Merge branch 'closure-size' into p/default-outputs

2025-07-13 21:50:33 +03:00 · 2016-03-14 11:27:15 +01:00 · 2016-03-14 11:27:15 +01:00 · d6b46ecb30
commit d6b46ecb30
parent ab8a691d05 55b6c17926
2432 changed files with 228678 additions and 117715 deletions
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@ -1,7 +1,7 @@
 # How to contribute
 Note: contributing implies licensing those contributions
-under the terms of [COPYING](./COPYING), which is an MIT-like license.
+under the terms of [COPYING](../COPYING), which is an MIT-like license.
 ## Opening issues
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -0,0 +1,17 @@
 ## Basic info
 To make sure that we are on the same page:
 * Kernel: (run `uname -a`)
 * System: (NixOS: `nixos-version`, Ubuntu/Fedora: `lsb_release -a`, ...)
 * Nix version: (run `nix-env --version`)
 * Nixpkgs version: (run `nix-instantiate --eval '<nixpkgs>' -A lib.nixpkgsVersion`)
 ## Describe your issue here
 ### Expected result
 ### Actual result
 ### Steps to reproduce
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -0,0 +1,18 @@
 ###### Things done:
 - [ ] Tested using sandboxing (`nix-build --option build-use-chroot true` or [nix.useChroot](http://nixos.org/nixos/manual/options.html#opt-nix.useChroot) on NixOS)
 - [ ] Built on platform(s): NixOS / OSX / Linux
 - [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nox --run "nox-review wip"`
 - [ ] Tested execution of all binary files (usually in `./result/bin/`)
 - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).
 ###### More
 Fixes issue #<insert id>
 cc @<maintainer>
 ---
 _Please note, that points are not mandatory, but rather desired._
--- a/.gitignore
+++ b/.gitignore
@ -12,7 +12,5 @@ result-*
 .DS_Store
 /pkgs/applications/kde-apps-*/tmp/
 /pkgs/development/libraries/kde-frameworks-*/tmp/
 /pkgs/development/libraries/qt-5/*/tmp/
-/pkgs/desktops/plasma-*/tmp/
+/pkgs/desktops/kde-5/*/tmp/
--- a/.mention-bot
+++ b/.mention-bot
@ -1,5 +1,6 @@
 {
  "userBlacklist": [
-    "civodul"
+    "civodul",
    "jhasse"
  ]
 }
--- a/.version
+++ b/.version
@ -1 +1 @@
-16.03
+16.09
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Copyright (c) 2003-2015 Eelco Dolstra and the Nixpkgs/NixOS contributors
+Copyright (c) 2003-2016 Eelco Dolstra and the Nixpkgs/NixOS contributors
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
--- a/doc/configuration.xml
+++ b/doc/configuration.xml
@ -89,7 +89,7 @@ packages via <literal>packageOverrides</literal></title>
 <para>You can define a function called
 <varname>packageOverrides</varname> in your local
-<filename>~/.nixpkgs/config</filename> to overide nix packages.  It
+<filename>~/.nixpkgs/config.nix</filename> to overide nix packages.  It
 must be a function that takes pkgs as an argument and return modified
 set of packages.
--- a/doc/default.nix
+++ b/doc/default.nix
@ -42,6 +42,11 @@ stdenv.mkDerivation {
    mkdir ./languages-frameworks
    cp -s '${sources-langs}'/* ./languages-frameworks
  ''
  + toDocbook {
      inputFile = ./introduction.md;
      outputFile = "introduction.xml";
      useChapters = true;
    }
  + toDocbook {
      inputFile = ./haskell-users-guide.md;
      outputFile = "haskell-users-guide.xml";
@ -51,8 +56,11 @@ stdenv.mkDerivation {
      inputFile = ./../pkgs/development/idris-modules/README.md;
      outputFile = "languages-frameworks/idris.xml";
    }
  + toDocbook {
      inputFile = ./../pkgs/development/r-modules/README.md;
      outputFile = "languages-frameworks/r.xml";
    }
  + ''
    cat languages-frameworks/idris.xml
    echo ${nixpkgsVersion} > .version
    xmllint --noout --nonet --xinclude --noxincludenode \
--- a/doc/erlang-users-guide.xml
+++ b/doc/erlang-users-guide.xml
@ -3,6 +3,23 @@
         xml:id="users-guide-to-the-erlang-infrastructure">
 <title>User's Guide to the Erlang Infrastructure</title>
 <section xml:id="build-tools">
  <title>Build Tools</title>
  <para>
    By default Rebar3 wants to manage it's own dependencies. In the
    normal non-Nix, this is perfectly acceptable. In the Nix world it
    is not. To support this we have created two versions of rebar3,
    <literal>rebar3</literal> and <literal>rebar3-open</literal>. The
    <literal>rebar3</literal> version has been patched to remove the
    ability to download anything from it. If you are not running it a
    nix-shell or a nix-build then its probably not going to work for
    you. <literal>rebar3-open</literal> is the normal, un-modified
    rebar3. It should work exactly as would any other version of
    rebar3. Any Erlang package should rely on
    <literal>rebar3</literal> and thats really what you should be
    using too.
  </para>
 </section>
 <section xml:id="how-to-install-erlang-packages">
  <title>How to install Erlang packages</title>
--- a/doc/functions.xml
+++ b/doc/functions.xml
@ -489,7 +489,6 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
    sha256 = "1bhw5hkz6chrnrih0ymjbmn69hyfriza2lr550xyvpdrnbzr4gk2"; <co xml:id='ex-dockerTools-pullImage-4' />
    indexUrl = "https://index.docker.io"; <co xml:id='ex-dockerTools-pullImage-5' />
    registryUrl = "https://registry-1.docker.io";
    registryVersion = "v1";
  }
  </programlisting>
@ -534,8 +533,8 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
   <callout arearefs='ex-dockerTools-pullImage-5'>
    <para>
-     In the above example the default values are shown for the variables <varname>indexUrl</varname>,
+     In the above example the default values are shown for the variables
-     <varname>registryUrl</varname> and <varname>registryVersion</varname>.
+     <varname>indexUrl</varname> and <varname>registryVersion</varname>.
     Hence by default the Docker.io registry is used to pull the images.
    </para>
   </callout>
--- a/doc/haskell-users-guide.md
+++ b/doc/haskell-users-guide.md
@ -117,9 +117,10 @@ Also, the attributes `haskell.compiler.ghcXYC` and
 ### How to install a compiler
-A simple development environment consists of a Haskell compiler and the tool
+A simple development environment consists of a Haskell compiler and one or both
-`cabal-install`, and we saw in section [How to install Haskell packages] how
+of the tools `cabal-install` and `stack`. We saw in section
-you can install those programs into your user profile:
+[How to install Haskell packages] how you can install those programs into your
 user profile:
    $ nix-env -f "<nixpkgs>" -iA haskellPackages.ghc haskellPackages.cabal-install
@ -148,10 +149,16 @@ version; just enter the Nix shell environment with the command
    $ nix-shell -p haskell.compiler.ghc784
-to bring GHC 7.8.4 into `$PATH`. Re-running `cabal configure` switches your
+to bring GHC 7.8.4 into `$PATH`. Alternatively, you can use Stack instead of
-build to use that compiler instead. If you're working on a project that doesn't
+`nix-shell` directly to select compiler versions and other build tools
-depend on any additional system libraries outside of GHC, then it's sufficient
+per-project. It uses `nix-shell` under the hood when Nix support is turned on.
-even to run the `cabal configure` command inside of the shell:
+See [How to build a Haskell project using Stack].
 If you're using `cabal-install`, re-running `cabal configure` inside the spawned
 shell switches your build to use that compiler instead. If you're working on
 a project that doesn't depend on any additional system libraries outside of GHC,
 then it's even sufficient to just run the `cabal configure` command inside of
 the shell:
    $ nix-shell -p haskell.compiler.ghc784 --command "cabal configure"
@ -234,7 +241,7 @@ library promises to give its users access to GHC's installation paths. Only,
 the library can't possible know that path when it's compiled, because the path
 GHC considers its own is determined only much later, when the user configures
 it through `ghcWithPackages`. So we [patched
-ghc-paths](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/haskell-modules/ghc-paths-nix.patch)
+ghc-paths](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/haskell-modules/patches/ghc-paths-nix.patch)
 to return the paths found in those environment variables at run-time rather
 than trying to guess them at compile-time.
@ -320,6 +327,58 @@ security reasons, which might be quite an inconvenience. See [this
 page](http://kb.mozillazine.org/Links_to_local_pages_do_not_work) for
 workarounds.
 ### How to build a Haskell project using Stack
 [Stack][http://haskellstack.org] is a popular build tool for Haskell projects.
 It has first-class support for Nix. Stack can optionally use Nix to
 automatically select the right version of GHC and other build tools to build,
 test and execute apps in an existing project downloaded from somewhere on the
 Internet. Pass the `--nix` flag to any `stack` command to do so, e.g.
    $ git clone --recursive http://github.com/yesodweb/wai
    $ cd wai
    $ stack --nix build
 If you want `stack` to use Nix by default, you can add a `nix` section to the
 `stack.yaml` file, as explained in the [Stack documentation][stack-nix-doc]. For
 example:
    nix:
      enable: true
      packages: [pkgconfig zeromq zlib]
 The example configuration snippet above tells Stack to create an ad hoc
 environment for `nix-shell` as in the below section, in which the `pkgconfig`,
 `zeromq` and `zlib` packages from Nixpkgs are available. All `stack` commands
 will implicitly be executed inside this ad hoc environment.
 Some projects have more sophisticated needs. For examples, some ad hoc
 environments might need to expose Nixpkgs packages compiled in a certain way, or
 with extra environment variables. In these cases, you'll need a `shell` field
 instead of `packages`:
    nix:
      enable: true
      shell-file: shell.nix
 For more on how to write a `shell.nix` file see the below section. You'll need
 to express a derivation. Note that Nixpkgs ships with a convenience wrapper
 function around `mkDerivation` called `haskell.lib.buildStackProject` to help you
 create this derivation in exactly the way Stack expects. All of the same inputs
 as `mkDerivation` can be provided. For example, to build a Stack project that
 including packages that link against a version of the R library compiled with
 special options turned on:
    with (import <nixpkgs> { });
    let R = pkgs.R.override { enableStrictBarrier = true; };
    in
 	haskell.lib.buildStackProject {
      name = "HaskellR";
 	  buildInputs = [ R zeromq zlib ];
    }
 [stack-nix-doc]: http://docs.haskellstack.org/en/stable/nix_integration.html
 ### How to create ad hoc environments for `nix-shell`
@ -605,7 +664,7 @@ can configure the environment variables
 in their `~/.bashrc` file to avoid the compiler error.
-### Using Stack together with Nix
+### Builds using Stack complain about missing system libraries
    --  While building package zlib-0.5.4.2 using:
      runhaskell -package=Cabal-1.22.4.0 -clear-package-db [... lots of flags ...]
@ -633,13 +692,16 @@ means specific to Stack: you'll have that problem with any other
 Haskell package that's built inside of nix-shell but run outside of that
 environment.
-I suppose we could try to remedy the issue by wrapping `stack` or
+You can remedy this issue in several ways. The easiest is to add a `nix` section
-`cabal` with a script that tries to find those kind of implicit search
+to the `stack.yaml` like the following:
 paths and makes them explicit on the "cabal configure" command line. I
 don't think anyone is working on that subject yet, though, because the
 problem doesn't seem so bad in practice.
-You can remedy that issue in several ways. First of all, run
+    nix:
      enable: true
 	  packages: [ zlib ]
 Stack's Nix support knows to add `${zlib}/lib` and `${zlib}/include` as an
 `--extra-lib-dirs` and `extra-include-dirs`, respectively. Alternatively, you
 can achieve the same effect by hand. First of all, run
    $ nix-build --no-out-link "<nixpkgs>" -A zlib
    /nix/store/alsvwzkiw4b7ip38l4nlfjijdvg3fvzn-zlib-1.2.8
@ -663,7 +725,8 @@ to find out the store path of the system's zlib library. Now, you can
   Typically, you'll need --extra-include-dirs as well. It's possible
   to add those flag to the project's "stack.yaml" or your user's
   global "~/.stack/global/stack.yaml" file so that you don't have to
-   specify them manually every time.
+   specify them manually every time. But again, you're likely better off using
   Stack's Nix support instead.
   The same thing applies to `cabal configure`, of course, if you're
   building with `cabal-install` instead of Stack.
--- a/doc/introduction.md
+++ b/doc/introduction.md
@ -0,0 +1,48 @@
 ---
 title: Introduction
 author: Frederik Rietdijk
 date: 2015-11-25
 ---
 # Introduction
 The Nix Packages collection (Nixpkgs) is a set of over 30,000 packages for the
 [Nix package manager](http://nixos.org/nix/), released under a [permissive MIT/X11 license](https://github.com/NixOS/nixpkgs/blob/master/COPYING).
 Packages are available for several architectures, and can be used with the Nix package manager
 on most GNU/Linux distributions as well as NixOS.
 This manual describes how to write packages for the Nix Packages collection
 (Nixpkgs). Thus it’s for packagers and developers who want to add packages to
 Nixpkgs. If you like to learn more about the Nix package manager and the Nix
 expression language, then you are kindly referred to the [Nix manual](http://nixos.org/nix/manual/).
 ## Overview of Nixpkgs
 Nix expressions describe how to build packages from source and are collected in
 the [nixpkgs repository](https://github.com/NixOS/nixpkgs). Also included in the
 collection are Nix expressions for [NixOS modules](http://nixos.org/nixos/manual/index.html#sec-writing-modules). With
 these expressions the Nix package manager can build binary packages.
 Packages, including the Nix packages collection, are distributed through
 [channels](http://nixos.org/nix/manual/#sec-channels). The collection is
 distributed for users of Nix on non-NixOS distributions through the channel
 `nixpkgs`. Users of NixOS generally use one of the `nixos-*` channels, e.g.
 `nixos-15.09`, which includes all packages and modules for the stable NixOS
 15.09. The channels of the stable NixOS releases are generally only given
 security updates. More up to date packages and modules are available via the
 `nixos-unstable` channel.
 Both `nixos-unstable` and `nixpkgs` follow the `master` branch of the Nixpkgs
 repository, although both do lag the `master` branch by generally [a couple of days](http://howoldis.herokuapp.com/). Updates to a channel are distributed as
 soon as all tests for that channel pass, e.g. [this table](http://hydra.nixos.org/job/nixpkgs/trunk/unstable#tabs-constituents)
 shows the status of tests for the `nixpkgs` channel.
 The tests are conducted by a cluster called [Hydra](http://nixos.org/hydra/),
 which also builds binary packages from the Nix expressions in Nixpkgs. As soon
 as a channel is updated, the binaries are made available via a [binary cache](https://cache.nixos.org). Until the channel updates, binaries that have
 already been built, are available via [Hydra's binary cache](https://hydra.nixos.org).
 The current Nix expressions of the channels are available in the
 [`nixpkgs-channels`](https://github.com/NixOS/nixpkgs-channels) repository,
 which has branches corresponding to the available channels. There is also the
 Nixpkgs Monitor which keeps track of updates and security vulnerabilities.
--- a/doc/introduction.xml
+++ b/doc/introduction.xml
@ -1,21 +0,0 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xml:id="chap-introduction">
 <title>Introduction</title>
 <para>This manual tells you how to write packages for the Nix Packages
 collection (Nixpkgs).  Thus it’s for packagers and developers who want
 to add packages to Nixpkgs.  End users are kindly referred to the
 <link xlink:href="http://hydra.nixos.org/job/nix/trunk/tarball/latest/download-by-type/doc/manual">Nix
 manual</link>.</para>
 <para>This manual does not describe the syntax and semantics of the
 Nix expression language, which are given in the Nix manual in the
 <link
 xlink:href="http://hydra.nixos.org/job/nix/trunk/tarball/latest/download-by-type/doc/manual/#chap-writing-nix-expressions">chapter
 on writing Nix expressions</link>.  It only describes the facilities
 provided by Nixpkgs to make writing packages easier, such as the
 standard build environment (<literal>stdenv</literal>).</para>
 </chapter>
--- a/doc/languages-frameworks/index.xml
+++ b/doc/languages-frameworks/index.xml
@ -21,6 +21,7 @@ such as Perl or Haskell.  These are described in this chapter.</para>
 <xi:include href="lua.xml" />
 <xi:include href="coq.xml" />
 <xi:include href="idris.xml" /> <!-- generated from ../../pkgs/development/idris-modules/README.md  -->
 <xi:include href="r.xml" /> <!-- generated from ../../pkgs/development/r-modules/README.md  -->
 <xi:include href="qt.xml" />
--- a/doc/languages-frameworks/ruby.xml
+++ b/doc/languages-frameworks/ruby.xml
@ -42,5 +42,37 @@ and scalable.";
 <para>Please check in the <filename>Gemfile</filename>, <filename>Gemfile.lock</filename> and the <filename>gemset.nix</filename> so future updates can be run easily.
 </para>
 <para>Resulting derivations also have two helpful items, <literal>env</literal> and <literal>wrapper</literal>. The first one allows one to quickly drop into
 <command>nix-shell</command> with the specified environment present. E.g. <command>nix-shell -A sensu.env</command> would give you an environment with Ruby preset
 so it has all the libraries necessary for <literal>sensu</literal> in its paths. The second one can be used to make derivations from custom Ruby scripts which have
 <filename>Gemfile</filename>s with their dependencies specified. It is a derivation with <command>ruby</command> wrapped so it can find all the needed dependencies.
 For example, to make a derivation <literal>my-script</literal> for a <filename>my-script.rb</filename> (which should be placed in <filename>bin</filename>) you should
 run <command>bundix</command> as specified above and then use <literal>bundlerEnv</literal> lile this:</para>
 <programlisting>
 <![CDATA[let env = bundlerEnv {
  name = "my-script-env";
  inherit ruby;
  gemfile = ./Gemfile;
  lockfile = ./Gemfile.lock;
  gemset = ./gemset.nix;
 };
 in stdenv.mkDerivation {
  name = "my-script";
  buildInputs = [ env.wrapper ];
  script = ./my-script.rb;
  buildCommand = ''
    mkdir -p $out/bin
    install -D -m755 $script $out/bin/my-script
    patchShebangs $out/bin/my-script
  '';
 }]]>
 </programlisting>
 </section>
--- a/doc/meta.xml
+++ b/doc/meta.xml
@ -258,45 +258,54 @@ a value from <varname>stdenv.lib.licenses</varname> defined in
 <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix">
 <filename>nixpkgs/lib/licenses.nix</filename></link>,
 or in-place license description of the same format if the license is
-unlikely to be useful in another expression.
+unlikely to be useful in another expression.</para>
 <para>Although it's typically better to indicate the specific license,
 a few generic options are available:
 A few generic options are available, although it's typically better
 to indicate the specific license:
 <variablelist>
  <varlistentry>
-    <term><varname>free</varname></term>
+    <term><varname>stdenv.lib.licenses.free</varname>,
    <varname>"free"</varname></term>
    <listitem><para>Catch-all for free software licenses not listed
    above.</para></listitem>
  </varlistentry>
  <varlistentry>
-    <term><varname>unfree-redistributable</varname></term>
+    <term><varname>stdenv.lib.licenses.unfreeRedistributable</varname>,
    <varname>"unfree-redistributable"</varname></term>
    <listitem><para>Unfree package that can be redistributed in binary
-    form.  That is, it’s legal to redistribute the
+    form. That is, it’s legal to redistribute the
    <emphasis>output</emphasis> of the derivation.  This means that
    the package can be included in the Nixpkgs
    channel.</para>
    <para>Sometimes proprietary software can only be redistributed
-    unmodified.  Make sure the builder doesn’t actually modify the
+    unmodified. Make sure the builder doesn’t actually modify the
    original binaries; otherwise we’re breaking the license.  For
    instance, the NVIDIA X11 drivers can be redistributed unmodified,
    but our builder applies <command>patchelf</command> to make them
-    work.  Thus, its license is <varname>unfree</varname> and it
+    work. Thus, its license is <varname>"unfree"</varname> and it
    cannot be included in the Nixpkgs channel.</para></listitem>
  </varlistentry>
  <varlistentry>
-    <term><varname>unfree</varname></term>
+    <term><varname>stdenv.lib.licenses.unfree</varname>,
-    <listitem><para>Unfree package that cannot be redistributed.  You
+    <varname>"unfree"</varname></term>
    <listitem><para>Unfree package that cannot be redistributed. You
    can build it yourself, but you cannot redistribute the output of
-    the derivation.  Thus it cannot be included in the Nixpkgs
+    the derivation. Thus it cannot be included in the Nixpkgs
    channel.</para></listitem>
  </varlistentry>
  <varlistentry>
-    <term><varname>unfree-redistributable-firmware</varname></term>
+    <term><varname>stdenv.lib.licenses.unfreeRedistributableFirmware</varname>,
    <varname>"unfree-redistributable-firmware"</varname></term>
    <listitem><para>This package supplies unfree, redistributable
    firmware.  This is a separate value from
    <varname>unfree-redistributable</varname> because not everybody
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@ -224,6 +224,63 @@ genericBuild
 </variablelist>
 <variablelist>
  <title>Variables affecting build properties</title>
  <varlistentry>
    <term><varname>enableParallelBuilding</varname></term>
    <listitem><para>If set, <literal>stdenv</literal> will pass specific
    flags to <literal>make</literal> and other build tools to enable
    parallel building with up to <literal>build-cores</literal>
    workers.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>preferLocalBuild</varname></term>
    <listitem><para>If set, specifies that the package is so lightweight
    in terms of build operations (e.g. write a text file from a Nix string
    to the store) that there's no need to look for it in binary caches --
    it's faster to just build it locally. It also tells Hydra and other
    facilities that this package doesn't need to be exported in binary
    caches (noone would use it, after all).</para></listitem>
  </varlistentry>
 </variablelist>
 <variablelist>
  <title>Special variables</title>
  <varlistentry>
    <term><varname>passthru</varname></term>
    <listitem><para>This is an attribute set which can be filled with arbitrary
    values. For example:
 <programlisting>
 passthru = {
  foo = "bar";
  baz = {
    value1 = 4;
    value2 = 5;
  };
 }
 </programlisting>
 </para>
    <para>Values inside it are not passed to the builder, so you can change
    them without triggering a rebuild. However, they can be accessed outside of a
    derivation directly, as if they were set inside a derivation itself, e.g.
