itemizedlist>
+
+<listitem><para><command>sshd</command> no longer supports DSA and ECDSA
+host keys by default. If you have existing systems with such host keys
+and want to continue to use them, please set
+
+<programlisting>
+system.stateVersion = "14.12";
+</programlisting>
+
+The new option <option>system.stateVersion</option> ensures that
+certain configuration changes that could break existing systems (such
+as the <command>sshd</command> host key setting) will maintain
+compatibility with the specified NixOS release. NixOps sets the state
+version of existing deployments automatically.</para></listitem>
+
+<listitem><para><command>cron</command> is no longer enabled by
+default, unless you have a non-empty
+<option>services.cron.systemCronJobs</option>. To force
+<command>cron</command> to be enabled, set
+<option>services.cron.enable = true</option>.</para></listitem>
+
+<listitem><para>Nix now requires binary caches to be cryptographically
+signed. If you have unsigned binary caches that you want to continue
+to use, you should set <option>nix.requireSignedBinaryCaches =
+false</option>.</para></listitem>
+
+<listitem><para>Steam now doesn't need root rights to work. Instead of using
+<literal>*-steam-chrootenv</literal>, you should now just run <literal>steam</literal>.
+<literal>steamChrootEnv</literal> package was renamed to <literal>steam</literal>,
+and old <literal>steam</literal> package -- to <literal>steamOriginal</literal>.
+</para></listitem>
+
+<listitem><para>CMPlayer has been renamed to bomi upstream. Package
+<literal>cmplayer</literal> was accordingly renamed to
+<literal>bomi</literal> </para></listitem>
+
+<listitem><para>Atom Shell has been renamed to Electron upstream.  Package <literal>atom-shell</literal>
+was accordingly renamed to <literal>electron</literal>
+</para></listitem>
+
+<listitem><para>Elm is not released on Hackage anymore. You should now use <literal>elmPackages.elm</literal>
+which contains the latest Elm platform.</para></listitem>
+
+<listitem>
+  <para>The CUPS printing service has been updated to version
+  <literal>2.0.2</literal>.  Furthermore its systemd service has been
+  renamed to <literal>cups.service</literal>.</para>
+
+  <para>Local printers are no longer shared or advertised by
+  default. This behavior can be changed by enabling
+  <option>services.printing.defaultShared</option> or
+  <option>services.printing.browsing</option> respectively.</para>
+</listitem>
+
+<listitem>
+  <para>
+    The VirtualBox host and guest options have been named more
+    consistently. They can now found in
+    <option>virtualisation.virtualbox.host.*</option> instead of
+    <option>services.virtualboxHost.*</option> and
+    <option>virtualisation.virtualbox.guest.*</option> instead of
+    <option>services.virtualboxGuest.*</option>.
+  </para>
+
+  <para>
+    Also, there now is support for the <literal>vboxsf</literal> file
+    system using the <option>fileSystems</option> configuration
+    attribute. An example of how this can be used in a configuration:
+
+<programlisting>
+fileSystems."/shiny" = {
+  device = "myshinysharedfolder";
+  fsType = "vboxsf";
+};
+</programlisting>
+
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    &quot;<literal>nix-env -qa</literal>&quot; no longer discovers
+    Haskell packages by name. The only packages visible in the global
+    scope are <literal>ghc</literal>, <literal>cabal-install</literal>,
+    and <literal>stack</literal>, but all other packages are hidden. The
+    reason for this inconvenience is the sheer size of the Haskell
+    package set. Name-based lookups are expensive, and most
+    <literal>nix-env -qa</literal> operations would become much slower
+    if we'd add the entire Hackage database into the top level attribute
+    set. Instead, the list of Haskell packages can be displayed by
+    running:
+  </para>
+  <programlisting>
+nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A haskellPackages
+</programlisting>
+  <para>
+    Executable programs written in Haskell can be installed with:
+  </para>
+  <programlisting>
+nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.pandoc
+</programlisting>
+  <para>
+    Installing Haskell <emphasis>libraries</emphasis> this way, however, is no
+    longer supported. See the next item for more details.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    Previous versions of NixOS came with a feature called
+    <literal>ghc-wrapper</literal>, a small script that allowed GHC to
+    transparently pick up on libraries installed in the user's profile. This
+    feature has been deprecated; <literal>ghc-wrapper</literal> was removed
+    from the distribution. The proper way to register Haskell libraries with
+    the compiler now is the <literal>haskellPackages.ghcWithPackages</literal>
+    function. The <link
+    xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+    Guide to the Haskell Infrastructure</link> provides more information about
+    this subject.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    All Haskell builds that have been generated with version 1.x of
+    the <literal>cabal2nix</literal> utility are now invalid and need
+    to be re-generated with a current version of
+    <literal>cabal2nix</literal> to function. The most recent version
+    of this tool can be installed by running
+    <literal>nix-env -i cabal2nix</literal>.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    The <literal>haskellPackages</literal> set in Nixpkgs used to have a
+    function attribute called <literal>extension</literal> that users
+    could override in their <literal>~/.nixpkgs/config.nix</literal>
+    files to configure additional attributes, etc. That function still
+    exists, but it's now called <literal>overrides</literal>.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    The OpenBLAS library has been updated to version
+    <literal>0.2.14</literal>. Support for the
+    <literal>x86_64-darwin</literal> platform was added. Dynamic
+    architecture detection was enabled; OpenBLAS now selects
+    microarchitecture-optimized routines at runtime, so optimal
+    performance is achieved without the need to rebuild OpenBLAS
+    locally. OpenBLAS has replaced ATLAS in most packages which use an
+    optimized BLAS or LAPACK implementation.
+ </para>
+</listitem>
+
+<listitem>
+  <para>
+    The <literal>phpfpm</literal> is now using the default PHP version
+    (<literal>pkgs.php</literal>) instead of PHP 5.4 (<literal>pkgs.php54</literal>).
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    The <literal>locate</literal> service no longer indexes the Nix store
+    by default, preventing packages with potentially numerous versions from
+    cluttering the output. Indexing the store can be activated by setting
+    <option>services.locate.includeStore = true</option>.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    The Nix expression search path (<envar>NIX_PATH</envar>) no longer
+    contains <filename>/etc/nixos/nixpkgs</filename> by default. You
+    can override <envar>NIX_PATH</envar> by setting
+    <option>nix.nixPath</option>.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    Python 2.6 has been marked as broken (as it no longer recieves
+    security updates from upstream).
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    Any use of module arguments such as <varname>pkgs</varname> to access
+    library functions, or to define <literal>imports</literal> attributes
+    will now lead to an infinite loop at the time of the evaluation.
+  </para>
+
+  <para>
+    In case of an infinite loop, use the <command>--show-trace</command>
+    command line argument and read the line just above the error message.
+
+<screen>
+$ nixos-rebuild build --show-trace
+…
+while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix":
+infinite recursion encountered
+</screen>
+  </para>
+
+
+  <para>
+    Any use of <literal>pkgs.lib</literal>, should be replaced by
+    <varname>lib</varname>, after adding it as argument of the module.  The
+    following module
+
+<programlisting>
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+{
+  options = {
+    foo = mkOption { … };
+  };
+  config = mkIf config.foo { … };
+}
+</programlisting>
+
+   should be modified to look like:
+
+<programlisting>
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+  options = {
+    foo = mkOption { <replaceable>option declaration</replaceable> };
+  };
+  config = mkIf config.foo { <replaceable>option definition</replaceable> };
+}
+</programlisting>
+  </para>
+
+  <para>
+    When <varname>pkgs</varname> is used to download other projects to
+    import their modules, and only in such cases, it should be replaced by
+    <literal>(import &lt;nixpkgs&gt; {})</literal>.  The following module
+
+<programlisting>
+{ config, pkgs, ... }:
+
+let
+  myProject = pkgs.fetchurl {
+    src = <replaceable>url</replaceable>;
+    sha256 = <replaceable>hash</replaceable>;
+  };
+in
+
+{
+  imports = [ "${myProject}/module.nix" ];
+}
+</programlisting>
+
+    should be modified to look like:
+
+<programlisting>
+{ config, pkgs, ... }:
+
+let
+  myProject = (import &lt;nixpkgs&gt; {}).fetchurl {
+    src = <replaceable>url</replaceable>;
+    sha256 = <replaceable>hash</replaceable>;
+  };
+in
+
+{
+  imports = [ "${myProject}/module.nix" ];
+}
+</programlisting>
+  </para>
+
+</listitem>
+
+</itemizedlist>
+</para>
+
+
+<para>Other notable improvements:
+
+<itemizedlist>
+
+  <listitem><para>The nixos and nixpkgs channels were unified,
+    so one <emphasis>can</emphasis> use <literal>nix-env -iA nixos.bash</literal>
+    instead of <literal>nix-env -iA nixos.pkgs.bash</literal>.
+    See <link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the commit</link> for details.
+  </para></listitem>
+
+  <listitem>
+    <para>
+      Users running an SSH server who worry about the quality of their
+      <literal>/etc/ssh/moduli</literal> file with respect to the
+      <link
+      xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
+      discovered in the Diffie-Hellman key exchange</link> can now
+      replace OpenSSH's default version with one they generated
+      themselves using the new
+      <option>services.openssh.moduliFile</option> option.
+      </para>
+  </listitem>
+
+  <listitem> <para>
+    A newly packaged TeX Live 2015 is provided in <literal>pkgs.texlive</literal>,
+    split into 6500 nix packages. For basic user documentation see
+    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive-new/default.nix#L1"
+      >the source</link>.
+    Beware of <link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757"
+      >an issue</link> when installing a too large package set.
+
+    The plan is to deprecate and maybe delete the original TeX packages
+    until the next release.
+  </para> </listitem>
+
+  <listitem><para>
+    <option>buildEnv.env</option> on all Python interpreters
+    is now available for nix-shell interoperability.
+  </para> </listitem>
+</itemizedlist>
+
+</para>
+
+</section>
--- a/nixos/doc/manual/release-notes/rl-unstable.xml
+++ b/nixos/doc/manual/release-notes/rl-unstable.xml
@@ -1,231 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xmlns:xi="http://www.w3.org/2001/XInclude"
-         version="5.0"
-         xml:id="sec-release-unstable">
-
-<title>Release 15.07 (“Dingo”, 2015/07/??)</title>
-
-<para>In addition to numerous new and upgraded packages, this release has the following highlights:
-
-  <itemizedlist>
-    <listitem>
-      <para>
-        The Haskell packages infrastructure has been re-designed from the ground up.
-        NixOS now distributes the latest version of every single package registered on
-        <link xlink:href="http://hackage.haskell.org/">Hackage</link>, i.e. well over
-        8000 Haskell packages. Further information and usage instructions for the
-        improved infrastructure are available at <link
-        xlink:href="https://nixos.org/wiki/Haskell">https://nixos.org/wiki/Haskell</link>.
-        Users migrating from an earlier release will find also find helpful information
-        below, in the list of backwards-incompatible changes.
-      </para>
-    </listitem>
-
-    <listitem>
-      <para>
-        Users running an SSH server who worry about the quality of their
-        <literal>/etc/ssh/moduli</literal> file with respect to the <link
-        xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
-        discovered in the Diffie-Hellman key exchange</link> can now replace OpenSSH's
-        default version with one they generated themselves using the new
-        <literal>services.openssh.moduliFile</literal> option.
-      </para>
-    </listitem>
-  </itemizedlist>
-
-</para>
-
-
-<para>When upgrading from a previous release, please be aware of the
-following incompatible changes:
-
-<itemizedlist>
-
-<listitem><para><command>sshd</command> no longer supports DSA and ECDSA
-host keys by default. If you have existing systems with such host keys
-and want to continue to use them, please set
-
-<programlisting>
-system.stateVersion = "14.12";
-</programlisting>
-
-(The new option <option>system.stateVersion</option> ensures that
-certain configuration changes that could break existing systems (such
-as the <command>sshd</command> host key setting) will maintain
-compatibility with the specified NixOS release.)</para></listitem>
-
-<listitem><para><command>cron</command> is no longer enabled by
-default, unless you have a non-empty
-<option>services.cron.systemCronJobs</option>. To force
-<command>cron</command> to be enabled, set
-<option>services.cron.enable = true</option>.</para></listitem>
-
-<listitem><para>Nix now requires binary caches to be cryptographically
-signed. If you have unsigned binary caches that you want to continue
-to use, you should set <option>nix.requireSignedBinaryCaches =
-false</option>.</para></listitem>
-
-<listitem><para>Steam now doesn't need root rights to work. Instead of using
-<literal>*-steam-chrootenv</literal>, you should now just run <literal>steam</literal>.
-<literal>steamChrootEnv</literal> package was renamed to <literal>steam</literal>,
-and old <literal>steam</literal> package -- to <literal>steamOriginal</literal>.
-</para></listitem>
-
-<listitem><para>CMPlayer has been renamed to bomi upstream. Package <literal>cmplayer</literal>
-was accordingly renamed to <literal>bomi</literal>
-</para></listitem>
-
-<listitem><para>Atom Shell has been renamed to Electron upstream.  Package <literal>atom-shell</literal>
-was accordingly renamed to <literal>electron</literal>
-</para></listitem>
-
-<listitem><para>Elm is not released on Hackage anymore. You should now use <literal>elmPackages.elm</literal>
-which contains the latest Elm platform.</para></listitem>
-
-<listitem>
-  <para>
-	The CUPS printing service has been updated to version <literal>2.0.2</literal>.
-	Furthermore its systemd service has been renamed to <literal>cups.service</literal>.
-  </para>
-  <para>
-	Local printers are no longer shared or advertised by default. This behavior
-	can be changed by enabling <literal>services.printing.defaultShared</literal>
-	or <literal>services.printing.browsing</literal> respectively.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The VirtualBox host and guest options have been moved/renamed more
-    consistently and less confusing to be now found in
-    <literal>virtualisation.virtualbox.host.*</literal> instead of
-    <literal>services.virtualboxHost.*</literal> and
-    <literal>virtualisation.virtualbox.guest.*</literal> instead of
-    <literal>services.virtualboxGuest.*</literal>.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    Haskell packages can no longer be found by name, i.e. the commands
-    <literal>nix-env -qa cabal-install</literal> and <literal>nix-env -i
-    ghc</literal> will fail, even though we <emphasis>do</emphasis> ship
-    both <literal>cabal-install</literal> and <literal>ghc</literal>.
-    The reason for this inconvenience is the sheer size of the Haskell
-    package set: name-based lookups such as these would become much
-    slower than they are today if we'd add the entire Hackage database
-    into the top level attribute set. Instead, the list of Haskell
-    packages can be displayed by
-  </para>
-  <programlisting>
-nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A haskellPackages
-</programlisting>
-  <para>
-    and packages can be installed with:
-  </para>
-  <programlisting>
-nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.cabal-install
-</programlisting>
-</listitem>
-
-<listitem>
-  <para>
-    Previous versions of NixOS came with a feature called
-    <literal>ghc-wrapper</literal>, a small wrapper script that allows
-    GHC to transparently pick up on libraries installed in the user's
-    profile. This feature has been deprecated;
-    <literal>ghc-wrapper</literal> was removed from the distribution.
-    The proper way to register Haskell libraries with the compiler now
-    is the <literal>haskellPackages.ghcWithPackages</literal>
-    function.
-    <link xlink:href="https://nixos.org/wiki/Haskell">https://nixos.org/wiki/Haskell</link>
-    provides much information about this subject.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    All Haskell builds that have been generated with version 1.x of
-    the <literal>cabal2nix</literal> utility are now invalid and need
-    to be re-generated with a current version of
-    <literal>cabal2nix</literal> to function. The most recent version
-    of this tool can be installed by running
-    <literal>nix-env -i cabal2nix</literal>.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The <literal>haskellPackages</literal> set in Nixpkgs used to have a
-    function attribute called <literal>extension</literal> that users
-    could override in their <literal>~/.nixpkgs/config.nix</literal>
-    files to configure additional attributes, etc. That function still
-    exists, but it's now called <literal>overrides</literal>.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The OpenBLAS library has been updated to version
-    <literal>0.2.14</literal>. Support for the
-    <literal>x86_64-darwin</literal> platform was added. Dynamic
-    architecture detection was enabled; OpenBLAS now selects
-    microarchitecture-optimized routines at runtime, so optimal
-    performance is achieved without the need to rebuild OpenBLAS
-    locally. OpenBLAS has replaced ATLAS in most packages which use an
-    optimized BLAS or LAPACK implementation.
- </para>
-</listitem>
-
-<listitem>
-  <para>
-    The <literal>phpfpm</literal> is now using the default PHP version
-    (<literal>pkgs.php</literal>) instead of PHP 5.4 (<literal>pkgs.php54</literal>).
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The <literal>locate</literal> service no longer indexes the Nix store
-    by default, preventing packages with potentially numerous versions from
-    cluttering the output. Indexing the store can be activated by setting
-    <literal>services.locate.includeStore = true</literal>.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The Nix expression search path (<envar>NIX_PATH</envar>) no longer
-    contains <filename>/etc/nixos/nixpkgs</filename> by default. You
-    can override <envar>NIX_PATH</envar> by setting
-    <option>nix.nixPath</option>.
-  </para>
-</listitem>
-
-</itemizedlist>
-</para>
-
-
-<para>The following new services were added since the last release:
-
-<itemizedlist>
-<listitem><para><literal>brltty</literal></para></listitem>
-<listitem><para><literal>marathon</literal></para></listitem>
-<listitem><para><literal>tvheadend</literal></para></listitem>
-</itemizedlist>
-</para>
-
-
-<para>Other notable improvements:
-
-<itemizedlist>
-  <listitem><para>The nixos and nixpkgs channels were unified,
-    so one <emphasis>can</emphasis> use <literal>nix-env -iA nixos.bash</literal>
-    instead of <literal>nix-env -iA nixos.pkgs.bash</literal>.
-    See <link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the commit</link> for details.
-  </para></listitem>
-</itemizedlist>
-</para>
-
-</section>
--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@@ -0,0 +1,117 @@
+{ pkgs
+, lib
+
+, # The NixOS configuration to be installed onto the disk image.
+  config
+
+, # The size of the disk, in megabytes.
+  diskSize
+
+, # Whether the disk should be partitioned (with a single partition
+  # containing the root filesystem) or contain the root filesystem
+  # directly.
+  partitioned ? true
+
+, # The root file system type.
+  fsType ? "ext4"
+
+, # The initial NixOS configuration file to be copied to
+  # /etc/nixos/configuration.nix.
+  configFile ? null
+
+, # Shell code executed after the VM has finished.
+  postVM ? ""
+
+, name ? "nixos-disk-image"
+}:
+
+with lib;
+
+pkgs.vmTools.runInLinuxVM (
+  pkgs.runCommand name
+    { preVM =
+        ''
+          mkdir $out
+          diskImage=$out/nixos.img
+          ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "${toString diskSize}M"
+          mv closure xchg/
+        '';
+      buildInputs = [ pkgs.utillinux pkgs.perl pkgs.e2fsprogs pkgs.parted ];
+      exportReferencesGraph =
+        [ "closure" config.system.build.toplevel ];
+      inherit postVM;
+      memSize = 1024;
+    }
+    ''
+      ${if partitioned then ''
+        # Create a single / partition.
+        parted /dev/vda mklabel msdos
+        parted /dev/vda -- mkpart primary ext2 1M -1s
+        . /sys/class/block/vda1/uevent
+        mknod /dev/vda1 b $MAJOR $MINOR
+        rootDisk=/dev/vda1
+      '' else ''
+        rootDisk=/dev/vda
+      ''}
+
+      # Create an empty filesystem and mount it.
+      mkfs.${fsType} -L nixos $rootDisk
+      ${optionalString (fsType == "ext4") ''
+        tune2fs -c 0 -i 0 $rootDisk
+      ''}
+      mkdir /mnt
+      mount $rootDisk /mnt
+
+      # The initrd expects these directories to exist.
+      mkdir /mnt/dev /mnt/proc /mnt/sys
+
+      mount -o bind /proc /mnt/proc
+      mount -o bind /dev /mnt/dev
+      mount -o bind /sys /mnt/sys
+
+      # Copy all paths in the closure to the filesystem.
+      storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
+
+      mkdir -p /mnt/nix/store
+      echo "copying everything (will take a while)..."
+      set -f
+      cp -prd $storePaths /mnt/nix/store/
+
+      # Register the paths in the Nix database.
+      printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
+          chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group ""
+
+      # Add missing size/hash fields to the database. FIXME:
+      # exportReferencesGraph should provide these directly.
+      chroot /mnt ${config.nix.package}/bin/nix-store --verify --check-contents
+
+      # Create the system profile to allow nixos-rebuild to work.
+      chroot /mnt ${config.nix.package}/bin/nix-env --option build-users-group "" \
+          -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
+
+      # `nixos-rebuild' requires an /etc/NIXOS.
+      mkdir -p /mnt/etc
+      touch /mnt/etc/NIXOS
+
+      # `switch-to-configuration' requires a /bin/sh
+      mkdir -p /mnt/bin
+      ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
+
+      # Install a configuration.nix.
+      mkdir -p /mnt/etc/nixos
+      ${optionalString (configFile != null) ''
+        cp ${configFile} /mnt/etc/nixos/configuration.nix
+      ''}
+
+      # Generate the GRUB menu.
+      ln -s vda /dev/xvda
+      ln -s vda /dev/sda
+      chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
+
+      umount /mnt/proc /mnt/dev /mnt/sys
+      umount /mnt
+
+      # Do a fsck to make sure resize2fs works.
+      fsck.${fsType} -f -y $rootDisk
+    ''
+)
--- a/nixos/lib/make-iso9660-image.nix
+++ b/nixos/lib/make-iso9660-image.nix
@@ -39,7 +39,6 @@

