Merge branch 'master' of https://github.com/nixos/nixpkgs

.github/CODEOWNERS

@@ -64,6 +64,9 @@
 /pkgs/development/interpreters/ruby @zimbatm
 /pkgs/development/ruby-modules      @zimbatm
 
+# Rust
+/pkgs/development/compilers/rust @Mic92 @LnL7
+
 # Darwin-related
 /pkgs/stdenv/darwin         @NixOS/darwin-maintainers
 /pkgs/os-specific/darwin    @NixOS/darwin-maintainers

doc/configuration.xml

@@ -14,6 +14,8 @@ true:</para>
   its <literal>meta.broken</literal> set to
   <literal>true</literal>.</para></listitem>
 
+  <listitem><para>The package isn't intended to run on the given system, as none of its <literal>meta.platforms</literal> match the given system.</para></listitem>
+
   <listitem><para>The package's <literal>meta.license</literal> is set
   to a license which is considered to be unfree.</para></listitem>
 
@@ -88,6 +90,42 @@ distributing the software.</para>
   </itemizedlist>
 </section>
 
+<section xml:id="sec-allow-unsupported-system">
+  <title>Installing packages on unsupported systems</title>
+
+
+  <para>
+    There are also two ways to try compiling a package which has been marked as unsuported for the given system.
+  </para>
+
+  <itemizedlist>
+    <listitem><para>
+      For allowing the build of a broken package once, you can use an environment variable for a single invocation of the nix tools:
+
+      <programlisting>$ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1</programlisting>
+    </para></listitem>
+
+    <listitem>
+      <para>
+        For permanently allowing broken packages to be built, you may add <literal>allowUnsupportedSystem = true;</literal> to your user's configuration file, like this:
+
+<programlisting>
+{
+  allowUnsupportedSystem = true;
+}
+</programlisting>
+      </para>
+    </listitem>
+  </itemizedlist>
+
+  <para>
+    The difference between an a package being unsupported on some system and being broken is admittedly a bit fuzzy.
+    If a program <emphasis>ought</emphasis> to work on a certain platform, but doesn't, the platform should be included in <literal>meta.platforms</literal>, but marked as broken with e.g. <literal>meta.broken = !hostPlatform.isWindows</literal>.
+    Of course, this begs the question of what "ought" means exactly.
+    That is left to the package maintainer.
+  </para>
+</section>
+
 <section xml:id="sec-allow-unfree">
   <title>Installing unfree packages</title>
 

doc/overrides.css

@@ -1,4 +1,5 @@
-
+.docbook .xref img[src^=images\/callouts\/],
+.screen img,
 .programlisting img {
     width: 1em;
 }

doc/reviewing-contributions.xml

@@ -112,7 +112,7 @@ $ git rebase --onto nixos-unstable BASEBRANCH FETCH_HEAD <co
               <varname>BASEBRANCH</varname> the base branch of the
               pull-request.</para>
           </callout>
-          <callout arearefs='reviewing-rebase-3'>
+          <callout arearefs='reviewing-rebase-4'>
             <para>Rebasing the pull-request changes to the nixos-unstable
               branch.</para>
           </callout>

lib/default.nix

@@ -74,7 +74,7 @@ let
     inherit (lists) singleton foldr fold foldl foldl' imap0 imap1
       concatMap flatten remove findSingle findFirst any all count
       optional optionals toList range partition zipListsWith zipLists
-      reverseList listDfs toposort sort compareLists take drop sublist
+      reverseList listDfs toposort sort naturalSort compareLists take drop sublist
       last init crossLists unique intersectLists subtractLists
       mutuallyExclusive;
     inherit (strings) concatStrings concatMapStrings concatImapStrings

lib/lists.nix

@@ -1,7 +1,9 @@
 # General list operations.
 { lib }:
 with lib.trivial;
-
+let
+  inherit (lib.strings) toInt;
+in
 rec {
 
   inherit (builtins) head tail length isList elemAt concatLists filter elem genList;
@@ -409,6 +411,25 @@ rec {
               then compareLists cmp (tail a) (tail b)
               else rel;
 
+  /* Sort list using "Natural sorting".
+     Numeric portions of strings are sorted in numeric order.
+
+     Example:
+       naturalSort ["disk11" "disk8" "disk100" "disk9"]
+       => ["disk8" "disk9" "disk11" "disk100"]
+       naturalSort ["10.46.133.149" "10.5.16.62" "10.54.16.25"]
+       => ["10.5.16.62" "10.46.133.149" "10.54.16.25"]
+       naturalSort ["v0.2" "v0.15" "v0.0.9"]
+       => [ "v0.0.9" "v0.2" "v0.15" ]
+  */
+  naturalSort = lst:
+    let
+      vectorise = s: map (x: if isList x then toInt (head x) else x) (builtins.split "(0|[1-9][0-9]*)" s);
+      prepared = map (x: [ (vectorise x) x ]) lst; # remember vectorised version for O(n) regex splits
+      less = a: b: (compareLists compare (head a) (head b)) < 0;
+    in
+      map (x: elemAt x 1) (sort less prepared);
+
   /* Return the first (at most) N elements of a list.
 
      Example:

lib/systems/parse.nix

@@ -34,7 +34,7 @@ rec {
 
   ################################################################################
 
-  types.openSignifiantByte = mkOptionType {
+  types.openSignificantByte = mkOptionType {
     name = "significant-byte";
     description = "Endianness";
     merge = mergeOneOption;
@@ -42,7 +42,7 @@ rec {
 
   types.significantByte = enum (attrValues significantBytes);
 
-  significantBytes = setTypes types.openSignifiantByte {
+  significantBytes = setTypes types.openSignificantByte {
     bigEndian = {};
     littleEndian = {};
   };

maintainers/maintainer-list.nix

@@ -305,6 +305,11 @@
     github = "akru";
     name = "Alexander Krupenkin ";
   };
+  alexchapman = {
+    name = "Alex Chapman";
+    email = "alex@farfromthere.net";
+    github = "AJChapman";
+  };
   alexvorobiev = {
     email = "alexander.vorobiev@gmail.com";
     github = "alexvorobiev";
@@ -1196,6 +1201,11 @@
     github = "ElvishJerricco";
     name = "Will Fancher";
   };
+  endgame = {
+    email = "jack@jackkelly.name";
+    github = "endgame";
+    name = "Jack Kelly";
+  };
   enzime = {
     email = "enzime@users.noreply.github.com";
     github = "enzime";
@@ -1892,6 +1902,11 @@
     email = "info+nix@chmist.com";
     name = "karolchmist";
   };
+  kazcw = {
+    email = "kaz@lambdaverse.org";
+    github = "kazcw";
+    name = "Kaz Wesley";
+  };
   kentjames = {
     email = "jameschristopherkent@gmail.com";
     github = "kentjames";
@@ -2495,6 +2510,11 @@
     github = "mschristiansen";
     name = "Mikkel Christiansen";
   };
+  msiedlarek = {
+    email = "mikolaj@siedlarek.pl";
+    github = "msiedlarek";
+    name = "Mikołaj Siedlarek";
+  };
   mstarzyk = {
     email = "mstarzyk@gmail.com";
     github = "mstarzyk";
@@ -2510,6 +2530,11 @@
     github = "mt-caret";
     name = "Masayuki Takeda";
   };
+  MtP = {
+    email = "marko.nixos@poikonen.de";
+    github = "MtP76";
+    name = "Marko Poikonen";
+  };
   mtreskin = {
     email = "zerthurd@gmail.com";
     github = "Zert";
@@ -2605,6 +2630,11 @@
     github = "ninjatrappeur";
     name = "Félix Baylac-Jacqué";
   };
+  nioncode = {
+    email = "nioncode+github@gmail.com";
+    github = "nioncode";
+    name = "Nicolas Schneider";
+  };
   nipav = {
     email = "niko.pavlinek@gmail.com";
     github = "nipav";
@@ -2644,6 +2674,11 @@
     github = "nthorne";
     name = "Niklas Thörne";
   };
+  nyanloutre = {
+    email = "paul@nyanlout.re";
+    github = "nyanloutre";
+    name = "Paul Trehiou";
+  };
   nyarly = {
     email = "nyarly@gmail.com";
     github = "nyarly";
@@ -3054,6 +3089,11 @@
     github = "risicle";
     name = "Robert Scott";
   };
+  rittelle = {
+    email = "rittelle@posteo.de";
+    github = "rittelle";
+    name = "Lennart Rittel";
+  };
   rlupton20 = {
     email = "richard.lupton@gmail.com";
     github = "rlupton20";
@@ -3114,6 +3154,11 @@
     github = "rongcuid";
     name = "Rongcui Dong";
   };
+  rprospero = {
+    email = "rprospero+nix@gmail.com";
+    github = "rprospero";
+    name = "Adam Washington";
+  };
   rszibele = {
     email = "richard@szibele.com";
     github = "rszibele";
@@ -3258,6 +3303,11 @@
     github = "sengaya";
     name = "Thilo Uttendorfer";
   };
+  sephalon = {
+    email = "me@sephalon.net";
+    github = "sephalon";
+    name = "Stefan Wiehler";
+  };
   sepi = {
     email = "raffael@mancini.lu";
     github = "sepi";
@@ -3361,6 +3411,11 @@
     github = "grwlf";
     name = "Sergey Mironov";
   };
+  sna = {
+    email = "abouzahra.9@wright.edu";
+    github = "s-na";
+    name = "S. Nordin Abouzahra";
+  };
   snyh = {
     email = "snyh@snyh.org";
     github = "snyh";
@@ -3471,6 +3526,11 @@
     github = "symphorien";
     name = "Guillaume Girol";
   };
+  synthetica = {
+    email = "nix@hilhorst.be";
+    github = "Synthetica9";
+    name = "Patrick Hilhorst";
+  };
   szczyp = {
     email = "qb@szczyp.com";
     github = "szczyp";
@@ -3710,6 +3770,11 @@
     github = "twey";
     name = "James ‘Twey’ Kay";
   };
+  typetetris = {
+    email = "ericwolf42@mail.com";
+    github = "typetetris";
+    name = "Eric Wolf";
+  };
   unode = {
     email = "alves.rjc@gmail.com";
     github = "unode";
@@ -4080,4 +4145,9 @@
     github = "zzamboni";
     name = "Diego Zamboni";
   };
+  srghma = {
+    email = "srghma@gmail.com";
+    github = "srghma";
+    name = "Sergei Khoma";
+  };
 }

nixos/doc/manual/installation/installing-usb.xml

@@ -51,7 +51,7 @@ ISO, copy its contents verbatim to your drive, then either:
   <listitem>
     <para>If you want to load the contents of the ISO to ram after bootin
     (So you can remove the stick after bootup) you can append the parameter
-    <literal>copytoram</literal>to the <literal>options</literal> field.</para>
+    <literal>copytoram</literal> to the <literal>options</literal> field.</para>
   </listitem>
 </itemizedlist>
 </para>

nixos/doc/manual/installation/installing.xml

@@ -115,23 +115,17 @@ for a UEFI installation is by and large the same as a BIOS installation. The dif
       <varlistentry><term>UEFI systems</term>
       <listitem><para>For creating boot partitions:
     <command>mkfs.fat</command>.  Again it’s recommended to assign a
-    label to the boot partition: <option>-L
+    label to the boot partition: <option>-n
     <replaceable>label</replaceable></option>. For example:
 
 <screen>
-# mkfs.fat -F 32 -L boot /dev/sda3</screen>
+# mkfs.fat -F 32 -n boot /dev/sda3</screen>
 
     </para></listitem></varlistentry></variablelist></listitem>
 
     <listitem><para>For creating LVM volumes, the LVM commands, e.g.,
-
+    <command>pvcreate</command>, <command>vgcreate</command>, and
-<screen>
+    <command>lvcreate</command>.</para></listitem>
-# pvcreate /dev/sda1 /dev/sdb1
-# vgcreate MyVolGroup /dev/sda1 /dev/sdb1
-# lvcreate --size 2G --name bigdisk MyVolGroup
-# lvcreate --size 1G --name smalldisk MyVolGroup</screen>
-
-    </para></listitem>
 
     <listitem><para>For creating software RAID devices, use
     <command>mdadm</command>.</para></listitem>
@@ -155,6 +149,7 @@ for a UEFI installation is by and large the same as a BIOS installation. The dif
       <listitem><para>Mount the boot file system on <filename>/mnt/boot</filename>, e.g.
 
