Merge branch 'master' into add-sphinx-search

2014-08-24 11:21:41 +01:00 · 2014-08-24 11:21:41 +01:00 · 5ef459fe2d
commit 5ef459fe2d
parent 72df3f37e5 aa77fe0fb0
3561 changed files with 44899 additions and 22313 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,5 @@ result-*
 /doc/manual.html
 /doc/manual.pdf
 .version-suffix
 .DS_Store
--- a/doc/Makefile
+++ b/doc/Makefile
@ -1,41 +0,0 @@
 # You may need to override this.
 docbookxsl = $(HOME)/.nix-profile/xml/xsl/docbook
 dblatex = dblatex
 XMLLINT = xmllint --catalogs
 XSLTPROC = xsltproc --catalogs \
 --param section.autolabel 1 \
 --param section.label.includes.component.label 1 \
 --param html.stylesheet \'style.css\' \
 --param xref.with.number.and.title 1 \
 --param toc.section.depth 3 \
 --param admon.style \'\' \
 --param callout.graphics.extension \'.gif\'
 NEWS_OPTS = \
 --stringparam generate.toc "article nop" \
 --stringparam section.autolabel.max.depth 0 \
 --stringparam header.rule 0
 all: NEWS.html NEWS.txt manual.html manual.pdf
 NEWS.html: release-notes.xml
 	$(XSLTPROC) --nonet --xinclude --output $@ $(NEWS_OPTS) \
 	  $(docbookxsl)/xhtml/docbook.xsl release-notes.xml
 NEWS.txt: release-notes.xml
 	$(XSLTPROC) --nonet --xinclude quote-literals.xsl release-notes.xml | \
 	  $(XSLTPROC) --nonet --output $@.tmp.html $(NEWS_OPTS) \
 	  $(docbookxsl)/xhtml/docbook.xsl -
 	LANG=en_US w3m -dump $@.tmp.html > $@
 	rm $@.tmp.html
 manual.html: *.xml
 	$(XSLTPROC) --nonet --xinclude --output manual.html \
 	  $(docbookxsl)/xhtml/docbook.xsl manual.xml
 manual.pdf: *.xml
 	$(dblatex) \
 	  -P doc.collab.show=0 \
 	  -P latex.output.revhistory=0 \
 	  manual.xml
--- a/doc/contributing.xml
+++ b/doc/contributing.xml
@ -0,0 +1,21 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xml:id="chap-contributing">
 <title>Contributing</title>
 <para>If you make modifications to the manual, it's important to build the manual before contributing:</para>
 <orderedlist>
  <listitem><para><command>$ git clone git://github.com/NixOS/nixpkgs.git</command></para></listitem>
  <listitem><para><command>$ cd nixpkgs/pkgs/top-level</command></para></listitem>
  <listitem><para><command>$ nix-build -A tarball release.nix</command></para></listitem>
  <listitem><para>Inside the built derivation you shall see <literal>manual/index.html</literal> file.</para></listitem>
 </orderedlist>
 </chapter>
--- a/doc/default.nix
+++ b/doc/default.nix
@ -0,0 +1,42 @@
 with import ./.. { };
 with lib;
 stdenv.mkDerivation {
  name = "nixpkgs-manual";
  sources = sourceFilesBySuffices ./. [".xml"];
  buildInputs = [ libxml2 libxslt ];
  xsltFlags = ''
    --param section.autolabel 1
    --param section.label.includes.component.label 1
    --param html.stylesheet 'style.css'
    --param xref.with.number.and.title 1
    --param toc.section.depth 3
    --param admon.style '''
    --param callout.graphics.extension '.gif'
  '';
  buildCommand = ''
    ln -s $sources/*.xml . # */
    echo ${nixpkgsVersion} > .version
    xmllint --noout --nonet --xinclude --noxincludenode \
      --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
      manual.xml
    dst=$out/share/doc/nixpkgs
    mkdir -p $dst
    xsltproc $xsltFlags --nonet --xinclude \
      --output $dst/manual.html \
      ${docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
      ./manual.xml
    cp ${./style.css} $dst/style.css
    mkdir -p $out/nix-support
    echo "doc manual $dst manual.html" >> $out/nix-support/hydra-build-products
  '';
 }
--- a/doc/manual.xml
+++ b/doc/manual.xml
@ -3,25 +3,9 @@
  <info>
-    <title>Nixpkgs Manual</title>
+    <title>Nixpkgs Contributors Guide</title>
-    <subtitle>Draft (Version <xi:include href="../.version"
+    <subtitle>Version <xi:include href=".version" parse="text" /></subtitle>
    parse="text" />)</subtitle>
    <author>
      <personname>
        <firstname>Eelco</firstname>
        <surname>Dolstra</surname>
      </personname>
      <affiliation>
        <orgname>LogicBlox</orgname>
      </affiliation>
    </author>
    <copyright>
      <year>2008-2012</year>
      <holder>Eelco Dolstra</holder>
    </copyright>
  </info>
@ -32,6 +16,6 @@
  <xi:include href="language-support.xml" />
  <xi:include href="package-notes.xml" />
  <xi:include href="coding-conventions.xml" />
-  
+  <xi:include href="contributing.xml" />
 </book>
--- a/doc/meta.xml
+++ b/doc/meta.xml
@ -17,7 +17,9 @@ meta = {
    It is fully customizable.
  '';
  homepage = http://www.gnu.org/software/hello/manual/;
-  license = "GPLv3+";
+  license = stdenv.lib.licenses.gpl3Plus;
  maintainers = [ stdenv.lib.maintainers.eelco ];
  platforms = stdenv.lib.platforms.all;
 };
 </programlisting>
@ -31,16 +33,42 @@ the package.  The value of a meta-attribute must a string.</para>
 command-line using <command>nix-env</command>:
 <screen>
-$ nix-env -qa hello --meta --xml
+$ nix-env -qa hello --meta --json
-&lt;?xml version='1.0' encoding='utf-8'?>
+{
-&lt;items>
+    "hello": {
-  &lt;item attrPath="hello" name="hello-2.3" system="i686-linux">
+        "meta": {
-    &lt;meta name="description" value="A program that produces a familiar, friendly greeting" />
+            "description": "A program that produces a familiar, friendly greeting",
-    &lt;meta name="homepage" value="http://www.gnu.org/software/hello/manual/" />
+            "homepage": "http://www.gnu.org/software/hello/manual/",
-    &lt;meta name="license" value="GPLv3+" />
+            "license": {
-    &lt;meta name="longDescription" value="GNU Hello is a program that prints &amp;quot;Hello, world!&amp;quot; when you run it.&amp;#xA;It is fully customizable.&amp;#xA;" />
+                "fullName": "GNU General Public License version 3 or later",
-  &lt;/item>
+                "shortName": "GPLv3+",
-&lt;/items>
+                "url": "http://www.fsf.org/licensing/licenses/gpl.html"
            },
            "longDescription": "GNU Hello is a program that prints \"Hello, world!\" when you run it.\nIt is fully customizable.\n",
            "maintainers": [
                "Ludovic Court\u00e8s &lt;ludo@gnu.org>"
            ],
            "platforms": [
                "i686-linux",
                "x86_64-linux",
                "armv5tel-linux",
                "armv7l-linux",
                "mips64el-linux",
                "x86_64-darwin",
                "i686-cygwin",
                "i686-freebsd",
                "x86_64-freebsd",
                "i686-openbsd",
                "x86_64-openbsd"
            ],
            "position": "/home/user/dev/nixpkgs/pkgs/applications/misc/hello/ex-2/default.nix:14"
        },
        "name": "hello-2.9",
        "system": "x86_64-linux"
    }
 }
 </screen>
 <command>nix-env</command> knows about the
@ -92,20 +120,23 @@ interpretation:</para>
  <varlistentry>
    <term><varname>license</varname></term>
-    <listitem><para>The license for the package.  See below for the
+    <listitem><para>The license for the package. One from the
-    allowed values.</para></listitem>
+    attribute set defined in <link
    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix">
    <filename>nixpkgs/lib/licenses.nix</filename></link>.  Example:
    <literal>stdenv.lib.licenses.gpl3</literal>. For details, see
    <xref linkend='sec-meta-license'/>.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>maintainers</varname></term>
    <listitem><para>A list of names and e-mail addresses of the
-    maintainers of this Nix expression, e.g. <literal>["Alice
+    maintainers of this Nix expression. If
-    &lt;alice@example.org>" "Bob &lt;bob@example.com>"]</literal>.  If
+    you would like to be a maintainer of a package, you may want to add
    you are the maintainer of multiple packages, you may want to add
    yourself to <link
-    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/lib/maintainers.nix"><filename>pkgs/lib/maintainers.nix</filename></link>
+    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/maintainers.nix"><filename>nixpkgs/lib/maintainers.nix</filename></link>
-    and write something like <literal>[stdenv.lib.maintainers.alice
+    and write something like <literal>[ stdenv.lib.maintainers.alice
-    stdenv.lib.maintainers.bob]</literal>.</para></listitem>
+    stdenv.lib.maintainers.bob ]</literal>.</para></listitem>
  </varlistentry>
  <varlistentry>
@ -121,29 +152,25 @@ interpretation:</para>
  <varlistentry>
    <term><varname>platforms</varname></term>
    <listitem><para>The list of Nix platform types on which the
-    package is supported.  If this attribute is set, the package will
+    package is supported. Hydra builds packages according to the
-    refuse to build, and won’t show up in <literal>nix-env
+    platform specified. If no platform is specified, the package does
-    -qa</literal> output, on any platform not listed
+    not have prebuilt binaries. An example is:
    here.  An example is:
 <programlisting>
-meta.platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" ];
+meta.platforms = stdenv.lib.platforms.linux;
 </programlisting>
    The set <varname>lib.platforms</varname> defines various common
    lists of platforms types, so it’s more typical to write:
 <programlisting>
 meta.platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
 </programlisting>
    Attribute Set <varname>stdenv.lib.platforms</varname> in
    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/platforms.nix">
    <filename>nixpkgs/lib/platforms.nix</filename></link> defines various common
    lists of platforms types.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>hydraPlatforms</varname></term>
    <listitem><para>The list of Nix platform types for which the Hydra
-    instance at <literal>hydra.nixos.org</literal> should build the
+    instance at <literal>hydra.nixos.org</literal> will build the
    package.  (Hydra is the Nix-based continuous build system.)  It
    defaults to the value of <varname>meta.platforms</varname>.  Thus,
    the only reason to set <varname>meta.hydraPlatforms</varname> is
@ -176,80 +203,23 @@ meta.hydraPlatforms = [];
 <section xml:id="sec-meta-license"><title>Licenses</title>
-<note><para>This is just a first attempt at standardising the license
+<para>The <varname>meta.license</varname> attribute should preferrably contain
-attribute.</para></note>
+a value from <varname>stdenv.lib.licenses</varname> defined in
-
+<link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix">
-<para>The <varname>meta.license</varname> attribute must be one of the
+<filename>nixpkgs/lib/licenses.nix</filename></link>,
-following:
+or in-place license description of the same format if the license is
 unlikely to be useful in another expression.
 A few generic options are available, although it's typically better
 to indicate the specific license:
 <variablelist>
  <varlistentry>
    <term><varname>GPL</varname></term>
    <listitem><para>GNU General Public License; version not
    specified.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>GPLv2</varname></term>
    <listitem><para>GNU General Public License, version
    2.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>GPLv2+</varname></term>
    <listitem><para>GNU General Public License, version
    2 or higher.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>GPLv3</varname></term>
    <listitem><para>GNU General Public License, version
    3.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>GPLv3+</varname></term>
    <listitem><para>GNU General Public License, version
    3 or higher.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>bsd</varname></term>
    <listitem><para>Catch-all for licenses that are essentially
    similar to <link
    xlink:href="http://www.gnu.org/licenses/license-list.html#ModifiedBSD">the
    original BSD license with the advertising clause removed</link>,
    i.e. permissive non-copyleft free software licenses.  This
    includes the <link
    xlink:href="http://www.gnu.org/licenses/license-list.html#X11License">X11
    (“MIT”) License</link>.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>perl5</varname></term>
    <listitem><para>The Perl 5 license (Artistic License, version 1
    and GPL, version 1 or later).</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>free</varname></term>
    <listitem><para>Catch-all for free software licenses not listed
    above.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>free-copyleft</varname></term>
    <listitem><para>Catch-all for free, copyleft software licenses not
    listed above.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>free-non-copyleft</varname></term>
    <listitem><para>Catch-all for free, non-copyleft software licenses
    not listed above.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>unfree-redistributable</varname></term>
    <listitem><para>Unfree package that can be redistributed in binary
--- a/doc/quick-start.xml
+++ b/doc/quick-start.xml
@ -155,9 +155,10 @@ $ git add pkgs/development/libraries/libfoo/default.nix</screen>
        </listitem>
        <listitem>
-          <para>You can use <command>nix-prefetch-url</command>
+          <para>You can use <command>nix-prefetch-url</command> (or similar nix-prefetch-git, etc)
          <replaceable>url</replaceable> to get the SHA-256 hash of
-          source distributions.</para>
+          source distributions. There are similar commands as <command>nix-prefetch-git</command> and
          <command>nix-prefetch-hg</command> available in <literal>nix-prefetch-scripts</literal> package.</para>
        </listitem>
        <listitem>
@ -221,17 +222,10 @@ $ nix-env -f . -iA libfoo</screen>
  </listitem>
  <listitem>
-    <para>Optionally commit the new package, or send a patch to
+    <para>Optionally commit the new package and open a pull request, or send a patch to
    <literal>nix-dev@cs.uu.nl</literal>.</para>
  </listitem>
  <listitem>
    <para>If you want the TU Delft build farm to build binaries of the
    package and make them available in the <link
    xlink:href="http://nixos.org/releases/nixpkgs/channels/nixpkgs-unstable/"><literal>nixpkgs</literal>
    channel</link>, add it to <link
    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/release.nix"><filename>pkgs/top-level/release.nix</filename></link>.</para>
  </listitem>
 </orderedlist>
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -1,25 +1,24 @@
-{
+let
-  /* License identifiers loosely based on: http://fedoraproject.org/wiki/Licensing
+  spdx = lic: lic // {
      url = "http://spdx.org/licenses/${lic.shortName}";
    };
 in
 rec {
  /* License identifiers from spdx.org where possible.
   * If you cannot find your license here, then look for a similar license or
   * add it to this list. The URL mentioned above is a good source for inspiration.
