Merge master into PR

Conflicts: pkgs/top-level/all-packages.nix
2014-08-14 14:27:54 +02:00 · 2014-08-14 14:27:54 +02:00 · 0cc668bc1a
commit 0cc668bc1a
parent 749e73afc7 29a79bb0d5
3542 changed files with 30452 additions and 13149 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,5 @@ result-*
 /doc/manual.html
 /doc/manual.pdf
 .version-suffix
 .DS_Store
--- a/doc/Makefile
+++ b/doc/Makefile
@ -21,18 +21,18 @@ all: NEWS.html NEWS.txt manual.html manual.pdf
 NEWS.html: release-notes.xml
 	$(XSLTPROC) --nonet --xinclude --output $@ $(NEWS_OPTS) \
-	  $(docbookxsl)/html/docbook.xsl release-notes.xml
+	  $(docbookxsl)/xhtml/docbook.xsl release-notes.xml
 NEWS.txt: release-notes.xml
 	$(XSLTPROC) --nonet --xinclude quote-literals.xsl release-notes.xml | \
 	  $(XSLTPROC) --nonet --output $@.tmp.html $(NEWS_OPTS) \
-	  $(docbookxsl)/html/docbook.xsl -
+	  $(docbookxsl)/xhtml/docbook.xsl -
 	LANG=en_US w3m -dump $@.tmp.html > $@
 	rm $@.tmp.html
 manual.html: *.xml
 	$(XSLTPROC) --nonet --xinclude --output manual.html \
-	  $(docbookxsl)/html/docbook.xsl manual.xml
+	  $(docbookxsl)/xhtml/docbook.xsl manual.xml
 manual.pdf: *.xml
 	$(dblatex) \
--- a/doc/contributing.xml
+++ b/doc/contributing.xml
@ -0,0 +1,21 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xml:id="chap-contributing">
 <title>Contributing</title>
 <para>If you make modifications to the manual, it's important to build the manual before contributing:</para>
 <orderedlist>
  <listitem><para><command>$ git clone git://github.com/NixOS/nixpkgs.git</command></para></listitem>
  <listitem><para><command>$ cd nixpkgs/pkgs/top-level</command></para></listitem>
  <listitem><para><command>$ nix-build -A tarball release.nix</command></para></listitem>
  <listitem><para>Inside the built derivation you shall see <literal>manual/index.html</literal> file.</para></listitem>
 </orderedlist>
 </chapter>
--- a/doc/manual.xml
+++ b/doc/manual.xml
@ -32,6 +32,7 @@
  <xi:include href="language-support.xml" />
  <xi:include href="package-notes.xml" />
  <xi:include href="coding-conventions.xml" />
  <xi:include href="contributing.xml" />
 </book>
--- a/doc/meta.xml
+++ b/doc/meta.xml
@ -17,7 +17,9 @@ meta = {
    It is fully customizable.
  '';
  homepage = http://www.gnu.org/software/hello/manual/;
-  license = "GPLv3+";
+  license = stdenv.lib.licenses.gpl3Plus;
  maintainers = [ stdenv.lib.maintainers.eelco ];
  platforms = stdenv.lib.platforms.all;
 };
 </programlisting>
@ -31,16 +33,42 @@ the package.  The value of a meta-attribute must a string.</para>
 command-line using <command>nix-env</command>:
 <screen>
-$ nix-env -qa hello --meta --xml
+$ nix-env -qa hello --meta --json
-&lt;?xml version='1.0' encoding='utf-8'?>
+{
-&lt;items>
+    "hello": {
-  &lt;item attrPath="hello" name="hello-2.3" system="i686-linux">
+        "meta": {
-    &lt;meta name="description" value="A program that produces a familiar, friendly greeting" />
+            "description": "A program that produces a familiar, friendly greeting",
-    &lt;meta name="homepage" value="http://www.gnu.org/software/hello/manual/" />
+            "homepage": "http://www.gnu.org/software/hello/manual/",
-    &lt;meta name="license" value="GPLv3+" />
+            "license": {
-    &lt;meta name="longDescription" value="GNU Hello is a program that prints &amp;quot;Hello, world!&amp;quot; when you run it.&amp;#xA;It is fully customizable.&amp;#xA;" />
+                "fullName": "GNU General Public License version 3 or later",
-  &lt;/item>
+                "shortName": "GPLv3+",
-&lt;/items>
+                "url": "http://www.fsf.org/licensing/licenses/gpl.html"
            },
            "longDescription": "GNU Hello is a program that prints \"Hello, world!\" when you run it.\nIt is fully customizable.\n",
            "maintainers": [
                "Ludovic Court\u00e8s &lt;ludo@gnu.org>"
            ],
            "platforms": [
                "i686-linux",
                "x86_64-linux",
                "armv5tel-linux",
                "armv7l-linux",
                "mips64el-linux",
                "x86_64-darwin",
                "i686-cygwin",
                "i686-freebsd",
                "x86_64-freebsd",
                "i686-openbsd",
                "x86_64-openbsd"
            ],
            "position": "/home/user/dev/nixpkgs/pkgs/applications/misc/hello/ex-2/default.nix:14"
        },
        "name": "hello-2.9",
        "system": "x86_64-linux"
    }
 }
 </screen>
 <command>nix-env</command> knows about the
@ -92,18 +120,21 @@ interpretation:</para>
  <varlistentry>
    <term><varname>license</varname></term>
-    <listitem><para>The license for the package.  See below for the
+    <listitem><para>The license for the package. One from attribute set defined in
-    allowed values.</para></listitem>
+      <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix">
      <filename>nixpkgs/lib/licenses.nix</filename></link>.
      Example:
      <literal>stdenv.lib.licenses.gpl3</literal>.</para></listitem>
      See details in <xref linkend='sec-meta-license'/>,
  </varlistentry>
  <varlistentry>
    <term><varname>maintainers</varname></term>
    <listitem><para>A list of names and e-mail addresses of the
-    maintainers of this Nix expression, e.g. <literal>["Alice
+    maintainers of this Nix expression. If
-    &lt;alice@example.org>" "Bob &lt;bob@example.com>"]</literal>.  If
+    you would like to be a maintainer of a package, you may want to add
    you are the maintainer of multiple packages, you may want to add
    yourself to <link
-    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/lib/maintainers.nix"><filename>pkgs/lib/maintainers.nix</filename></link>
+    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/maintainers.nix"><filename>nixpkgs/lib/maintainers.nix</filename></link>
    and write something like <literal>[ stdenv.lib.maintainers.alice
    stdenv.lib.maintainers.bob ]</literal>.</para></listitem>
  </varlistentry>
@ -121,29 +152,25 @@ interpretation:</para>
  <varlistentry>
    <term><varname>platforms</varname></term>
    <listitem><para>The list of Nix platform types on which the
-    package is supported.  If this attribute is set, the package will
+    package is supported. Hydra builds packages according to the
-    refuse to build, and won’t show up in <literal>nix-env
+    platform specified. If no platform is specified, the package does
-    -qa</literal> output, on any platform not listed
+    not have prebuilt binaries. An example is:
    here.  An example is:
 <programlisting>
-meta.platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" ];
+meta.platforms = stdenv.lib.platforms.linux;
 </programlisting>
    The set <varname>lib.platforms</varname> defines various common
    lists of platforms types, so it’s more typical to write:
 <programlisting>
 meta.platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
 </programlisting>
    Attribute Set <varname>stdenv.lib.platforms</varname> in
    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/platforms.nix">
    <filename>nixpkgs/lib/platforms.nix</filename></link> defines various common
    lists of platforms types.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>hydraPlatforms</varname></term>
    <listitem><para>The list of Nix platform types for which the Hydra
-    instance at <literal>hydra.nixos.org</literal> should build the
+    instance at <literal>hydra.nixos.org</literal> will build the
    package.  (Hydra is the Nix-based continuous build system.)  It
    defaults to the value of <varname>meta.platforms</varname>.  Thus,
    the only reason to set <varname>meta.hydraPlatforms</varname> is
@ -176,80 +203,23 @@ meta.hydraPlatforms = [];
 <section xml:id="sec-meta-license"><title>Licenses</title>
-<note><para>This is just a first attempt at standardising the license
+<para>The <varname>meta.license</varname> attribute should preferrably contain
-attribute.</para></note>
+a value from <varname>stdenv.lib.licenses</varname> defined in
-
+<link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix">
-<para>The <varname>meta.license</varname> attribute must be one of the
+<filename>nixpkgs/lib/licenses.nix</filename></link>,
-following:
+or in-place license description of the same format if the license is
 unlikely to be useful in another expression.
 A few generic options are available, although it's typically better
 to indicate the specific license:
 <variablelist>
  <varlistentry>
    <term><varname>GPL</varname></term>
    <listitem><para>GNU General Public License; version not
    specified.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>GPLv2</varname></term>
    <listitem><para>GNU General Public License, version
    2.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>GPLv2+</varname></term>
    <listitem><para>GNU General Public License, version
    2 or higher.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>GPLv3</varname></term>
    <listitem><para>GNU General Public License, version
    3.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>GPLv3+</varname></term>
    <listitem><para>GNU General Public License, version
    3 or higher.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>bsd</varname></term>
    <listitem><para>Catch-all for licenses that are essentially
    similar to <link
    xlink:href="http://www.gnu.org/licenses/license-list.html#ModifiedBSD">the
    original BSD license with the advertising clause removed</link>,
    i.e. permissive non-copyleft free software licenses.  This
    includes the <link
    xlink:href="http://www.gnu.org/licenses/license-list.html#X11License">X11
    (“MIT”) License</link>.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>perl5</varname></term>
    <listitem><para>The Perl 5 license (Artistic License, version 1
    and GPL, version 1 or later).</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>free</varname></term>
    <listitem><para>Catch-all for free software licenses not listed
    above.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>free-copyleft</varname></term>
    <listitem><para>Catch-all for free, copyleft software licenses not
    listed above.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>free-non-copyleft</varname></term>
    <listitem><para>Catch-all for free, non-copyleft software licenses
    not listed above.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>unfree-redistributable</varname></term>
    <listitem><para>Unfree package that can be redistributed in binary
--- a/doc/quick-start.xml
+++ b/doc/quick-start.xml
@ -155,9 +155,10 @@ $ git add pkgs/development/libraries/libfoo/default.nix</screen>
        </listitem>
        <listitem>
-          <para>You can use <command>nix-prefetch-url</command>
+          <para>You can use <command>nix-prefetch-url</command> (or similar nix-prefetch-git, etc)
          <replaceable>url</replaceable> to get the SHA-256 hash of
-          source distributions.</para>
+          source distributions. There are similar commands as <command>nix-prefetch-git</command> and
          <command>nix-prefetch-hg</command> available in <literal>nix-prefetch-scripts</literal> package.</para>
        </listitem>
        <listitem>
@ -221,17 +222,10 @@ $ nix-env -f . -iA libfoo</screen>
  </listitem>
  <listitem>
-    <para>Optionally commit the new package, or send a patch to
+    <para>Optionally commit the new package and open a pull request, or send a patch to
    <literal>nix-dev@cs.uu.nl</literal>.</para>
  </listitem>
  <listitem>
    <para>If you want the TU Delft build farm to build binaries of the
    package and make them available in the <link
    xlink:href="http://nixos.org/releases/nixpkgs/channels/nixpkgs-unstable/"><literal>nixpkgs</literal>
    channel</link>, add it to <link
    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/release.nix"><filename>pkgs/top-level/release.nix</filename></link>.</para>
  </listitem>
 </orderedlist>
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -1,25 +1,24 @@
-{
+let
-  /* License identifiers loosely based on: http://fedoraproject.org/wiki/Licensing
+  spdx = lic: lic // {
      url = "http://spdx.org/licenses/${lic.shortName}";
    };
 in
 rec {
  /* License identifiers from spdx.org where possible.
   * If you cannot find your license here, then look for a similar license or
   * add it to this list. The URL mentioned above is a good source for inspiration.
