ghcjs: Enable on darwin (#139067)

(cherry picked from commit d032f60c37)

.github/CONTRIBUTING.md

@@ -53,10 +53,10 @@ For package version upgrades and such a one-line commit message is usually suffi
 Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).
 
 1. Take note of the commits in which the change was introduced into `master` branch.
-2. Check out the target _release branch_, e.g. `release-20.03`. Do not use a _channel branch_ like `nixos-20.03` or `nixpkgs-20.03`.
+2. Check out the target _release branch_, e.g. `release-20.09`. Do not use a _channel branch_ like `nixos-20.09` or `nixpkgs-20.09`.
 3. Create a branch for your change, e.g. `git checkout -b backport`.
-4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe <original commit>` and add a reason. Otherwise use `git cherry-pick -x <original commit>`. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar.
-5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-20.03`) as the target branch of the pull request, and link to the pull request in which the original change was comitted to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[20.03]`.
+4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe <original commit>` and add a reason. Otherwise use `git cherry-pick -x <original commit>`. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar. Please also ensure the commits exists on the master branch; in the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
+5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-20.09`) as the target branch of the pull request, and link to the pull request in which the original change was comitted to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[20.09]`.
 
 ## Reviewing contributions
 

.github/labeler.yml

@@ -0,0 +1,146 @@
+"6.topic: agda":
+  - doc/languages-frameworks/agda.section.md
+  - nixos/tests/agda.nix
+  - pkgs/build-support/agda/**/*
+  - pkgs/development/libraries/agda/**/*
+  - pkgs/top-level/agda-packages.nix
+
+"6.topic: cinnamon":
+  - pkgs/desktops/cinnamon/**/*
+
+"6.topic: emacs":
+  - nixos/modules/services/editors/emacs.nix
+  - nixos/modules/services/editors/emacs.xml
+  - nixos/tests/emacs-daemon.nix
+  - pkgs/applications/editors/emacs-modes/**/*
+  - pkgs/applications/editors/emacs/**/*
+  - pkgs/build-support/emacs/**/*
+  - pkgs/top-level/emacs-packages.nix
+
+"6.topic: erlang":
+  - doc/languages-frameworks/beam.section.md
+  - pkgs/development/beam-modules/**/*
+  - pkgs/development/interpreters/elixir/**/*
+  - pkgs/development/interpreters/erlang/**/*
+  - pkgs/development/tools/build-managers/rebar/**/*
+  - pkgs/development/tools/build-managers/rebar3/**/*
+  - pkgs/development/tools/erlang/**/*
+  - pkgs/top-level/beam-packages.nix
+
+"6.topic: fetch":
+  - pkgs/build-support/fetch*/**/*
+
+"6.topic: GNOME":
+  - doc/languages-frameworks/gnome.section.md
+  - nixos/modules/services/desktops/gnome3/**/*
+  - nixos/modules/services/x11/desktop-managers/gnome3.nix
+  - nixos/tests/gnome3-xorg.nix
+  - nixos/tests/gnome3.nix
+  - pkgs/desktops/gnome-3/**/*
+
+"6.topic: golang":
+  - doc/languages-frameworks/go.section.md
+  - pkgs/development/compilers/go/**/*
+  - pkgs/development/go-modules/**/*
+  - pkgs/development/go-packages/**/*
+
+"6.topic: haskell":
+  - doc/languages-frameworks/haskell.section.md
+  - pkgs/development/compilers/ghc/**/*
+  - pkgs/development/haskell-modules/**/*
+  - pkgs/development/tools/haskell/**/*
+  - pkgs/top-level/haskell-packages.nix
+
+"6.topic: kernel":
+  - pkgs/build-support/kernel/**/*
+
+"6.topic: lua":
+  - pkgs/development/interpreters/lua-5/**/*
+  - pkgs/development/interpreters/luajit/**/*
+  - pkgs/development/lua-modules/**/*
+  - pkgs/top-level/lua-packages.nix
+
+"6.topic: nixos":
+  - nixos/**/*
+
+"6.topic: ocaml":
+  - doc/languages-frameworks/ocaml.section.md
+  - pkgs/development/compilers/ocaml/**/*
+  - pkgs/development/compilers/reason/**/*
+  - pkgs/development/ocaml-modules/**/*
+  - pkgs/development/tools/ocaml/**/*
+  - pkgs/top-level/ocaml-packages.nix
+
+"6.topic: pantheon":
+  - nixos/modules/services/desktops/pantheon/**/*
+  - nixos/modules/services/x11/desktop-managers/pantheon.nix
+  - nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
+  - nixos/tests/pantheon.nix
+  - pkgs/desktops/pantheon/**/*
+
+"6.topic: policy discussion":
+  - .github/**/*
+
+"6.topic: printing":
+  - nixos/modules/services/printing/cupsd.nix
+  - pkgs/misc/cups/**/*
+
+"6.topic: python":
+  - doc/languages-frameworks/python.section.md
+  - pkgs/development/interpreters/python/**/*
+  - pkgs/development/python-modules/**/*
+  - pkgs/top-level/python-packages.nix
+
+"6.topic: qt/kde":
+  - doc/languages-frameworks/qt.section.md
+  - nixos/modules/services/x11/desktop-managers/plasma5.nix
+  - nixos/tests/plasma5.nix
+  - pkgs/applications/kde/**/*
+  - pkgs/desktops/plasma-5/**/*
+  - pkgs/development/libraries/kde-frameworks/**/*
+  - pkgs/development/libraries/qt-5/**/*
+
+"6.topic: ruby":
+  - doc/languages-frameworks/ruby.section.md
+  - pkgs/development/interpreters/ruby/**/*
+  - pkgs/development/ruby-modules/**/*
+
+"6.topic: rust":
+  - doc/languages-frameworks/rust.section.md
+  - pkgs/build-support/rust/**/*
+  - pkgs/development/compilers/rust/**/*
+
+"6.topic: stdenv":
+  - pkgs/stdenv/**/*
+
+"6.topic: steam":
+  - pkgs/games/steam/**/*
+
+"6.topic: systemd":
+  - pkgs/os-specific/linux/systemd/**/*
+  - nixos/modules/system/boot/systemd*/**/*
+
+"6.topic: TeX":
+  - doc/languages-frameworks/texlive.section.md
+  - pkgs/tools/typesetting/tex/**/*
+
+"6.topic: vim":
+  - doc/languages-frameworks/vim.section.md
+  - pkgs/applications/editors/vim/**/*
+  - pkgs/misc/vim-plugins/**/*
+
+"6.topic: xfce":
+  - nixos/doc/manual/configuration/xfce.xml
+  - nixos/modules/services/x11/desktop-managers/xfce.nix
+  - nixos/tests/xfce.nix
+  - pkgs/desktops/xfce/**/*
+
+"8.has: changelog":
+  - nixos/doc/manual/release-notes/**/*
+
+"8.has: documentation":
+  - doc/**/*
+  - nixos/doc/**/*
+
+"8.has: module (update)":
+  - nixos/modules/**/*

.github/workflows/editorconfig.yml

@@ -1,27 +0,0 @@
-name: "Checking EditorConfig"
-
-on:
-  pull_request:
-
-jobs:
-  tests:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-      with:
-        fetch-depth: 0
-    - uses: technote-space/get-diff-action@v3.1.0
-    - name: Fetch editorconfig-checker
-      if: env.GIT_DIFF
-      env:
-        ECC_VERSION: "2.1.0"
-        ECC_URL: "https://github.com/editorconfig-checker/editorconfig-checker/releases/download"
-      run: |
-        curl -sSf -O -L -C - "$ECC_URL/$ECC_VERSION/ec-linux-amd64.tar.gz" && \
-        tar xzf ec-linux-amd64.tar.gz && \
-        mv ./bin/ec-linux-amd64 ./bin/editorconfig-checker
-    - name: Checking EditorConfig
-      if: env.GIT_DIFF
-      run: |
-        ./bin/editorconfig-checker -disable-indentation \
-        ${{ env.GIT_DIFF }}

.github/workflows/labels.yml

@@ -0,0 +1,14 @@
+name: "Label PR"
+
+on:
+  pull_request_target:
+
+jobs:
+  labels:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+    - uses: actions/labeler@v3
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        sync-labels: true

.github/workflows/pending-set.yml

@@ -16,5 +16,5 @@ jobs:
           -X POST \
           -H "Accept: application/vnd.github.v3+json" \
           -H "Authorization: token $GITHUB_TOKEN" \
-          -d '{"state": "failure", "target_url": " ", "description": "This failed status will be cleared when ofborg finishes eval.", "context": "Wait for ofborg"}' \
+          -d '{"state": "pending", "target_url": " ", "description": "This pending status will be cleared when ofborg starts eval.", "context": "Wait for ofborg"}' \
           "https://api.github.com/repos/NixOS/nixpkgs/statuses/${{ github.event.pull_request.head.sha }}"

README.md

@@ -46,9 +46,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
 system, [Hydra](https://hydra.nixos.org/).
 
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 20.03 release](https://hydra.nixos.org/jobset/nixos/release-20.03)
+* [Continuous package builds for the NixOS 20.09 release](https://hydra.nixos.org/jobset/nixos/release-20.09)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 20.03 release](https://hydra.nixos.org/job/nixos/release-20.03/tested#tabs-constituents)
+* [Tests for the NixOS 20.09 release](https://hydra.nixos.org/job/nixos/release-20.09/tested#tabs-constituents)
 
 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are

default.nix

@@ -14,7 +14,7 @@ if ! builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.
     - If you installed Nix using the install script (https://nixos.org/nix/install),
       it is safe to upgrade by running it again:
 
-          curl https://nixos.org/nix/install | sh
+          curl -L https://nixos.org/nix/install | sh
 
     For more information, please see the NixOS release notes at
     https://nixos.org/nixos/manual or locally at

doc/builders/images/dockertools.xml

@@ -132,11 +132,11 @@ buildImage {
    <para>
     By default <function>buildImage</function> will use a static date of one second past the UNIX Epoch. This allows <function>buildImage</function> to produce binary reproducible images. When listing images with <command>docker images</command>, the newly created images will be listed like this:
    </para>
-<screen><![CDATA[
-$ docker images
+<screen>
+<prompt>$ </prompt>docker images
 REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
 hello        latest   08c791c7846e   48 years ago   25.2MB
-]]></screen>
+</screen>
    <para>
     You can break binary reproducibility but have a sorted, meaningful <literal>CREATED</literal> column by setting <literal>created</literal> to <literal>now</literal>.
    </para>
@@ -152,11 +152,11 @@ pkgs.dockerTools.buildImage {
 ]]></programlisting>
    <para>
     and now the Docker CLI will display a reasonable date and sort the images as expected:
-<screen><![CDATA[
-$ docker images
+<screen>
+<prompt>$ </prompt>docker images
 REPOSITORY   TAG      IMAGE ID       CREATED              SIZE
 hello        latest   de2bf4786de6   About a minute ago   25.2MB
-]]></screen>
+</screen>
     however, the produced images will not be binary reproducible.
    </para>
   </example>

doc/builders/images/ocitools.xml

@@ -38,8 +38,7 @@ buildContainer {
 
   readonly = false; <co xml:id='ex-ociTools-buildContainer-3' />
 }
-
-    </programlisting>
+</programlisting>
    <calloutlist>
     <callout arearefs='ex-ociTools-buildContainer-1'>
      <para>

doc/builders/packages/citrix.xml

@@ -22,10 +22,10 @@
   </para>
   <para>
    In order to set this up, you first have to <link xlink:href="https://its.uiowa.edu/support/article/102186">download the <literal>.cr</literal> file from the Netscaler Gateway</link>. After that you can configure the <command>selfservice</command> like this:
-   <screen>
-    <prompt>$ </prompt>storebrowse -C ~/Downloads/receiverconfig.cr
-    <prompt>$ </prompt>selfservice
-   </screen>
+<screen>
+<prompt>$ </prompt>storebrowse -C ~/Downloads/receiverconfig.cr
+<prompt>$ </prompt>selfservice
+</screen>
   </para>
  </section>
 

doc/builders/packages/urxvt.xml

@@ -18,10 +18,13 @@
    includes all available plugins. To make use of this functionality, use an
    overlay or directly install an expression that overrides its configuration,
    such as
-   <programlisting>rxvt-unicode.override { configure = { availablePlugins, ... }: {
+<programlisting>
+rxvt-unicode.override {
+  configure = { availablePlugins, ... }: {
     plugins = with availablePlugins; [ perls resize-font vtwheel ];
-  }
-}</programlisting>
+  };
+}
+</programlisting>
    If the <literal>configure</literal> function returns an attrset without the
    <literal>plugins</literal> attribute, <literal>availablePlugins</literal>
    will be used automatically.
@@ -30,18 +33,22 @@
   <para>
    In order to add plugins but also keep all default plugins installed, it is
    possible to use the following method:
-   <programlisting>rxvt-unicode.override { configure = { availablePlugins, ... }: {
-     plugins = (builtins.attrValues availablePlugins) ++ [ custom-plugin ];
-   };
-}</programlisting>
+<programlisting>
+rxvt-unicode.override {
+  configure = { availablePlugins, ... }: {
+    plugins = (builtins.attrValues availablePlugins) ++ [ custom-plugin ];
+  };
+}
+</programlisting>
   </para>
 
   <para>
    To get a list of all the plugins available, open the Nix REPL and run
-   <programlisting>$ nix repl
+<screen>
+<prompt>$ </prompt>nix repl
 :l &lt;nixpkgs&gt;
 map (p: p.name) pkgs.rxvt-unicode.plugins
-   </programlisting>
+</screen>
    Alternatively, if your shell is bash or zsh and have completion enabled,
    simply type <literal>nixpkgs.rxvt-unicode.plugins.&lt;tab&gt;</literal>.
   </para>
@@ -53,18 +60,24 @@ map (p: p.name) pkgs.rxvt-unicode.plugins
     <literal>extraDeps</literal> can be used, for example, to provide
     <literal>xsel</literal> (a clipboard manager) to the clipboard plugin,
     without installing it globally:
-    <programlisting>rxvt-unicode.override { configure = { availablePlugins, ... }: {
-     pluginsDeps = [ xsel ];
-   }
-}</programlisting>
+<programlisting>
+rxvt-unicode.override {
+  configure = { availablePlugins, ... }: {
+    pluginsDeps = [ xsel ];
+  };
+}
+</programlisting>
 
     <literal>perlDeps</literal> is a handy way to provide Perl packages to
     your custom plugins (in <literal>$HOME/.urxvt/ext</literal>). For example,
     if you need <literal>AnyEvent</literal> you can do:
-    <programlisting>rxvt-unicode.override { configure = { availablePlugins, ... }: {
-     perlDeps = with perlPackages; [ AnyEvent ];
-   }
-}</programlisting>
+<programlisting>
+rxvt-unicode.override {
+  configure = { availablePlugins, ... }: {
+    perlDeps = with perlPackages; [ AnyEvent ];
+  };
+}
+</programlisting>
   </para>
 
  </section>
@@ -90,7 +103,8 @@ map (p: p.name) pkgs.rxvt-unicode.plugins
   <para>
    If the plugin is itself a perl package that needs to be imported from
    other plugins or scripts, add the following passthrough:
-   <programlisting>passthru.perlPackages = [ "self" ];
+<programlisting>
+passthru.perlPackages = [ "self" ];
 </programlisting>
    This will make the urxvt wrapper pick up the dependency and set up the perl
    path accordingly.

doc/contributing/submitting-changes.xml

@@ -209,12 +209,12 @@ Additional information.
   </para>
 
 <programlisting>
-   (fetchpatch {
-     name = "CVE-2019-11068.patch";
-     url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch";
-     sha256 = "0pkpb4837km15zgg6h57bncp66d5lwrlvkr73h0lanywq7zrwhj8";
-   })
-  </programlisting>
+(fetchpatch {
+  name = "CVE-2019-11068.patch";
+  url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch";
+  sha256 = "0pkpb4837km15zgg6h57bncp66d5lwrlvkr73h0lanywq7zrwhj8";
+})
+</programlisting>
 
   <para>
    If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch.

doc/languages-frameworks/beam.xml

@@ -72,9 +72,9 @@
    To install any of those builders into your profile, refer to them by their attribute path <literal>beamPackages.rebar3</literal>:
   </para>
 
-  <screen>
-  <prompt>$ </prompt>nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA beamPackages.rebar3
-  </screen>
+<screen>
+<prompt>$ </prompt>nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA beamPackages.rebar3
+</screen>
 </section>
 
