Revert "nixos/fonts: Add unifont to list of default fonts."

This reverts commit 53746ff9d2 because it increases default system closure size significantly. It's also unnecessary - people can always add fonts themselves.
typos
2026-01-12 19:00:19 +08:00 · 2015-09-30 21:46:06 +02:00 · 2015-09-30 21:27:37 +02:00 · 2015-09-30 21:27:30 +02:00 · 2015-09-30 21:26:58 +02:00 · 2015-09-30 21:06:46 +02:00
688 changed files with 528297 additions and 10993 deletions
--- a/.version
+++ b/.version
@@ -1 +1 @@
-15.08
+15.09
--- a/README.md
+++ b/README.md
@@ -33,8 +33,10 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
 * [Continuous package builds for 14.12 release](https://hydra.nixos.org/jobset/nixos/release-14.12)
+* [Continuous package builds for 15.09 release](https://hydra.nixos.org/jobset/nixos/release-15.09)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
 * [Tests for 14.12 release](https://hydra.nixos.org/job/nixos/release-14.12/tested#tabs-constituents)
+* [Tests for 15.09 release](https://hydra.nixos.org/job/nixos/release-15.09/tested#tabs-constituents)

 Communication:

--- a/doc/functions.xml
+++ b/doc/functions.xml
@@ -248,7 +248,7 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
  targetPkgs = pkgs: (with pkgs;
    [ udev
      alsaLib
-    ]) ++ (with pkgs.xlibs;
+    ]) ++ (with pkgs.xorg;
    [ libX11
      libXcursor
      libXrandr
--- a/doc/haskell-users-guide.xml
+++ b/doc/haskell-users-guide.xml
@@ -11,14 +11,13 @@
    registered on
    <link xlink:href="http://hackage.haskell.org/">Hackage</link>, but
    strangely enough normal Nix package lookups don't seem to discover
-    any of them:
+    any of them, except for the default version of ghc, cabal-install, and stack:
  </para>
  <programlisting>
-$ nix-env -qa cabal-install
-error: selector ‘cabal-install’ matches no derivations
-
-$ nix-env -i ghc
-error: selector ‘ghc’ matches no derivations
+$ nix-env -i alex
+error: selector ‘alex’ matches no derivations
+$ nix-env -qa ghc
+ghc-7.10.2
 </programlisting>
  <para>
    The Haskell package set is not registered in the top-level namespace
@@ -95,7 +94,7 @@ $ nix-env -qaP coreutils
 nixos.coreutils  coreutils-8.23
 </programlisting>
  <para>
-    If your system responds like that (most NixOS installatios will),
+    If your system responds like that (most NixOS installations will),
    then the attribute path to <literal>haskellPackages</literal> is
    <literal>nixos.haskellPackages</literal>. Thus, if you want to
    use <literal>nix-env</literal> without giving an explicit
@@ -119,7 +118,7 @@ $ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A haskell.packages.ghc763
 </programlisting>
  <para>
    The name <literal>haskellPackages</literal> is really just a synonym
-    for <literal>haskell.packages.ghc7101</literal>, because we prefer
+    for <literal>haskell.packages.ghc7102</literal>, because we prefer
    that package set internally and recommend it to our users as their
    default choice, but ultimately you are free to compile your Haskell
    packages with any GHC version you please. The following command
@@ -134,7 +133,7 @@ haskell.compiler.ghc722         ghc-7.2.2
 haskell.compiler.ghc742         ghc-7.4.2
 haskell.compiler.ghc763         ghc-7.6.3
 haskell.compiler.ghc784         ghc-7.8.4
-haskell.compiler.ghc7101        ghc-7.10.1
+haskell.compiler.ghc7102        ghc-7.10.2
 haskell.compiler.ghcHEAD        ghc-7.11.20150402
 haskell.compiler.ghcNokinds     ghc-nokinds-7.11.20150704
 haskell.compiler.ghcjs          ghcjs-0.1.0
@@ -167,7 +166,7 @@ $ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.ghc haskellPackages
    <para>
      Instead of the default package set
      <literal>haskellPackages</literal>, you can also use the more
-      precise name <literal>haskell.compiler.ghc7101</literal>, which
+      precise name <literal>haskell.compiler.ghc7102</literal>, which
      has the advantage that it refers to the same GHC version
      regardless of what Nixpkgs considers &quot;default&quot; at any
      given time.
@@ -254,7 +253,7 @@ $ nix-shell -p haskell.compiler.ghc784 --command &quot;cabal configure&quot;
 $ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: [pkgs.mtl])&quot;

 [nix-shell:~]$ ghc-pkg list mtl
-/nix/store/zy79...-ghc-7.10.1/lib/ghc-7.10.1/package.conf.d:
+/nix/store/zy79...-ghc-7.10.2/lib/ghc-7.10.2/package.conf.d:
    mtl-2.2.1
 </programlisting>
    <para>
@@ -266,7 +265,7 @@ $ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: [pkgs.mtl])&quot;
 {
  packageOverrides = super: let self = super.pkgs; in
  {
-    myHaskellEnv = self.haskell.packages.ghc7101.ghcWithPackages
+    myHaskellEnv = self.haskell.packages.ghc7102.ghcWithPackages
                     (haskellPackages: with haskellPackages; [
                       # libraries
                       arrows async cgi criterion
@@ -281,7 +280,7 @@ $ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: [pkgs.mtl])&quot;
      <literal>nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA myHaskellEnv</literal>.
      If you'd like to switch that development environment to a
      different version of GHC, just replace the
-      <literal>ghc7101</literal> bit in the previous definition with the
+      <literal>ghc7102</literal> bit in the previous definition with the
      appropriate name. Of course, it's also possible to define any
      number of these development environments! (You can't install two
      of them into the same profile at the same time, though, because
@@ -296,11 +295,11 @@ $ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: [pkgs.mtl])&quot;
    <programlisting>
 $ cat $(type -p ghc)
 #! /nix/store/xlxj...-bash-4.3-p33/bin/bash -e
-export NIX_GHC=/nix/store/19sm...-ghc-7.10.1/bin/ghc
-export NIX_GHCPKG=/nix/store/19sm...-ghc-7.10.1/bin/ghc-pkg
-export NIX_GHC_DOCDIR=/nix/store/19sm...-ghc-7.10.1/share/doc/ghc/html
-export NIX_GHC_LIBDIR=/nix/store/19sm...-ghc-7.10.1/lib/ghc-7.10.1
-exec /nix/store/j50p...-ghc-7.10.1/bin/ghc &quot;-B$NIX_GHC_LIBDIR&quot; &quot;$@&quot;
+export NIX_GHC=/nix/store/19sm...-ghc-7.10.2/bin/ghc
+export NIX_GHCPKG=/nix/store/19sm...-ghc-7.10.2/bin/ghc-pkg
+export NIX_GHC_DOCDIR=/nix/store/19sm...-ghc-7.10.2/share/doc/ghc/html
+export NIX_GHC_LIBDIR=/nix/store/19sm...-ghc-7.10.2/lib/ghc-7.10.2
+exec /nix/store/j50p...-ghc-7.10.2/bin/ghc &quot;-B$NIX_GHC_LIBDIR&quot; &quot;$@&quot;
 </programlisting>
    <para>
      The variables <literal>$NIX_GHC</literal>,
@@ -354,6 +353,90 @@ if [ -e ~/.nix-profile/bin/ghc ]; then
 fi
 </programlisting>
  </section>
+  <section xml:id="how-to-install-a-compiler-with-indexes">
+    <title>How to install a compiler with libraries, hoogle and documentation indexes</title>
+    <para>
+      If you plan to use your environment for interactive programming,
+      not just compiling random Haskell code, you might want to
+      replace <literal>ghcWithPackages</literal> in all the listings
+      above with <literal>ghcWithHoogle</literal>.
+    </para>
+    <para>
+      This environment generator not only produces an environment with
+      GHC and all the specified libraries, but also generates a
+      <literal>hoogle</literal> and <literal>haddock</literal> indexes
+      for all the packages, and provides a wrapper script around
+      <literal>hoogle</literal> binary that uses all those things. A
+      precise name for this thing would be
+      "<literal>ghcWithPackagesAndHoogleAndDocumentationIndexes</literal>",
+      which is, regrettably, too long and scary.
+    </para>
+    <para>
+      For example, installing the following environment
+    </para>
+    <programlisting>
+{
+  packageOverrides = super: let self = super.pkgs; in
+  {
+    myHaskellEnv = self.haskellPackages.ghcWithHoogle
+                     (haskellPackages: with haskellPackages; [
+                       # libraries
+                       arrows async cgi criterion
+                       # tools
+                       cabal-install haskintex
+                     ]);
+  };
+}
+</programlisting>
+    <para>
+      allows one to browse module documentation index <link
+      xlink:href="https://downloads.haskell.org/~ghc/latest/docs/html/libraries/index.html">not
+      too dissimilar to this</link> for all the specified packages and
+      their dependencies by directing a browser of choice to
+      <literal>~/.nix-profiles/share/doc/hoogle/index.html</literal>
+      (or
+      <literal>/run/current-system/sw/share/doc/hoogle/index.html</literal>
+      in case you put it in
+      <literal>environment.systemPackages</literal> in NixOS).
+    </para>
+    <para>
+      After you've marveled enough at that try adding the following to
+      your <literal>~/.ghc/ghci.conf</literal>
+    </para>
+    <programlisting>
+:def hoogle \s -> return $ ":! hoogle search -cl --count=15 \"" ++ s ++ "\""
+:def doc \s -> return $ ":! hoogle search -cl --info \"" ++ s ++ "\""
+</programlisting>
+    <para>
+      and test it by typing into <literal>ghci</literal>:
+    </para>
+    <programlisting>
+:hoogle a -> a
+:doc a -> a
+</programlisting>
+    <para>
+      Be sure to note the links to <literal>haddock</literal> files in
+      the output. With any modern and properly configured terminal
+      emulator you can just click those links to navigate there.
+    </para>
+    <para>
+      Finally, you can run
+    </para>
+    <programlisting>
+hoogle server -p 8080
+</programlisting>
+    <para>
+      and navigate to <link xlink:href="http://localhost:8080/"/> for
+      your own local <link
+      xlink:href="https://www.haskell.org/hoogle/">Hoogle</link>.
+      Note, however, that Firefox and possibly other browsers disallow
+      navigation from <literal>http:</literal> to
+      <literal>file:</literal> URIs for security reasons, which might
+      be quite an inconvenience. See <link
+      xlink:href="http://kb.mozillazine.org/Links_to_local_pages_do_not_work">this
+      page</link> for workarounds.
+    </para>
+  </section>
  <section xml:id="how-to-create-ad-hoc-environments-for-nix-shell">
    <title>How to create ad hoc environments for
    <literal>nix-shell</literal></title>
@@ -371,7 +454,7 @@ nix-shell -p &quot;haskellPackages.ghcWithPackages (pkgs: with pkgs; [mtl pandoc
      <literal>shell.nix</literal> that looks like this:
    </para>
    <programlisting>
-{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7101&quot; }:
+{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7102&quot; }:
 let
  inherit (nixpkgs) pkgs;
  ghc = pkgs.haskell.packages.${compiler}.ghcWithPackages (ps: with ps; [
@@ -451,7 +534,7 @@ $ cabal2nix . &gt;foo.nix
      <literal>default.nix</literal>:
    </para>
    <programlisting>
-{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7101&quot; }:
+{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7102&quot; }:
 nixpkgs.pkgs.haskell.packages.${compiler}.callPackage ./foo.nix { }
 </programlisting>
    <para>
@@ -459,7 +542,7 @@ nixpkgs.pkgs.haskell.packages.${compiler}.callPackage ./foo.nix { }
      <literal>shell.nix</literal>:
    </para>
    <programlisting>
-{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7101&quot; }:
+{ nixpkgs ? import &lt;nixpkgs&gt; {}, compiler ? &quot;ghc7102&quot; }:
 (import ./default.nix { inherit nixpkgs compiler; }).env
 </programlisting>
    <para>
@@ -600,6 +683,12 @@ $ nix-shell &quot;&lt;nixpkgs&gt;&quot; -A haskellPackages.bar.env
  };
 }
 </programlisting>
+    <para>
+        Then, replace instances of <literal>haskellPackages</literal> in the
+        <literal>cabal2nix</literal>-generated <literal>default.nix</literal>
+        or <literal>shell.nix</literal> files with
+        <literal>profiledHaskellPackages</literal>.
+    </para>
  </section>
  <section xml:id="how-to-override-package-versions-in-a-compiler-specific-package-set">
    <title>How to override package versions in a compiler-specific
@@ -755,4 +844,69 @@ export NIX_CFLAGS_LINK=&quot;-L/usr/lib&quot;
  </section>
 </section>

+<section xml:id="other-resources">
+  <title>Other resources</title>
+  <itemizedlist>
+    <listitem>
+      <para>
+        The Youtube video
+        <link xlink:href="https://www.youtube.com/watch?v=BsBhi_r-OeE">Nix
+        Loves Haskell</link> provides an introduction into Haskell NG
+        aimed at beginners. The slides are available at
+        http://cryp.to/nixos-meetup-3-slides.pdf and also -- in a form
+        ready for cut &amp; paste -- at
+        https://github.com/NixOS/cabal2nix/blob/master/doc/nixos-meetup-3-slides.md.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        Another Youtube video is
+        <link xlink:href="https://www.youtube.com/watch?v=mQd3s57n_2Y">Escaping
+        Cabal Hell with Nix</link>, which discusses the subject of
+        Haskell development with Nix but also provides a basic
+        introduction to Nix as well, i.e. it's suitable for viewers with
+        almost no prior Nix experience.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        Oliver Charles wrote a very nice
+        <link xlink:href="http://wiki.ocharles.org.uk/Nix">Tutorial how to
+        develop Haskell packages with Nix</link>.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        The <emphasis>Journey into the Haskell NG
+        infrastructure</emphasis> series of postings describe the new
+        Haskell infrastructure in great detail:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            <link xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2015-January/015591.html">Part
+            1</link> explains the differences between the old and the
+            new code and gives instructions how to migrate to the new
+            setup.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <link xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2015-January/015608.html">Part
+            2</link> looks in-depth at how to tweak and configure your
+            setup by means of overrides.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <link xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2015-April/016912.html">Part
+            3</link> describes the infrastructure that keeps the
+            Haskell package set in Nixpkgs up-to-date.
+          </para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+  </itemizedlist>
+</section>
+
 </chapter>
--- a/doc/meta.xml
+++ b/doc/meta.xml
@@ -61,7 +61,7 @@ $ nix-env -qa hello --meta --json
                "i686-openbsd",
                "x86_64-openbsd"
            ],
-            "position": "/home/user/dev/nixpkgs/pkgs/applications/misc/hello/ex-2/default.nix:14"
+            "position": "/home/user/dev/nixpkgs/pkgs/applications/misc/hello/default.nix:14"
        },
        "name": "hello-2.9",
        "system": "x86_64-linux"
--- a/doc/quick-start.xml
+++ b/doc/quick-start.xml
@@ -56,7 +56,7 @@ $ git add pkgs/development/libraries/libfoo/default.nix</screen>

        <listitem>
          <para>GNU Hello: <link
-          xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/misc/hello/ex-2/default.nix"><filename>pkgs/applications/misc/hello/ex-2/default.nix</filename></link>.
+          xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/misc/hello/default.nix"><filename>pkgs/applications/misc/hello/default.nix</filename></link>.
          Trivial package, which specifies some <varname>meta</varname>
          attributes which is good practice.</para>
        </listitem>
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@@ -899,6 +899,34 @@ following:
    phase.</para></listitem>
  </varlistentry>

+  <varlistentry>
+    <term><varname>separateDebugInfo</varname></term>
+    <listitem><para>If set to <literal>true</literal>, the standard
+    environment will enable debug information in C/C++ builds. After
+    installation, the debug information will be separated from the
+    executables and stored in the output named
+    <literal>debug</literal>. (This output is enabled automatically;
+    you don’t need to set the <varname>outputs</varname> attribute
+    explicitly.) To be precise, the debug information is stored in
+    <filename><replaceable>debug</replaceable>/lib/debug/.build-id/<replaceable>XX</replaceable>/<replaceable>YYYY…</replaceable></filename>,
+    where <replaceable>XXYYYY…</replaceable> is the <replaceable>build
+    ID</replaceable> of the binary — a SHA-1 hash of the contents of
+    the binary. Debuggers like GDB use the build ID to look up the
+    separated debug information.</para>
+
+    <para>For example, with GDB, you can add
+
+<programlisting>
+set debug-file-directory ~/.nix-profile/lib/debug
+</programlisting>
+
+    to <filename>~/.gdbinit</filename>. GDB will then be able to find
+    debug information installed via <literal>nix-env
+    -i</literal>.</para>
+
+    </listitem>
+  </varlistentry>
+
 </variablelist>

 </section>
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@@ -14,6 +14,7 @@
  aflatter = "Alexander Flatter <flatter@fastmail.fm>";
  aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
  ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
+  akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
  akc = "Anders Claesson <akc@akc.is>";
  algorith = "Dries Van Daele <dries_van_daele@telenet.be>";
  all = "Nix Committers <nix-commits@lists.science.uu.nl>";
@@ -67,7 +68,7 @@
  couchemar = "Andrey Pavlov <couchemar@yandex.ru>";
  cstrahan = "Charles Strahan <charles.c.strahan@gmail.com>";
  cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
-  DamienCassou = "Damien Cassou <damien.cassou@gmail.com>";
+  DamienCassou = "Damien Cassou <damien@cassou.me>";
  davidrusu = "David Rusu <davidrusu.me@gmail.com>";
  dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";
  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
@@ -123,6 +124,7 @@
  jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
  jb55 = "William Casarin <bill@casarin.me>";
  jcumming = "Jack Cummings <jack@mudshark.org>";
+  jefdaj = "Jeffrey David Johnson <jefdaj@gmail.com>";
  jfb = "James Felix Black <james@yamtime.com>";
  jgeerds = "Jascha Geerds <jg@ekby.de>";
  jirkamarsik = "Jirka Marsik <jiri.marsik89@gmail.com>";
@@ -135,6 +137,7 @@
  jwilberding = "Jordan Wilberding <jwilberding@afiniate.com>";
  jzellner = "Jeff Zellner <jeffz@eml.cc>";
  kamilchm = "Kamil Chmielewski <kamil.chm@gmail.com>";
+  khumba = "Bryan Gardiner <bog@khumba.net>";
  kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
  koral = "Koral <koral@mailoo.org>";
  kovirobi = "Kovacsics Robert <kovirobi@gmail.com>";
@@ -150,6 +153,7 @@
  linus = "Linus Arver <linusarver@gmail.com>";
  lnl7 = "Daiderd Jordan <daiderd@gmail.com>";
  lovek323 = "Jason O'Conal <jason@oconal.id.au>";
+  lowfatcomputing = "Andreas Wagner <andreas.wagner@lowfatcomputing.org>";
  lsix = "Lancelot SIX <lsix@lancelotsix.com>";
  ludo = "Ludovic Courtès <ludo@gnu.org>";
  madjar = "Georges Dubus <georges.dubus@compiletoi.net>";
@@ -204,6 +208,7 @@
  pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
  pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
  prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
+  psibi = "Sibi <sibi@psibi.in>";
  pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
  puffnfresh = "Brian McKenna <brian@brianmckenna.org>";
  qknight = "Joachim Schiele <js@lastlog.de>";
--- a/nixos/doc/manual/configuration/x-windows.xml
+++ b/nixos/doc/manual/configuration/x-windows.xml
@@ -61,6 +61,12 @@ by default because it’s not free software.  You can enable it as follows:
 <programlisting>
 services.xserver.videoDrivers = [ "nvidia" ];
 </programlisting>
+Or if you have an older card, you may have to use one of the legacy drivers:
+<programlisting>
+services.xserver.videoDrivers = [ "nvidiaLegacy340" ];
+services.xserver.videoDrivers = [ "nvidiaLegacy304" ];
+services.xserver.videoDrivers = [ "nvidiaLegacy173" ];
+</programlisting>
 You may need to reboot after enabling this driver to prevent a clash
 with other kernel modules.</para>

--- a/nixos/doc/manual/installation/upgrading.xml
+++ b/nixos/doc/manual/installation/upgrading.xml
@@ -107,4 +107,30 @@ newer Nix version, which may involve an upgrade of Nix’s database
 schema.  This cannot be undone easily, so in that case you will not be
 able to go back to your original channel.</para></warning>

+
+<section><title>Automatic Upgrades</title>
+
+<para>You can keep a NixOS system up-to-date automatically by adding
+the following to <filename>configuration.nix</filename>:
+
+<programlisting>
+system.autoUpgrade.enable = true;
+</programlisting>
+
+This enables a periodically executed systemd service named
+<literal>nixos-upgrade.service</literal>. It runs
+<command>nixos-rebuild switch --upgrade</command> to upgrade NixOS to
+the latest version in the current channel. (To see when the service
+runs, see <command>systemctl list-timers</command>.)  You can also
+specify a channel explicitly, e.g.
+
+<programlisting>
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
+</programlisting>
+
+</para>
+
+</section>
+
+
 </chapter>
--- a/nixos/doc/manual/release-notes/release-notes.xml
+++ b/nixos/doc/manual/release-notes/release-notes.xml
@@ -9,7 +9,7 @@
 <para>This section lists the release notes for each stable version of NixOS
 and current unstable revision.</para>

