Updating from trunk (to catch cron changes)

I had some merge problems with the system-tarball; I hope I've resolved them. svn path=/nixos/branches/stdenv-updates/; revision=24201
2010-10-10 11:46:57 +00:00 · 2010-10-10 11:46:57 +00:00 · 51d0ccdf3c
commit 51d0ccdf3c
parent 7eb7abdfd2 79ded36abf
83 changed files with 2605 additions and 1194 deletions
--- a/default.nix
+++ b/default.nix
@ -11,11 +11,22 @@ let
  inherit (eval) config pkgs;
  # This is for `nixos-rebuild build-vm'.
  vmConfig = (import ./lib/eval-config.nix {
    inherit system;
    modules = [ configuration ./modules/virtualisation/qemu-vm.nix ];
  }).config;
  # This is for `nixos-rebuild build-vm-with-bootloader'.
  vmWithBootLoaderConfig = (import ./lib/eval-config.nix {
    inherit system;
    modules =
      [ configuration
        ./modules/virtualisation/qemu-vm.nix
        { virtualisation.useBootLoader = true; }
      ];
  }).config;
 in
 {
@ -25,6 +36,8 @@ in
  vm = vmConfig.system.build.vm;
  vmWithBootLoader = vmWithBootLoaderConfig.system.build.vm;
  # The following are used by nixos-rebuild.
  nixFallback = pkgs.nixUnstable;
  manifests = config.installer.manifests;
--- a/doc/manual/installation.xml
+++ b/doc/manual/installation.xml
@ -38,24 +38,14 @@ $ nix-channel --update</screen>
  xlink:href="https://svn.nixos.org/repos/nix/nixos/trunk"/> as
  <literal>nixos</literal>.</para></listitem>
-  <listitem><para>If you don’t already have Nixpkgs checkout, Check
+  <listitem><para>Check out Nixpkgs from
-  out Nixpkgs from <link
+  <link xlink:href="https://svn.nixos.org/repos/nix/nixos/trunk"/> as
  xlink:href="https://svn.nixos.org/repos/nix/nixos/trunk"/> as
  <literal>nixpkgs</literal>.</para></listitem>
  <listitem><para>In the directory <literal>nixos</literal>, make a
  symbolic link <literal>pkgs</literal> to the <literal>pkgs</literal>
  directory of the Nixpkgs tree, e.g.,
 <screen>
 $ ln -s nixpkgs/pkgs nixos/</screen>
  </para></listitem>
  <listitem><para>Build the ISO image:
 <screen>
-$ nix-build configuration/rescue-cd.nix -A rescueCD</screen>
+$ nix-build ./nixos/release.nix -A iso_minimal.iso</screen>
  If everything goes well, you’ll end up with an ISO image in
  <filename>./result/iso/nixos-<replaceable>version</replaceable>-<replaceable>platform</replaceable>.iso</filename>
@ -89,8 +79,8 @@ $ nix-build configuration/rescue-cd.nix -A rescueCD</screen>
  server on your network.  Otherwise configure
  manually.</para></listitem>
-  <listitem><para>The NixOS manual is available on virtual console 7
+  <listitem><para>The NixOS manual is available on virtual console 8
-  (press Alt+F7 to access).</para></listitem>
+  (press Alt+F8 to access).</para></listitem>
  <listitem><para>Login as <literal>root</literal>, empty
  password.</para></listitem>
@ -138,43 +128,37 @@ $ lvcreate --size 1G --name smalldisk MyVolGroup</screen>
  </para></listitem>
  <listitem><para>Mount the target file system on
-  <filename>/mnt</filename>.</para></listitem>
+  <filename>/mnt</filename> on which NixOS would be installed.</para>
  </listitem>
  <listitem>
-    <para>The installation is declarative; you need to write a
+    <para>Generate a template configuration for the target system:</para>
    description of the configuration that you want to be built and
    activated.  The configuration is specified in a Nix expression and
    must be stored <emphasis>on the target file system</emphasis> in
    <filename>/mnt/etc/nixos/configuration.nix</filename>.  See
    <filename>/etc/nixos/nixos/doc/config-examples</filename> for
    example machine configurations.  You can copy and edit one of
    those (e.g., copy
    <filename>/etc/nixos/nixos/doc/config-examples/basic.nix</filename>
    to <filename>/mnt/etc/nixos/configuration.nix</filename>).  See
    <xref linkend="ch-options"/> for a list of the available
    configuration options.  The text editors <command>nano</command>
    and <command>vim</command> are available.</para>
-    <para>In particular you need to specify a root file system in
+    <para>The command <command>nixos-option</command> can
    <option>fileSystems</option> and the target device for the Grub
    boot loader in <option>boot.grubDevice</option>.</para>
    <para>The command <command>nixos-hardware-scan</command> can
    generate an initial configuration file for you, i.e.,
 <screen>
-$ mkdir -p /mnt/etc/nixos
+$ nixos-option --install</screen>
 $ nixos-hardware-scan > /mnt/etc/nixos/configuration.nix</screen>
    It tries to figure out the modules necessary for mounting the root
    device, as well as various other hardware characteristics.
    However, it doesn’t try to figure out the 
    <option>fileSystems</option> option yet.</para>
-    <para>More examples of NixOS configurations for some actual
+    <para>Edit <filename>/mnt/etc/nixos/configuration.nix</filename> to
-    machines can be found at <link
+    configure your system.  The installation is declarative; you need to
-    xlink:href="https://svn.nixos.org/repos/nix/configurations/trunk/"/>.</para>
+    write a description of the configuration that you want to be built and
    activated.  The configuration is specified in a Nix expression and must
    be stored <emphasis>on the target file system</emphasis>.  The text
    editors <command>nano</command> and <command>vim</command> are
    available.</para>
    <para>You need to specify a root file system in
    <option>fileSystems</option> and the target device for the Grub boot
    loader in <option>boot.grubDevice</option>.  See
    <xref linkend="ch-options"/> for a list of the available configuration
    options.</para>
    <note><para>It is very important that you specify in the option
    <option>boot.initrd.kernelModules</option> all kernel modules that
@ -187,6 +171,11 @@ $ nixos-hardware-scan > /mnt/etc/nixos/configuration.nix</screen>
    <command>nixos-hardware-scan</command> should figure out the
    required modules in most cases.</para></note>
    <para>Examples are available in
    <filename>/etc/nixos/nixos/doc/config-examples</filename> and some
    actual NixOS configuration can be found at <link
    xlink:href="https://svn.nixos.org/repos/nix/configurations/trunk/"/>.</para>
  </listitem>
  <listitem><para>If your machine has a limited amount of memory, you
@ -268,8 +257,7 @@ $ fdisk /dev/sda <lineannotation>(or whatever device you want to install on)</li
 $ mke2fs -j -L nixos /dev/sda1 <lineannotation>(idem)</lineannotation>
 $ mkswap -L swap /dev/sda2 <lineannotation>(idem)</lineannotation>
 $ mount LABEL=nixos /mnt
-$ mkdir -p /mnt/etc/nixos
+$ nixos-option --install
 $ nixos-hardware-scan > /mnt/etc/nixos/configuration.nix
 $ nano /mnt/etc/nixos/configuration.nix
 <lineannotation>(in particular, set the fileSystems and swapDevices options)</lineannotation>
 $ nixos-install
@ -280,7 +268,8 @@ $ reboot</screen>
 <screen>
 {
  boot.initrd.kernelModules = [ "ata_piix" ];
-  boot.grubDevice = "/dev/sda";
+  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  fileSystems = [
    { mountPoint = "/";
--- a/doc/manual/man-nixos-option.xml
+++ b/doc/manual/man-nixos-option.xml
@ -0,0 +1,186 @@
 <refentry xmlns="http://docbook.org/ns/docbook"
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xmlns:xi="http://www.w3.org/2001/XInclude">
 <refmeta>
  <refentrytitle><command>nixos-option</command></refentrytitle>
  <manvolnum>8</manvolnum>
  <refmiscinfo class="source">NixOS</refmiscinfo>
  <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> -->
 </refmeta>
 <refnamediv>
  <refname><command>nixos-option</command></refname>
  <refpurpose>inspect a NixOS configuration</refpurpose>
 </refnamediv>
 <refsynopsisdiv>
  <cmdsynopsis>
    <command>nixos-option</command>
    <group choice="opt">
      <option>-i</option>
      <option>v</option>
      <option>d</option>
      <option>l</option>
    </group>
    <arg choice='plain'><replaceable>option.name</replaceable></arg>
  </cmdsynopsis>
  <cmdsynopsis>
    <command>nixos-option</command>
    <arg choice='plain'><option>--install</option></arg>
  </cmdsynopsis>
 </refsynopsisdiv>
 <refsection><title>Description</title>
 <para>This command evaluates the configuration specified in
 <filename>/etc/nixos/configuration.nix</filename> and returns the properties
 of the option name given as argument.  By default, it returns the value of
 the option.</para>
 <para>When the option name is not an option, the command prints the list of
 attributes in contained in the attribute set.  This could used to provide
 completion in some editors.</para>
 <para>When the option <option>--install</option> (or <option>-i</option>) is
 used with no option name, this command generates a template configuration
 with a scan of the target system.  It produces a template configuration
 in <filename>/etc/nixos/configuration.nix</filename>, and a scan of the
 machine in <filename>/etc/nixos/hardware-configuration.nix</filename>.  The
 scan of the machine is produced
 by <command>nixos-hardware-scan</command>.</para>
 </refsection>
 <refsection><title>Options</title>
 <para>This command accepts the following options:</para>
 <variablelist>
  <varlistentry>
    <term><option>--install</option>, <option>-i</option></term>
    <listitem>
      <para>Use the installation configuration instead of current system
      configuration.  Generate a template configuration if no option name is
      specified.</para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><option>--value</option>, <option>-v</option></term>
    <listitem>
      <para>Returns the value of the option.  This is the default operation
      if no other options are defined.</para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><option>--description</option>, <option>-d</option></term>
    <listitem>
      <para>Return the default value, the example and the description of the
      option when available.</para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><option>--lookup</option>, <option>-l</option></term>
    <listitem>
      <para>Return the locations where the option is declared and where it
      is defined.  This is extremely useful to find sources of errors in
      your configuration.</para>
    </listitem>
  </varlistentry>
 </variablelist>
 </refsection>
 <refsection><title>Environment</title>
 <variablelist>
  <varlistentry>
    <term><envar>mountPoint</envar></term>
    <listitem>
      <para>Location of the target file system.  Defaults to
      <filename>/mnt</filename>.  This environment variable is only used in
      combinaison with <option>--install</option> option.</para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><envar>NIXOS</envar></term>
    <listitem>
      <para>Path to the NixOS source tree.  Defaults to
      <filename>/etc/nixos/nixos</filename>.</para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><envar>NIXPKGS</envar></term>
    <listitem>
      <para>Path to the Nixpkgs source tree.  Defaults to
      <filename>/etc/nixos/nixpkgs</filename>.</para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><envar>NIXOS_CONFIG</envar></term>
    <listitem>
      <para>Path to the main NixOS configuration module.  Defaults to
      <filename>/etc/nixos/configuration.nix</filename>.</para>
    </listitem>
  </varlistentry>
 </variablelist>
 </refsection>
 <refsection><title>Examples</title>
 <para>Investigate option values:
 <screen>$ nixos-option boot.loader
 This attribute set contains:
 generationsDir
 grub
 initScript
 $ nixos-option boot.loader.grub.enable
 true</screen></para>
 <para>Prints option information:
 <screen>$ nixos-option -d networking.hostName
 Default: "nixos"
 Description:
 The name of the machine. Leave it empty if you want to obtain
 it from a DHCP server (if using DHCP).</screen></para>
 <para>Find the locations which are declaring and defining an option:
 <screen>$ nixos-option -l hardware.firmware
 Declared by:
  /mnt/data/nix-sources/nixos/modules/services/hardware/udev.nix
 Defined by:
  /etc/nixos/nixos/modules/system/boot/kernel.nix
  /etc/nixos/nixos/modules/hardware/network/rt73.nix
  /etc/nixos/nixos/modules/hardware/network/intel-3945abg.nix
  /etc/nixos/nixos/modules/hardware/network/intel-2200bg.nix</screen></para>
 </refsection>
 <refsection><title>Bugs</title>
 <para>The author listed in the following section is wrong.  If there is any
  other bug, please report to Nicolas Pierron.</para>
 </refsection>
 </refentry>
--- a/doc/manual/man-nixos-rebuild.xml
+++ b/doc/manual/man-nixos-rebuild.xml
@ -24,6 +24,8 @@
      <arg choice='plain'><option>build</option></arg>
      <arg choice='plain'><option>dry-run</option></arg>
      <arg choice='plain'><option>build-vm</option></arg>
      <arg choice='plain'><option>build-vm-with-bootloader</option></arg>
      <arg choice='plain'><option>pull</option></arg>
    </group>
    <sbr />
    <arg><option>--install-grub</option></arg>
@ -151,6 +153,35 @@ $ ./result/bin/run-*-vm
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><option>build-vm-with-bootloader</option></term>
    <listitem>
      <para>Like <option>build-vm</option>, but boots using the
      regular boot loader of your configuration (e.g., GRUB 1 or 2),
      rather than booting directly into the kernel and initial ramdisk
      of the system.  This allows you to test whether the boot loader
      works correctly.  However, it does not guarantee that your NixOS
      configuration will boot successfully on the host hardware (i.e.,
      after running <command>nixos-rebuild switch</command>), because
      the hardware and boot loader configuration in the VM are
      different.  The boot loader is installed on an automatically
      generated virtual disk containing a <filename>/boot</filename>
      partition, which is mounted read-only in the VM.</para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><option>pull</option></term>
    <listitem>
      <para>This operation merely fetches the latest manifest in the
      Nixpkgs channel to speed up subsequent
      <command>nix-env</command> operations.  This is useful if you
      are not using <command>nix-channel</command> but still want to
      use pre-built binary packages.  It doesn’t reconfigure the
      system at all.</para>
    </listitem>
  </varlistentry>
 </variablelist>
 </para>
--- a/doc/manual/man-pages.xml
+++ b/doc/manual/man-pages.xml
@ -25,5 +25,6 @@
  <xi:include href="man-configuration.xml" />
  <xi:include href="man-nixos-rebuild.xml" />
  <xi:include href="man-nixos-option.xml" />
 </reference>
--- a/modules/config/nsswitch-mdns.conf
+++ b/modules/config/nsswitch-mdns.conf
@ -4,7 +4,7 @@ passwd:         ldap files
 group:          ldap files
 shadow:         ldap files
-hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
+hosts:          files mdns_minimal [NOTFOUND=return] dns mdns
 networks:       files dns
 services:       files
--- a/modules/config/users-groups.nix
+++ b/modules/config/users-groups.nix
@ -156,7 +156,23 @@ in
  config = {
-    system.activationScripts.users = fullDepEntry
+    system.activationScripts.rootPasswd = stringAfter [ "etc" ]
      ''
        # If there is no password file yet, create a root account with an
        # empty password.
        if ! test -e /etc/passwd; then
            rootHome=/root
            touch /etc/passwd; chmod 0644 /etc/passwd
            touch /etc/group; chmod 0644 /etc/group
            touch /etc/shadow; chmod 0600 /etc/shadow
            # Can't use useradd, since it complains that it doesn't know us
            # (bootstrap problem!).
            echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd
            echo "root::::::::" >> /etc/shadow
        fi
      '';
    system.activationScripts.users = stringAfter [ "groups" ]
      ''
        echo "updating users..."
@ -206,9 +222,9 @@ in
            fi
        done
-      '' [ "groups" ];
+      '';
-    system.activationScripts.groups = fullDepEntry
+    system.activationScripts.groups = stringAfter [ "rootPasswd" "binsh" "etc" "var" ]
      ''
        echo "updating groups..."
@ -231,7 +247,7 @@ in
        done <<EndOfGroupList
        ${concatStringsSep "\n" (map serializedGroup groups)}
        EndOfGroupList
-      '' [ "rootPasswd" "binsh" "etc" "var" ];
+      '';
  };
--- a/modules/installer/cd-dvd/installation-cd-base.nix
+++ b/modules/installer/cd-dvd/installation-cd-base.nix
@ -7,76 +7,6 @@ with pkgs.lib;
 let
  options = {
    system.nixosVersion = mkOption {
      default = "${builtins.readFile ../../../VERSION}";
      description = ''
        NixOS version number.
      '';
    };
    installer.configModule = mkOption {
      example = "./nixos/modules/installer/cd-dvd/installation-cd.nix";
      description = ''
        Filename of the configuration module that builds the CD
        configuration.  Must be specified to support reconfiguration
        in live CDs.
      '';
    };
    installer.basePackages = mkOption {
      description = ''
        The list of base packages available in the system profile of the
        installation CD.  Note that modules such as
        <literal>installation-cd-graphical.nix</literal> add
        packages to this list.
      '';
      default =
        [ pkgs.subversion # for nixos-checkout
          pkgs.w3m # needed for the manual anyway
          pkgs.testdisk # useful for repairing boot problems
          pkgs.mssys # for writing Microsoft boot sectors / MBRs
          pkgs.parted
          pkgs.ddrescue
          pkgs.ccrypt
          pkgs.cryptsetup # needed for dm-crypt volumes
          # Some networking tools.
          pkgs.sshfsFuse
          pkgs.socat
          pkgs.screen
          # Hardware-related tools.
          pkgs.sdparm
          pkgs.hdparm
          pkgs.dmraid
          # Tools to create / manipulate filesystems.
          pkgs.ntfsprogs # for resizing NTFS partitions
          pkgs.btrfsProgs
          pkgs.dosfstools
          pkgs.xfsprogs
          pkgs.jfsutils
          pkgs.jfsrec
          # Some compression/archiver tools.
          pkgs.unrar
          pkgs.unzip
          pkgs.zip
          pkgs.xz
          pkgs.dar # disk archiver
          # Some editors.
          pkgs.nvi
          pkgs.bvi # binary editor
          pkgs.joe
        ];
     };
  };
  # We need a copy of the Nix expressions for Nixpkgs and NixOS on the
  # CD.  We put them in a tarball because accessing that many small
  # files from a slow device like a CD-ROM takes too long.  !!! Once
@ -96,36 +26,16 @@ let
  includeSources = true;
  # A dummy /etc/nixos/configuration.nix in the booted CD that
  # rebuilds the CD's configuration (and allows the configuration to
  # be modified, of course, providing a true live CD).  Problem is
  # that we don't really know how the CD was built - the Nix
  # expression language doesn't allow us to query the expression being
  # evaluated.  So we'll just hope for the best.
  dummyConfiguration = pkgs.writeText "configuration.nix"
    ''
      {config, pkgs, ...}:
      {
        require = [${config.installer.configModule}];
        # Add your own options below and run "nixos-rebuild switch".
        # E.g.,
        #   services.openssh.enable = true;
      }
    '';
 in
 {
  require =
-    [ options
+    [ ./memtest.nix
      ./memtest.nix
      ./iso-image.nix
-      ../../hardware/network/intel-3945abg.nix
+
-      ../../hardware/network/rt73.nix
+      # Profiles of this basic installation CD.
