Merge pull request #121569 from midchildan/backport/20.03/exiftool

[20.03] perlPackages.ImageExifTool: apply fix for CVE-2021-22204

.github/CONTRIBUTING.md

@@ -53,9 +53,9 @@ For package version upgrades and such a one-line commit message is usually suffi
 To [backport a change into a release branch](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches):
 
 1. Take note of the commit in which the change was introduced into `master`.
-2. Check out the target _release branch_, e.g. `release-19.09`. Do not use a _channel branch_ like `nixos-19.09` or `nixpkgs-19.09`.
+2. Check out the target _release branch_, e.g. `release-20.03`. Do not use a _channel branch_ like `nixos-20.03` or `nixpkgs-20.03`.
 3. Use `git cherry-pick -x <original commit>`.
-4. Open your backport PR. Make sure to select the release branch (e.g. `release-19.09`) as the target branch of the PR, and link to the PR in which the original change was made to `master`.
+4. Open your backport PR. Make sure to select the release branch (e.g. `release-20.03`) as the target branch of the PR, and link to the PR in which the original change was made to `master`.
 
 ## Reviewing contributions
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -6,7 +6,7 @@
 
 <!-- Please check what applies. Note that these are not hard requirements but merely serve as information for reviewers. -->
 
-- [ ] Tested using sandboxing ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file) on non-NixOS linux)
+- [ ] Tested using sandboxing ([nix.useSandbox](https://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `sandbox` in [`nix.conf`](https://nixos.org/nix/manual/#sec-conf-file) on non-NixOS linux)
 - Built on platform(s)
    - [ ] NixOS
    - [ ] macOS

README.md

@@ -44,9 +44,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
 system, [Hydra](https://hydra.nixos.org/).
 
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 19.09 release](https://hydra.nixos.org/jobset/nixos/release-19.09)
+* [Continuous package builds for the NixOS 20.03 release](https://hydra.nixos.org/jobset/nixos/release-20.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 19.09 release](https://hydra.nixos.org/job/nixos/release-19.09/tested#tabs-constituents)
+* [Tests for the NixOS 20.03 release](https://hydra.nixos.org/job/nixos/release-20.03/tested#tabs-constituents)
 
 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are

doc/contributing/quick-start.xml

@@ -112,7 +112,7 @@
     </para>
     <para>
      The exact syntax and semantics of the Nix expression language, including the built-in function, are described in the Nix manual in the <link
-    xlink:href="http://hydra.nixos.org/job/nix/trunk/tarball/latest/download-by-type/doc/manual/#chap-writing-nix-expressions">chapter on writing Nix expressions</link>.
+    xlink:href="https://hydra.nixos.org/job/nix/trunk/tarball/latest/download-by-type/doc/manual/#chap-writing-nix-expressions">chapter on writing Nix expressions</link>.
     </para>
    </listitem>
    <listitem>

doc/contributing/submitting-changes.xml

@@ -407,23 +407,47 @@ Additional information.
   <section xml:id="submitting-changes-stable-release-branches">
    <title>Stable release branches</title>
 
-   <itemizedlist>
+   <para>
+    For cherry-picking a commit to a stable release branch (<quote>backporting</quote>), use <literal>git cherry-pick -x &lt;original commit&gt;</literal> so that the original commit id is included in the commit.
+   </para>
+
+   <para>
+    Add a reason for the backport by using <literal>git cherry-pick -xe &lt;original commit&gt;</literal> instead when it is not obvious from the original commit message. It is not needed when it’s a minor version update that includes security and bug fixes but don’t add new features or when the commit fixes an otherwise broken package.
+   </para>
+
+   <para>
+    Here is an example of a cherry-picked commit message with good reason description:
+   </para>
+
+<screen>
+zfs: Keep trying root import until it works
+
+Works around #11003.
+
+(cherry picked from commit 98b213a11041af39b39473906b595290e2a4e2f9)
+
+Reason: several people cannot boot with ZFS on NVMe
+</screen>
+
+   <para>
+    Other examples of reasons are:
+   </para>
+
+   <itemizedlist spacing="compact">
     <listitem>
      <para>
-      If you're cherry-picking a commit to a stable release branch (“backporting”), always use <command>git cherry-pick -xe</command> and ensure the message contains a clear description about why this needs to be included in the stable branch.
+      Previously the build would fail due to, e.g., <literal>getaddrinfo</literal> not being defined
      </para>
+    </listitem>
+    <listitem>
      <para>
-      An example of a cherry-picked commit would look like this:
+      The previous download links were all broken
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      Crash when starting on some X11 systems
      </para>
-<screen>
-nixos: Refactor the world.
-
-The original commit message describing the reason why the world was torn apart.
-
-(cherry picked from commit abcdef)
-Reason: I just had a gut feeling that this would also be wanted by people from
-the stone age.
-</screen>
     </listitem>
    </itemizedlist>
   </section>

doc/languages-frameworks/android.section.md

@@ -167,7 +167,7 @@ parameters that the SDK composition function (the function shown in the
 previous section) supports.
 
 This build function is particularly useful when it is desired to use
-[Hydra](http://nixos.org/hydra): the Nix-based continuous integration solution
+[Hydra](https://nixos.org/hydra): the Nix-based continuous integration solution
 to build Android apps. An Android APK gets exposed as a build product and can be
 installed on any Android device with a web browser by navigating to the build
 result page.

doc/languages-frameworks/crystal.section.md

@@ -66,6 +66,6 @@ crystal.buildCrystalPackage rec {
   shardsFile = ./shards.nix;
   crystalBinaries.mint.src = "src/mint.cr";
 
-  buildInputs = [ openssl_1_0_2 ];
+  buildInputs = [ openssl ];
 }
 ```

doc/languages-frameworks/gnome.xml

@@ -233,7 +233,7 @@ mkDerivation {
     </term>
     <listitem>
      <para>
-      You can rely on applications depending on the library set the necessary environment variables but that it often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:
+      You can rely on applications depending on the library setting the necessary environment variables but that is often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:
       <itemizedlist>
        <listitem xml:id="ssec-gnome-common-issues-unwrappable-package-gnome-shell-ext">
         <para>

doc/languages-frameworks/haskell.section.md

@@ -112,8 +112,10 @@ haskell.compiler.ghc865                  ghc-8.6.5
 haskell.compiler.integer-simple.ghc865   ghc-8.6.5
 haskell.compiler.ghc881                  ghc-8.8.1
 haskell.compiler.integer-simple.ghc881   ghc-8.8.1
-haskell.compiler.ghc882                  ghc-8.8.1.20191211
-haskell.compiler.integer-simple.ghc882   ghc-8.8.1.20191211
+haskell.compiler.ghc882                  ghc-8.8.2
+haskell.compiler.integer-simple.ghc882   ghc-8.8.2
+haskell.compiler.ghc883                  ghc-8.8.3
+haskell.compiler.integer-simple.ghc883   ghc-8.8.3
 haskell.compiler.ghcjs                   ghcjs-8.6.0.1
 ```
 
@@ -367,7 +369,7 @@ automatically select the right version of GHC and other build tools to build,
 test and execute apps in an existing project downloaded from somewhere on the
 Internet. Pass the `--nix` flag to any `stack` command to do so, e.g.
 ```shell
-git clone --recursive https://github.com/yesodweb/wai
+git clone --recurse-submodules https://github.com/yesodweb/wai.git
 cd wai
 stack --nix build
 ```

doc/languages-frameworks/ios.section.md

@@ -18,7 +18,7 @@ The primary objective of this project is to use the Nix expression language to
 specify how iOS apps can be built from source code, and to automatically spawn
 iOS simulator instances for testing.
 
-This component also makes it possible to use [Hydra](http://nixos.org/hydra),
+This component also makes it possible to use [Hydra](https://nixos.org/hydra),
 the Nix-based continuous integration server to regularly build iOS apps and to
 do wireless ad-hoc installations of enterprise IPAs on iOS devices through
 Hydra.

doc/manual.xml

@@ -1,7 +1,7 @@
 <book xmlns="http://docbook.org/ns/docbook"
       xmlns:xi="http://www.w3.org/2001/XInclude">
  <info>
-  <title>Nixpkgs Users and Contributors Guide</title>
+  <title>Nixpkgs Manual</title>
   <subtitle>Version <xi:include href=".version" parse="text" />
   </subtitle>
  </info>

doc/preface.chapter.md

@@ -42,7 +42,7 @@ distributed as soon as all tests for that channel pass, e.g.
 [this table](https://hydra.nixos.org/job/nixpkgs/trunk/unstable#tabs-constituents)
 shows the status of tests for the `nixpkgs` channel.
 
-The tests are conducted by a cluster called [Hydra](http://nixos.org/hydra/),
+The tests are conducted by a cluster called [Hydra](https://nixos.org/hydra/),
 which also builds binary packages from the Nix expressions in Nixpkgs for
 `x86_64-linux`, `i686-linux` and `x86_64-darwin`.
 The binaries are made available via a [binary cache](https://cache.nixos.org).

doc/release-notes.xml

@@ -286,7 +286,7 @@ export NIX_MIRRORS_sourceforge=http://osdn.dl.sourceforge.net/sourceforge/</prog
   <note>
    <para>
     This release of Nixpkgs requires <link
-xlink:href='http://nixos.org/releases/nix/nix-0.10/'>Nix 0.10</link> or higher.
+xlink:href='https://nixos.org/releases/nix/nix-0.10/'>Nix 0.10</link> or higher.
    </para>
   </note>
 
@@ -436,7 +436,7 @@ stdenv.mkDerivation {
    <listitem>
     <para>
      Distribution files have been moved to <link
-  xlink:href="http://nixos.org/" />.
+  xlink:href="https://nixos.org/" />.
     </para>
    </listitem>
    <listitem>

flake.nix

@@ -1,8 +1,6 @@
 # Experimental flake interface to Nixpkgs.
 # See https://github.com/NixOS/rfcs/pull/49 for details.
 {
-  edition = 201909;
-
   description = "A collection of packages for the Nix package manager";
 
   outputs = { self }:
@@ -25,7 +23,7 @@
           import ./nixos/lib/eval-config.nix (args // {
             modules = modules ++
               [ { system.nixos.versionSuffix =
-                    ".${lib.substring 0 8 self.lastModified}.${self.shortRev or "dirty"}";
+                    ".${lib.substring 0 8 (self.lastModifiedDate or self.lastModified)}.${self.shortRev or "dirty"}";
                   system.nixos.revision = lib.mkIf (self ? rev) self.rev;
                 }
               ];

lib/licenses.nix

@@ -649,6 +649,13 @@ lib.mapAttrs (n: v: v // { shortName = n; }) {
     url = http://metadata.ftp-master.debian.org/changelogs/main/d/debianutils/debianutils_4.8.1_copyright;
   };
 
+  sspl = {
+    shortName = "SSPL";
+    fullName = "Server Side Public License";
+    url = https://www.mongodb.com/licensing/server-side-public-license;
+    free = false;
+  };
+
   tcltk = spdx {
     spdxId = "TCL";
     fullName = "TCL/TK License";

lib/options.nix

@@ -159,7 +159,7 @@ rec {
           let ss = opt.type.getSubOptions opt.loc;
           in if ss != {} then optionAttrSetToDocList' opt.loc ss else [];
       in
-        [ docOption ] ++ subOptions) (collect isOption options);
+        [ docOption ] ++ optionals docOption.visible subOptions) (collect isOption options);
 
 
   /* This function recursively removes all derivation attributes from

lib/sources.nix

@@ -148,10 +148,14 @@ rec {
            # packed-refs file, so we have to grep through it:
            then
              let fileContent = readFile packedRefsName;
-                 matchRef    = match (".*\n([^\n ]*) " + file + "\n.*") fileContent;
-             in if  matchRef == null
+                 matchRef = builtins.match "([a-z0-9]+) ${file}";
+                 isRef = s: builtins.isString s && (matchRef s) != null;
+                 # there is a bug in libstdc++ leading to stackoverflow for long strings:
+                 # https://github.com/NixOS/nix/issues/2147#issuecomment-659868795
+                 refs = builtins.filter isRef (builtins.split "\n" fileContent);
+             in if refs == []
                 then throw ("Could not find " + file + " in " + packedRefsName)
-                else lib.head matchRef
+                else lib.head (matchRef (lib.head refs))
 
            else throw ("Not a .git directory: " + path);
     in readCommitFromFile "HEAD";

lib/trivial.nix

@@ -178,7 +178,7 @@ rec {
     let suffixFile = ../.version-suffix;
     in if pathExists suffixFile
     then lib.strings.fileContents suffixFile
-    else "pre-git";
+    else "post-git";
 
   /* Attempts to return the the current revision of nixpkgs and
      returns the supplied default value otherwise.

