Merge remote-tracking branch 'upstream/staging' into fix/cross-xfsprogs

2018-12-02 12:32:03 -05:00 · 2018-12-02 12:32:03 -05:00 · 24270193b7
commit 24270193b7
parent 0b695faa07 aa65b32c2c
871 changed files with 10107 additions and 5804 deletions
--- a/doc/coding-conventions.xml
+++ b/doc/coding-conventions.xml
@ -56,25 +56,30 @@ foo { arg = ...; }
     or list elements should be aligned:
 <programlisting>
 # A long list.
-list =
+list = [
-  [ elem1
+  elem1
  elem2
  elem3
-  ];
+];
 # A long attribute set.
 attrs =
  { attr1 = short_expr;
    attr2 =
      if true then big_expr else big_expr;
  };
 # Alternatively:
 attrs = {
  attr1 = short_expr;
  attr2 =
    if true then big_expr else big_expr;
 };
 # Combined
 listOfAttrs = [
  {
    attr1 = 3;
    attr2 = "fff";
  }
  {
    attr1 = 5;
    attr2 = "ggg";
  }
 ];
 </programlisting>
    </para>
   </listitem>
--- a/doc/cross-compilation.xml
+++ b/doc/cross-compilation.xml
@ -385,7 +385,7 @@ nix-build &lt;nixpkgs&gt; --arg crossSystem '(import &lt;nixpkgs/lib&gt;).system
    Eventually we would like to make these platform examples an unnecessary
    convenience so that
 <programlisting>
-nix-build &lt;nixpkgs&gt; --arg crossSystem.config '&lt;arch&gt;-&lt;os&gt;-&lt;vendor&gt;-&lt;abi&gt;' -A whatever</programlisting>
+nix-build &lt;nixpkgs&gt; --arg crossSystem '{ config = "&lt;arch&gt;-&lt;os&gt;-&lt;vendor&gt;-&lt;abi&gt;"; }' -A whatever</programlisting>
    works in the vast majority of cases. The problem today is dependencies on
    other sorts of configuration which aren't given proper defaults. We rely on
    the examples to crudely to set those configuration parameters in some
--- a/doc/languages-frameworks/ruby.xml
+++ b/doc/languages-frameworks/ruby.xml
@ -50,6 +50,17 @@ bundlerEnv rec {
  future updates can be run easily.
 </para>
 <para>
  Updating Ruby packages can then be done like this:
 </para>
 <screen>
 <![CDATA[$ cd pkgs/servers/monitoring/sensu
 $ nix-shell -p bundler --run 'bundle lock --update'
 $ nix-shell -p bundix --run 'bundix'
 ]]>
 </screen>
 <para>
  For tools written in Ruby - i.e. where the desire is to install a package and
  then execute e.g. <command>rake</command> at the command line, there is an
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@ -2428,12 +2428,31 @@ addEnvHooks "$hostOffset" myBashFunction
      <para>
       This is a special setup hook which helps in packaging proprietary
       software in that it automatically tries to find missing shared library
-       dependencies of ELF files. All packages within the
+       dependencies of ELF files based on the given
-       <envar>runtimeDependencies</envar> environment variable are
+       <varname>buildInputs</varname> and <varname>nativeBuildInputs</varname>.
-       unconditionally added to executables, which is useful for programs that
+      </para>
-       use <citerefentry>
+      <para>
       You can also specify a <envar>runtimeDependencies</envar> environment
       variable which lists dependencies that are unconditionally added to all
       executables.
      </para>
      <para>
       This is useful for programs that use <citerefentry>
        <refentrytitle>dlopen</refentrytitle>
-       <manvolnum>3</manvolnum> </citerefentry> to load libraries at runtime.
+        <manvolnum>3</manvolnum>
       </citerefentry> to load libraries at runtime.
      </para>
      <para>
        In certain situations you may want to run the main command
        (<command>autoPatchelf</command>) of the setup hook on a file or a set
        of directories instead of unconditionally patching all outputs. This
        can be done by setting the <envar>dontAutoPatchelf</envar> environment
        variable to a non-empty value.
      </para>
      <para>
        The <command>autoPatchelf</command> command also recognizes a
        <parameter class="command">--no-recurse</parameter> command line flag,
        which prevents it from recursing into subdirectories.
      </para>
     </listitem>
    </varlistentry>
@ -2455,7 +2474,17 @@ addEnvHooks "$hostOffset" myBashFunction
       use the cntr exec subcommand. Note that <command>cntr</command> also
       needs to be executed on the machine that is doing the build, which might
       be not the case when remote builders are enabled.
-       <command>cntr</command> is only supported on linux based platforms.
+       <command>cntr</command> is only supported on Linux-based platforms. To
       use it first add <literal>cntr</literal> to your
       <literal>environment.systemPackages</literal> on NixOS or alternatively to
       the root user on non-NixOS systems. Then in the package that is supposed
       to be inspected, add <literal>breakpointHook</literal> to
       <literal>nativeBuildInputs</literal>.
 <programlisting>
         nativeBuildInputs = [ breakpointHook ];
       </programlisting>
       When a build failure happens there will be an instruction printed that
       shows how to attach with <literal>cntr</literal> to the build sandbox.
      </para>
     </listitem>
    </varlistentry>
--- a/lib/systems/default.nix
+++ b/lib/systems/default.nix
@ -66,6 +66,46 @@ rec {
         # uname -r
         release = null;
      };
      qemuArch =
        if final.isArm then "arm"
        else if final.isx86_64 then "x86_64"
        else if final.isx86 then "i386"
        else {
          "powerpc" = "ppc";
          "powerpc64" = "ppc64";
          "powerpc64le" = "ppc64";
          "mips64" = "mips";
          "mipsel64" = "mipsel";
        }.${final.parsed.cpu.name} or final.parsed.cpu.name;
      emulator = pkgs: let
        qemu-user = pkgs.qemu.override {
          smartcardSupport = false;
          spiceSupport = false;
          openGLSupport = false;
          virglSupport = false;
          vncSupport = false;
          gtkSupport = false;
          sdlSupport = false;
          pulseSupport = false;
          smbdSupport = false;
          seccompSupport = false;
          hostCpuTargets = ["${final.qemuArch}-linux-user"];
        };
        wine-name = "wine${toString final.parsed.cpu.bits}";
        wine = (pkgs.winePackagesFor wine-name).minimal;
      in
        if final.parsed.kernel.name == pkgs.stdenv.hostPlatform.parsed.kernel.name &&
           (final.parsed.cpu.name == pkgs.stdenv.hostPlatform.parsed.cpu.name ||
            (final.platform.isi686 && pkgs.stdenv.hostPlatform.isx86_64))
        then pkgs.runtimeShell
        else if final.isWindows
        then "${wine}/bin/${wine-name}"
        else if final.isLinux && pkgs.stdenv.hostPlatform.isLinux
        then "${qemu-user}/bin/qemu-${final.qemuArch}"
        else throw "Don't know how to run ${final.config} executables.";
    } // mapAttrs (n: v: v final.parsed) inspect.predicates
      // args;
  in assert final.useAndroidPrebuilt -> final.isAndroid;
--- a/lib/systems/examples.nix
+++ b/lib/systems/examples.nix
@ -2,7 +2,14 @@
 # `crossSystem`. They are put here for user convenience, but also used by cross
 # tests and linux cross stdenv building, so handle with care!
 { lib }:
-let platforms = import ./platforms.nix { inherit lib; }; in
+let
  platforms = import ./platforms.nix { inherit lib; };
  riscv = bits: {
    config = "riscv${bits}-unknown-linux-gnu";
    platform = platforms.riscv-multiplatform bits;
  };
 in
 rec {
  #
@ -92,10 +99,6 @@ rec {
  musl64 = { config = "x86_64-unknown-linux-musl"; };
  musl32  = { config = "i686-unknown-linux-musl"; };
  riscv = bits: {
    config = "riscv${bits}-unknown-linux-gnu";
    platform = platforms.riscv-multiplatform bits;
  };
  riscv64 = riscv "64";
  riscv32 = riscv "32";
--- a/nixos/doc/manual/configuration/modularity.xml
+++ b/nixos/doc/manual/configuration/modularity.xml
@ -127,4 +127,23 @@ nix-repl> map (x: x.hostName) config.<xref linkend="opt-services.httpd.virtualHo
 [ "example.org" "example.gov" ]
 </screen>
 </para>
 <para>
   While abstracting your configuration, you may find it useful to generate
   modules using code, instead of writing files. The example
   below would have the same effect as importing a file which sets those
   options.
   <screen>
     { config, pkgs, ... }:
     let netConfig = { hostName }: {
       networking.hostName = hostName;
       networking.useDHCP = false;
    };
    in
    { imports = [ (netConfig "nixos.localdomain") ]; }
  </screen>
 </para>
 </section>
--- a/nixos/doc/manual/development/running-nixos-tests-interactively.xml
+++ b/nixos/doc/manual/development/running-nixos-tests-interactively.xml
@ -19,7 +19,7 @@ starting VDE switch for network 1
 &gt; startAll
 &gt; testScript
 &gt; $machine->succeed("touch /tmp/foo")
-&gt; print($machine->succeed("pwd"), "\n") # Show stdout of command
+&gt; print($machine->succeed("pwd")) # Show stdout of command
 </screen>
  The function <command>testScript</command> executes the entire test script
  and drops you back into the test driver command line upon its completion.
--- a/nixos/doc/manual/development/writing-nixos-tests.xml
+++ b/nixos/doc/manual/development/writing-nixos-tests.xml
@ -108,7 +108,7 @@ xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualis
 <programlisting>
 $machine->start;
 $machine->waitForUnit("default.target");
-die unless $machine->succeed("uname") =~ /Linux/;
+$machine->succeed("uname") =~ /Linux/ or die;
 </programlisting>
  The first line is actually unnecessary; machines are implicitly started when
  you first execute an action on them (such as <literal>waitForUnit</literal>
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@ -111,6 +111,16 @@
      without Syncthing resetting the permission on every start.
    </para>
   </listitem>
   <listitem>
    <para>
      The <literal>ntp</literal> module now has sane default restrictions.
      If you're relying on the previous defaults, which permitted all queries
      and commands from all firewall-permitted sources, you can set
      <varname>services.ntp.restrictDefault</varname> and
      <varname>services.ntp.restrictSource</varname> to
      <literal>[]</literal>.
    </para>
   </listitem>
   <listitem>
    <para>
     Package <varname>rabbitmq_server</varname> is renamed to
@ -233,6 +243,20 @@
     options.
   </para>
  </listitem>
  <listitem>
   <para>
     GitLab Shell previously used the nix store paths for the
     <literal>gitlab-shell</literal> command in its
     <literal>authorized_keys</literal> file, which might stop working after
     garbage collection. To circumvent that, we regenerated that file on each
     startup.  As <literal>gitlab-shell</literal> has now been changed to use
     <literal>/var/run/current-system/sw/bin/gitlab-shell</literal>, this is
     not necessary anymore, but there might be leftover lines with a nix store
     path. Regenerate the <literal>authorized_keys</literal> file via
     <command>sudo -u git -H gitlab-rake gitlab:shell:setup</command> in that
     case.
   </para>
  </listitem>
  </itemizedlist>
 </section>
--- a/nixos/lib/make-system-tarball.nix
+++ b/nixos/lib/make-system-tarball.nix
@ -1,4 +1,4 @@
-{ stdenv, perl, pixz, pathsFromGraph
+{ stdenv, closureInfo, pixz
 , # The file name of the resulting tarball
  fileName ? "nixos-system-${stdenv.hostPlatform.system}"
@ -29,24 +29,28 @@
 , extraInputs ? [ pixz ]
 }:
 let
  symlinks = map (x: x.symlink) storeContents;
  objects = map (x: x.object) storeContents;
 in
 stdenv.mkDerivation {
  name = "tarball";
  builder = ./make-system-tarball.sh;
-  buildInputs = [ perl ] ++ extraInputs;
+  buildInputs = extraInputs;
-  inherit fileName pathsFromGraph extraArgs extraCommands compressCommand;
+  inherit fileName extraArgs extraCommands compressCommand;
  # !!! should use XML.
  sources = map (x: x.source) contents;
  targets = map (x: x.target) contents;
  # !!! should use XML.
-  objects = map (x: x.object) storeContents;
+  inherit symlinks objects;
  symlinks = map (x: x.symlink) storeContents;
-  # For obtaining the closure of `storeContents'.
+  closureInfo = closureInfo {
-  exportReferencesGraph =
+    rootPaths = objects;
-    map (x: [("closure-" + baseNameOf x.object) x.object]) storeContents;
+  };
  extension = compressionExtension;
 }
--- a/nixos/lib/make-system-tarball.sh
+++ b/nixos/lib/make-system-tarball.sh
@ -3,7 +3,6 @@ source $stdenv/setup
 sources_=($sources)
 targets_=($targets)
 echo $objects
 objects=($objects)
 symlinks=($symlinks)
@ -14,8 +13,6 @@ stripSlash() {
    if test "${res:0:1}" = /; then res=${res:1}; fi
 }
 touch pathlist
 # Add the individual files.
 for ((i = 0; i < ${#targets_[@]}; i++)); do
    stripSlash "${targets_[$i]}"
@ -25,9 +22,9 @@ done
 # Add the closures of the top-level store objects.
 chmod +w .
 mkdir -p nix/store
-storePaths=$(perl $pathsFromGraph closure-*)
+for i in $(< $closureInfo/store-paths); do
 for i in $storePaths; do
    cp -a "$i" "${i:1}"
 done
@ -35,7 +32,7 @@ done
 # TODO tar ruxo
 # Also include a manifest of the closures in a format suitable for
 # nix-store --load-db.
-printRegistration=1 perl $pathsFromGraph closure-* > nix-path-registration
+cp $closureInfo/registration nix-path-registration
 # Add symlinks to the top-level store objects.
 for ((n = 0; n < ${#objects[*]}; n++)); do
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@ -1,5 +1,5 @@
 { system
-, pkgs
+, pkgs ? import ../.. { inherit system config; }
  # Use a minimal kernel?
 , minimal ? false
  # Ignored
--- a/nixos/maintainers/scripts/gce/create-gce.sh
+++ b/nixos/maintainers/scripts/gce/create-gce.sh
@ -7,9 +7,9 @@ BUCKET_NAME="${BUCKET_NAME:-nixos-cloud-images}"
 TIMESTAMP="$(date +%Y%m%d%H%M)"
 export TIMESTAMP
-nix-build '<nixpkgs/nixos>' \
+nix-build '<nixpkgs/nixos/lib/eval-config.nix>' \
   -A config.system.build.googleComputeImage \
-   --arg configuration "{ imports = [ <nixpkgs/nixos/modules/virtualisation/google-compute-image.nix> ]; }" \
+   --arg modules "[ <nixpkgs/nixos/modules/virtualisation/google-compute-image.nix> ]" \
   --argstr system x86_64-linux \
   -o gce \
   -j 10
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@ -34,6 +34,17 @@ with lib;
        '';
      };
      extraLocaleSettings = mkOption {
        type = types.attrsOf types.str;
        default = {};
        example = { LC_MESSAGES = "en_US.UTF-8"; LC_TIME = "de_DE.UTF-8"; };
        description = ''
          A set of additional system-wide locale settings other than
          <literal>LANG</literal> which can be configured with
          <option>i18n.defaultLocale</option>.