      ../../profiles/base.nix
      ../../profiles/installation-device.nix
    ];
  # ISO naming.
@ -133,79 +43,10 @@ in
  isoImage.volumeID = "NIXOS_INSTALL_CD_${config.system.nixosVersion}";
  # Show the manual.
  services.nixosManual.showManual = true;
  # Let the user play Rogue on TTY 8 during the installation.
  services.rogue.enable = true;
  # Disable some other stuff we don't need.
  security.sudo.enable = false;
  # Include only the en_US locale.  This saves 75 MiB or so compared to
  # the full glibcLocales package.
  i18n.supportedLocales = ["en_US.UTF-8/UTF-8" "en_US/ISO-8859-1"];
  # Include some utilities that are useful for installing or repairing
  # the system.
  environment.systemPackages = config.installer.basePackages;
  # The initrd has to contain any module that might be necessary for
  # mounting the CD/DVD.
  boot.initrd.availableKernelModules =
    [ # SATA/PATA support.
      "ahci"
      "ata_piix"
      "sata_inic162x" "sata_nv" "sata_promise" "sata_qstor"
      "sata_sil" "sata_sil24" "sata_sis" "sata_svw" "sata_sx4"
      "sata_uli" "sata_via" "sata_vsc"
      "pata_ali" "pata_amd" "pata_artop" "pata_atiixp"
      "pata_cs5520" "pata_cs5530" "pata_cs5535" "pata_efar"
      "pata_hpt366" "pata_hpt37x" "pata_hpt3x2n" "pata_hpt3x3"
      "pata_it8213" "pata_it821x" "pata_jmicron" "pata_marvell"
      "pata_mpiix" "pata_netcell" "pata_ns87410" "pata_oldpiix"
      "pata_pcmcia" "pata_pdc2027x" "pata_qdi" "pata_rz1000"
      "pata_sc1200" "pata_serverworks" "pata_sil680" "pata_sis"
      "pata_sl82c105" "pata_triflex" "pata_via"
      "pata_winbond"
      # SCSI support (incomplete).
      "3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr" 
      # USB support, especially for booting from USB CD-ROM
      # drives.
      "usb_storage"
      # Firewire support.  Not tested.
      "ohci1394" "sbp2"
      # Virtio (QEMU, KVM etc.) support.
      "virtio_net" "virtio_pci" "virtio_blk" "virtio_balloon"
      # Add vfat to enable people to copy the contents of the CD to a
      # bootable USB stick.
      "vfat" "nls_cp437" "nls_iso8859-1"
    ];
  boot.initrd.kernelModules =
    [ # Wait for SCSI devices to appear.
      "scsi_wait_scan"
    ];
  # nixos-install will do a pull from this channel to speed up the
  # installation.
  installer.nixpkgsURL = http://nixos.org/releases/nixpkgs/channels/nixpkgs-unstable;
  boot.postBootCommands =
    ''
      export PATH=${pkgs.gnutar}/bin:${pkgs.bzip2}/bin:$PATH
      # Provide a mount point for nixos-install.
      mkdir -p /mnt
      # Provide the NixOS/Nixpkgs sources in /etc/nixos.  This is required
      # for nixos-install.
      ${optionalString includeSources ''
@ -216,40 +57,9 @@ in
        tar xjf ${nixpkgsTarball}/nixpkgs.tar.bz2 -C /etc/nixos/nixpkgs
        chown -R root.root /etc/nixos
     ''}
      # Provide a configuration for the CD/DVD itself, to allow users
      # to run nixos-rebuild to change the configuration of the
      # running system on the CD/DVD.
      cp ${dummyConfiguration} /etc/nixos/configuration.nix
    '';
  # Some more help text.
  services.mingetty.helpLine =
    ''
      Log in as "root" with an empty password.  ${
        if config.services.xserver.enable then
          "Type `start xserver' to start\nthe graphical user interface."
        else ""
      }
    '';
  # Include the firmware for various wireless cards.
  networking.enableRT73Firmware = true;
  networking.enableIntel2200BGFirmware = true;
  networking.enableIntel3945ABGFirmware = true;
  # To speed up installation a little bit, include the complete stdenv
  # in the Nix store on the CD.
  isoImage.storeContents = [ pkgs.stdenv pkgs.klibc pkgs.klibcShrunk ];
  # Allow sshd to be started manually through "start sshd".  It should
  # not be started by default on the installation CD because the
  # default root password is empty.
  services.openssh.enable = true;
  jobs.sshd.startOn = pkgs.lib.mkOverrideTemplate 50 {} "";
  # Enable wpa_supplicant, but don't start it by default.
  networking.enableWLAN = true;
  jobs.wpa_supplicant.startOn = pkgs.lib.mkOverrideTemplate 50 {} "";
 }
--- a/modules/installer/cd-dvd/installation-cd-graphical.nix
+++ b/modules/installer/cd-dvd/installation-cd-graphical.nix
@ -4,15 +4,8 @@
 {config, pkgs, ...}:
 {
-  require = [./installation-cd-base.nix];
+  require = [
-
+    ./installation-cd-base.nix
-  installer.configModule = "./nixos/modules/installer/cd-dvd/installation-cd-graphical.nix";
+    ../../profiles/graphical.nix
-
+  ];
  services.xserver = {
    enable = true;
    autorun = false;
    defaultDepth = 16;
    desktopManager.default = "kde4";
    desktopManager.kde4.enable = true;
  };
 }
--- a/modules/installer/cd-dvd/installation-cd-minimal.nix
+++ b/modules/installer/cd-dvd/installation-cd-minimal.nix
@ -4,14 +4,8 @@
 {config, pkgs, ...}:
 {
-  require = [./installation-cd-base.nix];
+  require = [
-
+    ./installation-cd-base.nix
-  installer.configModule = "./nixos/modules/installer/cd-dvd/installation-cd-minimal.nix";
+    ../../profiles/minimal.nix
-
+  ];
  # Don't include X libraries.
  services.openssh.forwardX11 = false;
  services.dbus.enable = false; # depends on libX11
  services.hal.enable = false; # depends on dbus
  fonts.enableFontConfig = false;
  fonts.enableCoreFonts = false;
 }
--- a/modules/installer/cd-dvd/installation-cd-rescue.nix
+++ b/modules/installer/cd-dvd/installation-cd-rescue.nix
@ -4,48 +4,8 @@
 {config, pkgs, ...}:
 {
-  require = [./installation-cd-base.nix];
+  require = [
-
+    ./installation-cd-base.nix
-  installer.configModule = "./nixos/modules/installer/cd-dvd/installation-cd-minimal.nix";
+    ../../profiles/rescue.nix
  # Don't include X libraries.
  services.openssh.forwardX11 = false;
  services.dbus.enable = false; # depends on libX11
  services.hal.enable = false; # depends on dbus
  fonts.enableFontConfig = false;
  fonts.enableCoreFonts = false;
  # Useful for rescue..
  environment.systemPackages = with pkgs; [
    utillinuxCurses ddrescue 
    pciutils sdparm hdparm hddtemp usbutils
    btrfsProgs xfsprogs jfsutils jfsrec
    iproute 
    fuse ntfs3g smbfsFuse sshfsFuse
    manpages irssi elinks mcabber mutt openssh lftp 
    openssl ncat socat
    gnupg1 gnupg
    patch which diffutils gcc binutils bc file
    screen
    bvi joe nvi 
    subversion16 monotone git darcs mercurial bazaar cvs
    unrar unzip zip lzma cabextract cpio 
    lsof
  ];
  boot.kernelPackages = pkgs.linuxPackages_2_6_32;
  boot.initrd.kernelModules = ["evdev" "i8042" "pcips2" "serio"
    "sd_mod" "libata" "unix" "usbhid" "uhci_hcd" "atkbd" "xtkbd" "fbdev"
    "iso9660" "udf" "loop"];
  boot.kernelModules = ["fbcon" "radeonfb" "intelfb" "sisfb" "nvidiafb"
    "cirrusfb"];
  boot.kernelParams = [
      "selinux=0"
      "acpi=on"
      "apm=off"
      "console=tty1"
      "splash=verbose"
    ];
  services.ttyBackgrounds.enable = false;
 }
--- a/modules/installer/cd-dvd/iso-image.nix
+++ b/modules/installer/cd-dvd/iso-image.nix
@ -174,11 +174,9 @@ in
  # Closures to be copied to the Nix store on the CD, namely the init
  # script and the top-level system configuration directory.
  isoImage.storeContents =
-    [ config.system.build.bootStage2
+    [ config.system.build.toplevel ] ++ 
-      config.system.build.toplevel
+    optional config.isoImage.includeSystemBuildDependencies
-    ] ++ 
+      config.system.build.toplevel.drvPath;
    (optional config.isoImage.includeSystemBuildDependencies
      config.system.build.toplevel.drvPath);
  # Create the squashfs image that contains the Nix store.
  system.build.squashfsStore = import ../../../lib/make-squashfs.nix {
@ -220,7 +218,7 @@ in
  boot.loader.grub.extraEntries =
    ''
      menuentry "NixOS Installer / Rescue" {
-        linux /boot/bzImage init=${config.system.build.bootStage2} systemConfig=${config.system.build.toplevel} ${toString config.boot.kernelParams}
+        linux /boot/bzImage init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}
        initrd /boot/initrd
      }
--- a/modules/installer/cd-dvd/live-dvd.nix
+++ b/modules/installer/cd-dvd/live-dvd.nix
@ -1,7 +1,7 @@
 {config, pkgs, ...}:
 {
-  require = [./installation-cd.nix];
+  require = [./installation-cd-base.nix];
  # Build the build-time dependencies of this configuration on the DVD
  # to speed up installation.
--- a/modules/installer/cd-dvd/system-tarball-pc.nix
+++ b/modules/installer/cd-dvd/system-tarball-pc.nix
@ -7,165 +7,19 @@ with pkgs.lib;
 let
  # A dummy /etc/nixos/configuration.nix in the booted CD that
  # rebuilds the CD's configuration (and allows the configuration to
  # be modified, of course, providing a true live CD).  Problem is
  # that we don't really know how the CD was built - the Nix
  # expression language doesn't allow us to query the expression being
  # evaluated.  So we'll just hope for the best.
  dummyConfiguration = pkgs.writeText "configuration.nix"
    ''
      {config, pkgs, ...}:
      {
        require = [ ];
        # Add your own options below and run "nixos-rebuild switch".
        # E.g.,
        #   services.openssh.enable = true;
      }
    '';
  pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
  options = {
    system.nixosVersion = mkOption {
      default = "${builtins.readFile ../../../VERSION}";
      description = ''
        NixOS version number.
      '';
    };
  };
 in
 {
-  require =
+  require = [
    [ options
    ./system-tarball.nix
-      ../../hardware/network/rt73.nix
+ 
   # Profiles of this basic installation.
    ../../profiles/base.nix
    ../../profiles/installation-device.nix
  ];
  # Disable some other stuff we don't need.
  security.sudo.enable = false;
  # Include only the en_US locale.  This saves 75 MiB or so compared to
  # the full glibcLocales package.
  i18n.supportedLocales = ["en_US.UTF-8/UTF-8" "en_US/ISO-8859-1"];
  # Include some utilities that are useful for installing or repairing
  # the system.
  environment.systemPackages =
    [ pkgs.subversion # for nixos-checkout
      pkgs.w3m # needed for the manual anyway
      pkgs.testdisk # useful for repairing boot problems
      pkgs.mssys # for writing Microsoft boot sectors / MBRs
      pkgs.parted
      pkgs.ddrescue
      pkgs.ccrypt
      pkgs.cryptsetup # needed for dm-crypt volumes
      # Some networking tools.
      pkgs.sshfsFuse
      pkgs.socat
      pkgs.screen
      pkgs.wpa_supplicant # !!! should use the wpa module
      # Hardware-related tools.
      pkgs.sdparm
      pkgs.hdparm
      pkgs.dmraid
      # Tools to create / manipulate filesystems.
      pkgs.ntfsprogs # for resizing NTFS partitions
      pkgs.btrfsProgs
      pkgs.xfsprogs
      pkgs.jfsutils
      pkgs.jfsrec
      # Some compression/archiver tools.
      pkgs.unrar
      pkgs.unzip
      pkgs.zip
      pkgs.xz
      pkgs.dar # disk archiver
      # Some editors.
      pkgs.nvi
      pkgs.bvi # binary editor
      pkgs.joe
    ];
  # The initrd has to contain any module that might be necessary for
  # mounting the CD/DVD.
  boot.initrd.availableKernelModules =
    [ # SATA/PATA support.
      "ahci"
      "ata_piix"
      "sata_inic162x" "sata_nv" "sata_promise" "sata_qstor"
      "sata_sil" "sata_sil24" "sata_sis" "sata_svw" "sata_sx4"
      "sata_uli" "sata_via" "sata_vsc"
      "pata_ali" "pata_amd" "pata_artop" "pata_atiixp"
      "pata_cs5520" "pata_cs5530" "pata_cs5535" "pata_efar"
      "pata_hpt366" "pata_hpt37x" "pata_hpt3x2n" "pata_hpt3x3"
      "pata_it8213" "pata_it821x" "pata_jmicron" "pata_marvell"
      "pata_mpiix" "pata_netcell" "pata_ns87410" "pata_oldpiix"
      "pata_pcmcia" "pata_pdc2027x" "pata_qdi" "pata_rz1000"
      "pata_sc1200" "pata_serverworks" "pata_sil680" "pata_sis"
      "pata_sl82c105" "pata_triflex" "pata_via"
      "pata_winbond"
      # SCSI support (incomplete).
      "3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr" 
      # USB support, especially for booting from USB CD-ROM
      # drives.
      "usb_storage"
      # Firewire support.  Not tested.
      "ohci1394" "sbp2"
      # Virtio (QEMU, KVM etc.) support.
      "virtio_net" "virtio_pci" "virtio_blk" "virtio_balloon"
      # Add vfat to enable people to copy the contents of the CD to a
      # bootable USB stick.
      "vfat"
    ];
  boot.initrd.kernelModules =
    [ # Wait for SCSI devices to appear.
      "scsi_wait_scan"
    ];
  boot.postBootCommands =
    ''
      mkdir -p /mnt
      cp ${dummyConfiguration} /etc/nixos/configuration.nix
    '';
  # Some more help text.
  services.mingetty.helpLine =
    ''
      Log in as "root" with an empty password.  ${
        if config.services.xserver.enable then
          "Type `start xserver' to start\nthe graphical user interface."
        else ""
      }
    '';
  # Include the firmware for various wireless cards.
  networking.enableRT73Firmware = true;
  networking.enableIntel2200BGFirmware = true;
  # To speed up further installation of packages, include the complete stdenv
  # in the Nix store of the tarball.
  tarball.storeContents = pkgs2storeContents [ pkgs.stdenv pkgs.klibc pkgs.klibcShrunk ];
--- a/modules/installer/cd-dvd/system-tarball.nix
+++ b/modules/installer/cd-dvd/system-tarball.nix
@ -53,12 +53,7 @@ in
  # Closures to be copied to the Nix store on the CD, namely the init
  # script and the top-level system configuration directory.
  tarball.storeContents =
-    [ {
+    [ { object = config.system.build.toplevel;
        object = config.system.build.bootStage2;
        symlink = "none";
      }
      {
        object = config.system.build.toplevel;
        symlink = "/var/run/current-system";
      }
    ];
--- a/modules/installer/grub/grub-menu-builder.sh
+++ b/modules/installer/grub/grub-menu-builder.sh
@ -154,6 +154,7 @@ addEntry() {
    local kernel=$(readlink -f $path/kernel)
    local initrd=$(readlink -f $path/initrd)
    local xen=$([ -f $path/xen.gz ] && readlink -f $path/xen.gz)
    if test "$path" = "$defaultConfig"; then
 	cp "$kernel" /boot/nixos-kernel
@ -181,6 +182,7 @@ EOF
    if test -n "$copyKernels"; then
        copyToKernelsDir $kernel; kernel=$result
        copyToKernelsDir $initrd; initrd=$result
        if [ -n "$xen" ]; then copyToKernelsDir $xen; xen=$result; fi
    fi
    local confName=$(cat $path/configuration-name 2>/dev/null || true)
@ -188,21 +190,26 @@ EOF
 	name="$confName $3"
    fi
    local kernelParams="systemConfig=$(readlink -f $path) init=$(readlink -f $path/init) $(cat $path/kernel-params)"
    local xenParams="$([ -n "$xen" ] && cat $path/xen-params)"
    case "$grubVersion" in
 	1)
 	    cat >> "$tmp" << GRUBEND
 title $name
  @extraPerEntryConfig@
-  kernel $kernel systemConfig=$(readlink -f $path) init=$(readlink -f $path/init) $(cat $path/kernel-params)
+  ${xen:+kernel $xen $xenParams}
-  initrd $initrd
+  $(if [ -z "$xen" ]; then echo kernel; else echo module; fi) $kernel $kernelParams
  $(if [ -z "$xen" ]; then echo initrd; else echo module; fi) $initrd
 GRUBEND
 	    ;;
 	2)
 	    cat >> "$tmp" << GRUBEND
 menuentry "$name" {
  @extraPerEntryConfig@
-  linux  $kernel systemConfig=$(readlink -f $path) init=$(readlink -f $path/init) $(cat $path/kernel-params)
+  ${xen:+multiboot $xen $xenParams}
-  initrd $initrd
+  $(if [ -z "$xen" ]; then echo linux; else echo module; fi) $kernel $kernelParams
  $(if [ -z "$xen" ]; then echo initrd; else echo module; fi) $initrd
 }
 GRUBEND
 	    ;;
@ -243,7 +250,7 @@ for link in $((ls -d $defaultConfig/fine-tune/* ) | sort -n); do
 done
 for generation in $(
-    (cd /nix/var/nix/profiles && ls -d system-*-link) \
+    (cd /nix/var/nix/profiles && for i in system-*-link; do echo $i; done) \
    | sed 's/system-\([0-9]\+\)-link/\1/' \
    | sort -n -r); do
    link=/nix/var/nix/profiles/system-$generation-link
--- a/modules/installer/scan/detected.nix
+++ b/modules/installer/scan/detected.nix
@ -0,0 +1,13 @@
 # List all devices which are detected by nixos-hardware-scan.
 # Common devices are enabled by default.
 {config, pkgs, ...}:
 with pkgs.lib;
 {
  config = mkDefault {
    # Wireless card firmware
    networking.enableIntel2200BGFirmware = true;
    networking.enableIntel3945ABGFirmware = true;
  };