maintainers/maintainer-list.nix

@@ -1427,6 +1427,16 @@
     githubId = 5684605;
     name = "Cole Scott";
   };
+  cole-h = {
+    name = "Cole Helbling";
+    email = "cole.e.helbling@outlook.com";
+    github = "cole-h";
+    githubId = 28582702;
+    keys = [{
+      longkeyid = "rsa4096/0xB37E0F2371016A4C";
+      fingerprint = "68B8 0D57 B2E5 4AC3 EC1F  49B0 B37E 0F23 7101 6A4C";
+    }];
+  };
   copumpkin = {
     email = "pumpkingod@gmail.com";
     github = "copumpkin";
@@ -3275,6 +3285,12 @@
     githubId = 1198065;
     name = "Jeffrey David Johnson";
   };
+  jefflabonte = {
+    email = "grimsleepless@protonmail.com";
+    github = "jefflabonte";
+    githubId = 9425955;
+    name = "Jean-François Labonté";
+  };
   jensbin = {
     email = "jensbin+git@pm.me";
     github = "jensbin";
@@ -3902,6 +3918,12 @@
     githubId = 10544;
     name = "Giuluo Eulisse";
   };
+  kthielen = {
+    email = "kthielen@gmail.com";
+    github = "kthielen";
+    githubId = 1409287;
+    name = "Kalani Thielen";
+  };
   ktor = {
     email = "kruszewsky@gmail.com";
     github = "ktor";
@@ -3991,6 +4013,12 @@
     githubId = 32152;
     name = "Luka Blaskovic";
   };
+  lbpdt = {
+    email = "nix@pdtpartners.com";
+    github = "lbpdt";
+    githubId = 45168934;
+    name = "Louis Blin";
+  };
   ldelelis = {
     email = "ldelelis@est.frba.utn.edu.ar";
     github = "ldelelis";
@@ -4055,6 +4083,12 @@
     github = "leonardoce";
     name = "Leonardo Cecchi";
   };
+  leshainc = {
+    email = "leshainc@fomalhaut.me";
+    github = "LeshaInc";
+    githubId = 42153076;
+    name = "Alexey Nikashkin";
+  };
   lethalman = {
     email = "lucabru@src.gnome.org";
     github = "lethalman";
@@ -4494,6 +4528,12 @@
     githubId = 1269099;
     name = "Marius Bakke";
   };
+  mbaillie = {
+    email = "martin@baillie.email";
+    github = "martinbaillie";
+    githubId = 613740;
+    name = "Martin Baillie";
+  };
   mbbx6spp = {
     email = "me@susanpotter.net";
     github = "mbbx6spp";
@@ -7119,6 +7159,12 @@
     githubId = 844343;
     name = "Thiago K. Okada";
   };
+  thmzlt = {
+    email = "git@thomazleite.com";
+    github = "thmzlt";
+    githubId = 7709;
+    name = "Thomaz Leite";
+  };
   ThomasMader = {
     email = "thomas.mader@gmail.com";
     github = "ThomasMader";
@@ -7428,6 +7474,12 @@
     github = "valeriangalliat";
     name = "Valérian Galliat";
   };
+  valodim = {
+    email = "look@my.amazin.horse";
+    github = "valodim";
+    githubId = 27813;
+    name = "Vincent Breitmoser";
+  };
   vandenoever = {
     email = "jos@vandenoever.info";
     github = "vandenoever";
@@ -7610,6 +7662,12 @@
     githubId = 3889405;
     name = "vyp";
   };
+  wamserma = {
+    name = "Markus S. Wamser";
+    email = "github-dev@mail2013.wamser.eu";
+    github = "wamserma";
+    githubId = 60148;
+  };
   waynr = {
     name = "Wayne Warren";
     email = "wayne.warren.s@gmail.com";
@@ -7686,7 +7744,7 @@
     email = "worldofpeace@protonmail.ch";
     github = "worldofpeace";
     githubId = 28888242;
-    name = "Worldofpeace";
+    name = "worldofpeace";
   };
   wscott = {
     email = "wsc9tt@gmail.com";

maintainers/scripts/hydra-eval-failures.py

@@ -79,7 +79,7 @@ def cli(jobset):
     and print a summary of failed builds
     """
 
-    url = "http://hydra.nixos.org/jobset/{}".format(jobset)
+    url = "https://hydra.nixos.org/jobset/{}".format(jobset)
 
     # get the last evaluation
     click.echo(click.style(

maintainers/scripts/update.nix

@@ -2,6 +2,7 @@
 , maintainer ? null
 , path ? null
 , max-workers ? null
+, include-overlays ? false
 , keep-going ? null
 }:
 
@@ -20,9 +21,7 @@ let
       in
         [x] ++ nubOn f xs;
 
-  pkgs = import ./../../default.nix {
-    overlays = [];
-  };
+  pkgs = import ./../../default.nix (if include-overlays then { } else { overlays = []; });
 
   packagesWith = cond: return: set:
     nubOn (pkg: pkg.updateScript)

nixos/README

@@ -2,4 +2,4 @@
 
 NixOS is a Linux distribution based on the purely functional package
 management system Nix.  More information can be found at
-http://nixos.org/nixos and in the manual in doc/manual.
+https://nixos.org/nixos and in the manual in doc/manual.

nixos/doc/manual/configuration/adding-custom-packages.xml

@@ -11,7 +11,7 @@
   the package to your clone, and (optionally) submit a patch or pull request to
   have it accepted into the main Nixpkgs repository. This is described in
   detail in the <link
-xlink:href="http://nixos.org/nixpkgs/manual">Nixpkgs
+xlink:href="https://nixos.org/nixpkgs/manual">Nixpkgs
   manual</link>. In short, you clone Nixpkgs:
 <screen>
 <prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs

nixos/doc/manual/configuration/config-syntax.xml

@@ -14,7 +14,7 @@
   when managing complex systems. The syntax and semantics of the Nix language
   are fully described in the
   <link
-xlink:href="http://nixos.org/nix/manual/#chap-writing-nix-expressions">Nix
+xlink:href="https://nixos.org/nix/manual/#chap-writing-nix-expressions">Nix
   manual</link>, but here we give a short overview of the most important
   constructs useful in NixOS configuration files.
  </para>

nixos/doc/manual/configuration/configuration.xml

@@ -21,7 +21,6 @@
  <xi:include href="xfce.xml" />
  <xi:include href="networking.xml" />
  <xi:include href="linux-kernel.xml" />
- <xi:include href="matrix.xml" />
  <xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
  <xi:include href="profiles.xml" />
  <xi:include href="kubernetes.xml" />

nixos/doc/manual/configuration/summary.xml

@@ -10,7 +10,7 @@
   expression language. It’s not complete. In particular, there are many other
   built-in functions. See the
   <link
-xlink:href="http://nixos.org/nix/manual/#chap-writing-nix-expressions">Nix
+xlink:href="https://nixos.org/nix/manual/#chap-writing-nix-expressions">Nix
   manual</link> for the rest.
  </para>
 

nixos/doc/manual/configuration/xfce.xml

@@ -9,7 +9,6 @@
 <programlisting>
 <xref linkend="opt-services.xserver.desktopManager.xfce.enable" /> = true;
 <xref linkend="opt-services.xserver.displayManager.defaultSession" /> = "xfce";
-};
 </programlisting>
  </para>
  <para>

nixos/doc/manual/development/releases.xml

@@ -57,7 +57,7 @@
     <listitem>
      <para>
       <link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18">
-      Make sure a channel is created at http://nixos.org/channels/. </link>
+      Make sure a channel is created at https://nixos.org/channels/. </link>
      </para>
     </listitem>
     <listitem>

nixos/doc/manual/development/replace-modules.xml

@@ -37,7 +37,7 @@
 
   imports =
     [ # Use postgresql service from nixos-unstable channel.
-      # sudo nix-channel --add http://nixos.org/channels/nixos-unstable nixos-unstable
+      # sudo nix-channel --add https://nixos.org/channels/nixos-unstable nixos-unstable
       <nixos-unstable/nixos/modules/services/databases/postgresql.nix>
     ];
 

nixos/doc/manual/installation/obtaining.xml

@@ -7,7 +7,7 @@
  <para>
   NixOS ISO images can be downloaded from the
   <link
-xlink:href="http://nixos.org/nixos/download.html">NixOS download
+xlink:href="https://nixos.org/nixos/download.html">NixOS download
   page</link>. There are a number of installation options. If you happen to
   have an optical drive and a spare CD, burning the image to CD and booting
   from that is probably the easiest option. Most people will need to prepare a
@@ -26,7 +26,7 @@ xlink:href="https://nixos.wiki/wiki/NixOS_Installation_Guide#Making_the_installa
     <para>
      Using virtual appliances in Open Virtualization Format (OVF) that can be
      imported into VirtualBox. These are available from the
-     <link xlink:href="http://nixos.org/nixos/download.html">NixOS download
+     <link xlink:href="https://nixos.org/nixos/download.html">NixOS download
      page</link>.
     </para>
    </listitem>

nixos/doc/manual/installation/upgrading.xml

@@ -14,7 +14,7 @@
     <para>
      <emphasis>Stable channels</emphasis>, such as
      <literal
-    xlink:href="https://nixos.org/channels/nixos-19.09">nixos-19.09</literal>.
+    xlink:href="https://nixos.org/channels/nixos-20.03">nixos-20.03</literal>.
      These only get conservative bug fixes and package upgrades. For instance,
      a channel update may cause the Linux kernel on your system to be upgraded
      from 4.19.34 to 4.19.38 (a minor bug fix), but not from
@@ -38,7 +38,7 @@
     <para>
      <emphasis>Small channels</emphasis>, such as
      <literal
-    xlink:href="https://nixos.org/channels/nixos-19.09-small">nixos-19.09-small</literal>
+    xlink:href="https://nixos.org/channels/nixos-20.03-small">nixos-20.03-small</literal>
      or
      <literal
     xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>.
@@ -63,8 +63,8 @@
  <para>
   When you first install NixOS, you’re automatically subscribed to the NixOS
   channel that corresponds to your installation source. For instance, if you
-  installed from a 19.09 ISO, you will be subscribed to the
-  <literal>nixos-19.09</literal> channel. To see which NixOS channel you’re
+  installed from a 20.03 ISO, you will be subscribed to the
+  <literal>nixos-20.03</literal> channel. To see which NixOS channel you’re
   subscribed to, run the following as root:
 <screen>
 # nix-channel --list | grep nixos
@@ -75,13 +75,13 @@ nixos https://nixos.org/channels/nixos-unstable
 # nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
 </screen>
   (Be sure to include the <literal>nixos</literal> parameter at the end.) For
-  instance, to use the NixOS 19.09 stable channel:
+  instance, to use the NixOS 20.03 stable channel:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-19.09 nixos
+# nix-channel --add https://nixos.org/channels/nixos-20.03 nixos
 </screen>
   If you have a server, you may want to use the “small” channel instead:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-19.09-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-20.03-small nixos
 </screen>
   And if you want to live on the bleeding edge:
 <screen>
@@ -132,7 +132,7 @@ nixos https://nixos.org/channels/nixos-unstable
    kernel, initrd or kernel modules.
    You can also specify a channel explicitly, e.g.
 <programlisting>
-<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-19.09;
+<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-20.03;
 </programlisting>
   </para>
  </section>

nixos/doc/manual/release-notes/rl-1404.xml

@@ -49,7 +49,7 @@
     <para>
      Nix has been updated to 1.7
      (<link
-  xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.7">details</link>).
+  xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-1.7">details</link>).
     </para>
    </listitem>
    <listitem>

nixos/doc/manual/release-notes/rl-1509.xml

@@ -22,7 +22,7 @@
     in excess of 8,000 Haskell packages. Detailed instructions on how to use
     that infrastructure can be found in the
     <link
-    xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+    xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
     Guide to the Haskell Infrastructure</link>. Users migrating from an earlier
     release may find helpful information below, in the list of
     backwards-incompatible changes. Furthermore, we distribute 51(!) additional
@@ -555,7 +555,7 @@ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.pandoc
      the compiler now is the <literal>haskellPackages.ghcWithPackages</literal>
      function. The
      <link
-    xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+    xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
      Guide to the Haskell Infrastructure</link> provides more information about
      this subject.
     </para>

nixos/doc/manual/release-notes/rl-1603.xml

@@ -54,7 +54,7 @@
     xlink:href="https://reproducible-builds.org/specs/source-date-epoch/">SOURCE_DATE_EPOCH</envar>
     to a deterministic value, and Nix has
     <link
-    xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.11">gained
+    xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-1.11">gained
     an option</link> to repeat a build a number of times to test determinism.
     An ongoing project, the goal of exact reproducibility is to allow binaries
     to be verified independently (e.g., a user might only trust binaries that

nixos/doc/manual/release-notes/rl-2003.xml

@@ -3,7 +3,7 @@
          xmlns:xi="http://www.w3.org/2001/XInclude"
          version="5.0"
          xml:id="sec-release-20.03">
- <title>Release 20.03 (“Markhor”, 2020.03/??)</title>
+ <title>Release 20.03 (“Markhor”, 2020.04/20)</title>
 
