Revert "liferea: 1.10.18 -> 1.12-rc2"

This reverts commit 73d9d2d577.

It was pushed here accidentially, I've meant 17.03.

.gitignore

@@ -12,7 +12,5 @@ result-*
 
 .DS_Store
 
-/pkgs/applications/kde-apps-*/tmp/
-/pkgs/development/libraries/kde-frameworks-*/tmp/
 /pkgs/development/libraries/qt-5/*/tmp/
-/pkgs/desktops/plasma-*/tmp/
+/pkgs/desktops/kde-5/*/tmp/

README.md

@@ -14,12 +14,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-15.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-16.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 
 ```
 % git remote update channels
-% git rebase channels/nixos-15.09
+% git rebase channels/nixos-16.03
 ```
 
 For pull-requests, please rebase onto nixpkgs `master`.
@@ -33,9 +33,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Nix Wiki](https://nixos.org/wiki/)
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 15.09 release](https://hydra.nixos.org/jobset/nixos/release-15.09)
+* [Continuous package builds for 16.03 release](https://hydra.nixos.org/jobset/nixos/release-16.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 15.09 release](https://hydra.nixos.org/job/nixos/release-15.09/tested#tabs-constituents)
+* [Tests for 16.03 release](https://hydra.nixos.org/job/nixos/release-16.03/tested#tabs-constituents)
 
 Communication:
 

doc/default.nix

@@ -27,6 +27,7 @@ stdenv.mkDerivation {
     in ''
       {
         pandoc '${inputFile}' -w docbook ${optionalString useChapters "--chapters"} \
+          --smart \
           | sed -e 's|<ulink url=|<link xlink:href=|' \
               -e 's|</ulink>|</link>|' \
               -e 's|<sect. id=|<section xml:id=|' \
@@ -63,9 +64,9 @@ stdenv.mkDerivation {
   + ''
     echo ${nixpkgsVersion} > .version
 
-    xmllint --noout --nonet --xinclude --noxincludenode \
-      --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
-      manual.xml
+    # validate against relaxng schema
+    xmllint --nonet --xinclude --noxincludenode manual.xml --output manual-full.xml
+    ${jing}/bin/jing ${docbook5}/xml/rng/docbook/docbook.rng manual-full.xml
 
     dst=$out/share/doc/nixpkgs
     mkdir -p $dst

doc/haskell-users-guide.md

@@ -117,9 +117,10 @@ Also, the attributes `haskell.compiler.ghcXYC` and
 
 ### How to install a compiler
 
-A simple development environment consists of a Haskell compiler and the tool
-`cabal-install`, and we saw in section [How to install Haskell packages] how
-you can install those programs into your user profile:
+A simple development environment consists of a Haskell compiler and one or both
+of the tools `cabal-install` and `stack`. We saw in section
+[How to install Haskell packages] how you can install those programs into your
+user profile:
 
     $ nix-env -f "<nixpkgs>" -iA haskellPackages.ghc haskellPackages.cabal-install
 
@@ -148,10 +149,16 @@ version; just enter the Nix shell environment with the command
 
     $ nix-shell -p haskell.compiler.ghc784
 
-to bring GHC 7.8.4 into `$PATH`. Re-running `cabal configure` switches your
-build to use that compiler instead. If you're working on a project that doesn't
-depend on any additional system libraries outside of GHC, then it's sufficient
-even to run the `cabal configure` command inside of the shell:
+to bring GHC 7.8.4 into `$PATH`. Alternatively, you can use Stack instead of
+`nix-shell` directly to select compiler versions and other build tools
+per-project. It uses `nix-shell` under the hood when Nix support is turned on.
+See [How to build a Haskell project using Stack].
+
+If you're using `cabal-install`, re-running `cabal configure` inside the spawned
+shell switches your build to use that compiler instead. If you're working on
+a project that doesn't depend on any additional system libraries outside of GHC,
+then it's even sufficient to just run the `cabal configure` command inside of
+the shell:
 
     $ nix-shell -p haskell.compiler.ghc784 --command "cabal configure"
 
@@ -320,6 +327,58 @@ security reasons, which might be quite an inconvenience. See [this
 page](http://kb.mozillazine.org/Links_to_local_pages_do_not_work) for
 workarounds.
 
+### How to build a Haskell project using Stack
+
+[Stack][http://haskellstack.org] is a popular build tool for Haskell projects.
+It has first-class support for Nix. Stack can optionally use Nix to
+automatically select the right version of GHC and other build tools to build,
+test and execute apps in an existing project downloaded from somewhere on the
+Internet. Pass the `--nix` flag to any `stack` command to do so, e.g.
+
+    $ git clone --recursive http://github.com/yesodweb/wai
+    $ cd wai
+    $ stack --nix build
+
+If you want `stack` to use Nix by default, you can add a `nix` section to the
+`stack.yaml` file, as explained in the [Stack documentation][stack-nix-doc]. For
+example:
+
+    nix:
+      enable: true
+      packages: [pkgconfig zeromq zlib]
+
+The example configuration snippet above tells Stack to create an ad hoc
+environment for `nix-shell` as in the below section, in which the `pkgconfig`,
+`zeromq` and `zlib` packages from Nixpkgs are available. All `stack` commands
+will implicitly be executed inside this ad hoc environment.
+
+Some projects have more sophisticated needs. For examples, some ad hoc
+environments might need to expose Nixpkgs packages compiled in a certain way, or
+with extra environment variables. In these cases, you'll need a `shell` field
+instead of `packages`:
+
+    nix:
+      enable: true
+      shell-file: shell.nix
+
+For more on how to write a `shell.nix` file see the below section. You'll need
+to express a derivation. Note that Nixpkgs ships with a convenience wrapper
+function around `mkDerivation` called `haskell.lib.buildStackProject` to help you
+create this derivation in exactly the way Stack expects. All of the same inputs
+as `mkDerivation` can be provided. For example, to build a Stack project that
+including packages that link against a version of the R library compiled with
+special options turned on:
+
+    with (import <nixpkgs> { });
+
+    let R = pkgs.R.override { enableStrictBarrier = true; };
+    in
+	haskell.lib.buildStackProject {
+      name = "HaskellR";
+	  buildInputs = [ R zeromq zlib ];
+    }
+
+[stack-nix-doc]: http://docs.haskellstack.org/en/stable/nix_integration.html
 
 ### How to create ad hoc environments for `nix-shell`
 
@@ -577,7 +636,7 @@ then you have to download and re-install `foo` and all its dependents from
 scratch:
 
     # nix-store -q --referrers /nix/store/*-haskell-text-1.2.0.4 \
-      | xargs -L 1 nix-store --repair-path --option binary-caches http://hydra.nixos.org
+      | xargs -L 1 nix-store --repair-path
 
 If you're using additional Hydra servers other than `hydra.nixos.org`, then it
 might be necessary to purge the local caches that store data from those
@@ -605,7 +664,7 @@ can configure the environment variables
 
 in their `~/.bashrc` file to avoid the compiler error.
 
-### Using Stack together with Nix
+### Builds using Stack complain about missing system libraries
 
     --  While building package zlib-0.5.4.2 using:
       runhaskell -package=Cabal-1.22.4.0 -clear-package-db [... lots of flags ...]
@@ -633,13 +692,16 @@ means specific to Stack: you'll have that problem with any other
 Haskell package that's built inside of nix-shell but run outside of that
 environment.
 
-I suppose we could try to remedy the issue by wrapping `stack` or
-`cabal` with a script that tries to find those kind of implicit search
-paths and makes them explicit on the "cabal configure" command line. I
-don't think anyone is working on that subject yet, though, because the
-problem doesn't seem so bad in practice.
+You can remedy this issue in several ways. The easiest is to add a `nix` section
+to the `stack.yaml` like the following:
 
-You can remedy that issue in several ways. First of all, run
+    nix:
+      enable: true
+	  packages: [ zlib ]
+
+Stack's Nix support knows to add `${zlib}/lib` and `${zlib}/include` as an
+`--extra-lib-dirs` and `extra-include-dirs`, respectively. Alternatively, you
+can achieve the same effect by hand. First of all, run
 
     $ nix-build --no-out-link "<nixpkgs>" -A zlib
     /nix/store/alsvwzkiw4b7ip38l4nlfjijdvg3fvzn-zlib-1.2.8
@@ -663,7 +725,8 @@ to find out the store path of the system's zlib library. Now, you can
    Typically, you'll need --extra-include-dirs as well. It's possible
    to add those flag to the project's "stack.yaml" or your user's
    global "~/.stack/global/stack.yaml" file so that you don't have to
-   specify them manually every time.
+   specify them manually every time. But again, you're likely better off using
+   Stack's Nix support instead.
 
    The same thing applies to `cabal configure`, of course, if you're
    building with `cabal-install` instead of Stack.

doc/introduction.md

@@ -6,13 +6,14 @@ date: 2015-11-25
 
 # Introduction
 
-The Nix Packages collection (Nixpkgs) is a set of over 30,000 packages for the
-[Nix package manager](http://nixos.org/nix/), released under a [permissive MIT/X11 license](https://github.com/NixOS/nixpkgs/blob/master/COPYING).
-Packages are available for several architectures, and can be used with the Nix package manager
-on most GNU/Linux distributions as well as NixOS.
+The Nix Packages collection (Nixpkgs) is a set of thousands of packages for the
+[Nix package manager](http://nixos.org/nix/), released under a
+[permissive MIT/X11 license](https://github.com/NixOS/nixpkgs/blob/master/COPYING).
+Packages are available for several platforms, and can be used with the Nix
+package manager on most GNU/Linux distributions as well as NixOS.
 
-This manual describes how to write packages for the Nix Packages collection
-(Nixpkgs). Thus it’s for packagers and developers who want to add packages to
+This manual primarily describes how to write packages for the Nix Packages collection
+(Nixpkgs). Thus it’s mainly for packagers and developers who want to add packages to
 Nixpkgs. If you like to learn more about the Nix package manager and the Nix
 expression language, then you are kindly referred to the [Nix manual](http://nixos.org/nix/manual/).
 
@@ -20,29 +21,33 @@ expression language, then you are kindly referred to the [Nix manual](http://nix
 
 Nix expressions describe how to build packages from source and are collected in
 the [nixpkgs repository](https://github.com/NixOS/nixpkgs). Also included in the
-collection are Nix expressions for [NixOS modules](http://nixos.org/nixos/manual/index.html#sec-writing-modules). With
-these expressions the Nix package manager can build binary packages.
+collection are Nix expressions for
+[NixOS modules](http://nixos.org/nixos/manual/index.html#sec-writing-modules).
+With these expressions the Nix package manager can build binary packages.
 
 Packages, including the Nix packages collection, are distributed through
 [channels](http://nixos.org/nix/manual/#sec-channels). The collection is
 distributed for users of Nix on non-NixOS distributions through the channel
 `nixpkgs`. Users of NixOS generally use one of the `nixos-*` channels, e.g.
-`nixos-15.09`, which includes all packages and modules for the stable NixOS
-15.09. The channels of the stable NixOS releases are generally only given
+`nixos-16.03`, which includes all packages and modules for the stable NixOS
+16.03. The purpose of stable NixOS releases are generally only given
 security updates. More up to date packages and modules are available via the
 `nixos-unstable` channel.
 
 Both `nixos-unstable` and `nixpkgs` follow the `master` branch of the Nixpkgs
-repository, although both do lag the `master` branch by generally [a couple of days](http://howoldis.herokuapp.com/). Updates to a channel are distributed as
-soon as all tests for that channel pass, e.g. [this table](http://hydra.nixos.org/job/nixpkgs/trunk/unstable#tabs-constituents)
+repository, although both do lag the `master` branch by generally
+[a couple of days](http://howoldis.herokuapp.com/). Updates to a channel are
+distributed as soon as all tests for that channel pass, e.g.
+[this table](http://hydra.nixos.org/job/nixpkgs/trunk/unstable#tabs-constituents)
 shows the status of tests for the `nixpkgs` channel.
 
 The tests are conducted by a cluster called [Hydra](http://nixos.org/hydra/),
-which also builds binary packages from the Nix expressions in Nixpkgs. As soon
-as a channel is updated, the binaries are made available via a [binary cache](https://cache.nixos.org). Until the channel updates, binaries that have
-already been built, are available via [Hydra's binary cache](https://hydra.nixos.org).
+which also builds binary packages from the Nix expressions in Nixpkgs for
+`x86_64-linux`, `i686-linux` and `x86_64-darwin`.
+The binaries are made available via a [binary cache](https://cache.nixos.org).
 
 The current Nix expressions of the channels are available in the
 [`nixpkgs-channels`](https://github.com/NixOS/nixpkgs-channels) repository,
 which has branches corresponding to the available channels. There is also the
-Nixpkgs Monitor which keeps track of updates and security vulnerabilities.
+[Nixpkgs Monitor](http://monitor.nixos.org) which keeps track of updates
+and security vulnerabilities.

doc/languages-frameworks/index.xml

@@ -23,6 +23,7 @@ such as Perl or Haskell.  These are described in this chapter.</para>
 <xi:include href="idris.xml" /> <!-- generated from ../../pkgs/development/idris-modules/README.md  -->
 <xi:include href="r.xml" /> <!-- generated from ../../pkgs/development/r-modules/README.md  -->
 <xi:include href="qt.xml" />
+<xi:include href="texlive.xml" />
 
 
 <!--

doc/languages-frameworks/ruby.xml

@@ -30,7 +30,7 @@ bundlerEnv {
 
   meta = with lib; {
     description = "A monitoring framework that aims to be simple, malleable,
-and scalable.";
+and scalable";
     homepage    = http://sensuapp.org/;
     license     = with licenses; mit;
     maintainers = with maintainers; [ theuni ];

doc/languages-frameworks/texlive.xml

@@ -0,0 +1,59 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xml:id="sec-language-texlive">
+
+<title>TeX Live</title>
+
+<para>Since release 15.09 there is a new TeX Live packaging that lives entirely under attribute <varname>texlive</varname>.</para>
+<section><title>User's guide</title>
+  <itemizedlist>
+    <listitem><para>
+      For basic usage just pull <varname>texlive.combined.scheme-basic</varname> for an environment with basic LaTeX support.</para></listitem>
+    <listitem><para>
+      It typically won't work to use separately installed packages together.
+      Instead, you can build a custom set of packages like this:
+      <programlisting>
+texlive.combine {
+  inherit (texlive) scheme-small collection-langkorean algorithms cm-super;
+}
+      </programlisting>
+      There are all the schemes, collections and a few thousand packages, as defined upstream (perhaps with tiny differences).
+    </para></listitem>
+    <listitem><para>
+      By default you only get executables and files needed during runtime, and a little documentation for the core packages.  To change that, you need to add <varname>pkgFilter</varname> function to <varname>combine</varname>.
+      <programlisting>
+texlive.combine {
+  # inherit (texlive) whatever-you-want;
+  pkgFilter = pkg:
+    pkg.tlType == "run" || pkg.tlType == "bin" || pkg.pname == "cm-super";
+  # elem tlType [ "run" "bin" "doc" "source" ]
+  # there are also other attributes: version, name
+}
+      </programlisting>
+    </para></listitem>
+    <listitem><para>
+      You can list packages e.g. by <command>nix-repl</command>.
+      <programlisting>
+$ nix-repl
+nix-repl> texlive.collection-&lt;TAB>
+      </programlisting>
+    </para></listitem>
+  </itemizedlist>
+</section>
+
+<section><title>Known problems</title>
+  <itemizedlist>
+    <listitem><para>
+      Some tools are still missing, e.g. luajittex;</para></listitem>
+    <listitem><para>
+      some apps aren't packaged/tested yet (asymptote, biber, etc.);</para></listitem>
+    <listitem><para>
+      feature/bug: when a package is rejected by <varname>pkgFilter</varname>, its dependencies are still propagated;</para></listitem>
+    <listitem><para>
+      in case of any bugs or feature requests, file a github issue or better a pull request and /cc @vcunat.</para></listitem>
+  </itemizedlist>
+</section>
+
+
+</section>
+

lib/lists.nix

@@ -67,7 +67,7 @@ rec {
   # == [1 2 3 4 5]' and `flatten 1 == [1]'.
   flatten = x:
     if isList x
-    then foldl' (x: y: x ++ (flatten y)) [] x
+    then concatMap (y: flatten y) x
     else [x];
 