 }
--- a/modules/installer/scan/not-detected.nix
+++ b/modules/installer/scan/not-detected.nix
@ -0,0 +1,12 @@
 # List all devices which are _not_ detected by nixos-hardware-scan.
 # Common devices are enabled by default.
 {config, pkgs, ...}:
 with pkgs.lib;
 {
  config = mkDefault {
    # Wireless card firmware
    networking.enableRT73Firmware = true;
  };
 }
--- a/modules/installer/tools/nixos-deploy-network/deploy.nix
+++ b/modules/installer/tools/nixos-deploy-network/deploy.nix
@ -0,0 +1,61 @@
 { nixos ? /etc/nixos/nixos
 , nixpkgs ? /etc/nixos/nixpkgs
 , networkExpr
 , infrastructureExpr
 }:
 let
  pkgs = import nixpkgs {};
  inherit (builtins) attrNames getAttr listToAttrs concatMapStrings;
  network = import networkExpr;
  infrastructure = import infrastructureExpr;
  generateScript = network: infrastructure: configs:
    concatMapStrings (configurationName: 
      let
        infrastructureElement = getAttr configurationName infrastructure;
 	config = getAttr configurationName configs;
      in
      ''
        echo "=== upgrading ${infrastructureElement.hostName} ==="
        nix-copy-closure --to ${infrastructureElement.hostName} ${config.system.build.toplevel} \
        && ssh $NIX_SSHOPTS ${infrastructureElement.hostName} nix-env -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \
        && ssh $NIX_SSHOPTS ${infrastructureElement.hostName} ${config.system.build.toplevel}/bin/switch-to-configuration switch \
        && { succeeded=$((succeeded + 1)); } \
        || { failed=$((failed + 1)); echo 'WARNING: upgrade of ${infrastructureElement.hostName} failed!'; }
      ''
    ) (attrNames network)
  ;
  evaluateMachines = network: infrastructure:
    listToAttrs (map (configurationName:
      let
        configuration = getAttr configurationName network;
        system = (getAttr configurationName infrastructure).system;
      in
      { name = configurationName;
        value = (import "${nixos}/lib/eval-config.nix" {
          inherit nixpkgs system;
          modules = [ configuration ];
          extraArgs = evaluateMachines network infrastructure;
        }).config; }
    ) (attrNames (network)))
  ;
  configs = evaluateMachines network infrastructure;
 in
 pkgs.stdenv.mkDerivation {
  name = "deploy-script";
  buildCommand = ''
    ensureDir $out/bin
    cat > $out/bin/deploy-systems << "EOF"
    #! ${pkgs.stdenv.shell} -e
    failed=0; succeeded=0
    ${generateScript network infrastructure configs}
    echo "Upgrade of $failed machines failed, $succeeded machines succeeded.";
    EOF
    chmod +x $out/bin/deploy-systems
  '';
 }
--- a/modules/installer/tools/nixos-deploy-network/nixos-deploy-network.sh
+++ b/modules/installer/tools/nixos-deploy-network/nixos-deploy-network.sh
@ -0,0 +1,73 @@
 #! @shell@ -e
 # Shows the usage of this command to the user
 showUsage()
 {
    echo "Usage: $0 -n network_expr -i infrastructure_expr"
    echo "Options:"
    echo
    echo "-n,--network        Network Nix expression which captures properties of machines in the network"
    echo "-i,--infrastructure Infrastructure Nix expression which captures properties of machines in the network"
    echo "-h,--help           Shows the usage of this command"
 }
 # Parse valid argument options
 PARAMS=`getopt -n $0 -o n:i:h -l network:,infrastructure:,show-trace,help -- "$@"`
 if [ $? != 0 ]
 then
    showUsage
    exit 1
 fi
 eval set -- "$PARAMS"
 # Evaluate valid options
 while [ "$1" != "--" ]
 do
    case "$1" in
 	-n|--network)
 	    networkExpr=`readlink -f $2`
 	    ;;
 	-i|--infrastructure)
 	    infrastructureExpr=`readlink -f $2`
 	    ;;
 	--show-trace)
 	    showTraceArg="--show-trace"
 	    ;;
 	-h|--help)
 	    showUsage
 	    exit 0
 	    ;;
    esac
    shift
 done
 # Validate the given options
 if [ "$infrastructureExpr" = "" ]
 then
    echo "ERROR: A infrastructure expression must be specified!" >&2
    exit 1
 fi
 if [ "$networkExpr" = "" ]
 then
    echo "ERROR: A network expression must be specified!" >&2
    exit 1
 fi
 if [ -z "$NIXOS" ]
 then
    NIXOS=/etc/nixos/nixos
 fi
 # Deploy the network
 nix-build $NIXOS/deploy.nix --argstr networkExpr $networkExpr --argstr infrastructureExpr $infrastructureExpr $showTraceArg
 ./result/bin/deploy-systems
 rm -f result
--- a/modules/installer/tools/nixos-hardware-scan.pl
+++ b/modules/installer/tools/nixos-hardware-scan.pl
@ -227,7 +227,14 @@ my $attrs = multiLineList("  ", removeDups @attrs);
 print <<EOF ;
 # This is a generated file.  Do not modify!
 # Make changes to /etc/nixos/configuration.nix instead.
 {modulesPath, ...}:
 {
  require = [
    "\${modulesPath}/profiles/@profile@.nix"
    "\${modulesPath}/installer/scan/not-detected.nix"
  ];
  boot.initrd.kernelModules = [ $initrdKernelModules ];
  boot.kernelModules = [ $kernelModules ];
--- a/modules/installer/tools/nixos-option.sh
+++ b/modules/installer/tools/nixos-option.sh
@ -2,33 +2,41 @@
 # Allow the location of NixOS sources and the system configuration
 # file to be overridden.
-: ${NIXOS_PATH=/etc/nixos/nixos}
+
 : ${mountPoint=/mnt}
 : ${NIXOS=/etc/nixos/nixos}
 : ${NIXPKGS=/etc/nixos/nixpkgs}
 : ${NIXOS_CONFIG=/etc/nixos/configuration.nix}
-export NIXOS_PATH
+: ${NIXPKGS=/etc/nixos/nixpkgs}
 export NIXOS
 usage () {
  echo 1>&2 "
-Usage: $0 OPTION_NAME [-v] [-d] [-l]
+Usage: $0 [--install] [-v] [-d] [-l] OPTION_NAME
       $0 [--install]
 This program is used to explore NixOS options by looking at their values or
-by looking at their description.  It is helpful for understanding the how
+by looking at their description.  It is helpful for understanding how your
-your configuration is working.
+configuration is working.
 Options:
  -i | --install        Use the configuration on
                        ${mountPoint:+$mountPoint/}$NIXOS_CONFIG instead of
                        the current system configuration.  Generate a
                        template configuration if no option name is
                        specified.
  -v | --value          Display the current value, based on your
                        configuration.
-  -d | --default        Display the default value, the example and the
+  -d | --description    Display the default value, the example and the
                        description.
  -l | --lookup         Display where the option is defined and where it
                        is declared.
  --help                Show this message.
-Environment variables affecting nixos-option:
+Environment variables affecting $0:
-  \$NIXOS_PATH          Path where the NixOS repository is located.
+  \$mountPoint          Path to the target file system.
  \$NIXOS               Path where the NixOS repository is located.
  \$NIXOS_CONFIG        Path to your configuration file.
  \$NIXPKGS             Path to Nix packages.
@ -44,6 +52,7 @@ Environment variables affecting nixos-option:
 desc=false
 defs=false
 value=false
 install=false
 verbose=false
 option=""
@ -52,18 +61,39 @@ argfun=""
 for arg; do
  if test -z "$argfun"; then
    case $arg in
-      -d|--description) desc=true;;
+      -*)
-      -v|--value) value=true;;
+        longarg=""
-      -l|--lookup) defs=true;;
+        sarg="$arg"
        while test "$sarg" != "-"; do
          case $sarg in
            --*) longarg=$arg;;
            -d*) longarg="$longarg --description";;
            -v*) longarg="$longarg --value";;
            -l*) longarg="$longarg --lookup";;
            -i*) longarg="$longarg --install";;
            -*) usage;;
          esac
          sarg="-${sarg#??}"
        done
        ;;
      *) longarg=$arg;;
    esac
    for larg in $longarg; do
      case $larg in
        --description) desc=true;;
        --value) value=true;;
        --lookup) defs=true;;
        --install) install=true;;
        --verbose) verbose=true;;
        --help) usage;;
        -*) usage;;
        *) if test -z "$option"; then
-           option="$arg"
+             option="$larg"
           else
             usage
           fi;;
      esac
    done
  else
    case $argfun in
      set_*)
@ -75,6 +105,16 @@ for arg; do
  fi
 done
 # --install cannot be used with -d -v -l without option name.
 if $value || $desc || $defs && $install && test -z "$option"; then
  usage
 fi
 generate=false
 if ! $defs && ! $desc && ! $value && $install && test -z "$option"; then
  generate=true
 fi
 if ! $defs && ! $desc; then
  value=true
 fi
@ -93,7 +133,7 @@ evalAttr(){
  local prefix=$1
  local suffix=$2
  local strict=$3
-  echo "(import $NIXOS_PATH {}).$prefix${option:+.$option}${suffix:+.$suffix}" |
+  echo "(import $NIXOS {}).$prefix${option:+.$option}${suffix:+.$suffix}" |
    nix-instantiate - --eval-only ${strict:+--strict}
 }
@ -107,11 +147,134 @@ evalCfg(){
 findSources(){
  local suffix=$1
-  echo "builtins.map (f: f.source) (import $NIXOS_PATH {}).eval.options${option:+.$option}.$suffix" |
+  echo "builtins.map (f: f.source) (import $NIXOS {}).eval.options${option:+.$option}.$suffix" |
    nix-instantiate - --eval-only --strict
 }
 if $install; then
  if test -e "$mountPoint$NIXOS"; then
    export NIXOS="$mountPoint$NIXOS"
  fi
  if test -e "$mountPoint$NIXPKGS"; then
    export NIXPKGS="$mountPoint$NIXPKGS"
  fi
  export NIXOS_CONFIG="$mountPoint$NIXOS_CONFIG"
 fi
 if $generate; then
  mkdir -p $(dirname "$NIXOS_CONFIG")
  # Scan the hardware and add the result to /etc/nixos/hardware-scan.nix.
  hardware_config="${NIXOS_CONFIG%/configuration.nix}/hardware-configuration.nix"
  if test -e "$hardware_config"; then
    echo "A hardware configuration file exists, generation skipped."
  else
    echo "Scan your hardware to generate a hardware configuration file."
    nixos-hardware-scan > "$hardware_config"
  fi
  if test -e "$NIXOS_CONFIG"; then
    echo 1>&2 "error: Cannot generate a template configuration because a configuration file exists."
    exit 1
  fi
  echo "Generate a template configuration that you should edit."
  # Generate a template configuration file where the user has to
  # fill the gaps.
  echo > "$NIXOS_CONFIG" \
 '# Edit this configuration file which defines what would be installed on the
 # system.  To Help while choosing option value, you can watch at the manual
 # page of configuration.nix or at the last chapter of the manual available
 # on the virtual console 8 (Alt+F8).
 {config, pkgs, ...}:
 {
  require = [
    # Include the configuration for part of your system which have been
    # detected automatically.  In addition, it includes the same
    # configuration as the installation device that you used.
    ./hardware-configuration.nix
  ];
  boot.initrd.kernelModules = [
    # Specify all kernel modules that are necessary for mounting the root
    # file system.
    #
    # "ext4" "ata_piix"
  ];
  boot.loader.grub = {
    # Use grub 2 as boot loader.
    enable = true;
    version = 2;
    # Define on which hard drive you want to install Grub.
    # device = "/dev/sda";
  };
  networking = {
    # hostName = "nixos"; # Define your hostname.
    interfaceMonitor.enable = true; # Watch for plugged cable.
    enableWLAN = true;  # Enables Wireless.
  };
  # Add file system entries for each partition that you want to see mounted
  # at boot time.  You can add filesystems which are not mounted at boot by
  # adding the noauto option.
  fileSystems = [
    # Mount the root file system
    #
    # { mountPoint = "/";
    #   device = "/dev/sda2";
    # }
    # Copy & Paste & Uncomment & Modify to add any other file system.
    #
    # { mountPoint = "/data"; # where you want to mount the device
    #   device = "/dev/sdb"; # the device or the label of the device
    #   # label = "data";
    #   fsType = "ext3";      # the type of the partition.
    #   options = "data=journal";
    # }
  ];
  swapDevices = [
    # List swap partitions that are mounted at boot time.
    #
    # { device = "/dev/sda1"; }
  ];
  # Select internationalisation properties.
  # i18n = {
  #   consoleFont = "lat9w-16";
  #   consoleKeyMap = "us";
  #   defaultLocale = "en_US.UTF-8";
  # };
  # List services that you want to enable:
  # Add an OpenSSH daemon.
  # services.openssh.enable = true;
  # Add CUPS to print documents.
  # services.printing.enable = true;
  # Add XServer (default if you have used a graphical iso)
  # services.xserver = {
  #   enable = true;
  #   layout = "us";
  #   xkbOptions = "eurosign:e";
  # };
  # Add the NixOS Manual on virtual console 8
  services.nixosManual.showManual = true;
 }
 '
  exit 0
 fi;
 if test "$(evalOpt "_type" 2> /dev/null)" = '"option"'; then
  $value && evalCfg;
--- a/modules/installer/tools/nixos-rebuild.sh
+++ b/modules/installer/tools/nixos-rebuild.sh
@ -22,6 +22,8 @@ The operation is one of the following:
            activate it
  build-vm: build a virtual machine containing the configuration
            (useful for testing)
  build-vm-with-bootloader:
            like build-vm, but include a boot loader in the VM
  dry-run:  just show what store paths would be built/downloaded
  pull:     just pull the Nixpkgs channel manifest and exit
@ -64,7 +66,7 @@ while test "$#" -gt 0; do
      --help)
        showSyntax
      ;;
-      switch|boot|test|build|dry-run|build-vm|pull)
+      switch|boot|test|build|dry-run|build-vm|build-vm-with-bootloader|pull)
        action="$i"
      ;;
      --install-grub)
@ -171,9 +173,12 @@ if test -z "$rollback"; then
    elif test "$action" = test -o "$action" = build -o "$action" = dry-run; then
        nix-build $NIXOS -A system -K -k $extraBuildFlags > /dev/null
        pathToConfig=./result
-    elif test "$action" = build-vm; then
+    elif [ "$action" = build-vm ]; then
        nix-build $NIXOS -A vm -K -k $extraBuildFlags > /dev/null
        pathToConfig=./result
    elif [ "$action" = build-vm-with-bootloader ]; then
        nix-build $NIXOS -A vmWithBootLoader -K -k $extraBuildFlags > /dev/null
        pathToConfig=./result
    else
        showSyntax
    fi
--- a/modules/installer/tools/tools.nix
+++ b/modules/installer/tools/tools.nix
@ -11,6 +11,11 @@ let
    isExecutable = true;
  });
  nixosDeployNetwork = makeProg {
    name = "nixos-deploy-network";
    src = ./nixos-deploy-network/nixos-deploy-network.sh;
  };
  nixosInstall = makeProg {
    name = "nixos-install";
    src = ./nixos-install.sh;
@ -80,6 +85,7 @@ let
    name = "nixos-hardware-scan";
    src = ./nixos-hardware-scan.pl;
    inherit (pkgs) perl;
    profile = config.installer.installProfile;
  };
  nixosOption = makeProg {
@ -113,11 +119,20 @@ in
      '';
    };
    installer.installProfile = pkgs.lib.mkOption {
      default = "base";
      example = "graphical";
      description = ''
        Name of the profile used when generating the hardware-scan.
      '';
    };
  };
  config = {
    environment.systemPackages =
-      [ nixosInstall
+      [ nixosDeployNetwork
        nixosInstall
        nixosRebuild
         nixosHardwareScan
         nixosGenSeccureKeys
@ -128,7 +143,7 @@ in
      ];
    system.build = {
-      inherit nixosInstall;
+      inherit nixosInstall nixosHardwareScan nixosOption;
      # expose scripts
      inherit (installer2) nixosPrepareInstall runInChroot nixosBootstrap minimalInstallArchive;
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@ -56,6 +56,7 @@ in
    sabnzbd = 33;
    tor = 35;
    cups = 36;
    foldingAtHome = 37;
    # When adding a uid, make sure it doesn't match an existing gid.
    nixbld = 30000; # start of range of uids
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -14,6 +14,7 @@
  ./config/users-groups.nix
  ./hardware/network/intel-2200bg.nix
  ./hardware/network/intel-3945abg.nix
  ./hardware/network/rt2870.nix 
  ./hardware/network/rt73.nix 
  ./hardware/pcmcia.nix
  ./installer/generations-dir/generations-dir.nix
@ -44,6 +45,7 @@
  ./security/sudo.nix
  ./services/audio/alsa.nix
  ./services/audio/pulseaudio.nix
  ./services/backup/hydra-mirror.nix
  ./services/backup/mysql-backup.nix
  ./services/backup/postgresql-backup.nix
  ./services/backup/sitecopy-backup.nix
@ -58,10 +60,12 @@
  ./services/logging/logrotate.nix
  ./services/logging/syslogd.nix
  ./services/mail/dovecot.nix
  ./services/mail/mail.nix
  ./services/mail/postfix.nix
  ./services/misc/autofs.nix
  ./services/misc/disnix.nix
  ./services/misc/felix.nix
  ./services/misc/folding-at-home.nix
  ./services/misc/gpsd.nix
  ./services/misc/nix-daemon.nix
  ./services/misc/nix-gc.nix
@ -77,6 +81,7 @@
  ./services/network-filesystems/nfs-kernel.nix
  ./services/network-filesystems/openafs-client/default.nix
  ./services/network-filesystems/samba.nix
  ./services/networking/amuled.nix
  ./services/networking/avahi-daemon.nix
  ./services/networking/bind.nix
  ./services/networking/bitlbee.nix
@ -109,6 +114,7 @@
  ./services/scheduling/cron.nix
  ./services/scheduling/fcron.nix
  ./services/security/tor.nix
  ./services/security/torsocks.nix
  ./services/system/dbus.nix
  ./services/system/kerberos.nix
  ./services/system/nscd.nix
@ -154,4 +160,5 @@
  ./tasks/network-interfaces.nix
  ./tasks/swraid.nix
  ./tasks/tty-backgrounds.nix
  ./virtualisation/xen-dom0.nix
 ]
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@ -0,0 +1,92 @@
 {config, pkgs, ...}:
 {
  # The initrd has to contain any module that might be necessary for
  # mounting the CD/DVD.
  boot.initrd.availableKernelModules =
    [ # SATA/PATA support.
      "ahci"
      "ata_piix"
      "sata_inic162x" "sata_nv" "sata_promise" "sata_qstor"
      "sata_sil" "sata_sil24" "sata_sis" "sata_svw" "sata_sx4"
      "sata_uli" "sata_via" "sata_vsc"
      "pata_ali" "pata_amd" "pata_artop" "pata_atiixp"
      "pata_cs5520" "pata_cs5530" "pata_cs5535" "pata_efar"
      "pata_hpt366" "pata_hpt37x" "pata_hpt3x2n" "pata_hpt3x3"
      "pata_it8213" "pata_it821x" "pata_jmicron" "pata_marvell"
      "pata_mpiix" "pata_netcell" "pata_ns87410" "pata_oldpiix"
      "pata_pcmcia" "pata_pdc2027x" "pata_qdi" "pata_rz1000"
      "pata_sc1200" "pata_serverworks" "pata_sil680" "pata_sis"
      "pata_sl82c105" "pata_triflex" "pata_via"
      "pata_winbond"
      # SCSI support (incomplete).
      "3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr" 
      # USB support, especially for booting from USB CD-ROM
      # drives.
      "usb_storage"
      # Firewire support.  Not tested.
      "ohci1394" "sbp2"
      # Virtio (QEMU, KVM etc.) support.
      "virtio_net" "virtio_pci" "virtio_blk" "virtio_balloon"
      # Add vfat to enable people to copy the contents of the CD to a
      # bootable USB stick.
      "vfat" "nls_cp437" "nls_iso8859-1"
    ];
  boot.initrd.kernelModules =
    [ # Wait for SCSI devices to appear.