  <section xmlns="http://docbook.org/ns/docbook"
          xmlns:xlink="http://www.w3.org/1999/xlink"
@@ -23,11 +23,24 @@
      Support is planned until the end of October 2020, handing over to 20.09.
     </para>
    </listitem>
+   <listitem>
+    <para>Core version changes:</para>
+    <para>gcc: 8.3.0 -&gt; 9.2.0</para>
+    <para>glibc: 2.27 -&gt; 2.30</para>
+    <para>linux: 4.19 -&gt; 5.4</para>
+    <para>mesa: 19.1.5 -&gt; 19.3.3</para>
+    <para>openssl: 1.0.2u -&gt; 1.1.1d</para>
+   </listitem>
+   <listitem>
+    <para>Desktop version changes:</para>
+    <para>plasma5: 5.16.5 -&gt; 5.17.5</para>
+    <para>kdeApplications: 19.08.2 -&gt; 19.12.3</para>
+    <para>gnome3: 3.32 -&gt; 3.34</para>
+    <para>pantheon: 5.0 -&gt; 5.1.3</para>
+   </listitem>
    <listitem>
     <para>
      Linux kernel is updated to branch 5.4 by default (from 4.19).
-     Users of Intel GPUs may prefer to explicitly set branch to 4.19 to avoid some regressions.
-     <programlisting>boot.kernelPackages = pkgs.linuxPackages_4_19;</programlisting>
     </para>
    </listitem>
    <listitem>
@@ -43,6 +56,24 @@
      quirk in the boot menu.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     GNOME 3 has been upgraded to 3.34. Please take a look at their
+     <link xlink:href="https://help.gnome.org/misc/release-notes/3.34">Release Notes</link>
+     for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     If you enable the Pantheon Desktop Manager via
+     <xref linkend="opt-services.xserver.desktopManager.pantheon.enable" />, we now default to also use
+     <link xlink:href="https://blog.elementary.io/say-hello-to-the-new-greeter/">
+      Pantheon's newly designed greeter
+     </link>.
+      Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of
+      NixOS 20.03 when backwards compatible.
+    </para>
+   </listitem>
    <listitem>
      <para>
        By default zfs pools will now be trimmed on a weekly basis.
@@ -75,6 +106,24 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
 </programlisting>
     </para>
    </listitem>
+   <listitem>
+    <para>
+     The testing driver implementation in NixOS is now in Python <filename>make-test-python.nix</filename>.
+     This was done by Jacek Galowicz (<link xlink:href="https://github.com/tfc">@tfc</link>), and with the
+     collaboration of Julian Stecklina (<link xlink:href="https://github.com/blitz">@blitz</link>) and
+     Jana Traue (<link xlink:href="https://github.com/jtraue">@jtraue</link>). All documentation has been updated to use this
+     testing driver, and a vast majority of the 286 tests in NixOS were ported to python driver. In 20.09 the Perl driver implementation,
+     <filename>make-test.nix</filename>, is slated for removal. This should give users of the NixOS integration framework
+     a transitory period to rewrite their tests to use the Python implementation. Users of the Perl driver will see
+     this warning everytime they use it:
+<screen>
+<prompt>$ </prompt>warning: Perl VM tests are deprecated and will be removed for 20.09.
+Please update your tests to use the python test driver.
+See https://github.com/NixOS/nixpkgs/pull/71684 for details.
+</screen>
+     API compatibility is planned to be kept for at least the next release with the perl driver.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -110,6 +159,241 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
      It was created so Geary could function properly outside of GNOME.
     </para>
    </listitem>
+   <listitem>
+     <para>
+       <filename>./config/console.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./hardware/brillo.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./hardware/tuxedo-keyboard.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./programs/bandwhich.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./programs/bash-my-aws.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./programs/liboping.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./programs/traceroute.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/backup/sanoid.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/backup/syncoid.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/backup/zfs-replication.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/continuous-integration/buildkite-agents.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/databases/victoriametrics.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/desktops/gnome3/gnome-initial-setup.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/desktops/neard.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/games/openarena.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/hardware/fancontrol.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/mail/sympa.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/misc/freeswitch.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/misc/mame.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/monitoring/do-agent.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/monitoring/prometheus/xmpp-alerts.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/network-filesystems/orangefs/server.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/network-filesystems/orangefs/client.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/3proxy.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/corerad.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/go-shadowsocks2.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/ntp/openntpd.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/shorewall.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/shorewall6.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/spacecookie.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/trickster.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/v2ray.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/xandikos.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/networking/yggdrasil.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/web-apps/dokuwiki.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/web-apps/gotify-server.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/web-apps/grocy.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/web-apps/ihatemoney</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/web-apps/moinmoin.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/web-apps/trac.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/web-apps/trilium.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/web-apps/shiori.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/web-servers/ttyd.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/x11/picom.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/x11/hardware/digimend.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./services/x11/imwheel.nix</filename>
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <filename>./virtualisation/cri-o.nix</filename>
+     </para>
+   </listitem>
   </itemizedlist>
 
  </section>
@@ -127,6 +411,17 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
   </para>
 
   <itemizedlist>
+   <listitem>
+    <para>
+     The <package>dhcpcd</package> package <link xlink:href="https://roy.marples.name/archives/dhcpcd-discuss/0002621.html">
+     does not request IPv4 addresses for tap and bridge interfaces anymore by default</link>.
+     In order to still get an address on a bridge interface, one has to disable
+     <literal>networking.useDHCP</literal> and explicitly enable
+     <literal>networking.interfaces.&lt;name&gt;.useDHCP</literal> on
+     every interface, that should get an address via DHCP. This way, dhcpcd
+     is configured in an explicit way about which interface to run on.
+    </para>
+   </listitem>
    <listitem>
     <para>
       GnuPG is now built without support for a graphical passphrase entry
@@ -154,7 +449,7 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
    </listitem>
    <listitem>
     <para>
-     The <literal>99-main.network</literal> file was removed. Maching all
+     The <literal>99-main.network</literal> file was removed. Matching all
      network interfaces caused many breakages, see
      <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18962">#18962</link>
        and <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>.
@@ -196,10 +491,10 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
    </listitem>
    <listitem>
     <para>
-     There is now only one Xfce package-set and module. This means attributes, <literal>xfce4-14</literal>
-     <literal>xfce4-12</literal>, and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
-     packages. And in future NixOS releases will be the latest released version of Xfce available at the
-     time during the releases development (if viable).
+     There is now only one Xfce package-set and module. This means that attributes <literal>xfce4-14</literal>
+     and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
+     packages. And in the future NixOS releases will be the latest released version of Xfce available at the
+     time of the release's development (if viable).
     </para>
    </listitem>
    <listitem>
@@ -235,7 +530,7 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
    <listitem>
     <para>
       The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output.
-      This has led to drastically reduced closed sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
+      This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
     </para>
     </listitem>
    <listitem>
@@ -603,6 +898,25 @@ auth required pam_succeed_if.so uid >= 1000 quiet
      The <option>services.dnscrypt-proxy</option> module has been removed
      as it used the deprecated version of dnscrypt-proxy. We've added
      <xref linkend="opt-services.dnscrypt-proxy2.enable"/> to use the supported version.
+     This module supports configuration via the Nix attribute set
+     <xref linkend="opt-services.dnscrypt-proxy2.settings" />, or by passing a TOML configuration file via
+     <xref linkend="opt-services.dnscrypt-proxy2.configFile" />.
+<programlisting>
+# Example configuration:
+services.dnscrypt-proxy2.enable = true;
+services.dnscrypt-proxy2.settings = {
+  listen_addresses = [ "127.0.0.1:43" ];
+  sources.public-resolvers = {
+    urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
+    cache_file = "public-resolvers.md";
+    minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+    refresh_delay = 72;
+  };
+};
+
+services.dnsmasq.enable = true;
+services.dnsmasq.servers = [ "127.0.0.1#43" ];
+</programlisting>
     </para>
    </listitem>
    <listitem>
@@ -634,6 +948,150 @@ auth required pam_succeed_if.so uid >= 1000 quiet
      to a fairly old snapshot  from the <package>gcc7</package>-branch.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     The <citerefentry><refentrytitle>nixos-build-vms</refentrytitle><manvolnum>8</manvolnum>
+     </citerefentry>-script now uses the python test-driver.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <package>riot-web</package> package now accepts configuration overrides as an attribute set instead of a string.
+     A formerly used JSON configuration can be converted to an attribute set with <literal>builtins.fromJSON</literal>.
+    </para>
+    <para>
+     The new default configuration also disables automatic guest account registration and analytics to improve privacy.
+     The previous behavior can be restored by setting <literal>config.riot-web.conf = { disable_guests = false; piwik = true; }</literal>.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       Stand-alone usage of <literal>Upower</literal> now requires
+       <option>services.upower.enable</option> instead of just installing into
+       <xref linkend="opt-environment.systemPackages"/>.
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+     <package>nextcloud</package> has been updated to <literal>v18.0.2</literal>. This means
+     that users from NixOS 19.09 can't upgrade directly since you can only move one version
+      forward and 19.09 uses <literal>v16.0.8</literal>.
+    </para>
+    <para>
+     To provide a safe upgrade-path and to circumvent similar issues in the future, the following
+     measures were taken:
+     <itemizedlist>
+      <listitem>
+       <para>
+        The <package>pkgs.nextcloud</package>-attribute has been removed and replaced with
+        versioned attributes (currently <package>pkgs.nextcloud17</package> and
+        <package>pkgs.nextcloud18</package>). With this change major-releases can be backported
+        without breaking stuff and to make upgrade-paths easier.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        Existing setups will be detected using
+        <link linkend="opt-system.stateVersion">system.stateVersion</link>: by default,
+        <package>nextcloud17</package> will be used, but will raise a warning which notes
+        that after that deploy it's recommended to update to the latest stable version
+        (<package>nextcloud18</package>) by declaring the newly introduced setting
+        <link linkend="opt-services.nextcloud.package">services.nextcloud.package</link>.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        Users with an overlay (e.g. to use <package>nextcloud</package> at version
+        <literal>v18</literal> on <literal>19.09</literal>) will get an evaluation error
+        by default. This is done to ensure that our
+        <link linkend="opt-services.nextcloud.package">package</link>-option doesn't select an
+        older version by accident. It's recommended to use <package>pkgs.nextcloud18</package>
+        or to set <link linkend="opt-services.nextcloud.package">package</link> to
+        <package>pkgs.nextcloud</package> explicitly.
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+    <warning>
+     <para>
+      Please note that if you're coming from <literal>19.03</literal> or older, you have
+      to manually upgrade to <literal>19.09</literal> first to upgrade your server
+      to Nextcloud v16.
+     </para>
+    </warning>
+   </listitem>
+   <listitem>
+    <para>
+     <package>Hydra</package> has gained a massive performance improvement due to
+     <link xlink:href="https://github.com/NixOS/hydra/pull/710">some database schema
+     changes</link> by adding several IDs and better indexing. However, it's necessary
+     to upgrade Hydra in multiple steps:
+     <itemizedlist>
+      <listitem>
+       <para>
+        At first, an older version of Hydra needs to be deployed which adds those
+        (nullable) columns. When having set <link linkend="opt-system.stateVersion">stateVersion
+        </link> to a value older than <literal>20.03</literal>, this package will be selected
+        by default from the module when upgrading. Otherwise, the package can be deployed using
+        the following config:
+<programlisting>{ pkgs, ... }: {
+  <link linkend="opt-services.hydra.package">services.hydra.package</link> = pkgs.hydra-migration;
+}</programlisting>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        Automatically fill the newly added ID columns on the server by running the following
+        command:
+<screen>
+<prompt>$ </prompt>hydra-backfill-ids
+</screen>
+        <warning>
+         <para>Please note that this process can take a while depending on your database-size!</para>
+        </warning>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        Deploy a newer version of Hydra to activate the DB optimizations. This can be done by
+        using <package>hydra-unstable</package>. This package already includes
+        <link xlink:href="https://github.com/nixos/rfcs/pull/49">flake-support</link> and is
+        therefore compiled against <package>pkgs.nixFlakes</package>.
+        <warning>
+         <para>
+          If your <link linkend="opt-system.stateVersion">stateVersion</link> is set to
+          <literal>20.03</literal> or greater, <package>hydra-unstable</package> will be used
+          automatically! This will break your setup if you didn't run the migration.
+         </para>
+        </warning>
+        Please note that Hydra is currently not available with <package>nixStable</package>
+        as this doesn't compile anymore.
+       </para>
+      </listitem>
+     </itemizedlist>
+     <warning>
+      <para>
+       <package>pkgs.hydra</package> has been removed to ensure a graceful database-migration
+       using the dedicated package-attributes. If you still have <package>pkgs.hydra</package>
+       defined in e.g. an overlay, an assertion error will be thrown. To circumvent this,
+       you need to set <xref linkend="opt-services.hydra.package" /> to <package>pkgs.hydra</package>
+       explicitly and make sure you know what you're doing!
+      </para>
+     </warning>
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       The TokuDB storage engine will be disabled in <package>mariadb</package> 10.5. It is recommended to switch
+       to RocksDB. See also <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link>.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups.
+       When updating Graylog from a version before 3.3.3 make sure to check the Graylog <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release info</link> for information on how to avoid the issue.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -651,7 +1109,8 @@ auth required pam_succeed_if.so uid >= 1000 quiet
    <listitem>
     <para>
      The nginx web server previously started its master process as root
-     privileged, then ran worker processes as a less privileged identity user.
+     privileged, then ran worker processes as a less privileged identity user
+     (the <literal>nginx</literal> user).
      This was changed to start all of nginx as a less privileged user (defined by
      <literal>services.nginx.user</literal> and
      <literal>services.nginx.group</literal>). As a consequence, all files that
@@ -659,6 +1118,13 @@ auth required pam_succeed_if.so uid >= 1000 quiet
      certificates and keys, etc.) must now be readable by this less privileged
      user/group.
     </para>
+    <para>
+     To continue to use the old approach, you can configure:
+      <programlisting>
+services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
+systemd.services.nginx.serviceConfig.User = lib.mkForce "root";
+      </programlisting>
+    </para>
    </listitem>
    <listitem>
     <para>
@@ -685,9 +1151,11 @@ auth required pam_succeed_if.so uid >= 1000 quiet
      As well as this, the options <literal>security.acme.acceptTerms</literal> and either
      <literal>security.acme.email</literal> or <literal>security.acme.certs.&lt;name&gt;.email</literal>
      must be set in order to use the ACME module.
-     Certificates will be regenerated anew on the next renewal date. The credentials for simp-le are
-     preserved and thus it is possible to roll back to previous versions without breaking certificate
-     generation.
+     Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le.
+     In particular private keys will not be preserved. However, the credentials for simp-le are preserved and
+     thus it is possible to roll back to previous versions without breaking certificate generation.
+     Note also that in contrary to simp-le a new private key is recreated at each renewal by default, which can
+     have consequences if you embed your public key in apps.
     </para>
    </listitem>
    <listitem>
@@ -696,6 +1164,86 @@ auth required pam_succeed_if.so uid >= 1000 quiet
     via <option>boot.initrd.luks.fido2Support</option>.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     Predictably named network interfaces get renamed in stage-1. This means that it is possible
+     to use the proper interface name for e.g. Dropbear setups.
+    </para>
+    <para>
+     For further reference, please read <link xlink:href="https://github.com/NixOS/nixpkgs/pull/68953">#68953</link> or the corresponding <link xlink:href="https://discourse.nixos.org/t/predictable-network-interface-names-in-initrd/4055">discourse thread</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <package>matrix-synapse</package>-package has been updated to
+     <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.11.1">v1.11.1</link>.
+     Due to <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.10.0rc1">stricter requirements</link>
+     for database configuration when using <package>postgresql</package>, the automated database setup
+     of the module has been removed to avoid any further edge-cases.
+    </para>
+    <para>
+     <package>matrix-synapse</package> expects <literal>postgresql</literal>-databases to have the options
+     <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> set to
+     <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link> which basically
+     instructs <literal>postgresql</literal> to ignore any locale-based preferences.
+    </para>
+    <para>
+     Depending on your setup, you need to incorporate one of the following changes in your setup to
+     upgrade to 20.03:
+     <itemizedlist>
+      <listitem><para>If you use <literal>sqlite3</literal> you don't need to do anything.</para></listitem>
+      <listitem><para>If you use <literal>postgresql</literal> on a different server, you don't need
+       to change anything as well since this module was never designed to configure remote databases.
+      </para></listitem>
+      <listitem><para>If you use <literal>postgresql</literal> and configured your synapse initially on
+       <literal>19.09</literal> or older, you simply need to enable <package>postgresql</package>-support
+        explicitly:
+<programlisting>{ ... }: {
+  services.matrix-synapse = {
+    <link linkend="opt-services.matrix-synapse.enable">enable</link> = true;
+    /* and all the other config you've defined here */
+  };
+  <link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
+}</programlisting>
+      </para></listitem>
+      <listitem><para>If you deploy a fresh <package>matrix-synapse</package>, you need to configure
+       the database yourself (e.g. by using the
+       <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link>
+       option). An example for this can be found in the
+       <link linkend="module-services-matrix">documentation of the Matrix module</link>.
+      </para></listitem>
+      <listitem><para>If you initially deployed your <package>matrix-synapse</package> on
+       <literal>nixos-unstable</literal> <emphasis>after</emphasis> the <literal>19.09</literal>-release,
+       your database is misconfigured due to a regression in NixOS. For now, <package>matrix-synapse</package> will
+       startup with a warning, but it's recommended to reconfigure the database to set the values
+       <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> to
+       <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link>.
+      </para></listitem>
+     </itemizedlist>
+    </para>
+  </listitem>
+  <listitem>
+   <para>
+    The <link linkend="opt-systemd.network.links">systemd.network.links</link> option is now respected
+    even when <link linkend="opt-systemd.network.enable">systemd-networkd</link> is disabled.
+    This mirrors the behaviour of systemd - It's udev that parses <literal>.link</literal> files,
+    not <command>systemd-networkd</command>.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <package>mongodb</package> has been updated to version <literal>3.4.24</literal>.
+    <warning>
+     <para>
+      Please note that <package>mongodb</package> has been relicensed under their own
+      <link xlink:href="https://www.mongodb.com/licensing/server-side-public-license/faq"><literal>
+      sspl</literal></link>-license. Since it's not entirely free and not OSI-approved,
+      it's listed as non-free. This means that Hydra doesn't provide prebuilt
+      <package>mongodb</package>-packages and needs to be built locally.
+     </para>
+    </warning>
+   </para>
+  </listitem>
   </itemizedlist>
  </section>
 </section>