        '';
      };
      supportedLocales = mkOption {
        type = types.listOf types.str;
        default = ["all"];
@ -129,7 +140,7 @@ with lib;
    environment.sessionVariables =
      { LANG = config.i18n.defaultLocale;
        LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
-      };
+      } // config.i18n.extraLocaleSettings;
    systemd.globalEnvironment = mkIf (config.i18n.supportedLocales != []) {
      LOCALE_ARCHIVE = "${config.i18n.glibcLocales}/lib/locale/locale-archive";
@ -141,6 +152,7 @@ with lib;
        source = pkgs.writeText "locale.conf"
          ''
            LANG=${config.i18n.defaultLocale}
            ${concatStringsSep "\n" (mapAttrsToList (n: v: ''${n}=${v}'') config.i18n.extraLocaleSettings)}
          '';
      };
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@ -35,7 +35,7 @@ with lib;
      networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
      networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
      pinentry = super.pinentry_ncurses;
-      gobjectIntrospection = super.gobjectIntrospection.override { x11Support = false; };
+      gobject-introspection = super.gobject-introspection.override { x11Support = false; };
    }));
  };
 }
--- a/nixos/modules/hardware/raid/hpsa.nix
+++ b/nixos/modules/hardware/raid/hpsa.nix
@ -8,7 +8,7 @@ let
    version = "2.40-13.0";
    src = pkgs.fetchurl {
-      url = "http://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${name}_amd64.deb";
+      url = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${name}_amd64.deb";
      sha256 = "11w7fwk93lmfw0yya4jpjwdmgjimqxx6412sqa166g1pz4jil4sw";
    };
@ -34,7 +34,7 @@ let
    meta = with lib; {
      description = "HP Smart Array CLI";
-      homepage = http://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/;
+      homepage = https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/;
      license = licenses.unfreeRedistributable;
      platforms = [ "x86_64-linux" ];
      maintainers = with maintainers; [ volth ];
--- a/nixos/modules/installer/cd-dvd/sd-image.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image.nix
@ -134,7 +134,9 @@ in
        ${config.sdImage.populateBootCommands}
        # Copy the populated /boot into the SD image
-        (cd boot; mcopy -bpsvm -i ../bootpart.img ./* ::)
+        (cd boot; mcopy -psvm -i ../bootpart.img ./* ::)
        # Verify the FAT partition before copying it.
        fsck.vfat -vn bootpart.img
        dd conv=notrunc if=bootpart.img of=$img seek=$START count=$SECTORS
      '';
    }) {};
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -175,7 +175,7 @@
      dnsmasq = 141;
      uhub = 142;
      yandexdisk = 143;
-      #collectd = 144; #unused
+      mxisd = 144; # was once collectd
      consul = 145;
      mailpile = 146;
      redmine = 147;
@ -484,7 +484,7 @@
      #dnsmasq = 141; # unused
      uhub = 142;
      #yandexdisk = 143; # unused
-      #collectd = 144; # unused
+      mxisd = 144; # was once collectd
      #consul = 145; # unused
      mailpile = 146;
      redmine = 147;
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -246,6 +246,7 @@
  ./services/desktops/gnome3/gnome-documents.nix
  ./services/desktops/gnome3/gnome-keyring.nix
  ./services/desktops/gnome3/gnome-online-accounts.nix
  ./services/desktops/gnome3/gnome-remote-desktop.nix
  ./services/desktops/gnome3/gnome-online-miners.nix
  ./services/desktops/gnome3/gnome-terminal-server.nix
  ./services/desktops/gnome3/gnome-user-share.nix
@ -332,6 +333,7 @@
  ./services/mail/rspamd.nix
  ./services/mail/rss2email.nix
  ./services/mail/rmilter.nix
  ./services/mail/roundcube.nix
  ./services/mail/nullmailer.nix
  ./services/misc/airsonic.nix
  ./services/misc/apache-kafka.nix
@ -560,6 +562,7 @@
  ./services/networking/miredo.nix
  ./services/networking/mstpd.nix
  ./services/networking/murmur.nix
  ./services/networking/mxisd.nix
  ./services/networking/namecoind.nix
  ./services/networking/nat.nix
  ./services/networking/ndppd.nix
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@ -49,7 +49,7 @@
  ];
  # Include support for various filesystems.
-  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "ntfs" "cifs" ];
+  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "zfs" "ntfs" "cifs" ];
  # Configure host id for ZFS to work
  networking.hostId = lib.mkDefault "8425e349";
--- a/nixos/modules/profiles/docker-container.nix
+++ b/nixos/modules/profiles/docker-container.nix
@ -15,15 +15,19 @@ in {
  # Create the tarball
  system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
-    contents = [];
+    contents = [
      {
        source = "${config.system.build.toplevel}/.";
        target = "./";
      }
    ];
    extraArgs = "--owner=0";
    # Add init script to image
-    storeContents = [
+    storeContents = pkgs2storeContents [
-      { object = config.system.build.toplevel + "/init";
+      config.system.build.toplevel
-        symlink = "/init";
+      pkgs.stdenv
-      }
+    ];
    ] ++ (pkgs2storeContents [ pkgs.stdenv ]);
    # Some container managers like lxc need these
    extraCommands = "mkdir -p proc sys dev";
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -12,6 +12,8 @@ with lib;
  boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
  nix.allowedUsers = mkDefault [ "@users" ];
  security.hideProcessInformation = mkDefault true;
  security.lockKernelModules = mkDefault true;
--- a/nixos/modules/programs/sway-beta.nix
+++ b/nixos/modules/programs/sway-beta.nix
@ -8,7 +8,7 @@ let
  swayWrapped = pkgs.writeShellScriptBin "sway" ''
    ${cfg.extraSessionCommands}
-    exec ${pkgs.dbus.dbus-launch} --exit-with-session ${swayPackage}/bin/sway
+    exec ${pkgs.dbus.dbus-launch} --exit-with-session ${swayPackage}/bin/sway "$@"
  '';
  swayJoined = pkgs.symlinkJoin {
    name = "sway-joined";
--- a/nixos/modules/services/backup/borgbackup.nix
+++ b/nixos/modules/services/backup/borgbackup.nix
@ -191,7 +191,7 @@ in {
        options = {
          paths = mkOption {
-            type = with types; either path (nonEmptyListOf path);
+            type = with types; either path (listOf str);
            description = "Path(s) to back up.";
            example = "/home/user";
            apply = x: if isList x then x else [ x ];
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@ -784,7 +784,7 @@ in {
    clusterCidr = mkOption {
      description = "Kubernetes controller manager and proxy CIDR Range for Pods in cluster.";
      default = "10.1.0.0/16";
-      type = types.str;
+      type = types.nullOr types.str;
    };
    flannel.enable = mkOption {
@ -1018,9 +1018,9 @@ in {
            ${if (cfg.controllerManager.rootCaFile!=null)
              then "--root-ca-file=${cfg.controllerManager.rootCaFile}"
              else "--root-ca-file=/var/run/kubernetes/apiserver.crt"} \
-            ${optionalString (cfg.clusterCidr!=null)
+            ${if (cfg.clusterCidr!=null)
-              "--cluster-cidr=${cfg.clusterCidr}"} \
+              then "--cluster-cidr=${cfg.clusterCidr} --allocate-node-cidrs=true"
-            --allocate-node-cidrs=true \
+              else "--allocate-node-cidrs=false"} \
            ${optionalString (cfg.controllerManager.featureGates != [])
              "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.controllerManager.featureGates}"} \
            ${optionalString cfg.verbose "--v=6"} \
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -238,6 +238,9 @@ in
            User = "postgres";
            Group = "postgres";
            PermissionsStartOnly = true;
            Type = if lib.versionAtLeast cfg.package.version "9.6"
                   then "notify"
                   else "simple";
            # Shut down Postgres using SIGINT ("Fast Shutdown mode").  See
            # http://www.postgresql.org/docs/current/static/server-shutdown.html
--- a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
@ -0,0 +1,18 @@
 # Remote desktop daemon using Pipewire.
 { config, lib, pkgs, ... }:
 with lib;
 {
  ###### interface
  options = {
    services.gnome3.gnome-remote-desktop = {
      enable = mkEnableOption "Remote Desktop support using Pipewire";
    };
  };
  ###### implementation
  config = mkIf config.services.gnome3.gnome-remote-desktop.enable {
    systemd.packages = [ pkgs.gnome3.gnome-remote-desktop ];
  };
 }
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@ -0,0 +1,153 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.roundcube;
 in
 {
  options.services.roundcube = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable roundcube.
        Also enables nginx virtual host management.
        Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
        See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
      '';
    };
    hostName = mkOption {
      type = types.str;
      example = "webmail.example.com";
      description = "Hostname to use for the nginx vhost";
    };
    database = {
      username = mkOption {
        type = types.str;
        default = "roundcube";
        description = "Username for the postgresql connection";
      };
      host = mkOption {
        type = types.str;
        default = "localhost";
        description = ''
          Host of the postgresql server. If this is not set to
          <literal>localhost</literal>, you have to create the
          postgresql user and database yourself, with appropriate
          permissions.
        '';
      };
      password = mkOption {
        type = types.str;
        description = "Password for the postgresql connection";
      };
      dbname = mkOption {
        type = types.str;
        default = "roundcube";
        description = "Name of the postgresql database";
      };
    };
    plugins = mkOption {
      type = types.listOf types.str;
      default = [];
      description = ''
        List of roundcube plugins to enable. Currently, only those directly shipped with Roundcube are supported.
      '';
    };
    extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = "Extra configuration for roundcube webmail instance";
    };
  };
  config = mkIf cfg.enable {
    environment.etc."roundcube/config.inc.php".text = ''
      <?php
      $config = array();
      $config['db_dsnw'] = 'pgsql://${cfg.database.username}:${cfg.database.password}@${cfg.database.host}/${cfg.database.dbname}';
      $config['log_driver'] = 'syslog';
      $config['max_message_size'] = '25M';
      $config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}];
      ${cfg.extraConfig}
    '';
    services.nginx = {
      enable = true;
      virtualHosts = {
        ${cfg.hostName} = {
          forceSSL = mkDefault true;
          enableACME = mkDefault true;
          locations."/" = {
            root = pkgs.roundcube;
            index = "index.php";
            extraConfig = ''
              location ~* \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/run/phpfpm/roundcube;
                include ${pkgs.nginx}/conf/fastcgi_params;
                include ${pkgs.nginx}/conf/fastcgi.conf;
              }
            '';
          };
        };
      };
    };
    services.postgresql = mkIf (cfg.database.host == "localhost") {
      enable = true;
    };
    services.phpfpm.poolConfigs.roundcube = ''
      listen = /run/phpfpm/roundcube
      listen.owner = nginx
      listen.group = nginx
      listen.mode = 0660
      user = nginx
      pm = dynamic
      pm.max_children = 75
      pm.start_servers = 2
      pm.min_spare_servers = 1
      pm.max_spare_servers = 20
      pm.max_requests = 500
      php_admin_value[error_log] = 'stderr'
      php_admin_flag[log_errors] = on
      php_admin_value[post_max_size] = 25M
      php_admin_value[upload_max_filesize] = 25M
      catch_workers_output = yes
    '';
    systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
    systemd.services.roundcube-setup = let
      pgSuperUser = config.services.postgresql.superUser;
    in {
      requires = [ "postgresql.service" ];
      after = [ "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ config.services.postgresql.package ];
      script = ''
        mkdir -p /var/lib/roundcube
        if [ ! -f /var/lib/roundcube/db-created ]; then
          if [ "${cfg.database.host}" = "localhost" ]; then
            ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create role ${cfg.database.username} with login password '${cfg.database.password}'";
            ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create database ${cfg.database.dbname} with owner ${cfg.database.username}";
          fi
          PGPASSWORD=${cfg.database.password} ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \
            -f ${pkgs.roundcube}/SQL/postgres.initial.sql \
            -h ${cfg.database.host} ${cfg.database.dbname}
          touch /var/lib/roundcube/db-created
        fi
        ${pkgs.php}/bin/php ${pkgs.roundcube}/bin/update.sh
      '';
      serviceConfig.Type = "oneshot";
    };
  };
 }
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@ -45,7 +45,9 @@ let
      else "${config.socket}${maybeOption "mode"}${maybeOption "owner"}${maybeOption "group"}";
  };
-  workerOpts = { name, ... }: {
+  traceWarning = w: x: builtins.trace "[1;31mwarning: ${w}[0m" x;
  workerOpts = { name, options, ... }: {
    options = {
      enable = mkOption {
        type = types.nullOr types.bool;
@ -59,9 +61,18 @@ let
      };
      type = mkOption {
        type = types.nullOr (types.enum [
-          "normal" "controller" "fuzzy_storage" "rspamd_proxy" "lua"
+          "normal" "controller" "fuzzy_storage" "rspamd_proxy" "lua" "proxy"
        ]);
-        description = "The type of this worker";
+        description = ''
          The type of this worker. The type <literal>proxy</literal> is
          deprecated and only kept for backwards compatibility and should be
          replaced with <literal>rspamd_proxy</literal>.
        '';
        apply = let
            from = "services.rspamd.workers.\”${name}\".type";
            files = options.type.files;
            warning = "The option `${from}` defined in ${showFiles files} has enum value `proxy` which has been renamed to `rspamd_proxy`";
          in x: if x == "proxy" then traceWarning warning "rspamd_proxy" else x;
      };
      bindSockets = mkOption {
        type = types.listOf (types.either types.str (types.submodule bindSocketOpts));
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -609,10 +609,6 @@ in {
          touch "${cfg.statePath}/db-seeded"
        fi
        # The gitlab:shell:setup regenerates the authorized_keys file so that
        # the store path to the gitlab-shell in it gets updated
        ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H force=yes ${gitlab-rake}/bin/gitlab-rake gitlab:shell:setup
        # The gitlab:shell:create_hooks task seems broken for fixing links
        # so we instead delete all the hooks and create them anew
        rm -f ${cfg.statePath}/repositories/**/*.git/hooks
--- a/nixos/modules/services/monitoring/apcupsd.nix
+++ b/nixos/modules/services/monitoring/apcupsd.nix
@ -180,7 +180,7 @@ in
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.apcupsd}/bin/apcupsd --killpower -f ${configFile}";
-        TimeoutSec = 0;
+        TimeoutSec = "infinity";
        StandardOutput = "tty";
        RemainAfterExit = "yes";
      };
--- a/nixos/modules/services/monitoring/osquery.nix
+++ b/nixos/modules/services/monitoring/osquery.nix
@ -78,7 +78,7 @@ in
        mkdir -p "$(dirname ${escapeShellArg cfg.databasePath})"
      '';
      serviceConfig = {
-        TimeoutStartSec = 0;
+        TimeoutStartSec = "infinity";
        ExecStart = "${pkgs.osquery}/bin/osqueryd --logger_path ${escapeShellArg cfg.loggerPath} --pidfile ${escapeShellArg cfg.pidfile} --database_path ${escapeShellArg cfg.databasePath}";
        KillMode = "process";
        KillSignal = "SIGTERM";
--- a/nixos/modules/services/monitoring/systemhealth.nix
+++ b/nixos/modules/services/monitoring/systemhealth.nix
@ -8,7 +8,7 @@ let
  systemhealth = with pkgs; stdenv.mkDerivation {
    name = "systemhealth-1.0";
    src = fetchurl {
-      url = "http://www.brianlane.com/static/downloads/systemhealth/systemhealth-1.0.tar.bz2";
+      url = "https://www.brianlane.com/downloads/systemhealth/systemhealth-1.0.tar.bz2";
      sha256 = "1q69lz7hmpbdpbz36zb06nzfkj651413n9icx0njmyr3xzq1j9qy";
    };
    buildInputs = [ python ];
--- a/nixos/modules/services/networking/consul.nix
+++ b/nixos/modules/services/networking/consul.nix
@ -185,7 +185,7 @@ in
          PermissionsStartOnly = true;
          User = if cfg.dropPrivileges then "consul" else null;
          Restart = "on-failure";
-          TimeoutStartSec = "0";
+          TimeoutStartSec = "infinity";
        } // (optionalAttrs (cfg.leaveOnStop) {
          ExecStop = "${cfg.package.bin}/bin/consul leave";
        });
--- a/nixos/modules/services/networking/flashpolicyd.nix
+++ b/nixos/modules/services/networking/flashpolicyd.nix
@ -11,7 +11,7 @@ let
    src = pkgs.fetchurl {
      name = "flashpolicyd_v0.6.zip";
-      url = "http://www.adobe.com/content/dotcom/en/devnet/flashplayer/articles/socket_policy_files/_jcr_content/articlePrerequistes/multiplefiles/node_1277808777771/file.res/flashpolicyd_v0.6%5B1%5D.zip";
+      url = "https://download.adobe.com/pub/adobe/devnet/flashplayer/articles/socket_policy_files/flashpolicyd_v0.6.zip";
      sha256 = "16zk237233npwfq1m4ksy4g5lzy1z9fp95w7pz0cdlpmv0fv9sm3";
    };
--- a/nixos/modules/services/networking/mxisd.nix
+++ b/nixos/modules/services/networking/mxisd.nix
@ -0,0 +1,125 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.mxisd;
  server = optionalAttrs (cfg.server.name != null) { inherit (cfg.server) name; }
        // optionalAttrs (cfg.server.port != null) { inherit (cfg.server) port; };
  baseConfig = {
    matrix.domain = cfg.matrix.domain;
    key.path = "${cfg.dataDir}/signing.key";
    storage = {
      provider.sqlite.database = "${cfg.dataDir}/mxisd.db";
    };
  } // optionalAttrs (server != {}) { inherit server; };
  # merges baseConfig and extraConfig into a single file
  fullConfig = recursiveUpdate baseConfig cfg.extraConfig;
  configFile = pkgs.writeText "mxisd-config.yaml" (builtins.toJSON fullConfig);
 in {
  options = {
    services.mxisd = {
      enable = mkEnableOption "mxisd matrix federated identity server";
      package = mkOption {
        type = types.package;
        default = pkgs.mxisd;
        defaultText = "pkgs.mxisd";
        description = "The mxisd package to use";
      };
      dataDir = mkOption {
        type = types.str;
        default = "/var/lib/mxisd";
        description = "Where data mxisd uses resides";
      };
      extraConfig = mkOption {
        type = types.attrs;
        default = {};
        description = "Extra options merged into the mxisd configuration";
      };
      matrix = {
        domain = mkOption {
          type = types.str;
          description = ''
            the domain of the matrix homeserver
          '';
        };
      };
      server = {
        name = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            Public hostname of mxisd, if different from the Matrix domain.