      "scsi_wait_scan"
    ];
  # Include some utilities that are useful for installing or repairing
  # the system.
  environment.systemPackages = [
    pkgs.subversion # for nixos-checkout
    pkgs.w3m # needed for the manual anyway
    pkgs.testdisk # useful for repairing boot problems
    pkgs.mssys # for writing Microsoft boot sectors / MBRs
    pkgs.parted
    pkgs.ddrescue
    pkgs.ccrypt
    pkgs.cryptsetup # needed for dm-crypt volumes
    # Some networking tools.
    pkgs.sshfsFuse
    pkgs.socat
    pkgs.screen
    # Hardware-related tools.
    pkgs.sdparm
    pkgs.hdparm
    pkgs.dmraid
    # Tools to create / manipulate filesystems.
    pkgs.ntfsprogs # for resizing NTFS partitions
    pkgs.btrfsProgs
    pkgs.dosfstools
    pkgs.xfsprogs
    pkgs.jfsutils
    pkgs.jfsrec
    # Some compression/archiver tools.
    pkgs.unrar
    pkgs.unzip
    pkgs.zip
    pkgs.xz
    pkgs.dar # disk archiver
    # Some editors.
    pkgs.nvi
    pkgs.bvi # binary editor
    pkgs.joe
  ];
 }
--- a/modules/profiles/empty.nix
+++ b/modules/profiles/empty.nix
@ -0,0 +1,8 @@
 # Empty profiles, used to avoid the case where no profiles are selected for
 # nixos-hardware-scan.
 {
  imports = [];
  options = {};
  config = {};
 }
--- a/modules/profiles/graphical.nix
+++ b/modules/profiles/graphical.nix
@ -0,0 +1,17 @@
 # This module defines a NixOS configuration that contains X11 and
 # KDE 4.
 {config, pkgs, ...}:
 {
  require = [
    ./base.nix
  ];
  services.xserver = {
    enable = true;
    autorun = true;
    defaultDepth = 24;
    desktopManager.default = "kde4";
    desktopManager.kde4.enable = true;
  };
 }
--- a/modules/profiles/installation-device.nix
+++ b/modules/profiles/installation-device.nix
@ -0,0 +1,166 @@
 # Provide a basic cponfiguration for installation devices like CDs.
 {config, pkgs, modules, ...}:
 with pkgs.lib;
 let
  # Location of the repository on the harddrive
  nixosPath = toString ../../.;
  # Check if the path is from the NixOS repository
  isNixOSFile = path:
    let s = toString path; in
      removePrefix nixosPath s != s;
  # Copy modules given as extra configuration files.  Unfortunately, we
  # cannot serialized attribute set given in the list of modules (that's why
  # you should use files).
  moduleFiles =
    filter isPath modules;
  # Partition module files because between NixOS and non-NixOS files.  NixOS
  # files may change if the repository is updated.
  partitionnedModuleFiles =
    let p = partition isNixOSFile moduleFiles; in
    { nixos = p.right; others = p.wrong; };
  # Path transformed to be valid on the installation device.  Thus the
  # device configuration could be rebuild.
  relocatedModuleFiles =
    let
      relocateNixOS = path:
        "/etc/nixos/nixos" + removePrefix nixosPath (toString path);
      relocateOthers = null;
    in
      { nixos = map relocateNixOS partitionnedModuleFiles.nixos;
        others = []; # TODO: copy the modules to the install-device repository.
      };
  # A dummy /etc/nixos/configuration.nix in the booted CD that
  # rebuilds the CD's configuration (and allows the configuration to
  # be modified, of course, providing a true live CD).  Problem is
  # that we don't really know how the CD was built - the Nix
  # expression language doesn't allow us to query the expression being
  # evaluated.  So we'll just hope for the best.
  configClone = pkgs.writeText "configuration.nix"
    ''
      {config, pkgs, ...}:
      {
        require = [
          ${toString config.installer.cloneConfigIncludes}
        ];
        # Add your own options below and run "nixos-rebuild switch".
        # E.g.,
        #   services.openssh.enable = true;
      }
    '';
 in
 {
  imports = [
    # Enable devices which are usually scanned, because we don't know the
    # target system.
    ../installer/scan/detected.nix
    ../installer/scan/not-detected.nix
  ];
  options = {
    system.nixosVersion = mkOption {
      default = "${builtins.readFile ../../VERSION}";
      description = ''
        NixOS version number.
      '';
    };
    installer.cloneConfig = mkOption {
      default = true;
      description = ''
        Try to clone the installation-device configuration by re-using it's
        profile from the list of imported modules.
      '';
    };
    installer.cloneConfigIncludes = mkOption {
      default = [];
      example = [ "./nixos/modules/hardware/network/rt73.nix" ];
      description = ''
        List of modules used to re-build this installation device profile.
      '';
    };
    # Ignored. Kept for Backward compatibiliy.
    # you can retrieve the profiles which have been used by looking at the
    # list of modules use to configure the installation device.
    installer.configModule = mkOption {
      example = "./nixos/modules/installer/cd-dvd/installation-cd.nix";
      description = ''
        Filename of the configuration module that builds the CD
        configuration.  Must be specified to support reconfiguration
        in live CDs.
      '';
    };
  };
  config = {
    installer.cloneConfigIncludes =
      relocatedModuleFiles.nixos ++ relocatedModuleFiles.others;
    # Show the manual.
    services.nixosManual.showManual = true;
    # Let the user play Rogue on TTY 8 during the installation.
    services.rogue.enable = true;
    # Disable some other stuff we don't need.
    security.sudo.enable = false;
    # Include only the en_US locale.  This saves 75 MiB or so compared to
    # the full glibcLocales package.
    i18n.supportedLocales = ["en_US.UTF-8/UTF-8" "en_US/ISO-8859-1"];
    # nixos-install will do a pull from this channel to speed up the
    # installation.
    installer.nixpkgsURL = http://nixos.org/releases/nixpkgs/channels/nixpkgs-unstable;
    boot.postBootCommands =
      ''
        # Provide a mount point for nixos-install.
        mkdir -p /mnt
        ${optionalString config.installer.cloneConfig ''
          # Provide a configuration for the CD/DVD itself, to allow users
          # to run nixos-rebuild to change the configuration of the
          # running system on the CD/DVD.
          cp ${configClone} /etc/nixos/configuration.nix
       ''}
      '';
    # Force the xserver autorun to false.
    services.xserver.autorun = mkForce false;
    services.xserver.defaultDepth = mkForce 16;
    # Some more help text.
    services.mingetty.helpLine =
      ''
        Log in as "root" with an empty password.  ${
          if config.services.xserver.enable then
            "Type `start xserver' to start\nthe graphical user interface."
          else ""
        }
      '';
    # Allow sshd to be started manually through "start sshd".  It should
    # not be started by default on the installation CD because the
    # default root password is empty.
    services.openssh.enable = true;
    jobs.sshd.startOn = pkgs.lib.mkOverride 50 "";
    # Enable wpa_supplicant, but don't start it by default.
    networking.enableWLAN = true;
    jobs.wpa_supplicant.startOn = pkgs.lib.mkOverride 50 "";
  };
 }
--- a/modules/profiles/minimal.nix
+++ b/modules/profiles/minimal.nix
@ -0,0 +1,15 @@
 # This module defines a small NixOS configuration.  It does not
 # contain any graphical stuff.
 {config, pkgs, ...}:
 {
  require = [ ./base.nix ];
  # Don't include X libraries.
  services.openssh.forwardX11 = false;
  services.dbus.enable = false; # depends on libX11
  services.hal.enable = false; # depends on dbus
  fonts.enableFontConfig = false;
  fonts.enableCoreFonts = false;
 }
--- a/modules/profiles/rescue.nix
+++ b/modules/profiles/rescue.nix
@ -0,0 +1,52 @@
 # This module defines a small NixOS configuration.  It does not contain any
 # graphical stuff but contains many tools useful for the rescue.
 {config, pkgs, ...}:
 {
  require = [ ./minimal.nix ];
  # Useful for rescue..
  environment.systemPackages = with pkgs; [
    utillinuxCurses ddrescue 
    pciutils sdparm hdparm hddtemp usbutils
    btrfsProgs xfsprogs jfsutils jfsrec
    iproute 
    fuse ntfs3g smbfsFuse sshfsFuse
    manpages irssi elinks mcabber mutt openssh lftp 
    openssl ncat socat
    gnupg1 gnupg
    patch which diffutils gcc binutils bc file
    screen
    bvi joe nvi 
    subversion16 monotone git darcs mercurial bazaar cvs
    unrar unzip zip lzma cabextract cpio 
    lsof
  ];
  boot.kernelPackages = pkgs.linuxPackages_2_6_32;
  boot.initrd.kernelModules = [
    "evdev" "i8042" "pcips2" "serio" "sd_mod" "libata" "unix" "usbhid"
    "uhci_hcd" "atkbd" "xtkbd" "fbdev" "iso9660" "udf" "loop"
  ];
  boot.kernelModules = [
    "fbcon"
    "radeonfb"
    "intelfb"
    "sisfb"
    "nvidiafb"
    "cirrusfb"
  ];
  boot.kernelParams = [
    "selinux=0"
    "acpi=on"
    "apm=off"
    "console=tty1"
    "splash=verbose"
  ];
  services.ttyBackgrounds.enable = false;
 }
--- a/modules/programs/bash/bash.nix
+++ b/modules/programs/bash/bash.nix
@ -1,19 +1,21 @@
 # This module defines global configuration for the Bash shell, in
 # particular /etc/bashrc and /etc/profile.
-{config, pkgs, ...}:
+{ config, pkgs, ... }:
 with pkgs.lib;
 let
  options = {
-    environment.shellInit = pkgs.lib.mkOption {
+    environment.shellInit = mkOption {
        default = "";
        example = ''export PATH=/godi/bin/:$PATH'';
        description = "
          Script used to initialized user shell environments.
        ";
-        merge = pkgs.lib.mergeStringOption;
+        merge = mergeStringOption;
      };
  };
@ -57,4 +59,13 @@ in
    ];
  system.build.binsh = pkgs.bashInteractive;
  system.activationScripts.binsh = stringAfter [ "stdio" ]
    ''
      # Create the required /bin/sh symlink; otherwise lots of things
      # (notably the system() function) won't work.
      mkdir -m 0755 -p /bin
      ln -sfn ${config.system.build.binsh}/bin/sh /bin/sh
    '';
 }
--- a/modules/programs/bash/bashrc.sh
+++ b/modules/programs/bash/bashrc.sh
@ -15,14 +15,14 @@ export LOCATE_PATH=/var/cache/locatedb
 # Include the various profiles in the appropriate environment variables.
 NIX_USER_PROFILE_DIR=/nix/var/nix/profiles/per-user/$USER
-NIX_PROFILES="/var/run/current-system/sw /nix/var/nix/profiles/default $NIX_USER_PROFILE_DIR/profile"
+NIX_PROFILES="/var/run/current-system/sw /nix/var/nix/profiles/default $HOME/.nix-profile"
 unset PATH INFOPATH PKG_CONFIG_PATH PERL5LIB GST_PLUGIN_PATH KDEDIRS
 unset XDG_CONFIG_DIRS XDG_DATA_DIRS
 for i in $NIX_PROFILES; do # !!! reverse
    # We have to care not leaving an empty PATH element, because that means '.' to Linux
-    export PATH=$i/bin:$i/sbin${PATH:+:}$PATH
+    export PATH=$i/bin:$i/sbin:$i/lib/kde4/libexec${PATH:+:}$PATH
    export INFOPATH=$i/info:$i/share/info${INFOPATH:+:}$INFOPATH
    export PKG_CONFIG_PATH="$i/lib/pkgconfig${PKG_CONFIG_PATH:+:}$PKG_CONFIG_PATH"
@ -30,12 +30,15 @@ for i in $NIX_PROFILES; do # !!! reverse
    # from Nixpkgs <= 0.12.
    export PERL5LIB="$i/lib/perl5/site_perl:$i/lib/site_perl${PERL5LIB:+:}$PERL5LIB"
    # ALSA plugins
    export ALSA_PLUGIN_DIRS="$i/lib/alsa-lib${ALSA_PLUGIN_DIRS:+:}$ALSA_PLUGIN_DIRS"
    # GStreamer.
    export GST_PLUGIN_PATH="$i/lib/gstreamer-0.10${GST_PLUGIN_PATH:+:}$GST_PLUGIN_PATH"
    # KDE/Gnome stuff.
    export KDEDIRS=$i${KDEDIRS:+:}$KDEDIRS
-    export QT_PLUGIN_PATH=$i/plugins:$i/lib/qt4/plugins${QT_PLUGIN_PATH:+:}$QT_PLUGIN_PATH
+    export QT_PLUGIN_PATH=$i/lib/qt4/plugins:$i/lib/kde4/plugins${QT_PLUGIN_PATH:+:}$QT_PLUGIN_PATH
    export XDG_CONFIG_DIRS=$i/etc/xdg${XDG_CONFIG_DIRS:+:}$XDG_CONFIG_DIRS
    export XDG_DATA_DIRS=$i/share${XDG_DATA_DIRS:+:}$XDG_DATA_DIRS
 done
@ -43,7 +46,7 @@ done
 # Search directory for Aspell dictionaries.
-export ASPELL_CONF="dict-dir $NIX_USER_PROFILE_DIR/profile/lib/aspell"
+export ASPELL_CONF="dict-dir $HOME/.nix-profile/lib/aspell"
 # ~/bin and the setuid wrappers override other bin directories.
--- a/modules/security/policykit.nix
+++ b/modules/security/policykit.nix
@ -51,7 +51,7 @@ in
        }
      ];
-    system.activationScripts.policyKit = fullDepEntry
+    system.activationScripts.policyKit = stringAfter [ "users" ]
      ''
        mkdir -m 0770 -p /var/run/PolicyKit
        chown root.polkituser /var/run/PolicyKit
@ -63,7 +63,7 @@ in
        touch /var/lib/misc/PolicyKit.reload
        chmod 0664 /var/lib/misc/PolicyKit.reload
        chown polkituser.polkituser /var/lib/misc/PolicyKit.reload
-      '' [ "users" ];
+      '';
  };
--- a/modules/security/polkit.nix
+++ b/modules/security/polkit.nix
@ -27,12 +27,10 @@ in
    environment = {
      systemPackages = [ pkWrapper ];
      pathsToLink = [ "/share/polkit-1" "/etc/polkit-1" ];
-      etc = [
+      etc = singleton
-        {
+        { source = "${config.system.path}/etc/polkit-1";
          source = "${config.system.path}/etc/polkit-1";
          target = "polkit-1";
-        }
+        };
      ];
    };
    services.dbus.packages = [ pkWrapper ];
@ -41,18 +39,16 @@ in
      pam.services = [ { name = "polkit-1"; } ];
      setuidPrograms = [ "pkexec" ];
-      setuidOwners = [
+      setuidOwners = singleton
-        {
+        { program = "polkit-agent-helper-1";
          program = "polkit-agent-helper-1";
          owner = "root";
          group = "root";
          setuid = true;
          source = pkgs.polkit + "/" + pkWrapper.helper;
-        }
+        };
      ];
    };
-    system.activationScripts.polikit = pkgs.stringsWithDeps.noDepEntry
+    system.activationScripts.polkit =
      ''
        mkdir -p /var/lib/polkit-1/localauthority
        chmod 700 /var/lib/polkit-1{/localauthority,}
--- a/modules/security/setuid-wrappers.nix
+++ b/modules/security/setuid-wrappers.nix
@ -75,7 +75,7 @@ in
  config = {
    security.setuidPrograms =
-      [ "crontab" "fusermount" "wodim" "cdrdao" "growisofs" ];
+      [ "fusermount" "wodim" "cdrdao" "growisofs" ];
    system.activationScripts.setuid =
      let
@ -110,7 +110,7 @@ in
            chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${wrapperDir}/${program}
          '';
-      in pkgs.stringsWithDeps.fullDepEntry
+      in stringAfter [ "users" ] 
        ''
          # Look in the system path and in the default profile for
          # programs to be wrapped.
@ -120,7 +120,7 @@ in
          mkdir -p ${wrapperDir}
          ${concatMapStrings makeSetuidWrapper setuidPrograms}
-        '' [ "defaultPath" "users" ];
+        '';
  };
--- a/modules/services/backup/hydra-mirror.nix
+++ b/modules/services/backup/hydra-mirror.nix
@ -0,0 +1,87 @@
 { config, pkgs, ... }:
 with pkgs.lib;
 let 
  cfg = config.services.hydraChannelMirror ;
  mirrorChannel = pkgs.fetchsvn {
    url = https://svn.nixos.org/repos/nix/release/trunk/channels/mirror-channel.pl;
    rev = 24132;
    sha256 = "02xvswbbr2sj9k1wfraa0j9053vf6w88nhk15qwzs8nkm180n820";
  };
  cronjob = jobset : ''
    ${cfg.period} root ENABLE_PATCHES=1 PATH=${config.environment.nix}/libexec/nix:$PATH perl -I${config.environment.nix}/libexec/nix ${mirrorChannel} ${cfg.hydraURL}/jobset/${jobset.project}/${jobset.jobset}/channel/latest ${cfg.dataDir}/channels/${jobset.relURL} ${cfg.dataDir}/nars ${cfg.mirrorURL}/nars ${cfg.dataDir}/patches ${cfg.mirrorURL}/patches ${if jobset.nixexprs == "" then "" else "${cfg.hydraURL}/job/${jobset.project}/${jobset.jobset}/${jobset.nixexprs}/latest/download-by-type/file/source-dist"} >> ${cfg.dataDir}/logs/${jobset.name}.log
  '';
 in
 {
  options = {
    services.hydraChannelMirror = {
      enable = mkOption {
        default = false;
        description = ''
          Whether to enable Hydra channel mirroring.
        '';
      };
      period = mkOption {
        default = "15 * * * *";
        description = ''
          This option defines (in the format used by cron) when the
          mirroring should occur.
        '';
      };
      jobsets = mkOption {
        default = [ rec { name = "nixpkgs-unstable"; project = "nixpkgs"; jobset = "trunk"; nixexprs = "tarball"; relURL = "nixpkgs/channels/${name}"; } ];
        description = ''
          List of jobsets to mirror.
