Merge remote-tracking branch 'upstream/master' into sage-8.5

2018-12-29 12:16:02 +01:00 · 2018-12-29 12:16:02 +01:00 · 22c16ed300
commit 22c16ed300
parent 95909d4fb6 19894adb77
2837 changed files with 46442 additions and 42275 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -55,7 +55,7 @@
 /pkgs/top-level/python-packages.nix     @FRidh
 /pkgs/development/interpreters/python   @FRidh
 /pkgs/development/python-modules        @FRidh
-/doc/languages-frameworks/python.md     @FRidh
+/doc/languages-frameworks/python.section.md     @FRidh
 # Haskell
 /pkgs/development/compilers/ghc                       @peti @ryantm @basvandijk
@ -64,13 +64,18 @@
 /pkgs/development/haskell-modules/generic-builder.nix @peti @ryantm @basvandijk
 /pkgs/development/haskell-modules/hoogle.nix          @peti @ryantm @basvandijk
 # Perl
 /pkgs/development/interpreters/perl @volth
 /pkgs/top-level/perl-packages.nix   @volth
 /pkgs/development/perl-modules      @volth
 # R
 /pkgs/applications/science/math/R   @peti
 /pkgs/development/r-modules         @peti
 # Ruby
-/pkgs/development/interpreters/ruby @zimbatm
+/pkgs/development/interpreters/ruby @alyssais @zimbatm
-/pkgs/development/ruby-modules      @zimbatm
+/pkgs/development/ruby-modules      @alyssais @zimbatm
 # Rust
 /pkgs/development/compilers/rust @Mic92 @LnL7
--- a/.gitignore
+++ b/.gitignore
@ -13,4 +13,5 @@ result-*
 .DS_Store
 /pkgs/development/libraries/qt-5/*/tmp/
-/pkgs/desktops/kde-5/*/tmp/
+/pkgs/desktops/kde-5/*/tmp/
 /pkgs/development/mobile/androidenv/xml/*
--- a/doc/coding-conventions.xml
+++ b/doc/coding-conventions.xml
@ -56,25 +56,30 @@ foo { arg = ...; }
     or list elements should be aligned:
 <programlisting>
 # A long list.
-list =
+list = [
-  [ elem1
+  elem1
-    elem2
+  elem2
-    elem3
+  elem3
-  ];
+];
 # A long attribute set.
 attrs =
  { attr1 = short_expr;
    attr2 =
      if true then big_expr else big_expr;
  };
 # Alternatively:
 attrs = {
  attr1 = short_expr;
  attr2 =
    if true then big_expr else big_expr;
 };
 # Combined
 listOfAttrs = [
  {
    attr1 = 3;
    attr2 = "fff";
  }
  {
    attr1 = 5;
    attr2 = "ggg";
  }
 ];
 </programlisting>
    </para>
   </listitem>
--- a/doc/cross-compilation.xml
+++ b/doc/cross-compilation.xml
@ -385,7 +385,7 @@ nix-build &lt;nixpkgs&gt; --arg crossSystem '(import &lt;nixpkgs/lib&gt;).system
    Eventually we would like to make these platform examples an unnecessary
    convenience so that
 <programlisting>
-nix-build &lt;nixpkgs&gt; --arg crossSystem.config '&lt;arch&gt;-&lt;os&gt;-&lt;vendor&gt;-&lt;abi&gt;' -A whatever</programlisting>
+nix-build &lt;nixpkgs&gt; --arg crossSystem '{ config = "&lt;arch&gt;-&lt;os&gt;-&lt;vendor&gt;-&lt;abi&gt;"; }' -A whatever</programlisting>
    works in the vast majority of cases. The problem today is dependencies on
    other sorts of configuration which aren't given proper defaults. We rely on
    the examples to crudely to set those configuration parameters in some
--- a/doc/languages-frameworks/android.section.md
+++ b/doc/languages-frameworks/android.section.md
@ -0,0 +1,240 @@
 ---
 title: Android
 author: Sander van der Burg
 date: 2018-11-18
 ---
 # Android
 The Android build environment provides three major features and a number of
 supporting features.
 Deploying an Android SDK installation with plugins
 --------------------------------------------------
 The first use case is deploying the SDK with a desired set of plugins or subsets
 of an SDK.
 ```nix
 with import <nixpkgs> {};
 let
  androidComposition = androidenv.composeAndroidPackages {
    toolsVersion = "25.2.5";
    platformToolsVersion = "27.0.1";
    buildToolsVersions = [ "27.0.3" ];
    includeEmulator = false;
    emulatorVersion = "27.2.0";
    platformVersions = [ "24" ];
    includeSources = false;
    includeDocs = false;
    includeSystemImages = false;
    systemImageTypes = [ "default" ];
    abiVersions = [ "armeabi-v7a" ];
    lldbVersions = [ "2.0.2558144" ];
    cmakeVersions = [ "3.6.4111459" ];
    includeNDK = false;
    ndkVersion = "16.1.4479499";
    useGoogleAPIs = false;
    useGoogleTVAddOns = false;
    includeExtras = [
      "extras;google;gcm"
    ];
  };
 in
 androidComposition.androidsdk
 ```
 The above function invocation states that we want an Android SDK with the above
 specified plugin versions. By default, most plugins are disabled. Notable
 exceptions are the tools, platform-tools and build-tools sub packages.
 The following parameters are supported:
 * `toolsVersion`, specifies the version of the tools package to use
 * `platformsToolsVersion` specifies the version of the `platform-tools` plugin
 * `buildToolsVersion` specifies the versions of the `build-tools` plugins to
  use.
 * `includeEmulator` specifies whether to deploy the emulator package (`false`
  by default). When enabled, the version of the emulator to deploy can be
  specified by setting the `emulatorVersion` parameter.
 * `includeDocs` specifies whether the documentation catalog should be included.
 * `lldbVersions` specifies what LLDB versions should be deployed.
 * `cmakeVersions` specifies which CMake versions should be deployed.
 * `includeNDK` specifies that the Android NDK bundle should be included.
  Defaults to: `false`.
 * `ndkVersion` specifies the NDK version that we want to use.
 * `includeExtras` is an array of identifier strings referring to arbitrary
  add-on packages that should be installed.
 * `platformVersions` specifies which platform SDK versions should be included.
 For each platform version that has been specified, we can apply the following
 options:
 * `includeSystemImages` specifies whether a system image for each platform SDK
  should be included.
 * `includeSources` specifies whether the sources for each SDK version should be
  included.
 * `useGoogleAPIs` specifies that for each selected platform version the
  Google API should be included.
 * `useGoogleTVAddOns` specifies that for each selected platform version the
  Google TV add-on should be included.
 For each requested system image we can specify the following options:
 * `systemImageTypes` specifies what kind of system images should be included.
  Defaults to: `default`.
 * `abiVersions` specifies what kind of ABI version of each system image should
  be included. Defaults to: `armeabi-v7a`.
 Most of the function arguments have reasonable default settings.
 When building the above expression with:
 ```bash
 $ nix-build
 ```
 The Android SDK gets deployed with all desired plugin versions.
 We can also deploy subsets of the Android SDK. For example, to only the the
 `platform-tools` package, you can evaluate the following expression:
 ```nix
 with import <nixpkgs> {};
 let
  androidComposition = androidenv.composeAndroidPackages {
    # ...
  };
 in
 androidComposition.platform-tools
 ```
 Using predefine Android package compositions
 --------------------------------------------
 In addition to composing an Android package set manually, it is also possible
 to use a predefined composition that contains all basic packages for a specific
 Android version, such as version 9.0 (API-level 28).
 The following Nix expression can be used to deploy the entire SDK with all basic
 plugins:
 ```nix
 with import <nixpkgs> {};
 androidenv.androidPkgs_9_0.androidsdk
 ```
 It is also possible to use one plugin only:
 ```nix
 with import <nixpkgs> {};
 androidenv.androidPkgs_9_0.platform-tools
 ```
 Building an Android application
 -------------------------------
 In addition to the SDK, it is also possible to build an Ant-based Android
 project and automatically deploy all the Android plugins that a project
 requires.
 ```nix
 with import <nixpkgs> {};
 androidenv.buildApp {
  name = "MyAndroidApp";
  src = ./myappsources;
  release = true;
  # If release is set to true, you need to specify the following parameters
  keyStore = ./keystore;
  keyAlias = "myfirstapp";
  keyStorePassword = "mykeystore";
  keyAliasPassword = "myfirstapp";
  # Any Android SDK parameters that install all the relevant plugins that a
  # build requires
  platformVersions = [ "24" ];
  # When we include the NDK, then ndk-build is invoked before Ant gets invoked
  includeNDK = true;
 }
 ```
 Aside from the app-specific build parameters (`name`, `src`, `release` and
 keystore parameters), the `buildApp {}` function supports all the function
 parameters that the SDK composition function (the function shown in the
 previous section) supports.
 This build function is particularly useful when it is desired to use
 [Hydra](http://nixos.org/hydra): the Nix-based continuous integration solution
 to build Android apps. An Android APK gets exposed as a build product and can be
 installed on any Android device with a web browser by navigating to the build
 result page.
 Spawning emulator instances
 ---------------------------
 For testing purposes, it can also be quite convenient to automatically generate
 scripts that spawn emulator instances with all desired configuration settings.
 An emulator spawn script can be configured by invoking the `emulateApp {}`
 function:
 ```nix
 with import <nixpkgs> {};
 androidenv.emulateApp {
  name = "emulate-MyAndroidApp";
  platformVersion = "24";
  abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
  systemImageType = "default";
  useGoogleAPIs = false;
 }
 ```
 It is also possible to specify an APK to deploy inside the emulator
 and the package and activity names to launch it:
 ```nix
 with import <nixpkgs> {};
 androidenv.emulateApp {
  name = "emulate-MyAndroidApp";
  platformVersion = "24";
  abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
  systemImageType = "default";
  useGoogleAPIs = false;
  app = ./MyApp.apk;
  package = "MyApp";
  activity = "MainActivity";
 }
 ```
 In addition to prebuilt APKs, you can also bind the APK parameter to a
 `buildApp {}` function invocation shown in the previous example.
 Querying the available versions of each plugin
 ----------------------------------------------
 When using any of the previously shown functions, it may be a bit inconvenient
 to find out what options are supported, since the Android SDK provides many
 plugins.
 A shell script in the `pkgs/development/mobile/androidenv/` sub directory can be used to retrieve all
 possible options:
 ```bash
 sh ./querypackages.sh packages build-tools
 ```
 The above command-line instruction queries all build-tools versions in the
 generated `packages.nix` expression.
 Updating the generated expressions
 ----------------------------------
 Most of the Nix expressions are generated from XML files that the Android
 package manager uses. To update the expressions run the `generate.sh` script
 that is stored in the `pkgs/development/mobile/androidenv/` sub directory:
 ```bash
 sh ./generate.sh
 ```
--- a/doc/languages-frameworks/haskell.section.md
+++ b/doc/languages-frameworks/haskell.section.md
@ -935,7 +935,7 @@ The implementation can be found in the
 [integer-gmp](http://hackage.haskell.org/package/integer-gmp) package.
 A potential problem with this is that GMP is licensed under the
-[GNU Lesser General Public License (LGPL)](http://www.gnu.org/copyleft/lesser.html),
+[GNU Lesser General Public License (LGPL)](https://www.gnu.org/copyleft/lesser.html),
 a kind of "copyleft" license. According to the terms of the LGPL, paragraph 5,
 you may distribute a program that is designed to be compiled and dynamically
 linked with the library under the terms of your choice (i.e., commercially) but
--- a/doc/languages-frameworks/index.xml
+++ b/doc/languages-frameworks/index.xml
@ -10,12 +10,14 @@
  Nixpkgs to easily build packages for other programming languages, such as
  Perl or Haskell. These are described in this chapter.
 </para>
 <xi:include href="android.section.xml" />
 <xi:include href="beam.xml" />
 <xi:include href="bower.xml" />
 <xi:include href="coq.xml" />
 <xi:include href="go.xml" />
 <xi:include href="haskell.section.xml" />
 <xi:include href="idris.section.xml" />
 <xi:include href="ios.section.xml" />
 <xi:include href="java.xml" />
 <xi:include href="lua.xml" />
 <xi:include href="node.section.xml" />
@ -27,6 +29,7 @@
 <xi:include href="ruby.xml" />
 <xi:include href="rust.section.xml" />
 <xi:include href="texlive.xml" />
 <xi:include href="titanium.section.xml" />
 <xi:include href="vim.section.xml" />
 <xi:include href="emscripten.section.xml" />
 </chapter>
--- a/doc/languages-frameworks/ios.section.md
+++ b/doc/languages-frameworks/ios.section.md
@ -0,0 +1,219 @@
 ---
 title: iOS
 author: Sander van der Burg
 date: 2018-11-18
 ---
 # iOS
 This component is basically a wrapper/workaround that makes it possible to
 expose an Xcode installation as a Nix package by means of symlinking to the
 relevant executables on the host system.
 Since Xcode can't be packaged with Nix, nor we can publish it as a Nix package
 (because of its license) this is basically the only integration strategy
 making it possible to do iOS application builds that integrate with other
 components of the Nix ecosystem
 The primary objective of this project is to use the Nix expression language to
 specify how iOS apps can be built from source code, and to automatically spawn
 iOS simulator instances for testing.
 This component also makes it possible to use [Hydra](http://nixos.org/hydra),
 the Nix-based continuous integration server to regularly build iOS apps and to
 do wireless ad-hoc installations of enterprise IPAs on iOS devices through
 Hydra.
 The Xcode build environment implements a number of features.
 Deploying a proxy component wrapper exposing Xcode
 --------------------------------------------------
 The first use case is deploying a Nix package that provides symlinks to the Xcode
 installation on the host system. This package can be used as a build input to
 any build function implemented in the Nix expression language that requires
 Xcode.
 ```nix
 let
  pkgs = import <nixpkgs> {};
  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
 in
 xcodeenv.composeXcodeWrapper {
  version = "9.2";
  xcodeBaseDir = "/Applications/Xcode.app";
 }
 ```
 By deploying the above expression with `nix-build` and inspecting its content
 you will notice that several Xcode-related executables are exposed as a Nix
 package:
 ```bash
 $ ls result/bin
 lrwxr-xr-x  1 sander  staff  94  1 jan  1970 Simulator -> /Applications/Xcode.app/Contents/Developer/Applications/Simulator.app/Contents/MacOS/Simulator
 lrwxr-xr-x  1 sander  staff  17  1 jan  1970 codesign -> /usr/bin/codesign
 lrwxr-xr-x  1 sander  staff  17  1 jan  1970 security -> /usr/bin/security
 lrwxr-xr-x  1 sander  staff  21  1 jan  1970 xcode-select -> /usr/bin/xcode-select
 lrwxr-xr-x  1 sander  staff  61  1 jan  1970 xcodebuild -> /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild
 lrwxr-xr-x  1 sander  staff  14  1 jan  1970 xcrun -> /usr/bin/xcrun
 ```
 Building an iOS application
 ---------------------------
 We can build an iOS app executable for the simulator, or an IPA/xcarchive file
 for release purposes, e.g. ad-hoc, enterprise or store installations, by
 executing the `xcodeenv.buildApp {}` function:
 ```nix
 let
  pkgs = import <nixpkgs> {};
  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
 in
 xcodeenv.buildApp {
  name = "MyApp";
  src = ./myappsources;
  sdkVersion = "11.2";
  target = null; # Corresponds to the name of the app by default
  configuration = null; # Release for release builds, Debug for debug builds
  scheme = null; # -scheme will correspond to the app name by default
  sdk = null; # null will set it to 'iphonesimulator` for simulator builds or `iphoneos` to real builds
  xcodeFlags = "";
  release = true;
  certificateFile = ./mycertificate.p12;
  certificatePassword = "secret";
  provisioningProfile = ./myprovisioning.profile;
  signMethod = "ad-hoc"; # 'enterprise' or 'store'
  generateIPA = true;
  generateXCArchive = false;
  enableWirelessDistribution = true;
  installURL = "/installipa.php";
  bundleId = "mycompany.myapp";
  appVersion = "1.0";
  # Supports all xcodewrapper parameters as well
  xcodeBaseDir = "/Applications/Xcode.app";
 }
 ```
 The above function takes a variety of parameters:
 * The `name` and `src` parameters are mandatory and specify the name of the app
  and the location where the source code resides
 * `sdkVersion` specifies which version of the iOS SDK to use.
 It also possile to adjust the `xcodebuild` parameters. This is only needed in
 rare circumstances. In most cases the default values should suffice:
 * Specifies which `xcodebuild` target to build. By default it takes the target
  that has the same name as the app.
 * The `configuration` parameter can be overridden if desired. By default, it
  will do a debug build for the simulator and a release build for real devices.
 * The `scheme` parameter specifies which `-scheme` parameter to propagate to
  `xcodebuild`. By default, it corresponds to the app name.
 * The `sdk` parameter specifies which SDK to use. By default, it picks
  `iphonesimulator` for simulator builds and `iphoneos` for release builds.
 * The `xcodeFlags` parameter specifies arbitrary command line parameters that
  should be propagated to `xcodebuild`.
 By default, builds are carried out for the iOS simulator. To do release builds
 (builds for real iOS devices), you must set the `release` parameter to `true`.
 In addition, you need to set the following parameters:
 * `certificateFile` refers to a P12 certificate file.
 * `certificatePassword` specifies the password of the P12 certificate.
 * `provisioningProfile` refers to the provision profile needed to sign the app
 * `signMethod` should refer to `ad-hoc` for signing the app with an ad-hoc
  certificate, `enterprise` for enterprise certificates and `app-store` for App
  store certificates.
 * `generateIPA` specifies that we want to produce an IPA file (this is probably
  what you want)
 * `generateXCArchive` specifies thet we want to produce an xcarchive file.
 When building IPA files on Hydra and when it is desired to allow iOS devices to
 install IPAs by browsing to the Hydra build products page, you can enable the
 `enableWirelessDistribution` parameter.
 When enabled, you need to configure the following options:
 * The `installURL` parameter refers to the URL of a PHP script that composes the
  `itms-services://` URL allowing iOS devices to install the IPA file.
 * `bundleId` refers to the bundle ID value of the app
 * `appVersion` refers to the app's version number
 To use wireless adhoc distributions, you must also install the corresponding
 PHP script on a web server (see section: 'Installing the PHP script for wireless
 ad hoc installations from Hydra' for more information).
 In addition to the build parameters, you can also specify any parameters that
 the `xcodeenv.composeXcodeWrapper {}` function takes. For example, the
 `xcodeBaseDir` parameter can be overridden to refer to a different Xcode
 version.
 Spawning simulator instances
 ----------------------------
 In addition to building iOS apps, we can also automatically spawn simulator
 instances:
 ```nix
 let
  pkgs = import <nixpkgs> {};
  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
 in
 xcode.simulateApp {
  name = "simulate";
  # Supports all xcodewrapper parameters as well
  xcodeBaseDir = "/Applications/Xcode.app";
 }
 ```
 The above expression produces a script that starts the simulator from the
 provided Xcode installation. The script can be started as follows:
 ```bash
 ./result/bin/run-test-simulator
 ```
 By default, the script will show an overview of UDID for all available simulator
 instances and asks you to pick one. You can also provide a UDID as a
 command-line parameter to launch an instance automatically:
 ```bash
 ./result/bin/run-test-simulator 5C93129D-CF39-4B1A-955F-15180C3BD4B8
 ```
 You can also extend the simulator script to automatically deploy and launch an
 app in the requested simulator instance:
 ```nix
 let
  pkgs = import <nixpkgs> {};
  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
 in
 xcode.simulateApp {
  name = "simulate";
  bundleId = "mycompany.myapp";
  app = xcode.buildApp {
    # ...
  };
  # Supports all xcodewrapper parameters as well
  xcodeBaseDir = "/Applications/Xcode.app";
 }
 ```
 By providing the result of an `xcode.buildApp {}` function and configuring the
 app bundle id, the app gets deployed automatically and started.
--- a/doc/languages-frameworks/python.section.md
+++ b/doc/languages-frameworks/python.section.md
@ -484,10 +484,12 @@ and in this case the `python35` interpreter is automatically used.
 ### Interpreters
 Versions 2.7, 3.5, 3.6 and 3.7 of the CPython interpreter are available as
-respectively `python27`, `python35`, `python36`, and `python37`. The PyPy
+respectively `python27`, `python35`, `python36` and `python37`. The aliases
-interpreter is available as `pypy`. The aliases `python2` and `python3`
+`python2` and `python3` correspond to respectively `python27` and
-correspond to respectively `python27` and `python37`. The default interpreter,
+`python37`. The default interpreter, `python`, maps to `python2`. The PyPy
-`python`, maps to `python2`. The Nix expressions for the interpreters can be
+interpreters compatible with Python 2.7 and 3 are available as `pypy27` and
 `pypy3`, with aliases `pypy2` mapping to `pypy27` and `pypy` mapping to
 `pypy2`. The Nix expressions for the interpreters can be
 found in `pkgs/development/interpreters/python`.
 All packages depending on any Python interpreter get appended
@ -1102,7 +1104,7 @@ on `numpy` will be built with `mkl`.
 The following is an overlay that configures `numpy` to use `mkl`:
 ```nix
 self: super: {
-  python36 = super.python36.override {
+  python37 = super.python37.override {
    packageOverrides = python-self: python-super: {
      numpy = python-super.numpy.override {
        blas = super.pkgs.mkl;
@ -1112,6 +1114,15 @@ self: super: {
 }
 ```
 `mkl` requires an `openmp` implementation when running with multiple processors.
 By default, `mkl` will use Intel's `iomp` implementation if no other is
 specified, but this is a runtime-only dependency and binary compatible with the
 LLVM implementation. To use that one instead, Intel recommends users set it with
 `LD_PRELOAD`.