 
@@ -139,12 +139,12 @@ rec {
 
   # Partition the elements of a list in two lists, `right' and
   # `wrong', depending on the evaluation of a predicate.
-  partition = pred:
+  partition = builtins.partition or (pred:
     fold (h: t:
       if pred h
       then { right = [h] ++ t.right; wrong = t.wrong; }
       else { right = t.right; wrong = [h] ++ t.wrong; }
-    ) { right = []; wrong = []; };
+    ) { right = []; wrong = []; });
 
 
   zipListsWith =

lib/maintainers.nix

@@ -10,6 +10,7 @@
   aaronschif = "Aaron Schif <aaronschif@gmail.com>";
   abaldeau = "Andreas Baldeau <andreas@baldeau.net>";
   abbradar = "Nikolay Amiantov <ab@fmap.me>";
+  abuibrahim = "Ruslan Babayev <ruslan@babayev.com>";
   adev = "Adrien Devresse <adev@adev.name>";
   aespinosa = "Allan Espinosa <allan.espinosa@outlook.com>";
   aflatter = "Alexander Flatter <flatter@fastmail.fm>";
@@ -32,6 +33,7 @@
   ardumont = "Antoine R. Dumont <eniotna.t@gmail.com>";
   aristid = "Aristid Breitkreuz <aristidb@gmail.com>";
   arobyn = "Alexei Robyn <shados@shados.net>";
+  artuuge = "Artur E. Ruuge <artuuge@gmail.com>";
   asppsa = "Alastair Pharo <asppsa@gmail.com>";
   astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
   aszlig = "aszlig <aszlig@redmoonstudios.org>";
@@ -67,6 +69,7 @@
   chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
   chattered = "Phil Scott <me@philscotted.com>";
   christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
+  cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
   coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
   codsl = "codsl <codsl@riseup.net>";
   codyopel = "Cody Opel <codyopel@gmail.com>";
@@ -135,6 +138,7 @@
   globin = "Robin Gloster <mail@glob.in>";
   goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
   Gonzih = "Max Gonzih <gonzih@gmail.com>";
+  grahamc = "Graham Christensen <graham@grahamc.com>";
   gridaphobe = "Eric Seidel <eric@seidel.io>";
   guibert = "David Guibert <david.guibert@gmail.com>";
   havvy = "Ryan Scheel <ryan.havvy@gmail.com>";
@@ -148,7 +152,6 @@
   iElectric = "Domen Kozar <domen@dev.si>";
   igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
   ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
-  iyzsong = "Song Wenwu <iyzsong@gmail.com>";
   j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
   jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
   javaguirre = "Javier Aguirre <contacto@javaguirre.net>";
@@ -163,7 +166,9 @@
   joamaki = "Jussi Maki <joamaki@gmail.com>";
   joelmo = "Joel Moberg <joel.moberg@gmail.com>";
   joelteon = "Joel Taylor <me@joelt.io>";
+  joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
   jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
+  jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
   jwiegley = "John Wiegley <johnw@newartisans.com>";
   jwilberding = "Jordan Wilberding <jwilberding@afiniate.com>";
   jzellner = "Jeff Zellner <jeffz@eml.cc>";
@@ -249,6 +254,7 @@
   palo = "Ingolf Wanger <palipalo9@googlemail.com>";
   pashev = "Igor Pashev <pashev.igor@gmail.com>";
   pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
+  peterhoeg = "Peter Hoeg <peter@hoeg.com>";
   philandstuff = "Philip Potter <philip.g.potter@gmail.com>";
   phile314 = "Philipp Hausmann <nix@314.ch>";
   Phlogistique = "Noé Rubinstein <noe.rubinstein@gmail.com>";
@@ -264,11 +270,15 @@
   pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
   prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
   profpatsch = "Profpatsch <mail@profpatsch.de>";
+  proglodyte = "Proglodyte <proglodyte23@gmail.com>";
+  pshendry = "Paul Hendry <paul@pshendry.com>";
   psibi = "Sibi <sibi@psibi.in>";
   pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
   puffnfresh = "Brian McKenna <brian@brianmckenna.org>";
+  pxc = "Patrick Callahan <patrick.callahan@latitudeengineering.com>";
   qknight = "Joachim Schiele <js@lastlog.de>";
   ragge = "Ragnar Dahlen <r.dahlen@gmail.com>";
+  ralith = "Benjamin Saunders <ben.e.saunders@gmail.com>";
   raskin = "Michael Raskin <7c6f434c@mail.ru>";
   redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
   refnil = "Martin Lavoie <broemartino@gmail.com>";
@@ -277,7 +287,7 @@
   rick68 = "Wei-Ming Yang <rick68@gmail.com>";
   rickynils = "Rickard Nilsson <rickynils@gmail.com>";
   rnhmjoj = "Michele Guerini Rocco <micheleguerinirocco@me.com>";
-  rob = "Rob Vermaas <rob.vermaas@gmail.com>";
+  rbvermaa = "Rob Vermaas <rob.vermaas@gmail.com>";
   robberer = "Longrin Wischnewski <robberer@freakmail.de>";
   robbinch = "Robbin C. <robbinch33@gmail.com>";
   robgssp = "Rob Glossop <robgssp@gmail.com>";
@@ -294,6 +304,7 @@
   schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
   schristo = "Scott Christopher <schristopher@konputa.com>";
   sepi = "Raffael Mancini <raffael@mancini.lu>";
+  sheenobu = "Sheena Artrip <sheena.artrip@gmail.com>";
   sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
   shell = "Shell Turner <cam.turn@gmail.com>";
   shlevy = "Shea Levy <shea@shealevy.com>";
@@ -346,6 +357,7 @@
   vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
   vmandela = "Venkateswara Rao Mandela <venkat.mandela@gmail.com>";
   vozz = "Oliver Hunt <oliver.huntuk@gmail.com>";
+  vrthra = "Rahul Gopinath <rahul@gopinath.org>";
   wedens = "wedens <kirill.wedens@gmail.com>";
   willtim = "Tim Philip Williams <tim.williams.public@gmail.com>";
   winden = "Antonio Vargas Gonzalez <windenntw@gmail.com>";

lib/trivial.nix

@@ -69,7 +69,7 @@ rec {
     + (if pathExists suffixFile then readFile suffixFile else "pre-git");
 
   # Whether we're being called by nix-shell.
-  inNixShell = builtins.getEnv "IN_NIX_SHELL" == "1";
+  inNixShell = builtins.getEnv "IN_NIX_SHELL" != "";
 
   # Return minimum/maximum of two numbers.
   min = x: y: if x < y then x else y;

lib/types.nix

@@ -114,13 +114,17 @@ rec {
       name = "list of ${elemType.name}s";
       check = isList;
       merge = loc: defs:
-        map (x: x.value) (filter (x: x ? value) (concatLists (imap (n: def: imap (m: def':
-            (mergeDefinitions
-              (loc ++ ["[definition ${toString n}-entry ${toString m}]"])
-              elemType
-              [{ inherit (def) file; value = def'; }]
-            ).optionalValue
-          ) def.value) defs)));
+        map (x: x.value) (filter (x: x ? value) (concatLists (imap (n: def:
+          if isList def.value then
+            imap (m: def':
+              (mergeDefinitions
+                (loc ++ ["[definition ${toString n}-entry ${toString m}]"])
+                elemType
+                [{ inherit (def) file; value = def'; }]
+              ).optionalValue
+            ) def.value
+          else
+            throw "The option value `${showOption loc}' in `${def.file}' is not a list.") defs)));
       getSubOptions = prefix: elemType.getSubOptions (prefix ++ ["*"]);
       getSubModules = elemType.getSubModules;
       substSubModules = m: listOf (elemType.substSubModules m);

maintainers/scripts/copy-tarballs.pl

@@ -5,7 +5,7 @@
 # content-addressed cache used by fetchurl as a fallback for when
 # upstream tarballs disappear or change. Usage:
 #
-# 1) To upload a single file:
+# 1) To upload one or more files:
 #
 #    $ copy-tarballs.pl --file /path/to/tarball.tar.gz
 #
@@ -22,9 +22,38 @@ use JSON;
 use Net::Amazon::S3;
 use Nix::Store;
 
+isValidPath("/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo"); # FIXME: forces Nix::Store initialisation
+
+sub usage {
+    die "Syntax: $0 [--dry-run] [--exclude REGEXP] [--expr EXPR | --file FILES...]\n";
+}
+
+my $dryRun = 0;
+my $expr;
+my @fileNames;
+my $exclude;
+
+while (@ARGV) {
+    my $flag = shift @ARGV;
+
+    if ($flag eq "--expr") {
+        $expr = shift @ARGV or die "--expr requires an argument";
+    } elsif ($flag eq "--file") {
+        @fileNames = @ARGV;
+        last;
+    } elsif ($flag eq "--dry-run") {
+        $dryRun = 1;
+    } elsif ($flag eq "--exclude") {
+        $exclude = shift @ARGV or die "--exclude requires an argument";
+    } else {
+        usage();
+    }
+}
+
+
 # S3 setup.
-my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'} or die;
-my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'} or die;
+my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'} or die "AWS_ACCESS_KEY_ID not set\n";
+my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'} or die "AWS_SECRET_ACCESS_KEY not set\n";
 
 my $s3 = Net::Amazon::S3->new(
     { aws_access_key_id     => $aws_access_key_id,
@@ -34,12 +63,15 @@ my $s3 = Net::Amazon::S3->new(
 
 my $bucket = $s3->bucket("nixpkgs-tarballs") or die;
 
-my $cacheFile = "/tmp/copy-tarballs-cache";
+my $doWrite = 0;
+my $cacheFile = ($ENV{"HOME"} or die "\$HOME is not set") . "/.cache/nix/copy-tarballs";
 my %cache;
 $cache{$_} = 1 foreach read_file($cacheFile, err_mode => 'quiet', chomp => 1);
+$doWrite = 1;
 
 END() {
-    write_file($cacheFile, map { "$_\n" } keys %cache);
+    File::Path::mkpath(dirname($cacheFile), 0, 0755);
+    write_file($cacheFile, map { "$_\n" } keys %cache) if $doWrite;
 }
 
 sub alreadyMirrored {
@@ -84,11 +116,9 @@ sub uploadFile {
     $cache{$mainKey} = 1;
 }
 
-my $op = shift @ARGV;
-
-if ($op eq "--file") {
+if (scalar @fileNames) {
     my $res = 0;
-    foreach my $fn (@ARGV) {
+    foreach my $fn (@fileNames) {
         eval {
             if (alreadyMirrored("sha512", hashFile("sha512", 0, $fn))) {
                 print STDERR "$fn is already mirrored\n";
@@ -97,17 +127,16 @@ if ($op eq "--file") {
             }
         };
         if ($@) {
-            warn "$@\n";
+            warn "$@";
             $res = 1;
         }
     }
     exit $res;
 }
 
-elsif ($op eq "--expr") {
+elsif (defined $expr) {
 
     # Evaluate find-tarballs.nix.
-    my $expr = $ARGV[0] // die "$0: --expr requires a Nix expression\n";
     my $pid = open(JSON, "-|", "nix-instantiate", "--eval", "--json", "--strict",
                    "<nixpkgs/maintainers/scripts/find-tarballs.nix>",
                    "--arg", "expr", $expr);
@@ -123,10 +152,11 @@ elsif ($op eq "--expr") {
     # Check every fetchurl call discovered by find-tarballs.nix.
     my $mirrored = 0;
     my $have = 0;
-    foreach my $fetch (@{$fetches}) {
+    foreach my $fetch (sort { $a->{url} cmp $b->{url} } @{$fetches}) {
         my $url = $fetch->{url};
         my $algo = $fetch->{type};
         my $hash = $fetch->{hash};
+        my $name = $fetch->{name};
 
         if (defined $ENV{DEBUG}) {
             print "$url $algo $hash\n";
@@ -138,26 +168,44 @@ elsif ($op eq "--expr") {
             next;
         }
 
+        next if defined $exclude && $url =~ /$exclude/;
+
         if (alreadyMirrored($algo, $hash)) {
             $have++;
             next;
         }
 
-        print STDERR "mirroring $url...\n";
+        my $storePath = makeFixedOutputPath(0, $algo, $hash, $name);
 
-        next if $ENV{DRY_RUN};
+        print STDERR "mirroring $url ($storePath)...\n";
 
-        # Download the file using nix-prefetch-url.
-        $ENV{QUIET} = 1;
-        $ENV{PRINT_PATH} = 1;
-        my $fh;
-        my $pid = open($fh, "-|", "nix-prefetch-url", "--type", $algo, $url, $hash) or die;
-        waitpid($pid, 0) or die;
-        if ($? != 0) {
-            print STDERR "failed to fetch $url: $?\n";
+        if ($dryRun) {
+            $mirrored++;
             next;
         }
-        <$fh>; my $storePath = <$fh>; chomp $storePath;
+
+        # Substitute the output.
+        if (!isValidPath($storePath)) {
+            system("nix-store", "-r", $storePath);
+        }
+
+        # Otherwise download the file using nix-prefetch-url.
+        if (!isValidPath($storePath)) {
+            $ENV{QUIET} = 1;
+            $ENV{PRINT_PATH} = 1;
+            my $fh;
+            my $pid = open($fh, "-|", "nix-prefetch-url", "--type", $algo, $url, $hash) or die;
+            waitpid($pid, 0) or die;
+            if ($? != 0) {
+                print STDERR "failed to fetch $url: $?\n";
+                next;
+            }
+            <$fh>; my $storePath2 = <$fh>; chomp $storePath2;
+            if ($storePath ne $storePath2) {
+                warn "strange: $storePath != $storePath2\n";
+                next;
+            }
+        }
 
         uploadFile($storePath, $url);
         $mirrored++;
@@ -167,5 +215,5 @@ elsif ($op eq "--expr") {
 }
 
 else {
-    die "Syntax: $0 --file FILENAMES... | --expr EXPR\n";
+    usage();
 }

maintainers/scripts/find-tarballs.nix

@@ -14,12 +14,12 @@ let
     operator = const [ ];
   });
 
-  urls = map (drv: { url = head drv.urls; hash = drv.outputHash; type = drv.outputHashAlgo; }) fetchurlDependencies;
+  urls = map (drv: { url = head (drv.urls or [ drv.url ]); hash = drv.outputHash; type = drv.outputHashAlgo; name = drv.name; }) fetchurlDependencies;
 
   fetchurlDependencies =
     filter
       (drv: drv.outputHash or "" != "" && drv.outputHashMode or "flat" == "flat"
-          && drv.postFetch or "" == "" && drv ? urls)
+          && drv.postFetch or "" == "" && (drv ? url || drv ? urls))
       dependencies;
 
   dependencies = map (x: x.value) (genericClosure {

maintainers/scripts/nix-generate-from-cpan.pl

@@ -279,7 +279,7 @@ sub get_deps {
         next if $n eq "perl";
 
         # Hacky way to figure out if this module is part of Perl.
-        if ( $n !~ /^JSON/ && $n !~ /^YAML/ && $n !~ /^Module::Pluggable/ ) {
+        if ( $n !~ /^JSON/ && $n !~ /^YAML/ && $n !~ /^Module::Pluggable/  && $n !~ /^if$/ ) {
             eval "use $n;";
             if ( !$@ ) {
                 DEBUG("skipping Perl-builtin module $n");
@@ -431,7 +431,7 @@ my $build_fun = -e "$pkg_path/Build.PL"
 print STDERR "===\n";
 
 print <<EOF;
-  "$attr_name" = $build_fun rec {
+  ${\(is_reserved($attr_name) ? "\"$attr_name\"" : $attr_name)} = $build_fun rec {
     name = "$pkg_name";
     src = fetchurl {
       url = "mirror://cpan/${\$module->path}/\${name}.${\$module->package_extension}";
@@ -450,7 +450,7 @@ EOF
 print <<EOF if defined $homepage;
       homepage = $homepage;
 EOF
-print <<EOF if defined $description;
+print <<EOF if defined $description && $description ne "Unknown";
       description = "$description";
 EOF
 print <<EOF if defined $license;

maintainers/scripts/travis-nox-review-pr.sh

@@ -11,7 +11,7 @@ if [[ $1 == nix ]]; then
 
     # Make sure we can use hydra's binary cache
     sudo mkdir /etc/nix
-    sudo echo "build-max-jobs = 4" > /etc/nix/nix.conf
+    sudo sh -c 'echo "build-max-jobs = 4" > /etc/nix/nix.conf'
 
     # Verify evaluation
     echo "=== Verifying that nixpkgs evaluates..."

nixos/doc/manual/default.nix

@@ -187,6 +187,7 @@ in rec {
         --param man.output.in.separate.dir 1 \
         --param man.output.base.dir "'$out/share/man/'" \
         --param man.endnotes.are.numbered 0 \
+        --param man.break.after.slash 1 \
         ${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \
         ./man-pages.xml
     '';

nixos/doc/manual/installation/installing-usb.xml

@@ -7,10 +7,18 @@
 <title>Booting from a USB Drive</title>
 
 <para>For systems without CD drive, the NixOS live CD can be booted from
-a USB stick. For non-UEFI installations,
-<link xlink:href="http://unetbootin.sourceforge.net/">unetbootin</link>
-will work. For UEFI installations, you should mount the ISO, copy its contents
-verbatim to your drive, then either:
+a USB stick. You can use the <command>dd</command> utility to write the image:
+<command>dd if=<replaceable>path-to-image</replaceable>
+of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
+correct drive; you can use the <command>lsblk</command> command to get a list of
+block devices.</para>
+
+<para>The <command>dd</command> utility will write the image verbatim to the drive,
+making it the recommended option for both UEFI and non-UEFI installations. For
+non-UEFI installations, you can alternatively use
+<link xlink:href="http://unetbootin.sourceforge.net/">unetbootin</link>. If you
+cannot use <command>dd</command> for a UEFI installation, you can also mount the
+ISO, copy its contents verbatim to your drive, then either:
 
 <itemizedlist>
   <listitem>

nixos/doc/manual/installation/installing.xml

@@ -22,7 +22,10 @@
   (with empty password).</para></listitem>
 
   <listitem><para>If you downloaded the graphical ISO image, you can
-  run <command>start display-manager</command> to start KDE.</para></listitem>
+  run <command>start display-manager</command> to start KDE. If you
+  want to continue on the terminal, you can use
+  <command>loadkeys</command> to switch to your preferred keyboard layout.
+  (We even provide neo2 via <command>loadkeys de neo</command>!)</para></listitem>
 
   <listitem><para>The boot process should have brought up networking (check
   <command>ip a</command>).  Networking is necessary for the
@@ -154,10 +157,6 @@ $ nano /mnt/etc/nixos/configuration.nix
     <command>nixos-generate-config</command> will figure out the
     required modules.</para></note>
 
-    <para>Examples of real-world NixOS configuration files can be
-    found at <link
-    xlink:href="https://nixos.org/repos/nix/configurations/trunk/"/>.</para>
-
   </listitem>
 
   <listitem><para>Do the installation:

nixos/doc/manual/release-notes/release-notes.xml

@@ -9,7 +9,7 @@
 <para>This section lists the release notes for each stable version of NixOS
 and current unstable revision.</para>
 
-<xi:include href="rl-unstable.xml" />
+<xi:include href="rl-1603.xml" />
 <xi:include href="rl-1509.xml" />
 <xi:include href="rl-1412.xml" />
 <xi:include href="rl-1404.xml" />

nixos/doc/manual/release-notes/rl-1603.xml

@@ -2,9 +2,9 @@
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xmlns:xi="http://www.w3.org/2001/XInclude"
          version="5.0"
-         xml:id="sec-release-unstable">
+         xml:id="sec-release-16.03">
 
-<title>Unstable</title>
+<title>Release 16.03 (“Emu”, 2016/03/31)</title>
 
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights:</para>
@@ -12,14 +12,53 @@ has the following highlights:</para>
 <itemizedlist>
 