        '';
      };
      hydraURL = mkOption {
        default = "http://hydra.nixos.org";
        description = ''
          Location (URL) of Hydra instance
        '';
      };
      mirrorURL = mkOption {
        default = "http://nixos.org/releases";
        description = ''
          Location (URL) of Hydra mirror
        '';
      };
      dataDir = mkOption {
        default = "/data/hydra-mirror";
        description = ''
          Location of Hydra mirror data
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    services.cron.systemCronJobs = map cronjob cfg.jobsets ;
    system.activationScripts.hydraChannelMirror = stringAfter [ "stdio" "users" ]
      ''
        mkdir -m 0755 -p ${cfg.dataDir}
        mkdir -m 0755 -p ${cfg.dataDir}/nars
        mkdir -m 0755 -p ${cfg.dataDir}/patches
        mkdir -m 0755 -p ${cfg.dataDir}/channels
        ln -fs ${cfg.dataDir}/nars ${cfg.dataDir}/channels/nars 
        ln -fs ${cfg.dataDir}/patches ${cfg.dataDir}/channels/patches 
        mkdir -m 0755 -p ${cfg.dataDir}/logs
        ${concatMapStrings (j : ''
        mkdir -m 0755 -p ${cfg.dataDir}/channels/${j.relURL}
        '') cfg.jobsets}
      '';
  };
 }
--- a/modules/services/backup/mysql-backup.nix
+++ b/modules/services/backup/mysql-backup.nix
@ -1,7 +1,9 @@
-{pkgs, config, ...}:
+{ config, pkgs, ... }:
 with pkgs.lib;
 let
-  inherit (pkgs.lib) mkOption mkIf singleton concatStrings;
+
  inherit (pkgs) mysql gzip;
  location = config.services.mysqlBackup.location ;
@ -58,14 +60,15 @@ in
  };
  config = mkIf config.services.mysqlBackup.enable {
    services.cron = {
      systemCronJobs = map mysqlBackupCron config.services.mysqlBackup.databases;
    };
-    system.activationScripts.mysqlBackup = pkgs.stringsWithDeps.fullDepEntry ''
+    services.cron.systemCronJobs = map mysqlBackupCron config.services.mysqlBackup.databases;
    system.activationScripts.mysqlBackup = stringAfter [ "stdio" "defaultPath" "systemConfig" "users" ]
      ''
        mkdir -m 0700 -p ${config.services.mysqlBackup.location}
        chown ${config.services.mysqlBackup.user} ${config.services.mysqlBackup.location}
-    '' [ "stdio" "defaultPath" "systemConfig" "users" ];
+      '';
  };
 }
--- a/modules/services/backup/postgresql-backup.nix
+++ b/modules/services/backup/postgresql-backup.nix
@ -1,12 +1,14 @@
-{pkgs, config, ...}:
+{ config, pkgs, ... }:
 with pkgs.lib;
 let
  inherit (pkgs.lib) mkOption mkIf singleton concatStrings;
  inherit (pkgs) postgresql gzip;
  location = config.services.postgresqlBackup.location ;
-  postgresqlBackupCron = db : ''
+  postgresqlBackupCron = db:
    ''
      ${config.services.postgresqlBackup.period} root ${postgresql}/bin/pg_dump ${db} | ${gzip}/bin/gzip -c > ${location}/${db}.gz
    ''; 
@ -52,14 +54,13 @@ in
  };
  config = mkIf config.services.postgresqlBackup.enable {
-    services.cron = {
+    services.cron.systemCronJobs = map postgresqlBackupCron config.services.postgresqlBackup.databases;
      systemCronJobs = map postgresqlBackupCron config.services.postgresqlBackup.databases;
    };
-    system.activationScripts.postgresqlBackup = pkgs.stringsWithDeps.fullDepEntry ''
+    system.activationScripts.postgresqlBackup = stringAfter [ "stdio" "defaultPath" "systemConfig" "users" ]
      ''
        mkdir -m 0700 -p ${config.services.postgresqlBackup.location}
        chown root ${config.services.postgresqlBackup.location}
-    '' [ "stdio" "defaultPath" "systemConfig" "users" ];
+      '';
  };
 }
--- a/modules/services/backup/sitecopy-backup.nix
+++ b/modules/services/backup/sitecopy-backup.nix
@ -1,7 +1,8 @@
-{pkgs, config, ...}:
+{ config, pkgs, ... }:
 with pkgs.lib;
 let
  inherit (pkgs.lib) mkOption mkIf singleton concatStrings;
  inherit (pkgs) sitecopy;
  stateDir = "/var/spool/sitecopy";
@ -63,13 +64,10 @@ in
  config = mkIf config.services.sitecopy.enable {
    environment.systemPackages = [ sitecopy ];
-    services.cron = {
+    services.cron.systemCronJobs = map sitecopyCron config.services.sitecopy.backups;
      systemCronJobs = map sitecopyCron config.services.sitecopy.backups;
    };
-
+    system.activationScripts.sitecopyBackup = stringAfter [ "stdio" "systemConfig" "users" ]
-    system.activationScripts.sitecopyBackup = 
+      ''  
      pkgs.stringsWithDeps.fullDepEntry ''  
        mkdir -m 0700 -p ${stateDir}
        chown root ${stateDir}
        touch ${stateDir}/sitecopy.secrets
@ -100,8 +98,7 @@ in
            fi
          '' ) config.services.sitecopy.backups 
        )}
-
+      '';
      '' [ "stdio" "defaultPath" "systemConfig" "users" ] ;
  };
 }
--- a/modules/services/hardware/udev.nix
+++ b/modules/services/hardware/udev.nix
@ -38,7 +38,7 @@ let
      cp -v ${udev}/libexec/rules.d/*.rules $out/
      # Set a reasonable $PATH for programs called by udev rules.
-      echo 'ENV{PATH}="${pkgs.coreutils}/bin:${pkgs.gnused}/bin:${pkgs.utillinux}/bin"' > $out/00-path.rules
+      echo 'ENV{PATH}="${udevPath}/bin:${udevPath}/sbin"' > $out/00-path.rules
      # Set the firmware search path so that the firmware.sh helper
      # called by 50-firmware.rules works properly.
@ -84,6 +84,15 @@ let
    #udev_log="debug"
  '';
  # Udev has a 512-character limit for ENV{PATH}, so create a symlink
  # tree to work around this.
  udevPath = pkgs.buildEnv {
    name = "udev-path";
    paths = cfg.path;
    pathsToLink = [ "/bin" "/sbin" ];
    ignoreCollisions = true;
  };
 in
 {
@ -118,6 +127,15 @@ in
        '';
      };
      path = mkOption {
        default = [];
        merge = mergeListOption;
        description = ''
          Packages added to the <envar>PATH</envar> environment variable when
          executing programs from Udev rules.
        '';
      };
      extraRules = mkOption {
        default = "";
        example = ''
@ -159,7 +177,9 @@ in
    services.udev.extraRules = nixosRules;
-    services.udev.packages = [extraUdevRules];
+    services.udev.packages = [ extraUdevRules ];
    services.udev.path = [ pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.utillinux ];
    jobs.udev =
      { startOn = "startup";
--- a/modules/services/mail/mail.nix
+++ b/modules/services/mail/mail.nix
@ -0,0 +1,33 @@
 { config, pkgs, ... }:
 with pkgs.lib;
 {
  ###### interface
  options = {
    services.mail = {
      sendmailSetuidWrapper = mkOption {
        default = null;
        description = ''
          Configuration for the sendmail setuid wrwapper (like an element of
          security.setuidOwners)";
        '';
      };
    };
  };
  ###### implementation
  config = mkIf (config.services.mail.sendmailSetuidWrapper != null) {
    security.setuidOwners = [ config.services.mail.sendmailSetuidWrapper ];
  };
 }
--- a/modules/services/mail/postfix.nix
+++ b/modules/services/mail/postfix.nix
@ -112,6 +112,11 @@ in
        description = "Whether to run the Postfix mail server.";
      };
      setSendmail = mkOption {
        default = true;
        description = "Whether to set the system sendmail to postfix's.";
      };
      user = mkOption {
        default = "postfix";
        description = "What to call the Postfix user (must be used only for postfix).";
@ -254,11 +259,25 @@ in
  config = mkIf config.services.postfix.enable {
-    environment.etc = singleton
+    environment = {
      etc = singleton
        { source = "/var/postfix/conf";
          target = "postfix";
        };
      # This makes comfortable for root to run 'postqueue' for example.
      systemPackages = [ pkgs.postfix ];
    };
    services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
      program = "sendmail";
      source = "${pkgs.postfix}/bin/sendmail";
      owner = "nobody";
      group = "postdrop";
      setuid = false;
      setgid = true;
    };
    users.extraUsers = singleton
      { name = user;
        description = "Postfix mail server user";
--- a/modules/services/misc/folding-at-home.nix
+++ b/modules/services/misc/folding-at-home.nix
@ -0,0 +1,74 @@
 { config, pkgs, ... }:
 with pkgs.lib;
 let
  stateDir = "/var/lib/foldingathome";
  cfg = config.services.foldingAtHome;
  fahUser = "foldingathome";
 in {
  ###### interface
  options = {
    services.foldingAtHome = {
      enable = mkOption {
        default = false;
        description = ''
          Whether to enable the Folding@Home to use idle CPU time.
        '';
      };
      nickname = mkOption {
        default = "Anonymous";
        description = ''
          A unique handle for statistics.
        '';
      };
      config = mkOption {
        default = "";
        description = ''
          Extra configuration. Contents will be added verbatim to the 
          configuration file.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    users.extraUsers = singleton
      { name = fahUser;
        uid = config.ids.uids.foldingAtHome;
        description = "Folding@Home user";
        home = stateDir;
      };
    jobs.foldingAtHome =
      { name = "foldingathome";
        startOn = "started network-interfaces";
        stopOn = "stopping network-interfaces";
        preStart =
          ''
            mkdir -m 0755 -p ${stateDir}
            chown ${fahUser} ${stateDir}
            cp -f ${pkgs.writeText "client.cfg" cfg.config} ${stateDir}/client.cfg
          '';
        exec = "${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${fahUser} -c 'cd ${stateDir}; ${pkgs.foldingathome}/bin/fah6'";
      };
      services.foldingAtHome.config = ''
          [settings]
          username=${cfg.nickname}
      '';
  };
 }
--- a/modules/services/misc/nix-daemon.nix
+++ b/modules/services/misc/nix-daemon.nix
@ -277,7 +277,7 @@ in
        # do this, mount the remote file system on a subdirectory of
        # /var/run/nix/remote-stores.
        export NIX_OTHER_STORES=/var/run/nix/remote-stores/*/nix
-      '' 
+      '' # */
      + optionalString config.nix.distributedBuilds ''
        export NIX_BUILD_HOOK=${config.environment.nix}/libexec/nix/build-remote.pl
        export NIX_REMOTE_SYSTEMS=/etc/nix.machines
@ -292,6 +292,33 @@ in
    users.extraUsers = map makeNixBuildUser (pkgs.lib.range 1 config.nix.nrBuildUsers);
    system.activationScripts.nix = stringAfter [ "etc" "users" ]
      ''
        # Set up Nix.
        mkdir -p /nix/etc/nix
        ln -sfn /etc/nix.conf /nix/etc/nix/nix.conf
        chown root.nixbld /nix/store
        chmod 1775 /nix/store
        # Nix initialisation.
        mkdir -m 0755 -p \
          /nix/var/nix/gcroots \
          /nix/var/nix/temproots \
          /nix/var/nix/manifests \
          /nix/var/nix/userpool \
          /nix/var/nix/profiles \
          /nix/var/nix/db \
          /nix/var/log/nix/drvs \
          /nix/var/nix/channel-cache \
          /nix/var/nix/chroots
        mkdir -m 1777 -p /nix/var/nix/gcroots/per-user
        mkdir -m 1777 -p /nix/var/nix/profiles/per-user
        mkdir -m 1777 -p /nix/var/nix/gcroots/tmp
        ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/
        ln -sf /nix/var/nix/manifests /nix/var/nix/gcroots/
      '';
  };
 }
--- a/modules/services/monitoring/systemhealth.nix
+++ b/modules/services/monitoring/systemhealth.nix
@ -75,7 +75,8 @@ in
  config = mkIf cfg.enable {
    services.cron.systemCronJobs = [ cronJob ];
-    system.activationScripts.systemhealth = fullDepEntry ''
+    system.activationScripts.systemhealth = stringAfter [ "var" ]
      ''
        mkdir -p ${rrdDir} ${htmlDir}
        chown wwwrun.wwwrun ${rrdDir} ${htmlDir}
@ -111,7 +112,7 @@ in
        ${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --check" wwwrun
        ${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --html" wwwrun
-    '' [ "var" ];
+      '';
    services.httpd.extraSubservices = [
      { function = f: {
--- a/modules/services/networking/amuled.nix
+++ b/modules/services/networking/amuled.nix
@ -0,0 +1,71 @@
 { config, pkgs, ... }:
 with pkgs.lib;
 let
  cfg = config.services.amule;
  user = if cfg.user != null then cfg.user else "amule";
 in
 {
  ###### interface
  options = {
    services.amule = {
      enable = mkOption {
        default = false;
        description = ''
          Whether to run the AMule daemon. You need to manually run "amuled --ec-config" to configure the service for the first time.
        '';
      };
      dataDir = mkOption {
        default = ''/home/${user}/'';
        description = ''
          The directory holding configuration, incoming and temporary files.
        '';
      };
      user = mkOption {
        default = null;
        description = ''
          The user the AMule daemon should run as.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    users.extraUsers = mkIf (cfg.user == null) [
      { name = "amule";
        description = "AMule daemon";
      } ];
    jobs.amuled =
      { description = "AMule daemon";
        startOn = "ip-up";
        preStart = ''
            mkdir -p ${cfg.dataDir}
            chown ${user} ${cfg.dataDir}
        '';
        exec = ''
            ${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${user} \
                -c 'HOME="${cfg.dataDir}" ${pkgs.amuleDaemon}/bin/amuled'
        '';
      };
  };
 }
--- a/modules/services/networking/avahi-daemon.nix
+++ b/modules/services/networking/avahi-daemon.nix
@ -81,12 +81,6 @@ in
          Whether to enable the mDNS NSS (Name Service Switch) plug-in.
          Enabling it allows applications to resolve names in the `.local'
          domain by transparently querying the Avahi daemon.
          Warning: Currently, enabling this option breaks DNS lookups after
          a `nixos-rebuild'.  This is because `/etc/nsswitch.conf' is
          updated to use `nss-mdns' but `libnss_mdns' is not in
          applications' `LD_LIBRARY_PATH'.  The next time `/etc/profile' is
          sourced, it will set up an appropriate `LD_LIBRARY_PATH', though.
        '';
      };
@ -130,7 +124,7 @@ in
            mkdir -p /var/run/avahi-daemon
-            exec ${avahi}/sbin/avahi-daemon --daemonize -f "${avahiDaemonConf}"
+            exec ${avahi}/sbin/avahi-daemon --syslog -f "${avahiDaemonConf}"
          '';
      };
--- a/modules/services/networking/dhclient.nix
+++ b/modules/services/networking/dhclient.nix
@ -78,9 +78,13 @@ in
            for i in $(cd /sys/class/net && ls -d *); do
                # Only run dhclient on interfaces of type ARPHRD_ETHER
-                # (1), i.e. Ethernet.
+                # (1), i.e. Ethernet.  Ignore peth* devices; on Xen,
                # they're renamed physical Ethernet cards used for
                # bridging.
                if [ "$(cat /sys/class/net/$i/type)" = 1 ]; then
-                    if ! for j in ${toString ignoredInterfaces}; do echo $j; done | grep -F -x -q "$i"; then
+                    if ! for j in ${toString ignoredInterfaces}; do echo $j; done | grep -F -x -q "$i" &&
                       ! echo "$i" | grep -x -q "peth.*";
 		    then
                        echo "Running dhclient on $i"
                        interfaces="$interfaces $i"
                    fi
--- a/modules/services/networking/ntpd.nix
+++ b/modules/services/networking/ntpd.nix
@ -20,7 +20,7 @@ let
    # chroot to ${stateDir}, we have to specify it as /ntp.drift.
    driftfile /ntp.drift
-    ${toString (map (server: "server " + server + "\n") servers)}
+    ${toString (map (server: "server " + server + " iburst\n") servers)}
  '';
  ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup -i ${stateDir}";
--- a/modules/services/networking/quassel.nix
+++ b/modules/services/networking/quassel.nix
@ -3,8 +3,9 @@
 with pkgs.lib;
 let
-  quassel = pkgs.quassel.override { daemon = true; monolithic = false; client = false; };
+  quassel = pkgs.quasselDaemon;
  cfg = config.services.quassel;
  user = if cfg.user != null then cfg.user else "quassel";
 in
 {
@ -38,22 +39,17 @@ in
        '';
      };
      logFile = mkOption {
        default = "/var/log/quassel.log";
        description = "Location of the logfile of the Quassel daemon.";
      };
      dataDir = mkOption {
-        default = ''/home/${cfg.user}/.config/quassel-irc.org'';
+        default = ''/home/${user}/.config/quassel-irc.org'';
        description = ''
          The directory holding configuration files, the SQlite database and the SSL Cert.
        '';
      };
      user = mkOption {
-        default = "quassel";
+        default = null;
        description = ''
-          The user the Quassel daemon should run as.
+          The existing user the Quassel daemon should run as. If left empty, a default "quassel" user will be created.
        '';
      };
@ -66,10 +62,10 @@ in
  config = mkIf cfg.enable {
-    users.extraUsers = singleton
+    users.extraUsers = mkIf (cfg.user == null) [
-      { name = cfg.user;
+      { name = "quassel";
        description = "Quassel IRC client daemon";
-      };
+      }];
    jobs.quassel =
@ -79,19 +75,16 @@ in
        preStart = ''
            mkdir -p ${cfg.dataDir}
-            chown ${cfg.user} ${cfg.dataDir}
+            chown ${user} ${cfg.dataDir}
            touch ${cfg.logFile} && chown ${cfg.user} ${cfg.logFile}
        '';
        exec = ''
-            ${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${cfg.user} \
+            ${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${user} \
                -c '${quassel}/bin/quasselcore --listen=${cfg.interface}\
-                    --port=${toString cfg.portNumber} --configdir=${cfg.dataDir} --logfile=${cfg.logFile}'
+                    --port=${toString cfg.portNumber} --configdir=${cfg.dataDir}'
        '';
      };
    environment.systemPackages = [ quassel ];
  };
 }
--- a/modules/services/printing/cupsd.nix
+++ b/modules/services/printing/cupsd.nix
@ -134,10 +134,7 @@ in
        startOn = "started network-interfaces";
        stopOn = "stopping network-interfaces";
-        environment = {
+        path = [ config.system.path ];
          # Cups scripts for printing (psto...) require awk, sed, grep, ...
          PATH = "${config.system.path}/bin";
        };
        preStart =
          ''
--- a/modules/services/scheduling/atd.nix
+++ b/modules/services/scheduling/atd.nix
@ -66,7 +66,7 @@ in
    jobs.atd =
      { description = "at daemon (atd)";
-        startOn = "started udev";
+        startOn = "stopped udevtrigger";
        preStart =
          ''
@ -99,7 +99,9 @@ in
            fi
          '';
-        exec = "${at}/sbin/atd -f";
+        exec = "${at}/sbin/atd";
        daemonType = "fork";
      };
  };
--- a/modules/services/scheduling/cron.nix
+++ b/modules/services/scheduling/cron.nix
@ -16,6 +16,13 @@ let
      ${pkgs.lib.concatStrings (map (job: job + "\n") config.services.cron.systemCronJobs)}
    '';
  # Vixie cron requires build-time configuration for the sendmail path.
  cronNixosPkg = pkgs.cron.override {
    # The mail.nix nixos module, if there is any local mail system enabled,
    # should have sendmail in this path.
    sendmailPath = "/var/setuid-wrappers/sendmail";
  };
 in
 {
@ -26,6 +33,11 @@ in
    services.cron = {
      enable = mkOption {
        default = true;
        description = "Whether to enable the `vixie cron' daemon.";
      };
      mailto = mkOption {
        default = "";
        description = " The job output will be mailed to this email address. ";
@ -46,6 +58,10 @@ in
          If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
          will is allowed to have its own crontab file. The /var/cron/cron.deny file
          is created automatically for you. So every user can use a crontab.
          Many nixos modules set systemCronJobs, so if you decide to disable vixie cron
          and enable another cron daemon, you may want it to get its system crontab
          based on systemCronJobs.
        '';
      };
@ -56,7 +72,7 @@ in
  ###### implementation
-  config = {  
+  config = mkIf config.services.cron.enable {
    environment.etc = singleton
      # The system-wide crontab.
@ -65,7 +81,9 @@ in
        mode = "0600"; # Cron requires this.
      };
-    environment.systemPackages = [pkgs.cron];
+    security.setuidPrograms = [ "crontab" ];
    environment.systemPackages = [ cronNixosPkg ];
    jobs.cron =
      { description = "Cron daemon";
@ -86,7 +104,7 @@ in
            fi
          '';
-        exec = "${pkgs.cron}/sbin/cron -n";
+        exec = "${cronNixosPkg}/sbin/cron -n";
      };
  };
--- a/modules/services/scheduling/fcron.nix
+++ b/modules/services/scheduling/fcron.nix
@ -4,20 +4,17 @@ with pkgs.lib;
 let
  # Put all the system cronjobs together.
  # TODO allow using fcron only..
  #systemCronJobs =
  #  config.services.cron.systemCronJobs;
  cfg = config.services.fcron;
  queuelen = if cfg.queuelen == "" then "" else "-q ${toString cfg.queuelen}";
-  # shell is set to /sh in config..
