Merge staging-next into staging

2019-07-03 08:59:42 +02:00 · 2019-07-03 08:59:42 +02:00 · 25a77b7210
commit 25a77b7210
parent d41bc0ff56 3ad01beda7
411 changed files with 4314 additions and 2253 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1,3 @@
 # These are supported funding model platforms
 custom: https://nixos.org/nixos/foundation.html
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -15,7 +15,7 @@
 - [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nix-review --run "nix-review wip"`
 - [ ] Tested execution of all binary files (usually in `./result/bin/`)
 - [ ] Determined the impact on package closure size (by running `nix path-info -S` before and after)
- [ ] Assured whether relevant documentation is up to date
+- [ ] Ensured that relevant documentation is up to date
 - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).
 ---
--- a/doc/package-notes.xml
+++ b/doc/package-notes.xml
@ -325,6 +325,18 @@ packageOverrides = pkgs: {
   elm2nix</link>.
  </para>
 </section>
 <section xml:id="sec-kakoune">
  <title>Kakoune</title>
  <para>
   Kakoune can be built to autoload plugins:
 <programlisting>(kakoune.override {
  configure = {
    plugins = with pkgs.kakounePlugins; [ parinfer-rust ];
  };
 })</programlisting>
  </para>
 </section>
 <section xml:id="sec-shell-helpers">
  <title>Interactive shell helpers</title>
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -681,6 +681,11 @@
    github = "bergey";
    name = "Daniel Bergey";
  };
  betaboon = {
    email = "betaboon@0x80.ninja";
    github = "betaboon";
    name = "betaboon";
  };
  bfortz = {
    email = "bernard.fortz@gmail.com";
    github = "bfortz";
@ -1940,6 +1945,11 @@
    github = "glenns";
    name = "Glenn Searby";
  };
  gloaming = {
    email = "ch9871@gmail.com";
    github = "gloaming";
    name = "Craig Hall";
  };
  globin = {
    email = "mail@glob.in";
    github = "globin";
@ -2753,6 +2763,11 @@
    github = "lasandell";
    name = "Luke Sandell";
  };
  lambda-11235 = {
    email = "taranlynn0@gmail.com";
    github = "lambda-11235";
    name = "Taran Lynn";
  };
  lassulus = {
    email = "lassulus@gmail.com";
    github = "Lassulus";
@ -3559,6 +3574,11 @@
    github = "nathan-gs";
    name = "Nathan Bijnens";
  };
  nathyong = {
    email = "nathyong@noreply.github.com";
    github = "nathyong";
    name = "Nathan Yong";
  };
  nckx = {
    email = "github@tobias.gr";
    github = "nckx";
@ -4841,6 +4861,11 @@
    github = "severen";
    name = "Severen Redwood";
  };
  steell = {
    email = "steve@steellworks.com";
    github = "Steell";
    name = "Steve Elliott";
  };
  stephenmw = {
    email = "stephen@q5comm.com";
    github = "stephenmw";
--- a/nixos/doc/manual/configuration/ipv6-config.xml
+++ b/nixos/doc/manual/configuration/ipv6-config.xml
@ -39,7 +39,7 @@
 <xref linkend="opt-networking.defaultGateway6"/> = {
  address = "fe00::1";
  interface = "enp0s3";
-}
+};
 </programlisting>
 </para>
--- a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
@ -22,7 +22,7 @@ in
  boot.kernelPackages = pkgs.linuxPackages_rpi;
  sdImage = {
-    populateBootCommands = let
+    populateFirmwareCommands = let
      configTxt = pkgs.writeText "config.txt" ''
        # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
        # when attempting to show low-voltage or overtemperature warnings.
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -191,6 +191,7 @@
  ./services/audio/liquidsoap.nix
  ./services/audio/mpd.nix
  ./services/audio/mopidy.nix
  ./services/audio/roon-server.nix
  ./services/audio/slimserver.nix
  ./services/audio/snapserver.nix
  ./services/audio/squeezelite.nix
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -213,6 +213,7 @@ with lib;
    (mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd")
    (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
    # ZSH
    (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
@ -240,6 +241,12 @@ with lib;
    # binfmt
    (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ])
    # PHP-FPM
    (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.")
    (mkRemovedOptionModule [ "services" "phpfpm" "phpPackage" ] "Use services.phpfpm.pools.<name>.phpPackage instead.")
    (mkRemovedOptionModule [ "services" "phpfpm" "phpOptions" ] "Use services.phpfpm.pools.<name>.phpOptions instead.")
    (mkRenamedOptionModule [ "services" "phpfpm" "extraConfig" ] [ "services" "phpfpm" "globalExtraConfig" ])
  ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
                   "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
                   "snmpExporter" "unifiExporter" "varnishExporter" ]
--- a/nixos/modules/services/audio/mopidy.nix
+++ b/nixos/modules/services/audio/mopidy.nix
@ -70,25 +70,25 @@ in {
  config = mkIf cfg.enable {
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' - mopidy mopidy - -"
    ];
    systemd.services.mopidy = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "sound.target" ];
      description = "mopidy music player daemon";
      preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy  ${cfg.dataDir}";
      serviceConfig = {
        ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}";
        User = "mopidy";
        PermissionsStartOnly = true;
      };
    };
    systemd.services.mopidy-scan = {
      description = "mopidy local files scanner";
      preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy  ${cfg.dataDir}";
      serviceConfig = {
        ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)} local scan";
        User = "mopidy";
        PermissionsStartOnly = true;
        Type = "oneshot";
      };
    };
@ -98,7 +98,7 @@ in {
      group = "mopidy";
      extraGroups = [ "audio" ];
      description = "Mopidy daemon user";
-      home = "${cfg.dataDir}";
+      home = cfg.dataDir;
    };
    users.groups.mopidy.gid = gid;
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@ -0,0 +1,49 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  name = "roon-server";
  cfg = config.services.roon-server;
 in {
  options = {
    services.roon-server = {
      enable = mkEnableOption "Roon Server";
      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Open ports in the firewall for the server.
          UDP: 9003
          TCP: 9100 - 9200
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services.roon-server = {
      after = [ "network.target" ];
      description = "Roon Server";
      wantedBy = [ "multi-user.target" ];
      environment.ROON_DATAROOT = "/var/lib/${name}";
      serviceConfig = {
        ExecStart = "${pkgs.roon-server}/opt/start.sh";
        LimitNOFILE = 8192;
        DynamicUser = true;
        SupplementaryGroups = "audio";
        StateDirectory = name;
      };
    };
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPortRanges = [
        { from = 9100; to = 9200; }
      ];
      allowedUDPPorts = [ 9003 ];
    };
  };
 }
--- a/nixos/modules/services/audio/slimserver.nix
+++ b/nixos/modules/services/audio/slimserver.nix
@ -42,15 +42,17 @@ in {
  config = mkIf cfg.enable {
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' - slimserver slimserver - -"
    ];
    systemd.services.slimserver = {
      after = [ "network.target" ];
      description = "Slim Server for Logitech Squeezebox Players";
      wantedBy = [ "multi-user.target" ];
      preStart = "mkdir -p ${cfg.dataDir} && chown -R slimserver:slimserver ${cfg.dataDir}";
      serviceConfig = {
        User = "slimserver";
        PermissionsStartOnly = true;
        # Issue 40589: Disable broken image/video support (audio still works!)
        ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache --noimage --novideo";
      };
--- a/nixos/modules/services/backup/duplicati.nix
+++ b/nixos/modules/services/backup/duplicati.nix
@ -47,15 +47,11 @@ in
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = cfg.user;
        PermissionsStartOnly = true;
        Group = "duplicati";
        StateDirectory = "duplicati";
        ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=${cfg.interface} --webservice-port=${toString cfg.port} --server-datafolder=/var/lib/duplicati";
        Restart = "on-failure";
      };
      preStart = ''
        mkdir -p /var/lib/duplicati
        chown -R ${cfg.user}:duplicati /var/lib/duplicati
      '';
    };
    users.users.duplicati = lib.optionalAttrs (cfg.user == "duplicati") {
--- a/nixos/modules/services/computing/boinc/client.nix
+++ b/nixos/modules/services/computing/boinc/client.nix
@ -105,19 +105,18 @@ in
        isSystemUser = true;
      };
      systemd.tmpfiles.rules = [
        "d '${cfg.dataDir}' - boinc - - -"
      ];
      systemd.services.boinc = {
        description = "BOINC Client";
        after = ["network.target" "local-fs.target"];
        wantedBy = ["multi-user.target"];
        preStart = ''
          mkdir -p ${cfg.dataDir}
          chown boinc ${cfg.dataDir}
        '';
        script = ''
          ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
        '';
        serviceConfig = {
          PermissionsStartOnly = true; # preStart must be run as root
          User = "boinc";
          Nice = 10;
        };
--- a/nixos/modules/services/databases/firebird.nix
+++ b/nixos/modules/services/databases/firebird.nix
@ -95,6 +95,11 @@ in
    environment.systemPackages = [cfg.package];
    systemd.tmpfiles.rules = [
      "d '${dataDir}' 0700 ${cfg.user} - - -"
      "d '${systemDir}' 0700 ${cfg.user} - - -"
    ];
    systemd.services.firebird =
      { description = "Firebird Super-Server";
@ -104,21 +109,16 @@ in
        # is a better way
        preStart =
          ''
            mkdir -m 0700 -p \
              "${dataDir}" \
              "${systemDir}" \
              /var/log/firebird
            if ! test -e "${systemDir}/security2.fdb"; then
                cp ${firebird}/security2.fdb "${systemDir}"
            fi
            chown -R ${cfg.user} "${dataDir}" "${systemDir}" /var/log/firebird
            chmod -R 700         "${dataDir}" "${systemDir}" /var/log/firebird
          '';
        serviceConfig.PermissionsStartOnly = true; # preStart must be run as root
        serviceConfig.User = cfg.user;
        serviceConfig.LogsDirectory = "firebird";
        serviceConfig.LogsDirectoryMode = "0700";
        serviceConfig.ExecStart = ''${firebird}/bin/fbserver -d'';
        # TODO think about shutdown
--- a/nixos/modules/services/databases/foundationdb.nix
+++ b/nixos/modules/services/databases/foundationdb.nix
@ -359,6 +359,13 @@ in
        }
      ];
    systemd.tmpfiles.rules = [
      "d /etc/foundationdb 0755 ${cfg.user} ${cfg.group} - -"
      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
      "d '${cfg.logDir}' 0770 ${cfg.user} ${cfg.group} - -"
      "F '${cfg.pidFile}' - ${cfg.user} ${cfg.group} - -"
    ];
    systemd.services.foundationdb = {
      description             = "FoundationDB Service";
@ -396,25 +403,12 @@ in
      path = [ pkg pkgs.coreutils ];
      preStart = ''
        rm -f ${cfg.pidfile}   && \
          touch ${cfg.pidfile} && \
          chown -R ${cfg.user}:${cfg.group} ${cfg.pidfile}
        for x in "${cfg.logDir}" "${cfg.dataDir}"; do
          [ ! -d "$x" ] && mkdir -m 0770 -vp "$x";
          chown -R ${cfg.user}:${cfg.group} "$x";
        done
        [ ! -d /etc/foundationdb ] && \
          mkdir -m 0775 -vp /etc/foundationdb && \
          chown -R ${cfg.user}:${cfg.group} "/etc/foundationdb"
        if [ ! -f /etc/foundationdb/fdb.cluster ]; then
            cf=/etc/foundationdb/fdb.cluster
            desc=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8)
            rand=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8)
            echo ''${desc}:''${rand}@${initialIpAddr}:${builtins.toString cfg.listenPortStart} > $cf
-            chmod 0664 $cf && chown -R ${cfg.user}:${cfg.group} $cf
+            chmod 0664 $cf
            touch "${cfg.dataDir}/.first_startup"
        fi
      '';
--- a/nixos/modules/services/databases/hbase.nix
+++ b/nixos/modules/services/databases/hbase.nix
@ -94,6 +94,11 @@ in {
  config = mkIf config.services.hbase.enable {
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
      "d '${cfg.logDir}' - ${cfg.user} ${cfg.group} - -"
    ];
    systemd.services.hbase = {
      description = "HBase Server";
      wantedBy = [ "multi-user.target" ];
@ -103,19 +108,7 @@ in {
        HBASE_LOG_DIR = cfg.logDir;
      };
      preStart =
        ''
        mkdir -p ${cfg.dataDir};
        mkdir -p ${cfg.logDir};
        if [ "$(id -u)" = 0 ]; then
          chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
          chown ${cfg.user}:${cfg.group} ${cfg.logDir}
        fi
        '';
      serviceConfig = {
        PermissionsStartOnly = true;
        User = cfg.user;
        Group = cfg.group;
        ExecStart = "${cfg.package}/bin/hbase --config ${configDir} master start";
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@ -204,12 +204,6 @@ in
        '';
      };
      # FIXME: remove this option; it's a really bad idea.
      rootPassword = mkOption {
        default = null;
        description = "Path to a file containing the root password, modified on the first startup. Not specifying a root password will leave the root password empty.";
      };
      replication = {
        role = mkOption {
          type = types.enum [ "master" "slave" "none" ];
@ -323,114 +317,105 @@ in
          RuntimeDirectoryMode = "0755";
          # The last two environment variables are used for starting Galera clusters
          ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION";
-        };
+          ExecStartPost =
            let
              setupScript = pkgs.writeShellScript "mysql-setup" ''
                ${optionalString (!hasNotify) ''
                  # Wait until the MySQL server is available for use
                  count=0
                  while [ ! -e /run/mysqld/mysqld.sock ]
                  do
                      if [ $count -eq 30 ]
                      then
                          echo "Tried 30 times, giving up..."
                          exit 1
                      fi
-        postStart =
+                      echo "MySQL daemon not yet started. Waiting for 1 second..."
-          let
+                      count=$((count++))
-            cmdWatchForMysqlSocket = ''
+                      sleep 1
-              # Wait until the MySQL server is available for use
+                  done
-              count=0
+                ''}
              while [ ! -e /run/mysqld/mysqld.sock ]
              do
                  if [ $count -eq 30 ]
                  then
                      echo "Tried 30 times, giving up..."
                      exit 1
                  fi
-                  echo "MySQL daemon not yet started. Waiting for 1 second..."
+                if [ -f /tmp/mysql_init ]
-                  count=$((count++))
+                then
-                  sleep 1
+                    ${concatMapStrings (database: ''
-              done
+                      # Create initial databases
-            '';
+                      if ! test -e "${cfg.dataDir}/${database.name}"; then
-            cmdInitialDatabases = concatMapStrings (database: ''
+                          echo "Creating initial database: ${database.name}"
-              # Create initial databases
+                          ( echo 'create database `${database.name}`;'
              if ! test -e "${cfg.dataDir}/${database.name}"; then
                  echo "Creating initial database: ${database.name}"
                  ( echo 'create database `${database.name}`;'
-                    ${optionalString (database.schema != null) ''
+                            ${optionalString (database.schema != null) ''
-                    echo 'use `${database.name}`;'
+                            echo 'use `${database.name}`;'
-                    # TODO: this silently falls through if database.schema does not exist,
+                            # TODO: this silently falls through if database.schema does not exist,
-                    # we should catch this somehow and exit, but can't do it here because we're in a subshell.