          '';
        };
        port = mkOption {
          type = types.nullOr types.int;
          default = null;
          description = ''
            HTTP port to listen on (unencrypted)
          '';
        };
      };
    };
  };
  config = mkIf cfg.enable {
    users.users = [
      {
        name = "mxisd";
        group = "mxisd";
        home = cfg.dataDir;
        createHome = true;
        shell = "${pkgs.bash}/bin/bash";
        uid = config.ids.uids.mxisd;
      }
    ];
    users.groups = [
      {
        name = "mxisd";
        gid = config.ids.gids.mxisd;
      }
    ];
    systemd.services.mxisd = {
      description = "a federated identity server for the matrix ecosystem";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      # mxisd / spring.boot needs the configuration to be named "application.yaml"
      preStart = ''
        config=${cfg.dataDir}/application.yaml
        cp ${configFile} $config
        chmod 444 $config
      '';
      serviceConfig = {
        Type = "simple";
        User = "mxisd";
        Group = "mxisd";
        ExecStart = "${cfg.package}/bin/mxisd --spring.config.location=${cfg.dataDir}/ --spring.profiles.active=systemd --java.security.egd=file:/dev/./urandom";
        WorkingDirectory = cfg.dataDir;
        PermissionsStartOnly = true;
        SuccessExitStatus = 143;
        Restart = "on-failure";
      };
    };
  };
 }
--- a/nixos/modules/services/networking/ntpd.nix
+++ b/nixos/modules/services/networking/ntpd.nix
@ -15,6 +15,10 @@ let
  configFile = pkgs.writeText "ntp.conf" ''
    driftfile ${stateDir}/ntp.drift
    restrict default ${toString cfg.restrictDefault}
    restrict -6 default ${toString cfg.restrictDefault}
    restrict source ${toString cfg.restrictSource}
    restrict 127.0.0.1
    restrict -6 ::1
@ -36,11 +40,40 @@ in
      enable = mkOption {
        default = false;
        description = ''
-          Whether to synchronise your machine's time using the NTP
+          Whether to synchronise your machine's time using ntpd, as a peer in
-          protocol.
+          the NTP network.
          </para>
          <para>
          Disables <literal>systemd.timesyncd</literal> if enabled.
        '';
      };
      restrictDefault = mkOption {
        type = types.listOf types.str;
        description = ''
          The restriction flags to be set by default.
          </para>
          <para>
          The default flags prevent external hosts from using ntpd as a DDoS
          reflector, setting system time, and querying OS/ntpd version. As
          recommended in section 6.5.1.1.3, answer "No" of
          http://support.ntp.org/bin/view/Support/AccessRestrictions
        '';
        default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ];
      };
      restrictSource = mkOption {
        type = types.listOf types.str;
        description = ''
          The restriction flags to be set on source.
          </para>
          <para>
          The default flags allow peers to be added by ntpd from configured
          pool(s), but not by other means.
        '';
        default = [ "limited" "kod" "nomodify" "notrap" "noquery" ];
      };
      servers = mkOption {
        default = config.networking.timeServers;
        description = ''
@ -51,6 +84,7 @@ in
      extraFlags = mkOption {
        type = types.listOf types.str;
        description = "Extra flags passed to the ntpd command.";
        example = literalExample ''[ "--interface=eth0" ]'';
        default = [];
      };
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@ -92,6 +92,7 @@ let
  # Hidden services
  + concatStrings (flip mapAttrsToList cfg.hiddenServices (n: v: ''
    HiddenServiceDir ${torDirectory}/onion/${v.name}
    ${optionalString (v.version != null) "HiddenServiceVersion ${toString v.version}"}
    ${flip concatMapStrings v.map (p: ''
      HiddenServicePort ${toString p.port} ${p.destination}
    '')}
@ -667,6 +668,12 @@ in
                 };
               }));
             };
             version = mkOption {
               default = null;
               description = "Rendezvous service descriptor version to publish for the hidden service. Currently, versions 2 and 3 are supported. (Default: 2)";
               type = types.nullOr (types.enum [ 2 3 ]);
             };
          };
          config = {
--- a/nixos/modules/services/system/cloud-init.nix
+++ b/nixos/modules/services/system/cloud-init.nix
@ -119,7 +119,7 @@ in
          { Type = "oneshot";
            ExecStart = "${pkgs.cloud-init}/bin/cloud-init init --local";
            RemainAfterExit = "yes";
-            TimeoutSec = "0";
+            TimeoutSec = "infinity";
            StandardOutput = "journal+console";
          };
      };
@ -137,7 +137,7 @@ in
          { Type = "oneshot";
            ExecStart = "${pkgs.cloud-init}/bin/cloud-init init";
            RemainAfterExit = "yes";
-            TimeoutSec = "0";
+            TimeoutSec = "infinity";
            StandardOutput = "journal+console";
          };
      };
@ -153,7 +153,7 @@ in
          { Type = "oneshot";
            ExecStart = "${pkgs.cloud-init}/bin/cloud-init modules --mode=config";
            RemainAfterExit = "yes";
-            TimeoutSec = "0";
+            TimeoutSec = "infinity";
            StandardOutput = "journal+console";
          };
      };
@ -169,7 +169,7 @@ in
          { Type = "oneshot";
            ExecStart = "${pkgs.cloud-init}/bin/cloud-init modules --mode=final";
            RemainAfterExit = "yes";
-            TimeoutSec = "0";
+            TimeoutSec = "infinity";
            StandardOutput = "journal+console";
          };
      };
--- a/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
@ -86,7 +86,7 @@ let
    name= "mediawiki-1.29.1";
    src = pkgs.fetchurl {
-      url = "http://download.wikimedia.org/mediawiki/1.29/${name}.tar.gz";
+      url = "https://releases.wikimedia.org/mediawiki/1.29/${name}.tar.gz";
      sha256 = "03mpazbxvb011s2nmlw5p6dc43yjgl5yrsilmj1imyykm57bwb3m";
    };
@ -311,7 +311,7 @@ in
      description = ''
        Any additional text to be appended to MediaWiki's
        configuration file.  This is a PHP script.  For configuration
-        settings, see <link xlink:href='http://www.mediawiki.org/wiki/Manual:Configuration_settings'/>.
+        settings, see <link xlink:href='https://www.mediawiki.org/wiki/Manual:Configuration_settings'/>.
      '';
    };
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@ -107,6 +107,7 @@ in {
    services.gnome3.gnome-documents.enable = mkDefault true;
    services.gnome3.gnome-keyring.enable = true;
    services.gnome3.gnome-online-accounts.enable = mkDefault true;
    services.gnome3.gnome-remote-desktop.enable = mkDefault true;
    services.gnome3.gnome-terminal-server.enable = mkDefault true;
    services.gnome3.gnome-user-share.enable = mkDefault true;
    services.gnome3.gvfs.enable = true;
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@ -116,7 +116,7 @@ in
        environment = {
          GDM_X_SERVER_EXTRA_ARGS = toString
            (filter (arg: arg != "-terminate") cfg.xserverArgs);
-          GDM_SESSIONS_DIR = "${cfg.session.desktops}/share/xsessions";
+          XDG_DATA_DIRS = "${cfg.session.desktops}/share/";
          # Find the mouse
          XCURSOR_PATH = "~/.icons:${pkgs.gnome3.adwaita-icon-theme}/share/icons";
        } // optionalAttrs (xSessionWrapper != null) {
--- a/nixos/modules/services/x11/urxvtd.nix
+++ b/nixos/modules/services/x11/urxvtd.nix
@ -18,18 +18,10 @@ in {
  };
  config = mkIf cfg.enable {
-    systemd.user = {
+    systemd.user.services.urxvtd = {
-      sockets.urxvtd = {
+      description = "urxvt terminal daemon";
        description = "socket for urxvtd, the urxvt terminal daemon";
      wantedBy = [ "graphical-session.target" ];
      partOf = [ "graphical-session.target" ];
        socketConfig = {
          ListenStream = "%t/urxvtd-socket";
        };
      };
      services.urxvtd = {
        description = "urxvt terminal daemon";
      path = [ pkgs.xsel ];
      serviceConfig = {
        ExecStart = "${pkgs.rxvt_unicode-with-plugins}/bin/urxvtd -o";
@ -39,8 +31,6 @@ in {
      };
    };
    };
    environment.systemPackages = [ pkgs.rxvt_unicode-with-plugins ];
    environment.variables.RXVT_SOCKET = "/run/user/$(id -u)/urxvtd-socket";
  };
--- a/nixos/modules/system/boot/systemd-nspawn.nix
+++ b/nixos/modules/system/boot/systemd-nspawn.nix
@ -112,7 +112,7 @@ in {
      environment.etc."systemd/nspawn".source = generateUnits "nspawn" units [] [];
-      systemd.targets."multi-user".wants = [ "machines.target "];
+      systemd.targets."multi-user".wants = [ "machines.target" ];
  };
 }
--- a/nixos/modules/virtualisation/container-config.nix
+++ b/nixos/modules/virtualisation/container-config.nix
@ -22,12 +22,8 @@ with lib;
    # Not supported in systemd-nspawn containers.
    security.audit.enable = false;
-    # Make sure that root user in container will talk to host nix-daemon
+    # Use the host's nix-daemon.
-    environment.etc."profile".text = ''
+    environment.variables.NIX_REMOTE = "daemon";
    export NIX_REMOTE=daemon
    '';
  };
--- a/nixos/modules/virtualisation/docker-image.nix
+++ b/nixos/modules/virtualisation/docker-image.nix
@ -17,3 +17,41 @@
  # Socket activated ssh presents problem in Docker.
  services.openssh.startWhenNeeded = false;
 }
 # Example usage:
 #
 ## default.nix
 # let
 #   nixos = import <nixpkgs/nixos> {
 #     configuration = ./configuration.nix;
 #     system = "x86_64-linux";
 #   };
 # in
 # nixos.config.system.build.tarball
 #
 ## configuration.nix
 # { pkgs, config, lib, ... }:
 # {
 #   imports = [
 #     <nixpkgs/nixos/modules/virtualisation/docker-image.nix>
 #     <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
 #   ];
 #
 #   documentation.doc.enable = false;
 #
 #   environment.systemPackages = with pkgs; [
 #     bashInteractive
 #     cacert
 #     nix
 #   ];
 # }
 #
 ## Run
 # Build the tarball:
 # $ nix-build default.nix
 # Load into docker:
 # $ docker import result/tarball/nixos-system-*.tar.xz nixos-docker
 # Boots into systemd
 # $ docker run --privileged -it nixos-docker /init
 # Log into the container
 # $ docker exec -it <container-name> /run/current-system/sw/bin/bash
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@ -1,5 +1,261 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
-
+with lib;
 let
  gce = pkgs.google-compute-engine;
  cfg = config.virtualisation.googleComputeImage;
 in
 {
-  imports = [ <nixpkgs/nixos/modules/virtualisation/google-compute-image.nix> ];
+  imports = [
    ../profiles/headless.nix
    ../profiles/qemu-guest.nix
  ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    autoResize = true;
  };
  boot.growPartition = true;
  boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
  boot.initrd.kernelModules = [ "virtio_scsi" ];
  boot.kernelModules = [ "virtio_pci" "virtio_net" ];
  # Generate a GRUB menu.  Amazon's pv-grub uses this to boot our kernel/initrd.
  boot.loader.grub.device = "/dev/sda";
  boot.loader.timeout = 0;
  # Don't put old configurations in the GRUB menu.  The user has no
  # way to select them anyway.
  boot.loader.grub.configurationLimit = 0;
  # Allow root logins only using the SSH key that the user specified
  # at instance creation time.
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "prohibit-password";
  services.openssh.passwordAuthentication = mkDefault false;
  # Use GCE udev rules for dynamic disk volumes
  services.udev.packages = [ gce ];
  # Force getting the hostname from Google Compute.
  networking.hostName = mkDefault "";
  # Always include cryptsetup so that NixOps can use it.
  environment.systemPackages = [ pkgs.cryptsetup ];
  # Make sure GCE image does not replace host key that NixOps sets
  environment.etc."default/instance_configs.cfg".text = lib.mkDefault ''
    [InstanceSetup]
    set_host_keys = false
  '';
  # Rely on GCP's firewall instead
  networking.firewall.enable = mkDefault false;
  # Configure default metadata hostnames
  networking.extraHosts = ''
    169.254.169.254 metadata.google.internal metadata
  '';
  networking.timeServers = [ "metadata.google.internal" ];
  networking.usePredictableInterfaceNames = false;
  # GC has 1460 MTU
  networking.interfaces.eth0.mtu = 1460;
  # allow the google-accounts-daemon to manage users
  users.mutableUsers = true;
  # and allow users to sudo without password
  security.sudo.enable = true;
  security.sudo.extraConfig = ''
  %google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL
  '';
  # NOTE: google-accounts tries to write to /etc/sudoers.d but the folder doesn't exist
  # FIXME: not such file or directory on dynamic SSH provisioning
  systemd.services.google-accounts-daemon = {
    description = "Google Compute Engine Accounts Daemon";
    # This daemon creates dynamic users
    enable = config.users.mutableUsers;
    after = [
      "network.target"
      "google-instance-setup.service"
      "google-network-setup.service"
    ];
    requires = ["network.target"];
    wantedBy = ["multi-user.target"];
    path = with pkgs; [ shadow ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${gce}/bin/google_accounts_daemon --debug";
    };
  };
  systemd.services.google-clock-skew-daemon = {
    description = "Google Compute Engine Clock Skew Daemon";
    after = [
      "network.target"
      "google-instance-setup.service"
      "google-network-setup.service"
    ];
    requires = ["network.target"];
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${gce}/bin/google_clock_skew_daemon --debug";
    };
  };
  systemd.services.google-instance-setup = {
    description = "Google Compute Engine Instance Setup";
    after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service"];
    before = ["sshd.service"];
    wants = ["local-fs.target" "network-online.target" "network.target"];
    wantedBy = [ "sshd.service" "multi-user.target" ];
    path = with pkgs; [ ethtool openssh ];
    serviceConfig = {
      ExecStart = "${gce}/bin/google_instance_setup --debug";
      Type = "oneshot";
    };
  };
  systemd.services.google-network-daemon = {
    description = "Google Compute Engine Network Daemon";
    after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service"];
    wants = ["local-fs.target" "network-online.target" "network.target"];
    requires = ["network.target"];
    partOf = ["network.target"];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ iproute ];
    serviceConfig = {
      ExecStart = "${gce}/bin/google_network_daemon --debug";
    };
  };
  systemd.services.google-shutdown-scripts = {
    description = "Google Compute Engine Shutdown Scripts";
    after = [
      "local-fs.target"
      "network-online.target"
      "network.target"
      "rsyslog.service"
      "systemd-resolved.service"
      "google-instance-setup.service"
      "google-network-daemon.service"
    ];
    wants = [ "local-fs.target" "network-online.target" "network.target"];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.coreutils}/bin/true";
      ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown";
      Type = "oneshot";
      RemainAfterExit = true;
      TimeoutStopSec = "infinity";
    };
  };
  systemd.services.google-startup-scripts = {
    description = "Google Compute Engine Startup Scripts";
    after = [
      "local-fs.target"
      "network-online.target"
      "network.target"
      "rsyslog.service"
      "google-instance-setup.service"
      "google-network-daemon.service"
    ];
    wants = ["local-fs.target" "network-online.target" "network.target"];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup";
      KillMode = "process";
      Type = "oneshot";
    };
  };
  # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
  boot.kernel.sysctl = {
    # Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
    # of TCP functionality/features under normal conditions.  When flood
    # protections kick in under high unanswered-SYN load, the system
    # should remain more stable, with a trade off of some loss of TCP
    # functionality/features (e.g. TCP Window scaling).
    "net.ipv4.tcp_syncookies" = mkDefault "1";
    # ignores source-routed packets
    "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
    # ignores source-routed packets
    "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
    # ignores ICMP redirects
    "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
    # ignores ICMP redirects
    "net.ipv4.conf.default.accept_redirects" = mkDefault "0";
    # ignores ICMP redirects from non-GW hosts
    "net.ipv4.conf.all.secure_redirects" = mkDefault "1";
    # ignores ICMP redirects from non-GW hosts
    "net.ipv4.conf.default.secure_redirects" = mkDefault "1";
    # don't allow traffic between networks or act as a router
    "net.ipv4.ip_forward" = mkDefault "0";
    # don't allow traffic between networks or act as a router
    "net.ipv4.conf.all.send_redirects" = mkDefault "0";
    # don't allow traffic between networks or act as a router
    "net.ipv4.conf.default.send_redirects" = mkDefault "0";
    # reverse path filtering - IP spoofing protection
    "net.ipv4.conf.all.rp_filter" = mkDefault "1";
    # reverse path filtering - IP spoofing protection
    "net.ipv4.conf.default.rp_filter" = mkDefault "1";
    # ignores ICMP broadcasts to avoid participating in Smurf attacks
    "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
    # ignores bad ICMP errors
    "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
    # logs spoofed, source-routed, and redirect packets
    "net.ipv4.conf.all.log_martians" = mkDefault "1";
    # log spoofed, source-routed, and redirect packets
    "net.ipv4.conf.default.log_martians" = mkDefault "1";
    # implements RFC 1337 fix
    "net.ipv4.tcp_rfc1337" = mkDefault "1";
    # randomizes addresses of mmap base, heap, stack and VDSO page
    "kernel.randomize_va_space" = mkDefault "2";
    # Reboot the machine soon after a kernel panic.
    "kernel.panic" = mkDefault "10";
    ## Not part of the original config
    # provides protection from ToCToU races
    "fs.protected_hardlinks" = mkDefault "1";
    # provides protection from ToCToU races
    "fs.protected_symlinks" = mkDefault "1";
    # makes locating kernel addresses more difficult
    "kernel.kptr_restrict" = mkDefault "1";
    # set ptrace protections
    "kernel.yama.ptrace_scope" = mkOverride 500 "1";
    # set perf only available to root
    "kernel.perf_event_paranoid" = mkDefault "2";
  };
 }
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@ -2,334 +2,60 @@
 with lib;
 let
-  diskSize = 1536; # MB
+  cfg = config.virtualisation.googleComputeImage;
-  gce = pkgs.google-compute-engine;
+  defaultConfigFile = pkgs.writeText "configuration.nix" ''
    { ... }:
    {
      imports = [
        <nixpkgs/nixos/modules/virtualisation/google-compute-image.nix>
      ];
    }
  '';
 in
 {
-  imports = [ ../profiles/headless.nix ../profiles/qemu-guest.nix ];
+
  imports = [ ./google-compute-config.nix ];
  options = {
    virtualisation.googleComputeImage.diskSize = mkOption {
      type = with types; int;
      default = 1536;
      description = ''
        Size of disk image. Unit is MB.
      '';
    };
    virtualisation.googleComputeImage.configFile = mkOption {
      type = with types; nullOr str;
      default = null;
      description = ''
        A path to a configuration file which will be placed at `/etc/nixos/configuration.nix`
        and be used when switching to a new configuration.
        If set to `null`, a default configuration is used, where the only import is
        `<nixpkgs/nixos/modules/virtualisation/google-compute-image.nix>`.
      '';
    };
  };
  #### implementation
  config = {
    system.build.googleComputeImage = import ../../lib/make-disk-image.nix {
      name = "google-compute-image";
      postVM = ''
-      PATH=$PATH:${pkgs.stdenv.lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]}
+        PATH=$PATH:${with pkgs; stdenv.lib.makeBinPath [ gnutar gzip ]}
        pushd $out
        mv $diskImage disk.raw
        tar -Szcf nixos-image-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.raw.tar.gz disk.raw
        rm $out/disk.raw
        popd
      '';
    configFile = <nixpkgs/nixos/modules/virtualisation/google-compute-config.nix>;
      format = "raw";
-    inherit diskSize;
+      configFile = if isNull cfg.configFile then defaultConfigFile else cfg.configFile;
      inherit (cfg) diskSize;
      inherit config lib pkgs;
    };
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    autoResize = true;
  };
  boot.growPartition = true;
  boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
  boot.initrd.kernelModules = [ "virtio_scsi" ];
  boot.kernelModules = [ "virtio_pci" "virtio_net" ];
  # Generate a GRUB menu.  Amazon's pv-grub uses this to boot our kernel/initrd.
  boot.loader.grub.device = "/dev/sda";
  boot.loader.timeout = 0;
  # Don't put old configurations in the GRUB menu.  The user has no
  # way to select them anyway.
  boot.loader.grub.configurationLimit = 0;
  # Allow root logins only using the SSH key that the user specified
  # at instance creation time.
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "prohibit-password";
  services.openssh.passwordAuthentication = mkDefault false;
  # Use GCE udev rules for dynamic disk volumes
  services.udev.packages = [ gce ];
  # Force getting the hostname from Google Compute.
  networking.hostName = mkDefault "";
  # Always include cryptsetup so that NixOps can use it.
  environment.systemPackages = [ pkgs.cryptsetup ];
  # Make sure GCE image does not replace host key that NixOps sets
  environment.etc."default/instance_configs.cfg".text = lib.mkDefault ''
    [InstanceSetup]
    set_host_keys = false
  '';
  # Rely on GCP's firewall instead
  networking.firewall.enable = mkDefault false;
  # Configure default metadata hostnames
  networking.extraHosts = ''
    169.254.169.254 metadata.google.internal metadata
  '';
  networking.timeServers = [ "metadata.google.internal" ];
  networking.usePredictableInterfaceNames = false;
  # GC has 1460 MTU
  networking.interfaces.eth0.mtu = 1460;
  # allow the google-accounts-daemon to manage users
  users.mutableUsers = true;
  # and allow users to sudo without password
  security.sudo.enable = true;
  security.sudo.extraConfig = ''
  %google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL
  '';
  # NOTE: google-accounts tries to write to /etc/sudoers.d but the folder doesn't exist
  # FIXME: not such file or directory on dynamic SSH provisioning
  systemd.services.google-accounts-daemon = {
    description = "Google Compute Engine Accounts Daemon";
    # This daemon creates dynamic users
    enable = config.users.mutableUsers;
    after = [
      "network.target"
      "google-instance-setup.service"
      "google-network-setup.service"
    ];
    requires = ["network.target"];
    wantedBy = ["multi-user.target"];
    path = with pkgs; [ shadow ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${gce}/bin/google_accounts_daemon --debug";
    };
  };
  systemd.services.google-clock-skew-daemon = {
    description = "Google Compute Engine Clock Skew Daemon";
    after = [
      "network.target"
      "google-instance-setup.service"
      "google-network-setup.service"
    ];
    requires = ["network.target"];
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${gce}/bin/google_clock_skew_daemon --debug";
    };
  };
  systemd.services.google-instance-setup = {
    description = "Google Compute Engine Instance Setup";
    after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service"];
    before = ["sshd.service"];
    wants = ["local-fs.target" "network-online.target" "network.target"];
    wantedBy = [ "sshd.service" "multi-user.target" ];
    path = with pkgs; [ ethtool openssh ];
    serviceConfig = {
      ExecStart = "${gce}/bin/google_instance_setup --debug";
      Type = "oneshot";
    };
  };
  systemd.services.google-network-daemon = {
    description = "Google Compute Engine Network Daemon";
    after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service"];
    wants = ["local-fs.target" "network-online.target" "network.target"];
    requires = ["network.target"];
    partOf = ["network.target"];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ iproute ];
    serviceConfig = {
      ExecStart = "${gce}/bin/google_network_daemon --debug";
    };
  };
  systemd.services.google-shutdown-scripts = {
    description = "Google Compute Engine Shutdown Scripts";
    after = [
      "local-fs.target"
      "network-online.target"
      "network.target"
      "rsyslog.service"
      "systemd-resolved.service"
      "google-instance-setup.service"
      "google-network-daemon.service"
    ];
    wants = [ "local-fs.target" "network-online.target" "network.target"];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.coreutils}/bin/true";
      ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown";
      Type = "oneshot";
      RemainAfterExit = true;
      TimeoutStopSec = 0;
    };
  };
  systemd.services.google-startup-scripts = {
    description = "Google Compute Engine Startup Scripts";
    after = [
      "local-fs.target"
      "network-online.target"
      "network.target"
      "rsyslog.service"
      "google-instance-setup.service"
      "google-network-daemon.service"
    ];
    wants = ["local-fs.target" "network-online.target" "network.target"];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup";
      KillMode = "process";
      Type = "oneshot";
    };
  };
  # TODO: remove this
  systemd.services.fetch-ssh-keys =
    { description = "Fetch host keys and authorized_keys for root user";
      wantedBy = [ "sshd.service" ];
      before = [ "sshd.service" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'";
                   mktemp = "mktemp --tmpdir=/run"; in
        ''
          # When dealing with cryptographic keys, we want to keep things private.
          umask 077
          # Don't download the SSH key if it has already been downloaded
          echo "Obtaining SSH keys..."
          mkdir -m 0700 -p /root/.ssh
          AUTH_KEYS=$(${mktemp})
          ${wget} -O $AUTH_KEYS http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys
          if [ -s $AUTH_KEYS ]; then
            # Read in key one by one, split in case Google decided
            # to append metadata (it does sometimes) and add to
            # authorized_keys if not already present.
            touch /root/.ssh/authorized_keys
            NEW_KEYS=$(${mktemp})
            # Yes this is a nix escape of two single quotes.
            while IFS=''' read -r line || [[ -n "$line" ]]; do
              keyLine=$(echo -n "$line" | cut -d ':' -f2)
              IFS=' ' read -r -a array <<< "$keyLine"
              if [ ''${#array[@]} -ge 3 ]; then
                echo ''${array[@]:0:3} >> $NEW_KEYS
                echo "Added ''${array[@]:2} to authorized_keys"
              fi
            done < $AUTH_KEYS
            mv $NEW_KEYS /root/.ssh/authorized_keys
            chmod 600 /root/.ssh/authorized_keys
            rm -f $KEY_PUB
          else
            echo "Downloading http://metadata.google.internal/computeMetadata/v1/project/attributes/sshKeys failed."
            false
          fi
          rm -f $AUTH_KEYS
          SSH_HOST_KEYS_DIR=$(${mktemp} -d)
          ${wget} -O $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key
          ${wget} -O $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub
          if [ -s $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key -a -s $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key.pub ]; then
              mv -f $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key* /etc/ssh/
              chmod 600 /etc/ssh/ssh_host_ed25519_key
              chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
          else
              echo "Setup of ssh host keys from http://metadata.google.internal/computeMetadata/v1/instance/attributes/ failed."
              false
          fi
          rm -rf $SSH_HOST_KEYS_DIR
        '';
      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = true;
      serviceConfig.StandardError = "journal+console";
      serviceConfig.StandardOutput = "journal+console";
    };
  # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
  boot.kernel.sysctl = {
    # Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
    # of TCP functionality/features under normal conditions.  When flood
    # protections kick in under high unanswered-SYN load, the system
    # should remain more stable, with a trade off of some loss of TCP
    # functionality/features (e.g. TCP Window scaling).
    "net.ipv4.tcp_syncookies" = mkDefault "1";
    # ignores source-routed packets
    "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
    # ignores source-routed packets
    "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
    # ignores ICMP redirects
    "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
    # ignores ICMP redirects
    "net.ipv4.conf.default.accept_redirects" = mkDefault "0";
    # ignores ICMP redirects from non-GW hosts
    "net.ipv4.conf.all.secure_redirects" = mkDefault "1";
    # ignores ICMP redirects from non-GW hosts
    "net.ipv4.conf.default.secure_redirects" = mkDefault "1";
    # don't allow traffic between networks or act as a router
    "net.ipv4.ip_forward" = mkDefault "0";
    # don't allow traffic between networks or act as a router
    "net.ipv4.conf.all.send_redirects" = mkDefault "0";
    # don't allow traffic between networks or act as a router
    "net.ipv4.conf.default.send_redirects" = mkDefault "0";
    # reverse path filtering - IP spoofing protection
    "net.ipv4.conf.all.rp_filter" = mkDefault "1";
    # reverse path filtering - IP spoofing protection
    "net.ipv4.conf.default.rp_filter" = mkDefault "1";
    # ignores ICMP broadcasts to avoid participating in Smurf attacks
    "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
    # ignores bad ICMP errors
    "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
    # logs spoofed, source-routed, and redirect packets
    "net.ipv4.conf.all.log_martians" = mkDefault "1";
    # log spoofed, source-routed, and redirect packets
    "net.ipv4.conf.default.log_martians" = mkDefault "1";
    # implements RFC 1337 fix
    "net.ipv4.tcp_rfc1337" = mkDefault "1";
    # randomizes addresses of mmap base, heap, stack and VDSO page
    "kernel.randomize_va_space" = mkDefault "2";