nixos/lib/eval-config.nix

@@ -41,6 +41,12 @@ let
       # default to the argument. That way this new default could propagate all
       # they way through, but has the last priority behind everything else.
       nixpkgs.system = lib.mkDefault system;
+
+      # Stash the value of the `system` argument. When using `nesting.children`
+      # we want to have the same default value behavior (immediately above)
+      # without any interference from the user's configuration.
+      nixpkgs.initialSystem = system;
+
       _module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_);
     };
   };

nixos/lib/make-iso9660-image.sh

@@ -107,6 +107,7 @@ xorriso="xorriso
  -publisher nixos
  -graft-points
  -full-iso9660-filenames
+ -joliet
  ${isoBootFlags}
  ${usbBootFlags}
  ${efiBootFlags}

nixos/lib/make-options-doc/default.nix

@@ -86,7 +86,7 @@ let
   optionsList = lib.sort optionLess optionsListDesc;
 
   # Convert the list of options into an XML file.
-  optionsXML = pkgs.writeText "options.xml" (builtins.toXML optionsList);
+  optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList);
 
   optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList);
 
@@ -133,6 +133,7 @@ in {
 
   optionsJSON = pkgs.runCommand "options.json"
     { meta.description = "List of NixOS options in JSON format";
+      buildInputs = [ pkgs.brotli ];
     }
     ''
       # Export list of options in different format.
@@ -141,8 +142,11 @@ in {
 
       cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix))} $dst/options.json
 
+      brotli -9 < $dst/options.json > $dst/options.json.br
+
       mkdir -p $out/nix-support
       echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
+      echo "file json-br $dst/options.json.br" >> $out/nix-support/hydra-build-products
     ''; # */
 
   optionsDocBook = pkgs.runCommand "options-docbook.xml" {} ''

nixos/lib/test-driver/test-driver.py

@@ -141,7 +141,7 @@ class Logger:
         self.logfile = os.environ.get("LOGFILE", "/dev/null")
         self.logfile_handle = open(self.logfile, "wb")
         self.xml = XMLGenerator(self.logfile_handle, encoding="utf-8")
-        self.queue: "Queue[Dict[str, str]]" = Queue(1000)
+        self.queue: "Queue[Dict[str, str]]" = Queue()
 
         self.xml.startDocument()
         self.xml.startElement("logfile", attrs={})
@@ -367,7 +367,7 @@ class Machine:
             q = q.replace("'", "\\'")
             return self.execute(
                 (
-                    "su -l {} -c "
+                    "su -l {} --shell /bin/sh -c "
                     "$'XDG_RUNTIME_DIR=/run/user/`id -u` "
                     "systemctl --user {}'"
                 ).format(user, q)
@@ -383,17 +383,17 @@ class Machine:
             if state != require_state:
                 raise Exception(
                     "Expected unit ‘{}’ to to be in state ".format(unit)
-                    + "'active' but it is in state ‘{}’".format(state)
+                    + "'{}' but it is in state ‘{}’".format(require_state, state)
                 )
 
     def execute(self, command: str) -> Tuple[int, str]:
         self.connect()
 
-        out_command = "( {} ); echo '|!EOF' $?\n".format(command)
+        out_command = "( {} ); echo '|!=EOF' $?\n".format(command)
         self.shell.send(out_command.encode())
 
         output = ""
-        status_code_pattern = re.compile(r"(.*)\|\!EOF\s+(\d+)")
+        status_code_pattern = re.compile(r"(.*)\|\!=EOF\s+(\d+)")
 
         while True:
             chunk = self.shell.recv(4096).decode(errors="ignore")

nixos/lib/testing-python.nix

@@ -175,13 +175,13 @@ in rec {
 
       nodeNames = builtins.attrNames nodes;
       invalidNodeNames = lib.filter
-        (node: builtins.match "^[A-z_][A-z0-9_]+$" node == null) nodeNames;
+        (node: builtins.match "^[A-z_]([A-z0-9_]+)?$" node == null) nodeNames;
 
     in
       if lib.length invalidNodeNames > 0 then
         throw ''
           Cannot create machines out of (${lib.concatStringsSep ", " invalidNodeNames})!
-          All machines are referenced as perl variables in the testing framework which will break the
+          All machines are referenced as python variables in the testing framework which will break the
           script when special characters are used.
 
           Please stick to alphanumeric chars and underscores as separation.
@@ -218,12 +218,12 @@ in rec {
       '';
 
       testScript = ''
-        startAll;
-        $client->waitForUnit("multi-user.target");
+        start_all()
+        client.wait_for_unit("multi-user.target")
         ${preBuild}
-        $client->succeed("env -i ${bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2");
+        client.succeed("env -i ${bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2")
         ${postBuild}
-        $client->succeed("sync"); # flush all data before pulling the plug
+        client.succeed("sync") # flush all data before pulling the plug
       '';
 
       vmRunCommand = writeText "vm-run" ''
@@ -263,9 +263,12 @@ in rec {
         { ... }:
         {
           inherit require;
+          imports = [
+            ../tests/common/auto.nix
+          ];
           virtualisation.memorySize = 1024;
           services.xserver.enable = true;
-          services.xserver.displayManager.auto.enable = true;
+          test-support.displayManager.auto.enable = true;
           services.xserver.displayManager.defaultSession = "none+icewm";
           services.xserver.windowManager.icewm.enable = true;
         };
@@ -274,7 +277,7 @@ in rec {
         machine = client;
         preBuild =
           ''
-            $client->waitForX;
+            client.wait_for_x()
           '';
       } // args);
 

nixos/lib/testing.nix

@@ -250,9 +250,12 @@ in rec {
         { ... }:
         {
           inherit require;
+          imports = [
+            ../tests/common/auto.nix
+          ];
           virtualisation.memorySize = 1024;
           services.xserver.enable = true;
-          services.xserver.displayManager.auto.enable = true;
+          test-support.displayManager.auto.enable = true;
           services.xserver.displayManager.defaultSession = "none+icewm";
           services.xserver.windowManager.icewm.enable = true;
         };

nixos/maintainers/scripts/ec2/amazon-image.nix

@@ -8,10 +8,15 @@ in {
 
   imports = [ ../../../modules/virtualisation/amazon-image.nix ];
 
-  # Required to provide good EBS experience,
+  # Amazon recomments setting this to the highest possible value for a good EBS
+  # experience, which prior to 4.15 was 255.
   # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html#timeout-nvme-ebs-volumes
-  # TODO change value to 4294967295 when kernel is updated to 4.15 or later
-  config.boot.kernelParams = [ "nvme_core.io_timeout=255" ];
+  config.boot.kernelParams =
+    let timeout =
+      if pkgs.lib.versionAtLeast config.boot.kernelPackages.kernel.version "4.15"
+      then "4294967295"
+      else  "255";
+    in [ "nvme_core.io_timeout=${timeout}" ];
 
   options.amazonImage = {
     name = mkOption {

nixos/modules/config/fonts/fontconfig.nix

@@ -195,7 +195,7 @@ let
   confPkg = pkgs.runCommand "fontconfig-conf" {
     preferLocalBuild = true;
   } ''
-    support_folder=$out/etc/fonts/conf.d
+    support_folder=$out/etc/fonts/${lib.optionalString cfg.disableVersionedFontConfiguration "2.10/"}conf.d
     latest_folder=$out/etc/fonts/${latestVersion}/conf.d
 
     mkdir -p $support_folder
@@ -206,6 +206,11 @@ let
     ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
           $latest_folder/../fonts.conf
 
+    ${lib.optionalString cfg.disableVersionedFontConfiguration ''
+    ln -s $latest_folder/../fonts.conf \
+          $latest_folder/../../fonts.conf
+    ''}
+
     # fontconfig default config files
     ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \
           $support_folder/
@@ -292,6 +297,23 @@ in
           '';
         };
 
+        disableVersionedFontConfiguration = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            If enabled, /etc/fonts/fonts.conf will contain configuration file
+            for the latest fontconfig, instead of the ancient 2.10 version.
+            This is necessary for using packages from Nixpkgs unstable.
+
+            Without it, running programs from unstable will populate
+            ~/.cache/fontconfig with values incompatible with
+            programs from NixOS 20.03.
+
+            Enabling this should not cause any issues as there are no programs
+            using the legacy fontconfig version since NixOS 15.03.
+          '';
+        };
+
         confPackages = mkOption {
           internal = true;
           type     = with types; listOf path;

nixos/modules/config/fonts/fontdir.nix

@@ -25,6 +25,7 @@ in
     fonts = {
 
       enableFontDir = mkOption {
+        type = types.bool;
         default = false;
         description = ''
           Whether to create a directory with links to all fonts in

nixos/modules/config/fonts/ghostscript.nix

@@ -9,6 +9,7 @@ with lib;
     fonts = {
 
       enableGhostscriptFonts = mkOption {
+        type = types.bool;
         default = false;
         description = ''
           Whether to add the fonts provided by Ghostscript (such as

nixos/modules/config/ldap.nix

@@ -88,6 +88,7 @@ in
       };
 
       useTLS = mkOption {
+        type = types.bool;
         default = false;
         description = ''
           If enabled, use TLS (encryption) over an LDAP (port 389)
@@ -109,6 +110,7 @@ in
 
       daemon = {
         enable = mkOption {
+          type = types.bool;
           default = false;
           description = ''
             Whether to let the nslcd daemon (nss-pam-ldapd) handle the

nixos/modules/config/swap.nix

@@ -185,6 +185,8 @@ in
           { description = "Initialisation of swap device ${sw.device}";
             wantedBy = [ "${realDevice'}.swap" ];
             before = [ "${realDevice'}.swap" ];
+            # If swap is encrypted, depending on rngd resolves a possible entropy starvation during boot
+            after = mkIf (config.security.rngd.enable && sw.randomEncryption.enable) [ "rngd.service" ];
             path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
 
             script =

nixos/modules/config/system-path.nix

@@ -8,8 +8,7 @@ with lib;
 let
 
   requiredPackages = map (pkg: setPrio ((pkg.meta.priority or 5) + 3) pkg)
-    [ config.nix.package
-      pkgs.acl
+    [ pkgs.acl
       pkgs.attr
       pkgs.bashInteractive # bash with ncurses support
       pkgs.bzip2
@@ -33,7 +32,6 @@ let
       pkgs.nano
       pkgs.ncurses
       pkgs.netcat
-      pkgs.nix-info
       config.programs.ssh.package
       pkgs.perl
       pkgs.procps

nixos/modules/hardware/all-firmware.nix

@@ -51,6 +51,7 @@ in {
         rtlwifi_new-firmware
         zd1211fw
         alsa-firmware
+        sof-firmware
         openelec-dvb-firmware
       ] ++ optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) raspberrypiWirelessFirmware
         ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [

nixos/modules/hardware/brightnessctl.nix

@@ -1,31 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  cfg = config.hardware.brightnessctl;
-in
-{
-
-  options = {
-
-    hardware.brightnessctl = {
-
-      enable = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Enable brightnessctl in userspace.
-          This will allow brightness control from users in the video group.
-        '';
-
-      };
-    };
-  };
-
-
-  config = mkIf cfg.enable {
-    services.udev.packages = with pkgs; [ brightnessctl ];
-    environment.systemPackages = with pkgs; [ brightnessctl ];
-  };
-
-}

nixos/modules/i18n/input-method/ibus.nix

@@ -64,7 +64,7 @@ in
     # Without dconf enabled it is impossible to use IBus
     programs.dconf.enable = true;
 