 <screen>
+# mkdir -p /mnt/boot
 # mount /dev/disk/by-label/boot /mnt/boot
 </screen>
 
@@ -366,8 +361,9 @@ drive (here <filename>/dev/sda</filename>).  <xref linkend="ex-config"
 # mkfs.ext4 -L nixos /dev/sda1
 # mkswap -L swap /dev/sda2
 # swapon /dev/sda2
-# mkfs.fat -F 32 -L boot /dev/sda3        # <lineannotation>(for UEFI systems only)</lineannotation>
+# mkfs.fat -F 32 -n boot /dev/sda3        # <lineannotation>(for UEFI systems only)</lineannotation>
 # mount /dev/disk/by-label/nixos /mnt
+# mkdir -p /mnt/boot                      # <lineannotation>(for UEFI systems only)</lineannotation>
 # mount /dev/disk/by-label/boot /mnt/boot # <lineannotation>(for UEFI systems only)</lineannotation>
 # nixos-generate-config --root /mnt
 # nano /mnt/etc/nixos/configuration.nix

nixos/doc/manual/release-notes/rl-1809.xml

@@ -58,6 +58,9 @@ following incompatible changes:</para>
 <itemizedlist>
   <listitem>
     <para>
+      The <literal>clementine</literal> package points now to the free derivation.
+      <literal>clementineFree</literal> is removed now and <literal>clementineUnfree</literal>
+      points to the package which is bundled with the unfree <literal>libspotify</literal> package.
     </para>
   </listitem>
 </itemizedlist>

nixos/lib/make-ext4-fs.nix

@@ -7,23 +7,22 @@
 , volumeLabel
 }:
 
+let
+  sdClosureInfo = pkgs.closureInfo { rootPaths = storePaths; };
+in
+
 pkgs.stdenv.mkDerivation {
   name = "ext4-fs.img";
 
   nativeBuildInputs = with pkgs; [e2fsprogs libfaketime perl];
 
-  # For obtaining the closure of `storePaths'.
-  exportReferencesGraph =
-    map (x: [("closure-" + baseNameOf x) x]) storePaths;
-
   buildCommand =
     ''
       # Add the closures of the top-level store objects.
-      storePaths=$(perl ${pkgs.pathsFromGraph} closure-*)
+      storePaths=$(cat ${sdClosureInfo}/store-paths)
 
-      # Also include a manifest of the closures in a format suitable
+      # Also include a manifest of the closures in a format suitable for nix-store --load-db.
-      # for nix-store --load-db.
+      cp ${sdClosureInfo}/registration nix-path-registration
-      printRegistration=1 perl ${pkgs.pathsFromGraph} closure-* > nix-path-registration
 
       # Make a crude approximation of the size of the target image.
       # If the script starts failing, increase the fudge factors here.

nixos/lib/test-driver/Machine.pm

@@ -612,7 +612,7 @@ sub waitForX {
     my ($self, $regexp) = @_;
     $self->nest("waiting for the X11 server", sub {
         retry sub {
-            my ($status, $out) = $self->execute("journalctl -b SYSLOG_IDENTIFIER=systemd | grep 'session opened'");
+            my ($status, $out) = $self->execute("journalctl -b SYSLOG_IDENTIFIER=systemd | grep 'Reached target Current graphical'");
             return 0 if $status != 0;
             ($status, $out) = $self->execute("[ -e /tmp/.X11-unix/X0 ]");
             return 1 if $status == 0;

nixos/lib/testing.nix

@@ -111,6 +111,8 @@ in rec {
 
       ocrProg = tesseract_4.override { enableLanguages = [ "eng" ]; };
 
+      imagemagick_tiff = imagemagick_light.override { inherit libtiff; };
+
       # Generate onvenience wrappers for running the test driver
       # interactively with the specified network, and for starting the
       # VMs from the command line.
@@ -128,7 +130,7 @@ in rec {
           wrapProgram $out/bin/nixos-test-driver \
             --add-flags "''${vms[*]}" \
             ${lib.optionalString enableOCR
-              "--prefix PATH : '${ocrProg}/bin:${imagemagick}/bin'"} \
+              "--prefix PATH : '${ocrProg}/bin:${imagemagick_tiff}/bin'"} \
             --run "export testScript=\"\$(cat $out/test-script)\"" \
             --set VLANS '${toString vlans}'
           ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms

nixos/modules/config/pulseaudio.nix

@@ -214,6 +214,8 @@ in {
     (mkIf cfg.enable {
       environment.systemPackages = [ overriddenPackage ];
 
+      sound.enable = true;
+
       environment.etc = [
         { target = "asound.conf";
           source = alsaConf; }

nixos/modules/config/users-groups.nix

@@ -92,7 +92,7 @@ let
 
       group = mkOption {
         type = types.str;
-        apply = x: assert (builtins.stringLength x < 17 || abort "Group name '${x}' is longer than 16 characters which is not allowed!"); x;
+        apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
         default = "nogroup";
         description = "The user's primary group.";
       };

nixos/modules/hardware/onlykey.nix

@@ -0,0 +1,33 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+
+  ####### interface
+
+  options = {
+
+    hardware.onlykey = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable OnlyKey device (https://crp.to/p/) support.
+        '';
+      };
+    };
+
+  };
+
+  ## As per OnlyKey's documentation piece (hhttps://docs.google.com/document/d/1Go_Rs218fKUx-j_JKhddbSVTqY6P0vQO831t2MKCJC8),
+  ## it is important to add udev rule for OnlyKey for it to work on Linux
+
+  ####### implementation
+
+  config = mkIf config.hardware.onlykey.enable {
+    services.udev.extraRules = builtin.readFile ./onlykey.udev;
+  };
+
+
+}

nixos/modules/hardware/onlykey.udev

@@ -0,0 +1,4 @@
+ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
+ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", GROUP+="plugdev"
+KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", GROUP+="plugdev"

nixos/modules/hardware/opengl.nix

@@ -14,7 +14,6 @@ let
     name = "mesa-drivers+txc-${p.mesa_drivers.version}";
     paths =
       [ p.mesa_drivers
-        p.mesa_drivers.out # mainly for libGL
         (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
       ];
   };
@@ -33,7 +32,9 @@ in
 
 {
   options = {
-    hardware.opengl.enable = mkOption {
+
+    hardware.opengl = {
+      enable = mkOption {
         description = ''
           Whether to enable OpenGL drivers. This is needed to enable
           OpenGL support in X11 systems, as well as for Wayland compositors
@@ -47,7 +48,7 @@ in
         default = false;
       };
 
-    hardware.opengl.driSupport = mkOption {
+      driSupport = mkOption {
         type = types.bool;
         default = true;
         description = ''
@@ -56,7 +57,7 @@ in
         '';
       };
 
-    hardware.opengl.driSupport32Bit = mkOption {
+      driSupport32Bit = mkOption {
         type = types.bool;
         default = false;
         description = ''
@@ -68,7 +69,7 @@ in
         '';
       };
 
-    hardware.opengl.s3tcSupport = mkOption {
+      s3tcSupport = mkOption {
         type = types.bool;
         default = false;
         description = ''
@@ -79,7 +80,7 @@ in
         '';
       };
 
-    hardware.opengl.package = mkOption {
+      package = mkOption {
         type = types.package;
         internal = true;
         description = ''
@@ -87,7 +88,7 @@ in
         '';
       };
 
-    hardware.opengl.package32 = mkOption {
+      package32 = mkOption {
         type = types.package;
         internal = true;
         description = ''
@@ -97,7 +98,7 @@ in
         '';
       };
 
-    hardware.opengl.extraPackages = mkOption {
+      extraPackages = mkOption {
         type = types.listOf types.package;
         default = [];
         example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]";
@@ -107,7 +108,7 @@ in
         '';
       };
 
-    hardware.opengl.extraPackages32 = mkOption {
+      extraPackages32 = mkOption {
         type = types.listOf types.package;
         default = [];
         example = literalExample "with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]";
@@ -117,6 +118,7 @@ in
           set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc.
         '';
       };
+    };
 
   };
 

nixos/modules/hardware/video/nvidia.nix

@@ -25,13 +25,6 @@ let
   nvidia_x11 = nvidiaForKernel config.boot.kernelPackages;
   nvidia_libs32 = (nvidiaForKernel pkgs_i686.linuxPackages).override { libsOnly = true; kernel = null; };
 
-  nvidiaPackage = nvidia: pkgs:
-    if !nvidia.useGLVND then nvidia.out
-    else pkgs.buildEnv {
-      name = "nvidia-libs";
-      paths = [ pkgs.libglvnd nvidia.out ];
-    };
-
   enabled = nvidia_x11 != null;
 in
 
@@ -57,8 +50,8 @@ in
       source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
     };
 
-    hardware.opengl.package = nvidiaPackage nvidia_x11 pkgs;
+    hardware.opengl.package = nvidia_x11.out;
-    hardware.opengl.package32 = nvidiaPackage nvidia_libs32 pkgs_i686;
+    hardware.opengl.package32 = nvidia_libs32.out;
 
     environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings ]
       ++ lib.filter (p: p != null) [ nvidia_x11.persistenced ];

nixos/modules/installer/cd-dvd/channel.nix

@@ -21,7 +21,9 @@ let
       if [ ! -e $out/nixos/nixpkgs ]; then
         ln -s . $out/nixos/nixpkgs
       fi
+      echo -n ${config.system.nixos.revision} > $out/nixos/.git-revision
       echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix
+      echo ${config.system.nixos.versionSuffix} | sed -e s/pre// > $out/nixos/svn-revision
     '';
 
 in

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -585,7 +585,6 @@ $bootLoaderConfig
 
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
-  # programs.bash.enableCompletion = true;
   # programs.mtr.enable = true;
   # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
 

nixos/modules/misc/ids.nix

@@ -305,6 +305,7 @@
       hass = 286;
       monero = 287;
       ceph = 288;
+      duplicati = 289;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -578,6 +579,7 @@
       hass = 286;
       monero = 287;
       ceph = 288;
+      duplicati = 289;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/misc/locate.nix