+  systemCronJobsFile = pkgs.writeText "system-crontab"
  # ${pkgs.lib.concatStrings (map (job: job + "\n") systemCronJobs)}
  systemCronJobsFile = pkgs.writeText "fcron-systab"
    ''
-      SHELL=${pkgs.bash}/bin/sh
+      SHELL=${pkgs.bash}/bin/bash
-      PATH=${pkgs.coreutils}/bin:${pkgs.findutils}/bin:${pkgs.gnused}/bin
+      PATH=${config.system.path}/bin:${config.system.path}/sbin
      MAILTO="${config.services.cron.mailto}"
      NIX_CONF_DIR=/nix/etc/nix
      ${pkgs.lib.concatStrings (map (job: job + "\n") config.services.cron.systemCronJobs)}
    '';
  allowdeny = target: users:
@ -42,7 +39,7 @@ in
      };
      allow = mkOption {
-        default = [];
+        default = [ "all" ];
        description = ''
          Users allowed to use fcrontab and fcrondyn (one name per line, "all" for everyone).
        '';
@ -64,7 +61,7 @@ in
      };
      systab = mkOption {
-        default = "";
+        default = systemCronJobsFile;
        description = ''The "system" crontab contents.'';
      };
    };
@ -77,7 +74,7 @@ in
  config = mkIf cfg.enable {
    environment.etc =
-      [ (allowdeny "allow" (["root"] ++ cfg.allow))
+      [ (allowdeny "allow" (cfg.allow))
        (allowdeny "deny" cfg.deny)
        # see man 5 fcron.conf
        { source = pkgs.writeText "fcon.conf" ''
@ -97,6 +94,8 @@ in
    environment.systemPackages = [ pkgs.fcron ];
    security.setuidPrograms = [ "fcrontab" ];
    jobs.fcron =
      { description = "fcron daemon";
--- a/modules/services/security/tor.nix
+++ b/modules/services/security/tor.nix
@ -27,15 +27,18 @@ in
    services.tor = {
-      enable = mkOption {
+      config = mkOption {
-        default = false;
+        default = "";
        description = ''
-          Whether to enable the Tor anonymous routing daemon.
+          Extra configuration. Contents will be added verbatim to the 
          configuration file.
        '';
      };
-      enableClient = mkOption {
+      client = {
-        default = true;
+
        enable = mkOption {
          default = false;
          description = ''
            Whether to enable Tor daemon to route application connections.
            You might want to disable this if you plan running a dedicated Tor relay.
@ -44,10 +47,10 @@ in
        socksListenAddress = mkOption {
          default = "127.0.0.1:9050";
-        example = "127.0.0.1:9050, 192.168.0.1:9100";
+          example = "192.168.0.1:9100";
          description = ''
-          Bind to this address(es) to listen for connections from Socks-speaking 
+            Bind to this address to listen for connections from Socks-speaking 
-          applications. You can also specify a port.
+            applications.
          '';
        };
@ -61,15 +64,9 @@ in
          '';
        };
-      config = mkOption {
+        privoxy = {
        default = "";
        description = ''
          Extra configuration. Contents will be added verbatim to the 
          configuration file.
        '';
      };
-      enablePrivoxy = mkOption {
+          enable = mkOption {
            default = true;
            description = ''
              Whether to enable a special instance of privoxy dedicated to Tor.
@ -78,12 +75,12 @@ in
              Most people using Tor want to anonymize their web traffic, so by 
              default we enable an special instance of privoxy specifically for
              Tor.
-          However, if you are only going to use Tor only as a relay then you
+              However, if you are only going to use Tor only for other kinds of
-          can disable this option.
+              traffic then you can disable this option.
            '';
          };
-      privoxyListenAddress = mkOption {
+          listenAddress = mkOption {
            default = "127.0.0.1:8118";
            description = ''
              Address that Tor's instance of privoxy is listening to.
@ -94,7 +91,7 @@ in
            '';
          };
-      privoxyConfig = mkOption {
+          config = mkOption {
            default = "";
            description = ''
              Extra configuration for Tor's instance of privoxy. Contents will be 
@ -106,16 +103,22 @@ in
            '';
          };
-      enableRelay = mkOption {
+        };
      };
      relay = {      
        enable = mkOption {
          default = false;
          description = ''
-          Whether to enable relaying traffic for others.
+            Whether to enable relaying TOR traffic for others.
            See https://www.torproject.org/docs/tor-doc-relay for details.
          '';
        };
-      isBridgeRelay = mkOption {
+        isBridge = mkOption {
          default = false;
          description = ''
            Bridge relays (or "bridges" ) are Tor relays that aren't listed in the
@ -131,7 +134,7 @@ in
          '';
        };
-      isExitRelay = mkOption {
+        isExit = mkOption {
          default = false;
          description = ''
            An exit relay allows Tor users to access regular Internet services.
@ -150,39 +153,39 @@ in
          '';
        };
-      relayBandwidthRate = mkOption {
+        bandwidthRate = mkOption {
          default = 0;
          example = 100;
          description = ''
            Specify this to limit the bandwidth usage of relayed (server)
-          traffic. Your own traffic is still unthrottled. Units: kilobytes/second.
+            traffic. Your own traffic is still unthrottled. Units: bytes/second.
          '';
        };
-      relayBandwidthBurst = mkOption {
+        bandwidthBurst = mkOption {
-        default = 0;
+          default = cfg.relay.bandwidthRate;
          example = 200;
          description = ''
            Specify this to allow bursts of the bandwidth usage of relayed (server)
            traffic. The average usage will still be as specified in relayBandwidthRate.
-          Your own traffic is still unthrottled. Units: kilobytes/second.
+            Your own traffic is still unthrottled. Units: bytes/second.
          '';
        };
-      relayPort = mkOption {
+        port = mkOption {
          default = 9001;
          description = ''
            What port to advertise for Tor connections.
          '';
        };
-      relayListenAddress = mkOption {
+        listenAddress = mkOption {
          default = "";
          example = "0.0.0.0:9090";
          description = ''
            Set this if you need to listen on a port other than the one advertised
            in relayPort (e.g. to advertise 443 but bind to 9090). You'll need to do
-          ipchains or other port forwarding yourself to make this work.
+            ipchains or other port forwsarding yourself to make this work.
          '';
        };
@ -210,17 +213,15 @@ in
    };
  };
  ###### implementation
-  config = mkIf cfg.enable {
+  config = mkIf (cfg.client.enable || cfg.relay.enable) {
    environment.systemPackages = [ tor ];  # provides tor-resolve and torify
-    assertions = [{
+    assertions = [ {
-      assertion = cfg.enableRelay || cfg.enableClient;
+      assertion = cfg.relay.enable -> !(cfg.relay.isBridge && cfg.relay.isExit);
      message = "Need to either enable TOR client or relay functionality";
    } {
      assertion = cfg.enableRelay -> !(cfg.isBridgeRelay && cfg.isExitRelay);
      message = "Can't be both an exit and a bridge relay at the same time";
    } ];
@ -231,60 +232,57 @@ in
        home = stateDir;
      };
-    jobs.tor =
+    jobs = {
-      { name = "tor";
+      tor = { name = "tor";
              startOn = "started network-interfaces";
              stopOn = "stopping network-interfaces";
-        preStart =
+              preStart = ''
          ''
                mkdir -m 0755 -p ${stateDir}
                chown ${torUser} ${stateDir}
              '';
              exec = "${tor}/bin/tor -f ${pkgs.writeText "torrc" cfg.config}";
-      };
+    }; }
-
+    // optionalAttrs (cfg.client.privoxy.enable && cfg.client.enable) {
-    jobs.torPrivoxy = mkIf (cfg.enablePrivoxy && cfg.enableClient)
+      torPrivoxy = { name = "tor-privoxy";
      { name = "tor-privoxy";
                     startOn = "starting tor";
                     stopOn = "stopping tor"; 
-        preStart =
+                     preStart = ''
          ''
                       mkdir -m 0755 -p ${privoxyDir}
                       chown ${torUser} ${privoxyDir}
                       # Needed to run privoxy as an unprivileged user?
                       ${modprobe}/sbin/modprobe capability || true
                     '';
-        exec = "${privoxy}/sbin/privoxy --no-daemon --user ${torUser} ${pkgs.writeText "torPrivoxy.conf" cfg.privoxyConfig}";
+                     exec = "${privoxy}/sbin/privoxy --no-daemon --user ${torUser} ${pkgs.writeText "torPrivoxy.conf" cfg.client.privoxy.config}";
-      };
+    }; };
      services.tor.config = ''
        DataDirectory ${stateDir}
        User ${torUser}
      ''
-      + optionalString cfg.enableClient  ''
+      + optionalString cfg.client.enable  ''
-        SocksListenAddress ${cfg.socksListenAddress}
+        SocksListenAddress ${cfg.client.socksListenAddress}
-        ${opt "SocksPolicy" cfg.socksPolicy}
+        ${opt "SocksPolicy" cfg.client.socksPolicy}
      ''
-      + optionalString cfg.enableRelay ''
+      + optionalString cfg.relay.enable ''
-        ORPort ${toString cfg.relayPort}
+        ORPort ${toString cfg.relay.port}
-        ${opt "ORListenAddress" cfg.relayListenAddress }
+        ${opt "ORListenAddress" cfg.relay.listenAddress }
-        ${opt "Nickname" cfg.nickname}
+        ${opt "Nickname" cfg.relay.nickname}
-        ${optint "RelayBandwidthRate" cfg.relayBandwidthRate}
+        ${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
-        ${optint "RelayBandwidthBurst" cfg.relayBandwidthBurst}
+        ${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
-        ${if cfg.isExitRelay then opt "ExitPolicy" cfg.exitPolicy else "ExitPolicy reject *:*"}
+        ${if cfg.relay.isExit then opt "ExitPolicy" cfg.relay.exitPolicy else "ExitPolicy reject *:*"}
-        ${if cfg.isBridgeRelay then "BridgeRelay 1" else ""}
+        ${if cfg.relay.isBridge then "BridgeRelay 1" else ""}
      '';
-      services.tor.privoxyConfig = ''
+      services.tor.client.privoxy.config = ''
        # Generally, this file goes in /etc/privoxy/config
        #
        # Tor listens as a SOCKS4a proxy here:
-        forward-socks4a / ${cfg.socksListenAddress} .
+        forward-socks4a / ${cfg.client.socksListenAddress} .
        confdir ${privoxy}/etc
        logdir ${privoxyDir}
        # actionsfile standard  # Internal purpose, recommended
@ -300,7 +298,7 @@ in
        debug   8192 # Errors - *we highly recommended enabling this*
        user-manual ${privoxy}/doc/privoxy/user-manual
-        listen-address  ${cfg.privoxyListenAddress}
+        listen-address  ${cfg.client.privoxy.listenAddress}
        toggle  1
        enable-remote-toggle 0
        enable-edit-actions 0
--- a/modules/services/security/torsocks.nix
+++ b/modules/services/security/torsocks.nix
@ -0,0 +1,72 @@
 { config, pkgs, ... }:
 with pkgs.lib;
 let
  cfg = config.services.tor;
  torsocks = pkgs.writeTextFile {
    name = "torsocks";
    text = ''
        #!${pkgs.stdenv.shell}
        TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" cfg.torsocks.config} LD_PRELOAD="${pkgs.torsocks}/lib/torsocks/libtorsocks.so $LD_PRELOAD" $@
    '';
    executable = true;
    destination = "/bin/torsocks";
  };
 in
 {
  ###### interface
  options = {
    services.tor.torsocks = {
      enable = mkOption {
        default = cfg.client.enable;
        description = ''
          Whether to build torsocks scipt to relay application traffic via TOR.
        '';
      };
      server = mkOption {
        default = cfg.client.socksListenAddress;
        example = "192.168.0.20";
        description = ''
          IP address of TOR client to use.
        '';
      };
      config = mkOption {
        default = "";
        description = ''
          Extra configuration. Contents will be added verbatim to torsocks
          configuration file.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.torsocks.enable {
    environment.systemPackages = [ torsocks ];  # expose it to the users
    services.tor.torsocks.config = ''
      server = ${toString(head (splitString ":" cfg.torsocks.server))}
      server_port = ${toString(tail (splitString ":" cfg.torsocks.server))}
      local = 127.0.0.0/255.128.0.0
      local = 127.128.0.0/255.192.0.0
      local = 169.254.0.0/255.255.0.0
      local = 172.16.0.0/255.240.0.0
      local = 192.168.0.0/255.255.0.0
    '';
  };
 }
--- a/modules/services/web-servers/apache-httpd/mercurial.nix
+++ b/modules/services/web-servers/apache-httpd/mercurial.nix
@ -0,0 +1,77 @@
 { config, pkgs, serverInfo, servicesPath, ... }:
 let
  inherit (pkgs) mercurial;
  inherit (pkgs.lib) mkOption;
  urlPrefix = config.urlPrefix;
  cgi = pkgs.stdenv.mkDerivation {
    name = "mercurial-cgi";  
    buildCommand = ''
      ensureDir $out
      cp -v ${mercurial}/share/cgi-bin/hgweb.cgi $out
      sed -i "s|/path/to/repo/or/config|$out/hgweb.config|" $out/hgweb.cgi
      echo "
      [collections]
      ${config.dataDir} = ${config.dataDir}
      [web]
      style = gitweb
      allow_push = *
      " > $out/hgweb.config
    '';
  };
 in {
  extraConfig = ''
    RewriteEngine on
    RewriteRule /(.*) ${cgi}/hgweb.cgi/$1
    <Location "${urlPrefix}">
        AuthType Basic
        AuthName "Mercurial repositories"
        AuthUserFile ${config.dataDir}/hgusers
        <LimitExcept GET>
            Require valid-user
        </LimitExcept>
    </Location>
    <Directory "${cgi}">
        Order allow,deny
        Allow from all
        AllowOverride All
        Options ExecCGI
        AddHandler cgi-script .cgi
        PassEnv PYTHONPATH
    </Directory>
  '';
  robotsEntries = ''
    User-agent: *
    Disallow: ${urlPrefix}
  '';
  extraServerPath = [
    (pkgs.python+"/bin")    
  ];
  globalEnvVars = [ { name = "PYTHONPATH"; value = "${mercurial}/lib/${pkgs.python.libPrefix}/site-packages"; } ];
  options = {
    urlPrefix = mkOption {
      default = "/hg";
      description = "
        The URL prefix under which the Mercurial service appears.
        Use the empty string to have it appear in the server root.
      ";
    };
    dataDir = mkOption {
      example = "/data/mercurial";
      description = "
        Path to the directory that holds the repositories.
      ";
    };
  };
 }
--- a/modules/services/web-servers/apache-httpd/twiki.nix
+++ b/modules/services/web-servers/apache-httpd/twiki.nix
@ -20,7 +20,7 @@ let
  defaultUrlHost = "";
  # Build the TWiki CGI and configuration files.
-  twikiRoot = (import /etc/nixos/services/twiki/twiki-instance.nix).twiki {
+  twikiRoot = (import /etc/nixos/services/twiki/twiki-instance.nix { inherit pkgs; }).twiki {
    name = "wiki-instance";
    pubdir = pubDir;
    datadir = dataDir;
--- a/modules/services/web-servers/tomcat.nix
+++ b/modules/services/web-servers/tomcat.nix
@ -282,7 +282,7 @@ in
 	    mkdir -p ${cfg.baseDir}/work
 	    chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/work
-	    ${if cfg.axis2.enable == true then
+	    ${if cfg.axis2.enable then
 		''
 		# Copy the Axis2 web application
 		cp -av ${pkgs.axis2}/webapps/axis2 ${cfg.baseDir}/webapps
--- a/modules/services/x11/desktop-managers/kde4.nix
+++ b/modules/services/x11/desktop-managers/kde4.nix
@ -47,7 +47,13 @@ in
          '';
      };
-    security.setuidPrograms = [ "kcheckpass" ];
+    security.setuidOwners = [ {
      program = "kcheckpass";
      source = "${pkgs.kde4.kdebase_workspace}/lib/kde4/libexec/kcheckpass";
      owner = "root";
      group = "root";
      setuid = true;
    } ];
    environment = {
      kdePackages = [
--- a/modules/system/activation/activation-script.nix
+++ b/modules/system/activation/activation-script.nix
@ -1,73 +1,105 @@
 # generate the script used to activate the configuration.
-{pkgs, config, ...}:
+{ config, pkgs, ... }:
 with pkgs.lib;
 let
  inherit (pkgs.lib) mkOption mergeTypedOption mergeAttrs
    mapAttrs addErrorContext fold id filter textClosureMap noDepEntry
    fullDepEntry;
  inherit (builtins) attrNames;
  addAttributeName = mapAttrs (a: v: v // {
    text = ''
-        #### actionScripts snippet ${a} :
+      #### Activation script snippet ${a}:
        #    ========================================
      ${v.text}
    '';
  });
-  defaultScripts = {
+  path =
-  
+    [ pkgs.coreutils pkgs.gnugrep pkgs.findutils
    systemConfig = noDepEntry ''
      systemConfig="$1"
      if test -z "$systemConfig"; then
        systemConfig="/system" # for the installation CD
      fi
    '';
    defaultPath =
      let path = [
        pkgs.coreutils pkgs.gnugrep pkgs.findutils
      pkgs.glibc # needed for getent
      pkgs.shadow
      pkgs.nettools # needed for hostname
-      ]; in noDepEntry ''
+    ];
        export PATH=/empty
        for i in ${toString path}; do
          PATH=$PATH:$i/bin:$i/sbin;
        done
      '';
-    stdio = fullDepEntry ''
+in
 {
  ###### interface
  options = {
    system.activationScripts = mkOption {
      default = {};
      example = {
        stdio = {
          text = ''
            # Needed by some programs.
            ln -sfn /proc/self/fd /dev/fd
            ln -sfn /proc/self/fd/0 /dev/stdin
            ln -sfn /proc/self/fd/1 /dev/stdout
            ln -sfn /proc/self/fd/2 /dev/stderr
-    '' [
+          '';
-      "defaultPath" # path to ln
+          deps = [];
-    ];
+        };
      };
-    binsh = fullDepEntry ''
+      description = ''
-      # Create the required /bin/sh symlink; otherwise lots of things
+        Activate the new configuration (i.e., update /etc, make accounts,
-      # (notably the system() function) won't work.
+        and so on).
-      mkdir -m 0755 -p $mountPoint/bin
+      '';
      ln -sfn ${config.system.build.binsh}/bin/sh $mountPoint/bin/sh
    '' [
      "defaultPath" # path to ln & mkdir
      "stdio" # ?
