Merge branch 'staging' into gcc-7

.github/CODEOWNERS

@@ -8,45 +8,75 @@
 # Mentioned users will get code review requests.
 
 # This file
-.github/CODEOWNERS @edolstra
+/.github/CODEOWNERS @edolstra
 
 # Boostraping and core infra
-pkgs/stdenv/    @edolstra
+/pkgs/stdenv                    @edolstra
-pkgs/build-support/cc-wrapper/  @edolstra
+/pkgs/build-support/cc-wrapper  @edolstra
 
 # Libraries
-lib/  @edolstra
+/lib                        @edolstra @nbp
+
+# Nixpkgs Internals
+/default.nix                @nbp
+/pkgs/top-level/default.nix @nbp
+/pkgs/top-level/impure.nix  @nbp
+/pkgs/top-level/stage.nix   @nbp
+
+# NixOS Internals
+/nixos/default.nix          @nbp
+/nixos/lib/from-env.nix     @nbp
+/nixos/lib/eval-config.nix  @nbp
+/nixos/doc/manual/configuration/abstractions.xml      @nbp
+/nixos/doc/manual/configuration/config-file.xml       @nbp
+/nixos/doc/manual/configuration/config-syntax.xml     @nbp
+/nixos/doc/manual/configuration/modularity.xml        @nbp
+/nixos/doc/manual/development/assertions.xml          @nbp
+/nixos/doc/manual/development/meta-attributes.xml     @nbp
+/nixos/doc/manual/development/option-declarations.xml @nbp
+/nixos/doc/manual/development/option-def.xml          @nbp
+/nixos/doc/manual/development/option-types.xml        @nbp
+/nixos/doc/manual/development/replace-modules.xml     @nbp
+/nixos/doc/manual/development/writing-modules.xml     @nbp
+/nixos/doc/manual/man-nixos-option.xml                @nbp
+/nixos/modules/installer/tools/nixos-option.sh        @nbp
 
 # Python-related code and docs
-pkgs/top-level/python-packages.nix      @FRidh
+/pkgs/top-level/python-packages.nix     @FRidh
-pkgs/development/interpreters/python/*  @FRidh
+/pkgs/development/interpreters/python   @FRidh
-pkgs/development/python-modules/*       @FRidh
+/pkgs/development/python-modules        @FRidh
-doc/languages-frameworks/python.md      @FRidh
+/doc/languages-frameworks/python.md     @FRidh
 
 # Haskell
-pkgs/development/compilers/ghc                       @peti
+/pkgs/development/compilers/ghc                       @peti
-pkgs/development/haskell-modules                     @peti
+/pkgs/development/haskell-modules                     @peti
-pkgs/development/haskell-modules/default.nix         @peti
+/pkgs/development/haskell-modules/default.nix         @peti
-pkgs/development/haskell-modules/generic-builder.nix @peti
+/pkgs/development/haskell-modules/generic-builder.nix @peti
-pkgs/development/haskell-modules/hoogle.nix          @peti
+/pkgs/development/haskell-modules/hoogle.nix          @peti
 
 # R
-pkgs/applications/science/math/R @peti
+/pkgs/applications/science/math/R   @peti
-pkgs/development/r-modules       @peti
+/pkgs/development/r-modules         @peti
+
+# Ruby
+/pkgs/development/interpreters/ruby @zimbatm
+/pkgs/development/ruby-modules      @zimbatm
 
 # Darwin-related
-pkgs/stdenv/darwin/*    @copumpkin @LnL7
+/pkgs/stdenv/darwin         @NixOS/darwin-maintainers
-pkgs/os-specific/darwin/*       @LnL7
+/pkgs/os-specific/darwin    @NixOS/darwin-maintainers
-pkgs/os-specific/darwin/apple-source-releases/* @copumpkin
 
 # Beam-related (Erlang, Elixir, LFE, etc)
-pkgs/development/beam-modules/*	@gleber
+/pkgs/development/beam-modules                  @gleber
-pkgs/development/interpreters/erlang/*	@gleber
+/pkgs/development/interpreters/erlang           @gleber
-pkgs/development/interpreters/lfe/*	@gleber
+/pkgs/development/interpreters/lfe              @gleber
-pkgs/development/interpreters/elixir/*	@gleber
+/pkgs/development/interpreters/elixir           @gleber
-pkgs/development/tools/build-managers/rebar/*	@gleber
+/pkgs/development/tools/build-managers/rebar    @gleber
-pkgs/development/tools/build-managers/rebar3/*	@gleber
+/pkgs/development/tools/build-managers/rebar3   @gleber
-pkgs/development/tools/erlang/*	@gleber
+/pkgs/development/tools/erlang                  @gleber
 
 # Jetbrains
-pkgs/applications/editors/jetbrains @edwtjo
+/pkgs/applications/editors/jetbrains @edwtjo
+
+# Eclipse
+/pkgs/applications/editors/eclipse @rycee

.github/CONTRIBUTING.md

@@ -32,11 +32,14 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
     The old config generation system used impure shell scripts and could break in specific circumstances (see #1234).
 
 * `meta.description` should:
-  * Be capitalized
+  * Be capitalized.
-  * Not start with the package name
+  * Not start with the package name.
-  * Not have a dot at the end
+  * Not have a period at the end.
+* `meta.license` must be set and fit the upstream license.
+  * If there is no upstream license, `meta.license` should default to `stdenv.lib.licenses.unfree`.
+* `meta.maintainers` must be set.
 
-See the nixpkgs manual for more details on how to [Submit changes to nixpkgs](https://nixos.org/nixpkgs/manual/#chap-submitting-changes).
+See the nixpkgs manual for more details on [standard meta-attributes](https://nixos.org/nixpkgs/manual/#sec-standard-meta-attributes) and on how to [submit changes to nixpkgs](https://nixos.org/nixpkgs/manual/#chap-submitting-changes).
 
 ## Writing good commit messages
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -9,7 +9,7 @@
 - Built on platform(s)
    - [ ] NixOS
    - [ ] macOS
-   - [ ] Linux
+   - [ ] other Linux distributions
 - [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
 - [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nox --run "nox-review wip"`
 - [ ] Tested execution of all binary files (usually in `./result/bin/`)

COPYING

@@ -23,9 +23,7 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 Note: the license above does not apply to the packages built by the
 Nix Packages collection, merely to the package descriptions (i.e., Nix
-expressions, build scripts, etc.).  Also, the license does not apply
+expressions, build scripts, etc.).  It also might not apply to patches
-to some of the binaries used for bootstrapping Nixpkgs (e.g.,
-pkgs/stdenv/linux/tools/bash).  It also might not apply to patches
 included in Nixpkgs, which may be derivative works of the packages to
 which they apply.  The aforementioned artifacts are all covered by the
 licenses of the respective packages.

README.md

@@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest
+custom changes on top of one of the channels, e.g. `nixos-17.09` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 
 ```
 % git remote update channels
-% git rebase channels/nixos-17.03
+% git rebase channels/nixos-17.09
 ```
 
 For pull-requests, please rebase onto nixpkgs `master`.
@@ -30,11 +30,11 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Documentation (Nix Expression Language chapter)](https://nixos.org/nix/manual/#ch-expression-language)
 * [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
-* [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
+* [Community maintained wiki](https://nixos.wiki/)
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03)
+* [Continuous package builds for 17.09 release](https://hydra.nixos.org/jobset/nixos/release-17.09)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents)
+* [Tests for 17.09 release](https://hydra.nixos.org/job/nixos/release-17.09/tested#tabs-constituents)
 
 Communication:
 

doc/configuration.xml

@@ -55,6 +55,10 @@ configuration file located at
 </programlisting>
 </para>
 
+<para>Note that we are not able to test or build unfree software on Hydra
+due to policy. Most unfree licenses prohibit us from either executing or
+distributing the software.</para>
+
 <section xml:id="sec-allow-broken">
   <title>Installing broken packages</title>
 

doc/cross-compilation.xml

@@ -184,7 +184,7 @@
       For now, feel free to use either method.
     </para>
     <note><para>
-      There is also a "backlink" <varname>__targetPackages</varname>, yielding a package set whose <varname>buildPackages</varname> is the current package set.
+      There is also a "backlink" <varname>targetPackages</varname>, yielding a package set whose <varname>buildPackages</varname> is the current package set.
       This is a hack, though, to accommodate compilers with lousy build systems.
       Please do not use this unless you are absolutely sure you are packaging such a compiler and there is no other way.
     </para></note>

doc/introduction.md

@@ -48,6 +48,4 @@ The binaries are made available via a [binary cache](https://cache.nixos.org).
 
 The current Nix expressions of the channels are available in the
 [`nixpkgs-channels`](https://github.com/NixOS/nixpkgs-channels) repository,
-which has branches corresponding to the available channels. There is also the
+which has branches corresponding to the available channels.
-[Nixpkgs Monitor](http://monitor.nixos.org) which keeps track of updates
-and security vulnerabilities.

doc/languages-frameworks/python.md

@@ -165,7 +165,7 @@ run the script in the `python3` shell.
 
 ```py
 #! /usr/bin/env nix-shell
-#! nix-shell -i 'python3.withPackages(ps: [ps.numpy])'
+#! nix-shell -i python3 -p "python3.withPackages(ps: [ps.numpy])"
 
 import numpy
 
@@ -785,7 +785,20 @@ example of such a situation is when `py.test` is used.
 
 #### Common issues
 
-- Non-working tests can often be deselected. In the case of `py.test`: `py.test -k 'not function_name and not other_function'`.
+- Non-working tests can often be deselected. By default `buildPythonPackage` runs `python setup.py test`.
+  Most python modules follows the standard test protocol where the pytest runner can be used instead.
+  `py.test` supports a `-k` parameter to ignore test methods or classes: 
+  
+  ```nix
+  buildPythonPackage {
+    # ...
+    # assumes the tests are located in tests
+    checkInputs = [ pytest ];
+    checkPhase = ''
+      py.test -k 'not function_name and not other_function' tests
+    '';
+  }
+  ```
 - Unicode issues can typically be fixed by including `glibcLocales` in `buildInputs` and exporting `LC_ALL=en_US.utf-8`.
 - Tests that attempt to access `$HOME` can be fixed by using the following work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`
 

doc/languages-frameworks/rust.md

@@ -9,16 +9,15 @@ date: 2017-03-05
 To install the rust compiler and cargo put
 
 ```
-rustStable.rustc
+rust
-rustStable.cargo
 ```
 
-into the `environment.systemPackages` or bring them into scope with
+into the `environment.systemPackages` or bring them into
-`nix-shell -p rustStable.rustc -p rustStable.cargo`.
+scope with `nix-shell -p rust`.
 
-There are also `rustBeta` and `rustNightly` package sets available.
+For daily builds (beta and nightly) use either rustup from
-These are not updated very regularly. For daily builds use either rustup from
+nixpkgs or use the [Rust nightlies
-nixpkgs or use the [Rust nightlies overlay](#using-the-rust-nightlies-overlay).
+overlay](#using-the-rust-nightlies-overlay).
 
 ## Packaging Rust applications
 
@@ -38,7 +37,7 @@ buildRustPackage rec {
     sha256 = "0y5d1n6hkw85jb3rblcxqas2fp82h3nghssa4xqrhqnz25l799pj";
   };
 
-  depsSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
+  cargoSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
 
   meta = with stdenv.lib; {
     description = "A utility that combines the usability of The Silver Searcher with the raw speed of grep";
@@ -50,7 +49,7 @@ buildRustPackage rec {
 }
 ```
 
-`buildRustPackage` requires a `depsSha256` attribute which is computed over
+`buildRustPackage` requires a `cargoSha256` attribute which is computed over
 all crate sources of this package. Currently it is obtained by inserting a
 fake checksum into the expression and building the package once. The correct
 checksum can be then take from the failed build.
@@ -76,11 +75,11 @@ in the `~/.config/nixpkgs/overlays` directory.
 
 The latest version can be installed with the following command:
 
-    $ nix-env -Ai nixos.rustChannels.stable.rust
+    $ nix-env -Ai nixos.latest.rustChannels.stable.rust
 
 Or using the attribute with nix-shell:
 
-    $ nix-shell -p nixos.rustChannels.stable.rust
+    $ nix-shell -p nixos.latest.rustChannels.stable.rust
 
 To install the beta or nightly channel, "stable" should be substituted by
 "nightly" or "beta", or

doc/manual.xml

@@ -18,6 +18,7 @@
   <xi:include href="functions.xml" />
   <xi:include href="meta.xml" />
   <xi:include href="languages-frameworks/index.xml" />
+  <xi:include href="platform-notes.xml" />
   <xi:include href="package-notes.xml" />
   <xi:include href="overlays.xml" />
   <xi:include href="coding-conventions.xml" />

doc/meta.xml

@@ -200,11 +200,9 @@ meta-attributes</title>
 meta.platforms = stdenv.lib.platforms.linux;
 </programlisting>
 
-    Attribute Set <varname>stdenv.lib.platforms</varname> in
+    Attribute Set <varname>stdenv.lib.platforms</varname> defines
-    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/platforms.nix">
+    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/systems/doubles.nix">
-    <filename>nixpkgs/lib/platforms.nix</filename></link> defines various common
+    various common lists</link> of platforms types.</para></listitem>
-    lists of platforms types.
-    </para></listitem>
   </varlistentry>
 
   <varlistentry>

doc/package-notes.xml

@@ -477,25 +477,11 @@ it. Place the resulting <filename>package.nix</filename> file into
 
   <varlistentry>
   <term>Using the FOSS Radeon or nouveau (nvidia) drivers</term>
-  <listitem><itemizedlist><listitem><para>
+  <listitem><itemizedlist>
-  Both the open source radeon drivers as well as the nouveau drivers (nvidia)
+    <listitem><para>The <literal>newStdcpp</literal> parameter
-  need a newer libc++ than is provided by the default runtime, which leads to a
+    was removed since NixOS 17.09 and should not be needed anymore.
-  crash on launch. Use <programlisting>environment.systemPackages =
+    </para></listitem>
-  [(pkgs.steam.override { newStdcpp = true; })];</programlisting> in your config
+
-  if you get an error like
-  <programlisting>
-libGL error: unable to load driver: radeonsi_dri.so
-libGL error: driver pointer missing
-libGL error: failed to load driver: radeonsi
-libGL error: unable to load driver: swrast_dri.so
-libGL error: failed to load driver: swrast</programlisting>
-  or
-  <programlisting>
-libGL error: unable to load driver: nouveau_dri.so
-libGL error: driver pointer missing
-libGL error: failed to load driver: nouveau
-libGL error: unable to load driver: swrast_dri.so
-libGL error: failed to load driver: swrast</programlisting></para></listitem>
     <listitem><para>
     Steam ships statically linked with a version of libcrypto that
     conflics with the one dynamically loaded by radeonsi_dri.so.
@@ -678,4 +664,34 @@ cp ${myEmacsConfig} $out/share/emacs/site-lisp/default.el
 
 </section>
 
+<section xml:id="sec-weechat">
+<title>Weechat</title>
+<para>
+Weechat can currently be configured to include your choice of plugins.
+To make use of this functionality, install an expression that overrides its configuration such as
+<programlisting>weechat.override {configure = {availablePlugins, ...}: {
+        plugins = with availablePlugins; [ python perl ];
+    }
+}</programlisting>
+</para>
+<para>
+The plugins currently available are <literal>python</literal>,
+<literal>perl</literal>, <literal>ruby</literal>, <literal>guile</literal>,
+<literal>tcl</literal> and <literal>lua</literal>.
+</para>
+<para>
+The python plugin allows the addition of extra libraries. For instance,
+the <literal>inotify.py</literal> script in weechat-scripts requires
+D-Bus or libnotify, and the <literal>fish.py</literal> script requires
+pycrypto. To use these scripts, use the <literal>python</literal>
+plugin's <literal>withPackages</literal> attribute:
+<programlisting>weechat.override {configure = {availablePlugins, ...}: {
+    plugins = with availablePlugins; [
+            (python.withPackages (ps: with ps; [ pycrypto python-dbus ]))
+        ];
+    }
+}
+</programlisting>
+</para>
+</section>
 </chapter>

doc/platform-notes.xml

@@ -0,0 +1,83 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xml:id="chap-platform-nodes">
+
+<title>Platform Notes</title>
+
+<section xml:id="sec-darwin">
+
+<title>Darwin (macOS)</title>
+<para>Some common issues when packaging software for darwin:</para>
+
+<itemizedlist>
+
+  <listitem>
+    <para>
+      The darwin <literal>stdenv</literal> uses clang instead of gcc.
+      When referring to the compiler <varname>$CC</varname> or <command>cc</command>
+      will work in both cases.  Some builds hardcode gcc/g++ in their
+      build scripts, that can usually be fixed with using something
+      like <literal>makeFlags = [ "CC=cc" ];</literal> or by patching
+      the build scripts.
+    </para>
+
+    <programlisting>
+      stdenv.mkDerivation {
+        name = "libfoo-1.2.3";
+        # ...
+        buildPhase = ''
+          $CC -o hello hello.c
+        '';
+      }
+    </programlisting>
+  </listitem>
+
+  <listitem>
+    <para>
+      On darwin libraries are linked using absolute paths, libraries
+      are resolved by their <literal>install_name</literal> at link
+      time.  Sometimes packages won't set this correctly causing the
+      library lookups to fail at runtime.  This can be fixed by adding
+      extra linker flags or by running <command>install_name_tool -id</command>
+      during the <function>fixupPhase</function>.
+    </para>
+
+    <programlisting>
+      stdenv.mkDerivation {
+        name = "libfoo-1.2.3";
+        # ...
+        makeFlags = stdenv.lib.optional stdenv.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/libfoo.dylib";
+      }
+    </programlisting>
+  </listitem>
+
+  <listitem>
+    <para>
+      Some packages assume xcode is available and use <command>xcrun</command>
+      to resolve build tools like <command>clang</command>, etc.
+      This causes errors like <code>xcode-select: error: no developer tools were found at '/Applications/Xcode.app'</code>
+      while the build doesn't actually depend on xcode.
+    </para>
+
+    <programlisting>
+      stdenv.mkDerivation {
+        name = "libfoo-1.2.3";
+        # ...
+        prePatch = ''
+          substituteInPlace Makefile \
+              --replace '/usr/bin/xcrun clang' clang
+        '';
+      }
+    </programlisting>
+
+    <para>
+      The package <literal>xcbuild</literal> can be used to build projects
+      that really depend on Xcode, however projects that build some kind of
+      graphical interface won't work without using Xcode in an impure way.
+    </para>
+  </listitem>
+
+</itemizedlist>
+</section>
+
+</chapter>

doc/stdenv.xml

@@ -1,4 +1,3 @@
-
 <chapter xmlns="http://docbook.org/ns/docbook"
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xml:id="chap-stdenv">
@@ -188,11 +187,13 @@ genericBuild
 
   <varlistentry>
     <term><varname>NIX_DEBUG</varname></term>
-    <listitem><para>If set, <literal>stdenv</literal> will print some
+    <listitem><para>
-    debug information during the build.  In particular, the
+      A natural number indicating how much information to log.
-    <command>gcc</command> and <command>ld</command> wrapper scripts
+      If set to 1 or higher, <literal>stdenv</literal> will print moderate debug information during the build.
-    will print out the complete command line passed to the wrapped
+      In particular, the <command>gcc</command> and <command>ld</command> wrapper scripts will print out the complete command line passed to the wrapped tools.
-    tools.</para></listitem>
+      If set to 6 or higher, the <literal>stdenv</literal> setup script will be run with <literal>set -x</literal> tracing.
+      If set to 7 or higher, the <command>gcc</command> and <command>ld</command> wrapper scripts will also be run with <literal>set -x</literal> tracing.
+    </para></listitem>
   </varlistentry>
 
 </variablelist>
@@ -697,8 +698,14 @@ nothing.</para>
     <listitem><para>A list of strings passed as additional flags to
     <command>make</command>.  These flags are also used by the default
     install and check phase.  For setting make flags specific to the
-    build phase, use <varname>buildFlags</varname> (see
+    build phase, use <varname>buildFlags</varname> (see below).
-    below).</para></listitem>
+
+<programlisting>
+makeFlags = [ "PREFIX=$(out)" ];
+</programlisting>
+
+    <note><para>The flags are quoted in bash, but environment variables can
+    be specified by using the make syntax.</para></note></para></listitem>
   </varlistentry>
 
   <varlistentry>

lib/licenses.nix

@@ -219,6 +219,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
   ffsl = {
     fullName = "Floodgap Free Software License";
     url = http://www.floodgap.com/software/ffsl/license.html;
+    free = false;
   };
 
   free = {
@@ -281,6 +282,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
     url = https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception;
   };
 