    # Reboot the machine soon after a kernel panic.
    "kernel.panic" = mkDefault "10";
    ## Not part of the original config
    # provides protection from ToCToU races
    "fs.protected_hardlinks" = mkDefault "1";
    # provides protection from ToCToU races
    "fs.protected_symlinks" = mkDefault "1";
    # makes locating kernel addresses more difficult
    "kernel.kptr_restrict" = mkDefault "1";
    # set ptrace protections
    "kernel.yama.ptrace_scope" = mkOverride 500 "1";
    # set perf only available to root
    "kernel.perf_event_paranoid" = mkDefault "2";
  };
 }
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -178,6 +178,7 @@ in
  rabbitmq = handleTest ./rabbitmq.nix {};
  radicale = handleTest ./radicale.nix {};
  redmine = handleTest ./redmine.nix {};
  roundcube = handleTest ./roundcube.nix {};
  rspamd = handleTest ./rspamd.nix {};
  rss2email = handleTest ./rss2email.nix {};
  rsyslogd = handleTest ./rsyslogd.nix {};
--- a/nixos/tests/gitlab.nix
+++ b/nixos/tests/gitlab.nix
@ -16,6 +16,7 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
      services.nginx = {
        enable = true;
        recommendedProxySettings = true;
        virtualHosts = {
          "localhost" = {
            locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
@ -75,7 +76,8 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
    $gitlab->waitForUnit("gitlab.service");
    $gitlab->waitForUnit("gitlab-sidekiq.service");
    $gitlab->waitForFile("/var/gitlab/state/tmp/sockets/gitlab.socket");
-    $gitlab->waitUntilSucceeds("curl -sSf http://localhost/users/sign_in");
+    $gitlab->waitUntilSucceeds("curl -sSf http://gitlab/users/sign_in");
    $gitlab->succeed("curl -isSf http://gitlab  | grep -i location | grep -q http://gitlab/users/sign_in");
    $gitlab->succeed("${pkgs.sudo}/bin/sudo -u gitlab -H gitlab-rake gitlab:check 1>&2")
  '';
 })
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@ -10,6 +10,7 @@ import ./make-test.nix ({ pkgs, ...} : {
    { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
      users.users.sybil = { isNormalUser = true; group = "wheel"; };
      imports = [ ../modules/profiles/hardened.nix ];
      nix.useSandbox = false;
      virtualisation.emptyDiskImages = [ 4096 ];
      boot.initrd.postDeviceCommands = ''
        ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
@ -63,5 +64,11 @@ import ./make-test.nix ({ pkgs, ...} : {
        $machine->succeed("mount /dev/disk/by-label/EFISYS /efi");
        $machine->succeed("mountpoint -q /efi"); # now mounted
      };
      # Test Nix dæmon usage
      subtest "nix-daemon", sub {
        $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'");
        $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK";
      };
    '';
 })
--- a/nixos/tests/mxisd.nix
+++ b/nixos/tests/mxisd.nix
@ -0,0 +1,21 @@
 import ./make-test.nix ({ pkgs, ... } : {
  name = "mxisd";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ mguentner ];
  };
  nodes = {
    server_mxisd = args : {
      services.mxisd.enable = true;
      services.mxisd.matrix.domain = "example.org";
    };
  };
  testScript = ''
    startAll;
    $server_mxisd->waitForUnit("mxisd.service");
    $server_mxisd->waitForOpenPort(8090);
    $server_mxisd->succeed("curl -Ssf \"http://127.0.0.1:8090/_matrix/identity/api/v1\"")
  '';
 })
--- a/nixos/tests/roundcube.nix
+++ b/nixos/tests/roundcube.nix
@ -0,0 +1,28 @@
 import ./make-test.nix ({ pkgs, ...} : {
  name = "roundcube";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ globin ];
  };
  nodes = {
    roundcube = { config, pkgs, ... }: {
      services.roundcube = {
        enable = true;
        hostName = "roundcube";
        database.password = "notproduction";
      };
      services.nginx.virtualHosts.roundcube = {
        forceSSL = false;
        enableACME = false;
      };
    };
  };
  testScript = ''
    $roundcube->start;
    $roundcube->waitForUnit("postgresql.service");
    $roundcube->waitForUnit("phpfpm-roundcube.service");
    $roundcube->waitForUnit("nginx.service");
    $roundcube->succeed("curl -sSfL http://roundcube/");
  '';
 })
--- a/nixos/tests/rspamd.nix
+++ b/nixos/tests/rspamd.nix
@ -235,6 +235,7 @@ in
      services.rspamd = {
        enable = true;
        postfix.enable = true;
        workers.rspamd_proxy.type = "proxy";
      };
    };
    testScript = ''
--- a/pkgs/applications/audio/a2jmidid/default.nix
+++ b/pkgs/applications/audio/a2jmidid/default.nix
@ -9,12 +9,12 @@ in stdenv.mkDerivation rec {
  version = "8";
  src = fetchurl {
-    url = "http://repo.or.cz/a2jmidid.git/snapshot/7383d268c4bfe85df9f10df6351677659211d1ca.tar.gz";
+    url = "https://repo.or.cz/a2jmidid.git/snapshot/7383d268c4bfe85df9f10df6351677659211d1ca.tar.gz";
    sha256 = "06dgf5655znbvrd7fhrv8msv6zw8vk0hjqglcqkh90960mnnmwz7";
  };
-  nativeBuildInputs = [ pkgconfig wafHook ];
+  nativeBuildInputs = [ pkgconfig makeWrapper wafHook ];
-  buildInputs = [ makeWrapper alsaLib dbus libjack2 python dbus-python ];
+  buildInputs = [ alsaLib dbus libjack2 python dbus-python ];
  postInstall = ''
    wrapProgram $out/bin/a2j_control --set PYTHONPATH $PYTHONPATH
--- a/pkgs/applications/audio/avldrums-lv2/default.nix
+++ b/pkgs/applications/audio/avldrums-lv2/default.nix
@ -3,13 +3,13 @@
 stdenv.mkDerivation rec {
  name = "${pname}-${version}";
  pname = "avldrums.lv2";
-  version = "0.3.0";
+  version = "0.3.1";
  src = fetchFromGitHub {
    owner = "x42";
    repo = pname;
    rev = "v${version}";
-    sha256 = "0w51gdshq2i5bix2x5l3g3gnycy84nlzf5sj0jkrw0zrnbk6ghwg";
+    sha256 = "0yhq3n5bahhqpj40mvlkxcjsdsw63jsbz20pl77bx2qj30w25i2j";
    fetchSubmodules = true;
  };
--- a/pkgs/applications/audio/cadence/default.nix
+++ b/pkgs/applications/audio/cadence/default.nix
@ -1,5 +1,5 @@
 { stdenv
-, fetchurl
+, fetchzip
 , pkgconfig
 , qtbase
 , makeWrapper
@ -12,31 +12,13 @@
  version = "0.9.0";
  pname = "cadence";
-  src = fetchurl {
+  src = fetchzip {
    url = "https://github.com/falkTX/Cadence/archive/v${version}.tar.gz";
-    sha256 = "07z1mnb0bmldb3i31bgw816pnvlvr9gawr51rpx3mhixg5wpiqzb";
+    sha256 = "08vcggypkdfr70v49innahs5s11hi222dhhnm5wcqzdgksphqzwx";
  };
-  buildInputs = [
+  nativeBuildInputs = [ makeWrapper pkgconfig ];
-    makeWrapper
+  buildInputs = [ qtbase ];
    pkgconfig
    qtbase
  ];
  apps = [
    "cadence"
    "cadence-jacksettings"
    "cadence-pulse2loopback"
    "claudia"
    "cadence-aloop-daemon"
    "cadence-logs"
    "cadence-render"
    "catarina"
    "claudia-launcher"
    "cadence-pulse2jack"
    "cadence-session-start"
    "catia"
  ];
  makeFlags = ''
    PREFIX=""
@ -46,20 +28,54 @@
  propagatedBuildInputs = with python3Packages; [ pyqt5 ];
  postInstall = ''
-    # replace with our own wrappers.
+    # replace with our own wrappers. They need to be changed manually since it wouldn't work otherwise
-    for app in $apps; do
+    rm $out/bin/cadence
-      rm $out/bin/$app
+    makeWrapper ${python3Packages.python.interpreter} $out/bin/cadence \
      makeWrapper ${python3Packages.python.interpreter} $out/bin/$app \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
-        --add-flags "-O $out/share/cadence/src/$app.py"
+      --add-flags "-O $out/share/cadence/src/cadence.py"
-    done
+    rm $out/bin/claudia
    makeWrapper ${python3Packages.python.interpreter} $out/bin/claudia \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
      --add-flags "-O $out/share/cadence/src/claudia.py"
    rm $out/bin/catarina
    makeWrapper ${python3Packages.python.interpreter} $out/bin/catarina \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
      --add-flags "-O $out/share/cadence/src/catarina.py"
    rm $out/bin/catia
    makeWrapper ${python3Packages.python.interpreter} $out/bin/catia \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
      --add-flags "-O $out/share/cadence/src/catia.py"
    rm $out/bin/cadence-jacksettings
    makeWrapper ${python3Packages.python.interpreter} $out/bin/cadence-jacksettings \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
      --add-flags "-O $out/share/cadence/src/jacksettings.py"
    rm $out/bin/cadence-aloop-daemon
    makeWrapper ${python3Packages.python.interpreter} $out/bin/cadence-aloop-daemon \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
      --add-flags "-O $out/share/cadence/src/cadence_aloop_daemon.py"
    rm $out/bin/cadence-logs
    makeWrapper ${python3Packages.python.interpreter} $out/bin/cadence-logs \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
      --add-flags "-O $out/share/cadence/src/logs.py"
    rm $out/bin/cadence-render
    makeWrapper ${python3Packages.python.interpreter} $out/bin/cadence-render \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
      --add-flags "-O $out/share/cadence/src/render.py"
    rm $out/bin/claudia-launcher
    makeWrapper ${python3Packages.python.interpreter} $out/bin/claudia-launcher \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
      --add-flags "-O $out/share/cadence/src/claudia_launcher.py"
    rm $out/bin/cadence-session-start
    makeWrapper ${python3Packages.python.interpreter} $out/bin/cadence-session-start \
      --set PYTHONPATH "$PYTHONPATH:$out/share/cadence" \
      --add-flags "-O $out/share/cadence/src/cadence_session_start.py"
  '';
  meta = {
    homepage = https://github.com/falkTX/Cadence/;
    description = "Collection of tools useful for audio production";
-    license = stdenv.lib.licenses.mit;
+    license = stdenv.lib.licenses.gpl2Plus;
    maintainers = with stdenv.lib.maintainers; [ genesis ];
-    platforms = stdenv.lib.platforms.linux;
+    platforms = [ "x86_64-linux" ];
  };
 }
--- a/pkgs/applications/audio/cozy-audiobooks/default.nix
+++ b/pkgs/applications/audio/cozy-audiobooks/default.nix
@ -8,7 +8,7 @@
 , desktop-file-utils
 , gtk3
 , gst_all_1
-, gobjectIntrospection
+, gobject-introspection
 , python3Packages
 , file
 , cairo
@ -36,7 +36,7 @@ python3Packages.buildPythonApplication rec {
    wrapGAppsHook
    appstream-glib
    desktop-file-utils
-    gobjectIntrospection
+    gobject-introspection
  ];
  buildInputs = [
--- a/pkgs/applications/audio/distrho/default.nix
+++ b/pkgs/applications/audio/distrho/default.nix
@ -1,7 +1,13 @@
 { stdenv, fetchFromGitHub, alsaLib, fftwSinglePrec, freetype, libjack2
-, pkgconfig, premake3, xorg, ladspa-sdk }:
+, pkgconfig, ladspa-sdk, premake3
 , libX11, libXcomposite, libXcursor, libXext, libXinerama, libXrender
 }:
-stdenv.mkDerivation rec {
+let
  premakeos = if stdenv.hostPlatform.isDarwin then "osx"
              else if stdenv.hostPlatform.isWindows then "mingw"
              else "linux";
 in stdenv.mkDerivation rec {
  name = "distrho-ports-${version}";
  version = "2018-04-16";
@ -12,27 +18,26 @@ stdenv.mkDerivation rec {
    sha256 = "0l4zwl4mli8jzch32a1fh7c88r9q17xnkxsdw17ds5hadnxlk12v";
  };
  configurePhase = ''
    runHook preConfigure
    sh ./scripts/premake-update.sh ${premakeos}
    runHook postConfigure
  '';
  patchPhase = ''
    sed -e "s#@./scripts#sh scripts#" -i Makefile
  '';
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkgconfig premake3 ];
  buildInputs = [
-    alsaLib fftwSinglePrec freetype libjack2 premake3
+    alsaLib fftwSinglePrec freetype libjack2
-    xorg.libX11 xorg.libXcomposite xorg.libXcursor xorg.libXext
+    libX11 libXcomposite libXcursor libXext
-    xorg.libXinerama xorg.libXrender ladspa-sdk
+    libXinerama libXrender ladspa-sdk
  ];
-  buildPhase = ''
+  makeFlags = "PREFIX=$(out)";
    sh ./scripts/premake-update.sh linux
    make lv2
  '';
  installPhase = ''
    mkdir -p $out/bin
    mkdir -p $out/lib/lv2
    cp -a bin/lv2/* $out/lib/lv2/
  '';
  meta = with stdenv.lib; {
    homepage = http://distrho.sourceforge.net;
--- a/pkgs/applications/audio/dragonfly-reverb/default.nix
+++ b/pkgs/applications/audio/dragonfly-reverb/default.nix
@ -6,8 +6,8 @@ stdenv.mkDerivation rec {
  src = fetchFromGitHub {
    owner = "michaelwillis";
    repo = "dragonfly-reverb";
-    rev = "0.9.4";
+    rev = "1.0.0";
-    sha256 = "0lc45jybjwg4wrcz4s9lvzpvqawgj825rkqhz2xxvalfbvjazi53";
+    sha256 = "05m4hd8lg0a7iiia6cbiw5qmc4p8vbkxp2qh7ywaabawiwa9r24x";
    fetchSubmodules = true;
  };
--- a/pkgs/applications/audio/gnome-podcasts/default.nix
+++ b/pkgs/applications/audio/gnome-podcasts/default.nix
@ -0,0 +1,44 @@
 { stdenv, fetchurl, fetchFromGitLab, meson, ninja, gettext, cargo, rustc, python3, rustPlatform, pkgconfig, gnome3
 , glib, libhandy, gtk3, dbus, openssl, sqlite, gst_all_1, wrapGAppsHook }:
 # TODO: build from git for easier updates
 # rustPlatform.buildRustPackage rec {
 stdenv.mkDerivation rec {
  version = "0.4.6";
  name = "gnome-podcasts-${version}";
  src = fetchurl {
    url = https://gitlab.gnome.org/World/podcasts/uploads/e59ac5d618d7daf4c7f33ba72957c466/gnome-podcasts-0.4.6.tar.xz;
    sha256 = "0g2rk3w251fp5jwbxs5ya1adv8nsgdqjy1vmfg8qqab6qyndhbrc";
  };
  # src = fetchFromGitLab {
  #   domain = "gitlab.gnome.org";
  #   owner = "World";
  #   repo = "podcasts";
  #   rev = version;
  #   sha256 = "15xj98dhxvys0cnya9488qsfsm0ys1wy69wkc39z8j6hwdm7byq2";
  # };
  nativeBuildInputs = [
    meson ninja pkgconfig gettext cargo rustc python3 wrapGAppsHook
  ];
  buildInputs = [
    glib gtk3 libhandy dbus openssl sqlite gst_all_1.gstreamer gst_all_1.gst-plugins-base gst_all_1.gst-plugins-bad
  ];
  # cargoSha256 = "0721b5f700vvvzvmdl8nfjaa6j412q1fjssgrjv8n6rmn9z13d2v";
  postPatch = ''
    chmod +x scripts/compile-gschema.py # patchShebangs requires executable file
    patchShebangs scripts/compile-gschema.py
  '';
  meta = with stdenv.lib; {
    description = "Listen to your favorite podcasts";
    homepage = https://wiki.gnome.org/Apps/Podcasts;
    license = licenses.gpl3;
    maintainers = gnome3.maintainers;
    platforms = platforms.unix;
  };
 }
--- a/pkgs/applications/audio/gpodder/default.nix
+++ b/pkgs/applications/audio/gpodder/default.nix
@ -1,6 +1,6 @@
 { stdenv, fetchFromGitHub, python3, python3Packages, intltool
 , glibcLocales, gnome3, gtk3, wrapGAppsHook
-, ipodSupport ? false, libgpod, gobjectIntrospection
+, ipodSupport ? false, libgpod, gobject-introspection
 }:
 python3Packages.buildPythonApplication rec {
@ -27,7 +27,7 @@ python3Packages.buildPythonApplication rec {
  buildInputs = [
    python3
-    gobjectIntrospection
+    gobject-introspection
    gnome3.defaultIconTheme
  ];
--- a/pkgs/applications/audio/lollypop/default.nix
+++ b/pkgs/applications/audio/lollypop/default.nix
