expat: patch for CVE-2015-1283 from Mozilla

(Cherry-picked from commit fba4a950685023bc792422665b2dbe9934ebc9c6.)

.travis.yml

@@ -0,0 +1,5 @@
+language: python
+python: "3.4"
+before_install: ./maintainers/scripts/travis-nox-review-pr.sh nix
+install: ./maintainers/scripts/travis-nox-review-pr.sh nox
+script: ./maintainers/scripts/travis-nox-review-pr.sh build

doc/Makefile

@@ -21,18 +21,18 @@ all: NEWS.html NEWS.txt manual.html manual.pdf
 
 NEWS.html: release-notes.xml
 	$(XSLTPROC) --nonet --xinclude --output $@ $(NEWS_OPTS) \
-	  $(docbookxsl)/html/docbook.xsl release-notes.xml
+	  $(docbookxsl)/xhtml/docbook.xsl release-notes.xml
 
 NEWS.txt: release-notes.xml
 	$(XSLTPROC) --nonet --xinclude quote-literals.xsl release-notes.xml | \
 	  $(XSLTPROC) --nonet --output $@.tmp.html $(NEWS_OPTS) \
-	  $(docbookxsl)/html/docbook.xsl -
+	  $(docbookxsl)/xhtml/docbook.xsl -
 	LANG=en_US w3m -dump $@.tmp.html > $@
 	rm $@.tmp.html
 
 manual.html: *.xml
 	$(XSLTPROC) --nonet --xinclude --output manual.html \
-	  $(docbookxsl)/html/docbook.xsl manual.xml
+	  $(docbookxsl)/xhtml/docbook.xsl manual.xml
 
 manual.pdf: *.xml
 	$(dblatex) \

doc/contributing.xml

@@ -0,0 +1,21 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xml:id="chap-contributing">
+
+<title>Contributing</title>
+
+<para>If you make modifications to the manual, it's important to build the manual before contributing:</para>
+
+<orderedlist>
+
+  <listitem><para><command>$ git clone git://github.com/NixOS/nixpkgs.git</command></para></listitem>
+
+  <listitem><para><command>$ cd nixpkgs/pkgs/top-level</command></para></listitem>
+
+  <listitem><para><command>$ nix-build -A tarball release.nix</command></para></listitem>
+  
+  <listitem><para>Inside the built derivation you shall see <literal>manual/index.html</literal> file.</para></listitem>
+
+</orderedlist>
+
+</chapter>

doc/manual.xml

@@ -32,6 +32,7 @@
   <xi:include href="language-support.xml" />
   <xi:include href="package-notes.xml" />
   <xi:include href="coding-conventions.xml" />
+  <xi:include href="contributing.xml" />
   
         
 </book>

doc/meta.xml

@@ -17,7 +17,9 @@ meta = {
     It is fully customizable.
   '';
   homepage = http://www.gnu.org/software/hello/manual/;
-  license = "GPLv3+";
+  license = stdenv.lib.licenses.gpl3Plus;
+  maintainers = [ stdenv.lib.maintainers.eelco ];
+  platforms = stdenv.lib.platforms.all;
 };
 </programlisting>
 
@@ -31,16 +33,42 @@ the package.  The value of a meta-attribute must a string.</para>
 command-line using <command>nix-env</command>:
 
 <screen>
-$ nix-env -qa hello --meta --xml
-&lt;?xml version='1.0' encoding='utf-8'?>
-&lt;items>
-  &lt;item attrPath="hello" name="hello-2.3" system="i686-linux">
-    &lt;meta name="description" value="A program that produces a familiar, friendly greeting" />
-    &lt;meta name="homepage" value="http://www.gnu.org/software/hello/manual/" />
-    &lt;meta name="license" value="GPLv3+" />
-    &lt;meta name="longDescription" value="GNU Hello is a program that prints &amp;quot;Hello, world!&amp;quot; when you run it.&amp;#xA;It is fully customizable.&amp;#xA;" />
-  &lt;/item>
-&lt;/items>
+$ nix-env -qa hello --meta --json
+{
+    "hello": {
+        "meta": {
+            "description": "A program that produces a familiar, friendly greeting",
+            "homepage": "http://www.gnu.org/software/hello/manual/",
+            "license": {
+                "fullName": "GNU General Public License version 3 or later",
+                "shortName": "GPLv3+",
+                "url": "http://www.fsf.org/licensing/licenses/gpl.html"
+            },
+            "longDescription": "GNU Hello is a program that prints \"Hello, world!\" when you run it.\nIt is fully customizable.\n",
+            "maintainers": [
+                "Ludovic Court\u00e8s &lt;ludo@gnu.org>"
+            ],
+            "platforms": [
+                "i686-linux",
+                "x86_64-linux",
+                "armv5tel-linux",
+                "armv7l-linux",
+                "mips64el-linux",
+                "x86_64-darwin",
+                "i686-cygwin",
+                "i686-freebsd",
+                "x86_64-freebsd",
+                "i686-openbsd",
+                "x86_64-openbsd"
+            ],
+            "position": "/home/user/dev/nixpkgs/pkgs/applications/misc/hello/ex-2/default.nix:14"
+        },
+        "name": "hello-2.9",
+        "system": "x86_64-linux"
+    }
+}
+
+
 </screen>
 
 <command>nix-env</command> knows about the
@@ -92,20 +120,23 @@ interpretation:</para>
 
   <varlistentry>
     <term><varname>license</varname></term>
-    <listitem><para>The license for the package.  See below for the
-    allowed values.</para></listitem>
+    <listitem><para>The license for the package. One from attribute set defined in
+      <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix">
+      <filename>nixpkgs/lib/licenses.nix</filename></link>.
+      Example:
+      <literal>stdenv.lib.licenses.gpl3</literal>.</para></listitem>
+      See details in <xref linkend='sec-meta-license'/>,
   </varlistentry>
 
   <varlistentry>
     <term><varname>maintainers</varname></term>
     <listitem><para>A list of names and e-mail addresses of the
-    maintainers of this Nix expression, e.g. <literal>["Alice
-    &lt;alice@example.org>" "Bob &lt;bob@example.com>"]</literal>.  If
-    you are the maintainer of multiple packages, you may want to add
+    maintainers of this Nix expression. If
+    you would like to be a maintainer of a package, you may want to add
     yourself to <link
-    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/lib/maintainers.nix"><filename>pkgs/lib/maintainers.nix</filename></link>
-    and write something like <literal>[stdenv.lib.maintainers.alice
-    stdenv.lib.maintainers.bob]</literal>.</para></listitem>
+    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/maintainers.nix"><filename>nixpkgs/lib/maintainers.nix</filename></link>
+    and write something like <literal>[ stdenv.lib.maintainers.alice
+    stdenv.lib.maintainers.bob ]</literal>.</para></listitem>
   </varlistentry>
 
   <varlistentry>
@@ -121,29 +152,25 @@ interpretation:</para>
   <varlistentry>
     <term><varname>platforms</varname></term>
     <listitem><para>The list of Nix platform types on which the
-    package is supported.  If this attribute is set, the package will
-    refuse to build, and won’t show up in <literal>nix-env
-    -qa</literal> output, on any platform not listed
-    here.  An example is:
+    package is supported. Hydra builds packages according to the
+    platform specified. If no platform is specified, the package does
+    not have prebuilt binaries. An example is:
 
 <programlisting>
-meta.platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" ];
-</programlisting>
-
-    The set <varname>lib.platforms</varname> defines various common
-    lists of platforms types, so it’s more typical to write:
-
-<programlisting>
-meta.platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
+meta.platforms = stdenv.lib.platforms.linux;
 </programlisting>
 
+    Attribute Set <varname>stdenv.lib.platforms</varname> in
+    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/platforms.nix">
+    <filename>nixpkgs/lib/platforms.nix</filename></link> defines various common
+    lists of platforms types.
     </para></listitem>
   </varlistentry>
 
   <varlistentry>
     <term><varname>hydraPlatforms</varname></term>
     <listitem><para>The list of Nix platform types for which the Hydra
-    instance at <literal>hydra.nixos.org</literal> should build the
+    instance at <literal>hydra.nixos.org</literal> will build the
     package.  (Hydra is the Nix-based continuous build system.)  It
     defaults to the value of <varname>meta.platforms</varname>.  Thus,
     the only reason to set <varname>meta.hydraPlatforms</varname> is
@@ -176,80 +203,23 @@ meta.hydraPlatforms = [];
 
 <section xml:id="sec-meta-license"><title>Licenses</title>
 
-<note><para>This is just a first attempt at standardising the license
-attribute.</para></note>
-
-<para>The <varname>meta.license</varname> attribute must be one of the
-following:
+<para>The <varname>meta.license</varname> attribute should preferrably contain
+a value from <varname>stdenv.lib.licenses</varname> defined in
+<link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix">
+<filename>nixpkgs/lib/licenses.nix</filename></link>,
+or in-place license description of the same format if the license is
+unlikely to be useful in another expression.
 
+A few generic options are available, although it's typically better
+to indicate the specific license:
 <variablelist>
 
-  <varlistentry>
-    <term><varname>GPL</varname></term>
-    <listitem><para>GNU General Public License; version not
-    specified.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>GPLv2</varname></term>
-    <listitem><para>GNU General Public License, version
-    2.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>GPLv2+</varname></term>
-    <listitem><para>GNU General Public License, version
-    2 or higher.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>GPLv3</varname></term>
-    <listitem><para>GNU General Public License, version
-    3.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>GPLv3+</varname></term>
-    <listitem><para>GNU General Public License, version
-    3 or higher.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>bsd</varname></term>
-    <listitem><para>Catch-all for licenses that are essentially
-    similar to <link
-    xlink:href="http://www.gnu.org/licenses/license-list.html#ModifiedBSD">the
-    original BSD license with the advertising clause removed</link>,
-    i.e. permissive non-copyleft free software licenses.  This
-    includes the <link
-    xlink:href="http://www.gnu.org/licenses/license-list.html#X11License">X11
-    (“MIT”) License</link>.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>perl5</varname></term>
-    <listitem><para>The Perl 5 license (Artistic License, version 1
-    and GPL, version 1 or later).</para></listitem>
-  </varlistentry>
-
   <varlistentry>
     <term><varname>free</varname></term>
     <listitem><para>Catch-all for free software licenses not listed
     above.</para></listitem>
   </varlistentry>
 
-  <varlistentry>
-    <term><varname>free-copyleft</varname></term>
-    <listitem><para>Catch-all for free, copyleft software licenses not
-    listed above.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>free-non-copyleft</varname></term>
-    <listitem><para>Catch-all for free, non-copyleft software licenses
-    not listed above.</para></listitem>
-  </varlistentry>
-
   <varlistentry>
     <term><varname>unfree-redistributable</varname></term>
     <listitem><para>Unfree package that can be redistributed in binary

doc/quick-start.xml

@@ -155,9 +155,10 @@ $ git add pkgs/development/libraries/libfoo/default.nix</screen>
         </listitem>
 
         <listitem>
-          <para>You can use <command>nix-prefetch-url</command>
+          <para>You can use <command>nix-prefetch-url</command> (or similar nix-prefetch-git, etc)
           <replaceable>url</replaceable> to get the SHA-256 hash of
-          source distributions.</para>
+          source distributions. There are similar commands as <command>nix-prefetch-git</command> and
+          <command>nix-prefetch-hg</command> available in <literal>nix-prefetch-scripts</literal> package.</para>
         </listitem>
 
         <listitem>
@@ -221,17 +222,10 @@ $ nix-env -f . -iA libfoo</screen>
   </listitem>
 
   <listitem>
-    <para>Optionally commit the new package, or send a patch to
+    <para>Optionally commit the new package and open a pull request, or send a patch to
     <literal>nix-dev@cs.uu.nl</literal>.</para>
   </listitem>
 
-  <listitem>
-    <para>If you want the TU Delft build farm to build binaries of the
-    package and make them available in the <link
-    xlink:href="http://nixos.org/releases/nixpkgs/channels/nixpkgs-unstable/"><literal>nixpkgs</literal>
-    channel</link>, add it to <link
-    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/release.nix"><filename>pkgs/top-level/release.nix</filename></link>.</para>
-  </listitem>
 
 </orderedlist>
 

doc/release-notes.xml

@@ -446,7 +446,7 @@ xlink:href='http://nixos.org/releases/nix/nix-0.10/'>Nix
   <literal>stdenv</literal>; the formed changes the C compiler, and
   the latter adds additional packages to the front of
   <literal>stdenv</literal>’s initial <envar>PATH</envar>, allowing
-  tools to be overriden.</para>
+  tools to be overridden.</para>
 
   <para>For instance, the package <varname>strategoxt</varname>
   doesn’t build with the GNU Make in <literal>stdenv</literal>

doc/stdenv.xml

@@ -56,7 +56,7 @@ details.)</para>
 <para>Often it is necessary to override or modify some aspect of the
 build.  To make this easier, the standard environment breaks the
 package build into a number of <emphasis>phases</emphasis>, all of
-which can be overriden or modified individually: unpacking the
+which can be overridden or modified individually: unpacking the
 sources, applying patches, configuring, building, and installing.
 (There are some others; see <xref linkend="ssec-stdenv-phases"/>.)
 For instance, a package that doesn’t supply a makefile but instead has
@@ -233,7 +233,7 @@ specific parts of the build (e.g., unpacking the sources or installing
 the binaries).  Furthermore, it allows a nicer presentation of build
 logs in the Nix build farm.</para>
 
-<para>Each phase can be overriden in its entirety either by setting
+<para>Each phase can be overridden in its entirety either by setting
 the environment variable
 <varname><replaceable>name</replaceable>Phase</varname> to a string
 containing some shell commands to be executed, or by redefining the

lib/maintainers.nix

@@ -18,19 +18,23 @@
   aszlig = "aszlig <aszlig@redmoonstudios.org>";
   bbenoist = "Baptist BENOIST <return_0@live.com>";
   bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
+  berdario = "Dario Bertini <berdario@gmail.com>";
   bjg = "Brian Gough <bjg@gnu.org>";
   bjornfor = "Bjørn Forsman <bjorn.forsman@gmail.com>";
   bluescreen303 = "Mathijs Kwik <mathijs@bluescreen303.nl>";
   bodil = "Bodil Stokke <nix@bodil.org>";
   calrama = "Moritz Maxeiner <moritz@ucworks.org>";
+  cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
   chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
   coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
   coroa = "Jonas Hörsch <jonas@chaoflow.net>";
+  cstrahan = "Charles Strahan <charles.c.strahan@gmail.com>";
   edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
   eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
   emery = "Emery Hemingawy <emery@vfemail.net>";
   ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
   falsifian = "James Cook <james.cook@utoronto.ca>";
+  fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
   garbas = "Rok Garbas <rok@garbas.si>";
   goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
   guibert = "David Guibert <david.guibert@gmail.com>";
@@ -64,6 +68,7 @@
   qknight = "Joachim Schiele <js@lastlog.de>";
   raskin = "Michael Raskin <7c6f434c@mail.ru>";
   redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
+  relrod = "Ricky Elrod <ricky@elrod.me>";
   rickynils = "Rickard Nilsson <rickynils@gmail.com>";
   rob = "Rob Vermaas <rob.vermaas@gmail.com>";
   roconnor = "Russell O'Connor <roconnor@theorem.ca>";
@@ -81,12 +86,14 @@
   tomberek = "Thomas Bereknyei <tomberek@gmail.com>";
   ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
   urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
+  vbmithr = "Vincent Bernardoff <vb@luminar.eu.org>";
   vcunat = "Vladimír Čunát <vcunat@gmail.com>";
   viric = "Lluís Batlle i Rossell <viric@viric.name>";
   vizanto = "Danny Wilson <danny@prime.vc>";
   vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
   winden = "Antonio Vargas Gonzalez <windenntw@gmail.com>";
   wizeman = "Ricardo M. Correia <rcorreia@wizy.org>";
+  wmertens = "Wout Mertens <Wout.Mertens@gmail.com>";
   z77z = "Marco Maggesi <maggesi@math.unifi.it>";
   zef = "Zef Hemel <zef@zef.me>";
   zimbatm = "zimbatm <zimbatm@zimbatm.com>";

lib/modules.nix

@@ -319,6 +319,8 @@ rec {
   mkForce = mkOverride 50;
   mkVMOverride = mkOverride 10; # used by ‘nixos-rebuild build-vm’
 
+  mkStrict = builtins.trace "`mkStrict' is obsolete; use `mkOverride 0' instead." (mkOverride 0);
+
   mkFixStrictness = id; # obsolete, no-op
 
   mkOrder = priority: content:

lib/platforms.nix

@@ -2,7 +2,7 @@ let lists = import ./lists.nix; in
 
 rec {
   gnu = linux; /* ++ hurd ++ kfreebsd ++ ... */
-  linux = ["i686-linux" "x86_64-linux" "armv5tel-linux" "armv7l-linux" "mips64el-linux"];
+  linux = ["i686-linux" "x86_64-linux" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "mips64el-linux"];
   darwin = ["x86_64-darwin"];
   freebsd = ["i686-freebsd" "x86_64-freebsd"];
   openbsd = ["i686-openbsd" "x86_64-openbsd"];

lib/strings.nix

@@ -160,6 +160,16 @@ rec {
       else
         s;
 
+  removeSuffix = suf: s:
+    let
+      sufLen = stringLength suf;
+      sLen = stringLength s;
+    in
+      if sufLen <= sLen && suf == substring (sLen - sufLen) sufLen s then
+        substring 0 (sLen - sufLen) s
+      else
+        s;
+
   # Return true iff string v1 denotes a version older than v2.
   versionOlder = v1: v2: builtins.compareVersions v2 v1 == 1;
 

lib/types.nix

@@ -194,6 +194,18 @@ rec {
             args = { name = ""; }; }).options;
       };
 
+    enum = values: mkOptionType {
+      name = "one of ${concatStringsSep ", " values}";
+      check = flip elem values;
+      merge = mergeOneOption;
+    };
+
+    either = t1: t2: mkOptionType {
+      name = "${t1.name} or ${t2.name}";
+      check = x: t1.check x || t2.check x;
+      merge = mergeOneOption;
+    };
+
     # Obsolete alternative to configOf.  It takes its option
     # declarations from the ‘options’ attribute of containing option
     # declaration.