+  hpnd = spdx {
+    spdxId = "HPND";
+    fullName = "Historic Permission Notice and Disclaimer";
+  };
+
   # Intel's license, seems free
   iasl = {
     fullName = "iASL";

lib/maintainers.nix

@@ -31,6 +31,7 @@
   ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
   akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
   akc = "Anders Claesson <akc@akc.is>";
+  alexvorobiev = "Alex Vorobiev <alexander.vorobiev@gmail.com";
   algorith = "Dries Van Daele <dries_van_daele@telenet.be>";
   alibabzo = "Alistair Bill <alistair.bill@gmail.com>";
   all = "Nix Committers <nix-commits@lists.science.uu.nl>";
@@ -41,12 +42,15 @@
   amorsillo = "Andrew Morsillo <andrew.morsillo@gmail.com>";
   AndersonTorres = "Anderson Torres <torres.anderson.85@gmail.com>";
   anderspapitto = "Anders Papitto <anderspapitto@gmail.com>";
+  andir = "Andreas Rammhold <andreas@rammhold.de>";
   andres = "Andres Loeh <ksnixos@andres-loeh.de>";
+  andrestylianos = "Andre S. Ramos <andre.stylianos@gmail.com>";
   andrewrk = "Andrew Kelley <superjoe30@gmail.com>";
   andsild = "Anders Sildnes <andsild@gmail.com>";
   aneeshusa = "Aneesh Agrawal <aneeshusa@gmail.com>";
   ankhers = "Justin Wood <justin.k.wood@gmail.com>";
   antono = "Antono Vasiljev <self@antono.info>";
+  antonxy = "Anton Schirg <anton.schirg@posteo.de>";
   apeschar = "Albert Peschar <albert@peschar.net>";
   apeyroux = "Alexandre Peyroux <alex@px.io>";
   ardumont = "Antoine R. Dumont <eniotna.t@gmail.com>";
@@ -71,6 +75,7 @@
   bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
   bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
   bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
+  bendlas = "Herwig Hochleitner <herwig@bendlas.net>";
   benley = "Benjamin Staffin <benley@gmail.com>";
   bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
   benwbooth = "Ben Booth <benwbooth@gmail.com>";
@@ -90,6 +95,7 @@
   bramd = "Bram Duvigneau <bram@bramd.nl>";
   bstrik = "Berno Strik <dutchman55@gmx.com>";
   bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
+  c0bw3b = "Renaud <c0bw3b@gmail.com>";
   c0dehero = "CodeHero <codehero@nerdpol.ch>";
   calbrecht = "Christian Albrecht <christian.albrecht@mayflower.de>";
   calrama = "Moritz Maxeiner <moritz@ucworks.org>";
@@ -98,6 +104,7 @@
   canndrew = "Andrew Cann <shum@canndrew.org>";
   carlsverre = "Carl Sverre <accounts@carlsverre.com>";
   casey = "Casey Rodarmor <casey@rodarmor.net>";
+  catern = "Spencer Baugh <sbaugh@catern.com>";
   caugner = "Claas Augner <nixos@caugner.de>";
   cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
   cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
@@ -105,12 +112,14 @@
   chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
   chattered = "Phil Scott <me@philscotted.com>";
   choochootrain = "Hurshal Patel <hurshal@imap.cc>";
+  chpatrick = "Patrick Chilton <chpatrick@gmail.com>";
   chris-martin = "Chris Martin <ch.martin@gmail.com>";
   chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
   chrisrosset = "Christopher Rosset <chris@rosset.org.uk>";
   christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
   ciil = "Simon Lackerbauer <simon@lackerbauer.com>";
   ckampka = "Christian Kampka <christian@kampka.net>";
+  ckauhaus = "Christian Kauhaus <christian@kauhaus.de>";
   cko = "Christine Koppelt <christine.koppelt@gmail.com>";
   cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
   cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
@@ -130,12 +139,14 @@
   cryptix = "Henry Bubert <cryptix@riseup.net>";
   CrystalGamma = "Jona Stubbe <nixos@crystalgamma.de>";
   cstrahan = "Charles Strahan <charles@cstrahan.com>";
+  csingley = "Christopher Singley <csingley@gmail.com>";
   cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
   DamienCassou = "Damien Cassou <damien@cassou.me>";
   danbst = "Danylo Hlynskyi <abcz2.uprola@gmail.com>";
   dancek = "Hannu Hartikainen <hannu.hartikainen@gmail.com>";
   danielfullmer = "Daniel Fullmer <danielrf12@gmail.com>";
   dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
+  david50407 = "David Kuo <me@davy.tw>";
   davidak = "David Kleuker <post@davidak.de>";
   davidrusu = "David Rusu <davidrusu.me@gmail.com>";
   davorb = "Davor Babic <davor@davor.se>";
@@ -155,6 +166,7 @@
   dgonyeo = "Derek Gonyeo <derek@gonyeo.com>";
   dipinhora = "Dipin Hora <dipinhora+github@gmail.com>";
   disassembler = "Samuel Leathers <disasm@gmail.com>";
+  dizfer = "David Izquierdo <david@izquierdofernandez.com>";
   dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
   DmitryTsygankov = "Dmitry Tsygankov <dmitry.tsygankov@gmail.com>";
   dmjio = "David Johnson <djohnson.m@gmail.com>";
@@ -163,13 +175,16 @@
   dotlambda = "Robert Schütz <rschuetz17@gmail.com>";
   doublec = "Chris Double <chris.double@double.co.nz>";
   dpaetzel = "David Pätzel <david.a.paetzel@gmail.com>";
+  dpflug = "David Pflug <david@pflug.email>";
   drets = "Dmytro Rets <dmitryrets@gmail.com>";
   drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
   dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>";
   dtzWill = "Will Dietz <nix@wdtz.org>";
+  dupgit = "Olivier Delhomme <olivier.delhomme@free.fr>";
   dywedir = "Vladyslav M. <dywedir@protonmail.ch>";
   e-user = "Alexander Kahl <nixos@sodosopa.io>";
-  ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
+  earldouglas = "James Earl Douglas <james@earldouglas.com>";
+  ebzzry = "Rommel Martinez <ebzzry@ebzzry.io>";
   edanaher = "Evan Danaher <nixos@edanaher.net>";
   edef = "edef <edef@edef.eu>";
   ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
@@ -190,15 +205,19 @@
   eqyiel = "Ruben Maher <r@rkm.id.au>";
   ericbmerritt = "Eric Merritt <eric@afiniate.com>";
   ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
+  erictapen = "Justin Humm <justin.humm@posteo.de>";
   erikryb = "Erik Rybakken <erik.rybakken@math.ntnu.no>";
   ertes = "Ertugrul Söylemez <esz@posteo.de>";
   ethercrow = "Dmitry Ivanov <ethercrow@gmail.com>";
+  etu = "Elis Hirwing <elis@hirwing.se>";
   exi = "Reno Reckling <nixos@reckling.org>";
   exlevan = "Alexey Levan <exlevan@gmail.com>";
   expipiplus1 = "Joe Hermaszewski <nix@monoid.al>";
   fadenb = "Tristan Helmich <tristan.helmich+nixos@gmail.com>";
-  fare = "Francois-Rene Rideau <fahree@gmail.com>";
   falsifian = "James Cook <james.cook@utoronto.ca>";
+  fare = "Francois-Rene Rideau <fahree@gmail.com>";
+  fgaz = "Francesco Gazzetta <francygazz@gmail.com>";
+  flokli = "Florian Klink <flokli@flokli.de>";
   florianjacob = "Florian Jacob <projects+nixos@florianjacob.de>";
   flosse = "Markus Kohlhase <mail@markus-kohlhase.de>";
   fluffynukeit = "Daniel Austin <dan@fluffynukeit.com>";
@@ -237,6 +256,7 @@
   grburst = "Julius Elias <grburst@openmailbox.org>";
   gridaphobe = "Eric Seidel <eric@seidel.io>";
   guibert = "David Guibert <david.guibert@gmail.com>";
+  guibou = "Guillaume Bouchard <guillaum.bouchard@gmail.com>";
   guillaumekoenig = "Guillaume Koenig <guillaume.edward.koenig@gmail.com>";
   guyonvarch = "Joris Guyonvarch <joris@guyonvarch.me>";
   hakuch = "Jesse Haber-Kucharsky <hakuch@gmail.com>";
@@ -245,6 +265,7 @@
   hbunke = "Hendrik Bunke <bunke.hendrik@gmail.com>";
   hce = "Hans-Christian Esperer <hc@hcesperer.org>";
   hectorj = "Hector Jusforgues <hector.jusforgues+nixos@gmail.com>";
+  hedning = "Tor Hedin Brønner <torhedinbronner@gmail.com>";
   heel = "Sergii Paryzhskyi <parizhskiy@gmail.com>";
   henrytill = "Henry Till <henrytill@gmail.com>";
   hhm = "hhm <heehooman+nixpkgs@gmail.com>";
@@ -254,6 +275,7 @@
   htr = "Hugo Tavares Reis <hugo@linux.com>";
   iand675 = "Ian Duncan <ian@iankduncan.com>";
   ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
+  iblech = "Ingo Blechschmidt <iblech@speicherleck.de>";
   igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
   ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
   infinisil = "Silvan Mosberger <infinisil@icloud.com>";
@@ -285,17 +307,19 @@
   joelmo = "Joel Moberg <joel.moberg@gmail.com>";
   joelteon = "Joel Taylor <me@joelt.io>";
   johbo = "Johannes Bornhold <johannes@bornhold.name>";
+  johnmh = "John M. Harris, Jr. <johnmh@openblox.org>";
   johnramsden = "John Ramsden <johnramsden@riseup.net>";
   joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
   jonafato = "Jon Banafato <jon@jonafato.com>";
+  joncojonathan = "Jonathan Haddock <joncojonathan@gmail.com>";
   jpierre03 = "Jean-Pierre PRUNARET <nix@prunetwork.fr>";
   jpotier = "Martin Potier <jpo.contributes.to.nixos@marvid.fr>";
-  jyp = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
   jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
   jtojnar = "Jan Tojnar <jtojnar@gmail.com>";
   juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
   jwiegley = "John Wiegley <johnw@newartisans.com>";
   jwilberding = "Jordan Wilberding <jwilberding@afiniate.com>";
+  jyp = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
   jzellner = "Jeff Zellner <jeffz@eml.cc>";
   kaiha = "Kai Harries <kai.harries@gmail.com>";
   kamilchm = "Kamil Chmielewski <kamil.chm@gmail.com>";
@@ -306,14 +330,17 @@
   KibaFox = "Kiba Fox <kiba.fox@foxypossibilities.com>";
   kierdavis = "Kier Davis <kierdavis@gmail.com>";
   kiloreux = "Kiloreux Emperex <kiloreux@gmail.com>";
+  kini = "Keshav Kini <keshav.kini@gmail.com>";
   kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
   knedlsepp = "Josef Kemetmüller <josef.kemetmueller@gmail.com>";
   konimex = "Muhammad Herdiansyah <herdiansyah@netc.eu>";
   koral = "Koral <koral@mailoo.org>";
   kovirobi = "Kovacsics Robert <kovirobi@gmail.com>";
+  kquick = "Kevin Quick <quick@sparq.org>";
   kragniz = "Louis Taylor <louis@kragniz.eu>";
   kristoff3r = "Kristoffer Søholm <k.soeholm@gmail.com>";
   ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>";
+  kuznero = "Roman Kuznetsov <roman@kuznero.com>";
   lassulus = "Lassulus <lassulus@gmail.com>";
   layus = "Guillaume Maudoux <layus.on@gmail.com>";
   ldesgoui = "Lucas Desgouilles <ldesgoui@gmail.com>";
@@ -331,10 +358,12 @@
   linus = "Linus Arver <linusarver@gmail.com>";
   lluchs = "Lukas Werling <lukas.werling@gmail.com>";
   lnl7 = "Daiderd Jordan <daiderd@gmail.com>";
+  lo1tuma = "Mathias Schreck <schreck.mathias@gmail.com>";
   loskutov = "Ignat Loskutov <ignat.loskutov@gmail.com>";
   lovek323 = "Jason O'Conal <jason@oconal.id.au>";
   lowfatcomputing = "Andreas Wagner <andreas.wagner@lowfatcomputing.org>";
   lsix = "Lancelot SIX <lsix@lancelotsix.com>";
+  ltavard = "Laure Tavard <laure.tavard@univ-grenoble-alpes.fr>";
   lucas8 = "Luc Chabassier <luc.linux@mailoo.org>";
   ludo = "Ludovic Courtès <ludo@gnu.org>";
   lufia = "Kyohei Kadota <lufia@lufia.org>";
@@ -368,8 +397,10 @@
   mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
   mdaiter = "Matthew S. Daiter <mdaiter8121@gmail.com>";
   meditans = "Carlo Nucera <meditans@gmail.com>";
+  mehandes = "Matt Deming <niewskici@gmail.com>";
   meisternu = "Matt Miemiec <meister@krutt.org>";
   metabar = "Celine Mercier <softs@metabarcoding.org>";
+  mgdelacroix = "Miguel de la Cruz <mgdelacroix@gmail.com>";
   mguentner = "Maximilian Güntner <code@klandest.in>";
   mic92 = "Jörg Thalheim <joerg@thalheim.io>";
   michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
@@ -379,7 +410,6 @@
   mikefaille = "Michaël Faille <michael@faille.io>";
   miltador = "Vasiliy Solovey <miltador@yandex.ua>";
   mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
-  mingchuan = "Ming Chuan <ming@culpring.com>";
   mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
   mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>";
   mjanczyk = "Marcin Janczyk <m@dragonvr.pl>";
@@ -419,7 +449,7 @@
   nicknovitski = "Nick Novitski <nixpkgs@nicknovitski.com>";
   nico202 = "Nicolò Balzarotti <anothersms@gmail.com>";
   NikolaMandic = "Ratko Mladic <nikola@mandic.email>";
-  nixy = "Andrew R. M. <andrewmiller237@gmail.com>";
+  nixy = "Andrew R. M. <nixy@nixy.moe>";
   nocoolnametom = "Tom Doggett <nocoolnametom@gmail.com>";
   notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
   np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
@@ -453,6 +483,7 @@
   periklis = "theopompos@gmail.com";
   pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
   peterhoeg = "Peter Hoeg <peter@hoeg.com>";
+  peterromfeldhk = "Peter Romfeld <peter.romfeld.hk@gmail.com>";
   peti = "Peter Simons <simons@cryp.to>";
   philandstuff = "Philip Potter <philip.g.potter@gmail.com>";
   phile314 = "Philipp Hausmann <nix@314.ch>";
@@ -488,6 +519,7 @@
   rardiol = "Ricardo Ardissone <ricardo.ardissone@gmail.com>";
   rasendubi = "Alexey Shmalko <rasen.dubi@gmail.com>";
   raskin = "Michael Raskin <7c6f434c@mail.ru>";
+  ravloony = "Tom Macdonald <ravloony@gmail.com>";
   rbasso = "Rafael Basso <rbasso@sharpgeeks.net>";
   redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
   redvers = "Redvers Davies <red@infect.me>";
@@ -507,6 +539,7 @@
   robberer = "Longrin Wischnewski <robberer@freakmail.de>";
   robbinch = "Robbin C. <robbinch33@gmail.com>";
   roberth = "Robert Hensing <nixpkgs@roberthensing.nl>";
+  robertodr = "Roberto Di Remigio <roberto.diremigio@gmail.com>";
   robgssp = "Rob Glossop <robgssp@gmail.com>";
   roblabla = "Robin Lambertz <robinlambertz+dev@gmail.com>";
   roconnor = "Russell O'Connor <roconnor@theorem.ca>";
@@ -526,6 +559,7 @@
   ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
   rzetterberg = "Richard Zetterberg <richard.zetterberg@gmail.com>";
   s1lvester = "Markus Silvester <s1lvester@bockhacker.me>";
+  samdroid-apps = "Sam Parkinson <sam@sam.today>";
   samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
   sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
   sargon = "Daniel Ehlers <danielehlers@mindeye.net>";
@@ -535,6 +569,7 @@
   schristo = "Scott Christopher <schristopher@konputa.com>";
   scolobb = "Sergiu Ivanov <sivanov@colimite.fr>";
   sdll = "Sasha Illarionov <sasha.delly@gmail.com>";
+  SeanZicari = "Sean Zicari <sean.zicari@gmail.com>";
   sepi = "Raffael Mancini <raffael@mancini.lu>";
   seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
   shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";
@@ -544,8 +579,10 @@
   shell = "Shell Turner <cam.turn@gmail.com>";
   shlevy = "Shea Levy <shea@shealevy.com>";
   siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
+  sifmelcara = "Ming Chuan <ming@culpring.com>";
   sigma = "Yann Hodique <yann.hodique@gmail.com>";
   simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
+  sivteck = "Sivaram Balakrishnan <sivaram1992@gmail.com>";
   sjagoe = "Simon Jagoe <simon@simonjagoe.com>";
   sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
   sjourdois = "Stéphane ‘kwisatz’ Jourdois <sjourdois@gmail.com>";
@@ -556,6 +593,7 @@
   snyh = "Xia Bin <snyh@snyh.org>";
   solson = "Scott Olson <scott@solson.me>";
   sorpaas = "Wei Tang <hi@that.world>";
+  sorki = "Richard Marko <srk@48.io>";
   spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
   spencerjanssen = "Spencer Janssen <spencerjanssen@gmail.com>";
   spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
@@ -567,23 +605,27 @@
   sternenseemann = "Lukas Epple <post@lukasepple.de>";
   stesie = "Stefan Siegl <stesie@brokenpipe.de>";
   steveej = "Stefan Junker <mail@stefanjunker.de>";
+  stumoss = "Stuart Moss <samoss@gmail.com>";
   SuprDewd = "Bjarki Ágúst Guðmundsson <suprdewd@gmail.com>";
   swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
   swflint = "Samuel W. Flint <swflint@flintfam.org>";
   swistak35 = "Rafał Łasocha <me@swistak35.com>";
+  symphorien = "Guillaume Girol <symphorien_nixpkgs@xlumurb.eu>";
   szczyp = "Szczyp <qb@szczyp.com>";
   sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
   taeer = "Taeer Bar-Yam <taeer@necsi.edu>";
   tailhook = "Paul Colomiets <paul@colomiets.name>";
+  taketwo = "Sergey Alexandrov <alexandrov88@gmail.com>";
   takikawa = "Asumu Takikawa <asumu@igalia.com>";
   taktoa = "Remy Goldschmidt <taktoa@gmail.com>";
   taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
   tari = "Peter Marheine <peter@taricorp.net>";
   tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
-  ltavard = "Laure Tavard <laure.tavard@univ-grenoble-alpes.fr>";
+  TealG = "Teal Gaure <~@Teal.Gr>";
   teh = "Tom Hunger <tehunger@gmail.com>";
-  teto = "Matthieu Coudron <mcoudron@hotmail.com>";
   telotortium = "Robert Irelan <rirelan@gmail.com>";
+  teto = "Matthieu Coudron <mcoudron@hotmail.com>";
+  tex = "Milan Svoboda <milan.svoboda@centrum.cz>";
   thall = "Niclas Thall <niclas.thall@gmail.com>";
   thammers = "Tobias Hammerschmidt <jawr@gmx.de>";
   the-kenny = "Moritz Ulrich <moritz@tarn-vedra.de>";
@@ -591,6 +633,7 @@
   ThomasMader = "Thomas Mader <thomas.mader@gmail.com>";
   thoughtpolice = "Austin Seipp <aseipp@pobox.com>";
   timbertson = "Tim Cuthbertson <tim@gfxmonk.net>";
+  timokau = "Timo Kaufmann <timokau@zoho.com>";
   titanous = "Jonathan Rudenberg <jonathan@titanous.com>";
   tnias = "Philipp Bartsch <phil@grmr.de>";
   tohl = "Tomas Hlavaty <tom@logand.com>";
@@ -612,6 +655,7 @@
   #urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
   uwap = "uwap <me@uwap.name>";
   vaibhavsagar = "Vaibhav Sagar <vaibhavsagar@gmail.com>";
+  valeriangalliat = "Valérian Galliat <val@codejam.info>";
   vandenoever = "Jos van den Oever <jos@vandenoever.info>";
   vanschelven = "Klaas van Schelven <klaas@vanschelven.com>";
   vanzef = "Ivan Solyankin <vanzef@gmail.com>";
@@ -628,7 +672,6 @@
   vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
   vmandela = "Venkateswara Rao Mandela <venkat.mandela@gmail.com>";
   vmchale = "Vanessa McHale <tmchale@wisc.edu>";
-  valeriangalliat = "Valérian Galliat <val@codejam.info>";
   volhovm = "Mikhail Volkhov <volhovm.cs@gmail.com>";
   volth = "Jaroslavas Pocepko <jaroslavas@volth.com>";
   vozz = "Oliver Hunt <oliver.huntuk@gmail.com>";
@@ -649,7 +692,10 @@
   xnwdd = "Guillermo NWDD <nwdd+nixos@no.team>";
   xvapx = "Marti Serra <marti.serra.coscollano@gmail.com>";
   xwvvvvwx = "David Terry <davidterry@posteo.de>";
+  xzfc = "Albert Safin <xzfcpw@gmail.com>";
   yarr = "Dmitry V. <savraz@gmail.com>";
+  yegortimoshenko = "Yegor Timoshenko <yegortimoshenko@gmail.com>";
+  ylwghst = "Burim Augustin Berisa <ylwghst@onionmail.info>";
   yochai = "Yochai <yochai@titat.info>";
   yorickvp = "Yorick van Pelt <yorickvanpelt@gmail.com>";
   yuriaisaka = "Yuri Aisaka <yuri.aisaka+nix@gmail.com>";