 , # The volume ID.
  volumeID ? ""
-
 }:

 assert bootable -> bootImage != "";
@@ -47,7 +46,7 @@ assert efiBootable -> efiBootImage != "";
 assert usbBootable -> isohybridMbrImage != "";

 stdenv.mkDerivation {
-  name = "iso9660-image";
+  name = isoName;
  builder = ./make-iso9660-image.sh;
  buildInputs = [perl xorriso syslinux];

--- a/nixos/lib/make-iso9660-image.sh
+++ b/nixos/lib/make-iso9660-image.sh
@@ -129,3 +129,4 @@ fi

 mkdir -p $out/nix-support
 echo $system > $out/nix-support/system
+echo "file iso $out/iso/$isoName" >> $out/nix-support/hydra-build-products
--- a/nixos/lib/test-driver/Machine.pm
+++ b/nixos/lib/test-driver/Machine.pm
@@ -538,7 +538,7 @@ sub waitForX {
        retry sub {
            my ($status, $out) = $self->execute("journalctl -b SYSLOG_IDENTIFIER=systemd | grep 'session opened'");
            return 0 if $status != 0;
-            ($status, $out) = $self->execute("xwininfo -root > /dev/null 2>&1");
+            ($status, $out) = $self->execute("[ -e /tmp/.X11-unix/X0 ]");
            return 1 if $status == 0;
        }
    });
--- a/nixos/maintainers/scripts/ec2/amazon-base-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-base-config.nix
@@ -1,5 +0,0 @@
-{ modulesPath, ...}:
-{
-  imports = [ "${modulesPath}/virtualisation/amazon-init.nix" ];
-  services.journald.rateLimitBurst = 0;
-}
--- a/nixos/maintainers/scripts/ec2/amazon-hvm-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-hvm-config.nix
@@ -1,5 +0,0 @@
-{ config, pkgs, ...}:
-{
-  imports = [ ./amazon-base-config.nix ];
-  ec2.hvm = true;
-}
--- a/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix
@@ -1,34 +0,0 @@
-{ config, pkgs, lib, ...}:
-let
-  cloudUtils = pkgs.fetchurl {
-    url = "https://launchpad.net/cloud-utils/trunk/0.27/+download/cloud-utils-0.27.tar.gz";
-    sha256 = "16shlmg36lidp614km41y6qk3xccil02f5n3r4wf6d1zr5n4v8vd";
-  };
-  growpart = pkgs.stdenv.mkDerivation {
-    name = "growpart";
-    src = cloudUtils;
-    buildPhase = ''
-      cp bin/growpart $out
-      sed -i 's|awk|gawk|' $out
-      sed -i 's|sed|gnused|' $out
-    '';
-    dontInstall = true;
-    dontPatchShebangs = true;
-  };
-in
-{
-  imports = [ ./amazon-base-config.nix ];
-  ec2.hvm = true;
-  boot.loader.grub.device = lib.mkOverride 0 "/dev/xvdg";
-  boot.kernelParams = [ "console=ttyS0" ];
-
-  boot.initrd.extraUtilsCommands = ''
-    copy_bin_and_libs ${pkgs.gawk}/bin/gawk
-    copy_bin_and_libs ${pkgs.gnused}/bin/sed
-    copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk
-    cp -v ${growpart} $out/bin/growpart
-  '';
-  boot.initrd.postDeviceCommands = ''
-    [ -e /dev/xvda ] && [ -e /dev/xvda1 ] && TMPDIR=/run sh $(type -P growpart) /dev/xvda 1
-  '';
-}
--- a/nixos/maintainers/scripts/ec2/amazon-image.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-image.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  imports =
+    [ ../../../modules/installer/cd-dvd/channel.nix
+      ../../../modules/virtualisation/amazon-image.nix
+    ];
+
+  system.build.amazonImage = import ../../../lib/make-disk-image.nix {
+    inherit pkgs lib config;
+    partitioned = config.ec2.hvm;
+    diskSize = if config.ec2.hvm then 2048 else 8192;
+    configFile = pkgs.writeText "configuration.nix"
+      ''
+        {
+          imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];
+          ${optionalString config.ec2.hvm ''
+            ec2.hvm = true;
+          ''}
+        }
+      '';
+  };
+
+}
--- a/nixos/maintainers/scripts/ec2/create-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-amis.sh
@@ -0,0 +1,217 @@
+#! /bin/sh -e
+
+set -o pipefail
+#set -x
+
+stateDir=${TMPDIR:-/tmp}/ec2-image
+echo "keeping state in $stateDir"
+mkdir -p $stateDir
+
+version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
+echo "NixOS version is $version"
+
+rm -f ec2-amis.nix
+
+
+for type in hvm pv; do
+    link=$stateDir/$type
+    imageFile=$link/nixos.img
+    system=x86_64-linux
+    arch=x86_64
+
+    # Build the image.
+    if ! [ -L $link ]; then
+        if [ $type = pv ]; then hvmFlag=false; else hvmFlag=true; fi
+
+        echo "building image type '$type'..."
+        nix-build -o $link \
+            '<nixpkgs/nixos>' \
+            -A config.system.build.amazonImage \
+            --arg configuration "{ imports = [ <nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix> ]; ec2.hvm = $hvmFlag; }"
+    fi
+
+    for store in ebs s3; do
+
+        bucket=nixos-amis
+        bucketDir="$version-$type-$store"
+
+        prevAmi=
+        prevRegion=
+
+        #for region in eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do
+        for region in eu-west-1 us-east-1; do
+
+            name=nixos-$version-$arch-$type-$store
+            description="NixOS $system $version ($type-$store)"
+
+            amiFile=$stateDir/$region.$type.$store.ami-id
+
+            if ! [ -e $amiFile ]; then
+
+                echo "doing $name in $region..."
+
+                if [ -n "$prevAmi" ]; then
+                    ami=$(ec2-copy-image \
+                        --region "$region" \
+                        --source-region "$prevRegion" --source-ami-id "$prevAmi" \
+                        --name "$name" --description "$description" | cut -f 2)
+                else
+
+                    if [ $store = s3 ]; then
+
+                        # Bundle the image.
+                        imageDir=$stateDir/$type-bundled
+
+                        if ! [ -d $imageDir ]; then
+                            rm -rf $imageDir.tmp
+                            mkdir -p $imageDir.tmp
+                            ec2-bundle-image \
+                                -d $imageDir.tmp \
+                                -i $imageFile --arch $arch \
+                                --user "$AWS_ACCOUNT" -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY"
+                            mv $imageDir.tmp $imageDir
+                        fi
+
+                        # Upload the bundle to S3.
+                        if ! [ -e $imageDir/uploaded ]; then
+                            echo "uploading bundle to S3..."
+                            ec2-upload-bundle \
+                                -m $imageDir/nixos.img.manifest.xml \
+                                -b "$bucket/$bucketDir" \
+                                -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" \
+                                --location EU
+                            touch $imageDir/uploaded
+                        fi
+
+                        extraFlags="$bucket/$bucketDir/nixos.img.manifest.xml"
+
+                    else
+
+                        # Convert the image to vhd format so we don't have
+                        # to upload a huge raw image.
+                        vhdFile=$stateDir/$type.vhd
+                        if ! [ -e $vhdFile ]; then
+                            qemu-img convert -O vpc $imageFile $vhdFile.tmp
+                            mv $vhdFile.tmp $vhdFile
+                        fi
+
+                        taskId=$(cat $stateDir/$region.$type.task-id 2> /dev/null || true)
+                        volId=$(cat $stateDir/$region.$type.vol-id 2> /dev/null || true)
+                        snapId=$(cat $stateDir/$region.$type.snap-id 2> /dev/null || true)
+
+                        # Import the VHD file.
+                        if [ -z "$snapId" -a -z "$volId" -a -z "$taskId" ]; then
+                            echo "importing $vhdFile..."
+                            taskId=$(ec2-import-volume $vhdFile --no-upload -f vhd \
+                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" \
+                                --region "$region" -z "${region}a" \
+                                --bucket "$bucket" --prefix "$bucketDir/" \
+                                | tee /dev/stderr \
+                                | sed 's/.*\(import-vol-[0-9a-z]\+\).*/\1/ ; t ; d')
+                            echo -n "$taskId" > $stateDir/$region.$type.task-id
+                        fi
+
+                        if [ -z "$snapId" -a -z "$volId" ]; then
+                            ec2-resume-import  $vhdFile -t "$taskId" --region "$region" \
+                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY"
+                        fi
+
+                        # Wait for the volume creation to finish.
+                        if [ -z "$snapId" -a -z "$volId" ]; then
+                            echo "waiting for import to finish..."
+                            while true; do
+                                volId=$(ec2-describe-conversion-tasks "$taskId" --region "$region" | sed 's/.*VolumeId.*\(vol-[0-9a-f]\+\).*/\1/ ; t ; d')
+                                if [ -n "$volId" ]; then break; fi
+                                sleep 10
+                            done
+
+                            echo -n "$volId" > $stateDir/$region.$type.vol-id
+                        fi
+
+                        # Delete the import task.
+                        if [ -n "$volId" -a -n "$taskId" ]; then
+                            echo "removing import task..."
+                            ec2-delete-disk-image -t "$taskId" --region "$region" -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" || true
+                            rm -f $stateDir/$region.$type.task-id
+                        fi
+
+                        # Create a snapshot.
+                        if [ -z "$snapId" ]; then
+                            echo "creating snapshot..."
+                            snapId=$(ec2-create-snapshot "$volId" --region "$region" | cut -f 2)
+                            echo -n "$snapId" > $stateDir/$region.$type.snap-id
+                            ec2-create-tags "$snapId" -t "Name=$description" --region "$region"
+                        fi
+
+                        # Wait for the snapshot to finish.
+                        echo "waiting for snapshot to finish..."
+                        while true; do
+                            status=$(ec2-describe-snapshots "$snapId" --region "$region" | head -n1 | cut -f 4)
+                            if [ "$status" = completed ]; then break; fi
+                            sleep 10
+                        done
+
+                        # Delete the volume.
+                        if [ -n "$volId" ]; then
+                            echo "deleting volume..."
+                            ec2-delete-volume "$volId" --region "$region" || true
+                            rm -f $stateDir/$region.$type.vol-id
+                        fi
+
+                        extraFlags="-b /dev/sda1=$snapId:20:true:gp2"
+
+                        if [ $type = pv ]; then
+                            extraFlags+=" --root-device-name=/dev/sda1"
+                        fi
+
+                        extraFlags+=" -b /dev/sdb=ephemeral0 -b /dev/sdc=ephemeral1 -b /dev/sdd=ephemeral2 -b /dev/sde=ephemeral3"
+                    fi
+
+                    # Register the AMI.
+                    if [ $type = pv ]; then
+                        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
+                        [ -n "$kernel" ]
+                        echo "using PV-GRUB kernel $kernel"
+                        extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
+                    else
+                        extraFlags+=" --virtualization-type hvm"
+                    fi
+
+                    set -x
+                    ami=$(ec2-register \
+                        -n "$name" \
+                        -d "$description" \
+                        --region "$region" \
+                        --architecture "$arch" \
+                        $extraFlags | cut -f 2)
+                fi
+
+                echo -n "$ami" > $amiFile
+                echo "created AMI $ami of type '$type' in $region..."
+
+            else
+                ami=$(cat $amiFile)
+            fi
+
+            echo "waiting for AMI..."
+            while true; do
+                status=$(ec2-describe-images "$ami" --region "$region" | head -n1 | cut -f 5)
+                if [ "$status" = available ]; then break; fi
+                sleep 10
+            done
+
+            ec2-modify-image-attribute \
+                --region "$region" "$ami" -l -a all
+
+            echo "region = $region, type = $type, store = $store, ami = $ami"
+            if [ -z "$prevAmi" ]; then
+                prevAmi="$ami"
+                prevRegion="$region"
+            fi
+
+            echo "  \"15.09\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix
+        done
+
+    done
+
+done
--- a/nixos/maintainers/scripts/ec2/create-ebs-amis.py
+++ b/nixos/maintainers/scripts/ec2/create-ebs-amis.py
@@ -1,216 +0,0 @@
-#! /usr/bin/env python
-
-import os
-import sys
-import time
-import argparse
-import nixops.util
-from nixops import deployment
-from boto.ec2.blockdevicemapping import BlockDeviceMapping, BlockDeviceType
-import boto.ec2
-from nixops.statefile import StateFile, get_default_state_file
-
-parser = argparse.ArgumentParser(description='Create an EBS-backed NixOS AMI')
-parser.add_argument('--region', dest='region', required=True, help='EC2 region to create the image in')
-parser.add_argument('--channel', dest='channel', default="14.12", help='Channel to use')
-parser.add_argument('--keep', dest='keep', action='store_true', help='Keep NixOps machine after use')
-parser.add_argument('--hvm', dest='hvm', action='store_true', help='Create HVM image')
-parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair used for HVM instance creation', default="rob")
-args = parser.parse_args()
-
-instance_type = "m3.medium" if args.hvm else "m1.small"
-
-if args.hvm:
-    virtualization_type = "hvm"
-    root_block = "/dev/sda1"
-    image_type = 'hvm'
-else:
-    virtualization_type = "paravirtual"
-    root_block = "/dev/sda"
-    image_type = 'ebs'
-
-ebs_size = 20
-