   */
-  artistic2 = {
+  agpl3 = spdx {
-    shortName = "Artistic 2.0";
+    shortName = "AGPL-3.0";
-    fullName = "Artistic 2.0";
+    fullName = "GNU Affero General Public License v3.0";
    url = "http://opensource.org/licenses/artistic-license-2.0.php";
  };
  agpl3 = {
    shortName = "AGPLv3";
    fullName = "GNU Affero General Public License version 3 only";
    url = https://www.gnu.org/licenses/agpl.html;
  };
  agpl3Plus = {
-    shortName = "AGPLv3+";
+    shortName = "AGPL-3.0+";
-    fullName = "GNU Affero General Public License version 3 or later";
+    fullName = "GNU Affero General Public License v3.0 or later";
-    url = https://www.gnu.org/licenses/agpl.html;
+    inherit (agpl3) url;
  };
  amd = {
@ -28,118 +27,149 @@
    url = http://developer.amd.com/amd-license-agreement/;
  };#
-  apsl20 = {
+  apsl20 = spdx {
-    shortName = "APSL 2.0";
+    shortName = "APSL-2.0";
    fullName = "Apple Public Source License 2.0";
    url = http://opensource.org/licenses/APSL-2.0;
  };
-  asl20 = {
+  artistic2 = spdx {
-    shortName = "ASL2.0";
+    shortName = "Artistic-2.0";
-    fullName = "Apache Software License 2.0";
+    fullName = "Artistic License 2.0";
    url = http://www.apache.org/licenses/LICENSE-2.0;
  };
-  boost = {
+  asl20 = spdx {
-    shortName = "boost";
+    shortName = "Apache-2.0";
-    fullName = "Boost Software License";
+    fullName = "Apache License 2.0";
    url = http://www.boost.org/LICENSE_1_0.txt;
  };
-  bsd2 = {
+  boost = spdx {
-    shortName = "BSD-2";
+    shortName = "BSL-1.0";
-    fullName = "BSD license (2 clause)";
+    fullName = "Boost Software License 1.0";
    url = http://opensource.org/licenses/BSD-2-Clause;
  };
-  bsd3 = {
+  bsd2 = spdx {
-    shortName = "BSD-3";
+    shortName = "BSD-2-Clause";
-    fullName = "BSD license (3 clause)";
+    fullName = ''BSD 2-clause "Simplified" License'';
    url = http://opensource.org/licenses/BSD-3-Clause;
  };
-  bsdOriginal = {
+  bsd3 = spdx {
-    shortName = "BSD-original";
+    shortName = "BSD-3-Clause";
-    fullName = "Original BSD license with advertising clause";
+    fullName = ''BSD 3-clause "New" or "Revised" License'';
    url = https://fedoraproject.org/wiki/Licensing/BSD;
  };
-  cc-by-30 = {
+  bsdOriginal = spdx {
-    shortName = "CC BY 3.0";
+    shortName = "BSD-4-Clause";
    fullName = ''BSD 4-clause "Original" or "Old" License'';
  };
  cc-by-30 = spdx {
    shortName = "CC-BY-3.0";
    fullName = "Creative Commons Attribution 3.0";
    url = http://creativecommons.org/licenses/by/3.0;
  };
-  cddl = {
+  cddl = spdx {
-    shortName = "CDDL";
+    shortName = "CDDL-1.0";
-    fullName = "Common Development Distribution License ";
+    fullName = "Common Development and Distribution License 1.0";
    url = http://www.opensolaris.org/os/licensing/cddllicense.txt;
  };
-  cpl10 = {
+  cecill-c = spdx {
-    shortName = "CPL 1.0";
+    shortName = "CECILL-C";
-    fullName = "Common Public License version 1.0";
+    fullName  = "CeCILL-C Free Software License Agreement";
    url = http://www.eclipse.org/legal/cpl-v10.html;
  };
-  epl10 = {
+  cpl10 = spdx {
-    shortName = "EPL 1.0";
+    shortName = "CPL-1.0";
-    fullName = "Eclipse Public License version 1.0";
+    fullName = "Common Public License 1.0";
    url = http://www.eclipse.org/legal/epl-v10.html;
  };
-  gpl2 = {
+  epl10 = spdx {
-    shortName = "GPLv2";
+    shortName = "EPL-1.0";
-    fullName = "GNU General Public License version 2";
+    fullName = "Eclipse Public License 1.0";
-    url = http://www.gnu.org/licenses/old-licenses/gpl-2.0.html;
+  };
  free = "free";
  gpl2 = spdx {
    shortName = "GPL-2.0";
    fullName = "GNU General Public License v2.0 only";
  };
  gpl2Oss = {
-    shortName = "GPLv2+OSS";
+    shortName = "GPL-2.0-with-OSS";
    fullName = "GNU General Public License version 2 only (with OSI approved licenses linking exception)";
    url = http://www.mysql.com/about/legal/licensing/foss-exception;
  };
-  gpl2Plus = {
+  gpl2Plus = spdx {
-    shortName = "GPLv2+";
+    shortName = "GPL-2.0+";
-    fullName = "GNU General Public License version 2 or later";
+    fullName = "GNU General Public License v2.0 or later";
    url = http://www.gnu.org/licenses/old-licenses/gpl-2.0.html;
  };
-  gpl3 = {
+  gpl3 = spdx {
-    shortName = "GPLv3";
+    shortName = "GPL-3.0";
-    fullName = "GNU General Public License version 3 only";
+    fullName = "GNU General Public License v3.0 only";
    url = http://www.fsf.org/licensing/licenses/gpl.html;
  };
-  gpl3Plus = {
+  gpl3Plus = spdx {
-    shortName = "GPLv3+";
+    shortName = "GPL-3.0+";
-    fullName = "GNU General Public License version 3 or later";
+    fullName = "GNU General Public License v3.0 or later";
    url = http://www.fsf.org/licensing/licenses/gpl.html;
  };
  gpl3ClasspathPlus = {
-    shortName = "GPLv3+classpath+";
+    shortName = "GPL-3.0+-with-classpath-exception";
-    fullName = "GNU General Public License version 3 or later (with Classpath exception)";
+    fullName = "GNU General Public License v3.0 or later (with Classpath exception)";
    url = https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception;
  };
-  isc = {
+  inria = {
    shortName = "INRIA-NCLA";
    fullName  = "INRIA Non-Commercial License Agreement";
    url       = "http://compcert.inria.fr/doc/LICENSE";
  };
  ipa = spdx {
    shortName = "IPA";
    fullName = "IPA Font License";
  };
  ipl10 = spdx {
    shortName = "IPL-1.0";
    fullName = "IBM Public License v1.0";
  };
  isc = spdx {
    shortName = "ISC";
-    fullName = "Internet Systems Consortium License";
+    fullName = "ISC License";
    url = http://www.opensource.org/licenses/ISC;
  };
-  ipl10 = {
+  lgpl2 = spdx {
-    shortName = "IPL 1.0";
+    shortName = "LGPL-2.0";
-    fullName = "IBM Public License Version 1.0";
+    fullName = "GNU Library General Public License v2 only";
    url = http://www.ibm.com/developerworks/opensource/library/os-i18n2/os-ipl.html;
  };
-  ijg = {
+  lgpl2Plus = spdx {
-    shortName = "IJG";
+    shortName = "LGPL-2.0+";
-    fullName = "Independent JPEG Group License";
+    fullName = "GNU Library General Public License v2 or later";
-    url = https://fedoraproject.org/wiki/Licensing/IJG;
+  };
  lgpl21 = spdx {
    shortName = "LGPL-2.1";
    fullName = "GNU Library General Public License v2.1 only";
  };
  lgpl21Plus = spdx {
    shortName = "LGPL-2.1+";
    fullName = "GNU Library General Public License v2.1 or later";
  };
  lgpl3 = spdx {
    shortName = "LGPL-3.0";
    fullName = "GNU Lesser General Public License v3.0 only";
  };
  lgpl3Plus = spdx {
    shortName = "LGPL-3.0+";
    fullName = "GNU Lesser General Public License v3.0 or later";
  };
  libtiff = {
@ -148,76 +178,47 @@
    url = https://fedoraproject.org/wiki/Licensing/libtiff;
  };
  lgpl2 = {
    shortName = "LGPLv2";
    fullName = "GNU Library General Public License version 2";
    url = http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html;
  };
  lgpl2Plus = {
    shortName = "LGPLv2+";
    fullName = "GNU Library General Public License version 2 or later";
    url = http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html;
  };
  lgpl21 = {
    shortName = "LGPLv2.1";
    fullName = "GNU Lesser General Public License version 2.1";
    url = http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html;
  };
  lgpl21Plus = {
    shortName = "LGPLv2.1+";
    fullName = "GNU Lesser General Public License version 2.1 or later";
    url = http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html;
  };
  llgpl21 = {
-    shortName = "LLGPLv2.1";
+    shortName = "LLGPL-2.1";
    fullName = "Lisp LGPL; GNU Lesser General Public License version 2.1 with Franz Inc. preamble for clarification of LGPL terms in context of Lisp";
    url = http://opensource.franz.com/preamble.html;
  };
-  lgpl3 = {
+  mit = spdx {
    shortName = "LGPLv3";
    fullName = "GNU Lesser General Public License version 3 only";
    url = http://www.fsf.org/licensing/licenses/lgpl.html;
  };
  lgpl3Plus = {
    shortName = "LGPLv3+";
    fullName = "GNU Lesser General Public License version 3 or later";
    url = http://www.fsf.org/licensing/licenses/lgpl.html;
  };
  mit = {
    shortName = "MIT";
-    fullName = "MIT/X11 license";
+    fullName = "MIT License";
    url = http://www.opensource.org/licenses/mit-license.php;
  };
-  mpl11 = {
+  mpl11 = spdx {
-    shortName = "MPL1.1";
+    shortName = "MPL-1.1";
-    fullName = "Mozilla Public License version 1.1";
+    fullName = "Mozilla Public License 1.1";
    url = http://www.mozilla.org/MPL/MPL-1.1.html;
  };
-  mpl20 = {
+  mpl20 = spdx {
-    shortName = "MPL2.0";
+    shortName = "MPL-2.0";
-    fullName = "Mozilla Public License version 2.0";
+    fullName = "Mozilla Public License 2.0";
    url = https://www.mozilla.org/MPL/2.0;
  };
-  ofl = {
+  msrla = {
-    shortName = "OFL";
+    shortName = "MSR-LA";
-    fullName = "SIL Open Font License";
+    fullName  = "Microsoft Research License Agreement";
-    url = "http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL_web";
+    url       = "http://research.microsoft.com/en-us/projects/pex/msr-la.txt";
  };
-  openssl = {
+  ofl = spdx {
-    shortName = "openssl";
+    shortName = "OFL-1.1";
-    fullName = "OpenSSL license";
+    fullName = "SIL Open Font License 1.1";
-    url = http://www.openssl.org/source/license.html;
+  };
  openssl = spdx {
    shortName = "OpenSSL";
    fullName = "OpenSSL License";
  };
  psfl = spdx {
    shortName = "Python-2.0";
    fullName = "Python Software Foundation License version 2";
    #url = http://docs.python.org/license.html;
  };
  publicDomain = {
@ -225,10 +226,9 @@
    fullname = "Public Domain";
  };
-  psfl = {
+  sleepycat = spdx {
-    shortName = "PSFL";
+    shortName = "Sleepycat";
-    fullName = "Python Software Foundation License";
+    fullName  = "Sleepycat License";
    url = http://docs.python.org/license.html;
  };
  tcltk = {
@ -243,45 +243,26 @@
  unfreeRedistributableFirmware = "unfree-redistributable-firmware";
-  zlib = {
+  wadalab = {
-    shortName = "zlib";
+    shortName = "wadalab";
-    fullName = "zlib license";
+    fullName = "Wadalab Font License";
-    url = http://www.gzip.org/zlib/zlib_license.html;
+    url = https://fedoraproject.org/wiki/Licensing:Wadalab?rd=Licensing/Wadalab;
  };
-  zpt20 = {
+  zlib = spdx {
-    shortName = "ZPT2.0";
+    shortName = "Zlib";
    fullName = "zlib License";
  };
  zpt20 = spdx { # FIXME: why zpt* instead of zpl*
    shortName = "ZPL-2.0";
    fullName = "Zope Public License 2.0";
    url = "http://old.zope.org/Resources/License/ZPL-2.0";
  };
-  zpt21 = {
+  zpt21 = spdx {
-    shortName = "ZPT2.1";
+    shortName = "ZPL-2.1";
    fullName = "Zope Public License 2.1";
    url = "http://old.zope.org/Resources/License/ZPL-2.1";
  };
  sleepycat = {
    shortName = "Sleepycat";
    fullName  = "Sleepycat Public License";
    url       = "https://en.wikipedia.org/wiki/Sleepycat_License";
  };
  cecill-c = {
    shortName = "CeCILL-C";
    fullName  = "CEA CNRS INRIA Logiciel Libre";
    url       = "http://www.cecill.info/licences.en.html";
  };
  msrla = {
    shortName = "MSR-LA";
    fullName  = "Microsoft Research License Agreement";
    url       = "http://research.microsoft.com/en-us/projects/pex/msr-la.txt";
  };
  inria = {
    shortName = "INRIA-NCLA";
    fullName  = "INRIA Non-Commercial License Agreement";
    url       = "http://compcert.inria.fr/doc/LICENSE";
  };
 }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -6,6 +6,7 @@
  _1126 = "Christian Lask <mail@elfsechsundzwanzig.de>";
  aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
  ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
  akc = "Anders Claesson <akc@akc.is>";
  algorith = "Dries Van Daele <dries_van_daele@telenet.be>";
  all = "Nix Committers <nix-commits@lists.science.uu.nl>";
@ -25,27 +26,32 @@
  bjornfor = "Bjørn Forsman <bjorn.forsman@gmail.com>";
  bluescreen303 = "Mathijs Kwik <mathijs@bluescreen303.nl>";
  bodil = "Bodil Stokke <nix@bodil.org>";
  bosu = "Boris Sukholitko <boriss@gmail.com>";
  calrama = "Moritz Maxeiner <moritz@ucworks.org>";
  cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
  chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
  coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
  coroa = "Jonas Hörsch <jonas@chaoflow.net>";
  cstrahan = "Charles Strahan <charles.c.strahan@gmail.com>";
  DamienCassou = "Damien Cassou <damien.cassou@gmail.com>";
  ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
  edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
  eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
  emery = "Emery Hemingway <emery@vfemail.net>";
  ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
  falsifian = "James Cook <james.cook@utoronto.ca>";
  flosse = "Markus Kohlhase <mail@markus-kohlhase.de>";
  fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
  garbas = "Rok Garbas <rok@garbas.si>";
  goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
  guibert = "David Guibert <david.guibert@gmail.com>";
  hinton = "Tom Hinton <t@larkery.com>";
  hrdinka = "Christoph Hrdinka <c.nix@hrdinka.at>";
  ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
  iElectric = "Domen Kozar <domen@dev.si>";
  iyzsong = "Song Wenwu <iyzsong@gmail.com>";
  jcumming = "Jack Cummings <jack@mudshark.org>";
  jgeerds = "Jascha Geerds <jg@ekby.de>";
  joamaki = "Jussi Maki <joamaki@gmail.com>";
  joelteon = "Joel Taylor <me@joelt.io>";
  jwiegley = "John Wiegley <johnw@newartisans.com>";
@ -58,9 +64,11 @@
  madjar = "Georges Dubus <georges.dubus@compiletoi.net>";
  marcweber = "Marc Weber <marco-oweber@gmx.de>";
  matejc = "Matej Cotman <cotman.matej@gmail.com>";
  meisternu = "Matt Miemiec <meister@krutt.org>";
  modulistic = "Pablo Costa <modulistic@gmail.com>";
  mornfall = "Petr Ročkai <me@mornfall.net>";
  msackman = "Matthew Sackman <matthew@wellquite.org>";
  notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
  ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
  offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
  orbitz = "Malcolm Matalka <mmatalka@gmail.com>";
@ -74,6 +82,7 @@
  qknight = "Joachim Schiele <js@lastlog.de>";
  raskin = "Michael Raskin <7c6f434c@mail.ru>";
  redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
  refnil = "Martin Lavoie <broemartino@gmail.com>";
  relrod = "Ricky Elrod <ricky@elrod.me>";
  rickynils = "Rickard Nilsson <rickynils@gmail.com>";
  rob = "Rob Vermaas <rob.vermaas@gmail.com>";
@ -84,13 +93,16 @@
  sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
  shlevy = "Shea Levy <shea@shealevy.com>";
  simons = "Peter Simons <simons@cryp.to>";
  skeidel = "Sven Keidel <svenkeidel@gmail.com>";
  smironov = "Sergey Mironov <ierton@gmail.com>";
  sprock = "Roger Mason <rmason@mun.ca>";
  tailhook = "Paul Colomiets <paul@colomiets.name>";
  thammers = "Tobias Hammerschmidt <jawr@gmx.de>";
  the-kenny = "Moritz Ulrich <moritz@tarn-vedra.de>";
  thoughtpolice = "Austin Seipp <aseipp@pobox.com>";
  tomberek = "Thomas Bereknyei <tomberek@gmail.com>";
  ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
  tv = "Tomislav Viljetić <tv@shackspace.de>";
  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
  vbmithr = "Vincent Bernardoff <vb@luminar.eu.org>";
  vcunat = "Vladimír Čunát <vcunat@gmail.com>";
@ -99,6 +111,8 @@
  vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
  winden = "Antonio Vargas Gonzalez <windenntw@gmail.com>";
  wizeman = "Ricardo M. Correia <rcorreia@wizy.org>";
  wjlroe = "William Roe <willroe@gmail.com>";
  wkennington = "William A. Kennington III <william@wkennington.com>";
  wmertens = "Wout Mertens <Wout.Mertens@gmail.com>";
  z77z = "Marco Maggesi <maggesi@math.unifi.it>";
  zef = "Zef Hemel <zef@zef.me>";
--- a/lib/modules.nix
+++ b/lib/modules.nix
@ -194,7 +194,7 @@ rec {
     is transformed into
-       [ { boot = set1; } { boot = mkIf cond set2; services mkIf cond set3; } ].