 Note that `mkl` is only available on `x86_64-{linux,darwin}` platforms;
 moreover, Hydra is not building and distributing pre-compiled binaries using it.
 ## Contributing
 ### Contributing guidelines
--- a/doc/languages-frameworks/ruby.xml
+++ b/doc/languages-frameworks/ruby.xml
@ -50,6 +50,17 @@ bundlerEnv rec {
  future updates can be run easily.
 </para>
 <para>
  Updating Ruby packages can then be done like this:
 </para>
 <screen>
 <![CDATA[$ cd pkgs/servers/monitoring/sensu
 $ nix-shell -p bundler --run 'bundle lock --update'
 $ nix-shell -p bundix --run 'bundix'
 ]]>
 </screen>
 <para>
  For tools written in Ruby - i.e. where the desire is to install a package and
  then execute e.g. <command>rake</command> at the command line, there is an
--- a/doc/languages-frameworks/texlive.xml
+++ b/doc/languages-frameworks/texlive.xml
@ -49,12 +49,12 @@ texlive.combine {
   </listitem>
   <listitem>
    <para>
-     You can list packages e.g. by <command>nix-repl</command>.
+     You can list packages e.g. by <command>nix repl</command>.
-<programlisting>
+<programlisting><![CDATA[
-$ nix-repl
+$ nix repl
-nix-repl> :l &lt;nixpkgs>
+nix-repl> :l <nixpkgs>
-nix-repl> texlive.collection-&lt;TAB>
+nix-repl> texlive.collection-<TAB>
-      </programlisting>
+]]></programlisting>
    </para>
   </listitem>
   <listitem>
--- a/doc/languages-frameworks/titanium.section.md
+++ b/doc/languages-frameworks/titanium.section.md
@ -0,0 +1,115 @@
 ---
 title: Titanium
 author: Sander van der Burg
 date: 2018-11-18
 ---
 # Titanium
 The Nixpkgs repository contains facilities to deploy a variety of versions of
 the [Titanium SDK](https://www.appcelerator.com) versions, a cross-platform
 mobile app development framework using JavaScript as an implementation language,
 and includes a function abstraction making it possible to build Titanium
 applications for Android and iOS devices from source code.
 Not all Titanium features supported -- currently, it can only be used to build
 Android and iOS apps.
 Building a Titanium app
 -----------------------
 We can build a Titanium app from source for Android or iOS and for debugging or
 release purposes by invoking the `titaniumenv.buildApp {}` function:
 ```nix
 titaniumenv.buildApp {
  name = "myapp";
  src = ./myappsource;
  preBuild = "";
  target = "android"; # or 'iphone'
  tiVersion = "7.1.0.GA";
  release = true;
  androidsdkArgs = {
    platformVersions = [ "25" "26" ];
  };
  androidKeyStore = ./keystore;
  androidKeyAlias = "myfirstapp";
  androidKeyStorePassword = "secret";
  xcodeBaseDir = "/Applications/Xcode.app";
  xcodewrapperArgs = {
    version = "9.3";
  };
  iosMobileProvisioningProfile = ./myprovisioning.profile;
  iosCertificateName = "My Company";
  iosCertificate = ./mycertificate.p12;
  iosCertificatePassword = "secret";
  iosVersion = "11.3";
  iosBuildStore = false;
  enableWirelessDistribution = true;
  installURL = "/installipa.php";
 }
 ```
 The `titaniumenv.buildApp {}` function takes the following parameters:
 * The `name` parameter refers to the name in the Nix store.
 * The `src` parameter refers to the source code location of the app that needs
  to be built.
 * `preRebuild` contains optional build instructions that are carried out before
  the build starts.
 * `target` indicates for which device the app must be built. Currently only
  'android' and 'iphone' (for iOS) are supported.
 * `tiVersion` can be used to optionally override the requested Titanium version
  in `tiapp.xml`. If not specified, it will use the version in `tiapp.xml`.
 * `release` should be set to true when building an app for submission to the
  Google Playstore or Apple Appstore. Otherwise, it should be false.
 When the `target` has been set to `android`, we can configure the following
 parameters:
 * The `androidSdkArgs` parameter refers to an attribute set that propagates all
  parameters to the `androidenv.composeAndroidPackages {}` function. This can
  be used to install all relevant Android plugins that may be needed to perform
  the Android build. If no parameters are given, it will deploy the platform
  SDKs for API-levels 25 and 26 by default.
 When the `release` parameter has been set to true, you need to provide
 parameters to sign the app:
 * `androidKeyStore` is the path to the keystore file
 * `androidKeyAlias` is the key alias
 * `androidKeyStorePassword` refers to the password to open the keystore file.
 When the `target` has been set to `iphone`, we can configure the following
 parameters:
 * The `xcodeBaseDir` parameter refers to the location where Xcode has been
  installed. When none value is given, the above value is the default.
 * The `xcodewrapperArgs` parameter passes arbitrary parameters to the
  `xcodeenv.composeXcodeWrapper {}` function. This can, for example, be used
  to adjust the default version of Xcode.
 When `release` has been set to true, you also need to provide the following
 parameters:
 * `iosMobileProvisioningProfile` refers to a mobile provisioning profile needed
  for signing.
 * `iosCertificateName` refers to the company name in the P12 certificate.
 * `iosCertificate` refers to the path to the P12 file.
 * `iosCertificatePassword` contains the password to open the P12 file.
 * `iosVersion` refers to the iOS SDK version to use. It defaults to the latest
  version.
 * `iosBuildStore` should be set to `true` when building for the Apple Appstore
  submission. For enterprise or ad-hoc builds it should be set to `false`.
 When `enableWirelessDistribution` has been enabled, you must also provide the
 path of the PHP script (`installURL`) (that is included with the iOS build
 environment) to enable wireless ad-hoc installations.
 Emulating or simulating the app
 -------------------------------
 It is also possible to simulate the correspond iOS simulator build by using
 `xcodeenv.simulateApp {}` and emulate an Android APK by using
 `androidenv.emulateApp {}`.
--- a/doc/languages-frameworks/vim.section.md
+++ b/doc/languages-frameworks/vim.section.md
@ -48,7 +48,7 @@ neovim.override {
 ## Managing plugins with Vim packages
-To store you plugins in Vim packages the following example can be used:
+To store you plugins in Vim packages (the native vim plugin manager, see `:help packages`) the following example can be used:
 ```
 vim_configurable.customize {
@ -56,6 +56,8 @@ vim_configurable.customize {
    # loaded on launch
    start = [ youcompleteme fugitive ];
    # manually loadable by calling `:packadd $plugin-name`
    # however, if a vim plugin has a dependency that is not explicitly listed in
 	# opt that dependency will always be added to start to avoid confusion.
    opt = [ phpCompletion elm-vim ];
    # To automatically load a plugin when opening a filetype, add vimrc lines like:
    # autocmd FileType php :packadd phpCompletion
@ -63,6 +65,7 @@ vim_configurable.customize {
 }
 ```
 `myVimPackage` is an arbitrary name for the generated package. You can choose any name you like.
 For Neovim the syntax is:
 ```
@ -74,6 +77,8 @@ neovim.override {
    packages.myVimPackage = with pkgs.vimPlugins; {
      # see examples below how to use custom packages
      start = [ ];
      # If a vim plugin has a dependency that is not explicitly listed in
      # opt that dependency will always be added to start to avoid confusion.
      opt = [ ];
    };
  };
--- a/doc/meta.xml
+++ b/doc/meta.xml
@ -14,7 +14,7 @@ meta = with stdenv.lib; {
    GNU Hello is a program that prints "Hello, world!" when you run it.
    It is fully customizable.
  '';
-  homepage = http://www.gnu.org/software/hello/manual/;
+  homepage = https://www.gnu.org/software/hello/manual/;
  license = licenses.gpl3Plus;
  maintainers = [ maintainers.eelco ];
  platforms = platforms.all;
@ -35,7 +35,7 @@ $ nix-env -qa hello --json
    "hello": {
        "meta": {
            "description": "A program that produces a familiar, friendly greeting",
-            "homepage": "http://www.gnu.org/software/hello/manual/",
+            "homepage": "https://www.gnu.org/software/hello/manual/",
            "license": {
                "fullName": "GNU General Public License version 3 or later",
                "shortName": "GPLv3+",
@ -135,7 +135,7 @@ hello-2.3  A program that produces a familiar, friendly greeting
    <listitem>
     <para>
      The package’s homepage. Example:
-      <literal>http://www.gnu.org/software/hello/manual/</literal>
+      <literal>https://www.gnu.org/software/hello/manual/</literal>
     </para>
    </listitem>
   </varlistentry>
@ -146,7 +146,7 @@ hello-2.3  A program that produces a familiar, friendly greeting
    <listitem>
     <para>
      The page where a link to the current version can be found. Example:
-      <literal>http://ftp.gnu.org/gnu/hello/</literal>
+      <literal>https://ftp.gnu.org/gnu/hello/</literal>
     </para>
    </listitem>
   </varlistentry>
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@ -671,6 +671,43 @@ passthru = {
     </para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>
     <varname>passthru.updateScript</varname>
    </term>
    <listitem>
     <para>
      A script to be run by <filename>maintainers/scripts/update.nix</filename> when
      the package is matched. It needs to be an executable file, either on the file
      system:
 <programlisting>
 passthru.updateScript = ./update.sh;
 </programlisting>
      or inside the expression itself:
 <programlisting>
 passthru.updateScript = writeScript "update-zoom-us" ''
  #!/usr/bin/env nix-shell
  #!nix-shell -i bash -p curl pcre common-updater-scripts
  set -eu -o pipefail
  version="$(curl -sI https://zoom.us/client/latest/zoom_x86_64.tar.xz | grep -Fi 'Location:' | pcregrep -o1 '/(([0-9]\.?)+)/')"
  update-source-version zoom-us "$version"
 '';
 </programlisting>
      The attribute can also contain a list, a script followed by arguments to be passed to it:
 <programlisting>
 passthru.updateScript = [ ../../update.sh pname "--requested-release=unstable" ];
 </programlisting>
      Note that the update scripts will be run in parallel by default; you should avoid running <command>git commit</command> or any other commands that cannot handle that.
     </para>
     <para>
      For information about how to run the updates, execute
      <cmdsynopsis><command>nix-shell</command> <arg>maintainers/scripts/update.nix</arg></cmdsynopsis>.
     </para>
    </listitem>
   </varlistentry>
  </variablelist>
 </section>
 <section xml:id="sec-stdenv-phases">
@ -2463,17 +2500,17 @@ addEnvHooks "$hostOffset" myBashFunction
     <listitem>
      <para>
       This hook will make a build pause instead of stopping when a failure
-       happen. It prevents nix to cleanup the build environment immediatly and
+       happens. It prevents nix from cleaning up the build environment immediately and
       allows the user to attach to a build environment using the
-       <command>cntr</command> command. On build error it will print the
+       <command>cntr</command> command. Upon build error it will print
-       instruction that are neccessary for <command>cntr</command>. Installing
+       instructions on how to use <command>cntr</command>. Installing
       cntr and running the command will provide shell access to the build
       sandbox of failed build. At <filename>/var/lib/cntr</filename> the
-       sandbox filesystem is mounted. All commands and files of the system are
+       sandboxed filesystem is mounted. All commands and files of the system are
       still accessible within the shell. To execute commands from the sandbox
       use the cntr exec subcommand. Note that <command>cntr</command> also
       needs to be executed on the machine that is doing the build, which might
-       be not the case when remote builders are enabled.
+       not be the case when remote builders are enabled.
       <command>cntr</command> is only supported on Linux-based platforms. To
       use it first add <literal>cntr</literal> to your
       <literal>environment.systemPackages</literal> on NixOS or alternatively to
@ -2488,6 +2525,23 @@ addEnvHooks "$hostOffset" myBashFunction
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term>
      libiconv, libintl
     </term>
     <listitem>
       <para>
 	 A few libraries automatically add to
 	 <literal>NIX_LDFLAGS</literal> their library, making their
 	 symbols automatically available to the linker. This includes
 	 libiconv and libintl (gettext). This is done to provide
 	 compatibility between GNU Linux, where libiconv and libintl
 	 are bundled in, and other systems where that might not be the
 	 case. Sometimes, this behavior is not desired. To disable
 	 this behavior, set <literal>dontAddExtraLibs</literal>.
       </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term>
      cmake
--- a/lib/attrsets.nix
+++ b/lib/attrsets.nix
@ -94,6 +94,15 @@ rec {
  attrValues = builtins.attrValues or (attrs: attrVals (attrNames attrs) attrs);
  /* Given a set of attribute names, return the set of the corresponding
     attributes from the given set.
     Example:
       getAttrs [ "a" "b" ] { a = 1; b = 2; c = 3; }
       => { a = 1; b = 2; }
  */
  getAttrs = names: attrs: genAttrs names (name: attrs.${name});
  /* Collect each attribute named `attr' from a list of attribute
     sets.  Sets that don't contain the named attribute are ignored.
--- a/lib/default.nix
+++ b/lib/default.nix
@ -61,10 +61,10 @@ let
      boolToString mergeAttrs flip mapNullable inNixShell min max
      importJSON warn info nixpkgsVersion version mod compare
      splitByAndCompare functionArgs setFunctionArgs isFunction;
-    inherit (fixedPoints) fix fix' extends composeExtensions
+    inherit (fixedPoints) fix fix' converge extends composeExtensions
      makeExtensible makeExtensibleWithCustomName;
    inherit (attrsets) attrByPath hasAttrByPath setAttrByPath
-      getAttrFromPath attrVals attrValues catAttrs filterAttrs
+      getAttrFromPath attrVals attrValues getAttrs catAttrs filterAttrs
      filterAttrsRecursive foldAttrs collect nameValuePair mapAttrs
      mapAttrs' mapAttrsToList mapAttrsRecursive mapAttrsRecursiveCond
      genAttrs isDerivation toDerivation optionalAttrs
--- a/lib/fixed-points.nix
+++ b/lib/fixed-points.nix
@ -24,6 +24,16 @@ rec {
  # for a concrete example.
  fix' = f: let x = f x // { __unfix__ = f; }; in x;
  # Return the fixpoint that `f` converges to when called recursively, starting
  # with the input `x`.
  #
  #     nix-repl> converge (x: x / 2) 16
  #     0
  converge = f: x:
    if (f x) == x
    then x
    else converge f (f x);
  # Modify the contents of an explicitly recursive attribute set in a way that
  # honors `self`-references. This is accomplished with a function
  #
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -29,13 +29,13 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
  };
  agpl3 = spdx {
-    spdxId = "AGPL-3.0";
+    spdxId = "AGPL-3.0-only";
-    fullName = "GNU Affero General Public License v3.0";
+    fullName = "GNU Affero General Public License v3.0 only";
  };
-  agpl3Plus = {
+  agpl3Plus = spdx {
    spdxId = "AGPL-3.0-or-later";
    fullName = "GNU Affero General Public License v3.0 or later";
    inherit (agpl3) url;
  };
  amazonsl = {
@ -266,13 +266,23 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
  };
  fdl12 = spdx {
-    spdxId = "GFDL-1.2";
+    spdxId = "GFDL-1.2-only";
-    fullName = "GNU Free Documentation License v1.2";
+    fullName = "GNU Free Documentation License v1.2 only";
  };
  fdl12Plus = spdx {
    spdxId = "GFDL-1.2-or-later";
    fullName = "GNU Free Documentation License v1.2 or later";
  };
  fdl13 = spdx {
-    spdxId = "GFDL-1.3";
+    spdxId = "GFDL-1.3-only";
-    fullName = "GNU Free Documentation License v1.3";
+    fullName = "GNU Free Documentation License v1.3 only";
  };
  fdl13Plus = spdx {
    spdxId = "GFDL-1.3-or-later";
    fullName = "GNU Free Documentation License v1.3 or later";
  };
  ffsl = {
@ -297,24 +307,23 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
  };
  gpl1 = spdx {
-    spdxId = "GPL-1.0";
+    spdxId = "GPL-1.0-only";
    fullName = "GNU General Public License v1.0 only";
  };
  gpl1Plus = spdx {
-    spdxId = "GPL-1.0+";
+    spdxId = "GPL-1.0-or-later";
    fullName = "GNU General Public License v1.0 or later";
  };
  gpl2 = spdx {
-    spdxId = "GPL-2.0";
+    spdxId = "GPL-2.0-only";
    fullName = "GNU General Public License v2.0 only";
  };
-  gpl2Classpath = {
+  gpl2Classpath = spdx {
    spdxId = "GPL-2.0-with-classpath-exception";
    fullName = "GNU General Public License v2.0 only (with Classpath exception)";
    url = https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception;
  };
  gpl2ClasspathPlus = {
@ -328,17 +337,17 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
  };
  gpl2Plus = spdx {
-    spdxId = "GPL-2.0+";
+    spdxId = "GPL-2.0-or-later";
    fullName = "GNU General Public License v2.0 or later";
  };
  gpl3 = spdx {
-    spdxId = "GPL-3.0";
+    spdxId = "GPL-3.0-only";
    fullName = "GNU General Public License v3.0 only";
  };
  gpl3Plus = spdx {
-    spdxId = "GPL-3.0+";
+    spdxId = "GPL-3.0-or-later";
    fullName = "GNU General Public License v3.0 or later";
  };
@ -408,32 +417,32 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
  };
  lgpl2 = spdx {
-    spdxId = "LGPL-2.0";
+    spdxId = "LGPL-2.0-only";
    fullName = "GNU Library General Public License v2 only";
  };
  lgpl2Plus = spdx {
-    spdxId = "LGPL-2.0+";
+    spdxId = "LGPL-2.0-or-later";
    fullName = "GNU Library General Public License v2 or later";
  };
  lgpl21 = spdx {
-    spdxId = "LGPL-2.1";
+    spdxId = "LGPL-2.1-only";
    fullName = "GNU Library General Public License v2.1 only";
  };
  lgpl21Plus = spdx {
-    spdxId = "LGPL-2.1+";
+    spdxId = "LGPL-2.1-or-later";
    fullName = "GNU Library General Public License v2.1 or later";
  };
  lgpl3 = spdx {
-    spdxId = "LGPL-3.0";
+    spdxId = "LGPL-3.0-only";
    fullName = "GNU Lesser General Public License v3.0 only";
  };
  lgpl3Plus = spdx {
-    spdxId = "LGPL-3.0+";
+    spdxId = "LGPL-3.0-or-later";
    fullName = "GNU Lesser General Public License v3.0 or later";
  };
@ -505,6 +514,12 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
    free = false;
  };
  nasa13 = spdx {
    spdxId = "NASA-1.3";
    fullName = "NASA Open Source Agreement 1.3";
    free = false;
  };
  ncsa = spdx {
    spdxId = "NCSA";
    fullName  = "University of Illinois/NCSA Open Source License";
@ -691,7 +706,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
  };
  wxWindows = spdx {
-    spdxId = "WXwindows";
+    spdxId = "wxWindows";
    fullName = "wxWindows Library Licence, Version 3.1";
  };
--- a/lib/strings.nix
+++ b/lib/strings.nix
@ -236,6 +236,26 @@ rec {
    in lenContent >= lenSuffix &&
       substring (lenContent - lenSuffix) lenContent content == suffix;
  /* Determine whether a string contains the given infix
    Type: hasInfix :: string -> string -> bool
    Example:
      hasInfix "bc" "abcd"
      => true
      hasInfix "ab" "abcd"
      => true
      hasInfix "cd" "abcd"
      => true
      hasInfix "foo" "abcd"
      => false
  */
  hasInfix = infix: content:
    let
      drop = x: substring 1 (stringLength x) x;
    in hasPrefix infix content
      || content != "" && hasInfix infix (drop content);
  /* Convert a string to a list of characters (i.e. singleton strings).