    ];
-    modprobe = fullDepEntry ''
+      merge = mergeTypedOption "script" builtins.isAttrs (fold mergeAttrs {});
      # Allow the kernel to find our wrapped modprobe (which searches
      # in the right location in the Nix store for kernel modules).
      # We need this when the kernel (or some module) auto-loads a
      # module.
      echo ${config.system.sbin.modprobe}/sbin/modprobe > /proc/sys/kernel/modprobe
    '' [
      # ?
    ];
-    var = fullDepEntry ''
+      apply = set: {
        script =
          ''
            #! ${pkgs.stdenv.shell}
            systemConfig=@out@
            export PATH=/empty
            for i in ${toString path}; do
                PATH=$PATH:$i/bin:$i/sbin;
            done
            ${
              let
                set' = mapAttrs (n: v: if builtins.isString v then noDepEntry v else v) set;
                withHeadlines = addAttributeName set';
              in textClosureMap id (withHeadlines) (attrNames withHeadlines)
            }
            # Make this configuration the current configuration.
            # The readlink is there to ensure that when $systemConfig = /system
            # (which is a symlink to the store), /var/run/current-system is still
            # used as a garbage collection root.
            ln -sfn "$(readlink -f "$systemConfig")" /var/run/current-system
            # Prevent the current configuration from being garbage-collected.
            ln -sfn /var/run/current-system /nix/var/nix/gcroots/current-system
          '';
      };
    };
  };
  ###### implementation
  config = {
    system.activationScripts.stdio =
      ''
        # Needed by some programs.
        ln -sfn /proc/self/fd /dev/fd
        ln -sfn /proc/self/fd/0 /dev/stdin
        ln -sfn /proc/self/fd/1 /dev/stdout
        ln -sfn /proc/self/fd/2 /dev/stderr
      '';
    system.activationScripts.var =
      ''
        # Various log/runtime directories.
        touch /var/run/utmp # must exist
@ -90,131 +122,13 @@ let
        # Empty, read-only home directory of many system accounts.
        mkdir -m 0555 -p /var/empty
    '' [
      "defaultPath" # path to mkdir & touch & chmod
    ];
    rootPasswd = fullDepEntry ''
      # If there is no password file yet, create a root account with an
      # empty password.
      if ! test -e /etc/passwd; then
          rootHome=/root
          touch /etc/passwd; chmod 0644 /etc/passwd
          touch /etc/group; chmod 0644 /etc/group
          touch /etc/shadow; chmod 0600 /etc/shadow
          # Can't use useradd, since it complains that it doesn't know us
          # (bootstrap problem!).
          echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd
          echo "root::::::::" >> /etc/shadow
      fi
    '' [
      "defaultPath" # path to touch & passwd
      "etc" # for /etc
      # ?
    ];
    nix = fullDepEntry ''
      # Set up Nix.
      mkdir -p /nix/etc/nix
      ln -sfn /etc/nix.conf /nix/etc/nix/nix.conf
      chown root.nixbld /nix/store
      chmod 1775 /nix/store
      # Nix initialisation.
      mkdir -m 0755 -p \
          /nix/var/nix/gcroots \
          /nix/var/nix/temproots \
          /nix/var/nix/manifests \
          /nix/var/nix/userpool \
          /nix/var/nix/profiles \
          /nix/var/nix/db \
          /nix/var/log/nix/drvs \
          /nix/var/nix/channel-cache \
          /nix/var/nix/chroots
      mkdir -m 1777 -p /nix/var/nix/gcroots/per-user
      mkdir -m 1777 -p /nix/var/nix/profiles/per-user
      mkdir -m 1777 -p /nix/var/nix/gcroots/tmp
      ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/
      ln -sf /nix/var/nix/manifests /nix/var/nix/gcroots/
    '' [
      "defaultPath"
      "etc" # /etc/nix.conf
      "users" # nixbld group
    ];
    hostname = fullDepEntry ''
      # Set the host name.  Don't clear it if it's not configured in the
      # NixOS configuration, since it may have been set by dhclient in the
      # meantime.
      ${if config.networking.hostName != "" then
          ''hostname "${config.networking.hostName}"''
      else ''
          # dhclient won't do anything if the hostname isn't empty.
          if test "$(hostname)" = "(none)"; then
            hostname ""
          fi
      ''}
    '' [ "defaultPath" ];
    # The activation has to be done at the end. This is forced at the apply
    # function of activationScripts option
    activate = noDepEntry ''
      # Make this configuration the current configuration.
      # The readlink is there to ensure that when $systemConfig = /system
      # (which is a symlink to the store), /var/run/current-system is still
      # used as a garbage collection root.
      ln -sfn "$(readlink -f "$systemConfig")" /var/run/current-system
      # Prevent the current configuration from being garbage-collected.
      ln -sfn /var/run/current-system /nix/var/nix/gcroots/current-system
      '';
-    media = noDepEntry ''
+    system.activationScripts.media =
      ''
        mkdir -p /media
      '';
  };
 in
 {
  require = {
    system = {
      activationScripts = mkOption {
        default = [];
        example = {
          stdio = {
            text = "
              # Needed by some programs.
              ln -sfn /proc/self/fd /dev/fd
              ln -sfn /proc/self/fd/0 /dev/stdin
              ln -sfn /proc/self/fd/1 /dev/stdout
              ln -sfn /proc/self/fd/2 /dev/stderr
            ";
            deps = [];
          };
        };
        description = ''
          Activate the new configuration (i.e., update /etc, make accounts,
          and so on).
        '';
        merge = mergeTypedOption "script" builtins.isAttrs (fold mergeAttrs {});
        apply = set:
          let withHeadlines = addAttributeName set;
              activateLib = removeAttrs withHeadlines ["activate"];
              activateLibNames = attrNames activateLib;
          in {
          script = pkgs.writeScript "nixos-activation-script"
            ("#! ${pkgs.stdenv.shell}\n"
             + textClosureMap id activateLib activateLibNames + "\n"
               # make sure that the activate snippet is added last.
             + withHeadlines.activate.text);
        };
      };
    };
  };
  system.activationScripts = defaultScripts;
 }
--- a/modules/system/activation/switch-to-configuration.sh
+++ b/modules/system/activation/switch-to-configuration.sh
@ -38,7 +38,7 @@ if [ "$action" = "switch" -o "$action" = "boot" ]; then
              if [ "$NIXOS_INSTALL_GRUB" = 1 -o "$oldGrubVersion" != "$newGrubVersion" ]; then
                  echo "installing the GRUB bootloader..."
-                  @grub@/sbin/grub-install "@grubDevice@" --no-floppy --recheck
+                  @grub@/sbin/grub-install "@grubDevice@" --no-floppy
                  echo "$newGrubVersion" > /boot/grub/version
              fi
          fi
@ -110,7 +110,11 @@ EOF
        # forget about current sessions.
        # Idem for the emergeny-shell, because its `console owner'
        # line screws up the X server.
-        if echo "$job" | grep -q "^shutdown$\|^control-alt-delete$\|^xserver$\|^dbus$\|^disnix$\|^emergency-shell$"; then continue; fi
+        # Idem for xendomains because we don't want to save/restore
 	# Xen domains unless we have to.
        # TODO: Jobs should be able to declare that they should not be
 	# auto-restarted.
        if echo "$job" | grep -q "^shutdown$\|^control-alt-delete$\|^xserver$\|^dbus$\|^disnix$\|^emergency-shell$\|^xendomains$"; then continue; fi
        if ! test -e "$oldJobs/$job.conf"; then
            echo "starting $job..."
--- a/modules/system/activation/top-level.nix
+++ b/modules/system/activation/top-level.nix
@ -43,30 +43,19 @@ let
    system.copySystemConfiguration = pkgs.lib.mkOption {
      default = false;
      description = ''
-        Unless set to false copies the nixos configuration file
+        If enabled, copies the NixOS configuration file
-        <literal>$NIXOS_CONFIG</literal> defaulting to
+        <literal>$NIXOS_CONFIG</literal> (usually
-        <filename>/etc/nixos/configuration.nix</filename>
+        <filename>/etc/nixos/configuration.nix</filename>)
        to the system store path.
        See <option>extraSystemBuilderCmds</option>
        if you want to do add more customized info
        to your system storepath.
      '';
    };
    system.extraSystemBuilderCmds = pkgs.lib.mkOption {
      default = "";
      internal = true;
      merge = pkgs.lib.concatStringsSep "\n";
      description = ''
        This code will be added to the builder creating the system store path.
        This use case copies your configuration file into the system derivation:
        <command>
        cp ${pkgs.lib.maybeEnv "NIXOS_CONFIG" "/etc/nixos/configuration.nix"} $out
        </command>
        Of course you could add code saving a svn diff or svn revision number
        of both nixos and nixpkgs repositories as well. Keep in mind that when
        you build in chroots that you have do either copy sources to store or
        add them to the chroot somehow.
        You still should consider putting your configuration into a VCS.
      '';
    };
@ -107,14 +96,23 @@ let
        echo "(Expecting ${kernelPath})"
        false
      fi
      ln -s ${kernelPath} $out/kernel
      ln -s ${config.system.modulesTree} $out/kernel-modules
      if [ -n "$grub" ]; then 
        ln -s $grub $out/grub
      fi
-      ln -s ${config.system.build.bootStage2} $out/init
+      
      ln -s ${config.system.build.initialRamdisk}/initrd $out/initrd
-      ln -s ${config.system.activationScripts.script} $out/activate
+      
      echo "$activationScript" > $out/activate
      substituteInPlace $out/activate --subst-var out
      chmod u+x $out/activate
      unset activationScript
      cp ${config.system.build.bootStage2} $out/init
      substituteInPlace $out/init --subst-var-by systemConfig $out
      ln -s ${config.system.build.etc}/etc $out/etc
      ln -s ${config.system.path} $out/sw
      ln -s ${config.system.build.upstart} $out/upstart
@ -152,6 +150,7 @@ let
      config.boot.kernelParams ++ config.boot.extraKernelParams;
    menuBuilder = config.system.build.menuBuilder;
    initScriptBuilder = config.system.build.initScriptBuilder;
    activationScript = config.system.activationScripts.script;
    # Most of these are needed by grub-install.
    path = [
      pkgs.coreutils
@ -184,5 +183,6 @@ in {
    pkgs.lib.optionalString
      config.system.copySystemConfiguration
      "cp ${pkgs.lib.maybeEnv "NIXOS_CONFIG" "/etc/nixos/configuration.nix"} $out";
  system.build.toplevel = system;
 }
--- a/modules/system/boot/modprobe.nix
+++ b/modules/system/boot/modprobe.nix
@ -88,6 +88,15 @@ with pkgs.lib;
        # too?
      ];
    system.activationScripts.modprobe =
      ''
        # Allow the kernel to find our wrapped modprobe (which searches
        # in the right location in the Nix store for kernel modules).
        # We need this when the kernel (or some module) auto-loads a
        # module.
        echo ${config.system.sbin.modprobe}/sbin/modprobe > /proc/sys/kernel/modprobe
      '';
  };
 }
--- a/modules/system/boot/stage-1.nix
+++ b/modules/system/boot/stage-1.nix
@ -199,7 +199,6 @@ let
      $out/bin/umount --version | grep "umount "
      $out/bin/e2fsck -V 2>&1 | grep "e2fsck "
      $out/bin/tune2fs 2> /dev/null | grep "tune2fs "
      $out/bin/fsck -N | grep "fsck from"
      $out/bin/udevadm --version
      $out/bin/blkid -v 2>&1 | tee -a $out/log | grep "blkid from util-linux-ng"
      $out/bin/dmsetup --version 2>&1 | tee -a $out/log | grep "version:"
--- a/modules/system/boot/stage-2-init.sh
+++ b/modules/system/boot/stage-2-init.sh
@ -1,6 +1,6 @@
 #! @shell@
-# !!! copied from stage 1; remove duplication
+systemConfig=@systemConfig@
 # Print a greeting.
@ -56,11 +56,6 @@ rm -f /etc/mtab* # not that we care about stale locks
 cat /proc/mounts > /etc/mtab
 # If no `systemConfig' parameter is specified on the kernel command
 # line, use a fallback.
 systemConfig=/nix/var/nix/profiles/system
 # Process the kernel command line.
 for o in $(cat /proc/cmdline); do
    case $o in
@ -79,10 +74,6 @@ for o in $(cat /proc/cmdline); do
        safemode)
            safeMode=1
            ;;
        systemConfig=*)
            set -- $(IFS==; echo $o)
            systemConfig=$2
            ;;
        resume=*)
            set -- $(IFS==; echo $o)
            resumeDevice=$2
@ -90,8 +81,6 @@ for o in $(cat /proc/cmdline); do
    esac
 done
 systemConfig="$(readlink -f "$systemConfig")"
 # More special file systems, initialise required directories.
 mkdir -m 0777 /dev/shm
@ -153,19 +142,16 @@ fi
 # Run the script that performs all configuration activation that does
 # not have to be done at boot time.
 echo "running activation script..."
-@activateConfiguration@ "$systemConfig"
+$systemConfig/activate
 # Record the boot configuration.
-if test -n "$systemConfig"; then
+ln -sfn "$systemConfig" /var/run/booted-system
    ln -sfn "$systemConfig" /var/run/booted-system
-    # Prevent the booted system form being garbage-collected
+# Prevent the booted system form being garbage-collected If it weren't
-    # If it weren't a gcroot, if we were running a different kernel,
+# a gcroot, if we were running a different kernel, switched system,
-    # switched system, and garbage collected all, we could not load
+# and garbage collected all, we could not load kernel modules anymore.
-    # kernel modules anymore.
+ln -sfn /var/run/booted-system /nix/var/nix/gcroots/booted-system
    ln -sfn /var/run/booted-system /nix/var/nix/gcroots/booted-system
 fi
 # Ensure that the module tools can find the kernel modules.
--- a/modules/system/boot/stage-2.nix
+++ b/modules/system/boot/stage-2.nix
@ -43,7 +43,7 @@ let
  bootStage2 = substituteAll {
    src = ./stage-2-init.sh;
    isExecutable = true;
-    inherit kernel activateConfiguration;
+    inherit kernel;
    inherit (config.boot) devShmSize;
    ttyGid = config.ids.gids.tty;
    upstart = config.system.build.upstart;
--- a/modules/system/etc/etc.nix
+++ b/modules/system/etc/etc.nix
@ -1,9 +1,10 @@
-# produce a script to generate /etc
+# Produce a script to generate /etc.
-{config, pkgs, ...}:
+{ config, pkgs, ... }:
 with pkgs.lib;
 ###### interface
 let
  inherit (pkgs.lib) mkOption;
  option = {
    environment.etc = mkOption {
@ -36,7 +37,7 @@ let
      chmod ${mode} "$target"
    '';
-  makeEtc = pkgs.stdenv.mkDerivation {
+  etc = pkgs.stdenv.mkDerivation {
    name = "etc";
    builder = ./make-etc.sh;
@ -52,47 +53,13 @@ in
 {
  require = [option];
-  system = {
+  system.build.etc = etc;
    build = {
      etc = makeEtc;
    };
-    activationScripts = {
+  system.activationScripts.etc = stringAfter [ "stdio" ]
-      etc = pkgs.lib.fullDepEntry ''
+    ''
      # Set up the statically computed bits of /etc.
      echo "setting up /etc..."
-        staticEtc=/etc/static
+      ${pkgs.perl}/bin/perl ${./setup-etc.pl} ${etc}/etc
-        rm -f $staticEtc
+    '';
        ln -s ${makeEtc}/etc $staticEtc
        for i in $(cd $staticEtc && find * -type l); do
            mkdir -p /etc/$(dirname $i)
            rm -f /etc/$i
            if test -e "$staticEtc/$i.mode"; then
                # Create a regular file in /etc.
                cp $staticEtc/$i /etc/$i
                chown 0.0 /etc/$i
                chmod "$(cat "$staticEtc/$i.mode")" /etc/$i
            else
                # Create a symlink in /etc.
                ln -s $staticEtc/$i /etc/$i
            fi
        done
        # Remove dangling symlinks that point to /etc/static.  These are
        # configuration files that existed in a previous configuration but not
        # in the current one.  For efficiency, don't look under /etc/nixos
        # (where all the NixOS sources live).
        for i in $(find /etc/ \( -path /etc/nixos -prune \) -o -type l); do
            target=$(readlink "$i")
            if test "''${target:0:''${#staticEtc}}" = "$staticEtc" -a ! -e "$i"; then
                rm -f "$i"
            fi
        done
      '' [
        "systemConfig"
        "defaultPath" # path to cp, chmod, chown
        "stdio"
      ];
    };
  };
 }
--- a/modules/system/etc/setup-etc.pl
+++ b/modules/system/etc/setup-etc.pl
@ -0,0 +1,65 @@
 use strict;
 use File::Find;
 use File::Copy;
 use File::Path;
 use File::Basename;
 my $etc = $ARGV[0] or die;
 my $static = "/etc/static";
 sub atomicSymlink {
    my ($source, $target) = @_;
    my $tmp = "$target.tmp";
    unlink $tmp;
    symlink $source, $tmp or return 1;
    rename $tmp, $target or return 1;
    return 1;
 }
 # Atomically update /etc/static to point at the etc files of the
 # current configuration.
 atomicSymlink $etc, $static or die;
 # For every file in the etc tree, create a corresponding symlink in
 # /etc to /etc/static.  The indirection through /etc/static is to make
 # switching to a new configuration somewhat more atomic.
 sub link {
    my $fn = substr $File::Find::name, length($etc) + 1 or next;
    my $target = "/etc/$fn";
    File::Path::make_path(dirname $target);
    if (-e "$_.mode") {
        open MODE, "<$_.mode";
        my $mode = <MODE>; chomp $mode;
        close MODE;
        copy "$static/$fn", "$target.tmp" or warn;
        chmod oct($mode), "$target.tmp" or warn;
        rename "$target.tmp", $target or warn;
    } elsif (-l "$_") {
        atomicSymlink "$static/$fn", $target or warn;
    }
 }
 find(\&link, $etc);
 # Remove dangling symlinks that point to /etc/static.  These are
 # configuration files that existed in a previous configuration but not
 # in the current one.  For efficiency, don't look under /etc/nixos
 # (where all the NixOS sources live).
 sub cleanup {
    if ($File::Find::name eq "/etc/nixos") {
        $File::Find::prune = 1;
        return;
    }
    if (-l $_) {
        my $target = readlink $_;
        if (substr($target, 0, length $static) eq $static) {
            my $x = "/etc/static/" . substr($File::Find::name, length "/etc/");
            unlink "$_" unless -e "$x";
        }
    }
 }
 find(\&cleanup, "/etc");
--- a/modules/system/upstart-events/control-alt-delete.nix
+++ b/modules/system/upstart-events/control-alt-delete.nix
@ -15,4 +15,12 @@
          shutdown -r now 'Ctrl-Alt-Delete pressed'
        '';
    };
  system.activationScripts.poweroff =
    ''
      # Allow the kernel to find the poweroff command.  This is used
      # (for instance) by Xen's "xm shutdown" command to signal a
      # guest to shut down cleanly.
      echo ${config.system.build.upstart}/sbin/poweroff > /proc/sys/kernel/poweroff_cmd
    '';
 }
--- a/modules/system/upstart/upstart.nix
+++ b/modules/system/upstart/upstart.nix
@ -39,7 +39,8 @@ let
          ${optionalString (job.stopOn != "") "stop on ${job.stopOn}"}
-          env PATH=${makeSearchPath "bin" upstartPath}:${makeSearchPath "sbin" upstartPath}
+          env PATH=${makeSearchPath "bin" (job.path ++ upstartPath)}:${makeSearchPath "sbin" (job.path ++ upstartPath)}
          ${concatMapStrings (n: "env ${n}=\"${getAttr n job.environment}\"\n") (attrNames job.environment)}
          ${optionalString (job.preStart != "") ''
@ -271,6 +272,15 @@ let
      '';
    };
    path = mkOption {
      default = [ ];
      description = ''
        Packages added to the job's <envar>PATH</envar> environment variable.
        Both the <filename>bin</filename> and <filename>sbin</filename> 
        subdirectories of each package are added.
      '';
    };
  };
--- a/modules/tasks/filesystems.nix
+++ b/modules/tasks/filesystems.nix
@ -94,9 +94,7 @@ in
          example = "data=journal";
          type = types.string;
          merge = pkgs.lib.concatStringsSep ",";
-          description = "
+          description = "Options used to mount the file system.";
            Option used to mount the file system.