  <section xml:id="packaging-beam-applications">

doc/languages-frameworks/perl.xml

@@ -8,28 +8,28 @@
 
   <para>
    When executing a Perl script, it is possible you get an error such as <literal>./myscript.pl: bad interpreter: /usr/bin/perl: no such file or directory</literal>. This happens when the script expects Perl to be installed at <filename>/usr/bin/perl</filename>, which is not the case when using Perl from nixpkgs. You can fix the script by changing the first line to:
-  <programlisting>
-  #!/usr/bin/env perl
-  </programlisting>
+<programlisting>
+#!/usr/bin/env perl
+</programlisting>
   to take the Perl installation from the <literal>PATH</literal> environment variable, or invoke Perl directly with:
-  <screen>
-  <prompt>$ </prompt>perl ./myscript.pl
-  </screen>
+<screen>
+<prompt>$ </prompt>perl ./myscript.pl
+</screen>
   </para>
 
   <para>
    When the script is using a Perl library that is not installed globally, you might get an error such as <literal>Can't locate DB_File.pm in @INC (you may need to install the DB_File module)</literal>. In that case, you can use <command>nix-shell</command> to start an ad-hoc shell with that library installed, for instance:
-  <screen>
-  <prompt>$ </prompt>nix-shell -p perl perlPackages.DBFile --run ./myscript.pl
-  </screen>
+<screen>
+<prompt>$ </prompt>nix-shell -p perl perlPackages.DBFile --run ./myscript.pl
+</screen>
   </para>
 
   <para>
   If you are always using the script in places where <command>nix-shell</command> is available, you can embed the <command>nix-shell</command> invocation in the shebang like this:
-  <programlisting>
-  #!/usr/bin/env nix-shell
-  #! nix-shell -i perl -p perl perlPackages.DBFile
-  </programlisting>
+<programlisting>
+#!/usr/bin/env nix-shell
+#! nix-shell -i perl -p perl perlPackages.DBFile
+</programlisting>
   </para>
  </section>
 
@@ -44,30 +44,30 @@
   <para>
    Perl packages from CPAN are defined in <link
  xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/perl-packages.nix"><filename>pkgs/top-level/perl-packages.nix</filename></link>, rather than <filename>pkgs/all-packages.nix</filename>. Most Perl packages are so straight-forward to build that they are defined here directly, rather than having a separate function for each package called from <filename>perl-packages.nix</filename>. However, more complicated packages should be put in a separate file, typically in <filename>pkgs/development/perl-modules</filename>. Here is an example of the former:
- <programlisting>
- ClassC3 = buildPerlPackage rec {
-   name = "Class-C3-0.21";
-   src = fetchurl {
-     url = "mirror://cpan/authors/id/F/FL/FLORA/${name}.tar.gz";
-     sha256 = "1bl8z095y4js66pwxnm7s853pi9czala4sqc743fdlnk27kq94gz";
-   };
- };
- </programlisting>
+<programlisting>
+ClassC3 = buildPerlPackage rec {
+  name = "Class-C3-0.21";
+  src = fetchurl {
+    url = "mirror://cpan/authors/id/F/FL/FLORA/${name}.tar.gz";
+    sha256 = "1bl8z095y4js66pwxnm7s853pi9czala4sqc743fdlnk27kq94gz";
+  };
+};
+</programlisting>
    Note the use of <literal>mirror://cpan/</literal>, and the <literal>${name}</literal> in the URL definition to ensure that the name attribute is consistent with the source that we’re actually downloading. Perl packages are made available in <filename>all-packages.nix</filename> through the variable <varname>perlPackages</varname>. For instance, if you have a package that needs <varname>ClassC3</varname>, you would typically write
- <programlisting>
- foo = import ../path/to/foo.nix {
-   inherit stdenv fetchurl ...;
-   inherit (perlPackages) ClassC3;
- };
- </programlisting>
+<programlisting>
+foo = import ../path/to/foo.nix {
+  inherit stdenv fetchurl ...;
+  inherit (perlPackages) ClassC3;
+};
+</programlisting>
    in <filename>all-packages.nix</filename>. You can test building a Perl package as follows:
- <screen>
- <prompt>$ </prompt>nix-build -A perlPackages.ClassC3
- </screen>
+<screen>
+<prompt>$ </prompt>nix-build -A perlPackages.ClassC3
+</screen>
    <varname>buildPerlPackage</varname> adds <literal>perl-</literal> to the start of the name attribute, so the package above is actually called <literal>perl-Class-C3-0.21</literal>. So to install it, you can say:
- <screen>
- <prompt>$ </prompt>nix-env -i perl-Class-C3
- </screen>
+<screen>
+<prompt>$ </prompt>nix-env -i perl-Class-C3
+</screen>
    (Of course you can also install using the attribute name: <literal>nix-env -i -A perlPackages.ClassC3</literal>.)
   </para>
 
@@ -94,61 +94,61 @@
 
   <para>
    <varname>buildPerlPackage</varname> is built on top of <varname>stdenv</varname>, so everything can be customised in the usual way. For instance, the <literal>BerkeleyDB</literal> module has a <varname>preConfigure</varname> hook to generate a configuration file used by <filename>Makefile.PL</filename>:
- <programlisting>
- { buildPerlPackage, fetchurl, db }:
+<programlisting>
+{ buildPerlPackage, fetchurl, db }:
 
- buildPerlPackage rec {
-   name = "BerkeleyDB-0.36";
+buildPerlPackage rec {
+  name = "BerkeleyDB-0.36";
 
-   src = fetchurl {
-     url = "mirror://cpan/authors/id/P/PM/PMQS/${name}.tar.gz";
-     sha256 = "07xf50riarb60l1h6m2dqmql8q5dij619712fsgw7ach04d8g3z1";
-   };
+  src = fetchurl {
+    url = "mirror://cpan/authors/id/P/PM/PMQS/${name}.tar.gz";
+    sha256 = "07xf50riarb60l1h6m2dqmql8q5dij619712fsgw7ach04d8g3z1";
+  };
 
-   preConfigure = ''
-     echo "LIB = ${db.out}/lib" > config.in
-     echo "INCLUDE = ${db.dev}/include" >> config.in
-   '';
- }
- </programlisting>
+  preConfigure = ''
+    echo "LIB = ${db.out}/lib" > config.in
+    echo "INCLUDE = ${db.dev}/include" >> config.in
+  '';
+}
+</programlisting>
   </para>
 
   <para>
    Dependencies on other Perl packages can be specified in the <varname>buildInputs</varname> and <varname>propagatedBuildInputs</varname> attributes. If something is exclusively a build-time dependency, use <varname>buildInputs</varname>; if it’s (also) a runtime dependency, use <varname>propagatedBuildInputs</varname>. For instance, this builds a Perl module that has runtime dependencies on a bunch of other modules:
- <programlisting>
- ClassC3Componentised = buildPerlPackage rec {
-   name = "Class-C3-Componentised-1.0004";
-   src = fetchurl {
-     url = "mirror://cpan/authors/id/A/AS/ASH/${name}.tar.gz";
-     sha256 = "0xql73jkcdbq4q9m0b0rnca6nrlvf5hyzy8is0crdk65bynvs8q1";
-   };
-   propagatedBuildInputs = [
-     ClassC3 ClassInspector TestException MROCompat
-   ];
- };
- </programlisting>
+<programlisting>
+ClassC3Componentised = buildPerlPackage rec {
+  name = "Class-C3-Componentised-1.0004";
+  src = fetchurl {
+    url = "mirror://cpan/authors/id/A/AS/ASH/${name}.tar.gz";
+    sha256 = "0xql73jkcdbq4q9m0b0rnca6nrlvf5hyzy8is0crdk65bynvs8q1";
+  };
+  propagatedBuildInputs = [
+    ClassC3 ClassInspector TestException MROCompat
+  ];
+};
+</programlisting>
   </para>
 
   <para>
    On Darwin, if a script has too many <literal>-I<replaceable>dir</replaceable></literal> flags in its first line (its “shebang line”), it will not run. This can be worked around by calling the <literal>shortenPerlShebang</literal> function from the <literal>postInstall</literal> phase:
- <programlisting>
- { stdenv, buildPerlPackage, fetchurl, shortenPerlShebang }:
+<programlisting>
+{ stdenv, buildPerlPackage, fetchurl, shortenPerlShebang }:
 
- ImageExifTool = buildPerlPackage {
-   pname = "Image-ExifTool";
-   version = "11.50";
+ImageExifTool = buildPerlPackage {
+  pname = "Image-ExifTool";
+  version = "11.50";
 
-   src = fetchurl {
-     url = "https://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-11.50.tar.gz";
-     sha256 = "0d8v48y94z8maxkmw1rv7v9m0jg2dc8xbp581njb6yhr7abwqdv3";
-   };
+  src = fetchurl {
+    url = "https://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-11.50.tar.gz";
+    sha256 = "0d8v48y94z8maxkmw1rv7v9m0jg2dc8xbp581njb6yhr7abwqdv3";
+  };
 
-   buildInputs = stdenv.lib.optional stdenv.isDarwin shortenPerlShebang;
-   postInstall = stdenv.lib.optional stdenv.isDarwin ''
-     shortenPerlShebang $out/bin/exiftool
-   '';
- };
- </programlisting>
+  buildInputs = stdenv.lib.optional stdenv.isDarwin shortenPerlShebang;
+  postInstall = stdenv.lib.optional stdenv.isDarwin ''
+    shortenPerlShebang $out/bin/exiftool
+  '';
+};
+</programlisting>
    This will remove the <literal>-I</literal> flags from the shebang line, rewrite them in the <literal>use lib</literal> form, and put them on the next line instead. This function can be given any number of Perl scripts as arguments; it will modify them in-place.
   </para>
 
@@ -159,27 +159,27 @@
     Nix expressions for Perl packages can be generated (almost) automatically from CPAN. This is done by the program <command>nix-generate-from-cpan</command>, which can be installed as follows:
    </para>
 
- <screen>
- <prompt>$ </prompt>nix-env -i nix-generate-from-cpan
- </screen>
+<screen>
+<prompt>$ </prompt>nix-env -i nix-generate-from-cpan
+</screen>
 
    <para>
     This program takes a Perl module name, looks it up on CPAN, fetches and unpacks the corresponding package, and prints a Nix expression on standard output. For example:
- <screen>
- <prompt>$ </prompt>nix-generate-from-cpan XML::Simple
-   XMLSimple = buildPerlPackage rec {
-     name = "XML-Simple-2.22";
-     src = fetchurl {
-       url = "mirror://cpan/authors/id/G/GR/GRANTM/${name}.tar.gz";
-       sha256 = "b9450ef22ea9644ae5d6ada086dc4300fa105be050a2030ebd4efd28c198eb49";
-     };
-     propagatedBuildInputs = [ XMLNamespaceSupport XMLSAX XMLSAXExpat ];
-     meta = {
-       description = "An API for simple XML files";
-       license = with stdenv.lib.licenses; [ artistic1 gpl1Plus ];
-     };
-   };
- </screen>
+<screen>
+<prompt>$ </prompt>nix-generate-from-cpan XML::Simple
+  XMLSimple = buildPerlPackage rec {
+    name = "XML-Simple-2.22";
+    src = fetchurl {
+      url = "mirror://cpan/authors/id/G/GR/GRANTM/${name}.tar.gz";
+      sha256 = "b9450ef22ea9644ae5d6ada086dc4300fa105be050a2030ebd4efd28c198eb49";
+    };
+    propagatedBuildInputs = [ XMLNamespaceSupport XMLSAX XMLSAXExpat ];
+    meta = {
+      description = "An API for simple XML files";
+      license = with stdenv.lib.licenses; [ artistic1 gpl1Plus ];
+    };
+  };
+</screen>
     The output can be pasted into <filename>pkgs/top-level/perl-packages.nix</filename> or wherever else you need it.
    </para>
   </section>

doc/languages-frameworks/python.section.md

@@ -755,8 +755,8 @@ and in this case the `python38` interpreter is automatically used.
 
 ### Interpreters
 
-Versions 2.7, 3.6, 3.7 and 3.8 of the CPython interpreter are available as
-respectively `python27`, `python36`, `python37` and `python38`. The
+Versions 2.7, 3.6, 3.7, 3.8 and 3.9 of the CPython interpreter are available as
+respectively `python27`, `python36`, `python37`, `python38` and `python39`. The
 aliases `python2` and `python3` correspond to respectively `python27` and
 `python38`. The default interpreter, `python`, maps to `python2`. The PyPy
 interpreters compatible with Python 2.7 and 3 are available as `pypy27` and

doc/languages-frameworks/qt.xml

@@ -18,7 +18,7 @@ mkDerivation { <co xml:id='qt-default-nix-co-2' />
 
   buildInputs = [ qtbase ]; <co xml:id='qt-default-nix-co-3' />
 }
-   </programlisting>
+</programlisting>
  </example>
 
  <calloutlist>

doc/languages-frameworks/ruby.xml

@@ -12,14 +12,14 @@
  </para>
 
 <screen>
-<![CDATA[$ cd pkgs/servers/monitoring
-$ mkdir sensu
-$ cd sensu
-$ cat > Gemfile
+<prompt>$ </prompt>cd pkgs/servers/monitoring
+<prompt>$ </prompt>mkdir sensu
+<prompt>$ </prompt>cd sensu
+<prompt>$ </prompt>cat > Gemfile
 source 'https://rubygems.org'
 gem 'sensu'
-$ $(nix-build '<nixpkgs>' -A bundix --no-out-link)/bin/bundix --magic
-$ cat > default.nix
+<prompt>$ </prompt>$(nix-build '&lt;nixpkgs>' -A bundix --no-out-link)/bin/bundix --magic
+<prompt>$ </prompt>cat > default.nix
 { lib, bundlerEnv, ruby }:
 
 bundlerEnv rec {
@@ -37,7 +37,7 @@ bundlerEnv rec {
     maintainers = with maintainers; [ theuni ];
     platforms   = platforms.unix;
   };
-}]]>
+}
 </screen>
 
  <para>
@@ -49,17 +49,16 @@ bundlerEnv rec {
  </para>
 
 <screen>
-<![CDATA[$ cd pkgs/servers/monitoring/sensu
-$ nix-shell -p bundler --run 'bundle lock --update'
-$ nix-shell -p bundix --run 'bundix'
-]]>
+<prompt>$ </prompt>cd pkgs/servers/monitoring/sensu
+<prompt>$ </prompt>nix-shell -p bundler --run 'bundle lock --update'
+<prompt>$ </prompt>nix-shell -p bundix --run 'bundix'
 </screen>
 
  <para>
   For tools written in Ruby - i.e. where the desire is to install a package and then execute e.g. <command>rake</command> at the command line, there is an alternative builder called <literal>bundlerApp</literal>. Set up the <filename>gemset.nix</filename> the same way, and then, for example:
  </para>
 
-<screen>
+<programlisting>
 <![CDATA[{ lib, bundlerApp }:
 
 bundlerApp {
@@ -75,7 +74,7 @@ bundlerApp {
     platforms   = platforms.unix;
   };
 }]]>
-</screen>
+</programlisting>
 
  <para>
   The chief advantage of <literal>bundlerApp</literal> over <literal>bundlerEnv</literal> is the executables introduced in the environment are precisely those selected in the <literal>exes</literal> list, as opposed to <literal>bundlerEnv</literal> which adds all the executables made available by gems in the gemset, which can mean e.g. <command>rspec</command> or <command>rake</command> in unpredictable versions available from various packages.