    <literal>hello.baz.value1</literal>. We don't specify any usage or
    schema of <literal>passthru</literal> - it is meant for values that would be
    useful outside the derivation in other parts of a Nix expression (e.g. in other
    derivations). An example would be to convey some specific dependency of your
    derivation which contains a program with plugins support.  Later, others who
    make derivations with plugins can use passed-through dependency to ensure that
    their plugin would be binary-compatible with built program.</para></listitem>
  </varlistentry>
 </variablelist>
 </section>
@ -1186,6 +1243,14 @@ echo @foo@
    environment variable.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term>Autoconf</term>
    <listitem><para>The <varname>autoreconfHook</varname> derivation adds
    <varname>autoreconfPhase</varname>, which runs autoreconf, libtoolize and
    automake, essentially preparing the configure script in autotools-based
    builds.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term>libxml2</term>
    <listitem><para>Adds every file named
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -155,6 +155,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
    fullName = "Common Public License 1.0";
  };
  doc = spdx {
    spdxId = "DOC";
    fullName = "DOC License";
  };
  efl10 = spdx {
    spdxId = "EFL-1.0";
    fullName = "Eiffel Forum License v1.0";
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -1,18 +1,21 @@
-/* -*- coding: utf-8; -*- */
+/* List of NixOS maintainers. The format is:
    handle = "Real Name <address@example.org>";
  where <handle> is preferred to be your GitHub username (so it's easy
  to ping a package @<handle>), and <Real Name> is your real name, not
  a pseudonym. Please keep the list alphabetically sorted. */
 {
  /* Add your name and email address here.
     Keep the list alphabetically sorted.
     Prefer the same attrname as your github username, please,
     so it's easy to ping a package @maintainer.
  */
  a1russell = "Adam Russell <adamlr6+pub@gmail.com>";
  aaronschif = "Aaron Schif <aaronschif@gmail.com>";
  abaldeau = "Andreas Baldeau <andreas@baldeau.net>";
  abbradar = "Nikolay Amiantov <ab@fmap.me>";
-  adev	   = "Adrien Devresse <adev@adev.name>";
+  aboseley = "Adam Boseley <adam.boseley@gmail.com>";
-  aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
+  adev = "Adrien Devresse <adev@adev.name>";
  aespinosa = "Allan Espinosa <allan.espinosa@outlook.com>";
  aflatter = "Alexander Flatter <flatter@fastmail.fm>";
  aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
  afranchuk = "Alex Franchuk <alex.franchuk@gmail.com>";
  aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
  ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
  akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
@ -26,10 +29,12 @@
  anderspapitto = "Anders Papitto <anderspapitto@gmail.com>";
  andres = "Andres Loeh <ksnixos@andres-loeh.de>";
  andrewrk = "Andrew Kelley <superjoe30@gmail.com>";
  aneeshusa = "Aneesh Agrawal <aneeshusa@gmail.com>";
  antono = "Antono Vasiljev <self@antono.info>";
  ardumont = "Antoine R. Dumont <eniotna.t@gmail.com>";
  aristid = "Aristid Breitkreuz <aristidb@gmail.com>";
  arobyn = "Alexei Robyn <shados@shados.net>";
  artuuge = "Artur E. Ruuge <artuuge@gmail.com>";
  asppsa = "Alastair Pharo <asppsa@gmail.com>";
  astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
  aszlig = "aszlig <aszlig@redmoonstudios.org>";
@ -43,8 +48,8 @@
  bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
  bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
  bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
  bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
  benley = "Benjamin Staffin <benley@gmail.com>";
  bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
  berdario = "Dario Bertini <berdario@gmail.com>";
  bergey = "Daniel Bergey <bergey@teallabs.org>";
  bjg = "Brian Gough <bjg@gnu.org>";
@ -56,6 +61,7 @@
  bosu = "Boris Sukholitko <boriss@gmail.com>";
  bramd = "Bram Duvigneau <bram@bramd.nl>";
  bstrik = "Berno Strik <dutchman55@gmx.com>";
  bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
  c0dehero = "CodeHero <codehero@nerdpol.ch>";
  calrama = "Moritz Maxeiner <moritz@ucworks.org>";
  campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
@ -64,20 +70,24 @@
  chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
  chattered = "Phil Scott <me@philscotted.com>";
  christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
  cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
  coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
  codsl = "codsl <codsl@riseup.net>";
  codyopel = "Cody Opel <codyopel@gmail.com>";
  colemickens = "Cole Mickens <cole.mickens@gmail.com>";
  copumpkin = "Dan Peebles <pumpkingod@gmail.com>";
  coroa = "Jonas Hörsch <jonas@chaoflow.net>";
  couchemar = "Andrey Pavlov <couchemar@yandex.ru>";
  cstrahan = "Charles Strahan <charles.c.strahan@gmail.com>";
  cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
  DamienCassou = "Damien Cassou <damien@cassou.me>";
  dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
  davidak = "David Kleuker <post@davidak.de>";
  davidrusu = "David Rusu <davidrusu.me@gmail.com>";
  dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";
  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
  deepfire = "Kosyrev Serge <_deepfire@feelingofgreen.ru>";
  demin-dmitriy = "Dmitriy Demin <demindf@gmail.com>";
  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
  desiderius = "Didier J. Devroye <didier@devroye.name>";
  devhell = "devhell <\"^\"@regexmail.net>";
  dezgeg = "Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>";
@ -91,10 +101,12 @@
  eduarrrd = "Eduard Bachmakov <e.bachmakov@gmail.com>";
  edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
  eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
  ehegnes = "Eric Hegnes <eric.hegnes@gmail.com>";
  ehmry = "Emery Hemingway <emery@vfemail.net>";
  eikek = "Eike Kettner <eike.kettner@posteo.de>";
  elasticdog = "Aaron Bull Schaefer <aaron@elasticdog.com>";
  elitak = "Eric Litak <elitak@gmail.com>";
  ellis = "Ellis Whitehead <nixos@ellisw.net>";
  ehmry = "Emery Hemingway <emery@vfemail.net>";
  epitrochoid = "Mabry Cervin <mpcervin@uncg.edu>";
  ericbmerritt = "Eric Merritt <eric@afiniate.com>";
  ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
@ -102,6 +114,7 @@
  ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
  exi = "Reno Reckling <nixos@reckling.org>";
  exlevan = "Alexey Levan <exlevan@gmail.com>";
  fadenb = "Tristan Helmich <tristan.helmich+nixos@gmail.com>";
  falsifian = "James Cook <james.cook@utoronto.ca>";
  flosse = "Markus Kohlhase <mail@markus-kohlhase.de>";
  fluffynukeit = "Daniel Austin <dan@fluffynukeit.com>";
@ -114,6 +127,7 @@
  ftrvxmtrx = "Siarhei Zirukin <ftrvxmtrx@gmail.com>";
  funfunctor = "Edward O'Callaghan <eocallaghan@alterapraxis.com>";
  fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
  fxfactorial = "Edgar Aroutiounian <edgar.factorial@gmail.com>";
  gal_bolle = "Florent Becker <florent.becker@ens-lyon.org>";
  garbas = "Rok Garbas <rok@garbas.si>";
  garrison = "Jim Garrison <jim@garrison.cc>";
@ -122,8 +136,9 @@
  gfxmonk = "Tim Cuthbertson <tim@gfxmonk.net>";
  giogadi = "Luis G. Torres <lgtorres42@gmail.com>";
  gleber = "Gleb Peregud <gleber.p@gmail.com>";
-  globin = "Robin Gloster <robin@glob.in>";
+  globin = "Robin Gloster <mail@glob.in>";
  goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
  Gonzih = "Max Gonzih <gonzih@gmail.com>";
  gridaphobe = "Eric Seidel <eric@seidel.io>";
  guibert = "David Guibert <david.guibert@gmail.com>";
  havvy = "Ryan Scheel <ryan.havvy@gmail.com>";
@ -135,6 +150,7 @@
  iand675 = "Ian Duncan <ian@iankduncan.com>";
  ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
  iElectric = "Domen Kozar <domen@dev.si>";
  igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
  ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
  iyzsong = "Song Wenwu <iyzsong@gmail.com>";
  j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
@ -152,11 +168,13 @@
  joelmo = "Joel Moberg <joel.moberg@gmail.com>";
  joelteon = "Joel Taylor <me@joelt.io>";
  jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
  jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
  jwiegley = "John Wiegley <johnw@newartisans.com>";
  jwilberding = "Jordan Wilberding <jwilberding@afiniate.com>";
  jzellner = "Jeff Zellner <jeffz@eml.cc>";
  kamilchm = "Kamil Chmielewski <kamil.chm@gmail.com>";
  kampfschlaefer = "Arnold Krille <arnold@arnoldarts.de>";
  kevincox = "Kevin Cox <kevincox@kevincox.ca>";
  khumba = "Bryan Gardiner <bog@khumba.net>";
  kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
  koral = "Koral <koral@mailoo.org>";
@ -166,6 +184,7 @@
  lassulus = "Lassulus <lassulus@gmail.com>";
  layus = "Guillaume Maudoux <layus.on@gmail.com>";
  lebastr = "Alexander Lebedev <lebastr@gmail.com>";
  leenaars = "Michiel Leenaars <ml.software@leenaa.rs>";
  leonardoce = "Leonardo Cecchi <leonardo.cecchi@gmail.com>";
  lethalman = "Luca Bruno <lucabru@src.gnome.org>";
  lewo = "Antoine Eiche <lewo@abesis.fr>";
@ -178,8 +197,9 @@
  lowfatcomputing = "Andreas Wagner <andreas.wagner@lowfatcomputing.org>";
  lsix = "Lancelot SIX <lsix@lancelotsix.com>";
  ludo = "Ludovic Courtès <ludo@gnu.org>";
  lukego = "Luke Gorrie <luke@snabb.co>";
  luispedro = "Luis Pedro Coelho <luis@luispedro.org>";
  lukasepple = "Lukas Epple <post@lukasepple.de>";
  lukego = "Luke Gorrie <luke@snabb.co>";
  lw = "Sergey Sofeychuk <lw@fmap.me>";
  madjar = "Georges Dubus <georges.dubus@compiletoi.net>";
  magnetophon = "Bart Brouns <bart@magnetophon.nl>";
@ -189,24 +209,26 @@
  manveru = "Michael Fellinger <m.fellinger@gmail.com>";
  marcweber = "Marc Weber <marco-oweber@gmx.de>";
  markWot = "Markus Wotringer <markus@wotringer.de>";
  maurer = "Matthew Maurer <matthew.r.maurer+nix@gmail.com>";
  matejc = "Matej Cotman <cotman.matej@gmail.com>";
  mathnerd314 = "Mathnerd314 <mathnerd314.gph+hs@gmail.com>";
  matthiasbeyer = "Matthias Beyer <mail@beyermatthias.de>";
  maurer = "Matthew Maurer <matthew.r.maurer+nix@gmail.com>";
  mbakke = "Marius Bakke <ymse@tuta.io>";
  mbe = "Brandon Edens <brandonedens@gmail.com>";
  mboes = "Mathieu Boespflug <mboes@tweag.net>";
  mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
  meditans = "Carlo Nucera <meditans@gmail.com>";
  meisternu = "Matt Miemiec <meister@krutt.org>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
  michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
  mingchuan = "Ming Chuan <ming@culpring.com>";
  mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
  mschristiansen = "Mikkel Christiansen <mikkel@rheosystems.com>";
  modulistic = "Pablo Costa <modulistic@gmail.com>";
  mog = "Matthew O'Gorman <mog-lists@rldn.net>";
  mornfall = "Petr Ročkai <me@mornfall.net>";
  MP2E = "Cray Elliott <MP2E@archlinux.us>";
  msackman = "Matthew Sackman <matthew@wellquite.org>";
  mschristiansen = "Mikkel Christiansen <mikkel@rheosystems.com>";
  msteen = "Matthijs Steen <emailmatthijs@gmail.com>";
  mtreskin = "Max Treskin <zerthurd@gmail.com>";
  mudri = "James Wood <lamudri@gmail.com>";
@ -214,6 +236,7 @@
  nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
  nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
  nequissimus = "Tim Steinbach <tim@nequissimus.com>";
  nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
  nico202 = "Nicolò Balzarotti <anothersms@gmail.com>";
  notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
  np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
@ -232,8 +255,9 @@
  palo = "Ingolf Wanger <palipalo9@googlemail.com>";
  pashev = "Igor Pashev <pashev.igor@gmail.com>";
  pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
  phile314 = "Philipp Hausmann <nix@314.ch>";
  philandstuff = "Philip Potter <philip.g.potter@gmail.com>";
  phile314 = "Philipp Hausmann <nix@314.ch>";
  Phlogistique = "Noé Rubinstein <noe.rubinstein@gmail.com>";
  phreedom = "Evgeny Egorochkin <phreedom@yandex.ru>";
  phunehehe = "Hoang Xuan Phu <phunehehe@gmail.com>";
  pierron = "Nicolas B. Pierron <nixos@nbp.name>";
@ -242,7 +266,6 @@
  pjones = "Peter Jones <pjones@devalot.com>";
  pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
  plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
  Phlogistique = "Noé Rubinstein <noe.rubinstein@gmail.com>";
  pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
  pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
  prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
@ -270,6 +293,7 @@
  rushmorem = "Rushmore Mushambi <rushmore@webenchanter.com>";
  rvl = "Rodney Lorrimar <dev+nix@rodney.id.au>";
  rvlander = "Gaëtan André <rvlander@gaetanandre.eu>";
  ryantm = "Ryan Mulligan <ryan@ryantm.com>";
  rycee = "Robert Helgesson <robert@rycee.net>";
  samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
  sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
@ -285,9 +309,12 @@
  sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
  sjourdois = "Stéphane ‘kwisatz’ Jourdois <sjourdois@gmail.com>";
  skeidel = "Sven Keidel <svenkeidel@gmail.com>";
  skrzyp = "Jakub Skrzypnik <jot.skrzyp@gmail.com>";
  sleexyz = "Sean Lee <freshdried@gmail.com>";
  smironov = "Sergey Mironov <ierton@gmail.com>";
  spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
  spencerjanssen = "Spencer Janssen <spencerjanssen@gmail.com>";
  spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
  sprock = "Roger Mason <rmason@mun.ca>";
  spwhitt = "Spencer Whitt <sw@swhitt.me>";
  stephenmw = "Stephen Weinberg <stephen@q5comm.com>";
@ -297,6 +324,7 @@
  taeer = "Taeer Bar-Yam <taeer@necsi.edu>";
  tailhook = "Paul Colomiets <paul@colomiets.name>";
  taktoa = "Remy Goldschmidt <taktoa@gmail.com>";
  tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
  telotortium = "Robert Irelan <rirelan@gmail.com>";
  thall = "Niclas Thall <niclas.thall@gmail.com>";
  thammers = "Tobias Hammerschmidt <jawr@gmx.de>";
@ -309,12 +337,14 @@
  tomberek = "Thomas Bereknyei <tomberek@gmail.com>";
  travisbhartwell = "Travis B. Hartwell <nafai@travishartwell.net>";
  trino = "Hubert Mühlhans <muehlhans.hubert@ekodia.de>";
-  tstrobel = "Thomas Strobel <ts468@cam.ac.uk>";
+  tstrobel = "Thomas Strobel <4ZKTUB6TEP74PYJOPWIR013S2AV29YUBW5F9ZH2F4D5UMJUJ6S@hash.domains>";
  ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
  tv = "Tomislav Viljetić <tv@shackspace.de>";
  tvestelind = "Tomas Vestelind <tomas.vestelind@fripost.org>";
  twey = "James ‘Twey’ Kay <twey@twey.co.uk>";
  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
  vandenoever = "Jos van den Oever <jos@vandenoever.info>";
  vanzef = "Ivan Solyankin <vanzef@gmail.com>";
  vbgl = "Vincent Laporte <Vincent.Laporte@gmail.com>";
  vbmithr = "Vincent Bernardoff <vb@luminar.eu.org>";
  vcunat = "Vladimír Čunát <vcunat@gmail.com>";
@ -328,9 +358,9 @@
  winden = "Antonio Vargas Gonzalez <windenntw@gmail.com>";
  wizeman = "Ricardo M. Correia <rcorreia@wizy.org>";
  wjlroe = "William Roe <willroe@gmail.com>";
  womfoo = "Kranium Gikos Mendoza <kranium@gikos.net>";
  wkennington = "William A. Kennington III <william@wkennington.com>";
  wmertens = "Wout Mertens <Wout.Mertens@gmail.com>";
  womfoo = "Kranium Gikos Mendoza <kranium@gikos.net>";
  wscott = "Wayne Scott <wsc9tt@gmail.com>";
  wyvie = "Elijah Rum <elijahrum@gmail.com>";
  yarr = "Dmitry V. <savraz@gmail.com>";
@ -338,6 +368,6 @@
  zagy = "Christian Zagrodnick <cz@flyingcircus.io>";
  zef = "Zef Hemel <zef@zef.me>";
  zimbatm = "zimbatm <zimbatm@zimbatm.com>";
  zohl = "Al Zohali <zohl@fmap.me>";
  zoomulator = "Kim Simmons <zoomulator@gmail.com>";
  Gonzih = "Max Gonzih <gonzih@gmail.com>";
 }
--- a/lib/platforms.nix
+++ b/lib/platforms.nix
@ -1,21 +1,24 @@
 let lists = import ./lists.nix; in
 rec {
-  gnu = linux; /* ++ hurd ++ kfreebsd ++ ... */
+  all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd ++ netbsd ++ illumos;
-  linux = ["i686-linux" "x86_64-linux" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "mips64el-linux"];
+  allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
  none = [];
  arm = ["armv5tel-linux" "armv6l-linux" "armv7l-linux" ];
  i686 = ["i686-linux" "i686-freebsd" "i686-netbsd" "i686-cygwin"];
  mips = [ "mips64el-linux" ];
  x86_64 = ["x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin"];
  cygwin = ["i686-cygwin" "x86_64-cygwin"];
  darwin = ["x86_64-darwin"];
  freebsd = ["i686-freebsd" "x86_64-freebsd"];
-  openbsd = ["i686-openbsd" "x86_64-openbsd"];
+  gnu = linux; /* ++ hurd ++ kfreebsd ++ ... */
  netbsd = ["i686-netbsd" "x86_64-netbsd"];
  cygwin = ["i686-cygwin" "x86_64-cygwin"];
  illumos = ["x86_64-solaris"];
  linux = ["i686-linux" "x86_64-linux" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "mips64el-linux"];
  netbsd = ["i686-netbsd" "x86_64-netbsd"];
  openbsd = ["i686-openbsd" "x86_64-openbsd"];
  unix = linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos;
-  all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd ++ netbsd ++ illumos;
+
-  none = [];
+  mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux" "armv7l-linux"];
  allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
  mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux"];
  x86_64 = ["x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin"];
  i686 = ["i686-linux" "i686-freebsd" "i686-netbsd" "i686-cygwin"];
  arm = ["armv5tel-linux" "armv6l-linux" "armv7l-linux" ];
  mips = [ "mips64el-linux" ];
 }
--- a/lib/systems.nix
+++ b/lib/systems.nix
@ -84,10 +84,10 @@ rec {
  };
  isDarwin = matchAttrs { kernel = kernels.darwin; };
  isLinux = matchAttrs { kernel = kernels.linux; };
  isi686 = matchAttrs { cpu = cpuTypes.i686; };
  is64Bit = matchAttrs { cpu = { bits = 64; }; };
  isDarwin = matchAttrs { kernel = kernels.darwin; };
  isi686 = matchAttrs { cpu = cpuTypes.i686; };
  isLinux = matchAttrs { kernel = kernels.linux; };
  # This should revert the job done by config.guess from the gcc compiler.
--- a/lib/tests/release.nix
+++ b/lib/tests/release.nix
@ -11,14 +11,14 @@ stdenv.mkDerivation {
  buildCommand = ''
    datadir="${nix}/share"
    export TEST_ROOT=$(pwd)/test-tmp
-    export NIX_STORE_DIR=$TEST_ROOT/store
+    export NIX_BUILD_HOOK=
    export NIX_CONF_DIR=$TEST_ROOT/etc
    export NIX_DB_DIR=$TEST_ROOT/db
    export NIX_LOCALSTATE_DIR=$TEST_ROOT/var
    export NIX_LOG_DIR=$TEST_ROOT/var/log/nix
    export NIX_STATE_DIR=$TEST_ROOT/var/nix
    export NIX_DB_DIR=$TEST_ROOT/db
    export NIX_CONF_DIR=$TEST_ROOT/etc
    export NIX_MANIFESTS_DIR=$TEST_ROOT/var/nix/manifests
-    export NIX_BUILD_HOOK=
+    export NIX_STATE_DIR=$TEST_ROOT/var/nix
    export NIX_STORE_DIR=$TEST_ROOT/store
    export PAGER=cat
    cacheDir=$TEST_ROOT/binary-cache
    nix-store --init
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@ -75,4 +75,25 @@ rec {
  min = x: y: if x < y then x else y;
  max = x: y: if x > y then x else y;
  /* Reads a JSON file. It is useful to import pure data into other nix
     expressions.
