Merge 'master' into x-updates

This commit is contained in:
Vladimír Čunát 2014-04-19 13:16:57 +02:00
commit 4d39c5427d
1132 changed files with 24211 additions and 10569 deletions


@ -164,7 +164,7 @@ meta.hydraPlatforms = [];
<listitem><para>If set to <literal>true</literal>, the package is <listitem><para>If set to <literal>true</literal>, the package is
marked as “broken”, meaning that it wont show up in marked as “broken”, meaning that it wont show up in
<literal>nix-env -qa</literal>, and cannot be built or installed. <literal>nix-env -qa</literal>, and cannot be built or installed.
Sush packages should be removed from Nixpkgs eventually unless Such packages should be removed from Nixpkgs eventually unless
they are fixed.</para></listitem> they are fixed.</para></listitem>
</varlistentry> </varlistentry>


@ -71,7 +71,7 @@ $ git add pkgs/development/libraries/libfoo/default.nix</screen>
<listitem> <listitem>
<para>GNU Multiple Precision arithmetic library (GMP): <link <para>GNU Multiple Precision arithmetic library (GMP): <link
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/gmp/5.1.1.nix"><filename>pkgs/development/libraries/gmp/5.1.1.nix</filename></link>. xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/gmp/5.1.x.nix"><filename>pkgs/development/libraries/gmp/5.1.x.nix</filename></link>.
Also done by the generic builder, but has a dependency on Also done by the generic builder, but has a dependency on
<varname>m4</varname>.</para> <varname>m4</varname>.</para>
</listitem> </listitem>


@ -298,6 +298,13 @@ executed and in what order:
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><varname>preFixupPhases</varname></term>
<listitem>
<para>Additional phases executed just before the fixup phase.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><varname>preDistPhases</varname></term> <term><varname>preDistPhases</varname></term>
<listitem> <listitem>


@ -64,6 +64,12 @@
url = https://fedoraproject.org/wiki/Licensing/BSD; url = https://fedoraproject.org/wiki/Licensing/BSD;
}; };
cc-by-30 = {
shortName = "CC BY 3.0";
fullName = "Creative Commons Attribution 3.0";
url = http://creativecommons.org/licenses/by/3.0;
};
cddl = { cddl = {
shortName = "CDDL"; shortName = "CDDL";
fullName = "Common Development Distribution License "; fullName = "Common Development Distribution License ";


@ -226,4 +226,5 @@ in rec {
deepSeqList = xs: y: if any (x: deepSeq x false) xs then y else y; deepSeqList = xs: y: if any (x: deepSeq x false) xs then y else y;
crossLists = f: foldl (fs: args: concatMap (f: map f args) fs) [f]; crossLists = f: foldl (fs: args: concatMap (f: map f args) fs) [f];
} }


@ -28,7 +28,8 @@
coroa = "Jonas Hörsch <jonas@chaoflow.net>"; coroa = "Jonas Hörsch <jonas@chaoflow.net>";
edwtjo = "Edward Tjörnhammar <ed@cflags.cc>"; edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>"; eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
ertes = "Ertugrul Söylemez <es@ertes.de>"; emery = "Emery Hemingawy <emery@vfemail.net>";
ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
falsifian = "James Cook <james.cook@utoronto.ca>"; falsifian = "James Cook <james.cook@utoronto.ca>";
garbas = "Rok Garbas <rok@garbas.si>"; garbas = "Rok Garbas <rok@garbas.si>";
goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>"; goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
@ -38,6 +39,7 @@
iElectric = "Domen Kozar <domen@dev.si>"; iElectric = "Domen Kozar <domen@dev.si>";
iyzsong = "Song Wenwu <iyzsong@gmail.com>"; iyzsong = "Song Wenwu <iyzsong@gmail.com>";
jcumming = "Jack Cummings <jack@mudshark.org>"; jcumming = "Jack Cummings <jack@mudshark.org>";
jwiegley = "John Wiegley <johnw@newartisans.com>";
kkallio = "Karn Kallio <tierpluspluslists@gmail.com>"; kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>"; ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>";
lethalman = "Luca Bruno <lucabru@src.gnome.org>"; lethalman = "Luca Bruno <lucabru@src.gnome.org>";


@ -31,8 +31,7 @@ GetOptions("package|p=s" => \$filter,
"maintainer|m=s" => \$maintainer, "maintainer|m=s" => \$maintainer,
"file|f=s" => \$path, "file|f=s" => \$path,
"help" => sub { showHelp() } "help" => sub { showHelp() }
) ) or exit 1;
or die("syntax: $0 ...\n");
# Evaluate Nixpkgs into an XML representation. # Evaluate Nixpkgs into an XML representation.
my $xml = `nix-env -f '$path' -qa '$filter' --xml --meta --drv-path`; my $xml = `nix-env -f '$path' -qa '$filter' --xml --meta --drv-path`;
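Review bot: The new `) or exit 1;` on the GetOptions call drops the usage hint that the removed `die("syntax: $0 ...\n")` gave, so a caller passing a bad option now sees only Getopt::Long's own warning before the script exits; `) or do { showHelp(); exit 1 };` would keep the failure path consistent with the `--help` path (assuming showHelp does not itself exit — it is defined outside the hunk). On the unchanged line just below, `$path` and `$filter` are taken straight from the command line and interpolated into a backtick shell command, so a value containing a quote or other shell metacharacter breaks the command instead of being passed through as an argument. A list-form pipe open avoids the shell entirely: `open my $fh, '-|', 'nix-env', '-f', $path, '-qa', $filter, '--xml', '--meta', '--drv-path' or die "nix-env: $!";` followed by `my $xml = do { local $/; <$fh> };`. The GetOptions statement begins before the hunk.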


@ -237,7 +237,7 @@ postgresql.package = pkgs.postgresql90;
</section> </section>
<section><title>Abstractions</title> <section xml:id="sec-module-abstractions"><title>Abstractions</title>
<para>If you find yourself repeating yourself over and over, its time <para>If you find yourself repeating yourself over and over, its time
to abstract. Take, for instance, this Apache HTTP Server configuration: to abstract. Take, for instance, this Apache HTTP Server configuration:
@ -399,7 +399,7 @@ of an expression to be spliced into a string.</para>
</section> </section>
<section><title>Modularity</title> <section xml:id="sec-modularity"><title>Modularity</title>
<para>The NixOS configuration mechanism is modular. If your <para>The NixOS configuration mechanism is modular. If your
<filename>configuration.nix</filename> becomes too big, you can split <filename>configuration.nix</filename> becomes too big, you can split
@ -538,7 +538,7 @@ nix-repl> map (x: x.hostName) config.services.httpd.virtualHosts
</section> </section>
<section><title>Syntax summary</title> <section xml:id="sec-nix-syntax-summary"><title>Syntax summary</title>
<para>Below is a summary of the most important syntactic constructs in <para>Below is a summary of the most important syntactic constructs in
the Nix expression language. Its not complete. In particular, there the Nix expression language. Its not complete. In particular, there
@ -730,7 +730,7 @@ manual</link> for the rest.</para>
<!--===============================================================--> <!--===============================================================-->
<section><title>Package management</title> <section xml:id="sec-package-management"><title>Package management</title>
<para>This section describes how to add additional packages to your <para>This section describes how to add additional packages to your
system. NixOS has two distinct styles of package management: system. NixOS has two distinct styles of package management:
@ -1183,7 +1183,7 @@ fileSystems."/".device = "/dev/mapper/crypted";
<!--===============================================================--> <!--===============================================================-->
<section><title>X Window System</title> <section xml:id="sec-x11"><title>X Window System</title>
<para>The X Window System (X11) provides the basis of NixOS graphical <para>The X Window System (X11) provides the basis of NixOS graphical
user interface. It can be enabled as follows: user interface. It can be enabled as follows:
@ -1275,9 +1275,9 @@ services.xserver.synaptics.twoFingerScroll = true;
<!--===============================================================--> <!--===============================================================-->
<section><title>Networking</title> <section xml:id="sec-networking"><title>Networking</title>
<section><title>Secure shell access</title> <section xml:id="sec-ssh"><title>Secure shell access</title>
<para>Secure shell (SSH) access to your machine can be enabled by <para>Secure shell (SSH) access to your machine can be enabled by
setting: setting:
@ -1305,7 +1305,7 @@ users.extraUsers.alice.openssh.authorizedKeys.keys =
</section> </section>
<section><title>IPv4 configuration</title> <section xml:id="sec-ipv4"><title>IPv4 configuration</title>
<para>By default, NixOS uses DHCP (specifically, <para>By default, NixOS uses DHCP (specifically,
<command>dhcpcd</command>) to automatically configure network <command>dhcpcd</command>) to automatically configure network
@ -1348,7 +1348,7 @@ provide the host name.</para>
</section> </section>
<section><title>IPv6 configuration</title> <section xml:id="sec-ipv6"><title>IPv6 configuration</title>
<para>IPv6 is enabled by default. Stateless address autoconfiguration <para>IPv6 is enabled by default. Stateless address autoconfiguration
is used to automatically assign IPv6 addresses to all interfaces. You is used to automatically assign IPv6 addresses to all interfaces. You
@ -1363,17 +1363,19 @@ networking.enableIPv6 = false;
</section> </section>
<section><title>Firewall</title> <section xml:id="sec-firewall"><title>Firewall</title>
<para>NixOS has a simple stateful firewall that blocks incoming <para>NixOS has a simple stateful firewall that blocks incoming
connections and other unexpected packets. The firewall applies to connections and other unexpected packets. The firewall applies to
both IPv4 and IPv6 traffic. It can be enabled as follows: both IPv4 and IPv6 traffic. It is enabled by default. It can be
disabled as follows:
<programlisting> <programlisting>
networking.firewall.enable = true; networking.firewall.enable = false;
</programlisting> </programlisting>
You can open specific TCP ports to the outside world: If the firewall is enabled, you can open specific TCP ports to the
outside world:
<programlisting> <programlisting>
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -1395,7 +1397,7 @@ always allowed.)</para>
</section> </section>
<section><title>Wireless networks</title> <section xml:id="sec-wireless"><title>Wireless networks</title>
<para> <para>
NixOS will start wpa_supplicant for you if you enable this setting: NixOS will start wpa_supplicant for you if you enable this setting:
@ -1456,7 +1458,7 @@ networking.localCommands =
<!--===============================================================--> <!--===============================================================-->
<section><title>Linux kernel</title> <section xml:id="sec-kernel-config"><title>Linux kernel</title>
<para>You can override the Linux kernel and associated packages using <para>You can override the Linux kernel and associated packages using
the option <option>boot.kernelPackages</option>. For instance, this the option <option>boot.kernelPackages</option>. For instance, this


@ -0,0 +1,242 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="ch-containers">
<title>Containers</title>
<para>NixOS allows you to easily run other NixOS instances as
<emphasis>containers</emphasis>. Containers are a light-weight
approach to virtualisation that runs software in the container at the
same speed as in the host system. NixOS containers share the Nix store
of the host, making container creation very efficient.</para>
<warning><para>Currently, NixOS containers are not perfectly isolated
from the host system. This means that a user with root access to the
container can do things that affect the host. So you should not give
container root access to untrusted users.</para></warning>
<para>NixOS containers can be created in two ways: imperatively, using
the command <command>nixos-container</command>, and declaratively, by
specifying them in your <filename>configuration.nix</filename>. The
declarative approach implies that containers get upgraded along with
your host system when you run <command>nixos-rebuild</command>, which
is often not what you want. By contrast, in the imperative approach,
containers are configured and updated independently from the host
system.</para>
<section><title>Imperative container management</title>
<para>Well cover imperative container management using
<command>nixos-container</command> first. You create a container with
identifier <literal>foo</literal> as follows:
<screen>
$ nixos-container create foo
</screen>
This creates the containers root directory in
<filename>/var/lib/containers/foo</filename> and a small configuration
file in <filename>/etc/containers/foo.conf</filename>. It also builds
the containers initial system configuration and stores it in
<filename>/nix/var/nix/profiles/per-container/foo/system</filename>. You
can modify the initial configuration of the container on the command
line. For instance, to create a container that has
<command>sshd</command> running, with the given public key for
<literal>root</literal>:
<screen>
$ nixos-container create foo --config 'services.openssh.enable = true; \
users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'
</screen>
</para>
<para>Creating a container does not start it. To start the container,
run:
<screen>
$ nixos-container start foo
</screen>
This command will return as soon as the container has booted and has
reached <literal>multi-user.target</literal>. On the host, the
container runs within a systemd unit called
<literal>container@<replaceable>container-name</replaceable>.service</literal>.
Thus, if something went wrong, you can get status info using
<command>systemctl</command>:
<screen>
$ systemctl status container@foo
</screen>
</para>
<para>If the container has started succesfully, you can log in as
root using the <command>root-login</command> operation:
<screen>
$ nixos-container root-login foo
[root@foo:~]#
</screen>
Note that only root on the host can do this (since there is no
authentication). You can also get a regular login prompt using the
<command>login</command> operation, which is available to all users on
the host:
<screen>
$ nixos-container login foo
foo login: alice
Password: ***
</screen>
With <command>nixos-container run</command>, you can execute arbitrary
commands in the container:
<screen>
$ nixos-container run foo -- uname -a
Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
</screen>
</para>
<para>There are several ways to change the configuration of the
container. First, on the host, you can edit
<literal>/var/lib/container/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>,
and run
<screen>
$ nixos-container update foo
</screen>
This will build and activate the new configuration. You can also
specify a new configuration on the command line:
<screen>
$ nixos-container update foo --config 'services.httpd.enable = true; \
services.httpd.adminAddr = "foo@example.org";'
$ curl http://$(nixos-container show-ip foo)/
&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
</screen>
However, note that this will overwrite the containers
<filename>/etc/nixos/configuration.nix</filename>.</para>
<para>Alternatively, you can change the configuration from within the
container itself by running <command>nixos-rebuild switch</command>
inside the container. Note that the container by default does not have
a copy of the NixOS channel, so you should run <command>nix-channel
--update</command> first.</para>
<para>Containers can be stopped and started using
<literal>nixos-container stop</literal> and <literal>nixos-container
start</literal>, respectively, or by using
<command>systemctl</command> on the containers service unit. To
destroy a container, including its file system, do
<screen>
$ nixos-container destroy foo
</screen>
</para>
</section>
<section><title>Declarative container specification</title>
<para>You can also specify containers and their configuration in the
hosts <filename>configuration.nix</filename>. For example, the
following specifies that there shall be a container named
<literal>database</literal> running PostgreSQL:
<programlisting>
containers.database =
{ config =
{ config, pkgs, ... }:
{ services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql92;
};
};
</programlisting>
If you run <literal>nixos-rebuild switch</literal>, the container will
be built and started. If the container was already running, it will be
updated in place, without rebooting.</para>
<para>By default, declarative containers share the network namespace
of the host, meaning that they can listen on (privileged)
ports. However, they cannot change the network configuration. You can
give a container its own network as follows:
<programlisting>
containers.database =
{ privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
};
</programlisting>
This gives the container a private virtual Ethernet interface with IP
address <literal>192.168.100.11</literal>, which is hooked up to a
virtual Ethernet interface on the host with IP address
<literal>192.168.100.10</literal>. (See the next section for details
on container networking.)</para>
<para>To disable the container, just remove it from
<filename>configuration.nix</filename> and run <literal>nixos-rebuild
switch</literal>. Note that this will not delete the root directory of
the container in <literal>/var/lib/containers</literal>.</para>
</section>
<section><title>Networking</title>
<para>When you create a container using <literal>nixos-container
create</literal>, it gets it own private IPv4 address in the range
<literal>10.233.0.0/16</literal>. You can get the containers IPv4
address as follows:
<screen>
$ nixos-container show-ip foo
10.233.4.2
$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms
</screen>
</para>
<para>Networking is implemented using a pair of virtual Ethernet
devices. The network interface in the container is called
<literal>eth0</literal>, while the matching interface in the host is
called <literal>c-<replaceable>container-name</replaceable></literal>
(e.g., <literal>c-foo</literal>). The container has its own network
namespace and the <literal>CAP_NET_ADMIN</literal> capability, so it
can perform arbitrary network configuration such as setting up
firewall rules, without affecting or having access to the hosts
network.</para>
<para>By default, containers cannot talk to the outside network. If
you want that, you should set up Network Address Translation (NAT)
rules on the host to rewrite container traffic to use your external
IP address. This can be accomplished using the following configuration
on the host:
<programlisting>
networking.nat.enable = true;
networking.nat.internalInterfaces = ["c-+"];
networking.nat.externalInterface = "eth0";
</programlisting>
where <literal>eth0</literal> should be replaced with the desired
external interface. Note that <literal>c-+</literal> is a wildcard
that matches all container interfaces.</para>
</section>
</chapter>


@ -1,5 +1,6 @@
<chapter xmlns="http://docbook.org/ns/docbook" <chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="ch-development">
<title>Development</title> <title>Development</title>
@ -9,7 +10,7 @@ NixOS.</para>
<!--===============================================================--> <!--===============================================================-->
<section> <section xml:id="sec-getting-sources">
<title>Getting the sources</title> <title>Getting the sources</title>
@ -74,7 +75,7 @@ in <filename>nixos/</filename> as packages.</para>
<!--===============================================================--> <!--===============================================================-->
<section> <section xml:id="sec-writing-modules">
<title>Writing NixOS modules</title> <title>Writing NixOS modules</title>
@ -188,9 +189,9 @@ commands to be executed periodically by <command>cron</command>).</para>
<example xml:id='locate-example'><title>NixOS module for the “locate” service</title> <example xml:id='locate-example'><title>NixOS module for the “locate” service</title>
<programlisting> <programlisting>
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let locatedb = "/var/cache/locatedb"; in let locatedb = "/var/cache/locatedb"; in
@ -579,7 +580,7 @@ systemd.services.dhcpcd =
<!--===============================================================--> <!--===============================================================-->
<section> <section xml:id="sec-building-parts">
<title>Building specific parts of NixOS</title> <title>Building specific parts of NixOS</title>
@ -692,7 +693,7 @@ $ systemctl start tmp-httpd.service
<!--===============================================================--> <!--===============================================================-->
<section> <section xml:id="sec-building-cd">
<title>Building your own NixOS CD</title> <title>Building your own NixOS CD</title>
@ -748,57 +749,310 @@ $ ./result/bin/nixos-install</screen>
<!--===============================================================--> <!--===============================================================-->
<section><title>Whole-system testing using virtual machines</title> <section xml:id="sec-nixos-tests">
<para>Complete NixOS GNU/Linux systems can be tested in virtual <title>NixOS tests</title>
machines (VMs). This makes it possible to test a system upgrade or
configuration change before rebooting into it, using the
<command>nixos-rebuild build-vm</command> or <command>nixos-rebuild
build-vm-with-bootloader</command> command.</para>
<!-- The following is adapted from <para>When you add some feature to NixOS, you should write a test for
http://wiki.nixos.org/wiki/NixOS_VM_tests, by Eelco Dolstra. --> it. NixOS tests are kept in the directory <filename
<para>The <filename>tests/</filename> directory in the NixOS source xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/tests">nixos/tests</filename>,
tree contains several <emphasis>whole-system unit tests</emphasis>. and are executed (using Nix) by a testing framework that automatically
These tests can be run<footnote><para>NixOS tests can be run both from starts one or more virtual machines containing the NixOS system(s)
NixOS and from a non-NixOS GNU/Linux distribution, provided the Nix required for the test.</para>
package manager is installed.</para></footnote> from the NixOS source
tree as follows: <simplesect><title>Writing tests</title>
<para>A NixOS test is a Nix expression that has the following structure:
<programlisting>
import ./make-test.nix {
# Either the configuration of a single machine:
machine =
{ config, pkgs, ... }:
{ <replaceable>configuration…</replaceable>
};
# Or a set of machines:
nodes =
{ <replaceable>machine1</replaceable> =
{ config, pkgs, ... }: { <replaceable></replaceable> };
<replaceable>machine2</replaceable> =
{ config, pkgs, ... }: { <replaceable></replaceable> };
};
testScript =
''
<replaceable>Perl code…</replaceable>
'';
}
</programlisting>
The attribute <literal>testScript</literal> is a bit of Perl code that
executes the test (described below). During the test, it will start
one or more virtual machines, the configuration of which is described
by the attribute <literal>machine</literal> (if you need only one
machine in your test) or by the attribute <literal>nodes</literal> (if
you need multiple machines). For instance, <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/login.nix">login.nix</filename>
only needs a single machine to test whether users can log in on the
virtual console, whether device ownership is correctly maintained when
switching between consoles, and so on. On the other hand, <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nfs.nix">nfs.nix</filename>,
which tests NFS client and server functionality in the Linux kernel
(including whether locks are maintained across server crashes),
requires three machines: a server and two clients.</para>
<para>There are a few special NixOS configuration options for test
VMs:
<!-- FIXME: would be nice to generate this automatically. -->
<variablelist>
<varlistentry>
<term><option>virtualisation.memorySize</option></term>
<listitem><para>The memory of the VM in
megabytes.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>virtualisation.vlans</option></term>
<listitem><para>The virtual networks to which the VM is
connected. See <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nat.nix">nat.nix</filename>
for an example.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>virtualisation.writableStore</option></term>
<listitem><para>By default, the Nix store in the VM is not
writable. If you enable this option, a writable union file system
is mounted on top of the Nix store to make it appear
writable. This is necessary for tests that run Nix operations that
modify the store.</para></listitem>
</varlistentry>
</variablelist>
For more options, see the module <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix">qemu-vm.nix</filename>.</para>
<para>The test script is a sequence of Perl statements that perform
various actions, such as starting VMs, executing commands in the VMs,
and so on. Each virtual machine is represented as an object stored in
the variable <literal>$<replaceable>name</replaceable></literal>,
where <replaceable>name</replaceable> is the identifier of the machine
(which is just <literal>machine</literal> if you didnt specify
multiple machines using the <literal>nodes</literal> attribute). For
instance, the following starts the machine, waits until it has
finished booting, then executes a command and checks that the output
is more-or-less correct:
<programlisting>
$machine->start;
$machine->waitForUnit("default.target");
$machine->succeed("uname") =~ /Linux/;
</programlisting>
The first line is actually unnecessary; machines are implicitly
started when you first execute an action on them (such as
<literal>waitForUnit</literal> or <literal>succeed</literal>). If you
have multiple machines, you can speed up the test by starting them in
parallel:
<programlisting>
startAll;
</programlisting>
</para>
<para>The following methods are available on machine objects:
<variablelist>
<varlistentry>
<term><methodname>start</methodname></term>
<listitem><para>Start the virtual machine. This method is
asynchronous — it does not wait for the machine to finish
booting.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>shutdown</methodname></term>
<listitem><para>Shut down the machine, waiting for the VM to
exit.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>crash</methodname></term>
<listitem><para>Simulate a sudden power failure, by telling the VM
to exit immediately.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>block</methodname></term>
<listitem><para>Simulate unplugging the Ethernet cable that
connects the machine to the other machines.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>unblock</methodname></term>
<listitem><para>Undo the effect of
<methodname>block</methodname>.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>screenshot</methodname></term>
<listitem><para>Take a picture of the display of the virtual
machine, in PNG format. The screenshot is linked from the HTML
log.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>sendMonitorCommand</methodname></term>
<listitem><para>Send a command to the QEMU monitor. This is rarely
used, but allows doing stuff such as attaching virtual USB disks
to a running machine.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>sendKeys</methodname></term>
<listitem><para>Simulate pressing keys on the virtual keyboard,
e.g., <literal>sendKeys("ctrl-alt-delete")</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>sendChars</methodname></term>
<listitem><para>Simulate typing a sequence of characters on the
virtual keyboard, e.g., <literal>sendKeys("foobar\n")</literal>
will type the string <literal>foobar</literal> followed by the
Enter key.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>execute</methodname></term>
<listitem><para>Execute a shell command, returning a list
<literal>(<replaceable>status</replaceable>,
<replaceable>stdout</replaceable>)</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>succeed</methodname></term>
<listitem><para>Execute a shell command, raising an exception if
the exit status is not zero, otherwise returning the standard
output.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>fail</methodname></term>
<listitem><para>Like <methodname>succeed</methodname>, but raising
an exception if the command returns a zero status.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitUntilSucceeds</methodname></term>
<listitem><para>Repeat a shell command with 1-second intervals
until it succeeds.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitUntilFails</methodname></term>
<listitem><para>Repeat a shell command with 1-second intervals
until it fails.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForUnit</methodname></term>
<listitem><para>Wait until the specified systemd unit has reached
the “active” state.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForFile</methodname></term>
<listitem><para>Wait until the specified file
exists.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForOpenPort</methodname></term>
<listitem><para>Wait until a process is listening on the given TCP
port (on <literal>localhost</literal>, at least).</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForClosedPort</methodname></term>
<listitem><para>Wait until nobody is listening on the given TCP
port.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForX</methodname></term>
<listitem><para>Wait until the X11 server is accepting
connections.</para></listitem>
</varlistentry>
<varlistentry>
<term><methodname>waitForWindow</methodname></term>
<listitem><para>Wait until an X11 window has appeared whose name
matches the given regular expression, e.g.,
<literal>waitForWindow(qr/Terminal/)</literal>.</para></listitem>
</varlistentry>
</variablelist>
</para>
</simplesect>
<simplesect><title>Running tests</title>
<para>You can run tests using <command>nix-build</command>. For
example, to run the test <filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/login.nix">login.nix</filename>,
you just do:
<screen> <screen>
$ nix-build tests/ -A nfs.test $ nix-build '&lt;nixpkgs/nixos/tests/login.nix>'
</screen> </screen>
This performs an automated test of the NFS client and server or, if you dont want to rely on <envar>NIX_PATH</envar>:
functionality in the Linux kernel, including file locking semantics
(e.g., whether locks are maintained across server crashes). It will <screen>
first build or download all the dependencies of the test (e.g., all $ cd /my/nixpkgs/nixos/tests
packages needed to run a NixOS VM). The test is defined in <link $ nix-build login.nix
xlink:href="https://nixos.org/repos/nix/nixos/trunk/tests/nfs.nix">
<filename>tests/nfs.nix</filename></link>. If the test succeeds, running the VM test script
<command>nix-build</command> will place a symlink machine: QEMU running (pid 8841)
<filename>./result</filename> in the current directory pointing at the
location in the Nix store of the test results (e.g., screenshots, test 6 out of 6 tests succeeded
reports, and so on). In particular, a pretty-printed log of the test </screen>
is written to <filename>log.html</filename>, which can be viewed using
a web browser like this: After building/downloading all required dependencies, this will
perform a build that starts a QEMU/KVM virtual machine containing a
NixOS system. The virtual machine mounts the Nix store of the host;
this makes VM creation very fast, as no disk image needs to be
created. Afterwards, you can view a pretty-printed log of the test:
<screen> <screen>
$ firefox result/log.html $ firefox result/log.html
</screen> </screen>
</para> </para>
<para>It is also possible to run the test environment interactively, <para>It is also possible to run the test environment interactively,
allowing you to experiment with the VMs. For example: allowing you to experiment with the VMs. For example:
<screen> <screen>
$ nix-build tests/ -A nfs.driver $ nix-build login.nix -A driver
$ ./result/bin/nixos-run-vms $ ./result/bin/nixos-run-vms
</screen> </screen>
The script <command>nixos-run-vms</command> starts the three virtual The script <command>nixos-run-vms</command> starts the virtual
machines defined in the NFS test using QEMU/KVM. The root file system machines defined by test. The root file system of the VMs is created
of the VMs is created on the fly and kept across VM restarts in on the fly and kept across VM restarts in
<filename>./</filename><varname>hostname</varname><filename>.qcow2</filename>.</para> <filename>./</filename><varname>hostname</varname><filename>.qcow2</filename>.</para>
<para>Finally, the test itself can be run interactively. This is <para>Finally, the test itself can be run interactively. This is
@ -811,17 +1065,11 @@ starting VDE switch for network 1
&gt; &gt;
</screen> </screen>
Perl statements can now be typed in to start or manipulate the VMs: You can then take any Perl statement, e.g.
<screen> <screen>
&gt; startAll; &gt; startAll
(the VMs start booting) &gt; $machine->succeed("touch /tmp/foo")
&gt; $server-&gt;waitForJob("nfs-kernel-nfsd");
&gt; $client1-&gt;succeed("flock -x /data/lock -c 'sleep 100000' &amp;");
&gt; $client2-&gt;fail("flock -n -s /data/lock true");
&gt; $client1-&gt;shutdown;
(this releases client1's lock)
&gt; $client2-&gt;succeed("flock -n -s /data/lock true");
</screen> </screen>
The function <command>testScript</command> executes the entire test The function <command>testScript</command> executes the entire test
@ -829,54 +1077,7 @@ script and drops you back into the test driver command line upon its
completion. This allows you to inspect the state of the VMs after the completion. This allows you to inspect the state of the VMs after the
test (e.g. to debug the test script).</para> test (e.g. to debug the test script).</para>
<para>This and other tests are continuously run on <link </simplesect>
xlink:href="http://hydra.nixos.org/jobset/nixos/trunk">the Hydra
instance at <literal>nixos.org</literal></link>, which allows
developers to be notified of any regressions introduced by a NixOS or
Nixpkgs change.</para>
<para>The actual Nix programming interface to VM testing is in NixOS,
under <link
xlink:href="https://nixos.org/repos/nix/nixos/trunk/lib/testing.nix">
<filename>lib/testing.nix</filename></link>. This file defines a
function which takes an attribute set containing a
<literal>nixpkgs</literal> attribute (the path to a Nixpkgs checkout),
and a <literal>system</literal> attribute (the system type). It
returns an attribute set containing several utility functions, among
which the main entry point is <literal>makeTest</literal>.
</para>
<para>The <literal>makeTest</literal> function takes a function
similar to that found in <link
xlink:href="https://nixos.org/repos/nix/nixos/trunk/tests/nfs.nix">
<filename>tests/nfs.nix</filename></link> (discussed above). It
returns an attribute set containing (among others):
<variablelist>
<varlistentry>
<term><varname>test</varname></term>
<listitem><para>A derivation containing the test log as an HTML
file, as seen above, suitable for presentation in the Hydra
continuous build system.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>report</varname></term>
<listitem><para>A derivation containing a code coverage report, with
meta-data suitable for Hydra.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>driver</varname></term>
<listitem><para>A derivation containing scripts to run the VM test or
interact with the VM network interactively, as seen above.</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</section> </section>


@ -1,13 +1,13 @@
<chapter xmlns="http://docbook.org/ns/docbook" <chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="installing-nixos"> xml:id="ch-installation">
<title>Installing NixOS</title> <title>Installing NixOS</title>
<!--===============================================================--> <!--===============================================================-->
<section> <section xml:id="sec-obtaining">
<title>Obtaining NixOS</title> <title>Obtaining NixOS</title>
@ -51,7 +51,7 @@ running NixOS system through several other means:
<!--===============================================================--> <!--===============================================================-->
<section> <section xml:id="sec-installation">
<title>Installation</title> <title>Installation</title>
@ -339,7 +339,7 @@ changes:
<section> <section>
<title>Booting from a USB stick</title> <title xml:id="sec-booting-from-usb">Booting from a USB stick</title>
<para>For systems withoua CD drive, the NixOS livecd can be booted from <para>For systems withoua CD drive, the NixOS livecd can be booted from
a usb stick. For non-UEFI installations, a usb stick. For non-UEFI installations,


@ -54,12 +54,13 @@
<xi:include href="running.xml" /> <xi:include href="running.xml" />
<!-- <xi:include href="userconfiguration.xml" /> --> <!-- <xi:include href="userconfiguration.xml" /> -->
<xi:include href="troubleshooting.xml" /> <xi:include href="troubleshooting.xml" />
<xi:include href="containers.xml" />
<xi:include href="development.xml" /> <xi:include href="development.xml" />
<xi:include href="release-notes.xml" /> <xi:include href="release-notes.xml" />
<appendix xml:id="ch-options"> <appendix xml:id="ch-options">
<title>List of options</title> <title>Configuration options</title>
<xi:include href="options-db.xml" /> <xi:include href="options-db.xml" />
</appendix> </appendix>


@ -18,13 +18,12 @@
<variablelist> <variablelist>
<xsl:for-each select="attrs"> <xsl:for-each select="attrs">
<xsl:variable name="id" select="concat('opt-', str:replace(str:replace(str:replace(str:replace(attr[@name = 'name']/string/@value, '*', '_'), '&lt;', '_'), '>', '_'), '?', '_'))" />
<varlistentry> <varlistentry>
<term xml:id="{generate-id(attr[@name = 'name']/string/@value)}" xlink:href="#{generate-id(attr[@name = 'name']/string/@value)}"> <term xlink:href="#{$id}">
<xsl:attribute name="xml:id"><xsl:value-of select="$id"/></xsl:attribute>
<option> <option>
<xsl:for-each select="attr[@name = 'name']/string"> <xsl:value-of select="attr[@name = 'name']/string/@value" />
<xsl:value-of select="@value" />
<xsl:if test="position() != last()">.</xsl:if>
</xsl:for-each>
</option> </option>
</term> </term>
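Review bot: The new `$id` variable maps `*`, `<`, `>` and `?` all to `_`, so two option names that differ only in those characters (a constructed example: `foo.*.bar` and `foo.?.bar`) would produce the same `xml:id`, and duplicate ids fail DocBook validation rather than just mis-linking. Other characters that are invalid in an NCName but might occur in option names are not handled either, though which characters actually occur is not visible here. At minimum I'd record the assumption next to the variable with `<!-- assumes option names contain no NCName-invalid characters other than * < > ?, and that names differing only in those do not coexist -->`, so a validation failure later can be traced to this mapping.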


@ -5,9 +5,9 @@
<!--==================================================================--> <!--==================================================================-->
<section xml:id="sec-release-14.02"> <section xml:id="sec-release-14.04">
<title>Release 14.02 (“Baboon”, 2014/02/??)</title> <title>Release 14.04 (“Baboon”, 2014/04/??)</title>
<para>This is the second stable release branch of NixOS. The main <para>This is the second stable release branch of NixOS. The main
enhancements are the following: enhancements are the following:
@ -18,13 +18,9 @@ enhancements are the following:
<xref linkend="sec-uefi-installation"/> for <xref linkend="sec-uefi-installation"/> for
details.</para></listitem> details.</para></listitem>
<listitem><para>NixOS is now based on Glibc 2.18 and GCC <listitem><para>NixOS is now based on Glibc 2.19 and GCC
4.8.</para></listitem> 4.8.</para></listitem>
<listitem><para>The mysql55 service has been merged into the
mysql service, which no longer sets a default for the 'package
option.</para></listitem>
</itemizedlist> </itemizedlist>
</para> </para>
@ -34,10 +30,41 @@ following incompatible changes:
<itemizedlist> <itemizedlist>
<listitem><para>Nixpkgs no longer exposes unfree packages by
default. If your NixOS configuration requires unfree packages from
Nixpkgs, you need to enable support for them explicitly by setting:
<programlisting>
nixpkgs.config.allowUnfree = true;
</programlisting>
Otherwise, you get an error message such as:
<screen>
error: package nvidia-x11-331.49-3.12.17 in ‘…/nvidia-x11/default.nix:56
has an unfree license, refusing to evaluate
</screen>
</para></listitem>
<listitem><para>The firewall is now enabled by default. If you dont
want this, you need to disable it explicitly:
<programlisting>
networking.firewall.enable = false;
</programlisting>
</para></listitem>
<listitem><para>The option <listitem><para>The option
<option>boot.loader.grub.memtest86</option> has been renamed to <option>boot.loader.grub.memtest86</option> has been renamed to
<option>boot.loader.grub.memtest86.enable</option>.</para></listitem> <option>boot.loader.grub.memtest86.enable</option>.</para></listitem>
<listitem><para>The <literal>mysql55</literal> service has been
merged into the <literal>mysql</literal> service, which no longer
sets a default for the option
<option>services.mysql.package</option>.</para></listitem>
</itemizedlist> </itemizedlist>
</para> </para>


@ -11,7 +11,7 @@ service manager.</para>
<!--===============================================================--> <!--===============================================================-->
<section><title>Service management</title> <section xml:id="sec-systemctl"><title>Service management</title>
<para>In NixOS, all system services are started and monitored using <para>In NixOS, all system services are started and monitored using
the systemd program. Systemd is the “init” process of the system the systemd program. Systemd is the “init” process of the system
@ -92,7 +92,7 @@ necessary).</para>
<!--===============================================================--> <!--===============================================================-->
<section><title>Rebooting and shutting down</title> <section xml:id="sec-rebooting"><title>Rebooting and shutting down</title>
<para>The system can be shut down (and automatically powered off) by <para>The system can be shut down (and automatically powered off) by
doing: doing:
@ -134,7 +134,7 @@ authentication.</para>
<!--===============================================================--> <!--===============================================================-->
<section><title>User sessions</title> <section xml:id="sec-user-sessions"><title>User sessions</title>
<para>Systemd keeps track of all users who are logged into the system <para>Systemd keeps track of all users who are logged into the system
(e.g. on a virtual console or remotely via SSH). The command (e.g. on a virtual console or remotely via SSH). The command
@ -185,7 +185,7 @@ $ loginctl terminate-session c3
<!--===============================================================--> <!--===============================================================-->
<section><title>Control groups</title> <section xml:id="sec-cgroups"><title>Control groups</title>
<para>To keep track of the processes in a running system, systemd uses <para>To keep track of the processes in a running system, systemd uses
<emphasis>control groups</emphasis> (cgroups). A control group is a <emphasis>control groups</emphasis> (cgroups). A control group is a
@ -258,7 +258,7 @@ usage.</para>
<!--===============================================================--> <!--===============================================================-->
<section><title>Logging</title> <section xml:id="sec-logging"><title>Logging</title>
<para>System-wide logging is provided by systemds <para>System-wide logging is provided by systemds
<emphasis>journal</emphasis>, which subsumes traditional logging <emphasis>journal</emphasis>, which subsumes traditional logging
@ -308,7 +308,7 @@ groups. All users have a private journal that can be read using
<!--===============================================================--> <!--===============================================================-->
<section><title>Cleaning up the Nix store</title> <section xml:id="sec-nix-gc"><title>Cleaning up the Nix store</title>
<para>Nix has a purely functional model, meaning that packages are <para>Nix has a purely functional model, meaning that packages are
never upgraded in place. Instead new versions of packages end up in a never upgraded in place. Instead new versions of packages end up in a


@ -1,12 +1,13 @@
<chapter xmlns="http://docbook.org/ns/docbook" <chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="ch-troubleshooting">
<title>Troubleshooting</title> <title>Troubleshooting</title>
<!--===============================================================--> <!--===============================================================-->
<section><title>Boot problems</title> <section xml:id="sec-boot-problems"><title>Boot problems</title>
<para>If NixOS fails to boot, there are a number of kernel command <para>If NixOS fails to boot, there are a number of kernel command
line parameters that may help you to identify or fix the issue. You line parameters that may help you to identify or fix the issue. You
@ -69,7 +70,7 @@ unless something is very wrong.)</para>
<!--===============================================================--> <!--===============================================================-->
<section><title>Maintenance mode</title> <section xml:id="sec-maintenance-mode"><title>Maintenance mode</title>
<para>You can enter rescue mode by running: <para>You can enter rescue mode by running:
@ -85,7 +86,7 @@ just exit from the rescue shell.</para>
<!--===============================================================--> <!--===============================================================-->
<section><title>Rolling back configuration changes</title> <section xml:id="sec-rollback"><title>Rolling back configuration changes</title>
<para>After running <command>nixos-rebuild</command> to switch to a <para>After running <command>nixos-rebuild</command> to switch to a
new configuration, you may find that the new configuration doesnt new configuration, you may find that the new configuration doesnt
@ -131,7 +132,7 @@ lrwxrwxrwx 1 root root 78 Aug 12 13:54 /nix/var/nix/profiles/system-268-link ->
<!--===============================================================--> <!--===============================================================-->
<section><title>Nix store corruption</title> <section xml:id="sec-nix-store-corruption"><title>Nix store corruption</title>
<para>After a system crash, its possible for files in the Nix store <para>After a system crash, its possible for files in the Nix store
to become corrupted. (For instance, the Ext4 file system has the to become corrupted. (For instance, the Ext4 file system has the
@ -166,7 +167,7 @@ binary cache; otherwise, they cannot be repaired.</para>
<!--===============================================================--> <!--===============================================================-->
<section><title>Nix network issues</title> <section xml:id="sec-nix-network-issues"><title>Nix network issues</title>
<para>Nix uses a so-called <emphasis>binary cache</emphasis> to <para>Nix uses a so-called <emphasis>binary cache</emphasis> to
optimise building a package from source into downloading it as a optimise building a package from source into downloading it as a


@ -26,10 +26,15 @@ rec {
# These are the extra arguments passed to every module. In # These are the extra arguments passed to every module. In
# particular, Nixpkgs is passed through the "pkgs" argument. # particular, Nixpkgs is passed through the "pkgs" argument.
# FIXME: we enable config.allowUnfree to make packages like
# nvidia-x11 available. This isn't a problem because if the user has
# nixpkgs.config.allowUnfree = false, then evaluation will fail on
# the 64-bit package anyway. However, it would be cleaner to respect
# nixpkgs.config here.
extraArgs = extraArgs_ // { extraArgs = extraArgs_ // {
inherit pkgs modules baseModules; inherit pkgs modules baseModules;
modulesPath = ../modules; modulesPath = ../modules;
pkgs_i686 = import ./nixpkgs.nix { system = "i686-linux"; }; pkgs_i686 = import ./nixpkgs.nix { system = "i686-linux"; config.allowUnfree = true; };
utils = import ./utils.nix pkgs; utils = import ./utils.nix pkgs;
}; };
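Review bot: The new `config.allowUnfree = true;` is the only nixpkgs configuration passed to `pkgs_i686`, so the 32-bit package set ignores whatever the user put in `nixpkgs.config`, while the release notes in this same commit tell users that unfree packages are refused unless they opt in explicitly. The FIXME's justification holds only when every unfree i686 package is also reached through the 64-bit set, which nothing here enforces. If `config.nixpkgs.config` is reachable at this point without an evaluation cycle, passing `config = config.nixpkgs.config // { allowUnfree = true; };` would keep the user's other settings; otherwise I'd at least extend the FIXME with `# Note: nothing else from nixpkgs.config reaches pkgs_i686 either.`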


@ -147,7 +147,7 @@ sub runTests {
$log->nest("syncing", sub { $log->nest("syncing", sub {
foreach my $vm (values %vms) { foreach my $vm (values %vms) {
next unless $vm->isUp(); next unless $vm->isUp();
$vm->execute("sync /tmp/xchg"); $vm->execute("sync");
} }
}); });


@ -67,57 +67,55 @@ rec {
}; };
makeTest = testFun: complete (call testFun); makeTest =
makeTests = testsFun: lib.mapAttrs (name: complete) (call testsFun); { testScript, makeCoverageReport ? false, ... } @ t:
apply = makeTest; # compatibility let
call = f: f { inherit pkgs system; };
complete = { testScript, ... } @ t: t // rec { nodes = buildVirtualNetwork (
t.nodes or (if t ? machine then { machine = t.machine; } else { }));
nodes = buildVirtualNetwork ( testScript' =
t.nodes or (if t ? machine then { machine = t.machine; } else { })); # Call the test script with the computed nodes.
if builtins.isFunction testScript
then testScript { inherit nodes; }
else testScript;
testScript = vlans = map (m: m.config.virtualisation.vlans) (lib.attrValues nodes);
# Call the test script with the computed nodes.
if builtins.isFunction t.testScript
then t.testScript { inherit nodes; }
else t.testScript;
vlans = map (m: m.config.virtualisation.vlans) (lib.attrValues nodes); vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
vms = map (m: m.config.system.build.vm) (lib.attrValues nodes); # Generate onvenience wrappers for running the test driver
# interactively with the specified network, and for starting the
# VMs from the command line.
driver = runCommand "nixos-test-driver"
{ buildInputs = [ makeWrapper];
testScript = testScript';
preferLocalBuild = true;
}
''
mkdir -p $out/bin
echo "$testScript" > $out/test-script
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
wrapProgram $out/bin/nixos-test-driver \
--add-flags "$vms" \
--run "testScript=\"\$(cat $out/test-script)\"" \
--set testScript '"$testScript"' \
--set VLANS '"${toString vlans}"'
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
wrapProgram $out/bin/nixos-run-vms \
--add-flags "$vms" \
--set tests '"startAll; joinAll;"' \
--set VLANS '"${toString vlans}"' \
${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
''; # "
# Generate onvenience wrappers for running the test driver test = runTests driver;
# interactively with the specified network, and for starting the
# VMs from the command line.
driver = runCommand "nixos-test-driver"
{ buildInputs = [ makeWrapper];
inherit testScript;
preferLocalBuild = true;
}
''
mkdir -p $out/bin
echo "$testScript" > $out/test-script
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
wrapProgram $out/bin/nixos-test-driver \
--add-flags "$vms" \
--run "testScript=\"\$(cat $out/test-script)\"" \
--set testScript '"$testScript"' \
--set VLANS '"${toString vlans}"'
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
wrapProgram $out/bin/nixos-run-vms \
--add-flags "$vms" \
--set tests '"startAll; joinAll;"' \
--set VLANS '"${toString vlans}"' \
${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
''; # "
test = runTests driver; report = releaseTools.gcovReport { coverageRuns = [ test ]; };
report = releaseTools.gcovReport { coverageRuns = [ test ]; }; in (if makeCoverageReport then report else test) // { inherit driver test; };
};
runInMachine = runInMachine =
@ -147,7 +145,7 @@ rec {
exit $? exit $?
''; '';
testscript = '' testScript = ''
startAll; startAll;
$client->waitForUnit("multi-user.target"); $client->waitForUnit("multi-user.target");
${preBuild} ${preBuild}
@ -160,7 +158,7 @@ rec {
${coreutils}/bin/mkdir $out ${coreutils}/bin/mkdir $out
${coreutils}/bin/mkdir -p vm-state-client/xchg ${coreutils}/bin/mkdir -p vm-state-client/xchg
export > vm-state-client/xchg/saved-env export > vm-state-client/xchg/saved-env
export tests='${testscript}' export tests='${testScript}'
${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm ${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm
''; # */ ''; # */
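Review bot: The old-side `makeTests`, `apply = makeTest; # compatibility`, `call` and `complete` definitions appear to have no replacement on the new side, and `makeTest` now takes the test attribute set directly instead of a function of `{ pkgs, system }`, so a caller still written in the old form fails with a generic type error instead of a message naming the change. A comment in the `rec` set such as `# makeTest now takes the test attrset directly; the function form and makeTests/apply were removed.` would make the break discoverable, or a small shim could keep the old entry points for one release. The `report` attribute is also exported only when `makeCoverageReport` is set, which matches the documentation removed in this commit but is worth stating in the same comment. `runInMachine` and the enclosing `rec` set continue outside the hunks.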

View File

@ -0,0 +1,14 @@
#! /bin/sh -e
export NIX_PATH=nixpkgs=../../../..
export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/google-compute-image.nix
export TIMESTAMP=$(date +%Y%m%d%H%M)
nix-build '<nixpkgs/nixos>' \
-A config.system.build.googleComputeImage --argstr system x86_64-linux -o gce --option extra-binary-caches http://hydra.nixos.org -j 10
img=$(echo gce/*.tar.gz)
if ! gsutil ls gs://nixos/$(basename $img); then
gsutil cp $img gs://nixos/$(basename $img)
fi
gcutil addimage $(basename $img .raw.tar.gz | sed 's|\.|-|' | sed 's|_|-|') gs://nixos/$(basename $img)
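Review bot: `--option extra-binary-caches http://hydra.nixos.org` makes the image build substitute artifacts fetched over plain HTTP, so the published GCE image depends on inputs whose integrity in transit is not protected unless the cache is signed and the Nix in use enforces signatures; prefer an https URL if the cache serves one. Separately, `$img` and every `$(basename ...)` result are unquoted, and `sed 's|\.|-|'` (likewise `s|_|-|`) replaces only the first occurrence, so a version string with more than one dot still yields an image name containing dots; both substitutions need the `g` flag. The tail of the script with quoting and global substitution is below.
```shell
# … unchanged: exports and the nix-build invocation …
img=$(echo gce/*.tar.gz)
if ! gsutil ls "gs://nixos/$(basename "$img")"; then
    gsutil cp "$img" "gs://nixos/$(basename "$img")"
fi
gcutil addimage "$(basename "$img" .raw.tar.gz | sed -e 's|\.|-|g' -e 's|_|-|g')" "gs://nixos/$(basename "$img")"
```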


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
options = { options = {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
with pkgs; with pkgs;
let let


@ -1,8 +1,8 @@
# /etc files related to networking, such as /etc/services. # /etc files related to networking, such as /etc/services.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
options = { options = {


@ -1,8 +1,8 @@
# Configuration for the Name Service Switch (/etc/nsswitch.conf). # Configuration for the Name Service Switch (/etc/nsswitch.conf).
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
with pkgs; with pkgs;
let let


@ -1,9 +1,9 @@
# This module defines a global environment configuration and # This module defines a global environment configuration and
# a common configuration for all shells. # a common configuration for all shells.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, utils, ... }: { config, lib, pkgs, utils, ... }:
with pkgs.lib; with lib;
with utils; with utils;
{ {


@ -1,12 +1,12 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
sysctlOption = mkOptionType { sysctlOption = mkOptionType {
name = "sysctl option value"; name = "sysctl option value";
check = x: isBool x || isString x || isInt x; check = x: isBool x || isString x || isInt x || isNull x;
merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix. merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix.
}; };
@ -29,8 +29,9 @@ in
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl <manvolnum>8</manvolnum></citerefentry>. Note that sysctl
parameters names must be enclosed in quotes parameters names must be enclosed in quotes
(e.g. <literal>"vm.swappiness"</literal> instead of (e.g. <literal>"vm.swappiness"</literal> instead of
<literal>vm.swappiness</literal>). The value of each parameter <literal>vm.swappiness</literal>). The value of each
may be a string, integer or Boolean. parameter may be a string, integer, boolean, or null
(signifying the option will not appear at all).
''; '';
}; };
@ -39,7 +40,9 @@ in
config = { config = {
environment.etc."sysctl.d/nixos.conf".text = environment.etc."sysctl.d/nixos.conf".text =
concatStrings (mapAttrsToList (n: v: "${n}=${if v == false then "0" else toString v}\n") config.boot.kernel.sysctl); concatStrings (mapAttrsToList (n: v:
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
) config.boot.kernel.sysctl);
systemd.services.systemd-sysctl = systemd.services.systemd-sysctl =
{ description = "Apply Kernel Variables"; { description = "Apply Kernel Variables";
@ -65,8 +68,9 @@ in
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities. # users as these make it easier to exploit kernel vulnerabilities.
boot.kernel.sysctl."kernel.kptr_restrict" = 1; #
# Removed under grsecurity.
boot.kernel.sysctl."kernel.kptr_restrict" =
if config.security.grsecurity.enable then null else 1;
}; };
} }
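Review bot: The comment `# Removed under grsecurity.` above the new `boot.kernel.sysctl."kernel.kptr_restrict"` assignment does not say why the key must be omitted rather than set, so a later reader may be tempted to restore the hardening value under grsecurity too. I'd expand it to `# grsecurity kernels do not provide kernel.kptr_restrict, so the key is omitted (null) rather than set; writing it would fail in systemd-sysctl.` after confirming that the grsecurity patch set really drops this sysctl, since that behaviour is not shown here. The `null` case is reflected in the option description and in `optionalString (v != null)`, so any key a user sets to null is simply left at the kernel default.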


@ -1,9 +1,9 @@
# This module defines the packages that appear in # This module defines the packages that appear in
# /run/current-system/sw. # /run/current-system/sw.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
@ -46,6 +46,7 @@ let
pkgs.rsync pkgs.rsync
pkgs.strace pkgs.strace
pkgs.sysvtools pkgs.sysvtools
pkgs.su
pkgs.time pkgs.time
pkgs.usbutils pkgs.usbutils
pkgs.utillinux pkgs.utillinux
@ -134,6 +135,10 @@ in
if [ -x $out/bin/glib-compile-schemas -a -w $out/share/glib-2.0/schemas ]; then if [ -x $out/bin/glib-compile-schemas -a -w $out/share/glib-2.0/schemas ]; then
$out/bin/glib-compile-schemas $out/share/glib-2.0/schemas $out/bin/glib-compile-schemas $out/share/glib-2.0/schemas
fi fi
if [ -x $out/bin/update-desktop-database -a -w $out/share/applications ]; then
$out/bin/update-desktop-database $out/share/applications
fi
''; '';
}; };


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
options = { options = {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
# unixODBC drivers (this solution is not perfect.. Because the user has to # unixODBC drivers (this solution is not perfect.. Because the user has to
# ask the admin to add a driver.. but it's simple and works # ask the admin to add a driver.. but it's simple and works


@ -1,12 +1,15 @@
{pkgs, config, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
ids = config.ids; ids = config.ids;
cfg = config.users; cfg = config.users;
nonUidUsers = filterAttrs (n: u: u.createUser && u.uid == null) cfg.extraUsers;
nonGidGroups = filterAttrs (n: g: g.gid == null) cfg.extraGroups;
passwordDescription = '' passwordDescription = ''
The options <literal>hashedPassword</literal>, The options <literal>hashedPassword</literal>,
<literal>password</literal> and <literal>passwordFile</literal> <literal>password</literal> and <literal>passwordFile</literal>
@ -31,7 +34,10 @@ let
name = mkOption { name = mkOption {
type = types.str; type = types.str;
description = "The name of the user account. If undefined, the name of the attribute set will be used."; description = ''
The name of the user account. If undefined, the name of the
attribute set will be used.
'';
}; };
description = mkOption { description = mkOption {
@ -46,8 +52,14 @@ let
}; };
uid = mkOption { uid = mkOption {
type = with types; uniq int; type = with types; nullOr int;
description = "The account UID."; default = null;
description = ''
The account UID. If the <literal>mutableUsers</literal> option
is false, the UID cannot be null. Otherwise, the UID might be
null, in which case a free UID is picked on activation (by the
useradd command).
'';
}; };
group = mkOption { group = mkOption {
@ -151,12 +163,21 @@ let
name = mkOption { name = mkOption {
type = types.str; type = types.str;
description = "The name of the group. If undefined, the name of the attribute set will be used."; description = ''
The name of the group. If undefined, the name of the attribute set
will be used.
'';
}; };
gid = mkOption { gid = mkOption {
type = with types; uniq int; type = with types; nullOr int;
description = "The GID of the group."; default = null;
description = ''
The group GID. If the <literal>mutableUsers</literal> option
is false, the GID cannot be null. Otherwise, the GID might be
null, in which case a free GID is picked on activation (by the
groupadd command).
'';
}; };
members = mkOption { members = mkOption {
@ -218,13 +239,15 @@ let
groupFile = pkgs.writeText "group" ( groupFile = pkgs.writeText "group" (
concatStringsSep "\n" (map (g: mkGroupEntry g.name) ( concatStringsSep "\n" (map (g: mkGroupEntry g.name) (
sortOn "gid" (attrValues cfg.extraGroups) let f = g: g.gid != null; in
sortOn "gid" (filter f (attrValues cfg.extraGroups))
)) ))
); );
passwdFile = pkgs.writeText "passwd" ( passwdFile = pkgs.writeText "passwd" (
concatStringsSep "\n" (map (u: mkPasswdEntry u.name) ( concatStringsSep "\n" (map (u: mkPasswdEntry u.name) (
sortOn "uid" (filter (u: u.createUser) (attrValues cfg.extraUsers)) let f = u: u.createUser && (u.uid != null); in
sortOn "uid" (filter f (attrValues cfg.extraUsers))
)) ))
); );
@ -261,11 +284,11 @@ let
then builtins.trace "Duplicate ${idAttr} ${id}" { dup = true; acc = null; } then builtins.trace "Duplicate ${idAttr} ${id}" { dup = true; acc = null; }
else { dup = false; acc = newAcc; } else { dup = false; acc = newAcc; }
) { dup = false; acc = {}; } (builtins.attrNames set)).dup; ) { dup = false; acc = {}; } (builtins.attrNames set)).dup;
uidsAreUnique = idsAreUnique cfg.extraUsers "uid";
gidsAreUnique = idsAreUnique cfg.extraGroups "gid";
in
{ uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.extraUsers) "uid";
gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.extraGroups) "gid";
in {
###### interface ###### interface
@ -369,6 +392,7 @@ in
home = "/root"; home = "/root";
shell = cfg.defaultUserShell; shell = cfg.defaultUserShell;
group = "root"; group = "root";
extraGroups = [ "grsecurity" ];
hashedPassword = mkDefault config.security.initialRootPassword; hashedPassword = mkDefault config.security.initialRootPassword;
}; };
nobody = { nobody = {
@ -397,6 +421,7 @@ in
nixbld.gid = ids.gids.nixbld; nixbld.gid = ids.gids.nixbld;
utmp.gid = ids.gids.utmp; utmp.gid = ids.gids.utmp;
adm.gid = ids.gids.adm; adm.gid = ids.gids.adm;
grsecurity.gid = ids.gids.grsecurity;
}; };
system.activationScripts.users = system.activationScripts.users =
@ -424,16 +449,31 @@ in
} }
fi fi
''; '';
mkhome = n: u: mkhome = n: u: ''
let uid="$(id -u ${u.name})"
uid = toString u.uid; gid="$(id -g ${u.name})"
gid = toString ((getGroup u.group).gid); h="${u.home}"
h = u.home; test -a "$h" || mkdir -p "$h" || true
in '' test "$(stat -c %u "$h")" = $uid || chown $uid "$h" || true
test -a "${h}" || mkdir -p "${h}" || true test "$(stat -c %g "$h")" = $gid || chgrp $gid "$h" || true
test "$(stat -c %u "${h}")" = ${uid} || chown ${uid} "${h}" || true '';
test "$(stat -c %g "${h}")" = ${gid} || chgrp ${gid} "${h}" || true groupadd = n: g: ''
''; if [ -z "$(getent group "${g.name}")" ]; then
echo "Adding group ${g.name}"
${pkgs.shadow}/sbin/groupadd "${g.name}"
fi
'';
useradd = n: u: ''
if ! id "${u.name}" &>/dev/null; then
echo "Adding user ${u.name}"
${pkgs.shadow}/sbin/useradd \
-g "${u.group}" \
-s "${u.shell}" \
-d "${u.home}" \
"${u.name}"
echo "${u.name}:x" | ${pkgs.shadow}/sbin/chpasswd -e
fi
'';
in stringAfter [ "etc" ] '' in stringAfter [ "etc" ] ''
touch /etc/group touch /etc/group
touch /etc/passwd touch /etc/passwd
@ -441,6 +481,8 @@ in
VISUAL=${merger passwdFile} ${pkgs.shadow}/sbin/vipw &>/dev/null VISUAL=${merger passwdFile} ${pkgs.shadow}/sbin/vipw &>/dev/null
${pkgs.shadow}/sbin/grpconv ${pkgs.shadow}/sbin/grpconv
${pkgs.shadow}/sbin/pwconv ${pkgs.shadow}/sbin/pwconv
${concatStrings (mapAttrsToList groupadd nonGidGroups)}
${concatStrings (mapAttrsToList useradd nonUidUsers)}
${concatStrings (mapAttrsToList mkhome mkhomeUsers)} ${concatStrings (mapAttrsToList mkhome mkhomeUsers)}
${concatStrings (mapAttrsToList setpw setpwUsers)} ${concatStrings (mapAttrsToList setpw setpwUsers)}
''; '';
@ -448,7 +490,17 @@ in
# for backwards compatibility # for backwards compatibility
system.activationScripts.groups = stringAfter [ "users" ] ""; system.activationScripts.groups = stringAfter [ "users" ] "";
assertions = [ { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique); message = "uids and gids must be unique!"; } ]; assertions = [
{ assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
message = "uids and gids must be unique!";
}
{ assertion = cfg.mutableUsers || (nonUidUsers == {});
message = "When mutableUsers is false, no uid can be null";
}
{ assertion = cfg.mutableUsers || (nonGidGroups == {});
message = "When mutableUsers is false, no gid can be null";
}
];
}; };


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let kernelVersion = config.boot.kernelPackages.kernel.version; in let kernelVersion = config.boot.kernelPackages.kernel.version; in


@ -39,8 +39,7 @@ in {
default = false; default = false;
description = '' description = ''
Make S3TC(S3 Texture Compression) via libtxc_dxtn available Make S3TC(S3 Texture Compression) via libtxc_dxtn available
to OpenGL drivers. It is essential for many games to work to OpenGL drivers instead of the patent-free S2TC replacement.
with FOSS GPU drivers.
Using this library may require a patent license depending on your location. Using this library may require a patent license depending on your location.
''; '';
@ -89,17 +88,25 @@ in {
else if elem "ati_unfree" cfg.videoDrivers then else if elem "ati_unfree" cfg.videoDrivers then
"ln -sf ${kernelPackages.ati_drivers_x11} /run/opengl-driver" "ln -sf ${kernelPackages.ati_drivers_x11} /run/opengl-driver"
else else
let
lib_fun = p: p.buildEnv {
name = "mesa-drivers+txc-${p.mesa_drivers.version}";
paths = [
p.mesa_drivers
p.mesa_noglu # mainly for libGL
(if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
];
};
in
'' ''
${optionalString cfg.driSupport "ln -sf ${pkgs.mesa_drivers} /run/opengl-driver"} ${optionalString cfg.driSupport "ln -sf ${lib_fun pkgs} /run/opengl-driver"}
${optionalString cfg.driSupport32Bit ${optionalString cfg.driSupport32Bit
"ln -sf ${pkgs_i686.mesa_drivers} /run/opengl-driver-32"} "ln -sf ${lib_fun pkgs_i686} /run/opengl-driver-32"}
'' ''
); );
environment.variables.LD_LIBRARY_PATH = environment.variables.LD_LIBRARY_PATH =
[ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ] [ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ];
++ optional cfg.s3tcSupport "${pkgs.libtxc_dxtn}/lib"
++ optional (cfg.s3tcSupport && cfg.driSupport32Bit) "${pkgs_i686.libtxc_dxtn}/lib";
boot.extraModulePackages = boot.extraModulePackages =
optional (elem "nvidia" cfg.videoDrivers) kernelPackages.nvidia_x11 ++ optional (elem "nvidia" cfg.videoDrivers) kernelPackages.nvidia_x11 ++
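Review bot: The helper introduced in the `else` branch is named `lib_fun`, which says nothing about what it builds; since the environment it produces becomes the symlink target for /run/opengl-driver, a name such as `mesaDriverEnv` plus a one-line comment would make the branch self-explanatory, e.g. `# Merge the Mesa DRI drivers, libGL and the selected S3TC implementation into one tree so a single symlink covers all of them.` The comment also explains why it is a function of the package set: the same environment is built once for `pkgs` and once for `pkgs_i686`. The attribute this sits in starts before the hunk and continues past it.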


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,7 +1,7 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
let kernel = config.boot.kernelPackages; in let kernel = config.boot.kernelPackages; in
with pkgs.lib; with lib;
{ {


@ -1,9 +1,9 @@
# Provide an initial copy of the NixOS channel so that the user # Provide an initial copy of the NixOS channel so that the user
# doesn't need to run "nix-channel --update" first. # doesn't need to run "nix-channel --update" first.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
@ -28,7 +28,7 @@ in
{ {
# Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required # Provide the NixOS/Nixpkgs sources in /etc/nixos. This is required
# for nixos-install. # for nixos-install.
boot.postBootCommands = boot.postBootCommands = mkAfter
'' ''
if ! [ -e /var/lib/nixos/did-channel-init ]; then if ! [ -e /var/lib/nixos/did-channel-init ]; then
echo "unpacking the NixOS/Nixpkgs sources..." echo "unpacking the NixOS/Nixpkgs sources..."


@ -1,9 +1,9 @@
# This module contains the basic configuration for building a NixOS # This module contains the basic configuration for building a NixOS
# installation CD. # installation CD.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
imports = imports =
@ -29,8 +29,9 @@ with pkgs.lib;
boot.kernel.sysctl."vm.overcommit_memory" = "1"; boot.kernel.sysctl."vm.overcommit_memory" = "1";
# To speed up installation a little bit, include the complete stdenv # To speed up installation a little bit, include the complete stdenv
# in the Nix store on the CD. # in the Nix store on the CD. Archive::Cpio is needed for the
isoImage.storeContents = [ pkgs.stdenv pkgs.busybox ]; # initrd builder.
isoImage.storeContents = [ pkgs.stdenv pkgs.busybox pkgs.perlPackages.ArchiveCpio ];
# EFI booting # EFI booting
isoImage.makeEfiBootable = true; isoImage.makeEfiBootable = true;


@ -1,9 +1,9 @@
# This module defines a NixOS installation CD that contains X11 and # This module defines a NixOS installation CD that contains X11 and
# KDE 4. # KDE 4.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
imports = [ ./installation-cd-base.nix ../../profiles/graphical.nix ]; imports = [ ./installation-cd-base.nix ../../profiles/graphical.nix ];


@ -2,9 +2,9 @@
# configuration. The derivation for the ISO image will be placed in # configuration. The derivation for the ISO image will be placed in
# config.system.build.isoImage. # config.system.build.isoImage.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,9 +1,9 @@
# This module contains the basic configuration for building a NixOS # This module contains the basic configuration for building a NixOS
# tarball, that can directly boot, maybe using PXE or unpacking on a fs. # tarball, that can directly boot, maybe using PXE or unpacking on a fs.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,9 +1,9 @@
# This module contains the basic configuration for building a NixOS # This module contains the basic configuration for building a NixOS
# tarball for the sheevaplug. # tarball for the sheevaplug.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -2,9 +2,9 @@
# configuration. The derivation for the ISO image will be placed in # configuration. The derivation for the ISO image will be placed in
# config.system.build.tarball. # config.system.build.tarball.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,8 +1,8 @@
# List all devices which are detected by nixos-hardware-scan. # List all devices which are detected by nixos-hardware-scan.
# Common devices are enabled by default. # Common devices are enabled by default.
{config, pkgs, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
config = mkDefault { config = mkDefault {


@ -1,8 +1,8 @@
# List all devices which are _not_ detected by nixos-hardware-scan. # List all devices which are _not_ detected by nixos-hardware-scan.
# Common devices are enabled by default. # Common devices are enabled by default.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;


@ -1,9 +1,9 @@
# This module generates the nixos-checkout script, which replaces the # This module generates the nixos-checkout script, which replaces the
# Nixpkgs source trees in /etc/nixos/nixpkgs with a Git checkout. # Nixpkgs source trees in /etc/nixos/nixpkgs with a Git checkout.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -96,9 +96,9 @@ my $videoDriver;
sub pciCheck { sub pciCheck {
my $path = shift; my $path = shift;
my $vendor = read_file "$path/vendor"; my $vendor = read_file "$path/vendor"; chomp $vendor;
my $device = read_file "$path/device"; my $device = read_file "$path/device"; chomp $device;
my $class = read_file "$path/class"; my $class = read_file "$path/class"; chomp $class;
my $module; my $module;
if (-e "$path/driver/module") { if (-e "$path/driver/module") {
@ -130,6 +130,7 @@ sub pciCheck {
# broadcom STA driver (wl.ko) # broadcom STA driver (wl.ko)
# list taken from http://www.broadcom.com/docs/linux_sta/README.txt # list taken from http://www.broadcom.com/docs/linux_sta/README.txt
# FIXME: still needed?
if ($vendor eq "0x14e4" && if ($vendor eq "0x14e4" &&
($device eq "0x4311" || $device eq "0x4312" || $device eq "0x4313" || ($device eq "0x4311" || $device eq "0x4312" || $device eq "0x4313" ||
$device eq "0x4315" || $device eq "0x4327" || $device eq "0x4328" || $device eq "0x4315" || $device eq "0x4327" || $device eq "0x4328" ||
@ -156,6 +157,7 @@ sub pciCheck {
# Assume that all NVIDIA cards are supported by the NVIDIA driver. # Assume that all NVIDIA cards are supported by the NVIDIA driver.
# There may be exceptions (e.g. old cards). # There may be exceptions (e.g. old cards).
# FIXME: do we want to enable an unfree driver here?
$videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/; $videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/;
} }
@ -170,9 +172,9 @@ push @attrs, "hardware.opengl.videoDrivers = [ \"$videoDriver\" ];" if $videoDri
sub usbCheck { sub usbCheck {
my $path = shift; my $path = shift;
my $class = read_file "$path/bInterfaceClass"; my $class = read_file "$path/bInterfaceClass"; chomp $class;
my $subclass = read_file "$path/bInterfaceSubClass"; my $subclass = read_file "$path/bInterfaceSubClass"; chomp $subclass;
my $protocol = read_file "$path/bInterfaceProtocol"; my $protocol = read_file "$path/bInterfaceProtocol"; chomp $protocol;
my $module; my $module;
if (-e "$path/driver/module") { if (-e "$path/driver/module") {
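Review bot: The `read_file ...; chomp $x;` pairs now appear six times across pciCheck (first hunk) and usbCheck (last hunk), which is the kind of repetition a small helper removes: `sub read_sysfs { my $v = read_file(shift); chomp $v; return $v }`, or, if `read_file` here is File::Slurp's, `read_file("$path/vendor", chomp => 1)`. Either form keeps the behaviour the hunk adds, stripping the trailing newline that would otherwise defeat the `eq` comparisons against the vendor and device IDs. The `FIXME: do we want to enable an unfree driver here?` line is better resolved than shipped as a comment, since the scan result is written into the generated configuration. Both subs continue outside their hunks.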


@ -1,4 +1,6 @@
#! @shell@ -e #! @shell@
set -e
showSyntax() { showSyntax() {
exec man nixos-rebuild exec man nixos-rebuild
@ -7,6 +9,7 @@ showSyntax() {
# Parse the command line. # Parse the command line.
origArgs=("$@")
extraBuildFlags=() extraBuildFlags=()
action= action=
buildNix=1 buildNix=1
@ -76,8 +79,30 @@ done
if [ -z "$action" ]; then showSyntax; fi if [ -z "$action" ]; then showSyntax; fi
if [ -n "$rollback" ]; then # Only run shell scripts from the Nixpkgs tree if the action is
buildNix= # "switch", "boot", or "test". With other actions (such as "build"),
# the user may reasonably expect that no code from the Nixpkgs tree is
# executed, so it's safe to run nixos-rebuild against a potentially
# untrusted tree.
canRun=
if [ "$action" = switch -o "$action" = boot -o "$action" = test ]; then
canRun=1
fi
# If --upgrade is given, run nix-channel --update nixos.
if [ -n "$upgrade" -a -z "$_NIXOS_REBUILD_REEXEC" ]; then
nix-channel --update nixos
fi
# Re-execute nixos-rebuild from the Nixpkgs tree.
if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
if p=$(nix-instantiate --find-file nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh "${extraBuildFlags[@]}"); then
export _NIXOS_REBUILD_REEXEC=1
exec $SHELL -e $p "${origArgs[@]}"
exit 1
fi
fi fi
@ -98,20 +123,33 @@ if [ -z "$repair" ] && systemctl show nix-daemon.socket nix-daemon.service | gre
fi fi
# If --upgrade is given, run nix-channel --update nixos. # First build Nix, since NixOS may require a newer version than the
if [ -n "$upgrade" ]; then # current one.
nix-channel --update nixos if [ -n "$rollback" -o "$action" = dry-run ]; then
buildNix=
fi fi
if [ -n "$buildNix" ]; then
# First build Nix, since NixOS may require a newer version than the
# current one. Of course, the same goes for Nixpkgs, but Nixpkgs is
# more conservative.
if [ "$action" != dry-run -a -n "$buildNix" ]; then
echo "building Nix..." >&2 echo "building Nix..." >&2
if ! nix-build '<nixpkgs/nixos>' -A config.nix.package -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then if ! nix-build '<nixpkgs/nixos>' -A config.nix.package -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
if ! nix-build '<nixpkgs/nixos>' -A nixFallback -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then if ! nix-build '<nixpkgs/nixos>' -A nixFallback -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
nix-build '<nixpkgs>' -A nixUnstable -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null if ! nix-build '<nixpkgs>' -A nix -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
machine="$(uname -m)"
if [ "$machine" = x86_64 ]; then
nixStorePath=/nix/store/d34q3q2zj9nriq4ifhn3dnnngqvinjb3-nix-1.7
elif [[ "$machine" =~ i.86 ]]; then
nixStorePath=/nix/store/qlah0darpcn6sf3lr2226rl04l1gn4xz-nix-1.7
else
echo "$0: unsupported platform"
exit 1
fi
if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
--option extra-binary-caches http://cache.nixos.org/; then
echo "warning: don't know how to get latest Nix" >&2
fi
# Older version of nix-store -r don't support --add-root.
[ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
fi
fi fi
fi fi
PATH=$tmpDir/nix/bin:$PATH PATH=$tmpDir/nix/bin:$PATH
@ -120,10 +158,12 @@ fi
# Update the version suffix if we're building from Git (so that # Update the version suffix if we're building from Git (so that
# nixos-version shows something useful). # nixos-version shows something useful).
if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then if [ -n "$canRun" ]; then
suffix=$(@shell@ $nixpkgs/nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}" || true) if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then
if [ -n "$suffix" ]; then suffix=$($SHELL $nixpkgs/nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}" || true)
echo -n "$suffix" > "$nixpkgs/.version-suffix" || true if [ -n "$suffix" ]; then
echo -n "$suffix" > "$nixpkgs/.version-suffix" || true
fi
fi fi
fi fi
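Review bot: The re-exec `exec $SHELL -e $p "${origArgs[@]}"` (and `suffix=$($SHELL $nixpkgs/...)` in the last hunk) runs a script written for `@shell@` under the user's login shell; `$SHELL` may be unset in non-login contexts or be fish/csh, in which case the re-executed script fails in ways that look unrelated to nixos-rebuild. Keep the interpreter the first hunk's shebang already names, `exec @shell@ -e "$p" "${origArgs[@]}"` and `suffix=$(@shell@ "$nixpkgs/nixos/modules/installer/tools/get-version-suffix" "${extraBuildFlags[@]}" || true)`, quoting `$p` and the path while at it. In the Nix 1.7 fallback, `--option extra-binary-caches http://cache.nixos.org/` fetches the Nix binary over plain HTTP; unless this Nix version verifies cache signatures, that download is only as trustworthy as the network path, so prefer the https URL if the cache serves one. The script continues outside the hunks.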


@ -80,9 +80,9 @@ in
/* /*
options = { options = {
installer.enableGraphicalTools = pkgs.lib.mkOption { installer.enableGraphicalTools = mkOption {
default = false; default = false;
type = with pkgs.lib.types; bool; type = types.bool;
example = true; example = true;
description = '' description = ''
Enable the installation of graphical tools. Enable the installation of graphical tools.


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
imports = imports =


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ pkgs, ... }: { lib, ... }:
with pkgs.lib; with lib;
{ {
options = { options = {


@ -1,6 +1,6 @@
{pkgs, config, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
crashdump = config.boot.crashDump; crashdump = config.boot.crashDump;


@ -123,6 +123,14 @@
ngircd = 112; ngircd = 112;
btsync = 113; btsync = 113;
minecraft = 114; minecraft = 114;
monetdb = 115;
rippled = 116;
murmur = 117;
foundationdb = 118;
newrelic = 119;
starbound = 120;
hydra = 122;
spiped = 123;
# When adding a uid, make sure it doesn't match an existing gid. # When adding a uid, make sure it doesn't match an existing gid.
@ -221,6 +229,13 @@
jenkins = 109; jenkins = 109;
systemd-journal-gateway = 110; systemd-journal-gateway = 110;
notbit = 111; notbit = 111;
monetdb = 115;
foundationdb = 118;
newrelic = 119;
starbound = 120;
grsecurity = 121;
hydra = 122;
spiped = 123;
# When adding a gid, make sure it doesn't match an existing uid. # When adding a gid, make sure it doesn't match an existing uid.


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
isConfig = x: isConfig = x:


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -62,6 +62,7 @@
./security/apparmor-suid.nix ./security/apparmor-suid.nix
./security/ca.nix ./security/ca.nix
./security/duosec.nix ./security/duosec.nix
./security/grsecurity.nix
./security/pam.nix ./security/pam.nix
./security/pam_usb.nix ./security/pam_usb.nix
./security/polkit.nix ./security/polkit.nix
@ -95,6 +96,16 @@
./services/databases/openldap.nix ./services/databases/openldap.nix
./services/databases/postgresql.nix ./services/databases/postgresql.nix
./services/databases/virtuoso.nix ./services/databases/virtuoso.nix
./services/databases/monetdb.nix
./services/desktops/accountservice.nix
./services/desktops/gnome3/at-spi2-core.nix
./services/desktops/gnome3/evolution-data-server.nix
./services/desktops/gnome3/gnome-keyring.nix
./services/desktops/gnome3/gnome-online-accounts.nix
./services/desktops/gnome3/gnome-user-share.nix
./services/desktops/gnome3/sushi.nix
./services/desktops/gnome3/tracker.nix
./services/desktops/telepathy.nix
./services/games/ghost-one.nix ./services/games/ghost-one.nix
./services/games/minecraft-server.nix ./services/games/minecraft-server.nix
./services/hardware/acpid.nix ./services/hardware/acpid.nix
@ -132,6 +143,7 @@
./services/misc/nix-gc.nix ./services/misc/nix-gc.nix
./services/misc/nix-ssh-serve.nix ./services/misc/nix-ssh-serve.nix
./services/misc/nixos-manual.nix ./services/misc/nixos-manual.nix
./services/misc/rippled.nix
./services/misc/rogue.nix ./services/misc/rogue.nix
./services/misc/svnserve.nix ./services/misc/svnserve.nix
./services/misc/synergy.nix ./services/misc/synergy.nix
@ -151,12 +163,14 @@
./services/network-filesystems/drbd.nix ./services/network-filesystems/drbd.nix
./services/network-filesystems/nfsd.nix ./services/network-filesystems/nfsd.nix
./services/network-filesystems/openafs-client/default.nix ./services/network-filesystems/openafs-client/default.nix
./services/network-filesystems/rsyncd.nix
./services/network-filesystems/samba.nix ./services/network-filesystems/samba.nix
./services/networking/amuled.nix ./services/networking/amuled.nix
./services/networking/avahi-daemon.nix ./services/networking/avahi-daemon.nix
./services/networking/bind.nix ./services/networking/bind.nix
./services/networking/bitlbee.nix ./services/networking/bitlbee.nix
./services/networking/btsync.nix ./services/networking/btsync.nix
./services/networking/cjdns.nix
./services/networking/connman.nix ./services/networking/connman.nix
./services/networking/cntlm.nix ./services/networking/cntlm.nix
./services/networking/chrony.nix ./services/networking/chrony.nix
@ -180,6 +194,7 @@
./services/networking/ircd-hybrid/default.nix ./services/networking/ircd-hybrid/default.nix
./services/networking/kippo.nix ./services/networking/kippo.nix
./services/networking/minidlna.nix ./services/networking/minidlna.nix
./services/networking/murmur.nix
./services/networking/nat.nix ./services/networking/nat.nix
./services/networking/networkmanager.nix ./services/networking/networkmanager.nix
./services/networking/ngircd.nix ./services/networking/ngircd.nix
@ -197,7 +212,9 @@
./services/networking/rpcbind.nix ./services/networking/rpcbind.nix
./services/networking/sabnzbd.nix ./services/networking/sabnzbd.nix
./services/networking/searx.nix ./services/networking/searx.nix
./services/networking/spiped.nix
./services/networking/supybot.nix ./services/networking/supybot.nix
./services/networking/syncthing.nix
./services/networking/ssh/lshd.nix ./services/networking/ssh/lshd.nix
./services/networking/ssh/sshd.nix ./services/networking/ssh/sshd.nix
./services/networking/tftpd.nix ./services/networking/tftpd.nix
@ -297,6 +314,7 @@
./tasks/scsi-link-power-management.nix ./tasks/scsi-link-power-management.nix
./tasks/swraid.nix ./tasks/swraid.nix
./testing/service-runner.nix ./testing/service-runner.nix
./virtualisation/container-config.nix
./virtualisation/containers.nix ./virtualisation/containers.nix
./virtualisation/libvirtd.nix ./virtualisation/libvirtd.nix
#./virtualisation/nova.nix #./virtualisation/nova.nix


@ -1,6 +1,6 @@
{ config, pkgs, modules, ... }: { config, lib, pkgs, modules, ... }:
with pkgs.lib; with lib;
let let


@ -1,9 +1,9 @@
# Common configuration for headless machines (e.g., Amazon EC2 # Common configuration for headless machines (e.g., Amazon EC2
# instances). # instances).
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
sound.enable = false; sound.enable = false;


@ -1,7 +1,7 @@
# Provide a basic configuration for installation devices like CDs. # Provide a basic configuration for installation devices like CDs.
{ config, pkgs, modules, ... }: { config, lib, ... }:
with pkgs.lib; with lib;
{ {
imports = imports =
@ -45,7 +45,7 @@ with pkgs.lib;
# Enable wpa_supplicant, but don't start it by default. # Enable wpa_supplicant, but don't start it by default.
networking.wireless.enable = true; networking.wireless.enable = true;
jobs.wpa_supplicant.startOn = pkgs.lib.mkOverride 50 ""; jobs.wpa_supplicant.startOn = mkOverride 50 "";
# Tell the Nix evaluator to garbage collect more aggressively. # Tell the Nix evaluator to garbage collect more aggressively.
# This is desirable in memory-constrained environments that don't # This is desirable in memory-constrained environments that don't


@ -1,8 +1,8 @@
# Global configuration for atop. # Global configuration for atop.
{config, pkgs, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let cfg = config.programs.atop; let cfg = config.programs.atop;


@ -1,9 +1,9 @@
# This module defines global configuration for the Bash shell, in # This module defines global configuration for the Bash shell, in
# particular /etc/bashrc and /etc/profile. # particular /etc/bashrc and /etc/profile.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -3,9 +3,9 @@
# SQLite database that maps program names to Nix package names (e.g., # SQLite database that maps program names to Nix package names (e.g.,
# "pdflatex" is mapped to "tetex"). # "pdflatex" is mapped to "tetex").
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -2,9 +2,9 @@
# Most of the stuff here should probably be moved elsewhere sometime. # Most of the stuff here should probably be moved elsewhere sometime.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,8 +1,8 @@
# Configuration for the pwdutils suite of tools: passwd, useradd, etc. # Configuration for the pwdutils suite of tools: passwd, useradd, etc.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,8 +1,8 @@
# This module defines a standard configuration for NixOS shells. # This module defines a standard configuration for NixOS shells.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,8 +1,8 @@
# Global configuration for the SSH client. # Global configuration for the SSH client.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let cfg = config.programs.ssh; let cfg = config.programs.ssh;
cfgd = config.services.openssh; cfgd = config.services.openssh;
@ -31,7 +31,7 @@ in
setXAuthLocation = mkOption { setXAuthLocation = mkOption {
type = types.bool; type = types.bool;
default = true; default = config.services.xserver.enable;
description = '' description = ''
Whether to set the path to <command>xauth</command> for X11-forwarded connections. Whether to set the path to <command>xauth</command> for X11-forwarded connections.
This causes a dependency on X11 packages. This causes a dependency on X11 packages.
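Review bot: The description at the end of the hunk still reads as if `setXAuthLocation` had a fixed `true` default, while the default now tracks `services.xserver.enable`; add a sentence such as `Defaults to the value of <option>services.xserver.enable</option>, so headless systems do not pull in X11 packages.` so that readers of the manual understand why the value differs between systems. The option's attribute set continues outside the hunk.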


@ -3,9 +3,9 @@
# directly to an SMTP server defined in its configuration file, wihout # directly to an SMTP server defined in its configuration file, wihout
# queueing mail locally. # queueing mail locally.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{config, pkgs, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
cfg = config.services.venus; cfg = config.services.venus;


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let virtualbox = config.boot.kernelPackages.virtualbox; in let virtualbox = config.boot.kernelPackages.virtualbox; in


@ -1,8 +1,8 @@
# Global configuration for wvdial. # Global configuration for wvdial.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,8 +1,8 @@
# This module defines global configuration for the zshell. # This module defines global configuration for the zshell.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, options, ... }: { config, lib, options, ... }:
with pkgs.lib; with lib;
let let


@ -1,8 +1,8 @@
{pkgs, config, ...}: { config, lib, pkgs, ... }:
let let
cfg = config.security.apparmor; cfg = config.security.apparmor;
in in
with pkgs.lib; with lib;
{ {
options.security.apparmor.confineSUIDApplications = mkOption { options.security.apparmor.confineSUIDApplications = mkOption {


@ -1,55 +1,39 @@
{pkgs, config, ...}: { config, lib, pkgs, ... }:
with lib;
let let
cfg = config.security.apparmor; cfg = config.security.apparmor;
in in
with pkgs.lib;
{ {
###### interface
options = { options = {
security.apparmor = { security.apparmor = {
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = "Enable the AppArmor Mandatory Access Control system.";
Enable AppArmor application security system. Enable only if
you want to further improve AppArmor.
'';
}; };
profiles = mkOption { profiles = mkOption {
type = types.listOf types.path; type = types.listOf types.path;
default = []; default = [];
description = '' description = "List of files containing AppArmor profiles.";
List of file names of AppArmor profiles.
'';
}; };
}; };
}; };
config = mkIf cfg.enable {
###### implementation assertions =
[ { assertion = config.boot.kernelPackages.kernel.features ? apparmor
config = mkIf (cfg.enable) { && config.boot.kernelPackages.kernel.features.apparmor;
message = "Your selected kernel does not have AppArmor support";
assertions = [ { assertion = config.boot.kernelPackages.kernel.features ? apparmor }
&& config.boot.kernelPackages.kernel.features.apparmor; ];
message = "AppArmor is enabled, but the kernel doesn't have AppArmor support"; }
];
environment.systemPackages = [ pkgs.apparmor ]; environment.systemPackages = [ pkgs.apparmor ];
systemd.services.apparmor = { systemd.services.apparmor = {
#wantedBy = [ "basic.target" ];
wantedBy = [ "local-fs.target" ]; wantedBy = [ "local-fs.target" ];
path = [ pkgs.apparmor ]; path = [ pkgs.apparmor ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@ -61,9 +45,6 @@ with pkgs.lib;
''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; '' ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
) cfg.profiles; ) cfg.profiles;
}; };
}; };
}; };
} }


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
cfg = config.security.duosec; cfg = config.security.duosec;


@ -0,0 +1,443 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.grsecurity;
mkKernel = kernel: patch:
assert patch.kversion == kernel.version;
{ inherit kernel patch;
inherit (patch) grversion revision;
};
stable-patch = with pkgs.kernelPatches;
if cfg.vserver then grsecurity_vserver else grsecurity_stable;
stableKernel = mkKernel pkgs.linux_3_2 stable-patch;
testKernel = mkKernel pkgs.linux_3_13 pkgs.kernelPatches.grsecurity_unstable;
## -- grsecurity configuration -----------------------------------------------
grsecPrioCfg =
if cfg.config.priority == "security" then
"GRKERNSEC_CONFIG_PRIORITY_SECURITY y"
else
"GRKERNSEC_CONFIG_PRIORITY_PERF y";
grsecSystemCfg =
if cfg.config.system == "desktop" then
"GRKERNSEC_CONFIG_DESKTOP y"
else
"GRKERNSEC_CONFIG_SERVER y";
grsecVirtCfg =
if cfg.config.virtualisationConfig == "none" then
"GRKERNSEC_CONFIG_VIRT_NONE y"
else if cfg.config.virtualisationConfig == "host" then
"GRKERNSEC_CONFIG_VIRT_HOST y"
else
"GRKERNSEC_CONFIG_VIRT_GUEST y";
grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else
if cfg.config.hardwareVirtualisation == true then
"GRKERNSEC_CONFIG_VIRT_EPT y"
else
"GRKERNSEC_CONFIG_VIRT_SOFT y";
grsecVirtswCfg =
let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
in
if cfg.config.virtualisationConfig == "none" then ""
else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
else virtCfg "VIRTUALBOX";
grsecMainConfig = if cfg.config.mode == "custom" then "" else ''
GRKERNSEC_CONFIG_AUTO y
${grsecPrioCfg}
${grsecSystemCfg}
${grsecVirtCfg}
${grsecHwvirtCfg}
${grsecVirtswCfg}
'';
grsecConfig =
let boolToKernOpt = b: if b then "y" else "n";
# Disable RANDSTRUCT under virtualbox, as it has some kind of
# breakage with the vbox guest drivers
randstruct = optionalString config.services.virtualbox.enable
"GRKERNSEC_RANDSTRUCT n";
# Disable restricting links under the testing kernel, as something
# has changed causing it to fail miserably during boot.
restrictLinks = optionalString cfg.testing
"GRKERNSEC_LINK n";
in ''
SECURITY_APPARMOR y
DEFAULT_SECURITY_APPARMOR y
GRKERNSEC y
${grsecMainConfig}
${if cfg.config.restrictProc then
"GRKERNSEC_PROC_USER y"
else
optionalString cfg.config.restrictProcWithGroup ''
GRKERNSEC_PROC_USERGROUP y
GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
''
}
GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
${randstruct}
${restrictLinks}
${cfg.config.kernelExtraConfig}
'';
## -- grsecurity kernel packages ---------------------------------------------
localver = grkern:
"-grsec" + optionalString cfg.config.verboseVersion
"-${grkern.grversion}-${grkern.revision}";
grsecurityOverrider = args: grkern: {
# Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins)
# include libgmp headers, so we need these extra tweaks
buildInputs = args.buildInputs ++ [ pkgs.gmp ];
preConfigure = ''
${args.preConfigure or ""}
sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh
sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
rm localversion-grsec
echo ${localver grkern} > localversion-grsec
'';
};
mkGrsecPkg = grkern:
let kernelPkg = lowPrio (overrideDerivation (grkern.kernel.override (args: {
kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
argsOverride = {
modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
};
extraConfig = grsecConfig;
})) (args: grsecurityOverrider args grkern));
in pkgs.linuxPackagesFor kernelPkg (mkGrsecPkg grkern);
grsecPackage = mkGrsecPkg (if cfg.stable then stableKernel else testKernel);
in
{
options = {
security.grsecurity = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable grsecurity support. This enables advanced exploit
hardening for the Linux kernel, and adds support for
administrative Role-Based Acess Control (RBAC) via
<literal>gradm</literal>. It also includes traditional
utilities for PaX.
'';
};
stable = mkOption {
type = types.bool;
default = false;
description = ''
Enable the stable grsecurity patch, based on Linux 3.2.
'';
};
vserver = mkOption {
type = types.bool;
default = false;
description = ''
Enable the stable grsecurity/vserver patches, based on Linux 3.2.
'';
};
testing = mkOption {
type = types.bool;
default = false;
description = ''
Enable the testing grsecurity patch, based on Linux 3.13.
'';
};
config = {
mode = mkOption {
type = types.str;
default = "auto";
example = "custom";
description = ''
grsecurity configuration mode. This specifies whether
grsecurity is auto-configured or otherwise completely
manually configured. Can either by
<literal>custom</literal> or <literal>auto</literal>.
<literal>auto</literal> is recommended.
'';
};
priority = mkOption {
type = types.str;
default = "security";
example = "performance";
description = ''
grsecurity configuration priority. This specifies whether
the kernel configuration should emphasize speed or
security. Can either by <literal>security</literal> or
<literal>performance</literal>.
'';
};
system = mkOption {
type = types.str;
default = "";
example = "desktop";
description = ''
grsecurity system configuration. This specifies whether
the kernel configuration should be suitable for a Desktop
or a Server. Can either by <literal>server</literal> or
<literal>desktop</literal>.
'';
};
virtualisationConfig = mkOption {
type = types.str;
default = "none";
example = "host";
description = ''
grsecurity virtualisation configuration. This specifies
the virtualisation role of the machine - that is, whether
it will be a virtual machine guest, a virtual machine
host, or neither. Can be one of <literal>none</literal>,
<literal>host</literal>, or <literal>guest</literal>.
'';
};
hardwareVirtualisation = mkOption {
type = types.nullOr types.bool;
default = null;
example = true;
description = ''
grsecurity hardware virtualisation configuration. Set to
<literal>true</literal> if your machine supports hardware
accelerated virtualisation.
'';
};
virtualisationSoftware = mkOption {
type = types.str;
default = "";
example = "kvm";
description = ''
grsecurity virtualisation software. Set this to the
specified virtual machine technology if the machine is
running as a guest, or a host.
Can be one of <literal>kvm</literal>,
<literal>xen</literal>, <literal>vmware</literal> or
<literal>virtualbox</literal>.
'';
};
sysctl = mkOption {
type = types.bool;
default = false;
description = ''
If true, then set <literal>GRKERN_SYSCTL y</literal>. If
enabled then grsecurity can be controlled using sysctl
(and turned off). You are advised to *never* enable this,
but if you do, make sure to always set the sysctl
<literal>kernel.grsecurity.grsec_lock</literal> to
non-zero as soon as all sysctl options are set. *THIS IS
EXTREMELY IMPORTANT*!
If disabled, this also turns off the
<literal>systemd-sysctl</literal> service.
'';
};
denyChrootChmod = mkOption {
type = types.bool;
default = false;
description = ''
If true, then set <literal>GRKERN_CHROOT_CHMOD
y</literal>. If enabled, this denies processes inside a
chroot from setting the suid or sgid bits using
<literal>chmod</literal> or <literal>fchmod</literal>.
By default this protection is disabled - it makes it
impossible to use Nix to build software on your system,
which is what most users want.
If you are using NixOps to deploy your software to a
remote machine, you're encouraged to enable this as you
won't need to compile code.
'';
};
restrictProc = mkOption {
type = types.bool;
default = false;
description = ''
If true, then set <literal>GRKERN_PROC_USER
y</literal>. This restricts non-root users to only viewing
their own processes and restricts network-related
information, kernel symbols, and module information.
'';
};
restrictProcWithGroup = mkOption {
type = types.bool;
default = true;
description = ''
If true, then set <literal>GRKERN_PROC_USERGROUP
y</literal>. This is similar to
<literal>restrictProc</literal> except it allows a special
group (specified by <literal>unrestrictProcGid</literal>)
to still access otherwise classified information in
<literal>/proc</literal>.
'';
};
unrestrictProcGid = mkOption {
type = types.int;
default = config.ids.gids.grsecurity;
description = ''
If set, specifies a GID which is exempt from
<literal>/proc</literal> restrictions (set by
<literal>GRKERN_PROC_USERGROUP</literal>). By default,
this is set to the GID for <literal>grsecurity</literal>,
a predefined NixOS group, which the
<literal>root</literal> account is a member of. You may
conveniently add other users to this group if you need
access to <literal>/proc</literal>
'';
};
disableRBAC = mkOption {
type = types.bool;
default = false;
description = ''
If true, then set <literal>GRKERN_NO_RBAC
y</literal>. This disables the
<literal>/dev/grsec</literal> device, which in turn
disables the RBAC system (and <literal>gradm</literal>).
'';
};
verboseVersion = mkOption {
type = types.bool;
default = false;
description = "Use verbose version in kernel localversion.";
};
kernelExtraConfig = mkOption {
type = types.str;
default = "";
description = "Extra kernel configuration parameters.";
};
};
};
};
config = mkIf cfg.enable {
assertions =
[ { assertion = cfg.stable || cfg.testing;
message = ''
If grsecurity is enabled, you must select either the
stable patch (with kernel 3.2), or the testing patch (with
kernel 3.13) to continue.
'';
}
{ assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable);
message = ''
You must select either the stable or testing patch, not
both.
'';
}
{ assertion = (cfg.testing -> !cfg.vserver);
message = "The vserver patches are only supported in the stable kernel.";
}
{ assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
(cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
message = "You cannot enable both restrictProc and restrictProcWithGroup";
}
{ assertion = config.boot.kernelPackages.kernel.features ? grsecurity
&& config.boot.kernelPackages.kernel.features.grsecurity;
message = "grsecurity enabled, but kernel doesn't have grsec support";
}
{ assertion = elem cfg.config.mode [ "auto" "custom" ];
message = "grsecurity mode must either be 'auto' or 'custom'.";
}
{ assertion = cfg.config.mode == "auto" -> elem cfg.config.system [ "desktop" "server" ];
message = "when using auto grsec mode, system must be either 'desktop' or 'server'";
}
{ assertion = cfg.config.mode == "auto" -> elem cfg.config.priority [ "performance" "security" ];
message = "when using auto grsec mode, priority must be 'performance' or 'security'.";
}
{ assertion = cfg.config.mode == "auto" -> elem cfg.config.virtualisationConfig [ "host" "guest" "none" ];
message = "when using auto grsec mode, 'virt' must be 'host', 'guest' or 'none'.";
}
{ assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
cfg.config.hardwareVirtualisation != null;
message = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
}
{ assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
elem cfg.config.virtualisationSoftware [ "kvm" "xen" "virtualbox" "vmware" ];
message = "virtualisation software must be 'kvm', 'xen', 'vmware' or 'virtualbox'";
}
];
systemd.services.grsec-lock = mkIf cfg.config.sysctl {
description = "grsecurity sysctl-lock Service";
requires = [ "sysctl.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = "yes";
script = ''
locked=`cat /proc/sys/kernel/grsecurity/grsec_lock`
if [ "$locked" == "0" ]; then
echo 1 > /proc/sys/kernel/grsecurity/grsec_lock
echo grsecurity sysctl lock - enabled
else
echo grsecurity sysctl lock already enabled - doing nothing
fi
'';
};
# systemd.services.grsec-learn = {
# description = "grsecurity learning Service";
# wantedBy = [ "local-fs.target" ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = "yes";
# ExecStart = "${pkgs.gradm}/sbin/gradm -VFL /etc/grsec/learning.logs";
# ExecStop = "${pkgs.gradm}/sbin/gradm -D";
# };
# };
system.activationScripts.grsec =
''
mkdir -p /etc/grsec
if [ ! -f /etc/grsec/learn_config ]; then
cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
fi
if [ ! -f /etc/grsec/policy ]; then
cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
fi
chmod -R 0600 /etc/grsec
'';
# Enable apparmor support, gradm udev rules, and utilities
security.apparmor.enable = true;
boot.kernelPackages = grsecPackage;
services.udev.packages = [ pkgs.gradm ];
environment.systemPackages = [ pkgs.gradm pkgs.paxctl pkgs.pax-utils ];
};
}


@ -1,9 +1,9 @@
# This module provides configuration for the PAM (Pluggable # This module provides configuration for the PAM (Pluggable
# Authentication Modules) system. # Authentication Modules) system.
{config, pkgs, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{config, pkgs, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let


@ -1,6 +1,6 @@
{config, pkgs, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
cfg = config.services.prey; cfg = config.services.prey;


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {
options = { options = {


@ -1,9 +1,9 @@
# A module for rtkit, a DBus system service that hands out realtime # A module for rtkit, a DBus system service that hands out realtime
# scheduling priority to processes that ask for it. # scheduling priority to processes that ask for it.
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
{ {


@ -1,6 +1,6 @@
{pkgs, config, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
@ -46,6 +46,7 @@ in
group = "postdrop"; group = "postdrop";
setuid = false; setuid = false;
setgid = true; setgid = true;
permissions = "u+rx,g+x,o+x";
} }
]; ];
description = '' description = ''
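Review bot: The added `permissions = "u+rx,g+x,o+x";` on the postdrop entry carries no comment explaining why the read bit is withheld from group and other while the owner keeps it. If this mode is applied to the setgid wrapper, a one-line comment such as `# execute-only for group/other: the setgid wrapper does not need to be readable` would record the intent for the next maintainer. The enclosing attribute set and the list it sits in begin outside the hunk, and from the hunk alone it is not clear whether this is an example value or the effective configuration, so the mode string should be checked against whatever consumes it.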


@ -1,6 +1,6 @@
{pkgs, config, ...}: { config, lib, pkgs, ... }:
with pkgs.lib; with lib;
let let