   */
-  artistic2 = {
+  agpl3 = spdx {
-    shortName = "Artistic 2.0";
+    shortName = "AGPL-3.0";
-    fullName = "Artistic 2.0";
+    fullName = "GNU Affero General Public License v3.0";
    url = "http://opensource.org/licenses/artistic-license-2.0.php";
  };
  agpl3 = {
    shortName = "AGPLv3";
    fullName = "GNU Affero General Public License version 3 only";
    url = https://www.gnu.org/licenses/agpl.html;
  };
  agpl3Plus = {
-    shortName = "AGPLv3+";
+    shortName = "AGPL-3.0+";
-    fullName = "GNU Affero General Public License version 3 or later";
+    fullName = "GNU Affero General Public License v3.0 or later";
-    url = https://www.gnu.org/licenses/agpl.html;
+    inherit (agpl3) url;
  };
  amd = {
@ -28,126 +27,149 @@
    url = http://developer.amd.com/amd-license-agreement/;
  };#
-  apsl20 = {
+  apsl20 = spdx {
-    shortName = "APSL 2.0";
+    shortName = "APSL-2.0";
    fullName = "Apple Public Source License 2.0";
    url = http://opensource.org/licenses/APSL-2.0;
  };
-  asl20 = {
+  artistic2 = spdx {
-    shortName = "ASL2.0";
+    shortName = "Artistic-2.0";
-    fullName = "Apache Software License 2.0";
+    fullName = "Artistic License 2.0";
    url = http://www.apache.org/licenses/LICENSE-2.0;
  };
-  boost = {
+  asl20 = spdx {
-    shortName = "boost";
+    shortName = "Apache-2.0";
-    fullName = "Boost Software License";
+    fullName = "Apache License 2.0";
    url = http://www.boost.org/LICENSE_1_0.txt;
  };
-  bsd2 = {
+  boost = spdx {
-    shortName = "BSD-2";
+    shortName = "BSL-1.0";
-    fullName = "BSD license (2 clause)";
+    fullName = "Boost Software License 1.0";
    url = http://opensource.org/licenses/BSD-2-Clause;
  };
-  bsd3 = {
+  bsd2 = spdx {
-    shortName = "BSD-3";
+    shortName = "BSD-2-Clause";
-    fullName = "BSD license (3 clause)";
+    fullName = ''BSD 2-clause "Simplified" License'';
    url = http://opensource.org/licenses/BSD-3-Clause;
  };
-  bsdOriginal = {
+  bsd3 = spdx {
-    shortName = "BSD-original";
+    shortName = "BSD-3-Clause";
-    fullName = "Original BSD license with advertising clause";
+    fullName = ''BSD 3-clause "New" or "Revised" License'';
    url = https://fedoraproject.org/wiki/Licensing/BSD;
  };
-  cc-by-30 = {
+  bsdOriginal = spdx {
-    shortName = "CC BY 3.0";
+    shortName = "BSD-4-Clause";
    fullName = ''BSD 4-clause "Original" or "Old" License'';
  };
  cc-by-30 = spdx {
    shortName = "CC-BY-3.0";
    fullName = "Creative Commons Attribution 3.0";
    url = http://creativecommons.org/licenses/by/3.0;
  };
-  cddl = {
+  cddl = spdx {
-    shortName = "CDDL";
+    shortName = "CDDL-1.0";
-    fullName = "Common Development Distribution License ";
+    fullName = "Common Development and Distribution License 1.0";
    url = http://www.opensolaris.org/os/licensing/cddllicense.txt;
  };
-  cpl10 = {
+  cecill-c = spdx {
-    shortName = "CPL 1.0";
+    shortName = "CECILL-C";
-    fullName = "Common Public License version 1.0";
+    fullName  = "CeCILL-C Free Software License Agreement";
    url = http://www.eclipse.org/legal/cpl-v10.html;
  };
-  epl10 = {
+  cpl10 = spdx {
-    shortName = "EPL 1.0";
+    shortName = "CPL-1.0";
-    fullName = "Eclipse Public License version 1.0";
+    fullName = "Common Public License 1.0";
-    url = http://www.eclipse.org/legal/epl-v10.html;
+  };
  epl10 = spdx {
    shortName = "EPL-1.0";
    fullName = "Eclipse Public License 1.0";
  };
  free = "free";
-  gpl2 = {
+  gpl2 = spdx {
-    shortName = "GPLv2";
+    shortName = "GPL-2.0";
-    fullName = "GNU General Public License version 2";
+    fullName = "GNU General Public License v2.0 only";
    url = http://www.gnu.org/licenses/old-licenses/gpl-2.0.html;
  };
  gpl2Oss = {
-    shortName = "GPLv2+OSS";
+    shortName = "GPL-2.0-with-OSS";
    fullName = "GNU General Public License version 2 only (with OSI approved licenses linking exception)";
    url = http://www.mysql.com/about/legal/licensing/foss-exception;
  };
-  gpl2Plus = {
+  gpl2Plus = spdx {
-    shortName = "GPLv2+";
+    shortName = "GPL-2.0+";
-    fullName = "GNU General Public License version 2 or later";
+    fullName = "GNU General Public License v2.0 or later";
    url = http://www.gnu.org/licenses/old-licenses/gpl-2.0.html;
  };
-  gpl3 = {
+  gpl3 = spdx {
-    shortName = "GPLv3";
+    shortName = "GPL-3.0";
-    fullName = "GNU General Public License version 3 only";
+    fullName = "GNU General Public License v3.0 only";
    url = http://www.fsf.org/licensing/licenses/gpl.html;
  };
-  gpl3Plus = {
+  gpl3Plus = spdx {
-    shortName = "GPLv3+";
+    shortName = "GPL-3.0+";
-    fullName = "GNU General Public License version 3 or later";
+    fullName = "GNU General Public License v3.0 or later";
    url = http://www.fsf.org/licensing/licenses/gpl.html;
  };
  gpl3ClasspathPlus = {
-    shortName = "GPLv3+classpath+";
+    shortName = "GPL-3.0+-with-classpath-exception";
-    fullName = "GNU General Public License version 3 or later (with Classpath exception)";
+    fullName = "GNU General Public License v3.0 or later (with Classpath exception)";
    url = https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception;
  };
-  isc = {
+  inria = {
    shortName = "INRIA-NCLA";
    fullName  = "INRIA Non-Commercial License Agreement";
    url       = "http://compcert.inria.fr/doc/LICENSE";
  };
  ipa = spdx {
    shortName = "IPA";
    fullName = "IPA Font License";
  };
  ipl10 = spdx {
    shortName = "IPL-1.0";
    fullName = "IBM Public License v1.0";
  };
  isc = spdx {
    shortName = "ISC";
-    fullName = "Internet Systems Consortium License";
+    fullName = "ISC License";
    url = http://www.opensource.org/licenses/ISC;
  };
-  ipa = {
+  lgpl2 = spdx {
-    shortName = "IPA 1.0";
+    shortName = "LGPL-2.0";
-    fullName = "IPA Font License v1.0";
+    fullName = "GNU Library General Public License v2 only";
    url = http://ipafont.ipa.go.jp/ipafont/;
  };
-  ipl10 = {
+  lgpl2Plus = spdx {
-    shortName = "IPL 1.0";
+    shortName = "LGPL-2.0+";
-    fullName = "IBM Public License Version 1.0";
+    fullName = "GNU Library General Public License v2 or later";
    url = http://www.ibm.com/developerworks/opensource/library/os-i18n2/os-ipl.html;
  };
-  ijg = {
+  lgpl21 = spdx {
-    shortName = "IJG";
+    shortName = "LGPL-2.1";
-    fullName = "Independent JPEG Group License";
+    fullName = "GNU Library General Public License v2.1 only";
-    url = https://fedoraproject.org/wiki/Licensing/IJG;
+  };
  lgpl21Plus = spdx {
    shortName = "LGPL-2.1+";
    fullName = "GNU Library General Public License v2.1 or later";
  };
  lgpl3 = spdx {
    shortName = "LGPL-3.0";
    fullName = "GNU Lesser General Public License v3.0 only";
  };
  lgpl3Plus = spdx {
    shortName = "LGPL-3.0+";
    fullName = "GNU Lesser General Public License v3.0 or later";
  };
  libtiff = {
@ -156,76 +178,52 @@
    url = https://fedoraproject.org/wiki/Licensing/libtiff;
  };
  lgpl2 = {
    shortName = "LGPLv2";
    fullName = "GNU Library General Public License version 2";
    url = http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html;
  };
  lgpl2Plus = {
    shortName = "LGPLv2+";
    fullName = "GNU Library General Public License version 2 or later";
    url = http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html;
  };
  lgpl21 = {
    shortName = "LGPLv2.1";
    fullName = "GNU Lesser General Public License version 2.1";
    url = http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html;
  };
  lgpl21Plus = {
    shortName = "LGPLv2.1+";
    fullName = "GNU Lesser General Public License version 2.1 or later";
    url = http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html;
  };
  llgpl21 = {
-    shortName = "LLGPLv2.1";
+    shortName = "LLGPL-2.1";
    fullName = "Lisp LGPL; GNU Lesser General Public License version 2.1 with Franz Inc. preamble for clarification of LGPL terms in context of Lisp";
    url = http://opensource.franz.com/preamble.html;
  };
-  lgpl3 = {
+  lpl-102 = spdx {
-    shortName = "LGPLv3";
+    shortName = "LPL-1.02";
-    fullName = "GNU Lesser General Public License version 3 only";
+    fullName = "Lucent Public License v1.02";
    url = http://www.fsf.org/licensing/licenses/lgpl.html;
  };
-  lgpl3Plus = {
+  mit = spdx {
    shortName = "LGPLv3+";
    fullName = "GNU Lesser General Public License version 3 or later";
    url = http://www.fsf.org/licensing/licenses/lgpl.html;
  };
  mit = {
    shortName = "MIT";
-    fullName = "MIT/X11 license";
+    fullName = "MIT License";
    url = http://www.opensource.org/licenses/mit-license.php;
  };
-  mpl11 = {
+  mpl11 = spdx {
-    shortName = "MPL1.1";
+    shortName = "MPL-1.1";
-    fullName = "Mozilla Public License version 1.1";
+    fullName = "Mozilla Public License 1.1";
    url = http://www.mozilla.org/MPL/MPL-1.1.html;
  };
-  mpl20 = {
+  mpl20 = spdx {
-    shortName = "MPL2.0";
+    shortName = "MPL-2.0";
-    fullName = "Mozilla Public License version 2.0";
+    fullName = "Mozilla Public License 2.0";
    url = https://www.mozilla.org/MPL/2.0;
  };
-  ofl = {
+  msrla = {
-    shortName = "OFL";
+    shortName = "MSR-LA";
-    fullName = "SIL Open Font License";
+    fullName  = "Microsoft Research License Agreement";
-    url = "http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL_web";
+    url       = "http://research.microsoft.com/en-us/projects/pex/msr-la.txt";
  };
-  openssl = {
+  ofl = spdx {
-    shortName = "openssl";
+    shortName = "OFL-1.1";
-    fullName = "OpenSSL license";
+    fullName = "SIL Open Font License 1.1";
-    url = http://www.openssl.org/source/license.html;
+  };
  openssl = spdx {
    shortName = "OpenSSL";
    fullName = "OpenSSL License";
  };
  psfl = spdx {
    shortName = "Python-2.0";
    fullName = "Python Software Foundation License version 2";
    #url = http://docs.python.org/license.html;
  };
  publicDomain = {
@ -233,10 +231,9 @@
    fullname = "Public Domain";
  };
-  psfl = {
+  sleepycat = spdx {
-    shortName = "PSFL";
+    shortName = "Sleepycat";
-    fullName = "Python Software Foundation License";
+    fullName  = "Sleepycat License";
    url = http://docs.python.org/license.html;
  };
  tcltk = {
@ -257,45 +254,20 @@
    url = https://fedoraproject.org/wiki/Licensing:Wadalab?rd=Licensing/Wadalab;
  };
-  zlib = {
+  zlib = spdx {
-    shortName = "zlib";
+    shortName = "Zlib";
-    fullName = "zlib license";
+    fullName = "zlib License";
    url = http://www.gzip.org/zlib/zlib_license.html;
  };
-  zpt20 = {
+  zpt20 = spdx { # FIXME: why zpt* instead of zpl*
-    shortName = "ZPT2.0";
+    shortName = "ZPL-2.0";
    fullName = "Zope Public License 2.0";
    url = "http://old.zope.org/Resources/License/ZPL-2.0";
  };
-  zpt21 = {
+  zpt21 = spdx {
-    shortName = "ZPT2.1";
+    shortName = "ZPL-2.1";
    fullName = "Zope Public License 2.1";
    url = "http://old.zope.org/Resources/License/ZPL-2.1";
  };
  sleepycat = {
    shortName = "Sleepycat";
    fullName  = "Sleepycat Public License";
    url       = "https://en.wikipedia.org/wiki/Sleepycat_License";
  };
  cecill-c = {
    shortName = "CeCILL-C";
    fullName  = "CEA CNRS INRIA Logiciel Libre";
    url       = "http://www.cecill.info/licences.en.html";
  };
  msrla = {
    shortName = "MSR-LA";
    fullName  = "Microsoft Research License Agreement";
    url       = "http://research.microsoft.com/en-us/projects/pex/msr-la.txt";
  };
  inria = {
    shortName = "INRIA-NCLA";
    fullName  = "INRIA Non-Commercial License Agreement";
    url       = "http://compcert.inria.fr/doc/LICENSE";
  };
 }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -19,19 +19,23 @@
  astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
  aszlig = "aszlig <aszlig@redmoonstudios.org>";
  auntie = "Jonathan Glines <auntieNeo@gmail.com>";
  aycanirican = "Aycan iRiCAN <iricanaycan@gmail.com>";
  bbenoist = "Baptist BENOIST <return_0@live.com>";
  bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
  berdario = "Dario Bertini <berdario@gmail.com>";
  bergey = "Daniel Bergey <bergey@teallabs.org>";
  bjg = "Brian Gough <bjg@gnu.org>";
  bjornfor = "Bjørn Forsman <bjorn.forsman@gmail.com>";
  bluescreen303 = "Mathijs Kwik <mathijs@bluescreen303.nl>";
  bodil = "Bodil Stokke <nix@bodil.org>";
  bosu = "Boris Sukholitko <boriss@gmail.com>";
  calrama = "Moritz Maxeiner <moritz@ucworks.org>";
  cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
  chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
  coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
  coroa = "Jonas Hörsch <jonas@chaoflow.net>";
  cstrahan = "Charles Strahan <charles.c.strahan@gmail.com>";
  DamienCassou = "Damien Cassou <damien.cassou@gmail.com>";
  ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
  edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
  eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
@ -44,6 +48,7 @@
  goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
  guibert = "David Guibert <david.guibert@gmail.com>";
  hinton = "Tom Hinton <t@larkery.com>";
  hrdinka = "Christoph Hrdinka <c.nix@hrdinka.at>";
  ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
  iElectric = "Domen Kozar <domen@dev.si>";
  iyzsong = "Song Wenwu <iyzsong@gmail.com>";
@ -55,15 +60,20 @@
  kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
  ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>";
  lethalman = "Luca Bruno <lucabru@src.gnome.org>";
  lhvwb = "Nathaniel Baxter <nathaniel.baxter@gmail.com>";
  linquize = "Linquize <linquize@yahoo.com.hk>";
  lovek323 = "Jason O'Conal <jason@oconal.id.au>";
  ludo = "Ludovic Courtès <ludo@gnu.org>";
  madjar = "Georges Dubus <georges.dubus@compiletoi.net>";
  marcweber = "Marc Weber <marco-oweber@gmx.de>";
  matejc = "Matej Cotman <cotman.matej@gmail.com>";
  meisternu = "Matt Miemiec <meister@krutt.org>";
  modulistic = "Pablo Costa <modulistic@gmail.com>";
  mornfall = "Petr Ročkai <me@mornfall.net>";
  msackman = "Matthew Sackman <matthew@wellquite.org>";
  nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
  MP2E = "Cray Elliott <MP2E@archlinux.us>";
  notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
  ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
  offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
  orbitz = "Malcolm Matalka <mmatalka@gmail.com>";
@ -77,6 +87,7 @@
  qknight = "Joachim Schiele <js@lastlog.de>";
  raskin = "Michael Raskin <7c6f434c@mail.ru>";
  redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
  refnil = "Martin Lavoie <broemartino@gmail.com>";
  relrod = "Ricky Elrod <ricky@elrod.me>";
  rickynils = "Rickard Nilsson <rickynils@gmail.com>";
  rob = "Rob Vermaas <rob.vermaas@gmail.com>";
@ -87,13 +98,16 @@
  sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
  shlevy = "Shea Levy <shea@shealevy.com>";
  simons = "Peter Simons <simons@cryp.to>";
  skeidel = "Sven Keidel <svenkeidel@gmail.com>";
  smironov = "Sergey Mironov <ierton@gmail.com>";
  sprock = "Roger Mason <rmason@mun.ca>";
  tailhook = "Paul Colomiets <paul@colomiets.name>";
  thammers = "Tobias Hammerschmidt <jawr@gmx.de>";
  the-kenny = "Moritz Ulrich <moritz@tarn-vedra.de>";
  thoughtpolice = "Austin Seipp <aseipp@pobox.com>";
  tomberek = "Thomas Bereknyei <tomberek@gmail.com>";
  ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
  tv = "Tomislav Viljetić <tv@shackspace.de>";
  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
  vbmithr = "Vincent Bernardoff <vb@luminar.eu.org>";
  vcunat = "Vladimír Čunát <vcunat@gmail.com>";
@ -102,6 +116,8 @@
  vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
  winden = "Antonio Vargas Gonzalez <windenntw@gmail.com>";
  wizeman = "Ricardo M. Correia <rcorreia@wizy.org>";
  wjlroe = "William Roe <willroe@gmail.com>";
  wkennington = "William A. Kennington III <william@wkennington.com>";
  wmertens = "Wout Mertens <Wout.Mertens@gmail.com>";
  z77z = "Marco Maggesi <maggesi@math.unifi.it>";
  zef = "Zef Hemel <zef@zef.me>";
--- a/lib/platforms.nix
+++ b/lib/platforms.nix
@ -11,6 +11,6 @@ rec {
  unix = linux ++ darwin ++ freebsd ++ openbsd;
  all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd;
  none = [];
-  allBut = platform: lists.filter (x: platform != x) all;
+  allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
  mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux"];
 }
--- a/lib/types.nix
+++ b/lib/types.nix
@ -200,6 +200,12 @@ rec {
      merge = mergeOneOption;
    };
    either = t1: t2: mkOptionType {
      name = "${t1.name} or ${t2.name}";
      check = x: t1.check x || t2.check x;
      merge = mergeOneOption;
    };
    # Obsolete alternative to configOf.  It takes its option
    # declarations from the ‘options’ attribute of containing option
    # declaration.
--- a/maintainers/scripts/sort-attrs.str
+++ b/maintainers/scripts/sort-attrs.str
@ -1,146 +0,0 @@
 /* Tool to sort attribute sets.  Primarily useful for keeping
   all-packages.nix tidy.
   To compile:
   $ strc -i ../../maintainers/scripts/sort-attrs.str -la stratego-lib
   Typical invocation:
   $ sglr -m -p ~/Dev/nix/src/libexpr/nix.tbl -i all-packages.nix \
     | implode-asfix --lex \
     | ../../maintainers/scripts/sort-attrs \
     | asfix-yield
 */
 module sort-attrs
 imports
  libstratego-lib
  libstratego-sglr
 strategies
  no-wsp = !appl(prod([], cf(opt(layout())), no-attrs()), [])
 rules
  list-sep(s): [] -> []
  list-sep(s): [x | xs] -> [[x | before] | <list-sep(s)> [split | after]]
    where
      <split-fetch-keep(s)> xs => (before, split, after)
  list-sep(s): [x | xs] -> [[x | xs]]
    where
      <not(split-fetch-keep(s))> xs
  list-sep-end(s): xs -> [<conc> (before, [split]) | <list-sep-end(s)> after]
    where
      <split-fetch-keep(s)> xs => (before, split, after)
  list-sep-end(s): xs -> [xs]
    where
      <not(split-fetch-keep(s))> xs
  sort-attrs:
    appl(p@prod(_, _, attrs([term(cons("Attrs"))])),
      [ lit("{")
      , ws1
      , appl(p2@list(cf(iter-star(sort("Bind")))), attrs)
      , ws2
      , lit("}")
      ]
    ) ->
    appl(p, [lit("{"), <no-wsp>, appl(p2, <concat> attrs'), ws2, lit("}")])
    where
      <debug> "found it";
      <attach-wsp> [ws1 | attrs] => withWSP;
      <list-sep(starts-section)> withWSP => groups;
      <length; debug> groups;
      <map({x', x'', x''', xs', starts, starts': \[x | xs] -> [x''' | xs']
        where
          <remove-section-start> x => (x', starts);
          <map(regularise-empty-lines); if !starts; debug; sortable-section; debug then qsort(compare-attrs) else id end> [x' | xs] => [x'' | xs'];
          <[] <+ \x -> ["\n\n\n" | x]\ > starts => starts';
          <prepend-layout> (starts', x'') => x'''
      \ })> groups => attrs';
      <debug> "did it"
  attach-wsp: [a, b | cs] -> [(a, b) | <attach-wsp> cs]
  attach-wsp: [] -> []
 strategies
  starts-section =
    ?x@(appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs), attr);
    <implode-string; is-substring(!"###")> cs;
    !x
 rules
  sortable-section = ?[s]; !s; explode-string; not(fetch({x: ?x; !(x, 97); geq}))
  remove-section-start:
    (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs), attr) ->
    ((appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs'), attr), starts)
    where
      !cs;
      list-sep-end(?10); // separate into lines, keeping the \n
      map(implode-string);
      partition(where(is-substring(!"###"))) => (starts, rest);
      <map(explode-string); concat> rest => cs'
  regularise-empty-lines:
    (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs), attr) ->
    (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs''), attr)
    where
      // separate into lines, keeping the \n
      // last whitespace is significant, keep
      <list-sep-end(?10); split-init-last> cs => (init, last);
      <regularise-empty-lines'> init => cs'; // remove whitespace-only lines
      <concat> [<explode-string> "\n\n", <concat> cs', last] => cs'' // add one empty line
  /* Dirty hack: *do* keep the first empty line following a non-empty line. !!! order matters */
  regularise-empty-lines': [] -> []
  regularise-empty-lines': [x, y | xs] -> [x, y | <regularise-empty-lines'> xs]
    where
      <fetch-elem(not(?10 <+ ?32))> x;
      <not(fetch-elem(not(?10 <+ ?32)))> y
  regularise-empty-lines': [x | xs] -> [x | <regularise-empty-lines'> xs]
    where <fetch-elem(not(?10 <+ ?32))> x
  regularise-empty-lines': [x | xs] -> <regularise-empty-lines'> xs
    where <not(fetch-elem(not(?10 <+ ?32)))> x
  prepend-layout:
    (text, (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs), attr)) ->
    (appl(prod([cf(layout())], cf(opt(layout())), no-attrs()), cs''), attr)
    where
      <implode-string> cs => cs';
      <conc-strings; explode-string> (<concat-strings> text, cs') => cs''
  compare-attrs:
    x@
    ( (_, appl(p1@prod(_, _, attrs([term(cons("Bind"))])), [id1 | xs1]))
    , (_, appl(p2@prod(_, _, attrs([term(cons("Bind"))])), [id2 | xs2]))
    )
    -> x
    where
      <string-lt> (id1, id2)
 strategies
  main = io-wrap(
    oncetd(sort-attrs)
  )
--- a/nixos/doc/manual/README
+++ b/nixos/doc/manual/README
@ -0,0 +1,12 @@
 To build the manual, you need Nix installed on your system (no need
 for NixOS). To install Nix, follow the instructions at
    https://nixos.org/nix/download.html
 When you have Nix on your system, in the root directory of the project
 (i.e., `nixpkgs`), run:
    nix-build nixos/release.nix -A manual.x86_64-linux
 When this command successfully finishes, it will tell you where the
 manual got generated.
--- a/nixos/doc/manual/configuration.xml
+++ b/nixos/doc/manual/configuration.xml
@ -1036,21 +1036,28 @@ users.extraUsers.alice =
  { createHome = true;
    home = "/home/alice";
    description = "Alice Foobar";
-    extraGroups = [ "wheel" ];
+    extraGroups = [ "wheel" "networkmanager" ];
    useDefaultShell = true;
    openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
  };
 </programlisting>
 Note that <literal>alice</literal> is a member of the
-<literal>wheel</literal> group, which allows her to use
+<literal>wheel</literal> and <literal>networkmanager</literal> groups,
-<command>sudo</command> to execute commands as
+which allows her to use <command>sudo</command> to execute commands as
-<literal>root</literal>.  Also note the SSH public key that allows
+<literal>root</literal> and to configure the network, respectively.