     This allows you to, e.g., map a function over each character.  However,
     note that this will likely be horribly inefficient; Nix is not a
--- a/lib/systems/default.nix
+++ b/lib/systems/default.nix
@ -66,6 +66,46 @@ rec {
         # uname -r
         release = null;
      };
      qemuArch =
        if final.isArm then "arm"
        else if final.isx86_64 then "x86_64"
        else if final.isx86 then "i386"
        else {
          "powerpc" = "ppc";
          "powerpc64" = "ppc64";
          "powerpc64le" = "ppc64";
          "mips64" = "mips";
          "mipsel64" = "mipsel";
        }.${final.parsed.cpu.name} or final.parsed.cpu.name;
      emulator = pkgs: let
        qemu-user = pkgs.qemu.override {
          smartcardSupport = false;
          spiceSupport = false;
          openGLSupport = false;
          virglSupport = false;
          vncSupport = false;
          gtkSupport = false;
          sdlSupport = false;
          pulseSupport = false;
          smbdSupport = false;
          seccompSupport = false;
          hostCpuTargets = ["${final.qemuArch}-linux-user"];
        };
        wine-name = "wine${toString final.parsed.cpu.bits}";
        wine = (pkgs.winePackagesFor wine-name).minimal;
      in
        if final.parsed.kernel.name == pkgs.stdenv.hostPlatform.parsed.kernel.name &&
           (final.parsed.cpu.name == pkgs.stdenv.hostPlatform.parsed.cpu.name ||
            (final.platform.isi686 && pkgs.stdenv.hostPlatform.isx86_64))
        then pkgs.runtimeShell
        else if final.isWindows
        then "${wine}/bin/${wine-name}"
        else if final.isLinux && pkgs.stdenv.hostPlatform.isLinux
        then "${qemu-user}/bin/qemu-${final.qemuArch}"
        else throw "Don't know how to run ${final.config} executables.";
    } // mapAttrs (n: v: v final.parsed) inspect.predicates
      // args;
  in assert final.useAndroidPrebuilt -> final.isAndroid;
--- a/lib/systems/examples.nix
+++ b/lib/systems/examples.nix
@ -2,7 +2,14 @@
 # `crossSystem`. They are put here for user convenience, but also used by cross
 # tests and linux cross stdenv building, so handle with care!
 { lib }:
-let platforms = import ./platforms.nix { inherit lib; }; in
+let
  platforms = import ./platforms.nix { inherit lib; };
  riscv = bits: {
    config = "riscv${bits}-unknown-linux-gnu";
    platform = platforms.riscv-multiplatform bits;
  };
 in
 rec {
  #
@ -40,7 +47,7 @@ rec {
  armv5te-android-prebuilt = rec {
    config = "armv5tel-unknown-linux-androideabi";
    sdkVer = "21";
-    ndkVer = "10e";
+    ndkVer = "18b";
    platform = platforms.armv5te-android;
    useAndroidPrebuilt = true;
  };
@ -48,7 +55,7 @@ rec {
  armv7a-android-prebuilt = rec {
    config = "armv7a-unknown-linux-androideabi";
    sdkVer = "24";
-    ndkVer = "17c";
+    ndkVer = "18b";
    platform = platforms.armv7a-android;
    useAndroidPrebuilt = true;
  };
@ -56,7 +63,7 @@ rec {
  aarch64-android-prebuilt = rec {
    config = "aarch64-unknown-linux-android";
    sdkVer = "24";
-    ndkVer = "17c";
+    ndkVer = "18b";
    platform = platforms.aarch64-multiplatform;
    useAndroidPrebuilt = true;
  };
@ -92,10 +99,6 @@ rec {
  musl64 = { config = "x86_64-unknown-linux-musl"; };
  musl32  = { config = "i686-unknown-linux-musl"; };
  riscv = bits: {
    config = "riscv${bits}-unknown-linux-gnu";
    platform = platforms.riscv-multiplatform bits;
  };
  riscv64 = riscv "64";
  riscv32 = riscv "32";
@ -107,6 +110,10 @@ rec {
    config = "arm-none-eabi";
    libc = "newlib";
  };
  armhf-embedded = {
    config = "arm-none-eabihf";
    libc = "newlib";
  };
  aarch64-embedded = {
    config = "aarch64-none-elf";
--- a/lib/systems/parse.nix
+++ b/lib/systems/parse.nix
@ -209,8 +209,15 @@ rec {
  abis = setTypes types.openAbi {
    cygnus       = {};
    msvc         = {};
-    eabi         = {};
+
-    elf         = {};
+    # Note: eabi is specific to ARM and PowerPC.
    # On PowerPC, this corresponds to PPCEABI.
    # On ARM, this corresponds to ARMEABI.
    eabi         = { float = "soft"; };
    eabihf       = { float = "hard"; };
    # Other architectures should use ELF in embedded situations.
    elf          = {};
    androideabi  = {};
    android      = {
@ -272,10 +279,8 @@ rec {
    "2" = # We only do 2-part hacks for things Nix already supports
      if elemAt l 1 == "cygwin"
        then { cpu = elemAt l 0;                      kernel = "windows";  abi = "cygnus";   }
-      else if (elemAt l 1 == "eabi")
+      else if (elemAt l 1) == "elf"
-        then { cpu = elemAt l 0; vendor = "none"; kernel = "none"; abi = elemAt l 1; }
+      then { cpu = elemAt l 0; vendor = "unknown";    kernel = "none";     abi = elemAt l 1; }
      else if (elemAt l 1 == "elf")
        then { cpu = elemAt l 0; vendor = "none"; kernel = "none"; abi = elemAt l 1; }
      else   { cpu = elemAt l 0;                      kernel = elemAt l 1;                   };
    "3" = # Awkwards hacks, beware!
      if elemAt l 1 == "apple"
@ -286,10 +291,8 @@ rec {
        then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = "windows";  abi = "gnu"; }
      else if hasPrefix "netbsd" (elemAt l 2)
        then { cpu = elemAt l 0; vendor = elemAt l 1;    kernel = elemAt l 2;                }
-      else if (elemAt l 2 == "eabi")
+      else if (elem (elemAt l 2) ["eabi" "eabihf" "elf"])
-        then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = "none"; abi = elemAt l 2; }
+        then { cpu = elemAt l 0; vendor = "unknown"; kernel = elemAt l 1; abi = elemAt l 2; }
      else if (elemAt l 2 == "elf")
        then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = "none"; abi = elemAt l 2; }
      else throw "Target specification with 3 components is ambiguous";
    "4" =    { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; abi = elemAt l 3; };
  }.${toString (length l)}
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -256,6 +256,11 @@
    github = "AndrewMorsillo";
    name = "Andrew Morsillo";
  };
  andersk = {
    email = "andersk@mit.edu";
    github = "andersk";
    name = "Anders Kaseorg";
  };
  AndersonTorres = {
    email = "torres.anderson.85@protonmail.com";
    github = "AndersonTorres";
@ -401,6 +406,11 @@
    github = "aszlig";
    name = "aszlig";
  };
  atnnn = {
    email = "etienne@atnnn.com";
    github = "atnnn";
    name = "Etienne Laurin";
  };
  auntie = {
    email = "auntieNeo@gmail.com";
    github = "auntie";
@ -1319,6 +1329,11 @@
    github = "ellis";
    name = "Ellis Whitehead";
  };
  elohmeier = {
    email = "elo-nixos@nerdworks.de";
    github = "elohmeier";
    name = "Enno Lohmeier";
  };
  elseym = {
    email = "elseym@me.com";
    github = "elseym";
@ -1889,6 +1904,11 @@
    github = "ironpinguin";
    name = "Michele Catalano";
  };
  ivan = {
    email = "ivan@ludios.org";
    github = "ivan";
    name = "Ivan Kozik";
  };
  ivan-tkatchev = {
    email = "tkatchev@gmail.com";
    name = "Ivan Tkatchev";
@ -1918,6 +1938,11 @@
    github = "jagajaga";
    name = "Arseniy Seroka";
  };
  jakelogemann = {
    email = "jake.logemann@gmail.com";
    github = "jakelogemann";
    name = "Jake Logemann";
  };
  jammerful = {
    email = "jammerful@gmail.com";
    github = "jammerful";
@ -2052,6 +2077,11 @@
    github = "jluttine";
    name = "Jaakko Luttinen";
  };
  jmagnusj = {
    email = "jmagnusj@gmail.com";
    github = "magnusjonsson";
    name = "Johan Magnus Jonsson";
  };
  jmettes = {
    email = "jonathan@jmettes.com";
    github = "jmettes";
@ -2459,6 +2489,11 @@
    github = "listx";
    name = "Linus Arver";
  };
  lionello = {
    email = "lio@lunesu.com";
    github = "lionello";
    name = "Lionello Lunesu";
  };
  lluchs = {
    email = "lukas.werling@gmail.com";
    github = "lluchs";
@ -3404,6 +3439,11 @@
    github = "pkmx";
    name = "Chih-Mao Chen";
  };
  plchldr = {
    email = "mail@oddco.de";
    github = "plchldr";
    name = "Jonas Beyer";
  };
  plcplc = {
    email = "plcplc@gmail.com";
    github = "plcplc";
@ -3856,6 +3896,11 @@
    github = "sboosali";
    name = "Sam Boosalis";
  };
  scalavision = {
    email = "scalavision@gmail.com";
    github = "scalavision";
    name = "Tom Sorlie";
  };
  schmitthenner = {
    email = "development@schmitthenner.eu";
    github = "fkz";
@ -3925,6 +3970,11 @@
    github = "seppeljordan";
    name = "Sebastian Jordan";
  };
  seqizz = {
    email = "seqizz@gmail.com";
    github = "seqizz";
    name = "Gurkan Gur";
  };
  sfrijters = {
    email = "sfrijters@gmail.com";
    github = "sfrijters";
@ -4258,6 +4308,11 @@
    github = "talyz";
    name = "Kim Lindberger";
  };
  taneb = {
    email = "nvd1234@gmail.com";
    github = "Taneb";
    name = "Nathan van Doorn";
  };
  tari = {
    email = "peter@taricorp.net";
    github = "tari";
--- a/maintainers/scripts/update-python-libraries
+++ b/maintainers/scripts/update-python-libraries
@ -1,361 +1,5 @@
-#! /usr/bin/env nix-shell
+#!/bin/sh
-#! nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ packaging requests toolz ])" -p git
+build=`nix-build -E "with import (fetchTarball "channel:nixpkgs-unstable") {}; python3.withPackages(ps: with ps; [ packaging requests toolz ])"`
 python=${build}/bin/python
 exec ${python} pkgs/development/interpreters/python/update-python-libraries/update-python-libraries.py $@
 """
 Update a Python package expression by passing in the `.nix` file, or the directory containing it.
 You can pass in multiple files or paths.
 You'll likely want to use
 ``
  $ ./update-python-libraries ../../pkgs/development/python-modules/*
 ``
 to update all libraries in that folder.
 """
 import argparse
 import logging
 import os
 import re
 import requests
 import toolz
 from concurrent.futures import ThreadPoolExecutor as Pool
 from packaging.version import Version as _Version
 from packaging.version import InvalidVersion
 from packaging.specifiers import SpecifierSet
 import collections
 import subprocess
 INDEX = "https://pypi.io/pypi"
 """url of PyPI"""
 EXTENSIONS = ['tar.gz', 'tar.bz2', 'tar', 'zip', '.whl']
 """Permitted file extensions. These are evaluated from left to right and the first occurance is returned."""
 PRERELEASES = False
 import logging
 logging.basicConfig(level=logging.INFO)
 class Version(_Version, collections.abc.Sequence):
    def __init__(self, version):
        super().__init__(version)
        # We cannot use `str(Version(0.04.21))` because that becomes `0.4.21`
        # https://github.com/avian2/unidecode/issues/13#issuecomment-354538882
        self.raw_version = version
    def __getitem__(self, i):
        return self._version.release[i]
    def __len__(self):
        return len(self._version.release)
    def __iter__(self):
        yield from self._version.release
 def _get_values(attribute, text):
    """Match attribute in text and return all matches.
    :returns: List of matches.
    """
    regex = '{}\s+=\s+"(.*)";'.format(attribute)
    regex = re.compile(regex)
    values = regex.findall(text)
    return values
 def _get_unique_value(attribute, text):
    """Match attribute in text and return unique match.
    :returns: Single match.
    """
    values = _get_values(attribute, text)
    n = len(values)
    if n > 1:
        raise ValueError("found too many values for {}".format(attribute))
    elif n == 1:
        return values[0]
    else:
        raise ValueError("no value found for {}".format(attribute))
 def _get_line_and_value(attribute, text):
    """Match attribute in text. Return the line and the value of the attribute."""
    regex = '({}\s+=\s+"(.*)";)'.format(attribute)
    regex = re.compile(regex)
    value = regex.findall(text)
    n = len(value)
    if n > 1:
        raise ValueError("found too many values for {}".format(attribute))
    elif n == 1:
        return value[0]
    else:
        raise ValueError("no value found for {}".format(attribute))
 def _replace_value(attribute, value, text):
    """Search and replace value of attribute in text."""
    old_line, old_value = _get_line_and_value(attribute, text)
    new_line = old_line.replace(old_value, value)
    new_text = text.replace(old_line, new_line)
    return new_text
 def _fetch_page(url):
    r = requests.get(url)
    if r.status_code == requests.codes.ok:
        return r.json()
    else:
        raise ValueError("request for {} failed".format(url))
 SEMVER = {
    'major' : 0,
    'minor' : 1,
    'patch' : 2,
 }
 def _determine_latest_version(current_version, target, versions):
    """Determine latest version, given `target`.
    """
    current_version = Version(current_version)
    def _parse_versions(versions):
        for v in versions:
            try:
                yield Version(v)
            except InvalidVersion:
                pass
    versions = _parse_versions(versions)
    index = SEMVER[target]
    ceiling = list(current_version[0:index])
    if len(ceiling) == 0:
        ceiling = None
    else:
        ceiling[-1]+=1
        ceiling = Version(".".join(map(str, ceiling)))
    # We do not want prereleases
    versions = SpecifierSet(prereleases=PRERELEASES).filter(versions)
    if ceiling is not None:
        versions = SpecifierSet(f"<{ceiling}").filter(versions)
    return (max(sorted(versions))).raw_version
 def _get_latest_version_pypi(package, extension, current_version, target):
    """Get latest version and hash from PyPI."""
    url = "{}/{}/json".format(INDEX, package)
    json = _fetch_page(url)
    versions = json['releases'].keys()
    version = _determine_latest_version(current_version, target, versions)
    try:
        releases = json['releases'][version]
    except KeyError as e:
        raise KeyError('Could not find version {} for {}'.format(version, package)) from e
    for release in releases:
        if release['filename'].endswith(extension):
            # TODO: In case of wheel we need to do further checks!
            sha256 = release['digests']['sha256']
            break
    else:
        sha256 = None
    return version, sha256
 def _get_latest_version_github(package, extension, current_version, target):
    raise ValueError("updating from GitHub is not yet supported.")
 FETCHERS = {
    'fetchFromGitHub'   :   _get_latest_version_github,
    'fetchPypi'         :   _get_latest_version_pypi,
    'fetchurl'          :   _get_latest_version_pypi,
 }
 DEFAULT_SETUPTOOLS_EXTENSION = 'tar.gz'
 FORMATS = {
    'setuptools'        :   DEFAULT_SETUPTOOLS_EXTENSION,
    'wheel'             :   'whl'
 }
 def _determine_fetcher(text):
    # Count occurences of fetchers.
    nfetchers = sum(text.count('src = {}'.format(fetcher)) for fetcher in FETCHERS.keys())
    if nfetchers == 0:
        raise ValueError("no fetcher.")
    elif nfetchers > 1:
        raise ValueError("multiple fetchers.")
    else:
        # Then we check which fetcher to use.
        for fetcher in FETCHERS.keys():
            if 'src = {}'.format(fetcher) in text:
                return fetcher
 def _determine_extension(text, fetcher):
    """Determine what extension is used in the expression.
    If we use:
    - fetchPypi, we check if format is specified.
    - fetchurl, we determine the extension from the url.
    - fetchFromGitHub we simply use `.tar.gz`.
    """
    if fetcher == 'fetchPypi':
        try:
            src_format = _get_unique_value('format', text)
        except ValueError as e:
            src_format = None   # format was not given
        try:
            extension = _get_unique_value('extension', text)
        except ValueError as e:
            extension = None    # extension was not given
        if extension is None:
            if src_format is None:
                src_format = 'setuptools'
            elif src_format == 'flit':
                raise ValueError("Don't know how to update a Flit package.")
            extension = FORMATS[src_format]
    elif fetcher == 'fetchurl':
        url = _get_unique_value('url', text)
        extension = os.path.splitext(url)[1]
        if 'pypi' not in url:
            raise ValueError('url does not point to PyPI.')
    elif fetcher == 'fetchFromGitHub':
        raise ValueError('updating from GitHub is not yet implemented.')
    return extension
 def _update_package(path, target):
    # Read the expression
    with open(path, 'r') as f:
        text = f.read()
    # Determine pname.
    pname = _get_unique_value('pname', text)
    # Determine version.
    version = _get_unique_value('version', text)
    # First we check how many fetchers are mentioned.
    fetcher = _determine_fetcher(text)
    extension = _determine_extension(text, fetcher)
    new_version, new_sha256 = FETCHERS[fetcher](pname, extension, version, target)
    if new_version == version:
        logging.info("Path {}: no update available for {}.".format(path, pname))
        return False
    elif Version(new_version) <= Version(version):
        raise ValueError("downgrade for {}.".format(pname))
    if not new_sha256:
        raise ValueError("no file available for {}.".format(pname))
    text = _replace_value('version', new_version, text)
    text = _replace_value('sha256', new_sha256, text)
    with open(path, 'w') as f:
        f.write(text)
        logging.info("Path {}: updated {} from {} to {}".format(path, pname, version, new_version))
    result = {
        'path'  : path,
        'target': target,
        'pname': pname,
        'old_version'   : version,
        'new_version'   : new_version,
        #'fetcher'       : fetcher,
        }
    return result
 def _update(path, target):
    # We need to read and modify a Nix expression.
    if os.path.isdir(path):
        path = os.path.join(path, 'default.nix')
    # If a default.nix does not exist, we quit.
    if not os.path.isfile(path):
        logging.info("Path {}: does not exist.".format(path))
        return False
    # If file is not a Nix expression, we quit.
    if not path.endswith(".nix"):
        logging.info("Path {}: does not end with `.nix`.".format(path))
        return False
    try:
        return _update_package(path, target)
    except ValueError as e:
        logging.warning("Path {}: {}".format(path, e))
        return False
 def _commit(path, pname, old_version, new_version, **kwargs):
    """Commit result.
    """
    msg = f'python: {pname}: {old_version} -> {new_version}'
    try:
        subprocess.check_call(['git', 'add', path])
        subprocess.check_call(['git', 'commit', '-m', msg])
    except subprocess.CalledProcessError as e:
        subprocess.check_call(['git', 'checkout', path])
        raise subprocess.CalledProcessError(f'Could not commit {path}') from e
    return True
 def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('package', type=str, nargs='+')
    parser.add_argument('--target', type=str, choices=SEMVER.keys(), default='major')
    parser.add_argument('--commit', action='store_true', help='Create a commit for each package update')
    args = parser.parse_args()
    target = args.target
    packages = list(map(os.path.abspath, args.package))
    logging.info("Updating packages...")
    # Use threads to update packages concurrently
    with Pool() as p:
        results = list(p.map(lambda pkg: _update(pkg, target), packages))
    logging.info("Finished updating packages.")
    # Commits are created sequentially.
    if args.commit:
        logging.info("Committing updates...")
        list(map(lambda x: _commit(**x), filter(bool, results)))
        logging.info("Finished committing updates")
    count = sum(map(bool, results))
    logging.info("{} package(s) updated".format(count))
 if __name__ == '__main__':
    main()
--- a/maintainers/scripts/update.nix
+++ b/maintainers/scripts/update.nix
@ -1,6 +1,8 @@
 { package ? null
 , maintainer ? null
 , path ? null
 , max-workers ? null
 , keep-going ? null
 }:
 # TODO: add assert statements
@ -105,26 +107,23 @@ let
        % nix-shell maintainers/scripts/update.nix --argstr path gnome3
    to run update script for all package under an attribute path.
    You can also add
        --argstr max-workers 8
    to increase the number of jobs in parallel, or
        --argstr keep-going true
    to continue running when a single update fails.
  '';
-  runUpdateScript = package: ''
+  packageData = package: {
-    echo -ne " - ${package.name}: UPDATING ..."\\r
+    name = package.name;
-    ${package.updateScript} &> ${(builtins.parseDrvName package.name).name}.log
+    pname = (builtins.parseDrvName package.name).name;
-    CODE=$?
+    updateScript = pkgs.lib.toList package.updateScript;
-    if [ "$CODE" != "0" ]; then
+  };
      echo " - ${package.name}: ERROR       "
      echo ""
      echo "--- SHOWING ERROR LOG FOR ${package.name} ----------------------"
      echo ""
      cat ${(builtins.parseDrvName package.name).name}.log
      echo ""
      echo "--- SHOWING ERROR LOG FOR ${package.name} ----------------------"
      exit $CODE
    else
      rm ${(builtins.parseDrvName package.name).name}.log
    fi
    echo " - ${package.name}: DONE.       "
  '';
 in pkgs.stdenv.mkDerivation {
  name = "nixpkgs-update-script";
@ -139,21 +138,7 @@ in pkgs.stdenv.mkDerivation {
    exit 1
  '';
  shellHook = ''
-    echo ""
+    unset shellHook # do not contaminate nested shells
-    echo "Going to be running update for following packages:"
+    exec ${pkgs.python3.interpreter} ${./update.py} ${pkgs.writeText "packages.json" (builtins.toJSON (map packageData packages))}${pkgs.lib.optionalString (max-workers != null) " --max-workers=${max-workers}"}${pkgs.lib.optionalString (keep-going == "true") " --keep-going"}
    echo "${builtins.concatStringsSep "\n" (map (x: " - ${x.name}") packages)}"
    echo ""
    read -n1 -r -p "Press space to continue..." confirm
    if [ "$confirm" = "" ]; then
      echo ""
      echo "Running update for:"
      ${builtins.concatStringsSep "\n" (map runUpdateScript packages)}
      echo ""
      echo "Packages updated!"
      exit 0
    else
      echo "Aborting!"
      exit 1
    fi
  '';
 }
--- a/maintainers/scripts/update.py
+++ b/maintainers/scripts/update.py
@ -0,0 +1,79 @@
 import argparse
 import concurrent.futures
 import json
 import os
 import subprocess
 import sys
 updates = {}
 def eprint(*args, **kwargs):
    print(*args, file=sys.stderr, **kwargs)
 def run_update_script(package):
    eprint(f" - {package['name']}: UPDATING ...")
    subprocess.run(package['updateScript'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, check=True)
 def main(max_workers, keep_going, packages):
    with open(sys.argv[1]) as f:
        packages = json.load(f)
    eprint()
    eprint('Going to be running update for following packages:')
    for package in packages:
        eprint(f" - {package['name']}")
    eprint()
    confirm = input('Press Enter key to continue...')
    if confirm == '':
        eprint()
        eprint('Running update for:')
        with concurrent.futures.ProcessPoolExecutor(max_workers=max_workers) as executor:
            for package in packages:
                updates[executor.submit(run_update_script, package)] = package
            for future in concurrent.futures.as_completed(updates):
                package = updates[future]
                try:
                    future.result()
                    eprint(f" - {package['name']}: DONE.")
                except subprocess.CalledProcessError as e:
                    eprint(f" - {package['name']}: ERROR")
                    eprint()
                    eprint(f"--- SHOWING ERROR LOG FOR {package['name']} ----------------------")
                    eprint()
                    eprint(e.stdout.decode('utf-8'))
                    with open(f"{package['pname']}.log", 'wb') as f:
                        f.write(e.stdout)
                    eprint()
                    eprint(f"--- SHOWING ERROR LOG FOR {package['name']} ----------------------")
                    if not keep_going:
                        sys.exit(1)
        eprint()
        eprint('Packages updated!')
        sys.exit()
    else:
        eprint('Aborting!')
        sys.exit(130)
 parser = argparse.ArgumentParser(description='Update packages')
 parser.add_argument('--max-workers', '-j', dest='max_workers', type=int, help='Number of updates to run concurrently', nargs='?', default=4)
 parser.add_argument('--keep-going', '-k', dest='keep_going', action='store_true', help='Do not stop after first failure')
 parser.add_argument('packages', help='JSON file containing the list of package names and their update scripts')
 if __name__ == '__main__':
    args = parser.parse_args()
    try:
        main(args.max_workers, args.keep_going, args.packages)
    except (KeyboardInterrupt, SystemExit) as e:
        for update in updates:
            update.cancel()
        sys.exit(e.code if isinstance(e, SystemExit) else 130)
--- a/nixos/doc/manual/configuration/adding-custom-packages.xml
+++ b/nixos/doc/manual/configuration/adding-custom-packages.xml
@ -31,7 +31,7 @@ $ cd nixpkgs
 <para>
  The second possibility is to add the package outside of the Nixpkgs tree. For
  instance, here is how you specify a build of the
-  <link xlink:href="http://www.gnu.org/software/hello/">GNU Hello</link>
+  <link xlink:href="https://www.gnu.org/software/hello/">GNU Hello</link>
  package directly in <filename>configuration.nix</filename>:
 <programlisting>
 <xref linkend="opt-environment.systemPackages"/> =
--- a/nixos/doc/manual/configuration/modularity.xml
+++ b/nixos/doc/manual/configuration/modularity.xml
@ -113,12 +113,10 @@ $ nixos-option <xref linkend="opt-boot.kernelModules"/>
 [ "tun" "ipv6" "loop" <replaceable>...</replaceable> ]
 </screen>
  Interactive exploration of the configuration is possible using
-  <command
+  <command>nix repl</command>, a read-eval-print loop for Nix expressions.