-# Start a NixOS machine in the given region.
-f = open("ebs-creator-config.nix", "w")
-f.write('''{{
-  resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos";
-  resources.ec2KeyPairs.keypair.region = "{0}";
-
-  machine =
-    {{ pkgs, ... }}:
-    {{
-      deployment.ec2.accessKeyId = "lb-nixos";
-      deployment.ec2.region = "{0}";
-      deployment.ec2.blockDeviceMapping."/dev/xvdg".size = pkgs.lib.mkOverride 10 {1};
-    }};
-}}
-'''.format(args.region, ebs_size))
-f.close()
-
-db = StateFile(get_default_state_file())
-try:
-    depl = db.open_deployment("ebs-creator")
-except Exception:
-    depl = db.create_deployment()
-    depl.name = "ebs-creator"
-depl.logger.set_autoresponse("y")
-depl.nix_exprs = [os.path.abspath("./ebs-creator.nix"), os.path.abspath("./ebs-creator-config.nix")]
-if not args.keep: depl.destroy_resources()
-depl.deploy(allow_reboot=True)
-
-m = depl.machines['machine']
-
-# Do the installation.
-device="/dev/xvdg"
-if args.hvm:
-    m.run_command('parted -s /dev/xvdg -- mklabel msdos')
-    m.run_command('parted -s /dev/xvdg -- mkpart primary ext2 1M -1s')
-    device="/dev/xvdg1"
-
-m.run_command("if mountpoint -q /mnt; then umount /mnt; fi")
-m.run_command("mkfs.ext4 -L nixos {0}".format(device))
-m.run_command("mkdir -p /mnt")
-m.run_command("mount {0} /mnt".format(device))
-m.run_command("touch /mnt/.ebs")
-m.run_command("mkdir -p /mnt/etc/nixos")
-
-m.run_command("nix-channel --add https://nixos.org/channels/nixos-{} nixos".format(args.channel))
-m.run_command("nix-channel --update")
-
-version = m.run_command("nix-instantiate --eval-only -A lib.nixpkgsVersion '<nixpkgs>'", capture_stdout=True).split(' ')[0].replace('"','').strip()
-print >> sys.stderr, "NixOS version is {0}".format(version)
-if args.hvm:
-    m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/amazon-base-config.nix")
-    m.upload_file("./amazon-hvm-config.nix", "/mnt/etc/nixos/configuration.nix")
-    m.upload_file("./amazon-hvm-install-config.nix", "/mnt/etc/nixos/amazon-hvm-install-config.nix")
-    m.run_command("NIXOS_CONFIG=/etc/nixos/amazon-hvm-install-config.nix nixos-install")
-else:
-    m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/configuration.nix")
-    m.run_command("nixos-install")
-
-m.run_command("umount /mnt")
-
-if args.hvm:
-    ami_name = "nixos-{0}-x86_64-hvm".format(version)
-    description = "NixOS {0} (x86_64; EBS root; hvm)".format(version)
-else:
-    ami_name = "nixos-{0}-x86_64-ebs".format(version)
-    description = "NixOS {0} (x86_64; EBS root)".format(version)
-
-
-# Wait for the snapshot to finish.
-def check():
-    status = snapshot.update()
-    print >> sys.stderr, "snapshot status is {0}".format(status)
-    return status == '100%'
-
-m.connect()
-volume = m._conn.get_all_volumes([], filters={'attachment.instance-id': m.resource_id, 'attachment.device': "/dev/sdg"})[0]
-
-# Create a snapshot.
-snapshot = volume.create_snapshot(description=description)
-print >> sys.stderr, "created snapshot {0}".format(snapshot.id)
-
-nixops.util.check_wait(check, max_tries=120)
-
-m._conn.create_tags([snapshot.id], {'Name': ami_name})
-
-if not args.keep: depl.destroy_resources()
-
-# Register the image.
-aki = m._conn.get_all_images(filters={'manifest-location': 'ec2*pv-grub-hd0_1.03-x86_64*'})[0]
-print >> sys.stderr, "using kernel image {0} - {1}".format(aki.id, aki.location)
-
-block_map = BlockDeviceMapping()
-block_map[root_block] = BlockDeviceType(snapshot_id=snapshot.id, delete_on_termination=True, size=ebs_size, volume_type="gp2")
-block_map['/dev/sdb'] = BlockDeviceType(ephemeral_name="ephemeral0")
-block_map['/dev/sdc'] = BlockDeviceType(ephemeral_name="ephemeral1")
-block_map['/dev/sdd'] = BlockDeviceType(ephemeral_name="ephemeral2")
-block_map['/dev/sde'] = BlockDeviceType(ephemeral_name="ephemeral3")
-
-common_args = dict(
-        name=ami_name,
-        description=description,
-        architecture="x86_64",
-        root_device_name=root_block,
-        block_device_map=block_map,
-        virtualization_type=virtualization_type,
-        delete_root_volume_on_termination=True
-        )
-if not args.hvm:
-    common_args['kernel_id']=aki.id
-
-ami_id = m._conn.register_image(**common_args)
-
-print >> sys.stderr, "registered AMI {0}".format(ami_id)
-
-print >> sys.stderr, "sleeping a bit..."
-time.sleep(30)
-
-print >> sys.stderr, "setting image name..."
-m._conn.create_tags([ami_id], {'Name': ami_name})
-
-print >> sys.stderr, "making image public..."
-image = m._conn.get_all_images(image_ids=[ami_id])[0]
-image.set_launch_permissions(user_ids=[], group_names=["all"])
-
-# Do a test deployment to make sure that the AMI works.
-f = open("ebs-test.nix", "w")
-f.write(
-    '''
-    {{
-      network.description = "NixOS EBS test";
-
-      resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos";
-      resources.ec2KeyPairs.keypair.region = "{0}";
-
-      machine = {{ config, pkgs, resources, ... }}: {{
-        deployment.targetEnv = "ec2";
-        deployment.ec2.accessKeyId = "lb-nixos";
-        deployment.ec2.region = "{0}";
-        deployment.ec2.instanceType = "{2}";
-        deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
-        deployment.ec2.securityGroups = [ "public-ssh" ];
-        deployment.ec2.ami = "{1}";
-      }};
-    }}
-    '''.format(args.region, ami_id, instance_type))
-f.close()
-
-test_depl = db.create_deployment()
-test_depl.auto_response = "y"
-test_depl.name = "ebs-creator-test"
-test_depl.nix_exprs = [os.path.abspath("./ebs-test.nix")]
-test_depl.deploy(create_only=True)
-test_depl.machines['machine'].run_command("nixos-version")
-
-# Log the AMI ID.
-f = open("ec2-amis.nix".format(args.region, image_type), "w")
-f.write("{\n")
-
-for dest in [ 'us-east-1', 'us-west-1', 'us-west-2', 'eu-west-1', 'eu-central-1', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'sa-east-1']:
-    copy_image = None
-    if args.region != dest:
-        try:
-            print >> sys.stderr, "copying image from region {0} to {1}".format(args.region, dest)
-            conn = boto.ec2.connect_to_region(dest)
-            copy_image = conn.copy_image(args.region, ami_id, ami_name, description=None, client_token=None)
-        except :
-            print >> sys.stderr, "FAILED!"
-
-        # Log the AMI ID.
-        if copy_image != None:
-            f.write('  "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,dest,"hvm" if args.hvm else "ebs",copy_image.image_id))
-    else:
-        f.write('  "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,args.region,"hvm" if args.hvm else "ebs",ami_id))
-
-
-f.write("}\n")
-f.close()
-
-if not args.keep:
-    test_depl.logger.set_autoresponse("y")
-    test_depl.destroy_resources()
-    test_depl.delete()
-
--- a/nixos/maintainers/scripts/ec2/create-s3-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-s3-amis.sh
@@ -1,53 +0,0 @@
-#! /bin/sh -e
-
-export NIXOS_CONFIG=$(dirname $(readlink -f $0))/amazon-base-config.nix
-
-version=$(nix-instantiate --eval-only '<nixpkgs/nixos>' -A config.system.nixosVersion | sed s/'"'//g)
-echo "NixOS version is $version"
-
-buildAndUploadFor() {
-    system="$1"
-    arch="$2"
-
-    echo "building $system image..."
-    nix-build '<nixpkgs/nixos>' \
-        -A config.system.build.amazonImage --argstr system "$system" -o ec2-ami
-
-    ec2-bundle-image -i ./ec2-ami/nixos.img --user "$AWS_ACCOUNT" --arch "$arch" \
-        -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY"
-
-    for region in eu-west-1; do
-        echo "uploading $system image for $region..."
-
-        name=nixos-$version-$arch-s3
-        bucket="$(echo $name-$region | tr '[A-Z]_' '[a-z]-')"
-
-        if [ "$region" = eu-west-1 ]; then s3location=EU;
-        elif [ "$region" = us-east-1 ]; then s3location=US;
-        else s3location="$region"
-        fi
-
-        ec2-upload-bundle -b "$bucket" -m /tmp/nixos.img.manifest.xml \
-            -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" --location "$s3location" \
-            --url http://s3.amazonaws.com
-
-        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
-        echo "using PV-GRUB kernel $kernel"
-
-        ami=$(ec2-register "$bucket/nixos.img.manifest.xml" -n "$name" -d "NixOS $system r$revision" -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY" \
-            --region "$region" --kernel "$kernel" | cut -f 2)
-
-        echo "AMI ID is $ami"
-
-        echo "  \"14.12\".\"$region\".s3 = \"$ami\";" >> ec2-amis.nix
-
-        ec2-modify-image-attribute --region "$region" "$ami" -l -a all -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY"
-
-        for cp_region in us-east-1 us-west-1 us-west-2 eu-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do
-          new_ami=$(aws ec2 copy-image --source-image-id $ami --source-region $region --region $cp_region --name "$name" | json ImageId)
-          echo "  \"14.12\".\"$cp_region\".s3 = \"$new_ami\";" >> ec2-amis.nix  
-        done
-    done
-}
-
-buildAndUploadFor x86_64-linux x86_64
--- a/nixos/maintainers/scripts/ec2/ebs-creator.nix
+++ b/nixos/maintainers/scripts/ec2/ebs-creator.nix
@@ -1,13 +0,0 @@
-{
-  network.description = "NixOS EBS creator";
-
-  machine =
-    { config, pkgs, resources, ... }:
-    { deployment.targetEnv = "ec2";
-      deployment.ec2.instanceType = "c3.large";
-      deployment.ec2.securityGroups = [ "public-ssh" ];
-      deployment.ec2.ebsBoot = false;
-      deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
-      environment.systemPackages = [ pkgs.parted ];
-    };
-}
--- a/nixos/modules/config/debug-info.nix
+++ b/nixos/modules/config/debug-info.nix
@@ -0,0 +1,46 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  options = {
+
+    environment.enableDebugInfo = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Some NixOS packages provide debug symbols. However, these are
+        not included in the system closure by default to save disk
+        space. Enabling this option causes the debug symbols to appear
+        in <filename>/run/current-system/sw/lib/debug/.build-id</filename>,
+        where tools such as <command>gdb</command> can find them.
+        If you need debug symbols for a package that doesn't
+        provide them by default, you can enable them as follows:
+        <!-- FIXME: ugly, see #10721 -->
+        <programlisting>
+        nixpkgs.config.packageOverrides = pkgs: {
+          hello = overrideDerivation pkgs.hello (attrs: {
+            outputs = attrs.outputs or ["out"] ++ ["debug"];
+            buildInputs = attrs.buildInputs ++ [&lt;nixpkgs/pkgs/build-support/setup-hooks/separate-debug-info.sh>];
+          });
+        };
+        </programlisting>
+      '';
+    };
+
+  };
+
+
+  config = {
+
+    # FIXME: currently disabled because /lib is already in
+    # environment.pathsToLink, and we can't have both.
+    #environment.pathsToLink = [ "/lib/debug/.build-id" ];
+
+    environment.outputsToLink =
+      optional config.environment.enableDebugInfo "debug";
+
+  };
+
+}
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -70,8 +70,8 @@ in
      type = types.attrsOf (types.listOf types.str);
      example = { PATH = [ "/bin" "/sbin" ]; MANPATH = [ "/man" "/share/man" ]; };
      description = ''
-	Attribute set of environment variable.  Each attribute maps to a list
-	of relative paths.  Each relative path is appended to the each profile
+        Attribute set of environment variable.  Each attribute maps to a list
+        of relative paths.  Each relative path is appended to the each profile
        of <option>environment.profiles</option> to form the content of the
        corresponding environment variable.
      '';
@@ -136,6 +136,7 @@ in
        "''${pkgs.dash}/bin/dash"
      '';
      type = types.path;
+      visible = false;
      description = ''
        The shell executable that is linked system-wide to
        <literal>/bin/sh</literal>. Please note that NixOS assumes all
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@@ -34,7 +34,6 @@ let
      pkgs.xz
      pkgs.less
      pkgs.libcap
-      pkgs.man
      pkgs.nano
      pkgs.ncurses
      pkgs.netcat
@@ -78,8 +77,16 @@ in
        # to work.
        default = [];
        example = ["/"];
-        description = "List of directories to be symlinked in `/run/current-system/sw'.";
+        description = "List of directories to be symlinked in <filename>/run/current-system/sw</filename>.";
      };
+
+      outputsToLink = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = [ "doc" ];
+        description = "List of package outputs to be symlinked into <filename>/run/current-system/sw</filename>.";
+      };
+
    };

    system = {
@@ -103,23 +110,27 @@ in
      [ "/bin"
        "/etc/xdg"
        "/info"
-        "/lib"
-        "/man"
+        "/lib" # FIXME: remove and update debug-info.nix
        "/sbin"
+        "/share/applications"
+        "/share/desktop-directories"
        "/share/doc"
        "/share/emacs"
+        "/share/icons"
        "/share/info"
-        "/share/man"
+        "/share/menus"
+        "/share/mime"
        "/share/nano"
        "/share/org"
        "/share/terminfo"
+        "/share/themes"
        "/share/vim-plugins"
      ];

    system.path = pkgs.buildEnv {
      name = "system-path";
      paths = config.environment.systemPackages;
-      inherit (config.environment) pathsToLink;
+      inherit (config.environment) pathsToLink outputsToLink;
      ignoreCollisions = true;
      # !!! Hacky, should modularise.
      postBuild =
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -216,7 +216,7 @@ let
          exist. If <option>users.mutableUsers</option> is true, the
          password can be changed subsequently using the
          <command>passwd</command> command. Otherwise, it's
-          equivalent to setting the <option>password</option> option.
+          equivalent to setting the <option>hashedPassword</option> option.