@@ -133,13 +133,26 @@ in {
     systemd.services.update-locatedb =
       { description = "Update Locate Database";
         path = mkIf (!isMLocate) [ pkgs.su ];
+
+        # mlocate's updatedb takes flags via a configuration file or
+        # on the command line, but not by environment variable.
         script =
+          if isMLocate
+          then let toFlags = x: optional (cfg.${x} != [])
+                                         "--${lib.toLower x} '${concatStringsSep " " cfg.${x}}'";
+                   args = concatLists (map toFlags ["pruneFS" "pruneNames" "prunePaths"]);
+               in ''
+            exec ${cfg.locate}/bin/updatedb \
+              --output ${toString cfg.output} ${concatStringsSep " " args} \
+              --prune-bind-mounts ${if cfg.pruneBindMounts then "yes" else "no"} \
+              ${concatStringsSep " " cfg.extraFlags}
           ''
+          else ''
             exec ${cfg.locate}/bin/updatedb \
               ${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \
               --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
           '';
-        environment = {
+        environment = optionalAttrs (!isMLocate) {
           PRUNEFS = concatStringsSep " " cfg.pruneFS;
           PRUNEPATHS = concatStringsSep " " cfg.prunePaths;
           PRUNENAMES = concatStringsSep " " cfg.pruneNames;

nixos/modules/module-list.nix

@@ -41,6 +41,7 @@
   ./hardware/pcmcia.nix
   ./hardware/raid/hpsa.nix
   ./hardware/usb-wwan.nix
+  ./hardware/onlykey.nix
   ./hardware/video/amdgpu.nix
   ./hardware/video/amdgpu-pro.nix
   ./hardware/video/ati.nix
@@ -86,6 +87,7 @@
   ./programs/freetds.nix
   ./programs/gnupg.nix
   ./programs/gphoto2.nix
+  ./programs/iftop.nix
   ./programs/java.nix
   ./programs/kbdlight.nix
   ./programs/less.nix
@@ -159,6 +161,7 @@
   ./services/audio/ympd.nix
   ./services/backup/bacula.nix
   ./services/backup/borgbackup.nix
+  ./services/backup/duplicati.nix
   ./services/backup/crashplan.nix
   ./services/backup/crashplan-small-business.nix
   ./services/backup/mysql-backup.nix
@@ -363,6 +366,7 @@
   ./services/misc/ripple-data-api.nix
   ./services/misc/rogue.nix
   ./services/misc/serviio.nix
+  ./services/misc/safeeyes.nix
   ./services/misc/siproxd.nix
   ./services/misc/snapper.nix
   ./services/misc/sonarr.nix
@@ -529,7 +533,7 @@
   ./services/networking/prayer.nix
   ./services/networking/privoxy.nix
   ./services/networking/prosody.nix
-  # ./services/networking/quagga.nix
+  ./services/networking/quagga.nix
   ./services/networking/quassel.nix
   ./services/networking/racoon.nix
   ./services/networking/radicale.nix
@@ -543,6 +547,7 @@
   ./services/networking/searx.nix
   ./services/networking/seeks.nix
   ./services/networking/skydns.nix
+  ./services/networking/shadowsocks.nix
   ./services/networking/shairport-sync.nix
   ./services/networking/shout.nix
   ./services/networking/sniproxy.nix

nixos/modules/programs/bash/bash.nix

@@ -110,7 +110,7 @@ in
       };
 
       enableCompletion = mkOption {
-        default = false;
+        default = true;
         description = ''
           Enable Bash completion for all interactive bash shells.
         '';

nixos/modules/programs/iftop.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.iftop;
+in {
+  options = {
+    programs.iftop.enable = mkEnableOption "iftop + setcap wrapper";
+  };
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.iftop ];
+    security.wrappers.iftop = {
+      source = "${pkgs.iftop}/bin/iftop";
+      capabilities = "cap_net_raw+p";
+    };
+  };
+}

nixos/modules/programs/less.nix

@@ -6,7 +6,7 @@ let
 
   cfg = config.programs.less;
 
-  configFile = ''
+  configText = if (cfg.configFile != null) then (builtins.readFile cfg.configFile) else ''
     #command
     ${concatStringsSep "\n"
       (mapAttrsToList (command: action: "${command} ${action}") cfg.commands)
@@ -25,7 +25,7 @@ let
   '';
 
   lessKey = pkgs.runCommand "lesskey"
-            { src = pkgs.writeText "lessconfig" configFile; }
+            { src = pkgs.writeText "lessconfig" configText; }
             "${pkgs.less}/bin/lesskey -o $out $src";
 
 in
@@ -37,6 +37,19 @@ in
 
       enable = mkEnableOption "less";
 
+      configFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = literalExample "$${pkgs.my-configs}/lesskey";
+        description = ''
+          Path to lesskey configuration file.
+
+          <option>configFile</option> takes precedence over <option>commands</option>,
+          <option>clearDefaultCommands</option>, <option>lineEditingKeys</option>, and
+          <option>envVariables</option>.
+        '';
+      };
+
       commands = mkOption {
         type = types.attrsOf types.str;
         default = {};

nixos/modules/security/acme.nix

@@ -240,6 +240,7 @@ in
                 };
                 selfsignedService = {
                   description = "Create preliminary self-signed certificate for ${cert}";
+                  path = [ pkgs.openssl ];
                   preStart = ''
                       if [ ! -d '${cpath}' ]
                       then
@@ -250,37 +251,41 @@ in
                   '';
                   script = 
                     ''
-                      # Create self-signed key
+                      workdir="$(mktemp -d)"
-                      workdir="/run/acme-selfsigned-${cert}"
+
-                      ${pkgs.openssl.bin}/bin/openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048
+                      # Create CA
-                      ${pkgs.openssl.bin}/bin/openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key
+                      openssl genrsa -des3 -passout pass:x -out $workdir/ca.pass.key 2048
-                      ${pkgs.openssl.bin}/bin/openssl req -new -key $workdir/server.key -out $workdir/server.csr \
+                      openssl rsa -passin pass:x -in $workdir/ca.pass.key -out $workdir/ca.key
+                      openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \
+                        -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com"
+                      openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt
+
+                      # Create key
+                      openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048
+                      openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key
+                      openssl req -new -key $workdir/server.key -out $workdir/server.csr \
                         -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
-                      ${pkgs.openssl.bin}/bin/openssl x509 -req -days 1 -in $workdir/server.csr -signkey $workdir/server.key -out $workdir/server.crt
+                      openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \
+                        -CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \
+                        -out $workdir/server.crt
 
-                      # Move key to destination
+                      # Copy key to destination
-                      mv $workdir/server.key ${cpath}/key.pem
+                      cp $workdir/server.key ${cpath}/key.pem
-                      mv $workdir/server.crt ${cpath}/fullchain.pem
 
-                      # Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates)
+                      # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates)
-                      cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem"
+                      cat $workdir/{server.crt,ca.crt} > "${cpath}/fullchain.pem"
 
-                      # Clean up working directory
+                      # Create full.pem for e.g. lighttpd
-                      rm $workdir/server.csr
+                      cat $workdir/{server.key,server.crt,ca.crt} > "${cpath}/full.pem"
-                      rm $workdir/server.pass.key
 
                       # Give key acme permissions
-                      chmod ${rights} '${cpath}/key.pem'
+                      chown '${data.user}:${data.group}' "${cpath}/"{key,fullchain,full}.pem
-                      chown '${data.user}:${data.group}' '${cpath}/key.pem'
+                      chmod ${rights} "${cpath}/"{key,fullchain,full}.pem
-                      chmod ${rights} '${cpath}/fullchain.pem'
-                      chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
-                      chmod ${rights} '${cpath}/full.pem'
-                      chown '${data.user}:${data.group}' '${cpath}/full.pem'
                     '';
                   serviceConfig = {
                     Type = "oneshot";
-                    RuntimeDirectory = "acme-selfsigned-${cert}";
                     PermissionsStartOnly = true;
+                    PrivateTmp = true;
                     User = data.user;
                     Group = data.group;
                   };

nixos/modules/security/pam.nix

@@ -386,7 +386,7 @@ let
           ${optionalString (cfg.enableGnomeKeyring)
               "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
           ${optionalString (config.virtualisation.lxc.lxcfs.enable)
-               "session optional ${pkgs.lxcfs}/lib/security/pam_cgfs.so -c freezer,memory,name=systemd,unified,cpuset"}
+               "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"}
         '');
     };
 

nixos/modules/security/wrappers/wrapper.c

@@ -10,8 +10,8 @@
 #include <errno.h>
 #include <linux/capability.h>
 #include <sys/capability.h>
-#include <linux/prctl.h>
 #include <sys/prctl.h>
+#include <limits.h>
 #include <cap-ng.h>
 
 // Make sure assertions are not compiled out, we use them to codify

nixos/modules/services/backup/duplicati.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.duplicati;
+in
+{
+  options = {
+    services.duplicati = {
+      enable = mkEnableOption "Duplicati";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.duplicati ];
+
+    systemd.services.duplicati = {
+      description = "Duplicati backup";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        User = "duplicati";
+        Group = "duplicati";
+        ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=any --webservice-port=8200 --server-datafolder=/var/lib/duplicati";
+        Restart = "on-failure";
+      };
+    };
+
+    users.extraUsers.duplicati = {
+      uid = config.ids.uids.duplicati;
+      home = "/var/lib/duplicati";
+      createHome = true;
+      group = "duplicati";
+    };
+    users.extraGroups.duplicati.gid = config.ids.gids.duplicati;
+
+  };
+}
+

nixos/modules/services/databases/pgmanage.nix

@@ -22,7 +22,7 @@ let
 
       web_root = ${cfg.package}/etc/pgmanage/web_root
 
-      data_root = ${cfg.dataRoot}
+      sql_root = ${cfg.sqlRoot}
 
       ${optionalString (!isNull cfg.tls) ''
       tls_cert = ${cfg.tls.cert}
@@ -130,7 +130,7 @@ let
       '';
     };
 
-    dataRoot = mkOption {
+    sqlRoot = mkOption {
       type = types.str;
       default = "/var/lib/pgmanage";
       description = ''
@@ -210,7 +210,7 @@ in {
         users."${pgmanage}" = {
           name  = pgmanage;
           group = pgmanage;
-          home  = cfg.dataRoot;
+          home  = cfg.sqlRoot;
           createHome = true;
         };
         groups."${pgmanage}" = {

nixos/modules/services/databases/postgresql.nix

@@ -36,9 +36,6 @@ let
       ${cfg.extraConfig}
     '';
 
-  pre84 = versionOlder (builtins.parseDrvName postgresql.name).version "8.4";
-
-
 in
 
 {
@@ -182,7 +179,7 @@ in
     services.postgresql.authentication = mkAfter
       ''
         # Generated file; do not edit!
-        local all all              ident ${optionalString pre84 "sameuser"}
+        local all all              ident
         host  all all 127.0.0.1/32 md5
         host  all all ::1/128      md5
       '';

nixos/modules/services/editors/emacs.nix

@@ -15,6 +15,25 @@ let
     fi
   '';
 
+desktopApplicationFile = pkgs.writeTextFile {
+  name = "emacsclient.desktop";
+  destination = "/share/applications/emacsclient.desktop";
+  text = ''
+[Desktop Entry]
+Name=Emacsclient
+GenericName=Text Editor
+Comment=Edit text
+MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++;
+Exec=emacseditor %F
+Icon=emacs
+Type=Application
+Terminal=false
+Categories=Development;TextEditor;
+StartupWMClass=Emacs
+Keywords=Text;Editor;
+'';
+};
+
 in {
 
   options.services.emacs = {
@@ -74,7 +93,7 @@ in {
       };
     } // optionalAttrs cfg.enable { wantedBy = [ "default.target" ]; };
 