-<xi:include href="rl-unstable.xml" />
+<xi:include href="rl-1509.xml" />
 <xi:include href="rl-1412.xml" />
 <xi:include href="rl-1404.xml" />
 <xi:include href="rl-1310.xml" />
--- a/nixos/doc/manual/release-notes/rl-1509.xml
+++ b/nixos/doc/manual/release-notes/rl-1509.xml
@@ -0,0 +1,491 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-15.09">
+
+<title>Release 15.09 (“Dingo”, 2015/09/30)</title>
+
+<para>In addition to numerous new and upgraded packages, this release
+has the following highlights:</para>
+
+<itemizedlist>
+
+  <listitem>
+    <para>Gnome has been upgraded to 3.16.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>Xfce has been upgraded to 4.12.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>KDE 5 has been upgraded to KDE Frameworks 5.10,
+      Plasma 5.3.2 and Applications 15.04.3.
+      KDE 4 has been updated to kdelibs-4.14.10.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>E19 has been upgraded to 0.16.8.15.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>The <link xlink:href="http://haskell.org/">Haskell</link>
+    packages infrastructure has been re-designed from the ground up
+    (&quot;Haskell NG&quot;). NixOS now distributes the latest version
+    of every single package registered on <link
+    xlink:href="http://hackage.haskell.org/">Hackage</link> -- well in
+    excess of 8,000 Haskell packages. Detailed instructions on how to
+    use that infrastructure can be found in the <link
+    xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+    Guide to the Haskell Infrastructure</link>. Users migrating from an
+    earlier release may find helpful information below, in the list of
+    backwards-incompatible changes. Furthermore, we distribute 51(!)
+    additional Haskell package sets that provide every single <link
+    xlink:href="http://www.stackage.org/">LTS Haskell</link> release
+    since version 0.0 as well as the most recent <link
+    xlink:href="http://www.stackage.org/">Stackage Nightly</link>
+    snapshot. The announcement <link
+    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2015-September/018138.html">&quot;Full
+    Stackage Support in Nixpkgs&quot;</link> gives additional
+    details.</para>
+  </listitem>
+
+  <listitem>
+    <para>Nix has been updated to version 1.10, which among other
+    improvements enables cryptographic signatures on binary caches for
+    improved security.</para>
+  </listitem>
+
+  <listitem>
+    <para>You can now keep your NixOS system up to date automatically
+    by setting
+
+<programlisting>
+system.autoUpgrade.enable = true;
+</programlisting>
+
+    This will cause the system to periodically check for updates in
+    your current channel and run <command>nixos-rebuild</command>.</para>
+  </listitem>
+
+  <listitem>
+    <para>This release is based on Glibc 2.21, GCC 4.9 and Linux
+    3.18.</para>
+  </listitem>
+
+</itemizedlist>
+
+
+  <para>Following new services were added since the last release:
+
+  <itemizedlist>
+    <listitem><para><literal>services/mail/exim.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/apache-kafka.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/canto-daemon.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/confd.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/devmon.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/gitit.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/ihaskell.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/mbpfan.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/mediatomb.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/mwlib.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/parsoid.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/plex.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/ripple-rest.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/ripple-data-api.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/subsonic.nix</literal></para></listitem>
+    <listitem><para><literal>services/misc/sundtek.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/cadvisor.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/das_watchdog.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/grafana.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/riemann-tools.nix</literal></para></listitem>
+    <listitem><para><literal>services/monitoring/teamviewer.nix</literal></para></listitem>
+    <listitem><para><literal>services/network-filesystems/u9fs.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/aiccu.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/asterisk.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/bird.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/charybdis.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/docker-registry-server.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/fan.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/firefox/sync-server.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/gateone.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/heyefi.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/i2p.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/lambdabot.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/mstpd.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/nix-serve.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/nylon.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/racoon.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/skydns.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/shout.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/softether.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/sslh.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/tinc.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/tlsdated.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/tox-bootstrapd.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/tvheadend.nix</literal></para></listitem>
+    <listitem><para><literal>services/networking/zerotierone.nix</literal></para></listitem>
+    <listitem><para><literal>services/scheduling/marathon.nix</literal></para></listitem>
+    <listitem><para><literal>services/security/fprintd.nix</literal></para></listitem>
+    <listitem><para><literal>services/security/hologram.nix</literal></para></listitem>
+    <listitem><para><literal>services/security/munge.nix</literal></para></listitem>
+    <listitem><para><literal>services/system/cloud-init.nix</literal></para></listitem>
+    <listitem><para><literal>services/web-servers/shellinabox.nix</literal></para></listitem>
+    <listitem><para><literal>services/web-servers/uwsgi.nix</literal></para></listitem>
+    <listitem><para><literal>services/x11/unclutter.nix</literal></para></listitem>
+    <listitem><para><literal>services/x11/display-managers/sddm.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/coredump.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/loader/loader.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/loader/generic-extlinux-compatible</literal></para></listitem>
+    <listitem><para><literal>system/boot/networkd.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/resolved.nix</literal></para></listitem>
+    <listitem><para><literal>system/boot/timesyncd.nix</literal></para></listitem>
+    <listitem><para><literal>tasks/filesystems/exfat.nix</literal></para></listitem>
+    <listitem><para><literal>tasks/filesystems/ntfs.nix</literal></para></listitem>
+    <listitem><para><literal>tasks/filesystems/vboxsf.nix</literal></para></listitem>
+    <listitem><para><literal>virtualisation/virtualbox-host.nix</literal></para></listitem>
+    <listitem><para><literal>virtualisation/vmware-guest.nix</literal></para></listitem>
+    <listitem><para><literal>virtualisation/xen-dom0.nix</literal></para></listitem>
+  </itemizedlist>
+  </para>
+
+
+<para>When upgrading from a previous release, please be aware of the
+following incompatible changes:
+
+<itemizedlist>
+
+<listitem><para><command>sshd</command> no longer supports DSA and ECDSA
+host keys by default. If you have existing systems with such host keys
+and want to continue to use them, please set
+
+<programlisting>
+system.stateVersion = "14.12";
+</programlisting>
+
+The new option <option>system.stateVersion</option> ensures that
+certain configuration changes that could break existing systems (such
+as the <command>sshd</command> host key setting) will maintain
+compatibility with the specified NixOS release. NixOps sets the state
+version of existing deployments automatically.</para></listitem>
+
+<listitem><para><command>cron</command> is no longer enabled by
+default, unless you have a non-empty
+<option>services.cron.systemCronJobs</option>. To force
+<command>cron</command> to be enabled, set
+<option>services.cron.enable = true</option>.</para></listitem>
+
+<listitem><para>Nix now requires binary caches to be cryptographically
+signed. If you have unsigned binary caches that you want to continue
+to use, you should set <option>nix.requireSignedBinaryCaches =
+false</option>.</para></listitem>
+
+<listitem><para>Steam now doesn't need root rights to work. Instead of using
+<literal>*-steam-chrootenv</literal>, you should now just run <literal>steam</literal>.
+<literal>steamChrootEnv</literal> package was renamed to <literal>steam</literal>,
+and old <literal>steam</literal> package -- to <literal>steamOriginal</literal>.
+</para></listitem>
+
+<listitem><para>CMPlayer has been renamed to bomi upstream. Package
+<literal>cmplayer</literal> was accordingly renamed to
+<literal>bomi</literal> </para></listitem>
+
+<listitem><para>Atom Shell has been renamed to Electron upstream.  Package <literal>atom-shell</literal>
+was accordingly renamed to <literal>electron</literal>
+</para></listitem>
+
+<listitem><para>Elm is not released on Hackage anymore. You should now use <literal>elmPackages.elm</literal>
+which contains the latest Elm platform.</para></listitem>
+
+<listitem>
+  <para>The CUPS printing service has been updated to version
+  <literal>2.0.2</literal>.  Furthermore its systemd service has been
+  renamed to <literal>cups.service</literal>.</para>
+
+  <para>Local printers are no longer shared or advertised by
+  default. This behavior can be changed by enabling
+  <option>services.printing.defaultShared</option> or
+  <option>services.printing.browsing</option> respectively.</para>
+</listitem>
+
+<listitem>
+  <para>
+    The VirtualBox host and guest options have been named more
+    consistently. They can now found in
+    <option>virtualisation.virtualbox.host.*</option> instead of
+    <option>services.virtualboxHost.*</option> and
+    <option>virtualisation.virtualbox.guest.*</option> instead of
+    <option>services.virtualboxGuest.*</option>.
+  </para>
+
+  <para>
+    Also, there now is support for the <literal>vboxsf</literal> file
+    system using the <option>fileSystems</option> configuration
+    attribute. An example of how this can be used in a configuration:
+
+<programlisting>
+fileSystems."/shiny" = {
+  device = "myshinysharedfolder";
+  fsType = "vboxsf";
+};
+</programlisting>
+
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    &quot;<literal>nix-env -qa</literal>&quot; no longer discovers
+    Haskell packages by name. The only packages visible in the global
+    scope are <literal>ghc</literal>, <literal>cabal-install</literal>,
+    and <literal>stack</literal>, but all other packages are hidden. The
+    reason for this inconvenience is the sheer size of the Haskell
+    package set. Name-based lookups are expensive, and most
+    <literal>nix-env -qa</literal> operations would become much slower
+    if we'd add the entire Hackage database into the top level attribute
+    set. Instead, the list of Haskell packages can be displayed by
+    running:
+  </para>
+  <programlisting>
+nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A haskellPackages
+</programlisting>
+  <para>
+    Executable programs written in Haskell can be installed with:
+  </para>
+  <programlisting>
+nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.pandoc
+</programlisting>
+  <para>
+    Installing Haskell <emphasis>libraries</emphasis> this way, however, is no
+    longer supported. See the next item for more details.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    Previous versions of NixOS came with a feature called
+    <literal>ghc-wrapper</literal>, a small script that allowed GHC to
+    transparently pick up on libraries installed in the user's profile. This
+    feature has been deprecated; <literal>ghc-wrapper</literal> was removed
+    from the distribution. The proper way to register Haskell libraries with
+    the compiler now is the <literal>haskellPackages.ghcWithPackages</literal>
+    function. The <link
+    xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+    Guide to the Haskell Infrastructure</link> provides more information about
+    this subject.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    All Haskell builds that have been generated with version 1.x of
+    the <literal>cabal2nix</literal> utility are now invalid and need
+    to be re-generated with a current version of
+    <literal>cabal2nix</literal> to function. The most recent version
+    of this tool can be installed by running
+    <literal>nix-env -i cabal2nix</literal>.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    The <literal>haskellPackages</literal> set in Nixpkgs used to have a
+    function attribute called <literal>extension</literal> that users
+    could override in their <literal>~/.nixpkgs/config.nix</literal>
+    files to configure additional attributes, etc. That function still
+    exists, but it's now called <literal>overrides</literal>.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    The OpenBLAS library has been updated to version
+    <literal>0.2.14</literal>. Support for the
+    <literal>x86_64-darwin</literal> platform was added. Dynamic
+    architecture detection was enabled; OpenBLAS now selects
+    microarchitecture-optimized routines at runtime, so optimal
+    performance is achieved without the need to rebuild OpenBLAS
+    locally. OpenBLAS has replaced ATLAS in most packages which use an
+    optimized BLAS or LAPACK implementation.
+ </para>
+</listitem>
+
+<listitem>
+  <para>
+    The <literal>phpfpm</literal> is now using the default PHP version
+    (<literal>pkgs.php</literal>) instead of PHP 5.4 (<literal>pkgs.php54</literal>).
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    The <literal>locate</literal> service no longer indexes the Nix store
+    by default, preventing packages with potentially numerous versions from
+    cluttering the output. Indexing the store can be activated by setting
+    <option>services.locate.includeStore = true</option>.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    The Nix expression search path (<envar>NIX_PATH</envar>) no longer
+    contains <filename>/etc/nixos/nixpkgs</filename> by default. You
+    can override <envar>NIX_PATH</envar> by setting
+    <option>nix.nixPath</option>.
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    Python 2.6 has been marked as broken (as it no longer recieves
+    security updates from upstream).
+  </para>
+</listitem>
+
+<listitem>
+  <para>
+    Any use of module arguments such as <varname>pkgs</varname> to access
+    library functions, or to define <literal>imports</literal> attributes
+    will now lead to an infinite loop at the time of the evaluation.
+  </para>
+
+  <para>
+    In case of an infinite loop, use the <command>--show-trace</command>
+    command line argument and read the line just above the error message.
+
+<screen>
+$ nixos-rebuild build --show-trace
+…
+while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix":
+infinite recursion encountered
+</screen>
+  </para>
+
+
+  <para>
+    Any use of <literal>pkgs.lib</literal>, should be replaced by
+    <varname>lib</varname>, after adding it as argument of the module.  The
+    following module
+
+<programlisting>
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+{
+  options = {
+    foo = mkOption { … };
+  };
+  config = mkIf config.foo { … };
+}
+</programlisting>
+
+   should be modified to look like:
+
+<programlisting>
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+  options = {
+    foo = mkOption { <replaceable>option declaration</replaceable> };
+  };
+  config = mkIf config.foo { <replaceable>option definition</replaceable> };
+}
+</programlisting>
+  </para>
+
+  <para>
+    When <varname>pkgs</varname> is used to download other projects to
+    import their modules, and only in such cases, it should be replaced by
+    <literal>(import &lt;nixpkgs&gt; {})</literal>.  The following module
+
+<programlisting>
+{ config, pkgs, ... }:
+
+let
+  myProject = pkgs.fetchurl {
+    src = <replaceable>url</replaceable>;
+    sha256 = <replaceable>hash</replaceable>;
+  };
+in
+
+{
+  imports = [ "${myProject}/module.nix" ];
+}
+</programlisting>
+
+    should be modified to look like:
+
+<programlisting>
+{ config, pkgs, ... }:
+
+let
+  myProject = (import &lt;nixpkgs&gt; {}).fetchurl {
+    src = <replaceable>url</replaceable>;
+    sha256 = <replaceable>hash</replaceable>;
+  };
+in
+
+{
+  imports = [ "${myProject}/module.nix" ];
+}
+</programlisting>
+  </para>
+
+</listitem>
+
+</itemizedlist>
+</para>
+
+
+<para>Other notable improvements:
+
+<itemizedlist>
+
+  <listitem><para>The nixos and nixpkgs channels were unified,
+    so one <emphasis>can</emphasis> use <literal>nix-env -iA nixos.bash</literal>
+    instead of <literal>nix-env -iA nixos.pkgs.bash</literal>.
+    See <link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the commit</link> for details.
+  </para></listitem>
+
+  <listitem>
+    <para>
+      Users running an SSH server who worry about the quality of their
+      <literal>/etc/ssh/moduli</literal> file with respect to the
+      <link
+      xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
+      discovered in the Diffie-Hellman key exchange</link> can now
+      replace OpenSSH's default version with one they generated
+      themselves using the new
+      <option>services.openssh.moduliFile</option> option.
+      </para>
+  </listitem>
+
+  <listitem> <para>
+    A newly packaged TeX Live 2015 is provided in <literal>pkgs.texlive</literal>,
+    split into 6500 nix packages. For basic user documentation see
+    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive-new/default.nix#L1"
+      >the source</link>.
+    Beware of <link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757"
+      >an issue</link> when installing a too large package set.
+
+    The plan is to deprecate and maybe delete the original TeX packages
+    until the next release.
+  </para> </listitem>
+
+  <listitem><para>
+    <option>buildEnv.env</option> on all Python interpreters
+    is now available for nix-shell interoperability.
+  </para> </listitem>
+</itemizedlist>
+
+</para>
+
+</section>
--- a/nixos/doc/manual/release-notes/rl-unstable.xml
+++ b/nixos/doc/manual/release-notes/rl-unstable.xml
@@ -1,231 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xmlns:xi="http://www.w3.org/2001/XInclude"
-         version="5.0"
-         xml:id="sec-release-unstable">
-
-<title>Release 15.07 (“Dingo”, 2015/07/??)</title>
-
-<para>In addition to numerous new and upgraded packages, this release has the following highlights:
-
-  <itemizedlist>
-    <listitem>
-      <para>
-        The Haskell packages infrastructure has been re-designed from the ground up.
-        NixOS now distributes the latest version of every single package registered on
-        <link xlink:href="http://hackage.haskell.org/">Hackage</link>, i.e. well over
-        8000 Haskell packages. Further information and usage instructions for the
-        improved infrastructure are available at <link
-        xlink:href="https://nixos.org/wiki/Haskell">https://nixos.org/wiki/Haskell</link>.
-        Users migrating from an earlier release will find also find helpful information
-        below, in the list of backwards-incompatible changes.
-      </para>
-    </listitem>
-
-    <listitem>
-      <para>
-        Users running an SSH server who worry about the quality of their
-        <literal>/etc/ssh/moduli</literal> file with respect to the <link
-        xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
-        discovered in the Diffie-Hellman key exchange</link> can now replace OpenSSH's
-        default version with one they generated themselves using the new
-        <literal>services.openssh.moduliFile</literal> option.
-      </para>
-    </listitem>
-  </itemizedlist>
-
-</para>
-
-
-<para>When upgrading from a previous release, please be aware of the
-following incompatible changes:
-
-<itemizedlist>
-
-<listitem><para><command>sshd</command> no longer supports DSA and ECDSA
-host keys by default. If you have existing systems with such host keys
-and want to continue to use them, please set
-
-<programlisting>
-system.stateVersion = "14.12";
-</programlisting>
-
-(The new option <option>system.stateVersion</option> ensures that
-certain configuration changes that could break existing systems (such
-as the <command>sshd</command> host key setting) will maintain
-compatibility with the specified NixOS release.)</para></listitem>
-
-<listitem><para><command>cron</command> is no longer enabled by
-default, unless you have a non-empty
-<option>services.cron.systemCronJobs</option>. To force
-<command>cron</command> to be enabled, set
-<option>services.cron.enable = true</option>.</para></listitem>
-
-<listitem><para>Nix now requires binary caches to be cryptographically
-signed. If you have unsigned binary caches that you want to continue
-to use, you should set <option>nix.requireSignedBinaryCaches =
-false</option>.</para></listitem>
-
-<listitem><para>Steam now doesn't need root rights to work. Instead of using
-<literal>*-steam-chrootenv</literal>, you should now just run <literal>steam</literal>.
-<literal>steamChrootEnv</literal> package was renamed to <literal>steam</literal>,
-and old <literal>steam</literal> package -- to <literal>steamOriginal</literal>.
-</para></listitem>
-
-<listitem><para>CMPlayer has been renamed to bomi upstream. Package <literal>cmplayer</literal>
-was accordingly renamed to <literal>bomi</literal>
-</para></listitem>
-
-<listitem><para>Atom Shell has been renamed to Electron upstream.  Package <literal>atom-shell</literal>
-was accordingly renamed to <literal>electron</literal>
-</para></listitem>
-
-<listitem><para>Elm is not released on Hackage anymore. You should now use <literal>elmPackages.elm</literal>
-which contains the latest Elm platform.</para></listitem>
-
-<listitem>
-  <para>
-	The CUPS printing service has been updated to version <literal>2.0.2</literal>.
-	Furthermore its systemd service has been renamed to <literal>cups.service</literal>.
-  </para>
-  <para>
-	Local printers are no longer shared or advertised by default. This behavior
-	can be changed by enabling <literal>services.printing.defaultShared</literal>
-	or <literal>services.printing.browsing</literal> respectively.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The VirtualBox host and guest options have been moved/renamed more
-    consistently and less confusing to be now found in
-    <literal>virtualisation.virtualbox.host.*</literal> instead of
-    <literal>services.virtualboxHost.*</literal> and
-    <literal>virtualisation.virtualbox.guest.*</literal> instead of
-    <literal>services.virtualboxGuest.*</literal>.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    Haskell packages can no longer be found by name, i.e. the commands
-    <literal>nix-env -qa cabal-install</literal> and <literal>nix-env -i
-    ghc</literal> will fail, even though we <emphasis>do</emphasis> ship
-    both <literal>cabal-install</literal> and <literal>ghc</literal>.
-    The reason for this inconvenience is the sheer size of the Haskell
-    package set: name-based lookups such as these would become much
-    slower than they are today if we'd add the entire Hackage database
-    into the top level attribute set. Instead, the list of Haskell
-    packages can be displayed by
-  </para>
-  <programlisting>
-nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A haskellPackages
-</programlisting>
-  <para>
-    and packages can be installed with:
-  </para>
-  <programlisting>
-nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.cabal-install
-</programlisting>
-</listitem>
-
-<listitem>
-  <para>
-    Previous versions of NixOS came with a feature called
-    <literal>ghc-wrapper</literal>, a small wrapper script that allows
-    GHC to transparently pick up on libraries installed in the user's
-    profile. This feature has been deprecated;
-    <literal>ghc-wrapper</literal> was removed from the distribution.
-    The proper way to register Haskell libraries with the compiler now
-    is the <literal>haskellPackages.ghcWithPackages</literal>
-    function.
-    <link xlink:href="https://nixos.org/wiki/Haskell">https://nixos.org/wiki/Haskell</link>
-    provides much information about this subject.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    All Haskell builds that have been generated with version 1.x of
-    the <literal>cabal2nix</literal> utility are now invalid and need
-    to be re-generated with a current version of
-    <literal>cabal2nix</literal> to function. The most recent version
-    of this tool can be installed by running
-    <literal>nix-env -i cabal2nix</literal>.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The <literal>haskellPackages</literal> set in Nixpkgs used to have a
-    function attribute called <literal>extension</literal> that users
-    could override in their <literal>~/.nixpkgs/config.nix</literal>
-    files to configure additional attributes, etc. That function still
-    exists, but it's now called <literal>overrides</literal>.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The OpenBLAS library has been updated to version
-    <literal>0.2.14</literal>. Support for the
-    <literal>x86_64-darwin</literal> platform was added. Dynamic
-    architecture detection was enabled; OpenBLAS now selects
-    microarchitecture-optimized routines at runtime, so optimal
-    performance is achieved without the need to rebuild OpenBLAS
-    locally. OpenBLAS has replaced ATLAS in most packages which use an
-    optimized BLAS or LAPACK implementation.
- </para>
-</listitem>
-
-<listitem>
-  <para>
-    The <literal>phpfpm</literal> is now using the default PHP version
-    (<literal>pkgs.php</literal>) instead of PHP 5.4 (<literal>pkgs.php54</literal>).
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The <literal>locate</literal> service no longer indexes the Nix store
-    by default, preventing packages with potentially numerous versions from
-    cluttering the output. Indexing the store can be activated by setting
-    <literal>services.locate.includeStore = true</literal>.
-  </para>
-</listitem>
-
-<listitem>
-  <para>
-    The Nix expression search path (<envar>NIX_PATH</envar>) no longer
-    contains <filename>/etc/nixos/nixpkgs</filename> by default. You
-    can override <envar>NIX_PATH</envar> by setting
-    <option>nix.nixPath</option>.