+       [ { boot = set1; } { boot = mkIf cond set2; services = mkIf cond set3; } ].
     This transform is the critical step that allows mkIf conditions
     to refer to the full configuration without creating an infinite
--- a/lib/platforms.nix
+++ b/lib/platforms.nix
@ -11,6 +11,6 @@ rec {
  unix = linux ++ darwin ++ freebsd ++ openbsd;
  all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd;
  none = [];
-  allBut = platform: lists.filter (x: platform != x) all;
+  allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
  mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux"];
 }
--- a/maintainers/scripts/sort-attrs.str
+++ b/maintainers/scripts/sort-attrs.str
@ -1,146 +0,0 @@
 /* Tool to sort attribute sets.  Primarily useful for keeping
   all-packages.nix tidy.
   To compile:
   $ strc -i ../../maintainers/scripts/sort-attrs.str -la stratego-lib
   Typical invocation:
   $ sglr -m -p ~/Dev/nix/src/libexpr/nix.tbl -i all-packages.nix \
     | implode-asfix --lex \
     | ../../maintainers/scripts/sort-attrs \
     | asfix-yield
 */
 module sort-attrs
 imports
  libstratego-lib
  libstratego-sglr
 strategies
  no-wsp = !appl(prod([], cf(opt(layout())), no-attrs()), [])
 rules
  list-sep(s): [] -> []
  list-sep(s): [x | xs] -> [[x | before] | <list-sep(s)> [split | after]]
    where
      <split-fetch-keep(s)> xs => (before, split, after)
  list-sep(s): [x | xs] -> [[x | xs]]
    where
      <not(split-fetch-keep(s))> xs
  list-sep-end(s): xs -> [<conc> (before, [split]) | <list-sep-end(s)> after]
    where
      <split-fetch-keep(s)> xs => (before, split, after)
  list-sep-end(s): xs -> [xs]
    where
      <not(split-fetch-keep(s))> xs
  sort-attrs:
    appl(p@prod(_, _, attrs([term(cons("Attrs"))])),
      [ lit("{")
      , ws1
      , appl(p2@list(cf(iter-star(sort("Bind")))), attrs)
      , ws2
      , lit("}")
      ]
    ) ->
    appl(p, [lit("{"), <no-wsp>, appl(p2, <concat> attrs'), ws2, lit("}")])
    where
      <debug> "found it";
      <attach-wsp> [ws1 | attrs] => withWSP;
      <list-sep(starts-section)> withWSP => groups;
      <length; debug> groups;
      <map({x', x'', x''', xs', starts, starts': \[x | xs] -> [x''' | xs']
        where
          <remove-section-start> x => (x', starts);
          <map(regularise-empty-lines); if !starts; debug; sortable-section; debug then qsort(compare-attrs) else id end> [x' | xs] => [x'' | xs'];
          <[] <+ \x -> ["\n\n\n" | x]\ > starts => starts';
          <prepend-layout> (starts', x'') => x'''
      \ })> groups => attrs';
      <debug> "did it"
  attach-wsp: [a, b | cs] -> [(a, b) | <attach-wsp> cs]
  attach-wsp: [] -> []
 strategies
  starts-section =
    ?x@(appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs), attr);
    <implode-string; is-substring(!"###")> cs;
    !x
 rules
  sortable-section = ?[s]; !s; explode-string; not(fetch({x: ?x; !(x, 97); geq}))
  remove-section-start:
    (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs), attr) ->
    ((appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs'), attr), starts)
    where
      !cs;
      list-sep-end(?10); // separate into lines, keeping the \n
      map(implode-string);
      partition(where(is-substring(!"###"))) => (starts, rest);
      <map(explode-string); concat> rest => cs'
  regularise-empty-lines:
    (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs), attr) ->
    (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs''), attr)
    where
      // separate into lines, keeping the \n
      // last whitespace is significant, keep
      <list-sep-end(?10); split-init-last> cs => (init, last);
      <regularise-empty-lines'> init => cs'; // remove whitespace-only lines
      <concat> [<explode-string> "\n\n", <concat> cs', last] => cs'' // add one empty line
  /* Dirty hack: *do* keep the first empty line following a non-empty line. !!! order matters */
  regularise-empty-lines': [] -> []
  regularise-empty-lines': [x, y | xs] -> [x, y | <regularise-empty-lines'> xs]
    where
      <fetch-elem(not(?10 <+ ?32))> x;
      <not(fetch-elem(not(?10 <+ ?32)))> y
  regularise-empty-lines': [x | xs] -> [x | <regularise-empty-lines'> xs]
    where <fetch-elem(not(?10 <+ ?32))> x
  regularise-empty-lines': [x | xs] -> <regularise-empty-lines'> xs
    where <not(fetch-elem(not(?10 <+ ?32)))> x
  prepend-layout:
    (text, (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs), attr)) ->
    (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs''), attr)
    where
      <implode-string> cs => cs';
      <conc-strings; explode-string> (<concat-strings> text, cs') => cs''
  compare-attrs:
    x@
    ( (_, appl(p1@prod(_, _, attrs([term(cons("Bind"))])), [id1 | xs1]))
    , (_, appl(p2@prod(_, _, attrs([term(cons("Bind"))])), [id2 | xs2]))
    )
    -> x
    where
      <string-lt> (id1, id2)
 strategies
  main = io-wrap(
    oncetd(sort-attrs)
  )
--- a/nixos/doc/manual/README
+++ b/nixos/doc/manual/README
@ -0,0 +1,12 @@
 To build the manual, you need Nix installed on your system (no need
 for NixOS). To install Nix, follow the instructions at
    https://nixos.org/nix/download.html
 When you have Nix on your system, in the root directory of the project
 (i.e., `nixpkgs`), run:
    nix-build nixos/release.nix -A manual.x86_64-linux
 When this command successfully finishes, it will tell you where the
 manual got generated.
--- a/nixos/doc/manual/configuration.xml
+++ b/nixos/doc/manual/configuration.xml
@ -1036,21 +1036,22 @@ users.extraUsers.alice =
  { createHome = true;
    home = "/home/alice";
    description = "Alice Foobar";
-    extraGroups = [ "wheel" ];
+    extraGroups = [ "wheel" "networkmanager" ];
    useDefaultShell = true;
    openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
  };
 </programlisting>
 Note that <literal>alice</literal> is a member of the
-<literal>wheel</literal> group, which allows her to use
+<literal>wheel</literal> and <literal>networkmanager</literal> groups,
-<command>sudo</command> to execute commands as
+which allows her to use <command>sudo</command> to execute commands as
-<literal>root</literal>.  Also note the SSH public key that allows
+<literal>root</literal> and to configure the network, respectively.
-remote logins with the corresponding private key.  Users created in
+Also note the SSH public key that allows remote logins with the
-this way do not have a password by default, so they cannot log in via
+corresponding private key. Users created in this way do not have a
-mechanisms that require a password.  However, you can use the
+password by default, so they cannot log in via mechanisms that require
-<command>passwd</command> program to set a password, which is retained
+a password. However, you can use the <command>passwd</command> program
-across invocations of <command>nixos-rebuild</command>.</para>
+to set a password, which is retained across invocations of
 <command>nixos-rebuild</command>.</para>
 <para>A user ID (uid) is assigned automatically.  You can also specify
 a uid manually by adding
@ -1277,6 +1278,28 @@ services.xserver.synaptics.twoFingerScroll = true;
 <section xml:id="sec-networking"><title>Networking</title>
 <section xml:id="sec-networkmanager"><title>NetworkManager</title>
 <para>To facilitate network configuration, some desktop environments
 use NetworkManager. You can enable NetworkManager by setting:
 <programlisting>
 services.networkmanager.enable = true;
 </programlisting>
 Some desktop managers (e.g., GNOME) enable NetworkManager
 automatically for you.</para>
 <para>All users that should have permission to change network settings
 must belong to the <code>networkmanager</code> group.</para>
 <note><para><code>services.networkmanager</code> and
 <code>services.wireless</code> can not be enabled at the same time:
 you can still connect to the wireless networks using
 NetworkManager.</para></note>
 </section>
 <section xml:id="sec-ssh"><title>Secure shell access</title>
 <para>Secure shell (SSH) access to your machine can be enabled by
@ -1399,6 +1422,11 @@ always allowed.)</para>
 <section xml:id="sec-wireless"><title>Wireless networks</title>
 <para>For a desktop installation using NetworkManager (e.g., GNOME),
 you just have to make sure the user is in the
 <code>networkmanager</code> group and you can skip the rest of this
 section on wireless networks.</para>
 <para>
 NixOS will start wpa_supplicant for you if you enable this setting:
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@ -1,5 +1,6 @@
 { pkgs, options, version, revision }:
 with pkgs;
 with pkgs.lib;
 let
@ -22,7 +23,7 @@ let
  optionsXML = builtins.toFile "options.xml" (builtins.unsafeDiscardStringContext (builtins.toXML options''));
-  optionsDocBook = pkgs.runCommand "options-db.xml" {} ''
+  optionsDocBook = runCommand "options-db.xml" {} ''
    if grep /nixpkgs/nixos/modules ${optionsXML}; then
      echo "The manual appears to depend on the location of Nixpkgs, which is bad"
      echo "since this prevents sharing via the NixOS channel.  This is typically"
@ -30,7 +31,7 @@ let
      echo "for hints about the offending path)."
      exit 1
    fi
-    ${pkgs.libxslt}/bin/xsltproc \
+    ${libxslt}/bin/xsltproc \
      --stringparam revision '${revision}' \
      -o $out ${./options-to-docbook.xsl} ${optionsXML}
  '';
@ -38,12 +39,12 @@ let
 in rec {
  # Generate the NixOS manual.
-  manual = pkgs.stdenv.mkDerivation {
+  manual = stdenv.mkDerivation {
    name = "nixos-manual";
    sources = sourceFilesBySuffices ./. [".xml"];
-    buildInputs = [ pkgs.libxml2 pkgs.libxslt ];
+    buildInputs = [ libxml2 libxslt ];
    xsltFlags = ''
      --param section.autolabel 1
@ -62,19 +63,19 @@ in rec {
      # Check the validity of the manual sources.
      xmllint --noout --nonet --xinclude --noxincludenode \
-        --relaxng ${pkgs.docbook5}/xml/rng/docbook/docbook.rng \
+        --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
        manual.xml
      # Generate the HTML manual.
      dst=$out/share/doc/nixos
-      ensureDir $dst
+      mkdir -p $dst
      xsltproc $xsltFlags --nonet --xinclude \
        --output $dst/manual.html \
-        ${pkgs.docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
+        ${docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
        ./manual.xml
      mkdir -p $dst/images/callouts
-      cp ${pkgs.docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/images/callouts/
+      cp ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/images/callouts/
      cp ${./style.css} $dst/style.css
@ -86,13 +87,39 @@ in rec {
    meta.description = "The NixOS manual in HTML format";
  };
  manualPDF = stdenv.mkDerivation {
    name = "nixos-manual-pdf";
    sources = sourceFilesBySuffices ./. [".xml"];
    buildInputs = [ libxml2 libxslt dblatex tetex ];
    buildCommand = ''
      # TeX needs a writable font cache.
      export VARTEXFONTS=$TMPDIR/texfonts
      ln -s $sources/*.xml . # */
      ln -s ${optionsDocBook} options-db.xml
      echo "${version}" > version
      dst=$out/share/doc/nixos
      mkdir -p $dst
      xmllint --xinclude manual.xml | dblatex -o $dst/manual.pdf - \
        -P doc.collab.show=0 \
        -P latex.output.revhistory=0
      mkdir -p $out/nix-support
      echo "doc-pdf manual $dst/manual.pdf" >> $out/nix-support/hydra-build-products
    ''; # */
  };
  # Generate the NixOS manpages.
-  manpages = pkgs.stdenv.mkDerivation {
+  manpages = stdenv.mkDerivation {
    name = "nixos-manpages";
    sources = sourceFilesBySuffices ./. [".xml"];
-    buildInputs = [ pkgs.libxml2 pkgs.libxslt ];
+    buildInputs = [ libxml2 libxslt ];
    buildCommand = ''