+                            # we should catch this somehow and exit, but can't do it here because we're in a subshell.
-                    if [ -f "${database.schema}" ]
+                            if [ -f "${database.schema}" ]
-                    then
+                            then
-                        cat ${database.schema}
+                                cat ${database.schema}
-                    elif [ -d "${database.schema}" ]
+                            elif [ -d "${database.schema}" ]
-                    then
+                            then
-                        cat ${database.schema}/mysql-databases/*.sql
+                                cat ${database.schema}/mysql-databases/*.sql
-                    fi
+                            fi
-                    ''}
+                            ''}
                          ) | ${mysql}/bin/mysql -u root -N
                      fi
                    '') cfg.initialDatabases}
                    ${optionalString (cfg.replication.role == "master")
                      ''
                        # Set up the replication master
                        ( echo "use mysql;"
                          echo "CREATE USER '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' IDENTIFIED WITH mysql_native_password;"
                          echo "SET PASSWORD FOR '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' = PASSWORD('${cfg.replication.masterPassword}');"
                          echo "GRANT REPLICATION SLAVE ON *.* TO '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}';"
                        ) | ${mysql}/bin/mysql -u root -N
                      ''}
                    ${optionalString (cfg.replication.role == "slave")
                      ''
                        # Set up the replication slave
                        ( echo "stop slave;"
                          echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';"
                          echo "start slave;"
                        ) | ${mysql}/bin/mysql -u root -N
                      ''}
                    ${optionalString (cfg.initialScript != null)
                      ''
                        # Execute initial script
                        # using toString to avoid copying the file to nix store if given as path instead of string,
                        # as it might contain credentials
                        cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
                      ''}
                    rm /tmp/mysql_init
                fi
                ${optionalString (cfg.ensureDatabases != []) ''
                  (
                  ${concatMapStrings (database: ''
                    echo "CREATE DATABASE IF NOT EXISTS \`${database}\`;"
                  '') cfg.ensureDatabases}
                  ) | ${mysql}/bin/mysql -u root -N
-              fi
+                ''}
            '') cfg.initialDatabases;
          in
-          lib.optionalString (!hasNotify) cmdWatchForMysqlSocket + ''
+                ${concatMapStrings (user:
            if [ -f /tmp/mysql_init ]
            then
                ${cmdInitialDatabases}
                ${optionalString (cfg.replication.role == "master")
                  ''
-                    # Set up the replication master
+                    ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"};"
-
+                      ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
-                    ( echo "use mysql;"
+                        echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';"
-                      echo "CREATE USER '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' IDENTIFIED WITH mysql_native_password;"
+                      '') user.ensurePermissions)}
                      echo "SET PASSWORD FOR '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}' = PASSWORD('${cfg.replication.masterPassword}');"
                      echo "GRANT REPLICATION SLAVE ON *.* TO '${cfg.replication.masterUser}'@'${cfg.replication.slaveHost}';"
                    ) | ${mysql}/bin/mysql -u root -N
-                  ''}
+                  '') cfg.ensureUsers}
-
+              '';
-                ${optionalString (cfg.replication.role == "slave")
+            in
-                  ''
+              # ensureDatbases & ensureUsers depends on this script being run as root
-                    # Set up the replication slave
+              # when the user has secured their mysql install
-
+              "+${setupScript}";
-                    ( echo "stop slave;"
+        };
                      echo "change master to master_host='${cfg.replication.masterHost}', master_user='${cfg.replication.masterUser}', master_password='${cfg.replication.masterPassword}';"
                      echo "start slave;"
                    ) | ${mysql}/bin/mysql -u root -N
                  ''}
                ${optionalString (cfg.initialScript != null)
                  ''
                    # Execute initial script
                    # using toString to avoid copying the file to nix store if given as path instead of string,
                    # as it might contain credentials
                    cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
                  ''}
                ${optionalString (cfg.rootPassword != null)
                  ''
                    # Change root password
                    ( echo "use mysql;"
                      echo "update user set Password=password('$(cat ${cfg.rootPassword})') where User='root';"
                      echo "flush privileges;"
                    ) | ${mysql}/bin/mysql -u root -N
                  ''}
              rm /tmp/mysql_init
            fi
            ${optionalString (cfg.ensureDatabases != []) ''
              (
              ${concatMapStrings (database: ''
                echo "CREATE DATABASE IF NOT EXISTS \`${database}\`;"
              '') cfg.ensureDatabases}
              ) | ${mysql}/bin/mysql -u root -N
            ''}
            ${concatMapStrings (user:
              ''
                ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"};"
                  ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
                  echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';"
                  '') user.ensurePermissions)}
                ) | ${mysql}/bin/mysql -u root -N
              '') cfg.ensureUsers}
          ''; # */
      };
  };
--- a/nixos/modules/services/desktops/deepin/deepin.nix
+++ b/nixos/modules/services/desktops/deepin/deepin.nix
@ -33,8 +33,10 @@
      environment.systemPackages = [
        pkgs.deepin.dde-api
        pkgs.deepin.dde-calendar
        pkgs.deepin.dde-control-center
        pkgs.deepin.dde-daemon
        pkgs.deepin.dde-dock
        pkgs.deepin.dde-launcher
        pkgs.deepin.dde-file-manager
        pkgs.deepin.dde-session-ui
        pkgs.deepin.deepin-anything
@ -45,8 +47,10 @@
      services.dbus.packages = [
        pkgs.deepin.dde-api
        pkgs.deepin.dde-calendar
        pkgs.deepin.dde-control-center
        pkgs.deepin.dde-daemon
        pkgs.deepin.dde-dock
        pkgs.deepin.dde-launcher
        pkgs.deepin.dde-file-manager
        pkgs.deepin.dde-session-ui
        pkgs.deepin.deepin-anything
--- a/nixos/modules/services/logging/graylog.nix
+++ b/nixos/modules/services/logging/graylog.nix
@ -134,6 +134,10 @@ in
      };
    };
    systemd.tmpfiles.rules = [
      "d '${cfg.messageJournalDir}' - ${cfg.user} - - -"
    ];
    systemd.services.graylog = with pkgs; {
      description = "Graylog Server";
      wantedBy = [ "multi-user.target" ];
@ -143,8 +147,6 @@ in
      };
      path = [ pkgs.jre_headless pkgs.which pkgs.procps ];
      preStart = ''
        mkdir -p /var/lib/graylog -m 755
        rm -rf /var/lib/graylog/plugins || true
        mkdir -p /var/lib/graylog/plugins -m 755
@ -154,14 +156,10 @@ in
        for includedplugin in `ls ${cfg.package}/plugin/`; do
          ln -s ${cfg.package}/plugin/$includedplugin /var/lib/graylog/plugins/$includedplugin || true
        done
        chown -R ${cfg.user} /var/lib/graylog
        mkdir -p ${cfg.messageJournalDir} -m 755
        chown -R ${cfg.user} ${cfg.messageJournalDir}
      '';
      serviceConfig = {
        User="${cfg.user}";
-        PermissionsStartOnly=true;
+        StateDirectory = "graylog";
        ExecStart = "${cfg.package}/bin/graylogctl run";
      };
    };
--- a/nixos/modules/services/logging/heartbeat.nix
+++ b/nixos/modules/services/logging/heartbeat.nix
@ -54,16 +54,18 @@ in
  config = mkIf cfg.enable {
    systemd.tmpfiles.rules = [
      "d '${cfg.stateDir}' - nobody nogroup - -"
    ];
    systemd.services.heartbeat = with pkgs; {
      description = "heartbeat log shipper";
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        mkdir -p "${cfg.stateDir}"/{data,logs}
        chown nobody:nogroup "${cfg.stateDir}"/{data,logs}
      '';
      serviceConfig = {
        User = "nobody";
        PermissionsStartOnly = true;
        AmbientCapabilities = "cap_net_raw";
        ExecStart = "${pkgs.heartbeat}/bin/heartbeat -c \"${heartbeatYml}\" -path.data \"${cfg.stateDir}/data\" -path.logs \"${cfg.stateDir}/logs\"";
      };
--- a/nixos/modules/services/mail/dspam.nix
+++ b/nixos/modules/services/mail/dspam.nix
@ -113,19 +113,14 @@ in {
          Group = cfg.group;
          RuntimeDirectory = optional (cfg.domainSocket == defaultSock) "dspam";
          RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750";
-          PermissionsStartOnly = true;
+          StateDirectory = "dspam";
          StateDirectoryMode = "0750";
          LogsDirectory = "dspam";
          LogsDirectoryMode = "0750";
          # DSPAM segfaults on just about every error
          Restart = "on-abort";
          RestartSec = "1s";
        };
        preStart = ''
          mkdir -m750 -p /var/lib/dspam
          chown -R "${cfg.user}:${cfg.group}" /var/lib/dspam
          mkdir -m750 -p /var/log/dspam
          chown -R "${cfg.user}:${cfg.group}" /var/log/dspam
        '';
      };
    }
--- a/nixos/modules/services/mail/opendkim.nix
+++ b/nixos/modules/services/mail/opendkim.nix
@ -101,13 +101,16 @@ in {
    environment.systemPackages = [ pkgs.opendkim ];
    systemd.tmpfiles.rules = [
      "d '${cfg.keyPath}' - ${cfg.user} ${cfg.group} - -"
    ];
    systemd.services.opendkim = {
      description = "OpenDKIM signing and verification daemon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        mkdir -p "${cfg.keyPath}"
        cd "${cfg.keyPath}"
        if ! test -f ${cfg.selector}.private; then
          ${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key
@ -116,7 +119,6 @@ in {
          cat ${cfg.selector}.txt
          echo "-------------------------------------------------------------"
        fi
        chown ${cfg.user}:${cfg.group} ${cfg.selector}.private
      '';
      serviceConfig = {
@ -124,7 +126,6 @@ in {
        User = cfg.user;
        Group = cfg.group;
        RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
        PermissionsStartOnly = true;
      };
    };
--- a/nixos/modules/services/mail/roundcube.nix
+++ b/nixos/modules/services/mail/roundcube.nix
@ -105,7 +105,7 @@ in
            extraConfig = ''
              location ~* \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
-                fastcgi_pass unix:/run/phpfpm/roundcube;
+                fastcgi_pass unix:/run/phpfpm-roundcube/roundcube.sock;
                include ${pkgs.nginx}/conf/fastcgi_params;
                include ${pkgs.nginx}/conf/fastcgi.conf;
              }
@ -119,24 +119,28 @@ in
      enable = true;
    };
-    services.phpfpm.poolConfigs.roundcube = ''
+    services.phpfpm.pools.roundcube = {
-      listen = /run/phpfpm/roundcube
+      socketName = "roundcube";
-      listen.owner = nginx
+      phpPackage = pkgs.php;
-      listen.group = nginx
+      user = "${config.services.nginx.user}";
-      listen.mode = 0660
+      group = "${config.services.nginx.group}";
-      user = nginx
+      extraConfig = ''
-      pm = dynamic
+        listen.owner = ${config.services.nginx.user}
-      pm.max_children = 75
+        listen.group = ${config.services.nginx.group}
-      pm.start_servers = 2
+        listen.mode = 0600
-      pm.min_spare_servers = 1
+        pm = dynamic
-      pm.max_spare_servers = 20
+        pm.max_children = 75
-      pm.max_requests = 500
+        pm.start_servers = 2
-      php_admin_value[error_log] = 'stderr'
+        pm.min_spare_servers = 1
-      php_admin_flag[log_errors] = on
+        pm.max_spare_servers = 20
-      php_admin_value[post_max_size] = 25M
+        pm.max_requests = 500
-      php_admin_value[upload_max_filesize] = 25M
+        php_admin_value[error_log] = 'stderr'
-      catch_workers_output = yes
+        php_admin_flag[log_errors] = on
-    '';
+        php_admin_value[post_max_size] = 25M
        php_admin_value[upload_max_filesize] = 25M
        catch_workers_output = yes
      '';
    };
    systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
    systemd.services.roundcube-setup = let
--- a/nixos/modules/services/misc/apache-kafka.nix
+++ b/nixos/modules/services/misc/apache-kafka.nix
@ -131,6 +131,8 @@ in {
      home = head cfg.logDirs;
    };
    systemd.tmpfiles.rules = map (logDir: "d '${logDir} 0700 apache-kafka - - -") cfg.logDirs;
    systemd.services.apache-kafka = {
      description = "Apache Kafka Daemon";
      wantedBy = [ "multi-user.target" ];
@ -145,15 +147,8 @@ in {
            ${serverConfig}
        '';
        User = "apache-kafka";
        PermissionsStartOnly = true;
        SuccessExitStatus = "0 143";
      };
      preStart = ''
        mkdir -m 0700 -p ${concatStringsSep " " cfg.logDirs}
        if [ "$(id -u)" = 0 ]; then
           chown apache-kafka ${concatStringsSep " " cfg.logDirs};
        fi
      '';
    };
  };
--- a/nixos/modules/services/misc/couchpotato.nix
+++ b/nixos/modules/services/misc/couchpotato.nix
@ -19,16 +19,11 @@ in
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        mkdir -p /var/lib/couchpotato
        chown -R couchpotato:couchpotato /var/lib/couchpotato
      '';
      serviceConfig = {
        Type = "simple";
        User = "couchpotato";
        Group = "couchpotato";
-        PermissionsStartOnly = "true";
+        StateDirectory = "couchpotato";
        ExecStart = "${pkgs.couchpotato}/bin/couchpotato";
        Restart = "on-failure";
      };
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@ -38,6 +38,7 @@ let
    HTTP_PORT = ${toString cfg.httpPort}
    ROOT_URL = ${cfg.rootUrl}
    STATIC_ROOT_PATH = ${cfg.staticRootPath}
    LFS_JWT_SECRET = #jwtsecret#
    [session]
    COOKIE_NAME = session
@ -326,21 +327,28 @@ in
      preStart = let
        runConfig = "${cfg.stateDir}/custom/conf/app.ini";
        secretKey = "${cfg.stateDir}/custom/conf/secret_key";
        jwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret";
      in ''
        # copy custom configuration and generate a random secret key if needed
        ${optionalString (cfg.useWizard == false) ''
          cp -f ${configFile} ${runConfig}
          if [ ! -e ${secretKey} ]; then
-              head -c 16 /dev/urandom | base64 > ${secretKey}
+              ${gitea.bin}/bin/gitea generate secret SECRET_KEY > ${secretKey}
          fi
-          KEY=$(head -n1 ${secretKey})
+          if [ ! -e ${jwtSecret} ]; then
-          DBPASS=$(head -n1 ${cfg.database.passwordFile})
+              ${gitea.bin}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret}
          fi
          KEY="$(head -n1 ${secretKey})"
          DBPASS="$(head -n1 ${cfg.database.passwordFile})"
          JWTSECRET="$(head -n1 ${jwtSecret})"
          sed -e "s,#secretkey#,$KEY,g" \
              -e "s,#dbpass#,$DBPASS,g" \
              -e "s,#jwtsecet#,$JWTSECET,g" \
              -i ${runConfig}
-          chmod 640 ${runConfig} ${secretKey}
+          chmod 640 ${runConfig} ${secretKey} ${jwtSecret}
        ''}
        # update all hooks' binary paths
--- a/nixos/modules/services/misc/gollum.nix
+++ b/nixos/modules/services/misc/gollum.nix
@ -75,27 +75,24 @@ in
    users.groups.gollum = { };
    systemd.tmpfiles.rules = [
      "d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -"
    ];
    systemd.services.gollum = {
      description = "Gollum wiki";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.git ];
-      preStart = let
+      preStart = ''
-          userName = config.users.users.gollum.name;
+        # This is safe to be run on an existing repo
          groupName = config.users.groups.gollum.name;
        in ''
        # All of this is safe to be run on an existing repo
        mkdir -p ${cfg.stateDir}
        git init ${cfg.stateDir}
        chmod 755 ${cfg.stateDir}
        chown -R ${userName}:${groupName} ${cfg.stateDir}
      '';
      serviceConfig = {
        User = config.users.users.gollum.name;
        Group = config.users.groups.gollum.name;
        PermissionsStartOnly = true;
        ExecStart = ''
          ${pkgs.gollum}/bin/gollum \
            --port ${toString cfg.port} \
--- a/nixos/modules/services/misc/lidarr.nix
+++ b/nixos/modules/services/misc/lidarr.nix
@ -9,6 +9,13 @@ in
  options = {
    services.lidarr = {
      enable = mkEnableOption "Lidarr";
      package = mkOption {
        type = types.package;
        default = pkgs.lidarr;
        defaultText = "pkgs.lidarr";
        description = "The Lidarr package to use";
      };
    };
  };
@ -22,7 +29,7 @@ in
        Type = "simple";
        User = "lidarr";
        Group = "lidarr";
-        ExecStart = "${pkgs.lidarr}/bin/Lidarr";
+        ExecStart = "${cfg.package}/bin/Lidarr";
        Restart = "on-failure";
        StateDirectory = "lidarr";
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -272,10 +272,12 @@ in
      binaryCaches = mkOption {
        type = types.listOf types.str;
        default = [ https://cache.nixos.org/ ];
        description = ''
          List of binary cache URLs used to obtain pre-built binaries
          of Nix packages.