@ -1,7 +1,7 @@
 { stdenv, fetchgit, meson, ninja, pkgconfig
 , python3, gtk3, gst_all_1, libsecret, libsoup
 , appstream-glib, desktop-file-utils, gnome3
-, gobjectIntrospection, wrapGAppsHook }:
+, gobject-introspection, wrapGAppsHook }:
 python3.pkgs.buildPythonApplication rec  {
  version = "0.9.611";
@ -20,7 +20,7 @@ python3.pkgs.buildPythonApplication rec  {
  nativeBuildInputs = with python3.pkgs; [
    appstream-glib
    desktop-file-utils
-    gobjectIntrospection
+    gobject-introspection
    meson
    ninja
    pkgconfig
--- a/pkgs/applications/audio/mopidy/default.nix
+++ b/pkgs/applications/audio/mopidy/default.nix
@ -1,5 +1,5 @@
 { stdenv, fetchFromGitHub, pythonPackages, wrapGAppsHook
-, gst_all_1, glib-networking, gobjectIntrospection
+, gst_all_1, glib-networking, gobject-introspection
 }:
 pythonPackages.buildPythonApplication rec {
@ -17,7 +17,7 @@ pythonPackages.buildPythonApplication rec {
  buildInputs = with gst_all_1; [
    gst-plugins-base gst-plugins-good gst-plugins-ugly gst-plugins-bad
-    glib-networking gobjectIntrospection
+    glib-networking gobject-introspection
  ];
  propagatedBuildInputs = with pythonPackages; [
--- a/pkgs/applications/audio/mopidy/iris.nix
+++ b/pkgs/applications/audio/mopidy/iris.nix
@ -2,11 +2,11 @@
 pythonPackages.buildPythonApplication rec {
  pname = "Mopidy-Iris";
-  version = "3.31.1";
+  version = "3.31.2";
  src = pythonPackages.fetchPypi {
    inherit pname version;
-    sha256 = "1djxkgjvfzijvlq3gill1p20l0q64dbv9wd55whbir1l7y8wdga5";
+    sha256 = "0639ib5nicrabckjd17wdmhl8n3822gc2p1bn0xv8mq70paspar6";
  };
  propagatedBuildInputs = [
@ -17,7 +17,7 @@ pythonPackages.buildPythonApplication rec {
    pylast
    spotipy
    raven
-    tornado
+    tornado_4
  ]);
  postPatch = "sed -i /tornado/d setup.py";
--- a/pkgs/applications/audio/mopidy/local-images.nix
+++ b/pkgs/applications/audio/mopidy/local-images.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, pythonPackages, mopidy, gobjectIntrospection }:
+{ stdenv, fetchFromGitHub, pythonPackages, mopidy, gobject-introspection }:
 pythonPackages.buildPythonApplication rec {
  pname = "mopidy-local-images";
@ -11,7 +11,7 @@ pythonPackages.buildPythonApplication rec {
    sha256 = "0gdqxws0jish50mmi57mlqcs659wrllzv00czl18niz94vzvyc0d";
  };
-  buildInputs = [ gobjectIntrospection ];
+  buildInputs = [ gobject-introspection ];
  checkInputs = [
    pythonPackages.mock
--- a/pkgs/applications/audio/pithos/default.nix
+++ b/pkgs/applications/audio/pithos/default.nix
@ -1,4 +1,4 @@
-{ fetchFromGitHub, stdenv, pythonPackages, gtk3, gobjectIntrospection, libnotify
+{ fetchFromGitHub, stdenv, pythonPackages, gtk3, gobject-introspection, libnotify
 , gst_all_1, wrapGAppsHook }:
 pythonPackages.buildPythonApplication rec {
@ -27,7 +27,7 @@ pythonPackages.buildPythonApplication rec {
  buildInputs = [ wrapGAppsHook ];
  propagatedBuildInputs =
-    [ gtk3 gobjectIntrospection libnotify ] ++
+    [ gtk3 gobject-introspection libnotify ] ++
    (with gst_all_1; [ gstreamer gst-plugins-base gst-plugins-good gst-plugins-ugly gst-plugins-bad ]) ++
    (with pythonPackages; [ pygobject3 pylast ]);
--- a/pkgs/applications/audio/quodlibet/default.nix
+++ b/pkgs/applications/audio/quodlibet/default.nix
@ -1,5 +1,5 @@
 { stdenv, fetchurl, python3, wrapGAppsHook, gettext, intltool, libsoup, gnome3, gtk3, gdk_pixbuf,
-  tag ? "", xvfb_run, dbus, glibcLocales, glib, glib-networking, gobjectIntrospection,
+  tag ? "", xvfb_run, dbus, glibcLocales, glib, glib-networking, gobject-introspection,
  gst_all_1, withGstPlugins ? true,
  xineBackend ? false, xineLib,
  withDbusPython ? false, withPyInotify ? false, withMusicBrainzNgs ? false, withPahoMqtt ? false,
@ -24,7 +24,7 @@ python3.pkgs.buildPythonApplication rec {
  checkInputs = with python3.pkgs; [ pytest pytest_xdist pyflakes pycodestyle polib xvfb_run dbus.daemon glibcLocales ];
-  buildInputs = [ gnome3.defaultIconTheme libsoup glib glib-networking gtk3 webkitgtk gdk_pixbuf keybinder3 gtksourceview libmodplug libappindicator-gtk3 kakasi gobjectIntrospection ]
+  buildInputs = [ gnome3.defaultIconTheme libsoup glib glib-networking gtk3 webkitgtk gdk_pixbuf keybinder3 gtksourceview libmodplug libappindicator-gtk3 kakasi gobject-introspection ]
    ++ (if xineBackend then [ xineLib ] else with gst_all_1;
    [ gstreamer gst-plugins-base ] ++ optionals withGstPlugins [ gst-plugins-good gst-plugins-ugly gst-plugins-bad ]);
--- a/pkgs/applications/audio/renoise/default.nix
+++ b/pkgs/applications/audio/renoise/default.nix
@ -1,4 +1,5 @@
-{ stdenv, fetchurl, libX11, libXext, libXcursor, libXrandr, libjack2, alsaLib, releasePath ? null }:
+{ stdenv, fetchurl, libX11, libXext, libXcursor, libXrandr, libjack2, alsaLib
 , mpg123, releasePath ? null }:
 with stdenv.lib;
@ -35,7 +36,7 @@ stdenv.mkDerivation rec {
        releasePath
    else throw "Platform is not supported by Renoise";
-  buildInputs = [ libX11 libXext libXcursor libXrandr alsaLib libjack2 ];
+  buildInputs = [ alsaLib libjack2 libX11 libXcursor libXext libXrandr ];
  installPhase = ''
    cp -r Resources $out
@ -54,13 +55,18 @@ stdenv.mkDerivation rec {
    mkdir $out/bin
    ln -s $out/renoise $out/bin/renoise
  '';
-    patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) --set-rpath $out/lib $out/renoise
+  postFixup = ''
    patchelf \
      --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
      --set-rpath ${mpg123}/lib:$out/lib \
      $out/renoise
  '';
  meta = {
    description = "Modern tracker-based DAW";
-    homepage = http://www.renoise.com/;
+    homepage = https://www.renoise.com/;
    license = licenses.unfree;
    maintainers = [];
    platforms = [ "i686-linux" "x86_64-linux" ];
--- a/pkgs/applications/audio/seq24/default.nix
+++ b/pkgs/applications/audio/seq24/default.nix
@ -5,7 +5,7 @@ stdenv.mkDerivation  rec {
  version = "0.9.3";
  src = fetchurl {
-    url = "http://launchpad.net/seq24/trunk/${version}/+download/${name}.tar.gz";
+    url = "https://launchpad.net/seq24/trunk/${version}/+download/${name}.tar.gz";
    sha256 = "1qpyb7355s21sgy6gibkybxpzx4ikha57a8w644lca6qy9mhcwi3";
  };
--- a/pkgs/applications/audio/sonata/default.nix
+++ b/pkgs/applications/audio/sonata/default.nix
@ -1,5 +1,5 @@
 { stdenv, fetchFromGitHub, pkgconfig, intltool, wrapGAppsHook
-, python3Packages, gnome3, gtk3, gobjectIntrospection}:
+, python3Packages, gnome3, gtk3, gobject-introspection}:
 let
  inherit (python3Packages) buildPythonApplication isPy3k dbus-python pygobject3 mpd2;
@ -29,7 +29,7 @@ in buildPythonApplication rec {
  '';
  propagatedBuildInputs = [
-    gobjectIntrospection gtk3 pygobject3
+    gobject-introspection gtk3 pygobject3
  ];
  # The optional tagpy dependency (for editing metadata) is not yet
--- a/pkgs/applications/audio/synthv1/default.nix
+++ b/pkgs/applications/audio/synthv1/default.nix
@ -2,11 +2,11 @@
 stdenv.mkDerivation rec {
  name = "synthv1-${version}";
-  version = "0.9.2";
+  version = "0.9.3";
  src = fetchurl {
    url = "mirror://sourceforge/synthv1/${name}.tar.gz";
-    sha256 = "1r60l286n8y4a4rrlnbc3h7xk4s2pvqykvskls89prxg0lkpz7kl";
+    sha256 = "0f58k5n2k667q8wsigg7bzl3lfgaf6jdj98r2a5nvyb18v1wpy2c";
  };
  buildInputs = [ qt5.qtbase qt5.qttools libjack2 alsaLib liblo lv2 ];
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
  meta = with stdenv.lib; {
    description = "An old-school 4-oscillator subtractive polyphonic synthesizer with stereo fx";
-    homepage = http://synthv1.sourceforge.net/;
+    homepage = https://synthv1.sourceforge.io/;
    license = licenses.gpl2Plus;
    platforms = platforms.linux;
    maintainers = [ maintainers.goibhniu ];
--- a/pkgs/applications/audio/transcribe/default.nix
+++ b/pkgs/applications/audio/transcribe/default.nix
@ -1,33 +1,31 @@
-{ stdenv, fetchzip, lib, makeWrapper, alsaLib, atk, cairo, gdk_pixbuf
+{ stdenv, fetchzip, wrapGAppsHook, alsaLib, atk, cairo, gdk_pixbuf
-, glib, gst-ffmpeg, gst-plugins-bad, gst-plugins-base
+, glib, gst_all_1,  gtk3, libSM, libX11, libpng12, pango, zlib }:
 , gst-plugins-good, gst-plugins-ugly, gstreamer, gtk2, libSM, libX11
 , libpng12, pango, zlib }:
 stdenv.mkDerivation rec {
  name = "transcribe-${version}";
-  version = "8.40";
+  version = "8.72";
  src = if stdenv.hostPlatform.system == "i686-linux" then
    fetchzip {
-      url = "https://www.seventhstring.com/xscribe/downlinux32_old/xscsetup.tar.gz";
+      url = "https://www.seventhstring.com/xscribe/downlinux32/xscsetup.tar.gz";
-      sha256 = "1ngidmj9zz8bmv754s5xfsjv7v6xr03vck4kigzq4bpc9b1fdhjq";
+      sha256 = "1h5l7ry9c9awpxfnd29b0wm973ifrhj17xl5d2fdsclw2swsickb";
    }
  else if stdenv.hostPlatform.system == "x86_64-linux" then
    fetchzip {
-      url = "https://www.seventhstring.com/xscribe/downlinux64_old/xsc64setup.tar.gz";
+      url = "https://www.seventhstring.com/xscribe/downlinux64/xsc64setup.tar.gz";
-      sha256 = "0svzi8svj6zn06gj0hr8mpnhq4416dvb4g5al0gpb1g3paywdaf9";
+      sha256 = "1rpd3ppnx5i5yrnfbjrx7h7dk48kwl99i9lnpa75ap7nxvbiznm0";
    }
  else throw "Platform not supported";
-  nativeBuildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ wrapGAppsHook ];
-  buildInputs = [ gst-plugins-base gst-plugins-good
+  buildInputs = with gst_all_1; [ gst-plugins-base gst-plugins-good
-    gst-plugins-bad gst-plugins-ugly gst-ffmpeg ];
+    gst-plugins-bad gst-plugins-ugly ];
  dontPatchELF = true;
-  libPath = lib.makeLibraryPath [
+  libPath = with gst_all_1; stdenv.lib.makeLibraryPath [
-    stdenv.cc.cc glib gtk2 atk pango cairo gdk_pixbuf alsaLib
+    stdenv.cc.cc glib gtk3 atk pango cairo gdk_pixbuf alsaLib
    libX11 libSM libpng12 gstreamer gst-plugins-base zlib
  ];
@ -42,11 +40,16 @@ stdenv.mkDerivation rec {
    patchelf \
      --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
      $out/libexec/transcribe
  '';
-    wrapProgram $out/libexec/transcribe \
+  preFixup = ''
-      --prefix GST_PLUGIN_SYSTEM_PATH : "$GST_PLUGIN_SYSTEM_PATH" \
+    gappsWrapperArgs+=(
      --prefix GST_PLUGIN_SYSTEM_PATH : "$GST_PLUGIN_SYSTEM_PATH_1_0"
      --prefix LD_LIBRARY_PATH : "${libPath}"
    )
  '';
  postFixup = ''
    ln -s $out/libexec/transcribe $out/bin/
  '';
--- a/pkgs/applications/audio/vocal/default.nix
+++ b/pkgs/applications/audio/vocal/default.nix
@ -1,5 +1,5 @@
 { stdenv, fetchFromGitHub, cmake, ninja, pkgconfig, vala_0_40, gtk3, libxml2, granite, webkitgtk, clutter-gtk
-, clutter-gst, libunity, libnotify, sqlite, gst_all_1, libsoup, json-glib, gnome3, gobjectIntrospection, wrapGAppsHook }:
+, clutter-gst, libunity, libnotify, sqlite, gst_all_1, libsoup, json-glib, gnome3, gobject-introspection, wrapGAppsHook }:
 stdenv.mkDerivation rec {
  pname = "vocal";
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [
    cmake
-    gobjectIntrospection
+    gobject-introspection
    libxml2
    ninja
    pkgconfig
--- a/pkgs/applications/audio/x42-plugins/default.nix
+++ b/pkgs/applications/audio/x42-plugins/default.nix
@ -3,12 +3,12 @@
 , libGLU, lv2, gtk2, cairo, pango, fftwFloat, zita-convolver }:
 stdenv.mkDerivation rec {
-  version = "20180812";
+  version = "20181103";
  name = "x42-plugins-${version}";
  src = fetchurl {
    url = "https://gareus.org/misc/x42-plugins/${name}.tar.xz";
-    sha256 = "0gzwzxpa2k2w9c6j3pspwi9slfyd57wb192d6yqcg92pfmnxy9dz";
+    sha256 = "085d6qjj7nl22f0xamqdrnfxwi8zrfwgkwm1svm73bjkdv270438";
  };
  nativeBuildInputs = [ pkgconfig ];
@ -34,6 +34,6 @@ stdenv.mkDerivation rec {
      homepage = https://github.com/x42/x42-plugins;
      maintainers = with maintainers; [ magnetophon ];
      license = licenses.gpl2;
-      platforms = platforms.linux;
+      platforms = [ "i686-linux" "x86_64-linux" ];
    };
 }
--- a/pkgs/applications/display-managers/lightdm/default.nix
+++ b/pkgs/applications/display-managers/lightdm/default.nix
@ -1,6 +1,6 @@
 { stdenv, fetchFromGitHub, pam, pkgconfig, autoconf, automake, libtool, libxcb
 , glib, libXdmcp, itstool, intltool, libxklavier, libgcrypt, audit, busybox
-, polkit, accountsservice, gtk-doc, gnome3, gobjectIntrospection, vala
+, polkit, accountsservice, gtk-doc, gnome3, gobject-introspection, vala
 , withQt4 ? false, qt4
 , withQt5 ? false, qtbase
 }:
@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
    automake
    gnome3.yelp-tools
    gnome3.yelp-xsl
-    gobjectIntrospection
+    gobject-introspection
    gtk-doc
    intltool
    itstool
--- a/pkgs/applications/editors/android-studio/default.nix
+++ b/pkgs/applications/editors/android-studio/default.nix
@ -13,14 +13,14 @@ let
    sha256Hash = "117skqjax1xz9plarhdnrw2rwprjpybdc7mx7wggxapyy920vv5r";
  };
  betaVersion = {
-    version = "3.3.0.16"; # "Android Studio 3.3 Beta 4"
+    version = "3.3.0.17"; # "Android Studio 3.3 RC 1"
-    build = "182.5114240";
+    build = "182.5138683";
-    sha256Hash = "12gzwnlvc1w5lywpdckdgwxy2yrhf0m0fvaljdsis2arw0x9qdh2";
+    sha256Hash = "0apc566l4gwkwvfgj50d4qxm2gw26rxdlyr8kj3kfcra9a33c2b7";
  };
  latestVersion = { # canary & dev
-    version = "3.4.0.3"; # "Android Studio 3.4 Canary 4"
+    version = "3.4.0.5"; # "Android Studio 3.4 Canary 6"
-    build = "183.5129585";
+    build = "183.5146016";
-    sha256Hash = "10y09sy0h4yp39dwpp8x7kjvw8r7hvk0qllbbaqj76j33xa85793";
+    sha256Hash = "1z2asimpsw15iild7c4aqicph6v327qx3ffjgvl2n8vr5rspsns1";
  };
 in rec {
  # Old alias
--- a/pkgs/applications/editors/eclipse/plugins.nix
+++ b/pkgs/applications/editors/eclipse/plugins.nix
@ -555,12 +555,12 @@ rec {
  spotbugs = buildEclipseUpdateSite rec {
    name = "spotbugs-${version}";
-    version = "3.1.8";
+    version = "3.1.9";
    src = fetchzip {
      stripRoot = false;
      url = "https://github.com/spotbugs/spotbugs/releases/download/${version}/eclipsePlugin.zip";
-      sha256 = "0086shivxx745f69226f59xcv7l9xliwyr9kxm6zyn753c888js3";
+      sha256 = "0m68jbyaiz0rm4qq3nnwnvgndzv2c6ay6i29kh0p0vdbanggq3xz";
    };
    meta = with stdenv.lib; {
--- a/pkgs/applications/editors/gnome-builder/default.nix
+++ b/pkgs/applications/editors/gnome-builder/default.nix
@ -3,16 +3,15 @@
 , desktop-file-utils
 , docbook_xsl
 , docbook_xml_dtd_43
 , fetchpatch
 , fetchurl
 , flatpak
 , glibcLocales
 , gnome3
-, gobjectIntrospection
+, gobject-introspection
 , gspell
 , gtk-doc
 , gtk3
-, gtksourceview3
+, gtksourceview4
 , hicolor-icon-theme
 , json-glib
 , jsonrpc-glib
@ -31,14 +30,14 @@
 , wrapGAppsHook
 }:
 let
-  version = "3.28.4";
+  version = "3.30.0";
  pname = "gnome-builder";