     Example:
       mkDerivation {
         src = fetchgit (importJSON ./repo.json)
         #...
       }
       where repo.json contains:
       {
         "url": "git://some-domain/some/repo",
         "rev": "265de7283488964f44f0257a8b4a055ad8af984d",
         "sha256": "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"
       }
  */
  importJSON = path:
    builtins.fromJSON (builtins.readFile path);
 }
--- a/lib/types.nix
+++ b/lib/types.nix
@ -93,7 +93,7 @@ rec {
    # derivation is a reserved keyword.
    package = mkOptionType {
-      name = "derivation";
+      name = "package";
      check = x: isDerivation x || isStorePath x;
      merge = loc: defs:
        let res = mergeOneOption loc defs;
--- a/maintainers/scripts/find-tarballs.nix
+++ b/maintainers/scripts/find-tarballs.nix
@ -18,7 +18,8 @@ let
  fetchurlDependencies =
    filter
-      (drv: drv.outputHash or "" != "" && drv.outputHashMode == "flat" && drv.postFetch or "" == "" && drv ? urls)
+      (drv: drv.outputHash or "" != "" && drv.outputHashMode or "flat" == "flat"
          && drv.postFetch or "" == "" && drv ? urls)
      dependencies;
  dependencies = map (x: x.value) (genericClosure {
--- a/maintainers/scripts/gnu/gnupdate
+++ b/maintainers/scripts/gnu/gnupdate
--- a/maintainers/scripts/nix-call-package
+++ b/maintainers/scripts/nix-call-package
@ -1,5 +1,5 @@
 #! /bin/sh
-echo "let pkgs = import /etc/nixos/nixpkgs$2 {}; x = pkgs.callPackage $1 { $3 }; in ${4:-x}" |
+echo "let pkgs = import <nixpkgs$2> {}; x = pkgs.callPackage $1 { $3 }; in ${4:-x}" |
 nix-instantiate --show-trace - |
 xargs nix-store -r -K
--- a/maintainers/scripts/nix-generate-from-cpan.nix
+++ b/maintainers/scripts/nix-generate-from-cpan.nix
@ -1,22 +1,24 @@
 { stdenv, makeWrapper, perl, perlPackages }:
 stdenv.mkDerivation {
-  name = "nix-generate-from-cpan-1";
+  name = "nix-generate-from-cpan-2";
-  buildInputs = [ makeWrapper perl perlPackages.YAMLLibYAML perlPackages.JSON perlPackages.CPANPLUS ];
+  buildInputs = with perlPackages; [
    makeWrapper perl CPANMeta GetoptLongDescriptive CPANPLUS Readonly Log4Perl
  ];
-  unpackPhase = "true";
+  phases = [ "installPhase" ];
  buildPhase = "true";
  installPhase =
    ''
      mkdir -p $out/bin
      cp ${./nix-generate-from-cpan.pl} $out/bin/nix-generate-from-cpan
      patchShebangs $out/bin/nix-generate-from-cpan
      wrapProgram $out/bin/nix-generate-from-cpan --set PERL5LIB $PERL5LIB
    '';
  meta = {
-    maintainers = [ stdenv.lib.maintainers.eelco ];
+    maintainers = with stdenv.lib.maintainers; [ eelco rycee ];
    description = "Utility to generate a Nix expression for a Perl package from CPAN";
  };
 }
--- a/maintainers/scripts/nix-generate-from-cpan.pl
+++ b/maintainers/scripts/nix-generate-from-cpan.pl
@ -1,154 +1,440 @@
-#! /run/current-system/sw/bin/perl -w
+#!/usr/bin/env perl
 use utf8;
 use strict;
-use CPANPLUS::Backend;
+use warnings;
 use YAML::XS;
 use JSON;
-my $module_name = $ARGV[0];
+use CPAN::Meta();
-die "syntax: $0 <MODULE-NAME>\n" unless defined $module_name;
+use CPANPLUS::Backend();
 use Getopt::Long::Descriptive qw( describe_options );
 use JSON::PP qw( encode_json );
 use Log::Log4perl qw(:easy);
 use Readonly();
-my $cb = CPANPLUS::Backend->new;
+# Readonly hash that maps CPAN style license strings to information
 # necessary to generate a Nixpkgs style license attribute.
 Readonly::Hash my %LICENSE_MAP => (
-my @modules = $cb->search(type => "name", allow => [$module_name]);
+    # The Perl 5 License (Artistic 1 & GPL 1 or later).
-die "module $module_name not found\n" if scalar @modules == 0;
+    perl_5 => {
-die "multiple packages that match module $module_name\n" if scalar @modules > 1;
+        licenses => [qw( artistic1 gpl1Plus )]
-my $module = $modules[0];
+    },
    # GNU Affero General Public License, Version 3.
    agpl_3 => {
        licenses => [qw( agpl3Plus )],
        amb      => 1
    },
    # Apache Software License, Version 1.1.
    apache_1_1 => {
        licenses => ["Apache License 1.1"],
        in_set   => 0
    },
    # Apache License, Version 2.0.
    apache_2_0 => {
        licenses => [qw( asl20 )]
    },
    # Artistic License, (Version 1).
    artistic_1 => {
        licenses => [qw( artistic1 )]
    },
    # Artistic License, Version 2.0.
    artistic_2 => {
        licenses => [qw( artistic2 )]
    },
    # BSD License (three-clause).
    bsd => {
        licenses => [qw( bsd3 )],
        amb      => 1
    },
    # FreeBSD License (two-clause).
    freebsd => {
        licenses => [qw( bsd2 )]
    },
    # GNU Free Documentation License, Version 1.2.
    gfdl_1_2 => {
        licenses => [qw( fdl12 )]
    },
    # GNU Free Documentation License, Version 1.3.
    gfdl_1_3 => {
        licenses => [qw( fdl13 )]
    },
    # GNU General Public License, Version 1.
    gpl_1 => {
        licenses => [qw( gpl1Plus )],
        amb      => 1
    },
    # GNU General Public License, Version 2. Note, we will interpret
    # "gpl" alone as GPL v2+.
    gpl_2 => {
        licenses => [qw( gpl2Plus )],
        amb      => 1
    },
    # GNU General Public License, Version 3.
    gpl_3 => {
        licenses => [qw( gpl3Plus )],
        amb      => 1
    },
    # GNU Lesser General Public License, Version 2.1. Note, we will
    # interpret "gpl" alone as LGPL v2.1+.
    lgpl_2_1 => {
        licenses => [qw( lgpl21Plus )],
        amb      => 1
    },
    # GNU Lesser General Public License, Version 3.0.
    lgpl_3_0 => {
        licenses => [qw( lgpl3Plus )],
        amb      => 1
    },
    # MIT (aka X11) License.
    mit => {
        licenses => [qw( mit )]
    },
    # Mozilla Public License, Version 1.0.
    mozilla_1_0 => {
        licenses => [qw( mpl10 )]
    },
    # Mozilla Public License, Version 1.1.
    mozilla_1_1 => {
        licenses => [qw( mpl11 )]
    },
    # OpenSSL License.
    openssl => {
        licenses => [qw( openssl )]
    },
    # Q Public License, Version 1.0.
    qpl_1_0 => {
        licenses => [qw( qpl )]
    },
    # Original SSLeay License.
    ssleay => {
        licenses => ["Original SSLeay License"],
        in_set   => 0
    },
    # Sun Internet Standards Source License (SISSL).
    sun => {
        licenses => ["Sun Industry Standards Source License v1.1"],
        in_set   => 0
    },
    # zlib License.
    zlib => {
        licenses => [qw( zlib )]
    },
    # Other Open Source Initiative (OSI) approved license.
    open_source => {
        licenses => [qw( free )],
        amb      => 1
    },
    # Requires special permission from copyright holder.
    restricted => {
        licenses => [qw( unfree )],
        amb      => 1
    },
    # Not an OSI approved license, but not restricted. Note, we
    # currently map this to unfreeRedistributable, which is a
    # conservative choice.
    unrestricted => {
        licenses => [qw( unfreeRedistributable )],
        amb      => 1
    },
    # License not provided in metadata.
    unknown => {
        licenses => [qw( unknown )],
        amb      => 1
    }
 );
 sub handle_opts {
    my ( $opt, $usage ) = describe_options(
        'usage: $0 %o MODULE',
        [ 'maintainer|m=s', 'the package maintainer' ],
        [ 'debug|d',        'enable debug output' ],
        [ 'help',           'print usage message and exit' ]
    );
    if ( $opt->help ) {
        print $usage->text;
        exit;
    }
    my $module_name = $ARGV[0];
    if ( !defined $module_name ) {
        print STDERR "Missing module name\n";
        print STDERR $usage->text;
        exit 1;
    }
    return ( $opt, $module_name );
 }
 # Takes a Perl package attribute name and returns 1 if the name cannot
 # be referred to as a bareword. This typically happens if the package
 # name is a reserved Nix keyword.
 sub is_reserved {
    my ($pkg) = @_;
    return $pkg =~ /^(?: assert    |
                         else      |
                         if        |
                         import    |
                         in        |
                         inherit   |
                         let       |
                         rec       |
                         then      |
                         while     |
                         with      )$/x;
 }
 sub pkg_to_attr {
-    my ($pkg_name) = @_;
+    my ($module) = @_;
-    my $attr_name = $pkg_name;
+    my $attr_name = $module->package_name;
-    $attr_name =~ s/-\d.*//; # strip version
+    if ( $attr_name eq "libwww-perl" ) {
-    return "LWP" if $attr_name eq "libwww-perl";
+        return "LWP";
-    $attr_name =~ s/-//g;
+    }
-    return $attr_name;
+    else {
        $attr_name =~ s/-//g;
        return $attr_name;
    }
 }
 sub get_pkg_name {
    my ($module) = @_;
-    my $pkg_name = $module->package;
+    return $module->package_name . '-' . $module->package_version;
    $pkg_name =~ s/\.tar.*//;
    $pkg_name =~ s/\.zip//;
    return $pkg_name;
 }
-my $pkg_name = get_pkg_name $module;
+sub read_meta {
-my $attr_name = pkg_to_attr $pkg_name;
+    my ($pkg_path) = @_;
-print STDERR "attribute name: ", $attr_name, "\n";
+    my $yaml_path = "$pkg_path/META.yml";
-print STDERR "module: ", $module->module, "\n";
+    my $json_path = "$pkg_path/META.json";
-print STDERR "version: ", $module->version, "\n";
+    my $meta;
 print STDERR "package: ", $module->package, , " (", $pkg_name, ", ", $attr_name, ")\n";
 print STDERR "path: ", $module->path, "\n";
-my $tar_path = $module->fetch();
+    if ( -r $json_path ) {
-print STDERR "downloaded to: $tar_path\n";
+        $meta = CPAN::Meta->load_file($json_path);
-print STDERR "sha-256: ", $module->status->checksum_value, "\n";
+    }
-
+    elsif ( -r $yaml_path ) {
-my $pkg_path = $module->extract();
+        $meta = CPAN::Meta->load_file($yaml_path);
-print STDERR "unpacked to: $pkg_path\n";
+    }
-
+    else {
-my $meta;
+        WARN("package has no META.yml or META.json");
 if (-e "$pkg_path/META.yml") {
    eval {
        $meta = YAML::XS::LoadFile("$pkg_path/META.yml");
    };
    if ($@) {
        system("iconv -f windows-1252 -t utf-8 '$pkg_path/META.yml' > '$pkg_path/META.yml.tmp'");
        $meta = YAML::XS::LoadFile("$pkg_path/META.yml.tmp");
    }
 } elsif (-e "$pkg_path/META.json") {
    local $/;
    open(my $fh, '<', "$pkg_path/META.json") or die;
    $meta = decode_json(<$fh>);
 } else {
    warn "package has no META.yml or META.json\n";
 }
-print STDERR "metadata: ", encode_json($meta), "\n" if defined $meta;
+    return $meta;
 }
 # Map a module to the attribute corresponding to its package
 # (e.g. HTML::HeadParser will be mapped to HTMLParser, because that
 # module is in the HTML-Parser package).
 sub module_to_pkg {
-    my ($module_name) = @_;
+    my ( $cb, $module_name ) = @_;
-    my @modules = $cb->search(type => "name", allow => [$module_name]);
+    my @modules = $cb->search( type => "name", allow => [$module_name] );
-    if (scalar @modules == 0) {
+    if ( scalar @modules == 0 ) {
        # Fallback.
        $module_name =~ s/:://g;
        return $module_name;
    }
-    my $module = $modules[0];
+    my $module    = $modules[0];
-    my $attr_name = pkg_to_attr(get_pkg_name $module);
+    my $attr_name = pkg_to_attr($module);
-    print STDERR "mapped dep $module_name to $attr_name\n";
+    DEBUG("mapped dep $module_name to $attr_name");
    return $attr_name;
 }
 sub get_deps {
-    my ($type) = @_;
+    my ( $cb, $meta, $type ) = @_;
-    my $deps;
+
-    if (defined $meta->{prereqs}) {
+    return if !defined $meta;
-        die "unimplemented";
+
-    } elsif ($type eq "runtime") {
+    my $prereqs = $meta->effective_prereqs;
-        $deps = $meta->{requires};
+    my $deps = $prereqs->requirements_for( $type, "requires" );
    } elsif ($type eq "configure") {
        $deps = $meta->{configure_requires};
    } elsif ($type eq "build") {
        $deps = $meta->{build_requires};
    }
    my @res;
-    foreach my $n (keys %{$deps}) {
+    foreach my $n ( $deps->required_modules ) {
        next if $n eq "perl";
        # Hacky way to figure out if this module is part of Perl.
-        if ($n !~ /^JSON/ && $n !~ /^YAML/ && $n !~ /^Module::Pluggable/) {
+        if ( $n !~ /^JSON/ && $n !~ /^YAML/ && $n !~ /^Module::Pluggable/  && $n !~ /^if$/ ) {
            eval "use $n;";
-            if (!$@) {
+            if ( !$@ ) {
-                print STDERR "skipping Perl-builtin module $n\n";
+                DEBUG("skipping Perl-builtin module $n");
                next;
            }
        }
-        push @res, module_to_pkg($n);
+
        my $pkg = module_to_pkg( $cb, $n );
        # If the package name is reserved then we need to refer to it
        # through the "self" variable.
        $pkg = "self.\"$pkg\"" if is_reserved($pkg);
        push @res, $pkg;
    }
    return @res;
 }
 sub uniq {
-    return keys %{{ map { $_ => 1 } @_ }};
+    return keys %{ { map { $_ => 1 } @_ } };
 }
-my @build_deps = sort(uniq(get_deps("configure"), get_deps("build"), get_deps("test")));
+sub render_license {
-print STDERR "build deps: @build_deps\n";
+    my ($cpan_license) = @_;
-my @runtime_deps = sort(uniq(get_deps("runtime")));
+    return if !defined $cpan_license;
 print STDERR "runtime deps: @runtime_deps\n";
-my $homepage = $meta->{resources}->{homepage};
+    my $licenses;
 print STDERR "homepage: $homepage\n" if defined $homepage;
-my $description = $meta->{abstract};
+    # If the license is ambiguous then we'll print an extra warning.
-if (defined $description) {
+    # For example, "gpl_2" is ambiguous since it may refer to exactly
-    $description = uc(substr($description, 0, 1)) . substr($description, 1); # capitalise first letter
+    # "GPL v2" or to "GPL v2 or later".
-    $description =~ s/\.$//; # remove period at the end
+    my $amb = 0;
    # Whether the license is available inside `stdenv.lib.licenses`.
    my $in_set = 1;
    my $nix_license = $LICENSE_MAP{$cpan_license};
    if ( !$nix_license ) {
        WARN("Unknown license: $cpan_license");
        $licenses = [$cpan_license];
        $in_set   = 0;
    }
    else {
        $licenses = $nix_license->{licenses};
        $amb      = $nix_license->{amb};
        $in_set   = !$nix_license->{in_set};
    }
    my $license_line;
    if ( @$licenses == 0 ) {
        # Avoid defining the license line.
    }
    elsif ($in_set) {
        my $lic = 'stdenv.lib.licenses';
        if ( @$licenses == 1 ) {
            $license_line = "$lic.$licenses->[0]";
        }
        else {
            $license_line = "with $lic; [ " . join( ' ', @$licenses ) . " ]";
        }
    }
    else {
        if ( @$licenses == 1 ) {
            $license_line = $licenses->[0];
        }
        else {
            $license_line = '[ ' . join( ' ', @$licenses ) . ' ]';
        }
    }
    INFO("license: $cpan_license");
    WARN("License '$cpan_license' is ambiguous, please verify") if $amb;
    return $license_line;
 }
 my ( $opt, $module_name ) = handle_opts();
 Log::Log4perl->easy_init(
    {
        level => $opt->debug ? $DEBUG : $INFO,
        layout => '%m%n'
    }
 );
 my $cb = CPANPLUS::Backend->new;
 my @modules = $cb->search( type => "name", allow => [$module_name] );
 die "module $module_name not found\n" if scalar @modules == 0;
 die "multiple packages that match module $module_name\n" if scalar @modules > 1;
 my $module = $modules[0];
 my $pkg_name  = get_pkg_name $module;
 my $attr_name = pkg_to_attr $module;
 INFO( "attribute name: ", $attr_name );
 INFO( "module: ",         $module->module );
 INFO( "version: ",        $module->version );
 INFO( "package: ", $module->package, " (", $pkg_name, ", ", $attr_name, ")" );
 INFO( "path: ",    $module->path );
 my $tar_path = $module->fetch();
 INFO( "downloaded to: ", $tar_path );
 INFO( "sha-256: ",       $module->status->checksum_value );
 my $pkg_path = $module->extract();
 INFO( "unpacked to: ", $pkg_path );
 my $meta = read_meta($pkg_path);
 DEBUG( "metadata: ", encode_json( $meta->as_struct ) ) if defined $meta;
 my @build_deps = sort( uniq(
        get_deps( $cb, $meta, "configure" ),
        get_deps( $cb, $meta, "build" ),
        get_deps( $cb, $meta, "test" )
 ) );
 INFO("build deps: @build_deps");
 my @runtime_deps = sort( uniq( get_deps( $cb, $meta, "runtime" ) ) );
 INFO("runtime deps: @runtime_deps");
 my $homepage = $meta ? $meta->resources->{homepage} : undef;
 INFO("homepage: $homepage") if defined $homepage;
 my $description = $meta ? $meta->abstract : undef;
 if ( defined $description ) {
    $description = uc( substr( $description, 0, 1 ) )
      . substr( $description, 1 );    # capitalise first letter
    $description =~ s/\.$//;          # remove period at the end
    $description =~ s/\s*$//;
    $description =~ s/^\s*//;
-    print STDERR "description: $description\n";
+    $description =~ s/\n+/ /;         # Replace new lines by space.
    INFO("description: $description");
 }
-my $license = $meta->{license};
+#print(Data::Dumper::Dumper($meta->licenses) . "\n");
-if (defined $license) {
+my $license = $meta ? render_license( $meta->licenses ) : undef;
    $license = "perl5" if $license eq "perl_5";
    print STDERR "license: $license\n";
 }
-my $build_fun = -e "$pkg_path/Build.PL" && ! -e "$pkg_path/Makefile.PL" ? "buildPerlModule" : "buildPerlPackage";
+INFO( "RSS feed: https://metacpan.org/feed/distribution/",
    $module->package_name );
 my $build_fun = -e "$pkg_path/Build.PL"
  && !-e "$pkg_path/Makefile.PL" ? "buildPerlModule" : "buildPerlPackage";
 print STDERR "===\n";
 print <<EOF;
-  $attr_name = $build_fun {
+  ${\(is_reserved($attr_name) ? "\"$attr_name\"" : $attr_name)} = $build_fun rec {
    name = "$pkg_name";
    src = fetchurl {
-      url = mirror://cpan/${\$module->path}/${\$module->package};
+      url = "mirror://cpan/${\$module->path}/\${name}.${\$module->package_extension}";
      sha256 = "${\$module->status->checksum_value}";
    };
 EOF
@ -164,11 +450,14 @@ EOF
 print <<EOF if defined $homepage;
      homepage = $homepage;
 EOF
-print <<EOF if defined $description;
+print <<EOF if defined $description && $description ne "Unknown";
      description = "$description";
 EOF
 print <<EOF if defined $license;
-      license = "$license";
+      license = $license;
 EOF
 print <<EOF if $opt->maintainer;
      maintainers = [ maintainers.${\$opt->maintainer} ];
 EOF
 print <<EOF;
    };
--- a/maintainers/scripts/travis-nox-review-pr.sh
+++ b/maintainers/scripts/travis-nox-review-pr.sh
@ -11,11 +11,7 @@ if [[ $1 == nix ]]; then
    # Make sure we can use hydra's binary cache
    sudo mkdir /etc/nix
-    sudo tee /etc/nix/nix.conf <<EOF >/dev/null
+    sudo sh -c 'echo "build-max-jobs = 4" > /etc/nix/nix.conf'
 binary-caches = http://cache.nixos.org http://hydra.nixos.org
 trusted-binary-caches = http://hydra.nixos.org
 build-max-jobs = 4
 EOF
    # Verify evaluation
    echo "=== Verifying that nixpkgs evaluates..."