maintainers/scripts/copy-tarballs.pl

@@ -75,7 +75,6 @@ foreach my $file (@{$data->{list}->{attrs}}) {
     waitpid($pid, 0) or die;
     if ($? != 0) {
         print STDERR "failed to fetch $url: $?\n";
-        last if $? >> 8 == 255;
         next;
     }
     <$fh>; my $storePath = <$fh>; chomp $storePath;
@@ -92,4 +91,7 @@ foreach my $file (@{$data->{list}->{attrs}}) {
 
     my $sha256 = hashFile("sha256", 0, $storePath) or die;
     symlink("../$fn", "$tarballsCache/sha256/$sha256");
+
+    $sha256 = hashFile("sha256", 1, $storePath) or die;
+    symlink("../$fn", "$tarballsCache/sha256/$sha256");
 }

maintainers/scripts/travis-nox-review-pr.sh

@@ -0,0 +1,42 @@
+#! /usr/bin/env bash
+set -e
+
+export NIX_CURL_FLAGS=-sS
+
+if [[ $1 == nix ]]; then
+    echo "=== Installing Nix..."
+    # Install Nix
+    bash <(curl -sS https://nixos.org/nix/install)
+    source $HOME/.nix-profile/etc/profile.d/nix.sh
+
+    # Make sure we can use hydra's binary cache
+    sudo mkdir /etc/nix
+    sudo tee /etc/nix/nix.conf <<EOF >/dev/null
+binary-caches = http://cache.nixos.org http://hydra.nixos.org
+trusted-binary-caches = http://hydra.nixos.org
+build-max-jobs = 4
+EOF
+
+    # Verify evaluation
+    echo "=== Verifying that nixpkgs evaluates..."
+    nix-env -f. -qa --json >/dev/null
+elif [[ $1 == nox ]]; then
+    echo "=== Installing nox..."
+    git clone -q https://github.com/madjar/nox
+    pip --quiet install -e nox
+elif [[ $1 == build ]]; then
+    source $HOME/.nix-profile/etc/profile.d/nix.sh
+
+    if [[ $TRAVIS_PULL_REQUEST == false ]]; then
+        echo "===> Not a pull request, checking evaluation"
+        nix-build pkgs/top-level/release.nix -A tarball
+    else
+        echo "=== Checking PR"
+        # The current HEAD is the PR merged into origin/master, so we compare
+        # against origin/master
+        nox-review wip --against origin/master
+    fi
+else
+    echo "$0: Unknown option $1" >&2
+    false
+fi

nixos/doc/manual/configuration.xml

@@ -1195,7 +1195,7 @@ driver from a set of X.org drivers (such as <literal>vesa</literal>
 and <literal>intel</literal>).  You can also specify a driver
 manually, e.g.
 <programlisting>
-hardware.opengl.videoDrivers = [ "r128" ];
+services.xserver.videoDrivers = [ "r128" ];
 </programlisting>
 to enable X.org’s <literal>xf86-video-r128</literal> driver.</para>
 
@@ -1238,7 +1238,7 @@ $ systemctl start display-manager.service
 has better 3D performance than the X.org drivers.  It is not enabled
 by default because it’s not free software.  You can enable it as follows:
 <programlisting>
-hardware.opengl.videoDrivers = [ "nvidia" ];
+services.xserver.videoDrivers = [ "nvidia" ];
 </programlisting>
 You may need to reboot after enabling this driver to prevent a clash
 with other kernel modules.</para>

nixos/doc/manual/default.nix

@@ -5,22 +5,31 @@ with pkgs.lib;
 let
 
   # Remove invisible and internal options.
-  options' = filter (opt: opt.visible && !opt.internal) (optionAttrSetToDocList options);
+  optionsList = filter (opt: opt.visible && !opt.internal) (optionAttrSetToDocList options);
+
+  # Replace functions by the string <function>
+  substFunction = x:
+    if builtins.isAttrs x then mapAttrs (name: substFunction) x
+    else if builtins.isList x then map substFunction x
+    else if builtins.isFunction x then "<function>"
+    else x;
 
   # Clean up declaration sites to not refer to the NixOS source tree.
-  options'' = flip map options' (opt: opt // {
+  optionsList' = flip map optionsList (opt: opt // {
     declarations = map (fn: stripPrefix fn) opt.declarations;
-  });
+  }
+  // optionalAttrs (opt ? example) { example = substFunction opt.example; }
+  // optionalAttrs (opt ? default) { default = substFunction opt.default; });
 
-  prefix = toString pkgs.path;
+  prefix = toString ../../..;
 
   stripPrefix = fn:
     if substring 0 (stringLength prefix) fn == prefix then
-      substring (add (stringLength prefix) 1) 1000 fn
+      substring (stringLength prefix + 1) 1000 fn
     else
       fn;
 
-  optionsXML = builtins.toFile "options.xml" (builtins.unsafeDiscardStringContext (builtins.toXML options''));
+  optionsXML = builtins.toFile "options.xml" (builtins.unsafeDiscardStringContext (builtins.toXML optionsList'));
 
   optionsDocBook = pkgs.runCommand "options-db.xml" {} ''
     if grep /nixpkgs/nixos/modules ${optionsXML}; then
@@ -37,6 +46,26 @@ let
 
 in rec {
 
+  # The NixOS options in JSON format.
+  optionsJSON = pkgs.stdenv.mkDerivation {
+    name = "options-json";
+
+    buildCommand = ''
+      # Export list of options in different format.
+      dst=$out/share/doc/nixos
+      mkdir -p $dst
+
+      cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON
+        (listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList'))))
+      } $dst/options.json
+
+      mkdir -p $out/nix-support
+      echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
+    ''; # */
+
+    meta.description = "List of NixOS options in JSON format";
+  };
+
   # Generate the NixOS manual.
   manual = pkgs.stdenv.mkDerivation {
     name = "nixos-manual";

nixos/doc/manual/development.xml

@@ -39,7 +39,37 @@ This will check out the latest NixOS sources to
 and the Nixpkgs sources to
 <filename><replaceable>/my/sources</replaceable>/nixpkgs</filename>.
 (The NixOS source tree lives in a subdirectory of the Nixpkgs
-repository.)  If you want to rebuild your system using your (modified)
+repository.)</para>
+
+<para>It’s often inconvenient to develop directly on the master
+branch, since if somebody has just committed (say) a change to GCC,
+then the binary cache may not have caught up yet and you’ll have to
+rebuild everything from source. So you may want to create a local
+branch based on your current NixOS version:
+
+<screen>
+$ nixos-version
+14.04.273.ea1952b (Baboon)
+
+$ git checkout -b local ea1952b
+</screen>
+
+Or, to base your local branch on the latest version available in the
+NixOS channel:
+
+<screen>
+$ curl -sI http://nixos.org/channels/nixos-unstable/ | grep Location
+Location: http://releases.nixos.org/nixos/unstable/nixos-14.10pre43986.acaf4a6/
+
+$ git checkout -b local acaf4a6
+</screen>
+
+You can then use <command>git rebase</command> to sync your local
+branch with the upstream branch, and use <command>git
+cherry-pick</command> to copy commits from your local branch to the
+upstream branch.</para>
+
+<para>If you want to rebuild your system using your (modified)
 sources, you need to tell <command>nixos-rebuild</command> about them
 using the <option>-I</option> flag:
 

nixos/doc/manual/installation.xml

@@ -318,8 +318,7 @@ changes:
   </listitem>
   <listitem>
     <para>You must set <option>boot.loader.gummiboot.enable</option> to
-    <literal>true</literal>, and <option>boot.loader.grub.enable</option>
-    to <literal>false</literal>. <command>nixos-generate-config</command>
+    <literal>true</literal>. <command>nixos-generate-config</command>
     should do this automatically for new configurations when booted in
     UEFI mode.</para>
   </listitem>
@@ -473,7 +472,7 @@ been built.  These channels are:
 <itemizedlist>
   <listitem>
     <para>Stable channels, such as <literal
-    xlink:href="http://nixos.org/channels/nixos-13.10">nixos-13.10</literal>.
+    xlink:href="http://nixos.org/channels/nixos-14.04">nixos-14.04</literal>.
     These only get conservative bug fixes and package upgrades.  For
     instance, a channel update may cause the Linux kernel on your
     system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
@@ -499,8 +498,8 @@ appliances.)</para>
 
 <para>When you first install NixOS, you’re automatically subscribed to
 the NixOS channel that corresponds to your installation source.   For
-instance, if you installed from a 13.10 ISO, you will be subscribed to
-the <literal>nixos-13.10</literal> channel.  To see which NixOS
+instance, if you installed from a 14.04 ISO, you will be subscribed to
+the <literal>nixos-14.04</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 
 <screen>
@@ -515,10 +514,10 @@ $ nix-channel --add http://nixos.org/channels/<replaceable>channel-name</replace
 </screen>
 
 (Be sure to include the <literal>nixos</literal> parameter at the
-end.)  For instance, to use the NixOS 13.10 stable channel:
+end.)  For instance, to use the NixOS 14.04 stable channel:
 
 <screen>
-$ nix-channel --add http://nixos.org/channels/nixos-13.10 nixos
+$ nix-channel --add http://nixos.org/channels/nixos-14.04 nixos
 </screen>
 
 But it you want to live on the bleeding edge:

nixos/doc/manual/release-notes.xml

@@ -1,4 +1,5 @@
 <appendix xmlns="http://docbook.org/ns/docbook"
+          xmlns:xlink="http://www.w3.org/1999/xlink"
           xml:id="ch-release-notes">
 
 <title>Release notes</title>
@@ -7,10 +8,11 @@
 
 <section xml:id="sec-release-14.04">
 
-<title>Release 14.04 (“Baboon”, 2014/04/??)</title>
+<title>Release 14.04 (“Baboon”, 2014/04/30)</title>
 
-<para>This is the second stable release branch of NixOS.  The main
-enhancements are the following:
+<para>This is the second stable release branch of NixOS.  In addition
+to numerous new and upgraded packages and modules, this release has
+the following highlights:
 
 <itemizedlist>
 
@@ -18,9 +20,65 @@ enhancements are the following:
   <xref linkend="sec-uefi-installation"/> for
   details.</para></listitem>
 
+  <listitem><para>Systemd has been updated to version 212, which has
+  <link xlink:href="http://cgit.freedesktop.org/systemd/systemd/plain/NEWS?id=v212">numerous
+  improvements</link>. NixOS now automatically starts systemd user
+  instances when you log in. You can define global user units through
+  the <option>systemd.unit.*</option> options.</para></listitem>
+
   <listitem><para>NixOS is now based on Glibc 2.19 and GCC
   4.8.</para></listitem>
 
+  <listitem><para>The default Linux kernel has been updated to
+  3.12.</para></listitem>
+
+  <listitem><para>KDE has been updated to 4.12.</para></listitem>
+
+  <listitem><para>GNOME 3.10 experimental support has been added.</para></listitem>
+
+  <listitem><para>Nix has been updated to 1.7 (<link
+  xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.7">details</link>).</para></listitem>
+
+  <listitem><para>NixOS now supports fully declarative management of
+  users and groups. If you set <option>users.mutableUsers</option> to
+  <literal>false</literal>, then the contents of
+  <filename>/etc/passwd</filename> and <filename>/etc/group</filename>
+  will be <link
+  xlink:href="https://www.usenix.org/legacy/event/lisa02/tech/full_papers/traugott/traugott_html/">congruent</link>
+  to your NixOS configuration. For instance, if you remove a user from
+  <option>users.extraUsers</option> and run
+  <command>nixos-rebuild</command>, the user account will cease to
+  exist. Also, imperative commands for managing users and groups, such
+  as <command>useradd</command>, are no longer available. If
+  <option>users.mutableUsers</option> is <literal>true</literal> (the
+  default), then behaviour is unchanged from NixOS
+  13.10.</para></listitem>
+
+  <listitem><para>NixOS now has basic container support, meaning you
+  can easily run a NixOS instance as a container in a NixOS host
+  system. These containers are suitable for testing and
+  experimentation but not production use, since they’re not fully
+  isolated from the host. See <xref linkend="ch-containers"/> for
+  details.</para></listitem>
+
+  <listitem><para>Systemd units provided by packages can now be
+  overridden from the NixOS configuration. For instance, if a package
+  <literal>foo</literal> provides systemd units, you can say:
+
+<programlisting>
+systemd.packages = [ pkgs.foo ];
+</programlisting>
+
+  to enable those units. You can then set or override unit options in
+  the usual way, e.g.
+
+<programlisting>
+systemd.services.foo.wantedBy = [ "multi-user.target" ];
+systemd.services.foo.serviceConfig.MemoryLimit = "512M";
+</programlisting>
+
+  </para></listitem>
+
 </itemizedlist>
 
 </para>
@@ -47,6 +105,18 @@ error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:
 
   </para></listitem>
 
+  <listitem><para>The Adobe Flash player is no longer enabled by
+  default in the Firefox and Chromium wrappers. To enable it, you must
+  set:
+
+<programlisting>
+nixpkgs.config.allowUnfree = true;
+nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
+nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium
+</programlisting>
+
+  </para></listitem>
+
   <listitem><para>The firewall is now enabled by default. If you don’t
   want this, you need to disable it explicitly:
 
@@ -65,6 +135,28 @@ networking.firewall.enable = false;
   sets a default for the option
   <option>services.mysql.package</option>.</para></listitem>
 
+  <listitem><para>Package variants are now differentiated by suffixing
+  the name, rather than the version. For instance,
+  <filename>sqlite-3.8.4.3-interactive</filename> is now called
+  <filename>sqlite-interactive-3.8.4.3</filename>. This ensures that
+  <literal>nix-env -i sqlite</literal> is unambiguous, and that
+  <literal>nix-env -u</literal> won’t “upgrade”
+  <literal>sqlite</literal> to <literal>sqlite-interactive</literal>
+  or vice versa. Notably, this change affects the Firefox wrapper
+  (which provides plugins), as it is now called
+  <literal>firefox-wrapper</literal>. So when using
+  <command>nix-env</command>, you should do <literal>nix-env -e
+  firefox; nix-env -i firefox-wrapper</literal> if you want to keep
+  using the wrapper. This change does not affect declarative package
+  management, since attribute names like
+  <literal>pkgs.firefoxWrapper</literal> were already
+  unambiguous.</para></listitem>
+
+  <listitem><para>The symlink <filename>/etc/ca-bundle.crt</filename>
+  is gone. Programs should instead use the environment variable
+  <envar>OPENSSL_X509_CERT_FILE</envar> (which points to
+  <filename>/etc/ssl/certs/ca-bundle.crt</filename>).</para></listitem>
+
 </itemizedlist>
 
 </para>

nixos/lib/test-driver/Machine.pm

@@ -482,7 +482,7 @@ sub screenshot {
     my $name = basename($filename);
     $self->nest("making screenshot ‘$name’", sub {
         $self->sendMonitorCommand("screendump $tmp");
-        system("convert $tmp ${filename}") == 0
+        system("pnmtopng $tmp > ${filename}") == 0
             or die "cannot convert screenshot";
         unlink $tmp;
     }, { image => $name } );

nixos/lib/test-driver/log2html.xsl

@@ -9,8 +9,8 @@
   <xsl:template match="logfile">
     <html>
       <head>
-        <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
-        <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
+        <script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
+        <script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
         <script type="text/javascript" src="treebits.js" />
         <link rel="stylesheet" href="logfile.css" type="text/css" />
         <title>Log File</title>

nixos/lib/testing.nix

@@ -27,7 +27,7 @@ rec {
         cp ${./test-driver/Logger.pm} $libDir/Logger.pm
 
         wrapProgram $out/bin/nixos-test-driver \
-          --prefix PATH : "${pkgs.qemu_kvm}/bin:${pkgs.vde2}/bin:${imagemagick}/bin:${coreutils}/bin" \
+          --prefix PATH : "${qemu_kvm}/bin:${vde2}/bin:${netpbm}/bin:${coreutils}/bin" \
           --prefix PERL5LIB : "${lib.makePerlPath [ perlPackages.TermReadLineGnu perlPackages.XMLWriter perlPackages.IOTty ]}:$out/lib/perl5/site_perl"
       '';
   };
@@ -41,7 +41,7 @@ rec {
 
       requiredSystemFeatures = [ "kvm" "nixos-test" ];
 
-      buildInputs = [ pkgs.libxslt ];
+      buildInputs = [ libxslt ];
 
       buildCommand =
         ''
@@ -149,7 +149,7 @@ rec {
         startAll;
         $client->waitForUnit("multi-user.target");
         ${preBuild}
-        $client->succeed("env -i ${pkgs.bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2");
+        $client->succeed("env -i ${bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2");
         ${postBuild}
         $client->succeed("sync"); # flush all data before pulling the plug
       '';
@@ -196,6 +196,6 @@ rec {
       } // args);
 
 
-  simpleTest = as: (makeTest ({ ... }: as)).test;
+  simpleTest = as: (makeTest as).test;
 
 }

nixos/maintainers/scripts/ec2/amazon-base-config.nix

@@ -0,0 +1,5 @@
+{ modulesPath, ...}:
+{
+  imports = [ "${modulesPath}/virtualisation/amazon-config.nix" ];
+  services.journald.rateLimitBurst = 0;
+}

nixos/maintainers/scripts/ec2/amazon-hvm-config.nix

@@ -0,0 +1,5 @@
+{ config, pkgs, ...}:
+{
+  imports = [ ./amazon-base-config.nix ];
+  ec2.hvm = true;
+}

nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, lib, ...}:
+let
+  cloudUtils = pkgs.fetchurl {
+    url = "https://launchpad.net/cloud-utils/trunk/0.27/+download/cloud-utils-0.27.tar.gz";
+    sha256 = "16shlmg36lidp614km41y6qk3xccil02f5n3r4wf6d1zr5n4v8vd";
+  };
+  growpart = pkgs.stdenv.mkDerivation {
+    name = "growpart";
+    src = cloudUtils;
+    buildPhase = ''
+      cp bin/growpart $out
+      sed -i 's|awk|gawk|' $out
+      sed -i 's|sed|gnused|' $out
+    '';
+    dontInstall = true;
+    dontPatchShebangs = true;
+  };
+in
+{
+  imports = [ ./amazon-base-config.nix ];
+  ec2.hvm = true;
+  boot.loader.grub.device = lib.mkOverride 0 "nodev";
+
+  boot.initrd.extraUtilsCommands = ''
+    cp -v ${pkgs.gawk}/bin/gawk $out/bin/gawk
+    cp -v ${pkgs.gnused}/bin/sed $out/bin/gnused
+    cp -v ${pkgs.utillinux}/sbin/sfdisk $out/bin/sfdisk
+    cp -v ${growpart} $out/bin/growpart
+  '';
+  boot.initrd.postDeviceCommands = ''
+    [ -e /dev/xvda ] && [ -e /dev/xvda1 ] && TMPDIR=/run sh $(type -P growpart) /dev/xvda 1
+  '';
+}

nixos/maintainers/scripts/ec2/create-ebs-amis.py

@@ -8,15 +8,17 @@ import nixops.util
 from nixops import deployment
 from boto.ec2.blockdevicemapping import BlockDeviceMapping, BlockDeviceType
 import boto.ec2
+from nixops.statefile import StateFile, get_default_state_file
 
 parser = argparse.ArgumentParser(description='Create an EBS-backed NixOS AMI')
 parser.add_argument('--region', dest='region', required=True, help='EC2 region to create the image in')
+parser.add_argument('--channel', dest='channel', default="13.10", help='Channel to use')
 parser.add_argument('--keep', dest='keep', action='store_true', help='Keep NixOps machine after use')
 parser.add_argument('--hvm', dest='hvm', action='store_true', help='Create HVM image')
 parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair used for HVM instance creation', default="rob")
 args = parser.parse_args()
 