-remote logins with the corresponding private key.  Users created in
+Also note the SSH public key that allows remote logins with the
-this way do not have a password by default, so they cannot log in via
+corresponding private key. Users created in this way do not have a
-mechanisms that require a password.  However, you can use the
+password by default, so they cannot log in via mechanisms that require
-<command>passwd</command> program to set a password, which is retained
+a password. However, you can use the <command>passwd</command> program
-across invocations of <command>nixos-rebuild</command>.</para>
+to set a password, which is retained across invocations of
 <command>nixos-rebuild</command>.</para>
 <para>If you set users.mutableUsers to false, then the contents of /etc/passwd
 and /etc/group will be congruent to your NixOS configuration. For instance,
 if you remove a user from users.extraUsers and run nixos-rebuild, the user
 account will cease to exist. Also, imperative commands for managing users
 and groups, such as useradd, are no longer available.</para>
 <para>A user ID (uid) is assigned automatically.  You can also specify
 a uid manually by adding
@ -1277,6 +1284,28 @@ services.xserver.synaptics.twoFingerScroll = true;
 <section xml:id="sec-networking"><title>Networking</title>
 <section xml:id="sec-networkmanager"><title>NetworkManager</title>
 <para>To facilitate network configuration, some desktop environments
 use NetworkManager. You can enable NetworkManager by setting:
 <programlisting>
 services.networkmanager.enable = true;
 </programlisting>
 Some desktop managers (e.g., GNOME) enable NetworkManager
 automatically for you.</para>
 <para>All users that should have permission to change network settings
 must belong to the <code>networkmanager</code> group.</para>
 <note><para><code>services.networkmanager</code> and
 <code>services.wireless</code> can not be enabled at the same time:
 you can still connect to the wireless networks using
 NetworkManager.</para></note>
 </section>
 <section xml:id="sec-ssh"><title>Secure shell access</title>
 <para>Secure shell (SSH) access to your machine can be enabled by
@ -1399,6 +1428,11 @@ always allowed.)</para>
 <section xml:id="sec-wireless"><title>Wireless networks</title>
 <para>For a desktop installation using NetworkManager (e.g., GNOME),
 you just have to make sure the user is in the
 <code>networkmanager</code> group and you can skip the rest of this
 section on wireless networks.</para>
 <para>
 NixOS will start wpa_supplicant for you if you enable this setting:
@ -1471,10 +1505,11 @@ are specific to the kernel version, such as the NVIDIA video drivers.
 This ensures that driver packages are consistent with the
 kernel.</para>
-<para>The default Linux kernel configuration should be fine for most
+<para>The default Linux kernel configuration should be fine for most users. You can see the configuration of your current kernel with the following command:
-users.  You can see the configuration of your current kernel in
+<programlisting>
-<filename>/run/booted-system/kernel-modules/config</filename>.  If you
+cat /proc/config.gz | gunzip
-want to change the kernel configuration, you can use the
+</programlisting>
 If you want to change the kernel configuration, you can use the
 <option>packageOverrides</option> feature (see <xref
 linkend="sec-customising-packages" />).  For instance, to enable
 support for the kernel debugger KGDB:
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@ -1,5 +1,6 @@
 { pkgs, options, version, revision }:
 with pkgs;
 with pkgs.lib;
 let
@ -22,7 +23,7 @@ let
  optionsXML = builtins.toFile "options.xml" (builtins.unsafeDiscardStringContext (builtins.toXML options''));
-  optionsDocBook = pkgs.runCommand "options-db.xml" {} ''
+  optionsDocBook = runCommand "options-db.xml" {} ''
    if grep /nixpkgs/nixos/modules ${optionsXML}; then
      echo "The manual appears to depend on the location of Nixpkgs, which is bad"
      echo "since this prevents sharing via the NixOS channel.  This is typically"
@ -30,7 +31,7 @@ let
      echo "for hints about the offending path)."
      exit 1
    fi
-    ${pkgs.libxslt}/bin/xsltproc \
+    ${libxslt}/bin/xsltproc \
      --stringparam revision '${revision}' \
      -o $out ${./options-to-docbook.xsl} ${optionsXML}
  '';
@ -38,12 +39,12 @@ let
 in rec {
  # Generate the NixOS manual.
-  manual = pkgs.stdenv.mkDerivation {
+  manual = stdenv.mkDerivation {
    name = "nixos-manual";
    sources = sourceFilesBySuffices ./. [".xml"];
-    buildInputs = [ pkgs.libxml2 pkgs.libxslt ];
+    buildInputs = [ libxml2 libxslt ];
    xsltFlags = ''
      --param section.autolabel 1
@ -62,19 +63,19 @@ in rec {
      # Check the validity of the manual sources.
      xmllint --noout --nonet --xinclude --noxincludenode \
-        --relaxng ${pkgs.docbook5}/xml/rng/docbook/docbook.rng \
+        --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
        manual.xml
      # Generate the HTML manual.
      dst=$out/share/doc/nixos
-      ensureDir $dst
+      mkdir -p $dst
      xsltproc $xsltFlags --nonet --xinclude \
        --output $dst/manual.html \
-        ${pkgs.docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
+        ${docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
        ./manual.xml
      mkdir -p $dst/images/callouts
-      cp ${pkgs.docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/images/callouts/
+      cp ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/images/callouts/
      cp ${./style.css} $dst/style.css
@ -86,13 +87,39 @@ in rec {
    meta.description = "The NixOS manual in HTML format";
  };
  manualPDF = stdenv.mkDerivation {
    name = "nixos-manual-pdf";
    sources = sourceFilesBySuffices ./. [".xml"];
    buildInputs = [ libxml2 libxslt dblatex tetex ];
    buildCommand = ''
      # TeX needs a writable font cache.
      export VARTEXFONTS=$TMPDIR/texfonts
      ln -s $sources/*.xml . # */
      ln -s ${optionsDocBook} options-db.xml
      echo "${version}" > version
      dst=$out/share/doc/nixos
      mkdir -p $dst
      xmllint --xinclude manual.xml | dblatex -o $dst/manual.pdf - \
        -P doc.collab.show=0 \
        -P latex.output.revhistory=0
      mkdir -p $out/nix-support
      echo "doc-pdf manual $dst/manual.pdf" >> $out/nix-support/hydra-build-products
    ''; # */
  };
  # Generate the NixOS manpages.
-  manpages = pkgs.stdenv.mkDerivation {
+  manpages = stdenv.mkDerivation {
    name = "nixos-manpages";
    sources = sourceFilesBySuffices ./. [".xml"];
-    buildInputs = [ pkgs.libxml2 pkgs.libxslt ];
+    buildInputs = [ libxml2 libxslt ];
    buildCommand = ''
      ln -s $sources/*.xml . # */
@ -100,7 +127,7 @@ in rec {
      # Check the validity of the manual sources.
      xmllint --noout --nonet --xinclude --noxincludenode \
-        --relaxng ${pkgs.docbook5}/xml/rng/docbook/docbook.rng \
+        --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
        ./man-pages.xml
      # Generate manpages.
@ -109,7 +136,7 @@ in rec {
        --param man.output.in.separate.dir 1 \
        --param man.output.base.dir "'$out/share/man/'" \
        --param man.endnotes.are.numbered 0 \
-        ${pkgs.docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \
+        ${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \
        ./man-pages.xml
    '';
  };
--- a/nixos/doc/manual/installation.xml
+++ b/nixos/doc/manual/installation.xml
@ -320,7 +320,10 @@ changes:
 <itemizedlist>
  <listitem>
    <para>You should boot the live CD in UEFI mode (consult your
-    specific hardware's documentation for instructions).</para>
+    specific hardware's documentation for instructions). You may find
    the <link
    xlink:href="http://www.rodsbooks.com/refind">rEFInd
    boot manager</link> useful.</para>
  </listitem>
  <listitem>
    <para>Instead of <command>fdisk</command>, you should use
@ -335,6 +338,11 @@ changes:
    should do this automatically for new configurations when booted in
    UEFI mode.</para>
  </listitem>
  <listitem>
    <para>After having mounted your installation partition to
    <code>/mnt</code>, you must mount the <code>boot</code> partition
    to <code>/mnt/boot</code>.</para>
  </listitem>
  <listitem>
    <para>You may want to look at the options starting with
    <option>boot.loader.efi</option> and <option>boot.loader.gummiboot</option>
--- a/nixos/doc/manual/manual.xml
+++ b/nixos/doc/manual/manual.xml
@ -7,25 +7,6 @@
    <title>NixOS Manual</title>
    <subtitle>Version <xi:include href="version" parse="text" /></subtitle>
    <author>
      <personname>
        <firstname>Eelco</firstname>
        <surname>Dolstra</surname>
      </personname>
    </author>
    <author>
      <personname>
        <firstname>Nicolas</firstname>
        <surname>Pierron</surname>
      </personname>
    </author>
    <copyright>
      <year>2007-2013</year>
      <holder>Eelco Dolstra</holder>
    </copyright>
  </info>
--- a/nixos/doc/manual/options-to-docbook.xsl
+++ b/nixos/doc/manual/options-to-docbook.xsl
@ -202,4 +202,10 @@
    </simplelist>
  </xsl:template>
  <xsl:template match="function">
    <xsl:text>λ</xsl:text>
  </xsl:template>
 </xsl:stylesheet>
--- a/nixos/lib/make-iso9660-image.sh
+++ b/nixos/lib/make-iso9660-image.sh
@ -78,7 +78,7 @@ done
 cat pathlist | sed -e 's/=\(.*\)=\(.*\)=/\\=\1=\2\\=/' | tee pathlist.safer
-ensureDir $out/iso
+mkdir -p $out/iso
 genCommand="genisoimage -iso-level 4 -r -J $bootFlags -hide-rr-moved -graft-points -path-list pathlist.safer ${volumeID:+-V $volumeID}"
 if test -z "$compressImage"; then
    $genCommand -o $out/iso/$isoName
@ -87,5 +87,5 @@ else
 fi
-ensureDir $out/nix-support
+mkdir -p $out/nix-support
 echo $system > $out/nix-support/system
--- a/nixos/lib/make-system-tarball.sh
+++ b/nixos/lib/make-system-tarball.sh
@ -48,11 +48,11 @@ for ((n = 0; n < ${#objects[*]}; n++)); do
    fi
 done
-ensureDir $out/tarball
+mkdir -p $out/tarball
 tar cvJf $out/tarball/$fileName.tar.xz *
-ensureDir $out/nix-support
+mkdir -p $out/nix-support
 echo $system > $out/nix-support/system
 echo "file system-tarball $out/tarball/$fileName.tar.xz" > $out/nix-support/hydra-build-products
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@ -117,7 +117,7 @@ rec {
      report = releaseTools.gcovReport { coverageRuns = [ test ]; };
-    in (if makeCoverageReport then report else test) // { inherit driver test; };
+    in (if makeCoverageReport then report else test) // { inherit nodes driver test; };
  runInMachine =
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@ -217,9 +217,7 @@ in
    systemd.services = mkIf cfg.daemon.enable {
      nslcd = {
-        wantedBy = [ "nss-user-lookup.target" ];
+        wantedBy = [ "multi-user.target" ];
        before = [ "nss-user-lookup.target" ];
        after = [ "network.target" ];
        preStart = ''
          mkdir -p /run/nslcd
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@ -80,12 +80,12 @@ in {
      package = mkOption {
        type = types.package;
-        default = pulseaudio;
+        default = pulseaudioFull;
-        example = literalExample "pulseaudio.override { jackaudioSupport = true; }";
+        example = literalExample "pulseaudioFull";
        description = ''
-          The PulseAudio derivation to use.  This can be used to enable
+          The PulseAudio derivation to use.  This can be used to disable
-          features (such as JACK support) that are not enabled in the
+          features (such as JACK support, Bluetooth) that are enabled in the
-          default PulseAudio in Nixpkgs.
+          pulseaudioFull package in Nixpkgs.
        '';
      };
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@ -110,6 +110,7 @@ in
        "/man"
        "/sbin"
        "/share/emacs"
        "/share/vim-plugins"
        "/share/org"
        "/share/info"
        "/share/terminfo"
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -404,7 +404,7 @@ in {
        uid = ids.uids.root;
        description = "System administrator";
        home = "/root";
-        shell = cfg.defaultUserShell;
+        shell = mkDefault cfg.defaultUserShell;
        group = "root";
        extraGroups = [ "grsecurity" ];
        hashedPassword = mkDefault config.security.initialRootPassword;
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@ -179,7 +179,6 @@ in
    fileSystems."/" =
      { fsType = "tmpfs";
        device = "none";
        options = "mode=0755";
      };
@ -192,6 +191,8 @@ in
        noCheck = true;
      };
    # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
    # image) to make this a live CD.
    fileSystems."/nix/.ro-store" =
      { fsType = "squashfs";
        device = "/iso/nix-store.squashfs";
@ -201,23 +202,20 @@ in
    fileSystems."/nix/.rw-store" =
      { fsType = "tmpfs";
        device = "none";
        options = "mode=0755";
        neededForBoot = true;
      };
    fileSystems."/nix/store" =
      { fsType = "unionfs-fuse";
        device = "unionfs";
        options = "allow_other,cow,nonempty,chroot=/mnt-root,max_files=32768,hide_meta_files,dirs=/nix/.rw-store=rw:/nix/.ro-store=ro";
      };
    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" ];
    boot.initrd.kernelModules = [ "loop" ];
    # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
    # image) to make this a live CD.
    boot.initrd.postMountCommands =
      ''
        mkdir -p $targetRoot/nix/store
        unionfs -o allow_other,cow,nonempty,chroot=$targetRoot,max_files=32768 /nix/.rw-store=RW:/nix/.ro-store=RO $targetRoot/nix/store
      '';
    # Closures to be copied to the Nix store on the CD, namely the init
    # script and the top-level system configuration directory.
    isoImage.storeContents =
@ -313,8 +311,8 @@ in
      '';
    # Add vfat support to the initrd to enable people to copy the
-    # contents of the CD to a bootable USB stick. Need unionfs-fuse for union mounts
+    # contents of the CD to a bootable USB stick.
-    boot.initrd.supportedFilesystems = [ "vfat" "unionfs-fuse" ];
+    boot.initrd.supportedFilesystems = [ "vfat" ];
  };
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@ -81,7 +81,7 @@ mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
 rm -rf $mountPoint/var/run
 ln -s /run $mountPoint/var/run
 rm -f $mountPoint/etc/{resolv.conf,hosts}
-cp -f /etc/resolv.conf /etc/hosts $mountPoint/etc/
+cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/
 if [ -n "$runChroot" ]; then
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@ -225,7 +225,10 @@ fi
 # If we're not just building, then make the new configuration the boot
 # default and/or activate it now.
 if [ "$action" = switch -o "$action" = boot -o "$action" = test ]; then
-    $pathToConfig/bin/switch-to-configuration "$action"
+    if ! $pathToConfig/bin/switch-to-configuration "$action"; then
        echo "warning: there were error switching to the new configuration" >&2
        exit 1
    fi
 fi
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -136,6 +136,17 @@
      nsd = 126;
      gitolite = 127;
      znc = 128;
      polipo = 129;
      mopidy = 130;
      unifi = 131;
      gdm = 132;
      dhcpd = 133;
      siproxd = 134;
      mlmmj = 135;
      neo4j = 136;
      riemann = 137;
      riemanndash = 138;
      radvd = 139;
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -244,7 +255,17 @@
      teamspeak = 124;
      influxdb = 125;
      nsd = 126;
      firebird = 127;
      znc = 128;
      polipo = 129;
      mopidy = 130;
      docker = 131;
      gdm = 132;
      tss = 133;
      siproxd = 134;
      mlmmj = 135;
      riemann = 137;
      riemanndash = 138;
      # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@ -3,12 +3,8 @@
 with lib;
 let
-
+  cfg = config.services.locate;
-  locatedb = "/var/cache/locatedb";
+in {
 in
 {
  ###### interface
@ -35,6 +31,31 @@ in
        '';
      };
      extraFlags = mkOption {
        type = types.listOf types.str;
        default = [ ];
        description = ''
          Extra flags to append to <command>updatedb</command>.
        '';
      };
      output = mkOption {
        type = types.path;
        default = /var/cache/locatedb;
        description = ''
          The database file to build.
        '';
      };
      localuser = mkOption {
        type = types.str;
        default = "nobody";
        description = ''
          The user to search non-network directories as, using
          <command>su</command>.