-    programs.dconf.profiles.ibus = "${ibusPackage}/etc/dconf/profile/ibus";
+    programs.dconf.packages = [ ibusPackage ];
 
     services.dbus.packages = [
       ibusAutostart
@@ -75,5 +75,9 @@ in
       QT_IM_MODULE = "ibus";
       XMODIFIERS = "@im=ibus";
     };
+
+    xdg.portal.extraPortals = mkIf config.xdg.portal.enable [
+      ibusPackage
+    ];
   };
 }

nixos/modules/installer/cd-dvd/channel.nix

@@ -21,7 +21,9 @@ let
       if [ ! -e $out/nixos/nixpkgs ]; then
         ln -s . $out/nixos/nixpkgs
       fi
-      echo -n ${config.system.nixos.revision} > $out/nixos/.git-revision
+      ${optionalString (config.system.nixos.revision != null) ''
+        echo -n ${config.system.nixos.revision} > $out/nixos/.git-revision
+      ''}
       echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix
       echo ${config.system.nixos.versionSuffix} | sed -e s/pre// > $out/nixos/svn-revision
     '';

nixos/modules/installer/cd-dvd/installation-cd-base.nix

@@ -18,8 +18,6 @@ with lib;
   # ISO naming.
   isoImage.isoName = "${config.isoImage.isoBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso";
 
-  isoImage.volumeID = substring 0 11 "NIXOS_ISO";
-
   # EFI booting
   isoImage.makeEfiBootable = true;
 

nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix

@@ -8,6 +8,8 @@ with lib;
 {
   imports = [ ./installation-cd-graphical-base.nix ];
 
+  isoImage.edition = "gnome";
+
   services.xserver.desktopManager.gnome3.enable = true;
 
   # Auto-login as root.

nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix

@@ -8,6 +8,8 @@ with lib;
 {
   imports = [ ./installation-cd-graphical-base.nix ];
 
+  isoImage.edition = "plasma5";
+
   services.xserver = {
     desktopManager.plasma5 = {
       enable = true;

nixos/modules/installer/cd-dvd/installation-cd-minimal.nix

@@ -8,5 +8,7 @@
     [ ./installation-cd-base.nix
     ];
 
+  isoImage.edition = "minimal";
+
   fonts.fontconfig.enable = false;
 }

nixos/modules/installer/cd-dvd/iso-image.nix

@@ -417,8 +417,17 @@ in
       '';
     };
 
+    isoImage.edition = mkOption {
+      default = "";
+      description = ''
+        Specifies which edition string to use in the volume ID of the generated
+        ISO image.
+      '';
+    };
+
     isoImage.volumeID = mkOption {
-      default = "NIXOS_BOOT_CD";
+      # nixos-$EDITION-$RELEASE-$ARCH
+      default = "nixos${optionalString (config.isoImage.edition != "") "-${config.isoImage.edition}"}-${config.system.nixos.release}-${pkgs.stdenv.hostPlatform.uname.processor}";
       description = ''
         Specifies the label or volume ID of the generated ISO image.
         Note that the label is used by stage 1 of the boot process to
@@ -515,6 +524,19 @@ in
   };
 
   config = {
+    assertions = [
+      {
+        assertion = !(stringLength config.isoImage.volumeID > 32);
+        # https://wiki.osdev.org/ISO_9660#The_Primary_Volume_Descriptor
+        # Volume Identifier can only be 32 bytes
+        message = let
+          length = stringLength config.isoImage.volumeID;
+          howmany = toString length;
+          toomany = toString (length - 32);
+        in
+        "isoImage.volumeID ${config.isoImage.volumeID} is ${howmany} characters. That is ${toomany} characters longer than the limit of 32.";
+      }
+    ];
 
     boot.loader.grub.version = 2;
 

nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix

@@ -1,31 +0,0 @@
-# To build, use:
-# nix-build nixos -I nixos-config=nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix -A config.system.build.sdImage
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ../../profiles/base.nix
-    ../../profiles/installation-device.nix
-    ./sd-image.nix
-  ];
-
-  boot.loader.grub.enable = false;
-  boot.loader.raspberryPi.enable = true;
-  boot.loader.raspberryPi.version = 4;
-  boot.kernelPackages = pkgs.linuxPackages_rpi4;
-
-  boot.consoleLogLevel = lib.mkDefault 7;
-
-  sdImage = {
-    firmwareSize = 128;
-    # This is a hack to avoid replicating config.txt from boot.loader.raspberryPi
-    populateFirmwareCommands =
-      "${config.system.build.installBootLoader} ${config.system.build.toplevel} -d ./firmware";
-    # As the boot process is done entirely in the firmware partition.
-    populateRootCommands = "";
-  };
-
-  # the installation media is also the installation target,
-  # so we don't want to provide the installation configuration.nix.
-  installer.cloneConfig = false;
-}

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,6 +1,6 @@
 {
-  x86_64-linux = "/nix/store/0q5qnh10m2sfrriszc1ysmggw659q6qm-nix-2.3.2";
-  i686-linux = "/nix/store/i7ad7r5d8a5b3l22hg4a1im2qq05y6vd-nix-2.3.2";
-  aarch64-linux = "/nix/store/bv06pavfw0dbqzr8w3l7s71nx27gnxa0-nix-2.3.2";
-  x86_64-darwin = "/nix/store/x6mnl1nij7y4v5ihlplr4k937ayr403r-nix-2.3.2";
+  x86_64-linux = "/nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6";
+  i686-linux = "/nix/store/9fqvbdisahqp0238vrs7wn5anpri0a65-nix-2.3.6";
+  aarch64-linux = "/nix/store/72pwn0nm9bjqx9vpi8sgh4bl6g5wh814-nix-2.3.6";
+  x86_64-darwin = "/nix/store/g37vk77m90p5zcl5nixjlzp3vqpisfn5-nix-2.3.6";
 }

nixos/modules/installer/tools/nixos-build-vms/build-vms.nix

@@ -5,7 +5,7 @@
 
 let nodes = import networkExpr; in
 
-with import ../../../../lib/testing.nix {
+with import ../../../../lib/testing-python.nix {
   inherit system;
   pkgs = import ../../../../.. { inherit system config; };
 };

nixos/modules/installer/tools/tools.nix

@@ -42,7 +42,10 @@ let
     inherit (config.system.nixos-generate-config) configuration;
   };
 
-  nixos-option = pkgs.callPackage ./nixos-option { };
+  nixos-option =
+    if lib.versionAtLeast (lib.getVersion pkgs.nix) "2.4pre"
+    then null
+    else pkgs.callPackage ./nixos-option { };
 
   nixos-version = makeProg {
     name = "nixos-version";
@@ -108,10 +111,10 @@ in
         # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
 
         # Select internationalisation properties.
-        # i18n = {
-        #   consoleFont = "Lat2-Terminus16";
-        #   consoleKeyMap = "us";
-        #   defaultLocale = "en_US.UTF-8";
+        # i18n.defaultLocale = "en_US.UTF-8";
+        # console = {
+        #   font = "Lat2-Terminus16";
+        #   keyMap = "us";
         # };
 
         # Set your time zone.
@@ -184,10 +187,9 @@ in
         nixos-install
         nixos-rebuild
         nixos-generate-config
-        nixos-option
         nixos-version
         nixos-enter
-      ];
+      ] ++ lib.optional (nixos-option != null) nixos-option;
 
     system.build = {
       inherit nixos-install nixos-generate-config nixos-option nixos-rebuild nixos-enter;

nixos/modules/misc/documentation.nix

@@ -17,6 +17,7 @@ let
     inherit pkgs config;
     version = config.system.nixos.release;
     revision = "release-${version}";
+    extraSources = cfg.nixos.extraModuleSources;
     options =
       let
         scrubbedEval = evalModules {
@@ -163,6 +164,19 @@ in
         '';
       };
 
+      nixos.extraModuleSources = mkOption {
+        type = types.listOf (types.either types.path types.str);
+        default = [ ];
+        description = ''
+          Which extra NixOS module paths the generated NixOS's documentation should strip
+          from options.
+        '';
+        example = literalExample ''
+          # e.g. with options from modules in ''${pkgs.customModules}/nix:
+          [ pkgs.customModules ]
+        '';
+      };
+
     };
 
   };

nixos/modules/misc/ids.nix

@@ -133,7 +133,7 @@ in
       tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
       firebird = 95;
       #keys = 96; # unused
-      #haproxy = 97; # DynamicUser as of 2019-11-08
+      #haproxy = 97; # dynamically allocated as of 2020-03-11
       mongodb = 98;
       openldap = 99;
       #users = 100; # unused
@@ -448,7 +448,7 @@ in
       #tcpcryptd = 93; # unused
       firebird = 95;
       keys = 96;
-      #haproxy = 97; # DynamicUser as of 2019-11-08
+      #haproxy = 97; # dynamically allocated as of 2020-03-11
       #mongodb = 98; # unused
       openldap = 99;
       munin = 102;

nixos/modules/misc/nixpkgs.nix

@@ -216,6 +216,14 @@ in
         Ignored when <code>nixpkgs.pkgs</code> is set.
       '';
     };
+
+    initialSystem = mkOption {
+      type = types.str;
+      internal = true;
+      description = ''
+        Preserved value of <literal>system</literal> passed to <literal>eval-config.nix</literal>.
+      '';
+    };
   };
 
   config = {

nixos/modules/misc/version.nix

@@ -4,10 +4,6 @@ with lib;
 
 let
   cfg = config.system.nixos;
-
-  gitRepo      = "${toString pkgs.path}/.git";
-  gitRepoValid = lib.pathIsGitRepo gitRepo;
-  gitCommitId  = lib.substring 0 7 (commitIdFromGitRepo gitRepo);
 in
 
 {
@@ -80,7 +76,7 @@ in
     defaultChannel = mkOption {
       internal = true;
       type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-20.03;
       description = "Default NixOS channel to which the root user is subscribed.";
     };
 
@@ -98,8 +94,6 @@ in
       # These defaults are set here rather than up there so that
       # changing them would not rebuild the manual
       version = mkDefault (cfg.release + cfg.versionSuffix);
-      revision      = mkIf gitRepoValid (mkDefault            gitCommitId);
-      versionSuffix = mkIf gitRepoValid (mkDefault (".git." + gitCommitId));
     };
 
     # Generate /etc/os-release.  See
@@ -115,8 +109,8 @@ in
         PRETTY_NAME="NixOS ${cfg.release} (${cfg.codeName})"
         LOGO="nix-snowflake"
         HOME_URL="https://nixos.org/"
-        DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html"
-        SUPPORT_URL="https://nixos.org/nixos/support.html"
+        DOCUMENTATION_URL="https://nixos.org/learn.html"
+        SUPPORT_URL="https://nixos.org/community.html"
         BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
       '';
 

nixos/modules/module-list.nix

@@ -41,7 +41,6 @@
   ./hardware/acpilight.nix
   ./hardware/all-firmware.nix
   ./hardware/bladeRF.nix
-  ./hardware/brightnessctl.nix
   ./hardware/brillo.nix
   ./hardware/ckb-next.nix
   ./hardware/cpu/amd-microcode.nix
@@ -724,6 +723,7 @@
   ./services/networking/syncthing.nix
   ./services/networking/syncthing-relay.nix
   ./services/networking/syncplay.nix
+  ./services/networking/tailscale.nix
   ./services/networking/tcpcrypt.nix
   ./services/networking/teamspeak3.nix
   ./services/networking/tedicross.nix

nixos/modules/programs/bash/bash.nix

@@ -238,9 +238,6 @@ in
       "/share/bash-completion"
     ];
 
-    environment.systemPackages = optional cfg.enableCompletion
-      pkgs.nix-bash-completions;
-
     environment.shells =
       [ "/run/current-system/sw/bin/bash"
         "/run/current-system/sw/bin/sh"

nixos/modules/programs/cdemu.nix

@@ -8,6 +8,7 @@ in {
   options = {
     programs.cdemu = {
       enable = mkOption {
+        type = types.bool;
         default = false;
         description = ''
           <command>cdemu</command> for members of

nixos/modules/programs/criu.nix

@@ -8,6 +8,7 @@ in {
   options = {
     programs.criu = {
       enable = mkOption {
+        type = types.bool;
         default = false;
         description = ''
           Install <command>criu</command> along with necessary kernel options.

nixos/modules/programs/dconf.nix

@@ -4,13 +4,24 @@ with lib;
 
 let
   cfg = config.programs.dconf;
-
-  mkDconfProfile = name: path:
-    {
-      name = "dconf/profile/${name}";
-      value.source = path; 
-    };
-
+  cfgDir = pkgs.symlinkJoin {
+    name = "dconf-system-config";
+    paths = map (x: "${x}/etc/dconf") cfg.packages;
+    postBuild = ''
+      mkdir -p $out/profile
+      mkdir -p $out/db
+    '' + (
+      concatStringsSep "\n" (
+        mapAttrsToList (
+          name: path: ''
+            ln -s ${path} $out/profile/${name}
+          ''
+        ) cfg.profiles
+      )
+    ) + ''
+      ${pkgs.dconf}/bin/dconf update $out/db
+    '';
+  };
 in
 {
   ###### interface
@@ -22,18 +33,24 @@ in
       profiles = mkOption {
         type = types.attrsOf types.path;
         default = {};
-        description = "Set of dconf profile files.";
+        description = "Set of dconf profile files, installed at <filename>/etc/dconf/profiles/<replaceable>name</replaceable></filename>.";
         internal = true;
       };
 