          By default https://cache.nixos.org/ is added,
          to override it use <literal>lib.mkForce []</literal>.
        '';
      };
@ -386,6 +388,7 @@ in
  config = {
    nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
    nix.binaryCaches = [ "https://cache.nixos.org/" ];
    environment.etc."nix/nix.conf".source = nixConf;
--- a/nixos/modules/services/misc/octoprint.nix
+++ b/nixos/modules/services/misc/octoprint.nix
@ -97,6 +97,10 @@ in
        gid = config.ids.gids.octoprint;
      });
    systemd.tmpfiles.rules = [
      "d '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -"
    ];
    systemd.services.octoprint = {
      description = "OctoPrint, web interface for 3D printers";
      wantedBy = [ "multi-user.target" ];
@ -105,7 +109,6 @@ in
      environment.PYTHONPATH = makeSearchPathOutput "lib" pkgs.python.sitePackages [ pluginsEnv ];
      preStart = ''
        mkdir -p "${cfg.stateDir}"
        if [ -e "${cfg.stateDir}/config.yaml" ]; then
          ${pkgs.yaml-merge}/bin/yaml-merge "${cfg.stateDir}/config.yaml" "${cfgUpdate}" > "${cfg.stateDir}/config.yaml.tmp"
          mv "${cfg.stateDir}/config.yaml.tmp" "${cfg.stateDir}/config.yaml"
@ -113,14 +116,12 @@ in
          cp "${cfgUpdate}" "${cfg.stateDir}/config.yaml"
          chmod 600 "${cfg.stateDir}/config.yaml"
        fi
        chown -R ${cfg.user}:${cfg.group} "${cfg.stateDir}"
      '';
      serviceConfig = {
        ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}";
        User = cfg.user;
        Group = cfg.group;
        PermissionsStartOnly = true;
      };
    };
--- a/nixos/modules/services/misc/zoneminder.nix
+++ b/nixos/modules/services/misc/zoneminder.nix
@ -19,7 +19,7 @@ let
  useCustomDir = cfg.storageDir != null;
-  socket = "/run/phpfpm/${dirName}.sock";
+  socket = "/run/phpfpm-zoneminder/zoneminder.sock";
  zms = "/cgi-bin/zms";
@ -50,7 +50,7 @@ let
    ZM_DB_TYPE=mysql
    ZM_DB_HOST=${cfg.database.host}
    ZM_DB_NAME=${cfg.database.name}
-    ZM_DB_USER=${if cfg.database.createLocally then user else cfg.database.username}
+    ZM_DB_USER=${cfg.database.username}
    ZM_DB_PASS=${cfg.database.password}
    # Web
@ -155,6 +155,7 @@ in {
          default = "zmpass";
          description = ''
            Username for accessing the database.
            Not used if <literal>createLocally</literal> is set.
          '';
        };
      };
@ -189,6 +190,12 @@ in {
  config = lib.mkIf cfg.enable {
    assertions = [
      { assertion = cfg.database.createLocally -> cfg.database.username == user;
        message = "services.zoneminder.database.username must be set to ${user} if services.zoneminder.database.createLocally is set true";
      }
    ];
    environment.etc = {
      "zoneminder/60-defaults.conf".source = defaultsFile;
      "zoneminder/80-nixos.conf".source    = configFile;
@ -204,10 +211,9 @@ in {
      };
      mysql = lib.mkIf cfg.database.createLocally {
        enable = true;
        package = lib.mkDefault pkgs.mariadb;
        ensureDatabases = [ cfg.database.name ];
        initialDatabases = [{
          inherit (cfg.database) name; schema = "${pkg}/share/zoneminder/db/zm_create.sql";
        }];
        ensureUsers = [{
          name = cfg.database.username;
          ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
@ -278,7 +284,10 @@ in {
      phpfpm = lib.mkIf useNginx {
        pools.zoneminder = {
-          listen = socket;
+          socketName = "zoneminder";
          phpPackage = pkgs.php;
          user = "${user}";
          group = "${group}";
          phpOptions = ''
            date.timezone = "${config.time.timeZone}"
@ -286,9 +295,6 @@ in {
            "extension=${e.pkg}/lib/php/extensions/${e.name}.so") phpExtensions)}
          '';
          extraConfig = ''
            user = ${user}
            group = ${group}
            listen.owner = ${user}
            listen.group = ${group}
            listen.mode = 0660
@ -315,11 +321,16 @@ in {
          procps
          psmisc
        ];
-        after = [ "mysql.service" "nginx.service" ];
+        after = [ "nginx.service" ] ++ lib.optional cfg.database.createLocally "mysql.service";
        wantedBy = [ "multi-user.target" ];
        restartTriggers = [ defaultsFile configFile ];
-        preStart = lib.mkIf useCustomDir ''
+        preStart = lib.optionalString useCustomDir ''
          install -dm775 -o ${user} -g ${group} ${cfg.storageDir}/{${lib.concatStringsSep "," libDirs}}
        '' + lib.optionalString cfg.database.createLocally ''
          if ! test -e "/var/lib/${dirName}/db-created"; then
            ${config.services.mysql.package}/bin/mysql < ${pkg}/share/zoneminder/db/zm_create.sql
            touch "/var/lib/${dirName}/db-created"
          fi
        '';
        serviceConfig = {
          User = user;
--- a/nixos/modules/services/monitoring/alerta.nix
+++ b/nixos/modules/services/monitoring/alerta.nix
@ -83,6 +83,10 @@ in
  };
  config = mkIf cfg.enable {
    systemd.tmpfiles.rules = [
      "d '${cfg.logDir}' - alerta alerta - -"
    ];
    systemd.services.alerta = {
      description = "Alerta Monitoring System";
      wantedBy = [ "multi-user.target" ];
@ -94,12 +98,7 @@ in
        ExecStart = "${pkgs.python36Packages.alerta-server}/bin/alertad run --port ${toString cfg.port} --host ${cfg.bind}";
        User = "alerta";
        Group = "alerta";
        PermissionsStartOnly = true;
      };
      preStart = ''
        mkdir -p ${cfg.logDir}
        chown alerta:alerta ${cfg.logDir}
      '';
    };
    environment.systemPackages = [ pkgs.python36Packages.alerta ];
--- a/nixos/modules/services/monitoring/kapacitor.nix
+++ b/nixos/modules/services/monitoring/kapacitor.nix
@ -163,6 +163,10 @@ in
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.kapacitor ];
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
    ];
    systemd.services.kapacitor = {
      description = "Kapacitor Real-Time Stream Processing Engine";
      wantedBy = [ "multi-user.target" ];
@ -171,12 +175,7 @@ in
        ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${kapacitorConf}";
        User = "kapacitor";
        Group = "kapacitor";
        PermissionsStartOnly = true;
      };
      preStart = ''
        mkdir -p ${cfg.dataDir}
        chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
      '';
    };
    users.users.kapacitor = {
--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@ -143,7 +143,6 @@ in {
        User = cfg.user;
        Group = cfg.group;
        Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules";
        PermissionsStartOnly = true;
        ExecStart = "${pkgs.netdata}/bin/netdata -D -c ${configFile}";
        TimeoutStopSec = 60;
      };
--- a/nixos/modules/services/monitoring/riemann-dash.nix
+++ b/nixos/modules/services/monitoring/riemann-dash.nix
@ -59,18 +59,20 @@ in {
      group = "riemanndash";
    };
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' - riemanndash riemanndash - -"
    ];
    systemd.services.riemann-dash = {
      wantedBy = [ "multi-user.target" ];
      wants = [ "riemann.service" ];
      after = [ "riemann.service" ];
      preStart = ''
-        mkdir -p ${cfg.dataDir}/config
+        mkdir -p '${cfg.dataDir}/config'
        chown -R riemanndash:riemanndash ${cfg.dataDir}
      '';
      serviceConfig = {
        User = "riemanndash";
        ExecStart = "${launcher}/bin/riemann-dash";
        PermissionsStartOnly = true;
      };
    };
--- a/nixos/modules/services/monitoring/riemann-tools.nix
+++ b/nixos/modules/services/monitoring/riemann-tools.nix
@ -54,7 +54,6 @@ in {
      serviceConfig = {
        User = "riemanntools";
        ExecStart = "${healthLauncher}/bin/riemann-health";
        PermissionsStartOnly = true;
      };
    };
--- a/nixos/modules/services/monitoring/scollector.nix
+++ b/nixos/modules/services/monitoring/scollector.nix
@ -116,7 +116,6 @@ in {
      path = [ pkgs.coreutils pkgs.iproute ];
      serviceConfig = {
        PermissionsStartOnly = true;
        User = cfg.user;
        Group = cfg.group;
        ExecStart = "${cfg.package.bin}/bin/scollector -conf=${conf} ${lib.concatStringsSep " " cfg.extraOpts}";
--- a/nixos/modules/services/networking/aria2.nix
+++ b/nixos/modules/services/networking/aria2.nix
@ -102,22 +102,19 @@ in
    users.groups.aria2.gid = config.ids.gids.aria2;
    systemd.tmpfiles.rules = [
      "d '${homeDir}' 0770 aria2 aria2 - -"
      "d '${config.services.aria2.downloadDir}' 0770 aria2 aria2 - -"
    ];
    systemd.services.aria2 = {
      description = "aria2 Service";
      after = [ "local-fs.target" "network.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        mkdir -m 0770 -p "${homeDir}"
        chown aria2:aria2 "${homeDir}"
        if [[ ! -d "${config.services.aria2.downloadDir}" ]]
        then
          mkdir -m 0770 -p "${config.services.aria2.downloadDir}"
          chown aria2:aria2 "${config.services.aria2.downloadDir}"
        fi
        if [[ ! -e "${sessionFile}" ]]
        then
          touch "${sessionFile}"
          chown aria2:aria2 "${sessionFile}"
        fi
        cp -f "${settingsFile}" "${settingsDir}/aria2.conf"
      '';
@ -128,7 +125,6 @@ in
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        User = "aria2";
        Group = "aria2";
        PermissionsStartOnly = true;
      };
    };
  };
--- a/nixos/modules/services/networking/autossh.nix
+++ b/nixos/modules/services/networking/autossh.nix
@ -99,7 +99,6 @@ in
              serviceConfig = {
                  User = "${s.user}";
                  PermissionsStartOnly = true;
                  # AutoSSH may exit with 0 code if the SSH session was
                  # gracefully terminated by either local or remote side.
                  Restart = "on-success";
--- a/nixos/modules/services/networking/charybdis.nix
+++ b/nixos/modules/services/networking/charybdis.nix
@ -83,6 +83,10 @@ in
        gid = config.ids.gids.ircd;
      };
      systemd.tmpfiles.rules = [
        "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -"
      ];
      systemd.services.charybdis = {
        description = "Charybdis IRC daemon";
        wantedBy = [ "multi-user.target" ];
@ -93,12 +97,7 @@ in
          ExecStart   = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile ${configFile}";
          Group = cfg.group;
          User = cfg.user;
          PermissionsStartOnly = true; # preStart needs to run with root permissions
        };
        preStart = ''
          ${coreutils}/bin/mkdir -p ${cfg.statedir}
          ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir}
        '';
      };
    }
--- a/nixos/modules/services/networking/hostapd.nix
+++ b/nixos/modules/services/networking/hostapd.nix
@ -30,10 +30,11 @@ let
    ctrl_interface=/run/hostapd
    ctrl_interface_group=${cfg.group}
-    ${if cfg.wpa then ''
+    ${optionalString cfg.wpa ''
      wpa=2
      wpa_passphrase=${cfg.wpaPassphrase}
-      '' else ""}
+    ''}
    ${optionalString cfg.noScan "noscan=1"}
    ${cfg.extraConfig}
  '' ;
@ -69,6 +70,14 @@ in
        '';
      };
      noScan = mkOption {
        default = false;
        description = ''
          Do not scan for overlapping BSSs in HT40+/- mode.
          Caution: turning this on will violate regulatory requirements!