        '';
      };
    };
  };
@ -48,8 +69,10 @@ in
        path  = [ pkgs.su ];
        script =
          ''
-            mkdir -m 0755 -p $(dirname ${locatedb})
+            mkdir -m 0755 -p $(dirname ${toString cfg.output})
-            exec updatedb --localuser=nobody --output=${locatedb} --prunepaths='/tmp /var/tmp /media /run'
+            exec updatedb \
            --localuser=${cfg.localuser} \
            --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
          '';
        serviceConfig.Nice = 19;
        serviceConfig.IOSchedulingClass = "idle";
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -14,17 +14,17 @@
  ./config/power-management.nix
  ./config/pulseaudio.nix
  ./config/shells-environment.nix
  ./config/system-environment.nix
  ./config/swap.nix
  ./config/sysctl.nix
  ./config/system-environment.nix
  ./config/system-path.nix
  ./config/timezone.nix
  ./config/unix-odbc-drivers.nix
  ./config/users-groups.nix
  ./config/zram.nix
  ./hardware/all-firmware.nix
  ./hardware/cpu/intel-microcode.nix
  ./hardware/cpu/amd-microcode.nix
  ./hardware/cpu/intel-microcode.nix
  ./hardware/network/b43.nix
  ./hardware/network/intel-2100bg.nix
  ./hardware/network/intel-2200bg.nix
@ -50,8 +50,11 @@
  ./programs/bash/bash.nix
  ./programs/bash/command-not-found.nix
  ./programs/blcr.nix
  ./programs/dconf.nix
  ./programs/environment.nix
  ./programs/info.nix
  ./programs/nano.nix
  ./programs/screen.nix
  ./programs/shadow.nix
  ./programs/shell.nix
  ./programs/ssh.nix
@ -59,7 +62,6 @@
  ./programs/venus.nix
  ./programs/wvdial.nix
  ./programs/zsh/zsh.nix
  ./programs/screen.nix
  ./rename.nix
  ./security/apparmor.nix
  ./security/apparmor-suid.nix
@ -79,6 +81,7 @@
  ./services/audio/alsa.nix
  ./services/audio/fuppes.nix
  ./services/audio/mpd.nix
  ./services/audio/mopidy.nix
  ./services/backup/almir.nix
  ./services/backup/bacula.nix
  ./services/backup/mysql-backup.nix
@ -92,15 +95,16 @@
  ./services/databases/4store.nix
  ./services/databases/couchdb.nix
  ./services/databases/firebird.nix
  ./services/databases/influxdb.nix
  ./services/databases/memcached.nix
  ./services/databases/monetdb.nix
  ./services/databases/mongodb.nix
  ./services/databases/redis.nix
  ./services/databases/mysql.nix
  ./services/databases/neo4j.nix 
  ./services/databases/openldap.nix
  ./services/databases/postgresql.nix
  ./services/databases/redis.nix
  ./services/databases/virtuoso.nix
  ./services/databases/monetdb.nix
  ./services/databases/influxdb.nix
  ./services/desktops/accountsservice.nix
  ./services/desktops/geoclue2.nix
  ./services/desktops/gnome3/at-spi2-core.nix
@ -124,19 +128,22 @@
  ./services/hardware/pcscd.nix
  ./services/hardware/pommed.nix
  ./services/hardware/sane.nix
  ./services/hardware/tcsd.nix
  ./services/hardware/thinkfan.nix
  ./services/hardware/udev.nix
  ./services/hardware/udisks2.nix
  ./services/hardware/upower.nix
  ./services/hardware/thinkfan.nix
  ./services/logging/klogd.nix
  ./services/logging/logcheck.nix
  ./services/logging/logrotate.nix
  ./services/logging/logstash.nix
  ./services/logging/syslogd.nix
  ./services/logging/rsyslogd.nix
  ./services/logging/syslogd.nix
  ./services/logging/syslog-ng.nix
  ./services/mail/dovecot.nix
  ./services/mail/freepops.nix
  ./services/mail/mail.nix
  ./services/mail/mlmmj.nix
  ./services/mail/opensmtpd.nix
  ./services/mail/postfix.nix
  ./services/mail/spamassassin.nix
@ -146,14 +153,15 @@
  ./services/misc/disnix.nix
  ./services/misc/felix.nix
  ./services/misc/folding-at-home.nix
  ./services/misc/gpsd.nix
  ./services/misc/gitolite.nix
  ./services/misc/gpsd.nix
  ./services/misc/nix-daemon.nix
  ./services/misc/nix-gc.nix
  ./services/misc/nix-ssh-serve.nix
  ./services/misc/nixos-manual.nix
  ./services/misc/nix-ssh-serve.nix
  ./services/misc/rippled.nix
  ./services/misc/rogue.nix
  ./services/misc/siproxd.nix
  ./services/misc/svnserve.nix
  ./services/misc/synergy.nix
  ./services/monitoring/apcupsd.nix
@ -162,6 +170,8 @@
  ./services/monitoring/monit.nix
  ./services/monitoring/munin.nix
  ./services/monitoring/nagios.nix
  ./services/monitoring/riemann.nix
  ./services/monitoring/riemann-dash.nix
  ./services/monitoring/smartd.nix
  ./services/monitoring/statsd.nix
  ./services/monitoring/systemhealth.nix
@ -179,24 +189,23 @@
  ./services/networking/bind.nix
  ./services/networking/bitlbee.nix
  ./services/networking/btsync.nix
  ./services/networking/cjdns.nix
  ./services/networking/connman.nix
  ./services/networking/cntlm.nix
  ./services/networking/chrony.nix
  ./services/networking/cjdns.nix
  ./services/networking/cntlm.nix
  ./services/networking/connman.nix
  ./services/networking/ddclient.nix
  ./services/networking/dhcpcd.nix
  ./services/networking/dhcpd.nix
  ./services/networking/dnsmasq.nix
  ./services/networking/ejabberd.nix
  ./services/networking/firewall.nix
  ./services/networking/haproxy.nix
  ./services/networking/tcpcrypt.nix
  ./services/networking/flashpolicyd.nix
  ./services/networking/freenet.nix
  ./services/networking/git-daemon.nix
  ./services/networking/gnunet.nix
  ./services/networking/gogoclient.nix
  ./services/networking/gvpe.nix
  ./services/networking/haproxy.nix
  ./services/networking/hostapd.nix
  ./services/networking/ifplugd.nix
  ./services/networking/iodined.nix
@ -214,6 +223,7 @@
  ./services/networking/oidentd.nix
  ./services/networking/openfire.nix
  ./services/networking/openvpn.nix
  ./services/networking/polipo.nix
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
  ./services/networking/quassel.nix
@ -224,13 +234,15 @@
  ./services/networking/sabnzbd.nix
  ./services/networking/searx.nix
  ./services/networking/spiped.nix
  ./services/networking/supybot.nix
  ./services/networking/syncthing.nix
  ./services/networking/ssh/lshd.nix
  ./services/networking/ssh/sshd.nix
  ./services/networking/supybot.nix
  ./services/networking/syncthing.nix
  ./services/networking/tcpcrypt.nix
  ./services/networking/teamspeak3.nix
  ./services/networking/tftpd.nix
  ./services/networking/unbound.nix
  ./services/networking/unifi.nix
  ./services/networking/vsftpd.nix
  ./services/networking/wakeonlan.nix
  ./services/networking/websockify.nix
@ -245,11 +257,11 @@
  ./services/search/elasticsearch.nix
  ./services/search/solr.nix
  ./services/security/clamav.nix
  ./services/security/haveged.nix
  ./services/security/fprot.nix
  ./services/security/frandom.nix
-  ./services/security/tor.nix
+  ./services/security/haveged.nix
  ./services/security/torify.nix
  ./services/security/tor.nix
  ./services/security/torsocks.nix
  ./services/system/dbus.nix
  ./services/system/kerberos.nix
@ -257,14 +269,14 @@
  ./services/system/uptimed.nix
  ./services/torrent/deluge.nix
  ./services/torrent/transmission.nix
  ./services/ttys/gpm.nix
  ./services/ttys/agetty.nix
  ./services/ttys/gpm.nix
  ./services/ttys/kmscon.nix
  ./services/web-servers/apache-httpd/default.nix
  ./services/web-servers/fcgiwrap.nix
  ./services/web-servers/jboss/default.nix
  ./services/web-servers/lighttpd/default.nix
  ./services/web-servers/lighttpd/cgit.nix
  ./services/web-servers/lighttpd/default.nix
  ./services/web-servers/lighttpd/gitweb.nix
  ./services/web-servers/nginx/default.nix
  ./services/web-servers/phpfpm.nix
@ -275,26 +287,30 @@
  ./services/x11/desktop-managers/default.nix
  ./services/x11/display-managers/auto.nix
  ./services/x11/display-managers/default.nix
  ./services/x11/display-managers/gdm.nix
  ./services/x11/display-managers/kdm.nix
  ./services/x11/display-managers/slim.nix
  ./services/x11/display-managers/lightdm.nix
  ./services/x11/display-managers/slim.nix
  ./services/x11/hardware/multitouch.nix
  ./services/x11/hardware/synaptics.nix
  ./services/x11/hardware/wacom.nix
  ./services/x11/redshift.nix
  ./services/x11/window-managers/awesome.nix
  #./services/x11/window-managers/compiz.nix
  ./services/x11/window-managers/default.nix
  ./services/x11/window-managers/fluxbox.nix
  ./services/x11/window-managers/icewm.nix
  ./services/x11/window-managers/bspwm.nix
  ./services/x11/window-managers/metacity.nix
  ./services/x11/window-managers/none.nix
  ./services/x11/window-managers/twm.nix
  ./services/x11/window-managers/wmii.nix
  ./services/x11/window-managers/xmonad.nix
  ./services/x11/redshift.nix
  ./services/x11/xfs.nix
  ./services/x11/xserver.nix
  ./system/activation/activation-script.nix
  ./system/activation/top-level.nix
  ./system/boot/emergency-mode.nix
  ./system/boot/kernel.nix
  ./system/boot/kexec.nix
  ./system/boot/loader/efi.nix
@ -310,11 +326,14 @@
  ./system/boot/stage-1.nix
  ./system/boot/stage-2.nix
  ./system/boot/systemd.nix
  ./system/boot/tmp.nix
  ./system/etc/etc.nix
  ./system/upstart/upstart.nix
  ./tasks/cpu-freq.nix
  ./tasks/encrypted-devices.nix
  ./tasks/filesystems.nix
  ./tasks/filesystems/btrfs.nix
  ./tasks/filesystems/cifs.nix
  ./tasks/filesystems/ext.nix
  ./tasks/filesystems/f2fs.nix
  ./tasks/filesystems/nfs.nix
@ -323,7 +342,6 @@
  ./tasks/filesystems/vfat.nix
  ./tasks/filesystems/xfs.nix
  ./tasks/filesystems/zfs.nix
  ./tasks/encrypted-devices.nix
  ./tasks/kbd.nix
  ./tasks/lvm.nix
  ./tasks/network-interfaces.nix
@ -333,6 +351,7 @@
  ./testing/service-runner.nix
  ./virtualisation/container-config.nix
  ./virtualisation/containers.nix
  ./virtualisation/docker.nix
  ./virtualisation/libvirtd.nix
  #./virtualisation/nova.nix
  ./virtualisation/virtualbox-guest.nix
--- a/nixos/modules/profiles/all-hardware.nix
+++ b/nixos/modules/profiles/all-hardware.nix
@ -8,7 +8,7 @@
 {
  # The initrd has to contain any module that might be necessary for
-  # mounting the CD/DVD.
+  # supporting the most important parts of HW like drives.
  boot.initrd.availableKernelModules =
    [ # SATA/PATA support.
      "ahci"
@ -43,7 +43,7 @@
      "virtio_net" "virtio_pci" "virtio_blk" "virtio_balloon" "virtio_console"
      # Keyboards
-      "hid_apple"
+      "usbhid" "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
    ];
  # Include lots of firmware.
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@ -7,7 +7,6 @@
  # Include some utilities that are useful for installing or repairing
  # the system.
  environment.systemPackages = [
    pkgs.subversion # for nixos-checkout
    pkgs.w3m # needed for the manual anyway
    pkgs.testdisk # useful for repairing boot problems
    pkgs.mssys # for writing Microsoft boot sectors / MBRs
--- a/nixos/modules/programs/dconf.nix
+++ b/nixos/modules/programs/dconf.nix
@ -0,0 +1,34 @@
 { config, lib, ... }:
 let
  inherit (lib) mkOption mkIf types mapAttrsToList;
  cfg = config.programs.dconf;
  mkDconfProfile = name: path:
    { source = path; target = "dconf/profile/${name}"; };
 in
 {
  ###### interface
  options = {
    programs.dconf = {
      profiles = mkOption {
        type = types.attrsOf types.path;
        default = {};
        description = "Set of dconf profile files.";
        internal = true;
      };
    };
  };
  ###### implementation
  config = mkIf (cfg.profiles != {}) {
    environment.etc =
      (mapAttrsToList mkDconfProfile cfg.profiles);
  };
 }
--- a/nixos/modules/programs/info.nix
+++ b/nixos/modules/programs/info.nix
@ -2,6 +2,8 @@
 let
  texinfo = pkgs.texinfoInteractive;
  # Quick hack to make the `info' command work properly.  `info' needs
  # a "dir" file containing all the installed Info files, which we
  # don't have (it would be impure to have a package installation
@ -22,15 +24,15 @@ let
      for i in $(IFS=:; echo $INFOPATH); do
          for j in $i/*.info; do
-              ${pkgs.texinfo}/bin/install-info --quiet $j $dir/dir
+              ${texinfo}/bin/install-info --quiet $j $dir/dir
          done
      done
-      INFOPATH=$dir:$INFOPATH ${pkgs.texinfo}/bin/info "$@"
+      INFOPATH=$dir:$INFOPATH ${texinfo}/bin/info "$@"
    ''; # */
 in
 {
-  environment.systemPackages = [ infoWrapper pkgs.texinfo ];
+  environment.systemPackages = [ infoWrapper texinfo ];
 }
--- a/nixos/modules/programs/nano.nix
+++ b/nixos/modules/programs/nano.nix
@ -0,0 +1,35 @@
 { config, lib, ... }:
 let
  cfg = config.programs.nano;
 in
 {
  ###### interface
  options = {
    programs.nano = {
      nanorc = lib.mkOption {
        type = lib.types.lines;
        default = "";
        description = ''
          The system-wide nano configuration.
          See <citerefentry><refentrytitle>nanorc</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
        '';
        example = ''
          set nowrap
          set tabstospaces
          set tabsize 4
        '';
      };
    };
  };
  ###### implementation
  config = lib.mkIf (cfg.nanorc != "") {
    environment.etc."nanorc".text = cfg.nanorc;
  };
 }
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@ -13,8 +13,9 @@ with lib;
      ];
    environment.sessionVariables =
-      { OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
+      { SSL_CERT_FILE          = "/etc/ssl/certs/ca-bundle.crt";
-        CURL_CA_BUNDLE         = "/etc/ssl/certs/ca-bundle.crt";
+        # FIXME: unneeded - remove eventually.
        OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-bundle.crt";
      };
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -50,7 +50,7 @@ in
          description = ''
            grsecurity configuration mode. This specifies whether
            grsecurity is auto-configured or otherwise completely
-            manually configured. Can either by
+            manually configured. Can either be
            <literal>custom</literal> or <literal>auto</literal>.
            <literal>auto</literal> is recommended.
@ -64,7 +64,7 @@ in
          description = ''
            grsecurity configuration priority. This specifies whether
            the kernel configuration should emphasize speed or
-            security. Can either by <literal>security</literal> or
+            security. Can either be <literal>security</literal> or
            <literal>performance</literal>.
          '';
        };
@ -76,7 +76,7 @@ in
          description = ''
            grsecurity system configuration. This specifies whether
            the kernel configuration should be suitable for a Desktop
-            or a Server. Can either by <literal>server</literal> or
+            or a Server. Can either be <literal>server</literal> or
            <literal>desktop</literal>.
          '';
        };
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@ -30,7 +30,8 @@ with lib;
      description = "Hardware RNG Entropy Gatherer Daemon";
-      serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f";
+      serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" +
        (if config.services.tcsd.enable then " --no-tpm=1" else "");
      restartTriggers = [ pkgs.rng_tools ];
    };
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@ -97,8 +97,7 @@ in
          }:
          ''
-            source=${if source != "" then source else "$(PATH=$SETUID_PATH type -tP ${program})"}
+            if ! source=${if source != "" then source else "$(PATH=$SETUID_PATH type -tP ${program})"}; then
            if test -z "$source"; then
                # If we can't find the program, fall back to the
                # system profile.
                source=/nix/var/nix/profiles/default/bin/${program}
--- a/nixos/modules/services/amqp/activemq/default.nix
+++ b/nixos/modules/services/amqp/activemq/default.nix
@ -12,7 +12,7 @@ let
    phases = [ "installPhase" ];
    buildInputs = [ jdk ];
    installPhase = ''
-      ensureDir $out/lib
+      mkdir -p $out/lib
      source ${activemq}/lib/classpath.env
      export CLASSPATH
      ln -s "${./ActiveMQBroker.java}" ActiveMQBroker.java
--- a/nixos/modules/services/amqp/rabbitmq.nix
+++ b/nixos/modules/services/amqp/rabbitmq.nix
@ -4,6 +4,8 @@ with lib;
 let
  cfg = config.services.rabbitmq;
  config_file = pkgs.writeText "rabbitmq.config" cfg.config;
  config_file_wo_suffix = builtins.substring 0 ((builtins.stringLength config_file) - 7) config_file;
 in {
  ###### interface
@ -31,7 +33,6 @@ in {
        '';
      };
      dataDir = mkOption {
        type = types.path;
        default = "/var/lib/rabbitmq";
@ -40,6 +41,30 @@ in {
        '';
      };
      cookie = mkOption {
        default = "";
        type = types.str;
        description = ''
          Erlang cookie is a string of arbitrary length which must
          be the same for several nodes to be allowed to communicate.
          Leave empty to generate automatically.
        '';
      };
      config = mkOption {
        default = "";
        type = types.str;
        description = ''
          Verbatim configuration file contents.
          See http://www.rabbitmq.com/configure.htm
        '';
      };
      plugins = mkOption {
        default = [];
        type = types.listOf types.str;
        description = "The names of plugins to enable";
      };
    };
  };
@ -69,7 +94,10 @@ in {
        RABBITMQ_NODE_IP_ADDRESS = cfg.listenAddress;
        RABBITMQ_SERVER_START_ARGS = "-rabbit error_logger tty -rabbit sasl_error_logger false";
        SYS_PREFIX = "";
-      };
+        RABBITMQ_ENABLED_PLUGINS_FILE = pkgs.writeText "enabled_plugins" ''
          [ ${concatStringsSep "," cfg.plugins} ].
        '';
      } //  optionalAttrs (cfg.config != "") { RABBITMQ_CONFIG_FILE = config_file_wo_suffix; };
      serviceConfig = {
        ExecStart = "${pkgs.rabbitmq_server}/sbin/rabbitmq-server";
@ -81,6 +109,15 @@ in {
      preStart = ''
        mkdir -p ${cfg.dataDir} && chmod 0700 ${cfg.dataDir}
        if [ "$(id -u)" = 0 ]; then chown rabbitmq:rabbitmq ${cfg.dataDir}; fi
        ${optionalString (cfg.cookie != "") ''
            echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie
            chmod 400 ${cfg.dataDir}/.erlang.cookie
            chown rabbitmq:rabbitmq ${cfg.dataDir}/.erlang.cookie
        ''}
        mkdir -p /var/log/rabbitmq && chmod 0700 /var/log/rabbitmq
        chown rabbitmq:rabbitmq /var/log/rabbitmq
      '';
    };
--- a/nixos/modules/services/audio/mopidy.nix
+++ b/nixos/modules/services/audio/mopidy.nix
@ -0,0 +1,118 @@
 { config, lib, pkgs, ... }:
 with pkgs;
 with lib;
 let
  uid = config.ids.uids.mopidy;
  gid = config.ids.gids.mopidy;
  cfg = config.services.mopidy;
  mopidyConf = writeText "mopidy.conf" cfg.configuration;
  mopidyLauncher = stdenv.mkDerivation {
    name = "mopidy-launcher";
    phases = [ "installPhase" ];
    buildInputs = [ makeWrapper python ];
    installPhase = ''
      mkdir -p $out/bin
      ln -s ${mopidy}/bin/mopidy $out/bin/mopidy
      wrapProgram $out/bin/mopidy \
        --prefix PYTHONPATH : \
        "${concatStringsSep ":" (map (p: "$(toPythonPath ${p})") cfg.extensionPackages)}"
    '';
  };
 in {
  options = {
    services.mopidy = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to enable Mopidy, a music player daemon.
        '';
      };
      dataDir = mkOption {
        default = "/var/lib/mopidy";
        type = types.str;
        description = ''
          The directory where Mopidy stores its state.
        '';
      };
      extensionPackages = mkOption {
        default = [];
        type = types.listOf types.package;
        example = [ mopidy-spotify ];
        description = ''
          Mopidy extensions that should be loaded by the service.
        '';
      };
      configuration = mkOption {
        type = types.lines;
        description = ''
          The configuration that Mopidy should use.
        '';
      };
      extraConfigFiles = mkOption {
        default = [];
        type = types.listOf types.str;
        description = ''
          Extra config file read by Mopidy when the service starts.