      ln -s $sources/*.xml . # */
@ -100,7 +127,7 @@ in rec {
      # Check the validity of the manual sources.
      xmllint --noout --nonet --xinclude --noxincludenode \
-        --relaxng ${pkgs.docbook5}/xml/rng/docbook/docbook.rng \
+        --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
        ./man-pages.xml
      # Generate manpages.
@ -109,7 +136,7 @@ in rec {
        --param man.output.in.separate.dir 1 \
        --param man.output.base.dir "'$out/share/man/'" \
        --param man.endnotes.are.numbered 0 \
-        ${pkgs.docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \
+        ${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \
        ./man-pages.xml
    '';
  };
--- a/nixos/doc/manual/installation.xml
+++ b/nixos/doc/manual/installation.xml
@ -320,7 +320,10 @@ changes:
 <itemizedlist>
  <listitem>
    <para>You should boot the live CD in UEFI mode (consult your
-    specific hardware's documentation for instructions).</para>
+    specific hardware's documentation for instructions). You may find
    the <link
    xlink:href="http://www.rodsbooks.com/refind">rEFInd
    boot manager</link> useful.</para>
  </listitem>
  <listitem>
    <para>Instead of <command>fdisk</command>, you should use
@ -335,6 +338,11 @@ changes:
    should do this automatically for new configurations when booted in
    UEFI mode.</para>
  </listitem>
  <listitem>
    <para>After having mounted your installation partition to
    <code>/mnt</code>, you must mount the <code>boot</code> partition
    to <code>/mnt/boot</code>.</para>
  </listitem>
  <listitem>
    <para>You may want to look at the options starting with
    <option>boot.loader.efi</option> and <option>boot.loader.gummiboot</option>
--- a/nixos/doc/manual/manual.xml
+++ b/nixos/doc/manual/manual.xml
@ -7,25 +7,6 @@
    <title>NixOS Manual</title>
    <subtitle>Version <xi:include href="version" parse="text" /></subtitle>
    <author>
      <personname>
        <firstname>Eelco</firstname>
        <surname>Dolstra</surname>
      </personname>
    </author>
    <author>
      <personname>
        <firstname>Nicolas</firstname>
        <surname>Pierron</surname>
      </personname>
    </author>
    <copyright>
      <year>2007-2013</year>
      <holder>Eelco Dolstra</holder>
    </copyright>
  </info>
--- a/nixos/doc/manual/options-to-docbook.xsl
+++ b/nixos/doc/manual/options-to-docbook.xsl
@ -202,4 +202,10 @@
    </simplelist>
  </xsl:template>
  <xsl:template match="function">
    <xsl:text>λ</xsl:text>
  </xsl:template>
 </xsl:stylesheet>
--- a/nixos/lib/make-iso9660-image.sh
+++ b/nixos/lib/make-iso9660-image.sh
@ -78,7 +78,7 @@ done
 cat pathlist | sed -e 's/=\(.*\)=\(.*\)=/\\=\1=\2\\=/' | tee pathlist.safer
-ensureDir $out/iso
+mkdir -p $out/iso
 genCommand="genisoimage -iso-level 4 -r -J $bootFlags -hide-rr-moved -graft-points -path-list pathlist.safer ${volumeID:+-V $volumeID}"
 if test -z "$compressImage"; then
    $genCommand -o $out/iso/$isoName
@ -87,5 +87,5 @@ else
 fi
-ensureDir $out/nix-support
+mkdir -p $out/nix-support
 echo $system > $out/nix-support/system
--- a/nixos/lib/make-system-tarball.sh
+++ b/nixos/lib/make-system-tarball.sh
@ -48,11 +48,11 @@ for ((n = 0; n < ${#objects[*]}; n++)); do
    fi
 done
-ensureDir $out/tarball
+mkdir -p $out/tarball
 tar cvJf $out/tarball/$fileName.tar.xz *
-ensureDir $out/nix-support
+mkdir -p $out/nix-support
 echo $system > $out/nix-support/system
 echo "file system-tarball $out/tarball/$fileName.tar.xz" > $out/nix-support/hydra-build-products
--- a/nixos/lib/test-driver/log2html.xsl
+++ b/nixos/lib/test-driver/log2html.xsl
@ -9,8 +9,8 @@
  <xsl:template match="logfile">
    <html>
      <head>
-        <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
+        <script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
-        <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
+        <script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
        <script type="text/javascript" src="treebits.js" />
        <link rel="stylesheet" href="logfile.css" type="text/css" />
        <title>Log File</title>
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@ -37,7 +37,7 @@ rec {
  # `driver' is the script that runs the network.
  runTests = driver:
    stdenv.mkDerivation {
-      name = "vm-test-run";
+      name = "vm-test-run-${driver.testName}";
      requiredSystemFeatures = [ "kvm" "nixos-test" ];
@ -68,9 +68,10 @@ rec {
  makeTest =
-    { testScript, makeCoverageReport ? false, ... } @ t:
+    { testScript, makeCoverageReport ? false, name ? "unnamed", ... } @ t:
    let
      testDriverName = "nixos-test-driver-${name}";
      nodes = buildVirtualNetwork (
        t.nodes or (if t ? machine then { machine = t.machine; } else { }));
@ -88,10 +89,11 @@ rec {
      # Generate onvenience wrappers for running the test driver
      # interactively with the specified network, and for starting the
      # VMs from the command line.
-      driver = runCommand "nixos-test-driver"
+      driver = runCommand testDriverName
        { buildInputs = [ makeWrapper];
          testScript = testScript';
          preferLocalBuild = true;
          testName = name;
        }
        ''
          mkdir -p $out/bin
@ -115,7 +117,7 @@ rec {
      report = releaseTools.gcovReport { coverageRuns = [ test ]; };
-    in (if makeCoverageReport then report else test) // { inherit driver test; };
+    in (if makeCoverageReport then report else test) // { inherit nodes driver test; };
  runInMachine =
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 with lib;
 with pkgs;
 with lib;
 let
@ -217,9 +217,7 @@ in
    systemd.services = mkIf cfg.daemon.enable {
      nslcd = {
-        wantedBy = [ "nss-user-lookup.target" ];
+        wantedBy = [ "multi-user.target" ];
        before = [ "nss-user-lookup.target" ];
        after = [ "network.target" ];
        preStart = ''
          mkdir -p /run/nslcd
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -14,7 +14,7 @@ in
  options = {
-    networking.extraHosts = pkgs.lib.mkOption {
+    networking.extraHosts = lib.mkOption {
      type = types.lines;
      default = "";
      example = "192.168.0.1 lanlocalhost";
@ -23,7 +23,7 @@ in
      '';
    };
-    networking.dnsSingleRequest = pkgs.lib.mkOption {
+    networking.dnsSingleRequest = lib.mkOption {
      type = types.bool;
      default = false;
      description = ''
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 with lib;
 with pkgs;
 with lib;
 let
@ -80,12 +80,12 @@ in {
      package = mkOption {
        type = types.package;
-        default = pulseaudio;
+        default = pulseaudioFull;
-        example = literalExample "pulseaudio.override { jackaudioSupport = true; }";
+        example = literalExample "pulseaudioFull";
        description = ''
-          The PulseAudio derivation to use.  This can be used to enable
+          The PulseAudio derivation to use.  This can be used to disable
-          features (such as JACK support) that are not enabled in the
+          features (such as JACK support, Bluetooth) that are enabled in the
-          default PulseAudio in Nixpkgs.
+          pulseaudioFull package in Nixpkgs.
        '';
      };
--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, utils, ... }:
 with lib;
 with utils;
 with lib;
 {
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@ -6,8 +6,12 @@ let
  sysctlOption = mkOptionType {
    name = "sysctl option value";
-    check = x: isBool x || isString x || isInt x || isNull x;
+    check = val:
-    merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix.
+      let
        checkType = x: isBool x || isString x || isInt x || isNull x;
      in
        checkType val || (val._type or "" == "override" && checkType val.content);
    merge = loc: defs: mergeOneOption loc (filterOverrides defs);
  };
 in
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@ -110,6 +110,7 @@ in
        "/man"
        "/sbin"
        "/share/emacs"
        "/share/vim-plugins"
        "/share/org"
        "/share/info"
        "/share/terminfo"
--- a/nixos/modules/config/unix-odbc-drivers.nix
+++ b/nixos/modules/config/unix-odbc-drivers.nix
@ -27,7 +27,7 @@ with lib;
    environment.etc."odbcinst.ini".text =
      let inis = config.environment.unixODBCDrivers;
-      in pkgs.lib.concatStringsSep "\n" inis;
+      in lib.concatStringsSep "\n" inis;
  };
--- a/nixos/modules/hardware/network/intel-2100bg.nix
+++ b/nixos/modules/hardware/network/intel-2100bg.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
@ -6,9 +6,9 @@
  options = {
-    networking.enableIntel2100BGFirmware = pkgs.lib.mkOption {
+    networking.enableIntel2100BGFirmware = lib.mkOption {
      default = false;
-      type = pkgs.lib.types.bool;
+      type = lib.types.bool;
      description = ''
        Turn on this option if you want firmware for the Intel
        PRO/Wireless 2100BG to be loaded automatically.  This is
@ -21,7 +21,7 @@
  ###### implementation
-  config = pkgs.lib.mkIf config.networking.enableIntel2100BGFirmware {
+  config = lib.mkIf config.networking.enableIntel2100BGFirmware {
    hardware.enableAllFirmware = true;
--- a/nixos/modules/hardware/network/intel-2200bg.nix
+++ b/nixos/modules/hardware/network/intel-2200bg.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
@ -6,9 +6,9 @@
  options = {
-    networking.enableIntel2200BGFirmware = pkgs.lib.mkOption {
+    networking.enableIntel2200BGFirmware = lib.mkOption {
      default = false;
-      type = pkgs.lib.types.bool;
+      type = lib.types.bool;
      description = ''
        Turn on this option if you want firmware for the Intel
        PRO/Wireless 2200BG to be loaded automatically.  This is
@ -21,7 +21,7 @@
  ###### implementation
-  config = pkgs.lib.mkIf config.networking.enableIntel2200BGFirmware {
+  config = lib.mkIf config.networking.enableIntel2200BGFirmware {
    hardware.enableAllFirmware = true;
--- a/nixos/modules/hardware/network/intel-3945abg.nix
+++ b/nixos/modules/hardware/network/intel-3945abg.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
@ -6,9 +6,9 @@
  options = {
-    networking.enableIntel3945ABGFirmware = pkgs.lib.mkOption {
+    networking.enableIntel3945ABGFirmware = lib.mkOption {
      default = false;
-      type = pkgs.lib.types.bool;
+      type = lib.types.bool;
      description = ''
        This option enables automatic loading of the firmware for the Intel
        PRO/Wireless 3945ABG.
@ -20,7 +20,7 @@
  ###### implementation
-  config = pkgs.lib.mkIf config.networking.enableIntel3945ABGFirmware {
+  config = lib.mkIf config.networking.enableIntel3945ABGFirmware {
    hardware.enableAllFirmware = true;
--- a/nixos/modules/hardware/network/ralink.nix
+++ b/nixos/modules/hardware/network/ralink.nix
@ -1,4 +1,4 @@
-{pkgs, config, ...}:
+{pkgs, config, lib, ...}:
 {
@ -6,9 +6,9 @@
  options = {
-    networking.enableRalinkFirmware = pkgs.lib.mkOption {
+    networking.enableRalinkFirmware = lib.mkOption {
      default = false;
-      type = pkgs.lib.types.bool;
+      type = lib.types.bool;
      description = ''
        Turn on this option if you want firmware for the RT73 NIC.
      '';
@ -19,7 +19,7 @@
  ###### implementation
-  config = pkgs.lib.mkIf config.networking.enableRalinkFirmware {
+  config = lib.mkIf config.networking.enableRalinkFirmware {
    hardware.enableAllFirmware = true;
  };
--- a/nixos/modules/hardware/network/rtl8192c.nix
+++ b/nixos/modules/hardware/network/rtl8192c.nix
@ -1,4 +1,4 @@
-{pkgs, config, ...}:
+{pkgs, config, lib, ...}:
 {
@ -6,9 +6,9 @@
  options = {
-    networking.enableRTL8192cFirmware = pkgs.lib.mkOption {
+    networking.enableRTL8192cFirmware = lib.mkOption {
      default = false;
-      type = pkgs.lib.types.bool;
+      type = lib.types.bool;
      description = ''
        Turn on this option if you want firmware for the RTL8192c (and related) NICs.
      '';
@ -19,7 +19,7 @@
  ###### implementation
-  config = pkgs.lib.mkIf config.networking.enableRTL8192cFirmware {
+  config = lib.mkIf config.networking.enableRTL8192cFirmware {
    hardware.enableAllFirmware = true;
  };
--- a/nixos/modules/hardware/network/smc-2632w/default.nix
+++ b/nixos/modules/hardware/network/smc-2632w/default.nix
@ -1,9 +1,9 @@
-{pkgs, config, ...}:
+{lib, config, ...}:
 {
  hardware = {
    pcmcia = {
-      firmware = [ (pkgs.lib.cleanSource ./firmware) ];
+      firmware = [ (lib.cleanSource ./firmware) ];
    };
  };
 }
--- a/nixos/modules/hardware/opengl.nix
+++ b/nixos/modules/hardware/opengl.nix
@ -84,7 +84,7 @@ in
  config = mkIf cfg.enable {
-    assertions = pkgs.lib.singleton {
+    assertions = lib.singleton {
      assertion = cfg.driSupport32Bit -> pkgs.stdenv.isx86_64;
      message = "Option driSupport32Bit only makes sense on a 64-bit system.";
    };
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@ -179,7 +179,6 @@ in
    fileSystems."/" =
      { fsType = "tmpfs";
        device = "none";
        options = "mode=0755";
      };
@ -192,6 +191,8 @@ in
        noCheck = true;
      };
    # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
    # image) to make this a live CD.
    fileSystems."/nix/.ro-store" =
      { fsType = "squashfs";
        device = "/iso/nix-store.squashfs";
@ -201,23 +202,20 @@ in
    fileSystems."/nix/.rw-store" =
      { fsType = "tmpfs";
        device = "none";
        options = "mode=0755";
        neededForBoot = true;
      };
    fileSystems."/nix/store" =
      { fsType = "unionfs-fuse";
        device = "unionfs";
        options = "allow_other,cow,nonempty,chroot=/mnt-root,max_files=32768,hide_meta_files,dirs=/nix/.rw-store=rw:/nix/.ro-store=ro";
      };
    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" ];
    boot.initrd.kernelModules = [ "loop" ];
    # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
    # image) to make this a live CD.
    boot.initrd.postMountCommands =
      ''
        mkdir -p $targetRoot/nix/store
        unionfs -o allow_other,cow,nonempty,chroot=$targetRoot,max_files=32768 /nix/.rw-store=RW:/nix/.ro-store=RO $targetRoot/nix/store
      '';
    # Closures to be copied to the Nix store on the CD, namely the init
    # script and the top-level system configuration directory.
    isoImage.storeContents =
@ -313,8 +311,8 @@ in
      '';
    # Add vfat support to the initrd to enable people to copy the
-    # contents of the CD to a bootable USB stick. Need unionfs-fuse for union mounts
+    # contents of the CD to a bootable USB stick.