        '';
      };
      driver = mkOption {
        default = "nl80211";
        example = "hostapd";
@ -162,6 +171,7 @@ in
        after = [ "sys-subsystem-net-devices-${escapedInterface}.device" ];
        bindsTo = [ "sys-subsystem-net-devices-${escapedInterface}.device" ];
        requiredBy = [ "network-link-${cfg.interface}.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig =
          { ExecStart = "${pkgs.hostapd}/bin/hostapd ${configFile}";
--- a/nixos/modules/services/networking/minidlna.nix
+++ b/nixos/modules/services/networking/minidlna.nix
@ -98,16 +98,10 @@ in
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" "local-fs.target" ];
        preStart =
          ''
            mkdir -p /var/cache/minidlna
            chown -R minidlna:minidlna /var/cache/minidlna
          '';
        serviceConfig =
          { User = "minidlna";
            Group = "minidlna";
-            PermissionsStartOnly = true;
+            CacheDirectory = "minidlna";
            RuntimeDirectory = "minidlna";
            PIDFile = "/run/minidlna/pid";
            ExecStart =
--- a/nixos/modules/services/networking/quassel.nix
+++ b/nixos/modules/services/networking/quassel.nix
@ -104,6 +104,10 @@ in
        gid = config.ids.gids.quassel;
      }];
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' - ${user} - - -"
    ];
    systemd.services.quassel =
      { description = "Quassel IRC client daemon";
@ -111,11 +115,6 @@ in
        after = [ "network.target" ] ++ optional config.services.postgresql.enable "postgresql.service"
                                     ++ optional config.services.mysql.enable "mysql.service";
        preStart = ''
          mkdir -p ${cfg.dataDir}
          chown ${user} ${cfg.dataDir}
        '';
        serviceConfig =
        {
          ExecStart = concatStringsSep " " ([
@ -126,7 +125,6 @@ in
          ] ++ optional cfg.requireSSL "--require-ssl"
            ++ optional (cfg.certificateFile != null) "--ssl-cert=${cfg.certificateFile}");
          User = user;
          PermissionsStartOnly = true;
        };
      };
--- a/nixos/modules/services/networking/squid.nix
+++ b/nixos/modules/services/networking/squid.nix
@ -159,11 +159,10 @@ in
      serviceConfig = {
        Type="forking";
        PIDFile="/run/squid.pid";
        PermissionsStartOnly = true;
        ExecStart  = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}";
      };
    };
  };
-}
+}
--- a/nixos/modules/services/networking/teamspeak3.nix
+++ b/nixos/modules/services/networking/teamspeak3.nix
@ -111,16 +111,15 @@ in
      gid = config.ids.gids.teamspeak;
    };
    systemd.tmpfiles.rules = [
      "d '${cfg.logPath}' - ${user} ${group} - -"
    ];
    systemd.services.teamspeak3-server = {
      description = "Teamspeak3 voice communication server daemon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        mkdir -p ${cfg.logPath}
        chown ${user}:${group} ${cfg.logPath}
      '';
      serviceConfig = {
        ExecStart = ''
          ${ts3}/bin/ts3server \
@ -135,7 +134,6 @@ in
        WorkingDirectory = cfg.dataDir;
        User = user;
        Group = group;
        PermissionsStartOnly = true;
      };
    };
  };
--- a/nixos/modules/services/networking/unifi.nix
+++ b/nixos/modules/services/networking/unifi.nix
@ -146,6 +146,11 @@ in
        where = where;
      }) mountPoints;
    systemd.tmpfiles.rules = [
      "e '${stateDir}' 0700 unifi - - -"
      "e '${stateDir}/data' 0700 unifi - - -"
    ];
    systemd.services.unifi = {
      description = "UniFi controller daemon";
      wantedBy = [ "multi-user.target" ];
@ -157,14 +162,9 @@ in
      environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib";
      preStart = ''
        # Ensure privacy of state and data.
        chown unifi "${stateDir}" "${stateDir}/data"
        chmod 0700 "${stateDir}" "${stateDir}/data"
        # Create the volatile webapps
        rm -rf "${stateDir}/webapps"
        mkdir -p "${stateDir}/webapps"
        chown unifi "${stateDir}/webapps"
        ln -s "${cfg.unifiPackage}/webapps/ROOT" "${stateDir}/webapps/ROOT"
      '';
@ -177,7 +177,6 @@ in
        ExecStart = "${(removeSuffix "\n" cmd)} start";
        ExecStop = "${(removeSuffix "\n" cmd)} stop";
        User = "unifi";
        PermissionsStartOnly = true;
        UMask = "0077";
        WorkingDirectory = "${stateDir}";
      };
--- a/nixos/modules/services/networking/zeronet.nix
+++ b/nixos/modules/services/networking/zeronet.nix
@ -86,20 +86,17 @@ in with lib; {
      '';
    };
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' 750 zeronet zeronet - -"
      "d '${cfg.logDir}' 750 zeronet zeronet - -"
    ];
    systemd.services.zeronet = {
      description = "zeronet";
      after = [ "network.target" (optionalString cfg.tor "tor.service") ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        # Ensure folder exists or create it and permissions are correct
        mkdir -p ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir}
        chmod 750 ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir}
        chown zeronet:zeronet ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir}
      '';
      serviceConfig = {
        PermissionsStartOnly = true;
        PrivateTmp = "yes";
        User = "zeronet";
        Group = "zeronet";
--- a/nixos/modules/services/web-apps/atlassian/confluence.nix
+++ b/nixos/modules/services/web-apps/atlassian/confluence.nix
@ -149,6 +149,17 @@ in
    users.groups."${cfg.group}" = {};
    systemd.tmpfiles.rules = [
      "d '${cfg.home}' - ${cfg.user} - - -"
      "d /run/confluence - - - - -"
      "L+ /run/confluence/home - - - - ${cfg.home}"
      "L+ /run/confluence/logs - - - - ${cfg.home}/logs"
      "L+ /run/confluence/temp - - - - ${cfg.home}/temp"
      "L+ /run/confluence/work - - - - ${cfg.home}/work"
      "L+ /run/confluence/server.xml - - - - ${cfg.home}/server.xml"
    ];
    systemd.services.confluence = {
      description = "Atlassian Confluence";
@ -167,12 +178,6 @@ in
      preStart = ''
        mkdir -p ${cfg.home}/{logs,work,temp,deploy}
        mkdir -p /run/confluence
        ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/confluence
        ln -sf ${cfg.home} /run/confluence/home
        chown ${cfg.user} ${cfg.home}
        sed -e 's,port="8090",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \
        '' + (lib.optionalString cfg.proxy.enable ''
          -e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \
@ -184,7 +189,6 @@ in
        User = cfg.user;
        Group = cfg.group;
        PrivateTmp = true;
        PermissionsStartOnly = true;
        ExecStart = "${pkg}/bin/start-confluence.sh -fg";
        ExecStop = "${pkg}/bin/stop-confluence.sh";
      };
--- a/nixos/modules/services/web-apps/atlassian/crowd.nix
+++ b/nixos/modules/services/web-apps/atlassian/crowd.nix
@ -117,6 +117,16 @@ in
    users.groups."${cfg.group}" = {};
    systemd.tmpfiles.rules = [
      "d '${cfg.home}' - ${cfg.user} ${cfg.group} - -"
      "d /run/atlassian-crowd - - - - -"
      "L+ /run/atlassian-crowd/database - - - - ${cfg.home}/database"
      "L+ /run/atlassian-crowd/logs - - - - ${cfg.home}/logs"
      "L+ /run/atlassian-crowd/work - - - - ${cfg.home}/work"
      "L+ /run/atlassian-crowd/server.xml - - - - ${cfg.home}/server.xml"
    ];
    systemd.services.atlassian-crowd = {
      description = "Atlassian Crowd";
@ -136,12 +146,6 @@ in
        rm -rf ${cfg.home}/work
        mkdir -p ${cfg.home}/{logs,database,work}
        mkdir -p /run/atlassian-crowd
        ln -sf ${cfg.home}/{database,logs,work,server.xml} /run/atlassian-crowd
        chown ${cfg.user}:${cfg.group} ${cfg.home}
        chown ${cfg.user}:${cfg.group} ${cfg.home}/{logs,database,work}
        sed -e 's,port="8095",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \
        '' + (lib.optionalString cfg.proxy.enable ''
          -e 's,compression="on",compression="off" protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${boolToString cfg.proxy.secure}",' \
@ -153,7 +157,6 @@ in
        User = cfg.user;
        Group = cfg.group;
        PrivateTmp = true;
        PermissionsStartOnly = true;
        ExecStart = "${pkg}/start_crowd.sh -fg";
      };
    };
--- a/nixos/modules/services/web-apps/atlassian/jira.nix
+++ b/nixos/modules/services/web-apps/atlassian/jira.nix
@ -155,6 +155,17 @@ in
    users.groups."${cfg.group}" = {};
    systemd.tmpfiles.rules = [
      "d '${cfg.home}' - ${cfg.user} - - -"
      "d /run/atlassian-jira - - - - -"
      "L+ /run/atlassian-jira/home - - - - ${cfg.home}"
      "L+ /run/atlassian-jira/logs - - - - ${cfg.home}/logs"
      "L+ /run/atlassian-jira/work - - - - ${cfg.home}/work"
      "L+ /run/atlassian-jira/temp - - - - ${cfg.home}/temp"
      "L+ /run/atlassian-jira/server.xml - - - - ${cfg.home}/server.xml"
    ];
    systemd.services.atlassian-jira = {
      description = "Atlassian JIRA";
@ -174,12 +185,6 @@ in
      preStart = ''
        mkdir -p ${cfg.home}/{logs,work,temp,deploy}
        mkdir -p /run/atlassian-jira
        ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/atlassian-jira
        ln -sf ${cfg.home} /run/atlassian-jira/home
        chown ${cfg.user} ${cfg.home}
        sed -e 's,port="8080",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \
        '' + (lib.optionalString cfg.proxy.enable ''
          -e 's,protocol="HTTP/1.1",protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${toString cfg.proxy.secure}",' \
@ -191,7 +196,6 @@ in
        User = cfg.user;
        Group = cfg.group;
        PrivateTmp = true;
        PermissionsStartOnly = true;
        ExecStart = "${pkg}/bin/start-jira.sh -fg";
        ExecStop = "${pkg}/bin/stop-jira.sh";
      };
--- a/nixos/modules/services/web-apps/frab.nix
+++ b/nixos/modules/services/web-apps/frab.nix
@ -182,16 +182,16 @@ in
    users.groups = [ { name = cfg.group; } ];
    systemd.tmpfiles.rules = [
      "d '${cfg.statePath}/system/attachments' - ${cfg.user} ${cfg.group} - -"
    ];
    systemd.services.frab = {
      after = [ "network.target" "gitlab.service" ];
      wantedBy = [ "multi-user.target" ];
      environment = frabEnv;
      preStart = ''
        mkdir -p ${cfg.statePath}/system/attachments
        chown ${cfg.user}:${cfg.group} -R ${cfg.statePath}
        mkdir /run/frab -p
        ln -sf ${pkgs.writeText "frab-database.yml" databaseConfig} /run/frab/database.yml
        ln -sf ${cfg.statePath}/system /run/frab/system
@ -204,7 +204,6 @@ in
      '';
      serviceConfig = {
        PermissionsStartOnly = true;
        PrivateTmp = true;
        PrivateDevices = true;
        Type = "simple";
@ -213,6 +212,7 @@ in
        TimeoutSec = "300s";
        Restart = "on-failure";
        RestartSec = "10s";
        RuntimeDirectory = "frab";
        WorkingDirectory = "${package}/share/frab";
        ExecStart = "${frab-rake}/bin/frab-bundle exec rails server " +
          "--binding=${cfg.listenAddress} --port=${toString cfg.listenPort}";
--- a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
+++ b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }: with lib; let
  cfg = config.services.icingaweb2;
  poolName = "icingaweb2";
  phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock";
  defaultConfig = {
    global = {
@ -162,19 +161,23 @@ in {
  };
  config = mkIf cfg.enable {
-    services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
+    services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
-      "${poolName}" = ''
+      "${poolName}" = {
-        listen = "${phpfpmSocketName}"
+        socketName = "${poolName}";
-        listen.owner = nginx
+        phpPackage = pkgs.php;
-        listen.group = nginx
+        user = "icingaweb2";
-        listen.mode = 0600
+        group = "icingaweb2";
-        user = icingaweb2
+        extraConfig = ''
-        pm = dynamic
+          listen.owner = ${config.services.nginx.user}
-        pm.max_children = 75
+          listen.group = ${config.services.nginx.group}
-        pm.start_servers = 2
+          listen.mode = 0600
-        pm.min_spare_servers = 2
+          pm = dynamic
-        pm.max_spare_servers = 10
+          pm.max_children = 75
-      '';
+          pm.start_servers = 2
          pm.min_spare_servers = 2
          pm.max_spare_servers = 10
        '';
      };
    };
    services.phpfpm.phpOptions = mkIf (cfg.pool == "${poolName}")
@ -206,7 +209,7 @@ in {
            include ${config.services.nginx.package}/conf/fastcgi.conf;
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_pass unix:${phpfpmSocketName};
+            fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
            fastcgi_param SCRIPT_FILENAME ${pkgs.icingaweb2}/public/index.php;
          '';
        };
@ -239,5 +242,8 @@ in {
      group = "icingaweb2";
      isSystemUser = true;
    };
    users.users.nginx = {
      extraGroups = [ "icingaweb2" ];
    };
  };
 }
--- a/nixos/modules/services/web-apps/limesurvey.nix
+++ b/nixos/modules/services/web-apps/limesurvey.nix
@ -202,13 +202,13 @@ in
    };
    services.phpfpm.pools.limesurvey = {
      socketName = "limesurvey";
      phpPackage = php;
-      listen = "/run/phpfpm/limesurvey.sock";
+      user = "${user}";
      group = "${group}";
      extraConfig = ''
        listen.owner = ${config.services.httpd.user};
        listen.group = ${config.services.httpd.group};
        user = ${user};
        group = ${group};
        env[LIMESURVEY_CONFIG] = ${limesurveyConfig}
@ -241,7 +241,7 @@ in
            <Directory "${pkg}/share/limesurvey">
              <FilesMatch "\.php$">
                <If "-f %{REQUEST_FILENAME}">
-                  SetHandler "proxy:unix:/run/phpfpm/limesurvey.sock|fcgi://localhost/"
+                  SetHandler "proxy:unix:/run/phpfpm-limesurvey/limesurvey.sock|fcgi://localhost/"
                </If>
              </FilesMatch>
--- a/nixos/modules/services/web-apps/matomo.nix
+++ b/nixos/modules/services/web-apps/matomo.nix
@ -4,13 +4,14 @@ let
  cfg = config.services.matomo;
  user = "matomo";
  group = "matomo";
  dataDir = "/var/lib/${user}";
  deprecatedDataDir = "/var/lib/piwik";
  pool = user;
-  # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
+  # it's not possible to use /run/phpfpm-${pool}/${pool}.sock because /run/phpfpm/ is root:root 0770,