          Later files in the list overrides earlier configuration.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    systemd.services.mopidy = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "sound.target" ];
      description = "mopidy music player daemon";
      preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy  ${cfg.dataDir}";
      serviceConfig = {
        ExecStart = "${mopidyLauncher}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}";
        User = "mopidy";
        PermissionsStartOnly = true;
      };
    };
    systemd.services.mopidy-scan = {
      description = "mopidy local files scanner";
      preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy  ${cfg.dataDir}";
      serviceConfig = {
        ExecStart = "${mopidyLauncher}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)} local scan";
        User = "mopidy";
        PermissionsStartOnly = true;
        Type = "oneshot";
      };
    };
    users.extraUsers.mopidy = {
      inherit uid;
      group = "mopidy";
      extraGroups = [ "audio" ];
      description = "Mopidy daemon user";
      home = "${cfg.dataDir}";
    };
    users.extraGroups.mopidy.gid = gid;
  };
 }
--- a/nixos/modules/services/databases/firebird.nix
+++ b/nixos/modules/services/databases/firebird.nix
@ -159,5 +159,7 @@ in
      uid = config.ids.uids.firebird;
    };
    users.extraGroups.firebird.gid = config.ids.gids.firebird;
  };
 }
--- a/nixos/modules/services/databases/neo4j.nix
+++ b/nixos/modules/services/databases/neo4j.nix
@ -0,0 +1,143 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.neo4j;
  serverConfig = pkgs.writeText "neo4j-server.properties" ''
    org.neo4j.server.database.location=${cfg.dataDir}/data/graph.db
    org.neo4j.server.webserver.address=${cfg.host}
    org.neo4j.server.webserver.port=${toString cfg.port}
    ${optionalString cfg.enableHttps ''
      org.neo4j.server.webserver.https.enabled=true
      org.neo4j.server.webserver.https.port=${toString cfg.httpsPort}
      org.neo4j.server.webserver.https.cert.location=${cfg.cert}
      org.neo4j.server.webserver.https.key.location=${cfg.key}
      org.neo4j.server.webserver.https.keystore.location=${cfg.dataDir}/data/keystore
    ''}
    org.neo4j.server.webadmin.rrdb.location=${cfg.dataDir}/data/rrd
    org.neo4j.server.webadmin.data.uri=/db/data/
    org.neo4j.server.webadmin.management.uri=/db/manage/
    org.neo4j.server.db.tuning.properties=${pkgs.neo4j}/share/neo4j/conf/neo4j.properties
    org.neo4j.server.manage.console_engines=shell
    ${cfg.extraServerConfig}
  '';
  loggingConfig = pkgs.writeText "logging.properties" cfg.loggingConfig;
  wrapperConfig = pkgs.writeText "neo4j-wrapper.conf" ''
    wrapper.java.additional=-Dorg.neo4j.server.properties=${serverConfig}
    wrapper.java.additional=-Djava.util.logging.config.file=${loggingConfig}
    wrapper.java.additional=-XX:+UseConcMarkSweepGC
    wrapper.java.additional=-XX:+CMSClassUnloadingEnabled
    wrapper.pidfile=${cfg.dataDir}/neo4j-server.pid
    wrapper.name=neo4j
  '';
 in {
  ###### interface
  options.services.neo4j = {
    enable = mkOption {
      description = "Whether to enable neo4j.";
      default = false;
      type = types.uniq types.bool;
    };
    host = mkOption {
      description = "Neo4j listen address.";
      default = "127.0.0.1";
      type = types.str;
    };
    port = mkOption {
      description = "Neo4j port to listen for HTTP traffic.";
      default = 7474;
      type = types.int;
    };
    enableHttps = mkOption {
      description = "Enable https for Neo4j.";
      default = false;
      type = types.bool;
    };
    httpsPort = mkOption {
      description = "Neo4j port to listen for HTTPS traffic.";
      default = 7473;
      type = types.int;
    };
    cert = mkOption {
      description = "Neo4j https certificate.";
      default = "${cfg.dataDir}/conf/ssl/neo4j.cert";
      type = types.path;
    };
    key = mkOption {
      description = "Neo4j https certificate key.";
      default = "${cfg.dataDir}/conf/ssl/neo4j.key";
      type = types.path;
    };
    dataDir = mkOption {
      description = "Neo4j data directory.";
      default = "/var/lib/neo4j";
      type = types.path;
    };
    loggingConfig = mkOption {
      description = "Neo4j logging configuration.";
      default = ''
        handlers=java.util.logging.ConsoleHandler
        .level=INFO
        org.neo4j.server.level=INFO
        java.util.logging.ConsoleHandler.level=INFO
        java.util.logging.ConsoleHandler.formatter=org.neo4j.server.logging.SimpleConsoleFormatter
        java.util.logging.ConsoleHandler.filter=org.neo4j.server.logging.NeoLogFilter
      '';
      type = types.lines;
    };
    extraServerConfig = mkOption {
      description = "Extra configuration for neo4j server.";
      default = "";
      type = types.lines;
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    systemd.services.neo4j = {
      description = "Neo4j Daemon";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-interfaces.target" ];
      environment = { NEO4J_INSTANCE = cfg.dataDir; };
      serviceConfig = {
        ExecStart = "${pkgs.neo4j}/bin/neo4j console";
        User = "neo4j";
        PermissionsStartOnly = true;
      };
      preStart = ''
        mkdir -m 0700 -p ${cfg.dataDir}/{data/graph.db,conf}
        ln -fs ${wrapperConfig} ${cfg.dataDir}/conf/neo4j-wrapper.conf
        if [ "$(id -u)" = 0 ]; then chown -R neo4j ${cfg.dataDir}; fi
      '';
    };
    environment.systemPackages = [ pkgs.neo4j ];
    users.extraUsers = singleton {
      name = "neo4j";
      uid = config.ids.uids.neo4j;
      description = "Neo4j daemon user";
      home = cfg.dataDir;
    };
  };
 }
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@ -38,86 +38,92 @@ in
    services.redis = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable the Redis server.";
      };
      package = mkOption {
        type = types.package;
        default = pkgs.redis;
        description = "Which Redis derivation to use.";
        type = types.package;
      };
      user = mkOption {
        type = types.str;
        default = "redis";
        description = "User account under which Redis runs.";
      };
      pidFile = mkOption {
        type = types.path;
        default = "/var/lib/redis/redis.pid";
        description = "";
      };
      port = mkOption {
        type = types.int;
        default = 6379;
        description = "The port for Redis to listen to.";
        type = with types; int;
      };
      bind = mkOption {
        type = with types; nullOr str;
        default = null; # All interfaces
        description = "The IP interface to bind to.";
        example = "127.0.0.1";
      };
      unixSocket = mkOption {
        type = with types; nullOr path;
        default = null;
        description = "The path to the socket to bind to.";
        example = "/var/run/redis.sock";
      };
      logLevel = mkOption {
        type = types.str;
        default = "notice"; # debug, verbose, notice, warning
        example = "debug";
        description = "Specify the server verbosity level, options: debug, verbose, notice, warning.";
        type = with types; string;
      };
      logfile = mkOption {
        type = types.str;
        default = "/dev/null";
        description = "Specify the log file name. Also 'stdout' can be used to force Redis to log on the standard output.";
        example = "/var/log/redis.log";
        type = with types; string;
      };
      syslog = mkOption {
        type = types.bool;
        default = true;
        description = "Enable logging to the system logger.";
        type = with types; bool;
      };
      databases = mkOption {
        type = types.int;
        default = 16;
        description = "Set the number of databases.";
        type = with types; int;
      };
      save = mkOption {
        type = with types; listOf (listOf int);
        default = [ [900 1] [300 10] [60 10000] ];
        description = "The schedule in which data is persisted to disk, represented as a list of lists where the first element represent the amount of seconds and the second the number of changes.";
        example = [ [900 1] [300 10] [60 10000] ];
      };
      dbFilename = mkOption {
        type = types.str;
        default = "dump.rdb";
        description = "The filename where to dump the DB.";
        type = with types; string;
      };
      dbpath = mkOption {
        type = types.path;
        default = "/var/lib/redis";
        description = "The DB will be written inside this directory, with the filename specified using the 'dbFilename' configuration.";
        type = with types; string;
      };
      slaveOf = mkOption {
@ -135,46 +141,47 @@ in
      };
      requirePass = mkOption {
        type = with types; nullOr str;
        default = null;
        description = "Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)";
        example = "letmein!";
      };
      appendOnly = mkOption {
        type = types.bool;
        default = false;
        description = "By default data is only periodically persisted to disk, enable this option to use an append-only file for improved persistence.";
        type = with types; bool;
      };
      appendOnlyFilename = mkOption {
        type = types.str;
        default = "appendonly.aof";
        description = "Filename for the append-only file (stored inside of dbpath)";
        type = with types; string;
      };
      appendFsync = mkOption {
        type = types.str;
        default = "everysec"; # no, always, everysec
        description = "How often to fsync the append-only log, options: no, always, everysec.";
        type = with types; string;
      };
      slowLogLogSlowerThan = mkOption {
        type = types.int;
        default = 10000;
        description = "Log queries whose execution take longer than X in milliseconds.";
        example = 1000;
        type = with types; int;
      };
      slowLogMaxLen = mkOption {
        type = types.int;
        default = 128;
        description = "Maximum number of items to keep in slow log.";
        type = with types; int;
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = "Extra configuration options for redis.conf.";
        type = with types; string;
      };
    };
--- a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
+++ b/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
@ -4,9 +4,6 @@
 with lib;
 let
  gnome3 = config.environment.gnome3.packageSet;
 in
 {
  ###### interface
@ -33,9 +30,9 @@ in
  config = mkIf config.services.gnome3.at-spi2-core.enable {
-    environment.systemPackages = [ gnome3.at_spi2_core ];
+    environment.systemPackages = [ pkgs.at_spi2_core ];
-    services.dbus.packages = [ gnome3.at_spi2_core ];
+    services.dbus.packages = [ pkgs.at_spi2_core ];
  };
--- a/nixos/modules/services/hardware/acpid.nix
+++ b/nixos/modules/services/hardware/acpid.nix
@ -6,7 +6,7 @@ let
  acpiConfDir = pkgs.runCommand "acpi-events" {}
    ''
-      ensureDir $out
+      mkdir -p $out
      ${
        # Generate a configuration file for each event. (You can't have
        # multiple events in one config file...)
--- a/nixos/modules/services/hardware/tcsd.nix
+++ b/nixos/modules/services/hardware/tcsd.nix
@ -0,0 +1,139 @@
 # tcsd daemon.
 { config, pkgs, ... }:
 with pkgs.lib;
 let
  cfg = config.services.tcsd;
  tcsdConf = pkgs.writeText "tcsd.conf" ''
    port = 30003
    num_threads = 10
    system_ps_file = ${cfg.stateDir}/system.data
    # This is the log of each individual measurement done by the system.
    # By re-calculating the PCR registers based on this information, even
    # finer details about the measured environment can be inferred than
    # what is available directly from the PCR registers.
    firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
    kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
    #firmware_pcrs = 0,1,2,3,4,5,6,7
    #kernel_pcrs = 10,11
    platform_cred = ${cfg.platformCred}
    conformance_cred = ${cfg.conformanceCred}
    endorsement_cred = ${cfg.endorsementCred}
    #remote_ops = create_key,random
    #host_platform_class = server_12
    #all_platform_classes = pc_11,pc_12,mobile_12
  '';
 in
 {
  ###### interface
  options = {
    services.tcsd = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to enable tcsd, a Trusted Computing management service
          that provides TCG Software Stack (TSS).  The tcsd daemon is
          the only portal to the Trusted Platform Module (TPM), a hardware
          chip on the motherboard.
        '';
      };
      user = mkOption {
        default = "tss";
        type = types.string;
        description = "User account under which tcsd runs.";
      };
      group = mkOption {
        default = "tss";
        type = types.string;
        description = "Group account under which tcsd runs.";
      };
      stateDir = mkOption {
 	default = "/var/lib/tpm";
        type = types.path;
 	description = ''
          The location of the system persistent storage file.
          The system persistent storage file holds keys and data across
          restarts of the TCSD and system reboots. 
 	'';
      };
      platformCred = mkOption {
        default = "${cfg.stateDir}/platform.cert";
        type = types.path;
        description = ''
 	  Path to the platform credential for your TPM. Your TPM
          manufacturer may have provided you with a set of credentials
          (certificates) that should be used when creating identities
          using your TPM. When a user of your TPM makes an identity,
          this credential will be encrypted as part of that process.
          See the 1.1b TPM Main specification section 9.3 for information
          on this process. '';
      };
      conformanceCred = mkOption {
        default = "${cfg.stateDir}/conformance.cert";
        type = types.path;
        description = ''
          Path to the conformance credential for your TPM.
          See also the platformCred option'';
      };
      endorsementCred = mkOption {
        default = "${cfg.stateDir}/endorsement.cert";
        type = types.path;
        description = ''
          Path to the endorsement credential for your TPM.
          See also the platformCred option'';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.trousers ];
 #    system.activationScripts.tcsd =
 #      ''
 #        chown ${cfg.user}:${cfg.group} ${tcsdConf}
 #      '';
    systemd.services.tcsd = {
      description = "TCSD";
      after = [ "systemd-udev-settle.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.trousers ];
      preStart =
        ''
        mkdir -m 0700 -p ${cfg.stateDir}
        chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
        '';
      serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}";
    };
    users.extraUsers = optionalAttrs (cfg.user == "tss") (singleton
      { name = "tss";
        group = "tss";
        uid = config.ids.uids.nginx;
      });
    users.extraGroups = optionalAttrs (cfg.group == "tss") (singleton
      { name = "tss";
        gid = config.ids.gids.nginx;
      });
  };
 }
--- a/nixos/modules/services/hardware/thermald.nix
+++ b/nixos/modules/services/hardware/thermald.nix
@ -0,0 +1,28 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.thermald;
 in {
  ###### interface
  options = { 
    services.thermald = { 
      enable = mkOption {
        default = false;
        description = ''
          Whether to enable thermald, the temperature management daemon.
        ''; 
      };  
    };  
  };  
  ###### implementation
  config = mkIf cfg.enable {
    systemd.services.thermald = {
      description = "Thermal Daemon Service";
      wantedBy = [ "multi-user.target" ];
      script = "exec ${pkgs.thermald}/sbin/thermald --no-daemon --dbus-enable";
    };
  };
 }
--- a/nixos/modules/services/logging/logrotate.nix
+++ b/nixos/modules/services/logging/logrotate.nix
@ -8,10 +8,6 @@ let
  configFile = pkgs.writeText "logrotate.conf"
    cfg.config;
  cronJob = ''
    5 * * * * root ${pkgs.logrotate}/sbin/logrotate ${configFile}
  '';
 in
 {
  options = {
@ -33,6 +29,16 @@ in
  };
  config = mkIf cfg.enable {
-    services.cron.systemCronJobs = [ cronJob ];
+    systemd.services.logrotate = {
      description   = "Logrotate Service";
      wantedBy      = [ "multi-user.target" ];
      startAt       = "*-*-* *:05:00";
      serviceConfig.Restart = "no";
      serviceConfig.User    = "root";
      script = ''
        exec ${pkgs.logrotate}/sbin/logrotate ${configFile}
      '';
    };
  };
 }
--- a/nixos/modules/services/logging/logstash.nix
+++ b/nixos/modules/services/logging/logstash.nix
@ -69,9 +69,9 @@ in
    systemd.services.logstash = with pkgs; {
      description = "Logstash Daemon";
      wantedBy = [ "multi-user.target" ];
-
+      environment = { JAVA_HOME = jre; };
      serviceConfig = {
-        ExecStart = "${jre}/bin/java -jar ${logstash} agent -f ${writeText "logstash.conf" ''
+        ExecStart = "${logstash}/bin/logstash agent -f ${writeText "logstash.conf" ''
          input {
            ${cfg.inputConfig}
          }
--- a/nixos/modules/services/logging/syslog-ng.nix
+++ b/nixos/modules/services/logging/syslog-ng.nix
@ -0,0 +1,83 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.syslog-ng;
  syslogngConfig = pkgs.writeText "syslog-ng.conf" ''
    @version: 3.5
    @include "scl.conf"
    ${cfg.extraConfig}
  '';
  ctrlSocket = "/run/syslog-ng/syslog-ng.ctl";
  pidFile = "/run/syslog-ng/syslog-ng.pid";
  persistFile = "/var/syslog-ng/syslog-ng.persist";
  syslogngOptions = [
    "--foreground"
    "--module-path=${concatStringsSep ":" (["${pkgs.syslogng}/lib/syslog-ng"] ++ cfg.extraModulePaths)}"
    "--cfgfile=${syslogngConfig}"
    "--control=${ctrlSocket}"
    "--persist-file=${persistFile}"
    "--pidfile=${pidFile}"
  ];
 in {
  options = {
    services.syslog-ng = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the syslog-ng daemon.
        '';
      };
      serviceName = mkOption {
        type = types.str;
        default = "syslog-ng";
        description = ''
          The name of the systemd service that runs syslog-ng. Set this to
          <literal>syslog</literal> if you want journald to automatically
          forward all logs to syslog-ng.
        '';
      };
      extraModulePaths = mkOption {
        type = types.listOf types.str;
        default = [];
        example = [ "${pkgs.syslogng_incubator}/lib/syslog-ng" ];
        description = ''
          A list of paths that should be included in syslog-ng's
          <literal>--module-path</literal> option. They should usually
          end in <literal>/lib/syslog-ng</literal>
        '';
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Configuration added to the end of <literal>syslog-ng.conf</literal>.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services."${cfg.serviceName}" = {
      wantedBy = [ "multi-user.target" ];
      preStart = "mkdir -p /{var,run}/syslog-ng";
      serviceConfig = {
        Type = "notify";
        Sockets = "syslog.socket";
        StandardOutput = "null";
        Restart = "on-failure";
        ExecStart = "${pkgs.syslogng}/sbin/syslog-ng ${concatStringsSep " " syslogngOptions}";
      };
    };
  };
 }
--- a/nixos/modules/services/mail/mlmmj.nix
+++ b/nixos/modules/services/mail/mlmmj.nix
@ -0,0 +1,128 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.mlmmj;
  stateDir = "/var/lib/mlmmj";
  spoolDir = "/var/spool/mlmmj";
  listDir = domain: list: "${spoolDir}/${domain}/${list}";
  listCtl = domain: list: "${listDir domain list}/control";
  transport = domain: list: "${domain}--${list}@local.list.mlmmj mlmmj:${domain}/${list}";
  virtual = domain: list: "${list}@${domain} ${domain}--${list}@local.list.mlmmj";
  alias = domain: list: "${list}: \"|${pkgs.mlmmj}/mlmmj-receive -L ${listDir domain list}/\"";
  subjectPrefix = list: "[${list}]";
  listAddress = domain: list: "${list}@${domain}";
  customHeaders = list: domain: [ "List-Id: ${list}" "Reply-To: ${list}@${domain}" ];
  footer = domain: list: "To unsubscribe send a mail to ${list}+unsubscribe@${domain}";
  createList = d: l: ''
    ${pkgs.coreutils}/bin/mkdir -p ${listCtl d l}
    echo ${listAddress d l} > ${listCtl d l}/listadress
    echo "${lib.concatStringsSep "\n" (customHeaders d l)}" > ${listCtl d l}/customheaders
    echo ${footer d l} > ${listCtl d l}/footer
    echo ${subjectPrefix l} > ${listCtl d l}/prefix
  '';
 in
 {
  ###### interface
  options = {
    services.mlmmj = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Enable mlmmj";
      };
      user = mkOption {
        type = types.str;
        default = "mlmmj";
        description = "mailinglist local user";
      };
      group = mkOption {
        type = types.str;
        default = "mlmmj";
        description = "mailinglist local group";
      };
      listDomain = mkOption {
        type = types.str;
        default = "localhost";
        description = "Set the mailing list domain";
      };
      mailLists = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "The collection of hosted maillists";
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    users.extraUsers = singleton {
      name = cfg.user;
      description = "mlmmj user";
      home = stateDir;
      createHome = true;
      uid = config.ids.uids.mlmmj;
      group = cfg.group;
      useDefaultShell = true;
    };
    users.extraGroups = singleton {
      name = cfg.group;
      gid = config.ids.gids.mlmmj;
    };
    services.postfix = {
      enable = true;
      recipientDelimiter= "+";
      extraMasterConf = ''
        mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-recieve -F -L ${spoolDir}/$nextHop
      '';
      extraAliases = concatMapStrings (alias cfg.listDomain) cfg.mailLists;
      extraConfig = ''
        transport = hash:${stateDir}/transports
        virtual = hash:${stateDir}/virtuals
      '';
    };
    environment.systemPackages = [ pkgs.mlmmj ];
    system.activationScripts.mlmmj = ''
          ${pkgs.coreutils}/bin/mkdir -p ${stateDir} ${spoolDir}/${cfg.listDomain}
          ${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${spoolDir}
          ${lib.concatMapStrings (createList cfg.listDomain) cfg.mailLists}
          echo ${lib.concatMapStrings (virtual cfg.listDomain) cfg.mailLists} > ${stateDir}/virtuals
          echo ${cfg.listDomain} mailman: > ${stateDir}/transports
          echo ${lib.concatMapStrings (transport cfg.listDomain) cfg.mailLists} >> ${stateDir}/transports
    '';
    systemd.services."mlmmj-maintd" = {
      description = "mlmmj maintenance daemon";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        ExecStart = "${pkgs.mlmmj}/bin/mlmmj-maintd -F -d ${spoolDir}/${cfg.listDomain}";
      };
    };
  };
 }
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -22,14 +22,11 @@ let
  nixConf =
    let
-      # Tricky: if we're using a chroot for builds, then we need
+      # If we're using a chroot for builds, then provide /bin/sh in
-      # /bin/sh in the chroot (our own compromise to purity).
+      # the chroot as a bind-mount to bash. This means we also need to
-      # However, since /bin/sh is a symlink to some path in the
+      # include the entire closure of bash.
