Merge branch 'master' into mptcp-v91.3

2017-05-01 00:43:08 +02:00 · 2017-05-01 00:43:08 +02:00 · 1cce0887ee
commit 1cce0887ee
parent d431ff2776 65220cb2e7
1856 changed files with 61241 additions and 35390 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,8 +1,14 @@
 language: nix
 sudo: true
 # 'sudo: false' == containers that start fast, but only get 4G ram;
 # 'sudo: true'  == VMs that start slow, but with 8G
 # ..as per:  https://docs.travis-ci.com/user/ci-environment/#Virtualization-environments
 # Nixpkgs PR tests OOM with 4G: https://github.com/NixOS/nixpkgs/issues/24200
 matrix:
    include:
        - os: linux
-          sudo: false
+          sudo: required
          script:
              - ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball nixpkgs-unstable
              - ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual
--- a/README.md
+++ b/README.md
@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 ```
 % git remote update channels
-% git rebase channels/nixos-16.09
+% git rebase channels/nixos-17.03
 ```
 For pull-requests, please rebase onto nixpkgs `master`.
@ -32,9 +32,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
+* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
+* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents)
 Communication:
--- a/doc/cross-compilation.xml
+++ b/doc/cross-compilation.xml
@ -37,16 +37,9 @@
    </para>
    <para>
      In Nixpkgs, these three platforms are defined as attribute sets under the names <literal>buildPlatform</literal>, <literal>hostPlatform</literal>, and <literal>targetPlatform</literal>.
      All are guaranteed to contain at least a <varname>platform</varname> field, which contains detailed information on the platform.
      All three are always defined at the top level, so one can get at them just like a dependency in a function that is imported with <literal>callPackage</literal>:
      <programlisting>{ stdenv, buildPlatform, hostPlatform, fooDep, barDep, .. }: ...</programlisting>
    </para>
    <warning><para>
      These platforms should all have the same structure in all scenarios, but that is currently not the case.
      When not cross-compiling, they will each contain a <literal>system</literal> field with a short 2-part, hyphen-separated summering string name for the platform.
      But, when when cross compiling, <literal>hostPlatform</literal> and <literal>targetPlatform</literal> may instead contain <literal>config</literal> with a fuller 3- or 4-part string in the manner of LLVM.
      We should have all 3 platforms always contain both, and maybe give <literal>config</literal> a better name while we are at it.
    </para></warning>
    <variablelist>
      <varlistentry>
        <term><varname>buildPlatform</varname></term>
@ -83,7 +76,7 @@
            Nixpkgs tries to avoid this where possible too, but still, because the concept of a target platform is so ingrained now in Autoconf and other tools, it is best to support it as is.
            Tools like LLVM that don't need up-front target platforms can safely ignore it like normal packages, and it will do no harm.
          </para>
-          </listitem>
+        </listitem>
      </varlistentry>
    </variablelist>
    <note><para>
@ -91,6 +84,56 @@
      This field defined as <varname>hostPlatform</varname> when the host and build platforms differ, but otherwise not defined at all.
      This field is obsolete and will soon disappear—please do not use it.
    </para></note>
    <para>
      The exact scheme these fields is a bit ill-defined due to a long and convoluted evolution, but this is slowly being cleaned up.
      For now, here are few fields can count on them containing:
    </para>
    <variablelist>
      <varlistentry>
        <term><varname>system</varname></term>
        <listitem>
          <para>
            This is a two-component shorthand for the platform.
            Examples of this would be "x86_64-darwin" and "i686-linux"; see <literal>lib.systems.doubles</literal> for more.
            This format isn't very standard, but has built-in support in Nix, such as the <varname>builtins.currentSystem</varname> impure string.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>config</varname></term>
        <listitem>
          <para>
            This is a 3- or 4- component shorthand for the platform.
            Examples of this would be "x86_64-unknown-linux-gnu" and "aarch64-apple-darwin14".
            This is a standard format called the "LLVM target triple", as they are pioneered by LLVM and traditionally just used for the <varname>targetPlatform</varname>.
            This format is strictly more informative than the "Nix host double", as the previous format could analogously be termed.
            This needs a better name than <varname>config</varname>!
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>parsed</varname></term>
        <listitem>
          <para>
            This is a nix representation of a parsed LLVM target triple with white-listed components.
            This can be specified directly, or actually parsed from the <varname>config</varname>.
            [Technically, only one need be specified and the others can be inferred, though the precision of inference may not be very good.]
            See <literal>lib.systems.parse</literal> for the exact representation, along with some <literal>is*</literal>predicates.
            These predicates are superior to the ones in <varname>stdenv</varname> as they aren't tied to the build platform (host, as previously discussed, would be a saner default).
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>platform</varname></term>
        <listitem>
          <para>
            This is, quite frankly, a dumping ground of ad-hoc settings (it's an attribute set).
            See <literal>lib.systems.platforms</literal> for examples—there's hopefully one in there that will work verbatim for each platform one is working.
            Please help us triage these flags and give them better homes!
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>
  <section>
@ -124,6 +167,11 @@
      Because of this, a best-of-both-worlds solution is in the works with no splicing or explicit access of <varname>buildPackages</varname> needed.
      For now, feel free to use either method.
    </para>
    <note><para>
      There is also a "backlink" <varname>__targetPackages</varname>, yielding a package set whose <varname>buildPackages</varname> is the current package set.
      This is a hack, though, to accommodate compilers with lousy build systems.
      Please do not use this unless you are absolutely sure you are packaging such a compiler and there is no other way.
    </para></note>
  </section>
 </section>
--- a/doc/functions.xml
+++ b/doc/functions.xml
@ -529,7 +529,7 @@
  <note>
  <para>
  If you see errors similar to <literal>getProtocolByName: does not exist (no such protocol name: tcp)</literal>
-  you may need to add <literal>pkgs.iana_etc</literal> to <varname>contents</varname>.
+  you may need to add <literal>pkgs.iana-etc</literal> to <varname>contents</varname>.
  </para>
  </note>
--- a/doc/languages-frameworks/python.md
+++ b/doc/languages-frameworks/python.md
@ -628,6 +628,9 @@ with import <nixpkgs> {};
 In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
 such as `ignoreCollisions = true` or `postBuild`. If you need them, you have to use `python.buildEnv`.
 Python 2 namespace packages may provide `__init__.py` that collide. In that case `python.buildEnv` 
 should be used with `ignoreCollisions = true`.
 ### Development mode
 Development or editable mode is supported. To develop Python packages
--- a/doc/languages-frameworks/ruby.xml
+++ b/doc/languages-frameworks/ruby.xml
@ -16,8 +16,7 @@ $ cd sensu
 $ cat > Gemfile
 source 'https://rubygems.org'
 gem 'sensu'
-$ nix-shell -p bundler --command "bundler package --path /tmp/vendor/bundle"
+$ $(nix-build '<nixpkgs>' -A bundix)/bin/bundix --magic
 $ $(nix-build '<nixpkgs>' -A bundix)/bin/bundix
 $ cat > default.nix
 { lib, bundlerEnv, ruby }:
--- a/doc/languages-frameworks/rust.md
+++ b/doc/languages-frameworks/rust.md
@ -17,8 +17,8 @@ into the `environment.systemPackages` or bring them into scope with
 `nix-shell -p rustStable.rustc -p rustStable.cargo`.
 There are also `rustBeta` and `rustNightly` package sets available.
-These are not updated very regulary. For daily builds see
+These are not updated very regulary. For daily builds use either rustup from
-[Using the Rust nightlies overlay](#using-the-rust-nightlies-overlay)
+nixpkgs or use the [Rust nightlies overlay](#using-the-rust-nightlies-overlay).
 ## Packaging Rust applications
--- a/doc/multiple-output.xml
+++ b/doc/multiple-output.xml
@ -16,7 +16,6 @@
 <section><title>Installing a split package</title>
  <para>When installing a package via <varname>systemPackages</varname> or <command>nix-env</command> you have several options:</para>
  <warning><para>Currently <command>nix-env</command> almost always installs all outputs until https://github.com/NixOS/nix/pull/815 gets merged.</para></warning>
  <itemizedlist>
    <listitem><para>You can install particular outputs explicitly, as each is available in the Nix language as an attribute of the package.  The <varname>outputs</varname> attribute contains a list of output names.</para></listitem>
    <listitem><para>You can let it use the default outputs.  These are handled by <varname>meta.outputsToInstall</varname> attribute that contains a list of output names.</para>
--- a/doc/overlays.xml
+++ b/doc/overlays.xml
@ -34,7 +34,7 @@ first one present is considered, and all the rest are ignored:
  <listitem>
-    <para>In the directory <filename>~/.nixpkgs/overlays/</filename>.</para>
+    <para>In the directory <filename>~/.config/nixpkgs/overlays/</filename>.</para>
  </listitem>
 </orderedlist>
@ -50,7 +50,7 @@ the same recipe. In the case where overlays are loaded from a directory, they ar
 alphabetical order.</para>
 <para>To install an overlay using the last option, you can clone the overlay's repository and add
-a symbolic link to it in <filename>~/.nixpkgs/overlays/</filename> directory.</para>
+a symbolic link to it in <filename>~/.config/nixpkgs/overlays/</filename> directory.</para>
 </section>
--- a/lib/attrsets.nix
+++ b/lib/attrsets.nix
@ -1,12 +1,12 @@
 # Operations on attribute sets.
-with {
+let
  inherit (builtins) head tail length;
-  inherit (import ./trivial.nix) or;
+  inherit (import ./trivial.nix) and or;
  inherit (import ./default.nix) fold;
  inherit (import ./strings.nix) concatStringsSep;
  inherit (import ./lists.nix) concatMap concatLists all deepSeqList;
-};
+in
 rec {
  inherit (builtins) attrNames listToAttrs hasAttr isAttrs getAttr;
@ -116,7 +116,7 @@ rec {
    listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
-  /* Filter an attribute set recursivelly by removing all attributes for
+  /* Filter an attribute set recursively by removing all attributes for
     which the given predicate return false.
     Example:
@ -334,7 +334,7 @@ rec {
      value = f name (catAttrs name sets);
    }) names);
-  /* Implentation note: Common names  appear multiple times in the list of
+  /* Implementation note: Common names  appear multiple times in the list of
     names, hopefully this does not affect the system because the maximal
     laziness avoid computing twice the same expression and listToAttrs does
     not care about duplicated attribute names.
@ -353,7 +353,7 @@ rec {
  zipAttrs = zipAttrsWith (name: values: values);
  /* Does the same as the update operator '//' except that attributes are
-     merged until the given pedicate is verified.  The predicate should
+     merged until the given predicate is verified.  The predicate should
     accept 3 arguments which are the path to reach the attribute, a part of
     the first attribute set and a part of the second attribute set.  When
     the predicate is verified, the value of the first attribute set is
@ -417,18 +417,15 @@ rec {
  /* Returns true if the pattern is contained in the set. False otherwise.
     FIXME(zimbatm): this example doesn't work !!!
     Example:
-       sys = mkSystem { }
+       matchAttrs { cpu = {}; } { cpu = { bits = 64; }; }
       matchAttrs { cpu = { bits = 64; }; } sys
       => true
   */
-  matchAttrs = pattern: attrs:
+  matchAttrs = pattern: attrs: assert isAttrs pattern;
-    fold or false (attrValues (zipAttrsWithNames (attrNames pattern) (n: values:
+    fold and true (attrValues (zipAttrsWithNames (attrNames pattern) (n: values:
      let pat = head values; val = head (tail values); in
      if length values == 1 then false
-      else if isAttrs pat then isAttrs val && matchAttrs head values
+      else if isAttrs pat then isAttrs val && matchAttrs pat val
      else pat == val
    ) [pattern attrs]));
--- a/lib/composable-derivation.nix
+++ b/lib/composable-derivation.nix
@ -39,7 +39,7 @@ let inherit (lib) nv nvs; in
  #
  # issues:
  # * its complicated to understand
-  # * some "features" such as exact merge behaviour are burried in mergeAttrBy
+  # * some "features" such as exact merge behaviour are buried in mergeAttrBy
  #   and defaultOverridableDelayableArgs assuming the default behaviour does
  #   the right thing in the common case
  # * Eelco once said using such fix style functions are slow to evaluate
@ -48,7 +48,7 @@ let inherit (lib) nv nvs; in
  #   / add patches the way you want without having to declare function arguments
  #
  # nice features:
-  # declaring "optional featuers" is modular. For instance:
+  # declaring "optional features" is modular. For instance:
  #   flags.curl = {
  #     configureFlags = ["--with-curl=${curl.dev}" "--with-curlwrappers"];
  #     buildInputs = [curl openssl];
--- a/lib/customisation.nix
+++ b/lib/customisation.nix
@ -10,7 +10,7 @@ rec {
  /* `overrideDerivation drv f' takes a derivation (i.e., the result
     of a call to the builtin function `derivation') and returns a new
-     derivation in which the attributes of the original are overriden
+     derivation in which the attributes of the original are overridden
     according to the function `f'.  The function `f' is called with
     the original derivation attributes.
@ -167,7 +167,7 @@ rec {
  /* Make a set of packages with a common scope. All packages called
     with the provided `callPackage' will be evaluated with the same
     arguments. Any package in the set may depend on any other. The
-     `override' function allows subsequent modification of the package
+     `overrideScope' function allows subsequent modification of the package
     set in a consistent way, i.e. all packages in the set will be
     called with the overridden packages. The package sets may be
     hierarchical: the packages in the set are called with the scope
@ -177,7 +177,7 @@ rec {
    let self = f self // {
          newScope = scope: newScope (self // scope);
          callPackage = self.newScope {};
-          override = g:
+          overrideScope = g:
            makeScope newScope
            (self_: let super = f self_; in super // g super self_);
          packages = f;
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,3 +1,8 @@
 /* Library of low-level helper functions for nix expressions.
 *
 * Please implement (mostly) exhaustive unit tests
 * for new functions in `./tests.nix'.
 */
 let
  # trivial, often used functions
@ -22,8 +27,7 @@ let
  # constants
  licenses = import ./licenses.nix;
-  platforms = import ./platforms.nix;
+  systems = import ./systems;
  systems = import ./systems.nix;
  # misc
  debug = import ./debug.nix;
@ -42,13 +46,15 @@ in
            attrsets lists strings stringsWithDeps
            customisation maintainers meta sources
            modules options types
-            licenses platforms systems
+            licenses systems
            debug generators misc
            sandbox fetchers filesystem;
    # back-compat aliases
    platforms = systems.doubles;
  }
  # !!! don't include everything at top-level; perhaps only the most
  # commonly used functions.
  // trivial // lists // strings // stringsWithDeps // attrsets // sources
  // options // types // meta // debug // misc // modules
  // systems
  // customisation
--- a/lib/deprecated.nix
+++ b/lib/deprecated.nix
@ -253,11 +253,11 @@ rec {
  # eg { a = 7; } {  a = [ 2 3 ]; } becomes { a = [ 7 2 3 ]; }
  mergeAttrsConcatenateValues = mergeAttrsWithFunc ( a: b: (toList a) ++ (toList b) );
-  # merges attributes using //, if a name exisits in both attributes
+  # merges attributes using //, if a name exists in both attributes
  # an error will be triggered unless its listed in mergeLists
  # so you can mergeAttrsNoOverride { buildInputs = [a]; } { buildInputs = [a]; } {} to get
  # { buildInputs = [a b]; }
-  # merging buildPhase does'nt really make sense. The cases will be rare where appending /prefixing will fit your needs?
+  # merging buildPhase doesn't really make sense. The cases will be rare where appending /prefixing will fit your needs?
  # in these cases the first buildPhase will override the second one
  # ! deprecated, use mergeAttrByFunc instead
  mergeAttrsNoOverride = { mergeLists ? ["buildInputs" "propagatedBuildInputs"],
--- a/lib/fetchers.nix
+++ b/lib/fetchers.nix
@ -1,4 +1,4 @@
-# snippets that can be shared by mutliple fetchers (pkgs/build-support)
+# snippets that can be shared by multiple fetchers (pkgs/build-support)
 {
  proxyImpureEnvVars = [
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -357,6 +357,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
    fullName = "Lucent Public License v1.02";
  };
  miros = {
    fullname = "MirOS License";
    url = https://opensource.org/licenses/MirOS;
  };
  # spdx.org does not (yet) differentiate between the X11 and Expat versions
  # for details see http://en.wikipedia.org/wiki/MIT_License#Various_versions
  mit = spdx {
@ -526,6 +531,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
    fullName = "Do What The F*ck You Want To Public License";
  };
  wxWindows = spdx {
    spdxId = "WXwindows";
    fullName = "wxWindows Library Licence, Version 3.1";
  };
  zlib = spdx {
    spdxId = "Zlib";
    fullName = "zlib License";
--- a/lib/lists.nix
+++ b/lib/lists.nix
@ -191,7 +191,7 @@ rec {
  */
  optional = cond: elem: if cond then [elem] else [];
-  /* Return a list or an empty list, dependening on a boolean value.
+  /* Return a list or an empty list, depending on a boolean value.
     Example:
       optionals true [ 2 3 ]
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -25,6 +25,7 @@
  aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
  afranchuk = "Alex Franchuk <alex.franchuk@gmail.com>";
  aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
  ahmedtd = "Taahir Ahmed <ahmed.taahir@gmail.com>";
  ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
  akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
  akc = "Anders Claesson <akc@akc.is>";
@ -59,6 +60,7 @@
  bachp = "Pascal Bach <pascal.bach@nextrem.ch>";
  badi = "Badi' Abdul-Wahid <abdulwahidc@gmail.com>";
  balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
  basvandijk = "Bas van Dijk <v.dijk.bas@gmail.com>";
  Baughn = "Svein Ove Aas <sveina@gmail.com>";
  bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
  bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
@ -104,6 +106,7 @@
  codsl = "codsl <codsl@riseup.net>";
  codyopel = "Cody Opel <codyopel@gmail.com>";
  colemickens = "Cole Mickens <cole.mickens@gmail.com>";
  colescott = "Cole Scott <colescottsf@gmail.com>";
  copumpkin = "Dan Peebles <pumpkingod@gmail.com>";
  corngood = "David McFarland <corngood@gmail.com>";
  coroa = "Jonas Hörsch <jonas@chaoflow.net>";
@ -135,6 +138,7 @@
  dgonyeo = "Derek Gonyeo <derek@gonyeo.com>";
  dipinhora = "Dipin Hora <dipinhora+github@gmail.com>";
  dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
  DmitryTsygankov = "Dmitry Tsygankov <dmitry.tsygankov@gmail.com>";
  dmjio = "David Johnson <djohnson.m@gmail.com>";
  dochang = "Desmond O. Chang <dochang@gmail.com>";
  domenkozar = "Domen Kozar <domen@dev.si>";
@ -142,6 +146,7 @@
  dpaetzel = "David Pätzel <david.a.paetzel@gmail.com>";
  drets = "Dmytro Rets <dmitryrets@gmail.com>";
  drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
  dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>";
  dtzWill = "Will Dietz <nix@wdtz.org>";
  e-user = "Alexander Kahl <nixos@sodosopa.io>";
  ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
@ -157,6 +162,7 @@
  eleanor = "Dejan Lukan <dejan@proteansec.com>";
  elitak = "Eric Litak <elitak@gmail.com>";
  ellis = "Ellis Whitehead <nixos@ellisw.net>";
  eperuffo = "Emanuele Peruffo <info@emanueleperuffo.com>";
  epitrochoid = "Mabry Cervin <mpcervin@uncg.edu>";
  ericbmerritt = "Eric Merritt <eric@afiniate.com>";
  ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
@ -181,6 +187,7 @@
  ftrvxmtrx = "Siarhei Zirukin <ftrvxmtrx@gmail.com>";
  funfunctor = "Edward O'Callaghan <eocallaghan@alterapraxis.com>";
  fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
  fuzzy-id = "Thomas Bach <hacking+nixos@babibo.de>";
  fxfactorial = "Edgar Aroutiounian <edgar.factorial@gmail.com>";
  gal_bolle = "Florent Becker <florent.becker@ens-lyon.org>";
  garbas = "Rok Garbas <rok@garbas.si>";
@ -208,11 +215,13 @@
  heel = "Sergii Paryzhskyi <parizhskiy@gmail.com>";
  henrytill = "Henry Till <henrytill@gmail.com>";
  hinton = "Tom Hinton <t@larkery.com>";
  hodapp = "Chris Hodapp <hodapp87@gmail.com>";
  hrdinka = "Christoph Hrdinka <c.nix@hrdinka.at>";
  iand675 = "Ian Duncan <ian@iankduncan.com>";
  ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
  igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
  ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
  infinisil = "Silvan Mosberger <infinisil@icloud.com";
  ivan-tkatchev = "Ivan Tkatchev <tkatchev@gmail.com>";
  j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
  jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
@ -230,6 +239,7 @@
  jgillich = "Jakob Gillich <jakob@gillich.me>";
  jhhuh = "Ji-Haeng Huh <jhhuh.note@gmail.com>";
  jirkamarsik = "Jirka Marsik <jiri.marsik89@gmail.com>";
  jlesquembre = "José Luis Lafuente <jl@lafuente.me>";
  joachifm = "Joachim Fasting <joachifm@fastmail.fm>";
  joamaki = "Jussi Maki <joamaki@gmail.com>";
  joelmo = "Joel Moberg <joel.moberg@gmail.com>";
@ -239,6 +249,7 @@
  jonafato = "Jon Banafato <jon@jonafato.com>";
  jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
  jpierre03 = "Jean-Pierre PRUNARET <nix@prunetwork.fr>";
  jpotier = "Martin Potier <jpo.contributes.to.nixos@marvid.fr>";
  jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
  juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
  jwiegley = "John Wiegley <johnw@newartisans.com>";
@ -316,6 +327,7 @@
  michalrus = "Michal Rus <m@michalrus.com>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
  mikefaille = "Michaël Faille <michael@faille.io>";
  miltador = "Vasiliy Solovey <miltador@yandex.ua>";
  mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
  mingchuan = "Ming Chuan <ming@culpring.com>";
  mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
@ -377,6 +389,7 @@
  paholg = "Paho Lurie-Gregg <paho@paholg.com>";
  pakhfn = "Fedor Pakhomov <pakhfn@gmail.com>";
  palo = "Ingolf Wanger <palipalo9@googlemail.com>";
  panaeon = "Vitalii Voloshyn <vitalii.voloshyn@gmail.com";
  paperdigits = "Mica Semrick <mica@silentumbrella.com>";
  pashev = "Igor Pashev <pashev.igor@gmail.com>";
  patternspandemic = "Brad Christensen <patternspandemic@live.com>";
@ -398,6 +411,7 @@
  pjones = "Peter Jones <pjones@devalot.com>";
  pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
  plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
  plumps = "Maksim Bronsky <maks.bronsky@web.de";
  pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
  pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
  polyrod = "Maurizio Di Pietro <dc1mdp@gmail.com>";
@ -440,7 +454,7 @@
  romildo = "José Romildo Malaquias <malaquias@gmail.com>";
  rongcuid = "Rongcui Dong <rongcuid@outlook.com>";
  ronny = "Ronny Pfannschmidt <nixos@ronnypfannschmidt.de>";
-  rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
+  rszibele = "Richard Szibele <richard@szibele.com>";
  rtreffer = "Rene Treffer <treffer+nixos@measite.de>";
  rushmorem = "Rushmore Mushambi <rushmore@webenchanter.com>";
  rvl = "Rodney Lorrimar <dev+nix@rodney.id.au>";
@ -450,9 +464,11 @@
  ryantm = "Ryan Mulligan <ryan@ryantm.com>";
  rycee = "Robert Helgesson <robert@rycee.net>";
  ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
  rzetterberg = "Richard Zetterberg <richard.zetterberg@gmail.com>";
  s1lvester = "Markus Silvester <s1lvester@bockhacker.me>";
  samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
  sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
  sargon = "Daniel Ehlers <danielehlers@mindeye.net>";
  schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
  schneefux = "schneefux <schneefux+nixos_pkg@schneefux.xyz>";
  schristo = "Scott Christopher <schristopher@konputa.com>";
@ -460,11 +476,13 @@
  sepi = "Raffael Mancini <raffael@mancini.lu>";
  seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
  shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";
  shawndellysse = "Shawn Dellysse <sdellysse@gmail.com>";
  sheenobu = "Sheena Artrip <sheena.artrip@gmail.com>";
  sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
  shell = "Shell Turner <cam.turn@gmail.com>";
  shlevy = "Shea Levy <shea@shealevy.com>";
  siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
  sigma = "Yann Hodique <yann.hodique@gmail.com>";
  simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
  sjagoe = "Simon Jagoe <simon@simonjagoe.com>";
  sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
@ -485,6 +503,7 @@
  sternenseemann = "Lukas Epple <post@lukasepple.de>";
  stesie = "Stefan Siegl <stesie@brokenpipe.de>";
  steveej = "Stefan Junker <mail@stefanjunker.de>";
  SuprDewd = "Bjarki Ágúst Guðmundsson <suprdewd@gmail.com>";
  swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
  swistak35 = "Rafał Łasocha <me@swistak35.com>";
  szczyp = "Szczyp <qb@szczyp.com>";
@ -493,6 +512,7 @@
  tailhook = "Paul Colomiets <paul@colomiets.name>";
  takikawa = "Asumu Takikawa <asumu@igalia.com>";
  taktoa = "Remy Goldschmidt <taktoa@gmail.com>";
  taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
  tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
  teh = "Tom Hunger <tehunger@gmail.com>";
  telotortium = "Robert Irelan <rirelan@gmail.com>";
@ -515,7 +535,8 @@
  tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
  twey = "James ‘Twey’ Kay <twey@twey.co.uk>";
  uralbash = "Svintsov Dmitry <root@uralbash.ru>";
-  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
+  utdemir = "Utku Demir <me@utdemir.com>";
  #urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
  uwap = "uwap <me@uwap.name>";
  vandenoever = "Jos van den Oever <jos@vandenoever.info>";
  vanzef = "Ivan Solyankin <vanzef@gmail.com>";
--- a/lib/modules.nix
+++ b/lib/modules.nix
@ -423,7 +423,7 @@ rec {
    in concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
  /* Sort a list of properties.  The sort priority of a property is
-     1000 by default, but can be overriden by wrapping the property
+     1000 by default, but can be overridden by wrapping the property
     using mkOrder. */
  sortProperties = defs:
    let
--- a/lib/platforms.nix
+++ b/lib/platforms.nix
@ -1,24 +0,0 @@
 let lists = import ./lists.nix; in
 rec {
  all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd ++ netbsd ++ illumos;
  allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
  none = [];
  arm = ["armv5tel-linux" "armv6l-linux" "armv7l-linux" ];
  i686 = ["i686-linux" "i686-freebsd" "i686-netbsd" "i686-cygwin"];
  mips = [ "mips64el-linux" ];
  x86_64 = ["x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin"];
  cygwin = ["i686-cygwin" "x86_64-cygwin"];
  darwin = ["x86_64-darwin"];
  freebsd = ["i686-freebsd" "x86_64-freebsd"];
  gnu = linux; /* ++ hurd ++ kfreebsd ++ ... */
  illumos = ["x86_64-solaris"];
  linux = ["i686-linux" "x86_64-linux" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "aarch64-linux" "mips64el-linux"];
  netbsd = ["i686-netbsd" "x86_64-netbsd"];
  openbsd = ["i686-openbsd" "x86_64-openbsd"];
  unix = linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos;
  mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "aarch64-linux"];
 }
--- a/lib/strings.nix
+++ b/lib/strings.nix
@ -126,8 +126,8 @@ rec {
  */
  makePerlPath = makeSearchPathOutput "lib" "lib/perl5/site_perl";
-  /* Dependening on the boolean `cond', return either the given string
+  /* Depending on the boolean `cond', return either the given string
-     or the empty string. Useful to contatenate against a bigger string.