   <listitem>
-    <para>Firefox and similar browsers are now <emphasis>wrapped by default</emphasis>.
-    The package and attribute names are plain <literal>firefox</literal>
-    or <literal>midori</literal>, etc.  Backward-compatibility attributes were set up,
-    but note that <command>nix-env -u</command> will <emphasis>not</emphasis> update
-    your current <literal>firefox-with-plugins</literal>;
-    you have to uninstall it and install <literal>firefox</literal> instead.
-    More discussion is <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12299">
-    on the PR</link>.  </para>
+    <para>Systemd 229, bringing <link
+    xlink:href="https://github.com/systemd/systemd/blob/v229/NEWS">numerous
+    improvements</link> over 217.</para>
+  </listitem>
+
+  <listitem>
+    <para>Linux 4.4 (was 3.18).</para>
+  </listitem>
+
+  <listitem>
+    <para>GCC 5.3 (was 4.9). Note that GCC 5 <link
+    xlink:href="https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_dual_abi.html">changes
+    the C++ ABI in an incompatible way</link>; this may cause problems
+    if you try to link objects compiled with different versions of
+    GCC.</para>
+  </listitem>
+
+  <listitem>
+    <para>Glibc 2.23 (was 2.21).</para>
+  </listitem>
+
+  <listitem>
+    <para>Binutils 2.26 (was 2.23.1). See #909</para>
+  </listitem>
+
+  <listitem>
+    <para>Improved support for ensuring <link
+    xlink:href="https://reproducible-builds.org/">bitwise reproducible
+    builds</link>. For example, <literal>stdenv</literal> now sets the
+    environment variable <envar
+    xlink:href="https://reproducible-builds.org/specs/source-date-epoch/">SOURCE_DATE_EPOCH</envar>
+    to a deterministic value, and Nix has <link
+    xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.11">gained
+    an option</link> to repeat a build a number of times to test
+    determinism. An ongoing project, the goal of exact reproducibility
+    is to allow binaries to be verified independently (e.g., a user
+    might only trust binaries that appear in three independent binary
+    caches).</para>
+  </listitem>
+
+  <listitem>
+    <para>Perl 5.22.</para>
+  </listitem>
+
+  <listitem>
+    <para>KDE Plasma 5.5.5 (was 5.3.2) and Applications 15.12.3 (was
+    15.04.3), based on KDE Frameworks 5.19 (was 5.12).</para>
   </listitem>
 
 </itemizedlist>
@@ -28,10 +67,57 @@ has the following highlights:</para>
 
   <itemizedlist>
     <listitem><para><literal>services/monitoring/longview.nix</literal></para></listitem>
-    <listitem><para><literal>services/networking/pdnsd.nix</literal></para></listitem>
-    <listitem><para><literal>services/web-apps/pump.io.nix</literal></para></listitem>
-    <listitem><para><literal>services/security/haka.nix</literal></para></listitem>
+    <listitem><para><literal>hardware/video/webcam/facetimehd.nix</literal></para></listitem>
     <listitem><para><literal>i18n/inputMethod/default.nix</literal></para></listitem>
+    <listitem><para><literal>i18n/inputMethod/fcitx.nix</literal></para></listitem>
+    <listitem><para><literal>i18n/inputMethod/ibus.nix</literal></para></listitem>
+    <listitem><para><literal>i18n/inputMethod/nabi.nix</literal></para></listitem>
+    <listitem><para><literal>i18n/inputMethod/uim.nix</literal></para></listitem>
+    <listitem><para><literal>programs/fish.nix</literal></para></listitem>
+    <listitem><para><literal>security/acme.nix</literal></para></listitem>
+    <listitem><para><literal>security/audit.nix</literal></para></listitem>
+    <listitem><para><literal>security/oath.nix</literal></para></listitem>
+    <listitem><para><literal>services/hardware/irqbalance.nix</literal></para></listitem>
+    <listitem><para><literal>services/mail/dspam.nix</literal></para></listitem>
+    <listitem><para><literal>services/mail/opendkim.nix</literal></para></listitem>
+    <listitem><para><literal>services/mail/postsrsd.nix</literal></para></listitem>
+    <listitem><para><literal>services/mail/rspamd.nix</literal></para></listitem>
+    <listitem><para><literal>services/mail/rmilter.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/autofs.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/bepasty.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/calibre-server.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/cfdyndns.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/gammu-smsd.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/mathics.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/matrix-synapse.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/octoprint.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/hdaps.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/heapster.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/longview.nix</literal></para></listitem>
+    <listitem><para><literal>services/network-filesystems/netatalk.nix</literal></para></listitem>
+    <listitem><para><literal>services/network-filesystems/xtreemfs.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/autossh.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/dnschain.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/gale.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/miniupnpd.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/namecoind.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/ostinato.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/pdnsd.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/shairport-sync.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/supplicant.nix</literal></para></listitem>
+    <listitem><para><literal>services/search/kibana.nix</literal></para></listitem>
+    <listitem><para><literal>services/security/haka.nix</literal></para></listitem>
+    <listitem><para><literal>services/security/physlock.nix</literal></para></listitem>
+    <listitem><para><literal>services/web-apps/pump.io.nix</literal></para></listitem>
+    <listitem><para><literal>services/x11/hardware/libinput.nix</literal></para></listitem>
+    <listitem><para><literal>services/x11/window-managers/windowlab.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/initrd-network.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/initrd-ssh.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/loader/loader.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/networkd.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/resolved.nix</literal></para></listitem>
+    <listitem><para><literal>virtualisation/lxd.nix</literal></para></listitem>
+    <listitem><para><literal>virtualisation/rkt.nix</literal></para></listitem>
   </itemizedlist>
 </para>
 
@@ -39,6 +125,22 @@ has the following highlights:</para>
 following incompatible changes:</para>
 
 <itemizedlist>
+
+  <listitem>
+    <para>We no longer produce graphical ISO images and VirtualBox
+    images for <literal>i686-linux</literal>. A minimal ISO image is
+    still provided.</para>
+  </listitem>
+
+  <listitem>
+    <para>Firefox and similar browsers are now <emphasis>wrapped by default</emphasis>.
+    The package and attribute names are plain <literal>firefox</literal>
+    or <literal>midori</literal>, etc.  Backward-compatibility attributes were set up,
+    but note that <command>nix-env -u</command> will <emphasis>not</emphasis> update
+    your current <literal>firefox-with-plugins</literal>;
+    you have to uninstall it and install <literal>firefox</literal> instead.</para>
+  </listitem>
+
   <listitem>
     <para><command>wmiiSnap</command> has been replaced with
     <command>wmii_hg</command>, but
@@ -68,7 +170,7 @@ following incompatible changes:</para>
 
 <programlisting><![CDATA[
 {
-  imports = [ <nixos/modules/services/misc/gitit.nix> ];
+  imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];
 }
 ]]></programlisting>
 
@@ -182,7 +284,7 @@ fileSystems."/example" = {
 
   <listitem>
     <para><literal>services.xserver.vaapiDrivers</literal> has been removed. Use
-    <literal>services.hardware.opengl.extraPackages{,32}</literal> instead. You can
+    <literal>hardware.opengl.extraPackages{,32}</literal> instead. You can
     also specify VDPAU drivers there.</para>
   </listitem>
 
@@ -226,18 +328,84 @@ programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ];
     was removed. Please review the currently available options.</para>
   </listitem>
 
+  <listitem>
+    <para>
+    The option <option>services.nsd.zones.&lt;name&gt;.data</option> no
+    longer interpret the dollar sign ($) as a shell variable, as such it
+    should not be escaped anymore.  Thus the following zone data:
+    </para>
+    <programlisting>
+\$ORIGIN example.com.
+\$TTL 1800
+@       IN      SOA     ns1.vpn.nbp.name.      admin.example.com. (
+    </programlisting>
+    <para>
+    Should modified to look like the actual file expected by nsd:
+    </para>
+    <programlisting>
+$ORIGIN example.com.
+$TTL 1800
+@       IN      SOA     ns1.vpn.nbp.name.      admin.example.com. (
+    </programlisting>
+  </listitem>
+
+  <listitem>
+    <para>
+    <literal>service.syncthing.dataDir</literal> options now has to point
+    to exact folder where syncthing is writing to. Example configuration should
+    look something like:
+    </para>
+    <programlisting>
+services.syncthing = {
+    enable = true;
+    dataDir = "/home/somebody/.syncthing";
+    user = "somebody";
+};
+    </programlisting>
+  </listitem>
+
+  <listitem>
+    <para>
+      <literal>networking.firewall.allowPing</literal> is now enabled by
+      default. Users are encourarged to configure an approiate rate limit for
+      their machines using the Kernel interface at
+      <filename>/proc/sys/net/ipv4/icmp_ratelimit</filename> and
+      <filename>/proc/sys/net/ipv6/icmp/ratelimit</filename> or using the
+      firewall itself, i.e. by setting the NixOS option
+      <literal>networking.firewall.pingLimit</literal>.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      Systems with some broadcom cards used to result into a generated config
+      that is no longer accepted. If you get errors like
+      <screen>error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created</screen>
+      you should either re-run <command>nixos-generate-config</command> or manually replace
+      <literal>"${config.boot.kernelPackages.broadcom_sta}"</literal>
+      by
+      <literal>config.boot.kernelPackages.broadcom_sta</literal>
+      in your <filename>/etc/nixos/hardware-configuration.nix</filename>.
+      More discussion is on <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12595">
+      the github issue</link>.
+    </para>
+  </listitem>
 </itemizedlist>
 
 
 <para>Other notable improvements:
+
 <itemizedlist>
+
+  <!--
   <listitem>
     <para>The <command>command-not-found</command> hook was extended.
     Apart from <literal>$NIX_AUTO_INSTALL</literal> variable,
     it newly also checks for <literal>$NIX_AUTO_RUN</literal>
     which causes it to directly run the missing commands via
-    <command>nix-shell</command> (without installing anything). </para>
+    <command>nix-shell</command> (without installing anything).</para>
   </listitem>
+  -->
 
   <listitem>
     <para><literal>ejabberd</literal> module is brought back and now works on

nixos/lib/build-vms.nix

@@ -1,6 +1,6 @@
-{ system, minimal ? false }:
+{ system, minimal ? false, config ? {} }:
 
-let pkgs = import ../.. { config = {}; inherit system; }; in
+let pkgs = import ../.. { inherit system config; }; in
 
 with pkgs.lib;
 with import ../lib/qemu-flags.nix;

nixos/lib/make-disk-image.nix

@@ -22,17 +22,20 @@
 , # Shell code executed after the VM has finished.
   postVM ? ""
 
+, name ? "nixos-disk-image"
+
+, format ? "raw"
 }:
 
 with lib;
 
 pkgs.vmTools.runInLinuxVM (
-  pkgs.runCommand "nixos-disk-image"
+  pkgs.runCommand name
     { preVM =
         ''
           mkdir $out
-          diskImage=$out/nixos.img
-          ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "${toString diskSize}M"
+          diskImage=$out/nixos.${if format == "qcow2" then "qcow2" else "img"}
+          ${pkgs.vmTools.qemu}/bin/qemu-img create -f ${format} $diskImage "${toString diskSize}M"
           mv closure xchg/
         '';
       buildInputs = [ pkgs.utillinux pkgs.perl pkgs.e2fsprogs pkgs.parted ];

nixos/lib/make-iso9660-image.nix

@@ -39,7 +39,6 @@
 
 , # The volume ID.
   volumeID ? ""
-
 }:
 
 assert bootable -> bootImage != "";
@@ -47,7 +46,7 @@ assert efiBootable -> efiBootImage != "";
 assert usbBootable -> isohybridMbrImage != "";
 
 stdenv.mkDerivation {
-  name = "iso9660-image";
+  name = isoName;
   builder = ./make-iso9660-image.sh;
   buildInputs = [perl xorriso syslinux];
 

nixos/lib/make-iso9660-image.sh

@@ -133,3 +133,4 @@ fi
 
 mkdir -p $out/nix-support
 echo $system > $out/nix-support/system
+echo "file iso $out/iso/$isoName" >> $out/nix-support/hydra-build-products

nixos/lib/test-driver/Machine.pm

@@ -382,9 +382,17 @@ sub waitForUnit {
             my $state = $info->{ActiveState};
             die "unit ‘$unit’ reached state ‘$state’\n" if $state eq "failed";
             if ($state eq "inactive") {
+                # If there are no pending jobs, then assume this unit
+                # will never reach active state.
                 my ($status, $jobs) = $self->execute("systemctl list-jobs --full 2>&1");
-                die "unit ‘$unit’ is inactive and there are no pending jobs\n"
-                    if $jobs =~ /No jobs/; # FIXME: fragile
+                if ($jobs =~ /No jobs/) {  # FIXME: fragile
+                    # Handle the case where the unit may have started
+                    # between the previous getUnitInfo() and
+                    # list-jobs.
+                    my $info2 = $self->getUnitInfo($unit);
+                    die "unit ‘$unit’ is inactive and there are no pending jobs\n"
+                        if $info2->{ActiveState} eq $state;
+                }
             }
             return 1 if $state eq "active";
         };
@@ -543,7 +551,7 @@ sub waitForX {
         retry sub {
             my ($status, $out) = $self->execute("journalctl -b SYSLOG_IDENTIFIER=systemd | grep 'session opened'");
             return 0 if $status != 0;
-            ($status, $out) = $self->execute("xwininfo -root > /dev/null 2>&1");
+            ($status, $out) = $self->execute("[ -e /tmp/.X11-unix/X0 ]");
             return 1 if $status == 0;
         }
     });

nixos/lib/testing.nix

@@ -1,6 +1,6 @@
-{ system, minimal ? false }:
+{ system, minimal ? false, config ? {} }:
 
-with import ./build-vms.nix { inherit system minimal; };
+with import ./build-vms.nix { inherit system minimal config; };
 with pkgs;
 
 rec {

nixos/maintainers/scripts/azure/create-azure.sh

@@ -1,11 +1,8 @@
 #! /bin/sh -e
 
-BUCKET_NAME=${BUCKET_NAME:-nixos}
 export NIX_PATH=nixpkgs=../../../..
 export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/azure-image.nix
 export TIMESTAMP=$(date +%Y%m%d%H%M)
 
 nix-build '<nixpkgs/nixos>' \
-   -A config.system.build.azureImage --argstr system x86_64-linux -o azure --option extra-binary-caches http://hydra.nixos.org -j 10
-
-azure vm image create nixos-test --location "West Europe" --md5-skip -v --os Linux azure/disk.vhd
+   -A config.system.build.azureImage --argstr system x86_64-linux -o azure --option extra-binary-caches https://hydra.nixos.org -j 10

nixos/maintainers/scripts/azure/upload-azure.sh

@@ -0,0 +1,22 @@
+#! /bin/sh -e
+
+export STORAGE=${STORAGE:-nixos}
+export THREADS=${THREADS:-8}
+
+azure-vhd-utils-for-go  upload --localvhdpath azure/disk.vhd  --stgaccountname "$STORAGE"  --stgaccountkey "$KEY" \
+   --containername images --blobname nixos-unstable-nixops-updated.vhd --parallelism "$THREADS" --overwrite
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

nixos/maintainers/scripts/ec2/amazon-image.nix

@@ -10,9 +10,11 @@ with lib;
     ];
 
   system.build.amazonImage = import ../../../lib/make-disk-image.nix {
-    inherit pkgs lib config;
+    inherit lib config;
+    pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
     partitioned = config.ec2.hvm;
     diskSize = if config.ec2.hvm then 2048 else 8192;
+    format = "qcow2";
     configFile = pkgs.writeText "configuration.nix"
       ''
         {

nixos/maintainers/scripts/ec2/create-amis.sh

@@ -8,14 +8,18 @@ echo "keeping state in $stateDir"
 mkdir -p $stateDir
 
 version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
-echo "NixOS version is $version"
+major=${version:0:5}
+echo "NixOS version is $version ($major)"
 
 rm -f ec2-amis.nix
 
+types="hvm pv"
+stores="ebs s3"
+regions="eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
 
-for type in hvm pv; do
+for type in $types; do
     link=$stateDir/$type
-    imageFile=$link/nixos.img
+    imageFile=$link/nixos.qcow2
     system=x86_64-linux
     arch=x86_64
 
@@ -30,7 +34,7 @@ for type in hvm pv; do
             --arg configuration "{ imports = [ <nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix> ]; ec2.hvm = $hvmFlag; }"
     fi
 
-    for store in ebs s3; do
+    for store in $stores; do
 
         bucket=nixos-amis
         bucketDir="$version-$type-$store"
@@ -38,7 +42,7 @@ for type in hvm pv; do
         prevAmi=
         prevRegion=
 
-        for region in eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do
+        for region in $regions; do
 
             name=nixos-$version-$arch-$type-$store
             description="NixOS $system $version ($type-$store)"
@@ -50,10 +54,11 @@ for type in hvm pv; do
                 echo "doing $name in $region..."
 
                 if [ -n "$prevAmi" ]; then
-                    ami=$(ec2-copy-image \
+                    ami=$(aws ec2 copy-image \
                         --region "$region" \
-                        --source-region "$prevRegion" --source-ami-id "$prevAmi" \
-                        --name "$name" --description "$description" | cut -f 2)
+                        --source-region "$prevRegion" --source-image-id "$prevAmi" \
+                        --name "$name" --description "$description" | json -q .ImageId)
+                    if [ "$ami" = null ]; then break; fi
                 else
 
                     if [ $store = s3 ]; then
@@ -61,12 +66,19 @@ for type in hvm pv; do
                         # Bundle the image.
                         imageDir=$stateDir/$type-bundled
 
+                        # Convert the image to raw format.
+                        rawFile=$stateDir/$type.raw
+                        if ! [ -e $rawFile ]; then
+                            qemu-img convert -f qcow2 -O raw $imageFile $rawFile.tmp
+                            mv $rawFile.tmp $rawFile
+                        fi
+
                         if ! [ -d $imageDir ]; then
                             rm -rf $imageDir.tmp
                             mkdir -p $imageDir.tmp
                             ec2-bundle-image \
                                 -d $imageDir.tmp \
-                                -i $imageFile --arch $arch \
+                                -i $rawFile --arch $arch \
                                 --user "$AWS_ACCOUNT" -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY"
                             mv $imageDir.tmp $imageDir
                         fi
@@ -75,14 +87,14 @@ for type in hvm pv; do
                         if ! [ -e $imageDir/uploaded ]; then
                             echo "uploading bundle to S3..."
                             ec2-upload-bundle \
-                                -m $imageDir/nixos.img.manifest.xml \
+                                -m $imageDir/$type.raw.manifest.xml \
                                 -b "$bucket/$bucketDir" \
-                                -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" \
+                                -a "$AWS_ACCESS_KEY_ID" -s "$AWS_SECRET_ACCESS_KEY" \
                                 --location EU
                             touch $imageDir/uploaded
                         fi
 
-                        extraFlags="$bucket/$bucketDir/nixos.img.manifest.xml"
+                        extraFlags="--image-location $bucket/$bucketDir/$type.raw.manifest.xml"
 
                     else
 
@@ -90,10 +102,15 @@ for type in hvm pv; do
                         # to upload a huge raw image.
                         vhdFile=$stateDir/$type.vhd
                         if ! [ -e $vhdFile ]; then
-                            qemu-img convert -O vpc $imageFile $vhdFile.tmp
+                            qemu-img convert -f qcow2 -O vpc $imageFile $vhdFile.tmp
                             mv $vhdFile.tmp $vhdFile
                         fi
 