-      # Nix store, which furthermore has runtime dependencies on
+      sh = pkgs.stdenv.shell;
-      # other paths in the store, we need the closure of /bin/sh
+      binshDeps = pkgs.writeReferencesToFile sh;
      # in `build-chroot-dirs' - otherwise any builder that uses
      # /bin/sh won't work.
      binshDeps = pkgs.writeReferencesToFile config.system.build.binsh;
    in
      pkgs.runCommand "nix.conf" {extraOptions = cfg.extraOptions; } ''
        extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done)
@ -40,7 +37,7 @@ let
        build-users-group = nixbld
        build-max-jobs = ${toString (cfg.maxJobs)}
        build-use-chroot = ${if cfg.useChroot then "true" else "false"}
-        build-chroot-dirs = ${toString cfg.chrootDirs} $(echo $extraPaths)
+        build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths)
        binary-caches = ${toString cfg.binaryCaches}
        trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
        $extraOptions
@ -253,8 +250,6 @@ in
  config = {
    nix.chrootDirs = [ "/bin" ];
    environment.etc."nix/nix.conf".source = nixConf;
    # List of machines for distributed Nix builds in the format
--- a/nixos/modules/services/misc/nix-ssh-serve.nix
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix
@ -1,32 +1,35 @@
 { config, lib, pkgs, ... }:
-let
+with lib;
  serveOnly = pkgs.writeScript "nix-store-serve" ''
    #!${pkgs.stdenv.shell}
    if [ "$SSH_ORIGINAL_COMMAND" != "nix-store --serve" ]; then
      echo 'Error: You are only allowed to run `nix-store --serve'\'''!' >&2
      exit 1
    fi
    exec /run/current-system/sw/bin/nix-store --serve
  '';
-  inherit (lib) mkIf mkOption types;
+{
 in {
  options = {
    nix.sshServe = {
      enable = mkOption {
        description = "Whether to enable serving the nix store over ssh.";
        default = false;
        type = types.bool;
        default = false;
        description = "Whether to enable serving the Nix store as a binary cache via SSH.";
      };
      keys = mkOption {
        type = types.listOf types.str;
        default = [];
        example = [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ];
        description = "A list of SSH public keys allowed to access the binary cache via SSH.";
      };
    };
  };
  config = mkIf config.nix.sshServe.enable {
    users.extraUsers.nix-ssh = {
-      description = "User for running nix-store --serve.";
+      description = "Nix SSH substituter user";
      uid = config.ids.uids.nix-ssh;
-      shell = pkgs.stdenv.shell;
+      useDefaultShell = true;
    };
    services.openssh.enable = true;
@ -38,8 +41,11 @@ in {
        PermitTTY no
        PermitTunnel no
        X11Forwarding no
-        ForceCommand ${serveOnly}
+        ForceCommand ${config.nix.package}/bin/nix-store --serve
      Match All
    '';
    users.extraUsers.nix-ssh.openssh.authorizedKeys.keys = config.nix.sshServe.keys;
  };
 }
--- a/nixos/modules/services/misc/siproxd.nix
+++ b/nixos/modules/services/misc/siproxd.nix
@ -0,0 +1,180 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.siproxd;
  conf = ''
    daemonize = 0
    rtp_proxy_enable = 1
    user = siproxd
    if_inbound  = ${cfg.ifInbound}
    if_outbound = ${cfg.ifOutbound}
    sip_listen_port = ${toString cfg.sipListenPort}
    rtp_port_low    = ${toString cfg.rtpPortLow}
    rtp_port_high   = ${toString cfg.rtpPortHigh}
    rtp_dscp        = ${toString cfg.rtpDscp}
    sip_dscp        = ${toString cfg.sipDscp}
    ${optionalString (cfg.hostsAllowReg != []) "hosts_allow_reg = ${concatStringsSep "," cfg.hostsAllowReg}"}
    ${optionalString (cfg.hostsAllowSip != []) "hosts_allow_sip = ${concatStringsSep "," cfg.hostsAllowSip}"}
    ${optionalString (cfg.hostsDenySip != []) "hosts_deny_sip  = ${concatStringsSep "," cfg.hostsDenySip}"}
    ${if (cfg.passwordFile != "") then "proxy_auth_pwfile = ${cfg.passwordFile}" else ""}
    ${cfg.extraConfig}
  '';
  confFile = builtins.toFile "siproxd.conf" conf;
 in
 {
  ##### interface
  options = {
    services.siproxd = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the Siproxd SIP 
 	  proxy/masquerading daemon.
        '';
      };
      ifInbound = mkOption {
        type = types.str;
        example = "eth0";
        description = "Local network interface";
      };
      ifOutbound = mkOption {
        type = types.str;
        example = "ppp0";
        description = "Public network interface";
      };
      hostsAllowReg = mkOption {
        type = types.listOf types.str;
 	default = [ ];
        example = [ "192.168.1.0/24" "192.168.2.0/24" ];
 	description = ''
          Acess control list for incoming SIP registrations.
        '';
      };
      hostsAllowSip = mkOption {
        type = types.listOf types.str;
 	default = [ ];
        example = [ "123.45.0.0/16" "123.46.0.0/16" ];
 	description = ''
          Acess control list for incoming SIP traffic.
        '';
      };
      hostsDenySip = mkOption {
        type = types.listOf types.str;
 	default = [ ];
        example = [ "10.0.0.0/8" "11.0.0.0/8" ];
 	description = ''
          Acess control list for denying incoming
 	   SIP registrations and traffic.
        '';
      };
      sipListenPort = mkOption {
        type = types.int;
        default = 5060;
        description = ''
 	  Port to listen for incoming SIP messages.
        '';
      };
      rtpPortLow = mkOption {
        type = types.int;
        default = 7070;
        description = ''
         Bottom of UDP port range for incoming and outgoing RTP traffic
        '';
      };
      rtpPortHigh = mkOption {
        type = types.int;
        default = 7089;
        description = ''
         Top of UDP port range for incoming and outgoing RTP traffic
        '';
      };
      rtpTimeout = mkOption {
        type = types.int;
        default = 300;
        description = ''
          Timeout for an RTP stream. If for the specified 
          number of seconds no data is relayed on an active
          stream, it is considered dead and will be killed.
        '';
      };
      rtpDscp = mkOption {
        type = types.int;
        default = 46;
        description = ''
          DSCP (differentiated services) value to be assigned
          to RTP packets. Allows QOS aware routers to handle 
          different types traffic with different priorities.
        '';
      };
      sipDscp = mkOption {
        type = types.int;
        default = 0;
        description = ''
          DSCP (differentiated services) value to be assigned
          to SIP packets. Allows QOS aware routers to handle 
          different types traffic with different priorities.
        '';
      };
      passwordFile = mkOption {
        type = types.str;
        default = "";
        description = ''
          Path to per-user password file.
        '';
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Extra configuration to add to siproxd configuration.
        '';
      };
    };
  };
  ##### implementation
  config = mkIf cfg.enable {
    users.extraUsers = singleton {
      name = "siproxyd";
      uid = config.ids.uids.siproxd;
    };
    systemd.services.siproxd = {
      description = "SIP proxy/masquerading daemon";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.siproxd}/sbin/siproxd -c ${confFile}";
      };
    };
  };
 }
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@ -189,19 +189,18 @@ in
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.munin ];
      environment.MUNIN_PLUGSTATE = "/var/run/munin";
      preStart = ''
        echo "updating munin plugins..."
        mkdir -p /etc/munin/plugins
        rm -rf /etc/munin/plugins/*
        PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
      '';
      serviceConfig = {
        ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
      };
    };
    system.activationScripts.munin-node = ''
      echo "updating munin plugins..."
      mkdir -p /etc/munin/plugins
      rm -rf /etc/munin/plugins/*
      PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
    '';
  }) (mkIf cronCfg.enable {
    services.cron.systemCronJobs = [
--- a/nixos/modules/services/monitoring/nagios.nix
+++ b/nixos/modules/services/monitoring/nagios.nix
@ -12,7 +12,7 @@ let
  nagiosObjectDefs = cfg.objectDefs;
  nagiosObjectDefsDir = pkgs.runCommand "nagios-objects" {inherit nagiosObjectDefs;}
-    "ensureDir $out; ln -s $nagiosObjectDefs $out/";
+    "mkdir -p $out; ln -s $nagiosObjectDefs $out/";
  nagiosCfgFile = pkgs.writeText "nagios.cfg"
    ''
--- a/nixos/modules/services/monitoring/riemann-dash.nix
+++ b/nixos/modules/services/monitoring/riemann-dash.nix
@ -0,0 +1,79 @@
 { config, pkgs, ... }:
 with pkgs;
 with pkgs.lib;
 let
  cfg = config.services.riemann-dash;
  conf = writeText "config.rb" ''
    riemann_base = "${cfg.dataDir}"
    config.store[:ws_config] = "#{riemann_base}/config/config.json"
    ${cfg.config}
  '';
  launcher = writeScriptBin "riemann-dash" ''
    #!/bin/sh
    exec ${rubyLibs.riemann_dash}/bin/riemann-dash ${conf}
  '';
 in {
  options = {
    services.riemann-dash = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the riemann-dash dashboard daemon.
        '';
      };
      config = mkOption {
        type = types.lines;
        description = ''
          Contents added to the end of the riemann-dash configuration file.
        '';
      };
      dataDir = mkOption {
        type = types.str;
        default = "/var/riemann-dash";
        description = ''
          Location of the riemann-base dir. The dashboard configuration file is
          is stored to this directory. The directory is created automatically on
          service start, and owner is set to the riemanndash user.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    users.extraGroups.riemanndash.gid = config.ids.gids.riemanndash;
    users.extraUsers.riemanndash = {
      description = "riemann-dash daemon user";
      uid = config.ids.uids.riemanndash;
      group = "riemanndash";
    };
    systemd.services.riemann-dash = {
      wantedBy = [ "multi-user.target" ];
      wants = [ "riemann.service" ];
      after = [ "riemann.service" ];
      preStart = ''
        mkdir -p ${cfg.dataDir}/config
        chown -R riemanndash:riemanndash ${cfg.dataDir}
      '';
      serviceConfig = {
        User = "riemanndash";
        ExecStart = "${launcher}/bin/riemann-dash";
        PermissionsStartOnly = true;
      };
    };
  };
 }
--- a/nixos/modules/services/monitoring/riemann.nix
+++ b/nixos/modules/services/monitoring/riemann.nix
@ -0,0 +1,77 @@
 { config, pkgs, ... }:
 with pkgs;
 with pkgs.lib;
 let
  cfg = config.services.riemann;
  classpath = concatStringsSep ":" (
    cfg.extraClasspathEntries ++ [ "${riemann}/share/java/riemann.jar" ]
  );
  launcher = writeScriptBin "riemann" ''
    #!/bin/sh
    exec ${openjdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \
      -cp ${classpath} \
      riemann.bin ${writeText "riemann.config" cfg.config}
  '';
 in {
  options = {
    services.riemann = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the Riemann network monitoring daemon.
        '';
      };
      config = mkOption {
        type = types.lines;
        description = ''
          Contents of the Riemann configuration file.
        '';
      };
      extraClasspathEntries = mkOption {
        type = with types; listOf str;
        default = [];
        description = ''
          Extra entries added to the Java classpath when running Riemann.
        '';
      };
      extraJavaOpts = mkOption {
        type = with types; listOf str;
        default = [];
        description = ''
          Extra Java options used when launching Riemann.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    users.extraGroups.riemann.gid = config.ids.gids.riemann;
    users.extraUsers.riemann = {
      description = "riemann daemon user";
      uid = config.ids.uids.riemann;
      group = "riemann";
    };
    systemd.services.riemann = {
      wantedBy = [ "multi-user.target" ];
      path = [ inetutils ];
      serviceConfig = {
        User = "riemann";
        ExecStart = "${launcher}/bin/riemann";
      };
    };
  };
 }
--- a/nixos/modules/services/monitoring/systemhealth.nix
+++ b/nixos/modules/services/monitoring/systemhealth.nix
@ -13,7 +13,7 @@ let
    };
    buildInputs = [ python ];
    installPhase = ''
-      ensureDir $out/bin
+      mkdir -p $out/bin
      # Make it work for kernels 3.x, not so different than 2.6
      sed -i 's/2\.6/4.0/' system_health.py
      cp system_health.py $out/bin
--- a/nixos/modules/services/network-filesystems/openafs-client/default.nix
+++ b/nixos/modules/services/network-filesystems/openafs-client/default.nix
@ -11,7 +11,7 @@ let
  };
  afsConfig = pkgs.runCommand "afsconfig" {} ''
-    ensureDir $out
+    mkdir -p $out
    echo ${cfg.cellName} > $out/ThisCell
    cp ${cellServDB} $out/CellServDB
    echo "/afs:${cfg.cacheDirectory}:${cfg.cacheSize}" > $out/cacheinfo
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@ -7,9 +7,10 @@ let
  dhcpcd = if !config.boot.isContainer then pkgs.dhcpcd else pkgs.dhcpcd.override { udev = null; };
  # Don't start dhcpcd on explicitly configured interfaces or on
-  # interfaces that are part of a bridge.
+  # interfaces that are part of a bridge, bond or sit device.
  ignoredInterfaces =
    map (i: i.name) (filter (i: i.ipAddress != null) (attrValues config.networking.interfaces))
    ++ mapAttrsToList (i: _: i) config.networking.sits
    ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.bridges))
    ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.bonds))
    ++ config.networking.dhcpcd.denyInterfaces;
@ -35,7 +36,7 @@ let
      # Ignore peth* devices; on Xen, they're renamed physical
      # Ethernet cards used for bridging.  Likewise for vif* and tap*
      # (Xen) and virbr* and vnet* (libvirt).
-      denyinterfaces ${toString ignoredInterfaces} lo peth* vif* tap* tun* virbr* vnet* vboxnet*
+      denyinterfaces ${toString ignoredInterfaces} lo peth* vif* tap* tun* virbr* vnet* vboxnet* sit*
      ${config.networking.dhcpcd.extraConfig}
    '';
--- a/nixos/modules/services/networking/dhcpd.nix
+++ b/nixos/modules/services/networking/dhcpd.nix
@ -13,7 +13,7 @@ let
      default-lease-time 600;
      max-lease-time 7200;
      authoritative;
-      ddns-update-style ad-hoc;
+      ddns-update-style interim;
      log-facility local1; # see dhcpd.nix
      ${cfg.extraConfig}
@ -108,22 +108,41 @@ in
  config = mkIf config.services.dhcpd.enable {
-    jobs.dhcpd =
+    users = {
      extraUsers.dhcpd = {
        uid = config.ids.uids.dhcpd;
        description = "DHCP daemon user";
      };
    };
    systemd.services.dhcpd =
      { description = "DHCP server";
-        startOn = "started network-interfaces";
+        wantedBy = [ "multi-user.target" ];
        stopOn = "stopping network-interfaces";
-        script =
+        after = [ "network.target" ];
        path = [ pkgs.dhcp ];
        preStart =
          ''
            mkdir -m 755 -p ${stateDir}
            touch ${stateDir}/dhcpd.leases
-            exec ${pkgs.dhcp}/sbin/dhcpd -f -cf ${configFile} \
+            mkdir -m 755 -p /run/dhcpd
-                -lf ${stateDir}/dhcpd.leases \
+            chown dhcpd /run/dhcpd
                ${toString cfg.interfaces}
          '';
        serviceConfig =
          { ExecStart = "@${pkgs.dhcp}/sbin/dhcpd dhcpd"
              + " -pf /run/dhcpd/dhcpd.pid -cf ${configFile}"
              + " -lf ${stateDir}/dhcpd.leases -user dhcpd -group nogroup"
              + " ${toString cfg.interfaces}";
            Restart = "always";
            Type = "forking";
            PIDFile = "/run/dhcpd/dhcpd.pid";
          };
      };
  };
--- a/nixos/modules/services/networking/ircd-hybrid/builder.sh
+++ b/nixos/modules/services/networking/ircd-hybrid/builder.sh
@ -3,7 +3,7 @@ source $stdenv/setup
 doSub() {
    local src=$1
    local dst=$2
-    ensureDir $(dirname $dst)
+    mkdir -p $(dirname $dst)
    substituteAll $src $dst
 }
@ -28,4 +28,4 @@ for i in $substFiles; do
    fi
 done
-ensureDir $out/bin
+mkdir -p $out/bin
--- a/nixos/modules/services/networking/polipo.nix
+++ b/nixos/modules/services/networking/polipo.nix
@ -0,0 +1,118 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.polipo;
  polipoConfig = pkgs.writeText "polipo.conf" ''
    proxyAddress = ${cfg.proxyAddress}
    proxyPort = ${toString cfg.proxyPort}
    allowedClients = ${concatStringsSep ", " cfg.allowedClients}
    ${optionalString (cfg.parentProxy != "") "parentProxy = ${cfg.parentProxy}" }
    ${optionalString (cfg.socksParentProxy != "") "socksParentProxy = ${cfg.socksParentProxy}" }
    ${config.services.polipo.extraConfig}
  '';
 in
 {
  options = {
    services.polipo = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to run the polipo caching web proxy.";
      };
      proxyAddress = mkOption {
        type = types.string;
        default = "127.0.0.1";
        description = "IP address on which Polipo will listen.";
      };
      proxyPort = mkOption {
        type = types.int;
        default = 8123;
        description = "TCP port on which Polipo will listen.";
      };
      allowedClients = mkOption {
        type = types.listOf types.string;
        default = [ "127.0.0.1" "::1" ];
        example = [ "127.0.0.1" "::1" "134.157.168.0/24" "2001:660:116::/48" ];
        description = ''
          List of IP addresses or network addresses that may connect to Polipo.
        '';
      };
      parentProxy = mkOption {
        type = types.string;
        default = "";
        example = "localhost:8124";
        description = ''
          Hostname and port number of an HTTP parent proxy;
          it should have the form ‘host:port’.
        '';
      };
      socksParentProxy = mkOption {
        type = types.string;
        default = "";
        example = "localhost:9050";
        description = ''
          Hostname and port number of an SOCKS parent proxy;
          it should have the form ‘host:port’.
        '';
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Polio configuration. Contents will be added 
          verbatim to the configuration file.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    users.extraUsers = singleton
      { name = "polipo";
        uid = config.ids.uids.polipo;
        description = "Polipo caching proxy user";
        home = "/var/cache/polipo";
        createHome = true;
      };
    users.extraGroups = singleton
      { name = "polipo";
        gid = config.ids.gids.polipo;
        members = [ "polipo" ];
      };
    systemd.services.polipo = {
      description = "caching web proxy";
      after = [ "network.target" "nss-lookup.target" ];
      wantedBy = [ "multi-user.target"];
      preStart = ''
         ${pkgs.coreutils}/bin/chown polipo:polipo /var/cache/polipo -R
      '';
      serviceConfig = {
        ExecStart  = "${pkgs.polipo}/bin/polipo -c ${polipoConfig}";
        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
        User = "polipo";
      };
    };
  };
 }
--- a/nixos/modules/services/networking/radvd.nix
+++ b/nixos/modules/services/networking/radvd.nix
@ -52,24 +52,32 @@ in
  config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.radvd ];
+    users.extraUsers.radvd =
      { uid = config.ids.uids.radvd;
        description = "Router Advertisement Daemon User";
      };
-    jobs.radvd =
+    systemd.services.radvd =
      { description = "IPv6 Router Advertisement Daemon";
-        startOn = "started network-interfaces";
+        wantedBy = [ "multi-user.target" ];
-        preStart =
+        after = [ "network.target" ];
          ''
            # !!! Radvd only works if IPv6 forwarding is enabled.  But
            # this should probably be done somewhere else (and not
            # necessarily for all interfaces).
            echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
          '';
-        exec = "${pkgs.radvd}/sbin/radvd -m syslog -s -C ${confFile}";
+        path = [ pkgs.radvd ];
-        daemonType = "fork";
+        preStart = ''
          mkdir -m 755 -p /run/radvd
          chown radvd /run/radvd
        '';
        serviceConfig =
          { ExecStart = "@${pkgs.radvd}/sbin/radvd radvd"
              + " -p /run/radvd/radvd.pid -m syslog -u radvd -C ${confFile}";
            Restart = "always";
            Type = "forking";
            PIDFile = "/run/radvd/radvd.pid";
          };
      };
  };
--- a/nixos/modules/services/networking/ssh/lshd.nix
+++ b/nixos/modules/services/networking/ssh/lshd.nix
@ -99,7 +99,6 @@ in
      };
      subsystems = mkOption {
        default = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ];
        description = ''
          List of subsystem-path pairs, where the head of the pair
          denotes the subsystem name, and the tail denotes the path to
@ -116,6 +115,8 @@ in
  config = mkIf cfg.enable {
    services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ];
    jobs.lshd =
      { description = "GNU lshd SSH2 daemon";
--- a/nixos/modules/services/networking/unifi.nix
+++ b/nixos/modules/services/networking/unifi.nix
@ -0,0 +1,88 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.unifi;
  stateDir = "/var/lib/unifi";
  cmd = "@${pkgs.icedtea7_jre}/bin/java java -jar ${stateDir}/lib/ace.jar";
 in
 {
  options = {
    services.unifi.enable = mkOption {
      type = types.uniq types.bool;
      default = false;
      description = ''
        Whether or not to enable the unifi controller service.