lib/modules.nix

@@ -338,7 +338,7 @@ rec {
     # Type-check the remaining definitions, and merge them.
     mergedValue = foldl' (res: def:
       if type.check def.value then res
-      else throw "The option value `${showOption loc}' in `${def.file}' is not a ${type.description}.")
+      else throw "The option value `${showOption loc}' in `${def.file}' is not of type `${type.description}'.")
       (type.merge loc defsFinal) defsFinal;
 
     isDefined = defsFinal != [];

lib/systems/platforms.nix

@@ -2,7 +2,6 @@
 rec {
   pcBase = {
     name = "pc";
-    uboot = null;
     kernelHeadersBaseConfig = "defconfig";
     kernelBaseConfig = "defconfig";
     # Build whatever possible as a module, if not stated in the extra config.
@@ -50,9 +49,6 @@ rec {
     kernelTarget = "uImage";
     # TODO reenable once manual-config's config actually builds a .dtb and this is checked to be working
     #kernelDTB = true;
-
-    # XXX can be anything non-null, pkgs actually only cares if it is set or not
-    uboot = "pogoplug4";
   };
 
   sheevaplug = {
@@ -162,9 +158,6 @@ rec {
     '';
     kernelMakeFlags = [ "LOADADDR=0x0200000" ];
     kernelTarget = "uImage";
-    uboot = "sheevaplug";
-    # Only for uboot = uboot :
-    ubootConfig = "sheevaplug_config";
     kernelDTB = true; # Beyond 3.10
     gcc = {
       arch = "armv5te";
@@ -251,7 +244,6 @@ rec {
       LATENCYTOP y
     '';
     kernelTarget = "zImage";
-    uboot = null;
     gcc = {
       arch = "armv6";
       fpu = "vfp";
@@ -342,7 +334,6 @@ rec {
       XEN? n
     '';
     kernelTarget = "zImage";
-    uboot = null;
   };
 
   scaleway-c1 = armv7l-hf-multiplatform // {
@@ -374,7 +365,6 @@ rec {
     kernelMakeFlags = [ "LOADADDR=0x10800000" ];
     kernelTarget = "uImage";
     kernelDTB = true;
-    uboot = true; #XXX: any non-null value here is needed so that mkimage is present to build kernelTarget uImage
     gcc = {
       cpu = "cortex-a9";
       fpu = "neon";
@@ -464,7 +454,6 @@ rec {
       FTRACE n
     '';
     kernelTarget = "vmlinux";
-    uboot = null;
     gcc = {
       arch = "loongson2f";
       abi = "n32";
@@ -473,11 +462,10 @@ rec {
 
   beaglebone = armv7l-hf-multiplatform // {
     name = "beaglebone";
-    kernelBaseConfig = "omap2plus_defconfig";
+    kernelBaseConfig = "bb.org_defconfig";
     kernelAutoModules = false;
     kernelExtraConfig = ""; # TBD kernel config
     kernelTarget = "zImage";
-    uboot = null;
   };
 
   armv7l-hf-multiplatform = {
@@ -489,7 +477,6 @@ rec {
     kernelDTB = true;
     kernelAutoModules = true;
     kernelPreferBuiltin = true;
-    uboot = null;
     kernelTarget = "zImage";
     kernelExtraConfig = ''
       # Fix broken sunxi-sid nvmem driver.
@@ -545,11 +532,13 @@ rec {
       # Cavium ThunderX stuff.
       PCI_HOST_THUNDER_ECAM y
 
+      # Nvidia Tegra stuff.
+      PCI_TEGRA y
+
       # The default (=y) forces us to have the XHCI firmware available in initrd,
       # which our initrd builder can't currently do easily.
       USB_XHCI_TEGRA m
     '';
-    uboot = null;
     kernelTarget = "Image";
     gcc = {
       arch = "armv8-a";

lib/tests/modules.sh

@@ -61,6 +61,16 @@ checkConfigError() {
 checkConfigOutput "false" config.enable ./declare-enable.nix
 checkConfigError 'The option .* defined in .* does not exist.' config.enable ./define-enable.nix
 
+# Check integer types.
+# unsigned
+checkConfigOutput "42" config.value ./declare-int-unsigned-value.nix ./define-value-int-positive.nix
+checkConfigError 'The option value .* in .* is not of type.*unsigned integer.*' config.value ./declare-int-unsigned-value.nix ./define-value-int-negative.nix
+# positive
+checkConfigError 'The option value .* in .* is not of type.*positive integer.*' config.value ./declare-int-positive-value.nix ./define-value-int-zero.nix
+# between
+checkConfigOutput "42" config.value ./declare-int-between-value.nix ./define-value-int-positive.nix
+checkConfigError 'The option value .* in .* is not of type.*between.*-21 and 43.*inclusive.*' config.value ./declare-int-between-value.nix ./define-value-int-negative.nix
+
 # Check mkForce without submodules.
 set -- config.enable ./declare-enable.nix ./define-enable.nix
 checkConfigOutput "true" "$@"
@@ -126,7 +136,7 @@ checkConfigOutput "true" "$@" ./define-module-check.nix
 # Check coerced value.
 checkConfigOutput "\"42\"" config.value ./declare-coerced-value.nix
 checkConfigOutput "\"24\"" config.value ./declare-coerced-value.nix ./define-value-string.nix
-checkConfigError 'The option value .* in .* is not a string or integer.' config.value ./declare-coerced-value.nix ./define-value-list.nix
+checkConfigError 'The option value .* in .* is not.*string or signed integer.*' config.value ./declare-coerced-value.nix ./define-value-list.nix
 
 cat <<EOF
 ====== module tests ======

lib/tests/modules/declare-int-between-value.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+  options = {
+    value = lib.mkOption {
+      type = lib.types.ints.between (-21) 43;
+    };
+  };
+}

lib/tests/modules/declare-int-positive-value.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+  options = {
+    value = lib.mkOption {
+      type = lib.types.ints.positive;
+    };
+  };
+}

lib/tests/modules/declare-int-unsigned-value.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+  options = {
+    value = lib.mkOption {
+      type = lib.types.ints.unsigned;
+    };
+  };
+}

lib/tests/modules/define-value-int-negative.nix

@@ -0,0 +1,3 @@
+{
+  value = -23;
+}

lib/tests/modules/define-value-int-positive.nix

@@ -0,0 +1,3 @@
+{
+  value = 42;
+}

lib/tests/modules/define-value-int-zero.nix

@@ -0,0 +1,3 @@
+{
+  value = 0;
+}

lib/types.nix

@@ -109,11 +109,64 @@ rec {
 
     int = mkOptionType rec {
         name = "int";
-      description = "integer";
+        description = "signed integer";
         check = isInt;
         merge = mergeOneOption;
       };
 
+    # Specialized subdomains of int
+    ints =
+      let
+        betweenDesc = lowest: highest:
+          "${toString lowest} and ${toString highest} (both inclusive)";
+        between = lowest: highest: assert lowest <= highest;
+          addCheck int (x: x >= lowest && x <= highest) // {
+            name = "intBetween";
+            description = "integer between ${betweenDesc lowest highest}";
+          };
+        ign = lowest: highest: name: docStart:
+          between lowest highest // {
+            inherit name;
+            description = docStart + "; between ${betweenDesc lowest highest}";
+          };
+        unsign = bit: range: ign 0 (range - 1)
+          "unsignedInt${toString bit}" "${toString bit} bit unsigned integer";
+        sign = bit: range: ign (0 - (range / 2)) (range / 2 - 1)
+          "signedInt${toString bit}" "${toString bit} bit signed integer";
+
+      in rec {
+        /* An int with a fixed range.
+        *
+        * Example:
+        *   (ints.between 0 100).check (-1)
+        *   => false
+        *   (ints.between 0 100).check (101)
+        *   => false
+        *   (ints.between 0 0).check 0
+        *   => true
+        */
+        inherit between;
+
+        unsigned = addCheck types.int (x: x >= 0) // {
+          name = "unsignedInt";
+          description = "unsigned integer, meaning >=0";
+        };
+        positive = addCheck types.int (x: x > 0) // {
+          name = "positiveInt";
+          description = "positive integer, meaning >0";
+        };
+        u8 = unsign 8 256;
+        u16 = unsign 16 65536;
+        # the biggest int a 64-bit Nix accepts is 2^63 - 1 (9223372036854775808), for a 32-bit Nix it is 2^31 - 1 (2147483647)
+        # the smallest int a 64-bit Nix accepts is -2^63 (-9223372036854775807), for a 32-bit Nix it is -2^31 (-2147483648)
+        # u32 = unsign 32 4294967296;
+        # u64 = unsign 64 18446744073709551616;
+
+        s8 = sign 8 256;
+        s16 = sign 16 65536;
+        # s32 = sign 32 4294967296;
+      };
+
     str = mkOptionType {
       name = "str";
       description = "string";
@@ -172,7 +225,7 @@ rec {
     };
 
     # drop this in the future:
-    list = builtins.trace "`types.list' is deprecated; use `types.listOf' instead" types.listOf;
+    list = builtins.trace "`types.list` is deprecated; use `types.listOf` instead" types.listOf;
 
     listOf = elemType: mkOptionType rec {
       name = "listOf";
@@ -189,7 +242,7 @@ rec {
               ).optionalValue
             ) def.value
           else
-            throw "The option value `${showOption loc}' in `${def.file}' is not a list.") defs)));
+            throw "The option value `${showOption loc}` in `${def.file}` is not a list.") defs)));
       getSubOptions = prefix: elemType.getSubOptions (prefix ++ ["*"]);
       getSubModules = elemType.getSubModules;
       substSubModules = m: listOf (elemType.substSubModules m);
@@ -240,25 +293,6 @@ rec {
         functor = (defaultFunctor name) // { wrapped = elemType; };
       };
 
-    # List or element of ...
-    loeOf = elemType: mkOptionType rec {
-      name = "loeOf";
-      description = "element or list of ${elemType.description}s";
-      check = x: isList x || elemType.check x;
-      merge = loc: defs:
-        let
-          defs' = filterOverrides defs;
-          res = (head defs').value;
-        in
-        if isList res then concatLists (getValues defs')
-        else if lessThan 1 (length defs') then
-          throw "The option `${showOption loc}' is defined multiple times, in ${showFiles (getFiles defs)}."
-        else if !isString res then
-          throw "The option `${showOption loc}' does not have a string value, in ${showFiles (getFiles defs)}."
-        else res;
-      functor = (defaultFunctor name) // { wrapped = elemType; };
-    };
-
     # Value of given type but with no merging (i.e. `uniq list`s are not concatenated).
     uniq = elemType: mkOptionType rec {
       name = "uniq";
@@ -279,7 +313,7 @@ rec {
         let nrNulls = count (def: def.value == null) defs; in
         if nrNulls == length defs then null
         else if nrNulls != 0 then
-          throw "The option `${showOption loc}' is defined both null and not null, in ${showFiles (getFiles defs)}."
+          throw "The option `${showOption loc}` is defined both null and not null, in ${showFiles (getFiles defs)}."
         else elemType.merge loc defs;
       getSubOptions = elemType.getSubOptions;
       getSubModules = elemType.getSubModules;
@@ -307,8 +341,17 @@ rec {
           }).config;
         getSubOptions = prefix: (evalModules
           { modules = opts'; inherit prefix;
-            # FIXME: hack to get shit to evaluate.
+            # This is a work-around due to the fact that some sub-modules,
-            args = { name = ""; }; }).options;
+            # such as the one included in an attribute set, expects a "args"
+            # attribute to be given to the sub-module. As the option
+            # evaluation does not have any specific attribute name, we
+            # provide a default one for the documentation.
+            #
+            # This is mandatory as some option declaration might use the
+            # "name" attribute given as argument of the submodule and use it
+            # as the default of option declarations.
+            args.name = "&lt;name&gt;";
+          }).options;
         getSubModules = opts';
         substSubModules = m: submodule m;
         functor = (defaultFunctor name) // {

maintainers/scripts/gnome.sh

@@ -6,7 +6,7 @@ GNOME_FTP=ftp.gnome.org/pub/GNOME/sources
 
 # projects that don't follow the GNOME major versioning, or that we don't want to
 # programmatically update
-NO_GNOME_MAJOR="ghex gtkhtml gdm"
+NO_GNOME_MAJOR="ghex gtkhtml gdm gucharmap"
 
 usage() {
   echo "Usage: $0 <show project>|<update project>|<update-all> [major.minor]" >&2

maintainers/scripts/hydra-eval-failures.py

@@ -49,8 +49,8 @@ def get_maintainers(attr_name):
 @click.command()
 @click.option(
     '--jobset',
-    default="nixos/release-17.03",
+    default="nixos/release-17.09",
-    help='Hydra project like nixos/release-17.03')
+    help='Hydra project like nixos/release-17.09')
 def cli(jobset):
     """
     Given a Hydra project, inspect latest evaluation

maintainers/scripts/update-python-libraries

@@ -18,6 +18,7 @@ import os
 import re
 import requests
 import toolz
+from concurrent.futures import ThreadPoolExecutor as pool
 
 INDEX = "https://pypi.io/pypi"
 """url of PyPI"""
@@ -235,7 +236,8 @@ def main():
 
     packages = map(os.path.abspath, args.package)
 
-    count = list(map(_update, packages))
+    with pool() as p:
+        count = list(p.map(_update, packages))
 
     logging.info("{} package(s) updated".format(sum(count)))
 

nixos/doc/manual/development/option-types.xml

@@ -22,10 +22,6 @@
     <listitem><para>A boolean, its values can be <literal>true</literal> or 
         <literal>false</literal>.</para></listitem>
   </varlistentry>
-  <varlistentry>
-    <term><varname>types.int</varname></term>
-    <listitem><para>An integer.</para></listitem>
-  </varlistentry>
   <varlistentry>
     <term><varname>types.path</varname></term>
     <listitem><para>A filesystem path, defined as anything that when coerced to 
@@ -39,7 +35,59 @@
   </varlistentry>
 </variablelist>
 
-<para>String related types:</para>
+<para>Integer-related types:</para>
+
+<variablelist>
+  <varlistentry>
+    <term><varname>types.int</varname></term>
+    <listitem><para>A signed integer.</para></listitem>
+  </varlistentry>
+  <varlistentry>
+    <term>
+      <varname>types.ints.{s8, s16, s32}</varname>
+    </term>
+    <listitem>
+      <para>Signed integers with a fixed length (8, 16 or 32 bits).
+        They go from
+        <inlineequation><mathphrase>−2<superscript>n</superscript>/2</mathphrase>
+        </inlineequation> to <inlineequation>
+        <mathphrase>2<superscript>n</superscript>/2−1</mathphrase>
+        </inlineequation>
+        respectively (e.g. <literal>−128</literal> to <literal>127</literal>
+        for 8 bits).
+    </para></listitem>
+  </varlistentry>
+  <varlistentry>
+    <term>
+      <varname>types.ints.unsigned</varname>
+    </term>
+    <listitem><para>An unsigned integer (that is >= 0).
+    </para></listitem>
+  </varlistentry>
+  <varlistentry>
+    <term>
+      <varname>types.ints.{u8, u16, u32}</varname>
+    </term>
+    <listitem>
+      <para>Unsigned integers with a fixed length (8, 16 or 32 bits).
+        They go from
+        <inlineequation><mathphrase>0</mathphrase></inlineequation> to <inlineequation>
+        <mathphrase>2<superscript>n</superscript>−1</mathphrase>
+        </inlineequation>
+        respectively (e.g. <literal>0</literal> to <literal>255</literal>
+        for 8 bits).
+    </para></listitem>
+  </varlistentry>
+  <varlistentry>
+    <term>
+      <varname>types.ints.positive</varname>
+    </term>
+    <listitem><para>A positive integer (that is > 0).
+    </para></listitem>
+  </varlistentry>
+</variablelist>
+
+<para>String-related types:</para>
 
 <variablelist>
   <varlistentry>
@@ -68,7 +116,7 @@
 
  <section><title>Value Types</title>
 
-   <para>Value types are type that take a value parameter.</para>
+   <para>Value types are types that take a value parameter.</para>
 
 <variablelist>
   <varlistentry>
@@ -84,6 +132,17 @@
         <replaceable>sep</replaceable>, e.g. <literal>types.separatedString
           "|"</literal>.</para></listitem>
   </varlistentry>
+  <varlistentry>
+    <term>
+      <varname>types.ints.between</varname>
+      <replaceable>lowest</replaceable>
+      <replaceable>highest</replaceable>
+    </term>
+    <listitem><para>An integer between <replaceable>lowest</replaceable>
+        and <replaceable>highest</replaceable> (both inclusive).
+        Useful for creating types like <literal>types.port</literal>.
+    </para></listitem>
+  </varlistentry>
   <varlistentry>
     <term><varname>types.submodule</varname> <replaceable>o</replaceable></term>
     <listitem><para>A set of sub options <replaceable>o</replaceable>.

nixos/doc/manual/installation/installing-usb.xml

@@ -31,7 +31,7 @@ ISO, copy its contents verbatim to your drive, then either:
     <para>Edit <filename>loader/entries/nixos-livecd.conf</filename> on the drive
     and change the <literal>root=</literal> field in the <literal>options</literal>
     line to point to your drive (see the documentation on <literal>root=</literal>
-    in <link xlink:href="https://www.kernel.org/doc/Documentation/kernel-parameters.txt">
+    in <link xlink:href="https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt">
     the kernel documentation</link> for more details).</para>
   </listitem>
   <listitem>

nixos/doc/manual/installation/installing.xml

@@ -16,7 +16,8 @@
   hardware.</para></listitem>
 
   <listitem><para>The NixOS manual is available on virtual console 8
-  (press Alt+F8 to access).</para></listitem>
+  (press Alt+F8 to access) or by running <command>nixos-help</command>.
+  </para></listitem>
 
   <listitem><para>You get logged in as <literal>root</literal>
   (with empty password).</para></listitem>
@@ -139,6 +140,11 @@
     the GRUB boot loader is to be installed.  Without it, NixOS cannot
     boot.</para>
 
+    <para>If there are other operating systems running on the machine before
+    installing NixOS, the
+    <option>boot.loader.grub.useOSProber</option> option can be set to
+    <literal>true</literal> to automatically add them to the grub menu.</para>
+
     <para>Another critical option is <option>fileSystems</option>,
     specifying the file systems that need to be mounted by NixOS.
     However, you typically don’t need to set it yourself, because

nixos/doc/manual/release-notes/release-notes.xml

@@ -9,6 +9,7 @@
 <para>This section lists the release notes for each stable version of NixOS
 and current unstable revision.</para>
 
+<xi:include href="rl-1803.xml" />
 <xi:include href="rl-1709.xml" />
 <xi:include href="rl-1703.xml" />
 <xi:include href="rl-1609.xml" />

nixos/doc/manual/release-notes/rl-1709.xml

@@ -6,13 +6,22 @@
 
 <title>Release 17.09 (“Hummingbird”, 2017/09/??)</title>
 
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-highlights">
+
+<title>Highlights</title>
+
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
 
 <itemizedlist>
   <listitem>
     <para>
-      The GNOME version is now 3.24.
+      The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10,
+      KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
     </para>
   </listitem>
   <listitem>
@@ -45,16 +54,130 @@ has the following highlights: </para>
       even though <literal>HDMI-0</literal> is the first head in the list.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      The handling of SSL in the <literal>services.nginx</literal> module has
+      been cleaned up, renaming the misnamed <literal>enableSSL</literal> to
+      <literal>onlySSL</literal> which reflects its original intention. This
+      is not to be used with the already existing <literal>forceSSL</literal>
+      which creates a second non-SSL virtual host redirecting to the SSL
+      virtual host. This by chance had worked earlier due to specific
+      implementation details. In case you had specified both please remove
+      the <literal>enableSSL</literal> option to keep the previous behaviour.
+    </para>
+    <para>
+      Another <literal>addSSL</literal> option has been introduced to configure
+      both a non-SSL virtual host and an SSL virtual host with the same
+      configuration.
+    </para>
+    <para>
+      Options to configure <literal>resolver</literal> options and
+      <literal>upstream</literal> blocks have been introduced. See their information
+      for further details.
+    </para>
+    <para>
+      The <literal>port</literal> option has been replaced by a more generic
+      <literal>listen</literal> option which makes it possible to specify
+      multiple addresses, ports and SSL configs dependant on the new SSL
+      handling mentioned above.
+    </para>
+  </listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-new-services">
+
+<title>New Services</title>
+
 <para>The following new services were added since the last release:</para>
 
