From 5deed1cb86a8d0f9cf4523113f92ac8b1b25dca3 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 30 Jun 2016 18:59:18 -0500 Subject: [PATCH 001/153] network-interfaces: use setcap-wrappers for ping and ping6 iff linux kernel is at-least 4.3 --- nixos/modules/tasks/network-interfaces.nix | 23 ++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index c52bd904cae..588a328192d 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, utils, ... }: +{ config, lib, pkgs, utils, stdenv, ... }: with lib; with utils; @@ -889,7 +889,26 @@ in (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)) )); - security.setuidPrograms = [ "ping" "ping6" ]; + # Capabilities won't work unless we have at-least a 4.3 Linux + # kernel because we need the ambient capability + security.setcapCapabilities = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") ( + [ + { program = "ping"; + setcap = true; + capabilities = "cap_net_raw+p"; + } + + { program = "ping6"; + setcap = true; + capabilities = "cap_net_raw+p"; + } + ] + ); + + # If our linux kernel IS older than 4.3, let's setuid ping and ping6 + security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") ( + [ "ping" "ping6" ] + ); # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration, From bfc3956376128b9560926f6c122a49d809b4be97 Mon Sep 17 00:00:00 2001 
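Review bot: `stdenv` in the new argument set `{ config, lib, pkgs, utils, stdenv, ... }:` is never referenced by the new code in this file, and as far as I know it is not one of the arguments the NixOS module system supplies, so declaring it as a required (non-defaulted) parameter would make evaluation fail with a missing-argument error. Keep the original `{ config, lib, pkgs, utils, ... }:`; if a platform check is needed later, `pkgs.stdenv` is already reachable through `pkgs`.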
From: Parnell Springmeyer Date: Thu, 30 Jun 2016 18:59:32 -0500 Subject: [PATCH 002/153] security: adding setcap-wrapper functionality --- nixos/modules/security/setcap-wrapper.c | 210 +++++++++++++++++++++ nixos/modules/security/setcap-wrappers.nix | 165 ++++++++++++++++ 2 files changed, 375 insertions(+) create mode 100644 nixos/modules/security/setcap-wrapper.c create mode 100644 nixos/modules/security/setcap-wrappers.nix diff --git a/nixos/modules/security/setcap-wrapper.c b/nixos/modules/security/setcap-wrapper.c new file mode 100644 index 00000000000..a44d174d90f --- /dev/null +++ b/nixos/modules/security/setcap-wrapper.c 
@@ -0,0 +1,210 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// Make sure assertions are not compiled out, we use them to codify +// invariants about this program and we want it to fail fast and +// loudly if they are violated. +#undef NDEBUG + +extern char **environ; + +// The SOURCE_PROG and WRAPPER_DIR macros are supplied at compile time +// for a security reason: So they cannot be changed at runtime. +static char * sourceProg = SOURCE_PROG; +static char * wrapperDir = WRAPPER_DIR; + +// Update the capabilities of the running process to include the given +// capability in the Ambient set. +static void set_ambient_cap(cap_value_t cap) +{ + capng_get_caps_process(); + + if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap)) + { + printf("cannot raise the capability into the Inheritable set\n"); + exit(1); + } + + capng_apply(CAPNG_SELECT_CAPS); + + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0)) + { + perror("cannot raise the capability into the Ambient set\n"); + exit(1); + } +} + +// Given the path to this program, fetch its configured capability set +// (as set by `setcap ... /path/to/file`) and raise those capabilities +// into the Ambient set. +static int make_caps_ambient(const char *selfPath) +{ + cap_t caps = cap_get_file(selfPath); + + if(!caps) + { + fprintf(stderr, "could not retreive the capability set for this file\n"); + return 1; + } + + // We use `cap_to_text` and iteration over the tokenized result + // string because, as of libcap's current release, there is no + // facility for retrieving an array of `cap_value_t`'s that can be + // given to `prctl` in order to lift that capability into the + // Ambient set. 
+ // + // Some discussion was had around shot-gunning all of the + // capabilities we know about into the Ambient set but that has a + // security smell and I deemed the risk of the current + // implementation crashing the program to be lower than the risk + // of a privilege escalation security hole being introduced by + // raising all capabilities, even ones we didn't intend for the + // program, into the Ambient set. + // + // `cap_t` which is returned by `cap_get_*` is an opaque type and + // even if we could retrieve the bitmasks (which, as far as I can + // tell we cannot) in order to get the `cap_value_t` + // representation for each capability we would have to take the + // total number of capabilities supported and iterate over the + // sequence of integers up-to that maximum total, testing each one + // against the bitmask ((bitmask >> n) & 1) to see if it's set and + // aggregating each "capability integer n" that is set in the + // bitmask. + // + // That, combined with the fact that we can't easily get the + // bitmask anyway seemed much more brittle than fetching the + // `cap_t`, transforming it into a textual representation, + // tokenizing the string, and using `cap_from_name` on the token + // to get the `cap_value_t` that we need for `prctl`. There is + // indeed risk involved if the output string format of + // `cap_to_text` ever changes but at this time the combination of + // factors involving the below list have led me to the conclusion + // that the best implementation at this time is reading then + // parsing with *lots of documentation* about why we're doing it + // this way. + // + // 1. No explicit API for fetching an array of `cap_value_t`'s or + // for transforming a `cap_t` into such a representation + // 2. The risk of a crash is lower than lifting all capabilities + // into the Ambient set + // 3. 
libcap is depended on heavily in the Linux ecosystem so + // there is a high chance that the output representation of + // `cap_to_text` will not change which reduces our risk that + // this parsing step will cause a crash + // + // The preferred method, should it ever be available in the + // future, would be to use libcap API's to transform the result + // from a `cap_get_*` into an array of `cap_value_t`'s that can + // then be given to prctl. + // + // - Parnell + ssize_t capLen; + char* capstr = cap_to_text(caps, &capLen); + cap_free(caps); + + // TODO: For now, we assume that cap_to_text always starts its + // result string with " =" and that the first capability is listed + // immediately after that. We should verify this. + assert(capLen >= 2); + capstr += 2; + + char* saveptr = NULL; + for(char* tok = strtok_r(capstr, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr)) + { + cap_value_t capnum; + if (cap_from_name(tok, &capnum)) + { + fprintf(stderr, "cap_from_name failed, skipping: %s\n", tok); + } + else if (capnum == CAP_SETPCAP) + { + // Check for the cap_setpcap capability, we set this on the + // wrapper so it can elevate the capabilities to the Ambient + // set but we do not want to propagate it down into the + // wrapped program. + // + // TODO: what happens if that's the behavior you want + // though???? I'm preferring a strict vs. loose policy here. + fprintf(stderr, "cap_setpcap in set, skipping it\n"); + } + else + { + set_ambient_cap(capnum); + printf("raised %s into the Ambient capability set\n", tok); + } + } + cap_free(capstr); + + return 0; +} + +int main(int argc, char * * argv) +{ + // I *think* it's safe to assume that a path from a symbolic link + // should safely fit within the PATH_MAX system limit. Though I'm + // not positive it's safe... 
+ char selfPath[PATH_MAX]; + int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath) - 1); + + assert(selfPathSize > 0); + + selfPath[selfPathSize] = '\0'; + + // Make sure that we are being executed from the right location, + // i.e., `safeWrapperDir'. This is to prevent someone from creating + // hard link `X' from some other location, along with a false + // `X.real' file, to allow arbitrary programs from being executed + // with elevated capabilities. + int len = strlen(wrapperDir); + if (len > 0 && '/' == wrapperDir[len - 1]) + --len; + assert(!strncmp(selfPath, wrapperDir, len)); + assert('/' == wrapperDir[0]); + assert('/' == selfPath[len]); + + // Make *really* *really* sure that we were executed as + // `selfPath', and not, say, as some other setuid program. That + // is, our effective uid/gid should match the uid/gid of + // `selfPath'. + struct stat st; + assert(lstat(selfPath, &st) != -1); + + assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())); + assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid())); + + // And, of course, we shouldn't be writable. + assert(!(st.st_mode & (S_IWGRP | S_IWOTH))); + + struct stat stR; + stat(sourceProg, &stR); + + // Make sure the program we're wrapping is non-zero + assert(stR.st_size > 0); + + // Read the capabilities set on the file and raise them in to the + // Ambient set so the program we're wrapping receives the + // capabilities too! + assert(!make_caps_ambient(selfPath)); + + execve(sourceProg, argv, environ); + + fprintf(stderr, "%s: cannot run `%s': %s\n", + argv[0], sourceProg, strerror(errno)); + + exit(1); +} + + diff --git a/nixos/modules/security/setcap-wrappers.nix b/nixos/modules/security/setcap-wrappers.nix new file mode 100644 index 00000000000..a9e3f8c0b1c --- /dev/null +++ b/nixos/modules/security/setcap-wrappers.nix 
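Review bot: `stat(sourceProg, &stR);` in main ignores its return value, so if the wrapped program is missing or inaccessible `stR.st_size` is read from an uninitialized struct and `assert(stR.st_size > 0)` tests garbage; make the call part of the invariant, `assert(stat(sourceProg, &stR) != -1);`, so the wrapper fails closed before it raises any capability. In make_caps_ambient, `capstr += 2` advances the only copy of the pointer returned by `cap_to_text`, so the later `cap_free(capstr)` passes an interior pointer that libcap never handed out and the text buffer is not released correctly; keep the original, e.g. `char *capText = cap_to_text(caps, &capLen); char *capstr = capText + 2;` and free `capText`. The same function never checks `cap_to_text` for NULL before asserting on `capLen`, which is uninitialized in that case, and the assert covers only the length, not the `" ="` prefix the TODO says the parsing depends on, so the prefix it skips should be verified as well. In set_ambient_cap the first failure message goes to stdout via `printf`, the `perror` string ends in `\n`, which pushes the errno text onto a separate line, and the `capng_apply` result is discarded; use `fprintf(stderr, ...)`, drop the newline and check `capng_apply` like the other calls.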
@@ -0,0 +1,165 @@ +{ config, lib, pkgs, ... }: + +with lib; with pkgs; + +let + + inherit (config.security) setcapWrapperDir; + + cfg = config.security.setcapCapabilities; + + # Produce a shell-code splice intended to be stitched into one of + # the build or install phases within the `setcapWrapper` derivation. + mkSetcapWrapper = { program, source ? null, ...}: + '' + if ! source=${if source != null then source else "$(readlink -f $(PATH=$SETCAP_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} + fi + + gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${setcapWrapperDir}\" \ + -lcap-ng -lcap ${./setcap-wrapper.c} -o $out/bin/${program}.wrapper + ''; + + setcapWrappers = + + # This is only useful for Linux platforms and a kernel version of + # 4.3 or greater + assert pkgs.stdenv.isLinux; + assert versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3"; + + pkgs.stdenv.mkDerivation { + name = "setcap-wrapper"; + unpackPhase = "true"; + buildInputs = [ linuxHeaders_4_4 libcap libcap_ng ]; + installPhase = '' + mkdir -p $out/bin + + # Concat together all of our shell splices to compile + # binary wrapper programs for all configured setcap programs. + ${concatMapStrings mkSetcapWrapper cfg} + ''; + }; +in +{ + options = { + security.setcapCapabilities = mkOption { + type = types.listOf types.attrs; + default = []; + example = + [ { program = "sendmail"; + source = "${pkgs.sendmail.bin}/bin/sendmail"; + owner = "nobody"; + group = "postdrop"; + setcap = true; + capabilities = "cap_net_raw+ep"; + } + ]; + description = '' + This option sets capabilities on a wrapper program that + propagates those capabilities down to the wrapped, real + program. + + The `program` attribute is the name of the program to be + wrapped. 
If no `source` attribute is provided, specifying the + absolute path to the program, then the program will be + searched for in the path environment variable. + + NOTE: cap_setpcap, which is required for the wrapper program + to be able to raise caps into the Ambient set is NOT raised to + the Ambient set so that the real program cannot modify its own + capabilities!! This may be too restrictive for cases in which + the real program needs cap_setpcap but it at least leans on + the side security paranoid vs. too relaxed. + + The attribute `setcap` defaults to false and it will create a + wrapper program but never set the capability set on it. This + is done so that you can remove a capability sent entirely from + a wrapper program without also needing to go change any + absolute paths that may be directly referencing the wrapper + program. + ''; + }; + + security.setcapWrapperDir = mkOption { + type = types.path; + default = "/nix/var/setcap-wrappers"; + internal = true; + description = '' + This option defines the path to the setcap wrappers. It + should generally not be overriden. + ''; + }; + + }; + + config = { + + # Make sure our setcap-wrapper dir exports to the PATH env + # variable when initializing the shell + environment.extraInit = '' + # The setcap wrappers override other bin directories. + export PATH="${config.security.setcapWrapperDir}:$PATH" + ''; + + + + system.activationScripts.setcap = + let + setcapPrograms = cfg; + configureSetcapWrapper = + { program + , capabilities + , source ? null + , owner ? "nobody" + , group ? "nogroup" + , setcap ? false + }: + '' + mkdir -p ${setcapWrapperDir} + + cp ${setcapWrappers}/bin/${program}.wrapper ${setcapWrapperDir}/${program} + + # Prevent races + chmod 0000 ${setcapWrapperDir}/${program} + chown ${owner}.${group} ${setcapWrapperDir}/${program} + + # Set desired capabilities on the file plus cap_setpcap so + # the wrapper program can elevate the capabilities set on + # its file into the Ambient set. 
+ # + # Only set the capabilities though if we're being told to + # do so. + ${ + if setcap then + '' + ${libcap.out}/bin/setcap "cap_setpcap,${capabilities}" ${setcapWrapperDir}/${program} + '' + else "" + } + + # Set the executable bit + chmod u+rx,g+x,o+x ${setcapWrapperDir}/${program} + ''; + + in stringAfter [ "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. + SETCAP_PATH=${config.system.path}/bin:${config.system.path}/sbin + + # When a program is removed from the security.setcapCapabilities + # list we have to remove all of the previous program wrappers + # and re-build them minus the wrapper for the program removed, + # hence the rm here in the activation script. + + rm -f ${setcapWrapperDir}/* + + # Concatenate the generated shell slices to configure + # wrappers for each program needing specialized capabilities. + + ${concatMapStrings configureSetcapWrapper setcapPrograms} + ''; + }; +} From b3d63f81919d1da80b28362cbc6368d42d0deb68 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 30 Jun 2016 19:14:14 -0500 Subject: [PATCH 003/153] security: whitespace wibble --- nixos/modules/security/setcap-wrappers.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/nixos/modules/security/setcap-wrappers.nix b/nixos/modules/security/setcap-wrappers.nix index a9e3f8c0b1c..dbd40e266ba 100644 --- a/nixos/modules/security/setcap-wrappers.nix +++ b/nixos/modules/security/setcap-wrappers.nix @@ -103,8 +103,6 @@ in export PATH="${config.security.setcapWrapperDir}:$PATH" ''; - - system.activationScripts.setcap = let setcapPrograms = cfg; From 00dc2c559ca98c449253ae0090cb227a3d4c59e1 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 30 Jun 2016 19:21:12 -0500 Subject: [PATCH 004/153] installer: adding mkdir command for the setcap-wrappers dir --- nixos/modules/installer/tools/nixos-install.sh | 2 ++ 1 file changed, 2 insertions(+) 
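Review bot: `mkSetcapWrapper` resolves an entry without `source` via `$(PATH=$SETCAP_PATH type -tP ${program})`, but that splice runs in the derivation's `installPhase`, while `SETCAP_PATH` is only exported by the activation script at run time, so inside the build the lookup cannot succeed and every such wrapper is compiled with `/nix/var/nix/profiles/default/bin/${program}` baked in as SOURCE_PROG, a mutable, impure path that the wrapper will later exec with elevated capabilities. Either make `source` mandatory (the option type `types.listOf types.attrs` enforces nothing, so a missing or misspelled attribute is not caught) or resolve the program to a store path at evaluation time, e.g. `source = "${pkgs.iputils.out}/bin/ping"`. If the profile fallback is kept on purpose, it deserves an explicit comment, since it is the one place where a binary outside the store can end up behind a capability-carrying wrapper. Separately, `chown ${owner}.${group}` uses the deprecated dot separator; `chown ${owner}:${group}` is the portable form.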
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 589a51fa709..f9412ed444e 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -92,12 +92,14 @@ fi mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home mkdir -m 01777 -p $mountPoint/tmp mkdir -m 0755 -p $mountPoint/tmp/root +mkdir -m 0755 -p $mountPoint/var/permissions-wrappers mkdir -m 0700 -p $mountPoint/root mount --rbind /dev $mountPoint/dev mount --rbind /proc $mountPoint/proc mount --rbind /sys $mountPoint/sys mount --rbind / $mountPoint/tmp/root mount -t tmpfs -o "mode=0755" none $mountPoint/run +mount -t tmpfs -o "mode=0755" none $mountPoint/var/permissions-wrappers rm -rf $mountPoint/var/run ln -s /run $mountPoint/var/run for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done From 6fe93ae42add1ac9174909a3b69e4c4cb2d82b33 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 30 Jun 2016 19:21:48 -0500 Subject: [PATCH 005/153] installer: adding perl 'next if' skip command for setcap-wrappers dir --- nixos/modules/installer/tools/nixos-generate-config.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 5e576367eb2..2190cac53d9 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl 
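Review bot: The directory created and tmpfs-mounted here, `$mountPoint/var/permissions-wrappers`, does not match the directory the module actually writes to: `security.setcapWrapperDir` defaults to `/nix/var/setcap-wrappers` in patch 002 and to `/var/setcap-wrappers` after patch 007, patch 005's nixos-generate-config.pl skips `/var/setcap-wrappers`, and patch 006's stage-2-init.sh mounts `/var/permissions-wrappers`. As a result the activation script populates a directory that is neither the per-boot tmpfs nor the one the config generator skips, so wrappers carrying file capabilities persist on the root filesystem across boots instead of being recreated on the tmpfs. Pick one name and derive all four sites from it; patch 012 later settles on `/var/permissions-wrappers` for the module, which would make this hunk consistent. The same mismatch applies to the hunks in nixos-generate-config.pl, stage-2-init.sh and the patch 007 change to setcap-wrappers.nix.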
@@ -329,6 +329,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) { # Skip special filesystems. next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs"; next if $mountPoint eq "/var/setuid-wrappers"; + next if $mountPoint eq "/var/setcap-wrappers"; # Skip the optional fields. my $n = 6; $n++ while $fields[$n] ne "-"; $n++; From 12a23b3d913573d6d7dbd202e00e4c6a1102d6fc Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 30 Jun 2016 19:22:19 -0500 Subject: [PATCH 006/153] boot: create setcap-wrappers dir as a tmpfs --- nixos/modules/system/boot/stage-2-init.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index 704150e77d7..946897b1c43 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -141,6 +141,11 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then cat /etc/resolv.conf | resolvconf -m 1000 -a host fi +# Create /var/permissions-wrappers as a tmpfs. +rm -rf /var/permissions-wrappers +mkdir -m 0755 -p /var/permissions-wrappers +mount -t tmpfs -o "mode=0755" tmpfs /var/permissions-wrappers + # Log the script output to /dev/kmsg or /run/log/stage-2-init.log. # Only at this point are all the necessary prerequisites ready for these commands. exec {logOutFd}>&1 {logErrFd}>&2 From 1c0f672f7ae2d7d1db29b7d1a4ed2181e71538b8 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 30 Jun 2016 19:23:19 -0500 Subject: [PATCH 007/153] security: update setcap-wrappers dir to match the system-level dir we're creating on init --- nixos/modules/security/setcap-wrappers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/setcap-wrappers.nix b/nixos/modules/security/setcap-wrappers.nix index dbd40e266ba..faebc6f7e0d 100644 
--- a/nixos/modules/security/setcap-wrappers.nix +++ b/nixos/modules/security/setcap-wrappers.nix @@ -84,7 +84,7 @@ in security.setcapWrapperDir = mkOption { type = types.path; - default = "/nix/var/setcap-wrappers"; + default = "/var/setcap-wrappers"; internal = true; description = '' This option defines the path to the setcap wrappers. It From 4e98aa639f9161fe461ba1c2e4f31519f9d89569 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Fri, 1 Jul 2016 11:07:16 -0500 Subject: [PATCH 008/153] module-list: adding setcap-wrappers to the import list --- nixos/modules/module-list.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index dfc1d694e97..dde0be5c14c 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -104,6 +104,7 @@ ./security/rngd.nix ./security/rtkit.nix ./security/setuid-wrappers.nix + ./security/setcap-wrappers.nix ./security/sudo.nix ./services/amqp/activemq/default.nix ./services/amqp/rabbitmq.nix From 2efb60c8e9c502b0fb4df81b03700b600118722a Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Fri, 1 Jul 2016 11:09:14 -0500 Subject: [PATCH 009/153] security: tweaking the setcap-wrapper example to be more relevant --- nixos/modules/security/setcap-wrappers.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nixos/modules/security/setcap-wrappers.nix b/nixos/modules/security/setcap-wrappers.nix index faebc6f7e0d..b8383d81358 100644 --- a/nixos/modules/security/setcap-wrappers.nix +++ b/nixos/modules/security/setcap-wrappers.nix @@ -48,10 +48,9 @@ in type = types.listOf types.attrs; default = []; example = - [ { program = "sendmail"; - source = "${pkgs.sendmail.bin}/bin/sendmail"; + [ { program = "ping"; owner = "nobody"; - group = "postdrop"; + group = "nogroup"; setcap = true; capabilities = "cap_net_raw+ep"; } From 79f1a1e07ae758de73cd640faf488a0bf1c479b8 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Fri, 1 Jul 2016 11:53:21 -0500 Subject: [PATCH 010/153] security: need to specify the ping binary paths for setcap wrappers. --- nixos/modules/tasks/network-interfaces.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 588a328192d..12605c24516 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -894,11 +894,13 @@ in security.setcapCapabilities = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") ( [ { program = "ping"; + source = "${pkgs.iputils.out}/bin/ping"; setcap = true; capabilities = "cap_net_raw+p"; } { program = "ping6"; + source = "${pkgs.iputils.out}/bin/ping6"; setcap = true; capabilities = "cap_net_raw+p"; } From c16647ec29ab46b52cd365220288a8222cfcdad3 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Fri, 1 Jul 2016 15:54:33 -0500 Subject: [PATCH 011/153] security: switching to linuxHeaders so we always stay current with the selected kernel. --- nixos/modules/security/setcap-wrappers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/setcap-wrappers.nix b/nixos/modules/security/setcap-wrappers.nix index b8383d81358..ead3cb219f1 100644 --- a/nixos/modules/security/setcap-wrappers.nix +++ b/nixos/modules/security/setcap-wrappers.nix @@ -32,7 +32,7 @@ let pkgs.stdenv.mkDerivation { name = "setcap-wrapper"; unpackPhase = "true"; - buildInputs = [ linuxHeaders_4_4 libcap libcap_ng ]; + buildInputs = [ linuxHeaders libcap libcap_ng ]; installPhase = '' mkdir -p $out/bin From 79e81aa31bc7a0fa88507c06f21b41fbbd1cb863 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Fri, 15 Jul 2016 18:05:28 -0500 Subject: [PATCH 012/153] security: Removing the old wrappers and replacing with 'permissions-wrappers' --- .../security/permissions-wrappers/default.nix | 201 ++++++++++++++++++ .../permissions-wrapper.c} | 24 ++- .../setcap-wrapper-drv.nix | 37 ++++ .../setcap-wrappers.nix | 0 .../setuid-wrapper-drv.nix | 36 ++++ .../setuid-wrappers.nix | 0 nixos/modules/security/setuid-wrapper.c | 81 ------- 7 files changed, 293 insertions(+), 86 deletions(-) create mode 100644 nixos/modules/security/permissions-wrappers/default.nix rename nixos/modules/security/{setcap-wrapper.c => permissions-wrappers/permissions-wrapper.c} (95%) create mode 100644 nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix rename nixos/modules/security/{ => permissions-wrappers}/setcap-wrappers.nix (100%) create mode 100644 nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix rename nixos/modules/security/{ => permissions-wrappers}/setuid-wrappers.nix (100%) delete mode 100644 nixos/modules/security/setuid-wrapper.c diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix new file mode 100644 index 00000000000..a4491946df5 --- /dev/null +++ b/nixos/modules/security/permissions-wrappers/default.nix 
@@ -0,0 +1,201 @@ +{ config, lib, pkgs, ... }: +let + + inherit (config.security) permissionsWrapperDir; + + cfg = config.security.permissionsWrappers; + + setcapWrappers = import ./setcap-wrapper-drv.nix { }; + setuidWrappers = import ./setuid-wrapper-drv.nix { }; + + ###### Activation script for the setcap wrappers + configureSetcapWrapper = + { program + , capabilities + , source ? null + , owner ? "nobody" + , group ? "nogroup" + , setcap ? false + }: + '' + cp ${setcapWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program} + + # Prevent races + chmod 0000 ${permissionsWrapperDir}/${program} + chown ${owner}.${group} ${permissionsWrapperDir}/${program} + + # Set desired capabilities on the file plus cap_setpcap so + # the wrapper program can elevate the capabilities set on + # its file into the Ambient set. + # + # Only set the capabilities though if we're being told to + # do so. + ${ + if setcap then + '' + ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" ${permissionsWrapperDir}/${program} + '' + else "" + } + + # Set the executable bit + chmod u+rx,g+x,o+x ${permissionsWrapperDir}/${program} + ''; + + ###### Activation script for the setuid wrappers + setuidPrograms = + (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) + config.security.setuidPrograms) + ++ config.security.setuidOwners; + + makeSetuidWrapper = + { program + , source ? null + , owner ? "nobody" + , group ? "nogroup" + , setuid ? false + , setgid ? false + , permissions ? 
"u+rx,g+x,o+x" + }: + + '' + cp ${setuidWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program} + + # Prevent races + chmod 0000 ${permissionsWrapperDir}/${program} + chown ${owner}.${group} ${permissionsWrapperDir}/${program} + + chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program} + ''; +in +{ + + ###### interface + + options = { + security.permissionsWrappers.setcap = mkOption { + type = types.listOf types.attrs; + default = []; + example = + [ { program = "ping"; + source = "${pkgs.iputils.out}/bin/ping" + owner = "nobody"; + group = "nogroup"; + setcap = true; + capabilities = "cap_net_raw+ep"; + } + ]; + description = '' + This option sets capabilities on a wrapper program that + propagates those capabilities down to the wrapped, real + program. + + The `program` attribute is the name of the program to be + wrapped. If no `source` attribute is provided, specifying the + absolute path to the program, then the program will be + searched for in the path environment variable. + + NOTE: cap_setpcap, which is required for the wrapper program + to be able to raise caps into the Ambient set is NOT raised to + the Ambient set so that the real program cannot modify its own + capabilities!! This may be too restrictive for cases in which + the real program needs cap_setpcap but it at least leans on + the side security paranoid vs. too relaxed. + + The attribute `setcap` defaults to false and it will create a + wrapper program but never set the capability set on it. This + is done so that you can remove a capability sent entirely from + a wrapper program without also needing to go change any + absolute paths that may be directly referencing the wrapper + program. 
+ ''; + }; + + security.permissionsWrappers.setuid = mkOption { + type = types.listOf types.attrs; + default = []; + example = + [ { program = "sendmail"; + source = "${pkgs.sendmail.bin}/bin/sendmail"; + owner = "nobody"; + group = "postdrop"; + setuid = false; + setgid = true; + permissions = "u+rx,g+x,o+x"; + } + ]; + description = '' + This option allows the ownership and permissions on the setuid + wrappers for specific programs to be overridden from the + default (setuid root, but not setgid root). + ''; + }; + + security.permissionsWrapperDir = mkOption { + type = types.path; + default = "/var/permissions-wrappers"; + internal = true; + description = '' + This option defines the path to the permissions wrappers. It + should not be overriden. + ''; + }; + + }; + + + ###### implementation + + config = { + + # Make sure our setcap-wrapper dir exports to the PATH env + # variable when initializing the shell + environment.extraInit = '' + # The permissions wrappers override other bin directories. + export PATH="${config.security.permissionsWrapperDir}:$PATH" + ''; + + ###### setcap activation script + system.activationScripts.setcap = + stringAfter [ "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. + PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin + + # When a program is removed from the security.permissionsWrappers.setcap + # list we have to remove all of the previous program wrappers + # and re-build them minus the wrapper for the program removed, + # hence the rm here in the activation script. + + rm -f ${permissionsWrapperDir}/* + + # Concatenate the generated shell slices to configure + # wrappers for each program needing specialized capabilities. 
+ + ${concatMapStrings configureSetcapWrapper cfg.setcap} + ''; + + ###### setuid activation script + system.activationScripts.setuid = + stringAfter [ "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. + PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin + + # When a program is removed from the security.permissionsWrappers.setcap + # list we have to remove all of the previous program wrappers + # and re-build them minus the wrapper for the program removed, + # hence the rm here in the activation script. + + rm -f ${permissionsWrapperDir}/* + + # Concatenate the generated shell slices to configure + # wrappers for each program needing specialized capabilities. + + ${concatMapStrings configureSetuidWrapper cfg.setuid} + ''; + + }; +} diff --git a/nixos/modules/security/setcap-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c similarity index 95% rename from nixos/modules/security/setcap-wrapper.c rename to nixos/modules/security/permissions-wrappers/permissions-wrapper.c index a44d174d90f..effdaa93096 100644 --- a/nixos/modules/security/setcap-wrapper.c +++ b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c @@ -8,11 +8,6 @@ #include #include #include -#include -#include -#include -#include -#include // Make sure assertions are not compiled out, we use them to codify // invariants about this program and we want it to fail fast and 
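Review bot: Both new activation scripts, `system.activationScripts.setcap` and `system.activationScripts.setuid`, run `rm -f ${permissionsWrapperDir}/*` on the shared directory and are each ordered only `stringAfter [ "users" ]`, so whichever runs second deletes the wrappers the first one just installed; either clear the directory once in a single script that then runs both `concatMapStrings` passes, or have each script remove only the files it owns. The file also has several evaluation-time errors: it no longer has `with lib;` yet uses `mkOption`, `types`, `stringAfter` and `concatMapStrings` unqualified; `import ./setcap-wrapper-drv.nix { }` passes no `config`/`lib`/`pkgs` although those derivations take them as arguments; the setuid script calls `configureSetuidWrapper`, which is not defined (the helper is named `makeSetuidWrapper`); and the `ping` example is missing the `;` after `source = "${pkgs.iputils.out}/bin/ping"`. `setuidPrograms` is built from `security.setuidPrograms` and `security.setuidOwners` but never used, so those existing options would be silently ignored unless that is intended. Minor: `chown ${owner}.${group}` should use the `:` separator, and the setuid script's comment still refers to `security.permissionsWrappers.setcap`.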
@@ -26,6 +21,24 @@ extern char **environ; static char * sourceProg = SOURCE_PROG; static char * wrapperDir = WRAPPER_DIR; +// Make sure we have the WRAPPER_TYPE macro specified at compile +// time... +#ifdef WRAPPER_SETCAP +static char * wrapperType = "setcap"; +#elif defined WRAPPER_SETUID +static char * wrapperType = "setuid"; +#else +fprintf(stderr, "Program must be compiled with either the WRAPPER_SETCAP or WRAPPER_SETUID macros specified!\n"); +exit(1); +#endif + +#ifdef WRAPPER_SETCAP +#include +#include +#include +#include +#include + // Update the capabilities of the running process to include the given // capability in the Ambient set. static void set_ambient_cap(cap_value_t cap) @@ -150,6 +163,7 @@ static int make_caps_ambient(const char *selfPath) return 0; } +#endif int main(int argc, char * * argv) { diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix new file mode 100644 index 00000000000..f64c683f6e8 --- /dev/null +++ b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix 
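Review bot: The `#else` branch of the new `WRAPPER_SETCAP`/`WRAPPER_SETUID` selection places `fprintf(...)` and `exit(1)` at file scope, which is not valid C, so a build without either macro fails with a parse error rather than the intended message; use the preprocessor for this, `#error "Program must be compiled with either WRAPPER_SETCAP or WRAPPER_SETUID defined"`. `wrapperType` is defined in both branches but not used anywhere in the shown hunks, which will produce an unused-variable warning under `-Wall`; if it only documents the build, a comment does the same without the warning. The third hunk closes `make_caps_ambient` with `#endif`, but in the version from patch 002 `main`, outside these hunks, calls `make_caps_ambient(selfPath)` unconditionally, so the `WRAPPER_SETUID` build would not link unless that call is guarded too; worth confirming against the full file.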
@@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.security.permissionsWrappers; + + # Produce a shell-code splice intended to be stitched into one of + # the build or install phases within the derivation. + mkSetcapWrapper = { program, source ? null, ...}: + '' + if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} + fi + + gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \ + -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper + ''; +in + +# This is only useful for Linux platforms and a kernel version of +# 4.3 or greater +assert pkgs.stdenv.isLinux; +assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"; + +pkgs.stdenv.mkDerivation { + name = "setcap-wrapper"; + unpackPhase = "true"; + buildInputs = [ pkgs.linuxHeaders pkgs.libcap pkgs.libcap_ng ]; + installPhase = '' + mkdir -p $out/bin + + # Concat together all of our shell splices to compile + # binary wrapper programs for all configured setcap programs. + ${concatMapStrings mkSetcapWrapper cfg.setcap} + ''; +}; diff --git a/nixos/modules/security/setcap-wrappers.nix b/nixos/modules/security/permissions-wrappers/setcap-wrappers.nix similarity index 100% rename from nixos/modules/security/setcap-wrappers.nix rename to nixos/modules/security/permissions-wrappers/setcap-wrappers.nix diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix new file mode 100644 index 00000000000..15dc1918b5c --- /dev/null +++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix 
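Review bot: `concatMapStrings` at the end of `installPhase` is used unqualified, but this file takes `lib` as an argument and has no `with lib;`, so evaluation fails; write `${lib.concatMapStrings mkSetcapWrapper cfg.setcap}`, as the file already does for `lib.versionAtLeast`. setuid-wrapper-drv.nix in the same commit has the identical problem. The `$PERMISSIONS_WRAPPER_PATH` lookup in `mkSetcapWrapper` runs inside the build, where that variable is not set (it is exported only by the activation script), so entries without `source` always fall back to the impure `/nix/var/nix/profiles/default/bin/${program}` path that is then baked into a capability-carrying wrapper; consider asserting `source != null` here instead of silently falling back.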
@@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.security.permissionsWrappers; + + # Produce a shell-code splice intended to be stitched into one of + # the build or install phases within the derivation. + mkSetuidWrapper = { program, source ? null, ...}: + '' + if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} + fi + + gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \ + -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper + ''; +in + +# This is only useful for Linux platforms and a kernel version of +# 4.3 or greater +assert pkgs.stdenv.isLinux; +assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"; + +pkgs.stdenv.mkDerivation { + name = "setuid-wrapper"; + unpackPhase = "true"; + installPhase = '' + mkdir -p $out/bin + + # Concat together all of our shell splices to compile + # binary wrapper programs for all configured setcap programs. + ${concatMapStrings mkSetuidWrapper cfg.setuid} + ''; +}; diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/permissions-wrappers/setuid-wrappers.nix similarity index 100% rename from nixos/modules/security/setuid-wrappers.nix rename to nixos/modules/security/permissions-wrappers/setuid-wrappers.nix diff --git a/nixos/modules/security/setuid-wrapper.c b/nixos/modules/security/setuid-wrapper.c deleted file mode 100644 index ffd0b65b762..00000000000 --- a/nixos/modules/security/setuid-wrapper.c +++ /dev/null 
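Review bot: The `lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"` assertion looks inverted for the setuid derivation: network-interfaces.nix selects setuid wrappers precisely when the kernel is older than 4.3, so on such a kernel evaluating this file aborts before any wrapper is built. Only the setcap path depends on ambient capabilities, so drop the kernel assertion here and keep `assert pkgs.stdenv.isLinux;`. The `gcc` line also passes `-lcap-ng -lcap` with no `buildInputs` at all, which I would expect to fail to resolve in the build sandbox even though the setuid build does not use either library.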
@@ -1,81 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* Make sure assertions are not compiled out. */ -#undef NDEBUG - -extern char **environ; - -static char * wrapperDir = WRAPPER_DIR; - -int main(int argc, char * * argv) -{ - char self[PATH_MAX]; - - int len = readlink("/proc/self/exe", self, sizeof(self) - 1); - assert (len > 0); - self[len] = 0; - - /* Make sure that we are being executed from the right location, - i.e., `wrapperDir'. This is to prevent someone from - creating hard link `X' from some other location, along with a - false `X.real' file, to allow arbitrary programs from being - executed setuid. */ - assert ((strncmp(self, wrapperDir, strlen(wrapperDir)) == 0) && - (self[strlen(wrapperDir)] == '/')); - - /* Make *really* *really* sure that we were executed as `self', - and not, say, as some other setuid program. That is, our - effective uid/gid should match the uid/gid of `self'. */ - //printf("%d %d\n", geteuid(), getegid()); - - struct stat st; - assert (lstat(self, &st) != -1); - - //printf("%d %d\n", st.st_uid, st.st_gid); - - assert ((st.st_mode & S_ISUID) == 0 || - (st.st_uid == geteuid())); - - assert ((st.st_mode & S_ISGID) == 0 || - st.st_gid == getegid()); - - /* And, of course, we shouldn't be writable. */ - assert (!(st.st_mode & (S_IWGRP | S_IWOTH))); - - - /* Read the path of the real (wrapped) program from .real. 
*/ - char realFN[PATH_MAX + 10]; - int realFNSize = snprintf (realFN, sizeof(realFN), "%s.real", self); - assert (realFNSize < sizeof(realFN)); - - int fdSelf = open(realFN, O_RDONLY); - assert (fdSelf != -1); - - char real[PATH_MAX]; - len = read(fdSelf, real, PATH_MAX); - assert (len != -1); - assert (len < sizeof (real)); - assert (len > 0); - real[len] = 0; - - close(fdSelf); - - //printf("real = %s, len = %d\n", real, len); - - execve(real, argv, environ); - - fprintf(stderr, "%s: cannot run `%s': %s\n", - argv[0], real, strerror(errno)); - - exit(1); -} From 81b33eb46645b1bd3ab5029c0ca2012a24902bb0 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Fri, 15 Jul 2016 18:15:08 -0500 Subject: [PATCH 013/153] security: Updating the machinery for creating the wrapper programs dir in var and updating ping and ping6 for changed config interface. --- .../installer/tools/nixos-generate-config.pl | 3 +-- nixos/modules/module-list.nix | 3 +-- nixos/modules/tasks/network-interfaces.nix | 20 ++++++++++++++++--- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 2190cac53d9..4da752e1905 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -328,8 +328,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) { # Skip special filesystems. next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs"; - next if $mountPoint eq "/var/setuid-wrappers"; - next if $mountPoint eq "/var/setcap-wrappers"; + next if $mountPoint eq "/var/permissions-wrappers"; # Skip the optional fields. my $n = 6; $n++ while $fields[$n] ne "-"; $n++; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index dde0be5c14c..6e69cebf763 100644 --- a/nixos/modules/module-list.nix 
+++ b/nixos/modules/module-list.nix @@ -103,8 +103,7 @@ ./security/prey.nix ./security/rngd.nix ./security/rtkit.nix - ./security/setuid-wrappers.nix - ./security/setcap-wrappers.nix + ./security/permissions-wrappers ./security/sudo.nix ./services/amqp/activemq/default.nix ./services/amqp/rabbitmq.nix diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 12605c24516..1e0b874297a 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -891,7 +891,7 @@ in # Capabilities won't work unless we have at-least a 4.3 Linux # kernel because we need the ambient capability - security.setcapCapabilities = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") ( + security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") ( [ { program = "ping"; source = "${pkgs.iputils.out}/bin/ping"; @@ -908,8 +908,22 @@ in ); # If our linux kernel IS older than 4.3, let's setuid ping and ping6 - security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") ( - [ "ping" "ping6" ] + security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") ( + [ + { program = "ping"; + source = "${pkgs.iputils.out}/bin/ping"; + owner = "root"; + group = "root"; + setuid = true; + } + + { program = "ping6"; + source = "${pkgs.iputils.out}/bin/ping6"; + owner = "root"; + group = "root"; + setuid = true; + } + ] ); # Set the host and domain names in the activation script. Don't From 390ab0b3eff809052d5b9d9b5335413b36898481 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Fri, 15 Jul 2016 19:10:48 -0500 Subject: [PATCH 014/153] everything?: Updating every package that depended on the old setuidPrograms configuration. --- nixos/modules/programs/kbdlight.nix | 9 +++- nixos/modules/programs/light.nix | 9 +++- nixos/modules/programs/shadow.nix | 47 +++++++++++++++++-- nixos/modules/rename.nix | 1 - nixos/modules/security/duosec.nix | 12 ++++- nixos/modules/security/pam.nix | 21 ++++++++- nixos/modules/security/pam_usb.nix | 21 +++++++-- .../security/permissions-wrappers/default.nix | 5 -- nixos/modules/security/polkit.nix | 10 +++- nixos/modules/security/sudo.nix | 17 ++++++- nixos/modules/services/mail/exim.nix | 10 +++- nixos/modules/services/scheduling/cron.nix | 10 +++- nixos/modules/services/scheduling/fcron.nix | 10 +++- .../x11/desktop-managers/enlightenment.nix | 10 +++- pkgs/desktops/enlightenment/enlightenment.nix | 6 +-- 15 files changed, 170 insertions(+), 28 deletions(-) diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix index 0172368e968..c3ea6b5e973 100644 --- a/nixos/modules/programs/kbdlight.nix +++ b/nixos/modules/programs/kbdlight.nix @@ -11,6 +11,13 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kbdlight ]; - security.setuidPrograms = [ "kbdlight" ]; + + security.permissionsWrappers.setuid = + [ { program = "kbdlight"; + source = "${pkgs.kbdlight.out}/bin/kbdlight"; + user = "root"; + group = "root"; + setuid = true; + }]; }; } diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix index 09cd1113d9c..d141eaf66f7 100644 --- a/nixos/modules/programs/light.nix +++ b/nixos/modules/programs/light.nix @@ -21,6 +21,13 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.light ]; - security.setuidPrograms = [ "light" ]; + + security.permissionsWrappers.setuid = + [ { program = "light"; + source = "${pkgs.light.out}/bin/light"; + user = "root"; + group = "root"; + setuid = true; + }]; }; } 
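Review bot: The new entry sets `user = "root"`, but the activation script in permissions-wrappers/default.nix destructures `owner ? "nobody"`, so `user` is silently ignored and the wrapper is chowned to `nobody` before `u+s` is applied; a kbdlight setuid to nobody no longer does what the module promises. The same attribute-name mismatch is in the light, shadow, duosec, pam, pam_usb, polkit, sudo, exim, cron, fcron and enlightenment hunks of this commit. Use `owner = "root";` throughout, and consider giving the option a submodule type so an unknown attribute such as `user` is rejected at evaluation time instead of at activation.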
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 878c9cc0cf0..8ee324eaf63 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -102,11 +102,48 @@ in chgpasswd = { rootOK = true; }; }; - security.setuidPrograms = [ "su" "chfn" ] - ++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x - ++ lib.optionals config.users.mutableUsers - [ "passwd" "sg" "newgrp" ]; + security.setuidPrograms = + [ + { program = "su"; + source = "${pkgs.shadow.su}/bin/su"; + user = "root"; + group = "root"; + setuid = true; + } + { program = "chfn"; + source = "${pkgs.shadow.out}/bin/chfn"; + user = "root"; + group = "root"; + setuid = true; + } + ] ++ + (lib.optionals config.users.mutableUsers + map (x: x // { user = "root"; + group = "root"; + setuid = true; + }) + [ + { program = "passwd"; + source = "${pkgs.shadow.out}/bin/passwd"; + } + + { program = "sg"; + source = "${pkgs.shadow.out}/bin/sg"; + } + + { program = "newgrp"; + source = "${pkgs.shadow.out}/bin/newgrp"; + } + + { program = "newuidmap"; + source = "${pkgs.shadow.out}/bin/newuidmap"; + } + + { program = "newgidmap"; + source = "${pkgs.shadow.out}/bin/newgidmap"; + } + ] + ); }; - } diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 412cccc20d5..e4584146d6f 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -10,7 +10,6 @@ with lib; (mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ]) (mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ]) - (mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ]) (mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ]) (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ]) diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 0e3a54325ca..202218c915c 100644 
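Review bot: `lib.optionals config.users.mutableUsers map (x: ...) [ ... ]` applies `optionals` to three arguments (the condition, the `map` function and the list), which is a type error; `optionals` takes a boolean and a list, so the `map` call must be parenthesised: `++ (lib.optionals config.users.mutableUsers (map (x: x // { owner = "root"; group = "root"; setuid = true; }) [ ... ]))`. The rewrite also moves `newuidmap` and `newgidmap` under the `mutableUsers` condition, whereas the removed lines wrapped them unconditionally, so systems with immutable users would lose the helpers that unprivileged user namespaces rely on. The option is still named `security.setuidPrograms` here while the rest of the commit uses `security.permissionsWrappers.setuid`.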
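Review bot: Dropping the `extraSetuidPrograms → setuidPrograms` rename without adding anything for `setuidPrograms` itself means existing configurations that set `security.setuidPrograms` now fail with an undefined-option error and no hint about the replacement. Because the new `security.permissionsWrappers.setuid` entries need a `source` and an owner that the old string list did not carry, an automatic rename is not possible, but `(mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.permissionsWrappers.setuid instead.")` would at least name the new option in the error.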
--- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -193,7 +193,17 @@ in ]; environment.systemPackages = [ pkgs.duo-unix ]; - security.setuidPrograms = [ "login_duo" ]; + + security.permissionsWrappers.setuid = + [ + { program = "login_duo"; + source = "${pkgs.duo-unix.out}/bin/login_duo"; + user = "root"; + group = "root"; + setuid = true; + } + ]; + environment.etc = loginCfgFile ++ pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 77815cd6dcc..4c6b54f0274 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -442,8 +442,25 @@ in ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ] ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; - security.setuidPrograms = - optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]; + security.permissionsWrappers.setuid = + [ + (optionals config.security.pam.enableEcryptfs + { program = "mount.ecryptfs_private" + source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; + user = "root"; + group = "root"; + setuid = true; + }) + + (optionals config.security.pam.enableEcryptfs + { program = "umount.ecryptfs_private"; + source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; + user = "root"; + group = "root"; + setuid = true; + }) + ] + environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 11708a1f016..699cf6306e1 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix 
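Review bot: Each element of the new list is `(optionals config.security.pam.enableEcryptfs { ... })`, but `optionals` expects a list as its second argument, and when the condition is false the element becomes an empty list nested inside the outer list rather than disappearing. `optional` (singular) joined with `++` is the right combinator: `++ optional config.security.pam.enableEcryptfs { program = "mount.ecryptfs_private"; ... }`. The `program = "mount.ecryptfs_private"` line is also missing its `;`, and so is the closing `]` of the list before `environment.etc`.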
@@ -32,10 +32,25 @@ in config = mkIf (cfg.enable || anyUsbAuth) { - # pmount need to have a set-uid bit to make pam_usb works in user - # environment. (like su, sudo) + # Make sure pmount and pumount are setuid wrapped. + security.permissionsWrappers.setuid = + [ + { program = "pmount"; + source = "${pkgs.pmount.out}/bin/pmount"; + user = "root"; + group = "root"; + setuid = true; + } - security.setuidPrograms = [ "pmount" "pumount" ]; + { program = "pumount"; + source = "${pkgs.pmount.out}/bin/pumount"; + user = "root"; + group = "root"; + setuid = true; + } + ]; + +setuidPrograms = [ "pmount" "pumount" ]; environment.systemPackages = [ pkgs.pmount ]; }; diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index a4491946df5..5d4634daf78 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -43,11 +43,6 @@ let ''; ###### Activation script for the setuid wrappers - setuidPrograms = - (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) - config.security.setuidPrograms) - ++ config.security.setuidOwners; - makeSetuidWrapper = { program , source ? null diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index 507f81bbf07..db078667acf 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -83,7 +83,15 @@ in security.pam.services.polkit-1 = {}; - security.setuidPrograms = [ "pkexec" ]; + security.permissionsWrappers.setuid = + [ + { program = "pkexec"; + source = "${pkgs.polkit.out}/bin/pkexec"; + user = "root"; + group = "root"; + setuid = true; + } + ]; security.setuidOwners = [ { program = "polkit-agent-helper-1"; diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index bced2a6ed75..06dde14cd1c 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix 
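Review bot: The unindented `setuidPrograms = [ "pmount" "pumount" ];` line left after the new list defines an attribute directly under `config`, which the module system rejects as an option that does not exist, so this module fails to evaluate. It looks like a leftover of the removed `security.setuidPrograms` line and should simply be deleted.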
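Review bot: The `security.setuidOwners` entry for `polkit-agent-helper-1` that remains as context below the new list is, as far as I can see, no longer consumed by anything once the default.nix hunk above drops `++ config.security.setuidOwners` from the wrapper list, so that helper silently loses its setuid wrapper and polkit authentication from agents stops working. Move it into the same `security.permissionsWrappers.setuid` list, `{ program = "polkit-agent-helper-1"; source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; owner = "root"; group = "root"; setuid = true; }`, and grep for other `setuidOwners` users before the old option goes away.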
@@ -81,7 +81,22 @@ in ${cfg.extraConfig} ''; - security.setuidPrograms = [ "sudo" "sudoedit" ]; + security.permissionsWrappers.setuid = + [ + { program = "sudo"; + source = "${pkgs.sudo.out}/bin/sudo"; + user = "root"; + group = "root"; + setuid = true; + } + + { program = "sudoedit" + source = "${pkgs.sudo.out}/bin/sudo"; + user = "root"; + group = "root"; + setuid = true; + } + ]; environment.systemPackages = [ sudo ]; diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index e0890d96a88..aad497cbc71 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -89,7 +89,15 @@ in gid = config.ids.gids.exim; }; - security.setuidPrograms = [ "exim" ]; + security.permissionsWrappers.setuid = + [ + { program = "exim"; + source = "${pkgs.exim.out}/bin/exim"; + user = "root"; + group = "root"; + setuid = true; + } + ] systemd.services.exim = { description = "Exim Mail Daemon"; diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index f5e132fd77d..541fbb7ee64 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -95,7 +95,15 @@ in (mkIf (config.services.cron.enable) { - security.setuidPrograms = [ "crontab" ]; + security.permissionsWrappers.setuid = + [ + { program = "crontab"; + source = "${pkgs.cronNixosPkg.out}/bin/crontab"; + user = "root"; + group = "root"; + setuid = true; + } + ]; environment.systemPackages = [ cronNixosPkg ]; diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 7b4665a8204..6e8465ab08f 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix 
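Review bot: `{ program = "sudoedit"` is missing the `;` after the string, and its `source` is `${pkgs.sudo.out}/bin/sudo` rather than the `sudoedit` binary the wrapper is named for; unless the wrapper is known to preserve `argv[0]` so that sudo can detect edit mode by name, which I cannot verify from here, the intended line is `source = "${pkgs.sudo.out}/bin/sudoedit";`. The exim hunk below is likewise missing the `;` after its closing `]`.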
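Review bot: `source = "${pkgs.cronNixosPkg.out}/bin/crontab"` references `cronNixosPkg` as an attribute of `pkgs`, but the context line `environment.systemPackages = [ cronNixosPkg ]` shows it is a local binding of this module, so evaluation fails with an undefined attribute. The line should read `source = "${cronNixosPkg}/bin/crontab";`.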
@@ -106,7 +106,15 @@ in environment.systemPackages = [ pkgs.fcron ]; - security.setuidPrograms = [ "fcrontab" ]; + security.permissionsWrappers.setuid = + [ + { program = "fcrontab"; + source = "${pkgs.fcron.out}/bin/fcrontab"; + user = "root"; + group = "root"; + setuid = true; + } + ]; systemd.services.fcron = { description = "fcron daemon"; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 8a03dd65b33..b55950c6373 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -62,7 +62,15 @@ in ''; }]; - security.setuidPrograms = [ "e_freqset" ]; + security.permissionsWrappers.setuid = + [ + { program = "e_freqset"; + source = "${e.enlightenment.out}/bin/e_freqset"; + user = "root"; + group = "root"; + setuid = true; + } + ]; environment.etc = singleton { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; diff --git a/pkgs/desktops/enlightenment/enlightenment.nix b/pkgs/desktops/enlightenment/enlightenment.nix index f4ff94ad088..979843ffe9c 100644 --- a/pkgs/desktops/enlightenment/enlightenment.nix +++ b/pkgs/desktops/enlightenment/enlightenment.nix 
@@ -40,13 +40,13 @@ stdenv.mkDerivation rec { # this is a hack and without this cpufreq module is not working. does the following: # 1. moves the "freqset" binary to "e_freqset", # 2. linkes "e_freqset" to enlightenment/bin so that, - # 3. setuidPrograms detects it and makes appropriate stuff to /var/setuid-wrappers/e_freqset, - # 4. and finaly, linkes /var/setuid-wrappers/e_freqset to original destination where enlightenment wants it + # 3. permissionsWrappers.setuid detects it and places wrappers in /var/permissions-wrappers/e_freqset, + # 4. and finally, links /var/permissions-wrappers/e_freqset to original destination where enlightenment wants it postInstall = '' export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`; mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset - ln -sv /var/setuid-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset + ln -sv /var/permissions-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset ''; meta = { From 98c058a1ee338731d72d33f320da48c95fecd0e0 Mon Sep 17 00:00:00 2001 
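Review bot: The package now hardcodes `/var/permissions-wrappers/e_freqset`, which is the default of the internal NixOS option `security.permissionsWrapperDir`, so any change to that default silently breaks the cpufreq module's symlink without a build or evaluation error. A package in pkgs cannot read NixOS configuration, which is an argument for doing this link in the NixOS enlightenment module (which already registers `e_freqset` as a wrapper) rather than here; at minimum the comment should name the option the path must match.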
From: Parnell Springmeyer Date: Thu, 1 Sep 2016 19:06:21 -0500 Subject: [PATCH 015/153] Adapting everything for the merged permissions wrappers work. --- nixos/modules/config/shells-environment.nix | 2 +- .../modules/installer/tools/nixos-install.sh | 2 +- nixos/modules/programs/kbdlight.nix | 2 +- nixos/modules/programs/light.nix | 2 +- nixos/modules/programs/shadow.nix | 6 +-- nixos/modules/programs/unity3d.nix | 25 ++++++++++ nixos/modules/security/apparmor-suid.nix | 4 +- nixos/modules/security/duosec.nix | 2 +- nixos/modules/security/pam.nix | 45 ++++++++--------- nixos/modules/security/pam_usb.nix | 5 +- .../security/permissions-wrappers/default.nix | 48 +++++++++++-------- .../setcap-wrapper-drv.nix | 6 +-- .../setuid-wrapper-drv.nix | 6 +-- nixos/modules/security/polkit.nix | 18 ++++--- nixos/modules/security/sudo.nix | 8 ++-- nixos/modules/services/logging/logcheck.nix | 4 +- nixos/modules/services/mail/dovecot.nix | 2 +- nixos/modules/services/mail/exim.nix | 6 +-- nixos/modules/services/mail/mail.nix | 2 +- nixos/modules/services/monitoring/munin.nix | 4 +- nixos/modules/services/monitoring/smartd.nix | 2 +- .../services/network-filesystems/samba.nix | 2 +- nixos/modules/services/networking/gale.nix | 2 +- nixos/modules/services/networking/prayer.nix | 2 +- nixos/modules/services/scheduling/atd.nix | 4 +- nixos/modules/services/scheduling/cron.nix | 6 +-- nixos/modules/services/scheduling/fcron.nix | 4 +- nixos/modules/services/system/dbus.nix | 6 +-- .../x11/desktop-managers/enlightenment.nix | 2 +- .../services/x11/desktop-managers/kde4.nix | 2 +- .../services/x11/desktop-managers/kde5.nix | 2 +- .../virtualisation/virtualbox-host.nix | 2 +- .../applications/editors/sublime3/default.nix | 2 +- .../gale/gale-install.in.patch | 2 +- .../wireshark-lookup-dumpcap-in-path.patch | 4 +- .../gitlab/remove-hardcoded-locations.patch | 2 +- .../virtualization/virtualbox/hardened.patch | 6 +-- pkgs/build-support/build-fhs-userenv/env.nix | 2 +- 
.../development/libraries/libgksu/default.nix | 4 +- pkgs/development/libraries/polkit/default.nix | 2 +- pkgs/development/tools/unity3d/default.nix | 2 +- pkgs/os-specific/linux/fuse/default.nix | 2 +- pkgs/os-specific/linux/mdadm/default.nix | 2 +- pkgs/os-specific/linux/pam/default.nix | 2 +- pkgs/os-specific/linux/util-linux/default.nix | 2 +- pkgs/servers/interlock/default.nix | 2 +- pkgs/servers/mail/petidomo/default.nix | 2 +- .../nagios/plugins/official-2.x.nix | 4 +- pkgs/tools/X11/x11vnc/default.nix | 4 +- pkgs/tools/admin/certbot/default.nix | 2 +- pkgs/tools/misc/debian-devscripts/default.nix | 2 +- pkgs/tools/security/ecryptfs/default.nix | 2 +- pkgs/tools/security/sudo/default.nix | 2 +- pkgs/tools/system/at/default.nix | 2 +- pkgs/tools/system/ts/default.nix | 2 +- 55 files changed, 162 insertions(+), 131 deletions(-) create mode 100644 nixos/modules/programs/unity3d.nix diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix index f458bc39ada..54dd6f6570f 100644 --- a/nixos/modules/config/shells-environment.nix +++ b/nixos/modules/config/shells-environment.nix @@ -169,7 +169,7 @@ in ${cfg.extraInit} # The setuid wrappers override other bin directories. - export PATH="${config.security.wrapperDir}:$PATH" + export PATH="${config.security.permissionsWrapperDir}:$PATH" # ~/bin if it exists overrides other bin directories. export PATH="$HOME/bin:$PATH" diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index f9412ed444e..27c03ff9792 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh 
@@ -262,7 +262,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate # Ask the user to set a root password. if [ -z "$noRootPasswd" ] && [ -x $mountPoint/var/setuid-wrappers/passwd ] && [ -t 0 ]; then echo "setting root password..." - chroot $mountPoint /var/setuid-wrappers/passwd + chroot $mountPoint /var/permissions-wrappers/passwd fi diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix index c3ea6b5e973..30767a03291 100644 --- a/nixos/modules/programs/kbdlight.nix +++ b/nixos/modules/programs/kbdlight.nix @@ -15,7 +15,7 @@ in security.permissionsWrappers.setuid = [ { program = "kbdlight"; source = "${pkgs.kbdlight.out}/bin/kbdlight"; - user = "root"; + owner = "root"; group = "root"; setuid = true; }]; diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix index d141eaf66f7..c89f8e93721 100644 --- a/nixos/modules/programs/light.nix +++ b/nixos/modules/programs/light.nix @@ -25,7 +25,7 @@ in security.permissionsWrappers.setuid = [ { program = "light"; source = "${pkgs.light.out}/bin/light"; - user = "root"; + owner = "root"; group = "root"; setuid = true; }]; diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 8ee324eaf63..f40faa1ca5f 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -102,18 +102,18 @@ in chgpasswd = { rootOK = true; }; }; - security.setuidPrograms = + security.permissionsWrappers.setuid = [ { program = "su"; source = "${pkgs.shadow.su}/bin/su"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } { program = "chfn"; source = "${pkgs.shadow.out}/bin/chfn"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } diff --git a/nixos/modules/programs/unity3d.nix b/nixos/modules/programs/unity3d.nix new file mode 100644 index 00000000000..47f1d1ef160 --- /dev/null +++ b/nixos/modules/programs/unity3d.nix 
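Review bot: The condition on the line above still tests `-x $mountPoint/var/setuid-wrappers/passwd` while the changed line chroots into `/var/permissions-wrappers/passwd`, so on a system built from this tree the old path does not exist, the `if` is false and the root-password step is silently skipped. Change the test to the same path, `[ -x $mountPoint/var/permissions-wrappers/passwd ]`, or derive both from one variable so they cannot drift apart again.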
@@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.programs.unity3d; +in { + + options = { + programs.unity3d.enable = mkEnableOption "Unity3D, a game development tool"; + }; + + config = mkIf cfg.enable { + security.permissionsWrappers.setuid = [{ + program = "unity-chrome-sandbox"; + source = "${pkgs.unity3d.sandbox}/bin/unity-chrome-sandbox"; + owner = "root"; + #group = "root"; + setuid = true; + #setgid = true; + }]; + + environment.systemPackages = [ pkgs.unity3d ]; + }; + +} diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix index 4a6d61d2676..799f27b6708 100644 --- a/nixos/modules/security/apparmor-suid.nix +++ b/nixos/modules/security/apparmor-suid.nix @@ -19,7 +19,7 @@ with lib; config = mkIf (cfg.confineSUIDApplications) { security.apparmor.profiles = [ (pkgs.writeText "ping" '' #include - /var/setuid-wrappers/ping { + /var/permissions-wrappers/ping { #include #include #include @@ -33,7 +33,7 @@ with lib; ${pkgs.attr.out}/lib/libattr.so* mr, ${pkgs.iputils}/bin/ping mixr, - /var/setuid-wrappers/ping.real r, + /var/permissions-wrappers/ping.real r, #/etc/modules.conf r, diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 202218c915c..b5e1417fc89 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -198,7 +198,7 @@ in [ { program = "login_duo"; source = "${pkgs.duo-unix.out}/bin/login_duo"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 4c6b54f0274..1c5e6862da6 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix 
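Review bot: `#group = "root";` and `#setgid = true;` are commented-out code in a brand-new file; with them absent the activation script's defaults apply (`group ? "nogroup"`, setgid off), which is presumably the intent, so say so instead of leaving disabled lines: `# setuid root is all the sandbox needs; no setgid.` I also do not see `./programs/unity3d.nix` added to module-list.nix anywhere in this diff, so the new `programs.unity3d.enable` option may not be imported at all.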
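Review bot: The profile still grants `/var/permissions-wrappers/ping.real r,`, but the wrapper introduced earlier in this series has the wrapped program compiled in through `-DSOURCE_PROG` rather than read from a `.real` file next to it, so I would expect this rule to name a file that no longer exists; if that is right the line can go. It is also worth checking that the remaining rules cover what the compiled-in wrapper does (reading `/proc/self/exe`, executing the store path), since a profile that silently denies the wrapper's own steps breaks ping under AppArmor. The first hunk of this file only renames the profile's path and needs no change beyond that.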
@@ -444,34 +444,35 @@ in security.permissionsWrappers.setuid = [ - (optionals config.security.pam.enableEcryptfs - { program = "mount.ecryptfs_private" - source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; - user = "root"; - group = "root"; - setuid = true; - }) + { program = "unix_chkpwd"; + source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; + owner = "root"; + group = "root"; + setuid = true; + } + + - (optionals config.security.pam.enableEcryptfs - { program = "umount.ecryptfs_private"; - source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; - user = "root"; - group = "root"; - setuid = true; - }) - ] + ] ++ (optional config.security.pam.enableEcryptfs + { program = "umount.ecryptfs_private"; + source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; + owner = "root"; + group = "root"; + setuid = true; + } + ) ++ (optional config.security.pam.enableEcryptfs + { program = "mount.ecryptfs_private"; + source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; + owner = "root"; + group = "root"; + setuid = true; + } + ); environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; - security.setuidOwners = [ { - program = "unix_chkpwd"; - source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; - owner = "root"; - setuid = true; - } ]; - security.pam.services = { other.text = '' diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 699cf6306e1..53a7921a244 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix @@ -37,20 +37,19 @@ in [ { program = "pmount"; source = "${pkgs.pmount.out}/bin/pmount"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } { program = "pumount"; source = "${pkgs.pmount.out}/bin/pumount"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } ]; -setuidPrograms = [ "pmount" "pumount" ]; environment.systemPackages = [ pkgs.pmount ]; }; 
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 5d4634daf78..6b0570faa40 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -3,10 +3,17 @@ let inherit (config.security) permissionsWrapperDir; + isNotNull = v: if v != null then true else false; + cfg = config.security.permissionsWrappers; - setcapWrappers = import ./setcap-wrapper-drv.nix { }; - setuidWrappers = import ./setuid-wrapper-drv.nix { }; + setcapWrappers = import ./setcap-wrapper-drv.nix { + inherit config lib pkgs; + }; + + setuidWrappers = import ./setuid-wrapper-drv.nix { + inherit config lib pkgs; + }; ###### Activation script for the setcap wrappers configureSetcapWrapper = @@ -16,8 +23,7 @@ let , owner ? "nobody" , group ? "nogroup" , setcap ? false - }: - '' + }: '' cp ${setcapWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program} # Prevent races @@ -43,22 +49,22 @@ let ''; ###### Activation script for the setuid wrappers - makeSetuidWrapper = + configureSetuidWrapper = { program , source ? null , owner ? "nobody" + # Legacy code I can't find :( + , user ? null , group ? "nogroup" , setuid ? false , setgid ? false , permissions ? "u+rx,g+x,o+x" - }: - - '' + }: '' cp ${setuidWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program} # Prevent races chmod 0000 ${permissionsWrapperDir}/${program} - chown ${owner}.${group} ${permissionsWrapperDir}/${program} + chown ${if user != null then user else owner}.${group} ${permissionsWrapperDir}/${program} chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program} ''; 
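Review bot: The `user ? null` parameter exists only to keep older callers working, but `# Legacy code I can't find :(` gives the next reader nothing to act on; the callers are the `user = "root"` entries this very commit converts to `owner`, so either drop the alias now or document it as `# user: deprecated alias for owner, remove once no module sets it` and wrap its use in `lib.warn`. Separately, `chown ${...}.${group}` uses the dot separator, which is a compatibility form; the POSIX separator is `:` and avoids mis-parsing an owner name containing a dot, so `chown ${if user != null then user else owner}:${group} ...` is the safer spelling.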
@@ -68,12 +74,12 @@ in ###### interface options = { - security.permissionsWrappers.setcap = mkOption { - type = types.listOf types.attrs; + security.permissionsWrappers.setcap = lib.mkOption { + type = lib.types.listOf lib.types.attrs; default = []; example = [ { program = "ping"; - source = "${pkgs.iputils.out}/bin/ping" + source = "${pkgs.iputils.out}/bin/ping"; owner = "nobody"; group = "nogroup"; setcap = true; @@ -106,12 +112,12 @@ in ''; }; - security.permissionsWrappers.setuid = mkOption { - type = types.listOf types.attrs; + security.permissionsWrappers.setuid = lib.mkOption { + type = lib.types.listOf lib.types.attrs; default = []; example = [ { program = "sendmail"; - source = "${pkgs.sendmail.bin}/bin/sendmail"; + source = "/nix/store/.../bin/sendmail"; owner = "nobody"; group = "postdrop"; setuid = false; @@ -126,8 +132,8 @@ in ''; }; - security.permissionsWrapperDir = mkOption { - type = types.path; + security.permissionsWrapperDir = lib.mkOption { + type = lib.types.path; default = "/var/permissions-wrappers"; internal = true; description = '' @@ -152,7 +158,7 @@ in ###### setcap activation script system.activationScripts.setcap = - stringAfter [ "users" ] + lib.stringAfter [ "users" ] '' # Look in the system path and in the default profile for # programs to be wrapped. @@ -168,12 +174,12 @@ in # Concatenate the generated shell slices to configure # wrappers for each program needing specialized capabilities. - ${concatMapStrings configureSetcapWrapper cfg.setcap} + ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)} ''; ###### setuid activation script system.activationScripts.setuid = - stringAfter [ "users" ] + lib.stringAfter [ "users" ] '' # Look in the system path and in the default profile for # programs to be wrapped. 
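Review bot: `lib.types.listOf lib.types.attrs` accepts any attribute names, which is exactly why the `user`/`owner` mismatch earlier in this series went unnoticed until activation chowned wrappers to `nobody`. A `lib.types.submodule` declaring the fields the activation functions actually read (`program`, `source`, `owner`, `group`, `setuid`, `setgid`, `setcap`, `permissions`) with their defaults moved out of the functions would reject unknown attributes at evaluation time and let each field be documented once in the option rather than in prose. The same applies to the `setuid` option in the second hunk.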
@@ -189,7 +195,7 @@ in # Concatenate the generated shell slices to configure # wrappers for each program needing specialized capabilities. - ${concatMapStrings configureSetuidWrapper cfg.setuid} + ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)} ''; }; diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix index f64c683f6e8..adae9009fbe 100644 --- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix +++ b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix @@ -13,7 +13,7 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \ + gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper ''; in @@ -32,6 +32,6 @@ pkgs.stdenv.mkDerivation { # Concat together all of our shell splices to compile # binary wrapper programs for all configured setcap programs. - ${concatMapStrings mkSetcapWrapper cfg.setcap} + ${lib.concatMapStrings mkSetcapWrapper cfg.setcap} ''; -}; +} diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix index 15dc1918b5c..e244364aa45 100644 --- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix +++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix 
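Review bot: The activation scripts now pass `builtins.filter isNotNull cfg.setuid` (and `cfg.setcap` in the previous hunk), but the setcap derivation below still uses `lib.concatMapStrings mkSetcapWrapper cfg.setcap` unfiltered, so a `null` entry the activation script tolerates would still abort the build when `mkSetcapWrapper` destructures it; the setuid derivation in the next file is the same. A null entry is a caller bug, so the better fix is to reject it once in the option type rather than filter in some consumers and not others. `isNotNull` itself reduces to `v: v != null`.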
@@ -13,7 +13,7 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \ + gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper ''; in @@ -31,6 +31,6 @@ pkgs.stdenv.mkDerivation { # Concat together all of our shell splices to compile # binary wrapper programs for all configured setcap programs. - ${concatMapStrings mkSetuidWrapper cfg.setuid} + ${lib.concatMapStrings mkSetuidWrapper cfg.setuid} ''; -}; +} diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index db078667acf..098319d5ded 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -87,20 +87,18 @@ in [ { program = "pkexec"; source = "${pkgs.polkit.out}/bin/pkexec"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } - ]; - security.setuidOwners = [ - { program = "polkit-agent-helper-1"; - owner = "root"; - group = "root"; - setuid = true; - source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; - } - ]; + { program = "polkit-agent-helper-1"; + owner = "root"; + group = "root"; + setuid = true; + source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + } + ]; system.activationScripts.polkit = '' diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index 06dde14cd1c..8a8f1525df4 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -85,14 +85,14 @@ in [ { program = "sudo"; source = "${pkgs.sudo.out}/bin/sudo"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } - { program = "sudoedit" - source = "${pkgs.sudo.out}/bin/sudo"; - user = "root"; + { program = "sudoedit"; + source = "${pkgs.sudo.out}/bin/sudoedit"; + owner = "root"; group = "root"; setuid = true; } 
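Review bot: The context comment in setuid-wrapper-drv.nix's second hunk still reads `# binary wrapper programs for all configured setcap programs.` although the changed line beneath it maps `mkSetuidWrapper` over `cfg.setuid`; it was evidently copied from setcap-wrapper-drv.nix. It should read `# binary wrapper programs for all configured setuid programs.` so the two derivations are not confused when reading build output.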
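Review bot: The `sudoedit` entry's `source` changes from `${pkgs.sudo.out}/bin/sudo` to `${pkgs.sudo.out}/bin/sudoedit`; upstream sudo ships `sudoedit` as a symlink to `sudo` and selects edit mode from `argv[0]`, so whether this change is a no-op or a behavioural fix depends on how permissions-wrapper.c (not in this hunk) sets `argv[0]` when it execs `SOURCE_PROG`. Worth confirming against the wrapper's exec call before landing, since a `sudoedit` wrapper that ends up running with plain `sudo` semantics would be a privilege-boundary change rather than a rename.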
diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index 3a85fa60fe7..755599ff621 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix @@ -29,8 +29,8 @@ let }; cronJob = '' - @reboot logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} - 2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} + @reboot logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} + 2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} ''; writeIgnoreRule = name: {level, regex, ...}: diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index f239dda564a..7848288850a 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -13,7 +13,7 @@ let '' base_dir = ${baseDir} protocols = ${concatStringsSep " " cfg.protocols} - sendmail_path = /var/setuid-wrappers/sendmail + sendmail_path = /var/permissions-wrappers/sendmail '' (if isNull cfg.sslServerCert then '' diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index aad497cbc71..6dfb8fdef11 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -70,7 +70,7 @@ in etc."exim.conf".text = '' exim_user = ${cfg.user} exim_group = ${cfg.group} - exim_path = /var/setuid-wrappers/exim + exim_path = /var/permissions-wrappers/exim spool_directory = ${cfg.spoolDir} ${cfg.config} ''; @@ -93,11 +93,11 @@ in [ { program = "exim"; source = "${pkgs.exim.out}/bin/exim"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } - ] + ]; systemd.services.exim = { description = "Exim Mail Daemon"; 
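Review bot: `sendmail_path = /var/permissions-wrappers/sendmail` in dovecot.nix and `exim_path = /var/permissions-wrappers/exim` in exim.nix hardcode the wrapper directory even though the series introduces `security.permissionsWrapperDir` (default `/var/permissions-wrappers`, marked `internal`), and dbus.nix in this same commit already interpolates `${config.security.permissionsWrapperDir}`. The logcheck.nix, smartd.nix, samba.nix, prayer.nix, cron.nix, fcron.nix and munin.nix hunks carry the same literal, so a later change to the option would silently leave these services pointing at a directory that no longer holds the privileged wrappers. For the NixOS modules, `sendmail_path = ${config.security.permissionsWrapperDir}/sendmail` keeps them in sync; the `pkgs/` occurrences cannot see `config` and reasonably keep the literal default.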
diff --git a/nixos/modules/services/mail/mail.nix b/nixos/modules/services/mail/mail.nix index 63e8d78b5b0..e8b16349f1a 100644 --- a/nixos/modules/services/mail/mail.nix +++ b/nixos/modules/services/mail/mail.nix @@ -26,7 +26,7 @@ with lib; config = mkIf (config.services.mail.sendmailSetuidWrapper != null) { - security.setuidOwners = [ config.services.mail.sendmailSetuidWrapper ]; + security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]; }; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index aaa041ad4cd..08ba161d38b 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -34,7 +34,7 @@ let cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file) wrapProgram $file \ - --set PATH "/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ + --set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ --set MUNIN_LIBDIR "${pkgs.munin}/lib" \ --set MUNIN_PLUGSTATE "/var/run/munin" @@ -182,7 +182,7 @@ in mkdir -p /etc/munin/plugins rm -rf /etc/munin/plugins/* - PATH="/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash + PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash ''; serviceConfig = { ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/"; diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix index 1017005226b..b67519b3424 100644 
--- a/nixos/modules/services/monitoring/smartd.nix +++ b/nixos/modules/services/monitoring/smartd.nix @@ -124,7 +124,7 @@ in }; mailer = mkOption { - default = "/var/setuid-wrappers/sendmail"; + default = "/var/permissions-wrappers/sendmail"; type = types.path; description = '' Sendmail-compatible binary to be used to send the messages. diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index a186982ec9c..91f1a333be7 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -30,7 +30,7 @@ let '' [ global ] security = ${cfg.securityType} - passwd program = /var/setuid-wrappers/passwd %u + passwd program = /var/permissions-wrappers/passwd %u pam password change = ${smbToString cfg.syncPasswordsByPam} invalid users = ${smbToString cfg.invalidUsers} diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix index bc975159cdf..bc9b884f11b 100644 --- a/nixos/modules/services/networking/gale.nix +++ b/nixos/modules/services/networking/gale.nix @@ -141,7 +141,7 @@ in setgid = false; }; - security.setuidOwners = [ cfg.setuidWrapper ]; + security.permissionsWrappers.setuid = [ cfg.setuidWrapper ]; systemd.services.gale-galed = { description = "Gale messaging daemon"; diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index cb8fe6bf4fe..4e1d66bc110 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -18,7 +18,7 @@ let var_prefix = "${stateDir}" prayer_user = "${prayerUser}" prayer_group = "${prayerGroup}" - sendmail_path = "/var/setuid-wrappers/sendmail" + sendmail_path = "/var/permissions-wrappers/sendmail" use_http_port ${cfg.port} diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index 2070b2ffa01..9c4f8d59faa 100644 
--- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -42,8 +42,10 @@ in config = mkIf cfg.enable { - security.setuidOwners = map (program: { + security.permissionsWrappers.setuid = map (program: { inherit program; + + source = "${pkgs.atd}/bin/${program}"; owner = "atd"; group = "atd"; setuid = true; diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index 541fbb7ee64..e33961658f0 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -20,7 +20,7 @@ let cronNixosPkg = pkgs.cron.override { # The mail.nix nixos module, if there is any local mail system enabled, # should have sendmail in this path. - sendmailPath = "/var/setuid-wrappers/sendmail"; + sendmailPath = "/var/permissions-wrappers/sendmail"; }; allFiles = @@ -61,7 +61,7 @@ in A list of Cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid - sendmail. See + sendmail. See If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root will is allowed to have its own crontab file. The /var/cron/cron.deny file @@ -99,7 +99,7 @@ in [ { program = "crontab"; source = "${pkgs.cronNixosPkg.out}/bin/crontab"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 6e8465ab08f..5804f0ee72f 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -96,7 +96,7 @@ in fcronallow = /etc/fcron.allow fcrondeny = /etc/fcron.deny shell = /bin/sh - sendmail = /var/setuid-wrappers/sendmail + sendmail = /var/permissions-wrappers/sendmail editor = /run/current-system/sw/bin/vi ''; target = "fcron.conf"; 
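Review bot: The added `source = "${pkgs.atd}/bin/${program}";` refers to an attribute `pkgs.atd`, while the package this series patches for the same tool lives at `pkgs/tools/system/at/default.nix`; if the package set exports it as `at` rather than `atd`, evaluation of this module fails as soon as `cfg.enable` is true — confirm the attribute name. The `map` that produces these entries starts in the hunk, but the program list it is applied to is outside it.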
@@ -110,7 +110,7 @@ in [ { program = "fcrontab"; source = "${pkgs.fcron.out}/bin/fcrontab"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index 8bcd6f01656..df93fcd2bdb 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix @@ -30,7 +30,7 @@ let mkdir -p $out sed '${./dbus-system-local.conf.in}' \ - -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \ + -e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \ -e 's,@extra@,${systemExtraxml},' \ > "$out/system-local.conf" @@ -102,9 +102,9 @@ in systemd.packages = [ pkgs.dbus.daemon ]; - security.setuidOwners = singleton + security.permissionsWrappers.setuid = singleton { program = "dbus-daemon-launch-helper"; - source = "${pkgs.dbus_daemon.out}/libexec/dbus-daemon-launch-helper"; + source = "${pkgs.dbus_daemon}/libexec/dbus-daemon-launch-helper"; owner = "root"; group = "messagebus"; setuid = true; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index b55950c6373..90803ede9d9 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -66,7 +66,7 @@ in [ { program = "e_freqset"; source = "${e.enlightenment.out}/bin/e_freqset"; - user = "root"; + owner = "root"; group = "root"; setuid = true; } diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix index 1927341e45d..88b3c3a1016 100644 --- a/nixos/modules/services/x11/desktop-managers/kde4.nix +++ b/nixos/modules/services/x11/desktop-managers/kde4.nix 
@@ -119,7 +119,7 @@ in ''; }; - security.setuidOwners = singleton + security.permissionsWrappers.setuid = singleton { program = "kcheckpass"; source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; owner = "root"; diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix index bc010d1ce1c..7856ff03f16 100644 --- a/nixos/modules/services/x11/desktop-managers/kde5.nix +++ b/nixos/modules/services/x11/desktop-managers/kde5.nix @@ -47,7 +47,7 @@ in ''; }; - security.setuidOwners = [ + security.permissionsWrappers.setuid = [ { program = "kcheckpass"; source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass"; diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index ce4abecd676..ee8569d3c0c 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix @@ -63,7 +63,7 @@ in boot.extraModulePackages = [ virtualbox ]; environment.systemPackages = [ virtualbox ]; - security.setuidOwners = let + security.permissionsWrappers.setuid = let mkSuid = program: { inherit program; source = "${virtualbox}/libexec/virtualbox/${program}"; diff --git a/pkgs/applications/editors/sublime3/default.nix b/pkgs/applications/editors/sublime3/default.nix index 4eb428f37d8..9e7b52e40d4 100644 --- a/pkgs/applications/editors/sublime3/default.nix +++ b/pkgs/applications/editors/sublime3/default.nix @@ -1,5 +1,5 @@ { fetchurl, stdenv, glib, xorg, cairo, gtk, pango, makeWrapper, openssl, bzip2, - pkexecPath ? "/var/setuid-wrappers/pkexec", libredirect, + pkexecPath ? "/var/permissions-wrappers/pkexec", libredirect, gksuSupport ? false, gksu}: assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux"; diff --git a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch index f9c3e3c5592..9a83fc09e4e 100644 
--- a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch +++ b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch @@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644 + is_nixos=no +fi + -+if [ -u /var/setuid-wrappers/gksign ]; then ++if [ -u /var/permissions-wrappers/gksign ]; then + cat </dev/null") == 0) { diff --git a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch index a8a0542a882..fb5b9e1d39d 100644 --- a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch +++ b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch @@ -11,7 +11,7 @@ index a9d8ac4..85f13f5 100644 - # # arguments: '-i -t' - # # } + config.action_mailer.sendmail_settings = { -+ location: '/var/setuid-wrappers/sendmail', ++ location: '/var/permissions-wrappers/sendmail', + arguments: '-i -t' + } config.action_mailer.perform_deliveries = true diff --git a/pkgs/applications/virtualization/virtualbox/hardened.patch b/pkgs/applications/virtualization/virtualbox/hardened.patch index 37d2ad3a515..cae4abe8612 100644 --- a/pkgs/applications/virtualization/virtualbox/hardened.patch +++ b/pkgs/applications/virtualization/virtualbox/hardened.patch @@ -96,7 +96,7 @@ index 95dc9a7..39170bc 100644 /* get the path to the executable */ char szPath[RTPATH_MAX]; - RTPathAppPrivateArch(szPath, sizeof(szPath) - 1); -+ RTStrCopy(szPath, sizeof(szPath) - 1, "/var/setuid-wrappers"); ++ RTStrCopy(szPath, sizeof(szPath) - 1, "/var/permissions-wrappers"); size_t cchBufLeft = strlen(szPath); szPath[cchBufLeft++] = RTPATH_DELIMITER; szPath[cchBufLeft] = 0; @@ -154,7 +154,7 @@ index be2ad8f..7ddf105 100644 +RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath) +{ -+ return RTStrCopy(pszPath, cchPath, "/var/setuid-wrappers"); ++ return RTStrCopy(pszPath, cchPath, "/var/permissions-wrappers"); +} + + 
@@ -174,7 +174,7 @@ index 7bde6af..2656cae 100644 + * will cut off everything after the rightmost / as this function is analogous + * to RTProcGetExecutablePath(). + */ -+#define SUIDDIR "/var/setuid-wrappers/" ++#define SUIDDIR "/var/permissions-wrappers/" + +RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath) +{ diff --git a/pkgs/build-support/build-fhs-userenv/env.nix b/pkgs/build-support/build-fhs-userenv/env.nix index 1dc71987f54..f69338cb16c 100644 --- a/pkgs/build-support/build-fhs-userenv/env.nix +++ b/pkgs/build-support/build-fhs-userenv/env.nix @@ -51,7 +51,7 @@ let export PS1='${name}-chrootenv:\u@\h:\w\$ ' export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive' export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32' - export PATH='/var/setuid-wrappers:/usr/bin:/usr/sbin' + export PATH='/var/permissions-wrappers:/usr/bin:/usr/sbin' export PKG_CONFIG_PATH=/usr/lib/pkgconfig # Force compilers to look in default search paths diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix index b86eba685bb..4cedd6f8e8f 100644 --- a/pkgs/development/libraries/libgksu/default.nix +++ b/pkgs/development/libraries/libgksu/default.nix @@ -57,8 +57,8 @@ stdenv.mkDerivation rec { # Fix some binary paths sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c - sed -i -e 's|/usr/bin/sudo|/var/setuid-wrappers/sudo|g' libgksu/libgksu.c - sed -i -e 's|/bin/su\([^d]\)|/var/setuid-wrappers/su\1|g' libgksu/libgksu.c + sed -i -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|g' libgksu/libgksu.c + sed -i -e 's|/bin/su\([^d]\)|/var/permissions-wrappers/su\1|g' libgksu/libgksu.c touch NEWS README ''; diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix index ab1943b8590..f33ee3917f1 100644 --- a/pkgs/development/libraries/polkit/default.nix 
+++ b/pkgs/development/libraries/polkit/default.nix @@ -5,7 +5,7 @@ let system = "/var/run/current-system/sw"; - setuid = "/var/setuid-wrappers"; #TODO: from config.security.wrapperDir; + setuid = "/var/permissions-wrappers"; #TODO: from config.security.wrapperDir; foolVars = { SYSCONF = "/etc"; diff --git a/pkgs/development/tools/unity3d/default.nix b/pkgs/development/tools/unity3d/default.nix index 0a72e6bb91e..287422282cb 100644 --- a/pkgs/development/tools/unity3d/default.nix +++ b/pkgs/development/tools/unity3d/default.nix @@ -94,7 +94,7 @@ in stdenv.mkDerivation rec { unitydir="$out/opt/Unity/Editor" mkdir -p $unitydir mv Editor/* $unitydir - ln -sf /var/setuid-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox + ln -sf /var/permissions-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox mkdir -p $out/share/applications sed "/^Exec=/c\Exec=$out/bin/unity-editor" \ diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix index d86eb2a9756..9f63ae4f35a 100644 --- a/pkgs/os-specific/linux/fuse/default.nix +++ b/pkgs/os-specific/linux/fuse/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { # Ensure that FUSE calls the setuid wrapper, not # $out/bin/fusermount. It falls back to calling fusermount in # $PATH, so it should also work on non-NixOS systems. - export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/setuid-wrappers\"" + export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/permissions-wrappers\"" sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c ''; diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix index 3fa7e2ba8d1..531d55a7f12 100644 --- a/pkgs/os-specific/linux/mdadm/default.nix +++ b/pkgs/os-specific/linux/mdadm/default.nix 
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/var/setuid-wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index d84c6224eeb..196af58183f 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { postInstall = '' mv -v $out/sbin/unix_chkpwd{,.orig} - ln -sv /var/setuid-wrappers/unix_chkpwd $out/sbin/unix_chkpwd + ln -sv /var/permissions-wrappers/unix_chkpwd $out/sbin/unix_chkpwd ''; /* rm -rf $out/etc mkdir -p $modules/lib diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index 4d4a22fc720..11444c57f9a 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { --enable-last --enable-mesg --disable-use-tty-group - --enable-fs-paths-default=/var/setuid-wrappers:/var/run/current-system/sw/bin:/sbin + --enable-fs-paths-default=/var/permissions-wrappers:/var/run/current-system/sw/bin:/sbin ${if ncurses == null then "--without-ncurses" else ""} ${if systemd == null then "" else '' --with-systemd diff --git a/pkgs/servers/interlock/default.nix b/pkgs/servers/interlock/default.nix index 5842495e323..d3c143617dd 100644 --- a/pkgs/servers/interlock/default.nix +++ b/pkgs/servers/interlock/default.nix @@ -30,7 +30,7 @@ buildGoPackage rec { -e 's|/bin/chown|${coreutils}/bin/chown|' \ -e 's|/bin/date|${coreutils}/bin/date|' \ -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \ - -e 's|/usr/bin/sudo|/var/setuid-wrappers/sudo|' \ + -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|' \ -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|' ''; } 
diff --git a/pkgs/servers/mail/petidomo/default.nix b/pkgs/servers/mail/petidomo/default.nix index 3ecb00b64fc..c112af567fd 100644 --- a/pkgs/servers/mail/petidomo/default.nix +++ b/pkgs/servers/mail/petidomo/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/setuid-wrappers/sendmail" }: +{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/permissions-wrappers/sendmail" }: stdenv.mkDerivation rec { name = "petidomo-4.3"; diff --git a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix index 79180f17241..695211a177d 100644 --- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix +++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix @@ -16,8 +16,8 @@ stdenv.mkDerivation rec { # configured on the build machine). preConfigure= " configureFlagsArray=( - --with-ping-command='/var/setuid-wrappers/ping -n -U -w %d -c %d %s' - --with-ping6-command='/var/setuid-wrappers/ping6 -n -U -w %d -c %d %s' + --with-ping-command='/var/permissions-wrappers/ping -n -U -w %d -c %d %s' + --with-ping6-command='/var/permissions-wrappers/ping6 -n -U -w %d -c %d %s' ) "; diff --git a/pkgs/tools/X11/x11vnc/default.nix b/pkgs/tools/X11/x11vnc/default.nix index a8c249116c0..5f96a35af6f 100644 --- a/pkgs/tools/X11/x11vnc/default.nix +++ b/pkgs/tools/X11/x11vnc/default.nix @@ -20,10 +20,10 @@ stdenv.mkDerivation rec { configureFlags="--mandir=$out/share/man" substituteInPlace x11vnc/unixpw.c \ - --replace '"/bin/su"' '"/var/setuid-wrappers/su"' \ + --replace '"/bin/su"' '"/var/permissions-wrappers/su"' \ --replace '"/bin/true"' '"${coreutils}/bin/true"' - sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/setuid-wrappers/su|g' x11vnc/ssltools.h + sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/permissions-wrappers/su|g' x11vnc/ssltools.h ''; meta = { 
diff --git a/pkgs/tools/admin/certbot/default.nix b/pkgs/tools/admin/certbot/default.nix index 80805666a3a..518c3763994 100644 --- a/pkgs/tools/admin/certbot/default.nix +++ b/pkgs/tools/admin/certbot/default.nix @@ -29,7 +29,7 @@ pythonPackages.buildPythonApplication rec { buildInputs = [ dialog ] ++ (with pythonPackages; [ nose mock gnureadline ]); patchPhase = '' - substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/setuid-wrappers/sendmail" + substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/permissions-wrappers/sendmail" substituteInPlace certbot/le_util.py --replace "sw_vers" "/usr/bin/sw_vers" ''; diff --git a/pkgs/tools/misc/debian-devscripts/default.nix b/pkgs/tools/misc/debian-devscripts/default.nix index ece9c5ed382..15108852fbc 100644 --- a/pkgs/tools/misc/debian-devscripts/default.nix +++ b/pkgs/tools/misc/debian-devscripts/default.nix @@ -2,7 +2,7 @@ , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper , python3Packages , perlPackages, curl, gnupg, diffutils -, sendmailPath ? "/var/setuid-wrappers/sendmail" +, sendmailPath ? "/var/permissions-wrappers/sendmail" }: let diff --git a/pkgs/tools/security/ecryptfs/default.nix b/pkgs/tools/security/ecryptfs/default.nix index 582b5ceae11..a477b22f191 100644 --- a/pkgs/tools/security/ecryptfs/default.nix +++ b/pkgs/tools/security/ecryptfs/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { }; # TODO: replace wrapperDir below with from config.security.wrapperDir; - wrapperDir = "/var/setuid-wrappers"; + wrapperDir = "/var/permissions-wrappers"; postPatch = '' FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)" diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix index e2c69377df5..b0b19d750eb 100644 --- a/pkgs/tools/security/sudo/default.nix +++ b/pkgs/tools/security/sudo/default.nix 
@@ -1,5 +1,5 @@ { stdenv, fetchurl, coreutils, pam, groff -, sendmailPath ? "/var/setuid-wrappers/sendmail" +, sendmailPath ? "/var/permissions-wrappers/sendmail" , withInsults ? false }: diff --git a/pkgs/tools/system/at/default.nix b/pkgs/tools/system/at/default.nix index 9991adf4013..2fb5b9670c8 100644 --- a/pkgs/tools/system/at/default.nix +++ b/pkgs/tools/system/at/default.nix @@ -1,4 +1,4 @@ -{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/setuid-wrappers/sendmail" }: +{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/permissions-wrappers/sendmail" }: stdenv.mkDerivation { name = "at-3.1.16"; diff --git a/pkgs/tools/system/ts/default.nix b/pkgs/tools/system/ts/default.nix index cad1230ac87..1384ea04fb6 100644 --- a/pkgs/tools/system/ts/default.nix +++ b/pkgs/tools/system/ts/default.nix @@ -1,5 +1,5 @@ {stdenv, fetchurl, -sendmailPath ? "/var/setuid-wrappers/sendmail" }: +sendmailPath ? "/var/permissions-wrappers/sendmail" }: stdenv.mkDerivation rec { From 849dcde2a53398f91ab1da9adedcf65616c4e6ef Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 1 Sep 2016 19:22:37 -0500 Subject: [PATCH 016/153] Wonder why this wasn't removed in the rebase? --- nixos/modules/programs/unity3d.nix | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 nixos/modules/programs/unity3d.nix diff --git a/nixos/modules/programs/unity3d.nix b/nixos/modules/programs/unity3d.nix deleted file mode 100644 index 47f1d1ef160..00000000000 --- a/nixos/modules/programs/unity3d.nix +++ /dev/null 
@@ -1,25 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let cfg = config.programs.unity3d;
-in {
-
- options = {
- programs.unity3d.enable = mkEnableOption "Unity3D, a game development tool";
- };
-
- config = mkIf cfg.enable {
- security.permissionsWrappers.setuid = [{
- program = "unity-chrome-sandbox";
- source = "${pkgs.unity3d.sandbox}/bin/unity-chrome-sandbox";
- owner = "root";
- #group = "root";
- setuid = true;
- #setgid = true;
- }];
-
- environment.systemPackages = [ pkgs.unity3d ];
- };
-
-}
From c686da8655bbdd4f0677bea788794e7b9f1d7dda Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer
Date: Thu, 1 Sep 2016 19:26:30 -0500
Subject: [PATCH 017/153] Updatig the chromium-suid-sandbox module
---
 nixos/modules/security/chromium-suid-sandbox.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix
index 88fbe518c2d..6fe25213639 100644
--- a/nixos/modules/security/chromium-suid-sandbox.nix
+++ b/nixos/modules/security/chromium-suid-sandbox.nix
@@ -27,6 +27,10 @@ in
 config = mkIf cfg.enable {
 environment.systemPackages = [ sandbox ];
- security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
+ security.permissionsWrappers.setuid = [
+ { program = sandbox.passthru.sandboxExecutableName;
+ source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
+ }
+ ];
 };
 }
From d60581d4d620787311e4268354680025eaeec27a Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer
Date: Thu, 1 Sep 2016 19:26:54 -0500
Subject: [PATCH 018/153] Resolving that silly bad argument error.
---
 nixos/modules/programs/shadow.nix | 2 +-
 nixos/modules/security/permissions-wrappers/default.nix | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index f40faa1ca5f..3910831fb0e 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
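Review bot: The new `security.permissionsWrappers.setuid` entry for the Chromium sandbox sets only `program` and `source`, and the wrapper helper in permissions-wrappers/default.nix (hunk in the following commit of this series) defaults `owner` to `"nobody"` and `setuid` to `false`, so the sandbox helper is installed without the setuid-root bit that the removed `security.setuidPrograms` line presumably gave it. The entry needs the explicit fields the other setuid entries in this series carry: `owner = "root"; group = "root"; setuid = true;`.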
@@ -119,7 +119,7 @@ in } ] ++ (lib.optionals config.users.mutableUsers - map (x: x // { user = "root"; + map (x: x // { owner = "root"; group = "root"; setuid = true; }) diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 6b0570faa40..76a22b4f603 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -53,8 +53,6 @@ let { program , source ? null , owner ? "nobody" - # Legacy code I can't find :( - , user ? null , group ? "nogroup" , setuid ? false , setgid ? false @@ -64,7 +62,7 @@ let # Prevent races chmod 0000 ${permissionsWrapperDir}/${program} - chown ${if user != null then user else owner}.${group} ${permissionsWrapperDir}/${program} + chown ${owner}.${group} ${permissionsWrapperDir}/${program} chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program} ''; From 1f9494b752082ec3ac048e56d1c6364a2e23a675 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 1 Sep 2016 19:47:41 -0500 Subject: [PATCH 019/153] Need to create a new build to see why it's failing --- nixos/modules/programs/shadow.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 3910831fb0e..f6f66924f32 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -102,6 +102,7 @@ in chgpasswd = { rootOK = true; }; }; + security.permissionsWrappers.setuid = [ { program = "su"; From 4efd108e60ea56f13d3ff3c35a30432787a3a3d8 Mon Sep 17 00:00:00 2001 From: Sebastian Hagen Date: Thu, 22 Dec 2016 23:30:09 +0000 Subject: [PATCH 020/153] digikam: Add patch to fix compilation against Lensfun 0.3.2 --- pkgs/applications/graphics/digikam/default.nix | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) 
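Review bot: `chown ${owner}.${group} ${permissionsWrapperDir}/${program}` keeps the legacy dot separator; GNU chown accepts it only for compatibility and it becomes ambiguous once an owner name contains a dot, so prefer `chown ${owner}:${group} ${permissionsWrapperDir}/${program}`. The setcap configure function in the same file uses the identical form and should change with it. The ordering itself is right: the chown happens before the setuid/setgid chmod, so the ownership change cannot strip the bits afterwards.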
diff --git a/pkgs/applications/graphics/digikam/default.nix b/pkgs/applications/graphics/digikam/default.nix index f38e402ce92..11cc6c9c808 100644 --- a/pkgs/applications/graphics/digikam/default.nix +++ b/pkgs/applications/graphics/digikam/default.nix @@ -1,5 +1,5 @@ -{ stdenv, fetchurl, automoc4, boost, shared_desktop_ontologies, cmake -, eigen, lcms, gettext, jasper, kdelibs, kdepimlibs, lensfun +{ stdenv, fetchurl, fetchpatch, automoc4, boost, shared_desktop_ontologies +, cmake, eigen, lcms, gettext, jasper, kdelibs, kdepimlibs, lensfun , libgphoto2, libjpeg, libkdcraw, libkexiv2, libkipi, libpgf, libtiff , libusb1, liblqr1, marble, mysql, opencv, perl, phonon, pkgconfig , qca2, qimageblitz, qjson, qt4, soprano @@ -36,6 +36,16 @@ let sha256 = "081ldsaf3frf5khznjd3sxkjmi4dyp6w6nqnc2a0agkk0kxkl10m"; }; + patches = [ + (fetchpatch { + # Fix compilation against Lensfun 0.3.2 + url = "http://cgit.kde.org/digikam.git/patch/?id=0f159981176faa6da701f112bfe557b79804d468"; + sha256 = "1c8bg7s84vg4v620gbs16cjcbpml749018gy5dpvfacx5vl24wza"; + }) + ]; + + patchFlags = ["-p1" "-dcore"]; + nativeBuildInputs = [ automoc4 cmake gettext perl pkgconfig ] ++ [ From 025555d7f1a0fc39ea152b03e942002e1bff1721 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 26 Jan 2017 00:05:40 -0800 Subject: [PATCH 021/153] More fixes and improvements --- nixos/doc/manual/release-notes/rl-1609.xml | 2 +- .../modules/installer/tools/nixos-install.sh | 2 +- .../security/permissions-wrappers/default.nix | 4 ++++ .../setcap-wrapper-drv.nix | 22 +++++++++---------- .../setuid-wrapper-drv.nix | 5 +++-- .../modules/services/networking/smokeping.nix | 13 ++++++++--- nixos/tests/smokeping.nix | 2 +- .../networking/browsers/chromium/default.nix | 4 ++-- .../kinit/start_kdeinit-path.patch | 2 +- pkgs/os-specific/linux/mdadm/4.nix | 2 +- pkgs/tools/security/ecryptfs/helper.nix | 2 +- pkgs/tools/system/cron/default.nix | 2 +- 12 files changed, 37 insertions(+), 25 deletions(-) 
diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml index ade7d5581ce..bf8be1b68f2 100644 --- a/nixos/doc/manual/release-notes/rl-1609.xml +++ b/nixos/doc/manual/release-notes/rl-1609.xml @@ -202,7 +202,7 @@ following incompatible changes: The directory container setuid wrapper programs, - /var/setuid-wrappers, /var/permissions-wrappers, is now updated atomically to prevent failures if the switch to a new configuration is interrupted. diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 5250edd1500..4e9f8ab60f2 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -260,7 +260,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate # Ask the user to set a root password. -if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then +if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/permissions-wrappers/passwd ] && [ -t 0 ]; then echo "setting root password..." chroot $mountPoint /var/permissions-wrappers/passwd fi diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 76a22b4f603..2f60d54fd77 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -154,6 +154,10 @@ in export PATH="${config.security.permissionsWrapperDir}:$PATH" ''; + system.activationScripts.wrapper-dir = '' + mkdir -p "${config.security.permissionsWrapperDir}" + ''; + ###### setcap activation script system.activationScripts.setcap = lib.stringAfter [ "users" ] diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix index adae9009fbe..04cae3c8493 100644 --- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix 
+++ b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix @@ -5,17 +5,17 @@ let # Produce a shell-code splice intended to be stitched into one of # the build or install phases within the derivation. - mkSetcapWrapper = { program, source ? null, ...}: - '' - if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi + mkSetcapWrapper = { program, source ? null, ...}: '' + if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} + fi - gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ - -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper - ''; + gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ + -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ + -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include + ''; in # This is only useful for Linux platforms and a kernel version of @@ -26,7 +26,7 @@ assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4. pkgs.stdenv.mkDerivation { name = "setcap-wrapper"; unpackPhase = "true"; - buildInputs = [ pkgs.linuxHeaders pkgs.libcap pkgs.libcap_ng ]; + buildInputs = [ pkgs.linuxHeaders ]; installPhase = '' mkdir -p $out/bin diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix index e244364aa45..273aaf2a88a 100644 
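Review bot: The fallback `source=/nix/var/nix/profiles/default/bin/${program}` bakes a mutable, non-store path into a binary that is later granted file capabilities, and because this snippet is spliced into the derivation's install phase, `$PERMISSIONS_WRAPPER_PATH` (set only by the activation script) is presumably unset at build time, so every entry without an explicit `source` silently takes that fallback. A privileged wrapper should only exec a path fixed at build time; fail the build instead, e.g. `echo "no source found for ${program}" >&2; exit 1`, or make `source` mandatory. The setuid-wrapper-drv.nix hunk in the same commit carries the same fallback (visible there as context). Separately, `-lcap-ng -lcap` sit before the source file on the gcc line, which can drop the libraries under `--as-needed` linking; place them after `${./permissions-wrapper.c}`.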
--- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix +++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix @@ -13,8 +13,9 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ - -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper + gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ + -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ + -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; in diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index 04312c39062..6d2f5f8d41f 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -219,14 +219,14 @@ in type = types.string; default = '' + FPing - binary = ${config.security.wrapperDir}/fping + binary = ${config.security.permissionsWrapperDir}/fping ''; description = "Probe configuration"; }; sendmail = mkOption { type = types.nullOr types.path; default = null; - example = "/var/setuid-wrappers/sendmail"; + example = "/var/permissions-wrappers/sendmail"; description = "Use this sendmail compatible script to deliver alerts"; }; smokeMailTemplate = mkOption { @@ -273,7 +273,14 @@ in message = "services.smokeping: sendmail and Mailhost cannot both be enabled."; } ]; - security.setuidPrograms = [ "fping" ]; + security.permissionsWrappers.setuid = [ + { program = "fping"; + source = "${e.enlightenment.out}/bin/fping"; + owner = "root"; + group = "root"; + setuid = true; + } + ]; environment.systemPackages = [ pkgs.fping ]; users.extraUsers = singleton { name = cfg.user; 
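Review bot: The rewritten gcc line for the setuid wrapper passes `-DWRAPPER_SETCAP=1` where the removed line had `-DWRAPPER_SETUID=1`, so setuid wrappers are now compiled as setcap wrappers; the flag should read `-DWRAPPER_SETUID=1`. This looks like a copy from setcap-wrapper-drv.nix, and although a later patch in this series corrects it, landing an intermediate commit that builds the wrong kind of privileged binary makes the series harder to bisect. The mkSetuidWrapper function starts outside the hunk.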
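Review bot: `source = "${e.enlightenment.out}/bin/fping";` references `e`, which is not an argument of this module (the very next line uses `pkgs.fping`), and enlightenment is not where fping is packaged; unless `e` is bound somewhere outside the hunk this does not evaluate, and the intended value is `source = "${pkgs.fping}/bin/fping";`. Since `source` decides which binary receives the setuid bit, it is worth pinning to the same package that `environment.systemPackages` installs.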
diff --git a/nixos/tests/smokeping.nix b/nixos/tests/smokeping.nix index 9de3030417f..7e2d84f4422 100644 --- a/nixos/tests/smokeping.nix +++ b/nixos/tests/smokeping.nix @@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : { mailHost = "127.0.0.2"; probeConfig = '' + FPing - binary = /var/setuid-wrappers/fping + binary = /var/permissions-wrappers/fping offset = 0% ''; }; diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index d014999a667..dd8fd32adfd 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix @@ -83,9 +83,9 @@ in stdenv.mkDerivation { ed -v -s "$out/bin/chromium" << EOF 2i - if [ -x "/var/setuid-wrappers/${sandboxExecutableName}" ] + if [ -x "/var/permissions-wrappers/${sandboxExecutableName}" ] then - export CHROME_DEVEL_SANDBOX="/var/setuid-wrappers/${sandboxExecutableName}" + export CHROME_DEVEL_SANDBOX="/var/permissions-wrappers/${sandboxExecutableName}" else export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}" fi diff --git a/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch b/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch index fbecf9433f6..a16d3575725 100644 --- a/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch +++ b/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch @@ -7,7 +7,7 @@ Index: kinit-5.24.0/src/start_kdeinit/start_kdeinit_wrapper.c #include -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit" -+#define EXECUTE "/var/setuid-wrappers/start_kdeinit" ++#define EXECUTE "/var/permissions-wrappers/start_kdeinit" #if KDEINIT_OOM_PROTECT diff --git a/pkgs/os-specific/linux/mdadm/4.nix b/pkgs/os-specific/linux/mdadm/4.nix index d929668a26a..abe8632773f 100644 --- a/pkgs/os-specific/linux/mdadm/4.nix +++ b/pkgs/os-specific/linux/mdadm/4.nix 
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/var/setuid-wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/tools/security/ecryptfs/helper.nix b/pkgs/tools/security/ecryptfs/helper.nix index 0d4b37a8efc..6e3e6766a28 100644 --- a/pkgs/tools/security/ecryptfs/helper.nix +++ b/pkgs/tools/security/ecryptfs/helper.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; - # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/setuid-wrappers + # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/permissions-wrappers installPhase = '' mkdir -p $out/bin $out/libexec cp $src $out/libexec/ecryptfs-helper.py diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 3d03f19cb6f..f7f2a6158a2 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation { #define _PATH_SENDMAIL "${sendmailPath}" #undef _PATH_DEFPATH - #define _PATH_DEFPATH "/var/setuid-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" + #define _PATH_DEFPATH "/var/permissions-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" __EOT__ # Implicit saved uids do not work here due to way NixOS uses setuid wrappers From a20e65724bad6472bbf40080955ecc5d0bb351e6 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Thu, 26 Jan 2017 00:32:59 -0800 Subject: [PATCH 022/153] Fixing --- .../security/permissions-wrappers/default.nix | 72 +++++++++---------- .../permissions-wrapper.c | 2 +- .../setuid-wrapper-drv.nix | 21 +++--- 3 files changed, 46 insertions(+), 49 deletions(-) diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 2f60d54fd77..2ec1e91cee9 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix 
@@ -66,6 +66,39 @@ let chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program} ''; + + mkActivationScript = programsToWrap: + lib.stringAfter [ "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. + PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin + + mkdir -p /run/permissions-wrapper-dirs + permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX) + chmod a+rx $permissionsWrapperDir + + ${programsToWrap} + + if [ -L ${permissionsWrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink ${permissionsWrapperDir}) + ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp + mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir} + rm --force --recursive $old + elif [ -d ${permissionsWrapperDir} ]; then + # Compatibility with old state, just remove the folder and symlink + rm -f ${permissionsWrapperDir}/* + # if it happens to be a tmpfs + ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true + rm -d ${permissionsWrapperDir} + ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir} + else + # For initial setup + ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir} + fi + ''; in { 
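Review bot: `rm --force --recursive $old` deletes whatever `readlink ${permissionsWrapperDir}` returns without checking it, so if the symlink ever points somewhere unexpected (stale state, a manual edit) activation recursively removes that target as root; restrict it to the expected parent, e.g. `case "$old" in /run/permissions-wrapper-dirs/*) rm --force --recursive "$old";; esac`. `$old` and `$permissionsWrapperDir` are unquoted throughout the script. `ln -d --symbolic` combines the hard-link-to-directory flag with `--symbolic`; plain `ln --symbolic` is what is meant. The same script is re-added verbatim as the single activation script in PATCH 029 and these remarks apply there too.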
@@ -160,45 +193,10 @@ in ###### setcap activation script system.activationScripts.setcap = - lib.stringAfter [ "users" ] - '' - # Look in the system path and in the default profile for - # programs to be wrapped. - PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - - # When a program is removed from the security.permissionsWrappers.setcap - # list we have to remove all of the previous program wrappers - # and re-build them minus the wrapper for the program removed, - # hence the rm here in the activation script. - - rm -f ${permissionsWrapperDir}/* - - # Concatenate the generated shell slices to configure - # wrappers for each program needing specialized capabilities. - - ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)} - ''; + mkActivationScript (lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)); ###### setuid activation script system.activationScripts.setuid = - lib.stringAfter [ "users" ] - '' - # Look in the system path and in the default profile for - # programs to be wrapped. - PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - - # When a program is removed from the security.permissionsWrappers.setcap - # list we have to remove all of the previous program wrappers - # and re-build them minus the wrapper for the program removed, - # hence the rm here in the activation script. - - rm -f ${permissionsWrapperDir}/* - - # Concatenate the generated shell slices to configure - # wrappers for each program needing specialized capabilities. - - ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)} - ''; - + mkActivationScript (lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)); }; } diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c index effdaa93096..3cb5bb4f560 100644 
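Review bot: `system.activationScripts.setcap` and `.setuid` each call `mkActivationScript`, and that helper creates its own fresh temp directory and swaps `${permissionsWrapperDir}` to it, so whichever of the two scripts runs last replaces the symlink and removes the other script's directory via `rm --force --recursive $old`, leaving only setcap or only setuid wrappers installed. Both lists need to be populated into one directory before the swap, i.e. one activation script, which is where PATCH 029 in this series ends up. With both scripts declared `lib.stringAfter [ "users" ]` and no ordering between them, the surviving set is presumably not deterministic.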
--- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
+++ b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
@@ -211,7 +211,7 @@ int main(int argc, char * * argv)
 // Read the capabilities set on the file and raise them in to the
 // Ambient set so the program we're wrapping receives the
 // capabilities too!
- assert(!make_caps_ambient(selfPath));
+ if (strcmp(wrapperType, "setcap") == 0) assert(!make_caps_ambient(selfPath));
 execve(sourceProg, argv, environ);
diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
index 273aaf2a88a..3bf3effb801 100644
--- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
+++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
@@ -5,18 +5,17 @@ let # Produce a shell-code splice intended to be stitched into one of # the build or install phases within the derivation. - mkSetuidWrapper = { program, source ? null, ...}: - '' - if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi + mkSetuidWrapper = { program, source ? null, ...}: '' + if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} + fi - gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ - -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ - -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include - ''; + gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ + -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ + -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include + ''; in # This is only useful for Linux platforms and a kernel version of From e8bec4c75f9da5c2e6a12b8f96630dae2d2d57d6 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 26 Jan 2017 00:35:01 -0800 Subject: [PATCH 023/153] Implicit declared function... --- .../security/permissions-wrappers/permissions-wrapper.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
index 3cb5bb4f560..4a77e8aa3d5 100644
--- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
+++ b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
@@ -211,7 +211,8 @@ int main(int argc, char * * argv)
 // Read the capabilities set on the file and raise them in to the
 // Ambient set so the program we're wrapping receives the
 // capabilities too!
- if (strcmp(wrapperType, "setcap") == 0) assert(!make_caps_ambient(selfPath));
+ if (strcmp(wrapperType, "setcap") == 0)
+ assert(!make_caps_ambient(selfPath));
 execve(sourceProg, argv, environ);
From 1ad541171e5d9362dce100de08d46fff91cab4d1 Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer
Date: Thu, 26 Jan 2017 00:36:35 -0800
Subject: [PATCH 024/153] Hmm
---
 .../security/permissions-wrappers/permissions-wrapper.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
index 4a77e8aa3d5..9834bcd937b 100644
--- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
+++ b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
@@ -211,8 +211,9 @@ int main(int argc, char * * argv)
 // Read the capabilities set on the file and raise them in to the
 // Ambient set so the program we're wrapping receives the
 // capabilities too!
- if (strcmp(wrapperType, "setcap") == 0)
- assert(!make_caps_ambient(selfPath));
+
+
+ assert(!make_caps_ambient(selfPath));
 execve(sourceProg, argv, environ);
From 785684f6c2367ce979d908e25dd7831992f19f24 Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer
Date: Thu, 26 Jan 2017 00:39:17 -0800
Subject: [PATCH 025/153] Ahhh, my compile-time macros confused me...of course they did...
---
 .../security/permissions-wrappers/permissions-wrapper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
index 9834bcd937b..f74a952b7d8 100644
--- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
+++ b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
@@ -211,9 +211,9 @@ int main(int argc, char * * argv)
 // Read the capabilities set on the file and raise them in to the
 // Ambient set so the program we're wrapping receives the
 // capabilities too!
-
-
+ #ifdef WRAPPER_SETCAP
 assert(!make_caps_ambient(selfPath));
+ #endif
 execve(sourceProg, argv, environ);
From a4f905afc251e48ee106fdede8ad15e9cf5b4cdc Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer
Date: Thu, 26 Jan 2017 00:41:00 -0800
Subject: [PATCH 026/153] Enhhh I think compile time macros are gross
---
 .../permissions-wrappers/permissions-wrapper.c | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
index f74a952b7d8..2e7b1edde3b 100644
--- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
+++ b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
@@ -8,6 +8,11 @@
 #include
 #include
 #include
+#include
+#include
+#include
+#include
+#include
 // Make sure assertions are not compiled out, we use them to codify
 // invariants about this program and we want it to fail fast and
@@ -32,13 +37,6 @@ fprintf(stderr, "Program must be compiled with either the WRAPPER_SETCAP or WRAP exit(1); #endif -#ifdef WRAPPER_SETCAP -#include -#include -#include -#include -#include - // Update the capabilities of the running process to include the given // capability in the Ambient set. static void set_ambient_cap(cap_value_t cap) @@ -163,7 +161,6 @@ static int make_caps_ambient(const char *selfPath) return 0; } -#endif int main(int argc, char * * argv) { @@ -211,9 +208,8 @@ int main(int argc, char * * argv) // Read the capabilities set on the file and raise them in to the // Ambient set so the program we're wrapping receives the // capabilities too! - #ifdef WRAPPER_SETCAP - assert(!make_caps_ambient(selfPath)); - #endif + if (strcmp(wrapperType, "setcap") == 0) + assert(!make_caps_ambient(selfPath)); execve(sourceProg, argv, environ); From 21368c4c67580f6ff245636d4af37d3094a1cd09 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 26 Jan 2017 00:58:44 -0800 Subject: [PATCH 027/153] Hmm, unnecessary --- nixos/modules/security/permissions-wrappers/default.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 2ec1e91cee9..af8158aab92 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -22,7 +22,6 @@ let , source ? null , owner ? "nobody" , group ? "nogroup" - , setcap ? false }: '' cp ${setcapWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program} 
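Review bot: Moving the capability headers and `make_caps_ambient()` out of `#ifdef WRAPPER_SETCAP` means the setuid-built wrapper now also contains the code path that raises file capabilities into the Ambient set, gated only by a runtime `strcmp(wrapperType, "setcap")`; `wrapperType` is defined outside this hunk, and if it is a build-time constant the `#ifdef` form of the previous patch is strictly safer because that code is simply absent from setuid wrappers. If the runtime check stays, the comment above it should say where the value comes from, e.g. `// wrapperType is fixed when the wrapper is built; it must never be derived from argv or the environment.` Bracing the one-statement body, `if (strcmp(wrapperType, "setcap") == 0) { assert(!make_caps_ambient(selfPath)); }`, also keeps the intent visible should the assert macro ever change. main() begins outside the hunk.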
@@ -36,13 +35,7 @@ let # # Only set the capabilities though if we're being told to # do so. - ${ - if setcap then - '' - ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" ${permissionsWrapperDir}/${program} - '' - else "" - } + ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" ${permissionsWrapperDir}/${program} # Set the executable bit chmod u+rx,g+x,o+x ${permissionsWrapperDir}/${program} From 48a0c5a3a728418286d4790491ed1bd9c4df9e7e Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 26 Jan 2017 01:00:46 -0800 Subject: [PATCH 028/153] More fixing --- nixos/modules/security/permissions-wrappers/default.nix | 1 - nixos/modules/tasks/network-interfaces.nix | 2 -- 2 files changed, 3 deletions(-) diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index af8158aab92..14f9dadcb24 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -106,7 +106,6 @@ in source = "${pkgs.iputils.out}/bin/ping"; owner = "nobody"; group = "nogroup"; - setcap = true; capabilities = "cap_net_raw+ep"; } ]; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index a69435ff593..61519c6a3ce 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -902,13 +902,11 @@ in [ { program = "ping"; source = "${pkgs.iputils.out}/bin/ping"; - setcap = true; capabilities = "cap_net_raw+p"; } { program = "ping6"; source = "${pkgs.iputils.out}/bin/ping6"; - setcap = true; capabilities = "cap_net_raw+p"; } ] From 61fe8de40c9efbcd31301233e78278202485d8d8 Mon Sep 17 00:00:00 2001 
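Review bot: With the `setcap` flag removed, `${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}"` now runs unconditionally, but the comment directly above it still says `# Only set the capabilities though if we're being told to do so.`; delete those lines or replace them with `# cap_setpcap is always added so the wrapper can raise its file capabilities into the Ambient set.` Also, `capabilities` has no default in the formal arguments visible here, so an entry that omits it would presumably fail evaluation rather than produce a wrapper without capabilities; if a default is added later it must not be `""`, which would yield the string `"cap_setpcap,"`. The configureSetcapWrapper function starts outside the hunk.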
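Review bot: After dropping `setcap = true` the two declarations of the ping wrapper still disagree: default.nix keeps `capabilities = "cap_net_raw+ep";` while network-interfaces.nix gives ping and ping6 `capabilities = "cap_net_raw+p";`, and both name the same `program = "ping"`, so which file capability set the installed wrapper ends up with presumably depends on how the module system merges the two lists. Pick one spelling and keep the entry in one place; the `+p` form matches the wrapper's own design of raising permitted capabilities into the Ambient set, whereas `+ep` makes the capability effective at exec regardless of that code. Both hunks' enclosing lists begin outside the hunk.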
From: Parnell Springmeyer Date: Thu, 26 Jan 2017 01:03:18 -0800 Subject: [PATCH 029/153] Silly, should just have one activation script --- .../security/permissions-wrappers/default.nix | 69 +++++++++---------- 1 file changed, 33 insertions(+), 36 deletions(-) diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 14f9dadcb24..55033266c9a 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -61,37 +61,7 @@ let ''; mkActivationScript = programsToWrap: - lib.stringAfter [ "users" ] - '' - # Look in the system path and in the default profile for - # programs to be wrapped. - PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - - mkdir -p /run/permissions-wrapper-dirs - permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX) - chmod a+rx $permissionsWrapperDir - - ${programsToWrap} - - if [ -L ${permissionsWrapperDir} ]; then - # Atomically replace the symlink - # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ - old=$(readlink ${permissionsWrapperDir}) - ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp - mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir} - rm --force --recursive $old - elif [ -d ${permissionsWrapperDir} ]; then - # Compatibility with old state, just remove the folder and symlink - rm -f ${permissionsWrapperDir}/* - # if it happens to be a tmpfs - ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true - rm -d ${permissionsWrapperDir} - ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir} - else - # For initial setup - ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir} - fi - ''; +; in { 
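Review bot: `mkActivationScript = programsToWrap:` followed by `;` leaves a lambda with no body, which is not valid Nix, so this commit does not evaluate on its own; the binding should be removed outright (the following patch does that), keeping every commit in the series evaluable for bisecting.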
@@ -184,11 +154,38 @@ in ''; ###### setcap activation script - system.activationScripts.setcap = - mkActivationScript (lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)); + system.activationScripts.permissions-wrappers = + lib.stringAfter [ "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. + PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - ###### setuid activation script - system.activationScripts.setuid = - mkActivationScript (lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)); + mkdir -p /run/permissions-wrapper-dirs + permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX) + chmod a+rx $permissionsWrapperDir + + ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)} + ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)} + + if [ -L ${permissionsWrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink ${permissionsWrapperDir}) + ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp + mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir} + rm --force --recursive $old + elif [ -d ${permissionsWrapperDir} ]; then + # Compatibility with old state, just remove the folder and symlink + rm -f ${permissionsWrapperDir}/* + # if it happens to be a tmpfs + ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true + rm -d ${permissionsWrapperDir} + ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir} + else + # For initial setup + ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir} + fi + ''; }; } From fd974085bf5b7a18c0c053a1fdd331c523221fb1 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Thu, 26 Jan 2017 01:04:12 -0800 Subject: [PATCH 030/153] It's clearly quite late --- nixos/modules/security/permissions-wrappers/default.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 55033266c9a..0ea465fbd78 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -59,9 +59,6 @@ let chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program} ''; - - mkActivationScript = programsToWrap: -; in { From f64b06a3e045c14110d9a7fcac9e4c8ee70ae8f0 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 26 Jan 2017 01:13:19 -0800 Subject: [PATCH 031/153] Hmmm --- .../security/permissions-wrappers/default.nix | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 0ea465fbd78..bb5ffff8e27 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -23,11 +23,11 @@ let , owner ? "nobody" , group ? "nogroup" }: '' - cp ${setcapWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program} + cp ${setcapWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program} # Prevent races - chmod 0000 ${permissionsWrapperDir}/${program} - chown ${owner}.${group} ${permissionsWrapperDir}/${program} + chmod 0000 $permissionsWrapperDir/${program} + chown ${owner}.${group} $permissionsWrapperDir/${program} # Set desired capabilities on the file plus cap_setpcap so # the wrapper program can elevate the capabilities set on 
@@ -35,10 +35,10 @@ let # # Only set the capabilities though if we're being told to # do so. - ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" ${permissionsWrapperDir}/${program} + ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $permissionsWrapperDir/${program} # Set the executable bit - chmod u+rx,g+x,o+x ${permissionsWrapperDir}/${program} + chmod u+rx,g+x,o+x $permissionsWrapperDir/${program} ''; ###### Activation script for the setuid wrappers @@ -51,13 +51,13 @@ let , setgid ? false , permissions ? "u+rx,g+x,o+x" }: '' - cp ${setuidWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program} + cp ${setuidWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program} # Prevent races - chmod 0000 ${permissionsWrapperDir}/${program} - chown ${owner}.${group} ${permissionsWrapperDir}/${program} + chmod 0000 $permissionsWrapperDir/${program} + chown ${owner}.${group} $permissionsWrapperDir/${program} - chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program} + chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $permissionsWrapperDir/${program} ''; in { @@ -143,11 +143,11 @@ in # variable when initializing the shell environment.extraInit = '' # The permissions wrappers override other bin directories. - export PATH="${config.security.permissionsWrapperDir}:$PATH" + export PATH="${permissionsWrapperDir}:$PATH" ''; system.activationScripts.wrapper-dir = '' - mkdir -p "${config.security.permissionsWrapperDir}" + mkdir -p "${permissionsWrapperDir}" ''; ###### setcap activation script From ce36b58e21e8d15c1de0c300819b06e83a2a1c5a Mon Sep 17 00:00:00 2001 
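Review bot: The comment kept directly above the `setcap` call, `Only set the capabilities though if we're being told to do so`, no longer matches the code: `setcap "cap_setpcap,${capabilities}"` now runs unconditionally, and the `setcap` attribute that used to gate it is not consulted anywhere in this hunk. Either drop that sentence or restore the guard; as written, a reader will assume a wrapper can be produced without capabilities when it cannot. The enclosing `configureSetcapWrapper` definition starts before this hunk.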
From: Parnell Springmeyer Date: Thu, 26 Jan 2017 01:31:49 -0800 Subject: [PATCH 032/153] Derp --- .../security/permissions-wrappers/default.nix | 16 +++++++++++++--- .../permissions-wrappers/setcap-wrapper-drv.nix | 2 +- .../permissions-wrappers/setuid-wrapper-drv.nix | 2 +- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index bb5ffff8e27..585e4a13be6 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - inherit (config.security) permissionsWrapperDir; + inherit (config.security) run-permissionsWrapperDir permissionsWrapperDir; isNotNull = v: if v != null then true else false; @@ -132,6 +132,16 @@ in ''; }; + security.run-permissionsWrapperDir = lib.mkOption { + type = lib.types.path; + default = "/run/permissions-wrapper-dirs"; + internal = true; + description = '' + This option defines the run path to the permissions + wrappers. It should not be overriden. + ''; + }; + }; @@ -158,8 +168,8 @@ in # programs to be wrapped. PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - mkdir -p /run/permissions-wrapper-dirs - permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX) + mkdir -p ${run-permissionsWrapperDir} + permissionsWrapperDir=$(mktemp --directory --tmpdir=${run-permissionsWrapperDir} permissions-wrappers.XXXXXXXXXX) chmod a+rx $permissionsWrapperDir ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)} diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix index 04cae3c8493..3ec9b829a94 100644 --- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix 
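Review bot: The description of `security.run-permissionsWrapperDir` misspells "overridden" as "overriden", and it states the option must not be overridden while only marking it `internal`, which hides it from the manual but does not stop another module from setting it. If the module system in use supports it, `readOnly = true;` would enforce the stated contract; otherwise write `It should not be overridden.` The hyphenated name also departs from the camelCase of the sibling `permissionsWrapperDir` option declared in the same file.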
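Review bot: `mkdir -p ${run-permissionsWrapperDir}` creates the parent of every wrapper directory with whatever umask the activation script inherits, and nothing in the hunk pins its mode. Should activation ever run with a permissive umask, a world-writable parent would let an unprivileged user rename the live directory away and drop a directory of the same name in its place — a directory that `environment.extraInit` prepends to every user's PATH. Pin it explicitly, `mkdir -p -m 0755 ${run-permissionsWrapperDir}`, so the layout does not depend on the caller's environment.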
+++ b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix @@ -12,7 +12,7 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ + gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.run-permissionsWrapperDir}\" \ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix index 3bf3effb801..97dc3c1b0e0 100644 --- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix +++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix @@ -12,7 +12,7 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ + gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.run-permissionsWrapperDir}\" \ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; From ad8fde5e5d9bc25a54ac238f485e28b37d6d185a Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 26 Jan 2017 01:33:25 -0800 Subject: [PATCH 033/153] Andddd more derp --- .../security/permissions-wrappers/setcap-wrapper-drv.nix | 2 +- .../security/permissions-wrappers/setuid-wrapper-drv.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
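Review bot: When the program lookup preceding this hunk fails, the fallback `source=/nix/var/nix/profiles/default/bin/${program}` is compiled into a privileged wrapper as `SOURCE_PROG`, so a misspelled program name yields a setcap binary that executes whatever a mutable profile directory contains under that name at run time instead of producing a build failure; inside a derivation build that path cannot be validated anyway. Prefer failing the build, `echo "cannot find ${program} to wrap" >&2; exit 1`, in the branch where the lookup fails. The `WRAPPER_DIR` now passed is the parent of the per-activation directories; whether `permissions-wrapper.c` compares it as a path prefix is not visible here and worth confirming, since a prefix match would also accept any stale sibling directory.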
diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix index 3ec9b829a94..2ae3067b1b1 100644 --- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix +++ b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix @@ -12,7 +12,7 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.run-permissionsWrapperDir}\" \ + gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix index 97dc3c1b0e0..42b00c8548a 100644 --- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix +++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix @@ -12,7 +12,7 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.run-permissionsWrapperDir}\" \ + gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; From c30cf645f84232eba03d542519b5eca398a06825 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Thu, 26 Jan 2017 02:06:24 -0800 Subject: [PATCH 034/153] Make setting of the wrapper macros a compile-time error --- .../security/permissions-wrappers/permissions-wrapper.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c index 2e7b1edde3b..6e00df9cef8 100644 --- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c +++ b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c @@ -33,8 +33,7 @@ static char * wrapperType = "setcap"; #elif defined WRAPPER_SETUID static char * wrapperType = "setuid"; #else -fprintf(stderr, "Program must be compiled with either the WRAPPER_SETCAP or WRAPPER_SETUID macros specified!\n"); -exit(1); +#error Program must be compiled with either the WRAPPER_SETCAP or WRAPPER_SETUID macro #endif // Update the capabilities of the running process to include the given From 189a0c25796d10ee5ca9e7e61b6a79ff1656f177 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 26 Jan 2017 02:07:36 -0800 Subject: [PATCH 035/153] Wrap with quotes as-per GCC's recommendation --- .../modules/security/permissions-wrappers/permissions-wrapper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c index 6e00df9cef8..cb9d8d6b37b 100644 --- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c +++ b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c 
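Review bot: The new `#error` only covers the case where neither macro is defined; a build that defines both `WRAPPER_SETCAP` and `WRAPPER_SETUID` still compiles silently, with the `#if` branch above this hunk winning and `wrapperType` reporting "setcap" for a binary that was meant to be a setuid wrapper. Add a guard ahead of the chain: `#if defined WRAPPER_SETCAP && defined WRAPPER_SETUID` / `#error "WRAPPER_SETCAP and WRAPPER_SETUID are mutually exclusive"` / `#endif`. If the string is only ever read, `static const char *wrapperType` would additionally let the compiler reject accidental writes.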
@@ -33,7 +33,7 @@ static char * wrapperType = "setcap"; #elif defined WRAPPER_SETUID static char * wrapperType = "setuid"; #else -#error Program must be compiled with either the WRAPPER_SETCAP or WRAPPER_SETUID macro +#error "Program must be compiled with either the WRAPPER_SETCAP or WRAPPER_SETUID macro" #endif // Update the capabilities of the running process to include the given From 01e6b82f3f5584f76ec46354d34a787968a7f262 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Thu, 26 Jan 2017 09:20:15 -0800 Subject: [PATCH 036/153] Removing dead code --- .../permissions-wrappers/setcap-wrappers.nix | 162 ------------------ .../permissions-wrappers/setuid-wrappers.nix | 146 ---------------- 2 files changed, 308 deletions(-) delete mode 100644 nixos/modules/security/permissions-wrappers/setcap-wrappers.nix delete mode 100644 nixos/modules/security/permissions-wrappers/setuid-wrappers.nix diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrappers.nix b/nixos/modules/security/permissions-wrappers/setcap-wrappers.nix deleted file mode 100644 index ead3cb219f1..00000000000 --- a/nixos/modules/security/permissions-wrappers/setcap-wrappers.nix +++ /dev/null 
@@ -1,162 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; with pkgs; - -let - - inherit (config.security) setcapWrapperDir; - - cfg = config.security.setcapCapabilities; - - # Produce a shell-code splice intended to be stitched into one of - # the build or install phases within the `setcapWrapper` derivation. - mkSetcapWrapper = { program, source ? null, ...}: - '' - if ! source=${if source != null then source else "$(readlink -f $(PATH=$SETCAP_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi - - gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${setcapWrapperDir}\" \ - -lcap-ng -lcap ${./setcap-wrapper.c} -o $out/bin/${program}.wrapper - ''; - - setcapWrappers = - - # This is only useful for Linux platforms and a kernel version of - # 4.3 or greater - assert pkgs.stdenv.isLinux; - assert versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3"; - - pkgs.stdenv.mkDerivation { - name = "setcap-wrapper"; - unpackPhase = "true"; - buildInputs = [ linuxHeaders libcap libcap_ng ]; - installPhase = '' - mkdir -p $out/bin - - # Concat together all of our shell splices to compile - # binary wrapper programs for all configured setcap programs. - ${concatMapStrings mkSetcapWrapper cfg} - ''; - }; -in -{ - options = { - security.setcapCapabilities = mkOption { - type = types.listOf types.attrs; - default = []; - example = - [ { program = "ping"; - owner = "nobody"; - group = "nogroup"; - setcap = true; - capabilities = "cap_net_raw+ep"; - } - ]; - description = '' - This option sets capabilities on a wrapper program that - propagates those capabilities down to the wrapped, real - program. - - The `program` attribute is the name of the program to be - wrapped. If no `source` attribute is provided, specifying the - absolute path to the program, then the program will be - searched for in the path environment variable. 
- - NOTE: cap_setpcap, which is required for the wrapper program - to be able to raise caps into the Ambient set is NOT raised to - the Ambient set so that the real program cannot modify its own - capabilities!! This may be too restrictive for cases in which - the real program needs cap_setpcap but it at least leans on - the side security paranoid vs. too relaxed. - - The attribute `setcap` defaults to false and it will create a - wrapper program but never set the capability set on it. This - is done so that you can remove a capability sent entirely from - a wrapper program without also needing to go change any - absolute paths that may be directly referencing the wrapper - program. - ''; - }; - - security.setcapWrapperDir = mkOption { - type = types.path; - default = "/var/setcap-wrappers"; - internal = true; - description = '' - This option defines the path to the setcap wrappers. It - should generally not be overriden. - ''; - }; - - }; - - config = { - - # Make sure our setcap-wrapper dir exports to the PATH env - # variable when initializing the shell - environment.extraInit = '' - # The setcap wrappers override other bin directories. - export PATH="${config.security.setcapWrapperDir}:$PATH" - ''; - - system.activationScripts.setcap = - let - setcapPrograms = cfg; - configureSetcapWrapper = - { program - , capabilities - , source ? null - , owner ? "nobody" - , group ? "nogroup" - , setcap ? false - }: - '' - mkdir -p ${setcapWrapperDir} - - cp ${setcapWrappers}/bin/${program}.wrapper ${setcapWrapperDir}/${program} - - # Prevent races - chmod 0000 ${setcapWrapperDir}/${program} - chown ${owner}.${group} ${setcapWrapperDir}/${program} - - # Set desired capabilities on the file plus cap_setpcap so - # the wrapper program can elevate the capabilities set on - # its file into the Ambient set. - # - # Only set the capabilities though if we're being told to - # do so. 
- ${ - if setcap then - '' - ${libcap.out}/bin/setcap "cap_setpcap,${capabilities}" ${setcapWrapperDir}/${program} - '' - else "" - } - - # Set the executable bit - chmod u+rx,g+x,o+x ${setcapWrapperDir}/${program} - ''; - - in stringAfter [ "users" ] - '' - # Look in the system path and in the default profile for - # programs to be wrapped. - SETCAP_PATH=${config.system.path}/bin:${config.system.path}/sbin - - # When a program is removed from the security.setcapCapabilities - # list we have to remove all of the previous program wrappers - # and re-build them minus the wrapper for the program removed, - # hence the rm here in the activation script. - - rm -f ${setcapWrapperDir}/* - - # Concatenate the generated shell slices to configure - # wrappers for each program needing specialized capabilities. - - ${concatMapStrings configureSetcapWrapper setcapPrograms} - ''; - }; -} diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrappers.nix b/nixos/modules/security/permissions-wrappers/setuid-wrappers.nix deleted file mode 100644 index fe220c94313..00000000000 --- a/nixos/modules/security/permissions-wrappers/setuid-wrappers.nix +++ /dev/null 
@@ -1,146 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - inherit (config.security) wrapperDir; - - setuidWrapper = pkgs.stdenv.mkDerivation { - name = "setuid-wrapper"; - unpackPhase = "true"; - installPhase = '' - mkdir -p $out/bin - cp ${./setuid-wrapper.c} setuid-wrapper.c - gcc -Wall -O2 -DWRAPPER_DIR=\"/run/setuid-wrapper-dirs\" \ - setuid-wrapper.c -o $out/bin/setuid-wrapper - ''; - }; - -in - -{ - - ###### interface - - options = { - - security.setuidPrograms = mkOption { - type = types.listOf types.str; - default = []; - example = ["passwd"]; - description = '' - The Nix store cannot contain setuid/setgid programs directly. - For this reason, NixOS can automatically generate wrapper - programs that have the necessary privileges. This option - lists the names of programs in the system environment for - which setuid root wrappers should be created. - ''; - }; - - security.setuidOwners = mkOption { - type = types.listOf types.attrs; - default = []; - example = - [ { program = "sendmail"; - owner = "nobody"; - group = "postdrop"; - setuid = false; - setgid = true; - permissions = "u+rx,g+x,o+x"; - } - ]; - description = '' - This option allows the ownership and permissions on the setuid - wrappers for specific programs to be overridden from the - default (setuid root, but not setgid root). - ''; - }; - - security.wrapperDir = mkOption { - internal = true; - type = types.path; - default = "/var/setuid-wrappers"; - description = '' - This option defines the path to the setuid wrappers. It - should generally not be overriden. Some packages in Nixpkgs - expect that is - /var/setuid-wrappers. - ''; - }; - - }; - - - ###### implementation - - config = { - - security.setuidPrograms = [ "fusermount" ]; - - system.activationScripts.setuid = - let - setuidPrograms = - (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) - config.security.setuidPrograms) - ++ config.security.setuidOwners; - - makeSetuidWrapper = - { program - , source ? 
"" - , owner ? "nobody" - , group ? "nogroup" - , setuid ? false - , setgid ? false - , permissions ? "u+rx,g+x,o+x" - }: - - '' - if ! source=${if source != "" then source else "$(readlink -f $(PATH=$SETUID_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi - - cp ${setuidWrapper}/bin/setuid-wrapper $wrapperDir/${program} - echo -n "$source" > $wrapperDir/${program}.real - chmod 0000 $wrapperDir/${program} # to prevent races - chown ${owner}.${group} $wrapperDir/${program} - chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program} - ''; - - in stringAfter [ "users" ] - '' - # Look in the system path and in the default profile for - # programs to be wrapped. - SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin - - mkdir -p /run/setuid-wrapper-dirs - wrapperDir=$(mktemp --directory --tmpdir=/run/setuid-wrapper-dirs setuid-wrappers.XXXXXXXXXX) - chmod a+rx $wrapperDir - - ${concatMapStrings makeSetuidWrapper setuidPrograms} - - if [ -L ${wrapperDir} ]; then - # Atomically replace the symlink - # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ - old=$(readlink ${wrapperDir}) - ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp - mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir} - rm --force --recursive $old - elif [ -d ${wrapperDir} ]; then - # Compatibility with old state, just remove the folder and symlink - rm -f ${wrapperDir}/* - # if it happens to be a tmpfs - ${pkgs.utillinux}/bin/umount ${wrapperDir} || true - rm -d ${wrapperDir} - ln -d --symbolic $wrapperDir ${wrapperDir} - else - # For initial setup - ln --symbolic $wrapperDir ${wrapperDir} - fi - ''; - - }; - -} From 9de070e620544f9637b20966eec62cbff42988d8 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Thu, 26 Jan 2017 09:39:37 -0800 Subject: [PATCH 037/153] Setuid wrapper should not be constrained to a specific linux kernel version --- nixos/modules/security/permissions-wrappers/default.nix | 7 ------- .../security/permissions-wrappers/setuid-wrapper-drv.nix | 1 - 2 files changed, 8 deletions(-) diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 585e4a13be6..480bd371040 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -92,13 +92,6 @@ in capabilities!! This may be too restrictive for cases in which the real program needs cap_setpcap but it at least leans on the side security paranoid vs. too relaxed. - - The attribute `setcap` defaults to false and it will create a - wrapper program but never set the capability set on it. This - is done so that you can remove a capability sent entirely from - a wrapper program without also needing to go change any - absolute paths that may be directly referencing the wrapper - program. ''; }; diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix index 42b00c8548a..53cce2ff48e 100644 --- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix +++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix @@ -21,7 +21,6 @@ in # This is only useful for Linux platforms and a kernel version of # 4.3 or greater assert pkgs.stdenv.isLinux; -assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"; pkgs.stdenv.mkDerivation { name = "setuid-wrapper"; From e92b8402b05f34072a20075ed54660e7a7237cc3 Mon Sep 17 00:00:00 2001 
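Review bot: The comment retained on the context lines above the removed assert, `This is only useful for Linux platforms and a kernel version of 4.3 or greater`, now contradicts the commit: the kernel-version constraint is dropped for the setuid wrapper and only `assert pkgs.stdenv.isLinux;` remains. Shorten it to `# Setuid wrappers only make sense on Linux; no kernel version constraint applies here.` The 4.3 requirement belongs with the setcap variant, where ambient capabilities are needed.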
From: Parnell Springmeyer Date: Sat, 28 Jan 2017 20:48:03 -0800 Subject: [PATCH 038/153] Addressing PR feedback --- nixos/doc/manual/release-notes/rl-1609.xml | 2 +- nixos/doc/manual/release-notes/rl-1703.xml | 8 + nixos/modules/config/shells-environment.nix | 4 +- .../installer/tools/nixos-generate-config.pl | 2 +- .../modules/installer/tools/nixos-install.sh | 7 +- nixos/modules/module-list.nix | 2 +- nixos/modules/programs/kbdlight.nix | 9 +- nixos/modules/programs/light.nix | 9 +- nixos/modules/programs/shadow.nix | 48 +---- nixos/modules/security/apparmor-suid.nix | 4 +- .../security/chromium-suid-sandbox.nix | 6 +- nixos/modules/security/duosec.nix | 11 +- nixos/modules/security/pam.nix | 33 +-- nixos/modules/security/pam_usb.nix | 17 +- .../security/permissions-wrappers/default.nix | 191 ------------------ nixos/modules/security/polkit.nix | 18 +- nixos/modules/security/sudo.nix | 17 +- nixos/modules/security/wrappers/default.nix | 191 ++++++++++++++++++ .../permissions-wrapper.c | 0 .../setcap-wrapper-drv.nix | 4 +- .../setuid-wrapper-drv.nix | 12 +- nixos/modules/services/logging/logcheck.nix | 4 +- nixos/modules/services/mail/dovecot.nix | 2 +- nixos/modules/services/mail/exim.nix | 12 +- nixos/modules/services/mail/mail.nix | 2 +- nixos/modules/services/monitoring/munin.nix | 4 +- nixos/modules/services/monitoring/smartd.nix | 2 +- .../services/network-filesystems/samba.nix | 2 +- nixos/modules/services/networking/gale.nix | 2 +- nixos/modules/services/networking/prayer.nix | 2 +- .../modules/services/networking/smokeping.nix | 20 +- nixos/modules/services/scheduling/atd.nix | 2 +- nixos/modules/services/scheduling/cron.nix | 18 +- nixos/modules/services/scheduling/fcron.nix | 13 +- nixos/modules/services/system/dbus.nix | 4 +- .../x11/desktop-managers/enlightenment.nix | 11 +- .../services/x11/desktop-managers/kde4.nix | 2 +- .../services/x11/desktop-managers/kde5.nix | 2 +- nixos/modules/system/boot/stage-2-init.sh | 8 +- 
nixos/modules/tasks/network-interfaces.nix | 45 ++--- .../virtualisation/virtualbox-host.nix | 4 +- nixos/tests/smokeping.nix | 2 +- .../applications/editors/sublime3/default.nix | 2 +- .../networking/browsers/chromium/default.nix | 4 +- .../gale/gale-install.in.patch | 2 +- .../gitlab/remove-hardcoded-locations.patch | 2 +- .../virtualization/virtualbox/hardened.patch | 6 +- pkgs/build-support/build-fhs-userenv/env.nix | 2 +- pkgs/desktops/enlightenment/enlightenment.nix | 6 +- .../kinit/start_kdeinit-path.patch | 2 +- .../development/libraries/libgksu/default.nix | 4 +- pkgs/development/libraries/polkit/default.nix | 2 +- pkgs/development/tools/unity3d/default.nix | 2 +- pkgs/os-specific/linux/fuse/default.nix | 2 +- pkgs/os-specific/linux/mdadm/4.nix | 2 +- pkgs/os-specific/linux/mdadm/default.nix | 2 +- pkgs/os-specific/linux/pam/default.nix | 2 +- pkgs/os-specific/linux/util-linux/default.nix | 2 +- pkgs/servers/interlock/default.nix | 2 +- pkgs/servers/mail/petidomo/default.nix | 2 +- .../nagios/plugins/official-2.x.nix | 4 +- pkgs/tools/X11/x11vnc/default.nix | 4 +- pkgs/tools/admin/certbot/default.nix | 2 +- pkgs/tools/misc/debian-devscripts/default.nix | 2 +- pkgs/tools/security/ecryptfs/default.nix | 2 +- pkgs/tools/security/ecryptfs/helper.nix | 2 +- pkgs/tools/security/sudo/default.nix | 2 +- pkgs/tools/system/at/default.nix | 2 +- pkgs/tools/system/cron/default.nix | 2 +- pkgs/tools/system/ts/default.nix | 2 +- 70 files changed, 320 insertions(+), 510 deletions(-) delete mode 100644 nixos/modules/security/permissions-wrappers/default.nix create mode 100644 nixos/modules/security/wrappers/default.nix rename nixos/modules/security/{permissions-wrappers => wrappers}/permissions-wrapper.c (100%) rename nixos/modules/security/{permissions-wrappers => wrappers}/setcap-wrapper-drv.nix (92%) rename nixos/modules/security/{permissions-wrappers => wrappers}/setuid-wrapper-drv.nix (75%) 
diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml index bf8be1b68f2..ade7d5581ce 100644 --- a/nixos/doc/manual/release-notes/rl-1609.xml +++ b/nixos/doc/manual/release-notes/rl-1609.xml @@ -202,7 +202,7 @@ following incompatible changes: The directory container setuid wrapper programs, - /var/permissions-wrappers, /var/setuid-wrappers, is now updated atomically to prevent failures if the switch to a new configuration is interrupted. diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 177010e2a32..94aa674fed6 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -15,6 +15,14 @@ has the following highlights: xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs manual for more information. + + + + Setting capabilities on programs is now supported with a + setcap-wrapper functionality. This + functionality and the setuid-wrapper are merged + into a single "wrappers" module. + The following new services were added since the last release: diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix index 7003c074522..8a7b3ea0bfd 100644 --- a/nixos/modules/config/shells-environment.nix +++ b/nixos/modules/config/shells-environment.nix @@ -168,8 +168,8 @@ in ${cfg.extraInit} - # The setuid wrappers override other bin directories. - export PATH="${config.security.permissionsWrapperDir}:$PATH" + # The setuid/setcap wrappers override other bin directories. + export PATH="${config.security.wrapperDir}:$PATH" # ~/bin if it exists overrides other bin directories. export PATH="$HOME/bin:$PATH" diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index bb379dafc64..657c28f095d 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl 
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -343,7 +343,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) { # Skip special filesystems. next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs"; - next if $mountPoint eq "/var/permissions-wrappers"; + next if $mountPoint eq "/run/wrappers"; # Skip the optional fields. my $n = 6; $n++ while $fields[$n] ne "-"; $n++; diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 4e9f8ab60f2..36b1a47956d 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -92,14 +92,13 @@ fi mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home mkdir -m 01777 -p $mountPoint/tmp mkdir -m 0755 -p $mountPoint/tmp/root -mkdir -m 0755 -p $mountPoint/var/permissions-wrappers +mkdir -m 0755 -p $mountPoint/var mkdir -m 0700 -p $mountPoint/root mount --rbind /dev $mountPoint/dev mount --rbind /proc $mountPoint/proc mount --rbind /sys $mountPoint/sys mount --rbind / $mountPoint/tmp/root mount -t tmpfs -o "mode=0755" none $mountPoint/run -mount -t tmpfs -o "mode=0755" none $mountPoint/var/permissions-wrappers rm -rf $mountPoint/var/run ln -s /run $mountPoint/var/run for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done @@ -260,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate # Ask the user to set a root password. -if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/permissions-wrappers/passwd ] && [ -t 0 ]; then +if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then echo "setting root password..." - chroot $mountPoint /var/permissions-wrappers/passwd + chroot $mountPoint /run/wrappers/passwd fi 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index f7206ea931b..bd351460a52 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -113,7 +113,7 @@ ./security/prey.nix ./security/rngd.nix ./security/rtkit.nix - ./security/permissions-wrappers + ./security/wrappers ./security/sudo.nix ./services/amqp/activemq/default.nix ./services/amqp/rabbitmq.nix diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix index 30767a03291..0172368e968 100644 --- a/nixos/modules/programs/kbdlight.nix +++ b/nixos/modules/programs/kbdlight.nix @@ -11,13 +11,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kbdlight ]; - - security.permissionsWrappers.setuid = - [ { program = "kbdlight"; - source = "${pkgs.kbdlight.out}/bin/kbdlight"; - owner = "root"; - group = "root"; - setuid = true; - }]; + security.setuidPrograms = [ "kbdlight" ]; }; } diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix index c89f8e93721..09cd1113d9c 100644 --- a/nixos/modules/programs/light.nix +++ b/nixos/modules/programs/light.nix @@ -21,13 +21,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.light ]; - - security.permissionsWrappers.setuid = - [ { program = "light"; - source = "${pkgs.light.out}/bin/light"; - owner = "root"; - group = "root"; - setuid = true; - }]; + security.setuidPrograms = [ "light" ]; }; } diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 08d96cbcf4b..c5a50318026 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix 
@@ -101,49 +101,9 @@ in chpasswd = { rootOK = true; }; }; - - security.permissionsWrappers.setuid = - [ - { program = "su"; - source = "${pkgs.shadow.su}/bin/su"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "chfn"; - source = "${pkgs.shadow.out}/bin/chfn"; - owner = "root"; - group = "root"; - setuid = true; - } - ] ++ - (lib.optionals config.users.mutableUsers - map (x: x // { owner = "root"; - group = "root"; - setuid = true; - }) - [ - { program = "passwd"; - source = "${pkgs.shadow.out}/bin/passwd"; - } - - { program = "sg"; - source = "${pkgs.shadow.out}/bin/sg"; - } - - { program = "newgrp"; - source = "${pkgs.shadow.out}/bin/newgrp"; - } - - { program = "newuidmap"; - source = "${pkgs.shadow.out}/bin/newuidmap"; - } - - { program = "newgidmap"; - source = "${pkgs.shadow.out}/bin/newgidmap"; - } - ] - ); + security.setuidPrograms = [ + "su" "chfn" "newuidmap" "newgidmap" + ] ++ lib.optionals config.users.mutableUsers + [ "passwd" "sg" "newgrp" ]; }; } diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix index 799f27b6708..e7b870864ee 100644 --- a/nixos/modules/security/apparmor-suid.nix +++ b/nixos/modules/security/apparmor-suid.nix @@ -19,7 +19,7 @@ with lib; config = mkIf (cfg.confineSUIDApplications) { security.apparmor.profiles = [ (pkgs.writeText "ping" '' #include - /var/permissions-wrappers/ping { + /run/wrappers/ping { #include #include #include @@ -33,7 +33,7 @@ with lib; ${pkgs.attr.out}/lib/libattr.so* mr, ${pkgs.iputils}/bin/ping mixr, - /var/permissions-wrappers/ping.real r, + /run/wrappers/ping.real r, #/etc/modules.conf r, diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index 6fe25213639..0699fbb728a 100644 --- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix 
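Review bot: `su`, `chfn`, `newuidmap` and `newgidmap` are now wrapped by name from the system path instead of the pinned `${pkgs.shadow.su}/bin/su` and `${pkgs.shadow.out}/bin/…` sources this hunk removes, so the setuid-root wrapper binds to whichever package wins the name lookup at activation time. Other packages can and do ship a binary named `su`, and anything placed earlier on the path would be silently wrapped setuid root in shadow's place. Since the same commit introduces an explicit-source form (`security.wrappers.unix_chkpwd = { source = …; }` in pam.nix), keep the shadow tools on that form with their store paths pinned.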
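Review bot: The re-pointed rule `/run/wrappers/ping.real r,` refers to a file the new wrappers never create: the previous setuid-wrapper module wrote a `${program}.real` file next to each wrapper (visible in the file deleted by patch 036), whereas the wrapper derivations in this series bake the target into the binary via `-DSOURCE_PROG`. The rule is dead and should be removed rather than re-pointed. It is also worth confirming that `/run/wrappers/ping` is the wrapper's actual path, since the `security.wrapperDir` default is not in this view.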
@@ -27,10 +27,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ sandbox ]; - security.permissionsWrappers.setuid = [ - { program = sandbox.passthru.sandboxExecutableName; - source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; - } - ]; + security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ]; }; } diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index e5b35427015..ee62c34438e 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -188,16 +188,7 @@ in environment.systemPackages = [ pkgs.duo-unix ]; - security.permissionsWrappers.setuid = - [ - { program = "login_duo"; - source = "${pkgs.duo-unix.out}/bin/login_duo"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "login_duo" ]; environment.etc = loginCfgFile ++ pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index c5088b64bb3..3c944acf6cf 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix 
@@ -472,33 +472,14 @@ in ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ] ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; - security.permissionsWrappers.setuid = - [ - { program = "unix_chkpwd"; - source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; - owner = "root"; - group = "root"; - setuid = true; - } + security.setuidPrograms = + optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]; - - - ] ++ (optional config.security.pam.enableEcryptfs - { program = "umount.ecryptfs_private"; - source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; - owner = "root"; - group = "root"; - setuid = true; - } - ) ++ (optional config.security.pam.enableEcryptfs - { program = "mount.ecryptfs_private"; - source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; - owner = "root"; - group = "root"; - setuid = true; - } - ); - + security.wrappers.unix_chkpwd = { + source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; + owner = "root"; + setuid = true; + }; environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 53a7921a244..032f8e38d11 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix @@ -33,22 +33,7 @@ in config = mkIf (cfg.enable || anyUsbAuth) { # Make sure pmount and pumount are setuid wrapped. - security.permissionsWrappers.setuid = - [ - { program = "pmount"; - source = "${pkgs.pmount.out}/bin/pmount"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "pumount"; - source = "${pkgs.pmount.out}/bin/pumount"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "pmount" "pumount" ]; environment.systemPackages = [ pkgs.pmount ]; 
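Review bot: The new `security.wrappers.unix_chkpwd` entry drops the `group = "root"` the removed list entry carried, and `mkSetuidProgram` in the new wrappers module defaults `group` to `nogroup`, so the helper is installed root:nogroup with u+s; that does not change privilege for a setuid-root file, but it diverges from the root:root every `security.setuidPrograms` entry receives and the commit does not explain it. Add `group = "root";` next to `owner = "root";`. The ecryptfs helpers, previously pinned to `${pkgs.ecryptfs.out}/bin/…`, are now resolved by name by the wrapper derivation's `type -tP` lookup; if `pkgs.ecryptfs` is not on the system path that lookup falls through to the mutable default-profile fallback, so either add the package to `environment.systemPackages` here or keep explicit `source` entries under `security.wrappers`.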
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix deleted file mode 100644 index 480bd371040..00000000000 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ /dev/null 
@@ -1,191 +0,0 @@ -{ config, lib, pkgs, ... }: -let - - inherit (config.security) run-permissionsWrapperDir permissionsWrapperDir; - - isNotNull = v: if v != null then true else false; - - cfg = config.security.permissionsWrappers; - - setcapWrappers = import ./setcap-wrapper-drv.nix { - inherit config lib pkgs; - }; - - setuidWrappers = import ./setuid-wrapper-drv.nix { - inherit config lib pkgs; - }; - - ###### Activation script for the setcap wrappers - configureSetcapWrapper = - { program - , capabilities - , source ? null - , owner ? "nobody" - , group ? "nogroup" - }: '' - cp ${setcapWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program} - - # Prevent races - chmod 0000 $permissionsWrapperDir/${program} - chown ${owner}.${group} $permissionsWrapperDir/${program} - - # Set desired capabilities on the file plus cap_setpcap so - # the wrapper program can elevate the capabilities set on - # its file into the Ambient set. - # - # Only set the capabilities though if we're being told to - # do so. - ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $permissionsWrapperDir/${program} - - # Set the executable bit - chmod u+rx,g+x,o+x $permissionsWrapperDir/${program} - ''; - - ###### Activation script for the setuid wrappers - configureSetuidWrapper = - { program - , source ? null - , owner ? "nobody" - , group ? "nogroup" - , setuid ? false - , setgid ? false - , permissions ? 
"u+rx,g+x,o+x" - }: '' - cp ${setuidWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program} - - # Prevent races - chmod 0000 $permissionsWrapperDir/${program} - chown ${owner}.${group} $permissionsWrapperDir/${program} - - chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $permissionsWrapperDir/${program} - ''; -in -{ - - ###### interface - - options = { - security.permissionsWrappers.setcap = lib.mkOption { - type = lib.types.listOf lib.types.attrs; - default = []; - example = - [ { program = "ping"; - source = "${pkgs.iputils.out}/bin/ping"; - owner = "nobody"; - group = "nogroup"; - capabilities = "cap_net_raw+ep"; - } - ]; - description = '' - This option sets capabilities on a wrapper program that - propagates those capabilities down to the wrapped, real - program. - - The `program` attribute is the name of the program to be - wrapped. If no `source` attribute is provided, specifying the - absolute path to the program, then the program will be - searched for in the path environment variable. - - NOTE: cap_setpcap, which is required for the wrapper program - to be able to raise caps into the Ambient set is NOT raised to - the Ambient set so that the real program cannot modify its own - capabilities!! This may be too restrictive for cases in which - the real program needs cap_setpcap but it at least leans on - the side security paranoid vs. too relaxed. - ''; - }; - - security.permissionsWrappers.setuid = lib.mkOption { - type = lib.types.listOf lib.types.attrs; - default = []; - example = - [ { program = "sendmail"; - source = "/nix/store/.../bin/sendmail"; - owner = "nobody"; - group = "postdrop"; - setuid = false; - setgid = true; - permissions = "u+rx,g+x,o+x"; - } - ]; - description = '' - This option allows the ownership and permissions on the setuid - wrappers for specific programs to be overridden from the - default (setuid root, but not setgid root). 
- ''; - }; - - security.permissionsWrapperDir = lib.mkOption { - type = lib.types.path; - default = "/var/permissions-wrappers"; - internal = true; - description = '' - This option defines the path to the permissions wrappers. It - should not be overriden. - ''; - }; - - security.run-permissionsWrapperDir = lib.mkOption { - type = lib.types.path; - default = "/run/permissions-wrapper-dirs"; - internal = true; - description = '' - This option defines the run path to the permissions - wrappers. It should not be overriden. - ''; - }; - - }; - - - ###### implementation - - config = { - - # Make sure our setcap-wrapper dir exports to the PATH env - # variable when initializing the shell - environment.extraInit = '' - # The permissions wrappers override other bin directories. - export PATH="${permissionsWrapperDir}:$PATH" - ''; - - system.activationScripts.wrapper-dir = '' - mkdir -p "${permissionsWrapperDir}" - ''; - - ###### setcap activation script - system.activationScripts.permissions-wrappers = - lib.stringAfter [ "users" ] - '' - # Look in the system path and in the default profile for - # programs to be wrapped. 
- PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - - mkdir -p ${run-permissionsWrapperDir} - permissionsWrapperDir=$(mktemp --directory --tmpdir=${run-permissionsWrapperDir} permissions-wrappers.XXXXXXXXXX) - chmod a+rx $permissionsWrapperDir - - ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)} - ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)} - - if [ -L ${permissionsWrapperDir} ]; then - # Atomically replace the symlink - # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ - old=$(readlink ${permissionsWrapperDir}) - ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp - mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir} - rm --force --recursive $old - elif [ -d ${permissionsWrapperDir} ]; then - # Compatibility with old state, just remove the folder and symlink - rm -f ${permissionsWrapperDir}/* - # if it happens to be a tmpfs - ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true - rm -d ${permissionsWrapperDir} - ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir} - else - # For initial setup - ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir} - fi - ''; - }; -} diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index 098319d5ded..547b40cedfd 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix 
@@ -83,22 +83,8 @@ in security.pam.services.polkit-1 = {}; - security.permissionsWrappers.setuid = - [ - { program = "pkexec"; - source = "${pkgs.polkit.out}/bin/pkexec"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "polkit-agent-helper-1"; - owner = "root"; - group = "root"; - setuid = true; - source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; - } - ]; + security.setuidPrograms = [ "pkexec" ]; + security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; system.activationScripts.polkit = '' diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index 652f23c2938..f5612e1b0c5 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -81,22 +81,7 @@ in ${cfg.extraConfig} ''; - security.permissionsWrappers.setuid = - [ - { program = "sudo"; - source = "${pkgs.sudo.out}/bin/sudo"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "sudoedit"; - source = "${pkgs.sudo.out}/bin/sudoedit"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "sudo" "sudoedit" ]; environment.systemPackages = [ sudo ]; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix new file mode 100644 index 00000000000..d12209b375b --- /dev/null +++ b/nixos/modules/security/wrappers/default.nix 
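Review bot: `security.wrappers."polkit-agent-helper-1"` now sets only `source`, and under the dispatch in the new wrappers module (an entry needs `setuid`, `setgid`, `permissions` or `capabilities`; anything else maps to an empty string) no wrapper is generated for it at all, so the setuid-root bit the removed entry had is silently lost. The entry should carry the attributes it had before: `security.wrappers."polkit-agent-helper-1" = { source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; owner = "root"; group = "root"; setuid = true; };`. Silent omission is the worst failure mode for a privileged helper; an evaluation-time error in the wrappers module for entries without a privilege mechanism would have caught this.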
@@ -0,0 +1,191 @@ +{ config, lib, pkgs, ... }: +let + + inherit (config.security) wrapperDir; + + isNotNull = v: if v != null || v != "" then true else false; + + cfg = config.security.wrappers; + + setcapWrappers = import ./setcap-wrapper-drv.nix { + inherit config lib pkgs; + }; + + setuidWrappers = import ./setuid-wrapper-drv.nix { + inherit config lib pkgs; + }; + + ###### Activation script for the setcap wrappers + mkSetcapProgram = + { program + , capabilities + , source ? null + , owner ? "nobody" + , group ? "nogroup" + ... + }: '' + cp ${setcapWrappers}/bin/${program}.wrapper $wrapperDir/${program} + + # Prevent races + chmod 0000 $wrapperDir/${program} + chown ${owner}.${group} $wrapperDir/${program} + + # Set desired capabilities on the file plus cap_setpcap so + # the wrapper program can elevate the capabilities set on + # its file into the Ambient set. + # + # Only set the capabilities though if we're being told to + # do so. + ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program} + + # Set the executable bit + chmod u+rx,g+x,o+x $wrapperDir/${program} + ''; + + ###### Activation script for the setuid wrappers + mkSetuidProgram = + { program + , source ? null + , owner ? "nobody" + , group ? "nogroup" + , setuid ? false + , setgid ? false + , permissions ? "u+rx,g+x,o+x" + ... 
+ }: '' + cp ${setuidWrappers}/bin/${program}.wrapper $wrapperDir/${program} + + # Prevent races + chmod 0000 $wrapperDir/${program} + chown ${owner}.${group} $wrapperDir/${program} + + chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program} + ''; +in +{ + + ###### interface + + options = { + security.wrappers.setcap = lib.mkOption { + type = lib.types.listOf lib.types.attrs; + default = []; + example = + [ { program = "ping"; + source = "${pkgs.iputils.out}/bin/ping"; + owner = "nobody"; + group = "nogroup"; + capabilities = "cap_net_raw+ep"; + } + ]; + description = '' + This option sets capabilities on a wrapper program that + propagates those capabilities down to the wrapped, real + program. + + The program attribute is the name of the + program to be wrapped. If no source + attribute is provided, specifying the absolute path to the + program, then the program will be searched for in the path + environment variable. + + NOTE: cap_setpcap, which is required for the wrapper program + to be able to raise caps into the Ambient set is NOT raised to + the Ambient set so that the real program cannot modify its own + capabilities!! This may be too restrictive for cases in which + the real program needs cap_setpcap but it at least leans on + the side security paranoid vs. too relaxed. + ''; + }; + + security.setuidPrograms = mkOption { + type = types.listOf types.str; + default = []; + example = ["passwd"]; + description = '' + The Nix store cannot contain setuid/setgid programs directly. + For this reason, NixOS can automatically generate wrapper + programs that have the necessary privileges. This option + lists the names of programs in the system environment for + which setuid root wrappers should be created. 
+ ''; + }; + + security.wrappers = lib.mkOption { + type = lib.types.attrs; + default = {}; + example = { + sendmail.source = "/nix/store/.../bin/sendmail"; + }; + description = '' + This option allows the ownership and permissions on the setuid + wrappers for specific programs to be overridden from the + default (setuid root, but not setgid root). + ''; + }; + + security.old-wrapperDir = lib.mkOption { + type = lib.types.path; + default = "/var/setuid-wrappers"; + internal = true; + description = '' + This option defines the path to the wrapper programs. It + should not be overriden. + ''; + }; + + security.wrapperDir = lib.mkOption { + type = lib.types.path; + default = "/run/wrappers"; + internal = true; + description = '' + This option defines the path to the wrapper programs. It + should not be overriden. + ''; + }; + }; + + ###### implementation + config = { + # Make sure our setcap-wrapper dir exports to the PATH env + # variable when initializing the shell + environment.extraInit = '' + # The permissions wrappers override other bin directories. + export PATH="${wrapperDir}:$PATH" + ''; + + ###### setcap activation script + system.activationScripts.wrappers = + let + programs = + (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) + config.security.setuidPrograms) + ++ lib.mapAttrsToList + (n: v: (if v ? "program" then v else v // {program=n;})) + cfg.wrappers; + + wrapperPrograms = + builtins.map + (s: if (s ? "setuid" && s.setuid == true) || + (s ? "setguid" && s.setguid == true) || + (s ? "permissions") + then mkSetuidProgram s + else if (s ? "capabilities") + then mkSetcapProgram s + else "" + ) programs; + + in lib.stringAfter [ "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. 
+ WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin + + mkdir -p ${wrapperDir} + wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX) + chmod a+rx $wrapperDir + + ${lib.concatStringsSep "\n" (builtins.filter isNotNull cfg.wrappers)} + ''; + }; +} diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/wrappers/permissions-wrapper.c similarity index 100% rename from nixos/modules/security/permissions-wrappers/permissions-wrapper.c rename to nixos/modules/security/wrappers/permissions-wrapper.c diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/wrappers/setcap-wrapper-drv.nix similarity index 92% rename from nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix rename to nixos/modules/security/wrappers/setcap-wrapper-drv.nix index 2ae3067b1b1..03dca5c9f42 100644 --- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix +++ b/nixos/modules/security/wrappers/setcap-wrapper-drv.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - cfg = config.security.permissionsWrappers; + cfg = config.security.wrappers; # Produce a shell-code splice intended to be stitched into one of # the build or install phases within the derivation. @@ -12,7 +12,7 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \ + gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; 
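Review bot: The activation script in `system.activationScripts.wrappers` never uses `wrapperPrograms`: it concatenates `builtins.filter isNotNull cfg.wrappers`, where `cfg` is already `config.security.wrappers` (so `cfg.wrappers` does not exist) and `isNotNull` tests `v != null || v != ""`, which is true for every value, so the script either fails to evaluate or emits no wrapper at all. The classifier also maps any entry without `setuid`/`permissions`/`capabilities` to `""` and spells the setgid test `setguid`, so a mis-typed privileged entry disappears silently instead of failing evaluation. Even when something is emitted, the files are copied into the `mktemp` subdirectory `$wrapperDir` and nothing publishes them at `${wrapperDir}/<name>`, which is where `environment.extraInit`, every `/run/wrappers/...` literal in this series and the AppArmor profile expect them; the symlink swap from the deleted module is gone without a replacement. Separately, `security.wrappers.setcap` is declared beneath the `security.wrappers` `types.attrs` option (the module system rejects an option that is a prefix of another, unless I misread the version in use; drop it, capability entries already live directly in `security.wrappers` as the ping entries in this series do), the `...` in both function patterns lacks the comma Nix requires as rendered, and several files in this series still assign lists to `security.wrappers.setuid`, which this module would treat as a wrapper named `setuid`. The rewrite below fixes the script composition, fails loudly on an unclassifiable entry and renames the finished wrappers into place; stale wrappers left by a previous generation still need separate handling.
```nix
    # … unchanged: mkSetcapProgram / mkSetuidProgram, option declarations, extraInit …
    system.activationScripts.wrappers =
      let
        programs =
          (map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
            config.security.setuidPrograms)
          ++ lib.mapAttrsToList
               (n: v: if v ? "program" then v else v // { program = n; })
               cfg;

        # Every entry must be either a setuid/setgid/permissions wrapper or a
        # capability wrapper; anything else is a configuration error, not a no-op.
        mkProgram = s:
          if (s ? "setuid" && s.setuid == true) ||
             (s ? "setgid" && s.setgid == true) ||
             (s ? "permissions")
          then mkSetuidProgram s
          else if s ? "capabilities"
          then mkSetcapProgram s
          else throw "security.wrappers.${s.program}: set setuid/setgid/permissions or capabilities";

      in lib.stringAfter [ "users" ]
        ''
          WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin

          mkdir -p ${wrapperDir}
          wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX)
          chmod a+rx $wrapperDir

          ${lib.concatMapStringsSep "\n" mkProgram programs}

          # Publish each finished wrapper under its advertised name with one
          # atomic rename, so no caller ever sees a half-configured file.
          for f in $wrapperDir/*; do
            mv -f "$f" "${wrapperDir}/$(basename "$f")"
          done
          rmdir "$wrapperDir"
        '';
```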
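Review bot: `config.security.run-wrapperDir` is not declared anywhere in the new `security/wrappers/default.nix` (it declares only `security.wrapperDir` and `security.old-wrapperDir`), so evaluating this derivation fails with a missing-attribute error. The value is compiled into every wrapper as `WRAPPER_DIR`; the C side is not in this diff, but a directory baked into a privileged wrapper presumably has to match where the wrappers are actually installed, which after this series is the directory the activation script publishes to. Change the flag to `-DWRAPPER_DIR=\"${config.security.wrapperDir}\"` and keep it in step with wherever the wrappers finally land.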
diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/wrappers/setuid-wrapper-drv.nix similarity index 75% rename from nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix rename to nixos/modules/security/wrappers/setuid-wrapper-drv.nix index 53cce2ff48e..e08ae799bf4 100644 --- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix +++ b/nixos/modules/security/wrappers/setuid-wrapper-drv.nix @@ -1,18 +1,18 @@ { config, lib, pkgs, ... }: let - cfg = config.security.permissionsWrappers; + cfg = config.security.wrappers; # Produce a shell-code splice intended to be stitched into one of # the build or install phases within the derivation. mkSetuidWrapper = { program, source ? null, ...}: '' - if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} + if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \ + gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index 86451ec318c..c933c496479 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix 
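Review bot: Same problem as the setcap derivation: `config.security.run-wrapperDir` is not declared by the new wrappers module, so this file does not evaluate; the flag should read `-DWRAPPER_DIR=\"${config.security.wrapperDir}\"`. The re-indented fallback `source=/nix/var/nix/profiles/default/bin/${program}` is the more worrying part: when a name from `security.setuidPrograms` cannot be resolved, the build still produces a setuid-root wrapper pointing at a path in the mutable default profile, so whatever is later installed under that name becomes root-executable through `/run/wrappers`. Resolution failure for a privileged wrapper should abort the build instead: `echo "wrapper: cannot resolve ${program}" >&2; exit 1`. The lookup itself (`$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))`) is unquoted and runs inside the derivation build, so it is worth confirming `WRAPPER_PATH` is actually set in that environment and not only in the activation script.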
@@ -29,8 +29,8 @@ let }; cronJob = '' - @reboot logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} - 2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} + @reboot logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} + 2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} ''; writeIgnoreRule = name: {level, regex, ...}: diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 6b37a8a4ea2..7cea2f75439 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -13,7 +13,7 @@ let '' base_dir = ${baseDir} protocols = ${concatStringsSep " " cfg.protocols} - sendmail_path = /var/permissions-wrappers/sendmail + sendmail_path = /run/wrappers/sendmail '' (if isNull cfg.sslServerCert then '' diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index 6dfb8fdef11..71414bddd5d 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -70,7 +70,7 @@ in etc."exim.conf".text = '' exim_user = ${cfg.user} exim_group = ${cfg.group} - exim_path = /var/permissions-wrappers/exim + exim_path = /run/wrappers/exim spool_directory = ${cfg.spoolDir} ${cfg.config} ''; @@ -89,15 +89,7 @@ in gid = config.ids.gids.exim; }; - security.permissionsWrappers.setuid = - [ - { program = "exim"; - source = "${pkgs.exim.out}/bin/exim"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "exim" ]; systemd.services.exim = { description = "Exim Mail Daemon"; diff --git a/nixos/modules/services/mail/mail.nix b/nixos/modules/services/mail/mail.nix index e8b16349f1a..aef02eddbe1 100644 --- a/nixos/modules/services/mail/mail.nix +++ b/nixos/modules/services/mail/mail.nix 
@@ -26,7 +26,7 @@ with lib; config = mkIf (config.services.mail.sendmailSetuidWrapper != null) { - security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]; + security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]; }; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index a80565fa280..cd4a5125029 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -34,7 +34,7 @@ let cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file) wrapProgram $file \ - --set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ + --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ --set MUNIN_LIBDIR "${pkgs.munin}/lib" \ --set MUNIN_PLUGSTATE "/var/run/munin" @@ -183,7 +183,7 @@ in mkdir -p /etc/munin/plugins rm -rf /etc/munin/plugins/* - PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash + PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash ''; serviceConfig = { ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/"; diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix index 99fd5c4d367..af02d73597f 100644 --- a/nixos/modules/services/monitoring/smartd.nix +++ b/nixos/modules/services/monitoring/smartd.nix 
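Review bot: `security.wrappers.setuid = [ … ]` no longer targets a declared option: in the new wrappers module `security.wrappers` is a `types.attrs` map from wrapper name to attributes, and its activation script runs `v // { program = n; }` on each value, which is a type error on a list and would otherwise register a wrapper literally named `setuid`. Assuming `sendmailSetuidWrapper` still carries a `program` attribute as the gale and atd entries do, the definition should become `security.wrappers.${config.services.mail.sendmailSetuidWrapper.program} = config.services.mail.sendmailSetuidWrapper;`. The same list form is used by gale, atd, dbus, kde4, kde5 and virtualbox in this series and needs the same treatment, otherwise the `sendmail` wrapper that dovecot, exim, cron, smartd and prayer point at is never created.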
@@ -124,7 +124,7 @@ in }; mailer = mkOption { - default = "/var/permissions-wrappers/sendmail"; + default = "/run/wrappers/sendmail"; type = types.path; description = '' Sendmail-compatible binary to be used to send the messages. diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 884966363b8..8cc8f21851c 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -30,7 +30,7 @@ let '' [ global ] security = ${cfg.securityType} - passwd program = /var/permissions-wrappers/passwd %u + passwd program = /run/wrappers/passwd %u pam password change = ${smbToString cfg.syncPasswordsByPam} invalid users = ${smbToString cfg.invalidUsers} diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix index bc9b884f11b..f4c75c17290 100644 --- a/nixos/modules/services/networking/gale.nix +++ b/nixos/modules/services/networking/gale.nix @@ -141,7 +141,7 @@ in setgid = false; }; - security.permissionsWrappers.setuid = [ cfg.setuidWrapper ]; + security.wrappers.setuid = [ cfg.setuidWrapper ]; systemd.services.gale-galed = { description = "Gale messaging daemon"; diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index 67d8cece611..58e6ad8a683 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -18,7 +18,7 @@ let var_prefix = "${stateDir}" prayer_user = "${prayerUser}" prayer_group = "${prayerGroup}" - sendmail_path = "/var/permissions-wrappers/sendmail" + sendmail_path = "/run/wrappers/sendmail" use_http_port ${cfg.port} diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index 67aa313c860..b7bb55f5508 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix 
@@ -219,14 +219,14 @@ in type = types.string; default = '' + FPing - binary = ${config.security.permissionsWrapperDir}/fping + binary = ${config.security.wrapperDir}/fping ''; description = "Probe configuration"; }; sendmail = mkOption { type = types.nullOr types.path; default = null; - example = "/var/permissions-wrappers/sendmail"; + example = "/run/wrappers/sendmail"; description = "Use this sendmail compatible script to deliver alerts"; }; smokeMailTemplate = mkOption { @@ -273,21 +273,7 @@ in message = "services.smokeping: sendmail and Mailhost cannot both be enabled."; } ]; - security.permissionsWrappers.setuid = [ - { program = "fping"; - source = "${pkgs.fping}/bin/fping"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "fping"; - source = "${pkgs.fping}/bin/fping6"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "fping" "fping6" ]; environment.systemPackages = [ pkgs.fping ]; users.extraUsers = singleton { name = cfg.user; diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index 9c4f8d59faa..316ab847b34 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -42,7 +42,7 @@ in config = mkIf cfg.enable { - security.permissionsWrappers.setuid = map (program: { + security.wrappers.setuid = map (program: { inherit program; source = "${pkgs.atd}/bin/${program}"; diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index e33961658f0..26ce3c98d67 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -20,7 +20,7 @@ let cronNixosPkg = pkgs.cron.override { # The mail.nix nixos module, if there is any local mail system enabled, # should have sendmail in this path. - sendmailPath = "/var/permissions-wrappers/sendmail"; + sendmailPath = "/run/wrappers/sendmail"; }; allFiles = 
@@ -61,7 +61,7 @@ in A list of Cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid - sendmail. See + sendmail. See If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root will is allowed to have its own crontab file. The /var/cron/cron.deny file @@ -92,21 +92,9 @@ in config = mkMerge [ { services.cron.enable = mkDefault (allFiles != []); } - (mkIf (config.services.cron.enable) { - - security.permissionsWrappers.setuid = - [ - { program = "crontab"; - source = "${pkgs.cronNixosPkg.out}/bin/crontab"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "crontab" ]; environment.systemPackages = [ cronNixosPkg ]; - environment.etc.crontab = { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; } '' diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 5804f0ee72f..f0de996224f 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -96,7 +96,7 @@ in fcronallow = /etc/fcron.allow fcrondeny = /etc/fcron.deny shell = /bin/sh - sendmail = /var/permissions-wrappers/sendmail + sendmail = /run/wrappers/sendmail editor = /run/current-system/sw/bin/vi ''; target = "fcron.conf"; @@ -106,16 +106,7 @@ in environment.systemPackages = [ pkgs.fcron ]; - security.permissionsWrappers.setuid = - [ - { program = "fcrontab"; - source = "${pkgs.fcron.out}/bin/fcrontab"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "fcrontab" ]; systemd.services.fcron = { description = "fcron daemon"; after = [ "local-fs.target" ]; diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index d15d5551e34..47fc4426af0 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix 
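Review bot: In the `@@ -92,21 +92,9 @@` hunk the line `(mkIf (config.services.cron.enable) {` is removed and nothing replaces it, while the block it opened (`environment.systemPackages`, `environment.etc.crontab`, …) stays; as rendered this leaves the `mkMerge` list unbalanced, and if a matching `})` was also dropped further down, the effect is that the `crontab` setuid wrapper and the cron package are installed even when `services.cron.enable` is false. The intent is clearly a one-line replacement of the wrapper list, so restore `(mkIf (config.services.cron.enable) {` directly above `security.setuidPrograms = [ "crontab" ];`. The enclosing `config = mkMerge [ … ]` continues past the end of this hunk, so the closing side cannot be checked here.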
@@ -38,7 +38,7 @@ let sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf sed '${./dbus-system-local.conf.in}' \ - -e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \ + -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \ -e 's,@extra@,${systemExtraxml},' \ > "$out/system-local.conf" @@ -114,7 +114,7 @@ in systemd.packages = [ pkgs.dbus.daemon ]; - security.permissionsWrappers.setuid = singleton + security.wrappers.setuid = singleton { program = "dbus-daemon-launch-helper"; source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; owner = "root"; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 9d0ff77c2ae..feee6ba87ec 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -62,16 +62,7 @@ in ''; }]; - security.permissionsWrappers.setuid = - [ - { program = "e_freqset"; - source = "${e.enlightenment.out}/bin/e_freqset"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "e_freqset" ]; environment.etc = singleton { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; target = "X11/xkb"; diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix index 31d2ebcdf1a..d21a1f28dca 100644 --- a/nixos/modules/services/x11/desktop-managers/kde4.nix +++ b/nixos/modules/services/x11/desktop-managers/kde4.nix @@ -131,7 +131,7 @@ in ''; }; - security.permissionsWrappers.setuid = singleton + security.wrappers.setuid = singleton { program = "kcheckpass"; source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; owner = "root"; diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix index f886c60793d..a4124aaefa9 100644 
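Review bot: `security.wrappers.setuid = singleton { program = "dbus-daemon-launch-helper"; … }` assigns a list to what the new wrappers module declares as a name-keyed `types.attrs` option, so this becomes a wrapper called `setuid` whose value is a list and `v // { program = n; }` in the activation script fails on it; for the helper the system bus is pointed at through the `@servicehelper@` substitution above, that is at best a silent loss of the setuid bit. The entry should be keyed by name, `security.wrappers.dbus-daemon-launch-helper = { source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; owner = "root"; group = "root"; setuid = true; };`, carrying over whatever else the original entry set (its tail is outside this hunk). The `kcheckpass` entry in kde4 below has the same shape and needs the same change.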
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix +++ b/nixos/modules/services/x11/desktop-managers/kde5.nix @@ -68,7 +68,7 @@ in ''; }; - security.permissionsWrappers.setuid = [ + security.wrappers.setuid = [ { program = "kcheckpass"; source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass"; diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index 86f552cd3ca..ffc0700806c 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -131,10 +131,10 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then cat /etc/resolv.conf | resolvconf -m 1000 -a host fi -# Create /var/permissions-wrappers as a tmpfs. -rm -rf /var/permissions-wrappers -mkdir -m 0755 -p /var/permissions-wrappers -mount -t tmpfs -o "mode=0755" tmpfs /var/permissions-wrappers +# Create /run/wrappers as a tmpfs. +rm -rf /run/wrappers +mkdir -m 0755 -p /run/wrappers +mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers # Log the script output to /dev/kmsg or /run/log/stage-2-init.log. # Only at this point are all the necessary prerequisites ready for these commands. diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 61519c6a3ce..1afcddd915f 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix 
@@ -898,38 +898,23 @@ in # Capabilities won't work unless we have at-least a 4.3 Linux # kernel because we need the ambient capability - security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") ( - [ - { program = "ping"; - source = "${pkgs.iputils.out}/bin/ping"; - capabilities = "cap_net_raw+p"; - } + security.wrappers = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") { + ping = { + source = "${pkgs.iputils.out}/bin/ping"; + capabilities = "cap_net_raw+p"; + }; - { program = "ping6"; - source = "${pkgs.iputils.out}/bin/ping6"; - capabilities = "cap_net_raw+p"; - } - ] - ); + ping6 = { + source = "${pkgs.iputils.out}/bin/ping6"; + capabilities = "cap_net_raw+p"; + }; + }; - # If our linux kernel IS older than 4.3, let's setuid ping and ping6 - security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") ( - [ - { program = "ping"; - source = "${pkgs.iputils.out}/bin/ping"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "ping6"; - source = "${pkgs.iputils.out}/bin/ping6"; - owner = "root"; - group = "root"; - setuid = true; - } - ] - ); + # If the linux kernel IS older than 4.3, create setuid wrappers + # for ping and ping6 + security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [ + "ping" "ping6" + ]; # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration, diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index b3647482f2c..405a630dfa7 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix 
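Review bot: The kernel threshold is spelled twice, once as `versionAtLeast ... "4.3"` and once as `versionOlder ... "4.3"`, and the two must remain exact complements or a system could end up with both a file-capability wrapper and a setuid-root `ping`, or with neither; bind it once, `let hasAmbientCaps = versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3"; in`, and use `mkIf hasAmbientCaps` / `mkIf (!hasAmbientCaps)`. The comment above should also say why 4.3 is the cutoff: `# Ambient capabilities, which the wrapper uses to hand cap_net_raw to the real ping, were added in Linux 4.3.` The setcap branch intentionally leaves `owner`/`group` at the module defaults (nobody/nogroup in the later wrapper module), so the wrapper is not root-owned and carries only `cap_net_raw`; that is the least-privilege choice and deserves a one-line comment so it is not "fixed" by someone adding `owner = "root"`.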
@@ -68,7 +68,7 @@ in boot.extraModulePackages = [ kernelModules ]; environment.systemPackages = [ virtualbox ]; - security.permissionsWrappers.setuid = let + security.wrappers.setuid = let mkSuid = program: { inherit program; source = "${virtualbox}/libexec/virtualbox/${program}"; @@ -99,7 +99,7 @@ in SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor" ''; - # Since we lack the right setuid binaries, set up a host-only network by default. + # Since we lack the right setuid/setcap binaries, set up a host-only network by default. } (mkIf cfg.addNetworkInterface { systemd.services."vboxnet0" = { description = "VirtualBox vboxnet0 Interface"; diff --git a/nixos/tests/smokeping.nix b/nixos/tests/smokeping.nix index 7e2d84f4422..5e2d013abc5 100644 --- a/nixos/tests/smokeping.nix +++ b/nixos/tests/smokeping.nix @@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : { mailHost = "127.0.0.2"; probeConfig = '' + FPing - binary = /var/permissions-wrappers/fping + binary = /run/wrappers/fping offset = 0% ''; }; diff --git a/pkgs/applications/editors/sublime3/default.nix b/pkgs/applications/editors/sublime3/default.nix index 0f7d50088a9..1c24ff4737b 100644 --- a/pkgs/applications/editors/sublime3/default.nix +++ b/pkgs/applications/editors/sublime3/default.nix @@ -1,5 +1,5 @@ { fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2, - pkexecPath ? "/var/permissions-wrappers/pkexec", libredirect, + pkexecPath ? "/run/wrappers/pkexec", libredirect, gksuSupport ? false, gksu}: assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux"; diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index dd8fd32adfd..7009cf17fab 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix 
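Review bot: As with the dbus and kcheckpass hunks, `security.wrappers.setuid = let mkSuid = program: { inherit program; ... }` becomes a single wrapper named `setuid` holding a list once `security.wrappers` is keyed by program name (compare the `ping` attrset in the network-interfaces hunk of this commit). Since a helper already builds each entry, produce an attribute set instead, e.g. `security.wrappers = lib.genAttrs <programs> (program: { source = "${virtualbox}/libexec/virtualbox/${program}"; owner = "root"; group = "root"; setuid = true; });`. The program list and the rest of the `let` body are outside the hunk, so the exact shape needs confirming there.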
@@ -83,9 +83,9 @@ in stdenv.mkDerivation { ed -v -s "$out/bin/chromium" << EOF 2i - if [ -x "/var/permissions-wrappers/${sandboxExecutableName}" ] + if [ -x "/run/wrappers/${sandboxExecutableName}" ] then - export CHROME_DEVEL_SANDBOX="/var/permissions-wrappers/${sandboxExecutableName}" + export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}" else export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}" fi diff --git a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch index 9a83fc09e4e..4b59f1a376d 100644 --- a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch +++ b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch @@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644 + is_nixos=no +fi + -+if [ -u /var/permissions-wrappers/gksign ]; then ++if [ -u /run/wrappers/gksign ]; then + cat < -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit" -+#define EXECUTE "/var/permissions-wrappers/start_kdeinit" ++#define EXECUTE "/run/wrappers/start_kdeinit" #if KDEINIT_OOM_PROTECT diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix index 7da4a900b7e..6d57ca2397e 100644 --- a/pkgs/development/libraries/libgksu/default.nix +++ b/pkgs/development/libraries/libgksu/default.nix @@ -57,8 +57,8 @@ stdenv.mkDerivation rec { # Fix some binary paths sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c - sed -i -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|g' libgksu/libgksu.c - sed -i -e 's|/bin/su\([^d]\)|/var/permissions-wrappers/su\1|g' libgksu/libgksu.c + sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c + sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/su\1|g' libgksu/libgksu.c touch NEWS README ''; 
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix index 0f7106181b8..b2e2ecf0493 100644 --- a/pkgs/development/libraries/polkit/default.nix +++ b/pkgs/development/libraries/polkit/default.nix @@ -5,7 +5,7 @@ let system = "/var/run/current-system/sw"; - setuid = "/var/permissions-wrappers"; #TODO: from config.security.wrapperDir; + setuid = "/run/wrappers"; #TODO: from config.security.wrapperDir; foolVars = { SYSCONF = "/etc"; diff --git a/pkgs/development/tools/unity3d/default.nix b/pkgs/development/tools/unity3d/default.nix index 1fc56b98656..2d4977a3195 100644 --- a/pkgs/development/tools/unity3d/default.nix +++ b/pkgs/development/tools/unity3d/default.nix @@ -94,7 +94,7 @@ in stdenv.mkDerivation rec { unitydir="$out/opt/Unity/Editor" mkdir -p $unitydir mv Editor/* $unitydir - ln -sf /var/permissions-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox + ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox mkdir -p $out/share/applications sed "/^Exec=/c\Exec=$out/bin/unity-editor" \ diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix index a36934004d2..29bcc58c7c0 100644 --- a/pkgs/os-specific/linux/fuse/default.nix +++ b/pkgs/os-specific/linux/fuse/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { # Ensure that FUSE calls the setuid wrapper, not # $out/bin/fusermount. It falls back to calling fusermount in # $PATH, so it should also work on non-NixOS systems. - export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/permissions-wrappers\"" + export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\"" sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh diff --git a/pkgs/os-specific/linux/mdadm/4.nix b/pkgs/os-specific/linux/mdadm/4.nix index abe8632773f..af8e53ec3a2 100644 
--- a/pkgs/os-specific/linux/mdadm/4.nix +++ b/pkgs/os-specific/linux/mdadm/4.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix index 531d55a7f12..d9bdf21723b 100644 --- a/pkgs/os-specific/linux/mdadm/default.nix +++ b/pkgs/os-specific/linux/mdadm/default.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index 196af58183f..dc61b3f27f6 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { postInstall = '' mv -v $out/sbin/unix_chkpwd{,.orig} - ln -sv /var/permissions-wrappers/unix_chkpwd $out/sbin/unix_chkpwd + ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd ''; /* rm -rf $out/etc mkdir -p $modules/lib diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index 1c4a7b798ce..90fbf861448 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation rec { --enable-last --enable-mesg --disable-use-tty-group - --enable-fs-paths-default=/var/permissions-wrappers:/var/run/current-system/sw/bin:/sbin + --enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin ${if ncurses == null then "--without-ncurses" else ""} ${if systemd == null then "" else '' --with-systemd 
diff --git a/pkgs/servers/interlock/default.nix b/pkgs/servers/interlock/default.nix index af733540ff3..b58c1b50e03 100644 --- a/pkgs/servers/interlock/default.nix +++ b/pkgs/servers/interlock/default.nix @@ -30,7 +30,7 @@ buildGoPackage rec { -e 's|/bin/chown|${coreutils}/bin/chown|' \ -e 's|/bin/date|${coreutils}/bin/date|' \ -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \ - -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|' \ + -e 's|/usr/bin/sudo|/run/wrappers/sudo|' \ -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|' ''; } diff --git a/pkgs/servers/mail/petidomo/default.nix b/pkgs/servers/mail/petidomo/default.nix index c112af567fd..1770517047f 100644 --- a/pkgs/servers/mail/petidomo/default.nix +++ b/pkgs/servers/mail/petidomo/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/permissions-wrappers/sendmail" }: +{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }: stdenv.mkDerivation rec { name = "petidomo-4.3"; diff --git a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix index ac1cb1a5398..30bd7e8a7c3 100644 --- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix +++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix @@ -16,8 +16,8 @@ stdenv.mkDerivation rec { # configured on the build machine). preConfigure= " configureFlagsArray=( - --with-ping-command='/var/permissions-wrappers/ping -n -U -w %d -c %d %s' - --with-ping6-command='/var/permissions-wrappers/ping6 -n -U -w %d -c %d %s' + --with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s' + --with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s' ) "; diff --git a/pkgs/tools/X11/x11vnc/default.nix b/pkgs/tools/X11/x11vnc/default.nix index 5f96a35af6f..b343a7da378 100644 --- a/pkgs/tools/X11/x11vnc/default.nix +++ b/pkgs/tools/X11/x11vnc/default.nix 
@@ -20,10 +20,10 @@ stdenv.mkDerivation rec { configureFlags="--mandir=$out/share/man" substituteInPlace x11vnc/unixpw.c \ - --replace '"/bin/su"' '"/var/permissions-wrappers/su"' \ + --replace '"/bin/su"' '"/run/wrappers/su"' \ --replace '"/bin/true"' '"${coreutils}/bin/true"' - sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/permissions-wrappers/su|g' x11vnc/ssltools.h + sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h ''; meta = { diff --git a/pkgs/tools/admin/certbot/default.nix b/pkgs/tools/admin/certbot/default.nix index 23eb02e294a..366213d2e1e 100644 --- a/pkgs/tools/admin/certbot/default.nix +++ b/pkgs/tools/admin/certbot/default.nix @@ -31,7 +31,7 @@ python2Packages.buildPythonApplication rec { buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]); patchPhase = '' - substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/permissions-wrappers/sendmail" + substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail" substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers" ''; diff --git a/pkgs/tools/misc/debian-devscripts/default.nix b/pkgs/tools/misc/debian-devscripts/default.nix index 2261bfc6637..be3b674de04 100644 --- a/pkgs/tools/misc/debian-devscripts/default.nix +++ b/pkgs/tools/misc/debian-devscripts/default.nix @@ -2,7 +2,7 @@ , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper , python3Packages , perlPackages, curl, gnupg, diffutils -, sendmailPath ? "/var/permissions-wrappers/sendmail" +, sendmailPath ? "/run/wrappers/sendmail" }: let diff --git a/pkgs/tools/security/ecryptfs/default.nix b/pkgs/tools/security/ecryptfs/default.nix index 7e941e5378a..98e06d1de3e 100644 --- a/pkgs/tools/security/ecryptfs/default.nix +++ b/pkgs/tools/security/ecryptfs/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { }; # TODO: replace wrapperDir below with from config.security.wrapperDir; - wrapperDir = "/var/permissions-wrappers"; + wrapperDir = "/run/wrappers"; postPatch = '' FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)" diff --git a/pkgs/tools/security/ecryptfs/helper.nix b/pkgs/tools/security/ecryptfs/helper.nix index 6e3e6766a28..3daaadcaad6 100644 --- a/pkgs/tools/security/ecryptfs/helper.nix +++ b/pkgs/tools/security/ecryptfs/helper.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; - # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/permissions-wrappers + # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers installPhase = '' mkdir -p $out/bin $out/libexec cp $src $out/libexec/ecryptfs-helper.py diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix index a3a13f19803..0d2953c6f45 100644 --- a/pkgs/tools/security/sudo/default.nix +++ b/pkgs/tools/security/sudo/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, coreutils, pam, groff -, sendmailPath ? "/var/permissions-wrappers/sendmail" +, sendmailPath ? "/run/wrappers/sendmail" , withInsults ? false }: diff --git a/pkgs/tools/system/at/default.nix b/pkgs/tools/system/at/default.nix index 2fb5b9670c8..9f8bad00ca4 100644 --- a/pkgs/tools/system/at/default.nix +++ b/pkgs/tools/system/at/default.nix @@ -1,4 +1,4 @@ -{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/permissions-wrappers/sendmail" }: +{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }: stdenv.mkDerivation { name = "at-3.1.16"; diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index f7f2a6158a2..8a6a5dc15d3 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix 
@@ -23,7 +23,7 @@ stdenv.mkDerivation { #define _PATH_SENDMAIL "${sendmailPath}" #undef _PATH_DEFPATH - #define _PATH_DEFPATH "/var/permissions-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" + #define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" __EOT__ # Implicit saved uids do not work here due to way NixOS uses setuid wrappers diff --git a/pkgs/tools/system/ts/default.nix b/pkgs/tools/system/ts/default.nix index 1384ea04fb6..1dfb856d4d6 100644 --- a/pkgs/tools/system/ts/default.nix +++ b/pkgs/tools/system/ts/default.nix @@ -1,5 +1,5 @@ {stdenv, fetchurl, -sendmailPath ? "/var/permissions-wrappers/sendmail" }: +sendmailPath ? "/run/wrappers/sendmail" }: stdenv.mkDerivation rec { From 3fe7b1a4c97ef0a098c0cd786386e2b547762983 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:07:12 -0600 Subject: [PATCH 039/153] setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit --- nixos/modules/security/wrappers/default.nix | 58 +++++++++++-------- .../security/wrappers/permissions-wrapper.c | 25 ++++---- .../security/wrappers/setcap-wrapper-drv.nix | 37 ------------ .../security/wrappers/setuid-wrapper-drv.nix | 35 ----------- 4 files changed, 46 insertions(+), 109 deletions(-) delete mode 100644 nixos/modules/security/wrappers/setcap-wrapper-drv.nix delete mode 100644 nixos/modules/security/wrappers/setuid-wrapper-drv.nix diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index d12209b375b..69b62d7b2ff 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
@@ -3,17 +3,27 @@ let inherit (config.security) wrapperDir; - isNotNull = v: if v != null || v != "" then true else false; + wrappers = config.security.wrappers; + mkWrapper = { program, source ? null, ...}: '' + if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} + fi - cfg = config.security.wrappers; + gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.wrapperDir}\" \ + -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ + -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include + ''; - setcapWrappers = import ./setcap-wrapper-drv.nix { - inherit config lib pkgs; - }; - - setuidWrappers = import ./setuid-wrapper-drv.nix { - inherit config lib pkgs; - }; + wrappedPrograms = pkgs.stdenv.mkDerivation { + name = "permissions-wrapper"; + unpackPhase = "true"; + installPhase = '' + mkdir -p $out/bin + ${lib.concatMapStrings mkWrapper wrappers} + ''; + } ###### Activation script for the setcap wrappers mkSetcapProgram = @@ -23,8 +33,10 @@ let , owner ? "nobody" , group ? "nogroup" ... - }: '' - cp ${setcapWrappers}/bin/${program}.wrapper $wrapperDir/${program} + }: + assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"); + '' + cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program} # Prevent races chmod 0000 $wrapperDir/${program} @@ -33,9 +45,6 @@ let # Set desired capabilities on the file plus cap_setpcap so # the wrapper program can elevate the capabilities set on # its file into the Ambient set. - # - # Only set the capabilities though if we're being told to - # do so. ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program} # Set the executable bit 
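Review bot: When `source` is not given and the PATH lookup fails, `mkWrapper` silently falls back to `source=/nix/var/nix/profiles/default/bin/${program}` and compiles that into a setuid/setcap binary; that is a mutable, non-store path resolved at run time, which is exactly what a privileged wrapper should not exec, and the lookup itself runs inside a sandboxed derivation using `$WRAPPER_PATH`, which nothing in this hunk sets. Fail the build instead, `echo "security.wrappers: cannot resolve source for ${program}; set source explicitly" >&2; exit 1`, so a misconfiguration surfaces at `nixos-rebuild` rather than as a root wrapper executing whatever happens to be in the default profile. In the next hunk, the `assert (lib.versionAtLeast ...)` added to `mkSetcapProgram` fails with a bare "assertion failed"; a `throw "security.wrappers: capabilities on ${program} require Linux >= 4.3 (ambient capabilities)"` tells the user what to change. The derivation body and the rest of `mkSetcapProgram` continue outside the hunk.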
@@ -53,7 +62,7 @@ let , permissions ? "u+rx,g+x,o+x" ... }: '' - cp ${setuidWrappers}/bin/${program}.wrapper $wrapperDir/${program} + cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program} # Prevent races chmod 0000 $wrapperDir/${program} @@ -147,10 +156,10 @@ in ###### implementation config = { - # Make sure our setcap-wrapper dir exports to the PATH env - # variable when initializing the shell + # Make sure our wrapperDir exports to the PATH env variable when + # initializing the shell environment.extraInit = '' - # The permissions wrappers override other bin directories. + # Wrappers override other bin directories. export PATH="${wrapperDir}:$PATH" ''; @@ -162,16 +171,17 @@ in config.security.setuidPrograms) ++ lib.mapAttrsToList (n: v: (if v ? "program" then v else v // {program=n;})) - cfg.wrappers; + wrappers; - wrapperPrograms = + mkWrappedPrograms = builtins.map - (s: if (s ? "setuid" && s.setuid == true) || + (s: if (s ? "capabilities") + then mkSetcapProgram s + else if + (s ? "setuid" && s.setuid == true) || (s ? "setguid" && s.setguid == true) || (s ? "permissions") then mkSetuidProgram s - else if (s ? "capabilities") - then mkSetcapProgram s else "" ) programs; @@ -185,7 +195,7 @@ in wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX) chmod a+rx $wrapperDir - ${lib.concatStringsSep "\n" (builtins.filter isNotNull cfg.wrappers)} + ${lib.concatStringsSep "\n" mkWrappedPrograms} ''; }; } diff --git a/nixos/modules/security/wrappers/permissions-wrapper.c b/nixos/modules/security/wrappers/permissions-wrapper.c index cb9d8d6b37b..608bd3a378c 100644 --- a/nixos/modules/security/wrappers/permissions-wrapper.c +++ b/nixos/modules/security/wrappers/permissions-wrapper.c 
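Review bot: The dispatch in `mkWrappedPrograms` tests `s ? "setguid"`, but the attribute callers use and that `mkSetuidProgram` takes is spelled `setgid` (`, setgid ? false` appears in its parameter list in patch 042), so a wrapper declared with only `setgid = true` falls through to `else ""` and no wrapper is built, with no error. The same silent `""` swallows any entry that has none of `capabilities`/`setuid`/`setgid`/`permissions`, including the option's own `sendmail.source = ...` example; change the test to `(s ? "setgid" && s.setgid == true)` and replace `else ""` with `else throw "security.wrappers.${s.program}: specify setuid, setgid, permissions or capabilities"` so a misconfigured privileged wrapper fails evaluation instead of quietly vanishing. Note also that `programs` is built by concatenating `setuidPrograms` with `wrappers`, so a name present in both yields two entries rather than one merged override; whether that matches the previous module's behaviour cannot be seen from here.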
@@ -26,16 +26,6 @@ extern char **environ; static char * sourceProg = SOURCE_PROG; static char * wrapperDir = WRAPPER_DIR; -// Make sure we have the WRAPPER_TYPE macro specified at compile -// time... -#ifdef WRAPPER_SETCAP -static char * wrapperType = "setcap"; -#elif defined WRAPPER_SETUID -static char * wrapperType = "setuid"; -#else -#error "Program must be compiled with either the WRAPPER_SETCAP or WRAPPER_SETUID macro" -#endif - // Update the capabilities of the running process to include the given // capability in the Ambient set. static void set_ambient_cap(cap_value_t cap) @@ -66,7 +56,7 @@ static int make_caps_ambient(const char *selfPath) if(!caps) { - fprintf(stderr, "could not retreive the capability set for this file\n"); + fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...\n"); return 1; } @@ -171,6 +161,16 @@ int main(int argc, char * * argv) assert(selfPathSize > 0); + // Assert we have room for the zero byte, this ensures the path + // isn't being truncated because it's too big for the buffer. + // + // A better way to handle this might be to use something like the + // whereami library (https://github.com/gpakosz/whereami) or a + // loop that resizes the buffer and re-reads the link if the + // contents are being truncated. + assert(selfPathSize < sizeof(selfPath)); + + // Set the zero byte since readlink doesn't do that for us. selfPath[selfPathSize] = '\0'; // Make sure that we are being executed from the right location, @@ -207,8 +207,7 @@ int main(int argc, char * * argv) // Read the capabilities set on the file and raise them in to the // Ambient set so the program we're wrapping receives the // capabilities too! - if (strcmp(wrapperType, "setcap") == 0) - assert(!make_caps_ambient(selfPath)); + make_caps_ambient(selfPath); execve(sourceProg, argv, environ); 
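Review bot: `make_caps_ambient(selfPath)` is now called unconditionally, so plain setuid wrappers with no file capabilities also reach the `if(!caps)` branch whose message was just reworded to `no caps set or could not retrieve the caps...`; if `cap_get_file()` returns NULL with `errno == ENODATA` for a file that simply has no capability xattr, every `sudo`/`passwd`-style wrapper would print that line to stderr on each invocation. Treat the no-capabilities case as the normal, silent path and keep the warning for genuine failures, as below; ignoring the return value at the call site is otherwise acceptable because the real program then runs without raised caps, which fails closed, but say so: `// Non-fatal: if nothing could be raised, the real program just runs without ambient caps.` Separately, the truncation check added earlier in `main` is an `assert`; the `gcc -Wall -O2` line in patch 039 does not define `NDEBUG` today, but a privileged binary should not depend on that, so make it an explicit `if (...) { fprintf(stderr, ...); exit(1); }`. `main` and `make_caps_ambient` both begin outside the hunk, and the snippet needs `<errno.h>`/`<string.h>` if they are not already included.
```c
// … unchanged: caps = cap_get_file(selfPath); …
if (!caps) {
    if (errno == ENODATA)
        return 0;   /* no file capabilities: plain setuid wrapper, nothing to raise */
    fprintf(stderr, "could not retrieve the capabilities of %s: %s\n",
            selfPath, strerror(errno));
    return 1;
}
// … unchanged: raising each permitted cap into the ambient set …
```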
diff --git a/nixos/modules/security/wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/wrappers/setcap-wrapper-drv.nix deleted file mode 100644 index 03dca5c9f42..00000000000 --- a/nixos/modules/security/wrappers/setcap-wrapper-drv.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - cfg = config.security.wrappers; - - # Produce a shell-code splice intended to be stitched into one of - # the build or install phases within the derivation. - mkSetcapWrapper = { program, source ? null, ...}: '' - if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi - - gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \ - -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ - -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include - ''; -in - -# This is only useful for Linux platforms and a kernel version of -# 4.3 or greater -assert pkgs.stdenv.isLinux; -assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"; - -pkgs.stdenv.mkDerivation { - name = "setcap-wrapper"; - unpackPhase = "true"; - buildInputs = [ pkgs.linuxHeaders ]; - installPhase = '' - mkdir -p $out/bin - - # Concat together all of our shell splices to compile - # binary wrapper programs for all configured setcap programs. - ${lib.concatMapStrings mkSetcapWrapper cfg.setcap} - ''; -} diff --git a/nixos/modules/security/wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/wrappers/setuid-wrapper-drv.nix deleted file mode 100644 index e08ae799bf4..00000000000 --- a/nixos/modules/security/wrappers/setuid-wrapper-drv.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - cfg = config.security.wrappers; - - # Produce a shell-code splice intended to be stitched into one of - # the build or install phases within the derivation. - mkSetuidWrapper = { program, source ? null, ...}: '' - if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi - - gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \ - -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ - -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include - ''; -in - -# This is only useful for Linux platforms and a kernel version of -# 4.3 or greater -assert pkgs.stdenv.isLinux; - -pkgs.stdenv.mkDerivation { - name = "setuid-wrapper"; - unpackPhase = "true"; - installPhase = '' - mkdir -p $out/bin - - # Concat together all of our shell splices to compile - # binary wrapper programs for all configured setcap programs. - ${lib.concatMapStrings mkSetuidWrapper cfg.setuid} - ''; -} From 2f113ee90a8c97be2ccb70dc6738fe243dde1b84 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:08:36 -0600 Subject: [PATCH 040/153] setcap-wrapper: Minor refactor --- nixos/modules/security/wrappers/default.nix | 2 +- .../security/wrappers/{permissions-wrapper.c => wrapper.c} | 0 .../sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch | 4 ++-- 3 files changed, 3 insertions(+), 3 deletions(-) rename nixos/modules/security/wrappers/{permissions-wrapper.c => wrapper.c} (100%) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 69b62d7b2ff..4d51796b676 100644 --- a/nixos/modules/security/wrappers/default.nix 
+++ b/nixos/modules/security/wrappers/default.nix @@ -12,7 +12,7 @@ let fi gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.wrapperDir}\" \ - -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ + -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; diff --git a/nixos/modules/security/wrappers/permissions-wrapper.c b/nixos/modules/security/wrappers/wrapper.c similarity index 100% rename from nixos/modules/security/wrappers/permissions-wrapper.c rename to nixos/modules/security/wrappers/wrapper.c diff --git a/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch b/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch index 3d38cf3b604..549da5436e6 100644 --- a/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch +++ b/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch @@ -4,7 +4,7 @@ Date: Thu, 26 Nov 2015 21:03:35 +0100 Subject: [PATCH] Lookup dumpcap in PATH NixOS patch: Look for dumpcap in PATH first, because there may be a -dumpcap permissions-wrapper that we want to use instead of the default +dumpcap wrapper that we want to use instead of the default non-setuid dumpcap binary. Also change execv() to execvp() because we've set argv[0] to "dumpcap" @@ -27,7 +27,7 @@ index 970688e..49914d5 100644 - exename = g_strdup_printf("%s/dumpcap", progfile_dir); + /* + * NixOS patch: Look for dumpcap in PATH first, because there may be a -+ * dumpcap permissions-wrapper that we want to use instead of the default ++ * dumpcap wrapper that we want to use instead of the default + * non-setuid dumpcap binary. + */ + if (system("command -v dumpcap >/dev/null") == 0) { 
From 7680a40a373a89c683f5b87dfa3cd09c2a168473 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:16:04 -0600 Subject: [PATCH 041/153] setcap-wrapper: Syntax wibble --- nixos/modules/security/wrappers/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 4d51796b676..093f2bb49b0 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -23,7 +23,7 @@ let mkdir -p $out/bin ${lib.concatMapStrings mkWrapper wrappers} ''; - } + }; ###### Activation script for the setcap wrappers mkSetcapProgram = From 82de4c0fad9607b9b193564dedf92ac830202eeb Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:20:02 -0600 Subject: [PATCH 042/153] setcap-wrapper: Syntax wibble --- nixos/modules/security/wrappers/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 093f2bb49b0..3f1a42c53b7 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -32,7 +32,7 @@ let , source ? null , owner ? "nobody" , group ? "nogroup" - ... + , ... }: assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"); '' @@ -60,7 +60,7 @@ let , setuid ? false , setgid ? false , permissions ? "u+rx,g+x,o+x" - ... + , ... }: '' cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program} From 70ec24093c45a07a5b4f4d230390dfa16e87e1dc Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:22:19 -0600 Subject: [PATCH 043/153] Removing dead code --- nixos/modules/security/wrappers/default.nix | 54 +++++++++------------ 1 file changed, 23 insertions(+), 31 deletions(-) 
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 3f1a42c53b7..3012439e13d 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -76,37 +76,6 @@ in ###### interface options = { - security.wrappers.setcap = lib.mkOption { - type = lib.types.listOf lib.types.attrs; - default = []; - example = - [ { program = "ping"; - source = "${pkgs.iputils.out}/bin/ping"; - owner = "nobody"; - group = "nogroup"; - capabilities = "cap_net_raw+ep"; - } - ]; - description = '' - This option sets capabilities on a wrapper program that - propagates those capabilities down to the wrapped, real - program. - - The program attribute is the name of the - program to be wrapped. If no source - attribute is provided, specifying the absolute path to the - program, then the program will be searched for in the path - environment variable. - - NOTE: cap_setpcap, which is required for the wrapper program - to be able to raise caps into the Ambient set is NOT raised to - the Ambient set so that the real program cannot modify its own - capabilities!! This may be too restrictive for cases in which - the real program needs cap_setpcap but it at least leans on - the side security paranoid vs. too relaxed. - ''; - }; - security.setuidPrograms = mkOption { type = types.listOf types.str; default = []; 
@@ -125,11 +94,34 @@ in default = {}; example = { sendmail.source = "/nix/store/.../bin/sendmail"; + ping = { + source = "${pkgs.iputils.out}/bin/ping"; + owner = "nobody"; + group = "nogroup"; + capabilities = "cap_net_raw+ep"; + }; }; description = '' This option allows the ownership and permissions on the setuid wrappers for specific programs to be overridden from the default (setuid root, but not setgid root). + + Additionally, this option can set capabilities on a wrapper + program that propagates those capabilities down to the + wrapped, real program. + + The program attribute is the name of the + program to be wrapped. If no source + attribute is provided, specifying the absolute path to the + program, then the program will be searched for in the path + environment variable. + + NOTE: cap_setpcap, which is required for the wrapper program + to be able to raise caps into the Ambient set is NOT raised to + the Ambient set so that the real program cannot modify its own + capabilities!! This may be too restrictive for cases in which + the real program needs cap_setpcap but it at least leans on + the side security paranoid vs. too relaxed. ''; }; From 8e159b9d1ed816abca9ca415aba0bc254c4e162c Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:22:47 -0600 Subject: [PATCH 044/153] Qualify mkOption with lib --- nixos/modules/security/wrappers/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 3012439e13d..fa371283706 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -76,7 +76,7 @@ in ###### interface options = { - security.setuidPrograms = mkOption { + security.setuidPrograms = lib.mkOption { type = types.listOf types.str; default = []; example = ["passwd"]; From 0707a3eaa2ce33e8f490fff474c168a33dc1b5f5 Mon Sep 17 00:00:00 2001 
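Review bot: The new description still says "The program attribute is the name of the program to be wrapped", but in this option the program is keyed by attribute name, as the added `ping = { ... }` example shows, so the sentence documents the removed list form. It should also state that an entry carrying `capabilities` requires a Linux kernel of at least 4.3, which is the condition `mkSetcapProgram` asserts in patch 042; otherwise a user only learns this from an opaque evaluation failure. Suggested wording for the first paragraph: `The attribute name is the name of the program to be wrapped. If no source attribute giving the absolute path of the program is provided, the program is searched for in the path environment variable.` The enclosing option definition starts before this hunk.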
From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:23:10 -0600 Subject: [PATCH 045/153] Qualify with lib --- nixos/modules/security/wrappers/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index fa371283706..b71e3d21985 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -77,7 +77,7 @@ in options = { security.setuidPrograms = lib.mkOption { - type = types.listOf types.str; + type = lib.types.listOf lib.types.str; default = []; example = ["passwd"]; description = '' From 5077699605fae8840afe1a066a37412e7ea9206f Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:27:11 -0600 Subject: [PATCH 046/153] Derp derp --- nixos/modules/security/wrappers/default.nix | 46 ++++++++++----------- 1 file changed, 22 insertions(+), 24 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index b71e3d21985..a93db916fad 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -1,9 +1,15 @@ { config, lib, pkgs, ... }: let - inherit (config.security) wrapperDir; + inherit (config.security) wrapperDir wrappers setuidPrograms; + + programs = + (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) + setuidPrograms) + ++ lib.mapAttrsToList + (n: v: (if v ? "program" then v else v // {program=n;})) + wrappers; - wrappers = config.security.wrappers; mkWrapper = { program, source ? null, ...}: '' if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then # If we can't find the program, fall back to the @@ -21,7 +27,7 @@ let unpackPhase = "true"; installPhase = '' mkdir -p $out/bin - ${lib.concatMapStrings mkWrapper wrappers} + ${lib.concatMapStrings (builtins.map mkWrapper programs)} ''; }; 
@@ -70,6 +76,18 @@ let chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program} ''; + + mkWrappedPrograms = + builtins.map + (s: if (s ? "capabilities") + then mkSetcapProgram s + else if + (s ? "setuid" && s.setuid == true) || + (s ? "setguid" && s.setguid == true) || + (s ? "permissions") + then mkSetuidProgram s + else "" + ) programs; in { @@ -157,27 +175,7 @@ in ###### setcap activation script system.activationScripts.wrappers = - let - programs = - (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) - config.security.setuidPrograms) - ++ lib.mapAttrsToList - (n: v: (if v ? "program" then v else v // {program=n;})) - wrappers; - - mkWrappedPrograms = - builtins.map - (s: if (s ? "capabilities") - then mkSetcapProgram s - else if - (s ? "setuid" && s.setuid == true) || - (s ? "setguid" && s.setguid == true) || - (s ? "permissions") - then mkSetuidProgram s - else "" - ) programs; - - in lib.stringAfter [ "users" ] + lib.stringAfter [ "users" ] '' # Look in the system path and in the default profile for # programs to be wrapped. From 48564d1ae56b93a27ca6dc5565f389dfde66831a Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:31:33 -0600 Subject: [PATCH 047/153] Another wibble --- nixos/modules/security/wrappers/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index a93db916fad..28aacb891ee 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -27,7 +27,7 @@ let unpackPhase = "true"; installPhase = '' mkdir -p $out/bin - ${lib.concatMapStrings (builtins.map mkWrapper programs)} + ${lib.concatMapStrings mkWrapper programs} ''; }; From af3b9a3d46672232d70e4ab6a45f00e10363bfae Mon Sep 17 00:00:00 2001 
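Review bot: The setgid test in the moved `mkWrappedPrograms` reads `(s ? "setguid" && s.setguid == true)`, so an entry that only sets `setgid = true` never reaches `mkSetuidProgram`; it should be `(s ? "setgid" && s.setgid == true) ||`. The same misspelling is on the removed side of the second hunk, so the move carries the typo over rather than introducing it, but the new top-level definition is the place to fix it. The trailing `else ""` also silently drops any entry that has none of capabilities, setuid, setgid or permissions, so a wrapper that `mkWrapper` compiled is never installed and nothing reports it; a `throw` naming the program, or falling through to `mkSetuidProgram` with its defaults, would make that visible.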
From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:41:39 -0600 Subject: [PATCH 048/153] More wibbles? --- nixos/modules/security/wrappers/default.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 28aacb891ee..0170da03689 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -4,11 +4,11 @@ let inherit (config.security) wrapperDir wrappers setuidPrograms; programs = - (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) - setuidPrograms) - ++ lib.mapAttrsToList - (n: v: (if v ? "program" then v else v // {program=n;})) - wrappers; + (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) setuidPrograms) + ++ + (lib.mapAttrsToList + (n: v: (if v ? "program" then v else v // {program=n;})) + wrappers); mkWrapper = { program, source ? null, ...}: '' if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then From a8cb2afa981099889cf47185be33f4a831ff482b Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 01:58:12 -0600 Subject: [PATCH 049/153] Fixing a bunch of issues --- nixos/modules/services/mail/mail.nix | 2 +- nixos/modules/services/networking/gale.nix | 2 +- nixos/modules/services/scheduling/atd.nix | 4 +--- nixos/modules/services/scheduling/cron.nix | 2 +- nixos/modules/services/system/dbus.nix | 17 ++++++++--------- .../services/x11/desktop-managers/kde4.nix | 8 +------- .../services/x11/desktop-managers/kde5.nix | 18 ++++-------------- .../modules/virtualisation/virtualbox-host.nix | 5 ++--- 8 files changed, 19 insertions(+), 39 deletions(-) diff --git a/nixos/modules/services/mail/mail.nix b/nixos/modules/services/mail/mail.nix index aef02eddbe1..cfe1b5496a4 100644 --- a/nixos/modules/services/mail/mail.nix +++ b/nixos/modules/services/mail/mail.nix 
@@ -26,7 +26,7 @@ with lib; config = mkIf (config.services.mail.sendmailSetuidWrapper != null) { - security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]; + security.wrappers.sendmail = config.services.mail.sendmailSetuidWrapper; }; diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix index f4c75c17290..fd83f9e3c1b 100644 --- a/nixos/modules/services/networking/gale.nix +++ b/nixos/modules/services/networking/gale.nix @@ -141,7 +141,7 @@ in setgid = false; }; - security.wrappers.setuid = [ cfg.setuidWrapper ]; + security.wrappers.gksign = cfg.setuidWrapper; systemd.services.gale-galed = { description = "Gale messaging daemon"; diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index 316ab847b34..7b4937b5c67 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -42,9 +42,7 @@ in config = mkIf cfg.enable { - security.wrappers.setuid = map (program: { - inherit program; - + security.wrappers.setuid = map (program: "${program}" = { source = "${pkgs.atd}/bin/${program}"; owner = "atd"; group = "atd"; diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index 26ce3c98d67..7bd1e481804 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -61,7 +61,7 @@ in A list of Cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid - sendmail. See + sendmail. See If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root will is allowed to have its own crontab file. The /var/cron/cron.deny file diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index 47fc4426af0..f787c02540d 100644 --- a/nixos/modules/services/system/dbus.nix 
+++ b/nixos/modules/services/system/dbus.nix @@ -114,15 +114,14 @@ in systemd.packages = [ pkgs.dbus.daemon ]; - security.wrappers.setuid = singleton - { program = "dbus-daemon-launch-helper"; - source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; - owner = "root"; - group = "messagebus"; - setuid = true; - setgid = false; - permissions = "u+rx,g+rx,o-rx"; - }; + security.wrappers.dbus-daemon-launch-helper = { + source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; + owner = "root"; + group = "messagebus"; + setuid = true; + setgid = false; + permissions = "u+rx,g+rx,o-rx"; + }; services.dbus.packages = [ pkgs.dbus.out diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix index d21a1f28dca..25ae75592c9 100644 --- a/nixos/modules/services/x11/desktop-managers/kde4.nix +++ b/nixos/modules/services/x11/desktop-managers/kde4.nix @@ -131,13 +131,7 @@ in ''; }; - security.wrappers.setuid = singleton - { program = "kcheckpass"; - source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; - owner = "root"; - group = "root"; - setuid = true; - }; + security.wrappers.kcheckpass.source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; environment.systemPackages = [ pkgs.kde4.kdelibs diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix index a4124aaefa9..00fdfedbc7b 100644 --- a/nixos/modules/services/x11/desktop-managers/kde5.nix +++ b/nixos/modules/services/x11/desktop-managers/kde5.nix 
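Review bot: In the kde4 hunk, `security.wrappers.kcheckpass.source = ...` drops the `owner = "root"` and `setuid = true` that the removed entry carried. With the dispatch in `mkWrappedPrograms` from patch 046, an entry that has only `source` matches none of capabilities, setuid, setgid or permissions and lands in the `else ""` branch, so no kcheckpass wrapper would be installed at all unless the module supplies a default that is not visible here; the kde5 hunk on the next line has the same shape for kcheckpass and start_kdeinit. Keep the privilege bits explicit: `security.wrappers.kcheckpass = { source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; owner = "root"; setuid = true; };`.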
@@ -68,20 +68,10 @@ in ''; }; - security.wrappers.setuid = [ - { - program = "kcheckpass"; - source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass"; - owner = "root"; - setuid = true; - } - { - program = "start_kdeinit"; - source = "${kde5.kinit.out}/lib/libexec/kf5/start_kdeinit"; - owner = "root"; - setuid = true; - } - ]; + security.wrappers = { + kcheckpass.source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass"; + "start_kdeinit".source = "${kde5.kinit.out}/lib/libexec/kf5/start_kdeinit"; + }; environment.systemPackages = [ diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index 405a630dfa7..70ee44680ab 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix @@ -68,9 +68,8 @@ in boot.extraModulePackages = [ kernelModules ]; environment.systemPackages = [ virtualbox ]; - security.wrappers.setuid = let - mkSuid = program: { - inherit program; + security.wrappers = let + mkSuid = program: "${program}" = { source = "${virtualbox}/libexec/virtualbox/${program}"; owner = "root"; group = "vboxusers"; From 4aa0923009dac4d2307b5fe018b944180bfad6a2 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Sun, 29 Jan 2017 04:11:01 -0600 Subject: [PATCH 050/153] Getting rid of the var indirection and using a bin path instead --- .../modules/installer/tools/nixos-install.sh | 4 +-- nixos/modules/security/apparmor-suid.nix | 3 +- nixos/modules/security/wrappers/default.nix | 33 +++++++++++++++++-- nixos/modules/services/logging/logcheck.nix | 4 +-- nixos/modules/services/mail/dovecot.nix | 2 +- nixos/modules/services/mail/exim.nix | 2 +- nixos/modules/services/monitoring/munin.nix | 4 +-- nixos/modules/services/monitoring/smartd.nix | 2 +- .../services/network-filesystems/samba.nix | 2 +- nixos/modules/services/networking/prayer.nix | 2 +- .../modules/services/networking/smokeping.nix | 2 +- nixos/modules/services/scheduling/atd.nix | 4 +-- nixos/modules/services/scheduling/cron.nix | 2 +- nixos/modules/services/scheduling/fcron.nix | 2 +- nixos/modules/system/boot/stage-2-init.sh | 5 --- .../virtualisation/virtualbox-host.nix | 4 +-- nixos/tests/smokeping.nix | 2 +- .../applications/editors/sublime3/default.nix | 2 +- .../networking/browsers/chromium/default.nix | 4 +-- .../gale/gale-install.in.patch | 2 +- .../gitlab/remove-hardcoded-locations.patch | 2 +- .../virtualization/virtualbox/hardened.patch | 6 ++-- pkgs/build-support/build-fhs-userenv/env.nix | 2 +- pkgs/desktops/enlightenment/enlightenment.nix | 6 ++-- .../kinit/start_kdeinit-path.patch | 2 +- .../development/libraries/libgksu/default.nix | 4 +-- pkgs/development/libraries/polkit/default.nix | 2 +- pkgs/development/tools/unity3d/default.nix | 2 +- pkgs/os-specific/linux/fuse/default.nix | 2 +- pkgs/os-specific/linux/mdadm/4.nix | 2 +- pkgs/os-specific/linux/mdadm/default.nix | 2 +- pkgs/os-specific/linux/pam/default.nix | 2 +- pkgs/os-specific/linux/util-linux/default.nix | 2 +- pkgs/servers/interlock/default.nix | 2 +- pkgs/servers/mail/petidomo/default.nix | 2 +- .../nagios/plugins/official-2.x.nix | 4 +-- pkgs/tools/X11/x11vnc/default.nix | 4 +-- 
pkgs/tools/admin/certbot/default.nix | 2 +- pkgs/tools/misc/debian-devscripts/default.nix | 2 +- pkgs/tools/security/ecryptfs/default.nix | 2 +- pkgs/tools/security/ecryptfs/helper.nix | 2 +- pkgs/tools/security/sudo/default.nix | 2 +- pkgs/tools/system/at/default.nix | 2 +- pkgs/tools/system/cron/default.nix | 2 +- pkgs/tools/system/ts/default.nix | 2 +- 45 files changed, 86 insertions(+), 65 deletions(-) diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 36b1a47956d..57bc249360e 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -259,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate # Ask the user to set a root password. -if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then +if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then echo "setting root password..." - chroot $mountPoint /run/wrappers/passwd + chroot $mountPoint /run/wrappers/bin/passwd fi diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix index e7b870864ee..dfbf5d859ba 100644 --- a/nixos/modules/security/apparmor-suid.nix +++ b/nixos/modules/security/apparmor-suid.nix @@ -19,7 +19,7 @@ with lib; config = mkIf (cfg.confineSUIDApplications) { security.apparmor.profiles = [ (pkgs.writeText "ping" '' #include - /run/wrappers/ping { + /run/wrappers/bin/ping { #include #include #include @@ -33,7 +33,6 @@ with lib; ${pkgs.attr.out}/lib/libattr.so* mr, ${pkgs.iputils}/bin/ping mixr, - /run/wrappers/ping.real r, #/etc/modules.conf r, diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 0170da03689..8837ac35a53 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
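Review bot: The apparmor-suid profile is now attached to `/run/wrappers/bin/ping`, but in the wrappers hunk of this same patch `/run/wrappers/bin` becomes a symlink to a `mktemp` directory, and AppArmor attaches profiles by the resolved path of the executable, so this profile would most likely stop confining ping without any error. Either attach to the real location with a glob such as `/run/wrappers/wrappers.*/ping`, if the AppArmor version in use accepts globbed attachment paths, or derive the path from `config.security.wrapperDir` so the two modules cannot drift apart again. Dropping the `/run/wrappers/ping.real r,` rule is consistent with the wrapper no longer using a `.real` file, as far as this patch shows.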
@@ -17,7 +17,9 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.wrapperDir}\" \ + parentWrapperDir=$(dirname ${wrapperDir}) + + gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; @@ -155,7 +157,7 @@ in security.wrapperDir = lib.mkOption { type = lib.types.path; - default = "/run/wrappers"; + default = "/run/wrappers/bin"; internal = true; description = '' This option defines the path to the wrapper programs. It @@ -181,11 +183,36 @@ in # programs to be wrapped. WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin + if [ -d ${config.security.old-wrapperDir} ]; then + rm -rf ${config.security.old-wrapperDir} + fi + + parentWrapperDir="$(dirname ${wrapperDir})" + mkdir -p ${wrapperDir} - wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX) + wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX) chmod a+rx $wrapperDir ${lib.concatStringsSep "\n" mkWrappedPrograms} + + if [ -L ${wrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink ${wrapperDir}) + ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp + mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir} + rm --force --recursive $old + elif [ -d ${wrapperDir} ]; then + # Compatibility with old state, just remove the folder and symlink + rm -f ${wrapperDir}/* + # if it happens to be a tmpfs + ${pkgs.utillinux}/bin/umount ${wrapperDir} || true + rm -d ${wrapperDir} + ln -d --symbolic $wrapperDir ${wrapperDir} + else + # For initial setup + ln --symbolic $wrapperDir ${wrapperDir} + fi ''; }; } 
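Review bot: In the activation-script hunk `mkdir -p ${wrapperDir}` still creates `/run/wrappers/bin` as a real directory, so on a fresh system the `-L` test fails, the `-d` "compatibility" branch runs (including a `umount` attempt on a directory that was never a mount point), and the final `else` meant for initial setup is unreachable; it should be `mkdir -p "$parentWrapperDir"` now that the temp directory is created under the parent. In the `-d` branch `ln -d --symbolic` combines the hard-link-to-directory flag with `--symbolic`; `ln --symbolic $wrapperDir ${wrapperDir}` is what is meant. `config.security.old-wrapperDir` is not declared anywhere in this patch, so the `rm -rf` on it will fail evaluation unless that option exists elsewhere; if it does, a comment saying which directory it names would help, since `rm -rf` on an option-supplied path deserves one.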
diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index c933c496479..72925b95cae 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix @@ -29,8 +29,8 @@ let }; cronJob = '' - @reboot logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} - 2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} + @reboot logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} + 2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} ''; writeIgnoreRule = name: {level, regex, ...}: diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 7cea2f75439..3b25e41edb1 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -13,7 +13,7 @@ let '' base_dir = ${baseDir} protocols = ${concatStringsSep " " cfg.protocols} - sendmail_path = /run/wrappers/sendmail + sendmail_path = /run/wrappers/bin/sendmail '' (if isNull cfg.sslServerCert then '' diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index 71414bddd5d..b05344fa9b5 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -70,7 +70,7 @@ in etc."exim.conf".text = '' exim_user = ${cfg.user} exim_group = ${cfg.group} - exim_path = /run/wrappers/exim + exim_path = /run/wrappers/bin/exim spool_directory = ${cfg.spoolDir} ${cfg.config} ''; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index cd4a5125029..6d2ce538368 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix 
@@ -34,7 +34,7 @@ let cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file) wrapProgram $file \ - --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ + --set PATH "/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" \ --set MUNIN_LIBDIR "${pkgs.munin}/lib" \ --set MUNIN_PLUGSTATE "/var/run/munin" @@ -183,7 +183,7 @@ in mkdir -p /etc/munin/plugins rm -rf /etc/munin/plugins/* - PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash + PATH="/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash ''; serviceConfig = { ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/"; diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix index af02d73597f..4d10299a987 100644 --- a/nixos/modules/services/monitoring/smartd.nix +++ b/nixos/modules/services/monitoring/smartd.nix @@ -124,7 +124,7 @@ in }; mailer = mkOption { - default = "/run/wrappers/sendmail"; + default = "/run/wrappers/bin/sendmail"; type = types.path; description = '' Sendmail-compatible binary to be used to send the messages. diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 8cc8f21851c..09a11585bc9 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix 
@@ -30,7 +30,7 @@ let '' [ global ] security = ${cfg.securityType} - passwd program = /run/wrappers/passwd %u + passwd program = /run/wrappers/bin/passwd %u pam password change = ${smbToString cfg.syncPasswordsByPam} invalid users = ${smbToString cfg.invalidUsers} diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index 58e6ad8a683..8cd4a082353 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -18,7 +18,7 @@ let var_prefix = "${stateDir}" prayer_user = "${prayerUser}" prayer_group = "${prayerGroup}" - sendmail_path = "/run/wrappers/sendmail" + sendmail_path = "/run/wrappers/bin/sendmail" use_http_port ${cfg.port} diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index b7bb55f5508..eedc2759337 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -226,7 +226,7 @@ in sendmail = mkOption { type = types.nullOr types.path; default = null; - example = "/run/wrappers/sendmail"; + example = "/run/wrappers/bin/sendmail"; description = "Use this sendmail compatible script to deliver alerts"; }; smokeMailTemplate = mkOption { diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index 7b4937b5c67..f3ada6b7496 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -42,13 +42,13 @@ in config = mkIf cfg.enable { - security.wrappers.setuid = map (program: "${program}" = { + security.wrappers = map (program: {"${program}" = { source = "${pkgs.atd}/bin/${program}"; owner = "atd"; group = "atd"; setuid = true; setgid = true; - }) [ "at" "atq" "atrm" "batch" ]; + };}) [ "at" "atq" "atrm" "batch" ]; environment.systemPackages = [ at ]; 
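Review bot: `security.wrappers = map (program: {"${program}" = { ... };}) [ ... ]` now evaluates to a list of one-attribute sets, while the module consumes `security.wrappers` as an attribute set (`lib.mapAttrsToList ... wrappers` in patch 048) and every other caller in this series assigns attributes to it, so this definition will not merge with them; the virtualbox-host hunk two lines below has the same shape. Build the set directly: `security.wrappers = lib.genAttrs [ "at" "atq" "atrm" "batch" ] (program: {` with a plain `});` closing it in place of `};}) [ "at" "atq" "atrm" "batch" ];`. The enclosing `config = mkIf cfg.enable {` block continues past the hunk.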
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index 7bd1e481804..48c5f6be316 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -20,7 +20,7 @@ let cronNixosPkg = pkgs.cron.override { # The mail.nix nixos module, if there is any local mail system enabled, # should have sendmail in this path. - sendmailPath = "/run/wrappers/sendmail"; + sendmailPath = "/run/wrappers/bin/sendmail"; }; allFiles = diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index f0de996224f..339b0de66e9 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -96,7 +96,7 @@ in fcronallow = /etc/fcron.allow fcrondeny = /etc/fcron.deny shell = /bin/sh - sendmail = /run/wrappers/sendmail + sendmail = /run/wrappers/bin/sendmail editor = /run/current-system/sw/bin/vi ''; target = "fcron.conf"; diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index ffc0700806c..f827e530f87 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -131,11 +131,6 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then cat /etc/resolv.conf | resolvconf -m 1000 -a host fi -# Create /run/wrappers as a tmpfs. -rm -rf /run/wrappers -mkdir -m 0755 -p /run/wrappers -mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers - # Log the script output to /dev/kmsg or /run/log/stage-2-init.log. # Only at this point are all the necessary prerequisites ready for these commands. exec {logOutFd}>&1 {logErrFd}>&2 diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index 70ee44680ab..501ed9bc683 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix 
@@ -69,12 +69,12 @@ in environment.systemPackages = [ virtualbox ]; security.wrappers = let - mkSuid = program: "${program}" = { + mkSuid = program: {"${program}" = { source = "${virtualbox}/libexec/virtualbox/${program}"; owner = "root"; group = "vboxusers"; setuid = true; - }; + };}; in mkIf cfg.enableHardening (map mkSuid [ "VBoxHeadless" "VBoxNetAdpCtl" diff --git a/nixos/tests/smokeping.nix b/nixos/tests/smokeping.nix index 5e2d013abc5..4c77e4b7861 100644 --- a/nixos/tests/smokeping.nix +++ b/nixos/tests/smokeping.nix @@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : { mailHost = "127.0.0.2"; probeConfig = '' + FPing - binary = /run/wrappers/fping + binary = /run/wrappers/bin/fping offset = 0% ''; }; diff --git a/pkgs/applications/editors/sublime3/default.nix b/pkgs/applications/editors/sublime3/default.nix index 1c24ff4737b..f900a4e9147 100644 --- a/pkgs/applications/editors/sublime3/default.nix +++ b/pkgs/applications/editors/sublime3/default.nix @@ -1,5 +1,5 @@ { fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2, - pkexecPath ? "/run/wrappers/pkexec", libredirect, + pkexecPath ? "/run/wrappers/bin/pkexec", libredirect, gksuSupport ? false, gksu}: assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux"; diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index 7009cf17fab..c59d6b00945 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix 
@@ -83,9 +83,9 @@ in stdenv.mkDerivation { ed -v -s "$out/bin/chromium" << EOF 2i - if [ -x "/run/wrappers/${sandboxExecutableName}" ] + if [ -x "/run/wrappers/bin/${sandboxExecutableName}" ] then - export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}" + export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${sandboxExecutableName}" else export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}" fi diff --git a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch index 4b59f1a376d..33e3e09a96d 100644 --- a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch +++ b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch @@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644 + is_nixos=no +fi + -+if [ -u /run/wrappers/gksign ]; then ++if [ -u /run/wrappers/bin/gksign ]; then + cat < -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit" -+#define EXECUTE "/run/wrappers/start_kdeinit" ++#define EXECUTE "/run/wrappers/bin/start_kdeinit" #if KDEINIT_OOM_PROTECT diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix index 6d57ca2397e..e96ef7329a2 100644 --- a/pkgs/development/libraries/libgksu/default.nix +++ b/pkgs/development/libraries/libgksu/default.nix @@ -57,8 +57,8 @@ stdenv.mkDerivation rec { # Fix some binary paths sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c - sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c - sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/su\1|g' libgksu/libgksu.c + sed -i -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|g' libgksu/libgksu.c + sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/bin/su\1|g' libgksu/libgksu.c touch NEWS README ''; 
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix index b2e2ecf0493..27482743d2c 100644 --- a/pkgs/development/libraries/polkit/default.nix +++ b/pkgs/development/libraries/polkit/default.nix @@ -5,7 +5,7 @@ let system = "/var/run/current-system/sw"; - setuid = "/run/wrappers"; #TODO: from config.security.wrapperDir; + setuid = "/run/wrappers/bin"; #TODO: from config.security.wrapperDir; foolVars = { SYSCONF = "/etc"; diff --git a/pkgs/development/tools/unity3d/default.nix b/pkgs/development/tools/unity3d/default.nix index 2d4977a3195..73cb902ae69 100644 --- a/pkgs/development/tools/unity3d/default.nix +++ b/pkgs/development/tools/unity3d/default.nix @@ -94,7 +94,7 @@ in stdenv.mkDerivation rec { unitydir="$out/opt/Unity/Editor" mkdir -p $unitydir mv Editor/* $unitydir - ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox + ln -sf /run/wrappers/bin/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox mkdir -p $out/share/applications sed "/^Exec=/c\Exec=$out/bin/unity-editor" \ diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix index 29bcc58c7c0..db18b13bfb8 100644 --- a/pkgs/os-specific/linux/fuse/default.nix +++ b/pkgs/os-specific/linux/fuse/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { # Ensure that FUSE calls the setuid wrapper, not # $out/bin/fusermount. It falls back to calling fusermount in # $PATH, so it should also work on non-NixOS systems. - export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\"" + export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\"" sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh diff --git a/pkgs/os-specific/linux/mdadm/4.nix b/pkgs/os-specific/linux/mdadm/4.nix index af8e53ec3a2..05d98de0b23 100644 --- a/pkgs/os-specific/linux/mdadm/4.nix 
+++ b/pkgs/os-specific/linux/mdadm/4.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/run/wrappers/bin/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix index d9bdf21723b..e0109791ef2 100644 --- a/pkgs/os-specific/linux/mdadm/default.nix +++ b/pkgs/os-specific/linux/mdadm/default.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/run/wrappers/bin/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index dc61b3f27f6..5189b84ff7e 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { postInstall = '' mv -v $out/sbin/unix_chkpwd{,.orig} - ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd + ln -sv /run/wrappers/bin/unix_chkpwd $out/sbin/unix_chkpwd ''; /* rm -rf $out/etc mkdir -p $modules/lib diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index 90fbf861448..6c3aacbef29 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation rec { --enable-last --enable-mesg --disable-use-tty-group - --enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin + --enable-fs-paths-default=/run/wrappers/bin:/var/run/current-system/sw/bin:/sbin ${if ncurses == null then "--without-ncurses" else ""} ${if systemd == null then "" else '' --with-systemd 
diff --git a/pkgs/servers/interlock/default.nix b/pkgs/servers/interlock/default.nix index b58c1b50e03..a0b59d332a3 100644 --- a/pkgs/servers/interlock/default.nix +++ b/pkgs/servers/interlock/default.nix @@ -30,7 +30,7 @@ buildGoPackage rec { -e 's|/bin/chown|${coreutils}/bin/chown|' \ -e 's|/bin/date|${coreutils}/bin/date|' \ -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \ - -e 's|/usr/bin/sudo|/run/wrappers/sudo|' \ + -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|' \ -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|' ''; } diff --git a/pkgs/servers/mail/petidomo/default.nix b/pkgs/servers/mail/petidomo/default.nix index 1770517047f..395f3ded7fd 100644 --- a/pkgs/servers/mail/petidomo/default.nix +++ b/pkgs/servers/mail/petidomo/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }: +{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/bin/sendmail" }: stdenv.mkDerivation rec { name = "petidomo-4.3"; diff --git a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix index 30bd7e8a7c3..1ea6f88084d 100644 --- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix +++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix @@ -16,8 +16,8 @@ stdenv.mkDerivation rec { # configured on the build machine). preConfigure= " configureFlagsArray=( - --with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s' - --with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s' + --with-ping-command='/run/wrappers/bin/ping -n -U -w %d -c %d %s' + --with-ping6-command='/run/wrappers/bin/ping6 -n -U -w %d -c %d %s' ) "; diff --git a/pkgs/tools/X11/x11vnc/default.nix b/pkgs/tools/X11/x11vnc/default.nix index b343a7da378..2d319cccf20 100644 --- a/pkgs/tools/X11/x11vnc/default.nix +++ b/pkgs/tools/X11/x11vnc/default.nix 
@@ -20,10 +20,10 @@ stdenv.mkDerivation rec { configureFlags="--mandir=$out/share/man" substituteInPlace x11vnc/unixpw.c \ - --replace '"/bin/su"' '"/run/wrappers/su"' \ + --replace '"/bin/su"' '"/run/wrappers/bin/su"' \ --replace '"/bin/true"' '"${coreutils}/bin/true"' - sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h + sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/bin/su|g' x11vnc/ssltools.h ''; meta = { diff --git a/pkgs/tools/admin/certbot/default.nix b/pkgs/tools/admin/certbot/default.nix index 366213d2e1e..3648cb2c136 100644 --- a/pkgs/tools/admin/certbot/default.nix +++ b/pkgs/tools/admin/certbot/default.nix @@ -31,7 +31,7 @@ python2Packages.buildPythonApplication rec { buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]); patchPhase = '' - substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail" + substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/bin/sendmail" substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers" ''; diff --git a/pkgs/tools/misc/debian-devscripts/default.nix b/pkgs/tools/misc/debian-devscripts/default.nix index be3b674de04..cbc7a2e7e46 100644 --- a/pkgs/tools/misc/debian-devscripts/default.nix +++ b/pkgs/tools/misc/debian-devscripts/default.nix @@ -2,7 +2,7 @@ , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper , python3Packages , perlPackages, curl, gnupg, diffutils -, sendmailPath ? "/run/wrappers/sendmail" +, sendmailPath ? "/run/wrappers/bin/sendmail" }: let diff --git a/pkgs/tools/security/ecryptfs/default.nix b/pkgs/tools/security/ecryptfs/default.nix index 98e06d1de3e..ab4867a4cc8 100644 --- a/pkgs/tools/security/ecryptfs/default.nix +++ b/pkgs/tools/security/ecryptfs/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { }; # TODO: replace wrapperDir below with from config.security.wrapperDir; - wrapperDir = "/run/wrappers"; + wrapperDir = "/run/wrappers/bin"; postPatch = '' FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)" diff --git a/pkgs/tools/security/ecryptfs/helper.nix b/pkgs/tools/security/ecryptfs/helper.nix index 3daaadcaad6..05327ad3a09 100644 --- a/pkgs/tools/security/ecryptfs/helper.nix +++ b/pkgs/tools/security/ecryptfs/helper.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; - # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers + # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers/bin installPhase = '' mkdir -p $out/bin $out/libexec cp $src $out/libexec/ecryptfs-helper.py diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix index 0d2953c6f45..9f56a9d7f26 100644 --- a/pkgs/tools/security/sudo/default.nix +++ b/pkgs/tools/security/sudo/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, coreutils, pam, groff -, sendmailPath ? "/run/wrappers/sendmail" +, sendmailPath ? "/run/wrappers/bin/sendmail" , withInsults ? false }: diff --git a/pkgs/tools/system/at/default.nix b/pkgs/tools/system/at/default.nix index 9f8bad00ca4..185645763fd 100644 --- a/pkgs/tools/system/at/default.nix +++ b/pkgs/tools/system/at/default.nix @@ -1,4 +1,4 @@ -{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }: +{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/bin/sendmail" }: stdenv.mkDerivation { name = "at-3.1.16"; diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 8a6a5dc15d3..dec1bacd741 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix 
@@ -23,7 +23,7 @@ stdenv.mkDerivation { #define _PATH_SENDMAIL "${sendmailPath}" #undef _PATH_DEFPATH - #define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" + #define _PATH_DEFPATH "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" __EOT__ # Implicit saved uids do not work here due to way NixOS uses setuid wrappers diff --git a/pkgs/tools/system/ts/default.nix b/pkgs/tools/system/ts/default.nix index 1dfb856d4d6..97b35378673 100644 --- a/pkgs/tools/system/ts/default.nix +++ b/pkgs/tools/system/ts/default.nix @@ -1,5 +1,5 @@ {stdenv, fetchurl, -sendmailPath ? "/run/wrappers/sendmail" }: +sendmailPath ? "/run/wrappers/bin/sendmail" }: stdenv.mkDerivation rec { From 70b8167d4ac3572a2f364bba18432ea15df92971 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 05:05:30 -0600 Subject: [PATCH 051/153] A few more tweaks --- nixos/modules/security/wrappers/default.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 8837ac35a53..8e20d773125 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -11,7 +11,7 @@ let wrappers); mkWrapper = { program, source ? null, ...}: '' - if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then + if ! source=${if source != null || source != "" then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then # If we can't find the program, fall back to the # system profile. source=/nix/var/nix/profiles/default/bin/${program} 
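Review bot: The rewritten condition `source != null || source != ""` is always true — when `source` is null the right operand holds and when it is `""` the left one does — so both fallbacks below it (the `readlink -f` PATH lookup and `/nix/var/nix/profiles/default/bin/${program}`) are unreachable, and a wrapper declared without `source` interpolates `null` into the string and fails at evaluation time instead. The intended guard is `${if source != null && source != "" then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}`. `mkWrapper`'s definition continues outside the hunk.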
@@ -183,13 +183,16 @@ in # programs to be wrapped. WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin + # Remove the old /var/setuid-wrappers path from the system... if [ -d ${config.security.old-wrapperDir} ]; then rm -rf ${config.security.old-wrapperDir} fi + # Get the "/run/wrappers" path, we want to place the tmpdirs + # for the wrappers there parentWrapperDir="$(dirname ${wrapperDir})" - mkdir -p ${wrapperDir} + mkdir -p "$parentWrapperDir" wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX) chmod a+rx $wrapperDir @@ -198,7 +201,7 @@ in if [ -L ${wrapperDir} ]; then # Atomically replace the symlink # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ - old=$(readlink ${wrapperDir}) + old=$(readlink -f ${wrapperDir}) ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir} rm --force --recursive $old From 628e6a83d0f3b7ddc0592c88fef7978a7ee0063e Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 05:33:56 -0600 Subject: [PATCH 052/153] More derp --- .../security/chromium-suid-sandbox.nix | 2 +- nixos/modules/security/duosec.nix | 2 +- nixos/modules/security/pam.nix | 15 ++++++++---- nixos/modules/security/pam_usb.nix | 5 +++- nixos/modules/security/polkit.nix | 6 +++-- nixos/modules/security/sudo.nix | 5 +++- nixos/modules/security/wrappers/default.nix | 24 +------------------ nixos/modules/services/mail/exim.nix | 2 +- .../modules/services/networking/smokeping.nix | 5 +++- nixos/modules/services/scheduling/cron.nix | 2 +- nixos/modules/services/scheduling/fcron.nix | 2 +- .../x11/desktop-managers/enlightenment.nix | 3 ++- nixos/modules/tasks/network-interfaces.nix | 7 +++--- 13 files changed, 38 insertions(+), 42 deletions(-) diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index 0699fbb728a..0458ffb6c46 100644 
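Review bot: `mkdir -p "$parentWrapperDir"` creates /run/wrappers with whatever mode the current umask yields, and that directory now holds the `bin` symlink this script swaps atomically and that the module's `environment.extraInit` puts on every shell's PATH; if it ever came out group- or world-writable, a local user could repoint `bin` at their own binaries. Unless the activation script already forces a restrictive umask earlier (not visible here), give the directory an explicit mode, `mkdir -p -m 0755 "$parentWrapperDir"`, and quote the temp dir in `chmod a+rx "$wrapperDir"` for the same reason. The activation script this hunk edits starts before it.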
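Review bot: `old=$(readlink -f ${wrapperDir})` followed by `rm --force --recursive $old` deletes whatever the symlink currently resolves to, with no check that it is one of this script's own `wrappers.XXXXXXXXXX` temp directories; an empty result is harmless, but a `bin` link left pointing elsewhere by an interrupted or older activation would be removed recursively as root. Guard the removal to the expected location and quote the variable, e.g. `case "$old" in "$parentWrapperDir"/wrappers.*) rm --force --recursive "$old";; esac`. The enclosing `if [ -L ${wrapperDir} ]` block starts inside the hunk but the script continues past it.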
--- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix @@ -27,6 +27,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ sandbox ]; - security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ]; + security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; }; } diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index ee62c34438e..9ca818e86ff 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -188,7 +188,7 @@ in environment.systemPackages = [ pkgs.duo-unix ]; - security.setuidPrograms = [ "login_duo" ]; + security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; environment.etc = loginCfgFile ++ pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 3c944acf6cf..86143dd2ee5 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -472,13 +472,18 @@ in ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ] ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; - security.setuidPrograms = + security.wrapperssetuidPrograms = optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]; - security.wrappers.unix_chkpwd = { - source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; - owner = "root"; - setuid = true; + security.wrappers = { + unix_chkpwd = { + source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; + owner = "root"; + setuid = true; + }; + } // (mkIf config.security.pam.enableEcryptfs { + "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; + "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; }; environment.etc = 
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 032f8e38d11..6f811dab8d7 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix @@ -33,7 +33,10 @@ in config = mkIf (cfg.enable || anyUsbAuth) { # Make sure pmount and pumount are setuid wrapped. - security.setuidPrograms = [ "pmount" "pumount" ]; + security.wrappers = { + pmount.source = "${pkgs.pmount.out}/bin/pmount"; + pumount.source = "${pkgs.pmount.out}/bin/pumount"; + }; environment.systemPackages = [ pkgs.pmount ]; diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index 547b40cedfd..419abb8b086 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -83,8 +83,10 @@ in security.pam.services.polkit-1 = {}; - security.setuidPrograms = [ "pkexec" ]; - security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + security.wrappers = { + pkexec.source = "${pkgs.polkit.out}/bin/pkexec"; + "polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + }; system.activationScripts.polkit = '' diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index f5612e1b0c5..67a9b9a45ee 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -81,7 +81,10 @@ in ${cfg.extraConfig} ''; - security.setuidPrograms = [ "sudo" "sudoedit" ]; + security.wrappers = { + sudo.source = "${pkgs.sudo.out}/bin/sudo"; + sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit"; + }; environment.systemPackages = [ sudo ]; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 8e20d773125..9909c640647 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
@@ -4,22 +4,13 @@ let inherit (config.security) wrapperDir wrappers setuidPrograms; programs = - (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) setuidPrograms) - ++ (lib.mapAttrsToList (n: v: (if v ? "program" then v else v // {program=n;})) wrappers); mkWrapper = { program, source ? null, ...}: '' - if ! source=${if source != null || source != "" then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi - parentWrapperDir=$(dirname ${wrapperDir}) - - gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ + gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; @@ -96,19 +87,6 @@ in ###### interface options = { - security.setuidPrograms = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - example = ["passwd"]; - description = '' - The Nix store cannot contain setuid/setgid programs directly. - For this reason, NixOS can automatically generate wrapper - programs that have the necessary privileges. This option - lists the names of programs in the system environment for - which setuid root wrappers should be created. - ''; - }; - security.wrappers = lib.mkOption { type = lib.types.attrs; default = {}; diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index b05344fa9b5..440eae281f4 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -89,7 +89,7 @@ in gid = config.ids.gids.exim; }; - security.setuidPrograms = [ "exim" ]; + security.wrappers.exim.source = "${exim}/bin/exim"; systemd.services.exim = { description = "Exim Mail Daemon"; 
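Review bot: `mkWrapper` keeps the `source ? null` default but now interpolates it straight into `-DSOURCE_PROG=\"${source}\"`, so a wrapper that does not set `source` (the removed PATH/system-profile lookup used to cover exactly that case) aborts with an opaque "cannot coerce null to a string" error rather than a message naming the wrapper. Either drop the default so the missing argument is reported at the call site, or fail explicitly with `assert source != null;` before the build string. The second hunk's context also shows `security.wrappers` typed as `lib.types.attrs`, which merges definitions from different modules shallowly — two modules setting attributes of the same wrapper silently overwrite each other — so an `attrsOf (submodule …)` with the known fields would both catch misspelled keys and merge per-wrapper attributes properly.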
diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index eedc2759337..bac79474527 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -273,7 +273,10 @@ in message = "services.smokeping: sendmail and Mailhost cannot both be enabled."; } ]; - security.setuidPrograms = [ "fping" "fping6" ]; + security.wrappers = { + fping.source = "${pkgs.fping}/bin/fping"; + "fping6".source = "${pkgs.fping}/bin/fping6"; + }; environment.systemPackages = [ pkgs.fping ]; users.extraUsers = singleton { name = cfg.user; diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index 48c5f6be316..cc6eb96bf5d 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -93,7 +93,7 @@ in { services.cron.enable = mkDefault (allFiles != []); } (mkIf (config.services.cron.enable) { - security.setuidPrograms = [ "crontab" ]; + security.wrappers.crontab.source = "${pkgs.cronNixosPkg.out}/bin/crontab"; environment.systemPackages = [ cronNixosPkg ]; environment.etc.crontab = { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; } diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 339b0de66e9..e4ada276871 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -106,7 +106,7 @@ in environment.systemPackages = [ pkgs.fcron ]; - security.setuidPrograms = [ "fcrontab" ]; + security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab"; systemd.services.fcron = { description = "fcron daemon"; after = [ "local-fs.target" ]; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index feee6ba87ec..77050bcb23f 100644 
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -62,7 +62,8 @@ in ''; }]; - security.setuidPrograms = [ "e_freqset" ]; + security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset"; + environment.etc = singleton { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; target = "X11/xkb"; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 1afcddd915f..a01bf21af51 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -912,9 +912,10 @@ in # If the linux kernel IS older than 4.3, create setuid wrappers # for ping and ping6 - security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [ - "ping" "ping6" - ]; + security.wrappers = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") { + ping.source = "${pkgs.iputils.out}/bin/ping"; + "ping6".source = "${pkgs.iputils.out}/bin/ping6"; + }; # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration, From 1cc500ea8e66b2f09735e7dccc756ba00518bd8a Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 05:34:50 -0600 Subject: [PATCH 053/153] Syntax wibble --- nixos/modules/security/pam.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 86143dd2ee5..713e15322c7 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -484,7 +484,7 @@ in } // (mkIf config.security.pam.enableEcryptfs { "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; - }; + }); environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; 
From a3e9d77640b686c29692294ca7d557b11dfe2c65 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 05:36:47 -0600 Subject: [PATCH 054/153] More derp? It's 5am... --- nixos/modules/tasks/network-interfaces.nix | 26 +++++++++++++--------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index a01bf21af51..3ef0a2ee1a2 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -898,23 +898,27 @@ in # Capabilities won't work unless we have at-least a 4.3 Linux # kernel because we need the ambient capability - security.wrappers = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") { - ping = { - source = "${pkgs.iputils.out}/bin/ping"; - capabilities = "cap_net_raw+p"; - }; + security = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") { + wrappers = { + ping = { + source = "${pkgs.iputils.out}/bin/ping"; + capabilities = "cap_net_raw+p"; + }; - ping6 = { - source = "${pkgs.iputils.out}/bin/ping6"; - capabilities = "cap_net_raw+p"; + ping6 = { + source = "${pkgs.iputils.out}/bin/ping6"; + capabilities = "cap_net_raw+p"; + }; }; }; # If the linux kernel IS older than 4.3, create setuid wrappers # for ping and ping6 - security.wrappers = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") { - ping.source = "${pkgs.iputils.out}/bin/ping"; - "ping6".source = "${pkgs.iputils.out}/bin/ping6"; + security = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") { + wrappers = { + ping.source = "${pkgs.iputils.out}/bin/ping"; + "ping6".source = "${pkgs.iputils.out}/bin/ping6"; + }; }; # Set the host and domain names in the activation script. Don't From 3215bcf4450080c44411171b4d69d0cb2dd1b1bd Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Sun, 29 Jan 2017 05:39:18 -0600 Subject: [PATCH 055/153] Beebooboop --- nixos/modules/tasks/network-interfaces.nix | 28 ++++++++-------------- 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 3ef0a2ee1a2..dc77a6a40f8 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -898,27 +898,19 @@ in # Capabilities won't work unless we have at-least a 4.3 Linux # kernel because we need the ambient capability - security = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") { - wrappers = { - ping = { - source = "${pkgs.iputils.out}/bin/ping"; - capabilities = "cap_net_raw+p"; - }; - - ping6 = { - source = "${pkgs.iputils.out}/bin/ping6"; - capabilities = "cap_net_raw+p"; - }; + security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then { + ping = { + source = "${pkgs.iputils.out}/bin/ping"; + capabilities = "cap_net_raw+p"; }; - }; - # If the linux kernel IS older than 4.3, create setuid wrappers - # for ping and ping6 - security = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") { - wrappers = { - ping.source = "${pkgs.iputils.out}/bin/ping"; - "ping6".source = "${pkgs.iputils.out}/bin/ping6"; + ping6 = { + source = "${pkgs.iputils.out}/bin/ping6"; + capabilities = "cap_net_raw+p"; }; + } else { + ping.source = "${pkgs.iputils.out}/bin/ping"; + "ping6".source = "${pkgs.iputils.out}/bin/ping6"; }; # Set the host and domain names in the activation script. Don't From cfe4351c33bd23e7007179d6c75299919a873210 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 05:39:54 -0600 Subject: [PATCH 056/153] I'm clearly very tired --- nixos/modules/security/pam.nix | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 713e15322c7..711e4c55c7d 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -472,9 +472,6 @@ in ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ] ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; - security.wrapperssetuidPrograms = - optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]; - security.wrappers = { unix_chkpwd = { source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; From 9f82c9903d8cba0685795c526fe5e7c51a6bc9c8 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 05:44:29 -0600 Subject: [PATCH 057/153] More fixes --- nixos/modules/programs/shadow.nix | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index c5a50318026..d497b662113 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -101,9 +101,15 @@ in chpasswd = { rootOK = true; }; }; - security.setuidPrograms = [ - "su" "chfn" "newuidmap" "newgidmap" - ] ++ lib.optionals config.users.mutableUsers - [ "passwd" "sg" "newgrp" ]; + security.wrappers = { + su.source = "${pkgs.shadow.su}/bin/su"; + chfn.source = "${pkgs.shadow.out}/bin/chfn"; + newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap"; + newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap"; + } // (lib.mkIf config.users.mutableUsers { + passwd.source = "${pkgs.shadow.out}/bin/passwd"; + sg.source = "${pkgs.shadow.out}/bin/sg"; + newgrp.source = "${pkgs.shadow.out}/bin/newgrp"; + }); }; } From c5f1f9a3b5bcf5d2990aba0ab086767d1d384922 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 05:45:43 -0600 Subject: [PATCH 058/153] More mistake fixes --- nixos/modules/programs/kbdlight.nix | 2 +- nixos/modules/programs/light.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix index 0172368e968..58e45872fac 100644 --- a/nixos/modules/programs/kbdlight.nix +++ b/nixos/modules/programs/kbdlight.nix @@ -11,6 +11,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kbdlight ]; - security.setuidPrograms = [ "kbdlight" ]; + security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight"; }; } diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix index 09cd1113d9c..6f8c389acc9 100644 --- a/nixos/modules/programs/light.nix +++ b/nixos/modules/programs/light.nix @@ -21,6 +21,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.light ]; - security.setuidPrograms = [ "light" ]; + security.wrappers.light.source = "${pkgs.light.out}/bin/light"; }; } From 9abe7528e4c495c868fa518af50c3cdfd1e755ed Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 11:27:08 -0600 Subject: [PATCH 059/153] Switching locate over to new wrapper API --- nixos/modules/misc/locate.nix | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix index a9c84f6db24..089f354f611 100644 --- a/nixos/modules/misc/locate.nix +++ b/nixos/modules/misc/locate.nix @@ -103,15 +103,16 @@ in { config = mkIf cfg.enable { users.extraGroups = mkIf isMLocate { mlocate = {}; }; - security.setuidOwners = mkIf isMLocate - [ { group = "mlocate"; - owner = "root"; - permissions = "u+rx,g+x,o+x"; - setgid = true; - setuid = false; - program = "locate"; - } - ]; + security.wrappers = mkIf isMLocate { + mlocate = { + group = "mlocate"; + owner = "root"; + permissions = "u+rx,g+x,o+x"; + setgid = true; + setuid = false; + program = "locate"; + }; + }; nixpkgs.config = { locate.dbfile = cfg.output; }; From 4856b42ab69beb882414664551f1ca879d379936 Mon Sep 17 00:00:00 2001 
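Review bot: The migrated `locate` wrapper sets `group`, `owner`, `permissions`, `setgid`, `setuid` and `program` but no `source`, and the new `security.wrappers` builder (commit 052 in this series) compiles `-DSOURCE_PROG=\"${source}\"` from that attribute with no PATH-lookup fallback, so this wrapper will fail to evaluate or wrap nothing. Add the binary explicitly, presumably `source = "${cfg.locate}/bin/locate";` or whatever package `isMLocate` is derived from — verify against the option definitions above the hunk. The attribute name `mlocate` with `program = "locate"` works because the builder honours an explicit `program`, but naming the attribute `locate` would make the two agree and is less surprising to readers.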
From: Parnell Springmeyer Date: Sun, 29 Jan 2017 16:47:14 -0600 Subject: [PATCH 060/153] Gotta provide sane defaults! This is what I get for 5AM coding --- nixos/modules/security/wrappers/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 9909c640647..cb288fc0880 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -79,7 +79,13 @@ let (s ? "setguid" && s.setguid == true) || (s ? "permissions") then mkSetuidProgram s - else "" + else mkSetuidProgram + ({ owner = "root"; + group = "root"; + setuid = true; + setgid = false; + permissions = "u+rx,g+x,o+x"; + } // s) ) programs; in { From 0f728de67eeb8b1ebfb0c77418f95f2806f918b5 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 16:52:23 -0600 Subject: [PATCH 061/153] More migration cleanup + todos for cleanup --- nixos/modules/security/wrappers/default.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index cb288fc0880..5ec1a7e6206 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
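Review bot: The new default branch merges `setuid = true` over every wrapper that reaches it, and the condition meant to route setgid wrappers to the explicit branch tests `s ? "setguid"` (misspelled, visible in the context lines), so a wrapper declared with only `setgid = true` and no `permissions` falls through and comes out setuid root as well. Fix the spelling to `(s ? "setgid" && s.setgid == true)`, and since this default branch is now the path every bare `foo.source = …` declaration takes, state on the `security.wrappers` option that a wrapper with only `source` becomes a root-setuid binary so the exposure is a documented decision rather than an implicit one. The surrounding `map` over `programs` starts before this hunk.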
@@ -168,10 +168,24 @@ in WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin # Remove the old /var/setuid-wrappers path from the system... + # + # TDOO: this is only necessary for ugprades 16.09 => 17.x; + # this conditional removal block needs to be removed after + # the release. if [ -d ${config.security.old-wrapperDir} ]; then rm -rf ${config.security.old-wrapperDir} fi + # Remove the old /run/setuid-wrappers-dir path from the + # system as well... + # + # TDOO: this is only necessary for ugprades 16.09 => 17.x; + # this conditional removal block needs to be removed after + # the release. + if [ -d /run/setuid-wrappers-dir ]; then + rm -rf /run/setuid-wrappers-dir + fi + # Get the "/run/wrappers" path, we want to place the tmpdirs # for the wrappers there parentWrapperDir="$(dirname ${wrapperDir})" From f2f3f1479e18b530b57628c7d7725283afb57ac4 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 16:54:27 -0600 Subject: [PATCH 062/153] Derp, wrong path name --- nixos/modules/security/wrappers/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 5ec1a7e6206..73b4cad8687 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -182,8 +182,8 @@ in # TDOO: this is only necessary for ugprades 16.09 => 17.x; # this conditional removal block needs to be removed after # the release. - if [ -d /run/setuid-wrappers-dir ]; then - rm -rf /run/setuid-wrappers-dir + if [ -d /run/setuid-wrapper-dirs ]; then + rm -rf /run/setuid-wrapper-dirs fi # Get the "/run/wrappers" path, we want to place the tmpdirs From 264db4e30936cbb4dd9f88123aafb42a5259e74f Mon Sep 17 00:00:00 2001 
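Review bot: Both new comment blocks read `TDOO` and `ugprades`; since they are the markers a future maintainer will grep for to remove this 16.09 → 17.x migration code after the release, spell them `TODO: this is only necessary for upgrades 16.09 => 17.x`. The second block also hard-codes the legacy path (`/run/setuid-wrappers-dir`, corrected to `/run/setuid-wrapper-dirs` in the following commit) while the first uses `config.security.old-wrapperDir`; declaring the second path next to the first would have made the mismatch visible.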
From: Parnell Springmeyer Date: Sun, 29 Jan 2017 17:10:32 -0600 Subject: [PATCH 063/153] Set merge + mkIf always surprises me --- nixos/modules/programs/shadow.nix | 4 ++-- nixos/modules/security/pam.nix | 4 ++-- nixos/modules/security/wrappers/default.nix | 3 +++ 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index d497b662113..0f3f42901ba 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -106,10 +106,10 @@ in chfn.source = "${pkgs.shadow.out}/bin/chfn"; newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap"; newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap"; - } // (lib.mkIf config.users.mutableUsers { + } // (if config.users.mutableUsers then { passwd.source = "${pkgs.shadow.out}/bin/passwd"; sg.source = "${pkgs.shadow.out}/bin/sg"; newgrp.source = "${pkgs.shadow.out}/bin/newgrp"; - }); + } else {}); }; } diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 711e4c55c7d..3cc5db2fb9b 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -478,10 +478,10 @@ in owner = "root"; setuid = true; }; - } // (mkIf config.security.pam.enableEcryptfs { + } // (if config.security.pam.enableEcryptfs then { "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; - }); + } else {}); environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 73b4cad8687..71799175011 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
@@ -152,6 +152,9 @@ in ###### implementation config = { + + security.wrappers.fusermount.source = "${pkgs.fuse}/bin/fusermount"; + # Make sure our wrapperDir exports to the PATH env variable when # initializing the shell environment.extraInit = '' From d8ecd5eb0d30c3dc302e336755a4a1d6d0cb1ba4 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Mon, 30 Jan 2017 12:26:56 -0600 Subject: [PATCH 064/153] Switching to individually generated derivations --- nixos/modules/security/wrappers/default.nix | 46 ++++++++++++--------- 1 file changed, 26 insertions(+), 20 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 71799175011..757765ed08c 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
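Review bot: `security.wrappers.fusermount.source = "${pkgs.fuse}/bin/fusermount";` is set unconditionally in the module's `config`, so every NixOS system now gets a root-setuid fusermount in /run/wrappers/bin (the defaults from commit 060 make a bare `source` setuid root) whether or not FUSE is used. Least privilege argues for gating it, e.g. behind a `programs.fuse`-style enable option or `mkIf (lib.elem pkgs.fuse config.environment.systemPackages)`; if the old `setuidPrograms` list already carried `fusermount` unconditionally (not visible here), at least say so in a comment so the exposure is a recorded decision. The `config = {` attrset continues past the hunk.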
@@ -8,21 +8,24 @@ let (n: v: (if v ? "program" then v else v // {program=n;})) wrappers); - mkWrapper = { program, source ? null, ...}: '' - parentWrapperDir=$(dirname ${wrapperDir}) - gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ - -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ - -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include - ''; - - wrappedPrograms = pkgs.stdenv.mkDerivation { - name = "permissions-wrapper"; - unpackPhase = "true"; - installPhase = '' - mkdir -p $out/bin - ${lib.concatMapStrings mkWrapper programs} - ''; - }; + mkWrapper = { program, source ? null, ...}: + let buildWrapper = '' + parentWrapperDir=$(dirname ${wrapperDir}) + gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ + -Wformat -Wformat-security -Werror=format-security \ + -fstack-protector-strong --param ssp-buffer-size=4 \ + -D_FORTIFY_SOURCE=2 -fPIC \ + -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ + -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include + ''; + in pkgs.stdenv.mkDerivation { + name = "${program}-wrapper"; + unpackPhase = "true"; + installPhase = '' + mkdir -p $out/bin + ${buildWrapper} + ''; + }; ###### Activation script for the setcap wrappers mkSetcapProgram = @@ -32,10 +35,11 @@ let , owner ? "nobody" , group ? "nogroup" , ... - }: + }: assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"); - '' - cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program} + let wrapperDrv = mkWrapper { inherit program source; }; + in '' + cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program} # Prevent races chmod 0000 $wrapperDir/${program} 
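Review bot: The hardening flags added to the gcc line leave the wrapper non-PIE and without RELRO/BIND_NOW: `-fPIC` alone only makes position-independent code, it does not link a position-independent executable, so a setuid/capability-bearing binary is still mapped at a fixed address. Change it to `-fPIE -pie -Wl,-z,relro -Wl,-z,now` (keeping `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2`, which needs the `-O2` already present), unless this tree's cc-wrapper is already known to inject those defaults — that is not visible here. The `let` binding set this hunk edits continues past it.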
@@ -60,8 +64,10 @@ let , setgid ? false , permissions ? "u+rx,g+x,o+x" , ... - }: '' - cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program} + }: + let wrapperDrv = mkWrapper { inherit program source; }; + in '' + cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program} # Prevent races chmod 0000 $wrapperDir/${program} From 128bdac94fe8173845e162c61ddb83cb4b8ed8de Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Mon, 30 Jan 2017 12:59:29 -0600 Subject: [PATCH 065/153] Conditionally logging debug messages based on the WRAPPER_DEBUG env var being set (or not) --- nixos/modules/security/wrappers/wrapper.c | 35 ++++++++++++++--------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c index 608bd3a378c..e6f2605143f 100644 --- a/nixos/modules/security/wrappers/wrapper.c +++ b/nixos/modules/security/wrappers/wrapper.c @@ -26,6 +26,9 @@ extern char **environ; static char * sourceProg = SOURCE_PROG; static char * wrapperDir = WRAPPER_DIR; +// Wrapper debug variable name +static char * wrapperDebug = "WRAPPER_DEBUG"; + // Update the capabilities of the running process to include the given // capability in the Ambient set. static void set_ambient_cap(cap_value_t cap) @@ -34,7 +37,7 @@ static void set_ambient_cap(cap_value_t cap) if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap)) { - printf("cannot raise the capability into the Inheritable set\n"); + perror("cannot raise the capability into the Inheritable set\n"); exit(1); } @@ -56,7 +59,9 @@ static int make_caps_ambient(const char *selfPath) if(!caps) { - fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...\n"); + if(getenv(wrapperDebug)) + fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything..."); + return 1; } 
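Review bot: In the `set_ambient_cap` hunk, `perror` appends `": "` plus `strerror(errno)` and its own newline, so the `\n` kept inside `"cannot raise the capability into the Inheritable set\n"` splits the message across two lines, and the errno text is only meaningful if `capng_update` sets errno on failure, which libcap-ng does not document; `fprintf(stderr, "cannot raise the capability into the Inheritable set\n");` reports exactly what is known. In the `make_caps_ambient` hunk below it, the debug message lost its trailing `\n` (`"...not doing anything..."`), as did `"cap_from_name failed, skipping: %s"` in the later hunk of this file, so those stderr lines run into whatever is printed next, while the `cap_setpcap` and `raised %s` messages keep theirs. A small style point: `wrapperDebug` is never written, so `static const char *wrapperDebug = "WRAPPER_DEBUG";` documents that. Both functions continue outside these hunks.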
@@ -127,23 +132,27 @@ static int make_caps_ambient(const char *selfPath) cap_value_t capnum; if (cap_from_name(tok, &capnum)) { - fprintf(stderr, "cap_from_name failed, skipping: %s\n", tok); + if(getenv(wrapperDebug)) + fprintf(stderr, "cap_from_name failed, skipping: %s", tok); } else if (capnum == CAP_SETPCAP) { - // Check for the cap_setpcap capability, we set this on the - // wrapper so it can elevate the capabilities to the Ambient - // set but we do not want to propagate it down into the - // wrapped program. - // - // TODO: what happens if that's the behavior you want - // though???? I'm preferring a strict vs. loose policy here. - fprintf(stderr, "cap_setpcap in set, skipping it\n"); + // Check for the cap_setpcap capability, we set this on the + // wrapper so it can elevate the capabilities to the Ambient + // set but we do not want to propagate it down into the + // wrapped program. + // + // TODO: what happens if that's the behavior you want + // though???? I'm preferring a strict vs. loose policy here. + if(getenv(wrapperDebug)) + fprintf(stderr, "cap_setpcap in set, skipping it\n"); } else { - set_ambient_cap(capnum); - printf("raised %s into the Ambient capability set\n", tok); + set_ambient_cap(capnum); + + if(getenv(wrapperDebug)) + fprintf(stderr, "raised %s into the Ambient capability set\n", tok); } } cap_free(capstr); From af09e72d52d9b9918f7b2e2397181f87d0e148fd Mon Sep 17 00:00:00 2001 From: Neil Mayhew Date: Tue, 7 Feb 2017 11:07:48 -0700 Subject: [PATCH 066/153] spideroak: enable it to appear in the application menus Put files in $out/share instead of $out/usr/share --- pkgs/applications/networking/spideroak/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/applications/networking/spideroak/default.nix b/pkgs/applications/networking/spideroak/default.nix index 23c226b9f8a..bcdc3cd8342 100644 --- a/pkgs/applications/networking/spideroak/default.nix +++ b/pkgs/applications/networking/spideroak/default.nix 
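Review bot: With logging now gated on `WRAPPER_DEBUG`, a capability name that `cap_from_name` rejects is skipped silently in normal operation, so a wrapper whose file capabilities contain a misspelled or unknown name runs without it and gives no indication unless the caller happens to set the variable. Those capabilities are presumably applied by the activation script rather than supplied by the user, so that branch is reporting a configuration error, not debug noise; keep it unconditional, e.g. `fprintf(stderr, "cap_from_name failed, skipping: %s\n", tok);` without the `getenv` check, or make it fatal the way `set_ambient_cap` treats its failure. The loop and `make_caps_ambient` continue outside the hunk.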
@@ -40,6 +40,8 @@ in stdenv.mkDerivation { cp -r "./"* "$out" mkdir "$out/bin" rm "$out/usr/bin/SpiderOakONE" + rmdir $out/usr/bin || true + mv $out/usr/share $out/ patchelf --set-interpreter ${stdenv.glibc.out}/lib/${interpreter} \ "$out/opt/SpiderOakONE/lib/SpiderOakONE" @@ -48,6 +50,8 @@ in stdenv.mkDerivation { makeWrapper $out/opt/SpiderOakONE/lib/SpiderOakONE $out/bin/spideroak --set LD_LIBRARY_PATH $RPATH \ --set QT_PLUGIN_PATH $out/opt/SpiderOakONE/lib/plugins/ \ --set SpiderOak_EXEC_SCRIPT $out/bin/spideroak + + sed -i 's/^Exec=.*/Exec=spideroak/' $out/share/applications/SpiderOakONE.desktop ''; buildInputs = [ patchelf makeWrapper ]; From 0fe9b1e2033ac78b6ac6b4ded8179effee8cf592 Mon Sep 17 00:00:00 2001 From: Charles Strahan Date: Thu, 9 Feb 2017 23:58:27 -0500 Subject: [PATCH 067/153] vim-plugins: use ycmd package for youcompleteme --- pkgs/misc/vim-plugins/default.nix | 28 +++------------ .../patches/youcompleteme/2-ycm-cmake.patch | 36 ------------------- .../vim2nix/additional-nix-code/youcompleteme | 27 +++----------- 3 files changed, 9 insertions(+), 82 deletions(-) delete mode 100644 pkgs/misc/vim-plugins/patches/youcompleteme/2-ycm-cmake.patch diff --git a/pkgs/misc/vim-plugins/default.nix b/pkgs/misc/vim-plugins/default.nix index 3ee8f32da0c..fb60317172b 100644 --- a/pkgs/misc/vim-plugins/default.nix +++ b/pkgs/misc/vim-plugins/default.nix @@ -3,6 +3,7 @@ , which, fetchgit, llvmPackages , xkb_switch, rustracerd, fzf , python3, boost, icu +, ycmd , Cocoa ? null }: 
@@ -1429,32 +1430,13 @@ rec { sha256 = "1bilzzv02ksqv6m44alp32s61scxqqj5cxx1klr70mhm81k2ksb9"; }; dependencies = []; - buildInputs = [ - python go cmake - ] ++ stdenv.lib.optional stdenv.isDarwin Cocoa; - - propagatedBuildInputs = stdenv.lib.optional (!stdenv.isDarwin) rustracerd; - - patches = [ - ./patches/youcompleteme/2-ycm-cmake.patch - ]; - - # YCM requires path to external libclang 3.9 - # For explicit use and as env variable for ../third_party/ycmd/build.py - EXTRA_CMAKE_ARGS="-DEXTERNAL_LIBCLANG_PATH=${llvmPackages.clang.cc}/lib/libclang.${if stdenv.isDarwin then "dylib" else "so"}"; - buildPhase = '' - patchShebangs . substituteInPlace plugin/youcompleteme.vim \ - --replace "'ycm_path_to_python_interpreter', '''" "'ycm_path_to_python_interpreter', '${python}/bin/python'" + --replace "'ycm_path_to_python_interpreter', '''" \ + "'ycm_path_to_python_interpreter', '${python}/bin/python'" - mkdir build - pushd build - cmake -G "Unix Makefiles" . ../third_party/ycmd/cpp -DPYTHON_LIBRARIES:PATH=${python}/lib/libpython2.7.so -DPYTHON_INCLUDE_DIR:PATH=${python}/include/python2.7 -DUSE_CLANG_COMPLETER=ON \ - $EXTRA_CMAKE_ARGS - make ycm_core -j''${NIX_BUILD_CORES} -l''${NIX_BUILD_CORES}} - ${python}/bin/python ../third_party/ycmd/build.py --gocode-completer --clang-completer - popd + rm -r third_party/ycmd + ln -s ${ycmd}/lib/ycmd third_party ''; meta = { diff --git a/pkgs/misc/vim-plugins/patches/youcompleteme/2-ycm-cmake.patch b/pkgs/misc/vim-plugins/patches/youcompleteme/2-ycm-cmake.patch deleted file mode 100644 index a1c4b1b39a4..00000000000 --- a/pkgs/misc/vim-plugins/patches/youcompleteme/2-ycm-cmake.patch +++ /dev/null 
@@ -1,36 +0,0 @@ ---- ./third_party/ycmd/cpp/ycm/CMakeLists.txt -+++ ./third_party/ycmd/cpp/ycm/CMakeLists.txt -@@ -335,7 +335,7 @@ - COMMAND ${CMAKE_COMMAND} -E copy "${LIBCLANG_TARGET}" "$" - ) - -- if( APPLE ) -+ #if( APPLE ) - # In OS X El Capitan, Apple introduced System Integrity Protection. - # Amongst other things, this introduces features to the dynamic loader - # (dyld) which cause it to "sanitise" (and complain about) embedded -@@ -354,15 +354,15 @@ - # simply strip the rpath entry from the dylib. There's no way any - # @executable_path that python might have could be in any way useful to - # libclang.dylib, so this seems perfectly safe. -- get_filename_component( LIBCLANG_TAIL ${LIBCLANG_TARGET} NAME ) -- add_custom_command( TARGET ${PROJECT_NAME} -- POST_BUILD -- COMMAND install_name_tool -- "-delete_rpath" -- "@executable_path/../lib" -- "$/${LIBCLANG_TAIL}" -- ) -- endif() -+ # get_filename_component( LIBCLANG_TAIL ${LIBCLANG_TARGET} NAME ) -+ #add_custom_command( TARGET ${PROJECT_NAME} -+ # POST_BUILD -+ # COMMAND install_name_tool -+ # "-delete_rpath" -+ # "@executable_path/../lib" -+ # "$/${LIBCLANG_TAIL}" -+ # ) -+ # endif() - endif() - endif() - diff --git a/pkgs/misc/vim-plugins/vim2nix/additional-nix-code/youcompleteme b/pkgs/misc/vim-plugins/vim2nix/additional-nix-code/youcompleteme index 8da267837fb..d61fdff0f08 100644 --- a/pkgs/misc/vim-plugins/vim2nix/additional-nix-code/youcompleteme +++ b/pkgs/misc/vim-plugins/vim2nix/additional-nix-code/youcompleteme 
@@ -1,29 +1,10 @@ - buildInputs = [ - python go cmake - ] ++ stdenv.lib.optional stdenv.isDarwin Cocoa; - - propagatedBuildInputs = stdenv.lib.optional (!stdenv.isDarwin) rustracerd; - - patches = [ - ./patches/youcompleteme/2-ycm-cmake.patch - ]; - - # YCM requires path to external libclang 3.9 - # For explicit use and as env variable for ../third_party/ycmd/build.py - EXTRA_CMAKE_ARGS="-DEXTERNAL_LIBCLANG_PATH=${llvmPackages.clang.cc}/lib/libclang.${if stdenv.isDarwin then "dylib" else "so"}"; - buildPhase = '' - patchShebangs . substituteInPlace plugin/youcompleteme.vim \ - --replace "'ycm_path_to_python_interpreter', '''" "'ycm_path_to_python_interpreter', '${python}/bin/python'" + --replace "'ycm_path_to_python_interpreter', '''" \ + "'ycm_path_to_python_interpreter', '${python}/bin/python'" - mkdir build - pushd build - cmake -G "Unix Makefiles" . ../third_party/ycmd/cpp -DPYTHON_LIBRARIES:PATH=${python}/lib/libpython2.7.so -DPYTHON_INCLUDE_DIR:PATH=${python}/include/python2.7 -DUSE_CLANG_COMPLETER=ON \ - $EXTRA_CMAKE_ARGS - make ycm_core -j''${NIX_BUILD_CORES} -l''${NIX_BUILD_CORES}} - ${python}/bin/python ../third_party/ycmd/build.py --gocode-completer --clang-completer - popd + rm -r third_party/ycmd + ln -s ${ycmd}/lib/ycmd third_party ''; meta = { From 9d55479e07421d1c02c4bbab9508bf5d0913c21b Mon Sep 17 00:00:00 2001 From: danbst Date: Sun, 12 Feb 2017 13:57:42 +0000 Subject: [PATCH 068/153] add .overrideDerivation and .overrideAttrs to packages created with `callPackages`/`callPackagesWith` nix/nixUnstable, tomcatN and postgresqlNN use `callPackages` pattern, they have .override attribute, but lack .overrideDerivation and recent .overrideAttrs. Packages created with `callPackage` have all of those. Because .overrideDerivation function is used in public, without this we can break code when refactoring callPackage -> callPackages. --- lib/customisation.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) 
diff --git a/lib/customisation.nix b/lib/customisation.nix index 41fe07fbd0a..bedb91af773 100644 --- a/lib/customisation.nix +++ b/lib/customisation.nix @@ -106,11 +106,9 @@ rec { let f = if builtins.isFunction fn then fn else import fn; auto = builtins.intersectAttrs (builtins.functionArgs f) autoArgs; - finalArgs = auto // args; - pkgs = f finalArgs; - mkAttrOverridable = name: pkg: pkg // { - override = newArgs: mkAttrOverridable name (f (finalArgs // newArgs)).${name}; - }; + origArgs = auto // args; + pkgs = f origArgs; + mkAttrOverridable = name: pkg: makeOverridable (newArgs: (f newArgs).${name}) origArgs; in lib.mapAttrs mkAttrOverridable pkgs; From a50b4d0e03df781d081a492bd292a34a81e059e1 Mon Sep 17 00:00:00 2001 From: Vincent Demeester Date: Mon, 13 Feb 2017 16:42:39 +0100 Subject: [PATCH 069/153] docker: 1.13.0 -> 1.13.1 Signed-off-by: Vincent Demeester --- .../applications/virtualization/docker/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pkgs/applications/virtualization/docker/default.nix b/pkgs/applications/virtualization/docker/default.nix index 7c0475697c0..903ee98a0e1 100644 --- a/pkgs/applications/virtualization/docker/default.nix +++ b/pkgs/applications/virtualization/docker/default.nix @@ -11,14 +11,14 @@ with lib; stdenv.mkDerivation rec { name = "docker-${version}"; - version = "1.13.0"; - rev = "49bf474"; # should match the version commit + version = "1.13.1"; + rev = "092cba3"; # should match the version commit src = fetchFromGitHub { owner = "docker"; repo = "docker"; rev = "v${version}"; - sha256 = "03b181xiqgnwanc567w9p6rbdgdvrfv0lk4r7b604ksm0fr4cz23"; + sha256 = "0l9kjibnpwcgk844sibxk9ppyqniw9r0np1mzp95f8f461jb0iar"; }; docker-runc = runc.overrideAttrs (oldAttrs: rec { 
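Review bot: In the new `mkAttrOverridable`, the `pkg` parameter is no longer used — the result is rebuilt from `f newArgs` — so `mkAttrOverridable = name: _: makeOverridable (newArgs: (f newArgs).${name}) origArgs;` makes that explicit and stops a reader from assuming `pkg` feeds into the result. Each `.override` now re-applies the whole function `f` and selects one attribute, which is what the old recursion did as well, but it is worth a one-line comment above the binding, e.g. `# f is re-applied with the new args and the attribute re-selected; makeOverridable adds override/overrideDerivation/overrideAttrs.`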
@@ -26,8 +26,8 @@ stdenv.mkDerivation rec { src = fetchFromGitHub { owner = "docker"; repo = "runc"; - rev = "2f7393a47307a16f8cee44a37b262e8b81021e3e"; - sha256 = "1s5nfnbinzmcnm8avhvsniz0ihxyva4w5qz1hzzyqdyr0w2scnbj"; + rev = "9df8b306d01f59d3a8029be411de015b7304dd8f"; + sha256 = "1yvrk1w2409b90gk55k72z7l3jlkj682x4h3b7004mkl9bhscqd9"; }; # docker/runc already include these patches / are not applicable patches = []; @@ -37,8 +37,8 @@ stdenv.mkDerivation rec { src = fetchFromGitHub { owner = "docker"; repo = "containerd"; - rev = "03e5862ec0d8d3b3f750e19fca3ee367e13c090e"; - sha256 = "184sd9dwkcba3zhxnz9grw8p81x05977p36cif2dgkhjdhv12map"; + rev = "aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1"; + sha256 = "0vidbsgyn77m98kisrqnbykva0zmk1ljprgqhbfp5lw16ac6qj8c"; }; }); docker-tini = tini.overrideAttrs (oldAttrs: rec { From 23fee8bfbddd8ce4c0a38ff4cbdd3cc9481232bd Mon Sep 17 00:00:00 2001 From: Tuomas Tynkkynen Date: Sat, 11 Feb 2017 14:18:17 +0200 Subject: [PATCH 070/153] nixos-rebuild: Support passing e.g. '-j8' Where there is no space between '-j' and the number. --- nixos/modules/installer/tools/nixos-rebuild.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index 8e55a4f525f..846f79d77f4 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh @@ -52,13 +52,13 @@ while [ "$#" -gt 0 ]; do repair=1 extraBuildFlags+=("$i") ;; - --show-trace|--no-build-hook|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q) - extraBuildFlags+=("$i") - ;; --max-jobs|-j|--cores|-I) j="$1"; shift 1 extraBuildFlags+=("$i" "$j") ;; + --show-trace|--no-build-hook|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*) + extraBuildFlags+=("$i") + ;; --option) j="$1"; shift 1 k="$1"; shift 1 
From 2000f0941e5de5ce62ede09f2003ff3ccfcd26ac Mon Sep 17 00:00:00 2001 From: Tuomas Tynkkynen Date: Sat, 11 Feb 2017 15:52:23 +0200 Subject: [PATCH 071/153] nixos-rebuild: Don't build nixos-rebuild with --fast --- nixos/modules/installer/tools/nixos-rebuild.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index 846f79d77f4..4f73865dad6 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh @@ -15,6 +15,7 @@ origArgs=("$@") extraBuildFlags=() action= buildNix=1 +fast= rollback= upgrade= repair= @@ -66,6 +67,7 @@ while [ "$#" -gt 0 ]; do ;; --fast) buildNix= + fast=1 extraBuildFlags+=(--show-trace) ;; --profile-name|-p) @@ -217,7 +219,7 @@ if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then fi # Re-execute nixos-rebuild from the Nixpkgs tree. -if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then +if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" -a -z "$fast" ]; then if p=$(nix-build --no-out-link --expr 'with import {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then export _NIXOS_REBUILD_REEXEC=1 exec $p/bin/nixos-rebuild "${origArgs[@]}" From 9775a26da39e72298bae1914ddec24799f80e33f Mon Sep 17 00:00:00 2001 From: Rongcui Dong Date: Sat, 11 Feb 2017 18:44:29 -0800 Subject: [PATCH 072/153] stlink: 1.1.0 -> 1.3.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [Bjørn: Upstream moved from autotools to cmake.] --- .../development/tools/misc/stlink/default.nix | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/pkgs/development/tools/misc/stlink/default.nix b/pkgs/development/tools/misc/stlink/default.nix index e52795bf5cd..de13f6709b2 100644 --- a/pkgs/development/tools/misc/stlink/default.nix +++ b/pkgs/development/tools/misc/stlink/default.nix 
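Review bot: The re-exec guard now chains three conditions with `-a` inside `[ ]`, a form POSIX marks obsolescent and whose parsing is ambiguous with more operands; since the script already relies on bash (`extraBuildFlags+=(...)`), `if [[ -z "$_NIXOS_REBUILD_REEXEC" && -n "$canRun" && -z "$fast" ]]; then` is the clearer form. A short comment above the `--fast)` case saying that it also disables the re-exec from the Nixpkgs tree would save the next reader from chasing `fast=` through the script, e.g. `# --fast: skip building nix and skip re-executing nixos-rebuild from Nixpkgs`.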
@@ -1,30 +1,33 @@ -{ stdenv, fetchurl, autoconf, automake, libtool, pkgconfig, libusb1 }: +{ stdenv, fetchurl, cmake, libusb1 }: -# IMPORTANT: You need permissions to access the stlink usb devices. Here are -# example udev rules for stlink v1 and v2 so you don't need to have root -# permissions (copied from /49-stlink*.rules): -# -# SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3744", MODE:="0666", SYMLINK+="stlinkv1_%n" -# SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", MODE:="0666", SYMLINK+="stlinkv2_%n" +# IMPORTANT: You need permissions to access the stlink usb devices. +# Add services.udev.pkgs = [ pkgs.stlink ] to your configuration.nix let - version = "1.1.0"; + version = "1.3.0"; in stdenv.mkDerivation { name = "stlink-${version}"; src = fetchurl { url = "https://github.com/texane/stlink/archive/${version}.tar.gz"; - sha256 = "0b38a32ids9dpnz5h892l279fz8y1zzqk1qsnyhl1nm03p7xzi1s"; + sha256 = "3e8cba21744d2c38a0557f6835a05189e1b98202931bb0183d22efc462c893dd"; }; - buildInputs = [ autoconf automake libtool pkgconfig libusb1 ]; - preConfigure = "./autogen.sh"; + buildInputs = [ cmake libusb1 ]; + patchPhase = '' + sed -i 's@/etc/udev/rules.d@$ENV{out}/etc/udev/rules.d@' CMakeLists.txt + sed -i 's@/etc/modprobe.d@$ENV{out}/etc/modprobe.d@' CMakeLists.txt + ''; + preInstall = '' + mkdir -p $out/etc/udev/rules.d + mkdir -p $out/etc/modprobe.d + ''; meta = with stdenv.lib; { description = "In-circuit debug and programming for ST-Link devices"; license = licenses.bsd3; platforms = platforms.linux; - maintainers = [ maintainers.bjornfor ]; + maintainers = [ maintainers.bjornfor maintainers.rongcuid ]; }; } From be7a6eb70e7c305eed877850c9ebb6d50c52457e Mon Sep 17 00:00:00 2001 
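Review bot: The comment added at the top points users at `services.udev.pkgs`, but the NixOS option that installs a package's udev rules is `services.udev.packages`, so the line should read `# Add services.udev.packages = [ pkgs.stlink ] to your configuration.nix`. Also, defining `patchPhase` replaces the stdenv default phase (which applies `patches` and runs the patch hooks); the two `sed` calls belong in `postPatch` so that behaviour is kept if patches are added later. The new `sha256` is written as 64 hex characters where the rest of the file uses base32; Nix accepts both, so this is only a consistency point.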
From: Matthias Herrmann Date: Sun, 12 Feb 2017 20:22:35 +0100 Subject: [PATCH 073/153] sweethome3d: 5.2 -> 5.4 --- pkgs/applications/misc/sweethome3d/default.nix | 9 ++++----- pkgs/applications/misc/sweethome3d/editors.nix | 1 + 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/applications/misc/sweethome3d/default.nix b/pkgs/applications/misc/sweethome3d/default.nix index 68dd69f385d..4a530a92781 100644 --- a/pkgs/applications/misc/sweethome3d/default.nix +++ b/pkgs/applications/misc/sweethome3d/default.nix @@ -6,9 +6,8 @@ let getDesktopFileName = drvName: (builtins.parseDrvName drvName).name; # TODO: Should we move this to `lib`? Seems like its would be useful in many cases. - extensionOf = filePath: - lib.concatStringsSep "." (lib.tail (lib.splitString "." - (builtins.baseNameOf filePath))); + extensionOf = filePath: + lib.concatStringsSep "." (lib.tail (lib.splitString "." (builtins.baseNameOf filePath))); installIcons = iconName: icons: lib.concatStringsSep "\n" (lib.mapAttrsToList (size: iconFile: '' mkdir -p "$out/share/icons/hicolor/${size}/apps" @@ -68,14 +67,14 @@ let in rec { application = mkSweetHome3D rec { - version = "5.2"; + version = "5.4"; module = "SweetHome3D"; name = stdenv.lib.toLower module + "-application-" + version; description = "Design and visualize your future home"; license = stdenv.lib.licenses.gpl2Plus; src = fetchcvs { cvsRoot = ":pserver:anonymous@sweethome3d.cvs.sourceforge.net:/cvsroot/sweethome3d"; - sha256 = "0vws3lj5lgix5fz2hpqvz6p79py5gbfpkhmqpfb1knx1a12310bb"; + sha256 = "09sk4svmaiw8dabcya3407iq5yjwxbss8pik1rzalrlds2428vyw"; module = module; tag = "V_" + d2u version; }; diff --git a/pkgs/applications/misc/sweethome3d/editors.nix b/pkgs/applications/misc/sweethome3d/editors.nix index 61b47dcdd2a..7dbf1e8f2a3 100644 --- a/pkgs/applications/misc/sweethome3d/editors.nix +++ b/pkgs/applications/misc/sweethome3d/editors.nix 
@@ -30,6 +30,7 @@ let patchPhase = '' sed -i -e 's,../SweetHome3D,${application.src},g' build.xml + sed -i -e 's,lib/macosx/java3d-1.6/jogl-all.jar,lib/java3d-1.6/jogl-all.jar,g' build.xml ''; buildPhase = '' From 2ad8face66e73529bda21aac97e9a374c8d7deda Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Mon, 13 Feb 2017 22:20:49 +0100 Subject: [PATCH 074/153] wireguard: 0.0.20170115 -> 0.0.20170213 (#22759) --- pkgs/os-specific/linux/wireguard/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix index 12c5eedcb96..8a2e6287364 100644 --- a/pkgs/os-specific/linux/wireguard/default.nix +++ b/pkgs/os-specific/linux/wireguard/default.nix @@ -6,11 +6,11 @@ assert kernel != null -> stdenv.lib.versionAtLeast kernel.version "3.18"; let name = "wireguard-${version}"; - version = "0.0.20170115"; + version = "0.0.20170213"; src = fetchurl { url = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${version}.tar.xz"; - sha256 = "1s7zypgbwyf3mkh9any413p0awpny0dxix8d1plsrm52k539ypvy"; + sha256 = "256a7d41cf228f2a88e1b03b3911746dc827fe7be5b982c60080e7f81998cc6d"; }; meta = with stdenv.lib; { From 7b6a88c95e99c29e6d89ff4e34beac701c1f0681 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 13 Feb 2017 22:16:12 +0100 Subject: [PATCH 075/153] urh: init at 1.3.3 --- pkgs/applications/misc/urh/default.nix | 25 +++++++++++++++++++++++++ pkgs/top-level/all-packages.nix | 2 ++ 2 files changed, 27 insertions(+) create mode 100644 pkgs/applications/misc/urh/default.nix diff --git a/pkgs/applications/misc/urh/default.nix b/pkgs/applications/misc/urh/default.nix new file mode 100644 index 00000000000..713a36f1029 --- /dev/null +++ b/pkgs/applications/misc/urh/default.nix 
@@ -0,0 +1,25 @@ +{ stdenv, fetchFromGitHub, python3Packages }: + +python3Packages.buildPythonApplication rec { + name = "urh-${version}"; + version = "1.3.3"; + + src = fetchFromGitHub { + owner = "jopohl"; + repo = "urh"; + rev = "v${version}"; + sha256 = "137dsxs4i0lmxwp31g8fzwpwv1i8rsiir9gxvs5cmnwsrbcrdvxh"; + }; + + propagatedBuildInputs = with python3Packages; [ pyqt5 numpy psutil cython ]; + + doCheck = false; + + meta = with stdenv.lib; { + inherit (src.meta) homepage; + description = "Universal Radio Hacker: investigate wireless protocols like a boss"; + license = licenses.asl20; + platform = platforms.all; + maintainers = with maintainers; [ fpletz ]; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 96b56479d57..30694dc8740 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -15354,6 +15354,8 @@ with pkgs; unpaper = callPackage ../tools/graphics/unpaper { }; + urh = callPackage ../applications/misc/urh { }; + uucp = callPackage ../tools/misc/uucp { }; uvccapture = callPackage ../applications/video/uvccapture { }; From 51592a3f495b032dbe53b0d97a2fe471c550e3d1 Mon Sep 17 00:00:00 2001 From: mimadrid Date: Mon, 13 Feb 2017 22:38:36 +0100 Subject: [PATCH 076/153] ripgrep: 0.3.2 -> 0.4.0 --- pkgs/tools/text/ripgrep/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/text/ripgrep/default.nix b/pkgs/tools/text/ripgrep/default.nix index 8d7ffd3e477..7ba43e38f38 100644 --- a/pkgs/tools/text/ripgrep/default.nix +++ b/pkgs/tools/text/ripgrep/default.nix 
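Review bot: In `meta`, `platform = platforms.all;` sets an attribute nothing reads — the key nixpkgs evaluates is `platforms` — so the package ends up with no platform list and Hydra will not schedule it; the line should be `platforms = platforms.all;`. `doCheck = false;` carries no reason; a one-line comment stating why the tests are disabled would help the next maintainer decide whether it can be re-enabled.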
@@ -4,16 +4,16 @@ with rustPlatform; buildRustPackage rec { name = "ripgrep-${version}"; - version = "0.3.2"; + version = "0.4.0"; src = fetchFromGitHub { owner = "BurntSushi"; repo = "ripgrep"; rev = "${version}"; - sha256 = "15j68bkkxpbh9c05f8l7j0y33da01y28kpg781lc0234h45535f3"; + sha256 = "0y5d1n6hkw85jb3rblcxqas2fp82h3nghssa4xqrhqnz25l799pj"; }; - depsSha256 = "142h6pcf2mr4i7dg7di4299c18aqn0yvk9nr1mxnkb7wjcmrvcfg"; + depsSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx"; meta = with stdenv.lib; { description = "A utility that combines the usability of The Silver Searcher with the raw speed of grep"; From 7e5424ac0913e1f890fb8227c8e4790dbf098cb0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 13 Feb 2017 22:43:40 +0100 Subject: [PATCH 077/153] php: default to php71 --- nixos/doc/manual/release-notes/rl-1703.xml | 4 ++++ pkgs/top-level/all-packages.nix | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 37173ccd744..51de93db92f 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -21,6 +21,10 @@ has the following highlights: ati_unfree keeps forcing 1.17 and amdgpu-pro starts forcing 1.18. + + + PHP now defaults to PHP 7.1 + The following new services were added since the last release: diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 30694dc8740..33273481cd4 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5792,7 +5792,7 @@ with pkgs; pachyderm = callPackage ../applications/networking/cluster/pachyderm { }; - php = php70; + php = php71; phpPackages = php70Packages; From dda70d9b06cfb876d34f07b668c04cd2a401f9fd Mon Sep 17 00:00:00 2001 
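Review bot: `php` now points at `php71` while the context line right below it, `phpPackages = php70Packages;`, is unchanged, so the default interpreter and the default extension set are built against different PHP versions and any extension from `phpPackages` loaded into the default `php` will be ABI-mismatched; if a `php71Packages` set exists it should be switched in the same commit, `phpPackages = php71Packages;`. The release-note entry should then describe that consistent default rather than the interpreter alone.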
From: ndowens Date: Sun, 12 Feb 2017 20:51:17 -0600 Subject: [PATCH 078/153] epic5: init at 2.0.1 Added conditional to support darwin Changed comment about buildInputs Added 's' to optional condition --- .../networking/irc/epic5/default.nix | 34 +++++++++++++++++++ pkgs/top-level/all-packages.nix | 2 ++ 2 files changed, 36 insertions(+) create mode 100644 pkgs/applications/networking/irc/epic5/default.nix diff --git a/pkgs/applications/networking/irc/epic5/default.nix b/pkgs/applications/networking/irc/epic5/default.nix new file mode 100644 index 00000000000..94c3833995d --- /dev/null +++ b/pkgs/applications/networking/irc/epic5/default.nix @@ -0,0 +1,34 @@ +{stdenv, fetchurl, pkgs, openssl + , ncurses, libiconv, tcl }: + +stdenv.mkDerivation rec { + name = "epic5-${version}"; + version = "2.0.1"; + + src = fetchurl { + url = "http://ftp.epicsol.org/pub/epic/EPIC5-PRODUCTION/${name}.tar.xz"; + sha256 = "1ap73d5f4vccxjaaq249zh981z85106vvqmxfm4plvy76b40y9jm"; + }; + + # Darwin needs libiconv, tcl; while Linux build don't + + buildInputs = [ openssl ncurses ] + ++ stdenv.lib.optionals + stdenv.isDarwin [ libiconv tcl ]; + + postConfigure = '' + substituteInPlace bsdinstall \ + --replace /bin/cp cp \ + --replace /bin/rm rm \ + --replace /bin/chmod chmod \ + ''; + meta = with stdenv.lib; { + homepage = "http://epicsol.org/"; + description = "a IRC client that offers a great ircII interface"; + license = licenses.bsd3; + maintainers = [ maintainers.ndowens ]; + }; +} + + + diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index f9ddc52ea22..4784fcf1df4 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -13154,6 +13154,8 @@ with pkgs; inherit (gnome3) epiphany; + epic5 = callPackage ../applications/networking/irc/epic5 { }; + eq10q = callPackage ../applications/audio/eq10q { }; errbot = callPackage ../applications/networking/errbot { From 74041a42a929cefb9e88435b3857cc37f10166db Mon Sep 17 00:00:00 2001 
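Review bot: `meta` has no `platforms`, so the package is not marked buildable on any platform for Hydra even though `buildInputs` already branches on `stdenv.isDarwin`, which suggests `platforms = platforms.unix;` was intended. The `pkgs` argument is taken but never used, and the last `--replace /bin/chmod chmod \` line ends with a continuation backslash that runs the command onto the closing blank line; dropping both keeps the expression tidy. The description `"a IRC client that offers a great ircII interface"` reads better in the usual nixpkgs form without the leading article, e.g. `description = "IRC client that offers a great ircII interface";`.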
From: Thomas Tuegel Date: Mon, 13 Feb 2017 16:02:14 -0600 Subject: [PATCH 079/153] shimbun: init at 20170203.647 --- .../editors/emacs-modes/melpa-generated.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/pkgs/applications/editors/emacs-modes/melpa-generated.nix b/pkgs/applications/editors/emacs-modes/melpa-generated.nix index a47b5d69760..7a95620d727 100644 --- a/pkgs/applications/editors/emacs-modes/melpa-generated.nix +++ b/pkgs/applications/editors/emacs-modes/melpa-generated.nix @@ -60062,6 +60062,25 @@ license = lib.licenses.free; }; }) {}; + shimbun = callPackage ({ fetchcvs, fetchurl, lib, melpaBuild }: melpaBuild { + pname = "shimbun"; + version = "20170203.647"; + src = fetchcvs { + cvsRoot = ":pserver:anonymous@cvs.namazu.org:/storage/cvsroot"; + module = "emacs-w3m"; + sha256 = "ac08d29a884ac5e692a18fd47a7d3a43f1fe7464c3acb923e63da39201bf6453"; + }; + recipeFile = fetchurl { + url = "https://raw.githubusercontent.com/milkypostman/melpa/8bbb18b0db057b9cca78ae7280674fd1beb56443/recipes/shimbun"; + sha256 = "05dxdyh8xvbpjmc19q733jmjd6kgv8rdahjd3bw5wwsb3smqig4x"; + name = "shimbun"; + }; + packageRequires = []; + meta = { + homepage = "https://melpa.org/#/shimbun"; + license = lib.licenses.free; + }; + }) {}; shm = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "shm"; From 549f5b7d139315e37d6cfa9cf2cb9ac356a7b749 Mon Sep 17 00:00:00 2001 From: Thomas Tuegel Date: Mon, 13 Feb 2017 16:02:51 -0600 Subject: [PATCH 080/153] Update e-mail address for ttuegel --- lib/maintainers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/maintainers.nix b/lib/maintainers.nix index 3753a6955c8..82f59e728ed 100644 --- a/lib/maintainers.nix +++ b/lib/maintainers.nix 
@@ -490,7 +490,7 @@ travisbhartwell = "Travis B. Hartwell "; trino = "Hubert Mühlhans "; tstrobel = "Thomas Strobel <4ZKTUB6TEP74PYJOPWIR013S2AV29YUBW5F9ZH2F4D5UMJUJ6S@hash.domains>"; - ttuegel = "Thomas Tuegel "; + ttuegel = "Thomas Tuegel "; tv = "Tomislav Viljetić "; tvestelind = "Tomas Vestelind "; tvorog = "Marsel Zaripov "; From cda4a4dcfce277b93b87be49945ed44f61483ee1 Mon Sep 17 00:00:00 2001 From: Rickard Nilsson Date: Mon, 13 Feb 2017 23:11:40 +0100 Subject: [PATCH 081/153] nixos/grafana: Don't print password warning if no password has been set --- nixos/modules/services/monitoring/grafana.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index b9e4015c238..97806d5d83e 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ options, config, lib, pkgs, ... }: with lib; @@ -232,9 +232,10 @@ in { }; config = mkIf cfg.enable { - warnings = [ - "Grafana passwords will be stored as plaintext in the Nix store!" - ]; + warnings = optional ( + cfg.database.password != options.services.grafana.database.password.default || + cfg.security.adminPassword != options.services.grafana.security.adminPassword.default + ) "Grafana passwords will be stored as plaintext in the Nix store!"; environment.systemPackages = [ cfg.package ]; From 66eba1f3e0f0bb4c8b424e69c19a704e1b102a7f Mon Sep 17 00:00:00 2001 From: Daiderd Jordan Date: Mon, 13 Feb 2017 23:35:09 +0100 Subject: [PATCH 082/153] epic5: add configure flags --- .../networking/irc/epic5/default.nix | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/pkgs/applications/networking/irc/epic5/default.nix b/pkgs/applications/networking/irc/epic5/default.nix index 94c3833995d..2daeab5d302 100644 --- a/pkgs/applications/networking/irc/epic5/default.nix 
+++ b/pkgs/applications/networking/irc/epic5/default.nix @@ -1,5 +1,4 @@ -{stdenv, fetchurl, pkgs, openssl - , ncurses, libiconv, tcl }: +{ stdenv, fetchurl, openssl, ncurses, libiconv, tcl }: stdenv.mkDerivation rec { name = "epic5-${version}"; @@ -8,20 +7,21 @@ stdenv.mkDerivation rec { src = fetchurl { url = "http://ftp.epicsol.org/pub/epic/EPIC5-PRODUCTION/${name}.tar.xz"; sha256 = "1ap73d5f4vccxjaaq249zh981z85106vvqmxfm4plvy76b40y9jm"; - }; + }; + + # Darwin needs libiconv, tcl; while Linux build don't + buildInputs = [ openssl ncurses ] + ++ stdenv.lib.optionals stdenv.isDarwin [ libiconv tcl ]; + + configureFlags = [ "--disable-debug" "--with-ipv6" ]; - # Darwin needs libiconv, tcl; while Linux build don't - - buildInputs = [ openssl ncurses ] - ++ stdenv.lib.optionals - stdenv.isDarwin [ libiconv tcl ]; - postConfigure = '' - substituteInPlace bsdinstall \ + substituteInPlace bsdinstall \ --replace /bin/cp cp \ --replace /bin/rm rm \ - --replace /bin/chmod chmod \ - ''; + --replace /bin/chmod chmod + ''; + meta = with stdenv.lib; { homepage = "http://epicsol.org/"; description = "a IRC client that offers a great ircII interface"; From 2aad8590d71f433d7263c5ddb4e7540e7e308473 Mon Sep 17 00:00:00 2001 From: mimadrid Date: Mon, 13 Feb 2017 22:53:08 +0100 Subject: [PATCH 083/153] sudo: 1.8.19p1 -> 1.8.19p2 --- pkgs/tools/security/sudo/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix index f2fede456d1..d360bd8b17e 100644 --- a/pkgs/tools/security/sudo/default.nix +++ b/pkgs/tools/security/sudo/default.nix 
@@ -4,14 +4,14 @@ }: stdenv.mkDerivation rec { - name = "sudo-1.8.19p1"; + name = "sudo-1.8.19p2"; src = fetchurl { urls = [ "ftp://ftp.sudo.ws/pub/sudo/${name}.tar.gz" "ftp://ftp.sudo.ws/pub/sudo/OLD/${name}.tar.gz" ]; - sha256 = "14pwdwl03kdbbyjkvxrfx409x3c1fjqz8aqz2wgwddinhz7v3bxq"; + sha256 = "1q2j3b1xqw66kdd5h8a6j62cz7xhk1qp1dx4rz59xm9agkk1hzi3"; }; configureFlags = [ From 0b8564ba35bf20405c94154f27777b6bfaea3b31 Mon Sep 17 00:00:00 2001 From: mimadrid Date: Mon, 13 Feb 2017 23:57:50 +0100 Subject: [PATCH 084/153] qutebrowser: 0.9.0 -> 0.9.1 --- .../networking/browsers/qutebrowser/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/networking/browsers/qutebrowser/default.nix b/pkgs/applications/networking/browsers/qutebrowser/default.nix index 3746bbe4f7e..4c186fcf5ea 100644 --- a/pkgs/applications/networking/browsers/qutebrowser/default.nix +++ b/pkgs/applications/networking/browsers/qutebrowser/default.nix @@ -7,11 +7,11 @@ let pdfjs = stdenv.mkDerivation rec { name = "pdfjs-${version}"; - version = "1.5.188"; + version = "1.7.225"; src = fetchurl { url = "https://github.com/mozilla/pdf.js/releases/download/v${version}/${name}-dist.zip"; - sha256 = "1y3yaqfgjj96qzvbm5200x68j5hy1qs7l2mqm3kbbj2b58z9f1qv"; + sha256 = "1n8ylmv60r0qbw2vilp640a87l4lgnrsi15z3iihcs6dj1n1yy67"; }; nativeBuildInputs = [ unzip ]; @@ -24,12 +24,12 @@ let in buildPythonApplication rec { name = "qutebrowser-${version}"; - version = "0.9.0"; + version = "0.9.1"; namePrefix = ""; src = fetchurl { url = "https://github.com/The-Compiler/qutebrowser/releases/download/v${version}/${name}.tar.gz"; - sha256 = "1fp7yddx8xmy6hx01gg4z3vnw8b9qa5ixam7150i3xaalx0gjzfq"; + sha256 = "0pf91nc0xcykahc3x7ww525c9czm8zpg80nxl8n2mrzc4ilgvass"; }; # Needs tox From 486b9be579fc1f046671ddaf1157f084ba956bdd Mon Sep 17 00:00:00 2001 
From: Robert Helgesson Date: Mon, 13 Feb 2017 23:59:03 +0100 Subject: [PATCH 085/153] eclipse-plugin-scala: use stable download URL Unfortunately, the latest release does not appear to be available through a stable URL. --- pkgs/applications/editors/eclipse/plugins.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/editors/eclipse/plugins.nix b/pkgs/applications/editors/eclipse/plugins.nix index 68859a7ac41..76f6f4bcc48 100644 --- a/pkgs/applications/editors/eclipse/plugins.nix +++ b/pkgs/applications/editors/eclipse/plugins.nix @@ -388,7 +388,7 @@ rec { version = "4.4.1.201605041056"; src = fetchzip { - url = "http://download.scala-ide.org/sdk/lithium/e44/scala211/stable/update-site.zip"; + url = "http://download.scala-ide.org/sdk/lithium/e44/scala211/stable/base-20160504-1321.zip"; sha256 = "13xgx2rwlll0l4bs0g6gyvrx5gcc0125vzn501fdj0wv2fqxn5lw"; }; From d0a086770a1be8c1f3175c195587052c5a5bfe1c Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 13 Feb 2017 18:06:01 -0500 Subject: [PATCH 086/153] nix-daemon: default useSandbox to true --- nixos/doc/manual/release-notes/rl-1703.xml | 4 ++++ nixos/modules/services/misc/nix-daemon.nix | 8 ++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 51de93db92f..08b772e5670 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -25,6 +25,10 @@ has the following highlights: PHP now defaults to PHP 7.1 + + + nix-daemon now uses sandboxing by default. + The following new services were added since the last release: diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 7101cadfeed..4c7264f4ac8 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix 
@@ -100,14 +100,14 @@ in useSandbox = mkOption { type = types.either types.bool (types.enum ["relaxed"]); - default = false; + default = true; description = " If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies - outside of the Nix store. This isn't enabled by default for - performance. It doesn't affect derivation hashes, so changing - this option will not trigger a rebuild of packages. + outside of the Nix store. It doesn't affect derivation + hashes, so changing this option will not trigger a rebuild + of packages. "; }; From acce1d9ad26bbec08b9e8621e9afdd66da4475ef Mon Sep 17 00:00:00 2001 From: Rongcui Dong Date: Mon, 6 Feb 2017 17:05:12 -0800 Subject: [PATCH 087/153] ngspice: Add XSpice and Cider support --- pkgs/applications/science/electronics/ngspice/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/science/electronics/ngspice/default.nix b/pkgs/applications/science/electronics/ngspice/default.nix index 7a493e14bca..dfcdac20ae0 100644 --- a/pkgs/applications/science/electronics/ngspice/default.nix +++ b/pkgs/applications/science/electronics/ngspice/default.nix @@ -1,4 +1,4 @@ -{stdenv, fetchurl, readline, bison, libX11, libICE, libXaw, libXext}: +{stdenv, fetchurl, readline, bison, flex, libX11, libICE, libXaw, libXext}: stdenv.mkDerivation { name = "ngspice-26"; @@ -8,9 +8,9 @@ stdenv.mkDerivation { sha256 = "51e230c8b720802d93747bc580c0a29d1fb530f3dd06f213b6a700ca9a4d0108"; }; - buildInputs = [ readline libX11 bison libICE libXaw libXext ]; + buildInputs = [ readline libX11 flex bison libICE libXaw libXext ]; - configureFlags = [ "--enable-x" "--with-x" "--with-readline" ]; + configureFlags = [ "--enable-x" "--with-x" "--with-readline" "--enable-xspice" "--enable-cider" ]; meta = with stdenv.lib; { description = "The Next Generation Spice (Electronic Circuit Simulator)"; 
From 07c21bfaf72b54c3bcc1649c635d95fdc900a5ed Mon Sep 17 00:00:00 2001 From: Daiderd Jordan Date: Tue, 14 Feb 2017 00:27:12 +0100 Subject: [PATCH 088/153] ycmd: fix darwin build --- .../tools/misc/ycmd/2-ycm-cmake.patch | 41 +++++++++---------- pkgs/top-level/all-packages.nix | 1 + 2 files changed, 20 insertions(+), 22 deletions(-) diff --git a/pkgs/development/tools/misc/ycmd/2-ycm-cmake.patch b/pkgs/development/tools/misc/ycmd/2-ycm-cmake.patch index 76b996ec2cc..baa907b2126 100644 --- a/pkgs/development/tools/misc/ycmd/2-ycm-cmake.patch +++ b/pkgs/development/tools/misc/ycmd/2-ycm-cmake.patch @@ -2,30 +2,19 @@ diff --git a/cpp/ycm/CMakeLists.txt b/cpp/ycm/CMakeLists.txt index 2074c58e..9ecd6e57 100644 --- a/cpp/ycm/CMakeLists.txt 
+++ b/cpp/ycm/CMakeLists.txt -@@ -366,35 +366,6 @@ if( LIBCLANG_TARGET ) - POST_BUILD +@@ -335,7 +335,7 @@ COMMAND ${CMAKE_COMMAND} -E copy "${LIBCLANG_TARGET}" "$" ) -- + - if( APPLE ) -- # In OS X El Capitan, Apple introduced System Integrity Protection. -- # Amongst other things, this introduces features to the dynamic loader -- # (dyld) which cause it to "sanitise" (and complain about) embedded -- # LC_RPATH entries which contain @executable_path when then are loaded -- # into "restricted" binaries. For our purposes, "restricted" here means -- # "supplied by Apple" and includes the system versions of python. For -- # unknown reasons, the libclang.dylib that comes from llvm.org includes an -- # LC_RPATH entry '@executable_path/../lib' which causes the OS X dynamic -- # loader to print a cryptic warning to stderr of the form: -- # -- # dyld: warning, LC_RPATH @executable_path/../lib in -- # /path/to/ycmd/libclang.dylib being ignored in restricted program -- # because of @executable_path -- # -- # In order to prevent this harmless and annoying message appearing, we -- # simply strip the rpath entry from the dylib. There's no way any -- # @executable_path that python might have could be in any way useful to -- # libclang.dylib, so this seems perfectly safe. ++ #if( APPLE ) + # In OS X El Capitan, Apple introduced System Integrity Protection. + # Amongst other things, this introduces features to the dynamic loader + # (dyld) which cause it to "sanitise" (and complain about) embedded +@@ -354,15 +354,15 @@ + # simply strip the rpath entry from the dylib. There's no way any + # @executable_path that python might have could be in any way useful to + # libclang.dylib, so this seems perfectly safe. - get_filename_component( LIBCLANG_TAIL ${LIBCLANG_TARGET} NAME ) - add_custom_command( TARGET ${PROJECT_NAME} - POST_BUILD 
@@ -35,6 +24,14 @@ index 2074c58e..9ecd6e57 100644 - "$/${LIBCLANG_TAIL}" - ) - endif() ++ # get_filename_component( LIBCLANG_TAIL ${LIBCLANG_TARGET} NAME ) ++ #add_custom_command( TARGET ${PROJECT_NAME} ++ # POST_BUILD ++ # COMMAND install_name_tool ++ # "-delete_rpath" ++ # "@executable_path/../lib" ++ # "$/${LIBCLANG_TAIL}" ++ # ) ++ # endif() endif() endif() - diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 496d6e9e236..622fcaadb48 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6807,6 +6807,7 @@ with pkgs; ycmd = callPackage ../development/tools/misc/ycmd { inherit (darwin.apple_sdk.frameworks) Cocoa; + llvmPackages = llvmPackages_39; python = python2; }; From 08779a71e996a8d2a8a1f185d04e7d833b8c7884 Mon Sep 17 00:00:00 2001 From: Robert Helgesson Date: Tue, 14 Feb 2017 00:26:59 +0100 Subject: [PATCH 089/153] eclipse-plugin-jdt: 4.6 -> 4.6.2 --- pkgs/applications/editors/eclipse/plugins.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/editors/eclipse/plugins.nix b/pkgs/applications/editors/eclipse/plugins.nix index 76f6f4bcc48..46b81cb0a54 100644 --- a/pkgs/applications/editors/eclipse/plugins.nix +++ b/pkgs/applications/editors/eclipse/plugins.nix @@ -341,12 +341,12 @@ rec { jdt = buildEclipseUpdateSite rec { name = "jdt-${version}"; - version = "4.6"; + version = "4.6.2"; src = fetchzip { stripRoot = false; - url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.6-201606061100/org.eclipse.jdt-4.6.zip"; - sha256 = "0raz8d09fnnx19l012l5frca97qavfivvygn3mvsllcyskhqc5hg"; + url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.6.2-201611241400/org.eclipse.jdt-4.6.2.zip"; + sha256 = "1nnlrl05lh1hcsh14dlisnx0vwmj21agm4wia98rv0gl2gkp19n1"; }; meta = with stdenv.lib; { From 0ec9e695c8f9f9a2017618a7ff4e58e9a3debba0 Mon Sep 17 00:00:00 2001 
From: Tim Steinbach Date: Mon, 13 Feb 2017 18:47:01 -0500 Subject: [PATCH 090/153] linux: 3.10.104 -> 3.10.105 --- pkgs/os-specific/linux/kernel/linux-3.10.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/linux-3.10.nix b/pkgs/os-specific/linux/kernel/linux-3.10.nix index 42546b0262e..8ab879f7b00 100644 --- a/pkgs/os-specific/linux/kernel/linux-3.10.nix +++ b/pkgs/os-specific/linux/kernel/linux-3.10.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "3.10.104"; + version = "3.10.105"; extraMeta.branch = "3.10"; src = fetchurl { url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz"; - sha256 = "04kc64zdpg8h8655m825lbny3fwvqhmh3mg9h564i2irnll35lp3"; + sha256 = "1739mikbyfx1zfmra16lnprca3pcvcplqss4x1jzdqmvkh9cqnqw"; }; kernelPatches = args.kernelPatches; From 2fce8dda39c1877acf02b018ae3513ad5014f706 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 14 Feb 2017 00:47:01 +0100 Subject: [PATCH 091/153] knot-dns: fixup Darwin build again, hopefully --- pkgs/servers/dns/knot-dns/default.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pkgs/servers/dns/knot-dns/default.nix b/pkgs/servers/dns/knot-dns/default.nix index af7d4d4c48c..94d5ee9f5c7 100644 --- a/pkgs/servers/dns/knot-dns/default.nix +++ b/pkgs/servers/dns/knot-dns/default.nix @@ -2,6 +2,8 @@ , systemd, nettle, libedit, zlib, libiconv, fetchpatch }: +with { inherit (stdenv.lib) optional optionals; }; + # Note: ATM only the libraries have been tested in nixpkgs. stdenv.mkDerivation rec { name = "knot-dns-${version}"; 
@@ -16,16 +18,17 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig ]; buildInputs = [ - gnutls jansson liburcu libidn lmdb + gnutls jansson liburcu libidn nettle libedit libiconv # without sphinx &al. for developer documentation ] # Use embedded lmdb there for now, as detection is broken on Darwin somehow. - ++ stdenv.lib.optionals stdenv.isLinux [ libcap_ng systemd ] - ++ stdenv.lib.optional stdenv.isDarwin zlib; # perhaps due to gnutls + ++ optionals stdenv.isLinux [ libcap_ng systemd lmdb ] + ++ optional stdenv.isDarwin zlib; # perhaps due to gnutls - configureFlags = [ "--with-lmdb=${stdenv.lib.getLib lmdb}"/*not perfect*/ ]; + # Not ideal but seems to work on Linux. + configureFlags = optional stdenv.isLinux "--with-lmdb=${stdenv.lib.getLib lmdb}"; enableParallelBuilding = true; From cca2e1155617304b5bcb3457309983cf8e99b067 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Mon, 13 Feb 2017 18:03:06 -0600 Subject: [PATCH 092/153] Resurrecting the single-wrapper read from sibling .real file behavior --- nixos/modules/security/wrappers/default.nix | 44 ++++++++++----------- nixos/modules/security/wrappers/wrapper.c | 28 ++++++++----- 2 files changed, 39 insertions(+), 33 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 757765ed08c..0548b1d9659 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
@@ -8,24 +8,20 @@ let (n: v: (if v ? "program" then v else v // {program=n;})) wrappers); - mkWrapper = { program, source ? null, ...}: - let buildWrapper = '' - parentWrapperDir=$(dirname ${wrapperDir}) - gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ - -Wformat -Wformat-security -Werror=format-security \ - -fstack-protector-strong --param ssp-buffer-size=4 \ - -D_FORTIFY_SOURCE=2 -fPIC \ - -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ - -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include - ''; - in pkgs.stdenv.mkDerivation { - name = "${program}-wrapper"; - unpackPhase = "true"; - installPhase = '' - mkdir -p $out/bin - ${buildWrapper} - ''; - }; + securityWrapper = pkgs.stdenv.mkDerivation { + name = "security-wrapper"; + unpackPhase = "true"; + installPhase = '' + mkdir -p $out/bin + parentWrapperDir=$(dirname ${wrapperDir}) + gcc -Wall -O2 -DWRAPPER_DIR=\"$parentWrapperDir\" \ + -Wformat -Wformat-security -Werror=format-security \ + -fstack-protector-strong --param ssp-buffer-size=4 \ + -D_FORTIFY_SOURCE=2 -fPIC \ + -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ + -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include + ''; + }; ###### Activation script for the setcap wrappers mkSetcapProgram = @@ -37,9 +33,9 @@ let , ... }: assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"); - let wrapperDrv = mkWrapper { inherit program source; }; - in '' - cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program} + '' + cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program} + echo -n "$source" > $wrapperDir/${program}.real # Prevent races chmod 0000 $wrapperDir/${program} 
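Review bot: In mkSetcapProgram, `echo -n "$source" > $wrapperDir/${program}.real` creates the sidecar with whatever mode the activation umask allows, while the wrapper binary next to it is immediately `chmod 0000`ed to "prevent races"; the sidecar's content is what decides which program the privileged wrapper hands capabilities to, so it deserves an explicit mode too. Add `chmod 0444 $wrapperDir/${program}.real` right after the write, here and in the parallel mkSetuidProgram hunk that follows. Whether the activation script already runs under a restrictive umask is not visible in this diff, so this is a belt-and-braces measure rather than a known hole. Both helpers continue past their hunks.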
@@ -65,9 +61,9 @@ let , permissions ? "u+rx,g+x,o+x" , ... }: - let wrapperDrv = mkWrapper { inherit program source; }; - in '' - cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program} + '' + cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program} + echo -n "$source" > $wrapperDir/${program}.real # Prevent races chmod 0000 $wrapperDir/${program} diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c index e6f2605143f..4a656c54e3f 100644 --- a/nixos/modules/security/wrappers/wrapper.c +++ b/nixos/modules/security/wrappers/wrapper.c @@ -21,9 +21,8 @@ extern char **environ; -// The SOURCE_PROG and WRAPPER_DIR macros are supplied at compile time -// for a security reason: So they cannot be changed at runtime. -static char * sourceProg = SOURCE_PROG; +// The WRAPPER_DIR macro is supplied at compile time so that it cannot +// be changed at runtime static char * wrapperDir = WRAPPER_DIR; // Wrapper debug variable name 
@@ -207,14 +206,25 @@ int main(int argc, char * * argv) // And, of course, we shouldn't be writable. assert(!(st.st_mode & (S_IWGRP | S_IWOTH))); - struct stat stR; - stat(sourceProg, &stR); + // Read the path of the real (wrapped) program from .real. + char realFN[PATH_MAX + 10]; + int realFNSize = snprintf (realFN, sizeof(realFN), "%s.real", selfPath); + assert (realFNSize < sizeof(realFN)); - // Make sure the program we're wrapping is non-zero - assert(stR.st_size > 0); + int fdSelf = open(realFN, O_RDONLY); + assert (fdSelf != -1); - // Read the capabilities set on the file and raise them in to the - // Ambient set so the program we're wrapping receives the + char sourceProg[PATH_MAX]; + len = read(fdSelf, sourceProg, PATH_MAX); + assert (len != -1); + assert (len < sizeof(sourceProg)); + assert (len > 0); + sourceProg[len] = 0; + + close(fdSelf); + + // Read the capabilities set on the wrapper and raise them in to + // the Ambient set so the program we're wrapping receives the // capabilities too! make_caps_ambient(selfPath); From 25121d4350b8e0deb552575a9377cb2e899fc7c9 Mon Sep 17 00:00:00 2001 From: Itai Zukerman Date: Mon, 13 Feb 2017 16:12:26 -0800 Subject: [PATCH 093/153] bazel: 0.3.2 -> 0.4.4 --- .../tools/build-managers/bazel/default.nix | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/pkgs/development/tools/build-managers/bazel/default.nix b/pkgs/development/tools/build-managers/bazel/default.nix index 5d57c9b4579..7b98ce7898a 100644 --- a/pkgs/development/tools/build-managers/bazel/default.nix +++ b/pkgs/development/tools/build-managers/bazel/default.nix @@ -1,9 +1,9 @@ -{ stdenv, fetchFromGitHub, buildFHSUserEnv, writeScript, jdk, zip, unzip, +{ stdenv, fetchurl, buildFHSUserEnv, writeScript, jdk, zip, unzip, which, makeWrapper, binutils }: let - version = "0.3.2"; + version = "0.4.4"; meta = with stdenv.lib; { homepage = http://github.com/bazelbuild/bazel/; 
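Review bot: The sidecar `.real` file is opened and read with no check on what was actually opened, even though the wrapper asserts its own `st_mode` a few lines earlier and the content of this file is what decides which program ends up with the ambient capabilities. Open it with `O_RDONLY | O_NOFOLLOW` and, after the `open`, `fstat` the descriptor and assert it is a regular file that is not group- or world-writable, mirroring the existing check on the wrapper itself (rewritten lines below). Separately, `realFNSize` is an `int`, so a negative `snprintf` result converts to a large unsigned value in `realFNSize < sizeof(realFN)` and that assert passes on error; add `realFNSize >= 0 &&` to it. As with the surrounding checks, all of this is `assert`-based and would vanish if the wrapper were ever built with `NDEBUG` (the gcc flags in the default.nix hunk do not define it), which is worth a comment near the first assert. The enclosing `main` starts before this hunk.
```c
    int fdSelf = open(realFN, O_RDONLY | O_NOFOLLOW);
    assert (fdSelf != -1);

    // The .real content picks the program that receives the ambient
    // capabilities, so hold it to the same standard as the wrapper:
    // a regular file that nobody but its owner may write.
    struct stat stR;
    int fstatRc = fstat(fdSelf, &stR);
    assert (fstatRc == 0);
    assert (S_ISREG(stR.st_mode));
    assert (!(stR.st_mode & (S_IWGRP | S_IWOTH)));
    // … unchanged: read of sourceProg, close(fdSelf), make_caps_ambient …
```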
@@ -22,14 +22,16 @@ let }; bazelBinary = stdenv.mkDerivation rec { + name = "bazel-${version}"; - src = fetchFromGitHub { - owner = "bazelbuild"; - repo = "bazel"; - rev = version; - sha256 = "085cjz0qhm4a12jmhkjd9w3ic4a67035j01q111h387iklvgn6xg"; + src = fetchurl { + url = "https://github.com/bazelbuild/bazel/releases/download/${version}/bazel-${version}-dist.zip"; + sha256 = "1fwfahkqi680zyxmdriqj603lpacyh6cg6ff25bn9bkilbfj2anm"; }; + + sourceRoot = "."; + patches = [ ./java_stub_template.patch ]; packagesNotFromEnv = [ From a27f35993d380487d7262055aff0bfc939c235ec Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Mon, 13 Feb 2017 18:28:13 -0600 Subject: [PATCH 094/153] Derp, correctly write the source program's path --- nixos/modules/security/wrappers/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 0548b1d9659..e51103981e6 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -27,7 +27,7 @@ let mkSetcapProgram = { program , capabilities - , source ? null + , source , owner ? "nobody" , group ? "nogroup" , ... @@ -35,7 +35,7 @@ let assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"); '' cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program} - echo -n "$source" > $wrapperDir/${program}.real + echo -n "${source}" > $wrapperDir/${program}.real # Prevent races chmod 0000 $wrapperDir/${program} @@ -53,7 +53,7 @@ let ###### Activation script for the setuid wrappers mkSetuidProgram = { program - , source ? null + , source , owner ? "nobody" , group ? "nogroup" , setuid ? false @@ -63,7 +63,7 @@ let }: '' cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program} - echo -n "$source" > $wrapperDir/${program}.real + echo -n "${source}" > $wrapperDir/${program}.real # Prevent races chmod 0000 $wrapperDir/${program} 
From d5691d98fc625b06443d51fb22ca9d01af86d201 Mon Sep 17 00:00:00 2001 From: Eric Sagnes Date: Tue, 14 Feb 2017 10:07:30 +0900 Subject: [PATCH 095/153] groonga: 6.1.5 -> 7.0.0 --- pkgs/servers/search/groonga/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/search/groonga/default.nix b/pkgs/servers/search/groonga/default.nix index 6e3ab5a4eae..e71c570f736 100644 --- a/pkgs/servers/search/groonga/default.nix +++ b/pkgs/servers/search/groonga/default.nix @@ -7,11 +7,11 @@ stdenv.mkDerivation rec { name = "groonga-${version}"; - version = "6.1.5"; + version = "7.0.0"; src = fetchurl { url = "http://packages.groonga.org/source/groonga/${name}.tar.gz"; - sha256 = "0phh4qp7ky5rw8xgxv3gjzw2cadkjl604xrdyxxbpd30i354sh5x"; + sha256 = "0c3vzw2ias0xpz1hwywlib1qqfjvvzwj1zggswd5l2cj87f1krfd"; }; buildInputs = with stdenv.lib; From 868d30f97574c50f2cfd272aa047cae683bfe1f8 Mon Sep 17 00:00:00 2001 From: Cillian de Roiste Date: Tue, 14 Feb 2017 09:29:57 +0100 Subject: [PATCH 096/153] openconnect: add support for stoken Tested with a Juniper Network Connect VPN --- pkgs/tools/networking/openconnect/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/openconnect/default.nix b/pkgs/tools/networking/openconnect/default.nix index d9e3063f5c1..e1104a88c90 100644 --- a/pkgs/tools/networking/openconnect/default.nix +++ b/pkgs/tools/networking/openconnect/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pkgconfig, vpnc, openssl ? null, gnutls ? null, libxml2, zlib } : +{ stdenv, fetchurl, pkgconfig, vpnc, openssl ? null, gnutls ? null, libxml2, stoken, zlib } : let xor = a: b: (a || b) && (!(a && b)); @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { ]; buildInputs = [ pkgconfig ]; - propagatedBuildInputs = [ vpnc openssl gnutls libxml2 zlib ]; + propagatedBuildInputs = [ vpnc openssl gnutls libxml2 stoken zlib ]; meta = { description = "VPN Client for Cisco's AnyConnect SSL VPN"; 
From 6a472cf4c1b78580de79c79ca7d7b714f4d8d36e Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 14 Feb 2017 01:00:17 +0100 Subject: [PATCH 097/153] opensubdiv: Remove cudatoolkit from the closure This reduces Blender's closure size by around ~2 GiB when CUDA support is enabled. --- pkgs/development/libraries/opensubdiv/default.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/opensubdiv/default.nix b/pkgs/development/libraries/opensubdiv/default.nix index b253a27a7db..f5f84ee1546 100644 --- a/pkgs/development/libraries/opensubdiv/default.nix +++ b/pkgs/development/libraries/opensubdiv/default.nix @@ -39,7 +39,16 @@ stdenv.mkDerivation { enableParallelBuilding = true; - postInstall = "rm $out/lib/*.a"; + postInstall = + '' + rm $out/lib/*.a + '' + lib.optionalString cudaSupport '' + # Drop cudatoolkit reference from the closure. We'll get + # libOpenCL from /run/opengl-driver. + s=${cudatoolkit}/lib + t=$(for ((i = 0; i < ''${#s}; i++)); do echo -n X; done) + sed -i $out/lib/libosdGPU.so.* -e "s|$s|$t|g" + ''; meta = { description = "An Open-Source subdivision surface library"; From 61236eb7ee816259178eba718cfcadad283ae300 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 14 Feb 2017 10:50:32 +0100 Subject: [PATCH 098/153] lmdb on Darwin: fix bogus library name --- pkgs/development/libraries/lmdb/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/development/libraries/lmdb/default.nix b/pkgs/development/libraries/lmdb/default.nix index 6b3070a39aa..ec3e9997690 100644 --- a/pkgs/development/libraries/lmdb/default.nix +++ b/pkgs/development/libraries/lmdb/default.nix 
@@ -25,6 +25,12 @@ in stdenv.mkDerivation rec { moveToOutput bin "$bin" moveToOutput "lib/*.a" REMOVE # until someone needs it '' + + # fix bogus library name + + stdenv.lib.optionalString stdenv.isDarwin '' + mv "$out"/lib/liblmdb.{so,dylib} + '' + # add lmdb.pc (dynamic only) + '' mkdir -p "$dev/lib/pkgconfig" From 8d853d0190b90695f8324c509285d651204d2313 Mon Sep 17 00:00:00 2001 From: Tristan Helmich Date: Tue, 14 Feb 2017 10:39:36 +0100 Subject: [PATCH 099/153] gitlab: 8.16.3 -> 8.16.4 --- pkgs/applications/version-management/gitlab/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/version-management/gitlab/default.nix b/pkgs/applications/version-management/gitlab/default.nix index a2b08e43617..23100a85e7e 100644 --- a/pkgs/applications/version-management/gitlab/default.nix +++ b/pkgs/applications/version-management/gitlab/default.nix @@ -22,7 +22,7 @@ in stdenv.mkDerivation rec { name = "gitlab-${version}"; - version = "8.16.3"; + version = "8.16.4"; buildInputs = [ env ruby bundler tzdata git nodejs procps ]; @@ -30,7 +30,7 @@ stdenv.mkDerivation rec { owner = "gitlabhq"; repo = "gitlabhq"; rev = "v${version}"; - sha256 = "0fdm92w97ggnpiqlpr5aia6x8j09v8id7n6pks134hq3pkdiz6mv"; + sha256 = "118p3c9i9r2acc0yv5jzw9p7hql5pbp37k54qzrfgrs8vjjxi14i"; }; patches = [ From 36d50978b275f0986ed805c42471feb0f6d2cc0f Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Tue, 14 Feb 2017 12:08:58 +0100 Subject: [PATCH 100/153] wireguard: 0.0.20170213 -> 0.0.20170214 This has a quick fix for old bash. --- pkgs/os-specific/linux/wireguard/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix index 8a2e6287364..3e78fed7ade 100644 --- a/pkgs/os-specific/linux/wireguard/default.nix +++ b/pkgs/os-specific/linux/wireguard/default.nix 
@@ -6,11 +6,11 @@ assert kernel != null -> stdenv.lib.versionAtLeast kernel.version "3.18"; let name = "wireguard-${version}"; - version = "0.0.20170213"; + version = "0.0.20170214"; src = fetchurl { url = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${version}.tar.xz"; - sha256 = "256a7d41cf228f2a88e1b03b3911746dc827fe7be5b982c60080e7f81998cc6d"; + sha256 = "1e4ee213d2a5ac672c952c59e9c64d6d7d5dc3e21c003aee30d75208237e8bf5"; }; meta = with stdenv.lib; { From 8493a2d0609b1ba4fa5be36f4542ad6d55ecf54c Mon Sep 17 00:00:00 2001 From: Gabriel Ebner Date: Tue, 14 Feb 2017 12:19:40 +0100 Subject: [PATCH 101/153] heaptrack: init at 2017-02-14 --- .../tools/profiling/heaptrack/default.nix | 26 +++++++++++++++++++ pkgs/top-level/all-packages.nix | 4 ++- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 pkgs/development/tools/profiling/heaptrack/default.nix diff --git a/pkgs/development/tools/profiling/heaptrack/default.nix b/pkgs/development/tools/profiling/heaptrack/default.nix new file mode 100644 index 00000000000..378073d16c0 --- /dev/null +++ b/pkgs/development/tools/profiling/heaptrack/default.nix @@ -0,0 +1,26 @@ +{ stdenv, fetchFromGitHub, cmake, zlib, boost162, libunwind, + elfutils, qt5, kde5, sparsehash }: + +stdenv.mkDerivation rec { + name = "heaptrack-${version}"; + version = "2017-02-14"; + + src = fetchFromGitHub { + owner = "KDE"; + repo = "heaptrack"; + rev = "2469003b3172874e1df7e1f81c56e469b80febdb"; + sha256 = "0dqchd2r4khv9gzj4n0qjii2nqygkj5jclkji8jbvivx5qwsqznc"; + }; + + buildInputs = [ cmake zlib boost162 libunwind elfutils sparsehash + qt5.ecm qt5.qtbase kde5.kio kde5.kitemmodels + kde5.threadweaver kde5.kconfigwidgets kde5.kcoreaddons ]; + + meta = with stdenv.lib; { + description = "Heap memory profiler for Linux"; + homepage = https://github.com/KDE/heaptrack; + license = licenses.lgpl21Plus; + maintainers = with maintainers; [ gebner ]; + platforms = platforms.linux; + }; +} 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 24d3b9ad485..37b2ae71460 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2190,6 +2190,8 @@ with pkgs; hecate = callPackage ../applications/editors/hecate { }; + heaptrack = callPackage ../development/tools/profiling/heaptrack {}; + heimdall = callPackage ../tools/misc/heimdall { }; hevea = callPackage ../tools/typesetting/hevea { }; @@ -13156,7 +13158,7 @@ with pkgs; inherit (gnome3) epiphany; epic5 = callPackage ../applications/networking/irc/epic5 { }; - + eq10q = callPackage ../applications/audio/eq10q { }; errbot = callPackage ../applications/networking/errbot { From 30e8d577f10048526e92d15dd3d547d2fd975b9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= Date: Tue, 14 Feb 2017 11:49:24 +0100 Subject: [PATCH 102/153] ccid: 1.4.23 -> 1.4.26 --- pkgs/tools/security/ccid/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/security/ccid/default.nix b/pkgs/tools/security/ccid/default.nix index cfa9f69b386..914247dcd0b 100644 --- a/pkgs/tools/security/ccid/default.nix +++ b/pkgs/tools/security/ccid/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, pcsclite, pkgconfig, libusb1, perl }: stdenv.mkDerivation rec { - version = "1.4.23"; + version = "1.4.26"; name = "ccid-${version}"; src = fetchurl { - url = "https://alioth.debian.org/frs/download.php/file/4169/ccid-1.4.23.tar.bz2"; - sha256 = "0s7c2g8idnnh19958aswaa2s51ncr2j7gqrkk5g95qpfnv7asdh8"; + url = "https://alioth.debian.org/frs/download.php/file/4205/ccid-1.4.26.tar.bz2"; + sha256 = "0bxy835c133ajalpj4gx60nqkjvpf9y1n97n04pw105pi9qbyrrj"; }; patchPhase = '' From 5ebf37f749d8567262aed1ed3ec3bb19cf2a0e86 Mon Sep 17 00:00:00 2001 
From: Michael Alan Dorman Date: Sat, 11 Feb 2017 19:51:11 -0500 Subject: [PATCH 103/153] org-packages: 2017-02-13 --- .../editors/emacs-modes/org-generated.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/applications/editors/emacs-modes/org-generated.nix b/pkgs/applications/editors/emacs-modes/org-generated.nix index d5bccbbc642..0e3d3fea328 100644 --- a/pkgs/applications/editors/emacs-modes/org-generated.nix +++ b/pkgs/applications/editors/emacs-modes/org-generated.nix @@ -1,10 +1,10 @@ { callPackage }: { org = callPackage ({ elpaBuild, fetchurl, lib }: elpaBuild { pname = "org"; - version = "20170124"; + version = "20170210"; src = fetchurl { - url = "http://orgmode.org/elpa/org-20170124.tar"; - sha256 = "0zlqb31fkwv74wszfz914agnprnh6jlr60v9dw62y9jyivaxg99k"; + url = "http://orgmode.org/elpa/org-20170210.tar"; + sha256 = "1v8adjz3rv429is8m7xx2v8hvc20dxl4hcdhdf2vhcx44bgbvyjb"; }; packageRequires = []; meta = { @@ -14,10 +14,10 @@ }) {}; org-plus-contrib = callPackage ({ elpaBuild, fetchurl, lib }: elpaBuild { pname = "org-plus-contrib"; - version = "20170124"; + version = "20170210"; src = fetchurl { - url = "http://orgmode.org/elpa/org-plus-contrib-20170124.tar"; - sha256 = "1vgiw9xbh7zcr7gywb021h46idm0k69ifgkmwb9f9wb4snar4yq8"; + url = "http://orgmode.org/elpa/org-plus-contrib-20170210.tar"; + sha256 = "1h0lwf1sw7n1df865ip5mp0pdmdi2md6hz6fq53r4zhali041ifx"; }; packageRequires = []; meta = { From 58b5c49ddd73c763583f4a274395ff6838f5d5d3 Mon Sep 17 00:00:00 2001 From: Michael Alan Dorman Date: Sat, 11 Feb 2017 19:51:32 -0500 Subject: [PATCH 104/153] elpa-packages: 2017-02-13 --- .../editors/emacs-modes/elpa-generated.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/applications/editors/emacs-modes/elpa-generated.nix b/pkgs/applications/editors/emacs-modes/elpa-generated.nix index 4298f605744..a11518735d7 100644 --- a/pkgs/applications/editors/emacs-modes/elpa-generated.nix 
+++ b/pkgs/applications/editors/emacs-modes/elpa-generated.nix @@ -725,10 +725,10 @@ }) {}; exwm = callPackage ({ elpaBuild, fetchurl, lib, xelb }: elpaBuild { pname = "exwm"; - version = "0.12"; + version = "0.13"; src = fetchurl { - url = "https://elpa.gnu.org/packages/exwm-0.12.tar"; - sha256 = "1h964w9ir8plam45c194af74g5q1wdvgwrldlmlcplcswlsn3n4z"; + url = "https://elpa.gnu.org/packages/exwm-0.13.tar"; + sha256 = "0n1wzy6chh024r0yaywjbf7mdsrxs6hrfycv5v0ps0drf6q3zldc"; }; packageRequires = [ xelb ]; meta = { @@ -1377,10 +1377,10 @@ }) {}; org = callPackage ({ elpaBuild, fetchurl, lib }: elpaBuild { pname = "org"; - version = "20170124"; + version = "20170210"; src = fetchurl { - url = "https://elpa.gnu.org/packages/org-20170124.tar"; - sha256 = "0mcnjwvily0xv1xl11dj18lg38llvrxja2j9mwn6vql8n5y1srxi"; + url = "https://elpa.gnu.org/packages/org-20170210.tar"; + sha256 = "15415wh3w8d4c8hd7qfrfdjnjb1zppmrkg8cdp7hw2ilyr90c0bn"; }; packageRequires = []; meta = { From cd90c7fe7997b0cf36e555c3a08d9b21df7981fb Mon Sep 17 00:00:00 2001 From: Michael Alan Dorman Date: Sat, 11 Feb 2017 19:51:41 -0500 Subject: [PATCH 105/153] melpa-stable-packages: 2017-02-13 --- .../emacs-modes/melpa-stable-generated.nix | 171 +++++++++++------- 1 file changed, 110 insertions(+), 61 deletions(-) diff --git a/pkgs/applications/editors/emacs-modes/melpa-stable-generated.nix b/pkgs/applications/editors/emacs-modes/melpa-stable-generated.nix index cc794cc6cf2..88b3f04cb5a 100644 --- a/pkgs/applications/editors/emacs-modes/melpa-stable-generated.nix +++ b/pkgs/applications/editors/emacs-modes/melpa-stable-generated.nix 
@@ -2578,12 +2578,12 @@ bing-dict = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "bing-dict"; - version = "0.2.2"; + version = "0.2.3"; src = fetchFromGitHub { owner = "cute-jumper"; repo = "bing-dict.el"; - rev = "e94975ac63ba87225b56eec13a153ce169e4ec94"; - sha256 = "0pmpg54faq0l886f2cmnmwm28d2yfg8adk7gp7623gx0ifggn332"; + rev = "7c067b7a3a1a4797476f03a65f4a0b4a269a70c7"; + sha256 = "1cw8zxcj7ygj73dc8xf6b4sdjrwxfl6h07mrwym8anllqs2v0fa6"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/5653d2b6c2a9b33cfed867e7f6e552d4ed90b181/recipes/bing-dict"; @@ -7763,12 +7763,12 @@ el-patch = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "el-patch"; - version = "1.0"; + version = "1.1"; src = fetchFromGitHub { owner = "raxod502"; repo = "el-patch"; - rev = "4775dfb0957605308985ce2d2cf73550704137ae"; - sha256 = "0xdb3l9184lmsabq9ajm7xj47pcg1rn743f24j7vp8r93ac21x5x"; + rev = "5fe9ff42e2651013ae8ff6bb8a1691d3f7b7225c"; + sha256 = "1d6n1w049wziphkx9vc2ijg70qj8zflwmn4xgzf3k09hzbgk4n46"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/2f4f57e0edbae35597aa4a7744d22d2f971d5de5/recipes/el-patch"; 
@@ -13548,22 +13548,22 @@ license = lib.licenses.free; }; }) {}; - go-eldoc = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, go-mode, lib, melpaBuild }: + go-eldoc = callPackage ({ emacs, fetchFromGitHub, fetchurl, go-mode, lib, melpaBuild }: melpaBuild { pname = "go-eldoc"; - version = "0.27"; + version = "0.30"; src = fetchFromGitHub { owner = "syohex"; repo = "emacs-go-eldoc"; - rev = "ebf17e486bb64af494278f851f674303c954432c"; - sha256 = "1n5fnlfq9cy9rbn2hizqqsy0iryw5g2blaa7nd75ya03gxm10p8j"; + rev = "f1ad302ec4073354801e613293be2f55ba770618"; + sha256 = "0hkwhmgjyn5jxrd0k1nakrvy4d7cz7sxb1nw4hb1rqmz4yd14c8i"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/6ce1190db06cc214746215dd27648eded5fe5140/recipes/go-eldoc"; sha256 = "1k115dirfqxdnb6hdzlw41xdy2dxp38g3vq5wlvslqggha7gzhkk"; name = "go-eldoc"; }; - packageRequires = [ cl-lib go-mode ]; + packageRequires = [ emacs go-mode ]; meta = { homepage = "https://melpa.org/#/go-eldoc"; license = lib.licenses.free; @@ -15782,6 +15782,27 @@ license = lib.licenses.free; }; }) {}; + helm-perspeen = callPackage ({ fetchFromGitHub, fetchurl, helm-projectile, lib, melpaBuild, perspeen }: + melpaBuild { + pname = "helm-perspeen"; + version = "0.1.0"; + src = fetchFromGitHub { + owner = "jimo1001"; + repo = "helm-perspeen"; + rev = "28c91e4e8a43921457f047a548366dd799c07f69"; + sha256 = "1zn7k0v734d9qcp79p3ajz6kr4hdxqiwi82i2rplg7y4ylikq0jq"; + }; + recipeFile = fetchurl { + url = "https://raw.githubusercontent.com/milkypostman/melpa/1ee26a57aacbd571da0cfaca2c31eec6ea86a543/recipes/helm-perspeen"; + sha256 = "07cnsfhph807fqyai3by2c5ml9a40gxkq280f27disf8sc45rg1y"; + name = "helm-perspeen"; + }; + packageRequires = [ helm-projectile perspeen ]; + meta = { + homepage = "https://melpa.org/#/helm-perspeen"; + license = lib.licenses.free; + }; + }) {}; helm-proc = callPackage ({ fetchFromGitHub, fetchurl, helm, lib, melpaBuild }: melpaBuild { pname = "helm-proc"; 
@@ -18299,6 +18320,27 @@ license = lib.licenses.free; }; }) {}; + jdecomp = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: + melpaBuild { + pname = "jdecomp"; + version = "0.2.0"; + src = fetchFromGitHub { + owner = "xiongtx"; + repo = "jdecomp"; + rev = "1590b06f139f036c1041e1ce5c0acccaa24b31a7"; + sha256 = "0sb9vzn6cycys31r98kxwgpn7v9aw5ck86nkskmn9hhhkrfsabii"; + }; + recipeFile = fetchurl { + url = "https://raw.githubusercontent.com/milkypostman/melpa/d7725a5b3e2aa065cc6f9bac55575151cfdc7791/recipes/jdecomp"; + sha256 = "1s8y7q361300i7f6pany1phxzr42j8gcdv9vpin05xx15p2nr3qz"; + name = "jdecomp"; + }; + packageRequires = [ emacs ]; + meta = { + homepage = "https://melpa.org/#/jdecomp"; + license = lib.licenses.free; + }; + }) {}; jedi = callPackage ({ auto-complete, emacs, fetchFromGitHub, fetchurl, jedi-core, lib, melpaBuild }: melpaBuild { pname = "jedi"; @@ -19977,14 +20019,14 @@ pname = "magit-filenotify"; version = "0.1"; src = fetchFromGitHub { - owner = "emacsorphanage"; + owner = "ruediger"; repo = "magit-filenotify"; rev = "575c4321f61fb8f25e4779f9ffd4514ac086ae96"; sha256 = "1vn6x53kpwv3zf2b5xjswyz6v853r8b9dg88qhwd2h480hrx6kal"; }; recipeFile = fetchurl { - url = "https://raw.githubusercontent.com/milkypostman/melpa/41aeebef8ed914fb378fef13ba47572accee332c/recipes/magit-filenotify"; - sha256 = "0bbw6ay3csbc5zc6wa9p9nxpbxl3k35xz9jwqlw8mgz2b1xq083d"; + url = "https://raw.githubusercontent.com/milkypostman/melpa/ca5541d2ce3553e9ade2c1ec1c0d78103dfd0c4d/recipes/magit-filenotify"; + sha256 = "1ihk5yi6psqkccpi2bq2h70kn7k874zl7wcinjaq21lirk4z7bvn"; name = "magit-filenotify"; }; packageRequires = [ emacs magit ]; 
@@ -20143,12 +20185,12 @@ magit-svn = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, magit, melpaBuild }: melpaBuild { pname = "magit-svn"; - version = "2.2.0"; + version = "2.2.1"; src = fetchFromGitHub { owner = "magit"; repo = "magit-svn"; - rev = "d9e61effc55480694014e5422e8f74f0f17a757a"; - sha256 = "128ra3habdqk1rsnmy87m0aw2pqi033dqmmjmgsmfblnfvi987p9"; + rev = "c833903732a14478f5c4cfc561bae7c50671b36c"; + sha256 = "01kcsc53q3mbhgjssjpby7ypnhqsr48rkl1xz3ahaypmlp929gl9"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cec5af50ae7634cc566adfbfdf0f95c3e2951c0c/recipes/magit-svn"; @@ -20182,22 +20224,22 @@ license = lib.licenses.free; }; }) {}; - magithub = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, magit, melpaBuild }: + magithub = callPackage ({ emacs, fetchFromGitHub, fetchurl, git-commit, lib, magit, melpaBuild, s, with-editor }: melpaBuild { pname = "magithub"; - version = "0.1"; + version = "0.1.2"; src = fetchFromGitHub { owner = "vermiculus"; repo = "magithub"; - rev = "c94ff69749dd14200956e0b59a3757618c594730"; - sha256 = "12z9gl5lrvdfvhvk213phhgddvvr3y3hpigpzzcq0jla65db367b"; + rev = "283bde94b3fe5cd8f4634887812c58eaf55aef60"; + sha256 = "0nd9q3x60pydigyrp7b00xgnw7pgb0plh6mry7pj1532z3xxz1d7"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/4605012c9d43403e968609710375e34f1b010235/recipes/magithub"; sha256 = "1c3rbav13rw16ngjhjwnz80v653k8df63fkw0kayd80xrkxhrkxw"; name = "magithub"; }; - packageRequires = [ emacs magit ]; + packageRequires = [ emacs git-commit magit s with-editor ]; meta = { homepage = "https://melpa.org/#/magithub"; license = lib.licenses.free; 
@@ -20434,22 +20476,29 @@ license = lib.licenses.free; }; }) {}; - markdown-preview-mode = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, markdown-mode, melpaBuild, websocket }: + markdown-preview-mode = callPackage ({ cl-lib ? null, emacs, fetchFromGitHub, fetchurl, lib, markdown-mode, melpaBuild, uuidgen, web-server, websocket }: melpaBuild { pname = "markdown-preview-mode"; - version = "0.7"; + version = "0.8"; src = fetchFromGitHub { owner = "ancane"; repo = "markdown-preview-mode"; - rev = "2fc9f06fdf8489a2d5661b794941abb6f863f194"; - sha256 = "0grljxihip0xyfm47ljwz6hy4kn30vw69bv4w5dw8kr33d51y5ym"; + rev = "65f48df07c87d37275cc6a135741df4b585f1836"; + sha256 = "0gkfwm7zxwdi7x7xd6m9sl9q1p5f2q8mxryq6cd4xldbvbcki71f"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/d3c5d222cf0d7eca6a4e3eb914907f8ca58e40f0/recipes/markdown-preview-mode"; sha256 = "1cam5wfxca91q3i1kl0qbdvnfy62hr5ksargi4430kgaz34bcbyn"; name = "markdown-preview-mode"; }; - packageRequires = [ cl-lib markdown-mode websocket ]; + packageRequires = [ + cl-lib + emacs + markdown-mode + uuidgen + web-server + websocket + ]; meta = { homepage = "https://melpa.org/#/markdown-preview-mode"; license = lib.licenses.free; @@ -20689,12 +20738,12 @@ meghanada = callPackage ({ company, emacs, fetchFromGitHub, fetchurl, flycheck, lib, melpaBuild, yasnippet }: melpaBuild { pname = "meghanada"; - version = "0.5.0"; + version = "0.6.0"; src = fetchFromGitHub { owner = "mopemope"; repo = "meghanada-emacs"; - rev = "6b1b514ca3424c08301325f99608510130365cd1"; - sha256 = "1pl65186k696mx6lm6lnn2jm86kwky780rph97cqb1dy506qpqxf"; + rev = "9f73f1b0656a6a2ea55bbacf7659ffd3b35cdd9d"; + sha256 = "0hnhzkkggv035x0qkxmw64migq6v6jpg8m6ayfc95avimyf1j67r"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/4c75c69b2f00be9a93144f632738272c1e375785/recipes/meghanada"; 
@@ -21990,12 +22039,12 @@ nginx-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "nginx-mode"; - version = "1.1.6"; + version = "1.1.7"; src = fetchFromGitHub { owner = "ajc"; repo = "nginx-mode"; - rev = "304c9e2dbe884645661e3f133c11217a2b4d4274"; - sha256 = "1i9yh55zi7ml4i9nfjgvyz62y7id3c9fszs0h41skdzjfs9x5p6j"; + rev = "b58708d15a6659577945c0aa3a63983eebff2e67"; + sha256 = "0y2wwgvm3495h6hms425gzgi3qx2wn33xq6b7clrvj4amfy29qix"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a6da3640b72496e2b32e6ed21aa39df87af9f7f3/recipes/nginx-mode"; @@ -25282,12 +25331,12 @@ phpunit = callPackage ({ cl-lib ? null, emacs, f, fetchFromGitHub, fetchurl, lib, melpaBuild, pkg-info, s }: melpaBuild { pname = "phpunit"; - version = "0.14.0"; + version = "0.15.0"; src = fetchFromGitHub { owner = "nlamirault"; repo = "phpunit.el"; - rev = "791d1b33b63887cdeaf287fa657b8109f9d1dd18"; - sha256 = "0j9ym19pz17wsjh1ky65x9mz8aiiryxbw1nsygvy9isbdzjx591k"; + rev = "5ca5ee53e16b2cf0939dbeacbf1dffa13b41b48f"; + sha256 = "0gmb5fxnllkjg45cmqpr2gy2k6qhg1r6j2w67qbpir0x4h3q2x6x"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/0670b42c0c998daa7bf01080757976ac3589ec06/recipes/phpunit"; 
@@ -26095,22 +26144,22 @@ license = lib.licenses.free; }; }) {}; - projectile-ripgrep = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: + projectile-ripgrep = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild, projectile, ripgrep }: melpaBuild { pname = "projectile-ripgrep"; - version = "0.3.0"; + version = "0.4.0"; src = fetchFromGitHub { owner = "nlamirault"; repo = "ripgrep.el"; - rev = "1d579c5dc820b9a2c58261d362ffb95a02a8a752"; - sha256 = "0ayq3h0mfqyn695r3qp31yamsyy6hcgj9fxsmlrsm615axvmki9g"; + rev = "73595f1364f2117db49e1e4a49290bd6d430e345"; + sha256 = "1a5rdpmvsgsjlc9sywism9pq7jd6n9qbcdsvpbfkq1npwhpifkbj"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/195f340855b403128645b59c8adce1b45e90cd18/recipes/projectile-ripgrep"; sha256 = "1iczizyayql40wcljvpc1mvfvn9r28b1dkrkcmdxif732gd01jjg"; name = "projectile-ripgrep"; }; - packageRequires = []; + packageRequires = [ projectile ripgrep ]; meta = { homepage = "https://melpa.org/#/projectile-ripgrep"; license = lib.licenses.free; @@ -27400,12 +27449,12 @@ repo = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "repo"; - version = "0.1.2"; + version = "0.1.3"; src = fetchFromGitHub { owner = "canatella"; repo = "repo-el"; - rev = "98bde6fdc840d42a24c5784ee440cad39e8264d9"; - sha256 = "0hs80g3npgb6qfcaivdfkpsc9mss1kdmyp5j7s922qcy2k4yxmgl"; + rev = "d7b87cd515bad8a67d3a892a46a23f5fe81e08de"; + sha256 = "0rbvcvm7bfr6ncji7cllfxyyr6x7n9fx863byp243phsj3n93adz"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/1729d4ea9498549fff3594b971fcde5f81592f84/recipes/repo"; 
@@ -27610,12 +27659,12 @@ rg = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild, s }: melpaBuild { pname = "rg"; - version = "1.1.0"; + version = "1.1.1"; src = fetchFromGitHub { owner = "dajva"; repo = "rg.el"; - rev = "ec9eb5240191612debf0392ee7a7f491c7dae27e"; - sha256 = "0773d0n5jq42yr5p1xbbfji027j0kw4msv1p8b7zk82ij1yc7hyr"; + rev = "fd0f056a5912caeeb2d4f668969d9df81c9e22db"; + sha256 = "1lig93lj5mnm2fjvwac42kfw8bhq8ggs4jfc73fmclm6s5dg8661"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/9ce1f721867383a841957370946f283f996fa76f/recipes/rg"; @@ -27694,12 +27743,12 @@ ripgrep = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "ripgrep"; - version = "0.3.0"; + version = "0.4.0"; src = fetchFromGitHub { owner = "nlamirault"; repo = "ripgrep.el"; - rev = "1d579c5dc820b9a2c58261d362ffb95a02a8a752"; - sha256 = "0ayq3h0mfqyn695r3qp31yamsyy6hcgj9fxsmlrsm615axvmki9g"; + rev = "73595f1364f2117db49e1e4a49290bd6d430e345"; + sha256 = "1a5rdpmvsgsjlc9sywism9pq7jd6n9qbcdsvpbfkq1npwhpifkbj"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/e8d789818876e959a1a59690f1dd7d4efa6d608b/recipes/ripgrep"; @@ -28427,12 +28476,12 @@ selectric-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "selectric-mode"; - version = "1.2"; + version = "1.4"; src = fetchFromGitHub { owner = "rbanffy"; repo = "selectric-mode"; - rev = "a8e8c8899c749bd36bdd161e161cdc51301defc6"; - sha256 = "1dj8vccdk1s0ynl5znpg02xp182srn3s8cqcxqrxjllp7wbgab31"; + rev = "e60703d9a6c9944270d77bc829dae3a8b092346f"; + sha256 = "04i5rrn93hzcf8zzfli2ams927lm83hl4q6w2azcg24lhldaqf8p"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/08922071b9854142eab726302e75f1db2d326ec5/recipes/selectric-mode"; 
@@ -28553,12 +28602,12 @@ shackle = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "shackle"; - version = "0.9.0"; + version = "0.9.2"; src = fetchFromGitHub { owner = "wasamasa"; repo = "shackle"; - rev = "4069e0cbff0d172de2cd7d588de971d8b02915c6"; - sha256 = "0yy162sz7vwj0i9w687a5x1c2fq31vc3i6gqhbywspviczdp4q1y"; + rev = "979b021077655ca38749a60c9752c0817e8fd93e"; + sha256 = "11qp4gqxfi5d6krvxlqxfn58b1kcgsnldpi54r8lx6mis8l0f4wl"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/806e7d00f763f3fc4e3b8ebd483070ac6c5d0f21/recipes/shackle"; @@ -29537,22 +29586,22 @@ license = lib.licenses.free; }; }) {}; - socyl = callPackage ({ dash, fetchFromGitHub, fetchurl, lib, melpaBuild, pkg-info, s }: + socyl = callPackage ({ cl-lib ? null, dash, fetchFromGitHub, fetchurl, lib, melpaBuild, pkg-info, s }: melpaBuild { pname = "socyl"; - version = "0.2.0"; + version = "0.3.0"; src = fetchFromGitHub { owner = "nlamirault"; repo = "socyl"; - rev = "09ea9d1ea02060ccdb17b80ad88f912c08045c5b"; - sha256 = "09zdknrg4ar38nbhvz4407x78i3lngmnrcijr7a4x1ybs5x61zis"; + rev = "fcc0deda5b6c39d25e48e7da2a0ae73295193ea8"; + sha256 = "1a8qd9hcmp4xl6hyvlq116nr9cn392bmrrda8vqkvjpd8rm8i776"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/774b3006f5b6b781594257f1d9819068becbbcc1/recipes/socyl"; sha256 = "00b7x247cyjh4gci101fq1j6708vbcz1g9ls3845w863wjf6m5sz"; name = "socyl"; }; - packageRequires = [ dash pkg-info s ]; + packageRequires = [ cl-lib dash pkg-info s ]; meta = { homepage = "https://melpa.org/#/socyl"; license = lib.licenses.free; From 25a2f9073142d7bedfab17cfa4ba3ecb831ddc31 Mon Sep 17 00:00:00 2001 
From: Michael Alan Dorman Date: Sat, 11 Feb 2017 19:55:16 -0500 Subject: [PATCH 106/153] melpa-packages: 2017-02-13 Removals: - ebib-handy: removed from melpa - goose-theme: repository removed --- .../editors/emacs-modes/melpa-generated.nix | 880 ++++++++++-------- 1 file changed, 482 insertions(+), 398 deletions(-) diff --git a/pkgs/applications/editors/emacs-modes/melpa-generated.nix b/pkgs/applications/editors/emacs-modes/melpa-generated.nix index a47b5d69760..7a7d05f5899 100644 --- a/pkgs/applications/editors/emacs-modes/melpa-generated.nix +++ b/pkgs/applications/editors/emacs-modes/melpa-generated.nix @@ -127,12 +127,12 @@ abl-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "abl-mode"; - version = "20170208.647"; + version = "20170211.1328"; src = fetchFromGitHub { owner = "afroisalreadyinu"; repo = "abl-mode"; - rev = "9c928c2968d7960ef672c3312051f0fbd4a7aeb3"; - sha256 = "0fxl67nmy6vi6viwxday4j81m9lg4l8vg6yw2phgagm4zlp65k58"; + rev = "54777551c1760f02b35043a51e1cadad1468aa44"; + sha256 = "0p5jhp71n4021p173c9agmm26xqqx7z864ygaskf9dh810mxs1yh"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/70a52edb381daa9c4dcc9f7e511175b38fc141be/recipes/abl-mode"; @@ -1570,12 +1570,12 @@ all-the-icons-dired = callPackage ({ all-the-icons, emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "all-the-icons-dired"; - version = "20161203.605"; + version = "20170210.811"; src = fetchFromGitHub { owner = "jtbm37"; repo = "all-the-icons-dired"; - rev = "3ccab8ae4113e03ff2c7b103d388fa6ec1447d9c"; - sha256 = "0rbcbhsw5js9wx29pp65s7q6mxhbz1jskhvzl0k4gqlk4m6gqcxq"; + rev = "6e5152dfeb0f8be01a61d6fb0c0cb248ecdf1718"; + sha256 = "1siwrcfpj9wnrq5q0y5yhbqnh081db0v4kzvxiiqs3idppdnddxg"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cf8e432e3cd316ffeb7e0b68b855e23bcc3b9491/recipes/all-the-icons-dired"; 
@@ -1688,8 +1688,8 @@ src = fetchFromGitHub { owner = "proofit404"; repo = "anaconda-mode"; - rev = "fe7a4ece906c5aec242b94e95befa50080414d3c"; - sha256 = "0lisa1j4x13yk5cgdakdk2xly3ds3hw2s2vq0am375a57p65vpq0"; + rev = "a6b80a4fbb4e6ce3bc6a51a6e9f0982ea219b16b"; + sha256 = "06rgwx03x84r4i5z07sia09nsb76a3cb7zxkravx78h7anlw16xw"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/e03b698fd3fe5b80bdd24ce01f7fba28e9da0da8/recipes/anaconda-mode"; @@ -2492,12 +2492,12 @@ apropospriate-theme = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "apropospriate-theme"; - version = "20170120.1254"; + version = "20170212.1229"; src = fetchFromGitHub { owner = "waymondo"; repo = "apropospriate-theme"; - rev = "9b4a0058a41ac7849c3d4e9cbe05a79e80b3fee1"; - sha256 = "0xaq9ssvc5ysc18cjcm07plhf0b02rwwzfm82s4cakh8zffm2rnd"; + rev = "f5ffcabf7f079bd899d95ffa11a78ccca7eb8c8e"; + sha256 = "1vrpg0fjshqcfhj4iwkgrqw052rvx9kf2l217mg2z94rjm1y9g55"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/1da33013f15825ab656260ce7453b8127e0286f4/recipes/apropospriate-theme"; @@ -4221,12 +4221,12 @@ base16-theme = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "base16-theme"; - version = "20170208.1225"; + version = "20170213.1604"; src = fetchFromGitHub { owner = "belak"; repo = "base16-emacs"; - rev = "53a4b2175ad58db5314105244f74d1f03a9f3df2"; - sha256 = "1la5qljl8jcvnla5xfql509pwrcyjbamc6a3bzdxq55snh6hdkda"; + rev = "f7cbf7734d99733ed99eb8a7b95d2dc808a73927"; + sha256 = "16i617i3pflwdmdijiklwwh9ywiin6ln7mar0k7yybmlr6xbvlkf"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/30862f6be74882cfb57fb031f7318d3fd15551e3/recipes/base16-theme"; 
@@ -4931,8 +4931,8 @@ src = fetchFromGitHub { owner = "jwiegley"; repo = "use-package"; - rev = "38034854ac21bd5ddc1a1129fd6c8ff86d939f8a"; - sha256 = "0s20z5njwmk591674mb2lyv50agg6496hkr5b11904jq5ca3xagz"; + rev = "6c2d81cfadb12c10af0dabe148ede355737ed1a8"; + sha256 = "18aqyphq1cwandfarql773d0h3ki6c9ip1wji1ni86fm29f99ikq"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/d39d33af6b6c9af9fe49bda319ea05c711a1b16e/recipes/bind-key"; @@ -5036,8 +5036,8 @@ src = fetchFromGitHub { owner = "canatella"; repo = "bitbake-el"; - rev = "4ab424d970bee0f6b91a1fc545b14ded173e3476"; - sha256 = "0xqi5s8536hajjl3g1a2i8p9ll4vq9gdx2jjbjzlid65h669bny8"; + rev = "4d9f0a4ffb7b9c6cd4d8271f1b429ca1bb7e9130"; + sha256 = "0c8f6w8pgbr63g1zhgppfyh5g3sb0iv31ywqmvp6467766di4qh9"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/da099b66180ed537f8962ab4ca727d2441f9691d/recipes/bitbake"; @@ -6050,8 +6050,8 @@ src = fetchFromGitHub { owner = "EricCrosson"; repo = "bury-successful-compilation"; - rev = "2b673a6df1513d976836087259e35384d94a9bed"; - sha256 = "11bhpad8h9pmmm84ps95wdnaxn76wz4wm4l04mhcps5fsj7x15by"; + rev = "52da2c07419beceab9b4d426d76adb3dcf2548d1"; + sha256 = "1qdkx14rwabrfm9kzp4w9gvk9h4qg8f5b3qdwlyn863d2y7q468g"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/f66e2e23c7a1fa0ce6fa8a0e814242b7c46c299c/recipes/bury-successful-compilation"; @@ -6720,8 +6720,8 @@ src = fetchFromGitHub { owner = "skk-dev"; repo = "ddskk"; - rev = "df9d8a8332c9f75498bfecd870d7296c6ba0b42e"; - sha256 = "05ay6qkx77yl581jvikkf11dzny0v9h70iahss4bz5a37hawp4dd"; + rev = "4681d150d80da779bc8f95ec912c7de13cecd0f1"; + sha256 = "0hsz5gpj2lq7f8grb9wmjv5sqm8ky2c98di0m8n27y4ikcqv7dz3"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/7375cab750a67ede1a021b6a4371b678a7b991b0/recipes/ccc"; 
@@ -6762,8 +6762,8 @@ src = fetchFromGitHub { owner = "skk-dev"; repo = "ddskk"; - rev = "df9d8a8332c9f75498bfecd870d7296c6ba0b42e"; - sha256 = "05ay6qkx77yl581jvikkf11dzny0v9h70iahss4bz5a37hawp4dd"; + rev = "4681d150d80da779bc8f95ec912c7de13cecd0f1"; + sha256 = "0hsz5gpj2lq7f8grb9wmjv5sqm8ky2c98di0m8n27y4ikcqv7dz3"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/b48fe069ecd95ea0f9768ecad969e0838344e45d/recipes/cdb"; @@ -7759,12 +7759,12 @@ circe = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "circe"; - version = "20170205.1414"; + version = "20170212.240"; src = fetchFromGitHub { owner = "jorgenschaefer"; repo = "circe"; - rev = "773e48624edc32022764d9b3bab861f32c336ac3"; - sha256 = "0s0ksk4f8hz2jajh7hx8b5qv8vrv5mr8mvk8n51ycip0gmrl98nf"; + rev = "a9df12a6e2f2c8e940722e151829d5dcf980c902"; + sha256 = "00rdv0dij1d21jddw73iikc4vcx7hi1bi85b25hj1jx36nx4m16c"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a2b295656d53fddc76cacc86b239e5648e49e3a4/recipes/circe"; @@ -7846,7 +7846,7 @@ version = "20170120.137"; src = fetchsvn { url = "http://llvm.org/svn/llvm-project/cfe/trunk/tools/clang-format"; - rev = "294752"; + rev = "295019"; sha256 = "13516xv7ypswhlarh4sd97sc17zar10snbmrcn14wd53jgxx440y"; }; recipeFile = fetchurl { @@ -8488,8 +8488,8 @@ src = fetchFromGitHub { owner = "Kitware"; repo = "CMake"; - rev = "ada0bc21f42e25882ddf5a8aab10eaf3ea7e0b89"; - sha256 = "0cl8c2kbsd8jcc9mdpdriamxv9bk5fnjra5c7rpwc19qahgf2w3a"; + rev = "38bfe65eba21c697d05e8bed79635fc125cdac17"; + sha256 = "1dqh7rd2hnn68dfj271sbm1j5dgpkd3phhjrcxnkg0wxyhpcpp7w"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/598723893ae4bc2e60f527a072efe6ed9d4e2488/recipes/cmake-mode"; 
@@ -8758,8 +8758,8 @@ src = fetchFromGitHub { owner = "defunkt"; repo = "coffee-mode"; - rev = "d7d554cbf435aa875fbf56e67c4374375a164a93"; - sha256 = "1glif3jxh31cmy2rgz39bc2bbrlgh87v5wd5c93f7slb45gkinqi"; + rev = "231eccd8cf662516159359ed24d1b27d068ec7f8"; + sha256 = "1anidih1kbwqifrb7v90ga172alqhxizwz1vrf87cnj5ns1h1hx8"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cae2ac3513e371a256be0f1a7468e38e686c2487/recipes/coffee-mode"; @@ -9298,8 +9298,8 @@ src = fetchFromGitHub { owner = "yuutayamada"; repo = "company-arduino"; - rev = "5958b917cc5cc729dc64d74d947da5ee91c48980"; - sha256 = "08766m35s0r2fyv32y0h3sns9d5jykbgg24d2z8czklnc8hay7jc"; + rev = "d7e369702b8eee63e6dfdeba645ce28b6dc66fb1"; + sha256 = "06v7y7gxlxrxdaqy8c93niy1di80r738cq7rkghnhqi174pwl1wv"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/45350f816c4f5249792d29f97ef91f8c0685b983/recipes/company-arduino"; @@ -10050,12 +10050,12 @@ company-statistics = callPackage ({ company, emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "company-statistics"; - version = "20161213.159"; + version = "20170210.1133"; src = fetchFromGitHub { owner = "company-mode"; repo = "company-statistics"; - rev = "36d9692da9172c3ad1e1a46d66ffa9346a44b212"; - sha256 = "05br3ikxad7gm7h6327yfwdfap6bbg68fbybsx967a31yv4rxhvm"; + rev = "e62157d43b2c874d2edbd547c3bdfb05d0a7ae5c"; + sha256 = "12mwviz1mwx4ywks2lkmybbgh1wny67wkzlq5y3ml8gvyc288n3i"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/89d05b43f31ec157ce8e7bfba4b7c9119bda6dd2/recipes/company-statistics"; 
@@ -10515,8 +10515,8 @@ src = fetchFromGitHub { owner = "abo-abo"; repo = "swiper"; - rev = "d23d1feefccd658f013cbf7d1b052767bed9b2b6"; - sha256 = "0fffs5l45hrz7qv4gxwdn4prabl49zgx74daxyflrlkmbffy0gr4"; + rev = "5f732cdce5ac2529f36b5c8cc9f053789783de45"; + sha256 = "1ha7filrnkdya4905yy002n1hjdl23k9hbb2w2id3wfj0cbw930f"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/06c50f32b8d603db0d70e77907e36862cd66b811/recipes/counsel"; @@ -10634,6 +10634,27 @@ license = lib.licenses.free; }; }) {}; + cov = callPackage ({ emacs, f, fetchFromGitHub, fetchurl, lib, melpaBuild, s }: + melpaBuild { + pname = "cov"; + version = "20170130.1727"; + src = fetchFromGitHub { + owner = "AdamNiederer"; + repo = "cov"; + rev = "d73b3aa7f3f285f046e448ffabd3525ccfcc08a1"; + sha256 = "0l21422mjhknabm1l4d9f5radq153vr6qc6ihsm0hxhy1i713mqn"; + }; + recipeFile = fetchurl { + url = "https://raw.githubusercontent.com/milkypostman/melpa/d0f35ce436ac157955d6f92de96e14bef9ad69e3/recipes/cov"; + sha256 = "02wk8ikanl5lcwqb9wqc8xx5vwzhn2hpqpxdchg5mdi7fifa1rni"; + name = "cov"; + }; + packageRequires = [ emacs f s ]; + meta = { + homepage = "https://melpa.org/#/cov"; + license = lib.licenses.free; + }; + }) {}; coverage = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild, ov }: melpaBuild { pname = "coverage"; @@ -11530,8 +11551,8 @@ src = fetchFromGitHub { owner = "cython"; repo = "cython"; - rev = "e4b8a88d1e9b0ff053705b5082d6f9e12a839069"; - sha256 = "1m4h0jw4baa70z5difns5afbylagdw11w3ppc92sjzjpicxn2g9v"; + rev = "4924bd9cb7fc9350646f347e99292d115c39852c"; + sha256 = "0yrq1hi79kyca774ab5kg0ran9nyjyh0h504rs17f8w05ly48n3r"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/be9bfabe3f79153cb859efc7c3051db244a63879/recipes/cython-mode"; 
@@ -12135,12 +12156,12 @@ ddskk = callPackage ({ ccc, cdb, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "ddskk"; - version = "20161127.118"; + version = "20170213.315"; src = fetchFromGitHub { owner = "skk-dev"; repo = "ddskk"; - rev = "df9d8a8332c9f75498bfecd870d7296c6ba0b42e"; - sha256 = "05ay6qkx77yl581jvikkf11dzny0v9h70iahss4bz5a37hawp4dd"; + rev = "4681d150d80da779bc8f95ec912c7de13cecd0f1"; + sha256 = "0hsz5gpj2lq7f8grb9wmjv5sqm8ky2c98di0m8n27y4ikcqv7dz3"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/6eccccb79881eaa04af3ed6395cd2ab981d9c894/recipes/ddskk"; @@ -14193,6 +14214,27 @@ license = lib.licenses.free; }; }) {}; + dokuwiki = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild, xml-rpc }: + melpaBuild { + pname = "dokuwiki"; + version = "20170213.122"; + src = fetchFromGitHub { + owner = "accidentalrebel"; + repo = "emacs-dokuwiki"; + rev = "4f23638ab6f795fe70508576fa73583d447aecae"; + sha256 = "18vfbvx2mck48pd1s3h2a8zx8axa808krailvfjm3ypa86ia95w6"; + }; + recipeFile = fetchurl { + url = "https://raw.githubusercontent.com/milkypostman/melpa/e46cf6a57b93ddfda8e2d6e74cee8d0df2cb1ec7/recipes/dokuwiki"; + sha256 = "1vi6crl5y3g1p6xcpqzybmidn09cdf4gplmrvb2nkc94pyd9qxnw"; + name = "dokuwiki"; + }; + packageRequires = [ emacs xml-rpc ]; + meta = { + homepage = "https://melpa.org/#/dokuwiki"; + license = lib.licenses.free; + }; + }) {}; dokuwiki-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "dokuwiki-mode"; 
@@ -14498,12 +14540,12 @@ dracula-theme = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "dracula-theme"; - version = "20161119.1345"; + version = "20170210.830"; src = fetchFromGitHub { owner = "dracula"; repo = "emacs"; - rev = "c9f8a97eba74a82a65554c9b282e86125a22ecb2"; - sha256 = "12918nidcmqnhkqhhrnhhd2sihqld5dy1v06q4j9fkrcbp4j4l4l"; + rev = "0b865af179768c24a1f7135c2866eca0f65b9295"; + sha256 = "114kxmki4hmrckxflkzgrl8i6n9qc1jdvma5assbvmhnfqmy4hvm"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/d63cb8906726f106e65f7d9895b49a38ffebf8d5/recipes/dracula-theme"; @@ -14667,8 +14709,8 @@ src = fetchFromGitHub { owner = "arnested"; repo = "drupal-mode"; - rev = "6f40ad04b760d2266b8c07283df266471d85a9b2"; - sha256 = "13wlgy1g1nl3xxkibh0cj983lq3snw4xxmq4nsphq92pjd2lggs7"; + rev = "9d5808972f344a09dcf665d5113ae81e39ac1051"; + sha256 = "0vz41jfkfir7ymyl5y0v836zclqfihrjdiyz3vnb081x0gara8l0"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/13e16af340868048eb1f51f9865dfc707e57abe8/recipes/drupal-mode"; @@ -14707,7 +14749,7 @@ version = "20130120.1257"; src = fetchsvn { url = "http://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/emacs/"; - rev = "1782484"; + rev = "1782905"; sha256 = "016dxpzm1zba8rag7czynlk58hys4xab4mz1nkry5bfihknpzcrq"; }; recipeFile = fetchurl { 
@@ -15329,27 +15371,6 @@ license = lib.licenses.free; }; }) {}; - ebib-handy = callPackage ({ chinese-pyim, ebib, emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: - melpaBuild { - pname = "ebib-handy"; - version = "20170208.524"; - src = fetchFromGitHub { - owner = "tumashu"; - repo = "ebib-handy"; - rev = "d70731bd02dd86500cb7807d0d11fc05b53d2a69"; - sha256 = "03db4k69qkp4s9xj910ynkq4ky68hs404djsglhlcirdpwj58d80"; - }; - recipeFile = fetchurl { - url = "https://raw.githubusercontent.com/milkypostman/melpa/8843caa0d80000c70d3b264854f50daac94e6962/recipes/ebib-handy"; - sha256 = "069dq4sfw4jz4cd8mw611qzcz7jyj271qwv2l54fyi3pfvd68h17"; - name = "ebib-handy"; - }; - packageRequires = [ chinese-pyim ebib emacs ]; - meta = { - homepage = "https://melpa.org/#/ebib-handy"; - license = lib.licenses.free; - }; - }) {}; ecb = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "ecb"; @@ -15581,12 +15602,12 @@ ede-php-autoload = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "ede-php-autoload"; - version = "20170123.1113"; + version = "20170212.450"; src = fetchFromGitHub { owner = "stevenremot"; repo = "ede-php-autoload"; - rev = "141de1002c289e9852d34b6f603126fd21fcaf83"; - sha256 = "1d4a1502lsz48r183iqw3xn06jd32n01dydvi2rgzydj5kf0lyka"; + rev = "c25e7dd7ade0e514b1dc94e69b73415fd3eb57c3"; + sha256 = "1v7jpm81r3c4iqrbslrlnczxfs35s7lky7v75x9ahm5vbnrd9iig"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/8ee9f7fd9cbc3397cd9af34b08b75c3d9d8bc551/recipes/ede-php-autoload"; 
@@ -15967,11 +15988,11 @@ }) {}; eide = callPackage ({ fetchgit, fetchurl, lib, melpaBuild }: melpaBuild { pname = "eide"; - version = "20170207.1259"; + version = "20170213.1254"; src = fetchgit { url = "git://git.tuxfamily.org/gitroot/eide/emacs-ide.git"; - rev = "756ebff43c4c2393a679ea7d26e22743831d4564"; - sha256 = "135ymq7pc9478dlx6q4nln439r9d64ylmbbykcpisgw6ypn1yzbz"; + rev = "66d4490ec38dd992ba90b3801879d3f0ff312635"; + sha256 = "1y8imvgms7nb8fcpm1v6zkx3hqsf6zygc38gbj87c8s85f2qmfrq"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/d384f185f76039b06a1b5b12c792b346c6d47a22/recipes/eide"; @@ -16008,12 +16029,12 @@ ein = callPackage ({ cl-generic, fetchFromGitHub, fetchurl, lib, melpaBuild, request, websocket }: melpaBuild { pname = "ein"; - version = "20170209.956"; + version = "20170212.2016"; src = fetchFromGitHub { owner = "millejoh"; repo = "emacs-ipython-notebook"; - rev = "faf61c3cc371a9d4caa2e84687c31e5efb4577e9"; - sha256 = "1rhd7l5pjfg11m6njc6z13p92v3fdswjr354rfrc2p0w03vc6nyb"; + rev = "f1d3fbe96713e85aaea2f1027c2cc1782e0e5a70"; + sha256 = "0kf8glywsdscviml8gwdj659zm28npkz0w6ybcx2k1wv9gkg3shs"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/215e163755fe391ce1f049622e7b9bf9a8aea95a/recipes/ein"; @@ -16071,12 +16092,12 @@ ejc-sql = callPackage ({ auto-complete, cider, clomacs, dash, emacs, fetchFromGitHub, fetchurl, lib, melpaBuild, spinner }: melpaBuild { pname = "ejc-sql"; - version = "20170210.30"; + version = "20170211.259"; src = fetchFromGitHub { owner = "kostafey"; repo = "ejc-sql"; - rev = "4046b291dce26148e62fed3974b94489ccc24674"; - sha256 = "127kiplrwf1wkwpjf1fra6j1ic0wwiiza7d4ih47ffs40cq1f91r"; + rev = "94617344a74336ecaebc17a414f4d05162a79303"; + sha256 = "1lcc8y6lhqv0fgdik0qifbb1dzj077s86skrnvy92x373wv565kr"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/8f2cd74717269ef7f10362077a91546723a72104/recipes/ejc-sql"; 
@@ -16117,8 +16138,8 @@ src = fetchFromGitHub { owner = "dimitri"; repo = "el-get"; - rev = "f98bbc72303e17fe6833ece472c5f110ccd97911"; - sha256 = "19l295g5ryx95jxgxgh55s1j97la30qjl7xkgkd5gn01hdvn9v97"; + rev = "6b707565b7328d8bcb8898db1a5b9dffaa06cdf8"; + sha256 = "02qvxpg3pnw6crr13isimbhxyk6lf0x216418bhilgvgzmp1jwmj"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/1c61197a2b616d6d3c6b652248cb166196846b44/recipes/el-get"; @@ -16197,12 +16218,12 @@ el-patch = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "el-patch"; - version = "20170201.1652"; + version = "20170211.1725"; src = fetchFromGitHub { owner = "raxod502"; repo = "el-patch"; - rev = "df3cb294fdbed717fd7f7fcb8dd917226c5f2d8d"; - sha256 = "01z824qxbqzgggj07x1ryx7mvw0jqq2s9hwg1jn23vzy7fchij44"; + rev = "5fe9ff42e2651013ae8ff6bb8a1691d3f7b7225c"; + sha256 = "1d6n1w049wziphkx9vc2ijg70qj8zflwmn4xgzf3k09hzbgk4n46"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/2f4f57e0edbae35597aa4a7744d22d2f971d5de5/recipes/el-patch"; @@ -17059,12 +17080,12 @@ elpy = callPackage ({ company, fetchFromGitHub, fetchurl, find-file-in-project, highlight-indentation, lib, melpaBuild, pyvenv, s, yasnippet }: melpaBuild { pname = "elpy"; - version = "20170201.629"; + version = "20170212.420"; src = fetchFromGitHub { owner = "jorgenschaefer"; repo = "elpy"; - rev = "ff0277013bf1319c72759d3f6eb001f2317cb52b"; - sha256 = "13wdw9y78gwdlz83zgbbhkmk2q3wvf569pgnlcpy330fxmalbj6v"; + rev = "7e005dc48530007aeac871dbe214512289ec5dea"; + sha256 = "0pjdsh53f8d2fva55kvm726x5830r78fyigcd4ni4sifl83szrpf"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/1d8fcd8745bb15402c9f3b6f4573ea151415237a/recipes/elpy"; 
@@ -18239,12 +18260,12 @@ epkg = callPackage ({ closql, dash, emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "epkg"; - version = "20170131.627"; + version = "20170205.616"; src = fetchFromGitHub { owner = "emacscollective"; repo = "epkg"; - rev = "f2daeceb98766914548bf9a3c8206ae64850e395"; - sha256 = "06j07j0gfg4ahjklxlk7m7w53arpl42ynf1diphqn02jy7ycdlh6"; + rev = "521026f777543b73bee6107aab089f44fb809c91"; + sha256 = "0k2vxhr9rjkya95wca4v2qihbs72yx9zv1z7snm0wgfy39y385fh"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/2df16abf56e53d4a1cc267a78797419520ff8a1c/recipes/epkg"; @@ -18760,22 +18781,22 @@ license = lib.licenses.free; }; }) {}; - erlang = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: + erlang = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "erlang"; - version = "20170208.306"; + version = "20170209.52"; src = fetchFromGitHub { owner = "erlang"; repo = "otp"; - rev = "47b4abf118e2dac88c5c2cbd531372cc217854ec"; - sha256 = "13fhkkfnvyf938gznl4av9gn7r4yyvw2rv438pabf0d0min37qqf"; + rev = "6282023d28588e4838f37ea45a060ec48ef5ba3f"; + sha256 = "01bbx82746abfqlr6hqja9jkvwalqyvxhdmzk6qarngyr2fpq1sa"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/d9cd526f43981e0826af59cdc4bb702f644781d9/recipes/erlang"; sha256 = "1cs768xxbyrr78ln50k4yknmpbcc1iplws3k07r0gx5f3ca73iaq"; name = "erlang"; }; - packageRequires = []; + packageRequires = [ emacs ]; meta = { homepage = "https://melpa.org/#/erlang"; license = lib.licenses.free; 
@@ -18924,22 +18945,22 @@ license = lib.licenses.free; }; }) {}; - es-mode = callPackage ({ cl-lib ? null, dash, fetchFromGitHub, fetchurl, lib, melpaBuild, spark }: + es-mode = callPackage ({ cl-lib ? null, dash, fetchFromGitHub, fetchurl, lib, melpaBuild, s, spark }: melpaBuild { pname = "es-mode"; - version = "20170207.1035"; + version = "20170213.1137"; src = fetchFromGitHub { owner = "dakrone"; repo = "es-mode"; - rev = "996730ebce57d810d2c275c7fadb11c2b1134dea"; - sha256 = "1qhfnd5anp5qrmravv7ks5ix763xnki2f5jwcyj70qyxwr0l60cg"; + rev = "9fb395996316c140f3a6c77afb10dcd37cb49126"; + sha256 = "0g2x3jwy3v45p6nqjfskj0w0c94gyvxm1xzi5yypnyhsj188fsyp"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/85445b59329bfd81a3fd913d7d6fe7784c31744c/recipes/es-mode"; sha256 = "1541c7d8gbi4mgxwk886hgsxhq7bfx8is7hjjg80sfn40z6kdwcp"; name = "es-mode"; }; - packageRequires = [ cl-lib dash spark ]; + packageRequires = [ cl-lib dash s spark ]; meta = { homepage = "https://melpa.org/#/es-mode"; license = lib.licenses.free; @@ -19326,12 +19347,12 @@ ess = callPackage ({ fetchFromGitHub, fetchurl, julia-mode, lib, melpaBuild }: melpaBuild { pname = "ess"; - version = "20170206.310"; + version = "20170211.805"; src = fetchFromGitHub { owner = "emacs-ess"; repo = "ESS"; - rev = "2ca23d826dfeeeb248739d68e5528286af3346a5"; - sha256 = "16i6zqnnj4c12y7bfhmk723gffqn05mjc9zs8lyb0c59s6la54c9"; + rev = "59233439aaa73ae34d548ab126fd3a79e8363c92"; + sha256 = "0p1hs4fy8aig504qck4j7c5jc9nw5fny42az1k56gifw6c243wfr"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/12997b9e2407d782b3d2fcd2843f7c8b22442c0a/recipes/ess"; 
@@ -19908,12 +19929,12 @@ evil-ediff = callPackage ({ evil, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "evil-ediff"; - version = "20170208.848"; + version = "20170213.539"; src = fetchFromGitHub { owner = "justbur"; repo = "evil-ediff"; - rev = "b77232b82ca0d81f2acd0d3ff60a8b99e0a30460"; - sha256 = "18rlwn2yn6yf11hfhvs76qk3i9l45gry3lpahpsd2gf426hd48mg"; + rev = "4f3b9652e5df58ccc454d970df558f921958894d"; + sha256 = "1nc7xq86v5ns3d47ifwnfm7x7x3qxb18rjqx37mqvga91nz2i1k3"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/45eb1339792849b80a3ec94b96a88dd36262df2b/recipes/evil-ediff"; @@ -20937,12 +20958,12 @@ exec-path-from-shell = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "exec-path-from-shell"; - version = "20161229.1338"; + version = "20170212.2116"; src = fetchFromGitHub { owner = "purcell"; repo = "exec-path-from-shell"; - rev = "0f53502d463eeeaefe48dfeb0c2fbaac1e6302e3"; - sha256 = "12mkh5sna8j0ijxc6fd8sr2zlk3p6w9q3fv5l3n16sjmnlj3cf0r"; + rev = "9def990ba4c30409a316d5cbf7b02296a394dece"; + sha256 = "1ghivxwslvsbcimhhacbl07kxc1kfv7gn95fwsdx687p9qyffyfb"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/3d8545191031bece15cf1706d81ad1d064f2a4bd/recipes/exec-path-from-shell"; @@ -20979,12 +21000,12 @@ expand-region = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "expand-region"; - version = "20170122.2241"; + version = "20170213.616"; src = fetchFromGitHub { owner = "magnars"; repo = "expand-region.el"; - rev = "c75dab7bf0f9bb392ceafb10de16deee87467fa6"; - sha256 = "0bhwv92wqccz8y5xm6gj71ryci8cpsnm8z8vmdj8lsf6ki8vz512"; + rev = "d9435e3d0954e9b791001a36d628124cc520445e"; + sha256 = "0i4463821lhi3cid6y3v3milq0ckagbdc513xs5vv3ri44h91n57"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cae2ac3513e371a256be0f1a7468e38e686c2487/recipes/expand-region"; 
@@ -21843,8 +21864,8 @@ src = fetchFromGitHub { owner = "technomancy"; repo = "find-file-in-project"; - rev = "1c50ca72acd816c5d5b3fbdb605bbd85a0172b11"; - sha256 = "0nzn5bccxr8nsxqbc2gx17hrydbx511h4ba6bz3gaf78qfppn2ff"; + rev = "08ab38b89d21f528fa7dc18f860191365852959a"; + sha256 = "1ybv1scpf7578zfjpl71nynzydq8g5607ai6l0vavprdhri70xdf"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cae2ac3513e371a256be0f1a7468e38e686c2487/recipes/find-file-in-project"; @@ -22463,12 +22484,12 @@ fluxus-mode = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild, osc }: melpaBuild { pname = "fluxus-mode"; - version = "20161124.1145"; + version = "20170210.1141"; src = fetchFromGitHub { owner = "defaultxr"; repo = "fluxus-mode"; - rev = "6670eeda008e2f0180e549624da708d5aa3599f6"; - sha256 = "1r2i88qv7zxcgccvyxpgq36ilsv3rdplx52pvd6kvfcw7whym205"; + rev = "3661d4dfdaf249138e7f215f15f291c9391ede8d"; + sha256 = "1dp974qs80agx9qcq5k5awdsr8p8smv8cdwkjz2d8xfd5wq2vhh9"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a3396e0da67153ad051b8551bf34630d32f974f4/recipes/fluxus-mode"; @@ -22547,12 +22568,12 @@ flycheck = callPackage ({ dash, emacs, fetchFromGitHub, fetchurl, let-alist, lib, melpaBuild, pkg-info, seq }: melpaBuild { pname = "flycheck"; - version = "20170209.1145"; + version = "20170212.1015"; src = fetchFromGitHub { owner = "flycheck"; repo = "flycheck"; - rev = "4c0aa8e00d9419a37dbb58a4faef36ab273b69c3"; - sha256 = "0ridbz5xnxr8lj83xn45h4y5pl09mwl053b3b3vq0z8dh3r8ac7n"; + rev = "3943b4cc991eba2d6aff6ef085ab34915dc274ee"; + sha256 = "1n2rl1b7xca5vyk6x60q7v3xn55n7a971xcmzz10yqh28qxn6qlg"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/649f9c3576e81409ae396606798035173cc6669f/recipes/flycheck"; 
@@ -24374,12 +24395,12 @@ flyspell-correct = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "flyspell-correct"; - version = "20161031.1134"; + version = "20170213.700"; src = fetchFromGitHub { owner = "d12frosted"; repo = "flyspell-correct"; - rev = "7e7f94a36699c7e7bba728df722e13a7b4af4b73"; - sha256 = "16lbhbgyrpp9ig9li1v31bs9i5z8dchjb1vrkcih020p3g9vwi27"; + rev = "1e19a2b506470e8d741b521da0bd9b66214256f3"; + sha256 = "03npd8yd9l64xmla3z7q86q267z9455kbsd8752w4737cjw65avl"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/fa06fbe3bc40ae5e3f6d10dee93a9d49e9288ba5/recipes/flyspell-correct"; @@ -24399,8 +24420,8 @@ src = fetchFromGitHub { owner = "d12frosted"; repo = "flyspell-correct"; - rev = "7e7f94a36699c7e7bba728df722e13a7b4af4b73"; - sha256 = "16lbhbgyrpp9ig9li1v31bs9i5z8dchjb1vrkcih020p3g9vwi27"; + rev = "1e19a2b506470e8d741b521da0bd9b66214256f3"; + sha256 = "03npd8yd9l64xmla3z7q86q267z9455kbsd8752w4737cjw65avl"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/ef7b9302d8f804c77eb81fee7ed27f13cb1176f6/recipes/flyspell-correct-helm"; @@ -24420,8 +24441,8 @@ src = fetchFromGitHub { owner = "d12frosted"; repo = "flyspell-correct"; - rev = "7e7f94a36699c7e7bba728df722e13a7b4af4b73"; - sha256 = "16lbhbgyrpp9ig9li1v31bs9i5z8dchjb1vrkcih020p3g9vwi27"; + rev = "1e19a2b506470e8d741b521da0bd9b66214256f3"; + sha256 = "03npd8yd9l64xmla3z7q86q267z9455kbsd8752w4737cjw65avl"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/ef7b9302d8f804c77eb81fee7ed27f13cb1176f6/recipes/flyspell-correct-ivy"; 
@@ -24441,8 +24462,8 @@ src = fetchFromGitHub { owner = "d12frosted"; repo = "flyspell-correct"; - rev = "7e7f94a36699c7e7bba728df722e13a7b4af4b73"; - sha256 = "16lbhbgyrpp9ig9li1v31bs9i5z8dchjb1vrkcih020p3g9vwi27"; + rev = "1e19a2b506470e8d741b521da0bd9b66214256f3"; + sha256 = "03npd8yd9l64xmla3z7q86q267z9455kbsd8752w4737cjw65avl"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/ef7b9302d8f804c77eb81fee7ed27f13cb1176f6/recipes/flyspell-correct-popup"; @@ -24725,6 +24746,27 @@ license = lib.licenses.free; }; }) {}; + font-lock-profiler = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: + melpaBuild { + pname = "font-lock-profiler"; + version = "20170208.1208"; + src = fetchFromGitHub { + owner = "Lindydancer"; + repo = "font-lock-profiler"; + rev = "6e096458416888a4f63cca0d6bc5965a052753c8"; + sha256 = "186fvyfbakz54fr8j1l7cijvaklw96m1hfbjyw7nha08zc2m1hw5"; + }; + recipeFile = fetchurl { + url = "https://raw.githubusercontent.com/milkypostman/melpa/b372892a29376bc3f0101ea5865efead41e1df26/recipes/font-lock-profiler"; + sha256 = "089r74jgi5gwjk9w1bc600vkj0p5ac84rgcl7aqcpqfbh9ylwcp9"; + name = "font-lock-profiler"; + }; + packageRequires = [ emacs ]; + meta = { + homepage = "https://melpa.org/#/font-lock-profiler"; + license = lib.licenses.free; + }; + }) {}; font-lock-studio = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "font-lock-studio"; 
@@ -25253,12 +25295,12 @@ fstar-mode = callPackage ({ dash, emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "fstar-mode"; - version = "20170209.744"; + version = "20170210.1336"; src = fetchFromGitHub { owner = "FStarLang"; repo = "fstar-mode.el"; - rev = "826422333deac91b390836a3bb4bb0b696c4f926"; - sha256 = "1zrpz6qdfwa9p7wp5pd0xsax1cvlz0vr177w9bkvwvnax8cy1n42"; + rev = "26ac5bb8fe1cafbf2bd09ef8a528af506c2caf8a"; + sha256 = "0gbcwj36ns34xqgjp6pxml6zn8kza080gyyf383vhqqfqp640vqj"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/e1198ee309675c391c479ce39efcdca23f548d2a/recipes/fstar-mode"; @@ -25277,8 +25319,8 @@ version = "20170107.626"; src = fetchgit { url = "git://factorcode.org/git/factor.git"; - rev = "d63c992d97f415ba97b115356d796e2da2dadbe1"; - sha256 = "15scnv8gbinazwf97da7crpmj6nlqi8ai4psk257x9c82p3jyln6"; + rev = "e826546c6d33ff02048b3652cc64058dde819f1c"; + sha256 = "1pgpmsyxilsqwjr57zd1afzr33fq0nnahx8ppih6pqnfza97008s"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/0c3633c23baa472560a489fc663a0302f082bcef/recipes/fuel"; @@ -25983,8 +26025,8 @@ src = fetchFromGitHub { owner = "javaguirre"; repo = "ghost-blog-emacs"; - rev = "19c2f62da87c756ff080a235bf1b115c88d499ba"; - sha256 = "1br27p8kqnj6gfii6xp37yd3rja876vhpcf784n98qhnkd7a63q1"; + rev = "d4e66d114ff7b846b967af4cff64dcafa381ead3"; + sha256 = "174swf066vcf99g38c9x5lxp14fyh59cy9lriywhm6hk7mcaakng"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/9b589edfacb807fb17936e139499bdd9673dad94/recipes/ghost-blog"; 
@@ -26193,8 +26235,8 @@ src = fetchFromGitHub { owner = "magit"; repo = "magit"; - rev = "ac9c50592722a2f03e6f28e54b9fb05e9460674b"; - sha256 = "0fyb5x22svqxpm7krd061hd2dzd30z2pnkxzqf8lx82j1zapqkqj"; + rev = "1643dc626ab28fd28eff8a94272f0f4fba8e2737"; + sha256 = "0fank75arc9bwndpv87jli7cadbh2dgka42m0nc5lqldykflnfd7"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cec5af50ae7634cc566adfbfdf0f95c3e2951c0c/recipes/git-commit"; @@ -27233,22 +27275,22 @@ license = lib.licenses.free; }; }) {}; - go-eldoc = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, go-mode, lib, melpaBuild }: + go-eldoc = callPackage ({ emacs, fetchFromGitHub, fetchurl, go-mode, lib, melpaBuild }: melpaBuild { pname = "go-eldoc"; - version = "20161012.616"; + version = "20170211.721"; src = fetchFromGitHub { owner = "syohex"; repo = "emacs-go-eldoc"; - rev = "ecf71a75ccfac7f9bc6fac64ef536f2ffb56b3bf"; - sha256 = "1q3l8x7qlcblxy0h4j48hzqjx90c14qh7nzbk8gds3ff2yrxy2kl"; + rev = "f9c6e25419c2d13f3841050ba66610a7ac728f49"; + sha256 = "033md85r3y5gxvw458l125d0jxc3k8yfn5im22zi64rrbwlwkifx"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/6ce1190db06cc214746215dd27648eded5fe5140/recipes/go-eldoc"; sha256 = "1k115dirfqxdnb6hdzlw41xdy2dxp38g3vq5wlvslqggha7gzhkk"; name = "go-eldoc"; }; - packageRequires = [ cl-lib go-mode ]; + packageRequires = [ emacs go-mode ]; meta = { homepage = "https://melpa.org/#/go-eldoc"; license = lib.licenses.free; 
@@ -27362,12 +27404,12 @@ go-playground = callPackage ({ emacs, fetchFromGitHub, fetchurl, go-mode, gotest, lib, melpaBuild }: melpaBuild { pname = "go-playground"; - version = "20170126.1240"; + version = "20170211.2"; src = fetchFromGitHub { owner = "grafov"; repo = "go-playground"; - rev = "eebb1fec2177bc85b746b948beac873a77bea4a2"; - sha256 = "0ixpcms4f0q8327jyp2k48x03vjxwmzdsq76vg4j0kmjs9dfad1v"; + rev = "70437bc4348ef252e4788f867c86622aff670f91"; + sha256 = "1mvldim8igbrnff80h0x7570bhhxa0pli84888wfylks30r9kg5x"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/900aabb7bc2350698f8740d72a5fad69c9219c33/recipes/go-playground"; @@ -27639,8 +27681,8 @@ src = fetchFromGitHub { owner = "golang"; repo = "lint"; - rev = "6d7efc48f3ecdd4fdd4035680f25173dbb22fdba"; - sha256 = "1i50sxyvvykdw51iafaw87aj2dwisgj0qcxi5gl1czdfw9x0v06k"; + rev = "b8599f7d71e7fead76b25aeb919c0e2558672f4a"; + sha256 = "0dlai5893607dirgwiw39zfmmp3iaswayym4gc1m4p7v9pvl7hx9"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/34f22d829257456abbc020c006b92da9c7a7860e/recipes/golint"; 
@@ -27800,27 +27842,6 @@ license = lib.licenses.free; }; }) {}; - goose-theme = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: - melpaBuild { - pname = "goose-theme"; - version = "20160828.545"; - src = fetchFromGitHub { - owner = "thwg"; - repo = "goose-theme"; - rev = "acd017b50ab25a75fd1331eb3de66467e2042e9c"; - sha256 = "1mmdvjsgnwgs6akhyj96fgj30mz53djdq85dl5q4cmiznlbma7hy"; - }; - recipeFile = fetchurl { - url = "https://raw.githubusercontent.com/milkypostman/melpa/818b526f3e633cf9922c011f3db5d3db7e17ee5d/recipes/goose-theme"; - sha256 = "18kfz61mhf8pvp3z5cdvjklla9p840p1dazylrgjb1g5hdwqw0n9"; - name = "goose-theme"; - }; - packageRequires = [ emacs ]; - meta = { - homepage = "https://melpa.org/#/goose-theme"; - license = lib.licenses.free; - }; - }) {}; gore-mode = callPackage ({ fetchFromGitHub, fetchurl, go-mode, lib, melpaBuild }: melpaBuild { pname = "gore-mode"; @@ -27968,12 +27989,12 @@ govc = callPackage ({ dash, emacs, fetchFromGitHub, fetchurl, json-mode, lib, magit-popup, melpaBuild, s }: melpaBuild { pname = "govc"; - version = "20170107.2101"; + version = "20170213.1516"; src = fetchFromGitHub { owner = "vmware"; repo = "govmomi"; - rev = "0a28e595c8e9e99879e8d2f796e82c5a68202ff0"; - sha256 = "1raknv2iv4hxdv8c8vxwrf1q90b9q4b5vgkbhmcfv08ii6s5dxn5"; + rev = "9bda6c3e3d4e1a477092cf2967ddbe5195cb7833"; + sha256 = "1shdh2hx6vildj8daqivy7227ywf7arz1wy2hzk46dck6q58w9ls"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/92d6391318021c63b06fe39b0ca38f667bb45ae9/recipes/govc"; 
@@ -28010,12 +28031,12 @@ grab-mac-link = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "grab-mac-link"; - version = "20170131.254"; + version = "20170211.619"; src = fetchFromGitHub { owner = "xuchunyang"; repo = "grab-mac-link.el"; - rev = "d428ce46eaf4243510955f05f0890250b74b1837"; - sha256 = "0zmvd6j21fynmyjzmychpghy23r800zmaj4naqz4jcand8skd79z"; + rev = "e47faf9c190d694b8b19b99bc919db98e51e67d8"; + sha256 = "1hkyd8mr2rrvkrm2rqmi2yb2way05jkxj3l6z3d8026l88rwiddy"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/e4cc8a72a9f161f024ed9415ad281dbea5f07a18/recipes/grab-mac-link"; @@ -28604,12 +28625,12 @@ guess-language = callPackage ({ cl-lib ? null, emacs, fetchFromGitHub, fetchurl, lib, melpaBuild, typo }: melpaBuild { pname = "guess-language"; - version = "20170210.216"; + version = "20170213.330"; src = fetchFromGitHub { owner = "tmalsburg"; repo = "guess-language.el"; - rev = "9763f9e81892c7dd2f5ffa6e771b356beeefafee"; - sha256 = "07k0cf3n3c9hmrhnj2h6yfp4hbw09qn22a5wq5c54bskfyhrkj4s"; + rev = "c0a9cd33d8233e2e0cd62b28fdb7128945b3de99"; + sha256 = "0jlhk8vqxhsjvrf5iln9rii8vcvcaz247cpk51fymy5sh4dbc5sw"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/6e78cb707943fcaaba0414d7af2af717efce84d0/recipes/guess-language"; 
@@ -29150,12 +29171,12 @@ haskell-mode = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "haskell-mode"; - version = "20170209.415"; + version = "20170210.1038"; src = fetchFromGitHub { owner = "haskell"; repo = "haskell-mode"; - rev = "f430fdce5ff747fb3c6490d29bc6be23d5444480"; - sha256 = "0z31wsbjq67dm8bfb5gcrncp3xif47vxr51gjyprsam9k5ixlmm4"; + rev = "0f8eabf8c633df2539a158108a7c9083f894970f"; + sha256 = "0a3iqsq6pdsifylydk1wqrf45y5j9r86imh5pac15r2p0xqg6p46"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/7f18b4dcbad4192b0153a316cff6533272898f1a/recipes/haskell-mode"; @@ -29418,12 +29439,12 @@ helm = callPackage ({ async, emacs, fetchFromGitHub, fetchurl, helm-core, lib, melpaBuild, popup }: melpaBuild { pname = "helm"; - version = "20170209.513"; + version = "20170211.2302"; src = fetchFromGitHub { owner = "emacs-helm"; repo = "helm"; - rev = "bbd39ac5d2833e50882a8736b846e432aea3a754"; - sha256 = "0px36psp6lp3wih8i8xv0q4yb6c3ps39mkrlc8b8a50zf7bi75x7"; + rev = "fdc277116bcc57917a17838a388d880f7c7ea83b"; + sha256 = "0s0qnwx8sm4dm0hgn70433rvkqw7144a3pvsk3yli56crvdpxvi4"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/7e8bccffdf69479892d76b9336a4bec3f35e919d/recipes/helm"; @@ -29989,8 +30010,8 @@ src = fetchFromGitHub { owner = "emacs-helm"; repo = "helm"; - rev = "bbd39ac5d2833e50882a8736b846e432aea3a754"; - sha256 = "0px36psp6lp3wih8i8xv0q4yb6c3ps39mkrlc8b8a50zf7bi75x7"; + rev = "fdc277116bcc57917a17838a388d880f7c7ea83b"; + sha256 = "0s0qnwx8sm4dm0hgn70433rvkqw7144a3pvsk3yli56crvdpxvi4"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/ef7a700c5665e6d72cb4cecf7fb5a2dd43ef9bf7/recipes/helm-core"; 
@@ -30384,12 +30405,12 @@ helm-flyspell = callPackage ({ fetchFromGitHub, fetchurl, helm, lib, melpaBuild }: melpaBuild { pname = "helm-flyspell"; - version = "20160927.1648"; + version = "20170210.1101"; src = fetchFromGitHub { owner = "pronobis"; repo = "helm-flyspell"; - rev = "5aeace7004cbb689276fb5056a9935d27593ce8c"; - sha256 = "1jnphdmh6j252bgyxw5jl01wkfwnjrv2j7isnq40xnqs4azjwz80"; + rev = "8d4d947c687cb650cb149aa2271ad5201ea92594"; + sha256 = "0q0xcgg8w9rrlsrrnk0l7qd8q7jc6x1agm2i769j21wpyfv1nbns"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/f8c5b91762d47a4d3024f1ed7f19666c6f2d5ce5/recipes/helm-flyspell"; @@ -30573,12 +30594,12 @@ helm-gitignore = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, gitignore-mode, helm, lib, melpaBuild, request }: melpaBuild { pname = "helm-gitignore"; - version = "20150517.2056"; + version = "20170210.1608"; src = fetchFromGitHub { owner = "jupl"; repo = "helm-gitignore"; - rev = "03aad6edb0ed4471c093230856f26719754e570b"; - sha256 = "0pd755s5zcg8y1svxj3g8m0znkp6cyx5y6lsj4lxczrk7lynzc3g"; + rev = "2a2e7da7855a6db0ab3bb6a6a087863d7abd4391"; + sha256 = "07770qhy56cf5l69mk6aq882sryjbfjd05kdk78v65mgmlwv806a"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/3146b9309e8cbe464330dcd1f5b8a9fd8788ad6f/recipes/helm-gitignore"; @@ -31584,8 +31605,8 @@ src = fetchFromGitHub { owner = "asok"; repo = "helm-rails"; - rev = "31d79cd0feca11cbb1aa532a8d2112ec794de4f0"; - sha256 = "1a26r21jvgzk21vh3mf29s1dhvvv70jh860zaq9ihrpfrrl91158"; + rev = "506d9948d45dfbc575c9c4c0d102c1ad2f511e82"; + sha256 = "0i5ps5yds21bsrx86piy9bdgca95l1farsrbjpqz88ad8pq6xa9c"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/3af52fd266364a81ff42eb6d08389fa549bd6c2c/recipes/helm-rails"; 
@@ -32700,11 +32721,11 @@ highlight-operators = callPackage ({ fetchhg, fetchurl, lib, melpaBuild }: melpaBuild { pname = "highlight-operators"; - version = "20160517.1349"; + version = "20170213.1420"; src = fetchhg { url = "https://bitbucket.com/jpkotta/highlight-operators"; - rev = "c06a29726f3e"; - sha256 = "0fqfxwdz1xbc6dwxbjdhryvnvrb5vc38cq7c2yiz294mfzyn3l5s"; + rev = "3938e88e78c5"; + sha256 = "1h5whrc1iphzq0g8x9mmkhjkbmbdg9i9bvr1y8zrwrs8za8k127y"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/e7bd74b7a3484e437c6db4f18613744ebae030f5/recipes/highlight-operators"; @@ -32759,6 +32780,27 @@ license = lib.licenses.free; }; }) {}; + highlight-refontification = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: + melpaBuild { + pname = "highlight-refontification"; + version = "20170211.1224"; + src = fetchFromGitHub { + owner = "Lindydancer"; + repo = "highlight-refontification"; + rev = "32632897d88c4611fadb08517ca00ef5cbc989b6"; + sha256 = "1k6af947h70ivkj31mk3nv2vkxlfpqvpwq8za53n2l7adsjdlf73"; + }; + recipeFile = fetchurl { + url = "https://raw.githubusercontent.com/milkypostman/melpa/d6c59f2b5cf1594248e8365b6ce3324f493c5647/recipes/highlight-refontification"; + sha256 = "0cm9p4d7yhkz5a88m0y4646a6b9lb2ha7q12fcrdikyckpmbkqss"; + name = "highlight-refontification"; + }; + packageRequires = []; + meta = { + homepage = "https://melpa.org/#/highlight-refontification"; + license = lib.licenses.free; + }; + }) {}; highlight-stages = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "highlight-stages"; 
@@ -34211,8 +34253,8 @@ src = fetchFromGitHub { owner = "DarwinAwardWinner"; repo = "ido-ubiquitous"; - rev = "a1c2965e31ebc6bf6f86fba0184415da32a8214d"; - sha256 = "0fvsi6hll1x0nvx1axsmsfv93pydkpmzq36hjw4kkp07nrf2byrz"; + rev = "2d6d38edc0798d9552fc3430bc2dd7ff5025ced1"; + sha256 = "0cks67cgbcv19hjim2jbvpqcgfwg61bssvm5d864bb32ygdg51af"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/4a227a6d44f1981e8a3f73b253d2c33eb18ef72f/recipes/ido-completing-read+"; @@ -34501,12 +34543,12 @@ ido-ubiquitous = callPackage ({ cl-lib ? null, emacs, fetchFromGitHub, fetchurl, ido-completing-read-plus, lib, melpaBuild }: melpaBuild { pname = "ido-ubiquitous"; - version = "20160623.815"; + version = "20170211.1432"; src = fetchFromGitHub { owner = "DarwinAwardWinner"; repo = "ido-ubiquitous"; - rev = "a1c2965e31ebc6bf6f86fba0184415da32a8214d"; - sha256 = "0fvsi6hll1x0nvx1axsmsfv93pydkpmzq36hjw4kkp07nrf2byrz"; + rev = "2d6d38edc0798d9552fc3430bc2dd7ff5025ced1"; + sha256 = "0cks67cgbcv19hjim2jbvpqcgfwg61bssvm5d864bb32ygdg51af"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/4a227a6d44f1981e8a3f73b253d2c33eb18ef72f/recipes/ido-ubiquitous"; @@ -34874,12 +34916,12 @@ imenu-list = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "imenu-list"; - version = "20160211.341"; + version = "20170212.518"; src = fetchFromGitHub { owner = "bmag"; repo = "imenu-list"; - rev = "a68d596b437ce1c125d8bd5414467ca1ff55bdcc"; - sha256 = "1j0p0zkk89lg5xk5qzdnj9nxxiaxhff2y9iv9lw456kvb3lsyvjk"; + rev = "415a8db6598e949e4389f2e06dc2c28f96892214"; + sha256 = "0w1x3psbzwqmbjm2dcqx4x72p43pdsliz0z40g2zjqkbqjs2al2q"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/86dea881a5b2d0458449f08b82c2614ad9abd068/recipes/imenu-list"; 
@@ -35248,12 +35290,12 @@ inf-ruby = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "inf-ruby"; - version = "20170115.1602"; + version = "20170212.1444"; src = fetchFromGitHub { owner = "nonsequitur"; repo = "inf-ruby"; - rev = "bf380c13e50c18b6bac6651b22b6fc6ba349062f"; - sha256 = "1in57d8q33x68ccxng13yp8l4frdgab3nx74p4n4lxa183qcs2n5"; + rev = "af4f238ef4555521d13c5eb2fb8e818acf59d70a"; + sha256 = "1668dr6y0nph739x947kjz435qikg77m8ja7h6laf3f9wzcxcg9s"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cae2ac3513e371a256be0f1a7468e38e686c2487/recipes/inf-ruby"; @@ -35664,12 +35706,12 @@ interleave = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "interleave"; - version = "20170110.234"; + version = "20170211.807"; src = fetchFromGitHub { owner = "rudolfochrist"; repo = "interleave"; - rev = "0993383bf4a36f8e4480e5ea50226e1f8fa549c8"; - sha256 = "1f4syyfga5f49nvlcw4ajxabxki9hglf89mslxkh15zib3mpakf9"; + rev = "822ae2d29aaf92bcf96324442126b551e4477d6a"; + sha256 = "0nq2f6pgq4vszy3hx84qdml4i9lbqlrh9knqgwgrl819vr15srqg"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/6c43d4aaaf4fca17f2bc0ee90a21c51071886ae2/recipes/interleave"; @@ -36247,8 +36289,8 @@ src = fetchFromGitHub { owner = "abo-abo"; repo = "swiper"; - rev = "d23d1feefccd658f013cbf7d1b052767bed9b2b6"; - sha256 = "0fffs5l45hrz7qv4gxwdn4prabl49zgx74daxyflrlkmbffy0gr4"; + rev = "5f732cdce5ac2529f36b5c8cc9f053789783de45"; + sha256 = "1ha7filrnkdya4905yy002n1hjdl23k9hbb2w2id3wfj0cbw930f"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/06c24112a5e17c423a4d92607356b25eb90a9a7b/recipes/ivy"; 
@@ -36331,8 +36373,8 @@ src = fetchFromGitHub { owner = "abo-abo"; repo = "swiper"; - rev = "d23d1feefccd658f013cbf7d1b052767bed9b2b6"; - sha256 = "0fffs5l45hrz7qv4gxwdn4prabl49zgx74daxyflrlkmbffy0gr4"; + rev = "5f732cdce5ac2529f36b5c8cc9f053789783de45"; + sha256 = "1ha7filrnkdya4905yy002n1hjdl23k9hbb2w2id3wfj0cbw930f"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/06c24112a5e17c423a4d92607356b25eb90a9a7b/recipes/ivy-hydra"; @@ -36931,15 +36973,36 @@ license = lib.licenses.free; }; }) {}; + jdecomp = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: + melpaBuild { + pname = "jdecomp"; + version = "20170212.2147"; + src = fetchFromGitHub { + owner = "xiongtx"; + repo = "jdecomp"; + rev = "1590b06f139f036c1041e1ce5c0acccaa24b31a7"; + sha256 = "0sb9vzn6cycys31r98kxwgpn7v9aw5ck86nkskmn9hhhkrfsabii"; + }; + recipeFile = fetchurl { + url = "https://raw.githubusercontent.com/milkypostman/melpa/d7725a5b3e2aa065cc6f9bac55575151cfdc7791/recipes/jdecomp"; + sha256 = "1s8y7q361300i7f6pany1phxzr42j8gcdv9vpin05xx15p2nr3qz"; + name = "jdecomp"; + }; + packageRequires = [ emacs ]; + meta = { + homepage = "https://melpa.org/#/jdecomp"; + license = lib.licenses.free; + }; + }) {}; jdee = callPackage ({ dash, emacs, fetchFromGitHub, fetchurl, flycheck, lib, melpaBuild, memoize }: melpaBuild { pname = "jdee"; - version = "20170209.1026"; + version = "20170211.609"; src = fetchFromGitHub { owner = "jdee-emacs"; repo = "jdee"; - rev = "60bf9339d1871e06e37865b58be4b6716d081a7c"; - sha256 = "09hv4pm5p1m4wpr7wfvxda6w1y5wacg6apbn90c6w0zgivq89k4i"; + rev = "0ac750cb6c3b9b9f0c4c8d440a88bc9d7377d9f7"; + sha256 = "094sip7s0vqvn7xv6w66gd3pxhsdb3a1psvcv4dyliqj2zkfa3q4"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a6d2c98f3bf2075e33d95c7befe205df802e798d/recipes/jdee"; 
@@ -37706,12 +37769,12 @@ julia-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "julia-mode"; - version = "20161027.625"; + version = "20170210.1504"; src = fetchFromGitHub { owner = "JuliaLang"; repo = "julia-emacs"; - rev = "feb6e79dddc8f992f85ae8c955ce024d57ec5e26"; - sha256 = "015y0y5xx7b3iky3r9gdnkh4kq1nxvdshvmlb0yy3mg71s62xi76"; + rev = "9c36479c83039c4fc26e583bb1c4dc27de058a4e"; + sha256 = "1w9fhc8k8zxxiscpyip39rrwd2yr1xpxias16scj470mviwh7j26"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/8522d197cb1b2c139959e7189765001c5ee7e61a/recipes/julia-mode"; @@ -38482,8 +38545,8 @@ src = fetchFromGitHub { owner = "kivy"; repo = "kivy"; - rev = "b15c6507a60ed3ef6dc3cb9489ddc8ca6ebba4b2"; - sha256 = "0bkk8cld7g0id0xs7ql6piyzdng6rzn4w0i3xlkhlq759mv413dg"; + rev = "ec7f2477ac417e4ccad245b3ce69472c3766d008"; + sha256 = "063wp6fv6wi5qc7ybam6swmhmakavg3lh7n8v4lms7zjiq47c90c"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/688e2a114073958c413e56e1d117d48db9d16fb8/recipes/kivy-mode"; @@ -39356,12 +39419,12 @@ leuven-theme = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "leuven-theme"; - version = "20170129.1131"; + version = "20170211.1157"; src = fetchFromGitHub { owner = "fniessen"; repo = "emacs-leuven-theme"; - rev = "98c8e660f24d9e4873aa5cee00f47437ac301084"; - sha256 = "10fwz2zlyvvlwnjb2dxdb8gfvcfb1y0j0qkagbk5lkyb6j65yayl"; + rev = "4d32174f5930bd4de81117d83a232768cf96ce4c"; + sha256 = "1w64pa0rl2fr8z3l0bq4sw4543rfp53zdgjm5gm5f84py3fjkwmc"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/b09451f4eb2be820e94d3fecbf4ec7cecd2cabdc/recipes/leuven-theme"; 
@@ -39420,8 +39483,8 @@ src = fetchFromGitHub { owner = "rvirding"; repo = "lfe"; - rev = "332f39d3fef443ef2d869b6a393e8a1c16a7e1f9"; - sha256 = "11n8d8rbjgi3wfhcwidavg3wfsn1fvdzpqi4s3m8lqc2gq2srccn"; + rev = "640ef0f7251ae23b43f6824bd4f116fa2ee16b9b"; + sha256 = "067n6i4vvjldwrm2xif7qskbxy59aqz8jrkjniq4kv8jgpab9iwc"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/c44bdb00707c9ef90160e0a44f7148b480635132/recipes/lfe-mode"; @@ -39733,12 +39796,12 @@ lispy = callPackage ({ ace-window, emacs, fetchFromGitHub, fetchurl, hydra, iedit, lib, melpaBuild, swiper, zoutline }: melpaBuild { pname = "lispy"; - version = "20170209.125"; + version = "20170212.1136"; src = fetchFromGitHub { owner = "abo-abo"; repo = "lispy"; - rev = "205cd556621d5d1db0c6e9f2608a80fc014b492d"; - sha256 = "080azhzp6gd1ihkd6ydbcrqzrhggprwn08n9pz7ms0cd75vwxj9k"; + rev = "3dcacc88a0964550b7f4f37290e46cecee8843d8"; + sha256 = "0vhysxh264bdh4rmfnk0hczb80fi8gbhvbnc9ah1nip9l53m1gdf"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/e23c062ff32d7aeae486c01e29c56a74727dcf1d/recipes/lispy"; @@ -39983,12 +40046,12 @@ literate-coffee-mode = callPackage ({ coffee-mode, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "literate-coffee-mode"; - version = "20160114.434"; + version = "20170211.715"; src = fetchFromGitHub { owner = "syohex"; repo = "emacs-literate-coffee-mode"; - rev = "996bffe70499fb807b824a4a03d7fa0e5b675c82"; - sha256 = "1wxysnsigjw40ykdwngg0gqfaag0dx6zg029i2zx25kl3gr1lflc"; + rev = "55ce0305495f4a38c8063c4bd63deb1e1252373d"; + sha256 = "1gm89azjgsdg0c7z9yprpjbph211c5jnqv11pkf1i1r1wzx0wanj"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a20410e916d45e5b243e7eb3bb2226c7e1e67b00/recipes/literate-coffee-mode"; 
@@ -40046,12 +40109,12 @@ live-py-mode = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "live-py-mode"; - version = "20170209.2119"; + version = "20170212.2013"; src = fetchFromGitHub { owner = "donkirkby"; repo = "live-py-plugin"; - rev = "61822a570283987d93543a4fd230c738813072cf"; - sha256 = "1chf8vkr3sn3i63q1rzpn3cxw16fqv29bbhrzw64scgdjqjn796w"; + rev = "c4e28fdf6c409c870ecbb7b4d3c19d0dda76e79c"; + sha256 = "19m2k9srlc8v5nrb4a44v8pdcfg9zbx28b5s7qa7m676b3yav58b"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/c7615237e80b46b5c50cb51a3ed5b07d92566fb7/recipes/live-py-mode"; @@ -40133,8 +40196,8 @@ version = "20150910.644"; src = fetchgit { url = "http://llvm.org/git/llvm"; - rev = "7f4371b614a6e25f0efd2133d11d631329eba1fb"; - sha256 = "0wa86zmbs3i8v50yvww5anzl29194vfkgn9zdh24vkzwxlshfmwk"; + rev = "9053d357baecccf1399f934c5faea2b2e6c0a742"; + sha256 = "09p441mrp4bfg5imh2dghz0zr95qibh0hwv278lbdbq33svl8qmg"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/05b7a689463c1dd4d3d00b992b9863d10e93112d/recipes/llvm-mode"; @@ -40507,8 +40570,8 @@ src = fetchFromGitHub { owner = "vibhavp"; repo = "emacs-lsp"; - rev = "de6e3615b0c0775bd9739aeb98ce629e59f77695"; - sha256 = "1bfspb3iwr6py6v8k3h5qc84bhgp1w80zvgn3kvkm27mlh6qpbv9"; + rev = "7f43aa9c669832f1c2f22a3f785f3cd05aacfe02"; + sha256 = "0dfyyjvzh55cnm33w6gq841cbldki8yfzqpz37gs98zxy0wkc6kw"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/b192c90c96e24ccb464ac56e624a2fd527bc5cc9/recipes/lsp-mode"; 
@@ -40794,12 +40857,12 @@ magit = callPackage ({ async, dash, emacs, fetchFromGitHub, fetchurl, git-commit, lib, magit-popup, melpaBuild, with-editor }: melpaBuild { pname = "magit"; - version = "20170208.834"; + version = "20170213.927"; src = fetchFromGitHub { owner = "magit"; repo = "magit"; - rev = "ac9c50592722a2f03e6f28e54b9fb05e9460674b"; - sha256 = "0fyb5x22svqxpm7krd061hd2dzd30z2pnkxzqf8lx82j1zapqkqj"; + rev = "1643dc626ab28fd28eff8a94272f0f4fba8e2737"; + sha256 = "0fank75arc9bwndpv87jli7cadbh2dgka42m0nc5lqldykflnfd7"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/68bb049b7c4424345f5c1aea82e950a5e47e9e47/recipes/magit"; @@ -40822,12 +40885,12 @@ magit-annex = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, magit, melpaBuild }: melpaBuild { pname = "magit-annex"; - version = "20161115.1528"; + version = "20170211.1601"; src = fetchFromGitHub { owner = "magit"; repo = "magit-annex"; - rev = "74e0343b4152ad5c0d4f77f9f15dd6f1b02de432"; - sha256 = "08mpnj9c43p528iy3hj8yljhzpkpjxkjiaiiss5n2jgyyc64hw9z"; + rev = "2437efb93767b352eecf27f5d5e3513e34a395ca"; + sha256 = "1pmsbl8jh3dgs42k7b0a9ya1ywwy5435pshplc23z33i7qplva9f"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cec5af50ae7634cc566adfbfdf0f95c3e2951c0c/recipes/magit-annex"; @@ -40973,8 +41036,8 @@ src = fetchFromGitHub { owner = "magit"; repo = "magit"; - rev = "ac9c50592722a2f03e6f28e54b9fb05e9460674b"; - sha256 = "0fyb5x22svqxpm7krd061hd2dzd30z2pnkxzqf8lx82j1zapqkqj"; + rev = "1643dc626ab28fd28eff8a94272f0f4fba8e2737"; + sha256 = "0fank75arc9bwndpv87jli7cadbh2dgka42m0nc5lqldykflnfd7"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cec5af50ae7634cc566adfbfdf0f95c3e2951c0c/recipes/magit-popup"; 
@@ -41032,12 +41095,12 @@ magit-svn = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, magit, melpaBuild }: melpaBuild { pname = "magit-svn"; - version = "20170118.925"; + version = "20170213.433"; src = fetchFromGitHub { owner = "magit"; repo = "magit-svn"; - rev = "d9e61effc55480694014e5422e8f74f0f17a757a"; - sha256 = "128ra3habdqk1rsnmy87m0aw2pqi033dqmmjmgsmfblnfvi987p9"; + rev = "c833903732a14478f5c4cfc561bae7c50671b36c"; + sha256 = "01kcsc53q3mbhgjssjpby7ypnhqsr48rkl1xz3ahaypmlp929gl9"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cec5af50ae7634cc566adfbfdf0f95c3e2951c0c/recipes/magit-svn"; @@ -41074,12 +41137,12 @@ magithub = callPackage ({ emacs, fetchFromGitHub, fetchurl, git-commit, lib, magit, melpaBuild, s, with-editor }: melpaBuild { pname = "magithub"; - version = "20170203.437"; + version = "20170213.1926"; src = fetchFromGitHub { owner = "vermiculus"; repo = "magithub"; - rev = "6880e5efb73e0cc8b8b71c639328cbec29d9cb9d"; - sha256 = "1l82vibgmhpwpsarvh40js6q044b458h3i7r0wm7l897izsxkk84"; + rev = "a94502461ada9098ccb031ec6241414dcbfce989"; + sha256 = "0wsk7qhvz1k41lfajx0hrrdj5pwvqr2m10a9lil1f124pkc883w0"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/4605012c9d43403e968609710375e34f1b010235/recipes/magithub"; @@ -41431,12 +41494,12 @@ mandoku = callPackage ({ fetchFromGitHub, fetchurl, git, github-clone, lib, magit, melpaBuild, org }: melpaBuild { pname = "mandoku"; - version = "20170210.348"; + version = "20170210.2253"; src = fetchFromGitHub { owner = "mandoku"; repo = "mandoku"; - rev = "2727f2b1b217764e8217fb0db9ab87a8bcc80201"; - sha256 = "1lxmxka6jg3ma6nmg5b4b6a2lz94in43pgb7gh1kprwl3i13578w"; + rev = "578d87183d2a759811a5d1eab4dc9c74513e557c"; + sha256 = "02zgc56s1wl7a27vrgycfgsy0fd6xbsbhgnpy6rrq5iyrb6a6wnc"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/1aac4ae2c908de2c44624fb22a3f5ccf0b7a4912/recipes/mandoku"; 
@@ -41498,8 +41561,8 @@ src = fetchFromGitHub { owner = "nlamirault"; repo = "marcopolo"; - rev = "85db828f2bb4346a811b3326349b1c6d0aae4601"; - sha256 = "1qf724y1zq3z6fzm23qhwjl2knhs49nbz0vizwf8g9s51bk6bny2"; + rev = "e53ee8a0822d092d8669d75138f6d73f46d076f9"; + sha256 = "1hhqgwx65489rdq9qd8v0dpcnwicfr772j3i4k8cmnn2lkr3fmm8"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/936a1cff601594575c5b550c5eb16e7dafc8a5ab/recipes/marcopolo"; @@ -41557,12 +41620,12 @@ markdown-edit-indirect = callPackage ({ edit-indirect, emacs, fetchFromGitHub, fetchurl, lib, markdown-mode, melpaBuild }: melpaBuild { pname = "markdown-edit-indirect"; - version = "20170208.722"; + version = "20170210.1504"; src = fetchFromGitHub { owner = "emacs-pe"; repo = "markdown-edit-indirect.el"; - rev = "f617397e5f1a77d87a1d189f66c5a2f012f66b4d"; - sha256 = "00l6mkvsfq37jy3c7qmw4ca5h0an9326ambrkrna4ii03qlshqik"; + rev = "980d8bf3a123a72aef18f608e99be3472be100c3"; + sha256 = "1idsh6gsm7kaz7i8kv3s326qxnd2j3nmwn8ykbnfwracm6him3qf"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/fa4da9d5c63da3bd777101098168696f5c4d3fbc/recipes/markdown-edit-indirect"; @@ -42063,12 +42126,12 @@ mbsync = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "mbsync"; - version = "20170118.448"; + version = "20170213.357"; src = fetchFromGitHub { owner = "dimitri"; repo = "mbsync-el"; - rev = "874b6dd2debabf5dd5516db7f976634157bb7eec"; - sha256 = "1i068rw9kg9z8pbja4qhh6cqn3ysbgf79cl31c2pvdz3p6fgaks6"; + rev = "a1fbd1a350e7da5cf4da09ded0443bfee826a45a"; + sha256 = "0a52s9pvh83hdj05rg04na6pnr4dra256h64bgdvf65703yfbs8k"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/3ef6ffa53bb0ce2ba796555e39f59534fc134aa5/recipes/mbsync"; 
@@ -42147,12 +42210,12 @@ meghanada = callPackage ({ company, emacs, fetchFromGitHub, fetchurl, flycheck, lib, melpaBuild, yasnippet }: melpaBuild { pname = "meghanada"; - version = "20170131.627"; + version = "20170212.2226"; src = fetchFromGitHub { owner = "mopemope"; repo = "meghanada-emacs"; - rev = "6b1b514ca3424c08301325f99608510130365cd1"; - sha256 = "1pl65186k696mx6lm6lnn2jm86kwky780rph97cqb1dy506qpqxf"; + rev = "9f73f1b0656a6a2ea55bbacf7659ffd3b35cdd9d"; + sha256 = "0hnhzkkggv035x0qkxmw64migq6v6jpg8m6ayfc95avimyf1j67r"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/4c75c69b2f00be9a93144f632738272c1e375785/recipes/meghanada"; @@ -44131,11 +44194,11 @@ multi-project = callPackage ({ fetchhg, fetchurl, lib, melpaBuild }: melpaBuild { pname = "multi-project"; - version = "20170128.1236"; + version = "20170212.1130"; src = fetchhg { url = "https://bitbucket.com/ellisvelo/multi-project"; - rev = "1b4aa85d1e65"; - sha256 = "0pgj1kkv7ddbg3zk4b6q4d6r4xw8dhsj4wwg9ydxd9ahdlbb6i66"; + rev = "7465189ae9ac"; + sha256 = "1zgvg3gx283jgclqyl141p2nbrc21x775d4nnz9fp8bxz3gci7nk"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/5b7972602399f9df9139cff177e38653bb0f43ed/recipes/multi-project"; @@ -45314,12 +45377,12 @@ nginx-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "nginx-mode"; - version = "20161023.223"; + version = "20170213.1326"; src = fetchFromGitHub { owner = "ajc"; repo = "nginx-mode"; - rev = "a04cef3a07d235eb03bd944fe6923664493896ee"; - sha256 = "0bk5jjh0rz81q27k105f5azvgy1zcn4w33xygzzpblks760dkgar"; + rev = "b58708d15a6659577945c0aa3a63983eebff2e67"; + sha256 = "0y2wwgvm3495h6hms425gzgi3qx2wn33xq6b7clrvj4amfy29qix"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a6da3640b72496e2b32e6ed21aa39df87af9f7f3/recipes/nginx-mode"; 
@@ -45423,8 +45486,8 @@ src = fetchFromGitHub { owner = "martine"; repo = "ninja"; - rev = "2993752dd617ada5218836dd6545fb06690e238b"; - sha256 = "0lwh4jb3q7gdchapd83lg6zj9gpmff6fvlny4vfhp7q95xd7nz36"; + rev = "fb3c70049b82d53101fc6086a1699ecf16966792"; + sha256 = "0amylb876720959hhsd31k025l1d3rv1i9i8qhf2k1skd8xfrvpj"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/aed2f32a02cb38c49163d90b1b503362e2e4a480/recipes/ninja-mode"; @@ -45465,8 +45528,8 @@ src = fetchFromGitHub { owner = "NixOS"; repo = "nix"; - rev = "4724903c78e80481fc63d627081fac6a98e4205d"; - sha256 = "1wqyha271xvlyjmk4ygqhdj8m8gcz2f9npknpz5vriqnpv22hwmr"; + rev = "62ff5ad424547630e70f35406da85fbb5ec3445a"; + sha256 = "1xcx70km6zb8qmnjb2fsk66qmx2lpqv94rfp34a0bpn98an7akwc"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/f2b542189cfde5b9b1ebee4625684949b6704ded/recipes/nix-mode"; @@ -47914,12 +47977,12 @@ org-download = callPackage ({ async, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "org-download"; - version = "20170202.927"; + version = "20170213.1151"; src = fetchFromGitHub { owner = "abo-abo"; repo = "org-download"; - rev = "c63b057e84b8ba1e7c969391a0263f7d0ce936e4"; - sha256 = "1qb0vqk1k7v0ydhfwsvhfqrjfm3c5baz8358ibivnm126d2hbsya"; + rev = "137c3d2aa083283a3fc853f9ecbbc03039bf397b"; + sha256 = "0c4vvpccmc60bavywsd0lijzyzchs6cdmp8y36d70lmp4s66863v"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/edab283bc9ca736499207518b4c9f5e71e822bd9/recipes/org-download"; 
@@ -48315,8 +48378,8 @@ version = "20140107.519"; src = fetchgit { url = "git://orgmode.org/org-mode.git"; - rev = "eb59c75f394ddec8f0714ccff3e9a6280ee1898d"; - sha256 = "0sk3232jgrnfjxix8mrrcq8zwxww16iy6vpsq5njh8avqdf6mi9n"; + rev = "2e3270984332013b8df22d2995bdeba256534a63"; + sha256 = "1ixr16v2gfg5gyj42gic6kipqa3c8vv6iq1qdj9gj0ky6zlyy9wg"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/ee69e5e7b1617a29919d5fcece92414212fdf963/recipes/org-mac-iCal"; @@ -48335,8 +48398,8 @@ version = "20170105.1723"; src = fetchgit { url = "git://orgmode.org/org-mode.git"; - rev = "eb59c75f394ddec8f0714ccff3e9a6280ee1898d"; - sha256 = "0sk3232jgrnfjxix8mrrcq8zwxww16iy6vpsq5njh8avqdf6mi9n"; + rev = "2e3270984332013b8df22d2995bdeba256534a63"; + sha256 = "1ixr16v2gfg5gyj42gic6kipqa3c8vv6iq1qdj9gj0ky6zlyy9wg"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/b86c666ee9b0620390a250dddd42b17cbec2409f/recipes/org-mac-link"; @@ -49835,8 +49898,8 @@ src = fetchFromGitHub { owner = "jkitchin"; repo = "scimax"; - rev = "f0eae25e9d5c7e426551c2ae2ba5695f0df2cff2"; - sha256 = "1lxh2zangf0r8xd11h9fja6jcgxfs6miw2n5r89z92nj0b0vsh3g"; + rev = "b3d9d6310a411ada0212c702a75f32dc2f7743a1"; + sha256 = "1hllqlh89y4cn7jx72bxljvvys6avgnq2qb2543q8iabh1jj4q2m"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/222ccf4480395bda8c582ad5faf8c7902a69370e/recipes/ox-clip"; 
@@ -50686,6 +50749,27 @@ license = lib.licenses.free; }; }) {}; + paperless = callPackage ({ cl-lib ? null, emacs, f, fetchFromGitHub, fetchurl, lib, melpaBuild, s }: + melpaBuild { + pname = "paperless"; + version = "20170213.503"; + src = fetchFromGitHub { + owner = "atgreen"; + repo = "paperless"; + rev = "abf43ed368c909dfeeab1faa5b91763976945b81"; + sha256 = "0qlwbwym4575kxxssi9y2g60ai9k5pccbjp963rkwsnabczg0lxg"; + }; + recipeFile = fetchurl { + url = "https://raw.githubusercontent.com/milkypostman/melpa/921ba9059183a57e08f9c79af2b28bb77a210508/recipes/paperless"; + sha256 = "02jbqdhbq4b3yb9lrqkwaxmyymvcqrjswhzp4sbccw6arla4q7wg"; + name = "paperless"; + }; + packageRequires = [ cl-lib emacs f s ]; + meta = { + homepage = "https://melpa.org/#/paperless"; + license = lib.licenses.free; + }; + }) {}; paradox = callPackage ({ emacs, fetchFromGitHub, fetchurl, hydra, let-alist, lib, melpaBuild, seq, spinner }: melpaBuild { pname = "paradox"; @@ -51193,8 +51277,8 @@ src = fetchFromGitHub { owner = "promethial"; repo = "paxedit"; - rev = "48df0a26285f68cd20ea64368e7bf2a5fbf13135"; - sha256 = "0z32lb2s943vk9fincsifdrjqmk7ks2skpzr6g4s3gd40sz5imfz"; + rev = "09f3d5aeb108937a801e77ef413e29eaa4ecc4be"; + sha256 = "1yd5wh8fsxh3v2fgpxm2cd7h9xz9zfj2d8g4bh4gzqjwrmn5rlgl"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/106b272c2f0741d21d31a0ddfa4f521c575559c1/recipes/paxedit"; @@ -52221,8 +52305,8 @@ src = fetchFromGitHub { owner = "echosa"; repo = "phpplus-mode"; - rev = "e66950502e7c9a9cd39c9a619ad66fc54c12aafa"; - sha256 = "0f1n0jcla157ngqshq5n8iws216ar63ynjd6743cbdrzj0v030wg"; + rev = "36efff84dd1303eeef5fc116eff0ac89a0248c74"; + sha256 = "1aw3sp3wa58m7csml2cfys8s8d0x1m9bkqvxqqxz52iyf8ji0cz3"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/f10631b740eea56e7209d7e84f0da8613274ef1d/recipes/php+-mode"; 
@@ -52301,12 +52385,12 @@ phpunit = callPackage ({ cl-lib ? null, emacs, f, fetchFromGitHub, fetchurl, lib, melpaBuild, pkg-info, s }: melpaBuild { pname = "phpunit"; - version = "20161219.319"; + version = "20161219.320"; src = fetchFromGitHub { owner = "nlamirault"; repo = "phpunit.el"; - rev = "791d1b33b63887cdeaf287fa657b8109f9d1dd18"; - sha256 = "0j9ym19pz17wsjh1ky65x9mz8aiiryxbw1nsygvy9isbdzjx591k"; + rev = "5ca5ee53e16b2cf0939dbeacbf1dffa13b41b48f"; + sha256 = "0gmb5fxnllkjg45cmqpr2gy2k6qhg1r6j2w67qbpir0x4h3q2x6x"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/0670b42c0c998daa7bf01080757976ac3589ec06/recipes/phpunit"; @@ -54085,12 +54169,12 @@ projectile-ripgrep = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild, projectile, ripgrep }: melpaBuild { pname = "projectile-ripgrep"; - version = "20161119.59"; + version = "20170211.857"; src = fetchFromGitHub { owner = "nlamirault"; repo = "ripgrep.el"; - rev = "876d9b410f9a183ab6bbba8fa2b9e1eb79f3f7d2"; - sha256 = "0s2vg3c2hvlbsgbs83hvgcbg63salj7scizc52ry5m0abx6dl298"; + rev = "73595f1364f2117db49e1e4a49290bd6d430e345"; + sha256 = "1a5rdpmvsgsjlc9sywism9pq7jd6n9qbcdsvpbfkq1npwhpifkbj"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/195f340855b403128645b59c8adce1b45e90cd18/recipes/projectile-ripgrep"; 
@@ -54229,22 +54313,22 @@ license = lib.licenses.free; }; }) {}; - promise = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: + promise = callPackage ({ async, emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "promise"; - version = "20170208.348"; + version = "20170213.426"; src = fetchFromGitHub { owner = "chuntaro"; repo = "emacs-promise"; - rev = "06161da00e73afa013f3de59f2cf2a2d5a721f36"; - sha256 = "13k6cj3igvslwwiar92vg58vr8jd24ns927xxxjjb5wdgzvbj5i9"; + rev = "f109b089a387af081c1dfceb29aea14864f31bbf"; + sha256 = "1g9f7vbbxk1qrbr8bcza1f93a9h4inh7qlqmizpygil0s17ng1kk"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/3eaf5ac668008759677b9cc6f11406abd573012a/recipes/promise"; sha256 = "1y1v3ikcmh9yp5fdwagcjg755bgkyqk714lb6s1hb2606m3ia03s"; name = "promise"; }; - packageRequires = [ emacs ]; + packageRequires = [ async emacs ]; meta = { homepage = "https://melpa.org/#/promise"; license = lib.licenses.free; @@ -54362,8 +54446,8 @@ src = fetchFromGitHub { owner = "google"; repo = "protobuf"; - rev = "c6e0d0e7f3dca63c006edae515dfca2a89b9c1e4"; - sha256 = "00808ymwd7y0qq3xkyxkn3bvmp806qwd6jil3x4kqhymnwqnah7g"; + rev = "d2dfe46b2789dfe155559508c3f567a746a50616"; + sha256 = "0sywn6b6m2vbdkv4vycrhlg1l3hjmcpvbps0v35wqk1ll1l66rqh"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/b4e7f5f641251e17add561991d3bcf1fde23467b/recipes/protobuf-mode"; 
@@ -54599,12 +54683,12 @@ puppet-mode = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild, pkg-info }: melpaBuild { pname = "puppet-mode"; - version = "20170120.1813"; + version = "20170213.207"; src = fetchFromGitHub { owner = "voxpupuli"; repo = "puppet-mode"; - rev = "3df623f41134c260d591c1fde1a82e99a09cd527"; - sha256 = "02glqgs484zg5izrvd8r7iai2glwy4qsqv2y4chq6d5i1f2fdrp2"; + rev = "03f608234ed0cf403966454de6758ec7fc9c784d"; + sha256 = "11kqbi4bjwn9cb48wn1nfy4d8rln07wmpj263cpb3npm1y6hfvpp"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/1de94f0ab39ab18dfd0b050e337f502d894fb3ad/recipes/puppet-mode"; @@ -55105,8 +55189,8 @@ src = fetchFromGitHub { owner = "PyCQA"; repo = "pylint"; - rev = "a59a1581571c8f27708778a9ded58435c05f7703"; - sha256 = "0r3pwq7hy8cawljk63lm239cjf4q9zfs1cmhjaq493dd9xjizwms"; + rev = "62361d10f5dc5fa751038745d23e06b5a9c5bc56"; + sha256 = "1sa4vqpqmgf0pagn2y72vvfki7jgqrnaigwfxnhjwfi6x3diz2fh"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a073c91d6f4d31b82f6bfee785044c4e3ae96d3f/recipes/pylint"; @@ -55248,12 +55332,12 @@ python-mode = callPackage ({ fetchFromGitLab, fetchurl, lib, melpaBuild }: melpaBuild { pname = "python-mode"; - version = "20170208.237"; + version = "20170211.1101"; src = fetchFromGitLab { owner = "python-mode-devs"; repo = "python-mode"; - rev = "ad91fe544cc8f361c718ca8a538bd44a4fb331d8"; - sha256 = "1wcgaydw7fnix5c5ka2lkjliznbavls51sgzq5l5s6l48190a7l9"; + rev = "eb03f0172efe5c368a830a8b9ca15366feaf083d"; + sha256 = "0pjq4a7gkzysmhwr1i3bzfnqi33899j1l13n1ij6a4bdy8km0hm4"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/82861e1ab114451af5e1106d53195afd3605448a/recipes/python-mode"; 
@@ -55353,12 +55437,12 @@ pyvenv = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "pyvenv"; - version = "20160527.442"; + version = "20170211.456"; src = fetchFromGitHub { owner = "jorgenschaefer"; repo = "pyvenv"; - rev = "726940c59d584a7e3a6647e149c20e426c3d883d"; - sha256 = "1fqp3khz8rl0frg6kaqj53p0w07ricbnl2xw57c4w776jnmc0npa"; + rev = "3fd0fad48cfdc978b3cbc2da56b26af0e33dd94c"; + sha256 = "09mqkqdp615c689qz71q94ynyysiz4qc280cvznp6k4w28nskbwf"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/e37236b89b9705ba7a9d134b1fb2c3c003953a9b/recipes/pyvenv"; @@ -57112,12 +57196,12 @@ repo = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "repo"; - version = "20160114.1114"; + version = "20170213.139"; src = fetchFromGitHub { owner = "canatella"; repo = "repo-el"; - rev = "98bde6fdc840d42a24c5784ee440cad39e8264d9"; - sha256 = "0hs80g3npgb6qfcaivdfkpsc9mss1kdmyp5j7s922qcy2k4yxmgl"; + rev = "d7b87cd515bad8a67d3a892a46a23f5fe81e08de"; + sha256 = "0rbvcvm7bfr6ncji7cllfxyyr6x7n9fx863byp243phsj3n93adz"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/1729d4ea9498549fff3594b971fcde5f81592f84/recipes/repo"; @@ -57505,12 +57589,12 @@ rg = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild, s }: melpaBuild { pname = "rg"; - version = "20170206.833"; + version = "20170212.938"; src = fetchFromGitHub { owner = "dajva"; repo = "rg.el"; - rev = "ec9eb5240191612debf0392ee7a7f491c7dae27e"; - sha256 = "0773d0n5jq42yr5p1xbbfji027j0kw4msv1p8b7zk82ij1yc7hyr"; + rev = "fd0f056a5912caeeb2d4f668969d9df81c9e22db"; + sha256 = "1lig93lj5mnm2fjvwac42kfw8bhq8ggs4jfc73fmclm6s5dg8661"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/9ce1f721867383a841957370946f283f996fa76f/recipes/rg"; 
@@ -57631,12 +57715,12 @@ ripgrep = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "ripgrep"; - version = "20170116.47"; + version = "20170211.857"; src = fetchFromGitHub { owner = "nlamirault"; repo = "ripgrep.el"; - rev = "876d9b410f9a183ab6bbba8fa2b9e1eb79f3f7d2"; - sha256 = "0s2vg3c2hvlbsgbs83hvgcbg63salj7scizc52ry5m0abx6dl298"; + rev = "73595f1364f2117db49e1e4a49290bd6d430e345"; + sha256 = "1a5rdpmvsgsjlc9sywism9pq7jd6n9qbcdsvpbfkq1npwhpifkbj"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/e8d789818876e959a1a59690f1dd7d4efa6d608b/recipes/ripgrep"; @@ -57970,7 +58054,7 @@ version = "20161115.2259"; src = fetchsvn { url = "http://svn.ruby-lang.org/repos/ruby/trunk/misc/"; - rev = "57597"; + rev = "57624"; sha256 = "0n4gnpms3vyvnag3sa034yisfcfy5gnwl2l46krfwy6qjm1nyzhf"; }; recipeFile = fetchurl { @@ -58050,7 +58134,7 @@ version = "20150424.752"; src = fetchsvn { url = "http://svn.ruby-lang.org/repos/ruby/trunk/misc/"; - rev = "57597"; + rev = "57624"; sha256 = "0n4gnpms3vyvnag3sa034yisfcfy5gnwl2l46krfwy6qjm1nyzhf"; }; recipeFile = fetchurl { @@ -58319,12 +58403,12 @@ rust-playground = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild, rust-mode }: melpaBuild { pname = "rust-playground"; - version = "20170106.1734"; + version = "20170211.5"; src = fetchFromGitHub { owner = "grafov"; repo = "rust-playground"; - rev = "29075a3753cc0b48b4fcc0a99340306a856a8bc1"; - sha256 = "1g0b0jg45pf7xivk8xjsm77vd8fvpp2vwdwvgzr810hj8npnqhs7"; + rev = "ff4149489c30a65817750428847217368bd995ba"; + sha256 = "04d5z33pv1xqsn539nfkyjh7dvf0kc0rwili1zr6817z0406k1qn"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a5ebbcca659bb6d79ca37dc347894fac7bafd9dd/recipes/rust-playground"; 
@@ -58680,8 +58764,8 @@ src = fetchFromGitHub { owner = "openscad"; repo = "openscad"; - rev = "2ef5333d8dbeddf7f862c76c84a8550275b13c3c"; - sha256 = "0jxns9jzmlzr7qvsprid2ij26y246nb8yzhw9i8w2xv09gbmfxvw"; + rev = "e990ac49eb449bb8b1befcf0fd021c901f687ac5"; + sha256 = "068m6lny2xf2i7bm2hxqn1dcjxgs4g8pkd730x0shvvn3yc5jqql"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/2d27782b9ac8474fbd4f51535351207c9c84984c/recipes/scad-mode"; @@ -59382,12 +59466,12 @@ selectric-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "selectric-mode"; - version = "20161125.429"; + version = "20170211.1108"; src = fetchFromGitHub { owner = "rbanffy"; repo = "selectric-mode"; - rev = "a8e8c8899c749bd36bdd161e161cdc51301defc6"; - sha256 = "1dj8vccdk1s0ynl5znpg02xp182srn3s8cqcxqrxjllp7wbgab31"; + rev = "e60703d9a6c9944270d77bc829dae3a8b092346f"; + sha256 = "04i5rrn93hzcf8zzfli2ams927lm83hl4q6w2azcg24lhldaqf8p"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/08922071b9854142eab726302e75f1db2d326ec5/recipes/selectric-mode"; @@ -59693,12 +59777,12 @@ shackle = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "shackle"; - version = "20170201.1322"; + version = "20170213.1534"; src = fetchFromGitHub { owner = "wasamasa"; repo = "shackle"; - rev = "4ccacf92d0bfd7729388a3e698c1ded55e7f2b92"; - sha256 = "0lmclwhv3wic0b5dxnjggi7191r63iv2gwn2k50c7ldm526qld0c"; + rev = "979b021077655ca38749a60c9752c0817e8fd93e"; + sha256 = "11qp4gqxfi5d6krvxlqxfn58b1kcgsnldpi54r8lx6mis8l0f4wl"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/806e7d00f763f3fc4e3b8ebd483070ac6c5d0f21/recipes/shackle"; 
@@ -60002,12 +60086,12 @@ shen-elisp = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "shen-elisp"; - version = "20161113.1611"; + version = "20170213.1303"; src = fetchFromGitHub { owner = "deech"; repo = "shen-elisp"; - rev = "1828dbd81ced737a7b0bc6e3c8caf9380d5f8fdd"; - sha256 = "1paf9lyk552kl3lmfsfw9r45ab9s8iypvg20jwdw6y6p1fjcykmk"; + rev = "8248cd96a0931cb3215dc13e0905ac4be1701981"; + sha256 = "1acml0p04wxnm0di9iy5kwml6myr7gcj09ky6dw35f0k0m1w51ba"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/ed9f0577c6828236582df1781e751b8b81746492/recipes/shen-elisp"; @@ -61523,12 +61607,12 @@ smartscan = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "smartscan"; - version = "20160705.138"; + version = "20170211.1233"; src = fetchFromGitHub { owner = "mickeynp"; repo = "smart-scan"; - rev = "2aea1a1ac3c4b12032e5599c4eb6df5b8f68a01b"; - sha256 = "0szx1w2zkxi74xfzcfw7sgdyd34fbv3pcgl7vhjcl0zp0ch473rl"; + rev = "234e077145710a174c20742de792b97ed2f965f6"; + sha256 = "1nzkgfr1w30yi88h4kwgiwq4lcd0fpm1cd50gy0csjcpbnyq6ykf"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/26c73e1d15186ebf300c6397fda61a8a885a130f/recipes/smartscan"; @@ -61921,12 +62005,12 @@ socyl = callPackage ({ cl-lib ? null, dash, fetchFromGitHub, fetchurl, lib, melpaBuild, pkg-info, s }: melpaBuild { pname = "socyl"; - version = "20170129.144"; + version = "20170211.2242"; src = fetchFromGitHub { owner = "nlamirault"; repo = "socyl"; - rev = "38157e3bb0d7afa8b90b744648f63c85b4edb230"; - sha256 = "1ha0827zcdkl1ih8c7018cpbiw2k1b8ik4h7p6asw7pg0n5xf1c6"; + rev = "1ef2da42f66f3ab31a34131e51648f352416f0ba"; + sha256 = "0jks5dkxhhgh4gbli90p71s8354iywlwj2lq6n5fyqxbdxzk412d"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/774b3006f5b6b781594257f1d9819068becbbcc1/recipes/socyl"; 
@@ -63550,10 +63634,10 @@ }) {}; strings = callPackage ({ fetchurl, lib, melpaBuild }: melpaBuild { pname = "strings"; - version = "20170101.1137"; + version = "20170210.1925"; src = fetchurl { url = "https://www.emacswiki.org/emacs/download/strings.el"; - sha256 = "0gvj39cjc50ks31dzridskync3dnaxsr28wmyky781l87cgna4hq"; + sha256 = "0am2w3p2igh0y5mdbmjfdzyrx3bngs4c3nibjjcky3pmvj4k3r4i"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a5d15f875b0080b12ce45cf696c581f6bbf061ba/recipes/strings"; @@ -64272,12 +64356,12 @@ swiper = callPackage ({ emacs, fetchFromGitHub, fetchurl, ivy, lib, melpaBuild }: melpaBuild { pname = "swiper"; - version = "20170208.2028"; + version = "20170213.1002"; src = fetchFromGitHub { owner = "abo-abo"; repo = "swiper"; - rev = "d23d1feefccd658f013cbf7d1b052767bed9b2b6"; - sha256 = "0fffs5l45hrz7qv4gxwdn4prabl49zgx74daxyflrlkmbffy0gr4"; + rev = "5f732cdce5ac2529f36b5c8cc9f053789783de45"; + sha256 = "1ha7filrnkdya4905yy002n1hjdl23k9hbb2w2id3wfj0cbw930f"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/e64cad81615ef3ec34fab1f438b0c55134833c97/recipes/swiper"; @@ -65940,8 +66024,8 @@ src = fetchFromGitHub { owner = "apache"; repo = "thrift"; - rev = "3590f1e7ca49c3eea879008d510023edf30b6408"; - sha256 = "0kh2ws9ryfk5qgnaszacsznrg3bwr9vx6riiy2za02in0dlbldk9"; + rev = "0a660ee285e4a4cbac8f702168c40fd4ef5495d1"; + sha256 = "19cn5kkj9jmjghb54l64wpvbcn355ixfzdp7rqrxcy2gcxwcc95a"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/857ab7e3a5c290265d88ebacb9685b3faee586e5/recipes/thrift"; 
@@ -65997,12 +66081,12 @@ tide = callPackage ({ cl-lib ? null, dash, fetchFromGitHub, fetchurl, flycheck, lib, melpaBuild, typescript-mode }: melpaBuild { pname = "tide"; - version = "20170210.255"; + version = "20170210.1932"; src = fetchFromGitHub { owner = "ananthakumaran"; repo = "tide"; - rev = "1d000d8cebd5ae8768b0acba065cf267ba5d9c23"; - sha256 = "059q2pijha146hpiz19ykckbcprdfmw825p45wfqqm4lll1dfd9y"; + rev = "8e2c78de6e7a0eb42853ba2dee3ffe5c81cff336"; + sha256 = "0imdjxvvz9b1b1mlzdp5mildjz1s2m7zz3y383p1x6m8w4vzxln7"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a21e063011ebbb03ac70bdcf0a379f9e383bdfab/recipes/tide"; @@ -66729,8 +66813,8 @@ src = fetchFromGitHub { owner = "jorgenschaefer"; repo = "circe"; - rev = "773e48624edc32022764d9b3bab861f32c336ac3"; - sha256 = "0s0ksk4f8hz2jajh7hx8b5qv8vrv5mr8mvk8n51ycip0gmrl98nf"; + rev = "a9df12a6e2f2c8e940722e151829d5dcf980c902"; + sha256 = "00rdv0dij1d21jddw73iikc4vcx7hi1bi85b25hj1jx36nx4m16c"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/a2b295656d53fddc76cacc86b239e5648e49e3a4/recipes/tracking"; @@ -67116,12 +67200,12 @@ tuareg = callPackage ({ caml, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "tuareg"; - version = "20170202.1751"; + version = "20170212.139"; src = fetchFromGitHub { owner = "ocaml"; repo = "tuareg"; - rev = "8614825a9dcc08f0c77264ae8892f2417468cefb"; - sha256 = "0jfvva5j33hs99grz4jzpr1qkmhx5vwrixl2pf20ggb4jd7c482j"; + rev = "662f6af94c3273f2dab04b9c7485dfe627812c95"; + sha256 = "06iigh6kia60r4i3d414z594s3xab20z73q1l0z2fkb0613wznbg"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/01fb6435a1dfeebdf4e7fa3f4f5928bc75526809/recipes/tuareg"; 
@@ -68045,8 +68129,8 @@ src = fetchFromGitHub { owner = "EricCrosson"; repo = "unkillable-scratch"; - rev = "0e1d9e1574e497171a7ccfbcb8c994cb9c5880da"; - sha256 = "0bhdqpxq6cly4b6v4ya1ksw0yfdb9g2f2ifbjn4gfcq6j4zszbdm"; + rev = "676a5a97658830caece18fa65a23e3d113933151"; + sha256 = "14k9ad542y0haz1yid9jy8f9zvpvac6cirnf0751g8rwjbdnvr85"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/822ac5610f333e41b676a29ef45a6f8bfea3162e/recipes/unkillable-scratch"; @@ -68143,12 +68227,12 @@ use-package = callPackage ({ bind-key, diminish, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "use-package"; - version = "20170116.1309"; + version = "20170213.1353"; src = fetchFromGitHub { owner = "jwiegley"; repo = "use-package"; - rev = "38034854ac21bd5ddc1a1129fd6c8ff86d939f8a"; - sha256 = "0s20z5njwmk591674mb2lyv50agg6496hkr5b11904jq5ca3xagz"; + rev = "6c2d81cfadb12c10af0dabe148ede355737ed1a8"; + sha256 = "18aqyphq1cwandfarql773d0h3ki6c9ip1wji1ni86fm29f99ikq"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/3f9b52790e2a0bd579c24004873df5384e2ba549/recipes/use-package"; @@ -69582,12 +69666,12 @@ web-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "web-mode"; - version = "20170131.1400"; + version = "20170211.1516"; src = fetchFromGitHub { owner = "fxbois"; repo = "web-mode"; - rev = "2d05692634766cfa647d9441aaf7f8d95d2d5206"; - sha256 = "1q7vpw56fqjgyiq21xjnhclhbz9hdynapp53hsdsd361nghdg9d0"; + rev = "c6d73fb48ee3c0911b7361cd556765c94742dee2"; + sha256 = "0b9gcm0dlbp9v57pv9dkh08a8f5bacmjkyqkh0pr285gvsfi776i"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/6f0565555eaa356141422c5175d6cca4e9eb5c00/recipes/web-mode"; 
@@ -70724,12 +70808,12 @@ worf = callPackage ({ ace-link, fetchFromGitHub, fetchurl, hydra, lib, melpaBuild, swiper, zoutline }: melpaBuild { pname = "worf"; - version = "20161231.217"; + version = "20170211.402"; src = fetchFromGitHub { owner = "abo-abo"; repo = "worf"; - rev = "ca9a42b64938f43d757c6e0c41f21610bea87dba"; - sha256 = "0nwsryj7xiizvrcnwb1an8siihqjbdvcwg6mjc36cyr6cv3icqmw"; + rev = "cba75ae94e6c233f92fcdde005d023107495df7b"; + sha256 = "1sxs89mqns9n847m0gqpv43b9gr15zicjhcnavk5n8g7gnssjmj4"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/f00f8765e35c21dd1a4b5c01c239ed4d15170ab7/recipes/worf"; @@ -71102,12 +71186,12 @@ xah-fly-keys = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "xah-fly-keys"; - version = "20170210.354"; + version = "20170213.321"; src = fetchFromGitHub { owner = "xahlee"; repo = "xah-fly-keys"; - rev = "7fd0ae4bd2afbe59273b224b299519aad564189c"; - sha256 = "1di8i2x7gg8w3kviz7az7wrg6gfr06p67rkmkm2z7pwblbsbd57f"; + rev = "073190840e6a07566f75a6dcabd1d3c120b0639e"; + sha256 = "19b8d4a5g43n9y2y0r8l12ds5badns9zlky0j201bzz3yrcid7xb"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/fc1683be70d1388efa3ce00adc40510e595aef2b/recipes/xah-fly-keys"; @@ -71165,12 +71249,12 @@ xah-math-input = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "xah-math-input"; - version = "20161222.327"; + version = "20170210.2128"; src = fetchFromGitHub { owner = "xahlee"; repo = "xah-math-input"; - rev = "4ab83f7d9bcd6f2697a77507930542bc2a00a1a3"; - sha256 = "13h7gkdy47mnks1r80j94j3h825s93fwi43l9r7wp9jbngdx057f"; + rev = "a4b8aa833f65c028f7f94b9c3b5b8993b8961736"; + sha256 = "02xin68nrzlg6qaniincj5dk1aw5fbqfb8cj00yjyyjnv55jrbpn"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/95d57e33e6d60dc20d6452b407ea1486604ba23a/recipes/xah-math-input"; 
@@ -71459,16 +71543,16 @@ xquery-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "xquery-mode"; - version = "20140121.943"; + version = "20161218.1617"; src = fetchFromGitHub { - owner = "mblakele"; + owner = "xquery-mode"; repo = "xquery-mode"; - rev = "ac0ca72ccd575952393804330c3efe3b2271c4e2"; - sha256 = "09fpxr55b2adqmca8xhpy8z5cify5091fjdjyxjd1jh5wdp1658v"; + rev = "58e947e2630223b89822c2c3e5883be4950ea2f5"; + sha256 = "0zasfq8cgp42ac7ad041f7bn785y10359ayrd9h2wwyb34bw9wjd"; }; recipeFile = fetchurl { - url = "https://raw.githubusercontent.com/milkypostman/melpa/c7c145039be872cd5a19383232180ba481e4e144/recipes/xquery-mode"; - sha256 = "0b5k2ihbjm5drv4lf64ap31yj873x1fcq85y6yq1ayahn6s52rql"; + url = "https://raw.githubusercontent.com/milkypostman/melpa/e8ea1c9e26963f290d912df21b81afd689543658/recipes/xquery-mode"; + sha256 = "13xrvygk7wdby6599q6yxw8cm45qqki8szrm49fc3b6pr6vzpidg"; name = "xquery-mode"; }; packageRequires = []; @@ -71774,12 +71858,12 @@ yaml-mode = callPackage ({ emacs, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "yaml-mode"; - version = "20161105.814"; + version = "20170213.1023"; src = fetchFromGitHub { owner = "yoshiki"; repo = "yaml-mode"; - rev = "f378589912af8731428198ef57546c616d941df0"; - sha256 = "0ag1psjrn4b1idz096jwdsygax7ydirhlky7zpj6awqzx4gh43yg"; + rev = "1c3ade410fb0bf5b6f2140b099f0ef96836ee74e"; + sha256 = "1p0m702lyjx5xcqvifc8lkrj430nvjiwswpf3ghcvl5sls8bf5af"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/cae2ac3513e371a256be0f1a7468e38e686c2487/recipes/yaml-mode"; 
@@ -71837,12 +71921,12 @@ yang-mode = callPackage ({ fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "yang-mode"; - version = "20161220.157"; + version = "20170213.154"; src = fetchFromGitHub { owner = "mbj4668"; repo = "yang-mode"; - rev = "bcf698acbdb4df91f587942348739b407a8b0807"; - sha256 = "1rrmailvhxvivmdjamm2vvciym484cw0lqn1hgdw1lz999g5a5vs"; + rev = "46c201b1d5195842fdf540d4c153127f91b1a125"; + sha256 = "0bfx6wsj8g6ryawxly17x2nppzcgg3bxpkx00ar1hgcrs11988kk"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/bb42ab9b5f118baaf6766c478046552b686981a1/recipes/yang-mode"; @@ -72002,12 +72086,12 @@ yasnippet = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, lib, melpaBuild }: melpaBuild { pname = "yasnippet"; - version = "20170203.626"; + version = "20170212.832"; src = fetchFromGitHub { owner = "joaotavora"; repo = "yasnippet"; - rev = "9abf842e356e7b42fa105fe6284fb5ebe58a7ed1"; - sha256 = "1gnaa8nwxa969pxgspk1v1vmfcxb32mbswy7yr60gnmb6mlfmjkk"; + rev = "c87afe0901735d4421c712b25dfa69b2ac59c8e9"; + sha256 = "0ssk3pgkq4bv74g8h0zbi38z3lb11cn4ylnfsa0gnn5jlyg0bccc"; }; recipeFile = fetchurl { url = "https://raw.githubusercontent.com/milkypostman/melpa/5d1927dc3351d3522de1baccdc4ce200ba52bd6e/recipes/yasnippet"; From 1a9cf94ba2ddd169f15e751cacd1847f97cdc8d3 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 14 Feb 2017 11:16:37 +0100 Subject: [PATCH 107/153] Revert "opensubdiv: Remove cudatoolkit from the closure" This reverts commit 6a472cf4c1b78580de79c79ca7d7b714f4d8d36e. On second thought, this is not a good idea, because it means that a CUDA-enabled Blender doesn't work on non-CUDA systems anymore (since they don't have libOpenCL.so in /run/opengl-driver). I guess a better solution will be to split cudatoolkit into multiple outputs. --- pkgs/development/libraries/opensubdiv/default.nix | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) 
diff --git a/pkgs/development/libraries/opensubdiv/default.nix b/pkgs/development/libraries/opensubdiv/default.nix index f5f84ee1546..b253a27a7db 100644 --- a/pkgs/development/libraries/opensubdiv/default.nix +++ b/pkgs/development/libraries/opensubdiv/default.nix @@ -39,16 +39,7 @@ stdenv.mkDerivation { enableParallelBuilding = true; - postInstall = - '' - rm $out/lib/*.a - '' + lib.optionalString cudaSupport '' - # Drop cudatoolkit reference from the closure. We'll get - # libOpenCL from /run/opengl-driver. - s=${cudatoolkit}/lib - t=$(for ((i = 0; i < ''${#s}; i++)); do echo -n X; done) - sed -i $out/lib/libosdGPU.so.* -e "s|$s|$t|g" - ''; + postInstall = "rm $out/lib/*.a"; meta = { description = "An Open-Source subdivision surface library"; From adcd9bc884d9518ee41f3d763742e725f8d34c08 Mon Sep 17 00:00:00 2001 From: taku0 Date: Tue, 14 Feb 2017 21:13:04 +0900 Subject: [PATCH 108/153] flashplayer: 24.0.0.194 -> 24.0.0.221 --- .../browsers/mozilla-plugins/flashplayer/default.nix | 10 +++++----- .../mozilla-plugins/flashplayer/standalone.nix | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pkgs/applications/networking/browsers/mozilla-plugins/flashplayer/default.nix b/pkgs/applications/networking/browsers/mozilla-plugins/flashplayer/default.nix index 8ae86eed02c..9e0b0852bf8 100644 --- a/pkgs/applications/networking/browsers/mozilla-plugins/flashplayer/default.nix +++ b/pkgs/applications/networking/browsers/mozilla-plugins/flashplayer/default.nix @@ -73,7 +73,7 @@ let in stdenv.mkDerivation rec { name = "flashplayer-${version}"; - version = "24.0.0.194"; + version = "24.0.0.221"; src = fetchurl { url = 
@@ -84,14 +84,14 @@ stdenv.mkDerivation rec { sha256 = if debug then if arch == "x86_64" then - "197s3ksx6h3dkfx8q7v9c8mf8ai9s1jpqnaczjdkmzcyp5jd29w9" + "10f8m5zc8p4xbhihbl785lws1kpv6smnbhx4ydzf8ai3mlv3y241" else - "0ll0ddss3gkzngmm96pyvnf4a6mf8axraxlqpjdl63ghrndd1gkc" + "1rz9rkbvln8wdkfmsnnq936xs6969qma141jc4qx408419q7v3hg" else if arch == "x86_64" then - "0bri8kjqy9g929ix4qx4whmxz5rzbgjff253kvs6dlr8vyglz0gx" + "1cb4mvslphj3bcchgr7lcswz8kk8si0s60rl5266mi53byplhw08" else - "1lrfwwhl18411bk9qsizhch8n3ilcvhmj4i7sak5zjv5r6mwnqgl"; + "1vcyp9041171xkcnz05dlk3n7bnbcb9qbh4sy5wfgjkqsyd6i5bl"; }; nativeBuildInputs = [ unzip ]; diff --git a/pkgs/applications/networking/browsers/mozilla-plugins/flashplayer/standalone.nix b/pkgs/applications/networking/browsers/mozilla-plugins/flashplayer/standalone.nix index be33cf139d2..248fe63ab0c 100644 --- a/pkgs/applications/networking/browsers/mozilla-plugins/flashplayer/standalone.nix +++ b/pkgs/applications/networking/browsers/mozilla-plugins/flashplayer/standalone.nix @@ -57,7 +57,7 @@ let in stdenv.mkDerivation rec { name = "flashplayer-standalone-${version}"; - version = "24.0.0.194"; + version = "24.0.0.221"; src = fetchurl { url = @@ -67,9 +67,9 @@ stdenv.mkDerivation rec { "https://fpdownload.macromedia.com/pub/flashplayer/updaters/24/flash_player_sa_linux.x86_64.tar.gz"; sha256 = if debug then - "0yiln97l8b27s5c6nv9m09cdgwa4c47idnf2p6y6i0slfcqj1cxv" + "0cy81cml72ayx2wa0fd9vgp2wzny866jasahndg01v0jfxcxw5rz" else - "1f34qm8grj3141p6kym6y2pqisrmn9l6nkhbfmfhsd472g5q85v1"; + "0xgiycd47mzmwvmhbi0ig3rd7prksfdpcd4h62as1m9gs1ax4d7l"; }; nativeBuildInputs = [ unzip ]; From 3508b4832fbed06db1d0dd6bbf6ca9c1c3c3ed8e Mon Sep 17 00:00:00 2001 From: Michael Raskin <7c6f434c@mail.ru> Date: Tue, 14 Feb 2017 13:23:12 +0100 Subject: [PATCH 109/153] haskellPackages: fgl, fgl-arbitrary: jailbreak (w.r.t. hspec for tests) --- pkgs/development/haskell-modules/configuration-common.nix | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 8e00386267b..3f448aa9c6c 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -857,4 +857,8 @@ self: super: { # https://github.com/ekmett/lens/issues/713 lens = disableCabalFlag super.lens "test-doctests"; + # https://github.com/haskell/fgl/issues/60 + fgl = doJailbreak super.fgl; + fgl-arbitrary = doJailbreak super.fgl-arbitrary; + } From 232639ccbba0e45ee526fac47e59c5dcab344d3e Mon Sep 17 00:00:00 2001 From: Rickard Nilsson Date: Tue, 14 Feb 2017 13:38:30 +0100 Subject: [PATCH 110/153] haskellPackages: Remove jailbreak for xxhash and Glob (fixed upstream) --- .../development/haskell-modules/configuration-ghc-8.0.x.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/pkgs/development/haskell-modules/configuration-ghc-8.0.x.nix b/pkgs/development/haskell-modules/configuration-ghc-8.0.x.nix index 095b6ee4f1b..78c3823a0f9 100644 --- a/pkgs/development/haskell-modules/configuration-ghc-8.0.x.nix +++ b/pkgs/development/haskell-modules/configuration-ghc-8.0.x.nix @@ -60,12 +60,6 @@ self: super: { sha256 = "026vv2k3ks73jngwifszv8l59clg88pcdr4mz0wr0gamivkfa1zy"; }); - # https://github.com/christian-marie/xxhash/issues/3 - xxhash = doJailbreak super.xxhash; - - # https://github.com/Deewiant/glob/issues/8 - Glob = doJailbreak super.Glob; - ## GHC 8.0.2 # http://hub.darcs.net/dolio/vector-algorithms/issue/9#comment-20170112T145715 From 866525084463de9b36662c9fa7c4c6805e2ffc56 Mon Sep 17 00:00:00 2001 From: Rickard Nilsson Date: Tue, 14 Feb 2017 13:46:20 +0100 Subject: [PATCH 111/153] haskellPackages.dirstream: jailbreak --- pkgs/development/haskell-modules/configuration-common.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 3f448aa9c6c..51287f14979 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -861,4 +861,6 @@ self: super: { fgl = doJailbreak super.fgl; fgl-arbitrary = doJailbreak super.fgl-arbitrary; + # https://github.com/Gabriel439/Haskell-DirStream-Library/issues/8 + dirstream = doJailbreak super.dirstream; } From 51a338a601150a01e958ed004e622ca7328aed99 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Tue, 14 Feb 2017 14:14:27 +0100 Subject: [PATCH 112/153] sabnzbd: 1.1.0 -> 1.2.0 --- pkgs/servers/sabnzbd/default.nix | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/pkgs/servers/sabnzbd/default.nix b/pkgs/servers/sabnzbd/default.nix index 616d898b33f..19990da147c 100644 --- a/pkgs/servers/sabnzbd/default.nix +++ b/pkgs/servers/sabnzbd/default.nix @@ -1,15 +1,18 @@ -{stdenv, fetchurl, python2, par2cmdline, unzip, unrar, p7zip, makeWrapper}: +{stdenv, fetchFromGitHub, python2, par2cmdline, unzip, unrar, p7zip, makeWrapper}: let pythonEnv = python2.withPackages(ps: with ps; [ pyopenssl cheetah yenc ]); path = stdenv.lib.makeBinPath [ par2cmdline unrar unzip p7zip ]; in stdenv.mkDerivation rec { - version = "1.1.0"; - name = "sabnzbd-${version}"; + version = "1.2.0"; + pname = "sabnzbd"; + name = "${pname}-${version}"; - src = fetchurl { - url = "https://github.com/sabnzbd/sabnzbd/archive/${version}.tar.gz"; - sha256 = "16srhknmjx5x2zsg1m0w9bipcv9b3b96bvb27fkf4dc2aswwcsc7"; + src = fetchFromGitHub { + owner = pname; + repo = pname; + rev = version; + sha256 = "1g1zf0zrlqgparg6hws6agpr414dw2q4xq9l8nh720rn6m7fv4vb"; }; buildInputs = [ pythonEnv makeWrapper ]; From 67bd8d552fc79f127b1fc89c27e1acb4af9bf37f Mon Sep 17 00:00:00 2001 
From: Frederik Rietdijk Date: Tue, 14 Feb 2017 14:19:38 +0100 Subject: [PATCH 113/153] sabnzbd: fix dependencies --- pkgs/servers/sabnzbd/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/servers/sabnzbd/default.nix b/pkgs/servers/sabnzbd/default.nix index 19990da147c..f685d8b24d6 100644 --- a/pkgs/servers/sabnzbd/default.nix +++ b/pkgs/servers/sabnzbd/default.nix @@ -1,7 +1,7 @@ {stdenv, fetchFromGitHub, python2, par2cmdline, unzip, unrar, p7zip, makeWrapper}: let - pythonEnv = python2.withPackages(ps: with ps; [ pyopenssl cheetah yenc ]); + pythonEnv = python2.withPackages(ps: with ps; [ cryptography cheetah yenc ]); path = stdenv.lib.makeBinPath [ par2cmdline unrar unzip p7zip ]; in stdenv.mkDerivation rec { version = "1.2.0"; From 1a9707de24dd8c8d09cec8e18f4bab7465b2e424 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Tue, 14 Feb 2017 08:19:19 -0500 Subject: [PATCH 114/153] wireguard: update description to describe its current state --- pkgs/os-specific/linux/wireguard/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix index 8a2e6287364..a5102a7b197 100644 --- a/pkgs/os-specific/linux/wireguard/default.nix +++ b/pkgs/os-specific/linux/wireguard/default.nix @@ -16,7 +16,7 @@ let meta = with stdenv.lib; { homepage = https://www.wireguard.io/; downloadPage = https://git.zx2c4.com/WireGuard/refs/; - description = "Fast, modern, secure VPN tunnel"; + description = "A prerelease of an experimental VPN tunnel which is not to be depended upon for security"; maintainers = with maintainers; [ ericsagnes ]; license = licenses.gpl2; platforms = platforms.linux; From ba499e3aa04dccd5e99676731055bf3c3a34b249 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Tue, 14 Feb 2017 07:30:21 -0600 Subject: [PATCH 115/153] Removing unused module option old-wrapperDir --- nixos/modules/security/wrappers/default.nix | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index e51103981e6..8c4353fdd96 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -131,16 +131,6 @@ in ''; }; - security.old-wrapperDir = lib.mkOption { - type = lib.types.path; - default = "/var/setuid-wrappers"; - internal = true; - description = '' - This option defines the path to the wrapper programs. It - should not be overriden. - ''; - }; - security.wrapperDir = lib.mkOption { type = lib.types.path; default = "/run/wrappers/bin"; From 467bb3f674fad56ef697bafbcc5f4db71acb036e Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Tue, 14 Feb 2017 07:32:24 -0600 Subject: [PATCH 116/153] /run/wrapper is not a filesystem, no need to skip it --- nixos/modules/installer/tools/nixos-generate-config.pl | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index a1b6cf53597..b72db1f6f50 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -347,7 +347,6 @@ foreach my $fs (read_file("/proc/self/mountinfo")) { # Skip special filesystems. next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs"; - next if $mountPoint eq "/run/wrappers"; # Skip the optional fields. my $n = 6; $n++ while $fields[$n] ne "-"; $n++; From fb6d13c01aa22cdaffe45597495f390ef2989eda Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Tue, 14 Feb 2017 07:38:45 -0600 Subject: [PATCH 117/153] Addressing feedback and fixing a bug --- nixos/doc/manual/release-notes/rl-1703.xml | 6 ++---- nixos/modules/module-list.nix | 2 +- nixos/modules/security/wrappers/wrapper.c | 2 +- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 5d6053fcbf7..8f9694bad8b 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -17,10 +17,8 @@ has the following highlights: - Setting capabilities on programs is now supported with a - setcap-wrapper functionality. This - functionality and the setuid-wrapper are merged - into a single "wrappers" module. + The setuid wrapper functionality now supports setting + capabilities. diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 9dbc009a6e4..81597d91d89 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -113,7 +113,7 @@ ./security/prey.nix ./security/rngd.nix ./security/rtkit.nix - ./security/wrappers + ./security/wrappers/default.nix ./security/sudo.nix ./services/amqp/activemq/default.nix ./services/amqp/rabbitmq.nix diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c index 4a656c54e3f..7091e314bb2 100644 --- a/nixos/modules/security/wrappers/wrapper.c +++ b/nixos/modules/security/wrappers/wrapper.c @@ -165,7 +165,7 @@ int main(int argc, char * * argv) // should safely fit within the PATH_MAX system limit. Though I'm // not positive it's safe... char selfPath[PATH_MAX]; - int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath) - 1); + int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath)); assert(selfPathSize > 0); From c86798125b85a6c4fc49520e79b59ed2299f2885 Mon Sep 17 00:00:00 2001 
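Review bot: Passing the full `sizeof(selfPath)` to readlink() in the wrapper.c hunk leaves no byte for a terminator and makes truncation undetectable: readlink() never NUL-terminates, and a return value equal to the buffer size means the path may have been cut short, so any later `selfPath[selfPathSize] = '\0'` would write one past the array. The previous `sizeof(selfPath) - 1` reserved that byte; keep it and treat a full buffer as an error, e.g. `ssize_t selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath) - 1);` followed by `assert(selfPathSize > 0 && (size_t)selfPathSize < sizeof(selfPath) - 1);` and `selfPath[selfPathSize] = '\0';`. In a binary that runs with elevated privileges a truncated self-path should be a hard failure, and since `assert` vanishes under `-DNDEBUG`, a plain check that exits is the safer form for that. The rest of main, including whatever terminates selfPath, lies outside the hunk.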
From: Tuomas Tynkkynen Date: Sun, 10 Jan 2016 16:45:25 +0200 Subject: [PATCH 118/153] amoeba: init at 1.1 This uses all the patches from Debian since otherwise it would work on i686 among other things. --- pkgs/games/amoeba/data.nix | 24 +++++++++++++ pkgs/games/amoeba/default.nix | 45 ++++++++++++++++++++++++ pkgs/games/amoeba/include-string-h.patch | 12 +++++++ pkgs/top-level/all-packages.nix | 3 ++ 4 files changed, 84 insertions(+) create mode 100644 pkgs/games/amoeba/data.nix create mode 100644 pkgs/games/amoeba/default.nix create mode 100644 pkgs/games/amoeba/include-string-h.patch diff --git a/pkgs/games/amoeba/data.nix b/pkgs/games/amoeba/data.nix new file mode 100644 index 00000000000..b5c7f4b730b --- /dev/null +++ b/pkgs/games/amoeba/data.nix @@ -0,0 +1,24 @@ +{ stdenv, fetchurl }: + +stdenv.mkDerivation rec { + name = "amoeba-data-${version}"; + version = "1.1"; + + src = fetchurl { + url = "http://http.debian.net/debian/pool/non-free/a/amoeba-data/amoeba-data_${version}.orig.tar.gz"; + sha256 = "1bgclr1v63n14bj9nwzm5zxg48nm0cla9bq1rbd5ylxra18k0jbg"; + }; + + installPhase = '' + mkdir -p $out/share/amoeba + cp demo.dat $out/share/amoeba/ + ''; + + meta = with stdenv.lib; { + description = "Fast-paced, polished OpenGL demonstration by Excess (data files)"; + homepage = https://packages.qa.debian.org/a/amoeba-data.html; + license = licenses.unfree; + maintainers = [ maintainers.dezgeg ]; + platforms = platforms.all; + }; +} diff --git a/pkgs/games/amoeba/default.nix b/pkgs/games/amoeba/default.nix new file mode 100644 index 00000000000..4e5f85f7d5a --- /dev/null +++ b/pkgs/games/amoeba/default.nix 
@@ -0,0 +1,45 @@ +{ stdenv, fetchurl, amoeba-data, alsaLib, expat, freetype, gtk2, libvorbis, mesa_glu, pkgconfig }: + +stdenv.mkDerivation rec { + name = "amoeba-${version}-${debver}"; + version = "1.1"; + debver = "29.1"; + + srcs = [ + (fetchurl { + url = "http://http.debian.net/debian/pool/contrib/a/amoeba/amoeba_${version}.orig.tar.gz"; + sha256 = "1hyycw4r36ryka2gab9vzkgs8gq4gqhk08vn29cwak95w0rahgim"; + }) + (fetchurl { + url = "http://http.debian.net/debian/pool/contrib/a/amoeba/amoeba_${version}-${debver}.debian.tar.xz"; + sha256 = "1xgi2sqzq97w6hd3dcyq6cka8xmp6nr25qymzhk52cwqh7qb75p3"; + }) + ]; + sourceRoot = "amoeba-1.1.orig"; + + prePatch = '' + patches="${./include-string-h.patch} $(echo ../debian/patches/*.diff)" + ''; + postPatch = '' + sed -i packer/pakfile.cpp -e 's|/usr/share/amoeba|${amoeba-data}/share/amoeba|' + sed -i main/linux-config/linux-config.cpp -e 's|libgdk-x11-2.0.so.0|${gtk2}/lib/&|' + sed -i main/linux-config/linux-config.cpp -e 's|libgtk-x11-2.0.so.0|${gtk2}/lib/&|' + ''; + + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ alsaLib expat freetype gtk2 libvorbis mesa_glu ]; + + installPhase = '' + mkdir -p $out/bin $out/share/man/man1/ + cp amoeba $out/bin/ + cp ../debian/amoeba.1 $out/share/man/man1/ + ''; + + meta = with stdenv.lib; { + description = "Fast-paced, polished OpenGL demonstration by Excess"; + homepage = https://packages.qa.debian.org/a/amoeba.html; + license = licenses.gpl2; # Engine is GPLv2, data files in amoeba-data nonfree + maintainers = [ maintainers.dezgeg ]; + platforms = platforms.linux; + }; +} diff --git a/pkgs/games/amoeba/include-string-h.patch b/pkgs/games/amoeba/include-string-h.patch new file mode 100644 index 00000000000..828cab88d98 --- /dev/null +++ b/pkgs/games/amoeba/include-string-h.patch 
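Review bot: `sourceRoot = "amoeba-1.1.orig"` repeats the version that `version = "1.1"` already carries, so a future bump would silently point at a directory that no longer exists; `sourceRoot = "amoeba-${version}.orig";` keeps the two in step. The `prePatch` line applies `../debian/patches/*.diff` in glob (alphabetical) order rather than in the order of a Debian series file, if the packaging tarball ships one, which only works while the patches are independent of each other; a short comment recording that assumption, such as `# Debian patches are applied in glob order; they do not depend on each other`, would help the next updater.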
@@ -0,0 +1,12 @@ +diff --git a/image/png_image.cpp b/image/png_image.cpp +index 37875fc..1531d6f 100644 +--- a/image/png_image.cpp ++++ b/image/png_image.cpp +@@ -4,6 +4,7 @@ + + #include + #include ++#include + + #include + #include "png_image.h" diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 37b2ae71460..d37db1b3311 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -15941,6 +15941,9 @@ with pkgs; alienarena = callPackage ../games/alienarena { }; + amoeba = callPackage ../games/amoeba { }; + amoeba-data = callPackage ../games/amoeba/data.nix { }; + andyetitmoves = if stdenv.isLinux then callPackage ../games/andyetitmoves {} else null; angband = callPackage ../games/angband { }; From f8b8c353ffcfb2a29178c1f7b145baebfab55f81 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Tue, 14 Feb 2017 08:27:40 -0600 Subject: [PATCH 119/153] Simplifying the wrapper program derivation --- nixos/modules/security/wrappers/default.nix | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 8c4353fdd96..96f4544c2fa 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
@@ -9,17 +9,15 @@ let wrappers); securityWrapper = pkgs.stdenv.mkDerivation { - name = "security-wrapper"; - unpackPhase = "true"; + name = "security-wrapper"; + phases = [ "installPhase" "fixupPhase" ]; + buildInputs = [ pkgs.libcap pkgs.libcap_ng pkgs.linuxHeaders ]; + hardeningEnable = [ "pie" ]; installPhase = '' mkdir -p $out/bin parentWrapperDir=$(dirname ${wrapperDir}) gcc -Wall -O2 -DWRAPPER_DIR=\"$parentWrapperDir\" \ - -Wformat -Wformat-security -Werror=format-security \ - -fstack-protector-strong --param ssp-buffer-size=4 \ - -D_FORTIFY_SOURCE=2 -fPIC \ - -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ - -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include + -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper ''; }; From c01689f8dab3387eb004192ce078659e9a4f334c Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Tue, 14 Feb 2017 08:33:07 -0600 Subject: [PATCH 120/153] Fixing ref to old-wrappersDir --- nixos/modules/security/wrappers/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 96f4544c2fa..144053a4ea3 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -162,11 +162,11 @@ in # Remove the old /var/setuid-wrappers path from the system... # - # TDOO: this is only necessary for ugprades 16.09 => 17.x; + # TODO: this is only necessary for ugprades 16.09 => 17.x; # this conditional removal block needs to be removed after # the release. - if [ -d ${config.security.old-wrapperDir} ]; then - rm -rf ${config.security.old-wrapperDir} + if [ -d /var/setuid-wrappers ]; then + rm -rf /var/setuid-wrappers fi # Remove the old /run/setuid-wrappers-dir path from the From e856d6efe812f24034aa8077fb538af0e8f8462d Mon Sep 17 00:00:00 2001 
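Review bot: The new `installPhase` drops the explicit `-Wformat-security -Werror=format-security`, `-fstack-protector-strong`, `-D_FORTIFY_SOURCE=2` and `-fPIC` flags and relies on the stdenv cc-wrapper to inject them, with only `hardeningEnable = [ "pie" ]` stated; that reliance holds as long as `gcc` here is the wrapped compiler and the derivation never gains a `hardeningDisable`, but nothing in the file says so. Since the resulting binary is installed setuid/setcap, document the dependency next to `hardeningEnable`, e.g. `# Fortify, stack protector, format, PIC, relro and bindnow come from the cc-wrapper's default hardening; PIE is opt-in, hence hardeningEnable. Never add hardeningDisable to this privileged wrapper.` The enclosing `let` block continues outside the hunk.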
From: Parnell Springmeyer Date: Tue, 14 Feb 2017 08:40:12 -0600 Subject: [PATCH 121/153] Default should be to set owner and group to root on setcap wrappers too --- nixos/modules/security/wrappers/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 144053a4ea3..2ed8a601a03 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -73,7 +73,10 @@ let mkWrappedPrograms = builtins.map (s: if (s ? "capabilities") - then mkSetcapProgram s + then mkSetcapProgram + ({ owner = "root"; + , group = "root"; + } // s) else if (s ? "setuid" && s.setuid == true) || (s ? "setguid" && s.setguid == true) || From 794b3721bc8bd06169b23ed923ce45905a1baf7b Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Tue, 14 Feb 2017 08:42:08 -0600 Subject: [PATCH 122/153] Syntax wibble --- nixos/modules/security/wrappers/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 2ed8a601a03..6f93403960a 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -75,7 +75,7 @@ let (s: if (s ? "capabilities") then mkSetcapProgram ({ owner = "root"; - , group = "root"; + group = "root"; } // s) else if (s ? "setuid" && s.setuid == true) || From 69794e333a41f3d7d0de44da790c5d356c58e28b Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Tue, 14 Feb 2017 08:53:30 -0600 Subject: [PATCH 123/153] Using para tags for manual formatting --- nixos/modules/security/wrappers/default.nix | 31 +++++++++++---------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 6f93403960a..c5b99c0c801 100644 --- a/nixos/modules/security/wrappers/default.nix 
+++ b/nixos/modules/security/wrappers/default.nix @@ -109,26 +109,27 @@ in }; }; description = '' - This option allows the ownership and permissions on the setuid - wrappers for specific programs to be overridden from the - default (setuid root, but not setgid root). + This option allows the ownership and permissions on the + setuid wrappers for specific programs to be overridden from + the default (setuid root, but not setgid root). - Additionally, this option can set capabilities on a wrapper - program that propagates those capabilities down to the - wrapped, real program. + Additionally, this option can set capabilities on a + wrapper program that propagates those capabilities down to the + wrapped, real program. - The program attribute is the name of the - program to be wrapped. If no source + The program attribute is the name of + the program to be wrapped. If no source attribute is provided, specifying the absolute path to the program, then the program will be searched for in the path - environment variable. + environment variable. - NOTE: cap_setpcap, which is required for the wrapper program - to be able to raise caps into the Ambient set is NOT raised to - the Ambient set so that the real program cannot modify its own - capabilities!! This may be too restrictive for cases in which - the real program needs cap_setpcap but it at least leans on - the side security paranoid vs. too relaxed. + NOTE: cap_setpcap, which is required for the wrapper + program to be able to raise caps into the Ambient set is NOT + raised to the Ambient set so that the real program cannot + modify its own capabilities!! This may be too restrictive for + cases in which the real program needs cap_setpcap but it at + least leans on the side security paranoid vs. too + relaxed. ''; }; From d43738ae931475cc456e556c52e2b57a357b1a2d Mon Sep 17 00:00:00 2001 
From: Thomas Tuegel Date: Tue, 14 Feb 2017 08:54:10 -0600 Subject: [PATCH 124/153] notmuch: don't double-compress man pages --- pkgs/applications/networking/mailreaders/notmuch/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/applications/networking/mailreaders/notmuch/default.nix b/pkgs/applications/networking/mailreaders/notmuch/default.nix index a8502b33cc5..212d366facb 100644 --- a/pkgs/applications/networking/mailreaders/notmuch/default.nix +++ b/pkgs/applications/networking/mailreaders/notmuch/default.nix @@ -95,6 +95,7 @@ stdenv.mkDerivation rec { postInstall = '' make install-man ''; + dontGzipMan = true; # already compressed meta = { description = "Mail indexer"; From d95868e9809b84f1c743ca1218a1b5dc6b521470 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Tue, 14 Feb 2017 17:43:58 +0100 Subject: [PATCH 125/153] geogebra: 5-0-320-0 -> 5-0-328-0 --- pkgs/applications/science/math/geogebra/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/science/math/geogebra/default.nix b/pkgs/applications/science/math/geogebra/default.nix index 8c02af752e7..f72ec5bacc2 100644 --- a/pkgs/applications/science/math/geogebra/default.nix +++ b/pkgs/applications/science/math/geogebra/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { name = "geogebra-${version}"; - version = "5-0-320-0"; + version = "5-0-328-0"; preferLocalBuild = true; src = fetchurl { url = "http://download.geogebra.org/installers/5.0/GeoGebra-Linux-Portable-${version}.tar.bz2"; - sha256 = "039mrjwgkj3z51zq4xpchzr4msz5xgscgmp36dr1wms1kl42vibk"; + sha256 = "1bzmnw5410fv9s29ji8f4naa6m6ykvv8h88mmxhiygr3rfsc7050"; }; srcIcon = fetchurl { From ce859290e9a31acd9b0be51fa2c0ebe988b2c8bb Mon Sep 17 00:00:00 2001 From: Thomas Tuegel Date: Tue, 14 Feb 2017 12:36:02 -0600 Subject: [PATCH 126/153] offlineimap: install man pages --- pkgs/tools/networking/offlineimap/default.nix | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) 
diff --git a/pkgs/tools/networking/offlineimap/default.nix b/pkgs/tools/networking/offlineimap/default.nix index 790212ec689..d585be26e26 100644 --- a/pkgs/tools/networking/offlineimap/default.nix +++ b/pkgs/tools/networking/offlineimap/default.nix @@ -1,4 +1,5 @@ -{ stdenv, fetchFromGitHub, pythonPackages, }: +{ stdenv, fetchFromGitHub, pythonPackages, + asciidoc, libxml2, libxslt, docbook_xml_xslt }: pythonPackages.buildPythonApplication rec { version = "7.0.13"; @@ -12,10 +13,22 @@ pythonPackages.buildPythonApplication rec { sha256 = "0108xmp9df6cb1nzw3ym59mir3phgfdgp5d43n44ymsk2cc39xcc"; }; + postPatch = '' + # Skip xmllint to stop failures due to no network access + sed -i docs/Makefile -e "s|a2x -v -d |a2x -L -v -d |" + ''; + doCheck = false; + nativeBuildInputs = [ asciidoc libxml2 libxslt docbook_xml_xslt ]; propagatedBuildInputs = [ pythonPackages.six ]; + postInstall = '' + make -C docs man + install -D -m 644 docs/offlineimap.1 ''${!outputMan}/share/man/man1/offlineimap.1 + install -D -m 644 docs/offlineimapui.7 ''${!outputMan}/share/man/man7/offlineimapui.7 + ''; + meta = { description = "Synchronize emails between two repositories, so that you can read the same mailbox from multiple computers"; homepage = "http://offlineimap.org"; From 8d8bd31e5f24227eb4d955c6085fc400b18a5d0a Mon Sep 17 00:00:00 2001 From: Lancelot SIX Date: Tue, 14 Feb 2017 19:40:39 +0100 Subject: [PATCH 127/153] ddrescue: 1.21 -> 1.22 See https://lists.gnu.org/archive/html/info-gnu/2017-02/msg00003.html for release note. --- pkgs/tools/system/ddrescue/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/system/ddrescue/default.nix b/pkgs/tools/system/ddrescue/default.nix index 173c2623e18..3dcbf59d4d7 100644 --- a/pkgs/tools/system/ddrescue/default.nix +++ b/pkgs/tools/system/ddrescue/default.nix 
@@ -1,11 +1,11 @@ { stdenv, fetchurl, lzip }: stdenv.mkDerivation rec { - name = "ddrescue-1.21"; + name = "ddrescue-1.22"; src = fetchurl { url = "mirror://gnu/ddrescue/${name}.tar.lz"; - sha256 = "1b71hb42lh33y9843nd1mxlwkk9qh9ajvnz6ivzd1jq9lav4x7ph"; + sha256 = "19qhx9ggkkjl0g3a88g501wmybkj1y4n5lm5kp0km0blh0p7p189"; }; nativeBuildInputs = [ lzip ]; From 3a0efcc4ca59cc3ebb3676e47b05f05dfbc6c9d2 Mon Sep 17 00:00:00 2001 From: John Wiegley Date: Tue, 14 Feb 2017 10:42:11 -0800 Subject: [PATCH 128/153] configuration-common: http-api-data is now at version 0.3.5 --- pkgs/development/haskell-modules/configuration-common.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 51287f14979..f18582d501a 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -752,11 +752,7 @@ self: super: { servant-server = dontCheck super.servant-server; # Fix build for latest versions of servant and servant-client. - servant_0_10 = super.servant_0_10.overrideScope (self: super: { - http-api-data = self.http-api-data_0_3_5; - }); servant-client_0_10 = super.servant-client_0_10.overrideScope (self: super: { - http-api-data = self.http-api-data_0_3_5; servant-server = self.servant-server_0_10; servant = self.servant_0_10; }); From 7483ba093222371e33d5daa22269992104f401c6 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Tue, 14 Feb 2017 14:13:39 -0500 Subject: [PATCH 129/153] Revert "nix-daemon: default useSandbox to true" This reverts commit d0a086770a1be8c1f3175c195587052c5a5bfe1c. --- nixos/doc/manual/release-notes/rl-1703.xml | 4 ---- nixos/modules/services/misc/nix-daemon.nix | 8 ++++---- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 68dc8e9b4bf..8f9694bad8b 100644 
--- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -30,10 +30,6 @@ has the following highlights: PHP now defaults to PHP 7.1 - - - nix-daemon now uses sandboxing by default. - The following new services were added since the last release: diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 4c7264f4ac8..7101cadfeed 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -100,14 +100,14 @@ in useSandbox = mkOption { type = types.either types.bool (types.enum ["relaxed"]); - default = true; + default = false; description = " If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies - outside of the Nix store. It doesn't affect derivation - hashes, so changing this option will not trigger a rebuild - of packages. + outside of the Nix store. This isn't enabled by default for + performance. It doesn't affect derivation hashes, so changing + this option will not trigger a rebuild of packages. "; }; From c2a21d4d7b5780664a1c356244b97801f663ad01 Mon Sep 17 00:00:00 2001 From: Tom Doggett Date: Tue, 14 Feb 2017 14:25:42 -0800 Subject: [PATCH 130/153] gcalcli: init at 3.4.0 (#22725) --- lib/maintainers.nix | 1 + pkgs/applications/misc/gcalcli/default.nix | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/maintainers.nix b/lib/maintainers.nix index 82f59e728ed..6e53114354c 100644 --- a/lib/maintainers.nix +++ b/lib/maintainers.nix @@ -344,6 +344,7 @@ nico202 = "Nicolò Balzarotti "; NikolaMandic = "Ratko Mladic "; nixy = "Andrew R. M. "; + nocoolnametom = "Tom Doggett "; notthemessiah = "Brian Cohen "; np = "Nicolas Pouillard "; nslqqq = "Nikita Mikhailov "; 
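Review bot: The rewritten description in nix-daemon.nix gives only the reason for `default = false;` ("for performance") and not what is given up, even though the same paragraph explains that the sandbox works by disallowing access to dependencies outside the Nix store. A reader deciding whether to enable the option needs both halves, so I would make the sentence explicit: `This isn't enabled by default for performance; note that unsandboxed builds are not prevented from reading files outside the Nix store, so enable it where the overhead is acceptable.` The revert itself is fine; this is only about the option text. The enclosing `useSandbox = mkOption { ... }` is fully inside the hunk, but the surrounding options block starts before it.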
diff --git a/pkgs/applications/misc/gcalcli/default.nix b/pkgs/applications/misc/gcalcli/default.nix index 7d5f16cfde1..7560a8bfeb4 100644 --- a/pkgs/applications/misc/gcalcli/default.nix +++ b/pkgs/applications/misc/gcalcli/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, pkgs, lib, python, pythonPackages }: +{ fetchFromGitHub, lib, pythonPackages }: pythonPackages.buildPythonApplication rec { version = "3.4.0"; @@ -26,5 +26,6 @@ pythonPackages.buildPythonApplication rec { homepage = https://github.com/insanum/gcalcli; description = "CLI for Google Calendar"; license = licenses.mit; + maintainers = [ maintainers.nocoolnametom ]; }; } From 0280d327f44a8f084520793bf30ab66f263bc936 Mon Sep 17 00:00:00 2001 From: mimadrid Date: Tue, 14 Feb 2017 23:47:27 +0100 Subject: [PATCH 131/153] fzf: 0.16.2 -> 0.16.4 --- pkgs/tools/misc/fzf/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/misc/fzf/default.nix b/pkgs/tools/misc/fzf/default.nix index f0a1b63e831..84b074de6cc 100644 --- a/pkgs/tools/misc/fzf/default.nix +++ b/pkgs/tools/misc/fzf/default.nix @@ -2,7 +2,7 @@ buildGoPackage rec { name = "fzf-${version}"; - version = "0.16.2"; + version = "0.16.4"; rev = "${version}"; goPackagePath = "github.com/junegunn/fzf"; @@ -11,7 +11,7 @@ buildGoPackage rec { inherit rev; owner = "junegunn"; repo = "fzf"; - sha256 = "160474x0m3fzxi2ddy53chzhmlrx6lvialjknfxb72rm938fc845"; + sha256 = "0kq4j6q1xk17ryzzcb8s6l2zqsjkk75lrwalias9gwcriqs6k6yn"; }; outputs = [ "bin" "out" "man" ]; From e3d7ce842bfb72cf04cc4a512a78ff28491d4e63 Mon Sep 17 00:00:00 2001 From: mimadrid Date: Tue, 14 Feb 2017 23:59:00 +0100 Subject: [PATCH 132/153] shotwell: 0.25.2 -> 0.25.5 --- pkgs/applications/graphics/shotwell/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/shotwell/default.nix b/pkgs/applications/graphics/shotwell/default.nix index ca74cd1a4aa..814127abe7d 100644 
--- a/pkgs/applications/graphics/shotwell/default.nix +++ b/pkgs/applications/graphics/shotwell/default.nix @@ -8,12 +8,12 @@ stdenv.mkDerivation rec { version = "${major}.${minor}"; major = "0.25"; - minor = "2"; + minor = "5"; name = "shotwell-${version}"; src = fetchurl { url = "mirror://gnome/sources/shotwell/${major}/${name}.tar.xz"; - sha256 = "1bih5hr3pvpkx3fck55bnhngn4fl92ryjizc34wb8pwigbkxnaj1"; + sha256 = "10pv3v789hky8h7ladqzzmgvkmgy3c41n4xz0nnyjmpycwl26g29"; }; NIX_CFLAGS_COMPILE = "-I${glib.dev}/include/glib-2.0 -I${glib.out}/lib/glib-2.0/include"; From 736fde5be36eff8bfd62d392f2912e1b55998c89 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 15 Feb 2017 00:35:54 +0100 Subject: [PATCH 133/153] grafana: 4.1.1 -> 4.1.2 --- pkgs/servers/monitoring/grafana/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/servers/monitoring/grafana/default.nix b/pkgs/servers/monitoring/grafana/default.nix index f2ce7822b8a..6c7b7ff001a 100644 --- a/pkgs/servers/monitoring/grafana/default.nix +++ b/pkgs/servers/monitoring/grafana/default.nix @@ -1,8 +1,8 @@ { lib, buildGoPackage, fetchurl, fetchFromGitHub, phantomjs2 }: buildGoPackage rec { - version = "4.1.1"; - ts = "1484211277"; + version = "4.1.2"; + ts = "1486989747"; name = "grafana-v${version}"; goPackagePath = "github.com/grafana/grafana"; @@ -10,12 +10,12 @@ buildGoPackage rec { rev = "v${version}"; owner = "grafana"; repo = "grafana"; - sha256 = "028s8fq8akv509kqw49865qpccxmhskaxcm51nn3c0i7vask2ivs"; + sha256 = "0x2knb2lrs6sbj3svcjn70p46fzdy71gh8fgi801g1l0yp9s5yrg"; }; srcStatic = fetchurl { url = "https://grafanarel.s3.amazonaws.com/builds/grafana-${version}-${ts}.linux-x64.tar.gz"; - sha256 = "1srscjlm9m08z7shydhkl4wnhv19by7pqfd7qvbvz2v3d5slqiji"; + sha256 = "1i7n1a2xn65flwy2zqs3kqg1ch51653r52qn3gfh5hp92k81q4dq"; }; preBuild = "export GOPATH=$GOPATH:$NIX_BUILD_TOP/go/src/${goPackagePath}/Godeps/_workspace"; 
From f87eb8920c1aa665b71f386b7bdc674827c43931 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 15 Feb 2017 00:41:20 +0100 Subject: [PATCH 134/153] grafana-old: outdated, probably without users --- .../tools/misc/grafana/default.nix | 30 ------------------- pkgs/top-level/all-packages.nix | 2 -- 2 files changed, 32 deletions(-) delete mode 100644 pkgs/development/tools/misc/grafana/default.nix diff --git a/pkgs/development/tools/misc/grafana/default.nix b/pkgs/development/tools/misc/grafana/default.nix deleted file mode 100644 index fc98d9703ef..00000000000 --- a/pkgs/development/tools/misc/grafana/default.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ stdenv, fetchurl, unzip, conf ? null }: - -with stdenv.lib; - -stdenv.mkDerivation rec { - name = "grafana-${version}"; - version = "1.9.1"; - - src = fetchurl { - url = "http://grafanarel.s3.amazonaws.com/${name}.zip"; - sha256 = "1zyzsbspxrzaf2kk6fysp6c3y025s6nd75rc2p9qq9q95dv8fj23"; - }; - - buildInputs = [ unzip ]; - - phases = ["unpackPhase" "installPhase"]; - installPhase = '' - mkdir -p $out && cp -R * $out - ${optionalString (conf!=null) ''cp ${conf} $out/config.js''} - ''; - - meta = { - description = "A Graphite & InfluxDB Dashboard and Graph Editor"; - homepage = http://grafana.org/; - license = licenses.asl20; - - maintainers = [ maintainers.offline ]; - platforms = stdenv.lib.platforms.unix; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9cdc6f0a5ba..d3aadd14771 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -1993,8 +1993,6 @@ with pkgs; gptfdisk = callPackage ../tools/system/gptfdisk { }; - grafana-old = callPackage ../development/tools/misc/grafana { }; - grafx2 = callPackage ../applications/graphics/grafx2 {}; grails = callPackage ../development/web/grails { jdk = null; }; From e18bec1e3c902d6ae8ce84f8d5586fc3e784aed0 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Wed, 15 Feb 2017 00:38:26 +0100 Subject: [PATCH 135/153] nginxMainline: 1.11.9 -> 1.11.10 --- pkgs/servers/http/nginx/mainline.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/http/nginx/mainline.nix b/pkgs/servers/http/nginx/mainline.nix index 5d976a33488..a9f3d74e99c 100644 --- a/pkgs/servers/http/nginx/mainline.nix +++ b/pkgs/servers/http/nginx/mainline.nix @@ -1,6 +1,6 @@ { callPackage, ... }@args: callPackage ./generic.nix (args // { - version = "1.11.9"; - sha256 = "0j2pcara9ir2xj3m2mjzf7wz46mdy51c0kal61cp0ldm2qgvf8nw"; + version = "1.11.10"; + sha256 = "0gak6pcsn1m8fsz0g95z4b72nn12ivy35vlxrmagfcvnn2mkr2vp"; }) From f56fa4824a3ebb79c797e83dda4eb6fb3f0dcee0 Mon Sep 17 00:00:00 2001 From: Laverne Schrock Date: Mon, 13 Feb 2017 18:40:36 -0600 Subject: [PATCH 136/153] mnemosyne: move generated locale files to correct location It feels like a bit of a hack to move them after the install rather than generating them in the correct spot in the first place, but this fixes #12763. --- pkgs/games/mnemosyne/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/games/mnemosyne/default.nix b/pkgs/games/mnemosyne/default.nix index c1bde5fcbc3..03052c52f7f 100644 --- a/pkgs/games/mnemosyne/default.nix +++ b/pkgs/games/mnemosyne/default.nix @@ -20,6 +20,11 @@ in pythonPackages.buildPythonApplication rec { substituteInPlace setup.py --replace /usr $out find . -type f -exec grep -H sys.exec_prefix {} ';' | cut -d: -f1 | xargs sed -i s,sys.exec_prefix,\"$out\", ''; + postInstall = '' + mkdir -p $out/share + mv $out/lib/python2.7/site-packages/$out/share/locale $out/share + rm -r $out/lib/python2.7/site-packages/nix + ''; meta = { homepage = http://mnemosyne-proj.org/; description = "Spaced-repetition software"; From 0637f83fb8fc8b7eb7090d75dce42ca9e8058b75 Mon Sep 17 00:00:00 2001 
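Review bot: The new postInstall in mnemosyne hard-codes the interpreter path `$out/lib/python2.7/site-packages` twice, so the `mv` fails as soon as `pythonPackages` is switched to another Python. The derivation already has `pythonPackages` in scope, so the two paths can be written as `$out/${pythonPackages.python.sitePackages}/$out/share/locale` and `$out/${pythonPackages.python.sitePackages}/nix`. A one-line comment above the hook saying why the locale files end up under site-packages (presumably because the preceding sed rewrites `sys.exec_prefix` to `"$out"`) would also help the next maintainer, since the commit message itself calls this a workaround for #12763. The enclosing `pythonPackages.buildPythonApplication rec { ... }` starts before and ends after the hunk.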
From: Jude Taylor Date: Tue, 14 Feb 2017 16:51:55 -0800 Subject: [PATCH 137/153] update xmonad nix patch to apply to new xmonad --- .../haskell-modules/patches/xmonad-nix.patch | 63 ++++++++++++++----- 1 file changed, 46 insertions(+), 17 deletions(-) diff --git a/pkgs/development/haskell-modules/patches/xmonad-nix.patch b/pkgs/development/haskell-modules/patches/xmonad-nix.patch index cfce819747f..2a9ec4bfedf 100644 --- a/pkgs/development/haskell-modules/patches/xmonad-nix.patch +++ b/pkgs/development/haskell-modules/patches/xmonad-nix.patch @@ -1,31 +1,33 @@ +diff --git a/src/XMonad/Core.hs b/src/XMonad/Core.hs +index 138d735..65b5a84 100644 --- a/src/XMonad/Core.hs 
+++ b/src/XMonad/Core.hs -@@ -48,6 +48,7 @@ import System.Posix.Types (ProcessID) +@@ -51,6 +51,7 @@ import System.Posix.Types (ProcessID) import System.Process import System.Directory import System.Exit +import System.Environment (lookupEnv) import Graphics.X11.Xlib - import Graphics.X11.Xlib.Extras (Event) + import Graphics.X11.Xlib.Extras (getWindowAttributes, WindowAttributes, Event) import Data.Typeable -@@ -463,6 +464,7 @@ recompile force = io $ do - err = base ++ ".errors" - src = base ++ ".hs" - lib = dir "lib" +@@ -571,6 +572,7 @@ recompile force = io $ do + lib = cfgdir "lib" + buildscript = cfgdir "build" + + ghc <- fromMaybe "ghc" <$> liftIO (lookupEnv "NIX_GHC") libTs <- mapM getModTime . Prelude.filter isSource =<< allFiles lib srcT <- getModTime src binT <- getModTime bin -@@ -471,7 +473,7 @@ recompile force = io $ do - -- temporarily disable SIGCHLD ignoring: - uninstallSignalHandlers - status <- bracket (openFile err WriteMode) hClose $ \h -> -- waitForProcess =<< runProcess "ghc" ["--make", "xmonad.hs", "-i", "-ilib", "-fforce-recomp", "-main-is", "main", "-v0", "-o",binn] (Just dir) -+ waitForProcess =<< runProcess ghc ["--make", "xmonad.hs", "-i", "-ilib", "-fforce-recomp", "-main-is", "main", "-v0", "-o",binn] (Just dir) - Nothing Nothing Nothing (Just h) +@@ -586,7 +588,7 @@ recompile force = io $ do + status <- bracket (openFile err WriteMode) hClose $ \errHandle -> + waitForProcess =<< if useBuildscript + then compileScript bin cfgdir buildscript errHandle +- else compileGHC bin cfgdir errHandle ++ else compileGHC ghc bin cfgdir errHandle -- re-enable SIGCHLD: -@@ -480,6 +482,7 @@ recompile force = io $ do + installSignalHandlers +@@ -594,6 +596,7 @@ recompile force = io $ do -- now, if it fails, run xmessage to let the user know: when (status /= ExitSuccess) $ do ghcErr <- readFile err 
@@ -33,12 +35,39 @@ let msg = unlines $ ["Error detected while loading xmonad configuration file: " ++ src] ++ lines (if null ghcErr then show status else ghcErr) -@@ -487,7 +490,7 @@ recompile force = io $ do +@@ -601,7 +604,7 @@ recompile force = io $ do -- nb, the ordering of printing, then forking, is crucial due to -- lazy evaluation hPutStrLn stderr msg -- forkProcess $ executeFile "xmessage" True ["-default", "okay", msg] Nothing -+ forkProcess $ executeFile xmessage True ["-default", "okay", msg] Nothing +- forkProcess $ executeFile "xmessage" True ["-default", "okay", replaceUnicode msg] Nothing ++ forkProcess $ executeFile xmessage True ["-default", "okay", replaceUnicode msg] Nothing return () return (status == ExitSuccess) else return True +@@ -619,16 +622,16 @@ recompile force = io $ do + '\8216' -> '`' -- ‘ + '\8217' -> '`' -- ’ + _ -> c +- compileGHC bin dir errHandle = +- runProcess "ghc" ["--make" +- , "xmonad.hs" +- , "-i" +- , "-ilib" +- , "-fforce-recomp" +- , "-main-is", "main" +- , "-v0" +- , "-o", bin +- ] (Just dir) Nothing Nothing Nothing (Just errHandle) ++ compileGHC ghc bin dir errHandle = ++ runProcess ghc ["--make" ++ , "xmonad.hs" ++ , "-i" ++ , "-ilib" ++ , "-fforce-recomp" ++ , "-main-is", "main" ++ , "-v0" ++ , "-o", bin ++ ] (Just dir) Nothing Nothing Nothing (Just errHandle) + compileScript bin dir script errHandle = + runProcess script [bin] (Just dir) Nothing Nothing Nothing (Just errHandle) + From c34a52bf5da351a13211a87ebc1a7a32ef2af6ba Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Mon, 13 Feb 2017 18:24:22 +0100 Subject: [PATCH 138/153] mozart: prefer local builds The build essentially unpacks a tarball and generates a few wrappers. No need to use hydra for that. --- pkgs/development/compilers/mozart/binary.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/mozart/binary.nix b/pkgs/development/compilers/mozart/binary.nix index e3dd950e0d1..1c3a21e2e44 100644 
--- a/pkgs/development/compilers/mozart/binary.nix +++ b/pkgs/development/compilers/mozart/binary.nix @@ -9,6 +9,8 @@ let in stdenv.mkDerivation { name = "mozart-binary-${version}"; + preferLocalBuild = true; + src = fetchurl { url = "mirror://sourceforge/project/mozart-oz/v${version}-alpha.0/mozart2-${version}-alpha.0+build.4105.5c06ced-x86_64-linux.tar.gz"; sha256 = "0rsfrjimjxqbwprpzzlmydl3z3aiwg5qkb052jixdxjyad7gyh5z"; From 1f83f1c8789e4ad30f0242d4a8896324b8f9e89a Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Tue, 14 Feb 2017 21:30:04 -0600 Subject: [PATCH 139/153] security-wrapper: Wrap tags in a tag --- nixos/modules/security/wrappers/default.nix | 38 +++++++++++---------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index c5b99c0c801..9e4f3fdaa01 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
@@ -109,27 +109,29 @@ in }; }; description = '' - This option allows the ownership and permissions on the - setuid wrappers for specific programs to be overridden from - the default (setuid root, but not setgid root). + This option allows the ownership and permissions on the setuid + wrappers for specific programs to be overridden from the + default (setuid root, but not setgid root). - Additionally, this option can set capabilities on a - wrapper program that propagates those capabilities down to the - wrapped, real program. + + Additionally, this option can set capabilities on a + wrapper program that propagates those capabilities down to the + wrapped, real program. - The program attribute is the name of - the program to be wrapped. If no source - attribute is provided, specifying the absolute path to the - program, then the program will be searched for in the path - environment variable. + The program attribute is the name of + the program to be wrapped. If no source + attribute is provided, specifying the absolute path to the + program, then the program will be searched for in the path + environment variable. - NOTE: cap_setpcap, which is required for the wrapper - program to be able to raise caps into the Ambient set is NOT - raised to the Ambient set so that the real program cannot - modify its own capabilities!! This may be too restrictive for - cases in which the real program needs cap_setpcap but it at - least leans on the side security paranoid vs. too - relaxed. + NOTE: cap_setpcap, which is required for the wrapper + program to be able to raise caps into the Ambient set is NOT + raised to the Ambient set so that the real program cannot + modify its own capabilities!! This may be too restrictive for + cases in which the real program needs cap_setpcap but it at + least leans on the side security paranoid vs. too + relaxed. + ''; }; From 3490508ed1708a7dad1307a5739665b51df9b34d Mon Sep 17 00:00:00 2001 
From: Ian-Woo Kim Date: Sun, 27 Nov 2016 02:37:50 -0800 Subject: [PATCH 140/153] nixos-container: support bridge. --- pkgs/tools/virtualization/nixos-container/nixos-container.pl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/virtualization/nixos-container/nixos-container.pl b/pkgs/tools/virtualization/nixos-container/nixos-container.pl index 5cb7e3b560b..18ee2f111b4 100755 --- a/pkgs/tools/virtualization/nixos-container/nixos-container.pl +++ b/pkgs/tools/virtualization/nixos-container/nixos-container.pl @@ -16,7 +16,7 @@ umask 0022; sub showHelp { print < [--nixos-path ] [--system-path ] [--config-file ] [--config ] [--ensure-unique-name] [--auto-start] + nixos-container create [--nixos-path ] [--system-path ] [--config-file ] [--config ] [--ensure-unique-name] [--auto-start] [--bridge ] nixos-container destroy nixos-container start nixos-container stop @@ -36,6 +36,7 @@ my $systemPath; my $nixosPath; my $ensureUniqueName = 0; my $autoStart = 0; +my $bridge; my $extraConfig; my $signal; my $configFile; @@ -44,6 +45,7 @@ GetOptions( "help" => sub { showHelp() }, "ensure-unique-name" => \$ensureUniqueName, "auto-start" => \$autoStart, + "bridge=s" => \$bridge, "system-path=s" => \$systemPath, "signal=s" => \$signal, "nixos-path=s" => \$nixosPath, @@ -153,6 +155,7 @@ if ($action eq "create") { push @conf, "PRIVATE_NETWORK=1\n"; push @conf, "HOST_ADDRESS=$hostAddress\n"; push @conf, "LOCAL_ADDRESS=$localAddress\n"; + push @conf, "HOST_BRIDGE=$bridge\n"; push @conf, "AUTO_START=$autoStart\n"; write_file($confFile, \@conf); From a238c8a575a0397861e75b9509ded670f9e6381b Mon Sep 17 00:00:00 2001 
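Review bot: `my $bridge;` is left undefined, but the create path unconditionally does `push @conf, "HOST_BRIDGE=$bridge\n";`, so every container created without `--bridge` interpolates an undef (an "uninitialized value" warning if the script runs under `use warnings`, which the hunk does not show). Initialise it like the neighbouring flags, `my $bridge = "";`, and the same applies to `my $port;` added in PATCH 141. Since the value is written verbatim into the conf file that containers.nix appears to read as shell (see `--network-bridge=$HOST_BRIDGE` in PATCH 141's hunk), a sanity check that it looks like an interface name, e.g. `die "invalid bridge name\n" if $bridge ne "" && $bridge !~ /^[\w.-]+$/;`, keeps stray shell characters out of that file. The surrounding `if ($action eq "create")` block starts outside the hunk.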
From: Ian-Woo Kim Date: Fri, 2 Dec 2016 13:21:03 -0800 Subject: [PATCH 141/153] nixos-container: add --port option for nixos-container (forward network ports to systemd-nspawn container) --- nixos/modules/virtualisation/containers.nix | 3 +++ pkgs/tools/virtualization/nixos-container/nixos-container.pl | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 7d445fa0951..7193029d451 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -89,6 +89,9 @@ let if [ -n "$HOST_BRIDGE" ]; then extraFlags+=" --network-bridge=$HOST_BRIDGE" fi + if [ -n "$HOST_PORT" ]; then + extraFlags+=" --port=$HOST_PORT" + fi fi extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}" diff --git a/pkgs/tools/virtualization/nixos-container/nixos-container.pl b/pkgs/tools/virtualization/nixos-container/nixos-container.pl index 18ee2f111b4..cde79f8a820 100755 --- a/pkgs/tools/virtualization/nixos-container/nixos-container.pl +++ b/pkgs/tools/virtualization/nixos-container/nixos-container.pl @@ -16,7 +16,7 @@ umask 0022; sub showHelp { print < [--nixos-path ] [--system-path ] [--config-file ] [--config ] [--ensure-unique-name] [--auto-start] [--bridge ] + nixos-container create [--nixos-path ] [--system-path ] [--config-file ] [--config ] [--ensure-unique-name] [--auto-start] [--bridge ] [--port ] nixos-container destroy nixos-container start nixos-container stop @@ -37,6 +37,7 @@ my $nixosPath; my $ensureUniqueName = 0; my $autoStart = 0; my $bridge; +my $port; my $extraConfig; my $signal; my $configFile; @@ -46,6 +47,7 @@ GetOptions( "ensure-unique-name" => \$ensureUniqueName, "auto-start" => \$autoStart, "bridge=s" => \$bridge, + "port=s" => \$port, "system-path=s" => \$systemPath, "signal=s" => \$signal, "nixos-path=s" => \$nixosPath, 
@@ -156,6 +158,7 @@ if ($action eq "create") { push @conf, "HOST_ADDRESS=$hostAddress\n"; push @conf, "LOCAL_ADDRESS=$localAddress\n"; push @conf, "HOST_BRIDGE=$bridge\n"; + push @conf, "HOST_PORT=$port\n"; push @conf, "AUTO_START=$autoStart\n"; write_file($confFile, \@conf); From 86842852513a8e0132e5580802b0fa1d90ef5f9b Mon Sep 17 00:00:00 2001 From: Ian-Woo Kim Date: Fri, 2 Dec 2016 13:49:38 -0800 Subject: [PATCH 142/153] nixos-container: introduce hostPort in declarative container options. --- nixos/modules/virtualisation/containers.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 7193029d451..88273545c2b 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -131,6 +131,7 @@ let --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \ --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \ --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \ + --setenv HOST_PORT="$HOST_PORT" \ --setenv PATH="$PATH" \ ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else "" @@ -318,6 +319,16 @@ let ''; }; + hostPort = mkOption { + type = types.nullOr types.string; + default = null; + example = "8080"; + description = '' + Allow port forwarding from the host to the container. + ''; + }; + + hostAddress = mkOption { type = types.nullOr types.str; default = null; @@ -654,6 +665,9 @@ in ${optionalString (cfg.hostBridge != null) '' HOST_BRIDGE=${cfg.hostBridge} ''} + ${optionalString (cfg.hostPort != null) '' + HOST_PORT=${cfg.hostPort} + ''} ${optionalString (cfg.hostAddress != null) '' HOST_ADDRESS=${cfg.hostAddress} ''} From 0bfc631de20a351b23af571e80347df1a58a298a Mon Sep 17 00:00:00 2001 
From: Ian-Woo Kim Date: Sun, 4 Dec 2016 04:00:07 +0000 Subject: [PATCH 143/153] nixos-container: support multiple port forwarding. change type of hostPort from 'string' to 'listOf str' --- nixos/modules/virtualisation/containers.nix | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 88273545c2b..83b7a2fdecd 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -90,7 +90,13 @@ let extraFlags+=" --network-bridge=$HOST_BRIDGE" fi if [ -n "$HOST_PORT" ]; then - extraFlags+=" --port=$HOST_PORT" + OIFS=$IFS + IFS="," + for i in $HOST_PORT + do + extraFlags+=" --port=$i" + done + IFS=$OIFS fi fi @@ -320,11 +326,11 @@ let }; hostPort = mkOption { - type = types.nullOr types.string; + type = types.listOf types.str; default = null; - example = "8080"; + example = [ "8080" ]; description = '' - Allow port forwarding from the host to the container. + List of forwarded ports from the host to the container. ''; }; @@ -665,8 +671,8 @@ in ${optionalString (cfg.hostBridge != null) '' HOST_BRIDGE=${cfg.hostBridge} ''} - ${optionalString (cfg.hostPort != null) '' - HOST_PORT=${cfg.hostPort} + ${optionalString (length cfg.hostPort > 0) '' + HOST_PORT=${concatStringsSep "," cfg.hostPort} ''} ${optionalString (cfg.hostAddress != null) '' HOST_ADDRESS=${cfg.hostAddress} From 4f0b663c2e3939981d2e254a3f1d93ea2901599b Mon Sep 17 00:00:00 2001 From: Ian-Woo Kim Date: Sat, 3 Dec 2016 20:57:24 -0800 Subject: [PATCH 144/153] nixos-container: hostPort -> forwardPort and forwardPort is now a list of (protocol,hostPort,containerPort). --- nixos/modules/virtualisation/containers.nix | 45 +++++++++++++++------ 1 file changed, 32 insertions(+), 13 deletions(-) diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 83b7a2fdecd..5c867cbc2c8 100644 
--- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -90,13 +90,13 @@ let extraFlags+=" --network-bridge=$HOST_BRIDGE" fi if [ -n "$HOST_PORT" ]; then - OIFS=$IFS - IFS="," + OIFS=$IFS + IFS="," for i in $HOST_PORT - do + do extraFlags+=" --port=$i" - done - IFS=$OIFS + done + IFS=$OIFS fi fi @@ -325,12 +325,29 @@ let ''; }; - hostPort = mkOption { - type = types.listOf types.str; - default = null; - example = [ "8080" ]; + forwardPorts = mkOption { + type = types.listOf (types.submodule { + options = { + protocol = mkOption { + type = types.str; + default = "tcp"; + description = "The protocol specifier for port forwarding between host and container"; + }; + hostPort = mkOption { + type = types.int; + description = "Source port of the external interface on host"; + }; + containerPort = mkOption { + type = types.nullOr types.int; + default = null; + description = "Target port of container"; + }; + }; + }); + default = []; + example = [ { protocol = "tcp"; hostPort = 8080; containerPort = 80; } ]; description = '' - List of forwarded ports from the host to the container. + List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given. ''; }; @@ -662,7 +679,9 @@ in # Generate a configuration file in /etc/containers for each # container so that container@.target can get the container # configuration. - environment.etc = mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf" + environment.etc = + let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort); + in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf" { text = '' SYSTEM_PATH=${cfg.path} 
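Review bot: `protocol` is declared as `types.str` with default "tcp", but systemd-nspawn's `--port=` only understands `tcp` and `udp`, so a typo such as "tpc" passes module evaluation and only fails when the container starts. Declaring it as `type = types.enum [ "tcp" "udp" ];` moves that failure to evaluation time; similarly `hostPort` and `containerPort` are bare `types.int` with no 1–65535 range check. `mkPortStr` is otherwise fine, but a short comment on it saying it emits the `proto:host:container` form consumed by the `--port=$i` loop in the first hunk would make the two halves easier to connect. The other hunks of this section are the indentation fix and the corresponding conf-file change.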
@@ -671,8 +690,8 @@ in ${optionalString (cfg.hostBridge != null) '' HOST_BRIDGE=${cfg.hostBridge} ''} - ${optionalString (length cfg.hostPort > 0) '' - HOST_PORT=${concatStringsSep "," cfg.hostPort} + ${optionalString (length cfg.forwardPorts > 0) '' + HOST_PORT=${concatStringsSep "," (map mkPortStr cfg.forwardPorts)} ''} ${optionalString (cfg.hostAddress != null) '' HOST_ADDRESS=${cfg.hostAddress} From 5ca0f72472a08ee42231410642a4928a3d58c61f Mon Sep 17 00:00:00 2001 From: Ian-Woo Kim Date: Sat, 17 Dec 2016 17:48:29 -0800 Subject: [PATCH 145/153] nixos-container: break lines in description of forwardPorts. --- nixos/modules/virtualisation/containers.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 5c867cbc2c8..f79854967f1 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -347,7 +347,10 @@ let default = []; example = [ { protocol = "tcp"; hostPort = 8080; containerPort = 80; } ]; description = '' - List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given. + List of forwarded ports from host to container. Each forwarded port + is specified by protocol, hostPort and containerPort. By default, + protocol is tcp and hostPort and containerPort are assumed to be + the same if containerPort is not explicitly given. ''; }; From b7a24e0a2b540c0598fc3ff4056feb1208ec89f9 Mon Sep 17 00:00:00 2001 
From: Ian-Woo Kim Date: Fri, 3 Feb 2017 12:50:02 -0800 Subject: [PATCH 146/153] nixos-container: added test for port forwarding ( nixos/tests/containers-portforward.nix ) --- nixos/tests/containers-portforward.nix | 63 ++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 nixos/tests/containers-portforward.nix diff --git a/nixos/tests/containers-portforward.nix b/nixos/tests/containers-portforward.nix new file mode 100644 index 00000000000..78cc445c2dd --- /dev/null +++ b/nixos/tests/containers-portforward.nix 
@@ -0,0 +1,63 @@ +# Test for NixOS' container support. + +let + hostIp = "192.168.0.1"; + hostPort = 10080; + containerIp = "192.168.0.100"; + containerPort = 80; +in + +import ./make-test.nix ({ pkgs, ...} : { + name = "containers-portforward"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ aristid aszlig eelco chaoflow kampfschlaefer ianwookim ]; + }; + + machine = + { config, pkgs, ... }: + { imports = [ ../modules/installer/cd-dvd/channel.nix ]; + virtualisation.writableStore = true; + virtualisation.memorySize = 768; + + containers.webserver = + { privateNetwork = true; + hostAddress = hostIp; + localAddress = containerIp; + forwardPorts = [ { protocol = "tcp"; hostPort = hostPort; containerPort = containerPort; } ]; + config = + { services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowPing = true; + }; + }; + + virtualisation.pathsInNixDB = [ pkgs.stdenv ]; + }; + + testScript = + '' + $machine->succeed("nixos-container list") =~ /webserver/ or die; + + # Start the webserver container. + $machine->succeed("nixos-container start webserver"); + + # wait two seconds for the container to start and the network to be up + sleep 2; + + # Since "start" returns after the container has reached + # multi-user.target, we should now be able to access it. + #my $ip = $machine->succeed("nixos-container show-ip webserver"); + #chomp $ip; + $machine->succeed("ping -n -c1 ${hostIp}"); + $machine->succeed("curl --fail http://${hostIp}:${toString hostPort}/ > /dev/null"); + + # Stop the container. + $machine->succeed("nixos-container stop webserver"); + $machine->fail("curl --fail --connect-timeout 2 http://${hostIp}:${toString hostPort}/ > /dev/null"); + + # Destroying a declarative container should fail. + $machine->fail("nixos-container destroy webserver"); + ''; + +}) From 9d8a0f8dd8153ea2f41104820b0c234b5aea9dba Mon Sep 17 00:00:00 2001 
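Review bot: `sleep 2;` is a timing guess standing in for a readiness check, and the comment right after it ("start returns after the container has reached multi-user.target") contradicts the reason the sleep gives for itself; replace it with the driver's polling primitive, `$machine->waitUntilSucceeds("curl --fail http://${hostIp}:${toString hostPort}/ > /dev/null");`, so the test waits on the actual condition instead of racing the container's network setup on a slow builder. The commented-out `#my $ip = ...` and `#chomp $ip;` lines are dead code carried over from the generic containers test and should be dropped rather than kept in a new file. The fixed `sleep 2` is the kind of thing that passes locally and fails on a loaded Hydra runner, which is why a polling wait is preferable here.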
From: Joachim Fasting Date: Wed, 15 Feb 2017 05:36:03 +0100 Subject: [PATCH 147/153] pax-utils: 1.1.7 -> 1.2.2 Fixes at least a few out-of-bounds reads[1][2] [1]: http://seclists.org/oss-sec/2017/q1/256 [2]: http://seclists.org/oss-sec/2017/q1/308 --- pkgs/os-specific/linux/pax-utils/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/pax-utils/default.nix b/pkgs/os-specific/linux/pax-utils/default.nix index 1e4373f286c..956492ba747 100644 --- a/pkgs/os-specific/linux/pax-utils/default.nix +++ b/pkgs/os-specific/linux/pax-utils/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "pax-utils-${version}"; - version = "1.1.7"; + version = "1.2.2"; src = fetchurl { url = "https://dev.gentoo.org/~vapier/dist/${name}.tar.xz"; - sha256 = "045dxgl4kkmq6205iw6fqyx3565gd607p3xpad5l9scdi3qdp6xv"; + sha512 = "26f7lqr1s2iywj8qfbf24sm18bl6f7cwsf77nxwwvgij1z88gvh6yx3gp65zap92l0xjdp8kwq9y96xld39p86zd9dmkm447czykbvb"; }; makeFlags = [ From 7ee777d784de06a088c5ec933bfb2383c7001d1f Mon Sep 17 00:00:00 2001 From: Profpatsch Date: Tue, 14 Feb 2017 16:08:51 +0100 Subject: [PATCH 148/153] picard: 1.32. -> 1.4 --- pkgs/applications/audio/picard/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/audio/picard/default.nix b/pkgs/applications/audio/picard/default.nix index bbd59f56f70..886a77bb714 100644 --- a/pkgs/applications/audio/picard/default.nix +++ b/pkgs/applications/audio/picard/default.nix @@ -1,7 +1,7 @@ { stdenv, python2Packages, fetchurl, gettext, chromaprint }: let - version = "1.3.2"; + version = "1.4"; pythonPackages = python2Packages; in pythonPackages.buildPythonApplication { name = "picard-${version}"; 
@@ -9,7 +9,7 @@ in pythonPackages.buildPythonApplication { src = fetchurl { url = "http://ftp.musicbrainz.org/pub/musicbrainz/picard/picard-${version}.tar.gz"; - sha256 = "0821xb7gyg0rhch8s3qkzmak90wjpcxkv9a364yv6bmqc12j6a77"; + sha256 = "0gi7f1h7jcg7n18cx8iw38sd868viv3w377xmi7cq98f1g76d4h6"; }; buildInputs = [ gettext ]; From 01e5b8527dacfb61319dcdc2178ec6aed7f7f3c5 Mon Sep 17 00:00:00 2001 From: Philipp Date: Wed, 15 Feb 2017 07:05:22 +0100 Subject: [PATCH 149/153] dehydrated: 0.3.1 -> 0.4.0 (#22804) --- pkgs/tools/admin/dehydrated/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/admin/dehydrated/default.nix b/pkgs/tools/admin/dehydrated/default.nix index 6bd915e7050..4860311fa73 100644 --- a/pkgs/tools/admin/dehydrated/default.nix +++ b/pkgs/tools/admin/dehydrated/default.nix @@ -1,7 +1,7 @@ { stdenv, bash, coreutils, curl, diffutils, gawk, gnugrep, gnused, openssl, makeWrapper, fetchFromGitHub }: let pkgName = "dehydrated"; - version = "0.3.1"; + version = "0.4.0"; in stdenv.mkDerivation rec { name = pkgName + "-" + version; @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { owner = "lukas2511"; repo = "dehydrated"; rev = "v${version}"; - sha256 = "0prg940ykbsfb4w48bc03j5abycg8v7f9rg9x3kcva37y8ml0jsp"; + sha256 = "0nxs6l5i6409dzgiyjn8cnzjcblwj4rqcpxxb766vcvb8d4kqwby"; }; buildInputs = [ makeWrapper ]; From 195ca7393c42a9d93d34ca8911082101cb8db642 Mon Sep 17 00:00:00 2001 From: rardiol Date: Wed, 15 Feb 2017 04:11:59 -0200 Subject: [PATCH 150/153] widelands: 18 -> 19 (#22796) --- pkgs/games/widelands/bincmake.patch | 21 ++++++++++++++++ pkgs/games/widelands/default.nix | 37 +++++++++++++++++++---------- pkgs/top-level/all-packages.nix | 2 +- 3 files changed, 47 insertions(+), 13 deletions(-) create mode 100644 pkgs/games/widelands/bincmake.patch diff --git a/pkgs/games/widelands/bincmake.patch b/pkgs/games/widelands/bincmake.patch new file mode 100644 index 00000000000..ed6a9912522 --- /dev/null 
+++ b/pkgs/games/widelands/bincmake.patch @@ -0,0 +1,21 @@ +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -25,6 +25,8 @@ + # Packagers (or people using make install) have to set this variable to an absolute path. + wl_set_if_unset(WL_INSTALL_DATADIR "./data") + ++wl_set_if_unset(WL_INSTALL_BINARY "./bin") ++ + if("${CMAKE_CXX_COMPILER_ID}" STREQUAL "GNU") + if (CMAKE_CXX_COMPILER_VERSION VERSION_LESS 4.7) + message(FATAL_ERROR "Widelands needs GCC >= 4.7 to compile.") + +--- a/cmake/WlFunctions.cmake ++++ b/cmake/WlFunctions.cmake +@@ -276,5 +276,5 @@ + + #Quoting the CMake documentation on DESTINATION: + #"If a relative path is given it is interpreted relative to the value of CMAKE_INSTALL_PREFIX" +- install(TARGETS ${NAME} DESTINATION "." COMPONENT ExecutableFiles) ++ install(TARGETS ${NAME} DESTINATION ${WL_INSTALL_BINARY} COMPONENT ExecutableFiles) + endfunction() diff --git a/pkgs/games/widelands/default.nix b/pkgs/games/widelands/default.nix index b6008bd7e76..94fd23cd8cb 100644 --- a/pkgs/games/widelands/default.nix +++ b/pkgs/games/widelands/default.nix @@ -1,10 +1,11 @@ { stdenv, fetchurl, cmake, python, gettext -, boost, libpng, zlib, glew, lua -, SDL, SDL_image, SDL_mixer, SDL_net, SDL_ttf, SDL_gfx +, boost, libpng, zlib, glew, lua, doxygen, icu +, SDL2, SDL2_image, SDL2_mixer, SDL2_net, SDL2_ttf, SDL2_gfx }: -stdenv.mkDerivation { - name = "widelands-18"; +stdenv.mkDerivation rec { + name = "widelands-${version}"; + version = "19"; meta = with stdenv.lib; { description = "RTS with multiple-goods economy"; 
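Review bot: `SDL2_gfx` is added to the derivation's argument set on the `+, SDL2, SDL2_image, ...` line, but the `buildInputs` list in the next hunk stops at `SDL2_ttf`, so the new argument is never used; either add it to buildInputs if widelands 19 actually links against it, or drop it from the parameter list so the declared inputs stay honest (`, SDL2, SDL2_image, SDL2_mixer, SDL2_net, SDL2_ttf`). The old expression had the same mismatch in the other direction (`SDL_gfx` declared and listed), so this is a good moment to settle it. Whether the 19 release needs SDL2_gfx is not visible from this patch.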
@@ -20,27 +21,39 @@ stdenv.mkDerivation { hydraPlatforms = []; }; + patches = [ + ./bincmake.patch + ]; src = fetchurl { - url = "https://launchpad.net/widelands/build18/build-18/+download/" - + "widelands-build18-src.tar.bz2"; - sha256 = "1qvx1cwkf61iwq0qkngvg460dsxqsfvk36qc7jf7mzwkiwbxkzvd"; + url = "https://launchpad.net/widelands/build${version}/build${version}/+download/" + + "widelands-build${version}-src.tar.bz2"; + sha256 = "19h1gina7k1ai2mn2fd75lxm8iz8wrs6dz6dchdvg8i8d39gj4g5"; }; preConfigure = '' cmakeFlags=" - -DWL_INSTALL_PREFIX=$out - -DWL_INSTALL_BINDIR=bin - -DWL_INSTALL_DATADIR=share/widelands + -DWL_INSTALL_BASEDIR=$out + -DWL_INSTALL_DATADIR=$out/share/widelands + -DWL_INSTALL_BINARY=$out/bin " ''; nativeBuildInputs = [ cmake python gettext ]; buildInputs = [ - boost libpng zlib glew lua - SDL SDL_image SDL_mixer SDL_net SDL_ttf SDL_gfx + boost libpng zlib glew lua doxygen icu + SDL2 SDL2_image SDL2_mixer SDL2_net SDL2_ttf ]; + prePatch = '' + substituteInPlace ./debian/widelands.desktop --replace "/usr/share/games/widelands/data/" "$out/share/widelands/" + ''; + + postInstall = '' + mkdir -p "$out/share/applications/" + cp -v "../debian/widelands.desktop" "$out/share/applications/" + ''; + enableParallelBuilding = true; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d3aadd14771..3ba672c477d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -16491,7 +16491,7 @@ with pkgs; wesnoth-dev = callPackage ../games/wesnoth/dev.nix { }; widelands = callPackage ../games/widelands { - lua = lua5_1; + lua = lua5_2; }; worldofgoo_demo = callPackage ../games/worldofgoo { From 448acd8e5e722bbd6396f6d069bf1b06993f72d0 Mon Sep 17 00:00:00 2001 
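Review bot: `doxygen` is a build-time tool and belongs in `nativeBuildInputs` beside cmake/python/gettext rather than in `buildInputs`, where it is treated as a host/runtime dependency and would be the wrong architecture in a cross build; i.e. `nativeBuildInputs = [ cmake python gettext doxygen ];` and `buildInputs = [ boost libpng zlib glew lua icu SDL2 SDL2_image SDL2_mixer SDL2_net SDL2_ttf ];`. The `cmakeFlags="..."` string built in `preConfigure` is unusual enough that a one-line why-comment would help the next reader, e.g. `# cmakeFlags is set in preConfigure because the values embed $out, which is only known at build time`. The `substituteInPlace ./debian/widelands.desktop` in prePatch presumably targets a path inside the release tarball; that cannot be confirmed from this hunk.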
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= Date: Tue, 14 Feb 2017 22:20:27 +0100 Subject: [PATCH 151/153] nixos: remove remaining reference to setuidPrograms The option doesn't exist anymore. --- nixos/modules/security/wrappers/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 9e4f3fdaa01..cdf7e5a1765 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - inherit (config.security) wrapperDir wrappers setuidPrograms; + inherit (config.security) wrapperDir wrappers; programs = (lib.mapAttrsToList From 34c1b74421f2c158dfb9f54c2855fd7b74ba1bc7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= Date: Tue, 14 Feb 2017 22:56:37 +0100 Subject: [PATCH 152/153] nixos/virtualbox: unbreak wrt. new security.wrappers The new option takes an attrset, not a list. --- nixos/modules/virtualisation/virtualbox-host.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index 501ed9bc683..bb0c38bd4eb 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix @@ -69,13 +69,14 @@ in environment.systemPackages = [ virtualbox ]; security.wrappers = let - mkSuid = program: {"${program}" = { + mkSuid = program: { source = "${virtualbox}/libexec/virtualbox/${program}"; owner = "root"; group = "vboxusers"; setuid = true; - };}; - in mkIf cfg.enableHardening (map mkSuid [ + }; + in mkIf cfg.enableHardening + (builtins.listToAttrs (map (x: { name = x; value = mkSuid x; }) [ "VBoxHeadless" "VBoxNetAdpCtl" "VBoxNetDHCP" @@ -83,7 +84,7 @@ in "VBoxSDL" "VBoxVolInfo" "VirtualBox" - ]); + ])); users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers; 
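Review bot: `builtins.listToAttrs (map (x: { name = x; value = mkSuid x; }) [ ... ])` is exactly what `lib.genAttrs` does, so `in mkIf cfg.enableHardening (lib.genAttrs [ "VBoxHeadless" "VBoxNetAdpCtl" ... ] mkSuid)` expresses the same attrset without the hand-built name/value pairs (lib is already a module argument here). Because every one of these wrappers is setuid root with `group = "vboxusers";`, mkSuid should also state the intended mode explicitly (e.g. `permissions = "u+rx,g+x";` if the wrappers submodule accepts that attribute) rather than rely on the wrapper module's default, which is not visible in this patch; if that default is world-executable the group restriction does nothing. The list of wrapped programs continues into the second hunk of this file.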
From b1bfe9d3db71de1aa9524ec76b188cfe4cd7dd3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= Date: Tue, 14 Feb 2017 22:58:11 +0100 Subject: [PATCH 153/153] nixos: hint about security.setuidOwners/Programs -> security.wrappers Let users know about the option rename / change during nixos-rebuild with a useful message instead of an error (with no way forward). --- nixos/modules/rename.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index e419474b3e3..ee68f8bff81 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -32,6 +32,9 @@ with lib; (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ]) + (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") + (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") + # Old Grub-related options. (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ]) (mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])