      '';
    };
  };
  config = mkIf cfg.enable {
    users.extraUsers.unifi = {
      uid = config.ids.uids.unifi;
      description = "UniFi controller daemon user";
      home = "${stateDir}";
    };
    # We must create the binary directories as bind mounts instead of symlinks
    # This is because the controller resolves all symlinks to absolute paths
    # to be used as the working directory.
    systemd.mounts = map ({ what, where }: {
        bindsTo = [ "unifi.service" ];
        requiredBy = [ "unifi.service" ];
        before = [ "unifi.service" ];
        options = "bind";
        what = what;
        where = where;
      }) [
        {
          what = "${pkgs.unifi}/dl";
          where = "${stateDir}/dl";
        }
        {
          what = "${pkgs.unifi}/lib";
          where = "${stateDir}/lib";
        }
        {
          what = "${pkgs.mongodb}/bin";
          where = "${stateDir}/bin";
        }
      ];
    systemd.services.unifi = {
      description = "UniFi controller daemon";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      preStart = ''
        # Ensure privacy of state
        chown unifi "${stateDir}"
        chmod 0700 "${stateDir}"
        # Create the volatile webapps
        mkdir -p "${stateDir}/webapps"
        chown unifi "${stateDir}/webapps"
        ln -s "${pkgs.unifi}/webapps/ROOT.war" "${stateDir}/webapps/ROOT.war"
      '';
      postStop = ''
        rm "${stateDir}/webapps/ROOT.war"
      '';
      serviceConfig = {
        Type = "simple";
        ExecStart = "${cmd} start";
        ExecStop = "${cmd} stop";
        User = "unifi";
        PermissionsStartOnly = true;
        UMask = "0077";
        WorkingDirectory = "${stateDir}";
      };
    };
  };
 }
--- a/nixos/modules/services/networking/znc.nix
+++ b/nixos/modules/services/networking/znc.nix
@ -20,6 +20,11 @@ let
        </Pass>
  ";
  modules = pkgs.buildEnv {
    name = "znc-modules";
    paths = cfg.modulePackages;
  };
  confOptions = { ... }: {
    options = {
      modules = mkOption {
@ -31,6 +36,15 @@ let
        '';
      };
      userModules = mkOption {
        type = types.listOf types.string;
        default = [ ];
        example = [ "fish" "push" ];
        description = ''
          A list of user modules to include in the `znc.conf` file.
        '';
      };
      userName = mkOption {
        default = defaultUserName;
        example = "johntron";
@ -63,9 +77,9 @@ let
      };
      port = mkOption {
-        default = "5000";
+        default = 5000;
-        example = "5000";
+        example = 5000;
-        type = types.string;
+        type = types.int;
        description = ''
          Specifies the port on which to listen.
        '';
@ -80,6 +94,13 @@ let
        '';
      };
      extraZncConf = mkOption {
        default = "";
        type = types.lines;
        description = ''
          Extra config to `znc.conf` file
        '';
      };
    };
  };
@ -104,7 +125,7 @@ let
            AllowWeb = true
            IPv4 = true
            IPv6 = false
-            Port = ${if confOpts.useSSL then "+" else ""}${confOpts.port}
+            Port = ${if confOpts.useSSL then "+" else ""}${toString confOpts.port}
            SSL = ${if confOpts.useSSL then "true" else "false"}
    </Listener>
@ -128,9 +149,11 @@ let
            QuitMsg = Quit
            RealName = ${confOpts.nick}
            TimestampFormat = [%H:%M:%S]
            ${concatMapStrings (n: "LoadModule = ${n}\n") confOpts.userModules}
            ${confOpts.passBlock}
    </User>
    ${confOpts.extraZncConf}
  '';
  zncConfFile = pkgs.writeTextFile {
@ -168,9 +191,9 @@ in
      };
      dataDir = mkOption {
-        default = "/home/${cfg.user}/.znc";
+        default = "/var/lib/znc/";
-        example = "/home/john/.znc";
+        example = "/home/john/.znc/";
-        type = types.string; 
+        type = types.path;
        description = ''
          The data directory. Used for configuration files and modules.
        '';
@ -179,7 +202,7 @@ in
      zncConf = mkOption {
        default = "";
        example = "See: http://wiki.znc.in/Configuration";
-        type = types.string;
+        type = types.lines;
        description = ''
          The contents of the `znc.conf` file to use when creating it.
          If specified, `confOptions` will be ignored, and this value, as-is, will be used.
@ -202,6 +225,15 @@ in
        options = confOptions; 
      };
      modulePackages = mkOption {
        type = types.listOf types.package;
        default = [ ];
        example = [ pkgs.zncModules.fish pkgs.zncModules.push ];
        description = ''
          A list of global znc module packages to add to znc.
        '';
      };
      mutable = mkOption {
        default = false;
        example = true;
@ -218,9 +250,9 @@ in
      };
      extraFlags = mkOption {
-        default = "";
+        default = [ ];
-        example = "--debug";
+        example = [ "--debug" ];
-        type = types.string;
+        type = types.listOf types.str;
        description = ''
          Extra flags to use when executing znc command.
        '';
@ -233,25 +265,22 @@ in
  config = mkIf cfg.enable {
-    systemd.services."znc-${cfg.user}" = {
+    systemd.services.znc = {
-      description = "ZNC Server of ${cfg.user}.";
+      description = "ZNC Server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.service" ];
      path = [ pkgs.znc ];
      serviceConfig = {
-        User = "${cfg.user}";
+        User = cfg.user;
        Restart = "always";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        ExecStop   = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
      };
      preStart = ''
        ${pkgs.coreutils}/bin/mkdir -p ${cfg.dataDir}
        ${pkgs.coreutils}/bin/chown ${cfg.user} ${cfg.dataDir} -R
        ${pkgs.coreutils}/bin/mkdir -p ${cfg.dataDir}/configs
        # If mutable, regenerate conf file every time.
        ${optionalString (!cfg.mutable) ''
-          ${pkgs.coreutils}/echo "znc-${cfg.user} is set to be system-managed. Now deleting old znc.conf file to be regenerated."
+          ${pkgs.coreutils}/echo "znc is set to be system-managed. Now deleting old znc.conf file to be regenerated."
          ${pkgs.coreutils}/rm -f ${cfg.dataDir}/configs/znc.conf
        ''}
@ -259,7 +288,7 @@ in
        if [[ ! -f ${cfg.dataDir}/configs/znc.conf ]]; then
          ${pkgs.coreutils}/bin/echo "No znc.conf file found in ${cfg.dataDir}. Creating one now."
          ${if (!cfg.mutable)
-            then "${pkgs.coreutils}/bin/ln --force -s ${zncConfFile} ${cfg.dataDir}/configs/znc.conf"
+            then "${pkgs.coreutils}/bin/ln --force -s ${zncConfFile} ${cfg.dataDir}/.znc/configs/znc.conf"
            else ''
              ${pkgs.coreutils}/bin/cp --no-clobber ${zncConfFile} ${cfg.dataDir}/configs/znc.conf
              ${pkgs.coreutils}/bin/chmod u+rw ${cfg.dataDir}/configs/znc.conf
@ -269,10 +298,14 @@ in
        if [[ ! -f ${cfg.dataDir}/znc.pem ]]; then
          ${pkgs.coreutils}/bin/echo "No znc.pem file found in ${cfg.dataDir}. Creating one now."
-          ${pkgs.znc}/bin/znc --makepem
+          ${pkgs.znc}/bin/znc --makepem --datadir ${cfg.dataDir} 
        fi
        # Symlink modules
        rm ${cfg.dataDir}/modules || true
        ln -fs ${modules}/lib/znc ${cfg.dataDir}/modules
      '';
-      script = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${cfg.extraFlags}";
+      script = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${toString cfg.extraFlags}";
    };
    users.extraUsers = optional (cfg.user == defaultUser)
@ -280,6 +313,7 @@ in
        description = "ZNC server daemon owner";
        group = defaultUser;
        uid = config.ids.uids.znc;
        home = cfg.dataDir;
        createHome = true;
        createUser = true;
      };
--- a/nixos/modules/services/search/elasticsearch.nix
+++ b/nixos/modules/services/search/elasticsearch.nix
@ -21,6 +21,11 @@ let
    ];
  };
  esPlugins = pkgs.buildEnv {
    name = "elasticsearch-plugins";
    paths = cfg.plugins;
  };
 in {
  ###### interface
@ -101,6 +106,12 @@ in {
      example = [ "-Djava.net.preferIPv4Stack=true" ];
    };
    plugins = mkOption {
      description = "Extra elasticsearch plugins";
      default = [];
      type = types.listOf types.package;
    };
  };
  ###### implementation
@ -119,6 +130,10 @@ in {
      preStart = ''
        mkdir -m 0700 -p ${cfg.dataDir}
        if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi
        # Install plugins
        rm ${cfg.dataDir}/plugins || true
        ln -s ${esPlugins}/plugins ${cfg.dataDir}/plugins
      '';
    };
--- a/nixos/modules/services/security/fail2ban.nix
+++ b/nixos/modules/services/security/fail2ban.nix
@ -25,12 +25,17 @@ in
  options = {
    services.fail2ban = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "Whether to enable the fail2ban service.";
      };
      daemonConfig = mkOption {
        default =
          ''
            [Definition]
-            loglevel  = 3
+            loglevel  = INFO
            logtarget = SYSLOG
            socket    = /run/fail2ban/fail2ban.sock
            pidfile   = /run/fail2ban/fail2ban.pid
@ -80,7 +85,7 @@ in
  ###### implementation
-  config = {
+  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.fail2ban ];
@ -101,12 +106,13 @@ in
        preStart =
          ''
            mkdir -p /run/fail2ban -m 0755
            mkdir -p /var/lib/fail2ban
          '';
        serviceConfig =
          { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
            ReadOnlyDirectories = "/";
-            ReadWriteDirectories = "/run /var/tmp";
+            ReadWriteDirectories = "/run /var/tmp /var/lib";
            CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
          };
@ -131,15 +137,14 @@ in
        bantime  = 600
        findtime = 600
        maxretry = 3
-        backend  = auto
+        backend  = systemd
-      '';
+       '';
    # Block SSH if there are too many failing connection attempts.
    services.fail2ban.jails.ssh-iptables =
      ''
        filter   = sshd
        action   = iptables[name=SSH, port=ssh, protocol=tcp]
        logpath  = /var/log/warn
        maxretry = 5
      '';
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@ -14,7 +14,7 @@ let
    name = "dbus-conf";
    preferLocalBuild = true;
    buildCommand = ''
-      ensureDir $out
+      mkdir -p $out
      cp -v ${pkgs.dbus.daemon}/etc/dbus-1/system.conf $out/system.conf
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@ -80,7 +80,7 @@ let
  # !!! should be in lib
  writeTextInDir = name: text:
-    pkgs.runCommand name {inherit text;} "ensureDir $out; echo -n \"$text\" > $out/$name";
+    pkgs.runCommand name {inherit text;} "mkdir -p $out; echo -n \"$text\" > $out/$name";
  enableSSL = any (vhost: vhost.enableSSL) allHosts;
@ -130,7 +130,7 @@ let
  '';
-  loggingConf = ''
+  loggingConf = (if mainCfg.logFormat != "none" then ''
    ErrorLog ${mainCfg.logDir}/error_log
    LogLevel notice
@ -141,7 +141,9 @@ let
    LogFormat "%{User-agent}i" agent
    CustomLog ${mainCfg.logDir}/access_log ${mainCfg.logFormat}
-  '';
+  '' else ''
    ErrorLog /dev/null
  '');
  browserHacks = ''
@ -194,7 +196,7 @@ let
    ) null ([ cfg ] ++ subservices);
    documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
-      pkgs.runCommand "empty" {} "ensureDir $out";
+      pkgs.runCommand "empty" {} "mkdir -p $out";
    documentRootConf = ''
      DocumentRoot "${documentRoot}"
@ -387,7 +389,7 @@ let
  '';
-  enablePHP = any (svc: svc.enablePHP) allSubservices;
+  enablePHP = mainCfg.enablePHP || any (svc: svc.enablePHP) allSubservices;
  # Generate the PHP configuration file.  Should probably be factored
@ -531,6 +533,12 @@ in
        '';
      };
      enablePHP = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable the PHP module.";
      };
      phpOptions = mkOption {
        type = types.lines;
        default = "";
--- a/nixos/modules/services/web-servers/apache-httpd/mediawiki-postgresql-fixes.patch
+++ b/nixos/modules/services/web-servers/apache-httpd/mediawiki-postgresql-fixes.patch
@ -0,0 +1,22 @@
 diff --git a/includes/specials/SpecialActiveusers.php b/includes/specials/SpecialActiveusers.php
 index f739d3b..fdd8db3 100644
 --- a/includes/specials/SpecialActiveusers.php
 +++ b/includes/specials/SpecialActiveusers.php
@@ -112,7 +112,7 @@ class ActiveUsersPager extends UsersPager {
 		return array(
 			'tables' => array( 'querycachetwo', 'user', 'recentchanges' ),
 			'fields' => array( 'user_name', 'user_id', 'recentedits' => 'COUNT(*)', 'qcc_title' ),
 -			'options' => array( 'GROUP BY' => array( 'qcc_title' ) ),
 +			'options' => array( 'GROUP BY' => array( 'qcc_title', 'user_name', 'user_id' ) ),
 			'conds' => $conds
 		);
 	}
@@ -349,7 +349,7 @@ class SpecialActiveUsers extends SpecialPage {
 			__METHOD__,
 			array(
 				'GROUP BY' => array( 'rc_user_text' ),
 -				'ORDER BY' => 'NULL' // avoid filesort
 +				'ORDER BY' => 'lastedittime DESC'
 			)
 		);
 		$names = array();
--- a/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
@ -79,6 +79,8 @@ let
      sha256 = "07z5j8d988cdg4ml4n0vs9fwmj0p594ibbqdid16faxwqm52dkhl";
    };
    patches = [ ./mediawiki-postgresql-fixes.patch ];
    skins = config.skins;
    buildPhase =
@ -90,7 +92,7 @@ let
    installPhase =
      ''
-        ensureDir $out
+        mkdir -p $out
        cp -r * $out
        cp ${mediawikiConfig} $out/LocalSettings.php
        sed -i \
@ -104,7 +106,7 @@ let
  mediawikiScripts = pkgs.runCommand "mediawiki-${config.id}-scripts"
    { buildInputs = [ pkgs.makeWrapper ]; }
    ''
-      ensureDir $out/bin
+      mkdir -p $out/bin
      for i in changePassword.php createAndPromote.php userOptions.php edit.php nukePage.php update.php; do
        makeWrapper ${php}/bin/php $out/bin/mediawiki-${config.id}-$(basename $i .php) \
          --add-flags ${mediawikiRoot}/maintenance/$i
--- a/nixos/modules/services/web-servers/apache-httpd/mercurial.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/mercurial.nix
@ -9,7 +9,7 @@ let
  cgi = pkgs.stdenv.mkDerivation {
    name = "mercurial-cgi";
    buildCommand = ''
-      ensureDir $out
+      mkdir -p $out
      cp -v ${mercurial}/share/cgi-bin/hgweb.cgi $out
      sed -i "s|/path/to/repo/or/config|$out/hgweb.config|" $out/hgweb.cgi
      echo "
--- a/nixos/modules/services/web-servers/apache-httpd/tomcat-connector.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/tomcat-connector.nix
@ -29,6 +29,14 @@ ${extraWorkersProperties}
  '';
 in
 {
  options = {
    extraWorkersProperties = lib.mkOption {
      default = "";
      description = "Additional configuration for the workers.properties file.";
    };
  };
  extraModules = [
    { name = "jk"; path = "${pkgs.tomcat_connectors}/modules/mod_jk.so"; }
  ];
--- a/nixos/modules/services/web-servers/lighttpd/cgit.nix
+++ b/nixos/modules/services/web-servers/lighttpd/cgit.nix
@ -29,7 +29,7 @@ in
        cache-size=1000
        scan-path=/srv/git
      '';
-      type = types.string;
+      type = types.lines;
      description = ''
        Verbatim contents of the cgit runtime configuration file. Documentation
        (with cgitrc example file) is available in "man cgitrc". Or online:
--- a/nixos/modules/services/web-servers/lighttpd/default.nix
+++ b/nixos/modules/services/web-servers/lighttpd/default.nix
@ -9,9 +9,9 @@ let
  cfg = config.services.lighttpd;
  needModRedirect = cfg.gitweb.enable;
-  needModAlias = cfg.cgit.enable or cfg.gitweb.enable;
+  needModAlias = cfg.cgit.enable || cfg.gitweb.enable;
-  needModSetenv = cfg.cgit.enable or cfg.gitweb.enable;
+  needModSetenv = cfg.cgit.enable || cfg.gitweb.enable;
-  needModCgi = cfg.cgit.enable or cfg.gitweb.enable;
+  needModCgi = cfg.cgit.enable || cfg.gitweb.enable;
  needModStatus = cfg.mod_status;
  needModUserdir = cfg.mod_userdir;
@ -102,7 +102,7 @@ in
      document-root = mkOption {
        default = "/srv/www";
-        type = types.str;
+        type = types.path;
        description = ''
          Document-root of the web server. Must be readable by the "lighttpd" user.
        '';
@ -128,7 +128,7 @@ in
      configText = mkOption {
        default = "";
-        type = types.string;
+        type = types.lines;
 	example = ''...verbatim config file contents...'';
        description = ''
          Overridable config file contents to use for lighttpd. By default, use
@ -138,7 +138,7 @@ in
      extraConfig = mkOption {
        default = "";
-        type = types.string;
+        type = types.lines;
        description = ''
          These configuration lines will be appended to the generated lighttpd
          config file. Note that this mechanism does not work when the manual
--- a/nixos/modules/services/web-servers/lighttpd/gitweb.nix
+++ b/nixos/modules/services/web-servers/lighttpd/gitweb.nix
@ -25,7 +25,7 @@ in
    projectroot = mkOption {
      default = "/srv/git";
-      type = types.str;
+      type = types.path;
      description = ''
        Path to git projects (bare repositories) that should be served by
        gitweb. Must not end with a slash.
@ -34,7 +34,7 @@ in
    extraConfig = mkOption {
      default = "";
-      type = types.str;
+      type = types.lines;
      description = ''
        Verbatim configuration text appended to the generated gitweb.conf file.
      '';
--- a/nixos/modules/services/web-servers/tomcat.nix
+++ b/nixos/modules/services/web-servers/tomcat.nix
@ -77,6 +77,11 @@ in
        description = "Whether to enable logging per virtual host.";
      };
      jdk = mkOption {
        default = pkgs.jdk;
        description = "Which JDK to use.";
      };
      axis2 = {
        enable = mkOption {
@ -332,13 +337,13 @@ in
          '';
        script = ''
-            ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c 'CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${pkgs.jdk} JAVA_OPTS="${cfg.javaOpts}" CATALINA_OPTS="${cfg.catalinaOpts}" ${tomcat}/bin/startup.sh'
+            ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c 'CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${cfg.jdk} JAVA_OPTS="${cfg.javaOpts}" CATALINA_OPTS="${cfg.catalinaOpts}" ${tomcat}/bin/startup.sh'
        '';
        postStop =
          ''
            echo "Stopping tomcat..."