doc/languages-frameworks/texlive.xml

@@ -44,11 +44,11 @@ texlive.combine {
    <listitem>
     <para>
      You can list packages e.g. by <command>nix repl</command>.
-<programlisting><![CDATA[
-$ nix repl
-nix-repl> :l <nixpkgs>
-nix-repl> texlive.collection-<TAB>
-]]></programlisting>
+<programlisting>
+<prompt>$ </prompt>nix repl
+<prompt>nix-repl> </prompt>:l &lt;nixpkgs>
+<prompt>nix-repl> </prompt>texlive.collection-<keycap function="tab" />
+</programlisting>
     </para>
    </listitem>
    <listitem>

doc/manual.xml

@@ -1,7 +1,7 @@
 <book xmlns="http://docbook.org/ns/docbook"
       xmlns:xi="http://www.w3.org/2001/XInclude">
  <info>
-  <title>Nixpkgs Users and Contributors Guide</title>
+  <title>Nixpkgs Manual</title>
   <subtitle>Version <xi:include href=".version" parse="text" />
   </subtitle>
  </info>

doc/stdenv/multiple-output.xml

@@ -67,7 +67,7 @@
     <para>
      <command>nix-env</command> silenty disregards the outputs selected by the user, and instead installs the outputs from <varname>meta.outputsToInstall</varname>. For example,
     </para>
-<programlisting>$ nix-env -iA nixpkgs.coreutils.info</programlisting>
+<screen><prompt>$ </prompt>nix-env -iA nixpkgs.coreutils.info</screen>
     <para>
      installs the <literal>"out"</literal> output (<varname>coreutils.meta.outputsToInstall</varname> is <literal>[ "out" ]</literal>) instead of the requested <literal>"info"</literal>.
     </para>

doc/using/configuration.xml

@@ -66,7 +66,7 @@
    <listitem>
     <para>
      For allowing the build of a broken package once, you can use an environment variable for a single invocation of the nix tools:
-<programlisting>$ export NIXPKGS_ALLOW_BROKEN=1</programlisting>
+<screen><prompt>$ </prompt>export NIXPKGS_ALLOW_BROKEN=1</screen>
     </para>
    </listitem>
    <listitem>
@@ -92,7 +92,7 @@
    <listitem>
     <para>
      For allowing the build of an unsupported package once, you can use an environment variable for a single invocation of the nix tools:
-<programlisting>$ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1</programlisting>
+<screen><prompt>$ </prompt>export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1</screen>
     </para>
    </listitem>
    <listitem>
@@ -122,7 +122,7 @@
    <listitem>
     <para>
      To temporarily allow all unfree packages, you can use an environment variable for a single invocation of the nix tools:
-<programlisting>$ export NIXPKGS_ALLOW_UNFREE=1</programlisting>
+<screen><prompt>$ </prompt>export NIXPKGS_ALLOW_UNFREE=1</screen>
     </para>
    </listitem>
    <listitem>
@@ -187,7 +187,7 @@
    <listitem>
     <para>
      To temporarily allow all insecure packages, you can use an environment variable for a single invocation of the nix tools:
-<programlisting>$ export NIXPKGS_ALLOW_INSECURE=1</programlisting>
+<screen><prompt>$ </prompt>export NIXPKGS_ALLOW_INSECURE=1</screen>
     </para>
    </listitem>
    <listitem>

doc/using/overlays.xml

@@ -226,7 +226,7 @@ self: super:
     lapackProvider = self.mkl;
   }
 }
-     </programlisting>
+</programlisting>
      <para>
        This overlay uses Intel’s MKL library for both BLAS and LAPACK
        interfaces. Note that the same can be accomplished at runtime
@@ -234,9 +234,9 @@ self: super:
        <literal>libblas.so.3</literal> and
        <literal>liblapack.so.3</literal>. For instance:
      </para>
-     <programlisting>
-$ LD_LIBRARY_PATH=$(nix-build -A mkl)/lib:$LD_LIBRARY_PATH nix-shell -p octave --run octave
-     </programlisting>
+<screen>
+<prompt>$ </prompt>LD_LIBRARY_PATH=$(nix-build -A mkl)/lib:$LD_LIBRARY_PATH nix-shell -p octave --run octave
+</screen>
      <para>
        Intel MKL requires an <literal>openmp</literal> implementation
        when running with multiple processors. By default,
@@ -274,7 +274,7 @@ assert (!blas.isILP64) &amp;&amp; (!lapack.isILP64);
 stdenv.mkDerivation {
   ...
 }
-     </programlisting>
+</programlisting>
    </section>
  </section>
 </chapter>

flake.nix

@@ -5,7 +5,6 @@
 
   outputs = { self }:
     let
-
       jobs = import ./pkgs/top-level/release.nix {
         nixpkgs = self;
       };
@@ -28,10 +27,36 @@
       lib = lib.extend (final: prev: {
         nixosSystem = { modules, ... } @ args:
           import ./nixos/lib/eval-config.nix (args // {
-            modules = modules ++
-              [ { system.nixos.versionSuffix =
-                    ".${final.substring 0 8 (self.lastModifiedDate or self.lastModified)}.${self.shortRev or "dirty"}";
+            modules =
+              let
+                vmConfig = (import ./nixos/lib/eval-config.nix
+                  (args // {
+                    modules = modules ++ [ ./nixos/modules/virtualisation/qemu-vm.nix ];
+                  })).config;
+
+                vmWithBootLoaderConfig = (import ./nixos/lib/eval-config.nix
+                  (args // {
+                    modules = modules ++ [
+                      ./nixos/modules/virtualisation/qemu-vm.nix
+                      { virtualisation.useBootLoader = true; }
+                      ({ config, ... }: {
+                        virtualisation.useEFIBoot =
+                          config.boot.loader.systemd-boot.enable ||
+                          config.boot.loader.efi.canTouchEfiVariables;
+                      })
+                    ];
+                  })).config;
+              in
+              modules ++ [
+                {
+                  system.nixos.versionSuffix =
+                    ".${final.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}.${self.shortRev or "dirty"}";
                   system.nixos.revision = final.mkIf (self ? rev) self.rev;
+
+                  system.build = {
+                    vm = vmConfig.system.build.vm;
+                    vmWithBootLoader = vmWithBootLoaderConfig.system.build.vm;
+                  };
                 }
               ];
           });

lib/licenses.nix

@@ -115,6 +115,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) {
     fullName = ''BSD 4-clause "Original" or "Old" License'';
   };
 
+  bsdOriginalUC = spdx {
+    spdxId = "BSD-4-Clause-UC";
+    fullName = "BSD 4-Clause University of California-Specific";
+  };
+
   bsdProtection = spdx {
     spdxId = "BSD-Protection";
     fullName = "BSD Protection License";
@@ -448,11 +453,6 @@ lib.mapAttrs (n: v: v // { shortName = n; }) {
     free = false;
   };
 
-  jasper = spdx {
-    spdxId = "JasPer-2.0";
-    fullName = "JasPer License";
-  };
-
   lgpl2Only = spdx {
     spdxId = "LGPL-2.0-only";
     fullName = "GNU Library General Public License v2 only";

lib/lists.nix

@@ -640,13 +640,7 @@ rec {
        unique [ 3 2 3 4 ]
        => [ 3 2 4 ]
    */
-  unique = list:
-    if list == [] then
-      []
-    else
-      let
-        x = head list;
-      in [x] ++ unique (remove x list);
+ unique = foldl' (acc: e: if elem e acc then acc else acc ++ [ e ]) [];
 
   /* Intersects list 'e' and another list. O(nm) complexity.
 

lib/systems/architectures.nix

@@ -60,7 +60,7 @@ rec {
   };
 
   predicates = let
-    featureSupport = feature: x: builtins.elem feature features.${x};
+    featureSupport = feature: x: builtins.elem feature features.${x} or [];
   in {
     sse3Support    = featureSupport "sse3";
     ssse3Support   = featureSupport "ssse3";

lib/systems/examples.nix

@@ -47,7 +47,7 @@ rec {
   armv7a-android-prebuilt = {
     config = "armv7a-unknown-linux-androideabi";
     sdkVer = "29";
-    ndkVer = "18b";
+    ndkVer = "21";
     platform = platforms.armv7a-android;
     useAndroidPrebuilt = true;
   };
@@ -55,7 +55,7 @@ rec {
   aarch64-android-prebuilt = {
     config = "aarch64-unknown-linux-android";
     sdkVer = "29";
-    ndkVer = "18b";
+    ndkVer = "21";
     platform = platforms.aarch64-multiplatform;
     useAndroidPrebuilt = true;
   };

maintainers/maintainer-list.nix

@@ -806,6 +806,12 @@
     githubId = 574938;
     name = "Jonathan Glines";
   };
+  austinbutler = {
+    email = "austinabutler@gmail.com";
+    github = "austinbutler";
+    githubId = 354741;
+    name = "Austin Butler";
+  };
   avaq = {
     email = "nixpkgs@account.avaq.it";
     github = "avaq";
@@ -920,6 +926,16 @@
     githubId = 75235;
     name = "Michael Walker";
   };
+  bartuka = {
+    email = "wand@hey.com";
+    github = "wandersoncferreira";
+    githubId = 17708295;
+    name = "Wanderson Ferreira";
+    keys = [{
+      longkeyid = "rsa4096/0x56840A614DBE37AE";
+      fingerprint = "A3E1 C409 B705 50B3 BF41  492B 5684 0A61 4DBE 37AE";
+    }];
+  };
   basvandijk = {
     email = "v.dijk.bas@gmail.com";
     github = "basvandijk";
@@ -2757,6 +2773,12 @@
       fingerprint = "50B7 11F4 3DFD 2018 DCE6  E8D0 8A52 A140 BEBF 7D2C";
     }];
   };
+  fabianhjr = {
+    email = "fabianhjr@protonmail.com";
+    github = "fabianhjr";
+    githubId = 303897;
+    name = "Fabián Heredia Montiel";
+  };
   fadenb = {
     email = "tristan.helmich+nixos@gmail.com";
     github = "fadenb";
@@ -3541,6 +3563,12 @@
     githubId = 993484;
     name = "Greg Hale";
   };
+  immae = {
+    email = "ismael@bouya.org";
+    github = "immae";
+    githubId = 510202;
+    name = "Ismaël Bouya";
+  };
   imuli = {
     email = "i@imu.li";
     github = "imuli";
@@ -3839,6 +3867,16 @@
     githubId = 2736480;
     name = "Johannes Frankenau";
   };
+  jfroche = {
+    name = "Jean-François Roche";
+    email = "jfroche@pyxel.be";
+    github = "jfroche";
+    githubId = 207369;
+    keys = [{
+      longkeyid = "dsa1024/0xD1D09DE169EA19A0";
+      fingerprint = "7EB1 C02A B62B B464 6D7C  E4AE D1D0 9DE1 69EA 19A0";
+    }];
+  };
   jgeerds = {
     email = "jascha@geerds.org";
     github = "jgeerds";
@@ -4906,6 +4944,12 @@
     githubId = 1202012;
     name = "Ignat Loskutov";
   };
+  lostnet = {
+    email = "lost.networking@gmail.com";
+    github = "lostnet";
+    githubId = 1422781;
+    name = "Will Young";
+  };
   louisdk1 = {
     email = "louis@louis.dk";
     github = "louisdk1";
@@ -6193,6 +6237,12 @@
     githubId = 3359345;
     name = "obadz";
   };
+  obsidian-systems-maintenance = {
+    name = "Obsidian Systems Maintenance";
+    email = "maintainer@obsidian.systems";
+    github = "obsidian-systems-maintenance";
+    githubId = 80847921;
+  };
   ocharles = {
     email = "ollie@ocharles.org.uk";
     github = "ocharles";
@@ -6281,6 +6331,12 @@
     githubId = 111265;
     name = "Ozan Sener";
   };
+  otavio = {
+    email = "otavio.salvador@ossystems.com.br";
+    github = "otavio";
+    githubId = 25278;
+    name = "Otavio Salvador";
+  };
   otwieracz = {
     email = "slawek@otwiera.cz";
     github = "otwieracz";
@@ -6675,6 +6731,12 @@
       fingerprint = "240B 57DE 4271 2480 7CE3  EAC8 4F74 D536 1C4C A31E";
     }];
   };
+  preisschild = {
+    email = "florian@florianstroeger.com";
+    github = "Preisschild";
+    githubId = 11898437;
+    name = "Florian Ströger";
+  };
   priegger = {
     email = "philipp@riegger.name";
     github = "priegger";
@@ -7105,6 +7167,12 @@
     githubId = 13752145;
     name = "Richard Lupton";
   };
+  rmcgibbo = {
+    email = "rmcgibbo@gmail.com";
+    github = "rmcgibbo";
+    githubId = 641278;
+    name = "Robert T. McGibbon";
+  };
   rnhmjoj = {
     email = "rnhmjoj@inventati.org";
     github = "rnhmjoj";

maintainers/scripts/build.nix

@@ -30,7 +30,7 @@ in
 packagesWith
   (name: pkg:
     (
-      if builtins.hasAttr "maintainers" pkg.meta
+      if builtins.hasAttr "meta" pkg && builtins.hasAttr "maintainers" pkg.meta
       then (
         if builtins.isList pkg.meta.maintainers
         then builtins.elem maintainer_ pkg.meta.maintainers

maintainers/team-list.nix

@@ -29,6 +29,13 @@ with lib.maintainers; {
     scope = "Maintain ACME-related packages and modules.";
   };
 
+  cinnamon = {
+    members = [
+      mkg20001
+    ];
+    scope = "Maintain Cinnamon desktop environment and applications made by the LinuxMint team.";
+  };
+
   freedesktop = {
     members = [ jtojnar worldofpeace ];
     scope = "Maintain Freedesktop.org packages for graphical desktop.";

nixos/default.nix

@@ -22,6 +22,11 @@ let
       [ configuration
         ./modules/virtualisation/qemu-vm.nix
         { virtualisation.useBootLoader = true; }
+        ({ config, ... }: {
+          virtualisation.useEFIBoot =
+            config.boot.loader.systemd-boot.enable ||
+            config.boot.loader.efi.canTouchEfiVariables;
+        })
       ];
   }).config;
 

nixos/doc/manual/administration/imperative-containers.xml

@@ -14,18 +14,18 @@
  <para>
   You create a container with identifier <literal>foo</literal> as follows:
 <screen>
-# nixos-container create foo
+<prompt># </prompt>nixos-container create <replaceable>foo</replaceable>
 </screen>
   This creates the container’s root directory in
-  <filename>/var/lib/containers/foo</filename> and a small configuration file
-  in <filename>/etc/containers/foo.conf</filename>. It also builds the
+  <filename>/var/lib/containers/<replaceable>foo</replaceable></filename> and a small configuration file
+  in <filename>/etc/containers/<replaceable>foo</replaceable>.conf</filename>. It also builds the
   container’s initial system configuration and stores it in
-  <filename>/nix/var/nix/profiles/per-container/foo/system</filename>. You can
+  <filename>/nix/var/nix/profiles/per-container/<replaceable>foo</replaceable>/system</filename>. You can
   modify the initial configuration of the container on the command line. For
   instance, to create a container that has <command>sshd</command> running,
   with the given public key for <literal>root</literal>:
 <screen>
-# nixos-container create foo --config '
+<prompt># </prompt>nixos-container create <replaceable>foo</replaceable> --config '
   <xref linkend="opt-services.openssh.enable"/> = true;
   <link linkend="opt-users.users._name_.openssh.authorizedKeys.keys">users.users.root.openssh.authorizedKeys.keys</link> = ["ssh-dss AAAAB3N…"];
 '
@@ -34,7 +34,7 @@
   as container IP. This behavior can be altered by setting <literal>--host-address</literal> and
   <literal>--local-address</literal>:
 <screen>
-# nixos-container create test --config-file test-container.nix \
+<prompt># </prompt>nixos-container create test --config-file test-container.nix \
     --local-address 10.235.1.2 --host-address 10.235.1.1
 </screen>
  </para>
@@ -42,7 +42,7 @@
  <para>
   Creating a container does not start it. To start the container, run:
 <screen>
-# nixos-container start foo
+<prompt># </prompt>nixos-container start <replaceable>foo</replaceable>
 </screen>
   This command will return as soon as the container has booted and has reached
   <literal>multi-user.target</literal>. On the host, the container runs within
@@ -51,7 +51,7 @@
   Thus, if something went wrong, you can get status info using
   <command>systemctl</command>:
 <screen>
-# systemctl status container@foo
+<prompt># </prompt>systemctl status container@<replaceable>foo</replaceable>
 </screen>
  </para>
 
@@ -59,22 +59,22 @@
   If the container has started successfully, you can log in as root using the
   <command>root-login</command> operation:
 <screen>
-# nixos-container root-login foo
-[root@foo:~]#
+<prompt># </prompt>nixos-container root-login <replaceable>foo</replaceable>
+<prompt>[root@foo:~]#</prompt>
 </screen>
   Note that only root on the host can do this (since there is no
   authentication). You can also get a regular login prompt using the
   <command>login</command> operation, which is available to all users on the
   host:
 <screen>
-# nixos-container login foo
+<prompt># </prompt>nixos-container login <replaceable>foo</replaceable>
 foo login: alice
 Password: ***
 </screen>
   With <command>nixos-container run</command>, you can execute arbitrary
   commands in the container:
 <screen>
-# nixos-container run foo -- uname -a
+<prompt># </prompt>nixos-container run <replaceable>foo</replaceable> -- uname -a
 Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
 </screen>
  </para>
@@ -85,18 +85,18 @@ Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
   <literal>/var/lib/container/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>,
   and run
 <screen>
-# nixos-container update foo
+<prompt># </prompt>nixos-container update <replaceable>foo</replaceable>
 </screen>
   This will build and activate the new configuration. You can also specify a
   new configuration on the command line:
 <screen>
-# nixos-container update foo --config '
+<prompt># </prompt>nixos-container update <replaceable>foo</replaceable> --config '
   <xref linkend="opt-services.httpd.enable"/> = true;
   <xref linkend="opt-services.httpd.adminAddr"/> = "foo@example.org";
   <xref linkend="opt-networking.firewall.allowedTCPPorts"/> = [ 80 ];
 '
 