@ -27,6 +23,9 @@ elif [[ $1 == nox ]]; then
 elif [[ $1 == build ]]; then
    source $HOME/.nix-profile/etc/profile.d/nix.sh
    echo "=== Checking tarball creation"
    nix-build pkgs/top-level/release.nix -A tarball
    if [[ $TRAVIS_PULL_REQUEST == false ]]; then
        echo "=== Not a pull request"
    else
@ -41,8 +40,6 @@ elif [[ $1 == build ]]; then
            exit 1
        fi
    fi
    # echo "=== Checking tarball creation"
    # nix-build pkgs/top-level/release.nix -A tarball
 else
    echo "$0: Unknown option $1" >&2
    false
--- a/maintainers/scripts/vanity.sh
+++ b/maintainers/scripts/vanity.sh
@ -28,7 +28,7 @@ fetchGithubName () {
    )"
    userid="$(
        curl https://github.com/NixOS/nixpkgs/commit/"$commitid" 2>/dev/null |
-        grep authored -B10 | grep 'href="/' |
+        grep committed -B10 | grep 'href="/' |
        sed -re 's@.* href="/@@; s@".*@@' |
 	grep -v "/commit/"
    )";
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -1,20 +1,12 @@
 { configuration ? import ./lib/from-env.nix "NIXOS_CONFIG" <nixos-config>
 , system ? builtins.currentSystem
 , extraModules ? []
  # This attribute is used to specify a different nixos version, a different
  # system or additional modules which might be set conditionally.
 , reEnter ? false
 }:
 let
  reEnterModule = {
    config.nixos.path = with (import ../lib); mkIf reEnter (mkForce null);
    config.nixos.configuration = configuration;
  };
  eval = import ./lib/eval-config.nix {
    inherit system;
-    modules = [ configuration reEnterModule ] ++ extraModules;
+    modules = [ configuration ];
  };
  inherit (eval) pkgs;
@ -22,14 +14,14 @@ let
  # This is for `nixos-rebuild build-vm'.
  vmConfig = (import ./lib/eval-config.nix {
    inherit system;
-    modules = [ configuration reEnterModule ./modules/virtualisation/qemu-vm.nix ] ++ extraModules;
+    modules = [ configuration ./modules/virtualisation/qemu-vm.nix ];
  }).config;
  # This is for `nixos-rebuild build-vm-with-bootloader'.
  vmWithBootLoaderConfig = (import ./lib/eval-config.nix {
    inherit system;
    modules =
-      [ configuration reEnterModule
+      [ configuration
        ./modules/virtualisation/qemu-vm.nix
        { virtualisation.useBootLoader = true; }
      ];
@ -38,7 +30,7 @@ let
 in
 {
-  inherit (eval.config.nixos.reflect) config options;
+  inherit (eval) config options;
  system = eval.config.system.build.toplevel;
--- a/nixos/doc/manual/configuration/config-file.xml
+++ b/nixos/doc/manual/configuration/config-file.xml
@ -157,7 +157,7 @@ boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 60;
 fileSystems."/boot" =
  { device = "/dev/sda1";
    fsType = "ext4";
-    options = "rw,data=ordered,relatime";
+    options = [ "rw" "data=ordered" "relatime" ];
  };
 </programlisting>
      </para>
--- a/nixos/doc/manual/configuration/configuration.xml
+++ b/nixos/doc/manual/configuration/configuration.xml
@ -26,8 +26,8 @@ effect after you run <command>nixos-rebuild</command>.</para>
 <!-- FIXME: auto-include NixOS module docs -->
 <xi:include href="postgresql.xml" />
 <xi:include href="gitlab.xml" />
 <xi:include href="acme.xml" />
 <xi:include href="nixos.xml" />
 <!-- Apache; libvirtd virtualisation -->
--- a/nixos/doc/manual/configuration/user-mgmt.xml
+++ b/nixos/doc/manual/configuration/user-mgmt.xml
@ -65,6 +65,14 @@ account named <literal>alice</literal>:
 <screen>
 $ useradd -m alice</screen>
 To make all nix tools available to this new user use `su - USER` which 
 opens a login shell (==shell that loads the profile) for given user. 
 This will create the ~/.nix-defexpr symlink. So run:
 <screen>
 $ su - alice -c "true"</screen>
 The flag <option>-m</option> causes the creation of a home directory
 for the new user, which is generally what you want.  The user does not
 have an initial password and therefore cannot log in.  A password can
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@ -1,4 +1,4 @@
-{ pkgs, options, version, revision }:
+{ pkgs, options, version, revision, extraSources ? [] }:
 with pkgs;
 with pkgs.lib;
@ -17,19 +17,20 @@ let
  # Clean up declaration sites to not refer to the NixOS source tree.
  optionsList' = flip map optionsList (opt: opt // {
-    declarations = map (fn: stripPrefix fn) opt.declarations;
+    declarations = map stripAnyPrefixes opt.declarations;
  }
  // optionalAttrs (opt ? example) { example = substFunction opt.example; }
  // optionalAttrs (opt ? default) { default = substFunction opt.default; }
  // optionalAttrs (opt ? type) { type = substFunction opt.type; });
-  prefix = toString ../../..;
+  # We need to strip references to /nix/store/* from options,
-
+  # including any `extraSources` if some modules came from elsewhere,
-  stripPrefix = fn:
+  # or else the build will fail.
-    if substring 0 (stringLength prefix) fn == prefix then
+  #
-      substring (stringLength prefix + 1) 1000 fn
+  # E.g. if some `options` came from modules in ${pkgs.customModules}/nix,
-    else
+  # you'd need to include `extraSources = [ pkgs.customModules ]`
-      fn;
+  prefixesToStrip = map (p: "${toString p}/") ([ ../../.. ] ++ extraSources);
  stripAnyPrefixes = flip (fold removePrefix) prefixesToStrip;
  # Convert the list of options into an XML file.
  optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList');
@ -55,8 +56,8 @@ let
      cp -prd $sources/* . # */
      chmod -R u+w .
      cp ${../../modules/services/databases/postgresql.xml} configuration/postgresql.xml
      cp ${../../modules/services/misc/gitlab.xml} configuration/gitlab.xml
      cp ${../../modules/security/acme.xml} configuration/acme.xml
      cp ${../../modules/misc/nixos.xml} configuration/nixos.xml
      ln -s ${optionsDocBook} options-db.xml
      echo "${version}" > version
    '';
--- a/nixos/doc/manual/development/writing-modules.xml
+++ b/nixos/doc/manual/development/writing-modules.xml
@ -107,12 +107,12 @@ the file system.  This module declares two options that can be defined
 by other modules (typically the user’s
 <filename>configuration.nix</filename>):
 <option>services.locate.enable</option> (whether the database should
-be updated) and <option>services.locate.period</option> (when the
+be updated) and <option>services.locate.interval</option> (when the
 update should be done).  It implements its functionality by defining
 two options declared by other modules:
 <option>systemd.services</option> (the set of all systemd services)
-and <option>services.cron.systemCronJobs</option> (the list of
+and <option>systemd.timers</option> (the list of commands to be
-commands to be executed periodically by <command>cron</command>).</para>
+executed periodically by <command>systemd</command>).</para>
 <example xml:id='locate-example'><title>NixOS Module for the “locate” Service</title>
 <programlisting>
@ -120,53 +120,59 @@ commands to be executed periodically by <command>cron</command>).</para>
 with lib;
-let locatedb = "/var/cache/locatedb"; in
+let
-
+  cfg = config.services.locate;
-{
+in {
-  options = {
+  options.services.locate = {
-
+    enable = mkOption {
-    services.locate = {
+      type = types.bool;
-
+      default = false;
-      enable = mkOption {
+      description = ''
-        type = types.bool;
+        If enabled, NixOS will periodically update the database of
-        default = false;
+        files used by the <command>locate</command> command.
-        description = ''
+      '';
          If enabled, NixOS will periodically update the database of
          files used by the <command>locate</command> command.
        '';
      };
      period = mkOption {
        type = types.str;
        default = "15 02 * * *";
        description = ''
          This option defines (in the format used by cron) when the
          locate database is updated.  The default is to update at
          02:15 at night every day.
        '';
      };
    };
    interval = mkOption {
      type = types.str;
      default = "02:15";
      example = "hourly";
      description = ''
        Update the locate database at this interval. Updates by
        default at 2:15 AM every day.
        The format is described in
        <citerefentry><refentrytitle>systemd.time</refentrytitle>
        <manvolnum>7</manvolnum></citerefentry>.
      '';
    };
    # Other options omitted for documentation
  };
  config = {
    systemd.services.update-locatedb =
      { description = "Update Locate Database";
        path  = [ pkgs.su ];
        script =
          ''
-            mkdir -m 0755 -p $(dirname ${locatedb})
+            mkdir -m 0755 -p $(dirname ${toString cfg.output})
-            exec updatedb --localuser=nobody --output=${locatedb} --prunepaths='/tmp /var/tmp /run'
+            exec updatedb \
              --localuser=${cfg.localuser} \
              ${optionalString (!cfg.includeStore) "--prunepaths='/nix/store'"} \
              --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
          '';
      };
-    services.cron.systemCronJobs = optional config.services.locate.enable
+    systemd.timers.update-locatedb = mkIf cfg.enable
-      "${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service";
+      { description = "Update timer for locate database";
-
+        partOf      = [ "update-locatedb.service" ];
        wantedBy    = [ "timers.target" ];
        timerConfig.OnCalendar = cfg.interval;
      };
  };
-}</programlisting>
+}
 </programlisting>
 </example>
 <xi:include href="option-declarations.xml" />
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@ -22,7 +22,10 @@
  (with empty password).</para></listitem>
  <listitem><para>If you downloaded the graphical ISO image, you can
-  run <command>start display-manager</command> to start KDE.</para></listitem>
+  run <command>start display-manager</command> to start KDE. If you
  want to continue on the terminal, you can use
  <command>loadkeys</command> to switch to your preferred keyboard layout.
  (We even provide neo2 via <command>loadkeys de neo</command>!)</para></listitem>
  <listitem><para>The boot process should have brought up networking (check
  <command>ip a</command>).  Networking is necessary for the
--- a/nixos/doc/manual/man-nixos-generate-config.xml
+++ b/nixos/doc/manual/man-nixos-generate-config.xml
@ -165,13 +165,13 @@ look like this:
  fileSystems."/" =
    { device = "/dev/disk/by-label/nixos";
      fsType = "ext3";
-      options = "rw,data=ordered,relatime";
+      options = [ "rw" "data=ordered" "relatime" ];
    };
  fileSystems."/boot" =
    { device = "/dev/sda1";
      fsType = "ext3";
-      options = "rw,errors=continue,user_xattr,acl,barrier=1,data=writeback,relatime";
+      options = [ "rw" "errors=continue" "user_xattr" "acl" "barrier=1" "data=writeback" "relatime" ];
    };
  swapDevices =
--- a/nixos/doc/manual/release-notes/release-notes.xml
+++ b/nixos/doc/manual/release-notes/release-notes.xml
@ -9,7 +9,7 @@
 <para>This section lists the release notes for each stable version of NixOS
 and current unstable revision.</para>
-<xi:include href="rl-unstable.xml" />
+<xi:include href="rl-1603.xml" />
 <xi:include href="rl-1509.xml" />
 <xi:include href="rl-1412.xml" />
 <xi:include href="rl-1404.xml" />
--- a/nixos/doc/manual/release-notes/rl-unstable.xml
+++ b/nixos/doc/manual/release-notes/rl-unstable.xml
@ -2,28 +2,15 @@
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
-         xml:id="sec-release-unstable">
+         xml:id="sec-release-16.03">
-<title>Unstable</title>
+<title>Release 16.03 (“Emu”, 2016/03/??)</title>
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights:</para>
 <itemizedlist>
  <listitem>
    <para>You can now pin a specific version of NixOS in your <filename>configuration.nix</filename>
    by setting:
 <programlisting>
 nixos.path = ./nixpkgs-unstable-2015-12-06/nixos;
 </programlisting>
    This will make NixOS re-evaluate your configuration with the modules of
    the specified NixOS version at the given path.  For more details, see
    <xref linkend="module-misc-nixos" /></para>
  </listitem>
  <listitem>
    <para>Firefox and similar browsers are now <emphasis>wrapped by default</emphasis>.
    The package and attribute names are plain <literal>firefox</literal>
@ -41,7 +28,10 @@ nixos.path = ./nixpkgs-unstable-2015-12-06/nixos;
  <itemizedlist>
    <listitem><para><literal>services/monitoring/longview.nix</literal></para></listitem>
    <listitem><para><literal>services/networking/pdnsd.nix</literal></para></listitem>
    <listitem><para><literal>services/web-apps/pump.io.nix</literal></para></listitem>
    <listitem><para><literal>services/security/haka.nix</literal></para></listitem>
    <listitem><para><literal>i18n/inputMethod/default.nix</literal></para></listitem>
  </itemizedlist>
 </para>
@ -145,6 +135,118 @@ nginx.override {
    from the ELPA, MELPA, and MELPA Stable repositories.
    </para>
  </listitem>
  <listitem>
    <para>Data directory for Postfix MTA server is moved from
    <filename>/var/postfix</filename> to <filename>/var/lib/postfix</filename>.
    Old configurations are migrated automatically. <literal>service.postfix</literal>
    module has also received many improvements, such as correct directories' access
    rights, new <literal>aliasFiles</literal> and <literal>mapFiles</literal>
    options and more.</para>
  </listitem>
  <listitem>
    <para>Filesystem options should now be configured as a list of strings, not
    a comma-separated string. The old style will continue to work, but print a
    warning, until the 16.09 release. An example of the new style:
 <programlisting>
 fileSystems."/example" = {
  device = "/dev/sdc";
  fsType = "btrfs";
  options = [ "noatime" "compress=lzo" "space_cache" "autodefrag" ];
 };
 </programlisting>
    </para>
  </listitem>
  <listitem>
    <para>CUPS, installed by <literal>services.printing</literal> module, now
    has its data directory in <filename>/var/lib/cups</filename>. Old
    configurations from <filename>/etc/cups</filename> are moved there
    automatically, but there might be problems. Also configuration options
    <literal>services.printing.cupsdConf</literal> and
    <literal>services.printing.cupsdFilesConf</literal> were removed
    because they had been allowing one to override configuration variables
    required for CUPS to work at all on NixOS. For most use cases,
    <literal>services.printing.extraConf</literal> and new option
    <literal>services.printing.extraFilesConf</literal> should be enough;
    if you encounter a situation when they are not, please file a bug.</para>
    <para>There are also Gutenprint improvements; in particular, a new option
    <literal>services.printing.gutenprint</literal> is added to enable automatic
    updating of Gutenprint PPMs; it's greatly recommended to enable it instead
    of adding <literal>gutenprint</literal> to the <literal>drivers</literal> list.
    </para>
  </listitem>
  <listitem>
    <para><literal>services.xserver.vaapiDrivers</literal> has been removed. Use
    <literal>services.hardware.opengl.extraPackages{,32}</literal> instead. You can
    also specify VDPAU drivers there.</para>
  </listitem>
  <listitem>
    <para>
    <literal>programs.ibus</literal> moved to <literal>i18n.inputMethod.ibus</literal>.
    The option <literal>programs.ibus.plugins</literal> changed to <literal>i18n.inputMethod.ibus.engines</literal>
    and the option to enable ibus changed from <literal>programs.ibus.enable</literal> to
    <literal>i18n.inputMethod.enabled</literal>.
    <literal>i18n.inputMethod.enabled</literal> should be set to the used input method name,
    <literal>"ibus"</literal> for ibus.
    An example of the new style:
 <programlisting>
 i18n.inputMethod.enabled = "ibus";
 i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ];
 </programlisting>
 That is equivalent to the old version:
 <programlisting>
 programs.ibus.enable = true;
 programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ];
 </programlisting>
    </para>
  </listitem>
  <listitem>
    <para><literal>services.udev.extraRules</literal> option now writes rules
    to <filename>99-local.rules</filename> instead of <filename>10-local.rules</filename>.
    This makes all the user rules apply after others, so their results wouldn't be
    overriden by anything else.</para>
  </listitem>
  <listitem>
    <para>Large parts of the <literal>services.gitlab</literal> module has been
    been rewritten. There are new configuration options available. The
    <literal>stateDir</literal> option was renamned to
    <literal>statePath</literal> and the <literal>satellitesDir</literal> option
    was removed. Please review the currently available options.</para>
  </listitem>
  <listitem>
    <para>
    The option <option>services.nsd.zones.&lt;name&gt;.data</option> no
    longer interpret the dollar sign ($) as a shell variable, as such it
    should not be escaped anymore.  Thus the following zone data:
    </para>
    <programlisting>
 \$ORIGIN example.com.
 \$TTL 1800
@       IN      SOA     ns1.vpn.nbp.name.      admin.example.com. (
    </programlisting>
    <para>
    Should modified to look like the actual file expected by nsd:
    </para>
    <programlisting>
 $ORIGIN example.com.
 $TTL 1800
@       IN      SOA     ns1.vpn.nbp.name.      admin.example.com. (
    </programlisting>
  </listitem>
 </itemizedlist>
@ -158,6 +260,17 @@ nginx.override {
    <command>nix-shell</command> (without installing anything). </para>
  </listitem>
  <listitem>
    <para><literal>ejabberd</literal> module is brought back and now works on
    NixOS.</para>
  </listitem>
  <listitem>
    <para>Input method support was improved. New NixOS modules (fcitx, nabi and uim),
    fcitx engines (chewing, hangul, m17n, mozc and table-other) and ibus engines (hangul and m17n)
    have been added.</para>
  </listitem>
 </itemizedlist></para>
 </section>
--- a/nixos/lib/make-iso9660-image.nix
+++ b/nixos/lib/make-iso9660-image.nix
@ -22,7 +22,7 @@
 , # Whether this should be an efi-bootable El-Torito CD.
  efiBootable ? false
-, # Wheter this should be an hybrid CD (bootable from USB as well as CD).
+, # Whether this should be an hybrid CD (bootable from USB as well as CD).
  usbBootable ? false
 , # The path (in the ISO file system) of the boot image.
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@ -129,6 +129,14 @@ with lib;
        };
        cache32Bit = mkOption {
          default = false;
          type = types.bool;
          description = ''
            Generate system fonts cache for 32-bit applications.
          '';
        };
      };
    };
@ -231,12 +239,19 @@ with lib;
        "${pkgs.fontconfig.out}/etc/fonts/fonts.conf";
      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/00-nixos.conf".text =
-        ''
+        let
          cache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
        in ''
          <?xml version='1.0'?>
          <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
          <fontconfig>
            <!-- Font directories -->
            ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
            <!-- Pre-generated font caches -->
            <cachedir>${cache pkgs.fontconfig}</cachedir>
            ${optionalString (pkgs.stdenv.isx86_64 && config.fonts.fontconfig.cache32Bit) ''
              <cachedir>${cache pkgs.pkgsi686Linux.fontconfig}</cachedir>
            ''}
          </fontconfig>
        '';
--- a/nixos/modules/config/gtk-exe-env.nix
+++ b/nixos/modules/config/gtk-exe-env.nix
@ -1,41 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
  ];
  options = {
    gtkPlugins = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [];
      description = ''
        Plugin packages for GTK+ such as input methods.
      '';
    };
  };
  config = {
    environment.variables = if builtins.length config.gtkPlugins > 0
      then
        let
          paths = [ pkgs.gtk2 pkgs.gtk3 ] ++ config.gtkPlugins;
          env = pkgs.buildEnv {
            name = "gtk-exe-env";
            inherit paths;
            postBuild = lib.concatStringsSep "\n"
              (map (d: d.gtkExeEnvPostBuild or "") paths);
            ignoreCollisions = true;
          };
        in {
          GTK_EXE_PREFIX = builtins.toString env;
          GTK_PATH = [
            "${env}/lib/gtk-2.0"
            "${env}/lib/gtk-3.0"
          ];
        }
      else {};
  };
 }
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -39,6 +39,17 @@ in
      '';
    };
    networking.dnsExtensionMechanism = lib.mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable the <code>edns0</code> option in <filename>resolv.conf</filename>. With
        that option set, <code>glibc</code> supports use of the extension mechanisms for
        DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC,
        which does not work without it.