-            CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${pkgs.jdk} ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c ${tomcat}/bin/shutdown.sh
+            CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${cfg.jdk} ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c ${tomcat}/bin/shutdown.sh
          '';
      };
--- a/nixos/modules/services/x11/desktop-managers/default.nix
+++ b/nixos/modules/services/x11/desktop-managers/default.nix
@ -17,7 +17,10 @@ in
  # Note: the order in which desktop manager modules are imported here
  # determines the default: later modules (if enabled) are preferred.
  # E.g., if KDE is enabled, it supersedes xterm.
-  imports = [ ./none.nix ./xterm.nix ./xfce.nix ./kde4.nix ./e17.nix ./gnome3.nix ./xbmc.nix ];
+  imports = [
    ./none.nix ./xterm.nix ./xfce.nix ./kde4.nix
    ./e17.nix ./e18.nix ./gnome3.nix ./xbmc.nix
  ];
  options = {
--- a/nixos/modules/services/x11/desktop-managers/e18.nix
+++ b/nixos/modules/services/x11/desktop-managers/e18.nix
@ -0,0 +1,43 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  xcfg = config.services.xserver;
  cfg = xcfg.desktopManager.e18;
  e18_enlightenment = pkgs.e18.enlightenment.override { set_freqset_setuid = true; };
 in
 {
  options = {
    services.xserver.desktopManager.e18.enable = mkOption {
      default = false;
      example = true;
      description = "Enable the E18 desktop environment.";
    };
  };
  config = mkIf (xcfg.enable && cfg.enable) {
    environment.systemPackages = [
      pkgs.e18.efl pkgs.e18.evas pkgs.e18.emotion pkgs.e18.elementary e18_enlightenment
      pkgs.e18.terminology pkgs.e18.econnman
    ];
    services.xserver.desktopManager.session = [
    { name = "E18";
      start = ''
        ${e18_enlightenment}/bin/enlightenment_start
        waitPID=$!
      '';
    }];
    security.setuidPrograms = [ "e18_freqset" ];
  };
 }
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@ -35,6 +35,14 @@ in {
      description = "Enable Gnome 3 desktop manager.";
    };
    services.xserver.desktopManager.gnome3.sessionPath = mkOption {
      default = [];
      example = "[ pkgs.gnome3.gpaste ]";
      description = "Additional list of packages to be added to the session search path.
                     Useful for gnome shell extensions or gsettings-conditionated autostart.";
      apply = list: list ++ [ gnome3.gnome_shell ]; 
    };
    environment.gnome3.packageSet = mkOption {
      default = pkgs.gnome3;
      example = literalExample "pkgs.gnome3_12";
@ -86,10 +94,19 @@ in {
          export XDG_MENU_PREFIX=gnome
-          # Don't let epiphany depend upon gnome-shell
+          ${concatMapStrings (p: ''
-          # Don't let gnome-session depend upon vino (for .desktop autostart condition)
+            if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then
              export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name}
            fi
            if [ -d "${p}/lib/girepository-1.0" ]; then
              export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0
              export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib
            fi
          '') cfg.sessionPath}
          # Override default mimeapps
-          export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${gnome3.gnome_shell}/share/gsettings-schemas/${gnome3.gnome_shell.name}:${gnome3.vino}/share/gsettings-schemas/${gnome3.vino.name}:${mimeAppsList}/share
+          export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${mimeAppsList}/share
          # Let gnome-control-center find gnome-shell search providers
          export GNOME_SEARCH_PROVIDERS_DIR=${config.system.path}/share/gnome-shell/search-providers/
@ -123,7 +140,7 @@ in {
        gnome3.gnome_settings_daemon
        gnome3.gnome_shell
        gnome3.gnome_themes_standard
-      ] ++ (removePackagesByName [
+      ] ++ cfg.sessionPath ++ (removePackagesByName [
        gnome3.baobab
        gnome3.empathy
        gnome3.eog
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@ -0,0 +1,151 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.xserver.displayManager;
  gdm = pkgs.gnome3_12.gdm; # gdm 3.10 not supported
  gnome3 = config.environment.gnome3.packageSet;
 in
 {
  ###### interface
  options = {
    services.xserver.displayManager.gdm = {
      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether to enable GDM as the display manager.
          <emphasis>GDM is very experimental and may render system unusable.</emphasis>
        '';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.gdm.enable {
    services.xserver.displayManager.slim.enable = false;
    users.extraUsers.gdm =
      { name = "gdm";
        uid = config.ids.uids.gdm;
        group = "gdm";
        home = "/run/gdm";
        description = "GDM user";
      };
    users.extraGroups.gdm.gid = config.ids.gids.gdm;
    services.xserver.displayManager.job =
      { 
        environment = {
          GDM_X_SERVER = "${cfg.xserverBin} ${cfg.xserverArgs}";
          GDM_SESSIONS_DIR = "${cfg.session.desktops}";
          XDG_CONFIG_DIRS = "${gnome3.gnome_settings_daemon}/etc/xdg";
        };
        execCmd = "exec ${gdm}/sbin/gdm";
      };
    # Because sd_login_monitor_new requires /run/systemd/machines
    systemd.services.display-manager.wants = [ "systemd-machined.service" ];
    systemd.services.display-manager.after = [ "systemd-machined.service" ];
    systemd.services.display-manager.path = [ gnome3.gnome_shell gnome3.caribou ];
    services.dbus.packages = [ gdm ];
    programs.dconf.profiles.gdm = "${gdm}/share/dconf/profile/gdm";
    # GDM LFS PAM modules, adapted somehow to NixOS
    security.pam.services = {
      gdm-launch-environment.text = ''
        auth     required       pam_succeed_if.so audit quiet_success user = gdm
        auth     optional       pam_permit.so
        account  required       pam_succeed_if.so audit quiet_success user = gdm
        account  sufficient     pam_unix.so
        password required       pam_deny.so
        session  required       pam_succeed_if.so audit quiet_success user = gdm
        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
        session  optional       pam_keyinit.so force revoke
        session  optional       pam_permit.so
      '';
     gdm.text = ''
        auth     requisite      pam_nologin.so
        auth     required       pam_env.so
        auth     required       pam_succeed_if.so uid >= 1000 quiet
        auth     optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
        auth     sufficient     pam_unix.so nullok likeauth
        auth     required       pam_deny.so
        account  sufficient     pam_unix.so
        password requisite      pam_unix.so nullok sha512
        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
        session  required       pam_unix.so
        session  required       pam_loginuid.so
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
        session  optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
      '';
      gdm-password.text = ''
        auth     requisite      pam_nologin.so
        auth     required       pam_env.so envfile=${config.system.build.pamEnvironment}
        auth     required       pam_succeed_if.so uid >= 1000 quiet
        auth     optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
        auth     sufficient     pam_unix.so nullok likeauth
        auth     required       pam_deny.so 
        account  sufficient     pam_unix.so
        password requisite      pam_unix.so nullok sha512
        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
        session  required       pam_unix.so
        session  required       pam_loginuid.so
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
        session  optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
      '';
      gdm-autologin.text = ''
        auth     requisite      pam_nologin.so
        auth     required       pam_succeed_if.so uid >= 1000 quiet
        auth     required       pam_permit.so
        account  sufficient     pam_unix.so
        password requisite      pam_unix.so nullok sha512
        session  optional       pam_keyinit.so revoke
        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
        session  required       pam_unix.so
        session  required       pam_loginuid.so
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
      '';
    };
  };
 }
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@ -26,7 +26,7 @@ let
    buildInputs = [ pkgs.makeWrapper ];
    buildCommand = ''
-      ensureDir $out/gtk-3.0/
+      mkdir -p $out/gtk-3.0/
      # This wrapper ensures that we actually get fonts
      makeWrapper ${pkgs.lightdm_gtk_greeter}/sbin/lightdm-gtk-greeter \
--- a/nixos/modules/services/x11/display-managers/slim.nix
+++ b/nixos/modules/services/x11/display-managers/slim.nix
@ -27,7 +27,7 @@ let
      unpackedTheme = pkgs.stdenv.mkDerivation {
        name = "slim-theme";
        buildCommand = ''
-          ensureDir $out
+          mkdir -p $out
          cd $out
          unpackFile ${cfg.theme}
          ln -s * default
--- a/nixos/modules/services/x11/hardware/synaptics.nix
+++ b/nixos/modules/services/x11/hardware/synaptics.nix
@ -41,16 +41,19 @@ in {
      };
      accelFactor = mkOption {
        type = types.nullOr types.string;
        default = "0.001";
        description = "Cursor acceleration (how fast speed increases from minSpeed to maxSpeed).";
      };
      minSpeed = mkOption {
        type = types.nullOr types.string;
        default = "0.6";
        description = "Cursor speed factor for precision finger motion.";
      };
      maxSpeed = mkOption {
        type = types.nullOr types.string;
        default = "1.0";
        description = "Cursor speed factor for highest-speed finger motion.";
      };
@ -120,9 +123,9 @@ in {
          MatchIsTouchpad "on"
          ${optionalString (cfg.dev != null) ''MatchDevicePath "${cfg.dev}"''}
          Driver "synaptics"
-          Option "MinSpeed" "${cfg.minSpeed}"
+          ${optionalString (cfg.minSpeed != null) ''Option "MinSpeed" "${cfg.minSpeed}"''}
-          Option "MaxSpeed" "${cfg.maxSpeed}"
+          ${optionalString (cfg.maxSpeed != null) ''Option "MaxSpeed" "${cfg.maxSpeed}"''}
-          Option "AccelFactor" "${cfg.accelFactor}"
+          ${optionalString (cfg.accelFactor != null) ''Option "AccelFactor" "${cfg.accelFactor}"''}
          ${optionalString cfg.tapButtons tapConfig}
          Option "ClickFinger1" "${builtins.elemAt cfg.buttonsMap 0}"
          Option "ClickFinger2" "${builtins.elemAt cfg.buttonsMap 1}"
--- a/nixos/modules/services/x11/window-managers/bspwm.nix
+++ b/nixos/modules/services/x11/window-managers/bspwm.nix
@ -0,0 +1,29 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.xserver.windowManager.bspwm;
 in
 {
  options = {
    services.xserver.windowManager.bspwm.enable = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = "Enable the bspwm window manager.";
    };
  };
  config = mkIf cfg.enable {
    services.xserver.windowManager.session = singleton {
      name = "bspwm";
      start = "
        ${pkgs.sxhkd}/bin/sxhkd &
        ${pkgs.bspwm}/bin/bspwm
      ";
    };
    environment.systemPackages = [ pkgs.bspwm ];
  };
 }
--- a/nixos/modules/services/x11/window-managers/default.nix
+++ b/nixos/modules/services/x11/window-managers/default.nix
@ -17,6 +17,7 @@ in
      ./xmonad.nix
      ./i3.nix
      ./herbstluftwm.nix
      ./bspwm.nix
    ];
  options = {
--- a/nixos/modules/services/x11/window-managers/fluxbox.nix
+++ b/nixos/modules/services/x11/window-managers/fluxbox.nix
@ -0,0 +1,28 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.xserver.windowManager.fluxbox;
 in
 {
  ###### interface
  options = {
    services.xserver.windowManager.fluxbox.enable = mkOption {
      default = false;
      description = "Enable the Fluxbox window manager.";
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    services.xserver.windowManager.session = singleton {
      name = "fluxbox";
      start = ''
        ${pkgs.fluxbox}/bin/startfluxbox &
        waitPID=$!
      '';
    };
    environment.systemPackages = [ pkgs.fluxbox ];
  };
 }
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@ -66,6 +66,9 @@ in
                PATH=$PATH:$i/bin:$i/sbin
            done
            _status=0
            trap "_status=1" ERR
            # Ensure a consistent umask.
            umask 0022
@ -84,6 +87,8 @@ in
            # Prevent the current configuration from being garbage-collected.
            ln -sfn /run/current-system /nix/var/nix/gcroots/current-system
            exit $_status
          '';
      };
--- a/nixos/modules/system/boot/emergency-mode.nix
+++ b/nixos/modules/system/boot/emergency-mode.nix
@ -0,0 +1,37 @@
 { config, lib, ... }:
 with lib;
 {
  ###### interface
  options = {
    systemd.enableEmergencyMode = mkOption {
      default = true;
      type = types.bool;
      description = ''
        Whether to enable emergency mode, which is an
        <command>sulogin</command> shell started on the console if
        mounting a filesystem fails.  Since some machines (like EC2
        instances) have no console of any kind, emergency mode doesn't
        make sense, and it's better to continue with the boot insofar
        as possible.
      '';
    };
  };
  ###### implementation
  config = {
    systemd.additionalUpstreamSystemUnits = optionals
      config.systemd.enableEmergencyMode [
        "emergency.target" "emergency.service"
      ];
  };
 }
--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@ -195,6 +195,7 @@ in
        "xhci_hcd"
        "usbhid"
        "hid_generic"
        "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
        # Unix domain sockets (needed by udev).
        "unix"
--- a/nixos/modules/system/boot/modprobe.nix
+++ b/nixos/modules/system/boot/modprobe.nix
@ -68,20 +68,15 @@ with lib;
  config = mkIf (!config.boot.isContainer) {
-    environment.etc = [
+    environment.etc."modprobe.d/ubuntu.conf".source = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
-      { source = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
+
-        target = "modprobe.d/ubuntu.conf";
+    environment.etc."modprobe.d/nixos.conf".text =
-      }
+      ''
-      { source = pkgs.writeText "modprobe.conf"
+        ${flip concatMapStrings config.boot.blacklistedKernelModules (name: ''
-          ''
+          blacklist ${name}
-            ${flip concatMapStrings config.boot.blacklistedKernelModules (name: ''
+        '')}
-              blacklist ${name}
+        ${config.boot.extraModprobeConfig}
-            '')}
+      '';
            ${config.boot.extraModprobeConfig}
          '';
        target = "modprobe.d/nixos.conf";
      }
    ];
    environment.systemPackages = [ config.system.sbin.modprobe pkgs.kmod ];
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@ -4,7 +4,8 @@ targetRoot=/mnt-root
 console=tty1
 export LD_LIBRARY_PATH=@extraUtils@/lib
-export PATH=@extraUtils@/bin:@extraUtils@/sbin
+export PATH=@extraUtils@/bin
 ln -s @extraUtils@/bin /bin
 fail() {
@ -193,6 +194,9 @@ checkFS() {
    # Don't check ROM filesystems.
    if [ "$fsType" = iso9660 -o "$fsType" = udf ]; then return 0; fi
    # Don't check resilient COWs as they validate the fs structures at mount time
    if [ "$fsType" = btrfs -o "$fsType" = zfs ]; then return 0; fi
    # If we couldn't figure out the FS type, then skip fsck.
    if [ "$fsType" = auto ]; then
        echo 'cannot check filesystem with type "auto"!'
@ -262,6 +266,13 @@ mountFS() {
    checkFS "$device" "$fsType"
    # Create backing directories for unionfs-fuse.
    if [ "$fsType" = unionfs-fuse ]; then
        for i in $(IFS=:; echo ${options##*,dirs=}); do
            mkdir -m 0700 -p /mnt-root"${i%=*}"
        done
    fi
    echo "mounting $device on $mountPoint..."
    mkdir -p "/mnt-root$mountPoint" || true
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@ -23,22 +23,6 @@ let
  };
  needsCifsUtils = kernelPackages.kernel ? features
                && kernelPackages.kernel.features ? needsCifsUtils
                && kernelPackages.kernel.features.needsCifsUtils
                && any (fs: fs.fsType == "cifs") fileSystems;
  busybox =
    if needsCifsUtils
    then pkgs.busybox.override {
           extraConfig = ''
             CONFIG_FEATURE_MOUNT_CIFS n
             CONFIG_FEATURE_MOUNT_HELPERS y
           '';
         }
    else pkgs.busybox;
  # Some additional utilities needed in stage 1, like mount, lvm, fsck
  # etc.  We don't want to bring in all of those packages, so we just
  # copy what we need.  Instead of using statically linked binaries,
@ -51,6 +35,7 @@ let
    }
    ''
      mkdir -p $out/bin $out/lib
      ln -s $out/bin $out/sbin
      # Copy what we need from Glibc.
      cp -pv ${pkgs.glibc}/lib/ld*.so.? $out/lib
@ -62,11 +47,10 @@ let
      cp -pv ${pkgs.gcc.gcc}/lib*/libgcc_s.so.* $out/lib
      # Copy BusyBox.
-      cp -rvd ${busybox}/{bin,sbin} $out/
+      cp -pvd ${pkgs.busybox}/bin/* ${pkgs.busybox}/sbin/* $out/bin/
      chmod -R u+w $out
      # Copy some utillinux stuff.
-      cp -v ${pkgs.utillinux}/sbin/blkid $out/bin
+      cp -vf ${pkgs.utillinux}/sbin/blkid $out/bin
      cp -pdv ${pkgs.utillinux}/lib/libblkid*.so.* $out/lib
      cp -pdv ${pkgs.utillinux}/lib/libuuid*.so.* $out/lib
@ -89,12 +73,7 @@ let
      # Copy modprobe.
      cp -v ${pkgs.kmod}/bin/kmod $out/bin/
-      ln -s kmod $out/bin/modprobe
+      ln -sf kmod $out/bin/modprobe
      # Maybe copy cifs utils
      ${optionalString needsCifsUtils ''
        cp -v ${pkgs.cifs_utils}/sbin/mount.cifs $out/bin
      ''}
      ${config.boot.initrd.extraUtilsCommands}
@ -140,7 +119,7 @@ let
  udevRules = pkgs.stdenv.mkDerivation {
    name = "udev-rules";
    buildCommand = ''
-      ensureDir $out
+      mkdir -p $out
      echo 'ENV{LD_LIBRARY_PATH}="${extraUtils}/lib"' > $out/00-env.rules
@ -220,6 +199,21 @@ let
        { object = pkgs.writeText "mdadm.conf" config.boot.initrd.mdadmConf;
          symlink = "/etc/mdadm.conf";
        }
        { object = config.environment.etc."modprobe.d/nixos.conf".source;
          symlink = "/etc/modprobe.d/nixos.conf";
        }
        { object = pkgs.stdenv.mkDerivation {
            name = "initrd-kmod-blacklist-ubuntu";
            builder = pkgs.writeText "builder.sh" ''
              source $stdenv/setup
              target=$out
              ${pkgs.perl}/bin/perl -0pe 's/## file: iwlwifi.conf(.+?)##/##/s;' $src > $out
            '';
            src = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
          };
          symlink = "/etc/modprobe.d/ubuntu.conf";
        }
      ];
  };
@ -313,6 +307,13 @@ in
      example = "xz";
    };
    boot.initrd.supportedFilesystems = mkOption {
      default = [ ];
      example = [ "btrfs" ];
      type = types.listOf types.string;
      description = "Names of supported filesystem types in the initial ramdisk.";
    };
    fileSystems = mkOption {
      options.neededForBoot = mkOption {
        default = false;
@ -347,5 +348,7 @@ in
    # Prevent systemd from waiting for the /dev/root symlink.
    systemd.units."dev-root.device".text = "";
    boot.initrd.supportedFilesystems = map (fs: fs.fsType) fileSystems;
  };
 }
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@ -29,7 +29,9 @@ setPath "@path@"
 # Normally, stage 1 mounts the root filesystem read/writable.
 # However, in some environments, stage 2 is executed directly, and the
 # root is read-only.  So make it writable here.
-mount -n -o remount,rw /
+if [ "$container" != systemd-nspawn ]; then
    mount -n -o remount,rw none /
 fi
 # Likewise, stage 1 mounts /proc, /dev and /sys, so if we don't have a
@ -98,12 +100,6 @@ mkdir -m 0755 -p /etc/nixos
 rm -rf /var/run /var/lock
 rm -f /etc/{group,passwd,shadow}.lock
 if test -n "@cleanTmpDir@"; then
    echo -n "cleaning \`/tmp'..."
    find /tmp -maxdepth 1 -mindepth 1 -print0 | xargs -0r rm -rf --one-file-system
    echo " done"
 fi
 # Also get rid of temporary GC roots.
 rm -rf /nix/var/nix/gcroots/tmp /nix/var/nix/temproots
@ -186,4 +182,4 @@ echo "starting systemd..."
 PATH=/run/current-system/systemd/lib/systemd \
    MODULE_DIR=/run/booted-system/kernel-modules/lib/modules \
    LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive \
-    exec systemd --log-target=journal # --log-level=debug --log-target=console --crash-shell
+    exec systemd
--- a/Show More
+++ b/Show More