  # and therefore is not accessible by the web server.
-  phpSocket = "/run/phpfpm-${pool}.sock";
+  phpSocket = "/run/phpfpm-${pool}/${pool}.sock";
  phpExecutionUnit = "phpfpm-${pool}";
  databaseService = "mysql.service";
@ -137,9 +138,12 @@ in {
      isSystemUser = true;
      createHome = true;
      home = dataDir;
-      group  = user;
+      group  = "${group}";
    };
-    users.groups.${user} = {};
+    users.users.${config.services.nginx.user} = {
      extraGroups = [ "${group}" ];
    };
    users.groups.${group} = {};
    systemd.services.matomo-setup-update = {
      # everything needs to set up and up to date before Matomo php files are executed
@ -169,7 +173,7 @@ in {
          echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
          mv -T ${deprecatedDataDir} ${dataDir}
        fi
-        chown -R ${user}:${user} ${dataDir}
+        chown -R ${user}:${group} ${dataDir}
        chmod -R ug+rwX,o-rwx ${dataDir}
        '';
      script = ''
@ -225,22 +229,26 @@ in {
      serviceConfig.UMask = "0007";
    };
-    services.phpfpm.poolConfigs = let
+    services.phpfpm.pools = let
      # workaround for when both are null and need to generate a string,
      # which is illegal, but as assertions apparently are being triggered *after* config generation,
      # we have to avoid already throwing errors at this previous stage.
      socketOwner = if (cfg.nginx != null) then config.services.nginx.user
      else if (cfg.webServerUser != null) then cfg.webServerUser else "";
    in {
-      ${pool} = ''
+      ${pool} = {
-        listen = "${phpSocket}"
+        socketName = "${pool}";
-        listen.owner = ${socketOwner}
+        phpPackage = pkgs.php;
-        listen.group = root
+        user = "${user}";
-        listen.mode = 0600
+        group = "${group}";
-        user = ${user}
+        extraConfig = ''
-        env[PIWIK_USER_PATH] = ${dataDir}
+          listen.owner = ${socketOwner}
-        ${cfg.phpfpmProcessManagerConfig}
+          listen.group = ${group}
-      '';
+          listen.mode = 0600
          env[PIWIK_USER_PATH] = ${dataDir}
          ${cfg.phpfpmProcessManagerConfig}
        '';
      };
    };
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -394,13 +394,14 @@ in {
                phpOptions)));
        in {
          phpOptions = phpOptionsExtensions;
          socketName = "nextcloud";
          phpPackage = phpPackage;
-          listen = "/run/phpfpm/nextcloud";
+          user = "nextcloud";
          group = "${config.services.nginx.group}";
          extraConfig = ''
-            listen.owner = nginx
+            listen.owner = ${config.services.nginx.user}
-            listen.group = nginx
+            listen.group = ${config.services.nginx.group}
-            user = nextcloud
+            listen.mode = 0600
            group = nginx
            ${cfg.poolConfig}
            env[NEXTCLOUD_CONFIG_DIR] = ${cfg.home}/config
            env[PATH] = /run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin
@ -466,7 +467,7 @@ in {
                  fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
                  fastcgi_param modHeadersAvailable true;
                  fastcgi_param front_controller_active true;
-                  fastcgi_pass unix:/run/phpfpm/nextcloud;
+                  fastcgi_pass unix:/run/phpfpm-nextcloud/nextcloud.sock;
                  fastcgi_intercept_errors on;
                  fastcgi_request_buffering off;
                  fastcgi_read_timeout 120s;
--- a/nixos/modules/services/web-apps/restya-board.nix
+++ b/nixos/modules/services/web-apps/restya-board.nix
@ -13,7 +13,7 @@ let
  runDir = "/run/restya-board";
  poolName = "restya-board";
-  phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
+  phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock";
 in
@ -178,9 +178,12 @@ in
  config = mkIf cfg.enable {
-    services.phpfpm.poolConfigs = {
+    services.phpfpm.pools = {
      "${poolName}" = {
-        listen = phpfpmSocketName;
+        socketName = "${poolName}";
        phpPackage = pkgs.php;
        user = "${cfg.user}";
        group = "${cfg.group}";
        phpOptions = ''
          date.timezone = "CET"
@ -192,11 +195,9 @@ in
          ''}
        '';
        extraConfig = ''
-          listen.owner = nginx
+          listen.owner = ${config.services.nginx.user}
-          listen.group = nginx
+          listen.group = ${config.services.nginx.group}
          listen.mode = 0600
          user = ${cfg.user}
          group = ${cfg.group}
          pm = dynamic
          pm.max_children = 75
          pm.start_servers = 10
@ -365,6 +366,9 @@ in
      home = runDir;
      group  = "restya-board";
    };
    users.users.nginx = {
      extraGroups = [ "restya-board" ];
     };
    users.groups.restya-board = {};
    services.postgresql.enable = mkIf (cfg.database.host == null) true;
--- a/nixos/modules/services/web-apps/selfoss.nix
+++ b/nixos/modules/services/web-apps/selfoss.nix
@ -3,9 +3,9 @@ with lib;
 let
  cfg = config.services.selfoss;
-  poolName = "selfoss_pool";
+  poolName = "selfoss";
-  phpfpmSocketName = "/run/phpfpm/${poolName}.sock";
+  phpfpmSocketName = "/run/phpfpm-${poolName}/${poolName}.sock";
-
+  group = "${cfg.user}";
  dataDir = "/var/lib/selfoss";
  selfoss-config =
@ -116,21 +116,25 @@ in
  config = mkIf cfg.enable {
-    services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
+    services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
-      "${poolName}" = ''
+      "${poolName}" = {
-        listen = "${phpfpmSocketName}";
+        socketName = "${poolName}";
-        listen.owner = nginx
+        phpPackage = pkgs.php;
-        listen.group = nginx
+        user = "${cfg.user}";
-        listen.mode = 0600
+        group = "${group}";
-        user = nginx
+        extraConfig = ''
-        pm = dynamic
+          listen.owner = ${config.services.nginx.user}
-        pm.max_children = 75
+          listen.group = ${config.services.nginx.group}
-        pm.start_servers = 10
+          listen.mode = 0600
-        pm.min_spare_servers = 5
+          pm = dynamic
-        pm.max_spare_servers = 20
+          pm.max_children = 75
-        pm.max_requests = 500
+          pm.start_servers = 10
-        catch_workers_output = 1
+          pm.min_spare_servers = 5
-      '';
+          pm.max_spare_servers = 20
          pm.max_requests = 500
          catch_workers_output = 1
        '';
      };
    };
    systemd.services.selfoss-config = {
@ -145,7 +149,7 @@ in
        # Create the files
        cp -r "${pkgs.selfoss}/"* "${dataDir}"
        ln -sf "${selfoss-config}" "${dataDir}/config.ini"
-        chown -R "${cfg.user}" "${dataDir}"
+        chown -R "${cfg.user}":"${group}" "${dataDir}"
        chmod -R 755 "${dataDir}"
      '';
      wantedBy = [ "multi-user.target" ];
@ -162,5 +166,8 @@ in
    };
    users.users.nginx = {
      extraGroups = [ "${group}" ];
     };
  };
 }
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@ -512,12 +512,14 @@ let
    services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
      "${poolName}" = {
-        listen = "/var/run/phpfpm/${poolName}.sock";
+        socketName = "${poolName}";
        phpPackage = pkgs.php;
        user = "${config.services.nginx.user}";
        group = "${config.services.nginx.group}";
        extraConfig = ''
-          listen.owner = nginx
+          listen.owner = ${config.services.nginx.user}
-          listen.group = nginx
+          listen.group = ${config.services.nginx.group}
          listen.mode = 0600
          user = ${cfg.user}
          pm = dynamic
          pm.max_children = 75
          pm.start_servers = 10
@ -543,7 +545,7 @@ let
          locations."~ \.php$" = {
            extraConfig = ''
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.listen};
+              fastcgi_pass unix:/run/phpfpm-${poolName}/${poolName}.sock;
              fastcgi_index index.php;
            '';
          };
--- a/nixos/modules/services/web-servers/lighttpd/cgit.nix
+++ b/nixos/modules/services/web-servers/lighttpd/cgit.nix
@ -42,10 +42,10 @@ in
    configText = mkOption {
      default = "";
      example = ''
        cache-size=1000
        scan-path=/srv/git
        source-filter=''${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
        about-filter=''${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
        cache-size=1000
        scan-path=/srv/git
      '';
      type = types.lines;
      description = ''
--- a/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixos/modules/services/web-servers/phpfpm/default.nix
@ -4,37 +4,26 @@ with lib;
 let
  cfg = config.services.phpfpm;
-  enabled = cfg.poolConfigs != {} || cfg.pools != {};
+  enabled = cfg.pools != {};
-  stateDir = "/run/phpfpm";
+  poolConfigs = (mapAttrs mapPool cfg.pools);
  poolConfigs =
    (mapAttrs mapPoolConfig cfg.poolConfigs) //
    (mapAttrs mapPool cfg.pools);
  mapPoolConfig = n: p: {
    phpPackage = cfg.phpPackage;
    phpOptions = cfg.phpOptions;
    config = p;
  };
  mapPool = n: p: {
    phpPackage = p.phpPackage;
    phpOptions = p.phpOptions;
-    config = ''
+    userPool = p.user;
-      listen = ${p.listen}
+    groupPool = p.group;
      ${p.extraConfig}
    '';
  };
  fpmCfgFile = pool: conf: pkgs.writeText "phpfpm-${pool}.conf" ''
    [global]
    error_log = syslog
    daemonize = no
-    ${cfg.extraConfig}
+    ${cfg.globalExtraConfig}
    [${pool}]
-    ${conf}
+    listen = /run/phpfpm-${pool}/${cfg.pools.${pool}.socketName}.sock
    ${cfg.pools.${pool}.extraConfig}
  '';
  phpIni = pool: pkgs.runCommand "php.ini" {
@ -49,86 +38,98 @@ let
  '';
 in {
  options = {
    services.phpfpm = {
-      extraConfig = mkOption {
+      globalExtraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
-          Extra configuration that should be put in the global section of
+          Global extra configuration that should be put in the global section of
          the PHP-FPM configuration file. Do not specify the options
          <literal>error_log</literal> or
-          <literal>daemonize</literal> here, since they are generated by
+          <literal>daemonize</literal> here, since they are generated by NixOS.
          NixOS.
        '';
      };
      phpPackage = mkOption {
        type = types.package;
        default = pkgs.php;
        defaultText = "pkgs.php";
        description = ''
          The PHP package to use for running the PHP-FPM service.
        '';
      };
      phpOptions = mkOption {
        type = types.lines;
        default = "";
        example =
          ''
            date.timezone = "CET"
          '';
        description =
          "Options appended to the PHP configuration file <filename>php.ini</filename>.";
      };
      poolConfigs = mkOption {
        default = {};
        type = types.attrsOf types.lines;
        example = literalExample ''
          { mypool = '''
              listen = /run/phpfpm/mypool
              user = nobody
              pm = dynamic
              pm.max_children = 75
              pm.start_servers = 10
              pm.min_spare_servers = 5
              pm.max_spare_servers = 20
              pm.max_requests = 500
            ''';
          }
        '';
        description = ''
          A mapping between PHP-FPM pool names and their configurations.
          See the documentation on <literal>php-fpm.conf</literal> for
          details on configuration directives. If no pools are defined,
          the phpfpm service is disabled.
        '';
      };
      pools = mkOption {
        type = types.attrsOf (types.submodule (import ./pool-options.nix {
          inherit lib config;
        }));
        default = {};
        type = types.attrsOf (types.submodule {
          options = {
            socketName = mkOption {
              type = types.str;
              example = "php-fpm";
              description = ''
                The address on which to accept FastCGI requests.
              '';
            };
            phpPackage = mkOption {
              type = types.package;
              default = pkgs.php;
              defaultText = "pkgs.php";
              description = ''
                The PHP package to use for running this PHP-FPM pool.
              '';
            };
            phpOptions = mkOption {
              type = types.lines;
              default = "";
              description = ''
                Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool.
              '';
            };
            user = mkOption {
              type = types.string;
              default = "phpfpm";
              description = "User account under which phpfpm runs.";
            };
            group = mkOption {
              type = types.string;
              default = "phpfpm";
              description = "Group account under which phpfpm runs.";
            };
            extraConfig = mkOption {
              type = types.lines;
              example = ''
                pm = dynamic
                pm.max_children = 75
                pm.start_servers = 10
                pm.min_spare_servers = 5
                pm.max_spare_servers = 20
                pm.max_requests = 500
              '';
              description = ''
                Extra lines that go into the pool configuration.
                See the documentation on <literal>php-fpm.conf</literal> for
                details on configuration directives.
              '';
            };
          };
        });
        example = literalExample ''
-         {
+          {
-           mypool = {
+            mypool = {
-             listen = "/path/to/unix/socket";
+              socketName = "example";
-             phpPackage = pkgs.php;
+              phpPackage = pkgs.php;
-             extraConfig = '''
+              user = "phpfpm";
-               user = nobody
+              group = "phpfpm";
-               pm = dynamic
+              extraConfig = '''
-               pm.max_children = 75
+                pm = dynamic
-               pm.start_servers = 10
+                pm.max_children = 75
-               pm.min_spare_servers = 5
+                pm.start_servers = 10
-               pm.max_spare_servers = 20
+                pm.min_spare_servers = 5
-               pm.max_requests = 500
+                pm.max_spare_servers = 20
-             ''';
+                pm.max_requests = 500
-           }
+              ''';
-         }'';
+            }
          }
        '';
        description = ''
          PHP-FPM pools. If no pools or poolConfigs are defined, the PHP-FPM
          service is disabled.
@ -154,9 +155,6 @@ in {
        after = [ "network.target" ];
        wantedBy = [ "phpfpm.target" ];
        partOf = [ "phpfpm.target" ];
        preStart = ''
          mkdir -p ${stateDir}
        '';
        serviceConfig = let
          cfgFile = fpmCfgFile pool poolConfig.config;
          iniFile = phpIni poolConfig;
@ -166,10 +164,19 @@ in {
          ProtectSystem = "full";
          ProtectHome = true;
          # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
-          RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
          Type = "notify";
-          ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}";
+          ExecStart = "${poolConfig.phpPackage}/bin/php-fpm -y '${cfgFile}' -c '${iniFile}'";
          ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
          # User and group
          User = "${poolConfig.userPool}";
          Group = "${poolConfig.groupPool}";
          # Runtime directory and mode
          RuntimeDirectory = "phpfpm-${pool}";
          RuntimeDirectoryMode = "0750";
          # Capabilities
          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" "CAP_CHOWN" "CAP_SYS_RESOURCE" ];
        };
      }
   );
--- a/nixos/modules/services/web-servers/phpfpm/pool-options.nix
+++ b/nixos/modules/services/web-servers/phpfpm/pool-options.nix
@ -1,57 +0,0 @@
 { lib, config }:
 let
  fpmCfg = config.services.phpfpm;
 in
 with lib; {
  options = {
    listen = mkOption {
      type = types.str;
      example = "/path/to/unix/socket";
      description = ''
        The address on which to accept FastCGI requests.
      '';
    };
    phpPackage = mkOption {
      type = types.package;
      default = fpmCfg.phpPackage;
      defaultText = "config.services.phpfpm.phpPackage";
      description = ''
        The PHP package to use for running this PHP-FPM pool.
      '';
    };
    phpOptions = mkOption {
      type = types.lines;
      default = fpmCfg.phpOptions;
      defaultText = "config.services.phpfpm.phpOptions";
      description = ''
        "Options appended to the PHP configuration file <filename>php.ini</filename> used for this PHP-FPM pool."
      '';
    };
    extraConfig = mkOption {
      type = types.lines;
      example = ''
        user = nobody
        pm = dynamic
        pm.max_children = 75
        pm.start_servers = 10
        pm.min_spare_servers = 5
        pm.max_spare_servers = 20
        pm.max_requests = 500
      '';
      description = ''
        Extra lines that go into the pool configuration.
        See the documentation on <literal>php-fpm.conf</literal> for
        details on configuration directives.