-xlink:href="https://github.com/edolstra/nix-repl">nix-repl</command>,
+  A typical use:
  a read-eval-print loop for Nix expressions. It’s not installed by default;
  run <literal>nix-env -i nix-repl</literal> to get it. A typical use:
 <screen>
-$ nix-repl '&lt;nixpkgs/nixos>'
+$ nix repl '&lt;nixpkgs/nixos>'
 nix-repl> config.<xref linkend="opt-networking.hostName"/>
 "mandark"
@ -127,4 +125,23 @@ nix-repl> map (x: x.hostName) config.<xref linkend="opt-services.httpd.virtualHo
 [ "example.org" "example.gov" ]
 </screen>
 </para>
 <para>
   While abstracting your configuration, you may find it useful to generate
   modules using code, instead of writing files. The example
   below would have the same effect as importing a file which sets those
   options.
   <screen>
     { config, pkgs, ... }:
     let netConfig = { hostName }: {
       networking.hostName = hostName;
       networking.useDHCP = false;
    };
    in
    { imports = [ (netConfig "nixos.localdomain") ]; }
  </screen>
 </para>
 </section>
--- a/nixos/doc/manual/development/running-nixos-tests-interactively.xml
+++ b/nixos/doc/manual/development/running-nixos-tests-interactively.xml
@ -19,7 +19,7 @@ starting VDE switch for network 1
 &gt; startAll
 &gt; testScript
 &gt; $machine->succeed("touch /tmp/foo")
-&gt; print($machine->succeed("pwd"), "\n") # Show stdout of command
+&gt; print($machine->succeed("pwd")) # Show stdout of command
 </screen>
  The function <command>testScript</command> executes the entire test script
  and drops you back into the test driver command line upon its completion.
--- a/nixos/doc/manual/development/writing-nixos-tests.xml
+++ b/nixos/doc/manual/development/writing-nixos-tests.xml
@ -108,7 +108,7 @@ xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualis
 <programlisting>
 $machine->start;
 $machine->waitForUnit("default.target");
-die unless $machine->succeed("uname") =~ /Linux/;
+$machine->succeed("uname") =~ /Linux/ or die;
 </programlisting>
  The first line is actually unnecessary; machines are implicitly started when
  you first execute an action on them (such as <literal>waitForUnit</literal>
--- a/nixos/doc/manual/release-notes/rl-1412.xml
+++ b/nixos/doc/manual/release-notes/rl-1412.xml
@ -17,7 +17,7 @@
   </listitem>
   <listitem>
    <para>
-     <link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165">
+     <link xlink:href="https://www.mail-archive.com/nix-dev@lists.science.uu.nl/msg13957.html">
     Nix has been updated to 1.8.</link>
    </para>
   </listitem>
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@ -39,7 +39,18 @@
  <itemizedlist>
   <listitem>
-    <para />
+    <para>
     <literal>./programs/nm-applet.nix</literal>
    </para>
   </listitem>
   <listitem>
    <para>
     There is a new <varname>security.googleOsLogin</varname> module for using
     <link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS Login</link>
     to manage SSH access to Google Compute Engine instances, which supersedes
     the imperative and broken <literal>google-accounts-daemon</literal> used
     in <literal>nixos/modules/virtualisation/google-compute-config.nix</literal>.
    </para>
   </listitem>
  </itemizedlist>
 </section>
@ -111,6 +122,16 @@
      without Syncthing resetting the permission on every start.
    </para>
   </listitem>
   <listitem>
    <para>
      The <literal>ntp</literal> module now has sane default restrictions.
      If you're relying on the previous defaults, which permitted all queries
      and commands from all firewall-permitted sources, you can set
      <varname>services.ntp.restrictDefault</varname> and
      <varname>services.ntp.restrictSource</varname> to
      <literal>[]</literal>.
    </para>
   </listitem>
   <listitem>
    <para>
     Package <varname>rabbitmq_server</varname> is renamed to
@ -231,8 +252,97 @@
     (<literal>networking.firewall.interfaces.default.*</literal>), and assigning
     to this pseudo device will override the (<literal>networking.firewall.allow*</literal>)
     options.
-    </para>
+   </para>
-   </listitem>
+  </listitem>
  <listitem>
   <para>
     The <literal>nscd</literal> service now disables all caching of
     <literal>passwd</literal> and <literal>group</literal> databases by
     default. This was interferring with the correct functioning of the
     <literal>libnss_systemd.so</literal> module which is used by
     <literal>systemd</literal> to manage uids and usernames in the presence of
     <literal>DynamicUser=</literal> in systemd services.  This was already the
     default behaviour in presence of <literal>services.sssd.enable =
       true</literal> because nscd caching would interfere with
     <literal>sssd</literal> in unpredictable ways as well.  Because we're
     using nscd not for caching, but for convincing glibc to find NSS modules
     in the nix store instead of an absolute path, we have decided to disable
     caching globally now, as it's usually not the behaviour the user wants and
     can lead to surprising behaviour.  Furthermore, negative caching of host
     lookups is also disabled now by default. This should fix the issue of dns
     lookups failing in the presence of an unreliable network.
   </para>
   <para>
     If the old behaviour is desired, this can be restored by setting
     the <literal>services.nscd.config</literal> option
     with the desired caching parameters.
     <programlisting>
     services.nscd.config =
     ''
     server-user             nscd
     threads                 1
     paranoia                no
     debug-level             0
     enable-cache            passwd          yes
     positive-time-to-live   passwd          600
     negative-time-to-live   passwd          20
     suggested-size          passwd          211
     check-files             passwd          yes
     persistent              passwd          no
     shared                  passwd          yes
     enable-cache            group           yes
     positive-time-to-live   group           3600
     negative-time-to-live   group           60
     suggested-size          group           211
     check-files             group           yes
     persistent              group           no
     shared                  group           yes
     enable-cache            hosts           yes
     positive-time-to-live   hosts           600
     negative-time-to-live   hosts           5
     suggested-size          hosts           211
     check-files             hosts           yes
     persistent              hosts           no
     shared                  hosts           yes
     '';
     </programlisting>
     See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
     for details.
   </para>
  </listitem>
  <listitem>
   <para>
     GitLab Shell previously used the nix store paths for the
     <literal>gitlab-shell</literal> command in its
     <literal>authorized_keys</literal> file, which might stop working after
     garbage collection. To circumvent that, we regenerated that file on each
     startup.  As <literal>gitlab-shell</literal> has now been changed to use
     <literal>/var/run/current-system/sw/bin/gitlab-shell</literal>, this is
     not necessary anymore, but there might be leftover lines with a nix store
     path. Regenerate the <literal>authorized_keys</literal> file via
     <command>sudo -u git -H gitlab-rake gitlab:shell:setup</command> in that
     case.
   </para>
  </listitem>
  <listitem>
   <para>
     The <literal>pam_unix</literal> account module is now loaded with its
     control field set to <literal>required</literal> instead of
     <literal>sufficient</literal>, so that later pam account modules that
     might do more extensive checks are being executed.
     Previously, the whole account module verification was exited prematurely
     in case a nss module provided the account name to
     <literal>pam_unix</literal>.
     The LDAP and SSSD NixOS modules already add their NSS modules when
     enabled. In case your setup breaks due to some later pam account module
     previosuly shadowed, or failing NSS lookups, please file a bug. You can
     get back the old behaviour by manually setting
     <literal><![CDATA[security.pam.services.<name?>.text]]></literal>.
   </para>
  </listitem>
  </itemizedlist>
 </section>
@ -273,6 +383,18 @@
      <option>services.kubernetes.addons.dns.replicas</option>.
    </para>
   </listitem>
   <listitem>
     <para>
       The quassel-webserver package and module was removed from nixpkgs due to the lack
       of maintainers.
     </para>
   </listitem>
   <listitem>
     <para>
       The owncloud server packages and httpd subservice module were removed
       from nixpkgs due to the lack of maintainers.
     </para>
   </listitem>
  </itemizedlist>
 </section>
 </section>
--- a/nixos/lib/make-ext4-fs.nix
+++ b/nixos/lib/make-ext4-fs.nix
@ -94,5 +94,24 @@ pkgs.stdenv.mkDerivation {
        cat errorlog
        return 1
      fi
      (
        # Resizes **snugly** to its actual limits (or closer to)
        free=$(dumpe2fs $out | grep '^Free blocks:')
        blocksize=$(dumpe2fs $out | grep '^Block size:')
        blocks=$(dumpe2fs $out | grep '^Block count:')
        blocks=$((''${blocks##*:})) # format the number.
        blocksize=$((''${blocksize##*:})) # format the number.
        # System can't boot with 0 blocks free.
        # Add 16MiB of free space
        fudge=$(( 16 * 1024 * 1024 / blocksize ))
        size=$(( blocks - ''${free##*:} + fudge ))
        echo "Resizing from $blocks blocks to $size blocks. (~ $((size*blocksize/1024/1024))MiB)"
        EXT2FS_NO_MTAB_OK=yes resize2fs $out -f $size
      )
      # And a final fsck, because of the previous truncating.
      fsck.ext4 -n -f $out
    '';
 }
--- a/nixos/lib/make-iso9660-image.sh
+++ b/nixos/lib/make-iso9660-image.sh
@ -47,7 +47,8 @@ if test -n "$bootable"; then
    isoBootFlags="-eltorito-boot ${bootImage}
                  -eltorito-catalog .boot.cat
-                  -no-emul-boot -boot-load-size 4 -boot-info-table"
+                  -no-emul-boot -boot-load-size 4 -boot-info-table
                  --sort-weight 1 /isolinux" # Make sure isolinux is near the beginning of the ISO
 fi
 if test -n "$usbBootable"; then
@ -112,7 +113,7 @@ xorriso="xorriso
 -r
 -path-list pathlist
 --sort-weight 0 /
- --sort-weight 1 /isolinux" # Make sure isolinux is near the beginning of the ISO
+"
 $xorriso -output $out/iso/$isoName
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@ -116,7 +116,7 @@ in rec {
      vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
-      ocrProg = tesseract_4.override { enableLanguages = [ "eng" ]; };
+      ocrProg = tesseract4.override { enableLanguages = [ "eng" ]; };
      imagemagick_tiff = imagemagick_light.override { inherit libtiff; };
@ -156,9 +156,23 @@ in rec {
      test = passMeta (runTests driver);
      report = passMeta (releaseTools.gcovReport { coverageRuns = [ test ]; });
-    in (if makeCoverageReport then report else test) // {
+      nodeNames = builtins.attrNames nodes;
-      inherit nodes driver test;
+      invalidNodeNames = lib.filter
-    };
+        (node: builtins.match "^[A-z_][A-z0-9_]+$" node == null) nodeNames;
    in
      if lib.length invalidNodeNames > 0 then
        throw ''
          Cannot create machines out of (${lib.concatStringsSep ", " invalidNodeNames})!
          All machines are referenced as perl variables in the testing framework which will break the
          script when special characters are used.
          Please stick to alphanumeric chars and underscores as separation.
        ''
      else
        (if makeCoverageReport then report else test) // {
          inherit nodes driver test;
        };
  runInMachine =
    { drv
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@ -7,9 +7,8 @@ rec {
                     || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
  # Check whenever `b` depends on `a` as a fileSystem
-  # FIXME: it's incorrect to simply use hasPrefix here: "/dev/a" is not a parent of "/dev/ab"
+  fsBefore = a: b: a.mountPoint == b.device
-  fsBefore = a: b: ((any (x: elem x [ "bind" "move" ]) b.options) && (a.mountPoint == b.device))
+                || hasPrefix "${a.mountPoint}${optionalString (!(hasSuffix "/" a.mountPoint)) "/"}" b.mountPoint;
                || (hasPrefix a.mountPoint b.mountPoint);
  # Escape a path according to the systemd rules, e.g. /dev/xyzzy
  # becomes dev-xyzzy.  FIXME: slow.
--- a/nixos/modules/config/appstream.nix
+++ b/nixos/modules/config/appstream.nix
@ -0,0 +1,25 @@
 { config, lib, ... }:
 with lib;
 {
  options = {
    appstream.enable = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to install files to support the 
        <link xlink:href="https://www.freedesktop.org/software/appstream/docs/index.html">AppStream metadata specification</link>.
      '';
    };
  };
  config = mkIf config.appstream.enable {
    environment.pathsToLink = [ 
      # per component metadata
      "/share/metainfo" 
      # legacy path for above
      "/share/appdata" 
    ];
  };
 }
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@ -34,6 +34,17 @@ with lib;
        '';
      };
      extraLocaleSettings = mkOption {
        type = types.attrsOf types.str;
        default = {};
        example = { LC_MESSAGES = "en_US.UTF-8"; LC_TIME = "de_DE.UTF-8"; };
        description = ''
          A set of additional system-wide locale settings other than
          <literal>LANG</literal> which can be configured with
          <option>i18n.defaultLocale</option>.
        '';
      };
      supportedLocales = mkOption {
        type = types.listOf types.str;
        default = ["all"];
@ -129,7 +140,7 @@ with lib;
    environment.sessionVariables =
      { LANG = config.i18n.defaultLocale;
        LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
-      };
+      } // config.i18n.extraLocaleSettings;
    systemd.globalEnvironment = mkIf (config.i18n.supportedLocales != []) {
      LOCALE_ARCHIVE = "${config.i18n.glibcLocales}/lib/locale/locale-archive";
@ -141,6 +152,7 @@ with lib;
        source = pkgs.writeText "locale.conf"
          ''
            LANG=${config.i18n.defaultLocale}
            ${concatStringsSep "\n" (mapAttrsToList (n: v: ''${n}=${v}'') config.i18n.extraLocaleSettings)}
          '';
      };
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@ -35,7 +35,7 @@ with lib;
      networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
      networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
      pinentry = super.pinentry_ncurses;
-      gobjectIntrospection = super.gobjectIntrospection.override { x11Support = false; };
+      gobject-introspection = super.gobject-introspection.override { x11Support = false; };
    }));
  };
 }
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@ -1,6 +1,6 @@
 # Configuration for the Name Service Switch (/etc/nsswitch.conf).
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 with lib;
@ -15,6 +15,7 @@ let
  ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
  sssd = canLoadExternalModules && config.services.sssd.enable;
  resolved = canLoadExternalModules && config.services.resolved.enable;
  googleOsLogin = canLoadExternalModules && config.security.googleOsLogin.enable;
  hostArray = [ "files" ]
    ++ optional mymachines "mymachines"
@ -29,6 +30,7 @@ let
    ++ optional sssd "sss"
    ++ optional ldap "ldap"
    ++ optional mymachines "mymachines"
    ++ optional googleOsLogin "cache_oslogin oslogin"
    ++ [ "systemd" ];
  shadowArray = [ "files" ]
@ -97,7 +99,7 @@ in {
    # configured IP addresses, or ::1 and 127.0.0.2 as
    # fallbacks. Systemd also provides nss-mymachines to return IP
    # addresses of local containers.
-    system.nssModules = optionals canLoadExternalModules [ config.systemd.package.out ];
+    system.nssModules = (optionals canLoadExternalModules [ config.systemd.package.out ])
-
+      ++ optional googleOsLogin pkgs.google-compute-engine-oslogin.out;
  };
 }
--- a/nixos/modules/config/xdg/sounds.nix
+++ b/nixos/modules/config/xdg/sounds.nix
@ -0,0 +1,22 @@
 { config, lib, ... }:
 with lib;
 {
  options = {
    xdg.sounds.enable = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to install files to support the
        <link xlink:href="https://www.freedesktop.org/wiki/Specifications/sound-theme-spec/">XDG Sound Theme specification</link>.
      '';
    };
  };
  config = mkIf config.xdg.sounds.enable {
    environment.pathsToLink = [
      "/share/sounds"
    ];
  };
 }
--- a/nixos/modules/hardware/bladeRF.nix
+++ b/nixos/modules/hardware/bladeRF.nix
@ -0,0 +1,28 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.hardware.bladeRF;
 in
 {
  options.hardware.bladeRF = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables udev rules for BladeRF devices. By default grants access
        to users in the "bladerf" group. You may want to install the
        libbladeRF package.
      '';
    };
  };
  config = mkIf cfg.enable {
    services.udev.packages = [ pkgs.libbladeRF ];
    users.groups.bladerf = {};
  };
 }
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@ -20,6 +20,8 @@ let
      kernelPackages.nvidia_x11_legacy304
    else if elem "nvidiaLegacy340" drivers then
      kernelPackages.nvidia_x11_legacy340
    else if elem "nvidiaLegacy390" drivers then
      kernelPackages.nvidia_x11_legacy390
    else null;
  nvidia_x11 = nvidiaForKernel config.boot.kernelPackages;
@ -101,8 +103,8 @@ in
  config = mkIf enabled {
    assertions = [
      {
-        assertion = config.services.xserver.displayManager.gdm.wayland;
+        assertion = with config.services.xserver.displayManager; gdm.enable -> !gdm.wayland;
-        message = "NVIDIA drivers don't support wayland";
+        message = "NVIDIA drivers don't support wayland, set services.xserver.displayManager.gdm.wayland=false";
      }
      {
        assertion = !optimusCfg.enable ||
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@ -50,7 +50,7 @@ let
    finalCfg = {
      name = "NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel}";
      params = "init=${config.system.build.toplevel}/init ${additional} ${toString config.boot.kernelParams}";
-      image = "/boot/bzImage";
+      image = "/boot/${config.system.boot.loader.kernelFile}";
      initrd = "/boot/initrd";
    };
  in
@ -163,7 +163,7 @@ let
      cp -v ${pkgs.refind}/share/refind/refind_x64.efi $out/EFI/boot/
      ''
    else
-      "# No refind for ia32"
+      "# No refind for ${targetArch}"
  ;
  grubMenuCfg = ''
@ -222,18 +222,34 @@ let
  efiDir = pkgs.runCommand "efi-directory" {} ''
    mkdir -p $out/EFI/boot/
    # ALWAYS required modules.
    MODULES="fat iso9660 part_gpt part_msdos \
             normal boot linux configfile loopback chain halt \
-             efifwsetup efi_gop efi_uga \
+             efifwsetup efi_gop \
             ls search search_label search_fs_uuid search_fs_file \
             gfxmenu gfxterm gfxterm_background gfxterm_menu test all_video loadenv \
             exfat ext2 ntfs btrfs hfsplus udf \
             videoinfo png \
             echo serial \
            "
    echo "Building GRUB with modules:"
    for mod in $MODULES; do
      echo " - $mod"
    done
    # Modules that may or may not be available per-platform.
    echo "Adding additional modules:"
    for mod in efi_uga; do
      if [ -f ${pkgs.grub2_efi}/lib/grub/${pkgs.grub2_efi.grubTarget}/$mod.mod ]; then
        echo " - $mod"
        MODULES+=" $mod"
      fi
    done
    # Make our own efi program, we can't rely on "grub-install" since it seems to
    # probe for devices, even with --skip-fs-probe.
-    ${pkgs.grub2_efi}/bin/grub-mkimage -o $out/EFI/boot/${if targetArch == "x64" then "bootx64" else "bootia32"}.efi -p /EFI/boot -O ${if targetArch == "x64" then "x86_64" else "i386"}-efi \
+    ${pkgs.grub2_efi}/bin/grub-mkimage -o $out/EFI/boot/boot${targetArch}.efi -p /EFI/boot -O ${pkgs.grub2_efi.grubTarget} \
      $MODULES
    cp ${pkgs.grub2_efi}/share/grub/unicode.pf2 $out/EFI/boot/
@ -339,15 +355,24 @@ let
      echo "Image size: $image_size"
      truncate --size=$image_size "$out"
      ${pkgs.libfaketime}/bin/faketime "2000-01-01 00:00:00" ${pkgs.dosfstools}/sbin/mkfs.vfat -i 12345678 -n EFIBOOT "$out"
-      mcopy -bpsvm -i "$out" ./* ::
+      mcopy -psvm -i "$out" ./* ::
      # Verify the FAT partition.
      ${pkgs.dosfstools}/sbin/fsck.vfat -vn "$out"
    ''; # */
-  targetArch = if pkgs.stdenv.isi686 then
+  # Name used by UEFI for architectures.