      '';
    };
    networking.extraResolvconfConf = lib.mkOption {
      type = types.lines;
      default = "";
@ -162,7 +173,10 @@ in
              libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null'
            '' + optionalString cfg.dnsSingleRequest ''
              # only send one DNS request at a time
-              resolv_conf_options='single-request'
+              resolv_conf_options+=' single-request'
            '' + optionalString cfg.dnsExtensionMechanism ''
              # enable extension mechanisms for DNS
              resolv_conf_options+=' edns0'
            '' + optionalString hasLocalResolver ''
              # This hosts runs a full-blown DNS resolver.
              name_servers='127.0.0.1'
--- a/nixos/modules/config/qt-plugin-env.nix
+++ b/nixos/modules/config/qt-plugin-env.nix
@ -1,37 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
  ];
  options = {
    qtPlugins = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [];
      description = ''
        Plugin packages for Qt such as input methods.
      '';
    };
  };
  config = {
    environment.variables = if builtins.length config.qtPlugins > 0
      then
        let
          paths = [ pkgs.qt48 ] ++ config.qtPlugins;
          env = pkgs.buildEnv {
            name = "qt-plugin-env";
            inherit paths;
            postBuild = lib.concatStringsSep "\n"
              (map (d: d.qtPluginEnvPostBuild or "") paths);
            ignoreCollisions = true;
          };
        in {
          QT_PLUGIN_PATH = [ (builtins.toString env) ];
        }
      else {};
  };
 }
--- a/nixos/modules/config/vpnc.nix
+++ b/nixos/modules/config/vpnc.nix
@ -17,16 +17,16 @@ in
      services = mkOption {
       type = types.attrsOf types.str;
       default = {};
-       example = {
+       example = literalExample ''
-         test = 
+         { test = '''
-          ''
+             IPSec gateway 192.168.1.1
-           IPSec gateway 192.168.1.1 
+             IPSec ID someID
-           IPSec ID someID
+             IPSec secret secretKey
-           IPSec secret secretKey
+             Xauth username name
-           Xauth username name
+             Xauth password pass
-           Xauth password pass
+           ''';
-          '';
+         }
-       };
+       '';
       description = 
         ''
           The names of cisco VPNs and their associated definitions
--- a/nixos/modules/config/zram.nix
+++ b/nixos/modules/config/zram.nix
@ -98,11 +98,9 @@ in
            script = ''
              set -u
              set -o pipefail
-
+              
              PATH=${pkgs.procps}/bin:${pkgs.gnugrep}/bin:${pkgs.gnused}/bin
              # Calculate memory to use for zram
-              totalmem=$(free | grep -e "^Mem:" | sed -e 's/^Mem: *//' -e 's/  *.*//')
+              totalmem=$(${pkgs.gnugrep}/bin/grep 'MemTotal: ' /proc/meminfo | ${pkgs.gawk}/bin/awk '{print $2}')
              mem=$(((totalmem * ${toString cfg.memoryPercent} / 100 / ${toString cfg.numDevices}) * 1024))
              echo $mem > /sys/class/block/${dev}/disksize
--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@ -22,7 +22,7 @@ with lib;
  ###### implementation
  config = mkIf config.hardware.enableAllFirmware {
-    hardware.firmware = [ pkgs.firmwareLinuxNonfree ];
+    hardware.firmware = [ pkgs.firmwareLinuxNonfree pkgs.intel2200BGFirmware ];
  };
 }
--- a/nixos/modules/hardware/network/intel-2200bg.nix
+++ b/nixos/modules/hardware/network/intel-2200bg.nix
@ -23,7 +23,7 @@
  config = lib.mkIf config.networking.enableIntel2200BGFirmware {
-    hardware.enableAllFirmware = true;
+    hardware.firmware = [ pkgs.intel2200BGFirmware ];
  };
--- a/nixos/modules/hardware/opengl.nix
+++ b/nixos/modules/hardware/opengl.nix
@ -10,7 +10,7 @@ let
  videoDrivers = config.services.xserver.videoDrivers;
-  makePackage = p: p.buildEnv {
+  makePackage = p: pkgs.buildEnv {
    name = "mesa-drivers+txc-${p.mesa_drivers.version}";
    paths =
      [ p.mesa_drivers
@ -19,6 +19,16 @@ let
      ];
  };
  package = pkgs.buildEnv {
    name = "opengl-drivers";
    paths = [ cfg.package ] ++ cfg.extraPackages;
  };
  package32 = pkgs.buildEnv {
    name = "opengl-drivers-32bit";
    paths = [ cfg.package32 ] ++ cfg.extraPackages32;
  };
 in
 {
@ -75,11 +85,32 @@ in
      internal = true;
      description = ''
        The package that provides the 32-bit OpenGL implementation on
-        64-bit systems.  Used when <option>driSupport32Bit</option> is
+        64-bit systems. Used when <option>driSupport32Bit</option> is
        set.
      '';
    };
    hardware.opengl.extraPackages = mkOption {
      type = types.listOf types.package;
      default = [];
      example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]";
      description = ''
        Additional packages to add to OpenGL drivers. This can be used
        to add additional VA-API/VDPAU drivers.
      '';
    };
    hardware.opengl.extraPackages32 = mkOption {
      type = types.listOf types.package;
      default = [];
      example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]";
      description = ''
        Additional packages to add to 32-bit OpenGL drivers on
        64-bit systems. Used when <option>driSupport32Bit</option> is
        set. This can be used to add additional VA-API/VDPAU drivers.
      '';
    };
  };
  config = mkIf cfg.enable {
@ -91,11 +122,11 @@ in
    system.activationScripts.setup-opengl =
      ''
-        ln -sfn ${cfg.package} /run/opengl-driver
+        ln -sfn ${package} /run/opengl-driver
        ${if pkgs.stdenv.isi686 then ''
          ln -sfn opengl-driver /run/opengl-driver-32
        '' else if cfg.driSupport32Bit then ''
-          ln -sfn ${cfg.package32} /run/opengl-driver-32
+          ln -sfn ${package32} /run/opengl-driver-32
        '' else ''
          rm -f /run/opengl-driver-32
        ''}
--- a/nixos/modules/hardware/video/webcam/facetimehd.nix
+++ b/nixos/modules/hardware/video/webcam/facetimehd.nix
@ -0,0 +1,45 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.hardware.facetimehd;
  kernelPackages = config.boot.kernelPackages;
 in
 {
  options.hardware.facetimehd.enable = mkEnableOption "facetimehd kernel module";
  config = mkIf cfg.enable {
    assertions = singleton {
      assertion = versionAtLeast kernelPackages.kernel.version "3.19";
      message = "facetimehd is not supported for kernels older than 3.19";
    };
    boot.kernelModules = [ "facetimehd" ];
    boot.blacklistedKernelModules = [ "bdc_pci" ];
    boot.extraModulePackages = [ kernelPackages.facetimehd ];
    hardware.firmware = [ pkgs.facetimehd-firmware ];
    # unload module during suspend/hibernate as it crashes the whole system
    powerManagement.powerDownCommands = ''
      ${pkgs.module_init_tools}/bin/rmmod -f facetimehd
    '';
    # and load it back on resume
    powerManagement.resumeCommands = ''
      export MODULE_DIR=/run/current-system/kernel-modules/lib/modules
      ${pkgs.module_init_tools}/bin/modprobe -v facetimehd
    '';
  };
 }
--- a/nixos/modules/i18n/inputMethod/default.nix
+++ b/nixos/modules/i18n/inputMethod/default.nix
@ -0,0 +1,29 @@
 { config, pkgs, lib, ... }:
 with lib;
 {
  options = {
    i18n.inputMethod = {
      enabled = mkOption {
        type    = types.nullOr (types.enum [ "ibus" "fcitx" "nabi" "uim" ]);
        default = null;
        example = "fcitx";
        description = ''
          Select the enabled input method. Input methods is a software to input symbols that are not available on standard input devices.
          Input methods are specially used to input Chinese, Japanese and Korean characters.
          Currently the following input methods are available in NixOS:
          <itemizedlist>
          <listitem><para>ibus: The intelligent input bus, extra input engines can be added using <literal>i18n.inputMethod.ibus.engines</literal>.</para></listitem>
          <listitem><para>fcitx: A customizable lightweight input method, extra input engines can be added using <literal>i18n.inputMethod.fcitx.engines</literal>.</para></listitem>
          <listitem><para>nabi: A Korean input method based on XIM. Nabi doesn't support Qt 5.</para></listitem>
          <listitem><para>uim: The universal input method, is a library with a XIM bridge. uim mainly support Chinese, Japanese and Korean.</para></listitem>
          </itemizedlist>
        '';
      };
    };
  };
 }
--- a/nixos/modules/i18n/inputMethod/fcitx.nix
+++ b/nixos/modules/i18n/inputMethod/fcitx.nix
@ -0,0 +1,44 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.i18n.inputMethod.fcitx;
  fcitxPackage = pkgs.fcitx-with-plugins.override { plugins = cfg.engines; };
  fcitxEngine = types.package // {
    name  = "fcitx-engine";
    check = x: (lib.types.package.check x) && (attrByPath ["meta" "isFcitxEngine"] false x);
  };
 in
 {
  options = {
    i18n.inputMethod.fcitx = {
      engines = mkOption {
        type    = with types; listOf fcitxEngine;
        default = [];
        example = literalExample "with pkgs.fcitx-engines; [ mozc hangul ]";
        description =
          let
            engines =
              lib.concatStringsSep ", "
              (map (name: "<literal>${name}</literal>")
               (lib.attrNames pkgs.fcitx-engines));
          in
            "Enabled Fcitx engines. Available engines are: ${engines}.";
      };
    };
  };
  config = mkIf (config.i18n.inputMethod.enabled == "fcitx") {
    environment.systemPackages = [ fcitxPackage ];
    environment.variables = {
      GTK_IM_MODULE = "fcitx";
      QT_IM_MODULE  = "fcitx";
      XMODIFIERS    = "@im=fcitx";
    };
    services.xserver.displayManager.sessionCommands = "${fcitxPackage}/bin/fcitx";
  };
 }
--- a/nixos/modules/i18n/inputMethod/ibus.nix
+++ b/nixos/modules/i18n/inputMethod/ibus.nix
@ -0,0 +1,55 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.i18n.inputMethod.ibus;
  ibusPackage = pkgs.ibus-with-plugins.override { plugins = cfg.engines; };
  ibusEngine = types.package // {
    name  = "ibus-engine";
    check = x: (lib.types.package.check x) && (attrByPath ["meta" "isIbusEngine"] false x);
  };
  ibusAutostart = pkgs.writeTextFile {
    name = "autostart-ibus-daemon";
    destination = "/etc/xdg/autostart/ibus-daemon.desktop";
    text = ''
      [Desktop Entry]
      Name=IBus
      Type=Application
      Exec=${ibusPackage}/bin/ibus-daemon --daemonize --xim --cache=refresh
    '';
  };
 in
 {
  options = {
    i18n.inputMethod.ibus = {
      engines = mkOption {
        type    = with types; listOf ibusEngine;
        default = [];
        example = literalExample "with pkgs.ibus-engines; [ mozc hangul ]";
        description =
          let
            engines =
              lib.concatStringsSep ", "
              (map (name: "<literal>${name}</literal>")
               (lib.attrNames pkgs.ibus-engines));
          in
            "Enabled IBus engines. Available engines are: ${engines}.";
      };
    };
  };
  config = mkIf (config.i18n.inputMethod.enabled == "ibus") {
    # Without dconf enabled it is impossible to use IBus
    environment.systemPackages = with pkgs; [
      ibusPackage ibus-qt gnome3.dconf ibusAutostart
    ];
    environment.variables = {
      GTK_IM_MODULE = "ibus";
      QT_IM_MODULE = "ibus";
      XMODIFIERS = "@im=ibus";
    };
  };
 }
--- a/nixos/modules/i18n/inputMethod/nabi.nix
+++ b/nixos/modules/i18n/inputMethod/nabi.nix
@ -0,0 +1,16 @@
 { config, pkgs, lib, ... }:
 with lib;
 {
  config = mkIf (config.i18n.inputMethod.enabled == "nabi") {
    environment.systemPackages = [ pkgs.nabi ];
    environment.variables = {
      GTK_IM_MODULE = "nabi";
      QT_IM_MODULE  = "nabi";
      XMODIFIERS    = "@im=nabi";
    };
    services.xserver.displayManager.sessionCommands = "${pkgs.nabi}/bin/nabi &";
  };
 }
--- a/nixos/modules/i18n/inputMethod/uim.nix
+++ b/nixos/modules/i18n/inputMethod/uim.nix
@ -0,0 +1,37 @@
 { config, pkgs, lib, ... }:
 with lib;
 let 
  cfg = config.i18n.inputMethod.uim;
 in
 {
  options = {
    i18n.inputMethod.uim = {
      toolbar = mkOption {
        type    = types.enum [ "gtk" "gtk3" "gtk-systray" "gtk3-systray" "qt4" ];
        default = "gtk";
        example = "gtk-systray";
        description = ''
          selected UIM toolbar.
        '';
      };
    };
  };
  config = mkIf (config.i18n.inputMethod.enabled == "uim") {
    environment.systemPackages = [ pkgs.uim ];
    environment.variables = {
      GTK_IM_MODULE = "uim";
      QT_IM_MODULE  = "uim";
      XMODIFIERS    = "@im=uim";
    };
    services.xserver.displayManager.sessionCommands = ''
      ${pkgs.uim}/bin/uim-xim &
      ${pkgs.uim}/bin/uim-toolbar-${cfg.toolbar} &
    '';
  };
 }
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
@ -0,0 +1,78 @@
 # This module defines a NixOS installation CD that contains X11 and
 # GNOME 3.
 { config, lib, pkgs, ... }:
 with lib;
 {
  imports = [ ./installation-cd-base.nix ];
  services.xserver = {
    enable = true;
    # GDM doesn't start in virtual machines with ISO
    displayManager.slim = {
      enable = true;
      defaultUser = "root";
      autoLogin = true;
    };
    desktopManager.gnome3 = {
      enable = true;
      extraGSettingsOverrides = ''
        [org.gnome.desktop.background]
        show-desktop-icons=true
        [org.gnome.nautilus.desktop]
        trash-icon-visible=false
        volumes-visible=false
        home-icon-visible=false
        network-icon-visible=false
      '';
      extraGSettingsOverridePackages = [ pkgs.gnome3.nautilus ];
    };
  };
  environment.systemPackages =
    [ # Include gparted for partitioning disks.
      pkgs.gparted
      # Include some editors.
      pkgs.vim
      pkgs.bvi # binary editor
      pkgs.joe
      pkgs.glxinfo
    ];
  # Don't start the X server by default.
  services.xserver.autorun = mkForce false;
  # Auto-login as root.
  services.xserver.displayManager.gdm.autoLogin = {
    enable = true;
    user = "root";
  };
  system.activationScripts.installerDesktop = let
    # Must be executable
    desktopFile = pkgs.writeScript "nixos-manual.desktop" ''
      [Desktop Entry]
      Version=1.0
      Type=Link
      Name=NixOS Manual
      URL=${config.system.build.manual.manual}/share/doc/nixos/index.html
      Icon=system-help
    '';
  # use cp and chmod +x, we must be sure the apps are in the nix store though
  in ''
    mkdir -p /root/Desktop
    ln -sfT ${desktopFile} /root/Desktop/nixos-manual.desktop
    cp ${pkgs.gnome3.gnome_terminal}/share/applications/gnome-terminal.desktop /root/Desktop/gnome-terminal.desktop
    chmod a+rx /root/Desktop/gnome-terminal.desktop
    cp ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
    chmod a+rx /root/Desktop/gparted.desktop
  '';
 }
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde-new-kernel.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde-new-kernel.nix
@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 {
-  imports = [ ./installation-cd-graphical.nix ];
+  imports = [ ./installation-cd-graphical-kde.nix ];
  boot.kernelPackages = pkgs.linuxPackages_latest;
 }
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@ -249,7 +249,7 @@ in
    fileSystems."/" =
      { fsType = "tmpfs";
-        options = "mode=0755";
+        options = [ "mode=0755" ];
      };
    # Note that /dev/root is a symlink to the actual root device
@ -266,20 +266,20 @@ in
    fileSystems."/nix/.ro-store" =
      { fsType = "squashfs";
        device = "/iso/nix-store.squashfs";
-        options = "loop";
+        options = [ "loop" ];
        neededForBoot = true;
      };
    fileSystems."/nix/.rw-store" =
      { fsType = "tmpfs";
-        options = "mode=0755";
+        options = [ "mode=0755" ];
        neededForBoot = true;
      };
    fileSystems."/nix/store" =
      { fsType = "unionfs-fuse";
        device = "unionfs";
-        options = "allow_other,cow,nonempty,chroot=/mnt-root,max_files=32768,hide_meta_files,dirs=/nix/.rw-store=rw:/nix/.ro-store=ro";
+        options = [ "allow_other" "cow" "nonempty" "chroot=/mnt-root" "max_files=32768" "hide_meta_files" "dirs=/nix/.rw-store=rw:/nix/.ro-store=ro" ];
      };
    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "usb-storage" ];
--- a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
@ -23,7 +23,7 @@ in
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
+  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
  # FIXME: this probably should be in installation-device.nix
  users.extraUsers.root.initialHashedPassword = "";
--- a/nixos/modules/installer/cd-dvd/sd-image.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image.nix
@ -30,7 +30,7 @@ in
    bootSize = mkOption {
      type = types.int;
-      default = 128;
+      default = 120;
      description = ''
        Size of the /boot partition, in megabytes.
      '';
@ -66,10 +66,10 @@ in
      buildInputs = with pkgs; [ dosfstools e2fsprogs mtools libfaketime utillinux ];
      buildCommand = ''
-        # Create the image file sized to fit /boot and /, plus 4M of slack
+        # Create the image file sized to fit /boot and /, plus 20M of slack
        rootSizeBlocks=$(du -B 512 --apparent-size ${rootfsImage} | awk '{ print $1 }')
        bootSizeBlocks=$((${toString config.sdImage.bootSize} * 1024 * 1024 / 512))
-        imageSize=$((rootSizeBlocks * 512 + bootSizeBlocks * 512 + 4096 * 1024))
+        imageSize=$((rootSizeBlocks * 512 + bootSizeBlocks * 512 + 20 * 1024 * 1024))
        truncate -s $imageSize $out
        # type=b is 'W95 FAT32', type=83 is 'Linux'.
@ -77,8 +77,8 @@ in
            label: dos
            label-id: 0x2178694e
-            start=1M, size=$bootSizeBlocks, type=b, bootable
+            start=8M, size=$bootSizeBlocks, type=b, bootable
-            type=83
+            start=${toString (8 + config.sdImage.bootSize)}M, type=83
        EOF
        # Copy the rootfs into the SD image
--- a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix
@ -86,8 +86,7 @@ in
  system.boot.loader.kernelFile = "uImage";
  boot.initrd.availableKernelModules =
-    [ "mvsdio" "mmc_block" "reiserfs" "ext3" "ums-cypress" "rtc_mv"
+    [ "mvsdio" "reiserfs" "ext3" "ums-cypress" "rtc_mv" "ext4" ];
      "ext4" ];
  boot.postBootCommands =
    ''
--- a/nixos/modules/installer/cd-dvd/system-tarball.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball.nix
@ -43,7 +43,7 @@ in
    # so that we don't need to know its device.
    fileSystems = [ ];
-    # boot.initrd.availableKernelModules = [ "mvsdio" "mmc_block" "reiserfs" "ext3" "ext4" ];
+    # boot.initrd.availableKernelModules = [ "mvsdio" "reiserfs" "ext3" "ext4" ];
    # boot.initrd.kernelModules = [ "rtc_mv" ];
--- a/nixos/modules/installer/tools/auto-upgrade.nix
+++ b/nixos/modules/installer/tools/auto-upgrade.nix
@ -74,7 +74,7 @@ let cfg = config.system.autoUpgrade; in
      serviceConfig.Type = "oneshot";
      environment = config.nix.envVars //
-        { inherit (config.environment.sessionVariables) NIX_PATH SSL_CERT_FILE;
+        { inherit (config.environment.sessionVariables) NIX_PATH;
          HOME = "/root";
        };
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@ -148,7 +148,7 @@ sub pciCheck {
         $device eq "0x4331" || $device eq "0x43a0" || $device eq "0x43b1"
        ) )
     {
-        push @modulePackages, "\${config.boot.kernelPackages.broadcom_sta}";
+        push @modulePackages, "config.boot.kernelPackages.broadcom_sta";
        push @kernelModules, "wl";
     }
@ -349,7 +349,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
  fileSystems.\"$mountPoint\" =
    { device = \"$base$path\";
      fsType = \"none\";
-      options = \"bind\";
+      options = \[ \"bind\" \];
    };
 EOF
@ -409,7 +409,7 @@ EOF
    if (scalar @extraOptions > 0) {
      $fileSystems .= <<EOF;
-      options = \"${\join ",", uniq(@extraOptions)}\";
+      options = \[ ${\join " ", map { "\"" . $_ . "\"" } uniq(@extraOptions)} \];