 <itemizedlist>
-  <listitem>
+  <listitem><para><literal>config/fonts/fontconfig-penultimate.nix</literal></para></listitem>
-    <para></para>
+  <listitem><para><literal>config/fonts/fontconfig-ultimate.nix</literal></para></listitem>
-  </listitem>
+  <listitem><para><literal>config/terminfo.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/sensor/iio.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/nitrokey.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/raid/hpsa.nix</literal></para></listitem>
+  <listitem><para><literal>programs/browserpass.nix</literal></para></listitem>
+  <listitem><para><literal>programs/gnupg.nix</literal></para></listitem>
+  <listitem><para><literal>programs/qt5ct.nix</literal></para></listitem>
+  <listitem><para><literal>programs/slock.nix</literal></para></listitem>
+  <listitem><para><literal>programs/thefuck.nix</literal></para></listitem>
+  <listitem><para><literal>security/auditd.nix</literal></para></listitem>
+  <listitem><para><literal>security/lock-kernel-modules.nix</literal></para></listitem>
+  <listitem><para><literal>service-managers/docker.nix</literal></para></listitem>
+  <listitem><para><literal>service-managers/trivial.nix</literal></para></listitem>
+  <listitem><para><literal>services/admin/salt/master.nix</literal></para></listitem>
+  <listitem><para><literal>services/admin/salt/minion.nix</literal></para></listitem>
+  <listitem><para><literal>services/audio/slimserver.nix</literal></para></listitem>
+  <listitem><para><literal>services/cluster/kubernetes/default.nix</literal></para></listitem>
+  <listitem><para><literal>services/cluster/kubernetes/dns.nix</literal></para></listitem>
+  <listitem><para><literal>services/cluster/kubernetes/dashboard.nix</literal></para></listitem>
+  <listitem><para><literal>services/continuous-integration/hail.nix</literal></para></listitem>
+  <listitem><para><literal>services/databases/clickhouse.nix</literal></para></listitem>
+  <listitem><para><literal>services/databases/postage.nix</literal></para></listitem>
+  <listitem><para><literal>services/desktops/gnome3/gnome-disks.nix</literal></para></listitem>
+  <listitem><para><literal>services/desktops/gnome3/gpaste.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/SystemdJournal2Gelf.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/heartbeat.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/journalwatch.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/syslogd.nix</literal></para></listitem>
+  <listitem><para><literal>services/mail/mailhog.nix</literal></para></listitem>
+  <listitem><para><literal>services/mail/nullmailer.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/airsonic.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/autorandr.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/exhibitor.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/fstrim.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/gollum.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/irkerd.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/jackett.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/radarr.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/snapper.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/osquery.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/collectd-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/fritzbox-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/network-filesystems/kbfs.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/dnscache.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/fireqos.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/iwd.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/keepalived/default.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/keybase.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/lldpd.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/matterbridge.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/squid.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/tinydns.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/xrdp.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/shibboleth-sp.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/sks.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/sshguard.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/torify.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/usbguard.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/vault.nix</literal></para></listitem>
+  <listitem><para><literal>services/system/earlyoom.nix</literal></para></listitem>
+  <listitem><para><literal>services/system/saslauthd.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/nexus.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/pgpkeyserver-lite.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/piwik.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-servers/lighttpd/collectd.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-servers/minio.nix</literal></para></listitem>
+  <listitem><para><literal>services/x11/display-managers/xpra.nix</literal></para></listitem>
+  <listitem><para><literal>services/x11/xautolock.nix</literal></para></listitem>
+  <listitem><para><literal>tasks/filesystems/bcachefs.nix</literal></para></listitem>
+  <listitem><para><literal>tasks/powertop.nix</literal></para></listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-incompatibilities">
+
+<title>Backward Incompatibilities</title>
 
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
@@ -62,10 +185,97 @@ following incompatible changes:</para>
 <itemizedlist>
   <listitem>
     <para>
-      <literal>aiccu</literal> package was removed. This is due to SixXS
+        <emphasis role="strong">
+            In an Qemu-based virtualization environment, the network interface
+            names changed from i.e. <literal>enp0s3</literal> to
+            <literal>ens3</literal>.
+        </emphasis>
+    </para>
+    <para>
+        This is due to a kernel configuration change. The new naming
+        is consistent with those of other Linux distributions with
+        systemd. See
+        <link xlink:href="https://github.com/NixOS/nixpkgs/issues/29197">#29197</link>
+        for more information.
+    </para>
+    <para>
+        A machine is affected if the <literal>virt-what</literal> tool
+        either returns <literal>qemu</literal> or
+        <literal>kvm</literal> <emphasis>and</emphasis> has
+        interface names used in any part of its NixOS configuration,
+        in particular if a static network configuration with
+        <literal>networking.interfaces</literal> is used.
+    </para>
+    <para>
+        Before rebooting affected machines, please ensure:
+        <itemizedlist>
+          <listitem>
+            <para>
+              Change the interface names in your NixOS configuration.
+              The first interface will be called <literal>ens3</literal>,
+              the second one <literal>ens8</literal> and starting from there
+              incremented by 1.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              After changing the interface names, rebuild your system with
+              <literal>nixos-rebuild boot</literal> to activate the new
+              configuration after a reboot. If you switch to the new
+              configuration right away you might lose network connectivity!
+              If using <literal>nixops</literal>, deploy with
+              <literal>nixops deploy --force-reboot</literal>.
+            </para>
+          </listitem>
+        </itemizedlist>
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher.
+      For <literal>stateVersion = "17.03"</literal> or lower the old behavior is preserved.
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The <literal>postgres</literal> default version was changed from 9.5 to 9.6.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>postgres</literal> superuser name has changed from <literal>root</literal> to <literal>postgres</literal> to more closely follow what other Linux distributions are doing.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher. The <literal>extraArgs</literal> option has been added to allow passing the data migration arguments specified in the instructions; see the <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> NixOS test for an example migration.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem>
+    <para>
+      The <literal>aiccu</literal> package was removed. This is due to SixXS
       <link xlink:href="https://www.sixxs.net/main/"> sunsetting</link> its IPv6 tunnel.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      The <literal>fanctl</literal> package and <literal>fan</literal> module
+      have been removed due to the developers not upstreaming their iproute2
+      patches and lagging with compatibility to recent iproute2 versions.
+    </para>
+  </listitem>
   <listitem>
     <para>
       Top-level <literal>idea</literal> package collection was renamed.
@@ -81,7 +291,7 @@ following incompatible changes:</para>
   </listitem>
   <listitem>
     <para>
-      The ipfs package now doesn't ignore the <literal>dataDir</literal> option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with
+      The <literal>ipfs</literal> service now doesn't ignore the <literal>dataDir</literal> option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with
 <programlisting>
 dataDir=&lt;valueOfDataDir&gt;
 mv /var/lib/ipfs/.ipfs/* $dataDir
@@ -89,32 +299,11 @@ rmdir /var/lib/ipfs/.ipfs
 </programlisting>
     </para>
   </listitem>
-  <listitem>
-    <para>
-      The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher.
-      For <literal>stateVersion = "17.03</literal> or lower the old behavior is preserved.
-    </para>
-    <para>
-      The <literal>postgres</literal> default version was changed from 9.5 to 9.6.
-    </para>
-    <para>
-      The <literal>postgres</literal> superuser name has changed from <literal>root</literal> to <literal>postgres</literal> to more closely follow what other Linux distributions are doing.
-    </para>
-    <para>
-      The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example.
-    </para>
-    <para>
-      The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
-    </para>
-    <para>
-            Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher. The <literal>extraArgs</literal> option has been added to allow passing the data migration arguments specified in the instructions; see the <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> NixOS test for an example migration.
-    </para>
-  </listitem>
   <listitem>
     <para>
       The <literal>caddy</literal> service was previously using an extra
-      <literal>.caddy</literal> in the data directory specified with the
+      <literal>.caddy</literal> directory in the data directory specified
-      <literal>dataDir</literal> option. The contents of the
+      with the <literal>dataDir</literal> option. The contents of the
       <literal>.caddy</literal> directory are now expected to be in the
       <literal>dataDir</literal>.
     </para>
@@ -195,16 +384,112 @@ rmdir /var/lib/ipfs/.ipfs
   </listitem>
   <listitem>
     <para>
-      The <literal>gnupg</literal> package used to suffix its programs
+      <literal>services.mysql</literal> now has declarative
-      with <literal>2</literal>, like <command>gpg2</command> and
+      configuration of databases and users with the <literal>ensureDatabases</literal> and
-      <command>gpgv2</command>. This suffix has since been dropped,
+      <literal>ensureUsers</literal> options.
-      and the programs are now simply <command>gpg</command>,
+    </para>
-      <command>gpgv</command>, etc.
+
+    <para>
+      These options will never delete existing databases and users,
+      especially not when the value of the options are changed.
+    </para>
+
+    <para>
+      The MySQL users will be identified using
+      <link xlink:href="https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/">
+        Unix socket authentication</link>. This authenticates the
+        Unix user with the same name only, and that without the need
+        for a password.
+    </para>
+
+    <para>
+      If you have previously created a MySQL <literal>root</literal>
+      user <emphasis>with a password</emphasis>, you will need to add
+      <literal>root</literal> user for unix socket authentication
+      before using the new options. This can be done by running the
+      following SQL script:
+
+<programlisting language="sql">
+CREATE USER 'root'@'%' IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
+FLUSH PRIVILEGES;
+
+-- Optionally, delete the password-authenticated user:
+-- DROP USER 'root'@'localhost';
+</programlisting>
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      <literal>services.mysqlBackup</literal> now works by default
+      without any user setup, including for users other than
+      <literal>mysql</literal>.
+    </para>
+
+    <para>
+      By default, the <literal>mysql</literal> user is no longer the
+      user which performs the backup. Instead a system account
+      <literal>mysqlbackup</literal> is used.
+    </para>
+
+    <para>
+      The <literal>mysqlBackup</literal> service is also now using
+      systemd timers instead of <literal>cron</literal>.
+    </para>
+
+    <para>
+      Therefore, the <literal>services.mysqlBackup.period</literal>
+      option no longer exists, and has been replaced with
+      <literal>services.mysqlBackup.calendar</literal>, which is in
+      the format of <link
+      xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events">systemd.time(7)</link>.
+    </para>
+
+    <para>
+      If you expect to be sent an e-mail when the backup fails,
+      consider using a script which monitors the systemd journal for
+      errors. Regretfully, at present there is no built-in
+      functionality for this.
+    </para>
+
+    <para>
+      You can check that backups still work by running
+      <command>systemctl start mysql-backup</command> then
+      <command>systemctl status mysql-backup</command>.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>
+      Templated systemd services e.g <literal>container@name</literal> are
+      now handled currectly when switching to a new configuration, resulting
+      in them being reloaded.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>Steam: the <literal>newStdcpp</literal> parameter
+    was removed and should not be needed anymore.</para>
+  </listitem>
+
+  <listitem>
+    <para>
+      Redis has been updated to version 4 which mandates a cluster
+      mass-restart, due to changes in the network handling, in order
+      to ensure compatibility with networks NATing traffic.
     </para>
   </listitem>
 </itemizedlist>
 
-<para>Other notable improvements:</para>
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-notable-changes">
+
+<title>Other Notable Changes</title>
 
 <itemizedlist>
 
@@ -249,7 +534,7 @@ rmdir /var/lib/ipfs/.ipfs
       Nixpkgs overlays may now be specified with a file as well as a directory. The
       value of <literal>&lt;nixpkgs-overlays></literal> may be a file, and
       <filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of the
-      <filename>~/.config/nixpkgs/overalys</filename> directory.
+      <filename>~/.config/nixpkgs/overlays</filename> directory.
     </para>
     <para>
       See the overlays chapter of the Nixpkgs manual for more details.
@@ -257,14 +542,70 @@ rmdir /var/lib/ipfs/.ipfs
   </listitem>
   <listitem>
     <para>
-      <literal>sha256</literal> argument value of
+      Definitions for <filename>/etc/hosts</filename> can now be specified
-      <literal>dockerTools.pullImage</literal> expression must be
+      declaratively with <literal>networking.hosts</literal>.
-      updated since the mechanism to download the image has been
+    </para>
-      changed. Skopeo is now used to pull the image instead of the
+  </listitem>
-      Docker daemon.
+  <listitem>
+    <para>
+      Two new options have been added to the installer loader, in addition
+      to the default having changed. The kernel log verbosity has been lowered
+      to the upstream default for the default options, in order to not spam
+      the console when e.g. joining a network.
+    </para>
+    <para>
+      This therefore leads to adding a new <literal>debug</literal> option
+      to set the log level to the previous verbose mode, to make debugging
+      easier, but still accessible easily.
+    </para>
+    <para>
+      Additionally a <literal>copytoram</literal> option has been added,
+      which makes it possible to remove the install medium after booting.
+      This allows tethering from your phone after booting from it.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      <literal>services.gitlab-runner.configOptions</literal> has been added
+      to specify the configuration of gitlab-runners declaratively.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      <literal>services.jenkins.plugins</literal> has been added
+      to install plugins easily, this can be generated with jenkinsPlugins2nix.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      <literal>services.postfix.config</literal> has been added
+      to specify the main.cf with NixOS options. Additionally other options
+      have been added to the postfix module and has been improved further.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      The GitLab package and module have been updated to the latest 10.0
+      release.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      The <literal>systemd-boot</literal> boot loader now lists the NixOS
+      version, kernel version and build date of all bootable generations.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      The dnscrypt-proxy service now defaults to using a random upstream resolver,
+      selected from the list of public non-logging resolvers with DNSSEC support.
+      Existing configurations can be migrated to this mode of operation by
+      omitting the <option>services.dnscrypt-proxy.resolverName</option> option
+      or setting it to <literal>"random"</literal>.
     </para>
   </listitem>
 
 </itemizedlist>
 
 </section>
+</section>

nixos/doc/manual/release-notes/rl-1803.xml

@@ -6,6 +6,14 @@
 
 <title>Release 18.03 (“Impala”, 2018/03/??)</title>
 
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-highlights">
+
+<title>Highlights</title>
+
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
 
@@ -16,6 +24,15 @@ has the following highlights: </para>
   </listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-new-services">
+
+<title>New Services</title>
+
 <para>The following new services were added since the last release:</para>
 
 <itemizedlist>
@@ -24,23 +41,56 @@ has the following highlights: </para>
   </listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-incompatibilities">
+
+<title>Backward Incompatibilities</title>
+
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
 
 <itemizedlist>
   <listitem>
     <para>
+      Dollar signs in options under <option>services.postfix</option> are
+      passed verbatim to Postfix, which will interpret them as the beginning of
+      a parameter expression. This was already true for string-valued options
+      in the previous release, but not for list-valued options. If you need to
+      pass literal dollar signs through Postfix, double them.
     </para>
   </listitem>
-</itemizedlist>
-
-<para>Other notable improvements:</para>
-
-<itemizedlist>
   <listitem>
     <para>
+      The <literal>postage</literal> package (for web-based PostgreSQL
+      administration) has been renamed to <literal>pgmanage</literal>. The
+      corresponding module has also been renamed. To migrate please rename all
+      <option>services.postage</option> options to
+      <option>services.pgmanage</option>.
     </para>
   </listitem>
 </itemizedlist>
 
 </section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-notable-changes">
+
+<title>Other Notable Changes</title>
+
+<itemizedlist>
+  <listitem>
+    <para>
+      ZNC option <option>services.znc.mutable</option> now defaults to <literal>true</literal>.
+      That means that old configuration is not overwritten by default when update to the znc options are made.
+    </para>
+  </listitem>
+</itemizedlist>
+
+</section>
+</section>

nixos/lib/make-disk-image.nix

@@ -64,7 +64,7 @@ let
     ${channelSources}
   '';
 
-  prepareImageInputs = with pkgs; [ rsync utillinux parted e2fsprogs lkl fakeroot config.system.build.nixos-prepare-root ] ++ stdenv.initialPath;
+  prepareImageInputs = with pkgs; [ rsync utillinux parted e2fsprogs lkl fakeroot libfaketime config.system.build.nixos-prepare-root ] ++ stdenv.initialPath;
 
   # I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate
   # image building logic. The comment right below this now appears in 4 different places in nixpkgs :)
@@ -80,13 +80,13 @@ let
     truncate -s ${toString diskSize}M $diskImage
 
     ${if partitioned then ''
-      parted $diskImage -- mklabel msdos mkpart primary ext4 1M -1s
+      parted --script $diskImage -- mklabel msdos mkpart primary ext4 1M -1s
       offset=$((2048*512))
     '' else ''
       offset=0
     ''}
 
-    mkfs.${fsType} -F -L nixos -E offset=$offset $diskImage
+    faketime -f "1970-01-01 00:00:01" mkfs.${fsType} -F -L nixos -E offset=$offset $diskImage
   
     root="$PWD/root"
     mkdir -p $root
@@ -124,6 +124,14 @@ let
     fakeroot nixos-prepare-root $root ${channelSources} ${config.system.build.toplevel} closure
 
     echo "copying staging root to image..."
+    # If we don't faketime, we can end up with timestamps other than 1 on the nix store, which
+    # will confuse Nix in some situations (e.g., breaking image builds in the target image)
+    # N.B: I use 0 here, which results in timestamp = 1 in the image. It's weird but see
+    # https://github.com/lkl/linux/issues/393. Also, running under faketime makes `cptofs` super
+    # noisy and it prints out that it can't find a bunch of files, and then works anyway. We'll
+    # shut it up someday but trying to do a stderr filter through grep is running into some nasty
+    # bug in some eval nonsense we have in runInLinuxVM and I'm sick of trying to fix it.
+    faketime -f "1970-01-01 00:00:00" \
       cptofs ${pkgs.lib.optionalString partitioned "-P 1"} -t ${fsType} -i $diskImage $root/* /
   '';
 in pkgs.vmTools.runInLinuxVM (

nixos/lib/test-driver/Machine.pm

@@ -372,6 +372,17 @@ sub getUnitInfo {
     return $info;
 }
 
+# Fail if the given systemd unit is not in the "active" state.
+sub requireActiveUnit {
+    my ($self, $unit) = @_;
+    $self->nest("checking if unit ‘$unit’ has reached state 'active'", sub {
+        my $info = $self->getUnitInfo($unit);
+        my $state = $info->{ActiveState};
+        if ($state ne "active") {
+            die "Expected unit ‘$unit’ to to be in state 'active' but it is in state ‘$state’\n";
+        };
+    });
+}
 
 # Wait for a systemd unit to reach the "active" state.
 sub waitForUnit {

nixos/lib/testing.nix

@@ -149,6 +149,7 @@ rec {
           { key = "run-in-machine";
             networking.hostName = "client";
             nix.readOnlyStore = false;
+            virtualisation.writableStore = false;
           }
         ];
 

nixos/maintainers/scripts/ec2/amazon-image.nix

@@ -9,6 +9,12 @@ in {
   imports = [ ../../../modules/virtualisation/amazon-image.nix ];
 
   options.amazonImage = {
+    name = mkOption {
+      type = types.str;
+      description = "The name of the generated derivation";
+      default = "nixos-disk-image";
+    };
+
     contents = mkOption {
       example = literalExample ''
         [ { source = pkgs.memtest86 + "/memtest.bin";
@@ -38,7 +44,7 @@ in {
 
   config.system.build.amazonImage = import ../../../lib/make-disk-image.nix {
     inherit lib config;
-    inherit (cfg) contents format;
+    inherit (cfg) contents format name;
     pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
     partitioned = config.ec2.hvm;
     diskSize = cfg.sizeMB;

nixos/maintainers/scripts/ec2/create-amis.sh

@@ -17,7 +17,7 @@ mkdir -p $stateDir
 rm -f ec2-amis.nix
 
 types="hvm"
-stores="ebs s3"
+stores="ebs"
 regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
 
 for type in $types; do

nixos/modules/config/debug-info.nix

@@ -30,14 +30,15 @@ with lib;
   };
 
 
-  config = {
+  config = mkIf config.environment.enableDebugInfo {
 
     # FIXME: currently disabled because /lib is already in
     # environment.pathsToLink, and we can't have both.
     #environment.pathsToLink = [ "/lib/debug/.build-id" ];
 
-    environment.extraOutputsToInstall =
+    environment.extraOutputsToInstall = [ "debug" ];
-      optional config.environment.enableDebugInfo "debug";
+
+    environment.variables.NIX_DEBUG_INFO_DIRS = [ "/run/current-system/sw/lib/debug" ];
 