-    boot.initrd.supportedFilesystems = [ "vfat" "unionfs-fuse" ];
+    boot.initrd.supportedFilesystems = [ "vfat" ];
  };
--- a/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix
@ -152,7 +152,7 @@ in
  # default root password is empty.
  services.openssh.enable = true;
-  jobs.openssh.startOn = pkgs.lib.mkOverride 50 "";
+  jobs.openssh.startOn = lib.mkOverride 50 "";
  boot.loader.grub.enable = false;
  boot.loader.generationsDir.enable = false;
--- a/nixos/modules/installer/cd-dvd/system-tarball-pc.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball-pc.nix
@ -109,7 +109,7 @@ in
  # not be started by default on the installation CD because the
  # default root password is empty.
  services.openssh.enable = true;
-  jobs.openssh.startOn = pkgs.lib.mkOverride 50 "";
+  jobs.openssh.startOn = lib.mkOverride 50 "";
  # To be able to use the systemTarball to catch troubles.
  boot.crashDump = {
--- a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix
@ -165,7 +165,7 @@ in
  # not be started by default on the installation CD because the
  # default root password is empty.
  services.openssh.enable = true;
-  jobs.openssh.startOn = pkgs.lib.mkOverride 50 "";
+  jobs.openssh.startOn = lib.mkOverride 50 "";
  # cpufrequtils fails to build on non-pc
  powerManagement.enable = false;
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@ -97,6 +97,16 @@ if [ -n "$upgrade" -a -z "$_NIXOS_REBUILD_REEXEC" ]; then
    nix-channel --update nixos
 fi
 # Make sure that we use the Nix package we depend on, not something
 # else from the PATH for nix-{env,instantiate,build}.  This is
 # important, because NixOS defaults the architecture of the rebuilt
 # system to the architecture of the nix-* binaries used.  So if on an
 # amd64 system the user has an i686 Nix package in her PATH, then we
 # would silently downgrade the whole system to be i686 NixOS on the
 # next reboot.
 if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then
    export PATH=@nix@/bin:$PATH
 fi
 # Re-execute nixos-rebuild from the Nixpkgs tree.
 if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@ -1,7 +1,7 @@
 # This module generates nixos-install, nixos-rebuild,
 # nixos-generate-config, etc.
-{ config, pkgs, modulesPath, ... }:
+{ config, pkgs, modulesPath, lib, ... }:
 let
@ -32,6 +32,7 @@ let
  nixos-rebuild = makeProg {
    name = "nixos-rebuild";
    src = ./nixos-rebuild.sh;
    nix = config.nix.package;
  };
  nixos-generate-config = makeProg {
@ -64,7 +65,7 @@ let
        test -e "$out/chrome/content/jquery-1.5.2.js" ||
          cp -f "$jquery" "$out/chrome/content/jquery-1.5.2.js"
      '';
-      gui = pkgs.lib.cleanSource "${modulesPath}/../gui";
+      gui = lib.cleanSource "${modulesPath}/../gui";
      jquery = pkgs.fetchurl {
        url = http://code.jquery.com/jquery-1.5.2.min.js;
        sha256 = "8f0a19ee8c606b35a10904951e0a27da1896eafe33c6e88cb7bcbe455f05a24a";
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -1,19 +1,19 @@
 # This module defines the global list of uids and gids.  We keep a
 # central list to prevent id collisions.
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
  options = {
-    ids.uids = pkgs.lib.mkOption {
+    ids.uids = lib.mkOption {
      internal = true;
      description = ''
        The user IDs used in NixOS.
      '';
    };
-    ids.gids = pkgs.lib.mkOption {
+    ids.gids = lib.mkOption {
      internal = true;
      description = ''
        The group IDs used in NixOS.
@ -134,6 +134,12 @@
      teamspeak = 124;
      influxdb = 125;
      nsd = 126;
      gitolite = 127;
      znc = 128;
      polipo = 129;
      mopidy = 130;
      unifi = 131;
      gdm = 132;
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -242,6 +248,13 @@
      teamspeak = 124;
      influxdb = 125;
      nsd = 126;
      firebird = 127;
      znc = 128;
      polipo = 129;
      mopidy = 130;
      docker = 131;
      gdm = 132;
      tss = 133;
      # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
--- a/nixos/modules/misc/lib.nix
+++ b/nixos/modules/misc/lib.nix
@ -1,11 +1,11 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 {
  options = {
-    lib = pkgs.lib.mkOption {
+    lib = lib.mkOption {
      default = {};
-      type = pkgs.lib.types.attrsOf pkgs.lib.types.attrs;
+      type = lib.types.attrsOf lib.types.attrs;
      description = ''
        This option allows modules to define helper functions, constants, etc.
--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@ -3,12 +3,8 @@
 with lib;
 let
-
+  cfg = config.services.locate;
-  locatedb = "/var/cache/locatedb";
+in {
 in
 {
  ###### interface
@ -35,6 +31,31 @@ in
        '';
      };
      extraFlags = mkOption {
        type = types.listOf types.str;
        default = [ ];
        description = ''
          Extra flags to append to <command>updatedb</command>.
        '';
      };
      output = mkOption {
        type = types.path;
        default = /var/cache/locatedb;
        description = ''
          The database file to build.
        '';
      };
      localuser = mkOption {
        type = types.str;
        default = "nobody";
        description = ''
          The user to search non-network directories as, using
          <command>su</command>.
        '';
      };
    };
  };
@ -48,8 +69,10 @@ in
        path  = [ pkgs.su ];
        script =
          ''
-            mkdir -m 0755 -p $(dirname ${locatedb})
+            mkdir -m 0755 -p $(dirname ${toString cfg.output})
-            exec updatedb --localuser=nobody --output=${locatedb} --prunepaths='/tmp /var/tmp /media /run'
+            exec updatedb \
            --localuser=${cfg.localuser} \
            --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
          '';
        serviceConfig.Nice = 19;
        serviceConfig.IOSchedulingClass = "idle";
--- a/nixos/modules/misc/passthru.nix
+++ b/nixos/modules/misc/passthru.nix
@ -1,11 +1,11 @@
 # This module allows you to export something from configuration
 # Use case: export kernel source expression for ease of configuring
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 {
  options = {
-    passthru = pkgs.lib.mkOption {
+    passthru = lib.mkOption {
      visible = false;
      description = ''
        This attribute set will be exported as a system attribute.