-    environment.systemPackages = [ cfg.package editorScript ];
+    environment.systemPackages = [ cfg.package editorScript desktopApplicationFile ];
 
     environment.variables = {
       # This is required so that GTK applications launched from Emacs

nixos/modules/services/hardware/bluetooth.nix

@@ -3,8 +3,8 @@
 with lib;
 
 let
-  bluez-bluetooth = pkgs.bluez;
   cfg = config.hardware.bluetooth;
+  bluez-bluetooth = cfg.package;
 
 in {
 
@@ -21,6 +21,16 @@ in {
         description = "Whether to power up the default Bluetooth controller on boot.";
       };
 
+      package = mkOption {
+        type = types.package;
+        default = pkgs.bluez;
+        defaultText = "pkgs.bluez";
+        example = "pkgs.bluez.override { enableMidi = true; }";
+        description = ''
+          Which BlueZ package to use.
+        '';
+      };
+
       extraConfig = mkOption {
         type = types.lines;
         default = "";

nixos/modules/services/hardware/trezord.nix

@@ -38,7 +38,7 @@ in {
       path = [];
       serviceConfig = {
         Type = "simple";
-        ExecStart = "${pkgs.trezord}/bin/trezord -f";
+        ExecStart = "${pkgs.trezord}/bin/trezord-go";
         User = "trezord";
       };
     };

nixos/modules/services/misc/mesos-slave.nix

@@ -213,7 +213,7 @@ in {
         PermissionsStartOnly = true;
       };
       preStart = ''
-        mkdir -m 0700 -p ${cfg.workDir}
+        mkdir -m 0701 -p ${cfg.workDir}
       '';
     };
   };

nixos/modules/services/misc/safeeyes.nix

@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.safeeyes;
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.safeeyes = {
+
+      enable = mkOption {
+        default = false;
+        description = "Whether to enable the safeeyes OSGi service";
+      };
+
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    systemd.user.services.safeeyes = {
+      description = "Safeeyes";
+
+      wantedBy = [ "graphical-session.target" ];
+      partOf   = [ "graphical-session.target" ];
+
+      serviceConfig = {
+        ExecStart = ''
+          ${pkgs.safeeyes}/bin/safeeyes
+        '';
+        Restart = "on-failure";
+        RestartSec = 3;
+        StartLimitInterval = 350;
+        StartLimitBurst = 10;
+      };
+    };
+
+  };
+}

nixos/modules/services/monitoring/grafana.nix

@@ -50,7 +50,7 @@ in {
     protocol = mkOption {
       description = "Which protocol to listen.";
       default = "http";
-      type = types.enum ["http" "https"];
+      type = types.enum ["http" "https" "socket"];
     };
 
     addr = mkOption {

nixos/modules/services/networking/dnscache.nix

@@ -9,12 +9,12 @@ let
     mkdir -p $out/{servers,ip}
 
     ${concatMapStrings (ip: ''
-      echo > "$out/ip/"${lib.escapeShellArg ip}
+      touch "$out/ip/"${lib.escapeShellArg ip}
     '') cfg.clientIps}
 
     ${concatStrings (mapAttrsToList (host: ips: ''
       ${concatMapStrings (ip: ''
-        echo ${lib.escapeShellArg ip} > "$out/servers/"${lib.escapeShellArg host}
+        echo ${lib.escapeShellArg ip} >> "$out/servers/"${lib.escapeShellArg host}
       '') ips}
     '') cfg.domainServers)}
 
@@ -34,33 +34,49 @@ in {
 
   options = {
     services.dnscache = {
+
       enable = mkOption {
         default = false;
         type = types.bool;
-        description = "Whether to run the dnscache caching dns server";
+        description = "Whether to run the dnscache caching dns server.";
       };
 
       ip = mkOption {
         default = "0.0.0.0";
         type = types.str;
-        description = "IP address on which to listen for connections";
+        description = "IP address on which to listen for connections.";
       };
 
       clientIps = mkOption {
         default = [ "127.0.0.1" ];
         type = types.listOf types.str;
-        description = "client IP addresses (or prefixes) from which to accept connections";
+        description = "Client IP addresses (or prefixes) from which to accept connections.";
         example = ["192.168" "172.23.75.82"];
       };
 
       domainServers = mkOption {
         default = { };
         type = types.attrsOf (types.listOf types.str);
-        description = "table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts)";
+        description = ''
+          Table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts).
+          If entry for @ is not specified predefined list of root servers is used.
+        '';
         example = {
-          "example.com" = ["8.8.8.8" "8.8.4.4"];
+          "@" = ["8.8.8.8" "8.8.4.4"];
+          "example.com" = ["192.168.100.100"];
         };
       };
+
+      forwardOnly = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Whether to treat root servers (for @) as caching
+          servers, requesting addresses the same way a client does. This is
+          needed if you want to use e.g. Google DNS as your upstream DNS.
+        '';
+      };
+
     };
   };
 
@@ -82,6 +98,7 @@ in {
       '';
       script = ''
         cd /var/lib/dnscache/
+        ${optionalString cfg.forwardOnly "export FORWARDONLY=1"}
         exec ./run
       '';
     };

nixos/modules/services/networking/iwd.nix

@@ -26,7 +26,7 @@ in {
       wants = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
-      serviceConfig.ExecStart = "${pkgs.iwd}/bin/iwd";
+      serviceConfig.ExecStart = "${pkgs.iwd}/libexec/iwd";
     };
   };
 

nixos/modules/services/networking/prosody.nix

@@ -295,6 +295,24 @@ in
         '';
       };
 
+      dataDir = mkOption {
+        type = types.string;
+        description = "Directory where Prosody stores its data";
+        default = "/var/lib/prosody";
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "prosody";
+        description = "User account under which prosody runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "prosody";
+        description = "Group account under which prosody runs.";
+      };
+
       allowRegistration = mkOption {
         type = types.bool;
         default = false;
@@ -421,11 +439,11 @@ in
 
     environment.etc."prosody/prosody.cfg.lua".text = ''
 
-      pidfile = "/var/lib/prosody/prosody.pid"
+      pidfile = "/run/prosody/prosody.pid"
 
       log = "*syslog"
 
-      data_path = "/var/lib/prosody"
+      data_path = "${cfg.dataDir}"
       plugin_paths = {
         ${lib.concatStringsSep ", " (map (n: "\"${n}\"") cfg.extraPluginPaths) }
       }
@@ -469,15 +487,15 @@ in
         '') cfg.virtualHosts) }
     '';
 
-    users.extraUsers.prosody = {
+    users.extraUsers.prosody = mkIf (cfg.user == "prosody") {
       uid = config.ids.uids.prosody;
       description = "Prosody user";
       createHome = true;
-      group = "prosody";
+      inherit (cfg) group;
-      home = "/var/lib/prosody";
+      home = "${cfg.dataDir}";
     };
 
-    users.extraGroups.prosody = {
+    users.extraGroups.prosody = mkIf (cfg.group == "prosody") {
       gid = config.ids.gids.prosody;
     };
 
@@ -488,9 +506,11 @@ in
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ config.environment.etc."prosody/prosody.cfg.lua".source ];
       serviceConfig = {
-        User = "prosody";
+        User = cfg.user;
+        Group = cfg.group;
         Type = "forking";
-        PIDFile = "/var/lib/prosody/prosody.pid";
+        RuntimeDirectory = [ "prosody" ];
+        PIDFile = "/run/prosody/prosody.pid";
         ExecStart = "${cfg.package}/bin/prosodyctl start";
       };
     };

nixos/modules/services/networking/quagga.nix

@@ -133,7 +133,7 @@ in
     users.groups = {
       quagga = {};
       # Members of the quaggavty group can use vtysh to inspect the Quagga daemons
-      quaggavty = {};
+      quaggavty = { members = [ "quagga" ]; };
     };
 
     systemd.services =

nixos/modules/services/networking/shadowsocks.nix

@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.shadowsocks;
+
+  opts = {
+    server = cfg.localAddress;
+    server_port = cfg.port;
+    method = cfg.encryptionMethod;
+    mode = cfg.mode;
+    user = "nobody";
+    fast_open = true;
+  } // optionalAttrs (cfg.password != null) { password = cfg.password; };
+
+  configFile = pkgs.writeText "shadowsocks.json" (builtins.toJSON opts);
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.shadowsocks = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to run shadowsocks-libev shadowsocks server.
+        '';
+      };
+
+      localAddress = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = ''
+          Local address to which the server binds.
+        '';
+      };
+
+      port = mkOption {
+        type = types.int;
+        default = 8388;
+        description = ''
+          Port which the server uses.
+        '';
+      };
+
+      password = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          Password for connecting clients.
+        '';
+      };
+
+      passwordFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = ''
+          Password file with a password for connecting clients.
+        '';
+      };
+
+      mode = mkOption {
+        type = types.enum [ "tcp_only" "tcp_and_udp" "udp_only" ];
+        default = "tcp_and_udp";
+        description = ''
+          Relay protocols.
+        '';
+      };
+
+      encryptionMethod = mkOption {
+        type = types.str;
+        default = "chacha20-ietf-poly1305";
+        description = ''
+          Encryption method. See <link xlink:href="https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers"/>.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+    assertions = singleton
+      { assertion = cfg.password == null || cfg.passwordFile == null;
+        message = "Cannot use both password and passwordFile for shadowsocks-libev";
+      };
+
+    systemd.services.shadowsocks-libev = {
+      description = "shadowsocks-libev Daemon";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.shadowsocks-libev ] ++ optional (cfg.passwordFile != null) pkgs.jq;
+      serviceConfig.PrivateTmp = true;
+      script = ''
+        ${optionalString (cfg.passwordFile != null) ''
+          cat ${configFile} | jq --arg password "$(cat "${cfg.passwordFile}")" '. + { password: $password }' > /tmp/shadowsocks.json
+        ''}
+        exec ss-server -c ${if cfg.passwordFile != null then "/tmp/shadowsocks.json" else configFile}
+      '';
+    };
+  };
+}

nixos/modules/services/search/elasticsearch.nix

@@ -32,8 +32,11 @@ let
       (if es5 then (pkgs.writeTextDir "log4j2.properties" cfg.logging)
               else (pkgs.writeTextDir "logging.yml" cfg.logging))
     ];
+    postBuild = concatStringsSep "\n" (concatLists [
       # Elasticsearch 5.x won't start when the scripts directory does not exist
-    postBuild = if es5 then "${pkgs.coreutils}/bin/mkdir -p $out/scripts" else "";
+      (optional es5 "${pkgs.coreutils}/bin/mkdir -p $out/scripts")
+      (optional es6 "ln -s ${cfg.package}/config/jvm.options $out/jvm.options")
+    ]);
   };
 
   esPlugins = pkgs.buildEnv {

nixos/modules/services/security/tor.nix

@@ -703,14 +703,10 @@ in
         after    = [ "network.target" ];
         restartTriggers = [ torRcFile ];
 