          ";
        };
        autocreate = mkOption {
@ -107,6 +105,12 @@ in
            <option>fileSystems.*.mountPoint</option>.
          ";
        };
        noCheck = mkOption {
          default = false;
          type = types.bool;
          description = "Disable running fsck on this filesystem.";
        };
      };
    };
@ -142,7 +146,8 @@ in
                + " " + fs.fsType
                + " " + fs.options
                + " 0"
-                + " " + (if fs.fsType == "none" then "0" else if fs.mountPoint == "/" then "1" else "2")
+                + " " + (if fs.fsType == "none" || fs.noCheck then "0" else
                         if fs.mountPoint == "/" then "1" else "2")
                + "\n"
            )}
--- a/modules/tasks/network-interfaces.nix
+++ b/modules/tasks/network-interfaces.nix
@ -207,6 +207,14 @@ in
          '';
      };
    # Set the host name in the activation script.  Don't clear it if
    # it's not configured in the NixOS configuration, since it may
    # have been set by dhclient in the meantime.
    system.activationScripts.hostname =
      optionalString (config.networking.hostName != "") ''
        hostname "${config.networking.hostName}"
      '';
  };
 }
--- a/modules/testing/test-instrumentation.nix
+++ b/modules/testing/test-instrumentation.nix
@ -77,9 +77,13 @@ in
    # Send all of /var/log/messages to the serial port.
    services.syslogd.extraConfig = "*.* /dev/ttyS0";
    # Clear the kernel log buffer before starting klogd to prevent it
    # from printing messages that we have already seen.
    jobs.klogd.preStart = "dmesg -c > /dev/null";
    # Prevent tests from accessing the Internet.
-    networking.defaultGateway = mkOverrideTemplate 150 {} "";
+    networking.defaultGateway = mkOverride 150 "";
-    networking.nameservers = mkOverrideTemplate 150 {} [ ];
+    networking.nameservers = mkOverride 150 [ ];
    # Require a patch to the kernel to increase the 15s CIFS timeout.
    assertions =
--- a/modules/virtualisation/qemu-vm.nix
+++ b/modules/virtualisation/qemu-vm.nix
@ -111,6 +111,20 @@ let
        description = "Options passed to QEMU.";
      };
    virtualisation.useBootLoader =
      mkOption {
        default = false;
        description =
          ''
            If enabled, the virtual machine will be booted using the
            regular boot loader (i.e., GRUB 1 or 2).  This allows
            testing of the boot loader.  If
            disabled (the default), the VM directly boots the NixOS
            kernel and initial ramdisk, bypassing the boot loader
            altogether.
          '';
      };
  };
  cfg = config.virtualisation;
@ -146,12 +160,17 @@ let
          -net nic,vlan=0,model=virtio \
          -chardev socket,id=samba,path=./samba \
          -net user,vlan=0,guestfwd=tcp:10.0.2.4:139-chardev:samba''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} \
          ${if cfg.useBootLoader then ''
            -drive index=0,file=$NIX_DISK_IMAGE,if=virtio,cache=writeback,werror=report \
            -drive index=1,file=${bootDisk}/disk.img,if=virtio,boot=on \
          '' else ''
            -drive file=$NIX_DISK_IMAGE,if=virtio,boot=on,cache=writeback,werror=report \
            -kernel ${config.system.build.toplevel}/kernel \
            -initrd ${config.system.build.toplevel}/initrd \
            -append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo} ${kernelConsole} $QEMU_KERNEL_PARAMS" \
          ''} \
          ${qemuGraphics} \
          $QEMU_OPTS \
          -append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.bootStage2} systemConfig=${config.system.build.toplevel} regInfo=${regInfo} ${kernelConsole} $QEMU_KERNEL_PARAMS" \
          ${config.virtualisation.qemu.options}
    '';
@ -165,11 +184,54 @@ let
      printRegistration=1 perl ${pkgs.pathsFromGraph} closure-* > $out
    '';
  # Generate a hard disk image containing a /boot partition and GRUB
  # in the MBR.  Used when the `useBootLoader' option is set.
  bootDisk =
    pkgs.vmTools.runInLinuxVM (
      pkgs.runCommand "nixos-boot-disk"
        { preVM =
            ''
              mkdir $out
              diskImage=$out/disk.img
              ${pkgs.vmTools.kvm}/bin/qemu-img create -f qcow2 $diskImage "32M"
            '';
          buildInputs = [ pkgs.utillinux ];
        }
        ''
          # Create a single /boot partition.
          ${pkgs.parted}/sbin/parted /dev/vda mklabel msdos
          ${pkgs.parted}/sbin/parted /dev/vda -- mkpart primary ext2 1M -1s
          . /sys/class/block/vda1/uevent
          mknod /dev/vda1 b $MAJOR $MINOR
          . /sys/class/block/vda/uevent
          ${pkgs.e2fsprogs}/sbin/mkfs.ext3 -L boot /dev/vda1
          ${pkgs.e2fsprogs}/sbin/tune2fs -c 0 -i 0 /dev/vda1
          # Mount /boot.
          mkdir /boot
          mount /dev/vda1 /boot
          # This is needed for GRUB 0.97, which doesn't know about virtio devices.
          mkdir /boot/grub
          echo '(hd0) /dev/vda' > /boot/grub/device.map
          # Install GRUB and generate the GRUB boot menu.
          touch /etc/NIXOS 
          mkdir -p /nix/var/nix/profiles
          ${config.system.build.toplevel}/bin/switch-to-configuration boot
          umount /boot
        ''
    );
 in
 {
  require = options;
  boot.loader.grub.device = mkOverride 50 "/dev/vda";
  # All the modules the initrd needs to mount the host filesystem via
  # CIFS.  Also use paravirtualised network and block devices for
  # performance.
@ -207,6 +269,7 @@ in
  boot.initrd.postMountCommands =
    ''
      mkdir -p $targetRoot/boot
      mount -o remount,ro $targetRoot/nix/store
      ${optionalString cfg.writableStore ''
        mkdir /mnt-store-tmpfs
@ -225,19 +288,21 @@ in
  boot.postBootCommands =
    ''
      ( source /proc/cmdline
        if [ -n "$regInfo" ]; then
            ${config.environment.nix}/bin/nix-store --load-db < $regInfo
        fi
      )
    '';
  virtualisation.pathsInNixDB = [ config.system.build.toplevel ];
  # Mount the host filesystem via CIFS, and bind-mount the Nix store
-  # of the host into our own filesystem.  We use mkOverrideTemplate to allow
+  # of the host into our own filesystem.  We use mkOverride to allow
  # this module to be applied to "normal" NixOS system configuration,
  # where the regular value for the `fileSystems' attribute should be
  # disregarded for the purpose of building a VM test image (since
  # those filesystems don't exist in the VM).
-  fileSystems = mkOverrideTemplate 50 {}
+  fileSystems = mkOverride 50 (
    [ { mountPoint = "/";
        device = "/dev/vda";
      }
@ -253,13 +318,21 @@ in
        options = "bind";
        neededForBoot = true;
      }
-    ];
+    ] ++ optional cfg.useBootLoader
      { mountPoint = "/boot";
        device = "/dev/disk/by-label/boot";
        fsType = "ext3";
        options = "ro";
        noCheck = true; # fsck fails on a r/o filesystem
      });
  swapDevices = mkOverride 50 [ ];
  # Starting DHCP brings down eth0, which kills the connection to the
  # host filesystem and thus deadlocks the system.
  networking.useDHCP = false;
-  networking.defaultGateway = mkOverrideTemplate 200 {} "10.0.2.2";
+  networking.defaultGateway = mkOverride 200 "10.0.2.2";
  networking.nameservers = [ "10.0.2.3" ];
@ -287,9 +360,9 @@ in
  # When building a regular system configuration, override whatever
  # video driver the host uses.
-  services.xserver.videoDriver = mkOverrideTemplate 50 {} null;
+  services.xserver.videoDriver = mkOverride 50 null;
-  services.xserver.videoDrivers = mkOverrideTemplate 50 {} [ "cirrus" "vesa" ];
+  services.xserver.videoDrivers = mkOverride 50 [ "cirrus" "vesa" ];
-  services.xserver.defaultDepth = mkOverrideTemplate 50 {} 0;
+  services.xserver.defaultDepth = mkOverride 50 0;
  services.xserver.monitorSection =
    ''
      # Set a higher refresh rate so that resolutions > 800x600 work.
@ -300,5 +373,5 @@ in
  services.mingetty.ttys = ttys ++ optional (!cfg.graphics) "ttyS0";
  # Wireless won't work in the VM.
-  networking.enableWLAN = mkOverrideTemplate 50 {} false;
+  networking.enableWLAN = mkOverride 50 false;
 }
--- a/modules/virtualisation/xen-dom0.nix
+++ b/modules/virtualisation/xen-dom0.nix
@ -0,0 +1,165 @@
 # Xen hypervisor (Dom0) support.
 { config, pkgs, ... }:
 with pkgs.lib;
 let 
  cfg = config.virtualisation.xen; 
  xen = pkgs.xen;
  xendConfig = pkgs.writeText "xend-config.sxp"
    ''
      (loglevel DEBUG)
      (network-script network-bridge)
      (vif-script vif-bridge)
    '';
 in
 {
  ###### interface
  options = {
    virtualisation.xen.enable = 
      mkOption {
        default = false;
        description =
          ''
            Setting this option enables the Xen hypervisor, a
            virtualisation technology that allows multiple virtual
            machines, known as <emphasis>domains</emphasis>, to run
            concurrently on the physical machine.  NixOS runs as the
            privileged <emphasis>Domain 0</emphasis>.  This option
            requires a reboot to take effect.
          '';
      };
    virtualisation.xen.bootParams = 
      mkOption {
        default = "";
        description =
          ''
            Parameters passed to the Xen hypervisor at boot time.
          '';
      };
    virtualisation.xen.domain0MemorySize = 
      mkOption {
        default = 0;
        example = 512;
        description =
          ''
            Amount of memory (in MiB) allocated to Domain 0 on boot.
            If set to 0, all memory is assigned to Domain 0.
          '';
      };
  };
  ###### implementation
  config = mkIf cfg.enable {
    environment.systemPackages = [ xen ];
    # Domain 0 requires a pvops-enabled kernel.
    boot.kernelPackages = pkgs.linuxPackages_2_6_32_xen;
    boot.kernelModules = 
      [ "xen_evtchn" "xen_gntdev" "xen_blkback" "xen_netback" "xen_pciback" 
        "blktap" "tap"
      ];
    # The radeonfb kernel module causes the screen to go black as soon
    # as it's loaded, so don't load it.
    boot.blacklistedKernelModules = [ "radeonfb" ];
    virtualisation.xen.bootParams = 
      [ "loglvl=all" "guest_loglvl=all" ] ++
      optional (cfg.domain0MemorySize != 0) "dom0_mem=${toString cfg.domain0MemorySize}M";
    system.extraSystemBuilderCmds =
      ''
        ln -s ${xen}/boot/xen.gz $out/xen.gz
        echo "${toString cfg.bootParams}" > $out/xen-params
      '';
    # Mount the /proc/xen pseudo-filesystem.
    system.activationScripts.xen =
      ''
        if [ -d /proc/xen ]; then
            ${pkgs.sysvtools}/bin/mountpoint -q /proc/xen || \
                ${pkgs.utillinux}/bin/mount -t xenfs none /proc/xen
        fi
      '';
    jobs.xend =
      { description = "Xen control daemon";
        startOn = "stopped udevtrigger";
        path = 
          [ pkgs.bridge_utils pkgs.gawk pkgs.iproute pkgs.nettools 
            pkgs.utillinux pkgs.bash xen pkgs.pciutils pkgs.procps
          ];
        preStart = 
          ''
            ${xen}/sbin/xend start
            # Wait until Xend is running.
            for ((i = 0; i < 60; i++)); do echo "waiting for xend..."; ${xen}/sbin/xend status && break; done
            ${xen}/sbin/xend status || exit 1
          '';
        postStop = "${xen}/sbin/xend stop";
      };
    jobs.xendomains =
      { description = "Automatically starts, saves and restores Xen domains on startup/shutdown";
        startOn = "started xend";
        stopOn = "starting shutdown and stopping xend";
        path = [ pkgs.xen ];
        environment.XENDOM_CONFIG = "${xen}/etc/sysconfig/xendomains";
        preStart = 
          ''
            mkdir -p /var/lock/subsys -m 755
            ${xen}/etc/init.d/xendomains start
          '';
        postStop = "${xen}/etc/init.d/xendomains stop";
      };
    # To prevent a race between dhclient and xend's bridge setup
    # script (which renames eth* to peth* and recreates eth* as a
    # virtual device), start dhclient after xend.
    jobs.dhclient.startOn = mkOverride 50 "started xend";
    environment.etc =
      [ { source = xendConfig;
          target = "xen/xend-config.sxp";
        }
        { source = "${xen}/etc/xen/scripts";
          target = "xen/scripts";
        }
      ];
    # Xen provides udev rules.
    services.udev.packages = [ xen ];
    services.udev.path = [ pkgs.bridge_utils pkgs.iproute ];
  };
 }
--- a/modules/virtualisation/xen-domU.nix
+++ b/modules/virtualisation/xen-domU.nix
@ -0,0 +1,26 @@
 # Common configuration for Xen DomU NixOS virtual machines.
 { config, pkgs, ... }:
 {
  # We're being booted using pv-grub, which means that we need to
  # generate a GRUB 1 menu without actually installing GRUB.
  boot.loader.grub.version = 1;
  boot.loader.grub.device = "nodev";
  boot.loader.grub.extraPerEntryConfig = "root (hd0)";
  boot.initrd.kernelModules = [ "xen-blkfront" ];
  # Backgrounds don't work, so don't bother.
  services.ttyBackgrounds.enable = false;
  # Send syslog messages to the Xen console.
  services.syslogd.tty = "hvc0";
  # Start a mingetty on the Xen console (so that you can login using
  # "xm console" in Dom0). 
  services.mingetty.ttys = [ "hvc0" "tty1" "tty2" ];
  # Don't run ntpd, since we should get the correct time from Dom0.
  services.ntp.enable = false;
 }
--- a/tests/avahi.nix
+++ b/tests/avahi.nix
@ -0,0 +1,60 @@
 { pkgs, ... }:
 with pkgs;
 {
  nodes = {
    one =
      { config, pkgs, ... }: {
        services.avahi.enable = true;
        services.avahi.nssmdns = true;
      };
    two =
      { config, pkgs, ... }: {
        services.avahi.enable = true;
        services.avahi.nssmdns = true;
      };
  };
  # Test whether `avahi-daemon' and `libnss-mdns' work as expected.
  testScript =
    '' startAll;
       # mDNS.
       print STDERR
        $one->mustSucceed("avahi-resolve-host-name one.local | tee out");
       $one->mustSucceed("test \"`cut -f1 < out`\" = one.local");
       print STDERR
        $one->mustSucceed("avahi-resolve-host-name two.local | tee out");
       $one->mustSucceed("test \"`cut -f1 < out`\" = two.local");
       print STDERR
        $two->mustSucceed("avahi-resolve-host-name one.local | tee out");
       $two->mustSucceed("test \"`cut -f1 < out`\" = one.local");
       print STDERR
        $two->mustSucceed("avahi-resolve-host-name two.local | tee out");
       $two->mustSucceed("test \"`cut -f1 < out`\" = two.local");
       # Basic DNS-SD.
       print STDERR
        $one->mustSucceed("avahi-browse -r -t _workstation._tcp | tee out");
       $one->mustSucceed("test `wc -l < out` -gt 0");
       print STDERR
        $two->mustSucceed("avahi-browse -r -t _workstation._tcp | tee out");
       $two->mustSucceed("test `wc -l < out` -gt 0");
       # More DNS-SD.
       $one->execute("avahi-publish -s \"This is a test\" _test._tcp 123 one=1 &");
       sleep 5;
       print STDERR
        $two->mustSucceed("avahi-browse -r -t _test._tcp | tee out");
       $two->mustSucceed("test `wc -l < out` -gt 0");
       # NSS-mDNS.
       print STDERR $one->mustSucceed("getent hosts one.local");
       print STDERR $one->mustSucceed("getent hosts two.local");
       print STDERR $two->mustSucceed("getent hosts one.local");
       print STDERR $two->mustSucceed("getent hosts two.local");
    '';
 }
--- a/tests/default.nix
+++ b/tests/default.nix
@ -6,6 +6,7 @@
 with import ../lib/testing.nix { inherit nixpkgs services system; };
 {
  avahi = makeTest (import ./avahi.nix);
  bittorrent = makeTest (import ./bittorrent.nix);
  firefox = makeTest (import ./firefox.nix);
  installer = makeTests (import ./installer.nix);
@ -18,6 +19,7 @@ with import ../lib/testing.nix { inherit nixpkgs services system; };
  proxy = makeTest (import ./proxy.nix);
  quake3 = makeTest (import ./quake3.nix);
  remote_builds = makeTest (import ./remote-builds.nix);
  simple = makeTest (import ./simple.nix);
  subversion = makeTest (import ./subversion.nix);
  trac = makeTest (import ./trac.nix);
 }
--- a/tests/installer.nix
+++ b/tests/installer.nix
@ -170,7 +170,7 @@ let
      $machine->waitUntilSucceeds("cat /proc/swaps | grep -q /dev");
      $machine->mustSucceed("nix-env -i coreutils >&2");
-      $machine->mustSucceed("type -tP ls") =~ /profiles/
+      $machine->mustSucceed("type -tP ls | tee /dev/stderr") =~ /.nix-profile/
          or die "nix-env failed";
      $machine->mustSucceed("nixos-rebuild switch >&2");
@ -297,4 +297,42 @@ in {
      fileSystems = rootFS + bootFS;
    };
  # Rebuild the CD configuration with a little modification.
  rebuildCD = 
    { inherit iso;
      nodes = { };
      testScript =
    ''
      # damn, it's costly to evaluate nixos-rebuild (1G of ram)
      my $machine = Machine->new({ cdrom => glob("${iso}/iso/*.iso"), qemuFlags => '${qemuNICFlags 1 1} -m 1024' });
      $machine->start;
      # Make sure that we get a login prompt etc.
      $machine->mustSucceed("echo hello");
      $machine->waitForJob("tty1");
      $machine->waitForJob("rogue");
      $machine->waitForJob("nixos-manual");
      # Make sure that we don't try to download anything.
      $machine->stopJob("dhclient");
      $machine->mustSucceed("rm /etc/resolv.conf");
      # Enable sshd service.
      $machine->mustSucceed(
        "sed -i 's,^}\$,jobs.sshd.startOn = pkgs.lib.mkOverride 0 \"startup\"; },' /etc/nixos/configuration.nix"
      );
      my $cfg = $machine->mustSucceed("cat /etc/nixos/configuration.nix");
      print STDERR "New CD config:\n$cfg\n";
      # Apply the new CD configuration.
      $machine->mustSucceed("nixos-rebuild test --no-pull");
      # Connect to it-self.
      #$machine->waitForJob("sshd");
      #$machine->mustSucceed("ssh root@127.0.0.1 echo hello");
      $machine->shutdown;
    '';
    };
 }
--- a/tests/simple.nix
+++ b/tests/simple.nix
@ -0,0 +1,11 @@
 { pkgs, ... }:
 {
  machine = { config, pkgs, ... }: { };
  testScript =
    ''
      startAll;
      $machine->shutdown;
    '';
 }