-instance_type = "m3.xlarge" if args.hvm else "m1.small"
+instance_type = "m3.medium" if args.hvm else "m1.small"
 ebs_size = 8 if args.hvm else 20
 
 
@@ -37,11 +39,11 @@ f.write('''{{
 '''.format(args.region, ebs_size))
 f.close()
 
-db = deployment.open_database(deployment.get_default_state_file())
+db = StateFile(get_default_state_file())
 try:
-    depl = deployment.open_deployment(db, "ebs-creator")
+    depl = db.open_deployment("ebs-creator")
 except Exception:
-    depl = deployment.create_deployment(db)
+    depl = db.create_deployment()
     depl.name = "ebs-creator"
 depl.auto_response = "y"
 depl.nix_exprs = [os.path.abspath("./ebs-creator.nix"), os.path.abspath("./ebs-creator-config.nix")]
@@ -50,7 +52,6 @@ depl.deploy(allow_reboot=True)
 
 m = depl.machines['machine']
 
-
 # Do the installation.
 device="/dev/xvdg"
 if args.hvm:
@@ -64,24 +65,27 @@ m.run_command("mkdir -p /mnt")
 m.run_command("mount {0} /mnt".format(device))
 m.run_command("touch /mnt/.ebs")
 m.run_command("mkdir -p /mnt/etc/nixos")
-m.run_command("nix-channel --add http://nixos.org/channels/nixos-unstable")
+
+m.run_command("nix-channel --add http://nixos.org/channels/nixos-{} nixos".format(args.channel))
 m.run_command("nix-channel --update")
-m.run_command("nixos-rebuild switch")
-version = m.run_command("nixos-version", capture_stdout=True).split(' ')[0]
+
+version = m.run_command("nix-instantiate --eval-only -A lib.nixpkgsVersion '<nixpkgs>'", capture_stdout=True).split(' ')[0].replace('"','').strip()
 print >> sys.stderr, "NixOS version is {0}".format(version)
-m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/configuration.nix")
-m.run_command("nixos-install")
 if args.hvm:
+    m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/amazon-base-config.nix")
+    m.upload_file("./amazon-hvm-config.nix", "/mnt/etc/nixos/configuration.nix")
+    m.upload_file("./amazon-hvm-install-config.nix", "/mnt/etc/nixos/amazon-hvm-install-config.nix")
+    m.run_command("NIXOS_CONFIG=/etc/nixos/amazon-hvm-install-config.nix nixos-install")
     m.run_command('nix-env -iA nixos.pkgs.grub')
     m.run_command('cp /nix/store/*-grub-0.97*/lib/grub/i386-pc/* /mnt/boot/grub')
-    m.run_command('sed -i "s|hd0|hd0,0|" /mnt/boot/grub/menu.lst')
     m.run_command('echo "(hd1) /dev/xvdg" > device.map')
     m.run_command('echo -e "root (hd1,0)\nsetup (hd1)" | grub --device-map=device.map --batch')
-
+else:
+    m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/configuration.nix")
+    m.run_command("nixos-install")
 
 m.run_command("umount /mnt")
 
-
 if args.hvm:
     ami_name = "nixos-{0}-x86_64-ebs-hvm".format(version)
     description = "NixOS {0} (x86_64; EBS root; hvm)".format(version)

nixos/maintainers/scripts/ec2/ebs-creator.nix

@@ -4,10 +4,11 @@
   machine =
     { config, pkgs, resources, ... }:
     { deployment.targetEnv = "ec2";
-      deployment.ec2.instanceType = "m1.large";
+      deployment.ec2.instanceType = "c3.large";
       deployment.ec2.securityGroups = [ "admin" ];
       deployment.ec2.ebsBoot = false;
       deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
+      deployment.ec2.zone = "us-east-1e";
       environment.systemPackages = [ pkgs.parted ];
     };
 }

nixos/modules/config/fonts/corefonts.nix

@@ -25,7 +25,7 @@ with lib;
 
   config = mkIf config.fonts.enableCoreFonts {
 
-    fonts.extraFonts = [ pkgs.corefonts ];
+    fonts.fonts = [ pkgs.corefonts ];
 
   };
 

nixos/modules/config/fonts/fonts.nix

@@ -10,40 +10,37 @@ with lib;
 
       # TODO: find another name for it.
       fonts = mkOption {
-        default = [
-          # - the user's .fonts directory
-          "~/.fonts"
-          # - the user's current profile
-          "~/.nix-profile/lib/X11/fonts"
-          "~/.nix-profile/share/fonts"
-          # - the default profile
-          "/nix/var/nix/profiles/default/lib/X11/fonts"
-          "/nix/var/nix/profiles/default/share/fonts"
-        ];
-        description = "List of primary font paths.";
-        apply = list: list ++ [
-          # - a few statically built locations
-          pkgs.xorg.fontbhttf
-          pkgs.xorg.fontbhlucidatypewriter100dpi
-          pkgs.xorg.fontbhlucidatypewriter75dpi
-          pkgs.ttf_bitstream_vera
-          pkgs.freefont_ttf
-          pkgs.liberation_ttf
-          pkgs.xorg.fontbh100dpi
-          pkgs.xorg.fontmiscmisc
-          pkgs.xorg.fontcursormisc
-        ]
-        ++ config.fonts.extraFonts;
-      };
-
-      extraFonts = mkOption {
-        default = [];
+        type = types.listOf types.path;
         example = [ pkgs.dejavu_fonts ];
-        description = "List of packages with additional fonts.";
+        description = "List of primary font paths.";
+        apply = list: list ++
+          [ # - the user's current profile
+            "~/.nix-profile/lib/X11/fonts"
+            "~/.nix-profile/share/fonts"
+            # - the default profile
+            "/nix/var/nix/profiles/default/lib/X11/fonts"
+            "/nix/var/nix/profiles/default/share/fonts"
+          ];
       };
 
     };
 
   };
 
+  config = {
+
+    fonts.fonts =
+      [ pkgs.xorg.fontbhttf
+        pkgs.xorg.fontbhlucidatypewriter100dpi
+        pkgs.xorg.fontbhlucidatypewriter75dpi
+        pkgs.ttf_bitstream_vera
+        pkgs.freefont_ttf
+        pkgs.liberation_ttf
+        pkgs.xorg.fontbh100dpi
+        pkgs.xorg.fontmiscmisc
+        pkgs.xorg.fontcursormisc
+      ];
+
+  };
+
 }

nixos/modules/config/fonts/ghostscript.nix

@@ -25,7 +25,7 @@ with lib;
 
   config = mkIf config.fonts.enableGhostscriptFonts {
 
-    fonts.extraFonts = [ "${pkgs.ghostscript}/share/ghostscript/fonts" ];
+    fonts.fonts = [ "${pkgs.ghostscript}/share/ghostscript/fonts" ];
 
   };
 

nixos/modules/config/pulseaudio.nix

@@ -69,8 +69,7 @@ in {
       };
 
       configFile = mkOption {
-        type = types.uniq types.path;
-        default = "${cfg.package}/etc/pulse/default.pa";
+        type = types.path;
         description = ''
           The path to the configuration the PulseAudio server
           should use. By default, the "default.pa" configuration
@@ -110,6 +109,8 @@ in {
         target = "pulse/client.conf";
         source = clientConf;
       };
+
+      hardware.pulseaudio.configFile = mkDefault "${cfg.package}/etc/pulse/default.pa";
     }
 
     (mkIf cfg.enable {

nixos/modules/config/swap.nix

@@ -106,6 +106,7 @@ with utils;
                 if [ ! -e "${sw.device}" ]; then
                   fallocate -l ${toString sw.size}M "${sw.device}" ||
                     dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size}
+                  chmod 0600 ${sw.device}
                   mkswap ${sw.device}
                 fi
               '';

nixos/modules/config/system-path.nix

@@ -63,7 +63,7 @@ in
       systemPackages = mkOption {
         type = types.listOf types.path;
         default = [];
-        example = "[ pkgs.icecat3 pkgs.thunderbird ]";
+        example = "[ pkgs.firefox pkgs.thunderbird ]";
         description = ''
           The set of packages that appear in
           /run/current-system/sw.  These packages are

nixos/modules/config/users-groups.nix

@@ -55,13 +55,27 @@ let
         type = with types; nullOr int;
         default = null;
         description = ''
-          The account UID. If the <literal>mutableUsers</literal> option
+          The account UID. If the <option>mutableUsers</option> option
           is false, the UID cannot be null. Otherwise, the UID might be
           null, in which case a free UID is picked on activation (by the
           useradd command).
         '';
       };
 
+      isSystemUser = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Indicates if the user is a system user or not. This option
+          only has an effect if <option>mutableUsers</option> is
+          <literal>true</literal> and <option>uid</option> is
+          <option>null</option>, in which case it determines whether
+          the user's UID is allocated in the range for system users
+          (below 500) or in the range for normal users (starting at
+          1000).
+        '';
+      };
+
       group = mkOption {
         type = types.str;
         default = "nogroup";
@@ -459,17 +473,17 @@ in {
         '';
         groupadd = n: g: ''
           if [ -z "$(getent group "${g.name}")" ]; then
-            echo "Adding group ${g.name}"
             ${pkgs.shadow}/sbin/groupadd "${g.name}"
           fi
         '';
         useradd = n: u: ''
           if ! id "${u.name}" &>/dev/null; then
-            echo "Adding user ${u.name}"
             ${pkgs.shadow}/sbin/useradd \
               -g "${u.group}" \
+              -G "${concatStringsSep "," u.extraGroups}" \
               -s "${u.shell}" \
               -d "${u.home}" \
+              ${optionalString u.isSystemUser "--system"} \
               "${u.name}"
             echo "${u.name}:x" | ${pkgs.shadow}/sbin/chpasswd -e
           fi
@@ -495,7 +509,7 @@ in {
         message = "uids and gids must be unique!";
       }
       { assertion = cfg.mutableUsers || (nonUidUsers == {});
-        message = "When mutableUsers is false, no uid can be null";
+        message = "When mutableUsers is false, no uid can be null: ${toString (attrNames nonUidUsers)}";
       }
       { assertion = cfg.mutableUsers || (nonGidGroups == {});
         message = "When mutableUsers is false, no gid can be null";

nixos/modules/hardware/opengl.nix

@@ -1,14 +1,31 @@
-{ config, pkgs, pkgs_i686, ... }:
+{ config, lib, pkgs, pkgs_i686, ... }:
+
+with lib;
+
 let
-  inherit (pkgs.lib) mkOption types mkIf optional optionals elem optionalString optionalAttrs;
 
   cfg = config.hardware.opengl;
 
   kernelPackages = config.boot.kernelPackages;
-in {
+
+  videoDrivers = config.services.xserver.videoDrivers;
+
+  makePackage = p: p.buildEnv {
+    name = "mesa-drivers+txc-${p.mesa_drivers.version}";
+    paths =
+      [ p.mesa_drivers
+        p.mesa_noglu # mainly for libGL
+        (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
+	p.udev
+      ];
+  };
+
+in
+
+{
   options = {
     hardware.opengl.enable = mkOption {
-      description = "Whether this configuration requires opengl.";
+      description = "Whether this configuration requires OpenGL.";
       type = types.bool;
       default = false;
       internal = true;
@@ -45,84 +62,64 @@ in {
       '';
     };
 
-
-    hardware.opengl.videoDrivers = mkOption {
-      type = types.listOf types.str;
-      # !!! We'd like "nv" here, but it segfaults the X server.
-      default = [ "ati" "cirrus" "intel" "vesa" "vmware" ];
-      example = [ "vesa" ];
+    hardware.opengl.package = mkOption {
+      type = types.package;
+      internal = true;
       description = ''
-        The names of the opengl video drivers the configuration
-        supports. They will be tried in order until one that
-        supports your card is found.
+        The package that provides the OpenGL implementation.
       '';
     };
+
+    hardware.opengl.package32 = mkOption {
+      type = types.package;
+      internal = true;
+      description = ''
+        The package that provides the 32-bit OpenGL implementation on
+        64-bit systems.  Used when <option>driSupport32Bit</option> is
+        set.
+      '';
+    };
+
   };
 
   config = mkIf cfg.enable {
+
     assertions = pkgs.lib.singleton {
       assertion = cfg.driSupport32Bit -> pkgs.stdenv.isx86_64;
-      message = "Option driSupport32Bit only makes sens on a 64-bit system.";
+      message = "Option driSupport32Bit only makes sense on a 64-bit system.";
     };
 
-    system.activationScripts.setup-opengl.deps = [];
-    system.activationScripts.setup-opengl.text = ''
-      rm -f /run/opengl-driver{,-32}
-      ${optionalString (pkgs.stdenv.isi686) "ln -sf opengl-driver /run/opengl-driver-32"}
-    ''
-      #TODO:  The OpenGL driver should depend on what's detected at runtime.
-     +( if elem "nvidia" cfg.videoDrivers then
-          ''
-            ln -sf ${kernelPackages.nvidia_x11} /run/opengl-driver
-            ${optionalString cfg.driSupport32Bit
-              "ln -sf ${pkgs_i686.linuxPackages.nvidia_x11.override { libsOnly = true; kernel = null; } } /run/opengl-driver-32"}
-          ''
-        else if elem "nvidiaLegacy173" cfg.videoDrivers then
-          "ln -sf ${kernelPackages.nvidia_x11_legacy173} /run/opengl-driver"
-        else if elem "nvidiaLegacy304" cfg.videoDrivers then
-          ''
-            ln -sf ${kernelPackages.nvidia_x11_legacy304} /run/opengl-driver
-            ${optionalString cfg.driSupport32Bit
-              "ln -sf ${pkgs_i686.linuxPackages.nvidia_x11_legacy304.override { libsOnly = true; kernel = null; } } /run/opengl-driver-32"}
-          ''
-        else if elem "ati_unfree" cfg.videoDrivers then
-          "ln -sf ${kernelPackages.ati_drivers_x11} /run/opengl-driver"
-        else
-          let
-            lib_fun = p: p.buildEnv {
-              name = "mesa-drivers+txc-${p.mesa_drivers.version}";
-              paths = [
-                p.mesa_drivers
-                p.mesa_noglu # mainly for libGL
-                (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
-              ];
-            };
-          in
-          ''
-            ${optionalString cfg.driSupport "ln -sf ${lib_fun pkgs} /run/opengl-driver"}
-            ${optionalString cfg.driSupport32Bit
-              "ln -sf ${lib_fun pkgs_i686} /run/opengl-driver-32"}
-          ''
-      );
+    system.activationScripts.setup-opengl =
+      ''
+        ln -sfn ${cfg.package} /run/opengl-driver
+        ${if pkgs.stdenv.isi686 then ''
+          ln -sfn opengl-driver /run/opengl-driver-32
+        '' else if cfg.driSupport32Bit then ''
+          ln -sfn ${cfg.package32} /run/opengl-driver-32
+        '' else ''
+          rm -f /run/opengl-driver-32
+        ''}
+      '';
 
     environment.variables.LD_LIBRARY_PATH =
       [ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ];
 
+    # FIXME: move this into card-specific modules.
+    hardware.opengl.package = mkDefault
+      (if elem "ati_unfree" videoDrivers then
+        kernelPackages.ati_drivers_x11
+      else
+        makePackage pkgs);
+
+    hardware.opengl.package32 = mkDefault (makePackage pkgs_i686);
+
     boot.extraModulePackages =
-      optional (elem "nvidia" cfg.videoDrivers) kernelPackages.nvidia_x11 ++
-      optional (elem "nvidiaLegacy173" cfg.videoDrivers) kernelPackages.nvidia_x11_legacy173 ++
-      optional (elem "nvidiaLegacy304" cfg.videoDrivers) kernelPackages.nvidia_x11_legacy304 ++
-      optional (elem "virtualbox" cfg.videoDrivers) kernelPackages.virtualboxGuestAdditions ++
-      optional (elem "ati_unfree" cfg.videoDrivers) kernelPackages.ati_drivers_x11;
+      optional (elem "virtualbox" videoDrivers) kernelPackages.virtualboxGuestAdditions ++
+      optional (elem "ati_unfree" videoDrivers) kernelPackages.ati_drivers_x11;
 
-    boot.blacklistedKernelModules =
-      optionals (elem "nvidia" cfg.videoDrivers) [ "nouveau" "nvidiafb" ];
-
-    environment.etc =  (optionalAttrs (elem "ati_unfree" cfg.videoDrivers) {
+    environment.etc =
+      optionalAttrs (elem "ati_unfree" videoDrivers) {
         "ati".source = "${kernelPackages.ati_drivers_x11}/etc/ati";
-      })
-      // (optionalAttrs (elem "nvidia" cfg.videoDrivers) {
-        "OpenCL/vendors/nvidia.icd".source = "${kernelPackages.nvidia_x11}/lib/vendors/nvidia.icd";
-      });
+      };
   };
 }

nixos/modules/hardware/video/bumblebee.nix

@@ -17,6 +17,12 @@ with lib;
         Only nvidia driver is supported so far.
       '';
     };
+    hardware.bumblebee.group = mkOption {
+      default = "wheel";
+      example = "video";
+      type = types.uniq types.str;
+      description = ''Group for bumblebee socket'';
+    };
   };
 
   config = mkIf config.hardware.bumblebee.enable {
@@ -29,13 +35,15 @@ with lib;
     systemd.services.bumblebeed = {
       description = "Bumblebee Hybrid Graphics Switcher";
       wantedBy = [ "display-manager.service" ];
-      script = "bumblebeed --use-syslog";
+      script = "bumblebeed --use-syslog -g ${config.hardware.bumblebee.group}";
       path = [ kernel.bbswitch pkgs.bumblebee ];
       serviceConfig = {
         Restart = "always";
         RestartSec = 60;
         CPUSchedulingPolicy = "idle";
       };
+      environment.LD_LIBRARY_PATH="/run/opengl-driver/lib/";
+      environment.MODULE_DIR="/run/current-system/kernel-modules/lib/modules/";
     };
   };
 }

nixos/modules/hardware/video/nvidia.nix

@@ -0,0 +1,54 @@
+# This module provides the proprietary NVIDIA X11 / OpenGL drivers.
+
+{ config, lib, pkgs, pkgs_i686, ... }:
+
+with lib;
+
+let
+
+  drivers = config.services.xserver.videoDrivers;
+
+  # FIXME: should introduce an option like
+  # ‘hardware.video.nvidia.package’ for overriding the default NVIDIA
+  # driver.
+  enabled = elem "nvidia" drivers || elem "nvidiaLegacy173" drivers || elem "nvidiaLegacy304" drivers;
+
+  nvidia_x11 =
+    if elem "nvidia" drivers then
+      config.boot.kernelPackages.nvidia_x11
+    else if elem "nvidiaLegacy173" drivers then
+      config.boot.kernelPackages.nvidia_x11_legacy173
+    else if elem "nvidiaLegacy304" videoDrivers then
+      config.boot.kernelPackages.nvidia_x11_legacy304
+    else throw "impossible";
+
+in
+
+{
+
+  config = mkIf enabled {
+
+    services.xserver.drivers = singleton
+      { name = "nvidia"; modules = [ nvidia_x11 ]; libPath = [ nvidia_x11 ]; };
+
+    services.xserver.screenSection =
+      ''
+        Option "RandRRotation" "on"
+      '';
+
+    hardware.opengl.package = nvidia_x11;
+    hardware.opengl.package32 = pkgs_i686.linuxPackages.nvidia_x11.override { libsOnly = true; kernel = null; };
+
+    environment.systemPackages = [ nvidia_x11 ];
+
+    boot.extraModulePackages = [ nvidia_x11 ];
+
+    boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ];
+
+    services.acpid.enable = true;
+
+    environment.etc."OpenCL/vendors/nvidia.icd".source = "${nvidia_x11}/lib/vendors/nvidia.icd";
+
+  };
+
+}

nixos/modules/installer/cd-dvd/installation-cd-base.nix

@@ -19,7 +19,7 @@ with lib;
   # ISO naming.
   isoImage.isoName = "${config.isoImage.isoBaseName}-${config.system.nixosVersion}-${pkgs.stdenv.system}.iso";
 