+     or the empty string. Useful to concatenate against a bigger string.
     Example:
       optionalString true "some-string"
--- a/lib/systems.nix
+++ b/lib/systems.nix
@ -1,126 +0,0 @@
 # Define the list of system with their properties.  Only systems tested for
 # Nixpkgs are listed below
 with import ./lists.nix;
 with import ./types.nix;
 with import ./attrsets.nix;
 let
  lib = import ./default.nix;
  setTypes = type:
    mapAttrs (name: value:
      setType type ({inherit name;} // value)
    );
 in
 rec {
  isSignificantByte = isType "significant-byte";
  significantBytes = setTypes "significant-byte" {
    bigEndian = {};
    littleEndian = {};
  };
  isCpuType = x: isType "cpu-type" x
    && elem x.bits [8 16 32 64 128]
    && (8 < x.bits -> isSignificantByte x.significantByte);
  cpuTypes = with significantBytes;
    setTypes "cpu-type" {
      arm =      { bits = 32; significantByte = littleEndian; };
      armv5tel = { bits = 32; significantByte = littleEndian; };
      armv7l   = { bits = 32; significantByte = littleEndian; };
      i686 =     { bits = 32; significantByte = littleEndian; };
      powerpc =  { bits = 32; significantByte = bigEndian; };
      x86_64 =   { bits = 64; significantByte = littleEndian; };
    };
  isExecFormat = isType "exec-format";
  execFormats = setTypes "exec-format" {
    aout = {}; # a.out
    elf = {};
    macho = {};
    pe = {};
    unknow = {};
  };
  isKernel = isType "kernel";
  kernels = with execFormats;
    setTypes "kernel" {
      cygwin =  { execFormat = pe; };
      darwin =  { execFormat = macho; };
      freebsd = { execFormat = elf; };
      linux =   { execFormat = elf; };
      netbsd =  { execFormat = elf; };
      none =    { execFormat = unknow; };
      openbsd = { execFormat = elf; };
      win32 =   { execFormat = pe; };
    };
  isArchitecture = isType "architecture";
  architectures = setTypes "architecture" {
    apple = {};
    pc = {};
    unknow = {};
  };
  isSystem = x: isType "system" x
    && isCpuType x.cpu
    && isArchitecture x.arch
    && isKernel x.kernel;
  mkSystem = {
    cpu ? cpuTypes.i686,
    arch ? architectures.pc,
    kernel ? kernels.linux,
    name ? "${cpu.name}-${arch.name}-${kernel.name}"
  }: setType "system" {
    inherit name cpu arch kernel;
  };
  is64Bit = matchAttrs { cpu = { bits = 64; }; };
  isDarwin = matchAttrs { kernel = kernels.darwin; };
  isi686 = matchAttrs { cpu = cpuTypes.i686; };
  isLinux = matchAttrs { kernel = kernels.linux; };
  # This should revert the job done by config.guess from the gcc compiler.
  mkSystemFromString = s: let
    l = lib.splitString "-" s;
    getCpu = name:
      attrByPath [name] (throw "Unknow cpuType `${name}'.")
        cpuTypes;
    getArch = name:
      attrByPath [name] (throw "Unknow architecture `${name}'.")
        architectures;
    getKernel = name:
      attrByPath [name] (throw "Unknow kernel `${name}'.")
        kernels;
    system =
      if builtins.length l == 2 then
        mkSystem rec {
          name = s;
          cpu = getCpu (head l);
          arch =
            if isDarwin system
            then architectures.apple
            else architectures.pc;
          kernel = getKernel (head (tail l));
        }
      else
        mkSystem {
          name = s;
          cpu = getCpu (head l);
          arch = getArch (head (tail l));
          kernel = getKernel (head (tail (tail l)));
        };
  in assert isSystem system; system;
 }
--- a/lib/systems/default.nix
+++ b/lib/systems/default.nix
@ -0,0 +1,23 @@
 rec {
  doubles = import ./doubles.nix;
  parse = import ./parse.nix;
  platforms = import ./platforms.nix;
  # Elaborate a `localSystem` or `crossSystem` so that it contains everything
  # necessary.
  #
  # `parsed` is inferred from args, both because there are two options with one
  # clearly prefered, and to prevent cycles. A simpler fixed point where the RHS
  # always just used `final.*` would fail on both counts.
  elaborate = args: let
    final = {
      # Prefer to parse `config` as it is strictly more informative.
      parsed = parse.mkSystemFromString (if args ? config then args.config else args.system);
      # Either of these can be losslessly-extracted from `parsed` iff parsing succeeds.
      system = parse.doubleFromSystem final.parsed;
      config = parse.tripleFromSystem final.parsed;
      # Just a guess, based on `system`
      platform = platforms.selectBySystem final.system;
    } // args;
  in final;
 }
--- a/lib/systems/doubles.nix
+++ b/lib/systems/doubles.nix
@ -0,0 +1,44 @@
 let lists = import ../lists.nix; in
 let parse = import ./parse.nix; in
 let inherit (import ../attrsets.nix) matchAttrs; in
 let
  all = [
    "aarch64-linux"
    "armv5tel-linux" "armv6l-linux" "armv7l-linux"
    "mips64el-linux"
    "i686-cygwin" "i686-freebsd" "i686-linux" "i686-netbsd" "i686-openbsd"
    "x86_64-cygwin" "x86_64-darwin" "x86_64-freebsd" "x86_64-linux"
    "x86_64-netbsd" "x86_64-openbsd" "x86_64-solaris"
  ];
  allParsed = map parse.mkSystemFromString all;
  filterDoubles = f: map parse.doubleFromSystem (lists.filter f allParsed);
 in rec {
  inherit all;
  allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
  none = [];
  arm = filterDoubles (matchAttrs { cpu = { family = "arm"; bits = 32; }; });
  i686 = filterDoubles parse.isi686;
  mips = filterDoubles (matchAttrs { cpu = { family = "mips"; }; });
  x86_64 = filterDoubles parse.isx86_64;
  cygwin = filterDoubles parse.isCygwin;
  darwin = filterDoubles parse.isDarwin;
  freebsd = filterDoubles (matchAttrs { kernel = parse.kernels.freebsd; });
  gnu = filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnu; }); # Should be better
  illumos = filterDoubles (matchAttrs { kernel = parse.kernels.solaris; });
  linux = filterDoubles parse.isLinux;
  netbsd = filterDoubles (matchAttrs { kernel = parse.kernels.netbsd; });
  openbsd = filterDoubles (matchAttrs { kernel = parse.kernels.openbsd; });
  unix = filterDoubles parse.isUnix;
  mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "aarch64-linux"];
 }
--- a/lib/systems/parse.nix
+++ b/lib/systems/parse.nix
@ -0,0 +1,181 @@
 # Define the list of system with their properties.
 #
 # See https://clang.llvm.org/docs/CrossCompilation.html and
 # http://llvm.org/docs/doxygen/html/Triple_8cpp_source.html especially
 # Triple::normalize. Parsing should essentially act as a more conservative
 # version of that last function.
 with import ../lists.nix;
 with import ../types.nix;
 with import ../attrsets.nix;
 let
  lib = import ../default.nix;
  setTypesAssert = type: pred:
    mapAttrs (name: value:
      assert pred value;
      setType type ({ inherit name; } // value));
  setTypes = type: setTypesAssert type (_: true);
 in
 rec {
  isSignificantByte = isType "significant-byte";
  significantBytes = setTypes "significant-byte" {
    bigEndian = {};
    littleEndian = {};
  };
  isCpuType = isType "cpu-type";
  cpuTypes = with significantBytes; setTypesAssert "cpu-type"
    (x: elem x.bits [8 16 32 64 128]
        && (if 8 < x.bits
            then isSignificantByte x.significantByte
            else !(x ? significantByte)))
  {
    arm      = { bits = 32; significantByte = littleEndian; family = "arm"; };
    armv5tel = { bits = 32; significantByte = littleEndian; family = "arm"; };
    armv6l   = { bits = 32; significantByte = littleEndian; family = "arm"; };
    armv7a   = { bits = 32; significantByte = littleEndian; family = "arm"; };
    armv7l   = { bits = 32; significantByte = littleEndian; family = "arm"; };
    aarch64  = { bits = 64; significantByte = littleEndian; family = "arm"; };
    i686     = { bits = 32; significantByte = littleEndian; family = "x86"; };
    x86_64   = { bits = 64; significantByte = littleEndian; family = "x86"; };
    mips64el = { bits = 32; significantByte = littleEndian; family = "mips"; };
    powerpc  = { bits = 32; significantByte = bigEndian;    family = "powerpc"; };
  };
  isVendor = isType "vendor";
  vendors = setTypes "vendor" {
    apple = {};
    pc = {};
    unknown = {};
  };
  isExecFormat = isType "exec-format";
  execFormats = setTypes "exec-format" {
    aout = {}; # a.out
    elf = {};
    macho = {};
    pe = {};
    unknown = {};
  };
  isKernelFamily = isType "kernel-family";
  kernelFamilies = setTypes "kernel-family" {
    bsd = {};
    unix = {};
  };
  isKernel = x: isType "kernel" x;
  kernels = with execFormats; with kernelFamilies; setTypesAssert "kernel"
    (x: isExecFormat x.execFormat && all isKernelFamily (attrValues x.families))
  {
    darwin  = { execFormat = macho;   families = { inherit unix; }; };
    freebsd = { execFormat = elf;     families = { inherit unix bsd; }; };
    linux   = { execFormat = elf;     families = { inherit unix; }; };
    netbsd  = { execFormat = elf;     families = { inherit unix bsd; }; };
    none    = { execFormat = unknown; families = { inherit unix; }; };
    openbsd = { execFormat = elf;     families = { inherit unix bsd; }; };
    solaris = { execFormat = elf;     families = { inherit unix; }; };
    windows = { execFormat = pe;      families = { }; };
  } // { # aliases
    win32 = kernels.windows;
  };
  isAbi = isType "abi";
  abis = setTypes "abi" {
    cygnus = {};
    gnu = {};
    msvc = {};
    eabi = {};
    androideabi = {};
    gnueabi = {};
    gnueabihf = {};
    unknown = {};
  };
  isSystem = isType "system";
  mkSystem = { cpu, vendor, kernel, abi }:
    assert isCpuType cpu && isVendor vendor && isKernel kernel && isAbi abi;
    setType "system" {
      inherit cpu vendor kernel abi;
    };
  is64Bit = matchAttrs { cpu = { bits = 64; }; };
  is32Bit = matchAttrs { cpu = { bits = 32; }; };
  isi686 = matchAttrs { cpu = cpuTypes.i686; };
  isx86_64 = matchAttrs { cpu = cpuTypes.x86_64; };
  isDarwin = matchAttrs { kernel = kernels.darwin; };
  isLinux = matchAttrs { kernel = kernels.linux; };
  isUnix = matchAttrs { kernel = { families = { inherit (kernelFamilies) unix; }; }; };
  isWindows = matchAttrs { kernel = kernels.windows; };
  isCygwin = matchAttrs { kernel = kernels.windows; abi = abis.cygnus; };
  isMinGW = matchAttrs { kernel = kernels.windows; abi = abis.gnu; };
  mkSkeletonFromList = l: {
    "2" = # We only do 2-part hacks for things Nix already supports
      if elemAt l 1 == "cygwin"
        then { cpu = elemAt l 0;                      kernel = "windows"; abi = "cygnus";    }
      else   { cpu = elemAt l 0;                      kernel = elemAt l 1;                   };
    "3" = # Awkwards hacks, beware!
      if elemAt l 1 == "apple"
        then { cpu = elemAt l 0; vendor = "apple";    kernel = elemAt l 2;                   }
      else if (elemAt l 1 == "linux") || (elemAt l 2 == "gnu")
        then { cpu = elemAt l 0;                      kernel = elemAt l 1; abi = elemAt l 2; }
      else if (elemAt l 2 == "mingw32") # autotools breaks on -gnu for window
        then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = "windows";  abi = "gnu"; }
      else throw "Target specification with 3 components is ambiguous";
    "4" =    { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; abi = elemAt l 3; };
  }.${toString (length l)}
    or (throw "system string has invalid number of hyphen-separated components");
  # This should revert the job done by config.guess from the gcc compiler.
  mkSystemFromSkeleton = { cpu
                         , # Optional, but fallback too complex for here.
                           # Inferred below instead.
                           vendor ? assert false; null
                         , kernel
                         , # Also inferred below
                           abi    ? assert false; null
                         } @ args: let
    getCpu    = name: cpuTypes.${name} or (throw "Unknown CPU type: ${name}");
    getVendor = name:  vendors.${name} or (throw "Unknown vendor: ${name}");
    getKernel = name:  kernels.${name} or (throw "Unknown kernel: ${name}");
    getAbi    = name:     abis.${name} or (throw "Unknown ABI: ${name}");
    system = rec {
      cpu = getCpu args.cpu;
      vendor =
        /**/ if args ? vendor    then getVendor args.vendor
        else if isDarwin  system then vendors.apple
        else if isWindows system then vendors.pc
        else                     vendors.unknown;
      kernel = getKernel args.kernel;
      abi =
        /**/ if args ? abi       then getAbi args.abi
        else if isLinux   system then abis.gnu
        else if isWindows system then abis.gnu
        else                     abis.unknown;
    };
  in mkSystem system;
  mkSystemFromString = s: mkSystemFromSkeleton (mkSkeletonFromList (lib.splitString "-" s));
  doubleFromSystem = { cpu, vendor, kernel, abi, ... }:
    if vendor == kernels.windows && abi == abis.cygnus
    then "${cpu.name}-cygwin"
    else "${cpu.name}-${kernel.name}";
  tripleFromSystem = { cpu, vendor, kernel, abi, ... } @ sys: assert isSystem sys; let
    optAbi = lib.optionalString (abi != abis.unknown) "-${abi.name}";
  in "${cpu.name}-${vendor.name}-${kernel.name}${optAbi}";
 }
--- a/lib/systems/platforms.nix
+++ b/lib/systems/platforms.nix
@ -0,0 +1,486 @@
 rec {
  pcBase = {
    name = "pc";
    uboot = null;
    kernelHeadersBaseConfig = "defconfig";
    kernelBaseConfig = "defconfig";
    # Build whatever possible as a module, if not stated in the extra config.
    kernelAutoModules = true;
    kernelTarget = "bzImage";
  };
  pc64 = pcBase // { kernelArch = "x86_64"; };
  pc32 = pcBase // { kernelArch = "i386"; };
  pc32_simplekernel = pc32 // {
    kernelAutoModules = false;
  };
  pc64_simplekernel = pc64 // {
    kernelAutoModules = false;
  };
  sheevaplug = {
    name = "sheevaplug";
    kernelMajor = "2.6";
    kernelHeadersBaseConfig = "multi_v5_defconfig";
    kernelBaseConfig = "multi_v5_defconfig";
    kernelArch = "arm";
    kernelAutoModules = false;
    kernelExtraConfig = ''
      BLK_DEV_RAM y
      BLK_DEV_INITRD y
      BLK_DEV_CRYPTOLOOP m
      BLK_DEV_DM m
      DM_CRYPT m
      MD y
      REISERFS_FS m
      BTRFS_FS m
      XFS_FS m
      JFS_FS m
      EXT4_FS m
      USB_STORAGE_CYPRESS_ATACB m
      # mv cesa requires this sw fallback, for mv-sha1
      CRYPTO_SHA1 y
      # Fast crypto
      CRYPTO_TWOFISH y
      CRYPTO_TWOFISH_COMMON y
      CRYPTO_BLOWFISH y
      CRYPTO_BLOWFISH_COMMON y
      IP_PNP y
      IP_PNP_DHCP y
      NFS_FS y
      ROOT_NFS y
      TUN m
      NFS_V4 y
      NFS_V4_1 y
      NFS_FSCACHE y
      NFSD m
      NFSD_V2_ACL y
      NFSD_V3 y
      NFSD_V3_ACL y
      NFSD_V4 y
      NETFILTER y
      IP_NF_IPTABLES y
      IP_NF_FILTER y
      IP_NF_MATCH_ADDRTYPE y
      IP_NF_TARGET_LOG y
      IP_NF_MANGLE y
      IPV6 m
      VLAN_8021Q m
      CIFS y
      CIFS_XATTR y
      CIFS_POSIX y
      CIFS_FSCACHE y
      CIFS_ACL y
      WATCHDOG y
      WATCHDOG_CORE y
      ORION_WATCHDOG m
      ZRAM m
      NETCONSOLE m
      # Disable OABI to have seccomp_filter (required for systemd)
      # https://github.com/raspberrypi/firmware/issues/651
      OABI_COMPAT n
      # Fail to build
      DRM n
      SCSI_ADVANSYS n
      USB_ISP1362_HCD n
      SND_SOC n
      SND_ALI5451 n
      FB_SAVAGE n
      SCSI_NSP32 n
      ATA_SFF n
      SUNGEM n
      IRDA n
      ATM_HE n
      SCSI_ACARD n
      BLK_DEV_CMD640_ENHANCED n
      FUSE_FS m
      # systemd uses cgroups
      CGROUPS y
      # Latencytop
      LATENCYTOP y
      # Ubi for the mtd
      MTD_UBI y
      UBIFS_FS y
      UBIFS_FS_XATTR y
      UBIFS_FS_ADVANCED_COMPR y
      UBIFS_FS_LZO y
      UBIFS_FS_ZLIB y
      UBIFS_FS_DEBUG n
      # Kdb, for kernel troubles
      KGDB y
      KGDB_SERIAL_CONSOLE y
      KGDB_KDB y
    '';
    kernelMakeFlags = [ "LOADADDR=0x0200000" ];
    kernelTarget = "uImage";
    uboot = "sheevaplug";
    # Only for uboot = uboot :
    ubootConfig = "sheevaplug_config";
    kernelDTB = true; # Beyond 3.10
    gcc = {
      arch = "armv5te";
      float = "soft";
    };
  };
  raspberrypi = {
    name = "raspberrypi";
    kernelMajor = "2.6";
    kernelHeadersBaseConfig = "bcm2835_defconfig";
    kernelBaseConfig = "bcmrpi_defconfig";
    kernelDTB = true;
    kernelArch = "arm";
    kernelAutoModules = false;
    kernelExtraConfig = ''
      BLK_DEV_RAM y
      BLK_DEV_INITRD y
      BLK_DEV_CRYPTOLOOP m
      BLK_DEV_DM m
      DM_CRYPT m
      MD y
      REISERFS_FS m
      BTRFS_FS y
      XFS_FS m
      JFS_FS y
      EXT4_FS y
      IP_PNP y
      IP_PNP_DHCP y
      NFS_FS y
      ROOT_NFS y
      TUN m
      NFS_V4 y
      NFS_V4_1 y
      NFS_FSCACHE y
      NFSD m
      NFSD_V2_ACL y
      NFSD_V3 y
      NFSD_V3_ACL y
      NFSD_V4 y
      NETFILTER y
      IP_NF_IPTABLES y
      IP_NF_FILTER y
      IP_NF_MATCH_ADDRTYPE y
      IP_NF_TARGET_LOG y
      IP_NF_MANGLE y
      IPV6 m
      VLAN_8021Q m
      CIFS y
      CIFS_XATTR y
      CIFS_POSIX y
      CIFS_FSCACHE y
      CIFS_ACL y
      ZRAM m
      # Disable OABI to have seccomp_filter (required for systemd)
      # https://github.com/raspberrypi/firmware/issues/651
      OABI_COMPAT n
      # Fail to build
      DRM n
      SCSI_ADVANSYS n
      USB_ISP1362_HCD n
      SND_SOC n
      SND_ALI5451 n
      FB_SAVAGE n
      SCSI_NSP32 n
      ATA_SFF n
      SUNGEM n
      IRDA n
      ATM_HE n
      SCSI_ACARD n
      BLK_DEV_CMD640_ENHANCED n
      FUSE_FS m
      # nixos mounts some cgroup
      CGROUPS y
      # Latencytop
      LATENCYTOP y
    '';
    kernelTarget = "zImage";
    uboot = null;
    gcc = {
      arch = "armv6";
      fpu = "vfp";
      float = "hard";
    };
  };
  raspberrypi2 = armv7l-hf-multiplatform // {
    name = "raspberrypi2";
    kernelBaseConfig = "bcm2709_defconfig";
    kernelDTB = true;
    kernelAutoModules = false;
    kernelExtraConfig = ''
      BLK_DEV_RAM y
      BLK_DEV_INITRD y
      BLK_DEV_CRYPTOLOOP m
      BLK_DEV_DM m
      DM_CRYPT m
      MD y
      REISERFS_FS m
      BTRFS_FS y
      XFS_FS m
      JFS_FS y
      EXT4_FS y
      IP_PNP y
      IP_PNP_DHCP y
      NFS_FS y
      ROOT_NFS y
      TUN m
      NFS_V4 y
      NFS_V4_1 y
      NFS_FSCACHE y
      NFSD m
      NFSD_V2_ACL y
      NFSD_V3 y
      NFSD_V3_ACL y
      NFSD_V4 y
      NETFILTER y
      IP_NF_IPTABLES y
      IP_NF_FILTER y
      IP_NF_MATCH_ADDRTYPE y
      IP_NF_TARGET_LOG y
      IP_NF_MANGLE y
      IPV6 m
      VLAN_8021Q m
      CIFS y
      CIFS_XATTR y
      CIFS_POSIX y
      CIFS_FSCACHE y
      CIFS_ACL y
      ZRAM m
      # Disable OABI to have seccomp_filter (required for systemd)
      # https://github.com/raspberrypi/firmware/issues/651
      OABI_COMPAT n
      # Fail to build
      DRM n
      SCSI_ADVANSYS n
      USB_ISP1362_HCD n
      SND_SOC n
      SND_ALI5451 n
      FB_SAVAGE n
      SCSI_NSP32 n
      ATA_SFF n
      SUNGEM n
      IRDA n
      ATM_HE n
      SCSI_ACARD n
      BLK_DEV_CMD640_ENHANCED n
      FUSE_FS m
      # nixos mounts some cgroup
      CGROUPS y
      # Latencytop
      LATENCYTOP y
      # Disable the common config Xen, it doesn't build on ARM
      XEN? n
    '';
    kernelTarget = "zImage";
    uboot = null;
  };