-    "ia32"
+  targetArch =
-  else if pkgs.stdenv.isx86_64 then
+    if pkgs.stdenv.isi686 then
-    "x64"
+      "ia32"
-  else
+    else if pkgs.stdenv.isx86_64 then
-    throw "Unsupported architecture";
+      "x64"
    else if pkgs.stdenv.isAarch64 then
      "aa64"
    else
      throw "Unsupported architecture";
  # Syslinux (and isolinux) only supports x86-based architectures.
  canx86BiosBoot = pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64;
 in
@ -481,9 +506,9 @@ in
    # here and it causes a cyclic dependency.
    boot.loader.grub.enable = false;
-    # !!! Hack - attributes expected by other modules.
+    environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi ]
-    system.boot.loader.kernelFile = "bzImage";
+      ++ optional canx86BiosBoot pkgs.syslinux
-    environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ];
+    ;
    # In stage 1 of the boot, mount the CD as the root FS by label so
    # that we don't need to know its device.  We pass the label of the
@ -554,13 +579,7 @@ in
    # Individual files to be included on the CD, outside of the Nix
    # store on the CD.
    isoImage.contents =
-      [ { source = pkgs.substituteAll  {
+      [
            name = "isolinux.cfg";
            src = pkgs.writeText "isolinux.cfg-in" isolinuxCfg;
            bootRoot = "/boot";
          };
          target = "/isolinux/isolinux.cfg";
        }
        { source = config.boot.kernelPackages.kernel + "/" + config.system.boot.loader.kernelFile;
          target = "/boot/" + config.system.boot.loader.kernelFile;
        }
@ -570,9 +589,6 @@ in
        { source = config.system.build.squashfsStore;
          target = "/nix-store.squashfs";
        }
        { source = "${pkgs.syslinux}/share/syslinux";
          target = "/isolinux";
        }
        { source = config.isoImage.efiSplashImage;
          target = "/EFI/boot/efi-background.png";
        }
@ -582,6 +598,17 @@ in
        { source = pkgs.writeText "version" config.system.nixos.label;
          target = "/version.txt";
        }
      ] ++ optionals canx86BiosBoot [
        { source = pkgs.substituteAll  {
            name = "isolinux.cfg";
            src = pkgs.writeText "isolinux.cfg-in" isolinuxCfg;
            bootRoot = "/boot";
          };
          target = "/isolinux/isolinux.cfg";
        }
        { source = "${pkgs.syslinux}/share/syslinux";
          target = "/isolinux";
        }
      ] ++ optionals config.isoImage.makeEfiBootable [
        { source = efiImg;
          target = "/boot/efi.img";
@ -589,7 +616,7 @@ in
        { source = "${efiDir}/EFI";
          target = "/EFI";
        }
-      ] ++ optionals config.boot.loader.grub.memtest86.enable [
+      ] ++ optionals (config.boot.loader.grub.memtest86.enable && canx86BiosBoot) [
        { source = "${pkgs.memtest86plus}/memtest.bin";
          target = "/boot/memtest.bin";
        }
@ -604,9 +631,10 @@ in
    # Create the ISO image.
    system.build.isoImage = pkgs.callPackage ../../../lib/make-iso9660-image.nix ({
      inherit (config.isoImage) isoName compressImage volumeID contents;
-      bootable = true;
+      bootable = canx86BiosBoot;
      bootImage = "/isolinux/isolinux.bin";
-    } // optionalAttrs config.isoImage.makeUsbBootable {
+      syslinux = if canx86BiosBoot then pkgs.syslinux else null;
    } // optionalAttrs (config.isoImage.makeUsbBootable && canx86BiosBoot) {
      usbBootable = true;
      isohybridMbrImage = "${pkgs.syslinux}/share/syslinux/isohdpfx.bin";
    } // optionalAttrs config.isoImage.makeEfiBootable {
--- a/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix
@ -0,0 +1,7 @@
 { pkgs, ... }:
 {
  imports = [ ./sd-image-aarch64.nix ];
  boot.kernelPackages = pkgs.linuxPackages_latest;
 }
--- a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
@ -26,7 +26,6 @@ in
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.consoleLogLevel = lib.mkDefault 7;
  boot.kernelPackages = pkgs.linuxPackages_latest;
  # The serial ports listed here are:
  # - ttyS0: for Tegra (Jetson TX1)
--- a/nixos/modules/installer/cd-dvd/sd-image.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image.nix
@ -134,7 +134,9 @@ in
        ${config.sdImage.populateBootCommands}
        # Copy the populated /boot into the SD image
-        (cd boot; mcopy -bpsvm -i ../bootpart.img ./* ::)
+        (cd boot; mcopy -psvm -i ../bootpart.img ./* ::)
        # Verify the FAT partition before copying it.
        fsck.vfat -vn bootpart.img
        dd conv=notrunc if=bootpart.img of=$img seek=$START count=$SECTORS
      '';
    }) {};
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -337,6 +337,7 @@
      alerta = 310;
      minetest = 311;
      rss2email = 312;
      cockroachdb = 313;
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -634,6 +635,7 @@
      alerta = 310;
      minetest = 311;
      rss2email = 312;
      cockroachdb = 313;
      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -11,6 +11,8 @@
  ./config/xdg/icons.nix
  ./config/xdg/menus.nix
  ./config/xdg/mime.nix
  ./config/appstream.nix
  ./config/xdg/sounds.nix
  ./config/gtk/gtk-icon-cache.nix
  ./config/gnu.nix
  ./config/i18n.nix
@ -34,6 +36,7 @@
  ./config/vpnc.nix
  ./config/zram.nix
  ./hardware/all-firmware.nix
  ./hardware/bladeRF.nix
  ./hardware/brightnessctl.nix
  ./hardware/ckb-next.nix
  ./hardware/cpu/amd-microcode.nix
@ -106,6 +109,7 @@
  ./programs/mininet.nix
  ./programs/mtr.nix
  ./programs/nano.nix
  ./programs/nm-applet.nix
  ./programs/npm.nix
  ./programs/oblogout.nix
  ./programs/plotinus.nix
@ -150,6 +154,7 @@
  ./security/chromium-suid-sandbox.nix
  ./security/dhparams.nix
  ./security/duosec.nix
  ./security/google_oslogin.nix
  ./security/hidepid.nix
  ./security/lock-kernel-modules.nix
  ./security/misc.nix
@ -212,6 +217,7 @@
  ./services/databases/aerospike.nix
  ./services/databases/cassandra.nix
  ./services/databases/clickhouse.nix
  ./services/databases/cockroachdb.nix
  ./services/databases/couchdb.nix
  ./services/databases/firebird.nix
  ./services/databases/foundationdb.nix
@ -246,6 +252,7 @@
  ./services/desktops/gnome3/gnome-documents.nix
  ./services/desktops/gnome3/gnome-keyring.nix
  ./services/desktops/gnome3/gnome-online-accounts.nix
  ./services/desktops/gnome3/gnome-remote-desktop.nix
  ./services/desktops/gnome3/gnome-online-miners.nix
  ./services/desktops/gnome3/gnome-terminal-server.nix
  ./services/desktops/gnome3/gnome-user-share.nix
@ -297,6 +304,7 @@
  ./services/hardware/usbmuxd.nix
  ./services/hardware/thermald.nix
  ./services/hardware/undervolt.nix
  ./services/hardware/vdr.nix
  ./services/logging/SystemdJournal2Gelf.nix
  ./services/logging/awstats.nix
  ./services/logging/fluentd.nix
@ -332,11 +340,13 @@
  ./services/mail/rspamd.nix
  ./services/mail/rss2email.nix
  ./services/mail/rmilter.nix
  ./services/mail/roundcube.nix
  ./services/mail/nullmailer.nix
  ./services/misc/airsonic.nix
  ./services/misc/apache-kafka.nix
  ./services/misc/autofs.nix
  ./services/misc/autorandr.nix
  ./services/misc/bees.nix
  ./services/misc/bepasty.nix
  ./services/misc/canto-daemon.nix
  ./services/misc/calibre-server.nix
@ -710,7 +720,6 @@
  ./services/web-apps/restya-board.nix
  ./services/web-apps/tt-rss.nix
  ./services/web-apps/selfoss.nix
  ./services/web-apps/quassel-webserver.nix
  ./services/web-apps/virtlyst.nix
  ./services/web-apps/youtrack.nix
  ./services/web-servers/apache-httpd/default.nix
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@ -49,7 +49,7 @@
  ];
  # Include support for various filesystems.
-  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "ntfs" "cifs" ];
+  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "zfs" "ntfs" "cifs" ];
  # Configure host id for ZFS to work
  networking.hostId = lib.mkDefault "8425e349";
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -20,6 +20,12 @@ with lib;
  security.allowUserNamespaces = mkDefault false;
  security.protectKernelImage = mkDefault true;
  security.allowSimultaneousMultithreading = mkDefault false;
  security.virtualization.flushL1DataCache = mkDefault "always";
  security.apparmor.enable = mkDefault true;
  boot.kernelParams = [
@ -28,9 +34,6 @@ with lib;
    # Disable legacy virtual syscalls
    "vsyscall=none"
    # Disable hibernation (allows replacing the running kernel)
    "nohibernate"
  ];
  boot.blacklistedKernelModules = [
@ -44,9 +47,6 @@ with lib;
  # (e.g., parent/child)
  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
  # Prevent replacing the running kernel image w/o reboot
  boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
  # Restrict access to kernel ring buffer (information leaks)
  boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
--- a/nixos/modules/programs/adb.nix
+++ b/nixos/modules/programs/adb.nix
@ -16,7 +16,6 @@ with lib;
          To grant access to a user, it must be part of adbusers group:
          <code>users.users.alice.extraGroups = ["adbusers"];</code>
        '';
        relatedPackages = [ ["androidenv" "platformTools"] ];
      };
    };
  };
@ -24,7 +23,7 @@ with lib;
  ###### implementation
  config = mkIf config.programs.adb.enable {
    services.udev.packages = [ pkgs.android-udev-rules ];
-    environment.systemPackages = [ pkgs.androidenv.platformTools ];
+    environment.systemPackages = [ pkgs.androidenv.androidPkgs_9_0.platform-tools ];
    users.groups.adbusers = {};
  };
 }
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@ -98,7 +98,12 @@ in
          if [ "$TERM" != "dumb" -o -n "$INSIDE_EMACS" ]; then
            PROMPT_COLOR="1;31m"
            let $UID && PROMPT_COLOR="1;32m"
-            PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
+            if [ -n "$INSIDE_EMACS" ]; then
              # Emacs term mode doesn't support xterm title escape sequence (\e]0;)
              PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
            else
              PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
            fi
            if test "$TERM" = "xterm"; then
              PS1="\[\033]2;\h:\u:\w\007\]$PS1"
            fi
--- a/nixos/modules/programs/nm-applet.nix
+++ b/nixos/modules/programs/nm-applet.nix
@ -0,0 +1,14 @@
 { config, lib, pkgs, ... }:
 {
  options.programs.nm-applet.enable = lib.mkEnableOption "nm-applet";
  config = lib.mkIf config.programs.nm-applet.enable {
    systemd.user.services.nm-applet = {
      description = "Network manager applet";
      wantedBy = [ "graphical-session.target" ];
      partOf = [ "graphical-session.target" ];
      serviceConfig.ExecStart = "${pkgs.networkmanagerapplet}/bin/nm-applet";
    };
  };
 }
--- a/nixos/modules/programs/sway-beta.nix
+++ b/nixos/modules/programs/sway-beta.nix
@ -7,8 +7,19 @@ let
  swayPackage = cfg.package;
  swayWrapped = pkgs.writeShellScriptBin "sway" ''
-    ${cfg.extraSessionCommands}
+    set -o errexit
-    exec ${pkgs.dbus.dbus-launch} --exit-with-session ${swayPackage}/bin/sway
+
    if [ ! "$_SWAY_WRAPPER_ALREADY_EXECUTED" ]; then
      export _SWAY_WRAPPER_ALREADY_EXECUTED=1
      ${cfg.extraSessionCommands}
    fi
    if [ "$DBUS_SESSION_BUS_ADDRESS" ]; then
      export DBUS_SESSION_BUS_ADDRESS
      exec ${swayPackage}/bin/sway "$@"
    else
      exec ${pkgs.dbus}/bin/dbus-run-session ${swayPackage}/bin/sway "$@"
    fi
  '';
  swayJoined = pkgs.symlinkJoin {
    name = "sway-joined";
--- a/nixos/modules/programs/zsh/oh-my-zsh.xml
+++ b/nixos/modules/programs/zsh/oh-my-zsh.xml
@ -19,7 +19,7 @@
   configuration format of <literal>oh-my-zsh</literal>.
 <programlisting>
 {
-  programs.ohMyZsh = {
+  programs.zsh.ohMyZsh = {
    enable = true;
    plugins = [ "git" "python" "man" ];
    theme = "agnoster";
@ -51,7 +51,7 @@
   The module can do this as well:
 <programlisting>
 {
-  programs.ohMyZsh.custom = "~/path/to/custom/scripts";
+  programs.zsh.ohMyZsh.custom = "~/path/to/custom/scripts";
 }
 </programlisting>
  </para>
@ -73,7 +73,7 @@
 <programlisting>
 { pkgs, ... }:
 {
-  programs.ohMyZsh.customPkgs = with pkgs; [
+  programs.zsh.ohMyZsh.customPkgs = with pkgs; [
    pkgs.nix-zsh-completions
    # and even more...
  ];
@ -87,7 +87,7 @@
  <para>
   <emphasis>Please keep in mind that this is not compatible with
-   <literal>programs.ohMyZsh.custom</literal> as it requires an immutable store
+   <literal>programs.zsh.ohMyZsh.custom</literal> as it requires an immutable store
   path while <literal>custom</literal> shall remain mutable! An evaluation
   failure will be thrown if both <literal>custom</literal> and
   <literal>customPkgs</literal> are set.</emphasis>
--- a/nixos/modules/programs/zsh/zsh-autosuggestions.nix
+++ b/nixos/modules/programs/zsh/zsh-autosuggestions.nix
@ -18,13 +18,13 @@ in
    };
    strategy = mkOption {
-      type = types.enum [ "default" "match_prev_cmd" ];
+      type = types.enum [ "history" "match_prev_cmd" ];
-      default = "default";
+      default = "history";
      description = ''
        Set ZSH_AUTOSUGGEST_STRATEGY to choose the strategy for generating suggestions.
        There are currently two to choose from:
-          * default: Chooses the most recent match.
+          * history: Chooses the most recent match.
          * match_prev_cmd: Chooses the most recent match whose preceding history item matches
            the most recently executed command (more info). Note that this strategy won't work as
            expected with ZSH options that don't preserve the history order such as
@ -51,7 +51,7 @@ in
      source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
      export ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE="${cfg.highlightStyle}"
-      export ZSH_AUTOSUGGEST_STRATEGY="${cfg.strategy}"
+      export ZSH_AUTOSUGGEST_STRATEGY=("${cfg.strategy}")
      ${concatStringsSep "\n" (mapAttrsToList (key: value: ''export ${key}="${value}"'') cfg.extraConfig)}
    '';
--- a/nixos/modules/security/google_oslogin.nix
+++ b/nixos/modules/security/google_oslogin.nix
@ -0,0 +1,68 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.security.googleOsLogin;
  package = pkgs.google-compute-engine-oslogin;
 in
 {
  options = {
    security.googleOsLogin.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable Google OS Login
        The OS Login package enables the following components:
        AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
        profile during ssh authentication phase.
        NSS Module to provide user and group information
        PAM Module for the sshd service, providing authorization and
        authentication support, allowing the system to use data stored in
        Google Cloud IAM permissions to control both, the ability to log into
        an instance, and to perform operations as root (sudo).
      '';
    };
  };
  config = mkIf cfg.enable {
    security.pam.services.sshd = {
      makeHomeDir = true;
      googleOsLoginAccountVerification = true;
      # disabled for now: googleOsLoginAuthentication = true;
    };
    security.sudo.extraConfig = ''
      #includedir /run/google-sudoers.d
    '';
    systemd.tmpfiles.rules = [
      "d /run/google-sudoers.d 750 root root -"
      "d /var/google-users.d 750 root root -"
    ];
    # enable the nss module, so user lookups etc. work
    system.nssModules = [ package ];
    # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
    # So indirect by a symlink.
    environment.etc."ssh/authorized_keys_command_google_oslogin" = {
      mode = "0755";
      text = ''
        #!/bin/sh
        exec ${package}/bin/google_authorized_keys "$@"
      '';
    };
    services.openssh.extraConfig = ''
      AuthorizedKeysCommand /etc/ssh/authorized_keys_command_google_oslogin %u
      AuthorizedKeysCommandUser nobody
    '';
  };
 }
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@ -22,18 +22,104 @@ with lib;
        a user namespace fails with "no space left on device" (ENOSPC).
      '';
    };
    security.protectKernelImage = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to prevent replacing the running kernel image.
      '';
    };
    security.allowSimultaneousMultithreading = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to allow SMT/hyperthreading.  Disabling SMT means that only
        physical CPU cores will be usable at runtime, potentially at
        significant performance cost.
        </para>
        <para>
        The primary motivation for disabling SMT is to mitigate the risk of
        leaking data between threads running on the same CPU core (due to
        e.g., shared caches).  This attack vector is unproven.
        </para>
        <para>
        Disabling SMT is a supplement to the L1 data cache flushing mitigation
        (see <xref linkend="opt-security.virtualization.flushL1DataCache"/>)
        versus malicious VM guests (SMT could "bring back" previously flushed
        data).
        </para>
        <para>
      '';
    };
    security.virtualization.flushL1DataCache = mkOption {
      type = types.nullOr (types.enum [ "never" "cond" "always" ]);
      default = null;
      description = ''
        Whether the hypervisor should flush the L1 data cache before
        entering guests.
        See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.
        </para>
        <para>
          <variablelist>
          <varlistentry>
            <term><literal>null</literal></term>
            <listitem><para>uses the kernel default</para></listitem>
          </varlistentry>
          <varlistentry>
            <term><literal>"never"</literal></term>
            <listitem><para>disables L1 data cache flushing entirely.
            May be appropriate if all guests are trusted.</para></listitem>
          </varlistentry>
          <varlistentry>
            <term><literal>"cond"</literal></term>
            <listitem><para>flushes L1 data cache only for pre-determined
            code paths.  May leak information about the host address space
            layout.</para></listitem>
          </varlistentry>
          <varlistentry>
            <term><literal>"always"</literal></term>
            <listitem><para>flushes L1 data cache every time the hypervisor
            enters the guest.  May incur significant performance cost.
            </para></listitem>
          </varlistentry>
          </variablelist>
      '';
    };
  };
-  config = mkIf (!config.security.allowUserNamespaces) {
+  config = mkMerge [
-    # Setting the number of allowed user namespaces to 0 effectively disables
+    (mkIf (!config.security.allowUserNamespaces) {
-    # the feature at runtime.  Note that root may raise the limit again
+      # Setting the number of allowed user namespaces to 0 effectively disables
-    # at any time.
+      # the feature at runtime.  Note that root may raise the limit again
-    boot.kernel.sysctl."user.max_user_namespaces" = 0;
+      # at any time.
      boot.kernel.sysctl."user.max_user_namespaces" = 0;
-    assertions = [
+      assertions = [
-      { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
+        { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
-        message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
+          message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
-      }
+        }
-    ];
+      ];
-  };
+    })
    (mkIf config.security.protectKernelImage {
      # Disable hibernation (allows replacing the running kernel)
      boot.kernelParams = [ "nohibernate" ];
      # Prevent replacing the running kernel image w/o reboot
      boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
    })
    (mkIf (!config.security.allowSimultaneousMultithreading) {
      boot.kernelParams = [ "nosmt" ];
    })
    (mkIf (config.security.virtualization.flushL1DataCache != null) {
      boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
    })
  ];
 }
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -77,6 +77,30 @@ let
        '';
      };
      googleOsLoginAccountVerification = mkOption {
        default = false;
        type = types.bool;
        description = ''
          If set, will use the Google OS Login PAM modules
          (<literal>pam_oslogin_login</literal>,
          <literal>pam_oslogin_admin</literal>) to verify possible OS Login
          users and set sudoers configuration accordingly.
          This only makes sense to enable for the <literal>sshd</literal> PAM
          service.
        '';
      };
      googleOsLoginAuthentication = mkOption {
        default = false;
        type = types.bool;
        description = ''
          If set, will use the <literal>pam_oslogin_login</literal>'s user
          authentication methods to authenticate users using 2FA.
          This only makes sense to enable for the <literal>sshd</literal> PAM
          service.