 EOF
    }
@ -422,13 +422,20 @@ EOF
 # Generate the hardware configuration file.
-sub toNixExpr {
+sub toNixStringList {
    my $res = "";
    foreach my $s (@_) {
        $res .= " \"$s\"";
    }
    return $res;
 }
 sub toNixList {
    my $res = "";
    foreach my $s (@_) {
        $res .= " $s";
    }
    return $res;
 }
 sub multiLineList {
    my $indent = shift;
@ -444,9 +451,9 @@ sub multiLineList {
    return $res;
 }
-my $initrdAvailableKernelModules = toNixExpr(uniq @initrdAvailableKernelModules);
+my $initrdAvailableKernelModules = toNixStringList(uniq @initrdAvailableKernelModules);
-my $kernelModules = toNixExpr(uniq @kernelModules);
+my $kernelModules = toNixStringList(uniq @kernelModules);
-my $modulePackages = toNixExpr(uniq @modulePackages);
+my $modulePackages = toNixList(uniq @modulePackages);
 my $fsAndSwap = "";
 if (!$noFilesystems) {
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@ -73,11 +73,6 @@ if ! test -e "$mountPoint"; then
    exit 1
 fi
 if ! grep -F -q " $mountPoint " /proc/mounts; then
    echo "$mountPoint doesn't appear to be a mount point"
    exit 1
 fi
 # Mount some stuff in the target root directory.
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@ -19,6 +19,8 @@ rollback=
 upgrade=
 repair=
 profile=/nix/var/nix/profiles/system
 buildHost=
 targetHost=
 while [ "$#" -gt 0 ]; do
    i="$1"; shift 1
@ -73,6 +75,14 @@ while [ "$#" -gt 0 ]; do
        fi
        shift 1
        ;;
      --build-host|h)
        buildHost="$1"
        shift 1
        ;;
      --target-host|t)
        targetHost="$1"
        shift 1
        ;;
      *)
        echo "$0: unknown option \`$i'"
        exit 1
@ -80,6 +90,91 @@ while [ "$#" -gt 0 ]; do
    esac
 done
 if [ -z "$buildHost" -a -n "$targetHost" ]; then
    buildHost="$targetHost"
 fi
 if [ "$targetHost" = localhost ]; then
    targetHost=
 fi
 if [ "$buildHost" = localhost ]; then
    buildHost=
 fi
 buildHostCmd() {
    if [ -z "$buildHost" ]; then
        "$@"
    elif [ -n "$remoteNix" ]; then
        ssh $SSHOPTS "$buildHost" PATH="$remoteNix:$PATH" "$@"
    else
        ssh $SSHOPTS "$buildHost" "$@"
    fi
 }
 targetHostCmd() {
    if [ -z "$targetHost" ]; then
        "$@"
    else
        ssh $SSHOPTS "$targetHost" "$@"
    fi
 }
 copyToTarget() {
    if ! [ "$targetHost" = "$buildHost" ]; then
        if [ -z "$targetHost" ]; then
            NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --from "$buildHost" "$1"
        elif [ -z "$buildHost" ]; then
            NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --to "$targetHost" "$1"
        else
            buildHostCmd nix-copy-closure --to "$targetHost" "$1"
        fi
    fi
 }
 nixBuild() {
    if [ -z "$buildHost" ]; then
        nix-build "$@"
    else
        local instArgs=()
        local buildArgs=()
        while [ "$#" -gt 0 ]; do
            local i="$1"; shift 1
            case "$i" in
              -o)
                local out="$1"; shift 1
                buildArgs+=("--add-root" "$out" "--indirect")
                ;;
              -A)
                local j="$1"; shift 1
                instArgs+=("$i" "$j")
                ;;
              -I) # We don't want this in buildArgs
                shift 1
                ;;
              --no-out-link) # We don't want this in buildArgs
                ;;
              "<"*) # nix paths
                instArgs+=("$i")
                ;;
              *)
                buildArgs+=("$i")
                ;;
            esac
        done
        local drv="$(nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")"
        if [ -a "$drv" ]; then
            NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --to "$buildHost" "$drv"
            buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
        else
            echo "nix-instantiate failed"
            exit 1
        fi
  fi
 }
 if [ -z "$action" ]; then showSyntax; fi
 # Only run shell scripts from the Nixpkgs tree if the action is
@ -128,7 +223,16 @@ fi
 tmpDir=$(mktemp -t -d nixos-rebuild.XXXXXX)
-trap 'rm -rf "$tmpDir"' EXIT
+SSHOPTS="$NIX_SSHOPTS -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-%n -o ControlPersist=60"
 cleanup() {
    for ctrl in "$tmpDir"/ssh-*; do
        ssh -o ControlPath="$ctrl" -O exit dummyhost 2>/dev/null || true
    done
    rm -rf "$tmpDir"
 }
 trap cleanup EXIT
 # If the Nix daemon is running, then use it.  This allows us to use
@ -150,30 +254,56 @@ if [ -n "$rollback" -o "$action" = dry-build ]; then
    buildNix=
 fi
 prebuiltNix() {
    machine="$1"
    if [ "$machine" = x86_64 ]; then
        return /nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10
    elif [[ "$machine" =~ i.86 ]]; then
        return /nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10
    else
        echo "$0: unsupported platform"
        exit 1
    fi
 }
 remotePATH=
 if [ -n "$buildNix" ]; then
    echo "building Nix..." >&2
-    if ! nix-build '<nixpkgs/nixos>' -A config.nix.package -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
+    nixDrv=
-        if ! nix-build '<nixpkgs/nixos>' -A nixFallback -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
+    if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package "${extraBuildFlags[@]}")"; then
-            if ! nix-build '<nixpkgs>' -A nix -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
+        if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then
-                machine="$(uname -m)"
+            if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
-                if [ "$machine" = x86_64 ]; then
+                nixStorePath="$(prebuiltNix "$(uname -m)")"
                    nixStorePath=/nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10
                elif [[ "$machine" =~ i.86 ]]; then
                    nixStorePath=/nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10
                else
                    echo "$0: unsupported platform"
                    exit 1
                fi
                if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
                    --option extra-binary-caches https://cache.nixos.org/; then
                    echo "warning: don't know how to get latest Nix" >&2
                fi
                # Older version of nix-store -r don't support --add-root.
                [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
                if [ -n "$buildHost" ]; then
                    remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
                    remoteNix="$remoteNixStorePath/bin"
                    if ! buildHostCmd nix-store -r $remoteNixStorePath \
                      --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
                        remoteNix=
                        echo "warning: don't know how to get latest Nix" >&2
                    fi
                fi
            fi
        fi
    fi
-    PATH=$tmpDir/nix/bin:$PATH
+    if [ -a "$nixDrv" ]; then
        nix-store -r "$nixDrv"'!'"out" --add-root $tmpDir/nix --indirect >/dev/null
        if [ -n "$buildHost" ]; then
            nix-copy-closure --to "$buildHost" "$nixDrv"
            # The nix build produces multiple outputs, we add them all to the remote path
            for p in $(buildHostCmd nix-store -r "$(readlink "$nixDrv")" "${buildArgs[@]}"); do
                remoteNix="$remoteNix${remoteNix:+:}$p/bin"
            done
        fi
    fi
    PATH="$tmpDir/nix/bin:$PATH"
 fi
@ -200,31 +330,35 @@ fi
 if [ -z "$rollback" ]; then
    echo "building the system configuration..." >&2
    if [ "$action" = switch -o "$action" = boot ]; then
-        nix-env "${extraBuildFlags[@]}" -p "$profile" -f '<nixpkgs/nixos>' --set -A system
+        pathToConfig="$(nixBuild '<nixpkgs/nixos>' --no-out-link -A system "${extraBuildFlags[@]}")"
-        pathToConfig="$profile"
+        copyToTarget "$pathToConfig"
        targetHostCmd nix-env -p "$profile" --set "$pathToConfig"
    elif [ "$action" = test -o "$action" = build -o "$action" = dry-build -o "$action" = dry-activate ]; then
-        nix-build '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}" > /dev/null
+        pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A system -k "${extraBuildFlags[@]}")"
        pathToConfig=./result
    elif [ "$action" = build-vm ]; then
-        nix-build '<nixpkgs/nixos>' -A vm -k "${extraBuildFlags[@]}" > /dev/null
+        pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vm -k "${extraBuildFlags[@]}")"
        pathToConfig=./result
    elif [ "$action" = build-vm-with-bootloader ]; then
-        nix-build '<nixpkgs/nixos>' -A vmWithBootLoader -k "${extraBuildFlags[@]}" > /dev/null
+        pathToConfig="$(nixBuild '<nixpkgs/nixos>' -A vmWithBootLoader -k "${extraBuildFlags[@]}")"
        pathToConfig=./result
    else
        showSyntax
    fi
    # Copy build to target host if we haven't already done it
    if ! [ "$action" = switch -o "$action" = boot ]; then
        copyToTarget "$pathToConfig"
    fi
 else # [ -n "$rollback" ]
    if [ "$action" = switch -o "$action" = boot ]; then
-        nix-env --rollback -p "$profile"
+        targetHostCmd nix-env --rollback -p "$profile"
        pathToConfig="$profile"
    elif [ "$action" = test -o "$action" = build ]; then
        systemNumber=$(
-            nix-env -p "$profile" --list-generations |
+            targetHostCmd nix-env -p "$profile" --list-generations |
            sed -n '/current/ {g; p;}; s/ *\([0-9]*\).*/\1/; h'
        )
-        ln -sT "$profile"-${systemNumber}-link ./result
+        pathToConfig="$profile"-${systemNumber}-link
-        pathToConfig=./result
+        if [ -z "$targetHost" ]; then
            ln -sT "$pathToConfig" ./result
        fi
    else
        showSyntax
    fi
@ -234,7 +368,7 @@ fi
 # If we're not just building, then make the new configuration the boot
 # default and/or activate it now.
 if [ "$action" = switch -o "$action" = boot -o "$action" = test -o "$action" = dry-activate ]; then
-    if ! $pathToConfig/bin/switch-to-configuration "$action"; then
+    if ! targetHostCmd $pathToConfig/bin/switch-to-configuration "$action"; then
        echo "warning: error(s) occurred while switching to the new configuration" >&2
        exit 1
    fi
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -248,6 +248,12 @@
      matrix-synapse = 224;
      rspamd = 225;
      rmilter = 226;
      cfdyndns = 227;
      gammu-smsd = 228;
      pdnsd = 229;
      octoprint = 230;
      avahi-autoipd = 231;
      nntp-proxy = 232;
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -473,6 +479,9 @@
      matrix-synapse = 224;
      rspamd = 225;
      rmilter = 226;
      cfdyndns = 227;
      pdnsd = 229;
      octoprint = 230;
      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@ -1,76 +1,76 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.locate;
 in {
-
+  options.services.locate = {
-  ###### interface
+    enable = mkOption {
-
+      type = types.bool;
-  options = {
+      default = false;
-
+      description = ''
-    services.locate = {
+        If enabled, NixOS will periodically update the database of
-
+        files used by the <command>locate</command> command.
-      enable = mkOption {
+      '';
        type = types.bool;
        default = false;
        description = ''
          If enabled, NixOS will periodically update the database of
          files used by the <command>locate</command> command.
        '';
      };
      period = mkOption {
        type = types.str;
        default = "15 02 * * *";
        description = ''
          This option defines (in the format used by cron) when the
          locate database is updated.
          The default is to update at 02:15 at night every day.
        '';
      };
      extraFlags = mkOption {
        type = types.listOf types.str;
        default = [ ];
        description = ''
          Extra flags to pass to <command>updatedb</command>.
        '';
      };
      output = mkOption {
        type = types.path;
        default = "/var/cache/locatedb";
        description = ''
          The database file to build.
        '';
      };
      localuser = mkOption {
        type = types.str;
        default = "nobody";
        description = ''
          The user to search non-network directories as, using
          <command>su</command>.
        '';
      };
      includeStore = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to include <filename>/nix/store</filename> in the locate database.
        '';
      };
    };
    interval = mkOption {
      type = types.str;
      default = "02:15";
      example = "hourly";
      description = ''
        Update the locate database at this interval. Updates by
        default at 2:15 AM every day.
        The format is described in
        <citerefentry><refentrytitle>systemd.time</refentrytitle>
        <manvolnum>7</manvolnum></citerefentry>.
      '';
    };
    # This is no longer supported, but we keep it to give a better warning below
    period = mkOption { visible = false; };
    extraFlags = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        Extra flags to pass to <command>updatedb</command>.
      '';
    };
    output = mkOption {
      type = types.path;
      default = "/var/cache/locatedb";
      description = ''
        The database file to build.
      '';
    };
    localuser = mkOption {
      type = types.str;
      default = "nobody";
      description = ''
        The user to search non-network directories as, using
        <command>su</command>.
      '';
    };
    includeStore = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to include <filename>/nix/store</filename> in the locate database.
      '';
    };
  };
  ###### implementation
  config = {
    warnings =
      let opt = options.services.locate.period; in
      optional opt.isDefined "The ‘services.locate.period’ option in ${showFiles opt.files} has been removed; please replace it with ‘services.locate.interval’, using the systemd.time(7) calendar event format.";
    systemd.services.update-locatedb =
      { description = "Update Locate Database";
        path  = [ pkgs.su ];
@ -84,11 +84,18 @@ in {
          '';
        serviceConfig.Nice = 19;
        serviceConfig.IOSchedulingClass = "idle";
        serviceConfig.PrivateTmp = "yes";
        serviceConfig.PrivateNetwork = "yes";
        serviceConfig.NoNewPrivileges = "yes";
        serviceConfig.ReadOnlyDirectories = "/";
        serviceConfig.ReadWriteDirectories = cfg.output;
      };
-    services.cron.systemCronJobs = optional config.services.locate.enable
+    systemd.timers.update-locatedb = mkIf cfg.enable
-      "${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service";
+      { description = "Update timer for locate database";
-
+        partOf      = [ "update-locatedb.service" ];
        wantedBy    = [ "timers.target" ];
        timerConfig.OnCalendar = cfg.interval;
      };
  };
 }
--- a/nixos/modules/misc/nixos.nix
+++ b/nixos/modules/misc/nixos.nix
@ -1,82 +0,0 @@
 { config, options, lib, ... }:
 # This modules is used to inject a different NixOS version as well as its
 # argument such that one can pin a specific version with the versionning
 # system of the configuration.
 let
  nixosReentry = import config.nixos.path {
    inherit (config.nixos) configuration extraModules;
    inherit (config.nixpkgs) system;
    reEnter = true;
  };
 in
 with lib;
 {
  options = {
    nixos.path = mkOption {
      default = null;
      example = literalExample "./nixpkgs-15.09/nixos";
      type = types.nullOr types.path;
      description = ''
        This option give the ability to evaluate the current set of modules
        with a different version of NixOS. This option can be used version
        the version of NixOS with the configuration without relying on the
        <literal>NIX_PATH</literal> environment variable.
      '';
    };
    nixos.system = mkOption {
      example = "i686-linux";
      type = types.uniq types.str;
      description = ''
        Name of the system used to compile NixOS.
      '';
    };
    nixos.extraModules = mkOption {
      default = [];
      example = literalExample "[ ./sshd-config.nix ]";
      type = types.listOf (types.either (types.submodule ({...}:{options={};})) types.path);
      description = ''
        Define additional modules which would be loaded to evaluate the
        configuration.
      '';
    };
    nixos.configuration = mkOption {
      type = types.unspecified;
      internal = true;
      description = ''
        Option used by <filename>nixos/default.nix</filename> to re-inject
        the same configuration module as the one used for the current
        execution.
      '';
    };
    nixos.reflect = mkOption {
      default = { inherit config options; };
      type = types.unspecified;
      internal = true;
      description = ''
        Provides <literal>config</literal> and <literal>options</literal>
        computed by the module system and given as argument to all
        modules. These are used for introspection of options and
        configuration by tools such as <literal>nixos-option</literal>.
      '';
    };
  };
  config = mkMerge [
    (mkIf (config.nixos.path != null) (mkForce {
      system.build.toplevel = nixosReentry.system;
      system.build.vm = nixosReentry.vm;
      nixos.reflect = { inherit (nixosReentry) config options; };
    }))
    { meta.maintainers = singleton lib.maintainers.pierron;
      meta.doc = ./nixos.xml;
    }
  ];
 }
--- a/nixos/modules/misc/nixos.xml
+++ b/nixos/modules/misc/nixos.xml
@ -1,84 +0,0 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="module-misc-nixos">
 <title>NixOS Reentry</title>
 <!-- FIXME: render nicely -->
 <!-- FIXME: source can be added automatically -->
 <para><emphasis>Source:</emphasis> <filename>modules/misc/nixos.nix</filename></para>
 <!-- FIXME: more stuff, like maintainer? -->
 <para>NixOS reentry can be used for both pinning the evaluation to a
 specific version of NixOS, and to dynamically add additional modules into
 the Module evaluation.</para>
 <section><title>NixOS Version Pinning</title>
 <para>To pin a specific version of NixOS, you need a version that you can
 either clone localy, or that you can fetch remotely.</para>
 <para>If you already have a cloned version of NixOS in the directory
 <filename>/etc/nixos/nixpkgs-16-03</filename>, then you can specify the
 <option>nixos.path</option> with either the path or the relative path of
 your NixOS clone. For example, you can add the following to your
 <filename>/etc/nixos/configuration.nix</filename> file:
 <programlisting>
 nixos.path = ./nixpkgs-16-03/nixos;
 </programlisting>
 </para>
 <para>Another option is to fetch a specific version of NixOS, with either
 the <literal>fetchTarball</literal> builtin, or the
 <literal>pkgs.fetchFromGitHub</literal> function and use the result as an
 input.
 <programlisting>
 nixos.path = "${builtins.fetchTarball https://github.com/NixOS/nixpkgs/archive/1f27976e03c15183191d1b4aa1a40d1f14666cd2.tar.gz}/nixos";
 </programlisting>
 </para>
 </section>
 <section><title>Adding Module Dynamically</title>
 <para>To add additional module, the recommended way is to use statically
 known modules in the list of imported arguments as described in <xref
 linkend="sec-modularity" />.  Unfortunately, this recommended method has
 limitation, such that the list of imported files cannot be selected based on
 the content of the configuration.
 Fortunately, NixOS reentry system can be used as an alternative to register
 new imported modules based on the content of the configuration. To do so,
 one should define both <option>nixos.path</option> and
 <option>nixos.extraModules</option> options.