  guruplug = sheevaplug // {
    # Define `CONFIG_MACH_GURUPLUG' (see
    # <http://kerneltrap.org/mailarchive/git-commits-head/2010/5/19/33618>)
    # and other GuruPlug-specific things.  Requires the `guruplug-defconfig'
    # patch.
    kernelBaseConfig = "guruplug_defconfig";
    #kernelHeadersBaseConfig = "guruplug_defconfig";
  };
  fuloong2f_n32 = {
    name = "fuloong2f_n32";
    kernelMajor = "2.6";
    kernelHeadersBaseConfig = "fuloong2e_defconfig";
    kernelBaseConfig = "lemote2f_defconfig";
    kernelArch = "mips";
    kernelAutoModules = false;
    kernelExtraConfig = ''
      MIGRATION n
      COMPACTION n
      # nixos mounts some cgroup
      CGROUPS y
      BLK_DEV_RAM y
      BLK_DEV_INITRD y
      BLK_DEV_CRYPTOLOOP m
      BLK_DEV_DM m
      DM_CRYPT m
      MD y
      REISERFS_FS m
      EXT4_FS m
      USB_STORAGE_CYPRESS_ATACB m
      IP_PNP y
      IP_PNP_DHCP y
      IP_PNP_BOOTP y
      NFS_FS y
      ROOT_NFS y
      TUN m
      NFS_V4 y
      NFS_V4_1 y
      NFS_FSCACHE y
      NFSD m
      NFSD_V2_ACL y
      NFSD_V3 y
      NFSD_V3_ACL y
      NFSD_V4 y
      # Fail to build
      DRM n
      SCSI_ADVANSYS n
      USB_ISP1362_HCD n
      SND_SOC n
      SND_ALI5451 n
      FB_SAVAGE n
      SCSI_NSP32 n
      ATA_SFF n
      SUNGEM n
      IRDA n
      ATM_HE n
      SCSI_ACARD n
      BLK_DEV_CMD640_ENHANCED n
      FUSE_FS m
      # Needed for udev >= 150
      SYSFS_DEPRECATED_V2 n
      VGA_CONSOLE n
      VT_HW_CONSOLE_BINDING y
      SERIAL_8250_CONSOLE y
      FRAMEBUFFER_CONSOLE y
      EXT2_FS y
      EXT3_FS y
      REISERFS_FS y
      MAGIC_SYSRQ y
      # The kernel doesn't boot at all, with FTRACE
      FTRACE n
    '';
    kernelTarget = "vmlinux";
    uboot = null;
    gcc.arch = "loongson2f";
  };
  beaglebone = armv7l-hf-multiplatform // {
    name = "beaglebone";
    kernelBaseConfig = "omap2plus_defconfig";
    kernelAutoModules = false;
    kernelExtraConfig = ""; # TBD kernel config
    kernelTarget = "zImage";
    uboot = null;
  };
  armv7l-hf-multiplatform = {
    name = "armv7l-hf-multiplatform";
    kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
    kernelHeadersBaseConfig = "multi_v7_defconfig";
    kernelBaseConfig = "multi_v7_defconfig";
    kernelArch = "arm";
    kernelDTB = true;
    kernelAutoModules = true;
    kernelPreferBuiltin = true;
    uboot = null;
    kernelTarget = "zImage";
    kernelExtraConfig = ''
      # Fix broken sunxi-sid nvmem driver.
      TI_CPTS y
      # Hangs ODROID-XU4
      ARM_BIG_LITTLE_CPUIDLE n
    '';
    gcc = {
      # Some table about fpu flags:
      # http://community.arm.com/servlet/JiveServlet/showImage/38-1981-3827/blogentry-103749-004812900+1365712953_thumb.png
      # Cortex-A5: -mfpu=neon-fp16
      # Cortex-A7 (rpi2): -mfpu=neon-vfpv4
      # Cortex-A8 (beaglebone): -mfpu=neon
      # Cortex-A9: -mfpu=neon-fp16
      # Cortex-A15: -mfpu=neon-vfpv4
      # More about FPU:
      # https://wiki.debian.org/ArmHardFloatPort/VfpComparison
      # vfpv3-d16 is what Debian uses and seems to be the best compromise: NEON is not supported in e.g. Scaleway or Tegra 2,
      # and the above page suggests NEON is only an improvement with hand-written assembly.
      arch = "armv7-a";
      fpu = "vfpv3-d16";
      float = "hard";
      # For Raspberry Pi the 2 the best would be:
      #   cpu = "cortex-a7";
      #   fpu = "neon-vfpv4";
    };
  };
  aarch64-multiplatform = {
    name = "aarch64-multiplatform";
    kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
    kernelHeadersBaseConfig = "defconfig";
    kernelBaseConfig = "defconfig";
    kernelArch = "arm64";
    kernelDTB = true;
    kernelAutoModules = true;
    kernelPreferBuiltin = true;
    kernelExtraConfig = ''
      # Raspberry Pi 3 stuff. Not needed for kernels >= 4.10.
      ARCH_BCM2835 y
      BCM2835_MBOX y
      BCM2835_WDT y
      RASPBERRYPI_FIRMWARE y
      RASPBERRYPI_POWER y
      SERIAL_8250_BCM2835AUX y
      SERIAL_8250_EXTENDED y
      SERIAL_8250_SHARE_IRQ y
      # Cavium ThunderX stuff.
      PCI_HOST_THUNDER_ECAM y
    '';
    uboot = null;
    kernelTarget = "Image";
    gcc = {
      arch = "armv8-a";
    };
  };
  selectBySystem = system: {
      "i686-linux" = pc32;
      "x86_64-linux" = pc64;
      "armv5tel-linux" = sheevaplug;
      "armv6l-linux" = raspberrypi;
      "armv7l-linux" = armv7l-hf-multiplatform;
      "aarch64-linux" = aarch64-multiplatform;
      "mips64el-linux" = fuloong2f_n32;
    }.${system} or pcBase;
 }
--- a/lib/tests.nix
+++ b/lib/tests.nix
@ -231,7 +231,7 @@ runTests {
    };
    in {
      expr = generators.toJSON {} val;
-      # trival implementation
+      # trivial implementation
      expected = builtins.toJSON val;
  };
@ -243,7 +243,7 @@ runTests {
    };
    in {
      expr = generators.toYAML {} val;
-      # trival implementation
+      # trivial implementation
      expected = builtins.toJSON val;
  };
@ -277,4 +277,14 @@ runTests {
    expected = [ "2001" "db8" "0" "0042" "" "8a2e" "370" "" ];
  };
  testComposeExtensions = {
    expr = let obj = makeExtensible (self: { foo = self.bar; });
               f = self: super: { bar = false; baz = true; };
               g = self: super: { bar = super.baz or false; };
               f_o_g = composeExtensions f g;
               composed = obj.extend f_o_g;
           in composed.foo;
    expected = true;
  };
 }
--- a/lib/tests/release.nix
+++ b/lib/tests/release.nix
@ -1,31 +1,40 @@
-{ nixpkgs }:
+{ nixpkgs ? { outPath = (import ../.).cleanSource ../..; revCount = 1234; shortRev = "abcdef"; }
 , # The platforms for which we build Nixpkgs.
  supportedSystems ? [ builtins.currentSystem ]
 , # Strip most of attributes when evaluating to spare memory usage
  scrubJobs ? true
 }:
-with import ../.. { };
+with import ../../pkgs/top-level/release-lib.nix { inherit supportedSystems scrubJobs; };
 with lib;
-stdenv.mkDerivation {
+{
-  name = "nixpkgs-lib-tests";
+  systems = import ./systems.nix { inherit lib assertTrue; };
  buildInputs = [ nix ];
  NIX_PATH="nixpkgs=${nixpkgs}";
-  buildCommand = ''
+  moduleSystem = pkgs.stdenv.mkDerivation {
-    datadir="${nix}/share"
+    name = "nixpkgs-lib-tests";
-    export TEST_ROOT=$(pwd)/test-tmp
+    buildInputs = [ pkgs.nix ];
-    export NIX_BUILD_HOOK=
+    NIX_PATH="nixpkgs=${nixpkgs}";
    export NIX_CONF_DIR=$TEST_ROOT/etc
    export NIX_DB_DIR=$TEST_ROOT/db
    export NIX_LOCALSTATE_DIR=$TEST_ROOT/var
    export NIX_LOG_DIR=$TEST_ROOT/var/log/nix
    export NIX_MANIFESTS_DIR=$TEST_ROOT/var/nix/manifests
    export NIX_STATE_DIR=$TEST_ROOT/var/nix
    export NIX_STORE_DIR=$TEST_ROOT/store
    export PAGER=cat
    cacheDir=$TEST_ROOT/binary-cache
    nix-store --init
-    cd ${nixpkgs}/lib/tests
+    buildCommand = ''
-    ./modules.sh
+      datadir="${pkgs.nix}/share"
      export TEST_ROOT=$(pwd)/test-tmp
      export NIX_BUILD_HOOK=
      export NIX_CONF_DIR=$TEST_ROOT/etc
      export NIX_DB_DIR=$TEST_ROOT/db
      export NIX_LOCALSTATE_DIR=$TEST_ROOT/var
      export NIX_LOG_DIR=$TEST_ROOT/var/log/nix
      export NIX_MANIFESTS_DIR=$TEST_ROOT/var/nix/manifests
      export NIX_STATE_DIR=$TEST_ROOT/var/nix
      export NIX_STORE_DIR=$TEST_ROOT/store
      export PAGER=cat
      cacheDir=$TEST_ROOT/binary-cache
      nix-store --init
-    touch $out
+      cd ${nixpkgs}/lib/tests
-  '';
+      ./modules.sh
      touch $out
    '';
  };
 }
--- a/lib/tests/systems.nix
+++ b/lib/tests/systems.nix
@ -0,0 +1,31 @@
 # We assert that the new algorithmic way of generating these lists matches the
 # way they were hard-coded before.
 #
 # One might think "if we exhaustively test, what's the point of procedurally
 # calculating the lists anyway?". The answer is one can mindlessly update these
 # tests as new platforms become supported, and then just give the diff a quick
 # sanity check before committing :).
 { lib, assertTrue }:
 with lib.systems.doubles;
 let mseteq = x: y: lib.sort lib.lessThan x == lib.sort lib.lessThan y; in
 {
  all = assertTrue (mseteq all (linux ++ darwin ++ cygwin ++ freebsd ++ openbsd ++ netbsd ++ illumos));
  arm = assertTrue (mseteq arm [ "armv5tel-linux" "armv6l-linux" "armv7l-linux" ]);
  i686 = assertTrue (mseteq i686 [ "i686-linux" "i686-freebsd" "i686-netbsd" "i686-openbsd" "i686-cygwin" ]);
  mips = assertTrue (mseteq mips [ "mips64el-linux" ]);
  x86_64 = assertTrue (mseteq x86_64 [ "x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin" "x86_64-solaris" ]);
  cygwin = assertTrue (mseteq cygwin [ "i686-cygwin" "x86_64-cygwin" ]);
  darwin = assertTrue (mseteq darwin [ "x86_64-darwin" ]);
  freebsd = assertTrue (mseteq freebsd [ "i686-freebsd" "x86_64-freebsd" ]);
  gnu = assertTrue (mseteq gnu (linux /* ++ hurd ++ kfreebsd ++ ... */));
  illumos = assertTrue (mseteq illumos [ "x86_64-solaris" ]);
  linux = assertTrue (mseteq linux [ "i686-linux" "x86_64-linux" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "aarch64-linux" "mips64el-linux" ]);
  netbsd = assertTrue (mseteq netbsd [ "i686-netbsd" "x86_64-netbsd" ]);
  openbsd = assertTrue (mseteq openbsd [ "i686-openbsd" "x86_64-openbsd" ]);
  unix = assertTrue (mseteq unix (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos));
 }
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@ -30,10 +30,15 @@ rec {
  /* boolean “and” */
  and = x: y: x && y;
  /* Convert a boolean to a string.
     Note that toString on a bool returns "1" and "".
  */
  boolToString = b: if b then "true" else "false";
  /* Merge two attribute sets shallowly, right side trumps left
     Example:
-       mergeAttrs { a = 1; b = 2; } // { b = 3; c = 4; }
+       mergeAttrs { a = 1; b = 2; } { b = 3; c = 4; }
       => { a = 1; b = 3; c = 4; }
  */
  mergeAttrs = x: y: x // y;
@ -80,6 +85,15 @@ rec {
  # argument, but it's nice this way if several uses of `extends` are cascaded.
  extends = f: rattrs: self: let super = rattrs self; in super // f self super;
  # Compose two extending functions of the type expected by 'extends'
  # into one where changes made in the first are available in the
  # 'super' of the second
  composeExtensions =
    f: g: self: super:
      let fApplied = f self super;
          super' = super // fApplied;
      in fApplied // g self super';
  # Create an overridable, recursive attribute set. For example:
  #
  #     nix-repl> obj = makeExtensible (self: { })
@ -108,6 +122,9 @@ rec {
  # Flip the order of the arguments of a binary function.
  flip = f: a: b: f b a;
  # Apply function if argument is non-null
  mapNullable = f: a: if isNull a then a else f a;
  # Pull in some builtins not included elsewhere.
  inherit (builtins)
    pathExists readFile isBool isFunction
--- a/lib/types.nix
+++ b/lib/types.nix
@ -6,7 +6,7 @@ with import ./attrsets.nix;
 with import ./options.nix;
 with import ./trivial.nix;
 with import ./strings.nix;
-with {inherit (import ./modules.nix) mergeDefinitions filterOverrides; };
+let inherit (import ./modules.nix) mergeDefinitions filterOverrides; in
 rec {
@ -52,7 +52,7 @@ rec {
    { # Human-readable representation of the type, should be equivalent to
      # the type function name.
      name
-    , # Description of the type, defined recursively by embedding the the wrapped type if any.
+    , # Description of the type, defined recursively by embedding the wrapped type if any.
      description ? null
    , # Function applied to each definition that should return true if
      # its type-correct, false otherwise.
--- a/maintainers/scripts/all-tarballs.nix
+++ b/maintainers/scripts/all-tarballs.nix
@ -14,5 +14,5 @@ removeAttrs (import ../../pkgs/top-level/release.nix
    supportedSystems = [ "x86_64-linux" ];
  })
  [ # Remove jobs whose evaluation depends on a writable Nix store.
-    "tarball" "unstable"
+    "tarball" "unstable" "darwin-tested"
  ]
--- a/maintainers/scripts/hydra-eval-failures.py
+++ b/maintainers/scripts/hydra-eval-failures.py
@ -48,8 +48,8 @@ def get_maintainers(attr_name):
@click.command()
@click.option(
    '--jobset',
-    default="nixos/release-16.09",
+    default="nixos/release-17.03",
-    help='Hydra project like nixos/release-16.09')
+    help='Hydra project like nixos/release-17.03')
 def cli(jobset):
    """
    Given a Hydra project, inspect latest evaluation
--- a/nixos/doc/manual/administration/imperative-containers.xml
+++ b/nixos/doc/manual/administration/imperative-containers.xml
@ -29,8 +29,10 @@ line. For instance, to create a container that has
 <literal>root</literal>:
 <screen>
-# nixos-container create foo --config 'services.openssh.enable = true; \
+# nixos-container create foo --config '
-  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'
+  services.openssh.enable = true;
  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];
 '
 </screen>
 </para>
@ -97,8 +99,11 @@ This will build and activate the new configuration. You can also
 specify a new configuration on the command line:
 <screen>
-# nixos-container update foo --config 'services.httpd.enable = true; \
+# nixos-container update foo --config '
-  services.httpd.adminAddr = "foo@example.org";'
+  services.httpd.enable = true;
  services.httpd.adminAddr = "foo@example.org";
  networking.firewall.allowedTCPPorts = [ 80 ];
 '
 # curl http://$(nixos-container show-ip foo)/
 &lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
--- a/nixos/doc/manual/configuration/file-systems.xml
+++ b/nixos/doc/manual/configuration/file-systems.xml
@ -35,6 +35,12 @@ or <literal>ext4</literal>, then it’s best to specify
 <option>fsType</option> to ensure that the kernel module is
 available.</para>
 <note><para>System startup will fail if any of the filesystems fails to mount,
 dropping you to the emergency shell.
 You can make a mount asynchronous and non-critical by adding
 <literal>options = [ "nofail" ];</literal>.
 </para></note>
 <xi:include href="luks-file-systems.xml" />
 </chapter>
--- a/nixos/doc/manual/development/sources.xml
+++ b/nixos/doc/manual/development/sources.xml
@ -8,7 +8,7 @@
 <para>By default, NixOS’s <command>nixos-rebuild</command> command
 uses the NixOS and Nixpkgs sources provided by the
-<literal>nixos-unstable</literal> channel (kept in
+<literal>nixos</literal> channel (kept in
 <filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>).
 To modify NixOS, however, you should check out the latest sources from
 Git.  This is as follows:
@ -27,8 +27,8 @@ a subdirectory of the Nixpkgs repository.) The remote
 <literal>channels</literal> refers to a read-only repository that
 tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/>
 for more information about channels). Thus, the Git branch
-<literal>channels/nixos-14.12</literal> will contain the latest built
+<literal>channels/nixos-17.03</literal> will contain the latest built
-and tested version available in the <literal>nixos-14.12</literal>
+and tested version available in the <literal>nixos-17.03</literal>
 channel.</para>
 <para>It’s often inconvenient to develop directly on the master
@ -39,9 +39,9 @@ branch based on your current NixOS version:
 <screen>
 $ nixos-version
-14.04.273.ea1952b (Baboon)
+17.09pre104379.6e0b727 (Hummingbird)
-$ git checkout -b local ea1952b
+$ git checkout -b local 6e0b727
 </screen>
 Or, to base your local branch on the latest version available in a
@ -49,17 +49,17 @@ NixOS channel:
 <screen>
 $ git remote update channels
-$ git checkout -b local channels/nixos-14.12
+$ git checkout -b local channels/nixos-17.03
 </screen>
-(Replace <literal>nixos-14.12</literal> with the name of the channel
+(Replace <literal>nixos-17.03</literal> with the name of the channel
 you want to use.) You can use <command>git merge</command> or
 <command>git rebase</command> to keep your local branch in sync with
 the channel, e.g.
 <screen>
 $ git remote update channels
-$ git merge channels/nixos-14.12
+$ git merge channels/nixos-17.03
 </screen>
 You can use <command>git cherry-pick</command> to copy commits from
@ -87,7 +87,11 @@ $ ln -s <replaceable>/my/sources</replaceable>/nixpkgs ~/.nix-defexpr/nixpkgs
 You may want to delete the symlink
 <filename>~/.nix-defexpr/channels_root</filename> to prevent root’s
-NixOS channel from clashing with your own tree.</para>
+NixOS channel from clashing with your own tree (this may break the
 command-not-found utility though). If you want to go back to the default
 state, you may just remove the <filename>~/.nix-defexpr</filename>
 directory completely, log out and log in again and it should have been
 recreated with a link to the root channels.</para>
 <!-- FIXME: not sure what this means.
 <para>You should not pass the base directory
--- a/nixos/doc/manual/installation/installing-uefi.xml
+++ b/nixos/doc/manual/installation/installing-uefi.xml
@ -26,7 +26,8 @@ changes:
    <literal>vfat</literal> filesystem.</para>
  </listitem>
  <listitem>
-    <para>You must set <option>boot.loader.systemd-boot.enable</option> to
+    <para>Instead of <option>boot.loader.grub.device</option>,
    you must set <option>boot.loader.systemd-boot.enable</option> to
    <literal>true</literal>. <command>nixos-generate-config</command>
    should do this automatically for new configurations when booted in
    UEFI mode.</para>
--- a/nixos/doc/manual/installation/installing-usb.xml
+++ b/nixos/doc/manual/installation/installing-usb.xml
@ -34,6 +34,11 @@ ISO, copy its contents verbatim to your drive, then either:
    in <link xlink:href="https://www.kernel.org/doc/Documentation/kernel-parameters.txt">
    the kernel documentation</link> for more details).</para>
  </listitem>
  <listitem>
    <para>If you want to load the contents of the ISO to ram after bootin
    (So you can remove the stick after bootup) you can append the parameter
    <literal>copytoram</literal>to the <literal>options</literal> field.</para>
  </listitem>
 </itemizedlist>
 </para>
--- a/nixos/doc/manual/installation/upgrading.xml
+++ b/nixos/doc/manual/installation/upgrading.xml
@ -15,12 +15,12 @@ been built.  These channels are:
 <itemizedlist>
  <listitem>
    <para><emphasis>Stable channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
+    xlink:href="https://nixos.org/channels/nixos-17.03">nixos-17.03</literal>.