-  isoImage.volumeID = substring 0 11 "NIXOS_${config.system.nixosVersion}";
+  isoImage.volumeID = substring 0 11 "NIXOS_ISO";
 
   # Make the installer more likely to succeed in low memory
   # environments.  The kernel's overcommit heustistics bite us

nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix

@@ -138,7 +138,8 @@ in
   };
 
   # Setting vesa, we don't get the nvidia driver, which can't work in arm.
-  hardware.opengl.videoDrivers = [ "vesa" ];
+  services.xserver.videoDrivers = [ "vesa" ];
+
   services.nixosManual.enable = false;
 
   # Include the firmware for various wireless cards.

nixos/modules/installer/tools/get-version-suffix

@@ -17,6 +17,6 @@ getVersion() {
 if nixpkgs=$(nix-instantiate --find-file nixpkgs "$@"); then
     getVersion $nixpkgs
     if [ -n "$rev" ]; then
-        echo "pre-$rev"
+        echo ".git.$rev"
     fi
 fi

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -130,13 +130,14 @@ sub pciCheck {
 
     # broadcom STA driver (wl.ko)
     # list taken from http://www.broadcom.com/docs/linux_sta/README.txt
-    # FIXME: still needed?
     if ($vendor eq "0x14e4" &&
         ($device eq "0x4311" || $device eq "0x4312" || $device eq "0x4313" ||
          $device eq "0x4315" || $device eq "0x4327" || $device eq "0x4328" ||
          $device eq "0x4329" || $device eq "0x432a" || $device eq "0x432b" ||
          $device eq "0x432c" || $device eq "0x432d" || $device eq "0x4353" ||
-         $device eq "0x4357" || $device eq "0x4358" || $device eq "0x4359" ) )
+         $device eq "0x4357" || $device eq "0x4358" || $device eq "0x4359" ||
+         $device eq "0x4331" || $device eq "0x43a0" || $device eq "0x43b1"
+        ) )
      {
         push @modulePackages, "config.boot.kernelPackages.broadcom_sta";
         push @kernelModules, "wl";
@@ -158,14 +159,14 @@ sub pciCheck {
     # Assume that all NVIDIA cards are supported by the NVIDIA driver.
     # There may be exceptions (e.g. old cards).
     # FIXME: do we want to enable an unfree driver here?
-    $videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/;
+    #$videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/;
 }
 
 foreach my $path (glob "/sys/bus/pci/devices/*") {
     pciCheck $path;
 }
 
-push @attrs, "hardware.opengl.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver;
+push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver;
 
 
 # Idem for USB devices.
@@ -218,18 +219,19 @@ foreach my $path (glob "/sys/class/block/*") {
 }
 
 
-my $dmi = `@dmidecode@/sbin/dmidecode`;
+my $virt = `systemd-detect-virt`;
+chomp $virt;
 
 
 # Check if we're a VirtualBox guest.  If so, enable the guest
 # additions.
-if ($dmi =~ /Manufacturer: innotek/) {
+if ($virt eq "oracle") {
     push @attrs, "services.virtualbox.enable = true;"
 }
 
 
 # Likewise for QEMU.
-if ($dmi =~ /Manufacturer: Bochs/) {
+if ($virt eq "qemu" || $virt eq "kvm" || $virt eq "bochs") {
     push @imports, "<nixpkgs/nixos/modules/profiles/qemu-guest.nix>";
 }
 
@@ -267,6 +269,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
 
     # Skip special filesystems.
     next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
+    next if $mountPoint eq "/var/setuid-wrappers";
 
     # Skip the optional fields.
     my $n = 6; $n++ while $fields[$n] ne "-"; $n++;
@@ -280,9 +283,11 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
     # Maybe this is a bind-mount of a filesystem we saw earlier?
     if (defined $fsByDev{$fields[2]}) {
         my $path = $fields[3]; $path = "" if $path eq "/";
+        my $base = $fsByDev{$fields[2]};
+        $base = "" if $base eq "/";
         $fileSystems .= <<EOF;
   fileSystems.\"$mountPoint\" =
-    { device = \"$fsByDev{$fields[2]}$path\";
+    { device = \"$base$path\";
       fsType = \"none\";
       options = \"bind\";
     };
@@ -401,7 +406,6 @@ if ($showHardwareConfig) {
         if (-e "/sys/firmware/efi/efivars") {
             $bootLoaderConfig = <<EOF;
   # Use the gummiboot efi boot loader.
-  boot.loader.grub.enable = false;
   boot.loader.gummiboot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 EOF
@@ -439,6 +443,12 @@ $bootLoaderConfig
   #   defaultLocale = "en_US.UTF-8";
   # };
 
+  # List packages installed in system profile. To search by name, run:
+  # $ nix-env -qaP | grep wget
+  # environment.systemPackages = with pkgs; [
+  #   wget
+  # ];
+
   # List services that you want to enable:
 
   # Enable the OpenSSH daemon.
@@ -455,6 +465,17 @@ $bootLoaderConfig
   # Enable the KDE Desktop Environment.
   # services.xserver.displayManager.kdm.enable = true;
   # services.xserver.desktopManager.kde4.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.extraUsers.guest = {
+  #   name = "guest";
+  #   group = "users";
+  #   uid = 1000;
+  #   createHome = true;
+  #   home = "/home/guest";
+  #   shell = "/run/current-system/sw/bin/bash";
+  # };
+
 }
 EOF
     } else {

nixos/modules/installer/tools/nixos-install.sh

@@ -62,6 +62,7 @@ fi
 # into the chroot because we need networking and the nixbld user
 # accounts in /etc/passwd.  But we do need the target's /etc/nixos.
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/mnt $mountPoint/mnt2 $mountPoint/mnt-nixpkgs $mountPoint/etc /etc/nixos
+mkdir -m 0700 -p $mountPoint/root
 mount --make-private / # systemd makes / shared, which is annoying
 mount --bind / $mountPoint/mnt
 mount --bind /nix $mountPoint/mnt/nix

nixos/modules/installer/tools/nixos-rebuild.sh

@@ -184,13 +184,13 @@ if [ -z "$rollback" ]; then
         nix-env "${extraBuildFlags[@]}" -p "$profile" -f '<nixpkgs/nixos>' --set -A system
         pathToConfig="$profile"
     elif [ "$action" = test -o "$action" = build -o "$action" = dry-run ]; then
-        nix-build '<nixpkgs/nixos>' -A system -K -k "${extraBuildFlags[@]}" > /dev/null
+        nix-build '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}" > /dev/null
         pathToConfig=./result
     elif [ "$action" = build-vm ]; then
-        nix-build '<nixpkgs/nixos>' -A vm -K -k "${extraBuildFlags[@]}" > /dev/null
+        nix-build '<nixpkgs/nixos>' -A vm -k "${extraBuildFlags[@]}" > /dev/null
         pathToConfig=./result
     elif [ "$action" = build-vm-with-bootloader ]; then
-        nix-build '<nixpkgs/nixos>' -A vmWithBootLoader -K -k "${extraBuildFlags[@]}" > /dev/null
+        nix-build '<nixpkgs/nixos>' -A vmWithBootLoader -k "${extraBuildFlags[@]}" > /dev/null
         pathToConfig=./result
     else
         showSyntax

nixos/modules/installer/tools/tools.nix

@@ -38,7 +38,6 @@ let
     name = "nixos-generate-config";
     src = ./nixos-generate-config.pl;
     perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl";
-    inherit (pkgs) dmidecode;
   };
 
   nixos-option = makeProg {

nixos/modules/installer/virtualbox-demo.nix

@@ -15,5 +15,5 @@ with lib;
 
   # Add some more video drivers to give X11 a shot at working in
   # VMware and QEMU.
-  hardware.opengl.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" ];
+  services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" ];
 }

nixos/modules/misc/ids.nix

@@ -52,13 +52,13 @@
       osgi = 34;
       tor = 35;
       cups = 36;
-      foldingAtHome = 37;
+      foldingathome = 37;
       sabnzbd = 38;
       kdm = 39;
-      ghostOne = 40;
+      ghostone = 40;
       git = 41;
-      fourStore = 42;
-      fourStoreEndpoint = 43;
+      fourstore = 42;
+      fourstorehttp = 43;
       virtuoso = 44;
       rtkit = 45;
       dovecot2 = 46;
@@ -84,7 +84,7 @@
       postgres = 71;
       smbguest = 74;
       varnish = 75;
-      dd-agent = 76;
+      datadog = 76;
       lighttpd = 77;
       lightdm = 78;
       freenet = 79;
@@ -129,10 +129,10 @@
       foundationdb = 118;
       newrelic = 119;
       starbound = 120;
-      hydra     = 122;
-      spiped    = 123;
+      hydra = 122;
+      spiped = 123;
 
-      # When adding a uid, make sure it doesn't match an existing gid.
+      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
       nixbld = 30000; # start of range of uids
       nobody = 65534;
@@ -173,8 +173,8 @@
       osgi = 34;
       ghostOne = 40;
       git = 41;
-      fourStore = 42;
-      fourStoreEndpoint = 43;
+      fourstore = 42;
+      fourstorehttpd = 43;
       virtuoso = 44;
       dovecot2 = 46;
       prayer = 49;
@@ -201,7 +201,7 @@
       vboxsf = 73;
       smbguest = 74;
       varnish = 75;
-      dd-agent = 76;
+      datadog = 76;
       lighttpd = 77;
       lightdm = 78;
       freenet = 79;
@@ -237,7 +237,7 @@
       hydra = 122;
       spiped = 123;
 
-      # When adding a gid, make sure it doesn't match an existing uid.
+      # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
 
       users = 100;
       nixbld = 30000;

nixos/modules/misc/nixpkgs.nix

@@ -62,8 +62,7 @@ in
       type = types.str;
       description = ''
         Specifies the Nix platform type for which NixOS should be built.
-        If unset, it defaults to the platform type of your host system
-        (<literal>${builtins.currentSystem}</literal>).
+        If unset, it defaults to the platform type of your host system.
         Specifying this option is useful when doing distributed
         multi-platform deployment, or when building virtual machines.
       '';

nixos/modules/misc/version.nix

@@ -33,7 +33,7 @@ with lib;
     system.defaultChannel = mkOption {
       internal = true;
       type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-14.04;
       description = "Default NixOS channel to which the root user is subscribed.";
     };
 

nixos/modules/module-list.nix

@@ -32,6 +32,7 @@
   ./hardware/opengl.nix
   ./hardware/pcmcia.nix
   ./hardware/video/bumblebee.nix
+  ./hardware/video/nvidia.nix
   ./installer/tools/nixos-checkout.nix
   ./installer/tools/tools.nix
   ./misc/assertions.nix
@@ -100,9 +101,12 @@
   ./services/desktops/accountservice.nix
   ./services/desktops/gnome3/at-spi2-core.nix
   ./services/desktops/gnome3/evolution-data-server.nix
+  ./services/desktops/gnome3/gnome-documents.nix
   ./services/desktops/gnome3/gnome-keyring.nix
   ./services/desktops/gnome3/gnome-online-accounts.nix
+  ./services/desktops/gnome3/gnome-online-miners.nix
   ./services/desktops/gnome3/gnome-user-share.nix
+  ./services/desktops/gnome3/seahorse.nix
   ./services/desktops/gnome3/sushi.nix
   ./services/desktops/gnome3/tracker.nix
   ./services/desktops/telepathy.nix
@@ -132,7 +136,7 @@
   ./services/mail/opensmtpd.nix
   ./services/mail/postfix.nix
   ./services/mail/spamassassin.nix
-  ./services/misc/autofs.nix
+  #./services/misc/autofs.nix
   ./services/misc/cgminer.nix
   ./services/misc/dictd.nix
   ./services/misc/disnix.nix

nixos/modules/profiles/base.nix

@@ -7,7 +7,6 @@
   # Include some utilities that are useful for installing or repairing
   # the system.
   environment.systemPackages = [
-    pkgs.subversion # for nixos-checkout
     pkgs.w3m # needed for the manual anyway
     pkgs.testdisk # useful for repairing boot problems
     pkgs.mssys # for writing Microsoft boot sectors / MBRs

nixos/modules/profiles/headless.nix

@@ -12,6 +12,8 @@ with lib;
   # Don't start a tty on the serial consoles.
   systemd.services."serial-getty@ttyS0".enable = false;
   systemd.services."serial-getty@hvc0".enable = false;
+  systemd.services."getty@tty1".enable = false;
+  systemd.services."autovt@".enable = false;
 
   # Since we can't manually respond to a panic, just reboot.
   boot.kernelParams = [ "panic=1" "boot.panic_on_fail" ];

nixos/modules/programs/bash/bash.nix

@@ -40,6 +40,7 @@ in
 
     programs.bash = {
 
+      /*
       enable = mkOption {
         default = true;
         description = ''
@@ -52,6 +53,7 @@ in
         '';
         type = types.bool;
       };
+      */
 
       shellAliases = mkOption {
         default = config.environment.shellAliases // { which = "type -P"; };
@@ -114,7 +116,7 @@ in
 
   };
 
-  config = mkIf cfg.enable {
+  config = /* mkIf cfg.enable */ {
 
     programs.bash = {
 

nixos/modules/programs/info.nix

@@ -2,6 +2,8 @@
 
 let
 
+  texinfo = pkgs.texinfoInteractive;
+
   # Quick hack to make the `info' command work properly.  `info' needs
   # a "dir" file containing all the installed Info files, which we
   # don't have (it would be impure to have a package installation
@@ -22,15 +24,15 @@ let
 
       for i in $(IFS=:; echo $INFOPATH); do
           for j in $i/*.info; do
-              ${pkgs.texinfo}/bin/install-info --quiet $j $dir/dir
+              ${texinfo}/bin/install-info --quiet $j $dir/dir
           done
       done
 
-      INFOPATH=$dir:$INFOPATH ${pkgs.texinfo}/bin/info "$@"
+      INFOPATH=$dir:$INFOPATH ${texinfo}/bin/info "$@"
     ''; # */
 
 in
 
 {
-  environment.systemPackages = [ infoWrapper pkgs.texinfo ];
+  environment.systemPackages = [ infoWrapper texinfo ];
 }

nixos/modules/programs/shadow.nix

@@ -10,12 +10,12 @@ let
     ''
       DEFAULT_HOME yes
 
-      SYS_UID_MIN  100
+      SYS_UID_MIN  400
       SYS_UID_MAX  499
       UID_MIN      1000
       UID_MAX      29999
 
-      SYS_GID_MIN  100
+      SYS_GID_MIN  400
       SYS_GID_MAX  499
       GID_MIN      1000
       GID_MAX      29999

nixos/modules/programs/zsh/zsh.nix

@@ -26,11 +26,6 @@ in
         default = false;
         description = ''
           Whenever to configure Zsh as an interactive shell.
-          Note that this tries to make Zsh the default
-          <option>users.defaultUserShell</option>,
-          which in turn means that you might need to explicitly
-          set this variable if you have another shell configured
-          with NixOS.
         '';
         type = types.bool;
       };
@@ -168,7 +163,7 @@ in
 
     environment.systemPackages = [ pkgs.zsh ];
 
-    users.defaultUserShell = mkDefault "/run/current-system/sw/bin/zsh";
+    #users.defaultUserShell = mkDefault "/run/current-system/sw/bin/zsh";
 
     environment.shells =
       [ "/run/current-system/sw/bin/zsh"

nixos/modules/rename.nix

@@ -74,6 +74,7 @@ in zipModules ([]
 ++ obsolete [ "environment" "x11Packages" ] [ "environment" "systemPackages" ]
 ++ obsolete [ "environment" "enableBashCompletion" ] [ "programs" "bash" "enableCompletion" ]
 ++ obsolete [ "environment" "nix" ] [ "nix" "package" ]
+++ obsolete [ "fonts" "extraFonts" ] [ "fonts" "fonts" ]
 
 ++ obsolete [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ]
 ++ obsolete [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ]
@@ -120,12 +121,13 @@ in zipModules ([]
 ++ obsolete [ "services" "xserver" "driSupport" ] [ "hardware" "opengl" "driSupport" ]
 ++ obsolete [ "services" "xserver" "driSupport32Bit" ] [ "hardware" "opengl" "driSupport32Bit" ]
 ++ obsolete [ "services" "xserver" "s3tcSupport" ] [ "hardware" "opengl" "s3tcSupport" ]
-++ obsolete [ "services" "xserver" "videoDrivers" ] [ "hardware" "opengl" "videoDrivers" ]
+++ obsolete [ "hardware" "opengl" "videoDrivers" ] [ "services" "xserver" "videoDrivers" ]
 
 ++ obsolete [ "services" "mysql55" ] [ "services" "mysql" ]
 
 # Options that are obsolete and have no replacement.
 ++ obsolete' [ "boot" "loader" "grub" "bootDevice" ]
 ++ obsolete' [ "boot" "initrd" "luks" "enable" ]
+++ obsolete' [ "programs" "bash" "enable" ]
 
 )

nixos/modules/security/polkit.nix

@@ -98,10 +98,6 @@ in
       ''
         # Probably no more needed, clean up
         rm -rf /var/lib/{polkit-1,PolicyKit}
-
-        # Force polkitd to be restarted so that it reloads its
-        # configuration.
-        ${pkgs.procps}/bin/pkill -INT -u root -x polkitd
       '';
 
     users.extraUsers.polkituser = {

nixos/modules/services/backup/tarsnap.nix

@@ -7,9 +7,9 @@ let
 
   optionalNullStr = e: v: if e == null then "" else v;
 