+                        vhdFileLogicalBytes="$(qemu-img info "$vhdFile" | grep ^virtual\ size: | cut -f 2 -d \(  | cut -f 1 -d \ )"
+                        vhdFileLogicalGigaBytes=$(((vhdFileLogicalBytes-1)/1024/1024/1024+1)) # Round to the next GB
+
+                        echo "Disk size is $vhdFileLogicalBytes bytes. Will be registered as $vhdFileLogicalGigaBytes GB."
+
                         taskId=$(cat $stateDir/$region.$type.task-id 2> /dev/null || true)
                         volId=$(cat $stateDir/$region.$type.vol-id 2> /dev/null || true)
                         snapId=$(cat $stateDir/$region.$type.snap-id 2> /dev/null || true)
@@ -102,7 +119,8 @@ for type in hvm pv; do
                         if [ -z "$snapId" -a -z "$volId" -a -z "$taskId" ]; then
                             echo "importing $vhdFile..."
                             taskId=$(ec2-import-volume $vhdFile --no-upload -f vhd \
-                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" \
+                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
+                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" \
                                 --region "$region" -z "${region}a" \
                                 --bucket "$bucket" --prefix "$bucketDir/" \
                                 | tee /dev/stderr \
@@ -112,15 +130,16 @@ for type in hvm pv; do
 
                         if [ -z "$snapId" -a -z "$volId" ]; then
                             ec2-resume-import  $vhdFile -t "$taskId" --region "$region" \
-                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY"
+                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
+                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY"
                         fi
 
                         # Wait for the volume creation to finish.
                         if [ -z "$snapId" -a -z "$volId" ]; then
                             echo "waiting for import to finish..."
                             while true; do
-                                volId=$(ec2-describe-conversion-tasks "$taskId" --region "$region" | sed 's/.*VolumeId.*\(vol-[0-9a-f]\+\).*/\1/ ; t ; d')
-                                if [ -n "$volId" ]; then break; fi
+                                volId=$(aws ec2 describe-conversion-tasks --conversion-task-ids "$taskId" --region "$region" | jq -r .ConversionTasks[0].ImportVolume.Volume.Id)
+                                if [ "$volId" != null ]; then break; fi
                                 sleep 10
                             done
 
@@ -130,22 +149,24 @@ for type in hvm pv; do
                         # Delete the import task.
                         if [ -n "$volId" -a -n "$taskId" ]; then
                             echo "removing import task..."
-                            ec2-delete-disk-image -t "$taskId" --region "$region" -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" || true
+                            ec2-delete-disk-image -t "$taskId" --region "$region" \
+                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
+                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" || true
                             rm -f $stateDir/$region.$type.task-id
                         fi
 
                         # Create a snapshot.
                         if [ -z "$snapId" ]; then
                             echo "creating snapshot..."
-                            snapId=$(ec2-create-snapshot "$volId" --region "$region" | cut -f 2)
+                            snapId=$(aws ec2 create-snapshot --volume-id "$volId" --region "$region" --description "$description" | jq -r .SnapshotId)
+                            if [ "$snapId" = null ]; then exit 1; fi
                             echo -n "$snapId" > $stateDir/$region.$type.snap-id
-                            ec2-create-tags "$snapId" -t "Name=$description" --region "$region"
                         fi
 
                         # Wait for the snapshot to finish.
                         echo "waiting for snapshot to finish..."
                         while true; do
-                            status=$(ec2-describe-snapshots "$snapId" --region "$region" | head -n1 | cut -f 4)
+                            status=$(aws ec2 describe-snapshots --snapshot-ids "$snapId" --region "$region" | jq -r .Snapshots[0].State)
                             if [ "$status" = completed ]; then break; fi
                             sleep 10
                         done
@@ -153,35 +174,50 @@ for type in hvm pv; do
                         # Delete the volume.
                         if [ -n "$volId" ]; then
                             echo "deleting volume..."
-                            ec2-delete-volume "$volId" --region "$region" || true
+                            aws ec2 delete-volume --volume-id "$volId" --region "$region" || true
                             rm -f $stateDir/$region.$type.vol-id
                         fi
 
-                        extraFlags="-b /dev/sda1=$snapId:20:true:gp2"
+                        blockDeviceMappings="DeviceName=/dev/sda1,Ebs={SnapshotId=$snapId,VolumeSize=$vhdFileLogicalGigaBytes,DeleteOnTermination=true,VolumeType=gp2}"
+                        extraFlags=""
 
                         if [ $type = pv ]; then
-                            extraFlags+=" --root-device-name=/dev/sda1"
+                            extraFlags+=" --root-device-name /dev/sda1"
+                        else
+                            extraFlags+=" --root-device-name /dev/sda1"
+                            extraFlags+=" --sriov-net-support simple"
+                            extraFlags+=" --ena-support"
                         fi
 
-                        extraFlags+=" -b /dev/sdb=ephemeral0 -b /dev/sdc=ephemeral1 -b /dev/sdd=ephemeral2 -b /dev/sde=ephemeral3"
+                        blockDeviceMappings+=" DeviceName=/dev/sdb,VirtualName=ephemeral0"
+                        blockDeviceMappings+=" DeviceName=/dev/sdc,VirtualName=ephemeral1"
+                        blockDeviceMappings+=" DeviceName=/dev/sdd,VirtualName=ephemeral2"
+                        blockDeviceMappings+=" DeviceName=/dev/sde,VirtualName=ephemeral3"
+                    fi
+
+                    if [ $type = hvm ]; then
+                        extraFlags+=" --sriov-net-support simple"
+                        extraFlags+=" --ena-support"
                     fi
 
                     # Register the AMI.
                     if [ $type = pv ]; then
-                        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
-                        [ -n "$kernel" ]
+                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
+                        if [ "$kernel" = null ]; then break; fi
                         echo "using PV-GRUB kernel $kernel"
                         extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
                     else
                         extraFlags+=" --virtualization-type hvm"
                     fi
 
-                    ami=$(ec2-register \
-                        -n "$name" \
-                        -d "$description" \
+                    ami=$(aws ec2 register-image \
+                        --name "$name" \
+                        --description "$description" \
                         --region "$region" \
                         --architecture "$arch" \
-                        $extraFlags | cut -f 2)
+                        --block-device-mappings $blockDeviceMappings \
+                        $extraFlags | jq -r .ImageId)
+                    if [ "$ami" = null ]; then break; fi
                 fi
 
                 echo -n "$ami" > $amiFile
@@ -191,25 +227,47 @@ for type in hvm pv; do
                 ami=$(cat $amiFile)
             fi
 
-            if [ -z "$NO_WAIT" -o -z "$prevAmi" ]; then
-                echo "waiting for AMI..."
-                while true; do
-                    status=$(ec2-describe-images "$ami" --region "$region" | head -n1 | cut -f 5)
-                    if [ "$status" = available ]; then break; fi
-                    sleep 10
-                done
-
-                ec2-modify-image-attribute \
-                    --region "$region" "$ami" -l -a all
-            fi
-
             echo "region = $region, type = $type, store = $store, ami = $ami"
+
             if [ -z "$prevAmi" ]; then
                 prevAmi="$ami"
                 prevRegion="$region"
             fi
-
-            echo "  \"15.09\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix
+        done
+
+    done
+
+done
+
+for type in $types; do
+    link=$stateDir/$type
+    system=x86_64-linux
+    arch=x86_64
+
+    for store in $stores; do
+
+        for region in $regions; do
+
+            name=nixos-$version-$arch-$type-$store
+            amiFile=$stateDir/$region.$type.$store.ami-id
+            ami=$(cat $amiFile)
+
+            echo "region = $region, type = $type, store = $store, ami = $ami"
+
+            echo -n "waiting for AMI..."
+            while true; do
+                status=$(aws ec2 describe-images --image-ids "$ami" --region "$region" | jq -r .Images[0].State)
+                if [ "$status" = available ]; then break; fi
+                sleep 10
+                echo -n '.'
+            done
+            echo
+
+            # Make the image public.
+            aws ec2 modify-image-attribute \
+                --image-id "$ami" --region "$region" --launch-permission 'Add={Group=all}'
+
+            echo "  \"$major\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix
         done
 
     done

nixos/modules/config/gtk-exe-env.nix

@@ -1,41 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports = [
-  ];
-
-  options = {
-    gtkPlugins = lib.mkOption {
-      type = lib.types.listOf lib.types.path;
-      default = [];
-      description = ''
-        Plugin packages for GTK+ such as input methods.
-      '';
-    };
-  };
-
-  config = {
-    environment.variables = if builtins.length config.gtkPlugins > 0
-      then
-        let
-          paths = [ pkgs.gtk2 pkgs.gtk3 ] ++ config.gtkPlugins;
-          env = pkgs.buildEnv {
-            name = "gtk-exe-env";
-
-            inherit paths;
-
-            postBuild = lib.concatStringsSep "\n"
-              (map (d: d.gtkExeEnvPostBuild or "") paths);
-
-            ignoreCollisions = true;
-          };
-        in {
-          GTK_EXE_PREFIX = builtins.toString env;
-          GTK_PATH = [
-            "${env}/lib/gtk-2.0"
-            "${env}/lib/gtk-3.0"
-          ];
-        }
-      else {};
-  };
-}

nixos/modules/config/krb5.nix

@@ -173,6 +173,8 @@ in
             ${cfg.domainRealm} = ${cfg.defaultRealm}
             .mit.edu = ATHENA.MIT.EDU
             mit.edu = ATHENA.MIT.EDU
+            .exchange.mit.edu = EXCHANGE.MIT.EDU
+            exchange.mit.edu = EXCHANGE.MIT.EDU
             .media.mit.edu = MEDIA-LAB.MIT.EDU
             media.mit.edu = MEDIA-LAB.MIT.EDU
             .csail.mit.edu = CSAIL.MIT.EDU

nixos/modules/config/ldap.nix

@@ -192,7 +192,7 @@ in
     system.activationScripts = mkIf insertLdapPassword {
       ldap = stringAfter [ "etc" "groups" "users" ] ''
         if test -f "${cfg.bind.password}" ; then
-          echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig} - > /etc/ldap.conf.bindpw
+          echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw
           mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf
           chmod 600 /etc/ldap.conf
         fi

nixos/modules/config/qt-plugin-env.nix

@@ -1,37 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports = [
-  ];
-
-  options = {
-    qtPlugins = lib.mkOption {
-      type = lib.types.listOf lib.types.path;
-      default = [];
-      description = ''
-        Plugin packages for Qt such as input methods.
-      '';
-    };
-  };
-
-  config = {
-    environment.variables = if builtins.length config.qtPlugins > 0
-      then
-        let
-          paths = [ pkgs.qt48 ] ++ config.qtPlugins;
-          env = pkgs.buildEnv {
-            name = "qt-plugin-env";
-
-            inherit paths;
-
-            postBuild = lib.concatStringsSep "\n"
-              (map (d: d.qtPluginEnvPostBuild or "") paths);
-
-            ignoreCollisions = true;
-          };
-        in {
-          QT_PLUGIN_PATH = [ (builtins.toString env) ];
-        }
-      else {};
-  };
-}

nixos/modules/config/swap.nix

@@ -30,8 +30,7 @@ let
         description = ''
           If this option is set, ‘device’ is interpreted as the
           path of a swapfile that will be created automatically
-          with the indicated size (in megabytes) if it doesn't
-          exist.
+          with the indicated size (in megabytes).
         '';
       };
 
@@ -132,9 +131,13 @@ in
             script =
               ''
                 ${optionalString (sw.size != null) ''
-                  if [ ! -e "${sw.device}" ]; then
+                  currentSize=$(( $(stat -c "%s" "${sw.device}" 2>/dev/null || echo 0) / 1024 / 1024 ))
+                  if [ "${toString sw.size}" != "$currentSize" ]; then
                     fallocate -l ${toString sw.size}M "${sw.device}" ||
                       dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size}
+                    if [ "${toString sw.size}" -lt "$currentSize" ]; then
+                      truncate --size "${toString sw.size}M" "${sw.device}"
+                    fi
                     chmod 0600 ${sw.device}
                     ${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}
                   fi

nixos/modules/config/update-users-groups.pl

@@ -103,7 +103,7 @@ foreach my $g (@{$spec->{groups}}) {
     if (defined $existing) {
         $g->{gid} = $existing->{gid} if !defined $g->{gid};
         if ($g->{gid} != $existing->{gid}) {
-            warn "warning: not applying GID change of group ‘$name’\n";
+            warn "warning: not applying GID change of group ‘$name’ ($existing->{gid} -> $g->{gid})\n";
             $g->{gid} = $existing->{gid};
         }
         $g->{password} = $existing->{password}; # do we want this?
@@ -163,7 +163,7 @@ foreach my $u (@{$spec->{users}}) {
     if (defined $existing) {
         $u->{uid} = $existing->{uid} if !defined $u->{uid};
         if ($u->{uid} != $existing->{uid}) {
-            warn "warning: not applying UID change of user ‘$name’\n";
+            warn "warning: not applying UID change of user ‘$name’ ($existing->{uid} -> $u->{uid})\n";
             $u->{uid} = $existing->{uid};
         }
     } else {

nixos/modules/hardware/video/webcam/facetimehd.nix

@@ -31,13 +31,13 @@ in
 
     # unload module during suspend/hibernate as it crashes the whole system
     powerManagement.powerDownCommands = ''
-      ${pkgs.module_init_tools}/bin/rmmod -f facetimehd
+      ${pkgs.kmod}/bin/lsmod | ${pkgs.gnugrep}/bin/grep -q "^facetimehd" && ${pkgs.kmod}/bin/rmmod -f -v facetimehd
     '';
 
     # and load it back on resume
     powerManagement.resumeCommands = ''
       export MODULE_DIR=/run/current-system/kernel-modules/lib/modules
-      ${pkgs.module_init_tools}/bin/modprobe -v facetimehd
+      ${pkgs.kmod}/bin/modprobe -v facetimehd
     '';
 
   };

nixos/modules/i18n/inputMethod/fcitx.nix

@@ -18,10 +18,14 @@ in
         type    = with types; listOf fcitxEngine;
         default = [];
         example = literalExample "with pkgs.fcitx-engines; [ mozc hangul ]";
-        description = ''
-          Enabled Fcitx engines.
-          Available engines can be found by running `nix-env "<nixpkgs>" . -qaP -A fcitx-engines`.
-        '';
+        description =
+          let
+            engines =
+              lib.concatStringsSep ", "
+              (map (name: "<literal>${name}</literal>")
+               (lib.attrNames pkgs.fcitx-engines));
+          in
+            "Enabled Fcitx engines. Available engines are: ${engines}.";
       };
     };
 
@@ -29,8 +33,6 @@ in
 
   config = mkIf (config.i18n.inputMethod.enabled == "fcitx") {
     environment.systemPackages = [ fcitxPackage ];
-    gtkPlugins = [ fcitxPackage ];
-    qtPlugins  = [ fcitxPackage ];
 
     environment.variables = {
       GTK_IM_MODULE = "fcitx";

nixos/modules/i18n/inputMethod/nabi.nix

@@ -4,7 +4,6 @@ with lib;
 {
   config = mkIf (config.i18n.inputMethod.enabled == "nabi") {
     environment.systemPackages = [ pkgs.nabi ];
-    qtPlugins  = [ pkgs.nabi ];
 
     environment.variables = {
       GTK_IM_MODULE = "nabi";

nixos/modules/i18n/inputMethod/uim.nix

@@ -23,8 +23,6 @@ in
 
   config = mkIf (config.i18n.inputMethod.enabled == "uim") {
     environment.systemPackages = [ pkgs.uim ];
-    gtkPlugins = [ pkgs.uim ];
-    qtPlugins  = [ pkgs.uim ];
 
     environment.variables = {
       GTK_IM_MODULE = "uim";

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -1,5 +1,6 @@
 #! @perl@
 
+use strict;
 use Cwd 'abs_path';
 use File::Spec;
 use File::Path;
@@ -69,6 +70,7 @@ for (my $n = 0; $n < scalar @ARGV; $n++) {
 my @attrs = ();
 my @kernelModules = ();
 my @initrdKernelModules = ();
+my @initrdAvailableKernelModules = ();
 my @modulePackages = ();
 my @imports;
 
@@ -165,7 +167,7 @@ sub pciCheck {
         ) )
     {
         # we need e.g. brcmfmac43602-pcie.bin
-        push @imports, "<nixos/modules/hardware/network/broadcom-43xx.nix>";
+        push @imports, "<nixpkgs/nixos/modules/hardware/network/broadcom-43xx.nix>";
     }
 
     # Can't rely on $module here, since the module may not be loaded
@@ -379,7 +381,7 @@ EOF
     # Is this a btrfs filesystem?
     if ($fsType eq "btrfs") {
         my ($status, @id_info) = runCommand("btrfs subvol show $rootDir$mountPoint");
-        if ($status != 0 || join("", @msg) =~ /ERROR:/) {
+        if ($status != 0 || join("", @id_info) =~ /ERROR:/) {
             die "Failed to retrieve subvolume info for $mountPoint\n";
         }
         my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/;
@@ -440,7 +442,7 @@ sub toNixList {
 sub multiLineList {
     my $indent = shift;
     return " [ ]" if !@_;
-    $res = "\n${indent}[ ";
+    my $res = "\n${indent}[ ";
     my $first = 1;
     foreach my $s (@_) {
         $res .= "$indent  " if !$first;
@@ -474,7 +476,7 @@ my $hwConfig = <<EOF;
   boot.kernelModules = [$kernelModules ];
   boot.extraModulePackages = [$modulePackages ];
 $fsAndSwap
-  nix.maxJobs = $cpus;
+  nix.maxJobs = lib.mkDefault $cpus;
 ${\join "", (map { "  $_\n" } (uniq @attrs))}}
 EOF
 
@@ -494,7 +496,7 @@ if ($showHardwareConfig) {
     if ($force || ! -e $fn) {
         print STDERR "writing $fn...\n";
 
-        my $bootloaderConfig = "";
+        my $bootLoaderConfig = "";
         if (-e "/sys/firmware/efi/efivars") {
             $bootLoaderConfig = <<EOF;
   # Use the gummiboot efi boot loader.
@@ -568,7 +570,7 @@ $bootLoaderConfig
   # };
 
   # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "@nixosRelease@";
+  system.stateVersion = "${\(qw(@nixosRelease@))}";
 
 }
 EOF

nixos/modules/installer/tools/nixos-install.sh

@@ -91,12 +91,10 @@ ln -s /run $mountPoint/var/run
 rm -f $mountPoint/etc/{resolv.conf,hosts}
 cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/
 