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -14,17 +14,17 @@
  ./config/power-management.nix
  ./config/pulseaudio.nix
  ./config/shells-environment.nix
  ./config/system-environment.nix
  ./config/swap.nix
  ./config/sysctl.nix
  ./config/system-environment.nix
  ./config/system-path.nix
  ./config/timezone.nix
  ./config/unix-odbc-drivers.nix
  ./config/users-groups.nix
  ./config/zram.nix
  ./hardware/all-firmware.nix
  ./hardware/cpu/intel-microcode.nix
  ./hardware/cpu/amd-microcode.nix
  ./hardware/cpu/intel-microcode.nix
  ./hardware/network/b43.nix
  ./hardware/network/intel-2100bg.nix
  ./hardware/network/intel-2200bg.nix
@ -50,8 +50,10 @@
  ./programs/bash/bash.nix
  ./programs/bash/command-not-found.nix
  ./programs/blcr.nix
  ./programs/dconf.nix
  ./programs/environment.nix
  ./programs/info.nix
  ./programs/screen.nix
  ./programs/shadow.nix
  ./programs/shell.nix
  ./programs/ssh.nix
@ -59,7 +61,6 @@
  ./programs/venus.nix
  ./programs/wvdial.nix
  ./programs/zsh/zsh.nix
  ./programs/screen.nix
  ./rename.nix
  ./security/apparmor.nix
  ./security/apparmor-suid.nix
@ -79,6 +80,7 @@
  ./services/audio/alsa.nix
  ./services/audio/fuppes.nix
  ./services/audio/mpd.nix
  ./services/audio/mopidy.nix
  ./services/backup/almir.nix
  ./services/backup/bacula.nix
  ./services/backup/mysql-backup.nix
@ -92,15 +94,15 @@
  ./services/databases/4store.nix
  ./services/databases/couchdb.nix
  ./services/databases/firebird.nix
  ./services/databases/influxdb.nix
  ./services/databases/memcached.nix
  ./services/databases/monetdb.nix
  ./services/databases/mongodb.nix
  ./services/databases/redis.nix
  ./services/databases/mysql.nix
  ./services/databases/openldap.nix
  ./services/databases/postgresql.nix
  ./services/databases/redis.nix
  ./services/databases/virtuoso.nix
  ./services/databases/monetdb.nix
  ./services/databases/influxdb.nix
  ./services/desktops/accountsservice.nix
  ./services/desktops/geoclue2.nix
  ./services/desktops/gnome3/at-spi2-core.nix
@ -124,16 +126,18 @@
  ./services/hardware/pcscd.nix
  ./services/hardware/pommed.nix
  ./services/hardware/sane.nix
  ./services/hardware/tcsd.nix
  ./services/hardware/thinkfan.nix
  ./services/hardware/udev.nix
  ./services/hardware/udisks2.nix
  ./services/hardware/upower.nix
  ./services/hardware/thinkfan.nix
  ./services/logging/klogd.nix
  ./services/logging/logcheck.nix
  ./services/logging/logrotate.nix
  ./services/logging/logstash.nix
  ./services/logging/syslogd.nix
  ./services/logging/rsyslogd.nix
  ./services/logging/syslogd.nix
  ./services/logging/syslog-ng.nix
  ./services/mail/dovecot.nix
  ./services/mail/freepops.nix
  ./services/mail/mail.nix
@ -146,11 +150,12 @@
  ./services/misc/disnix.nix
  ./services/misc/felix.nix
  ./services/misc/folding-at-home.nix
  ./services/misc/gitolite.nix
  ./services/misc/gpsd.nix
  ./services/misc/nix-daemon.nix
  ./services/misc/nix-gc.nix
  ./services/misc/nix-ssh-serve.nix
  ./services/misc/nixos-manual.nix
  ./services/misc/nix-ssh-serve.nix
  ./services/misc/rippled.nix
  ./services/misc/rogue.nix
  ./services/misc/svnserve.nix
@ -178,24 +183,23 @@
  ./services/networking/bind.nix
  ./services/networking/bitlbee.nix
  ./services/networking/btsync.nix
  ./services/networking/cjdns.nix
  ./services/networking/connman.nix
  ./services/networking/cntlm.nix
  ./services/networking/chrony.nix
  ./services/networking/cjdns.nix
  ./services/networking/cntlm.nix
  ./services/networking/connman.nix
  ./services/networking/ddclient.nix
  ./services/networking/dhcpcd.nix
  ./services/networking/dhcpd.nix
  ./services/networking/dnsmasq.nix
  ./services/networking/ejabberd.nix
  ./services/networking/firewall.nix
  ./services/networking/haproxy.nix
  ./services/networking/tcpcrypt.nix
  ./services/networking/flashpolicyd.nix
  ./services/networking/freenet.nix
  ./services/networking/git-daemon.nix
  ./services/networking/gnunet.nix
  ./services/networking/gogoclient.nix
  ./services/networking/gvpe.nix
  ./services/networking/haproxy.nix
  ./services/networking/hostapd.nix
  ./services/networking/ifplugd.nix
  ./services/networking/iodined.nix
@ -213,28 +217,33 @@
  ./services/networking/oidentd.nix
  ./services/networking/openfire.nix
  ./services/networking/openvpn.nix
  ./services/networking/polipo.nix
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
  ./services/networking/quassel.nix
  ./services/networking/radicale.nix
  ./services/networking/radvd.nix
  ./services/networking/rdnssd.nix
  ./services/networking/rpcbind.nix
  ./services/networking/sabnzbd.nix
  ./services/networking/searx.nix
  ./services/networking/spiped.nix
  ./services/networking/supybot.nix
  ./services/networking/syncthing.nix
  ./services/networking/ssh/lshd.nix
  ./services/networking/ssh/sshd.nix
  ./services/networking/supybot.nix
  ./services/networking/syncthing.nix
  ./services/networking/tcpcrypt.nix
  ./services/networking/teamspeak3.nix
  ./services/networking/tftpd.nix
  ./services/networking/unbound.nix
  ./services/networking/unifi.nix
  ./services/networking/vsftpd.nix
  ./services/networking/wakeonlan.nix
  ./services/networking/websockify.nix
  ./services/networking/wicd.nix
  ./services/networking/wpa_supplicant.nix
  ./services/networking/xinetd.nix
  ./services/networking/znc.nix
  ./services/printing/cupsd.nix
  ./services/scheduling/atd.nix
  ./services/scheduling/cron.nix
@ -242,11 +251,11 @@
  ./services/search/elasticsearch.nix
  ./services/search/solr.nix
  ./services/security/clamav.nix
  ./services/security/haveged.nix
  ./services/security/fprot.nix
  ./services/security/frandom.nix
-  ./services/security/tor.nix
+  ./services/security/haveged.nix
  ./services/security/torify.nix
  ./services/security/tor.nix
  ./services/security/torsocks.nix
  ./services/system/dbus.nix
  ./services/system/kerberos.nix
@ -254,14 +263,14 @@
  ./services/system/uptimed.nix
  ./services/torrent/deluge.nix
  ./services/torrent/transmission.nix
  ./services/ttys/gpm.nix
  ./services/ttys/agetty.nix
  ./services/ttys/gpm.nix
  ./services/ttys/kmscon.nix
  ./services/web-servers/apache-httpd/default.nix
  ./services/web-servers/fcgiwrap.nix
  ./services/web-servers/jboss/default.nix
  ./services/web-servers/lighttpd/default.nix
  ./services/web-servers/lighttpd/cgit.nix
  ./services/web-servers/lighttpd/default.nix
  ./services/web-servers/lighttpd/gitweb.nix
  ./services/web-servers/nginx/default.nix
  ./services/web-servers/phpfpm.nix
@ -272,26 +281,29 @@
  ./services/x11/desktop-managers/default.nix
  ./services/x11/display-managers/auto.nix
  ./services/x11/display-managers/default.nix
  ./services/x11/display-managers/gdm.nix
  ./services/x11/display-managers/kdm.nix
  ./services/x11/display-managers/slim.nix
  ./services/x11/display-managers/lightdm.nix
  ./services/x11/display-managers/slim.nix
  ./services/x11/hardware/multitouch.nix
  ./services/x11/hardware/synaptics.nix
  ./services/x11/hardware/wacom.nix
  ./services/x11/redshift.nix
  ./services/x11/window-managers/awesome.nix
  #./services/x11/window-managers/compiz.nix
  ./services/x11/window-managers/default.nix
  ./services/x11/window-managers/icewm.nix
  ./services/x11/window-managers/bspwm.nix
  ./services/x11/window-managers/metacity.nix
  ./services/x11/window-managers/none.nix
  ./services/x11/window-managers/twm.nix
  ./services/x11/window-managers/wmii.nix
  ./services/x11/window-managers/xmonad.nix
  ./services/x11/redshift.nix
  ./services/x11/xfs.nix
  ./services/x11/xserver.nix
  ./system/activation/activation-script.nix
  ./system/activation/top-level.nix
  ./system/boot/emergency-mode.nix
  ./system/boot/kernel.nix
  ./system/boot/kexec.nix
  ./system/boot/loader/efi.nix
@ -307,11 +319,14 @@
  ./system/boot/stage-1.nix
  ./system/boot/stage-2.nix
  ./system/boot/systemd.nix
  ./system/boot/tmp.nix
  ./system/etc/etc.nix
  ./system/upstart/upstart.nix
  ./tasks/cpu-freq.nix
  ./tasks/encrypted-devices.nix
  ./tasks/filesystems.nix
  ./tasks/filesystems/btrfs.nix
  ./tasks/filesystems/cifs.nix
  ./tasks/filesystems/ext.nix
  ./tasks/filesystems/f2fs.nix
  ./tasks/filesystems/nfs.nix
@ -320,7 +335,6 @@
  ./tasks/filesystems/vfat.nix
  ./tasks/filesystems/xfs.nix
  ./tasks/filesystems/zfs.nix
  ./tasks/encrypted-devices.nix
  ./tasks/kbd.nix
  ./tasks/lvm.nix
  ./tasks/network-interfaces.nix
@ -330,6 +344,7 @@
  ./testing/service-runner.nix
  ./virtualisation/container-config.nix
  ./virtualisation/containers.nix
  ./virtualisation/docker.nix
  ./virtualisation/libvirtd.nix
  #./virtualisation/nova.nix
  ./virtualisation/virtualbox-guest.nix
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@ -7,7 +7,6 @@
  # Include some utilities that are useful for installing or repairing
  # the system.
  environment.systemPackages = [
    pkgs.subversion # for nixos-checkout
    pkgs.w3m # needed for the manual anyway
    pkgs.testdisk # useful for repairing boot problems
    pkgs.mssys # for writing Microsoft boot sectors / MBRs
--- a/nixos/modules/programs/blcr.nix
+++ b/nixos/modules/programs/blcr.nix
@ -1,7 +1,7 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 let
-  inherit (pkgs.lib) mkOption mkIf;
+  inherit (lib) mkOption mkIf;
  cfg = config.environment.blcr;
  blcrPkg = config.boot.kernelPackages.blcr;
 in
--- a/nixos/modules/programs/dconf.nix
+++ b/nixos/modules/programs/dconf.nix
@ -0,0 +1,34 @@
 { config, lib, ... }:
 let
  inherit (lib) mkOption mkIf types mapAttrsToList;
  cfg = config.programs.dconf;
  mkDconfProfile = name: path:
    { source = path; target = "dconf/profile/${name}"; };
 in
 {
  ###### interface
  options = {
    programs.dconf = {
      profiles = mkOption {
        type = types.attrsOf types.path;
        default = {};
        description = "Set of dconf profile files.";
        internal = true;
      };
    };
  };
  ###### implementation
  config = mkIf (cfg.profiles != {}) {
    environment.etc =
      (mapAttrsToList mkDconfProfile cfg.profiles);
  };
 }
--- a/nixos/modules/programs/info.nix
+++ b/nixos/modules/programs/info.nix
@ -2,6 +2,8 @@
 let
  texinfo = pkgs.texinfoInteractive;
  # Quick hack to make the `info' command work properly.  `info' needs
  # a "dir" file containing all the installed Info files, which we
  # don't have (it would be impure to have a package installation
@ -22,15 +24,15 @@ let
      for i in $(IFS=:; echo $INFOPATH); do
          for j in $i/*.info; do
-              ${pkgs.texinfo}/bin/install-info --quiet $j $dir/dir
+              ${texinfo}/bin/install-info --quiet $j $dir/dir
          done
      done
-      INFOPATH=$dir:$INFOPATH ${pkgs.texinfo}/bin/info "$@"
+      INFOPATH=$dir:$INFOPATH ${texinfo}/bin/info "$@"
    ''; # */
 in
 {
-  environment.systemPackages = [ infoWrapper pkgs.texinfo ];
+  environment.systemPackages = [ infoWrapper texinfo ];
 }
--- a/nixos/modules/programs/screen.nix
+++ b/nixos/modules/programs/screen.nix
@ -1,7 +1,7 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 let
-  inherit (pkgs.lib) mkOption mkIf types;
+  inherit (lib) mkOption mkIf types;
  cfg = config.programs.screen;
 in
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@ -40,7 +40,7 @@ in
  options = {
-    users.defaultUserShell = pkgs.lib.mkOption {
+    users.defaultUserShell = lib.mkOption {
      description = ''
        This option defines the default shell assigned to user
        accounts.  This must not be a store path, since the path is
@ -60,7 +60,7 @@ in
  config = {
    environment.systemPackages =
-      pkgs.lib.optional config.users.mutableUsers pkgs.shadow;
+      lib.optional config.users.mutableUsers pkgs.shadow;
    environment.etc =
      [ { # /etc/login.defs: global configuration for pwdutils.  You
--- a/nixos/modules/programs/virtualbox.nix
+++ b/nixos/modules/programs/virtualbox.nix
@ -14,6 +14,7 @@ let virtualbox = config.boot.kernelPackages.virtualbox; in
  services.udev.extraRules =
    ''
      KERNEL=="vboxdrv",    OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
      KERNEL=="vboxdrvu",   OWNER="root", GROUP="root",      MODE="0666", TAG+="systemd"
      KERNEL=="vboxnetctl", OWNER="root", GROUP="root",      MODE="0600", TAG+="systemd"
      SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
      SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@ -13,8 +13,9 @@ with lib;
      ];
    environment.sessionVariables =
-      { OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
+      { SSL_CERT_FILE          = "/etc/ssl/certs/ca-bundle.crt";
-        CURL_CA_BUNDLE         = "/etc/ssl/certs/ca-bundle.crt";
+        # FIXME: unneeded - remove eventually.
        OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-bundle.crt";
      };
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -50,7 +50,7 @@ in
          description = ''
            grsecurity configuration mode. This specifies whether
            grsecurity is auto-configured or otherwise completely
-            manually configured. Can either by
+            manually configured. Can either be
            <literal>custom</literal> or <literal>auto</literal>.
            <literal>auto</literal> is recommended.
@ -64,7 +64,7 @@ in
          description = ''
            grsecurity configuration priority. This specifies whether
            the kernel configuration should emphasize speed or
-            security. Can either by <literal>security</literal> or
+            security. Can either be <literal>security</literal> or
            <literal>performance</literal>.
          '';
        };
@ -76,7 +76,7 @@ in
          description = ''
            grsecurity system configuration. This specifies whether
            the kernel configuration should be suitable for a Desktop
-            or a Server. Can either by <literal>server</literal> or
+            or a Server. Can either be <literal>server</literal> or
            <literal>desktop</literal>.
          '';
        };
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -189,7 +189,9 @@ let
          session required pam_env.so envfile=${config.system.build.pamEnvironment}
          session required pam_unix.so
          ${optionalString cfg.setLoginUid
-              "session required pam_loginuid.so"}
+              "session ${
                if config.boot.isContainer then "optional" else "required"
              } pam_loginuid.so"}
          ${optionalString cfg.updateWtmp
              "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
          ${optionalString config.users.ldap.enable
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@ -30,7 +30,8 @@ with lib;
      description = "Hardware RNG Entropy Gatherer Daemon";
-      serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f";
+      serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" +
        (if config.services.tcsd.enable then " --no-tpm=1" else "");
      restartTriggers = [ pkgs.rng_tools ];
    };
--- a/nixos/modules/services/amqp/activemq/default.nix
+++ b/nixos/modules/services/amqp/activemq/default.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 with lib;
 with pkgs;
 with lib;
 let
@ -12,7 +12,7 @@ let
    phases = [ "installPhase" ];
    buildInputs = [ jdk ];
    installPhase = ''
-      ensureDir $out/lib
+      mkdir -p $out/lib
      source ${activemq}/lib/classpath.env
      export CLASSPATH
      ln -s "${./ActiveMQBroker.java}" ActiveMQBroker.java
--- a/nixos/modules/services/amqp/rabbitmq.nix
+++ b/nixos/modules/services/amqp/rabbitmq.nix
@ -4,6 +4,8 @@ with lib;
 let
  cfg = config.services.rabbitmq;
  config_file = pkgs.writeText "rabbitmq.config" cfg.config;
  config_file_wo_suffix = builtins.substring 0 ((builtins.stringLength config_file) - 7) config_file;
 in {
  ###### interface
@ -31,7 +33,6 @@ in {
        '';
      };
      dataDir = mkOption {
        type = types.path;
        default = "/var/lib/rabbitmq";
@ -40,6 +41,30 @@ in {
        '';
      };
      cookie = mkOption {
        default = "";
        type = types.str;
        description = ''
          Erlang cookie is a string of arbitrary length which must
          be the same for several nodes to be allowed to communicate.
          Leave empty to generate automatically.
        '';
      };
      config = mkOption {
        default = "";
        type = types.str;
        description = ''
          Verbatim configuration file contents.
          See http://www.rabbitmq.com/configure.htm
        '';
      };
      plugins = mkOption {
        default = [];
        type = types.listOf types.str;
        description = "The names of plugins to enable";
      };
    };
  };
@ -69,7 +94,10 @@ in {
        RABBITMQ_NODE_IP_ADDRESS = cfg.listenAddress;
        RABBITMQ_SERVER_START_ARGS = "-rabbit error_logger tty -rabbit sasl_error_logger false";
        SYS_PREFIX = "";
-      };
+        RABBITMQ_ENABLED_PLUGINS_FILE = pkgs.writeText "enabled_plugins" ''
          [ ${concatStringsSep "," cfg.plugins} ].
        '';
      } //  optionalAttrs (cfg.config != "") { RABBITMQ_CONFIG_FILE = config_file_wo_suffix; };
      serviceConfig = {
        ExecStart = "${pkgs.rabbitmq_server}/sbin/rabbitmq-server";
@ -81,6 +109,15 @@ in {
      preStart = ''
        mkdir -p ${cfg.dataDir} && chmod 0700 ${cfg.dataDir}
        if [ "$(id -u)" = 0 ]; then chown rabbitmq:rabbitmq ${cfg.dataDir}; fi
        ${optionalString (cfg.cookie != "") ''
            echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie
            chmod 400 ${cfg.dataDir}/.erlang.cookie
            chown rabbitmq:rabbitmq ${cfg.dataDir}/.erlang.cookie
        ''}
        mkdir -p /var/log/rabbitmq && chmod 0700 /var/log/rabbitmq
        chown rabbitmq:rabbitmq /var/log/rabbitmq
      '';
    };
--- a/nixos/modules/services/audio/mopidy.nix
+++ b/nixos/modules/services/audio/mopidy.nix
@ -0,0 +1,118 @@
 { config, lib, pkgs, ... }:
 with pkgs;
 with lib;
 let
  uid = config.ids.uids.mopidy;
  gid = config.ids.gids.mopidy;
  cfg = config.services.mopidy;
  mopidyConf = writeText "mopidy.conf" cfg.configuration;
  mopidyLauncher = stdenv.mkDerivation {
    name = "mopidy-launcher";
    phases = [ "installPhase" ];
    buildInputs = [ makeWrapper python ];
    installPhase = ''
      mkdir -p $out/bin
      ln -s ${mopidy}/bin/mopidy $out/bin/mopidy
      wrapProgram $out/bin/mopidy \
        --prefix PYTHONPATH : \
        "${concatStringsSep ":" (map (p: "$(toPythonPath ${p})") cfg.extensionPackages)}"
    '';
  };
 in {
  options = {
    services.mopidy = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to enable Mopidy, a music player daemon.
        '';
      };
      dataDir = mkOption {
        default = "/var/lib/mopidy";
        type = types.str;
        description = ''
          The directory where Mopidy stores its state.
        '';
      };
      extensionPackages = mkOption {
        default = [];
        type = types.listOf types.package;
        example = [ mopidy-spotify ];
        description = ''
          Mopidy extensions that should be loaded by the service.
        '';
      };
      configuration = mkOption {
        type = types.lines;
        description = ''
          The configuration that Mopidy should use.
        '';
      };
      extraConfigFiles = mkOption {
        default = [];
        type = types.listOf types.str;
        description = ''
          Extra config file read by Mopidy when the service starts.
          Later files in the list overrides earlier configuration.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    systemd.services.mopidy = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "sound.target" ];
      description = "mopidy music player daemon";
      preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy  ${cfg.dataDir}";
      serviceConfig = {
        ExecStart = "${mopidyLauncher}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}";
        User = "mopidy";
        PermissionsStartOnly = true;
      };
    };
    systemd.services.mopidy-scan = {
      description = "mopidy local files scanner";
      preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy  ${cfg.dataDir}";
      serviceConfig = {
        ExecStart = "${mopidyLauncher}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)} local scan";
        User = "mopidy";
        PermissionsStartOnly = true;
        Type = "oneshot";
      };
    };
    users.extraUsers.mopidy = {
      inherit uid;
      group = "mopidy";
      extraGroups = [ "audio" ];
      description = "Mopidy daemon user";
      home = "${cfg.dataDir}";
    };
    users.extraGroups.mopidy.gid = gid;
  };
 }
--- a/nixos/modules/services/backup/sitecopy-backup.nix
+++ b/nixos/modules/services/backup/sitecopy-backup.nix
@ -73,7 +73,7 @@ in
        touch ${stateDir}/sitecopy.secrets
        chown root ${stateDir}/sitecopy.secrets
-        ${pkgs.lib.concatStrings (map ( b: ''
+        ${lib.concatStrings (map ( b: ''
            unset secrets
            unset secret
            secrets=`grep '^${b.server}' ${stateDir}/sitecopy.secrets | head -1`
--- a/nixos/modules/services/databases/firebird.nix
+++ b/nixos/modules/services/databases/firebird.nix
@ -159,5 +159,7 @@ in
      uid = config.ids.uids.firebird;
    };
    users.extraGroups.firebird.gid = config.ids.gids.firebird;
  };
 }
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@ -68,7 +68,7 @@ in
    users.extraUsers = optionalAttrs (cfg.user == "openldap") (singleton
      { name = "openldap";
-        group = "openldap";
+        group = cfg.group;
        uid = config.ids.uids.openldap;
      });
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -85,7 +85,7 @@ in
          Defines how users authenticate themselves to the server. By
          default, "trust" access to local users will always be granted
          along with any other custom options. If you do not want this,
-          set this option using "pkgs.lib.mkForce" to override this
+          set this option using "lib.mkForce" to override this
          behaviour.