 <programlisting>
 nixos.path = &lt;nixos&gt;;
 nixos.extraModules =
  if config.networking.hostName == "server" then
    [ ./server.nix ] else [ ./client.nix ];
 </programlisting>
 Also note, that the above can be reimplemented in a different way which is
 not as expensive, by using <literal>mkIf</literal> at the top each
 configuration if both modules are present on the file system (see <xref
 linkend="sec-option-definitions" />) and by always inmporting both
 modules.</para>
 </section>
 <section><title>Options</title>
 <para>FIXME: auto-generated list of module options.</para>
 </section>
 </chapter>
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -7,7 +7,6 @@
  ./config/fonts/fonts.nix
  ./config/fonts/ghostscript.nix
  ./config/gnu.nix
  ./config/gtk-exe-env.nix
  ./config/i18n.nix
  ./config/krb5.nix
  ./config/ldap.nix
@ -16,7 +15,6 @@
  ./config/nsswitch.nix
  ./config/power-management.nix
  ./config/pulseaudio.nix
  ./config/qt-plugin-env.nix
  ./config/shells-environment.nix
  ./config/swap.nix
  ./config/sysctl.nix
@ -42,6 +40,12 @@
  ./hardware/video/bumblebee.nix
  ./hardware/video/nvidia.nix
  ./hardware/video/ati.nix
  ./hardware/video/webcam/facetimehd.nix
  ./i18n/inputMethod/default.nix
  ./i18n/inputMethod/fcitx.nix
  ./i18n/inputMethod/ibus.nix
  ./i18n/inputMethod/nabi.nix
  ./i18n/inputMethod/uim.nix
  ./installer/tools/auto-upgrade.nix
  ./installer/tools/nixos-checkout.nix
  ./installer/tools/tools.nix
@ -52,7 +56,6 @@
  ./misc/lib.nix
  ./misc/locate.nix
  ./misc/meta.nix
  ./misc/nixos.nix
  ./misc/nixpkgs.nix
  ./misc/passthru.nix
  ./misc/version.nix
@ -65,7 +68,6 @@
  ./programs/environment.nix
  ./programs/freetds.nix
  ./programs/fish.nix
  ./programs/ibus.nix
  ./programs/kbdlight.nix
  ./programs/light.nix
  ./programs/man.nix
@ -75,7 +77,6 @@
  ./programs/shell.nix
  ./programs/ssh.nix
  ./programs/ssmtp.nix
  ./programs/uim.nix
  ./programs/venus.nix
  ./programs/wvdial.nix
  ./programs/xfs_quota.nix
@ -88,6 +89,7 @@
  ./security/ca.nix
  ./security/duosec.nix
  ./security/grsecurity.nix
  ./security/oath.nix
  ./security/pam.nix
  ./security/pam_usb.nix
  ./security/pam_mount.nix
@ -200,6 +202,7 @@
  ./services/misc/bepasty.nix
  ./services/misc/canto-daemon.nix
  ./services/misc/calibre-server.nix
  ./services/misc/cfdyndns.nix
  ./services/misc/cpuminer-cryptonight.nix
  ./services/misc/cgminer.nix
  ./services/misc/confd.nix
@ -210,6 +213,7 @@
  ./services/misc/etcd.nix
  ./services/misc/felix.nix
  ./services/misc/folding-at-home.nix
  ./services/misc/gammu-smsd.nix
  #./services/misc/gitit.nix
  ./services/misc/gitlab.nix
  ./services/misc/gitolite.nix
@ -226,6 +230,7 @@
  ./services/misc/nix-gc.nix
  ./services/misc/nixos-manual.nix
  ./services/misc/nix-ssh-serve.nix
  ./services/misc/octoprint.nix
  ./services/misc/parsoid.nix
  ./services/misc/phd.nix
  ./services/misc/plex.nix
@ -235,6 +240,7 @@
  ./services/misc/ripple-data-api.nix
  ./services/misc/rogue.nix
  ./services/misc/siproxd.nix
  ./services/misc/spice-vdagentd.nix
  ./services/misc/subsonic.nix
  ./services/misc/sundtek.nix
  ./services/misc/svnserve.nix
@ -249,6 +255,7 @@
  ./services/monitoring/dd-agent.nix
  ./services/monitoring/grafana.nix
  ./services/monitoring/graphite.nix
  ./services/monitoring/hdaps.nix
  ./services/monitoring/heapster.nix
  ./services/monitoring/longview.nix
  ./services/monitoring/monit.nix
@ -267,6 +274,7 @@
  ./services/monitoring/zabbix-agent.nix
  ./services/monitoring/zabbix-server.nix
  ./services/network-filesystems/drbd.nix
  ./services/network-filesystems/netatalk.nix
  ./services/network-filesystems/nfsd.nix
  ./services/network-filesystems/openafs-client/default.nix
  ./services/network-filesystems/rsyncd.nix
@ -315,11 +323,11 @@
  ./services/networking/hostapd.nix
  ./services/networking/i2pd.nix
  ./services/networking/i2p.nix
  ./services/networking/ifplugd.nix
  ./services/networking/iodined.nix
  ./services/networking/ircd-hybrid/default.nix
  ./services/networking/kippo.nix
  ./services/networking/lambdabot.nix
  ./services/networking/libreswan.nix
  ./services/networking/mailpile.nix
  ./services/networking/minidlna.nix
  ./services/networking/miniupnpd.nix
@ -330,6 +338,7 @@
  ./services/networking/networkmanager.nix
  ./services/networking/ngircd.nix
  ./services/networking/nix-serve.nix
  ./services/networking/nntp-proxy.nix
  ./services/networking/nsd.nix
  ./services/networking/ntopng.nix
  ./services/networking/ntpd.nix
@ -339,6 +348,7 @@
  ./services/networking/openntpd.nix
  ./services/networking/openvpn.nix
  ./services/networking/ostinato.nix
  ./services/networking/pdnsd.nix
  ./services/networking/polipo.nix
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
@ -395,6 +405,7 @@
  ./services/security/fprintd.nix
  ./services/security/fprot.nix
  ./services/security/frandom.nix
  ./services/security/haka.nix
  ./services/security/haveged.nix
  ./services/security/hologram.nix
  ./services/security/munge.nix
@ -437,6 +448,7 @@
  ./services/x11/display-managers/lightdm.nix
  ./services/x11/display-managers/sddm.nix
  ./services/x11/display-managers/slim.nix
  ./services/x11/hardware/libinput.nix
  ./services/x11/hardware/multitouch.nix
  ./services/x11/hardware/synaptics.nix
  ./services/x11/hardware/wacom.nix
@ -460,10 +472,10 @@
  ./system/boot/coredump.nix
  ./system/boot/emergency-mode.nix
  ./system/boot/initrd-network.nix
  ./system/boot/initrd-ssh.nix
  ./system/boot/kernel.nix
  ./system/boot/kexec.nix
  ./system/boot/loader/efi.nix
  ./system/boot/loader/loader.nix
  ./system/boot/loader/generations-dir/generations-dir.nix
  ./system/boot/loader/generic-extlinux-compatible
  ./system/boot/loader/grub/grub.nix
@ -471,15 +483,16 @@
  ./system/boot/loader/grub/memtest.nix
  ./system/boot/loader/gummiboot/gummiboot.nix
  ./system/boot/loader/init-script/init-script.nix
  ./system/boot/loader/loader.nix
  ./system/boot/loader/raspberrypi/raspberrypi.nix
  ./system/boot/luksroot.nix
  ./system/boot/modprobe.nix
  ./system/boot/networkd.nix
  ./system/boot/resolved.nix
  ./system/boot/shutdown.nix
  ./system/boot/stage-1.nix
  ./system/boot/stage-2.nix
  ./system/boot/systemd.nix
  ./system/boot/networkd.nix
  ./system/boot/resolved.nix
  ./system/boot/timesyncd.nix
  ./system/boot/tmp.nix
  ./system/etc/etc.nix
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@ -17,6 +17,7 @@
    pkgs.ddrescue
    pkgs.ccrypt
    pkgs.cryptsetup # needed for dm-crypt volumes
    pkgs.which # 88K size
    # Some networking tools.
    pkgs.fuse
--- a/nixos/modules/profiles/qemu-guest.nix
+++ b/nixos/modules/profiles/qemu-guest.nix
@ -14,4 +14,6 @@
      # to the *boot time* of the host).
      hwclock -s
    '';
  security.rngd.enable = false;
 }
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@ -56,7 +56,7 @@ in
      */
      shellAliases = mkOption {
-        default = config.environment.shellAliases // { which = "type -P"; };
+        default = config.environment.shellAliases;
        description = ''
          Set of aliases for bash shell. See <option>environment.shellAliases</option>
          for an option format description.
--- a/nixos/modules/programs/freetds.nix
+++ b/nixos/modules/programs/freetds.nix
@ -17,14 +17,14 @@ in
    environment.freetds = mkOption {
      type = types.attrsOf types.str;
      default = {};
-      example = {
+      example = literalExample ''
-        MYDATABASE = 
+        { MYDATABASE = '''
-          ''
+            host = 10.0.2.100
-          host = 10.0.2.100
+            port = 1433
-          port = 1433
+            tds version = 7.2
-          tds version = 7.2
+          ''';
-          '';
+        }
-      };
+      '';
      description = 
        ''
        Configure freetds database entries. Each attribute denotes
--- a/nixos/modules/programs/ibus.nix
+++ b/nixos/modules/programs/ibus.nix
@ -1,51 +0,0 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.programs.ibus;
 in
 {
  options = {
    programs.ibus = {
      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = "Enable IBus input method";
      };
      plugins = mkOption {
        type = lib.types.listOf lib.types.path;
        default = [];
        description = ''
          IBus plugin packages
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.ibus pkgs.gnome3.dconf ];
    gtkPlugins = [ pkgs.ibus ];
    qtPlugins = [ pkgs.ibus-qt ];
    environment.variables =
      let
        env = pkgs.buildEnv {
          name = "ibus-env";
          paths = [ pkgs.ibus ] ++ cfg.plugins;
        };
      in {
        GTK_IM_MODULE = "ibus";
        QT_IM_MODULE = "ibus";
        XMODIFIERS = "@im=ibus";
        IBUS_COMPONENT_PATH = "${env}/share/ibus/component";
      };
    services.xserver.displayManager.sessionCommands = "${pkgs.ibus}/bin/ibus-daemon --daemonize --xim --cache=none";
  };
 }
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@ -36,6 +36,7 @@ in
      askPassword = mkOption {
        type = types.str;
        default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
        description = ''Program used by SSH to ask for passwords.'';
      };
@ -186,6 +187,9 @@ in
        ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
        # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
        PubkeyAcceptedKeyTypes +ssh-dss
        ${cfg.extraConfig}
      '';
@ -221,12 +225,7 @@ in
        fi
      '';
-    environment.interactiveShellInit = optionalString config.services.xserver.enable
+    environment.variables.SSH_ASKPASS = optionalString config.services.xserver.enable askPassword;
      ''
        export SSH_ASKPASS=${askPassword}
      '';
    programs.ssh.askPassword = mkDefault "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
  };
 }
--- a/nixos/modules/programs/uim.nix
+++ b/nixos/modules/programs/uim.nix
@ -1,31 +0,0 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.uim;
 in
 {
  options = {
    uim = {
      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = "Enable UIM input method";
      };
    };
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.uim ];
    gtkPlugins = [ pkgs.uim ];
    qtPlugins = [ pkgs.uim ];
    environment.variables.GTK_IM_MODULE = "uim";
    environment.variables.QT_IM_MODULE = "uim";
    environment.variables.XMODIFIERS = "@im=uim";
    services.xserver.displayManager.sessionCommands = "uim-xim &";
  };
 }
--- a/nixos/modules/programs/venus.nix
+++ b/nixos/modules/programs/venus.nix
@ -99,6 +99,7 @@ in
      };
      outputTheme = mkOption {
        default = "${pkgs.venus}/themes/classic_fancy";
        type = types.path;
        description = ''
          Directory containing a config.ini file which is merged with this one.
@ -165,11 +166,8 @@ in
        script = "exec venus-planet ${configFile}";
        serviceConfig.User = "${cfg.user}";
        serviceConfig.Group = "${cfg.group}";
        environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
        startAt = cfg.dates;
      };
    services.venus.outputTheme = mkDefault "${pkgs.venus}/themes/classic_fancy";
  };
 }
--- a/nixos/modules/programs/xfs_quota.nix
+++ b/nixos/modules/programs/xfs_quota.nix
@ -89,8 +89,8 @@ in
      nameValuePair "xfs_quota-${name}" {
        description = "Setup xfs_quota for project ${name}";
        script = ''
-          ${pkgs.xfsprogs}/bin/xfs_quota -x -c 'project -s ${name}' ${opts.fileSystem}
+          ${pkgs.xfsprogs.bin}/bin/xfs_quota -x -c 'project -s ${name}' ${opts.fileSystem}
-          ${pkgs.xfsprogs}/bin/xfs_quota -x -c 'limit -p ${limitOptions opts} ${name}' ${opts.fileSystem}
+          ${pkgs.xfsprogs.bin}/bin/xfs_quota -x -c 'limit -p ${limitOptions opts} ${name}' ${opts.fileSystem}
        '';
        wantedBy = [ "multi-user.target" ];
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -28,6 +28,9 @@ with lib;
    (mkRenamedOptionModule [ "services" "subsonic" "host" ] [ "services" "subsonic" "listenAddress" ])
    (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])
    (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
    (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ])
    # Old Grub-related options.
    (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
    (mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
@ -59,6 +62,9 @@ with lib;
    # Tarsnap
    (mkRenamedOptionModule [ "services" "tarsnap" "config" ] [ "services" "tarsnap" "archives" ])
    # ibus
    (mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ])
    # proxy
    (mkRenamedOptionModule [ "nix" "proxy" ] [ "networking" "proxy" "default" ])
@ -77,6 +83,7 @@ with lib;
    (mkRenamedOptionModule [ "services" "xserver" "driSupport32Bit" ] [ "hardware" "opengl" "driSupport32Bit" ])
    (mkRenamedOptionModule [ "services" "xserver" "s3tcSupport" ] [ "hardware" "opengl" "s3tcSupport" ])
    (mkRenamedOptionModule [ "hardware" "opengl" "videoDrivers" ] [ "services" "xserver" "videoDrivers" ])
    (mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ])
    (mkRenamedOptionModule [ "services" "mysql55" ] [ "services" "mysql" ])
@ -99,6 +106,8 @@ with lib;
    (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ])
    (mkRemovedOptionModule [ "ec2" "metadata" ])
    (mkRemovedOptionModule [ "services" "openvpn" "enable" ])
    (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ])
    (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ])
  ];
 }
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -56,8 +56,8 @@ let
      plugins = mkOption {
        type = types.listOf (types.enum [
-          "cert.der" "cert.pem" "chain.der" "chain.pem" "external_pem.sh"
+          "cert.der" "cert.pem" "chain.pem" "external.sh"
-          "fullchain.der" "fullchain.pem" "key.der" "key.pem" "account_key.json"
+          "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json"
        ]);
        default = [ "fullchain.pem" "key.pem" "account_key.json" ];
        description = ''
--- a/nixos/modules/security/apparmor-suid.nix
+++ b/nixos/modules/security/apparmor-suid.nix
@ -29,8 +29,8 @@ with lib;
        network inet raw,
        ${pkgs.glibc.out}/lib/*.so mr,
-        ${pkgs.libcap}/lib/libcap.so* mr,
+        ${pkgs.libcap.out}/lib/libcap.so* mr,
-        ${pkgs.attr}/lib/libattr.so* mr,
+        ${pkgs.attr.out}/lib/libattr.so* mr,
        ${pkgs.iputils}/bin/ping mixr,
        /var/setuid-wrappers/ping.real r,
--- a/nixos/modules/security/audit.nix
+++ b/nixos/modules/security/audit.nix
@ -93,9 +93,11 @@ in {
  config = mkIf (cfg.enable == "lock" || cfg.enable) {
    systemd.services.audit = {
-      description = "pseudo-service representing the kernel audit state";
+      description = "Kernel Auditing";
      wantedBy = [ "basic.target" ];
      unitConfig.ConditionVirtualization = "!container";
      path = [ pkgs.audit ];
      serviceConfig = {
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@ -4,7 +4,7 @@ with lib;
 let
-  caBundle = pkgs.runCommand "ca-bundle.crt"
+  caCertificates = pkgs.runCommand "ca-certificates.crt"
    { files =
        config.security.pki.certificateFiles ++
        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
@ -26,7 +26,7 @@ in
      description = ''
        A list of files containing trusted root certificates in PEM
        format. These are concatenated to form
-        <filename>/etc/ssl/certs/ca-bundle.crt</filename>, which is
+        <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
        used by many programs that use OpenSSL, such as
        <command>curl</command> and <command>git</command>.
      '';
@ -35,14 +35,17 @@ in
    security.pki.certificates = mkOption {
      type = types.listOf types.str;
      default = [];
-      example = singleton ''
+      example = literalExample ''
-        NixOS.org
+        [ '''
-        =========
+            NixOS.org
-        -----BEGIN CERTIFICATE-----
+            =========
-        MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
+            -----BEGIN CERTIFICATE-----
-        TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
+            MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
-        ...
+            TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
-        -----END CERTIFICATE-----
+            ...
            -----END CERTIFICATE-----
          '''
        ]
      '';
      description = ''
        A list of trusted root certificates in PEM format.
@ -56,19 +59,13 @@ in
    security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
    # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
-    environment.etc."ssl/certs/ca-certificates.crt".source = caBundle;
+    environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
    # Old NixOS compatibility.
-    environment.etc."ssl/certs/ca-bundle.crt".source = caBundle;
+    environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates;
    # CentOS/Fedora compatibility.
-    environment.etc."pki/tls/certs/ca-bundle.crt".source = caBundle;
+    environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
    environment.sessionVariables =
      { SSL_CERT_FILE          = "/etc/ssl/certs/ca-certificates.crt";
        # FIXME: unneeded - remove eventually.
        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-certificates.crt";
      };
  };
--- a/nixos/modules/security/oath.nix
+++ b/nixos/modules/security/oath.nix
@ -0,0 +1,50 @@
 # This module provides configuration for the OATH PAM modules.
 { config, lib, pkgs, ... }:
 with lib;
 {
  options = {
    security.pam.oath = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the OATH (one-time password) PAM module.
        '';
      };
      digits = mkOption {
        type = types.enum [ 6 7 8 ];
        default = 6;
        description = ''
          Specify the length of the one-time password in number of
          digits.
        '';
      };
      window = mkOption {
        type = types.int;
        default = 5;
        description = ''
          Specify the number of one-time passwords to check in order
          to accommodate for situations where the system and the
          client are slightly out of sync (iteration for HOTP or time
          steps for TOTP).
        '';
      };
      usersFile = mkOption {
        type = types.path;
        default = "/etc/users.oath";
        description = ''
          Set the path to file where the user's credentials are
          stored. This file must not be world readable!
        '';
      };
    };
  };
 }
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -75,7 +75,7 @@ let
      };
      oathAuth = mkOption {
-        default = config.security.pam.enableOATH;
+        default = config.security.pam.oath.enable;
        type = types.bool;
        description = ''
          If set, the OATH Toolkit will be used.
@ -259,8 +259,8 @@ let
              "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
          ${optionalString cfg.otpwAuth
              "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
-          ${optionalString cfg.oathAuth
+          ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
-              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
+              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
          ${optionalString config.users.ldap.enable
              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
          ${optionalString config.krb5.enable ''
@ -302,8 +302,6 @@ let
              "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
          ${optionalString cfg.otpwAuth
              "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
          ${optionalString cfg.oathAuth
              "session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
          ${optionalString cfg.startSession
              "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
          ${optionalString cfg.forwardXAuth
@ -405,13 +403,6 @@ in
      '';
    };
    security.pam.enableOATH = mkOption {
      default = false;
      description = ''
        Enable the OATH (one-time password) PAM module.
      '';
    };
    security.pam.enableU2F = mkOption {
      default = false;
      description = ''
@ -446,7 +437,7 @@ in
      ++ optional config.users.ldap.enable pam_ldap
      ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
      ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
-      ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]
+      ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
--- a/nixos/modules/services/amqp/activemq/default.nix
+++ b/nixos/modules/services/amqp/activemq/default.nix
@ -32,6 +32,7 @@ in {
        '';
      };
      configurationDir = mkOption {
        default = "${activemq}/conf";
        description = ''
          The base directory for ActiveMQ's configuration.
          By default, this directory is searched for a file named activemq.xml,
@ -125,8 +126,6 @@ in {
      '';
    };
    services.activemq.configurationDir = mkDefault "${activemq}/conf";
  };
 }
--- a/nixos/modules/services/computing/slurm/slurm.nix
+++ b/nixos/modules/services/computing/slurm/slurm.nix
@ -37,6 +37,7 @@ in
      package = mkOption {
        type = types.package;
        default = pkgs.slurm-llnl;
        defaultText = "pkgs.slurm-llnl";
        example = literalExample "pkgs.slurm-llnl-full";
        description = ''
          The packge to use for slurm binaries.
--- a/nixos/modules/services/continuous-integration/jenkins/default.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/default.nix
@ -92,11 +92,12 @@ in {
        type = with types; attrsOf str;
        description = ''
          Additional environment variables to be passed to the jenkins process.
-          As a base environment, jenkins receives NIX_PATH, SSL_CERT_FILE and
+          As a base environment, jenkins receives NIX_PATH from
-          GIT_SSL_CAINFO from <option>environment.sessionVariables</option>,
+          <option>environment.sessionVariables</option>, NIX_REMOTE is set to
-          NIX_REMOTE is set to "daemon" and JENKINS_HOME is set to
+          "daemon" and JENKINS_HOME is set to the value of
-          the value of <option>services.jenkins.home</option>. This option has
+          <option>services.jenkins.home</option>.
-          precedence and can be used to override those mentioned variables.
+          This option has precedence and can be used to override those
          mentioned variables.
        '';
      };
@ -136,11 +137,7 @@ in {
      environment =
        let
          selectedSessionVars =
-            lib.filterAttrs (n: v: builtins.elem n
+            lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
                [ "NIX_PATH"
                  "SSL_CERT_FILE"
                  "GIT_SSL_CAINFO"
                ])
              config.environment.sessionVariables;
        in
          selectedSessionVars //
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -158,7 +158,7 @@ in
      # Note: when changing the default, make it conditional on
      # ‘system.stateVersion’ to maintain compatibility with existing
      # systems!
-      mkDefault pkgs.postgresql94;
+      mkDefault (if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql95 else pkgs.postgresql94);
    services.postgresql.authentication = mkAfter
      ''
@ -177,7 +177,7 @@ in
    users.extraGroups.postgres.gid = config.ids.gids.postgres;
-    environment.systemPackages = [postgresql];
+    environment.systemPackages = [ postgresql ];
    systemd.services.postgresql =
      { description = "PostgreSQL Server";
@ -187,35 +187,37 @@ in
        environment.PGDATA = cfg.dataDir;
-        path = [ pkgs.su postgresql ];
+        path = [ postgresql ];
        preStart =
          ''
            # Create data directory.
            if ! test -e ${cfg.dataDir}/PG_VERSION; then
              mkdir -m 0700 -p ${cfg.dataDir}
              rm -f ${cfg.dataDir}/*.conf
              chown -R postgres:postgres ${cfg.dataDir}
            fi
          ''; # */
        script =
          ''
            # Initialise the database.
            if ! test -e ${cfg.dataDir}/PG_VERSION; then
-                mkdir -m 0700 -p ${cfg.dataDir}
+              initdb -U root
-                rm -f ${cfg.dataDir}/*.conf
+              # See postStart!