+      packages = mkOption {
+        type = types.listOf types.package;
+        default = [];
+        description = "A list of packages which provide dconf profiles and databases in <filename>/etc/dconf</filename>.";
+      };
     };
   };
 
   ###### implementation
 
   config = mkIf (cfg.profiles != {} || cfg.enable) {
-    environment.etc = optionalAttrs (cfg.profiles != {})
-      (mapAttrs' mkDconfProfile cfg.profiles);
+    environment.etc.dconf = mkIf (cfg.profiles != {} || cfg.packages != []) {
+      source = cfgDir;
+    };
 
     services.dbus.packages = [ pkgs.dconf ];
 

nixos/modules/programs/ssmtp.nix

@@ -14,8 +14,16 @@ in
 {
 
   imports = [
-    (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ])
-    (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "directDelivery" ] [ "services" "ssmtp" "enable" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "hostName" ] [ "services" "ssmtp" "hostName" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "domain" ] [ "services" "ssmtp" "domain" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "root" ] [ "services" "ssmtp" "root" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "useTLS" ] [ "services" "ssmtp" "useTLS" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "useSTARTTLS" ] [ "services" "ssmtp" "useSTARTTLS" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "authUser" ] [ "services" "ssmtp" "authUser" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "authPass" ] [ "services" "ssmtp" "authPass" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "authPassFile" ] [ "services" "ssmtp" "authPassFile" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "setSendmail" ] [ "services" "ssmtp" "setSendmail" ])
   ];
 
   options = {

nixos/modules/programs/sway.nix

@@ -88,10 +88,10 @@ in {
       default = with pkgs; [
         swaylock swayidle
         xwayland alacritty dmenu
-        rxvt_unicode # For backward compatibility (old default terminal)
+        rxvt-unicode # For backward compatibility (old default terminal)
       ];
       defaultText = literalExample ''
-        with pkgs; [ swaylock swayidle xwayland rxvt_unicode dmenu ];
+        with pkgs; [ swaylock swayidle xwayland rxvt-unicode dmenu ];
       '';
       example = literalExample ''
         with pkgs; [

nixos/modules/programs/systemtap.nix

@@ -8,6 +8,7 @@ in {
   options = {
     programs.systemtap = {
       enable = mkOption {
+        type = types.bool;
         default = false;
         description = ''
           Install <command>systemtap</command> along with necessary kernel options.

nixos/modules/programs/venus.nix

@@ -75,7 +75,7 @@ in
       };
 
       link = mkOption {
-        default = "http://planet.nixos.org";
+        default = "https://planet.nixos.org";
         type = types.str;
         description = ''
           Link to the main page.

nixos/modules/programs/zsh/oh-my-zsh.nix

@@ -39,6 +39,7 @@ in
     options = {
       programs.zsh.ohMyZsh = {
         enable = mkOption {
+          type = types.bool;
           default = false;
           description = ''
             Enable oh-my-zsh.

nixos/modules/programs/zsh/zsh.nix

@@ -162,9 +162,8 @@ in
         # This file is read for all shells.
 
         # Only execute this file once per shell.
-        # But don't clobber the environment of interactive non-login children!
         if [ -n "$__ETC_ZSHENV_SOURCED" ]; then return; fi
-        export __ETC_ZSHENV_SOURCED=1
+        __ETC_ZSHENV_SOURCED=1
 
         if [ -z "$__NIXOS_SET_ENVIRONMENT_DONE" ]; then
             . ${config.system.build.setEnvironment}

nixos/modules/rename.nix

@@ -21,12 +21,12 @@ with lib;
     (mkRemovedOptionModule [ "services" "firefox" "syncserver" "group" ] "")
     (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
-    (mkRemovedOptionModule [ "environment.blcr.enable" ] "The BLCR module has been removed")
-    (mkRemovedOptionModule [ "services.beegfsEnable" ] "The BeeGFS module has been removed")
-    (mkRemovedOptionModule [ "services.beegfs" ] "The BeeGFS module has been removed")
-    (mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed")
-    (mkRemovedOptionModule [ "services.fourStore" ] "The fourStore module has been removed")
-    (mkRemovedOptionModule [ "services.fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
+    (mkRemovedOptionModule [ "environment" "blcr" "enable" ] "The BLCR module has been removed")
+    (mkRemovedOptionModule [ "services" "beegfsEnable" ] "The BeeGFS module has been removed")
+    (mkRemovedOptionModule [ "services" "beegfs" ] "The BeeGFS module has been removed")
+    (mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
+    (mkRemovedOptionModule [ "services" "fourStore" ] "The fourStore module has been removed")
+    (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
     (mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " +
       "https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html"))
     (mkRemovedOptionModule [ "services" "xserver" "multitouch" ] ''
@@ -42,6 +42,12 @@ with lib;
       instead, or any other display manager in NixOS as they all support auto-login.
     '')
     (mkRemovedOptionModule [ "services" "dnscrypt-proxy" ] "Use services.dnscrypt-proxy2 instead")
+    (mkRemovedOptionModule ["hardware" "brightnessctl" ] ''
+      The brightnessctl module was removed because newer versions of
+      brightnessctl don't require the udev rules anymore (they can use the
+      systemd-logind API). Instead of using the module you can now
+      simply add the brightnessctl package to environment.systemPackages.
+    '')
 
     # Do NOT add any option renames here, see top of the file
   ];

nixos/modules/security/acme.nix

@@ -87,19 +87,19 @@ let
         default = {};
         example = literalExample ''
           {
-            "example.org" = "/srv/http/nginx";
+            "example.org" = null;
             "mydomain.org" = null;
           }
         '';
         description = ''
-          A list of extra domain names, which are included in the one certificate to be issued, with their
-          own server roots if needed.
+          A list of extra domain names, which are included in the one certificate to be issued.
+          Setting a distinct server root is deprecated and not functional in 20.03+
         '';
       };
 
       keyType = mkOption {
         type = types.str;
-        default = "ec384";
+        default = "ec256";
         description = ''
           Key type to use for private keys.
           For an up to date list of supported values check the --key-type option
@@ -174,7 +174,7 @@ in
 
       renewInterval = mkOption {
         type = types.str;
-        default = "weekly";
+        default = "daily";
         description = ''
           Systemd calendar expression when to check for renewal. See
           <citerefentry><refentrytitle>systemd.time</refentrytitle>
@@ -229,7 +229,7 @@ in
             "example.com" = {
               webroot = "/var/www/challenges/";
               email = "foo@example.com";
-              extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; };
+              extraDomains = { "www.example.com" = null; "foo.example.com" = null; };
             };
             "bar.example.com" = {
               webroot = "/var/www/challenges/";
@@ -280,8 +280,8 @@ in
                 # StateDirectory must be relative, and will be created under /var/lib by systemd
                 lpath = "acme/${cert}";
                 apath = "/var/lib/${lpath}";
-                spath = "/var/lib/acme/.lego";
-                rights = if data.allowKeysForGroup then "750" else "700";
+                spath = "/var/lib/acme/.lego/${cert}";
+                fileMode = if data.allowKeysForGroup then "640" else "600";
                 globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
                           ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
                           ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
@@ -294,24 +294,20 @@ in
                   description = "Renew ACME Certificate for ${cert}";
                   after = [ "network.target" "network-online.target" ];
                   wants = [ "network-online.target" ];
+                  wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ];
                   serviceConfig = {
                     Type = "oneshot";
-                    # With RemainAfterExit the service is considered active even
-                    # after the main process having exited, which means when it
-                    # gets changed, the activation phase restarts it, meaning
-                    # the permissions of the StateDirectory get adjusted
-                    # according to the specified group
-                    RemainAfterExit = true;
                     User = data.user;
                     Group = data.group;
                     PrivateTmp = true;
-                    StateDirectory = "acme/.lego ${lpath}";
-                    StateDirectoryMode = rights;
+                    StateDirectory = "acme/.lego/${cert} acme/.lego/accounts ${lpath}";
+                    StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
                     WorkingDirectory = spath;
                     # Only try loading the credentialsFile if the dns challenge is enabled
                     EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
                     ExecStart = pkgs.writeScript "acme-start" ''
                       #!${pkgs.runtimeShell} -e
+                      test -L ${spath}/accounts -o -d ${spath}/accounts || ln -s ../accounts ${spath}/accounts
                       ${pkgs.lego}/bin/lego ${renewOpts} || ${pkgs.lego}/bin/lego ${runOpts}
                     '';
                     ExecStartPost =
@@ -323,17 +319,23 @@ in
 
                           # Test that existing cert is older than new cert
                           KEY=${spath}/certificates/${keyName}.key
+                          KEY_CHANGED=no
                           if [ -e $KEY -a $KEY -nt key.pem ]; then
+                            KEY_CHANGED=yes
                             cp -p ${spath}/certificates/${keyName}.key key.pem
-                            cp -p ${spath}/certificates/${keyName}.crt cert.pem
+                            cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
                             cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
-                            cat cert.pem chain.pem > fullchain.pem
-                            cat key.pem cert.pem chain.pem > full.pem
-                            chmod ${rights} *.pem
-                            chown '${data.user}:${data.group}' *.pem
+                            ln -sf fullchain.pem cert.pem
+                            cat key.pem fullchain.pem > full.pem
                           fi
 
-                          ${data.postRun}
+                          chmod ${fileMode} *.pem
+                          chown '${data.user}:${data.group}' *.pem
+
+                          if [ "$KEY_CHANGED" = "yes" ]; then
+                            : # noop in case postRun is empty
+                            ${data.postRun}
+                          fi
                         '';
                       in
                         "+${script}";
@@ -374,7 +376,7 @@ in
 
                       # Give key acme permissions
                       chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem
-                      chmod ${rights} "${apath}/"{key,fullchain,full}.pem
+                      chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem
                     '';
                   serviceConfig = {
                     Type = "oneshot";
@@ -399,7 +401,17 @@ in
       systemd.tmpfiles.rules =
         map (data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}") (filter (data: data.webroot != null) (attrValues cfg.certs));
 
-      systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
+      systemd.timers = let
+        # Allow systemd to pick a convenient time within the day
+        # to run the check.
+        # This allows the coalescing of multiple timer jobs.
+        # We divide by the number of certificates so that if you
+        # have many certificates, the renewals are distributed over
+        # the course of the day to avoid rate limits.
+        numCerts = length (attrNames cfg.certs);
+        _24hSecs = 60 * 60 * 24;
+        AccuracySec = "${toString (_24hSecs / numCerts)}s";
+      in flip mapAttrs' cfg.certs (cert: data: nameValuePair
         ("acme-${cert}")
         ({
           description = "Renew ACME Certificate for ${cert}";
@@ -408,8 +420,9 @@ in
             OnCalendar = cfg.renewInterval;
             Unit = "acme-${cert}.service";
             Persistent = "yes";
-            AccuracySec = "5m";
-            RandomizedDelaySec = "1h";
+            inherit AccuracySec;
+            # Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
+            RandomizedDelaySec = "24h";
           };
         })
       );

nixos/modules/security/acme.xml

@@ -6,65 +6,49 @@
  <title>SSL/TLS Certificates with ACME</title>
  <para>
   NixOS supports automatic domain validation &amp; certificate retrieval and
-  renewal using the ACME protocol. This is currently only implemented by and
-  for Let's Encrypt. The alternative ACME client <literal>lego</literal> is
-  used under the hood.
+  renewal using the ACME protocol. Any provider can be used, but by default
+  NixOS uses Let's Encrypt. The alternative ACME client <literal>lego</literal>
+  is used under the hood.
+ </para>
+ <para>
+  Automatic cert validation and configuration for Apache and Nginx virtual
+  hosts is included in NixOS, however if you would like to generate a wildcard
+  cert or you are not using a web server you will have to configure DNS
+  based validation.
  </para>
  <section xml:id="module-security-acme-prerequisites">
   <title>Prerequisites</title>
 
   <para>
-   You need to have a running HTTP server for verification. The server must
-   have a webroot defined that can serve
+   To use the ACME module, you must accept the provider's terms of service
+   by setting <literal><xref linkend="opt-security.acme.acceptTerms" /></literal>
+   to <literal>true</literal>. The Let's Encrypt ToS can be found
+   <link xlink:href="https://letsencrypt.org/repository/">here</link>.
+  </para>
+
+  <para>
+   You must also set an email address to be used when creating accounts with
+   Let's Encrypt. You can set this for all certs with
+   <literal><xref linkend="opt-security.acme.email" /></literal>
+   and/or on a per-cert basis with
+   <literal><xref linkend="opt-security.acme.certs._name_.email" /></literal>.
+   This address is only used for registration and renewal reminders,
+   and cannot be used to administer the certificates in any way.
+  </para>
+
+  <para>
+   Alternatively, you can use a different ACME server by changing the
+   <literal><xref linkend="opt-security.acme.server" /></literal> option
+   to a provider of your choosing, or just change the server for one cert with
+   <literal><xref linkend="opt-security.acme.certs._name_.server" /></literal>.
+  </para>
+
+  <para>
+   You will need an HTTP server or DNS server for verification. For HTTP,
+   the server must have a webroot defined that can serve
    <filename>.well-known/acme-challenge</filename>. This directory must be
-   writeable by the user that will run the ACME client.
-  </para>
-
-  <para>
-   For instance, this generic snippet could be used for Nginx:
-<programlisting>
-http {
-  server {
-    server_name _;
-    listen 80;
-    listen [::]:80;
-
-    location /.well-known/acme-challenge {
-      root /var/www/challenges;
-    }
-
-    location / {
-      return 301 https://$host$request_uri;
-    }
-  }
-}
-</programlisting>
-  </para>
- </section>
- <section xml:id="module-security-acme-configuring">
-  <title>Configuring</title>
-
-  <para>
-   To enable ACME certificate retrieval &amp; renewal for a certificate for
-   <literal>foo.example.com</literal>, add the following in your
-   <filename>configuration.nix</filename>:
-<programlisting>
-<xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
-  <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/challenges";
-  <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
-};
-</programlisting>
-  </para>
-
-  <para>
-   The private key <filename>key.pem</filename> and certificate
-   <filename>fullchain.pem</filename> will be put into
-   <filename>/var/lib/acme/foo.example.com</filename>.
-  </para>
-  <para>
-   Refer to <xref linkend="ch-options" /> for all available configuration
-   options for the <link linkend="opt-security.acme.certs">security.acme</link>
-   module.
+   writeable by the user that will run the ACME client. For DNS, you must
+   set up credentials with your provider/server for use with lego.
   </para>
  </section>
  <section xml:id="module-security-acme-nginx">
@@ -80,12 +64,27 @@ http {
   </para>
 