    These only get conservative bug fixes and package upgrades.  For
    instance, a channel update may cause the Linux kernel on your
-    system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
+    system to be upgraded from 4.9.16 to 4.9.17 (a minor bug fix), but
-    not from 3.4.<replaceable>x</replaceable> to
+    not from 4.9.<replaceable>x</replaceable> to
-    3.11.<replaceable>x</replaceable> (a major change that has the
+    4.11.<replaceable>x</replaceable> (a major change that has the
    potential to break things).  Stable channels are generally
    maintained until the next stable branch is created.</para>
    <para></para>
@ -34,7 +34,7 @@ been built.  These channels are:
  </listitem>
  <listitem>
    <para><emphasis>Small channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
+    xlink:href="https://nixos.org/channels/nixos-17.03-small">nixos-17.03-small</literal>
    or <literal
    xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
    are identical to the stable and unstable channels described above,
@ -55,8 +55,8 @@ appliances.)</para>
 <para>When you first install NixOS, you’re automatically subscribed to
 the NixOS channel that corresponds to your installation source.   For
-instance, if you installed from a 14.12 ISO, you will be subscribed to
+instance, if you installed from a 17.03 ISO, you will be subscribed to
-the <literal>nixos-14.12</literal> channel.  To see which NixOS
+the <literal>nixos-17.03</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 <screen>
@ -71,16 +71,16 @@ To switch to a different NixOS channel, do
 </screen>
 (Be sure to include the <literal>nixos</literal> parameter at the
-end.)  For instance, to use the NixOS 14.12 stable channel:
+end.)  For instance, to use the NixOS 17.03 stable channel:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
 </screen>
 If you have a server, you may want to use the “small” channel instead:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
 </screen>
 And if you want to live on the bleeding edge:
@ -130,7 +130,7 @@ runs, see <command>systemctl list-timers</command>.)  You can also
 specify a channel explicitly, e.g.
 <programlisting>
-system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-17.03;
 </programlisting>
 </para>
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@ -4,7 +4,15 @@
         version="5.0"
         xml:id="sec-release-17.03">
-<title>Release 17.03 (“XXX”, 2017/03/??)</title>
+<title>Release 17.03 (“Gorilla”, 2017/03/31)</title>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-highlights">
 <title>Highlights</title>
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
@ -16,19 +24,40 @@ has the following highlights: </para>
    manual</link> for more information.</para>
  </listitem>
  <listitem>
    <para>This release is based on Glibc 2.25, GCC 5.4.0 and systemd
    232. The default Linux kernel is 4.9 and Nix is at 1.11.8.</para>
  </listitem>
  <listitem>
    <para>The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed</para>
  </listitem>
  <listitem>
    <para>The setuid wrapper functionality now supports setting
    capabilities.</para>
  </listitem>
  <listitem>
-    <para>X.org server uses branch 1.19.  Due to ABI incompatibilities,
+    <para>X.org server uses branch 1.19. Due to ABI incompatibilities,
      <literal>ati_unfree</literal> keeps forcing 1.17
      and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
  </listitem>
  <listitem>
-    <para>PHP now defaults to PHP 7.1</para>
+    <para>
      Cross compilation has been rewritten. See the nixpkgs manual for
      details. The most obvious breaking change is that in derivations there is no
      <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now
      cross by default, not native.
    </para>
  </listitem>
  <listitem>
    <para>The <literal>overridePackages</literal> function has been rewritten
    to be replaced by <link
    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
    overlays</link></para>
  </listitem>
  <listitem>
@ -38,16 +67,115 @@ has the following highlights: </para>
    manual</link> for more information.</para>
  </listitem>
  <listitem>
    <para>PHP now defaults to PHP 7.1</para>
  </listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-new-services">
 <title>New Services</title>
 <para>The following new services were added since the last release:</para>
 <itemizedlist>
-  <listitem>
+  <listitem><para><literal>hardware/ckb.nix</literal></para></listitem>
-    <para></para>
+  <listitem><para><literal>hardware/mcelog.nix</literal></para></listitem>
-  </listitem>
+  <listitem><para><literal>hardware/usb-wwan.nix</literal></para></listitem>
  <listitem><para><literal>hardware/video/capture/mwprocapture.nix</literal></para></listitem>
  <listitem><para><literal>programs/adb.nix</literal></para></listitem>
  <listitem><para><literal>programs/chromium.nix</literal></para></listitem>
  <listitem><para><literal>programs/gphoto2.nix</literal></para></listitem>
  <listitem><para><literal>programs/java.nix</literal></para></listitem>
  <listitem><para><literal>programs/mtr.nix</literal></para></listitem>
  <listitem><para><literal>programs/oblogout.nix</literal></para></listitem>
  <listitem><para><literal>programs/vim.nix</literal></para></listitem>
  <listitem><para><literal>programs/wireshark.nix</literal></para></listitem>
  <listitem><para><literal>security/dhparams.nix</literal></para></listitem>
  <listitem><para><literal>services/audio/ympd.nix</literal></para></listitem>
  <listitem><para><literal>services/computing/boinc/client.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/buildbot/master.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/buildbot/worker.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/gitlab-runner.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/riak-cs.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/stanchion.nix</literal></para></listitem>
  <listitem><para><literal>services/desktops/gnome3/gnome-terminal-server.nix</literal></para></listitem>
  <listitem><para><literal>services/editors/infinoted.nix</literal></para></listitem>
  <listitem><para><literal>services/hardware/illum.nix</literal></para></listitem>
  <listitem><para><literal>services/hardware/trezord.nix</literal></para></listitem>
  <listitem><para><literal>services/logging/journalbeat.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/offlineimap.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/postgrey.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/couchpotato.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/docker-registry.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/errbot.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/geoip-updater.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/gogs.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/leaps.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/nix-optimise.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/ssm-agent.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/sssd.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/arbtt.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/netdata.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/default.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/alertmanager.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/blackbox-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/json-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/nginx-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/node-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/snmp-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/unifi-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/varnish-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/sysstat.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/telegraf.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/vnstat.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/cachefilesd.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/glusterfs.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/ipfs.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/dante.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/dnscrypt-wrapper.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/fakeroute.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/flannel.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/htpdate.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/miredo.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/nftables.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/powerdns.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/pdns-recursor.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/quagga.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/redsocks.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/wireguard.nix</literal></para></listitem>
  <listitem><para><literal>services/system/cgmanager.nix</literal></para></listitem>
  <listitem><para><literal>services/torrent/opentracker.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/confluence.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/crowd.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/jira.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/frab.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/nixbot.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/selfoss.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/quassel-webserver.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/unclutter-xfixes.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/urxvtd.nix</literal></para></listitem>
  <listitem><para><literal>system/boot/systemd-nspawn.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/ecs-agent.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/lxcfs.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/openstack/keystone.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/openstack/glance.nix</literal></para></listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-incompatibilities">
 <title>Backward Incompatibilities</title>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
@ -55,10 +183,8 @@ following incompatible changes:</para>
 <itemizedlist>
  <listitem>
    <para>
-      Cross compilation has been rewritten. See the nixpkgs manual for
+      Derivations have no <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> 
-      details. The most obvious breaking change is that derivations absent a
+      and are now cross by default, not native.
      <literal>.nativeDrv</literal> or <literal>.crossDrv</literal> are now
      cross by default, not native.
    </para>
  </listitem>
@ -174,7 +300,7 @@ following incompatible changes:</para>
    <para><literal>overridePackages</literal> function no longer exists.
    It is replaced by <link
    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
-    overlays</link>.  For example, the following code:
+    overlays</link>. For example, the following code:
 <programlisting>
  let
@ -219,7 +345,7 @@ following incompatible changes:</para>
  <listitem>
    <para>
    Iputils no longer provide ping6 and traceroute6. The functionality of
-    these tools have been integrated into ping and traceroute respectively. To
+    these tools has been integrated into ping and traceroute respectively. To
    enforce an address family the new flags <literal>-4</literal> and
    <literal>-6</literal> have been added. One notable incompatibility is that
    specifying an interface (for link-local IPv6 for instance) is no longer done
@ -247,10 +373,41 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
      The dnscrypt-proxy module interface has been streamlined around the
      <option>extraArgs</option> option. Where possible, legacy option
      declarations are mapped to <option>extraArgs</option> but will emit
      warnings. The <option>resolverList</option> has been outright
      removed: to use an unlisted resolver, use the
      <option>customResolver</option> option.
    </para>
  </listitem>
  <listitem>
    <para>
      torbrowser now stores local state under
      <filename>~/.local/share/tor-browser</filename> by default. Any
      browser profile data from the old location,
      <filename>~/.torbrowser4</filename>, must be migrated manually.
    </para>
  </listitem>
  <listitem>
    <para>
      The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
    </para>
  </listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-notable-changes">
-<para>Other notable changes:</para>
+<title>Other Notable Changes</title>
 <itemizedlist>
@ -276,7 +433,11 @@ following incompatible changes:</para>
  </listitem>
  <listitem>
-    <para>The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.</para>
+    <para>
      The Python 2.7 interpreter does not use modules anymore. Instead, all
      CPython interpreters now include the whole standard library except for `tkinter`,
      which is available in the Python package set.
    </para>
  </listitem>
  <listitem>
@ -290,11 +451,17 @@ following incompatible changes:</para>
  </listitem>
  <listitem>
-    <para>The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.</para>
+    <para>
      The Python package sets now use a fixed-point combinator and the sets are
      available as attributes of the interpreters.
    </para>
  </listitem>
  <listitem>
-    <para>The Python function `buildPythonPackage` has been improved and can be used to build from Setuptools source, Flit source, and precompiled Wheels.</para>
+    <para>
      The Python function <literal>buildPythonPackage</literal> has been improved and can be
      used to build from Setuptools source, Flit source, and precompiled Wheels.
    </para>
  </listitem>
  <listitem>
@ -305,7 +472,43 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
      The dnscrypt-proxy service supports synchronizing the list of public
      resolvers without working DNS resolution. This fixes issues caused by the
      resolver list becoming outdated. It also improves the viability of
      DNSCrypt only configurations.
    </para>
  </listitem>
  <listitem>
    <para>
      Containers using bridged networking no longer lose their connection after
      changes to the host networking.
    </para>
  </listitem>
  <listitem>
    <para>
      ZFS supports pool auto scrubbing.
    </para>
  </listitem>
  <listitem>
    <para>
      The bind DNS utilities (e.g. dig) have been split into their own output and
      are now also available in <literal>pkgs.dnsutils</literal> and it is no longer
      necessary to pull in all of <literal>bind</literal> to use them.
    </para>
  </listitem>
  <listitem>
    <para>
      Per-user configuration was moved from <filename>~/.nixpkgs</filename> to
      <filename>~/.config/nixpkgs</filename>. The former is still valid for
      <filename>config.nix</filename> for backwards compatibility.
    </para>
  </listitem>
 </itemizedlist>
-
+</section>
 </section>
--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@ -11,7 +11,11 @@ has the following highlights: </para>
 <itemizedlist>
  <listitem>
-    <para></para>
+    <para>
      The user handling now keeps track of deallocated UIDs/GIDs. When a user
      or group is revived, this allows it to be allocated the UID/GID it had before.
      A consequence is that UIDs and GIDs are no longer reused.
    </para>
  </listitem>
 </itemizedlist>
@ -31,6 +35,8 @@ following incompatible changes:</para>
 <itemizedlist>
  <listitem>
    <para>
      Top-level <literal>idea</literal> package collection was renamed.
      All JetBrains IDEs are now at <literal>jetbrains</literal>.
    </para>
  </listitem>
 </itemizedlist>
@ -49,6 +55,18 @@ following incompatible changes:</para>
      rest of the system on a stable release.
    </para>
  </listitem>
  <listitem>
    <para>
      Updated to FreeType 2.7.1, including a new TrueType engine.
      The new engine replaces the Infinality engine which was the default in
      NixOS. The default font rendering settings are now provided by
      fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults
      are less invasive and provide rendering that is more consistent with
      other systems and hopefully with each font designer's intent. Some
      system-wide configuration has been removed from the Fontconfig NixOS
      module where user Fontconfig settings are available.
    </para>
  </listitem>
 </itemizedlist>
--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@ -33,42 +33,124 @@
 , name ? "nixos-disk-image"
  # This prevents errors while checking nix-store validity, see
  # https://github.com/NixOS/nix/issues/1134
 , fixValidity ? true
 , format ? "raw"
 }:
 with lib;
-pkgs.vmTools.runInLinuxVM (
+let
  # Copied from https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/installer/cd-dvd/channel.nix
  # TODO: factor out more cleanly
  # Do not include these things:
  #   - The '.git' directory
  #   - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
  #   - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
  filterFn = path: type: let basename = baseNameOf (toString path); in
    if type == "directory" then basename != ".git"
    else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
    else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
  nixpkgs = builtins.filterSource filterFn pkgs.path;
  channelSources = pkgs.runCommand "nixos-${config.system.nixosVersion}" {} ''
    mkdir -p $out
    cp -prd ${nixpkgs} $out/nixos
    chmod -R u+w $out/nixos
    if [ ! -e $out/nixos/nixpkgs ]; then
      ln -s . $out/nixos/nixpkgs
    fi
    rm -rf $out/nixos/.git
    echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix
  '';
  metaClosure = pkgs.writeText "meta" ''
    ${config.system.build.toplevel}
    ${config.nix.package.out}
    ${channelSources}
  '';
  prepareImageInputs = with pkgs; [ rsync utillinux parted e2fsprogs lkl fakeroot config.system.build.nixos-prepare-root ] ++ stdenv.initialPath;
  # I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate
  # image building logic. The comment right below this now appears in 4 different places in nixpkgs :)
  # !!! should use XML.
  sources = map (x: x.source) contents;
  targets = map (x: x.target) contents;
  prepareImage = ''
    export PATH=${pkgs.lib.makeSearchPathOutput "bin" "bin" prepareImageInputs}
    mkdir $out
    diskImage=nixos.raw
    truncate -s ${toString diskSize}M $diskImage
    ${if partitioned then ''
      parted $diskImage -- mklabel msdos mkpart primary ext4 1M -1s
      offset=$((2048*512))
    '' else ''
      offset=0
    ''}
    mkfs.${fsType} -F -L nixos -E offset=$offset $diskImage
    root="$PWD/root"
    mkdir -p $root
    # Copy arbitrary other files into the image
    # Semi-shamelessly copied from make-etc.sh. I (@copumpkin) shall factor this stuff out as part of
    # https://github.com/NixOS/nixpkgs/issues/23052.
    set -f
    sources_=(${concatStringsSep " " sources})
    targets_=(${concatStringsSep " " targets})
    set +f
    for ((i = 0; i < ''${#targets_[@]}; i++)); do
      source="''${sources_[$i]}"
      target="''${targets_[$i]}"
      if [[ "$source" =~ '*' ]]; then
        # If the source name contains '*', perform globbing.
        mkdir -p $root/$target
        for fn in $source; do
          rsync -a --no-o --no-g "$fn" $root/$target/
        done
      else
        mkdir -p $root/$(dirname $target)
        if ! [ -e $root/$target ]; then
          rsync -a --no-o --no-g $source $root/$target
        else
          echo "duplicate entry $target -> $source"
          exit 1
        fi
      fi
    done
    # TODO: Nix really likes to chown things it creates to its current user...
    fakeroot nixos-prepare-root $root ${channelSources} ${config.system.build.toplevel} closure
    echo "copying staging root to image..."
    cptofs ${pkgs.lib.optionalString partitioned "-P 1"} -t ${fsType} -i $diskImage $root/* /
  '';
 in pkgs.vmTools.runInLinuxVM (
  pkgs.runCommand name
-    { preVM =
+    { preVM = prepareImage;
-        ''
+      buildInputs = with pkgs; [ utillinux e2fsprogs ];
-          mkdir $out
+      exportReferencesGraph = [ "closure" metaClosure ];
-          diskImage=$out/nixos.${if format == "qcow2" then "qcow2" else "img"}
+      postVM = ''
-          ${pkgs.vmTools.qemu}/bin/qemu-img create -f ${format} $diskImage "${toString diskSize}M"
+        ${if format == "raw" then ''
-          mv closure xchg/
+          mv $diskImage $out/nixos.img
-        '';
+          diskImage=$out/nixos.img
-      buildInputs = with pkgs; [ utillinux perl e2fsprogs parted rsync ];
+        '' else ''
-
+          ${pkgs.qemu}/bin/qemu-img convert -f raw -O qcow2 $diskImage $out/nixos.qcow2
-      # I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate
+          diskImage=$out/nixos.qcow2
-      # image building logic. The comment right below this now appears in 4 different places in nixpkgs :)
+        ''}
-      # !!! should use XML.
+        ${postVM}
-      sources = map (x: x.source) contents;
+      '';
      targets = map (x: x.target) contents;
      exportReferencesGraph =
        [ "closure" config.system.build.toplevel ];
      inherit postVM;
      memSize = 1024;
    }
    ''
      ${if partitioned then ''
        # Create a single / partition.
        parted /dev/vda mklabel msdos
        parted /dev/vda -- mkpart primary ext2 1M -1s
        . /sys/class/block/vda1/uevent
        mknod /dev/vda1 b $MAJOR $MINOR
        rootDisk=/dev/vda1
@ -76,74 +158,34 @@ pkgs.vmTools.runInLinuxVM (
        rootDisk=/dev/vda
      ''}
-      # Create an empty filesystem and mount it.
+      # Some tools assume these exist
      mkfs.${fsType} -L nixos $rootDisk
      mkdir /mnt
      mount $rootDisk /mnt
      # Register the paths in the Nix database.
      printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
          ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
      ${if fixValidity then ''
        # Add missing size/hash fields to the database. FIXME:
        # exportReferencesGraph should provide these directly.
        ${config.nix.package.out}/bin/nix-store --verify --check-contents --option build-users-group ""
      '' else ""}
      # In case the bootloader tries to write to /dev/sda…
      ln -s vda /dev/xvda
      ln -s vda /dev/sda
-      # Install the closure onto the image
+      mountPoint=/mnt
-      USER=root ${config.system.build.nixos-install}/bin/nixos-install \
+      mkdir $mountPoint
-        --closure ${config.system.build.toplevel} \
+      mount $rootDisk $mountPoint
        --no-channel-copy \
        --no-root-passwd \
        ${optionalString (!installBootLoader) "--no-bootloader"}
-      # Install a configuration.nix.
+      # Install a configuration.nix
      mkdir -p /mnt/etc/nixos
      ${optionalString (configFile != null) ''
        cp ${configFile} /mnt/etc/nixos/configuration.nix
      ''}
-      # Remove /etc/machine-id so that each machine cloning this image will get its own id
+      mount --rbind /dev  $mountPoint/dev
-      rm -f /mnt/etc/machine-id
+      mount --rbind /proc $mountPoint/proc
      mount --rbind /sys  $mountPoint/sys
-      # Copy arbitrary other files into the image
+      # Set up core system link, GRUB, etc.
-      # Semi-shamelessly copied from make-etc.sh. I (@copumpkin) shall factor this stuff out as part of
+      NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint /nix/var/nix/profiles/system/bin/switch-to-configuration boot
      # https://github.com/NixOS/nixpkgs/issues/23052.
      set -f
      sources_=($sources)
      targets_=($targets)
      set +f
-      for ((i = 0; i < ''${#targets_[@]}; i++)); do
+      # TODO: figure out if I should activate, but for now I won't
-        source="''${sources_[$i]}"
+      # chroot $mountPoint /nix/var/nix/profiles/system/activate
        target="''${targets_[$i]}"
-        if [[ "$source" =~ '*' ]]; then
+      # The above scripts will generate a random machine-id and we don't want to bake a single ID into all our images
      rm -f $mountPoint/etc/machine-id
-          # If the source name contains '*', perform globbing.
+      umount -R /mnt
          mkdir -p /mnt/$target
          for fn in $source; do
            rsync -a --no-o --no-g "$fn" /mnt/$target/
          done
        else
          mkdir -p /mnt/$(dirname $target)
          if ! [ -e /mnt/$target ]; then
            rsync -a --no-o --no-g $source /mnt/$target
          else
            echo "duplicate entry $target -> $source"
            exit 1
          fi
        fi
      done
      umount /mnt
      # Make sure resize2fs works. Note that resize2fs has stricter criteria for resizing than a normal
      # mount, so the `-c 0` and `-i 0` don't affect it. Setting it to `now` doesn't produce deterministic
--- a/nixos/lib/test-driver/Machine.pm
+++ b/nixos/lib/test-driver/Machine.pm
@ -542,16 +542,20 @@ sub getScreenText {
    $self->nest("performing optical character recognition", sub {
        my $tmpbase = Cwd::abs_path(".")."/ocr";
        my $tmpin = $tmpbase."in.ppm";
        my $tmpout = "$tmpbase.ppm";
        $self->sendMonitorCommand("screendump $tmpin");
-        system("ppmtopgm $tmpin | pamscale 4 -filter=lanczos > $tmpout") == 0
+
-            or die "cannot scale screenshot";
+        my $magickArgs = "-filter Catrom -density 72 -resample 300 "
                       . "-contrast -normalize -despeckle -type grayscale "
                       . "-sharpen 1 -posterize 3 -negate -gamma 100 "
                       . "-blur 1x65535";
        my $tessArgs = "-c debug_file=/dev/null --psm 11 --oem 2";
        $text = `convert $magickArgs $tmpin tiff:- | tesseract - - $tessArgs`;
        my $status = $? >> 8;
        unlink $tmpin;
-        system("tesseract $tmpout $tmpbase") == 0 or die "OCR failed";
+
-        unlink $tmpout;
+        die "OCR failed with exit code $status" if $status != 0;
        $text = read_file("$tmpbase.txt");
        unlink "$tmpbase.txt";
    });
    return $text;
 }
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@ -93,7 +93,7 @@ rec {
      vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
-      ocrProg = tesseract;
+      ocrProg = tesseract_4.override { enableLanguages = [ "eng" ]; };
      # Generate onvenience wrappers for running the test driver
      # interactively with the specified network, and for starting the
@ -111,7 +111,8 @@ rec {
          vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
          wrapProgram $out/bin/nixos-test-driver \
            --add-flags "''${vms[*]}" \
-            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
+            ${lib.optionalString enableOCR
              "--prefix PATH : '${ocrProg}/bin:${imagemagick}/bin'"} \
            --run "testScript=\"\$(cat $out/test-script)\"" \
            --set testScript '$testScript' \
            --set VLANS '${toString vlans}'
--- a/nixos/maintainers/scripts/ec2/amazon-image.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-image.nix
@ -6,10 +6,7 @@ let
  cfg = config.amazonImage;
 in {
-  imports =
+  imports = [ ../../../modules/virtualisation/amazon-image.nix ];
    [ ../../../modules/installer/cd-dvd/channel.nix
      ../../../modules/virtualisation/amazon-image.nix
    ];
  options.amazonImage = {
    contents = mkOption {
--- a/nixos/maintainers/scripts/ec2/create-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-amis.sh
@ -3,21 +3,20 @@
 # To start with do: nix-shell -p awscli --run "aws configure"
-
+set -e
 set -o pipefail
 #set -x
 stateDir=${TMPDIR:-/tmp}/ec2-image
 echo "keeping state in $stateDir"
 mkdir -p $stateDir
 version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
 major=${version:0:5}
 echo "NixOS version is $version ($major)"
 stateDir=/var/tmp/ec2-image-$version
 echo "keeping state in $stateDir"
 mkdir -p $stateDir
 rm -f ec2-amis.nix
-types="hvm pv"
+types="hvm"
 stores="ebs s3"
 regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
@ -206,7 +205,7 @@ for type in $types; do
                    # Register the AMI.
                    if [ $type = pv ]; then
-                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
+                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.05-$arch.gz" | jq -r .Images[0].ImageId)
                        if [ "$kernel" = null ]; then break; fi
                        echo "using PV-GRUB kernel $kernel"
                        extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
--- a/nixos/maintainers/scripts/gce/create-gce.sh
+++ b/nixos/maintainers/scripts/gce/create-gce.sh
@ -1,15 +1,23 @@
-#! /bin/sh -e
+#!/usr/bin/env nix-shell
 #! nix-shell -i bash -p google-cloud-sdk
-BUCKET_NAME=${BUCKET_NAME:-nixos-images}
+set -euo pipefail
-export NIX_PATH=nixpkgs=../../../..