-if [ -e "$SSL_CERT_FILE" ]; then
-    cp -Lf "$SSL_CERT_FILE" "$mountPoint/tmp/ca-cert.crt"
-    export SSL_CERT_FILE=/tmp/ca-cert.crt
-    # For Nix 1.7
-    export CURL_CA_BUNDLE=/tmp/ca-cert.crt
-fi
+cp -Lf "@cacert@" "$mountPoint/tmp/ca-cert.crt"
+export SSL_CERT_FILE=/tmp/ca-cert.crt
+# For Nix 1.7
+export CURL_CA_BUNDLE=/tmp/ca-cert.crt
 
 if [ -n "$runChroot" ]; then
     if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then

nixos/modules/installer/tools/nixos-rebuild.sh

@@ -257,9 +257,9 @@ fi
 prebuiltNix() {
     machine="$1"
     if [ "$machine" = x86_64 ]; then
-        return /nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10
+        echo /nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10
     elif [[ "$machine" =~ i.86 ]]; then
-        return /nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10
+        echo /nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10
     else
         echo "$0: unsupported platform"
         exit 1

nixos/modules/installer/tools/tools.nix

@@ -23,6 +23,7 @@ let
 
     inherit (pkgs) perl pathsFromGraph;
     nix = config.nix.package;
+    cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
 
     nixClosure = pkgs.runCommand "closure"
       { exportReferencesGraph = ["refs" config.nix.package]; }

nixos/modules/misc/ids.nix

@@ -253,6 +253,8 @@
       pdnsd = 229;
       octoprint = 230;
       avahi-autoipd = 231;
+      hydra-queue-runner = 235;
+      hydra-www = 236;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -352,7 +354,7 @@
       quassel = 89;
       amule = 90;
       minidlna = 91;
-      #elasticsearch = 92; # unused
+      elasticsearch = 92;
       #tcpcryptd = 93; # unused
       connman = 94;
       firebird = 95;

nixos/modules/misc/locate.nix

@@ -88,7 +88,7 @@ in {
         serviceConfig.PrivateNetwork = "yes";
         serviceConfig.NoNewPrivileges = "yes";
         serviceConfig.ReadOnlyDirectories = "/";
-        serviceConfig.ReadWriteDirectories = cfg.output;
+        serviceConfig.ReadWriteDirectories = dirOf cfg.output;
       };
 
     systemd.timers.update-locatedb = mkIf cfg.enable

nixos/modules/misc/version.nix

@@ -89,7 +89,7 @@ in
     defaultChannel = mkOption {
       internal = true;
       type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-16.03;
       description = "Default NixOS channel to which the root user is subscribed.";
     };
 

nixos/modules/module-list.nix

@@ -7,7 +7,6 @@
   ./config/fonts/fonts.nix
   ./config/fonts/ghostscript.nix
   ./config/gnu.nix
-  ./config/gtk-exe-env.nix
   ./config/i18n.nix
   ./config/krb5.nix
   ./config/ldap.nix
@@ -16,7 +15,6 @@
   ./config/nsswitch.nix
   ./config/power-management.nix
   ./config/pulseaudio.nix
-  ./config/qt-plugin-env.nix
   ./config/shells-environment.nix
   ./config/swap.nix
   ./config/sysctl.nix
@@ -79,7 +77,6 @@
   ./programs/shell.nix
   ./programs/ssh.nix
   ./programs/ssmtp.nix
-  ./programs/uim.nix
   ./programs/venus.nix
   ./programs/wvdial.nix
   ./programs/xfs_quota.nix
@@ -211,6 +208,7 @@
   ./services/misc/confd.nix
   ./services/misc/devmon.nix
   ./services/misc/dictd.nix
+  ./services/misc/dysnomia.nix
   ./services/misc/disnix.nix
   ./services/misc/docker-registry.nix
   ./services/misc/etcd.nix
@@ -325,7 +323,6 @@
   ./services/networking/hostapd.nix
   ./services/networking/i2pd.nix
   ./services/networking/i2p.nix
-  ./services/networking/ifplugd.nix
   ./services/networking/iodined.nix
   ./services/networking/ircd-hybrid/default.nix
   ./services/networking/kippo.nix
@@ -440,6 +437,7 @@
   ./services/web-servers/varnish/default.nix
   ./services/web-servers/winstone.nix
   ./services/web-servers/zope2.nix
+  ./services/x11/colord.nix
   ./services/x11/unclutter.nix
   ./services/x11/desktop-managers/default.nix
   ./services/x11/display-managers/auto.nix

nixos/modules/profiles/base.nix

@@ -17,6 +17,7 @@
     pkgs.ddrescue
     pkgs.ccrypt
     pkgs.cryptsetup # needed for dm-crypt volumes
+    pkgs.which # 88K size
 
     # Some networking tools.
     pkgs.fuse

nixos/modules/profiles/headless.nix

@@ -20,4 +20,7 @@ with lib;
 
   # Don't allow emergency mode, because we don't have a console.
   systemd.enableEmergencyMode = false;
+
+  # Being headless, we don't need a GRUB splash image.
+  boot.loader.grub.splashImage = null;
 }

nixos/modules/programs/bash/bash.nix

@@ -56,7 +56,7 @@ in
       */
 
       shellAliases = mkOption {
-        default = config.environment.shellAliases // { which = "type -P"; };
+        default = config.environment.shellAliases;
         description = ''
           Set of aliases for bash shell. See <option>environment.shellAliases</option>
           for an option format description.

nixos/modules/programs/ssh.nix

@@ -189,6 +189,7 @@ in
 
         # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
         PubkeyAcceptedKeyTypes +ssh-dss
+        HostKeyAlgorithms +ssh-dss
 
         ${cfg.extraConfig}
       '';

nixos/modules/programs/uim.nix

@@ -1,31 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-  cfg = config.uim;
-in
-{
-  options = {
-
-    uim = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        example = true;
-        description = "Enable UIM input method";
-      };
-    };
-
-  };
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.uim ];
-    gtkPlugins = [ pkgs.uim ];
-    qtPlugins = [ pkgs.uim ];
-    environment.variables.GTK_IM_MODULE = "uim";
-    environment.variables.QT_IM_MODULE = "uim";
-    environment.variables.XMODIFIERS = "@im=uim";
-    services.xserver.displayManager.sessionCommands = "uim-xim &";
-  };
-}

nixos/modules/security/acme.nix

@@ -152,7 +152,7 @@ in
         in nameValuePair
         ("acme-${cert}")
         ({
-          description = "ACME cert renewal for ${cert} using simp_le";
+          description = "Renew ACME Certificate for ${cert}";
           after = [ "network.target" ];
           serviceConfig = {
             Type = "oneshot";
@@ -192,7 +192,7 @@ in
       systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
         ("acme-${cert}")
         ({
-          description = "timer for ACME cert renewal of ${cert}";
+          description = "Renew ACME Certificate for ${cert}";
           wantedBy = [ "timers.target" ];
           timerConfig = {
             OnCalendar = cfg.renewInterval;

nixos/modules/security/ca.nix

@@ -67,6 +67,12 @@ in
     # CentOS/Fedora compatibility.
     environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
 
+    environment.sessionVariables =
+      { # FIXME: unneeded - remove eventually.
+        SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
+        GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt";
+      };
+
   };
 
 }

nixos/modules/security/grsecurity.nix

@@ -26,19 +26,11 @@ in
         '';
       };
 
-      stable = mkOption {
-        type = types.bool;
-        default = false;
+      kernelPatch = mkOption {
+        type = types.attrs;
+        example = lib.literalExample "pkgs.kernelPatches.grsecurity_4_1";
         description = ''
-          Enable the stable grsecurity patch, based on Linux 3.14.
-        '';
-      };
-
-      testing = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Enable the testing grsecurity patch, based on Linux 4.0.
+          Grsecurity patch to use.
         '';
       };
 
@@ -134,6 +126,19 @@ in
           '';
         };
 
+        denyChrootCaps = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Whether to lower capabilities of all processes within a chroot,
+            preventing commands that require <literal>CAP_SYS_ADMIN</literal>.
+
+            This protection is disabled by default because it breaks
+            <literal>nixos-rebuild</literal>. Whenever possible, it is
+            highly recommended to enable this protection.
+          '';
+        };
+
         denyUSB = mkOption {
           type = types.bool;
           default = false;
@@ -219,16 +224,7 @@ in
 
   config = mkIf cfg.enable {
     assertions =
-      [ { assertion = cfg.stable || cfg.testing;
-          message   = ''
-            If grsecurity is enabled, you must select either the
-            stable patch (with kernel 3.14), or the testing patch (with
-            kernel 4.0) to continue.
-          '';
-        }
-        { assertion = !(cfg.stable && cfg.testing);
-          message   = "Select either one of the stable or testing patch";
-        }
+      [
         { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
                       (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
           message   = "You cannot enable both restrictProc and restrictProcWithGroup";
@@ -247,9 +243,12 @@ in
         }
       ];
 
+    security.grsecurity.kernelPatch = lib.mkDefault pkgs.kernelPatches.grsecurity_latest;
+
     systemd.services.grsec-lock = mkIf cfg.config.sysctl {
       description     = "grsecurity sysctl-lock Service";
-      requires        = [ "systemd-sysctl.service" ];
+      wants           = [ "systemd-sysctl.service" ];
+      after           = [ "systemd-sysctl.service" ];
       wantedBy        = [ "multi-user.target" ];
       serviceConfig.Type = "oneshot";
       serviceConfig.RemainAfterExit = "yes";

nixos/modules/security/setuid-wrappers.nix

@@ -96,7 +96,7 @@ in
           }:
 
           ''
-            if ! source=${if source != "" then source else "$(PATH=$SETUID_PATH type -tP ${program})"}; then
+            if ! source=${if source != "" then source else "$(readlink -f $(PATH=$SETUID_PATH type -tP ${program}))"}; then
                 # If we can't find the program, fall back to the
                 # system profile.
                 source=/nix/var/nix/profiles/default/bin/${program}

nixos/modules/services/audio/mopidy.nix

@@ -47,6 +47,7 @@ in {
       };
 
       configuration = mkOption {
+        default = "";
         type = types.lines;
         description = ''
           The configuration that Mopidy should use.

nixos/modules/services/backup/tarsnap.nix

@@ -293,7 +293,7 @@ in
       # make sure that the tarsnap server is reachable after systemd starts up
       # the service - therefore we sleep in a loop until we can ping the
       # endpoint.
-      preStart = "while ! ping -q -c 1 betatest-server.tarsnap.com &> /dev/null; do sleep 3; done";
+      preStart = "while ! ping -q -c 1 v1-0-0-server.tarsnap.com &> /dev/null; do sleep 3; done";
       scriptArgs = "%i";
       script = ''
         mkdir -p -m 0755 ${dirOf cfg.cachedir}

nixos/modules/services/continuous-integration/jenkins/default.nix

@@ -92,12 +92,11 @@ in {
         type = with types; attrsOf str;
         description = ''
           Additional environment variables to be passed to the jenkins process.
-          As a base environment, jenkins receives NIX_PATH from
-          <option>environment.sessionVariables</option>, NIX_REMOTE is set to
-          "daemon" and JENKINS_HOME is set to the value of
-          <option>services.jenkins.home</option>.
-          This option has precedence and can be used to override those
-          mentioned variables.
+          As a base environment, jenkins receives NIX_PATH, SSL_CERT_FILE and
+          GIT_SSL_CAINFO from <option>environment.sessionVariables</option>,
+          NIX_REMOTE is set to "daemon" and JENKINS_HOME is set to
+          the value of <option>services.jenkins.home</option>. This option has
+          precedence and can be used to override those mentioned variables.
         '';
       };
 
@@ -137,7 +136,11 @@ in {
       environment =
         let
           selectedSessionVars =
-            lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
+            lib.filterAttrs (n: v: builtins.elem n
+                [ "NIX_PATH"
+                  "SSL_CERT_FILE"
+                  "GIT_SSL_CAINFO"
+                ])
               config.environment.sessionVariables;
         in
           selectedSessionVars //
@@ -161,16 +164,8 @@ in {
       '';
 
       postStart = ''
-        until ${pkgs.curl}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} ; do
-          sleep 10
-        done
-        while true ; do
-          index=`${pkgs.curl}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix}`
-          if [[ !("$index" =~ 'Please wait while Jenkins is restarting' ||
-                  "$index" =~ 'Please wait while Jenkins is getting ready to work') ]]; then
-            exit 0
-          fi
-          sleep 30
+        until ${pkgs.curl}/bin/curl -s -L --fail --head http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} >/dev/null; do
+            sleep 2
         done
       '';
 

nixos/modules/services/mail/dspam.nix

@@ -104,6 +104,7 @@ in {
       systemd.services.dspam = {
         description = "dspam spam filtering daemon";
         wantedBy = [ "multi-user.target" ];
+        after = [ "postgresql.service" ];
         restartTriggers = [ cfgfile ];
 
         serviceConfig = {
@@ -114,7 +115,7 @@ in {
           RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750";
           PermissionsStartOnly = true;
           # DSPAM segfaults on just about every error
-          Restart = "on-failure";
+          Restart = "on-abort";
           RestartSec = "1s";
         };
 

nixos/modules/services/misc/disnix.nix

@@ -36,49 +36,32 @@ in
         default = false;
         description = "Whether to enable the DisnixWebService interface running on Apache Tomcat";
       };
-
-      publishInfrastructure = {
-        enable = mkOption {
-          default = false;
-          description = "Whether to publish capabilities/properties of this machine in as attributes in the infrastructure option";
-        };
-
-        enableAuthentication = mkOption {
-          default = false;
-          description = "Whether to publish authentication credentials through the infrastructure attribute (not recommended in combination with Avahi)";
-        };
-      };
-
-      infrastructure = mkOption {
-        default = {};
-        description = "List of name value pairs containing properties for the infrastructure model";
-      };
-
-      publishAvahi = mkOption {
-        default = false;
-        description = "Whether to publish capabilities/properties as a Disnix service through Avahi";
+      
+      package = mkOption {
+        type = types.path;
+        description = "The Disnix package";
+        default = pkgs.disnix;
       };
 
     };
 
   };
 
-
   ###### implementation
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.disnix pkgs.dysnomia ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService;
+    dysnomia.enable = true;
+    
+    environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService;
 
     services.dbus.enable = true;
     services.dbus.packages = [ pkgs.disnix ];
 
-    services.avahi.enable = cfg.publishAvahi;
-
     services.tomcat.enable = cfg.useWebServiceInterface;
     services.tomcat.extraGroups = [ "disnix" ];
     services.tomcat.javaOpts = "${optionalString cfg.useWebServiceInterface "-Djava.library.path=${pkgs.libmatthew_java}/lib/jni"} ";
     services.tomcat.sharedLibs = optional cfg.useWebServiceInterface "${pkgs.DisnixWebService}/share/java/DisnixConnection.jar"
-                                 ++ optional cfg.useWebServiceInterface "${pkgs.dbus_java}/share/java/dbus.jar";
+      ++ optional cfg.useWebServiceInterface "${pkgs.dbus_java}/share/java/dbus.jar";
     services.tomcat.webapps = optional cfg.useWebServiceInterface pkgs.DisnixWebService;
 
     users.extraGroups = singleton
@@ -86,38 +69,6 @@ in
         gid = config.ids.gids.disnix;
       };
 
-    services.disnix.infrastructure =
-      optionalAttrs (cfg.publishInfrastructure.enable)
-      ( { hostname = config.networking.hostName;
-          #targetHost = config.deployment.targetHost;
-          system = if config.nixpkgs.system == "" then builtins.currentSystem else config.nixpkgs.system;
-
-          supportedTypes = (import "${pkgs.stdenv.mkDerivation {
-            name = "supportedtypes";
-            buildCommand = ''
-              ( echo -n "[ "
-                cd ${dysnomia}/libexec/dysnomia
-                for i in *
-                do
-                    echo -n "\"$i\" "
-                done
-                echo -n " ]") > $out
-            '';
-          }}");
-        }
-        #// optionalAttrs (cfg.useWebServiceInterface) { targetEPR = "http://${config.deployment.targetHost}:8080/DisnixWebService/services/DisnixWebService"; }
-        // optionalAttrs (config.services.httpd.enable) { documentRoot = config.services.httpd.documentRoot; }
-        // optionalAttrs (config.services.mysql.enable) { mysqlPort = config.services.mysql.port; }
-        // optionalAttrs (config.services.tomcat.enable) { tomcatPort = 8080; }
-        // optionalAttrs (config.services.svnserve.enable) { svnBaseDir = config.services.svnserve.svnBaseDir; }
-        // optionalAttrs (config.services.ejabberd.enable) { ejabberdUser = config.services.ejabberd.user; }
-        // optionalAttrs (cfg.publishInfrastructure.enableAuthentication) (
-          optionalAttrs (config.services.mysql.enable) { mysqlUsername = "root"; mysqlPassword = readFile config.services.mysql.rootPassword; })
-        )
-    ;
-
-    services.disnix.publishInfrastructure.enable = cfg.publishAvahi;
-
     systemd.services = {
       disnix = {
         description = "Disnix server";
@@ -133,46 +84,17 @@ in
 
         restartIfChanged = false;
 
-        path = [ pkgs.nix pkgs.disnix dysnomia "/run/current-system/sw" ];
+        path = [ config.nix.package cfg.package config.dysnomia.package "/run/current-system/sw" ];
 
         environment = {
           HOME = "/root";
-        };
-
-        preStart = ''
-          mkdir -p /etc/systemd-mutable/system
-          if [ ! -f /etc/systemd-mutable/system/dysnomia.target ]
-          then
-              ( echo "[Unit]"
-                echo "Description=Services that are activated and deactivated by Dysnomia"
-                echo "After=final.target"
-              ) > /etc/systemd-mutable/system/dysnomia.target
-          fi
-        '';
-
-        script = "disnix-service";
+        }
+        // (if config.environment.variables ? DYSNOMIA_CONTAINERS_PATH then { inherit (config.environment.variables) DYSNOMIA_CONTAINERS_PATH; } else {})
+        // (if config.environment.variables ? DYSNOMIA_MODULES_PATH then { inherit (config.environment.variables) DYSNOMIA_MODULES_PATH; } else {});
+        
+        serviceConfig.ExecStart = "${cfg.package}/bin/disnix-service";
       };
-    } // optionalAttrs cfg.publishAvahi {
-      disnixAvahi = {
-        description = "Disnix Avahi publisher";
-        wants = [ "avahi-daemon.service" ];
-        wantedBy = [ "multi-user.target" ];
 