          ${hashedPasswordDescription}
        '';
@@ -336,13 +336,13 @@ let
    map (range: "${user.name}:${toString range.startUid}:${toString range.count}\n")
      user.subUidRanges);

-  subuidFile = concatStrings (map mkSubuidEntry (attrValues cfg.extraUsers));
+  subuidFile = concatStrings (map mkSubuidEntry (attrValues cfg.users));

  mkSubgidEntry = user: concatStrings (
    map (range: "${user.name}:${toString range.startGid}:${toString range.count}\n")
        user.subGidRanges);

-  subgidFile = concatStrings (map mkSubgidEntry (attrValues cfg.extraUsers));
+  subgidFile = concatStrings (map mkSubgidEntry (attrValues cfg.users));

  idsAreUnique = set: idAttr: !(fold (name: args@{ dup, acc }:
    let
@@ -354,8 +354,8 @@ let
      else { dup = false; acc = newAcc; }
    ) { dup = false; acc = {}; } (builtins.attrNames set)).dup;

-  uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.extraUsers) "uid";
-  gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.extraGroups) "gid";
+  uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.users) "uid";
+  gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.groups) "gid";

  spec = pkgs.writeText "users-groups.json" (builtins.toJSON {
    inherit (cfg) mutableUsers;
@@ -364,13 +364,13 @@ let
          name uid group description home shell createHome isSystemUser
          password passwordFile hashedPassword
          initialPassword initialHashedPassword;
-      }) cfg.extraUsers;
+      }) cfg.users;
    groups = mapAttrsToList (n: g:
      { inherit (g) name gid;
        members = g.members ++ (mapAttrsToList (n: u: u.name) (
-          filterAttrs (n: u: elem g.name u.extraGroups) cfg.extraUsers
+          filterAttrs (n: u: elem g.name u.extraGroups) cfg.users
        ));
-      }) cfg.extraGroups;
+      }) cfg.groups;
  });

 in {
@@ -388,10 +388,10 @@ in {
        <literal>groupadd</literal> commands. On system activation, the
        existing contents of the <literal>/etc/passwd</literal> and
        <literal>/etc/group</literal> files will be merged with the
-        contents generated from the <literal>users.extraUsers</literal> and
-        <literal>users.extraGroups</literal> options.
+        contents generated from the <literal>users.users</literal> and
+        <literal>users.groups</literal> options.
        The initial password for a user will be set
-        according to <literal>users.extraUsers</literal>, but existing passwords
+        according to <literal>users.users</literal>, but existing passwords
        will not be changed.

        <warning><para>
@@ -399,7 +399,7 @@ in {
        group files will simply be replaced on system activation. This also
        holds for the user passwords; all changed
        passwords will be reset according to the
-        <literal>users.extraUsers</literal> configuration on activation.
+        <literal>users.users</literal> configuration on activation.
        </para></warning>
      '';
    };
@@ -412,7 +412,7 @@ in {
      '';
    };

-    users.extraUsers = mkOption {
+    users.users = mkOption {
      default = {};
      type = types.loaOf types.optionSet;
      example = {
@@ -433,7 +433,7 @@ in {
      options = [ userOpts ];
    };

-    users.extraGroups = mkOption {
+    users.groups = mkOption {
      default = {};
      example =
        { students.gid = 1001;
@@ -461,7 +461,7 @@ in {

  config = {

-    users.extraUsers = {
+    users.users = {
      root = {
        uid = ids.uids.root;
        description = "System administrator";
@@ -478,7 +478,7 @@ in {
      };
    };

-    users.extraGroups = {
+    users.groups = {
      root.gid = ids.gids.root;
      wheel.gid = ids.gids.wheel;
      disk.gid = ids.gids.disk;
@@ -525,6 +525,27 @@ in {
      { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
        message = "UIDs and GIDs must be unique!";
      }
+      { # If mutableUsers is false, to prevent users creating a
+        # configuration that locks them out of the system, ensure that
+        # there is at least one "privileged" account that has a
+        # password or an SSH authorized key. Privileged accounts are
+        # root and users in the wheel group.
+        assertion = !cfg.mutableUsers ->
+          any id (mapAttrsToList (name: cfg:
+            (name == "root"
+             || cfg.group == "wheel"
+             || elem "wheel" cfg.extraGroups)
+            &&
+            ((cfg.hashedPassword != null && cfg.hashedPassword != "!")
+             || cfg.password != null
+             || cfg.passwordFile != null
+             || cfg.openssh.authorizedKeys.keys != []
+             || cfg.openssh.authorizedKeys.keyFiles != [])
+          ) cfg.users);
+        message = ''
+          Neither the root account nor any wheel user has a password or SSH authorized key.
+          You must set one to prevent being locked out of your system.'';
+      }
    ];

  };
--- a/nixos/modules/installer/cd-dvd/channel.nix
+++ b/nixos/modules/installer/cd-dvd/channel.nix
@@ -17,7 +17,9 @@ let
      mkdir -p $out
      cp -prd ${pkgs.path} $out/nixos
      chmod -R u+w $out/nixos
-      ln -s . $out/nixos/nixpkgs
+      if [ ! -e $out/nixos/nixpkgs ]; then
+        ln -s . $out/nixos/nixpkgs
+      fi
      rm -rf $out/nixos/.git
      echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix
    '';
@@ -33,7 +35,7 @@ in
        echo "unpacking the NixOS/Nixpkgs sources..."
        mkdir -p /nix/var/nix/profiles/per-user/root
        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \
-          -i ${channelSources} --quiet --option use-substitutes false
+          -i ${channelSources} --quiet --option build-use-substitutes false
        mkdir -m 0700 -p /root/.nix-defexpr
        ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels
        mkdir -m 0755 -p /var/lib/nixos
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -43,6 +43,13 @@ let
    LINUX /boot/bzImage
    APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}
    INITRD /boot/initrd
+
+    # A variant to boot with 'nomodeset'
+    LABEL boot-nomodeset
+    MENU LABEL NixOS ${config.system.nixosVersion}${config.isoImage.appendToMenuLabel} (with nomodeset)
+    LINUX /boot/bzImage
+    APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} nomodeset
+    INITRD /boot/initrd
  '';

  isolinuxMemtest86Entry = ''
@@ -59,10 +66,18 @@ let
    mkdir -p $out/EFI/boot
    cp -v ${pkgs.gummiboot}/lib/gummiboot/gummiboot${targetArch}.efi $out/EFI/boot/boot${targetArch}.efi
    mkdir -p $out/loader/entries
+
    echo "title NixOS Live CD" > $out/loader/entries/nixos-livecd.conf
    echo "linux /boot/bzImage" >> $out/loader/entries/nixos-livecd.conf
    echo "initrd /boot/initrd" >> $out/loader/entries/nixos-livecd.conf
    echo "options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}" >> $out/loader/entries/nixos-livecd.conf
+
+    # A variant to boot with 'nomodeset'
+    echo "title NixOS Live CD (with nomodeset)" > $out/loader/entries/nixos-livecd-nomodeset.conf
+    echo "linux /boot/bzImage" >> $out/loader/entries/nixos-livecd-nomodeset.conf
+    echo "initrd /boot/initrd" >> $out/loader/entries/nixos-livecd-nomodeset.conf
+    echo "options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} nomodeset" >> $out/loader/entries/nixos-livecd-nomodeset.conf
+
    echo "default nixos-livecd" > $out/loader/loader.conf
    echo "timeout ${builtins.toString config.boot.loader.gummiboot.timeout}" >> $out/loader/loader.conf
  '';
@@ -230,7 +245,6 @@ in
    boot.kernelParams =
      [ "root=LABEL=${config.isoImage.volumeID}"
        "boot.shell_on_fail"
-        "nomodeset"
      ];

    fileSystems."/" =
--- a/nixos/modules/installer/tools/auto-upgrade.nix
+++ b/nixos/modules/installer/tools/auto-upgrade.nix
@@ -42,6 +42,17 @@ let cfg = config.system.autoUpgrade; in
        '';
      };

+      dates = mkOption {
+        default = "04:40";
+        type = types.str;
+        description = ''
+          Specification (in the format described by
+          <citerefentry><refentrytitle>systemd.time</refentrytitle>
+          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          which the update will occur.
+        '';
+      };
+
    };

  };
@@ -70,10 +81,10 @@ let cfg = config.system.autoUpgrade; in
      path = [ pkgs.gnutar pkgs.xz config.nix.package ];

      script = ''
-        ${config.system.build.nixos-rebuild}/bin/nixos-rebuild test ${toString cfg.flags}
+        ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch ${toString cfg.flags}
      '';

-      startAt = mkIf cfg.enable "04:40";
+      startAt = optionalString cfg.enable cfg.dates;
    };

  };
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -148,7 +148,7 @@ sub pciCheck {
         $device eq "0x4331" || $device eq "0x43a0" || $device eq "0x43b1"
        ) )
     {
-        push @modulePackages, "\${config.boot.kernelPackages.broadcom_sta}";
+        push @modulePackages, "config.boot.kernelPackages.broadcom_sta";
        push @kernelModules, "wl";
     }

@@ -406,13 +406,20 @@ EOF

 # Generate the hardware configuration file.

-sub toNixExpr {
+sub toNixStringList {
    my $res = "";
    foreach my $s (@_) {
        $res .= " \"$s\"";
    }
    return $res;
 }
+sub toNixList {
+    my $res = "";
+    foreach my $s (@_) {
+        $res .= " $s";
+    }
+    return $res;
+}

 sub multiLineList {
    my $indent = shift;
@@ -428,9 +435,9 @@ sub multiLineList {
    return $res;
 }

-my $initrdAvailableKernelModules = toNixExpr(uniq @initrdAvailableKernelModules);
-my $kernelModules = toNixExpr(uniq @kernelModules);
-my $modulePackages = toNixExpr(uniq @modulePackages);
+my $initrdAvailableKernelModules = toNixStringList(uniq @initrdAvailableKernelModules);
+my $kernelModules = toNixStringList(uniq @kernelModules);
+my $modulePackages = toNixList(uniq @modulePackages);

 my $fsAndSwap = "";
 if (!$noFilesystems) {
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -157,9 +157,9 @@ if [ -n "$buildNix" ]; then
            if ! nix-build '<nixpkgs>' -A nix -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
                machine="$(uname -m)"
                if [ "$machine" = x86_64 ]; then
-                    nixStorePath=/nix/store/664kxr14kfgx4dl095crvmr7pbh9xlh5-nix-1.9
+                    nixStorePath=/nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10
                elif [[ "$machine" =~ i.86 ]]; then
-                    nixStorePath=/nix/store/p7xdvz72xx3rhm121jclsbdmmcds7xh6-nix-1.9
+                    nixStorePath=/nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10
                else
                    echo "$0: unsupported platform"
                    exit 1
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -229,6 +229,7 @@
      riak = 205;
      shout = 206;
      gateone = 207;
+      nm-openvpn = 217;

      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!

@@ -436,6 +437,7 @@
      riak = 205;
      #shout = 206; #unused
      gateone = 207;
+      nm-openvpn = 217;

      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -56,7 +56,7 @@ with lib;
    system.defaultChannel = mkOption {
      internal = true;
      type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-15.09;
      description = "Default NixOS channel to which the root user is subscribed.";
    };

--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1,7 +1,8 @@
 [
+  ./config/debug-info.nix
  ./config/fonts/corefonts.nix
-  ./config/fonts/fontconfig.nix
  ./config/fonts/fontconfig-ultimate.nix
+  ./config/fonts/fontconfig.nix
  ./config/fonts/fontdir.nix
  ./config/fonts/fonts.nix
  ./config/fonts/ghostscript.nix
@@ -22,9 +23,9 @@
  ./config/system-environment.nix
  ./config/system-path.nix
  ./config/timezone.nix
-  ./config/vpnc.nix
  ./config/unix-odbc-drivers.nix
  ./config/users-groups.nix
+  ./config/vpnc.nix
  ./config/zram.nix
  ./hardware/all-firmware.nix
  ./hardware/cpu/amd-microcode.nix
@@ -61,9 +62,11 @@
  ./programs/command-not-found/command-not-found.nix
  ./programs/dconf.nix
  ./programs/environment.nix
+  ./programs/freetds.nix
  ./programs/ibus.nix
  ./programs/kbdlight.nix
  ./programs/light.nix
+  ./programs/man.nix
  ./programs/nano.nix
  ./programs/screen.nix
  ./programs/shadow.nix
@@ -73,7 +76,6 @@
  ./programs/uim.nix
  ./programs/venus.nix
  ./programs/wvdial.nix
-  ./programs/freetds.nix
  ./programs/xfs_quota.nix
  ./programs/zsh/zsh.nix
  ./rename.nix
@@ -116,6 +118,7 @@
  ./services/computing/slurm/slurm.nix
  ./services/continuous-integration/jenkins/default.nix
  ./services/continuous-integration/jenkins/slave.nix
+  ./services/continuous-integration/jenkins/job-builder.nix
  ./services/databases/4store-endpoint.nix
  ./services/databases/4store.nix
  ./services/databases/couchdb.nix
@@ -468,6 +471,7 @@
  ./tasks/filesystems/ntfs.nix
  ./tasks/filesystems/reiserfs.nix
  ./tasks/filesystems/unionfs-fuse.nix
+  ./tasks/filesystems/vboxsf.nix
  ./tasks/filesystems/vfat.nix
  ./tasks/filesystems/xfs.nix
  ./tasks/filesystems/zfs.nix
--- a/nixos/modules/programs/command-not-found/command-not-found.nix
+++ b/nixos/modules/programs/command-not-found/command-not-found.nix
@@ -57,9 +57,9 @@ in
          if [ $? = 126 ]; then
            "$@"
          fi
-	else
+        else
          # Indicate than there was an error so ZSH falls back to its default handler
-	  return 127
+          return 127
        fi
      }
    '';
--- a/nixos/modules/programs/command-not-found/command-not-found.pl
+++ b/nixos/modules/programs/command-not-found/command-not-found.pl
@@ -30,11 +30,11 @@ The program ‘$program’ is currently not installed. It is provided by
 the package ‘$package’, which I will now install for you.
 EOF
        ;
-        exit 126 if system("nix-env", "-i", $package) == 0;
+        exit 126 if system("nix-env", "-iA", "nixos.$package") == 0;
    } else {
        print STDERR <<EOF;
 The program ‘$program’ is currently not installed. You can install it by typing:
-  nix-env -i $package
+  nix-env -iA nixos.$package
 EOF
    }
 } else {
@@ -42,7 +42,7 @@ EOF
 The program ‘$program’ is currently not installed. It is provided by
 several packages. You can install it by typing one of the following:
 EOF
-    print STDERR "  nix-env -i $_->{package}\n" foreach @$res;
+    print STDERR "  nix-env -iA nixos.$_->{package}\n" foreach @$res;
 }

 exit 127;
--- a/nixos/modules/programs/man.nix
+++ b/nixos/modules/programs/man.nix
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  options = {
+
+    programs.man.enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to enable manual pages and the <command>man</command> command.
+      '';
+    };
+
+  };
+
+
+  config = mkIf config.programs.man.enable {
+
+    environment.systemPackages = [ pkgs.man ];
+
+    environment.pathsToLink = [ "/share/man" ];
+
+    environment.outputsToLink = [ "man" ];
+
+  };
+
+}
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -18,6 +18,14 @@ let
      exec ${askPassword}
    '';