+
-export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/google-compute-image.nix
+BUCKET_NAME="${BUCKET_NAME:-nixos-images}"
-export TIMESTAMP=$(date +%Y%m%d%H%M)
+TIMESTAMP="$(date +%Y%m%d%H%M)"
 export TIMESTAMP
 nix-build '<nixpkgs/nixos>' \
-   -A config.system.build.googleComputeImage --argstr system x86_64-linux -o gce --option extra-binary-caches http://hydra.nixos.org -j 10
+   -A config.system.build.googleComputeImage \
   --arg configuration "{ imports = [ <nixpkgs/nixos/modules/virtualisation/google-compute-image.nix> ]; }" \
   --argstr system x86_64-linux \
   -o gce \
   -j 10
-img=$(echo gce/*.tar.gz)
+img_path=$(echo gce/*.tar.gz)
-if ! gsutil ls gs://${BUCKET_NAME}/$(basename $img); then
+img_name=$(basename "$img_path")
-  gsutil cp $img gs://${BUCKET_NAME}/$(basename $img)
+img_id=$(echo "$img_name" | sed 's|.raw.tar.gz$||;s|\.|-|g;s|_|-|g')
 if ! gsutil ls "gs://${BUCKET_NAME}/$img_name"; then
  gsutil cp "$img_path" "gs://${BUCKET_NAME}/$img_name"
 fi
-gcloud compute images create $(basename $img .raw.tar.gz | sed 's|\.|-|' | sed 's|_|-|') --source-uri gs://${BUCKET_NAME}/$(basename $img)
+gcloud compute images create "$img_id" --source-uri "gs://${BUCKET_NAME}/$img_name"
--- a/nixos/modules/config/fonts/fontconfig-penultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-penultimate.nix
@ -0,0 +1,270 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.fonts.fontconfig;
  fcBool = x: "<bool>" + (boolToString x) + "</bool>";
  # back-supported fontconfig version and package
  # version is used for font cache generation
  supportVersion = "210";
  supportPkg     = pkgs."fontconfig_${supportVersion}";
  # latest fontconfig version and package
  # version is used for configuration folder name, /etc/fonts/VERSION/
  # note: format differs from supportVersion and can not be used with makeCacheConf
  latestVersion  = pkgs.fontconfig.configVersion;
  latestPkg      = pkgs.fontconfig;
  # supported version fonts.conf
  supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
  # configuration file to read fontconfig cache
  # version dependent
  # priority 0
  cacheConfSupport = makeCacheConf { version = supportVersion; };
  cacheConfLatest  = makeCacheConf {};
  # generate the font cache setting file for a fontconfig version
  # use latest when no version is passed
  makeCacheConf = { version ? null }:
    let
      fcPackage = if builtins.isNull version
                  then "fontconfig"
                  else "fontconfig_${version}";
      makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
      cache     = makeCache pkgs."${fcPackage}";
      cache32   = makeCache pkgs.pkgsi686Linux."${fcPackage}";
    in
    pkgs.writeText "fc-00-nixos-cache.conf" ''
      <?xml version='1.0'?>
      <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
      <fontconfig>
        <!-- Font directories -->
        ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
        <!-- Pre-generated font caches -->
        <cachedir>${cache}</cachedir>
        ${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
          <cachedir>${cache32}</cachedir>
        ''}
      </fontconfig>
    '';
  # The configuration to be included in /etc/font/
  penultimateConf = pkgs.runCommand "font-penultimate-conf" {} ''
    support_folder=$out/etc/fonts/conf.d
    latest_folder=$out/etc/fonts/${latestVersion}/conf.d
    mkdir -p $support_folder
    mkdir -p $latest_folder
    ln -s ${supportFontsConf} $support_folder/../fonts.conf
    ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
          $latest_folder/../fonts.conf
    # fontconfig-penultimate various configuration files
    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
          $support_folder
    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
          $latest_folder
    ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
    ln -s ${cacheConfLatest}  $latest_folder/00-nixos-cache.conf
    rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
    ln -s ${antialiasConf} $support_folder/10-antialias.conf
    ln -s ${antialiasConf} $latest_folder/10-antialias.conf
    rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
    ln -s ${hintingConf} $support_folder/10-hinting.conf
    ln -s ${hintingConf} $latest_folder/10-hinting.conf
    ${optionalString cfg.useEmbeddedBitmaps ''
    rm $support_folder/10-no-embedded-bitmaps.conf
    rm $latest_folder/10-no-embedded-bitmaps.conf
    ''}
    rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
    ln -s ${subpixelConf} $support_folder/10-subpixel.conf
    ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
    ${optionalString (cfg.dpi != 0) ''
    ln -s ${dpiConf} $support_folder/11-dpi.conf
    ln -s ${dpiConf} $latest_folder/11-dpi.conf
    ''}
    ${optionalString (!cfg.includeUserConf) ''
    rm $support_folder/50-user.conf
    rm $latest_folder/50-user.conf
    ''}
    # 51-local.conf
    rm $latest_folder/51-local.conf
    substitute \
      ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
      $latest_folder/51-local.conf \
      --replace local.conf /etc/fonts/${latestVersion}/local.conf
    ln -s ${defaultFontsConf} $support_folder/52-default-fonts.conf
    ln -s ${defaultFontsConf} $latest_folder/52-default-fonts.conf
    ${optionalString cfg.allowBitmaps ''
    rm $support_folder/53-no-bitmaps.conf
    rm $latest_folder/53-no-bitmaps.conf
    ''}
    ${optionalString (!cfg.allowType1) ''
    ln -s ${rejectType1} $support_folder/53-no-type1.conf
    ln -s ${rejectType1} $latest_folder/53-no-type1.conf
    ''}
  '';
  hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default rendering settings -->
      <match target="pattern">
        <edit mode="append" name="hinting">
          ${fcBool cfg.hinting.enable}
        </edit>
        <edit mode="append" name="autohint">
          ${fcBool cfg.hinting.autohint}
        </edit>
        <edit mode="append" name="hintstyle">
          <const>hintslight</const>
        </edit>
      </match>
    </fontconfig>
  '';
  antialiasConf = pkgs.writeText "fc-10-antialias.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default rendering settings -->
      <match target="pattern">
        <edit mode="append" name="antialias">
          ${fcBool cfg.antialias}
        </edit>
      </match>
    </fontconfig>
  '';
  subpixelConf = pkgs.writeText "fc-10-subpixel.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default rendering settings -->
      <match target="pattern">
        <edit mode="append" name="rgba">
          <const>${cfg.subpixel.rgba}</const>
        </edit>
        <edit mode="append" name="lcdfilter">
          <const>lcd${cfg.subpixel.lcdfilter}</const>
        </edit>
      </match>
    </fontconfig>
  '';
  dpiConf = pkgs.writeText "fc-11-dpi.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <match target="pattern">
        <edit name="dpi" mode="assign">
          <double>${toString cfg.dpi}</double>
        </edit>
      </match>
    </fontconfig>
  '';
  defaultFontsConf =
    let genDefault = fonts: name:
      optionalString (fonts != []) ''
        <alias>
          <family>${name}</family>
          <prefer>
          ${concatStringsSep ""
          (map (font: ''
            <family>${font}</family>
          '') fonts)}
          </prefer>
        </alias>
      '';
    in
    pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default fonts -->
      ${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
      ${genDefault cfg.defaultFonts.serif     "serif"}
      ${genDefault cfg.defaultFonts.monospace "monospace"}
    </fontconfig>
  '';
  rejectType1 = pkgs.writeText "fc-53-no-type1.conf" ''
    <?xml version="1.0"?>
    <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
    <fontconfig>
    <!-- Reject Type 1 fonts -->
    <selectfont>
      <rejectfont>
        <pattern>
          <patelt name="fontformat"><string>Type 1</string></patelt>
        </pattern>
      </rejectfont>
    </selectfont>
    </fontconfig>
  '';
 in
 {
  options = {
    fonts = {
      fontconfig = {
        penultimate = {
          enable = mkOption {
            type = types.bool;
            default = true;
            description = ''
              Enable fontconfig-penultimate settings to supplement the
              NixOS defaults by providing per-font rendering defaults and
              metric aliases.
            '';
          };
        };
      };
    };
  };
  config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
    fonts.fontconfig.confPackages = [ penultimateConf ];
  };
 }
--- a/nixos/modules/config/fonts/fontconfig-ultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-ultimate.nix
@ -43,7 +43,7 @@ in
        ultimate = {
          enable = mkOption {
            type = types.bool;
-            default = true;
+            default = false;
            description = ''
              Enable fontconfig-ultimate settings (formerly known as
              Infinality). Besides the customizable settings in this NixOS
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@ -20,7 +20,7 @@ with lib;
 let cfg = config.fonts.fontconfig;
-    fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
+    fcBool = x: "<bool>" + (boolToString x) + "</bool>";
    # back-supported fontconfig version and package
    # version is used for font cache generation
@ -75,23 +75,23 @@ let cfg = config.fonts.fontconfig;
      <fontconfig>
        <!-- Default rendering settings -->
-        <match target="font">
+        <match target="pattern">
-          <edit mode="assign" name="hinting">
+          <edit mode="append" name="hinting">
            ${fcBool cfg.hinting.enable}
          </edit>
-          <edit mode="assign" name="autohint">
+          <edit mode="append" name="autohint">
            ${fcBool cfg.hinting.autohint}
          </edit>
-          <edit mode="assign" name="hintstyle">
+          <edit mode="append" name="hintstyle">
-            <const>hint${cfg.hinting.style}</const>
+            <const>hintslight</const>
          </edit>
-          <edit mode="assign" name="antialias">
+          <edit mode="append" name="antialias">
            ${fcBool cfg.antialias}
          </edit>
-          <edit mode="assign" name="rgba">
+          <edit mode="append" name="rgba">
            <const>${cfg.subpixel.rgba}</const>
          </edit>
-          <edit mode="assign" name="lcdfilter">
+          <edit mode="append" name="lcdfilter">
            <const>lcd${cfg.subpixel.lcdfilter}</const>
          </edit>
        </match>
@ -104,13 +104,6 @@ let cfg = config.fonts.fontconfig;
        </match>
        ''}
        <!-- Force autohint always -->
        <match target="font">
          <edit name="force_autohint" mode="assign">
            ${fcBool cfg.forceAutohint}
          </edit>
        </match>
      </fontconfig>
    '';
@ -174,13 +167,6 @@ let cfg = config.fonts.fontconfig;
        </edit>
      </match>
      <!-- Render some monospace TTF fonts as bitmaps -->
      <match target="pattern">
        <edit name="bitmap_monospace" mode="assign">
          ${fcBool cfg.renderMonoTTFAsBitmap}
        </edit>
      </match>
      </fontconfig>
    '';
@ -304,7 +290,11 @@ in
        antialias = mkOption {
          type = types.bool;
          default = true;
-          description = "Enable font antialiasing.";
+          description = ''
            Enable font antialiasing. At high resolution (> 200 DPI),
            antialiasing has no visible effect; users of such displays may want
            to disable this option.
          '';
        };
        dpi = mkOption {
@ -358,26 +348,21 @@ in
          enable = mkOption {
            type = types.bool;
            default = true;
-            description = "Enable TrueType hinting.";
+            description = ''
              Enable font hinting. Hinting aligns glyphs to pixel boundaries to
              improve rendering sharpness at low resolution. At high resolution
              (> 200 dpi) hinting will do nothing (at best); users of such
              displays may want to disable this option.
            '';
          };
          autohint = mkOption {
            type = types.bool;
-            default = true;
+            default = false;
            description = ''
-              Enable the autohinter, which provides hinting for otherwise
+              Enable the autohinter in place of the default interpreter.
-              un-hinted fonts. The results are usually lower quality than
+              The results are usually lower quality than correctly-hinted
-              correctly-hinted fonts.
+              fonts, but better than unhinted fonts.
            '';
          };
          style = mkOption {
            type = types.enum ["none" "slight" "medium" "full"];
            default = "full";
            description = ''
              TrueType hinting style, one of <literal>none</literal>,
              <literal>slight</literal>, <literal>medium</literal>, or
              <literal>full</literal>.
            '';
          };
        };
@ -398,7 +383,15 @@ in
            default = "rgb";
            type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"];
            description = ''
-              Subpixel order.
+              Subpixel order. The overwhelming majority of displays are
              <literal>rgb</literal> in their normal orientation. Select
              <literal>vrgb</literal> for mounting such a display 90 degrees
              clockwise from its normal orientation or <literal>vbgr</literal>
              for mounting 90 degrees counter-clockwise. Select
              <literal>bgr</literal> in the unlikely event of mounting 180
              degrees from the normal orientation. Reverse these directions in
              the improbable event that the display's native subpixel order is
              <literal>bgr</literal>.
            '';
          };
@ -406,7 +399,9 @@ in
            default = "default";
            type = types.enum ["none" "default" "light" "legacy"];
            description = ''
-              FreeType LCD filter.
+              FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering
              has no visible effect; users of such displays may want to select
              <literal>none</literal>.
            '';
          };
@ -444,31 +439,19 @@ in
          description = ''Use embedded bitmaps in fonts like Calibri.'';
        };
        forceAutohint = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Force use of the TrueType Autohinter. Useful for debugging or
            free-software purists.
          '';
        };
        renderMonoTTFAsBitmap = mkOption {
          type = types.bool;
          default = false;
          description = ''Render some monospace TTF fonts as bitmaps.'';
        };
      };
    };
  };
-  config = mkIf cfg.enable {
+  config = mkMerge [
-    fonts.fontconfig.confPackages = [ confPkg ];
+    (mkIf cfg.enable {
-
+      environment.systemPackages    = [ pkgs.fontconfig ];
-    environment.systemPackages    = [ pkgs.fontconfig ];
+      environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
-    environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
+    })
-  };
+    (mkIf (cfg.enable && !cfg.penultimate.enable) {
      fonts.fontconfig.confPackages = [ confPkg ];
    })
  ];
 }
--- a/nixos/modules/config/fonts/fonts.nix
+++ b/nixos/modules/config/fonts/fonts.nix
@ -37,6 +37,7 @@ with lib;
        pkgs.xorg.fontbhlucidatypewriter75dpi
        pkgs.dejavu_fonts
        pkgs.freefont_ttf
        pkgs.gyre-fonts # TrueType substitutes for standard PostScript fonts
        pkgs.liberation_ttf
        pkgs.xorg.fontbh100dpi
        pkgs.xorg.fontmiscmisc
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@ -2,21 +2,27 @@
 with lib;
 let
  glibcLocales = pkgs.glibcLocales.override {
    allLocales = any (x: x == "all") config.i18n.supportedLocales;
    locales = config.i18n.supportedLocales;
  };
 in
 {
  ###### interface
  options = {
    i18n = {
      glibcLocales = mkOption {
        type = types.path;
        default = pkgs.glibcLocales.override {
          allLocales = any (x: x == "all") config.i18n.supportedLocales;
          locales = config.i18n.supportedLocales;
        };
        example = literalExample "pkgs.glibcLocales";
        description = ''
          Customized pkg.glibcLocales package.
          Changing this option can disable handling of i18n.defaultLocale
          and supportedLocale.
        '';
      };
      defaultLocale = mkOption {
        type = types.str;
        default = "en_US.UTF-8";
@ -118,7 +124,7 @@ in
        '');
    environment.systemPackages =
-      optional (config.i18n.supportedLocales != []) glibcLocales;
+      optional (config.i18n.supportedLocales != []) config.i18n.glibcLocales;
    environment.sessionVariables =
      { LANG = config.i18n.defaultLocale;
@ -126,7 +132,7 @@ in
      };
    systemd.globalEnvironment = mkIf (config.i18n.supportedLocales != []) {
-      LOCALE_ARCHIVE = "${glibcLocales}/lib/locale/locale-archive";
+      LOCALE_ARCHIVE = "${config.i18n.glibcLocales}/lib/locale/locale-archive";
    };
    # ‘/etc/locale.conf’ is used by systemd.
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -178,10 +178,10 @@ in
    environment.etc =
      { # /etc/services: TCP/UDP port assignments.
-        "services".source = pkgs.iana_etc + "/etc/services";
+        "services".source = pkgs.iana-etc + "/etc/services";
        # /etc/protocols: IP protocol numbers.
-        "protocols".source  = pkgs.iana_etc + "/etc/protocols";
+        "protocols".source  = pkgs.iana-etc + "/etc/protocols";
        # /etc/rpc: RPC program numbers.
        "rpc".source = pkgs.glibc.out + "/etc/rpc";
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@ -168,9 +168,6 @@ in
         ${cfg.extraInit}
         # The setuid/setcap wrappers override other bin directories.
         export PATH="${config.security.wrapperDir}:$PATH"
         # ~/bin if it exists overrides other bin directories.
         export PATH="$HOME/bin:$PATH"
       '';
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@ -6,6 +6,21 @@ use JSON;
 make_path("/var/lib/nixos", { mode => 0755 });
 # Keep track of deleted uids and gids.
 my $uidMapFile = "/var/lib/nixos/uid-map";
 my $uidMap = -e $uidMapFile ? decode_json(read_file($uidMapFile)) : {};
 my $gidMapFile = "/var/lib/nixos/gid-map";
 my $gidMap = -e $gidMapFile ? decode_json(read_file($gidMapFile)) : {};
 sub updateFile {
    my ($path, $contents, $perms) = @_;
    write_file("$path.tmp", { binmode => ':utf8', perms => $perms // 0644 }, $contents);
    rename("$path.tmp", $path) or die;
 }
 sub hashPassword {
    my ($password) = @_;
    my $salt = "";
@ -18,10 +33,10 @@ sub hashPassword {
 # Functions for allocating free GIDs/UIDs. FIXME: respect ID ranges in
 # /etc/login.defs.
 sub allocId {
-    my ($used, $idMin, $idMax, $up, $getid) = @_;
+    my ($used, $prevUsed, $idMin, $idMax, $up, $getid) = @_;
    my $id = $up ? $idMin : $idMax;
    while ($id >= $idMin && $id <= $idMax) {
-        if (!$used->{$id} && !defined &$getid($id)) {
+        if (!$used->{$id} && !$prevUsed->{$id} && !defined &$getid($id)) {
            $used->{$id} = 1;
            return $id;
        }
@ -31,23 +46,36 @@ sub allocId {
    die "$0: out of free UIDs or GIDs\n";
 }
-my (%gidsUsed, %uidsUsed);
+my (%gidsUsed, %uidsUsed, %gidsPrevUsed, %uidsPrevUsed);
 sub allocGid {
-    return allocId(\%gidsUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
+    my ($name) = @_;
    my $prevGid = $gidMap->{$name};
    if (defined $prevGid && !defined $gidsUsed{$prevGid}) {
        print STDERR "reviving group '$name' with GID $prevGid\n";
        $gidsUsed{$prevGid} = 1;
        return $prevGid;
    }
    return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
 }
 sub allocUid {
-    my ($isSystemUser) = @_;
+    my ($name, $isSystemUser) = @_;
    my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1);
-    return allocId(\%uidsUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
+    my $prevUid = $uidMap->{$name};
    if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
        print STDERR "reviving user '$name' with UID $prevUid\n";
        $uidsUsed{$prevUid} = 1;
        return $prevUid;
    }
    return allocId(\%uidsUsed, \%uidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
 }
 # Read the declared users/groups.
 my $spec = decode_json(read_file($ARGV[0]));
-# Don't allocate UIDs/GIDs that are already in use.