-                if [ "$(id -u)" = 0 ]; then
+              touch "${cfg.dataDir}/.first_startup"
                  chown -R postgres ${cfg.dataDir}
                  su -s ${pkgs.stdenv.shell} postgres -c 'initdb -U root'
                else
                  # For non-root operation.
                  initdb
                fi
                # See postStart!
                touch "${cfg.dataDir}/.first_startup"
            fi
            ln -sfn "${configFile}" "${cfg.dataDir}/postgresql.conf"
            ${optionalString (cfg.recoveryConfig != null) ''
              ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
                "${cfg.dataDir}/recovery.conf"
            ''}
-          ''; # */
+
             exec postgres ${toString flags}
          '';
        serviceConfig =
-          { ExecStart = "@${postgresql}/bin/postgres postgres ${toString flags}";
+          { ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
            ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
            User = "postgres";
            Group = "postgres";
            PermissionsStartOnly = true;
--- a/nixos/modules/services/hardware/acpid.nix
+++ b/nixos/modules/services/hardware/acpid.nix
@ -4,112 +4,39 @@ with lib;
 let
  canonicalHandlers = {
    powerEvent = {
      event = "button/power.*";
      action = config.services.acpid.powerEventCommands;
    };
    lidEvent = {
      event = "button/lid.*";
      action = config.services.acpid.lidEventCommands;
    };
    acEvent = {
      event = "ac_adapter.*";
      action = config.services.acpid.acEventCommands;
    };
  };
  acpiConfDir = pkgs.runCommand "acpi-events" {}
    ''
      mkdir -p $out
      ${
        # Generate a configuration file for each event. (You can't have
        # multiple events in one config file...)
-        let f = event:
+        let f = name: handler:
          ''
-            fn=$out/${event.name}
+            fn=$out/${name}
-            echo "event=${event.event}" > $fn
+            echo "event=${handler.event}" > $fn
-            echo "action=${pkgs.writeScript "${event.name}.sh" event.action}" >> $fn
+            echo "action=${pkgs.writeScript "${name}.sh" (concatStringsSep "\n" [ "#! ${pkgs.bash}/bin/sh" handler.action ])}" >> $fn
          '';
-        in lib.concatMapStrings f events
+        in concatStringsSep "\n" (mapAttrsToList f (canonicalHandlers // config.services.acpid.handlers))
      }
    '';
  events = [powerEvent lidEvent acEvent muteEvent volumeDownEvent volumeUpEvent cdPlayEvent cdNextEvent cdPrevEvent];
  # Called when the power button is pressed.
  powerEvent =
    { name = "power-button";
      event = "button/power.*";
      action =
        ''
          #! ${pkgs.bash}/bin/sh
          ${config.services.acpid.powerEventCommands}
        '';
    };
  # Called when the laptop lid is opened/closed.
  lidEvent =
    { name = "lid";
      event = "button/lid.*";
      action =
        ''
          #! ${pkgs.bash}/bin/sh
          ${config.services.acpid.lidEventCommands}
        '';
    };
  # Called when the AC power is connected or disconnected.
  acEvent =
    { name = "ac-power";
      event = "ac_adapter.*";
      action =
        ''
          #! ${pkgs.bash}/bin/sh
          ${config.services.acpid.acEventCommands}
        '';
    };
  muteEvent = {
    name = "mute";
    event = "button/mute.*";
    action = ''
      #! ${pkgs.bash}/bin/sh
      ${config.services.acpid.muteCommands}
    '';
  };
  volumeDownEvent = {
    name = "volume-down";
    event = "button/volumedown.*";
    action = ''
      #! ${pkgs.bash}/bin/sh
      ${config.services.acpid.volumeDownEventCommands}
    '';
  };
  volumeUpEvent = {
    name = "volume-up";
    event = "button/volumeup.*";
    action = ''
      #! ${pkgs.bash}/bin/sh
      ${config.services.acpid.volumeUpEventCommands}
    '';
  };
  cdPlayEvent = {
    name = "cd-play";
    event = "cd/play.*";
    action = ''
      #! ${pkgs.bash}/bin/sh
      ${config.services.acpid.cdPlayEventCommands}
    '';
  };
  cdNextEvent = {
    name = "cd-next";
    event = "cd/next.*";
    action = ''
      #! ${pkgs.bash}/bin/sh
      ${config.services.acpid.cdNextEventCommands}
    '';
  };
  cdPrevEvent = {
    name = "cd-prev";
    event = "cd/prev.*";
    action = ''
      #! ${pkgs.bash}/bin/sh
      ${config.services.acpid.cdPrevEventCommands}
    '';
  };
 in
 {
@ -126,6 +53,29 @@ in
        description = "Whether to enable the ACPI daemon.";
      };
      handlers = mkOption {
        type = types.attrsOf (types.submodule {
          options = {
            event = mkOption {
              type = types.str;
              example = [ "button/power.*" "button/lid.*" "ac_adapter.*" "button/mute.*" "button/volumedown.*" "cd/play.*" "cd/next.*" ];
              description = "Event type.";
            };
            action = mkOption {
              type = types.lines;
              description = "Shell commands to execute when the event is triggered.";
            };
          };
        });
        description = "Event handlers.";
        default = {};
        example = { mute = { event = "button/mute.*"; action = "amixer set Master toggle"; }; };
      };
      powerEventCommands = mkOption {
        type = types.lines;
        default = "";
@ -144,42 +94,6 @@ in
        description = "Shell commands to execute on an ac_adapter.* event.";
      };
      muteCommands = mkOption {
        type = types.lines;
        default = "";
        description = "Shell commands to execute on an button/mute.* event.";
      };
      volumeDownEventCommands = mkOption {
        type = types.lines;
        default = "";
        description = "Shell commands to execute on an button/volumedown.* event.";
      };
      volumeUpEventCommands = mkOption {
        type = types.lines;
        default = "";
        description = "Shell commands to execute on an button/volumeup.* event.";
      };
      cdPlayEventCommands = mkOption {
        type = types.lines;
        default = "";
        description = "Shell commands to execute on an cd/play.* event.";
      };
      cdNextEventCommands = mkOption {
        type = types.lines;
        default = "";
        description = "Shell commands to execute on an cd/next.* event.";
      };
      cdPrevEventCommands = mkOption {
        type = types.lines;
        default = "";
        description = "Shell commands to execute on an cd/prev.* event.";
      };
    };
  };
--- a/nixos/modules/services/hardware/bluetooth.nix
+++ b/nixos/modules/services/hardware/bluetooth.nix
@ -1,6 +1,43 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
    bluez-bluetooth = if config.services.xserver.desktopManager.kde4.enable then pkgs.bluez else pkgs.bluez5;
    configBluez = {
        description = "Bluetooth Service";
        serviceConfig = {
          Type = "dbus";
          BusName = "org.bluez";
          ExecStart = "${bluez-bluetooth}/sbin/bluetoothd -n";
        };
        wantedBy = [ "bluetooth.target" ];
    };
    configBluez5 =  {
        description = "Bluetooth Service";
        serviceConfig = {
          Type = "dbus";
          BusName = "org.bluez";
          ExecStart = "${bluez-bluetooth}/sbin/bluetoothd -n";
          NotifyAccess="main";
          CapabilityBoundingSet="CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
          LimitNPROC=1;
        };
        wantedBy = [ "bluetooth.target" ];
    };
    obexConfig = {
        description = "Bluetooth OBEX service";
        serviceConfig = {
          Type = "dbus";
          BusName = "org.bluez.obex";
          ExecStart = "${bluez-bluetooth}/sbin/obexd";
        };
    };
    bluezConfig = if config.services.xserver.desktopManager.kde4.enable then configBluez else configBluez5;
 in
 {
@ -16,26 +53,15 @@ with lib;
  };
  ###### implementation
-
+  
  config = mkIf config.hardware.bluetooth.enable {
-    environment.systemPackages = [ pkgs.bluez pkgs.openobex pkgs.obexftp ];
+    environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
-
+    services.udev.packages = [ bluez-bluetooth ];
-    services.udev.packages = [ pkgs.bluez ];
+    services.dbus.packages = [ bluez-bluetooth ];
-
+    systemd.services."dbus-org.bluez" = bluezConfig;
-    services.dbus.packages = [ pkgs.bluez ];
+    systemd.services."dbus-org.bluez.obex" = obexConfig;
    systemd.services."dbus-org.bluez" = {
      description = "Bluetooth Service";
      serviceConfig = {
        Type = "dbus";
        BusName = "org.bluez";
        ExecStart = "${pkgs.bluez}/sbin/bluetoothd -n";
      };
      wantedBy = [ "bluetooth.target" ];
    };
  };
--- a/nixos/modules/services/hardware/sane.nix
+++ b/nixos/modules/services/hardware/sane.nix
@ -21,7 +21,13 @@ in
    hardware.sane.enable = mkOption {
      type = types.bool;
      default = false;
-      description = "Enable support for SANE scanners.";
+      description = ''
        Enable support for SANE scanners.
        <note><para>
          Users in the "scanner" group will gain access to the scanner.
        </para></note>
      '';
    };
    hardware.sane.snapshot = mkOption {
@ -33,7 +39,14 @@ in
    hardware.sane.extraBackends = mkOption {
      type = types.listOf types.path;
      default = [];
-      description = "Packages providing extra SANE backends to enable.";
+      description = ''
        Packages providing extra SANE backends to enable.
        <note><para>
          The example contains the package for HP scanners.
        </para></note>
      '';
      example = literalExample "[ pkgs.hplipWithPlugin ]";
    };
    hardware.sane.configDir = mkOption {
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@ -13,7 +13,13 @@ let
  extraUdevRules = pkgs.writeTextFile {
    name = "extra-udev-rules";
    text = cfg.extraRules;
-    destination = "/etc/udev/rules.d/10-local.rules";
+    destination = "/etc/udev/rules.d/99-local.rules";
  };
  extraHwdbFile = pkgs.writeTextFile {
    name = "extra-hwdb-file";
    text = cfg.extraHwdb;
    destination = "/etc/udev/hwdb.d/99-local.hwdb";
  };
  nixosRules = ''
@ -55,7 +61,9 @@ let
          --replace \"/sbin/modprobe \"${config.system.sbin.modprobe}/sbin/modprobe \
          --replace \"/sbin/mdadm \"${pkgs.mdadm}/sbin/mdadm \
          --replace \"/sbin/blkid \"${pkgs.utillinux}/sbin/blkid \
-          --replace \"/bin/mount \"${pkgs.utillinux}/bin/mount
+          --replace \"/bin/mount \"${pkgs.utillinux}/bin/mount \
          --replace /usr/bin/readlink ${pkgs.coreutils}/bin/readlink \
          --replace /usr/bin/basename ${pkgs.coreutils}/bin/basename
      done
      echo -n "Checking that all programs called by relative paths in udev rules exist in ${udev}/lib/udev... "
@ -86,10 +94,30 @@ let
      done
      echo "OK"
-      echo "Consider fixing the following udev rules:"
+      filesToFixup="$(for i in "$out"/*; do
-      for i in ${toString cfg.packages}; do
+        grep -l '\B\(/usr\)\?/s\?bin' "$i" || :
-        grep -l '\(RUN+\|IMPORT{program}\)="\(/usr\)\?/s\?bin' $i/*/udev/rules.d/* || true
+      done)"
-      done
+
      if [ -n "$filesToFixup" ]; then
        echo "Consider fixing the following udev rules:"
        echo "$filesToFixup" | while read localFile; do
          remoteFile="origin unknown"
          for i in ${toString cfg.packages}; do
            for j in "$i"/*/udev/rules.d/*; do
              [ -e "$out/$(basename "$j")" ] || continue
              [ "$(basename "$j")" = "$(basename "$localFile")" ] || continue
              remoteFile="originally from $j"
              break 2
            done
          done
          refs="$(
            grep -o '\B\(/usr\)\?/s\?bin/[^ "]\+' "$localFile" \
              | sed -e ':r;N;''${s/\n/ and /;br};s/\n/, /g;br'
          )"
          echo "$localFile ($remoteFile) contains references to $refs."
        done
        exit 1
      fi
      ${optionalString config.networking.usePredictableInterfaceNames ''
        cp ${./80-net-setup-link.rules} $out/80-net-setup-link.rules
@ -104,6 +132,27 @@ let
    ''; # */
  };
  hwdbBin = stdenv.mkDerivation {
    name = "hwdb.bin";
    preferLocalBuild = true;
    allowSubstitutes = false;
    buildCommand = ''
      mkdir -p etc/udev/hwdb.d
      for i in ${toString ([udev] ++ cfg.packages)}; do
        echo "Adding hwdb files for package $i"
        for j in $i/{etc,lib}/udev/hwdb.d/*; do
          ln -s $j etc/udev/hwdb.d/$(basename $j)
        done
      done
      echo "Generating hwdb database..."
      ${udev}/bin/udevadm hwdb --update --root=$(pwd)
      mv etc/udev/hwdb.bin $out
    '';
  };
  # Udev has a 512-character limit for ENV{PATH}, so create a symlink
  # tree to work around this.
  udevPath = pkgs.buildEnv {
@ -163,8 +212,23 @@ in
        type = types.lines;
        description = ''
          Additional <command>udev</command> rules. They'll be written
-          into file <filename>10-local.rules</filename>. Thus they are
+          into file <filename>99-local.rules</filename>. Thus they are
-          read before all other rules.
+          read and applied after all other rules.
        '';
      };
      extraHwdb = mkOption {
        default = "";
        example = ''
          evdev:input:b0003v05AFp8277*
            KEYBOARD_KEY_70039=leftalt
            KEYBOARD_KEY_700e2=leftctrl
        '';
        type = types.lines;
        description = ''
          Additional <command>hwdb</command> files. They'll be written
          into file <filename>10-local.hwdb</filename>. Thus they are
          read before all other files.
        '';
      };
@ -216,7 +280,7 @@ in
    services.udev.extraRules = nixosRules;
-    services.udev.packages = [ extraUdevRules ];
+    services.udev.packages = [ extraUdevRules extraHwdbFile ];
    services.udev.path = [ pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.utillinux udev ];
@ -224,6 +288,9 @@ in
      [ { source = udevRules;
          target = "udev/rules.d";
        }
        { source = hwdbBin;
          target = "udev/hwdb.bin";
        }
      ];
    system.requiredKernelConfig = with config.lib.kernelConfig; [
@ -241,13 +308,6 @@ in
          echo "" > /proc/sys/kernel/hotplug
        fi
        # Regenerate the hardware database /var/lib/udev/hwdb.bin
        # whenever systemd changes.
        if [ ! -e /var/lib/udev/prev-systemd -o "$(readlink /var/lib/udev/prev-systemd)" != ${config.systemd.package} ]; then
          echo "regenerating udev hardware database..."
          ${config.systemd.package}/bin/udevadm hwdb --update && ln -sfn ${config.systemd.package} /var/lib/udev/prev-systemd
        fi
        # Allow the kernel to find our firmware.
        if [ -e /sys/module/firmware_class/parameters/path ]; then
          echo -n "${config.hardware.firmware}/lib/firmware" > /sys/module/firmware_class/parameters/path
@ -256,6 +316,7 @@ in
    systemd.services.systemd-udevd =
      { environment.MODULE_DIR = "/run/booted-system/kernel-modules/lib/modules";
        restartTriggers = cfg.packages;
      };
  };
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@ -9,16 +9,11 @@ let
  baseDir = "/run/dovecot2";
  stateDir = "/var/lib/dovecot";
  protocols = concatStrings [
    (optionalString cfg.enableImap "imap")
    (optionalString cfg.enablePop3 "pop3")
    (optionalString cfg.enableLmtp "lmtp")
  ];
  dovecotConf = concatStrings [
    ''
      base_dir = ${baseDir}
-      protocols = ${protocols}
+      protocols = ${concatStringsSep " " cfg.protocols}
      sendmail_path = /var/setuid-wrappers/sendmail
    ''
    (if isNull cfg.sslServerCert then ''
@ -33,6 +28,8 @@ let
    ''
      default_internal_user = ${cfg.user}
      ${optionalString (cfg.mailUser != null) "mail_uid = ${cfg.mailUser}"}
      ${optionalString (cfg.mailGroup != null) "mail_gid = ${cfg.mailGroup}"}
      mail_location = ${cfg.mailLocation}
@ -57,11 +54,17 @@ let
      }
    '')
    (optionalString (cfg.sieveScripts != {}) ''
      plugin {
        ${concatStringsSep "\n" (mapAttrsToList (to: from: "sieve_${to} = ${stateDir}/sieve/${to}") cfg.sieveScripts)}
      }
    '')
    cfg.extraConfig
  ];
  modulesDir = pkgs.symlinkJoin "dovecot-modules"
-    (map (module: "${module}/lib/dovecot") cfg.modules);
+    (map (pkg: "${pkg}/lib/dovecot") ([ dovecotPkg ] ++ map (module: module.override { dovecot = dovecotPkg; }) cfg.modules));
 in
 {
@ -87,6 +90,12 @@ in
      description = "Start the LMTP listener (when Dovecot is enabled).";
    };
    protocols = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Additional listeners to start when Dovecot is enabled.";
    };
    package = mkOption {
      type = types.package;
      default = pkgs.dovecot22;
@ -129,13 +138,25 @@ in
      '';
    };
    mailUser = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Default user to store mail for virtual users.";
    };
    mailGroup = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Default group to store mail for virtual users.";
    };
    modules = mkOption {
      type = types.listOf types.package;
      default = [];
      example = literalExample "[ pkgs.dovecot_pigeonhole ]";
      description = ''
        Symlinks the contents of lib/dovecot of every given package into
-        /var/lib/dovecot/modules. This will make the given modules available
+        /etc/dovecot/modules. This will make the given modules available
        if a dovecot package with the module_dir patch applied (like
        pkgs.dovecot22, the default) is being used.
      '';
@ -162,7 +183,13 @@ in
    enablePAM = mkOption {
      type = types.bool;
      default = true;
-      description = "Wether to create a own Dovecot PAM service and configure PAM user logins.";
+      description = "Whether to create a own Dovecot PAM service and configure PAM user logins.";
    };
    sieveScripts = mkOption {
      type = types.attrsOf types.path;
      default = {};
      description = "Sieve scripts to be executed. Key is a sequence, e.g. 'before2', 'after' etc.";
    };
    showPAMFailure = mkOption {
@ -177,23 +204,31 @@ in
    security.pam.services.dovecot2 = mkIf cfg.enablePAM {};
    services.dovecot2.protocols =
     optional cfg.enableImap "imap"
     ++ optional cfg.enablePop3 "pop3"
     ++ optional cfg.enableLmtp "lmtp";
    users.extraUsers = [
      { name = cfg.user;
        uid = config.ids.uids.dovecot2;
        description = "Dovecot user";
        group = cfg.group;
      }
      { name = "dovenull";
        uid = config.ids.uids.dovenull2;
        description = "Dovecot user for untrusted logins";
        group = cfg.group;
      }
-    ];
+    ] ++ optional (cfg.user == "dovecot2")
         { name = "dovecot2";
           uid = config.ids.uids.dovecot2;
           description = "Dovecot user";
           group = cfg.group;
         };
-    users.extraGroups = singleton {
+    users.extraGroups = optional (cfg.group == "dovecot2")
-      name = cfg.group;
+      { name = "dovecot2";
-      gid = config.ids.gids.dovecot2;
+        gid = config.ids.gids.dovecot2;
-    };
+      };
    environment.etc."dovecot/modules".source = modulesDir;
    environment.etc."dovecot/dovecot.conf".source = cfg.configFile;
    systemd.services.dovecot2 = {
      description = "Dovecot IMAP/POP3 server";
@ -201,26 +236,38 @@ in
      after = [ "keys.target" "network.target" ];
      wants = [ "keys.target" ];
      wantedBy = [ "multi-user.target" ];
-
+      restartTriggers = [ cfg.configFile ];
      preStart = ''
        mkdir -p "${baseDir}/login"
        chown -R ${cfg.user}:${cfg.group} "${baseDir}"
        rm -f "${stateDir}/modules"
        ln -s "${modulesDir}" "${stateDir}/modules"
      '';
      serviceConfig = {
-        ExecStart = "${dovecotPkg}/sbin/dovecot -F -c ${cfg.configFile}";
+        ExecStart = "${dovecotPkg}/sbin/dovecot -F";
        ExecReload = "${dovecotPkg}/sbin/doveadm reload";
        Restart = "on-failure";
        RestartSec = "1s";
        StartLimitInterval = "1min";
        RuntimeDirectory = [ "dovecot2" ];
      };
      preStart = ''
        rm -rf ${stateDir}/sieve
      '' + optionalString (cfg.sieveScripts != {}) ''
        mkdir -p ${stateDir}/sieve
        ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
          if [ -d '${from}' ]; then
            mkdir '${stateDir}/sieve/${to}'
            cp "${from}/"*.sieve '${stateDir}/sieve/${to}'
          else
            cp '${from}' '${stateDir}/sieve/${to}'
          fi
           ${pkgs.dovecot_pigeonhole}/bin/sievec '${stateDir}/sieve/${to}'
        '') cfg.sieveScripts)}
        chown -R '${cfg.mailUser}:${cfg.mailGroup}' '${stateDir}/sieve'
      '';
    };
    environment.systemPackages = [ dovecotPkg ];
    assertions = [
-      { assertion = cfg.enablePop3 || cfg.enableImap;
+      { assertion = intersectLists cfg.protocols [ "pop3" "imap" ] != [];
        message = "dovecot needs at least one of the IMAP or POP3 listeners enabled";
      }
      { assertion = isNull cfg.sslServerCert == isNull cfg.sslServerKey
--- a/Show more
+++ b/Show more