   };
 

nixos/modules/config/krb5.nix

@@ -1,206 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  cfg = config.krb5;
-
-in
-
-{
-  ###### interface
-
-  options = {
-
-    krb5 = {
-
-      enable = mkOption {
-        default = false;
-        description = "Whether to enable Kerberos V.";
-      };
-
-      defaultRealm = mkOption {
-        default = "ATENA.MIT.EDU";
-        description = "Default realm.";
-      };
-
-      domainRealm = mkOption {
-        default = "atena.mit.edu";
-        description = "Default domain realm.";
-      };
-
-      kdc = mkOption {
-        default = "kerberos.mit.edu";
-        description = "Key Distribution Center";
-      };
-
-      kerberosAdminServer = mkOption {
-        default = "kerberos.mit.edu";
-        description = "Kerberos Admin Server.";
-      };
-
-    };
-
-  };
-
-  ###### implementation
-
-  config = mkIf config.krb5.enable {
-
-    environment.systemPackages = [ pkgs.krb5Full ];
-
-    environment.etc."krb5.conf".text =
-      ''
-        [libdefaults]
-            default_realm = ${cfg.defaultRealm}
-            encrypt = true
-
-        # The following krb5.conf variables are only for MIT Kerberos.
-            krb4_config = /etc/krb.conf
-            krb4_realms = /etc/krb.realms
-            kdc_timesync = 1
-            ccache_type = 4
-            forwardable = true
-            proxiable = true
-
-        # The following encryption type specification will be used by MIT Kerberos
-        # if uncommented.  In general, the defaults in the MIT Kerberos code are
-        # correct and overriding these specifications only serves to disable new
-        # encryption types as they are added, creating interoperability problems.
-
-        #   default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
-        #   default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
-        #   permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
-
-        # The following libdefaults parameters are only for Heimdal Kerberos.
-            v4_instance_resolve = false
-            v4_name_convert = {
-                host = {
-                    rcmd = host
-                    ftp = ftp
-                }
-                plain = {
-                    something = something-else
-                }
-            }
-            fcc-mit-ticketflags = true
-
-        [realms]
-            ${cfg.defaultRealm} = {
-                kdc = ${cfg.kdc}
-                admin_server = ${cfg.kerberosAdminServer}
-                #kpasswd_server = ${cfg.kerberosAdminServer}
-            }
-            ATHENA.MIT.EDU = {
-                kdc = kerberos.mit.edu:88
-                kdc = kerberos-1.mit.edu:88
-                kdc = kerberos-2.mit.edu:88
-                admin_server = kerberos.mit.edu
-                default_domain = mit.edu
-            }
-            MEDIA-LAB.MIT.EDU = {
-                kdc = kerberos.media.mit.edu
-                admin_server = kerberos.media.mit.edu
-            }
-            ZONE.MIT.EDU = {
-                kdc = casio.mit.edu
-                kdc = seiko.mit.edu
-                admin_server = casio.mit.edu
-            }
-            MOOF.MIT.EDU = {
-                kdc = three-headed-dogcow.mit.edu:88
-                kdc = three-headed-dogcow-1.mit.edu:88
-                admin_server = three-headed-dogcow.mit.edu
-            }
-            CSAIL.MIT.EDU = {
-                kdc = kerberos-1.csail.mit.edu
-                kdc = kerberos-2.csail.mit.edu
-                admin_server = kerberos.csail.mit.edu
-                default_domain = csail.mit.edu
-                krb524_server = krb524.csail.mit.edu
-            }
-            IHTFP.ORG = {
-                kdc = kerberos.ihtfp.org
-                admin_server = kerberos.ihtfp.org
-            }
-            GNU.ORG = {
-                kdc = kerberos.gnu.org
-                kdc = kerberos-2.gnu.org
-                kdc = kerberos-3.gnu.org
-                admin_server = kerberos.gnu.org
-            }
-            1TS.ORG = {
-                kdc = kerberos.1ts.org
-                admin_server = kerberos.1ts.org
-            }
-            GRATUITOUS.ORG = {
-                kdc = kerberos.gratuitous.org
-                admin_server = kerberos.gratuitous.org
-            }
-            DOOMCOM.ORG = {
-                kdc = kerberos.doomcom.org
-                admin_server = kerberos.doomcom.org
-            }
-            ANDREW.CMU.EDU = {
-                kdc = vice28.fs.andrew.cmu.edu
-                kdc = vice2.fs.andrew.cmu.edu
-                kdc = vice11.fs.andrew.cmu.edu
-                kdc = vice12.fs.andrew.cmu.edu
-                admin_server = vice28.fs.andrew.cmu.edu
-                default_domain = andrew.cmu.edu
-            }
-            CS.CMU.EDU = {
-                kdc = kerberos.cs.cmu.edu
-                kdc = kerberos-2.srv.cs.cmu.edu
-                admin_server = kerberos.cs.cmu.edu
-            }
-            DEMENTIA.ORG = {
-                kdc = kerberos.dementia.org
-                kdc = kerberos2.dementia.org
-                admin_server = kerberos.dementia.org
-            }
-            stanford.edu = {
-                kdc = krb5auth1.stanford.edu
-                kdc = krb5auth2.stanford.edu
-                kdc = krb5auth3.stanford.edu
-                admin_server = krb5-admin.stanford.edu
-                default_domain = stanford.edu
-            }
-
-        [domain_realm]
-            .${cfg.domainRealm} = ${cfg.defaultRealm}
-            ${cfg.domainRealm} = ${cfg.defaultRealm}
-            .mit.edu = ATHENA.MIT.EDU
-            mit.edu = ATHENA.MIT.EDU
-            .exchange.mit.edu = EXCHANGE.MIT.EDU
-            exchange.mit.edu = EXCHANGE.MIT.EDU
-            .media.mit.edu = MEDIA-LAB.MIT.EDU
-            media.mit.edu = MEDIA-LAB.MIT.EDU
-            .csail.mit.edu = CSAIL.MIT.EDU
-            csail.mit.edu = CSAIL.MIT.EDU
-            .whoi.edu = ATHENA.MIT.EDU
-            whoi.edu = ATHENA.MIT.EDU
-            .stanford.edu = stanford.edu
-
-        [logging]
-            kdc = SYSLOG:INFO:DAEMON
-            admin_server = SYSLOG:INFO:DAEMON
-            default = SYSLOG:INFO:DAEMON
-            krb4_convert = true
-            krb4_get_tickets = false
-
-        [appdefaults]
-            pam = {
-                debug = false
-                ticket_lifetime = 36000
-                renew_lifetime = 36000
-                max_timeout = 30
-                timeout_shift = 2
-                initial_timeout = 1
-            }
-      '';
-
-  };
-
-}

nixos/modules/config/krb5/default.nix

@@ -0,0 +1,367 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.krb5;
+
+  # This is to provide support for old configuration options (as much as is
+  # reasonable). This can be removed after 18.03 was released.
+  defaultConfig = {
+    libdefaults = optionalAttrs (cfg.defaultRealm != null)
+      { default_realm = cfg.defaultRealm; };
+
+    realms = optionalAttrs (lib.all (value: value != null) [
+      cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer
+    ]) {
+      "${cfg.defaultRealm}" = {
+        kdc = cfg.kdc;
+        admin_server = cfg.kerberosAdminServer;
+      };
+    };
+
+    domain_realm = optionalAttrs (lib.all (value: value != null) [
+      cfg.domainRealm cfg.defaultRealm
+    ]) {
+      ".${cfg.domainRealm}" = cfg.defaultRealm;
+      "${cfg.domainRealm}" = cfg.defaultRealm;
+    };
+  };
+
+  mergedConfig = (recursiveUpdate defaultConfig {
+    inherit (config.krb5)
+      kerberos libdefaults realms domain_realm capaths appdefaults plugins
+      extraConfig config;
+  });
+
+  filterEmbeddedMetadata = value: if isAttrs value then
+    (filterAttrs
+      (attrName: attrValue: attrName != "_module" && attrValue != null)
+        value)
+    else value;
+
+  mkIndent = depth: concatStrings (builtins.genList (_:  " ") (2 * depth));
+
+  mkRelation = name: value: "${name} = ${mkVal { inherit value; }}";
+
+  mkVal = { value, depth ? 0 }:
+    if (value == true) then "true"
+    else if (value == false) then "false"
+    else if (isInt value) then (toString value)
+    else if (isList value) then
+      concatMapStringsSep " " mkVal { inherit value depth; }
+    else if (isAttrs value) then
+      (concatStringsSep "\n${mkIndent (depth + 1)}"
+        ([ "{" ] ++ (mapAttrsToList
+          (attrName: attrValue: let
+            mappedAttrValue = mkVal {
+              value = attrValue;
+              depth = depth + 1;
+            };
+          in "${attrName} = ${mappedAttrValue}")
+        value))) + "\n${mkIndent depth}}"
+    else value;
+
+  mkMappedAttrsOrString = value: concatMapStringsSep "\n"
+    (line: if builtins.stringLength line > 0
+      then "${mkIndent 1}${line}"
+      else line)
+    (splitString "\n"
+      (if isAttrs value then
+        concatStringsSep "\n"
+            (mapAttrsToList mkRelation value)
+        else value));
+
+in {
+
+  ###### interface
+
+  options = {
+    krb5 = {
+      enable = mkEnableOption "Whether to enable Kerberos V.";
+
+      kerberos = mkOption {
+        type = types.package;
+        default = pkgs.krb5Full;
+        defaultText = "pkgs.krb5Full";
+        example = literalExample "pkgs.heimdalFull";
+        description = ''
+          The Kerberos implementation that will be present in
+          <literal>environment.systemPackages</literal> after enabling this
+          service.
+        '';
+      };
+
+      libdefaults = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        apply = attrs: filterEmbeddedMetadata attrs;
+        example = literalExample ''
+          {
+            default_realm = "ATHENA.MIT.EDU";
+          };
+        '';
+        description = ''
+          Settings used by the Kerberos V5 library.
+        '';
+      };
+
+      realms = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            "ATHENA.MIT.EDU" = {
+              admin_server = "athena.mit.edu";
+              kdc = "athena.mit.edu";
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = "Realm-specific contact information and settings.";
+      };
+
+      domain_realm = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            "example.com" = "EXAMPLE.COM";
+            ".example.com" = "EXAMPLE.COM";
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Map of server hostnames to Kerberos realms.
+        '';
+      };
+
+      capaths = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            "ATHENA.MIT.EDU" = {
+              "EXAMPLE.COM" = ".";
+            };
+            "EXAMPLE.COM" = {
+              "ATHENA.MIT.EDU" = ".";
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Authentication paths for non-hierarchical cross-realm authentication.
+        '';
+      };
+
+      appdefaults = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            pam = {
+              debug = false;
+              ticket_lifetime = 36000;
+              renew_lifetime = 36000;
+              max_timeout = 30;
+              timeout_shift = 2;
+              initial_timeout = 1;
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Settings used by some Kerberos V5 applications.
+        '';
+      };
+
+      plugins = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            ccselect = {
+              disable = "k5identity";
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Controls plugin module registration.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = with types; nullOr lines;
+        default = null;
+        example = ''
+          [logging]
+            kdc          = SYSLOG:NOTICE
+            admin_server = SYSLOG:NOTICE
+            default      = SYSLOG:NOTICE
+        '';
+        description = ''
+          These lines go to the end of <literal>krb5.conf</literal> verbatim.
+          <literal>krb5.conf</literal> may include any of the relations that are
+          valid for <literal>kdc.conf</literal> (see <literal>man
+          kdc.conf</literal>), but it is not a recommended practice.
+        '';
+      };
+
+      config = mkOption {
+        type = with types; nullOr lines;
+        default = null;
+        example = ''
+          [libdefaults]
+            default_realm = EXAMPLE.COM
+
+          [realms]
+            EXAMPLE.COM = {
+              admin_server = kerberos.example.com
+              kdc = kerberos.example.com
+              default_principal_flags = +preauth
+            }
+
+          [domain_realm]
+            example.com  = EXAMPLE.COM
+            .example.com = EXAMPLE.COM
+
+          [logging]
+            kdc          = SYSLOG:NOTICE
+            admin_server = SYSLOG:NOTICE
+            default      = SYSLOG:NOTICE
+        '';
+        description = ''
+          Verbatim <literal>krb5.conf</literal> configuration.  Note that this
+          is mutually exclusive with configuration via
+          <literal>libdefaults</literal>, <literal>realms</literal>,
+          <literal>domain_realm</literal>, <literal>capaths</literal>,
+          <literal>appdefaults</literal>, <literal>plugins</literal> and
+          <literal>extraConfig</literal> configuration options.  Consult
+          <literal>man krb5.conf</literal> for documentation.
+        '';
+      };
+
+      defaultRealm = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "ATHENA.MIT.EDU";
+        description = ''
+          DEPRECATED, please use
+          <literal>krb5.libdefaults.default_realm</literal>.
+        '';
+      };
+
+      domainRealm = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "athena.mit.edu";
+        description = ''
+          DEPRECATED, please create a map of server hostnames to Kerberos realms
+          in <literal>krb5.domain_realm</literal>.
+        '';
+      };
+
+      kdc = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "kerberos.mit.edu";
+        description = ''
+          DEPRECATED, please pass a <literal>kdc</literal> attribute to a realm
+          in <literal>krb5.realms</literal>.
+        '';
+      };
+
+      kerberosAdminServer = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "kerberos.mit.edu";
+        description = ''
+          DEPRECATED, please pass an <literal>admin_server</literal> attribute
+          to a realm in <literal>krb5.realms</literal>.
+        '';
+      };
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [ cfg.kerberos ];
+
+    environment.etc."krb5.conf".text = if isString cfg.config
+      then cfg.config
+      else (''
+        [libdefaults]
+        ${mkMappedAttrsOrString mergedConfig.libdefaults}
+
+        [realms]
+        ${mkMappedAttrsOrString mergedConfig.realms}
+
+        [domain_realm]
+        ${mkMappedAttrsOrString mergedConfig.domain_realm}
+
+        [capaths]
+        ${mkMappedAttrsOrString mergedConfig.capaths}
+
+        [appdefaults]
+        ${mkMappedAttrsOrString mergedConfig.appdefaults}
+
+        [plugins]
+        ${mkMappedAttrsOrString mergedConfig.plugins}
+      '' + optionalString (mergedConfig.extraConfig != null)
+          ("\n" + mergedConfig.extraConfig));
+
+    warnings = flatten [
+      (optional (cfg.defaultRealm != null) ''
+        The option krb5.defaultRealm is deprecated, please use
+        krb5.libdefaults.default_realm.
+      '')
+      (optional (cfg.domainRealm != null) ''
+        The option krb5.domainRealm is deprecated, please use krb5.domain_realm.
+      '')
+      (optional (cfg.kdc != null) ''
+        The option krb5.kdc is deprecated, please pass a kdc attribute to a
+        realm in krb5.realms.
+      '')
+      (optional (cfg.kerberosAdminServer != null) ''
+        The option krb5.kerberosAdminServer is deprecated, please pass an
+        admin_server attribute to a realm in krb5.realms.
+      '')
+    ];
+
+    assertions = [
+      { assertion = !((builtins.any (value: value != null) [
+            cfg.defaultRealm cfg.domainRealm cfg.kdc cfg.kerberosAdminServer
+          ]) && ((builtins.any (value: value != {}) [
+              cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
+              cfg.appdefaults cfg.plugins
+            ]) || (builtins.any (value: value != null) [
+              cfg.config cfg.extraConfig
+            ])));
+        message = ''
+          Configuration of krb5.conf by deprecated options is mutually exclusive
+          with configuration by section.  Please migrate your config using the
+          attributes suggested in the warnings.
+        '';
+      }
+      { assertion = !(cfg.config != null
+          && ((builtins.any (value: value != {}) [
+              cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
+              cfg.appdefaults cfg.plugins
+            ]) || (builtins.any (value: value != null) [
+              cfg.extraConfig cfg.defaultRealm cfg.domainRealm cfg.kdc
+              cfg.kerberosAdminServer
+            ])));
+        message = ''
+          Configuration of krb5.conf using krb.config is mutually exclusive with
+          configuration by section.  If you want to mix the two, you can pass
+          lines to any configuration section or lines to krb5.extraConfig.
+        '';
+      }
+    ];
+  };
+}

nixos/modules/config/nsswitch.nix

@@ -18,7 +18,7 @@ let
 
   hostArray = [ "files" ]
     ++ optionals mymachines [ "mymachines" ]
-    ++ optionals nssmdns [ "mdns_minimal [!UNAVAIL=return]" ]
+    ++ optionals nssmdns [ "mdns_minimal [NOTFOUND=return]" ]
     ++ optionals nsswins [ "wins" ]
     ++ optionals resolved ["resolve [!UNAVAIL=return]"]
     ++ [ "dns" ]

nixos/modules/config/system-path.nix

@@ -31,6 +31,7 @@ let
       pkgs.nano
       pkgs.ncurses
       pkgs.netcat
+      pkgs.nix-info
       config.programs.ssh.package
       pkgs.perl
       pkgs.procps

nixos/modules/config/timezone.nix

@@ -5,6 +5,9 @@ with lib;
 let
 
   tzdir = "${pkgs.tzdata}/share/zoneinfo";
+  nospace  = str: filter (c: c == " ") (stringToCharacters str) == [];
+  timezone = types.nullOr (types.addCheck types.str nospace)
+    // { description = "null or string without spaces"; };
 
 in
 
@@ -15,7 +18,7 @@ in
 
       timeZone = mkOption {
         default = null;
-        type = types.nullOr types.str;
+        type = timezone;
         example = "America/New_York";
         description = ''
           The time zone used when displaying times and dates. See <link

nixos/modules/hardware/network/intel-2030.nix

@@ -1,3 +0,0 @@
-{
-  hardware.enableRedistributableFirmware = true;
-}

nixos/modules/hardware/network/intel-2100bg.nix

@@ -1,30 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-
-  ###### interface
-
-  options = {
-
-    networking.enableIntel2100BGFirmware = lib.mkOption {
-      default = false;
-      type = lib.types.bool;
-      description = ''
-        Turn on this option if you want firmware for the Intel
-        PRO/Wireless 2100BG to be loaded automatically.  This is
-        required if you want to use this device.
-      '';
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = lib.mkIf config.networking.enableIntel2100BGFirmware {
-
-    hardware.enableRedistributableFirmware = true;
-
-  };
-
-}

nixos/modules/hardware/network/intel-3945abg.nix

@@ -1,29 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-
-  ###### interface
-
-  options = {
-
-    networking.enableIntel3945ABGFirmware = lib.mkOption {
-      default = false;
-      type = lib.types.bool;
-      description = ''
-        This option enables automatic loading of the firmware for the Intel
-        PRO/Wireless 3945ABG.
-      '';
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = lib.mkIf config.networking.enableIntel3945ABGFirmware {
-
-    hardware.enableRedistributableFirmware = true;
-
-  };
-
-}

nixos/modules/hardware/network/intel-4965agn.nix

@@ -1,3 +0,0 @@
-{
-  hardware.enableRedistributableFirmware = true;
-}

nixos/modules/hardware/network/intel-5000.nix

@@ -1,3 +0,0 @@
-{
-  hardware.enableRedistributableFirmware = true;
-}

nixos/modules/hardware/network/intel-5150.nix

@@ -1,3 +0,0 @@
-{
-  hardware.enableRedistributableFirmware = true;
-}

nixos/modules/hardware/network/intel-6000.nix

@@ -1,3 +0,0 @@
-{
-  hardware.enableRedistributableFirmware = true;
-}

nixos/modules/hardware/network/intel-6000g2a.nix

@@ -1,3 +0,0 @@
-{
-  hardware.enableRedistributableFirmware = true;
-}

nixos/modules/hardware/network/intel-6000g2b.nix

@@ -1,3 +0,0 @@
-{
-  hardware.enableRedistributableFirmware = true;
-}

nixos/modules/hardware/network/ralink.nix

@@ -1,26 +0,0 @@
-{pkgs, config, lib, ...}:
-
-{
-
-  ###### interface
-
-  options = {
-
-    networking.enableRalinkFirmware = lib.mkOption {
-      default = false;
-      type = lib.types.bool;
-      description = ''
-        Turn on this option if you want firmware for the RT73 NIC.
-      '';
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = lib.mkIf config.networking.enableRalinkFirmware {
-    hardware.enableRedistributableFirmware = true;
-  };
-
-}

nixos/modules/hardware/network/rtl8192c.nix

@@ -1,26 +0,0 @@
-{pkgs, config, lib, ...}:
-
-{
-
-  ###### interface
-
-  options = {
-
-    networking.enableRTL8192cFirmware = lib.mkOption {
-      default = false;
-      type = lib.types.bool;
-      description = ''
-        Turn on this option if you want firmware for the RTL8192c (and related) NICs.
-      '';
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = lib.mkIf config.networking.enableRTL8192cFirmware {
-    hardware.enableRedistributableFirmware = true;
-  };
-
-}

nixos/modules/hardware/opengl.nix

@@ -93,7 +93,7 @@ in
     hardware.opengl.extraPackages = mkOption {
       type = types.listOf types.package;
       default = [];
-      example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]";
+      example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]";
       description = ''
         Additional packages to add to OpenGL drivers. This can be used
         to add OpenCL drivers, VA-API/VDPAU drivers etc.

nixos/modules/hardware/video/nvidia.nix

@@ -40,6 +40,12 @@ in
 {
 
   config = mkIf enabled {
+    assertions = [
+      {
+        assertion = config.services.xserver.displayManager.gdm.wayland;
+        message = "NVidia drivers don't support wayland";
+      }
+    ];
 
     services.xserver.drivers = singleton
       { name = "nvidia"; modules = [ nvidia_x11.bin ]; libPath = [ nvidia_x11 ]; };
@@ -62,11 +68,16 @@ in
     boot.extraModulePackages = [ nvidia_x11.bin ];
 
     # nvidia-uvm is required by CUDA applications.
-    boot.kernelModules = [ "nvidia-uvm" ];
+    boot.kernelModules = [ "nvidia-uvm" ] ++
+      lib.optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
+
 
     # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
     services.udev.extraRules =
       ''
+        KERNEL=="nvidia", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidiactl c $(grep nvidia-frontend /proc/devices | cut -d \  -f 1) 255'"
+        KERNEL=="nvidia_modeset", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia-modeset c $(grep nvidia-frontend /proc/devices | cut -d \  -f 1) 254'"
+        KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia%n c $(grep nvidia-frontend /proc/devices | cut -d \  -f 1) %n'"
         KERNEL=="nvidia_uvm", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia-uvm c $(grep nvidia-uvm /proc/devices | cut -d \  -f 1) 0'"
       '';
 

nixos/modules/installer/cd-dvd/iso-image.nix

@@ -361,6 +361,9 @@ in
         { source = config.isoImage.splashImage;
           target = "/isolinux/background.png";
         }
+        { source = pkgs.writeText "version" config.system.nixosVersion;
+          target = "/version.txt";
+        }
       ] ++ optionals config.isoImage.makeEfiBootable [
         { source = efiImg;
           target = "/boot/efi.img";

nixos/modules/installer/cd-dvd/sd-image-aarch64.nix

@@ -10,6 +10,7 @@ let
 in
 {
   imports = [
+    ../../profiles/base.nix
     ../../profiles/installation-device.nix
     ./sd-image.nix
   ];
@@ -27,9 +28,12 @@ in
   boot.loader.generic-extlinux-compatible.enable = true;
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
-  # Increase the amount of CMA to ensure the virtual console on the RPi3 works.
+
-  boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=tty0"];
+  # The serial ports listed here are:
-  boot.consoleLogLevel = 7;
+  # - ttyS0: for Tegra (Jetson TX1)
+  # - ttyAMA0: for QEMU's -machine virt
+  # Also increase the amount of CMA to ensure the virtual console on the RPi3 works.
+  boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
 
   # FIXME: this probably should be in installation-device.nix
   users.extraUsers.root.initialHashedPassword = "";

nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix

@@ -10,6 +10,7 @@ let
 in
 {
   imports = [
+    ../../profiles/base.nix
     ../../profiles/installation-device.nix
     ./sd-image.nix
   ];
@@ -27,6 +28,12 @@ in
   boot.loader.generic-extlinux-compatible.enable = true;
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
+  # The serial ports listed here are:
+  # - ttyS0: for Tegra (Jetson TK1)
+  # - ttymxc0: for i.MX6 (Wandboard)
+  # - ttyAMA0: for Allwinner (pcDuino3 Nano) and QEMU's -machine virt
+  # - ttyO0: for OMAP (BeagleBone Black)
+  # - ttySAC2: for Exynos (ODROID-XU3)
   boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"];
 
   # FIXME: this probably should be in installation-device.nix

nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix

@@ -10,6 +10,7 @@ let
 in
 {
   imports = [
+    ../../profiles/base.nix
     ../../profiles/installation-device.nix
     ./sd-image.nix
   ];

nixos/modules/installer/scan/detected.nix

@@ -6,8 +6,7 @@ with lib;
 
 {
   config = mkDefault {
-    # Wireless card firmware
+    # Common firmware, i.e. for wifi cards
-    networking.enableIntel2200BGFirmware = true;
+    hardware.enableRedistributableFirmware = true;
-    networking.enableIntel3945ABGFirmware = true;
   };
 }

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -8,6 +8,7 @@ use File::Basename;
 use File::Slurp;
 use File::stat;
 
+umask(0022);
 
 sub uniq {
     my %seen;
@@ -103,7 +104,7 @@ if (-e "/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors") {
 
     foreach $e (@desired_governors) {
         if (index($governors, $e) != -1) {
-            last if (push @attrs, "powerManagement.cpuFreqGovernor = \"$e\";");
+            last if (push @attrs, "powerManagement.cpuFreqGovernor = lib.mkDefault \"$e\";");
         }
     }
 }
@@ -398,19 +399,15 @@ EOF
 
     # Is this a btrfs filesystem?
     if ($fsType eq "btrfs") {
-        my ($status, @id_info) = runCommand("btrfs subvol show $rootDir$mountPoint");
+        my ($status, @info) = runCommand("btrfs subvol show $rootDir$mountPoint");
-        if ($status != 0 || join("", @id_info) =~ /ERROR:/) {
+        if ($status != 0 || join("", @info) =~ /ERROR:/) {
             die "Failed to retrieve subvolume info for $mountPoint\n";
         }
-        my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/;
+        my @ids = join("\n", @info) =~ m/^(?!\/\n).*Subvolume ID:[ \t\n]*([0-9]+)/s;
         if ($#ids > 0) {
             die "Btrfs subvol name for $mountPoint listed multiple times in mount\n"
         } elsif ($#ids == 0) {
-            my ($status, @path_info) = runCommand("btrfs subvol list $rootDir$mountPoint");
+            my @paths = join("", @info) =~ m/^([^\n]*)/;
-            if ($status != 0) {
-                die "Failed to find $mountPoint subvolume id from btrfs\n";
-            }
-            my @paths = join("", @path_info) =~ m/ID $ids[0] [^\n]* path ([^\n]*)/;
             if ($#paths > 0) {
                 die "Btrfs returned multiple paths for a single subvolume id, mountpoint $mountPoint\n";
             } elsif ($#paths != 0) {

nixos/modules/installer/tools/nixos-install.sh

@@ -113,8 +113,33 @@ if [[ -z "$closure" ]]; then
 fi
 unset NIXOS_CONFIG
 
-# TODO: do I need to set NIX_SUBSTITUTERS here or is the --option binary-caches above enough?
+# These get created in nixos-prepare-root as well, but we want to make sure they're here in case we're
+# running with --chroot. TODO: --chroot should just be split into a separate tool.
+mkdir -m 0755 -p "$mountPoint/dev" "$mountPoint/proc" "$mountPoint/sys"
 
+# Set up some bind mounts we'll want regardless of chroot or not
+mount --rbind /dev "$mountPoint/dev"
+mount --rbind /proc "$mountPoint/proc"
+mount --rbind /sys "$mountPoint/sys"
+
+# If we asked for a chroot, that means we're not actually installing anything (yeah I was confused too)
+# and we just want to run a command in the context of a $mountPoint that we're assuming has already been
+# set up by a previous nixos-install invocation. In that case we set up some remaining bind mounts and
+# exec the requested command, skipping the rest of the installation procedure.
+if [ -n "$runChroot" ]; then
+    mount -t tmpfs -o "mode=0755" none $mountPoint/run
+    rm -rf $mountPoint/var/run
+    ln -s /run $mountPoint/var/run
+    for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
+    for f in /etc/passwd /etc/group;      do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done
+
+    if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
+        echo "$0: installation not finished; cannot chroot into installation directory"
+        exit 1
+    fi
+    ln -s /nix/var/nix/profiles/system $mountPoint/run/current-system
+    exec chroot $mountPoint "${chrootCommand[@]}"
+fi
 
 # A place to drop temporary closures
 trap "rm -rf $tmpdir" EXIT
@@ -153,9 +178,7 @@ nix-store --export $channel_root > $channel_closure
 # nixos-prepare-root doesn't currently do anything with file ownership, so we set it up here instead
 chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
 
-mount --rbind /dev $mountPoint/dev
+
-mount --rbind /proc $mountPoint/proc
-mount --rbind /sys $mountPoint/sys
 
 # Grub needs an mtab.
 ln -sfn /proc/mounts $mountPoint/etc/mtab

nixos/modules/installer/tools/nixos-prepare-root.sh

@@ -31,16 +31,16 @@ if ! test -e "$mountPoint"; then
 fi
 
 # Create a few of the standard directories in the target root directory.
-mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
+install -m 0755 -d $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
-mkdir -m 01777 -p $mountPoint/tmp
+install -m 01777 -d $mountPoint/tmp
-mkdir -m 0755 -p $mountPoint/tmp/root
+install -m 0755 -d $mountPoint/tmp/root
-mkdir -m 0755 -p $mountPoint/var
+install -m 0755 -d $mountPoint/var
-mkdir -m 0700 -p $mountPoint/root
+install -m 0700 -d $mountPoint/root
 
 ln -sf /run $mountPoint/var/run
 
 # Create the necessary Nix directories on the target device
-mkdir -m 0755 -p \
+install -m 0755 -d \
     $mountPoint/nix/var/nix/gcroots \
     $mountPoint/nix/var/nix/temproots \
     $mountPoint/nix/var/nix/userpool \
@@ -48,7 +48,7 @@ mkdir -m 0755 -p \
     $mountPoint/nix/var/nix/db \
     $mountPoint/nix/var/log/nix/drvs
 
-mkdir -m 1775 -p $mountPoint/nix/store
+install -m 1775 -d $mountPoint/nix/store
 
 # All Nix operations below should operate on our target store, not /nix/store.
 # N.B: this relies on Nix 1.12 or higher
@@ -80,7 +80,7 @@ if [ ! -x $mountPoint/@shell@ ]; then
     echo "Error: @shell@ wasn't included in the closure" >&2
     exit 1
 fi
-mkdir -m 0755 -p $mountPoint/bin
+install -m 0755 -d $mountPoint/bin
 ln -sf @shell@ $mountPoint/bin/sh
 
 echo "setting the system closure to '$system'..."
@@ -89,17 +89,16 @@ nix-env "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/system --set
 ln -sfn /nix/var/nix/profiles/system $mountPoint/run/current-system
 
 # Copy the NixOS/Nixpkgs sources to the target as the initial contents of the NixOS channel.
-mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles
+install -m 0755 -d $mountPoint/nix/var/nix/profiles
-mkdir -m 1777 -p $mountPoint/nix/var/nix/profiles/per-user
+install -m 1777 -d $mountPoint/nix/var/nix/profiles/per-user
-mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles/per-user/root
+install -m 0755 -d $mountPoint/nix/var/nix/profiles/per-user/root
 
 if [ -z "$noChannelCopy" ] && [ -n "$channel" ]; then
     echo "copying channel..."
     nix-env --option build-use-substitutes false "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channel" --quiet
 fi
-mkdir -m 0700 -p $mountPoint/root/.nix-defexpr
+install -m 0700 -d $mountPoint/root/.nix-defexpr
 ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels
 
 # Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out.
 touch $mountPoint/etc/NIXOS
-

nixos/modules/misc/crashdump.nix

@@ -18,26 +18,23 @@ in
           default = false;
           description = ''
             If enabled, NixOS will set up a kernel that will
-            boot on crash, and leave the user to a stage1 debug1devices
+            boot on crash, and leave the user in systemd rescue
-            interactive shell to be able to save the crashed kernel dump.
+            to be able to save the crashed kernel dump at
+            /proc/vmcore.
             It also activates the NMI watchdog.
           '';
         };
-        kernelPackages = mkOption {
+        reservedMemory = mkOption {
-          type = types.package;
+          default = "128M";
-          default = pkgs.linuxPackages;
-          # We don't want to evaluate all of linuxPackages for the manual
-          # - some of it might not even evaluate correctly.
-          defaultText = "pkgs.linuxPackages";
-          example = literalExample "pkgs.linuxPackages_2_6_25";
           description = ''
-            This will override the boot.kernelPackages, and will add some
+            The amount of memory reserved for the crashdump kernel.
-            kernel configuration parameters for the crash dump to work.
+            If you choose a too high value, dmesg will mention
+            "crashkernel reservation failed".
           '';
         };
         kernelParams = mkOption {
           type = types.listOf types.str;
-          default = [ "debug1devices" ];
+          default = [ "1" "boot.shell_on_fail" ];
           description = ''
             Parameters that will be passed to the kernel kexec-ed on crash.
           '';
@@ -51,29 +48,29 @@ in
   config = mkIf crashdump.enable {
     boot = {
       postBootCommands = ''
+        echo "loading crashdump kernel...";
         ${pkgs.kexectools}/sbin/kexec -p /run/current-system/kernel \
         --initrd=/run/current-system/initrd \
-        --append="init=$(readlink -f /run/current-system/init) system=$(readlink -f /run/current-system) irqpoll maxcpus=1 reset_devices ${kernelParams}" --reset-vga --console-vga
+        --reset-vga --console-vga \
+        --command-line="systemConfig=$(readlink -f /run/current-system) init=$(readlink -f /run/current-system/init) irqpoll maxcpus=1 reset_devices ${kernelParams}"
       '';
       kernelParams = [
-       "crashkernel=64M"
+       "crashkernel=${crashdump.reservedMemory}"
        "nmi_watchdog=panic"
        "softlockup_panic=1"
        "idle=poll"
       ];
-      kernelPackages = mkOverride 50 (crashdump.kernelPackages // {
+      kernelPatches = [ {
-        kernel = crashdump.kernelPackages.kernel.override 
+        name = "crashdump-config";
-          (attrs: {
+        patch = null;
-            extraConfig = (optionalString (attrs ? extraConfig) attrs.extraConfig) +
+        extraConfig = ''
-              ''
                 CRASH_DUMP y
                 DEBUG_INFO y
                 PROC_VMCORE y
                 LOCKUP_DETECTOR y
                 HARDLOCKUP_DETECTOR y
               '';
-          });
+        } ];
-      });
     };
   };
 }

nixos/modules/misc/ids.nix

@@ -207,11 +207,12 @@
       ripple-data-api = 186;
       mediatomb = 187;
       rdnssd = 188;
-      # ihaskell = 189; # unused
+      ihaskell = 189;
       i2p = 190;
       lambdabot = 191;
       asterisk = 192;
       plex = 193;
+      plexpy = 195;
       grafana = 196;
       skydns = 197;
       # ripple-rest = 198; # unused, removed 2017-08-12
@@ -296,6 +297,9 @@
       clickhouse = 278;
       rslsync = 279;
       minio = 280;
+      kanboard = 281;
+      pykms = 282;
+      kodi = 283;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -480,7 +484,7 @@
       #ripple-data-api = 186; #unused
       mediatomb = 187;
       #rdnssd = 188; # unused
-      # ihaskell = 189; # unused
+      ihaskell = 189;
       i2p = 190;
       lambdabot = 191;
       asterisk = 192;
@@ -561,6 +565,9 @@
       clickhouse = 278;
       rslsync = 279;
       minio = 280;
+      kanboard = 281;
+      pykms = 282;
+      kodi = 283;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/misc/locate.nix

@@ -126,12 +126,15 @@ in {
             ++ optional (isFindutils && cfg.pruneNames != []) "findutils locate does not support pruning by directory component"
             ++ optional (isFindutils && cfg.pruneBindMounts) "findutils locate does not support skipping bind mounts";
 
+    # directory creation needs to be separated from main service
+    # because ReadWritePaths fails when the directory doesn't already exist
+    systemd.tmpfiles.rules = [ "d ${dirOf cfg.output} 0755 root root -" ];
+
     systemd.services.update-locatedb =
       { description = "Update Locate Database";
         path = mkIf (!isMLocate) [ pkgs.su ];
         script =
           ''
-            mkdir -m 0755 -p ${dirOf cfg.output}
             exec ${cfg.locate}/bin/updatedb \
               ${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \
               --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
@@ -147,8 +150,13 @@ in {
         serviceConfig.PrivateTmp = "yes";
         serviceConfig.PrivateNetwork = "yes";
         serviceConfig.NoNewPrivileges = "yes";
-        serviceConfig.ReadOnlyDirectories = "/";
+        serviceConfig.ReadOnlyPaths = "/";
-        serviceConfig.ReadWriteDirectories = dirOf cfg.output;
+        # Use dirOf cfg.output because mlocate creates temporary files next to
+        # the actual database. We could specify and create them as well,
+        # but that would make this quite brittle when they change something.
+        # NOTE: If /var/cache does not exist, this leads to the misleading error message:
+        # update-locatedb.service: Failed at step NAMESPACE spawning …/update-locatedb-start: No such file or directory
+        serviceConfig.ReadWritePaths = dirOf cfg.output;
       };
 
     systemd.timers.update-locatedb =

nixos/modules/module-list.nix

@@ -9,7 +9,7 @@
   ./config/fonts/ghostscript.nix
   ./config/gnu.nix
   ./config/i18n.nix
-  ./config/krb5.nix
+  ./config/krb5/default.nix
   ./config/ldap.nix
   ./config/networking.nix
   ./config/no-x-libs.nix
@@ -35,11 +35,6 @@
   ./hardware/ksm.nix
   ./hardware/mcelog.nix
   ./hardware/network/b43.nix
-  ./hardware/network/intel-2100bg.nix
-  ./hardware/network/intel-2200bg.nix
-  ./hardware/network/intel-3945abg.nix
-  ./hardware/network/ralink.nix
-  ./hardware/network/rtl8192c.nix
   ./hardware/nitrokey.nix
   ./hardware/opengl.nix
   ./hardware/pcmcia.nix
@@ -73,6 +68,7 @@
   ./programs/adb.nix
   ./programs/atop.nix
   ./programs/bash/bash.nix
+  ./programs/bcc.nix
   ./programs/blcr.nix
   ./programs/browserpass.nix
   ./programs/cdemu.nix
@@ -102,6 +98,8 @@
   ./programs/spacefm.nix
   ./programs/ssh.nix
   ./programs/ssmtp.nix
+  ./programs/sysdig.nix
+  ./programs/sway.nix
   ./programs/thefuck.nix
   ./programs/tmux.nix
   ./programs/venus.nix
@@ -134,8 +132,6 @@
   ./security/rtkit.nix
   ./security/wrappers/default.nix
   ./security/sudo.nix
-  ./service-managers/docker.nix
-  ./service-managers/trivial.nix
   ./services/admin/salt/master.nix
   ./services/admin/salt/minion.nix
   ./services/amqp/activemq/default.nix
@@ -189,7 +185,7 @@
   ./services/databases/neo4j.nix
   ./services/databases/openldap.nix
   ./services/databases/opentsdb.nix
-  ./services/databases/postage.nix
+  ./services/databases/pgmanage.nix
   ./services/databases/postgresql.nix
   ./services/databases/redis.nix
   ./services/databases/riak.nix
@@ -267,6 +263,7 @@
   ./services/mail/offlineimap.nix
   ./services/mail/opendkim.nix
   ./services/mail/opensmtpd.nix
+  ./services/mail/pfix-srsd.nix
   ./services/mail/postfix.nix
   ./services/mail/postsrsd.nix
   ./services/mail/postgrey.nix
@@ -300,13 +297,14 @@
   ./services/misc/fstrim.nix
   ./services/misc/gammu-smsd.nix
   ./services/misc/geoip-updater.nix
+  ./services/misc/gitea.nix
   #./services/misc/gitit.nix
   ./services/misc/gitlab.nix
   ./services/misc/gitolite.nix
   ./services/misc/gogs.nix
   ./services/misc/gollum.nix
   ./services/misc/gpsd.nix
-  #./services/misc/ihaskell.nix
+  ./services/misc/ihaskell.nix
   ./services/misc/irkerd.nix
   ./services/misc/jackett.nix
   ./services/misc/logkeys.nix
@@ -330,6 +328,8 @@
   ./services/misc/parsoid.nix
   ./services/misc/phd.nix
   ./services/misc/plex.nix
+  ./services/misc/plexpy.nix
+  ./services/misc/pykms.nix
   ./services/misc/radarr.nix
   ./services/misc/redmine.nix
   ./services/misc/rippled.nix
@@ -346,6 +346,7 @@
   ./services/misc/svnserve.nix
   ./services/misc/synergy.nix
   ./services/misc/taskserver
+  ./services/misc/tzupdate.nix
   ./services/misc/uhub.nix
   ./services/misc/zookeeper.nix
   ./services/monitoring/apcupsd.nix
@@ -355,6 +356,7 @@
   ./services/monitoring/collectd.nix
   ./services/monitoring/das_watchdog.nix
   ./services/monitoring/dd-agent/dd-agent.nix
+  ./services/monitoring/fusion-inventory.nix
   ./services/monitoring/grafana.nix
   ./services/monitoring/graphite.nix
   ./services/monitoring/hdaps.nix
@@ -371,6 +373,7 @@
   ./services/monitoring/prometheus/collectd-exporter.nix
   ./services/monitoring/prometheus/fritzbox-exporter.nix
   ./services/monitoring/prometheus/json-exporter.nix
+  ./services/monitoring/prometheus/minio-exporter.nix
   ./services/monitoring/prometheus/nginx-exporter.nix
   ./services/monitoring/prometheus/node-exporter.nix
   ./services/monitoring/prometheus/snmp-exporter.nix
@@ -410,6 +413,7 @@
   ./services/networking/asterisk.nix
   ./services/networking/atftpd.nix
   ./services/networking/avahi-daemon.nix
+  ./services/networking/babeld.nix
   ./services/networking/bind.nix
   ./services/networking/autossh.nix
   ./services/networking/bird.nix
@@ -618,6 +622,7 @@
   ./services/web-servers/phpfpm/default.nix
   ./services/web-servers/shellinabox.nix
   ./services/web-servers/tomcat.nix
+  ./services/web-servers/traefik.nix
   ./services/web-servers/uwsgi.nix
   ./services/web-servers/varnish/default.nix
   ./services/web-servers/winstone.nix
@@ -693,6 +698,7 @@
   ./tasks/filesystems/bcachefs.nix
   ./tasks/filesystems/btrfs.nix
   ./tasks/filesystems/cifs.nix
+  ./tasks/filesystems/ecryptfs.nix
   ./tasks/filesystems/exfat.nix
   ./tasks/filesystems/ext.nix
   ./tasks/filesystems/f2fs.nix

nixos/modules/profiles/all-hardware.nix

@@ -47,9 +47,6 @@
 
       # Hyper-V support.
       "hv_storvsc"
-
-      # Keyboards
-      "usbhid" "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
     ];
 