+  knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
+
+  knownHostsText = flip (concatMapStringsSep "\n") knownHosts
+    (h: assert h.hostNames != [];
+      concatStringsSep "," h.hostNames + " "
+      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+    );
+
 in
 {
  ###### interface
@@ -28,7 +36,6 @@ in

      askPassword = mkOption {
        type = types.str;
-        default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
        description = ''Program used by SSH to ask for passwords.'';
      };

@@ -92,16 +99,76 @@ in
        '';
      };

+      knownHosts = mkOption {
+        default = {};
+        type = types.loaOf (types.submodule ({ name, ... }: {
+          options = {
+            hostNames = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              description = ''
+                A list of host names and/or IP numbers used for accessing
+                the host's ssh service.
+              '';
+            };
+            publicKey = mkOption {
+              default = null;
+              type = types.nullOr types.str;
+              example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
+              description = ''
+                The public key data for the host. You can fetch a public key
+                from a running SSH server with the <command>ssh-keyscan</command>
+                command. The public key should not include any host names, only
+                the key type and the key itself.
+              '';
+            };
+            publicKeyFile = mkOption {
+              default = null;
+              type = types.nullOr types.path;
+              description = ''
+                The path to the public key file for the host. The public
+                key file is read at build time and saved in the Nix store.
+                You can fetch a public key file from a running SSH server
+                with the <command>ssh-keyscan</command> command. The content
+                of the file should follow the same format as described for
+                the <literal>publicKey</literal> option.
+              '';
+            };
+          };
+          config = {
+            hostNames = mkDefault [ name ];
+          };
+        }));
+        description = ''
+          The set of system-wide known SSH hosts.
+        '';
+        example = [
+          {
+            hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
+            publicKeyFile = literalExample "./pubkeys/myhost_ssh_host_dsa_key.pub";
+          }
+          {
+            hostNames = [ "myhost2" ];
+            publicKeyFile = literalExample "./pubkeys/myhost2_ssh_host_dsa_key.pub";
+          }
+        ];
+      };
+
    };

  };

  config = {

-    assertions = singleton
-      { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
-        message = "cannot enable X11 forwarding without setting XAuth location";
-      };
+    assertions =
+      [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
+          message = "cannot enable X11 forwarding without setting XAuth location";
+        }
+      ] ++ flip mapAttrsToList cfg.knownHosts (name: data: {
+        assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+                    (data.publicKey != null && data.publicKeyFile == null);
+        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+      });

    # SSH configuration. Slight duplication of the sshd_config
    # generation in the sshd service.
@@ -118,6 +185,8 @@ in
        ${cfg.extraConfig}
      '';

+    environment.etc."ssh/ssh_known_hosts".text = knownHostsText;
+
    # FIXME: this should really be socket-activated for über-awesomeness.
    systemd.user.services.ssh-agent =
      { enable = cfg.startAgent;
@@ -153,5 +222,7 @@ in
        export SSH_ASKPASS=${askPassword}
      '';

+    programs.ssh.askPassword = mkDefault "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
+
  };
 }
--- a/nixos/modules/programs/venus.nix
+++ b/nixos/modules/programs/venus.nix
@@ -99,7 +99,6 @@ in
      };

      outputTheme = mkOption {
-        default = "${pkgs.venus}/themes/classic_fancy";
        type = types.path;
        description = ''
          Directory containing a config.ini file which is merged with this one.
@@ -170,5 +169,7 @@ in
        startAt = cfg.dates;
      };

+    services.venus.outputTheme = mkDefault "${pkgs.venus}/themes/classic_fancy";
+
  };
 }
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -77,6 +77,8 @@ in zipModules ([]
 ++ obsolete [ "environment" "nix" ] [ "nix" "package" ]
 ++ obsolete [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ]
 ++ obsolete [ "fonts" "extraFonts" ] [ "fonts" "fonts" ]
++ alias [ "users" "extraUsers" ] [ "users" "users" ]
++ alias [ "users" "extraGroups" ] [ "users" "groups" ]

 ++ obsolete [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ]
 ++ obsolete [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ]
@@ -110,6 +112,7 @@ in zipModules ([]
 ++ obsolete [ "services" "sshd" "permitRootLogin" ] [ "services" "openssh" "permitRootLogin" ]
 ++ obsolete [ "services" "xserver" "startSSHAgent" ] [ "services" "xserver" "startOpenSSHAgent" ]
 ++ obsolete [ "services" "xserver" "startOpenSSHAgent" ] [ "programs" "ssh" "startAgent" ]
++ alias [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ]

 # VirtualBox
 ++ obsolete [ "services" "virtualbox" "enable" ] [ "virtualisation" "virtualbox" "guest" "enable" ]
--- a/nixos/modules/services/amqp/activemq/default.nix
+++ b/nixos/modules/services/amqp/activemq/default.nix
@@ -32,7 +32,6 @@ in {
        '';
      };
      configurationDir = mkOption {
-        default = "${activemq}/conf";
        description = ''
          The base directory for ActiveMQ's configuration.
          By default, this directory is searched for a file named activemq.xml,
@@ -126,6 +125,8 @@ in {
      '';
    };

+    services.activemq.configurationDir = mkDefault "${activemq}/conf";
+
  };

 }
--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@@ -105,7 +105,7 @@ in {
      tokenAuth = mkOption {
        description = ''
          Kubernetes apiserver token authentication file. See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authentication.html"/>
        '';
        default = {};
        example = literalExample ''
@@ -120,7 +120,7 @@ in {
      authorizationMode = mkOption {
        description = ''
          Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
        '';
        default = "AlwaysAllow";
        type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"];
@@ -129,7 +129,7 @@ in {
      authorizationPolicy = mkOption {
        description = ''
          Kubernetes apiserver authorization policy file. See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
        '';
        default = [];
        example = literalExample ''
@@ -159,18 +159,37 @@ in {
      };

      runtimeConfig = mkOption {
-        description = "Api runtime configuration";
+        description = ''
+          Api runtime configuration. See
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/>
+        '';
        default = "";
        example = "api/all=false,api/v1=true";
        type = types.str;
      };

      admissionControl = mkOption {
-        description = "Kubernetes admission control plugins to use.";
+        description = ''
+          Kubernetes admission control plugins to use. See
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/admission-controllers.html"/>
+        '';
        default = ["AlwaysAdmit"];
+        example = [
+          "NamespaceLifecycle" "NamespaceExists" "LimitRanger"
+          "SecurityContextDeny" "ServiceAccount" "ResourceQuota"
+        ];
        type = types.listOf types.str;
      };

+      serviceAccountKey = mkOption {
+        description = ''
+          Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
+          used to verify ServiceAccount tokens.
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
      extraOpts = mkOption {
        description = "Kubernetes apiserver extra command line options.";
        default = "";
@@ -235,8 +254,26 @@ in {
        type = types.str;
      };

+      serviceAccountPrivateKey = mkOption {
+        description = ''
+          Kubernetes controller manager PEM-encoded private RSA key file used to
+          sign service account tokens
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
+      rootCaFile = mkOption {
+        description = ''
+          Kubernetes controller manager certificate authority file included in
+          service account's token secret.
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
      extraOpts = mkOption {
-        description = "Kubernetes controller extra command line options.";
+        description = "Kubernetes controller manager extra command line options.";
        default = "";
        type = types.str;
      };
@@ -294,7 +331,10 @@ in {
      };

      apiServers = mkOption {
-        description = "Kubernetes kubelet list of Kubernetes API servers for publishing events, and reading pods and services.";
+        description = ''
+          Kubernetes kubelet list of Kubernetes API servers for publishing events,
+          and reading pods and services.
+        '';
        default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];
        type = types.listOf types.str;
      };
@@ -413,17 +453,14 @@ in {
            ${optionalString (cfg.apiserver.runtimeConfig!="")
              "--runtime-config=${cfg.apiserver.runtimeConfig}"} \
            --admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \
+            ${optionalString (cfg.apiserver.serviceAccountKey!=null)
+              "--service-account-key-file=${cfg.apiserver.serviceAccountKey}"} \
            --logtostderr=true \
            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
            ${cfg.apiserver.extraOpts}
          '';
          User = "kubernetes";
        };
-        postStart = ''
-          until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.apiserver.address}:${toString cfg.apiserver.port}/'; do
-            sleep 1;
-          done
-        '';
      };
    })

@@ -456,6 +493,10 @@ in {
            --address=${cfg.controllerManager.address} \
            --port=${toString cfg.controllerManager.port} \
            --master=${cfg.controllerManager.master} \
+            ${optionalString (cfg.controllerManager.serviceAccountPrivateKey!=null)
+              "--service-account-private-key-file=${cfg.controllerManager.serviceAccountPrivateKey}"} \
+            ${optionalString (cfg.controllerManager.rootCaFile!=null)
+              "--root-ca-file=${cfg.controllerManager.rootCaFile}"} \
            --logtostderr=true \
            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
            ${cfg.controllerManager.extraOpts}
@@ -509,6 +550,8 @@ in {
            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
            ${cfg.proxy.extraOpts}
          '';
+          Restart = "always"; # Retry connection
+          RestartSec = "5s";
        };
      };
    })
--- a/nixos/modules/services/continuous-integration/jenkins/default.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/default.nix
@@ -48,11 +48,33 @@ in {
        '';
      };

+      listenAddress = mkOption {
+        default = "0.0.0.0";
+        example = "localhost";
+        type = types.str;
+        description = ''
+          Specifies the bind address on which the jenkins HTTP interface listens.
+          The default is the wildcard address.
+        '';
+      };
+
      port = mkOption {
        default = 8080;
        type = types.int;
        description = ''
-          Specifies port number on which the jenkins HTTP interface listens. The default is 8080.
+          Specifies port number on which the jenkins HTTP interface listens.
+          The default is 8080.
+        '';
+      };
+
+      prefix = mkOption {
+        default = "";
+        example = "/jenkins";
+        type = types.str;
+        description = ''
+          Specifies a urlPrefix to use with jenkins.
+          If the example /jenkins is given, the jenkins server will be
+          accessible using localhost:8080/jenkins.
        '';
      };

@@ -65,18 +87,22 @@ in {
      };

      environment = mkOption {
-        default = { NIX_REMOTE = "daemon"; };
+        default = { };
        type = with types; attrsOf str;
        description = ''
          Additional environment variables to be passed to the jenkins process.
-          The environment will always include JENKINS_HOME.
+          As a base environment, jenkins receives NIX_PATH, SSL_CERT_FILE and
+          GIT_SSL_CAINFO from <option>environment.sessionVariables</option>,
+          NIX_REMOTE is set to "daemon" and JENKINS_HOME is set to
+          the value of <option>services.jenkins.home</option>. This option has
+          precedence and can be used to override those mentioned variables.
        '';
      };

      extraOptions = mkOption {
        type = types.listOf types.str;
        default = [ ];
-        example = [ "--debug=9" "--httpListenAddress=localhost" ];
+        example = [ "--debug=9" ];
        description = ''
          Additional command line arguments to pass to Jenkins.
        '';
@@ -106,27 +132,39 @@ in {
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

-      environment = {
-        JENKINS_HOME = cfg.home;
-      } // cfg.environment;
+      environment =
+        let
+          selectedSessionVars =
+            lib.filterAttrs (n: v: builtins.elem n
+                [ "NIX_PATH"
+                  "SSL_CERT_FILE"
+                  "GIT_SSL_CAINFO"
+                ])
+              config.environment.sessionVariables;
+        in
+          selectedSessionVars //
+          { JENKINS_HOME = cfg.home;
+            NIX_REMOTE = "daemon";
+          } //
+          cfg.environment;

      path = cfg.packages;

+      # Force .war (re)extraction, or else we might run stale Jenkins.
+      preStart = ''
+        rm -rf ${cfg.home}/war
+      '';
+
      script = ''
-        ${pkgs.jdk}/bin/java -jar ${pkgs.jenkins} --httpPort=${toString cfg.port} ${concatStringsSep " " cfg.extraOptions}
+        ${pkgs.jdk}/bin/java -jar ${pkgs.jenkins} --httpListenAddress=${cfg.listenAddress} \
+                                                  --httpPort=${toString cfg.port} \
+                                                  --prefix=${cfg.prefix} \
+                                                  ${concatStringsSep " " cfg.extraOptions}
      '';

      postStart = ''
-        until ${pkgs.curl}/bin/curl -s -L localhost:${toString cfg.port} ; do
-          sleep 10
-        done
-        while true ; do
-          index=`${pkgs.curl}/bin/curl -s -L localhost:${toString cfg.port}`
-          if [[ !("$index" =~ 'Please wait while Jenkins is restarting' ||
-                  "$index" =~ 'Please wait while Jenkins is getting ready to work') ]]; then
-            exit 0
-          fi
-          sleep 30
+        until ${pkgs.curl}/bin/curl -s -L --fail --head http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} >/dev/null; do
+            sleep 2
        done
      '';