        '';
      };
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@ -38,86 +38,92 @@ in
    services.redis = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable the Redis server.";
      };
      package = mkOption {
        type = types.package;
        default = pkgs.redis;
        description = "Which Redis derivation to use.";
        type = types.package;
      };
      user = mkOption {
        type = types.str;
        default = "redis";
        description = "User account under which Redis runs.";
      };
      pidFile = mkOption {
        type = types.path;
        default = "/var/lib/redis/redis.pid";
        description = "";
      };
      port = mkOption {
        type = types.int;
        default = 6379;
        description = "The port for Redis to listen to.";
        type = with types; int;
      };
      bind = mkOption {
        type = with types; nullOr str;
        default = null; # All interfaces
        description = "The IP interface to bind to.";
        example = "127.0.0.1";
      };
      unixSocket = mkOption {
        type = with types; nullOr path;
        default = null;
        description = "The path to the socket to bind to.";
        example = "/var/run/redis.sock";
      };
      logLevel = mkOption {
        type = types.str;
        default = "notice"; # debug, verbose, notice, warning
        example = "debug";
        description = "Specify the server verbosity level, options: debug, verbose, notice, warning.";
        type = with types; string;
      };
      logfile = mkOption {
        type = types.str;
        default = "/dev/null";
        description = "Specify the log file name. Also 'stdout' can be used to force Redis to log on the standard output.";
        example = "/var/log/redis.log";
        type = with types; string;
      };
      syslog = mkOption {
        type = types.bool;
        default = true;
        description = "Enable logging to the system logger.";
        type = with types; bool;
      };
      databases = mkOption {
        type = types.int;
        default = 16;
        description = "Set the number of databases.";
        type = with types; int;
      };
      save = mkOption {
        type = with types; listOf (listOf int);
        default = [ [900 1] [300 10] [60 10000] ];
        description = "The schedule in which data is persisted to disk, represented as a list of lists where the first element represent the amount of seconds and the second the number of changes.";
        example = [ [900 1] [300 10] [60 10000] ];
      };
      dbFilename = mkOption {
        type = types.str;
        default = "dump.rdb";
        description = "The filename where to dump the DB.";
        type = with types; string;
      };
      dbpath = mkOption {
        type = types.path;
        default = "/var/lib/redis";
        description = "The DB will be written inside this directory, with the filename specified using the 'dbFilename' configuration.";
        type = with types; string;
      };
      slaveOf = mkOption {
@ -135,46 +141,47 @@ in
      };
      requirePass = mkOption {
        type = with types; nullOr str;
        default = null;
        description = "Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)";
        example = "letmein!";
      };
      appendOnly = mkOption {
        type = types.bool;
        default = false;
        description = "By default data is only periodically persisted to disk, enable this option to use an append-only file for improved persistence.";
        type = with types; bool;
      };
      appendOnlyFilename = mkOption {
        type = types.str;
        default = "appendonly.aof";
        description = "Filename for the append-only file (stored inside of dbpath)";
        type = with types; string;
      };
      appendFsync = mkOption {
        type = types.str;
        default = "everysec"; # no, always, everysec
        description = "How often to fsync the append-only log, options: no, always, everysec.";
        type = with types; string;
      };
      slowLogLogSlowerThan = mkOption {
        type = types.int;
        default = 10000;
        description = "Log queries whose execution take longer than X in milliseconds.";
        example = 1000;
        type = with types; int;
      };
      slowLogMaxLen = mkOption {
        type = types.int;
        default = 128;
        description = "Maximum number of items to keep in slow log.";
        type = with types; int;
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = "Extra configuration options for redis.conf.";
        type = with types; string;
      };
    };
--- a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
+++ b/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
@ -4,9 +4,6 @@
 with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
 in
 {
  ###### interface
@ -33,9 +30,9 @@ in
  config = mkIf config.services.gnome3.at-spi2-core.enable {
-    environment.systemPackages = [ gnome3.at_spi2_core ];
+    environment.systemPackages = [ pkgs.at_spi2_core ];
-    services.dbus.packages = [ gnome3.at_spi2_core ];
+    services.dbus.packages = [ pkgs.at_spi2_core ];
  };
--- a/nixos/modules/services/desktops/gnome3/gnome-documents.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-documents.nix
@ -1,8 +1,8 @@
 # GNOME Documents daemon.
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-with pkgs.lib;
+with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
--- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
@ -1,8 +1,8 @@
 # GNOME Keyring daemon.
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-with pkgs.lib;
+with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
--- a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
@ -1,8 +1,8 @@
 # GNOME Online Accounts daemon.
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-with pkgs.lib;
+with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
--- a/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix
@ -1,8 +1,8 @@
 # GNOME Online Miners daemon.
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-with pkgs.lib;
+with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
--- a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
@ -1,8 +1,8 @@
 # GNOME User Share daemon.
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-with pkgs.lib;
+with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
--- a/nixos/modules/services/desktops/gnome3/gvfs.nix
+++ b/nixos/modules/services/desktops/gnome3/gvfs.nix
@ -1,8 +1,8 @@
 # gvfs backends
-{ config, pkgs, ... }:
+{ config, lib, ... }:
-with pkgs.lib;
+with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
--- a/nixos/modules/services/desktops/gnome3/seahorse.nix
+++ b/nixos/modules/services/desktops/gnome3/seahorse.nix
@ -1,8 +1,8 @@
 # Seahorse daemon.
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-with pkgs.lib;
+with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
--- a/nixos/modules/services/desktops/gnome3/tracker.nix
+++ b/nixos/modules/services/desktops/gnome3/tracker.nix
@ -1,8 +1,8 @@
 # Tracker daemon.
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-with pkgs.lib;
+with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
--- a/nixos/modules/services/hardware/acpid.nix
+++ b/nixos/modules/services/hardware/acpid.nix
@ -6,7 +6,7 @@ let
  acpiConfDir = pkgs.runCommand "acpi-events" {}
    ''
-      ensureDir $out
+      mkdir -p $out
      ${
        # Generate a configuration file for each event. (You can't have
        # multiple events in one config file...)
@ -16,7 +16,7 @@ let
            echo "event=${event.event}" > $fn
            echo "action=${pkgs.writeScript "${event.name}.sh" event.action}" >> $fn
          '';
-        in pkgs.lib.concatMapStrings f events
+        in lib.concatMapStrings f events
      }
    '';
--- a/nixos/modules/services/hardware/amd-hybrid-graphics.nix
+++ b/nixos/modules/services/hardware/amd-hybrid-graphics.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
@ -6,9 +6,9 @@
  options = {
-    hardware.amdHybridGraphics.disable = pkgs.lib.mkOption {
+    hardware.amdHybridGraphics.disable = lib.mkOption {
      default = false;
-      type = pkgs.lib.types.bool;
+      type = lib.types.bool;
      description = ''
        Completely disable the AMD graphics card and use the
        integrated graphics processor instead.
@ -20,7 +20,7 @@
  ###### implementation
-  config = pkgs.lib.mkIf config.hardware.amdHybridGraphics.disable {
+  config = lib.mkIf config.hardware.amdHybridGraphics.disable {
    systemd.services."amd-hybrid-graphics" = {
      path = [ pkgs.bash ];
      description = "Disable AMD Card";
--- a/nixos/modules/services/hardware/nvidia-optimus.nix
+++ b/nixos/modules/services/hardware/nvidia-optimus.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let kernel = config.boot.kernelPackages; in
@ -8,9 +8,9 @@ let kernel = config.boot.kernelPackages; in
  options = {
-    hardware.nvidiaOptimus.disable = pkgs.lib.mkOption {
+    hardware.nvidiaOptimus.disable = lib.mkOption {
      default = false;
-      type = pkgs.lib.types.bool;
+      type = lib.types.bool;
      description = ''
        Completely disable the NVIDIA graphics card and use the
        integrated graphics processor instead.
@ -22,7 +22,7 @@ let kernel = config.boot.kernelPackages; in
  ###### implementation
-  config = pkgs.lib.mkIf config.hardware.nvidiaOptimus.disable {
+  config = lib.mkIf config.hardware.nvidiaOptimus.disable {
    boot.blacklistedKernelModules = ["nouveau" "nvidia" "nvidiafb"];
    boot.kernelModules = [ "bbswitch" ];
    boot.extraModulePackages = [ kernel.bbswitch ];
--- a/nixos/modules/services/hardware/tcsd.nix
+++ b/nixos/modules/services/hardware/tcsd.nix
@ -0,0 +1,139 @@
 # tcsd daemon.
 { config, pkgs, ... }:
 with pkgs.lib;
 let
  cfg = config.services.tcsd;
  tcsdConf = pkgs.writeText "tcsd.conf" ''
    port = 30003
    num_threads = 10
    system_ps_file = ${cfg.stateDir}/system.data
    # This is the log of each individual measurement done by the system.
    # By re-calculating the PCR registers based on this information, even
    # finer details about the measured environment can be inferred than
    # what is available directly from the PCR registers.
    firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
    kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
    #firmware_pcrs = 0,1,2,3,4,5,6,7
    #kernel_pcrs = 10,11
    platform_cred = ${cfg.platformCred}
    conformance_cred = ${cfg.conformanceCred}
    endorsement_cred = ${cfg.endorsementCred}
    #remote_ops = create_key,random
    #host_platform_class = server_12
    #all_platform_classes = pc_11,pc_12,mobile_12
  '';
 in
 {
  ###### interface
  options = {
    services.tcsd = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to enable tcsd, a Trusted Computing management service
          that provides TCG Software Stack (TSS).  The tcsd daemon is
          the only portal to the Trusted Platform Module (TPM), a hardware
          chip on the motherboard.
        '';
      };
      user = mkOption {
        default = "tss";
        type = types.string;
        description = "User account under which tcsd runs.";
      };
      group = mkOption {
        default = "tss";
        type = types.string;
        description = "Group account under which tcsd runs.";
      };
      stateDir = mkOption {
 	default = "/var/lib/tpm";
        type = types.path;
 	description = ''
          The location of the system persistent storage file.
          The system persistent storage file holds keys and data across
          restarts of the TCSD and system reboots. 
 	'';
      };
      platformCred = mkOption {
        default = "${cfg.stateDir}/platform.cert";
        type = types.path;
        description = ''
 	  Path to the platform credential for your TPM. Your TPM
          manufacturer may have provided you with a set of credentials
          (certificates) that should be used when creating identities
          using your TPM. When a user of your TPM makes an identity,
          this credential will be encrypted as part of that process.
          See the 1.1b TPM Main specification section 9.3 for information
          on this process. '';
      };
      conformanceCred = mkOption {
        default = "${cfg.stateDir}/conformance.cert";
        type = types.path;
        description = ''
          Path to the conformance credential for your TPM.
          See also the platformCred option'';
      };
      endorsementCred = mkOption {
        default = "${cfg.stateDir}/endorsement.cert";
        type = types.path;
        description = ''
          Path to the endorsement credential for your TPM.
          See also the platformCred option'';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.trousers ];
 #    system.activationScripts.tcsd =
 #      ''
 #        chown ${cfg.user}:${cfg.group} ${tcsdConf}
 #      '';
    systemd.services.tcsd = {
      description = "TCSD";
      after = [ "systemd-udev-settle.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.trousers ];
      preStart =
        ''
        mkdir -m 0700 -p ${cfg.stateDir}
        chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
        '';
      serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}";
    };
    users.extraUsers = optionalAttrs (cfg.user == "tss") (singleton
      { name = "tss";
        group = "tss";
        uid = config.ids.uids.nginx;
      });
    users.extraGroups = optionalAttrs (cfg.group == "tss") (singleton
      { name = "tss";
        gid = config.ids.gids.nginx;
      });
  };
 }
--- a/nixos/modules/services/logging/logrotate.nix
+++ b/nixos/modules/services/logging/logrotate.nix
@ -8,10 +8,6 @@ let
  configFile = pkgs.writeText "logrotate.conf"
    cfg.config;
  cronJob = ''
    5 * * * * root ${pkgs.logrotate}/sbin/logrotate ${configFile}
  '';
 in
 {
  options = {
@ -33,6 +29,16 @@ in
  };
  config = mkIf cfg.enable {
-    services.cron.systemCronJobs = [ cronJob ];
+    systemd.services.logrotate = {
      description   = "Logrotate Service";
      wantedBy      = [ "multi-user.target" ];
      startAt       = "*-*-* *:05:00";
      serviceConfig.Restart = "no";
      serviceConfig.User    = "root";
      script = ''
        exec ${pkgs.logrotate}/sbin/logrotate ${configFile}
      '';
    };
  };
 }
--- a/nixos/modules/services/logging/logstash.nix
+++ b/nixos/modules/services/logging/logstash.nix
@ -69,9 +69,9 @@ in
    systemd.services.logstash = with pkgs; {
      description = "Logstash Daemon";
      wantedBy = [ "multi-user.target" ];
-
+      environment = { JAVA_HOME = jre; };
      serviceConfig = {
-        ExecStart = "${jre}/bin/java -jar ${logstash} agent -f ${writeText "logstash.conf" ''
+        ExecStart = "${logstash}/bin/logstash agent -f ${writeText "logstash.conf" ''
          input {
            ${cfg.inputConfig}
          }
--- a/nixos/modules/services/logging/syslog-ng.nix
+++ b/nixos/modules/services/logging/syslog-ng.nix
@ -0,0 +1,83 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.syslog-ng;
  syslogngConfig = pkgs.writeText "syslog-ng.conf" ''
    @version: 3.5
    @include "scl.conf"
    ${cfg.extraConfig}
  '';
  ctrlSocket = "/run/syslog-ng/syslog-ng.ctl";
  pidFile = "/run/syslog-ng/syslog-ng.pid";
  persistFile = "/var/syslog-ng/syslog-ng.persist";
  syslogngOptions = [
    "--foreground"
    "--module-path=${concatStringsSep ":" (["${pkgs.syslogng}/lib/syslog-ng"] ++ cfg.extraModulePaths)}"
    "--cfgfile=${syslogngConfig}"
    "--control=${ctrlSocket}"
    "--persist-file=${persistFile}"
    "--pidfile=${pidFile}"
  ];
 in {
  options = {
    services.syslog-ng = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the syslog-ng daemon.