        '';
      };
      fprintAuth = mkOption {
        default = config.services.fprintd.enable;
        type = types.bool;
@ -269,7 +293,7 @@ let
      text = mkDefault
        (''
          # Account management.
-          account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
+          account required pam_unix.so
          ${optionalString use_ldap
              "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
          ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
@ -278,8 +302,14 @@ let
              "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
          ${optionalString config.krb5.enable
              "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
          ${optionalString cfg.googleOsLoginAccountVerification ''
            account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
            account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
          ''}
          # Authentication management.
          ${optionalString cfg.googleOsLoginAuthentication
              "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"}
          ${optionalString cfg.rootOK
              "auth sufficient pam_rootok.so"}
          ${optionalString cfg.requireWheel
--- a/nixos/modules/services/backup/borgbackup.nix
+++ b/nixos/modules/services/backup/borgbackup.nix
@ -191,7 +191,7 @@ in {
        options = {
          paths = mkOption {
-            type = with types; either path (nonEmptyListOf path);
+            type = with types; either path (listOf str);
            description = "Path(s) to back up.";
            example = "/home/user";
            apply = x: if isList x then x else [ x ];
--- a/nixos/modules/services/computing/slurm/slurm.nix
+++ b/nixos/modules/services/computing/slurm/slurm.nix
@ -46,7 +46,7 @@ let
  # in the same directory as slurm.conf
  etcSlurm = pkgs.symlinkJoin {
    name = "etc-slurm";
-    paths = [ configFile cgroupConfig plugStackConfig ];
+    paths = [ configFile cgroupConfig plugStackConfig ] ++ cfg.extraConfigPaths;
  };
 in
@ -239,6 +239,17 @@ in
        '';
      };
      extraConfigPaths = mkOption {
        type = with types; listOf path;
        default = [];
        description = ''
          Slurm expects config files for plugins in the same path
          as <literal>slurm.conf</literal>. Add extra nix store
          paths that should be merged into same directory as
          <literal>slurm.conf</literal>.
        '';
      };
    };
@ -303,6 +314,7 @@ in
      serviceConfig = {
        Type = "forking";
        KillMode = "process";
        ExecStart = "${wrappedSlurm}/bin/slurmd";
        PIDFile = "/run/slurmd.pid";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
--- a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
@ -42,6 +42,18 @@ in {
        type = types.str;
        description = ''
          User token in Jenkins used to reload config.
          WARNING: This token will be world readable in the Nix store. To keep
          it secret, use the <option>accessTokenFile</option> option instead.
        '';
      };
      accessTokenFile = mkOption {
        default = "";
        type = types.str;
        example = "/run/keys/jenkins-job-builder-access-token";
        description = ''
          File containing the API token for the <option>accessUser</option>
          user.
        '';
      };
@ -103,6 +115,21 @@ in {
  };
  config = mkIf (jenkinsCfg.enable && cfg.enable) {
    assertions = [
      { assertion =
          if cfg.accessUser != ""
          then (cfg.accessToken != "" && cfg.accessTokenFile == "") ||
               (cfg.accessToken == "" && cfg.accessTokenFile != "")
          else true;
        message = ''
          One of accessToken and accessTokenFile options must be non-empty
          strings, but not both. Current values:
            services.jenkins.jobBuilder.accessToken = "${cfg.accessToken}"
            services.jenkins.jobBuilder.accessTokenFile = "${cfg.accessTokenFile}"
        '';
      }
    ];
    systemd.services.jenkins-job-builder = {
      description = "Jenkins Job Builder Service";
      # JJB can run either before or after jenkins. We chose after, so we can
@ -128,8 +155,13 @@ in {
          ownerStamp = ".config-xml-managed-by-nixos-jenkins-job-builder";
          reloadScript = ''
            echo "Asking Jenkins to reload config"
-            CRUMB=$(curl -s 'http://${cfg.accessUser}:${cfg.accessToken}@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
+            curl_opts="--silent --fail --show-error"
-            curl --silent -X POST -H "$CRUMB" http://${cfg.accessUser}:${cfg.accessToken}@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/reload
+            access_token=${if cfg.accessTokenFile != ""
                           then "$(cat '${cfg.accessTokenFile}')"
                           else cfg.accessToken}
            jenkins_url="http://${cfg.accessUser}:$access_token@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}"
            crumb=$(curl $curl_opts "$jenkins_url"'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
            curl $curl_opts -X POST -H "$crumb" "$jenkins_url"/reload
          '';
        in
          ''
--- a/nixos/modules/services/databases/aerospike.nix
+++ b/nixos/modules/services/databases/aerospike.nix
@ -43,6 +43,7 @@ in
      package = mkOption {
        default = pkgs.aerospike;
        defaultText = "pkgs.aerospike";
        type = types.package;
        description = "Which Aerospike derivation to use";
      };
--- a/nixos/modules/services/databases/clickhouse.nix
+++ b/nixos/modules/services/databases/clickhouse.nix
@ -70,6 +70,11 @@ with lib;
      };
    };
    environment.systemPackages = [ pkgs.clickhouse ];
    # startup requires a `/etc/localtime` which only if exists if `time.timeZone != null`
    time.timeZone = mkDefault "UTC";
  };
 }
--- a/nixos/modules/services/databases/cockroachdb.nix
+++ b/nixos/modules/services/databases/cockroachdb.nix
@ -0,0 +1,217 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.cockroachdb;
  crdb = cfg.package;
  escape    = builtins.replaceStrings ["%"] ["%%"];
  ifNotNull = v: s: optionalString (!isNull v) s;
  startupCommand = lib.concatStringsSep " "
    [ # Basic startup
      "${crdb}/bin/cockroach start"
      "--logtostderr"
      "--store=/var/lib/cockroachdb"
      (ifNotNull cfg.locality "--locality='${cfg.locality}'")
      # WebUI settings
      "--http-addr='${cfg.http.address}:${toString cfg.http.port}'"
      # Cluster listen address
      "--listen-addr='${cfg.listen.address}:${toString cfg.listen.port}'"
      # Cluster configuration
      (ifNotNull cfg.join "--join=${cfg.join}")
      # Cache and memory settings. Must be escaped.
      "--cache='${escape cfg.cache}'"
      "--max-sql-memory='${escape cfg.maxSqlMemory}'"
      # Certificate/security settings.
      (if cfg.insecure then "--insecure" else "--certs-dir=${cfg.certsDir}")
    ];
    addressOption = descr: defaultPort: {
      address = mkOption {
        type = types.str;
        default = "localhost";
        description = "Address to bind to for ${descr}";
      };
      port = mkOption {
        type = types.port;
        default = defaultPort;
        description = "Port to bind to for ${descr}";
      };
    };
 in
 {
  options = {
    services.cockroachdb = {
      enable = mkEnableOption "CockroachDB Server";
      listen = addressOption "intra-cluster communication" 26257;
      http = addressOption "http-based Admin UI" 8080;
      locality = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          An ordered, comma-separated list of key-value pairs that describe the
          topography of the machine. Topography might include country,
          datacenter or rack designations. Data is automatically replicated to
          maximize diversities of each tier. The order of tiers is used to
          determine the priority of the diversity, so the more inclusive
          localities like country should come before less inclusive localities
          like datacenter.  The tiers and order must be the same on all nodes.
          Including more tiers is better than including fewer. For example:
          <literal>
              country=us,region=us-west,datacenter=us-west-1b,rack=12
              country=ca,region=ca-east,datacenter=ca-east-2,rack=4
              planet=earth,province=manitoba,colo=secondary,power=3
          </literal>
        '';
      };
      join = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = "The addresses for connecting the node to a cluster.";
      };
      insecure = mkOption {
        type = types.bool;
        default = false;
        description = "Run in insecure mode.";
      };
      certsDir = mkOption {
        type = types.nullOr types.path;
        default = null;
        description = "The path to the certificate directory.";
      };
      user = mkOption {
        type = types.str;
        default = "cockroachdb";
        description = "User account under which CockroachDB runs";
      };
      group = mkOption {
        type = types.str;
        default = "cockroachdb";
        description = "User account under which CockroachDB runs";
      };
      openPorts = mkOption {
        type = types.bool;
        default = false;
        description = "Open firewall ports for cluster communication by default";
      };
      cache = mkOption {
        type = types.str;
        default = "25%";
        description = ''
          The total size for caches.
          This can be a percentage, expressed with a fraction sign or as a
          decimal-point number, or any bytes-based unit. For example,
          <literal>"25%"</literal>, <literal>"0.25"</literal> both represent
          25% of the available system memory. The values
          <literal>"1000000000"</literal> and <literal>"1GB"</literal> both
          represent 1 gigabyte of memory.
        '';
      };
      maxSqlMemory = mkOption {
        type = types.str;
        default = "25%";
        description = ''
          The maximum in-memory storage capacity available to store temporary
          data for SQL queries.
          This can be a percentage, expressed with a fraction sign or as a
          decimal-point number, or any bytes-based unit. For example,
          <literal>"25%"</literal>, <literal>"0.25"</literal> both represent
          25% of the available system memory. The values
          <literal>"1000000000"</literal> and <literal>"1GB"</literal> both
          represent 1 gigabyte of memory.
        '';
      };
      package = mkOption {
        type = types.package;
        default = pkgs.cockroachdb;
        defaultText = "pkgs.cockroachdb";
        description = ''
          The CockroachDB derivation to use for running the service.
          This would primarily be useful to enable Enterprise Edition features
          in your own custom CockroachDB build (Nixpkgs CockroachDB binaries
          only contain open source features and open source code).
        '';
      };
    };
  };
  config = mkIf config.services.cockroachdb.enable {
    assertions = [
      { assertion = !cfg.insecure -> !(isNull cfg.certsDir);
        message = "CockroachDB must have a set of SSL certificates (.certsDir), or run in Insecure Mode (.insecure = true)";
      }
    ];
    environment.systemPackages = [ crdb ];
    users.users = optionalAttrs (cfg.user == "cockroachdb") (singleton
      { name        = "cockroachdb";
        description = "CockroachDB Server User";
        uid         = config.ids.uids.cockroachdb;
        group       = cfg.group;
      });
    users.groups = optionalAttrs (cfg.group == "cockroachdb") (singleton
      { name = "cockroachdb";
        gid  = config.ids.gids.cockroachdb;
      });
    networking.firewall.allowedTCPPorts = lib.optionals cfg.openPorts
      [ cfg.http.port cfg.listen.port ];
    systemd.services.cockroachdb =
      { description   = "CockroachDB Server";
        documentation = [ "man:cockroach(1)" "https://www.cockroachlabs.com" ];
        after    = [ "network.target" "time-sync.target" ];
        requires = [ "time-sync.target" ];
        wantedBy = [ "multi-user.target" ];
        unitConfig.RequiresMountsFor = "/var/lib/cockroachdb";
        serviceConfig =
          { ExecStart = startupCommand;
            Type = "notify";
            User = cfg.user;
            StateDirectory = "cockroachdb";
            StateDirectoryMode = "0700";
            Restart = "always";
            # A conservative-ish timeout is alright here, because for Type=notify
            # cockroach will send systemd pings during startup to keep it alive
            TimeoutStopSec = 60;
            RestartSec = 10;
          };
      };
  };
  meta.maintainers = with lib.maintainers; [ thoughtpolice ];
 }
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@ -29,21 +29,6 @@ let
  installOptions =
    "${mysqldAndInstallOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}";
  myCnf = pkgs.writeText "my.cnf"
  ''
    [mysqld]
    port = ${toString cfg.port}
    datadir = ${cfg.dataDir}
    ${optionalString (cfg.bind != null) "bind-address = ${cfg.bind}" }
    ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "log-bin=mysql-bin"}
    ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "server-id = ${toString cfg.replication.serverId}"}
    ${optionalString (cfg.ensureUsers != [])
    ''
      plugin-load-add = auth_socket.so
    ''}
    ${cfg.extraOptions}
  '';
 in
 {
@ -242,6 +227,21 @@ in
    environment.systemPackages = [mysql];
    environment.etc."my.cnf".text =
    ''
      [mysqld]
      port = ${toString cfg.port}
      datadir = ${cfg.dataDir}
      ${optionalString (cfg.bind != null) "bind-address = ${cfg.bind}" }
      ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "log-bin=mysql-bin"}
      ${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "server-id = ${toString cfg.replication.serverId}"}
      ${optionalString (cfg.ensureUsers != [])
      ''
        plugin-load-add = auth_socket.so
      ''}
      ${cfg.extraOptions}
    '';
    systemd.services.mysql = let
      hasNotify = (cfg.package == pkgs.mariadb);
    in {
@ -263,7 +263,7 @@ in
            if ! test -e ${cfg.dataDir}/mysql; then
                mkdir -m 0700 -p ${cfg.dataDir}
                chown -R ${cfg.user} ${cfg.dataDir}
-                ${mysql}/bin/mysql_install_db ${installOptions}
+                ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${installOptions}
                touch /tmp/mysql_init
            fi
@ -274,7 +274,7 @@ in
        serviceConfig = {
          Type = if hasNotify then "notify" else "simple";
          RuntimeDirectory = "mysqld";
-          ExecStart = "${mysql}/bin/mysqld --defaults-extra-file=${myCnf} ${mysqldOptions}";
+          ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions}";
        };
        postStart = ''
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@ -54,6 +54,13 @@ in
        description = "The database directory.";
      };
      logLevel = mkOption {
        type = types.str;
        default = "0";
        example = "acl trace";
        description = "The log level selector of slapd.";
      };
      configDir = mkOption {
        type = types.nullOr types.path;
        default = null;
@ -139,7 +146,7 @@ in
        chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}"
      '';
      serviceConfig.ExecStart =
-        "${openldap.out}/libexec/slapd -d 0 " +
+        "${openldap.out}/libexec/slapd -d ${cfg.logLevel} " +
          "-u '${cfg.user}' -g '${cfg.group}' " +
          "-h '${concatStringsSep " " cfg.urlList}' " +
          "${configOpts}";
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -238,6 +238,9 @@ in
            User = "postgres";
            Group = "postgres";
            PermissionsStartOnly = true;
            Type = if lib.versionAtLeast cfg.package.version "9.6"
                   then "notify"
                   else "simple";
            # Shut down Postgres using SIGINT ("Fast Shutdown mode").  See
            # http://www.postgresql.org/docs/current/static/server-shutdown.html
--- a/nixos/modules/services/desktops/geoclue2.nix
+++ b/nixos/modules/services/desktops/geoclue2.nix
@ -61,6 +61,8 @@ in
        wantedBy = [ "default.target" ];
      };
    };
    environment.etc."geoclue/geoclue.conf".source = "${package}/etc/geoclue/geoclue.conf";
  };
 }
--- a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
@ -0,0 +1,18 @@
 # Remote desktop daemon using Pipewire.
 { config, lib, pkgs, ... }:
 with lib;
 {
  ###### interface
  options = {
    services.gnome3.gnome-remote-desktop = {
      enable = mkEnableOption "Remote Desktop support using Pipewire";
    };
  };
  ###### implementation
  config = mkIf config.services.gnome3.gnome-remote-desktop.enable {
    systemd.packages = [ pkgs.gnome3.gnome-remote-desktop ];
  };
 }
--- a/nixos/modules/services/editors/emacs.xml
+++ b/nixos/modules/services/editors/emacs.xml
@ -11,7 +11,7 @@
      Rodney Lorrimar @rvl
  -->
 <para>
-  <link xlink:href="http://www.gnu.org/software/emacs/">Emacs</link> is an
+  <link xlink:href="https://www.gnu.org/software/emacs/">Emacs</link> is an
  extensible, customizable, self-documenting real-time display editor — and
  more. At its core is an interpreter for Emacs Lisp, a dialect of the Lisp
  programming language with extensions to support text editing.
--- a/nixos/modules/services/hardware/bluetooth.nix
+++ b/nixos/modules/services/hardware/bluetooth.nix
@ -25,9 +25,14 @@ in {
        type = types.package;
        default = pkgs.bluez;
        defaultText = "pkgs.bluez";
-        example = "pkgs.bluez.override { enableMidi = true; }";
+        example = "pkgs.bluezFull";
        description = ''
          Which BlueZ package to use.
          <note><para>
            Use the <literal>pkgs.bluezFull</literal> package to enable all
            bluez plugins.
          </para></note>
        '';
      };
--- a/nixos/modules/services/hardware/lirc.nix
+++ b/nixos/modules/services/hardware/lirc.nix
@ -49,6 +49,7 @@ in {
      description = "LIRC daemon socket";
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        # default search path
        ListenStream = "/run/lirc/lircd";
        SocketUser = "lirc";
        SocketMode = "0660";
@ -66,9 +67,19 @@ in {
      serviceConfig = {
        RuntimeDirectory = "lirc";
-        # socket lives in runtime directory; we have to keep is available
+        # Service runtime directory and socket share same folder.
        # Following hacks are necessary to get everything right:
        # 1. prevent socket deletion during stop and restart
        RuntimeDirectoryPreserve = true;
        # 2. fix runtime folder owner-ship, happens when socket activation
        #    creates the folder
        PermissionsStartOnly = true;
        ExecStartPre = [
          "${pkgs.coreutils}/bin/chown lirc /run/lirc/"
        ];
        ExecStart = ''
          ${pkgs.lirc}/bin/lircd --nodaemon \
            ${escapeShellArgs cfg.extraArguments} \
--- a/nixos/modules/services/hardware/vdr.nix
+++ b/nixos/modules/services/hardware/vdr.nix
@ -0,0 +1,71 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.vdr;
  libDir = "/var/lib/vdr";
 in {
  ###### interface
  options = {
    services.vdr = {
      enable = mkEnableOption "enable VDR. Please put config into ${libDir}.";
      package = mkOption {
        type = types.package;
        default = pkgs.vdr;
        defaultText = "pkgs.vdr";
        example = literalExample "pkgs.wrapVdr.override { plugins = with pkgs.vdrPlugins; [ hello ]; }";
        description = "Package to use.";
      };
      videoDir = mkOption {
        type = types.path;
        default = "/srv/vdr/video";
        description = "Recording directory";
      };
      extraArguments = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "Additional command line arguments to pass to VDR.";
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    systemd.tmpfiles.rules = [
      "d ${cfg.videoDir} 0755 vdr vdr -"
      "Z ${cfg.videoDir} - vdr vdr -"
    ];
    systemd.services.vdr = {
      description = "VDR";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = ''
          ${cfg.package}/bin/vdr \
            --video="${cfg.videoDir}" \
            --config="${libDir}" \
            ${escapeShellArgs cfg.extraArguments}
        '';
        User = "vdr";
        CacheDirectory = "vdr";
        StateDirectory = "vdr";
        Restart = "on-failure";
      };
    };
    users.users.vdr = {
      group = "vdr";
      home = libDir;
    };
    users.groups.vdr = {};
  };
 }
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@ -0,0 +1,153 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.roundcube;
 in
 {
  options.services.roundcube = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable roundcube.
        Also enables nginx virtual host management.
        Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
        See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
      '';
    };
    hostName = mkOption {
      type = types.str;
      example = "webmail.example.com";
      description = "Hostname to use for the nginx vhost";
    };
    database = {
      username = mkOption {
        type = types.str;
        default = "roundcube";
        description = "Username for the postgresql connection";
      };
      host = mkOption {
        type = types.str;
        default = "localhost";
        description = ''
          Host of the postgresql server. If this is not set to
          <literal>localhost</literal>, you have to create the
          postgresql user and database yourself, with appropriate
          permissions.
        '';
      };
      password = mkOption {
        type = types.str;
        description = "Password for the postgresql connection";
      };
      dbname = mkOption {
        type = types.str;
        default = "roundcube";
        description = "Name of the postgresql database";
      };
    };
    plugins = mkOption {
      type = types.listOf types.str;
      default = [];
      description = ''
        List of roundcube plugins to enable. Currently, only those directly shipped with Roundcube are supported.
      '';
    };
    extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = "Extra configuration for roundcube webmail instance";
    };
  };
  config = mkIf cfg.enable {
    environment.etc."roundcube/config.inc.php".text = ''
      <?php
      $config = array();
      $config['db_dsnw'] = 'pgsql://${cfg.database.username}:${cfg.database.password}@${cfg.database.host}/${cfg.database.dbname}';
      $config['log_driver'] = 'syslog';
      $config['max_message_size'] = '25M';
      $config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}];
      ${cfg.extraConfig}
    '';
    services.nginx = {
      enable = true;
      virtualHosts = {
        ${cfg.hostName} = {
          forceSSL = mkDefault true;
          enableACME = mkDefault true;
          locations."/" = {
            root = pkgs.roundcube;
            index = "index.php";
            extraConfig = ''
              location ~* \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/run/phpfpm/roundcube;
                include ${pkgs.nginx}/conf/fastcgi_params;
                include ${pkgs.nginx}/conf/fastcgi.conf;
              }
            '';
          };
        };
      };
    };
    services.postgresql = mkIf (cfg.database.host == "localhost") {
      enable = true;
    };
    services.phpfpm.poolConfigs.roundcube = ''
      listen = /run/phpfpm/roundcube
      listen.owner = nginx
      listen.group = nginx
      listen.mode = 0660
      user = nginx
      pm = dynamic
      pm.max_children = 75
      pm.start_servers = 2
      pm.min_spare_servers = 1
      pm.max_spare_servers = 20
      pm.max_requests = 500
      php_admin_value[error_log] = 'stderr'
      php_admin_flag[log_errors] = on
      php_admin_value[post_max_size] = 25M
      php_admin_value[upload_max_filesize] = 25M
      catch_workers_output = yes
    '';
    systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
    systemd.services.roundcube-setup = let
      pgSuperUser = config.services.postgresql.superUser;
    in {
      requires = [ "postgresql.service" ];
      after = [ "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ config.services.postgresql.package ];
      script = ''
        mkdir -p /var/lib/roundcube
        if [ ! -f /var/lib/roundcube/db-created ]; then
          if [ "${cfg.database.host}" = "localhost" ]; then
            ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create role ${cfg.database.username} with login password '${cfg.database.password}'";
            ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create database ${cfg.database.dbname} with owner ${cfg.database.username}";
          fi
          PGPASSWORD=${cfg.database.password} ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \
            -f ${pkgs.roundcube}/SQL/postgres.initial.sql \
            -h ${cfg.database.host} ${cfg.database.dbname}
          touch /var/lib/roundcube/db-created
        fi
        ${pkgs.php}/bin/php ${pkgs.roundcube}/bin/update.sh
      '';
      serviceConfig.Type = "oneshot";
    };
  };
 }
--- a/nixos/modules/services/misc/bees.nix
+++ b/nixos/modules/services/misc/bees.nix
@ -0,0 +1,123 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.beesd;
  logLevels = { emerg = 0; alert = 1; crit = 2; err = 3; warning = 4; notice = 5; info = 6; debug = 7; };
  fsOptions = with types; {
    options.spec = mkOption {
      type = str;
      description = ''
        Description of how to identify the filesystem to be duplicated by this
        instance of bees. Note that deduplication crosses subvolumes; one must
        not configure multiple instances for subvolumes of the same filesystem
        (or block devices which are part of the same filesystem), but only for
        completely independent btrfs filesystems.