 <programlisting>
+<xref linkend="opt-security.acme.acceptTerms" /> = true;
+<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
 services.nginx = {
-  <link linkend="opt-services.nginx.enable">enable = true;</link>
+  <link linkend="opt-services.nginx.enable">enable</link> = true;
   <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
     "foo.example.com" = {
       <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
       <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
+      # All serverAliases will be added as <link linkend="opt-security.acme.certs._name_.extraDomains">extra domains</link> on the certificate.
+      <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "bar.example.com" ];
+      locations."/" = {
+        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www";
+      };
+    };
+
+    # We can also add a different vhost and reuse the same certificate
+    # but we have to append extraDomains manually.
+    <link linkend="opt-security.acme.certs._name_.extraDomains">security.acme.certs."foo.example.com".extraDomains."baz.example.com"</link> = null;
+    "baz.example.com" = {
+      <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
+      <link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com";
       locations."/" = {
         <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www";
       };
@@ -94,4 +93,162 @@ services.nginx = {
 }
 </programlisting>
  </section>
+ <section xml:id="module-security-acme-httpd">
+  <title>Using ACME certificates in Apache/httpd</title>
+
+  <para>
+   Using ACME certificates with Apache virtual hosts is identical
+   to using them with Nginx. The attribute names are all the same, just replace
+   "nginx" with "httpd" where appropriate.
+  </para>
+ </section>
+ <section xml:id="module-security-acme-configuring">
+  <title>Manual configuration of HTTP-01 validation</title>
+
+  <para>
+   First off you will need to set up a virtual host to serve the challenges.
+   This example uses a vhost called <literal>certs.example.com</literal>, with
+   the intent that you will generate certs for all your vhosts and redirect
+   everyone to HTTPS.
+  </para>
+
+<programlisting>
+<xref linkend="opt-security.acme.acceptTerms" /> = true;
+<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
+services.nginx = {
+  <link linkend="opt-services.nginx.enable">enable</link> = true;
+  <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
+    "acmechallenge.example.com" = {
+      # Catchall vhost, will redirect users to HTTPS for all vhosts
+      <link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ];
+      # /var/lib/acme/.challenges must be writable by the ACME user
+      # and readable by the Nginx user.
+      # By default, this is the case.
+      locations."/.well-known/acme-challenge" = {
+        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/lib/acme/.challenges";
+      };
+      locations."/" = {
+        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.return">return</link> = "301 https://$host$request_uri";
+      };
+    };
+  };
+}
+# Alternative config for Apache
+services.httpd = {
+  <link linkend="opt-services.httpd.enable">enable = true;</link>
+  <link linkend="opt-services.httpd.virtualHosts">virtualHosts</link> = {
+    "acmechallenge.example.com" = {
+      # Catchall vhost, will redirect users to HTTPS for all vhosts
+      <link linkend="opt-services.httpd.virtualHosts._name_.serverAliases">serverAliases</link> = [ "*.example.com" ];
+      # /var/lib/acme/.challenges must be writable by the ACME user and readable by the Apache user.
+      # By default, this is the case.
+      <link linkend="opt-services.httpd.virtualHosts._name_.documentRoot">documentRoot</link> = "/var/lib/acme/.challenges";
+      <link linkend="opt-services.httpd.virtualHosts._name_.extraConfig">extraConfig</link> = ''
+        RewriteEngine On
+        RewriteCond %{HTTPS} off
+        RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge [NC]
+        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301]
+      '';
+    };
+  };
+}
+</programlisting>
+
+  <para>
+   Now you need to configure ACME to generate a certificate.
+  </para>
+
+<programlisting>
+<xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
+  <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges";
+  <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
+  # Since we have a wildcard vhost to handle port 80,
+  # we can generate certs for anything!
+  # Just make sure your DNS resolves them.
+  <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains</link> = [ "mail.example.com" ];
+};
+</programlisting>
+
+  <para>
+   The private key <filename>key.pem</filename> and certificate
+   <filename>fullchain.pem</filename> will be put into
+   <filename>/var/lib/acme/foo.example.com</filename>.
+  </para>
+
+  <para>
+   Refer to <xref linkend="ch-options" /> for all available configuration
+   options for the <link linkend="opt-security.acme.certs">security.acme</link>
+   module.
+  </para>
+ </section>
+ <section xml:id="module-security-acme-config-dns">
+  <title>Configuring ACME for DNS validation</title>
+
+  <para>
+   This is useful if you want to generate a wildcard certificate, since
+   ACME servers will only hand out wildcard certs over DNS validation.
+   There a number of supported DNS providers and servers you can utilise,
+   see the <link xlink:href="https://go-acme.github.io/lego/dns/">lego docs</link>
+   for provider/server specific configuration values. For the sake of these
+   docs, we will provide a fully self-hosted example using bind.
+  </para>
+
+<programlisting>
+services.bind = {
+  <link linkend="opt-services.bind.enable">enable</link> = true;
+  <link linkend="opt-services.bind.extraConfig">extraConfig</link> = ''
+    include "/var/lib/secrets/dnskeys.conf";
+  '';
+  <link linkend="opt-services.bind.zones">zones</link> = [
+    rec {
+      name = "example.com";
+      file = "/var/db/bind/${name}";
+      master = true;
+      extraConfig = "allow-update { key rfc2136key.example.com.; };";
+    }
+  ];
+}
+
+# Now we can configure ACME
+<xref linkend="opt-security.acme.acceptTerms" /> = true;
+<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
+<xref linkend="opt-security.acme.certs" />."example.com" = {
+  <link linkend="opt-security.acme.certs._name_.domain">domain</link> = "*.example.com";
+  <link linkend="opt-security.acme.certs._name_.dnsProvider">dnsProvider</link> = "rfc2136";
+  <link linkend="opt-security.acme.certs._name_.credentialsFile">credentialsFile</link> = "/var/lib/secrets/certs.secret";
+  # We don't need to wait for propagation since this is a local DNS server
+  <link linkend="opt-security.acme.certs._name_.dnsPropagationCheck">dnsPropagationCheck</link> = false;
+};
+</programlisting>
+
+  <para>
+   The <filename>dnskeys.conf</filename> and <filename>certs.secret</filename>
+   must be kept secure and thus you should not keep their contents in your
+   Nix config. Instead, generate them one time with these commands:
+  </para>
+
+<programlisting>
+mkdir -p /var/lib/secrets
+tsig-keygen rfc2136key.example.com &gt; /var/lib/secrets/dnskeys.conf
+chown named:root /var/lib/secrets/dnskeys.conf
+chmod 400 /var/lib/secrets/dnskeys.conf
+
+# Copy the secret value from the dnskeys.conf, and put it in
+# RFC2136_TSIG_SECRET below
+
+cat &gt; /var/lib/secrets/certs.secret &lt;&lt; EOF
+RFC2136_NAMESERVER='127.0.0.1:53'
+RFC2136_TSIG_ALGORITHM='hmac-sha256.'
+RFC2136_TSIG_KEY='rfc2136key.example.com'
+RFC2136_TSIG_SECRET='your secret key'
+EOF
+chmod 400 /var/lib/secrets/certs.secret
+</programlisting>
+
+  <para>
+   Now you're all set to generate certs! You should monitor the first invokation
+   by running <literal>systemctl start acme-example.com.service &amp;
+   journalctl -fu acme-example.com.service</literal> and watching its log output.
+  </para>
+ </section>
 </chapter>

nixos/modules/security/apparmor-suid.nix

@@ -9,6 +9,7 @@ with lib;
   ];
 
   options.security.apparmor.confineSUIDApplications = mkOption {
+    type = types.bool;
     default = true;
     description = ''
       Install AppArmor profiles for commonly-used SUID application

nixos/modules/security/duosec.nix

@@ -24,22 +24,6 @@ let
     motd=${boolToStr cfg.motd}
     accept_env_factor=${boolToStr cfg.acceptEnvFactor}
   '';
-
-  loginCfgFile = optionalAttrs cfg.ssh.enable {
-    "duo/login_duo.conf" =
-      { source = pkgs.writeText "login_duo.conf" configFileLogin;
-        mode   = "0600";
-        user   = "sshd";
-      };
-  };
-
-  pamCfgFile = optional cfg.pam.enable {
-    "duo/pam_duo.conf" =
-      { source = pkgs.writeText "pam_duo.conf" configFilePam;
-        mode   = "0600";
-        user   = "sshd";
-      };
-  };
 in
 {
   imports = [
@@ -198,7 +182,18 @@ in
      environment.systemPackages = [ pkgs.duo-unix ];
 
      security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
-     environment.etc = loginCfgFile // pamCfgFile;
+
+     environment.etc."duo/login_duo.conf" = mkIf cfg.ssh.enable
+       { source = pkgs.writeText "login_duo.conf" configFileLogin;
+         mode = "0600";
+         user = "sshd";
+       };
+
+     environment.etc."duo/pam_duo.conf" = mkIf cfg.pam.enable
+       { source = pkgs.writeText "pam_duo.conf" configFilePam;
+         mode = "0600";
+         user = "sshd";
+       };
 
      /* If PAM *and* SSH are enabled, then don't do anything special.
      If PAM isn't used, set the default SSH-only options. */

nixos/modules/security/pam.nix

@@ -545,6 +545,7 @@ in
     };
 
     security.pam.enableSSHAgentAuth = mkOption {
+      type = types.bool;
       default = false;
       description =
         ''
@@ -555,12 +556,7 @@ in
         '';
     };
 
-    security.pam.enableOTPW = mkOption {
-      default = false;
-      description = ''
-        Enable the OTPW (one-time password) PAM module.
-      '';
-    };
+    security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
 
     security.pam.u2f = {
       enable = mkOption {
@@ -719,12 +715,7 @@ in
       };
     };
 
-    security.pam.enableEcryptfs = mkOption {
-      default = false;
-      description = ''
-        Enable eCryptfs PAM module (mounting ecryptfs home directory on login).
-      '';
-    };
+    security.pam.enableEcryptfs = mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)";
 
     users.motd = mkOption {
       default = null;

nixos/modules/security/rngd.nix

@@ -37,14 +37,24 @@ in
 
       after = [ "dev-random.device" ];
 
+      # Clean shutdown without DefaultDependencies
+      conflicts = [ "shutdown.target" ];
+      before = [
+        "sysinit.target"
+        "shutdown.target"
+      ];
+
       description = "Hardware RNG Entropy Gatherer Daemon";
 
+      # rngd may have to start early to avoid entropy starvation during boot with encrypted swap
+      unitConfig.DefaultDependencies = false;
       serviceConfig = {
         ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
           + optionalString cfg.debug " -d";
+        # PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
+        # thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
         NoNewPrivileges = true;
         PrivateNetwork = true;
-        PrivateTmp = true;
         ProtectSystem = "full";
         ProtectHome = true;
       };

nixos/modules/security/sudo.nix

@@ -173,7 +173,9 @@ in
 
   config = mkIf cfg.enable {
 
-    security.sudo.extraRules = [
+    # We `mkOrder 600` so that the default rule shows up first, but there is
+    # still enough room for a user to `mkBefore` it.
+    security.sudo.extraRules = mkOrder 600 [
       { groups = [ "wheel" ];
         commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
       }

nixos/modules/security/systemd-confinement.nix

@@ -135,7 +135,7 @@ in {
           ];
           execPkgs = lib.concatMap (opt: let
             isSet = config.serviceConfig ? ${opt};
-          in lib.optional isSet config.serviceConfig.${opt}) execOpts;
+          in lib.flatten (lib.optional isSet config.serviceConfig.${opt})) execOpts;
           unitAttrs = toplevelConfig.systemd.units."${name}.service";
           allPkgs = lib.singleton (builtins.toJSON unitAttrs);
           unitPkgs = if fullUnit then allPkgs else execPkgs;

nixos/modules/security/wrappers/default.nix

@@ -166,7 +166,7 @@ in
 
     boot.specialFileSystems.${parentWrapperDir} = {
       fsType = "tmpfs";
-      options = [ "nodev" ];
+      options = [ "nodev" "mode=755" ];
     };
 
     # Make sure our wrapperDir exports to the PATH env variable when
@@ -184,6 +184,8 @@ in
           # programs to be wrapped.
           WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
 
+          chmod 755 "${parentWrapperDir}"
+
           # We want to place the tmpdirs for the wrappers to the parent dir.
           wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
           chmod a+rx $wrapperDir
@@ -194,6 +196,9 @@ in
             # Atomically replace the symlink
             # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
             old=$(readlink -f ${wrapperDir})
+            if [ -e ${wrapperDir}-tmp ]; then
+              rm --force --recursive ${wrapperDir}-tmp
+            fi
             ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
             mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
             rm --force --recursive $old

nixos/modules/services/amqp/rabbitmq.nix

@@ -17,6 +17,7 @@ in {
   options = {
     services.rabbitmq = {
       enable = mkOption {
+        type = types.bool;
         default = false;
         description = ''
           Whether to enable the RabbitMQ server, an Advanced Message

nixos/modules/services/audio/alsa.nix

@@ -91,11 +91,7 @@ in
     environment.systemPackages = [ alsaUtils ];
 
     environment.etc = mkIf (!pulseaudioEnabled && config.sound.extraConfig != "")
-      [
-        { source = pkgs.writeText "asound.conf" config.sound.extraConfig;
-          target = "asound.conf";
-        }
-      ];
+      { "asound.conf".text = config.sound.extraConfig; };
 