-        # Translated from the upstream contrib/dist/tor.service.in
-        preStart = ''
-          install -o tor -g tor -d ${torDirectory}/onion ${torRunDirectory}
-          ${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config
-        '';
-
         serviceConfig =
           { Type         = "simple";
+            # Translated from the upstream contrib/dist/tor.service.in
+            ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config";
             ExecStart    = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0";
             ExecReload   = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
             KillSignal   = "SIGINT";
@@ -725,6 +721,8 @@ in
             #   DeviceAllow /dev/urandom r
             # .. but we can't specify DeviceAllow multiple times. 'closed'
             # is close enough.
+            RuntimeDirectory        = "tor";
+            StateDirectory          = [ "tor" "tor/onion" ];
             PrivateTmp              = "yes";
             DevicePolicy            = "closed";
             InaccessibleDirectories = "/home";

nixos/modules/services/torrent/transmission.nix

@@ -147,6 +147,7 @@ in
           ${getLib pkgs.libcap}/lib/libcap*.so*            mr,
           ${getLib pkgs.attr}/lib/libattr*.so*             mr,
           ${getLib pkgs.lz4}/lib/liblz4*.so*               mr,
+          ${getLib pkgs.libkrb5}/lib/lib*.so*              mr,
 
           @{PROC}/sys/kernel/random/uuid   r,
           @{PROC}/sys/vm/overcommit_memory r,

nixos/modules/services/web-apps/atlassian/jira.nix

@@ -155,7 +155,7 @@ in
       requires = [ "postgresql.service" ];
       after = [ "postgresql.service" ];
 
-      path = [ cfg.jrePackage ];
+      path = [ cfg.jrePackage pkgs.bash ];
 
       environment = {
         JIRA_USER = cfg.user;

nixos/modules/services/web-apps/tt-rss.nix

@@ -466,10 +466,10 @@ let
       '';
     };
 
-    services.nginx = {
-      enable = true;
     # NOTE: No configuration is done if not using virtual host
-      virtualHosts = mkIf (cfg.virtualHost != null) {
+    services.nginx = mkIf (cfg.virtualHost != null) {
+      enable = true;
+      virtualHosts = {
         "${cfg.virtualHost}" = {
           root = "${cfg.root}";
 

nixos/modules/services/web-servers/nginx/default.nix

@@ -9,15 +9,16 @@ let
       serverName = if vhostConfig.serverName != null
         then vhostConfig.serverName
         else vhostName;
+      acmeDirectory = config.security.acme.directory;
     in
     vhostConfig // {
       inherit serverName;
     } // (optionalAttrs vhostConfig.enableACME {
-      sslCertificate = "/var/lib/acme/${serverName}/fullchain.pem";
+      sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${serverName}/key.pem";
+      sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem";
     }) // (optionalAttrs (vhostConfig.useACMEHost != null) {
-      sslCertificate = "/var/lib/acme/${vhostConfig.useACMEHost}/fullchain.pem";
+      sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
-      sslCertificateKey = "/var/lib/acme/${vhostConfig.useACMEHost}/key.pem";
+      sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem";
     })
   ) cfg.virtualHosts;
   enableIPv6 = config.networking.enableIPv6;

nixos/modules/services/x11/xserver.nix

@@ -626,9 +626,7 @@ in
 
         environment =
           {
-            XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
+            LD_LIBRARY_PATH = concatStringsSep ":" ([ "/run/opengl-driver/lib" ]
-            LD_LIBRARY_PATH = concatStringsSep ":" (
-              [ "${xorg.libX11.out}/lib" "${xorg.libXext.out}/lib" "/run/opengl-driver/lib" ]
               ++ concatLists (catAttrs "libPath" cfg.drivers));
           } // cfg.displayManager.job.environment;
 

nixos/modules/system/boot/kernel.nix

@@ -77,8 +77,8 @@ in
       type = types.int;
       default = 4;
       description = ''
-        The kernel console log level.  Log messages with a priority
+        The kernel console <literal>loglevel</literal>. All Kernel Messages with a log level smaller
-        numerically less than this will not appear on the console.
+        than this setting will be printed to the console.
       '';
     };
 

nixos/modules/system/boot/systemd.nix

@@ -137,7 +137,6 @@ let
 
       # Slices / containers.
       "slices.target"
-      "system.slice"
       "user.slice"
       "machine.slice"
       "machines.target"
@@ -836,7 +835,8 @@ in
 
     system.requiredKernelConfig = map config.lib.kernelConfig.isEnabled
       [ "DEVTMPFS" "CGROUPS" "INOTIFY_USER" "SIGNALFD" "TIMERFD" "EPOLL" "NET"
-        "SYSFS" "PROC_FS" "FHANDLE" "DMIID" "AUTOFS4_FS" "TMPFS_POSIX_ACL"
+        "SYSFS" "PROC_FS" "FHANDLE" "CRYPTO_USER_API_HASH" "CRYPTO_HMAC"
+        "CRYPTO_SHA256" "DMIID" "AUTOFS4_FS" "TMPFS_POSIX_ACL"
         "TMPFS_XATTR" "SECCOMP"
       ];
 

nixos/modules/tasks/filesystems/exfat.nix

@@ -5,7 +5,7 @@ with lib;
 {
   config = mkIf (any (fs: fs == "exfat") config.boot.supportedFilesystems) {
 
-    system.fsPackages = [ pkgs.exfat-utils pkgs.fuse_exfat ];
+    system.fsPackages = [ pkgs.exfat ];
 
   };
 }

nixos/modules/tasks/filesystems/zfs.nix

@@ -305,6 +305,8 @@ in
         }
       ];
 
+      virtualisation.lxd.zfsSupport = true;
+
       boot = {
         kernelModules = [ "spl" "zfs" ] ;
         extraModulePackages = with packages; [ spl zfs ];
@@ -452,7 +454,7 @@ in
                               }) snapshotNames);
 
       systemd.timers = let
-                         timer = name: if name == "frequent" then "*:15,30,45" else name;
+                         timer = name: if name == "frequent" then "*:0,15,30,45" else name;
                        in builtins.listToAttrs (map (snapName:
                             {
                               name = "zfs-snapshot-${snapName}";

nixos/modules/tasks/network-interfaces-scripted.nix

@@ -191,7 +191,7 @@ let
                     if out=$(ip addr add "${cidr}" dev "${i.name}" 2>&1); then
                       echo "done"
                     elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then
-                      echo "failed"
+                      echo "'ip addr add "${cidr}" dev "${i.name}"' failed: $out"
                       exit 1
                     fi
                   ''
@@ -212,7 +212,7 @@ let
                      if out=$(ip route add "${cidr}" ${options} ${via} dev "${i.name}" 2>&1); then
                        echo "done"
                      elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then
-                       echo "failed"
+                       echo "'ip route add "${cidr}" ${options} ${via} dev "${i.name}"' failed: $out"
                        exit 1
                      fi
                   ''

nixos/modules/virtualisation/azure-agent.nix

@@ -66,6 +66,10 @@ in
       default = false;
       description = "Whether to enable verbose logging.";
     };
+    mountResourceDisk = mkOption {
+      default = true;
+      description = "Whether the agent should format (ext4) and mount the resource disk to /mnt/resource.";
+    };
   };
 
   ###### implementation
@@ -112,7 +116,7 @@ in
         Provisioning.ExecuteCustomData=n
 
         # Format if unformatted. If 'n', resource disk will not be mounted.
-        ResourceDisk.Format=y
+        ResourceDisk.Format=${if cfg.mountResourceDisk then "y" else "n"}
 
         # File system on the resource disk
         # Typically ext3 or ext4. FreeBSD images should use 'ufs2' here.
@@ -181,7 +185,7 @@ in
       after = [ "network-online.target" "sshd.service" ];
       wants = [ "network-online.target" ];
 
-      path = [ pkgs.e2fsprogs ];
+      path = [ pkgs.e2fsprogs pkgs.bash ];
       description = "Windows Azure Agent Service";
       unitConfig.ConditionPathExists = "/etc/waagent.conf";
       serviceConfig = {

nixos/modules/virtualisation/google-compute-image.nix

@@ -75,6 +75,9 @@ in
 
   networking.usePredictableInterfaceNames = false;
 
+  # GC has 1460 MTU
+  networking.interfaces.eth0.mtu = 1460;
+
   # allow the google-accounts-daemon to manage users
   users.mutableUsers = true;
   # and allow users to sudo without password

nixos/modules/virtualisation/lxc.nix

@@ -74,6 +74,9 @@ in
     systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];
 
     security.apparmor.packages = [ pkgs.lxc ];
-    security.apparmor.profiles = [ "${pkgs.lxc}/etc/apparmor.d/lxc-containers" ];
+    security.apparmor.profiles = [
+      "${pkgs.lxc}/etc/apparmor.d/lxc-containers"
+      "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start"
+    ];
   };
 }

nixos/modules/virtualisation/lxd.nix

@@ -15,28 +15,34 @@ in
 
   options = {
 
-    virtualisation.lxd.enable =
+    virtualisation.lxd = {
-      mkOption {
+      enable = mkOption {
         type = types.bool;
         default = false;
-        description =
+        description = ''
-          ''
           This option enables lxd, a daemon that manages
           containers. Users in the "lxd" group can interact with
           the daemon (e.g. to start or stop containers) using the
           <command>lxc</command> command line tool, among others.
         '';
       };
-
+      zfsSupport = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          enables lxd to use zfs as a storage for containers.
+          This option is enabled by default if a zfs pool is configured
+          with nixos.
+        '';
+      };
+    };
   };
-
 
   ###### implementation
 
   config = mkIf cfg.enable {
 
-    environment.systemPackages =
+    environment.systemPackages = [ pkgs.lxd ];
-      [ pkgs.lxd ];
 
     security.apparmor = {
       enable = true;
@@ -47,22 +53,24 @@ in
       packages = [ pkgs.lxc ];
     };
 
-    systemd.services.lxd =
+    systemd.services.lxd = {
-      { description = "LXD Container Management Daemon";
+      description = "LXD Container Management Daemon";
 
       wantedBy = [ "multi-user.target" ];
       after = [ "systemd-udev-settle.service" ];
 
-        # TODO(wkennington): Add lvm2 and thin-provisioning-tools
+      path = lib.optional cfg.zfsSupport pkgs.zfs;
-        path = with pkgs; [ acl rsync gnutar xz btrfs-progs gzip dnsmasq squashfsTools iproute iptables ];
 
       preStart = ''
         mkdir -m 0755 -p /var/lib/lxc/rootfs
       '';
 
-        serviceConfig.ExecStart = "@${pkgs.lxd.bin}/bin/lxd lxd --syslog --group lxd";
+      serviceConfig = {
-        serviceConfig.Type = "simple";
+        ExecStart = "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd";
-        serviceConfig.KillMode = "process"; # when stopping, leave the containers alone
+        Type = "simple";
+        KillMode = "process"; # when stopping, leave the containers alone
+      };
+
     };
 
     users.extraGroups.lxd.gid = config.ids.gids.lxd;
@@ -71,7 +79,5 @@ in
       subUidRanges = [ { startUid = 1000000; count = 65536; } ];
       subGidRanges = [ { startGid = 1000000; count = 65536; } ];
     };
-
   };
-
 }

nixos/modules/virtualisation/qemu-vm.nix

@@ -98,7 +98,7 @@ let
           ${qemuGraphics} \
           ${toString config.virtualisation.qemu.options} \
           $QEMU_OPTS \
-          $@
+          "$@"
     '';
 
 

nixos/release.nix

@@ -166,8 +166,12 @@ in rec {
     inherit system;
   });
 
-  sd_image = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage {
+  sd_image = forMatchingSystems [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ] (system: makeSdImage {
-    module = ./modules/installer/cd-dvd/sd-image-aarch64.nix;
+    module = {
+        armv6l-linux = ./modules/installer/cd-dvd/sd-image-raspberrypi.nix;
+        armv7l-linux = ./modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix;
+        aarch64-linux = ./modules/installer/cd-dvd/sd-image-aarch64.nix;
+      }.${system};
     inherit system;
   });
 