   # Include lots of firmware.

nixos/modules/programs/bcc.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+{
+  options.programs.bcc.enable = lib.mkEnableOption "bcc";
+
+  config = lib.mkIf config.programs.bcc.enable {
+    environment.systemPackages = [ config.boot.kernelPackages.bcc ];
+    boot.extraModulePackages = [ config.boot.kernelPackages.bcc ];
+  };
+}

nixos/modules/programs/command-not-found/command-not-found.nix

@@ -25,7 +25,14 @@ in
 {
   options.programs.command-not-found = {
 
-    enable = mkEnableOption "command-not-found hook for interactive shell";
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether interactive shells should show which Nix package (if
+        any) provides a missing command.
+      '';
+    };
 
     dbPath = mkOption {
       default = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite" ;

nixos/modules/programs/ssh.nix

@@ -148,11 +148,11 @@ in
           [
             {
               hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
-              publicKeyFile = "./pubkeys/myhost_ssh_host_dsa_key.pub";
+              publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
             }
             {
               hostNames = [ "myhost2" ];
-              publicKeyFile = "./pubkeys/myhost2_ssh_host_dsa_key.pub";
+              publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
             }
           ]
         '';

nixos/modules/programs/sway.nix

@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.sway;
+  sway = pkgs.sway;
+
+  swayWrapped = pkgs.writeScriptBin "sway" ''
+    #! ${pkgs.stdenv.shell}
+    ${cfg.extraSessionCommands}
+    PATH="${sway}/bin:$PATH"
+    exec ${pkgs.dbus.dbus-launch} --exit-with-session sway-setcap
+  '';
+  swayJoined = pkgs.symlinkJoin {
+    name = "sway-wrapped";
+    paths = [ swayWrapped sway ];
+  };
+in
+{
+  options.programs.sway = {
+    enable = mkEnableOption "sway";
+
+    extraSessionCommands = mkOption {
+      default     = "";
+      type        = types.lines;
+      example = ''
+        export XKB_DEFAULT_LAYOUT=us,de
+        export XKB_DEFAULT_VARIANT=,nodeadkeys
+        export XKB_DEFAULT_OPTIONS=grp:alt_shift_toggle,
+      '';
+      description = ''
+        Shell commands executed just before sway is started.
+      '';
+    };
+
+    extraPackages = mkOption {
+      type = with types; listOf package;
+      default = with pkgs; [
+        i3status xwayland rxvt_unicode dmenu
+      ];
+      example = literalExample ''
+        with pkgs; [
+          i3status xwayland rxvt_unicode dmenu
+        ]
+      '';
+      description = ''
+        Extra packages to be installed system wide.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ swayJoined ] ++ cfg.extraPackages;
+    security.wrappers.sway = {
+      program = "sway-setcap";
+      source = "${sway}/bin/sway";
+      capabilities = "cap_sys_ptrace,cap_sys_tty_config=eip";
+      owner = "root";
+      group = "sway";
+      permissions = "u+rx,g+rx";
+    };
+
+    users.extraGroups.sway = {};
+
+    hardware.opengl.enable = mkDefault true;
+    fonts.enableDefaultFonts = mkDefault true;
+  };
+}

nixos/modules/programs/sysdig.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.sysdig;
+in {
+  options.programs.sysdig.enable = mkEnableOption "sysdig";
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.sysdig ];
+    boot.extraModulePackages = [ config.boot.kernelPackages.sysdig ];
+  };
+}

nixos/modules/programs/zsh/zsh-syntax-highlighting.nix

@@ -54,25 +54,25 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgs; [ zsh-syntax-highlighting ];
 
-      programs.zsh.interactiveShellInit = with pkgs; with builtins; ''
+    assertions = [
-        source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+      {
-
+        assertion = length(attrNames cfg.patterns) > 0 -> elem "pattern" cfg.highlighters;
-        ${optionalString (length(cfg.highlighters) > 0)
+        message = ''
-          "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})"
+          When highlighting patterns, "pattern" needs to be included in the list of highlighters.
-        }
-
-        ${let
-            n = attrNames cfg.patterns;
-          in
-            optionalString (length(n) > 0)
-              (assert(elem "pattern" cfg.highlighters); (foldl (
-                a: b:
-                  ''
-                    ${a}
-                    ZSH_HIGHLIGHT_PATTERNS+=('${b}' '${attrByPath [b] "" cfg.patterns}')
-                  ''
-              ) "") n)
-        }
         '';
+      }
+    ];
+
+    programs.zsh.interactiveShellInit = with pkgs;
+      lib.concatStringsSep "\n" ([
+        "source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
+      ] ++ optional (length(cfg.highlighters) > 0)
+        "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})"
+        ++ optionals (length(attrNames cfg.patterns) > 0)
+          (mapAttrsToList (
+            pattern: design:
+            "ZSH_HIGHLIGHT_PATTERNS+=('${pattern}' '${design}')"
+          ) cfg.patterns)
+      );
   };
 }

nixos/modules/rename.nix

@@ -11,7 +11,11 @@ with lib;
     (mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])
 
     (mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
-    (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
+    (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ])
+    (mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
+    (mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
+    (mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
+    (mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
 
     (mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ])
     (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]
@@ -108,6 +112,9 @@ with lib;
 
     (mkAliasOptionModule [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ])
 
+    # opendkim
+    (mkRenamedOptionModule [ "services" "opendkim" "keyFile" ] [ "services" "opendkim" "keyPath" ])
+
     # XBMC
     (mkRenamedOptionModule [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
     (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])

nixos/modules/security/acme.nix

@@ -139,6 +139,20 @@ in
         '';
       };
 
+      production = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          If set to true, use Let's Encrypt's production environment
+          instead of the staging environment. The main benefit of the
+          staging environment is to get much higher rate limits.
+
+          See
+          <literal>https://letsencrypt.org/docs/staging-environment</literal>
+          for more detail.
+        '';
+      };
+
       certs = mkOption {
         default = { };
         type = with types; attrsOf (submodule certOpts);
@@ -177,7 +191,9 @@ in
                 cmdline = [ "-v" "-d" domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
                           ++ optionals (data.email != null) [ "--email" data.email ]
                           ++ concatMap (p: [ "-f" p ]) data.plugins
-                          ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
+                          ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
+                          ++ (if cfg.production then []
+                              else ["--server" "https://acme-staging.api.letsencrypt.org/directory"]);
                 acmeService = {
                   description = "Renew ACME Certificate for ${cert}";
                   after = [ "network.target" "network-online.target" ];

nixos/modules/security/acme.xml

@@ -89,8 +89,5 @@ services.nginx = {
   };
 }
 </programlisting>
-
-<para>At the moment you still have to restart Nginx after the ACME
-certs arrive.</para>
 </section>
 </chapter>

nixos/modules/security/pam.nix

@@ -486,8 +486,9 @@ in
       ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
       ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
       ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
-      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
+      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ];
-      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
+
+    boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
 
     security.wrappers = {
       unix_chkpwd = {
@@ -495,10 +496,7 @@ in
         owner = "root";
         setuid = true;
       };
-    } // (if config.security.pam.enableEcryptfs then {
+    };
-      "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
-       "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
-    } else {});
 
     environment.etc =
       mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
@@ -521,6 +519,7 @@ in
         ftp = {};
         i3lock = {};
         i3lock-color = {};
+        swaylock = {};
         screen = {};
         vlock = {};
         xlock = {};

nixos/modules/security/pam_usb.nix

@@ -22,7 +22,7 @@ in
         description = ''
           Enable USB login for all login systems that support it.  For
           more information, visit <link
-          xlink:href="http://pamusb.org/doc/quickstart#setting_up" />.
+          xlink:href="https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users" />.
         '';
       };
 

nixos/modules/service-managers/docker.nix

@@ -1,29 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.docker-containers;
-
-  containerModule = {
-    script = mkOption {
-      type = types.lines;
-      description = "Shell commands executed as the service's main process.";
-    };
-  };
-
-  toContainer = name: value: pkgs.dockerTools.buildImage {
-    inherit name;
-    config = {
-      Cmd = [ value.script ];
-    };
-  };
-in {
-  options.docker-containers = mkOption {
-    default = {};
-    type = with types; attrsOf (types.submodule containerModule);
-    description = "Definition of docker containers";
-  };
-
-  config.system.build.toplevel-docker = lib.mapAttrs toContainer cfg;
-}

nixos/modules/service-managers/trivial.nix

@@ -1,35 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.trivial-services;
-
-  serviceModule.options = {
-    script = mkOption {
-      type = types.lines;
-      description = "Shell commands executed as the service's main process.";
-    };
-
-    environment = mkOption {
-      default = {};
-      type = types.attrs; # FIXME
-      example = { PATH = "/foo/bar/bin"; LANG = "nl_NL.UTF-8"; };
-      description = "Environment variables passed to the service's processes.";
-    };
-  };
-
-  launcher = name: value: pkgs.writeScript name ''
-    #!${pkgs.stdenv.shell} -eu
-
-    ${pkgs.writeScript "${name}-entry" value.script}
-  '';
-in {
-  options.trivial-services = mkOption {
-    default = {};
-    type = with types; attrsOf (types.submodule serviceModule);
-    description = "Definition of trivial services";
-  };
-
-  config.system.build.toplevel-trivial = lib.mapAttrs launcher cfg;
-}

nixos/modules/services/backup/mysql-backup.nix

@@ -7,9 +7,27 @@ let
   inherit (pkgs) mysql gzip;
 
   cfg = config.services.mysqlBackup;
-  location = cfg.location ;
+  defaultUser = "mysqlbackup";
-  mysqlBackupCron = db : ''
+
-    ${cfg.period} ${cfg.user} ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > ${location}/${db}.gz
+  backupScript = ''
+    set -o pipefail
+    failed=""
+    ${concatMapStringsSep "\n" backupDatabaseScript cfg.databases}
+    if [ -n "$failed" ]; then
+      echo "Backup of database(s) failed:$failed"
+      exit 1
+    fi
+  '';
+  backupDatabaseScript = db: ''
+    dest="${cfg.location}/${db}.gz"
+    if ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > $dest.tmp; then
+      mv $dest.tmp $dest
+      echo "Backed up to $dest"
+    else
+      echo "Failed to back up to $dest"
+      rm -f $dest.tmp
+      failed="$failed ${db}"
+    fi
   '';
 
 in
@@ -26,17 +44,16 @@ in
         '';
       };
 
-      period = mkOption {
+      calendar = mkOption {
-        default = "15 01 * * *";
+        type = types.str;
+        default = "01:15:00";
         description = ''
-          This option defines (in the format used by cron) when the
+          Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).
-          databases should be dumped.
-          The default is to update at 01:15 (at night) every day.
         '';
       };
 
       user = mkOption {
-        default = "mysql";
+        default = defaultUser;
         description = ''
           User to be used to perform backup.
         '';
@@ -66,16 +83,49 @@ in
 
   };
 
-  config = mkIf config.services.mysqlBackup.enable {
+  config = mkIf cfg.enable {
+    users.extraUsers = optionalAttrs (cfg.user == defaultUser) (singleton
+      { name = defaultUser;
+        isSystemUser = true;
+        createHome = false;
+        home = cfg.location;
+        group = "nogroup";
+      });
 
-    services.cron.systemCronJobs = map mysqlBackupCron config.services.mysqlBackup.databases;
+    services.mysql.ensureUsers = [{
+      name = cfg.user;
+      ensurePermissions = with lib;
+        let
+          privs = "SELECT, SHOW VIEW, TRIGGER, LOCK TABLES";
+          grant = db: nameValuePair "${db}.*" privs;
+        in
+          listToAttrs (map grant cfg.databases);
+    }];
 
-    system.activationScripts.mysqlBackup = stringAfter [ "stdio" "users" ]
+    systemd = {
-      ''
+      timers."mysql-backup" = {
-        mkdir -m 0700 -p ${config.services.mysqlBackup.location}
+        description = "Mysql backup timer";
-        chown ${config.services.mysqlBackup.user} ${config.services.mysqlBackup.location}
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = cfg.calendar;
+          AccuracySec = "5m";
+          Unit = "mysql-backup.service";
+        };
+      };
+      services."mysql-backup" = {
+        description = "Mysql backup service";
+        enable = true;
+        serviceConfig = {
+          User = cfg.user;
+          PermissionsStartOnly = true;
+        };
+        preStart = ''
+          mkdir -m 0700 -p ${cfg.location}
+          chown -R ${cfg.user} ${cfg.location}
         '';
-
+        script = backupScript;
+      };
+    };
   };
 
 }

nixos/modules/services/cluster/kubernetes/dashboard.nix

@@ -11,7 +11,7 @@ let
   image = pkgs.dockerTools.pullImage {
     imageName = name;
     imageTag = version;
-    sha256 = "0b5v7xa3s91yi9yfsw2b8wijiprnicbb02f5kqa579h4yndb3gfz";
+    sha256 = "1sf54d96nkgic9hir9c6p14gw24ns1k5d5a0r1sg414kjrvic0b4";
   };
 in {
   options.services.kubernetes.addons.dashboard = {

nixos/modules/services/cluster/kubernetes/dns.nix

@@ -8,19 +8,19 @@ let
   k8s-dns-kube-dns = pkgs.dockerTools.pullImage {
     imageName = "gcr.io/google_containers/k8s-dns-kube-dns-amd64";
     imageTag = version;
-    sha256 = "0g64jc2076ng28xl4w3w9svf7hc6s9h8rq9mhvvwpfy2p6lgj6gy";
+    sha256 = "0q97xfqrigrfjl2a9cxl5in619py0zv44gch09jm8gqjkxl80imp";
   };
 
   k8s-dns-dnsmasq-nanny = pkgs.dockerTools.pullImage {
     imageName = "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64";
     imageTag = version;
-    sha256 = "0sdpsbj1vismihy7ass1cn96nwmav6sf3r5h6i4k2dxha0y0jsh5";
+    sha256 = "051w5ca4qb88mwva4hbnh9xzlsvv7k1mbk3wz50lmig2mqrqqx6c";
   };
 
   k8s-dns-sidecar = pkgs.dockerTools.pullImage {
     imageName = "gcr.io/google_containers/k8s-dns-sidecar-amd64";
     imageTag = version;
-    sha256 = "01zpi189hpy2z62awl38fap908s8rrhc3v5gb6m90y2pycl4ad6q";
+    sha256 = "1z0d129bcm8i2cqq36x5jhnrv9hirj8c6kjrmdav8vgf7py78vsm";
   };
 
   cfg = config.services.kubernetes.addons.dns;

nixos/modules/services/continuous-integration/buildkite-agent.nix

@@ -9,9 +9,8 @@ let
       token="${cfg.token}"
       name="${cfg.name}"
       meta-data="${cfg.meta-data}"
-      hooks-path="${pkgs.buildkite-agent}/share/hooks"
+      hooks-path="${cfg.package}/share/hooks"
-      build-path="/var/lib/buildkite-agent/builds"
+      build-path="${cfg.dataDir}"
-      bootstrap-script="${pkgs.buildkite-agent}/share/bootstrap.sh"
     '';
 in
 
@@ -20,6 +19,26 @@ in
     services.buildkite-agent = {
       enable = mkEnableOption "buildkite-agent";
 
+      package = mkOption {
+        default = pkgs.buildkite-agent;
+        defaultText = "pkgs.buildkite-agent";
+        description = "Which buildkite-agent derivation to use";
+        type = types.package;
+      };
+
+      dataDir = mkOption {
+        default = "/var/lib/buildkite-agent";
+        description = "The workdir for the agent";
+        type = types.str;
+      };
+
+      runtimePackages = mkOption {
+        default = [ pkgs.bash pkgs.nix ];
+        defaultText = "[ pkgs.bash pkgs.nix ]";
+        description = "Add programs to the buildkite-agent environment";
+        type = types.listOf types.package;
+      };
+
       token = mkOption {
         type = types.str;
         description = ''
@@ -62,26 +81,30 @@ in
   config = mkIf config.services.buildkite-agent.enable {
     users.extraUsers.buildkite-agent =
       { name = "buildkite-agent";
-        home = "/var/lib/buildkite-agent";
+        home = cfg.dataDir;
         createHome = true;
         description = "Buildkite agent user";
       };
 
-    environment.systemPackages = [ pkgs.buildkite-agent ];
+    environment.systemPackages = [ cfg.package ];
 
     systemd.services.buildkite-agent =
       { description = "Buildkite Agent";
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
-        environment.HOME = "/var/lib/buildkite-agent";
+        path = cfg.runtimePackages;
+        environment = config.networking.proxy.envVars // {
+          HOME = cfg.dataDir;
+          NIX_REMOTE = "daemon";
+        };
         preStart = ''
-            ${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/lib/buildkite-agent/.ssh
+          ${pkgs.coreutils}/bin/mkdir -m 0700 -p ${cfg.dataDir}/.ssh
 
-            echo "${cfg.openssh.privateKey}" > /var/lib/buildkite-agent/.ssh/id_rsa
+          echo "${cfg.openssh.privateKey}" > ${cfg.dataDir}/.ssh/id_rsa
-            ${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa
+          ${pkgs.coreutils}/bin/chmod 600 ${cfg.dataDir}/.ssh/id_rsa
 
-            echo "${cfg.openssh.publicKey}" > /var/lib/buildkite-agent/.ssh/id_rsa.pub
+          echo "${cfg.openssh.publicKey}" > ${cfg.dataDir}/.ssh/id_rsa.pub
-            ${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa.pub
+          ${pkgs.coreutils}/bin/chmod 600 ${cfg.dataDir}/.ssh/id_rsa.pub
         '';
 
         serviceConfig =

nixos/modules/services/continuous-integration/jenkins/default.nix

@@ -78,6 +78,13 @@ in {
         '';
       };
 
+      package = mkOption {
+        default = pkgs.jenkins;
+        defaultText = "pkgs.jenkins";
+        type = types.package;
+        description = "Jenkins package to use.";
+      };
+
       packages = mkOption {
         default = [ pkgs.stdenv pkgs.git pkgs.jdk config.programs.ssh.package pkgs.nix ];
         defaultText = "[ pkgs.stdenv pkgs.git pkgs.jdk config.programs.ssh.package pkgs.nix ]";
@@ -194,7 +201,7 @@ in {
         '';
 
       script = ''
-        ${pkgs.jdk}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${pkgs.jenkins}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \
+        ${pkgs.jdk}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${cfg.package}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \
                                                   --httpPort=${toString cfg.port} \
                                                   --prefix=${cfg.prefix} \
                                                   ${concatStringsSep " " cfg.extraOptions}

nixos/modules/services/databases/mysql.nix

@@ -67,7 +67,7 @@ in
         type = types.nullOr types.str;
         default = null;
         example = literalExample "0.0.0.0";
-        description = "Address to bind to. The default it to bind to all addresses";
+        description = "Address to bind to. The default is to bind to all addresses";
       };
 
       port = mkOption {

nixos/modules/services/databases/pgmanage.nix

@@ -3,16 +3,16 @@
 with lib;
 
 let
-  cfg = config.services.postage;
+  cfg = config.services.pgmanage;
 
   confFile = pkgs.writeTextFile {
-    name = "postage.conf";
+    name = "pgmanage.conf";
     text =  ''
-      connection_file = ${postageConnectionsFile}
+      connection_file = ${pgmanageConnectionsFile}
 
       allow_custom_connections = ${builtins.toJSON cfg.allowCustomConnections}
 
-      postage_port = ${toString cfg.port}
+      pgmanage_port = ${toString cfg.port}
 
       super_only = ${builtins.toJSON cfg.superOnly}
 
@@ -20,7 +20,7 @@ let
 
       login_timeout = ${toString cfg.loginTimeout}
 
-      web_root = ${cfg.package}/etc/postage/web_root
+      web_root = ${cfg.package}/etc/pgmanage/web_root
 
       data_root = ${cfg.dataRoot}
 
@@ -33,24 +33,23 @@ let
     '';
   };
 
-  postageConnectionsFile = pkgs.writeTextFile {
+  pgmanageConnectionsFile = pkgs.writeTextFile {
-    name = "postage-connections.conf";
+    name = "pgmanage-connections.conf";
     text = concatStringsSep "\n"
       (mapAttrsToList (name : conn : "${name}: ${conn}") cfg.connections);
   };
 
-  postage = "postage";
+  pgmanage = "pgmanage";
-in {
 
-  options.services.postage = {
+  pgmanageOptions = {
     enable = mkEnableOption "PostgreSQL Administration for the web";
 
     package = mkOption {
       type = types.package;
-      default = pkgs.postage;
+      default = pkgs.pgmanage;
-      defaultText = "pkgs.postage";
+      defaultText = "pkgs.pgmanage";
       description = ''
-        The postage package to use.
+        The pgmanage package to use.
       '';
     };
 
@@ -62,14 +61,14 @@ in {
         "mini-server" = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
       };
       description = ''
-        Postage requires at least one PostgreSQL server be defined.
+        pgmanage requires at least one PostgreSQL server be defined.
         </para><para>
         Detailed information about PostgreSQL connection strings is available at:
         <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
         </para><para>
         Note that you should not specify your user name or password. That
         information will be entered on the login screen. If you specify a
-        username or password, it will be removed by Postage before attempting to
+        username or password, it will be removed by pgmanage before attempting to
         connect to a database.
       '';
     };
@@ -78,7 +77,7 @@ in {
       type = types.bool;
       default = false;
       description = ''
-        This tells Postage whether or not to allow anyone to use a custom
+        This tells pgmanage whether or not to allow anyone to use a custom
         connection from the login screen.
       '';
     };
@@ -87,7 +86,7 @@ in {
       type = types.int;
       default = 8080;
       description = ''
-        This tells Postage what port to listen on for browser requests.
+        This tells pgmanage what port to listen on for browser requests.
       '';
     };
 