-  configFile = pkgs.writeText "tarsnap.conf" ''
-    cachedir ${cfg.cachedir}
-    keyfile  ${cfg.keyfile}
+  configFile = cfg: ''
+    cachedir ${config.services.tarsnap.cachedir}
+    keyfile  ${config.services.tarsnap.keyfile}
     ${optionalString cfg.nodump "nodump"}
     ${optionalString cfg.printStats "print-stats"}
     ${optionalNullStr cfg.checkpointBytes "checkpoint-bytes "+cfg.checkpointBytes}
@@ -39,15 +39,15 @@ in
         '';
       };
 
-      label = mkOption {
-        type = types.str;
-        default = "nixos";
+      keyfile = mkOption {
+        type = types.path;
+        default = "/root/tarsnap.key";
         description = ''
-          Specifies the label for archives created by Tarsnap. The
-          full name will be
-          <literal>label-$(date+"%Y%m%d%H%M%S")</literal>. For
-          example, by default your backups will look similar to
-          <literal>nixos-20140301011501</literal>.
+          Path to the keyfile which identifies the machine
+          associated with your Tarsnap account. This file can
+          be created using the
+          <literal>tarsnap-keygen</literal> utility, and
+          providing your Tarsnap login credentials.
         '';
       };
 
@@ -55,122 +55,158 @@ in
         type    = types.path;
         default = "/var/cache/tarsnap";
         description = ''
-          Tarsnap operations use a "cache directory" which allows
-          Tarsnap to identify which blocks of data have been
-          previously stored; this directory is specified via the
-          <literal>cachedir</literal> option. If the cache directory
-          is lost or out of date, tarsnap creation/deletion operations
-          will exit with an error message instructing you to run
-          <literal>tarsnap --fsck</literal> to regenerate the cache
-          directory.
+          Tarsnap operations use a "cache directory" which
+          allows Tarsnap to identify which blocks of data have
+          been previously stored; this directory is specified
+          via the <literal>cachedir</literal> option. If the
+          cache directory is lost or out of date, tarsnap
+          creation/deletion operations will exit with an error
+          message instructing you to run <literal>tarsnap
+          --fsck</literal> to regenerate the cache directory.
         '';
       };
 
-      keyfile = mkOption {
-        type = types.path;
-        default = "/root/tarsnap.key";
-        description = ''
-          Path to the keyfile which identifies the machine associated
-          with your Tarsnap account. This file can be created using
-          the <literal>tarsnap-keygen</literal> utility, and providing
-          your Tarsnap login credentials.
+      config = mkOption {
+        type = types.attrsOf (types.submodule (
+          {
+            options = {
+              nodump = mkOption {
+                type = types.bool;
+                default = true;
+                description = ''
+                  If set to <literal>true</literal>, then don't
+                  archive files which have the
+                  <literal>nodump</literal> flag set.
+                '';
+              };
+
+              printStats = mkOption {
+                type = types.bool;
+                default = true;
+                description = "Print statistics when creating archives.";
+              };
+
+              checkpointBytes = mkOption {
+                type = types.nullOr types.str;
+                default = "1G";
+                description = ''
+                  Create a checkpoint per a particular amount of
+                  uploaded data. By default, Tarsnap will create
+                  checkpoints once per GB of data uploaded. At
+                  minimum, <literal>checkpointBytes</literal> must be
+                  1GB.
+
+                  Can also be set to <literal>null</literal> to
+                  disable checkpointing.
+                '';
+              };
+
+              period = mkOption {
+                type = types.str;
+                default = "15 01 * * *";
+                description = ''
+                  This option defines (in the format used by cron)
+                  when tarsnap is run for backups. The default is to
+                  backup the specified paths at 01:15 at night every
+                  day.
+                '';
+              };
+
+              aggressiveNetworking = mkOption {
+                type = types.bool;
+                default = false;
+                description = ''
+                  Aggressive network behaviour: Use multiple TCP
+                  connections when writing archives.  Use of this
+                  option is recommended only in cases where TCP
+                  congestion control is known to be the limiting
+                  factor in upload performance.
+                '';
+              };
+
+              directories = mkOption {
+                type = types.listOf types.path;
+                default = [];
+                description = "List of filesystem paths to archive.";
+              };
+
+              excludes = mkOption {
+                type = types.listOf types.str;
+                default = [];
+                description = ''
+                  Exclude files and directories matching the specified
+                  patterns.
+                '';
+              };
+
+              includes = mkOption {
+                type = types.listOf types.str;
+                default = [];
+                description = ''
+                  Include only files and directories matching the
+                  specified patterns.
+
+                  Note that exclusions specified via
+                  <literal>excludes</literal> take precedence over
+                  inclusions.
+                '';
+              };
+
+              lowmem = mkOption {
+                type = types.bool;
+                default = false;
+                description = ''
+                  Attempt to reduce tarsnap memory consumption.  This
+                  option will slow down the process of creating
+                  archives, but may help on systems where the average
+                  size of files being backed up is less than 1 MB.
+                '';
+              };
+
+              verylowmem = mkOption {
+                type = types.bool;
+                default = false;
+                description = ''
+                  Try even harder to reduce tarsnap memory
+                  consumption.  This can significantly slow down
+                  tarsnap, but reduces its memory usage by an
+                  additional factor of 2 beyond what the
+                  <literal>lowmem</literal> option does.
+                '';
+              };
+            };
+          }
+        ));
+
+        default = {};
+
+        example = literalExample ''
+          {
+            nixos =
+              { directories = [ "/home" "/root/ssl" ];
+              };
+
+            gamedata =
+              { directories = [ "/var/lib/minecraft "];
+                period      = "*/30 * * * *";
+              };
+          }
         '';
-      };
 
-      nodump = mkOption {
-        type = types.bool;
-        default = true;
         description = ''
-          If set to <literal>true</literal>, then don't archive files
-          which have the <literal>nodump</literal> flag set.
-        '';
-      };
-
-      printStats = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Print statistics when creating archives.";
-      };
-
-      checkpointBytes = mkOption {
-        type = types.nullOr types.str;
-        default = "1G";
-        description = ''
-          Create a checkpoint per a particular amount of uploaded
-          data. By default, Tarsnap will create checkpoints once per
-          GB of data uploaded. At minimum,
-          <literal>checkpointBytes</literal> must be 1GB.
-
-          Can also be set to <literal>null</literal> to disable
-          checkpointing.
-        '';
-      };
-
-      period = mkOption {
-        type = types.str;
-        default = "15 01 * * *";
-        description = ''
-          This option defines (in the format used by cron) when
-          tarsnap is run for backups. The default is to backup the
-          specified paths at 01:15 at night every day.
-        '';
-      };
-
-      aggressiveNetworking = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Aggressive network behaviour: Use multiple TCP connections
-          when writing archives.  Use of this option is recommended
-          only in cases where TCP congestion control is known to be
-          the limiting factor in upload performance.
-        '';
-      };
-
-      directories = mkOption {
-        type = types.listOf types.path;
-        default = [];
-        description = "List of filesystem paths to archive.";
-      };
-
-      excludes = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = ''
-          Exclude files and directories matching the specified patterns.
-        '';
-      };
-
-      includes = mkOption {
-        type = types.listOf types.str;
-        default = [];
-        description = ''
-          Include only files and directories matching the specified patterns.
-
-          Note that exclusions specified via
-          <literal>excludes</literal> take precedence over inclusions.
-        '';
-      };
-
-      lowmem = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Attempt to reduce tarsnap memory consumption.  This option
-          will slow down the process of creating archives, but may
-          help on systems where the average size of files being backed
-          up is less than 1 MB.
-        '';
-      };
-
-      verylowmem = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Try even harder to reduce tarsnap memory consumption.  This
-          can significantly slow down tarsnap, but reduces its memory
-          usage by an additional factor of 2 beyond what the
-          <literal>lowmem</literal> option does.
+          Configuration of a Tarsnap archive. In the example, your
+          machine will have two tarsnap archives:
+          <literal>gamedata</literal> (backed up every 30 minutes) and
+          <literal>nixos</literal> (backed up at 1:15 AM every night by
+          default). You can control individual archive backups using
+          <literal>systemctl</literal>, using the
+          <literal>tarsnap@nixos</literal> or
+          <literal>tarsnap@gamedata</literal> units. For example,
+          <literal>systemctl start tarsnap@nixos</literal> will
+          immediately create a new NixOS archive. By default, archives
+          are suffixed with the timestamp of when they were started,
+          down to second resolution. This means you can use GNU
+          <literal>sort</literal> to sort output easily.
         '';
       };
     };
@@ -178,26 +214,40 @@ in
 
   config = mkIf cfg.enable {
     assertions =
-      [ { assertion = cfg.directories != [];
+      (mapAttrsToList (name: cfg:
+        { assertion = cfg.directories != [];
           message = "Must specify directories for Tarsnap to back up";
-        }
+        }) cfg.config) ++
+      (mapAttrsToList (name: cfg:
         { assertion = cfg.lowmem -> !cfg.verylowmem && (cfg.verylowmem -> !cfg.lowmem);
           message = "You cannot set both lowmem and verylowmem";
-        }
-      ];
+        }) cfg.config);
+
+    systemd.services."tarsnap@" = {
+      description = "Tarsnap Backup of '%i'";
+      requires    = [ "network.target" ];
 
-    systemd.services.tarsnap-backup = {
-      description = "Tarsnap Backup process";
       path = [ pkgs.tarsnap pkgs.coreutils ];
+      scriptArgs = "%i";
       script = ''
         mkdir -p -m 0755 $(dirname ${cfg.cachedir})
         mkdir -p -m 0600 ${cfg.cachedir}
-        exec tarsnap --configfile ${configFile} -c -f ${cfg.label}-$(date +"%Y%m%d%H%M%S") ${concatStringsSep " " cfg.directories}
+        DIRS=`cat /etc/tarsnap/$1.dirs`
+        exec tarsnap --configfile /etc/tarsnap/$1.conf -c -f $1-$(date +"%Y%m%d%H%M%S") $DIRS
       '';
     };
 
-    services.cron.systemCronJobs = optional cfg.enable
-      "${cfg.period} root ${config.systemd.package}/bin/systemctl start tarsnap-backup.service";
+    services.cron.systemCronJobs = mapAttrsToList (name: cfg:
+      "${cfg.period} root ${config.systemd.package}/bin/systemctl start tarsnap@${name}"
+    ) cfg.config;
+
+    environment.etc =
+      (mapAttrs' (name: cfg: nameValuePair "tarsnap/${name}.conf"
+        { text = configFile cfg;
+        }) cfg.config) //
+      (mapAttrs' (name: cfg: nameValuePair "tarsnap/${name}.dirs"
+        { text = concatStringsSep " " cfg.directories;
+        }) cfg.config);
 
     environment.systemPackages = [ pkgs.tarsnap ];
   };

nixos/modules/services/databases/4store-endpoint.nix

@@ -54,7 +54,7 @@ with lib;
 
     users.extraUsers = singleton
       { name = endpointUser;
-        uid = config.ids.uids.fourStoreEndpoint;
+        uid = config.ids.uids.fourstorehttp;
         description = "4Store SPARQL endpoint user";
 #        home = stateDir;
       };

nixos/modules/services/databases/4store.nix

@@ -45,7 +45,7 @@ with lib;
 
     users.extraUsers = singleton
       { name = fourStoreUser;
-        uid = config.ids.uids.fourStore;
+        uid = config.ids.uids.fourstore;
         description = "4Store database user";
         home = stateDir;
       };

nixos/modules/services/databases/mysql.nix

@@ -21,6 +21,7 @@ let
   myCnf = pkgs.writeText "my.cnf"
   ''
     [mysqld]
+    port = ${toString cfg.port}
     ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "log-bin=mysql-bin"}
     ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "server-id = ${toString cfg.replication.serverId}"}
     ${optionalString (cfg.replication.role == "slave" && !is55)

nixos/modules/services/desktops/gnome3/gnome-documents.nix

@@ -0,0 +1,43 @@
+# GNOME Documents daemon.
+
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.gnome3.gnome-documents = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable GNOME Documents services, a document
+          manager application for GNOME.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.gnome3.gnome-documents.enable {
+
+    environment.systemPackages = [ pkgs.gnome3.gnome-documents ];
+
+    services.dbus.packages = [ pkgs.gnome3.gnome-documents ];
+
+    services.gnome3.gnome-online-accounts.enable = true;
+
+    services.gnome3.gnome-online-miners.enable = true;
+
+  };
+
+}

nixos/modules/services/desktops/gnome3/gnome-online-miners.nix

@@ -0,0 +1,39 @@
+# GNOME Online Miners daemon.
+
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.gnome3.gnome-online-miners = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable GNOME Online Miners, a service that
+          crawls through your online content.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.gnome3.gnome-online-miners.enable {
+
+    environment.systemPackages = [ pkgs.gnome3.gnome-online-miners ];
+
+    services.dbus.packages = [ pkgs.gnome3.gnome-online-miners ];
+
+  };
+
+}

nixos/modules/services/desktops/gnome3/seahorse.nix

@@ -0,0 +1,38 @@
+# Seahorse daemon.
+
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.gnome3.seahorse = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable Seahorse search provider for the GNOME Shell activity search.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.gnome3.seahorse.enable {
+
+    environment.systemPackages = [ pkgs.gnome3.seahorse ];
+
+    services.dbus.packages = [ pkgs.gnome3.seahorse ];
+
+  };
+
+}

nixos/modules/services/games/ghost-one.nix

@@ -57,14 +57,14 @@ in
 
     users.extraUsers = singleton
       { name = ghostUser;
-        uid = config.ids.uids.ghostOne;
+        uid = config.ids.uids.ghostone;
         description = "Ghost One game server user";
         home = stateDir;
       };
 
     users.extraGroups = singleton
       { name = ghostUser;
-        gid = config.ids.gids.ghostOne;
+        gid = config.ids.gids.ghostone;
       };
 
     services.ghostOne.config = ''

nixos/modules/services/hardware/pommed.nix

@@ -4,30 +4,34 @@ with lib;
 
 {
 
-  options.services.hardware.pommed = {
-    enable = mkOption {
-      default = false;
-       description = ''
-        Whether to use the pommed tool to handle Apple laptop keyboard hotkeys.
-      '';
+  options = {
+
+    services.hardware.pommed = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to use the pommed tool to handle Apple laptop keyboard hotkeys.
+        '';
+      };
+
+      configFile = mkOption {
+        type = types.path;
+        description = ''
+          The path to the <filename>pommed.conf</filename> file.
+        '';
+      };
     };
 
-    configFile = mkOption {
-      default = "${pkgs.pommed}/etc/pommed.conf";
-      description = ''
-        The contents of the pommed.conf file.
-      '';
-    };
   };
 
   config = mkIf config.services.hardware.pommed.enable {
     environment.systemPackages = [ pkgs.polkit ];
 
-    environment.etc = [
-      { source = config.services.hardware.pommed.configFile;
-        target = "pommed.conf";
-      }
-    ];
+    environment.etc."pommed.conf".source = config.services.hardware.pommed.configFile;
+
+    services.hardware.pommed.configFile = "${pkgs.pommed}/etc/pommed.conf";
 
     services.dbus.packages = [ pkgs.pommed ];
 

nixos/modules/services/hardware/udev.nix

@@ -20,6 +20,9 @@ let
     # Miscellaneous devices.
     KERNEL=="kvm",                  MODE="0666"
     KERNEL=="kqemu",                MODE="0666"
+
+    # Needed for gpm.
+    SUBSYSTEM=="input", KERNEL=="mice", TAG+="systemd"
   '';
 
   # Perform substitutions in all udev rules files.

nixos/modules/services/misc/folding-at-home.nix

@@ -44,7 +44,7 @@ in {
 
     users.extraUsers = singleton
       { name = fahUser;
-        uid = config.ids.uids.foldingAtHome;
+        uid = config.ids.uids.foldingathome;
         description = "Folding@Home user";
         home = stateDir;
       };

nixos/modules/services/misc/synergy.nix

@@ -83,7 +83,8 @@ in
 
   config = {
 
-    systemd.services."synergy-client" = mkIf cfgC.enable {
+    systemd.services."synergy-client" = {
+      enable = cfgC.enable;
       after = [ "network.target" ];
       description = "Synergy client";
       wantedBy = optional cfgC.autoStart "multi-user.target";
@@ -91,7 +92,8 @@ in
       serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergyc -f ${optionalString (cfgC.screenName != "") "-n ${cfgC.screenName}"} ${cfgC.serverAddress}'';
     };
 
-    systemd.services."synergy-server" = mkIf cfgS.enable {
+    systemd.services."synergy-server" = {
+      enable = cfgS.enable;
       after = [ "network.target" ];
       description = "Synergy server";
       wantedBy = optional cfgS.autoStart "multi-user.target";

nixos/modules/services/monitoring/dd-agent.nix

@@ -5,54 +5,113 @@ with lib;
 let
   cfg = config.services.dd-agent;
 
-  datadog_conf = pkgs.runCommand "datadog.conf" {} ''
-    sed -e 's|^api_key:|api_key: ${cfg.api_key}|' ${optionalString (cfg.hostname != null)
-      "-e 's|^#hostname: mymachine.mydomain|hostname: ${cfg.hostname}|'"
-    } ${pkgs.dd-agent}/etc/dd-agent/datadog.conf.example > $out
+  ddConf = pkgs.writeText "datadog.conf" ''
+    [Main]
+    dd_url: https://app.datadoghq.com
+    skip_ssl_validation: no
+    api_key: ${cfg.api_key}
+    ${optionalString (cfg.hostname != null) "hostname: ${cfg.hostname}"}
+
+    collector_log_file: /var/log/datadog/collector.log
+    forwarder_log_file: /var/log/datadog/forwarder.log
+    dogstatsd_log_file: /var/log/datadog/dogstatsd.log
+    pup_log_file:       /var/log/datadog/pup.log
+
+    # proxy_host: my-proxy.com
+    # proxy_port: 3128
+    # proxy_user: user
+    # proxy_password: password
+
+    # tags: mytag0, mytag1
+
+    # collect_ec2_tags: no
+    # recent_point_threshold: 30
+    # use_mount: no
+    # listen_port: 17123
+    # graphite_listen_port: 17124
+    # non_local_traffic: no
+    # use_curl_http_client: False
+    # bind_host: localhost
+
+    # use_pup: no
+    # pup_port: 17125
+    # pup_interface: localhost
+    # pup_url: http://localhost:17125
+
+    # dogstatsd_port : 8125
+    # dogstatsd_interval : 10
+    # dogstatsd_normalize : yes
+    # statsd_forward_host: address_of_own_statsd_server
+    # statsd_forward_port: 8125
+
+    # device_blacklist_re: .*\/dev\/mapper\/lxc-box.*
+
+    # ganglia_host: localhost
+    # ganglia_port: 8651
   '';
+
+  postgresqlConfig = pkgs.writeText "postgres.yaml" cfg.postgresqlConfig;
+  nginxConfig = pkgs.writeText "nginx.yaml" cfg.nginxConfig;
+
+  etcfiles =
+    [ { source = ddConf;
+        target = "dd-agent/datadog.conf";
+      } ] ++
+    (optional (cfg.postgresqlConfig != null)
+      { source = postgresqlConfig;
+        target = "dd-agent/conf.d/postgres.yaml";
+      }) ++
+    (optional (cfg.nginxConfig != null)
+      { source = nginxConfig;
+        target = "dd-agent/conf.d/nginx.yaml";
+      });
+
 in {
   options.services.dd-agent = {
     enable = mkOption {
       description = "Whether to enable the dd-agent montioring service";
-
       default = false;
-
       type = types.bool;
     };
 