-# curl http://$(nixos-container show-ip foo)/
+<prompt># </prompt>curl http://$(nixos-container show-ip <replaceable>foo</replaceable>)/
 &lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
 </screen>
   However, note that this will overwrite the container’s
@@ -117,7 +117,7 @@ Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
   by using <command>systemctl</command> on the container’s service unit. To
   destroy a container, including its file system, do
 <screen>
-# nixos-container destroy foo
+<prompt># </prompt>nixos-container destroy <replaceable>foo</replaceable>
 </screen>
  </para>
 </section>

nixos/doc/manual/administration/maintenance-mode.xml

@@ -8,7 +8,7 @@
  <para>
   You can enter rescue mode by running:
 <screen>
-# systemctl rescue</screen>
+<prompt># </prompt>systemctl rescue</screen>
   This will eventually give you a single-user root shell. Systemd will stop
   (almost) all system services. To get out of maintenance mode, just exit from
   the rescue shell.

nixos/doc/manual/administration/network-problems.xml

@@ -16,12 +16,12 @@
   disable the use of the binary cache by adding <option>--option
   use-binary-caches false</option>, e.g.
 <screen>
-# nixos-rebuild switch --option use-binary-caches false
+<prompt># </prompt>nixos-rebuild switch --option use-binary-caches false
 </screen>
   If you have an alternative binary cache at your disposal, you can use it
   instead:
 <screen>
-# nixos-rebuild switch --option binary-caches http://my-cache.example.org/
+<prompt># </prompt>nixos-rebuild switch --option binary-caches <replaceable>http://my-cache.example.org/</replaceable>
 </screen>
  </para>
 </section>

nixos/doc/manual/administration/rebooting.xml

@@ -7,20 +7,20 @@
  <para>
   The system can be shut down (and automatically powered off) by doing:
 <screen>
-# shutdown
+<prompt># </prompt>shutdown
 </screen>
   This is equivalent to running <command>systemctl poweroff</command>.
  </para>
  <para>
   To reboot the system, run
 <screen>
-# reboot
+<prompt># </prompt>reboot
 </screen>
   which is equivalent to <command>systemctl reboot</command>. Alternatively,
   you can quickly reboot the system using <literal>kexec</literal>, which
   bypasses the BIOS by directly loading the new kernel into memory:
 <screen>
-# systemctl kexec
+<prompt># </prompt>systemctl kexec
 </screen>
  </para>
  <para>

nixos/doc/manual/administration/rollback.xml

@@ -20,16 +20,16 @@
   has booted, you can make the selected configuration the default for
   subsequent boots:
 <screen>
-# /run/current-system/bin/switch-to-configuration boot</screen>
+<prompt># </prompt>/run/current-system/bin/switch-to-configuration boot</screen>
  </para>
 
  <para>
   Second, you can switch to the previous configuration in a running system:
 <screen>
-# nixos-rebuild switch --rollback</screen>
+<prompt># </prompt>nixos-rebuild switch --rollback</screen>
   This is equivalent to running:
 <screen>
-# /nix/var/nix/profiles/system-<replaceable>N</replaceable>-link/bin/switch-to-configuration switch</screen>
+<prompt># </prompt>/nix/var/nix/profiles/system-<replaceable>N</replaceable>-link/bin/switch-to-configuration switch</screen>
   where <replaceable>N</replaceable> is the number of the NixOS system
   configuration. To get a list of the available configurations, do:
 <screen>

nixos/doc/manual/administration/service-mgmt.xml

@@ -58,9 +58,9 @@ Jan 07 15:55:57 hagbard systemd[1]: Started PostgreSQL Server.
  <para>
   Units can be stopped, started or restarted:
 <screen>
-# systemctl stop postgresql.service
-# systemctl start postgresql.service
-# systemctl restart postgresql.service
+<prompt># </prompt>systemctl stop postgresql.service
+<prompt># </prompt>systemctl start postgresql.service
+<prompt># </prompt>systemctl restart postgresql.service
 </screen>
   These operations are synchronous: they wait until the service has finished
   starting or stopping (or has failed). Starting a unit will cause the

nixos/doc/manual/administration/user-sessions.xml

@@ -39,7 +39,7 @@ c3 - root (0)
   can terminate a session in a way that ensures that all the session’s
   processes are gone:
 <screen>
-# loginctl terminate-session c3
+<prompt># </prompt>loginctl terminate-session c3
 </screen>
  </para>
 </chapter>

nixos/doc/manual/configuration/adding-custom-packages.xml

@@ -25,7 +25,7 @@ xlink:href="https://nixos.org/nixpkgs/manual">Nixpkgs
   and you run <command>nixos-rebuild</command>, specifying your own Nixpkgs
   tree:
 <screen>
-# nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs</screen>
+<prompt># </prompt>nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs</screen>
  </para>
 
  <para>

nixos/doc/manual/configuration/linux-kernel.xml

@@ -126,13 +126,13 @@ nixpkgs.config.packageOverrides = pkgs:
    <literal>mellanox</literal> drivers.
   </para>
 
-<screen><![CDATA[
-$ nix-build '<nixpkgs>' -A linuxPackages.kernel.dev
-$ nix-shell '<nixpkgs>' -A linuxPackages.kernel
-$ unpackPhase
-$ cd linux-*
-$ make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox modules
-# insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko
-]]></screen>
+<screen>
+<prompt>$ </prompt>nix-build '&lt;nixpkgs>' -A linuxPackages.kernel.dev
+<prompt>$ </prompt>nix-shell '&lt;nixpkgs>' -A linuxPackages.kernel
+<prompt>$ </prompt>unpackPhase
+<prompt>$ </prompt>cd linux-*
+<prompt>$ </prompt>make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox modules
+<prompt># </prompt>insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko
+</screen>
  </section>
 </chapter>

nixos/doc/manual/configuration/luks-file-systems.xml

@@ -11,7 +11,7 @@
   you create an encrypted Ext4 file system on the device
   <filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:
 <screen>
-# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d
+<prompt># </prompt>cryptsetup luksFormat <replaceable>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</replaceable>
 
 WARNING!
 ========
@@ -21,17 +21,17 @@ Are you sure? (Type uppercase yes): YES
 Enter LUKS passphrase: ***
 Verify passphrase: ***
 
-# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
+<prompt># </prompt>cryptsetup luksOpen <replaceable>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</replaceable> <replaceable>crypted</replaceable>
 Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
 
-# mkfs.ext4 /dev/mapper/crypted
+<prompt># </prompt>mkfs.ext4 /dev/mapper/<replaceable>crypted</replaceable>
 </screen>
   To ensure that this file system is automatically mounted at boot time as
   <filename>/</filename>, add the following to
   <filename>configuration.nix</filename>:
 <programlisting>
-<link linkend="opt-boot.initrd.luks.devices._name_.device">boot.initrd.luks.devices.crypted.device</link> = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
-<xref linkend="opt-fileSystems"/>."/".device = "/dev/mapper/crypted";
+<link linkend="opt-boot.initrd.luks.devices._name_.device">boot.initrd.luks.devices.crypted.device</link> = "<replaceable>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</replaceable>";
+<xref linkend="opt-fileSystems"/>."/".device = "/dev/mapper/<replaceable>crypted</replaceable>";
 </programlisting>
   Should grub be used as bootloader, and <filename>/boot</filename> is located
   on an encrypted partition, it is necessary to add the following grub option:
@@ -45,11 +45,11 @@ Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
    and add it as a new key to our existing device <filename>/dev/sda2</filename>:
 
    <screen>
-# export FIDO2_LABEL="/dev/sda2 @ $HOSTNAME"
-# fido2luks credential "$FIDO2_LABEL"
+<prompt># </prompt>export FIDO2_LABEL="<replaceable>/dev/sda2</replaceable> @ $HOSTNAME"
+<prompt># </prompt>fido2luks credential "$FIDO2_LABEL"
 f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
 
-# fido2luks -i add-key /dev/sda2 f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
+<prompt># </prompt>fido2luks -i add-key <replaceable>/dev/sda2</replaceable> <replaceable>f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7</replaceable>
 Password:
 Password (again):
 Old password:
@@ -60,13 +60,13 @@ Added to key to device /dev/sda2, slot: 2
   To ensure that this file system is decrypted using the FIDO2 compatible key, add the following to <filename>configuration.nix</filename>:
 <programlisting>
 <link linkend="opt-boot.initrd.luks.fido2Support">boot.initrd.luks.fido2Support</link> = true;
-<link linkend="opt-boot.initrd.luks.devices._name_.fido2.credential">boot.initrd.luks.devices."/dev/sda2".fido2.credential</link> = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
+<link linkend="opt-boot.initrd.luks.devices._name_.fido2.credential">boot.initrd.luks.devices."<replaceable>/dev/sda2</replaceable>".fido2.credential</link> = "<replaceable>f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7</replaceable>";
 </programlisting>
 
   You can also use the FIDO2 passwordless setup, but for security reasons, you might want to enable it only when your device is PIN protected, such as <link xlink:href="https://trezor.io/">Trezor</link>.
 
 <programlisting>
-<link linkend="opt-boot.initrd.luks.devices._name_.fido2.passwordLess">boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess</link> = true;
+<link linkend="opt-boot.initrd.luks.devices._name_.fido2.passwordLess">boot.initrd.luks.devices."<replaceable>/dev/sda2</replaceable>".fido2.passwordLess</link> = true;
 </programlisting>
   </para>
  </section>

nixos/doc/manual/configuration/profiles/hardened.xml

@@ -7,7 +7,7 @@
 
  <para>
   A profile with most (vanilla) hardening options enabled by default,
-  potentially at the cost of features and performance.
+  potentially at the cost of stability, features and performance.
  </para>
 
  <para>
@@ -21,4 +21,12 @@
    xlink:href="https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix">
   profile source</literal> for further detail on which settings are altered.
  </para>
+ <warning>
+   <para>
+     This profile enables options that are known to affect system
+     stability. If you experience any stability issues when using the
+     profile, try disabling it. If you report an issue and use this
+     profile, always mention that you do.
+   </para>
+ </warning>
 </section>

nixos/doc/manual/configuration/user-mgmt.xml

@@ -62,24 +62,24 @@ uid = 1000;
   <command>useradd</command>, <command>groupmod</command> and so on. For
   instance, to create a user account named <literal>alice</literal>:
 <screen>
-# useradd -m alice</screen>
+<prompt># </prompt>useradd -m <replaceable>alice</replaceable></screen>
   To make all nix tools available to this new user use `su - USER` which opens
   a login shell (==shell that loads the profile) for given user. This will
   create the ~/.nix-defexpr symlink. So run:
 <screen>
-# su - alice -c "true"</screen>
+<prompt># </prompt>su - <replaceable>alice</replaceable> -c "true"</screen>
   The flag <option>-m</option> causes the creation of a home directory for the
   new user, which is generally what you want. The user does not have an initial
   password and therefore cannot log in. A password can be set using the
   <command>passwd</command> utility:
 <screen>
-# passwd alice
+<prompt># </prompt>passwd <replaceable>alice</replaceable>
 Enter new UNIX password: ***
 Retype new UNIX password: ***
 </screen>
   A user can be deleted using <command>userdel</command>:
 <screen>
-# userdel -r alice</screen>
+<prompt># </prompt>userdel -r <replaceable>alice</replaceable></screen>
   The flag <option>-r</option> deletes the user’s home directory. Accounts
   can be modified using <command>usermod</command>. Unix groups can be managed
   using <command>groupadd</command>, <command>groupmod</command> and

nixos/doc/manual/configuration/x-windows.xml

@@ -58,7 +58,7 @@
 </programlisting>
   The X server can then be started manually:
 <screen>
-# systemctl start display-manager.service
+<prompt># </prompt>systemctl start display-manager.service
 </screen>
  </para>
  <para>

nixos/doc/manual/development/meta-attributes.xml

@@ -57,7 +57,7 @@
       linkend="ch-configuration"/>. Changes to a module documentation
     have to be checked to not break building the NixOS manual:
    </para>
-<programlisting>$ nix-build nixos/release.nix -A manual</programlisting>
+<screen><prompt>$ </prompt>nix-build nixos/release.nix -A manual</screen>
   </callout>
  </calloutlist>
 </section>

nixos/doc/manual/development/writing-documentation.xml

@@ -24,8 +24,8 @@
   </para>
 
 <screen>
-  $ cd /path/to/nixpkgs/nixos/doc/manual
-  $ make
+<prompt>$ </prompt>cd /path/to/nixpkgs/nixos/doc/manual
+<prompt>$ </prompt>make
 </screen>
 
   <para>

nixos/doc/manual/development/writing-nixos-tests.xml

@@ -186,6 +186,25 @@ start_all()
      </para>
     </listitem>
    </varlistentry>
+   <varlistentry>
+    <term>
+     <methodname>get_screen_text_variants</methodname>
+    </term>
+    <listitem>
+     <para>
+      Return a list of different interpretations of what is currently visible
+      on the machine's screen using optical character recognition. The number
+      and order of the interpretations is not specified and is subject to
+      change, but if no exception is raised at least one will be returned.
+     </para>
+     <note>
+      <para>
+       This requires passing <option>enableOCR</option> to the test attribute
+       set.
+      </para>
+     </note>
+    </listitem>
+   </varlistentry>
    <varlistentry>
     <term>
      <methodname>get_screen_text</methodname>
@@ -350,7 +369,8 @@ start_all()
      <para>
       Wait until the supplied regular expressions matches the textual contents
       of the screen by using optical character recognition (see
-      <methodname>get_screen_text</methodname>).
+     <methodname>get_screen_text</methodname> and
+     <methodname>get_screen_text_variants</methodname>).
      </para>
      <note>
       <para>

nixos/doc/manual/installation/installing-behind-a-proxy.xml

@@ -27,13 +27,13 @@ networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
     Setup the proxy environment variables in the shell where you are running
     <literal>nixos-install</literal>.
    </para>
-<programlisting>
-# proxy_url=&quot;http://user:password@proxy:port/&quot;
-# export http_proxy=&quot;$proxy_url&quot;
-# export HTTP_PROXY=&quot;$proxy_url&quot;
-# export https_proxy=&quot;$proxy_url&quot;
-# export HTTPS_PROXY=&quot;$proxy_url&quot;
-</programlisting>
+<screen>
+<prompt># </prompt>proxy_url=&quot;http://user:password@proxy:port/&quot;
+<prompt># </prompt>export http_proxy=&quot;$proxy_url&quot;
+<prompt># </prompt>export HTTP_PROXY=&quot;$proxy_url&quot;
+<prompt># </prompt>export https_proxy=&quot;$proxy_url&quot;
+<prompt># </prompt>export HTTPS_PROXY=&quot;$proxy_url&quot;
+</screen>
   </listitem>
  </orderedlist>
 

nixos/doc/manual/installation/installing-from-other-distro.xml

@@ -47,7 +47,7 @@
     Short version:
    </para>
 <screen>
-<prompt>$ </prompt>curl https://nixos.org/nix/install | sh
+<prompt>$ </prompt>curl -L https://nixos.org/nix/install | sh
 <prompt>$ </prompt>. $HOME/.nix-profile/etc/profile.d/nix.sh # …or open a fresh shell</screen>
    <para>
     More details in the
@@ -325,14 +325,14 @@ sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
     to boot on a USB rescue disk and do something along these lines:
    </para>
 <screen>
-# mkdir root
-# mount /dev/sdaX root
-# mkdir root/nixos-root
-# mv -v root/* root/nixos-root/
-# mv -v root/nixos-root/old-root/* root/
-# mv -v root/boot.bak root/boot  # We had renamed this by hand earlier
-# umount root
-# reboot</screen>
+<prompt># </prompt>mkdir root
+<prompt># </prompt>mount /dev/sdaX root
+<prompt># </prompt>mkdir root/nixos-root
+<prompt># </prompt>mv -v root/* root/nixos-root/
+<prompt># </prompt>mv -v root/nixos-root/old-root/* root/
+<prompt># </prompt>mv -v root/boot.bak root/boot  # We had renamed this by hand earlier
+<prompt># </prompt>umount root
+<prompt># </prompt>reboot</screen>
    <para>
     This may work as is or you might also need to reinstall the boot loader
    </para>

nixos/doc/manual/installation/installing.xml

@@ -70,9 +70,13 @@
 
    <para>
     If you would like to continue the installation from a different machine you
-    need to activate the SSH daemon via <command>systemctl start
-    sshd</command>. You then must set a password for either <literal>root</literal> or
-    <literal>nixos</literal> with <command>passwd</command> to be able to login.
+    can use activated SSH daemon. You need to copy your ssh key to either
+    <literal>/home/nixos/.ssh/authorized_keys</literal> or
+    <literal>/root/.ssh/authorized_keys</literal> (Tip: For installers with a
+    modifiable filesystem such as the sd-card installer image a key can be manually
+    placed by mounting the image on a different machine). Alternatively you must set
+    a password for either <literal>root</literal> or <literal>nixos</literal> with
+    <command>passwd</command> to be able to login.
    </para>
   </section>
  </section>