+# Don't allocate UIDs/GIDs that are manually assigned.
 foreach my $g (@{$spec->{groups}}) {
    $gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
 }
@ -56,6 +84,11 @@ foreach my $u (@{$spec->{users}}) {
    $uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
 }
 # Likewise for previously used but deleted UIDs/GIDs.
 $uidsPrevUsed{$_} = 1 foreach values %{$uidMap};
 $gidsPrevUsed{$_} = 1 foreach values %{$gidMap};
 # Read the current /etc/group.
 sub parseGroup {
    chomp;
@ -114,16 +147,18 @@ foreach my $g (@{$spec->{groups}}) {
            }
        }
    } else {
-        $g->{gid} = allocGid if !defined $g->{gid};
+        $g->{gid} = allocGid($name) if !defined $g->{gid};
        $g->{password} = "x";
    }
    $g->{members} = join ",", sort(keys(%members));
    $groupsOut{$name} = $g;
    $gidMap->{$name} = $g->{gid};
 }
 # Update the persistent list of declarative groups.
-write_file($declGroupsFile, { binmode => ':utf8' }, join(" ", sort(keys %groupsOut)));
+updateFile($declGroupsFile, join(" ", sort(keys %groupsOut)));
 # Merge in the existing /etc/group.
 foreach my $name (keys %groupsCur) {
@ -140,8 +175,8 @@ foreach my $name (keys %groupsCur) {
 # Rewrite /etc/group. FIXME: acquire lock.
 my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
    (sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
-write_file("/etc/group.tmp", { binmode => ':utf8' }, @lines);
+updateFile($gidMapFile, encode_json($gidMap));
-rename("/etc/group.tmp", "/etc/group") or die;
+updateFile("/etc/group", \@lines);
 system("nscd --invalidate group");
 # Generate a new /etc/passwd containing the declared users.
@ -167,7 +202,7 @@ foreach my $u (@{$spec->{users}}) {
            $u->{uid} = $existing->{uid};
        }
    } else {
-        $u->{uid} = allocUid($u->{isSystemUser}) if !defined $u->{uid};
+        $u->{uid} = allocUid($name, $u->{isSystemUser}) if !defined $u->{uid};
        if (defined $u->{initialPassword}) {
            $u->{hashedPassword} = hashPassword($u->{initialPassword});
@ -195,10 +230,12 @@ foreach my $u (@{$spec->{users}}) {
    $u->{fakePassword} = $existing->{fakePassword} // "x";
    $usersOut{$name} = $u;
    $uidMap->{$name} = $u->{uid};
 }
 # Update the persistent list of declarative users.
-write_file($declUsersFile, { binmode => ':utf8' }, join(" ", sort(keys %usersOut)));
+updateFile($declUsersFile, join(" ", sort(keys %usersOut)));
 # Merge in the existing /etc/passwd.
 foreach my $name (keys %usersCur) {
@ -214,8 +251,8 @@ foreach my $name (keys %usersCur) {
 # Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
    (sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
-write_file("/etc/passwd.tmp", { binmode => ':utf8' }, @lines);
+updateFile($uidMapFile, encode_json($uidMap));
-rename("/etc/passwd.tmp", "/etc/passwd") or die;
+updateFile("/etc/passwd", \@lines);
 system("nscd --invalidate passwd");
@ -242,5 +279,4 @@ foreach my $u (values %usersOut) {
    push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n";
 }
-write_file("/etc/shadow.tmp", { binmode => ':utf8', perms => 0600 }, @shadowNew);
+updateFile("/etc/shadow", \@shadowNew, 0600);
 rename("/etc/shadow.tmp", "/etc/shadow") or die;
--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@ -26,6 +26,7 @@ with lib;
      firmwareLinuxNonfree
      intel2200BGFirmware
      rtl8723bs-firmware
      rtl8192su-firmware
    ];
  };
--- a/nixos/modules/installer/cd-dvd/channel.nix
+++ b/nixos/modules/installer/cd-dvd/channel.nix
@ -6,6 +6,16 @@
 with lib;
 let
  # Do not include these things:
  #   - The '.git' directory
  #   - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
  #   - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
  filterFn = path: type: let basename = baseNameOf (toString path); in
    if type == "directory" then basename != ".git"
    else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
    else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
  nixpkgs = builtins.filterSource filterFn pkgs.path;
  # We need a copy of the Nix expressions for Nixpkgs and NixOS on the
  # CD.  These are installed into the "nixos" channel of the root
@ -15,12 +25,11 @@ let
    { }
    ''
      mkdir -p $out
-      cp -prd ${pkgs.path} $out/nixos
+      cp -prd ${nixpkgs} $out/nixos
      chmod -R u+w $out/nixos
      if [ ! -e $out/nixos/nixpkgs ]; then
        ln -s . $out/nixos/nixpkgs
      fi
      rm -rf $out/nixos/.git
      echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix
    '';
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@ -1,5 +1,5 @@
 {
-  x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8";
+  x86_64-linux = "/nix/store/71im965h634iy99zsmlncw6qhx5jcclx-nix-1.11.9";
-  i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8";
+  i686-linux = "/nix/store/cgvavixkayc36l6kl92i8mxr6k0p2yhy-nix-1.11.9";
-  x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8";
+  x86_64-darwin = "/nix/store/w1c96v5yxvdmq4nvqlxjvg6kp7xa2lag-nix-1.11.9";
 }
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@ -87,38 +87,6 @@ if ! test -e "$mountPoint"; then
    exit 1
 fi
 # Mount some stuff in the target root directory.
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
 mkdir -m 0755 -p $mountPoint/var
 mkdir -m 0700 -p $mountPoint/root
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
 mount --rbind / $mountPoint/tmp/root
 mount -t tmpfs -o "mode=0755" none $mountPoint/run
 rm -rf $mountPoint/var/run
 ln -s /run $mountPoint/var/run
 for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
 for f in /etc/passwd /etc/group;      do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done
 cp -Lf "@cacert@" "$mountPoint/tmp/ca-cert.crt"
 export SSL_CERT_FILE=/tmp/ca-cert.crt
 # For Nix 1.7
 export CURL_CA_BUNDLE=/tmp/ca-cert.crt
 if [ -n "$runChroot" ]; then
    if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
        echo "$0: installation not finished; cannot chroot into installation directory"
        exit 1
    fi
    ln -s /nix/var/nix/profiles/system $mountPoint/run/current-system
    exec chroot $mountPoint "${chrootCommand[@]}"
 fi
 # Get the path of the NixOS configuration file.
 if test -z "$NIXOS_CONFIG"; then
    NIXOS_CONFIG=/etc/nixos/configuration.nix
@ -130,121 +98,60 @@ if [ ! -e "$mountPoint/$NIXOS_CONFIG" ] && [ -z "$closure" ]; then
 fi
 # Create the necessary Nix directories on the target device, if they
 # don't already exist.
 mkdir -m 0755 -p \
    $mountPoint/nix/var/nix/gcroots \
    $mountPoint/nix/var/nix/temproots \
    $mountPoint/nix/var/nix/userpool \
    $mountPoint/nix/var/nix/profiles \
    $mountPoint/nix/var/nix/db \
    $mountPoint/nix/var/log/nix/drvs
 mkdir -m 1775 -p $mountPoint/nix/store
 chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
 # There is no daemon in the chroot.
 unset NIX_REMOTE
 # We don't have locale-archive in the chroot, so clear $LANG.
 export LANG=
 export LC_ALL=
 export LC_TIME=
 # Builds will use users that are members of this group
 extraBuildFlags+=(--option "build-users-group" "$buildUsersGroup")
 # Inherit binary caches from the host
 # TODO: will this still work with Nix 1.12 now that it has no perl? Probably not... 
 binary_caches="$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')"
 extraBuildFlags+=(--option "binary-caches" "$binary_caches")
 nixpkgs="$(readlink -f "$(nix-instantiate --find-file nixpkgs)")"
 export NIX_PATH="nixpkgs=$nixpkgs:nixos-config=$mountPoint/$NIXOS_CONFIG"
 unset NIXOS_CONFIG
-# Copy Nix to the Nix store on the target device, unless it's already there.
+# TODO: do I need to set NIX_SUBSTITUTERS here or is the --option binary-caches above enough?
 if ! NIX_DB_DIR=$mountPoint/nix/var/nix/db nix-store --check-validity @nix@ 2> /dev/null; then
    echo "copying Nix to $mountPoint...."
    for i in $(@perl@/bin/perl @pathsFromGraph@ @nixClosure@); do
        echo "  $i"
        chattr -R -i $mountPoint/$i 2> /dev/null || true # clear immutable bit
        @rsync@/bin/rsync -a $i $mountPoint/nix/store/
    done
    # Register the paths in the Nix closure as valid.  This is necessary
    # to prevent them from being deleted the first time we install
    # something.  (I.e., Nix will see that, e.g., the glibc path is not
    # valid, delete it to get it out of the way, but as a result nothing
    # will work anymore.)
    chroot $mountPoint @nix@/bin/nix-store --register-validity < @nixClosure@
 fi
-# Create the required /bin/sh symlink; otherwise lots of things
+# A place to drop temporary closures
-# (notably the system() function) won't work.
+trap "rm -rf $tmpdir" EXIT
-mkdir -m 0755 -p $mountPoint/bin
+tmpdir="$(mktemp -d)"
 # !!! assuming that @shell@ is in the closure
 ln -sf @shell@ $mountPoint/bin/sh
 # Build a closure (on the host; we then copy it into the guest)
 function closure() {
    nix-build "${extraBuildFlags[@]}" --no-out-link -E "with import <nixpkgs> {}; runCommand \"closure\" { exportReferencesGraph = [ \"x\" (buildEnv { name = \"env\"; paths = [ ($1) stdenv ]; }) ]; } \"cp x \$out\""
 }
-# Build hooks likely won't function correctly in the minimal chroot; just disable them.
+system_closure="$tmpdir/system.closure"
 unset NIX_BUILD_HOOK
 # Make the build below copy paths from the CD if possible.  Note that
 # /tmp/root in the chroot is the root of the CD.
 export NIX_OTHER_STORES=/tmp/root/nix:$NIX_OTHER_STORES
 p=@nix@/libexec/nix/substituters
 export NIX_SUBSTITUTERS=$p/copy-from-other-stores.pl:$p/download-from-binary-cache.pl
 if [ -z "$closure" ]; then
-    # Get the absolute path to the NixOS/Nixpkgs sources.
+    expr="(import <nixpkgs/nixos> {}).system"
-    nixpkgs="$(readlink -f $(nix-instantiate --find-file nixpkgs))"
+    system_root="$(nix-build -E "$expr")"
-
+    system_closure="$(closure "$expr")"
    nixEnvAction="-f <nixpkgs/nixos> --set -A system"
 else
-    nixpkgs=""
+    system_root=$closure
-    nixEnvAction="--set $closure"
+    # Create a temporary file ending in .closure (so nixos-prepare-root knows to --import it) to transport the store closure
    # to the filesytem we're preparing. Also delete it on exit!
    nix-store --export $(nix-store -qR $closure) > $system_closure
 fi
-# Build the specified Nix expression in the target store and install
+channel_root="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")"
-# it into the system configuration profile.
+channel_closure="$tmpdir/channel.closure"
-echo "building the system configuration..."
+nix-store --export $channel_root > $channel_closure
 NIX_PATH="nixpkgs=/tmp/root/$nixpkgs:nixos-config=$NIXOS_CONFIG" NIXOS_CONFIG= \
    chroot $mountPoint @nix@/bin/nix-env \
    "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system $nixEnvAction
 # Populate the target root directory with the basics
@prepare_root@/bin/nixos-prepare-root $mountPoint $channel_root $system_root @nixClosure@ $system_closure $channel_closure
-# Copy the NixOS/Nixpkgs sources to the target as the initial contents
+# nixos-prepare-root doesn't currently do anything with file ownership, so we set it up here instead
-# of the NixOS channel.
+chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
 mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles
 mkdir -m 1777 -p $mountPoint/nix/var/nix/profiles/per-user
 mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles/per-user/root
 srcs=$(nix-env "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")
 if [ -z "$noChannelCopy" ] && [ -n "$srcs" ]; then
    echo "copying NixOS/Nixpkgs sources..."
    chroot $mountPoint @nix@/bin/nix-env \
        "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -i "$srcs" --quiet
 fi
 mkdir -m 0700 -p $mountPoint/root/.nix-defexpr
 ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels
 # Get rid of the /etc bind mounts.
 for f in /etc/passwd /etc/group; do [ -f "$f" ] && umount $mountPoint/$f; done
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
 # Grub needs an mtab.
 ln -sfn /proc/mounts $mountPoint/etc/mtab
 # Mark the target as a NixOS installation, otherwise
 # switch-to-configuration will chicken out.
 touch $mountPoint/etc/NIXOS
 # Switch to the new system configuration.  This will install Grub with
 # a menu default pointing at the kernel/initrd/etc of the new
 # configuration.
--- a/nixos/modules/installer/tools/nixos-prepare-root.sh
+++ b/nixos/modules/installer/tools/nixos-prepare-root.sh
@ -0,0 +1,105 @@
 #! @shell@
 # This script's goal is to perform all "static" setup of a filesystem structure from pre-built store paths. Everything
 # in here should run in a non-root context and inside a Nix builder. It's designed primarily to be called from image-
 # building scripts and from nixos-install, but because it makes very few assumptions about the context in which it runs,
 # it could be useful in other contexts as well.
 #
 # Current behavior:
 #  - set up basic filesystem structure
 #  - make Nix store etc.
 #  - copy Nix, system, channel, and misceallaneous closures to target Nix store
 #  - register validity of all paths in the target store
 #  - set up channel and system profiles
 # Ensure a consistent umask.
 umask 0022
 set -e
 mountPoint="$1"
 channel="$2"
 system="$3"
 shift 3
 closures="$@"
 PATH="@coreutils@/bin:@nix@/bin:@perl@/bin:@utillinux@/bin:@rsync@/bin"
 if ! test -e "$mountPoint"; then
    echo "mount point $mountPoint doesn't exist"
    exit 1
 fi
 # Create a few of the standard directories in the target root directory.
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
 mkdir -m 0755 -p $mountPoint/var
 mkdir -m 0700 -p $mountPoint/root
 ln -s /run $mountPoint/var/run
 # Create the necessary Nix directories on the target device
 mkdir -m 0755 -p \
    $mountPoint/nix/var/nix/gcroots \
    $mountPoint/nix/var/nix/temproots \
    $mountPoint/nix/var/nix/userpool \
    $mountPoint/nix/var/nix/profiles \
    $mountPoint/nix/var/nix/db \
    $mountPoint/nix/var/log/nix/drvs
 mkdir -m 1775 -p $mountPoint/nix/store
 # All Nix operations below should operate on our target store, not /nix/store.
 # N.B: this relies on Nix 1.12 or higher
 export NIX_REMOTE=local?root=$mountPoint
 # Copy our closures to the Nix store on the target mount point, unless they're already there.
 for i in $closures; do
    # We support closures both in the format produced by `nix-store --export` and by `exportReferencesGraph`,
    # mostly because there doesn't seem to be a single format that can be produced outside of a nix build and
    # inside one. See https://github.com/NixOS/nix/issues/1242 for more discussion.
    if [[ "$i" =~ \.closure$ ]]; then
        echo "importing serialized closure $i to $mountPoint..."
        nix-store --import < $i
    else
        # There has to be a better way to do this, right?
        echo "copying closure $i to $mountPoint..."
        for j in $(perl @pathsFromGraph@ $i); do
            echo "  $j... "
            rsync -a $j $mountPoint/nix/store/
        done
        nix-store --option build-users-group root --register-validity < $i
    fi
 done
 # Create the required /bin/sh symlink; otherwise lots of things
 # (notably the system() function) won't work.
 if [ ! -x $mountPoint/@shell@ ]; then
    echo "Error: @shell@ wasn't included in the closure" >&2
    exit 1
 fi
 mkdir -m 0755 -p $mountPoint/bin
 ln -sf @shell@ $mountPoint/bin/sh
 echo "setting the system closure to '$system'..."
 nix-env "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/system --set "$system"
 ln -sfn /nix/var/nix/profiles/system $mountPoint/run/current-system
 # Copy the NixOS/Nixpkgs sources to the target as the initial contents of the NixOS channel.
 mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles
 mkdir -m 1777 -p $mountPoint/nix/var/nix/profiles/per-user
 mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles/per-user/root
 if [ -z "$noChannelCopy" ] && [ -n "$channel" ]; then
    echo "copying channel..."
    nix-env --option build-use-substitutes false "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channel" --quiet
 fi
 mkdir -m 0700 -p $mountPoint/root/.nix-defexpr
 ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels
 # Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out.
 touch $mountPoint/etc/NIXOS
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@ -4,7 +4,6 @@
 { config, pkgs, modulesPath, ... }:
 let
  cfg = config.installer;
  makeProg = args: pkgs.substituteAll (args // {
@ -17,6 +16,14 @@ let
    src = ./nixos-build-vms/nixos-build-vms.sh;
  };
  nixos-prepare-root = makeProg {
    name = "nixos-prepare-root";
    src = ./nixos-prepare-root.sh;
    nix = pkgs.nixUnstable;
    inherit (pkgs) perl pathsFromGraph rsync utillinux coreutils;
  };
  nixos-install = makeProg {
    name = "nixos-install";
    src = ./nixos-install.sh;
@ -26,6 +33,7 @@ let
    cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
    root_uid = config.ids.uids.root;
    nixbld_gid = config.ids.gids.nixbld;
    prepare_root = nixos-prepare-root;
    nixClosure = pkgs.runCommand "closure"
      { exportReferencesGraph = ["refs" config.nix.package.out]; }
@ -69,6 +77,7 @@ in
    environment.systemPackages =
      [ nixos-build-vms
        nixos-prepare-root
        nixos-install
        nixos-rebuild
        nixos-generate-config
@ -77,7 +86,7 @@ in
      ];
    system.build = {
-      inherit nixos-install nixos-generate-config nixos-option nixos-rebuild;
+      inherit nixos-install nixos-prepare-root nixos-generate-config nixos-option nixos-rebuild;
    };
  };
--- a/nixos/modules/misc/extra-arguments.nix
+++ b/nixos/modules/misc/extra-arguments.nix
@ -2,16 +2,6 @@
 {
  _module.args = {
    pkgs_i686 = import ../../.. {
      system = "i686-linux";
      # FIXME: we enable config.allowUnfree to make packages like
      # nvidia-x11 available. This isn't a problem because if the user has
      # ‘nixpkgs.config.allowUnfree = false’, then evaluation will fail on
      # the 64-bit package anyway. However, it would be cleaner to respect
      # nixpkgs.config here.
      config.allowUnfree = true;
    };
    utils = import ../../lib/utils.nix pkgs;
  };
 }
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -289,6 +289,10 @@
      rpc = 271;
      geoip = 272;
      fcron = 273;
      sonarr = 274;
      radarr = 275;
      jackett = 276;
      aria2 = 277;
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -547,6 +551,10 @@
      #rpc = 271; # unused
      #geoip = 272; # unused
      fcron = 273;
      sonarr = 274;
      radarr = 275;
      jackett = 276;
      aria2 = 277;
      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@ -42,6 +42,8 @@ let
    merge = lib.mergeOneOption;
  };
  _pkgs = import ../../.. config.nixpkgs;
 in
 {
@ -97,6 +99,9 @@ in
  };
  config = {
-    _module.args.pkgs = import ../../.. config.nixpkgs;
+    _module.args = {
      pkgs = _pkgs;
      pkgs_i686 = _pkgs.pkgsi686Linux;
    };
  };
 }
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1,8 +1,9 @@
 [
  ./config/debug-info.nix
  ./config/fonts/corefonts.nix
  ./config/fonts/fontconfig-ultimate.nix
  ./config/fonts/fontconfig.nix
  ./config/fonts/fontconfig-penultimate.nix
  ./config/fonts/fontconfig-ultimate.nix
  ./config/fonts/fontdir.nix
  ./config/fonts/fonts.nix
  ./config/fonts/ghostscript.nix
@ -87,7 +88,9 @@
  ./programs/mtr.nix
  ./programs/nano.nix
  ./programs/oblogout.nix
  ./programs/qt5ct.nix
  ./programs/screen.nix
  ./programs/slock.nix
  ./programs/shadow.nix
  ./programs/shell.nix
  ./programs/spacefm.nix
@ -100,7 +103,9 @@
  ./programs/wvdial.nix
  ./programs/xfs_quota.nix
  ./programs/xonsh.nix
  ./programs/zsh/oh-my-zsh.nix
  ./programs/zsh/zsh.nix
  ./programs/zsh/zsh-syntax-highlighting.nix
  ./rename.nix
  ./security/acme.nix
  ./security/apparmor.nix
@ -112,6 +117,7 @@
  ./security/duosec.nix
  ./security/grsecurity.nix
  ./security/hidepid.nix
  ./security/lock-kernel-modules.nix
  ./security/oath.nix
  ./security/pam.nix
  ./security/pam_usb.nix
@ -129,6 +135,7 @@
  ./services/audio/liquidsoap.nix
  ./services/audio/mpd.nix
  ./services/audio/mopidy.nix
  ./services/audio/slimserver.nix
  ./services/audio/squeezelite.nix
  ./services/audio/ympd.nix
  ./services/backup/almir.nix
@ -137,7 +144,6 @@
  ./services/backup/mysql-backup.nix
  ./services/backup/postgresql-backup.nix
  ./services/backup/rsnapshot.nix
  ./services/backup/sitecopy-backup.nix
  ./services/backup/tarsnap.nix
  ./services/backup/znapzend.nix
  ./services/cluster/fleet.nix
@ -247,6 +253,7 @@
  ./services/mail/rmilter.nix
  ./services/misc/apache-kafka.nix
  ./services/misc/autofs.nix
  ./services/misc/autorandr.nix
  ./services/misc/bepasty.nix
  ./services/misc/canto-daemon.nix
  ./services/misc/calibre-server.nix
@ -274,6 +281,7 @@
  ./services/misc/gpsd.nix
  #./services/misc/ihaskell.nix
  ./services/misc/irkerd.nix
  ./services/misc/jackett.nix
  ./services/misc/leaps.nix
  ./services/misc/mantisbt.nix
  ./services/misc/mathics.nix
@ -294,6 +302,7 @@
  ./services/misc/parsoid.nix
  ./services/misc/phd.nix
  ./services/misc/plex.nix
  ./services/misc/radarr.nix
  ./services/misc/redmine.nix
  ./services/misc/rippled.nix
  ./services/misc/ripple-rest.nix
@ -415,6 +424,7 @@
  ./services/networking/i2p.nix
  ./services/networking/iodine.nix
  ./services/networking/ircd-hybrid/default.nix
  ./services/networking/keepalived/default.nix
  ./services/networking/kippo.nix
  ./services/networking/kresd.nix
  ./services/networking/lambdabot.nix
@ -453,7 +463,7 @@
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
  ./services/networking/prosody.nix
-  ./services/networking/quagga.nix
+  # ./services/networking/quagga.nix
  ./services/networking/quassel.nix
  ./services/networking/racoon.nix
  ./services/networking/radicale.nix
@ -496,6 +506,7 @@
  ./services/networking/wpa_supplicant.nix
  ./services/networking/xinetd.nix
  ./services/networking/xl2tpd.nix
  ./services/networking/xrdp.nix
  ./services/networking/zerobin.nix
  ./services/networking/zerotierone.nix
  ./services/networking/znc.nix
@ -521,12 +532,14 @@
  ./services/security/munge.nix
  ./services/security/oauth2_proxy.nix
  ./services/security/physlock.nix
-  ./services/security/torify.nix
+  ./services/security/sshguard.nix
  ./services/security/tor.nix
  ./services/security/torify.nix
  ./services/security/torsocks.nix
  ./services/system/cgmanager.nix
  ./services/system/cloud-init.nix
  ./services/system/dbus.nix
  ./services/system/earlyoom.nix
  ./services/system/kerberos.nix
  ./services/system/nscd.nix
  ./services/system/uptimed.nix
@ -654,6 +667,7 @@
  ./tasks/scsi-link-power-management.nix
  ./tasks/swraid.nix
  ./tasks/trackpoint.nix
  ./tasks/powertop.nix
  ./testing/service-runner.nix
  ./virtualisation/container-config.nix
  ./virtualisation/containers.nix
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -0,0 +1,62 @@
 # A profile with most (vanilla) hardening options enabled by default,
 # potentially at the cost of features and performance.
 { config, lib, pkgs, ... }:
 with lib;
 {
  boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
  security.hideProcessInformation = mkDefault true;
  security.lockKernelModules = mkDefault true;
  security.apparmor.enable = mkDefault true;
  boot.kernelParams = [
    # Overwrite free'd memory
    "page_poison=1"
    # Disable legacy virtual syscalls
    "vsyscall=none"
    # Disable hibernation (allows replacing the running kernel)
    "nohibernate"
  ];
  # Restrict ptrace() usage to processes with a pre-defined relationship
  # (e.g., parent/child)
  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
  # Prevent replacing the running kernel image w/o reboot
  boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
  # Restrict access to kernel ring buffer (information leaks)
  boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
  # Hide kptrs even for processes with CAP_SYSLOG
  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
  # Unprivileged access to bpf() has been used for privilege escalation in
  # the past
  boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
  # Disable bpf() JIT (to eliminate spray attacks)
  boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
  # ... or at least apply some hardening to it
  boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
  # A recurring problem with user namespaces is that there are
  # still code paths where the kernel's permission checking logic
  # fails to account for namespacing, instead permitting a
  # namespaced process to act outside the namespace with the
  # same privileges as it would have inside it.  This is particularly
  # bad in the common case of running as root within the namespace.
  #
  # Setting the number of allowed userns to 0 effectively disables
  # the feature at runtime.  Attempting to create a user namespace
  # with unshare will then fail with "no space left on device".
  boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
 }
--- a/nixos/modules/programs/command-not-found/command-not-found.nix
+++ b/nixos/modules/programs/command-not-found/command-not-found.nix
@ -8,13 +8,14 @@
 with lib;
 let
-
+  cfg = config.programs.command-not-found;
  commandNotFound = pkgs.substituteAll {
    name = "command-not-found";
    dir = "bin";
    src = ./command-not-found.pl;
    isExecutable = true;
    inherit (pkgs) perl;
    inherit (cfg) dbPath;
    perlFlags = concatStrings (map (path: "-I ${path}/lib/perl5/site_perl ")
      [ pkgs.perlPackages.DBI pkgs.perlPackages.DBDSQLite pkgs.perlPackages.StringShellQuote ]);
  };
@ -22,50 +23,66 @@ let
 in
 {
  options.programs.command-not-found = {
-  programs.bash.interactiveShellInit =
+    enable = mkEnableOption "command-not-found hook for interactive shell";
-    ''
+
-      # This function is called whenever a command is not found.