      '';
    };
  };
 }
--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@ -23,14 +23,16 @@ let
    ''}
    ${cfg.qemuVerbatimConfig}
  '';
  dirName = "libvirt";
  subDirs = list: [ dirName ] ++ map (e: "${dirName}/${e}") list;
 in {
  ###### interface
-  options = {
+  options.virtualisation.libvirtd = {
-    virtualisation.libvirtd.enable = mkOption {
+    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
@ -41,7 +43,7 @@ in {
      '';
    };
-    virtualisation.libvirtd.qemuPackage = mkOption {
+    qemuPackage = mkOption {
      type = types.package;
      default = pkgs.qemu;
      description = ''
@ -51,7 +53,7 @@ in {
      '';
    };
-    virtualisation.libvirtd.extraConfig = mkOption {
+    extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = ''
@ -60,7 +62,7 @@ in {
      '';
    };
-    virtualisation.libvirtd.qemuRunAsRoot = mkOption {
+    qemuRunAsRoot = mkOption {
      type = types.bool;
      default = true;
      description = ''
@ -72,7 +74,7 @@ in {
      '';
    };
-    virtualisation.libvirtd.qemuVerbatimConfig = mkOption {
+    qemuVerbatimConfig = mkOption {
      type = types.lines;
      default = ''
        namespaces = []
@ -84,7 +86,7 @@ in {
      '';
    };
-    virtualisation.libvirtd.qemuOvmf = mkOption {
+    qemuOvmf = mkOption {
      type = types.bool;
      default = true;
      description = ''
@ -93,7 +95,7 @@ in {
      '';
    };
-    virtualisation.libvirtd.extraOptions = mkOption {
+    extraOptions = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [ "--verbose" ];
@ -102,7 +104,7 @@ in {
      '';
    };
-    virtualisation.libvirtd.onShutdown = mkOption {
+    onShutdown = mkOption {
      type = types.enum ["shutdown" "suspend" ];
      default = "suspend";
      description = ''
@ -113,6 +115,14 @@ in {
      '';
    };
    allowedBridges = mkOption {
      type = types.listOf types.str;
      default = [ "virbr0" ];
      description = ''
        List of bridge devices that can be used by qemu:///session
      '';
    };
  };
@ -120,7 +130,12 @@ in {
  config = mkIf cfg.enable {
-    environment.systemPackages = with pkgs; [ libvirt libressl.nc cfg.qemuPackage ];
+    environment = {
      # this file is expected in /etc/qemu and not sysconfdir (/var/lib)
      etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e:
        "allow ${e}") cfg.allowedBridges;
      systemPackages = with pkgs; [ libvirt libressl.nc cfg.qemuPackage ];
    };
    boot.kernelModules = [ "tun" ];
@ -134,30 +149,15 @@ in {
      group = "qemu-libvirtd";
    };
    security.wrappers.qemu-bridge-helper = {
      source = "/run/${dirName}/nix-helpers/qemu-bridge-helper";
    };
    systemd.packages = [ pkgs.libvirt ];
-    systemd.services.libvirtd = {
+    systemd.services.libvirtd-config = {
-      description = "Libvirt Virtual Machine Management Daemon";
+      description = "Libvirt Virtual Machine Management Daemon - configuration";
-
+      script = ''
      wantedBy = [ "multi-user.target" ];
      after = [ "systemd-udev-settle.service" ]
              ++ optional vswitch.enable "vswitchd.service";
      environment.LIBVIRTD_ARGS = ''--config "${configFile}" ${concatStringsSep " " cfg.extraOptions}'';
      path = [ cfg.qemuPackage ] # libvirtd requires qemu-img to manage disk images
             ++ optional vswitch.enable vswitch.package;
      preStart = ''
        mkdir -p /var/log/libvirt/qemu -m 755
        rm -f /var/run/libvirtd.pid
        mkdir -p /var/lib/libvirt
        mkdir -p /var/lib/libvirt/dnsmasq
        chmod 755 /var/lib/libvirt
        chmod 755 /var/lib/libvirt/dnsmasq
        # Copy default libvirt network config .xml files to /var/lib
        # Files modified by the user will not be overwritten
        for i in $(cd ${pkgs.libvirt}/var/lib && echo \
@ -169,21 +169,45 @@ in {
        done
        # Copy generated qemu config to libvirt directory
-        cp -f ${qemuConfigFile} /var/lib/libvirt/qemu.conf
+        cp -f ${qemuConfigFile} /var/lib/${dirName}/qemu.conf
        # stable (not GC'able as in /nix/store) paths for using in <emulator> section of xml configs
        mkdir -p /run/libvirt/nix-emulators
        for emulator in ${pkgs.libvirt}/libexec/libvirt_lxc ${cfg.qemuPackage}/bin/qemu-kvm ${cfg.qemuPackage}/bin/qemu-system-*; do
-          ln -s --force "$emulator" /run/libvirt/nix-emulators/
+          ln -s --force "$emulator" /run/${dirName}/nix-emulators/
        done
        for helper in libexec/qemu-bridge-helper bin/qemu-pr-helper; do
          ln -s --force ${cfg.qemuPackage}/$helper /run/${dirName}/nix-helpers/
        done
        ${optionalString cfg.qemuOvmf ''
-            mkdir -p /run/libvirt/nix-ovmf
+          ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_CODE.fd /run/${dirName}/nix-ovmf/
-            ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_CODE.fd /run/libvirt/nix-ovmf/
+          ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_VARS.fd /run/${dirName}/nix-ovmf/
            ln -s --force ${pkgs.OVMF.fd}/FV/OVMF_VARS.fd /run/libvirt/nix-ovmf/
        ''}
      '';
      serviceConfig = {
        Type = "oneshot";
        RuntimeDirectoryPreserve = "yes";
        LogsDirectory = subDirs [ "qemu" ];
        RuntimeDirectory = subDirs [ "nix-emulators" "nix-helpers" "nix-ovmf" ];
        StateDirectory = subDirs [ "dnsmasq" ];
      };
    };
    systemd.services.libvirtd = {
      description = "Libvirt Virtual Machine Management Daemon";
      wantedBy = [ "multi-user.target" ];
      requires = [ "libvirtd-config.service" ];
      after = [ "systemd-udev-settle.service" "libvirtd-config.service" ]
              ++ optional vswitch.enable "vswitchd.service";
      environment.LIBVIRTD_ARGS = ''--config "${configFile}" ${concatStringsSep " " cfg.extraOptions}'';
      path = [ cfg.qemuPackage ] # libvirtd requires qemu-img to manage disk images
             ++ optional vswitch.enable vswitch.package;
      serviceConfig = {
        Type = "notify";
        KillMode = "process"; # when stopping, leave the VMs alone
@ -203,7 +227,7 @@ in {
    systemd.sockets.virtlogd = {
      description = "Virtual machine log manager socket";
      wantedBy = [ "sockets.target" ];
-      listenStreams = [ "/run/libvirt/virtlogd-sock" ];
+      listenStreams = [ "/run/${dirName}/virtlogd-sock" ];
    };
    systemd.services.virtlogd = {
@ -215,7 +239,7 @@ in {
    systemd.sockets.virtlockd = {
      description = "Virtual machine lock manager socket";
      wantedBy = [ "sockets.target" ];
-      listenStreams = [ "/run/libvirt/virtlockd-sock" ];
+      listenStreams = [ "/run/${dirName}/virtlockd-sock" ];
    };
    systemd.services.virtlockd = {
--- a/nixos/tests/mysql.nix
+++ b/nixos/tests/mysql.nix
@ -28,6 +28,12 @@ import ./make-test.nix ({ pkgs, ...} : {
      {
        users.users.testuser = { };
        services.mysql.enable = true;
        services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
          echo "ALTER USER root@localhost IDENTIFIED WITH unix_socket;"
          echo "DELETE FROM mysql.user WHERE password = ''' AND plugin = ''';"
          echo "DELETE FROM mysql.user WHERE user = ''';"
          echo "FLUSH PRIVILEGES;"
        '';
        services.mysql.ensureDatabases = [ "testdb" ];
        services.mysql.ensureUsers = [{
          name = "testuser";
--- a/pkgs/applications/altcoins/parity/beta.nix
+++ b/pkgs/applications/altcoins/parity/beta.nix
@ -1,6 +1,6 @@
 let
-  version     = "2.5.1";
+  version     = "2.5.3";
-  sha256      = "0nnrgc2qyqqld3znjigryqpg5jaqh3jnmin4a334dbr4jw50dz3d";
+  sha256      = "04z38ba4f1kmaa3d9b4gqz7dwr5blbppnkngw758xdm56772hfmj";
-  cargoSha256 = "184vfhsalk5dims3k13zrsv4lmm45a7nm3r0b84g72q7hhbl8pkf";
+  cargoSha256 = "03dlzl96g8k02lifymwp1xs0b2mrnj5c1xzpwp014ijqlnzcfgsv";
 in
  import ./parity.nix { inherit version sha256 cargoSha256; }
--- a/pkgs/applications/altcoins/parity/default.nix
+++ b/pkgs/applications/altcoins/parity/default.nix
@ -1,6 +1,6 @@
 let
-  version     = "2.4.6";
+  version     = "2.4.8";
-  sha256      = "0vfq1pyd92n60h9gimn4d5j56xanvl43sgxk9h2kb16amy0mmh3z";
+  sha256      = "1kr7hzv27vxa14wafhpaq5a4fv97zh71xjjmwzaqq4gj3k9yj0rm";
-  cargoSha256 = "04gi9vddahq1q207f83n3wriwdjnmmnby6mq4crdh7yx1p4b26m9";
+  cargoSha256 = "1yjyk6mhr3ws73aq6h8z5iabvj03ch7mxhkrfdkmhw3cjj0jgx6j";
 in
  import ./parity.nix { inherit version sha256 cargoSha256; }
--- a/pkgs/applications/altcoins/parity/parity.nix
+++ b/pkgs/applications/altcoins/parity/parity.nix
@ -5,7 +5,7 @@
 { stdenv
 , fetchFromGitHub
-, rustPlatform 
+, rustPlatform
 , pkgconfig
 , openssl
 , systemd
@ -29,12 +29,14 @@ rustPlatform.buildRustPackage rec {
    systemd.lib systemd.dev openssl openssl.dev
  ];
  cargoBuildFlags = [ "--features final" ];
  # test result: FAILED. 80 passed; 12 failed; 0 ignored; 0 measured; 0 filtered out
  doCheck = false;
  meta = with stdenv.lib; {
    description = "Fast, light, robust Ethereum implementation";
-    homepage = http://parity.io;
+    homepage = "http://parity.io";
    license = licenses.gpl3;
    maintainers = [ maintainers.akru ];
    platforms = platforms.linux;
--- a/pkgs/applications/audio/ecasound/default.nix
+++ b/pkgs/applications/audio/ecasound/default.nix
@ -15,11 +15,11 @@
 stdenv.mkDerivation rec {
  name = "ecasound-${version}";
-  version = "2.9.1";
+  version = "2.9.2";
  src = fetchurl {
    url = "https://ecasound.seul.org/download/ecasound-${version}.tar.gz";
-    sha256 = "1wyws3xc4f9pglrrqv6k9137sarv4asizqrxz8h0dn44rnzfiz1r";
+    sha256 = "15rcs28fq2wfvfs66p5na7adq88b55qszbhshpizgdbyqzgr2jf1";
  };
  buildInputs = [ alsaLib audiofile libjack2 liblo liboil libsamplerate libsndfile lilv lv2 ];
--- a/pkgs/applications/audio/pulseaudio-modules-bt/default.nix
+++ b/pkgs/applications/audio/pulseaudio-modules-bt/default.nix
@ -35,6 +35,7 @@ in stdenv.mkDerivation rec {
  patches = [
    ./fix-install-path.patch
    ./fix-aac-defaults.patch
  ];
  nativeBuildInputs = [
--- a/pkgs/applications/audio/pulseaudio-modules-bt/fix-aac-defaults.patch
+++ b/pkgs/applications/audio/pulseaudio-modules-bt/fix-aac-defaults.patch
@ -0,0 +1,15 @@
 diff --git a/src/modules/bluetooth/a2dp/a2dp_aac.c b/src/modules/bluetooth/a2dp/a2dp_aac.c
 index 394a7a0..cf5abaf 100644
 --- a/src/modules/bluetooth/a2dp/a2dp_aac.c
 +++ b/src/modules/bluetooth/a2dp/a2dp_aac.c
@@ -90,8 +90,8 @@ pa_aac_encoder_init(pa_a2dp_source_read_cb_t read_cb, pa_a2dp_source_read_buf_fr
     info->read_pcm = read_cb;
     info->read_buf_free = free_cb;
     info->aacenc_handle_opened = false;
 -    info->aac_enc_bitrate_mode = 5;
 -    info->aac_afterburner = false;
 +    info->aac_enc_bitrate_mode = 0;
 +    info->aac_afterburner = true;
     info->force_pa_fmt = PA_SAMPLE_INVALID;
     return true;
 }
--- a/pkgs/applications/audio/pulseeffects/default.nix
+++ b/pkgs/applications/audio/pulseeffects/default.nix
@ -47,13 +47,13 @@ let
  ];
 in stdenv.mkDerivation rec {
  pname = "pulseeffects";
-  version = "4.6.3";
+  version = "4.6.5";
  src = fetchFromGitHub {
    owner = "wwmm";
    repo = "pulseeffects";
    rev = "v${version}";
-    sha256 = "1gp23hpsnbiymbbhn6hp8sg1pnysgf04bj9k4h9dfinbgshlq6m7";
+    sha256 = "11ihr29szpqlk9wkscns00ijihyvn5659bj1p7r1ixwgfv708apq";
  };
  nativeBuildInputs = [
--- a/pkgs/applications/audio/qmmp/default.nix
+++ b/pkgs/applications/audio/qmmp/default.nix
@ -29,11 +29,11 @@
 # handle that.
 stdenv.mkDerivation rec {
-  name = "qmmp-1.3.2";
+  name = "qmmp-1.3.3";
  src = fetchurl {
    url = "http://qmmp.ylsoftware.com/files/${name}.tar.bz2";
-    sha256 = "1rh063kcyg7gs9yj2r4v5irpnq4pjaxaxsgrw30mdr21xhhc15cz";
+    sha256 = "1777kqgvbkshqlawy00gbgwflxflwmjjidqdq29mhqszs76r6727";
  };
  nativeBuildInputs = [ cmake pkgconfig ];
--- a/pkgs/applications/editors/android-studio/default.nix
+++ b/pkgs/applications/editors/android-studio/default.nix
@ -13,9 +13,9 @@ let
    sha256Hash = "0y4l9d1yrvv1csx6vl4jnqgqy96y44rl6p8hcxrnbvrg61iqnj30";
  };
  betaVersion = {
-    version = "3.5.0.16"; # "Android Studio 3.5 Beta 4"
+    version = "3.5.0.17"; # "Android Studio 3.5 Beta 5"
-    build = "191.5619324";
+    build = "191.5675373";
-    sha256Hash = "1rg6v9b8fdnmslpv80khhpx59lvwhj1vwbkyabz2fryfj67wz01z";
+    sha256Hash = "0iw9v2rzr32dhs3z4vgz93zvxcv111q4cvwzi2cb83hn8kl050ip";
  };
  latestVersion = { # canary & dev
    version = "3.6.0.3"; # "Android Studio 3.6 Canary 3"
--- a/pkgs/applications/editors/kakoune/default.nix
+++ b/pkgs/applications/editors/kakoune/default.nix
@ -3,7 +3,7 @@
 with stdenv.lib;
 stdenv.mkDerivation rec {
-  name = "kakoune-${version}";
+  pname = "kakoune-unwrapped";
  version = "2019.01.20";
  src = fetchFromGitHub {
    repo = "kakoune";
--- a/pkgs/applications/editors/kakoune/plugins.nix
+++ b/pkgs/applications/editors/kakoune/plugins.nix
@ -0,0 +1,5 @@
 { parinfer-rust }:
 {
  inherit parinfer-rust;
 }
--- a/pkgs/applications/editors/kakoune/wrapper.nix
+++ b/pkgs/applications/editors/kakoune/wrapper.nix
@ -0,0 +1,44 @@
 { stdenv, bash }:
 with stdenv.lib;
 kakoune:
 let
  getPlugins = { plugins ? [] }: plugins;
  wrapper = { configure ? {} }:
  stdenv.mkDerivation rec {
    pname = "kakoune";
    version = getVersion kakoune;
    src = ./.;
    buildCommand = ''
      mkdir -p $out/share/kak
      for plugin in ${strings.escapeShellArgs (getPlugins configure)}; do
        if [[ -d $plugin/share/kak/autoload ]]; then
          find "$plugin/share/kak/autoload" -type f -name '*.kak'| while read rcfile; do
            printf 'source "%s"\n' "$rcfile"
          done
        fi
      done >>$out/share/kak/plugins.kak
      mkdir -p $out/bin
      substitute ${src}/wrapper.sh $out/bin/kak \
        --subst-var-by bash "${bash}" \
        --subst-var-by kakoune "${kakoune}" \
        --subst-var-by out "$out"
      chmod +x $out/bin/kak
    '';
    preferLocalBuild = true;
    buildInputs = [ bash kakoune ];
    passthru = { unwrapped = kakoune; };
    meta = kakoune.meta // {
      # prefer wrapper over the package
      priority = (kakoune.meta.priority or 0) - 1;
      hydraPlatforms = [];
    };
  };