-        script = ''
-          ${pkgs.avahi}/bin/avahi-publish-service disnix-${config.networking.hostName} _disnix._tcp 22 \
-            "mem=$(grep 'MemTotal:' /proc/meminfo | sed -e 's/kB//' -e 's/MemTotal://' -e 's/ //g')" \
-            ${concatMapStrings (infrastructureAttrName:
-              let infrastructureAttrValue = getAttr infrastructureAttrName (cfg.infrastructure);
-              in
-              if isInt infrastructureAttrValue then
-              ''${infrastructureAttrName}=${toString infrastructureAttrValue} \
-              ''
-              else
-              ''${infrastructureAttrName}=\"${infrastructureAttrValue}\" \
-              ''
-              ) (attrNames (cfg.infrastructure))}
-        '';
-      };
     };
   };
 }

nixos/modules/services/misc/dysnomia.nix

@@ -0,0 +1,217 @@
+{pkgs, lib, config, ...}:
+
+with lib;
+
+let
+  cfg = config.dysnomia;
+  
+  printProperties = properties:
+    concatMapStrings (propertyName:
+      let
+        property = properties."${propertyName}";
+      in
+      if isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties."${propertyName}")})\n"
+      else "${propertyName}=\"${toString property}\"\n"
+    ) (builtins.attrNames properties);
+  
+  properties = pkgs.stdenv.mkDerivation {
+    name = "dysnomia-properties";
+    buildCommand = ''
+      cat > $out << "EOF"
+      ${printProperties cfg.properties}
+      EOF
+    '';
+  };
+  
+  containersDir = pkgs.stdenv.mkDerivation {
+    name = "dysnomia-containers";
+    buildCommand = ''
+      mkdir -p $out
+      cd $out
+      
+      ${concatMapStrings (containerName:
+        let
+          containerProperties = cfg.containers."${containerName}";
+        in
+        ''
+          cat > ${containerName} <<EOF
+          ${printProperties containerProperties}
+          type=${containerName}
+          EOF
+        ''
+      ) (builtins.attrNames cfg.containers)}
+    '';
+  };
+  
+  linkMutableComponents = {containerName}:
+    ''
+      mkdir ${containerName}
+      
+      ${concatMapStrings (componentName:
+        let
+          component = cfg.components."${containerName}"."${componentName}";
+        in
+        "ln -s ${component} ${containerName}/${componentName}\n"
+      ) (builtins.attrNames (cfg.components."${containerName}" or {}))}
+    '';
+  
+  componentsDir = pkgs.stdenv.mkDerivation {
+    name = "dysnomia-components";
+    buildCommand = ''
+      mkdir -p $out
+      cd $out
+      
+      ${concatMapStrings (containerName:
+        let
+          components = cfg.components."${containerName}";
+        in
+        linkMutableComponents { inherit containerName; }
+      ) (builtins.attrNames cfg.components)}
+    '';
+  };
+in
+{
+  options = {
+    dysnomia = {
+      
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable Dysnomia";
+      };
+      
+      enableAuthentication = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to publish privacy-sensitive authentication credentials";
+      };
+      
+      package = mkOption {
+        type = types.path;
+        description = "The Dysnomia package";
+      };
+      
+      properties = mkOption {
+        description = "An attribute set in which each attribute represents a machine property. Optionally, these values can be shell substitutions.";
+        default = {};
+      };
+      
+      containers = mkOption {
+        description = "An attribute set in which each key represents a container and each value an attribute set providing its configuration properties";
+        default = {};
+      };
+      
+      components = mkOption {
+        description = "An atttribute set in which each key represents a container and each value an attribute set in which each key represents a component and each value a derivation constructing its initial state";
+        default = {};
+      };
+      
+      extraContainerProperties = mkOption {
+        description = "An attribute set providing additional container settings in addition to the default properties";
+        default = {};
+      };
+      
+      extraContainerPaths = mkOption {
+        description = "A list of paths containing additional container configurations that are added to the search folders";
+        default = [];
+      };
+      
+      extraModulePaths = mkOption {
+        description = "A list of paths containing additional modules that are added to the search folders";
+        default = [];
+      };
+    };
+  };
+  
+  config = mkIf cfg.enable {
+  
+    environment.etc = {
+      "dysnomia/containers" = {
+        source = containersDir;
+      };
+      "dysnomia/components" = {
+        source = componentsDir;
+      };
+      "dysnomia/properties" = {
+        source = properties;
+      };
+    };
+    
+    environment.variables = {
+      DYSNOMIA_STATEDIR = "/var/state/dysnomia-nixos";
+      DYSNOMIA_CONTAINERS_PATH = "${lib.concatMapStrings (containerPath: "${containerPath}:") cfg.extraContainerPaths}/etc/dysnomia/containers";
+      DYSNOMIA_MODULES_PATH = "${lib.concatMapStrings (modulePath: "${modulePath}:") cfg.extraModulePaths}/etc/dysnomia/modules";
+    };
+    
+    environment.systemPackages = [ cfg.package ];
+    
+    dysnomia.package = pkgs.dysnomia.override (origArgs: {
+      enableApacheWebApplication = config.services.httpd.enable;
+      enableAxis2WebService = config.services.tomcat.axis2.enable;
+      enableEjabberdDump = config.services.ejabberd.enable;
+      enableMySQLDatabase = config.services.mysql.enable;
+      enablePostgreSQLDatabase = config.services.postgresql.enable;
+      enableSubversionRepository = config.services.svnserve.enable;
+      enableTomcatWebApplication = config.services.tomcat.enable;
+      enableMongoDatabase = config.services.mongodb.enable;
+    });
+    
+    dysnomia.properties = {
+      hostname = config.networking.hostName;
+      system = if config.nixpkgs.system == "" then builtins.currentSystem else config.nixpkgs.system;
+
+      supportedTypes = (import "${pkgs.stdenv.mkDerivation {
+        name = "supportedtypes";
+        buildCommand = ''
+          ( echo -n "[ "
+            cd ${cfg.package}/libexec/dysnomia
+            for i in *
+            do
+                echo -n "\"$i\" "
+            done
+            echo -n " ]") > $out
+        '';
+      }}");
+    };
+    
+    dysnomia.containers = lib.recursiveUpdate ({
+      process = {};
+      wrapper = {};
+    }
+    // lib.optionalAttrs (config.services.httpd.enable) { apache-webapplication = {
+      documentRoot = config.services.httpd.documentRoot;
+    }; }
+    // lib.optionalAttrs (config.services.tomcat.axis2.enable) { axis2-webservice = {}; }
+    // lib.optionalAttrs (config.services.ejabberd.enable) { ejabberd-dump = {
+      ejabberdUser = config.services.ejabberd.user;
+    }; }
+    // lib.optionalAttrs (config.services.mysql.enable) { mysql-database = {
+        mysqlPort = config.services.mysql.port;
+      } // lib.optionalAttrs cfg.enableAuthentication {
+        mysqlUsername = "root";
+        mysqlPassword = builtins.readFile (config.services.mysql.rootPassword);
+      };
+    }
+    // lib.optionalAttrs (config.services.postgresql.enable && cfg.enableAuthentication) { postgresql-database = {
+      postgresqlUsername = "root";
+    }; }
+    // lib.optionalAttrs (config.services.tomcat.enable) { tomcat-webapplication = {
+      tomcatPort = 8080;
+    }; }
+    // lib.optionalAttrs (config.services.mongodb.enable) { mongo-database = {}; }
+    // lib.optionalAttrs (config.services.svnserve.enable) { subversion-repository = {
+      svnBaseDir = config.services.svnserve.svnBaseDir;
+    }; }) cfg.extraContainerProperties;
+
+    system.activationScripts.dysnomia = ''
+      mkdir -p /etc/systemd-mutable/system
+      if [ ! -f /etc/systemd-mutable/system/dysnomia.target ]
+      then
+          ( echo "[Unit]"
+            echo "Description=Services that are activated and deactivated by Dysnomia"
+            echo "After=final.target"
+          ) > /etc/systemd-mutable/system/dysnomia.target
+      fi
+    '';
+  };
+}

nixos/modules/services/misc/gitlab.nix

@@ -206,12 +206,6 @@ in {
         description = "Gitlab database user.";
       };
 
-      emailFrom = mkOption {
-        type = types.str;
-        default = "example@example.org";
-        description = "The source address for emails sent by gitlab.";
-      };
-
       host = mkOption {
         type = types.str;
         default = config.networking.hostName;
@@ -328,7 +322,7 @@ in {
         Group = cfg.group;
         TimeoutSec = "300";
         WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
-        ExecStart="${bundler}/bin/bundle exec \"sidekiq -q post_receive -q mailer -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
+        ExecStart="${bundler}/bin/bundle exec \"sidekiq -q post_receive -q mailers -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
       };
     };
 

nixos/modules/services/misc/matrix-synapse.nix

@@ -5,17 +5,31 @@ with lib;
 let
   cfg = config.services.matrix-synapse;
   logConfigFile = pkgs.writeText "log_config.yaml" cfg.logConfig;
+  mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${if r.compress then "true" else "false"}}'';
+  mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${if l.tls then "true" else "false"}, x_forwarded: ${if l.x_forwarded then "true" else "false"}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';
   configFile = pkgs.writeText "homeserver.yaml" ''
 tls_certificate_path: "${cfg.tls_certificate_path}"
+${optionalString (cfg.tls_private_key_path != null) ''
 tls_private_key_path: "${cfg.tls_private_key_path}"
+''}
 tls_dh_params_path: "${cfg.tls_dh_params_path}"
 no_tls: ${if cfg.no_tls then "true" else "false"}
+${optionalString (cfg.bind_port != null) ''
 bind_port: ${toString cfg.bind_port}
+''}
+${optionalString (cfg.unsecure_port != null) ''
 unsecure_port: ${toString cfg.unsecure_port}
+''}
+${optionalString (cfg.bind_host != null) ''
 bind_host: "${cfg.bind_host}"
+''}
 server_name: "${cfg.server_name}"
 pid_file: "/var/run/matrix-synapse.pid"
 web_client: ${if cfg.web_client then "true" else "false"}
+${optionalString (cfg.public_baseurl != null) ''
+public_baseurl: "${cfg.public_baseurl}"
+''}
+listeners: [${concatStringsSep "," (map mkListener cfg.listeners)}]
 database: {
   name: "${cfg.database_type}",
   args: {
@@ -24,21 +38,41 @@ database: {
     )}
   }
 }
+event_cache_size: "${cfg.event_cache_size}"
+verbose: ${cfg.verbose}
 log_file: "/var/log/matrix-synapse/homeserver.log"
 log_config: "${logConfigFile}"
+rc_messages_per_second: ${cfg.rc_messages_per_second}
+rc_message_burst_count: ${cfg.rc_message_burst_count}
+federation_rc_window_size: ${cfg.federation_rc_window_size}
+federation_rc_sleep_limit: ${cfg.federation_rc_sleep_limit}
+federation_rc_sleep_delay: ${cfg.federation_rc_sleep_delay}
+federation_rc_reject_limit: ${cfg.federation_rc_reject_limit}
+federation_rc_concurrent: ${cfg.federation_rc_concurrent}
 media_store_path: "/var/lib/matrix-synapse/media"
+uploads_path: "/var/lib/matrix-synapse/uploads"
+max_upload_size: "${cfg.max_upload_size}"
+max_image_pixels: "${cfg.max_image_pixels}"
+dynamic_thumbnails: ${if cfg.dynamic_thumbnails then "true" else "false"}
+url_preview_enabled: False
 recaptcha_private_key: "${cfg.recaptcha_private_key}"
 recaptcha_public_key: "${cfg.recaptcha_public_key}"
 enable_registration_captcha: ${if cfg.enable_registration_captcha then "true" else "false"}
-turn_uris: ${if (length cfg.turn_uris) == 0 then "[]" else ("\n" + (concatStringsSep "\n" (map (s: "- " + s) cfg.turn_uris)))}
+turn_uris: ${builtins.toJSON cfg.turn_uris}
 turn_shared_secret: "${cfg.turn_shared_secret}"
 enable_registration: ${if cfg.enable_registration then "true" else "false"}
-${optionalString (cfg.registration_shared_secret != "") ''
+${optionalString (cfg.registration_shared_secret != null) ''
 registration_shared_secret: "${cfg.registration_shared_secret}"
 ''}
+recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+turn_user_lifetime: "${cfg.turn_user_lifetime}"
+user_creation_max_duration: ${cfg.user_creation_max_duration}
+bcrypt_rounds: ${cfg.bcrypt_rounds}
+allow_guest_access: {if cfg.allow_guest_access then "true" else "false"}
 enable_metrics: ${if cfg.enable_metrics then "true" else "false"}
 report_stats: ${if cfg.report_stats then "true" else "false"}
 signing_key_path: "/var/lib/matrix-synapse/homeserver.signing.key"
+key_refresh_interval: "${cfg.key_refresh_interval}"
 perspectives:
   servers: {
     ${concatStringsSep "},\n" (mapAttrsToList (n: v: ''
@@ -52,6 +86,8 @@ perspectives:
     '') cfg.servers)}
     }
   }
+app_service_config_files: ${builtins.toJSON cfg.app_service_config_files}
+
 ${cfg.extraConfig}
 '';
 in {
@@ -73,53 +109,65 @@ in {
           Don't bind to the https port
         '';
       };
-      tls_certificate_path = mkOption {
-        type = types.path;
-        default = "/var/lib/matrix-synapse/homeserver.tls.crt";
-        description = ''
-          PEM encoded X509 certificate for TLS
-        '';
-      };
-      tls_private_key_path = mkOption {
-        type = types.path;
-        default = "/var/lib/matrix-synapse/homeserver.tls.key";
-        description = ''
-          PEM encoded private key for TLS
-        '';
-      };
-      tls_dh_params_path = mkOption {
-        type = types.path;
-        default = "/var/lib/matrix-synapse/homeserver.tls.dh";
-        description = ''
-          PEM dh parameters for ephemeral keys
-        '';
-      };
       bind_port = mkOption {
-        type = types.int;
-        default = 8448;
+        type = types.nullOr types.int;
+        default = null;
+        example = 8448;
         description = ''
+          DEPRECATED: Use listeners instead.
           The port to listen for HTTPS requests on.
           For when matrix traffic is sent directly to synapse.
         '';
       };
       unsecure_port = mkOption {
-        type = types.int;
-        default = 8008;
+        type = types.nullOr types.int;
+        default = null;
+        example = 8008;
         description = ''
+          DEPRECATED: Use listeners instead.
           The port to listen for HTTP requests on.
           For when matrix traffic passes through loadbalancer that unwraps TLS.
         '';
       };
       bind_host = mkOption {
-        type = types.str;
-        default = "";
+        type = types.nullOr types.str;
+        default = null;
         description = ''
+          DEPRECATED: Use listeners instead.
           Local interface to listen on.
           The empty string will cause synapse to listen on all interfaces.
         '';
       };
+      tls_certificate_path = mkOption {
+        type = types.str;
+        default = "/var/lib/matrix-synapse/homeserver.tls.crt";
+        description = ''
+          PEM encoded X509 certificate for TLS.
+          You can replace the self-signed certificate that synapse
+          autogenerates on launch with your own SSL certificate + key pair
+          if you like.  Any required intermediary certificates can be
+          appended after the primary certificate in hierarchical order.
+        '';
+      };
+      tls_private_key_path = mkOption {
+        type = types.nullOr types.str;
+        default = "/var/lib/matrix-synapse/homeserver.tls.key";
+        example = null;
+        description = ''
+          PEM encoded private key for TLS. Specify null if synapse is not
+          speaking TLS directly.
+        '';
+      };
+      tls_dh_params_path = mkOption {
+        type = types.str;
+        default = "/var/lib/matrix-synapse/homeserver.tls.dh";
+        description = ''
+          PEM dh parameters for ephemeral keys
+        '';
+      };
       server_name = mkOption {
         type = types.str;
+        example = "example.com";
         description = ''
           The domain name of the server, with optional explicit port.
           This is used by remote servers to connect to this server,
@@ -134,6 +182,145 @@ in {
           Whether to serve a web client from the HTTP/HTTPS root resource.
         '';
       };
+      public_baseurl = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "https://example.com:8448/";
+        description = ''
+          The public-facing base URL for the client API (not including _matrix/...)
+        '';
+      };
+      listeners = mkOption {
+        type = types.listOf (types.submodule {
+          options = {
+            port = mkOption {
+              type = types.int;
+              example = 8448;
+              description = ''
+                The port to listen for HTTP(S) requests on.
+              '';
+            };
+            bind_address = mkOption {
+              type = types.str;
+              default = "";
+              example = "203.0.113.42";
+              description = ''
+                Local interface to listen on.
+                The empty string will cause synapse to listen on all interfaces.
+              '';
+            };
+            type = mkOption {
+              type = types.str;
+              default = "http";
+              description = ''
+                Type of listener.
+              '';
+            };
+            tls = mkOption {
+              type = types.bool;
+              default = true;
+              description = ''
+                Whether to listen for HTTPS connections rather than HTTP.
+              '';
+            };
+            x_forwarded = mkOption {
+              type = types.bool;
+              default = false;
+              description = ''
+                Use the X-Forwarded-For (XFF) header as the client IP and not the
+                actual client IP.
+              '';
+            };
+            resources = mkOption {
+              type = types.listOf (types.submodule {
+                options = {
+                  names = mkOption {
+                    type = types.listOf types.str;
+                    description = ''
+                      List of resources to host on this listener.
+                    '';
+                    example = ["client" "webclient" "federation"];
+                  };
+                  compress = mkOption {
+                    type = types.bool;
+                    description = ''
+                      Should synapse compress HTTP responses to clients that support it?
+                      This should be disabled if running synapse behind a load balancer
+                      that can do automatic compression.
+                    '';
+                  };
+                };
+              });
+              description = ''
+                List of HTTP resources to serve on this listener.
+              '';
+            };
+          };
+        });
+        default = [{
+          port = 8448;
+          bind_address = "";
+          type = "http";
+          tls = true;
+          x_forwarded = false;
+          resources = [
+            { names = ["client" "webclient"]; compress = true; }
+            { names = ["federation"]; compress = false; }
+          ];
+        }];
+        description = ''
+          List of ports that Synapse should listen on, their purpose and their configuration.
+        '';
+      };
+      verbose = mkOption {
+        type = types.str;
+        default = "0";
+        description = "Logging verbosity level.";
+      };
+      rc_messages_per_second = mkOption {
+        type = types.str;
+        default = "0.2";
+        description = "Number of messages a client can send per second";
+      };
+      rc_message_burst_count = mkOption {
+        type = types.str;
+        default = "10.0";
+        description = "Number of message a client can send before being throttled";
+      };
+      federation_rc_window_size = mkOption {
+        type = types.str;
+        default = "1000";
+        description = "The federation window size in milliseconds";
+      };
+      federation_rc_sleep_limit = mkOption {
+        type = types.str;
+        default = "10";
+        description = ''
+          The number of federation requests from a single server in a window
+          before the server will delay processing the request.
+        '';
+      };
+      federation_rc_sleep_delay = mkOption {
+        type = types.str;
+        default = "500";
+        description = ''
+          The duration in milliseconds to delay processing events from
+          remote servers by if they go over the sleep limit.
+        '';
+      };
+      federation_rc_reject_limit = mkOption {
+        type = types.str;
+        default = "50";
+        description = ''
+          The maximum number of concurrent federation requests allowed
+          from a single server
+        '';
+      };
+      federation_rc_concurrent = mkOption {
+        type = types.str;
+        default = "3";
+        description = "The number of federation requests to concurrently process from a single server";
+      };
       database_type = mkOption {
         type = types.enum [ "sqlite3" "psycopg2" ];
         default = "sqlite3";
@@ -150,6 +337,11 @@ in {
           Arguments to pass to the engine.
         '';
       };
+      event_cache_size = mkOption {
+        type = types.str;
+        default = "10K";
+        description = "Number of events to cache in memory.";
+      };
       recaptcha_private_key = mkOption {
         type = types.str;
         default = "";
@@ -187,6 +379,11 @@ in {
           The shared secret used to compute passwords for the TURN server
         '';
       };
+      turn_user_lifetime = mkOption {
+        type = types.str;
+        default = "1h";
+        description = "How long generated TURN credentials last";
+      };
       enable_registration = mkOption {
         type = types.bool;
         default = false;
@@ -195,8 +392,8 @@ in {
         '';
       };
       registration_shared_secret = mkOption {
-        type = types.str;
-        default = "";
+        type = types.nullOr types.str;
+        default = null;
         description = ''
           If set, allows registration by anyone who also has the shared
           secret, even if registration is otherwise disabled.
@@ -216,7 +413,7 @@ in {
         '';
       };
       servers = mkOption {
-        type = types.attrs;
+        type = types.attrsOf (types.attrsOf types.str);
         default = {
           "matrix.org" = {
             "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
@@ -226,6 +423,69 @@ in {
           The trusted servers to download signing keys from.
         '';
       };
+      max_upload_size = mkOption {
+        type = types.str;
+        default = "10M";
+        description = "The largest allowed upload size in bytes";
+      };
+      max_image_pixels = mkOption {
+        type = types.str;
+        default = "32M";
+        description = "Maximum number of pixels that will be thumbnailed";
+      };
+      dynamic_thumbnails = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to generate new thumbnails on the fly to precisely match
+          the resolution requested by the client. If true then whenever
+          a new resolution is requested by the client the server will
+          generate a new thumbnail. If false the server will pick a thumbnail
+          from a precalculated list.
+        '';
+      };
+      user_creation_max_duration = mkOption {
+        type = types.str;
+        default = "1209600000";
+        description = ''
+          Sets the expiry for the short term user creation in
+          milliseconds. The default value is two weeks.
+        '';
+      };
+      bcrypt_rounds = mkOption {
+        type = types.str;
+        default = "12";
+        description = ''
+          Set the number of bcrypt rounds used to generate password hash.
+          Larger numbers increase the work factor needed to generate the hash.
+        '';
+      };
+      allow_guest_access = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Allows users to register as guests without a password/email/etc, and
+          participate in rooms hosted on this server which have been made
+          accessible to anonymous users.
+        '';
+      };
+      key_refresh_interval = mkOption {
+        type = types.str;
+        default = "1d";
+        description = ''
+          How long key response published by this server is valid for.
+          Used to set the valid_until_ts in /key/v2 APIs.
+          Determines how quickly servers will query to check which keys
+          are still valid.
+        '';
+      };
+      app_service_config_files = mkOption {
+        type = types.listOf types.path;
+        default = [ ];
+        description = ''
+          A list of application service config file to use
+        '';
+      };
       extraConfig = mkOption {
         type = types.lines;
         default = "";
@@ -265,7 +525,7 @@ in {
         mkdir -p /var/lib/matrix-synapse
         chmod 700 /var/lib/matrix-synapse
         chown -R matrix-synapse:matrix-synapse /var/lib/matrix-synapse
-        ${cfg.package}/bin/homeserver --config-path ${configFile} --generate-keys
+        ${cfg.package}/bin/homeserver --config-path ${configFile} --keys-directory /var/lib/matrix-synapse/ --generate-keys
       '';
       serviceConfig = {
         Type = "simple";