+    dbPath = mkOption {
-      command_not_found_handle() {
+      default = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite" ;
-        local p=/run/current-system/sw/bin/command-not-found
+      description = ''
-        if [ -x $p -a -f /nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite ]; then
+        Absolute path to programs.sqlite.
-          # Run the helper program.
+
-          $p "$@"
+        By default this file will be provided by your channel
-          # Retry the command if we just installed it.
+        (nixexprs.tar.xz).
-          if [ $? = 126 ]; then
+      '';
-            "$@"
+      type = types.path;
    };
  };
  config = mkIf cfg.enable {
    programs.bash.interactiveShellInit =
      ''
        # This function is called whenever a command is not found.
        command_not_found_handle() {
          local p=${commandNotFound}/bin/command-not-found
          if [ -x $p -a -f ${cfg.dbPath} ]; then
            # Run the helper program.
            $p "$@"
            # Retry the command if we just installed it.
            if [ $? = 126 ]; then
              "$@"
            else
              return 127
            fi
          else
            echo "$1: command not found" >&2
            return 127
          fi
-        else
+        }
-          echo "$1: command not found" >&2
+      '';
          return 127
        fi
      }
    '';
-  programs.zsh.interactiveShellInit =
+    programs.zsh.interactiveShellInit =
-    ''
+      ''
-      # This function is called whenever a command is not found.
+        # This function is called whenever a command is not found.
-      command_not_found_handler() {
+        command_not_found_handler() {
-        local p=/run/current-system/sw/bin/command-not-found
+          local p=${commandNotFound}/bin/command-not-found
-        if [ -x $p -a -f /nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite ]; then
+          if [ -x $p -a -f ${cfg.dbPath} ]; then
-          # Run the helper program.
+            # Run the helper program.
-          $p "$@"
+            $p "$@"
-          # Retry the command if we just installed it.
+            # Retry the command if we just installed it.
-          if [ $? = 126 ]; then
+            if [ $? = 126 ]; then
-            "$@"
+              "$@"
            fi
          else
            # Indicate than there was an error so ZSH falls back to its default handler
            echo "$1: command not found" >&2
            return 127
          fi
-        else
+        }
-          # Indicate than there was an error so ZSH falls back to its default handler
+      '';
          return 127
        fi
      }
    '';
-  environment.systemPackages = [ commandNotFound ];
+    environment.systemPackages = [ commandNotFound ];
-
+  };
  # TODO: tab completion for uninstalled commands! :-)
 }
--- a/nixos/modules/programs/command-not-found/command-not-found.pl
+++ b/nixos/modules/programs/command-not-found/command-not-found.pl
@ -8,7 +8,7 @@ use Config;
 my $program = $ARGV[0];
-my $dbPath = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite";
+my $dbPath = "@dbPath@";
 my $dbh = DBI->connect("dbi:SQLite:dbname=$dbPath", "", "")
    or die "cannot open database `$dbPath'";
--- a/nixos/modules/programs/environment.nix
+++ b/nixos/modules/programs/environment.nix
@ -20,6 +20,7 @@ in
      { NIXPKGS_CONFIG = "/etc/nix/nixpkgs-config.nix";
        PAGER = mkDefault "less -R";
        EDITOR = mkDefault "nano";
        XCURSOR_PATH = "$HOME/.icons";
      };
    environment.profiles =
@ -42,6 +43,7 @@ in
        GTK_PATH = [ "/lib/gtk-2.0" "/lib/gtk-3.0" ];
        XDG_CONFIG_DIRS = [ "/etc/xdg" ];
        XDG_DATA_DIRS = [ "/share" ];
        XCURSOR_PATH = [ "/share/icons" ];
        MOZ_PLUGIN_PATH = [ "/lib/mozilla/plugins" ];
        LIBEXEC_PATH = [ "/lib/libexec" ];
      };
--- a/nixos/modules/programs/qt5ct.nix
+++ b/nixos/modules/programs/qt5ct.nix
@ -0,0 +1,31 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  meta.maintainers = [ maintainers.romildo ];
  ###### interface
  options = {
    programs.qt5ct = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to enable the Qt5 Configuration Tool (qt5ct), a
          program that allows users to configure Qt5 settings (theme,
          font, icons, etc.) under desktop environments or window
          manager without Qt integration.
          Official home page: <link xlink:href="https://sourceforge.net/projects/qt5ct/">https://sourceforge.net/projects/qt5ct/</link>
        '';
      };
    };
  };
  ###### implementation
  config = mkIf config.programs.qt5ct.enable {
    environment.variables.QT_QPA_PLATFORMTHEME = "qt5ct";
    environment.systemPackages = [ pkgs.qt5ct ];
  };
 }
--- a/nixos/modules/programs/slock.nix
+++ b/nixos/modules/programs/slock.nix
@ -0,0 +1,26 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.programs.slock;
 in
 {
  options = {
    programs.slock = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to install slock screen locker with setuid wrapper.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.slock ];
    security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock";
  };
 }
--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@ -39,7 +39,8 @@ in
        example = "mail.example.org";
        description = ''
          The host name of the default mail server to use to deliver
-          e-mail.
+          e-mail. Can also contain a port number (ex: mail.example.org:587),
          defaults to port 25 if no port is given.
        '';
      };
@ -95,6 +96,25 @@ in
        example = "correctHorseBatteryStaple";
        description = ''
          Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
          It's recommended to use <option>authPassFile</option>
          which takes precedence over <option>authPass</option>.
        '';
      };
      authPassFile = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "/run/keys/ssmtp-authpass";
        description = ''
          Path to a file that contains the password used for SMTP auth. The file
          should not contain a trailing newline, if the password does not contain one.
          This file should be readable by the users that need to execute ssmtp.
          <option>authPassFile</option> takes precedence over <option>authPass</option>.
          Warning: when <option>authPass</option> is non-empty <option>authPassFile</option>
          defaults to a file in the WORLD-READABLE Nix store containing that password.
        '';
      };
@ -111,17 +131,24 @@ in
  config = mkIf cfg.directDelivery {
    networking.defaultMailServer.authPassFile = mkIf (cfg.authPass != "")
      (mkDefault (toString (pkgs.writeTextFile {
        name = "ssmtp-authpass";
        text = cfg.authPass;
      })));
    environment.etc."ssmtp/ssmtp.conf".text =
      let yesNo = yes : if yes then "YES" else "NO"; in
      ''
        MailHub=${cfg.hostName}
        FromLineOverride=YES
-        ${if cfg.root != "" then "root=${cfg.root}" else ""}
+        ${optionalString (cfg.root   != "") "root=${cfg.root}"}
-        ${if cfg.domain != "" then "rewriteDomain=${cfg.domain}" else ""}
+        ${optionalString (cfg.domain != "") "rewriteDomain=${cfg.domain}"}
-        UseTLS=${if cfg.useTLS then "YES" else "NO"}
+        UseTLS=${yesNo cfg.useTLS}
-        UseSTARTTLS=${if cfg.useSTARTTLS then "YES" else "NO"}
+        UseSTARTTLS=${yesNo cfg.useSTARTTLS}
        #Debug=YES
-        ${if cfg.authUser != "" then "AuthUser=${cfg.authUser}" else ""}
+        ${optionalString (cfg.authUser != "")       "AuthUser=${cfg.authUser}"}
-        ${if cfg.authPass != "" then "AuthPass=${cfg.authPass}" else ""}
+        ${optionalString (!isNull cfg.authPassFile) "AuthPassFile=${cfg.authPassFile}"}
      '';
    environment.systemPackages = [pkgs.ssmtp];
--- a/nixos/modules/programs/zsh/oh-my-zsh.nix
+++ b/nixos/modules/programs/zsh/oh-my-zsh.nix
@ -0,0 +1,66 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.programs.zsh.oh-my-zsh;
 in
  {
    options = {
      programs.zsh.oh-my-zsh = {
        enable = mkOption {
          default = false;
          description = ''
            Enable oh-my-zsh.
          '';
        };
        plugins = mkOption {
          default = [];
          type = types.listOf(types.str);
          description = ''
            List of oh-my-zsh plugins
          '';
        };
        custom = mkOption {
          default = "";
          type = types.str;
          description = ''
            Path to a custom oh-my-zsh package to override config of oh-my-zsh.
          '';
        };
        theme = mkOption {
          default = "";
          type = types.str;
          description = ''
            Name of the theme to be used by oh-my-zsh.
          '';
        };
      };
    };
    config = mkIf cfg.enable {
      environment.systemPackages = with pkgs; [ oh-my-zsh ];
      programs.zsh.interactiveShellInit = with pkgs; with builtins; ''
        # oh-my-zsh configuration generated by NixOS
        export ZSH=${oh-my-zsh}/share/oh-my-zsh
        ${optionalString (length(cfg.plugins) > 0)
          "plugins=(${concatStringsSep " " cfg.plugins})"
        }
        ${optionalString (stringLength(cfg.custom) > 0)
          "ZSH_CUSTOM=\"${cfg.custom}\""
        }
        ${optionalString (stringLength(cfg.theme) > 0)
          "ZSH_THEME=\"${cfg.theme}\""
        }
        source $ZSH/oh-my-zsh.sh
      '';
    };
  }
--- a/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix
+++ b/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix
@ -0,0 +1,53 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.programs.zsh.syntax-highlighting;
 in
  {
    options = {
      programs.zsh.syntax-highlighting = {
        enable = mkOption {
          default = false;
          type = types.bool;
          description = ''
            Enable zsh-syntax-highlighting.
          '';
        };
        highlighters = mkOption {
          default = [ "main" ];
          # https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
          type = types.listOf(types.enum([
            "main"
            "brackets"
            "pattern"
            "cursor"
            "root"
            "line"
          ]));
          description = ''
            Specifies the highlighters to be used by zsh-syntax-highlighting.
            The following defined options can be found here:
            https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
          '';
        };
      };
    };
    config = mkIf cfg.enable {
      environment.systemPackages = with pkgs; [ zsh-syntax-highlighting ];
      programs.zsh.interactiveShellInit = with pkgs; with builtins; ''
        source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
        ${optionalString (length(cfg.highlighters) > 0)
          "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})"
        }
      '';
    };
  }
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@ -84,14 +84,6 @@ in
        type = types.bool;
      };
      enableSyntaxHighlighting = mkOption {
        default = false;
        description = ''
          Enable zsh-syntax-highlighting
        '';
        type = types.bool;
      };
      enableAutosuggestions = mkOption {
        default = false;
        description = ''
@ -130,10 +122,6 @@ in
        ${if cfg.enableCompletion then "autoload -U compinit && compinit" else ""}
        ${optionalString (cfg.enableSyntaxHighlighting)
          "source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
        }
        ${optionalString (cfg.enableAutosuggestions)
          "source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh"
        }
@ -143,7 +131,6 @@ in
        ${cfge.interactiveShellInit}
        HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help"
      '';
@ -206,8 +193,7 @@ in
    environment.etc."zinputrc".source = ./zinputrc;
    environment.systemPackages = [ pkgs.zsh ]
-      ++ optional cfg.enableCompletion pkgs.nix-zsh-completions
+      ++ optional cfg.enableCompletion pkgs.nix-zsh-completions;
      ++ optional cfg.enableSyntaxHighlighting pkgs.zsh-syntax-highlighting;
    environment.pathsToLink = optional cfg.enableCompletion "/share/zsh";
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -141,9 +141,6 @@ with lib;
    # Unity3D
    (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
    # fontconfig-ultimate
    (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
    # murmur
    (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
@ -202,7 +199,13 @@ with lib;
      "See the 16.09 release notes for more information.")
    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
    (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "")
    (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ]
      "Set the option `services.xserver.displayManager.sddm.package' instead.")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
    # ZSH
    (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntax-highlighting" "enable" ])
  ];
 }
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -19,6 +19,12 @@ let
        '';
      };
      domain = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = "Domain to fetch certificate for (defaults to the entry name)";
      };
      email = mkOption {
        type = types.nullOr types.str;
        default = null;
@ -157,9 +163,10 @@ in
          servicesLists = mapAttrsToList certToServices cfg.certs;
          certToServices = cert: data:
              let
                domain = if data.domain != null then data.domain else cert;
                cpath = "${cfg.directory}/${cert}";
                rights = if data.allowKeysForGroup then "750" else "700";
-                cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
+                cmdline = [ "-v" "-d" domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
                          ++ optionals (data.email != null) [ "--email" data.email ]
                          ++ concatMap (p: [ "-f" p ]) data.plugins
                          ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
@ -178,7 +185,7 @@ in
                  path = [ pkgs.simp_le ];
                  preStart = ''
                    mkdir -p '${cfg.directory}'
-                    chown '${data.user}:${data.group}' '${cfg.directory}'
+                    chown -R '${data.user}:${data.group}' '${cfg.directory}'
                    if [ ! -d '${cpath}' ]; then
                      mkdir '${cpath}'
                    fi
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -13,7 +13,7 @@ in
 {
  meta = {
-    maintainers = with maintainers; [ joachifm ];
+    maintainers = with maintainers; [ ];
    doc = ./grsecurity.xml;
  };
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@ -26,9 +26,11 @@
    <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
    Linux wiki page on grsecurity</link>.
-    <note><para>grsecurity/PaX is only available for the latest linux -stable
+    <warning><para>Upstream has ceased free support for grsecurity/PaX.  See
-    kernel; patches against older kernels are available from upstream only for
+    <link xlink:href="https://grsecurity.net/passing_the_baton.php">
-    a fee.</para></note>
+    the announcement</link> for more information.  Consequently, NixOS
    support for grsecurity/PaX also must cease.  Enabling this module will
    result in a build error.</para></warning>
    <note><para>We standardise on a desktop oriented configuration primarily due
    to lack of resources.  The grsecurity/PaX configuration state space is huge
    and each configuration requires quite a bit of testing to ensure that the
--- a/nixos/modules/security/lock-kernel-modules.nix
+++ b/nixos/modules/security/lock-kernel-modules.nix
@ -0,0 +1,36 @@
 { config, lib, ... }:
 with lib;
 {
  options = {
    security.lockKernelModules = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Disable kernel module loading once the system is fully initialised.
        Module loading is disabled until the next reboot.  Problems caused
        by delayed module loading can be fixed by adding the module(s) in
        question to <option>boot.kernelModules</option>.
      '';
    };
  };
  config = mkIf config.security.lockKernelModules {
    systemd.services.disable-kernel-module-loading = rec {
      description = "Disable kernel module loading";
      wantedBy = [ config.systemd.defaultUnit ];
      after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;
      script = "echo -n 1 > /proc/sys/kernel/modules_disabled";
      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
    };
  };
 }
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@ -64,7 +64,7 @@ in
    systemd.packages = [ pkgs.polkit.out ];
    systemd.services.polkit.restartTriggers = [ config.system.path ];
-    systemd.services.polkit.unitConfig.X-StopIfChanged = false;
+    systemd.services.polkit.stopIfChanged = false;
    # The polkit daemon reads action/rule files
    environment.pathsToLink = [ "/share/polkit-1" ];
--- a/nixos/modules/services/audio/slimserver.nix
+++ b/nixos/modules/services/audio/slimserver.nix
@ -0,0 +1,69 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.slimserver;
 in {
  options = {
    services.slimserver = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable slimserver.
        '';
      };
      package = mkOption {
        type = types.package;
        default = pkgs.slimserver;
        defaultText = "pkgs.slimserver";
        description = "Slimserver package to use.";
      };
      dataDir = mkOption {
        type = types.path;
        default = "/var/lib/slimserver";
        description = ''
          The directory where slimserver stores its state, tag cache,
          playlists etc.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    systemd.services.slimserver = {
      after = [ "network.target" ];
      description = "Slim Server for Logitech Squeezebox Players";
      wantedBy = [ "multi-user.target" ];
      preStart = "mkdir -p ${cfg.dataDir} && chown -R slimserver:slimserver ${cfg.dataDir}";
      serviceConfig = {
        User = "slimserver";
        PermissionsStartOnly = true;
        ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache";
      };
    };
    users = {
      users.slimserver = {
        description = "Slimserver daemon user";
        home = cfg.dataDir;
        group = "slimserver";
      };
      groups.slimserver = {};
    };
  };
 }
--- a/nixos/modules/services/backup/sitecopy-backup.nix
+++ b/nixos/modules/services/backup/sitecopy-backup.nix
@ -1,106 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  inherit (pkgs) sitecopy;
  stateDir = "/var/spool/sitecopy";
  sitecopyCron = backup : ''
    ${if backup ? period then backup.period else config.services.sitecopy.period} root ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${backup.name}.conf --update ${backup.name} >> /var/log/sitecopy.log 2>&1
  '';
 in
 {
  options = {
    services.sitecopy = {
      enable = mkOption {
        default = false;
        description = ''
          Whether to enable <command>sitecopy</command> backups of specified
          directories.
        '';
      };
      period = mkOption {
        default = "15 04 * * *";
        description = ''
          This option defines (in the format used by <command>cron</command>)
          when the <command>sitecopy</command> backups are to be run.
          The default is to update at 04:15 (at night) every day.
        '';
      };
      backups = mkOption {
        example = [
          { name = "test";
            local = "/tmp/backup";
            remote = "/staff-groups/ewi/st/strategoxt/backup/test";
            server = "webdata.tudelft.nl";
            protocol = "webdav";
            https = true ;
            symlinks = "maintain" ;
          }
        ];
        default = [];
        description = ''
           List of attribute sets describing the backups.