nixos/doc/manual/installation/upgrading.xml

@@ -14,7 +14,7 @@
     <para>
      <emphasis>Stable channels</emphasis>, such as
      <literal
-    xlink:href="https://nixos.org/channels/nixos-20.03">nixos-20.03</literal>.
+    xlink:href="https://nixos.org/channels/nixos-20.09">nixos-20.09</literal>.
      These only get conservative bug fixes and package upgrades. For instance,
      a channel update may cause the Linux kernel on your system to be upgraded
      from 4.19.34 to 4.19.38 (a minor bug fix), but not from
@@ -38,7 +38,7 @@
     <para>
      <emphasis>Small channels</emphasis>, such as
      <literal
-    xlink:href="https://nixos.org/channels/nixos-20.03-small">nixos-20.03-small</literal>
+    xlink:href="https://nixos.org/channels/nixos-20.09-small">nixos-20.09-small</literal>
      or
      <literal
     xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>.
@@ -63,36 +63,36 @@
  <para>
   When you first install NixOS, you’re automatically subscribed to the NixOS
   channel that corresponds to your installation source. For instance, if you
-  installed from a 20.03 ISO, you will be subscribed to the
-  <literal>nixos-20.03</literal> channel. To see which NixOS channel you’re
+  installed from a 20.09 ISO, you will be subscribed to the
+  <literal>nixos-20.09</literal> channel. To see which NixOS channel you’re
   subscribed to, run the following as root:
 <screen>
-# nix-channel --list | grep nixos
+<prompt># </prompt>nix-channel --list | grep nixos
 nixos https://nixos.org/channels/nixos-unstable
 </screen>
   To switch to a different NixOS channel, do
 <screen>
-# nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
+<prompt># </prompt>nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
 </screen>
   (Be sure to include the <literal>nixos</literal> parameter at the end.) For
-  instance, to use the NixOS 20.03 stable channel:
+  instance, to use the NixOS 20.09 stable channel:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-20.03 nixos
+<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-20.09 nixos
 </screen>
   If you have a server, you may want to use the “small” channel instead:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-20.03-small nixos
+<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-20.09-small nixos
 </screen>
   And if you want to live on the bleeding edge:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-unstable nixos
+<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-unstable nixos
 </screen>
  </para>
  <para>
   You can then upgrade NixOS to the latest version in your chosen channel by
   running
 <screen>
-# nixos-rebuild switch --upgrade
+<prompt># </prompt>nixos-rebuild switch --upgrade
 </screen>
   which is equivalent to the more verbose <literal>nix-channel --update nixos;
   nixos-rebuild switch</literal>.
@@ -132,7 +132,7 @@ nixos https://nixos.org/channels/nixos-unstable
    kernel, initrd or kernel modules.
    You can also specify a channel explicitly, e.g.
 <programlisting>
-<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-20.03;
+<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-20.09;
 </programlisting>
   </para>
  </section>

nixos/doc/manual/man-nixos-enter.xml

@@ -136,13 +136,13 @@
    <filename>/mnt</filename>:
   </para>
 <screen>
-# nixos-enter --root /mnt
+<prompt># </prompt>nixos-enter --root /mnt
 </screen>
   <para>
    Run a shell command:
   </para>
 <screen>
-# nixos-enter -c 'ls -l /; cat /proc/mounts'
+<prompt># </prompt>nixos-enter -c 'ls -l /; cat /proc/mounts'
 </screen>
   <para>
    Run a non-shell command:

nixos/doc/manual/man-nixos-install.xml

@@ -49,6 +49,12 @@
     <option>--flake</option> <replaceable>flake-uri</replaceable>
    </arg>
 
+   <arg>
+    <group choice='req'>
+     <arg choice='plain'><option>--impure</option></arg>
+    </group>
+   </arg>
+
    <arg>
      <arg choice='plain'>
        <option>--channel</option>

nixos/doc/manual/man-nixos-rebuild.xml

@@ -110,6 +110,11 @@
      <arg choice='plain'><option>-v</option></arg>
     </group>
    </arg>
+   <arg>
+    <group choice='req'>
+     <arg choice='plain'><option>--impure</option></arg>
+    </group>
+   </arg>
    <arg>
     <group choice='req'>
      <arg choice='plain'><option>--max-jobs</option></arg>
@@ -542,7 +547,7 @@
    In addition, <command>nixos-rebuild</command> accepts various Nix-related
    flags, including <option>--max-jobs</option> / <option>-j</option>,
    <option>--show-trace</option>, <option>--keep-failed</option>,
-   <option>--keep-going</option> and <option>--verbose</option> /
+   <option>--keep-going</option>, <option>--impure</option>, and <option>--verbose</option> /
    <option>-v</option>. See the Nix manual for details.
   </para>
  </refsection>

nixos/doc/manual/man-nixos-version.xml

@@ -33,7 +33,7 @@
   <para>
    This command shows the version of the currently active NixOS configuration.
    For example:
-<screen>$ nixos-version
+<screen><prompt>$ </prompt>nixos-version
 16.03.1011.6317da4 (Emu)
 </screen>
    The version consists of the following elements:
@@ -111,7 +111,7 @@
      <para>
       Show the full SHA1 hash of the Git commit from which this configuration
       was built, e.g.
-<screen>$ nixos-version --hash
+<screen><prompt>$ </prompt>nixos-version --hash
 6317da40006f6bc2480c6781999c52d88dde2acf
 </screen>
      </para>

nixos/doc/manual/release-notes/rl-1903.xml

@@ -173,7 +173,7 @@
      <listitem>
       <para>
        For users of a daemon-less Nix installation on Linux or macOS, you can
-       upgrade Nix by running <command>curl https://nixos.org/nix/install |
+       upgrade Nix by running <command>curl -L https://nixos.org/nix/install |
        sh</command>, or prior to doing a channel update, running
        <command>nix-env -iA nix</command>.
       </para>

nixos/lib/make-disk-image.nix

@@ -28,6 +28,9 @@
   #   partition of reasonable size is created in addition to the root partition.
   # For "legacy", the msdos partition table is used and a single large root
   #   partition is created.
+  # For "legacy+gpt", the GPT partition table is used, a 1MiB no-fs partition for
+  #   use by the bootloader is created, and a single large root partition is
+  #   created.
   # For "hybrid", the GPT partition table is used and a mandatory ESP
   #   partition of reasonable size is created in addition to the root partition.
   #   Also a legacy MBR will be present.
@@ -54,7 +57,7 @@
   format ? "raw"
 }:
 
-assert partitionTableType == "legacy" || partitionTableType == "efi" || partitionTableType == "hybrid" || partitionTableType == "none";
+assert partitionTableType == "legacy" || partitionTableType == "legacy+gpt" || partitionTableType == "efi" || partitionTableType == "hybrid" || partitionTableType == "none";
 # We use -E offset=X below, which is only supported by e2fsprogs
 assert partitionTableType != "none" -> fsType == "ext4";
 
@@ -75,6 +78,7 @@ let format' = format; in let
 
   rootPartition = { # switch-case
     legacy = "1";
+    "legacy+gpt" = "2";
     efi = "2";
     hybrid = "3";
   }.${partitionTableType};
@@ -85,6 +89,16 @@ let format' = format; in let
         mklabel msdos \
         mkpart primary ext4 1MiB -1
     '';
+    "legacy+gpt" = ''
+      parted --script $diskImage -- \
+        mklabel gpt \
+        mkpart no-fs 1MB 2MB \
+        set 1 bios_grub on \
+        align-check optimal 1 \
+        mkpart primary ext4 2MB -1 \
+        align-check optimal 2 \
+        print
+    '';
     efi = ''
       parted --script $diskImage -- \
         mklabel gpt \

nixos/lib/test-driver/test-driver.py

@@ -1,7 +1,7 @@
 #! /somewhere/python3
 from contextlib import contextmanager, _GeneratorContextManager
 from queue import Queue, Empty
-from typing import Tuple, Any, Callable, Dict, Iterator, Optional, List
+from typing import Tuple, Any, Callable, Dict, Iterator, Optional, List, Iterable
 from xml.sax.saxutils import XMLGenerator
 import queue
 import io
@@ -206,6 +206,37 @@ class Logger:
         self.xml.endElement("nest")
 
 
+def _perform_ocr_on_screenshot(
+    screenshot_path: str, model_ids: Iterable[int]
+) -> List[str]:
+    if shutil.which("tesseract") is None:
+        raise Exception("OCR requested but enableOCR is false")
+
+    magick_args = (
+        "-filter Catrom -density 72 -resample 300 "
+        + "-contrast -normalize -despeckle -type grayscale "
+        + "-sharpen 1 -posterize 3 -negate -gamma 100 "
+        + "-blur 1x65535"
+    )
+
+    tess_args = f"-c debug_file=/dev/null --psm 11"
+
+    cmd = f"convert {magick_args} {screenshot_path} tiff:{screenshot_path}.tiff"
+    ret = subprocess.run(cmd, shell=True, capture_output=True)
+    if ret.returncode != 0:
+        raise Exception(f"TIFF conversion failed with exit code {ret.returncode}")
+
+    model_results = []
+    for model_id in model_ids:
+        cmd = f"tesseract {screenshot_path}.tiff - {tess_args} --oem {model_id}"
+        ret = subprocess.run(cmd, shell=True, capture_output=True)
+        if ret.returncode != 0:
+            raise Exception(f"OCR failed with exit code {ret.returncode}")
+        model_results.append(ret.stdout.decode("utf-8"))
+
+    return model_results
+
+
 class Machine:
     def __init__(self, args: Dict[str, Any]) -> None:
         if "name" in args:
@@ -217,7 +248,7 @@ class Machine:
                 match = re.search("run-(.+)-vm$", cmd)
                 if match:
                     self.name = match.group(1)
-
+        self.logger = args["log"]
         self.script = args.get("startCommand", self.create_startcommand(args))
 
         tmp_dir = os.environ.get("TMPDIR", tempfile.gettempdir())
@@ -227,7 +258,10 @@ class Machine:
             os.makedirs(path, mode=0o700, exist_ok=True)
             return path
 
-        self.state_dir = create_dir("vm-state-{}".format(self.name))
+        self.state_dir = os.path.join(tmp_dir, f"vm-state-{self.name}")
+        if not args.get("keepVmState", False):
+            self.cleanup_statedir()
+        os.makedirs(self.state_dir, mode=0o700, exist_ok=True)
         self.shared_dir = create_dir("shared-xchg")
 
         self.booted = False
@@ -235,7 +269,6 @@ class Machine:
         self.pid: Optional[int] = None
         self.socket = None
         self.monitor: Optional[socket.socket] = None
-        self.logger: Logger = args["log"]
         self.allow_reboot = args.get("allowReboot", False)
 
     @staticmethod
@@ -637,43 +670,29 @@ class Machine:
         """
         self.execute("fold -w 80 /dev/vcs{} | systemd-cat".format(tty))
 
+    def _get_screen_text_variants(self, model_ids: Iterable[int]) -> List[str]:
+        with tempfile.TemporaryDirectory() as tmpdir:
+            screenshot_path = os.path.join(tmpdir, "ppm")
+            self.send_monitor_command(f"screendump {screenshot_path}")
+            return _perform_ocr_on_screenshot(screenshot_path, model_ids)
+
+    def get_screen_text_variants(self) -> List[str]:
+        return self._get_screen_text_variants([0, 1, 2])
+
     def get_screen_text(self) -> str:
-        if shutil.which("tesseract") is None:
-            raise Exception("get_screen_text used but enableOCR is false")
-
-        magick_args = (
-            "-filter Catrom -density 72 -resample 300 "
-            + "-contrast -normalize -despeckle -type grayscale "
-            + "-sharpen 1 -posterize 3 -negate -gamma 100 "
-            + "-blur 1x65535"
-        )
-
-        tess_args = "-c debug_file=/dev/null --psm 11 --oem 2"
-
-        with self.nested("performing optical character recognition"):
-            with tempfile.NamedTemporaryFile() as tmpin:
-                self.send_monitor_command("screendump {}".format(tmpin.name))
-
-                cmd = "convert {} {} tiff:- | tesseract - - {}".format(
-                    magick_args, tmpin.name, tess_args
-                )
-                ret = subprocess.run(cmd, shell=True, capture_output=True)
-                if ret.returncode != 0:
-                    raise Exception(
-                        "OCR failed with exit code {}".format(ret.returncode)
-                    )
-
-                return ret.stdout.decode("utf-8")
+        return self._get_screen_text_variants([2])[0]
 
     def wait_for_text(self, regex: str) -> None:
         def screen_matches(last: bool) -> bool:
-            text = self.get_screen_text()
-            matches = re.search(regex, text) is not None
+            variants = self.get_screen_text_variants()
+            for text in variants:
+                if re.search(regex, text) is not None:
+                    return True
 
-            if last and not matches:
-                self.log("Last OCR attempt failed. Text was: {}".format(text))
+            if last:
+                self.log("Last OCR attempt failed. Text was: {}".format(variants))
 
-            return matches
+            return False
 
         with self.nested("waiting for {} to appear on screen".format(regex)):
             retry(screen_matches)
@@ -780,9 +799,10 @@ class Machine:
         self.log("QEMU running (pid {})".format(self.pid))
 
     def cleanup_statedir(self) -> None:
-        self.log("delete the VM state directory")
-        if os.path.isfile(self.state_dir):
+        if os.path.isdir(self.state_dir):
             shutil.rmtree(self.state_dir)
+            self.logger.log(f"deleting VM state directory {self.state_dir}")
+            self.logger.log("if you want to keep the VM state, pass --keep-vm-state")
 
     def shutdown(self) -> None:
         if not self.booted:
@@ -940,10 +960,10 @@ if __name__ == "__main__":
     for nr, vde_socket, _, _ in vde_sockets:
         os.environ["QEMU_VDE_SOCKET_{}".format(nr)] = vde_socket
 
-    machines = [create_machine({"startCommand": s}) for s in vm_scripts]
-    for machine in machines:
-        if not cli_args.keep_vm_state:
-            machine.cleanup_statedir()
+    machines = [
+        create_machine({"startCommand": s, "keepVmState": cli_args.keep_vm_state})
+        for s in vm_scripts
+    ]
     machine_eval = [
         "{0} = machines[{1}]".format(m.name, idx) for idx, m in enumerate(machines)
     ]

nixos/maintainers/scripts/ec2/amazon-image.nix

@@ -57,7 +57,7 @@ in {
     inherit (cfg) contents format name;
     pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
     partitionTableType = if config.ec2.efi then "efi"
-                         else if config.ec2.hvm then "legacy"
+                         else if config.ec2.hvm then "legacy+gpt"
                          else "none";
     diskSize = cfg.sizeMB;
     fsType = "ext4";

nixos/maintainers/scripts/ec2/create-amis.sh

@@ -1,13 +1,15 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -p awscli -p jq -p qemu -i bash
+# shellcheck shell=bash
 
 # Uploads and registers NixOS images built from the
 # <nixos/release.nix> amazonImage attribute. Images are uploaded and
 # registered via a home region, and then copied to other regions.
 