     # ALSA provides a udev rule for restoring volume settings.
     services.udev.packages = [ alsaUtils ];

nixos/modules/services/backup/mysql-backup.nix

@@ -37,12 +37,7 @@ in
 
     services.mysqlBackup = {
 
-      enable = mkOption {
-        default = false;
-        description = ''
-          Whether to enable MySQL backups.
-        '';
-      };
+      enable = mkEnableOption "MySQL backups";
 
       calendar = mkOption {
         type = types.str;

nixos/modules/services/backup/postgresql-backup.nix

@@ -44,12 +44,7 @@ in {
 
   options = {
     services.postgresqlBackup = {
-      enable = mkOption {
-        default = false;
-        description = ''
-          Whether to enable PostgreSQL dumps.
-        '';
-      };
+      enable = mkEnableOption "PostgreSQL dumps";
 
       startAt = mkOption {
         default = "*-*-* 01:15:00";

nixos/modules/services/continuous-integration/buildkite-agents.nix

@@ -258,7 +258,7 @@ in
   });
 
   config.assertions = mapAgents (name: cfg: [
-      { assertion = cfg.hooksPath == hooksDir || all (v: v == null) (attrValues cfg.hooks);
+      { assertion = cfg.hooksPath == (hooksDir cfg) || all (v: v == null) (attrValues cfg.hooks);
         message = ''
           Options `services.buildkite-agents.${name}.hooksPath' and
           `services.buildkite-agents.${name}.hooks.<name>' are mutually exclusive.

nixos/modules/services/continuous-integration/hydra/default.nix

@@ -37,6 +37,8 @@ let
 
   haveLocalDB = cfg.dbi == localDB;
 
+  inherit (config.system) stateVersion;
+
 in
 
 {
@@ -63,8 +65,7 @@ in
       };
 
       package = mkOption {
-        type = types.path;
-        default = pkgs.hydra;
+        type = types.package;
         defaultText = "pkgs.hydra";
         description = "The Hydra package.";
       };
@@ -194,6 +195,34 @@ in
 
   config = mkIf cfg.enable {
 
+    warnings = optional (cfg.package.migration or false) ''
+      You're currently deploying an older version of Hydra which is needed to
+      make some required database changes[1]. As soon as this is done, it's recommended
+      to run `hydra-backfill-ids` and set `services.hydra.package` to `pkgs.hydra-unstable`
+      after that.
+
+      [1] https://github.com/NixOS/hydra/pull/711
+    '';
+
+    services.hydra.package = with pkgs;
+      mkDefault (
+        if pkgs ? hydra
+          then throw ''
+            The Hydra package doesn't exist anymore in `nixpkgs`! It probably exists
+            due to an overlay. To upgrade Hydra, you need to take two steps as some
+            bigger changes in the database schema were implemented recently[1]. You first
+            need to deploy `pkgs.hydra-migration`, run `hydra-backfill-ids` on the server
+            and then deploy `pkgs.hydra-unstable`.
+
+            If you want to use `pkgs.hydra` from your overlay, please set `services.hydra.package`
+            explicitly to `pkgs.hydra` and make sure you know what you're doing.
+
+            [1] https://github.com/NixOS/hydra/pull/711
+          ''
+        else if versionOlder stateVersion "20.03" then hydra-migration
+        else hydra-unstable
+      );
+
     users.groups.hydra = {
       gid = config.ids.gids.hydra;
     };

nixos/modules/services/databases/clickhouse.nix

@@ -11,10 +11,7 @@ with lib;
 
     services.clickhouse = {
 
-      enable = mkOption {
-        default = false;
-        description = "Whether to enable ClickHouse database server.";
-      };
+      enable = mkEnableOption "ClickHouse database server";
 
     };
 

nixos/modules/services/databases/firebird.nix

@@ -40,12 +40,7 @@ in
 
     services.firebird = {
 
-      enable = mkOption {
-        default = false;
-        description = ''
-          Whether to enable the Firebird super server.
-        '';
-      };
+      enable = mkEnableOption "the Firebird super server";
 
       package = mkOption {
         default = pkgs.firebirdSuper;

nixos/modules/services/databases/memcached.nix

@@ -18,12 +18,7 @@ in
 
     services.memcached = {
 
-      enable = mkOption {
-        default = false;
-        description = "
-          Whether to enable Memcached.
-        ";
-      };
+      enable = mkEnableOption "Memcached";
 
       user = mkOption {
         default = "memcached";

nixos/modules/services/databases/mongodb.nix

@@ -29,12 +29,7 @@ in
 
     services.mongodb = {
 
-      enable = mkOption {
-        default = false;
-        description = "
-          Whether to enable the MongoDB server.
-        ";
-      };
+      enable = mkEnableOption "the MongoDB server";
 
       package = mkOption {
         default = pkgs.mongodb;

nixos/modules/services/databases/mysql.nix

@@ -10,16 +10,8 @@ let
 
   isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb;
 
-  isMysqlAtLeast57 =
-    (lib.getName mysql == lib.getName pkgs.mysql57)
-     && (builtins.compareVersions mysql.version "5.7" >= 0);
-
   mysqldOptions =
     "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}";
-  # For MySQL 5.7+, --insecure creates the root user without password
-  # (earlier versions and MariaDB do this by default).
-  installOptions =
-    "${mysqldOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}";
 
 in
 
@@ -307,9 +299,14 @@ in
           pkgs.nettools
         ];
 
-        preStart = ''
+        preStart = if isMariaDB then ''
           if ! test -e ${cfg.dataDir}/mysql; then
-            ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${installOptions}
+            ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions}
+            touch /tmp/mysql_init
+          fi
+        '' else ''
+          if ! test -e ${cfg.dataDir}/mysql; then
+            ${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure
             touch /tmp/mysql_init
           fi
         '';

nixos/modules/services/databases/postgresql.xml

@@ -7,12 +7,10 @@
 <!-- FIXME: render nicely -->
 <!-- FIXME: source can be added automatically -->
  <para>
-  <emphasis>Source:</emphasis>
-  <filename>modules/services/databases/postgresql.nix</filename>
+  <emphasis>Source:</emphasis> <filename>modules/services/databases/postgresql.nix</filename>
  </para>
  <para>
-  <emphasis>Upstream documentation:</emphasis>
-  <link xlink:href="http://www.postgresql.org/docs/"/>
+  <emphasis>Upstream documentation:</emphasis> <link xlink:href="http://www.postgresql.org/docs/"/>
  </para>
 <!-- FIXME: more stuff, like maintainer? -->
  <para>
@@ -23,18 +21,12 @@
   <title>Configuring</title>
 
   <para>
-   To enable PostgreSQL, add the following to your
-   <filename>configuration.nix</filename>:
+   To enable PostgreSQL, add the following to your <filename>configuration.nix</filename>:
 <programlisting>
 <xref linkend="opt-services.postgresql.enable"/> = true;
 <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_11;
 </programlisting>
-   Note that you are required to specify the desired version of PostgreSQL
-   (e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your
-   PostgreSQL version requires a database dump and reload (see below), NixOS
-   cannot provide a default value for
-   <xref linkend="opt-services.postgresql.package"/> such as the most recent
-   release of PostgreSQL.
+   Note that you are required to specify the desired version of PostgreSQL (e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your PostgreSQL version requires a database dump and reload (see below), NixOS cannot provide a default value for <xref linkend="opt-services.postgresql.package"/> such as the most recent release of PostgreSQL.
   </para>
 
 <!--
@@ -51,9 +43,7 @@ Type "help" for help.
 -->
 
   <para>
-   By default, PostgreSQL stores its databases in
-   <filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using
-   <xref linkend="opt-services.postgresql.dataDir"/>, e.g.
+   By default, PostgreSQL stores its databases in <filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using <xref linkend="opt-services.postgresql.dataDir"/>, e.g.
 <programlisting>
 <xref linkend="opt-services.postgresql.dataDir"/> = "/data/postgresql";
 </programlisting>
@@ -63,25 +53,83 @@ Type "help" for help.
   <title>Upgrading</title>
 
   <para>
-   FIXME: document dump/upgrade/load cycle.
+   Major PostgreSQL upgrade requires PostgreSQL downtime and a few imperative steps to be called. To simplify this process, use the following NixOS module:
+<programlisting>
+  containers.temp-pg.config.services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_12;
+    ## set a custom new dataDir
+    # dataDir = "/some/data/dir";
+  };
+  environment.systemPackages =
+    let newpg = config.containers.temp-pg.config.services.postgresql;
+    in [
+      (pkgs.writeScriptBin "upgrade-pg-cluster" ''
+        set -x
+        export OLDDATA="${config.services.postgresql.dataDir}"
+        export NEWDATA="${newpg.dataDir}"
+        export OLDBIN="${config.services.postgresql.package}/bin"
+        export NEWBIN="${newpg.package}/bin"
+
+        install -d -m 0700 -o postgres -g postgres "$NEWDATA"
+        cd "$NEWDATA"
+        sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
+
+        systemctl stop postgresql    # old one
+
+        sudo -u postgres $NEWBIN/pg_upgrade \
+          --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
+          --old-bindir $OLDBIN --new-bindir $NEWBIN \
+          "$@"
+      '')
+    ];
+</programlisting>
   </para>
+
+  <para>
+   The upgrade process is:
+  </para>
+
+  <orderedlist>
+   <listitem>
+    <para>
+     Rebuild nixos configuration with the configuration above added to your <filename>configuration.nix</filename>. Alternatively, add that into separate file and reference it in <literal>imports</literal> list.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Login as root (<literal>sudo su -</literal>)
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Run <literal>upgrade-pg-cluster</literal>. It will stop old postgresql, initialize new one and migrate old one to new one. You may supply arguments like <literal>--jobs 4</literal> and <literal>--link</literal> to speedup migration process. See <link xlink:href="https://www.postgresql.org/docs/current/pgupgrade.html" /> for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Change postgresql package in NixOS configuration to the one you were upgrading to, and change <literal>dataDir</literal> to the one you have migrated to. Rebuild NixOS. This should start new postgres using upgraded data directory.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     After upgrade you may want to <literal>ANALYZE</literal> new db.
+    </para>
+   </listitem>
+  </orderedlist>
  </section>
  <section xml:id="module-services-postgres-options">
   <title>Options</title>
 
   <para>
-   A complete list of options for the PostgreSQL module may be found
-   <link linkend="opt-services.postgresql.enable">here</link>.
+   A complete list of options for the PostgreSQL module may be found <link linkend="opt-services.postgresql.enable">here</link>.
   </para>
  </section>
  <section xml:id="module-services-postgres-plugins">
   <title>Plugins</title>
 
   <para>
-   Plugins collection for each PostgreSQL version can be accessed with
-   <literal>.pkgs</literal>. For example, for
-   <literal>pkgs.postgresql_11</literal> package, its plugin collection is
-   accessed by <literal>pkgs.postgresql_11.pkgs</literal>:
+   Plugins collection for each PostgreSQL version can be accessed with <literal>.pkgs</literal>. For example, for <literal>pkgs.postgresql_11</literal> package, its plugin collection is accessed by <literal>pkgs.postgresql_11.pkgs</literal>:
 <screen>
 <prompt>$ </prompt>nix repl '&lt;nixpkgs&gt;'
 
@@ -98,8 +146,9 @@ postgresql_11.pkgs.pg_partman        postgresql_11.pkgs.pgroonga
 ...
 </screen>
   </para>
+
   <para>
-    To add plugins via NixOS configuration, set <literal>services.postgresql.extraPlugins</literal>:
+   To add plugins via NixOS configuration, set <literal>services.postgresql.extraPlugins</literal>:
 <programlisting>
 <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_11;
 <xref linkend="opt-services.postgresql.extraPlugins"/> = with pkgs.postgresql_11.pkgs; [
@@ -108,10 +157,9 @@ postgresql_11.pkgs.pg_partman        postgresql_11.pkgs.pgroonga
 ];
 </programlisting>
   </para>
+
   <para>
-   You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using
-   function <literal>.withPackages</literal>. For example, creating a custom
-   PostgreSQL package in an overlay can look like:
+   You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using function <literal>.withPackages</literal>. For example, creating a custom PostgreSQL package in an overlay can look like:
 <programlisting>
 self: super: {
   postgresql_custom = self.postgresql_11.withPackages (ps: [
@@ -121,8 +169,9 @@ self: super: {
 }
 </programlisting>
   </para>
+
   <para>
-    Here's a recipe on how to override a particular plugin through an overlay:
+   Here's a recipe on how to override a particular plugin through an overlay:
 <programlisting>
 self: super: {
   postgresql_11 = super.postgresql_11.override { this = self.postgresql_11; } // {

nixos/modules/services/databases/virtuoso.nix

@@ -13,10 +13,7 @@ with lib;
 
     services.virtuoso = {
 
-      enable = mkOption {
-        default = false;
-        description = "Whether to enable Virtuoso Opensource database server.";
-      };
+      enable = mkEnableOption "Virtuoso Opensource database server";
 
       config = mkOption {
         default = "";

nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix

@@ -13,6 +13,8 @@ with lib;
 
   ###### implementation
   config = mkIf config.services.gnome3.gnome-remote-desktop.enable {
+    services.pipewire.enable = true;
+
     systemd.packages = [ pkgs.gnome3.gnome-remote-desktop ];
   };
 }