nixos/modules/services/misc/nix-daemon.nix

@@ -39,7 +39,7 @@ let
         build-users-group = nixbld
         build-max-jobs = ${toString (cfg.maxJobs)}
         build-cores = ${toString (cfg.buildCores)}
-        build-use-chroot = ${if cfg.useChroot then "true" else "false"}
+        build-use-chroot = ${if (builtins.isBool cfg.useChroot) then (if cfg.useChroot then "true" else "false") else cfg.useChroot}
         build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths)
         binary-caches = ${toString cfg.binaryCaches}
         trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
@@ -99,7 +99,7 @@ in
       };
 
       useChroot = mkOption {
-        type = types.bool;
+        type = types.either types.bool (types.enum ["relaxed"]);
         default = false;
         description = "
           If set, Nix will perform builds in a chroot-environment that it
@@ -257,13 +257,11 @@ in
         type = types.bool;
         default = true;
         description = ''
-          If enabled, Nix will only download binaries from binary
-          caches if they are cryptographically signed with any of the
-          keys listed in
-          <option>nix.binaryCachePublicKeys</option>. If disabled (the
-          default), signatures are neither required nor checked, so
-          it's strongly recommended that you use only trustworthy
-          caches and https to prevent man-in-the-middle attacks.
+          If enabled (the default), Nix will only download binaries from binary caches if
+          they are cryptographically signed with any of the keys listed in
+          <option>nix.binaryCachePublicKeys</option>. If disabled, signatures are neither
+          required nor checked, so it's strongly recommended that you use only
+          trustworthy caches and https to prevent man-in-the-middle attacks.
         '';
       };
 

nixos/modules/services/monitoring/collectd.nix

@@ -100,7 +100,7 @@ in {
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
-        ExecStart = "${pkgs.collectd}/sbin/collectd -C ${conf} -P ${cfg.pidFile}";
+        ExecStart = "${cfg.package}/sbin/collectd -C ${conf} -P ${cfg.pidFile}";
         Type = "forking";
         PIDFile = cfg.pidFile;
         User = optional (cfg.user!="root") cfg.user;

nixos/modules/services/monitoring/dd-agent.nix

@@ -72,6 +72,7 @@ let
   postgresqlConfig = pkgs.writeText "postgres.yaml" cfg.postgresqlConfig;
   nginxConfig = pkgs.writeText "nginx.yaml" cfg.nginxConfig;
   mongoConfig = pkgs.writeText "mongo.yaml" cfg.mongoConfig;
+  jmxConfig = pkgs.writeText "jmx.yaml" cfg.jmxConfig;
   
   etcfiles =
     [ { source = ddConf;
@@ -94,6 +95,10 @@ let
     (optional (cfg.mongoConfig != null)
       { source = mongoConfig;
         target = "dd-agent/conf.d/mongo.yaml";
+      }) ++
+    (optional (cfg.jmxConfig != null)
+      { source = jmxConfig;
+        target = "dd-agent/conf.d/jmx.yaml";
       });
 
 in {
@@ -141,6 +146,13 @@ in {
       default = null;
       type = types.uniq (types.nullOr types.string);
     };
+
+    jmxConfig = mkOption {
+      description = "JMX integration configuration";
+      default = null;
+      type = types.uniq (types.nullOr types.string);
+    };
+
   };
 
   config = mkIf cfg.enable {
@@ -167,7 +179,7 @@ in {
         Restart = "always";
         RestartSec = 2;
       };
-      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ];
+      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig ];
     };
 
     systemd.services.dogstatsd = {
@@ -183,7 +195,21 @@ in {
         Restart = "always";
         RestartSec = 2;
       };
-      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ];
+      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig ];
+    };
+
+    systemd.services.dd-jmxfetch = lib.mkIf (cfg.jmxConfig != null) {
+      description = "Datadog JMX Fetcher";
+      path = [ pkgs."dd-agent" pkgs.python pkgs.sysstat pkgs.procps pkgs.jdk ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.dd-agent}/bin/dd-jmxfetch";
+        User = "datadog";
+        Group = "datadog";
+        Restart = "always";
+        RestartSec = 2;
+      };
+      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig ];
     };
 
     environment.etc = etcfiles;

nixos/modules/services/monitoring/grafana.nix

@@ -87,7 +87,7 @@ in {
 
     staticRootPath = mkOption {
       description = "Root path for static assets.";
-      default = "${cfg.package.out}/share/grafana/public";
+      default = "${cfg.package}/share/grafana/public";
       type = types.str;
     };
 

nixos/modules/services/monitoring/graphite.nix

@@ -51,7 +51,13 @@ let
   '';
 
   carbonEnv = {
-    PYTHONPATH = "${pkgs.python27Packages.carbon}/lib/python2.7/site-packages";
+    PYTHONPATH = let
+      cenv = pkgs.python.buildEnv.override {
+        extraLibs = [ pkgs.python27Packages.carbon ];
+      };
+      cenvPack =  "${cenv}/${pkgs.python.sitePackages}";
+    # opt/graphite/lib contains twisted.plugins.carbon-cache
+    in "${cenvPack}/opt/graphite/lib:${cenvPack}";
     GRAPHITE_ROOT = dataDir;
     GRAPHITE_CONF_DIR = configDir;
     GRAPHITE_STORAGE_DIR = dataDir;
@@ -445,10 +451,21 @@ in {
         after = [ "network-interfaces.target" ];
         path = [ pkgs.perl ];
         environment = {
-          PYTHONPATH = "${pkgs.python27Packages.graphite_web}/lib/python2.7/site-packages";
+          PYTHONPATH = let
+              penv = pkgs.python.buildEnv.override {
+                extraLibs = [
+                  pkgs.python27Packages.graphite_web
+                  pkgs.python27Packages.pysqlite
+                ];
+              };
+              penvPack = "${penv}/${pkgs.python.sitePackages}";
+              # opt/graphite/webapp contains graphite/settings.py
+              # explicitly adding pycairo in path because it cannot be imported via buildEnv
+            in "${penvPack}/opt/graphite/webapp:${penvPack}:${pkgs.pycairo}/${pkgs.python.sitePackages}";
           DJANGO_SETTINGS_MODULE = "graphite.settings";
           GRAPHITE_CONF_DIR = configDir;
           GRAPHITE_STORAGE_DIR = dataDir;
+          LD_LIBRARY_PATH = "${pkgs.cairo}/lib";
         };
         serviceConfig = {
           ExecStart = ''
@@ -486,9 +503,11 @@ in {
         wantedBy = [ "multi-user.target" ];
         after = [ "network-interfaces.target" ];
         environment = {
-          PYTHONPATH =
-            "${cfg.api.package}/lib/python2.7/site-packages:" +
-            concatMapStringsSep ":" (f: f + "/lib/python2.7/site-packages") cfg.api.finders;
+          PYTHONPATH = let
+              aenv = pkgs.python.buildEnv.override {
+                extraLibs = [ cfg.api.package pkgs.cairo ] ++ cfg.api.finders;
+              };
+            in "${aenv}/${pkgs.python.sitePackages}";
           GRAPHITE_API_CONFIG = graphiteApiConfig;
           LD_LIBRARY_PATH = "${pkgs.cairo}/lib";
         };

nixos/modules/services/network-filesystems/nfsd.nix

@@ -126,7 +126,7 @@ in
       { description = "NFSv3 Mount Daemon";
 
         requires = [ "rpcbind.service" ];
-        after = [ "rpcbind.service" ];
+        after = [ "rpcbind.service" "local-fs.target" ];
 
         path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
 

nixos/modules/services/network-filesystems/openafs-client/default.nix

@@ -80,7 +80,7 @@ in
       preStart = ''
         mkdir -p -m 0755 /afs
         mkdir -m 0700 -p ${cfg.cacheDirectory}
-        ${pkgs.module_init_tools}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true
+        ${pkgs.kmod}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true
         ${openafsPkgs}/sbin/afsd -confdir ${afsConfig} -cachedir ${cfg.cacheDirectory} ${if cfg.sparse then "-dynroot-sparse" else "-dynroot"} -fakestat -afsdb
         ${openafsPkgs}/bin/fs setcrypt ${if cfg.crypt then "on" else "off"}
       '';
@@ -92,7 +92,7 @@ in
       preStop = ''
         ${pkgs.utillinux}/bin/umount /afs
         ${openafsPkgs}/sbin/afsd -shutdown
-        ${pkgs.module_init_tools}/sbin/rmmod libafs
+        ${pkgs.kmod}/sbin/rmmod libafs
       '';
     };
   };

nixos/modules/services/networking/bird.nix

@@ -30,7 +30,7 @@ in
 
       user = mkOption {
         type = types.string;
-        default = "ircd";
+        default = "bird";
         description = ''
           BIRD Internet Routing Daemon user.
         '';
@@ -38,7 +38,7 @@ in
 
       group = mkOption {
         type = types.string;
-        default = "ircd";
+        default = "bird";
         description = ''
           BIRD Internet Routing Daemon group.
         '';

nixos/modules/services/networking/ddclient.nix

@@ -7,22 +7,8 @@ let
 
   stateDir = "/var/spool/ddclient";
   ddclientUser = "ddclient";
-  ddclientFlags = "-foreground -verbose -noquiet -file ${ddclientCfg}";
+  ddclientFlags = "-foreground -verbose -noquiet -file /etc/ddclient.conf";
   ddclientPIDFile = "${stateDir}/ddclient.pid";
-  ddclientCfg = pkgs.writeText "ddclient.conf" ''
-    daemon=600
-    cache=${stateDir}/ddclient.cache
-    pid=${ddclientPIDFile}
-    use=${config.services.ddclient.use}
-    login=${config.services.ddclient.username}
-    password=${config.services.ddclient.password}
-    protocol=${config.services.ddclient.protocol}
-    server=${config.services.ddclient.server}
-    ssl=${if config.services.ddclient.ssl then "yes" else "no"}
-    wildcard=YES
-    ${config.services.ddclient.domain}
-    ${config.services.ddclient.extraConfig}
-  '';
 
 in
 
@@ -62,7 +48,7 @@ in
         default = "";
         type = str;
         description = ''
-          Password.
+          Password. WARNING: The password becomes world readable in the Nix store.
         '';
       };
 
@@ -122,10 +108,30 @@ in
       home = stateDir;
     };
 
+    environment.etc."ddclient.conf" = {
+      uid = config.ids.uids.ddclient;
+      mode = "0600";
+      text = ''
+        daemon=600
+        cache=${stateDir}/ddclient.cache
+        pid=${ddclientPIDFile}
+        use=${config.services.ddclient.use}
+        login=${config.services.ddclient.username}
+        password=${config.services.ddclient.password}
+        protocol=${config.services.ddclient.protocol}
+        server=${config.services.ddclient.server}
+        ssl=${if config.services.ddclient.ssl then "yes" else "no"}
+        wildcard=YES
+        ${config.services.ddclient.domain}
+        ${config.services.ddclient.extraConfig}
+      '';
+    };
+
     systemd.services.ddclient = {
       description = "Dynamic DNS Client";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
+      restartTriggers = [ config.environment.etc."ddclient.conf".source ];
 
       serviceConfig = {
         # Uncomment this if too many problems occur:

nixos/modules/services/networking/dnscrypt-proxy.nix

@@ -27,33 +27,54 @@ in
 {
   options = {
     services.dnscrypt-proxy = {
-      enable = mkEnableOption ''
-        Enable dnscrypt-proxy. The proxy relays regular DNS queries to a
-        DNSCrypt enabled upstream resolver. The traffic between the
-        client and the upstream resolver is encrypted and authenticated,
-        which may mitigate the risk of MITM attacks and third-party
+      enable = mkEnableOption "dnscrypt-proxy" // { description = ''
+        Whether to enable the DNSCrypt client proxy. The proxy relays
+        DNS queries to a DNSCrypt enabled upstream resolver. The traffic
+        between the client and the upstream resolver is encrypted and
+        authenticated, mitigating the risk of MITM attacks and third-party
         snooping (assuming the upstream is trustworthy).
-      '';
+
+        Enabling this option does not alter the system nameserver; to relay
+        local queries, prepend <literal>127.0.0.1</literal> to
+        <option>networking.nameservers</option>.
+
+        The recommended configuration is to run DNSCrypt proxy as a forwarder
+        for a caching DNS client, as in
+        <programlisting>
+        {
+          services.dnscrypt-proxy.enable = true;
+          services.dnscrypt-proxy.localPort = 43;
+          services.dnsmasq.enable = true;
+          services.dnsmasq.servers = [ "127.0.0.1#43" ];
+          services.dnsmasq.resolveLocalQueries = true; # this is the default
+        }
+        </programlisting>
+     ''; };
       localAddress = mkOption {
         default = "127.0.0.1";
         type = types.string;
         description = ''
-          Listen for DNS queries on this address.
+          Listen for DNS queries to relay on this address. The only reason to
+          change this from its default value is to proxy queries on behalf
+          of other machines (typically on the local network).
         '';
       };
       localPort = mkOption {
         default = 53;
         type = types.int;
         description = ''
-          Listen on this port.
+          Listen for DNS queries to relay on this port. The default value
+          assumes that the DNSCrypt proxy should relay DNS queries directly.
+          When running as a forwarder for another DNS client, set this option
+          to a different value; otherwise leave the default.
         '';
       };
       resolverName = mkOption {
-        default = "opendns";
+        default = "cisco";
         type = types.nullOr types.string;
         description = ''
           The name of the upstream DNSCrypt resolver to use. See
-          <literal>${resolverListFile}</literal> for alternative resolvers
+          <filename>${resolverListFile}</filename> for alternative resolvers
           (e.g., if you are concerned about logging and/or server
           location).
         '';
@@ -61,9 +82,8 @@ in
       customResolver = mkOption {
         default = null;
         description = ''
-          Use a resolver not listed in the upstream list (e.g.,
-          a private DNSCrypt provider). For advanced users only.
-          If specified, this option takes precedence.
+          Use an unlisted resolver (e.g., a private DNSCrypt provider). For
+          advanced users only. If specified, this option takes precedence.
         '';
         type = types.nullOr (types.submodule ({ ... }: { options = {
           address = mkOption {
@@ -80,20 +100,20 @@ in
             type = types.str;
             description = "Provider fully qualified domain name";
             example = "2.dnscrypt-cert.opendns.com";
-         };
-         key = mkOption {
-           type = types.str;
-           description = "Provider public key";
-           example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79";
-         }; }; }));
+          };
+          key = mkOption {
+            type = types.str;
+            description = "Provider public key";
+            example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79";
+          };
+        }; }));
       };
       tcpOnly = mkOption {
         default = false;
         type = types.bool;
         description = ''
-          Force sending encrypted DNS queries to the upstream resolver
-          over TCP instead of UDP (on port 443). Enabling this option may
-          help circumvent filtering, but should not be used otherwise.
+          Force sending encrypted DNS queries to the upstream resolver over
+          TCP instead of UDP (on port 443). Use only if the UDP port is blocked.
         '';
       };
     };
@@ -130,6 +150,9 @@ in
         ${pkgs.xz}/lib/liblzma.so.* mr,
         ${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
         ${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
+        ${pkgs.libcap}/lib/libcap.so.* mr,
+        ${pkgs.lz4}/lib/liblz4.so.* mr,
+        ${pkgs.attr}/lib/libattr.so.* mr,
 