-# The home region requires an s3 bucket, and a "vmimport" IAM role
-# with access to the S3 bucket.  Configuration of the vmimport role is
-# documented in
+# The home region requires an s3 bucket, and an IAM role named "vmimport"
+# (by default) with access to the S3 bucket. The name can be
+# configured with the "service_role_name" variable. Configuration of the
+# vmimport role is documented in
 # https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html
 
 # set -x
@@ -17,6 +19,7 @@ set -euo pipefail
 state_dir=$HOME/amis/ec2-images
 home_region=eu-west-1
 bucket=nixos-amis
+service_role_name=vmimport
 
 regions=(eu-west-1 eu-west-2 eu-west-3 eu-central-1 eu-north-1
          us-east-1 us-east-2 us-west-1 us-west-2
@@ -64,7 +67,7 @@ image_logical_bytes=$(read_image_info .logical_bytes)
 
 # Derived attributes
 
-image_logical_gigabytes=$((($image_logical_bytes-1)/1024/1024/1024+1)) # Round to the next GB
+image_logical_gigabytes=$(((image_logical_bytes-1)/1024/1024/1024+1)) # Round to the next GB
 
 case "$image_system" in
     aarch64-linux)
@@ -100,7 +103,7 @@ write_state() {
     local type=$2
     local val=$3
 
-    mkdir -p $state_dir
+    mkdir -p "$state_dir"
     echo "$val" > "$state_dir/$state_key.$type"
 }
 
@@ -110,8 +113,8 @@ wait_for_import() {
     local state snapshot_id
     log "Waiting for import task $task_id to be completed"
     while true; do
-        read state progress snapshot_id < <(
-            aws ec2 describe-import-snapshot-tasks --region $region --import-task-ids "$task_id" | \
+        read -r state progress snapshot_id < <(
+            aws ec2 describe-import-snapshot-tasks --region "$region" --import-task-ids "$task_id" | \
                 jq -r '.ImportSnapshotTasks[].SnapshotTaskDetail | "\(.Status) \(.Progress) \(.SnapshotId)"'
         )
         log " ... state=$state progress=$progress snapshot_id=$snapshot_id"
@@ -125,6 +128,8 @@ wait_for_import() {
                 ;;
             *)
                 log "Unexpected snapshot import state: '${state}'"
+                log "Full response: "
+                aws ec2 describe-import-snapshot-tasks --region "$region" --import-task-ids "$task_id" >&2
                 exit 1
                 ;;
         esac
@@ -138,8 +143,8 @@ wait_for_image() {
     log "Waiting for image $ami_id to be available"
 
     while true; do
-        read state < <(
-            aws ec2 describe-images --image-ids "$ami_id" --region $region | \
+        read -r state < <(
+            aws ec2 describe-images --image-ids "$ami_id" --region "$region" | \
                 jq -r ".Images[].State"
         )
         log " ... state=$state"
@@ -163,7 +168,7 @@ make_image_public() {
     local region=$1
     local ami_id=$2
 
-    wait_for_image $region "$ami_id"
+    wait_for_image "$region" "$ami_id"
 
     log "Making image $ami_id public"
 
@@ -177,27 +182,30 @@ upload_image() {
     local aws_path=${image_file#/}
 
     local state_key="$region.$image_label.$image_system"
-    local task_id=$(read_state "$state_key" task_id)
-    local snapshot_id=$(read_state "$state_key" snapshot_id)
-    local ami_id=$(read_state "$state_key" ami_id)
+    local task_id
+    task_id=$(read_state "$state_key" task_id)
+    local snapshot_id
+    snapshot_id=$(read_state "$state_key" snapshot_id)
+    local ami_id
+    ami_id=$(read_state "$state_key" ami_id)
 
     if [ -z "$task_id" ]; then
         log "Checking for image on S3"
         if ! aws s3 ls --region "$region" "s3://${bucket}/${aws_path}" >&2; then
             log "Image missing from aws, uploading"
-            aws s3 cp --region $region "$image_file" "s3://${bucket}/${aws_path}" >&2
+            aws s3 cp --region "$region" "$image_file" "s3://${bucket}/${aws_path}" >&2
         fi
 
         log "Importing image from S3 path s3://$bucket/$aws_path"
 
-        task_id=$(aws ec2 import-snapshot --disk-container "{
+        task_id=$(aws ec2 import-snapshot --role-name "$service_role_name" --disk-container "{
           \"Description\": \"nixos-image-${image_label}-${image_system}\",
           \"Format\": \"vhd\",
           \"UserBucket\": {
               \"S3Bucket\": \"$bucket\",
               \"S3Key\": \"$aws_path\"
           }
-        }" --region $region | jq -r '.ImportTaskId')
+        }" --region "$region" | jq -r '.ImportTaskId')
 
         write_state "$state_key" task_id "$task_id"
     fi
@@ -211,7 +219,7 @@ upload_image() {
         log "Registering snapshot $snapshot_id as AMI"
 
         local block_device_mappings=(
-            "DeviceName=/dev/xvda,Ebs={SnapshotId=$snapshot_id,VolumeSize=$image_logical_gigabytes,DeleteOnTermination=true,VolumeType=gp2}"
+            "DeviceName=/dev/xvda,Ebs={SnapshotId=$snapshot_id,VolumeSize=$image_logical_gigabytes,DeleteOnTermination=true,VolumeType=gp3}"
         )
 
         local extra_flags=(
@@ -221,16 +229,16 @@ upload_image() {
             --virtualization-type hvm
         )
 
-        block_device_mappings+=(DeviceName=/dev/sdb,VirtualName=ephemeral0)
-        block_device_mappings+=(DeviceName=/dev/sdc,VirtualName=ephemeral1)
-        block_device_mappings+=(DeviceName=/dev/sdd,VirtualName=ephemeral2)
-        block_device_mappings+=(DeviceName=/dev/sde,VirtualName=ephemeral3)
+        block_device_mappings+=("DeviceName=/dev/sdb,VirtualName=ephemeral0")
+        block_device_mappings+=("DeviceName=/dev/sdc,VirtualName=ephemeral1")
+        block_device_mappings+=("DeviceName=/dev/sdd,VirtualName=ephemeral2")
+        block_device_mappings+=("DeviceName=/dev/sde,VirtualName=ephemeral3")
 
         ami_id=$(
             aws ec2 register-image \
                 --name "$image_name" \
                 --description "$image_description" \
-                --region $region \
+                --region "$region" \
                 --architecture $amazon_arch \
                 --block-device-mappings "${block_device_mappings[@]}" \
                 "${extra_flags[@]}" \
@@ -240,7 +248,7 @@ upload_image() {
         write_state "$state_key" ami_id "$ami_id"
     fi
 
-    make_image_public $region "$ami_id"
+    make_image_public "$region" "$ami_id"
 
     echo "$ami_id"
 }
@@ -268,7 +276,7 @@ copy_to_region() {
         write_state "$state_key" ami_id "$ami_id"
     fi
 
-    make_image_public $region "$ami_id"
+    make_image_public "$region" "$ami_id"
 
     echo "$ami_id"
 }

nixos/modules/config/malloc.nix

@@ -23,7 +23,7 @@ let
     };
 
     scudo = {
-      libPath = "${pkgs.llvmPackages.compiler-rt}/lib/linux/libclang_rt.scudo-x86_64.so";
+      libPath = "${pkgs.llvmPackages_latest.compiler-rt}/lib/linux/libclang_rt.scudo-x86_64.so";
       description = ''
         A user-mode allocator based on LLVM Sanitizer’s CombinedAllocator,
         which aims at providing additional mitigations against heap based

nixos/modules/config/system-path.nix

@@ -41,6 +41,12 @@ let
       pkgs.zstd
     ];
 
+    defaultPackages = map (pkg: setPrio ((pkg.meta.priority or 5) + 3) pkg)
+      [ pkgs.perl
+        pkgs.rsync
+        pkgs.strace
+      ];
+
 in
 
 {
@@ -63,6 +69,21 @@ in
         '';
       };
 
+      defaultPackages = mkOption {
+        type = types.listOf types.package;
+        default = defaultPackages;
+        example = literalExample "[]";
+        description = ''
+          Set of packages users expect from a minimal linux istall.
+          Like systemPackages, they appear in
+          /run/current-system/sw.  These packages are
+          automatically available to all users, and are
+          automatically updated every time you rebuild the system
+          configuration.
+          If you want a more minimal system, set it to an empty list.
+        '';
+      };
+
       pathsToLink = mkOption {
         type = types.listOf types.str;
         # Note: We need `/lib' to be among `pathsToLink' for NSS modules
@@ -102,7 +123,7 @@ in
 
   config = {
 
-    environment.systemPackages = requiredPackages;
+    environment.systemPackages = requiredPackages ++ config.environment.defaultPackages;
 
     environment.pathsToLink =
       [ "/bin"

nixos/modules/config/update-users-groups.pl

@@ -281,6 +281,12 @@ foreach my $u (values %usersOut) {
 }
 
 updateFile("/etc/shadow", \@shadowNew, 0600);
+{
+    my $uid = getpwnam "root";
+    my $gid = getgrnam "shadow";
+    my $path = "/etc/shadow";
+    chown($uid, $gid, $path) || die "Failed to change ownership of $path: $!";
+}
 
 # Rewrite /etc/subuid & /etc/subgid to include default container mappings
 

nixos/modules/config/users-groups.nix

@@ -537,6 +537,7 @@ in {
       input.gid = ids.gids.input;
       kvm.gid = ids.gids.kvm;
       render.gid = ids.gids.render;
+      shadow.gid = ids.gids.shadow;
     };
 
     system.activationScripts.users = stringAfter [ "stdio" ]

nixos/modules/config/xdg/portal.nix

@@ -62,7 +62,7 @@ with lib;
       services.dbus.packages  = packages;
       systemd.packages = packages;
 
-      environment.variables = {
+      environment.sessionVariables = {
         GTK_USE_PORTAL = mkIf cfg.gtkUsePortal "1";
         XDG_DESKTOP_PORTAL_DIR = "${joinedPortals}/share/xdg-desktop-portal/portals";
       };

nixos/modules/hardware/system-76.nix

@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkOption mkEnableOption types mkIf mkMerge optional versionOlder;
+  cfg = config.hardware.system76;
+
+  kpkgs = config.boot.kernelPackages;
+  modules = [ "system76" "system76-io" ] ++ (optional (versionOlder kpkgs.kernel.version "5.5") "system76-acpi");
+  modulePackages = map (m: kpkgs.${m}) modules;
+  moduleConfig = mkIf cfg.kernel-modules.enable {
+    boot.extraModulePackages = modulePackages;
+
+    boot.kernelModules = modules;
+
+    services.udev.packages = modulePackages;
+  };
+
+  firmware-pkg = pkgs.system76-firmware;
+  firmwareConfig = mkIf cfg.firmware-daemon.enable {
+    services.dbus.packages = [ firmware-pkg ];
+
+    systemd.services.system76-firmware-daemon = {
+      description = "The System76 Firmware Daemon";
+
+      serviceConfig = {
+        ExecStart = "${firmware-pkg}/bin/system76-firmware-daemon";
+
+        Restart = "on-failure";
+      };
+
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+in {
+  options = {
+    hardware.system76 = {
+      enableAll = mkEnableOption "all recommended configuration for system76 systems";
+
+      firmware-daemon.enable = mkOption {
+        default = cfg.enableAll;
+        example = true;
+        description = "Whether to enable the system76 firmware daemon";
+        type = types.bool;
+      };
+
+      kernel-modules.enable = mkOption {
+        default = cfg.enableAll;
+        example = true;
+        description = "Whether to make the system76 out-of-tree kernel modules available";
+        type = types.bool;
+      };
+    };
+  };
+
+  config = mkMerge [ moduleConfig firmwareConfig ];
+}

nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix

@@ -9,7 +9,14 @@ with lib;
 
   isoImage.edition = "gnome";
 
-  services.xserver.desktopManager.gnome3.enable = true;
+  services.xserver.desktopManager.gnome3 = {
+    # Add firefox to favorite-apps
+    favoriteAppsOverride = ''
+      [org.gnome.shell]
+      favorite-apps=[ 'firefox.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop' ]
+    '';
+    enable = true;
+  };
 
   services.xserver.displayManager = {
     gdm = {

nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix

@@ -1,38 +0,0 @@
-# To build, use:
-# nix-build nixos -I nixos-config=nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix -A config.system.build.sdImage
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ../../profiles/base.nix
-    ../../profiles/installation-device.nix
-    ./sd-image.nix
-  ];
-
-  boot.loader.grub.enable = false;
-  boot.loader.raspberryPi.enable = true;
-  boot.loader.raspberryPi.version = 4;
-  boot.kernelPackages = pkgs.linuxPackages_rpi4;
-
-  boot.consoleLogLevel = lib.mkDefault 7;
-
-  sdImage = {
-    firmwareSize = 128;
-    firmwarePartitionName = "NIXOS_BOOT";
-    # This is a hack to avoid replicating config.txt from boot.loader.raspberryPi
-    populateFirmwareCommands =
-      "${config.system.build.installBootLoader} ${config.system.build.toplevel} -d ./firmware";
-    # As the boot process is done entirely in the firmware partition.
-    populateRootCommands = "";
-  };
-
-  fileSystems."/boot/firmware" = {
-    # This effectively "renames" the attrsOf entry set in sd-image.nix
-    mountPoint = "/boot";
-    neededForBoot = true;
-  };
-
-  # the installation media is also the installation target,
-  # so we don't want to provide the installation configuration.nix.
-  installer.cloneConfig = false;
-}

nixos/modules/installer/cd-dvd/sd-image.nix

@@ -223,9 +223,10 @@ in
         # Figure out device names for the boot device and root filesystem.
         rootPart=$(${pkgs.utillinux}/bin/findmnt -n -o SOURCE /)
         bootDevice=$(lsblk -npo PKNAME $rootPart)
+        partNum=$(lsblk -npo MAJ:MIN $rootPart | ${pkgs.gawk}/bin/awk -F: '{print $2}')
 
         # Resize the root partition and the filesystem to fit the disk
-        echo ",+," | sfdisk -N2 --no-reread $bootDevice
+        echo ",+," | sfdisk -N$partNum --no-reread $bootDevice
         ${pkgs.parted}/bin/partprobe
         ${pkgs.e2fsprogs}/bin/resize2fs $rootPart
 

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,6 +1,6 @@
 {
-  x86_64-linux = "/nix/store/4vz8sh9ngx34ivi0bw5hlycxdhvy5hvz-nix-2.3.7";
-  i686-linux = "/nix/store/dzxkg9lpp60bjmzvagns42vqlz3yq5kx-nix-2.3.7";
-  aarch64-linux = "/nix/store/cfvf8nl8mwyw817by5y8zd3s8pnf5m9f-nix-2.3.7";
-  x86_64-darwin = "/nix/store/5ira7xgs92inqz1x8l0n1wci4r79hnd0-nix-2.3.7";
+  x86_64-linux = "/nix/store/d1ppfhjhdwcsb4npfzyifv5z8i00fzsk-nix-2.3.11";
+  i686-linux = "/nix/store/c6ikndcrzwpfn2sb5b9xb1f17p9b8iga-nix-2.3.11";
+  aarch64-linux = "/nix/store/fb0lfrn0m8s197d264jzd64vhz9c8zbx-nix-2.3.11";
+  x86_64-darwin = "/nix/store/qvb86ffv08q3r66qbd6nqifz425lyyhf-nix-2.3.11";
 }

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -580,6 +580,22 @@ EOF
     return $config;
 }
 
+sub generateXserverConfig {
+    my $xserverEnabled = "@xserverEnabled@";
+
+    my $config = "";
+    if ($xserverEnabled eq "1") {
+        $config = <<EOF;
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+EOF
+    } else {
+        $config = <<EOF;
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+EOF
+    }
+}
 
 if ($showHardwareConfig) {
     print STDOUT $hwConfig;
@@ -625,10 +641,16 @@ EOF
 
         my $networkingDhcpConfig = generateNetworkingDhcpConfig();
 
+        my $xserverConfig = generateXserverConfig();
+
+        (my $desktopConfiguration = <<EOF)=~s/^/  /gm;
+@desktopConfiguration@
+EOF
+
         write_file($fn, <<EOF);
 @configuration@
 EOF
-        print STDERR "For more hardware-specific settings, see https://github.com/NixOS/nixos-hardware"
+        print STDERR "For more hardware-specific settings, see https://github.com/NixOS/nixos-hardware.\n"
     } else {
         print STDERR "warning: not overwriting existing $fn\n";
     }

nixos/modules/installer/tools/nixos-install.sh

@@ -64,7 +64,7 @@ while [ "$#" -gt 0 ]; do
         --no-bootloader)
             noBootLoader=1
             ;;
-        --show-trace)
+        --show-trace|--impure)
             extraBuildFlags+=("$i")
             ;;
         --help)
@@ -153,7 +153,7 @@ if [[ -z $system ]]; then
     else
         echo "building the flake in $flake..."
         nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.toplevel" \
-            --extra-substituters "$sub" "${verbosity[@]}" \
+            --store "$mountPoint" --extra-substituters "$sub" "${verbosity[@]}" \
             "${extraBuildFlags[@]}" "${lockFlags[@]}" --out-link "$outLink"
     fi
     system=$(readlink -f "$outLink")

nixos/modules/installer/tools/nixos-rebuild.sh

@@ -63,7 +63,7 @@ while [ "$#" -gt 0 ]; do
         j="$1"; shift 1
         extraBuildFlags+=("$i" "$j")
         ;;
-      --show-trace|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*|-L|--refresh|--no-net)
+      --show-trace|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*|-L|--refresh|--no-net|--impure)
         extraBuildFlags+=("$i")
         ;;
       --option)
@@ -438,15 +438,17 @@ if [ -z "$rollback" ]; then
         if [[ -z $flake ]]; then
             pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vm -k "${extraBuildFlags[@]}")"
         else
-            echo "$0: 'build-vm' is not supported with '--flake'" >&2
-            exit 1
+            nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.vm" \
+              "${extraBuildFlags[@]}" "${lockFlags[@]}"
+            pathToConfig="$(readlink -f ./result)"
         fi
     elif [ "$action" = build-vm-with-bootloader ]; then
         if [[ -z $flake ]]; then
             pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vmWithBootLoader -k "${extraBuildFlags[@]}")"
         else
-            echo "$0: 'build-vm-with-bootloader' is not supported with '--flake'" >&2
-            exit 1
+            nix "${flakeFlags[@]}" build "$flake#$flakeAttr.config.system.build.vmWithBootLoader" \
+              "${extraBuildFlags[@]}" "${lockFlags[@]}"
+            pathToConfig="$(readlink -f ./result)"
         fi
     else
         showSyntax

nixos/modules/installer/tools/tools.nix

@@ -22,7 +22,10 @@ let
     src = ./nixos-install.sh;
     inherit (pkgs) runtimeShell;
     nix = config.nix.package.out;
-    path = makeBinPath [ pkgs.nixUnstable nixos-enter ];
+    path = makeBinPath [
+      pkgs.jq
+      nixos-enter
+    ];
   };
 
   nixos-rebuild =
@@ -42,7 +45,8 @@ let
     src = ./nixos-generate-config.pl;
     path = lib.optionals (lib.elem "btrfs" config.boot.supportedFilesystems) [ pkgs.btrfs-progs ];
     perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/${pkgs.perl.libPrefix}";
-    inherit (config.system.nixos-generate-config) configuration;
+    inherit (config.system.nixos-generate-config) configuration desktopConfiguration;
+    xserverEnabled = config.services.xserver.enable;
   };
 
   nixos-option =
@@ -75,24 +79,42 @@ in
 
 {
 
-  options.system.nixos-generate-config.configuration = mkOption {
-    internal = true;
-    type = types.str;
-    description = ''
-      The NixOS module that <literal>nixos-generate-config</literal>
-      saves to <literal>/etc/nixos/configuration.nix</literal>.
+  options.system.nixos-generate-config = {
+    configuration = mkOption {
+      internal = true;
+      type = types.str;
+      description = ''
+        The NixOS module that <literal>nixos-generate-config</literal>
+        saves to <literal>/etc/nixos/configuration.nix</literal>.
 