 in
  makeOverridable wrapper
--- a/pkgs/applications/editors/kakoune/wrapper.sh
+++ b/pkgs/applications/editors/kakoune/wrapper.sh
@ -0,0 +1,30 @@
 #!@bash@/bin/bash
 # We use the -E option to load plugins.  This only makes sense when we are
 # starting a new session, so we detect that.  Also, Kakoune can only handle
 # one -E option, so we prepend loading plugins to an existing one.
 args=( "$@" )
 loadPlugins=true
 EValueOffset=-1
 pluginScript='@out@/share/kak/plugins.kak'
 for (( i = 0; i < ${#args[@]}; i++ )); do
    case "${args[i]}" in
        -n|-c|-l|-p|-clear|-version) loadPlugins=false;;
        -E)                          EValueOffset=$(( i + 1 ));;
        --)                          break;;
    esac
    case "${args[i]}" in
        -E|-c|-e|-s|-p|-f|-i|-ui|-debug) i=$(( i + 1 ));;
    esac
 done
 if [[ $loadPlugins = true ]]; then
    if (( EValueOffset >= 0 )); then
        args[EValueOffset]="source '$pluginScript'"$'\n'"${args[EValueOffset]}"
    else
        args=( "-E" "source '$pluginScript'" "${args[@]}" )
    fi
 fi
 exec @kakoune@/bin/kak "${args[@]}"
--- a/pkgs/applications/editors/typora/default.nix
+++ b/pkgs/applications/editors/typora/default.nix
@ -2,11 +2,11 @@
 stdenv.mkDerivation rec {
  pname = "typora";
-  version = "0.9.70";
+  version = "0.9.72";
  src = fetchurl {
    url = "https://www.typora.io/linux/typora_${version}_amd64.deb";
-    sha256 = "08bgllbvgrpdkk9bryj4s16n274ps4igwrzdvsdbyw8wpp44vcy2";
+    sha256 = "0q7fj77pr3ykpwgip87h12qxvpvlzs15mi9w3phqm3p9mmm9rlrs";
  };
  nativeBuildInputs = [
--- a/pkgs/applications/editors/vscode/with-extensions.nix
+++ b/pkgs/applications/editors/vscode/with-extensions.nix
@ -68,6 +68,7 @@ runCommand "${wrappedPkgName}-with-extensions-${wrappedPkgVersion}" {
  ln -sT "${vscode}/share/pixmaps/code.png" "$out/share/pixmaps/code.png"
  ln -sT "${vscode}/share/applications/${executableName}.desktop" "$out/share/applications/${executableName}.desktop"
  ln -sT "${vscode}/share/applications/${executableName}-url-handler.desktop" "$out/share/applications/${executableName}-url-handler.desktop"
  makeWrapper "${vscode}/bin/${executableName}" "$out/bin/${executableName}" ${lib.optionalString (vscodeExtensions != []) ''
    --add-flags "--extensions-dir ${combinedExtensionsDrv}/share/${wrappedPkgName}/extensions"
  ''}
--- a/pkgs/applications/graphics/drawpile/default.nix
+++ b/pkgs/applications/graphics/drawpile/default.nix
@ -59,11 +59,11 @@ let
 in stdenv.mkDerivation rec {
  name = "drawpile-${version}";
-  version = "2.1.10";
+  version = "2.1.11";
  src = fetchurl {
    url = "https://drawpile.net/files/src/drawpile-${version}.tar.gz";
-    sha256 = "074lp5z5kh6qwar3y4ik7gma5mdgafdsb50q425xcd3pv00gy0hm";
+    sha256 = "00r5vzracvjk369rri2jxzgfaa1ll4qj5gdmzgflvidz8420bcvm";
  };
  nativeBuildInputs = [
--- a/pkgs/applications/graphics/geeqie/default.nix
+++ b/pkgs/applications/graphics/geeqie/default.nix
@ -1,6 +1,6 @@
 { stdenv, fetchurl, pkgconfig, autoconf, automake, gettext, intltool
 , gtk3, lcms2, exiv2, libchamplain, clutter-gtk, ffmpegthumbnailer, fbida
-, wrapGAppsHook
+, wrapGAppsHook, fetchpatch
 }:
 stdenv.mkDerivation rec {
@ -12,8 +12,20 @@ stdenv.mkDerivation rec {
    sha256 = "0ciygvcxb78pqg59r6p061mkbpvkgv2rv3r79j3kgv3kalb3ln2w";
  };
-  # Do not build the changelog as this requires markdown.
+  patches = [
-  patches = [ ./geeqie-no-changelog.patch ];
+    # Do not build the changelog as this requires markdown.
    (fetchpatch {
      name = "geeqie-1.4-goodbye-changelog.patch";
      url = "https://src.fedoraproject.org/rpms/geeqie/raw/132fb04a1a5e74ddb333d2474f7edb9a39dc8d27/f/geeqie-1.4-goodbye-changelog.patch";
      sha256 = "00a35dds44kjjdqsbbfk0x9y82jspvsbpm2makcm1ivzlhjjgszn";
    })
    # Fixes build with exiv2 0.27.1
    (fetchpatch {
      name = "geeqie-exiv2-0.27.patch";
      url = "https://git.archlinux.org/svntogit/packages.git/plain/trunk/geeqie-exiv2-0.27.patch?h=packages/geeqie&id=dee28a8b3e9039b9cd6927b5a93ef2a07cd8271d";
      sha256 = "05skpbyp8pcq92psgijyccc8liwfy2cpwprw6m186pf454yb5y9p";
    })
  ];
  preConfigure = "./autogen.sh";
--- a/pkgs/applications/graphics/geeqie/geeqie-no-changelog.patch
+++ b/pkgs/applications/graphics/geeqie/geeqie-no-changelog.patch
@ -1,14 +0,0 @@
 --- geeqie-1.4.orig/Makefile.am	2017-12-31 07:31:21.000000000 -0500
 +++ geeqie-1.4/Makefile.am	2018-01-01 15:05:58.742068166 -0500
@@ -10,9 +10,9 @@
 readmedir = @readmedir@
 if HAVE_MARKDOWN
 -readme_DATA = README.md COPYING ChangeLog TODO README.lirc AUTHORS README.html ChangeLog.html
 +readme_DATA = README.md COPYING TODO README.lirc AUTHORS README.html
 else
 -readme_DATA = README.md COPYING ChangeLog TODO README.lirc AUTHORS ChangeLog.html
 +readme_DATA = README.md COPYING TODO README.lirc AUTHORS
 endif
 desktopdir = $(datadir)/applications
--- a/pkgs/applications/graphics/hugin/default.nix
+++ b/pkgs/applications/graphics/hugin/default.nix
@ -1,4 +1,4 @@
-{ stdenv, cmake, fetchurl, gnumake, makeWrapper, pkgconfig
+{ stdenv, cmake, fetchurl, gnumake, makeWrapper, pkgconfig, fetchpatch
 , autopanosiftc, boost, cairo, enblend-enfuse, exiv2, fftw, flann, gettext
 , glew, ilmbase, lcms2, lensfun, libjpeg, libpng, libtiff, libX11, libXi
 , libXmu, libGLU_combined, openexr, panotools, perlPackages, sqlite, vigra, wxGTK, zlib
@ -12,6 +12,14 @@ stdenv.mkDerivation rec {
    sha256 = "1l925qslp98gg7yzmgps10h6dq0nb60wbfk345anlxsv0g2ifizr";
  };
  patches = [
    # Fixes build with exiv2 0.27.1
    (fetchpatch {
      url = "https://git.archlinux.org/svntogit/community.git/plain/trunk/hugin-exiv2-0.27.1.patch?h=packages/hugin";
      sha256 = "1yxvlpvrhyrfd2w6kwx1w3mncsvlzdhp0w7xchy8q6kc2kd5nf7r";
    })
  ];
  buildInputs = [
    boost cairo exiv2 fftw flann gettext glew ilmbase lcms2 lensfun libjpeg
    libpng libtiff libX11 libXi libXmu libGLU_combined openexr panotools sqlite vigra
--- a/pkgs/applications/graphics/luminance-hdr/default.nix
+++ b/pkgs/applications/graphics/luminance-hdr/default.nix
@ -1,23 +1,25 @@
-{ stdenv, cmake, fetchurl, pkgconfig, boost, exiv2, fftwFloat, gsl
+{ stdenv, cmake, fetchFromGitHub, pkgconfig, boost, exiv2, fftwFloat, gsl
 , ilmbase, lcms2, libraw, libtiff, openexr
-, qtbase, qtdeclarative, qttools, qtwebengine
+, qtbase, qtdeclarative, qttools, qtwebengine, eigen
 }:
 stdenv.mkDerivation rec {
-  name = "luminance-hdr-2.5.1";
+  pname = "luminance-hdr";
  version = "2.6.0";
-  src = fetchurl {
+  src = fetchFromGitHub {
-    url = "mirror://sourceforge/qtpfsgui/${name}.tar.bz2";
+    owner = "LuminanceHDR";
-    sha256 = "15hnyk9yjkkc97dmnrg2ipfgwqxprlcyv2kyvbls4d54zc56x658";
+    repo = "LuminanceHDR";
    rev = "v.${version}";
    sha256 = "1izmgjjp8mgyxv57sjjr05z7g7059ykb5wchlcn4wrnnb6aslnvn";
  };
  NIX_CFLAGS_COMPILE = "-I${ilmbase.dev}/include/OpenEXR";
-  buildInputs =
+  buildInputs = [
-    [
+    qtbase qtdeclarative qttools qtwebengine eigen
-      qtbase qtdeclarative qttools qtwebengine
+    boost exiv2 fftwFloat gsl ilmbase lcms2 libraw libtiff openexr
-      boost exiv2 fftwFloat gsl ilmbase lcms2 libraw libtiff openexr
+  ];
    ];
  nativeBuildInputs = [ cmake pkgconfig ];
--- a/pkgs/applications/graphics/nomacs/default.nix
+++ b/pkgs/applications/graphics/nomacs/default.nix
@ -27,6 +27,10 @@ stdenv.mkDerivation rec {
    sha256 = "12582i5v85da7vwjxj8grj99hxg34ij5cn3b1578wspdfw1xfy1i";
  };
  patches = [
    ./nomacs-iostream.patch
  ];
  enableParallelBuilding = true;
  setSourceRoot = ''
--- a/pkgs/applications/graphics/nomacs/nomacs-iostream.patch
+++ b/pkgs/applications/graphics/nomacs/nomacs-iostream.patch
@ -0,0 +1,26 @@
 diff --git a/src/DkCore/DkMetaData.cpp b/src/DkCore/DkMetaData.cpp
 index d195757e..affec7be 100644
 --- a/src/DkCore/DkMetaData.cpp
 +++ b/src/DkCore/DkMetaData.cpp
@@ -42,6 +42,8 @@
 #include <QApplication>
 #pragma warning(pop)		// no warnings from includes - end
 +#include <iostream>
 +
 namespace nmc {
 // DkMetaDataT --------------------------------------------------------------------
 diff --git a/src/DkGui/DkNoMacs.cpp b/src/DkGui/DkNoMacs.cpp
 index 6a412f70..bbfba233 100644
 --- a/src/DkGui/DkNoMacs.cpp
 +++ b/src/DkGui/DkNoMacs.cpp
@@ -96,6 +96,8 @@
 #include <QWinTaskbarButton>
 #endif
 +#include <iostream>
 +
 namespace nmc {
 DkNomacsOSXEventFilter::DkNomacsOSXEventFilter(QObject *parent) : QObject(parent) {
--- a/pkgs/applications/graphics/photivo/default.nix
+++ b/pkgs/applications/graphics/photivo/default.nix
@ -37,5 +37,6 @@ stdenv.mkDerivation rec {
  meta = with stdenv.lib; {
    platforms = platforms.linux;
    license = licenses.gpl3;
    broken = true; # exiv2 0.27.1 FTBFS
  };
 }
--- a/pkgs/applications/graphics/photoqt/default.nix
+++ b/pkgs/applications/graphics/photoqt/default.nix
@ -1,23 +1,36 @@
-{ stdenv, fetchurl, cmake, exiv2, graphicsmagick, libraw
+{ stdenv, fetchurl, cmake, exiv2, graphicsmagick, libraw, fetchpatch
 , qtbase, qtdeclarative, qtmultimedia, qtquickcontrols, qttools, qtgraphicaleffects
 , extra-cmake-modules, poppler, kimageformats, libarchive, libdevil
 }:
 stdenv.mkDerivation rec {
-  name = "photoqt-${version}";
+  pname = "photoqt";
-  version = "1.5.1";
+  version = "1.7.1";
  src = fetchurl {
-    url = "https://photoqt.org/pkgs/photoqt-${version}.tar.gz";
+    url = "https://${pname}.org/pkgs/${pname}-${version}.tar.gz";
-    sha256 = "17kkpzkmzfnigs26jjyd75iy58qffjsclif81cmviq73lzmqy0b1";
+    sha256 = "1qvxdh3cbjcywqx0da2qp8z092660qyzv5yknqbps2zr12qqb103";
  };
-  patches = [ ./photoqt-1.5.1-qt-5.9.patch ];
+  patches = [
    # Fixes build with exiv2 0.27.1
    (fetchpatch {
      url = "https://gitlab.com/luspi/photoqt/commit/c6fd41478e818f3a651d40f96cab3d790e1c09a4.patch";
      sha256 = "1j2pdr7hm3js7lswhb4qkf9sj9viclhjqz50qxpyd7pqrl1gf2va";
    })
  ];
-  nativeBuildInputs = [ cmake ];
+  nativeBuildInputs = [ cmake extra-cmake-modules qttools ];
  buildInputs = [
-    qtbase qtquickcontrols qttools exiv2 graphicsmagick
+    qtbase qtquickcontrols exiv2 graphicsmagick poppler
    qtmultimedia qtdeclarative libraw qtgraphicaleffects
    kimageformats libarchive
  ];
  cmakeFlags = [
    "-DFREEIMAGE=OFF"
    "-DDEVIL=OFF"
  ];
  preConfigure = ''
--- a/pkgs/applications/graphics/photoqt/photoqt-1.5.1-qt-5.9.patch
+++ b/pkgs/applications/graphics/photoqt/photoqt-1.5.1-qt-5.9.patch
@ -1,13 +0,0 @@
 diff --git a/CMakeLists.txt b/CMakeLists.txt
 index 97abcb5..fd4877a 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
@@ -50,7 +50,7 @@ SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -O3 -Wall")
 #### FIND REQUIRED PACKAGES ####
 ################################
 -FIND_PACKAGE(Qt5 COMPONENTS LinguistTools Quick Widgets Core Svg REQUIRED)
 +FIND_PACKAGE(Qt5 COMPONENTS LinguistTools Quick Widgets Core Svg Sql Xml REQUIRED)
 SET(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake" ${CMAKE_MODULE_PATH})
 FIND_PACKAGE(Magick)
 FIND_PACKAGE(Exiv2)
--- a/pkgs/applications/graphics/qtpfsgui/default.nix
+++ b/pkgs/applications/graphics/qtpfsgui/default.nix
@ -1,41 +0,0 @@
 {stdenv, fetchurl, qt4, qmake4Hook, exiv2, openexr, fftwSinglePrec, libtiff, ilmbase }:
 stdenv.mkDerivation rec {
  name = "qtpfsgui-1.9.3";
  src = fetchurl {
    url = "mirror://sourceforge/qtpfsgui/${name}.tar.gz";
    sha256 = "1mlg9dry4mfnnjlnwsw375hzsiagssdhccfmapx5nh6ykqrslsh1";
  };
  buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
  nativeBuildInputs = [ qmake4Hook ];
  hardeningDisable = [ "format" ];
  preConfigure = ''
    export CPATH="${ilmbase.dev}/include/OpenEXR:$CPATH"
  '';
  qmakeFlags = [
    "EXIV2PATH=${exiv2.dev}/include/exiv2"
    "OPENEXRDIR=${openexr.dev}/include/OpenEXR"
    "FFTW3DIR=${fftwSinglePrec.dev}/include"
    "LIBTIFFDIR=${libtiff.dev}/include"
  ];
  meta = {
    homepage = http://qtpfsgui.sourceforge.net/;
    description = "Qtpfsqui, a graphical application for high dynamic range (HDR) imaging";
    longDescription =
      '' Qtpfsgui is an open source graphical user interface application that
         aims to provide a workflow for high dynamic range (HDR) imaging.