 in stdenv.mkDerivation {
  name = "${pname}-${version}";
  src = fetchurl {
    url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "0ibb74jlyrl5f6rj1b74196zfg2qaf870lxgi76qzpkgwq0iya05";
+    sha256 = "1pshzpjy9rk6gijlm97s316aihykzxrmb07vilp17q5857passak";
  };
  nativeBuildInputs = [
@ -47,7 +46,7 @@ in stdenv.mkDerivation {
    docbook_xsl
    docbook_xml_dtd_43
    glibcLocales # for Meson's gtkdochelper
-    gobjectIntrospection
+    gobject-introspection
    gtk-doc
    hicolor-icon-theme
    meson
@ -67,7 +66,7 @@ in stdenv.mkDerivation {
    gnome3.vte
    gspell
    gtk3
-    gtksourceview3
+    gtksourceview4
    json-glib
    jsonrpc-glib
    libdazzle
@ -87,24 +86,6 @@ in stdenv.mkDerivation {
    patchShebangs build-aux/meson/post_install.py
  '';
  patches = [
    (fetchpatch {
      name = "absolute-shared-library-path.patch";
      url = "https://gitlab.gnome.org/GNOME/gnome-builder/commit/1011cabc519fd7322e2d695c79bfce3e18ff6200.patch";
      sha256 = "1g12zziidzrphp527aa8sklfaln4qpjprkz73f0c9w5ph6k252fw";
    })
    (fetchpatch {
      name = "python-libprefix.patch";
      url = "https://gitlab.gnome.org/GNOME/gnome-builder/commit/43494ce83a347f369ed4cfb8dd71d3b93452736b.patch";
      sha256 = "0kgi3n3g13n1j4xa61ln9xiahcfdc43bxi5mw4yva2d5px445msf";
    })
    (fetchpatch {
      name = "ostree-dependency.patch";
      url = "https://gitlab.gnome.org/GNOME/gnome-builder/commit/8b11773b65c95f464a0de16b91318c1ca73deeae.patch";
      sha256 = "18r4hd90id0w6r0lzqpw83bcj45nm9jhr46a0ffi1mcayb18mgbk";
    })
  ];
  mesonFlags = [
    "-Dpython_libprefix=${python3.libPrefix}"
    "-Dwith_docs=true"
--- a/pkgs/applications/editors/gnome-latex/default.nix
+++ b/pkgs/applications/editors/gnome-latex/default.nix
@ -1,14 +1,14 @@
 { stdenv, fetchurl, wrapGAppsHook
 , tepl, amtk, gnome3, glib, pkgconfig, intltool, itstool, libxml2 }:
 let
-  version = "3.30.1";
+  version = "3.30.2";
  pname = "gnome-latex";
 in stdenv.mkDerivation {
  name = "${pname}-${version}";
  src = fetchurl {
    url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "0yvkp311ikmiypzj2q6ypvyw5migxiqp8lwhyl3qq6mk6p0x66w8";
+    sha256 = "0fn3vy6w714wy0bz3y11zpdprpwxbv5xfiyyxjwp2nix9mbvv2sm";
  };
  NIX_CFLAGS_COMPILE = "-I${glib.dev}/include/gio-unix-2.0";
--- a/pkgs/applications/editors/jetbrains/default.nix
+++ b/pkgs/applications/editors/jetbrains/default.nix
@ -276,12 +276,12 @@ in
  goland = buildGoland rec {
    name = "goland-${version}";
-    version = "2018.2.4"; /* updated by script */
+    version = "2018.3"; /* updated by script */
    description = "Up and Coming Go IDE";
    license = stdenv.lib.licenses.unfree;
    src = fetchurl {
      url = "https://download.jetbrains.com/go/${name}.tar.gz";
-      sha256 = "0aan23ggs314bvpsldsv9m4pdmnlgdcjac9x6hv1j145a1pp439i"; /* updated by script */
+      sha256 = "0hd44flxqnnxg390mkf4ppjs2nxv0nwdc7a2i65f69bp5h61x783"; /* updated by script */
    };
    wmClass = "jetbrains-goland";
    update-channel = "GoLand Release";
@ -289,12 +289,12 @@ in
  idea-community = buildIdea rec {
    name = "idea-community-${version}";
-    version = "2018.2.6"; /* updated by script */
+    version = "2018.3"; /* updated by script */
    description = "Integrated Development Environment (IDE) by Jetbrains, community edition";
    license = stdenv.lib.licenses.asl20;
    src = fetchurl {
      url = "https://download.jetbrains.com/idea/ideaIC-${version}.tar.gz";
-      sha256 = "02hpbyivji9vnik7p04zrja1rhhl49r0365g0i6sa1rrwd1fhvwf"; /* updated by script */
+      sha256 = "01ccz5ksbv8xh8mnk3zxqpia8zgayy8bcgmbwqibrykz47y6r7yy"; /* updated by script */
    };
    wmClass = "jetbrains-idea-ce";
    update-channel = "IntelliJ IDEA Release";
@ -302,12 +302,12 @@ in
  idea-ultimate = buildIdea rec {
    name = "idea-ultimate-${version}";
-    version = "2018.2.6"; /* updated by script */
+    version = "2018.3"; /* updated by script */
    description = "Integrated Development Environment (IDE) by Jetbrains, requires paid license";
    license = stdenv.lib.licenses.unfree;
    src = fetchurl {
      url = "https://download.jetbrains.com/idea/ideaIU-${version}-no-jdk.tar.gz";
-      sha256 = "0x0ylcbj8spvzmwxrw3p4c64ad27iz58lwj4yb8a6vwh6p22gflk"; /* updated by script */
+      sha256 = "16z0pqmxjn5dl42rbz7mx8gi13xs3220pzkdsdkh1k1ny9caqzvj"; /* updated by script */
    };
    wmClass = "jetbrains-idea";
    update-channel = "IntelliJ IDEA Release";
@ -328,12 +328,12 @@ in
  pycharm-community = buildPycharm rec {
    name = "pycharm-community-${version}";
-    version = "2018.2.5"; /* updated by script */
+    version = "2018.3"; /* updated by script */
    description = "PyCharm Community Edition";
    license = stdenv.lib.licenses.asl20;
    src = fetchurl {
      url = "https://download.jetbrains.com/python/${name}.tar.gz";
-      sha256 = "0zfnhrkv4y90a3myq13406vzivg234l69x0c5d7vyv6ys7dmq5fm"; /* updated by script */
+      sha256 = "0kgrh3w4lpk7qkp5gss24in1nqahdfllvf97qz6r77zn9n5k1wq7"; /* updated by script */
    };
    wmClass = "jetbrains-pycharm-ce";
    update-channel = "PyCharm Release";
@ -341,12 +341,12 @@ in
  pycharm-professional = buildPycharm rec {
    name = "pycharm-professional-${version}";
-    version = "2018.2.5"; /* updated by script */
+    version = "2018.3"; /* updated by script */
    description = "PyCharm Professional Edition";
    license = stdenv.lib.licenses.unfree;
    src = fetchurl {
      url = "https://download.jetbrains.com/python/${name}.tar.gz";
-      sha256 = "0yfq25kmzzd15x83zdbrq9j62c32maklzhsk1rzymabyb56blh5c"; /* updated by script */
+      sha256 = "0q4scwnqy0h725g9z5hd145c3n10iaj04z790s4lixg1c63h3y8q"; /* updated by script */
    };
    wmClass = "jetbrains-pycharm";
    update-channel = "PyCharm Release";
@ -367,12 +367,12 @@ in
  ruby-mine = buildRubyMine rec {
    name = "ruby-mine-${version}";
-    version = "2018.2.4"; /* updated by script */
+    version = "2018.2.5"; /* updated by script */
    description = "The Most Intelligent Ruby and Rails IDE";
    license = stdenv.lib.licenses.unfree;
    src = fetchurl {
      url = "https://download.jetbrains.com/ruby/RubyMine-${version}.tar.gz";
-      sha256 = "0dk3ch749ai5kyg9q8819ckrqw2jk4f656iqrkkpab9fjqfjylka"; /* updated by script */
+      sha256 = "0b01fnifk5iawyf2zi7r5ffz8dxlh18g2ilrkc5746vmnsp0jxq4"; /* updated by script */
    };
    wmClass = "jetbrains-rubymine";
    update-channel = "RubyMine 2018.2";
@ -380,12 +380,12 @@ in
  webstorm = buildWebStorm rec {
    name = "webstorm-${version}";
-    version = "2018.2.6"; /* updated by script */
+    version = "2018.3"; /* updated by script */
    description = "Professional IDE for Web and JavaScript development";
    license = stdenv.lib.licenses.unfree;
    src = fetchurl {
      url = "https://download.jetbrains.com/webstorm/WebStorm-${version}.tar.gz";
-      sha256 = "1snx59b6d0szd1a07agpqxlprhy2mc9jvbnxcck5hfwxl3ic7x5g"; /* updated by script */
+      sha256 = "0msvgdjbdipc4g8j705d1jya2mjmx4wwhb23nch3znh7grryr75s"; /* updated by script */
    };
    wmClass = "jetbrains-webstorm";
    update-channel = "WebStorm Release";
--- a/pkgs/applications/editors/monodevelop/default.nix
+++ b/pkgs/applications/editors/monodevelop/default.nix
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
  };
  nunit2510 = fetchurl {
-    url = "http://launchpad.net/nunitv2/2.5/2.5.10/+download/NUnit-2.5.10.11092.zip";
+    url = "https://launchpad.net/nunitv2/2.5/2.5.10/+download/NUnit-2.5.10.11092.zip";
    sha256 = "0k5h5bz1p2v3d0w0hpkpbpvdkcszgp8sr9ik498r1bs72w5qlwnc";
  };
--- a/pkgs/applications/editors/quilter/default.nix
+++ b/pkgs/applications/editors/quilter/default.nix
@ -1,6 +1,6 @@
 { stdenv, fetchFromGitHub, fetchpatch, vala_0_40, pkgconfig, meson, ninja, python3
 , granite, gtk3, desktop-file-utils, gnome3, gtksourceview, webkitgtk, gtkspell3
-, discount, gobjectIntrospection, wrapGAppsHook }:
+, discount, gobject-introspection, wrapGAppsHook }:
 stdenv.mkDerivation rec {
  pname = "quilter";
@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [
    desktop-file-utils
-    gobjectIntrospection
+    gobject-introspection
    meson
    ninja
    pkgconfig
--- a/pkgs/applications/editors/rednotebook/default.nix
+++ b/pkgs/applications/editors/rednotebook/default.nix
@ -1,5 +1,5 @@
 { lib, buildPythonApplication, fetchFromGitHub
-, gdk_pixbuf, glib, gobjectIntrospection, gtk3, gtksourceview, pango, webkitgtk
+, gdk_pixbuf, glib, gobject-introspection, gtk3, gtksourceview, pango, webkitgtk
 , pygobject3, pyyaml
 }:
@ -17,7 +17,7 @@ buildPythonApplication rec {
  # We have not packaged tests.
  doCheck = false;
-  nativeBuildInputs = [ gobjectIntrospection ];
+  nativeBuildInputs = [ gobject-introspection ];
  propagatedBuildInputs = [
    gdk_pixbuf glib gtk3 gtksourceview pango webkitgtk
--- a/pkgs/applications/graphics/deskew/default.nix
+++ b/pkgs/applications/graphics/deskew/default.nix
@ -0,0 +1,37 @@
 { stdenv, fetchFromBitbucket, libtiff, fpc }:
 stdenv.mkDerivation rec {
  name = "deskew-${version}";
  version = "1.25";
  src = fetchFromBitbucket {
    owner = "galfar";
    repo = "app-deskew";
    rev = "v${version}";
    sha256 = "0zjjj66qhgqkmfxl3q7p78dv4xl4ci918pgl4d5259pqdj1bfgc8";
  };
  nativeBuildInputs = [ fpc ];
  buildInputs = [ libtiff ];
  buildPhase = ''
    rm -r Bin # Remove pre-compiled binary
    mkdir Bin
    chmod +x compile.sh
    ./compile.sh
  '';
  installPhase = ''
    install -Dt $out/bin Bin/*
  '';
  meta = with stdenv.lib; {
    description = "A command line tool for deskewing scanned text documents";
    homepage = https://bitbucket.org/galfar/app-deskew/overview;
    license = licenses.mit;
    maintainers = with maintainers; [ryantm];
    platforms = platforms.all;
  };
 }
--- a/pkgs/applications/graphics/mypaint/default.nix
+++ b/pkgs/applications/graphics/mypaint/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, gtk3, intltool, json_c, lcms2, libpng, librsvg, gobjectIntrospection, hicolor-icon-theme
+{ stdenv, fetchFromGitHub, gtk3, intltool, json_c, lcms2, libpng, librsvg, gobject-introspection, hicolor-icon-theme
 , gdk_pixbuf, pkgconfig, python2Packages, scons, swig, wrapGAppsHook }:
 let
@ -17,7 +17,7 @@ in stdenv.mkDerivation rec {
  nativeBuildInputs = [
    intltool pkgconfig scons swig wrapGAppsHook
-    gobjectIntrospection # for setup hook
+    gobject-introspection # for setup hook
  ];
  buildInputs = [
--- a/pkgs/applications/graphics/photoflow/default.nix
+++ b/pkgs/applications/graphics/photoflow/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, gettext, glib, libxml2, pkgconfig, swig, automake, gobjectIntrospection, cmake, ninja, libtiff, libjpeg, fftw, exiv2, lensfun, gtkmm2, libraw, lcms2, libexif, vips, expat, pcre, pugixml }:
+{ stdenv, fetchFromGitHub, gettext, glib, libxml2, pkgconfig, swig, automake, gobject-introspection, cmake, ninja, libtiff, libjpeg, fftw, exiv2, lensfun, gtkmm2, libraw, lcms2, libexif, vips, expat, pcre, pugixml }:
 stdenv.mkDerivation {
  name = "photoflow-unstable-2018-08-28";
@ -17,7 +17,7 @@ stdenv.mkDerivation {
    pkgconfig
    swig
    automake
-    gobjectIntrospection
+    gobject-introspection
    cmake
    ninja
  ];
--- a/pkgs/applications/graphics/rapid-photo-downloader/default.nix
+++ b/pkgs/applications/graphics/rapid-photo-downloader/default.nix
@ -1,5 +1,5 @@
 { stdenv, fetchurl, python3Packages
-, file, intltool, gobjectIntrospection, libgudev
+, file, intltool, gobject-introspection, libgudev
 , udisks, glib, gnome3, gst_all_1, libnotify
 , exiv2, exiftool, qt5, gdk_pixbuf
 }:
@ -23,7 +23,7 @@ python3Packages.buildPythonApplication rec {
      --replace "import problemnotification" "import raphodo.problemnotification"
  '';
-  nativeBuildInputs = [ file intltool gobjectIntrospection ];
+  nativeBuildInputs = [ file intltool gobject-introspection ];
  buildInputs = [
    libgudev
--- a/pkgs/applications/graphics/shotwell/default.nix
+++ b/pkgs/applications/graphics/shotwell/default.nix
@ -1,23 +1,23 @@
 { fetchurl, stdenv, meson, ninja, gtk3, libexif, libgphoto2, libsoup, libxml2, vala, sqlite
 , webkitgtk, pkgconfig, gnome3, gst_all_1, libgudev, libraw, glib, json-glib
 , gettext, desktop-file-utils, gdk_pixbuf, librsvg, wrapGAppsHook
-, gobjectIntrospection, itstool, libgdata }:
+, gobject-introspection, itstool, libgdata, python3 }:
 # for dependencies see https://wiki.gnome.org/Apps/Shotwell/BuildingAndInstalling
 let
  pname = "shotwell";
-  version = "0.28.2";
+  version = "0.30.1";
 in stdenv.mkDerivation rec {
  name = "${pname}-${version}";
  src = fetchurl {
    url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
-    sha256 = "0pa7lb33i4hdnz7hr7x938d48ilrnj47jzb99la79rmm08yyin8n";
+    sha256 = "01hsmig06hjv34yf9y60hv2gml593xfkza4ilq4b22gr8l4v2qip";
  };
  nativeBuildInputs = [
-    meson ninja vala pkgconfig itstool gettext desktop-file-utils wrapGAppsHook gobjectIntrospection
+    meson ninja vala pkgconfig itstool gettext desktop-file-utils python3 wrapGAppsHook gobject-introspection
  ];
  buildInputs = [
@ -28,8 +28,9 @@ in stdenv.mkDerivation rec {
    gnome3.gcr gnome3.defaultIconTheme libgdata
  ];
-  postInstall = ''
+  postPatch = ''
-    glib-compile-schemas $out/share/glib-2.0/schemas
+    chmod +x build-aux/meson/postinstall.py # patchShebangs requires executable file
    patchShebangs build-aux/meson/postinstall.py
  '';
  passthru = {
--- a/pkgs/applications/graphics/tesseract/4.x.nix
+++ b/pkgs/applications/graphics/tesseract/4.x.nix
@ -7,20 +7,20 @@
 stdenv.mkDerivation rec {
  name = "tesseract-${version}";
-  version = "4.00.00alpha-git-20170410";
+  version = "4.0.0";
  src = fetchFromGitHub {
    owner = "tesseract-ocr";
    repo = "tesseract";
-    rev = "36a995bdc92eb2dd8bc5a63205708944a3f990a1";
+    rev = version;
-    sha256 = "0xz3krvap8sdm27v1dyb34lcdmx11wzvxyszpppfsfmjgkvg19bq";
+    sha256 = "1b5fi2vibc4kk9b30kkk4ais4bw8fbbv24bzr5709194hb81cav8";
  };
  tessdata = fetchFromGitHub {
    owner = "tesseract-ocr";
    repo = "tessdata";
-    rev = "8bf2e7ad08db9ca174ae2b0b3a7498c9f1f71d40";
+    rev = version;
-    sha256 = "0idwkv4qsmmqhrxcgyhy32yldl3vk054m7dkv4fjswfnalgsx794";
+    sha256 = "1chw1ya5zf8aaj2ixr9x013x7vwwwjjmx6f2ag0d6i14lypygy28";
  };
  nativeBuildInputs = [ pkgconfig autoreconfHook autoconf-archive ];
--- a/pkgs/applications/inferno/default.nix
+++ b/pkgs/applications/inferno/default.nix
@ -1,58 +0,0 @@
 { fetchhg, stdenv, xorg, makeWrapper }:
 stdenv.mkDerivation rec {
  # Inferno is a rolling release from a mercurial repository. For the verison number
  # of the package I'm using the mercurial commit number.
  rev = "785";
  name = "inferno-${rev}";
  host = "Linux";
  objtype = "386";
  src = fetchhg {
    url    = "https://bitbucket.org/inferno-os/inferno-os";
    sha256 = "1b428ma9fi5skvfrxp91dr43a62kax89wmx7950ahc1cxyx90k7x";
  };
  buildInputs = [ makeWrapper ] ++ (with xorg; [ libX11 libXpm libXext xextproto ]);
  infernoWrapper = ./inferno;
  configurePhase = ''
    sed -e 's@^ROOT=.*$@ROOT='"$out"'/share/inferno@g' \
        -e 's@^OBJTYPE=.*$@OBJTYPE=${objtype}@g' \
        -e 's@^SYSHOST=.*$@SYSHOST=${host}@g' \
        -i mkconfig
    # Get rid of an annoying warning
    sed -e 's/_BSD_SOURCE/_DEFAULT_SOURCE/g' \
        -i ${host}/${objtype}/include/lib9.h
  '';
  buildPhase = ''
    mkdir -p $out/share/inferno
    cp -r . $out/share/inferno
    ./makemk.sh
    export PATH=$PATH:$out/share/inferno/Linux/386/bin
    mk nuke
    mk
  '';
  installPhase = ''
    # Installs executables in $out/share/inferno/${host}/${objtype}/bin
    mk install
    mkdir -p $out/bin
    # Install start-up script
    makeWrapper $infernoWrapper $out/bin/inferno \
      --suffix PATH ':' "$out/share/inferno/Linux/386/bin" \
      --set INFERNO_ROOT "$out/share/inferno"
  '';
  hardeningDisable = [ "fortify" ];
  meta = {
    description = "A compact distributed operating system for building cross-platform distributed systems";
    homepage = http://inferno-os.org/;
    license = stdenv.lib.licenses.gpl2;
    maintainers = with stdenv.lib.maintainers; [ doublec kovirobi ];
    platforms = with stdenv.lib.platforms; linux;
  };
 }
--- a/pkgs/applications/inferno/inferno
+++ b/pkgs/applications/inferno/inferno
@ -1,31 +0,0 @@
 #! /usr/bin/env bash
 export INFERNO_HOME="$HOME/.local/share/inferno"
 if [ -n "$XDG_DATA_HOME" ]
  then export INFERNO_HOME="$XDG_DATA_HOME/inferno"
 fi
 if [ ! -d $INFERNO_HOME ]; then
  mkdir -p $INFERNO_HOME
 fi
 if [ ! -d $INFERNO_HOME/tmp ]; then
  mkdir -p $INFERNO_HOME/tmp
 fi
 for d in $INFERNO_HOME/{acme,appl,dis,lib,man,module,usr/inferno}; do
  if [ ! -d $d ]; then
    mkdir -p $d
    cp --no-preserve=all -r $INFERNO_ROOT/${d#$INFERNO_HOME/}/* $d/
    chmod -R +w $d
  fi
 done
 if [ ! -d $INFERNO_HOME/usr/$USER ]; then
  mkdir -p $INFERNO_HOME/usr/$USER
  cp -r $INFERNO_ROOT/usr/inferno/* $INFERNO_HOME/usr/$USER/
  chmod -R +w $INFERNO_HOME/usr/$USER
 fi
 exec emu "$@" /dis/sh.dis -c "bind -b -c '#U*$INFERNO_HOME/' /; /dis/sh.dis"
--- a/pkgs/applications/kde/dolphin.nix
+++ b/pkgs/applications/kde/dolphin.nix
@ -4,7 +4,8 @@
  baloo, baloo-widgets, kactivities, kbookmarks, kcmutils,
  kcompletion, kconfig, kcoreaddons, kdelibs4support, kdbusaddons,
  kfilemetadata, ki18n, kiconthemes, kinit, kio, knewstuff, knotifications,
-  kparts, ktexteditor, kwindowsystem, phonon, solid
+  kparts, ktexteditor, kwindowsystem, phonon, solid,
  wayland, qtwayland
 }:
 mkDerivation {
@ -19,6 +20,7 @@ mkDerivation {
    kcoreaddons kdelibs4support kdbusaddons kfilemetadata ki18n kiconthemes
    kinit kio knewstuff knotifications kparts ktexteditor kwindowsystem
    phonon solid
    wayland qtwayland
  ];
  outputs = [ "out" "dev" ];
  # We need the RPATH for linking, because the `libkdeinit5_dolphin.so` links
--- a/pkgs/applications/misc/aminal/default.nix
+++ b/pkgs/applications/misc/aminal/default.nix
@ -0,0 +1,75 @@
 { buildGoPackage
 , Carbon
 , Cocoa
 , Kernel
 , cf-private
 , fetchFromGitHub
 , lib
 , mesa_glu
 , stdenv
 , xorg
 }:
 buildGoPackage rec {
  name = "aminal-${version}";
  version = "0.7.4";
  goPackagePath = "github.com/liamg/aminal";
  buildInputs =
    lib.optionals stdenv.isLinux [
      mesa_glu
      xorg.libX11
      xorg.libXcursor
      xorg.libXi
      xorg.libXinerama
      xorg.libXrandr
      xorg.libXxf86vm
    ] ++ lib.optionals stdenv.isDarwin [
      Carbon
      Cocoa
      Kernel
      cf-private  /* Needed for NSDefaultRunLoopMode */
    ];
  src = fetchFromGitHub {
    owner = "liamg";
    repo = "aminal";
    rev = "v${version}";
    sha256 = "0wnzxjlv98pi3gy4hp3d19pwpa4kf1h5rqy03s9bcqdbpb1v1b7v";
  };
  preBuild = ''
    buildFlagsArray=("-ldflags=-X ${goPackagePath}/version.Version=${version}")
  '';
  meta = with lib; {
    description = "Golang terminal emulator from scratch";
    longDescription = ''
      Aminal is a modern terminal emulator for Mac/Linux implemented in Golang
      and utilising OpenGL.
      The project is experimental at the moment, so you probably won't want to
      rely on Aminal as your main terminal for a while.
      Features:
      - Unicode support
      - OpenGL rendering
      - Customisation options
      - True colour support
      - Support for common ANSI escape sequences a la xterm
      - Scrollback buffer
      - Clipboard access
      - Clickable URLs
      - Multi platform support (Windows coming soon...)
      - Sixel support
      - Hints/overlays
      - Built-in patched fonts for powerline
      - Retina display support
    '';
    homepage = https://github.com/liamg/aminal;
    license = licenses.gpl3;
    maintainers = with maintainers; [ kalbasit ];
    platforms = platforms.linux ++ platforms.darwin;
  };
 }
--- a/pkgs/applications/misc/autospotting/default.nix
+++ b/pkgs/applications/misc/autospotting/default.nix
@ -0,0 +1,30 @@
 { stdenv, buildGoPackage, fetchFromGitHub }:
 buildGoPackage rec {
  name = "autospotting-${version}";
  version = "unstable-2018-11-17";
  goPackagePath = "github.com/AutoSpotting/AutoSpotting";
  src = fetchFromGitHub {
    owner = "AutoSpotting";
    repo = "AutoSpotting";
    rev = "122ab8f292a2f718dd85e79ec22acd455122907e";
    sha256 = "0p48lgig9kblxvgq1kggczkn4qdbx6ciq9c8x0179i80vl4jf7v6";
  };
  goDeps = ./deps.nix;
  # patching path where repository used to exist
  postPatch = ''
    sed -i "s+github.com/cristim/autospotting/core+github.com/AutoSpotting/AutoSpotting/core+" autospotting.go
  '';
  meta = with stdenv.lib; {
    homepage = https://github.com/AutoSpotting/AutoSpotting;
    description = "Automatically convert your existing AutoScaling groups to up to 90% cheaper spot instances with minimal configuration changes";
    license = licenses.free;
    maintainers = [ maintainers.costrouc ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/applications/misc/autospotting/deps.nix
+++ b/pkgs/applications/misc/autospotting/deps.nix
@ -0,0 +1,75 @@
 # file generated from Gopkg.lock using dep2nix (https://github.com/nixcloud/dep2nix)
 [
  {
    goPackagePath  = "github.com/aws/aws-lambda-go";
    fetch = {
      type = "git";
      url = "https://github.com/aws/aws-lambda-go";
      rev =  "2d482ef09017ae953b1e8d5a6ddac5b696663a3c";
      sha256 = "06v2yfvn4sn116lds0526a8mfrsng4vafrdjf1dhpalqarrbdvmz";
    };
  }
  {
    goPackagePath  = "github.com/aws/aws-sdk-go";
    fetch = {
      type = "git";
      url = "https://github.com/aws/aws-sdk-go";
      rev =  "9333060a8d957db41bff1c80603a802aa674fad8";
      sha256 = "0fnypw6zm6k70fzhm5a8g69ag64rxbrrpdk7l3rkfqd99slyg5kz";
    };
  }
  {
    goPackagePath  = "github.com/cristim/ec2-instances-info";
    fetch = {
      type = "git";
      url = "https://github.com/cristim/ec2-instances-info";
      rev =  "73c042a5558cd6d8b61fb82502d6f7aec334e9ed";
      sha256 = "1xajrkxqqz5wlbi9w2wdhnk115rbmqxyga29f8v9psq8hzwgi0rg";
    };
  }
  {
    goPackagePath  = "github.com/davecgh/go-spew";
    fetch = {
      type = "git";
      url = "https://github.com/davecgh/go-spew";
      rev =  "d8f796af33cc11cb798c1aaeb27a4ebc5099927d";
      sha256 = "19z27f306fpsrjdvkzd61w1bdazcdbczjyjck177g33iklinhpvx";
    };
  }
  {
    goPackagePath  = "github.com/go-ini/ini";
    fetch = {
      type = "git";
      url = "https://github.com/go-ini/ini";
      rev =  "5cf292cae48347c2490ac1a58fe36735fb78df7e";
      sha256 = "0xbnw1nd22q6k863n5gs0nxld15w0p8qxbhfky85akcb5rk1vwi9";
    };
  }
  {
    goPackagePath  = "github.com/jmespath/go-jmespath";
    fetch = {
      type = "git";
      url = "https://github.com/jmespath/go-jmespath";
      rev =  "0b12d6b5";
      sha256 = "1vv6hph8j6xgv7gwl9vvhlsaaqsm22sxxqmgmldi4v11783pc1ld";
    };
  }
  {
    goPackagePath  = "github.com/namsral/flag";
    fetch = {
      type = "git";
      url = "https://github.com/namsral/flag";
      rev =  "67f268f20922975c067ed799e4be6bacf152208c";
      sha256 = "1lmxq3z276zrsggpfq9b7yklzzxdyib49zr8sznb1lcqlvxqsr47";
    };
  }
  {
    goPackagePath  = "github.com/pkg/errors";
    fetch = {
      type = "git";
      url = "https://github.com/pkg/errors";
      rev =  "645ef00459ed84a119197bfb8d8205042c6df63d";
      sha256 = "001i6n71ghp2l6kdl3qq1v2vmghcz3kicv9a5wgcihrzigm75pp5";
    };
  }
 ]
--- a/pkgs/applications/misc/font-manager/default.nix
+++ b/pkgs/applications/misc/font-manager/default.nix
@ -1,6 +1,6 @@
 { stdenv, fetchFromGitHub, automake, autoconf, libtool,
  pkgconfig, file, intltool, libxml2, json-glib , sqlite, itstool,
-  librsvg, vala, gnome3, wrapGAppsHook, gobjectIntrospection
+  librsvg, vala, gnome3, wrapGAppsHook, gobject-introspection
 }:
 stdenv.mkDerivation rec {
@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
    gnome3.yelp-tools
    wrapGAppsHook
    # For setup hook
-    gobjectIntrospection
+    gobject-introspection
  ];
  buildInputs = [
--- a/pkgs/applications/misc/gImageReader/default.nix
+++ b/pkgs/applications/misc/gImageReader/default.nix
@ -6,7 +6,7 @@
 # Gtk deps
 # upstream gImagereader supports Qt too
-, gtk3, gobjectIntrospection, wrapGAppsHook
+, gtk3, gobject-introspection, wrapGAppsHook
 , gnome3, gtkspell3, gtkspellmm, cairomm
 }:
@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
    # Gtk specific
    wrapGAppsHook
-    gobjectIntrospection
+    gobject-introspection
  ];
  buildInputs = [
--- a/pkgs/applications/misc/gnome-recipes/default.nix
+++ b/pkgs/applications/misc/gnome-recipes/default.nix
@ -0,0 +1,79 @@
 { stdenv
 , fetchurl
 , meson
 , ninja
 , pkgconfig
 , gnome3
 , desktop-file-utils
 , gettext
 , itstool
 , python3
 , wrapGAppsHook
 , gtk3
 , glib
 , libsoup
 , gnome-online-accounts
 , rest
 , json-glib
 , gnome-autoar
 , gspell
 , libcanberra }:
 let
  pname = "gnome-recipes";
  version = "2.0.2";
 in stdenv.mkDerivation rec {
  name = "${pname}-${version}";
  src = fetchurl {
    url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
    sha256 = "1yymii3yf823d9x28fbhqdqm1wa30s40j94x0am9fjj0nzyd5s8v";
  };
  nativeBuildInputs = [
    meson
    ninja
    pkgconfig
    desktop-file-utils
    gettext
    itstool
    python3
    wrapGAppsHook
  ];
  buildInputs = [
    gtk3
    glib
    libsoup
    gnome-online-accounts
    rest
    json-glib
    gnome-autoar
    gspell
    libcanberra
  ];
  # https://github.com/NixOS/nixpkgs/issues/36468
  # https://gitlab.gnome.org/GNOME/recipes/issues/76
  NIX_CFLAGS_COMPILE = "-I${gnome3.glib.dev}/include/gio-unix-2.0";
  postPatch = ''
    chmod +x src/list_to_c.py
    patchShebangs src/list_to_c.py
    patchShebangs meson_post_install.py
  '';
  passthru = {
    updateScript = gnome3.updateScript {
      packageName = pname;
    };
  };
  meta = with stdenv.lib; {
    description = "Recipe management application for GNOME";
    homepage = https://wiki.gnome.org/Apps/Recipes;
    maintainers = gnome3.maintainers;
    license = licenses.gpl3;
    platforms = platforms.unix;
  };
 }
--- a/Show More
+++ b/Show More