--- a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
@@ -0,0 +1,155 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  jenkinsCfg = config.services.jenkins;
+  cfg = config.services.jenkins.jobBuilder;
+
+in {
+  options = {
+    services.jenkins.jobBuilder = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether or not to enable the Jenkins Job Builder (JJB) service. It
+          allows defining jobs for Jenkins in a declarative manner.
+
+          Jobs managed through the Jenkins WebUI (or by other means) are left
+          unchanged.
+
+          Note that it really is declarative configuration; if you remove a
+          previously defined job, the corresponding job directory will be
+          deleted.
+
+          Please see the Jenkins Job Builder documentation for more info:
+          <link xlink:href="http://docs.openstack.org/infra/jenkins-job-builder/">
+          http://docs.openstack.org/infra/jenkins-job-builder/</link>
+        '';
+      };
+
+      yamlJobs = mkOption {
+        default = "";
+        type = types.lines;
+        example = ''
+          - job:
+              name: jenkins-job-test-1
+              builders:
+                - shell: echo 'Hello world!'
+        '';
+        description = ''
+          Job descriptions for Jenkins Job Builder in YAML format.
+        '';
+      };
+
+      jsonJobs = mkOption {
+        default = [ ];
+        type = types.listOf types.str;
+        example = literalExample ''
+          [
+            '''
+              [ { "job":
+                  { "name": "jenkins-job-test-2",
+                    "builders": [ "shell": "echo 'Hello world!'" ]
+                  }
+                }
+              ]
+            '''
+          ]
+        '';
+        description = ''
+          Job descriptions for Jenkins Job Builder in JSON format.
+        '';
+      };
+
+      nixJobs = mkOption {
+        default = [ ];
+        type = types.listOf types.attrs;
+        example = literalExample ''
+          [ { job =
+              { name = "jenkins-job-test-3";
+                builders = [
+                  { shell = "echo 'Hello world!'"; }
+                ];
+              };
+            }
+          ];
+        '';
+        description = ''
+          Job descriptions for Jenkins Job Builder in Nix format.
+
+          This is a trivial wrapper around jsonJobs, using builtins.toJSON
+          behind the scene.
+        '';
+      };
+    };
+  };
+
+  config = mkIf (jenkinsCfg.enable && cfg.enable) {
+    systemd.services.jenkins-job-builder = {
+      description = "Jenkins Job Builder Service";
+      # JJB can run either before or after jenkins. We chose after, so we can
+      # always use curl to notify (running) jenkins to reload its config.
+      after = [ "jenkins.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ jenkins-job-builder curl ];
+
+      # Q: Why manipulate files directly instead of using "jenkins-jobs upload [...]"?
+      # A: Because this module is for administering a local jenkins install,
+      #    and using local file copy allows us to not worry about
+      #    authentication.
+      script =
+        let
+          yamlJobsFile = builtins.toFile "jobs.yaml" cfg.yamlJobs;
+          jsonJobsFiles =
+            map (x: (builtins.toFile "jobs.json" x))
+              (cfg.jsonJobs ++ [(builtins.toJSON cfg.nixJobs)]);
+          jobBuilderOutputDir = "/run/jenkins-job-builder/output";
+          # Stamp file is placed in $JENKINS_HOME/jobs/$JOB_NAME/ to indicate
+          # ownership. Enables tracking and removal of stale jobs.
+          ownerStamp = ".config-xml-managed-by-nixos-jenkins-job-builder";
+        in
+          ''
+            rm -rf ${jobBuilderOutputDir}
+            cur_decl_jobs=/run/jenkins-job-builder/declarative-jobs
+            rm -f "$cur_decl_jobs"
+
+            # Create / update jobs
+            mkdir -p ${jobBuilderOutputDir}
+            for inputFile in ${yamlJobsFile} ${concatStringsSep " " jsonJobsFiles}; do
+                HOME="${jenkinsCfg.home}" "${pkgs.jenkins-job-builder}/bin/jenkins-jobs" --ignore-cache test -o "${jobBuilderOutputDir}" "$inputFile"
+            done
+
+            for file in "${jobBuilderOutputDir}/"*; do
+                test -f "$file" || continue
+                jobname="$(basename $file)"
+                jobdir="${jenkinsCfg.home}/jobs/$jobname"
+                echo "Creating / updating job \"$jobname\""
+                mkdir -p "$jobdir"
+                touch "$jobdir/${ownerStamp}"
+                cp "$file" "$jobdir/config.xml"
+                echo "$jobname" >> "$cur_decl_jobs"
+            done
+
+            # Remove stale jobs
+            for file in "${jenkinsCfg.home}"/jobs/*/${ownerStamp}; do
+                test -f "$file" || continue
+                jobdir="$(dirname $file)"
+                jobname="$(basename "$jobdir")"
+                grep --quiet --line-regexp "$jobname" "$cur_decl_jobs" 2>/dev/null && continue
+                echo "Deleting stale job \"$jobname\""
+                rm -rf "$jobdir"
+            done
+
+            echo "Asking Jenkins to reload config"
+            curl --silent -X POST http://${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/reload
+          '';
+      serviceConfig = {
+        User = jenkinsCfg.user;
+        RuntimeDirectory = "jenkins-job-builder";
+      };
+    };
+  };
+}
--- a/nixos/modules/services/databases/opentsdb.nix
+++ b/nixos/modules/services/databases/opentsdb.nix
@@ -5,10 +5,7 @@ with lib;
 let
  cfg = config.services.opentsdb;

-  configFile = pkgs.writeText "opentsdb.conf" ''
-    tsd.core.auto_create_metrics = true
-    tsd.http.request.enable_chunked  = true
-  '';
+  configFile = pkgs.writeText "opentsdb.conf" cfg.config;

 in {

@@ -59,6 +56,17 @@ in {
        '';
      };

+      config = mkOption {
+        type = types.lines;
+        default = ''
+          tsd.core.auto_create_metrics = true
+          tsd.http.request.enable_chunked  = true
+        '';
+        description = ''
+          The contents of OpenTSDB's configuration file
+        '';
+      };
+
    };

  };
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -122,8 +122,8 @@ in
        example = literalExample "pkgs.postgis";
        description = ''
          When this list contains elements a new store path is created.
-          PostgreSQL and the elments are symlinked into it. Then pg_config,
-          postgres and pc_ctl are copied to make them use the new
+          PostgreSQL and the elements are symlinked into it. Then pg_config,
+          postgres and pg_ctl are copied to make them use the new
          $out/lib directory as pkglibdir. This makes it possible to use postgis
          without patching the .sql files which reference $libdir/postgis-1.5.
        '';
@@ -202,6 +202,8 @@ in
                  # For non-root operation.
                  initdb
                fi
+                # See postStart!
+                touch "${cfg.dataDir}/.first_startup"
            fi

            ln -sfn "${configFile}" "${cfg.dataDir}/postgresql.conf"
--- a/nixos/modules/services/hardware/sane.nix
+++ b/nixos/modules/services/hardware/sane.nix
@@ -36,7 +36,6 @@ in

    hardware.sane.configDir = mkOption {
      type = types.string;
-      default = "${saneConfig}/etc/sane.d";
      description = "The value of SANE_CONFIG_DIR.";
    };

@@ -47,6 +46,8 @@ in

  config = mkIf config.hardware.sane.enable {

+    hardware.sane.configDir = mkDefault "${saneConfig}/etc/sane.d";
+
    environment.systemPackages = backends;
    environment.sessionVariables = {
      SANE_CONFIG_DIR = config.hardware.sane.configDir;
--- a/nixos/modules/services/hardware/tlp.nix
+++ b/nixos/modules/services/hardware/tlp.nix
@@ -8,7 +8,16 @@ cfg = config.services.tlp;

 tlp = pkgs.tlp.override { kmod = config.system.sbin.modprobe; };

-confFile = pkgs.writeText "tlp" (builtins.readFile "${tlp}/etc/default/tlp" + cfg.extraConfig);
+# XXX: We can't use writeTextFile + readFile here because it triggers
+# TLP build to get the .drv (even on --dry-run).
+confFile = pkgs.runCommand "tlp"
+  { config = cfg.extraConfig;
+    passAsFile = [ "config" ];
+  }
+  ''
+    cat ${tlp}/etc/default/tlp > $out
+    cat $configPath >> $out
+  '';

 in

--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@@ -180,9 +180,7 @@ in
        firmware to function).  If multiple packages contain firmware
        files with the same name, the first package in the list takes
        precedence.  Note that you must rebuild your system if you add
-        files to any of these directories.  For quick testing,
-        put firmware files in <filename>/root/test-firmware</filename>
-        and add that directory to the list.
+        files to any of these directories.
      '';
      apply = list: pkgs.buildEnv {
        name = "firmware";
--- a/nixos/modules/services/logging/logstash.nix
+++ b/nixos/modules/services/logging/logstash.nix
@@ -84,10 +84,10 @@ in
        type = types.lines;
        default = ''stdin { type => "example" }'';
        description = "Logstash input configuration.";
-        example = ''
+        example = literalExample ''
          # Read from journal
          pipe {
-            command => "${pkgs.systemd}/bin/journalctl -f -o json"
+            command => "''${pkgs.systemd}/bin/journalctl -f -o json"
            type => "syslog" codec => json {}
          }
        '';
@@ -132,6 +132,7 @@ in
      description = "Logstash Daemon";
      wantedBy = [ "multi-user.target" ];
      environment = { JAVA_HOME = jre; };
+      path = [ pkgs.bash ];
      serviceConfig = {
        ExecStart =
          "${cfg.package}/bin/logstash agent " +
--- a/nixos/modules/services/mail/opensmtpd.nix
+++ b/nixos/modules/services/mail/opensmtpd.nix
@@ -9,6 +9,11 @@ let
  conf = writeText "smtpd.conf" cfg.serverConfiguration;
  args = concatStringsSep " " cfg.extraServerArgs;

+  sendmail = pkgs.runCommand "opensmtpd-sendmail" {} ''
+    mkdir -p $out/bin
+    ln -s ${opensmtpd}/sbin/smtpctl $out/bin/sendmail
+  '';
+
 in {

  ###### interface
@@ -23,6 +28,15 @@ in {
        description = "Whether to enable the OpenSMTPD server.";
      };

+      addSendmailToSystemPath = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to add OpenSMTPD's sendmail binary to the
+          system path or not.
+        '';
+      };
+
      extraServerArgs = mkOption {
        type = types.listOf types.str;
        default = [];
@@ -53,7 +67,7 @@ in {

  ###### implementation

-  config = mkIf config.services.opensmtpd.enable {
+  config = mkIf cfg.enable {
    users.extraGroups = {
      smtpd.gid = config.ids.gids.smtpd;
      smtpq.gid = config.ids.gids.smtpq;
@@ -80,9 +94,6 @@ in {
      serviceConfig.ExecStart = "${opensmtpd}/sbin/smtpd -d -f ${conf} ${args}";
    };

-    environment.systemPackages = [ (pkgs.runCommand "opensmtpd-sendmail" {} ''
-      mkdir -p $out/bin
-      ln -s ${opensmtpd}/sbin/smtpctl $out/bin/sendmail
-    '') ];
+    environment.systemPackages = mkIf cfg.addSendmailToSystemPath [ sendmail ];
  };
 }
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -379,7 +379,7 @@ in
          ${pkgs.coreutils}/bin/chmod -R ug+rwX /var/postfix/queue
          ${pkgs.coreutils}/bin/chown root:root /var/spool/mail
          ${pkgs.coreutils}/bin/chmod a+rwxt /var/spool/mail
-          ${pkgs.coreutils}/bin/ln -sf /var/spool/mail /var/mail
+          ${pkgs.coreutils}/bin/ln -sf /var/spool/mail /var/

          ln -sf "${pkgs.postfix}/etc/postfix/"* /var/postfix/conf

--- a/nixos/modules/services/misc/disnix.nix
+++ b/nixos/modules/services/misc/disnix.nix
@@ -121,6 +121,7 @@ in
      disnix =
        { description = "Disnix server";
        
+          wants = [ "dysnomia.target" ];
          wantedBy = [ "multi-user.target" ];
          after = [ "dbus.service" ]
            ++ optional config.services.httpd.enable "httpd.service"
@@ -137,6 +138,17 @@ in
          environment = {
            HOME = "/root";
          };
+          
+          preStart = ''
+            mkdir -p /etc/systemd-mutable/system
+            if [ ! -f /etc/systemd-mutable/system/dysnomia.target ]
+            then
+                ( echo "[Unit]"
+                  echo "Description=Services that are activated and deactivated by Dysnomia"
+                  echo "After=final.target"
+                ) > /etc/systemd-mutable/system/dysnomia.target
+            fi
+          '';

          exec = "disnix-service";
        };
--- a/nixos/modules/services/misc/nixos-manual.nix
+++ b/nixos/modules/services/misc/nixos-manual.nix
@@ -80,7 +80,6 @@ in

    services.nixosManual.browser = mkOption {
      type = types.path;
-      default = "${pkgs.w3m}/bin/w3m";
      description = ''
        Browser used to show the manual.
      '';
@@ -93,7 +92,9 @@ in

    system.build.manual = manual;

-    environment.systemPackages = [ manual.manpages help ];
+    environment.systemPackages =
+      [ manual.manual help ]
+      ++ optional config.programs.man.enable manual.manpages;

    boot.extraTTYs = mkIf cfg.showManual ["tty${cfg.ttyNumber}"];

@@ -116,6 +117,8 @@ in
    services.mingetty.helpLine = mkIf cfg.showManual
      "\nPress <Alt-F${toString cfg.ttyNumber}> for the NixOS manual.";

+    services.nixosManual.browser = mkDefault "${pkgs.w3m}/bin/w3m";
+
  };

 }
--- a/nixos/modules/services/misc/redmine.nix
+++ b/nixos/modules/services/misc/redmine.nix
@@ -124,7 +124,7 @@ in {

    assertions = [
      { assertion = cfg.databasePassword != "";
-        message = "databasePassword must be set";
+        message = "services.redmine.databasePassword must be set";
      }
    ];

--- a/nixos/modules/services/misc/subsonic.nix
+++ b/nixos/modules/services/misc/subsonic.nix
@@ -97,7 +97,6 @@ in

      transcoders = mkOption {
        type = types.listOf types.path;
-        default = [ "${pkgs.ffmpeg}/bin/ffmpeg" ];
        description = ''
          List of paths to transcoder executables that should be accessible
          from Subsonic. Symlinks will be created to each executable inside
@@ -153,5 +152,8 @@ in
    };

    users.extraGroups.subsonic.gid = config.ids.gids.subsonic;
+
+    services.subsonic.transcoders = mkDefault [ "${pkgs.ffmpeg}/bin/ffmpeg" ];
+
  };
 }
--- a/nixos/modules/services/monitoring/bosun.nix
+++ b/nixos/modules/services/monitoring/bosun.nix
@@ -9,7 +9,7 @@ let
    tsdbHost = ${cfg.opentsdbHost}
    httpListen = ${cfg.listenAddress}
    stateFile = ${cfg.stateFile}
-    checkFrequency = 5m
+    checkFrequency = ${cfg.checkFrequency}

    ${cfg.extraConfig}
  '';
@@ -30,6 +30,7 @@ in {

      package = mkOption {
        type = types.package;
+        default = pkgs.bosun;
        example = literalExample "pkgs.bosun";
        description = ''
          bosun binary to use.
@@ -76,6 +77,14 @@ in {
        '';
      };

+      checkFrequency = mkOption {
+        type = types.str;
+        default = "5m";
+        description = ''
+          Bosun's check frequency
+        '';
+      };
+
      extraConfig = mkOption {
        type = types.string;
        default = "";
@@ -95,8 +104,6 @@ in {

  config = mkIf cfg.enable {
  
-    services.bosun.package = mkDefault pkgs.bosun; 
-
    systemd.services.bosun = {
      description = "bosun metrics collector (part of Bosun)";
      wantedBy = [ "multi-user.target" ];
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -7,150 +7,37 @@ let

  b2s = val: if val then "true" else "false";

-  cfgFile = pkgs.writeText "grafana.ini" ''
-    app_name = grafana
-    app_mode = production
+  envOptions = {
+    PATHS_DATA = cfg.dataDir;
+    PATHS_LOGS = "${cfg.dataDir}/log";

-    [server]
-    ; protocol (http or https)
-    protocol = ${cfg.protocol}
-    ; the ip address to bind to, empty will bind to all interfaces
-    http_addr = ${cfg.addr}
-    ; the http port  to use
-    http_port = ${toString cfg.port}
-    ; The public facing domain name used to access grafana from a browser
-    domain = ${cfg.domain}
-    ; the full public facing url
-    root_url = ${cfg.rootUrl}
-    router_logging = false
-    ; the path relative to the binary where the static (html/js/css) files are placed
-    static_root_path = ${cfg.staticRootPath}
-    ; enable gzip
-    enable_gzip = false
-    ; https certs & key file
-    cert_file = ${cfg.certFile}
-    cert_key = ${cfg.certKey}
+    SERVER_PROTOCOL = cfg.protocol;
+    SERVER_HTTP_ADDR = cfg.addr;
+    SERVER_HTTP_PORT = cfg.port;
+    SERVER_DOMAIN = cfg.domain;
+    SERVER_ROOT_URL = cfg.rootUrl;
+    SERVER_STATIC_ROOT_PATH = cfg.staticRootPath;
+    SERVER_CERT_FILE = cfg.certFile;
+    SERVER_CERT_KEY = cfg.certKey;