      '';
    license = stdenv.lib.licenses.gpl2Plus;
    maintainers = [ ];
    platforms = stdenv.lib.platforms.gnu ++ stdenv.lib.platforms.linux;
  };
 }
--- a/pkgs/applications/kde/gwenview.nix
+++ b/pkgs/applications/kde/gwenview.nix
@ -3,7 +3,7 @@
  extra-cmake-modules, kdoctools,
  exiv2, lcms2,
  baloo, kactivities, kdelibs4support, kio, kipi-plugins, libkdcraw, libkipi,
-  phonon, qtimageformats, qtsvg, qtx11extras, kinit
+  phonon, qtimageformats, qtsvg, qtx11extras, kinit, fetchpatch
 }:
 mkDerivation {
@ -18,4 +18,12 @@ mkDerivation {
    qtimageformats qtsvg qtx11extras
  ];
  propagatedUserEnvPkgs = [ kipi-plugins libkipi (lib.getBin kinit) ];
  # Fixes build with exiv2-0.27.1. Drop in 19.04.2
  patches = [
    (fetchpatch {
      url = "https://github.com/KDE/gwenview/commit/172560b845460b6121154f88221c855542219943.patch";
      sha256 = "0y1l34h2s7rhfknvg6ggcc389jfzhpq69wf0s3xd5ccwfw7c0ycq";
    })
  ];
 }
--- a/pkgs/applications/misc/1password/default.nix
+++ b/pkgs/applications/misc/1password/default.nix
@ -2,24 +2,24 @@
 stdenv.mkDerivation rec {
  pname = "1password";
-  version = "0.5.6-003";
+  version = "0.5.7";
  src =
    if stdenv.hostPlatform.system == "i686-linux" then
      fetchzip {
        url = "https://cache.agilebits.com/dist/1P/op/pkg/v${version}/op_linux_386_v${version}.zip";
-        sha256 = "11smnx8fh32qm3b82x2ps4y46q29h77x1j1dj3d5vs0vha9b8frj";
+        sha256 = "1193lq6cvqkv2cy07l6wzb25gb5vb3s3pxm534q3izhzrrz6lisz";
        stripRoot = false;
      }
    else if stdenv.hostPlatform.system == "x86_64-linux" then
      fetchzip {
        url = "https://cache.agilebits.com/dist/1P/op/pkg/v${version}/op_linux_amd64_v${version}.zip";
-        sha256 = "1qwxga6qmb3n76h2fl1lxhnz676cqbx8gic1b5c9hw88gnqwykb9";
+        sha256 = "0hlw1jasxzg31293d2n3ydzj62q7ji7nig7aaighcvzi3c9j7v51";
        stripRoot = false;
      }
    else if stdenv.hostPlatform.system == "x86_64-darwin" then
      fetchzip {
        url = "https://cache.agilebits.com/dist/1P/op/pkg/v${version}/op_darwin_amd64_v${version}.zip";
-        sha256 = "0gzmwc20liqx2cqply06yarwp228ydfgfb26bmpxbvlp0cq7d07g";
+        sha256 = "05z5k63fza6v0vhydyiq4sh9xhxnd9rcfxyym7jihv6b3fv3fnx3";
        stripRoot = false;
      }
    else throw "Architecture not supported";
--- a/pkgs/applications/misc/alacritty/default.nix
+++ b/pkgs/applications/misc/alacritty/default.nix
@ -120,6 +120,6 @@ in buildRustPackage rec {
    homepage = https://github.com/jwilm/alacritty;
    license = with licenses; [ asl20 ];
    maintainers = with maintainers; [ mic92 ];
-    platforms = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" ];
+    platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" "aarch64-linux" ];
  };
 }
--- a/pkgs/applications/misc/calcurse/default.nix
+++ b/pkgs/applications/misc/calcurse/default.nix
@ -2,11 +2,11 @@
 stdenv.mkDerivation rec {
  name = "calcurse-${version}";
-  version = "4.4.0";
+  version = "4.5.0";
  src = fetchurl {
    url = "https://calcurse.org/files/${name}.tar.gz";
-    sha256 = "0vw2xi6a2lrhrb8n55zq9lv4mzxhby4xdf3hmi1vlfpyrpdwkjzd";
+    sha256 = "1vjwcmp51h7dsvwn0qx93w9chp3wp970v7d9mjhk7jyamcbfywn3";
  };
  buildInputs = [ ncurses gettext python3 python3Packages.wrapPython ];
--- a/pkgs/applications/misc/copyq/default.nix
+++ b/pkgs/applications/misc/copyq/default.nix
@ -5,13 +5,13 @@
 stdenv.mkDerivation rec {
  name = "CopyQ-${version}";
-  version = "3.8.0";
+  version = "3.9.0";
  src  = fetchFromGitHub {
    owner = "hluk";
    repo = "CopyQ";
    rev = "v${version}";
-    sha256 = "0kbhgg0j6iqfrpixvwl1mk3m0bz5s8bd6npk5xqcgzp1giywdc4i";
+    sha256 = "1l9f0hg2ggy944sjlyiyglln5mjm9fvgmvwp3pnvmmc6mfbmslq3";
  };
  nativeBuildInputs = [ cmake ];
--- a/pkgs/applications/misc/electron-cash/default.nix
+++ b/pkgs/applications/misc/electron-cash/default.nix
@ -2,13 +2,13 @@
 python3Packages.buildPythonApplication rec {
  pname = "electron-cash";
-  version = "4.0.2";
+  version = "4.0.7";
  src = fetchurl {
    url = "https://electroncash.org/downloads/${version}/win-linux/Electron-Cash-${version}.tar.gz";
    # Verified using official SHA-1 and signature from
    # https://github.com/fyookball/keys-n-hashes
-    sha256 = "6255cd0493442ec57c10ae70ca2e84c6a29497f90a1393e6ac5772afe7572acf";
+    sha256 = "d63ef2d52cff0b821b745067d752fd0c7f2902fa23eaf8e9392c54864cae5c77";
  };
  propagatedBuildInputs = with python3Packages; [
--- a/pkgs/applications/misc/gpscorrelate/default.nix
+++ b/pkgs/applications/misc/gpscorrelate/default.nix
@ -1,28 +1,41 @@
-{ fetchFromGitHub, stdenv, pkgconfig, exiv2, libxml2, gtk2
+{ fetchFromGitHub, stdenv, fetchpatch, pkgconfig, exiv2, libxml2, gtk3
-, libxslt, docbook_xsl, docbook_xml_dtd_42 }:
+, libxslt, docbook_xsl, docbook_xml_dtd_42, desktop-file-utils }:
 stdenv.mkDerivation rec {
-  name = "gpscorrelate-${version}";
+  pname = "gpscorrelate";
-  version = "1.6.1";
+  version = "unstable-2019-06-05";
  src = fetchFromGitHub {
-    owner = "freefoote";
+    owner = "dfandrich";
-    repo = "gpscorrelate";
+    repo = pname;
-    rev = version;
+    rev = "80b14fe7c10c1cc8f62c13f517c062577ce88c85";
-    sha256 = "1z0fc75rx7dl6nnydksa578qv116j2c2xs1czfiijzxjghx8njdj";
+    sha256 = "1gaan0nd7ai0bwilfnkza7lg5mz87804mvlygj0gjc672izr37r6";
  };
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [
-  buildInputs = [
+    desktop-file-utils
    exiv2 libxml2 gtk2
    libxslt docbook_xsl 
    docbook_xml_dtd_42
    docbook_xsl
    libxslt
    pkgconfig
  ];
-  patchPhase = ''
+  buildInputs = [
-    sed -i "Makefile" \
+    exiv2
-        -es",^[[:blank:]]*prefix[[:blank:]]*=.*$,prefix = $out,g"
+    gtk3
-  '';
+    libxml2
  ];
  makeFlags = [
    "prefix=${placeholder ''out''}"
    "GTK=3"
    "CC=cc"
    "CXX=c++"
  ];
  doCheck = true;
  installTargets = [ "install" "install-desktop-file" ];
  meta = with stdenv.lib; {
    description = "A GPS photo correlation tool, to add EXIF geotags";
@ -44,7 +57,7 @@ stdenv.mkDerivation rec {
    '';
    license = licenses.gpl2Plus;
-    homepage = https://github.com/freefoote/gpscorrelate;
+    homepage = "https://github.com/dfandrich/gpscorrelate";
    platforms = platforms.linux;
  };
 }
--- a/pkgs/applications/misc/jekyll/default.nix
+++ b/pkgs/applications/misc/jekyll/default.nix
@ -1,8 +1,27 @@
 { lib, bundlerApp, ruby
 , writeShellScriptBin, makeWrapper
 , withOptionalDependencies ? false
 }:
-bundlerApp rec {
+let
  rubyWrapper = writeShellScriptBin "ruby" ''
    if [[ "$#" -eq 2 ]]; then
      if [[ "''${1##*/}" == "bundle" && "$2" == "install" ]]; then
        # See https://github.com/NixOS/nixpkgs/issues/58126 for more details.
        echo 'Skipping "bundle install" as it fails due to the Nix wrapper.'
        echo 'Please enter the new directory and run the following commands to serve the page:'
        echo 'nix-shell -p bundler --run "bundle install --gemfile=Gemfile --path vendor/cache"'
        echo 'nix-shell -p bundler --run "bundle exec jekyll serve"'
        exit 0
        # The following nearly works:
        unset BUNDLE_FROZEN
        exec ${ruby}/bin/ruby "$@" --gemfile=Gemfile --path=vendor/cache
      fi
    fi
    # Else: Don't modify the arguments:
    exec ${ruby}/bin/ruby "$@"
  '';
 in bundlerApp rec {
  pname = "jekyll";
  exes = [ "jekyll" ];
@ -11,6 +30,12 @@ bundlerApp rec {
    then ./full
    else ./basic;
  buildInputs = [ makeWrapper ];
  postBuild = ''
    wrapProgram $out/bin/jekyll --prefix PATH : ${rubyWrapper}/bin
  '';
  meta = with lib; {
    description = "A blog-aware, static site generator, written in Ruby";
    longDescription = ''
--- a/pkgs/applications/misc/latte-dock/default.nix
+++ b/pkgs/applications/misc/latte-dock/default.nix
@ -3,12 +3,12 @@
 mkDerivation rec {
  pname = "latte-dock";
-  version = "0.8.8";
+  version = "0.8.9";
  name = "${pname}-${version}";
  src = fetchurl {
    url = "https://download.kde.org/stable/${pname}/${name}.tar.xz";
-    sha256 = "137s7rx35a5qrfww3q8bllj4zyjfa7l709snvdfj34y7jbq7p6cd";
+    sha256 = "1kkpxa39crjpqgamrcpgp1mrcdg0aq9850yb6cf7lw7d3x2fdrxj";
    name = "${name}.tar.xz";
  };
--- a/pkgs/applications/misc/lutris/default.nix
+++ b/pkgs/applications/misc/lutris/default.nix
@ -103,7 +103,7 @@ let
    perl which p7zip gnused gnugrep psmisc cups lcms2 mpg123 cairo unixODBC
    samba4 sane-backends openldap opencl-headers ocl-icd utillinux
-    (wine.override { wineBuild = "wineWow"; })
+    wineWowPackages.staging
    # ZDOOM
    soundfont-fluid bzip2 game-music-emu
--- a/pkgs/applications/misc/merkaartor/default.nix
+++ b/pkgs/applications/misc/merkaartor/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, qmake, pkgconfig, boost, gdal, proj
+{ stdenv, fetchFromGitHub, makeWrapper, qmake, pkgconfig, boost, gdal, proj
 , qtbase, qtsvg, qtwebkit }:
 stdenv.mkDerivation rec {
@ -12,12 +12,17 @@ stdenv.mkDerivation rec {
    sha256 = "0ls3q8m1hxiwyrypy6qca8wczhl4969ncl0sszfdwfv70rzxjk88";
  };
-  nativeBuildInputs = [ qmake pkgconfig ];
+  nativeBuildInputs = [ makeWrapper qmake pkgconfig ];
  buildInputs = [ boost gdal proj qtbase qtsvg qtwebkit ];
  enableParallelBuilding = true;
  postInstall = ''
    wrapProgram $out/bin/merkaartor \
      --set QT_QPA_PLATFORM_PLUGIN_PATH ${qtbase.bin}/lib/qt-*/plugins/platforms
  '';
  meta = with stdenv.lib; {
    description = "OpenStreetMap editor";
    homepage = http://merkaartor.be/;
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,3 @@`
							`# These are supported funding model platforms`

							`custom: https://nixos.org/nixos/foundation.html`