-    # !!! This gets stored in the store (world-readable), wish we had https://github.com/NixOS/nix/issues/8
     api_key = mkOption {
       description = "The Datadog API key to associate the agent with your account";
-
       example = "ae0aa6a8f08efa988ba0a17578f009ab";
-
       type = types.str;
     };
 
     hostname = mkOption {
       description = "The hostname to show in the Datadog dashboard (optional)";
-
       default = null;
-
       example = "mymachine.mydomain";
+      type = types.uniq (types.nullOr types.string);
+    };
 
+    postgresqlConfig = mkOption {
+      description = "Datadog PostgreSQL integration configuration";
+      default = null;
+      type = types.uniq (types.nullOr types.string);
+    };
+
+    nginxConfig = mkOption {
+      description = "Datadog nginx integration configuration";
+      default = null;
       type = types.uniq (types.nullOr types.string);
     };
   };
 
   config = mkIf cfg.enable {
-    environment.etc = [ { source = datadog_conf; target = "dd-agent/datadog.conf"; } ];
     environment.systemPackages = [ pkgs."dd-agent" pkgs.sysstat pkgs.procps ];
 
-    users.extraUsers."dd-agent" = {
+    users.extraUsers.datadog = {
       description = "Datadog Agent User";
-      uid = config.ids.uids.dd-agent;
-      group = "dd-agent";
+      uid = config.ids.uids.datadog;
+      group = "datadog";
       home = "/var/log/datadog/";
       createHome = true;
     };
 
-    users.extraGroups.dd-agent.gid = config.ids.gids.dd-agent;
+    users.extraGroups.datadog.gid = config.ids.gids.datadog;
 
     systemd.services.dd-agent = {
       description = "Datadog agent monitor";
@@ -60,28 +119,30 @@ in {
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         ExecStart = "${pkgs.dd-agent}/bin/dd-agent foreground";
-        User = "dd-agent";
-        Group = "dd-agent";
+        User = "datadog";
+        Group = "datadog";
         Restart = "always";
         RestartSec = 2;
       };
-      restartTriggers = [ pkgs.dd-agent datadog_conf ];
+      restartTriggers = [ pkgs.dd-agent ddConf postgresqlConfig nginxConfig ];
     };
 
     systemd.services.dogstatsd = {
       description = "Datadog statsd";
-      path = [ pkgs."dd-agent" pkgs.python ];
+      path = [ pkgs."dd-agent" pkgs.python pkgs.procps ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         ExecStart = "${pkgs.dd-agent}/bin/dogstatsd start";
-        User = "dd-agent";
-        Group = "dd-agent";
+        User = "datadog";
+        Group = "datadog";
         Type = "forking";
         PIDFile = "/tmp/dogstatsd.pid";
         Restart = "always";
         RestartSec = 2;
       };
-      restartTriggers = [ pkgs.dd-agent datadog_conf ];
+      restartTriggers = [ pkgs.dd-agent ddConf postgresqlConfig nginxConfig ];
     };
+
+    environment.etc = etcfiles;
   };
 }

nixos/modules/services/monitoring/zabbix-agent.nix

@@ -67,11 +67,11 @@ in
 
   config = mkIf cfg.enable {
 
-    users.extraUsers = singleton
+    users.extraUsers = mkIf (!config.services.zabbixServer.enable) (singleton
       { name = "zabbix";
         uid = config.ids.uids.zabbix;
         description = "Zabbix daemon user";
-      };
+      });
 
     systemd.services."zabbix-agent" =
       { description = "Zabbix Agent";

nixos/modules/services/network-filesystems/nfsd.nix

@@ -56,6 +56,13 @@ in
           default = false;
           description = "Whether to create the mount points in the exports file at startup time.";
         };
+
+        lockdPort = mkOption {
+          default = 0;
+          description = ''
+            Fix the lockd port number. This can help setting firewall rules for NFS.
+          '';
+        };
       };
 
     };
@@ -96,6 +103,9 @@ in
             # Create a state directory required by NFSv4.
             mkdir -p /var/lib/nfs/v4recovery
 
+            ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_tcpport=${builtins.toString cfg.lockdPort}
+            ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_udpport=${builtins.toString cfg.lockdPort}
+
             rpc.nfsd \
               ${if cfg.hostName != null then "-H ${cfg.hostName}" else ""} \
               ${builtins.toString cfg.nproc}

nixos/modules/services/networking/btsync.nix

@@ -164,6 +164,7 @@ in
       httpLogin = mkOption {
         type = types.str;
         example = "allyourbase";
+        default = "";
         description = ''
           HTTP web login username.
         '';
@@ -172,6 +173,7 @@ in
       httpPass = mkOption {
         type = types.str;
         example = "arebelongtous";
+        default = "";
         description = ''
           HTTP web login password.
         '';
@@ -237,12 +239,6 @@ in
         { assertion = cfg.apiKey != "" -> cfg.enableWebUI;
           message   = "If you're using an API key, you must enable the web server.";
         }
-        # TODO FIXME: the README says not specifying the login/pass means it
-        # should disable authentication, but apparently it doesn't?
-        { assertion = cfg.enableWebUI -> cfg.httpLogin != "" && cfg.httpPass != "";
-          message   = "If using the web UI, you must configure a login/password.";
-        }
-        # TODO FIXME: assert the existence of sharedFolder directories?
       ];
 
     users.extraUsers.btsync = {

nixos/modules/services/networking/chrony.nix

@@ -48,9 +48,10 @@ in
 
       servers = mkOption {
         default = [
-          "0.pool.ntp.org"
-          "1.pool.ntp.org"
-          "2.pool.ntp.org"
+          "0.nixos.pool.ntp.org"
+          "1.nixos.pool.ntp.org"
+          "2.nixos.pool.ntp.org"
+          "3.nixos.pool.ntp.org"
         ];
         description = ''
           The set of NTP servers from which to synchronise.

nixos/modules/services/networking/cjdns.nix

@@ -1,13 +1,3 @@
-# You may notice the commented out sections in this file,
-# it would be great to configure cjdns from nix, but cjdns 
-# reads its configuration from stdin, including the private
-# key and admin password, all nested in a JSON structure.
-#
-# Until a good method of storing the keys outside the nix 
-# store and mixing them back into a string is devised
-# (without too much shell hackery), a skeleton of the
-# configuration building lies commented out.
-
 { config, lib, pkgs, ... }:
 
 with lib;
@@ -16,41 +6,35 @@ let
 
   cfg = config.services.cjdns;
 
-  /*
-  # can't keep keys and passwords in the nix store,
-  # but don't want to deal with this stdin quagmire.
+  # would be nice to  merge 'cfg' with a //,
+  # but the json nesting is wacky.
+  cjdrouteConf = builtins.toJSON ( {
+    admin = {
+      bind = cfg.admin.bind;
+      password = "@CJDNS_ADMIN_PASSWORD@";
+    };
+    authorizedPasswords = map (p: { password = p; }) cfg.authorizedPasswords;
+    interfaces = {
+      ETHInterface = if (cfg.ETHInterface.bind != "") then [ cfg.ETHInterface ] else [ ];
+      UDPInterface = if (cfg.UDPInterface.bind != "") then [ cfg.UDPInterface ] else [ ];
+    };
 
-  cjdrouteConf = '' {
-    "admin": {"bind": "${cfg.admin.bind}", "password": "\${CJDNS_ADMIN}" },
-    "privateKey": "\${CJDNS_KEY}",
+    privateKey = "@CJDNS_PRIVATE_KEY@";
 
-    "interfaces": {
-    ''
+    resetAfterInactivitySeconds = 100;
 
-    + optionalString (cfg.interfaces.udp.bind.address != null) ''
-      "UDPInterface": [ {
-        "bind": "${cfg.interfaces.udp.bind.address}:"''
-	   ${if cfg.interfaces.upd.bind.port != null
-             then ${toString cfg.interfaces.udp.bind.port}
-	     else ${RANDOM}
-	   fi)
-      + '' } ]''
+    router = {
+      interface = { type = "TUNInterface"; };
+      ipTunnel = {
+        allowedConnections = [];
+        outgoingConnections = [];
+      };
+    };
 
-    + (if cfg.interfaces.eth.bind != null then ''
-      "ETHInterface": [ {
-        "bind": "${cfg.interfaces.eth.bind}",
-        "beacon": ${toString cfg.interfaces.eth.beacon}
-      } ]
-    '' fi )
-    + ''
-    },
-    "router": { "interface": { "type": "TUNInterface" }, },
-    "security": [ { "setuser": "nobody" } ]
-    }
-    '';   
+    security = [ { exemptAngel = 1; setuser = "nobody"; } ];
+
+  });
 
-    cjdrouteConfFile = pkgs.writeText "cjdroute.conf" cjdrouteConf
-    */
 in
 
 {
@@ -62,146 +46,180 @@ in
         type = types.bool;
 	default = false;
         description = ''
-          Enable this option to start a instance of the 
-          cjdns network encryption and and routing engine.
-          Configuration will be read from <literal>confFile</literal>.
+          Whether to enable the cjdns network encryption
+          and routing engine. A file at /etc/cjdns.keys will
+          be created if it does not exist to contain a random
+          secret key that your IPv6 address will be derived from.
         '';
       };
 
-      confFile = mkOption {
-	default = "/etc/cjdroute.conf";
-        description = ''
-          Configuration file to pipe to cjdroute.
+      authorizedPasswords = mkOption {
+        type = types.listOf types.str;
+	default = [ ];
+	example = [
+          "snyrfgkqsc98qh1y4s5hbu0j57xw5s0"
+	  "z9md3t4p45mfrjzdjurxn4wuj0d8swv"
+	  "49275fut6tmzu354pq70sr5b95qq0vj"
+        ];
+	description = ''
+	  Any remote cjdns nodes that offer these passwords on 
+	  connection will be allowed to route through this node.
         '';
       };
-
-      /*
+    
       admin = {
         bind = mkOption {
+          type = types.string;
 	  default = "127.0.0.1:11234";
 	  description = ''
             Bind the administration port to this address and port.
 	  '';
         };
+      };
 
-	passwordFile = mkOption {
-	  example = "/root/cjdns.adminPassword";
+      UDPInterface = {
+        bind = mkOption {
+          type = types.string;
+	  default = "";
+          example = "192.168.1.32:43211";
+          description = ''
+	    Address and port to bind UDP tunnels to.
+	  '';
+ 	};
+        connectTo = mkOption {
+          type = types.attrsOf ( types.submodule (
+	    { options, ... }:
+            { options = {
+                # TODO make host an option, and add it to networking.extraHosts
+                password = mkOption {
+                  type = types.str;
+                  description = "Authorized password to the opposite end of the tunnel.";
+                };
+                publicKey = mkOption {
+                  type = types.str;
+                  description = "Public key at the opposite end of the tunnel.";
+                };
+              };
+            }
+          ));
+	  default = { };
+          example = {
+            "192.168.1.1:27313" = {
+	      password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
+              publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
+            };
+          };
+          description = ''
+	    Credentials for making UDP tunnels.
+	  '';
+	};
+      };
+
+      ETHInterface = {
+        bind = mkOption {
+	  default = "";
+	  example = "eth0";
 	  description = ''
-	    File containing a password to the administration port.
+	    Bind to this device for native ethernet operation.
 	  '';
-	};
-      };
-
-      keyFile = mkOption {
-        type = types.str;
-	example = "/root/cjdns.key";
-	description = ''
-	  Path to a file containing a cjdns private key on a single line.
-	'';
-      };
-      
-      passwordsFile = mkOption {
-        type = types.str;
-	default = null;
-	example = "/root/cjdns.authorizedPasswords";
-	description = ''
-	  A file containing a list of json dictionaries with passwords.
-	  For example:
-	    {"password": "s8xf5z7znl4jt05g922n3wpk75wkypk"},
-	    { "name": "nice guy",
-	      "password": "xhthk1mglz8tpjrbbvdlhyc092rhpx5"},
-	    {"password": "3qfxyhmrht7uwzq29pmhbdm9w4bnc8w"}
-	  '';
-	};
-
-      interfaces = {
-        udp = {
-	  bind = { 
-            address = mkOption {
-	      default = "0.0.0.0";
-	      description = ''
-	        Address to bind UDP tunnels to; disable by setting to null;
-	      '';
- 	    };
-	    port = mkOption {
-	      type = types.int;
-	      default = null;
-	      description = ''
-	        Port to bind UDP tunnels to.
-	        A port will be choosen at random if this is not set.
-	        This option is required to act as the server end of 
-	        a tunnel.
-	      '';
- 	    };
-	  };
-	};
-
-	eth = {
-	  bind = mkOption {
-	    default = null;
-	    example = "eth0";
-	    description = ''
-	      Bind to this device and operate with native wire format.
-	    '';
-	  };
-
-	  beacon = mkOption {
-	    default = 2;
-	    description = ''
-	      Auto-connect to other cjdns nodes on the same network.
-	      Options:
-	        0 -- Disabled.
-
-                1 -- Accept beacons, this will cause cjdns to accept incoming
-		     beacon messages and try connecting to the sender.
-
-		2 -- Accept and send beacons, this will cause cjdns to broadcast
-		     messages on the local network which contain a randomly
-		     generated per-session password, other nodes which have this
-                     set to 1 or 2 will hear the beacon messages and connect
-                     automatically.
-            '';
-	  };
-	  
-	  connectTo = mkOption {
-	    type = types.listOf types.str;
-	    default = [];
-	    description = ''
-	      Credentials for connecting look similar to UDP credientials
-              except they begin with the mac address, for example:
-              "01:02:03:04:05:06":{"password":"a","publicKey":"b"}
-	    '';
-	  };
         };
+
+        beacon = mkOption {
+	  type = types.int;
+          default = 2;
+          description = ''
+            Auto-connect to other cjdns nodes on the same network.
+            Options:
+	      0: Disabled.
+              1: Accept beacons, this will cause cjdns to accept incoming
+                 beacon messages and try connecting to the sender.
+              2: Accept and send beacons, this will cause cjdns to broadcast
+                 messages on the local network which contain a randomly
+                 generated per-session password, other nodes which have this
+                 set to 1 or 2 will hear the beacon messages and connect
+                 automatically.
+          '';
+        };
+
+        connectTo = mkOption {
+          type = types.attrsOf ( types.submodule (
+	    { options, ... }:
+            { options = {
+                password = mkOption {
+                  type = types.str;
+                  description = "Authorized password to the opposite end of the tunnel.";
+                };
+                publicKey = mkOption {
+                  type = types.str;
+                  description = "Public key at the opposite end of the tunnel.";
+                };
+              };
+            }
+          ));
+	  default = { };
+          example = {
+            "01:02:03:04:05:06" = {
+	      password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
+              publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
+            };
+          };
+	  description = ''
+	    Credentials for connecting look similar to UDP credientials
+            except they begin with the mac address.
+	  '';
+	};
       };
-      */
+
     };
+
   };
 
   config = mkIf config.services.cjdns.enable {
 
     boot.kernelModules = [ "tun" ];
 
-    /*
-    networking.firewall.allowedUDPPorts = mkIf (cfg.udp.bind.port != null) [
-      cfg.udp.bind.port
-    ];
-    */
+    # networking.firewall.allowedUDPPorts = ...
 
     systemd.services.cjdns = {
       description = "encrypted networking for everybody";
       wantedBy = [ "multi-user.target" ];
-      wants = [ "network.target" ];
-      before = [ "network.target" ];
-      path = [ pkgs.cjdns ];
+      after = [ "network-interfaces.target" ];
+
+      script = ''
+        source /etc/cjdns.keys
+        echo '${cjdrouteConf}' | sed \
+	  -e "s/@CJDNS_ADMIN_PASSWORD@/$CJDNS_ADMIN_PASSWORD/g" \
+          -e "s/@CJDNS_PRIVATE_KEY@/$CJDNS_PRIVATE_KEY/g" \
+            | ${pkgs.cjdns}/bin/cjdroute
+      '';
 
       serviceConfig = {
         Type = "forking";
-	ExecStart = ''
-          ${pkgs.stdenv.shell} -c "${pkgs.cjdns}/sbin/cjdroute < ${cfg.confFile}"
-	'';
 	Restart = "on-failure";
       };
     };
+
+    system.activationScripts.cjdns = ''
+      grep -q "CJDNS_PRIVATE_KEY=" /etc/cjdns.keys || \
+        echo "CJDNS_PRIVATE_KEY=$(${pkgs.cjdns}/bin/makekey)" \
+	  >> /etc/cjdns.keys
+
+      grep -q "CJDNS_ADMIN_PASSWORD=" /etc/cjdns.keys || \
+        echo "CJDNS_ADMIN_PASSWORD=$(${pkgs.coreutils}/bin/head -c 96 /dev/urandom | ${pkgs.coreutils}/bin/tr -dc A-Za-z0-9)" \
+	  >> /etc/cjdns.keys
+
+      chmod 600 /etc/cjdns.keys
+    '';
+
+    assertions = [
+      { assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" );
+        message = "Neither cjdns.ETHInterface.bind nor cjdns.UDPInterface.bind defined.";
+      }
+      { assertion = config.networking.enableIPv6;
+        message = "networking.enableIPv6 must be enabled for CJDNS to work";
+      }
+    ];
+
   };
-}
+
+}

nixos/modules/services/networking/dhcpcd.nix

@@ -36,7 +36,7 @@ let
       # Ethernet cards used for bridging.  Likewise for vif* and tap*
       # (Xen) and virbr* and vnet* (libvirt) and c-* and ctmp-* (NixOS
       # containers).
-      denyinterfaces ${toString ignoredInterfaces} peth* vif* tap* tun* virbr* vnet* vboxnet* c-* ctmp-*
+      denyinterfaces ${toString ignoredInterfaces} lo peth* vif* tap* tun* virbr* vnet* vboxnet* c-* ctmp-*
 
       ${config.networking.dhcpcd.extraConfig}
     '';
@@ -44,17 +44,6 @@ let
   # Hook for emitting ip-up/ip-down events.
   exitHook = pkgs.writeText "dhcpcd.exit-hook"
     ''
-      #exec >> /var/log/dhcpcd 2>&1
-      #set -x
-
-      params="IFACE=$interface REASON=$reason"
-
-      # only works when interface is wireless and wpa_supplicant has a control socket
-      # but we allow it to fail silently
-      ${optionalString config.networking.wireless.enable ''
-        params+=" $(${pkgs.wpa_supplicant}/sbin/wpa_cli -i$interface status 2>/dev/null | grep ssid | sed 's|^b|B|;s|ssid|SSID|' | xargs)"
-      ''}
-
       if [ "$reason" = BOUND -o "$reason" = REBOOT ]; then
           # Restart ntpd.  We need to restart it to make sure that it
           # will actually do something: if ntpd cannot resolve the
@@ -109,7 +98,6 @@ in
       { description = "DHCP Client";
 
         wantedBy = [ "network.target" ];
-        after = [ "systemd-udev-settle.service" ]; # FIXME
 