@@ -266,6 +270,7 @@ in rec {
   tests.couchdb = callTest tests/couchdb.nix {};
   tests.docker = callTestOnMatchingSystems ["x86_64-linux"] tests/docker.nix {};
   tests.docker-tools = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-tools.nix {};
+  tests.docker-tools-overlay = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-tools-overlay.nix {};
   tests.docker-edge = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-edge.nix {};
   tests.dovecot = callTest tests/dovecot.nix {};
   tests.dnscrypt-proxy = callTestOnMatchingSystems ["x86_64-linux"] tests/dnscrypt-proxy.nix {};
@@ -295,6 +300,7 @@ in rec {
   tests.hound = callTest tests/hound.nix {};
   tests.hocker-fetchdocker = callTest tests/hocker-fetchdocker {};
   tests.i3wm = callTest tests/i3wm.nix {};
+  tests.iftop = callTest tests/iftop.nix {};
   tests.initrd-network-ssh = callTest tests/initrd-network-ssh {};
   tests.installer = callSubTests tests/installer.nix {};
   tests.influxdb = callTest tests/influxdb.nix {};
@@ -364,7 +370,7 @@ in rec {
   tests.prometheus = callTest tests/prometheus.nix {};
   tests.prosody = callTest tests/prosody.nix {};
   tests.proxy = callTest tests/proxy.nix {};
-  # tests.quagga = callTest tests/quagga.nix {};
+  tests.quagga = callTest tests/quagga.nix {};
   tests.quake3 = callTest tests/quake3.nix {};
   tests.rabbitmq = callTest tests/rabbitmq.nix {};
   tests.radicale = callTest tests/radicale.nix {};

nixos/tests/chromium.nix

@@ -151,11 +151,11 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
 
       $machine->screenshot("sandbox_info");
 
-      $machine->succeed(ru "${xdo "submit-url" ''
+      $machine->succeed(ru "${xdo "find-window" ''
         search --sync --onlyvisible --name "sandbox status"
         windowfocus --sync
       ''}");
-      $machine->succeed(ru "${xdo "submit-url" ''
+      $machine->succeed(ru "${xdo "copy-sandbox-info" ''
         key --delay 1000 Ctrl+a Ctrl+c
       ''}");
 
@@ -166,6 +166,26 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
           && $clipboard =~ /network namespaces.*yes/mi
           && $clipboard =~ /seccomp.*sandbox.*yes/mi
           && $clipboard =~ /you are adequately sandboxed/mi;
+
+      $machine->sleep(1);
+      $machine->succeed(ru "${xdo "find-window-after-copy" ''
+        search --onlyvisible --name "sandbox status"
+      ''}");
+
+      my $clipboard = $machine->succeed(ru "echo void | ${pkgs.xclip}/bin/xclip -i");
+      $machine->succeed(ru "${xdo "copy-sandbox-info" ''
+        key --delay 1000 Ctrl+a Ctrl+c
+      ''}");
+
+      my $clipboard = $machine->succeed(ru "${pkgs.xclip}/bin/xclip -o");
+      die "copying twice in a row does not work properly: $clipboard"
+      unless $clipboard =~ /namespace sandbox.*yes/mi
+          && $clipboard =~ /pid namespaces.*yes/mi
+          && $clipboard =~ /network namespaces.*yes/mi
+          && $clipboard =~ /seccomp.*sandbox.*yes/mi
+          && $clipboard =~ /you are adequately sandboxed/mi;
+
+      $machine->screenshot("afer_copy_from_chromium");
     };
 
     $machine->shutdown;

nixos/tests/docker-tools-overlay.nix

@@ -0,0 +1,32 @@
+# this test creates a simple GNU image with docker tools and sees if it executes
+
+import ./make-test.nix ({ pkgs, ... }:
+{
+  name = "docker-tools-overlay";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ lnl7 ];
+  };
+
+  nodes = {
+    docker =
+      { config, pkgs, ... }:
+      {
+        virtualisation.docker.enable = true;
+        virtualisation.docker.storageDriver = "overlay";  # defaults to overlay2
+      };
+  };
+
+  testScript =
+    ''
+      $docker->waitForUnit("sockets.target");
+
+      $docker->succeed("docker load --input='${pkgs.dockerTools.examples.bash}'");
+      $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.bash.imageName} bash --version");
+
+      # Check if the nix store has correct user permissions depending on what
+      # storage driver is used, incorrectly built images can show up as readonly.
+      # drw-------  3 0 0   3 Apr 14 11:36 /nix
+      # drw------- 99 0 0 100 Apr 14 11:36 /nix/store
+      $docker->succeed("docker run --rm -u 1000:1000 ${pkgs.dockerTools.examples.bash.imageName} bash --version");
+    '';
+})

nixos/tests/docker-tools.nix

@@ -3,7 +3,7 @@
 import ./make-test.nix ({ pkgs, ... }: {
   name = "docker-tools";
   meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ ];
+    maintainers = [ lnl7 ];
   };
 
   nodes = {
@@ -21,12 +21,12 @@ import ./make-test.nix ({ pkgs, ... }: {
       $docker->waitForUnit("sockets.target");
 
       $docker->succeed("docker load --input='${pkgs.dockerTools.examples.bash}'");
-      $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.bash.imageName} /bin/bash --version");
+      $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.bash.imageName} bash --version");
       $docker->succeed("docker rmi ${pkgs.dockerTools.examples.bash.imageName}");
 
       # Check if the nix store is correctly initialized by listing dependencies of the installed Nix binary
       $docker->succeed("docker load --input='${pkgs.dockerTools.examples.nix}'");
-      $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.nix.imageName} /bin/nix-store -qR ${pkgs.nix}");
+      $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.nix.imageName} nix-store -qR ${pkgs.nix}");
       $docker->succeed("docker rmi ${pkgs.dockerTools.examples.nix.imageName}");
 
       # To test the pullImage tool

nixos/tests/iftop.nix

@@ -0,0 +1,30 @@
+import ./make-test.nix ({ pkgs, lib, ... }:
+
+with lib;
+
+{
+  name = "iftop";
+  meta.maintainers = with pkgs.stdenv.lib.maintainers; [ ma27 ];
+
+  nodes = {
+    withIftop = {
+      imports = [ ./common/user-account.nix ];
+
+      programs.iftop.enable = true;
+    };
+    withoutIftop = {
+      imports = [ ./common/user-account.nix ];
+    };
+  };
+
+  testScript = ''
+    subtest "machine with iftop enabled", sub {
+      $withIftop->start;
+      $withIftop->succeed("su -l alice -c 'iftop -t -s 1'");
+    };
+    subtest "machine without iftop", sub {
+      $withoutIftop->start;
+      $withoutIftop->mustFail("su -l alice -c 'iftop -t -s 1'");
+    };
+  '';
+})

nixos/tests/kernel-copperhead.nix

@@ -6,14 +6,14 @@ import ./make-test.nix ({ pkgs, ...} : {
 
   machine = { config, lib, pkgs, ... }:
     {
-      boot.kernelPackages = pkgs.linuxPackages_hardened_copperhead;
+      boot.kernelPackages = pkgs.linuxPackages_copperhead_hardened;
     };
 
   testScript =
     ''
       $machine->succeed("uname -a");
       $machine->succeed("uname -s | grep 'Linux'");
-      $machine->succeed("uname -a | grep '${pkgs.linuxPackages_hardened_copperhead.kernel.modDirVersion}'");
+      $machine->succeed("uname -a | grep '${pkgs.linuxPackages_copperhead_hardened.kernel.modDirVersion}'");
       $machine->succeed("uname -a | grep 'hardened'");
     '';
 })

pkgs/applications/altcoins/dcrd.nix

@@ -29,5 +29,6 @@ buildGoPackage rec {
     homepage = "https://decred.org";
     description = "Decred daemon in Go (golang)";
     license = with lib.licenses; [ isc ];
+    broken = stdenv.isLinux; # 2018-04-10
   };
 }

pkgs/applications/altcoins/dcrwallet.nix

@@ -38,5 +38,6 @@ buildGoPackage rec {
     homepage = "https://decred.org";
     description = "Decred daemon in Go (golang)";
     license = with lib.licenses; [ isc ];
+    broken = stdenv.isLinux; # 2018-04-10
   };
 }

pkgs/applications/altcoins/hevm.nix

@@ -55,6 +55,7 @@ lib.overrideDerivation (mkDerivation rec {
   description = "Ethereum virtual machine evaluator";
   license = stdenv.lib.licenses.agpl3;
   maintainers = [stdenv.lib.maintainers.dbrock];
+  broken = true; # 2018-04-10
 }) (attrs: {
   buildInputs = attrs.buildInputs ++ [solc];
   nativeBuildInputs = attrs.nativeBuildInputs ++ [makeWrapper];

pkgs/applications/audio/asunder/default.nix

@@ -12,11 +12,11 @@
 with stdenv.lib;
 
 stdenv.mkDerivation rec {
-  version = "2.9.2";
+  version = "2.9.3";
   name = "asunder-${version}";
   src = fetchurl {
     url = "http://littlesvr.ca/asunder/releases/${name}.tar.bz2";
-    sha256 = "0vjbxrrjih4c673sc39wj5whp81xp9kmnwqxwzfnmhkky970rg5r";
+    sha256 = "1630i1df06y840v3fgdf75jxw1s8kwbfn5bhi0686viah0scccw5";
   };
 
   nativeBuildInputs = [ pkgconfig ];

pkgs/applications/audio/bitwig-studio/bitwig-studio2.nix

@@ -3,11 +3,11 @@
 
 bitwig-studio1.overrideAttrs (oldAttrs: rec {
   name = "bitwig-studio-${version}";
-  version = "2.2.2";
+  version = "2.3.1";
 
   src = fetchurl {
     url    = "https://downloads.bitwig.com/stable/${version}/bitwig-studio-${version}.deb";
-    sha256 = "1x4wka32xlygmhdh9rb15s37zh5qjrgap2qk35y34c52lf5aak22";
+    sha256 = "18gghx0ygwh01cidj8mkf82l9qhq2dy1b3yc4ajksvj762yg6cf2";
   };
 
   buildInputs = bitwig-studio1.buildInputs ++ [ ffmpeg ];

pkgs/applications/audio/caps/default.nix

@@ -9,9 +9,13 @@ stdenv.mkDerivation rec {
 
   patches = [
     (fetchurl {
-      url = "https://anonscm.debian.org/cgit/pkg-multimedia/caps.git/plain/debian/patches/0001-Avoid-ambiguity-in-div-invocation.patch";
+      url = "https://salsa.debian.org/multimedia-team/caps/raw/9a99c225/debian/patches/0001-Avoid-ambiguity-in-div-invocation.patch";
       sha256 = "1b1pb5yfskiw8zi1lkj572l2ajpirh4amq538vggwvlpv1fqfway";
     })
+    (fetchurl {
+      url = "https://salsa.debian.org/multimedia-team/caps/raw/a411203d/debian/patches/0002-Use-standard-exp10f-instead-of-pow10f.patch";
+      sha256 = "18ciklnscabr77l8b89xmbagkk79w4iqfpzr2yhn2ywv2jp8akx9";
+    })
   ];
 
   configurePhase = ''