@@ -95,7 +94,7 @@ in {
       type = types.bool;
       default = true;
       description = ''
-        This tells Postage whether or not to set the listening socket to local
+        This tells pgmanage whether or not to set the listening socket to local
         addresses only.
       '';
     };
@@ -104,10 +103,10 @@ in {
       type = types.bool;
       default = true;
       description = ''
-        This tells Postage whether or not to only allow super users to
+        This tells pgmanage whether or not to only allow super users to
         login. The recommended value is true and will restrict users who are not
         super users from logging in to any PostgreSQL instance through
-        Postage. Note that a connection will be made to PostgreSQL in order to
+        pgmanage. Note that a connection will be made to PostgreSQL in order to
         test if the user is a superuser.
       '';
     };
@@ -116,8 +115,8 @@ in {
       type = types.nullOr types.str;
       default = null;
       description = ''
-        This tells Postage to only allow users in a certain PostgreSQL group to
+        This tells pgmanage to only allow users in a certain PostgreSQL group to
-        login to Postage. Note that a connection will be made to PostgreSQL in
+        login to pgmanage. Note that a connection will be made to PostgreSQL in
         order to test if the user is a member of the login group.
       '';
     };
@@ -133,10 +132,10 @@ in {
 
     dataRoot = mkOption {
       type = types.str;
-      default = "/var/lib/postage";
+      default = "/var/lib/pgmanage";
       description = ''
-        This tells Postage where to put the SQL file history. All tabs are saved
+        This tells pgmanage where to put the SQL file history. All tabs are saved
-        to this location so that if you get disconnected from Postage you
+        to this location so that if you get disconnected from pgmanage you
         don't lose your work.
       '';
     };
@@ -156,15 +155,15 @@ in {
       });
       default = null;
       description = ''
-        These options tell Postage where the TLS Certificate and Key files
+        These options tell pgmanage where the TLS Certificate and Key files
         reside. If you use these options then you'll only be able to access
-        Postage through a secure TLS connection. These options are only
+        pgmanage through a secure TLS connection. These options are only
-        necessary if you wish to connect directly to Postage using a secure TLS
+        necessary if you wish to connect directly to pgmanage using a secure TLS
-        connection. As an alternative, you can set up Postage in a reverse proxy
+        connection. As an alternative, you can set up pgmanage in a reverse proxy
         configuration. This allows your web server to terminate the secure
-        connection and pass on the request to Postage. You can find help to set
+        connection and pass on the request to pgmanage. You can find help to set
         up this configuration in:
-        <link xlink:href="https://github.com/workflowproducts/postage/blob/master/INSTALL_NGINX.md"/>
+        <link xlink:href="https://github.com/pgManage/pgManage/blob/master/INSTALL_NGINX.md"/>
       '';
     };
 
@@ -177,29 +176,47 @@ in {
     };
   };
 
-  config = mkIf cfg.enable {
+
-    systemd.services.postage = {
+in {
-      description = "postage - PostgreSQL Administration for the web";
+
+  options.services.pgmanage = pgmanageOptions;
+
+  # This is deprecated and should be removed for NixOS-18.03.
+  options.services.postage = pgmanageOptions;
+
+  config = mkMerge [
+    { assertions = [
+        { assertion = !config.services.postage.enable;
+          message =
+            "services.postage is deprecated in favour of pgmanage. " +
+            "They have the same options so just substitute postage for pgmanage." ;
+        }
+      ];
+    }
+    (mkIf cfg.enable {
+      systemd.services.pgmanage = {
+        description = "pgmanage - PostgreSQL Administration for the web";
         wants    = [ "postgresql.service" ];
         after    = [ "postgresql.service" ];
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
-        User         = postage;
+          User         = pgmanage;
-        Group        = postage;
+          Group        = pgmanage;
-        ExecStart    = "${pkgs.postage}/sbin/postage -c ${confFile}" +
+          ExecStart    = "${pkgs.pgmanage}/sbin/pgmanage -c ${confFile}" +
                          optionalString cfg.localOnly " --local-only=true";
         };
       };
       users = {
-      users."${postage}" = {
+        users."${pgmanage}" = {
-        name  = postage;
+          name  = pgmanage;
-        group = postage;
+          group = pgmanage;
           home  = cfg.dataRoot;
           createHome = true;
         };
-      groups."${postage}" = {
+        groups."${pgmanage}" = {
-        name = postage;
+          name = pgmanage;
-      };
         };
       };
+    })
+  ];
 }

nixos/modules/services/desktops/gnome3/at-spi2-core.nix

@@ -34,6 +34,8 @@ with lib;
 
     services.dbus.packages = [ pkgs.at_spi2_core ];
 
+    systemd.packages = [ pkgs.at_spi2_core ];
+
   };
 
 }

nixos/modules/services/mail/nullmailer.nix

@@ -35,6 +35,18 @@ with lib;
         description = "Whether to set the system sendmail to nullmailer's.";
       };
 
+      remotesFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          Path to the <code>remotes</code> control file. This file contains a
+          list of remote servers to which to send each message.
+
+          See <code>man 8 nullmailer-send</code> for syntax and available
+          options.
+        '';
+      };
+
       config = {
         adminaddr = mkOption {
           type = types.nullOr types.str;
@@ -142,7 +154,16 @@ with lib;
           type = types.nullOr types.str;
           default = null;
           description = ''
-            If set, content will override the envelope sender on all messages.
+            A list of remote servers to which to send each message. Each line
+            contains a remote host name or address followed by an optional
+            protocol string, separated by white space.
+
+            See <code>man 8 nullmailer-send</code> for syntax and available
+            options.
+
+            WARNING: This is stored world-readable in the nix store. If you need
+            to specify any secret credentials here, consider using the
+            <code>remotesFile</code> option instead.
           '';
         };
 
@@ -164,13 +185,19 @@ with lib;
     cfg = config.services.nullmailer;
   in mkIf cfg.enable {
 
+    assertions = [
+      { assertion = cfg.config.remotes == null || cfg.remotesFile == null;
+        message = "Only one of `remotesFile` or `config.remotes` may be used at a time.";
+      }
+    ];
+
     environment = {
       systemPackages = [ pkgs.nullmailer ];
       etc = let
-        getval  = attr: builtins.getAttr attr cfg.config;
+        validAttrs = filterAttrs (name: value: value != null) cfg.config;
-        attrs   = builtins.attrNames cfg.config;
+      in
-        attrs'  = builtins.filter (attr: ! isNull (getval attr)) attrs;
+        (foldl' (as: name: as // { "nullmailer/${name}".text = validAttrs.${name}; }) {} (attrNames validAttrs))
-      in foldl' (as: attr: as // { "nullmailer/${attr}".text = getval attr; }) {} attrs';
+          // optionalAttrs (cfg.remotesFile != null) { "nullmailer/remotes".source = cfg.remotesFile; };
     };
 
     users = {
@@ -192,7 +219,7 @@ with lib;
 
       preStart = ''
         mkdir -p /var/spool/nullmailer/{queue,tmp}
-        rm -f var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
+        rm -f /var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
         chown ${cfg.user} /var/spool/nullmailer/*
       '';
 

nixos/modules/services/mail/opendkim.nix

@@ -8,10 +8,12 @@ let
 
   defaultSock = "local:/run/opendkim/opendkim.sock";
 
+  keyFile = "${cfg.keyPath}/${cfg.selector}.private";
+
   args = [ "-f" "-l"
            "-p" cfg.socket
            "-d" cfg.domains
-           "-k" cfg.keyFile
+           "-k" keyFile
            "-s" cfg.selector
          ] ++ optionals (cfg.configFile != null) [ "-x" cfg.configFile ];
 
@@ -57,9 +59,13 @@ in {
         '';
       };
 
-      keyFile = mkOption {
+      keyPath = mkOption {
         type = types.path;
-        description = "Secret key file used for signing messages.";
+        description = ''
+          The path that opendkim should put its generated private keys into.
+          The DNS settings will be found in this directory with the name selector.txt.
+        '';
+        default = "/var/lib/opendkim/keys";
       };
 
       selector = mkOption {
@@ -100,11 +106,25 @@ in {
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
+      preStart = ''
+        mkdir -p "${cfg.keyPath}"
+        cd "${cfg.keyPath}"
+        if ! test -f ${cfg.selector}.private; then
+          ${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key
+          echo "Generated OpenDKIM key! Please update your DNS settings:\n"
+          echo "-------------------------------------------------------------"
+          cat ${cfg.selector}.txt
+          echo "-------------------------------------------------------------"
+        fi
+        chown ${cfg.user}:${cfg.group} ${cfg.selector}.private
+      '';
+
       serviceConfig = {
         ExecStart = "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
         User = cfg.user;
         Group = cfg.group;
         RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
+        PermissionsStartOnly = true;
       };
     };
 

nixos/modules/services/mail/pfix-srsd.nix

@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.pfix-srsd = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Whether to run the postfix sender rewriting scheme daemon.";
+      };
+
+      domain = mkOption {
+        description = "The domain for which to enable srs";
+        type = types.str;
+        example = "example.com";
+      };
+
+      secretsFile = mkOption {
+        description = ''
+          The secret data used to encode the SRS address.
+          to generate, use a command like:
+          <literal>for n in $(seq 5); do dd if=/dev/urandom count=1 bs=1024 status=none | sha256sum | sed 's/  -$//' | sed 's/^/          /'; done</literal>
+        '';
+        type = types.path;
+        default = "/var/lib/pfix-srsd/secrets";
+      };
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf config.services.pfix-srsd.enable {
+    environment = {
+      systemPackages = [ pkgs.pfixtools ];
+    };
+
+    systemd.services."pfix-srsd" = {
+      description = "Postfix sender rewriting scheme daemon";
+      before = [ "postfix.service" ];
+      #note that we use requires rather than wants because postfix
+      #is unable to process (almost) all mail without srsd
+      requiredBy = [ "postfix.service" ];
+      serviceConfig = {
+        Type = "forking";
+        PIDFile = "/var/run/pfix-srsd.pid";
+        ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /var/run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}";
+      };
+    };
+  };
+}

nixos/modules/services/mail/postfix.nix

@@ -28,7 +28,7 @@ let
 
   mainCf = let
     escape = replaceStrings ["$"] ["$$"];
-    mkList = items: "\n  " + concatMapStringsSep "\n  " escape items;
+    mkList = items: "\n  " + concatStringsSep "\n  " items;
     mkVal = value:
       if isList value then mkList value
         else " " + (if value == true then "yes"
@@ -60,9 +60,11 @@ let
     manpage_directory    = "${pkgs.postfix}/share/man";
     html_directory       = "${pkgs.postfix}/share/postfix/doc/html";
     shlib_directory      = false;
-    relayhost            = if cfg.lookupMX || cfg.relayHost == ""
+    relayhost            = if cfg.relayHost == "" then "" else
-                             then cfg.relayHost
+                             if cfg.lookupMX
-                             else "[${cfg.relayHost}]";
+                             then "${cfg.relayHost}:${toString cfg.relayPort}"
+                             else "[${cfg.relayHost}]:${toString cfg.relayPort}";
+
     mail_spool_directory = "/var/spool/mail/";
     setgid_group         = setgidGroup;
   }
@@ -79,6 +81,12 @@ let
   // optionalAttrs haveTransport { transport_maps = "hash:/etc/postfix/transport"; }
   // optionalAttrs haveVirtual { virtual_alias_maps = "${cfg.virtualMapType}:/etc/postfix/virtual"; }
   // optionalAttrs (cfg.dnsBlacklists != []) { smtpd_client_restrictions = clientRestrictions; }
+  // optionalAttrs cfg.useSrs {
+    sender_canonical_maps = "tcp:127.0.0.1:10001";
+    sender_canonical_classes = "envelope_sender";
+    recipient_canonical_maps = "tcp:127.0.0.1:10002";
+    recipient_canonical_classes= "envelope_recipient";
+  }
   // optionalAttrs cfg.enableHeaderChecks { header_checks = "regexp:/etc/postfix/header_checks"; }
   // optionalAttrs (cfg.sslCert != "") {
     smtp_tls_CAfile = cfg.sslCACert;
@@ -452,6 +460,14 @@ in
         ";
       };
 
+      relayPort = mkOption {
+        type = types.int;
+        default = 25;
+        description = "
+          SMTP port for relay mail relay.
+        ";
+      };
+
       lookupMX = mkOption {
         type = types.bool;
         default = false;
@@ -626,6 +642,12 @@ in
         description = "Maps to be compiled and placed into /var/lib/postfix/conf.";
       };
 
+      useSrs = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable sender rewriting scheme";
+      };
+
     };
 
   };
@@ -646,6 +668,8 @@ in
         systemPackages = [ pkgs.postfix ];
       };
 
+      services.pfix-srsd.enable = config.services.postfix.useSrs;
+
       services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
         program = "sendmail";
         source = "${pkgs.postfix}/bin/sendmail";

nixos/modules/services/mail/spamassassin.nix

@@ -122,7 +122,11 @@ in
   config = mkIf cfg.enable {
 
     # Allow users to run 'spamc'.
-    environment.systemPackages = [ pkgs.spamassassin ];
+
+    environment = {
+      etc = singleton { source = spamdEnv; target = "spamassassin"; };
+      systemPackages = [ pkgs.spamassassin ];
+    };
 
     users.extraUsers = singleton {
       name = "spamd";
@@ -177,11 +181,6 @@ in
       # 0 and 1 no error, exitcode > 1 means error:
       # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
       preStart = ''
-        # this abstraction requires no centralized config at all
-        if [ -d /etc/spamassassin ]; then
-          echo "This spamassassin does not support global '/etc/spamassassin' folder for configuration as this would be impure. Merge your configs into 'services.spamassassin' and remove the '/etc/spamassassin' folder to make this service work. Also see 'https://github.com/NixOS/nixpkgs/pull/26470'."; 
-          exit 1
-        fi
         echo "Recreating '/var/lib/spamasassin' with creating '3.004001' (or similar) and 'sa-update-keys'"
         mkdir -p /var/lib/spamassassin
         chown spamd:spamd /var/lib/spamassassin -R

nixos/modules/services/misc/gitea.nix

@@ -0,0 +1,270 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.gitea;
+  configFile = pkgs.writeText "app.ini" ''
+    APP_NAME = ${cfg.appName}
+    RUN_USER = ${cfg.user}
+    RUN_MODE = prod
+
+    [database]
+    DB_TYPE = ${cfg.database.type}
+    HOST = ${cfg.database.host}:${toString cfg.database.port}
+    NAME = ${cfg.database.name}
+    USER = ${cfg.database.user}
+    PASSWD = #dbpass#
+    PATH = ${cfg.database.path}
+
+    [repository]
+    ROOT = ${cfg.repositoryRoot}
+
+    [server]
+    DOMAIN = ${cfg.domain}
+    HTTP_ADDR = ${cfg.httpAddress}
+    HTTP_PORT = ${toString cfg.httpPort}
+    ROOT_URL = ${cfg.rootUrl}
+    STATIC_ROOT_PATH = ${cfg.staticRootPath}
+
+    [session]
+    COOKIE_NAME = session
+    COOKIE_SECURE = ${boolToString cfg.cookieSecure}
+
+    [security]
+    SECRET_KEY = #secretkey#
+    INSTALL_LOCK = true
+
+    ${cfg.extraConfig}
+  '';
+in
+
+{
+  options = {
+    services.gitea = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Enable Gitea Service.";
+      };
+
+      useWizard = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Do not generate a configuration and use gitea' installation wizard instead. The first registered user will be administrator.";
+      };
+
+      stateDir = mkOption {
+        default = "/var/lib/gitea";
+        type = types.str;
+        description = "gitea data directory.";
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "gitea";
+        description = "User account under which gitea runs.";
+      };
+
+      database = {
+        type = mkOption {
+          type = types.enum [ "sqlite3" "mysql" "postgres" ];
+          example = "mysql";
+          default = "sqlite3";
+          description = "Database engine to use.";
+        };
+
+        host = mkOption {
+          type = types.str;
+          default = "127.0.0.1";
+          description = "Database host address.";
+        };
+
+        port = mkOption {
+          type = types.int;
+          default = 3306;
+          description = "Database host port.";
+        };
+
+        name = mkOption {
+          type = types.str;
+          default = "gitea";
+          description = "Database name.";
+        };
+
+        user = mkOption {
+          type = types.str;
+          default = "gitea";
+          description = "Database user.";
+        };
+
+        password = mkOption {
+          type = types.str;
+          default = "";
+          description = ''
+            The password corresponding to <option>database.user</option>.
+            Warning: this is stored in cleartext in the Nix store!
+            Use <option>database.passwordFile</option> instead.
+          '';
+        };
+
+        passwordFile = mkOption {
+          type = types.nullOr types.path;
+          default = null;
+          example = "/run/keys/gitea-dbpassword";
+          description = ''
+            A file containing the password corresponding to
+            <option>database.user</option>.
+          '';
+        };
+
+        path = mkOption {
+          type = types.str;
+          default = "${cfg.stateDir}/data/gitea.db";
+          description = "Path to the sqlite3 database file.";
+        };
+      };
+
+      appName = mkOption {
+        type = types.str;
+        default = "gitea: Gitea Service";
+        description = "Application name.";
+      };
+
+      repositoryRoot = mkOption {
+        type = types.str;
+        default = "${cfg.stateDir}/repositories";
+        description = "Path to the git repositories.";
+      };
+
+      domain = mkOption {
+        type = types.str;
+        default = "localhost";
+        description = "Domain name of your server.";
+      };
+
+      rootUrl = mkOption {
+        type = types.str;
+        default = "http://localhost:3000/";
+        description = "Full public URL of gitea server.";
+      };
+
+      httpAddress = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = "HTTP listen address.";
+      };
+
+      httpPort = mkOption {
+        type = types.int;
+        default = 3000;
+        description = "HTTP listen port.";
+      };
+
+      cookieSecure = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Marks session cookies as "secure" as a hint for browsers to only send
+          them via HTTPS. This option is recommend, if gitea is being served over HTTPS.
+        '';
+      };
+
+      staticRootPath = mkOption {
+        type = types.str;
+        default = "${pkgs.gitea.data}";
+        example = "/var/lib/gitea/data";
+        description = "Upper level of template and static files path.";
+      };
+
+      extraConfig = mkOption {
+        type = types.str;
+        default = "";
+        description = "Configuration lines appended to the generated gitea configuration file.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services.gitea = {
+      description = "gitea";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.gitea.bin ];
+
+      preStart = let
+        runConfig = "${cfg.stateDir}/custom/conf/app.ini";
+        secretKey = "${cfg.stateDir}/custom/conf/secret_key";
+      in ''
+        mkdir -p ${cfg.stateDir}
+
+        # copy custom configuration and generate a random secret key if needed
+        ${optionalString (cfg.useWizard == false) ''
+          mkdir -p ${cfg.stateDir}/custom/conf
+          cp -f ${configFile} ${runConfig}
+
+          if [ ! -e ${secretKey} ]; then
+              head -c 16 /dev/urandom | base64 > ${secretKey}
+          fi
+
+          KEY=$(head -n1 ${secretKey})
+          DBPASS=$(head -n1 ${cfg.database.passwordFile})
+          sed -e "s,#secretkey#,$KEY,g" \
+              -e "s,#dbpass#,$DBPASS,g" \
+              -i ${runConfig}
+          chmod 640 ${runConfig} ${secretKey}
+        ''}
+
+        mkdir -p ${cfg.repositoryRoot}
+        # update all hooks' binary paths
+        HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 4 -type f -wholename "*git/hooks/*")
+        if [ "$HOOKS" ]
+        then
+          sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${pkgs.gitea.bin}/bin/gitea,g' $HOOKS
+          sed -ri 's,/nix/store/[a-z0-9.-]+/bin/env,${pkgs.coreutils}/bin/env,g' $HOOKS
+          sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS
+          sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS
+        fi
+        if [ ! -d ${cfg.stateDir}/conf/locale ]
+        then
+          mkdir -p ${cfg.stateDir}/conf
+          cp -r ${pkgs.gitea.out}/locale ${cfg.stateDir}/conf/locale
+        fi
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        WorkingDirectory = cfg.stateDir;
+        ExecStart = "${pkgs.gitea.bin}/bin/gitea web";
+        Restart = "always";
+      };
+
+      environment = {
+        USER = cfg.user;
+        HOME = cfg.stateDir;
+        GITEA_WORK_DIR = cfg.stateDir;
+      };
+    };
+
+    users = mkIf (cfg.user == "gitea") {
+      extraUsers.gitea = {
+        description = "Gitea Service";
+        home = cfg.stateDir;
+        createHome = true;
+      };
+    };
+
+    warnings = optional (cfg.database.password != "")
+      ''config.services.gitea.database.password will be stored as plaintext
+        in the Nix store. Use database.passwordFile instead.'';
+
+    # Create database passwordFile default when password is configured.
+    services.gitea.database.passwordFile =
+      (mkDefault (toString (pkgs.writeTextFile {
+        name = "gitea-database-password";
+        text = cfg.database.password;
+      })));
+  };
+}