-  </para>
-</listitem>
-
-</itemizedlist>
-</para>
-
-
-<para>The following new services were added since the last release:
-
-<itemizedlist>
-<listitem><para><literal>brltty</literal></para></listitem>
-<listitem><para><literal>marathon</literal></para></listitem>
-<listitem><para><literal>tvheadend</literal></para></listitem>
-</itemizedlist>
-</para>
-
-
-<para>Other notable improvements:
-
-<itemizedlist>
-  <listitem><para>The nixos and nixpkgs channels were unified,
-    so one <emphasis>can</emphasis> use <literal>nix-env -iA nixos.bash</literal>
-    instead of <literal>nix-env -iA nixos.pkgs.bash</literal>.
-    See <link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the commit</link> for details.
-  </para></listitem>
-</itemizedlist>
-</para>
-
-</section>
--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@@ -0,0 +1,115 @@
+{ pkgs
+, lib
+
+, # The NixOS configuration to be installed onto the disk image.
+  config
+
+, # The size of the disk, in megabytes.
+  diskSize
+
+, # Whether the disk should be partitioned (with a single partition
+  # containing the root filesystem) or contain the root filesystem
+  # directly.
+  partitioned ? true
+
+, # The root file system type.
+  fsType ? "ext4"
+
+, # The initial NixOS configuration file to be copied to
+  # /etc/nixos/configuration.nix.
+  configFile ? null
+
+, # Shell code executed after the VM has finished.
+  postVM ? ""
+
+}:
+
+with lib;
+
+pkgs.vmTools.runInLinuxVM (
+  pkgs.runCommand "nixos-disk-image"
+    { preVM =
+        ''
+          mkdir $out
+          diskImage=$out/nixos.img
+          ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "${toString diskSize}M"
+          mv closure xchg/
+        '';
+      buildInputs = [ pkgs.utillinux pkgs.perl pkgs.e2fsprogs pkgs.parted ];
+      exportReferencesGraph =
+        [ "closure" config.system.build.toplevel ];
+      inherit postVM;
+    }
+    ''
+      ${if partitioned then ''
+        # Create a single / partition.
+        parted /dev/vda mklabel msdos
+        parted /dev/vda -- mkpart primary ext2 1M -1s
+        . /sys/class/block/vda1/uevent
+        mknod /dev/vda1 b $MAJOR $MINOR
+        rootDisk=/dev/vda1
+      '' else ''
+        rootDisk=/dev/vda
+      ''}
+
+      # Create an empty filesystem and mount it.
+      mkfs.${fsType} -L nixos $rootDisk
+      ${optionalString (fsType == "ext4") ''
+        tune2fs -c 0 -i 0 $rootDisk
+      ''}
+      mkdir /mnt
+      mount $rootDisk /mnt
+
+      # The initrd expects these directories to exist.
+      mkdir /mnt/dev /mnt/proc /mnt/sys
+
+      mount -o bind /proc /mnt/proc
+      mount -o bind /dev /mnt/dev
+      mount -o bind /sys /mnt/sys
+
+      # Copy all paths in the closure to the filesystem.
+      storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
+
+      mkdir -p /mnt/nix/store
+      echo "copying everything (will take a while)..."
+      set -f
+      cp -prd $storePaths /mnt/nix/store/
+
+      # Register the paths in the Nix database.
+      printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
+          chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group ""
+
+      # Add missing size/hash fields to the database. FIXME:
+      # exportReferencesGraph should provide these directly.
+      chroot /mnt ${config.nix.package}/bin/nix-store --verify --check-contents
+
+      # Create the system profile to allow nixos-rebuild to work.
+      chroot /mnt ${config.nix.package}/bin/nix-env --option build-users-group "" \
+          -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
+
+      # `nixos-rebuild' requires an /etc/NIXOS.
+      mkdir -p /mnt/etc
+      touch /mnt/etc/NIXOS
+
+      # `switch-to-configuration' requires a /bin/sh
+      mkdir -p /mnt/bin
+      ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
+
+      # Install a configuration.nix.
+      mkdir -p /mnt/etc/nixos
+      ${optionalString (configFile != null) ''
+        cp ${configFile} /mnt/etc/nixos/configuration.nix
+      ''}
+
+      # Generate the GRUB menu.
+      ln -s vda /dev/xvda
+      ln -s vda /dev/sda
+      chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
+
+      umount /mnt/proc /mnt/dev /mnt/sys
+      umount /mnt
+
+      # Do an fsck to make sure resize2fs works.
+      fsck.${fsType} -f -y $rootDisk
+    ''
+)
--- a/nixos/maintainers/scripts/ec2/amazon-base-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-base-config.nix
@@ -1,5 +0,0 @@
-{ modulesPath, ...}:
-{
-  imports = [ "${modulesPath}/virtualisation/amazon-init.nix" ];
-  services.journald.rateLimitBurst = 0;
-}
--- a/nixos/maintainers/scripts/ec2/amazon-hvm-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-hvm-config.nix
@@ -1,5 +0,0 @@
-{ config, pkgs, ...}:
-{
-  imports = [ ./amazon-base-config.nix ];
-  ec2.hvm = true;
-}
--- a/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix
@@ -1,34 +0,0 @@
-{ config, pkgs, lib, ...}:
-let
-  cloudUtils = pkgs.fetchurl {
-    url = "https://launchpad.net/cloud-utils/trunk/0.27/+download/cloud-utils-0.27.tar.gz";
-    sha256 = "16shlmg36lidp614km41y6qk3xccil02f5n3r4wf6d1zr5n4v8vd";
-  };
-  growpart = pkgs.stdenv.mkDerivation {
-    name = "growpart";
-    src = cloudUtils;
-    buildPhase = ''
-      cp bin/growpart $out
-      sed -i 's|awk|gawk|' $out
-      sed -i 's|sed|gnused|' $out
-    '';
-    dontInstall = true;
-    dontPatchShebangs = true;
-  };
-in
-{
-  imports = [ ./amazon-base-config.nix ];
-  ec2.hvm = true;
-  boot.loader.grub.device = lib.mkOverride 0 "/dev/xvdg";
-  boot.kernelParams = [ "console=ttyS0" ];
-
-  boot.initrd.extraUtilsCommands = ''
-    copy_bin_and_libs ${pkgs.gawk}/bin/gawk
-    copy_bin_and_libs ${pkgs.gnused}/bin/sed
-    copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk
-    cp -v ${growpart} $out/bin/growpart
-  '';
-  boot.initrd.postDeviceCommands = ''
-    [ -e /dev/xvda ] && [ -e /dev/xvda1 ] && TMPDIR=/run sh $(type -P growpart) /dev/xvda 1
-  '';
-}
--- a/nixos/maintainers/scripts/ec2/amazon-image.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-image.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  imports =
+    [ ../../../modules/installer/cd-dvd/channel.nix
+      ../../../modules/virtualisation/amazon-image.nix
+    ];
+
+  system.build.amazonImage = import ../../../lib/make-disk-image.nix {
+    inherit pkgs lib config;
+    partitioned = config.ec2.hvm;
+    diskSize = if config.ec2.hvm then 2048 else 8192;
+    configFile = pkgs.writeText "configuration.nix"
+      ''
+        {
+          imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];
+          ${optionalString config.ec2.hvm ''
+            ec2.hvm = true;
+          ''}
+        }
+      '';
+  };
+
+}
--- a/nixos/maintainers/scripts/ec2/create-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-amis.sh
@@ -0,0 +1,217 @@
+#! /bin/sh -e
+
+set -o pipefail
+#set -x
+
+stateDir=${TMPDIR:-/tmp}/ec2-image
+echo "keeping state in $stateDir"
+mkdir -p $stateDir
+
+version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
+echo "NixOS version is $version"
+
+rm -f ec2-amis.nix
+
+
+for type in hvm pv; do
+    link=$stateDir/$type
+    imageFile=$link/nixos.img
+    system=x86_64-linux
+    arch=x86_64
+
+    # Build the image.
+    if ! [ -L $link ]; then
+        if [ $type = pv ]; then hvmFlag=false; else hvmFlag=true; fi
+
+        echo "building image type '$type'..."
+        nix-build -o $link \
+            '<nixpkgs/nixos>' \
+            -A config.system.build.amazonImage \
+            --arg configuration "{ imports = [ <nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix> ]; ec2.hvm = $hvmFlag; }"
+    fi
+
+    for store in ebs s3; do
+
+        bucket=nixos-amis
+        bucketDir="$version-$type-$store"
+
+        prevAmi=
+        prevRegion=
+
+        #for region in eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do
+        for region in eu-west-1 us-east-1; do
+
+            name=nixos-$version-$arch-$type-$store
+            description="NixOS $system $version ($type-$store)"
+
+            amiFile=$stateDir/$region.$type.$store.ami-id
+
+            if ! [ -e $amiFile ]; then
+
+                echo "doing $name in $region..."
+
+                if [ -n "$prevAmi" ]; then
+                    ami=$(ec2-copy-image \
+                        --region "$region" \
+                        --source-region "$prevRegion" --source-ami-id "$prevAmi" \
+                        --name "$name" --description "$description" | cut -f 2)
+                else
+
+                    if [ $store = s3 ]; then
+
+                        # Bundle the image.
+                        imageDir=$stateDir/$type-bundled
+
+                        if ! [ -d $imageDir ]; then
+                            rm -rf $imageDir.tmp
+                            mkdir -p $imageDir.tmp
+                            ec2-bundle-image \
+                                -d $imageDir.tmp \
+                                -i $imageFile --arch $arch \
+                                --user "$AWS_ACCOUNT" -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY"
+                            mv $imageDir.tmp $imageDir
+                        fi
+
+                        # Upload the bundle to S3.
+                        if ! [ -e $imageDir/uploaded ]; then
+                            echo "uploading bundle to S3..."
+                            ec2-upload-bundle \
+                                -m $imageDir/nixos.img.manifest.xml \
+                                -b "$bucket/$bucketDir" \
+                                -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" \
+                                --location EU
+                            touch $imageDir/uploaded
+                        fi
+
+                        extraFlags="$bucket/$bucketDir/nixos.img.manifest.xml"
+
+                    else
+
+                        # Convert the image to vhd format so we don't have
+                        # to upload a huge raw image.
+                        vhdFile=$stateDir/$type.vhd
+                        if ! [ -e $vhdFile ]; then
+                            qemu-img convert -O vpc $imageFile $vhdFile.tmp
+                            mv $vhdFile.tmp $vhdFile
+                        fi
+
+                        taskId=$(cat $stateDir/$region.$type.task-id 2> /dev/null || true)
+                        volId=$(cat $stateDir/$region.$type.vol-id 2> /dev/null || true)
+                        snapId=$(cat $stateDir/$region.$type.snap-id 2> /dev/null || true)
+
+                        # Import the VHD file.
+                        if [ -z "$snapId" -a -z "$volId" -a -z "$taskId" ]; then
+                            echo "importing $vhdFile..."
+                            taskId=$(ec2-import-volume $vhdFile --no-upload -f vhd \
+                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" \
+                                --region "$region" -z "${region}a" \
+                                --bucket "$bucket" --prefix "$bucketDir/" \
+                                | tee /dev/stderr \
+                                | sed 's/.*\(import-vol-[0-9a-z]\+\).*/\1/ ; t ; d')
+                            echo -n "$taskId" > $stateDir/$region.$type.task-id
+                        fi
+
+                        if [ -z "$snapId" -a -z "$volId" ]; then
+                            ec2-resume-import  $vhdFile -t "$taskId" --region "$region" \
+                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY"
+                        fi
+
+                        # Wait for the volume creation to finish.
+                        if [ -z "$snapId" -a -z "$volId" ]; then
+                            echo "waiting for import to finish..."
+                            while true; do
+                                volId=$(ec2-describe-conversion-tasks "$taskId" --region "$region" | sed 's/.*VolumeId.*\(vol-[0-9a-f]\+\).*/\1/ ; t ; d')
+                                if [ -n "$volId" ]; then break; fi
+                                sleep 10
+                            done
+
+                            echo -n "$volId" > $stateDir/$region.$type.vol-id
+                        fi
+
+                        # Delete the import task.
+                        if [ -n "$volId" -a -n "$taskId" ]; then
+                            echo "removing import task..."
+                            ec2-delete-disk-image -t "$taskId" --region "$region" -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" || true
+                            rm -f $stateDir/$region.$type.task-id
+                        fi
+
+                        # Create a snapshot.
+                        if [ -z "$snapId" ]; then
+                            echo "creating snapshot..."
+                            snapId=$(ec2-create-snapshot "$volId" --region "$region" | cut -f 2)
+                            echo -n "$snapId" > $stateDir/$region.$type.snap-id
+                            ec2-create-tags "$snapId" -t "Name=$description" --region "$region"
+                        fi
+
+                        # Wait for the snapshot to finish.
+                        echo "waiting for snapshot to finish..."
+                        while true; do
+                            status=$(ec2-describe-snapshots "$snapId" --region "$region" | head -n1 | cut -f 4)
+                            if [ "$status" = completed ]; then break; fi
+                            sleep 10
+                        done
+
+                        # Delete the volume.
+                        if [ -n "$volId" ]; then
+                            echo "deleting volume..."
+                            ec2-delete-volume "$volId" --region "$region" || true
+                            rm -f $stateDir/$region.$type.vol-id
+                        fi
+
+                        extraFlags="-b /dev/sda1=$snapId:20:true:gp2"
+
+                        if [ $type = pv ]; then
+                            extraFlags+=" --root-device-name=/dev/sda1"
+                        fi
+
+                        extraFlags+=" -b /dev/sdb=ephemeral0 -b /dev/sdc=ephemeral1 -b /dev/sdd=ephemeral2 -b /dev/sde=ephemeral3"
+                    fi
+
+                    # Register the AMI.
+                    if [ $type = pv ]; then
+                        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
+                        [ -n "$kernel" ]
+                        echo "using PV-GRUB kernel $kernel"
+                        extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
+                    else
+                        extraFlags+=" --virtualization-type hvm"
+                    fi
+
+                    set -x
+                    ami=$(ec2-register \
+                        -n "$name" \
+                        -d "$description" \
+                        --region "$region" \
+                        --architecture "$arch" \
+                        $extraFlags | cut -f 2)
+                fi
+
+                echo -n "$ami" > $amiFile
+                echo "created AMI $ami of type '$type' in $region..."
+
+            else
+                ami=$(cat $amiFile)
+            fi
+
+            echo "waiting for AMI..."
+            while true; do
+                status=$(ec2-describe-images "$ami" --region "$region" | head -n1 | cut -f 5)
+                if [ "$status" = available ]; then break; fi
+                sleep 10
+            done
+
+            ec2-modify-image-attribute \
+                --region "$region" "$ami" -l -a all
+
+            echo "region = $region, type = $type, store = $store, ami = $ami"
+            if [ -z "$prevAmi" ]; then
+                prevAmi="$ami"
+                prevRegion="$region"
+            fi
+
+            echo "  \"15.09\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix
+        done
+
+    done
+
+done
--- a/nixos/maintainers/scripts/ec2/create-ebs-amis.py
+++ b/nixos/maintainers/scripts/ec2/create-ebs-amis.py
@@ -1,216 +0,0 @@
-#! /usr/bin/env python
-
-import os
-import sys
-import time
-import argparse
-import nixops.util
-from nixops import deployment
-from boto.ec2.blockdevicemapping import BlockDeviceMapping, BlockDeviceType
-import boto.ec2
-from nixops.statefile import StateFile, get_default_state_file
-
-parser = argparse.ArgumentParser(description='Create an EBS-backed NixOS AMI')
-parser.add_argument('--region', dest='region', required=True, help='EC2 region to create the image in')
-parser.add_argument('--channel', dest='channel', default="14.12", help='Channel to use')
-parser.add_argument('--keep', dest='keep', action='store_true', help='Keep NixOps machine after use')
-parser.add_argument('--hvm', dest='hvm', action='store_true', help='Create HVM image')
-parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair used for HVM instance creation', default="rob")
-args = parser.parse_args()
-
-instance_type = "m3.medium" if args.hvm else "m1.small"
-
-if args.hvm:
-    virtualization_type = "hvm"
-    root_block = "/dev/sda1"
-    image_type = 'hvm'
-else:
-    virtualization_type = "paravirtual"
-    root_block = "/dev/sda"
-    image_type = 'ebs'
-
-ebs_size = 20
-
-# Start a NixOS machine in the given region.
-f = open("ebs-creator-config.nix", "w")
-f.write('''{{
-  resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos";
-  resources.ec2KeyPairs.keypair.region = "{0}";
-
-  machine =
-    {{ pkgs, ... }}:
-    {{
-      deployment.ec2.accessKeyId = "lb-nixos";
-      deployment.ec2.region = "{0}";
-      deployment.ec2.blockDeviceMapping."/dev/xvdg".size = pkgs.lib.mkOverride 10 {1};
-    }};
-}}
-'''.format(args.region, ebs_size))
-f.close()
-
-db = StateFile(get_default_state_file())
-try:
-    depl = db.open_deployment("ebs-creator")
-except Exception:
-    depl = db.create_deployment()
-    depl.name = "ebs-creator"
-depl.logger.set_autoresponse("y")
-depl.nix_exprs = [os.path.abspath("./ebs-creator.nix"), os.path.abspath("./ebs-creator-config.nix")]
-if not args.keep: depl.destroy_resources()
-depl.deploy(allow_reboot=True)
-
-m = depl.machines['machine']
-
-# Do the installation.
-device="/dev/xvdg"
-if args.hvm:
-    m.run_command('parted -s /dev/xvdg -- mklabel msdos')
-    m.run_command('parted -s /dev/xvdg -- mkpart primary ext2 1M -1s')
-    device="/dev/xvdg1"
-
-m.run_command("if mountpoint -q /mnt; then umount /mnt; fi")
-m.run_command("mkfs.ext4 -L nixos {0}".format(device))
-m.run_command("mkdir -p /mnt")
-m.run_command("mount {0} /mnt".format(device))
-m.run_command("touch /mnt/.ebs")
-m.run_command("mkdir -p /mnt/etc/nixos")
-
-m.run_command("nix-channel --add https://nixos.org/channels/nixos-{} nixos".format(args.channel))
-m.run_command("nix-channel --update")
-
-version = m.run_command("nix-instantiate --eval-only -A lib.nixpkgsVersion '<nixpkgs>'", capture_stdout=True).split(' ')[0].replace('"','').strip()
-print >> sys.stderr, "NixOS version is {0}".format(version)
-if args.hvm:
-    m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/amazon-base-config.nix")
-    m.upload_file("./amazon-hvm-config.nix", "/mnt/etc/nixos/configuration.nix")
-    m.upload_file("./amazon-hvm-install-config.nix", "/mnt/etc/nixos/amazon-hvm-install-config.nix")
-    m.run_command("NIXOS_CONFIG=/etc/nixos/amazon-hvm-install-config.nix nixos-install")
-else:
-    m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/configuration.nix")
-    m.run_command("nixos-install")
-
-m.run_command("umount /mnt")
-
-if args.hvm:
-    ami_name = "nixos-{0}-x86_64-hvm".format(version)
-    description = "NixOS {0} (x86_64; EBS root; hvm)".format(version)
-else:
-    ami_name = "nixos-{0}-x86_64-ebs".format(version)
-    description = "NixOS {0} (x86_64; EBS root)".format(version)
-
-
-# Wait for the snapshot to finish.
-def check():
-    status = snapshot.update()
-    print >> sys.stderr, "snapshot status is {0}".format(status)
-    return status == '100%'
-
-m.connect()
-volume = m._conn.get_all_volumes([], filters={'attachment.instance-id': m.resource_id, 'attachment.device': "/dev/sdg"})[0]
-
-# Create a snapshot.
-snapshot = volume.create_snapshot(description=description)
-print >> sys.stderr, "created snapshot {0}".format(snapshot.id)
-
-nixops.util.check_wait(check, max_tries=120)
-
-m._conn.create_tags([snapshot.id], {'Name': ami_name})
-
-if not args.keep: depl.destroy_resources()
-
-# Register the image.
-aki = m._conn.get_all_images(filters={'manifest-location': 'ec2*pv-grub-hd0_1.03-x86_64*'})[0]
-print >> sys.stderr, "using kernel image {0} - {1}".format(aki.id, aki.location)
-
-block_map = BlockDeviceMapping()
-block_map[root_block] = BlockDeviceType(snapshot_id=snapshot.id, delete_on_termination=True, size=ebs_size, volume_type="gp2")
-block_map['/dev/sdb'] = BlockDeviceType(ephemeral_name="ephemeral0")
-block_map['/dev/sdc'] = BlockDeviceType(ephemeral_name="ephemeral1")
-block_map['/dev/sdd'] = BlockDeviceType(ephemeral_name="ephemeral2")
-block_map['/dev/sde'] = BlockDeviceType(ephemeral_name="ephemeral3")
-
-common_args = dict(
-        name=ami_name,
-        description=description,
-        architecture="x86_64",
-        root_device_name=root_block,
-        block_device_map=block_map,
-        virtualization_type=virtualization_type,
-        delete_root_volume_on_termination=True
-        )
-if not args.hvm:
-    common_args['kernel_id']=aki.id
-
-ami_id = m._conn.register_image(**common_args)
-
-print >> sys.stderr, "registered AMI {0}".format(ami_id)
-
-print >> sys.stderr, "sleeping a bit..."
-time.sleep(30)
-
-print >> sys.stderr, "setting image name..."
-m._conn.create_tags([ami_id], {'Name': ami_name})
-
-print >> sys.stderr, "making image public..."
-image = m._conn.get_all_images(image_ids=[ami_id])[0]
-image.set_launch_permissions(user_ids=[], group_names=["all"])
-
-# Do a test deployment to make sure that the AMI works.
-f = open("ebs-test.nix", "w")
-f.write(
-    '''
-    {{
-      network.description = "NixOS EBS test";
-
-      resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos";
-      resources.ec2KeyPairs.keypair.region = "{0}";
-
-      machine = {{ config, pkgs, resources, ... }}: {{
-        deployment.targetEnv = "ec2";
-        deployment.ec2.accessKeyId = "lb-nixos";
-        deployment.ec2.region = "{0}";
-        deployment.ec2.instanceType = "{2}";
-        deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
-        deployment.ec2.securityGroups = [ "public-ssh" ];
-        deployment.ec2.ami = "{1}";
-      }};
-    }}
-    '''.format(args.region, ami_id, instance_type))
-f.close()
-
-test_depl = db.create_deployment()
-test_depl.auto_response = "y"
-test_depl.name = "ebs-creator-test"
-test_depl.nix_exprs = [os.path.abspath("./ebs-test.nix")]
-test_depl.deploy(create_only=True)
-test_depl.machines['machine'].run_command("nixos-version")
-
-# Log the AMI ID.
-f = open("ec2-amis.nix".format(args.region, image_type), "w")
-f.write("{\n")
-
-for dest in [ 'us-east-1', 'us-west-1', 'us-west-2', 'eu-west-1', 'eu-central-1', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'sa-east-1']:
-    copy_image = None
-    if args.region != dest:
-        try:
-            print >> sys.stderr, "copying image from region {0} to {1}".format(args.region, dest)
-            conn = boto.ec2.connect_to_region(dest)
-            copy_image = conn.copy_image(args.region, ami_id, ami_name, description=None, client_token=None)
-        except :
-            print >> sys.stderr, "FAILED!"
-
-        # Log the AMI ID.
-        if copy_image != None:
-            f.write('  "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,dest,"hvm" if args.hvm else "ebs",copy_image.image_id))
-    else:
-        f.write('  "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,args.region,"hvm" if args.hvm else "ebs",ami_id))
-
-
-f.write("}\n")
-f.close()
-
-if not args.keep:
-    test_depl.logger.set_autoresponse("y")
-    test_depl.destroy_resources()
-    test_depl.delete()
-
--- a/nixos/maintainers/scripts/ec2/create-s3-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-s3-amis.sh
@@ -1,53 +0,0 @@
-#! /bin/sh -e
-
-export NIXOS_CONFIG=$(dirname $(readlink -f $0))/amazon-base-config.nix
-
-version=$(nix-instantiate --eval-only '<nixpkgs/nixos>' -A config.system.nixosVersion | sed s/'"'//g)
-echo "NixOS version is $version"
-
-buildAndUploadFor() {
-    system="$1"
-    arch="$2"
-
-    echo "building $system image..."
-    nix-build '<nixpkgs/nixos>' \
-        -A config.system.build.amazonImage --argstr system "$system" -o ec2-ami
-
-    ec2-bundle-image -i ./ec2-ami/nixos.img --user "$AWS_ACCOUNT" --arch "$arch" \
-        -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY"
-
-    for region in eu-west-1; do
-        echo "uploading $system image for $region..."
-
-        name=nixos-$version-$arch-s3
-        bucket="$(echo $name-$region | tr '[A-Z]_' '[a-z]-')"
-
-        if [ "$region" = eu-west-1 ]; then s3location=EU;
-        elif [ "$region" = us-east-1 ]; then s3location=US;
-        else s3location="$region"
-        fi
-
-        ec2-upload-bundle -b "$bucket" -m /tmp/nixos.img.manifest.xml \
-            -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" --location "$s3location" \
-            --url http://s3.amazonaws.com
-
-        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
-        echo "using PV-GRUB kernel $kernel"
-
-        ami=$(ec2-register "$bucket/nixos.img.manifest.xml" -n "$name" -d "NixOS $system r$revision" -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY" \
-            --region "$region" --kernel "$kernel" | cut -f 2)
-
-        echo "AMI ID is $ami"
-
-        echo "  \"14.12\".\"$region\".s3 = \"$ami\";" >> ec2-amis.nix
-
-        ec2-modify-image-attribute --region "$region" "$ami" -l -a all -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY"
-
-        for cp_region in us-east-1 us-west-1 us-west-2 eu-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do
-          new_ami=$(aws ec2 copy-image --source-image-id $ami --source-region $region --region $cp_region --name "$name" | json ImageId)
-          echo "  \"14.12\".\"$cp_region\".s3 = \"$new_ami\";" >> ec2-amis.nix  
-        done
-    done
-}
-
-buildAndUploadFor x86_64-linux x86_64
--- a/nixos/maintainers/scripts/ec2/ebs-creator.nix
+++ b/nixos/maintainers/scripts/ec2/ebs-creator.nix
@@ -1,13 +0,0 @@
-{
-  network.description = "NixOS EBS creator";
-
-  machine =
-    { config, pkgs, resources, ... }:
-    { deployment.targetEnv = "ec2";
-      deployment.ec2.instanceType = "c3.large";
-      deployment.ec2.securityGroups = [ "public-ssh" ];
-      deployment.ec2.ebsBoot = false;
-      deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
-      environment.systemPackages = [ pkgs.parted ];
-    };
-}
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@@ -103,16 +103,23 @@ in
      [ "/bin"
        "/etc/xdg"
        "/info"
-        "/lib"
+        "/lib" # FIXME: remove
+        #"/lib/debug/.build-id" # enables GDB to find separated debug info
        "/man"
        "/sbin"
+        "/share/applications"
+        "/share/desktop-directories"
        "/share/doc"
        "/share/emacs"
+        "/share/icons"
        "/share/info"
        "/share/man"
+        "/share/menus"
+        "/share/mime"
        "/share/nano"
        "/share/org"
        "/share/terminfo"
+        "/share/themes"
        "/share/vim-plugins"
      ];