         # Stopping dhcpcd during a reconfiguration is undesirable
         # because it brings down the network interfaces configured by
@@ -123,9 +111,8 @@ in
         serviceConfig =
           { Type = "forking";
             PIDFile = "/run/dhcpcd.pid";
-            ExecStart = "@${dhcpcd}/sbin/dhcpcd dhcpcd --config ${dhcpcdConf}";
+            ExecStart = "@${dhcpcd}/sbin/dhcpcd dhcpcd --quiet --config ${dhcpcdConf}";
             ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind";
-            StandardError = "null";
             Restart = "always";
           };
       };

nixos/modules/services/networking/ircd-hybrid/default.nix

@@ -66,7 +66,7 @@ in
 
       rsaKey = mkOption {
         default = null;
-        example = /root/certificates/irc.key;
+        example = literalExample "/root/certificates/irc.key";
         description = "
           IRCD server RSA key.
         ";
@@ -74,7 +74,7 @@ in
 
       certificate = mkOption {
         default = null;
-        example = /root/certificates/irc.pem;
+        example = literalExample "/root/certificates/irc.pem";
         description = "
           IRCD server SSL certificate. There are some limitations - read manual.
         ";

nixos/modules/services/networking/ntpd.nix

@@ -45,9 +45,10 @@ in
 
       servers = mkOption {
         default = [
-          "0.pool.ntp.org"
-          "1.pool.ntp.org"
-          "2.pool.ntp.org"
+          "0.nixos.pool.ntp.org"
+          "1.nixos.pool.ntp.org"
+          "2.nixos.pool.ntp.org"
+          "3.nixos.pool.ntp.org"
         ];
         description = ''
           The set of NTP servers from which to synchronise.

nixos/modules/services/networking/spiped.nix

@@ -7,161 +7,169 @@ let
 in
 {
   options = {
-    services.spiped = mkOption {
-      type = types.attrsOf (types.submodule (
-        {
-          options = {
-            encrypt = mkOption {
-              type    = types.bool;
-              default = false;
-              description = ''
-                Take unencrypted connections from the
-                <literal>source</literal> socket and send encrypted
-                connections to the <literal>target</literal> socket.
-              '';
-            };
+    services.spiped = {
+      enable = mkOption {
+        type        = types.bool;
+        default     = false;
+        description = "Enable the spiped service module.";
+      };
 
-            decrypt = mkOption {
-              type    = types.bool;
-              default = false;
-              description = ''
-                Take encrypted connections from the
-                <literal>source</literal> socket and send unencrypted
-                connections to the <literal>target</literal> socket.
-              '';
-            };
+      config = mkOption {
+        type = types.attrsOf (types.submodule (
+          {
+            options = {
+              encrypt = mkOption {
+                type    = types.bool;
+                default = false;
+                description = ''
+                  Take unencrypted connections from the
+                  <literal>source</literal> socket and send encrypted
+                  connections to the <literal>target</literal> socket.
+                '';
+              };
 
-            source = mkOption {
-              type    = types.str;
-              description = ''
-                Address on which spiped should listen for incoming
-                connections.  Must be in one of the following formats:
-                <literal>/absolute/path/to/unix/socket</literal>,
-                <literal>host.name:port</literal>,
-                <literal>[ip.v4.ad.dr]:port</literal> or
-                <literal>[ipv6::addr]:port</literal> - note that
-                hostnames are resolved when spiped is launched and are
-                not re-resolved later; thus if DNS entries change
-                spiped will continue to connect to the expired
-                address.
-              '';
-            };
+              decrypt = mkOption {
+                type    = types.bool;
+                default = false;
+                description = ''
+                  Take encrypted connections from the
+                  <literal>source</literal> socket and send unencrypted
+                  connections to the <literal>target</literal> socket.
+                '';
+              };
 
-            target = mkOption {
-              type    = types.str;
-              description = "Address to which spiped should connect.";
-            };
+              source = mkOption {
+                type    = types.str;
+                description = ''
+                  Address on which spiped should listen for incoming
+                  connections.  Must be in one of the following formats:
+                  <literal>/absolute/path/to/unix/socket</literal>,
+                  <literal>host.name:port</literal>,
+                  <literal>[ip.v4.ad.dr]:port</literal> or
+                  <literal>[ipv6::addr]:port</literal> - note that
+                  hostnames are resolved when spiped is launched and are
+                  not re-resolved later; thus if DNS entries change
+                  spiped will continue to connect to the expired
+                  address.
+                '';
+              };
 
-            keyfile = mkOption {
-              type    = types.path;
-              description = ''
-                Name of a file containing the spiped key. As the
-                daemon runs as the <literal>spiped</literal> user, the
-                key file must be somewhere owned by that user. By
-                default, we recommend putting the keys for any spipe
-                services in <literal>/var/lib/spiped</literal>.
-              '';
-            };
+              target = mkOption {
+                type    = types.str;
+                description = "Address to which spiped should connect.";
+              };
 
-            timeout = mkOption {
-              type = types.int;
-              default = 5;
-              description = ''
-                Timeout, in seconds, after which an attempt to connect to
-                the target or a protocol handshake will be aborted (and the
-                connection dropped) if not completed
-              '';
-            };
+              keyfile = mkOption {
+                type    = types.path;
+                description = ''
+                  Name of a file containing the spiped key. As the
+                  daemon runs as the <literal>spiped</literal> user, the
+                  key file must be somewhere owned by that user. By
+                  default, we recommend putting the keys for any spipe
+                  services in <literal>/var/lib/spiped</literal>.
+                '';
+              };
 
-            maxConns = mkOption {
-              type = types.int;
-              default = 100;
-              description = ''
-                Limit on the number of simultaneous connections allowed.
-              '';
-            };
+              timeout = mkOption {
+                type = types.int;
+                default = 5;
+                description = ''
+                  Timeout, in seconds, after which an attempt to connect to
+                  the target or a protocol handshake will be aborted (and the
+                  connection dropped) if not completed
+                '';
+              };
 
-            waitForDNS = mkOption {
-              type = types.bool;
-              default = false;
-              description = ''
-                Wait for DNS. Normally when <literal>spiped</literal> is
-                launched it resolves addresses and binds to its source
-                socket before the parent process returns; with this option
-                it will daemonize first and retry failed DNS lookups until
-                they succeed. This allows <literal>spiped</literal> to
-                launch even if DNS isn't set up yet, but at the expense of
-                losing the guarantee that once <literal>spiped</literal> has
-                finished launching it will be ready to create pipes.
-              '';
-            };
+              maxConns = mkOption {
+                type = types.int;
+                default = 100;
+                description = ''
+                  Limit on the number of simultaneous connections allowed.
+                '';
+              };
 
-            disableKeepalives = mkOption {
-              type = types.bool;
-              default = false;
-              description = "Disable transport layer keep-alives.";
-            };
+              waitForDNS = mkOption {
+                type = types.bool;
+                default = false;
+                description = ''
+                  Wait for DNS. Normally when <literal>spiped</literal> is
+                  launched it resolves addresses and binds to its source
+                  socket before the parent process returns; with this option
+                  it will daemonize first and retry failed DNS lookups until
+                  they succeed. This allows <literal>spiped</literal> to
+                  launch even if DNS isn't set up yet, but at the expense of
+                  losing the guarantee that once <literal>spiped</literal> has
+                  finished launching it will be ready to create pipes.
+                '';
+              };
 
-            weakHandshake = mkOption {
-              type = types.bool;
-              default = false;
-              description = ''
-                Use fast/weak handshaking: This reduces the CPU time spent
-                in the initial connection setup, at the expense of losing
-                perfect forward secrecy.
-              '';
-            };
+              disableKeepalives = mkOption {
+                type = types.bool;
+                default = false;
+                description = "Disable transport layer keep-alives.";
+              };
 
-            resolveRefresh = mkOption {
-              type = types.int;
-              default = 60;
-              description = ''
-                Resolution refresh time for the target socket, in seconds.
-              '';
-            };
+              weakHandshake = mkOption {
+                type = types.bool;
+                default = false;
+                description = ''
+                  Use fast/weak handshaking: This reduces the CPU time spent
+                  in the initial connection setup, at the expense of losing
+                  perfect forward secrecy.
+                '';
+              };
 
-            disableReresolution = mkOption {
-              type = types.bool;
-              default = false;
-              description = "Disable target address re-resolution.";
-            };
-          };
-        }
-      ));
+              resolveRefresh = mkOption {
+                type = types.int;
+                default = 60;
+                description = ''
+                  Resolution refresh time for the target socket, in seconds.
+                '';
+              };
 
-      default = {};
-
-      example = literalExample ''
-        {
-          pipe1 =
-            { keyfile = "/var/lib/spiped/pipe1.key";
-              encrypt = true;
-              source  = "localhost:6000";
-              target  = "endpoint.example.com:7000";
+              disableReresolution = mkOption {
+                type = types.bool;
+                default = false;
+                description = "Disable target address re-resolution.";
+              };
             };
-          pipe2 =
-            { keyfile = "/var/lib/spiped/pipe2.key";
-              decrypt = true;
-              source  = "0.0.0.0:7000";
-              target  = "localhost:3000";
-            };
-        }
-      '';
+          }
+        ));
 
-      description = ''
-        Configuration for a secure pipe daemon. The daemon can be
-        started, stopped, or examined using
-        <literal>systemctl</literal>, under the name
-        <literal>spiped@foo</literal>.
-      '';
+        default = {};
+
+        example = literalExample ''
+          {
+            pipe1 =
+              { keyfile = "/var/lib/spiped/pipe1.key";
+                encrypt = true;
+                source  = "localhost:6000";
+                target  = "endpoint.example.com:7000";
+              };
+            pipe2 =
+              { keyfile = "/var/lib/spiped/pipe2.key";
+                decrypt = true;
+                source  = "0.0.0.0:7000";
+                target  = "localhost:3000";
+              };
+          }
+        '';
+
+        description = ''
+          Configuration for a secure pipe daemon. The daemon can be
+          started, stopped, or examined using
+          <literal>systemctl</literal>, under the name
+          <literal>spiped@foo</literal>.
+        '';
+      };
     };
   };
 
-  config = {
+  config = mkIf cfg.enable {
     assertions = mapAttrsToList (name: c: {
       assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt);
       message   = "A pipe must either encrypt or decrypt";
-    }) cfg;
+    }) cfg.config;
 
     users.extraGroups.spiped.gid = config.ids.gids.spiped;
     users.extraUsers.spiped = {
@@ -189,7 +197,7 @@ in
       script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";
     };
 
-    system.activationScripts.spiped = optionalString (cfg != {})
+    system.activationScripts.spiped = optionalString (cfg.config != {})
       "mkdir -p /var/lib/spiped";
 
     # Setup spiped config files
@@ -207,6 +215,6 @@ in
             (if cfg.disableReresolution then "-R"
               else "-r ${toString cfg.resolveRefresh}")
           ];
-      }) cfg;
+      }) cfg.config;
   };
 }

nixos/modules/services/networking/wpa_supplicant.nix

@@ -46,9 +46,7 @@ in
         example = [ "wlan0" "wlan1" ];
         description = ''
           The interfaces <command>wpa_supplicant</command> will use.  If empty, it will
-          automatically use all wireless interfaces. (Note that auto-detection is currently
-          broken on Linux 3.4.x kernels. See http://github.com/NixOS/nixos/issues/10 for
-          further details.)
+          automatically use all wireless interfaces.
         '';
       };
 
@@ -92,11 +90,11 @@ in
 
     services.dbus.packages = [ pkgs.wpa_supplicant ];
 
+    # FIXME: start a separate wpa_supplicant instance per interface.
     jobs.wpa_supplicant =
       { description = "WPA Supplicant";
 
         wantedBy = [ "network.target" ];
-        after = [ "systemd-udev-settle.service" ];
 
         path = [ pkgs.wpa_supplicant ];
 
@@ -135,6 +133,12 @@ in
     assertions = [{ assertion = !cfg.userControlled.enable || cfg.interfaces != [];
                     message = "user controlled wpa_supplicant needs explicit networking.wireless.interfaces";}];
 
+    # Restart wpa_supplicant when a wlan device appears or disappears.
+    services.udev.extraRules =
+      ''
+        ACTION=="add|remove", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", RUN+="${config.systemd.package}/bin/systemctl try-restart wpa_supplicant.service"
+      '';
+
   };
 
 }

nixos/modules/services/printing/cupsd.nix

@@ -56,6 +56,15 @@ in
         '';
       };
 
+      listenAddresses = mkOption {
+        type = types.listOf types.str;
+        default = [ "127.0.0.1:631" ];
+        example = [ "*:631" ];
+        description = ''
+          A list of addresses and ports on which to listen.
+        '';
+      };
+
       bindirCmds = mkOption {
         type = types.lines;
         internal = true;
@@ -126,7 +135,8 @@ in
       { description = "CUPS Printing Daemon";
 
         wantedBy = [ "multi-user.target" ];
-        after = [ "network-interfaces.target" ];
+        wants = [ "network.target" ];
+        after = [ "network.target" ];
 
         path = [ cups ];
 
@@ -145,7 +155,7 @@ in
     services.printing.drivers =
       [ pkgs.cups pkgs.cups_pdf_filter pkgs.ghostscript additionalBackends
         pkgs.perl pkgs.coreutils pkgs.gnused pkgs.bc pkgs.gawk pkgs.gnugrep
-	];
+      ];
 
     services.printing.cupsdConf =
       ''
@@ -153,7 +163,9 @@ in
 
         SystemGroup root wheel
 
-        Listen localhost:631
+        ${concatMapStrings (addr: ''
+          Listen ${addr}
+        '') cfg.listenAddresses}
         Listen /var/run/cups/cups.sock
 
         # Note: we can't use ${cups}/etc/cups as the ServerRoot, since

nixos/modules/services/scheduling/cron.nix

@@ -91,12 +91,10 @@ in
 
     environment.systemPackages = [ cronNixosPkg ];
 
-    jobs.cron =
+    systemd.services.cron =
       { description = "Cron Daemon";
 
-        startOn = "startup";
-
-        path = [ cronNixosPkg ];
+        wantedBy = [ "multi-user.target" ];
 
         preStart =
           ''
@@ -109,7 +107,8 @@ in
             fi
           '';
 
-        exec = "cron -n";
+        restartTriggers = [ config.environment.etc.localtime.source ];
+        serviceConfig.ExecStart = "${cronNixosPkg}/sbin/cron -n";
       };
 
   };

nixos/modules/services/search/elasticsearch.nix

@@ -106,6 +106,7 @@ in {
       serviceConfig = {
         ExecStart = "${pkgs.elasticsearch}/bin/elasticsearch -f -Des.path.conf=${configDir}";
         User = "elasticsearch";
+        PermissionsStartOnly = true;
       };
       preStart = ''
         mkdir -m 0700 -p ${cfg.dataDir}

nixos/modules/services/system/nscd.nix

@@ -9,6 +9,8 @@ let
 
   inherit (pkgs.lib) singleton;
 
+  cfgFile = pkgs.writeText "nscd.conf" cfg.config;
+
 in
 
 {
@@ -63,7 +65,7 @@ in
         restartTriggers = [ config.environment.etc.hosts.source ];
 
         serviceConfig =
-          { ExecStart = "@${pkgs.glibc}/sbin/nscd nscd -f ${pkgs.writeText "nscd.conf" cfg.config}";
+          { ExecStart = "@${pkgs.glibc}/sbin/nscd nscd -f ${cfgFile}";
             Type = "forking";
             PIDFile = "/run/nscd/nscd.pid";
             Restart = "always";
@@ -73,6 +75,15 @@ in
                 "${pkgs.glibc}/sbin/nscd --invalidate hosts"
               ];
           };
+
+        # Urgggggh... Nscd forks before opening its socket and writing
+        # its pid. So wait until it's ready.
+        postStart =
+          ''
+            while ! ${pkgs.glibc}/sbin/nscd -g -f ${cfgFile} > /dev/null; do
+              sleep 0.2
+            done
+          '';
       };
 
   };

nixos/modules/services/ttys/gpm.nix

@@ -44,7 +44,8 @@ in
       { description = "Console Mouse Daemon";
 
         wantedBy = [ "multi-user.target" ];
-        requires = [ "getty.target" ];
+        requires = [ "dev-input-mice.device" ];
+        after = [ "dev-input-mice.device" ];
 
         serviceConfig.ExecStart = "@${pkgs.gpm}/sbin/gpm gpm -m /dev/input/mice -t ${cfg.protocol}";
         serviceConfig.Type = "forking";

nixos/modules/services/web-servers/apache-httpd/default.nix

@@ -206,16 +206,12 @@ let
       </Directory>
     '';
 
-    robotsTxt = pkgs.writeText "robots.txt" ''
-      ${# If this is a vhost, the include the entries for the main server as well.
-        if isMainServer then ""
-        else concatMapStrings (svc: svc.robotsEntries) mainSubservices}
-      ${concatMapStrings (svc: svc.robotsEntries) subservices}
-    '';
-
-    robotsConf = ''
-      Alias /robots.txt ${robotsTxt}
-    '';
+    robotsTxt =
+      concatStringsSep "\n" (filter (x: x != "") (
+        # If this is a vhost, the include the entries for the main server as well.
+        (if isMainServer then [] else [mainCfg.robotsEntries] ++ map (svc: svc.robotsEntries) mainSubservices)
+        ++ [cfg.robotsEntries]
+        ++ (map (svc: svc.robotsEntries) subservices)));
 
   in ''
     ServerName ${serverInfo.canonicalName}
@@ -243,7 +239,9 @@ let
       CustomLog ${mainCfg.logDir}/access_log-${cfg.hostName} ${cfg.logFormat}
     '' else ""}
 
-    ${robotsConf}
+    ${optionalString (robotsTxt != "") ''
+      Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt}
+    ''}
 
     ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""}
 
@@ -594,14 +592,14 @@ in
                      message = "SSL is enabled for HTTPD, but sslServerCert and/or sslServerKey haven't been specified."; }
                  ];
 
-    users.extraUsers = optionalAttrs (mainCfg.user == "wwwrun") singleton
+    users.extraUsers = optional (mainCfg.user == "wwwrun")
       { name = "wwwrun";
         group = "wwwrun";
         description = "Apache httpd user";
         uid = config.ids.uids.wwwrun;
       };
 