-    [analytics]
-    # Server reporting, sends usage counters to stats.grafana.org every 24 hours.
-    # No ip addresses are being tracked, only simple counters to track
-    # running instances, dashboard and error counts. It is very helpful to us.
-    # Change this option to false to disable reporting.
-    reporting_enabled = true
-    ; Google Analytics universal tracking code, only enabled if you specify an id here
-    google_analytics_ua_id =
+    DATABASE_TYPE = cfg.database.type;
+    DATABASE_HOST = cfg.database.host;
+    DATABASE_NAME = cfg.database.name;
+    DATABASE_USER = cfg.database.user;
+    DATABASE_PASSWORD = cfg.database.password;
+    DATABASE_PATH = cfg.database.path;

-    [database]
-    ; Either "mysql", "postgres" or "sqlite3", it's your choice
-    type = ${cfg.database.type}
-    host = ${cfg.database.host}
-    name = ${cfg.database.name}
-    user = ${cfg.database.user}
-    password = ${cfg.database.password}
-    ; For "postgres" only, either "disable", "require" or "verify-full"
-    ssl_mode = disable
-    ; For "sqlite3" only
-    path = ${cfg.database.path}
+    SECURITY_ADMIN_USER = cfg.security.adminUser;
+    SECURITY_ADMIN_PASSWORD = cfg.security.adminPassword;
+    SECURITY_SECRET_KEY = cfg.security.secretKey;

-    [session]
-    ; Either "memory", "file", "redis", "mysql", default is "memory"
-    provider = file
-    ; Provider config options
-    ; memory: not have any config yet
-    ; file: session file path, e.g. `data/sessions`
-    ; redis: config like redis server addr, poolSize, password, e.g. `127.0.0.1:6379,100,grafana`
-    ; mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1)/database_name`
-    provider_config = data/sessions
-    ; Session cookie name
-    cookie_name = grafana_sess
-    ; If you use session in https only, default is false
-    cookie_secure = false
-    ; Session life time, default is 86400
-    session_life_time = 86400
-    ; session id hash func, Either "sha1", "sha256" or "md5" default is sha1
-    session_id_hashfunc = sha1
-    ; Session hash key, default is use random string
-    session_id_hashkey =
+    USERS_ALLOW_SIGN_UP = b2s cfg.users.allowSignUp;
+    USERS_ALLOW_ORG_CREATE = b2s cfg.users.allowOrgCreate;
+    USERS_AUTO_ASSIGN_ORG = b2s cfg.users.autoAssignOrg;
+    USERS_AUTO_ASSIGN_ORG_ROLE = cfg.users.autoAssignOrgRole;

-    [security]
-    ; default admin user, created on startup
-    admin_user = ${cfg.security.adminUser}
-    ; default admin password, can be changed before first start of grafana,  or in profile settings
-    admin_password = ${cfg.security.adminPassword}
-    ; used for signing
-    secret_key = ${cfg.security.secretKey}
-    ; Auto-login remember days
-    login_remember_days = 7
-    cookie_username = grafana_user
-    cookie_remember_name = grafana_remember
-
-    [users]
-    ; disable user signup / registration
-    allow_sign_up = ${b2s cfg.users.allowSignUp}
-    ; Allow non admin users to create organizations
-    allow_org_create = ${b2s cfg.users.allowOrgCreate}
-    # Set to true to automatically assign new users to the default organization (id 1)
-    auto_assign_org = ${b2s cfg.users.autoAssignOrg}
-    ; Default role new users will be automatically assigned (if disabled above is set to true)
-    auto_assign_org_role = ${cfg.users.autoAssignOrgRole}
-
-    [auth.anonymous]
-    ; enable anonymous access
-    enabled = ${b2s cfg.auth.anonymous.enable}
-    ; specify organization name that should be used for unauthenticated users
-    org_name = Main Org.
-    ; specify role for unauthenticated users
-    org_role = Viewer
-
-    [auth.github]
-    enabled = false
-    client_id = some_id
-    client_secret = some_secret
-    scopes = user:email
-    auth_url = https://github.com/login/oauth/authorize
-    token_url = https://github.com/login/oauth/access_token
-
-    [auth.google]
-    enabled = false
-    client_id = some_client_id
-    client_secret = some_client_secret
-    scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
-    auth_url = https://accounts.google.com/o/oauth2/auth
-    token_url = https://accounts.google.com/o/oauth2/token
-
-    [log]
-    root_path = data/log
-    ; Either "console", "file", default is "console"
-    ; Use comma to separate multiple modes, e.g. "console, file"
-    mode = console
-    ; Buffer length of channel, keep it as it is if you don't know what it is.
-    buffer_len = 10000
-    ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
-    level = Info
-
-    ; For "console" mode only
-    [log.console]
-    level =
-
-    ; For "file" mode only
-    [log.file]
-    level =
-    ; This enables automated log rotate(switch of following options), default is true
-    log_rotate = true
-    ; Max line number of single file, default is 1000000
-    max_lines = 1000000
-    ; Max size shift of single file, default is 28 means 1 << 28, 256MB
-    max_lines_shift = 28
-    ; Segment log daily, default is true
-    daily_rotate = true
-    ; Expired days of log file(delete after max days), default is 7
-    max_days = 7
-
-    [event_publisher]
-    enabled = false
-    rabbitmq_url = amqp://localhost/
-    exchange = grafana_events
-  '';
+    AUTH_ANONYMOUS_ENABLE = b2s cfg.auth.anonymous.enable;
+  } // cfg.extraOptions;

 in {
  options.services.grafana = {
@@ -200,13 +87,12 @@ in {

    staticRootPath = mkOption {
      description = "Root path for static assets.";
-      default = "${cfg.package}/share/go/src/github.com/grafana/grafana/public";
      type = types.str;
    };

    package = mkOption {
      description = "Package to use.";
-      default = pkgs.goPackages.grafana;
+      default = pkgs.grafana;
      type = types.package;
    };

@@ -307,22 +193,36 @@ in {
        type = types.bool;
      };
    };
+
+    extraOptions = mkOption {
+      description = ''
+        Extra configuration options passed as env variables as specified in
+        <link xlink:href="http://docs.grafana.org/installation/configuration/">documentation</link>,
+        but without GF_ prefix
+      '';
+      default = {};
+      type = types.attrsOf types.str;
+    };
  };

  config = mkIf cfg.enable {
    warnings = [
-      "Grafana passwords will be stored as plaintext in nix store!"
+      "Grafana passwords will be stored as plaintext in the Nix store!"
    ];

    systemd.services.grafana = {
      description = "Grafana Service Daemon";
      wantedBy = ["multi-user.target"];
      after = ["networking.target"];
+      environment = mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions;
      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/grafana --config ${cfgFile} web";
+        ExecStart = "${cfg.package}/bin/grafana -homepath ${cfg.dataDir}";
        WorkingDirectory = cfg.dataDir;
        User = "grafana";
      };
+      preStart = ''
+        ln -fs ${cfg.package}/share/grafana/conf ${cfg.dataDir}
+      '';
    };

    users.extraUsers.grafana = {
@@ -331,5 +231,8 @@ in {
      home = cfg.dataDir;
      createHome = true;
    };
+
+    services.grafana.staticRootPath = mkDefault "${cfg.package}/share/grafana/public";
+
  };
 }
--- a/nixos/modules/services/monitoring/graphite.nix
+++ b/nixos/modules/services/monitoring/graphite.nix
@@ -249,13 +249,13 @@ in {
      };

      enableAggregator = mkOption {
-        description = "Whether to enable carbon agregator, the carbon buffering service.";
+        description = "Whether to enable carbon aggregator, the carbon buffering service.";
        default = false;
        type = types.bool;
      };

      aggregationRules = mkOption {
-        description = "Defines if and how received metrics will be agregated.";
+        description = "Defines if and how received metrics will be aggregated.";
        default = null;
        type = types.uniq (types.nullOr types.string);
        example = ''
--- a/nixos/modules/services/monitoring/teamviewer.nix
+++ b/nixos/modules/services/monitoring/teamviewer.nix
@@ -14,7 +14,7 @@ in

  options = {

-    services.teamviewer.enable = mkEnableOption "teamviewer daemon";
+    services.teamviewer.enable = mkEnableOption "TeamViewer daemon";
      
  };

@@ -27,8 +27,9 @@ in
    systemd.services.teamviewerd = {
      description = "TeamViewer remote control daemon";

-      wantedBy = [ "graphical.target" ];
+      wantedBy = [ "multi-user.target" ];
      after = [ "NetworkManager-wait-online.service" "network.target" ];
+      preStart = "mkdir -pv /var/lib/teamviewer /var/log/teamviewer";

      serviceConfig = {
        Type = "forking";
--- a/nixos/modules/services/network-filesystems/nfsd.nix
+++ b/nixos/modules/services/network-filesystems/nfsd.nix
@@ -88,10 +88,7 @@ in

    environment.systemPackages = [ pkgs.nfs-utils ];

-    environment.etc = singleton
-      { source = exports;
-        target = "exports";
-      };
+    environment.etc.exports.source = exports;

    boot.kernelModules = [ "nfsd" ];

--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -97,8 +97,8 @@ in
        description = ''
          Enabling this will add a line directly after pam_unix.so.
          Whenever a password is changed the samba password will be updated as well.
-          However you still yave to add the samba password once using smbpasswd -a user
-          If you don't want to maintain an extra pwd database you still can send plain text
+          However, you still have to add the samba password once, using smbpasswd -a user.
+          If you don't want to maintain an extra password database, you still can send plain text
          passwords which is not secure.
        '';
      };
--- a/nixos/modules/services/networking/asterisk.nix
+++ b/nixos/modules/services/networking/asterisk.nix
@@ -201,6 +201,7 @@ in
        for d in '${varlibdir}' '${spooldir}' '${logdir}'; do
          # TODO: Make exceptions for /var directories that likely should be updated
          if [ ! -e "$d" ]; then
+            mkdir -p "$d"
            cp --recursive ${pkgs.asterisk}/"$d" "$d"
            chown --recursive ${asteriskUser} "$d"
            find "$d" -type d | xargs chmod 0755
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -52,10 +52,7 @@ in
        default = "opendns";
        type = types.nullOr types.string;
        description = ''
-          The name of the upstream DNSCrypt resolver to use. See
-          <literal>${resolverListFile}</literal> for alternative resolvers
-          (e.g., if you are concerned about logging and/or server
-          location).
+          The name of the upstream DNSCrypt resolver to use.
        '';
      };
      customResolver = mkOption {
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -40,7 +40,6 @@ let
    polkit.addRule(function(action, subject) {
      if (
        subject.isInGroup("networkmanager")
-        && subject.active
        && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
            || action.id.indexOf("org.freedesktop.ModemManager")  == 0
        ))
@@ -207,10 +206,18 @@ in {

    environment.systemPackages = cfg.packages;

-    users.extraGroups = singleton {
+    users.extraGroups = [{
      name = "networkmanager";
      gid = config.ids.gids.networkmanager;
-    };
+    }
+    {
+      name = "nm-openvpn";
+      gid = config.ids.gids.nm-openvpn;
+    }];
+    users.extraUsers = [{
+      name = "nm-openvpn";
+      uid = config.ids.uids.nm-openvpn;
+    }];

    systemd.packages = cfg.packages;

--- a/nixos/modules/services/networking/nix-serve.nix
+++ b/nixos/modules/services/networking/nix-serve.nix
@@ -56,7 +56,7 @@ in

      serviceConfig = {
        ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
-          "--port ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
+          "--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
        User = "nix-serve";
        Group = "nogroup";
      };
--- a/nixos/modules/services/networking/seeks.nix
+++ b/nixos/modules/services/networking/seeks.nix
@@ -33,7 +33,7 @@ in
        type = types.str;
        description = "
          The Seeks server configuration. If it is not specified,
-          a default configuration is used (${seeks}/etc/seeks).
+          a default configuration is used.
        ";
      };

--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -9,14 +9,6 @@ let

  nssModulesPath = config.system.nssModules.path;

-  knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
-
-  knownHostsText = flip (concatMapStringsSep "\n") knownHosts
-    (h:
-      concatStringsSep "," h.hostNames + " "
-      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-    );
-
  userOptions = {

    openssh.authorizedKeys = {
@@ -48,8 +40,7 @@ let
  };

  authKeysFiles = let
-    mkAuthKeyFile = u: {
-      target = "ssh/authorized_keys.d/${u.name}";
+    mkAuthKeyFile = u: nameValuePair "ssh/authorized_keys.d/${u.name}" {
      mode = "0444";
      source = pkgs.writeText "${u.name}-authorized_keys" ''
        ${concatStringsSep "\n" u.openssh.authorizedKeys.keys}
@@ -59,7 +50,7 @@ let
    usersWithKeys = attrValues (flip filterAttrs config.users.extraUsers (n: u:
      length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
    ));
-  in map mkAuthKeyFile usersWithKeys;
+  in listToAttrs (map mkAuthKeyFile usersWithKeys);

 in

@@ -211,57 +202,6 @@ in
        description = "Verbatim contents of <filename>sshd_config</filename>.";
      };

-      knownHosts = mkOption {
-        default = {};
-        type = types.loaOf types.optionSet;
-        description = ''
-          The set of system-wide known SSH hosts.
-        '';
-        example = [
-          {
-            hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = literalExample "./pubkeys/myhost_ssh_host_dsa_key.pub";
-          }
-          {
-            hostNames = [ "myhost2" ];
-            publicKeyFile = literalExample "./pubkeys/myhost2_ssh_host_dsa_key.pub";
-          }
-        ];
-        options = {
-          hostNames = mkOption {
-            type = types.listOf types.str;
-            default = [];
-            description = ''
-              A list of host names and/or IP numbers used for accessing
-              the host's ssh service.
-            '';
-          };
-          publicKey = mkOption {
-            default = null;
-            type = types.nullOr types.str;
-            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-            description = ''
-              The public key data for the host. You can fetch a public key
-              from a running SSH server with the <command>ssh-keyscan</command>
-              command. The public key should not include any host names, only
-              the key type and the key itself.
-            '';
-          };
-          publicKeyFile = mkOption {
-            default = null;
-            type = types.nullOr types.path;
-            description = ''
-              The path to the public key file for the host. The public
-              key file is read at build time and saved in the Nix store.
-              You can fetch a public key file from a running SSH server
-              with the <command>ssh-keyscan</command> command. The content
-              of the file should follow the same format as described for
-              the <literal>publicKey</literal> option.
-            '';
-          };
-        };
-      };
-
      moduliFile = mkOption {
        example = "services.openssh.moduliFile = /etc/my-local-ssh-moduli;";
        type = types.path;
@@ -274,7 +214,7 @@ in

    };

-    users.extraUsers = mkOption {
+    users.users = mkOption {
      options = [ userOptions ];
    };

@@ -292,14 +232,8 @@ in

    services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";

-    environment.etc = authKeysFiles ++ [
-      { source = cfg.moduliFile;
-        target = "ssh/moduli";
-      }
-      { text = knownHostsText;
-        target = "ssh/ssh_known_hosts";
-      }
-    ];
+    environment.etc = authKeysFiles //
+      { "ssh/moduli".source = cfg.moduliFile; };

    systemd =
      let
@@ -417,11 +351,6 @@ in

    assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
                    message = "cannot enable X11 forwarding without setting xauth location";}]
-      ++ flip mapAttrsToList cfg.knownHosts (name: data: {
-        assertion = (data.publicKey == null && data.publicKeyFile != null) ||
-                    (data.publicKey != null && data.publicKeyFile == null);
-        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-      })
      ++ flip map cfg.listenAddresses ({ addr, port, ... }: {
        assertion = addr != null;
        message = "addr must be specified in each listenAddresses entry";
--- a/nixos/modules/services/networking/syncthing.nix
+++ b/nixos/modules/services/networking/syncthing.nix
@@ -21,7 +21,7 @@ in
        description = ''
          Whether to enable the Syncthing, self-hosted open-source alternative
          to Dropbox and BittorrentSync. Initial interface will be
-          available on http://127.0.0.1:8080/.
+          available on http://127.0.0.1:8384/.
        '';
      };