        '';
      };
      serviceName = mkOption {
        type = types.str;
        default = "syslog-ng";
        description = ''
          The name of the systemd service that runs syslog-ng. Set this to
          <literal>syslog</literal> if you want journald to automatically
          forward all logs to syslog-ng.
        '';
      };
      extraModulePaths = mkOption {
        type = types.listOf types.str;
        default = [];
        example = [ "${pkgs.syslogng_incubator}/lib/syslog-ng" ];
        description = ''
          A list of paths that should be included in syslog-ng's
          <literal>--module-path</literal> option. They should usually
          end in <literal>/lib/syslog-ng</literal>
        '';
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Configuration added to the end of <literal>syslog-ng.conf</literal>.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services."${cfg.serviceName}" = {
      wantedBy = [ "multi-user.target" ];
      preStart = "mkdir -p /{var,run}/syslog-ng";
      serviceConfig = {
        Type = "notify";
        Sockets = "syslog.socket";
        StandardOutput = "null";
        Restart = "on-failure";
        ExecStart = "${pkgs.syslogng}/sbin/syslog-ng ${concatStringsSep " " syslogngOptions}";
      };
    };
  };
 }
--- a/nixos/modules/services/misc/gitolite.nix
+++ b/nixos/modules/services/misc/gitolite.nix
@ -0,0 +1,66 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.gitolite;
  pubkeyFile = pkgs.writeText "gitolite-admin.pub" cfg.adminPubkey;
 in
 {
  options = {
    services.gitolite = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable gitolite management under the
          <literal>gitolite</literal> user. The Gitolite home
          directory is <literal>/var/lib/gitolite</literal>. After
          switching to a configuration with Gitolite enabled, you can
          then run <literal>git clone
          gitolite@host:gitolite-admin.git</literal> to manage it further.
        '';
      };
      adminPubkey = mkOption {
        type = types.str;
        description = ''
          Initial administrative public key for Gitolite. This should
          be an SSH Public Key. Note that this key will only be used
          once, upon the first initialization of the Gitolite user.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    users.extraUsers.gitolite = {
      description     = "Gitolite user";
      home            = "/var/lib/gitolite";
      createHome      = true;
      uid             = config.ids.uids.gitolite;
      useDefaultShell = true;
    };
    systemd.services."gitolite-init" = {
      description = "Gitolite initialization";
      wantedBy    = [ "multi-user.target" ];
      serviceConfig.User = "gitolite";
      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = true;
      path = [ pkgs.gitolite pkgs.git pkgs.perl pkgs.bash pkgs.openssh ];
      script = ''
        cd /var/lib/gitolite
        mkdir -p .gitolite/logs
        if [ ! -d repositories ]; then
          gitolite setup -pk ${pubkeyFile}
        fi
        gitolite setup # Upgrade if needed
      '';
    };
    environment.systemPackages = [ pkgs.gitolite pkgs.git ];
  };
 }
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -22,14 +22,11 @@ let
  nixConf =
    let
-      # Tricky: if we're using a chroot for builds, then we need
+      # If we're using a chroot for builds, then provide /bin/sh in
-      # /bin/sh in the chroot (our own compromise to purity).
+      # the chroot as a bind-mount to bash. This means we also need to
-      # However, since /bin/sh is a symlink to some path in the
+      # include the entire closure of bash.
-      # Nix store, which furthermore has runtime dependencies on
+      sh = pkgs.stdenv.shell;
-      # other paths in the store, we need the closure of /bin/sh
+      binshDeps = pkgs.writeReferencesToFile sh;
      # in `build-chroot-dirs' - otherwise any builder that uses
      # /bin/sh won't work.
      binshDeps = pkgs.writeReferencesToFile config.system.build.binsh;
    in
      pkgs.runCommand "nix.conf" {extraOptions = cfg.extraOptions; } ''
        extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done)
@ -40,7 +37,7 @@ let
        build-users-group = nixbld
        build-max-jobs = ${toString (cfg.maxJobs)}
        build-use-chroot = ${if cfg.useChroot then "true" else "false"}
-        build-chroot-dirs = ${toString cfg.chrootDirs} $(echo $extraPaths)
+        build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths)
        binary-caches = ${toString cfg.binaryCaches}
        trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
        $extraOptions
@ -253,8 +250,6 @@ in
  config = {
    nix.chrootDirs = [ "/bin" ];
    environment.etc."nix/nix.conf".source = nixConf;
    # List of machines for distributed Nix builds in the format
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@ -1,32 +1,35 @@
 { config, lib, pkgs, ... }:
-let
+with lib;
  serveOnly = pkgs.writeScript "nix-store-serve" ''
    #!${pkgs.stdenv.shell}
    if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then
      echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2
      exit 1
    fi
    exec /run/current-system/sw/bin/nix-store --serve
  '';
-  inherit (lib) mkIf mkOption types;
+{
 in {
  options = {
    nix.sshServe = {
      enable = mkOption {
        description = "Whether to enable serving the nix store over ssh.";
        default = false;
        type = types.bool;
        default = false;
        description = "Whether to enable serving the Nix store as a binary cache via SSH.";
      };
      keys = mkOption {
        type = types.listOf types.str;
        default = [];
        example = [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ];
        description = "A list of SSH public keys allowed to access the binary cache via SSH.";
      };
    };
  };
  config = mkIf config.nix.sshServe.enable {
    users.extraUsers.nix-ssh = {
-      description = "User for running nix-store --serve.";
+      description = "Nix SSH substituter user";
      uid = config.ids.uids.nix-ssh;
-      shell = pkgs.stdenv.shell;
+      useDefaultShell = true;
    };
    services.openssh.enable = true;
@ -38,8 +41,11 @@ in {
        PermitTTY no
        PermitTunnel no
        X11Forwarding no
-        ForceCommand ${serveOnly}
+        ForceCommand ${config.nix.package}/bin/nix-store --serve
      Match All
    '';
    users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = config.nix.sshServe.keys;
  };
 }
--- a/nixos/modules/services/monitoring/monit.nix
+++ b/nixos/modules/services/monitoring/monit.nix
@ -1,9 +1,9 @@
 # Monit system watcher
 # http://mmonit.org/monit/
-{config, pkgs, ...}:
+{config, pkgs, lib, ...}:
-let inherit (pkgs.lib) mkOption mkIf;
+let inherit (lib) mkOption mkIf;
 in
 {
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@ -189,18 +189,17 @@ in
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.munin ];
      environment.MUNIN_PLUGSTATE = "/var/run/munin";
-      serviceConfig = {
+      preStart = ''
        ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
      };
    };
    system.activationScripts.munin-node = ''
        echo "updating munin plugins..."
        mkdir -p /etc/munin/plugins
        rm -rf /etc/munin/plugins/*
        PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
      '';
      serviceConfig = {
        ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
      };
    };
  }) (mkIf cronCfg.enable {
--- a/nixos/modules/services/monitoring/nagios.nix
+++ b/nixos/modules/services/monitoring/nagios.nix
@ -12,7 +12,7 @@ let
  nagiosObjectDefs = cfg.objectDefs;
  nagiosObjectDefsDir = pkgs.runCommand "nagios-objects" {inherit nagiosObjectDefs;}
-    "ensureDir $out; ln -s $nagiosObjectDefs $out/";
+    "mkdir -p $out; ln -s $nagiosObjectDefs $out/";
  nagiosCfgFile = pkgs.writeText "nagios.cfg"
    ''
--- a/nixos/modules/services/monitoring/systemhealth.nix
+++ b/nixos/modules/services/monitoring/systemhealth.nix
@ -13,7 +13,7 @@ let
    };
    buildInputs = [ python ];
    installPhase = ''
-      ensureDir $out/bin
+      mkdir -p $out/bin
      # Make it work for kernels 3.x, not so different than 2.6
      sed -i 's/2\.6/4.0/' system_health.py
      cp system_health.py $out/bin
--- a/nixos/modules/services/monitoring/uptime.nix
+++ b/nixos/modules/services/monitoring/uptime.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
-  inherit (pkgs.lib) mkOption mkEnableOption mkIf mkMerge types optionalAttrs optional;
+  inherit (lib) mkOption mkEnableOption mkIf mkMerge types optionalAttrs optional;
  cfg = config.services.uptime;
--- a/nixos/modules/services/network-filesystems/openafs-client/default.nix
+++ b/nixos/modules/services/network-filesystems/openafs-client/default.nix
@ -1,7 +1,7 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
-  inherit (pkgs.lib) mkOption mkIf;
+  inherit (lib) mkOption mkIf;
  cfg = config.services.openafsClient;
@ -11,7 +11,7 @@ let
  };
  afsConfig = pkgs.runCommand "afsconfig" {} ''
-    ensureDir $out
+    mkdir -p $out
    echo ${cfg.cellName} > $out/ThisCell
    cp ${cellServDB} $out/CellServDB
    echo "/afs:${cfg.cacheDirectory}:${cfg.cacheSize}" > $out/cacheinfo
--- a/nixos/modules/services/network-filesystems/rsyncd.nix
+++ b/nixos/modules/services/network-filesystems/rsyncd.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/services/networking/connman.nix
+++ b/nixos/modules/services/networking/connman.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 with lib;
 with pkgs;
 with lib;
 let
  cfg = config.networking.connman;
--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@ -1,8 +1,8 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
-  inherit (pkgs.lib) mkOption mkIf singleton;
+  inherit (lib) mkOption mkIf singleton;
  inherit (pkgs) ddclient;
--- a/nixos/modules/services/networking/dhcpd.nix
+++ b/nixos/modules/services/networking/dhcpd.nix
@ -18,7 +18,7 @@ let
      ${cfg.extraConfig}
-      ${pkgs.lib.concatMapStrings
+      ${lib.concatMapStrings
          (machine: ''
            host ${machine.hostName} {
              hardware ethernet ${machine.ethernetAddress};
--- a/nixos/modules/services/networking/gvpe.nix
+++ b/nixos/modules/services/networking/gvpe.nix
@ -1,9 +1,9 @@
 # GNU Virtual Private Ethernet
-{config, pkgs, ...}:
+{config, pkgs, lib, ...}:
 let
-  inherit (pkgs.lib) mkOption mkIf;
+  inherit (lib) mkOption mkIf;
  cfg = config.services.gvpe;
--- a/nixos/modules/services/networking/ircd-hybrid/builder.sh
+++ b/nixos/modules/services/networking/ircd-hybrid/builder.sh
@ -3,7 +3,7 @@ source $stdenv/setup
 doSub() {
    local src=$1
    local dst=$2
-    ensureDir $(dirname $dst)
+    mkdir -p $(dirname $dst)
    substituteAll $src $dst
 }
@ -28,4 +28,4 @@ for i in $substFiles; do
    fi
 done
-ensureDir $out/bin
+mkdir -p $out/bin
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 with lib;
 with pkgs;
 with lib;
 let
  cfg = config.networking.networkmanager;
@ -151,7 +151,7 @@ in {
      { source = "${networkmanager_pptp}/etc/NetworkManager/VPN/nm-pptp-service.name";
        target = "NetworkManager/VPN/nm-pptp-service.name";
      }
-    ] ++ pkgs.lib.optional (cfg.appendNameservers == [] || cfg.insertNameservers == [])
+    ] ++ optional (cfg.appendNameservers == [] || cfg.insertNameservers == [])
           { source = overrideNameserversScript;
             target = "NetworkManager/dispatcher.d/02overridedns";
           };
--- a/nixos/modules/services/networking/notbit.nix
+++ b/nixos/modules/services/networking/notbit.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
  cfg = config.services.notbit;
  varDir = "/var/lib/notbit";
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-with pkgs.lib;
+with lib;
 let
  cfg = config.services.nsd;
--- a/nixos/modules/services/networking/polipo.nix
+++ b/nixos/modules/services/networking/polipo.nix
@ -0,0 +1,118 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.polipo;
  polipoConfig = pkgs.writeText "polipo.conf" ''
    proxyAddress = ${cfg.proxyAddress}
    proxyPort = ${toString cfg.proxyPort}
    allowedClients = ${concatStringsSep ", " cfg.allowedClients}
    ${optionalString (cfg.parentProxy != "") "parentProxy = ${cfg.parentProxy}" }
    ${optionalString (cfg.socksParentProxy != "") "socksParentProxy = ${cfg.socksParentProxy}" }
    ${config.services.polipo.extraConfig}
  '';
 in
 {
  options = {
    services.polipo = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to run the polipo caching web proxy.";
      };
      proxyAddress = mkOption {
        type = types.string;
        default = "127.0.0.1";
        description = "IP address on which Polipo will listen.";
      };
      proxyPort = mkOption {
        type = types.int;
        default = 8123;
        description = "TCP port on which Polipo will listen.";
      };
      allowedClients = mkOption {
        type = types.listOf types.string;
        default = [ "127.0.0.1" "::1" ];
        example = [ "127.0.0.1" "::1" "134.157.168.0/24" "2001:660:116::/48" ];
        description = ''
          List of IP addresses or network addresses that may connect to Polipo.
        '';
      };
      parentProxy = mkOption {
        type = types.string;
        default = "";
        example = "localhost:8124";
        description = ''
          Hostname and port number of an HTTP parent proxy;
          it should have the form ‘host:port’.
        '';
      };
      socksParentProxy = mkOption {
        type = types.string;
        default = "";
        example = "localhost:9050";
        description = ''
          Hostname and port number of an SOCKS parent proxy;
          it should have the form ‘host:port’.
        '';
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Polio configuration. Contents will be added 
          verbatim to the configuration file.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    users.extraUsers = singleton
      { name = "polipo";
        uid = config.ids.uids.polipo;
        description = "Polipo caching proxy user";
        home = "/var/cache/polipo";
        createHome = true;
      };
    users.extraGroups = singleton
      { name = "polipo";
        gid = config.ids.gids.polipo;
        members = [ "polipo" ];
      };
    systemd.services.polipo = {
      description = "caching web proxy";
      after = [ "network.target" "nss-lookup.target" ];
      wantedBy = [ "multi-user.target"];
      preStart = ''
         ${pkgs.coreutils}/bin/chown polipo:polipo /var/cache/polipo -R
      '';
      serviceConfig = {
        ExecStart  = "${pkgs.polipo}/bin/polipo -c ${polipoConfig}";
        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
        User = "polipo";
      };
    };
  };
 }
--- a/Show More
+++ b/Show More