         ${resolverListFile} r,
       }

nixos/modules/services/networking/firewall.nix

@@ -338,7 +338,7 @@ in
     };
 
     networking.firewall.allowPing = mkOption {
-      default = false;
+      default = true;
       type = types.bool;
       description =
         ''

nixos/modules/services/networking/ifplugd.nix

@@ -1,82 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  inherit (pkgs) ifplugd;
-
-  cfg = config.networking.interfaceMonitor;
-
-  # The ifplugd action script, which is called whenever the link
-  # status changes (i.e., a cable is plugged in or unplugged).
-  plugScript = pkgs.writeScript "ifplugd.action"
-    ''
-      #! ${pkgs.stdenv.shell}
-      iface="$1"
-      status="$2"
-      ${cfg.commands}
-    '';
-
-in
-
-{
-
-  ###### interface
-
-  options = {
-
-    networking.interfaceMonitor.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        If <literal>true</literal>, monitor Ethernet interfaces for
-        cables being plugged in or unplugged.  When this occurs, the
-        commands specified in
-        <option>networking.interfaceMonitor.commands</option> are
-        executed.
-      '';
-    };
-
-    networking.interfaceMonitor.beep = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        If <literal>true</literal>, beep when an Ethernet cable is
-        plugged in or unplugged.
-      '';
-    };
-
-    networking.interfaceMonitor.commands = mkOption {
-      type = types.lines;
-      default = "";
-      description = ''
-        Shell commands to be executed when the link status of an
-        interface changes.  On invocation, the shell variable
-        <varname>iface</varname> contains the name of the interface,
-        while the variable <varname>status</varname> contains either
-        <literal>up</literal> or <literal>down</literal> to indicate
-        the new status.
-      '';
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-    systemd.services.ifplugd = {
-      description = "Network interface connectivity monitor";
-      after = [ "network-interfaces.target" ];
-      wantedBy = [ "multi-user.target" ];
-      script = ''
-        ${ifplugd}/sbin/ifplugd --no-daemon --no-startup --no-shutdown \
-          ${if config.networking.interfaceMonitor.beep then "" else "--no-beep"} \
-          --run ${plugScript}
-      '';
-    };
-
-    environment.systemPackages = [ ifplugd ];
-  };
-}

nixos/modules/services/networking/iodined.nix

@@ -64,8 +64,7 @@ in
 
     systemd.services.iodined = {
       description = "iodine, ip over dns daemon";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = [ "ip-up.target" ];
       serviceConfig.ExecStart = "${pkgs.iodine}/sbin/iodined -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.ip} ${cfg.domain}";
     };
 

nixos/modules/services/networking/shairport-sync.nix

@@ -52,6 +52,8 @@ in
   config = mkIf config.services.shairport-sync.enable {
 
     services.avahi.enable = true;
+    services.avahi.publish.enable = true;
+    services.avahi.publish.userServices = true;
 
     users.extraUsers = singleton
       { name = cfg.user;

nixos/modules/services/networking/unbound.nix

@@ -106,8 +106,10 @@ in
       preStart = ''
         mkdir -m 0755 -p ${stateDir}/dev/
         cp ${confFile} ${stateDir}/unbound.conf
+        ${optionalString cfg.enableRootTrustAnchor ''
         ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile}
         chown unbound ${stateDir} ${rootTrustAnchorFile}
+        ''}
         touch ${stateDir}/dev/random
         ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
       '';

nixos/modules/services/printing/cupsd.nix

@@ -310,7 +310,9 @@ in
               [ ! -e "/var/lib/cups/$i" ] && ln -s "${rootdir}/etc/cups/$i" "/var/lib/cups/$i"
             done
             ${optionalString cfg.gutenprint ''
-              ${gutenprint}/bin/cups-genppdupdate -p /etc/cups/ppd
+              if [ -d /var/lib/cups/ppd ]; then
+                ${gutenprint}/bin/cups-genppdupdate -p /var/lib/cups/ppd
+              fi
             ''}
           '';
       };

nixos/modules/services/search/elasticsearch.nix

@@ -156,11 +156,14 @@ in {
 
     environment.systemPackages = [ cfg.package ];
 
-    users.extraUsers = singleton {
-      name = "elasticsearch";
-      uid = config.ids.uids.elasticsearch;
-      description = "Elasticsearch daemon user";
-      home = cfg.dataDir;
+    users = {
+      groups.elasticsearch.gid = config.ids.gids.elasticsearch;
+      users.elasticsearch = {
+        uid = config.ids.uids.elasticsearch;
+        description = "Elasticsearch daemon user";
+        home = cfg.dataDir;
+        group = "elasticsearch";
+      };
     };
   };
 }

nixos/modules/services/security/fail2ban.nix

@@ -101,7 +101,7 @@ in
         after = [ "network.target" ];
 
         restartTriggers = [ fail2banConf jailConf ];
-        path = [ pkgs.fail2ban pkgs.iptables ];
+        path = [ pkgs.fail2ban pkgs.iptables pkgs.iproute ];
 
         preStart =
           ''

nixos/modules/services/system/kerberos.nix

@@ -4,7 +4,7 @@ let
 
   inherit (lib) mkOption mkIf singleton;
 
-  inherit (pkgs) heimdal;
+  inherit (pkgs) heimdalFull;
 
   stateDir = "/var/heimdal";
 in
@@ -33,7 +33,7 @@ in
 
   config = mkIf config.services.kerberos_server.enable {
 
-    environment.systemPackages = [ heimdal ];
+    environment.systemPackages = [ heimdalFull ];
 
     services.xinetd.enable = true;
     services.xinetd.services = lib.singleton
@@ -42,7 +42,7 @@ in
         protocol = "tcp";
         user = "root";
         server = "${pkgs.tcp_wrappers}/sbin/tcpd";
-        serverArgs = "${pkgs.heimdal}/sbin/kadmind";
+        serverArgs = "${pkgs.heimdalFull}/sbin/kadmind";
       };
 
     systemd.services.kdc = {
@@ -51,13 +51,13 @@ in
       preStart = ''
         mkdir -m 0755 -p ${stateDir}
       '';
-      script = "${heimdal}/sbin/kdc";
+      script = "${heimdalFull}/sbin/kdc";
     };
 
     systemd.services.kpasswdd = {
       description = "Kerberos Domain Controller daemon";
       wantedBy = [ "multi-user.target" ];
-      script = "${heimdal}/sbin/kpasswdd";
+      script = "${heimdalFull}/sbin/kpasswdd";
     };
   };
 

nixos/modules/services/web-servers/apache-httpd/default.nix

@@ -685,6 +685,7 @@ in
 
         serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}";
         serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop";
+        serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful";
         serviceConfig.Type = "forking";
         serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid";
         serviceConfig.Restart = "always";

nixos/modules/services/web-servers/apache-httpd/trac.nix

@@ -5,14 +5,19 @@ with lib;
 let
 
   # Build a Subversion instance with Apache modules and Swig/Python bindings.
-  subversion = pkgs.subversion.override (origArgs: {
+  subversion = pkgs.subversion.override {
     bdbSupport = true;
     httpServer = true;
     pythonBindings = true;
-  });
+    apacheHttpd = httpd;
+  };
 
   pythonLib = p: "${p}/";
 
+  httpd = serverInfo.serverConfig.package;
+
+  versionPre24 = versionOlder httpd.version "2.4";
+
 in
 
 {
@@ -82,7 +87,7 @@ in
         AuthName "${config.ldapAuthentication.name}"
         AuthBasicProvider "ldap"
         AuthLDAPURL "${config.ldapAuthentication.url}"
-        authzldapauthoritative Off
+        ${if versionPre24 then "authzldapauthoritative Off" else ""}
         require valid-user
       </LocationMatch>
     '' else ""}

nixos/modules/services/web-servers/uwsgi.nix

@@ -32,17 +32,27 @@ let
         self = pythonPackages;
       };
 
-      json = builtins.toJSON {
+      penv = python.buildEnv.override {
+        extraLibs = (c.pythonPackages or (self: [])) pythonPackages;
+      };
+
+      uwsgiCfg = {
         uwsgi =
           if c.type == "normal"
             then {
               inherit plugins;
             } // removeAttrs c [ "type" "pythonPackages" ]
               // optionalAttrs (python != null) {
-                pythonpath = "@PYTHONPATH@";
-                env = (c.env or {}) // {
-                  PATH = optionalString (c ? env.PATH) "${c.env.PATH}:" + "@PATH@";
-                };
+                pythonpath = "${penv}/${python.sitePackages}";
+                env =
+                  # Argh, uwsgi expects list of key-values there instead of a dictionary.
+                  let env' = c.env or [];
+                      getPath =
+                        x: if hasPrefix "PATH=" x
+                           then substring (stringLength "PATH=") (stringLength x) x
+                           else null;
+                      oldPaths = filter (x: x != null) (map getPath env');
+                  in env' ++ [ "PATH=${optionalString (oldPaths != []) "${last oldPaths}:"}${penv}/bin" ];
               }
           else if c.type == "emperor"
             then {
@@ -55,35 +65,7 @@ let
           else throw "`type` attribute in UWSGI configuration should be either 'normal' or 'emperor'";
       };
 
-    in
-      if python == null || c.type != "normal"
-      then pkgs.writeTextDir "${name}.json" json
-      else pkgs.stdenv.mkDerivation {
-        name = "uwsgi-config";
-        inherit json;
-        passAsFile = [ "json" ];
-        nativeBuildInputs = [ pythonPackages.wrapPython ];
-        pythonInputs = (c.pythonPackages or (self: [])) pythonPackages;
-
-        buildCommand = ''
-          mkdir $out
-          declare -A pythonPathsSeen=()
-          program_PYTHONPATH=
-          program_PATH=
-          if [ -n "$pythonInputs" ]; then
-            for i in $pythonInputs; do
-              _addToPythonPath $i
-            done
-          fi
-          # A hack to replace "@PYTHONPATH@" with a JSON list
-          if [ -n "$program_PYTHONPATH" ]; then
-            program_PYTHONPATH="\"''${program_PYTHONPATH//:/\",\"}\""
-          fi
-          substitute $jsonPath $out/${name}.json \
-            --replace '"@PYTHONPATH@"' "[$program_PYTHONPATH]" \
-            --subst-var-by PATH "$program_PATH"
-        '';
-      };
+    in pkgs.writeTextDir "${name}.json" (builtins.toJSON uwsgiCfg);
 
 in {
 

nixos/modules/services/x11/colord.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.colord;
+
+in {
+
+  options = {
+
+    services.colord = {
+      enable = mkEnableOption "colord, the color management daemon";
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    services.dbus.packages = [ pkgs.colord ];
+
+    services.udev.packages = [ pkgs.colord ];
+
+    environment.systemPackages = [ pkgs.colord ];
+
+    systemd.services.colord = {
+      description = "Manage, Install and Generate Color Profiles";
+      serviceConfig = {
+        Type = "dbus";
+        BusName = "org.freedesktop.ColorManager";
+        ExecStart = "${pkgs.colord}/libexec/colord";
+        PrivateTmp = true;
+      };
+    };
+
+  };
+
+}

nixos/modules/services/x11/desktop-managers/gnome3.nix

@@ -99,6 +99,8 @@ in {
     services.telepathy.enable = mkDefault true;
     networking.networkmanager.enable = mkDefault true;
     services.upower.enable = config.powerManagement.enable;
+    services.dbus.packages = mkIf config.services.printing.enable [ pkgs.system-config-printer ];
+    services.colord.enable = mkDefault true;
     hardware.bluetooth.enable = mkDefault true;
 
     fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ];

nixos/modules/services/x11/redshift.nix

@@ -94,11 +94,9 @@ in {
   };
 
   config = mkIf cfg.enable {
-    systemd.services.redshift = {
+    systemd.user.services.redshift = {
       description = "Redshift colour temperature adjuster";
-      requires = [ "display-manager.service" ];
-      after = [ "display-manager.service" ];
-      wantedBy = [ "graphical.target" ];
+      wantedBy = [ "default.target" ];
       serviceConfig = {
         ExecStart = ''
           ${cfg.package}/bin/redshift \
@@ -107,10 +105,10 @@ in {
             -b ${toString cfg.brightness.day}:${toString cfg.brightness.night} \
             ${lib.strings.concatStringsSep " " cfg.extraOptions}
         '';
-	RestartSec = 3;
+        RestartSec = 3;
+        Restart = "always";
       };
       environment = { DISPLAY = ":0"; };
-      serviceConfig.Restart = "always";
     };
   };
 

nixos/modules/services/x11/terminal-server.nix

@@ -41,7 +41,7 @@ with lib;
       { description = "Terminal Server";
 
         path =
-          [ pkgs.xorgserver pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth
+          [ pkgs.xorg.xorgserver pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth
             pkgs.nettools pkgs.shadow pkgs.procps pkgs.utillinux pkgs.bash
           ];
 

nixos/modules/services/x11/window-managers/default.nix

@@ -10,7 +10,6 @@ in
   imports = [
     ./afterstep.nix
     ./bspwm.nix
-    ./clfswm.nix
     ./compiz.nix
     ./dwm.nix
     ./fluxbox.nix

nixos/modules/services/x11/xserver.nix

@@ -13,9 +13,10 @@ let
 
   # Map video driver names to driver packages. FIXME: move into card-specific modules.
   knownVideoDrivers = {
-    virtualbox   = { modules = [ kernelPackages.virtualboxGuestAdditions ]; driverName = "vboxvideo"; };
-    ati = { modules = [ pkgs.xorg.xf86videoati pkgs.xorg.glamoregl ]; };
-    intel-testing = { modules = with pkgs.xorg; [ xf86videointel-testing glamoregl ]; driverName = "intel"; };
+    virtualbox = { modules = [ kernelPackages.virtualboxGuestAdditions ]; driverName = "vboxvideo"; };
+    ati = { modules = with pkgs.xorg; [ xf86videoati glamoregl ]; };
+    intel = { modules = with pkgs.xorg; [ xf86videointel glamoregl ]; };
+    modesetting = { modules = []; };
   };
 
   fontsForXServer =
@@ -478,6 +479,7 @@ in
         xorg.xsetroot
         xorg.xinput
         xorg.xprop
+        xorg.xauth
         pkgs.xterm
         pkgs.xdg_utils
       ]
@@ -525,8 +527,7 @@ in
       };
 
     services.xserver.displayManager.xserverArgs =
-      [ "-ac"
-        "-terminate"
+      [ "-terminate"
         "-config ${configFile}"
         "-xkbdir" "${cfg.xkbDir}"
       ] ++ optional (cfg.display != null) ":${toString cfg.display}"

nixos/modules/system/activation/switch-to-configuration.pl

@@ -261,7 +261,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
 
 sub pathToUnitName {
     my ($path) = @_;
-    open my $cmd, "-|", "systemd-escape", "--suffix=mount", "-p", $path
+    open my $cmd, "-|", "@systemd@/bin/systemd-escape", "--suffix=mount", "-p", $path
         or die "Unable to escape $path!\n";
     my $escaped = join "", <$cmd>;
     chomp $escaped;

nixos/modules/system/boot/coredump.nix

@@ -33,19 +33,29 @@ with lib;
 
   };
 
-  config = mkIf config.systemd.coredump.enable {
+  config = mkMerge [
+    (mkIf config.systemd.coredump.enable {
 
-    environment.etc."systemd/coredump.conf".text =
-      ''
-        [Coredump]
-        ${config.systemd.coredump.extraConfig}
-      '';
+      environment.etc."systemd/coredump.conf".text =
+        ''
+          [Coredump]
+          ${config.systemd.coredump.extraConfig}
+        '';
 
-    # Have the kernel pass core dumps to systemd's coredump helper binary.
-    # From systemd's 50-coredump.conf file. See:
-    # <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
-    boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %p %u %g %s %t %e";
+      # Have the kernel pass core dumps to systemd's coredump helper binary.
+      # From systemd's 50-coredump.conf file. See:
+      # <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
+      boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %p %u %g %s %t %e";
+    })
 
-  };
+    (mkIf (!config.systemd.coredump.enable) {
+      boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
+
+      systemd.extraConfig =
+        ''
+          DefaultLimitCORE=0:infinity
+        '';
+    })
+  ];
 
 }

nixos/modules/system/boot/kernel.nix

@@ -200,8 +200,8 @@ in
         "hid_generic" "hid_lenovo"
         "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
 
-        # Misc. stuff.
-        "pcips2" "atkbd"
+        # Misc. keyboard stuff.
+        "pcips2" "atkbd" "i8042"
 
         # To wait for SCSI devices to appear.
         "scsi_wait_scan"

nixos/modules/system/boot/loader/grub/install-grub.pl

@@ -501,7 +501,7 @@ sub getEfiTarget {
 my @deviceTargets = getDeviceTargets();
 my $efiTarget = getEfiTarget();
 my $prevGrubState = readGrubState();
-my @prevDeviceTargets = split/:/, $prevGrubState->devices;
+my @prevDeviceTargets = split/,/, $prevGrubState->devices;
 
 my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference());
 my $nameDiffer = get("fullName") ne $prevGrubState->name;
@@ -549,7 +549,7 @@ if ($requireNewInstall != 0) {
     print FILE get("fullName"), "\n" or die;
     print FILE get("fullVersion"), "\n" or die;
     print FILE $efiTarget, "\n" or die;
-    print FILE join( ":", @deviceTargets ), "\n" or die;
+    print FILE join( ",", @deviceTargets ), "\n" or die;
     print FILE $efiSysMountPoint, "\n" or die;
     close FILE or die;
 }