-      This is an internal option. No backward compatibility is guaranteed.
-      Use at your own risk!
+        This is an internal option. No backward compatibility is guaranteed.
+        Use at your own risk!
 
-      Note that this string gets spliced into a Perl script. The perl
-      variable <literal>$bootLoaderConfig</literal> can be used to
-      splice in the boot loader configuration.
-    '';
+        Note that this string gets spliced into a Perl script. The perl
+        variable <literal>$bootLoaderConfig</literal> can be used to
+        splice in the boot loader configuration.
+      '';
+    };
+
+    desktopConfiguration = mkOption {
+      internal = true;
+      type = types.listOf types.lines;
+      default = [];
+      description = ''
+        Text to preseed the desktop configuration that <literal>nixos-generate-config</literal>
+        saves to <literal>/etc/nixos/configuration.nix</literal>.
+
+        This is an internal option. No backward compatibility is guaranteed.
+        Use at your own risk!
+
+        Note that this string gets spliced into a Perl script. The perl
+        variable <literal>$bootLoaderConfig</literal> can be used to
+        splice in the boot loader configuration.
+      '';
+    };
   };
 
   config = {
-
     system.nixos-generate-config.configuration = mkDefault ''
       # Edit this configuration file to define what should be installed on
       # your system.  Help is available in the configuration.nix(5) man page
@@ -110,6 +132,9 @@ in
         # networking.hostName = "nixos"; # Define your hostname.
         # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
 
+        # Set your time zone.
+        # time.timeZone = "Europe/Amsterdam";
+
       $networkingDhcpConfig
         # Configure network proxy if necessary
         # networking.proxy.default = "http://user:password\@proxy:port/";
@@ -122,13 +147,34 @@ in
         #   keyMap = "us";
         # };
 
-        # Set your time zone.
-        # time.timeZone = "Europe/Amsterdam";
+      $xserverConfig
+
+      $desktopConfiguration
+        # Configure keymap in X11
+        # services.xserver.layout = "us";
+        # services.xserver.xkbOptions = "eurosign:e";
+
+        # Enable CUPS to print documents.
+        # services.printing.enable = true;
+
+        # Enable sound.
+        # sound.enable = true;
+        # hardware.pulseaudio.enable = true;
+
+        # Enable touchpad support (enabled default in most desktopManager).
+        # services.xserver.libinput.enable = true;
+
+        # Define a user account. Don't forget to set a password with ‘passwd’.
+        # users.users.jane = {
+        #   isNormalUser = true;
+        #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+        # };
 
         # List packages installed in system profile. To search, run:
         # \$ nix search wget
         # environment.systemPackages = with pkgs; [
         #   wget vim
+        #   firefox
         # ];
 
         # Some programs need SUID wrappers, can be configured further or are
@@ -137,7 +183,6 @@ in
         # programs.gnupg.agent = {
         #   enable = true;
         #   enableSSHSupport = true;
-        #   pinentryFlavor = "gnome3";
         # };
 
         # List services that you want to enable:
@@ -151,31 +196,6 @@ in
         # Or disable the firewall altogether.
         # networking.firewall.enable = false;
 
-        # Enable CUPS to print documents.
-        # services.printing.enable = true;
-
-        # Enable sound.
-        # sound.enable = true;
-        # hardware.pulseaudio.enable = true;
-
-        # Enable the X11 windowing system.
-        # services.xserver.enable = true;
-        # services.xserver.layout = "us";
-        # services.xserver.xkbOptions = "eurosign:e";
-
-        # Enable touchpad support.
-        # services.xserver.libinput.enable = true;
-
-        # Enable the KDE Desktop Environment.
-        # services.xserver.displayManager.sddm.enable = true;
-        # services.xserver.desktopManager.plasma5.enable = true;
-
-        # Define a user account. Don't forget to set a password with ‘passwd’.
-        # users.users.jane = {
-        #   isNormalUser = true;
-        #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-        # };
-
         # This value determines the NixOS release from which the default
         # settings for stateful data, like file locations and database versions
         # on your system were taken. It‘s perfectly fine and recommended to leave

nixos/modules/misc/documentation.nix

@@ -209,7 +209,7 @@ in
           manualCache = pkgs.runCommandLocal "man-cache" { }
           ''
             echo "MANDB_MAP ${manualPages}/share/man $out" > man.conf
-            ${pkgs.man-db}/bin/mandb -C man.conf -psc
+            ${pkgs.man-db}/bin/mandb -C man.conf -psc >/dev/null 2>&1
           '';
         in
         ''

nixos/modules/misc/ids.nix

@@ -346,6 +346,7 @@ in
       paperless = 315;
       #mailman = 316;  # removed 2019-08-30
       zigbee2mqtt = 317;
+      # shadow = 318; # unused
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -467,7 +468,7 @@ in
       #minecraft = 114; # unused
       vault = 115;
       #ripped = 116; # unused
-      #murmur = 117; # unused
+      murmur = 117;
       foundationdb = 118;
       newrelic = 119;
       starbound = 120;
@@ -647,6 +648,7 @@ in
       paperless = 315;
       #mailman = 316;  # removed 2019-08-30
       zigbee2mqtt = 317;
+      shadow = 318;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/misc/version.nix

@@ -76,7 +76,7 @@ in
     defaultChannel = mkOption {
       internal = true;
       type = types.str;
-      default = "https://nixos.org/channels/nixos-unstable";
+      default = "https://nixos.org/channels/nixos-20.09";
       description = "Default NixOS channel to which the root user is subscribed.";
     };
 

nixos/modules/module-list.nix

@@ -60,6 +60,7 @@
   ./hardware/printers.nix
   ./hardware/raid/hpsa.nix
   ./hardware/steam-hardware.nix
+  ./hardware/system-76.nix
   ./hardware/tuxedo-keyboard.nix
   ./hardware/usb-wwan.nix
   ./hardware/onlykey.nix
@@ -137,6 +138,7 @@
   ./programs/light.nix
   ./programs/mosh.nix
   ./programs/mininet.nix
+  ./programs/msmtp.nix
   ./programs/mtr.nix
   ./programs/nano.nix
   ./programs/nm-applet.nix
@@ -728,6 +730,7 @@
   ./services/networking/skydns.nix
   ./services/networking/shadowsocks.nix
   ./services/networking/shairport-sync.nix
+  ./services/networking/shellhub-agent.nix
   ./services/networking/shorewall.nix
   ./services/networking/shorewall6.nix
   ./services/networking/shout.nix
@@ -841,7 +844,6 @@
   ./services/web-apps/atlassian/confluence.nix
   ./services/web-apps/atlassian/crowd.nix
   ./services/web-apps/atlassian/jira.nix
-  ./services/web-apps/codimd.nix
   ./services/web-apps/convos.nix
   ./services/web-apps/cryptpad.nix
   ./services/web-apps/documize.nix
@@ -851,6 +853,7 @@
   ./services/web-apps/gerrit.nix
   ./services/web-apps/gotify-server.nix
   ./services/web-apps/grocy.nix
+  ./services/web-apps/hedgedoc.nix
   ./services/web-apps/icingaweb2/icingaweb2.nix
   ./services/web-apps/icingaweb2/module-monitoring.nix
   ./services/web-apps/ihatemoney

nixos/modules/profiles/all-hardware.nix

@@ -35,6 +35,9 @@
       # drives.
       "uas"
 
+      # SD cards.
+      "sdhci_pci"
+
       # Firewire support.  Not tested.
       "ohci1394" "sbp2"
 

nixos/modules/profiles/hardened.nix

@@ -1,5 +1,10 @@
 # A profile with most (vanilla) hardening options enabled by default,
-# potentially at the cost of features and performance.
+# potentially at the cost of stability, features and performance.
+#
+# This profile enables options that are known to affect system
+# stability. If you experience any stability issues when using the
+# profile, try disabling it. If you report an issue and use this
+# profile, always mention that you do.
 
 { config, lib, pkgs, ... }:
 

nixos/modules/profiles/installation-device.nix

@@ -51,22 +51,23 @@ with lib;
     services.mingetty.helpLine = ''
       The "nixos" and "root" accounts have empty passwords.
 
-      Type `sudo systemctl start sshd` to start the SSH daemon.
-      You then must set a password for either "root" or "nixos"
-      with `passwd` to be able to login.
+      An ssh daemon is running. You then must set a password
+      for either "root" or "nixos" with `passwd` or add an ssh key
+      to /home/nixos/.ssh/authorized_keys be able to login.
     '' + optionalString config.services.xserver.enable ''
       Type `sudo systemctl start display-manager' to
       start the graphical user interface.
     '';
 
-    # Allow sshd to be started manually through "systemctl start sshd".
+    # We run sshd by default. Login via root is only possible after adding a
+    # password via "passwd" or by adding a ssh key to /home/nixos/.ssh/authorized_keys.
+    # The latter one is particular useful if keys are manually added to
+    # installation device for head-less systems i.e. arm boards by manually
+    # mounting the storage in a different system.
     services.openssh = {
       enable = true;
-      # Allow password login to the installation, if the user sets a password via "passwd"
-      # It is safe as root doesn't have a password by default and SSH is disabled by default
       permitRootLogin = "yes";
     };
-    systemd.services.sshd.wantedBy = mkOverride 50 [];
 
     # Enable wpa_supplicant, but don't start it by default.
     networking.wireless.enable = mkDefault true;

nixos/modules/programs/chromium.nix

@@ -29,7 +29,7 @@ in
           page. To install a chromium extension not included in the chrome web
           store, append to the extension id a semicolon ";" followed by a URL
           pointing to an Update Manifest XML file. See
-          <link xlink:href="https://www.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist">ExtensionInstallForcelist</link>
+          <link xlink:href="https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionInstallForcelist">ExtensionInstallForcelist</link>
           for additional details.
         '';
         default = [];

nixos/modules/programs/fish.nix

@@ -103,7 +103,7 @@ in
     programs.fish.shellAliases = mapAttrs (name: mkDefault) cfge.shellAliases;
 
     # Required for man completions
-    documentation.man.generateCaches = true;
+    documentation.man.generateCaches = lib.mkDefault true;
 
     environment.etc."fish/foreign-env/shellInit".text = cfge.shellInit;
     environment.etc."fish/foreign-env/loginShellInit".text = cfge.loginShellInit;

nixos/modules/programs/msmtp.nix

@@ -0,0 +1,104 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.msmtp;
+
+in {
+  meta.maintainers = with maintainers; [ pacien ];
+
+  options = {
+    programs.msmtp = {
+      enable = mkEnableOption "msmtp - an SMTP client";
+
+      setSendmail = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to set the system sendmail to msmtp's.
+        '';
+      };
+
+      defaults = mkOption {
+        type = types.attrs;
+        default = {};
+        example = {
+          aliases = "/etc/aliases";
+          port = 587;
+          tls = true;
+        };
+        description = ''
+          Default values applied to all accounts.
+          See msmtp(1) for the available options.
+        '';
+      };
+
+      accounts = mkOption {
+        type = with types; attrsOf attrs;
+        default = {};
+        example = {
+          "default" = {
+            host = "smtp.example";
+            auth = true;
+            user = "someone";
+            passwordeval = "cat /secrets/password.txt";
+          };
+        };
+        description = ''
+          Named accounts and their respective configurations.
+          The special name "default" allows a default account to be defined.
+          See msmtp(1) for the available options.
+
+          Use `programs.msmtp.extraConfig` instead of this attribute set-based
+          option if ordered account inheritance is needed.
+
+          It is advised to use the `passwordeval` setting to read the password
+          from a secret file to avoid having it written in the world-readable
+          nix store. The password file must end with a newline (`\n`).
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Extra lines to add to the msmtp configuration verbatim.
+          See msmtp(1) for the syntax and available options.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.msmtp ];
+
+    services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail {
+      program = "sendmail";
+      source = "${pkgs.msmtp}/bin/sendmail";
+      setuid = false;
+      setgid = false;
+    };
+
+    environment.etc."msmtprc".text = let
+      mkValueString = v:
+        if v == true then "on"
+        else if v == false then "off"
+        else generators.mkValueStringDefault {} v;
+      mkKeyValueString = k: v: "${k} ${mkValueString v}";
+      mkInnerSectionString =
+        attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValueString attrs);
+      mkAccountString = name: attrs: ''
+        account ${name}
+        ${mkInnerSectionString attrs}
+      '';
+    in ''
+      defaults
+      ${mkInnerSectionString cfg.defaults}
+
+      ${concatStringsSep "\n" (mapAttrsToList mkAccountString cfg.accounts)}
+
+      ${cfg.extraConfig}
+    '';
+  };
+}

nixos/modules/programs/qt5ct.nix

@@ -26,6 +26,6 @@ with lib;
   ###### implementation
   config = mkIf config.programs.qt5ct.enable {
     environment.variables.QT_QPA_PLATFORMTHEME = "qt5ct";
-    environment.systemPackages = with pkgs; [ qt5ct libsForQt5.qtstyleplugins ];
+    environment.systemPackages = with pkgs; [ qt5ct ];
   };
 }

nixos/modules/programs/ssmtp.nix

@@ -155,15 +155,16 @@ in
       (mkIf (cfg.authPassFile != null) { AuthPassFile = cfg.authPassFile; })
     ];
 
-    environment.etc."ssmtp/ssmtp.conf".source =
-      let
-        toStr = value:
+    # careful here: ssmtp REQUIRES all config lines to end with a newline char!
+    environment.etc."ssmtp/ssmtp.conf".text = with generators; toKeyValue {
+      mkKeyValue = mkKeyValueDefault {
+        mkValueString = value:
           if value == true then "YES"
           else if value == false then "NO"
-          else builtins.toString value
+          else mkValueStringDefault {} value
         ;
-      in
-        pkgs.writeText "ssmtp.conf" (concatStringsSep "\n" (mapAttrsToList (key: value: "${key}=${toStr value}") cfg.settings));
+      } "=";
+    } cfg.settings;
 
     environment.systemPackages = [pkgs.ssmtp];
 

nixos/modules/security/acme.nix

@@ -7,6 +7,11 @@ let
   numCerts = length (builtins.attrNames cfg.certs);
   _24hSecs = 60 * 60 * 24;
 
+  # Used to make unique paths for each cert/account config set
+  mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
+  mkAccountHash = acmeServer: data: mkHash "${toString acmeServer} ${data.keyType} ${data.email}";
+  accountDirRoot = "/var/lib/acme/.lego/accounts/";
+
   # There are many services required to make cert renewals work.
   # They all follow a common structure:
   #   - They inherit this commonServiceConfig
@@ -19,7 +24,7 @@ let
       Type = "oneshot";
       User = "acme";
       Group = mkDefault "acme";
-      UMask = 0027;
+      UMask = 0022;
       StateDirectoryMode = 750;
       ProtectSystem = "full";
       PrivateTmp = true;
@@ -54,23 +59,35 @@ let
     '';
   };
 
-  # Previously, all certs were owned by whatever user was configured in
-  # config.security.acme.certs.<cert>.user. Now everything is owned by and
-  # run by the acme user.
-  userMigrationService = {
-    description = "Fix owner and group of all ACME certificates";
-
-    script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: ''
-      for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do
+  # Ensures that directories which are shared across all certs
+  # exist and have the correct user and group, since group
+  # is configurable on a per-cert basis.
+  userMigrationService = let
+    script = with builtins; ''
+      chown -R acme .lego/accounts
+    '' + (concatStringsSep "\n" (mapAttrsToList (cert: data: ''
+      for fixpath in ${escapeShellArg cert} .lego/${escapeShellArg cert}; do
         if [ -d "$fixpath" ]; then
           chmod -R 750 "$fixpath"
           chown -R acme:${data.group} "$fixpath"
         fi
       done
-    '') certConfigs);
+    '') certConfigs));
+  in {
+    description = "Fix owner and group of all ACME certificates";
 