--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -216,7 +216,7 @@ let
          exist. If <option>users.mutableUsers</option> is true, the
          password can be changed subsequently using the
          <command>passwd</command> command. Otherwise, it's
-          equivalent to setting the <option>password</option> option.
+          equivalent to setting the <option>hashedPassword</option> option.

          ${hashedPasswordDescription}
        '';
@@ -336,13 +336,13 @@ let
    map (range: "${user.name}:${toString range.startUid}:${toString range.count}\n")
      user.subUidRanges);

-  subuidFile = concatStrings (map mkSubuidEntry (attrValues cfg.extraUsers));
+  subuidFile = concatStrings (map mkSubuidEntry (attrValues cfg.users));

  mkSubgidEntry = user: concatStrings (
    map (range: "${user.name}:${toString range.startGid}:${toString range.count}\n")
        user.subGidRanges);

-  subgidFile = concatStrings (map mkSubgidEntry (attrValues cfg.extraUsers));
+  subgidFile = concatStrings (map mkSubgidEntry (attrValues cfg.users));

  idsAreUnique = set: idAttr: !(fold (name: args@{ dup, acc }:
    let
@@ -354,8 +354,8 @@ let
      else { dup = false; acc = newAcc; }
    ) { dup = false; acc = {}; } (builtins.attrNames set)).dup;

-  uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.extraUsers) "uid";
-  gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.extraGroups) "gid";
+  uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.users) "uid";
+  gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.groups) "gid";

  spec = pkgs.writeText "users-groups.json" (builtins.toJSON {
    inherit (cfg) mutableUsers;
@@ -364,13 +364,13 @@ let
          name uid group description home shell createHome isSystemUser
          password passwordFile hashedPassword
          initialPassword initialHashedPassword;
-      }) cfg.extraUsers;
+      }) cfg.users;
    groups = mapAttrsToList (n: g:
      { inherit (g) name gid;
        members = g.members ++ (mapAttrsToList (n: u: u.name) (
-          filterAttrs (n: u: elem g.name u.extraGroups) cfg.extraUsers
+          filterAttrs (n: u: elem g.name u.extraGroups) cfg.users
        ));
-      }) cfg.extraGroups;
+      }) cfg.groups;
  });

 in {
@@ -388,10 +388,10 @@ in {
        <literal>groupadd</literal> commands. On system activation, the
        existing contents of the <literal>/etc/passwd</literal> and
        <literal>/etc/group</literal> files will be merged with the
-        contents generated from the <literal>users.extraUsers</literal> and
-        <literal>users.extraGroups</literal> options.
+        contents generated from the <literal>users.users</literal> and
+        <literal>users.groups</literal> options.
        The initial password for a user will be set
-        according to <literal>users.extraUsers</literal>, but existing passwords
+        according to <literal>users.users</literal>, but existing passwords
        will not be changed.

        <warning><para>
@@ -399,7 +399,7 @@ in {
        group files will simply be replaced on system activation. This also
        holds for the user passwords; all changed
        passwords will be reset according to the
-        <literal>users.extraUsers</literal> configuration on activation.
+        <literal>users.users</literal> configuration on activation.
        </para></warning>
      '';
    };
@@ -412,7 +412,7 @@ in {
      '';
    };

-    users.extraUsers = mkOption {
+    users.users = mkOption {
      default = {};
      type = types.loaOf types.optionSet;
      example = {
@@ -433,7 +433,7 @@ in {
      options = [ userOpts ];
    };

-    users.extraGroups = mkOption {
+    users.groups = mkOption {
      default = {};
      example =
        { students.gid = 1001;
@@ -461,7 +461,7 @@ in {

  config = {

-    users.extraUsers = {
+    users.users = {
      root = {
        uid = ids.uids.root;
        description = "System administrator";
@@ -478,7 +478,7 @@ in {
      };
    };

-    users.extraGroups = {
+    users.groups = {
      root.gid = ids.gids.root;
      wheel.gid = ids.gids.wheel;
      disk.gid = ids.gids.disk;
@@ -525,6 +525,27 @@ in {
      { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
        message = "UIDs and GIDs must be unique!";
      }
+      { # If mutableUsers is false, to prevent users creating a
+        # configuration that locks them out of the system, ensure that
+        # there is at least one "privileged" account that has a
+        # password or an SSH authorized key. Privileged accounts are
+        # root and users in the wheel group.
+        assertion = !cfg.mutableUsers ->
+          any id (mapAttrsToList (name: cfg:
+            (name == "root"
+             || cfg.group == "wheel"
+             || elem "wheel" cfg.extraGroups)
+            &&
+            ((cfg.hashedPassword != null && cfg.hashedPassword != "!")
+             || cfg.password != null
+             || cfg.passwordFile != null
+             || cfg.openssh.authorizedKeys.keys != []
+             || cfg.openssh.authorizedKeys.keyFiles != [])
+          ) cfg.users);
+        message = ''
+          Neither the root account nor any wheel user has a password or SSH authorized key.
+          You must set one to prevent being locked out of your system.'';
+      }
    ];

  };
--- a/nixos/modules/installer/cd-dvd/channel.nix
+++ b/nixos/modules/installer/cd-dvd/channel.nix
@@ -33,7 +33,7 @@ in
        echo "unpacking the NixOS/Nixpkgs sources..."
        mkdir -p /nix/var/nix/profiles/per-user/root
        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \
-          -i ${channelSources} --quiet --option use-substitutes false
+          -i ${channelSources} --quiet --option build-use-substitutes false
        mkdir -m 0700 -p /root/.nix-defexpr
        ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels
        mkdir -m 0755 -p /var/lib/nixos
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -157,9 +157,9 @@ if [ -n "$buildNix" ]; then
            if ! nix-build '<nixpkgs>' -A nix -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
                machine="$(uname -m)"
                if [ "$machine" = x86_64 ]; then
-                    nixStorePath=/nix/store/664kxr14kfgx4dl095crvmr7pbh9xlh5-nix-1.9
+                    nixStorePath=/nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10
                elif [[ "$machine" =~ i.86 ]]; then
-                    nixStorePath=/nix/store/p7xdvz72xx3rhm121jclsbdmmcds7xh6-nix-1.9
+                    nixStorePath=/nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10
                else
                    echo "$0: unsupported platform"
                    exit 1
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -56,7 +56,7 @@ with lib;
    system.defaultChannel = mkOption {
      internal = true;
      type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-15.09;
      description = "Default NixOS channel to which the root user is subscribed.";
    };

--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -468,6 +468,7 @@
  ./tasks/filesystems/ntfs.nix
  ./tasks/filesystems/reiserfs.nix
  ./tasks/filesystems/unionfs-fuse.nix
+  ./tasks/filesystems/vboxsf.nix
  ./tasks/filesystems/vfat.nix
  ./tasks/filesystems/xfs.nix
  ./tasks/filesystems/zfs.nix
--- a/nixos/modules/programs/command-not-found/command-not-found.nix
+++ b/nixos/modules/programs/command-not-found/command-not-found.nix
@@ -57,9 +57,9 @@ in
          if [ $? = 126 ]; then
            "$@"
          fi
-	else
+        else
          # Indicate than there was an error so ZSH falls back to its default handler
-	  return 127
+          return 127
        fi
      }
    '';
--- a/nixos/modules/programs/command-not-found/command-not-found.pl
+++ b/nixos/modules/programs/command-not-found/command-not-found.pl
@@ -30,11 +30,11 @@ The program ‘$program’ is currently not installed. It is provided by
 the package ‘$package’, which I will now install for you.
 EOF
        ;
-        exit 126 if system("nix-env", "-i", $package) == 0;
+        exit 126 if system("nix-env", "-iA", "nixos.$package") == 0;
    } else {
        print STDERR <<EOF;
 The program ‘$program’ is currently not installed. You can install it by typing:
-  nix-env -i $package
+  nix-env -iA nixos.$package
 EOF
    }
 } else {
@@ -42,7 +42,7 @@ EOF
 The program ‘$program’ is currently not installed. It is provided by
 several packages. You can install it by typing one of the following:
 EOF
-    print STDERR "  nix-env -i $_->{package}\n" foreach @$res;
+    print STDERR "  nix-env -iA nixos.$_->{package}\n" foreach @$res;
 }

 exit 127;
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -18,6 +18,14 @@ let
      exec ${askPassword}
    '';

+  knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
+
+  knownHostsText = flip (concatMapStringsSep "\n") knownHosts
+    (h: assert h.hostNames != [];
+      concatStringsSep "," h.hostNames + " "
+      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+    );
+
 in
 {
  ###### interface
@@ -92,16 +100,76 @@ in
        '';
      };

+      knownHosts = mkOption {
+        default = {};
+        type = types.loaOf (types.submodule ({ name, ... }: {
+          options = {
+            hostNames = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              description = ''
+                A list of host names and/or IP numbers used for accessing
+                the host's ssh service.
+              '';
+            };
+            publicKey = mkOption {
+              default = null;
+              type = types.nullOr types.str;
+              example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
+              description = ''
+                The public key data for the host. You can fetch a public key
+                from a running SSH server with the <command>ssh-keyscan</command>
+                command. The public key should not include any host names, only
+                the key type and the key itself.
+              '';
+            };
+            publicKeyFile = mkOption {
+              default = null;
+              type = types.nullOr types.path;
+              description = ''
+                The path to the public key file for the host. The public
+                key file is read at build time and saved in the Nix store.
+                You can fetch a public key file from a running SSH server
+                with the <command>ssh-keyscan</command> command. The content
+                of the file should follow the same format as described for
+                the <literal>publicKey</literal> option.
+              '';
+            };
+          };
+          config = {
+            hostNames = mkDefault [ name ];
+          };
+        }));
+        description = ''
+          The set of system-wide known SSH hosts.
+        '';
+        example = [
+          {
+            hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
+            publicKeyFile = literalExample "./pubkeys/myhost_ssh_host_dsa_key.pub";
+          }
+          {
+            hostNames = [ "myhost2" ];
+            publicKeyFile = literalExample "./pubkeys/myhost2_ssh_host_dsa_key.pub";
+          }
+        ];
+      };
+
    };

  };

  config = {

-    assertions = singleton
-      { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
-        message = "cannot enable X11 forwarding without setting XAuth location";
-      };
+    assertions =
+      [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
+          message = "cannot enable X11 forwarding without setting XAuth location";
+        }
+      ] ++ flip mapAttrsToList cfg.knownHosts (name: data: {
+        assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+                    (data.publicKey != null && data.publicKeyFile == null);
+        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+      });

    # SSH configuration. Slight duplication of the sshd_config
    # generation in the sshd service.
@@ -118,6 +186,8 @@ in
        ${cfg.extraConfig}
      '';

+    environment.etc."ssh/ssh_known_hosts".text = knownHostsText;
+
    # FIXME: this should really be socket-activated for über-awesomeness.
    systemd.user.services.ssh-agent =
      { enable = cfg.startAgent;
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -77,6 +77,8 @@ in zipModules ([]
 ++ obsolete [ "environment" "nix" ] [ "nix" "package" ]
 ++ obsolete [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ]
 ++ obsolete [ "fonts" "extraFonts" ] [ "fonts" "fonts" ]
++ alias [ "users" "extraUsers" ] [ "users" "users" ]
++ alias [ "users" "extraGroups" ] [ "users" "groups" ]

 ++ obsolete [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ]
 ++ obsolete [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ]
@@ -110,6 +112,7 @@ in zipModules ([]
 ++ obsolete [ "services" "sshd" "permitRootLogin" ] [ "services" "openssh" "permitRootLogin" ]
 ++ obsolete [ "services" "xserver" "startSSHAgent" ] [ "services" "xserver" "startOpenSSHAgent" ]
 ++ obsolete [ "services" "xserver" "startOpenSSHAgent" ] [ "programs" "ssh" "startAgent" ]
++ alias [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ]

 # VirtualBox
 ++ obsolete [ "services" "virtualbox" "enable" ] [ "virtualisation" "virtualbox" "guest" "enable" ]
--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@@ -105,7 +105,7 @@ in {
      tokenAuth = mkOption {
        description = ''
          Kubernetes apiserver token authentication file. See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authentication.html"/>
        '';
        default = {};
        example = literalExample ''
@@ -120,7 +120,7 @@ in {
      authorizationMode = mkOption {
        description = ''
          Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
        '';
        default = "AlwaysAllow";
        type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"];
@@ -129,7 +129,7 @@ in {
      authorizationPolicy = mkOption {
        description = ''
          Kubernetes apiserver authorization policy file. See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
        '';
        default = [];
        example = literalExample ''
@@ -159,18 +159,37 @@ in {
      };

      runtimeConfig = mkOption {
-        description = "Api runtime configuration";
+        description = ''
+          Api runtime configuration. See
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/>
+        '';
        default = "";
        example = "api/all=false,api/v1=true";
        type = types.str;
      };

      admissionControl = mkOption {
-        description = "Kubernetes admission control plugins to use.";
+        description = ''
+          Kubernetes admission control plugins to use. See
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/admission-controllers.html"/>
+        '';
        default = ["AlwaysAdmit"];
+        example = [
+          "NamespaceLifecycle" "NamespaceExists" "LimitRanger"
+          "SecurityContextDeny" "ServiceAccount" "ResourceQuota"
+        ];
        type = types.listOf types.str;
      };