        </para>
        <para>
        This must be in a format usable by findmnt; that could be a key=value
        pair, or a bare path to a mount point.
      '';
      example = "LABEL=MyBulkDataDrive";
    };
    options.hashTableSizeMB = mkOption {
      type = types.addCheck types.int (n: mod n 16 == 0);
      default = 1024; # 1GB; default from upstream beesd script
      description = ''
        Hash table size in MB; must be a multiple of 16.
        </para>
        <para>
        A larger ratio of index size to storage size means smaller blocks of
        duplicate content are recognized.
        </para>
        <para>
        If you have 1TB of data, a 4GB hash table (which is to say, a value of
        4096) will permit 4KB extents (the smallest possible size) to be
        recognized, whereas a value of 1024 -- creating a 1GB hash table --
        will recognize only aligned duplicate blocks of 16KB.
      '';
    };
    options.verbosity = mkOption {
      type = types.enum (attrNames logLevels ++ attrValues logLevels);
      apply = v: if isString v then logLevels.${v} else v;
      default = "info";
      description = "Log verbosity (syslog keyword/level).";
    };
    options.workDir = mkOption {
      type = str;
      default = ".beeshome";
      description = ''
        Name (relative to the root of the filesystem) of the subvolume where
        the hash table will be stored.
      '';
    };
    options.extraOptions = mkOption {
      type = listOf str;
      default = [];
      description = ''
        Extra command-line options passed to the daemon. See upstream bees documentation.
      '';
      example = literalExample ''
        [ "--thread-count" "4" ]
      '';
    };
  };
 in {
  options.services.beesd = {
    filesystems = mkOption {
      type = with types; attrsOf (submodule fsOptions);
      description = "BTRFS filesystems to run block-level deduplication on.";
      default = { };
      example = literalExample ''
        {
          root = {
            spec = "LABEL=root";
            hashTableSizeMB = 2048;
            verbosity = "crit";
            extraOptions = [ "--loadavg-target" "5.0" ];
          };
        }
      '';
    };
  };
  config = {
    systemd.services = mapAttrs' (name: fs: nameValuePair "beesd@${name}" {
      description = "Block-level BTRFS deduplication for %i";
      after = [ "sysinit.target" ];
      serviceConfig = let
        configOpts = [
          fs.spec
          "verbosity=${toString fs.verbosity}"
          "idxSizeMB=${toString fs.hashTableSizeMB}"
          "workDir=${fs.workDir}"
        ];
        configOptsStr = escapeShellArgs configOpts;
      in {
        # Values from https://github.com/Zygo/bees/blob/v0.6.1/scripts/beesd%40.service.in
        ExecStart = "${pkgs.bees}/bin/bees-service-wrapper run ${configOptsStr} -- --no-timestamps ${escapeShellArgs fs.extraOptions}";
        ExecStopPost = "${pkgs.bees}/bin/bees-service-wrapper cleanup ${configOptsStr}";
        CPUAccounting = true;
        CPUWeight = 12;
        IOSchedulingClass = "idle";
        IOSchedulingPriority = 7;
        IOWeight = 10;
        KillMode = "control-group";
        KillSignal = "SIGTERM";
        MemoryAccounting = true;
        Nice = 19;
        Restart = "on-abnormal";
        StartupCPUWeight = 25;
        StartupIOWeight = 25;
        SyslogIdentifier = "bees"; # would otherwise be "bees-service-wrapper"
      };
      wantedBy = ["multi-user.target"];
    }) cfg.filesystems;
  };
 }
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -609,10 +609,6 @@ in {
          touch "${cfg.statePath}/db-seeded"
        fi
        # The gitlab:shell:setup regenerates the authorized_keys file so that
        # the store path to the gitlab-shell in it gets updated
        ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H force=yes ${gitlab-rake}/bin/gitlab-rake gitlab:shell:setup
        # The gitlab:shell:create_hooks task seems broken for fixing links
        # so we instead delete all the hooks and create them anew
        rm -f ${cfg.statePath}/repositories/**/*.git/hooks
--- a/nixos/modules/services/misc/nscd-sssd.conf
+++ b/nixos/modules/services/misc/nscd-sssd.conf
@ -1,36 +0,0 @@
 server-user             nscd
 threads                 1
 paranoia                no
 debug-level             0
 enable-cache            passwd          yes
 positive-time-to-live   passwd          0
 negative-time-to-live   passwd          0
 suggested-size          passwd          211
 check-files             passwd          yes
 persistent              passwd          no
 shared                  passwd          yes
 enable-cache            group           yes
 positive-time-to-live   group           0
 negative-time-to-live   group           0
 suggested-size          group           211
 check-files             group           yes
 persistent              group           no
 shared                  group           yes
 enable-cache            hosts           yes
 positive-time-to-live   hosts           600
 negative-time-to-live   hosts           5
 suggested-size          hosts           211
 check-files             hosts           yes
 persistent              hosts           no
 shared                  hosts           yes
 enable-cache            services        yes
 positive-time-to-live   services        0
 negative-time-to-live   services        0
 suggested-size          services        211
 check-files             services        yes
 persistent              services        no
 shared                  services        yes
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@ -75,7 +75,6 @@ in {
      };
      system.nssModules = optional cfg.enable pkgs.sssd;
      services.nscd.config = builtins.readFile ./nscd-sssd.conf;
      services.dbus.packages = [ pkgs.sssd ];
    })
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@ -169,8 +169,9 @@ in {
          Sets the maximum amount of time (in seconds) a connection may be reused.
          For MySQL this setting should be shorter than the `wait_timeout' variable.
        '';
-        default = 14400;
+        default = "unlimited";
-        type = types.int;
+        example = 14400;
        type = types.either types.int (types.enum [ "unlimited" ]);
      };
    };
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@ -127,7 +127,7 @@ let
        serviceConfig.Restart = mkDefault "always";
        serviceConfig.PrivateTmp = mkDefault true;
        serviceConfig.WorkingDirectory = mkDefault /tmp;
-      } serviceOpts ] ++ optional (serviceOpts.serviceConfig.DynamicUser or false) {
+      } serviceOpts ] ++ optional (!(serviceOpts.serviceConfig.DynamicUser or false)) {
        serviceConfig.User = conf.user;
        serviceConfig.Group = conf.group;
      });
--- a/nixos/modules/services/monitoring/prometheus/exporters/tor.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/tor.nix
@ -36,5 +36,10 @@ in
          ${concatStringsSep " \\\n  " cfg.extraFlags}
      '';
    };
    # CPython requires a process to either have $HOME defined or run as a UID
    # defined in /etc/passwd. The latter is false with DynamicUser, so define a
    # dummy $HOME. https://bugs.python.org/issue10496
    environment = { HOME = "/var/empty"; };
  };
 }
--- a/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixos/modules/services/network-filesystems/ipfs.nix
@ -74,7 +74,7 @@ in {
    services.ipfs = {
-      enable = mkEnableOption "Interplanetary File System";
+      enable = mkEnableOption "Interplanetary File System (WARNING: may cause severe network degredation)";
      user = mkOption {
        type = types.str;
--- a/nixos/modules/services/networking/chrony.nix
+++ b/nixos/modules/services/networking/chrony.nix
@ -12,7 +12,7 @@ let
    ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
    ${optionalString
-      cfg.initstepslew.enabled
+      (cfg.initstepslew.enabled && (cfg.servers != []))
      "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
    }
@ -113,6 +113,7 @@ in
          chown chrony:chrony ${stateDir} ${keyFile}
        '';
        unitConfig.ConditionCapability = "CAP_SYS_TIME";
        serviceConfig =
          { Type = "forking";
            ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
@ -121,8 +122,8 @@ in
            ProtectSystem = "full";
            PrivateTmp = "yes";
            ConditionCapability = "CAP_SYS_TIME";
          };
      };
  };
 }
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@ -71,7 +71,7 @@ let
          # anything ever again ("couldn't resolve ..., giving up on
          # it"), so we silently lose time synchronisation. This also
          # applies to openntpd.
-          ${config.systemd.package}/bin/systemctl try-reload-or-restart ntpd.service openntpd.service || true
+          ${config.systemd.package}/bin/systemctl try-reload-or-restart ntpd.service openntpd.service chronyd.service || true
      fi
      ${cfg.runHook}
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -488,7 +488,7 @@ in {
      '') cfg.dynamicHosts.hostsDirs);
      serviceConfig = {
        Type = "oneshot";
-        RemainAfterExist = true;
+        RemainAfterExit = true;
      };
    };
--- a/nixos/modules/services/networking/ntpd.nix
+++ b/nixos/modules/services/networking/ntpd.nix
@ -15,6 +15,10 @@ let
  configFile = pkgs.writeText "ntp.conf" ''
    driftfile ${stateDir}/ntp.drift
    restrict default ${toString cfg.restrictDefault}
    restrict -6 default ${toString cfg.restrictDefault}
    restrict source ${toString cfg.restrictSource}
    restrict 127.0.0.1
    restrict -6 ::1
@ -36,11 +40,40 @@ in
      enable = mkOption {
        default = false;
        description = ''
-          Whether to synchronise your machine's time using the NTP
+          Whether to synchronise your machine's time using ntpd, as a peer in
-          protocol.
+          the NTP network.
          </para>
          <para>
          Disables <literal>systemd.timesyncd</literal> if enabled.
        '';
      };
      restrictDefault = mkOption {
        type = types.listOf types.str;
        description = ''
          The restriction flags to be set by default.
          </para>
          <para>
          The default flags prevent external hosts from using ntpd as a DDoS
          reflector, setting system time, and querying OS/ntpd version. As
          recommended in section 6.5.1.1.3, answer "No" of
          http://support.ntp.org/bin/view/Support/AccessRestrictions
        '';
        default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ];
      };
      restrictSource = mkOption {
        type = types.listOf types.str;
        description = ''
          The restriction flags to be set on source.
          </para>
          <para>
          The default flags allow peers to be added by ntpd from configured
          pool(s), but not by other means.
        '';
        default = [ "limited" "kod" "nomodify" "notrap" "noquery" ];
      };
      servers = mkOption {
        default = config.networking.timeServers;
        description = ''
@ -51,6 +84,7 @@ in
      extraFlags = mkOption {
        type = types.listOf types.str;
        description = "Extra flags passed to the ntpd command.";
        example = literalExample ''[ "--interface=eth0" ]'';
        default = [];
      };
--- a/nixos/modules/services/networking/prosody.nix
+++ b/nixos/modules/services/networking/prosody.nix
@ -228,6 +228,7 @@ let
  createSSLOptsStr = o: ''
    ssl = {
      cafile = "/etc/ssl/certs/ca-bundle.crt";
      key = "${o.key}";
      certificate = "${o.cert}";
      ${concatStringsSep "\n" (mapAttrsToList (name: value: "${name} = ${toLua value};") o.extraOptions)}
--- a/nixos/modules/services/networking/shairport-sync.nix
+++ b/nixos/modules/services/networking/shairport-sync.nix
@ -27,7 +27,7 @@ in
      };
      arguments = mkOption {
-        default = "-v -d pulse";
+        default = "-v pulse";
        description = ''
          Arguments to pass to the daemon. Defaults to a local pulseaudio
          server.
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@ -202,7 +202,7 @@ let
        };
        script = ''
-          modprobe wireguard
+          ${optionalString (!config.boot.isContainer) "modprobe wireguard"}
          ${values.preSetup}
--- a/nixos/modules/services/search/kibana.nix
+++ b/nixos/modules/services/search/kibana.nix
@ -149,7 +149,10 @@ in {
      after = [ "network.target" "elasticsearch.service" ];
      environment = { BABEL_CACHE_PATH = "${cfg.dataDir}/.babelcache.json"; };
      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/kibana --config ${cfgFile}";
+        ExecStart =
          "${cfg.package}/bin/kibana" +
          " --config ${cfgFile}" +
          " --path.data ${cfg.dataDir}";
        User = "kibana";
        WorkingDirectory = cfg.dataDir;
      };
--- a/nixos/modules/services/system/nscd.conf
+++ b/nixos/modules/services/system/nscd.conf
@ -1,28 +1,52 @@
 # We basically use nscd as a proxy for forwarding nss requests to appropriate
 # nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
 # containing all such modules
 # Note that we can not use `enable-cache no` As this will actually cause nscd
 # to just reject the nss requests it receives, which then causes glibc to
 # fallback to trying to handle the request by itself. Which won't work as glibc
 # is not aware of the path in which the nss modules live.  As a workaround, we
 # have `enable-cache yes` with an explicit ttl of 0
 server-user             nscd
 threads                 1
 paranoia                no
 debug-level             0
 enable-cache            passwd          yes
-positive-time-to-live   passwd          600
+positive-time-to-live   passwd          0
-negative-time-to-live   passwd          20
+negative-time-to-live   passwd          0
 suggested-size          passwd          211
 check-files             passwd          yes
 persistent              passwd          no
 shared                  passwd          yes
 enable-cache            group           yes
-positive-time-to-live   group           3600
+positive-time-to-live   group           0
-negative-time-to-live   group           60
+negative-time-to-live   group           0
 suggested-size          group           211
 check-files             group           yes
 persistent              group           no
 shared                  group           yes
 enable-cache            netgroup        yes
 positive-time-to-live   netgroup        0
 negative-time-to-live   netgroup        0
 suggested-size          netgroup        211
 check-files             netgroup        yes
 persistent              netgroup        no
 shared                  netgroup        yes
 enable-cache            hosts           yes
 positive-time-to-live   hosts           600
-negative-time-to-live   hosts           5
+negative-time-to-live   hosts           0
 suggested-size          hosts           211
 check-files             hosts           yes
 persistent              hosts           no
 shared                  hosts           yes
 enable-cache            services        yes
 positive-time-to-live   services        0
 negative-time-to-live   services        0
 suggested-size          services        211
 check-files             services        yes
 persistent              services        no
 shared                  services        yes
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -484,4 +484,6 @@ in {
      };
    })
  ]);
  meta.doc = ./nextcloud.xml;
 }
--- a/nixos/modules/services/web-apps/nextcloud.xml
+++ b/nixos/modules/services/web-apps/nextcloud.xml
@ -0,0 +1,99 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="module-services-nextcloud">
 <title>Nextcloud</title>
 <para>
  <link xlink:href="https://nextcloud.com/">Nextcloud</link> is an open-source, self-hostable cloud
  platform. The server setup can be automated using
  <link linkend="opt-services.nextcloud.enable">services.nextcloud</link>. A desktop client is packaged
  at <literal>pkgs.nextcloud-client</literal>.
 </para>
 <section xml:id="module-services-nextcloud-basic-usage">
  <title>Basic usage</title>
  <para>
   Nextcloud is a PHP-based application which requires an HTTP server
   (<literal><link linkend="opt-services.nextcloud.enable">services.nextcloud</link></literal> optionally supports
   <literal><link linkend="opt-services.nginx.enable">services.nginx</link></literal>) and a database
   (it's recommended to use <literal><link linkend="opt-services.postgresql.enable">services.postgresql</link></literal>).
  </para>
  <para>
    A very basic configuration may look like this:
 <programlisting>{ pkgs, ... }:
 {
  services.nextcloud = {
    <link linkend="opt-services.nextcloud.enable">enable</link> = true;
    <link linkend="opt-services.nextcloud.hostName">hostName</link> = "nextcloud.tld";
    <link linkend="opt-services.nextcloud.nginx.enable">nginx.enable</link> = true;
    config = {
      <link linkend="opt-services.nextcloud.config.dbtype">dbtype</link> = "pgsql";
      <link linkend="opt-services.nextcloud.config.dbuser">dbuser</link> = "nextcloud";
      <link linkend="opt-services.nextcloud.config.dbhost">dbhost</link> = "/tmp"; # nextcloud will add /.s.PGSQL.5432 by itself
      <link linkend="opt-services.nextcloud.config.dbname">dbname</link> = "nextcloud";
      <link linkend="opt-services.nextcloud.config.adminpassFile">adminpassFile</link> = "/path/to/admin-pass-file";
      <link linkend="opt-services.nextcloud.config.adminuser">adminuser</link> = "root";
    };
  };
  services.postgresql = {
    <link linkend="opt-services.postgresql.enable">enable</link> = true;
    <link linkend="opt-services.postgresql.initialScript">initialScript</link> = pkgs.writeText "psql-init" ''
      CREATE ROLE nextcloud WITH LOGIN;
      CREATE DATABASE nextcloud WITH OWNER nextcloud;
    '';
  };
  # ensure that postgres is running *before* running the setup
  systemd.services."nextcloud-setup" = {
    requires = ["postgresql.service"];
    after = ["postgresql.service"];
  };
  <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
 }</programlisting>
  </para>
  <para>
   The options <literal>hostName</literal> and <literal>nginx.enable</literal> are used internally to configure an
   HTTP server using <literal><link xlink:href="https://php-fpm.org/">PHP-FPM</link></literal> and <literal>nginx</literal>.
   The <literal>config</literal> attribute set is used for the <literal>config.php</literal> which is used
   for the application's configuration.
   <emphasis>Beware: this isn't entirely pure since the config is modified by the application's runtime!</emphasis>
  </para>
  <para>
    In case the application serves multiple hosts (those are checked with
    <literal><link xlink:href="http://php.net/manual/en/reserved.variables.server.php">$_SERVER['HTTP_HOST']</link></literal>)
    those can be added using
    <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>.
  </para>
 </section>
 <section xml:id="module-services-nextcloud-pitfalls-during-upgrade">
  <title>Pitfalls</title>
  <para>
   Unfortunately Nextcloud appears to be very stateful when it comes to managing its own configuration. The
   config file lives in the home directory of the <literal>nextcloud</literal> user (by default
   <literal>/var/lib/nextcloud/config/config.php</literal>) and is also used to track several
   states of the application (e.g. whether installed or not).
  </para>
  <para>
   Right now changes to the <literal>services.nextcloud.config</literal> attribute set won't take effect
   after the first install
   (except <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>) since the actual configuration
   file is generated by the NextCloud installer which also sets up critical parts such as the database
   structure.
  </para>
  <para>
   <emphasis>Warning: don't delete <literal>config.php</literal>! This file tracks the application's state and a deletion can cause unwanted side-effects!</emphasis>
  </para>
  <para>
   <emphasis>Warning: don't rerun <literal>nextcloud-occ maintenance:install</literal>! This command tries to install the application and can cause unwanted side-effects!</emphasis>
  </para>
  <para>
    The issues are known and reported in <link xlink:href="https://github.com/NixOS/nixpkgs/issues/49783">#49783</link>, for now it's unfortunately necessary to manually work around these issues.
  </para>
 </section>
 </chapter>
--- a/nixos/modules/services/web-apps/quassel-webserver.nix
+++ b/nixos/modules/services/web-apps/quassel-webserver.nix
@ -1,101 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.quassel-webserver;
  quassel-webserver = cfg.pkg;
  settings = ''
    module.exports = {
      default: {
        host: '${cfg.quasselCoreHost}',  // quasselcore host
        port: ${toString cfg.quasselCorePort},  // quasselcore port
        initialBacklogLimit: ${toString cfg.initialBacklogLimit},  // Amount of backlogs to fetch per buffer on connection
        backlogLimit: ${toString cfg.backlogLimit},  // Amount of backlogs to fetch per buffer after first retrieval
        securecore: ${boolToString cfg.secureCore},  // Connect to the core using SSL
        theme: '${cfg.theme}'  // Default UI theme
      },
      themes: ['default', 'darksolarized'],  //  Available themes
      forcedefault: ${boolToString cfg.forceHostAndPort},  // Will force default host and port to be used, and will hide the corresponding fields in the UI
      prefixpath: '${cfg.prefixPath}'  // Configure this if you use a reverse proxy
    };
  '';
  settingsFile = pkgs.writeText "settings-user.js" settings;
 in {
  options = {
    services.quassel-webserver = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "Whether to enable the quassel webclient service";
      };
      pkg = mkOption {
        default = pkgs.quassel-webserver;
        defaultText = "pkgs.quassel-webserver";
        type = types.package;
        description = "The quassel-webserver package";
      };
      quasselCoreHost = mkOption {
        default = "";
        type = types.str;
        description = "The default host of the quassel core";
      };
      quasselCorePort = mkOption {
        default = 4242;
        type = types.int;
        description = "The default quassel core port";
      };
      initialBacklogLimit = mkOption {
        default = 20;
        type = types.int;
        description = "Amount of backlogs to fetch per buffer on connection";
      };
      backlogLimit = mkOption {
        default = 100;
        type = types.int;
        description = "Amount of backlogs to fetch per buffer after first retrieval";
      };
      secureCore = mkOption {
        default = true;
        type = types.bool;
        description = "Connect to the core using SSL";
      };
      theme = mkOption {
        default = "default";
        type = types.str;
        description = "default or darksolarized";
      };
      prefixPath = mkOption {
        default = "";
        type = types.str;
        description = "Configure this if you use a reverse proxy. Must start with a '/'";
        example = "/quassel";
      };
      port = mkOption {
        default = 60443;
        type = types.int;
        description = "The port the quassel webserver should listen on";
      };
      useHttps = mkOption {
        default = true;
        type = types.bool;
        description = "Whether the quassel webserver connection should be a https connection";
      };
      forceHostAndPort = mkOption {
        default = false;
        type = types.bool;
        description = "Force the users to use the quasselCoreHost and quasselCorePort defaults";
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services.quassel-webserver = {
      description = "A web server/client for Quassel";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${quassel-webserver}/lib/node_modules/quassel-webserver/bin/www -p ${toString cfg.port} -m ${if cfg.useHttps == true then "https" else "http"} -c ${settingsFile}";
      };
    };
  };
 }
--- a/nixos/modules/services/web-servers/apache-httpd/limesurvey.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/limesurvey.nix
@ -85,7 +85,7 @@ in rec {
    id = mkOption {
      default = "main";
      description = ''
-        A unique identifier necessary to keep multiple owncloud server
+        A unique identifier necessary to keep multiple Limesurvey server
        instances on the same machine apart.  This is used to
        disambiguate the administrative scripts, which get names like
        mediawiki-$id-change-password.