@@ -42,6 +42,17 @@ in
        '';
      };

+      package = mkOption {
+        type = types.package;
+        default = pkgs.syncthing;
+        example = literalExample "pkgs.syncthing";
+        description = ''
+          Syncthing package to use.
+        '';
+      };
+
+
+
    };

  };
@@ -71,7 +82,7 @@ in

      };

-    environment.systemPackages = [ pkgs.syncthing ];
+    environment.systemPackages = [ cfg.package ];

  };

--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@@ -50,20 +50,20 @@ in

      jails = mkOption {
        default = { };
-        example =
-          { "apache-nohome-iptables" =
-              ''
-                # Block an IP address if it accesses a non-existent
-                # home directory more than 5 times in 10 minutes,
-                # since that indicates that it's scanning.
-                filter   = apache-nohome
-                action   = iptables-multiport[name=HTTP, port="http,https"]
-                logpath  = /var/log/httpd/error_log*
-                findtime = 600
-                bantime  = 600
-                maxretry = 5
-              '';
-          };
+        example = literalExample ''
+          { apache-nohome-iptables = '''
+              # Block an IP address if it accesses a non-existent
+              # home directory more than 5 times in 10 minutes,
+              # since that indicates that it's scanning.
+              filter   = apache-nohome
+              action   = iptables-multiport[name=HTTP, port="http,https"]
+              logpath  = /var/log/httpd/error_log*
+              findtime = 600
+              bantime  = 600
+              maxretry = 5
+            ''';
+          }
+        '';
        type = types.attrsOf types.lines;
        description =
          ''
@@ -138,6 +138,7 @@ in
        findtime = 600
        maxretry = 3
        backend  = systemd
+        enabled  = true
       '';

    # Block SSH if there are too many failing connection attempts.
--- a/nixos/modules/services/security/hologram.nix
+++ b/nixos/modules/services/security/hologram.nix
@@ -95,7 +95,7 @@ in {
      wantedBy    = [ "multi-user.target" ];

      serviceConfig = {
-        ExecStart = "${pkgs.goPackages.hologram}/bin/hologram-server --debug --conf ${cfgFile}";
+        ExecStart = "${pkgs.goPackages.hologram.bin}/bin/hologram-server --debug --conf ${cfgFile}";
      };
    };
  };
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -117,7 +117,6 @@ let
    ]
    ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
    ++ optional enableSSL "ssl"
-    ++ optional mainCfg.enableCompression "deflate"
    ++ extraApacheModules;


@@ -177,27 +176,6 @@ let
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXP
  '';

-  # From http://paulstamatiou.com/how-to-optimize-your-apache-site-with-mod-deflate/
-  compressConf = ''
-    SetOutputFilter DEFLATE
-
-    # Don't compress binaries
-    SetEnvIfNoCase Request_URI .(?:exe|t?gz|zip|iso|tar|bz2|sit|rar) no-gzip dont-vary
-    # Don't compress images
-    SetEnvIfNoCase Request_URI .(?:gif|jpe?g|jpg|ico|png)  no-gzip dont-vary
-    # Don't compress PDFs
-    SetEnvIfNoCase Request_URI .pdf no-gzip dont-vary
-    # Don't compress flash files (only relevant if you host your own videos)
-    SetEnvIfNoCase Request_URI .flv no-gzip dont-vary
-    # Netscape 4.X has some problems
-    BrowserMatch ^Mozilla/4 gzip-only-text/html
-    # Netscape 4.06-4.08 have some more problems
-    BrowserMatch ^Mozilla/4.0[678] no-gzip
-    # MSIE masquerades as Netscape, but it is fine
-    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
-    # Make sure proxies don't deliver the wrong content
-    Header append Vary User-Agent env=!dont-vary
-  '';

  mimeConf = ''
    TypesConfig ${httpd}/conf/mime.types
@@ -373,7 +351,6 @@ let
    ${mimeConf}
    ${loggingConf}
    ${browserHacks}
-    ${optionalString mainCfg.enableCompression compressConf}

    Include ${httpd}/conf/extra/httpd-default.conf
    Include ${httpd}/conf/extra/httpd-autoindex.conf
@@ -446,7 +423,7 @@ in
      enable = mkOption {
        type = types.bool;
        default = false;
-        description = "Enable the Apache HTTP Server.";
+        description = "Whether to enable the Apache HTTP Server.";
      };

      package = mkOption {
@@ -609,12 +586,6 @@ in
        description =
          "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
      };
-
-      enableCompression = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Enable compression of responses using mod_deflate.";
-      };
    }

    # Include the options shared between the main server and virtual hosts.
--- a/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
@@ -83,11 +83,11 @@ let

  # Unpack Mediawiki and put the config file in its root directory.
  mediawikiRoot = pkgs.stdenv.mkDerivation rec {
-    name= "mediawiki-1.23.9";
+    name= "mediawiki-1.23.13";

    src = pkgs.fetchurl {
      url = "http://download.wikimedia.org/mediawiki/1.23/${name}.tar.gz";
-      sha256 = "1l7k4g0pgz92yvrfr52w26x740s4362v0gc95pk0i30vn2sp5bql";
+      sha256 = "168wpf53n4ksj2g5q5r0hxapx6238dvsfng5ff9ixk6axsn0j5d0";
    };

    skins = config.skins;
--- a/nixos/modules/services/web-servers/apache-httpd/trac.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/trac.nix
@@ -5,14 +5,19 @@ with lib;
 let

  # Build a Subversion instance with Apache modules and Swig/Python bindings.
-  subversion = pkgs.subversion.override (origArgs: {
+  subversion = pkgs.subversion.override {
    bdbSupport = true;
    httpServer = true;
    pythonBindings = true;
-  });
+    apacheHttpd = httpd;
+  };

  pythonLib = p: "${p}/";

+  httpd = serverInfo.serverConfig.package;
+
+  versionPre24 = versionOlder httpd.version "2.4";
+
 in

 {
@@ -82,7 +87,7 @@ in
        AuthName "${config.ldapAuthentication.name}"
        AuthBasicProvider "ldap"
        AuthLDAPURL "${config.ldapAuthentication.url}"
-        authzldapauthoritative Off
+        ${if versionPre24 then "authzldapauthoritative Off" else ""}
        require valid-user
      </LocationMatch>
    '' else ""}
--- a/nixos/modules/services/web-servers/lighttpd/default.nix
+++ b/nixos/modules/services/web-servers/lighttpd/default.nix
@@ -44,7 +44,6 @@ let
    "mod_flv_streaming"
    "mod_magnet"
    "mod_mysql_vhost"
-    "mod_rewrite"
    "mod_scgi"
    "mod_setenv"
    "mod_trigger_b4_dl"
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -8,9 +8,12 @@ let
  configFile = pkgs.writeText "nginx.conf" ''
    user ${cfg.user} ${cfg.group};
    daemon off;
+
    ${cfg.config}
+
    ${optionalString (cfg.httpConfig != "") ''
    http {
+      include ${cfg.package}/conf/mime.types;
      ${cfg.httpConfig}
    }
    ''}
--- a/nixos/modules/services/web-servers/phpfpm.nix
+++ b/nixos/modules/services/web-servers/phpfpm.nix
@@ -44,8 +44,7 @@ in {

      phpIni = mkOption {
        type = types.path;
-        default = "${cfg.phpPackage}/etc/php-recommended.ini";
-        description = "php.ini file to use.";
+        description = "PHP configuration file to use.";
      };

      poolConfigs = mkOption {
@@ -86,5 +85,7 @@ in {
      };
    };

+    services.phpfpm.phpIni = mkDefault "${cfg.phpPackage}/etc/php-recommended.ini";
+
  };
 }
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -99,7 +99,6 @@ in {
    networking.networkmanager.enable = mkDefault true;
    services.upower.enable = config.powerManagement.enable;
    hardware.bluetooth.enable = mkDefault true;
-    services.xserver.displayManager.desktopManagerHandlesLidAndPower = false; # true doesn't make sense here, GNOME just doesn't handle it anymore

    fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ];

--- a/nixos/modules/services/x11/desktop-managers/kde4.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde4.nix
@@ -107,6 +107,12 @@ in
                sed -e '/nix\\store\|nix\/store/ d' -i $HOME/.config/Trolltech.conf
            fi

+            # Load PulseAudio module for routing support.
+            # See http://colin.guthr.ie/2009/10/so-how-does-the-kde-pulseaudio-support-work-anyway/
+            ${optionalString config.hardware.pulseaudio.enable ''
+              ${config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1"
+            ''}
+
            # Start KDE.
            exec ${kde_workspace}/bin/startkde
          '';
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde5.nix
@@ -76,7 +76,15 @@ in
    services.xserver.desktopManager.session = singleton {
      name = "kde5";
      bgSupport = true;
-      start = ''exec ${plasma5.plasma-workspace}/bin/startkde;'';
+      start = ''
+        # Load PulseAudio module for routing support.
+        # See http://colin.guthr.ie/2009/10/so-how-does-the-kde-pulseaudio-support-work-anyway/
+        ${optionalString config.hardware.pulseaudio.enable ''
+          ${config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1"
+        ''}
+
+        exec ${plasma5.plasma-workspace}/bin/startkde
+      '';
    };

    security.setuidOwners = singleton {
--- a/nixos/modules/services/x11/desktop-managers/kodi.nix
+++ b/nixos/modules/services/x11/desktop-managers/kodi.nix
@@ -28,4 +28,4 @@ in

    environment.systemPackages = [ pkgs.kodi ];
  };
-}
+}
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -62,7 +62,7 @@ let
        if [ -z "$_INHIBITION_LOCK_TAKEN" ]; then
          export _INHIBITION_LOCK_TAKEN=1
          if ! ${config.systemd.package}/bin/loginctl show-session $XDG_SESSION_ID | grep -q '^RemoteHost='; then
-            exec ${config.systemd.package}/bin/systemd-inhibit --what=handle-lid-switch:handle-power-key --why="See NixOS configuration option 'services.xserver.displayManager.desktopManagerHandlesLidAndPower' for more information." "$0" "$sessionType"
+            exec ${config.systemd.package}/bin/systemd-inhibit --what=handle-lid-switch:handle-power-key --why="Desktop environment handles power events" "$0" "$sessionType"
          fi
        fi

@@ -90,9 +90,6 @@ let

        # Publish access credentials in the root window.
        ${config.hardware.pulseaudio.package}/bin/pactl load-module module-x11-publish "display=$DISPLAY"
-
-        # Keep track of devices.  Mostly useful for Phonon/KDE.
-        ${config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1"
      ''}

      # Tell systemd about our $DISPLAY. This is needed by the
@@ -114,6 +111,10 @@ let
      rm -rf $HOME/.compose-cache
      mkdir $HOME/.compose-cache

+      # Work around KDE errors when a user first logs in and
+      # .local/share doesn't exist yet.
+      mkdir -p $HOME/.local/share
+
      ${cfg.displayManager.sessionCommands}

      # Allow the user to execute commands at the beginning of the X session.
@@ -161,7 +162,11 @@ let
      exit 0
    '';

-  mkDesktops = names: pkgs.runCommand "desktops" {}
+  mkDesktops = names: pkgs.runCommand "desktops"
+    { # trivial derivation
+      preferLocalBuild = true;
+      allowSubstitutes = false;
+    }
    ''
      mkdir -p $out
      ${concatMapStrings (n: ''
@@ -225,7 +230,7 @@ in

      desktopManagerHandlesLidAndPower = mkOption {
        type = types.bool;
-        default = true;
+        default = false;
        description = ''
          Whether the display manager should prevent systemd from handling
          lid and power events. This is normally handled by the desktop
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -65,7 +65,7 @@ in
    systemd.services.display-manager.wants = [ "systemd-machined.service" ];
    systemd.services.display-manager.after = [ "systemd-machined.service" ];

-    systemd.services.display-manager.path = [ gnome3.gnome_shell gnome3.caribou pkgs.xlibs.xhost pkgs.dbus_tools ];
+    systemd.services.display-manager.path = [ gnome3.gnome_shell gnome3.caribou pkgs.xorg.xhost pkgs.dbus_tools ];

    services.dbus.packages = [ gdm ];

--- a/nixos/modules/services/x11/display-managers/kdm.nix
+++ b/nixos/modules/services/x11/display-managers/kdm.nix
@@ -19,7 +19,7 @@ let
      ''}

      [X-*-Core]
-      Xrdb=${pkgs.xlibs.xrdb}/bin/xrdb
+      Xrdb=${pkgs.xorg.xrdb}/bin/xrdb
      SessionsDirs=${dmcfg.session.desktops}
      Session=${dmcfg.session.script}
      FailsafeClient=${pkgs.xterm}/bin/xterm
@@ -57,6 +57,7 @@ let
  kdmrc = pkgs.stdenv.mkDerivation {
    name = "kdmrc";
    config = defaultConfig + cfg.extraConfig;
+    preferLocalBuild = true;
    buildCommand =
      ''
        echo "$config" > $out
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -104,7 +104,6 @@ in
      };

      background = mkOption {
-        default = "${pkgs.nixos-artwork}/share/artwork/gnome/Gnome_Dark.png";
        description = ''
          The background image or color to use.
        '';
@@ -172,5 +171,8 @@ in
    };

    users.extraGroups.lightdm.gid = config.ids.gids.lightdm;
+
+    services.xserver.displayManager.lightdm.background = mkDefault "${pkgs.nixos-artwork}/share/artwork/gnome/Gnome_Dark.png";
+
  };
 }
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -469,6 +469,7 @@ in
        xorg.xsetroot
        xorg.xinput
        xorg.xprop
+        xorg.xauth
        pkgs.xterm
        pkgs.xdg_utils
      ]
@@ -487,7 +488,7 @@ in
    systemd.services.display-manager =
      { description = "X11 Server";

-        after = [ "systemd-udev-settle.service" "local-fs.target" "acpid.service" ];
+        after = [ "systemd-udev-settle.service" "local-fs.target" "acpid.service" "systemd-logind.service" ];

        restartIfChanged = false;

@@ -516,8 +517,7 @@ in
      };

    services.xserver.displayManager.xserverArgs =
-      [ "-ac"
-        "-terminate"
+      [ "-terminate"
        "-logfile" "/var/log/X.${toString cfg.display}.log"
        "-config ${configFile}"
        ":${toString cfg.display}" "vt${toString cfg.tty}"
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -176,9 +176,10 @@ in
      default = false;
      description = ''
        If enabled, copies the NixOS configuration file
-        <literal>$NIXOS_CONFIG</literal> (usually
-        <filename>/etc/nixos/configuration.nix</filename>)
-        to the system store path.
+        (usually <filename>/etc/nixos/configuration.nix</filename>)
+        and links it from the resulting system
+        (getting to <filename>/run/current-system/configuration.nix</filename>).
+        Note that only this single file is copied, even if it imports others.
      '';
    };

@@ -236,7 +237,9 @@ in
    system.extraSystemBuilderCmds =
      optionalString
        config.system.copySystemConfiguration
-        "cp ${maybeEnv "NIXOS_CONFIG" "/etc/nixos/configuration.nix"} $out";
+        ''ln -s '${import ../../../lib/from-env.nix "NIXOS_CONFIG" <nixos-config>}' \
+            "$out/configuration.nix"
+        '';

    system.build.toplevel = system;

--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@@ -158,7 +158,7 @@ in

    boot.kernel.sysctl."kernel.printk" = config.boot.consoleLogLevel;

-    boot.kernelModules = [ "loop" "configs" "atkbd" ];
+    boot.kernelModules = [ "loop" "atkbd" ];

    boot.initrd.availableKernelModules =
      [ # Note: most of these (especially the SATA/PATA modules)
@@ -197,9 +197,6 @@ in
        "hid_generic" "hid_lenovo"
        "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"

-        # Unix domain sockets (needed by udev).
-        "unix"
-
        # Misc. stuff.
        "pcips2" "atkbd"

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .08
 .09