+      serviceAccountKey = mkOption {
+        description = ''
+          Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
+          used to verify ServiceAccount tokens.
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
      extraOpts = mkOption {
        description = "Kubernetes apiserver extra command line options.";
        default = "";
@@ -235,8 +254,26 @@ in {
        type = types.str;
      };

+      serviceAccountPrivateKey = mkOption {
+        description = ''
+          Kubernetes controller manager PEM-encoded private RSA key file used to
+          sign service account tokens
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
+      rootCaFile = mkOption {
+        description = ''
+          Kubernetes controller manager certificate authority file included in
+          service account's token secret.
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
      extraOpts = mkOption {
-        description = "Kubernetes controller extra command line options.";
+        description = "Kubernetes controller manager extra command line options.";
        default = "";
        type = types.str;
      };
@@ -294,7 +331,10 @@ in {
      };

      apiServers = mkOption {
-        description = "Kubernetes kubelet list of Kubernetes API servers for publishing events, and reading pods and services.";
+        description = ''
+          Kubernetes kubelet list of Kubernetes API servers for publishing events,
+          and reading pods and services.
+        '';
        default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];
        type = types.listOf types.str;
      };
@@ -413,17 +453,14 @@ in {
            ${optionalString (cfg.apiserver.runtimeConfig!="")
              "--runtime-config=${cfg.apiserver.runtimeConfig}"} \
            --admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \
+            ${optionalString (cfg.apiserver.serviceAccountKey!=null)
+              "--service-account-key-file=${cfg.apiserver.serviceAccountKey}"} \
            --logtostderr=true \
            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
            ${cfg.apiserver.extraOpts}
          '';
          User = "kubernetes";
        };
-        postStart = ''
-          until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.apiserver.address}:${toString cfg.apiserver.port}/'; do
-            sleep 1;
-          done
-        '';
      };
    })

@@ -456,6 +493,10 @@ in {
            --address=${cfg.controllerManager.address} \
            --port=${toString cfg.controllerManager.port} \
            --master=${cfg.controllerManager.master} \
+            ${optionalString (cfg.controllerManager.serviceAccountPrivateKey!=null)
+              "--service-account-private-key-file=${cfg.controllerManager.serviceAccountPrivateKey}"} \
+            ${optionalString (cfg.controllerManager.rootCaFile!=null)
+              "--root-ca-file=${cfg.controllerManager.rootCaFile}"} \
            --logtostderr=true \
            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
            ${cfg.controllerManager.extraOpts}
@@ -509,6 +550,8 @@ in {
            ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
            ${cfg.proxy.extraOpts}
          '';
+          Restart = "always"; # Retry connection
+          RestartSec = "5s";
        };
      };
    })
--- a/nixos/modules/services/databases/opentsdb.nix
+++ b/nixos/modules/services/databases/opentsdb.nix
@@ -5,10 +5,7 @@ with lib;
 let
  cfg = config.services.opentsdb;

-  configFile = pkgs.writeText "opentsdb.conf" ''
-    tsd.core.auto_create_metrics = true
-    tsd.http.request.enable_chunked  = true
-  '';
+  configFile = pkgs.writeText "opentsdb.conf" cfg.config;

 in {

@@ -59,6 +56,17 @@ in {
        '';
      };

+      config = mkOption {
+        type = types.lines;
+        default = ''
+          tsd.core.auto_create_metrics = true
+          tsd.http.request.enable_chunked  = true
+        '';
+        description = ''
+          The contents of OpenTSDB's configuration file
+        '';
+      };
+
    };

  };
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@@ -180,9 +180,7 @@ in
        firmware to function).  If multiple packages contain firmware
        files with the same name, the first package in the list takes
        precedence.  Note that you must rebuild your system if you add
-        files to any of these directories.  For quick testing,
-        put firmware files in <filename>/root/test-firmware</filename>
-        and add that directory to the list.
+        files to any of these directories.
      '';
      apply = list: pkgs.buildEnv {
        name = "firmware";
--- a/nixos/modules/services/logging/logstash.nix
+++ b/nixos/modules/services/logging/logstash.nix
@@ -132,6 +132,7 @@ in
      description = "Logstash Daemon";
      wantedBy = [ "multi-user.target" ];
      environment = { JAVA_HOME = jre; };
+      path = [ pkgs.bash ];
      serviceConfig = {
        ExecStart =
          "${cfg.package}/bin/logstash agent " +
--- a/nixos/modules/services/misc/nixos-manual.nix
+++ b/nixos/modules/services/misc/nixos-manual.nix
@@ -93,7 +93,7 @@ in

    system.build.manual = manual;

-    environment.systemPackages = [ manual.manpages help ];
+    environment.systemPackages = [ manual.manpages manual.manual help ];

    boot.extraTTYs = mkIf cfg.showManual ["tty${cfg.ttyNumber}"];

--- a/nixos/modules/services/monitoring/bosun.nix
+++ b/nixos/modules/services/monitoring/bosun.nix
@@ -30,6 +30,7 @@ in {

      package = mkOption {
        type = types.package;
+        default = pkgs.bosun;
        example = literalExample "pkgs.bosun";
        description = ''
          bosun binary to use.
@@ -95,8 +96,6 @@ in {

  config = mkIf cfg.enable {
  
-    services.bosun.package = mkDefault pkgs.bosun; 
-
    systemd.services.bosun = {
      description = "bosun metrics collector (part of Bosun)";
      wantedBy = [ "multi-user.target" ];
--- a/nixos/modules/services/network-filesystems/nfsd.nix
+++ b/nixos/modules/services/network-filesystems/nfsd.nix
@@ -88,10 +88,7 @@ in

    environment.systemPackages = [ pkgs.nfs-utils ];

-    environment.etc = singleton
-      { source = exports;
-        target = "exports";
-      };
+    environment.etc.exports.source = exports;

    boot.kernelModules = [ "nfsd" ];

--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -9,14 +9,6 @@ let

  nssModulesPath = config.system.nssModules.path;

-  knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
-
-  knownHostsText = flip (concatMapStringsSep "\n") knownHosts
-    (h:
-      concatStringsSep "," h.hostNames + " "
-      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-    );
-
  userOptions = {

    openssh.authorizedKeys = {
@@ -48,8 +40,7 @@ let
  };

  authKeysFiles = let
-    mkAuthKeyFile = u: {
-      target = "ssh/authorized_keys.d/${u.name}";
+    mkAuthKeyFile = u: nameValuePair "ssh/authorized_keys.d/${u.name}" {
      mode = "0444";
      source = pkgs.writeText "${u.name}-authorized_keys" ''
        ${concatStringsSep "\n" u.openssh.authorizedKeys.keys}
@@ -59,7 +50,7 @@ let
    usersWithKeys = attrValues (flip filterAttrs config.users.extraUsers (n: u:
      length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
    ));
-  in map mkAuthKeyFile usersWithKeys;
+  in listToAttrs (map mkAuthKeyFile usersWithKeys);

 in

@@ -211,57 +202,6 @@ in
        description = "Verbatim contents of <filename>sshd_config</filename>.";
      };

-      knownHosts = mkOption {
-        default = {};
-        type = types.loaOf types.optionSet;
-        description = ''
-          The set of system-wide known SSH hosts.
-        '';
-        example = [
-          {
-            hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = literalExample "./pubkeys/myhost_ssh_host_dsa_key.pub";
-          }
-          {
-            hostNames = [ "myhost2" ];
-            publicKeyFile = literalExample "./pubkeys/myhost2_ssh_host_dsa_key.pub";
-          }
-        ];
-        options = {
-          hostNames = mkOption {
-            type = types.listOf types.str;
-            default = [];
-            description = ''
-              A list of host names and/or IP numbers used for accessing
-              the host's ssh service.
-            '';
-          };
-          publicKey = mkOption {
-            default = null;
-            type = types.nullOr types.str;
-            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
-            description = ''
-              The public key data for the host. You can fetch a public key
-              from a running SSH server with the <command>ssh-keyscan</command>
-              command. The public key should not include any host names, only
-              the key type and the key itself.
-            '';
-          };
-          publicKeyFile = mkOption {
-            default = null;
-            type = types.nullOr types.path;
-            description = ''
-              The path to the public key file for the host. The public
-              key file is read at build time and saved in the Nix store.
-              You can fetch a public key file from a running SSH server
-              with the <command>ssh-keyscan</command> command. The content
-              of the file should follow the same format as described for
-              the <literal>publicKey</literal> option.
-            '';
-          };
-        };
-      };
-
      moduliFile = mkOption {
        example = "services.openssh.moduliFile = /etc/my-local-ssh-moduli;";
        type = types.path;
@@ -274,7 +214,7 @@ in

    };

-    users.extraUsers = mkOption {
+    users.users = mkOption {
      options = [ userOptions ];
    };

@@ -292,14 +232,8 @@ in

    services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";

-    environment.etc = authKeysFiles ++ [
-      { source = cfg.moduliFile;
-        target = "ssh/moduli";
-      }
-      { text = knownHostsText;
-        target = "ssh/ssh_known_hosts";
-      }
-    ];
+    environment.etc = authKeysFiles //
+      { "ssh/moduli".source = cfg.moduliFile; };

    systemd =
      let
@@ -417,11 +351,6 @@ in

    assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
                    message = "cannot enable X11 forwarding without setting xauth location";}]
-      ++ flip mapAttrsToList cfg.knownHosts (name: data: {
-        assertion = (data.publicKey == null && data.publicKeyFile != null) ||
-                    (data.publicKey != null && data.publicKeyFile == null);
-        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
-      })
      ++ flip map cfg.listenAddresses ({ addr, port, ... }: {
        assertion = addr != null;
        message = "addr must be specified in each listenAddresses entry";
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -117,7 +117,6 @@ let
    ]
    ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
    ++ optional enableSSL "ssl"
-    ++ optional mainCfg.enableCompression "deflate"
    ++ extraApacheModules;


@@ -177,27 +176,6 @@ let
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXP
  '';

-  # From http://paulstamatiou.com/how-to-optimize-your-apache-site-with-mod-deflate/
-  compressConf = ''
-    SetOutputFilter DEFLATE
-
-    # Don't compress binaries
-    SetEnvIfNoCase Request_URI .(?:exe|t?gz|zip|iso|tar|bz2|sit|rar) no-gzip dont-vary
-    # Don't compress images
-    SetEnvIfNoCase Request_URI .(?:gif|jpe?g|jpg|ico|png)  no-gzip dont-vary
-    # Don't compress PDFs
-    SetEnvIfNoCase Request_URI .pdf no-gzip dont-vary
-    # Don't compress flash files (only relevant if you host your own videos)
-    SetEnvIfNoCase Request_URI .flv no-gzip dont-vary
-    # Netscape 4.X has some problems
-    BrowserMatch ^Mozilla/4 gzip-only-text/html
-    # Netscape 4.06-4.08 have some more problems
-    BrowserMatch ^Mozilla/4.0[678] no-gzip
-    # MSIE masquerades as Netscape, but it is fine
-    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
-    # Make sure proxies don't deliver the wrong content
-    Header append Vary User-Agent env=!dont-vary
-  '';

  mimeConf = ''
    TypesConfig ${httpd}/conf/mime.types
@@ -373,7 +351,6 @@ let
    ${mimeConf}
    ${loggingConf}
    ${browserHacks}
-    ${optionalString mainCfg.enableCompression compressConf}

    Include ${httpd}/conf/extra/httpd-default.conf
    Include ${httpd}/conf/extra/httpd-autoindex.conf
@@ -446,7 +423,7 @@ in
      enable = mkOption {
        type = types.bool;
        default = false;
-        description = "Enable the Apache HTTP Server.";
+        description = "Whether to enable the Apache HTTP Server.";
      };

      package = mkOption {
@@ -609,12 +586,6 @@ in
        description =
          "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
      };
-
-      enableCompression = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Enable compression of responses using mod_deflate.";
-      };
    }

    # Include the options shared between the main server and virtual hosts.
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -8,9 +8,12 @@ let
  configFile = pkgs.writeText "nginx.conf" ''
    user ${cfg.user} ${cfg.group};
    daemon off;
+
    ${cfg.config}
+
    ${optionalString (cfg.httpConfig != "") ''
    http {
+      include ${cfg.package}/conf/mime.types;
      ${cfg.httpConfig}
    }
    ''}
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -99,7 +99,6 @@ in {
    networking.networkmanager.enable = mkDefault true;
    services.upower.enable = config.powerManagement.enable;
    hardware.bluetooth.enable = mkDefault true;
-    services.xserver.displayManager.desktopManagerHandlesLidAndPower = false; # true doesn't make sense here, GNOME just doesn't handle it anymore

    fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ];

--- a/nixos/modules/services/x11/desktop-managers/kodi.nix
+++ b/nixos/modules/services/x11/desktop-managers/kodi.nix
@@ -28,4 +28,4 @@ in

    environment.systemPackages = [ pkgs.kodi ];
  };
-}
+}
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -62,7 +62,7 @@ let
        if [ -z "$_INHIBITION_LOCK_TAKEN" ]; then
          export _INHIBITION_LOCK_TAKEN=1
          if ! ${config.systemd.package}/bin/loginctl show-session $XDG_SESSION_ID | grep -q '^RemoteHost='; then
-            exec ${config.systemd.package}/bin/systemd-inhibit --what=handle-lid-switch:handle-power-key --why="See NixOS configuration option 'services.xserver.displayManager.desktopManagerHandlesLidAndPower' for more information." "$0" "$sessionType"
+            exec ${config.systemd.package}/bin/systemd-inhibit --what=handle-lid-switch:handle-power-key --why="Desktop environment handles power events" "$0" "$sessionType"
          fi
        fi

@@ -114,6 +114,10 @@ let
      rm -rf $HOME/.compose-cache
      mkdir $HOME/.compose-cache

+      # Work around KDE errors when a user first logs in and
+      # .local/share doesn't exist yet.
+      mkdir -p $HOME/.local/share
+
      ${cfg.displayManager.sessionCommands}

      # Allow the user to execute commands at the beginning of the X session.
@@ -161,7 +165,11 @@ let
      exit 0
    '';

-  mkDesktops = names: pkgs.runCommand "desktops" {}
+  mkDesktops = names: pkgs.runCommand "desktops"
+    { # trivial derivation
+      preferLocalBuild = true;
+      allowSubstitutes = false;
+    }
    ''
      mkdir -p $out
      ${concatMapStrings (n: ''
@@ -225,7 +233,7 @@ in

      desktopManagerHandlesLidAndPower = mkOption {
        type = types.bool;
-        default = true;
+        default = false;
        description = ''
          Whether the display manager should prevent systemd from handling
          lid and power events. This is normally handled by the desktop
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -65,7 +65,7 @@ in
    systemd.services.display-manager.wants = [ "systemd-machined.service" ];
    systemd.services.display-manager.after = [ "systemd-machined.service" ];

-    systemd.services.display-manager.path = [ gnome3.gnome_shell gnome3.caribou pkgs.xlibs.xhost pkgs.dbus_tools ];
+    systemd.services.display-manager.path = [ gnome3.gnome_shell gnome3.caribou pkgs.xorg.xhost pkgs.dbus_tools ];

    services.dbus.packages = [ gdm ];

--- a/nixos/modules/services/x11/display-managers/kdm.nix
+++ b/nixos/modules/services/x11/display-managers/kdm.nix
@@ -19,7 +19,7 @@ let
      ''}

      [X-*-Core]
-      Xrdb=${pkgs.xlibs.xrdb}/bin/xrdb
+      Xrdb=${pkgs.xorg.xrdb}/bin/xrdb
      SessionsDirs=${dmcfg.session.desktops}
      Session=${dmcfg.session.script}
      FailsafeClient=${pkgs.xterm}/bin/xterm
--- a/nixos/modules/system/boot/modprobe.nix
+++ b/nixos/modules/system/boot/modprobe.nix
@@ -85,11 +85,7 @@ with lib;
        '')}
        ${config.boot.extraModprobeConfig}
      '';
-    environment.etc."modprobe.d/usb-load-ehci-first.conf".text =
-      ''
-        softdep uhci_hcd pre: ehci_hcd
-        softdep ohci_hcd pre: ehci_hcd
-      '';
+    environment.etc."modprobe.d/debian.conf".source = pkgs.kmod-debian-aliases;

    environment.systemPackages = [ config.system.sbin.modprobe pkgs.kmod ];

--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -290,10 +290,23 @@ mountFS() {
        if [ -z "$fsType" ]; then fsType=auto; fi
    fi

-    echo "$device /mnt-root$mountPoint $fsType $options" >> /etc/fstab
+    # Filter out x- options, which busybox doesn't do yet.
+    local optionsFiltered="$(IFS=,; for i in $options; do if [ "${i:0:2}" != "x-" ]; then echo -n $i,; fi; done)"
+
+    echo "$device /mnt-root$mountPoint $fsType $optionsFiltered" >> /etc/fstab

    checkFS "$device" "$fsType"

+    # Optionally resize the filesystem.
+    case $options in
+        *x-nixos.autoresize*)
+            if [ "$fsType" = ext2 -o "$fsType" = ext3 -o "$fsType" = ext4 ]; then
+                echo "resizing $device..."
+                resize2fs "$device"
+            fi
+            ;;
+    esac
+
    # Create backing directories for unionfs-fuse.
    if [ "$fsType" = unionfs-fuse ]; then
        for i in $(IFS=:; echo ${options##*,dirs=}); do
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -70,6 +70,12 @@ let
      copy_bin_and_libs ${pkgs.kmod}/bin/kmod
      ln -sf kmod $out/bin/modprobe

+      # Copy resize2fs if needed.
+      ${optionalString (any (fs: fs.autoResize) (attrValues config.fileSystems)) ''
+        # We need mke2fs in the initrd.
+        copy_bin_and_libs ${pkgs.e2fsprogs}/sbin/resize2fs
+      ''}
+
      ${config.boot.initrd.extraUtilsCommands}

      # Copy ld manually since it isn't detected correctly
@@ -241,6 +247,9 @@ let
          };
          symlink = "/etc/modprobe.d/ubuntu.conf";
        }
+        { object = pkgs.kmod-debian-aliases;
+          symlink = "/etc/modprobe.d/debian.conf";
+        }
      ];
  };

@@ -390,7 +399,6 @@ in
      }
    ];

-
    system.build.bootStage1 = bootStage1;
    system.build.initialRamdisk = initialRamdisk;
    system.build.extraUtils = extraUtils;
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -643,6 +643,10 @@ in
        if ! [ -e /etc/machine-id ]; then
          ${systemd}/bin/systemd-machine-id-setup
        fi
+
+        # Keep a persistent journal. Note that systemd-tmpfiles will
+        # set proper ownership/permissions.
+        mkdir -m 0700 -p /var/log/journal
      '';

    users.extraUsers.systemd-network.uid = config.ids.uids.systemd-network;
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -7,7 +7,7 @@ let

  fileSystems = attrValues config.fileSystems;

-  prioOption = prio: optionalString (prio !=null) " pri=${toString prio}";
+  prioOption = prio: optionalString (prio != null) " pri=${toString prio}";

  fileSystemOpts = { name, config, ... }: {

@@ -41,9 +41,9 @@ let
      };

      options = mkOption {
-        default = "defaults,relatime";
+        default = "defaults";
        example = "data=journal";
-        type = types.commas;
+        type = types.commas; # FIXME: should be a list
        description = "Options used to mount the file system.";
      };

@@ -58,6 +58,17 @@ let
        '';
      };

+      autoResize = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          If set, the filesystem is grown to its maximum size before
+          being mounted. (This is typically the size of the containing
+          partition.) This is currently only supported for ext2/3/4
+          filesystems that are mounted during early boot.
+        '';
+      };
+
      noCheck = mkOption {
        default = false;
        type = types.bool;
@@ -69,6 +80,7 @@ let
    config = {
      mountPoint = mkDefault name;
      device = mkIf (config.fsType == "tmpfs") (mkDefault config.fsType);
+      options = mkIf config.autoResize "x-nixos.autoresize";
    };