--- a/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
@ -83,11 +83,11 @@ let
  # Unpack Mediawiki and put the config file in its root directory.
  mediawikiRoot = pkgs.stdenv.mkDerivation rec {
-    name= "mediawiki-1.29.1";
+    name= "mediawiki-1.31.1";
    src = pkgs.fetchurl {
-      url = "https://releases.wikimedia.org/mediawiki/1.29/${name}.tar.gz";
+      url = "https://releases.wikimedia.org/mediawiki/1.31/${name}.tar.gz";
-      sha256 = "03mpazbxvb011s2nmlw5p6dc43yjgl5yrsilmj1imyykm57bwb3m";
+      sha256 = "13x48clij21cmysjkpnx68vggchrdasqp7b290j87xlfgjhdhnnf";
    };
    skins = config.skins;
@ -111,7 +111,7 @@ let
        sed -i \
        -e 's|/bin/bash|${pkgs.bash}/bin/bash|g' \
        -e 's|/usr/bin/timeout|${pkgs.coreutils}/bin/timeout|g' \
-          $out/includes/limit.sh \
+          $out/includes/shell/limit.sh \
          $out/includes/GlobalFunctions.php
      '';
  };
--- a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
@ -1,608 +0,0 @@
 { config, lib, pkgs, serverInfo, php, ... }:
 with lib;
 let
  owncloudConfig = pkgs.writeText "config.php"
    ''
      <?php
      /* Only enable this for local development and not in productive environments */
      /* This will disable the minifier and outputs some additional debug informations */
      define("DEBUG", false);
      $CONFIG = array(
      /* Flag to indicate ownCloud is successfully installed (true = installed) */
      "installed" => true,
      /* Type of database, can be sqlite, mysql or pgsql */
      "dbtype" => "${config.dbType}",
      /* Name of the ownCloud database */
      "dbname" => "${config.dbName}",
      /* User to access the ownCloud database */
      "dbuser" => "${config.dbUser}",
      /* Password to access the ownCloud database */
      "dbpassword" => "${config.dbPassword}",
      /* Host running the ownCloud database. To specify a port use "HOSTNAME:####"; to specify a unix sockets use "localhost:/path/to/socket". */
      "dbhost" => "${config.dbServer}",
      /* Prefix for the ownCloud tables in the database */
      "dbtableprefix" => "",
      /* Force use of HTTPS connection (true = use HTTPS) */
      "forcessl" => ${config.forceSSL},
      /* Blacklist a specific file and disallow the upload of files with this name - WARNING: USE THIS ONLY IF YOU KNOW WHAT YOU ARE DOING. */
      "blacklisted_files" => array('.htaccess'),
      /* The automatic hostname detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the automatic detection. You can also add a port. For example "www.example.com:88" */
      "overwritehost" => "${config.overwriteHost}",
      /* The automatic protocol detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the protocol detection. For example "https" */
      "overwriteprotocol" => "${config.overwriteProtocol}",
      /* The automatic webroot detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the automatic detection. For example "/domain.tld/ownCloud". The value "/" can be used to remove the root. */
      "overwritewebroot" => "${config.overwriteWebRoot}",
      /* The automatic detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to define a manually override condition as regular expression for the remote ip address. For example "^10\.0\.0\.[1-3]$" */
      "overwritecondaddr" => "",
      /* A proxy to use to connect to the internet. For example "myproxy.org:88" */
      "proxy" => "",
      /* The optional authentication for the proxy to use to connect to the internet. The format is: [username]:[password] */
      "proxyuserpwd" => "",
      /* List of trusted domains, to prevent host header poisoning ownCloud is only using these Host headers */
      ${if config.trustedDomain != "" then "'trusted_domains' => array('${config.trustedDomain}')," else ""}
      /* Theme to use for ownCloud */
      "theme" => "",
      /* Optional ownCloud default language - overrides automatic language detection on public pages like login or shared items. This has no effect on the user's language preference configured under "personal -> language" once they have logged in */
      "default_language" => "${config.defaultLang}",
      /* Path to the parent directory of the 3rdparty directory */
      "3rdpartyroot" => "",
      /* URL to the parent directory of the 3rdparty directory, as seen by the browser */
      "3rdpartyurl" => "",
      /* Default app to open on login.
       * This can be a comma-separated list of app ids.
       * If the first app is not enabled for the current user,
       * it will try with the second one and so on. If no enabled app could be found,
       * the "files" app will be displayed instead. */
      "defaultapp" => "${config.defaultApp}",
      /* Enable the help menu item in the settings */
      "knowledgebaseenabled" => true,
      /* Enable installing apps from the appstore */
      "appstoreenabled" => ${config.appStoreEnable},
      /* URL of the appstore to use, server should understand OCS */
      "appstoreurl" => "https://api.owncloud.com/v1",
      /* Domain name used by ownCloud for the sender mail address, e.g. no-reply@example.com */
      "mail_domain" => "${config.mailFromDomain}",
      /* FROM address used by ownCloud for the sender mail address, e.g. owncloud@example.com
         This setting overwrites the built in 'sharing-noreply' and 'lostpassword-noreply'
         FROM addresses, that ownCloud uses
      */
      "mail_from_address" => "${config.mailFrom}",
      /* Enable SMTP class debugging */
      "mail_smtpdebug" => false,
      /* Mode to use for sending mail, can be sendmail, smtp, qmail or php, see PHPMailer docs */
      "mail_smtpmode" => "${config.SMTPMode}",
      /* Host to use for sending mail, depends on mail_smtpmode if this is used */
      "mail_smtphost" => "${config.SMTPHost}",
      /* Port to use for sending mail, depends on mail_smtpmode if this is used */
      "mail_smtpport" => ${config.SMTPPort},
      /* SMTP server timeout in seconds for sending mail, depends on mail_smtpmode if this is used */
      "mail_smtptimeout" => ${config.SMTPTimeout},
      /* SMTP connection prefix or sending mail, depends on mail_smtpmode if this is used.
         Can be "", ssl or tls */
      "mail_smtpsecure" => "${config.SMTPSecure}",
      /* authentication needed to send mail, depends on mail_smtpmode if this is used
       * (false = disable authentication)
       */
      "mail_smtpauth" => ${config.SMTPAuth},
      /* authentication type needed to send mail, depends on mail_smtpmode if this is used
       * Can be LOGIN (default), PLAIN or NTLM */
      "mail_smtpauthtype" => "${config.SMTPAuthType}",
      /* Username to use for sendmail mail, depends on mail_smtpauth if this is used */
      "mail_smtpname" => "${config.SMTPUser}",
      /* Password to use for sendmail mail, depends on mail_smtpauth if this is used */
      "mail_smtppassword" => "${config.SMTPPass}",
      /* memcached servers (Only used when xCache, APC and APCu are absent.) */
      "memcached_servers" => array(
          // hostname, port and optional weight. Also see:
          // http://www.php.net/manual/en/memcached.addservers.php
          // http://www.php.net/manual/en/memcached.addserver.php
          //array('localhost', 11211),
          //array('other.host.local', 11211),
      ),
      /* How long should ownCloud keep deleted files in the trash bin, default value:  30 days */
      'trashbin_retention_obligation' => 30,
      /* Disable/Enable auto expire for the trash bin, by default auto expire is enabled */
      'trashbin_auto_expire' => true,
      /* allow user to change his display name, if it is supported by the back-end */
      'allow_user_to_change_display_name' => true,
      /* Check 3rdparty apps for malicious code fragments */
      "appcodechecker" => true,
      /* Check if ownCloud is up to date */
      "updatechecker" => true,
      /* Are we connected to the internet or are we running in a closed network? */
      "has_internet_connection" => true,
      /* Check if the ownCloud WebDAV server is working correctly. Can be disabled if not needed in special situations*/
      "check_for_working_webdav" => true,
      /* Check if .htaccess protection of data is working correctly. Can be disabled if not needed in special situations*/
      "check_for_working_htaccess" => true,
      /* Place to log to, can be owncloud and syslog (owncloud is log menu item in admin menu) */
      "log_type" => "owncloud",
      /* File for the owncloud logger to log to, (default is ownloud.log in the data dir) */
      "logfile" => "${config.dataDir}/owncloud.log",
      /* Loglevel to start logging at. 0=DEBUG, 1=INFO, 2=WARN, 3=ERROR (default is WARN) */
      "loglevel" => "2",
      /* date format to be used while writing to the owncloud logfile */
      'logdateformat' => 'F d, Y H:i:s',
      ${tzSetting}
      /* Append all database queries and parameters to the log file.
       (watch out, this option can increase the size of your log file)*/
      "log_query" => false,
      /* Whether ownCloud should log the last successfull cron exec */
      "cron_log" => true,
      /*
       * Configure the size in bytes log rotation should happen, 0 or false disables the rotation.
       * This rotates the current owncloud logfile to a new name, this way the total log usage
       * will stay limited and older entries are available for a while longer. The
       * total disk usage is twice the configured size.
       * WARNING: When you use this, the log entries will eventually be lost.
       */
      'log_rotate_size' => "104857600", // 104857600, // 100 MiB
      /* Lifetime of the remember login cookie, default is 15 days */
      "remember_login_cookie_lifetime" => 1296000,
      /* Life time of a session after inactivity */
      "session_lifetime" => 86400,
      /*
       * Enable/disable session keep alive when a user is logged in in the Web UI.
       * This is achieved by sending a "heartbeat" to the server to prevent
       * the session timing out.
       */
      "session_keepalive" => true,
      /* Custom CSP policy, changing this will overwrite the standard policy */
      "custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *",
      /* Enable/disable X-Frame-Restriction */
      /* HIGH SECURITY RISK IF DISABLED*/
      "xframe_restriction" => true,
      /* The directory where the user data is stored, default to data in the owncloud
       * directory. The sqlite database is also stored here, when sqlite is used.
       */
      "datadirectory" => "${config.dataDir}/storage",
      /* The directory where the skeleton files are located. These files will be copied to the data
       * directory of new users. Leave empty to not copy any skeleton files.
       */
      // "skeletondirectory" => "",
      /* Enable maintenance mode to disable ownCloud
         If you want to prevent users to login to ownCloud before you start doing some maintenance work,
         you need to set the value of the maintenance parameter to true.
         Please keep in mind that users who are already logged-in are kicked out of ownCloud instantly.
      */
      "maintenance" => false,
      "apps_paths" => array(
      /* Set an array of path for your apps directories
       key 'path' is for the fs path and the key 'url' is for the http path to your
       applications paths. 'writable' indicates whether the user can install apps in this folder.
       You must have at least 1 app folder writable or you must set the parameter 'appstoreenabled' to false
      */
          array(
              'path'=> '${config.dataDir}/apps',
              'url' => '/apps',
              'writable' => true,
          ),
      ),
      'user_backends'=>array(
          /*
          array(
              'class'=>'OC_User_IMAP',
              'arguments'=>array('{imap.gmail.com:993/imap/ssl}INBOX')
          )
          */
      ),
      //links to custom clients
      'customclient_desktop' => ''', //http://owncloud.org/sync-clients/
      'customclient_android' => ''', //https://play.google.com/store/apps/details?id=com.owncloud.android
      'customclient_ios' => ''', //https://itunes.apple.com/us/app/owncloud/id543672169?mt=8
      // PREVIEW
      'enable_previews' => true,
      /* the max width of a generated preview, if value is null, there is no limit */
      'preview_max_x' => null,
      /* the max height of a generated preview, if value is null, there is no limit */
      'preview_max_y' => null,
      /* the max factor to scale a preview, default is set to 10 */
      'preview_max_scale_factor' => 10,
      /* custom path for libreoffice / openoffice binary */
      'preview_libreoffice_path' => '${config.libreofficePath}',
      /* cl parameters for libreoffice / openoffice */
      'preview_office_cl_parameters' => ''',
      /* whether avatars should be enabled */
      'enable_avatars' => true,
      // Extra SSL options to be used for configuration
      'openssl' => array(
          'config' => '/etc/ssl/openssl.cnf',
      ),
      // default cipher used for file encryption, currently we support AES-128-CFB and AES-256-CFB
      'cipher' => 'AES-256-CFB',
      /* whether usage of the instance should be restricted to admin users only */
      'singleuser' => false,
      /* all css and js files will be served by the web server statically in one js file and ons css file*/
      'asset-pipeline.enabled' => false,
      /* where mount.json file should be stored, defaults to data/mount.json */
      'mount_file' => ''',
      /*
       * Location of the cache folder, defaults to "data/$user/cache" where "$user" is the current user.
       *
       * When specified, the format will change to "$cache_path/$user" where "$cache_path" is the configured
       * cache directory and "$user" is the user.
       *
       */
      'cache_path' => ''',
      /* EXPERIMENTAL: option whether to include external storage in quota calculation, defaults to false */
      'quota_include_external_storage' => false,
      /*
       * specifies how often the filesystem is checked for changes made outside owncloud
       * 0 -> never check the filesystem for outside changes, provides a performance increase when it's certain that no changes are made directly to the filesystem
       * 1 -> check each file or folder at most once per request, recomended for general use if outside changes might happen
       * 2 -> check every time the filesystem is used, causes a performance hit when using external storages, not recomended for regular use
       */
      'filesystem_check_changes' => 1,
      /* If true, prevent owncloud from changing the cache due to changes in the filesystem for all storage */
      'filesystem_cache_readonly' => false,
      /**
       * define default folder for shared files and folders
       */
      'share_folder' => '/',
      'version' => '${config.package.version}',
      'openssl' => '${pkgs.openssl.bin}/bin/openssl'
      );
    '';
  tzSetting = let tz = serverInfo.fullConfig.time.timeZone; in optionalString (!isNull tz) ''
    /* timezone used while writing to the owncloud logfile (default: UTC) */
    'logtimezone' => '${tz}',
  '';
  postgresql = serverInfo.fullConfig.services.postgresql.package;
  setupDb = pkgs.writeScript "setup-owncloud-db" ''
    #!${pkgs.runtimeShell}
    PATH="${postgresql}/bin"
    createuser --no-superuser --no-createdb --no-createrole "${config.dbUser}" || true
    createdb "${config.dbName}" -O "${config.dbUser}" || true
    psql -U postgres -d postgres -c "alter user ${config.dbUser} with password '${config.dbPassword}';" || true
    QUERY="CREATE TABLE appconfig
             ( appid       VARCHAR( 255 ) NOT NULL
             , configkey   VARCHAR( 255 ) NOT NULL
             , configvalue VARCHAR( 255 ) NOT NULL
             );
           GRANT ALL ON appconfig TO ${config.dbUser};
           ALTER TABLE appconfig OWNER TO ${config.dbUser};"
    psql -h "/tmp" -U postgres -d ${config.dbName} -Atw -c "$QUERY" || true
  '';
 in
 rec {
  extraConfig =
    ''
      ${if config.urlPrefix != "" then "Alias ${config.urlPrefix} ${config.package}" else ''
        RewriteEngine On
        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
      ''}
      <Directory ${config.package}>
        Include ${config.package}/.htaccess
      </Directory>
    '';
  globalEnvVars = [
    { name = "OC_CONFIG_PATH"; value = "${config.dataDir}/config/"; }
  ];
  documentRoot = if config.urlPrefix == "" then config.package else null;
  enablePHP = true;
  options = {
    package = mkOption {
      type = types.package;
      default = pkgs.owncloud70;
      defaultText = "pkgs.owncloud70";
      example = literalExample "pkgs.owncloud70";
      description = ''
          ownCloud package to use.
      '';
    };
    urlPrefix = mkOption {
      default = "";
      example = "/owncloud";
      description = ''
        The URL prefix under which the owncloud service appears.
      '';
    };
    id = mkOption {
      default = "main";
      description = ''
        A unique identifier necessary to keep multiple owncloud server
        instances on the same machine apart.  This is used to
        disambiguate the administrative scripts, which get names like
        mediawiki-$id-change-password.
      '';
    };
    adminUser = mkOption {
      default = "owncloud";
      description = "The admin user name for accessing owncloud.";
    };
    adminPassword = mkOption {
      description = "The admin password for accessing owncloud.";
    };
    dbType = mkOption {
      default = "pgsql";
      description = "Type of database, in NixOS, for now, only pgsql.";
    };
    dbName = mkOption {
      default = "owncloud";
      description = "Name of the database that holds the owncloud data.";
    };
    dbServer = mkOption {
      default = "localhost:5432";
      description = ''
        The location of the database server.
      '';
    };
    dbUser = mkOption {
      default = "owncloud";
      description = "The user name for accessing the database.";
    };
    dbPassword = mkOption {
      example = "foobar";
      description = ''
        The password of the database user.  Warning: this is stored in
        cleartext in the Nix store!
      '';
    };
    forceSSL = mkOption {
      default = "false";
      description = "Force use of HTTPS connection.";
    };
    adminAddr = mkOption {
      default = serverInfo.serverConfig.adminAddr;
      example = "admin@example.com";
      description = ''
        Emergency contact e-mail address.  Defaults to the Apache
        admin address.
      '';
    };
    siteName = mkOption {
      default = "owncloud";
      example = "Foobar owncloud";
      description = "Name of the owncloud";
    };
    trustedDomain = mkOption {
      default = "";
      description = "Trusted domain";
    };
    defaultLang = mkOption {
      default = "";
      description = "Default language";
    };
    defaultApp = mkOption {
      default = "";
      description = "Default application";
    };
    appStoreEnable = mkOption {
      default = "true";
      description = "Enable app store";
    };
    mailFrom = mkOption {
      default = "no-reply";
      description = "Mail from";
    };
    mailFromDomain = mkOption {
      default = "example.xyz";
      description = "Mail from domain";
    };
    SMTPMode = mkOption {
      default = "smtp";
      description = "Which mode to use for sending mail: sendmail, smtp, qmail or php.";
    };
    SMTPHost = mkOption {
      default = "";
      description = "SMTP host";
    };
    SMTPPort = mkOption {
      default = "25";
      description = "SMTP port";
    };
    SMTPTimeout = mkOption {
      default = "10";
      description = "SMTP mode";
    };
    SMTPSecure = mkOption {
      default = "ssl";
      description = "SMTP secure";
    };
    SMTPAuth = mkOption {
      default = "true";
      description = "SMTP auth";
    };
    SMTPAuthType = mkOption {
      default = "LOGIN";
      description = "SMTP auth type";
    };
    SMTPUser = mkOption {
      default = "";
      description = "SMTP user";
    };
    SMTPPass = mkOption {
      default = "";
      description = "SMTP pass";
    };
    dataDir = mkOption {
      default = "/var/lib/owncloud";
      description = "Data dir";
    };
    libreofficePath = mkOption {
      default = "/usr/bin/libreoffice";
      description = "Path for LibreOffice/OpenOffice binary.";
    };
    overwriteHost = mkOption {
      default = "";
      description = "The automatic hostname detection of ownCloud can fail in
        certain reverse proxy and CLI/cron situations. This option allows to
        manually override the automatic detection. You can also add a port.";
    };
    overwriteProtocol = mkOption {
      default = "";
      description = "The automatic protocol detection of ownCloud can fail in
        certain reverse proxy and CLI/cron situations. This option allows to
        manually override the protocol detection.";
    };
    overwriteWebRoot = mkOption {
      default = "";
      description = "The automatic webroot detection of ownCloud can fail in
        certain reverse proxy and CLI/cron situations. This option allows to
        manually override the automatic detection.";
    };
  };
  startupScript = pkgs.writeScript "owncloud_startup.sh" ''
    if [ ! -d ${config.dataDir}/config ]; then
      mkdir -p ${config.dataDir}/config
      cp ${owncloudConfig} ${config.dataDir}/config/config.php
      mkdir -p ${config.dataDir}/storage
      mkdir -p ${config.dataDir}/apps
      cp -r ${config.package}/apps/* ${config.dataDir}/apps/
      chmod -R ug+rw ${config.dataDir}
      chmod -R o-rwx ${config.dataDir}
      chown -R wwwrun:wwwrun ${config.dataDir}
      ${pkgs.sudo}/bin/sudo -u postgres ${setupDb}
    fi
    if [ -e ${config.package}/config/ca-bundle.crt ]; then
      cp -f ${config.package}/config/ca-bundle.crt ${config.dataDir}/config/
    fi
    ${php}/bin/php ${config.package}/occ upgrade >> ${config.dataDir}/upgrade.log || true
    chown wwwrun:wwwrun ${config.dataDir}/owncloud.log || true
    QUERY="INSERT INTO groups (gid) values('admin');
           INSERT INTO users (uid,password)
             values('${config.adminUser}','${builtins.hashString "sha1" config.adminPassword}');
           INSERT INTO group_user (gid,uid)
             values('admin','${config.adminUser}');"
    ${pkgs.sudo}/bin/sudo -u postgres ${postgresql}/bin/psql -h "/tmp" -U postgres -d ${config.dbName} -Atw -c "$QUERY" || true
  '';
 }
--- a/Show More
+++ b/Show More