pkgs/applications/audio/chuck/clang.patch

@@ -0,0 +1,58 @@
+diff --git a/src/ugen_osc.cpp b/src/ugen_osc.cpp
+index 6b93c6b..dbefe4f 100644
+--- a/src/ugen_osc.cpp
++++ b/src/ugen_osc.cpp
+@@ -1232,7 +1232,7 @@ CK_DLL_CTRL( gen5_coeffs )
+     Chuck_Array8 * in_args = (Chuck_Array8 *)GET_CK_OBJECT(ARGS);
+     
+     // fprintf(stdout, "calling gen10coeffs, %d\n", weights);
+-    if(in_args<0) return;
++    if(in_args!=0) return;
+     size = in_args->size();
+     if(size >= genX_MAX_COEFFS) size = genX_MAX_COEFFS - 1;
+     
+@@ -1287,7 +1287,7 @@ CK_DLL_CTRL( gen7_coeffs )
+     Chuck_Array8 * in_args = (Chuck_Array8 *)GET_CK_OBJECT(ARGS);
+     
+     // fprintf(stdout, "calling gen10coeffs, %d\n", weights);
+-    if(in_args<0) return;
++    if(in_args!=0) return;
+     size = in_args->size();
+     if(size >= genX_MAX_COEFFS) size = genX_MAX_COEFFS - 1;
+     
+@@ -1340,7 +1340,7 @@ CK_DLL_CTRL( gen9_coeffs )
+     Chuck_Array8 * weights = (Chuck_Array8 *)GET_CK_OBJECT(ARGS);
+     
+     // fprintf(stdout, "calling gen10coeffs, %d\n", weights);
+-    if(weights<0) return;
++    if(weights!=0) return;
+     size = weights->size();
+     if(size >= genX_MAX_COEFFS) size = genX_MAX_COEFFS - 1;
+     
+@@ -1390,7 +1390,7 @@ CK_DLL_CTRL( gen10_coeffs )
+     Chuck_Array8 * weights = (Chuck_Array8 *)GET_CK_OBJECT(ARGS);
+     
+     // fprintf(stdout, "calling gen10coeffs, %d\n", weights);
+-    if(weights<0) return;
++    if(weights!=0) return;
+     size = weights->size();
+     if(size >= genX_MAX_COEFFS) size = genX_MAX_COEFFS - 1;
+     
+@@ -1441,7 +1441,7 @@ CK_DLL_CTRL( gen17_coeffs )
+     Chuck_Array8 * weights = (Chuck_Array8 *)GET_CK_OBJECT(ARGS);
+     
+     // fprintf(stdout, "calling gen17coeffs, %d\n", weights);
+-    if(weights<0) return;
++    if(weights!=0) return;
+     size = weights->size();
+     if(size >= genX_MAX_COEFFS) size = genX_MAX_COEFFS - 1;
+     
+@@ -1502,7 +1502,7 @@ CK_DLL_CTRL( curve_coeffs )
+     Chuck_Array8 * weights = (Chuck_Array8 *)GET_CK_OBJECT(ARGS);
+     
+     // fprintf(stdout, "calling gen17coeffs, %d\n", weights);
+-    if(weights<0) goto done;
++    if(weights!=0) goto done;
+ 
+     nargs = weights->size();
+     if (nargs < 5 || (nargs % 3) != 2)  {   // check number of args

pkgs/applications/audio/chuck/default.nix

@@ -1,4 +1,6 @@
-{ stdenv, fetchurl, alsaLib, bison, flex, libsndfile, which }:
+{ stdenv, fetchurl, alsaLib, bison, flex, libsndfile, which
+, AppKit, Carbon, CoreAudio, CoreMIDI, CoreServices, Kernel
+}:
 
 stdenv.mkDerivation rec {
   version = "1.3.5.2";
@@ -10,19 +12,24 @@ stdenv.mkDerivation rec {
   };
 
   buildInputs = [ bison flex libsndfile which ]
-    ++ stdenv.lib.optional (!stdenv.isDarwin) alsaLib;
+    ++ stdenv.lib.optional (!stdenv.isDarwin) alsaLib
+    ++ stdenv.lib.optional stdenv.isDarwin [ AppKit Carbon CoreAudio CoreMIDI CoreServices Kernel ];
 
-  patches = [ ./darwin-limits.patch ];
+  patches = [ ./clang.patch ./darwin-limits.patch ];
+
+  NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.isDarwin "-Wno-missing-sysroot";
+  NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isDarwin "-framework MultitouchSupport";
 
   postPatch = ''
     substituteInPlace src/makefile --replace "/usr/bin" "$out/bin"
     substituteInPlace src/makefile.osx --replace "xcodebuild" "/usr/bin/xcodebuild"
     substituteInPlace src/makefile.osx --replace "weak_framework" "framework"
+    substituteInPlace src/makefile.osx --replace "MACOSX_DEPLOYMENT_TARGET=10.5" "MACOSX_DEPLOYMENT_TARGET=$MACOSX_DEPLOYMENT_TARGET"
   '';
 
-  buildPhase =
+  buildPhase = ''
-    stdenv.lib.optionals stdenv.isLinux  ["make -C src linux-alsa"] ++
+    make -C src ${if stdenv.isDarwin then "osx" else "linux-alsa"}
-    stdenv.lib.optionals stdenv.isDarwin ["make -C src osx"];
+  '';
 
   installPhase = ''
     install -Dm755 ./src/chuck $out/bin/chuck

pkgs/applications/audio/clementine/default.nix

@@ -76,6 +76,8 @@ let
 
     enableParallelBuilding = true;
 
+    passthru.unfree = unfree;
+
     meta = with stdenv.lib; {
       homepage = http://www.clementine-player.org;
       description = "A multiplatform music player";
@@ -85,8 +87,8 @@ let
     };
   };
 
-  # Spotify blob for Clementine
+  # Unfree Spotify blob for Clementine
-  blob = stdenv.mkDerivation {
+  unfree = stdenv.mkDerivation {
     name = "clementine-blob-${version}";
     # Use the same patches and sources as Clementine
     inherit src nativeBuildInputs postPatch;
@@ -95,7 +97,7 @@ let
       ./clementine-spotify-blob.patch
     ];
 
-    buildInputs = buildInputs ++ [ libspotify ];
+    buildInputs = buildInputs ++ [ libspotify makeWrapper gst_plugins ];
     # Only build and install the Spotify blob
     preBuild = ''
       cd ext/clementine-spotifyblob
@@ -104,6 +106,15 @@ let
       mkdir -p $out/libexec/clementine
       mv $out/bin/clementine-spotifyblob $out/libexec/clementine
       rmdir $out/bin
+
+      makeWrapper ${free}/bin/clementine $out/bin/clementine \
+        --set CLEMENTINE_SPOTIFYBLOB $out/libexec/clementine \
+        --prefix GST_PLUGIN_SYSTEM_PATH_1_0 : "$GST_PLUGIN_SYSTEM_PATH_1_0"
+
+      mkdir -p $out/share
+      for dir in applications icons kde4; do
+        ln -s "$free/share/$dir" "$out/share/$dir"
+      done
     '';
     enableParallelBuilding = true;
     meta = with stdenv.lib; {
@@ -116,34 +127,4 @@ let
     };
   };
 
-in
+in free
-
-with stdenv.lib;
-
-runCommand "clementine-${version}"
-{
-  inherit blob free;
-  buildInputs = [ makeWrapper ] ++ gst_plugins; # for the setup-hooks
-  dontPatchELF = true;
-  dontStrip = true;
-  meta = {
-    description = "A multiplatform music player"
-      + " (" + (optionalString withSpotify "with Spotify, ")
-      + "with gstreamer plugins: "
-      + concatStrings (intersperse ", " (map (x: x.name) gst_plugins))
-      + ")";
-    license = licenses.gpl3Plus;
-    inherit (free.meta) homepage platforms maintainers;
-  };
-}
-''
-  mkdir -p $out/bin
-  makeWrapper "$free/bin/${exeName}" "$out/bin/${exeName}" \
-      ${optionalString withSpotify "--set CLEMENTINE_SPOTIFYBLOB \"$blob/libexec/clementine\""} \
-      --prefix GST_PLUGIN_SYSTEM_PATH_1_0 : "$GST_PLUGIN_SYSTEM_PATH_1_0"
-
-  mkdir -p $out/share
-  for dir in applications icons kde4; do
-      ln -s "$free/share/$dir" "$out/share/$dir"
-  done
-''

pkgs/applications/audio/crip/default.nix

@@ -0,0 +1,68 @@
+{ stdenv
+, fetchurl
+, makeWrapper
+
+, perl
+, perlPackages
+
+, cdparanoia
+, coreutils
+, eject
+, flac
+, gnugrep
+, nano
+, sox
+, vorbis-tools
+, vorbisgain
+, which
+}:
+
+with stdenv.lib;
+
+stdenv.mkDerivation rec {
+  name = "crip-3.9";
+  src = fetchurl {
+    url = "http://bach.dynet.com/crip/src/${name}.tar.gz";
+    sha256 = "0pk9152wll6fmkj1pki3fz3ijlf06jyk32v31yarwvdkwrk7s9xz";
+  };
+
+  buildInputs = [ perl perlPackages.CDDB_get ];
+  nativeBuildInputs = [ makeWrapper ];
+
+  toolDeps = makeBinPath [
+    cdparanoia
+    coreutils
+    eject
+    flac
+    gnugrep
+    sox
+    vorbis-tools
+    vorbisgain
+    which
+  ];
+
+  scripts = [ "crip" "editcomment" "editfilenames" ];
+
+  installPhase = ''
+    mkdir -p $out/bin/
+
+    for script in ${escapeShellArgs scripts}; do
+      cp $script $out/bin/
+
+      substituteInPlace $out/bin/$script \
+        --replace '$editor = "vim";' '$editor = "${nano}/bin/nano";'
+
+      wrapProgram $out/bin/$script \
+        --set PERL5LIB "${makePerlPath [ perlPackages.CDDB_get ]}" \
+        --set PATH "${toolDeps}"
+    done
+  '';
+
+  meta = {
+    homepage = http://bach.dynet.com/crip/;
+    description = "Terminal-based ripper/encoder/tagger tool for creating Ogg Vorbis/FLAC files";
+    license = stdenv.lib.licenses.gpl1;
+    platforms = stdenv.lib.platforms.linux;
+    maintainers = [ maintainers.endgame ];
+  };
+}

pkgs/applications/audio/eq10q/default.nix

@@ -1,4 +1,5 @@
-{ stdenv, fetchurl, cmake, fftw, gtkmm2, libxcb, lv2, pkgconfig, xorg }:
+{ stdenv, fetchurl, fetchpatch, cmake, fftw, gtkmm2, libxcb, lv2, pkgconfig
+, xorg }:
 stdenv.mkDerivation rec {
   name = "eq10q-${version}";
   version = "2.2";
@@ -10,6 +11,14 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkgconfig ];
   buildInputs = [ cmake fftw gtkmm2 libxcb lv2 xorg.libpthreadstubs xorg.libXdmcp xorg.libxshmfence ];
 