  };
@@ -141,7 +153,7 @@ in

    environment.etc.fstab.text =
      let
-        fsToSkipCheck = [ "none" "btrfs" "zfs" "tmpfs" "nfs" ];
+        fsToSkipCheck = [ "none" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" ];
        skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck;
      in ''
        # This is a generated file.  Do not edit!
--- a/nixos/modules/tasks/filesystems/vboxsf.nix
+++ b/nixos/modules/tasks/filesystems/vboxsf.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  inInitrd = any (fs: fs == "vboxsf") config.boot.initrd.supportedFilesystems;
+
+  package = pkgs.runCommand "mount.vboxsf" {} ''
+    mkdir -p $out/bin
+    cp ${pkgs.linuxPackages.virtualboxGuestAdditions}/bin/mount.vboxsf $out/bin
+  '';
+in
+
+{
+  config = mkIf (any (fs: fs == "vboxsf") config.boot.supportedFilesystems) {
+
+    system.fsPackages = [ package ];
+
+    boot.initrd.kernelModules = mkIf inInitrd [ "vboxsf" ];
+
+  };
+}
--- a/nixos/modules/virtualisation/amazon-config.nix
+++ b/nixos/modules/virtualisation/amazon-config.nix
@@ -1,3 +0,0 @@
-{
-  imports = [ <nixpkgs/nixos/modules/virtualisation/amazon-image.nix> ];
-}
--- a/nixos/modules/virtualisation/amazon-grow-partition.nix
+++ b/nixos/modules/virtualisation/amazon-grow-partition.nix
@@ -0,0 +1,50 @@
+# This module automatically grows the root partition on Amazon EC2 HVM
+# instances. This allows an instance to be created with a bigger root
+# filesystem than provided by the AMI.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  growpart = pkgs.stdenv.mkDerivation {
+    name = "growpart";
+    src = pkgs.fetchurl {
+      url = "https://launchpad.net/cloud-utils/trunk/0.27/+download/cloud-utils-0.27.tar.gz";
+      sha256 = "16shlmg36lidp614km41y6qk3xccil02f5n3r4wf6d1zr5n4v8vd";
+    };
+    patches = [ ./growpart-util-linux-2.26.patch ];
+    buildPhase = ''
+      cp bin/growpart $out
+      sed -i 's|awk|gawk|' $out
+      sed -i 's|sed|gnused|' $out
+    '';
+    dontInstall = true;
+    dontPatchShebangs = true;
+  };
+
+in
+
+{
+
+  config = mkIf config.ec2.hvm {
+
+    boot.initrd.extraUtilsCommands = ''
+      copy_bin_and_libs ${pkgs.gawk}/bin/gawk
+      copy_bin_and_libs ${pkgs.gnused}/bin/sed
+      copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk
+      cp -v ${growpart} $out/bin/growpart
+      ln -s sed $out/bin/gnused
+    '';
+
+    boot.initrd.postDeviceCommands = ''
+      if [ -e /dev/xvda ] && [ -e /dev/xvda1 ]; then
+        TMPDIR=/run sh $(type -P growpart) /dev/xvda 1
+        udevadm settle
+      fi
+    '';
+
+  };
+
+}
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -1,105 +1,40 @@
+# Configuration for Amazon EC2 instances. (Note that this file is a
+# misnomer - it should be "amazon-config.nix" or so, not
+# "amazon-image.nix", since it's used not only to build images but
+# also to reconfigure instances. However, we can't rename it because
+# existing "configuration.nix" files on EC2 instances refer to it.)
+
 { config, lib, pkgs, ... }:

 with lib;
-let
-  cfg = config.ec2;
-in
+
+let cfg = config.ec2; in
+
 {
-  imports = [ ../profiles/headless.nix ./ec2-data.nix ];
+  imports = [ ../profiles/headless.nix ./ec2-data.nix ./amazon-grow-partition.nix ];

  config = {
-    system.build.amazonImage =
-      pkgs.vmTools.runInLinuxVM (
-        pkgs.runCommand "amazon-image"
-          { preVM =
-              ''
-                mkdir $out
-                diskImage=$out/nixos.img
-                ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "8G"
-                mv closure xchg/
-              '';
-            buildInputs = [ pkgs.utillinux pkgs.perl ];
-            exportReferencesGraph =
-              [ "closure" config.system.build.toplevel ];
-          }
-          ''
-            ${if cfg.hvm then ''
-              # Create a single / partition.
-              ${pkgs.parted}/sbin/parted /dev/vda mklabel msdos
-              ${pkgs.parted}/sbin/parted /dev/vda -- mkpart primary ext2 1M -1s
-              . /sys/class/block/vda1/uevent
-              mknod /dev/vda1 b $MAJOR $MINOR

-              # Create an empty filesystem and mount it.
-              ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda1
-              ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1
-              mkdir /mnt
-              mount /dev/vda1 /mnt
-            '' else ''
-              # Create an empty filesystem and mount it.
-              ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda
-              ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda
-              mkdir /mnt
-              mount /dev/vda /mnt
-            ''}
-
-            # The initrd expects these directories to exist.
-            mkdir /mnt/dev /mnt/proc /mnt/sys
-
-            mount -o bind /proc /mnt/proc
-            mount -o bind /dev /mnt/dev
-            mount -o bind /sys /mnt/sys
-
-            # Copy all paths in the closure to the filesystem.
-            storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
-
-            mkdir -p /mnt/nix/store
-            echo "copying everything (will take a while)..."
-            cp -prd $storePaths /mnt/nix/store/
-
-            # Register the paths in the Nix database.
-            printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
-                chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group ""
-
-            # Create the system profile to allow nixos-rebuild to work.
-            chroot /mnt ${config.nix.package}/bin/nix-env --option build-users-group "" \
-                -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
-
-            # `nixos-rebuild' requires an /etc/NIXOS.
-            mkdir -p /mnt/etc
-            touch /mnt/etc/NIXOS
-
-            # `switch-to-configuration' requires a /bin/sh
-            mkdir -p /mnt/bin
-            ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
-
-            # Install a configuration.nix.
-            mkdir -p /mnt/etc/nixos
-            cp ${./amazon-config.nix} /mnt/etc/nixos/configuration.nix
-
-            # Generate the GRUB menu.
-            ln -s vda /dev/xvda
-            chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
-
-            umount /mnt/proc /mnt/dev /mnt/sys
-            umount /mnt
-          ''
-      );
-
-    fileSystems."/".device = "/dev/disk/by-label/nixos";
+    fileSystems."/" = {
+      device = "/dev/disk/by-label/nixos";
+      autoResize = true;
+    };

    boot.initrd.kernelModules = [ "xen-blkfront" ];
    boot.kernelModules = [ "xen-netfront" ];
+    boot.kernelParams = mkIf cfg.hvm [ "console=ttyS0" ];

    # Prevent the nouveau kernel module from being loaded, as it
    # interferes with the nvidia/nvidia-uvm modules needed for CUDA.
-    boot.blacklistedKernelModules = [ "nouveau" ];
+    # Also blacklist xen_fbfront to prevent a 30 second delay during
+    # boot.
+    boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ];

    # Generate a GRUB menu.  Amazon's pv-grub uses this to boot our kernel/initrd.
    boot.loader.grub.version = if cfg.hvm then 2 else 1;
    boot.loader.grub.device = if cfg.hvm then "/dev/xvda" else "nodev";
    boot.loader.grub.timeout = 0;
-    boot.loader.grub.extraPerEntryConfig = "root (hd0${lib.optionalString cfg.hvm ",0"})";
+    boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)";

    boot.initrd.postDeviceCommands =
      ''
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -299,7 +299,7 @@ in
            ''
              #! ${pkgs.stdenv.shell} -e
              ${nixos-container}/bin/nixos-container run "$INSTANCE" -- \
-                bash --login -c "/nix/var/nix/profiles/system/bin/switch-to-configuration test"
+                bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
            '';

          SyslogIdentifier = "container %i";
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@@ -43,6 +43,17 @@ in
            in future.  So set this option explicitly to false if you wish.
          '';
      };
+    storageDriver =
+      mkOption {
+        type = types.enum ["aufs" "btrfs" "devicemapper" "overlay" "zfs"];
+        description =
+          ''
+            This option determines which Docker storage driver to use.
+            It is required but lacks a default value as its most
+            suitable value will depend the filesystems available on the
+            host.
+          '';
+      };
    extraOptions =
      mkOption {
        type = types.separatedString " ";
@@ -85,7 +96,7 @@ in
        after = [ "network.target" "docker.socket" ];
        requires = [ "docker.socket" ];
        serviceConfig = {
-          ExecStart = "${pkgs.docker}/bin/docker --daemon=true --host=fd:// --group=docker ${cfg.extraOptions}";
+          ExecStart = "${pkgs.docker}/bin/docker daemon --host=fd:// --group=docker --storage-driver=${cfg.storageDriver} ${cfg.extraOptions}";
          #  I'm not sure if that limits aren't too high, but it's what
          #  goes in config bundled with docker itself
          LimitNOFILE = 1048576;
@@ -111,7 +122,7 @@ in
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = {
-          ExecStart = "${pkgs.docker}/bin/docker --daemon=true --group=docker ${cfg.extraOptions}";
+          ExecStart = "${pkgs.docker}/bin/docker daemon --group=docker --storage-driver=${cfg.storageDriver} ${cfg.extraOptions}";
          #  I'm not sure if that limits aren't too high, but it's what
          #  goes in config bundled with docker itself
          LimitNOFILE = 1048576;
--- a/nixos/modules/virtualisation/ec2-data.nix
+++ b/nixos/modules/virtualisation/ec2-data.nix
@@ -9,7 +9,7 @@ with lib;
 {
  config = {

-    systemd.services."fetch-ec2-data" =
+    systemd.services.fetch-ec2-data =
      { description = "Fetch EC2 Data";

        wantedBy = [ "multi-user.target" "sshd.service" ];
@@ -35,10 +35,8 @@ with lib;
                mkdir -m 0700 -p /root/.ssh
                $wget http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key > /root/key.pub
                if [ $? -eq 0 -a -e /root/key.pub ]; then
-                    if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then
-                        cat /root/key.pub >> /root/.ssh/authorized_keys
-                        echo "new key added to authorized_keys"
-                    fi
+                    cat /root/key.pub >> /root/.ssh/authorized_keys
+                    echo "new key added to authorized_keys"
                    chmod 600 /root/.ssh/authorized_keys
                    rm -f /root/key.pub
                fi
@@ -48,13 +46,22 @@ with lib;
            # the supplied user data, if available.  Otherwise sshd will
            # generate one normally.
            $wget http://169.254.169.254/2011-01-01/user-data > /root/user-data || true
+
+            mkdir -m 0755 -p /etc/ssh
+
            key="$(sed 's/|/\n/g; s/SSH_HOST_DSA_KEY://; t; d' /root/user-data)"
            key_pub="$(sed 's/SSH_HOST_DSA_KEY_PUB://; t; d' /root/user-data)"
            if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_dsa_key ]; then
-                mkdir -m 0755 -p /etc/ssh
                (umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)
                echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
            fi
+
+            key="$(sed 's/|/\n/g; s/SSH_HOST_ED25519_KEY://; t; d' /root/user-data)"
+            key_pub="$(sed 's/SSH_HOST_ED25519_KEY_PUB://; t; d' /root/user-data)"
+            if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_ed25519_key ]; then
+                (umask 077; echo "$key" > /etc/ssh/ssh_host_ed25519_key)
+                echo "$key_pub" > /etc/ssh/ssh_host_ed25519_key.pub
+            fi
          '';

        serviceConfig.Type = "oneshot";
@@ -71,7 +78,9 @@ with lib;
            # can obtain it securely by parsing the output of
            # ec2-get-console-output.
            echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" > /dev/console
-            ${config.programs.ssh.package}/bin/ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub > /dev/console
+            for i in /etc/ssh/ssh_host_*_key.pub; do
+                ${config.programs.ssh.package}/bin/ssh-keygen -l -f $i > /dev/console
+            done
            echo "-----END SSH HOST KEY FINGERPRINTS-----" > /dev/console
          '';
        serviceConfig.Type = "oneshot";
--- a/nixos/modules/virtualisation/growpart-util-linux-2.26.patch
+++ b/nixos/modules/virtualisation/growpart-util-linux-2.26.patch
@@ -0,0 +1,88 @@
+From 1895d10a7539d055a4e0206af1e7a9e5ea32a4f7 Mon Sep 17 00:00:00 2001
+From: Juerg Haefliger <juerg.haefliger@hp.com>
+Date: Wed, 25 Mar 2015 13:59:20 +0100
+Subject: [PATCH] Support new sfdisk version 2.26
+
+The sfdisk usage with version 2.26 changed. Specifically, the option
+--show-pt-geometry and functionality for CHS have been removed.
+Also, restoring a backup MBR now needs to be done using dd.
+---
+ bin/growpart | 28 ++++++++++------------------
+ 1 file changed, 10 insertions(+), 18 deletions(-)
+
+diff --git a/bin/growpart b/bin/growpart
+index 595c40b..d4c995b 100755
+--- a/bin/growpart
+++ b/bin/growpart
+@@ -28,7 +28,6 @@ PART=""
+ PT_UPDATE=false
+ DRY_RUN=0
+ 
+-MBR_CHS=""
+ MBR_BACKUP=""
+ GPT_BACKUP=""
+ _capture=""
+@@ -133,7 +132,8 @@ bad_Usage() {
+ }
+ 
+ mbr_restore() {
+-	sfdisk --no-reread "${DISK}" ${MBR_CHS} -I "${MBR_BACKUP}"
+	dd if="${MBR_BACKUP}-${DISK#/dev/}-0x00000000.bak" of="${DISK}" bs=1 \
+		conv=notrunc
+ }
+ 
+ sfdisk_worked_but_blkrrpart_failed() {
+@@ -148,34 +148,26 @@ sfdisk_worked_but_blkrrpart_failed() {
+ 
+ mbr_resize() {
+ 	RESTORE_HUMAN="${TEMP_D}/recovery"
+-	MBR_BACKUP="${TEMP_D}/orig.save"
+	MBR_BACKUP="${TEMP_D}/backup"
+ 
+ 	local change_out=${TEMP_D}/change.out
+ 	local dump_out=${TEMP_D}/dump.out
+ 	local new_out=${TEMP_D}/new.out
+ 	local dump_mod=${TEMP_D}/dump.mod
+-	local tmp="${TEMP_D}/tmp.out"
+-	local err="${TEMP_D}/err.out"
+ 
+-	local _devc cyl _w1 heads _w2 sectors _w3 tot dpart
+	local tot dpart
+ 	local pt_start pt_size pt_end max_end new_size change_info
+ 
+-	# --show-pt-geometry outputs something like
+-	#     /dev/sda: 164352 cylinders, 4 heads, 32 sectors/track
+-	rqe sfd_geom sfdisk "${DISK}" --show-pt-geometry >"${tmp}" &&
+-		read _devc cyl _w1 heads _w2 sectors _w3 <"${tmp}" &&
+-		MBR_CHS="-C ${cyl} -H ${heads} -S ${sectors}" ||
+-		fail "failed to get CHS from ${DISK}"
+	tot=$(sfdisk --list "${DISK}" | awk '{ print $(NF-1) ; exit }') ||
+		fail "failed to get total number of sectors from ${DISK}"
+ 
+-	tot=$((${cyl}*${heads}*${sectors}))
+	debug 1 "total number of sectors of ${DISK} is ${tot}"
+ 
+-	debug 1 "geometry is ${MBR_CHS}. total size=${tot}"
+-	rqe sfd_dump sfdisk ${MBR_CHS} --unit=S --dump "${DISK}" \
+	rqe sfd_dump sfdisk --dump "${DISK}" \
+ 		>"${dump_out}" ||
+ 		fail "failed to dump sfdisk info for ${DISK}"
+-
+ 	{
+-		echo "## sfdisk ${MBR_CHS} --unit=S --dump ${DISK}"
+		echo "## sfdisk --dump ${DISK}"
+ 		cat "${dump_out}"
+ 	}  >"${RESTORE_HUMAN}"
+ 	[ $? -eq 0 ] || fail "failed to save sfdisk -d output"
+@@ -237,7 +229,7 @@ mbr_resize() {
+ 		exit 0
+ 	fi
+ 
+-	LANG=C sfdisk --no-reread "${DISK}" ${MBR_CHS} --force \
+	LANG=C sfdisk --no-reread "${DISK}" --force \
+ 		-O "${MBR_BACKUP}" <"${new_out}" >"${change_out}" 2>&1
+ 	ret=$?
+ 	[ $ret -eq 0 ] || RESTORE_FUNC="mbr_restore"
+-- 
+2.1.4
+
--- a/nixos/modules/virtualisation/nixos-container.pl
+++ b/nixos/modules/virtualisation/nixos-container.pl
@@ -290,7 +290,8 @@ elsif ($action eq "show-ip") {
 }

 elsif ($action eq "show-host-key") {
-    my $fn = "$root/etc/ssh/ssh_host_ecdsa_key.pub";
+    my $fn = "$root/etc/ssh/ssh_host_ed25519_key.pub";
+    $fn = "$root/etc/ssh/ssh_host_ecdsa_key.pub" unless -e $fn;
    exit 1 if ! -f $fn;
    print read_file($fn);
 }
--- a/nixos/modules/virtualisation/openvswitch.nix
+++ b/nixos/modules/virtualisation/openvswitch.nix
@@ -67,7 +67,6 @@ in {
      description = "Open_vSwitch Database Server";
      wantedBy = [ "multi-user.target" ];
      after = [ "systemd-udev-settle.service" ];
-      wants = [ "vswitchd.service" ];
      path = [ cfg.package ];
      restartTriggers = [ db cfg.package ];
      # Create the config database
@@ -108,6 +107,7 @@ in {

    systemd.services.vswitchd = {
      description = "Open_vSwitch Daemon";
+      wantedBy = [ "multi-user.target" ];
      bindsTo = [ "ovsdb.service" ];
      after = [ "ovsdb.service" ];
      path = [ cfg.package ];
@@ -135,8 +135,8 @@ in {
    systemd.services.ovs-monitor-ipsec = {
      description = "Open_vSwitch Ipsec Daemon";
      wantedBy = [ "multi-user.target" ];
-      requires = [ "racoon.service" ];
-      after = [ "vswitchd.service" ];
+      requires = [ "ovsdb.service" ];
+      before = [ "vswitchd.service" "racoon.service" ];
      environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";
      serviceConfig = {
        ExecStart = ''
--- a/nixos/modules/virtualisation/virtualbox-guest.nix
+++ b/nixos/modules/virtualisation/virtualbox-guest.nix
@@ -32,7 +32,8 @@ in

    boot.extraModulePackages = [ kernel.virtualboxGuestAdditions ];

-    boot.kernelModules = [ "vboxsf" ];
+    boot.supportedFilesystems = [ "vboxsf" ];
+    boot.initrd.supportedFilesystems = [ "vboxsf" ];

    users.extraGroups.vboxsf.gid = config.ids.gids.vboxsf;

--- a/nixos/modules/virtualisation/virtualbox-image.nix
+++ b/nixos/modules/virtualisation/virtualbox-image.nix
@@ -11,93 +11,37 @@ in {
  options = {
    virtualbox = {
      baseImageSize = mkOption {
-        type = types.str;
-        default = "10G";
+        type = types.int;
+        default = 10 * 1024;
        description = ''
-          The size of the VirtualBox base image. The size string should be on
-          a format the qemu-img command accepts.
+          The size of the VirtualBox base image in MiB.
        '';
      };
    };
  };

  config = {
-    system.build.virtualBoxImage =
-      pkgs.vmTools.runInLinuxVM (
-        pkgs.runCommand "virtualbox-image"
-          { memSize = 768;
-            preVM =
-              ''
-                mkdir $out
-                diskImage=$out/image
-                ${pkgs.vmTools.qemu}/bin/qemu-img create -f raw $diskImage "${cfg.baseImageSize}"
-                mv closure xchg/
-              '';
-            postVM =
-              ''
-                echo "creating VirtualBox disk image..."
-                ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vdi $diskImage $out/disk.vdi
-                rm $diskImage
-              '';
-            buildInputs = [ pkgs.utillinux pkgs.perl ];
-            exportReferencesGraph =
-              [ "closure" config.system.build.toplevel ];
+
+    system.build.virtualBoxImage = import ../../lib/make-disk-image.nix {
+      inherit pkgs lib config;
+      partitioned = true;
+      diskSize = cfg.baseImageSize;
+
+      configFile = pkgs.writeText "configuration.nix"
+        ''
+          {
+            imports = [ <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix> ];
          }
-          ''
-            # Create a single / partition.
-            ${pkgs.parted}/sbin/parted /dev/vda mklabel msdos
-            ${pkgs.parted}/sbin/parted /dev/vda -- mkpart primary ext2 1M -1s
-            . /sys/class/block/vda1/uevent
-            mknod /dev/vda1 b $MAJOR $MINOR
-  
-            # Create an empty filesystem and mount it.
-            ${pkgs.e2fsprogs}/sbin/mkfs.ext4 -L nixos /dev/vda1
-            ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1
-            mkdir /mnt
-            mount /dev/vda1 /mnt
-  
-            # The initrd expects these directories to exist.
-            mkdir /mnt/dev /mnt/proc /mnt/sys
-            mount --bind /proc /mnt/proc
-            mount --bind /dev /mnt/dev
-            mount --bind /sys /mnt/sys
-  
-            # Copy all paths in the closure to the filesystem.
-            storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
-  
-            echo "filling Nix store..."
-            mkdir -p /mnt/nix/store
-            set -f
-            cp -prd $storePaths /mnt/nix/store/
-  
-            mkdir -p /mnt/etc/nix
-            echo 'build-users-group = ' > /mnt/etc/nix/nix.conf
-  
-            # Register the paths in the Nix database.
-            printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
-                chroot /mnt ${config.nix.package}/bin/nix-store --load-db
-  
-            # Create the system profile to allow nixos-rebuild to work.
-            chroot /mnt ${config.nix.package}/bin/nix-env \
-                -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
-  
-            # `nixos-rebuild' requires an /etc/NIXOS.
-            mkdir -p /mnt/etc/nixos
-            touch /mnt/etc/NIXOS
-  
-            # `switch-to-configuration' requires a /bin/sh
-            mkdir -p /mnt/bin
-            ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
-  
-            # Generate the GRUB menu.
-            ln -s vda /dev/sda
-            chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
-  
-            umount /mnt/proc /mnt/dev /mnt/sys
-            umount /mnt
-          ''
-      );
-  
+        '';
+
+      postVM =
+        ''
+          echo "creating VirtualBox disk image..."
+          ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vdi $diskImage $out/disk.vdi
+          rm $diskImage
+        '';
+    };
+
    system.build.virtualBoxOVA = pkgs.runCommand "virtualbox-ova"
      { buildInputs = [ pkgs.linuxPackages.virtualbox ];
        vmName = "NixOS ${config.system.nixosVersion} (${pkgs.stdenv.system})";
@@ -109,7 +53,8 @@ in {
        VBoxManage createvm --name "$vmName" --register \
          --ostype ${if pkgs.stdenv.system == "x86_64-linux" then "Linux26_64" else "Linux26"}
        VBoxManage modifyvm "$vmName" \
-          --memory 1536 --acpi on --vram 10 \
+          --memory 1536 --acpi on --vram 32 \
+          ${optionalString (pkgs.stdenv.system == "i686-linux") "--pae on"} \
          --nictype1 virtio --nic1 nat \
          --audiocontroller ac97 --audio alsa \
          --rtcuseutc on \
@@ -117,17 +62,17 @@ in {
        VBoxManage storagectl "$vmName" --name SATA --add sata --portcount 4 --bootable on --hostiocache on
        VBoxManage storageattach "$vmName" --storagectl SATA --port 0 --device 0 --type hdd \
          --medium ${config.system.build.virtualBoxImage}/disk.vdi
-  
+
        echo "exporting VirtualBox VM..."
        mkdir -p $out
        VBoxManage export "$vmName" --output "$out/$fileName"
      '';
-  
+
    fileSystems."/".device = "/dev/disk/by-label/nixos";
-  
-    boot.loader.grub.version = 2;
+
    boot.loader.grub.device = "/dev/sda";
-  
-    services.virtualboxGuest.enable = true;
+
+    virtualisation.virtualbox.guest.enable = true;
+
  };
 }
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -9,7 +9,7 @@ let

  version = builtins.readFile ../.version;
  versionSuffix =
-    (if stableBranch then "." else "pre") + "${toString nixpkgs.revCount}.${nixpkgs.shortRev}";
+    (if stableBranch then "." else "pre") + "${toString (nixpkgs.revCount - 67824)}.${nixpkgs.shortRev}";

  forAllSystems = genAttrs supportedSystems;