           Username/password are extracted from
           <filename>${stateDir}/sitecopy.secrets</filename> at activation
           time. The secrets file lines should have the following structure:
           <screen>
             server username password
           </screen>
        '';
      };
    };
  };
  config = mkIf config.services.sitecopy.enable {
    environment.systemPackages = [ sitecopy ];
    services.cron.systemCronJobs = map sitecopyCron config.services.sitecopy.backups;
    system.activationScripts.sitecopyBackup = stringAfter [ "stdio" "users" ]
      ''
        mkdir -m 0700 -p ${stateDir}
        chown root ${stateDir}
        touch ${stateDir}/sitecopy.secrets
        chown root ${stateDir}/sitecopy.secrets
        ${lib.concatStrings (map ( b: ''
            unset secrets
            unset secret
            secrets=`grep '^${b.server}' ${stateDir}/sitecopy.secrets | head -1`
            secret=($secrets)
            cat > ${stateDir}/${b.name}.conf << EOF
              site ${b.name}
              server ${b.server}
              protocol ${b.protocol}
              username ''${secret[1]}
              password ''${secret[2]}
              local ${b.local}
              remote ${b.remote}
              symlinks ${b.symlinks}
              ${if b.https then "http secure" else ""}
            EOF
            chmod 0600 ${stateDir}/${b.name}.conf
            if ! test -e ${stateDir}/${b.name} ; then
              echo " * Initializing sitecopy '${b.name}'"
              ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${b.name}.conf --initialize ${b.name}
            else
              echo " * Sitecopy '${b.name}' already initialized"
            fi
          '' ) config.services.sitecopy.backups
        )}
      '';
  };
 }
--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@ -45,7 +45,7 @@ let
  cniConfig = pkgs.buildEnv {
    name = "kubernetes-cni-config";
    paths = imap (i: entry:
-      pkgs.writeTextDir "${10+i}-${entry.type}.conf" (builtins.toJSON entry)
+      pkgs.writeTextDir "${toString (10+i)}-${entry.type}.conf" (builtins.toJSON entry)
    ) cfg.kubelet.cni.config;
  };
@ -597,7 +597,7 @@ in {
    (mkIf cfg.kubelet.enable {
      systemd.services.kubelet = {
        description = "Kubernetes Kubelet Service";
-        wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "kubernetes.target" ];
        after = [ "network.target" "docker.service" "kube-apiserver.service" ];
        path = with pkgs; [ gitMinimal openssh docker utillinux iproute ethtool thin-provisioning-tools iptables ];
        preStart = ''
@ -606,14 +606,15 @@ in {
          ${concatMapStringsSep "\n" (p: "ln -fs ${p.plugins}/* /opt/cni/bin") cfg.kubelet.cni.packages}
        '';
        serviceConfig = {
          Slice = "kubernetes.slice";
          ExecStart = ''${cfg.package}/bin/kubelet \
            --pod-manifest-path=${manifests} \
            --kubeconfig=${kubeconfig} \
            --require-kubeconfig \
            --address=${cfg.kubelet.address} \
            --port=${toString cfg.kubelet.port} \
-            --register-node=${if cfg.kubelet.registerNode then "true" else "false"} \
+            --register-node=${boolToString cfg.kubelet.registerNode} \
-            --register-schedulable=${if cfg.kubelet.registerSchedulable then "true" else "false"} \
+            --register-schedulable=${boolToString cfg.kubelet.registerSchedulable} \
            ${optionalString (cfg.kubelet.tlsCertFile != null)
              "--tls-cert-file=${cfg.kubelet.tlsCertFile}"} \
            ${optionalString (cfg.kubelet.tlsKeyFile != null)
@ -621,7 +622,7 @@ in {
            --healthz-bind-address=${cfg.kubelet.healthz.bind} \
            --healthz-port=${toString cfg.kubelet.healthz.port} \
            --hostname-override=${cfg.kubelet.hostname} \
-            --allow-privileged=${if cfg.kubelet.allowPrivileged then "true" else "false"} \
+            --allow-privileged=${boolToString cfg.kubelet.allowPrivileged} \
            --root-dir=${cfg.dataDir} \
            --cadvisor_port=${toString cfg.kubelet.cadvisorPort} \
            ${optionalString (cfg.kubelet.clusterDns != "")
@ -655,9 +656,10 @@ in {
    (mkIf cfg.apiserver.enable {
      systemd.services.kube-apiserver = {
        description = "Kubernetes Kubelet Service";
-        wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "kubernetes.target" ];
        after = [ "network.target" "docker.service" ];
        serviceConfig = {
          Slice = "kubernetes.slice";
          ExecStart = ''${cfg.package}/bin/kube-apiserver \
            --etcd-servers=${concatStringsSep "," cfg.etcd.servers} \
            ${optionalString (cfg.etcd.caFile != null)
@ -670,14 +672,14 @@ in {
            --bind-address=0.0.0.0 \
            ${optionalString (cfg.apiserver.advertiseAddress != null)
              "--advertise-address=${cfg.apiserver.advertiseAddress}"} \
-            --allow-privileged=${if cfg.apiserver.allowPrivileged then "true" else "false"} \
+            --allow-privileged=${boolToString cfg.apiserver.allowPrivileged}\
            ${optionalString (cfg.apiserver.tlsCertFile != null)
              "--tls-cert-file=${cfg.apiserver.tlsCertFile}"} \
            ${optionalString (cfg.apiserver.tlsKeyFile != null)
              "--tls-private-key-file=${cfg.apiserver.tlsKeyFile}"} \
            ${optionalString (cfg.apiserver.tokenAuth != null)
              "--token-auth-file=${cfg.apiserver.tokenAuth}"} \
-            --kubelet-https=${if cfg.apiserver.kubeletHttps then "true" else "false"} \
+            --kubelet-https=${boolToString cfg.apiserver.kubeletHttps} \
            ${optionalString (cfg.apiserver.kubeletClientCaFile != null)
              "--kubelet-certificate-authority=${cfg.apiserver.kubeletClientCaFile}"} \
            ${optionalString (cfg.apiserver.kubeletClientCertFile != null)
@ -713,13 +715,14 @@ in {
    (mkIf cfg.scheduler.enable {
      systemd.services.kube-scheduler = {
        description = "Kubernetes Scheduler Service";
-        wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "kubernetes.target" ];
        after = [ "kube-apiserver.service" ];
        serviceConfig = {
          Slice = "kubernetes.slice";
          ExecStart = ''${cfg.package}/bin/kube-scheduler \
            --address=${cfg.scheduler.address} \
            --port=${toString cfg.scheduler.port} \
-            --leader-elect=${if cfg.scheduler.leaderElect then "true" else "false"} \
+            --leader-elect=${boolToString cfg.scheduler.leaderElect} \
            --kubeconfig=${kubeconfig} \
            ${optionalString cfg.verbose "--v=6"} \
            ${optionalString cfg.verbose "--log-flush-frequency=1s"} \
@ -735,16 +738,17 @@ in {
    (mkIf cfg.controllerManager.enable {
      systemd.services.kube-controller-manager = {
        description = "Kubernetes Controller Manager Service";
-        wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "kubernetes.target" ];
        after = [ "kube-apiserver.service" ];
        serviceConfig = {
          RestartSec = "30s";
          Restart = "on-failure";
          Slice = "kubernetes.slice";
          ExecStart = ''${cfg.package}/bin/kube-controller-manager \
            --address=${cfg.controllerManager.address} \
            --port=${toString cfg.controllerManager.port} \
            --kubeconfig=${kubeconfig} \
-            --leader-elect=${if cfg.controllerManager.leaderElect then "true" else "false"} \
+            --leader-elect=${boolToString cfg.controllerManager.leaderElect} \
            ${if (cfg.controllerManager.serviceAccountKeyFile!=null)
              then "--service-account-private-key-file=${cfg.controllerManager.serviceAccountKeyFile}"
              else "--service-account-private-key-file=/var/run/kubernetes/apiserver.key"} \
@ -767,10 +771,11 @@ in {
    (mkIf cfg.proxy.enable {
      systemd.services.kube-proxy = {
        description = "Kubernetes Proxy Service";
-        wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "kubernetes.target" ];
        after = [ "kube-apiserver.service" ];
        path = [pkgs.iptables];
        serviceConfig = {
          Slice = "kubernetes.slice";
          ExecStart = ''${cfg.package}/bin/kube-proxy \
            --kubeconfig=${kubeconfig} \
            --bind-address=${cfg.proxy.address} \
@ -786,9 +791,10 @@ in {
    (mkIf cfg.dns.enable {
      systemd.services.kube-dns = {
        description = "Kubernetes Dns Service";
-        wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "kubernetes.target" ];
        after = [ "kube-apiserver.service" ];
        serviceConfig = {
          Slice = "kubernetes.slice";
          ExecStart = ''${cfg.package}/bin/kube-dns \
            --kubecfg-file=${kubeconfig} \
            --dns-port=${toString cfg.dns.port} \
@ -836,6 +842,11 @@ in {
        cfg.proxy.enable ||
        cfg.dns.enable
    ) {
      systemd.targets.kubernetes = {
        description = "Kubernetes";
        wantedBy = [ "multi-user.target" ];
      };
      systemd.tmpfiles.rules = [
        "d /opt/cni/bin 0755 root root -"
        "d /var/run/kubernetes 0755 kubernetes kubernetes -"
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@ -20,6 +20,14 @@ in
      description = "The working directory used";
    };
    package = mkOption {
      description = "Gitlab Runner package to use";
      default = pkgs.gitlab-runner;
      defaultText = "pkgs.gitlab-runner";
      type = types.package;
      example = literalExample "pkgs.gitlab-runner_1_11";
    };
  };
  config = mkIf cfg.enable {
@ -29,7 +37,7 @@ in
      requires = [ "docker.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
-        ExecStart = ''${pkgs.gitlab-runner.bin}/bin/gitlab-runner run \
+        ExecStart = ''${cfg.package.bin}/bin/gitlab-runner run \
          --working-directory ${cfg.workDir} \
          --config ${configFile} \
          --service gitlab-runner \
@ -38,6 +46,9 @@ in
      };
    };
    # Make the gitlab-runner command availabe so users can query the runner
    environment.systemPackages = [ cfg.package ];
    users.extraUsers.gitlab-runner = {
      group = "gitlab-runner";
      extraGroups = [ "docker" ];
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@ -233,6 +233,7 @@ in
          hydra_logo ${cfg.logo}
        ''}
        gc_roots_dir ${cfg.gcRootsDir}
        use-substitutes = ${if cfg.useSubstitutes then "1" else "0"}
      '';
    environment.systemPackages = [ cfg.package ];
@ -328,7 +329,7 @@ in
          IN_SYSTEMD = "1"; # to get log severity levels
        };
        serviceConfig =
-          { ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v --option build-use-substitutes ${if cfg.useSubstitutes then "true" else "false"}";
+          { ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v --option build-use-substitutes ${boolToString cfg.useSubstitutes}";
            ExecStopPost = "${cfg.package}/bin/hydra-queue-runner --unlock";
            User = "hydra-queue-runner";
            Restart = "always";
--- a/nixos/modules/services/databases/cassandra.nix
+++ b/nixos/modules/services/databases/cassandra.nix
@ -21,8 +21,8 @@ let
  cassandraConf = ''
    cluster_name: ${cfg.clusterName}
    num_tokens: 256
-    auto_bootstrap: ${if cfg.autoBootstrap then "true" else "false"}
+    auto_bootstrap: ${boolToString cfg.autoBootstrap}
-    hinted_handoff_enabled: ${if cfg.hintedHandOff then "true" else "false"}
+    hinted_handoff_enabled: ${boolToString cfg.hintedHandOff}
    hinted_handoff_throttle_in_kb: ${builtins.toString cfg.hintedHandOffThrottle}
    max_hints_delivery_threads: 2
    max_hint_window_in_ms: 10800000 # 3 hours
@ -62,7 +62,7 @@ let
    rpc_keepalive: true
    rpc_server_type: sync
    thrift_framed_transport_size_in_mb: 15
-    incremental_backups: ${if cfg.incrementalBackups then "true" else "false"}
+    incremental_backups: ${boolToString cfg.incrementalBackups}
    snapshot_before_compaction: false
    auto_snapshot: true
    column_index_size_in_kb: 64
@ -89,7 +89,7 @@ let
      truststore: ${cfg.trustStorePath}
      truststore_password: ${cfg.trustStorePassword}
    client_encryption_options:
-      enabled: ${if cfg.clientEncryption then "true" else "false"}
+      enabled: ${boolToString cfg.clientEncryption}
      keystore: ${cfg.keyStorePath}
      keystore_password: ${cfg.keyStorePassword}
    internode_compression: all
--- a/nixos/modules/services/databases/mongodb.nix
+++ b/nixos/modules/services/databases/mongodb.nix
@ -4,8 +4,6 @@ with lib;
 let
  b2s = x: if x then "true" else "false";
  cfg = config.services.mongodb;
  mongodb = cfg.package;
--- a/nixos/modules/services/hardware/amd-hybrid-graphics.nix
+++ b/nixos/modules/services/hardware/amd-hybrid-graphics.nix
@ -25,15 +25,22 @@
      path = [ pkgs.bash ];
      description = "Disable AMD Card";
      after = [ "sys-kernel-debug.mount" ];
-      requires = [ "sys-kernel-debug.mount" ];
+      before = [ "systemd-vconsole-setup.service" "display-manager.service" ];
-      wantedBy = [ "multi-user.target" ];
+      requires = [ "sys-kernel-debug.mount" "vgaswitcheroo.path" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
-        ExecStart = "${pkgs.bash}/bin/sh -c 'echo -e \"IGD\\nOFF\" > /sys/kernel/debug/vgaswitcheroo/switch; exit 0'";
+        ExecStart = "${pkgs.bash}/bin/sh -c 'echo -e \"IGD\\nOFF\" > /sys/kernel/debug/vgaswitcheroo/switch'";
-        ExecStop = "${pkgs.bash}/bin/sh -c 'echo ON >/sys/kernel/debug/vgaswitcheroo/switch; exit 0'";
+        ExecStop = "${pkgs.bash}/bin/sh -c 'echo ON >/sys/kernel/debug/vgaswitcheroo/switch'";
      };
    };
    systemd.paths."vgaswitcheroo" = {
      pathConfig = {
        PathExists = "/sys/kernel/debug/vgaswitcheroo/switch";
        Unit = "amd-hybrid-graphics.service";
      };
      wantedBy = ["multi-user.target"];
    };
  };
 }
--- a/nixos/modules/services/hardware/bluetooth.nix
+++ b/nixos/modules/services/hardware/bluetooth.nix
@ -6,9 +6,7 @@ let
  bluez-bluetooth = pkgs.bluez;
  cfg = config.hardware.bluetooth;
-in
+in {
 {
  ###### interface
@ -32,6 +30,8 @@ in
        '';
        description = ''
          Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf).
          NOTE: We already include [Policy], so any configuration under the Policy group should come first.
        '';
      };
    };
@ -45,7 +45,12 @@ in
    environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
    environment.etc = singleton {
-      source = pkgs.writeText "main.conf" cfg.extraConfig;
+      source = pkgs.writeText "main.conf" ''
        [Policy]
        AutoEnable=${lib.boolToString cfg.powerOnBoot}
        ${cfg.extraConfig}
      '';
      target = "bluetooth/main.conf";
    };
@ -53,29 +58,11 @@ in
    services.dbus.packages = [ bluez-bluetooth ];
    systemd.packages       = [ bluez-bluetooth ];
    services.udev.extraRules = optionalString cfg.powerOnBoot ''
      ACTION=="add", KERNEL=="hci[0-9]*", ENV{SYSTEMD_WANTS}="bluetooth-power@%k.service"
    '';
    systemd.services = {
      bluetooth = {
        wantedBy = [ "bluetooth.target" ];
        aliases  = [ "dbus-org.bluez.service" ];
      };
      "bluetooth-power@" = mkIf cfg.powerOnBoot {
        description = "Power up bluetooth controller";
        after = [
          "bluetooth.service"
          "suspend.target"
          "sys-subsystem-bluetooth-devices-%i.device"
        ];
        wantedBy = [ "suspend.target" ];
        serviceConfig.Type      = "oneshot";
        serviceConfig.ExecStart = "${pkgs.bluez.out}/bin/hciconfig %i up";
      };
    };
    systemd.user.services = {
--- a/nixos/modules/services/hardware/tlp.nix
+++ b/nixos/modules/services/hardware/tlp.nix
@ -58,6 +58,9 @@ in
    powerManagement.cpuFreqGovernor = null;
    systemd.services = {
      "systemd-rfkill@".enable = false;
      "systemd-rfkill".enable = false;
      tlp = {
        description = "TLP system startup/shutdown";
--- a/nixos/modules/services/logging/graylog.nix
+++ b/nixos/modules/services/logging/graylog.nix
@ -4,16 +4,15 @@ with lib;
 let
  cfg = config.services.graylog;
  configBool = b: if b then "true" else "false";
  confFile = pkgs.writeText "graylog.conf" ''
-    is_master = ${configBool cfg.isMaster}
+    is_master = ${boolToString cfg.isMaster}
    node_id_file = ${cfg.nodeIdFile}
    password_secret = ${cfg.passwordSecret}
    root_username = ${cfg.rootUsername}
    root_password_sha2 = ${cfg.rootPasswordSha2}
    elasticsearch_cluster_name = ${cfg.elasticsearchClusterName}
-    elasticsearch_discovery_zen_ping_multicast_enabled = ${configBool cfg.elasticsearchDiscoveryZenPingMulticastEnabled}
+    elasticsearch_discovery_zen_ping_multicast_enabled = ${boolToString cfg.elasticsearchDiscoveryZenPingMulticastEnabled}
    elasticsearch_discovery_zen_ping_unicast_hosts = ${cfg.elasticsearchDiscoveryZenPingUnicastHosts}
    message_journal_dir = ${cfg.messageJournalDir}
    mongodb_uri = ${cfg.mongodbUri}
--- a/nixos/modules/services/misc/autorandr.nix
+++ b/nixos/modules/services/misc/autorandr.nix
@ -0,0 +1,43 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.autorandr;
 in {
  options = {
    services.autorandr = {
      enable = mkEnableOption "handling of hotplug and sleep events by autorandr";
    };
  };
  config = mkIf cfg.enable {
    services.udev.packages = [ pkgs.autorandr ];
    environment.systemPackages = [ pkgs.autorandr ];
    # systemd.unitPackages = [ pkgs.autorandr ];
    systemd.services.autorandr = {
      unitConfig = {
        Description = "autorandr execution hook";
        After = [ "sleep.target" ];
        StartLimitInterval = "5";
        StartLimitBurst = "1";
      };
      serviceConfig = {
        ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default default";
        Type = "oneshot";
        RemainAfterExit = false;
      };
      wantedBy = [ "sleep.target" ];
    };
  };
 }
--- a/nixos/modules/services/misc/bepasty.nix
+++ b/nixos/modules/services/misc/bepasty.nix
@ -21,7 +21,7 @@ in
        configure a number of bepasty servers which will be started with
        gunicorn.
        '';
-      type = with types ; attrsOf (submodule ({
+      type = with types ; attrsOf (submodule ({ config, ... } : {
        options = {
@ -34,7 +34,6 @@ in
            default = "127.0.0.1:8000";
          };
          dataDir = mkOption {
            type = types.str;
            description = ''
@ -73,10 +72,28 @@ in
            type = types.str;
            description = ''
              server secret for safe session cookies, must be set.
              Warning: this secret is stored in the WORLD-READABLE Nix store!
              It's recommended to use <option>secretKeyFile</option>
              which takes precedence over <option>secretKey</option>.
              '';
            default = "";
          };
          secretKeyFile = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = ''
              A file that contains the server secret for safe session cookies, must be set.
              <option>secretKeyFile</option> takes precedence over <option>secretKey</option>.
              Warning: when <option>secretKey</option> is non-empty <option>secretKeyFile</option>
              defaults to a file in the WORLD-READABLE Nix store containing that secret.
              '';
          };
          workDir = mkOption {
            type = types.str;
            description = ''
@ -87,11 +104,22 @@ in
          };
        };
        config = {
          secretKeyFile = mkDefault (
            if config.secretKey != ""
            then toString (pkgs.writeTextFile {
              name = "bepasty-secret-key";
              text = config.secretKey;
            })
            else null
          );
        };
      }));
    };
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ bepasty ];
    # creates gunicorn systemd service for each configured server
@ -115,7 +143,7 @@ in
          serviceConfig = {
            Type = "simple";
            PrivateTmp = true;
-            ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
+            ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
              #!/bin/sh
              mkdir -p "${server.workDir}"
              mkdir -p "${server.dataDir}"
@ -123,7 +151,7 @@ in
              cat > ${server.workDir}/bepasty-${name}.conf <<EOF
              SITENAME="${name}"
              STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
-              SECRET_KEY="${server.secretKey}"
+              SECRET_KEY="$(cat "${server.secretKeyFile}")"
              DEFAULT_PERMISSIONS="${server.defaultPermissions}"
              ${server.extraConfig}
              EOF
--- a/nixos/modules/services/misc/cgminer.nix
+++ b/nixos/modules/services/misc/cgminer.nix
@ -6,7 +6,7 @@ let
  cfg = config.services.cgminer;
  convType = with builtins;
-    v: if isBool v then (if v then "true" else "false") else toString v;
+    v: if isBool v then boolToString v else toString v;
  mergedHwConfig =
    mapAttrsToList (n: v: ''"${n}": "${(concatStringsSep "," (map convType v))}"'')
      (foldAttrs (n: a: [n] ++ a) [] cfg.hardware);
--- a/nixos/modules/services/misc/confd.nix
+++ b/nixos/modules/services/misc/confd.nix
@ -12,7 +12,7 @@ let
    nodes = [ ${concatMapStringsSep "," (s: ''"${s}"'') cfg.nodes}, ]
    prefix = "${cfg.prefix}"
    log-level = "${cfg.logLevel}"
-    watch = ${if cfg.watch then "true" else "false"}
+    watch = ${boolToString cfg.watch}
  '';
 in {
--- a/nixos/modules/services/misc/etcd.nix
+++ b/nixos/modules/services/misc/etcd.nix
@ -119,7 +119,7 @@ in {
    extraConf = mkOption {
      description = ''
        Etcd extra configuration. See
-        <link xlink:href='https://github.com/coreos/etcd/blob/master/Documentation/configuration.md#environment-variables' />
+        <link xlink:href='https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags' />
      '';
      type = types.attrsOf types.str;
      default = {};
--- a/nixos/modules/services/misc/jackett.nix
+++ b/nixos/modules/services/misc/jackett.nix
@ -0,0 +1,47 @@
 { config, pkgs, lib, mono, ... }:
 with lib;
 let
  cfg = config.services.jackett;
 in
 {
  options = {
    services.jackett = {
      enable = mkEnableOption "Jackett";
    };
  };
  config = mkIf cfg.enable {
    systemd.services.jackett = {
      description = "Jackett";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        test -d /var/lib/jackett/ || {
          echo "Creating jackett data directory in /var/lib/jackett/"
          mkdir -p /var/lib/jackett/
        }
        chown -R jackett:jackett /var/lib/jackett/
        chmod 0700 /var/lib/jackett/
      '';
      serviceConfig = {
        Type = "simple";
        User = "jackett";
        Group = "jackett";
        PermissionsStartOnly = "true";
        ExecStart = "${pkgs.jackett}/bin/Jackett";
        Restart = "on-failure";
      };
    };
    users.extraUsers.jackett = {
      uid = config.ids.uids.jackett;
      home = "/var/lib/jackett";
      group = "jackett";
    };
    users.extraGroups.jackett.gid = config.ids.gids.jackett;
  };
 }
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@ -5,9 +5,8 @@ with lib;
 let
  cfg = config.services.matrix-synapse;
  logConfigFile = pkgs.writeText "log_config.yaml" cfg.logConfig;
-  mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${fromBool r.compress}}'';
+  mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${boolToString r.compress}}'';
-  mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${fromBool l.tls}, x_forwarded: ${fromBool l.x_forwarded}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';
+  mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${boolToString l.tls}, x_forwarded: ${boolToString l.x_forwarded}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';
  fromBool = x: if x then "true" else "false";
  configFile = pkgs.writeText "homeserver.yaml" ''
 ${optionalString (cfg.tls_certificate_path != null) ''
 tls_certificate_path: "${cfg.tls_certificate_path}"
@ -18,7 +17,7 @@ tls_private_key_path: "${cfg.tls_private_key_path}"
 ${optionalString (cfg.tls_dh_params_path != null) ''
 tls_dh_params_path: "${cfg.tls_dh_params_path}"
 ''}
-no_tls: ${fromBool cfg.no_tls}
+no_tls: ${boolToString cfg.no_tls}
 ${optionalString (cfg.bind_port != null) ''
 bind_port: ${toString cfg.bind_port}
 ''}
@ -30,7 +29,7 @@ bind_host: "${cfg.bind_host}"
 ''}
 server_name: "${cfg.server_name}"
 pid_file: "/var/run/matrix-synapse.pid"
-web_client: ${fromBool cfg.web_client}
+web_client: ${boolToString cfg.web_client}
 ${optionalString (cfg.public_baseurl != null) ''
 public_baseurl: "${cfg.public_baseurl}"
 ''}
@ -58,8 +57,8 @@ media_store_path: "/var/lib/matrix-synapse/media"
 uploads_path: "/var/lib/matrix-synapse/uploads"
 max_upload_size: "${cfg.max_upload_size}"
 max_image_pixels: "${cfg.max_image_pixels}"
-dynamic_thumbnails: ${fromBool cfg.dynamic_thumbnails}
+dynamic_thumbnails: ${boolToString cfg.dynamic_thumbnails}
-url_preview_enabled: ${fromBool cfg.url_preview_enabled}
+url_preview_enabled: ${boolToString cfg.url_preview_enabled}
 ${optionalString (cfg.url_preview_enabled == true) ''
 url_preview_ip_range_blacklist: ${builtins.toJSON cfg.url_preview_ip_range_blacklist}
 url_preview_ip_range_whitelist: ${builtins.toJSON cfg.url_preview_ip_range_whitelist}
@ -67,10 +66,10 @@ url_preview_url_blacklist: ${builtins.toJSON cfg.url_preview_url_blacklist}
 ''}
 recaptcha_private_key: "${cfg.recaptcha_private_key}"
 recaptcha_public_key: "${cfg.recaptcha_public_key}"
-enable_registration_captcha: ${fromBool cfg.enable_registration_captcha}
+enable_registration_captcha: ${boolToString cfg.enable_registration_captcha}
 turn_uris: ${builtins.toJSON cfg.turn_uris}
 turn_shared_secret: "${cfg.turn_shared_secret}"
-enable_registration: ${fromBool cfg.enable_registration}
+enable_registration: ${boolToString cfg.enable_registration}
 ${optionalString (cfg.registration_shared_secret != null) ''
 registration_shared_secret: "${cfg.registration_shared_secret}"
 ''}
@ -78,15 +77,15 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
 turn_user_lifetime: "${cfg.turn_user_lifetime}"
 user_creation_max_duration: ${cfg.user_creation_max_duration}
 bcrypt_rounds: ${cfg.bcrypt_rounds}
-allow_guest_access: ${fromBool cfg.allow_guest_access}
+allow_guest_access: ${boolToString cfg.allow_guest_access}
 trusted_third_party_id_servers: ${builtins.toJSON cfg.trusted_third_party_id_servers}
 room_invite_state_types: ${builtins.toJSON cfg.room_invite_state_types}
 ${optionalString (cfg.macaroon_secret_key != null) ''
  macaroon_secret_key: "${cfg.macaroon_secret_key}"
 ''}
-expire_access_token: ${fromBool cfg.expire_access_token}
+expire_access_token: ${boolToString cfg.expire_access_token}
-enable_metrics: ${fromBool cfg.enable_metrics}
+enable_metrics: ${boolToString cfg.enable_metrics}
-report_stats: ${fromBool cfg.report_stats}
+report_stats: ${boolToString cfg.report_stats}
 signing_key_path: "/var/lib/matrix-synapse/homeserver.signing.key"
 key_refresh_interval: "${cfg.key_refresh_interval}"
 perspectives:
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -41,12 +41,12 @@ let
        build-users-group = nixbld
        build-max-jobs = ${toString (cfg.maxJobs)}
        build-cores = ${toString (cfg.buildCores)}
-        build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then (if cfg.useSandbox then "true" else "false") else cfg.useSandbox}
+        build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox}
        build-sandbox-paths = ${toString cfg.sandboxPaths} /bin/sh=${sh} $(echo $extraPaths)
        binary-caches = ${toString cfg.binaryCaches}
        trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
        binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
-        auto-optimise-store = ${if cfg.autoOptimiseStore then "true" else "false"}
+        auto-optimise-store = ${boolToString cfg.autoOptimiseStore}
        ${optionalString cfg.requireSignedBinaryCaches ''
          signed-binary-caches = *
        ''}
--- a/Show More
+++ b/Show More