+  patches = [
+    (fetchpatch {
+      # glibc 2.27 compatibility
+      url = https://sources.debian.org/data/main/e/eq10q/2.2~repack0-2.1/debian/patches/05-pow10.patch;
+      sha256 = "07b0wf6k4xqgigv4h095bzfaw8r218wa36r9w1817jcys13r6c5r";
+    })
+  ];
+
   installFlags = ''
     DESTDIR=$(out)
   '';

pkgs/applications/audio/fluidsynth/default.nix

@@ -5,13 +5,13 @@
 
 stdenv.mkDerivation  rec {
   name = "fluidsynth-${version}";
-  version = "1.1.9";
+  version = "1.1.10";
 
   src = fetchFromGitHub {
     owner = "FluidSynth";
     repo = "fluidsynth";
     rev = "v${version}";
-    sha256 = "0krvmb1idnf95l2ydzfcb08ayyx3n4m71hf9fgwv3srzaikvpf3q";
+    sha256 = "04jlgq1d1hd8r9cnmkl3lgf1fgm7kgy4hh9nfddap41fm1wp121p";
   };
 
   nativeBuildInputs = [ pkgconfig cmake ];

pkgs/applications/audio/freewheeling/default.nix

@@ -8,13 +8,13 @@ in
 
 stdenv.mkDerivation rec {
   name = "freewheeling-${version}";
-  version = "0.6.2";
+  version = "0.6.4";
 
   src = fetchFromGitHub {
     owner = "free-wheeling";
     repo = "freewheeling";
     rev = "v${version}";
-    sha256 = "01hmp0jxzxpb5sl0x91hdlwmbw9n4yffrpra4f89s4n8cixrz3d9";
+    sha256 = "1xflbbnjdibjmyxb1zq8liylaw5k03nnl1z3272jh204pqh17ri9";
   };
 
   nativeBuildInputs = [ pkgconfig autoreconfHook libtool ];

pkgs/applications/audio/mi2ly/default.nix

@@ -36,5 +36,6 @@ stdenv.mkDerivation {
     license = stdenv.lib.licenses.gpl2Plus ;
     maintainers = [stdenv.lib.maintainers.raskin];
     platforms = stdenv.lib.platforms.linux;
+    broken = true; # 2018-04-11
   };
 }

pkgs/applications/audio/mopidy/iris.nix

@@ -2,11 +2,11 @@
 
 pythonPackages.buildPythonApplication rec {
   pname = "Mopidy-Iris";
-  version = "3.14.2";
+  version = "3.16.3";
 
   src = pythonPackages.fetchPypi {
     inherit pname version;
-    sha256 = "19affzk45wby50gwxwzqgwa7h7618lcs48ngdsa06sd66s8x2fza";
+    sha256 = "1zdlvrqlj1hapaxnskrbp9idziy3rcxhpqhw3x4q25cjbl8m0b0d";
   };
 
   propagatedBuildInputs = [
@@ -17,8 +17,11 @@ pythonPackages.buildPythonApplication rec {
     pylast
     spotipy
     raven
+    tornado
   ]);
 
+  postPatch = "sed -i /tornado/d setup.py";
+
   # no tests implemented
   doCheck = false;
 

pkgs/applications/audio/ncmpc/default.nix

@@ -3,20 +3,18 @@
 
 stdenv.mkDerivation rec {
   name = "ncmpc-${version}";
-  version = "0.29";
+  version = "0.30";
 
   src = fetchFromGitHub {
     owner  = "MusicPlayerDaemon";
     repo   = "ncmpc";
     rev    = "v${version}";
-    sha256 = "1b2kbx2phbf4s2qpy7mx72c87xranljr0yam6z9m1i1kvcnp8q1q";
+    sha256 = "0s2bynm5szrk8bjhg200mvsm2ny0wz9s10nx7r69y9y4jsxr8624";
   };
 
   buildInputs = [ glib ncurses mpd_clientlib ];
   nativeBuildInputs = [ meson ninja pkgconfig gettext ];
 
-  NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isDarwin "-lintl";
-
   meta = with stdenv.lib; {
     description = "Curses-based interface for MPD (music player daemon)";
     homepage    = https://www.musicpd.org/clients/ncmpc/;

pkgs/applications/audio/ncmpcpp/default.nix

@@ -12,11 +12,11 @@ assert taglibSupport -> (taglib != null);
 with stdenv.lib;
 stdenv.mkDerivation rec {
   name = "ncmpcpp-${version}";
-  version = "0.8.1";
+  version = "0.8.2";
 
   src = fetchurl {
     url = "https://ncmpcpp.rybczak.net/stable/${name}.tar.bz2";
-    sha256 = "1zw8d07b2bkssbsybg6jnmpq001w525viajrnz4jvfml3l55gyad";
+    sha256 = "0m0mjb049sl62vx13h9waavysa30mk0rphacksnvf94n13la62v5";
   };
 
   configureFlags = [ "BOOST_LIB_SUFFIX=" ]

pkgs/applications/audio/quodlibet/default.nix

@@ -1,5 +1,5 @@
-{ stdenv, fetchurl, python2Packages, wrapGAppsHook, gettext, intltool, libsoup, gnome3,
+{ stdenv, fetchurl, python3, wrapGAppsHook, gettext, intltool, libsoup, gnome3, gtk3, gdk_pixbuf,
-  tag ? "",
+  tag ? "", xvfb_run, dbus, glibcLocales, glib, gobjectIntrospection,
   gst_all_1, withGstPlugins ? true,
   xineBackend ? false, xineLib,
   withDbusPython ? false, withPyInotify ? false, withMusicBrainzNgs ? false, withPahoMqtt ? false,
@@ -7,38 +7,53 @@
   keybinder3 ? null, gtksourceview ? null, libmodplug ? null, kakasi ? null, libappindicator-gtk3 ? null }:
 
 let optionals = stdenv.lib.optionals; in
-python2Packages.buildPythonApplication rec {
+python3.pkgs.buildPythonApplication rec {
   name = "quodlibet${tag}-${version}";
-  version = "3.9.1";
+  version = "4.0.2";
 
   # XXX, tests fail
+  # https://github.com/quodlibet/quodlibet/issues/2820
   doCheck = false;
 
   src = fetchurl {
     url = "https://github.com/quodlibet/quodlibet/releases/download/release-${version}/quodlibet-${version}.tar.gz";
-    sha256 = "d2b42df5d439213973dc97149fddc779a6c90cec389c24baf1c0bdcc39ffe591";
+    sha256 = "072s983p3n84yl807pbdxsy5vrgs8jzzfl648gsri6kpwsp6w5fz";
   };
 
   nativeBuildInputs = [ wrapGAppsHook gettext intltool ];
-  # ++ (with python2Packages; [ pytest pyflakes pycodestyle polib ]); # test deps
 
-  buildInputs = [ gnome3.defaultIconTheme libsoup webkitgtk keybinder3 gtksourceview libmodplug libappindicator-gtk3 kakasi ]
+  checkInputs = with python3.pkgs; [ pytest pytest_xdist pyflakes pycodestyle polib xvfb_run dbus.daemon glibcLocales ];
+
+  buildInputs = [ gnome3.defaultIconTheme libsoup glib gtk3 webkitgtk gdk_pixbuf keybinder3 gtksourceview libmodplug libappindicator-gtk3 kakasi gobjectIntrospection ]
     ++ (if xineBackend then [ xineLib ] else with gst_all_1;
     [ gstreamer gst-plugins-base ] ++ optionals withGstPlugins [ gst-plugins-good gst-plugins-ugly gst-plugins-bad ]);
 
-  propagatedBuildInputs = with python2Packages;
+  propagatedBuildInputs = with python3.pkgs; [ pygobject3 pycairo mutagen gst-python feedparser ]
-    [ pygobject3 pycairo mutagen pygtk gst-python feedparser faulthandler futures ]
       ++ optionals withDbusPython [ dbus-python ]
       ++ optionals withPyInotify [ pyinotify ]
       ++ optionals withMusicBrainzNgs [ musicbrainzngs ]
       ++ optionals stdenv.isDarwin [ pyobjc ]
       ++ optionals withPahoMqtt [ paho-mqtt ];
 
-  makeWrapperArgs = optionals (kakasi != null) [ "--prefix PATH : ${kakasi}/bin" ];
+  LC_ALL = "en_US.UTF-8";
 
-  meta = {
+  checkPhase = ''
+    runHook preCheck
+    checkHomeDir=$(mktemp -d)
+    mkdir -p $checkHomeDir/.cache/thumbnails/normal # Required by TThumb.test_recreate_broken_cache_file
+    env XDG_DATA_DIRS="$out/share:${gtk3}/share/gsettings-schemas/${gtk3.name}:$XDG_DATA_DIRS" \
+      HOME=$checkHomeDir \
+      xvfb-run -s '-screen 0 800x600x24' dbus-run-session \
+        --config-file=${dbus.daemon}/share/dbus-1/session.conf \
+        py.test
+    runHook postCheck
+  '';
+
+  preFixup = stdenv.lib.optionalString (kakasi != null) "gappsWrapperArgs+=(--prefix PATH : ${kakasi}/bin)";
+
+  meta = with stdenv.lib; {
     description = "GTK+-based audio player written in Python, using the Mutagen tagging library";
-    license = stdenv.lib.licenses.gpl2;
+    license = licenses.gpl2Plus;
 
     longDescription = ''
       Quod Libet is a GTK+-based audio player written in Python, using
@@ -54,7 +69,7 @@ python2Packages.buildPythonApplication rec {
       & internet radio, and all major audio formats.
     '';
 
-    maintainers = with stdenv.lib.maintainers; [ coroa sauyon ];
+    maintainers = with maintainers; [ coroa sauyon ];
     homepage = https://quodlibet.readthedocs.io/en/latest/;
   };
 }

pkgs/applications/audio/spotify/default.nix

@@ -9,7 +9,7 @@ let
   # Latest version number can be found at:
   # http://repository-origin.spotify.com/pool/non-free/s/spotify-client/
   # Be careful not to pick the testing version.
-  version = "1.0.72.117.g6bd7cc73-35";
+  version = "1.0.77.338.g758ebd78-41";
 
   deps = [
     alsaLib
@@ -54,7 +54,7 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "https://repository-origin.spotify.com/pool/non-free/s/spotify-client/spotify-client_${version}_amd64.deb";
-    sha256 = "0yicwvg6jx8r657ff53326akq3g4ayiinlracjw5jrcs8x9whjap";
+    sha256 = "1971jc0431pl8yixpl37ryl2l0pqdf0xjvkg59nqdwj3vbdx5606";
   };
 
   buildInputs = [ dpkg makeWrapper ];

pkgs/applications/display-managers/sddm/default.nix

@@ -22,6 +22,10 @@ in mkDerivation rec {
     # Module Qt5::Test must be included in `find_package` before it is used.
     ''
       sed -i CMakeLists.txt -e '/find_package(Qt5/ s|)| Test)|'
+    ''
+    # Fix missing include for gettimeofday()
+    + ''
+      sed -e '1i#include <sys/time.h>' -i src/helper/HelperApp.cpp
     '';
 
   nativeBuildInputs = [ cmake extra-cmake-modules pkgconfig qttools ];

pkgs/applications/editors/android-studio/common.nix

@@ -5,10 +5,13 @@
 , fetchurl
 , findutils
 , file
+, fontsConf
 , git
 , glxinfo
 , gnugrep
+, gnused
 , gnutar
+, gtk2, gnome_vfs, glib, GConf
 , gzip
 , fontconfig
 , freetype
@@ -29,8 +32,6 @@
 , writeTextFile
 , xkeyboard_config
 , zlib
-, gtk2, gnome_vfs, glib, GConf
-, fontsConf
 }:
 
 let
@@ -57,6 +58,7 @@ let
           findutils
           gnugrep
           which
+          gnused
 
           # For Android emulator
           file