@@ -220,7 +220,7 @@ in rec {
  tests.dockerRegistry = hydraJob (import tests/docker-registry.nix { system = "x86_64-linux"; });
  tests.etcd = hydraJob (import tests/etcd.nix { system = "x86_64-linux"; });
  tests.ec2-nixops = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-nixops;
-  tests.ec2-config = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-config;
+  #tests.ec2-config = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-config;
  tests.firefox = callTest tests/firefox.nix {};
  tests.firewall = callTest tests/firewall.nix {};
  tests.fleet = hydraJob (import tests/fleet.nix { system = "x86_64-linux"; });
--- a/nixos/tests/docker.nix
+++ b/nixos/tests/docker.nix
@@ -11,6 +11,7 @@ import ./make-test.nix ({ pkgs, ...} : {
      { config, pkgs, ... }:
        {
          virtualisation.docker.enable = true;
+          virtualisation.docker.storageDriver = "overlay";
        };
    };

--- a/nixos/tests/ec2.nix
+++ b/nixos/tests/ec2.nix
@@ -9,9 +9,18 @@ let
    (import ../lib/eval-config.nix {
      inherit system;
      modules = [
-        ../maintainers/scripts/ec2/amazon-hvm-config.nix
+        ../maintainers/scripts/ec2/amazon-image.nix
        ../../nixos/modules/testing/test-instrumentation.nix
-        { boot.initrd.kernelModules = [ "virtio" "virtio_blk" "virtio_pci" "virtio_ring" ]; }
+        { boot.initrd.kernelModules = [ "virtio" "virtio_blk" "virtio_pci" "virtio_ring" ];
+          ec2.hvm = true;
+
+          # Hack to make the partition resizing work in QEMU.
+          boot.initrd.postDeviceCommands = mkBefore
+            ''
+              ln -s vda /dev/xvda
+              ln -s vda1 /dev/xvda1
+            '';
+        }
      ];
    }).config.system.build.amazonImage;

@@ -34,41 +43,49 @@ let
      nodes = {};
      testScript =
        ''
-          use File::Temp qw/ tempfile /;
-          my ($fh, $filename) = tempfile();
+          my $imageDir = ($ENV{'TMPDIR'} // "/tmp") . "/vm-state-machine";
+          mkdir $imageDir, 0700;
+          my $diskImage = "$imageDir/machine.qcow2";
+          system("qemu-img create -f qcow2 -o backing_file=${image}/nixos.img $diskImage") == 0 or die;
+          system("qemu-img resize $diskImage 10G") == 0 or die;

-          `qemu-img create -f qcow2 -o backing_file=${image}/nixos.img $filename`;
-
-          my $startCommand = "qemu-kvm -m 768 -net nic -net 'user,net=169.254.0.0/16,guestfwd=tcp:169.254.169.254:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${metaData}'";
-          $startCommand .= " -drive file=" . Cwd::abs_path($filename) . ",if=virtio,werror=report";
+          # Note: we use net=169.0.0.0/8 rather than
+          # net=169.254.0.0/16 to prevent dhcpcd from getting horribly
+          # confused. (It would get a DHCP lease in the 169.254.*
+          # range, which it would then configure and prompty delete
+          # again when it deletes link-local addresses.) Ideally we'd
+          # turn off the DHCP server, but qemu does not have an option
+          # to do that.
+          my $startCommand = "qemu-kvm -m 768 -net nic -net 'user,net=169.0.0.0/8,guestfwd=tcp:169.254.169.254:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${metaData}'";
+          $startCommand .= " -drive file=$diskImage,if=virtio,werror=report";
          $startCommand .= " \$QEMU_OPTS";

          my $machine = createMachine({ startCommand => $startCommand });
+
          ${script}
        '';
    };

-  snakeOilPrivateKey = [
-    "-----BEGIN EC PRIVATE KEY-----"
-    "MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49"
-    "AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN"
-    "r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA=="
-    "-----END EC PRIVATE KEY-----"
-  ];
+  snakeOilPrivateKey = ''
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+    QyNTUxOQAAACDEPmwZv5dDPrMUaq0dDP+6eBTTe+QNrz14KBEIdhHd1QAAAJDufJ4S7nye
+    EgAAAAtzc2gtZWQyNTUxOQAAACDEPmwZv5dDPrMUaq0dDP+6eBTTe+QNrz14KBEIdhHd1Q
+    AAAECgwbDlYATM5/jypuptb0GF/+zWZcJfoVIFBG3LQeRyGsQ+bBm/l0M+sxRqrR0M/7p4
+    FNN75A2vPXgoEQh2Ed3VAAAADEVDMiB0ZXN0IGtleQE=
+    -----END OPENSSH PRIVATE KEY-----
+  '';
+
+  snakeOilPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQ+bBm/l0M+sxRqrR0M/7p4FNN75A2vPXgoEQh2Ed3V EC2 test key";

-  snakeOilPublicKey = pkgs.lib.concatStrings [
-    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"
-    "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
-    "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil"
-  ];
 in {
  boot-ec2-nixops = makeEc2Test {
    name         = "nixops-userdata";
    sshPublicKey = snakeOilPublicKey; # That's right folks! My user's key is also the host key!

    userData = ''
-      SSH_HOST_DSA_KEY_PUB:${snakeOilPublicKey}
-      SSH_HOST_DSA_KEY:${pkgs.lib.concatStringsSep "|" snakeOilPrivateKey}
+      SSH_HOST_ED25519_KEY_PUB:${snakeOilPublicKey}
+      SSH_HOST_ED25519_KEY:${replaceStrings ["\n"] ["|"] snakeOilPrivateKey}
    '';
    script = ''
      $machine->start;
@@ -80,8 +97,9 @@ in {

      # Let's install our client private key
      $machine->succeed("mkdir -p ~/.ssh");
-      ${concatMapStrings (s: "$machine->succeed('echo ${s} >> ~/.ssh/id_ecdsa');") snakeOilPrivateKey}
-      $machine->succeed("chmod 600 ~/.ssh/id_ecdsa");
+
+      $machine->succeed("echo '${snakeOilPrivateKey}' > ~/.ssh/id_ed25519");
+      $machine->succeed("chmod 600 ~/.ssh/id_ed25519");

      # We haven't configured the host key yet, so this should still fail
      $machine->fail("ssh -o BatchMode=yes localhost exit");
@@ -90,7 +108,16 @@ in {
      $machine->succeed("echo localhost,127.0.0.1 ${snakeOilPublicKey} > ~/.ssh/known_hosts");
      $machine->succeed("ssh -o BatchMode=yes localhost exit");

+      # Test whether the root disk was resized.
+      my $blocks = $machine->succeed("stat -c %b -f /");
+      my $bsize = $machine->succeed("stat -c %S -f /");
+      my $size = $blocks * $bsize;
+      die "wrong free space $size" if $size < 9.7 * 1024 * 1024 * 1024 || $size > 10 * 1024 * 1024 * 1024;
+
+      # Just to make sure resizing is idempotent.
      $machine->shutdown;
+      $machine->start;
+      $machine->waitForFile("/root/user-data");
    '';
  };

--- a/nixos/tests/etcd.nix
+++ b/nixos/tests/etcd.nix
@@ -82,7 +82,7 @@ import ./make-test.nix ({ pkgs, ... } : {
    subtest "single node", sub {
      $simple->start();
      $simple->waitForUnit("etcd.service");
-      $simple->succeed("etcdctl set /foo/bar 'Hello world'");
+      $simple->waitUntilSucceeds("etcdctl set /foo/bar 'Hello world'");
      $simple->waitUntilSucceeds("etcdctl get /foo/bar | grep 'Hello world'");
    };

@@ -91,7 +91,7 @@ import ./make-test.nix ({ pkgs, ... } : {
      $node2->start();
      $node1->waitForUnit("etcd.service");
      $node2->waitForUnit("etcd.service");
-      $node1->succeed("etcdctl set /foo/bar 'Hello world'");
+      $node1->waitUntilSucceeds("etcdctl set /foo/bar 'Hello world'");
      $node2->waitUntilSucceeds("etcdctl get /foo/bar | grep 'Hello world'");
      $node1->shutdown();
      $node2->shutdown();
@@ -104,7 +104,7 @@ import ./make-test.nix ({ pkgs, ... } : {
      $discovery2->start();
      $discovery1->waitForUnit("etcd.service");
      $discovery2->waitForUnit("etcd.service");
-      $discovery1->succeed("etcdctl set /foo/bar 'Hello world'");
+      $discovery1->waitUntilSucceeds("etcdctl set /foo/bar 'Hello world'");
      $discovery2->waitUntilSucceeds("etcdctl get /foo/bar | grep 'Hello world'");
    };
  '';
--- a/nixos/tests/firefox.nix
+++ b/nixos/tests/firefox.nix
@@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ... }: {
  testScript =
    ''
      $machine->waitForX;
-      $machine->execute("firefox file://${pkgs.valgrind}/share/doc/valgrind/html/index.html &");
+      $machine->execute("firefox file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html &");
      $machine->waitForWindow(qr/Valgrind/);
      $machine->sleep(40); # wait until Firefox has finished loading the page
      $machine->screenshot("screen");
--- a/nixos/tests/kde4.nix
+++ b/nixos/tests/kde4.nix
@@ -15,7 +15,7 @@ import ./make-test.nix ({ pkgs, ... }: {

      services.httpd.enable = true;
      services.httpd.adminAddr = "foo@example.org";
-      services.httpd.documentRoot = "${pkgs.valgrind}/share/doc/valgrind/html";
+      services.httpd.documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html";

      services.xserver.displayManager.kdm.enable = true;
      services.xserver.displayManager.kdm.extraConfig =
--- a/nixos/tests/logstash.nix
+++ b/nixos/tests/logstash.nix
@@ -19,8 +19,8 @@ import ./make-test.nix ({ pkgs, ...} : {
                exec { command => "echo dragons" interval => 1 type => "test" }
              '';
              filterConfig = ''
-                if [type] == "test" {
-                  grep { match => ["message", "flowers"] drop => true }
+                if [message] =~ /dragons/ {
+                  drop {}
                }
              '';
              outputConfig = ''
--- a/nixos/tests/make-test.nix
+++ b/nixos/tests/make-test.nix
@@ -2,4 +2,4 @@ f: { system ? builtins.currentSystem, ... } @ args:

 with import ../lib/testing.nix { inherit system; };

-makeTest (if builtins.isFunction f then f (args // { inherit pkgs; }) else f)
+makeTest (if builtins.isFunction f then f (args // { inherit pkgs; inherit (pkgs) lib; }) else f)
--- a/nixos/tests/nfs.nix
+++ b/nixos/tests/nfs.nix
@@ -6,7 +6,7 @@ let
    { config, pkgs, ... }:
    { fileSystems = pkgs.lib.mkVMOverride
        [ { mountPoint = "/data";
-            device = "server:${if version == 4 then "/" else "/data"}";
+            device = "server:/data";
            fsType = "nfs";
            options = "vers=${toString version}";
          }
--- a/nixos/tests/printing.nix
+++ b/nixos/tests/printing.nix
@@ -63,7 +63,7 @@ import ./make-test.nix ({pkgs, ... }: {
      foreach my $file ("${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf",
                        "${pkgs.groff.doc}/share/doc/*/meref.ps",
                        "${pkgs.cups}/share/doc/cups/images/cups.png",
-                        "${pkgs.pcre}/share/doc/pcre/pcre.txt")
+                        "${pkgs.pcre.doc}/share/doc/pcre/pcre.txt")
      {
          $file =~ /([^\/]*)$/; my $fn = $1;

--- a/nixos/tests/proxy.nix
+++ b/nixos/tests/proxy.nix
@@ -7,7 +7,7 @@ let

    { services.httpd.enable = true;
      services.httpd.adminAddr = "foo@example.org";
-      services.httpd.documentRoot = "${pkgs.valgrind}/share/doc/valgrind/html";
+      services.httpd.documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html";
      networking.firewall.allowedTCPPorts = [ 80 ];
    };

@@ -67,6 +67,7 @@ in
      $proxy->waitForUnit("httpd");
      $backend1->waitForUnit("httpd");
      $backend2->waitForUnit("httpd");
+      $client->waitForUnit("network.target");

      # With the back-ends up, the proxy should work.
      $client->succeed("curl --fail http://proxy/");
--- a/nixos/tests/resize-root.nix
+++ b/nixos/tests/resize-root.nix
@@ -0,0 +1,36 @@
+import ./make-test.nix ({ pkgs, lib, ...} : {
+
+  meta.maintainers = [ lib.maintainers.eelco ];
+
+  machine = { config, pkgs, ... }: {
+    virtualisation.diskSize = 512;
+    fileSystems = lib.mkVMOverride {
+      "/".autoResize = true;
+    };
+  };
+
+  testScript =
+    ''
+      # Create a VM with a 512 MiB disk.
+      $machine->start;
+      $machine->waitForUnit("multi-user.target");
+      my $blocks = $machine->succeed("stat -c %b -f /");
+      my $bsize = $machine->succeed("stat -c %S -f /");
+      my $size = $blocks * $bsize;
+      die "wrong free space $size" if $size < 480 * 1024 * 1024 || $size > 512 * 1024 * 1024;
+      $machine->succeed("touch /marker");
+      $machine->shutdown;
+
+      # Grow the disk to 1024 MiB.
+      system("qemu-img resize vm-state-machine/machine.qcow2 1024M") == 0 or die;
+
+      # Start the VM again and check whether the initrd has correctly
+      # grown the root filesystem.
+      $machine->start;
+      $machine->waitForUnit("multi-user.target");
+      $machine->succeed("[ -e /marker ]");
+      my $blocks = $machine->succeed("stat -c %b -f /");
+      my $size = $blocks * $bsize;
+      die "wrong free space $size" if $size < 980 * 1024 * 1024 || $size > 1024 * 1024 * 1024;
+    '';
+})
--- a/nixos/tests/virtualbox.nix
+++ b/nixos/tests/virtualbox.nix
@@ -1,26 +1,41 @@
+{ debug ? false, ... } @ args:
+
 import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let

-  debug = false;
+  testVMConfig = vmName: attrs: { config, pkgs, ... }: let
+    guestAdditions = pkgs.linuxPackages.virtualboxGuestAdditions;

-  testVMConfig = vmName: attrs: { config, pkgs, ... }: {
-    boot.kernelParams = let
-      miniInit = ''
-        #!${pkgs.stdenv.shell} -xe
-        export PATH="${pkgs.coreutils}/bin:${pkgs.utillinux}/bin"
+    miniInit = ''
+      #!${pkgs.stdenv.shell} -xe
+      export PATH="${pkgs.coreutils}/bin:${pkgs.utillinux}/bin"

-        ${pkgs.linuxPackages.virtualboxGuestAdditions}/bin/VBoxService
-        ${(attrs.vmScript or (const "")) pkgs}
+      mkdir -p /etc/dbus-1 /var/run/dbus
+      cat > /etc/passwd <<EOF
+      root:x:0:0::/root:/bin/false
+      messagebus:x:1:1::/var/run/dbus:/bin/false
+      EOF
+      cat > /etc/group <<EOF
+      root:x:0:
+      messagebus:x:1:
+      EOF
+      cp -v "${pkgs.dbus.daemon}/etc/dbus-1/system.conf" \
+        /etc/dbus-1/system.conf
+      "${pkgs.dbus.daemon}/bin/dbus-daemon" --fork --system

-        i=0
-        while [ ! -e /mnt-root/shutdown ]; do
-          sleep 10
-          i=$(($i + 10))
-          [ $i -le 120 ] || fail
-        done
+      ${guestAdditions}/bin/VBoxService
+      ${(attrs.vmScript or (const "")) pkgs}

-        rm -f /mnt-root/boot-done /mnt-root/shutdown
-      '';
-    in [
+      i=0
+      while [ ! -e /mnt-root/shutdown ]; do
+        sleep 10
+        i=$(($i + 10))
+        [ $i -le 120 ] || fail
+      done
+
+      rm -f /mnt-root/boot-done /mnt-root/shutdown
+    '';
+  in {
+    boot.kernelParams = [
      "console=tty0" "console=ttyS0" "ignore_loglevel"
      "boot.trace" "panic=1" "boot.panic_on_fail"
      "init=${pkgs.writeScript "mini-init.sh" miniInit}"
@@ -39,7 +54,7 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let
    ];

    boot.initrd.extraUtilsCommands = ''
-      copy_bin_and_libs "${pkgs.linuxPackages.virtualboxGuestAdditions}/bin/mount.vboxsf"
+      copy_bin_and_libs "${guestAdditions}/bin/mount.vboxsf"
      copy_bin_and_libs "${pkgs.utillinux}/bin/unshare"
      ${(attrs.extraUtilsCommands or (const "")) pkgs}
    '';
@@ -126,6 +141,7 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let
    vmFlags = mkFlags ([
      "--uart1 0x3F8 4"
      "--uartmode1 client /run/virtualbox-log-${name}.sock"
+      "--memory 768"
    ] ++ (attrs.vmFlags or []));

    controllerFlags = mkFlags [
@@ -180,6 +196,8 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let
    };

    testSubs = ''
+      my ${"$" + name}_sharepath = '${sharePath}';
+
      sub checkRunning_${name} {
        my $cmd = 'VBoxManage list runningvms | grep -q "^\"${name}\""';
        my ($status, $out) = $machine->execute(ru $cmd);
@@ -286,9 +304,15 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.lib; let
    echo "$otherIP reachable" | ${pkgs.netcat}/bin/netcat -clp 5678 || :
  '';

+  sysdDetectVirt = pkgs: ''
+    ${pkgs.systemd}/bin/systemd-detect-virt > /mnt-root/result
+  '';
+
  vboxVMs = mapAttrs createVM {
    simple = {};

+    detectvirt.vmScript = sysdDetectVirt;
+
    test1.vmFlags = hostonlyVMFlags;
    test1.vmScript = dhcpScript;

@@ -307,7 +331,7 @@ in {
      mkVMConf = name: val: val.machine // { key = "${name}-config"; };
      vmConfigs = mapAttrsToList mkVMConf vboxVMs;
    in [ ./common/user-account.nix ./common/x11.nix ] ++ vmConfigs;
-    virtualisation.memorySize = 768;
+    virtualisation.memorySize = 2048;
    virtualisation.virtualbox.host.enable = true;
    users.extraUsers.alice.extraGroups = let
      inherit (config.virtualisation.virtualbox.host) enableHardening;
@@ -372,17 +396,44 @@ in {

    destroyVM_simple;