-    # We don't want this to run every time a renewal happens
-    serviceConfig.RemainAfterExit = true;
+    serviceConfig = commonServiceConfig // {
+      # We don't want this to run every time a renewal happens
+      RemainAfterExit = true;
+
+      # These StateDirectory entries negate the need for tmpfiles
+      StateDirectory = [ "acme" "acme/.lego" "acme/.lego/accounts" ];
+      StateDirectoryMode = 755;
+      WorkingDirectory = "/var/lib/acme";
+
+      # Run the start script as root
+      ExecStart = "+" + (pkgs.writeShellScript "acme-fixperms" script);
+    };
   };
 
   certToConfig = cert: data: let
@@ -101,11 +118,10 @@ let
       ${toString acmeServer} ${toString data.dnsProvider}
       ${toString data.ocspMustStaple} ${data.keyType}
     '';
-    mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
     certDir = mkHash hashData;
     domainHash = mkHash "${concatStringsSep " " extraDomains} ${data.domain}";
-    othersHash = mkHash "${toString acmeServer} ${data.keyType}";
-    accountDir = "/var/lib/acme/.lego/accounts/" + othersHash;
+    accountHash = (mkAccountHash acmeServer data);
+    accountDir = accountDirRoot + accountHash;
 
     protocolOpts = if useDns then (
       [ "--dns" data.dnsProvider ]
@@ -121,26 +137,28 @@ let
       "--email" data.email
       "--key-type" data.keyType
     ] ++ protocolOpts
-      ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ optionals (acmeServer != null) [ "--server" acmeServer ]
       ++ concatMap (name: [ "-d" name ]) extraDomains
       ++ data.extraLegoFlags;
 
+    # Although --must-staple is common to both modes, it is not declared as a
+    # mode-agnostic argument in lego and thus must come after the mode.
     runOpts = escapeShellArgs (
       commonOpts
       ++ [ "run" ]
+      ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRunFlags
     );
     renewOpts = escapeShellArgs (
       commonOpts
       ++ [ "renew" "--reuse-key" ]
+      ++ optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRenewFlags
     );
 
   in {
-    inherit accountDir selfsignedDeps;
+    inherit accountHash cert selfsignedDeps;
 
-    webroot = data.webroot;
     group = data.group;
 
     renewTimer = {
@@ -180,7 +198,10 @@ let
 
         StateDirectory = "acme/${cert}";
 
-        BindPaths = "/var/lib/acme/.minica:/tmp/ca /var/lib/acme/${cert}:/tmp/${keyName}";
+        BindPaths = [
+          "/var/lib/acme/.minica:/tmp/ca"
+          "/var/lib/acme/${cert}:/tmp/${keyName}"
+        ];
       };
 
       # Working directory will be /tmp
@@ -207,7 +228,7 @@ let
 
     renewService = {
       description = "Renew ACME certificate for ${cert}";
-      after = [ "network.target" "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps;
+      after = [ "network.target" "network-online.target" "acme-fixperms.service" "nss-lookup.target" ] ++ selfsignedDeps;
       wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps;
 
       # https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099
@@ -218,16 +239,22 @@ let
       serviceConfig = commonServiceConfig // {
         Group = data.group;
 
-        # AccountDir dir will be created by tmpfiles to ensure correct permissions
-        # And to avoid deletion during systemctl clean
-        # acme/.lego/${cert} is listed so that it is deleted during systemctl clean
-        StateDirectory = "acme/${cert} acme/.lego/${cert} acme/.lego/${cert}/${certDir}";
+        # Keep in mind that these directories will be deleted if the user runs
+        # systemctl clean --what=state
+        # acme/.lego/${cert} is listed for this reason.
+        StateDirectory = [
+          "acme/${cert}"
+          "acme/.lego/${cert}"
+          "acme/.lego/${cert}/${certDir}"
+          "acme/.lego/accounts/${accountHash}"
+        ];
 
         # Needs to be space separated, but can't use a multiline string because that'll include newlines
-        BindPaths =
-          "${accountDir}:/tmp/accounts " +
-          "/var/lib/acme/${cert}:/tmp/out " +
-          "/var/lib/acme/.lego/${cert}/${certDir}:/tmp/certificates ";
+        BindPaths = [
+          "${accountDir}:/tmp/accounts"
+          "/var/lib/acme/${cert}:/tmp/out"
+          "/var/lib/acme/.lego/${cert}/${certDir}:/tmp/certificates"
+        ];
 
         # Only try loading the credentialsFile if the dns challenge is enabled
         EnvironmentFile = mkIf useDns data.credentialsFile;
@@ -244,12 +271,24 @@ let
 
       # Working directory will be /tmp
       script = ''
-        set -euo pipefail
+        set -euxo pipefail
+
+        ${optionalString (data.webroot != null) ''
+          # Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.
+          # Lego will fail if the webroot does not exist at all.
+          (
+            mkdir -p '${data.webroot}/.well-known/acme-challenge' \
+            && chgrp '${data.group}' ${data.webroot}/.well-known/acme-challenge
+          ) || (
+            echo 'Please ensure ${data.webroot}/.well-known/acme-challenge exists and is writable by acme:${data.group}' \
+            && exit 1
+          )
+        ''}
 
         echo '${domainHash}' > domainhash.txt
 
         # Check if we can renew
-        if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' ]; then
+        if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then
 
           # When domains are updated, there's no need to do a full
           # Lego run, but it's likely renew won't work if days is too low.
@@ -648,21 +687,33 @@ in {
 
       systemd.timers = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewTimer) certConfigs;
 
-      # .lego and .lego/accounts specified to fix any incorrect permissions
-      systemd.tmpfiles.rules = [
-        "d /var/lib/acme/.lego - acme acme"
-        "d /var/lib/acme/.lego/accounts - acme acme"
-      ] ++ (unique (concatMap (conf: [
-          "d ${conf.accountDir} - acme acme"
-        ] ++ (optional (conf.webroot != null) "d ${conf.webroot}/.well-known/acme-challenge - acme ${conf.group}")
-      ) (attrValues certConfigs)));
+      systemd.targets = let
+        # Create some targets which can be depended on to be "active" after cert renewals
+        finishedTargets = mapAttrs' (cert: conf: nameValuePair "acme-finished-${cert}" {
+          wantedBy = [ "default.target" ];
+          requires = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
+          after = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
+        }) certConfigs;
 
-      # Create some targets which can be depended on to be "active" after cert renewals
-      systemd.targets = mapAttrs' (cert: conf: nameValuePair "acme-finished-${cert}" {
-        wantedBy = [ "default.target" ];
-        requires = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
-        after = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
-      }) certConfigs;
+        # Create targets to limit the number of simultaneous account creations
+        # How it works:
+        # - Pick a "leader" cert service, which will be in charge of creating the account,
+        #   and run first (requires + after)
+        # - Make all other cert services sharing the same account wait for the leader to
+        #   finish before starting (requiredBy + before).
+        # Using a target here is fine - account creation is a one time event. Even if
+        # systemd clean --what=state is used to delete the account, so long as the user
+        # then runs one of the cert services, there won't be any issues.
+        accountTargets = mapAttrs' (hash: confs: let
+          leader = "acme-${(builtins.head confs).cert}.service";
+          dependantServices = map (conf: "acme-${conf.cert}.service") (builtins.tail confs);
+        in nameValuePair "acme-account-${hash}" {
+          requiredBy = dependantServices;
+          before = dependantServices;
+          requires = [ leader ];
+          after = [ leader ];
+        }) (groupBy (conf: conf.accountHash) (attrValues certConfigs));
+      in finishedTargets // accountTargets;
     })
   ];
 

nixos/modules/security/acme.xml

@@ -162,6 +162,9 @@ services.httpd = {
 <xref linkend="opt-security.acme.certs"/>."foo.example.com" = {
   <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/lib/acme/.challenges";
   <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com";
+  # Ensure that the web server you use can read the generated certs
+  # Take a look at the <link linkend="opt-services.nginx.group">group</link> option for the web server you choose.
+  <link linkend="opt-security.acme.certs._name_.group">group</link> = "nginx";
   # Since we have a wildcard vhost to handle port 80,
   # we can generate certs for anything!
   # Just make sure your DNS resolves them.
@@ -257,10 +260,35 @@ chmod 400 /var/lib/secrets/certs.secret
   <para>
    Should you need to regenerate a particular certificate in a hurry, such
    as when a vulnerability is found in Let's Encrypt, there is now a convenient
-   mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal>
-   will remove all certificate files for the given domain, allowing you to then
-   <literal>systemctl start acme-example.com.service</literal> to generate fresh
-   ones.
+   mechanism for doing so. Running
+   <literal>systemctl clean --what=state acme-example.com.service</literal>
+   will remove all certificate files and the account data for the given domain,
+   allowing you to then <literal>systemctl start acme-example.com.service</literal>
+   to generate fresh ones.
   </para>
  </section>
+ <section xml:id="module-security-acme-fix-jws">
+  <title>Fixing JWS Verification error</title>
+
+  <para>
+   It is possible that your account credentials file may become corrupt and need
+   to be regenerated. In this scenario lego will produce the error <literal>JWS verification error</literal>.
+   The solution is to simply delete the associated accounts file and
+   re-run the affected service(s).
+  </para>
+
+<programlisting>
+# Find the accounts folder for the certificate
+systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*'
+export accountdir="$(!!)"
+# Move this folder to some place else
+mv /var/lib/acme/.lego/$accountdir{,.bak}
+# Recreate the folder using systemd-tmpfiles
+systemd-tmpfiles --create
+# Get a new account and reissue certificates
+# Note: Do this for all certs that share the same account email address
+systemctl start acme-example.com.service
+</programlisting>
+
+ </section>
 </chapter>

nixos/modules/security/pam.nix

@@ -394,7 +394,7 @@ let
                 "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
               ${optionalString cfg.enableKwallet
                 ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
-                 " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
+                 " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")}
               ${optionalString cfg.enableGnomeKeyring
                 "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
               ${optionalString cfg.googleAuthenticator.enable
@@ -471,7 +471,7 @@ let
               "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
           ${optionalString (cfg.enableKwallet)
               ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
-               " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
+               " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")}
           ${optionalString (cfg.enableGnomeKeyring)
               "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
           ${optionalString (config.virtualisation.lxc.lxcfs.enable)

nixos/modules/security/rngd.nix

@@ -10,11 +10,10 @@ in
     security.rngd = {
       enable = mkOption {
         type = types.bool;
-        default = true;
+        default = false;
         description = ''
-          Whether to enable the rng daemon, which adds entropy from
-          hardware sources of randomness to the kernel entropy pool when
-          available.
+          Whether to enable the rng daemon.  Devices that the kernel recognises
+          as entropy sources are handled automatically by krngd.
         '';
       };
       debug = mkOption {
@@ -26,12 +25,6 @@ in
   };
 
   config = mkIf cfg.enable {
-    services.udev.extraRules = ''
-      KERNEL=="random", TAG+="systemd"
-      SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
-      KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
-    '';
-
     systemd.services.rngd = {
       bindsTo = [ "dev-random.device" ];
 

nixos/modules/security/systemd-confinement.nix

@@ -135,7 +135,7 @@ in {
           ];
           execPkgs = lib.concatMap (opt: let
             isSet = config.serviceConfig ? ${opt};
-          in lib.optional isSet config.serviceConfig.${opt}) execOpts;
+          in lib.flatten (lib.optional isSet config.serviceConfig.${opt})) execOpts;
           unitAttrs = toplevelConfig.systemd.units."${name}.service";
           allPkgs = lib.singleton (builtins.toJSON unitAttrs);
           unitPkgs = if fullUnit then allPkgs else execPkgs;
@@ -160,7 +160,7 @@ in {
               + " the 'users.users' option instead as this combination is"
               + " currently not supported.";
     }
-    { assertion = !cfg.serviceConfig.ProtectSystem or false;
+    { assertion = cfg.serviceConfig ? ProtectSystem -> cfg.serviceConfig.ProtectSystem == false;
       message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible"
               + " with service confinement as it fails to remount /usr within"
               + " our chroot. Please disable the option.";

nixos/modules/security/wrappers/default.nix

@@ -169,7 +169,7 @@ in
 
     boot.specialFileSystems.${parentWrapperDir} = {
       fsType = "tmpfs";
-      options = [ "nodev" ];
+      options = [ "nodev" "mode=755" ];
     };
 
     # Make sure our wrapperDir exports to the PATH env variable when
@@ -187,6 +187,8 @@ in
           # programs to be wrapped.
           WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
 
+          chmod 755 "${parentWrapperDir}"
+
           # We want to place the tmpdirs for the wrappers to the parent dir.
           wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
           chmod a+rx $wrapperDir
@@ -197,6 +199,9 @@ in
             # Atomically replace the symlink
             # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
             old=$(readlink -f ${wrapperDir})
+            if [ -e ${wrapperDir}-tmp ]; then
+              rm --force --recursive ${wrapperDir}-tmp
+            fi
             ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
             mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
             rm --force --recursive $old

nixos/modules/services/backup/borgbackup.xml

@@ -69,10 +69,10 @@
     access this single repository. You need the output of the generate pub file.
   </para>
     <para>
-        <programlisting>
-# sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_my_borg_repo
-# cat /run/keys/id_ed25519_my_borg_repo
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos</programlisting>
+<screen>
+<prompt># </prompt>sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_my_borg_repo
+<prompt># </prompt>cat /run/keys/id_ed25519_my_borg_repo
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos</screen>
     </para>
     <para>
       Add the following snippet to your NixOS configuration:

nixos/modules/services/cluster/kubernetes/pki.nix

@@ -20,7 +20,7 @@ let
         size = 2048;
     };
     CN = top.masterAddress;
-    hosts = cfg.cfsslAPIExtraSANs;
+    hosts = [top.masterAddress] ++ cfg.cfsslAPIExtraSANs;
   });
 
   cfsslAPITokenBaseName = "apitoken.secret";
@@ -228,7 +228,8 @@ in
             };
             private_key = cert.privateKeyOptions;
             request = {
-              inherit (cert) CN hosts;
+              hosts = [cert.CN] ++ cert.hosts;
+              inherit (cert) CN;
               key = {
                 algo = "rsa";
                 size = 2048;

nixos/modules/services/databases/victoriametrics.nix

@@ -49,8 +49,8 @@ let cfg = config.services.victoriametrics; in
         ExecStart = ''
           ${cfg.package}/bin/victoria-metrics \
               -storageDataPath=/var/lib/victoriametrics \
-              -httpListenAddr ${cfg.listenAddress}
-              -retentionPeriod ${toString cfg.retentionPeriod}
+              -httpListenAddr ${cfg.listenAddress} \
+              -retentionPeriod ${toString cfg.retentionPeriod} \
               ${lib.escapeShellArgs cfg.extraOptions}
         '';
       };

nixos/modules/services/desktops/flatpak.nix

@@ -15,6 +15,18 @@ in {
   options = {
     services.flatpak = {
       enable = mkEnableOption "flatpak";
+
+      guiPackages = mkOption {
+        internal = true;
+        type = types.listOf types.package;
+        default = [];
+        example = literalExample "[ pkgs.gnome3.gnome-software ]";
+        description = ''
+          Packages that provide an interface for flatpak
+          (like gnome-software) that will be automatically available
+          to all users when flatpak is enabled.
+        '';
+      };
     };
   };
 
@@ -28,7 +40,7 @@ in {
       }
     ];
 
-    environment.systemPackages = [ pkgs.flatpak ];
+    environment.systemPackages = [ pkgs.flatpak ] ++ cfg.guiPackages;
 
     services.dbus.packages = [ pkgs.flatpak ];
 

nixos/modules/services/games/factorio.nix

@@ -49,8 +49,13 @@ in
         default = 34197;
         description = ''
           The port to which the service should bind.
-
-          This option will also open up the UDP port in the firewall configuration.
+        '';
+      };
+      openFirewall = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to automatically open the specified UDP port in the firewall.
         '';
       };
       saveName = mkOption {
@@ -237,6 +242,6 @@ in
       };
     };
 
-    networking.firewall.allowedUDPPorts = [ cfg.port ];
+    networking.firewall.allowedUDPPorts = if cfg.openFirewall then [ cfg.port ] else [];
   };
 }

nixos/modules/services/games/minetest-server.nix

@@ -4,7 +4,7 @@ with lib;
 
 let
   cfg   = config.services.minetest-server;
-  flag  = val: name: if val != null then "--${name} ${val} " else "";
+  flag  = val: name: if val != null then "--${name} ${toString val} " else "";
   flags = [
     (flag cfg.gameId "gameid")
     (flag cfg.world "world")