-    users.extraGroups = optionalAttrs (mainCfg.group == "wwwrun") singleton
+    users.extraGroups = optional (mainCfg.group == "wwwrun")
       { name = "wwwrun";
         gid = config.ids.gids.wwwrun;
       };

nixos/modules/services/web-servers/apache-httpd/per-server-options.nix

@@ -142,9 +142,19 @@ with lib;
     type = types.str;
     default = "common";
     example = "combined";
-    description = "
+    description = ''
       Log format for Apache's log files. Possible values are: combined, common, referer, agent.
-    ";
+    '';
+  };
+
+  robotsEntries = mkOption {
+    type = types.lines;
+    default = "";
+    example = "Disallow: /foo/";
+    description = ''
+      Specification of pages to be ignored by web crawlers. See <link
+      xlink:href='http://www.robotstxt.org/'/> for details.
+    '';
   };
 
 }

nixos/modules/services/web-servers/apache-httpd/trac.nix

@@ -8,8 +8,6 @@ let
   subversion = pkgs.subversion.override (origArgs: {
     bdbSupport = true;
     httpServer = true;
-    sslSupport = true;
-    compressionSupport = true;
     pythonBindings = true;
   });
 

nixos/modules/services/x11/desktop-managers/gnome3.nix

@@ -15,6 +15,16 @@ let
     in
       filter (x: !(builtins.elem (pkgName x) ysNames)) xs;
 
+  # Prioritize nautilus by default when opening directories
+  mimeAppsList = pkgs.writeTextFile {
+    name = "gnome-mimeapps";
+    destination = "/share/applications/mimeapps.list";
+    text = ''
+      [Default Applications]
+      inode/directory=nautilus.desktop
+    '';
+  };
+
 in {
 
   options = {
@@ -42,9 +52,11 @@ in {
     services.accounts-daemon.enable = true;
     services.gnome3.at-spi2-core.enable = true;
     services.gnome3.evolution-data-server.enable = true;
+    services.gnome3.gnome-documents.enable = mkDefault true;
     services.gnome3.gnome-keyring.enable = true;
     services.gnome3.gnome-online-accounts.enable = mkDefault true;
     services.gnome3.gnome-user-share.enable = mkDefault true;
+    services.gnome3.seahorse.enable = mkDefault true;
     services.gnome3.sushi.enable = mkDefault true;
     services.gnome3.tracker.enable = mkDefault true;
     hardware.pulseaudio.enable = mkDefault true;
@@ -52,7 +64,7 @@ in {
     networking.networkmanager.enable = true;
     services.upower.enable = config.powerManagement.enable;
 
-    fonts.extraFonts = [ pkgs.dejavu_fonts ];
+    fonts.fonts = [ pkgs.dejavu_fonts ];
 
     services.xserver.desktopManager.session = singleton
       { name = "gnome3";
@@ -66,7 +78,8 @@ in {
           export XDG_MENU_PREFIX=gnome
 
           # Don't let epiphany depend upon gnome-shell
-          export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${pkgs.gnome3.gnome_shell}/share/gsettings-schemas/${pkgs.gnome3.gnome_shell.name}
+          # Override default mimeapps
+          export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${pkgs.gnome3.gnome_shell}/share/gsettings-schemas/${pkgs.gnome3.gnome_shell.name}:${mimeAppsList}/share
 
           # Let gnome-control-center find gnome-shell search providers
           export GNOME_SEARCH_PROVIDERS_DIR=${config.system.path}/share/gnome-shell/search-providers/
@@ -87,6 +100,7 @@ in {
         pkgs.gtk3 # for gtk-update-icon-cache
         pkgs.ibus
         pkgs.shared_mime_info # for update-mime-database
+        gnome3.gvfs
         gnome3.dconf
         gnome3.gnome-backgrounds
         gnome3.gnome_control_center
@@ -117,6 +131,8 @@ in {
         gnome3.gnome-user-docs
 
         gnome3.file-roller
+        gnome3.gedit
+        gnome3.gnome-music
         gnome3.gnome-tweak-tool
       ] config.environment.gnome3.excludePackages);
 

nixos/modules/services/x11/display-managers/default.nix

@@ -169,7 +169,6 @@ in
 
       xserverBin = mkOption {
         type = types.path;
-        default = "${xorg.xorgserver}/bin/X";
         description = "Path to the X server used by display managers.";
       };
 
@@ -258,7 +257,7 @@ in
         environment = mkOption {
           type = types.attrsOf types.unspecified;
           default = {};
-          example = { SLIM_CFGFILE = /etc/slim.conf; };
+          example = literalExample "{ SLIM_CFGFILE = /etc/slim.conf; }";
           description = "Additional environment variables needed by the display manager.";
         };
 
@@ -278,4 +277,10 @@ in
 
   };
 
+  config = {
+
+    services.xserver.displayManager.xserverBin = "${xorg.xorgserver}/bin/X";
+
+  };
+
 }

nixos/modules/services/x11/display-managers/slim.nix

@@ -58,7 +58,7 @@ in
         default = null;
         example = literalExample ''
           pkgs.fetchurl {
-            url = http://download.berlios.de/slim/slim-wave.tar.gz;
+            url = "mirror://sourceforge/slim.berlios/slim-wave.tar.gz";
             sha256 = "0ndr419i5myzcylvxb89m9grl2xyq6fbnyc3lkd711mzlmnnfxdy";
           }
         '';
@@ -66,7 +66,7 @@ in
           The theme for the SLiM login manager.  If not specified, SLiM's
           default theme is used.  See <link
           xlink:href='http://slim.berlios.de/themes01.php'/> for a
-          collection of themes.
+          collection of themes. TODO: berlios shut down.
         '';
       };
 

nixos/modules/services/x11/terminal-server.nix

@@ -27,7 +27,7 @@ in
   config = {
 
     services.xserver.enable = true;
-    hardware.opengl.videoDrivers = [];
+    services.xserver.videoDrivers = [];
 
     # Enable KDM.  Any display manager will do as long as it supports XDMCP.
     services.xserver.displayManager.kdm.enable = true;

nixos/modules/services/x11/xserver.nix

@@ -11,30 +11,16 @@ let
   xorg = pkgs.xorg;
 
 
-  # Map video driver names to driver packages.
+  # Map video driver names to driver packages. FIXME: move into card-specific modules.
   knownVideoDrivers = {
     ati_unfree   = { modules = [ kernelPackages.ati_drivers_x11 ]; driverName = "fglrx"; };
     nouveau       = { modules = [ pkgs.xf86_video_nouveau ]; };
-    nvidia       = { modules = [ kernelPackages.nvidia_x11 ]; };
-    nvidiaLegacy173 = { modules = [ kernelPackages.nvidia_x11_legacy173 ]; driverName = "nvidia"; };
-    nvidiaLegacy304 = { modules = [ kernelPackages.nvidia_x11_legacy304 ]; driverName = "nvidia"; };
     unichrome    = { modules = [ pkgs.xorgVideoUnichrome ]; };
     virtualbox   = { modules = [ kernelPackages.virtualboxGuestAdditions ]; driverName = "vboxvideo"; };
     ati = { modules = [ pkgs.xorg.xf86videoati pkgs.xorg.glamoregl ]; };
     intel-testing = { modules = with pkgs.xorg; [ xf86videointel-testing glamoregl ]; driverName = "intel"; };
   };
 
-  driverNames = config.hardware.opengl.videoDrivers;
-
-  needsAcpid =
-     (elem "nvidia" driverNames) ||
-     (elem "nvidiaLegacy173" driverNames) ||
-     (elem "nvidiaLegacy304" driverNames);
-
-  drivers = flip map driverNames
-    (name: { inherit name; driverName = name; } //
-      attrByPath [name] (if (hasAttr ("xf86video" + name) xorg) then { modules = [(getAttr ("xf86video" + name) xorg) ]; } else throw "unknown video driver `${name}'") knownVideoDrivers);
-
   fontsForXServer =
     config.fonts.fonts ++
     # We don't want these fonts in fonts.conf, because then modern,
@@ -79,7 +65,6 @@ let
     monitors = foldl mkMonitor [] xrandrHeads;
   in concatMapStrings (getAttr "value") monitors;
 
-
   configFile = pkgs.stdenv.mkDerivation {
     name = "xserver.conf";
 
@@ -181,6 +166,18 @@ in
         '';
       };
 
+      videoDrivers = mkOption {
+        type = types.listOf types.str;
+        # !!! We'd like "nv" here, but it segfaults the X server.
+        default = [ "ati" "cirrus" "intel" "vesa" "vmware" ];
+        example = [ "vesa" ];
+        description = ''
+          The names of the video drivers the configuration
+          supports. They will be tried in order until one that
+          supports your card is found.
+        '';
+      };
+
       videoDriver = mkOption {
         type = types.nullOr types.str;
         default = null;
@@ -188,7 +185,16 @@ in
         description = ''
           The name of the video driver for your graphics card.  This
           option is obsolete; please set the
-          <option>hardware.opengl.videoDrivers</option> instead.
+          <option>services.xserver.videoDrivers</option> instead.
+        '';
+      };
+
+      drivers = mkOption {
+        type = types.listOf types.attrs;
+        internal = true;
+        description = ''
+          A list of attribute sets specifying drivers to be loaded by
+          the X11 server.
         '';
       };
 
@@ -385,8 +391,20 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
-    hardware.opengl.enable = true;
-    hardware.opengl.videoDrivers = mkIf (cfg.videoDriver != null) [ cfg.videoDriver ];
+
+    hardware.opengl.enable = mkDefault true;
+
+    services.xserver.videoDrivers = mkIf (cfg.videoDriver != null) [ cfg.videoDriver ];
+
+    # FIXME: somehow check for unknown driver names.
+    services.xserver.drivers = flip concatMap cfg.videoDrivers (name:
+      let driver =
+        attrByPath [name]
+          (if (hasAttr ("xf86video" + name) xorg)
+           then { modules = [(getAttr ("xf86video" + name) xorg) ]; }
+           else null)
+          knownVideoDrivers;
+      in optional (driver != null) ({ inherit name; driverName = name; } // driver));
 
     assertions =
       [ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent);
@@ -426,24 +444,18 @@ in
         pkgs.xterm
         pkgs.xdg_utils
       ]
-      ++ optional (elem "nvidia" driverNames) kernelPackages.nvidia_x11
-      ++ optional (elem "nvidiaLegacy173" driverNames) kernelPackages.nvidia_x11_legacy173
-      ++ optional (elem "nvidiaLegacy304" driverNames) kernelPackages.nvidia_x11_legacy304
-      ++ optional (elem "virtualbox" driverNames) xorg.xrefresh
-      ++ optional (elem "ati_unfree" driverNames) kernelPackages.ati_drivers_x11;
-
-    services.acpid.enable = mkIf needsAcpid true;
+      ++ optional (elem "virtualbox" cfg.videoDrivers) xorg.xrefresh
+      ++ optional (elem "ati_unfree" cfg.videoDrivers) kernelPackages.ati_drivers_x11;
 
     environment.pathsToLink =
       [ "/etc/xdg" "/share/xdg" "/share/applications" "/share/icons" "/share/pixmaps" ];
 
     systemd.defaultUnit = mkIf cfg.autorun "graphical.target";
 
-    systemd.services."display-manager" =
+    systemd.services.display-manager =
       { description = "X11 Server";
 
-        after = [ "systemd-udev-settle.service" "local-fs.target" ]
-                ++ optional needsAcpid "acpid.service";
+        after = [ "systemd-udev-settle.service" "local-fs.target" "acpid.service" ];
 
         restartIfChanged = false;
 
@@ -451,15 +463,11 @@ in
           { FONTCONFIG_FILE = "/etc/fonts/fonts.conf"; # !!! cleanup
             XKB_BINDIR = "${xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
             XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
-          } // optionalAttrs (elem "nvidia" driverNames) {
-            LD_LIBRARY_PATH = "${xorg.libX11}/lib:${xorg.libXext}/lib:${kernelPackages.nvidia_x11}/lib";
-          } // optionalAttrs (elem "nvidiaLegacy173" driverNames) {
-            LD_LIBRARY_PATH = "${xorg.libX11}/lib:${xorg.libXext}/lib:${kernelPackages.nvidia_x11_legacy173}/lib";
-          } // optionalAttrs (elem "nvidiaLegacy304" driverNames) {
-            LD_LIBRARY_PATH = "${xorg.libX11}/lib:${xorg.libXext}/lib:${kernelPackages.nvidia_x11_legacy304}/lib";
-          } // optionalAttrs (elem "ati_unfree" driverNames) {
-            LD_LIBRARY_PATH = "${xorg.libX11}/lib:${xorg.libXext}/lib:${kernelPackages.ati_drivers_x11}/lib:${kernelPackages.ati_drivers_x11}/X11R6/lib64/modules/linux";
-            #XORG_DRI_DRIVER_PATH = "${kernelPackages.ati_drivers_x11}/lib/dri"; # is ignored because ati drivers ship their own unpatched libglx.so !
+            LD_LIBRARY_PATH = concatStringsSep ":" (
+              [ "${xorg.libX11}/lib" "${xorg.libXext}/lib" ]
+              ++ optionals (elem "ati_unfree" cfg.videoDrivers)
+                [ "${kernelPackages.ati_drivers_x11}/lib" "${kernelPackages.ati_drivers_x11}/X11R6/lib64/modules/linux" ]
+              ++ concatLists (catAttrs "libPath" cfg.drivers));
           } // cfg.displayManager.job.environment;
 
         preStart =
@@ -489,7 +497,7 @@ in
       ] ++ optional (!cfg.enableTCP) "-nolisten tcp";
 
     services.xserver.modules =
-      concatLists (catAttrs "modules" drivers) ++
+      concatLists (catAttrs "modules" cfg.drivers) ++
       [ xorg.xorgserver
         xorg.xf86inputevdev
       ];
@@ -525,7 +533,7 @@ in
           ${cfg.serverLayoutSection}
           # Reference the Screen sections for each driver.  This will
           # cause the X server to try each in turn.
-          ${flip concatMapStrings drivers (d: ''
+          ${flip concatMapStrings cfg.drivers (d: ''
             Screen "Screen-${d.name}[0]"
           '')}
         EndSection
@@ -539,11 +547,11 @@ in
 
         # For each supported driver, add a "Device" and "Screen"
         # section.
-        ${flip concatMapStrings drivers (driver: ''
+        ${flip concatMapStrings cfg.drivers (driver: ''
 
           Section "Device"
             Identifier "Device-${driver.name}[0]"
-            Driver "${driver.driverName}"
+            Driver "${driver.driverName or driver.name}"
             ${if cfg.useGlamor then ''Option "AccelMethod" "glamor"'' else ""}
             ${cfg.deviceSection}
             ${xrandrDeviceSection}
@@ -562,10 +570,6 @@ in
               DefaultDepth ${toString cfg.defaultDepth}
             ''}
 
-            ${optionalString (driver.name == "nvidia") ''
-              Option "RandRRotation" "on"
-            ''}
-
             ${optionalString
                 (driver.name != "virtualbox" &&
                  (cfg.resolutions != [] ||

nixos/modules/system/activation/switch-to-configuration.pl

@@ -65,12 +65,12 @@ $SIG{PIPE} = "IGNORE";
 sub getActiveUnits {
     # FIXME: use D-Bus or whatever to query this, since parsing the
     # output of list-units is likely to break.
-    my $lines = `LANG= @systemd@/bin/systemctl list-units --full`;
+    my $lines = `LANG= systemctl list-units --full --no-legend`;
     my $res = {};
     foreach my $line (split '\n', $lines) {
         chomp $line;
         last if $line eq "";
-        $line =~ /^\*?\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s/ or next;
+        $line =~ /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s/ or next;
         next if $1 eq "UNIT";
         $res->{$1} = { load => $2, state => $3, substate => $4 };
     }
@@ -188,7 +188,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
                 if (boolIsTrue($unitInfo->{'X-ReloadIfChanged'} // "no")) {
                     write_file($reloadListFile, { append => 1 }, "$unit\n");
                 }
-                elsif (!boolIsTrue($unitInfo->{'X-RestartIfChanged'} // "yes")) {
+                elsif (!boolIsTrue($unitInfo->{'X-RestartIfChanged'} // "yes") || boolIsTrue($unitInfo->{'RefuseManualStop'} // "no") ) {
                     push @unitsToSkip, $unit;
                 } else {
                     # If this unit is socket-activated, then stop the
@@ -297,7 +297,7 @@ foreach my $device (keys %$prevSwaps) {
 if (scalar @unitsToStop > 0) {
     @unitsToStop = unique(@unitsToStop);
     print STDERR "stopping the following units: ", join(", ", sort(@unitsToStop)), "\n";
-    system("@systemd@/bin/systemctl", "stop", "--", @unitsToStop); # FIXME: ignore errors?
+    system("systemctl", "stop", "--", @unitsToStop); # FIXME: ignore errors?
 }
 
 print STDERR "NOT restarting the following units: ", join(", ", sort(@unitsToSkip)), "\n"

nixos/modules/system/boot/loader/grub/grub.nix

@@ -25,7 +25,7 @@ let
       inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries
         extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels timeout
-        default devices;
+        default devices explicitBootRoot;
       path = (makeSearchPath "bin" [
         pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils
       ]) + ":" + (makeSearchPath "sbin" [
@@ -209,6 +209,15 @@ in
         '';
       };
 
+      explicitBootRoot = mkOption {
+        default = "";
+        type = types.str;
+        description = ''
+          The relative path of /boot within the parent volume. Leave empty
+          if /boot is not a btrfs subvolume.
+        '';
+      };
+
     };
 
   };

nixos/modules/system/boot/loader/grub/install-grub.pl

@@ -39,6 +39,7 @@ my $configurationLimit = int(get("configurationLimit"));
 my $copyKernels = get("copyKernels") eq "true";
 my $timeout = int(get("timeout"));
 my $defaultEntry = int(get("default"));
+my $explicitBootRoot = get("explicitBootRoot");
 $ENV{'PATH'} = get("path");
 
 die "unsupported GRUB version\n" if $grubVersion != 1 && $grubVersion != 2;
@@ -61,6 +62,10 @@ if (stat("/")->dev != stat("/boot")->dev) {
     $copyKernels = 1;
 }
 
+if ($explicitBootRoot ne "") {
+    $bootRoot = $explicitBootRoot;
+}
+
 
 # Generate the header.
 my $conf .= "# Automatically generated.  DO NOT EDIT THIS FILE!\n";

nixos/modules/system/boot/loader/gummiboot/gummiboot.nix

@@ -54,6 +54,8 @@ in {
       }
     ];
 
+    boot.loader.grub.enable = mkDefault false;
+
     system = {
       build.installBootLoader = gummibootBuilder;
 

nixos/modules/system/boot/luksroot.nix

@@ -348,7 +348,7 @@ in
 
               options = {
                 device = mkOption {
-                  default = /dev/sda1;
+                  default = "/dev/sda1";
                   type = types.path;
                   description = ''
                     An unencrypted device that will temporarily be mounted in stage-1.

nixos/modules/system/boot/shutdown.nix

@@ -13,7 +13,7 @@ with lib;
 
       unitConfig = {
         DefaultDependencies = false;
-        ConditionVirtualization = "!systemd-nspawn";
+        ConditionPathExists = "/dev/rtc";
       };
 
       serviceConfig = {