+    sub removeUUIDs {
+      return join("\n", grep { $_ !~ /^UUID:/ } split(/\n/, $_[0]))."\n";
+    }
+
+    subtest "host-usb-permissions", sub {
+      my $userUSB = removeUUIDs vbm("list usbhost");
+      print STDERR $userUSB;
+      my $rootUSB = removeUUIDs $machine->succeed("VBoxManage list usbhost");
+      print STDERR $rootUSB;
+
+      die "USB host devices differ for root and normal user"
+        if $userUSB ne $rootUSB;
+      die "No USB host devices found" if $userUSB =~ /<none>/;
+    };
+
+    subtest "systemd-detect-virt", sub {
+      createVM_detectvirt;
+      vbm("startvm detectvirt");
+      waitForStartup_detectvirt;
+      waitForVMBoot_detectvirt;
+      shutdownVM_detectvirt;
+      my $result = $machine->succeed("cat '$detectvirt_sharepath/result'");
+      chomp $result;
+      destroyVM_detectvirt;
+      die "systemd-detect-virt returned \"$result\" instead of \"oracle\""
+        if $result ne "oracle";
+    };
+
    subtest "net-hostonlyif", sub {
      createVM_test1;
      createVM_test2;

      vbm("startvm test1");
      waitForStartup_test1;
+      waitForVMBoot_test1;

      vbm("startvm test2");
      waitForStartup_test2;
-
-      waitForVMBoot_test1;
      waitForVMBoot_test2;

      $machine->screenshot("net_booted");
@@ -403,4 +454,4 @@ in {
      destroyVM_test2;
    };
  '';
-})
+}) args
--- a/pkgs/applications/altcoins/bitcoin-xt.nix
+++ b/pkgs/applications/altcoins/bitcoin-xt.nix
@@ -0,0 +1,39 @@
+{ stdenv, fetchurl, pkgconfig, autoreconfHook, openssl, db48, boost
+, zlib, miniupnpc, qt4, utillinux, protobuf, qrencode, curl
+, withGui }:
+
+with stdenv.lib;
+stdenv.mkDerivation rec{
+
+  name = "bitcoin" + (toString (optional (!withGui) "d")) + "-xt-" + version;
+  xt_version = "0.11A";
+  version = xt_version;
+
+  src = fetchurl {
+    url = "https://github.com/bitcoinxt/bitcoinxt/archive/v0.11A.tar.gz";
+    sha256 = "129cbqf6bln6rhdk70c6nfwdjk6afvsaaw4xdyp0pnfand8idz7n";
+  };
+
+  buildInputs = [ pkgconfig autoreconfHook openssl db48 boost zlib
+                  miniupnpc utillinux protobuf curl ]
+                  ++ optionals withGui [ qt4 qrencode ];
+
+  configureFlags = [
+    "--with-boost-libdir=${boost.lib}/lib"
+    "--with-libcurl-headers=${curl}/include"
+  ] ++ optionals withGui [ "--with-gui=qt4" ];
+
+  meta = {
+    description = "Peer-to-peer electronic cash system";
+    longDescription= ''
+       Bitcoin XT is an implementation of a Bitcoin full node, based upon the
+       source code of Bitcoin Core. It is built by taking the latest stable
+       Core release, applying a series of patches, and then doing deterministic
+       builds so anyone can check the downloads correspond to the source code. 
+    '';
+    homepage = "https://bitcoinxt.software/";
+    maintainers = with maintainers; [ jefdaj ];
+    license = licenses.mit;
+    platforms = platforms.unix;
+  };
+}
--- a/pkgs/applications/altcoins/default.nix
+++ b/pkgs/applications/altcoins/default.nix
@@ -5,6 +5,9 @@ rec {
  bitcoin  = callPackage ./bitcoin.nix { withGui = true; };
  bitcoind = callPackage ./bitcoin.nix { withGui = false; };

+  bitcoin-xt  = callPackage ./bitcoin-xt.nix { withGui = true; };
+  bitcoind-xt = callPackage ./bitcoin-xt.nix { withGui = false; };
+
  darkcoin  = callPackage ./darkcoin.nix { withGui = true; };
  darkcoind = callPackage ./darkcoin.nix { withGui = false; };

--- a/pkgs/applications/audio/audacious/default.nix
+++ b/pkgs/applications/audio/audacious/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, pkgconfig, glib, gtk3, libmowgli, libmcs
-, gettext, dbus_glib, libxml2, libmad, xlibs, alsaLib, libogg
+, gettext, dbus_glib, libxml2, libmad, xorg, alsaLib, libogg
 , libvorbis, libcdio, libcddb, flac, ffmpeg, makeWrapper
 , mpg123, neon, faad2
 }:
@@ -21,7 +21,7 @@ stdenv.mkDerivation {

  buildInputs =
    [ gettext pkgconfig glib gtk3 libmowgli libmcs libxml2 dbus_glib
-      libmad xlibs.libXcomposite libogg libvorbis flac alsaLib libcdio
+      libmad xorg.libXcomposite libogg libvorbis flac alsaLib libcdio
      libcddb ffmpeg makeWrapper mpg123 neon faad2
    ];

--- a/pkgs/applications/audio/beast/default.nix
+++ b/pkgs/applications/audio/beast/default.nix
@@ -1,11 +1,11 @@
 { stdenv, fetchurl, zlib, guile, libart_lgpl, pkgconfig, intltool
 , gtk, glib, libogg, libvorbis, libgnomecanvas, gettext, perl }:

-stdenv.mkDerivation {
+stdenv.mkDerivation rec {
  name = "beast-0.7.1";

  src = fetchurl {
-    url = ftp://beast.gtk.org/pub/beast/v0.7/beast-0.7.1.tar.bz2;
+    url = "http://ftp.gtk.org/pub/beast/v0.7/${name}.tar.bz2";
    sha256 = "0jyl1i1918rsn4296w07fsf6wx3clvad522m3bzgf8ms7gxivg5l";
  };

--- a/pkgs/applications/audio/bristol/default.nix
+++ b/pkgs/applications/audio/bristol/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, alsaLib, libjack2, pkgconfig, libpulseaudio, xlibs }:
+{ stdenv, fetchurl, alsaLib, libjack2, pkgconfig, libpulseaudio, xorg }:

 stdenv.mkDerivation  rec {
  name = "bristol-${version}";
@@ -10,8 +10,8 @@ stdenv.mkDerivation  rec {
  };

  buildInputs = [
-    alsaLib libjack2 pkgconfig libpulseaudio xlibs.libX11 xlibs.libXext
-    xlibs.xproto
+    alsaLib libjack2 pkgconfig libpulseaudio xorg.libX11 xorg.libXext
+    xorg.xproto
  ];

  preInstall = ''
--- a/pkgs/applications/audio/calf/default.nix
+++ b/pkgs/applications/audio/calf/default.nix
@@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
  version = "0.0.60";

  src = fetchurl {
-    url = "mirror://sourceforge/calf/${name}.tar.gz";
+    url = "http://calf-studio-gear.org/files/${name}.tar.gz";
    sha256 = "019fwg00jv217a5r767z7szh7vdrarybac0pr2sk26xp81kibrx9";
  };

--- a/pkgs/applications/audio/deadbeef/default.nix
+++ b/pkgs/applications/audio/deadbeef/default.nix
@@ -84,7 +84,7 @@ stdenv.mkDerivation rec {

  patches = [ (fetchpatch {
                url = "https://github.com/Alexey-Yakovenko/deadbeef/commit/e7725ea73fa1bd279a3651704870156bca8efea8.patch";
-                sha256 = "0a04l2607y3swcq9b1apffl1chdwj38jwfiizxcfmdbia4a0qlyg";
+                sha256 = "1530w968zyvcm9c8k57889n125k7a1kk3ydinjm398n07gypd599";
              })
            ];

--- a/pkgs/applications/audio/distrho/default.nix
+++ b/pkgs/applications/audio/distrho/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchgit, alsaLib, fftwSinglePrec, freetype, libjack2
-, libxslt, lv2, pkgconfig, premake3, xlibs, ladspa-sdk }:
+, libxslt, lv2, pkgconfig, premake3, xorg, ladspa-sdk }:

 stdenv.mkDerivation rec {
  name = "distrho-ports-git-2015-07-18";
@@ -16,8 +16,8 @@ stdenv.mkDerivation rec {

  buildInputs = [
    alsaLib fftwSinglePrec freetype libjack2 pkgconfig premake3
-    xlibs.libX11 xlibs.libXcomposite xlibs.libXcursor xlibs.libXext
-    xlibs.libXinerama xlibs.libXrender ladspa-sdk
+    xorg.libX11 xorg.libXcomposite xorg.libXcursor xorg.libXext
+    xorg.libXinerama xorg.libXrender ladspa-sdk
  ];

  buildPhase = ''
--- a/pkgs/applications/audio/eq10q/default.nix
+++ b/pkgs/applications/audio/eq10q/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cmake, fftw, gtkmm, libxcb, lv2, pkgconfig, xlibs }:
+{ stdenv, fetchurl, cmake, fftw, gtkmm, libxcb, lv2, pkgconfig, xorg }:
 stdenv.mkDerivation rec {
  name = "eq10q-2-${version}";
  version = "beta7.1";
@@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
    sha256 = "1jmrcx4jlx8kgsy5n4jcxa6qkjqvx7d8l2p7dsmw4hj20s39lgyi";
  };

-  buildInputs = [ cmake fftw gtkmm libxcb lv2 pkgconfig xlibs.libpthreadstubs xlibs.libXdmcp xlibs.libxshmfence ];
+  buildInputs = [ cmake fftw gtkmm libxcb lv2 pkgconfig xorg.libpthreadstubs xorg.libXdmcp xorg.libxshmfence ];

  installFlags = ''
    DESTDIR=$(out)
--- a/pkgs/applications/audio/fmit/default.nix
+++ b/pkgs/applications/audio/fmit/default.nix
@@ -1,7 +1,5 @@
-# FIXME: upgrading qt5Full (Qt 5.3) to qt5.{base,multimedia} (Qt 5.4) breaks
-# the default Qt audio capture source!
-{ stdenv, fetchFromGitHub, fftw, freeglut, qt5Full
-, alsaSupport ? false, alsaLib ? null
+{ stdenv, fetchFromGitHub, fftw, freeglut, qt5
+, alsaSupport ? true, alsaLib ? null
 , jackSupport ? false, libjack2 ? null }:

 assert alsaSupport -> alsaLib != null;
@@ -18,7 +16,7 @@ stdenv.mkDerivation {
    owner = "gillesdegottex";
  };

-  buildInputs = [ fftw freeglut qt5Full ]
+  buildInputs = [ fftw freeglut qt5.base qt5.multimedia ]
    ++ stdenv.lib.optional alsaSupport [ alsaLib ]
    ++ stdenv.lib.optional jackSupport [ libjack2 ];

--- a/pkgs/applications/audio/jaaa/default.nix
+++ b/pkgs/applications/audio/jaaa/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, alsaLib, libclthreads, libclxclient, libX11, libXft, libXrender, fftwFloat, freetype, fontconfig, libjack2, xlibs, zita-alsa-pcmi }:
+{ stdenv, fetchurl, alsaLib, libclthreads, libclxclient, libX11, libXft, libXrender, fftwFloat, freetype, fontconfig, libjack2, xorg, zita-alsa-pcmi }:

 stdenv.mkDerivation rec {
  name = "jaaa-${version}";
--- a/pkgs/applications/audio/pd-plugins/helmholtz/default.nix
+++ b/pkgs/applications/audio/pd-plugins/helmholtz/default.nix
@@ -6,6 +6,7 @@ stdenv.mkDerivation rec {
  src = fetchurl {
    url = "http://www.katjaas.nl/helmholtz/helmholtz~.zip";
    name = "helmholtz.zip";
+    curlOpts = "--user-agent ''";
    sha256 = "0h1fj7lmvq9j6rmw33rb8k0byxb898bi2xhcwkqalb84avhywgvs";
  };

--- a/pkgs/applications/audio/petrifoo/default.nix
+++ b/pkgs/applications/audio/petrifoo/default.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchurl, alsaLib, cmake, gtk, libjack2, libgnomecanvas
 , libpthreadstubs, libsamplerate, libsndfile, libtool, libxml2
-, pkgconfig }:
+, pkgconfig, openssl }:

 stdenv.mkDerivation  rec {
  name = "petri-foo-${version}";
@@ -13,7 +13,7 @@ stdenv.mkDerivation  rec {

  buildInputs =
   [ alsaLib cmake  gtk libjack2 libgnomecanvas libpthreadstubs
-     libsamplerate libsndfile libtool libxml2 pkgconfig
+     libsamplerate libsndfile libtool libxml2 pkgconfig openssl
   ];

  meta = with stdenv.lib; {
--- a/pkgs/applications/audio/praat/default.nix
+++ b/pkgs/applications/audio/praat/default.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, alsaLib, gtk, pkgconfig }:

-let version = "5401"; in
+let version = "5417"; in
 stdenv.mkDerivation {
  name = "praat-${version}";

  src = fetchurl {
    url = "http://www.fon.hum.uva.nl/praat/praat${version}_sources.tar.gz";
-    sha256 = "1hx0simc0hp5w5scyaiw8h8lrpafra4h1zy1jn1kzb0299yd06n3";
+    sha256 = "1bspl963pb1s6k3cd9p3g5j518pxg6hkrann945lqsrvbzaa20kl";
  };

  configurePhase = ''
--- a/pkgs/applications/audio/qmidiroute/default.nix
+++ b/pkgs/applications/audio/qmidiroute/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, fetchurl, pkgconfig, qt4, alsaLib }:
+
+stdenv.mkDerivation rec {
+  version = "0.3.0";
+  name = "qmidiroute-${version}";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/project/alsamodular/QMidiRoute/${version}/${name}.tar.gz";
+    sha256 = "11bfjz14z37v6hk2xyg4vrw423b5h3qgcbviv07g00ws1fgjygm2";
+  };
+
+  buildInputs = [ pkgconfig qt4 alsaLib ];
+
+  meta = with stdenv.lib; {
+    description = "MIDI event processor and router";
+    longDescription = ''
+    qmidiroute is a versatile MIDI event processor and router for the ALSA
+    sequencer.  The graphical  interface  is  based  on  the  Qt4  toolkit.
+    qmidiroute permits setting up an unlimited number of MIDI maps in which
+    incoming events are selected, modified or even changed in  type  before
+    being  directed  to  a  dedicated  ALSA  output  port. The maps work in
+    parallel, and they are organized in tabs.
+    '';
+
+    license = licenses.gpl2;
+    maintainers = [ maintainers.lebastr ];
+    platforms = stdenv.lib.platforms.linux;
+  };
+}
--- a/pkgs/applications/audio/qmmp/default.nix
+++ b/pkgs/applications/audio/qmmp/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cmake, qt4, pkgconfig, x11
+{ stdenv, fetchurl, cmake, qt4, pkgconfig, xlibsWrapper
 # transports
 , curl, libmms
 # input plugins
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec {

  buildInputs =
    [ # basic requirements
-      cmake qt4 pkgconfig x11
+      cmake qt4 pkgconfig xlibsWrapper
      # transports
      curl libmms
      # input plugins
--- a/pkgs/applications/audio/rkrlv2/default.nix
+++ b/pkgs/applications/audio/rkrlv2/default.nix
@@ -1,5 +1,5 @@
 { stdenv, pkgs, fetchFromGitHub,
-automake, pkgconfig, lv2, fftw, cmake, xlibs, libjack2, libsamplerate, libsndfile
+automake, pkgconfig, lv2, fftw, cmake, xorg, libjack2, libsamplerate, libsndfile
 }:

 stdenv.mkDerivation rec {
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
    sha256 = "0kr3rvq7n1bh47qryyarcpiibms601qd8l1vypmm61969l4d4bn8";
  };

-  buildInputs = with xlibs; [ automake pkgconfig lv2 fftw cmake libXpm libjack2 libsamplerate libsndfile libXft ];
+  buildInputs = with xorg; [ automake pkgconfig lv2 fftw cmake libXpm libjack2 libsamplerate libsndfile libXft ];

  meta = {
    description = "Rakarrak effects ported to LV2";
--- a/pkgs/applications/audio/rosegarden/default.nix
+++ b/pkgs/applications/audio/rosegarden/default.nix
@@ -17,7 +17,7 @@ stdenv.mkDerivation (rec {
                  libsndfile libsamplerate perl makedepend libjack2 ]
 		++ stdenv.lib.optional withLirc [ lirc ];
  
-  enableParallelBuilding = true;
+  #enableParallelBuilding = true; issues on hydra
  
  meta = with stdenv.lib; {
    homepage = http://www.rosegardenmusic.com/;
--- a/pkgs/applications/audio/spotify/default.nix
+++ b/pkgs/applications/audio/spotify/default.nix
@@ -1,4 +1,4 @@
-{ fetchurl, stdenv, dpkg, xlibs, qt4, alsaLib, makeWrapper, openssl, freetype
+{ fetchurl, stdenv, dpkg, xorg, qt4, alsaLib, makeWrapper, openssl, freetype
 , glib, pango, cairo, atk, gdk_pixbuf, gtk, cups, nspr, nss, libpng, GConf
 , libgcrypt, chromium, udev, fontconfig
 , dbus, expat }:
@@ -28,16 +28,16 @@ let
    qt4
    stdenv.cc.cc
    udev
-    xlibs.libX11
-    xlibs.libXcomposite
-    xlibs.libXdamage
-    xlibs.libXext
-    xlibs.libXfixes
-    xlibs.libXi
-    xlibs.libXrandr
-    xlibs.libXrender
-    xlibs.libXrender
-    xlibs.libXScrnSaver
+    xorg.libX11
+    xorg.libXcomposite
+    xorg.libXdamage
+    xorg.libXext
+    xorg.libXfixes
+    xorg.libXi
+    xorg.libXrandr
+    xorg.libXrender
+    xorg.libXrender
+    xorg.libXScrnSaver
  ];

 in
--- a/pkgs/applications/audio/tetraproc/default.nix
+++ b/pkgs/applications/audio/tetraproc/default.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchurl, makeWrapper
 , expat, fftwFloat, fontconfig, freetype, libjack2, jack2Full, libclthreads, libclxclient
-, libsndfile, libxcb, xlibs
+, libsndfile, libxcb, xorg
 }:

 stdenv.mkDerivation rec {
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {

  buildInputs = [
    expat libjack2 libclthreads libclxclient fftwFloat fontconfig libsndfile freetype
-    libxcb xlibs.libX11 xlibs.libXau xlibs.libXdmcp xlibs.libXft xlibs.libXrender
+    libxcb xorg.libX11 xorg.libXau xorg.libXdmcp xorg.libXft xorg.libXrender
  ];

  makeFlags = [
--- a/pkgs/applications/audio/vorbis-tools/default.nix
+++ b/pkgs/applications/audio/vorbis-tools/default.nix
@@ -1,6 +1,12 @@
-{stdenv, fetchurl, libogg, libvorbis, libao, pkgconfig, curl, glibc
-, speex, flac}:
+{ stdenv, fetchurl, fetchzip, libogg, libvorbis, libao, pkgconfig, curl
+, speex, flac }:

+let
+  debPatch = fetchzip {
+    url = "mirror://debian/pool/main/v/vorbis-tools/vorbis-tools_1.4.0-6.debian.tar.xz";
+    sha256 = "1xmmpdvxyr84lazlg23c6ck5ic97ga2rkiqabb1d98ix2zdzyqz5";
+  };
+in
 stdenv.mkDerivation {
  name = "vorbis-tools-1.4.0";
  src = fetchurl {
@@ -8,14 +14,23 @@ stdenv.mkDerivation {
    sha256 = "1g12bnh5ah08v529y72kfdz5lhvy75iaz7f9jskyby23m9dkk2d3";
  };

-  buildInputs = [ libogg libvorbis libao pkgconfig curl speex glibc flac ];
+  postPatch = ''
+    for patch in $(ls "${debPatch}"/patches/*.{diff,patch} | grep -v debian_subdir)
+    do patch -p1 < "$patch"
+    done
+  '';

-  meta = {
+  buildInputs = [ libogg libvorbis libao pkgconfig curl speex flac ];
+
+  meta = with stdenv.lib; {
+    description = "Extra tools for Ogg-Vorbis audio codec";
    longDescription = ''
      A set of command-line tools to manipulate Ogg Vorbis audio
      files, notably the `ogg123' player and the `oggenc' encoder.
    '';
    homepage = http://xiph.org/vorbis/;
-    license = stdenv.lib.licenses.gpl2;
+    license = licenses.gpl2;
+    platforms = platforms.all;
  };
 }
+
--- a/pkgs/applications/audio/yoshimi/default.nix
+++ b/pkgs/applications/audio/yoshimi/default.nix
@@ -6,11 +6,11 @@ assert stdenv ? glibc;

 stdenv.mkDerivation  rec {
  name = "yoshimi-${version}";
-  version = "1.3.5.1";
+  version = "1.3.5.2";

  src = fetchurl {
    url = "mirror://sourceforge/yoshimi/${name}.tar.bz2";
-    sha256 = "1c7049pnvadxndk1rbja77kyr0rwnqca2546pxjnxksg923s5l8n";
+    sha256 = "001xvwknsm1sv5lvwz7f6dgf57b8djbpwbyk2gfxjy9rzl5q53qr";
  };

  buildInputs = [
--- a/pkgs/applications/display-managers/lightdm/default.nix
+++ b/pkgs/applications/display-managers/lightdm/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, pam, pkgconfig, libxcb, glib, libXdmcp, itstool, libxml2
-, intltool, x11, libxklavier, libgcrypt
+, intltool, xlibsWrapper, libxklavier, libgcrypt
 , qt4 ? null, qt5 ? null
 }:

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .08
 .09